From 8a6cc168153171a4ae26bedfb47a2e7b43b29398 Mon Sep 17 00:00:00 2001 
From: erjosito <9462396+erjosito@users.noreply.github.com> Date: Thu, 8 Aug 2024 08:27:29 +0000 Subject: [PATCH] [create-pull-request] automated change --- checklists-ext/fullwaf_checklist.en.json | 12244 ++-- checklists/checklist.en.master.json | 50182 ++++++++-------- .../network_appdelivery_checklist.en.json | 4 +- .../network_appdelivery_checklist.es.json | 194 +- .../network_appdelivery_checklist.ja.json | 244 +- .../network_appdelivery_checklist.ko.json | 190 +- .../network_appdelivery_checklist.pt.json | 364 +- ...network_appdelivery_checklist.zh-Hant.json | 150 +- checklists/waf_checklist.en.json | 12276 ++-- checklists/waf_checklist.es.json | 12620 ++-- checklists/waf_checklist.ja.json | 12272 ++-- checklists/waf_checklist.ko.json | 11488 ++-- checklists/waf_checklist.pt.json | 12922 ++-- checklists/waf_checklist.zh-Hant.json | 11424 ++-- .../macrofree/checklist.en.master.xlsx | Bin 471385 -> 439831 bytes .../network_appdelivery_checklist.en.xlsx | Bin 26378 -> 26477 bytes .../network_appdelivery_checklist.es.xlsx | Bin 27102 -> 27209 bytes .../network_appdelivery_checklist.ja.xlsx | Bin 28495 -> 28696 bytes .../network_appdelivery_checklist.ko.xlsx | Bin 28135 -> 28185 bytes .../network_appdelivery_checklist.pt.xlsx | Bin 27077 -> 27150 bytes ...network_appdelivery_checklist.zh-Hant.xlsx | Bin 27553 -> 27663 bytes spreadsheet/macrofree/waf_checklist.en.xlsx | Bin 176840 -> 176673 bytes spreadsheet/macrofree/waf_checklist.es.xlsx | Bin 188073 -> 187767 bytes spreadsheet/macrofree/waf_checklist.ja.xlsx | Bin 204120 -> 204812 bytes spreadsheet/macrofree/waf_checklist.ko.xlsx | Bin 198792 -> 198519 bytes spreadsheet/macrofree/waf_checklist.pt.xlsx | Bin 187847 -> 187869 bytes .../macrofree/waf_checklist.zh-Hant.xlsx | Bin 192972 -> 193318 bytes ...hecklist.en_network_counters_workbook.json | 220 +- ...en_network_counters_workbook_template.json | 2 +- ...elivery_checklist.en_network_workbook.json | 200 +- ...hecklist.en_network_workbook_template.json | 2 +- 
...livery_checklist.en_counters_workbook.json | 6 +- ...ecklist.en_counters_workbook_template.json | 2 +- ...ork_appdelivery_checklist.en_workbook.json | 6 +- ...livery_checklist.en_workbook_template.json | 2 +- 35 files changed, 67295 insertions(+), 69719 deletions(-)
diff --git a/checklists-ext/fullwaf_checklist.en.json b/checklists-ext/fullwaf_checklist.en.json
index 299248760..c9bd293fb 100644
--- a/checklists-ext/fullwaf_checklist.en.json
+++ b/checklists-ext/fullwaf_checklist.en.json
@@ -1,4378 +1,4389 @@ { "items": [ { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", - "severity": "High", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", - "severity": "High", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", + "severity": "Medium", + "text": "Implement an error handling policy at the global level", + "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", 
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", + "severity": "Medium", + "text": "Ensure all APIs policies include a element.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": 
"c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "severity": "Medium", + "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", + "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "severity": "High", - "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", - "waf": "Reliability" + "text": "Enable Diagnostics Settings to export logs to Azure Monitor", + "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Device Update for IoT Hub", - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", 
+ "severity": "Medium", + "text": "Enable Application Insights for more detailed telemetry", + "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "Device Update Review", - "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Device Update for IoT Hub", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "text": "Configure alerts on the most critical metrics", + "waf": "Operations" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "High", - "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": 
"https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "severity": "High", - "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "text": "Protect incoming requests to APIs (data plane) with Azure AD", "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", + "severity": "Medium", + "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "arm-service": 
"Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", + "severity": "Medium", + "text": "Create appropriate groups to control the visibility of the products", "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "text": "Use Backends feature to eliminate redundant API backend configurations", "waf": "Operations" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "severity": "Medium", - "text": "Follow reliability support recommendations in Azure Bot Service", - "waf": "Reliability" + "text": "Use Named Values to store common values that can be used in policies", + "waf": "Operations" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": 
"https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "severity": "Medium", - "text": "Deploying bots with local data residency and regional compliance", + "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", "waf": "Reliability" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", "severity": "Medium", - "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. 
For the global bot service, all available regions/geographies can be served as the global footprint.", + "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", - "service": "CosmosDB", - "severity": "Medium", - "text": "FTA Resiliency Playbook", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", + "severity": "High", + "text": "Ensure there is an automated backup routine", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", - "severity": "High", - "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", + "severity": "Medium", + "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "guid": 
"0d934a34-8b26-43e7-bd60-513a3649906e", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", - "service": "CosmosDB", - "severity": "Medium", - "text": "Run multiple replicas of the database (>1 ) in Prod", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", + "severity": "Low", + "text": "If you need to log at high performance levels, consider Event Hubs policy", + "waf": "Operations" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", - "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", - "service": "CosmosDB", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", "severity": "Medium", - "text": "Leverage Multi-Region Writes", - "waf": "Reliability" + "text": "Apply throttling policies to control the number of requests per second", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "Performance" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Span Cosmos account across two or more regions with multi-region writes", - "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - 
"service": "CosmosDB", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "severity": "Medium", - "text": "Distribute your data globally", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", - "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", - "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", - "service": "CosmosDB", - "severity": "High", - "text": "Choose from several well-defined consistency models", - "waf": "Reliability" + "text": "Configure autoscaling to scale out the number of instances when the load increases", + "waf": "Performance" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. 
By using this API, you can carry out regular business continuity drills.", - "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", - "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", - "service": "CosmosDB", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "severity": "Medium", - "text": "Enable Service managed failover", - "waf": "Reliability" + "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", + "waf": "Performance" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service.", - "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", - "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", - "service": "CosmosDB", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", "severity": "Medium", - "text": "Enable Automatic Backups", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Use the premium tier for production workloads.", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "This mode is the default backup mode for all existing accounts. 
In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. The minimum backup interval can be one hour.", - "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", - "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", - "service": "CosmosDB", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", "severity": "Medium", - "text": "Perform Periodic Backups", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "CosmosDB Review Checklist", - "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", - "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", - "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", - "service": "CosmosDB", - "severity": "Medium", - "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", + "severity": "High", + "text": "Be aware of APIM's limits", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", "severity": "High", - "text": "Enable 2 replicas to have 99.9% availability for read operations", + "text": "Ensure that the self-hosted gateway deployments are resilient.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": 
"7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "severity": "Medium", - "text": "Enable 3 replicas to have 99.9% availability for read/write operations", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", - "severity": "High", - "text": "Leverage Availability Zones by enabling read and/or write replicas", - "waf": "Reliability" + "text": "Use Azure Front Door in front of APIM for multi-region deployment", + "waf": "Performance" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "severity": "Medium", - "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", + "text": "Deploy the service within a Virtual Network (VNet)", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": 
"https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "severity": "Medium", - "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", + "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", "severity": "Medium", - "text": "Use Azure Traffic Manager to coordinate requests", + "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": 
"https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", "severity": "High", - "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files", + "text": "Disable Public Network Access", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", - "service": "Cognitive Services", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", "severity": "Medium", - "text": "Leverage FTA HandBook for Cognitive Services", - "waf": "Reliability" + "text": "Simplify management with PowerShell automation scripts", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Cognitive Services", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": 
"c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", "severity": "Medium", - "text": "Backup Your Prompts", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Cognitive Services", - "severity": "High", - "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", - "waf": "Reliability" + "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", - "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", - "service": "Cognitive Services", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", "severity": "Medium", - "text": "Backup Your ChatGPT conversations", - "waf": "Reliability" + "text": "Promote usage of Visual Studio Code APIM extension for faster API development", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", - "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", - 
"service": "Cognitive Services", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", "severity": "Medium", - "text": "CI/CD for custom speech", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "3687a046-7a1f-4893-9bda-43324f248116", - "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", - "service": "Cognitive Services", - "severity": "Low", - "text": "Move a knowledge base using export-import", - "waf": "Reliability" + "text": "Implement DevOps and CI/CD in your workflow", + "waf": "Operations" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "af416482-663c-4ed6-b195-b44c7068e09c", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", - "service": "Container Apps", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", + "severity": "Medium", + "text": "Secure APIs using client certificate authentication", "waf": "Reliability" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", - "service": "Container Apps", - 
"severity": "High", - "text": "Use more than one replica and enable Zone Redundancy.", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", + "severity": "Medium", + "text": "Secure backend services using client certificate authentication", "waf": "Reliability" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", - "severity": "High", - "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", + "severity": "Medium", + "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", "waf": "Reliability" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", - "severity": "High", - "text": "Use Front Door or Traffic Manager to route traffic to the closest region", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": 
"5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", + "severity": "Medium", + "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Functions", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", "severity": "High", - "text": "Select the right Function hosting plan based on your business & SLO requirements", + "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Functions", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", + "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Functions", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", "severity": "Medium", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "text": "Use managed identities to authenticate to other Azure resources whenever possible", "waf": "Reliability" }, { - "arm-service": 
"Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Functions", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Functions", - "severity": "High", - "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", + "severity": "Medium", + "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. 
You could automate deployment using CI/CD with ADO/GitHub actions", "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Functions", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "severity": "Medium", - "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled", + "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Functions", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "severity": "Medium", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", - "waf": "Operations" + "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. 
This feature is only available in Standard and Enterprise tiers.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", "severity": "Medium", - "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", - "waf": "Operations" + "text": "Use more than 1 app instance for your apps", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "severity": "Medium", - "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", - "training": "https://github.com/Azure/sap-automation", - "waf": "Operations" + "text": "Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with application insights and track failures and create workbooks.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "severity": "Medium", - "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", + "text": "Set up autoscaling in Spring Cloud Gateway", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + "severity": "Low", + "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "severity": "Medium", - "text": "Test the 
backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", + "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", "severity": "High", - "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", "severity": "Medium", - "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", "severity": "High", - "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", - "severity": "Low", - "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", + "severity": "Medium", + "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "severity": "Medium", - "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", + "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", - "severity": "Low", - "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", + "severity": "High", + "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "High", - "text": "Native database replication technology should be used to synchronize the database in a HA pair.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", + "severity": "Medium", + "text": "Has an RBAC model been created for use within VMware vSphere", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": 
"https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", - "severity": "High", - "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", + "severity": "Medium", + "text": "RBAC permissions should be granted on ADDS groups and not on specific users", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", "severity": "High", - "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", "severity": "High", - "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", "severity": "High", - "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", "severity": "High", - "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Reliability" + "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", - "severity": "High", - "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", + "severity": "Medium", + "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", - "severity": "High", - "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific 
high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", + "severity": "Medium", + "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", "severity": "High", - "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", "severity": "High", - "text": "Make sure the Floating IP is enabled on the Load balancer", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", "severity": "High", - "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "text": "Privileged Identity Management audit reporting should be 
implemented for the Azure VMware Solution PIM roles",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea",
- "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
- "service": "SAP",
- "severity": "High",
- "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. (standing permissions required)",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cbe05bbe-209d-4490-ba47-778424d11678",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
+ "service": "AVS",
 "severity": "High",
- "text": "Do not mix servers of different roles in the same availability set. 
Keep central services VMs, database VMs, application VMs in their own availability sets",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "text": "Limit use of CloudAdmin account to emergency access only",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86",
- "link": "https://learn.microsoft.com/azure/virtual-machines/co-location",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
+ "service": "AVS",
 "severity": "Medium",
- "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9674e7c7-7796-4181-8920-09f4429543ba",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
- "service": "SAP",
- "severity": "High",
- "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
+ "service": "AVS",
 "severity": "High",
- "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.",
+ "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
- "severity": "High",
- "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Is East-West traffic filtering implemented within NSX-T",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
+ "service": "AVS",
 "severity": "High",
- "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ed46b937-913e-4018-9c62-8393ab037e53",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid",
- "service": "SAP",
- "severity": "Medium",
- "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. 
However, you can combine up to five multiple central-services clusters into a pair of VMs.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f656e745-0cfb-453e-8008-0528fa21c933",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.",
+ "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "7f684ebc-95da-425e-b329-e782dbed050f",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "334fdf91-c234-4182-a652-75269440b4be",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "07991f7d-6598-4d90-9431-45c62605d3a5",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
- "severity": "High",
- "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. 
At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage",
- "service": "SAP",
- "severity": "High",
- "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
- "service": "SAP",
- "severity": "High",
- "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.",
- "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
- "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
- "severity": "High",
- "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
- "service": "SAP",
- "severity": "Medium",
- "text": "Automate SAP System Start-Stop to manage costs.",
- "waf": "Cost"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
+ "service": "AVS",
 "severity": "Low",
- "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.",
- "waf": "Cost"
+ "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
- "severity": "Low",
- "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.",
- "waf": "Cost"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5ac94222-3e13-4810-9230-81a941741583",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
+ "service": "AVS",
 "severity": "High",
- "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "45911475-e39e-4530-accc-d979366bcda2",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
- "severity": "Medium",
- "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d88408f3-7273-44c8-96ba-280214590146",
+ "service": "AVS",
+ 
"severity": "High",
+ "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
- "severity": "Medium",
- "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
- "waf": "Reliability"
+ "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": 
"bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
- "waf": "Reliability"
+ "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
+ "service": "AVS",
 "severity": "Medium",
- "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
- "waf": "Reliability"
+ "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used",
+ "waf": "Cost"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
- "service": "SAP",
- "severity": "Medium",
- "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
- "waf": "Reliability"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution",
+ "waf": "Cost"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
- "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
+ "service": "AVS",
 "severity": "Medium",
- "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
+ "text": "Consider the use of Azure Private-Link when using other Azure Native Services",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "16785d6f-a96c-496a-b885-18f482734c88",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
- "service": "SAP",
- "severity": "Medium",
- "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.",
- "waf": "Reliability"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure all required resource reside within the same Azure availability zone(s)",
+ "waf": "Performance"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Implement SSO to SAP HANA",
+ "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
- "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Consider Azure AD an identity provider for SAP systems 
hosted on RISE. For more information, see Integrating the Service with Azure AD.",
+ "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
- "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
- "service": "SAP",
- "severity": "Medium",
- "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.",
- "waf": "Reliability"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Enable Diagnostic and metric logging on Azure VMware Solution",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
+ "service": "AVS",
 "severity": "Medium",
- "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. 
This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.",
- "waf": "Reliability"
+ "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Implement SSO to SAP BTP",
- "waf": "Reliability"
+ "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
+ "service": "AVS",
 "severity": "Medium",
- "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.",
+ "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
+ "service": "AVS",
 "severity": "Medium",
- "text": "enforce existing Management Group policies to SAP Subscriptions",
- "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
- "waf": "Operations"
+ "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
+ "service": "AVS",
 "severity": "High",
- "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
- "waf": "Operations"
+ "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": 
"SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
+ "service": "AVS",
 "severity": "High",
- "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. Sandbox, non-prod, prod ",
- "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
- "waf": "Operations"
+ "text": "Are data processing implications (service provider / service consumer model) clear and documented",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
- "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "547c1747-dc56-4068-a714-435cd19dd244",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
+ "service": "AVS",
 "severity": "High",
- "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)",
- "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "text": "Create dashboards to enable core Azure VMware Solution monitoring insights",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
- "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
- "service": "SAP",
- "severity": "Low",
- "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
- "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
+ "service": "AVS",
 "severity": "High",
- "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. 
Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
+ "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
- "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
+ "service": "AVS",
 "severity": "High",
- "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
+ "text": "Ensure alerts are configured for Azure Service Health alerts and notifications",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": 
"2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "High", - "text": "Help protect your HANA database by using the Azure Backup service.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", - "severity": "Medium", - "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", + "severity": "Low", + "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "severity": "High", - "text": "Ensure time-zone matches between the operating system and the SAP system.", + "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", "waf": "Operations" }, { - "checklist": "SAP Checklist", 
- "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", "severity": "Medium", - "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", - "severity": "Low", - "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.", - "waf": "Cost" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", + "severity": "Medium", + "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
- "link": "https://learn.microsoft.com/azure/lighthouse/overview",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
+ "service": "AVS",
 "severity": "Medium",
- "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
+ "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
- "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
- "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
+ "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
- "link": 
"https://learn.microsoft.com/azure/sap/workloads/lama-installation",
- "service": "SAP",
- "severity": "Low",
- "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
- "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
- "service": "SAP",
- "severity": "High",
- "text": "Run a VM Extension for SAP check. 
VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
- "waf": "Operations"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "Operations"
+ "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
- "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
- "waf": "Operations"
+ "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? 
[SRM/JetStream/Zerto/Veeam/...]",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "73686af4-6791-4f89-95ad-a43324e13811",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
- "waf": "Operations"
+ "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
+ "service": "AVS",
 "severity": "High",
- "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
- "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "waf": "Performance"
+ "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "8255461e-2aee-4345-9aec-8339248b262d",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Run 
the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.",
- "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
+ "text": "Use the geopolitical region pair as the secondary disaster recovery environment",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
- "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
- "service": "SAP",
- "severity": "Medium",
- "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
- "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
- "training": 
"https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
- "waf": "Operations"
+ "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
- "service": "SAP",
- "severity": "Low",
- "text": "Use inter-VM latency monitoring for latency-sensitive applications.",
- "waf": "Performance"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. 
]",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
+ "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. 
For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.",
- "waf": "Performance"
+ "text": "Deploy your backup solution outside of vSan, on Azure native components",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c027f893-f404-41a9-b33d-39d625a14964",
- "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
+ "service": "AVS",
 "severity": "Low",
- "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
- "waf": "Performance"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
- "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
- "service": "SAP",
- "severity": "Medium",
- "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.",
- "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
- "waf": "Performance"
+ "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
- "service": "SAP",
- "severity": "Medium",
- "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. 
We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.",
- "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
- "waf": "Performance"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "For manual deployments, all configuration and deployments must be documented",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
- "service": "SAP",
- "severity": "High",
- "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
- "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "SAP",
- "severity": "Medium",
- "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
- "waf": "Reliability"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure 
VMware Solution Design Review",
+ "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "For automated deployments, deploy a minimal private cloud and scale as needed",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
- "severity": "Medium",
- "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "For automated deployments, request or reserve quota prior to starting the deployment",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
- "severity": "Medium",
- "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a3592829-e6e2-4061-9368-6af46791f893",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
- "service": "SAP",
- "severity": "Medium",
- "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
- "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
- "waf": "Reliability"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
- "service": "SAP",
- "severity": "High",
- "text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
- "training": "https://me.sap.com/notes/2731110",
- "waf": "Performance"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": 
"255461e2-aee3-4553-afc8-339248b262d6",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
- "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
- "service": "SAP",
- "severity": "Medium",
- "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
- "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
- "service": "SAP",
- "severity": "Medium",
- "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.",
- "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs",
 "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
- "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
- "waf": "Operations"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "82734c88-6ba2-4802-8459-11475e39e530",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
- "severity": "High",
- "text": "Public IP assignment to VM running SAP Workload is not recommended.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
- "waf": "Reliability"
+ "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution",
+ "waf": "Performance"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
- "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
- "service": "SAP",
- "severity": "High",
- "text": "Consider reserving IP address on DR side when configuring ASR",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Operations"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action",
+ "waf": "Performance"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
- 
"severity": "High",
- "text": "Avoid using overlapping IP address ranges for production and DR sites.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
- "waf": "Operations"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)",
+ "waf": "Performance"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bf15bce2-19e4-4a0e-a588-79424d226786",
+ "service": "AVS",
 "severity": "Medium",
- "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. 
Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.",
- "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
- "waf": "Operations"
+ "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)",
+ "waf": "Performance"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)",
- "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
- "waf": "Reliability"
+ "text": "Define and enforce scale in/out maximum limits for your environment in the automations",
+ "waf": "Performance"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324",
- "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
+ "service": "AVS",
 "severity": "Medium",
- "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.",
- "training": 
"https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html",
- "waf": "Reliability"
+ "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses",
+ "waf": "Operations"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "SAP",
- "severity": "Medium",
- "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.",
- "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "AVS",
+ "severity": "High",
+ "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])",
+ "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
- "service": "SAP",
- "severity": "Medium",
- "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. 
Lock down Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "High", + "text": "When using MON, you cannot enable MON on more than 100 Network extensions", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "severity": "Medium", - "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Reliability" + "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "severity": "Medium", - "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure 
Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", - "severity": "High", - "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Performance" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", + "severity": "Medium", + "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + 
"link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", "severity": "Medium", - "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", "severity": "Medium", - "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", "severity": "High", - "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "Medium", - "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Performance" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": 
"AVS", + "severity": "High", + "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", "severity": "High", - "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", "severity": "High", - "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Cost" + "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", "severity": "High", - "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Performance" + "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", - "severity": "Medium", - "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. 
Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.", + "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", + "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", + "service": "ACR", + "severity": "High", + "text": "Disable Azure Container Registry image export", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", + "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", + "service": "ACR", "severity": "High", - "text": "Review SAP HANA database backups for Azure VMs.", - "waf": "Cost" + "text": "Enable Azure Policies for Azure Container Registry", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. 
The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", + "guid": "d345293c-7639-4637-a551-c5c04e401955", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", + "service": "ACR", + "severity": "High", + "text": "Sign and Verify containers with notation (Notary v2)", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", + "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", + "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", + "service": "ACR", "severity": "Medium", - "text": "Review Site Recovery built-in monitoring, where used for SAP.", - "waf": "Cost" + "text": "Encrypt registry with a customer managed key", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", + "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", "severity": "High", - "text": "Review the Monitoring the SAP HANA System Landscape guidance.", - "waf": "Operations" + "text": "Use 
Managed Identities to connect instead of Service Principals", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", - "severity": "Medium", - "text": "Review Oracle Database in Azure Linux VM backup strategies.", - "waf": "Operations" + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "The local Administrator account is disabled by default and should not be enabled. Use either Token or RBAC-based access methods instead", + "guid": "be0e38ce-e297-411b-b363-caaab79b198d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", + "severity": "High", + "text": "Disable local authentication for management plane access", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", - "severity": "Medium", - "text": "Review the use of Azure Blob Storage with SQL Server 2016.", - "waf": "Operations" + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", + "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", + "service": "ACR", + "severity": "High", + "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": 
"b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Disable anonymous pull/push access", + "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", + "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", + "service": "ACR", "severity": "Medium", - "text": "Review the use of Automated Backup v2 for Azure VMs.", - "waf": "Operations" + "text": "Disable Anonymous pull access", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Token authentication doesn't support assignment to an AAD principal. 
Any tokens provided are able to be used by anyone who can access the token", + "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", + "service": "ACR", "severity": "High", - "text": "Enabling Write accelerator for M series when using premium disks(V1)", - "waf": "Operations" + "text": "Disable repository-scoped access tokens", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", - "severity": "Medium", - "text": "Test availability zone latency.", - "waf": "Performance" + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", + "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", + "service": "ACR", + "severity": "High", + "text": "Deploy images from a trusted environment", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Only tokens with an ACR audience can be used for authentication. 
Used when enabling Conditional access policies for ACR", + "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", + "service": "ACR", "severity": "Medium", - "text": "Activate SAP EarlyWatch Alert for all SAP components.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "Performance" + "text": "Disable Azure ARM audience tokens for authentication", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.", + "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", + "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", + "service": "ACR", "severity": "Medium", - "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", - "waf": "Performance" + "text": "Enable diagnostics logging", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", + "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", + "service": "ACR", "severity": "Medium", - "text": "Review SQL Server performance monitoring using CCMS.", - "waf": "Performance" + "text": "Control inbound network access with Private Link", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Disable public network access if inbound network access is secured using Private Link", + "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", + "service": "ACR", "severity": "Medium", - "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", 
- "training": "https://me.sap.com/notes/1100926/E", - "waf": "Performance" + "text": "Disable Public Network access", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Only the ACR Premium SKU supports Private Link access", + "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", + "service": "ACR", "severity": "Medium", - "text": "Review SAP HANA studio alerts.", - "waf": "Performance" + "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", - "severity": "Medium", - "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", - "waf": "Performance" - }, - { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", - "severity": "Medium", - "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities", + 
"guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", + "service": "ACR", + "severity": "Low", + "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", + "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", + "service": "ACR", "severity": "Medium", - "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "text": "Deploy validated container images", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "Low", - "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. 
Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", + "guid": "4e401955-387e-45ce-b126-cd132af5b20c", + "service": "ACR", + "severity": "High", + "text": "Use up-to-date platforms, languages, protocols and frameworks", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "High", - "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.", - "training": "https://me.sap.com/notes/3019299/E", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", + "severity": "Medium", + "text": "Follow reliability support recommendations in Azure Bot Service", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "High", - "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", + "severity": "Medium", + "text": "Deploying bots with local data residency and regional compliance", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", "severity": "Medium", - "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. 
For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", - "severity": "High", - "text": "Use Azure Key Vault to store your secrets and credentials", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", + "severity": "Low", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", "severity": "Medium", - "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", - "severity": "High", - "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. ", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", + "service": "Service Bus", + "severity": "Medium", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. ", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", "severity": "High", - "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", - "severity": "High", - "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", + "severity": "Medium", + "text": "Enable logging for security investigation. 
Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Low", - "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", + "severity": "Medium", + "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "Service Bus Review Checklist", + "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", "severity": "Medium", - "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": 
"https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Functions", "severity": "High", - "text": "Use an Azure Key Vault per application per environment per region.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Select the right Function hosting plan based on your business & SLO requirements", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Functions", "severity": "High", - "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. 
SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", - "severity": "High", - "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Functions", + "severity": "Medium", + "text": "Consider a Cross-Region DR strategy for critical workloads", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Functions", "severity": "High", - "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + 
"text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "Low", - "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "Low", - "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Functions", "severity": "High", - "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Low", - "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Functions", + "severity": "Medium", + "text": "Pair a Function App to its own storage account. 
Try not to re-use storage accounts for Function Apps unless they are tightly coupled", "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Functions", "severity": "Medium", - "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Reliability" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", + "waf": "Operations" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", + "service": "Cognitive Services", "severity": "Medium", - "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. 
You could automate deployment using CI/CD with ADO/GitHub actions", + "text": "Leverage FTA HandBook for Cognitive Services", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Cognitive Services", "severity": "Medium", - "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", + "text": "Backup Your Prompts", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", - "severity": "Medium", - "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. 
This feature is only available in Standard and Enterprise tiers.", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Cognitive Services", + "severity": "High", + "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", + "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", + "service": "Cognitive Services", "severity": "Medium", - "text": "Use more than 1 app instance for your apps", + "text": "Backup Your ChatGPT conversations", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", + "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", + "service": "Cognitive Services", "severity": "Medium", - "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.", + "text": "CI/CD for custom speech", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", - "severity": "Medium", - "text": "Set up autoscaling in Spring Cloud Gateway", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Cognitive Services Review Checklist", + "guid": "3687a046-7a1f-4893-9bda-43324f248116", + "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", + "service": "Cognitive Services", + "severity": "Low", + "text": "Move a knowledge base using export-import", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Service", "severity": "Low", - "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "text": "Refer to baseline highly available zone-redundant web application architecture for best practices", "waf": "Reliability" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + "arm-service": "microsoft.web/sites", + "checklist": 
"Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Service", "severity": "Medium", - "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.", + "text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.", "waf": "Reliability" }, { - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", - "severity": "Medium", - "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Service", + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)", "waf": "Reliability" }, { - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Service", "severity": "Medium", - "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. 
Resilient interfaces with external processes", + "text": "Implement health checks", "waf": "Reliability" }, { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", - "severity": "Medium", - "text": "Custom brand assets should be hosted on a CDN", - "waf": "Performance" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Service", + "severity": "High", + "text": "Refer to backup and restore best practices for Azure App Service", + "waf": "Reliability" }, { - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Service", + "severity": "High", + "text": "Implement Azure App Service reliability best practices", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Service", "severity": "Low", - "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", + "text": "Familiarize with how to move an App Service app to another region During a disaster", "waf": "Reliability" }, { - "checklist": "Identity 
Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "Medium", - "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Service", + "severity": "High", + "text": "Familiarize with reliability support in Azure App Service", "waf": "Reliability" }, { - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Service", "severity": "Medium", - "text": "Don't replicate! 
Replication can create issues with directory synchronization", + "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan", "waf": "Reliability" }, { - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Service", "severity": "Medium", - "text": "Have active-active for multi-regions", + "text": "Monitor App Service instances using Health checks", "waf": "Reliability" }, { - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Service", "severity": "Medium", - "text": "Add Azure AD Domain service stamps to additional regions and locations", + "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests", "waf": "Reliability" }, { - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", - "severity": "Medium", - "text": "Use Replica Sets for DR", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + 
"link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests",
+ "service": "App Service",
+ "severity": "Low",
+ "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ",
- "guid": "87af4a79-1f89-439b-ba47-768e14c11567",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key",
- "service": "Service Bus",
- "severity": "Low",
- "text": "Use customer-managed key option in data at rest encryption when required",
- "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.",
+ "guid": "834ac932-223e-4ce8-8b12-3071a5416415",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Use Key Vault to store secrets",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.",
- "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version",
- "service": "Service Bus",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.",
+ "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Use Managed Identity to connect to Key Vault",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Store the App Service TLS certificate in Key Vault.",
+ "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Use Key Vault to store TLS certificate.",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Systems that process sensitive information should be isolated. 
To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.",
+ "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ",
- "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "text": "Isolate systems that process sensitive information",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. ",
- "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
- "service": "Service Bus",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. 
(For example: D:\\\\Local and %TMP%).",
+ "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
+ "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Avoid using root account when it is not necessary",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
+ "text": "Do not store sensitive data on local disk",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. ",
- "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity",
- "service": "Service Bus",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.",
+ "guid": "919ca0b2-c121-459e-814b-933df574eccc",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
+ "service": "App Service",
 "severity": "Medium",
- "text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "text": "Use an established Identity Provider for authentication",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. ",
- "guid": "f615658d-e558-4f93-9249-b831112dbd7e",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus",
- "service": "Service Bus",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. This avoids code that was not version controlled and verified to be deployed from a malicious host.",
+ "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
+ "service": "App Service",
 "severity": "High",
- "text": "Use least privilege data plane RBAC",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "text": "Deploy from a trusted environment",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. 
Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.",
- "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
- "service": "Service Bus",
- "severity": "Medium",
- "text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. Note that the SCM site can also be opened using Azure AD credentials.",
+ "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Disable basic authentication",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
",
- "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
- "service": "Service Bus",
- "severity": "Medium",
- "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.",
+ "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Use Managed Identity to connect to resources",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "Service Bus Review Checklist",
- "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
",
- "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering",
- "service": "Service Bus",
- "severity": "Medium",
- "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.",
+ "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Pull containers using a Managed Identity",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...",
+ "guid": "47768314-c115-4775-a2ea-55b46ad48408",
+ "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Implement an error handling policy at the global level",
- "waf": "Operations"
+ "text": "Send App Service runtime logs to Log Analytics",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08",
- "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.",
+ "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Ensure all APIs policies include a element.",
- "waf": "Operations"
+ "text": "Send App Service activity logs to Log Analytics",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902",
- "link": "https://learn.microsoft.com/azure/api-management/policy-fragments",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. 
Ensure to monitor the Firewall's logs.",
+ "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs",
- "waf": "Operations"
+ "text": "Outbound network access should be controlled",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a",
- "link": "https://learn.microsoft.com/azure/api-management/monetization-support",
- "service": "APIM",
- "severity": "Medium",
- "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices",
- "waf": "Operations"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. 
(Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)",
+ "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
+ "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
+ "service": "App Service",
+ "severity": "Low",
+ "text": "Ensure a stable IP for outbound communications towards internet addresses",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. Different access restrictions can be required and configured for the web app itself and the SCM site.",
+ "guid": "0725769e-e669-41a4-a34a-c932223ece80",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
+ "service": "App Service",
 "severity": "High",
- "text": "Enable Diagnostics Settings to export logs to Azure Monitor",
- "waf": "Operations"
+ "text": "Inbound network access should be controlled",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "8691fa38-45ed-4299-a247-fecd98d35deb",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights",
- "service": "APIM",
- "severity": "Medium",
- "text": "Enable Application Insights for more detailed telemetry",
- "waf": "Operations"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application 
Gateway or Azure Front Door. Make sure to monitor the WAF's logs.",
+ "guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
+ "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Use a WAF in front of App Service",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.",
+ "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
+ "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
+ "service": "App Service",
 "severity": "High",
- "text": "Configure alerts on the most critical metrics",
- "waf": "Operations"
+ "text": "Avoid for WAF to be bypassed",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Set minimum TLS policy to 1.2 in App Service configuration.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant",
+ "guid": 
"c115775c-2ea5-45b4-9ad4-8408ee72734b",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
+ "service": "App Service",
+ "severity": "Medium",
+ "text": "Set minimum TLS policy to 1.2",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.",
+ "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
+ "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
+ "service": "App Service",
 "severity": "High",
- "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated",
+ "text": "Use HTTPS only",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). 
Specifically only allow the origins that you expect to be able to access the service.",
+ "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
+ "service": "App Service",
 "severity": "High",
- "text": "Protect incoming requests to APIs (data plane) with Azure AD",
+ "text": "Wildcards must not be used for CORS",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad",
- "service": "APIM",
- "severity": "Medium",
- "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. Note that the service does turn of remote debugging automatically after 48 hours.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
+ "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
+ "service": "App Service",
+ "severity": "High",
+ "text": "Turn off remote debugging",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Enable Defender for App Service. 
This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.",
+ "guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Create appropriate groups to control the visibility of the products",
+ "text": "Enable Defender for Cloud - Defender for App Service",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "06862505-2d9a-4874-9491-2837b00a3475",
- "link": "https://learn.microsoft.com/azure/api-management/backends",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
+ "guid": "223ece80-b123-4071-a541-6415833ea3ad",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Use Backends feature to eliminate redundant API backend configurations",
- "waf": "Operations"
+ "text": "Enable DDOS Protection Standard on the WAF VNet",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.",
+ "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Use Named Values to store common values that can be used in policies",
- "waf": "Operations"
+ "text": "Pull containers over a Virtual Network",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Conduct a penetration test on the web application following the penetration testing rules 
of engagement.",
+ "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
+ "service": "App Service",
 "severity": "Medium",
- "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA",
+ "text": "Conduct a penetration test",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044",
- "link": "https://learn.microsoft.com/azure/api-management/high-availability",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
+ "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
+ "service": "App Service",
 "severity": "Medium",
- "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%",
+ "text": "Deploy validated code",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
+ "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
+ "service": "App Service",
 "severity": "High",
- "text": "Ensure 
there is an automated backup routine",
+ "text": "Use up-to-date platforms, languages, protocols and frameworks",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485",
- "link": "https://learn.microsoft.com/azure/api-management/retry-policy",
- "service": "APIM",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage",
+ "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.",
+ "text": "Consider the 'Azure security baseline for storage'",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
- "service": "APIM",
- "severity": "Low",
- "text": "If you need to log at high performance levels, consider Event Hubs policy",
- "waf": "Operations"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet",
+ "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints",
+ "service": "Storage",
+ "severity": "High",
+ "text": "Consider using private endpoints for Azure Storage",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
- "service": "APIM",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. Ensure that there are no old storage accounts with classic deployment model in a subscription",
+ "guid": "30e37c3e-2971-41b2-963c-eee079b598de",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts",
+ "service": "Storage",
 "severity": "Medium",
- "text": "Apply throttling policies to control the number of requests per second",
- "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/",
- "waf": "Performance"
+ "text": "Ensure older storage accounts are not using 'classic deployment model'",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale",
- "service": "APIM",
- "severity": "Medium",
- "text": "Configure autoscaling to scale out the number of instances when the load increases",
- "waf": 
"Performance" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Storage", + "severity": "High", + "text": "Enable Microsoft Defender for all of your storage accounts", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Storage", "severity": "Medium", - "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", - "waf": "Performance" + "text": "Enable 'soft delete' for blobs", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Storage", "severity": "Medium", - "text": "Use the premium tier for production workloads.", + "text": "Disable 'soft delete' for blobs", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", - "severity": "Medium", - "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Storage", + "severity": "High", + "text": "Enable 'soft delete' for containers", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", - "severity": "High", - "text": "Be aware of APIM's limits", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. 
for confidentiality, privacy or compliance reasons. ", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Storage", + "severity": "Medium", + "text": "Disable 'soft delete' for containers", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Storage", "severity": "High", - "text": "Ensure that the self-hosted gateway deployments are resilient.", + "text": "Enable resource locks on storage accounts", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", - "severity": "Medium", - "text": "Use Azure Front Door in front of APIM for multi-region deployment", - "waf": "Performance" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Storage", + "severity": "High", + "text": "Consider immutable blobs", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", - "severity": "Medium", - "text": "Deploy the service within a Virtual Network (VNet)", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "severity": "High", + "text": "Require HTTPS, i.e. 
disable port 80 on the storage account", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", - "severity": "Medium", - "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Storage", + "severity": "High", + "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": 
"Storage", "severity": "Medium", - "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", + "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "AAD tokens should be favored over shared access signatures, wherever possible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Storage", "severity": "High", - "text": "Disable Public Network Access", + "text": "Use Azure Active Directory (Azure AD) tokens for blob access", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Storage", "severity": "Medium", - "text": "Simplify management with PowerShell automation scripts", - "waf": "Operations" + "text": "Least privilege in IaM permissions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", - "severity": "Medium", - "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Storage", + "severity": "High", + "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", - "severity": "Medium", - "text": "Promote usage of Visual Studio Code APIM extension for faster API development", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. 
", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Storage", + "severity": "High", + "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", - "severity": "Medium", - "text": "Implement DevOps and CI/CD in your workflow", - "waf": "Operations" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Storage", + "severity": "High", + "text": "Consider using Azure Monitor to audit control plane operations on the storage account", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. 
The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Storage", "severity": "Medium", - "text": "Secure APIs using client certificate authentication", + "text": "When using storage account keys, consider enabling a 'key expiration policy'", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Storage", "severity": "Medium", - "text": "Secure backend services using client certificate authentication", + "text": "Consider configuring an SAS expiration policy", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Storage", "severity": "Medium", - "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", + "text": "Consider linking SAS to a stored access policy", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Storage", "severity": "Medium", - "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", + "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Storage", "severity": "High", - "text": "Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.", + "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Storage", "severity": "High", - "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", + "text": "Strive for short validity periods for ad-hoc SAS", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Storage", "severity": "Medium", - "text": "Use managed identities to authenticate to other Azure resources whenever possible", + "text": "Apply a narrow scope to a SAS", "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", - "severity": "High", - "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Storage", + "severity": "Medium", + "text": "Consider scoping SAS to a specific client IP address, wherever possible", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Service", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Storage", "severity": "Low", - "text": "Refer to baseline highly available zone-redundant web application architecture for best practices", + "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Service", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. 
Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Storage", + "severity": "High", + "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Storage", "severity": "Medium", - "text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.", + "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Service", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. 
When enabling CORS, keep the CorsRules to the least privilege.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Storage", "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)", + "text": "Avoid overly broad CORS policies", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Service", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Storage", + "severity": "High", + "text": "Determine how data at rest should be encrypted. 
Understand the thread model for data.", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Storage", "severity": "Medium", - "text": "Implement health checks", + "text": "Determine which/if platform encryption should be used.", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Service", - "severity": "High", - "text": "Refer to backup and restore best practices for Azure App Service", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Storage", + "severity": "Medium", + "text": "Determine which/if client-side encryption should be used.", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Service", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Storage", "severity": "High", - "text": "Implement Azure App Service reliability best practices", + "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. ", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Service", - "severity": "Low", - "text": "Familiarize with how to move an App Service app to another region During a disaster", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Storage", + "severity": "High", + "text": "Leverage a storagev2 account type for better performance and reliability", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Service", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Storage", "severity": "High", - "text": "Familiarize with reliability support in Azure App Service", + "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service 
Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Service", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Storage", "severity": "Medium", - "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan", + "text": "For write operation after failover, use customer-Managed Failover ", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Service", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Storage", "severity": "Medium", - "text": "Monitor App Service instances using Health checks", + "text": "Understand Microsoft-Managed Failover details", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Service", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Storage", "severity": "Medium", - "text": "Monitor availability and 
responsiveness of web app or website using Application Insights availability tests", + "text": "Enable Soft Delete", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Service", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", "severity": "Low", - "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use Azure Key Vault to store any secrets the application needs. 
Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Service", - "severity": "High", - "text": "Use Key Vault to store secrets", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. ", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", + "severity": "Medium", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Service", - "severity": "High", - "text": "Use Managed Identity to connect to Key Vault", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically 
created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. ", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", + "severity": "Medium", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Store the App Service TLS certificate in Key Vault.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Service", - "severity": "High", - "text": "Use Key Vault to store TLS certificate.", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", + "severity": "Medium", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Service", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", + "severity": "High", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. 
Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "severity": "Medium", - "text": "Isolate systems that process sensitive information", + "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Service", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "severity": "Medium", - "text": "Do not store sensitive data on local disk", + "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Service", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "severity": "Medium", - "text": "Use an established Identity Provider for authentication", + "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. 
This avoids code that was not version controlled and verified to be deployed from a malicious host.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Service", - "severity": "High", - "text": "Deploy from a trusted environment", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", + "severity": "Medium", + "text": "Leverage FTA Resillency HandBook", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. Note that the SCM site can also be opened using Azure AD credentials.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Service", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "severity": "High", - "text": "Disable basic authentication", + "text": "Leverage Availability Zones if regionally applicable", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Service", - "severity": "High", - "text": "Use Managed Identity to connect to resources", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", + "severity": "Medium", + "text": "Use the Premium or Dedicated SKUs for predicable performance", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Service", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace 
(Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "severity": "High", - "text": "Pull containers using a Managed Identity", + "text": "Plan for Geo Disaster Recovery using Active Passive configuration", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Service", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "severity": "Medium", - "text": "Send App Service runtime logs to Log Analytics", + "text": "For Business Critical Applications, use Active Active configuration", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Service", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "severity": "Medium", - "text": "Send App Service activity logs to Log Analytics", + "text": "Design Resilient Event Hubs", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. 
Ensure to monitor the Firewall's logs.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Service", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", "severity": "Medium", - "text": "Outbound network access should be controlled", - "waf": "Reliability" + "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal", + "waf": "Operations" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. 
(Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Service", - "severity": "Low", - "text": "Ensure a stable IP for outbound communications towards internet addresses", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "AppGW", + "severity": "Medium", + "text": "Ensure you are using Application Gateway v2 SKU", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. 
Different access restrictions can be required and configured for the web app itself and the SCM site.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Service", - "severity": "High", - "text": "Inbound network access should be controlled", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", + "severity": "Medium", + "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. 
Make sure to monitor the WAF's logs.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Service", - "severity": "High", - "text": "Use a WAF in front of App Service", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", + "severity": "Medium", + "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Service", - "severity": "High", - "text": "Avoid for WAF to be bypassed", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, 
'/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "AppGW", + "severity": "Medium", + "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Set minimum TLS policy to 1.2 in App Service configuration.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Service", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. 
Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "AppGW", "severity": "Medium", - "text": "Set minimum TLS policy to 1.2", + "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Service", - "severity": "High", - "text": "Use HTTPS only", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "AppGW", + "severity": "Medium", + "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - 
"checklist": "Azure App Service Review", - "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). Specifically only allow the origins that you expect to be able to access the service.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Service", - "severity": "High", - "text": "Wildcards must not be used for CORS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "AppGW", + "severity": "Medium", + "text": "Configure autoscaling with a minimum amount of instances of two.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. 
Note that the service does turn of remote debugging automatically after 48 hours.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Service", - "severity": "High", - "text": "Turn off remote debugging", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "AppGW", + "severity": "Medium", + "text": "Deploy Application Gateway across Availability Zones", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. 
Review the recommendations from Defender for App Service as part of your operations.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Service", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", "severity": "Medium", - "text": "Enable Defender for Cloud - Defender for App Service", + "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Service", + "service": "Front Door", "severity": "Medium", - "text": "Enable DDOS Protection Standard on the WAF VNet", + "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Service", - "severity": "Medium", - "text": "Pull containers over a Virtual Network", + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", + "severity": "High", + "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Service", - "severity": "Medium", - "text": "Conduct a penetration test", + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + 
"severity": "Low", + "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Service", + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "severity": "Medium", - "text": "Deploy validated code", + "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Reliability" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Service", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, 
policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", "severity": "High", - "text": "Use up-to-date platforms, languages, protocols and frameworks", + "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", - "severity": "Medium", - "text": "Leverage Flexible Server", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", + "severity": "High", + "text": "Avoid combining Azure Traffic Manager and Azure Front Door.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "ammp": true, + "arm-service": 
"microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", "severity": "High", - "text": "Leverage Availability Zones where regionally applicable", + "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", - "severity": "Medium", - "text": "Leverage Data-in replication for cross-region DR scenarios", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "Low", + "text": "Disable 
health probes when there is only one origin in an Azure Front Door origin group.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", - "guid": "ba7da7be-9951-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", - "service": "Data Explorer", - "text": "Leverage External Tables and Continuous data export overview to reduce costs", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", + "severity": "Medium", + "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. 
If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", - "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", - "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", - "service": "Data Explorer", - "text": "To share data, explore Leader-follower cluster configuration", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", + "severity": "Low", + "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", - "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", - "service": "Data Explorer", - "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", + "ammp": true, + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", + "severity": "High", + "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "436b0635-cb45-4e57-a603-324ace8cc123", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", - "service": "Data Explorer", - "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", - "waf": "Reliability" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, 
id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", + "severity": "High", + "text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", - "service": "Data Explorer", - "text": "Ingest data into each cluster in parallel", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", + "severity": "Medium", + "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is also called 'always-on'. 
For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", - "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", - "service": "Data Explorer", - "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", + "severity": "High", + "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. The cluster SKU must be the same across regions.", - "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", - "service": "Data Explorer", - "text": "For critical applications, create Active-Active configuration in two paired regions", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. 
While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", - "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", - "service": "Data Explorer", - "text": "For applications, which required only read during failure, create Active-Hot standby configuration", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", + "severity": "Medium", + "text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", - "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", - "service": "Data Explorer", - "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", + "severity": "High", + "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", - "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Data Explorer", - "text": "Wrap DevOps and source control around all your code", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", + "severity": "High", + "text": "Tune the Azure Front Door WAF for your workload by configuring the WAF in Detection mode to reduce and fix false positive detections.", 
"waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Data Explorer", - "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", + "severity": "High", + "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Data Explorer", - "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", + "severity": "High", + "text": "Enable the Azure Front Door WAF default rule sets. 
The default rule sets detect and block common attacks.", "waf": "Reliability" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", "severity": "High", - "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", + "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", "waf": "Reliability" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", "severity": "Medium", - "text": "Configure data persistence for an Azure Cache for Redis instance. 
Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", + "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", "waf": "Reliability" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", "severity": "Medium", - "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", + "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Reliability" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", "severity": "Medium", - "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", + "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "Medium", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "AppGW", + "severity": "High", + "text": "Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots.", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", - "severity": "Medium", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "AppGW", + "severity": "High", + "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. 
consumer group, event hub entity, event hub namespaces, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "AppGW", "severity": "High", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. Reduce false positive detections.", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", - "severity": "Medium", - "text": "Enable logging for security investigation. 
Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AppGW", + "severity": "High", + "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "AppGW", "severity": "Medium", - "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "AppGW", "severity": "Medium", - "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "text": "Use a high threshold for Azure Application Gateway WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", - "severity": "Medium", - "text": "Leverage FTA Resillency HandBook", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "AppGW", + "severity": "Low", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "AppGW", + "severity": "Medium", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "AppGW", "severity": "Medium", - "text": "Use the Premium or Dedicated SKUs for predicable performance", + "text": "Use the latest Azure Application Gateway WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", "waf": "Reliability" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "severity": "High", - "text": "Plan for Geo Disaster Recovery using Active Passive configuration", - "waf": "Reliability" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "AppGW", + "severity": "Medium", + "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", + "waf": "Operations" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", "severity": "Medium", - "text": "For Business Critical Applications, use Active Active configuration", - "waf": "Reliability" + "text": "Add diagnostic settings to save your Azure Front Door WAF logs.", + "waf": "Operations" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "AppGW", "severity": "Medium", - "text": "Design Resilient Event Hubs", - "waf": "Reliability" + "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", - "severity": "High", - "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", - "waf": "Reliability" + "arm-service": 
"microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", + "severity": "Medium", + "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "AppGW", "severity": "Medium", - "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", - "waf": "Reliability" + "text": "Define your Azure Application Gateway WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", - "severity": "High", - "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", - "waf": "Reliability" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "AppGW", + "severity": "Medium", + "text": "Use WAF Policies instead of the legacy WAF configuration.", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "AppGW", "severity": "Medium", - "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", + "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", + "link": 
"https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", + "service": "Front Door", "severity": "Medium", - "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "text": "Make sure your origins only take traffic from your Azure Front Door instance.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "AppGW", "severity": "High", - "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", + "text": "You should encrypt traffic to the backend servers.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", - "severity": "Medium", - "text": "Has an RBAC model been created for use within VMware vSphere", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "AppGW", + "severity": "High", + "text": "You should use a Web Application Firewall.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": 
"https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "AppGW", "severity": "Medium", - "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "text": "Redirect HTTP to HTTPS", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", - "severity": "High", - "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", - "waf": "Reliability" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "AppGW", + "severity": "Medium", + "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "AppGW", "severity": "High", - "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", + "text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": 
"https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", - "severity": "High", - "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", - "severity": "High", - "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "AppGW", + "severity": "Low", + "text": "Create custom error pages to display a personalized user experience", "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "AppGW", "severity": "Medium", - "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", - "waf": "Operations" + "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "arm-service": 
"microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "AppGW", "severity": "Medium", - "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", - "waf": "Operations" - }, + "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", + "waf": "Performance" + }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "severity": "High", - "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", - "waf": "Operations" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "AppGW", + "severity": "Medium", + "text": "Use transport layer load balancing", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", - "severity": "High", - "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": 
"AppGW", + "severity": "Medium", + "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", - "severity": "High", - "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "AppGW", + "severity": "Medium", + "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", - "severity": "Medium", - "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "AppGW", + "severity": "Low", + "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", "severity": "High", - "text": "Limit use of CloudAdmin account to emergency access only", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", - "severity": "Medium", - "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", - "severity": 
"Medium", - "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", "severity": "High", - "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "Medium", - "text": "Is East-West traffic filtering implemented within NSX-T", - "waf": "Reliability" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design 
Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "OpenAI", "severity": "High", - "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", - "waf": "Reliability" + "text": "Follow Metaprompting guardrails for resonsible AI", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "OpenAI", "severity": "High", - "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", - "severity": "Medium", - "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", - "waf": "Reliability" + "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - 
"guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", - "severity": "Medium", - "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "OpenAI", + "severity": "High", + "text": "Enable monitoring for your AOAI instances", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", - "severity": "Medium", - "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "OpenAI", + "severity": "High", + "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", - "severity": "Medium", - "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "OpenAI", + "severity": "High", + "text": "Monitor token usage to prevent service disruptions due to capacity", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "OpenAI", "severity": "Medium", - "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", - "waf": "Reliability" + "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "OpenAI", "severity": "Low", - "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)", - "waf": "Reliability" + "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", - "severity": "Low", - "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "OpenAI", + "severity": "High", + "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", - "severity": "Medium", - "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "OpenAI", + "severity": "High", + "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + 
"checklist": "Azure OpenAI Review", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "OpenAI", "severity": "High", - "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", - "waf": "Reliability" + "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. Leverage capabilities in PromptFlow for Evaluation.", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", + "service": "OpenAI", "severity": "High", - "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", - "waf": "Reliability" + "text": "Evaluate usage of Provisioned throughput model ", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", + "service": "OpenAI", "severity": "High", - "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", - "waf": "Reliability" + "text": "Review and implement Azure AI content safety", + "waf": "Operations" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", - "severity": "Medium", - "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", + "service": "OpenAI", + "severity": "High", + "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", + "service": "OpenAI", "severity": "Medium", - "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", - "waf": "Operations" + "text": "Improve latency of the system by limiting token sizes, streaming options", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "OpenAI", "severity": "Medium", - "text": "Ensure a good 
cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", - "waf": "Cost" + "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", - "severity": "Low", - "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", - "waf": "Cost" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5bda4332-4f24-4811-9331-82ba51752694", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "OpenAI", + "severity": "High", + "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "OpenAI", "severity": "Medium", - "text": "Consider the use of Azure Private-Link when using other Azure Native Services", - "waf": "Reliability" + "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. 
Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", + "service": "OpenAI", "severity": "High", - "text": "Ensure all required resource reside within the same Azure availability zone(s)", + "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity", "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e9951904-8384-45c9-a6cb-2912156a1147", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "OpenAI", "severity": "Medium", - "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", - "waf": "Reliability" + "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", - "severity": "Medium", - "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", + "link": 
"https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "OpenAI", + "severity": "Low", + "text": "Deploy multiple OAI instances across regions", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "OpenAI", "severity": "High", - "text": "Enable Diagnostic and metric logging on Azure VMware Solution", - "waf": "Operations" + "text": "Implement retry & healthchecks with Gateway pattern like APIM", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", + "service": "OpenAI", "severity": "Medium", - "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", - "waf": "Operations" + "text": "Ensure having adequate quotas of TPM & RPM for the workload", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", + "link": 
"https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", + "service": "OpenAI", "severity": "Medium", - "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f154e3a-a369-4282-ae7e-316183687a04", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "OpenAI", "severity": "Medium", - "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", + "text": "Deploy separate fine tuned models across regions if finetuning is employed", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77a1f893-5bda-4433-84f2-4811633182ba", + "link": "https://learn.microsoft.com/azure/backup/backup-overview", + "service": "OpenAI", "severity": "Medium", - "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", + "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. 
Leverage Azure's backup and disaster recovery services to protect your data.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "OpenAI", "severity": "High", - "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", + "text": "Azure AI search service tiers should be choosen to have a SLA ", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", - "severity": "High", - "text": "Are data processing implications (service provider / service consumer model) clear and documented", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", + "link": "https://learn.microsoft.com/purview/purview", + "service": "OpenAI", + "severity": "Low", + "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", - "severity": "Medium", - "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", + "service": "OpenAI", + "severity": "High", + "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", + "link": "https://learn.microsoft.com/azure/search/search-security-overview", + "service": "OpenAI", "severity": "High", - "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", - "waf": "Operations" + "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", - "severity": "High", - "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", - "severity": "High", - "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + 
"checklist": "Azure OpenAI Review", + "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "OpenAI", "severity": "High", - "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", - "waf": "Operations" + "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", + "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", + "service": "OpenAI", "severity": "Medium", - "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "severity": "Low", - "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", - "waf": "Operations" + "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + 
"checklist": "Azure OpenAI Review", + "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", + "service": "OpenAI", "severity": "High", - "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", - "severity": "Medium", - "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", - "waf": "Operations" + "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", + "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", + "service": "OpenAI", "severity": "Medium", - "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", - "waf": "Operations" + "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", - "severity": "Medium", - "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "OpenAI", + "severity": "High", + "text": "Implement Prompt shields and groundedness detection using Content Safety ", "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", - "severity": "Medium", - "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", + "link": "https://learn.microsoft.com/azure/compliance/", + "service": "OpenAI", + "severity": "High", + "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": 
"Azure OpenAI Review", + "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", + "service": "OpenAI", "severity": "Medium", - "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", - "waf": "Operations" + "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", - "severity": "Medium", - "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", + "service": "OpenAI", + "severity": "High", + "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", + "service": "OpenAI", "severity": "Medium", - "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", + "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. 
For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", + "service": "OpenAI", "severity": "Medium", - "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", + "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", - "severity": "Medium", - "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", + "service": "OpenAI", + "severity": "High", + "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. 
This data should be afforded the same protective measures as the source material", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", - "severity": "Medium", - "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "OpenAI", + "severity": "High", + "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", + "service": "OpenAI", "severity": "High", - "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", + "text": "Configure private endpoint for AI services to restrict service access within your network", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", - "severity": "Medium", - "text": "Use the geopolitical region pair as the secondary disaster recovery environment", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"ac8ac199-ebb9-41a3-9d90-cae2cc881370", + "service": "OpenAI", + "severity": "High", + "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", + "service": "OpenAI", "severity": "High", - "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", + "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", + "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", + "service": "OpenAI", "severity": "Medium", - "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", + "text": "Use prompt compression tools like LLMLingua or gprtrim", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "OpenAI", + "severity": "High", + "text": 
"Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", + "service": "OpenAI", "severity": "Medium", - "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]", + "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "93555620-2bfe-4456-9b0d-834a348b263e", + "service": "OpenAI", "severity": "Medium", - "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. 
Enable logging to capture network events and facilitate forensic analysis in case of security incidents", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", + "service": "OpenAI", "severity": "Medium", - "text": "Deploy your backup solution outside of vSan, on Azure native components", + "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "OpenAI", "severity": "Low", - "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", - "waf": "Reliability" + "text": "Azure AI Services are properly tagged for better management", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "OpenAI", "severity": "Low", - "text": "For manual 
deployments, all configuration and deployments must be documented", + "text": "Azure AI Service accounts follows organizational naming conventions", "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "Low", - "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "OpenAI", + "severity": "High", + "text": "Diagnostic logs in Azure AI services resources should be enabled", "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", - "severity": "Low", - "text": "For automated deployments, deploy a minimal private cloud and scale as needed", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/ai-services/authentication", + "service": "OpenAI", + "severity": "High", + "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - "severity": "Low", - "text": "For automated deployments, request or reserve quota prior to starting the deployment", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "OpenAI", + "severity": "High", + "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", - "severity": "Low", - "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "OpenAI", + "severity": "High", + "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "Low", - "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", - "waf": "Operations" + 
"arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "OpenAI", + "severity": "High", + "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "Low", - "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "OpenAI", + "severity": "High", + "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "Low", - "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "OpenAI", + "severity": "High", + "text": "Setup a process to regularly 
update and patch the LLM libraries and other system components", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "Low", - "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "OpenAI", + "severity": "High", + "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "OpenAI", "severity": "Medium", - "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", - "waf": "Performance" + "text": "Understand difference in cost of base models and fine tuned models and token step sizes", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "OpenAI", + "severity": "High", + "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "OpenAI", "severity": "Medium", - "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", - "waf": "Performance" + "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "OpenAI", "severity": "Medium", - "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", - "waf": "Performance" + "text": "Set a maximum limit on the number of tokens per model response. 
Optimize the size to ensure it is large enough for a valid response", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "OpenAI", "severity": "Medium", - "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", - "waf": "Performance" + "text": "Review the guidance provided on setting up AI search for Reliability", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "OpenAI", "severity": "Medium", - "text": "Define and enforce scale in/out maximum limits for your environment in the automations", - "waf": "Performance" + "text": "Plan and manage AI Search Vector storage", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "OpenAI", "severity": "Medium", - "text": "Implement monitoring rules to monitor 
automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications", "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "OpenAI", "severity": "High", - "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Reliability" + "text": "Evaluate usage of billing models - PAYG vs PTU", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "High", - "text": "When using MON, you cannot enable MON on more than 100 Network extensions", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + 
"checklist": "Azure OpenAI Review", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "OpenAI", "severity": "Medium", - "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", - "waf": "Performance" + "text": "Evaluate the quality of prompts and applications when switching between model versions", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "OpenAI", "severity": "Medium", - "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", - "waf": "Performance" + "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence, fluency, �", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "OpenAI", "severity": "Medium", - "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", - "waf": "Reliability" + "text": "Evaluate your Azure AI Search results based on different search parameters", + "waf": "Operations" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2744293b-b628-4537-a551-19b08e8f5854", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "OpenAI", "severity": "Medium", - "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", - "waf": "Reliability" + "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "OpenAI", "severity": "Medium", - "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", - "waf": "Reliability" + "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "OpenAI", "severity": "Medium", - "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", - "severity": "High", - "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", - "severity": "High", - "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", + "text": "Red team your GenAI applications", "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", - "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", - "waf": "Reliability" + "arm-service": 
"Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "OpenAI", + "severity": "Medium", + "text": "Provide end users with scoring options for LLM responses and track these scores. ", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "OpenAI", "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", - "waf": "Reliability" + "text": "Consider Quota management practices", + "waf": "Cost" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "High", - "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "OpenAI", + "severity": "Medium", + "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and 
regions", + "waf": "Operations" }, { "arm-service": "Microsoft.Devices/IotHubs", 
@@ -4425,4292 +4436,4281 @@ "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "OpenAI", + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "af416482-663c-4ed6-b195-b44c7068e09c", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", + "service": "Container Apps", "severity": "High", - "text": "Follow Metaprompting guardrails for resonsible AI", - "waf": "Operations" + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "OpenAI", + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", + "service": "Container Apps", "severity": "High", - "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", - "waf": "Operations" + "text": "Use more than one replica and enable Zone Redundancy.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - 
"service": "OpenAI", + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "severity": "High", - "text": "Enable monitoring for your AOAI instances", - "waf": "Operations" + "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "OpenAI", + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "severity": "High", - "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", - "waf": "Operations" + "text": "Use Front Door or Traffic Manager to route traffic to the closest region", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "OpenAI", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "PostgreSQL Review Checklist", + "guid": 
"65285269-441c-44bf-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", + "service": "PostgreSQL", + "severity": "Medium", + "text": "Leverage Flexible Server", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "PostgreSQL Review Checklist", + "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", + "service": "PostgreSQL", "severity": "High", - "text": "Monitor token usage to prevent service disruptions due to capacity", - "waf": "Operations" + "text": "Leverage Availability Zones where regionally applicable", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "OpenAI", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "PostgreSQL Review Checklist", + "guid": "31b67c67-be59-4519-8083-845d587cb391", + "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", + "service": "PostgreSQL", "severity": "Medium", - "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", - "waf": "Operations" + "text": "Leverage cross-region read replicas for BCDR", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", "severity": "Low", - "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "OpenAI", - "severity": "High", - "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "OpenAI", - "severity": "High", - "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", + "text": "If required for AKS Windows workloads HostProcess containers can be used", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "OpenAI", - "severity": "High", - "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. 
Leverage capabilities in PromptFlow for Evaluation.", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "OpenAI", - "severity": "High", - "text": "Evaluate usage of Provisioned throughput model ", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "Low", + "text": "Use KEDA if running event-driven workloads", "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "OpenAI", - "severity": "High", - "text": "Review and implement Azure AI content safety", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "Low", + "text": "Use Dapr to ease microservice development", "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": 
"71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", "severity": "High", - "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "OpenAI", - "severity": "Medium", - "text": "Improve latency of the system by limiting token sizes, streaming options", - "waf": "Performance" + "text": "Use the SLA-backed AKS offering", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "OpenAI", - "severity": "Medium", - "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. 
For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", - "waf": "Performance" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "Low", + "text": "Use Disruption Budgets in your pod and deployment definitions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "OpenAI", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "severity": "High", - "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", - "waf": "Performance" + "text": "If using a private registry, configure region replication to store images in multiple regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "OpenAI", - "severity": "Medium", - "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. 
Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", - "waf": "Performance" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", + "severity": "Low", + "text": "Use an external application such as kubecost to allocate costs to different users", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "OpenAI", - "severity": "High", - "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity", - "waf": "Performance" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", + "severity": "Low", + "text": "Use scale down mode to delete/deallocate nodes", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "severity": "Medium", - "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance", - "waf": "Performance" + "text": "When required use 
multi-instance partitioning GPU on AKS Clusters", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", "severity": "Low", - "text": "Deploy multiple OAI instances across regions", - "waf": "Reliability" + "text": "If running a Dev/Test cluster use NodePool Start/Stop", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "OpenAI", - "severity": "High", - "text": "Implement retry & healthchecks with Gateway pattern like APIM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", + "severity": "Medium", + "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "Medium", - "text": "Ensure having adequate quotas of TPM & RPM for the workload", + "text": "Separate applications from the control plane with user/system node pools", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "OpenAI", - "severity": "Medium", - "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "Low", + "text": "Add taint to your system nodepool to make it dedicated", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "severity": "Medium", - "text": "Deploy separate fine tuned models across regions if finetuning is employed", + "text": "Use a private registry for your images, such as ACR", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "OpenAI", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "severity": "Medium", - "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.", + "text": "Scan your images for vulnerabilities", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "severity": "High", - "text": "Azure AI search service tiers should be choosen to have a SLA ", + "text": "Define app separation requirements (namespace/nodepool/cluster)", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "OpenAI", - "severity": "Low", - "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", + "severity": "Medium", + "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "severity": "High", - "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK", + "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "OpenAI", - "severity": "High", - "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", + "severity": "Medium", + "text": "If required add Key Management Service etcd encryption", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "OpenAI", - "severity": "High", - "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", + "severity": "Low", + "text": "If required consider using Confidential Compute for AKS", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "severity": "Medium", - "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes", + "text": "Consider using Defender for Containers", "waf": "Reliability" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "severity": "High", - "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response", + "text": "Use managed identities instead of Service Principals", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "severity": "Medium", - "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities", + "text": "Integrate authentication with AAD (using the managed integration)", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "OpenAI", - "severity": "High", - "text": "Implement Prompt shields and groundedness detection using Content Safety ", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "OpenAI", - "severity": "High", - "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", + "severity": "Medium", + "text": "Limit access to admin kubeconfig (get-credentials --admin)", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "severity": "Medium", - "text": "Educate your employees about data security best practices, the importance of 
handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.", + "text": "Integrate authorization with AAD RBAC", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "severity": "High", - "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.", + "text": "Use namespaces for restricting RBAC privilege in Kubernetes", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "severity": "Medium", - "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. 
For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols", + "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "severity": "Medium", - "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies", + "text": "For AKS non-interactive logins use kubelogin (preview)", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "OpenAI", - "severity": "High", - "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. 
This data should be afforded the same protective measures as the source material", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", + "severity": "Medium", + "text": "Disable AKS local accounts", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "OpenAI", - "severity": "High", - "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Low", + "text": "Configure if required Just-in-time cluster access", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "OpenAI", - "severity": "High", - "text": "Configure private endpoint for AI services to restrict service access within your network", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": 
"https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Low", + "text": "Configure if required AAD conditional access for AKS", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "OpenAI", - "severity": "High", - "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "Low", + "text": "If required for Windows AKS workloads configure gMSA ", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "OpenAI", - "severity": "High", - "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", + "severity": "Medium", + "text": "For finer control consider using a managed Kubelet Identity", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "OpenAI", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "severity": "Medium", - "text": "Use prompt compression tools like LLMLingua or gprtrim", - "waf": "Cost" + "text": "If using AGIC, do not share an AppGW across clusters", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "severity": "High", - "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", + "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS 
Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "severity": "Medium", - "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", + "text": "For Windows workloads use Accelerated Networking", + "waf": "Performance" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", + "severity": "High", + "text": "Use the standard ALB (as opposed to the basic one)", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "severity": "Medium", - "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. 
Enable logging to capture network events and facilitate forensic analysis in case of security incidents", + "text": "If using Azure CNI, consider using different Subnets for NodePools", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", "severity": "Medium", - "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", + "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "OpenAI", - "severity": "Low", - "text": "Azure AI Services are properly tagged for better management", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "High", + "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - 
"checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "OpenAI", - "severity": "Low", - "text": "Azure AI Service accounts follows organizational naming conventions", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "High", + "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "High", - "text": "Diagnostic logs in Azure AI services resources should be enabled", - "waf": "Operations" + "text": "If using Azure CNI, check the maximum pods/node (default 30)", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "OpenAI", - "severity": "High", - "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "Low", + "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "High", - "text": "Store and manage keys securely using Azure Key Vault. 
Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", + "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "OpenAI", - "severity": "High", - "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "Low", + "text": "If required add your own CNI plugin", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "OpenAI", - "severity": "High", - "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode", - "waf": "Cost" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "Low", + "text": "If required configure Public IP per node in AKS", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", - "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", - "service": 
"OpenAI", - "severity": "High", - "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", + "severity": "Medium", + "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "OpenAI", - "severity": "High", - "text": "Setup a process to regularly update and patch the LLM libraries and other system components", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", + "severity": "Low", + "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "OpenAI", - "severity": "High", - "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", "severity": "Medium", - "text": "Understand difference in cost of base models and fine tuned models and token step sizes", - "waf": "Cost" + "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "severity": "High", - "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. 
Ensure you optimize batch size", - "waf": "Cost" + "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "severity": "Medium", - "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", - "waf": "Cost" + "text": "If using a public API endpoint, restrict the IP addresses that can access it", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "OpenAI", - "severity": "Medium", - "text": "Set a maximum limit on the number of tokens per model response. 
Optimize the size to ensure it is large enough for a valid response", - "waf": "Cost" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", + "severity": "High", + "text": "Use private clusters if your requirements mandate it", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "Medium", - "text": "Review the guidance provided on setting up AI search for Reliability", - "waf": "Operations" + "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "OpenAI", - "severity": "Medium", - "text": "Plan and manage AI Search 
Vector storage", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", + "severity": "High", + "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "OpenAI", - "severity": "Medium", - "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "High", + "text": "Use Kubernetes network policies to increase intra-cluster security", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "High", 
- "text": "Evaluate usage of billing models - PAYG vs PTU", - "waf": "Cost" + "text": "Use a WAF for web workloads (UIs or APIs)", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", "severity": "Medium", - "text": "Evaluate the quality of prompts and applications when switching between model versions", - "waf": "Operations" + "text": "Use DDoS Standard in the AKS Virtual Network", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "OpenAI", - "severity": "Medium", - "text": "Evaluate, monitor and refine your GenAI apps for 
features like groundedness, relevance, accuracy, coherence, fluency, �", - "waf": "Operations" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", + "severity": "Low", + "text": "If required add company HTTP Proxy", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", "severity": "Medium", - "text": "Evaluate your Azure AI Search results based on different search parameters", - "waf": "Operations" + "text": "Consider using a service mesh for advanced microservice communication management", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": 
"OpenAI", - "severity": "Medium", - "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", + "severity": "High", + "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "OpenAI", - "severity": "Medium", - "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", + "severity": "Low", + "text": "Check regularly Azure Advisor for recommendations on your cluster", "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "OpenAI", - "severity": "Medium", - "text": "Red team your GenAI applications", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": 
"AKS", + "severity": "Low", + "text": "Enable AKS auto-certificate rotation", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "OpenAI", - "severity": "Medium", - "text": "Provide end users with scoring options for LLM responses and track these scores. ", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", + "severity": "High", + "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", "severity": "High", - "text": "Consider Quota management practices", - "waf": "Cost" + "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "OpenAI", - "severity": "Medium", - "text": "Use Load balancer solutions like APIM based gateway 
for balancing load and capacity across services and regions", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", + "severity": "High", + "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", - "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", - "service": "Purview", - "severity": "Medium", - "text": "Leverage FTA Resillency Handbook", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": "Low", + "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "High", - "text": "Plan for Data Center level outage", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", + "severity": "Low", + "text": "Consider using AKS command invoke on private clusters", + "waf": "Operations" }, { - "arm-service": 
"Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. Assign contacts to assets", - "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "Medium", - "text": "Practice Failover for BCDR", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", + "severity": "Low", + "text": "For planned events consider using Node Auto Drain", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "97b15b8a-219a-44ab-bb57-879024d22678", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", "severity": "High", - "text": "Plan a backup strategy and take regular backups", - "waf": "Reliability" + "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", - "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", - "service": "Purview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": 
"where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "severity": "Low", - "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", - "waf": "Reliability" + "text": "Use custom Node RG (aka 'Infra RG') name", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", - "link": "https://learn.microsoft.com/purview/deployment-best-practices", - "service": "Purview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "severity": "Medium", - "text": "Follow Purview accounts architectures and deployment best practices", - "waf": "Reliability" + "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", - "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", - "service": "Purview", - "severity": "Medium", - "text": "Follow Collection Architectures and best practices", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", + "severity": "Low", + "text": "Taint Windows nodes", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": 
"Microsoft Purview Review Checklist", - "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", - "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", - "service": "Purview", - "severity": "Medium", - "text": "Follow Assest lifecycle best practices", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "Low", + "text": "Keep windows containers patch level in sync with host patch level", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", - "service": "Purview", - "severity": "Medium", - "text": "Follow automation best practices", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Via Diagnostic Settings at the cluster level", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", + "severity": "Low", + "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "Medium", - "text": "Follow Backup and Migration Best practices", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + 
"guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + "severity": "Low", + "text": "If required use nodePool snapshots", + "waf": "Cost" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", - "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", - "service": "Purview", - "severity": "Medium", - "text": "Follow Purview Glossary Best Practices", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "Low", + "text": "Consider spot node pools for non time-sensitive workloads", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", - "link": "https://learn.microsoft.com/purview/concept-workflow", - "service": "Purview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "Low", - "text": "Leverage Workflows ", - "waf": "Reliability" + "text": "Consider AKS virtual node for quick bursting", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", - "link": 
"https://learn.microsoft.com/purview/concept-best-practices-security", - "service": "Purview", - "severity": "Medium", - "text": "Follow Purview Security Best Practices", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "High", + "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", - "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", - "service": "Purview", - "severity": "Medium", - "text": "Follow Purview Data Lineage Best Practices", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "High", + "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", - "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", - "service": "Purview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", "severity": "Medium", - "text": "Follow Best Practices for Scanning Registered Sources", - "waf": "Reliability" + "text": "Monitor CPU and memory utilization of the nodes", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", - "service": "Purview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "Medium", - "text": "Follow Classification Best Practices in Governance Portal", - "waf": "Reliability" + "text": "If using Azure CNI, monitor % of pod IPs consumed per node", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", - "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", - "service": "Purview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", "severity": "Medium", - "text": "Perform Sensitivity Labelling in the Purview Data Map", - "waf": "Reliability" + "text": "Monitor OS disk queue depth in nodes", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", - "link": "https://learn.microsoft.com/purview/concept-data-share", - "service": "Purview", - "severity": "Low", - "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", + "severity": "Medium", + "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", - "severity": "Low", - "text": "Leverage Data Estate Insights", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", + "severity": "Medium", + "text": "Subscribe to resource health notifications for your AKS cluster", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - 
"checklist": "Microsoft Purview Review Checklist", - "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", - "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", - "service": "Purview", - "severity": "Low", - "text": "Use Data stewardship and Catalog adoption", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "High", + "text": "Configure requests and limits in your pod specs", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", - "severity": "Low", - "text": "Use Inventory and Ownership", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "Medium", + "text": "Enforce resource quotas for namespaces", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", - "link": "https://learn.microsoft.com/purview/glossary-insights", - "service": "Purview", - "severity": "Low", - "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b130a888-9579-4e76-a896-e710a7da7be9", - "link": "https://learn.microsoft.com/purview/compliance-manager", - "service": "Purview", - "severity": "Medium", - "text": 
"Generate assessment scores", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", - "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", - "service": "Purview", - "severity": "Medium", - "text": "Profiling- get summaries of data content", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", - "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", - "service": "Purview", - "severity": "Low", - "text": "Follow Microsoft Purview Data Owner access policies", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", - "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", - "service": "Purview", - "severity": "Low", - "text": "Follow Self-service access policies", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", - "link": "https://learn.microsoft.com/purview/concept-policies-devops", - "service": "Purview", - "severity": "Low", - "text": "Follow DevOps policies", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", + "severity": "High", + "text": "Ensure your subscription has enough quota to scale out your nodepools", + "waf": "Operations" }, { "arm-service": "microsoft.containerservice/managedClusters", 
"checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", + "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", "service": "AKS", - "severity": "Low", - "text": "If required for AKS Windows workloads HostProcess containers can be used", - "waf": "Reliability" + "severity": "High", + "text": "Configure Liveness and Readiness probes for all deployments", + "waf": "Operations" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", "service": "AKS", - "severity": "Low", - "text": "Use KEDA if running event-driven workloads", + "severity": "Medium", + "text": "Use the Cluster Autoscaler", "waf": "Performance" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", "service": "AKS", "severity": "Low", - "text": "Use Dapr to ease microservice development", - "waf": "Operations" + "text": "Customize node configuration for AKS node pools", + "waf": "Performance" }, { "arm-service": 
"microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", "service": "AKS", - "severity": "High", - "text": "Use the SLA-backed AKS offering", - "waf": "Reliability" + "severity": "Medium", + "text": "Use the Horizontal Pod Autoscaler when required", + "waf": "Performance" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", "service": "AKS", - "severity": "Low", - "text": "Use Disruption Budgets in your pod and deployment definitions", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", "severity": "High", - "text": "If using a private registry, configure region replication to store images in multiple regions", - "waf": "Reliability" + "text": "Consider an appropriate node size, not too large or too small", + "waf": "Performance" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS 
Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", "service": "AKS", "severity": "Low", - "text": "Use an external application such as kubecost to allocate costs to different users", - "waf": "Cost" + "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "waf": "Performance" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", "service": "AKS", "severity": "Low", - "text": "Use scale down mode to delete/deallocate nodes", - "waf": "Cost" + "text": "Consider subscribing to EventGrid Events for AKS automation", + "waf": "Performance" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", "service": "AKS", - "severity": "Medium", - "text": "When required use multi-instance partitioning GPU on AKS Clusters", - "waf": "Cost" + "severity": "Low", + "text": "For long running operation on an AKS cluster consider event termination", + "waf": "Performance" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + 
"guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", "service": "AKS", "severity": "Low", - "text": "If running a Dev/Test cluster use NodePool Start/Stop", - "waf": "Cost" + "text": "If required consider using Azure Dedicated Hosts for AKS nodes", + "waf": "Performance" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", "service": "AKS", - "severity": "Medium", - "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", - "waf": "Reliability" + "severity": "High", + "text": "Use ephemeral OS disks", + "waf": "Performance" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": 
"https://learn.microsoft.com/azure/virtual-machines/disks-types", "service": "AKS", - "severity": "Medium", - "text": "Separate applications from the control plane with user/system node pools", - "waf": "Reliability" + "severity": "High", + "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", + "waf": "Performance" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", "service": "AKS", "severity": "Low", - "text": "Add taint to your system nodepool to make it dedicated", - "waf": "Reliability" + "text": "For hyper performance storage option use Ultra Disks on AKS", + "waf": "Performance" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", "service": "AKS", "severity": "Medium", - "text": "Use a private registry for your images, such as ACR", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", - "severity": "Medium", - "text": "Scan your images for vulnerabilities", - "waf": "Reliability" + "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, 
etc)", + "waf": "Performance" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", "service": "AKS", - "severity": "High", - "text": "Define app separation requirements (namespace/nodepool/cluster)", - "waf": "Reliability" + "severity": "Medium", + "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", + "waf": "Performance" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", "service": "AKS", "severity": "Medium", - "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", - "waf": "Reliability" + "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", - "severity": "High", - "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", - "waf": "Reliability" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": 
"a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Monitor", + "severity": "Medium", + "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Backup", "severity": "Medium", - "text": "If required add Key Management Service etcd encryption", - "waf": "Reliability" + "text": "check backup instances with the underlying datasource not found", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "Low", - "text": "If required consider using Confidential Compute for AKS", - "waf": "Reliability" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "severity": "Medium", + "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", + "waf": "Cost" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Backup", "severity": "Medium", - "text": "Consider using Defender for Containers", - "waf": "Reliability" + "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", - "severity": "High", - "text": "Use managed identities instead of Service Principals", - "waf": "Reliability" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Monitor", + "severity": "Medium", + "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that 
you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Monitor", "severity": "Medium", - "text": "Integrate authentication with AAD (using the managed integration)", - "waf": "Reliability" + "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", 
"severity": "Medium", - "text": "Limit access to admin kubeconfig (get-credentials --admin)", - "waf": "Reliability" + "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", "severity": "Medium", - "text": "Integrate authorization with AAD RBAC", - "waf": "Reliability" + "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", - "severity": "High", - "text": "Use namespaces for restricting RBAC privilege in Kubernetes", - "waf": "Reliability" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "severity": "Medium", + "text": "Make sure advisor is 
configured for VM right sizing ", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "description": "check by searching the Meter Category Licenses in the Cost analysys", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", "severity": "Medium", - "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", - "waf": "Reliability" + "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", "severity": "Medium", - "text": "For AKS non-interactive logins use kubelogin (preview)", - "waf": "Reliability" + "text": " this can be also put under AHUB if you already have licenses 
https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", "severity": "Medium", - "text": "Disable AKS local accounts", - "waf": "Reliability" + "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Low", - "text": "Configure if required Just-in-time cluster access", - "waf": "Reliability" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "severity": "Medium", + "text": "Utilize Azure Reserved Instances: This feature allows 
you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Low", - "text": "Configure if required AAD conditional access for AKS", - "waf": "Reliability" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "severity": "Medium", + "text": "Only larger disks can be reserved => 1 TiB -", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "severity": "Low", - "text": "If required for Windows AKS workloads configure gMSA ", - "waf": "Reliability" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "severity": "Medium", + "text": "After the right-sizing optimization", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "arm-service": "Microsoft.Sql/servers", + "checklist": "Cost Optimization Checklist", + "guid": 
"d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", "severity": "Medium", - "text": "For finer control consider using a managed Kubelet Identity", - "waf": "Reliability" + "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", "severity": "Medium", - "text": "If using AGIC, do not share an AppGW across clusters", - "waf": "Reliability" + "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", - "severity": "High", - "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", - "waf": "Reliability" + "arm-service": 
"Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "severity": "Medium", + "text": "Consider using a VMSS to match demand rather than flat sizing", + "waf": "Cost" }, { "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", "service": "AKS", "severity": "Medium", - "text": "For Windows workloads use Accelerated Networking", - "waf": "Performance" + "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", - "severity": "High", - "text": "Use the standard ALB (as opposed to the basic one)", - "waf": "Reliability" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Backup", + "severity": "Medium", + "text": "Move recovery 
points to vault-archive where applicable (Validate)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", "severity": "Medium", - "text": "If using Azure CNI, consider using different Subnets for NodePools", - "waf": "Reliability" + "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Functions", "severity": "Medium", - "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", - "waf": "Reliability" + "text": "Functions - Reuse connections", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "High", - "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", - "waf": "Reliability" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Functions", + "severity": "Medium", + "text": "Functions - Cache data locally", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "High", - "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", - "waf": "Performance" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Functions", + "severity": "Medium", + "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "High", - "text": "If using Azure CNI, check the maximum pods/node (default 30)", - "waf": "Performance" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Functions", + "severity": "Medium", + "text": "Functions - Keep your functions warm", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "Low", - "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", - "waf": "Reliability" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Functions", + "severity": "Medium", + "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "High", - "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", - "waf": "Reliability" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Functions", + "severity": "Medium", + "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - 
"service": "AKS", - "severity": "Low", - "text": "If required add your own CNI plugin", - "waf": "Reliability" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Functions", + "severity": "Medium", + "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "Low", - "text": "If required configure Public IP per node in AKS", - "waf": "Performance" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "severity": "Medium", + "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. 
This will return a 204 (No Content) to the PoP so only header data is returned.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", "severity": "Medium", - "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", - "waf": "Reliability" + "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. 
The advantage of this is you will be able to log out when it is called.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "Low", - "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", - "waf": "Reliability" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "severity": "Medium", + "text": "Consider archiving tiers for less used data", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", "severity": "Medium", - "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", - "waf": "Reliability" + "text": "Check disk sizes where the size does not match the tier (i.e. 
A 513 GiB disk will pay a P30 (1TiB) and consider resizing", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", - "severity": "High", - "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", - "waf": "Reliability" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "severity": "Medium", + "text": "Consider using standard SSD rather than Premium or Ultra where possible", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", "severity": "Medium", - "text": "If using a public 
API endpoint, restrict the IP addresses that can access it", - "waf": "Reliability" + "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", - "severity": "High", - "text": "Use private clusters if your requirements mandate it", - "waf": "Reliability" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "severity": "Medium", + "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": 
"https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", "severity": "Medium", - "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", - "waf": "Reliability" + "text": "Storage accounts: check hot tier and/or GRS necessary", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "severity": "Medium", + "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "severity": "Medium", + "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "severity": "Medium", + "text": "Export cost data to a storage account for additional data analysis.", + "waf": "Cost" + 
}, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "severity": "Medium", + "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "severity": "Medium", + "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "severity": "Medium", + "text": "Create multiple Apache Spark pool definitions of various sizes.", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "severity": "Medium", + "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": 
"393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "severity": "Medium", + "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "severity": "Medium", + "text": "Right-sizing all VMs", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "severity": "Medium", + "text": "Swap VM sized with normalized and most recent sizes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "severity": "Medium", + "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + 
"service": "VM", + "severity": "Medium", + "text": "Containerizing an application can improve VM density and save money on scaling it", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "High", - "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", + "text": "Enable 2 replicas to have 99.9% availability for read operations", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "High", - "text": "Use Kubernetes network policies to increase intra-cluster security", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "Medium", + "text": "Enable 3 replicas to have 99.9% availability for read/write operations", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + 
"service": "Cognitive Search", "severity": "High", - "text": "Use a WAF for web workloads (UIs or APIs)", + "text": "Leverage Availability Zones by enabling read and/or write replicas", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "Medium", - "text": "Use DDoS Standard in the AKS Virtual Network", + "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | 
project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
- "link": "https://learn.microsoft.com/azure/aks/http-proxy",
- "service": "AKS",
- "severity": "Low",
- "text": "If required add company HTTP Proxy",
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services",
+ "service": "Cognitive Search",
+ "severity": "Medium",
+ "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
- "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
- "service": "AKS",
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests",
+ "service": "Cognitive Search",
 "severity": "Medium",
- "text": "Consider using a service mesh for advanced microservice communication management",
+ "text": "Use Azure Traffic Manager to coordinate requests",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
- "service": "AKS",
+ "arm-service": "Microsoft.Search/searchServices",
+ "checklist": "Cognitive Search Review Checklist",
+ "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa",
+ "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives",
+ "service": "Cognitive Search",
 "severity": "High",
- "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)",
- "waf": "Operations"
+ "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
- "service": "AKS",
- "severity": "Low",
- "text": "Check regularly Azure Advisor for recommendations on your cluster",
- "waf": "Operations"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage",
+ "guid": "ba7da7be-9951-4914-a384-5d997cb39132",
+ "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export",
+ "service": "Data Explorer",
+ "text": "Leverage External Tables and Continuous data export overview to reduce costs",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
- "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
- "service": "AKS",
- "severity": "Low",
- "text": "Enable AKS auto-certificate rotation",
- "waf": "Operations"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.",
+ "guid": "56a22586-f490-4641-addd-ea8a377cdeb3",
+ "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp",
+ "service": "Data Explorer",
+ "text": "To share data, explore Leader-follower cluster configuration",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
- "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
- "service": "AKS",
- "severity": "High",
- "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature",
- "waf": "Operations"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.",
+ "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters",
+ "service": "Data Explorer",
+ "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
- "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
- "service": "AKS",
- "severity": "High",
- "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade",
- "waf": "Operations"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "436b0635-cb45-4e57-a603-324ace8cc123",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities",
+ "service": "Data Explorer",
+ "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
- "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
- "service": "AKS",
- "severity": "High",
- "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)",
- "waf": "Operations"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "18ca6017-0265-4f4b-a46a-393af7f31728",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution",
+ "service": "Data Explorer",
+ "text": "Ingest data into each cluster in parallel",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
- "service": "AKS",
- "severity": "Low",
- "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters",
- "waf": "Operations"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.",
+ "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration",
+ "service": "Data Explorer",
+ "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
- "link": "https://learn.microsoft.com/azure/aks/command-invoke",
- "service": "AKS",
- "severity": "Low",
- "text": "Consider using AKS command invoke on private clusters",
- "waf": "Operations"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. The cluster SKU must be the same across regions.",
+ "guid": "563a4dc7-4a74-48b6-922a-d190916a6649",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration",
+ "service": "Data Explorer",
+ "text": "For critical applications, create Active-Active configuration in two paired regions",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
- "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
- "service": "AKS",
- "severity": "Low",
- "text": "For planned events consider using Node Auto Drain",
- "waf": "Operations"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.",
+ "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration",
+ "service": "Data Explorer",
+ "text": "For applications, which required only read during failure, create Active-Hot standby configuration",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
- "link": "https://learn.microsoft.com/azure/aks/faq",
- "service": "AKS",
- "severity": "High",
- "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')",
- "waf": "Operations"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.",
+ "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration",
+ "service": "Data Explorer",
+ "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
- "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
- "severity": "Low",
- "text": "Use custom Node RG (aka 'Infra RG') name",
- "waf": "Operations"
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.",
+ "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Data Explorer",
+ "text": "Wrap DevOps and source control around all your code",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
- "link": "https://kubernetes.io/docs/setup/release/notes/",
- "service": "AKS",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Data Explorer",
+ "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Data Explorer",
+ "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments",
+ "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
+ "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
+ "service": "Entra",
 "severity": "Medium",
- "text": "Do not use deprecated Kubernetes APIs in your YAML manifests",
- "waf": "Operations"
+ "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
- "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
- "service": "AKS",
+ "checklist": "Identity Review Checklist",
+ "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
+ "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
+ "service": "AAD B2C",
+ "severity": "Medium",
+ "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes",
+ "waf": "Reliability"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
+ "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
+ "service": "AAD B2C",
+ "severity": "Medium",
+ "text": "Custom brand assets should be hosted on a CDN",
+ "waf": "Performance"
+ },
+ {
+ "checklist": "Identity Review Checklist",
+ "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
+ "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
+ "service": "AAD B2C",
 "severity": "Low",
- "text": "Taint Windows nodes",
- "waf": "Operations"
+ "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
- "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
- "service": "AKS",
- "severity": "Low",
- "text": "Keep windows containers patch level in sync with host patch level",
- "waf": "Operations"
+ "checklist": "Identity Review Checklist",
+ "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
+ "severity": "Medium",
+ "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "Via Diagnostic Settings at the cluster level",
- "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
- "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
- "service": "AKS",
- "severity": "Low",
- "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution",
- "waf": "Operations"
+ "checklist": "Identity Review Checklist",
+ "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
+ "severity": "Medium",
+ "text": "Don't replicate! Replication can create issues with directory synchronization",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
- "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
- "service": "AKS",
- "severity": "Low",
- "text": "If required use nodePool snapshots",
- "waf": "Cost"
+ "checklist": "Identity Review Checklist",
+ "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
+ "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
+ "service": "Windows AD",
+ "severity": "Medium",
+ "text": "Have active-active for multi-regions",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
- "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
- "service": "AKS",
- "severity": "Low",
- "text": "Consider spot node pools for non time-sensitive workloads",
- "waf": "Operations"
+ "checklist": "Identity Review Checklist",
+ "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Add Azure AD Domain service stamps to additional regions and locations",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
- "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
- "severity": "Low",
- "text": "Consider AKS virtual node for quick bursting",
- "waf": "Operations"
+ "checklist": "Identity Review Checklist",
+ "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
+ "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
+ "service": "Entra",
+ "severity": "Medium",
+ "text": "Use Replica Sets for DR",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
- "severity": "High",
- "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)",
- "waf": "Operations"
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx",
+ "service": "CosmosDB",
+ "severity": "Medium",
+ "text": "FTA Resiliency Playbook",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
- "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
+ "service": "CosmosDB",
 "severity": "High",
- "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)",
- "waf": "Operations"
+ "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
- "service": "AKS",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "guid": "0d934a34-8b26-43e7-bd60-513a3649906e",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages",
+ "service": "CosmosDB",
 "severity": "Medium",
- "text": "Monitor CPU and memory utilization of the nodes",
- "waf": "Operations"
+ "text": "Run multiple replicas of the database (>1 ) in Prod",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe",
+ "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions",
+ "service": "CosmosDB",
 "severity": "Medium",
- "text": "If using Azure CNI, monitor % of pod IPs consumed per node",
- "waf": "Operations"
+ "text": "Leverage Multi-Region Writes",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady",
- "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
- "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
- "service": "AKS",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Span Cosmos account across two or more regions with multi-region writes",
+ "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
+ "service": "CosmosDB",
 "severity": "Medium",
- "text": "Monitor OS disk queue depth in nodes",
- "waf": "Operations"
+ "text": "Distribute your data globally",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
- "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
- "service": "AKS",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong",
+ "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels",
+ "service": "CosmosDB",
+ "severity": "High",
+ "text": "Choose from several well-defined consistency models",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.",
+ "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover",
+ "service": "CosmosDB",
 "severity": "Medium",
- "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports",
- "waf": "Operations"
+ "text": "Enable Service managed failover",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
- "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
- "service": "AKS",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service.",
+ "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore",
+ "service": "CosmosDB",
 "severity": "Medium",
- "text": "Subscribe to resource health notifications for your AKS cluster",
- "waf": "Operations"
+ "text": "Enable Automatic Backups",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
- "severity": "High",
- "text": "Configure requests and limits in your pod specs",
- "waf": "Operations"
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. The minimum backup interval can be one hour.",
+ "guid": "a6eb33f6-005c-4d92-9286-7655672d6121",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction",
+ "service": "CosmosDB",
+ "severity": "Medium",
+ "text": "Perform Periodic Backups",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "769ef669-1a48-435a-a942-223ece80b123",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
+ "arm-service": "microsoft.documentdb/databaseAccounts",
+ "checklist": "CosmosDB Review Checklist",
+ "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. Continuous backups are taken in every region where the account exists.",
+ "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1",
+ "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction",
+ "service": "CosmosDB",
 "severity": "Medium",
- "text": "Enforce resource quotas for namespaces",
- "waf": "Operations"
+ "text": "Continous Backup with point-in-time restore in Azure Cosmos DB",
+ "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "AKS",
- "severity": "High",
- "text": "Ensure your subscription has enough quota to scale out your nodepools",
+ "checklist": "SAP Checklist",
+ "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
+ "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65",
- "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/",
- "service": "AKS",
- "severity": "High",
- "text": "Configure Liveness and Readiness probes for all deployments",
+ "checklist": "SAP Checklist",
+ "guid": "5d75e99d-624d-4afe-91d9-e17adc580790",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Azure supports automating SAP deployments in Linux and Windows. SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.",
+ "training": "https://github.com/Azure/sap-automation",
 "waf": "Operations"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
- "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use the Cluster Autoscaler",
- "waf": "Performance"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
- "guid": "831c2872-c693-4b39-a887-a561bada49bc",
- "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
- "service": "AKS",
- "severity": "Low",
- "text": "Customize node configuration for AKS node pools",
- "waf": "Performance"
+ "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use the Horizontal Pod Autoscaler when required",
- "waf": "Performance"
+ "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity",
- "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3",
- "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "b651423c-8552-42db-a545-5cb50c05527a",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "service": "SAP",
 "severity": "High",
- "text": "Consider an appropriate node size, not too large or too small",
- "waf": "Performance"
+ "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.",
+ "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d",
- "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits",
- "service": "AKS",
- "severity": "Low",
- "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster",
- "waf": "Performance"
+ "checklist": "SAP Checklist",
+ "guid": "aa208dca-784f-46c6-9014-cc919c542dc9",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb",
- "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks",
- "service": "AKS",
- "severity": "Low",
- "text": "Consider subscribing to EventGrid Events for AKS automation",
- "waf": "Performance"
+ "checklist": "SAP Checklist",
+ "guid": "ba07c007-1f90-43e9-aa4f-601346b80352",
+ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", "severity": "Low", - "text": "For long running operation on an AKS cluster consider event termination", - "waf": "Performance" + "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", - "severity": "Low", - "text": "If required consider using Azure Dedicated Hosts for AKS nodes", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", + "severity": "Medium", + "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "High", - "text": "Use ephemeral OS disks", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "Low", + "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "High", - "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and 
will generate huge logs with default AKS log rotation thresholds", - "waf": "Performance" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "Low", - "text": "For hyper performance storage option use Ultra Disks on AKS", - "waf": "Performance" + "text": "Native database replication technology should be used to synchronize the database in a HA pair.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", - "severity": "Medium", - "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "High", + "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", - "severity": "Medium", - "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for 
performance reasons", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "High", + "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", - "severity": "Medium", - "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "High", + "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", "severity": "High", - "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", + "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", - "severity": "Medium", - "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. 
Familiarize yourself with the Key Vault's availability and redundancy.", + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "High", + "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", - "severity": "Medium", - "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. Familiarize yourself with the Key Vault's data replication.", + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", + "severity": "High", + "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", - "severity": "Medium", - "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. Familiarize yourself with the Key Vault's failover guidance.", + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "severity": "High", + "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", - "severity": "Medium", - "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. 
This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.", + "checklist": "SAP Checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", + "severity": "High", + "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", "severity": "High", - "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", + "text": "Make sure the Floating IP is enabled on the Load balancer", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - 
"checklist": "Azure Key Vault", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", - "severity": "Low", - "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. Familiarize yourself with the Key Vault's soft-delete guidance.", + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "severity": "High", + "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Low", - "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", + "severity": "High", + "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Low", - "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "High", + "text": "Do not mix servers of different roles in the same availability set. 
Keep central services VMs, database VMs, application VMs in their own availability sets", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "severity": "Medium", - "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.", + "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Storage", - "severity": "Medium", - "text": "Consider the 'Azure security baseline for storage'", + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "High", + "text": "When you create availability sets, use the maximum number of 
fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. The default number of fault domains is two, and you can't change it online later.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Azure Storage by default has a public IP address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "High", - "text": "Consider using private endpoints for Azure Storage", + "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Storage", - "severity": "Medium", - "text": "Ensure older storage accounts are not using 'classic deployment model'", + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "High", + "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "High", - "text": "Enable Microsoft Defender for all of your storage accounts", + "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - 
"link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "severity": "Medium", - "text": "Enable 'soft delete' for blobs", + "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "Medium", - "text": "Disable 'soft delete' for blobs", + "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", + "severity": "Medium", + "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" + }, + { + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "High", - "text": "Enable 'soft delete' for containers", + "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. 
At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Storage", - "severity": "Medium", - "text": "Disable 'soft delete' for containers", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", + "severity": "High", + "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", "severity": "High", - "text": "Enable resource locks on storage accounts", + "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.",
- "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
- "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
+ "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
 "severity": "High",
- "text": "Consider immutable blobs",
+ "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. 
",
- "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Automate SAP System Start-Stop to manage costs.",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
+ "service": "SAP",
 "severity": "High",
- "text": "Require HTTPS, i.e. 
disable port 80 on the storage account",
+ "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.",
- "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name",
- "service": "Storage",
- "severity": "High",
- "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.",
+ "checklist": "SAP Checklist",
+ "guid": "45911475-e39e-4530-accc-d979366bcda2",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.",
- "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
+ "link": 
"https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Limit shared access signature (SAS) tokens to HTTPS connections only",
+ "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "AAD tokens should be favored over shared access signatures, wherever possible",
- "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
- "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
- "service": "Storage",
- "severity": "High",
- "text": "Use Azure Active Directory (Azure AD) tokens for blob access",
+ "checklist": "SAP Checklist",
+ "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data.",
- "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Least privilege in IaM permissions",
+ "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
",
- "guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
- "service": "Storage",
- "severity": "High",
- "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.",
+ "checklist": "SAP Checklist",
+ "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. ",
- "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
- "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
- "service": "Storage",
- "severity": "High",
- "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.",
+ "checklist": "SAP Checklist",
+ "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).",
- "guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
- "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
- "service": "Storage",
- "severity": "High",
- "text": "Consider using Azure Monitor to audit control plane operations on the storage account",
+ "checklist": "SAP Checklist",
+ "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
+ "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. 
The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.",
- "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "16785d6f-a96c-496a-b885-18f482734c88",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
+ "service": "SAP",
 "severity": "Medium",
- "text": "When using storage account keys, consider enabling a 'key expiration policy'",
+ "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.",
- "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
- "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Consider configuring an SAS expiration policy",
+ "text": "Implement SSO to SAP HANA",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ",
- "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
- "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Consider linking SAS to a stored access policy",
+ "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. 
For more information, see Integrating the Service with Azure AD.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
- "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
+ "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.",
+ "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.",
- "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
- "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
- "service": "Storage",
- "severity": "High",
- "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)",
+ "checklist": "SAP Checklist",
+ "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.",
- "guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Storage",
- "severity": "High",
- "text": "Strive for short validity periods for ad-hoc SAS",
+ "checklist": "SAP Checklist",
+ "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement SSO to SAP BTP",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.",
- "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Apply a narrow scope to a SAS",
+ "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ",
- "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
- "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Consider scoping SAS to a specific client IP address, wherever possible",
- "waf": "Reliability"
+ "text": "enforce existing Management Group policies to SAP Subscriptions",
+ "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.",
- "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
- "service": "Storage",
- "severity": "Low",
- "text": "Consider checking uploaded data, after clients used a SAS to upload a file. 
",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint",
- "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
 "severity": "High",
- "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.",
- "waf": "Reliability"
+ "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ",
+ "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
- "service": "Storage",
- "severity": "Medium",
- "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.",
- "waf": "Reliability"
+ "checklist": "SAP Checklist",
+ "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
+ "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Ensure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription)",
+ "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
+ "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. 
When enabling CORS, keep the CorsRules to the least privilege.",
- "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
- "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
+ "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
+ "service": "SAP",
 "severity": "High",
- "text": "Avoid overly broad CORS policies",
- "waf": "Reliability"
+ "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.",
- "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
+ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
 "severity": "High",
- "text": "Determine how data at rest should be encrypted. 
Understand the thread model for data.",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
- "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
- "service": "Storage",
- "severity": "Medium",
- "text": "Determine which/if platform encryption should be used.",
- "waf": "Reliability"
+ "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
- "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Determine which/if client-side encryption should be used.",
- "waf": "Reliability"
+ "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Leverage Resource Graph Explorer (resources | where type == 
'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.",
- "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
- "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
 "severity": "High",
- "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. ",
+ "text": "Help protect your HANA database by using the Azure Backup service.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal",
- "service": "Storage",
- "severity": "High",
- "text": "Leverage a storagev2 account type for better performance and reliability",
+ "checklist": "SAP Checklist",
+ "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. 
Consider using AzAcSnap on a central VM rather than on individual VMs.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "e05bbe20-9d49-4fda-9777-8424d116785c",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
 "severity": "High",
- "text": "Leverage GRS, ZRS or GZRS storage for the highest availability",
- "waf": "Reliability"
+ "text": "Ensure time-zone matches between the operating system and the SAP system.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "2fa56c56-ad48-4408-be72-734c486ba280",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
+ "service": "SAP",
 "severity": "Medium",
- "text": "For write operation after failover, use customer-Managed Failover ",
+ "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
+ "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.",
+ "waf": "Cost"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
+ "link": "https://learn.microsoft.com/azure/lighthouse/overview",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Understand Microsoft-Managed Failover details",
- "waf": "Reliability"
+ "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal",
- "service": "Storage",
+ "checklist": "SAP Checklist",
+ "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
+ "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Enable Soft Delete",
- "waf": "Reliability"
+ "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
+ "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachineScaleSets",
- "checklist": "Resiliency Review",
- "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.",
- "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c",
- "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs",
- "service": "VMSS",
+ "checklist": "SAP Checklist",
+ "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
+ "service": "SAP",
 "severity": "Low",
- "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency",
- "waf": "Reliability"
+ "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). 
Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", - "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", - "service": "VM", - "severity": "High", - "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", + "severity": "Medium", + "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", - "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "severity": "High", - "text": "Use Premium or Ultra disks for production VMs", - "waf": "Reliability" + "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", - "guid": "b31e38c3-f298-412b-8363-cffe179b599d", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", - "service": "VM", - "severity": "High", - "text": "Ensure Managed Disks are used for all VMs", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", + "severity": "Medium", + "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. 
Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", - "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", "severity": "Medium", - "text": "Do not use the Temp disk for anything that is not acceptable to be lost", - "waf": "Reliability" + "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", - "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", "severity": "Medium", - "text": "Leverage Availability Zones for your VMs in regions where they are supported", - "waf": "Reliability" + "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.", + "waf": "Operations" }, { - "arm-service": 
"Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", - "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "severity": "High", + "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "Performance" + }, + { + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", "severity": "Medium", - "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", + "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", - "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", - "severity": 
"High", - "text": "Avoid running a production workload on a single VM", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", + "severity": "Medium", + "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", - "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", - "severity": "High", - "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", + "severity": "Medium", + "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "By using Capacity Reservations, you can effectively manage capacity for 
critical workloads, ensuring resource availability in specified regions.", - "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", - "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", "severity": "Low", - "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", - "waf": "Reliability" + "text": "Use inter-VM latency monitoring for latency-sensitive applications.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", - "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", - "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "Medium", - "text": "Increase quotas in DR region before testing failover with ASR", + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", - "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "Medium", + "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", + "waf": "Performance" + }, + { + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", "severity": "Low", - "text": "Utilize Scheduled Events to prepare for VM maintenance", - "waf": "Reliability" + "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", - "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "severity": "Medium", - "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", - "waf": "Reliability" + "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", - "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Storage", - "severity": "Low", - "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", + "severity": "Medium", + "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. 
Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", - "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Storage", - "severity": "Low", - "text": "Enable soft delete for Storage Account Containers", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "High", + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", - "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Storage", - "severity": "Low", - "text": "Enable soft delete for blobs", + 
"checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", + "severity": "Medium", + "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", - "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "service": "Backup", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Medium", - "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", - "waf": "Reliability" + "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. 
Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operations" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", - "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", - "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", - "service": "Backup", - "severity": "Low", - "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", + "severity": "Medium", + "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operations" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. 
This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", - "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", - "service": "Backup", - "severity": "Low", - "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", + "checklist": "SAP Checklist", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", + "severity": "Medium", + "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Resiliency Review", - "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", - "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", - "service": "DNS", - "severity": "Low", - "text": "Implement DNS Failover using Azure DNS Private Resolvers", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", + "severity": "High", + "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", + "training": "https://me.sap.com/notes/2731110", + "waf": "Performance" }, { - "arm-service": "Microsoft.PowerBI/gateways", - "checklist": "Resiliency Review", - "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", - "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", - "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", - "service": "Data Gateways", + "checklist": "SAP Checklist", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", "severity": "Medium", - "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "Operations" + }, + { + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", + "severity": "Medium", + "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operations" + }, + { + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", + "severity": "Medium", + "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operations" + }, + { + "checklist": "SAP Checklist", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "High", + "text": "Public IP assignment to VM running SAP Workload is not recommended.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. 
The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", - "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "checklist": "SAP Checklist", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", "severity": "High", - "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", - "waf": "Reliability" + "text": "Consider reserving IP address on DR side when configuring ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", - "severity": "Medium", - "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. 
Reduce the risk of outages caused by manual certificate renewal", + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "High", + "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "AppGW", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "severity": "Medium", - "text": "Ensure you are using Application Gateway v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" + "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. 
Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "Medium", - "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "severity": "Medium", - "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + 
"text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "AppGW", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Medium", - "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": 
"https://learn.microsoft.com/training/paths/secure-application-delivery/", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "AppGW", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "severity": "Medium", - "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. 
Lock down Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "AppGW", + "service": "SAP", "severity": "Medium", - "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "AppGW", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "severity": "Medium", - "text": 
"Configure autoscaling with a minimum amount of instances of two.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "Performance" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "AppGW", + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "severity": "Medium", - "text": "Deploy Application Gateway across Availability Zones", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", + "severity": "High", + "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Performance" + }, + { + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", "severity": "Medium", - "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). 
This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "severity": "Medium", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "High", - "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Reliability" + "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "Low", - "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "Medium", + "text": "For optimal network latency with SAP 
applications, consider using Azure proximity placement groups.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "Performance" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "Medium", - "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "High", + "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. 
Both layers need to completely reside either on-premise or in Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "High", - "text": "Deploy your WAF policy for Front Door in 'Prevention' mode.", - "waf": "Reliability" + "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Cost" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "severity": "High", - "text": "Avoid combining Azure Traffic Manager and Azure Front Door.", + "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Performance" + }, + { + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", + "severity": "Medium", + "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. 
Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "severity": "High", - "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", - "waf": "Reliability" + "text": "Review SAP HANA database backups for Azure VMs.", + "waf": "Cost" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "Low", - "text": "Disable health probes when there is 
only one origin in an Azure Front Door origin group.", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "Medium", + "text": "Review Site Recovery built-in monitoring, where used for SAP.", + "waf": "Cost" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", + "severity": "High", + "text": "Review the Monitoring the SAP HANA System Landscape guidance.", + "waf": "Operations" + }, + { + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "severity": "Medium", - "text": "Select good health probe endpoints for Azure Front Door. 
Consider building health endpoints that check all of your application's dependencies.", - "waf": "Reliability" + "text": "Review Oracle Database in Azure Linux VM backup strategies.", + "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", - "severity": "Low", - "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", + "severity": "Medium", + "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "waf": "Operations" }, { - "ammp": true, - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", - "severity": "High", - "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT 
scalability", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", + "severity": "Medium", + "text": "Review the use of Automated Backup v2 for Azure VMs.", + "waf": "Operations" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "severity": "High", - "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", + "text": "Enabling Write accelerator for M series when using premium disks(V1)", "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "severity": "Medium", - "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "text": "Test availability zone latency.", + "waf": "Performance" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", - "severity": "High", - "text": "Use end-to-end TLS with Azure Front Door. 
Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", + "severity": "Medium", + "text": "Activate SAP EarlyWatch Alert for all SAP components.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "severity": "Medium", - "text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.", - "waf": "Reliability" + "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", + "waf": "Performance" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", - "severity": "High", - "text": "Enable the Azure Front Door WAF. 
Protect your application from a range of attacks.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", + "severity": "Medium", + "text": "Review SQL Server performance monitoring using CCMS.", + "waf": "Performance" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", - "severity": "High", - "text": "Tune the Azure Front Door WAF for your workload. Reduce false positive detections.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", + "severity": "Medium", + "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "Performance" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", - "severity": "High", - "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", + "severity": "Medium", + "text": "Review SAP HANA studio alerts.", + "waf": "Performance" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - 
"guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", - "severity": "High", - "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", + "severity": "Medium", + "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", + "waf": "Performance" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", - "severity": "High", - "text": "Enable the Azure Front Door WAF bot protection rule set. 
The bot rules detect good and bad bots.", + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "Medium", + "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "severity": "Medium", - "text": "Use the latest Azure Front Door WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", + "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", - "severity": "Medium", - "text": "Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "Low", + "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", - "severity": "Medium", - "text": "Use a high threshold for Azure Front Door WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "High", + "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.", + "training": "https://me.sap.com/notes/3019299/E", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", - "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "High", + "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "AppGW", + "checklist": "SAP Checklist", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", "severity": "High", - "text": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots.", + "text": "Use Azure Key Vault to store your secrets and credentials", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "AppGW", - "severity": "High", - "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.", + "checklist": "SAP Checklist", + "guid": 
"829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", + "severity": "Medium", + "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "AppGW", - "severity": "High", - "text": "Tune the Azure Application Gateway WAF for your workload. Reduce false positive detections.", + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", + "severity": "Medium", + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Reliability" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend 
securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AppGW", + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", "severity": "High", - "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", + "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "AppGW", - "severity": "Medium", - "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "High", + "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "AppGW", - "severity": "Medium", - "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", + "severity": "High", + "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "AppGW", + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use 
geo-filters to block traffic from non-expected countries.", + "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "AppGW", + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "AppGW", - "severity": "Medium", - "text": "Use the latest Azure Application Gateway WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", + "checklist": "SAP Checklist", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", + "severity": "High", + "text": "Use an Azure Key Vault per application per environment per region.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "AppGW", - "severity": "Medium", - "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", - "waf": "Operations" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", - "severity": "Medium", - "text": "Add diagnostic settings to save your Azure Front Door WAF logs.", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", + "severity": "High", + "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. 
SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "AppGW", - "severity": "Medium", - "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", + "severity": "High", + "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", - "severity": "Medium", - "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", + "severity": "High", + "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", + 
"training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "AppGW", - "severity": "Medium", - "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", + "severity": "Low", + "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "AppGW", - "severity": "Medium", - "text": "Use WAF Policies instead of the legacy WAF configuration.", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", + "severity": "Low", + "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", + "training": 
"https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "AppGW", - "severity": "Medium", - "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", + "checklist": "SAP Checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "High", + "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", - "service": "Front Door", - "severity": "Medium", - "text": "Make sure your origins only take traffic from your Azure Front Door instance.", + "checklist": "SAP Checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "Low", + "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "AppGW", - "severity": "High", - "text": "You should encrypt traffic to the backend servers.", + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", + "severity": "Medium", + "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "AppGW", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", "severity": "High", - "text": "You should use a Web Application Firewall.", + "text": "Enable zone redundancy for Azure Cache for Redis. 
Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "AppGW", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", "severity": "Medium", - "text": "Redirect HTTP to HTTPS", + "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "AppGW", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", "severity": "Medium", - "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", - "waf": "Operations" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "AppGW", - "severity": "High", - "text": "Enable connection draining during planned service updates to prevent connection loss to existing membrs of the backend pool", + "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "AppGW", - "severity": "Low", - "text": "Create custom error pages to display a personalized user experience", - "waf": "Operations" + "arm-service": "microsoft.cache/redis", + "checklist": 
"Redis Resiliency checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", + "severity": "Medium", + "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "AppGW", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Data Factory", "severity": "Medium", - "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", + "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "AppGW", - "severity": "Medium", - "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", - "waf": 
"Performance" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Data Factory", + "severity": "High", + "text": "Use zone redundant pipelines in regions that support Availability Zones", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "AppGW", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Data Factory", "severity": "Medium", - "text": "Use transport layer load balancing", - "waf": "Performance" + "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "AppGW", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Data Factory", "severity": "Medium", - "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", + "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another 
region ", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "AppGW", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Data Factory", "severity": "Medium", - "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", + "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "AppGW", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. 
Key Vault is a managed service and Microsoft takes care of it for you", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Data Factory", "severity": "Low", - "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", + "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", "waf": "Reliability" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "PostgreSQL Review Checklist", - "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", - "service": "PostgreSQL", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "severity": "Medium", "text": "Leverage Flexible Server", "waf": "Reliability" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "PostgreSQL Review Checklist", - "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", - "service": "PostgreSQL", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "severity": "High", "text": "Leverage Availability Zones where regionally applicable", "waf": "Reliability" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "PostgreSQL Review Checklist", - "guid": "31b67c67-be59-4519-8083-845d587cb391", - "link": 
"https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", - "service": "PostgreSQL", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "severity": "Medium", - "text": "Leverage cross-region read replicas for BCDR", + "text": "Leverage Data-in replication for cross-region DR scenarios", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Data Factory", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "High", + "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", "severity": "Medium", - "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", + "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. 
Familiarize yourself with the Key Vault's availability and redundancy.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Data Factory", - "severity": "High", - "text": "Use zone redundant pipelines in regions that support Availability Zones", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", + "severity": "Medium", + "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. Familiarize yourself with the Key Vault's data replication.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Data Factory", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", + "severity": "Medium", + "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. 
Familiarize yourself with the Key Vault's failover guidance.", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", "severity": "Medium", - "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", + "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Data Factory", - "severity": "Medium", - "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", + "severity": "High", + "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Data Factory", - "severity": "Medium", - "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", + "severity": "Low", + "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. Familiarize yourself with the Key Vault's soft-delete guidance.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. Key Vault is a managed service and Microsoft takes care of it for you", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Data Factory", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", "severity": "Low", - "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", + "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.", - "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", - "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", - "service": "ACR", - "severity": "High", - "text": "Disable Azure Container Registry image export", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "Low", + "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. 
Familiarize yourself with the Key Vault's backup and restore guidance.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", - "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", - "service": "ACR", - "severity": "High", - "text": "Enable Azure Policies for Azure Container Registry", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", + "severity": "Medium", + "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. 
The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", - "guid": "d345293c-7639-4637-a551-c5c04e401955", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", - "service": "ACR", - "severity": "High", - "text": "Sign and Verify containers with notation (Notary v2)", + "arm-service": "Microsoft.Compute/virtualMachineScaleSets", + "checklist": "Resiliency Review", + "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", + "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", + "service": "VMSS", + "severity": "Low", + "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. 
By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", - "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", - "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", - "service": "ACR", - "severity": "Medium", - "text": "Encrypt registry with a customer managed key", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", + "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", + "service": "VM", + "severity": "High", + "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", - "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", + "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "VM", "severity": "High", - "text": "Use Managed Identities to connect instead of Service Principals", + "text": "Use Premium or Ultra disks for production VMs", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container 
Registry Security Review", - "description": "The local Administrator account is disabled by default and should not be enabled. Use either Token or RBAC-based access methods instead", - "guid": "be0e38ce-e297-411b-b363-caaab79b198d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", + "guid": "b31e38c3-f298-412b-8363-cffe179b599d", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", + "service": "VM", "severity": "High", - "text": "Disable local authentication for management plane access", + "text": "Ensure Managed Disks are used for all VMs", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", - "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", - "service": "ACR", - "severity": "High", - "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. 
Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", + "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", + "service": "VM", + "severity": "Medium", + "text": "Do not use the Temp disk for anything that is not acceptable to be lost", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Disable anonymous pull/push access", - "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", - "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", - "service": "ACR", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", + "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", "severity": "Medium", - "text": "Disable Anonymous pull access", + "text": "Leverage Availability Zones for your VMs in regions where they are supported", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Token authentication doesn't support assignment to an AAD principal. 
Any tokens provided are able to be used by anyone who can access the token", - "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", - "service": "ACR", - "severity": "High", - "text": "Disable repository-scoped access tokens", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", + "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "VM", + "severity": "Medium", + "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", - "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", - "service": "ACR", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", + "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", "severity": "High", - "text": "Deploy images from a trusted environment", + "text": "Avoid running a production workload on a single VM", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Only tokens with an ACR audience can be used for authentication. 
Used when enabling Conditional access policies for ACR", - "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", - "service": "ACR", - "severity": "Medium", - "text": "Disable Azure ARM audience tokens for authentication", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", + "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", + "severity": "High", + "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.", - "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", - "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", - "service": "ACR", - "severity": "Medium", - "text": "Enable diagnostics logging", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", + "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", + "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", + "service": "VM", + "severity": "Low", + "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", - "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", - "service": "ACR", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", + "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", + "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", + "service": "VM", "severity": "Medium", - "text": "Control inbound network access with Private Link", + "text": "Increase quotas in DR region before testing failover with ASR", "waf": "Reliability" }, { - 
"arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Disable public network access if inbound network access is secured using Private Link", - "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", - "service": "ACR", - "severity": "Medium", - "text": "Disable Public Network access", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", + "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", + "service": "VM", + "severity": "Low", + "text": "Utilize Scheduled Events to prepare for VM maintenance", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Only the ACR Premium SKU supports Private Link access", - "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", - "service": "ACR", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Resiliency Review", + "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", + "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Storage", "severity": "Medium", - "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", + "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities", - "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", - "service": "ACR", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Resiliency Review", + "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", + "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Storage", "severity": "Low", - "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", + "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", - "service": "ACR", - "severity": "Medium", - 
"text": "Deploy validated container images", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Resiliency Review", + "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", + "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Storage", + "severity": "Low", + "text": "Enable soft delete for Storage Account Containers", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": "4e401955-387e-45ce-b126-cd132af5b20c", - "service": "ACR", - "severity": "High", - "text": "Use up-to-date platforms, languages, protocols and frameworks", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Resiliency Review", + "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", + "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Storage", + "severity": "Low", + "text": "Enable soft delete for blobs", "waf": "Reliability" }, - { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Monitor", - "severity": "Medium", - "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - 
"training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" - }, { "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "checklist": "Resiliency Review", + "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", + "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", "service": "Backup", "severity": "Medium", - "text": "check backup instances with the underlying datasource not found", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "severity": "Medium", - "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", - "waf": "Cost" + "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", + "waf": "Reliability" }, { "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "checklist": "Resiliency Review", + "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and 
authorization for backup operations.", + "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", + "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", "service": "Backup", - "severity": "Medium", - "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Monitor", - "severity": "Medium", - "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). 
- consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Monitor", - "severity": "Medium", - "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "severity": "Medium", - "text": "Check that the disks are really needed, if not: delete. 
If they are needed, find lower storage tiers or use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Cost" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "severity": "Medium", - "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Cost" + "severity": "Low", + "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "severity": "Medium", - "text": "Make sure advisor is configured for VM right sizing ", - "waf": "Cost" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Resiliency Review", + "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. 
This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", + "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", + "service": "Backup", + "severity": "Low", + "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "description": "check by searching the Meter Category Licenses in the Cost analysys", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", - "severity": "Medium", - "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", - "waf": "Cost" + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Resiliency Review", + "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", + "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", + "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", + "service": "DNS", + "severity": "Low", + "text": "Implement DNS Failover using Azure DNS Private Resolvers", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", + "arm-service": "Microsoft.PowerBI/gateways", + "checklist": "Resiliency Review", + "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", + "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", + "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", + "service": "Data Gateways", "severity": "Medium", - "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Cost" + "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", + "waf": "Reliability" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", - "severity": "Medium", - "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", - "training": 
"https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
- "waf": "Cost"
+ "checklist": "Resiliency Review",
+ "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.",
+ "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
+ "service": "NVA",
+ "severity": "High",
+ "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
- "service": "VM",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687",
+ "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.",
- "waf": "Cost"
+ "text": "Leverage FTA Resillency Handbook",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
- "service": "VM",
- "severity": "Medium",
- 
"text": "Only larger disks can be reserved => 1 TiB -",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
+ "severity": "High",
+ "text": "Plan for Data Center level outage",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
- "service": "VM",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. 
Assign contacts to assets",
+ "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
 "severity": "Medium",
- "text": "After the right-sizing optimization",
- "waf": "Cost"
+ "text": "Practice Failover for BCDR",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Sql/servers",
- "checklist": "Cost Optimization Checklist",
- "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
- "service": "Azure SQL",
- "severity": "Medium",
- "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "97b15b8a-219a-44ab-bb57-879024d22678",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
+ "severity": "High",
+ "text": "Plan a backup strategy and take regular backups",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
- "service": "VM",
- "severity": "Medium",
- "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d",
+ "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account",
+ "waf": 
"Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "VM",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b",
+ "link": "https://learn.microsoft.com/purview/deployment-best-practices",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Consider using a VMSS to match demand rather than flat sizing",
- "waf": "Cost"
+ "text": "Follow Purview accounts architectures and deployment best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Cost Optimization Checklist",
- "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
- "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
- "service": "AKS",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-collections",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)",
- "waf": "Cost"
+ "text": "Follow Collection Architectures and best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
- "service": "Backup",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": 
"b3d1325a-a225-4c6f-9e06-85edddea8a4b",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Move recovery points to vault-archive where applicable (Validate)",
- "training": "https://azure.microsoft.com/pricing/reservations/",
- "waf": "Cost"
+ "text": "Follow Assest lifecycle best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Databricks/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
- "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
- "service": "Databricks",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-automation",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Consider using Spot VMs with fallback where possible. 
Consider autotermination of clusters.",
- "waf": "Cost"
+ "text": "Follow automation best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
- "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
- "service": "Functions",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Functions - Reuse connections",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
- "waf": "Cost"
+ "text": "Follow Backup and Migration Best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
- "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
- "service": "Functions",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Functions - Cache data locally",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
- "waf": "Cost"
+ "text": "Follow Purview Glossary Best Practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
- "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
- "service": "Functions",
- "severity": 
"Medium",
- "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790",
+ "link": "https://learn.microsoft.com/purview/concept-workflow",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Leverage Workflows ",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
- "service": "Functions",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-security",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Functions - Keep your functions warm",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Cost"
+ "text": "Follow Purview Security Best Practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Functions",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888",
+ "link": 
"https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory",
+ "service": "Purview",
 "severity": "Medium",
- "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)",
- "waf": "Cost"
+ "text": "Follow Purview Data Lineage Best Practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
- "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
- "service": "Functions",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "9579e76b-896e-4710-a7da-7be9956d14d3",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.",
- "waf": "Cost"
+ "text": "Follow Best Practices for Scanning Registered Sources",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
- "service": "Functions",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-classification",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. 
await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
- "waf": "Cost"
+ "text": "Follow Classification Best Practices in Governance Portal",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Cost Optimization Checklist",
- "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Front Door",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69",
+ "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.",
- "waf": "Cost"
+ "text": "Perform Sensitivity Labelling in the Purview Data Map",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Cost Optimization Checklist",
- "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Front Door",
- "severity": "Medium",
- "text": "Frontdoor - Route to something that returns nothing. 
Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96",
+ "link": "https://learn.microsoft.com/purview/concept-data-share",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3",
- "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
- "service": "Storage",
- "severity": "Medium",
- "text": "Consider archiving tiers for less used data",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4",
+ "link": "https://learn.microsoft.com/purview/concept-insights",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Leverage Data Estate Insights",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c",
- "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
- "service": "VM",
- "severity": "Medium",
- "text": "Check disk sizes where the size does not match the tier (i.e. 
A 513 GiB disk will pay a P30 (1TiB) and consider resizing",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab",
+ "link": "https://learn.microsoft.com/purview/catalog-adoption-insights",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Use Data stewardship and Catalog adoption",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
- "service": "Storage",
- "severity": "Medium",
- "text": "Consider using standard SSD rather than Premium or Ultra where possible",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581",
+ "link": "https://learn.microsoft.com/purview/concept-insights",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Use Inventory and Ownership",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
- "service": "Storage",
- "severity": "Medium",
- "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9",
+ "link": "https://learn.microsoft.com/purview/glossary-insights",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Leverage Insights for Glossary, 
Classifications, Sensitivity Labels",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
- "service": "Site Recovery",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "b130a888-9579-4e76-a896-e710a7da7be9",
+ "link": "https://learn.microsoft.com/purview/compliance-manager",
+ "service": "Purview",
 "severity": "Medium",
- "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it",
- "waf": "Cost"
+ "text": "Generate assessment scores",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1",
- "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery",
- "service": "Storage",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f",
+ "link": "https://learn.microsoft.com/purview/compliance-manager-scoring",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Storage accounts: check hot tier and/or GRS necessary",
- "waf": "Cost"
+ "text": "Profiling- get summaries of data content",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18",
- "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
- "service": "VM",
- "severity": "Medium",
- "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft 
Purview Review Checklist",
+ "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1",
+ "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Follow Microsoft Purview Data Owner access policies",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5",
- "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac",
+ "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Follow Self-service access policies",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "35e33789-7e31-4c67-b68c-f6a62a119495",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Export cost data to a storage account for additional data analysis.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "b49e5b96-0332-44ec-b8cc-13318da61170",
+ "link": "https://learn.microsoft.com/purview/concept-policies-devops",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Follow DevOps policies",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd",
- "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "0e03f5ee-4648-423c-bb86-7239480f9171",
+ "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4",
- "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55",
+ "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Create multiple Apache Spark pool definitions of various sizes.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "Device Update for IoT 
Hub",
+ "severity": "High",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb",
- "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
- "service": "VM",
- "severity": "Medium",
- "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
+ "service": "IoT Hub DPS",
+ "severity": "High",
+ "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "544451e1-92d3-4442-a3c7-628637a551c5",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "VM",
- "severity": "Medium",
- "text": "Right-sizing all VMs",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
+ "service": "IoT Hub DPS",
+ "severity": "High",
+ "text": "Protect logic apps from region failures with zone redundancy and availability zones",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- 
"checklist": "Cost Optimization Checklist",
- "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
- "service": "VM",
- "severity": "Medium",
- "text": "Swap VM sized with normalized and most recent sizes",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "8aed4fbf-0830-4883-899d-222a154af478",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "IoT Hub DPS",
+ "severity": "High",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "VM",
- "severity": "Medium",
- "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "IoT Hub DPS",
+ "severity": "High",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a",
- "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "VM",
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "IoT Hub DPS",
 "severity": "Medium",
- "text": "Containerizing an application can improve VM density and save money on scaling it",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Cost"
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
+ "waf": "Operations"
 },
 {
 "aprlGuid": "bb6deb9d-24fa-4ee8-bc23-ac3ebc7fdf8e",
@@ -24305,7 +24305,7 @@
 ],
 "metadata": {
 "name": "WAF checklist",
- "timestamp": "August 05, 2024"
+ "timestamp": "August 08, 2024"
 },
 "severities": [
 {
diff --git a/checklists/checklist.en.master.json b/checklists/checklist.en.master.json
index 6e9043a0d..9c9631f09 100644
--- a/checklists/checklist.en.master.json
+++ b/checklists/checklist.en.master.json
@@ -1,22617 +1,20264 @@
 {
 "items": [
 {
- "category": "BC and DR",
- "checklist": "Device Provisioning Service Review",
- "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
- "service": "IoT Hub DPS",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
- "waf": "Reliability"
+ "category": "Governance",
+ "checklist": "Azure API Management Review",
+ "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies",
+ "service": "APIM",
+ "services": [
+ "APIM",
+ "AzurePolicy"
+ ],
+ "severity": "Medium",
+ "subcategory": "Development best practices",
+ "text": "Implement an error handling policy at the global level",
+ "waf": "Operations"
 },
 {
- "category": "BC and DR",
- "checklist": "Device Provisioning Service Review",
- "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "IoT Hub DPS",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Protect logic apps from region failures with zone redundancy and availability zones",
- "waf": "Reliability"
+ "category": "Governance",
+ "checklist": "Azure API Management Review",
+ "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08",
+ "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order",
+ "service": "APIM",
+ "services": [
+ "APIM",
+ "AzurePolicy"
+ ],
+ "severity": "Medium",
+ "subcategory": "Development best practices",
+ "text": "Ensure all APIs policies include a element.",
+ "waf": "Operations"
 },
 {
- "category": "BC and DR",
- "checklist": "Device Provisioning Service Review",
- "guid": "8aed4fbf-0830-4883-899d-222a154af478",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "IoT Hub DPS",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "category": "Governance",
+ "checklist": "Azure API Management Review",
+ "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902",
+ "link": "https://learn.microsoft.com/azure/api-management/policy-fragments",
+ "service": "APIM",
+ "services": [
+ "APIM",
+ "AzurePolicy",
+ "ACR"
+ ],
+ "severity": "Medium",
+ "subcategory": "Development best practices",
+ "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs",
+ "waf": "Operations"
 },
 {
- "category": "BC and DR",
- "checklist": "Device Provisioning Service Review",
- "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "IoT Hub DPS",
+ "category": "Governance",
+ "checklist": "Azure API Management Review",
+ "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a",
+ "link": "https://learn.microsoft.com/azure/api-management/monetization-support",
+ "service": "APIM",
 "services": [
- "AppSvc"
+ "APIM"
+ ],
+ "severity": "Medium",
+ "subcategory": "Monetization",
+ "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices",
+ "waf": "Operations"
+ },
+ {
+ "category": "Governance",
+ "checklist": "Azure API Management Review",
+ "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs",
+ "service": "APIM",
+ "services": [
+ "APIM",
+ "Monitor"
 ],
 "severity": "High",
- "subcategory": "High Availability",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
- "waf": "Reliability"
+ "subcategory": "Monitoring",
+ "text": "Enable Diagnostics Settings to export logs to Azure Monitor",
+ "waf": "Operations"
 },
 {
- "category": "Application Deployment",
- "checklist": "Device Provisioning Service Review",
- "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "IoT Hub DPS",
- "services": [],
+ "category": "Governance",
+ "checklist": "Azure API Management Review",
+ "guid": "8691fa38-45ed-4299-a247-fecd98d35deb",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights",
+ "service": "APIM",
+ "services": [
+ "APIM",
+ "Monitor"
+ ],
 "severity": "Medium",
- "subcategory": "CI/CD",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
+ "subcategory": "Monitoring",
+ "text": "Enable Application Insights for more detailed telemetry",
 "waf": "Operations"
 },
 {
- "category": "Operations Management",
- "checklist": "DNS Review Checklist",
- "guid": "a96b96ad-8840-48f3-9273-4c876ba28021",
- "link": "https://learn.microsoft.com/azure/dns/private-dns-resiliency",
+ "category": "Governance",
+ "checklist": "Azure API Management Review",
+ "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor",
+ "service": "APIM",
 "services": [
- "DNS",
- "VNet"
+ "APIM",
+ "Monitor"
 ],
 "severity": "High",
- "subcategory": "Azure Private DNS",
- "text": "Verify that Zones are linked to Vnets in multiple regions",
- "waf": "Reliability"
+ "subcategory": "Monitoring",
+ "text": "Configure alerts on the most critical metrics",
+ "waf": "Operations"
 },
 {
- "category": "Operations Management",
- "checklist": "DNS Review Checklist",
- "guid": "45901465-d38e-453f-accb-d969266acca2",
- 
"link": "https://learn.microsoft.com/azure/dns/private-dns-resiliency",
+ "category": "Identity and Access Management",
+ "checklist": "Azure API Management Review",
+ "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault",
+ "service": "APIM",
 "services": [
- "DNS"
+ "Entra",
+ "AKV",
+ "APIM"
 ],
 "severity": "High",
- "subcategory": "Azure Private DNS",
- "text": "If different Zones are used between regions, verify a plan for making sure that Zones are up to date in a DR failover situation",
- "waf": "Reliability"
+ "subcategory": "Data protection",
+ "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated",
+ "waf": "Security"
 },
 {
- "category": "Operations Management",
- "checklist": "DNS Review Checklist",
- "guid": "74faa19b-f39d-495d-94c7-c8919ca1f6d5",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-traffic-manager?toc=%2Fazure%2Fdns%2Ftoc.json",
+ "category": "Identity and Access Management",
+ "checklist": "Azure API Management Review",
+ "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access",
+ "service": "APIM",
 "services": [
- "DNS",
- "TrafficManager",
- "ASR"
+ "Entra",
+ "APIM"
 ],
- "severity": "Medium",
- "subcategory": "Azure DNS",
- "text": "Plan for disaster recovery with Azure DNS and Traffic Manager",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Identity",
+ "text": "Protect incoming requests to APIs (data plane) with Azure AD",
+ "waf": "Security"
 },
 {
- "category": "Operations 
Management",
- "checklist": "DNS Review Checklist",
- "guid": "315ae524-ba34-4d45-a5e1-2139bd7bb012",
- "link": "https://learn.microsoft.com/azure/dns/private-resolver-reliability#availability-zones",
+ "category": "Identity and Access Management",
+ "checklist": "Azure API Management Review",
+ "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad",
+ "service": "APIM",
 "services": [
- "DNS"
+ "Entra",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Azure DNS Resolver",
- "text": "Enable availability zones with Private Resolver",
- "waf": "Reliability"
+ "subcategory": "Identity",
+ "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal",
+ "waf": "Security"
 },
 {
- "category": "Operations Management",
- "checklist": "DNS Review Checklist",
- "guid": "f7b95e06-e154-4e2a-a359-2828e6e20517",
- "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover",
+ "category": "Identity and Access Management",
+ "checklist": "Azure API Management Review",
+ "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups",
+ "service": "APIM",
 "services": [
- "DNS",
- "ASR"
+ "Entra",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Azure DNS Resolver",
- "text": "Plan for failover with Private Resolvers in a Disaster Recovery",
- "waf": "Reliability"
+ "subcategory": "Privileged access",
+ "text": "Create appropriate groups to control the visibility of the products",
+ "waf": "Security"
 },
 {
- "category": "Operations Management",
- "checklist": "DNS Review Checklist",
- "guid": "2676ae46-691e-4883-9ad9-42223e138105",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-virtual-machines?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json&tabs=graph",
+ "category": "Management",
+ "checklist": "Azure API 
Management Review",
+ "guid": "06862505-2d9a-4874-9491-2837b00a3475",
+ "link": "https://learn.microsoft.com/azure/api-management/backends",
+ "service": "APIM",
 "services": [
- "DNS",
- "VM"
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "VM Based DNS Service",
- "text": "Follow VM Guidance for resillency of VM",
- "waf": "Reliability"
+ "subcategory": "Best practices",
+ "text": "Use Backends feature to eliminate redundant API backend configurations",
+ "waf": "Operations"
 },
 {
- "category": "Operations Management",
- "checklist": "DNS Review Checklist",
- "guid": "23081a94-1741-4583-9ff7-ad7c6d373316",
- "link": "https://www.windows-active-directory.com/azure-ad-dns-for-custom-domain-names-with-advanced-dns-settings.html",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
+ "service": "APIM",
 "services": [
- "DNS",
- "VM",
- "Entra"
+ "APIM",
+ "AzurePolicy"
 ],
 "severity": "Medium",
- "subcategory": "VM Based DNS Service",
- "text": "IF AD based DNS, follow the Identity -> Windows Server AD path",
- "waf": "Reliability"
- },
- {
- "category": "BC and DR",
- "checklist": "Device Update Review",
- "guid": "0e03f5ee-4648-423c-bb86-7239480f9171",
- "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
- "service": "Device Update for IoT Hub",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).",
- "waf": "Reliability"
- },
- {
- "category": "BC and DR",
- "checklist": "Device Update Review",
- "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55",
- "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
- "service": "Device Update for IoT Hub",
- "services": [],
- "severity": "High",
- 
"subcategory": "High Availability",
- "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.",
- "waf": "Reliability"
+ "subcategory": "Best practices",
+ "text": "Use Named Values to store common values that can be used in policies",
+ "waf": "Operations"
 },
 {
- "category": "BC and DR",
- "checklist": "Device Update Review",
- "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "Device Update for IoT Hub",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region",
+ "service": "APIM",
+ "services": [
+ "ASR",
+ "APIM",
+ "ACR"
+ ],
+ "severity": "Medium",
+ "subcategory": "Business continuity and disaster recovery",
+ "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA",
 "waf": "Reliability"
 },
 {
- "category": "BC and DR",
- "checklist": "Device Update Review",
- "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "Device Update for IoT Hub",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044",
+ "link": "https://learn.microsoft.com/azure/api-management/high-availability",
+ "service": "APIM",
 "services": [
- "AppSvc"
+ "ASR",
+ "APIM"
 ],
- "severity": "High",
- "subcategory": "High 
Availability",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "severity": "Medium",
+ "subcategory": "Business continuity and disaster recovery",
+ "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%",
 "waf": "Reliability"
 },
 {
- "category": "BC and DR",
- "checklist": "Logic Apps checklist",
- "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
- "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
- "service": "Logic Apps",
- "services": [],
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability",
+ "service": "APIM",
+ "services": [
+ "Backup",
+ "APIM",
+ "ASR"
+ ],
 "severity": "High",
- "subcategory": "High Availability",
- "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
+ "subcategory": "Business continuity and disaster recovery",
+ "text": "Ensure there is an automated backup routine",
 "waf": "Reliability"
 },
 {
- "category": "BC and DR",
- "checklist": "Logic Apps checklist",
- "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
- "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "Logic Apps",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Protect logic apps from region failures with zone redundancy and availability zones",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485",
+ "link": "https://learn.microsoft.com/azure/api-management/retry-policy",
+ "service": "APIM",
+ "services": [
+ "APIM",
+ 
"AzurePolicy"
+ ],
+ "severity": "Medium",
+ "subcategory": "Failover and Caching",
+ "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.",
 "waf": "Reliability"
 },
 {
- "category": "BC and DR",
- "checklist": "Logic Apps checklist",
- "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
- "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "Logic Apps",
- "services": [],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "f96ddac5-77ec-4fa9-8833-4327f052059e",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-cache-external",
+ "services": [
+ "APIM",
+ "AzurePolicy"
+ ],
+ "severity": "Medium",
+ "subcategory": "Performance and scalability",
+ "text": "Consider using a external cache policy for APIs that can benefit from caching",
+ "training": "https://learn.microsoft.com/training/modules/improve-api-performance-with-apim-caching-policy/"
 },
 {
- "category": "BC and DR",
- "checklist": "Logic Apps checklist",
- "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
- "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
- "service": "Logic Apps",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
+ "service": "APIM",
 "services": [
- "AppSvc"
+ "EventHubs",
+ "APIM",
+ "AzurePolicy"
 ],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
- "waf": "Reliability"
+ "severity": 
"Low",
+ "subcategory": "Performance and scalability",
+ "text": "If you need to log at high performance levels, consider Event Hubs policy",
+ "waf": "Operations"
 },
 {
- "category": "Application Deployment",
- "checklist": "Logic Apps checklist",
- "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
- "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
- "service": "Logic Apps",
- "services": [],
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
+ "service": "APIM",
+ "services": [
+ "APIM",
+ "AzurePolicy"
+ ],
 "severity": "Medium",
- "subcategory": "CI/CD",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
- "waf": "Operations"
+ "subcategory": "Performance and scalability",
+ "text": "Apply throttling policies to control the number of requests per second",
+ "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/",
+ "waf": "Performance"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Bot Service",
- "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot",
- "service": "Bot service",
- "services": [],
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale",
+ "service": "APIM",
+ "services": [
+ "APIM"
+ ],
 "severity": "Medium",
- "subcategory": "High Availablity",
- "text": "Follow reliability support recommendations in Azure Bot Service",
- "waf": "Reliability"
+ "subcategory": "Performance and scalability",
+ "text": "Configure autoscaling to scale out the number of instances when the load increases",
+ "waf": "Performance"
 },
 {
- 
"category": "Operations management",
- "checklist": "Azure Bot Service",
- "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a",
- "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization",
- "service": "Bot service",
- "services": [],
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "84b94abb-59b6-4b9d-8587-3413669468e8",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway",
+ "service": "APIM",
+ "services": [
+ "APIM"
+ ],
 "severity": "Medium",
- "subcategory": "High Availablity",
- "text": "Deploying bots with local data residency and regional compliance",
- "waf": "Reliability"
+ "subcategory": "Performance and scalability",
+ "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.",
+ "waf": "Performance"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Bot Service",
- "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography",
- "service": "Bot service",
- "services": [],
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0",
+ "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale",
+ "service": "APIM",
+ "services": [
+ "APIM"
+ ],
 "severity": "Medium",
- "subcategory": "High Availablity",
- "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. 
For the global bot service, all available regions/geographies can be served as the global footprint.",
+ "subcategory": "Premium Tier",
+ "text": "Use the premium tier for production workloads.",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "CosmosDB Review Checklist",
- "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9",
- "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx",
- "service": "CosmosDB",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services",
+ "service": "APIM",
 "services": [
- "CosmosDB"
+ "APIM",
+ "AzurePolicy"
 ],
 "severity": "Medium",
- "subcategory": "Best Practices",
- "text": "FTA Resiliency Playbook",
+ "subcategory": "Request Routing",
+ "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "CosmosDB Review Checklist",
- "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b",
- "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
- "service": "CosmosDB",
- "services": [
- "CosmosDB"
- ],
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits",
+ "service": "APIM",
+ "services": [
+ "Entra",
+ "APIM"
+ ],
 "severity": "High",
- "subcategory": "High Availability",
- "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it",
+ "subcategory": "Resource Limits",
+ "text": "Be aware of APIM's limits",
 "waf": "Reliability"
 },
 {
- 
"category": "Operations Management",
- "checklist": "CosmosDB Review Checklist",
- "guid": "0d934a34-8b26-43e7-bd60-513a3649906e",
- "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages",
- "service": "CosmosDB",
+ "category": "Management",
+ "checklist": "Azure API Management Review",
+ "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600",
+ "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview",
+ "service": "APIM",
 "services": [
- "CosmosDB"
+ "APIM"
 ],
- "severity": "Medium",
- "subcategory": "High Availability",
- "text": "Run multiple replicas of the database (>1 ) in Prod",
+ "severity": "High",
+ "subcategory": "Self-Hosted",
+ "text": "Ensure that the self-hosted gateway deployments are resilient.",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "CosmosDB Review Checklist",
- "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe",
- "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab",
- "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions",
- "service": "CosmosDB",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure API Management Review",
+ "guid": "7519e385-a88b-4d34-966b-6269d686e890",
+ "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management",
+ "service": "APIM",
 "services": [
- "ACR",
- "CosmosDB"
+ "Entra",
+ "APIM",
+ "FrontDoor"
 ],
 "severity": "Medium",
- "subcategory": "High Availability",
- "text": "Leverage Multi-Region Writes",
- "waf": "Reliability"
+ "subcategory": "Connectivity",
+ "text": "Use Azure Front Door in front of APIM for multi-region deployment",
+ "waf": "Performance"
 },
 {
- "category": "Operations Management",
- "checklist": "CosmosDB Review Checklist",
- "description": "Span Cosmos account across two or more regions with multi-region writes",
- 
"guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91",
- "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
- "service": "CosmosDB",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure API Management Review",
+ "guid": "cd45c90e-7690-4753-930b-bf290c69c074",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration",
+ "service": "APIM",
 "services": [
- "ACR",
- "CosmosDB"
+ "VNet",
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "High Availability",
- "text": "Distribute your data globally",
- "waf": "Reliability"
+ "subcategory": "Security",
+ "text": "Deploy the service within a Virtual Network (VNet)",
+ "waf": "Security"
 },
 {
- "category": "Operations Management",
- "checklist": "CosmosDB Review Checklist",
- "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong",
- "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0",
- "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels",
- "service": "CosmosDB",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure API Management Review",
+ "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
+ "service": "APIM",
 "services": [
- "CosmosDB"
+ "Entra",
+ "APIM",
+ "VNet",
+ "Monitor"
 ],
- "severity": "High",
- "subcategory": "High Availability",
- "text": "Choose from several well-defined consistency models",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Security",
+ "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.",
+ 
"waf": "Security"
 },
 {
- "category": "Operations Management",
- "checklist": "CosmosDB Review Checklist",
- "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.",
- "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe",
- "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover",
- "service": "CosmosDB",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure API Management Review",
+ "guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
+ "service": "APIM",
 "services": [
- "CosmosDB"
+ "Entra",
+ "APIM",
+ "PrivateLink",
+ "VNet"
 ],
 "severity": "Medium",
- "subcategory": "High Availability",
- "text": "Enable Service managed failover",
- "waf": "Reliability"
+ "subcategory": "Security",
+ "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.",
+ "waf": "Security"
 },
 {
- "category": "Operations Management",
- "checklist": "CosmosDB Review Checklist",
- "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.",
- "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90",
- "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore",
- "service": "CosmosDB",
+ "category": "Network Topology and Connectivity",
+ "checklist": "Azure API Management Review",
+ "guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access",
+ "service": "APIM",
 "services": [
- "Storage",
- "Backup",
- "CosmosDB"
+ "APIM"
 ],
- "severity": "Medium",
- "subcategory": "Backup Strategy",
- "text": "Enable Automatic Backups",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Security",
+ "text": "Disable Public Network Access",
+ "waf": "Security"
 },
 {
- "category": "Operations Management",
- "checklist": "CosmosDB Review Checklist",
- "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.",
- "guid": "a6eb33f6-005c-4d92-9286-7655672d6121",
- "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction",
- "service": "CosmosDB",
+ "category": "Platform automation and DevOps",
+ "checklist": "Azure API Management Review",
+ "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd",
+ "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management",
+ "service": "APIM",
 "services": [
- "Backup",
- "CosmosDB"
+ "APIM"
 ],
 "severity": "Medium",
- "subcategory": "Backup Strategy",
- "text": "Perform Periodic Backups",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
- "waf": "Reliability"
+ "subcategory": "Automation",
+ "text": "Simplify management with PowerShell automation scripts",
+ "waf": "Operations"
 },
 {
- "category": "Operations Management",
- "checklist": "CosmosDB Review Checklist",
- "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", - "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", - "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", - "service": "CosmosDB", + "category": "Platform automation and DevOps", + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", "services": [ - "Backup", - "CosmosDB" + "Entra", + "APIM" ], "severity": "Medium", - "subcategory": "Backup Strategy", - "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Reliability" + "subcategory": "Best practices", + "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", + "waf": "Operations" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Implement branching policy in Azure DevOps", - "guid": "eda1dae2-cc85-4c47-a6b7-81cca0e6c465", - "link": "https://learn.microsoft.com/azure/devops/repos/git/branch-policies-overview?view=azure-devops", + "category": "Platform automation and DevOps", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", "services": [ - "AzurePolicy" + "Entra", + "APIM" ], - "severity": "High", - "subcategory": "Branching Policy", - "text": "Branch Policies", + "severity": "Medium", + "subcategory": "Best practices", + "text": "Promote usage of Visual Studio Code APIM extension for faster API development", "waf": "Operations" }, { - "category": "Version Control", - 
"checklist": "Azure DevOps", - "description": "Understand branch strategy such as GitFlow or GitHub Flow", - "guid": "bc288bec-6a16-4ca7-8444-51e1add34529", - "link": "https://learn.microsoft.com/azure/devops/repos/git/git-branching-guidance?view=azure-devops", + "category": "Platform automation and DevOps", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", "services": [ - "AzurePolicy" + "APIM" ], - "severity": "High", - "subcategory": "Branching Policy", - "text": "Branching strategy", + "severity": "Medium", + "subcategory": "DevOps", + "text": "Implement DevOps and CI/CD in your workflow", "waf": "Operations" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Understand how teams work with git", - "guid": "ec723823-7a15-41c5-ab4e-401914387e5c", - "link": "https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", "services": [ - "AzurePolicy" + "APIM" ], - "severity": "High", - "subcategory": "Branching Policy", - "text": "Understand GitFlow Branch Strategy", - "waf": "Operations" + "severity": "Medium", + "subcategory": "APIs", + "text": "Secure APIs using client certificate authentication", + "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Merge into higher branches after two or more reviewers in a PR", - "guid": "a9c26c9c-32ab-45bd-8c69-98a246e33899", - "link": "https://learn.microsoft.com/azure/devops/repos/git/review-pull-requests?view=azure-devops&tabs=browser", + "category": "Security", + "checklist": "Azure API Management Review", 
+ "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "services": [ - "AzurePolicy" + "APIM" ], - "severity": "High", - "subcategory": "Branching Policy", - "text": "Pull Request Review", - "waf": "Operations" + "severity": "Medium", + "subcategory": "APIs", + "text": "Secure backend services using client certificate authentication", + "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Implement access control to the branches", - "guid": "7e41c77d-68cb-46a2-8ac1-9f916d697d8e", - "link": "https://learn.microsoft.com/azure/devops/repos/git/branch-permissions?view=azure-devops", + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", "services": [ - "AzurePolicy" + "APIM" ], "severity": "Medium", - "subcategory": "Branching Policy", - "text": "Access Control to the Branch", - "waf": "Operations" - }, - { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Perform SAST code scan", - "guid": "adfd27bd-e187-401a-a252-baa9b68a088c", - "link": "https://devblogs.microsoft.com/devops/integrate-security-into-your-developer-workflow-with-github-advanced-security-for-azure-devops/", - "services": [], - "severity": "High", - "subcategory": "Security", - "text": "Code Scan", + "subcategory": "APIs", + "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Understand TFVC as Code Repo", - "guid": "9a8f822b-8eb9-4d1b-a77f-26e5e6beba8e", - "link": "https://learn.microsoft.com/azure/devops/repos/tfvc/what-is-tfvc?view=azure-devops", 
- "services": [], - "severity": "Low", - "subcategory": "Practice", - "text": "TFVC as Code Repository", - "waf": "Operations" + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", + "services": [ + "APIM" + ], + "severity": "Medium", + "subcategory": "APIs", + "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", + "waf": "Security" }, { - "category": "Version Control", - "checklist": "Azure DevOps", - "description": "Compare Git vs TFVC for your project", - "guid": "d4f3437b-c336-4d71-9f27-a71eee0b9b5d", - "link": "https://learn.microsoft.com/azure/devops/repos/tfvc/comparison-git-tfvc?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Practice", - "text": "Choose Right version control", - "waf": "Operations" + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", + "services": [ + "APIM" + ], + "severity": "High", + "subcategory": "Ciphers", + "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.", + "waf": "Security" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Set up your team management", - "guid": "8defd5d7-21d4-41d2-900c-807bf9eab40f", - "link": "https://learn.microsoft.com/azure/devops/organizations/settings/manage-teams?view=azure-devops", - "services": [], + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", + "services": [ + "AKV", + "APIM" + ], "severity": "High", - "subcategory": "Team Planning", - "text": "Configure your teams", - "waf": "Operations" + "subcategory": "Data protection", + "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", + "waf": "Security" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Start scheduling sprints", - "guid": "9ed5b354-78d4-447a-a26c-2863c00f1cac", - "link": "https://learn.microsoft.com/azure/devops/boards/sprints/define-sprints?view=azure-devops", - "services": [], + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", + "services": [ + "Entra", + "APIM" + ], "severity": "Medium", - "subcategory": "Team Planning", - "text": "Configure your sprints", - "waf": "Operations" - }, - { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Set up your work 
item heirarchy", - "guid": "699ef1d5-a83d-4e5d-b36c-1c81870a0bc5", - "link": "https://learn.microsoft.com/azure/devops/organizations/settings/work/customize-process-work-item-type?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Team Planning", - "text": "Choose Work Item types", - "waf": "Operations" + "subcategory": "Identities", + "text": "Use managed identities to authenticate to other Azure resources whenever possible", + "waf": "Security" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "WIT Processes available in Azure DevOps", - "guid": "c1e43a18-658d-4285-aed6-7179b825546d", - "link": "https://learn.microsoft.com/azure/devops/boards/work-items/guidance/choose-process?view=azure-devops&tabs=agile-process", - "services": [], + "category": "Security", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", + "services": [ + "Entra", + "APIM", + "AppGW", + "WAF" + ], "severity": "High", - "subcategory": "Team Planning", - "text": "Select a WIT Process", - "waf": "Operations" + "subcategory": "Network", + "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", + "waf": "Security" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Use Azure Boards with GitHub", - "guid": "f2aee455-3afc-4833-a248-726dd68c5b5c", - "link": "https://learn.microsoft.com/azure/devops/cross-service/github-integration?view=azure-devops", + "category": "Application Deployment", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", 
+ "service": "Spring Apps", "services": [], - "severity": "Low", - "subcategory": "Tool Integration", - "text": "GitHub Integration", - "waf": "Operations" + "severity": "Medium", + "subcategory": "DevOps", + "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions", + "waf": "Reliability" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Understand the methologies", - "guid": "2925394b-69b9-4d37-aac4-3bc68d1d7665", - "link": "https://www.atlassian.com/agile/scrum/agile-vs-scrum", - "services": [], + "category": "BC and DR", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", + "services": [ + "TrafficManager", + "ASR", + "FrontDoor" + ], "severity": "Medium", - "subcategory": "Process Planning", - "text": "Understand Agile Vs Scrum", - "waf": "Operations" + "subcategory": "Disaster Recovery", + "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", + "waf": "Reliability" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Create Dashboard and PowerBI reports", - "guid": "7246b448-564b-44dd-94a7-59c7633bd2a1", - "link": "https://learn.microsoft.com/azure/devops/report/dashboards/overview?view=azure-devops", - "services": [], + "category": "BC and DR", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", + 
"services": [ + "ACR" + ], "severity": "Medium", - "subcategory": "Reporting", - "text": "Dashboard", - "waf": "Operations" + "subcategory": "High Availability", + "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.", + "waf": "Reliability" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Set up backlog", - "guid": "a27a764a-90be-40e3-98ee-293c1bd363ca", - "link": "https://learn.microsoft.com/azure/devops/boards/backlogs/set-up-your-backlog?view=azure-devops", + "category": "BC and DR", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", "services": [], "severity": "Medium", - "subcategory": "Reporting", - "text": "Refine your backlog", - "waf": "Operations" + "subcategory": "High Availability", + "text": "Use more than 1 app instance for your apps", + "waf": "Reliability" }, { - "category": "Azure Boards", - "checklist": "Azure DevOps", - "description": "Link your work items", - "guid": "aab75719-49ab-4919-9dc9-fc9d1bb84b37", - "link": "https://learn.microsoft.com/azure/devops/boards/queries/link-work-items-support-traceability?view=azure-devops&tabs=browser", - "services": [], + "category": "Operations", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", + "services": [ + "Monitor" + ], "severity": "Medium", - "subcategory": "Reporting", - "text": "Visualize Relationships", - "waf": "Operations" + "subcategory": "Monitoring", + "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.", + "waf": "Reliability" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "View the velocity report", - "guid": "b5a67fcb-9ed5-4b35-978d-447a826c2863", - "link": "https://learn.microsoft.com/azure/devops/report/dashboards/team-velocity?view=azure-devops&tabs=in-context", - "services": [], - "severity": "Low", - "subcategory": "Reporting", - "text": "Review Team Velocity", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Create your first pipeline", - "guid": "c00f1cac-699e-4f1d-9a83-de5de36c1c81", - "link": "https://learn.microsoft.com/azure/devops/pipelines/create-first-pipeline?view=azure-devops&tabs=java%2Ctfs-2018-2%2Cbrowser", - "services": [], - "severity": "High", - "subcategory": "Continuous Integration", - "text": "Set up pipeline", - "waf": "Operations" - }, - { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Specify events that trigger pipelines", - "guid": "870a0bc5-c1e4-43a1-a658-d2858ed67179", - "link": "https://learn.microsoft.com/azure/devops/pipelines/build/triggers?view=azure-devops", + "category": "Operations", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "services": [], - "severity": "High", - "subcategory": "Continuous Integration", - "text": "Set Build triggers", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Scalability", + "text": "Set up autoscaling in Spring Cloud Gateway", + "waf": "Reliability" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Use YAML to create build pipeline", - "guid": "b825546d-f2ae-4e45-93af-c8339248726d", - "link": 
"https://learn.microsoft.com/azure/devops/pipelines/customize-pipeline?view=azure-devops", + "category": "Operations", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", "services": [], "severity": "Low", - "subcategory": "Continuous Integration", - "text": "Customize YAML Pipeline", - "waf": "Operations" + "subcategory": "Scalability", + "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "waf": "Reliability" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Use classic GUI editor to set up pipeline", - "guid": "d68c5b5c-2925-4394-a69b-9d379ac43bc6", - "link": "https://learn.microsoft.com/azure/devops/pipelines/get-started/pipelines-get-started?view=azure-devops&source=recommendations#define-pipelines-using-the-classic-interface", + "category": "Operations", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "services": [], "severity": "Medium", - "subcategory": "Continuous Integration", - "text": "Use GUI for pipeline", - "waf": "Operations" + "subcategory": "Support", + "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. 
With other tiers you get OSS support.", + "waf": "Reliability" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set up templates, parameters and expressions", - "guid": "8d1d7665-7246-4b44-a564-b4dd74a759c7", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/templates?view=azure-devops&pivots=templates-includes", - "services": [], + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", + "services": [ + "Entra", + "AVS", + "Subscriptions" + ], + "severity": "High", + "subcategory": "Identity", + "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", + "waf": "Security" + }, + { + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", + "services": [ + "Entra", + "AVS" + ], "severity": "Medium", - "subcategory": "Continuous Integration", - "text": "Configure Templates", - "waf": "Operations" + "subcategory": "Identity", + "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", + "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set up jobs, stages and dependencies", - "guid": "633bd2a1-a27a-4764-a90b-e0e378ee293c", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/stages?view=azure-devops&tabs=yaml", - "services": [], + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", + "services": [ + "Entra", + "AVS" + ], "severity": "High", - "subcategory": "Continuous Integration", - "text": "Jobs", - "waf": "Operations" + "subcategory": "Identity", + "text": "Ensure that vCenter is connected to ADDS to enable 
authentication based on 'named user accounts'", + "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set up conditions and Demands", - "guid": "1bd363ca-aab7-4571-a49a-b9193dc9fc9d", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/conditions?view=azure-devops&tabs=yaml%2Cstages", - "services": [], + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", + "services": [ + "Entra", + "AVS" + ], "severity": "Medium", - "subcategory": "Continuous Integration", - "text": "Conditions and Demands", - "waf": "Operations" + "subcategory": "Identity", + "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", + "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Define Variables", - "guid": "1bb84b37-b5a6-47fc-a9ed-5b35478d447a", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch", - "services": [], - "severity": "High", - "subcategory": "Continuous Integration", - "text": "Variables", - "waf": "Operations" + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", + "services": [ + "Entra", + "AVS" + ], + "severity": "Medium", + "subcategory": "Identity", + "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set up your deployment pipeline", - "guid": "826c2863-c00f-41ca-a699-ef1d5a83de5d", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/create-multistage-pipeline?view=azure-devops", - "services": [], + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", + "services": [ + "Entra", + "AVS" + ], "severity": "High", - "subcategory": "Continuous Deployment", - "text": "Deployment Pipeline", - "waf": "Operations" + "subcategory": "Identity", + "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", + "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Select correct branches to deploy from", - "guid": "e36c1c81-870a-40bc-9c1e-43a18658d285", - "link": "https://learn.microsoft.com/azure/devops/pipelines/release/deploy-multiple-branches?view=azure-devops", - "services": [], + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", + "services": [ + "Entra", + "RBAC", + "AVS" + ], "severity": "Medium", - "subcategory": "Continuous Deployment", - "text": "Release branch", - "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", - "waf": "Operations" + "subcategory": "Identity", + "text": "Has an RBAC model been created for use within VMware vSphere", + "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "use relevant template to deploy to azure", - "guid": "8ed67179-b825-4546-bf2a-ee4553afc833", - "link": "https://learn.microsoft.com/azure/devops/pipelines/overview-azure?view=azure-devops", - "services": [], + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", + "services": [ + "Entra", + "RBAC", + "AVS" + ], "severity": "Medium", - "subcategory": "Continuous Deployment", - "text": "Deploy to Azure", - "waf": "Operations" + "subcategory": "Identity", + "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "waf": "Security" }, { - "category": "Azure 
Pipelines", - "checklist": "Azure DevOps", - "description": "Define Release Approvals and pre deployment checks", - "guid": "9248726d-d68c-45b5-a292-5394b69b9d37", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass", - "services": [], - "severity": "Medium", - "subcategory": "Continuous Deployment", - "text": "Approvals and Checks", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Operations" + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", + "services": [ + "Entra", + "RBAC", + "AVS" + ], + "severity": "High", + "subcategory": "Identity", + "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", + "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Define Gates and post deployment checks", - "guid": "9ac43bc6-8d1d-4766-9724-6b448564b4dd", - "link": "https://learn.microsoft.com/azure/devops/pipelines/release/approvals/?view=azure-devops&tabs=yaml", - "services": [], - "severity": "Medium", - "subcategory": "Continuous Deployment", - "text": "Gates", - "waf": "Operations" + "category": "Identity", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", + "services": [ + "Entra", + "RBAC", + "AVS" + ], + "severity": "High", + "subcategory": "Identity", + "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", + "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Define Azure Function and REST API Checks", - "guid": "74a759c7-633b-4d2a-8a27-a764a90be0e3", - "link": "https://learn.microsoft.com/azure/devops/pipelines/process/invoke-checks?view=azure-devops", - "services": [], - 
"severity": "Low", - "subcategory": "Continuous Deployment", - "text": "Azure Function Checks", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", + "services": [ + "AVS" + ], + "severity": "High", + "subcategory": "Architecture", + "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", + "waf": "Performance" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Review pipeline reports", - "guid": "78ee293c-1bd3-463c-aaab-7571949ab919", - "link": "https://learn.microsoft.com/azure/devops/pipelines/reports/pipelinereport?view=azure-devops", - "services": [], + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", + "services": [ + "NetworkWatcher", + "AVS", + "VPN", + "Monitor", + "ExpressRoute" + ], "severity": "High", - "subcategory": "Continuous Deployment", - "text": "Pipline Reports", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "subcategory": "Monitoring", + "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", "waf": "Operations" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "configure Trend Result widget", - "guid": "3dc9fc9d-1bb8-44b3-9b5a-67fcb9ed5b35", - "link": "https://learn.microsoft.com/azure/devops/report/dashboards/analytics-widgets?toc=%2Fazure%2Fdevops%2Fpipelines%2Ftoc.json&view=azure-devops#test-results-trend-advanced", - "services": [], + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + 
"guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", + "services": [ + "NetworkWatcher", + "AVS", + "VM", + "Monitor", + "ExpressRoute" + ], "severity": "Medium", - "subcategory": "Analytics", - "text": "Pipeline Result Trend", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "subcategory": "Monitoring", + "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", "waf": "Operations" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Connect with WIT to visualize work", - "guid": "478d447a-826c-4286-9c00-f1cac699ef1d", - "link": "https://learn.microsoft.com/azure/devops/pipelines/integrations/configure-pipelines-work-tracking?view=azure-devops&tabs=yaml", - "services": [], + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", + "services": [ + "Monitor", + "AVS", + "VM", + "NetworkWatcher" + ], "severity": "Medium", - "subcategory": "Analytics", - "text": "Work Tracking with Pipeline", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "subcategory": "Monitoring", + "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", "waf": "Operations" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Understand agent pools", - "guid": "5a83de5d-e36c-41c8-8870-a0bc5c1e43a1", - "link": "https://learn.microsoft.com/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=yaml%2Cbrowser", - "services": [], - "severity": "Medium", - "subcategory": "Continuous Deployment", - "text": " Agents and agent pools", - "training": 
"https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "category": "Networking", + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", + "services": [ + "ARS", + "AVS" + ], + "severity": "High", + "subcategory": "Routing", + "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", "waf": "Operations" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Understand and provision Deployment Groups when required", - "guid": "8658d285-8ed6-4717-ab82-5546df2aee45", - "link": "https://learn.microsoft.com/azure/devops/pipelines/release/deployment-groups/?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Continuous Deployment", - "text": "Deployment Groups", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Operations" + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", + "services": [ + "Entra", + "RBAC", + "AVS" + ], + "severity": "High", + "subcategory": "Security (identity)", + "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Understand Kubernetes Deployment", - "guid": "53afc833-9248-4726-bd68-c5b5c2925394", - "link": "https://learn.microsoft.com/azure/devops/pipelines/ecosystems/kubernetes/deploy?view=azure-devops", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", "services": [ - "AKS" + "Entra", + "RBAC", + "AVS" ], - "severity": "Low", - 
"subcategory": "Continuous Deployment", - "text": "Deploy to Kubernetes", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Operations" + "severity": "High", + "subcategory": "Security (identity)", + "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", + "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Perform Dynamic Security Testing", - "guid": "b69b9d37-9ac4-43bc-98d1-d76657246b44", - "link": "https://devblogs.microsoft.com/premier-developer/azure-devops-pipelines-leveraging-owasp-zap-in-the-release-pipeline/", - "services": [], + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", + "services": [ + "Entra", + "AVS" + ], "severity": "Medium", - "subcategory": "Security", - "text": "DAST Scan", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "subcategory": "Security (identity)", + "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Manage Service Connections", - "guid": "8564b4dd-74a7-459c-9633-bd2a1a27a764", - "link": "https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml", - "services": [], + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", + "services": [ + "Entra", + "AVS" + ], + "severity": "High", + "subcategory": "Security (identity)", + "text": "Limit use of CloudAdmin account to emergency access only", + "waf": "Security" + }, + { + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", + "services": [ + "Entra", + "RBAC", + "AVS" + ], "severity": "Medium", - "subcategory": "Security", - "text": "Service Connections", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "subcategory": "Security (identity)", + "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set data retention policies for CI and CD", - "guid": "a90be0e3-78ee-4293-a1bd-363caaab7571", - "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/retention?view=azure-devops&tabs=yaml", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", "services": [ - "AzurePolicy" + "Entra", + "AVS" ], "severity": "Medium", - "subcategory": "Security", - "text": "Retention Policies", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "subcategory": "Security (identity)", + "text": "Is a process defined to regularly rotate cloudadmin 
(vCenter) and admin (NSX) credentials", "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set up and pay for concurrent pipelines", - "guid": "949ab919-3dc9-4fc9-b1bb-84b37b5a67fc", - "link": "https://learn.microsoft.com/azure/devops/pipelines/licensing/concurrent-jobs?view=azure-devops&tabs=ms-hosted", - "services": [], - "severity": "Low", - "subcategory": "Administration", - "text": "Parallel Pipelines", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Operations" + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", + "services": [ + "Entra", + "AVS", + "VM" + ], + "severity": "High", + "subcategory": "Security (identity)", + "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", + "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Set pipeline permissions", - "guid": "b9ed5b35-478d-4447-a826-c2863c00f1ca", - "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/permissions?view=azure-devops", - "services": [], + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", + "services": [ + "AVS" + ], "severity": "Medium", - "subcategory": "Security", - "text": "Pipeline Permissions", - "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/", + "subcategory": "Security (network)", + "text": "Is East-West traffic filtering implemented within NSX-T", "waf": "Security" }, { - "category": "Azure Pipelines", - "checklist": "Azure DevOps", - "description": "Add users to pipeline", - "guid": "c699ef1d-5a83-4de5-be36-c1c81870a0bc", - "link": 
"https://learn.microsoft.com/azure/devops/pipelines/policies/set-permissions?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Security", - "text": "Pipeline Users", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", + "services": [ + "AVS", + "AppGW", + "Firewall" + ], + "severity": "High", + "subcategory": "Security (network)", + "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", "waf": "Security" }, { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Configure Artifacts", - "guid": "5c1e43a1-8658-4d28-98ed-67179b825546", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/artifacts-overview?view=azure-devops&tabs=nuget", - "services": [], - "severity": "Medium", - "subcategory": "Configuration", - "text": "Artifact In Pipeline", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "Operations" + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", + "services": [ + "AVS" + ], + "severity": "High", + "subcategory": "Security (network)", + "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", + "waf": "Security" }, { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Publish and consume artifact in pipeline", - "guid": "df2aee45-53af-4c83-9924-8726dd68c5b5", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/pipeline-artifacts?view=azure-devops&tabs=yaml", - 
"services": [], + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", + "services": [ + "AVS", + "Monitor" + ], "severity": "Medium", - "subcategory": "Configuration", - "text": "Publish and download Artifact", - "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", - "waf": "Operations" - }, - { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Publish NuGet packages with artifacts", - "guid": "c2925394-b69b-49d3-99ac-43bc68d1d766", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/nuget?view=azure-devops&tabs=yaml", - "services": [], - "severity": "Low", - "subcategory": "Configuration", - "text": "NuGet", - "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "waf": "Operations" - }, - { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Publish Maven packages with artifacts", - "guid": "57246b44-8564-4b4d-b74a-759c7633bd2a", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/publish-maven-artifacts?view=azure-devops", - "services": [], - "severity": "Low", - "subcategory": "Configuration", - "text": "Maven", - "waf": "Operations" - }, - { - "category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Publish NPM packages with artifacts", - "guid": "1a27a764-a90b-4e0e-978e-e293c1bd363c", - "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/npm?view=azure-devops&tabs=yaml", - "services": [], - "severity": "Low", - "subcategory": "Configuration", - "text": "NPM", - "waf": "Operations" + "subcategory": "Security (network)", + "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", + "waf": "Security" }, { - 
"category": "Azure Artifact", - "checklist": "Azure DevOps", - "description": "Best Practices to work with Azure Artifact", - "guid": "aaab7571-949a-4b91-a3dc-9fc9d1bb84b3", - "link": "https://learn.microsoft.com/azure/devops/artifacts/concepts/best-practices?view=azure-devops", - "services": [], + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", + "services": [ + "DDoS", + "AVS", + "VPN", + "ExpressRoute", + "VNet" + ], "severity": "Medium", - "subcategory": "Configuration", - "text": "Best Practices", - "waf": "Operations" + "subcategory": "Security (network)", + "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", + "waf": "Security" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "What is monitoring?", - "guid": "7b5a67fc-b9ed-45b3-9478-d447a826c286", - "link": "https://learn.microsoft.com/devops/operate/what-is-monitoring", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", "services": [ - "Monitor" + "AVS" ], - "severity": "High", - "subcategory": "Practice", - "text": "What to monitor?", - "waf": "Operations" - }, - { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Progressive Exposure Strategy", - "guid": "3c00f1ca-c699-4ef1-b5a8-3de5de36c1c8", - "link": "https://learn.microsoft.com/devops/operate/safe-deployment-practices", - "services": [], "severity": "Medium", - "subcategory": "Practice", - "text": "Safe Deployment Practices", - "waf": "Operations" + "subcategory": "Security (network)", + "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", + "waf": "Security" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Microsoft runs reliable systems 
with DevOps", - "guid": "1870a0bc-5c1e-443a-8865-8d2858ed6717", - "link": "https://learn.microsoft.com/devops/operate/how-microsoft-operates-devops", - "services": [], - "severity": "Low", - "subcategory": "Practice", - "text": "Case Study", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Operations" + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", + "services": [ + "AVS", + "Defender" + ], + "severity": "Medium", + "subcategory": "Security (guest/VM)", + "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", + "waf": "Security" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Security in DevOps", - "guid": "9b825546-df2a-4ee4-953a-fc8339248726", - "link": "https://learn.microsoft.com/devops/operate/security-in-devops", - "services": [], + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", + "services": [ + "AVS", + "Arc" + ], "severity": "Medium", - "subcategory": "Practice", - "text": "DevSecOps", + "subcategory": "Security (guest/VM)", + "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", "waf": "Security" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Enable DevSecops with Azure And GitHub", - "guid": "dd68c5b5-c292-4539-9b69-b9d379ac43bc", - "link": "https://learn.microsoft.com/devops/devsecops/enable-devsecops-azure-github", - "services": [], + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", + "services": [ + "AVS", + 
"SQL" + ], "severity": "Low", - "subcategory": "Practice", - "text": "DevSecops", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "subcategory": "Security (guest/VM)", + "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", "waf": "Security" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Mirror RBAC in DevOps", - "guid": "68d1d766-5724-46b4-9856-4b4dd74a759c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/secure/best-practices/end-to-end-governance", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", "services": [ - "RBAC" + "AKV", + "AVS" ], "severity": "Low", - "subcategory": "Practice", - "text": "Secure DevOps Govenance", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "subcategory": "Security (guest/VM)", + "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", "waf": "Security" }, { - "category": "DevOps Practice", - "checklist": "Azure DevOps", - "description": "Governance when using CI/CD", - "guid": "7633bd2a-1a27-4a76-9a90-be0e378ee293", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/governance/end-to-end-governance-in-azure", - "services": [], + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", + "services": [ + "AVS" + ], "severity": "Medium", - "subcategory": "Practice", - "text": "Azure DevOps Governance", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "subcategory": "Security (guest/VM)", + "text": "Consider using extended security update support for 
workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "services": [], + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", + "services": [ + "AVS" + ], "severity": "High", - "subcategory": "High Availablity", - "text": "Enable 2 replicas to have 99.9% availability for read operations", + "subcategory": "Governance (platform)", + "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "services": [], - "severity": "Medium", - "subcategory": "High Availablity", - "text": "Enable 3 replicas to have 99.9% availability for read/write operations", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", + "services": [ + "AVS", + "AzurePolicy", + "Storage" + ], + "severity": "High", + "subcategory": "Governance (platform)", + "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", - "services": [], + 
"category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", + "services": [ + "AVS", + "ASR" + ], "severity": "High", - "subcategory": "High Availablity", - "text": "Leverage Availability Zones by enabling read and/or write replicas", + "subcategory": "Governance (platform)", + "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "services": [ - "ACR" + "AVS" ], "severity": "Medium", - "subcategory": "Georeplication", - "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", - "waf": "Reliability" + "subcategory": "Governance (platform)", + "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "services": [ - "ACR" + "AVS", + "AzurePolicy" ], "severity": "Medium", - 
"subcategory": "Georeplication", - "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", - "waf": "Reliability" + "subcategory": "Governance (platform)", + "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", "services": [ - "TrafficManager" + "AVS", + "Cost" ], "severity": "Medium", - "subcategory": "Georeplication", - "text": "Use Azure Traffic Manager to coordinate requests", - "waf": "Reliability" + "subcategory": "Governance (platform)", + "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", "services": [ - "Storage", - "Backup", - "ASR" + "AVS", + "Cost" ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Backup and Restore an Azure Cognitive Search Index. 
Use this sample code to back up index definition and snapshot to a series of Json files", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Cognitive Services Review Checklist", - "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", - "service": "Cognitive Services", - "services": [], - "severity": "Medium", - "subcategory": "Best Practice", - "text": "Leverage FTA HandBook for Cognitive Services", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Governance (platform)", + "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "Cognitive Services Review Checklist", - "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Cognitive Services", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", "services": [ - "Backup" + "AVS" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Backup Your Prompts", - "waf": "Reliability" + "subcategory": "Governance (platform)", + "text": "Consider the use of Azure Private-Link when using other Azure Native Services", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Cognitive Services Review Checklist", - "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Cognitive Services", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", "services": [ - "Backup", - 
"ASR" + "AVS" ], "severity": "High", - "subcategory": "Backup", - "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", - "waf": "Reliability" + "subcategory": "Governance (platform)", + "text": "Ensure all required resource reside within the same Azure availability zone(s)", + "waf": "Performance" }, { - "category": "Operations Management", - "checklist": "Cognitive Services Review Checklist", - "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", - "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", - "service": "Cognitive Services", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "services": [ - "Backup" + "AVS", + "VM", + "Defender" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Backup Your ChatGPT conversations", - "waf": "Reliability" + "subcategory": "Governance (guest/VM)", + "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Cognitive Services Review Checklist", - "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", - "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", - "service": "Cognitive Services", - "services": [], + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", + "services": [ + "AVS", + "VM", + "Arc" + ], "severity": "Medium", - "subcategory": "DevOps", - "text": "CI/CD for custom speech", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Cognitive Services Review Checklist", - "guid": "3687a046-7a1f-4893-9bda-43324f248116", - "link": 
"https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", - "service": "Cognitive Services", - "services": [], - "severity": "Low", - "subcategory": "QnA Service", - "text": "Move a knowledge base using export-import", - "waf": "Reliability" + "subcategory": "Governance (guest/VM)", + "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD control plane does not offer a financially backed service level agreement. We strive to attain at least 99.9% availability for the Azure Virtual Desktop service URLs. The availability of the session host virtual machines in your subscription is covered by the Virtual Machines SLA. Dependent resources/services and infrastructure availability must be also considered to properly satisfy global high-availability requirements.", - "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1", - "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", "services": [ - "Subscriptions", - "AVD", - "VM", - "ASR" + "AVS" ], "severity": "High", - "subcategory": "Compute", - "text": "Determine the expected High Availability SLA for applications/desktops published through AVD", - "waf": "Reliability" + "subcategory": "Governance (guest/VM)", + "text": "Enable Diagnostic and metric logging on Azure VMware Solution", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "'Active-Active' model can be achieved with multiple host pools in different regions. A single Host Pool with VMs from different regions is not recommended. 
If multiple pools for same users will be used, the problem of how to synchronize/replicate user profiles must be solved. FSLogix Cloud Cache could be used, but need to be carefully reviewed and planned, or customers can decide to do not synchronize/replicate at all. 'Active-Passive' can be achieved using Azure Site Recovery (ASR) or on-demand Pool deployment with automated mechanism. For a detailed discussion on multi-region BCDR, please read the companion article in the 'More Info' column and this FSLogix related page: https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity.", - "guid": "6acc076e-f9b1-441a-a989-579e76b897e7", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", "services": [ - "Storage", - "AVD", + "AVS", "VM", - "ASR" + "Monitor" ], "severity": "Medium", - "subcategory": "Compute", - "text": "Assess Geo Disaster Recovery requirements for AVD Host Pools", - "waf": "Reliability" - }, - { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Before approaching Azure Virtual Desktop BCDR planning and design, it is important to initially consider which applications consumed through AVD are critical. 
You may want to separate them from non-critical apps and use a separate Host Pool with a different disaster recovery approach and capabilities.", - "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", - "services": [ - "AVD", - "ASR" - ], - "severity": "Low", - "subcategory": "Compute", - "text": "Separate critical applications in different AVD Host Pools", - "waf": "Reliability" - }, - { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Each Host Pool can be deployed using Availability Zones (AZ) or Availability Set (AS). To maximize resiliency, usage of AZ is recommended: at Host Pool creation time you can decide to spread Host Pool Session Hosts across all available AZ. Usage of AS will not protect from single datacenter failure, then should be used only in regions where AZ are not available. More details on AZ and AVD in the companion article. For a comparison between AZ and AS you can read here: https://learn.microsoft.com/azure/virtual-machines/availability.", - "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb", - "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262", - "services": [ - "ACR", - "AVD", - "ASR" - ], - "severity": "High", - "subcategory": "Compute", - "text": "Plan the best resiliency option for AVD Host Pool deployment", - "waf": "Reliability" + "subcategory": "Governance (guest/VM)", + "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Backup can be used to protect Host Pool VMs. For Pooled Pools, this is not necessary since should be stateless. 
Instead, this option can be considered for Personal Host Pools.", - "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", "services": [ "VM", - "AVD", + "AVS", "Backup", - "ASR" + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Compute", - "text": "Assess the requirement to backup AVD Session Host VMs", - "waf": "Reliability" + "subcategory": "Governance (guest/VM)", + "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Even for Personal Pools, usage of Availability Zones, when available, is recommended. Three possible in-region DR strategies are possible, it is recommended to select the best one based on cost, RTO/RPO, and if it is really necessary to save the entire VM OS disk: (1) create each session host in a specific zone (AZ) and then use Azure Site Recovery (ASR) to replicate to a different zone. (2) Use Azure Backup to backup and restore the specific session host in a different AZ. (3) Create a new session host in a different AZ and rely on FSLogix and/or OneDrive to make data and settings available on the new machine. 
All options require administrator intervention for DR and direct user assignment at Host Pool level, then must be planned and configured in advance.", - "guid": "5da58639-ca3a-4961-890b-29663c5e10d", - "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", "services": [ - "VM", - "ASR", - "AVD", - "Cost", - "Backup" + "AVS", + "Defender", + "Monitor" ], "severity": "Medium", - "subcategory": "Compute", - "text": "Prepare a local DR strategy for Personal Host Pool Session Hosts", - "waf": "Reliability" - }, - { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "If custom images are used to deploy AVD Host Pool VMs, it is important to ensure those artifacts are available in all regions where AVD is deployed. Azure Compute Gallery service can be used to replicate images across all regions where a Host Pool is deployed, with redundant storage and in multiple copies. Please be aware that the Azure Compute Gallery service isn't a global resource. 
For disaster recovery scenarios, the best practice is to have at least two galleries, in different regions.", - "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141", - "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery", - "services": [ - "Storage", - "VM", - "ASR", - "ACR", - "AVD" - ], - "severity": "Low", - "subcategory": "Dependencies", - "text": "Plan for Golden Image cross-region availability", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "If users of the AVD infrastructure need on-premises resource access, high availability of network infrastructure required to connect is also critical and should be considered. Resiliency of authentication infrastructure needs to be assessed and evaluated. BCDR aspects for dependent applications and other resources need to be considered to ensure availability in the secondary DR location.", - "guid": "fd339489-8c12-488b-9c6a-57cfb644451e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", "services": [ - "AVD", - "ASR" + "AVS", + "Defender" ], "severity": "Medium", - "subcategory": "Dependencies", - "text": "Assess Infrastructure & Application dependencies ", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Not all data inside FSLogix user profiles may deserve protection from disaster. 
Additionally, if external storage is used, for example OneDrive or File Servers/Shares, what is remaining in the FSLogix profile is minimal and could be lost in some extreme circumstances. In other cases, data inside the profile can be rebuilt from other storages (for example Outlook Inbox in cached mode).", - "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23", - "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", "services": [ - "Storage", - "AVD", - "ASR" + "AVS" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Assess which data need to be protected in the Profile and Office Containers", - "waf": "Reliability" + "severity": "High", + "subcategory": "Compliance", + "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Preventing data loss for critical user data is important, first step is to assess which data need to be saved and protected. If using OneDrive or other external storage, saving user Profile and/or Office Containers data maybe not necessary. Appropriate mechanism must be considered to provide protection for critical user data. Azure Backup service can be used to protect Profile and Office Containers data when stored on Azure Files Standard and Premium tiers. 
Azure NetApp Files Snapshots and Policies can be used for Azure NetApp Files (all tiers).", - "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", "services": [ - "AzurePolicy", - "Storage", - "ASR", - "AVD", - "Backup" + "AVS" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Build a backup protection strategy for Profile and Office Containers", - "waf": "Reliability" + "severity": "High", + "subcategory": "Compliance", + "text": "Are data processing implications (service provider / service consumer model) clear and documented", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "In AVD, multiple replication mechanisms and strategies can be used for user data residing in FSLogix containers: [Profile Pattern #1]: Native Azure storage replication mechanisms, for example Azure Files Standard GRS replication, Azure NetApp Files Cross Region Replication. Use Zone Replicated Storage (ZRS) or Geo replicated storage (GRS) for Azure Files is recommended. LRS with local-only resiliency can be used if no zone/region protection is required. NOTE: Azure Files Share Standard is LRS/ZRS/GRS, but with 100TB large support enabled only LRS/ZRS are supported. [Profile Pattern #2]: FSLogix Cloud Cache is built in automatic mechanism to replicate containers between different (up to 4) storage accounts. Cloud Cache should be used only when:(1) User Profile or Office containers data availability required high-availability SLA is critical and need to be resilient to region failure. (2) Selected storage option is not able to satisfy BCDR requirements. 
For example, with Azure File Share Premium tier, or Azure File Share Standard with Large File Support enabled, GRS is not available. (3) When replication between disparate storage is required. [Profile Pattern #3]: Only set up geo disaster recovery for application data and not for user data/profile containers: store important application data in separate storages, like OneDrive or other external storage with its own built-in DR mechanism.", - "guid": "9f7547c1-746d-4c56-868a-714435bd09dd", - "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", + "category": "Governance", + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "services": [ - "Storage", - "AVD", - "ASR" + "AVS" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Assess Profile Container storage replication requirements and resiliency for BCDR purpose", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "For local disaster recovery, Azure Backup for Azure Files can be used. For cross-region geo disaster recovery: GRS for Azure Files is only available with standard SKU and no large share support, then not suitable in most customer scenarios. 
If geo-replication is required with Azure File Share Premium, replication with FSLogix Cloud Cache can be evaluated, or 'in-region' Availability Zone (AZ) only resiliency should be considered.", - "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05", - "link": "https://docs.microsoft.com/azure/backup/backup-afs", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", "services": [ - "Storage", - "AVD", - "Backup", - "ASR" + "AVS", + "Monitor" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Review Azure Files disaster recovery strategy", - "waf": "Reliability" + "severity": "High", + "subcategory": "Monitoring", + "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "Zone Redundant Storage will maximize in-region resiliency for the user profile data. ZRS is supported for premium file shares through the 'FileStorage' storage account kind. ZRS is supported in standard general-purpose v2 storage accounts. Usage of zone redundant storage must be paired with zone redundant deployment of Session Hosts in each Host Pool. 
", - "guid": "10d4e875-d502-4142-a795-f2b6eff34f88", - "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", "services": [ - "Storage", - "AVD", - "ASR" + "AVS", + "Monitor" ], "severity": "High", - "subcategory": "Storage", - "text": "Use Zone Redundant Storage (ZRS) for Azure Files to maximize resiliency", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "Azure Virtual Desktop Review", - "description": "For local disaster recovery, Azure NetApp Files (ANF) native backup is available. ANF is essentially locally redundant, then for cross-region geo disaster recovery it is necessary to use an additional mechanism that is Cross-Region Replication (CRR) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering. 
Currently, ANF does not provide replication nor redundancy across different Availability Zones (AZ), only the possibility to select in which single AZ to place the ANF volume: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.", - "guid": "23429db7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", "services": [ - "Storage", - "ASR", - "ACR", - "AVD", - "Backup" + "AVS", + "Monitor" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Review Azure NetApp Files disaster recovery strategy", - "waf": "Reliability" + "severity": "High", + "subcategory": "Monitoring", + "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", + "waf": "Operations" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Applications can be preinstalled in the golden image/s, can be attached using MSIX & AppAttach feature or distributed to the session hosts after host pool deployment using traditional software distribution methods.", - "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97", - "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", "services": [ - "AVD" + "AVS", + "Monitor" ], "severity": "High", - "subcategory": "Golden Images", - "text": "Determine how applications will be deployed in AVD Host Pools", + "subcategory": "Monitoring", + "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", "waf": "Operations" }, { - "category": "Compute", - "checklist": "Azure Virtual 
Desktop Review", - "description": "Multiple golden images can be required to support different OS versions and/or settings, different groups of applications that must be separated and cannot be included in a single image.", - "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89", - "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "services": [ - "AVD" + "Monitor", + "AVS", + "Storage" ], "severity": "Medium", - "subcategory": "Golden Images", - "text": "Estimate the number of golden images that will be required", + "subcategory": "Monitoring", + "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", "waf": "Operations" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Determine which Guest OS will be used to deploy each Host Pool: Windows 10 vs. Windows Server, Marketplace vs. 
Custom images", - "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213", - "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", "services": [ - "AVD" + "AVS", + "Monitor" ], - "severity": "Medium", - "subcategory": "Golden Images", - "text": "Determine which OS image/s you will use for Host Pool deployment", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Monitoring", + "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", + "waf": "Operations" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure VM custom images can be created and stored in different ways: in an Azure Compute Gallery, as a managed image object or as a managed disk in the storage. The recommended way is to use Azure Compute Gallery.", - "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd", - "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "services": [ - "Storage", - "AVD", - "VM" + "AVS", + "VM", + "AzurePolicy", + "Storage" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Select the proper store for custom images", - "waf": "Reliability" + "severity": "High", + "subcategory": "Operations", + "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", + "waf": "Operations" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "If custom images will be used, plan for an automated build process. 
If no pre-existing software factory exists, consider using Custom Image Templates and/or Azure Image Builder to automate the build process.", - "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282", - "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", "services": [ - "AVD" + "AVS" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Design your build process for custom images", + "severity": "Medium", + "subcategory": "Operations", + "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", "waf": "Operations" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "There are some known best practices and recommendations for the golden image customization, be sure to check the referenced article.", - "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3", - "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", "services": [ - "AVD" + "AVS", + "Backup", + "Storage" ], "severity": "Medium", - "subcategory": "Golden Images", - "text": "If custom image will be used, check recommended best practices for AVD on how to build custom image", + "subcategory": "Operations", + "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", "waf": "Operations" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "FSLogix stack installed in AVD session hosts does not provide auto-update capability. 
For this reason, it is recommended to download the latest version of FSLogix and include in the golden image update process.", - "guid": "ed5c9027-dd1a-4343-86ca-52b199223186", - "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", "services": [ - "AVD" + "AVS", + "Arc" ], - "severity": "High", - "subcategory": "Golden Images", - "text": "Include the latest version of FSLogix in the golden image update process", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Operations", + "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", + "waf": "Operations" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "This tool-set has been created to automatically apply setting referenced in white paper 'Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Usage of the tool and/or optimizations mentioned in the white-paper should be considered. 
", - "guid": "829e3fec-2183-4687-a017-7a2b5945bda4", - "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "services": [ - "RBAC", - "AVD" + "AVS", + "Monitor" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Evaluate the usage of Virtual-Desktop-Optimization-Tool", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Operations", + "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "waf": "Operations" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "If OneDrive is used and included in a golden image, be sure to follow the configuration procedure reported in the companion article in the 'More Info' section. Not in scope in this AVD checklist, but OneDrive optimizations like 'Known Folder Redirection' and 'Files On-Demand' should be evaluated used to reduce the space used in FSLogix profiles and provide a better user experience. 
OneDrive today is not supported for Remote Apps.", - "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e", - "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "services": [ - "Storage", - "AVD" + "AVS" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Determine if Microsoft OneDrive will be part of AVD deployment", + "severity": "Medium", + "subcategory": "Operations", + "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", "waf": "Operations" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Be sure to review the requirements and configuration procedure contained in the companion article in the 'More Info' column. Since Teams automatic updates will be disabled, it is recommended to check and include Teams latest version in the golden image update process.", - "guid": "b5887953-5d22-4788-9d30-b66c67be5951", - "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", "services": [ - "AVD" + "AVS", + "AzurePolicy", + "Monitor" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Determine if Microsoft Teams will be part of AVD deployment", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Operations", + "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "waf": "Operations" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD can support users with different language and localization 
requirements in the same host pool. This can be done customizing golden images to ensure users can select whichever language they need. The procedure to configure additional language packs in Windows 11 is documented in the reference article.", - "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a", - "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs", + "category": "Management", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", "services": [ - "AVD" + "AVS", + "Defender" ], - "severity": "Low", - "subcategory": "Golden Images", - "text": "Assess the requirement to support multiple languages", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Security", + "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", + "waf": "Security" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "It is highly recommended to use separate storage accounts/shares to store MSIX packages. If necessary, storage can scale out independently and not being impacted by profile I/O activities. Azure offers multiple storage options that can be used for MISX app attach. We recommend using Azure Files or Azure NetApp Files as those options offer the best value between cost and management overhead. 
", - "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "services": [ - "Cost", - "Storage", - "AVD" + "AVS", + "Backup" ], "severity": "Medium", - "subcategory": "MSIX & AppAttach", - "text": "Do not use the same storage account/share as FSLogix profiles", - "waf": "Performance" + "subcategory": "Backup", + "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "In the referenced article, we reported few but important performance considerations for MSIX usage in AVD context, be sure to carefully review.", - "guid": "241addce-5793-477b-adb3-751ab2ac1fad", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", "services": [ - "AVD" + "AVS", + "ASR" ], "severity": "Medium", - "subcategory": "MSIX & AppAttach", - "text": "Review performance considerations for MSIX", - "waf": "Performance" + "subcategory": "Disaster Recovery", + "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "MSIX app attach requires read-only permissions to access the file share. 
If you're storing your MSIX applications in Azure Files, then for your session hosts, you'll need to assign all session host VMs both storage account role-based access control (RBAC) and file share New Technology File System (NTFS) permissions on the share.", - "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "services": [ - "RBAC", - "Storage", - "AVD", - "VM" + "AVS", + "ASR" ], "severity": "Medium", - "subcategory": "MSIX & AppAttach", - "text": "Check proper session host permissions for MSIX share", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "3rd-party software vendor must provide a MSIX package, it is not recommended for customer to attempt the conversion procedure without proper support from the application owner.", - "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", "services": [ - "AVD" + "AVS", + "ASR" ], - "severity": "Low", - "subcategory": "MSIX & AppAttach", - "text": "MSIX packages for 3rd-party applications", - "waf": "Cost" + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "MSIX app attach doesn't support auto-update for MSIX applications, so 
they should be disabled.", - "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", "services": [ - "AVD" + "AVS", + "ASR" ], - "severity": "Low", - "subcategory": "MSIX & AppAttach", - "text": "Disable auto-update for MSIX packages", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Disaster Recovery", + "text": "Use the geopolitical region pair as the secondary disaster recovery environment", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "In order to leverage MSIX & App Attach, guest OS image for AVD Host pool must be Windows 10/11 Enterprise or Windows 10/11 Enterprise Multi-session, version 2004 or later.", - "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", "services": [ - "AVD" + "AVS", + "ASR" ], - "severity": "Medium", - "subcategory": "MSIX & AppAttach", - "text": "Review operating systems support", + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "Once selected the VM SKU that will be used for Host Pool deployment, it is recommended to use Gen2 type of the SKU for higher security and improved capabilities.", - "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d", - "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2", + "category": "BCDR", + "checklist": "Azure VMware 
Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", "services": [ - "AVD", - "VM" + "AVS", + "ASR", + "NVA", + "ExpressRoute" ], "severity": "Medium", - "subcategory": "Session Host", - "text": "Evaluate the usage of Gen2 VM for Host Pool deployment", - "waf": "Performance" + "subcategory": "Disaster Recovery", + "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Azure Virtual Desktop Review", - "description": "MMR redirects the media content from Session Host to your local machine for faster processing and rendering. It only works when you play media content on Microsoft Edge or Google Chrome. See linked URL for more details.", - "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9", - "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", "services": [ - "AVD" + "AVS", + "Backup" ], - "severity": "Low", - "subcategory": "Session Host", - "text": "Consider using MMR (MultiMedia Redirection) to get better video performance on browser", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Business Continuity", + "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]", + "waf": "Reliability" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. A host pool can be one of two types: Personal and Pooled. 
Which type to use, and how many, is a key design decision that must be documented and validated. See companion article in 'More Info' column for more details.", - "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", "services": [ - "AVD", - "VM" + "AVS", + "Backup" ], - "severity": "High", - "subcategory": "Capacity Planning", - "text": "Determine the Host Pool type to use", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Business Continuity", + "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "waf": "Reliability" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "Use your design criteria to determine the number of Host Pools to deploy. This will be based on factors such as different OS images, multi-region support, guest VM hardware differences (such as GPU support or no), different user expectations and uptime requirements (examples might be 'Executives', 'Office Workers', 'Developers', etc.), and Host Pool RDP settings (such as drive redirection support). 
These will determine the number of host pools as well as how many hosts will be in each pool.", - "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7", - "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools", + "category": "BCDR", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "services": [ - "AVD", - "VM" + "AVS", + "Backup" ], - "severity": "High", - "subcategory": "Capacity Planning", - "text": "Estimate the number of different Host Pools to deploy ", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Business Continuity", + "text": "Deploy your backup solution outside of vSan, on Azure native components", + "waf": "Reliability" }, { - "category": "Foundation", - "checklist": "Azure Virtual Desktop Review", - "description": "Confirm that the difference between automatic and direct assignment is well understood and the selected option is appropriate for the scenario in question. 
Automatic is the default setting.",
- "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
+ "category": "BCDR",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
+ "service": "AVS",
 "services": [
- "AVD"
+ "AVS"
 ],
 "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "For Personal Host Pool type, select the proper assignment type",
- "waf": "Operations"
+ "subcategory": "Business Continuity",
+ "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Check which one to use and available options, autoscale ignores existing load-balancing algorithms.",
- "guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
+ "service": "AVS",
 "services": [
- "AVD"
+ "AVS"
 ],
 "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "For Pooled Host Pool type, select the best load balancing method",
- "waf": "Performance"
+ "subcategory": "Deployment strategy",
+ "text": "For manual deployments, all configuration and deployments must be documented",
+ "waf": "Operations"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "The number of cores increase, the system's synchronization overhead also increases. Especially for multiple user's sign-in simultaneously. 
Make sure not to use a VM that is too large for the session host",
- "guid": "b3724959-4943-4577-a3a9-e10ff6345f24",
- "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
+ "service": "AVS",
 "services": [
- "AVD",
- "VM"
+ "AVS"
 ],
- "severity": "Medium",
- "subcategory": "Capacity Planning",
- "text": "For Pooled Host Pool type, VMs shouldn't have more than 32 cores",
- "waf": "Performance"
+ "severity": "Low",
+ "subcategory": "Deployment strategy",
+ "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
+ "waf": "Operations"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD does not support assigning both the RemoteApp and Desktop Application Group (DAG) in a single host pool to the same set of users. Doing so will cause a single user to have two user sessions in a single host pool. 
Users aren't supposed to have two active sessions at the same time in the same host pool using the same profile.",
- "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
+ "service": "AVS",
 "services": [
- "Storage",
- "AVD"
+ "AVS"
 ],
- "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Do not use the same Host Pool to offer both full desktops (DAG) and Remote Apps to the same set of users",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Automated Deployment",
+ "text": "For automated deployments, deploy a minimal private cloud and scale as needed",
+ "waf": "Operations"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "There is a limit of 500 Application Groups that can be created in AVD for each Microsoft Entra ID (former Azure AD) tenant. 
The limit can be increased (see the companion link for details) but it is not recommended.",
- "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
+ "service": "AVS",
 "services": [
- "ACR",
- "AVD",
- "Entra"
+ "AVS"
 ],
- "severity": "Medium",
- "subcategory": "Capacity Planning",
- "text": "Estimate the number of Application Groups required across all Host Pools in the Microsoft Entra ID tenant",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Automated Deployment",
+ "text": "For automated deployments, request or reserve quota prior to starting the deployment",
+ "waf": "Operations"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Applications are grouped under Application Groups as containers for publishing and assigning permissions: we recommend that you do not publish more than 50 applications per application group.",
- "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
+ "service": "AVS",
 "services": [
- "AVD"
+ "AVS",
+ "AzurePolicy"
 ],
 "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "Estimate the number of Applications for each Application Group",
- "waf": "Reliability"
+ "subcategory": "Automated Deployment",
+ "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance",
+ "waf": "Operations"
 },
 {
- "category": "Foundation",
- "checklist": "Azure 
Virtual Desktop Review",
- "description": "FSLogix is not required for Personal Host Pools since each VM is statically assigned to a single user, then no immediate needs for a roaming profile solution. In some usage scenarios FSLogix can help. For example, a VM can be re-assigned, or user moved to another desktop, or roaming profile can be used to save user profile in a different location for DR purposes.",
- "guid": "38b19ab6-0693-4992-9394-5590883916ec",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
+ "service": "AVS",
 "services": [
- "Storage",
- "AVD",
- "VM"
+ "AKV",
+ "AVS"
 ],
 "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "Evaluate the usage of FSLogix for Personal Host Pools",
- "waf": "Reliability"
+ "subcategory": "Automated Connectivity",
+ "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use",
+ "waf": "Operations"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Use the link provided to set a starting point for SKU decision, then validate using a performance test. 
Ensure a minimum of four cores for Production is selected per Session Host (multi-session)",
- "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
- "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "255461e2-aee3-4553-afc8-339248b262d6",
+ "service": "AVS",
 "services": [
- "AVD",
- "VM"
+ "AKV",
+ "AVS",
+ "ExpressRoute"
 ],
- "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Run workload performance test to determine the best Azure VM SKU and size to use",
- "waf": "Performance"
+ "severity": "Low",
+ "subcategory": "Automated Connectivity",
+ "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute",
+ "waf": "Operations"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "It is critical to check AVD capacity and limits reported in the referenced article. Additional limits and thresholds apply for network, compute, storage and service management. 
",
- "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
+ "service": "AVS",
 "services": [
- "Storage",
- "AVD"
+ "AVS"
 ],
- "severity": "High",
- "subcategory": "Capacity Planning",
- "text": "Verify AVD scalability limits for the environment",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Automated Connectivity",
+ "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.",
+ "waf": "Operations"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Host Pools with GPU require special configuration, please be sure to review the referenced article.",
- "guid": "c936667e-13c0-4056-94b1-e945a459837e",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3",
+ "service": "AVS",
 "services": [
- "AVD"
+ "AVS"
 ],
 "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "Determine if Session Hosts will require GPU",
- "waf": "Performance"
+ "subcategory": "Automated Connectivity",
+ "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs",
+ "waf": "Operations"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Whenever is possible, it is recommended to leverage VM SKUs with Accelerated Networking feature. 
This feature does require specific VM SKU/size and OS versions, please see the list and requirement in the companion article.",
- "guid": "b47a393a-0803-4272-a479-8b1578b219a4",
- "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
+ "service": "AVS",
 "services": [
- "AVD",
- "VM"
+ "AVS",
+ "Subscriptions"
 ],
- "severity": "Low",
- "subcategory": "Capacity Planning",
- "text": "Use Azure VM SKUs able to leverage Accelerated Networking",
+ "severity": "Medium",
+ "subcategory": "Automated Scale",
+ "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution",
 "waf": "Performance"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "For proper planning and deployment, it is important to assess the maximum number of concurrent and total users for each Host Pool. 
Additionally, users from different regions may require different Host Pools to ensure the best user experience.",
- "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
+ "service": "AVS",
 "services": [
- "AVD"
+ "AVS",
+ "AzurePolicy",
+ "Storage"
 ],
 "severity": "Medium",
- "subcategory": "Clients & Users",
- "text": "Assess how many users will connect to AVD and from which regions",
+ "subcategory": "Automated Scale",
+ "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action",
 "waf": "Performance"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "The dependencies on resources external to the AVD pool should be assessed and reviewed, for example Active Directory, external file shares or other storage, on-premises services and resources, network infrastructure components like VPN and or ExpressRoute, external services and 3rd-party components. For all these resources, latency from the AVD Host Pool needs to be evaluated and connectivity considered. 
Additionally, BCDR considerations need to be applied to these dependencies as well.",
- "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82",
+ "service": "AVS",
 "services": [
- "ExpressRoute",
- "VPN",
- "AVD",
- "Storage"
+ "AVS"
 ],
 "severity": "Medium",
- "subcategory": "Clients & Users",
- "text": "Assess external dependencies for each Host Pool",
+ "subcategory": "Automated Scale",
+ "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)",
 "waf": "Performance"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD offers a variety of client types (fat, thin, web) to connect over different platforms (Windows, MacOS, iOS, Android). 
Review limitations of each client and compare multiple options when possible.",
- "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bf15bce2-19e4-4a0e-a588-79424d226786",
+ "service": "AVS",
 "services": [
- "AVD"
+ "AVS"
 ],
- "severity": "Low",
- "subcategory": "Clients & Users",
- "text": "Review user client OS used and AVD client type",
+ "severity": "Medium",
+ "subcategory": "Automated Scale",
+ "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)",
 "waf": "Performance"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Depending on the user locations, and AVD region deployment, users may have a non-optimal experience, hence is important to test as soon as possible in a small PoC environment. Run the 'Azure Virtual Desktop Experience Estimator' tool to select the best Azure region to deploy Host Pools. 
Beyond 150ms latency, user experience may be not optimal.",
- "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e",
- "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29",
+ "service": "AVS",
 "services": [
- "AVD"
+ "AVS"
 ],
- "severity": "High",
- "subcategory": "Clients & Users",
- "text": "Run a PoC to validate end-to-end user experience and impact of network latency",
+ "severity": "Medium",
+ "subcategory": "Automated Scale",
+ "text": "Define and enforce scale in/out maximum limits for your environment in the automations",
 "waf": "Performance"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "RDP settings can currently only be configured at the host pool level, not per user/group. If different settings are required for different set of users, it is recommended to create multiple Host Pools.",
- "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties",
+ "category": "Platform Automation",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
+ "service": "AVS",
 "services": [
- "AVD"
+ "AVS",
+ "Monitor"
 ],
- "severity": "Low",
- "subcategory": "Clients & Users",
- "text": "Assess and document RDP settings for all user groups",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Automated Scale",
+ "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses",
+ "waf": "Operations"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD is a non-regional service, Host Pools can be created in any region, automatic redirection from closest front-end will happen automatically.",
- "guid": 
"42e52f47-21d9-428c-8b1b-d521e44a29a9",
- "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop",
+ "category": "Migration",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "AVS",
 "services": [
- "AVD"
+ "AVS",
+ "VM"
 ],
 "severity": "High",
- "subcategory": "General",
- "text": "Determine in which Azure regions AVD Host Pools will be deployed.",
- "waf": "Performance"
+ "subcategory": "Architecture",
+ "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])",
+ "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
+ "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AVD must store metadata to support the service; this is stored in the specified geography. 
However, this is independent of the regions where Host Pools are located.",
- "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations",
+ "category": "Migration",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "AVS",
 "services": [
- "AVD"
+ "AVS"
 ],
- "severity": "Medium",
- "subcategory": "General",
- "text": "Determine metadata location for AVD service",
+ "severity": "High",
+ "subcategory": "Architecture",
+ "text": "When using MON, you cannot enable MON on more than 100 Network extensions",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
 "waf": "Reliability"
 },
 {
- "category": "Foundation",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Check for specific VM SKUs, especially if you need GPU or high-specs SKUs, and eventually Azure NetApp Files if used.",
- "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91",
- "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "category": "Migration",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf",
+ "service": "AVS",
 "services": [
- "Storage",
- "AVD",
- "VM"
+ "VPN",
+ "AVS"
 ],
- "severity": "Low",
- "subcategory": "General",
- "text": "Check Azure quotas and availability for specific VM sizes and types in the selected regions",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Networking",
+ "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.",
+ "waf": "Performance"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "AD DCs in Azure are recommended (at least two in different AZ) to reduce 
latency for users logging into AVD session hosts, and eventually for Azure NetApp Files and AD integration. A DC need to be able to talk to DCs for ALL child domains. As alternative, on-premise connectivity must be used to reach AD DCs.",
- "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073",
- "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
+ "category": "Migration",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e614658d-d457-4e92-9139-b821102cad6e",
+ "service": "AVS",
 "services": [
- "Storage",
- "Entra",
- "AVD",
- "VNet"
+ "AVS"
 ],
 "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Create at least two Active Directory Domain Controllers (DCs) in Azure VNet environment close to AVD Host Pool",
- "waf": "Reliability"
+ "subcategory": "Networking",
+ "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance",
+ "waf": "Performance"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Recommended to create a separate OU per Host Pool under a separate OU hierarchy. These OUs will contain machine accounts of AVD Session Hosts. 
",
- "guid": "6db55f57-9603-4334-adf9-cc23418db612",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace",
+ "category": "Migration",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521",
+ "service": "AVS",
 "services": [
- "AVD",
- "Entra"
+ "AVS"
 ],
 "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Create a specific OU in Active Directory for each Host Pool",
- "waf": "Operations"
+ "subcategory": "Process",
+ "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Carefully review, and potentially block/filter inheritance of GPOs to the OUs containing AVD Host Pools. ",
- "guid": "7126504b-b47a-4393-a080-327294798b15",
- "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy",
+ "category": "Data Storage",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "AVS",
 "services": [
- "AVD",
- "Entra"
+ "AVS",
+ "VM",
+ "Storage"
 ],
 "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Review Domain GPOs that will be applied to OU and impacting Host Pool Session Hosts functionalities",
- "waf": "Operations"
+ "subcategory": "Architecture",
+ "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If Active Directory Domain GPOs are used, it is recommended to configure FSLogix using the 
built-in provided GPO ADMX template referenced in the companion article in the 'More Info' column",
- "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f",
- "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates",
+ "category": "Data Storage",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
+ "service": "AVS",
 "services": [
- "AVD",
- "Entra"
+ "AVS",
+ "ExpressRoute",
+ "Storage"
 ],
 "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Configure FSLogix settings using the built-in provided GPO ADMX template",
- "waf": "Operations"
+ "subcategory": "Architecture",
+ "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "It is recommended to have a specific dedicated account with minimal permissions, and without the default 10 joins limitation. 
Review the companion article for more details.",
- "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts",
+ "category": "Data Storage",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
+ "service": "AVS",
 "services": [
- "AVD",
- "VM",
- "Entra"
+ "AVS",
+ "ExpressRoute",
+ "Storage"
 ],
 "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Create a dedicated user account with only permissions to join VM to the domain",
- "waf": "Security"
+ "subcategory": "Architecture",
+ "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Avoid granting access per user, instead use AD groups and replicate them using Active Directory Connector (ADC) in Microsoft Entra ID (former Azure AD). 
",
- "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c",
- "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups",
+ "category": "Stretched Cluster",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "service": "AVS",
 "services": [
- "AVD",
- "Entra"
+ "AVS",
+ "ASR"
 ],
- "severity": "Medium",
- "subcategory": "Active Directory",
- "text": "Create a domain user group for each set of users that will be granted access to each Host Pool Application Group (DAG or RAG)",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Architecture",
+ "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If Azure Files Active Directory (AD) integration is used, as part of the configuration procedure, an AD account to represent the storage account (file share) will be created. You can choose to register as a computer account or service logon account, see FAQ for details. For computer accounts, there is a default password expiration age set in AD at 30 days. Similarly, the service logon account may have a default password expiration age set on the AD domain or Organizational Unit (OU). For both account types, we recommend you check the password expiration age configured in your AD environment and plan to update the password of your storage account identity of the AD account before the maximum password age. 
You can consider creating a new AD Organizational Unit (OU) in AD and disabling password expiration policy on computer accounts or service logon accounts accordingly.",
- "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3",
- "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable",
+ "category": "Stretched Cluster",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
+ "service": "AVS",
 "services": [
- "Storage",
- "AzurePolicy",
- "AVD",
- "Entra"
+ "AVS"
 ],
 "severity": "High",
- "subcategory": "Active Directory",
- "text": "Review your organization password expiration policy for accounts used by Azure Files AD integration",
- "waf": "Security"
+ "subcategory": "Architecture",
+ "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "You can configure this using Active Directory Connect (ADC) or Azure AD Domain Services (for hybrid or cloud organizations). 
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).",
- "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity",
+ "category": "Stretched Cluster",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
+ "service": "AVS",
 "services": [
- "AVD",
- "Entra"
+ "AVS",
+ "ExpressRoute"
 ],
 "severity": "High",
- "subcategory": "Active Directory",
- "text": "A Windows Server Active Directory forest/domain must be in sync with Microsoft Entra ID",
+ "subcategory": "Architecture",
+ "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.",
 "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "If Azure Files is used and pre-requisites can be satisfied, it is recommended to configure (Microsoft Entra ID) Kerberos authentication. 
This configuration will allow to store FSLogix profiles that can be accessed by hybrid user identities from Azure AD-joined session hosts without requiring network line-of-sight to domain controllers.",
- "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338",
- "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable",
+ "category": "Stretched Cluster",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed",
+ "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
+ "service": "AVS",
 "services": [
- "Storage",
- "AVD",
- "Entra"
+ "AVS",
+ "ExpressRoute"
 ],
- "severity": "Medium",
- "subcategory": "Microsoft Entra ID",
- "text": "Configure Azure Files share for Microsoft Entra ID (former Azure AD) Kerberos authentication on Microsoft Entra ID Joined scenario",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Architecture",
+ "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.",
+ "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "An Azure subscription must be parented to the same Microsoft Entra ID (former Azure AD) tenant, that contains a virtual network that either contains or is connected to the Windows Server Active Directory Domain Services or Microsoft Entra ID Domain Services instance.",
- "guid": "6ceb5443-5125-4922-9442-93bb628537a5",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity",
+ "category": "Stretched Cluster",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
+ "service": "AVS",
 "services": [
- "VNet",
- "Entra",
- "AVD",
- "Subscriptions"
+ "AVS"
 ],
 "severity": "High",
- "subcategory": 
"Requirements",
- "text": "A Microsoft Entra ID tenant must be available with at least one subscription linked",
+ "subcategory": "Architecture",
+ "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.",
 "waf": "Reliability"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Azure Virtual Desktop supports different types of identities depending on which configuration you choose. Please review the supported scenarios mentioned in the 'More Info' article and document the design decision accordingly in the 'Comment' column. Critically, external identities (B2B or B2C) are not supported. Be sure to review also the list of supported scenarios in https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.",
- "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c",
- "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication",
+ "category": "Security",
+ "checklist": "Azure Container Registry Security Review",
+ "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.",
+ "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e",
+ "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention",
+ "service": "ACR",
 "services": [
- "AVD",
- "Entra"
+ "ACR"
 ],
 "severity": "High",
- "subcategory": "Requirements",
- "text": "Review and document your identity scenario",
+ "subcategory": "Data Protection",
+ "text": "Disable Azure Container Registry image export",
 "waf": "Security"
 },
 {
- "category": "Identity",
- "checklist": "Azure Virtual Desktop Review",
- "description": "Users need accounts that are in Microsoft Entra ID (former Azure AD). 
If you're also using AD DS or Azure AD Domain Services in your deployment of Azure Virtual Desktop, these accounts will need to be hybrid identities, which means the user accounts are synchronized. If you're using Microsoft Entra ID with AD DS, you'll need to configure Azure AD Connect to synchronize user identity data between AD DS and Microsoft Entra ID. If you're using Microsoft Entra ID with Azure AD Domain Services, user accounts are synchronized one way from Microsoft Entra ID to Azure AD Domain Services. This synchronization process is automatic. AVD also supports Microsoft Entra ID native accounts with some restrictions. External identities (B2B or B2C) are not supported.", - "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b", - "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", + "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", + "service": "ACR", "services": [ - "AVD", - "Entra" + "AzurePolicy", + "ACR" ], - "severity": "Medium", - "subcategory": "Requirements", - "text": "Assess User Account types and requirements", + "severity": "High", + "subcategory": "Data Protection", + "text": "Enable Azure Policies for Azure Container Registry", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD supports SSO using either Active Directory Federation Services (AD FS) or Microsoft Entra ID (former Azure AD) authentication. The latter is recommended, please check the requirements and limitation in the 'More Info' article. 
Using AD FS could be a viable choice if already present in the customer environment, it is not recommended to deploy a brand new ADFS infrastructure just for AVD SSO implementation.", - "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4", - "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", + "guid": "d345293c-7639-4637-a551-c5c04e401955", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", + "service": "ACR", "services": [ - "AVD", - "Entra" + "AKV", + "ACR" ], - "severity": "Medium", - "subcategory": "Requirements", - "text": "If Single-Sign On (SSO) is a requirement, review the supported scenarios and prerequisites", - "waf": "Reliability" + "severity": "High", + "subcategory": "Data Protection", + "text": "Sign and Verify containers with notation (Notary v2)", + "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "VMs can be Windows Active Directory (AD) domain-joined, Hybrid AD-joined, Microsoft Entra ID (former Azure AD) Joined or Azure AD Domain Services joined. 
Be sure to review supported scenarios, limitations and requirements from the referenced article.", - "guid": "ea962a15-9394-46da-a7cc-3923266b2258", - "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", + "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", + "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", + "service": "ACR", "services": [ - "AVD", - "VM", - "Entra" + "AKV", + "ACR" ], - "severity": "High", - "subcategory": "Requirements", - "text": "Select the proper AVD Session Host domain join type", + "severity": "Medium", + "subcategory": "Data Protection", + "text": "Encrypt registry with a customer managed key", "waf": "Security" }, { - "category": "Identity", - "checklist": "Azure Virtual Desktop Review", - "description": "Compare self-managed Windows Active Directory Domain Services, Microsoft Entra ID (former Azure AD), and managed Azure AD Domain Services (AAD-DS)", - "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b", - "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", + "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", "services": [ - "AVD", - "Entra" + "Entra", + "RBAC", + "ACR" ], - 
"severity": "Low", - "subcategory": "Requirements", - "text": "Before using Azure AD Domain Services (AAD-DS) for AVD, be sure to review the limitations.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Use Managed Identities to connect instead of Service Principals", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD provides administrative templates for Intune and Active Directory GPO. Using these templates it is possible to centrally control several AVD configuration settings: Graphics related data logging, Screen capture protection, RDP Shortpath for managed networks, Watermarking. See companion article in 'More Info' colum for details. NOTE: FSLogix has its own separate template.", - "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2", - "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead", + "guid": "be0e38ce-e297-411b-b363-caaab79b198d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", "services": [ - "Monitor", - "AVD", - "Entra" + "Entra", + "RBAC", + "ACR" ], - "severity": "Low", - "subcategory": "Management", - "text": "Use built-in provided administrative templates for AVD settings configuration", - "waf": "Operations" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Disable local authentication for management plane access", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Determine if a configuration management tool is already in place to manage Host Pool VM configuration after initial deployment, For example SCCM/SCOM, Intune/ConfigurationManager, 3rd-party solutions.", - "guid": "3334fdf9-1c23-4418-8b65-285269440b4b", - "link": "https://learn.microsoft.com/azure/virtual-desktop/management", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", + "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", + "service": "ACR", "services": [ - "Monitor", - "AVD", - "VM" + "Entra", + "RBAC", + "ACR" ], - "severity": "Low", - "subcategory": "Management", - "text": "Plan AVD Session Hosts configuration management strategy", - "waf": "Operations" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": 
"We recommend using Microsoft Intune, if requirements can be satisfied, to manage your Azure Virtual Desktop environment. Review supported scenarios and requirements to enable Intune for AVD Session Host management in the referenced article in the “More Info” column. Document your choice in the 'Comment' column. In that article, review the different requirements and capabilities for single-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop and multi-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD.", - "guid": "63a08be1-6004-4b4a-a79b-f3239faae113", - "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Disable anonymous pull/push access", + "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", + "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", + "service": "ACR", "services": [ - "Monitor", - "AVD" + "Entra", + "ACR" ], "severity": "Medium", - "subcategory": "Management", - "text": "Evaluate Intune for AVD Session Hosts management", - "waf": "Operations" + "subcategory": "Identity and Access Control", + "text": "Disable Anonymous pull access", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "The scaling tool provides a low-cost automation option for customers who want to optimize their session host VM costs. You can use the scaling tool to schedule VMs to start and stop based on Peak and Off-Peak business hours, scale out VMs based on number of sessions per CPU core, scale in VMs during Off-Peak hours, leaving the minimum number of session host VMs running. 
Not available yet for Personal Host Pool type.", - "guid": "7138b820-102c-4e16-be30-1e6e872e52e3", - "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Token authentication doesn't support assignment to an AAD principal. Any tokens provided are able to be used by anyone who can access the token", + "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", + "service": "ACR", "services": [ - "Cost", - "Monitor", - "AVD", - "VM" + "Entra", + "ACR" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Assess the requirements for host pool auto-scaling capability", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Disable repository-scoped access tokens", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Start VM On Connect lets you reduce costs by enabling end users to turn on their session host virtual machines (VMs) only when they need them. You can then turn off VMs when they're not needed. You can configure Start VM on Connect for personal or pooled host pools using the Azure portal or PowerShell. 
Start VM on Connect is a host pool wide setting.", - "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc", - "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", + "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", + "service": "ACR", "services": [ - "Cost", - "Monitor", - "AVD", - "VM" + "Entra", + "EventHubs", + "PrivateLink", + "ACR" ], - "severity": "Low", - "subcategory": "Management", - "text": "Consider the usage of Start VM on Connect for Personal Host Pools", - "waf": "Cost" + "severity": "High", + "subcategory": "Identity and Access Control", + "text": "Deploy images from a trusted environment", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "'Start VM On Connect' provides a smart way to automatically start previously stopped Session Hosts but does not provide a mechanism to shut down when not in used. Administrators are encouraged to configure additional policies to sign users out of their sessions and run Azure automation scripts to de-allocate VMs. Users should be not allowed to shut down their Personal Hosts since will not be able to de-allocate Azure VMs, then billing will still be active with no cost reduction.", - "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb", - "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Only tokens with an ACR audience can be used for authentication. 
Used when enabling Conditional access policies for ACR", + "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", + "service": "ACR", "services": [ + "Entra", "AzurePolicy", - "Monitor", - "VM", - "AVD", - "Cost" + "ACR" ], - "severity": "Low", - "subcategory": "Management", - "text": "Evaluate the implementation of an ad-hoc mechanism to shut down Personal AVD Session Hosts", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Identity and Access Control", + "text": "Disable Azure ARM audience tokens for authentication", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Virtual Desktop billing is mainly based on cost associated to compute, networking and storage resources consumed by Host Pools. In addition to this, costs can be generated by dependent resources, for example VPN or ExpressRoute or vWAN, Active Directory Domain Controllers, DNS, etc. There is no direct cost associated to AVD objects like workspaces, host pools or application groups. To make AVD associated costs more evident and grouped by Host Pool, it is recommended to use 'cm-resource-parent' tag. ", - "guid": "51bcafca-476a-48fa-9b91-9645a7679f20", - "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.", + "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", + "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", + "service": "ACR", "services": [ - "DNS", - "ExpressRoute", - "VPN", + "Entra", "Monitor", - "Storage", - "VWAN", - "AVD", - "Cost" + "ACR" ], - "severity": "Low", - "subcategory": "Management", - "text": "Review and adopt suggested Azure Tags for Azure Virtual Desktop", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Logging and Monitoring", + "text": "Enable diagnostics logging", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost.", - "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4", - "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", + "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", + "service": "ACR", "services": [ - "Cost", - "Monitor", - "AVD", - "Entra" + "PrivateLink", + "VNet", + "Firewall", + "ACR" ], - "severity": "Low", - "subcategory": "Management", - "text": "Periodically check Azure Advisor recommendations for AVD", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Network Security", + "text": "Control inbound network access with Private Link", + "waf": 
"Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Customers have several options: Microsoft Configuration Manager, this article explains how to automatically apply updates to a Azure Virtual Desktop session hosts running Windows 10/11: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management and WSUS for Windows Server OS only (client OS not supported: https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), 3rd Party tools. Outside an emergency security patching situation, it is recommended to move away from an 'in-place' update strategy patching strategy and adopt a re-imaging approach.", - "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa", - "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Disable public network access if inbound network access is secured using Private Link", + "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", + "service": "ACR", "services": [ - "Monitor", - "AVD" + "PrivateLink", + "ACR" ], "severity": "Medium", - "subcategory": "Management", - "text": "Plan for a Session Host emergency patching and update strategy", - "waf": "Operations" + "subcategory": "Network Security", + "text": "Disable Public Network access", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "The Scheduled Agent Updates feature lets you create up to two maintenance windows per Host Pool to update AVD components at a convenient time. 
It is recommended to specify maintenance windows then upgrading Session Hosts will not happen during peak business hours. Scheduled Agent Updates is disabled by default. This means that, unless you enable this setting, the agent can get updated at any time by the agent update flighting service.", - "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f", - "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Only the ACR Premium SKU supports Private Link access", + "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", + "service": "ACR", "services": [ - "Monitor", - "AVD" + "PrivateLink", + "ACR" ], - "severity": "Low", - "subcategory": "Management", - "text": "Configure the Scheduled Agent Updates feature", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Network Security", + "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. 
This allows you to monitor service updates before the service applies them to your standard or non-validation environment.", - "guid": "d1e8c38e-c936-4667-913c-005674b1e944", - "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities", + "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", + "service": "ACR", "services": [ - "Monitor", - "AVD", - "VM" + "Defender", + "ACR" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Create a validation (canary) Host Pool", - "waf": "Operations" + "severity": "Low", + "subcategory": "Network Security", + "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "An AVD Host Pool can be deployed in several ways: Azure Portal, ARM templates, Azure CLI tool, Powershell, manual VM creation with registration token, Terraform, 3rd-party tools. 
It is important to adopt proper method/s to support automatic deployment through automation and CI/CD tools.", - "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", + "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", + "service": "ACR", "services": [ - "Monitor", - "AVD", - "VM" + "ACR" ], "severity": "Medium", - "subcategory": "Management", - "text": "Determine Host Pool deployment strategy", - "waf": "Operations" + "subcategory": "Vulnerability Management", + "text": "Deploy validated container images", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "After you register a VM to a host pool within the Azure Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. 
Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components.", - "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/faq", + "category": "Security", + "checklist": "Azure Container Registry Security Review", + "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", + "guid": "4e401955-387e-45ce-b126-cd132af5b20c", + "service": "ACR", "services": [ - "Monitor", - "AVD", - "VM" + "ACR" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Turn on Session Host VMs at least every 90 days for token refresh", - "waf": "Operations" + "severity": "High", + "subcategory": "Vulnerability Management", + "text": "Use up-to-date platforms, languages, protocols and frameworks", + "waf": "Security" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. Read the referenced article to learn how to set up Azure Monitor for Azure Virtual Desktop to monitor your AVD environments.", - "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c", - "link": "https://learn.microsoft.com/azure/virtual-desktop/insights", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore", + "guid": "976f32a7-30d1-6caa-c2a0-207fdc26571b", + "link": "https://learn.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "Monitor", - "AVD" + "AVS", + "Backup", + "Storage" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Enable monitoring for AVD", + "severity": "Medium", + "subcategory": "Backup", + "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", "waf": "Reliability" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "Azure Virtual Desktop uses Azure Monitor and Log Analytics for monitoring and alerts like many other Azure services. This lets admins identify issues through a single interface. The service creates activity logs for both user and administrative actions. Each activity log falls under the following categories: Management, Feed, Connections, Host Registration, Errors, Checkpoints. 
", - "guid": "81770afb-c4c0-4e43-a186-58d2857ed671", - "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Microsoft backup service", + "guid": "fc8af7a1-c724-e255-c18d-4ca22a6f27f0", + "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "Monitor", - "AVD", - "VM" + "AVS", + "Backup" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Enable diagnostic settings for Workspaces, Host Pools, Application Groups and Host VMs to Log Analytics workspace", + "subcategory": "Business Continuity", + "text": "Use MABS as your backup solution", "waf": "Reliability" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "See the referenced article and this additional one to setup proper monitoring and alerting for storage: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. 
", - "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", - "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Best practice - this is Backup, not disaster recovery", + "guid": "be28860f-3d29-a79a-1a0e-36f1b23b36ae", + "link": "Best practice to deploy backup in the same region as your AVS deployment", "services": [ - "Storage", - "Monitor", - "AVD" + "AVS", + "Backup", + "ASR" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Create alerts on the profile storage to be alerted in case of high usage and throttling", + "subcategory": "Business Continuity", + "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", "waf": "Reliability" }, { - "category": "Monitoring and Management", - "checklist": "Azure Virtual Desktop Review", - "description": "You can use Azure Service Health to monitor service issues and health advisories for Azure Virtual Desktop. 
Azure Service Health can notify you with different types of alerts (for example, email or SMS), help you understand the effect of an issue, and keep you updated as the issue resolves.", - "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", - "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Best practice - in case AVS is unavailable", + "guid": "4d2f79a5-4ccf-0dfc-557c-49619b99a540", + "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "Monitor", - "AVD" + "AVS" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Configure Azure Service Health for AVD alerts ", + "subcategory": "Business Continuity", + "text": "Preferably deploy MABS outside of the SDDC as native Azure IaaS", "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "If required to connect to on-premises environment, assess the current connectivity option or plan for the required connectivity (ExpressRoute, Azure S2S or 3rd-party NVA VPN). 
", - "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", - "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", + "guid": "ff431c40-962c-5182-d536-0c2f0c4ce9e0", + "link": "Will Disaster Recovery Site Recovery, HCX Disaster Recovery, SRM or back tools be used?", "services": [ - "NVA", - "ExpressRoute", - "VPN", - "AVD" + "AVS" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Determine if hybrid connectivity is required to connect to on-premises environment", + "subcategory": "Business Continuity", + "text": "Escalation process with Microsoft in the event of a regional DR", "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD Host Pools can be deployed in either Azure Virtual WAN or traditional 'Hub & Spoke' network topologies. 
It is recommended to deploy each Host Pool in a separate 'spoke' VNet, using 'hub' is not recommended.", - "guid": "c8639648-a652-4d6c-85e5-02965388e5de", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Compare SRM with HCX", + "guid": "f379436d-3051-daa0-01fb-dc4e0e04d677", + "link": "https://docs.microsoft.com/azure/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager", "services": [ - "VWAN", - "AVD", - "VNet" + "AVS", + "ASR" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Determine Azure Virtual Network (VNet) placement for each AVD Host Pool", - "waf": "Performance" + "subcategory": "Disaster Recovery", + "text": "Use VMware Site Recovery Manager when both sites are Azure VMware Solution", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Evaluate the bandwidth requirements, ensure VPN/ER bandwidth will be enough, ensure proper routing and firewall rules are in place, test end-to-end latency. 
", - "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", - "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Recovery into Azure instead of Vmware solution", + "guid": "367f71d8-3cf6-51a0-91a5-3db3d570cc19", + "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", "services": [ - "VPN", - "AVD" + "AVS", + "ASR" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Assess which on-premises resources are required from AVD Host Pools", + "subcategory": "Disaster Recovery", + "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Several options are available. You can use Azure Firewall or equivalent 3rd-party NVA, Network Security Group (NSG) and/or Proxy servers. NSG is not able to enable/disable by URL, only ports and protocols. Proxy should be used only as explicit setting in user browser. Details on using Azure Firewall Premium with AVD are reported in the companion article in the 'More Info' column. Be sure to allow proper access to required AVD URLs. 
Forced Tunneling to on-premises is not recommended.", - "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d", - "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Avoid manual tasks as much as possible", + "guid": "ee02ada0-1887-bb3a-b84c-423f45a09ef9", + "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", "services": [ - "NVA", - "Firewall", - "AVD", - "VNet" + "AVS", + "ASR" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Need to control/restrict Internet outbound traffic for AVD hosts?", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Use Automated recovery plans with either of the Disaster solutions,", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Required URLs for AVD control plane access by session hosts are documented here: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. A check tool is available to verify connectivity from the session hosts: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. 
Forced Tunneling to on-premises is not recommended.", - "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d", - "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Any other datacenter in the same region", + "guid": "0c2b74e5-9c28-780d-1df3-12d3de4aaa76", + "link": "https://docs.microsoft.com/azure/azure-vmware/connect-multiple-private-clouds-same-region", "services": [ - "AVD" + "AVS", + "ASR" ], - "severity": "High", - "subcategory": "Networking", - "text": "Ensure AVD control plane endpoints are accessible", + "severity": "Medium", + "subcategory": "Disaster Recovery", + "text": "Configure a secondary disaster recovery environment", "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Consider the usage of Azure Defender Endpoint or similar 3rd-party agents to control user web navigation, see the Security section for more details.", - "guid": "73676ae4-6691-4e88-95ad-a42223e13810", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", + "guid": "c2a34ec4-2933-4e6c-dc36-e20e67abbe3f", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", "services": [ - "Defender", - "AVD" + "AVS", + "ASR" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Need to control/restrict Internet outbound traffic only for users on AVD hosts? 
", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Assign IP ranges unique to each region", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Custom UDR and NSG can be applied to AVD Host Pool subnets, for example to redirect to Azure Firewall or NVA, or to filter/block network traffic. In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. Service Tags can now be used with UDR and NSG, then AVD management plane traffic can be easily allowed: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.", - "guid": "523181a9-4174-4158-93ff-7ae7c6d37431", - "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "category": "BCDR", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "ExpressRoute Global Reach can be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or routing must be done through network virtual appliances?", + "guid": "b44fb6ec-bfc1-3a8e-dba2-ca97f0991d2c", + "link": "This depends if you have multiple AVS Private Clouds. If so and they are in the same region then use AVS Interconnect. If they are in separate regions then use ExpressRoute Global Reach.", "services": [ + "AVS", + "ASR", "NVA", - "Firewall", - "AVD", - "VNet" + "ExpressRoute" ], - "severity": "Low", - "subcategory": "Networking", - "text": "Review custom UDR and NSG for AVD Host Pool subnets", - "waf": "Security" + "severity": "Medium", + "subcategory": "Disaster Recovery", + "text": "Use Global Reach between DR regions", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Network traffic from AVD Session Host VMs to AVD control plane should be as direct as possible. 
Redirecting this traffic through a Proxy or Firewall with deep packet inspection and/or SSL termination could cause serious issues and bad customer experience. It is recommended to bypass Proxy and Firewall just for the AVD control plane. User generated traffic surfing the web instead, should be filtered by Firewall and/or redirected to a Proxy. For details and guidelines, please see the companion article in the 'More Info' column.", - "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af", - "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "An ExR Global Reach connection will be established to the ExR circuit, no other connections", + "guid": "a2c12df2-07fa-3edd-2cec-fda0b55fb952", + "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", "services": [ - "AVD", - "VM" + "AVS", + "VWAN" ], - "severity": "High", - "subcategory": "Networking", - "text": "Do not use Proxy servers, SSL termination and Deep Packet Inspection for AVD control plane traffic", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Direct (no vWAN, no H&S)", + "text": "Global Reach to ExR circuit - no Azure resources", + "waf": "Performance" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "It is recommended to assess and review networking bandwidth requirements for users, based on the specific workload type. The referenced article provide general estimations and recommendations, but specific measure are required for proper sizing. 
", - "guid": "516785c6-fa96-4c96-ad88-408f372734c8", - "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use ExR to connect on-premises (other) location to Azure", + "guid": "f62ce162-ba5a-429d-674e-fafa1af5f706", + "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", "services": [ - "AVD", - "VM" + "AVS", + "ExpressRoute" ], - "severity": "Low", - "subcategory": "Networking", - "text": "Check the network bandwidth required for each user and in total for the VM SKU", + "severity": "Medium", + "subcategory": "ExpressRoute", + "text": "Connect to Azure using ExR", "waf": "Performance" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "If Azure Files SMB share will be used to store user profiles via FSLogix, the usage of Private Endpoint (PE) for private access to the storage is recommended. AVD Session Hosts will access the storage using a private IP in the same VNet, a separate subnet is recommended. This feature has an additional cost that must be evaluated. 
If PE will not be used, at least Service Endpoint is recommended (no cost associated).", - "guid": "ec27d589-9178-426d-8df2-ff60020f30a6", - "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use the migration assesment tool and timeline to determine bandwidth required", + "guid": "cf01c73b-1247-0a7a-740c-e1ea29bda340", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-introduction", "services": [ - "Storage", - "VNet", - "AVD", - "Cost", - "PrivateLink" + "AVS", + "ExpressRoute" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Evaluate usage Private Endpoint for Azure Files share", - "waf": "Security" + "subcategory": "ExpressRoute", + "text": "Bandwidth sizing", + "waf": "Performance" }, { - "category": "Networking", - "checklist": "Azure Virtual Desktop Review", - "description": "Connections to Azure Virtual Desktop can use TCP or UDP. RDP Shortpath is a feature of AVD that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. 
if clients have line of sight to AVD session hosts from internal network (VPN usage is not recommended), this feature can provide lower latency and best performances as explained in https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.", - "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4", - "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "What traffic is routed through a firewall, what goes directly into Azure", + "guid": "aab216ee-8941-315e-eada-c7e1f2243bd1", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", "services": [ - "VPN", - "AVD" + "AVS", + "ExpressRoute" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Evaluate usage of RDP ShortPath for clients connecting from managed internal networks", + "subcategory": "ExpressRoute", + "text": "Traffic routing ", "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Security mechanisms provided by GPO should be used, if available. For example, it is possible to impose desktop screen lock and idle session disconnection time. 
Existing GPOs applied to on-premises environment should be reviewed and eventually applied also to secure also AVD Hosts when joined to the domain.", - "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "AVS to ExR circuit, no traffic inspection", + "guid": "1f956e45-f62d-5c95-3a95-3bab718907f8", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", "services": [ - "AVD" + "AVS", + "ExpressRoute" ], "severity": "Medium", - "subcategory": "Active Directory", - "text": "Review Active Directory GPO to secure RDP sessions", - "waf": "Security" + "subcategory": "ExpressRoute", + "text": "Global Reach ", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Microsoft Defender for Endpoint supports Azure Virtual Desktop for Windows 10/11 Enterprise multi-session. 
Check article for onboarding non-persistent virtual desktop infrastructure (VDI) devices: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", - "guid": "b1172576-9ef6-4691-a483-5ac932223ece", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Name of the vNet and a unique address space /24 minimum", + "guid": "91f7a87b-21ac-d712-959c-8df2ba034253", + "link": "https://learn.microsoft.com/azure/virtual-network/quick-create-portal", "services": [ - "Defender", - "AVD" + "AVS", + "VNet" ], - "severity": "High", - "subcategory": "Host Configuration", - "text": "Ensure anti-virus and anti-malware solutions are used", - "waf": "Security" + "severity": "Medium", + "subcategory": "Hub & Spoke", + "text": "VNet name & address space", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Disks in Azure are already encrypted at rest by default with Microsoft managed keys. Host VM OS disk encryption is possible and supported using Azure Disk Encryption (ADE - BitLocker) and Disk Encryption Set (DES - Server Side Encryption), the latter is recommended. Encryption of FSLogix storage using Azure Files can be done using SSE on Azure Storage. 
For OneDrive encryption, see this article: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.", - "guid": "0fd32907-98bc-4178-adc5-a06ca7144351", - "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Subnet must be called GatewaySubnet", + "guid": "58a027e2-f37f-b540-45d5-e44843aba26b", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", "services": [ - "Storage", - "AKV", - "AVD", - "VM" + "VPN", + "AVS", + "VNet", + "ExpressRoute" ], - "severity": "Low", - "subcategory": "Host Configuration", - "text": "Assess disk encryption requirements for AVD Session Hosts", - "waf": "Security" + "severity": "Medium", + "subcategory": "Hub & Spoke", + "text": "Gateway subnet", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Trusted launch are Gen2 Azure VMs with enhanced security features aimed to protect against “bottom of the stack” threats through attack vectors such as rootkits, boot kits, and kernel-level malware. 
Recommended to enable and leverage Secure Boot, Virtual TPM (vTPM) and Integrity Monitoring.", - "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Create a VPN gateway on the hub Gateway subnet", + "guid": "d4806549-0913-3e79-b580-ac2d3706e65a", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", "services": [ - "Monitor", - "AVD", - "VM" + "VPN", + "AVS", + "VNet", + "ExpressRoute" ], "severity": "Medium", - "subcategory": "Host Configuration", - "text": "Enable Trusted launch in Azure Gen2 VM Session Hosts", - "waf": "Security" + "subcategory": "Hub & Spoke", + "text": "VPN Gateway", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Trusted Launch and Gen2 VM are not only security and performance enhancing features but also system requirements for Windows 11. 
When building an AVD environment based on Windows 11, it is essential to enable these features.", - "guid": "135d3899-4b31-44d3-bc8f-028871a359d8", - "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Create an ExR Gateway in the hub Gateway subnet.", + "guid": "864d7a8b-7016-c769-a717-61af6bfb73d2", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", "services": [ - "AVD", - "VM" + "VPN", + "AVS", + "VNet", + "ExpressRoute" ], - "severity": "High", - "subcategory": "Host Configuration", - "text": "Enable Trusted Launch and use Gen2 image are system requirements for Windows 11", - "waf": "Security" + "severity": "Medium", + "subcategory": "Hub & Spoke", + "text": "ExR Gateway", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Displayed content will be automatically blocked or hidden in screenshots. 
Keep in mind screen sharing will also be blocked when using Teams or other collaboration software which use screen sharing.", - "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6", - "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "How will Internet traffic be routes, Az Firewall, NVA, Secure Hub, On-Premises firewall?", + "guid": "cc2e11b9-7911-7da1-458c-d7fcef794aad", + "link": "https://learn.microsoft.com/azure/azure-vmware/enable-public-internet-access", "services": [ - "AVD" + "AVS", + "NVA" ], - "severity": "Low", - "subcategory": "Host Configuration", - "text": "Consider enabling screen capture protection to prevent sensitive information from being captured", - "waf": "Security" + "severity": "Medium", + "subcategory": "Internet", + "text": "Egress point", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "If not absolutely required, redirecting drives, printers, and USB devices to a user's local device in a remote desktop session should be disabled or highly restricted. 
Restrict Windows Explorer access by hiding local and remote drive mappings is also a secure measure to adopt preventing users from discovering unwanted information about system configuration and users.", - "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Allow remote connectivity to AVS via the portal, specifically to vCenter, NSX-T and HCX", + "guid": "71e68ce3-982e-5e56-0191-01100ad0e66f", + "link": "https://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html", "services": [ - "AVD" + "Bastion", + "AVS" ], "severity": "Medium", - "subcategory": "Host Configuration", - "text": "Restrict device redirection and drive mapping", - "waf": "Security" + "subcategory": "Jumpbox & Bastion", + "text": "Remote connectivity to AVS", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a seamless experience as the user works with apps on their virtual desktop. 
RemoteApps reduce risk by only letting the user work with a subset of the remote machine exposed by the application.", - "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Name the jumpbox and identify the subnet where it will be hosted", + "guid": "6f8e93a2-44b1-bb1d-28a1-4d5b3c2ea857", + "link": "https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal", "services": [ - "AVD" + "Bastion", + "AVS", + "VNet" ], "severity": "Medium", - "subcategory": "Management", - "text": "When possible, prefer Remote Apps over Full Desktops (DAG)", - "waf": "Security" + "subcategory": "Jumpbox & Bastion", + "text": "Configure a jumbox and Azure Bastion", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Web content filtering feature provided by Web Protection capability in Microsoft Defender for Endpoint, can be used to to control user web navigation. If this tool is used, configuration of web filtering for user Internet browsing is recommended. 
Access by the Guest OS system to required AVD control plane URLs must be guaranteed.", - "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Provides secure / seamless RDP/SSH connectivity to your vm's directly through the portal.", + "guid": "ba430d58-4541-085c-3641-068c00be9bc5", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", "services": [ - "Defender", - "AVD" + "Bastion", + "AVS", + "VM" ], "severity": "Medium", - "subcategory": "Management", - "text": "Need to control/restrict user Internet navigation from AVD session hosts?", - "waf": "Security" + "subcategory": "Jumpbox & Bastion", + "text": "Security measure allowing RDP access via the portal", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "We recommend you don't grant your users admin access to virtual desktops. 
If you need software packages, we recommend you make them available through configuration management utilities.", - "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed", - "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Using a VPN to connect to Azure to enable VMware communications (HCX) (not recommended)", + "guid": "9988598f-2a9f-6b12-9b46-488415ceb325", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-site-to-site-vpn-gateway", "services": [ - "AVD" + "VPN", + "AVS" ], - "severity": "High", - "subcategory": "Management", - "text": "Ensure AVD users will not have local administrator privileges on AVD Hosts", - "waf": "Security" + "severity": "Medium", + "subcategory": "VPN", + "text": "Connect to Azure using a VPN", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "We recommend you enable Defender for Cloud for the subscriptions, virtual machines, key vaults, and storage accounts used by AVD. 
With this tool is possible to assess and manage vulnerabilities, assess compliance with common frameworks like PCI, strengthen the overall security of your AVD environment and measure it over time using 'Secure Score': https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.", - "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use the migration assesment tool and timeline to determine bandwidth required (eg 3rd party tool in link)", + "guid": "956ce5e9-a862-fe2b-a50d-a22923569357", + "link": "https://www.omnicalculator.com/other/data-transfer#:~:text=To%20calculate%20the%20data%20transfer%20speed%3A%201%20Download,measured%20time%20to%20find%20the%20data%20transfer%20speed.", "services": [ - "AKV", - "Storage", - "VM", - "AVD", - "Defender", - "Subscriptions" + "VPN", + "AVS" ], "severity": "Medium", - "subcategory": "Management", - "text": "Enable Microsoft Defender for Cloud to manage AVD Session Hosts security posture", - "waf": "Security" + "subcategory": "VPN", + "text": "Bandwidth sizing", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Enabling audit log collection lets you view user and admin activity related to Azure Virtual Desktop and store in a central repository like Log Analytics workspace. 
", - "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "What traffic is routed through a firewall, what goes directly into Azure", + "guid": "e095116f-0bdc-4b51-4d71-b9e469d56f59", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", "services": [ - "Monitor", - "AVD", - "Entra" + "VPN", + "AVS" ], "severity": "Medium", - "subcategory": "Management", - "text": "Enable diagnostic and audit logging", - "waf": "Security" + "subcategory": "VPN", + "text": "Traffic routing ", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Assign the least privilege required by defining administrative, operations, and engineering roles to Azure RBAC roles. To limit access to high privilege roles within your Azure Virtual Desktop landing zone, consider integration with Azure Privileged Identity Management (PIM). 
Maintaining knowledge of which team is responsible for each particular administrative area helps you determine Azure role-based access control (RBAC) roles and configuration.", - "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b", - "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Name and unique address space for the vWAN, name for the vWAN hub", + "guid": "4dc480ac-cecd-39c4-fdc6-680b300716ab", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-site-to-site-portal#openvwan", "services": [ - "RBAC", - "AVD", - "Entra" + "AVS", + "VWAN" ], - "severity": "Low", - "subcategory": "Management", - "text": "Assess the requirement to use custom RBAC roles for AVD management", - "waf": "Security" + "severity": "Medium", + "subcategory": "vWAN hub", + "text": "vWAN name, hub name and address space", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "AVD users should not have permission to install application. If required, Windows Defender Application Control (WDAC) can be used to control which drivers and applications are allowed to run on their Windows clients. 
", - "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284", - "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Select either boh or the appropriate connection type.", + "guid": "51d6affd-8e02-6aea-d3d4-0baf618b3076", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-point-to-site-portal", "services": [ - "Defender", - "AVD" + "VPN", + "AVS", + "VWAN" ], "severity": "Medium", - "subcategory": "Management", - "text": "Restrict users from installing un-authorized applications", - "waf": "Security" + "subcategory": "vWAN hub", + "text": "ExR and/or VPN gateway provisioned", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "Enabling MFA and CA lets you manage risks before you grant users access to your AVD environment. When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using. Additional details and configuration procedures are provided in the companion article. 
Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).", - "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9", - "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa", + "category": "Connectivity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Add Azure firewall to vWAN (recommended)", + "guid": "e32a4c67-3dc0-c134-1c12-52d46dcbab5b", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-expressroute-portal", "services": [ - "AVD", - "Entra" + "AVS", + "Firewall", + "VWAN" ], "severity": "Medium", - "subcategory": "Microsoft Entra ID", - "text": "Evaluate the usage of Multi-Factor Authentication (MFA) and Conditional Access (CA) for AVD users", + "subcategory": "vWAN hub", + "text": "Secure vWAN", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Virtual Desktop Review", - "description": "If Zero Trust is a requirement, review the companion article in the 'More Info' column. It provides steps to apply the principles of Zero Trust to an Azure Virtual Desktop deployment.", - "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43", - "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Active directory or other identity provider servers", + "guid": "fbc47fbf-bc96-fa93-ed5d-8c9be63cd5c3", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", "services": [ - "AVD" + "Entra", + "AVS" ], "severity": "Medium", - "subcategory": "Zero Trust", - "text": "Review and Apply Zero Trust principles and guidance", + "subcategory": "Access", + "text": "External Identity (user accounts)", "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "If used, make sure to check the list of best practices and recommendations described in the referenced article.", - 
"guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6", - "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Not required for LDAPS, required for Kerberos", + "guid": "b5db7975-f6bb-8ba3-ee5f-e3e805887997", + "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", "services": [ - "Storage", - "AVD" + "Entra", + "AVS" ], "severity": "Medium", - "subcategory": "Azure Files", - "text": "Check best-practices for Azure Files", - "waf": "Performance" + "subcategory": "Access", + "text": "If using AD domain, ensure Sites & Services has been configured", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "SMB Multichannel enables clients to use multiple network connections that provide increased performance while lowering the cost of ownership. 
Increased performance is achieved through bandwidth aggregation over multiple NICs and utilizing Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.", - "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369", - "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Authentication for users, must be secure.", + "guid": "c30749c4-e2af-558c-2eb9-0b6ae84881d1", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", "services": [ - "Cost", - "Storage", - "ACR", - "AVD" + "Entra", + "AVS" ], - "severity": "Low", - "subcategory": "Azure Files", - "text": "Enable SMB multichannel when using a premium file share to host FSLogix profile containers.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Access", + "text": "Use LDAPS not ldap ( vCenter)", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "If a second region is required for DR purposes verify NetApp availability in there as well.", - "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3", - "link": "https://azure.microsoft.com/global-infrastructure/services/", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Authentication for users, must be secure.", + "guid": "64cb9b5c-9edd-787e-1dd8-2b2338e51635", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-external-identity-source-nsx-t", "services": [ - "Storage", - "AVD" + "Entra", + "AVS" ], "severity": "Medium", - "subcategory": "Azure NetApp Files", - "text": "If NetApp Files storage is required, check storage service availability in your specific region.", - "waf": "Reliability" + "subcategory": "Access", + "text": "Use LDAPS not ldap (NSX-T)", + "waf": "Security" }, { - "category": "Storage", - 
"checklist": "Azure Virtual Desktop Review", - "description": "CA option is a recommended setting in the FSLogix scenario, as it enables a more resilient SMB session between the Session Host and NetApp Files.", - "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024", - "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "CN or SAN names, no wildcards, contains private key - CER or PFX", + "guid": "bec285ab-037e-d629-81d1-f61dac23cd4c", + "link": "https://youtu.be/4jvfbsrhnEs", "services": [ - "Storage", - "AVD" + "Entra", + "AVS" ], "severity": "Medium", - "subcategory": "Azure NetApp Files", - "text": "If NetApp Files storage is used enable CA (Continuous Availability) option to increase resiliency", - "waf": "Reliability" + "subcategory": "Security", + "text": "Security certificate installed on LDAPS servers ", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "An Active Directory Site should be created for the Azure virtual network environment where Azure NetApp Files (ANF) subnet will be created, and that site name should be specified in the ANF connection property when executing the join procedure as explained in the reference article.", - "guid": "6647e977-db49-48a8-bc35-743f17499d42", - "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Standard Azure Roles Based Access Controls", + "guid": "4ba394a2-3c33-104c-8e34-2dadaba9cc73", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity", "services": [ - "Storage", - "AVD", - "VNet" + "Entra", + "RBAC", + "AVS" ], - "severity": "High", - "subcategory": "Azure NetApp Files", - "text": "If Azure NetApp Files storage is used, check 
Active Directory Site name setting in the Active Directory Connection configuration", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Security", + "text": "RBAC applied to Azure roles", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Possible options: Standard HDD, Standard SSD, or Premium SSD. Ephemeral disks are not supported, Ultra-Disks not recommended. Recommended to evaluate Premium for OS disk if user density is not low, and if Cloud Cache will be used. ", - "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c", - "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Create roles in vCenter required to meet minimum viable access guidelines", + "guid": "b04ca129-83a9-3494-7512-347dd2d766db", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity#view-the-vcenter-server-privileges", "services": [ - "Storage", - "AVD" + "Entra", + "RBAC", + "AVS" ], "severity": "Medium", - "subcategory": "Capacity Planning", - "text": "Determine which type of managed disk will be used for the Session Hosts", - "waf": "Performance" + "subcategory": "Security", + "text": "RBAC model in vCenter", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Possible options are: Azure NetApp Files, Azure Files, VM based File Server. File-server it is not recommended. Azure Files Premium typically a good starting point. NetApp usually required for large scale / high-performant environment. 
For a detailed comparison see the article in the 'More Info' column.", - "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339", - "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "guid": "8e477d2f-8004-3dd0-93d6-0aece9e1b2fb", + "link": "Best practice", "services": [ - "Storage", - "AVD", - "VM" + "Entra", + "RBAC", + "AVS" ], - "severity": "High", - "subcategory": "Capacity Planning", - "text": "Determine which storage backend solution will be used for FSLogix Profiles", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Security", + "text": "CloudAdmin role usage", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Every Host Pool should use a separate set of storage accounts/volumes (at least one) and shares. Users should have a different profile for each Host Pool since settings and configurations are specific to each Host Pool. Additionally, accessing different Host Pools at the same time can cause errors on the shared user profile VHD/X. 
Usage of different storage accounts/volumes for multiple shares is also recommended to scale independently.", - "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4", - "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "For roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "guid": "00e0b729-f9be-f600-8c32-5ec0e8f2ed63", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", "services": [ - "Storage", - "AVD" + "Entra", + "RBAC", + "AVS" ], - "severity": "High", - "subcategory": "Capacity Planning", - "text": "Do not share storage and profiles between different Host Pools", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Security ", + "text": "Is Privileged Identity Management implemented", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "As a starting point for estimating profile container storage performance requirements we recommend to assume 10 IOPS per user in the steady state and 50 IOPS per user during sign-in/sign-out. Space requirements is simply obtained based on the maximum profiles size in FSLogix per the total number of users for each Host Pool. 
Multiple storage accounts can be used for the same Host Pool if required.", - "guid": "680e7828-9c93-4665-9d02-bff4564b0d93", - "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "For the Azure VMware Solution PIM roles", + "guid": "0842d45f-41a8-8274-1155-2f6ed554d315", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", "services": [ - "Storage", - "AVD" + "Entra", + "RBAC", + "AVS" ], - "severity": "High", - "subcategory": "Capacity Planning", - "text": "Verify storage scalability limits and Host Pool requirements", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Security ", + "text": "Is Privileged Identity Management audit reporting implemented", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Avoid introducing additional latency and costs associated with cross-region network traffic where possible.", - "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e", - "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Best practice, also see Monitoring/Alerts", + "guid": "915cbcd7-0640-eb7c-4162-9f33775de559", + "link": "Best practice", "services": [ - "Cost", - "Storage", - "AVD" + "Entra", + "AVS", + "Monitor" ], - "severity": "High", - "subcategory": "Capacity Planning", - "text": "For optimal performance, the storage solution and the FSLogix profile container should be in the same Azure region.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Security ", + "text": "Limit use of CloudAdmin account to emergency access only", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure 
Virtual Desktop Review", - "description": "The recommendation in Azure Virtual Desktop is to use Profile Container without Office Container (ODFC) split unless you are planning for specific Business Continuity and Disaster Recovery (BCDR) scenarios as described in the Disaster Recovery section below. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ", - "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39", - "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers", + "category": "Identity", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Operational procedure", + "guid": "7effa0c0-9172-e8e4-726a-67dbea8be40a", + "link": "https://learn.microsoft.com/azure/azure-vmware/rotate-cloudadmin-credentials?tabs=azure-portal", "services": [ - "Storage", - "AVD", - "ASR" - ], - "severity": "High", - "subcategory": "FSLogix", - "text": "Do not use Office Containers (ODFC) if not strictly required and justified", - "waf": "Reliability" - }, - { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Make sure to configure the following antivirus exclusions for FSLogix Profile Container virtual hard drives, as documented in the referenced article in the 'More Info' column.", - "guid": "83f63047-22ee-479d-9b5c-3632054b69ba", - "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions", - "services": [ - "Storage", - "AVD" + "Entra", + "AVS" ], "severity": "Medium", - "subcategory": "FSLogix", - "text": "Configure the recommended antivirus exclusions for FSLogix (includes not scanning VHD(x) files on connect).", + "subcategory": "Security ", + "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Profile containers have a 
default max size of 30GB. If large Profile Containers are anticipated, and customers wants to try to keep them small, consider using OneDrive to host Office 365 files outside the FSLogix profile.", - "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5", - "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference", + "category": "Management", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", + "guid": "8f426fd0-d73b-d398-1f6f-df0cbe262a82", + "link": "https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview", "services": [ - "Storage", - "AVD" + "AVS", + "VM", + "Arc" ], - "severity": "High", - "subcategory": "FSLogix", - "text": "Review and confirm configured maximum profile size in FSLogix", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Operations", + "text": "AVS VM Management (Azure Arc)", + "waf": "Operations" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Defaults and recommended settings are reported in the companion article in the 'More Info' column. 
If not recommended keys and/or values must be used, be sure to review with a Microsoft AVD expert and clearly document your choices.", - "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c", - "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples", + "category": "Management", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "guid": "11dbe773-e380-9191-1418-e886fa7a6fd0", + "link": "https://docs.microsoft.com/azure/governance/policy/overview", "services": [ - "Storage", - "ACR", - "AKV", - "AVD" + "AVS", + "AzurePolicy", + "Monitor" ], - "severity": "High", - "subcategory": "FSLogix", - "text": "Review FSLogix registry keys and determine which ones to apply", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Operations", + "text": "Azure policy", + "waf": "Operations" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Concurrent or multiple connections are not recommended in Azure Virtual Desktop. Concurrent connections are also not supported by Session Hosts running in an Azure Virtual Desktop Host Pool. OneDrive, if used, doesn't support concurrent or multiple connections using the same container, under any circumstance. 
For multiple connections, usage of the same profile disk is not recommended.", - "guid": "5e985b85-9c77-43e7-b261-623b775a917e", - "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections", + "category": "Management", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", + "guid": "1e59c639-9b7e-a60b-5e93-3798c1aff5db", + "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json#configure-locks", "services": [ - "Storage", - "AVD" + "AVS" ], - "severity": "High", - "subcategory": "FSLogix", - "text": "Avoid usage of concurrent or multiple connections", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Operations", + "text": "Resource locks", + "waf": "Operations" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "Cloud Cache uses OS drive as local cache storage and may generate lot of pressure on the VM disk. Depending on the VM SKU and size used, the VM temporary drive can be a viable and performant solution where to relocate Cloud Cache cached content. Before adopting this solution, tests should be executed to confirm performance and stability. More details on Cloud Cache can be found here: https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache. 
", - "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b", - "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference", + "category": "Management", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "For manual deployments, all configuration and deployments must be documented", + "guid": "8f2c46aa-ca1b-cad3-3ac9-213dfc0a265e", + "link": "Make sure to create your own runbook on the deployment of AVS.", "services": [ - "Storage", - "AVD", - "VM" + "AVS" ], - "severity": "Low", - "subcategory": "FSLogix", - "text": "If FSLogix Cloud Cache is used, consider moving the cache directory to the VM temporary drive.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Operations", + "text": "Run books", + "waf": "Operations" }, { - "category": "Storage", - "checklist": "Azure Virtual Desktop Review", - "description": "REDIRECTION.XML file is used to control what folders are redirected out of the profile container to the 'C:' drive. Exclusions should be the exception and should never be used unless the specific exclusion is completely understood by the person configuring the exclusion. Exclusions should always be fully tested in the environment where they are intended to be implemented. 
Configuring exclusions may impact functionality, stability and performance.", - "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de", - "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml", + "category": "Management", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", + "guid": "86b314f9-1f1e-317a-4dfb-cf510ad4a030", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", "services": [ - "Storage", - "AVD" + "AKV", + "AVS" ], "severity": "Medium", - "subcategory": "FSLogix", - "text": "Review the usage of FSLogix redirection.", - "waf": "Cost" - }, - { - "category": "BC and DR", - "checklist": "Container Apps Review", - "guid": "af416482-663c-4ed6-b195-b44c7068e09c", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", - "service": "Container Apps", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Container Apps Review", - "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", - "service": "Container Apps", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Use more than one replica and enable Zone Redundancy.", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Container Apps Review", - "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", - "link": 
"https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", - "waf": "Reliability" + "subcategory": "Operations", + "text": "Naming conventions for auth keys", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Container Apps Review", - "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "For automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "guid": "e22a2d99-eb71-7d7c-07af-6d4cdb1d4443", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", "services": [ - "FrontDoor", - "TrafficManager" + "AVS", + "Monitor" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Use Front Door or Traffic Manager to route traffic to the closest region", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Select the right Function hosting plan based on your business & SLO requirements", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": 
"a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", - "services": [], "severity": "Medium", - "subcategory": "High Availability", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "subcategory": "Alerts", + "text": "Create warning alerts for critical thresholds ", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", + "guid": "6d02f159-627d-79bf-a931-fab6d947eda2", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", "services": [ - "AppSvc" + "AVS", + "Monitor" ], - "severity": "High", - "subcategory": "High Availability", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Alerts", + "text": "Create critical alert vSAN consumption", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure 
Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Provides platform alerts (generated by Microsoft)", + "guid": "1cc97b39-2c7e-246f-6d73-789cfebfe951", + "link": "https://www.virtualworkloads.com/2021/04/azure-vmware-solution-azure-service-health/", "services": [ - "AppSvc" + "AVS", + "Monitor" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Alerts", + "text": "Configured for Azure Service Health alerts and notifications", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", + "guid": "0962606c-e3b4-62a9-5661-e4ffd62a4509", + "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", "services": [ - "Storage" + "Backup", + "AVS", + "VM", + "AzurePolicy", + "Monitor" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Pair a Function App to its own storage account. 
Try not to re-use storage accounts for Function Apps unless they are tightly coupled", - "waf": "Reliability" + "subcategory": "Backup", + "text": "Backup policy", + "waf": "Operations" }, { - "category": "Application Deployment", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", - "services": [], + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Keep in mind the lead time for requesting new nodes", + "guid": "4ec7ccfb-795e-897e-4a84-fd31c04eadc6", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", + "services": [ + "AVS", + "AzurePolicy", + "Monitor" + ], "severity": "Medium", - "subcategory": "CI/CD", - "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", + "subcategory": "Capacity", + "text": "Policy around ESXi host density and efficiency", "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "WAF checklist", - "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Azure Cost Management can be used - one option, put AVS in it's own Subscription. 
", + "guid": "7f8f175d-13f4-5298-9e61-0bc7e9fcc279", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/govern", "services": [ - "WAF" + "AVS", + "Cost", + "Subscriptions", + "Monitor" ], - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Costs", + "text": "Ensure a good cost management process is in place for Azure VMware Solution - ", + "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "WAF checklist", - "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", - "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", - "service": "Device Update for IoT Hub", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Create dashboards to enable core Azure VMware Solution monitoring insights", + "guid": "01e689e0-7c6c-b58f-37bd-4d6b9b1b9c74", + "link": "https://docs.microsoft.com/azure/azure-portal/azure-portal-dashboards", "services": [ - "WAF" + "Monitor", + "AVS", + "NetworkWatcher" ], - "severity": "High", - "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Dashboard", + "text": "Connection monitor dashboard", + "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "WAF checklist", - "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Device Update for IoT Hub", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Send to an Azure Storage account or Azure EventHub for processing (direct to Log Analytics is pending)", + "guid": "f9afdcc9-649d-d840-9fb5-a3c0edcc697d", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", "services": [ - "WAF" + "AVS", + "Storage", + "Monitor" ], - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Logs & Metrics", + "text": "Configure Azure VMware Solution logging ", + "waf": "Operations" }, { - "arm-service": "Microsoft.Devices/deviceUpdateServices", - "checklist": "WAF checklist", - "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Device Update for IoT Hub", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Must be on-premises, implement if available", + "guid": "7cbac8c3-4eda-d5d9-9bda-c6b5abba9fb6", + "link": "Is vROPS or vRealize Network Insight going to be used? 
", "services": [ - "WAF", - "AppSvc" + "AVS", + "Monitor" ], - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Logs & Metrics", + "text": "vRealize Operations", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "guid": "b243521a-644d-f865-7fb6-21f9019c0dd2", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", "services": [ - "WAF", - "Entra" + "AVS", + "VM", + "Monitor" ], "severity": "Medium", - "text": "Use one Entra tenant for managing your Azure resources, unless you have a clear regulatory or business requirement for multi-tenants.", + "subcategory": "Logs & Metrics", + "text": "AVS VM logging", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Between on-premises to Azure are monitored using 'connection monitor'", + "guid": "2ca97d91-dd36-7229-b668-01036ccc3cd3", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", "services": [ - "WAF", - "Entra" + "NetworkWatcher", + "AVS", + "VPN", + "Monitor", + "ExpressRoute" ], - "severity": "Low", - "text": "Use Multi-Tenant Automation approach to 
managing your Microsoft Entra ID Tenants.", + "severity": "Medium", + "subcategory": "Network", + "text": "Monitor ExpressRoute and/or VPN connections ", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "To monitor the Azure VMware Solution back-end ExpressRoute connection (Azure native to AVS)", + "guid": "99209143-60fe-19f0-5633-8b5671277ba5", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", "services": [ - "WAF" + "AVS", + "ExpressRoute", + "Monitor" ], - "severity": "High", - "text": "Use Azure Lighthouse for Multi-Tenant Management with the same IDs.", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", + "severity": "Medium", + "subcategory": "Network", + "text": "Monitor from an Azure native resource to an Azure VMware Solution VM", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "To monitor end-to-end, on-premises to AVS workloads", + "guid": "b9e5867c-57d3-036f-fb1b-3f0a71664efe", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", "services": [ - "WAF" + "AVS", + "Monitor" ], - "severity": "High", - "text": "If you give a partner access to administer your tenant, use Azure Lighthouse.", - "waf": "Cost" + "severity": "Medium", + 
"subcategory": "Network", + "text": "Monitor from an on-premises resource to an Azure VMware Solution VM", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Track requests to Azure VMware Solution and Azure VMware Solution based workloads", + "guid": "4af7c5f7-e5e9-bedf-a8cf-314b81735962", + "link": "Firewall logging and alerting rules are configured (Azure Firewall or 3rd party)", "services": [ - "RBAC", - "ACR", - "WAF", - "Subscriptions" + "AVS", + "Monitor" ], - "severity": "High", - "text": "Enforce a RBAC model that aligns to your cloud operating model. Scope and Assign across Management Groups and Subscriptions.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Security", + "text": "Auditing and logging is implemented for inbound internet ", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", + "guid": "74be60a3-cfac-f057-eda6-3ee087e805d5", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", "services": [ - "WAF" + "AVS", + "Monitor" ], - "severity": "High", - "text": "Only use 
the authentication type Work or school account for all account types. Avoid using the Microsoft account", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Security", + "text": "Session monitoring ", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Enable Diagnostic and metric logging on Azure VMware Solution", + "guid": "a434b3b5-f258-0845-cd76-d7df6ef5890e", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", "services": [ - "WAF", - "Entra" + "AVS", + "Monitor" ], "severity": "Medium", - "text": "Only use groups to assign permissions. Add on-premises groups to the Entra ID only group if a group management system is already in place.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "subcategory": "VMWare", + "text": "Logging and diagnostics", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", - "services": [ - "AzurePolicy", - "WAF", - "Entra" + "category": "Monitoring", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Monitor AVS workloads (each VM in AVS)", + "guid": "fb00b69a-83ec-ce72-446e-6c23a0cab09a", + "link": "https://docs.microsoft.com/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard", + "services": [ + "AVS", + "VM", + "Monitor" ], - "severity": "High", - "text": "Enforce Microsoft Entra ID Conditional Access policies for any user 
with rights to Azure environments.", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "severity": "Medium", + "subcategory": "VMware", + "text": "Log Analytics Agents deployed on Azure VMware Solution guest VM workloads", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision on traffic flow", + "guid": "a1354b87-e18e-bf5c-c50b-8ddf0540e971", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke", "services": [ - "WAF" + "AVS" ], - "severity": "High", - "text": "Enforce multi-factor authentication for any user with rights to the Azure environments.", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "severity": "Medium", + "subcategory": "Hub & Spoke", + "text": "North/South routing through Az Firewall or 3rd party ", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", + "guid": "29a8a499-ec31-f336-3266-0895f035e379", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke", "services": [ - "WAF", - "Entra" + "AVS" ], "severity": "Medium", - "text": "Enforce Microsoft Entra ID Privileged Identity Management (PIM) to establish zero standing access and least privilege.", - "training": 
"https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "subcategory": "Hub & Spoke", + "text": "East West (Internal to Azure)", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview", - "service": "Entra", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Requires a 3rd party NVA with Azure Route server - Scenario 2 (see link)", + "guid": "ebd3cc3c-ac3d-4293-950d-cecd8445a523", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", "services": [ - "WAF", - "Entra" + "ARS", + "AVS", + "NVA" ], "severity": "Medium", - "text": "If planning to switch from Active Directory Domain Services to Entra domain services, evaluate the compatibility of all workloads.", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Security" + "subcategory": "Hub & Spoke", + "text": "ExR without Global Reach", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When route server is used, ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN", + "guid": "ffb5c5ca-bd89-ff1b-8b73-8a54d503d506", + "link": "https://learn.microsoft.com/azure/route-server/route-server-faq", "services": [ - "Monitor", - "WAF", - "Entra" + "ARS", + "AVS" ], "severity": "Medium", - "text": "Integrate Microsoft Entra ID logs with the platform-central Azure Monitor. 
Azure Monitor allows for a single source of truth around log and monitoring data in Azure, giving organizations a cloud native options to meet requirements around log collection and retention.", - "waf": "Security" + "subcategory": "Hub & Spoke", + "text": "Route server ", + "waf": "Operations" }, { - "ammp": true, - "checklist": "WAF checklist", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Via on-premises, Az Firewall, 3rd Party, NSX-T pubic IP", + "guid": "a4070dad-3def-818d-e9f7-be440d10e7de", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-design-public-internet-access", "services": [ - "WAF" + "AVS" ], - "severity": "High", - "text": "Implement an emergency access or break-glass accounts to prevent tenant-wide account lockout.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "severity": "Medium", + "subcategory": "Internet", + "text": "Egress point(s)", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Az Firewall, 3rd party NVA, Application Gateway, Azure Frontdoor ", + "guid": "e942c03d-beaa-3d9f-0526-9b26cd5e9937", + "link": "Research and choose optimal solution for each application", "services": [ - "RBAC", - "WAF", - "Entra" + "AVS", + "AppGW", + "NVA", + "FrontDoor" ], "severity": "Medium", - "text": "Do not use on-premises synced accounts for Microsoft Entra ID role assignments, unless you have a scenario that specifically requires it.", - "training": 
"https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "subcategory": "Internet", + "text": "Internet facing applications", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN", + "guid": "e778a2ec-b4d7-1d27-574c-14476b167d37", + "link": "https://docs.microsoft.com/azure/route-server/route-server-faq#route-server-limits", "services": [ - "WAF", - "Entra" + "ARS", + "AVS" ], "severity": "Medium", - "text": "When using Microsoft Entra ID Application Proxy to give remote users access to applications, manage it as a Platform resource as you can only have one instance per tenant.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "subcategory": "Routing", + "text": "When route server Route limit understood? 
", "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "(VPN Gateway, AppGW, FrontDoor, Load balancer, VMs (etc) (Remove: enabled on ExR/VPN Gateway subnet in Azure)", + "guid": "66c97b30-81b9-139a-cc76-dd1d94aef42a", + "link": "https://docs.microsoft.com/azure/ddos-protection/manage-ddos-protection", "services": [ - "WAF", + "AppGW", + "DDoS", + "AVS", + "VM", + "VPN", + "LoadBalancer", + "FrontDoor", + "ExpressRoute", "VNet" ], "severity": "Medium", - "text": "Use a hub-and-spoke network topology for network scenarios that require maximum flexibility.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "subcategory": "Security", + "text": "Is DDoS standard protection of public facing IP addresses? 
", "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", - "service": "VNet", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "To manage Azure VMware Solution, vCenter, NSX manager and HCX manager", + "guid": "d43da920-4ecc-a4e9-dd45-a2986ce81d32", + "link": "Best practice: Bastion or 3rd party tool", "services": [ - "DNS", - "ExpressRoute", - "VPN", - "NVA", - "VNet", - "Entra", - "WAF", - "Firewall" + "AVS" ], - "severity": "High", - "text": "Deploy shared networking services, including ExpressRoute gateways, VPN gateways, and Azure Firewall or partner NVAs in the central-hub virtual network. If necessary, also deploy DNS services.", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Security", + "text": "Use a dedicated privileged access workstation (PAW)", + "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use NSX-T for inter-vmware-traffic inspection", + "guid": "a2dac74f-5380-6e39-25e6-f13b99ece51f", + "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-F6685367-7AA1-4771-927E-ED77727CFDA3.html", "services": [ - "DDoS", - "WAF" + "AVS" ], - "severity": "High", - "text": "Use a DDoS Network or IP protection plan for all public IP addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "severity": "Medium", + 
"subcategory": "Traffic Inspection", + "text": "East West (Internal to AVS)", "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision on whether or not to use Secure hub for E/W and Internet traffic - requires Global Reach", + "guid": "3f621543-dfac-c471-54a6-7b2849b6909a", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", "services": [ - "WAF", - "NVA" + "AVS", + "Firewall", + "VWAN" ], "severity": "Medium", - "text": "When deploying partner networking technologies or NVAs, follow the partner vendor's guidance.", - "waf": "Reliability" + "subcategory": "Virtual WAN", + "text": "Use Secure Hub (Azure Firewall or 3rd party)", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", + "category": "Networking", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", + "guid": "d7af5670-1b39-d95d-6da2-8d660dfbe16b", + "link": "https://learn.microsoft.com/azure/firewall-manager/secure-cloud-network", "services": [ - "VPN", - "ExpressRoute", - "WAF", - "ARS" + "AVS", + "VWAN" ], - "severity": "Low", - "text": "If you need transit between ExpressRoute and VPN gateways in hub and spoke scenarios, use Azure Route Server.", + "severity": "Medium", + "subcategory": 
"Virtual WAN", + "text": "East West (Internal to Azure)", "waf": "Security" }, { - "arm-service": "Microsoft.Network/virtualHubs", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "guid": "7d049005-eb35-4a93-50a5-3b31a9f61161", + "link": "https://docs.microsoft.com/azure/azure-vmware/configure-nsx-network-components-azure-portal", "services": [ - "WAF", - "ARS", - "VNet" + "AVS", + "Subscriptions" ], - "severity": "Low", - "text": "If using Route Server, use a /27 prefix for the Route Server subnet.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Automated Scale", + "text": "Scale out operations planning", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When intending to use automated scale-in, be sure 
to take storage policy requirements into account before performing such action", + "guid": "7242c1de-da37-27f3-1ddd-565ccccb8ece", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale", "services": [ - "ACR", - "WAF", - "VNet" + "AVS", + "AzurePolicy", + "Storage" ], "severity": "Medium", - "text": "For network architectures with multiple hub-and-spoke topologies across Azure regions, use global virtual network peerings between the hub VNets to connect the regions to each other.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "subcategory": "Automated Scale", + "text": "Scale in operations planning", "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "guid": "3233e49e-62ce-97f3-8737-8230e771b694", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale", "services": [ - "Monitor", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Use Azure Monitor for Networks to monitor the end-to-end state of the networks on Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Operations" + "subcategory": "Automated Scale", + "text": "Scale serialized operations planning", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF 
checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "guid": "68161d66-5707-319b-e77d-9217da892593", + "link": "Best practice (testing)", "services": [ - "ExpressRoute", - "WAF", - "VNet" + "AVS" ], "severity": "Medium", - "text": "If you have more than 400 spoke networks in a region, deploy an additional hub to bypass VNet peering limits (500) and the maximum number of prefixes that can be advertised via ExpressRoute (1000).", - "waf": "Reliability" + "subcategory": "Automated Scale", + "text": "Scale rd operations planning", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Define and enforce scale in/out maximum limits for your 
environment in the automations", + "guid": "c32cb953-e860-f204-957a-c79d61202669", + "link": "Operational planning - understand workload requirements", "services": [ - "Storage", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Limit the number of routes per route table to 400.", - "waf": "Reliability" + "subcategory": "Automated Scale", + "text": "Scale maximum operations planning", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "guid": "7bd65a5e-7b5d-652d-dbea-fc6f73a42857", + "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-management-and-monitoring", "services": [ - "WAF", - "VNet" + "AVS", + "Monitor" ], - "severity": "High", - "text": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Automated Scale", + "text": "Monitor scaling operations ", + "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", + "category": 
"Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Consider the use of Azure Private-Link when using other Azure Native Services", + "guid": "95e374af-8a2a-2672-7ab7-b4a1be43ada7", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", "services": [ - "ExpressRoute", - "WAF" + "PrivateLink", + "AVS" ], "severity": "Medium", - "text": "When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at the layer-two level between the organization's routers and MSEE. The diagram shows this encryption in flow.", - "waf": "Security" + "subcategory": "Networking", + "text": "Private link", + "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", - "service": "ExpressRoute", + "category": "Other Services/Operations", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "guid": "71eff90d-5ad7-ac60-6244-2a6f7d3c51f2", + "link": "Best practice", "services": [ - "VPN", - "ExpressRoute", - "WAF" + "AVS" ], "severity": "Medium", - "text": "For scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a VPN gateway to establish IPsec tunnels over ExpressRoute private peering.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Security" + "subcategory": "Networking", + "text": "Provisioning Vmware VLANs", + "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "In which region will AVS be deployed", + "guid": "04e3a2f9-83b7-968a-1044-2811811a924b", + "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", "services": [ - "ACR", - "WAF" + "AVS" ], - "severity": "High", - "text": "Ensure no overlapping IP address spaces across Azure regions and on-premises locations are used.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Region selected", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Are there regulatory or compliance policies in play", + "guid": "e52d1615-9cc6-565c-deb6-743ed7e90f4b", + "link": "Internal policy or regulatory compliance", "services": [ - "WAF" + "AVS", + "AzurePolicy" ], "severity": "Medium", - "text": "Use IP addresses from the 
address allocation ranges for private internets (RFC 1918).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "Data residency compliant with selected regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Request through the support blade", + "guid": "92bd5ad6-441f-a983-7aa9-05dd669d760b", + "link": "https://learn.microsoft.com/azure/migrate/concepts-azure-vmware-solution-assessment-calculation", "services": [ - "WAF", - "VNet" + "AVS" ], - "severity": "High", - "text": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Request for number of AVS hosts submitted ", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": 
"https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "PG approval for deployment", + "guid": "28370f63-1cb8-2e35-907f-c5516b6954fa", + "link": "Support request through portal or get help from Account Team", "services": [ - "WAF", - "ASR" + "AVS" ], - "severity": "High", - "text": "Do not use overlapping IP address ranges for production and disaster recovery sites.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Region and number of AVS nodes approved", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "WAF checklist", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Portal/subscription/resource providers/ Microsoft.AVS", + "guid": "96c76997-30a6-bb92-024d-f4f93f5f57fa", + "link": "Done through the subscription/resource providers/ AVS register in the portal", "services": [ - "DNS", - "WAF" + "AVS", + "Subscriptions" ], "severity": "Medium", - "text": "For environments where name resolution in Azure is all that's required, use Azure Private DNS for resolution with a delegated zone for name resolution (such as 'azure.contoso.com').", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operations" + "subcategory": "Pre-deployment", + "text": "Resource provider for AVS registered", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "WAF checklist", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": 
"https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Connectivity, subscription & governanace model", + "guid": "5898e3ff-5e6b-bee1-6f85-22fee261ce63", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/enterprise-scale-landing-zone", "services": [ - "DNS", - "ACR", - "WAF" + "AVS", + "Subscriptions" ], "severity": "Medium", - "text": "For environments where name resolution across Azure and on-premises is required and there is no existing enterprise DNS service like Active Directory, use Azure DNS Private Resolver to route DNS requests to Azure or to on-premises DNS servers.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "Landing zone architecture", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "WAF checklist", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "The name of the RG where AVS will exist", + "guid": "d0181fb8-9cb8-bf4b-f5e5-b5f9bf7ae4ea", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal", "services": [ - "DNS", - "WAF" + "AVS" ], - "severity": "Low", - "text": "Special workloads that require and deploy their own DNS (such as Red Hat OpenShift) should use their preferred DNS solution.", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Resource group name selected", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "WAF 
checklist", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Each resource created as part of the deployment will also utilize this prefix in the name", + "guid": "0f0d20c2-5a19-726c-de20-0984e070d9d6", + "link": "Best practice - naming standards", "services": [ - "DNS", - "WAF", - "VNet", - "VM" + "AVS" ], - "severity": "High", - "text": "Enable auto-registration for Azure DNS to automatically manage the lifecycle of the DNS records for the virtual machines deployed within a virtual network.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Deployment prefix selected", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "WAF checklist", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "/22 unique non-overlapping IPv4 address space", + "guid": "7fbf2ab7-a36c-5957-c27a-67038557af2a", + "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-network-checklist#routing-and-subnet-considerations", "services": [ - "Bastion", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Use Azure Bastion to securely connect to your network.", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "Network space for AVS management layer", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | 
project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "vNets used by workloads running in AVS (non-stretched)", + "guid": "0c87f999-e517-21ef-f355-f210ad4134d2", + "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-4B3860B8-1883-48CA-B2F3-7C2205D91D6D.html", "services": [ - "Bastion", - "WAF", + "AVS", "VNet" ], "severity": "Medium", - "text": "Use Azure Bastion in a subnet /26 or larger.", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "Network space for AVS NSX-T segments", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "WAF checklist", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Choose AV36, AV36P, AV52, AV36T (AV36T = Trial)", + "guid": "946c8966-f902-6f53-4f37-00847e8895c2", + "link": "https://azure.microsoft.com/pricing/details/azure-vmware/", "services": [ - "AzurePolicy", - "ACR", - "WAF", - "FrontDoor" + "AVS" ], "severity": "Medium", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "subcategory": "Pre-deployment", + "text": "AVS SKU (region dependent)", + 
"waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "WAF checklist", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "services": [ - "AzurePolicy", - "AppGW", - "WAF", - "FrontDoor" + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use the Azure migration assessment tool to determine the minimum number of nodes required (consider BCDR as well)", + "guid": "31833808-26ba-9c31-416f-d54a89a17f5d", + "link": "https://learn.microsoft.com/azure/migrate/how-to-assess", + "services": [ + "AVS" ], - "severity": "Low", - "text": "When using Azure Front Door and Azure Application Gateway to help protect HTTP/S apps, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Number of hosts to be deployed", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "WAF checklist", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Understand how and if you should be using reserved instances (cost control)", + "guid": "f2b73c4f-3d46-32c9-5df1-5b8dfcd3947f", + "link": "https://azure.microsoft.com/en-ca/pricing/details/azure-vmware/#:~:text=Azure%20VMware%20Solution%20%20%20%20Instance%20size,TB%20%28all%20NVMe%29%20%20%20N%2FA%20%2Fhour%20", "services": [ - "WAF", - "VNet" + "AVS", + "Cost" ], - "severity": "High", - "text": "When WAFs and other 
reverse proxies are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network and together with the apps that they're protecting and exposing to the internet.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Reserverd Instances", + "waf": "Cost" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", + "guid": "94ac48ab-ade5-3fa7-f800-263feeb97070", + "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", "services": [ - "DDoS", - "WAF", - "VNet" + "AVS", + "ASR" ], - "severity": "High", - "text": "Use Azure DDoS Network or IP Protection plans to help protect Public IP Addresses endpoints within the virtual networks.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Capacity ", + "waf": "Performance" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Identify which of the networking scenarios make ", + "guid": "1f9d4bd5-14b8-928c-b4cb-eb211f9b8de5", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", "services": [ - "WAF" + "AVS" ], - "severity": "High", - "text": "Plan for how to manage your network outbound traffic configuration and strategy before the upcoming breaking change. On September 30, 2025, default outbound access for new deployments will be retired and only explicit access configurations will be allowed.", + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "Networking & Connectivity See docs describing scenrario 1 through 5", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "category": "Planning", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", + "guid": "070db19b-8a2a-fd6a-c39b-4488d8780da9", + "link": "Please Check Partner Ecosystem", "services": [ - "DDoS", - "WAF" + "AVS" ], - "severity": "High", - "text": "Add diagnostic settings to save DDoS related logs for all the protected public IP addresses (DDoS IP or Network Protection).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Pre-deployment", + "text": "3rd party application compatibility ", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Policy", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": 
"When in-guest encryption is used, store encryption keys in Azure Key vault when possible", + "guid": "70cfbddc-d3d4-9188-77c8-1cabaefef646", + "link": "General recommendation for storing encryption keys.", "services": [ - "AzurePolicy", - "WAF", - "VM" + "AKV", + "AVS" ], - "severity": "High", - "text": "Ensure there is a policy assignment to deny Public IP addresses directly tied to Virtual Machines. Use exclusions if public IPs are needed on specific VMs.", + "severity": "Medium", + "subcategory": "Encryption", + "text": "Use Azure Key Vault with in-guest encryption ", "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", + "guid": "c1a81638-18df-0ce9-a73a-4b9a8a8dd392", + "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#data-at-rest-encryption", "services": [ - "VPN", - "ExpressRoute", - "WAF", - "Backup" + "AVS", + "SQL" ], "severity": "Medium", - "text": "Use ExpressRoute as the primary connection to Azure. 
Use VPNs as a source of backup connectivity.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Encryption", + "text": "Use in-guest encryption", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "description": "You can use AS-path prepending and connection weights to influence traffic from Azure to on-premises, and the full range of BGP attributes in your own routers to influence traffic from on-premises to Azure.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", + "guid": "8d0a8f51-8d35-19cd-c2fe-4e3512fb467e", + "link": "https://docs.microsoft.com/azure/key-vault/general/authentication", "services": [ - "ExpressRoute", - "WAF" + "AKV", + "AVS", + "ExpressRoute" ], "severity": "Medium", - "text": "When you use multiple ExpressRoute circuits or multiple on-prem locations, use BGP attributes to optimize routing.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "Encryption", + "text": "Keyvault use for secrets", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, 
subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Older OS security patching configured for workloads running on Azure VMware Solution are eligible for ESU", + "guid": "4f8b20e9-a2a1-f80f-af9b-8aa3b26dca08", + "link": "https://docs.microsoft.com/windows-server/get-started/extended-security-updates-deploy", "services": [ - "VPN", - "ExpressRoute", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Select the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Extended support", + "text": "Ensure extended security update support ", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Use a SIEM/SOAR", + "guid": "9bb22fec-4d00-3b95-7136-e225d0f5c63a", + "link": "https://learn.microsoft.com/azure/sentinel/overview", "services": [ - "Cost", - "ExpressRoute", - "WAF" + "Sentinel", + "AVS" ], - "severity": "High", - "text": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost.", - "waf": "Cost" + 
"severity": "Medium", + "subcategory": "Investigation", + "text": "Enable Azure Sentinel or 3rd party SIEM ", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "MS Defender For Cloud, for workloads running on Azure VMware Solution", + "guid": "f42b0b09-c591-238a-1580-2de3c485ebd2", + "link": "https://learn.microsoft.com/azure/azure-vmware/azure-security-integration#prerequisites", "services": [ - "Cost", - "ExpressRoute", - "WAF" + "AVS", + "Defender" ], - "severity": "High", - "text": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuit peering location supports your Azure regions for the Local SKU.", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Security", + "text": "Enable Advanced Threat Detection ", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 
'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Are the applicable policies enabled (compliance baselines added to MDfC)", + "guid": "bcdd2348-3d0e-c6bb-1092-aa4cd1a66d6b", + "link": "https://docs.microsoft.com/azure/azure-vmware/azure-security-integration", "services": [ - "ExpressRoute", - "WAF" + "AVS", + "AzurePolicy" ], "severity": "Medium", - "text": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "Security", + "text": "Policy & Regulatory Compliance", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Azure to Azure (E/W), Azure to On-premises), AVS to Internet, AVS to Azure", + "guid": "607c1ca9-da92-ae19-5a4c-eb1e876acbe7", + "link": "https://techcommunity.microsoft.com/t5/azure-migration-and/firewall-integration-in-azure-vmware-solution/ba-p/2254961#:~:text=Azure%20VMware%20Solution%20customers%20have%20multiple%20security%20options,the%20box%20to%20provide%20East-West%20and%20North-South%20firewalling.", "services": [ - "ExpressRoute", - "WAF" + "AVS" ], "severity": "Medium", - "text": "For scenarios that require bandwidth higher than 10 Gbps or dedicated 10/100-Gbps ports, use ExpressRoute Direct.", - "training": 
"https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Firewalls", + "text": "Azure / 3rd party firewall", + "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "To allow HCX appliance to connect/sync", + "guid": "1d87925c-c02b-7fde-a425-7e95ad846a27", + "link": "https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-networking-security/GUID-2CFE1654-9CC9-4EDB-A625-21317299E559.html", "services": [ - "ExpressRoute", - "WAF" + "AVS" ], "severity": "Medium", - "text": "When low latency is required, or throughput from on-premises to Azure must be greater than 10 Gbps, enable FastPath to bypass the ExpressRoute gateway from the data path.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Firewalls", + "text": "Firewalls allow for East/West traffic inside AVS", + "waf": "Security" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Decision on which tool to use (SRM requires additional license - enables automation & other features)", + "guid": 
"468b3495-2f6e-b65a-38ef-3ba631bcaa46", + "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-B842696B-89EF-4183-9C73-B77157F56055.html", "services": [ - "VPN", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "subcategory": "Networking", + "text": "HCX and/or SRM", "waf": "Reliability" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "WAF checklist", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Read up on requirements for Service Mesh requirements and how HCX ", + "guid": "be2ced52-da08-d366-cf7c-044c19e29509", + "link": "https://docs.vmware.com/en/VMware-HCX/4.6/hcx-user-guide/GUID-76BCD059-A31A-4041-9105-ACFB56213E7C.html", "services": [ - "VPN", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Use redundant VPN appliances on-premises (active/active or active/passive).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "subcategory": "Networking", + "text": "Configuring and Managing the HCX Interconnect", "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "If you are planning on using stretch networks ensure that your on-premises environment requirements", + "guid": "7dcac579-fc5c-5c9c-f1f7-9b1149ff2c37", + "link": 
"https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-DBDB4D1B-60B6-4D16-936B-4AC632606909.html", "services": [ - "Cost", - "ExpressRoute", - "WAF" + "AVS" ], - "severity": "High", - "text": "If using ExpressRoute Direct, consider using ExpressRoute Local circuits to the local Azure regions to save costs.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Networking", + "text": "Restrictions and limitations for network extensions", + "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Do workloads require MoN?", + "guid": "cf45c0b9-6c4b-3bfb-86c5-62fe54061c73", + "link": "https://learn.microsoft.com/azure/azure-vmware/vmware-hcx-mon-guidance", "services": [ - "ExpressRoute", - "WAF" + "AVS" ], "severity": "Medium", - "text": "When traffic isolation or dedicated bandwidth is required, such as for separating production and nonproduction environments, use different ExpressRoute circuits. 
It will help you ensure isolated routing domains and alleviate noisy-neighbor risks.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Security" + "subcategory": "Networking", + "text": "Mobility optimized networking", + "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Operating system level of Vmware environment", + "guid": "b7cf11f3-b12e-5189-991a-06df5250d2ca", + "link": "https://learn.microsoft.com/azure/site-recovery/vmware-physical-azure-support-matrix", "services": [ - "ExpressRoute", - "WAF", - "Monitor" + "AVS" ], "severity": "Medium", - "text": "Monitor ExpressRoute availability and utilization using built-in Express Route Insights.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "subcategory": "On-premises pre-requisites", + "text": "Support matrix (OS versions etc).", "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Required that all switches are dynamic", + "guid": "45fe9252-aa1b-4e30-45c6-bc02f3b76acf", + "link": 
"https://docs.vmware.com/en/VMware-vSphere/7.0/vsan-network-design-guide/GUID-91E1CD6F-33A6-4AC6-BC22-3E4807296F86.html#:~:text=Migrate%20Management%20Network%201%20Add%20hosts%20to%20the,each%20host.%20...%204%20Finish%20the%20configuration.%20", "services": [ - "Monitor", - "ACR", - "WAF", - "NetworkWatcher" + "AVS" ], "severity": "Medium", - "text": "Use Connection Monitor for connectivity monitoring across the network, especially between on-premises and Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "subcategory": "On-premises pre-requisites", + "text": "Standard switches converted to dynamic switches", "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "See sections on sizing and capacity in the link.", + "guid": "e9f6d736-ee44-e2ac-e7f9-e361f8c857f3", + "link": "https://learn.microsoft.com/azure/azure-vmware/plan-private-cloud-deployment", "services": [ - "ExpressRoute", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Use ExpressRoute 
circuits from different peering locations for redundancy.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "On-premises pre-requisites", + "text": "Capacity for HCX appliance", + "waf": "Performance" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Check hardware restrictions to ensure compatibility with AVS/OS ", + "guid": "1be2cdd6-15a7-9a33-aea7-113859035ce9", + "link": "https://kb.vmware.com/s/article/2007240#:~:text=ESXi%2FESX%20hosts%20and%20compatible%20virtual%20machine%20hardware%20versions,%20Not%20Supported%20%204%20more%20rows", "services": [ - "VPN", - "ExpressRoute", - "WAF" + "AVS" ], "severity": "Medium", - "text": "Use site-to-site VPN as failover of ExpressRoute, if only using a single ExpressRoute circuit.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": 
"https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", - "services": [ - "Storage", - "WAF", - "VNet" - ], - "severity": "High", - "text": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated.", - "waf": "Reliability" + "subcategory": "On-premises pre-requisites", + "text": "Hardware compatibility", + "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Need to be converted", + "guid": "16ab821a-27c6-b6d3-6042-10dc4d6dfcb7", + "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-01D3CF47-A84A-4988-8103-A0487D6441AA.html", "services": [ - "ExpressRoute", - "ACR", - "WAF" + "AVS", + "Storage" ], - "severity": "High", - "text": "If using ExpressRoute, your on-premises routing should be dynamic: in the event of a connection failure it should converge to the remaining connection of the circuit. 
Load should be shared across both connections ideally as active/active, although active/passive is supported too.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Storage", + "text": "VSAN RDM disks are converted - not supported.", + "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Need to be converted", + "guid": "eb2f9313-afb2-ab35-aa24-6d97a3cb0611", + "link": "3rd-Party tools", "services": [ - "ExpressRoute", - "WAF" + "AVS", + "VM", + "Storage" ], "severity": "Medium", - "text": "Ensure the two physical links of your ExpressRoute circuit are connected to two distinct edge devices in your network.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "subcategory": "Storage", + "text": "VM with SCSI shared bus are not supported", + "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Remove Direct IO before migration", + "guid": "3f2a5cff-c8a6-634a-1f1b-53ef9d321381", + "link": "Contact VMware", "services": [ - "WAF" + "AVS", + "VM", + "Storage" ], "severity": "Medium", - "text": "Ensure Bidirectional Forwarding Detection (BFD) is enabled and configured on customer or provider edge routing devices.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - 
"waf": "Reliability" + "subcategory": "Storage", + "text": "VM with Direct IO require removing DirectPath device", + "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Cannot migrate clusters ", + "guid": "efc8a311-74f8-0252-c6a0-4bac7610e266", + "link": "Contact VMware", "services": [ - "ExpressRoute", - "WAF" + "AVS", + "Storage" ], - "severity": "High", - "text": "Connect the ExpressRoute Gateway to two or more circuits from different peering locations for higher resiliency.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Storage", + "text": "Shared VMDK files are not supported", + "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Convert to a different format", + "guid": "ab6c89cd-a26f-b894-fe59-61863975458e", + "link": "Contact VMware", "services": [ - "ExpressRoute", - "WAF", - "Monitor", - "VNet" + "AVS", + "Storage" ], "severity": "Medium", - "text": "Configure diagnostic logs and alerts for ExpressRoute virtual network gateway.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "subcategory": "Storage", + "text": "RDM with 'physical compatibility mode' are not 
supported.", "waf": "Operations" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning 'RAID-1 FTT-1' is default with Thin Provisioning", + "guid": "7628d446-6b10-9678-9cec-f407d990de43", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", "services": [ - "ExpressRoute", - "WAF", - "VNet" + "AVS", + "VM", + "AzurePolicy", + "Storage" ], "severity": "Medium", - "text": "Do not use ExpressRoute circuits for VNet-to-VNet communication.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Performance" + "subcategory": "Storage", + "text": "Default storage policy", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "N/A", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "The default storage policy is set to RAID-1 (Mirroring) FTT-1, with Object Space Reservation set to Thin provisioning.", + "guid": "37fef358-7ab9-43a9-542c-22673955200e", + "link": "https://learn.microsoft.com/azure/azure-vmware/configure-storage-policy", "services": [ - "ACR", - "WAF" + "AVS", + "VM", + "AzurePolicy", + "Storage" ], - "severity": "Low", - "text": "Do not send Azure traffic to hybrid locations for inspection. 
Instead, follow the principle 'traffic in Azure stays in Azure' so that communication across resources in Azure occurs via the Microsoft backbone network.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Storage", + "text": "Ensure that the appropriate VM template storage policy is used", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/firewall/overview", - "service": "Firewall", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", + "guid": "ebebd109-9f9d-d85e-1b2f-d302012843b7", + "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", "services": [ - "WAF", - "Firewall" + "AVS", + "AzurePolicy", + "Storage" ], - "severity": "High", - "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Storage", + "text": "Failure to tolerate policy", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", - "service": "Firewall", + "category": "VMware", + "checklist": "Azure VMware Solution Implementation Checklist", + "description": "ANF can be used to extend storage for Azure VMware Solution,", + "guid": "1be821bd-4f37-216a-3e3d-2a5ac6996863", + "link": "https://learn.microsoft.com/azure/azure-vmware/netapp-files-with-azure-vmware-solution", 
"services": [ - "AzurePolicy", - "RBAC", - "ACR", - "WAF", - "Firewall" + "AVS", + "Storage" ], "severity": "Medium", - "text": "Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies to meet requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "subcategory": "Storage", + "text": "Use ANF for external storage", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", - "services": [ - "WAF", - "Firewall" - ], - "severity": "Low", - "text": "Configure supported partner SaaS security providers within Firewall Manager if the organization wants to use such solutions to help protect outbound connections.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "category": "Operations management", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", + "services": [], + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Follow reliability support recommendations in Azure Bot Service", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": 
"https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", - "services": [ - "DNS", - "WAF", - "Firewall" - ], - "severity": "High", - "text": "Use application rules to filter outbound traffic on destination host name for supported protocols. Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over other protocols.", - "waf": "Security" + "category": "Operations management", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", + "services": [], + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Deploying bots with local data residency and regional compliance", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "services": [ - "WAF", - "Firewall" - ], - "severity": "High", - "text": "Use Azure Firewall Premium to enable additional security features.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", - "service": "Firewall", - "services": [ - "WAF", - "Firewall" - ], - "severity": "High", - "text": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for 
additional protection.", - "waf": "Security" + "category": "Operations management", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", + "services": [], + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "974a759c-763e-47d2-9161-3a7649907e0e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ASB_v1.docx", "services": [ - "WAF", - "Firewall" + "ServiceBus" ], - "severity": "High", - "text": "Configure Azure Firewall IDPS mode to Deny for additional protection.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Best Practices", + "text": "Leverage FTA Handbook", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - 
"checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "description": "This will be turned on automatically for a new SB namespace created from the portal with the Premium SKUs in a zone-enabled region. 
Both the Service Bus metadata and the messages data are replicated across datacenters in the availability zones configuration", + "guid": "338ee253-c17d-432e-aaaa-b7571549ab81", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#availability-zones", "services": [ - "Storage", - "VWAN", - "NVA", - "VNet", - "WAF", - "Firewall" + "ServiceBus", + "ACR" ], "severity": "High", - "text": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "description": "If enabled, Implements namespace metadata replication to a secondary region. Does not replicate queue/topic message data. 
Premium sku only.", + "guid": "53d89f89-d17b-484b-93b5-a67f7b9ed5b3", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#geo-disaster-recovery", "services": [ - "Storage", - "WAF", - "Firewall" + "ServiceBus", + "ASR", + "Storage" ], "severity": "Medium", - "text": "Add diagnostic settings to save logs, using the Resource Specific destination table, for all Azure Firewall deployments.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "services": [ - "AzurePolicy", - "WAF", - "Firewall" - ], - "severity": "Important", - "text": "Migrate from Azure Firewall Classic rules (if exist) to Firewall Policy.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operations" + "subcategory": "Geo-Disaster Recovery", + "text": "Plan for Metadata replication during regional failure", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "description": 
"If an outage cannot be tolerated, do not use the build-in metadata replication option. Leverage a replication pattern to replicate Service Bus messages across two or more sets of cross-region namespaces", + "guid": "1f38c403-a822-4c24-93cf-0f18ac699ef1", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-federation-overview", "services": [ - "WAF", - "VNet", - "Firewall" + "ServiceBus", + "ASR", + "ACR" ], - "severity": "High", - "text": "Use a /26 prefix for your Azure Firewall subnets.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Geo-Disaster Recovery", + "text": "Plan for Message replication during regional failure", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus uses a message broker to handle messages that are sent to a Service Bus queue or topic. By default, all messages that are sent to a queue or topic are handled by the same message broker process. This architecture can place a limitation on the overall throughput of the message queue. 
However, you can also partition a queue or topic when it is created", + "guid": "d5a83de4-de32-4c18-a147-0607c5c0e4e6", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/data-partitioning-strategies#partitioning-azure-service-bus", "services": [ - "AzurePolicy", - "WAF" + "ServiceBus", + "Storage" ], "severity": "Medium", - "text": "Arrange rules within the firewall policy into Rule Collection Groups and Rule Collections and based on their frequency of use.", - "waf": "Performance" + "subcategory": "Best Practices", + "text": "For applications which require high throughput, use Patritioning ", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "14658d24-58ed-4671-99b8-21102df26ee4", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters", "services": [ - "Storage", - "WAF" + "ServiceBus" ], "severity": "Medium", - "text": "Use IP Groups or IP prefixes to reduce number of IP table rules.", - "waf": "Performance" + "subcategory": "Best Practices", + "text": "Evaluate Premier-tier benefits of Azure Service Bus", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "11e6f883-e52f-4472-8dd6-8c5b5c2521e5", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-messaging-exceptions", "services": [ - "WAF" + "ServiceBus" ], - "severity": "Medium", - "text": "Do not use wildcards as a 
source IP for DNATS, such as * or any, you should specify source IPs for incoming DNATs.", - "waf": "Performance" + "severity": "High", + "subcategory": "Best Practices", + "text": "Ensure that Service Bus Messaging Exceptions are handled properly", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "4a69b9d3-39ac-44e7-a68d-1d75657202b4", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", "services": [ - "Monitor", - "WAF" + "PrivateLink", + "ServiceBus", + "Storage" ], "severity": "Medium", - "text": "Prevent SNAT Port exhaustion by monitoring SNAT port usage, evaluating NAT Gateway settings, and ensuring seamless failover. 
If the port count approaches the limit, it’s a sign that SNAT exhaustion might be imminent.", - "waf": "Performance" + "subcategory": "Best Practices", + "text": "Connect to Service Bus with the Advanced Messaging Queue Protocol (AMQP) and use Service Endpoints or Private Endpoints when possible.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "f4564b4d-974a-4759-a763-e7d261613a76", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-performance-improvements?tabs=net-standard-sdk-2", "services": [ - "WAF", - "Firewall" + "ServiceBus" ], "severity": "High", - "text": "If you are using Azure Firewall Premium, enable TLS Inspection.", - "waf": "Performance" + "subcategory": "Best Practices", + "text": "Review the Best Practices for performance improvements using Service Bus Messaging", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "49907e0e-338e-4e25-9c17-d32e8aaab757", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/operational-excellence", "services": [ - "ServiceBus", - "WAF" + "ServiceBus" ], - "severity": "Low", - "text": "Use web categories to allow or deny outbound access to specific topics.", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Best Practices", + "text": "Implement geo-replication on the sender and receiver side to protect 
against outages and disasters", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "1549ab81-53d8-49f8-ad17-b84b33b5a67f", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", "services": [ - "WAF" + "ServiceBus", + "ASR", + "Storage" ], "severity": "Medium", - "text": "As part of your TLS inspection, plan for receiving traffic from Azure App Gateways for inspection.", - "waf": "Performance" + "subcategory": "Best Practices", + "text": "If you need mission-critical messaging with queues and topics, Service Bus Premium is recommended with Geo-Disaster Recovery.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "7b9ed5b3-1f38-4c40-9a82-2c2463cf0f18", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", "services": [ - "DNS", - "WAF", - "Firewall" + "ServiceBus" ], "severity": "Medium", - "text": "Enable Azure Firewall DNS proxy configuration.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Implement high availability for the Service Bus namespace", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": 
"https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "ac699ef1-d5a8-43de-9de3-2c1881470607", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", "services": [ - "Monitor", - "WAF", - "Firewall" + "ServiceBus" ], "severity": "High", - "text": "Integrate Azure Firewall with Azure Monitor and enable diagnostic logging to store and analyze firewall logs.", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "Ensure related messages are delivered in guaranteed order", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "c5c0e4e6-1465-48d2-958e-d67139b82110", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", "services": [ - "WAF", - "Backup" + "ServiceBus" ], "severity": "Low", - "text": "Implement backups for your firewall rules", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "Evaluate different Java Messaging Service (JMS) features through the JMS API", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "2df26ee4-11e6-4f88-9e52-f4722dd68c5b", + "link": 
"https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", "services": [ - "WAF", - "VNet" + "ServiceBus" ], - "severity": "High", - "text": "Do not disrupt control-plane communication for Azure PaaS services injected into a virtual networks, such as with a 0.0.0.0/0 route or an NSG rule that blocks control plane traffic.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "Security" + "severity": "Low", + "subcategory": "Best Practices", + "text": "Use .NET Nuget packages to communicate with Service Bus messaging entities", + "waf": "Reliability" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", + "category": "Operations Management", + "checklist": "Service Bus Review Checklist", + "guid": "5c2521e5-4a69-4b9d-939a-c4e7c68d1d75", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", "services": [ - "ExpressRoute", - "WAF", - "PrivateLink" + "ServiceBus" ], "severity": "Medium", - "text": "Access Azure PaaS services from on-premises via private endpoints and ExpressRoute private peering. 
This method avoids transiting over the public internet.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Implement resilience for transient fault handling when sending or receiving messages", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "WAF checklist", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", "services": [ - "WAF", - "VNet" + "ServiceBus" ], - "severity": "High", - "text": "Don't enable virtual network service endpoints by default on all subnets.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "severity": "Low", + "subcategory": "Data Protection", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Security" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "WAF checklist", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", "services": [ - "DNS", - "PrivateLink", - "NVA", - "WAF", - "Firewall" + "ServiceBus" ], "severity": "Medium", - "text": "Filter egress traffic to Azure PaaS services using FQDNs instead of IP addresses in Azure Firewall or an NVA to prevent data exfiltration. 
If using Private Link you can block all FQDNs, otherwise allow only the required PaaS services.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "subcategory": "Data Protection", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Security" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", "services": [ - "VPN", - "ExpressRoute", - "WAF", - "VNet" + "Entra", + "AzurePolicy", + "TrafficManager", + "RBAC", + "ServiceBus" ], - "severity": "High", - "text": "Use at least a /27 prefix for your Gateway subnets.", + "severity": "Medium", + "subcategory": "Identity and Access Management", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Security" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "category": "Security", + "checklist": "Service Bus Review Checklist", + 
"description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. ", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", + "service": "Service Bus", "services": [ - "WAF", - "VNet" + "Entra", + "AKV", + "Storage", + "VM", + "AppSvc", + "ServiceBus" ], - "severity": "High", - "text": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity.", + "severity": "Medium", + "subcategory": "Identity and Access Management", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "WAF checklist", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", "services": [ - "ACR", - "WAF", - "VNet" + "Entra", + "Storage", + "RBAC", + "Subscriptions", + "ServiceBus" ], - "severity": "Medium", - "text": "Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "severity": "High", + "subcategory": "Identity and Access Management", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "Security" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "WAF checklist", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. 
Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", "services": [ - "NVA", - "WAF", + "ServiceBus", "VNet", - "Entra" + "Monitor" ], "severity": "Medium", - "text": "Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "subcategory": "Monitoring", + "text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "Security" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "WAF checklist", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", "services": [ - "NetworkWatcher", - "WAF", + "PrivateLink", + "ServiceBus", "VNet" ], "severity": "Medium", - "text": "Enable VNet Flow Logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "subcategory": "Networking", + "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "Security" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", + "category": "Security", + "checklist": "Service Bus Review Checklist", + "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", "services": [ - "WAF", - "VNet" + "ServiceBus" ], "severity": "Medium", - "text": "Do not implement more than 900 NSG rules per NSG, due to the limit of 1000 rules.", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "waf": "Reliability" + "subcategory": "Networking", + "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Implement branching policy in Azure DevOps", + "guid": "eda1dae2-cc85-4c47-a6b7-81cca0e6c465", + "link": "https://learn.microsoft.com/azure/devops/repos/git/branch-policies-overview?view=azure-devops", "services": [ - "VWAN", - "WAF" + "AzurePolicy" ], - "severity": "Medium", - "text": "Use Virtual WAN if your scenario is explicitly described in the list of Virtual WAN routing designs.", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "severity": "High", + "subcategory": "Branching Policy", + "text": "Branch Policies", "waf": "Operations" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", + "category": "Version Control", + 
"checklist": "Azure DevOps", + "description": "Understand branch strategy such as GitFlow or GitHub Flow", + "guid": "bc288bec-6a16-4ca7-8444-51e1add34529", + "link": "https://learn.microsoft.com/azure/devops/repos/git/git-branching-guidance?view=azure-devops", "services": [ - "VWAN", - "ACR", - "WAF" + "AzurePolicy" ], - "severity": "Medium", - "text": "Use a Virtual WAN hub per Azure region to connect multiple landing zones together across Azure regions via a common global Azure Virtual WAN.", - "waf": "Performance" + "severity": "High", + "subcategory": "Branching Policy", + "text": "Branching strategy", + "waf": "Operations" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Understand how teams work with git", + "guid": "ec723823-7a15-41c5-ab4e-401914387e5c", + "link": "https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow", "services": [ - "WAF", - "Firewall" + "AzurePolicy" ], - "severity": "Medium", - "text": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "High", + "subcategory": "Branching Policy", + "text": "Understand GitFlow Branch Strategy", + "waf": "Operations" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", + "category": "Version Control", + 
"checklist": "Azure DevOps", + "description": "Merge into higher branches after two or more reviewers in a PR", + "guid": "a9c26c9c-32ab-45bd-8c69-98a246e33899", + "link": "https://learn.microsoft.com/azure/devops/repos/git/review-pull-requests?view=azure-devops&tabs=browser", "services": [ - "VWAN", - "WAF" + "AzurePolicy" ], - "severity": "Medium", - "text": "Ensure that your virtual WAN network architecture aligns to an identified architecture scenario.", - "waf": "Reliability" + "severity": "High", + "subcategory": "Branching Policy", + "text": "Pull Request Review", + "waf": "Operations" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Implement access control to the branches", + "guid": "7e41c77d-68cb-46a2-8ac1-9f916d697d8e", + "link": "https://learn.microsoft.com/azure/devops/repos/git/branch-permissions?view=azure-devops", "services": [ - "VWAN", - "WAF", - "Monitor" + "AzurePolicy" ], "severity": "Medium", - "text": "Use Azure Monitor Insights for Virtual WAN to monitor the end-to-end topology of the Virtual WAN, status, and key metrics.", + "subcategory": "Branching Policy", + "text": "Access Control to the Branch", "waf": "Operations" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", - "services": [ - "VWAN", - "WAF" - ], - "severity": "Medium", - "text": "Do not disable branch-to-branch traffic in Virtual WAN, unless these flows should be explicitly blocked.", - "waf": "Reliability" + "category": "Version Control", + "checklist": "Azure DevOps", + 
"description": "Perform SAST code scan", + "guid": "adfd27bd-e187-401a-a252-baa9b68a088c", + "link": "https://devblogs.microsoft.com/devops/integrate-security-into-your-developer-workflow-with-github-advanced-security-for-azure-devops/", + "services": [], + "severity": "High", + "subcategory": "Security", + "text": "Code Scan", + "waf": "Security" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", - "services": [ - "VPN", - "ExpressRoute", - "WAF" - ], - "severity": "Medium", - "text": "Use AS-Path as hub routing preference, since it is more flexible than ExpressRoute or VPN.", - "waf": "Reliability" + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Understand TFVC as Code Repo", + "guid": "9a8f822b-8eb9-4d1b-a77f-26e5e6beba8e", + "link": "https://learn.microsoft.com/azure/devops/repos/tfvc/what-is-tfvc?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Practice", + "text": "TFVC as Code Repository", + "waf": "Operations" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", - "services": [ - "VWAN", - "WAF" - ], - "severity": "Medium", - "text": "Configure label-based propagation in Virtual WAN, otherwise connectivity between virtual hubs will be impaired.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "WAF checklist", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", - "services": [ - "WAF" - ], - "severity": 
"High", - "text": "Assign at least a /23 prefix to virtual hubs to ensure enough IP space is available.", - "waf": "Reliability" + "category": "Version Control", + "checklist": "Azure DevOps", + "description": "Compare Git vs TFVC for your project", + "guid": "d4f3437b-c336-4d71-9f27-a71eee0b9b5d", + "link": "https://learn.microsoft.com/azure/devops/repos/tfvc/comparison-git-tfvc?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Practice", + "text": "Choose Right version control", + "waf": "Operations" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "services": [ - "AzurePolicy", - "WAF" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Set up your team management", + "guid": "8defd5d7-21d4-41d2-900c-807bf9eab40f", + "link": "https://learn.microsoft.com/azure/devops/organizations/settings/manage-teams?view=azure-devops", + "services": [], "severity": "High", - "text": "Leverage Azure Policy strategically, define controls for your environment, using Policy Initiatives to group related policies.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "services": [ - "RBAC", - "AzurePolicy", - "WAF" - ], - "severity": "Medium", - "text": "Map regulatory and compliance requirements to Azure Policy definitions and Azure role assignments.", - "waf": "Security" + "subcategory": "Team Planning", + "text": "Configure your teams", + "waf": "Operations" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - 
"link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "services": [ - "AzurePolicy", - "WAF", - "Subscriptions" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Start scheduling sprints", + "guid": "9ed5b354-78d4-447a-a26c-2863c00f1cac", + "link": "https://learn.microsoft.com/azure/devops/boards/sprints/define-sprints?view=azure-devops", + "services": [], "severity": "Medium", - "text": "Establish Azure Policy definitions at the intermediate root management group so that they can be assigned at inherited scopes.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "services": [ - "AzurePolicy", - "WAF" - ], - "severity": "High", - "text": "Manage policy assignments at the highest appropriate level with exclusions at bottom levels, if required.", - "waf": "Security" + "subcategory": "Team Planning", + "text": "Configure your sprints", + "waf": "Operations" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", - "services": [ - "AzurePolicy", - "WAF", - "Subscriptions" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Set up your work item heirarchy", + "guid": "699ef1d5-a83d-4e5d-b36c-1c81870a0bc5", + "link": "https://learn.microsoft.com/azure/devops/organizations/settings/work/customize-process-work-item-type?view=azure-devops", + "services": [], "severity": "Low", - "text": "Use Azure Policy to control which services users can provision at the subscription/management group level.", - "waf": "Security" + 
"subcategory": "Team Planning", + "text": "Choose Work Item types", + "waf": "Operations" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "services": [ - "AzurePolicy", - "WAF" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "WIT Processes available in Azure DevOps", + "guid": "c1e43a18-658d-4285-aed6-7179b825546d", + "link": "https://learn.microsoft.com/azure/devops/boards/work-items/guidance/choose-process?view=azure-devops&tabs=agile-process", + "services": [], "severity": "High", - "text": "Use built-in policies where possible to minimize operational overhead.", - "waf": "Security" + "subcategory": "Team Planning", + "text": "Select a WIT Process", + "waf": "Operations" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "description": "Assigning the Resource Policy Contributor role to specific scopes allows you to delegate policy management to relevant teams. 
For instance, a central IT team may oversee management group-level policies, while application teams handle policies for their subscriptions, enabling distributed governance with adherence to organizational standards.", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", - "services": [ - "AzurePolicy", - "RBAC", - "Entra", - "WAF", - "Subscriptions" - ], - "severity": "Medium", - "text": "Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance.", - "waf": "Security" + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Use Azure Boards with GitHub", + "guid": "f2aee455-3afc-4833-a248-726dd68c5b5c", + "link": "https://learn.microsoft.com/azure/devops/cross-service/github-integration?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Tool Integration", + "text": "GitHub Integration", + "waf": "Operations" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "services": [ - "AzurePolicy", - "WAF", - "Subscriptions" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Understand the methologies", + "guid": "2925394b-69b9-4d37-aac4-3bc68d1d7665", + "link": "https://www.atlassian.com/agile/scrum/agile-vs-scrum", + "services": [], "severity": "Medium", - "text": "Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.", - "waf": "Security" + "subcategory": "Process Planning", + "text": "Understand Agile Vs Scrum", + "waf": "Operations" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF 
checklist", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", - "services": [ - "AzurePolicy", - "WAF" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Create Dashboard and PowerBI reports", + "guid": "7246b448-564b-44dd-94a7-59c7633bd2a1", + "link": "https://learn.microsoft.com/azure/devops/report/dashboards/overview?view=azure-devops", + "services": [], "severity": "Medium", - "text": "If any data sovereignty requirements exist, Azure Policies should be deployed to enforce them.", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Security" + "subcategory": "Reporting", + "text": "Dashboard", + "waf": "Operations" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", - "services": [ - "AzurePolicy", - "WAF", - "Subscriptions" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Set up backlog", + "guid": "a27a764a-90be-40e3-98ee-293c1bd363ca", + "link": "https://learn.microsoft.com/azure/devops/boards/backlogs/set-up-your-backlog?view=azure-devops", + "services": [], "severity": "Medium", - "text": "For Sovereign Landing Zone, deploy sovereignty policy baseline and assign at correct management group level.", - "waf": "Security" + "subcategory": "Reporting", + "text": "Refine your backlog", + "waf": "Operations" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", - "services": 
[ - "AzurePolicy", - "WAF" - ], + "category": "Azure Boards", + "checklist": "Azure DevOps", + "description": "Link your work items", + "guid": "aab75719-49ab-4919-9dc9-fc9d1bb84b37", + "link": "https://learn.microsoft.com/azure/devops/boards/queries/link-work-items-support-traceability?view=azure-devops&tabs=browser", + "services": [], "severity": "Medium", - "text": "For Sovereign Landing Zone, document Sovereign Control objectives to policy mapping.", - "waf": "Security" + "subcategory": "Reporting", + "text": "Visualize Relationships", + "waf": "Operations" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "WAF checklist", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", - "service": "Policy", - "services": [ - "AzurePolicy", - "WAF" - ], - "severity": "Medium", - "text": "For Sovereign Landing Zone, ensure process is in place for management of 'Sovereign Control objectives to policy mapping'.", - "waf": "Security" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "View the velocity report", + "guid": "b5a67fcb-9ed5-4b35-978d-447a826c2863", + "link": "https://learn.microsoft.com/azure/devops/report/dashboards/team-velocity?view=azure-devops&tabs=in-context", + "services": [], + "severity": "Low", + "subcategory": "Reporting", + "text": "Review Team Velocity", + "waf": "Operations" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", - "services": [ - "AzurePolicy", - "RBAC", - "Monitor", - "Entra", - "WAF" - ], - "severity": "Medium", - "text": "Use a single monitor logs workspace to manage platforms centrally except where Azure role-based access control (Azure RBAC), data 
sovereignty requirements, or data retention policies mandate separate workspaces.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Create your first pipeline", + "guid": "c00f1cac-699e-4f1d-9a83-de5de36c1c81", + "link": "https://learn.microsoft.com/azure/devops/pipelines/create-first-pipeline?view=azure-devops&tabs=java%2Ctfs-2018-2%2Cbrowser", + "services": [], + "severity": "High", + "subcategory": "Continuous Integration", + "text": "Set up pipeline", "waf": "Operations" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", - "services": [ - "ARS", - "Storage", - "WAF", - "AzurePolicy" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Specify events that trigger pipelines", + "guid": "870a0bc5-c1e4-43a1-a658-d2858ed67179", + "link": "https://learn.microsoft.com/azure/devops/pipelines/build/triggers?view=azure-devops", + "services": [], "severity": "High", - "text": "Export logs to Azure Storage if your log retention requirements exceed twelve years. 
Use immutable storage with a write-once, read-many policy to make data non-erasable and non-modifiable for a user-specified interval.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "subcategory": "Continuous Integration", + "text": "Set Build triggers", "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", - "services": [ - "Monitor", - "WAF", - "AzurePolicy", - "VM" - ], - "severity": "Medium", - "text": "Monitor OS level virtual machine (VM) configuration drift using Azure Policy. Enabling Azure Automanage Machine Configuration audit capabilities through policy helps application team workloads to immediately consume feature capabilities with little effort.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Use YAML to create build pipeline", + "guid": "b825546d-f2ae-4e45-93af-c8339248726d", + "link": "https://learn.microsoft.com/azure/devops/pipelines/customize-pipeline?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Continuous Integration", + "text": "Customize YAML Pipeline", "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", - "service": "VM", - "services": [ - "WAF", - "VM" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Use classic GUI editor to set up pipeline", + "guid": "d68c5b5c-2925-4394-a69b-9d379ac43bc6", + "link": 
"https://learn.microsoft.com/azure/devops/pipelines/get-started/pipelines-get-started?view=azure-devops&source=recommendations#define-pipelines-using-the-classic-interface", + "services": [], "severity": "Medium", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs in Azure.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "subcategory": "Continuous Integration", + "text": "Use GUI for pipeline", "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", - "services": [ - "WAF", - "VM" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up templates, parameters and expressions", + "guid": "8d1d7665-7246-4b44-a564-b4dd74a759c7", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/templates?view=azure-devops&pivots=templates-includes", + "services": [], "severity": "Medium", - "text": "Use Azure Update Manager as a patching mechanism for Windows and Linux VMs outside of Azure using Azure Arc.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "subcategory": "Continuous Integration", + "text": "Configure Templates", "waf": "Operations" }, { - "arm-service": "microsoft.network/networkWatchers", - "checklist": "WAF checklist", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", - "services": [ - "Monitor", - "WAF", - "NetworkWatcher" - ], - "severity": "Medium", - "text": "Use Network Watcher to proactively monitor traffic flows.", - "training": 
"https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up jobs, stages and dependencies", + "guid": "633bd2a1-a27a-4764-a90b-e0e378ee293c", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/stages?view=azure-devops&tabs=yaml", + "services": [], + "severity": "High", + "subcategory": "Continuous Integration", + "text": "Jobs", "waf": "Operations" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", - "services": [ - "Monitor", - "WAF" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up conditions and Demands", + "guid": "1bd363ca-aab7-4571-a49a-b9193dc9fc9d", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/conditions?view=azure-devops&tabs=yaml%2Cstages", + "services": [], "severity": "Medium", - "text": "Use Azure Monitor Logs for insights and reporting.", + "subcategory": "Continuous Integration", + "text": "Conditions and Demands", "waf": "Operations" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", - "services": [ - "Monitor", - "WAF" - ], - "severity": "Medium", - "text": "Use Azure Monitor alerts for the generation of operational alerts.", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Define Variables", + "guid": "1bb84b37-b5a6-47fc-a9ed-5b35478d447a", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch", + "services": [], + "severity": "High", + 
"subcategory": "Continuous Integration", + "text": "Variables", "waf": "Operations" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", - "services": [ - "Monitor", - "WAF" - ], - "severity": "Medium", - "text": "When using Change and Inventory Tracking via Azure Automation Accounts, ensure that you have selected supported regions for linking your Log Analytics workspace and automation accounts together.", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up your deployment pipeline", + "guid": "826c2863-c00f-41ca-a699-ef1d5a83de5d", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/create-multistage-pipeline?view=azure-devops", + "services": [], + "severity": "High", + "subcategory": "Continuous Deployment", + "text": "Deployment Pipeline", "waf": "Operations" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", - "services": [ - "WAF", - "Backup" - ], - "severity": "Low", - "text": "When using Azure Backup, use the correct backup types (GRS, ZRS & LRS) for your backup, as the default setting is GRS.", - "waf": "Reliability" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Select correct branches to deploy from", + "guid": "e36c1c81-870a-40bc-9c1e-43a18658d285", + "link": "https://learn.microsoft.com/azure/devops/pipelines/release/deploy-multiple-branches?view=azure-devops", + "services": [], + "severity": "Medium", + "subcategory": "Continuous Deployment", + "text": "Release branch", + "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", + 
"waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", - "services": [ - "AzurePolicy", - "WAF", - "VM" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "use relevant template to deploy to azure", + "guid": "8ed67179-b825-4546-bf2a-ee4553afc833", + "link": "https://learn.microsoft.com/azure/devops/pipelines/overview-azure?view=azure-devops", + "services": [], "severity": "Medium", - "text": "Use Azure guest policies to automatically deploy software configurations through VM extensions and enforce a compliant baseline VM configuration.", - "waf": "Security" + "subcategory": "Continuous Deployment", + "text": "Deploy to Azure", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Use Azure Policy's guest configuration features to audit and remediate machine settings (e.g., OS, application, environment) to ensure resources align with expected configurations, and Update Management can enforce patch management for VMs.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", - "services": [ - "Monitor", - "WAF", - "AzurePolicy", - "VM" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Define Release Approvals and pre deployment checks", + "guid": "9248726d-d68c-45b5-a292-5394b69b9d37", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass", + "services": [], "severity": "Medium", - "text": "Monitor VM security configuration drift via Azure Policy.", - "waf": 
"Security" + "subcategory": "Continuous Deployment", + "text": "Approvals and Checks", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", - "services": [ - "ACR", - "WAF", - "VM", - "ASR" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Define Gates and post deployment checks", + "guid": "9ac43bc6-8d1d-4766-9724-6b448564b4dd", + "link": "https://learn.microsoft.com/azure/devops/pipelines/release/approvals/?view=azure-devops&tabs=yaml", + "services": [], "severity": "Medium", - "text": "Use Azure Site Recovery for Azure-to-Azure Virtual Machines disaster recovery scenarios. This enables you to replicate workloads across regions.", + "subcategory": "Continuous Deployment", + "text": "Gates", "waf": "Operations" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", - "services": [ - "WAF", - "Backup" - ], - "severity": "Medium", - "text": "Use Azure-native backup capabilities, or an Azure-compatible, 3rd-party backup solution.", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Define Azure Function and REST API Checks", + "guid": "74a759c7-633b-4d2a-8a27-a764a90be0e3", + "link": "https://learn.microsoft.com/azure/devops/pipelines/process/invoke-checks?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Continuous Deployment", + "text": "Azure Function Checks", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Operations" }, { - 
"arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "WAF checklist", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", - "services": [ - "AppGW", - "WAF", - "FrontDoor" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Review pipeline reports", + "guid": "78ee293c-1bd3-463c-aaab-7571949ab919", + "link": "https://learn.microsoft.com/azure/devops/pipelines/reports/pipelinereport?view=azure-devops", + "services": [], "severity": "High", - "text": "Add diagnostic settings to save WAF logs from application delivery services like Azure Front Door and Azure Application Gateway. Regularly review the logs to check for attacks and for false positive detections.", + "subcategory": "Continuous Deployment", + "text": "Pipline Reports", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "WAF checklist", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", - "services": [ - "Sentinel", - "AppGW", - "WAF", - "FrontDoor" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "configure Trend Result widget", + "guid": "3dc9fc9d-1bb8-44b3-9b5a-67fcb9ed5b35", + "link": "https://learn.microsoft.com/azure/devops/report/dashboards/analytics-widgets?toc=%2Fazure%2Fdevops%2Fpipelines%2Ftoc.json&view=azure-devops#test-results-trend-advanced", + "services": [], "severity": "Medium", - "text": "Send WAF logs from your application delivery services like Azure Front Door and Azure Application Gateway to 
Microsoft Sentinel. Detect attacks and integrate WAF telemetry into your overall Azure environment.", + "subcategory": "Analytics", + "text": "Pipeline Result Trend", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", - "services": [ - "WAF", - "AKV" - ], - "severity": "High", - "text": "Use Azure Key Vault to store your secrets and credentials.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", - "services": [ - "WAF", - "AKV" - ], - "severity": "Medium", - "text": "Use different Azure Key Vaults for different applications and regions to avoid transaction scale limits and restrict access to secrets.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "services": [ - "AzurePolicy", - 
"WAF", - "AKV" - ], - "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "services": [ - "RBAC", - "WAF", - "AKV", - "Entra" - ], - "severity": "Medium", - "text": "Follow a least privilege model by limiting authorization to permanently delete keys, secrets, and certificates to specialized custom Microsoft Entra ID roles.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Automate the certificate management and renewal process with public certificate authorities to ease administration.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Establish an automated process for key and certificate rotation.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "services": [ - "VNet", - "WAF", - "AKV", - "PrivateLink" - ], - "severity": "Medium", - "text": "Enable firewall and virtual network service endpoint or private endpoint on the vault to control 
access to the key vault.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", - "services": [ - "Monitor", - "WAF", - "AKV", - "Entra" - ], - "severity": "Medium", - "text": "Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate, and secret usage within each instance of Key Vault.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "services": [ - "AzurePolicy", - "WAF", - "AKV" - ], - "severity": "Medium", - "text": "Delegate Key Vault instantiation and privileged access and use Azure Policy to enforce a consistent compliant configuration.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "services": [ - "WAF", - "AKV" - ], - "severity": "Medium", - "text": "Use an Azure Key Vault per application per environment per region.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "services": [ - "ACR", - "WAF", - "AKV", - "ASR" - ], - "severity": "Medium", - "text": "If you want to bring your own keys, this might not be supported across all considered services. Implement relevant mitigation so that inconsistencies don't hinder desired outcomes. 
Choose appropriate region pairs and disaster recovery regions that minimize latency.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", - "services": [ - "WAF", - "AKV" - ], - "severity": "Medium", - "text": "For Sovereign Landing Zone, use Azure Key Vault managed HSM to store your secrets and credentials.", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", - "services": [ - "WAF", - "Entra" - ], - "severity": "Medium", - "text": "Use Microsoft Entra ID reporting capabilities to generate access control audit reports.", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", - "services": [ - "WAF", - "Defender", - "Subscriptions" - ], - "severity": "High", - "text": "Enable Defender Cloud Security Posture Management for all subscriptions.", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", - "services": [ - "WAF", - "Defender", - "Subscriptions" - ], - "severity": "High", - "text": "Enable a Defender Cloud Workload Protection Plan for Servers on all subscriptions.", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - "services": [ - 
"WAF", - "Defender", - "Subscriptions" - ], - "severity": "High", - "text": "Enable Defender Cloud Workload Protection Plans for Azure Resources on all subscriptions.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Enable Endpoint Protection on IaaS Servers.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", - "services": [ - "Monitor", - "WAF", - "Defender" - ], - "severity": "Medium", - "text": "Monitor base operating system patching drift via Azure Monitor Logs and Defender for Cloud.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", - "services": [ - "Monitor", - "WAF", - "Entra" - ], - "severity": "Medium", - "text": "Connect default resource configurations to a centralized Azure Monitor Log Analytics workspace.", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", - "services": [ - "WAF", - "Entra" - ], - "severity": "Medium", - "text": "For Sovereign Landing Zone, enable transparancy logs on the Entra ID tenant.", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": 
"https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", - "services": [ - "WAF", - "Entra" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Connect with WIT to visualize work", + "guid": "478d447a-826c-4286-9c00-f1cac699ef1d", + "link": "https://learn.microsoft.com/azure/devops/pipelines/integrations/configure-pipelines-work-tracking?view=azure-devops&tabs=yaml", + "services": [], "severity": "Medium", - "text": "For Sovereign Landing Zone, enable customer Lockbox on the Entra ID tenant.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", - "services": [ - "Storage", - "WAF" - ], - "severity": "High", - "text": "Enable secure transfer to storage accounts.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", - "services": [ - "Storage", - "WAF" - ], - "severity": "High", - "text": "Enable container soft delete for the storage account to recover a deleted container and its contents.", - "waf": "Security" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", - "services": [ - "WAF", - "AKV", - "VM" - ], - "severity": "High", - "text": "Use Key Vault secrets to avoid hard-coding sensitive information such as credentials (virtual 
machines user passwords), certificates or keys.", + "subcategory": "Analytics", + "text": "Work Tracking with Pipeline", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "Operations" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "WAF checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", - "services": [ - "ACR", - "WAF" - ], - "severity": "High", - "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.cache/redis", - "checklist": "WAF checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", - "services": [ - "Storage", - "WAF" - ], - "severity": "Medium", - "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.cache/redis", - "checklist": "WAF checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", - "services": [ - "Storage", - "WAF" - ], - "severity": "Medium", - "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.cache/redis", - "checklist": "WAF checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", - "services": [ - "WAF", - "ASR" - ], - "severity": "Medium", - "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. 
Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "WAF checklist", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "WAF checklist", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "services": [ - "WAF" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Understand agent pools", + "guid": "5a83de5d-e36c-41c8-8870-a0bc5c1e43a1", + "link": "https://learn.microsoft.com/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=yaml%2Cbrowser", + "services": [], "severity": "Medium", - "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "WAF checklist", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Consider a Cross-Region DR strategy for critical workloads", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "WAF checklist", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Learn how to trigger a manual failover.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "WAF checklist", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Learn how to fail back after a failover.", - "waf": "Reliability" + "subcategory": "Continuous Deployment", + "text": " Agents and agent pools", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Operations" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", - "services": [ - "WAF" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Understand and provision Deployment Groups when required", + "guid": 
"8658d285-8ed6-4717-ab82-5546df2aee45", + "link": "https://learn.microsoft.com/azure/devops/pipelines/release/deployment-groups/?view=azure-devops", + "services": [], "severity": "Low", - "text": "Refer to baseline highly available zone-redundant web application architecture for best practices", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", - "services": [ - "WAF", - "Backup" - ], - "severity": "Medium", - "text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.", - "waf": "Reliability" + "subcategory": "Continuous Deployment", + "text": "Deployment Groups", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Operations" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Understand Kubernetes Deployment", + "guid": "53afc833-9248-4726-bd68-c5b5c2925394", + "link": "https://learn.microsoft.com/azure/devops/pipelines/ecosystems/kubernetes/deploy?view=azure-devops", "services": [ - "WAF" + "AKS" ], - "severity": "High", - "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Continuous Deployment", + "text": "Deploy to Kubernetes", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Operations" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": 
"https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", - "services": [ - "WAF" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Perform Dynamic Security Testing", + "guid": "b69b9d37-9ac4-43bc-98d1-d76657246b44", + "link": "https://devblogs.microsoft.com/premier-developer/azure-devops-pipelines-leveraging-owasp-zap-in-the-release-pipeline/", + "services": [], "severity": "Medium", - "text": "Implement health checks", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", - "services": [ - "WAF", - "AppSvc", - "Backup" - ], - "severity": "High", - "text": "Refer to backup and restore best practices for Azure App Service", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", - "services": [ - "WAF", - "AppSvc" - ], - "severity": "High", - "text": "Implement Azure App Service reliability best practices", - "waf": "Reliability" + "subcategory": "Security", + "text": "DAST Scan", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "waf": "Security" }, { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "services": [ - "WAF", - "AppSvc" - ], - "severity": "Low", - "text": "Familiarize with how to move an App Service app to another region During a disaster", - 
"waf": "Reliability" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", - "services": [ - "WAF", - "AppSvc" - ], - "severity": "High", - "text": "Familiarize with reliability support in Azure App Service", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", - "services": [ - "WAF", - "AppSvc" - ], - "severity": "Medium", - "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", - "services": [ - "Monitor", - "WAF", - "AppSvc" - ], - "severity": "Medium", - "text": "Monitor App Service instances using Health checks", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", - "services": [ - "Monitor", - "WAF" - ], - "severity": "Medium", - "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App 
Services", - "services": [ - "Monitor", - "WAF" - ], - "severity": "Low", - "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "services": [ - "AppSvc", - "WAF", - "AKV" - ], - "severity": "High", - "text": "Use Key Vault to store secrets", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "services": [ - "AppSvc", - "WAF", - "AKV", - "Entra" - ], - "severity": "High", - "text": "Use Managed Identity to connect to Key Vault", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Store the App Service TLS certificate in Key Vault.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", - "services": [ - "AppSvc", - "WAF", - "AKV" - ], - "severity": "High", - "text": "Use Key Vault to store TLS certificate.", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Systems that process 
sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", - "services": [ - "WAF", - "AppSvc", - "Subscriptions" - ], - "severity": "Medium", - "text": "Isolate systems that process sensitive information", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", - "services": [ - "WAF", - "AppSvc", - "TrafficManager" - ], - "severity": "Medium", - "text": "Do not store sensitive data on local disk", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. 
Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", - "services": [ - "WAF", - "AppSvc", - "Entra" - ], - "severity": "Medium", - "text": "Use an established Identity Provider for authentication", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. This avoids code that was not version controlled and verified to be deployed from a malicious host.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", - "services": [ - "WAF", - "AppSvc" - ], - "severity": "High", - "text": "Deploy from a trusted environment", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. Note that the SCM site can also be opened using Azure AD credentials.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", - "services": [ - "WAF", - "Entra" - ], - "severity": "High", - "text": "Disable basic authentication", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Where possible use Managed Identity to connect to Azure AD secured resources. 
If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", - "services": [ - "WAF", - "AKV", - "Entra" - ], - "severity": "High", - "text": "Use Managed Identity to connect to resources", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", - "services": [ - "ACR", - "WAF", - "Entra" - ], - "severity": "High", - "text": "Pull containers using a Managed Identity", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", - "services": [ - "Monitor", - "WAF", - "AppSvc", - "Entra" - ], - "severity": "Medium", - "text": "Send App Service runtime logs to Log Analytics", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", - "services": [ - "Monitor", - "WAF", - "AppSvc", - "Entra" - ], - "severity": "Medium", - "text": "Send App Service activity logs to Log Analytics", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. Ensure to monitor the Firewall's logs.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", - "services": [ - "Monitor", - "NVA", - "VNet", - "WAF", - "Firewall" - ], - "severity": "Medium", - "text": "Outbound network access should be controlled", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. 
(Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "services": [ - "PrivateLink", - "Storage", - "NVA", - "VNet", - "WAF", - "Firewall" - ], - "severity": "Low", - "text": "Ensure a stable IP for outbound communications towards internet addresses", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. Different access restrictions can be required and configured for the web app itself and the SCM site.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "services": [ - "WAF", - "AppSvc", - "PrivateLink" - ], - "severity": "High", - "text": "Inbound network access should be controlled", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", - "services": [ - "Monitor", - "FrontDoor", - "AppGW", - "WAF", - "AppSvc" - ], - "severity": "High", - "text": "Use a WAF in front of App Service", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. 
Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "services": [ - "WAF", - "PrivateLink" - ], - "severity": "High", - "text": "Avoid for WAF to be bypassed", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Set minimum TLS policy to 1.2 in App Service configuration.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", - "services": [ - "AzurePolicy", - "WAF", - "AppSvc" - ], - "severity": "Medium", - "text": "Set minimum TLS policy to 1.2", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. 
Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", - "services": [ - "WAF", - "AppSvc" - ], - "severity": "High", - "text": "Use HTTPS only", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). Specifically only allow the origins that you expect to be able to access the service.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", - "services": [ - "Storage", - "WAF" - ], - "severity": "High", - "text": "Wildcards must not be used for CORS", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. 
Note that the service does turn of remote debugging automatically after 48 hours.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Turn off remote debugging", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", - "services": [ - "AppSvc", - "WAF", - "Defender" - ], - "severity": "Medium", - "text": "Enable Defender for Cloud - Defender for App Service", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", - "services": [ - "WAF", - "AppGW", - "NVA", - "EventHubs", - "VNet", - "DDoS" - ], - "severity": "Medium", - "text": "Enable DDOS Protection Standard on the WAF VNet", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", - "services": [ - "ACR", - "WAF", - "VNet", - "PrivateLink" - ], - "severity": "Medium", - "text": "Pull containers over a Virtual Network", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Conduct a penetration test", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": 
"https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Deploy validated code", - "waf": "Security" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "WAF checklist", - "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Use up-to-date platforms, languages, protocols and frameworks", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", - "services": [ - "Entra", - "WAF", - "Subscriptions" - ], - "severity": "High", - "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", - "services": [ - "AVS", - "WAF" - ], - "severity": "Medium", - "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - 
"service": "AVS", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", - "services": [ - "WAF", - "Entra" - ], - "severity": "High", - "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", - "services": [ - "RBAC", - "AVS", - "WAF" - ], - "severity": "Medium", - "text": "Has an RBAC model been created for use within VMware vSphere", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", - "services": [ - "RBAC", - "WAF" - ], - "severity": "Medium", - "text": "RBAC permissions should be granted on ADDS groups and not on specific users", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", - "services": [ - "RBAC", - "AVS", - "WAF" - ], - "severity": "High", - "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": 
"fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", - "services": [ - "RBAC", - "WAF" - ], - "severity": "High", - "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", - "services": [ - "AVS", - "WAF" - ], - "severity": "High", - "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", - "services": [ - "ExpressRoute", - "VPN", - "Monitor", - "NetworkWatcher", - "WAF" - ], - "severity": "High", - "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", - "services": [ - "ExpressRoute", - "Monitor", - "VM", - "NetworkWatcher", - "AVS", - "WAF" - ], - "severity": "Medium", - "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", - "services": [ - "Monitor", - "VM", - "NetworkWatcher", - "AVS", - "WAF" - ], - "severity": "Medium", - "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", - "waf": 
"Operations" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "services": [ - "WAF", - "ARS" - ], - "severity": "High", - "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", - "waf": "Operations" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", - "services": [ - "RBAC", - "AVS", - "WAF", - "Entra" - ], - "severity": "High", - "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", - "services": [ - "RBAC", - "AVS", - "WAF", - "Entra" - ], - "severity": "High", - "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", - "services": [ - "AVS", - "WAF", - "Entra" - ], - "severity": "Medium", - "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Limit use of CloudAdmin account to emergency access only", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", - "services": [ - "RBAC", - "WAF" - ], - "severity": "Medium", - "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", - "services": [ - "AVS", - "WAF", - "VM", - "Entra" - ], - "severity": "High", - "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Is East-West traffic filtering implemented within NSX-T", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", - "services": [ - "AppGW", - "AVS", - "WAF", - "Firewall" - ], - "severity": "High", - "text": "Workloads on Azure VMware Solution are 
not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", - "services": [ - "AVS", - "WAF" - ], - "severity": "High", - "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", - "services": [ - "Monitor", - "AVS", - "WAF" - ], - "severity": "Medium", - "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", - "services": [ - "WAF", - "ExpressRoute", - "VPN", - "VNet", - "DDoS" - ], - "severity": "Medium", - "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", - "services": [ - "AVS", - "WAF" - ], - "severity": "Medium", - "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "WAF checklist", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", - "services": [ - "AVS", - "WAF", - "Defender" - ], - "severity": "Medium", - "text": "Enable Advanced Threat 
Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
- "service": "AVS",
- "services": [
- "Arc",
- "AVS",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
- "service": "AVS",
- "services": [
- "SQL",
- "AVS",
- "WAF"
- ],
- "severity": "Low",
- "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
- "service": "AVS",
- "services": [
- "WAF",
- "AKV"
- ],
- "severity": "Low",
- "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "5ac94222-3e13-4810-9230-81a941741583",
- "service": "AVS",
- "services": [
- "AVS",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "High",
- "text": "Ensure that the appropriate vSAN Data redundancy 
method is used (RAID specification)",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "d88408f3-7273-44c8-96ba-280214590146",
- "service": "AVS",
- "services": [
- "Storage",
- "WAF",
- "AzurePolicy"
- ],
- "severity": "High",
- "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
- "service": "AVS",
- "services": [
- "WAF",
- "ASR"
- ],
- "severity": "High",
- "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
- "service": "AVS",
- "services": [
- "AzurePolicy",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
- "service": "AVS",
- "services": [
- "Cost",
- "AVS",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used",
- "waf": "Cost"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF 
checklist",
- "guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
- "service": "AVS",
- "services": [
- "Cost",
- "AVS",
- "WAF"
- ],
- "severity": "Low",
- "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution",
- "waf": "Cost"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Consider the use of Azure Private-Link when using other Azure Native Services",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "High",
- "text": "Ensure all required resource reside within the same Azure availability zone(s)",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
- "service": "AVS",
- "services": [
- "AVS",
- "WAF",
- "Defender",
- "VM"
- ],
- "severity": "Medium",
- "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
- "service": "AVS",
- "services": [
- "Arc",
- "AVS",
- "WAF",
- "VM"
- ],
- "severity": "Medium",
- "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
- "service": "AVS",
- "services": [
- "AVS",
- "WAF"
- ],
- "severity": "High",
- "text": "Enable Diagnostic and metric logging on Azure VMware Solution",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- 
"checklist": "WAF checklist",
- "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
- "service": "AVS",
- "services": [
- "Monitor",
- "AVS",
- "WAF",
- "VM"
- ],
- "severity": "Medium",
- "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
- "service": "AVS",
- "services": [
- "AzurePolicy",
- "VM",
- "AVS",
- "WAF",
- "Backup"
- ],
- "severity": "Medium",
- "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
- "service": "AVS",
- "services": [
- "Monitor",
- "AVS",
- "WAF",
- "Defender"
- ],
- "severity": "Medium",
- "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
- "service": "AVS",
- "services": [
- "WAF",
- "Defender"
- ],
- "severity": "Medium",
- "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
- "service": "AVS",
- "services": [
- "AVS",
- "WAF"
- ],
- "severity": "High",
- "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "High",
- "text": "Are 
data processing implications (service provider / service consumer model) clear and documented",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "547c1747-dc56-4068-a714-435cd19dd244",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
- "service": "AVS",
- "services": [
- "Monitor",
- "AVS",
- "WAF"
- ],
- "severity": "High",
- "text": "Create dashboards to enable core Azure VMware Solution monitoring insights",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
- "service": "AVS",
- "services": [
- "Monitor",
- "AVS",
- "WAF"
- ],
- "severity": "High",
- "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
- "service": "AVS",
- "services": [
- "Monitor",
- "AVS",
- "WAF"
- ],
- "severity": "High",
- "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
- "service": "AVS",
- "services": [
- "Monitor",
- "WAF"
- ],
- "severity": "High",
- "text": "Ensure alerts are configured for Azure Service Health alerts and notifications",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- 
"checklist": "WAF checklist",
- "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
- "service": "AVS",
- "services": [
- "Storage",
- "AVS",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
- "service": "AVS",
- "services": [
- "AVS",
- "WAF"
- ],
- "severity": "Low",
- "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
- "service": "AVS",
- "services": [
- "Storage",
- "WAF",
- "AzurePolicy",
- "VM"
- ],
- "severity": "High",
- "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
- "service": "AVS",
- "services": [
- "Storage",
- "WAF",
- "Backup"
- ],
- "severity": "Medium",
- "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
- "service": "AVS",
- "services": [
- "Arc",
- "AVS",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
- "service": "AVS",
- "services": [
- "Monitor",
- "AVS",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
- "service": "AVS",
- "services": [
- "AVS",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
- "service": "AVS",
- "services": [
- "Monitor",
- "AVS",
- "WAF",
- "AzurePolicy"
- ],
- "severity": "Medium",
- "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
- "service": "AVS",
- "services": [
- "AVS",
- "WAF",
- "Defender"
- ],
- "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud",
- "waf": 
"Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
- "service": "AVS",
- "services": [
- "WAF",
- "Backup"
- ],
- "severity": "Medium",
- "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
- "service": "AVS",
- "services": [
- "WAF",
- "ASR"
- ],
- "severity": "Medium",
- "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "High",
- "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "8255461e-2aee-4345-9aec-8339248b262d",
- "service": "AVS",
- "services": [
- "WAF",
- "ASR"
- ],
- "severity": "Medium",
- "text": "Use the geopolitical region pair as the secondary disaster recovery environment",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "High",
- "text": "Use 2 different address 
spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
- "service": "AVS",
- "services": [
- "ExpressRoute",
- "AVS",
- "WAF",
- "NVA"
- ],
- "severity": "Medium",
- "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
- "service": "AVS",
- "services": [
- "WAF",
- "Backup"
- ],
- "severity": "Medium",
- "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
- "service": "AVS",
- "services": [
- "AVS",
- "WAF",
- "Backup"
- ],
- "severity": "Medium",
- "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
- "service": "AVS",
- "services": [
- "WAF",
- "Backup"
- ],
- "severity": "Medium",
- "text": "Deploy your backup solution outside of vSan, on Azure native components",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
- "service": "AVS",
- "services": [
- "AVS",
- "WAF"
- ],
- "severity": "Low",
- "text": "Is a process in place to request a restore of the VMware components managed by the 
Azure Platform?",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Low",
- "text": "For manual deployments, all configuration and deployments must be documented",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
- "service": "AVS",
- "services": [
- "AVS",
- "WAF"
- ],
- "severity": "Low",
- "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Low",
- "text": "For automated deployments, deploy a minimal private cloud and scale as needed",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Low",
- "text": "For automated deployments, request or reserve quota prior to starting the deployment",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
- "service": "AVS",
- "services": [
- "AzurePolicy",
- "WAF"
- ],
- "severity": "Low",
- "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
- "service": "AVS",
- "services": [
- "WAF",
- "AKV"
- 
],
- "severity": "Low",
- "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "255461e2-aee3-4553-afc8-339248b262d6",
- "service": "AVS",
- "services": [
- "ExpressRoute",
- "AVS",
- "WAF",
- "AKV"
- ],
- "severity": "Low",
- "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
- "service": "AVS",
- "services": [
- "AVS",
- "WAF"
- ],
- "severity": "Low",
- "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Low",
- "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
- "service": "AVS",
- "services": [
- "AVS",
- "WAF",
- "Subscriptions"
- ],
- "severity": "Medium",
- "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": 
"d352caaa-b79b-4198-bab8-1932c9fc9d1b",
- "service": "AVS",
- "services": [
- "Storage",
- "WAF",
- "AzurePolicy"
- ],
- "severity": "Medium",
- "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "bf15bce2-19e4-4a0e-a588-79424d226786",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Define and enforce scale in/out maximum limits for your environment in the automations",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
- "service": "AVS",
- "services": [
- "Monitor",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5",
- "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "AVS",
- "services": [
- "WAF",
- "VM"
- ],
- "severity": "High",
- "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])",
- "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "High",
- "text": "When using MON, you cannot enable MON on more than 100 Network extensions",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf",
- "service": "AVS",
- "services": [
- "VPN",
- "WAF"
- ],
- "severity": "Medium",
- "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "e614658d-d457-4e92-9139-b821102cad6e",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Ensure that migrations are started from the on-premises appliance 
and NOT from the Cloud appliance (do NOT perform a reverse migration)",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "AVS",
- "services": [
- "Storage",
- "AVS",
- "WAF",
- "VM"
- ],
- "severity": "Medium",
- "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
- "service": "AVS",
- "services": [
- "ExpressRoute",
- "WAF",
- "Storage"
- ],
- "severity": "Medium",
- "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
- "service": "AVS",
- "services": [
- "ExpressRoute",
- "WAF",
- "Storage"
- ],
- "severity": "Medium",
- "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
- "service": "AVS",
- "services": [
- "WAF",
- "ASR"
- ],
- 
"severity": "High",
- "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "High",
- "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
- "service": "AVS",
- "services": [
- "ExpressRoute",
- "WAF"
- ],
- "severity": "High",
- "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed",
- "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
- "service": "AVS",
- "services": [
- "ExpressRoute",
- "WAF"
- ],
- "severity": "High",
- "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "WAF checklist",
- "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
- "service": "AVS",
- "services": [
- "WAF"
- ],
- "severity": "High",
- "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.",
- "waf": "Reliability"
- },
- {
- "arm-service": 
"Microsoft.Search/searchServices",
- "checklist": "WAF checklist",
- "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
- "service": "Cognitive Search",
- "services": [
- "WAF"
- ],
- "severity": "High",
- "text": "Enable 2 replicas to have 99.9% availability for read operations",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "WAF checklist",
- "guid": "7d956fd9-788a-4845-9b9f-c0340972d810",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
- "service": "Cognitive Search",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Enable 3 replicas to have 99.9% availability for read/write operations",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "WAF checklist",
- "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support",
- "service": "Cognitive Search",
- "services": [
- "WAF"
- ],
- "severity": "High",
- "text": "Leverage Availability Zones by enabling read and/or write replicas",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "WAF checklist",
- "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions",
- "service": "Cognitive Search",
- "services": [
- "ACR",
- "WAF"
- ],
- "severity": "Medium",
- "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "WAF checklist",
- "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6",
- "link": 
"https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services",
- "service": "Cognitive Search",
- "services": [
- "ACR",
- "WAF"
- ],
- "severity": "Medium",
- "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "WAF checklist",
- "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests",
- "service": "Cognitive Search",
- "services": [
- "WAF",
- "TrafficManager"
- ],
- "severity": "Medium",
- "text": "Use Azure Traffic Manager to coordinate requests",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "WAF checklist",
- "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives",
- "service": "Cognitive Search",
- "services": [
- "Storage",
- "WAF",
- "Backup"
- ],
- "severity": "High",
- "text": "Backup and Restore an Azure Cognitive Search Index. 
Use this sample code to back up index definition and snapshot to a series of Json files", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "WAF checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "WAF checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Use zone redundant pipelines in regions that support Availability Zones", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "WAF checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", - "services": [ - "WAF", - "Backup" - ], - "severity": "Medium", - "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "WAF checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "services": [ - "WAF", - "VM" - ], - "severity": "Medium", - "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": 
"WAF checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "services": [ - "WAF", - "VNet" - ], - "severity": "Medium", - "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "WAF checklist", - "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. Key Vault is a managed service and Microsoft takes care of it for you", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", - "services": [ - "WAF", - "AKV" - ], - "severity": "Low", - "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", - "guid": "ba7da7be-9951-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", - "service": "Azure Data Explorer", - "services": [ - "Cost", - "Storage", - "WAF" - ], - "text": "Leverage External Tables and Continuous data export overview to reduce costs", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. 
Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", - "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", - "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", - "service": "Azure Data Explorer", - "services": [ - "Storage", - "WAF" - ], - "text": "To share data, explore Leader-follower cluster configuration", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", - "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", - "service": "Azure Data Explorer", - "services": [ - "WAF", - "ASR" - ], - "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "guid": "436b0635-cb45-4e57-a603-324ace8cc123", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", - "service": "Azure Data Explorer", - "services": [ - "RBAC", - "Storage", - "WAF" - ], - "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", - "service": "Azure Data Explorer", - "services": [ - "WAF" - ], - "text": "Ingest data into each cluster in parallel", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "description": "This configuration is also called 'always-on'. 
For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", - "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", - "service": "Azure Data Explorer", - "services": [ - "ACR", - "WAF" - ], - "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. The cluster SKU must be the same across regions.", - "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", - "service": "Azure Data Explorer", - "services": [ - "ACR", - "WAF" - ], - "text": "For critical applications, create Active-Active configuration in two paired regions", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", - "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", - "service": "Azure Data Explorer", - "services": [ - "WAF" - ], - "text": "For applications, which required only read during failure, create Active-Hot standby configuration", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", - "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", - "service": "Azure Data Explorer", - "services": [ - "AzurePolicy", - "Storage", - "ASR", - "Cost", - "WAF" - ], - "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", - "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "services": [ - "AzurePolicy", - "WAF" - ], - "text": "Wrap DevOps and source control around all your code", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "services": [ - "WAF" - ], - "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "WAF checklist", - "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - 
"services": [ - "WAF" - ], - "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "services": [ - "WAF", - "AKV", - "Backup" - ], - "severity": "High", - "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", - "services": [ - "ACR", - "WAF", - "AKV" - ], - "severity": "Medium", - "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", - "services": [ - "WAF", - "AKV" - ], - "severity": "Medium", - "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", - "services": [ - "AzurePolicy", - "WAF", - "AKV" - ], - "severity": "Medium", - "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. Familiarize yourself with the Key Vault's failover guidance.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", - "services": [ - "AKV", - "Storage", - "WAF", - "Backup", - "Subscriptions" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Manage Service Connections", + "guid": "8564b4dd-74a7-459c-9633-bd2a1a27a764", + "link": "https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml", + "services": [], "severity": "Medium", - "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. 
Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" + "subcategory": "Security", + "text": "Service Connections", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set data retention policies for CI and CD", + "guid": "a90be0e3-78ee-4293-a1bd-363caaab7571", + "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/retention?view=azure-devops&tabs=yaml", "services": [ - "WAF", - "AKV" + "AzurePolicy" ], - "severity": "High", - "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Security", + "text": "Retention Policies", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", - "services": [ - "WAF", - "AKV" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set up and pay for concurrent pipelines", + "guid": "949ab919-3dc9-4fc9-b1bb-84b37b5a67fc", + "link": "https://learn.microsoft.com/azure/devops/pipelines/licensing/concurrent-jobs?view=azure-devops&tabs=ms-hosted", + "services": [], "severity": "Low", - "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. 
Familiarize yourself with the Key Vault's soft-delete guidance.", - "waf": "Reliability" + "subcategory": "Administration", + "text": "Parallel Pipelines", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Operations" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "services": [ - "WAF", - "AKV", - "Backup" - ], - "severity": "Low", - "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. It is not possible to delete previous versions of a key, secret, or certificate.", - "waf": "Reliability" + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Set pipeline permissions", + "guid": "b9ed5b35-478d-4447-a826-c2863c00f1ca", + "link": "https://learn.microsoft.com/azure/devops/pipelines/policies/permissions?view=azure-devops", + "services": [], + "severity": "Medium", + "subcategory": "Security", + "text": "Pipeline Permissions", + "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "services": [ - "WAF", - "AKV", - "Backup" - ], + "category": "Azure Pipelines", + "checklist": "Azure DevOps", + "description": "Add users to pipeline", + "guid": "c699ef1d-5a83-4de5-be36-c1c81870a0bc", + "link": 
"https://learn.microsoft.com/azure/devops/pipelines/policies/set-permissions?view=azure-devops", + "services": [], "severity": "Low", - "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" + "subcategory": "Security", + "text": "Pipeline Users", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "WAF checklist", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", - "services": [ - "WAF", - "AKV", - "EventHubs" - ], + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Configure Artifacts", + "guid": "5c1e43a1-8658-4d28-98ed-67179b825546", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/artifacts-overview?view=azure-devops&tabs=nuget", + "services": [], "severity": "Medium", - "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. 
It can be turned on via CLI, PowerShell or Portal.", - "waf": "Reliability" + "subcategory": "Configuration", + "text": "Artifact In Pipeline", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "Operations" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "WAF checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", - "services": [ - "WAF" - ], + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Publish and consume artifact in pipeline", + "guid": "df2aee45-53af-4c83-9924-8726dd68c5b5", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/pipeline-artifacts?view=azure-devops&tabs=yaml", + "services": [], "severity": "Medium", - "text": "Leverage Flexible Server", - "waf": "Reliability" + "subcategory": "Configuration", + "text": "Publish and download Artifact", + "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", + "waf": "Operations" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "WAF checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Leverage Availability Zones where regionally applicable", - "waf": "Reliability" + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Publish NuGet packages with artifacts", + "guid": "c2925394-b69b-49d3-99ac-43bc68d1d766", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/nuget?view=azure-devops&tabs=yaml", + "services": [], + "severity": "Low", + "subcategory": "Configuration", + "text": "NuGet", + "training": 
"https://learn.microsoft.com/azure/role-based-access-control/overview", + "waf": "Operations" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "WAF checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Leverage Data-in replication for cross-region DR scenarios", - "waf": "Reliability" + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Publish Maven packages with artifacts", + "guid": "57246b44-8564-4b4d-b74a-759c7633bd2a", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/publish-maven-artifacts?view=azure-devops", + "services": [], + "severity": "Low", + "subcategory": "Configuration", + "text": "Maven", + "waf": "Operations" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", - "services": [ - "FrontDoor", - "WAF", - "AKV" - ], - "severity": "Medium", - "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. 
Reduce the risk of outages caused by manual certificate renewal", + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Publish NPM packages with artifacts", + "guid": "1a27a764-a90b-4e0e-978e-e293c1bd363c", + "link": "https://learn.microsoft.com/azure/devops/pipelines/artifacts/npm?view=azure-devops&tabs=yaml", + "services": [], + "severity": "Low", + "subcategory": "Configuration", + "text": "NPM", "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", - "services": [ - "AppGW", - "WAF" - ], + "category": "Azure Artifact", + "checklist": "Azure DevOps", + "description": "Best Practices to work with Azure Artifact", + "guid": "aaab7571-949a-4b91-a3dc-9fc9d1bb84b3", + "link": "https://learn.microsoft.com/azure/devops/artifacts/concepts/best-practices?view=azure-devops", + "services": [], "severity": "Medium", - "text": "Ensure you are using Application Gateway v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "subcategory": "Configuration", + "text": "Best Practices", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "WAF checklist", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "What is monitoring?", + "guid": 
"7b5a67fc-b9ed-45b3-9478-d447a826c286", + "link": "https://learn.microsoft.com/devops/operate/what-is-monitoring", "services": [ - "LoadBalancer", - "WAF" + "Monitor" ], + "severity": "High", + "subcategory": "Practice", + "text": "What to monitor?", + "waf": "Operations" + }, + { + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Progressive Exposure Strategy", + "guid": "3c00f1ca-c699-4ef1-b5a8-3de5de36c1c8", + "link": "https://learn.microsoft.com/devops/operate/safe-deployment-practices", + "services": [], "severity": "Medium", - "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", - "waf": "Security" + "subcategory": "Practice", + "text": "Safe Deployment Practices", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "WAF checklist", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", - "services": [ - "LoadBalancer", - "WAF" - ], + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Microsoft runs reliable systems with DevOps", + "guid": "1870a0bc-5c1e-443a-8865-8d2858ed6717", + "link": "https://learn.microsoft.com/devops/operate/how-microsoft-operates-devops", + "services": [], + "severity": "Low", + "subcategory": "Practice", + "text": "Case Study", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Operations" + }, + { + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Security in DevOps", + "guid": "9b825546-df2a-4ee4-953a-fc8339248726", + "link": "https://learn.microsoft.com/devops/operate/security-in-devops", + "services": [], "severity": "Medium", - "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + "subcategory": "Practice", + "text": "DevSecOps", 
"waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", - "services": [ - "AppGW", - "WAF", - "VNet" - ], - "severity": "Medium", - "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "category": "DevOps Practice", + "checklist": "Azure DevOps", + "description": "Enable DevSecops with Azure And GitHub", + "guid": "dd68c5b5-c292-4539-9b69-b9d379ac43bc", + "link": "https://learn.microsoft.com/devops/devsecops/enable-devsecops-azure-github", + "services": [], + "severity": "Low", + "subcategory": "Practice", + "text": "DevSecops", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "description": "Administration of reverse proxies in general and WAF in particular is closer to the application 
than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.",
- "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "App Gateway",
+ "category": "DevOps Practice",
+ "checklist": "Azure DevOps",
+ "description": "Mirror RBAC in DevOps",
+ "guid": "68d1d766-5724-46b4-9856-4b4dd74a759c",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/secure/best-practices/end-to-end-governance",
 "services": [
- "AppGW",
- "NVA",
- "VNet",
- "Entra",
- "WAF",
- "Subscriptions"
+ "RBAC"
 ],
- "severity": "Medium",
- "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "severity": "Low",
+ "subcategory": "Practice",
+ "text": "Secure DevOps Govenance",
+ "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "WAF checklist",
- "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "App Gateway",
- "services": [
- "DDoS",
- "WAF"
- ],
+ "category": "DevOps Practice",
+ "checklist": "Azure DevOps",
+ "description": "Governance when using CI/CD",
+ "guid": "7633bd2a-1a27-4a76-9a90-be0e378ee293",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/governance/end-to-end-governance-in-azure",
+ "services": [],
 "severity": "Medium",
- "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "subcategory": "Practice",
+ "text": "Azure DevOps Governance",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "WAF checklist",
- "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
- "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
- "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant",
- "service": "App Gateway",
- "services": [
- "WAF"
- ],
- "severity": "Medium",
- "text": "Configure autoscaling with a minimum amount of instances of two.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "category": "BC and DR",
+ "checklist": "Azure Function Review",
+ "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
+ "service": "Azure Functions",
+ "services": [],
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "Select the right Function hosting plan based on your business & SLO requirements",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "WAF checklist",
- "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
- "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
- "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
- "service": "App Gateway",
- "services": [
- "AppGW",
- "ACR",
- "WAF"
- ],
- "severity": "Medium",
- "text": "Deploy Application Gateway across Availability Zones",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "category": "BC and DR",
+ "checklist": "Azure Function Review",
+ "guid": "a9808100-d640-4f77-ac56-1ec0600f6752",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
+ "service": "Azure Functions",
+ "services": [],
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "Front Door",
- "services": [
- "AzurePolicy",
- "WAF",
- "FrontDoor"
- ],
+ "category": "BC and DR",
+ "checklist": "Azure Function Review",
+ "guid": "5969d03e-eacf-4042-b127-73c55e3575fa",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity",
+ "service": "Azure Functions",
+ "services": [],
 "severity": "Medium",
- "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Security"
+ "subcategory": "High Availability",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "Front Door",
+ "category": "BC and DR",
+ "checklist": "Azure Function Review",
+ "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "Azure Functions",
 "services": [
- "AzurePolicy",
- "AppGW",
- "WAF",
- "FrontDoor"
+ "AppSvc"
 ],
- "severity": "Medium",
- "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/trafficManagerProfiles",
- "checklist": "WAF checklist",
- "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "Traffic Manager",
+ "category": "BC and DR",
+ "checklist": "Azure Function Review",
+ "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
+ "service": "Azure Functions",
 "services": [
- "WAF",
- "TrafficManager"
+ "AppSvc"
 ],
 "severity": "High",
- "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "subcategory": "High Availability",
+ "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan",
 "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "Entra",
+ "category": "BC and DR",
+ "checklist": "Azure Function Review",
+ "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts",
+ "service": "Azure Functions",
 "services": [
- "WAF",
- "AVD",
- "Entra"
+ "Storage"
 ],
- "severity": "Low",
- "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?",
- "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "High Availability",
+ "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "Entra",
+ "category": "Application Deployment",
+ "checklist": "Azure Function Review",
+ "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "Azure Functions",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "CI/CD",
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code",
+ "waf": "Operations"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787",
+ "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx",
+ "service": "Cognitive Services",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Best Practice",
+ "text": "Leverage FTA HandBook for Cognitive Services",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Cognitive Services",
 "services": [
- "WAF",
- "Entra"
+ "Backup"
 ],
 "severity": "Medium",
- "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
- "waf": "Security"
+ "subcategory": "Backup",
+ "text": "Backup Your Prompts",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
- "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "Front Door",
+ "category": "Operations Management",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Cognitive Services",
 "services": [
- "AzurePolicy",
- "WAF",
- "FrontDoor"
+ "Backup",
+ "ASR"
 ],
 "severity": "High",
- "text": "Deploy your WAF policy for Front Door in 'Prevention' mode.",
- "waf": "Security"
+ "subcategory": "Backup",
+ "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
- "service": "Front Door",
+ "category": "Operations Management",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "325af625-ca44-4e46-a5e2-223ace8bb123",
+ "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations",
+ "service": "Cognitive Services",
 "services": [
- "WAF",
- "FrontDoor",
- "TrafficManager"
+ "Backup"
 ],
- "severity": "High",
- "text": "Avoid combining Azure Traffic Manager and Azure Front Door.",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Backup",
+ "text": "Backup Your ChatGPT conversations",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
- "service": "Front Door",
- "services": [
- "WAF",
- "FrontDoor"
- ],
- "severity": "High",
- "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.",
- "waf": "Security"
+ "category": "Operations Management",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618",
+ "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment",
+ "service": "Cognitive Services",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "DevOps",
+ "text": "CI/CD for custom speech",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
- "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
- "service": "Front Door",
+ "category": "Operations Management",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "3687a046-7a1f-4893-9bda-43324f248116",
+ "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base",
+ "service": "Cognitive Services",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "QnA Service",
+ "text": "Move a knowledge base using export-import",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Azure App Service Review",
+ "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
+ "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "AppSvc"
 ],
 "severity": "Low",
- "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.",
- "waf": "Performance"
+ "subcategory": "High Availability",
+ "text": "Refer to baseline highly available zone-redundant web application architecture for best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
- "service": "Front Door",
+ "category": "BC and DR",
+ "checklist": "Azure App Service Review",
+ "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "AppSvc",
+ "Backup"
 ],
 "severity": "Medium",
- "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.",
+ "subcategory": "High Availability",
+ "text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
- "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
- "service": "Front Door",
+ "category": "BC and DR",
+ "checklist": "Azure App Service Review",
+ "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "AppSvc"
 ],
- "severity": "Low",
- "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.",
- "waf": "Performance"
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "Microsoft.Network/loadBalancers",
- "checklist": "WAF checklist",
- "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
- "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
- "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
- "service": "Load Balancer",
+ "category": "Operations",
+ "checklist": "Azure App Service Review",
+ "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
 "services": [
- "LoadBalancer",
- "WAF"
+ "AppSvc",
+ "Monitor"
+ ],
+ "severity": "Medium",
+ "subcategory": "Monitoring",
+ "text": "Implement health checks",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations",
+ "checklist": "Azure App Service Review",
+ "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup",
+ "service": "App Services",
+ "services": [
+ "AppSvc",
+ "Backup"
 ],
 "severity": "High",
- "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability",
+ "subcategory": "Multi-tenant service",
+ "text": "Refer to backup and restore best practices for Azure App Service",
 "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
- "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
- "service": "Front Door",
+ "category": "BC and DR",
+ "checklist": "Azure App Service Review",
+ "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2",
+ "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability",
+ "service": "App Services",
 "services": [
- "Cost",
- "FrontDoor",
- "WAF",
- "AKV"
+ "AppSvc"
 ],
 "severity": "High",
- "text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.",
- "waf": "Operations"
+ "subcategory": "High Availability",
+ "text": "Implement Azure App Service reliability best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code",
- "service": "Front Door",
+ "category": "BC and DR",
+ "checklist": "Azure App Service Review",
+ "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "AppSvc"
 ],
- "severity": "Medium",
- "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.",
- "waf": "Operations"
+ "severity": "Low",
+ "subcategory": "High Availability",
+ "text": "Familiarize with how to move an App Service app to another region During a disaster",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls",
- "service": "Front Door",
+ "category": "BC and DR",
+ "checklist": "Azure App Service Review",
+ "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "AppSvc"
 ],
 "severity": "High",
- "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.",
- "waf": "Security"
+ "subcategory": "High Availability",
+ "text": "Familiarize with reliability support in Azure App Service",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection",
- "service": "Front Door",
+ "category": "BC and DR",
+ "checklist": "Azure App Service Review",
+ "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "AppSvc"
 ],
 "severity": "Medium",
- "text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.",
- "waf": "Security"
+ "subcategory": "High Availability",
+ "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf",
- "service": "Front Door",
+ "category": "Operations",
+ "checklist": "Azure App Service Review",
+ "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "AppSvc",
+ "Monitor"
 ],
- "severity": "High",
- "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Monitoring",
+ "text": "Monitor App Service instances using Health checks",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf",
- "service": "Front Door",
+ "category": "Operations",
+ "checklist": "Azure App Service Review",
+ "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "AppSvc",
+ "Monitor"
 ],
- "severity": "High",
- "text": "Tune the Azure Front Door WAF for your workload. Reduce false positive detections.",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Monitoring",
+ "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
- "service": "Front Door",
+ "category": "Operations",
+ "checklist": "Azure App Service Review",
+ "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests",
+ "service": "App Services",
 "services": [
- "AzurePolicy",
- "WAF",
- "FrontDoor"
+ "AppSvc",
+ "Monitor"
 ],
- "severity": "High",
- "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Monitoring",
+ "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website",
+ "waf": "Reliability"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets",
- "service": "Front Door",
+ "category": "Security",
+ "checklist": "Azure App Service Review",
+ "description": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.",
+ "guid": "834ac932-223e-4ce8-8b12-3071a5416415",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "AppSvc",
+ "AKV"
 ],
 "severity": "High",
- "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.",
+ "subcategory": "Data Protection",
+ "text": "Use Key Vault to store secrets",
 "waf": "Security"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules",
- "service": "Front Door",
+ "category": "Security",
+ "checklist": "Azure App Service Review",
+ "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.",
+ "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "Entra",
+ "AppSvc",
+ "AKV"
 ],
 "severity": "High",
- "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.",
+ "subcategory": "Data Protection",
+ "text": "Use Managed Identity to connect to Key Vault",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
- "service": "Front Door",
+ "category": "Security",
+ "checklist": "Azure App Service Review",
+ "description": "Store the App Service TLS certificate in Key Vault.",
+ "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "AppSvc",
+ "AKV"
 ],
- "severity": "Medium",
- "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.",
+ "severity": "High",
+ "subcategory": "Data Protection",
+ "text": "Use Key Vault to store TLS certificate.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
- "service": "Front Door",
+ "category": "Security",
+ "checklist": "Azure App Service Review",
+ "description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.",
+ "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "AppSvc",
+ "Subscriptions"
 ],
 "severity": "Medium",
- "text": "Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.",
+ "subcategory": "Data Protection",
+ "text": "Isolate systems that process sensitive information",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
- "service": "Front Door",
+ "category": "Security",
+ "checklist": "Azure App Service Review",
+ "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).",
+ "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a",
+ "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "AppSvc",
+ "TrafficManager"
 ],
 "severity": "Medium",
- "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ",
+ "subcategory": "Data Protection",
+ "text": "Do not store sensitive data on local disk",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
- "service": "Front Door",
+ "category": "Security",
+ "checklist": "Azure App Service Review",
+ "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.",
+ "guid": "919ca0b2-c121-459e-814b-933df574eccc",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization",
+ "service": "App Services",
 "services": [
- "WAF"
+ "Entra",
+ "AppSvc"
 ],
- "severity": "Low",
- "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.",
+ "severity": "Medium",
+ "subcategory": "Identity and Access Control",
+ "text": "Use an established Identity Provider for authentication",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "WAF checklist",
- "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
- "service": "Front Door",
+ "category": "Security",
+ "checklist": "Azure App Service Review",
+ "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. This avoids code that was not version controlled and verified to be deployed from a malicious host.",
+ "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices",
+ "service": "App Services",
 "services": [
- "WAF",
- "FrontDoor"
+ "Entra",
+ "AppSvc"
 ],
- "severity": "Medium",
- "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.",
+ "severity": "High",
+ "subcategory": "Identity and Access Control",
+ "text": "Deploy from a trusted environment",
 "waf": "Security"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "WAF checklist",
- "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
- "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
- "service": "App Gateway",
+ "category": "Security",
+ "checklist": "Azure App Service Review",
+ "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. Note that the SCM site can also be opened using Azure AD credentials.",
+ "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
+ "service": "App Services",
 "services": [
- "AppGW",
- "WAF"
+ "Entra",
+ "AppSvc"
 ],
 "severity": "High",
- "text": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots.",
+ "subcategory": "Identity and Access Control",
+ "text": "Disable basic authentication",
 "waf": "Security"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "WAF checklist",
- "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
- "service": "App Gateway",
+ "category": "Security",
+ "checklist": "Azure App Service Review",
+ "description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.",
+ "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
+ "service": "App Services",
 "services": [
- "AzurePolicy",
- "AppGW",
- "WAF"
+ "Entra",
+ "AppSvc",
+ "AKV"
 ],
 "severity": "High",
- "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.",
+ "subcategory": "Identity and Access Control",
+ "text": "Use Managed Identity to connect to resources",
 "waf": "Security"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "WAF checklist",
- "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
- "service": "App Gateway",
+ "category": "Security",
+ "checklist": "Azure App Service Review",
+ "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.",
+ "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
+ "service": "App Services",
 "services": [
- "AppGW",
- "WAF"
+ "Entra",
+ "AppSvc",
+ "ACR"
 ],
 "severity": "High",
- "text": "Tune the Azure Application Gateway WAF for your workload. Reduce false positive detections.",
+ "subcategory": "Identity and Access Control",
+ "text": "Pull containers using a Managed Identity",
 "waf": "Security"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "WAF checklist",
- "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
- "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "App Gateway",
+ "category": "Security",
+ "checklist": "Azure App Service Review",
+ "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "services": [ - "AzurePolicy", - "AppGW", - "WAF" + "Entra", + "AppSvc", + "Monitor" ], - "severity": "High", - "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", + "severity": "Medium", + "subcategory": "Logging and Monitoring", + "text": "Send App Service runtime logs to Log Analytics", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "services": [ - "AppGW", - "WAF" + "Entra", + "AppSvc", + "Monitor" ], "severity": "Medium", - "text": "Add rate limiting to the Azure Application Gateway WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "subcategory": "Logging and Monitoring", + "text": "Send App Service activity logs to Log Analytics", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. Ensure to monitor the Firewall's logs.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "services": [ - "AppGW", - "WAF" + "NVA", + "Monitor", + "AppSvc", + "VNet", + "Firewall" ], "severity": "Medium", - "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", + "subcategory": "Network Security", + "text": "Outbound network access should be controlled", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. 
This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. (Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", "services": [ - "WAF" + "PrivateLink", + "Storage", + "NVA", + "AppSvc", + "VNet", + "Firewall" ], "severity": "Low", - "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "subcategory": "Network Security", + "text": "Ensure a stable IP for outbound communications towards internet addresses", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. Different access restrictions can be required and configured for the web app itself and the SCM site.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "services": [ - "AppGW", - "WAF" + "PrivateLink", + "AppSvc" ], - "severity": "Medium", - "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "severity": "High", + "subcategory": "Network Security", + "text": "Inbound network access should be controlled", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "services": [ "AppGW", + "FrontDoor", + "Monitor", + "AppSvc", "WAF" ], - "severity": "Medium", - "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", + "severity": "High", + "subcategory": "Network Security", + "text": "Use a WAF in front of App Service", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. 
Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "services": [ - "AppGW", + "PrivateLink", + "AppSvc", "WAF" ], - "severity": "Medium", - "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", - "waf": "Operations" + "severity": "High", + "subcategory": "Network Security", + "text": "Avoid for WAF to be bypassed", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Set minimum TLS policy to 1.2 in App Service configuration.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "services": [ - "WAF", - "FrontDoor" + "AppSvc", + "AzurePolicy" ], "severity": "Medium", - "text": "Add diagnostic settings to save your Azure Front Door WAF logs.", - "waf": "Operations" + "subcategory": "Network Security", + "text": "Set minimum TLS policy to 1.2", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", + "category": "Security", + 
"checklist": "Azure App Service Review", + "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", "services": [ - "Sentinel", - "AppGW", + "AppSvc", "WAF" ], - "severity": "Medium", - "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "severity": "High", + "subcategory": "Network Security", + "text": "Use HTTPS only", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). 
Specifically only allow the origins that you expect to be able to access the service.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", "services": [ - "Sentinel", - "WAF", - "FrontDoor" + "AppSvc", + "Storage" ], - "severity": "Medium", - "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", - "waf": "Operations" + "severity": "High", + "subcategory": "Network Security", + "text": "Wildcards must not be used for CORS", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. Note that the service does turn of remote debugging automatically after 48 hours.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", "services": [ - "AppGW", - "WAF" + "AppSvc" ], - "severity": "Medium", - "text": "Define your Azure Application Gateway WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "severity": "High", + "subcategory": "Network Security", + "text": "Turn off remote debugging", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. Review the recommendations from Defender for App Service as part of your operations.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "services": [ - "AzurePolicy", - "WAF" + "AppSvc", + "Defender" ], "severity": "Medium", - "text": "Use WAF Policies instead of the legacy WAF configuration.", - "waf": "Operations" + "subcategory": "Network Security", + "text": "Enable Defender for Cloud - Defender for App Service", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "services": [ - "ExpressRoute", - "VPN", "AppGW", + "DDoS", + "EventHubs", + "NVA", + "AppSvc", "VNet", "WAF" ], "severity": "Medium", - "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", + "subcategory": "Network Security", + "text": "Enable DDOS Protection Standard on the WAF VNet", "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", - "service": "Front Door", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", "services": [ - "WAF", - "FrontDoor" + "PrivateLink", + "AppSvc", + "VNet", + "ACR" ], "severity": "Medium", - "text": "Make sure your origins only take traffic from your Azure Front Door instance.", + "subcategory": "Network Security", + "text": "Pull containers over a Virtual Network", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": 
"https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", "services": [ - "WAF" + "AppSvc" ], - "severity": "High", - "text": "You should encrypt traffic to the backend servers.", + "severity": "Medium", + "subcategory": "Penetration Testing", + "text": "Conduct a penetration test", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "services": [ - "WAF" + "AppSvc" ], - "severity": "High", - "text": "You should use a Web Application Firewall.", + "severity": "Medium", + "subcategory": "Vulnerability Management", + "text": "Deploy validated code", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure App Service Review", + "description": "Use the latest versions of supported platforms, programming languages, protocols, and 
frameworks.", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", "services": [ - "WAF" + "AppSvc" ], - "severity": "Medium", - "text": "Redirect HTTP to HTTPS", + "severity": "High", + "subcategory": "Vulnerability Management", + "text": "Use up-to-date platforms, languages, protocols and frameworks", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], "severity": "Medium", - "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", - "waf": "Operations" + "subcategory": " Overview", + "text": "Consider the 'Azure security baseline for storage'", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", "services": [ - "WAF" + "PrivateLink", + "Storage" ], "severity": "High", - "text": "Enable connection draining during planned service updates to prevent connection loss to existing membrs of the backend pool", + "subcategory": "Networking", + "text": "Consider using private endpoints for Azure Storage", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "services": [ - "WAF" + "RBAC", + "Storage", + "Subscriptions" ], - "severity": "Low", - "text": "Create custom error pages to display a personalized user experience", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Governance", + "text": "Ensure older storage accounts are not using 'classic deployment model'", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "services": [ - "WAF" + "Storage", + "Defender" ], - "severity": "Medium", - "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", + "severity": "High", + "subcategory": "Governance", + "text": "Enable Microsoft Defender for all of your storage accounts", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "The soft-delete mechanism 
allows to recover accidentally deleted blobs.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "services": [ - "WAF", - "FrontDoor" + "Storage" ], "severity": "Medium", - "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", - "waf": "Performance" + "subcategory": "Data Availability", + "text": "Enable 'soft delete' for blobs", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" ], "severity": "Medium", - "text": "Use transport layer load balancing", - "waf": "Performance" + "subcategory": "Confidentiality", + "text": "Disable 'soft delete' for blobs", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "services": [ - "WAF" + "Storage" + ], + "severity": "High", + "subcategory": "Data Availability", + "text": "Enable 'soft delete' for containers", + "waf": "Security" + }, + { + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "services": [ + "Storage" ], "severity": "Medium", - "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", + "subcategory": "Confidentiality", + "text": "Disable 'soft delete' for containers", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "services": [ - "WAF", - "Entra" + "Storage" ], - "severity": "Medium", - "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", + "severity": "High", + "subcategory": "Data Availability", + "text": "Enable resource locks on storage accounts", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "WAF checklist", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "services": [ - "AppGW", - "WAF" + "Storage", + "Subscriptions", + "AzurePolicy" ], - "severity": "Low", - "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", + "severity": "High", + "subcategory": "Data Availability, Compliance", + "text": "Consider immutable blobs", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", + "category": "Security", + "checklist": "Azure Storage Review Checklist", + "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", "services": [ - "WAF", - "Entra" + "Storage" ], - "severity": "Medium", - "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", - "waf": "Reliability" + "severity": "High", + "subcategory": "Networking", + "text": "Require HTTPS, i.e. 
disable port 80 on the storage account",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
- "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
- "service": "AAD B2C",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.",
+ "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name",
+ "service": "Azure Storage",
 "services": [
- "WAF"
+ "Storage"
 ],
- "severity": "Medium",
- "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Networking",
+ "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
- "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
- "service": "AAD B2C",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.",
+ "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview",
+ "service": "Azure Storage",
 "services": [
- "WAF"
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Custom brand assets should be hosted on a CDN",
- "waf": "Performance"
+ "subcategory": "Networking",
+ "text": "Limit 
shared access signature (SAS) tokens to HTTPS connections only",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
- "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
- "service": "AAD B2C",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "AAD tokens should be favored over shared access signatures, wherever possible",
+ "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
+ "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
+ "service": "Azure Storage",
 "services": [
- "WAF"
+ "Entra",
+ "Storage"
 ],
- "severity": "Low",
- "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Identity and Access Management",
+ "text": "Use Azure Active Directory (Azure AD) tokens for blob access",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data.",
+ "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
+ "service": "Azure Storage",
 "services": [
- "WAF",
- "VM"
+ "Entra",
+ "RBAC",
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)",
- "waf": "Reliability"
+ "subcategory": "Identity and Access Management",
+ "text": "Least privilege in IaM permissions",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. ",
+ "guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
+ "service": "Azure Storage",
 "services": [
- "WAF"
+ "Entra",
+ "Storage"
 ],
- "severity": "Medium",
- "text": "Don't replicate! 
Replication can create issues with directory synchronization",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Identity and Access Management",
+ "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. ",
+ "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
+ "service": "Azure Storage",
 "services": [
- "WAF"
+ "Entra",
+ "AKV",
+ "Storage",
+ "Monitor"
 ],
- "severity": "Medium",
- "text": "Have active-active for multi-regions",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Identity and Access Management",
+ "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).",
+ "guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
+ "service": "Azure Storage",
 "services": [
- "WAF",
- "Entra"
+ "AKV",
+ "Storage",
+ "AzurePolicy",
+ "Monitor"
 ],
- "severity": "Medium",
- "text": "Add Azure AD Domain service stamps to additional regions and locations",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Monitoring",
+ "text": "Consider using Azure Monitor to audit control plane operations on the storage account",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.",
+ "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
+ "service": "Azure Storage",
 "services": [
- "WAF"
+ "Entra",
+ "AKV",
+ "Storage",
+ "AzurePolicy"
 ],
 "severity": "Medium",
- "text": "Use Replica Sets for DR",
- "waf": "Reliability"
+ "subcategory": "Identity and Access Management",
+ "text": "When using storage account keys, consider enabling a 'key expiration policy'",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "WAF checklist",
- "description": "Azure Service Bus Premium provides encryption of data at rest. 
If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ",
- "guid": "87af4a79-1f89-439b-ba47-768e14c11567",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key",
- "service": "Service Bus",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.",
+ "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
+ "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
+ "service": "Azure Storage",
 "services": [
- "ServiceBus",
- "WAF"
+ "Entra",
+ "Storage",
+ "AzurePolicy"
 ],
- "severity": "Low",
- "text": "Use customer-managed key option in data at rest encryption when required",
- "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "severity": "Medium",
+ "subcategory": "Identity and Access Management",
+ "text": "Consider configuring an SAS expiration policy",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "WAF checklist",
- "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.",
- "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version",
- "service": "Service Bus",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
+ "service": "Azure Storage",
 "services": [
- "ServiceBus",
- "WAF"
+ "Entra",
+ "AKV",
+ "Storage",
+ "AzurePolicy"
 ],
 "severity": "Medium",
- "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ",
- "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "subcategory": "Identity and Access Management",
+ "text": "Consider linking SAS to a stored access policy",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "WAF checklist",
- "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
",
- "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
- "service": "Service Bus",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
+ "service": "Azure Storage",
 "services": [
- "AzurePolicy",
- "Entra",
- "RBAC",
- "TrafficManager",
- "ServiceBus",
- "WAF"
+ "AKV",
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Avoid using root account when it is not necessary",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
+ "subcategory": "CI/CD",
+ "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "WAF checklist",
- "description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. ",
- "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity",
- "service": "Service Bus",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
+ "service": "Azure Storage",
 "services": [
- "AKV",
- "Storage",
- "VM",
 "Entra",
- "ServiceBus",
- "WAF",
- "AppSvc"
+ "Storage"
 ],
- "severity": "Medium",
- "text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "severity": "High",
+ "subcategory": "Identity and Access Management",
+ "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "WAF checklist",
- "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. ",
- "guid": "f615658d-e558-4f93-9249-b831112dbd7e",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus",
- "service": "Service Bus",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.",
+ "guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
+ "service": "Azure Storage",
 "services": [
- "RBAC",
+ "Entra",
 "Storage",
- "ServiceBus",
- "WAF",
- "Subscriptions"
+ "AzurePolicy"
 ],
 "severity": "High",
- "text": "Use least privilege data plane RBAC",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "subcategory": "Identity and Access Management",
+ "text": "Strive for short validity periods for ad-hoc SAS",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "WAF checklist",
- "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.",
- "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
- "service": "Service Bus",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.",
+ "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
+ "service": "Azure Storage",
 "services": [
- "ServiceBus",
- "Monitor",
- "WAF",
- "VNet"
+ "Entra",
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Enable logging for security investigation. 
Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "subcategory": "Identity and Access Management",
+ "text": "Apply a narrow scope to a SAS",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "WAF checklist",
- "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ",
- "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
- "service": "Service Bus",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
",
+ "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
+ "service": "Azure Storage",
 "services": [
- "ServiceBus",
- "WAF",
- "VNet",
- "PrivateLink"
+ "Entra",
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "subcategory": "Identity and Access Management",
+ "text": "Consider scoping SAS to a specific client IP address, wherever possible",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.ServiceBus/namespaces",
- "checklist": "WAF checklist",
- "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ",
- "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a",
- "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering",
- "service": "Service Bus",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.",
+ "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
+ "service": "Azure Storage",
 "services": [
- "ServiceBus",
- "WAF"
+ "Entra",
+ "Storage"
 ],
- "severity": "Medium",
- "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "severity": "Low",
+ "subcategory": "Identity and Access Management",
+ "text": "Consider checking uploaded data, after clients used a SAS to upload a file. 
",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "WAF checklist",
- "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
- "service": "IoT Hub DPS",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint",
+ "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
+ "service": "Azure Storage",
 "services": [
- "WAF"
+ "Entra",
+ "RBAC",
+ "Storage"
 ],
 "severity": "High",
- "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
- "waf": "Reliability"
+ "subcategory": "Identity and Access Management",
+ "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "WAF checklist",
- "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "IoT Hub DPS",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
+ "service": "Azure Storage",
 "services": [
- "WAF"
+ "Entra",
+ "Storage"
 ],
- "severity": "High",
- "text": "Protect logic apps from region 
failures with zone redundancy and availability zones",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Identity and Access Management",
+ "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "WAF checklist",
- "guid": "8aed4fbf-0830-4883-899d-222a154af478",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "IoT Hub DPS",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.",
+ "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
+ "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
+ "service": "Azure Storage",
 "services": [
- "WAF"
+ "Storage",
+ "AzurePolicy"
 ],
 "severity": "High",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "subcategory": "Networking",
+ "text": "Avoid overly broad CORS policies",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "WAF checklist",
- "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "IoT Hub DPS",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. 
Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.",
+ "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
+ "service": "Azure Storage",
 "services": [
- "WAF",
- "AppSvc"
+ "Storage"
 ],
 "severity": "High",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
- "waf": "Reliability"
+ "subcategory": "Confidentiality and Encryption",
+ "text": "Determine how data at rest should be encrypted. Understand the thread model for data.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "WAF checklist",
- "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "IoT Hub DPS",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
+ "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
+ "service": "Azure Storage",
 "services": [
- "WAF"
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
- "waf": "Operations"
+ "subcategory": "Confidentiality and Encryption",
+ "text": "Determine which/if platform encryption should be used.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachineScaleSets",
- "checklist": "WAF checklist",
- "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your 
scale set.",
- "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c",
- "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs",
- "service": "VMSS",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
+ "service": "Azure Storage",
 "services": [
- "WAF",
- "VM"
+ "Storage"
 ],
- "severity": "Low",
- "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Confidentiality and Encryption",
+ "text": "Determine which/if client-side encryption should be used.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "WAF checklist",
- "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).",
- "guid": "4d874a74-8b66-42d6-b150-512a66498f6d",
- "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction",
- "service": "VM",
+ "category": "Security",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.",
+ "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
+ "service": "Azure Storage",
 "services": [
- "WAF",
- "Backup",
- "VM"
+ "Entra",
+ "Storage"
 ],
 "severity": "High",
- "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs",
- "waf": "Reliability"
+ "subcategory": "Identity and Access Management",
+ "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. ",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "WAF checklist",
- "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%",
- "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4",
- "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
- "service": "VM",
+ "category": "Operations Management",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal",
+ "service": "Azure Storage",
 "services": [
- "WAF",
- "VM"
+ "Storage"
 ],
 "severity": "High",
- "text": "Use Premium or Ultra disks for production VMs",
+ "subcategory": "Platform Version",
+ "text": "Leverage a storagev2 account type for better performance and reliability",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "WAF checklist",
- "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.",
- "guid": "b31e38c3-f298-412b-8363-cffe179b599d",
- "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview",
- "service": "VM",
+ "category": "BC and DR",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "e05bbe20-9d49-4fda-9777-8424d116785c",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Azure Storage",
 "services": [
- "WAF",
- "VM"
+ "Storage"
 ],
 "severity": "High",
- "text": "Ensure Managed Disks are used for all VMs",
+ "subcategory": "Availablity",
+ "text": "Leverage GRS, ZRS or GZRS storage for the highest availability",
 "waf": "Reliability"
 },
 {
- 
"arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "WAF checklist",
- "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.",
- "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4",
- "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk",
- "service": "VM",
+ "category": "BC and DR",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "2fa56c56-ad48-4408-be72-734c486ba280",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance",
+ "service": "Azure Storage",
 "services": [
- "Storage",
- "WAF",
- "SQL",
- "VM"
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Do not use the Temp disk for anything that is not acceptable to be lost",
+ "subcategory": "Failover",
+ "text": "For write operation after failover, use customer-Managed Failover ",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "WAF checklist",
- "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.",
- "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e",
- "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
- "service": "VM",
+ "category": "Operations Management",
+ "checklist": "Azure Storage Review Checklist",
+ "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover",
+ "service": "Azure Storage",
 "services": [
- "Storage",
- "ACR",
- "WAF",
- "VM"
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Leverage Availability Zones for your VMs in regions where they are supported",
+ "subcategory": "Failover",
+ 
"text": "Understand Microsoft-Managed Failover details", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", - "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "VM", + "category": "Operations Management", + "checklist": "Azure Storage Review Checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Azure Storage", "services": [ - "WAF", - "VM" + "Storage" ], "severity": "Medium", - "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", + "subcategory": "Data Protection", + "text": "Enable Soft Delete", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", - "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", "services": [ - "WAF", - "VM", - "ASR" + "EventHubs" ], - "severity": "High", - "text": "Avoid running a production workload on a single VM", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Data Protection", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", - "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "services": [ - "AVS", - "WAF", - "VM", - "ASR" + "EventHubs" ], - "severity": "High", - "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Data Protection", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", - "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", - "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", - "service": "VM", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "services": [ - "WAF" + "Entra", + "AzurePolicy", + "RBAC", + "TrafficManager", + "EventHubs" ], - "severity": "Low", - "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity and Access Management", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", - "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", - "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", - "service": "VM", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. 
", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "services": [ - "WAF", + "Entra", + "AKV", + "Storage", "VM", - "ASR" + "EventHubs" ], "severity": "Medium", - "text": "Increase quotas in DR region before testing failover with ASR", - "waf": "Reliability" + "subcategory": "Identity and Access Management", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", - "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", - "service": "VM", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. 
consumer group, event hub entity, event hub namespaces, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "services": [ - "WAF", - "VM" + "Entra", + "EventHubs", + "RBAC" ], - "severity": "Low", - "text": "Utilize Scheduled Events to prepare for VM maintenance", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity and Access Management", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", - "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. 
Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "services": [ - "Storage", - "WAF" + "EventHubs", + "VNet", + "Monitor" ], "severity": "Medium", - "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", - "waf": "Reliability" + "subcategory": "Monitoring", + "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", - "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "services": [ - "Storage", - "WAF" + "PrivateLink", + "EventHubs", + "VNet" ], - "severity": "Low", - "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Networking", + "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", - "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "category": "Security", + "checklist": "Azure Event Hub Review", + "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "services": [ - "Storage", - "WAF" + "EventHubs" ], - "severity": "Low", - "text": "Enable soft delete for Storage Account Containers", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Networking", + "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", - "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "services": [ - "Storage", - "WAF" + "EventHubs" ], - "severity": "Low", - "text": "Enable soft delete for blobs", + "severity": "Medium", + "subcategory": "Best Practices", + "text": "Leverage FTA Resillency HandBook", "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", - "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", - "link": 
"https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "service": "Azure Backup", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. Both the EH metadata and the event data itself are replicated across zones", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "services": [ - "WAF", - "Backup" + "EventHubs", + "ACR" ], - "severity": "Medium", - "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", + "severity": "High", + "subcategory": "Zone Redudancy", + "text": "Leverage Availability Zones if regionally applicable", "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", - "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", - "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", - "service": "Azure Backup", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "services": [ - "WAF", - "Backup" + "EventHubs" ], - "severity": "Low", - "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", + "severity": "Medium", + "subcategory": "Best Practices", + "text": "Use the Premium or Dedicated SKUs for 
predicable performance", "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", - "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", - "service": "Azure Backup", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. 
Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "services": [ - "Storage", - "WAF", - "Backup" + "EventHubs", + "ASR" ], - "severity": "Low", - "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", + "severity": "High", + "subcategory": "Geo Redudancy", + "text": "Plan for Geo Disaster Recovery using Active Passive configuration", "waf": "Reliability" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "WAF checklist", - "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", - "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", - "service": "DNS", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "services": [ - "DNS", - "ACR", - "WAF", + "EventHubs", "ASR" ], - "severity": "Low", - "text": "Implement DNS Failover using Azure DNS Private Resolvers", + "severity": "Medium", + "subcategory": "Geo Redudancy", + "text": "For Business Critical Applications, use Active Active configuration", "waf": "Reliability" }, { - "arm-service": "Microsoft.PowerBI/gateways", - "checklist": "WAF checklist", - "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", - "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", - "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", - "service": "Data Gateways", + "category": "Operations Management", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "services": [ - "ACR", - "WAF" + "EventHubs" ], "severity": "Medium", - "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", + "subcategory": "Reliability", + "text": "Design Resilient Event Hubs", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. 
The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", - "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", "services": [ - "WAF", - "NVA" + "AKV", + "FrontDoor" ], - "severity": "High", - "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Front Door", + "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal", + "waf": "Operations" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", - "service": "CosmosDB", - "services": [ - "WAF" - ], + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "b71ca41b-3a80-48f3-a6cd-22cdf197c1cf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "services": [], "severity": "Medium", - "text": "FTA Resiliency Playbook", - "waf": "Reliability" + "subcategory": "App delivery", + "text": "Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).", + "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", "services": [ - "WAF" + "AppGW" ], - "severity": "High", - "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Ensure you are using Application Gateway v2 SKU", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", - "service": "CosmosDB", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", "services": [ - "WAF" + "LoadBalancer" ], "severity": "Medium", - "text": "Run multiple replicas of the database (>1 ) in Prod", - "waf": 
"Reliability" + "subcategory": "Load Balancer", + "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", - "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", - "service": "CosmosDB", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", "services": [ - "ACR", - "WAF" + "LoadBalancer" ], "severity": "Medium", - "text": "Leverage Multi-Region Writes", - "waf": "Reliability" + "subcategory": "Load Balancer", + "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "Span Cosmos account across two or more regions with multi-region writes", - "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", - "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", - "service": "CosmosDB", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | 
project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", "services": [ - "ACR", - "WAF" + "VNet", + "AppGW" ], "severity": "Medium", - "text": "Distribute your data globally", - "waf": "Reliability" + "subcategory": "App Gateway", + "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", - "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", - "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", - "service": "CosmosDB", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. 
Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "services": [ + "Entra", + "AppGW", + "Subscriptions", + "NVA", + "VNet", "WAF" ], - "severity": "High", - "text": "Choose from several well-defined consistency models", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. 
By using this API, you can carry out regular business continuity drills.", - "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", - "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", - "service": "CosmosDB", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "services": [ - "WAF", - "CosmosDB" + "DDoS" ], "severity": "Medium", - "text": "Enable Service managed failover", + "subcategory": "App Gateway", + "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", + "services": [], + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Configure autoscaling with a minimum amount of instances of two.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.", - "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", - "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", - "service": "CosmosDB", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", "services": [ - "Storage", - "WAF", - "Backup", - "CosmosDB" + "AppGW", + "ACR" ], "severity": "Medium", - "text": "Enable Automatic Backups", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "subcategory": "App Gateway", + "text": "Deploy Application Gateway across Availability Zones", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.", - "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", - "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", - "service": "CosmosDB", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", "services": [ "WAF", - "Backup" + "AzurePolicy", + "FrontDoor" ], "severity": "Medium", - "text": "Perform Periodic Backups", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Reliability" + "subcategory": "Front Door", + "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "microsoft.documentdb/databaseAccounts", - "checklist": "WAF checklist", - "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", - "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", - "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", - "service": "CosmosDB", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", "services": [ + "AppGW", "WAF", - "Backup", - "CosmosDB" + "AzurePolicy", + "FrontDoor" ], "severity": "Medium", - "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Reliability" + "subcategory": "App delivery", + "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", "services": [ - "WAF" + "TrafficManager" ], "severity": "High", - "text": "Follow Metaprompting guardrails for resonsible AI", - "waf": "Operational Excellence" + "subcategory": "Traffic Manager", + "text": "Use Traffic Manager to 
deliver global apps that span protocols other than HTTP/S.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "services": [ - "APIM", - "WAF", - "Entra" + "Entra", + "AVD" ], - "severity": "High", - "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", - "waf": "Operational Excellence" + "severity": "Low", + "subcategory": "App delivery", + "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "services": [ - "Monitor", - "WAF" + "Entra" ], - "severity": "High", - 
"text": "Enable monitoring for your AOAI instances", - "waf": "Operational Excellence" + "severity": "Medium", + "subcategory": "App delivery", + "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", "services": [ - "Monitor", "WAF", - "AKV", - "Subscriptions" + "AzurePolicy", + "FrontDoor" ], "severity": "High", - "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of 
errors exceeding 10 in an hour", - "waf": "Operational Excellence" + "subcategory": "Front Door", + "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", "services": [ - "Monitor", - "WAF" + "TrafficManager", + "FrontDoor" ], "severity": "High", - "text": "Monitor token usage to prevent service disruptions due to capacity", - "waf": "Operational Excellence" + "subcategory": "Front Door", + "text": "Avoid combining Azure Traffic Manager and Azure Front Door.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", "services": [ - "Monitor", - "WAF" + "FrontDoor" ], - "severity": "Medium", - "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", - "waf": "Operational Excellence" + 
"severity": "High", + "subcategory": "Front Door", + "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", "services": [ - "APIM", - "WAF" + "FrontDoor" ], "severity": "Low", - "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", - "waf": "Operational Excellence" + "subcategory": "Front Door", + "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", + "waf": "Performance" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", "services": [ - "WAF" + "FrontDoor" ], - "severity": "High", - "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", - "waf": "Operational Excellence" + "severity": "Medium", + "subcategory": "Front Door", + "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", "services": [ - "WAF", - "Entra" + "FrontDoor" ], - "severity": "High", - "text": "Use Microsoft Entra Authentication with Managed Identity instead 
of API Key", - "waf": "Security" + "severity": "Low", + "subcategory": "Front Door", + "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", "services": [ - "WAF" + "LoadBalancer" ], "severity": "High", - "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. 
Leverage capabilities in PromptFlow for Evaluation.", - "waf": "Operational Excellence" + "subcategory": "Load Balancer", + "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", "services": [ - "WAF" + "AKV", + "Cost", + "FrontDoor" ], "severity": "High", - "text": "Evaluate usage of Provisioned throughput model ", - "waf": "Performance" + "subcategory": "Front Door", + "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", "services": [ + "FrontDoor", "WAF" ], - "severity": "High", - "text": "Review and implement Azure AI content safety", - "waf": "Operational Excellence" + "severity": "Medium", + "subcategory": "Front Door", + "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", "services": [ - "WAF" + "FrontDoor" ], "severity": "High", - "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": 
"41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "Azure OpenAI", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Improve latency of the system by limiting token sizes, streaming options", - "waf": "Performance" + "subcategory": "Front Door", + "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", "services": [ - "ServiceBus", - "Storage", - "WAF" + "FrontDoor" ], "severity": "Medium", - "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", - "waf": "Performance" + "subcategory": "Front Door", + "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", "services": [ + "FrontDoor", "WAF" ], "severity": "High", - "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", - "waf": "Performance" + "subcategory": "Front Door", + "text": "Enable the Azure Front Door WAF. 
Protect your application from a range of attacks.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", "services": [ + "FrontDoor", "WAF" ], "severity": "High", - "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity", - "waf": "Performance" + "subcategory": "Front Door", + "text": "Tune the Azure Front Door WAF for your workload by configuring the WAF in Detection mode to reduce and fix false positive detections.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", "services": [ - "WAF" + "WAF", + "AzurePolicy", + "FrontDoor" ], - "severity": "Medium", - "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance", - "waf": "Performance" + "severity": "High", + "subcategory": "Front Door", + "text": "Enable request body inspection feature 
enabled in Azure Front Door WAF policy.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", "services": [ - "ACR", + "FrontDoor", "WAF" ], - "severity": "Low", - "text": "Deploy multiple OAI instances across regions", - "waf": "Reliability" + "severity": "High", + "subcategory": "Front Door", + "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", "services": [ - "APIM", - "WAF", - "Entra" + "FrontDoor", + "WAF" ], "severity": "High", - "text": "Implement retry & healthchecks with Gateway pattern like APIM", - "waf": "Reliability" + "subcategory": "Front Door", + "text": "Enable the Azure Front Door WAF bot protection rule set. 
The bot rules detect good and bad bots.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", "services": [ + "FrontDoor", "WAF" ], "severity": "Medium", - "text": "Ensure having adequate quotas of TPM & RPM for the workload", - "waf": "Reliability" + "subcategory": "Front Door", + "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", "services": [ + "FrontDoor", "WAF" ], "severity": "Medium", - "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", - "waf": "Operational Excellence" + "subcategory": "Front Door", + "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", "services": [ - "ACR", + "FrontDoor", "WAF" ], "severity": "Medium", - "text": "Deploy separate fine tuned models across regions if finetuning is employed", - "waf": "Reliability" + "subcategory": "Front Door", + "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", "services": [ - "WAF", - "Backup", - "ASR" + "FrontDoor" ], - "severity": "Medium", - "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Front Door", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", "services": [ + "FrontDoor", "WAF" ], - "severity": "High", - "text": "Azure AI search service tiers should be choosen to have a SLA ", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Front Door", + "text": "Specify the unknown (ZZ) location when 
geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", "services": [ + "AppGW", "WAF" ], - "severity": "Low", - "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification", + "severity": "High", + "subcategory": "App Gateway", + "text": "Enable the Azure Application Gateway WAF bot protection rule set. 
The bot rules detect good and bad bots.", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", "services": [ + "AppGW", + "AzurePolicy", "WAF" ], "severity": "High", - "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK", + "subcategory": "App Gateway", + "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", "services": [ - "ACR", + "AppGW", "WAF" ], "severity": "High", - "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication", + "subcategory": "App Gateway", + "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. 
Reduce false positive detections.", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "ammp": true, + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "App Gateway", "services": [ - "RBAC", + "AppGW", + "AzurePolicy", "WAF" ], "severity": "High", - "text": "Use RBAC to manage access to Azure OpenAI services. 
Assign appropriate permissions to users and restrict access based on their roles and responsibilities", + "subcategory": "App Gateway", + "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", "services": [ + "AppGW", "WAF" ], "severity": "Medium", - "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes", + "subcategory": "App Gateway", + "text": "Add rate limiting to the Azure Application Gateway WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", "services": [ - "Sentinel", - "Monitor", - "WAF", - "Defender" + "AppGW", + "WAF" ], - "severity": "High", - "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response", + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. 
", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "services": [], + "severity": "Low", + "subcategory": "App Gateway", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "waf": "Security" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "services": [ - "AzurePolicy", + "AppGW", "WAF" ], "severity": "Medium", - "text": "Establish data retention and disposal policies to adhere to compliance regulations. Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities", + "subcategory": "App Gateway", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. 
Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", "services": [ + "AppGW", "WAF" ], - "severity": "High", - "text": "Implement Prompt shields and groundedness detection using Content Safety ", - "waf": "Operational Excellence" + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", "services": [ + "AppGW", "WAF" ], - "severity": "High", - "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.", - "waf": "Security" + "severity": "Medium", + "subcategory": "App 
Gateway", + "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", "services": [ + "FrontDoor", "WAF" ], "severity": "Medium", - "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.", - "waf": "Security" + "subcategory": "Front Door", + "text": "Add diagnostic settings to save your Azure Front Door WAF logs.", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", "services": [ + "Sentinel", + "AppGW", "WAF" ], - "severity": "High", - "text": "Keep production data separate from development and testing data. 
Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.", - "waf": "Security" + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", "services": [ + "Sentinel", + "FrontDoor", "WAF" ], "severity": "Medium", - "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols", - "waf": "Security" + "subcategory": "Front Door", + "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", "services": [ - "RBAC", - "AzurePolicy", + "AppGW", "WAF" ], "severity": "Medium", - "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. 
Each instance can be controlled with its own specific set of RBAC policies", - "waf": "Security" + "subcategory": "App Gateway", + "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", "services": [ + "AzurePolicy", "WAF" ], - "severity": "High", - "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. This data should be afforded the same protective measures as the source material", - "waf": "Security" + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Use WAF Policies instead of the legacy WAF configuration.", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", "services": [ - "RBAC", - "WAF" + "VPN", + "VNet", + "AppGW", + "ExpressRoute" ], - "severity": "High", - "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements", + "severity": "Medium", 
+ "subcategory": "App Gateway", + "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", + "service": "Front Door", "services": [ - "WAF", - "PrivateLink" + "FrontDoor" ], - "severity": "High", - "text": "Configure private endpoint for AI services to restrict service access within your network", + "severity": "Medium", + "subcategory": "Front Door", + "text": "Make sure your origins only take traffic from your Azure Front Door instance.", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", - "services": [ - "WAF", - "VNet", - "Firewall" - ], + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", + "services": [], "severity": "High", - "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points", + "subcategory": "App Gateway", + "text": "You should encrypt traffic to the backend servers.", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - 
"checklist": "WAF checklist", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", "services": [ "WAF" ], "severity": "High", - "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement", + "subcategory": "App Gateway", + "text": "You should use a Web Application Firewall.", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", - "services": [ - "WAF" - ], + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", + "services": [], "severity": "Medium", - "text": "Use prompt compression tools like LLMLingua or gprtrim", - "waf": "Cost Optimization" + "subcategory": "App Gateway", + "text": "Redirect HTTP to HTTPS", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "services": [ - "WAF", - "AKV", - "Entra" - ], + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": 
"https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", + "services": [], + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", + "waf": "Operations" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", + "services": [], "severity": "High", - "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", + "subcategory": "App Gateway", + "text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool", + "waf": "Security" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "services": [], + "severity": "Low", + "subcategory": "App Gateway", + "text": "Create custom error pages to display a personalized user experience", + "waf": "Operations" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", + "services": [], + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Edit HTTP requests and response headers for easier routing and information exchange 
between the client and server", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", "services": [ - "WAF" + "FrontDoor" ], "severity": "Medium", - "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", - "waf": "Security" + "subcategory": "App Gateway", + "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", - "services": [ - "Monitor", - "WAF" - ], + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", + "services": [], "severity": "Medium", - "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. 
Enable logging to capture network events and facilitate forensic analysis in case of security incidents", + "subcategory": "App Gateway", + "text": "Use transport layer load balancing", + "waf": "Performance" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", + "services": [], + "severity": "Medium", + "subcategory": "App Gateway", + "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", "services": [ - "WAF" + "Entra" ], "severity": "Medium", - "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", + "subcategory": "App Gateway", + "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", + "category": "Network Topology and Connectivity", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": 
"https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", "services": [ - "WAF" + "AppGW" ], "severity": "Low", - "text": "Azure AI Services are properly tagged for better management", - "waf": "Operational Excellence" + "subcategory": "App Gateway", + "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", - "services": [ - "WAF" - ], - "severity": "Low", - "text": "Azure AI Service accounts follows organizational naming conventions", - "waf": "Operational Excellence" + "category": "BC and DR", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", - "services": [ - "WAF" - ], + "category": "BC and DR", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "services": [], "severity": "High", - "text": "Diagnostic logs in Azure AI services resources should be enabled", - "waf": "Operational 
Excellence" + "subcategory": "High Availability", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", - "services": [ - "WAF", - "Entra" - ], + "category": "BC and DR", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "services": [], "severity": "High", - "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ", - "waf": "Security" + "subcategory": "High Availability", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", + "category": "BC and DR", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", "services": [ - "WAF", - "AKV", - "Entra" + "AppSvc" ], "severity": "High", - "text": "Store and manage keys securely using Azure Key Vault. 
Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", - "waf": "Security" + "subcategory": "High Availability", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "services": [ - "WAF", - "AKV" - ], + "category": "Application Deployment", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", + "services": [], + "severity": "Medium", + "subcategory": "CI/CD", + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" + }, + { + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "65285269-440c-44be-9d3e-0844276d4bdc", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foudations-playbooks-ADB_v1.docx", + "services": [], "severity": "High", - "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Reference Databricks HA/DR playbook", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "WAF checklist", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "Azure OpenAI", + "category": "Operations Management", + "checklist": "DataBricks Review Checklist", + "guid": "89d558b9-37d3-4974-b111-2dbd7aaf12e6", + "link": 
"https://learn.microsoft.com/azure/databricks/security/secrets/secret-scopes",
 "services": [
- "WAF"
+ "Backup"
 ],
- "severity": "High",
- "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode",
- "waf": "Cost Optimization"
+ "severity": "Medium",
+ "subcategory": "Backup",
+ "text": "Backup Your Workspace Configuration including ARM templates and Secret Scopes",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
- "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
- "service": "Azure OpenAI",
+ "category": "Operations Management",
+ "checklist": "DataBricks Review Checklist",
+ "guid": "b94ee5ef-47d2-4d92-a81b-1cd6d1f54b29",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/sharing-metadata-across-different-databricks-workspaces-using/ba-p/3679757",
 "services": [
- "WAF"
+ "Backup",
+ "ACR"
 ],
- "severity": "High",
- "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Backup",
+ "text": "Share MetaData Across different Databricks Workspaces using Hive External Metastore",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
- "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
- "service": "Azure OpenAI",
+ "category": "Operations Management",
+ "checklist": "DataBricks Review Checklist",
+ "guid": "769e3969-0e78-428a-a936-657d03b0f466",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/disaster-recovery-strategy-in-azure-databricks-using-the-hive/ba-p/3684581",
 "services": [
- "WAF"
+ "Backup",
+ "ASR"
 ],
- "severity": "High",
- "text": "Setup a process to regularly update and patch the LLM libraries and other system components",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Backup",
+ "text": "Plan Disaster Recovery Strategy in Databricks using the Hive External Metastore",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "e29711b1-352b-4eee-879b-588defc4972c",
- "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
- "service": "Azure OpenAI",
+ "category": "Operations Management",
+ "checklist": "DataBricks Review Checklist",
+ "guid": "4b1d944a-3598-437e-b79d-6c6d3a364a5b",
+ "link": "https://www.databricks.com/blog/2021/04/20/attack-of-the-delta-clones-against-disaster-recovery-availability-complexity.html",
 "services": [
- "AzurePolicy",
- "WAF"
+ "Backup"
 ],
- "severity": "High",
- "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases",
- "waf": "Operational Excellence"
+ "severity": "Medium",
+ "subcategory": "Backup",
+ "text": "Backup your data with deep and shallow clones",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
- "service": "Azure OpenAI",
+ "category": "Operations Management",
+ "checklist": "DataBricks Review Checklist",
+ "description": "Download the blob using Secondary Endpoint in RAGRS Storage Account",
+ "guid": "7abae48a-bd54-4cd7-ae2e-86768357c559",
+ "link": "https://techcommunity.microsoft.com/t5/azure-paas-blog/download-the-blob-using-secondary-endpoint-in-ragrs-storage/ba-p/2403750",
 "services": [
- "Cost",
- "WAF"
+ "Storage",
+ "Backup"
 ],
 "severity": "Medium",
- "text": "Understand difference in cost of base models and fine tuned models and token step sizes",
- "waf": "Cost Optimization"
+ "subcategory": "Backup",
+ "text": "Backup your data to Azure Storage RA-GRS",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
- "service": "Azure OpenAI",
+ "category": "Operations Management",
+ "checklist": "DataBricks Review Checklist",
+ "guid": "675c5ee8-5b85-49c7-944c-e3b1a28b875a",
+ "link": "https://learn.microsoft.com/azure/databricks/dev-tools/index-ci-cd",
 "services": [
- "Cost",
- "WAF"
+ "Backup"
 ],
 "severity": "High",
- "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size",
- "waf": "Cost Optimization"
+ "subcategory": "Backup",
+ "text": "Backup your code with DevOps",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
- "service": "Azure OpenAI",
+ "category": "Operations Management",
+ "checklist": "DataBricks Review Checklist",
+ "guid": "a1bf1038-9f03-4a4d-8ce4-63dbbbc8682a",
+ "link": "https://learn.microsoft.com/azure/databricks/administration-guide/disaster-recovery",
 "services": [
- "Cost",
- "Monitor",
- "WAF"
+ "ASR"
 ],
- "severity": "Medium",
- "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes",
- "waf": "Cost Optimization"
+ "severity": "High",
+ "subcategory": "Disaster Recovery",
+ "text": "Plan for Disaster recovery using Active/Active or Active/Passive Configuration",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "166cd072-af9b-4141-a898-a535e737897e",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
- "service": "Azure OpenAI",
+ "category": "Operations Management",
+ "checklist": "DataBricks Review Checklist",
+ "description": "Migration package to log all Databricks resources for backup and/or migrating to another Databricks workspace",
+ "guid": "5abc92a4-eda1-4dae-8cc8-5c47c6b781cc",
+ "link": "https://github.com/databrickslabs/migrate",
 "services": [
- "WAF"
+ "Backup"
 ],
 "severity": "Medium",
- "text": "Set a maximum limit on the number of tokens per model response. Optimize the size to ensure it is large enough for a valid response",
- "waf": "Cost Optimization"
+ "subcategory": "Migration",
+ "text": "Use Databricks Migration tools",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
- "link": "https://learn.microsoft.com/azure/search/search-reliability",
- "service": "Azure OpenAI",
+ "category": "Operations Management",
+ "checklist": "DataBricks Review Checklist",
+ "guid": "a0e6c465-89d5-458b-a37d-3974d1112dbd",
+ "link": "https://github.com/databrickslabs/databricks-sync",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "Migration",
+ "text": "Use Databricks Sync",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Identity and Access Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "d7e47431-76c8-4bdb-b55b-ce619e8a03f9",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-create-service-principal?pivots=aro-azurecli",
 "services": [
- "WAF"
+ "Entra",
+ "RBAC"
 ],
- "severity": "Medium",
- "text": "Review the guidance provided on setting up AI search for Reliability",
- "waf": "Operational Excellence"
+ "severity": "High",
+ "subcategory": "Identity",
+ "text": "Create a service principal and its role assignments before creating the ARO clusters.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde",
- "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota",
- "service": "Azure OpenAI",
+ "category": "Identity and Access Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "7879424d-6267-486d-90b9-6c97be985190",
+ "link": "https://learn.microsoft.com/azure/openshift/configure-azure-ad-ui",
 "services": [
- "Storage",
- "WAF"
+ "Entra"
 ],
- "severity": "Medium",
- "text": "Plan and manage AI Search Vector storage",
- "waf": "Operational Excellence"
+ "severity": "High",
+ "subcategory": "Identity",
+ "text": "Use AAD to authenticate users in your ARO cluster.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218",
- "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2",
- "service": "Azure OpenAI",
+ "category": "Identity and Access Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "adfec5f9-a82d-46e9-a8d1-5a0c7fed5d15",
+ "link": "https://docs.openshift.com/container-platform/4.14/authentication/remove-kubeadmin.html",
 "services": [
- "WAF"
+ "Entra"
 ],
 "severity": "Medium",
- "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications",
- "waf": "Operational Excellence"
+ "subcategory": "Identity",
+ "text": "When using AAD authentication, remove kubeadmin user from the cluster.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model",
- "service": "Azure OpenAI",
+ "category": "Identity and Access Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "483835c9-86bb-4291-8155-a11475e39f54",
+ "link": "https://docs.openshift.com/container-platform/4.13/applications/projects/working-with-projects.html",
 "services": [
- "WAF"
+ "Entra",
+ "RBAC"
 ],
 "severity": "High",
- "text": "Evaluate usage of billing models - PAYG vs PTU",
- "waf": "Cost Optimization"
+ "subcategory": "Identity",
+ "text": "Define OpenShift projects to restrict RBAC privilege and isolate workloads in your cluster.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "e6436b07-36db-455f-9796-03334bdf9cc2",
- "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793",
- "service": "Azure OpenAI",
+ "category": "Identity and Access Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "0acccd97-9376-4bcd-a375-0ab2ab039da6",
+ "link": "https://docs.openshift.com/container-platform/4.13/authentication/using-rbac.html",
 "services": [
- "WAF"
+ "Entra",
+ "RBAC"
 ],
 "severity": "Medium",
- "text": "Evaluate the quality of prompts and applications when switching between model versions",
- "waf": "Operational Excellence"
+ "subcategory": "Identity",
+ "text": "Define the required RBAC roles in OpenShift are scoped to either a project or a cluster.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "3418db61-2712-4650-9bb4-7a393a080327",
- "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2",
- "service": "Azure OpenAI",
+ "category": "Identity and Access Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "d54d7c89-29db-4107-b532-5ae625ca44e4",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
 "services": [
- "Monitor",
- "WAF"
+ "Entra",
+ "AKV"
 ],
 "severity": "Medium",
- "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence, fluency, �",
- "waf": "Operational Excellence"
+ "subcategory": "Identity",
+ "text": "Minimize the number of users who have administrator rights and secrets access.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "294798b1-578b-4219-a46c-eb5443513592",
- "service": "Azure OpenAI",
+ "category": "Identity and Access Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "685e2223-ace8-4bb1-8307-ca5f16f154e3",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
 "services": [
- "WAF"
+ "Entra",
+ "RBAC"
 ],
 "severity": "Medium",
- "text": "Evaluate your Azure AI Search results based on different search parameters",
- "waf": "Operational Excellence"
+ "subcategory": "Identity",
+ "text": "Use Privileged Identity Management in AAD for ARO users with privileged roles.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "2744293b-b628-4537-a551-19b08e8f5854",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations",
- "service": "Azure OpenAI",
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "aa369282-9e7e-4216-8836-87af467a1f89",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
 "services": [
+ "Entra",
+ "DDoS",
+ "Subscriptions",
+ "VNet",
+ "Firewall",
 "WAF"
 ],
- "severity": "Medium",
- "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data",
- "waf": "Operational Excellence"
+ "severity": "Low",
+ "subcategory": "DDoS",
+ "text": "Use Azure DDoS Network/IP Protection to protect the virtual network you use for the ARO cluster unless you use Azure Firewall or WAF in a centralized subscription",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "287d9cec-166c-4d07-8af9-b141a898a535",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
- "service": "Azure OpenAI",
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "35bda433-24f1-4481-8533-182aa5174269",
+ "link": "https://docs.openshift.com/container-platform/4.13/networking/routes/secured-routes.html",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Encryption",
+ "text": "All web applications you configure to use an ingress should use TLS encryption and shouldn't allow access over unencrypted HTTP.",
+ "waf": "Security"
+ },
+ {
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "44008ae7-d7e4-4743-876c-8bdbf55bce61",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
 "services": [
+ "FrontDoor",
 "WAF"
 ],
 "severity": "Medium",
- "text": "Use prompt engineering techniques to improve the accuracy of LLM responses",
- "waf": "Operational Excellence"
+ "subcategory": "Internet",
+ "text": "Use Azure Front Door with WAF to securely publish ARO applications to the internet, especially in multi-region environments.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "e737897e-71ca-47da-acfa-962a1594946d",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming",
- "service": "Azure OpenAI",
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "9e8a03f9-7879-4424-b626-786d60b96c97",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-secure-openshift-with-front-door",
 "services": [
- "WAF"
+ "PrivateLink",
+ "FrontDoor"
 ],
 "severity": "Medium",
- "text": "Red team your GenAI applications",
+ "subcategory": "Internet",
+ "text": "If exposing an app on ARO with Azure Front Door, use private link to connect Front Door with the ARO router.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e",
- "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/",
- "service": "Azure OpenAI",
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "be985190-4838-435c-a86b-b2912155a114",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-restrict-egress",
 "services": [
- "WAF"
+ "AzurePolicy",
+ "NVA",
+ "Firewall"
 ],
 "severity": "Medium",
- "text": "Provide end users with scoring options for LLM responses and track these scores. ",
- "waf": "Operational Excellence"
+ "subcategory": "Internet",
+ "text": "If your security policy requires you to inspect all outbound internet traffic that's generated in the ARO cluster, secure egress network traffic by using Azure Firewall or an NVA.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d",
- "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
- "service": "Azure OpenAI",
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "75e39f54-0acc-4cd9-9937-6bcda3750ab2",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-create-private-cluster-4x",
 "services": [
- "WAF"
+ "AzurePolicy"
 ],
 "severity": "High",
- "text": "Consider Quota management practices",
- "waf": "Cost Optimization"
+ "subcategory": "Private access",
+ "text": "If your security policy requires you to use a private IP address for the OpenShift API, deploy a private ARO cluster.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410",
- "link": "https://github.com/Azure/aoai-apim/blob/main/README.md",
- "service": "Azure OpenAI",
+ "category": "Network topology and connectivity",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "ab039da6-d54d-47c8-a29d-b107d5325ae6",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
 "services": [
- "APIM",
- "ACR",
- "Entra",
- "LoadBalancer",
- "WAF"
+ "PrivateLink",
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions",
- "waf": "Operational Excellence"
+ "subcategory": "Private access",
+ "text": "Use Azure Private Link to secure network connections to managed Azure services, including to Azure Container Registry.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787",
- "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx",
- "service": "Cognitive Services",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "25ca44e4-685e-4222-9ace-8bb12307ca5f",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-enable-arc-enabled-clusters",
 "services": [
- "WAF"
+ "Monitor"
 ],
+ "severity": "High",
+ "subcategory": "Operations",
+ "text": "Establish a monitoring process using the inbuilt Prometheus, OpenShift Logging or Container Insights integration.",
+ "waf": "Operations"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "16f154e3-aa36-4928-89e7-e216183687af",
+ "link": "https://docs.openshift.com/container-platform/4.13/cicd/pipelines/understanding-openshift-pipelines.html",
+ "services": [],
 "severity": "Medium",
- "text": "Leverage FTA HandBook for Cognitive Services",
- "waf": "Reliability"
+ "subcategory": "Operations",
+ "text": "Automate the application delivery process through DevOps practices and CI/CD solutions, such as Pipelines/GitOps provided by OpenShift.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
- "service": "Cognitive Services",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "467a1f89-35bd-4a43-924f-14811533182a",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/design-principles/managed-services",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "Operations",
+ "text": "Whenever possible, remove the service state from inside containers. Instead, use an Azure platform as a service (PaaS) that supports multiregion replication.",
+ "waf": "Operations"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "1b7da8cf-aa66-4e15-b4d5-ada97dc3e232",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-storageclass",
 "services": [
- "WAF",
- "Backup"
+ "Storage"
 ],
+ "severity": "Low",
+ "subcategory": "Operations",
+ "text": "Use RWX storage with inbuilt Azure Files storage class.",
+ "waf": "Operations"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "6bb235c7-05e1-4696-bded-fa8a4c8cdec4",
+ "link": "https://docs.openshift.com/container-platform/4.13/nodes/clusters/nodes-cluster-limit-ranges.html",
+ "services": [],
 "severity": "Medium",
- "text": "Backup Your Prompts",
- "waf": "Reliability"
+ "subcategory": "Performance",
+ "text": "Use pod requests and limits to manage the compute resources within a cluster.",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
- "service": "Cognitive Services",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "c620c30c-14ee-4b7f-9ae8-d9b3fec228e7",
+ "link": "https://docs.openshift.com/container-platform/4.13/applications/quotas/quotas-setting-per-project.html",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Performance",
+ "text": "Enforce resource quotas on projects.",
+ "waf": "Performance"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "87ab177a-db59-4f6b-a613-334fd09dc234",
+ "link": "https://docs.openshift.com/container-platform/4.13/machine_management/applying-autoscaling.html",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Performance",
+ "text": "Define ClusterAutoScaler and MachineAutoScaler to scale machines when your cluster runs out of resources to support more deployments.",
+ "waf": "Performance"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "19db6128-1269-4040-a4ba-4d3e0804276d",
+ "link": "https://learn.microsoft.com/azure/openshift/support-policies-v4#supported-virtual-machine-sizes",
 "services": [
- "WAF",
- "ASR"
+ "VM"
 ],
 "severity": "High",
- "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service",
+ "subcategory": "Reliability",
+ "text": "Use virtual machine sizes that are large enough to contain multiple container instances so you get the benefits of increased density, but not so large that your cluster can't handle the workload of a failing node.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "325af625-ca44-4e46-a5e2-223ace8bb123",
- "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations",
- "service": "Cognitive Services",
- "services": [
- "WAF",
- "Backup"
- ],
- "severity": "Medium",
- "text": "Backup Your ChatGPT conversations",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "4b98b15c-8b31-4aa5-aceb-58889135e227",
+ "link": "https://docs.openshift.com/container-platform/4.13/machine_management/deploying-machine-health-checks.html",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Reliability",
+ "text": "Deploy machine health checks to automatically repair damaged machines in a machine pool.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618",
- "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment",
- "service": "Cognitive Services",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "896d31b6-6c67-4ba5-a119-c08e8f5d587c",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-metric-alerts",
 "services": [
- "WAF"
+ "Monitor"
 ],
- "severity": "Medium",
- "text": "CI/CD for custom speech",
+ "severity": "High",
+ "subcategory": "Reliability",
+ "text": "Use an alerting system to provide notifications when things need direct action: Container Insights metric alerts or in-built Alerting UI.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.CognitiveServices/accounts",
- "checklist": "WAF checklist",
- "guid": "3687a046-7a1f-4893-9bda-43324f248116",
- "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base",
- "service": "Cognitive Services",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "7e9ced16-acd1-476e-b9b2-41a998a57ae7",
+ "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview#availability-zones",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Reliability",
+ "text": "Ensure that the cluster is created in a region that supports AZs and create a machine set for each AZ.",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "7b997e71-1b7d-4a8c-baa6-6e15d4d5ada9",
+ "link": "https://docs.openshift.com/container-platform/4.13/machine_management/creating-infrastructure-machinesets.html",
 "services": [
- "WAF"
+ "AKS"
 ],
 "severity": "Low",
- "text": "Move a knowledge base using export-import",
+ "subcategory": "Reliability",
+ "text": "Create infrastructure machine sets to hold infrastructure components. Apply specific Kubernetes labels to these machines and then update the infrastructure components to run on only those machines.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "WAF checklist",
- "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687",
- "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/",
- "service": "Purview",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "7dc3e232-6bb2-435c-905e-1696fdedfa8a",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup#create-a-backup-with-velero-to-include-snapshots",
 "services": [
- "WAF"
+ "Backup"
 ],
 "severity": "Medium",
- "text": "Leverage FTA Resillency Handbook",
+ "subcategory": "Reliability",
+ "text": "Create application backup and plan for restore and include persistent volumes in the backup.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "WAF checklist",
- "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318",
- "link": "https://learn.microsoft.com/purview/disaster-recovery",
- "service": "Purview",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "81c12318-1a64-4174-8583-3fb4ae3c2df7",
+ "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-priority.html",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "Reliability",
+ "text": "Use pod priorities, so that in case of limited resources the most critical pods will run.",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "43166c3b-cbe0-45bb-b209-d4a0da577784",
+ "link": "https://docs.openshift.com/container-platform/4.13/architecture/admission-plug-ins.html",
 "services": [
- "WAF"
+ "AzurePolicy"
 ],
- "severity": "High",
- "text": "Plan for Data Center level outage",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "Regulate cluster functions using admission plug-ins, which are commonly used to enforce security policy, resource limitations, or configuration requirements.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "WAF checklist",
- "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. Assign contacts to assets",
- "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b",
- "link": "https://learn.microsoft.com/purview/disaster-recovery",
- "service": "Purview",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "24d21678-5d2f-4a56-a56a-d48408fe8273",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
 "services": [
- "WAF"
+ "ACR"
 ],
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "Store your container images in Azure Container Registry and geo-replicate the registry to each region.",
+ "waf": "Security"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "4c486ba2-80dc-4059-8cf7-5ee8e1309ccc",
+ "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-vertical-autoscaler.html",
+ "services": [],
 "severity": "Medium",
- "text": "Practice Failover for BCDR",
- "waf": "Reliability"
+ "subcategory": "Workload",
+ "text": "Optimize the CPU and memory request values, and maximize the efficiency of the cluster resources using vertical pod autoscaler.",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "WAF checklist",
- "guid": "97b15b8a-219a-44ab-bb57-879024d22678",
- "link": "https://learn.microsoft.com/purview/disaster-recovery",
- "service": "Purview",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "d579366b-cda2-4750-aa1a-bfe9d55d14c3",
+ "link": "https://docs.openshift.com/container-platform/4.13/applications/application-health.html",
 "services": [
- "WAF",
- "Backup"
+ "Monitor"
 ],
- "severity": "High",
- "text": "Plan a backup strategy and take regular backups",
+ "severity": "Medium",
+ "subcategory": "Workload",
+ "text": "Add health probes to your pods to monitor application health. Make sure pods contain livenessProbe and readinessProbe. Use Startup probes to determine the point at which the application has started up.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "WAF checklist",
- "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d",
- "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet",
- "service": "Purview",
- "services": [
- "WAF",
- "EventHubs"
- ],
- "severity": "Low",
- "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "c4929cb1-b3d1-4325-ae12-4ba34d0685ed",
+ "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-autoscaling.html",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Workload",
+ "text": "Scale pods to meet demand using horizontal pod autoscaler.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "WAF checklist",
- "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b",
- "link": "https://learn.microsoft.com/purview/deployment-best-practices",
- "service": "Purview",
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "dce9be3b-b0dd-4b3b-95fb-2ec14eeaa359",
+ "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-configuring.html#nodes-pods-pod-distruption-about_nodes-pods-configuring",
 "services": [
- "WAF"
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Follow Purview accounts architectures and deployment best practices",
+ "subcategory": "Workload",
+ "text": "Use disruption budgets to ensure the required number of pod replicas exist to handle expected application load.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "WAF checklist",
- "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-collections",
- "service": "Purview",
- "services": [
- "WAF"
- ],
+ "category": "Operations management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "2829e2ed-b217-4367-9aff-6791b4935ada",
+ "link": "https://docs.openshift.com/container-platform/4.13/nodes/scheduling/nodes-scheduler-pod-topology-spread-constraints.html",
+ "services": [],
 "severity": "Medium",
- "text": "Follow Collection Architectures and best practices",
+ "subcategory": "Workload",
+ "text": "Use pod topology constraints to automatically schedule pods on nodes throughout the cluster.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "WAF checklist",
- "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle",
- "service": "Purview",
- "services": [
- "WAF"
- ],
+ "category": "Operations Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "fea1dbf3-dd95-4d48-a7c8-91dcb1f7d575",
+ "link": "https://learn.microsoft.com/azure/openshift/intro-openshift#service-level-agreement",
+ "services": [],
 "severity": "Medium",
- "text": "Follow Assest lifecycle best practices",
+ "subcategory": "Availablity",
+ "text": "Leverage Current ARO SLA - 99.95 into BCDR planning",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "WAF checklist",
- "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-automation",
- "service": "Purview",
+ "category": "Operations Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "b95e06e1-58e2-4ea3-a92c-2de6e2065b3a",
+ "link": "https://www.redhat.com/rhdc/managed-files/pa-getting-started-azure-openshift-ebook-f20686-201911-en_0.pdf",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Cluster Design",
+ "text": "Run user workloads on the worker nodes, not the control plane nodes",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "description": "Create infrastructure machine sets to hold infrastructure components. Apply specific Kubernetes labels to these machines and then update the infrastructure components to run on only those machines",
+ "guid": "76af4a69-1e88-439a-ba46-667e13c10567",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-segregate-machinesets",
 "services": [
- "WAF"
+ "VNet",
+ "AKS"
 ],
 "severity": "Medium",
- "text": "Follow automation best practices",
+ "subcategory": "Cluster Design",
+ "text": "Isolate workloads into worker nodes running in individual subnets as needed",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "WAF checklist",
- "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf",
- "link": "https://learn.microsoft.com/purview/disaster-recovery",
- "service": "Purview",
+ "category": "Operations Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "785c6fe9-6c96-4ad8-a44c-f3b2b38c886b",
+ "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup",
 "services": [
- "WAF",
 "Backup"
 ],
 "severity": "Medium",
- "text": "Follow Backup and Migration Best practices",
+ "subcategory": "Backup",
+ "text": "Backup a cluster state for stateful workload scenarios to a paired region",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "WAF checklist",
- "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary",
- "service": "Purview",
+ "category": "Operations Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "a2c02149-9014-4a5d-9ce5-74dccbd9792a",
+ "link": "https://access.redhat.com/documentation/red_hat_openshift_container_storage/4.4/html/deploying_and_managing_openshift_container_storage_on_microsoft_azure/deploying-openshift-container-storage-on-microsoft-azure_rhocs",
 "services": [
- "WAF"
+ "Storage",
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Follow Purview Glossary Best Practices",
+ "subcategory": "Data Store",
+ "text": "If container storage is required, ensure availability across regions if needed: Using RWX storage with inbuilt Azure Files storage class. Using CSI Drivers for storage provisioning",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "WAF checklist",
- "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790",
- "link": "https://learn.microsoft.com/purview/concept-workflow",
- "service": "Purview",
+ "category": "Operations Management",
+ "checklist": "Azure Red Hat OpenShift",
+ "guid": "6bcca2b4-fea1-4dbf-9dd9-5d48c7c891dc",
+ "link": "https://docs.openshift.com/aro/3/dev_guide/persistent_volumes.html",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Data Store",
+ "text": "Whenever possible, move state out of containers and into external databases that support multi-region replication. 
Avoid Persistent Volumes", + "waf": "Reliability" + }, + { + "category": "Platform Automation", + "checklist": "Azure Red Hat OpenShift", + "guid": "42324ece-81c1-4231-a1a6-417415833fb4", + "link": "https://docs.openshift.com/container-platform/4.13/applications/deployments/route-based-deployment-strategies.html", + "services": [], + "severity": "Low", + "subcategory": "Workload", + "text": "Consider blue/green or canary strategies to deploy new releases of application.", + "waf": "Operations" + }, + { + "category": "Platform Automation", + "checklist": "Azure Red Hat OpenShift", + "guid": "ae3c2df7-4316-46c3-acbe-05bbe209d4a0", + "link": "https://docs.openshift.com/container-platform/4.13/cicd/gitops/understanding-openshift-gitops.html", + "services": [], + "severity": "Low", + "subcategory": "Workload", + "text": "Consider using Red Hat OpenShift GitOps. Red Hat OpenShift GitOps uses Argo CD to maintain cluster resources and support application CI/CD.", + "waf": "Operations" + }, + { + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "da577784-24d2-4167-a5d2-fa56c56ad484", + "link": "https://learn.microsoft.com/azure/openshift/support-lifecycle", + "services": [], + "severity": "High", + "subcategory": "Control plane", + "text": "Keep your clusters on the latest OpenShift version to avoid potential security or upgrade issues.", + "waf": "Security" + }, + { + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "08fe8273-4c48-46ba-880d-c0591cf75ee8", + "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/quickstart-connect-cluster", "services": [ - "WAF" + "Arc", + "AKS" ], + "severity": "High", + "subcategory": "Control plane", + "text": "Connect Azure Red Hat OpenShift clusters to Azure Arc-enabled Kubernetes.", + "waf": "Security" + }, + { + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "e1309ccc-d579-4366-acda-2750aa1abfe9", + "link": 
"https://docs.openshift.com/container-platform/4.10/security/encrypting-etcd.html", + "services": [], "severity": "Low", - "text": "Leverage Workflows ", - "waf": "Reliability" + "subcategory": "Encryption", + "text": "For Azure Red Hat OpenShift 4 clusters, etcd data isn't encrypted by default, but it's recommended to enable etcd encryption to provide another layer of data security.", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", - "link": "https://learn.microsoft.com/purview/concept-best-practices-security", - "service": "Purview", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "d55d14c3-c492-49cb-8b3d-1325ae124ba3", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", "services": [ - "WAF" + "Arc", + "Defender", + "AKS" ], "severity": "Medium", - "text": "Follow Purview Security Best Practices", - "waf": "Reliability" + "subcategory": "Posture", + "text": "Use Microsoft Defender for Containers supported via Arc-enabled Kubernetes to secure clusters, containers, and applications.", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", - "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", - "service": "Purview", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "4d0685ed-dce9-4be3-ab0d-db3b55fb2ec1", + "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/tutorial-akv-secrets-provider", "services": [ - "WAF" + "AKV", + "Arc", + "AKS" ], "severity": "Medium", - "text": "Follow Purview Data Lineage Best Practices", - "waf": "Reliability" + "subcategory": "Secrets", + "text": "For applications that require access to sensitive information, use a service principal and the AKV Secrets Provider with the 
extension for Arc-enabled Kubernetes clusters.", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", - "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", - "service": "Purview", - "services": [ - "WAF" - ], + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "4eeaa359-2829-4e2e-bb21-73676aff6791", + "link": "https://learn.microsoft.com/azure/aks/developer-best-practices-pod-security#secure-pod-access-to-resources", + "services": [], "severity": "Medium", - "text": "Follow Best Practices for Scanning Registered Sources", - "waf": "Reliability" + "subcategory": "Workload", + "text": "Secure pod access to resources. Provide the least number of permissions, and avoid using root or privileged escalation.", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", - "service": "Purview", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "b4935ada-4232-44ec-b81c-123181a64174", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-extension-for-azure-arc-enabled-kubernetes", "services": [ - "WAF" + "AzurePolicy", + "Monitor" ], "severity": "Medium", - "text": "Follow Classification Best Practices in Governance Portal", - "waf": "Reliability" + "subcategory": "Workload", + "text": "Monitor and enforce configuration by using the Azure Policy Extension.", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", - "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", - "service": "Purview", + "category": "Security", + 
"checklist": "Azure Red Hat OpenShift", + "guid": "15833fb4-ae3c-42df-9431-66c3bcbe05bb", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", "services": [ - "WAF" + "Defender" ], - "severity": "Medium", - "text": "Perform Sensitivity Labelling in the Purview Data Map", - "waf": "Reliability" + "severity": "High", + "subcategory": "Workload", + "text": "Scan your images for vulnerabilities with Microsoft Defender or any other image scanning solution.", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", - "link": "https://learn.microsoft.com/purview/concept-data-share", - "service": "Purview", + "category": "Security", + "checklist": "Azure Red Hat OpenShift", + "guid": "e209d4a0-da57-4778-924d-216785d2fa56", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", "services": [ - "Storage", - "WAF" + "Subscriptions", + "ACR" ], "severity": "Low", - "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", - "waf": "Reliability" + "subcategory": "Workload", + "text": "Deploy a dedicated and private instance of Azure Container Registry to each landing zone subscription.", + "waf": "Security" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", + "category": "Business", + "checklist": "Multitenant architecture", + "guid": "41177955-fe8f-430b-ae72-20dc5b6880da", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/overview", "services": [ - "WAF" + "Entra" ], - "severity": "Low", - "text": "Leverage Data Estate Insights", - "waf": "Reliability" + "severity": "High", + "subcategory": "Business", + "text": "Understand what kind of solution you're creating, such as 
business-to-business (B2B), business-to-consumer (B2C), or your enterprise software, and how tenants are different from users.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", - "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", - "service": "Purview", - "services": [ - "WAF" - ], - "severity": "Low", - "text": "Use Data stewardship and Catalog adoption", - "waf": "Reliability" + "category": "Business", + "checklist": "Multitenant architecture", + "guid": "2d33d1b7-697c-49f9-b944-afbeac0b2c8f", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "services": [], + "severity": "High", + "subcategory": "Business", + "text": "Define your tenants. Understand how many tenants you will support initially, and your growth plans.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", - "services": [ - "WAF" - ], - "severity": "Low", - "text": "Use Inventory and Ownership", - "waf": "Reliability" + "category": "Business", + "checklist": "Multitenant architecture", + "guid": "a2111b8b-cc66-4aa2-9da6-c09fa23851b6", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models", + "services": [], + "severity": "High", + "subcategory": "Business", + "text": "Define your pricing model and ensure it aligns with your tenants' consumption of Azure resources.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", - "link": "https://learn.microsoft.com/purview/glossary-insights", - "service": "Purview", - "services": [ - "WAF" - ], - "severity": "Low", - "text": "Leverage 
Insights for Glossary, Classifications, Sensitivity Labels", - "waf": "Reliability" + "category": "Business", + "checklist": "Multitenant architecture", + "guid": "331e84a6-2d65-4359-92ff-a1870b062995", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models", + "services": [], + "severity": "Medium", + "subcategory": "Business", + "text": "Understand whether you need to separate your tenants into different tiers. Tiers might have different pricing, features, performance promises, geographic locations, and so forth.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "b130a888-9579-4e76-a896-e710a7da7be9", - "link": "https://learn.microsoft.com/purview/compliance-manager", - "service": "Purview", - "services": [ - "WAF" - ], + "category": "Business", + "checklist": "Multitenant architecture", + "guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "services": [], "severity": "Medium", - "text": "Generate assessment scores", - "waf": "Reliability" + "subcategory": "Business", + "text": "Based on your customers' requirements, decide on the tenancy models that are appropriate for various parts of your solution.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", - "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", - "service": "Purview", + "category": "Business", + "checklist": "Multitenant architecture", + "guid": "f5d76ae1-7048-4ff5-abba-f1ca799578b9", + "link": "https://learn.microsoft.com/azure/marketplace/plan-saas-offer", "services": [ - "WAF" + "Entra" ], "severity": "Medium", - "text": "Profiling- get summaries of data content", - "waf": "Reliability" + "subcategory": "Business", + "text": "When you're ready, sell 
your B2B multitenant solution using the Microsoft Commercial Marketplace.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", - "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", - "service": "Purview", - "services": [ - "AzurePolicy", - "WAF" - ], - "severity": "Low", - "text": "Follow Microsoft Purview Data Owner access policies", + "category": "Reliability", + "checklist": "Multitenant architecture", + "guid": "9e7cedd9-1e05-4aeb-a7b3-01fe695a394c", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/design-checklist", + "services": [], + "severity": "High", + "subcategory": "Reliability", + "text": "Review the Azure Well-Architected Reliability checklist, which is applicable to all workloads.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", - "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", - "service": "Purview", - "services": [ - "AzurePolicy", - "WAF" - ], - "severity": "Low", - "text": "Follow Self-service access policies", + "category": "Reliability", + "checklist": "Multitenant architecture", + "guid": "e9521a55-2a7c-425c-8f3e-c38fd0c4df75", + "link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor", + "services": [], + "severity": "High", + "subcategory": "Reliability", + "text": "Understand the Noisy Neighbor antipattern. 
Prevent individual tenants from impacting the system's availability for other tenants.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "WAF checklist", - "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", - "link": "https://learn.microsoft.com/purview/concept-policies-devops", - "service": "Purview", - "services": [ - "AzurePolicy", - "WAF" - ], - "severity": "Low", - "text": "Follow DevOps policies", + "category": "Reliability", + "checklist": "Multitenant architecture", + "guid": "2b99cb00-9abb-49b6-b11c-f2af9692f09e", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/overview", + "services": [], + "severity": "Medium", + "subcategory": "Reliability", + "text": "Design your multitenant solution for the level of growth that you expect. But don't overengineer for unrealistic growth.", "waf": "Reliability" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "WAF checklist", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", - "services": [ - "WAF" - ], + "category": "Reliability", + "checklist": "Multitenant architecture", + "guid": "7a634a0e-1c9d-42b1-aac2-5a5378f103f1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/business-metrics", + "services": [], "severity": "Medium", - "text": "Follow reliability support recommendations in Azure Bot Service", + "subcategory": "Reliability", + "text": "Define service-level objectives (SLOs) and optionally service-level agreements (SLAs) for your solution. 
SLAs and SLOs should be based on the requirements of your tenants, as well as the composite SLA of the Azure resources in your architecture.", "waf": "Reliability" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "WAF checklist", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Deploying bots with local data residency and regional compliance", + "category": "Reliability", + "checklist": "Multitenant architecture", + "guid": "45beeeaf-fc59-4079-8fca-65d5724abaa7", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", + "services": [], + "severity": "High", + "subcategory": "Reliability", + "text": "Test the scale of your solution. Ensure that it performs well under all levels of load, and that it scales correctly as the number of tenants increases.", "waf": "Reliability" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "WAF checklist", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", - "services": [ - "WAF" - ], + "category": "Reliability", + "checklist": "Multitenant architecture", + "guid": "2ff55551-984b-4606-95eb-bfb9c8b36761", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", + "services": [], "severity": "Medium", - "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. 
For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", + "subcategory": "Reliability", + "text": "Apply chaos engineering principles to test the reliability of your solution.", "waf": "Reliability" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "WAF checklist", - "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", - "service": "PostgreSQL", + "category": "Security", + "checklist": "Multitenant architecture", + "guid": "8238c038-8eb2-4a02-8bd5-4908c9442c1c", + "link": "https://learn.microsoft.com/security/zero-trust", + "services": [], + "severity": "High", + "subcategory": "Security", + "text": "Apply the Zero Trust and least privilege principles in all layers of your solution.", + "waf": "Security" + }, + { + "category": "Security", + "checklist": "Multitenant architecture", + "guid": "92160e00-6894-4102-97e0-615d4ed93c01", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests", "services": [ - "WAF" + "Entra" ], + "severity": "High", + "subcategory": "Security", + "text": "Ensure that you can correctly map user requests to tenants. 
Consider including the tenant context as part of the identity system, or by using another means, like application-level tenant authorization.", + "waf": "Security" + }, + { + "category": "Security", + "checklist": "Multitenant architecture", + "guid": "3c1538b4-5676-4b85-b451-432befb37b4f", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "services": [], "severity": "Medium", - "text": "Leverage Flexible Server", - "waf": "Reliability" + "subcategory": "Security", + "text": "Perform ongoing penetration testing and security code reviews.", + "waf": "Security" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "WAF checklist", - "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", - "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", - "service": "PostgreSQL", + "category": "Security", + "checklist": "Multitenant architecture", + "guid": "5fca45ce-cf2d-42c0-a62c-aac92ba31498", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance", + "services": [], + "severity": "High", + "subcategory": "Security", + "text": "Understand your tenants' compliance requirements, including data residency and any compliance or regulatory standards that they require you to meet.", + "waf": "Security" + }, + { + "category": "Security", + "checklist": "Multitenant architecture", + "guid": "30adb90d-83d4-4a2e-986e-327ffe04e7a5", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names", "services": [ - "WAF" + "DNS" ], "severity": "High", - "text": "Leverage Availability Zones where regionally applicable", - "waf": "Reliability" + "subcategory": "Security", + "text": "Correctly manage domain names and avoid vulnerabilities like dangling DNS and subdomain takeover attacks.", + "waf": "Security" }, { - "arm-service": "Microsoft.DBforPostgreSQL/servers", - "checklist": "WAF 
checklist", - "guid": "31b67c67-be59-4519-8083-845d587cb391", - "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", - "service": "PostgreSQL", + "category": "Security", + "checklist": "Multitenant architecture", + "guid": "72ded36d-c633-4e0d-bd41-799a29da3481", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/overview", + "services": [], + "severity": "Medium", + "subcategory": "Security", + "text": "Follow service-specific guidance for multitenancy.", + "waf": "Security" + }, + { + "category": "Cost Optimization", + "checklist": "Multitenant architecture", + "guid": "db30a9fc-9b1d-40f3-ab90-01f6a3e87fc8", + "link": "https://learn.microsoft.com/azure/architecture/framework/cost/design-checklist", "services": [ - "WAF" + "Cost" ], "severity": "Medium", - "text": "Leverage cross-region read replicas for BCDR", - "waf": "Reliability" + "subcategory": "Cost Optimization", + "text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "WAF checklist", - "description": "Disable image export to prevent data exfiltration. 
Note that this will prevent image import of images into another ACR instance.", - "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", - "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", - "service": "ACR", + "category": "Cost Optimization", + "checklist": "Multitenant architecture", + "guid": "8533af39-52f6-45b6-a9c3-81b2a54a31e0", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption", "services": [ - "ACR", - "WAF" + "Cost" ], "severity": "High", - "text": "Disable Azure Container Registry image export", - "waf": "Security" + "subcategory": "Cost Optimization", + "text": "Ensure you can adequately measure per-tenant consumption and correlate it with your infrastructure costs.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "WAF checklist", - "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", - "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", - "service": "ACR", + "category": "Cost Optimization", + "checklist": "Multitenant architecture", + "guid": "c851fd44-7cf1-459c-95a4-f6455d75a981", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation", "services": [ - "AzurePolicy", - "ACR", - "WAF" + "Cost", + "Monitor" ], + "severity": "Medium", + "subcategory": "Cost Optimization", + "text": "Avoid antipatterns. 
Antipatterns include failing to track costs, tracking costs with unnecessary precision, real-time measurement, and using monitoring tools for billing.", + "waf": "Cost" + }, + { + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "0d475a5a-2c0f-47ab-b1e1-701da68d3407", + "link": "https://learn.microsoft.com/azure/architecture/checklist/data-ops", + "services": [], "severity": "High", - "text": "Enable Azure Policies for Azure Container Registry", - "waf": "Security" + "subcategory": "Operational Excellence", + "text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "WAF checklist", - "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", - "guid": "d345293c-7639-4637-a551-c5c04e401955", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", - "service": "ACR", + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "9f7fa7a9-47fc-4f04-81f6-9f9e87571ed3", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle", + "services": [], + "severity": "Medium", + "subcategory": "Operational Excellence", + "text": "Use automation to manage the tenant lifecycle, such as onboarding, deployment, provisioning, and configuration.", + "waf": "Operations" + }, + { + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "e0bfceed-4f4e-492d-b9f5-898815faa363", + "link": 
"https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/updates", + "services": [], + "severity": "Medium", + "subcategory": "Operational Excellence", + "text": "Find the right balance for deploying service updates. Consider both your tenants' requirements and your own operational requirements.", + "waf": "Operations" + }, + { + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "a3f80518-d428-4c02-b2cc-dfaef47db7e2", "services": [ - "ACR", - "WAF", - "AKV" + "Monitor" ], "severity": "High", - "text": "Sign and Verify containers with notation (Notary v2)", - "waf": "Security" + "subcategory": "Operational Excellence", + "text": "Monitor the health of the overall system, as well as each tenant.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "WAF checklist", - "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. 
By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", - "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", - "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", - "service": "ACR", + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "dfb42da5-f871-4953-9e5c-da6fda3f1411", "services": [ - "ACR", - "WAF", - "AKV" + "Monitor" ], "severity": "Medium", - "text": "Encrypt registry with a customer managed key", - "waf": "Security" + "subcategory": "Operational Excellence", + "text": "Configure and test alerts to notify you when specific tenants are experiencing issues or are exceeding their consumption limits.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "WAF checklist", - "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", - "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", - "services": [ - "RBAC", - "ACR", - "WAF", - "Entra" - ], + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "c0c72a1b-e34d-4b3d-b808-2e49f51ce47e", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization", + "services": [], "severity": "High", - "text": "Use Managed Identities to connect instead of Service Principals", - "waf": "Security" + "subcategory": "Operational Excellence", + "text": "Organize your Azure resources for isolation and scale.", + "waf": "Operations" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "WAF checklist", - "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead", - "guid": "be0e38ce-e297-411b-b363-caaab79b198d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", - "services": [ - "RBAC", - "WAF" - ], + "category": "Operational Excellence", + "checklist": "Multitenant architecture", + "guid": "c5c5e22d-4b51-4cac-a980-f7aac1a4b427", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration", + "services": [], + "severity": "Medium", + "subcategory": "Operational Excellence", + "text": "Avoid deployment and configuration antipatterns. Antipatterns include running separate versions of the solution for each tenant, hardcoding tenant-specific configurations or logic, and manual deployments.", + "waf": "Operations" + }, + { + "category": "Performance Efficiency", + "checklist": "Multitenant architecture", + "guid": "f0b1fbd8-689c-4ab3-be1d-ad7607d2fbfd", + "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/performance-efficiency", + "services": [], "severity": "High", - "text": "Disable local authentication for management plane access", - "waf": "Security" + "subcategory": "Performance Efficiency", + "text": "Review the Azure Well-Architected Performance Efficiency checklist, which is applicable to all workloads.", + "waf": "Performance" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "WAF checklist", - "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", - "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", - "service": "ACR", - "services": [ - "RBAC", - "ACR", - "WAF", - "Entra" - ], + "category": "Performance Efficiency", + "checklist": "Multitenant architecture", + "guid": "18911c4c-934c-49a8-839a-60c092afce30", + 
"link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor",
+ "services": [],
 "severity": "High",
- "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals",
- "waf": "Security"
+ "subcategory": "Performance Efficiency",
+ "text": "If you use shared infrastructure, plan for how you'll mitigate Noisy Neighbor concerns. Ensure that one tenant can't reduce the performance of the system for other tenants.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Disable anonymous pull/push access",
- "guid": "e338997e-41c7-47d7-acf6-a62a1194956d",
- "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access",
- "service": "ACR",
+ "category": "Performance Efficiency",
+ "checklist": "Multitenant architecture",
+ "guid": "6acf7eb5-24a3-47c7-ae87-1196cd96048e",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute",
 "services": [
- "WAF"
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Disable Anonymous pull access",
- "waf": "Security"
+ "subcategory": "Performance Efficiency",
+ "text": "Determine how you'll scale your compute, storage, networking, and other Azure resources to match the demands of your tenants.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Token authentication doesn't support assignment to an AAD principal. 
Any tokens provided are able to be used by anyone who can access the token",
- "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli",
- "service": "ACR",
- "services": [
- "WAF",
- "Entra"
- ],
+ "category": "Performance Efficiency",
+ "checklist": "Multitenant architecture",
+ "guid": "ea55400d-f97d-45aa-b71b-34224bf91ed4",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization",
+ "services": [],
 "severity": "High",
- "text": "Disable repository-scoped access tokens",
- "waf": "Security"
+ "subcategory": "Performance Efficiency",
+ "text": "Consider each Azure resource's scale limits. Organize your resources appropriately, in order to avoid resource organization antipatterns. For example, don't over-architect your solution to work within unrealistic scale requirements.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network",
- "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee",
- "service": "ACR",
+ "category": "Storage",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "9f519499-5820-4060-88fe-cab4538c9dd0",
+ "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements",
 "services": [
- "EventHubs",
- "ACR",
- "WAF",
- "PrivateLink"
+ "Storage"
 ],
- "severity": "High",
- "text": "Deploy images from a trusted environment",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Physical",
+ "text": "All planned storage pools should use direct-attached storage (SATA, SAS, NVMe)",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Only tokens with an ACR audience can be used for authentication. 
Used when enabling Conditional access policies for ACR",
- "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy",
- "service": "ACR",
+ "category": "Storage",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "f7c015e0-7d97-4283-b006-567afeb2b5ca",
+ "link": "https://learn.microsoft.com/azure-stack/hci/concepts/drive-symmetry-considerations#understand-capacity-imbalance",
 "services": [
- "AzurePolicy",
- "ACR",
- "WAF",
- "Entra"
+ "Storage",
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Disable Azure ARM audience tokens for authentication",
- "waf": "Security"
+ "subcategory": "Physical",
+ "text": "Disks are symmetrical across all nodes",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.",
- "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6",
- "link": "https://learn.microsoft.com/azure/container-registry/monitor-service",
- "service": "ACR",
+ "category": "Storage",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "f785b143-2c1e-4466-9baa-dde8ba4c7aaa",
+ "link": "https://learn.microsoft.com/azure-stack/hci/concepts/fault-tolerance#parity",
 "services": [
- "Monitor",
- "ACR",
- "WAF",
- "Entra"
+ "Backup",
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Enable diagnostics logging",
- "waf": "Security"
+ "subcategory": "S2D",
+ "text": "Parity type disk redundancy should only be used for low I/O volumes (backup/archive)",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch",
- "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
- "service": "ACR",
+ "category": "Storage",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "8a705965-9840-43cc-93b3-06d089406bb4",
+ "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements#physical-deployments",
 "services": [
- "Firewall",
- "WAF",
- "VNet",
- "PrivateLink"
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Control inbound network access with Private Link",
- "waf": "Security"
+ "subcategory": "S2D",
+ "text": "Ensure there at least 2 capacity disks with available capacity in the Storage Pool",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Disable public network access if inbound network access is secured using 
Private Link",
- "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access",
- "service": "ACR",
+ "category": "Storage",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "2a4f629a-d623-4610-a8e3-d6fd66057d8e",
+ "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/delimit-volume-allocation",
 "services": [
- "WAF",
- "PrivateLink"
+ "Storage"
 ],
- "severity": "Medium",
- "text": "Disable Public Network access",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "S2D",
+ "text": "'Delimited allocation' has been considered to improve volume resiliency in a multi-node failure",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Only the ACR Premium SKU supports Private Link access",
- "guid": "fc833934-8b26-42d6-ac5f-512925498f6d",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus",
- "service": "ACR",
+ "category": "Storage",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "960eb9be-1f0f-4fc1-9b31-fcf1cf9e34e6",
+ "link": "https://learn.microsoft.com/azure-stack/hci/concepts/plan-volumes#choosing-how-many-volumes-to-create",
 "services": [
- "ACR",
- "WAF",
- "PrivateLink"
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)",
- "waf": "Security"
+ "subcategory": "S2D",
+ "text": "CSVs are created in multiples of node count",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities",
- "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a",
- "link": 
"https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
- "service": "ACR",
+ "category": "Storage",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "859ba2b9-a3a8-4ca1-bb61-165effbf1c03",
+ "link": "https://learn.microsoft.com/azure-stack/hci/concepts/cache",
 "services": [
- "ACR",
- "WAF",
- "Defender"
+ "Storage"
 ],
- "severity": "Low",
- "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "S2D",
+ "text": "If a cache tier is implemented, the number of capacity drives is a multiple of the number of cache drives",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
- "guid": "4451e1a2-d345-4293-a763-9637a551c5c0",
- "service": "ACR",
+ "category": "Storage",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "d8a65f05-db06-461d-81dc-7899ad3f8f1e",
+ "link": "https://learn.microsoft.com/azure-stack/hci/concepts/plan-volumes#reserve-capacity",
 "services": [
- "WAF"
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Deploy validated container images",
- "waf": "Security"
+ "subcategory": "S2D",
+ "text": "A minimum of 1 type of each disk type per node has been factored as a reserve disk",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "WAF checklist",
- "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
- "guid": "4e401955-387e-45ce-b126-cd132af5b20c",
- "service": "ACR",
+ "category": "Storage",
+ "checklist": "Azure Stack HCI Review",
+ "description": "VMFleet is a tool that can be used to measure the performance of a storage subsystem, best used to baseline performance prior to workload deployment",
+ "guid": 
"9d138f1d-5363-476e-bbd7-acfa500bdc0c",
+ "link": "https://github.com/microsoft/diskspd/wiki/VMFleet",
 "services": [
- "WAF"
+ "Storage"
 ],
- "severity": "High",
- "text": "Use up-to-date platforms, languages, protocols and frameworks",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "S2D",
+ "text": "VMFleet has been run prior to workload deployment to baseline storage performance",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ",
- "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6",
- "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key",
- "service": "Event Hubs",
+ "category": "Storage",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "13c12e2a-c938-4dd1-9223-507d5e17f9c5",
 "services": [
- "WAF",
- "EventHubs"
+ "Storage"
 ],
- "severity": "Low",
- "text": "Use customer-managed key option in data at rest encryption when required",
- "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Host OS",
+ "text": "OS drives use a dedicated storage controller",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
",
- "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e",
- "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version",
- "service": "Event Hubs",
+ "category": "Storage",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "a631e7dc-8879-45bd-b0a7-e5927b805428",
+ "link": "https://learn.microsoft.com/azure-stack/hci/manage/use-csv-cache",
 "services": [
- "WAF",
- "EventHubs"
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ",
- "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
- "waf": "Security"
+ "subcategory": "Host OS",
+ "text": "CSV in-memory read caching is enabled and properly configured",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
",
- "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d",
- "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies",
- "service": "Event Hubs",
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "c062cd9a-f1db-4f83-aab3-9cb03f56c140",
+ "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements#switch-embedded-teaming-set",
 "services": [
- "TrafficManager",
- "AzurePolicy",
- "RBAC",
- "EventHubs",
- "Entra",
- "WAF"
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Avoid using root account when it is not necessary",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
- "waf": "Security"
+ "subcategory": "Host",
+ "text": "NICs are symmetrical across nodes",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. 
",
- "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776",
- "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest",
- "service": "Event Hubs",
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "ea8054db-a558-4533-80c8-5d9cf447ba19",
 "services": [
- "AKV",
- "Storage",
- "VM",
- "EventHubs",
- "Entra",
- "WAF"
+ "Storage"
 ],
+ "severity": "High",
+ "subcategory": "Host",
+ "text": "Storage networking is redundant",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "15d976c5-e267-49a1-8b00-62010bfa5188",
+ "link": "https://learn.microsoft.com/azure-stack/hci/deploy/network-atc",
+ "services": [],
 "severity": "Medium",
- "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Security"
+ "subcategory": "Host",
+ "text": "Host networking configuration is managed by Network ATC and intents are healthy",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. 
consumer group, event hub entity, event hub namespaces, etc.",
- "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2",
- "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs",
- "service": "Event Hubs",
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "676c53ad-b29a-4de1-9d03-d7d2674405b8",
+ "link": "https://learn.microsoft.com/azure-stack/hci/concepts/network-hud-overview",
+ "services": [],
+ "severity": "Low",
+ "subcategory": "Host",
+ "text": "Network HUD has been configured",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "8f6d58d9-6c1a-4ec1-b2d7-b2c6ba8f3949",
+ "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements",
 "services": [
- "RBAC",
- "WAF",
- "EventHubs"
+ "Storage",
+ "VNet"
 ],
- "severity": "High",
- "text": "Use least privilege data plane RBAC",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Host",
+ "text": "Storage NICs are assigned static IP addresses on separate subnets and VLANs",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. 
Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.",
- "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db",
- "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference",
- "service": "Event Hubs",
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "824e53ec-953e-40c2-a6b8-52970b5b0f74",
+ "link": "https://learn.microsoft.com/azure-stack/hci/plan/two-node-switched-converged",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Host",
+ "text": "For switchless designs, dual link full mesh connectivity has been implemented",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "dbc85d0e-0ebd-4589-a789-0fa8ceb1d0f0",
+ "link": "https://learn.microsoft.com/azure-stack/hci/concepts/physical-network-requirements#using-switchless",
 "services": [
- "Monitor",
- "WAF",
- "VNet",
- "EventHubs"
+ "Storage"
 ],
 "severity": "Medium",
- "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
- "waf": "Security"
+ "subcategory": "Host",
+ "text": "If the cluster is made up of more than 3 nodes, a switched storage network has been implemented",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
",
- "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc",
- "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service",
- "service": "Event Hubs",
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "603c6d71-59d2-419c-a312-8edc6e799c6a",
 "services": [
- "EventHubs",
- "WAF",
- "VNet",
- "PrivateLink"
+ "Storage"
 ],
- "severity": "Medium",
- "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Host",
+ "text": "RDMA is enabled on the Storage networking",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
",
- "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering",
- "service": "Event Hubs",
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "9e260eae-bca1-4827-a259-76ee63fda8d6",
+ "link": "https://github.com/microsoft/SDN/blob/master/Diagnostics/Test-Rdma.ps1",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "Host",
+ "text": "Test-RDMA.ps1 has been run to validate the RDMA configuration",
+ "waf": "Performance"
+ },
+ {
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "description": "This ensures that Management traffic is not exposed to the VM traffic",
+ "guid": "abc85d0e-0ebd-4589-a777-0fa8ceb1d0f0",
+ "link": "",
 "services": [
- "WAF",
- "EventHubs"
+ "VM"
 ],
 "severity": "Medium",
- "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "subcategory": "Host",
+ "text": "If a VMSwitch is shared for Compute and Management traffic, require that Management traffic is tagged with a VLAN ID",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "guid": "31d41e36-11c8-417b-8afb-c410d4391898",
- "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx",
- "service": "Event Hubs",
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "description": "This ensures you have at least 3 NCs active at all times during NC upgrades.",
+ "guid": "eb36f5f4-0fa7-4a2c-85f3-1b1c7c7817c0",
 "services": [
- "WAF"
+ "VM"
 ],
 "severity": "Medium",
- "text": "Leverage FTA Resillency HandBook",
+ "subcategory": "SDN",
+ "text": "There are at least 3 Network Controller VMs deployed",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- 
"description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. Both the EH metadata and the event data itself are replicated across zones",
- "guid": "f15bce21-9e4a-40eb-9787-9424d226786d",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones",
- "service": "Event Hubs",
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "8bc78c85-6028-4a43-af2d-082a0a344909",
+ "link": "https://learn.microsoft.com/windows-server/networking/sdn/manage/update-backup-restore",
 "services": [
- "ACR",
- "WAF",
- "EventHubs"
+ "Backup"
 ],
 "severity": "High",
- "text": "Leverage Availability Zones if regionally applicable",
- "waf": "Reliability"
+ "subcategory": "SDN",
+ "text": "Backups of SDN infrastructure are configured and tested",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "guid": "20b56c56-ad58-4519-8f82-735c586bb281",
- "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers",
- "service": "Event Hubs",
+ "category": "Management and Monitoring",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "51eaa4b6-b9a7-43e1-a7dc-634d3107bc6d",
 "services": [
- "WAF"
+ "Monitor"
 ],
 "severity": "Medium",
- "text": "Use the Premium or Dedicated SKUs for predicable performance",
- "waf": "Reliability"
+ "subcategory": "Cluster",
+ "text": "SCOM Managed Instance has been considered for more complex monitoring and alerting scenarios",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only 
failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations",
- "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal",
- "service": "Event Hubs",
+ "category": "Management and Monitoring",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "831f5aca-99ef-41e7-8263-9509f5093b43",
+ "link": "https://learn.microsoft.com/azure-stack/hci/manage/setup-hci-system-alerts",
 "services": [
- "EventHubs",
- "WAF",
- "ASR"
+ "Monitor"
 ],
 "severity": "High",
- "text": "Plan for Geo Disaster Recovery using Active Passive configuration",
- "waf": "Reliability"
+ "subcategory": "Cluster",
+ "text": "Alerts have been configured for the cluster, either using Azure Monitor, SCOM, or a third-party solution",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs",
- "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview",
- "service": "Event Hubs",
+ "category": "Management and Monitoring",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "f95d0e7e-9f61-476d-bf65-59f2454d1d39",
+ "link": "https://learn.microsoft.com/azure-stack/hci/manage/monitor-hci-single?tabs=22h2-and-later",
 "services": [
- "EventHubs",
- "WAF",
- "ASR"
+ "Monitor"
 ],
 "severity": "Medium",
- "text": "For Business Critical Applications, use Active Active configuration",
- "waf": "Reliability"
+ "subcategory": "Cluster",
+ "text": "Insights has been enabled at the cluster level and all nodes are reporting data",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "WAF checklist",
- "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c",
- "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design",
- "service": "Event Hubs",
+ "category": "Management and Monitoring",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "f4250fcb-ff53-40c9-b304-3560464fd90c",
+ "link": "https://learn.microsoft.com/azure-stack/hci/manage/monitor-hci-single?tabs=22h2-and-later",
 "services": [
- "WAF",
- "EventHubs"
+ "Monitor"
 ],
 "severity": "Medium",
- "text": "Design Resilient Event Hubs",
- "waf": "Reliability"
+ "subcategory": "Cluster",
+ "text": "Azure Monitoring Agent has been deployed to hosts and an appropriate Data Collection Rule has been configured",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "WAF checklist",
- "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20",
- "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
- "service": "Azure Monitor",
+ "category": "Management and 
Monitoring",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "6143af1d-0d1a-4163-b1c9-662f7459bb98",
 "services": [
- "Monitor",
- "WAF"
+ "Monitor"
 ],
 "severity": "Medium",
- "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
- "training": "https://azure.microsoft.com/pricing/reservations/",
- "waf": "Cost"
+ "subcategory": "Hardware",
+ "text": "Relevant hardware monitoring has been configured",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "WAF checklist",
- "guid": "45901365-d38e-443f-abcb-d868266abca2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
- "service": "Azure Backup",
+ "category": "Management and Monitoring",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "9cbdf225-549a-41cf-9c97-794766a6f2b0",
+ "link": "https://learn.microsoft.com/azure-stack/hci/manage/health-service-overview",
 "services": [
- "WAF",
- "Backup"
+ "Monitor"
 ],
 "severity": "Medium",
- "text": "check backup instances with the underlying datasource not found",
- "waf": "Cost"
+ "subcategory": "Hardware",
+ "text": "Relevant hardware alerting has been configured",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "WAF checklist",
- "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
- "service": "VM",
+ "category": "Operations",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "c0da5bbd-0f0d-4a26-98ec-38c9cc42b323",
 "services": [
- "WAF"
+ "VM"
 ],
- "severity": "Medium",
- "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)",
- "waf": "Cost"
+ "severity": "Low",
+ "subcategory": "VM Management - Resource Bridge",
+ "text": "The Azure CLI has been installed on every 
node to enable RB management from WAC",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "WAF checklist",
- "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "service": "Azure Backup",
+ "category": "Networking",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "a8ecf23c-c048-4fa9-b87b-51ebfb409863",
+ "services": [
+ "VM"
+ ],
+ "severity": "Low",
+ "subcategory": "VM Management - Resource Bridge",
+ "text": "DHCP is available in the cluster to support Guest Configuration at VM deployment from Azure",
+ "waf": "Operations"
+ },
+ {
+ "category": "Backup and Disaster Recovery",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "074541e3-fe08-458a-8062-32d13dcc10c6",
+ "link": "https://learn.microsoft.com/azure/backup/back-up-azure-stack-hyperconverged-infrastructure-virtual-machines",
 "services": [
- "Storage",
- "WAF",
 "Backup",
+ "VM",
 "ASR"
 ],
+ "severity": "High",
+ "subcategory": "VM",
+ "text": "Backups of HCI VMs have been configured using MABS or a third-party solution",
+ "waf": "Operations"
+ },
+ {
+ "category": "Operations",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "48f7ae57-1035-4101-8a38-fbe163d03e8a",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Cluster Configuration",
+ "text": "Cluster configuration or a configuration script has been documented and maintained",
+ "waf": "Operations"
+ },
+ {
+ "category": "Operations",
+ "checklist": "Azure Stack HCI Review",
+ "guid": "f2a6a19a-ffe6-444d-badb-cb336c8e7b50",
+ "link": "https://learn.microsoft.com/azure-stack/hci/manage/witness",
+ "services": [],
+ "severity": "High",
+ "subcategory": "Cluster Configuration",
+ "text": "A cluster witness has been configured for clusters with less than 5 nodes",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations",
+ 
"checklist": "Azure Stack HCI Review", + "guid": "a47339fe-62c5-44a0-bb83-3d46ef16292f", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/update-cluster", + "services": [], "severity": "Medium", - "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", - "waf": "Cost" + "subcategory": "Cluster Configuration", + "text": "Cluster-Aware Updating has been configured for Windows and hardware updates (if available)", + "waf": "Operations" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "7f1d6fe8-3079-44ea-8ea6-14494d1aa470", + "link": "https://learn.microsoft.com/azure-stack/hci/deploy/validate", + "services": [], + "severity": "High", + "subcategory": "Cluster Configuration", + "text": "Cluster validation has been run against the configured cluster", + "waf": "Reliability" + }, + { + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "81693af0-5638-4aa2-a153-1d6189df30a7", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits", "services": [ - "Monitor", - "WAF" + "VM" ], "severity": "Medium", - "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). 
- consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "subcategory": "Cluster Configuration", + "text": "Azure Benefits has been enabled at the cluster and VM levels", "waf": "Cost" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "WAF checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "8c967ee8-8170-4537-a28d-33431cd3632a", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/use-environment-checker", + "services": [], + "severity": "Medium", + "subcategory": "Cluster Configuration", + "text": "The Environment Checker module has been run to validate the environment", + "waf": "Reliability" + }, + { + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "43ffbfab-766e-4950-a102-78b479136e4d", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits", "services": [ - "Storage", - "WAF", "AzurePolicy" ], "severity": "Medium", - "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Cost" + "subcategory": "Cluster Configuration", + "text": "Group Policy inheritance on the HCI cluster and node Active Directory organizational unit has been blocked or applied policies have been evaluated for compatibility issues (usually WinRM and PowerShell execution policy)", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": 
"6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "e6a3f3a7-4a7d-49e2-985a-6e39dd284027", + "services": [], + "severity": "Medium", + "subcategory": "Cluster Configuration", + "text": "WAC is on the latest release and configured to automatically upgrade extensions", + "waf": "Reliability" + }, + { + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "d1caa31f-cc26-42b2-b92f-2b667c0e6020", + "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr", "services": [ - "Storage", - "WAF", - "Backup" + "Entra" ], "severity": "Medium", - "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Cost" + "subcategory": "Stretch Clustering", + "text": "There is sub 5ms latency between each site if synchronous replication is being configured AAD", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "3277558e-3155-4088-b49a-78594cb4ce1a", "services": [ "Storage", - "WAF", - "AzurePolicy" + "VNet" ], - "severity": "Medium", - "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": 
"https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Cost" + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "Management, Replication and Storage networks excluded from stretched VLANs configurations, are routed, and in different subnets", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "baed6066-8531-44ba-bd94-38cbabbf4099", + "services": [], + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "There is a plan detailed for site failure and recovery", + "waf": "Operations" + }, + { + "category": "Networking", + "checklist": "Azure Stack HCI Review", + "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b4", "services": [ - "WAF", - "VM" + "ACR" ], "severity": "Medium", - "text": "Make sure advisor is configured for VM right sizing ", - "waf": "Cost" + "subcategory": "Stretch Clustering", + "text": "Separate vLANs and networks are used for each replication network across both sites", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "description": "check by searching the Meter Category Licenses in the Cost analysys", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b5", + "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr#cost-optimization", "services": [ - "Cost", - "AzurePolicy", - "WAF", - "VM" + "Storage" ], - "severity": "Medium", - "text": "run the script on all windows VMs 
https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", - "waf": "Cost" + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "Use either a cloud witness or a file share witness in a third site for cluster quorum for clusters with less than 5 nodes", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b6", + "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr#cost-optimization", + "services": [], + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "When using data deduplication, only enable it on the primary/source volumes", + "waf": "Reliability" + }, + { + "category": "Operations", + "checklist": "Azure Stack HCI Review", + "guid": "ac527887-f6f4-40a3-b883-e04d704f013b", + "link": "https://learn.microsoft.com/windows-server/storage/storage-replica/stretch-cluster-replication-using-shared-storage#provision-operating-system-features-roles-storage-and-network", "services": [ - "LoadBalancer", - "WAF" + "Storage" ], - "severity": "Medium", - "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Cost" + "severity": "High", + "subcategory": "Stretch Clustering", + "text": "Storage backing log volumes must be faster (ideally) or at least as fast as capacity storage", + "waf": "Reliability" }, { 
- "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", + "category": "Backup and Disaster Recovery", + "checklist": "Azure Stack HCI Review", + "guid": "8ea49f70-1038-4283-b0c4-230165d3eabc", + "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-site-recovery", "services": [ - "WAF", - "VM" + "Backup", + "ASR" ], "severity": "Medium", - "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Cost" + "subcategory": "Disaster Recovery", + "text": "Azure Site Recovery has been considered for DR purposes", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", + "category": "Security", + "checklist": "Azure Stack HCI Review", + "guid": "03e65fdc-2628-4a1a-ba2e-a5174340ba52", + "link": "https://learn.microsoft.com/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker", + "services": [], + "severity": "Medium", + "subcategory": "Host", + "text": "BitLocker has been enabled on CSVs for volume encryption, where appropriate", + "waf": "Security" + }, + { + "category": "Security", + "checklist": "Azure Stack HCI Review", + "guid": "9645d2e6-ba28-453c-b6d5-d9ef29fc34be", + "link": "https://learn.microsoft.com/windows-server/storage/file-server/smb-security", + "services": [], + "severity": "Medium", + "subcategory": 
"Host", + "text": "SMB encryption has been enabled, where appropriate", + "waf": "Security" + }, + { + "category": "Security", + "checklist": "Azure Stack HCI Review", + "guid": "8f03437a-5068-4486-9a78-0402ce771298", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server", "services": [ - "Cost", - "WAF", - "ARS", - "VM" + "Defender" ], "severity": "Medium", - "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", - "waf": "Cost" + "subcategory": "Host", + "text": "Microsoft Defender Antivirus has been enabled on all nodes", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", + "category": "Security", + "checklist": "Azure Stack HCI Review", + "guid": "dba6b211-fc02-43b3-b7c8-f163c188332e", + "link": "https://learn.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage", + "services": [], + "severity": "Medium", + "subcategory": "Host", + "text": "Credential Guard has been configured, where appropriate", + "waf": "Security" + }, + { + "category": "Responsible AI", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Metaprompting", + "text": "Follow Metaprompting guardrails for resonsible AI", + "waf": "Operational Excellence" + }, + { + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": 
"https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", "services": [ - "WAF" + "Entra", + "APIM" ], - "severity": "Medium", - "text": "Only larger disks can be reserved => 1 TiB -", - "waf": "Cost" + "severity": "High", + "subcategory": "Load Balancing", + "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", "services": [ - "WAF" + "Monitor" ], - "severity": "Medium", - "text": "After the right-sizing optimization", - "waf": "Cost" + "severity": "High", + "subcategory": "Monitoring", + "text": "Enable monitoring for your AOAI instances", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Sql/servers", - "checklist": "WAF checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", "services": [ - "Cost", - "SQL", - "WAF", - "AzurePolicy" + "AKV", + "Subscriptions", + "Monitor" ], - "severity": "Medium", - "text": "Check if applicable and enforce policy/change 
https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "Cost" + "severity": "High", + "subcategory": "Alerts", + "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "services": [ - "WAF", - "VM" + "Monitor" ], - "severity": "Medium", - "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", - "waf": "Cost" + "severity": "High", + "subcategory": "Monitoring", + "text": "Monitor token usage to prevent service disruptions due to capacity", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "services": [ - "WAF", - "VM" + "Monitor" ], "severity": 
"Medium", - "text": "Consider using a VMSS to match demand rather than flat sizing", - "waf": "Cost" + "subcategory": "Observability", + "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", + "waf": "Operational Excellence" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "Azure OpenAI", "services": [ - "WAF", - "AKS" + "APIM" ], - "severity": "Medium", - "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", - "waf": "Cost" + "severity": "Low", + "subcategory": "Observability", + "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Move recovery points to vault-archive where applicable (Validate)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + 
"link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Infrastructure Deployment", + "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Databricks/workspaces", - "checklist": "WAF checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "services": [ - "LoadBalancer", - "WAF", - "VM" + "Entra" ], - "severity": "Medium", - "text": "Consider using Spot VMs with fallback where possible. 
Consider autotermination of clusters.", - "waf": "Cost" + "severity": "High", + "subcategory": "Authentication", + "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Functions - Reuse connections", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "Cost" + "category": "Responsible AI", + "checklist": "Azure OpenAI Review", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Evaluation", + "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. 
Leverage capabilities in PromptFlow for Evaluation.", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Functions - Cache data locally", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Cost" + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Hosting model", + "text": "Evaluate usage of Provisioned throughput model ", + "waf": "Performance" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "services": [ - "Storage", - "WAF" - ], - "severity": "Medium", - "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Cost" + "category": "Responsible AI", + "checklist": "Azure OpenAI Review", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Content Safety", + "text": "Review and implement Azure AI content safety", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Functions - Keep your functions warm", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Cost" + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Throughput definition", + "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", + "waf": "Performance" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", - "services": [ - "WAF" - ], + "category": "Operations Management", + 
"checklist": "Azure OpenAI Review", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)", - "waf": "Cost" + "subcategory": "Latency improvement", + "text": "Improve latency of the system by limiting token sizes, streaming options", + "waf": "Performance" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "services": [ - "WAF" + "Storage", + "ServiceBus" ], "severity": "Medium", - "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", - "waf": "Cost" + "subcategory": "Elasticity segregation", + "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. 
For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", + "waf": "Performance" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "WAF checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "Cost" + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "5bda4332-4f24-4811-9331-82ba51752694", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Benchmarking", + "text": "Benchmark token consumption requirements based on estimated demands from consumers. 
Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", - "services": [ - "WAF", - "FrontDoor", - "EventHubs" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.", - "waf": "Cost" + "subcategory": "Elasticity ", + "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. 
Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "WAF checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", - "services": [ - "AppSvc", - "WAF", - "FrontDoor" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Model choice", + "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity", + "waf": "Performance" + }, + { + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "e9951904-8384-45c9-a6cb-2912156a1147", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. 
The advantage of this is you will be able to log out when it is called.", - "waf": "Cost" + "subcategory": "Fine tuning", + "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", + "category": "BC and DR", + "checklist": "Azure OpenAI Review", + "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", "services": [ - "WAF" + "ACR" ], - "severity": "Medium", - "text": "Consider archiving tiers for less used data", - "waf": "Cost" + "severity": "Low", + "subcategory": "Multi-region architecture", + "text": "Deploy multiple OAI instances across regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", + "category": "BC and DR", + "checklist": "Azure OpenAI Review", + "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", "services": [ - "WAF" + "Entra", + "APIM" ], + "severity": "High", + "subcategory": "Load balancing", + "text": "Implement retry & healthchecks with Gateway pattern like APIM", + "waf": "Reliability" + }, + { + "category": "BC and DR", + "checklist": "Azure OpenAI Review", + "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing", - "waf": "Cost" + "subcategory": "Quotas", + "text": "Ensure having adequate quotas of TPM & RPM for the workload", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "services": [ - "WAF" - ], + "category": "Responsible AI", + "checklist": "Azure OpenAI Review", + "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", + "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Consider using standard SSD rather than Premium or Ultra where possible", - "waf": "Cost" + "subcategory": "UX best practice", + "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", + "category": "BC and DR", + "checklist": "Azure OpenAI Review", + "guid": "7f154e3a-a369-4282-ae7e-316183687a04", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Azure OpenAI", "services": [ - "Storage", - "WAF" + "ACR" ], "severity": "Medium", - "text": "For storage accounts, make 
sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", - "waf": "Cost" + "subcategory": "Load balancing", + "text": "Deploy separate fine tuned models across regions if finetuning is employed", + "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "WAF checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", + "category": "BC and DR", + "checklist": "Azure OpenAI Review", + "guid": "77a1f893-5bda-4433-84f2-4811633182ba", + "link": "https://learn.microsoft.com/azure/backup/backup-overview", + "service": "Azure OpenAI", "services": [ - "WAF", + "Backup", "ASR" ], "severity": "Medium", - "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", - "waf": "Cost" + "subcategory": "Data Backup and Disaster Recovery", + "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. 
Leverage Azure's backup and disaster recovery services to protect your data.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "services": [ - "Storage", - "WAF" - ], - "severity": "Medium", - "text": "Storage accounts: check hot tier and/or GRS necessary", - "waf": "Cost" + "category": "BC and DR", + "checklist": "Azure OpenAI Review", + "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "SLA considerations", + "text": "Azure AI search service tiers should be choosen to have a SLA ", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", - "waf": "Cost" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", + "link": "https://learn.microsoft.com/purview/purview", + "service": "Azure OpenAI", + "services": [], + "severity": "Low", + "subcategory": "Data Sensitivity", + "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "WAF checklist", - 
"guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "services": [ - "Cost", - "Monitor", - "WAF", - "EventHubs" - ], - "severity": "Medium", - "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", - "waf": "Cost" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Encryption at Rest", + "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "WAF checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", + "link": "https://learn.microsoft.com/azure/search/search-security-overview", + "service": "Azure OpenAI", "services": [ - "Cost", - "Storage", - "WAF" + "ACR" ], - "severity": "Medium", - "text": "Export cost data to a storage account for additional data analysis.", - "waf": "Cost" + "severity": "High", + "subcategory": "Transit Encryption", + "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "WAF checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", + "category": 
"Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", "services": [ - "Cost", - "SQL", - "WAF" + "RBAC" ], - "severity": "Medium", - "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", - "waf": "Cost" + "severity": "High", + "subcategory": "Access Control", + "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "WAF checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "services": [ - "WAF" - ], + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", + "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", - "waf": "Cost" + "subcategory": "Data Masking and Redaction", + "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "WAF checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", + "category": "Governance and Security", + 
"checklist": "Azure OpenAI Review", + "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", + "service": "Azure OpenAI", "services": [ - "WAF" + "Sentinel", + "Defender", + "Monitor" ], - "severity": "Medium", - "text": "Create multiple Apache Spark pool definitions of various sizes.", - "waf": "Cost" + "severity": "High", + "subcategory": "Threat Detection and Monitoring", + "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response", + "waf": "Security" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "WAF checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", + "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", + "service": "Azure OpenAI", "services": [ - "Cost", - "WAF" + "AzurePolicy" ], "severity": "Medium", - "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "subcategory": "Data Retention and Disposal", + "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "services": [ - "Cost", - "WAF", - "VM" - ], - "severity": "Medium", - "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "category": "Responsible AI", + "checklist": "Azure OpenAI Review", + "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Jail break Safety", + "text": "Implement Prompt shields and groundedness detection using Content Safety ", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "services": [ - "WAF", - "VM" - ], - "severity": "Medium", - "text": "Right-sizing all VMs", - "waf": "Cost" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", + "link": "https://learn.microsoft.com/azure/compliance/", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Data Privacy and Compliance", + "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls 
and obtaining necessary consents or permissions for data processing activities.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "services": [ - "WAF", - "VM" - ], + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Swap VM sized with normalized and most recent sizes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "subcategory": "Employee Awareness and Training", + "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "services": [ - "Monitor", - "WAF", - "VM" - ], - "severity": "Medium", - "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Cost" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Environment segregation", + "text": "Keep production data separate from development and testing data. 
Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "WAF checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "services": [ - "WAF", - "VM" - ], + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Containerizing an application can improve VM density and save money on scaling it", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Cost" + "subcategory": "Index Segregation", + "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", + "service": "Azure OpenAI", "services": [ - "AzurePolicy", - "WAF" + "RBAC", + "AzurePolicy" ], "severity": "Medium", - "text": "Implement an error handling policy at the global level", - "waf": "Operations" + "subcategory": "Sensitive Data in Separate Instances", + "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. 
Each instance can be controlled with its own specific set of RBAC policies", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", - "services": [ - "AzurePolicy", - "WAF" - ], - "severity": "Medium", - "text": "Ensure all APIs policies include a element.", - "waf": "Operations" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Embedding and Vector handling", + "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. This data should be afforded the same protective measures as the source material", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", "services": [ - "AzurePolicy", - "ACR", - "WAF" + "RBAC" ], - "severity": "Medium", - "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", - "waf": "Operations" + "severity": "High", + "subcategory": "Access control", + "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", 
- "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", + "service": "Azure OpenAI", "services": [ - "WAF" + "PrivateLink" ], - "severity": "Medium", - "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", - "waf": "Operations" + "severity": "High", + "subcategory": "Network security", + "text": "Configure private endpoint for AI services to restrict service access within your network", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", + "service": "Azure OpenAI", "services": [ - "Monitor", - "WAF" + "VNet", + "Firewall" ], "severity": "High", - "text": "Enable Diagnostics Settings to export logs to Azure Monitor", - "waf": "Operations" + "subcategory": "Network security", + "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Enable Application Insights for 
more detailed telemetry", - "waf": "Operations" + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Control Network Access", + "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", + "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", + "service": "Azure OpenAI", "services": [ - "Monitor", - "WAF" + "Cost" ], - "severity": "High", - "text": "Configure alerts on the most critical metrics", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Token Optimization", + "text": "Use prompt compression tools like LLMLingua or gprtrim", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "services": [ - "WAF", + "Entra", 
"AKV" ], "severity": "High", - "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", + "subcategory": "Secure APIs and Endpoints", + "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", - "services": [ - "WAF", - "Entra" - ], - "severity": "High", - "text": "Protect incoming requests to APIs (data plane) with Azure AD", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", + "service": "Azure OpenAI", + "services": [], + "severity": "Medium", + "subcategory": "Implement Strong Authentication", + "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "93555620-2bfe-4456-9b0d-834a348b263e", + "service": "Azure OpenAI", 
"services": [ - "WAF", - "Entra" + "Monitor" ], "severity": "Medium", - "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", + "subcategory": "Use Network Monitoring", + "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", - "services": [ - "WAF" - ], + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Create appropriate groups to control the visibility of the products", + "subcategory": "Security Audits and Penetration Testing", + "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "Azure OpenAI", + "services": [], + "severity": "Low", + "subcategory": "Infrastructure Deployment", + "text": "Azure AI Services are properly tagged for better management", + "waf": "Operational Excellence" + }, + { + "category": "Governance and 
Security", + "checklist": "Azure OpenAI Review", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "Azure OpenAI", + "services": [], + "severity": "Low", + "subcategory": "Infrastructure Deployment", + "text": "Azure AI Service accounts follows organizational naming conventions", + "waf": "Operational Excellence" + }, + { + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Diagnostics Logging", + "text": "Diagnostic logs in Azure AI services resources should be enabled", + "waf": "Operational Excellence" + }, + { + "category": "Identity and Access Management", + "checklist": "Azure OpenAI Review", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/ai-services/authentication", + "service": "Azure OpenAI", "services": [ - "WAF" + "Entra" ], - "severity": "Medium", - "text": "Use Backends feature to eliminate redundant API backend configurations", - "waf": "Operations" + "severity": "High", + "subcategory": "Entra ID based access", + "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. 
", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", "services": [ - "AzurePolicy", - "WAF" + "Entra", + "AKV" ], - "severity": "Medium", - "text": "Use Named Values to store common values that can be used in policies", - "waf": "Operations" + "severity": "High", + "subcategory": "Secure Key Management", + "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", "services": [ - "ACR", - "WAF" + "AKV" ], - "severity": "Medium", - "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", - "waf": "Reliability" + "severity": "High", + "subcategory": "Key Rotation and Expiration", + "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", + "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - 
"checklist": "WAF checklist", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "Azure OpenAI", "services": [ - "WAF" + "Cost" ], - "severity": "Medium", - "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", - "waf": "Reliability" + "severity": "High", + "subcategory": "Token Optimization", + "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + "subcategory": "Secure coding practice", + "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations", + "waf": "Security" + }, + { + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "Azure OpenAI", + "services": [], + "severity": "High", + 
"subcategory": "Patching and updates", + "text": "Setup a process to regularly update and patch the LLM libraries and other system components", + "waf": "Security" + }, + { + "category": "Responsible AI", + "checklist": "Azure OpenAI Review", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "Azure OpenAI", "services": [ - "WAF", - "Backup" + "AzurePolicy" ], "severity": "High", - "text": "Ensure there is an automated backup routine", - "waf": "Reliability" + "subcategory": "Governance", + "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "Azure OpenAI", "services": [ - "AzurePolicy", - "WAF" + "Cost" ], "severity": "Medium", - "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", - "waf": "Reliability" + "subcategory": "Cost familiarization", + "text": "Understand difference in cost of base models and fine tuned models and token step sizes", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", 
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "services": [ - "AzurePolicy", - "WAF", - "EventHubs" + "Cost" ], - "severity": "Low", - "text": "If you need to log at high performance levels, consider Event Hubs policy", - "waf": "Operations" + "severity": "High", + "subcategory": "Batch processing", + "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", "services": [ - "AzurePolicy", - "WAF" + "Cost", + "Monitor" ], "severity": "Medium", - "text": "Apply throttling policies to control the number of requests per second", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "Performance" + "subcategory": "Cost monitoring", + "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", "services": [ - "WAF" + "Cost" ], "severity": "Medium", - "text": "Configure autoscaling to scale out the number of instances when the load increases", - "waf": "Performance" + "subcategory": "Token limit", + "text": "Set a maximum limit on the number of tokens per model response. Optimize the size to ensure it is large enough for a valid response", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", - "services": [ - "WAF" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", - "waf": "Performance" + "subcategory": "AI Search Reliability", + "text": "Review the guidance provided on setting up AI search for Reliability", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", "services": [ - "WAF" + "Storage" ], "severity": "Medium", - "text": "Use the premium tier for production 
workloads.", - "waf": "Reliability" + "subcategory": "AI Search Vector Limits", + "text": "Plan and manage AI Search Vector storage", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", - "services": [ - "AzurePolicy", - "WAF" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", - "waf": "Reliability" + "subcategory": "DevOps", + "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", "services": [ - "APIM", - "WAF", - "Entra" + "Cost" ], "severity": "High", - "text": "Be aware of APIM's limits", - "waf": "Reliability" + "subcategory": "Costing Model", + "text": "Evaluate usage of billing models - PAYG 
vs PTU", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Ensure that the self-hosted gateway deployments are resilient.", - "waf": "Reliability" + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "Azure OpenAI", + "services": [], + "severity": "Medium", + "subcategory": "DevOps", + "text": "Evaluate the quality of prompts and applications when switching between model versions", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "Azure OpenAI", "services": [ - "APIM", - "WAF", - "FrontDoor", - "Entra" + "Monitor" ], "severity": "Medium", - "text": "Use Azure Front Door in front of APIM for multi-region deployment", - "waf": "Performance" + "subcategory": "Development", + "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence, fluency, �", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": 
"cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", - "services": [ - "WAF", - "VNet" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Deploy the service within a Virtual Network (VNet)", - "waf": "Security" + "subcategory": "Development", + "text": "Evaluate your Azure AI Search results based on different search parameters", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", - "services": [ - "APIM", - "Monitor", - "VNet", - "Entra", - "WAF" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "2744293b-b628-4537-a551-19b08e8f5854", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", - "waf": "Security" + "subcategory": "Development", + "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": 
"67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", - "services": [ - "APIM", - "VNet", - "Entra", - "WAF", - "PrivateLink" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", - "waf": "Security" + "subcategory": "Development", + "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", - "services": [ - "WAF" - ], - "severity": "High", - "text": "Disable Public Network Access", + "category": "Governance and Security", + "checklist": "Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "Azure OpenAI", + "services": [], + "severity": "Medium", + "subcategory": "Security Audits and Penetration Testing", + "text": "Red team your GenAI applications", "waf": "Security" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": 
"0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", - "services": [ - "WAF" - ], + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "Azure OpenAI", + "services": [], "severity": "Medium", - "text": "Simplify management with PowerShell automation scripts", - "waf": "Operations" + "subcategory": "End user feedback", + "text": "Provide end users with scoring options for LLM responses and track these scores. ", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "category": "Cost Optimization", + "checklist": "Azure OpenAI Review", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "services": [ - "APIM", - "WAF", - "Entra" + "Cost" ], - "severity": "Medium", - "text": "Configure APIM via Infrastructure-as-code. 
Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", - "waf": "Operations" + "severity": "High", + "subcategory": "Quota Management", + "text": "Consider Quota management practices", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "category": "Operations Management", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "Azure OpenAI", "services": [ + "Entra", "APIM", - "WAF", - "Entra" + "LoadBalancer", + "ACR" ], "severity": "Medium", - "text": "Promote usage of Visual Studio Code APIM extension for faster API development", - "waf": "Operations" + "subcategory": "Load Balancing", + "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Implement DevOps and CI/CD in your workflow", - "waf": "Operations" + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", 
- "checklist": "WAF checklist", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", - "services": [ - "WAF" - ], + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "services": [], "severity": "Medium", - "text": "Secure APIs using client certificate authentication", - "waf": "Security" + "subcategory": "High Availability", + "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", - "services": [ - "WAF" - ], - "severity": "Medium", - "text": "Secure backend services using client certificate authentication", - "waf": "Security" + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" + }, + { + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Learn how 
to trigger a manual failover.", + "waf": "Reliability" + }, + { + "category": "BC and DR", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Learn how to fail back after a failover.", + "waf": "Reliability" + }, + { + "category": "BC and DR", + "checklist": "Container Apps Review", + "guid": "af416482-663c-4ed6-b195-b44c7068e09c", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", + "service": "Container Apps", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" + }, + { + "category": "BC and DR", + "checklist": "Container Apps Review", + "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", + "service": "Container Apps", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "Use more than one replica and enable Zone Redundancy.", + "waf": "Reliability" + }, + { + "category": "BC and DR", + "checklist": "Container Apps Review", + "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", + "services": [], + "severity": "High", + "subcategory": "High Availability", + "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - 
"checklist": "WAF checklist", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "category": "BC and DR", + "checklist": "Container Apps Review", + "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "services": [ - "WAF" + "TrafficManager", + "FrontDoor" ], - "severity": "Medium", - "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", - "waf": "Security" + "severity": "High", + "subcategory": "High Availability", + "text": "Use Front Door or Traffic Manager to route traffic to the closest region", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "category": "Operations Management", + "checklist": "PostgreSQL Review Checklist", + "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", + "service": "PostgreSQL", "services": [ - "WAF" + "SQL" ], "severity": "Medium", - "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Leverage Flexible Server", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "category": "Operations Management", + "checklist": 
"PostgreSQL Review Checklist", + "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", + "service": "PostgreSQL", "services": [ - "WAF" + "SQL" ], "severity": "High", - "text": "Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Leverage Availability Zones where regionally applicable", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "category": "Operations Management", + "checklist": "PostgreSQL Review Checklist", + "guid": "31b67c67-be59-4519-8083-845d587cb391", + "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", + "service": "PostgreSQL", "services": [ - "WAF", - "AKV" + "SQL" ], + "severity": "Medium", + "subcategory": "Best Practices", + "text": "Leverage cross-region read replicas for BCDR", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Stream Analytics Review Checklist", + "guid": "32e52e36-11c8-418b-8a0b-c511e43a18a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-stream_analytics_v1.docx", + "services": [], "severity": "High", - "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", - "waf": "Security" + "subcategory": "High Availablity ", + "text": "Leverage FTA Resiliency Handbook for 
Stream Analytics", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", - "services": [ - "WAF", - "Entra" - ], + "category": "Operations Management", + "checklist": "Stream Analytics Review Checklist", + "description": "Azure Stream Analytics provides high availability (99.9% SLA) for jobs and clusters within a region, the details of which are transparent to the end customer. If failures occur within the service, per the documentation �Azure Stream Analytics guarantees exactly once event processing and at-least-once delivery of events, so events are never lost.�", + "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", + "link": "https://azure.microsoft.com/en-in/products/stream-analytics", + "services": [], "severity": "Medium", - "text": "Use managed identities to authenticate to other Azure resources whenever possible", - "waf": "Security" + "subcategory": "High Availablity ", + "text": "Understand High Availability 99% SLA and use it to plan your DR strategy", + "waf": "Reliability" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "WAF checklist", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", - "services": [ - "APIM", - "AppGW", - "WAF", - "Entra" - ], - "severity": "High", - "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", - "waf": "Security" + "category": "Operations Management", + "checklist": "Stream 
Analytics Review Checklist", + "description": "Azure Stream Analytics resources (jobs, clusters, etc.) are regional and do not provide automatic geo-failover. However, you can achieve geo-redundancy by deploying identical Stream Analytics jobs in multiple Azure regions. Each job connects to local input and output sources. It is the responsibility of your application to both send input data into the two regional inputs and reconcile between the two regional outputs.", + "guid": "fc833934-8b26-42d6-ac5f-512925498e6d", + "link": "https://learn.microsoft.com/azure/stream-analytics/geo-redundancy", + "services": [], + "severity": "Medium", + "subcategory": "Geo Redundancy", + "text": "Plan for Geo Redudancy of the service", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", - "services": [ - "Storage", - "WAF" - ], + "category": "Operations Management", + "checklist": "Stream Analytics Review Checklist", + "guid": "b9d37dac-43bc-46cd-8d7a-a9b24604489a", + "link": "https://learn.microsoft.com/azure/stream-analytics/geo-redundancy", + "services": [], "severity": "Medium", - "text": "Consider the 'Azure security baseline for storage'", - "waf": "Security" + "subcategory": "Geo Redundancy", + "text": "Depending on your availablity requirement, configure Active/Active configuration or Active/Passive configuration ", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", + "category": "Application Deployment", + "checklist": "Azure AKS Review", + "guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks", "services": [ - "Storage", - "WAF", - "PrivateLink" + "AKS" ], - "severity": "High", - "text": "Consider using private endpoints for Azure Storage", - "waf": "Security" + "severity": "Medium", + "subcategory": "Development", + "text": "Use canary or blue/green deployments", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "category": "Application Deployment", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", "services": [ - "RBAC", - "Storage", - "WAF", - "Subscriptions" + "AKS" ], - "severity": "Medium", - "text": "Ensure older storage accounts are not using 'classic deployment model'", - "waf": "Security" + "severity": "Low", + "subcategory": "Development", + "text": "If required for AKS Windows workloads HostProcess containers can be used", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "category": "Application Deployment", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", "services": [ - "Storage", - "WAF", - "Defender" + "AKS" ], - "severity": "High", - "text": "Enable Microsoft Defender for all of your storage accounts", - "waf": "Security" + "severity": "Low", + "subcategory": "Development", + "text": "Use KEDA if running event-driven workloads", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", - "guid": 
"503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "category": "Application Deployment", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", "services": [ - "Storage", - "WAF" + "AKS" ], - "severity": "Medium", - "text": "Enable 'soft delete' for blobs", - "waf": "Security" + "severity": "Low", + "subcategory": "Development", + "text": "Use Dapr to ease microservice development", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "category": "Application Deployment", + "checklist": "Azure AKS Review", + "guid": "3acbe04b-be20-49d3-afda-47778424d116", + "link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks", "services": [ - "Storage", - "WAF" + "AKS" ], "severity": "Medium", - "text": "Disable 'soft delete' for blobs", - "waf": "Security" + "subcategory": "Infrastructure as Code", + "text": "Use automation through ARM/TF to create your Azure resources", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - 
"service": "Azure Storage", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "36cb45e5-7960-4332-9bdf-8cc23318da61", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", "services": [ - "WAF" + "ASR", + "AKS" ], "severity": "High", - "text": "Enable 'soft delete' for containers", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Schedule and perform DR tests regularly", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "170265f4-bb46-4a39-9af7-f317284797b1", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", "services": [ - "Storage", - "WAF" + "LoadBalancer", + "TrafficManager", + "FrontDoor", + "AKS" ], "severity": "Medium", - "text": "Disable 'soft delete' for containers", - "waf": "Security" + "subcategory": "High Availability", + "text": "Use Azure Traffic Manager or Azure Front Door as a global load balancer for region failover", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "category": 
"BC and DR", + "checklist": "Azure AKS Review", + "graph": "resources | where type=='microsoft.containerservice/managedclusters' | extend compliant= isnotnull(properties.agentPoolProfiles[0].availabilityZones) | distinct id,compliant", + "guid": "578a219a-46be-4b54-9350-24922634292b", + "link": "https://learn.microsoft.com/azure/aks/availability-zones", "services": [ - "Storage", - "WAF" + "AKS" ], - "severity": "High", - "text": "Enable resource locks on storage accounts", - "waf": "Security" + "severity": "Medium", + "subcategory": "High Availability", + "text": "Use Availability Zones if they are supported in your Azure region", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", "services": [ - "Storage", - "WAF", - "AzurePolicy", - "Subscriptions" + "AKS" ], "severity": "High", - "text": "Consider immutable blobs", - "waf": "Security" + "subcategory": "High Availability", + "text": "Use the SLA-backed AKS offering", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": 
"Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - "Storage", - "WAF" + "Cost", + "AKS" ], - "severity": "High", - "text": "Require HTTPS, i.e. disable port 80 on the storage account", - "waf": "Security" + "severity": "Low", + "subcategory": "High Availability", + "text": "Use Disruption Budgets in your pod and deployment definitions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "services": [ - "Storage", - "WAF" + "ACR", + "AKS" ], "severity": "High", - "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", - "waf": "Security" + "subcategory": "High Availability", + "text": "If using a private registry, configure region replication to store images in multiple regions", + "waf": "Reliability" }, { - "arm-service": 
"Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "daa9a260-c3ea-4490-b077-5fc1f2a80cb0", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", "services": [ "Storage", - "WAF" + "ASR", + "AKS" ], - "severity": "Medium", - "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", - "waf": "Security" + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Use Zone-Redundant Storage (ZRS) with stateful workloads", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "AAD tokens should be favored over shared access signatures, wherever possible", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "category": "BC and DR", + "checklist": "Azure AKS Review", + "guid": "bc14aea6-e65d-48d9-a3ad-c218e6436b06", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", "services": [ - "Storage", - "WAF", - "Entra" + "AKS" ], "severity": "High", - "text": "Use Azure Active Directory (Azure AD) tokens for blob access", - "waf": "Security" + "subcategory": "Requirements", + "text": "Define non-functional requirements such as SLAs, RTO (Recovery Time Objective) and RPO (Recovery Point Objective).", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "When assigning a 
role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "category": "Cost Governance", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", "services": [ - "RBAC", - "WAF" + "Cost", + "AKS" ], - "severity": "Medium", - "text": "Least privilege in IaM permissions", - "waf": "Security" + "severity": "Low", + "subcategory": "Cost", + "text": "Use an external application such as kubecost to allocate costs to different users", + "waf": "Cost" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", + "category": "Cost Governance", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", "services": [ - "Storage", - "WAF", - "Entra" + "Cost", + "AKS" ], - "severity": "High", - "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", - "waf": "Security" + "severity": "Low", + "subcategory": "Cost", + "text": "Use scale down mode to delete/deallocate nodes", + "waf": "Cost" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. 
", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "category": "Cost Governance", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "services": [ - "AKV", - "Storage", - "Monitor", - "Entra", - "WAF" + "Cost", + "AKS" ], - "severity": "High", - "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.", - "waf": "Security" + "severity": "Medium", + "subcategory": "Cost", + "text": "When required use multi-instance partitioning GPU on AKS Clusters", + "waf": "Cost" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "category": "Cost Governance", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", "services": [ - "AzurePolicy", - "AKV", - "Storage", - "Monitor", - "WAF" + "Cost", + "AKS" ], - "severity": "High", - "text": "Consider using Azure Monitor to audit control plane operations on the storage account", - "waf": "Security" + "severity": "Low", + "subcategory": "Cost", + "text": "If running a Dev/Test cluster use NodePool Start/Stop", + "waf": "Cost" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. 
The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "services": [ - "Storage", - "WAF", "AzurePolicy", - "AKV" + "AKS" ], "severity": "Medium", - "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "subcategory": "Compliance", + "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "services": [ - "AzurePolicy", - "WAF" + "AKS" ], "severity": "Medium", - "text": "Consider configuring an SAS expiration policy", + "subcategory": "Compliance", + "text": "Separate applications from the control plane with user/system node pools", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "services": [ - "AzurePolicy", - "WAF", - "Storage", - "AKV" + "AKS" ], - "severity": "Medium", - "text": "Consider linking SAS to a stored access policy", + "severity": "Low", + "subcategory": "Compliance", + "text": "Add taint to your system nodepool to make it dedicated", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "services": [ - "Storage", - "WAF", - "AKV" + "ACR", + "AKS" ], "severity": "Medium", - "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", + "subcategory": "Compliance", + "text": "Use a private registry for your images, such as ACR", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "services": [ - "Storage", - "WAF", - "Entra" + "AKS" ], - "severity": "High", - "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "severity": "Medium", + "subcategory": "Compliance", + "text": "Scan your images for vulnerabilities", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "cc639637-a652-42ac-89e8-06965388e9de", + "link": "https://learn.microsoft.com/azure/security-center/container-security", "services": [ - "Storage", - "WAF", - "AzurePolicy" + "Defender", + "AKS" ], - "severity": "High", - "text": "Strive for short validity periods for ad-hoc SAS", + "severity": "Medium", + "subcategory": "Compliance", + "text": "Use Azure Security Center to detect security posture vulnerabilities", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "42d4aefe-2383-470e-b019-c30df24996b2", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool", "services": [ - "WAF" + "AKS" ], - "severity": "Medium", - "text": "Apply a narrow scope to a SAS", + "severity": "Low", + "subcategory": "Compliance", + "text": "If required configure FIPS", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "services": [ - "WAF" + "AKS" ], - "severity": "Medium", - "text": "Consider scoping SAS to a specific client IP address, wherever possible", + "severity": "High", + "subcategory": "Compliance", + "text": "Define app separation requirements (namespace/nodepool/cluster)", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "services": [ - "Storage", - "WAF" + "AKV", + "AKS" ], - "severity": "Low", - "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", + "severity": "Medium", + "subcategory": "Secrets", + "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. 
Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "services": [ - "RBAC", - "Storage", - "WAF", - "Entra" + "AKV", + "AKS" ], "severity": "High", - "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", + "subcategory": "Secrets", + "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "services": [ - "WAF" + "AKV", + "AKS" ], "severity": "Medium", - "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", + "subcategory": "Secrets", + "text": "If required add Key Management Service etcd encryption", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. 
When enabling CORS, keep the CorsRules to the least privilege.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", "services": [ - "Storage", - "WAF", - "AzurePolicy" + "AKV", + "AKS" ], - "severity": "High", - "text": "Avoid overly broad CORS policies", + "severity": "Low", + "subcategory": "Secrets", + "text": "If required consider using Confidential Compute for AKS", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "category": "Governance and Security", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "services": [ - "Storage", - "WAF" + "AKV", + "Defender", + "AKS" ], - "severity": "High", - "text": "Determine how data at rest should be encrypted. 
Understand the thread model for data.", + "severity": "Medium", + "subcategory": "Secrets", + "text": "Consider using Defender for Containers", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "services": [ - "WAF" + "Entra", + "AKS" ], - "severity": "Medium", - "text": "Determine which/if platform encryption should be used.", + "severity": "High", + "subcategory": "Identity", + "text": "Use managed identities instead of Service Principals", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "services": [ - "WAF" + "Entra", + "AKS" ], "severity": "Medium", - "text": "Determine which/if client-side encryption should be used.", + "subcategory": "Identity", + "text": 
"Integrate authentication with AAD (using the managed integration)", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "services": [ - "Storage", - "WAF" + "Entra", + "AKS" ], - "severity": "High", - "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. 
", + "severity": "Medium", + "subcategory": "Identity", + "text": "Limit access to admin kubeconfig (get-credentials --admin)", "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Azure Storage", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "services": [ - "Storage", - "WAF" + "Entra", + "RBAC", + "AKS" ], - "severity": "High", - "text": "Leverage a storagev2 account type for better performance and reliability", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity", + "text": "Integrate authorization with AAD RBAC", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "services": [ - "Storage", - "WAF" + "Entra", + "RBAC", + "AKS" ], "severity": "High", - "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Use namespaces for restricting RBAC privilege in Kubernetes", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", 
- "service": "Azure Storage", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "services": [ - "WAF" + "Entra", + "AKS" ], "severity": "Medium", - "text": "For write operation after failover, use customer-Managed Failover ", - "waf": "Reliability" + "subcategory": "Identity", + "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "services": [ - "WAF" + "Entra", + "AKS" ], "severity": "Medium", - "text": "Understand Microsoft-Managed Failover details", - "waf": "Reliability" + "subcategory": "Identity", + "text": "For AKS non-interactive logins use kubelogin (preview)", + "waf": "Security" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "WAF checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Azure Storage", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": 
"https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "services": [ - "WAF" + "Entra", + "AKS" ], "severity": "Medium", - "text": "Enable Soft Delete", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Disable AKS local accounts", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", "service": "AKS", "services": [ - "WAF", + "Entra", "AKS" ], "severity": "Low", - "text": "If required for AKS Windows workloads HostProcess containers can be used", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Configure if required Just-in-time cluster access", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", "service": "AKS", "services": [ - "WAF" + "Entra", + "AKS" ], "severity": "Low", - "text": "Use KEDA if running event-driven workloads", - "waf": "Performance" + "subcategory": "Identity", + "text": "Configure if required AAD conditional access for AKS", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": 
"https://dapr.io/", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", "service": "AKS", "services": [ - "WAF" + "Entra", + "AKS" ], "severity": "Low", - "text": "Use Dapr to ease microservice development", - "waf": "Operations" + "subcategory": "Identity", + "text": "If required for Windows AKS workloads configure gMSA ", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "category": "Identity and Access Management", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", "service": "AKS", "services": [ - "WAF", + "Entra", "AKS" ], - "severity": "High", - "text": "Use the SLA-backed AKS offering", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity", + "text": "For finer control consider using a managed Kubelet Identity", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", "service": "AKS", "services": [ - "Cost", - "WAF" + "ACR", + "AppGW", + "AKS" ], - "severity": "Low", - "text": "Use 
Disruption Budgets in your pod and deployment definitions", + "severity": "Medium", + "subcategory": "Best practices", + "text": "If using AGIC, do not share an AppGW across clusters", "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "WAF checklist", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "services": [ - "ACR", - "WAF" + "AKS" ], "severity": "High", - "text": "If using a private registry, configure region replication to store images in multiple regions", + "subcategory": "Best practices", + "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", "service": "AKS", "services": [ - "Cost", - "WAF" + "AKS" ], - "severity": "Low", - "text": "Use an external application such as kubecost to allocate costs to different users", - "waf": "Cost" + 
"severity": "Medium", + "subcategory": "Best practices", + "text": "For Windows workloads use Accelerated Networking", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", "service": "AKS", "services": [ - "WAF" + "LoadBalancer", + "AKS" ], - "severity": "Low", - "text": "Use scale down mode to delete/deallocate nodes", - "waf": "Cost" + "severity": "High", + "subcategory": "Best practices", + "text": "Use the standard ALB (as opposed to the basic one)", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", "service": "AKS", "services": [ - "WAF", + "VNet", "AKS" ], "severity": "Medium", - "text": "When required use multi-instance partitioning GPU on AKS Clusters", - "waf": "Cost" + "subcategory": "Best practices", + "text": "If using Azure CNI, consider using different Subnets for NodePools", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": 
"https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", "service": "AKS", "services": [ - "WAF" + "PrivateLink", + "VNet", + "Cost", + "AKS" ], - "severity": "Low", - "text": "If running a Dev/Test cluster use NodePool Start/Stop", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Cost", + "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", + "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "e8a03f97-8794-468d-96a7-86d60f96c97b", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", "services": [ - "AzurePolicy", - "WAF", + "VPN", "AKS" ], "severity": "Medium", - "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", - "waf": "Security" + "subcategory": "HA", + "text": "If hybrid connectivity is required, use 2xER or ER+VPN for better availability", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project 
id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", "service": "AKS", "services": [ - "WAF" + "AKS" ], - "severity": "Medium", - "text": "Separate applications from the control plane with user/system node pools", - "waf": "Security" + "severity": "High", + "subcategory": "IPAM", + "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", "service": "AKS", "services": [ - "WAF" + "VNet", + "AKS" ], - "severity": "Low", - "text": "Add taint to your system nodepool to make it dedicated", - "waf": "Security" + "severity": "High", + "subcategory": "IPAM", + "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", + "category": "Network Topology and Connectivity", + "checklist": 
"Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", "service": "AKS", "services": [ - "ACR", - "WAF" + "AKS" ], - "severity": "Medium", - "text": "Use a private registry for your images, such as ACR", - "waf": "Security" + "severity": "High", + "subcategory": "IPAM", + "text": "If using Azure CNI, check the maximum pods/node (default 30)", + "waf": "Performance" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "WAF checklist", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", "services": [ - "WAF" + "VNet", + "AKS" ], - "severity": "Medium", - "text": "Scan your images for vulnerabilities", + "severity": "Low", + "subcategory": "IPAM", + "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", "service": "AKS", "services": [ - "WAF" + "AKS" ], "severity": "High", - "text": "Define app separation requirements (namespace/nodepool/cluster)", - "waf": "Security" + "subcategory": "IPAM", + "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", "service": "AKS", "services": [ - "WAF", - "AKV" + "AKS" ], - "severity": "Medium", - "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", + "severity": "Low", + "subcategory": 
"Operations", + "text": "If required add your own CNI plugin", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", "service": "AKS", "services": [ - "WAF" + "AKS" ], - "severity": "High", - "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", - "waf": "Security" + "severity": "Low", + "subcategory": "Operations", + "text": "If required configure Public IP per node in AKS", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", "service": "AKS", "services": [ - "WAF" + "AKS" ], "severity": "Medium", - "text": "If required add Key Management Service etcd encryption", - "waf": "Security" + "subcategory": "Scalability", + "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS 
Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", "service": "AKS", "services": [ - "WAF", "AKS" ], "severity": "Low", - "text": "If required consider using Confidential Compute for AKS", - "waf": "Security" + "subcategory": "Scalability", + "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", "service": "AKS", "services": [ - "WAF", - "Defender" + "AKS" ], "severity": "Medium", - "text": "Consider using Defender for Containers", - "waf": "Security" + "subcategory": "Scalability", + "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", 
"service": "AKS", "services": [ - "WAF", - "Entra" + "NVA", + "AKS" ], "severity": "High", - "text": "Use managed identities instead of Service Principals", + "subcategory": "Security", + "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", "service": "AKS", "services": [ - "WAF", - "Entra" + "AKS" ], "severity": "Medium", - "text": "Integrate authentication with AAD (using the managed integration)", + "subcategory": "Security", + "text": "If using a public API endpoint, restrict the IP addresses that can access it", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = 
(properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", "service": "AKS", "services": [ - "WAF" + "AKS" ], - "severity": "Medium", - "text": "Limit access to admin kubeconfig (get-credentials --admin)", + "severity": "High", + "subcategory": "Security", + "text": "Use private clusters if your requirements mandate it", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", "service": "AKS", "services": [ - "RBAC", - "WAF", - "Entra" + "AzurePolicy", + "AKS" ], "severity": "Medium", - "text": "Integrate authorization with AAD RBAC", + "subcategory": "Security", + "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": 
"58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", "service": "AKS", "services": [ - "RBAC", - "WAF", + "AzurePolicy", "AKS" ], "severity": "High", - "text": "Use namespaces for restricting RBAC privilege in Kubernetes", + "subcategory": "Security", + "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", "service": "AKS", "services": [ - "WAF", - "Entra" + "AzurePolicy", + "AKS" ], - "severity": "Medium", - "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", + "severity": "High", + "subcategory": "Security", + "text": "Use Kubernetes network policies to increase intra-cluster security", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", "service": "AKS", "services": [ "WAF", "AKS" ], - "severity": "Medium", - "text": "For AKS non-interactive logins use kubelogin (preview)", + "severity": "High", + "subcategory": "Security", + "text": "Use a WAF for web workloads (UIs or APIs)", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", 
- "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", "service": "AKS", "services": [ - "WAF", + "VNet", + "DDoS", "AKS" ], "severity": "Medium", - "text": "Disable AKS local accounts", + "subcategory": "Security", + "text": "Use DDoS Standard in the AKS Virtual Network", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project 
subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", "service": "AKS", "services": [ - "WAF" + "AKS" ], "severity": "Low", - "text": "Configure if required Just-in-time cluster access", + "subcategory": "Security", + "text": "If required add company HTTP Proxy", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "category": "Network Topology and Connectivity", + "checklist": "Azure AKS Review", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", "service": "AKS", "services": [ - "WAF", - "AKS", - "Entra" + "AKS" ], - "severity": "Low", - "text": "Configure if required AAD conditional access for AKS", + "severity": "Medium", + "subcategory": "Security", + "text": "Consider using a service mesh for advanced microservice communication management", "waf": "Security" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": 
"https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", "service": "AKS", "services": [ - "WAF", + "Monitor", + "AKS" + ], + "severity": "High", + "subcategory": "Alerting", + "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", + "waf": "Operations" + }, + { + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", + "services": [ + "Entra", "AKS" ], "severity": "Low", - "text": "If required for Windows AKS workloads configure gMSA ", - "waf": "Security" + "subcategory": "Compliance", + "text": "Check regularly Azure Advisor for recommendations on your cluster", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", "service": "AKS", "services": [ - "WAF", - "Entra" + "AKS" ], - "severity": "Medium", - "text": "For finer control consider using a managed Kubelet Identity", - "waf": "Security" + "severity": "Low", + "subcategory": "Compliance", + "text": "Enable AKS auto-certificate rotation", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": 
"https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", "service": "AKS", "services": [ - "AppGW", - "ACR", - "WAF" + "AKS" ], - "severity": "Medium", - "text": "If using AGIC, do not share an AppGW across clusters", - "waf": "Reliability" + "severity": "High", + "subcategory": "Compliance", + "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", "service": "AKS", "services": [ - "WAF", "AKS" ], "severity": "High", - "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", "service": "AKS", "services": [ - "WAF" + "AKS" ], - "severity": "Medium", - "text": 
"For Windows workloads use Accelerated Networking", - "waf": "Performance" + "severity": "High", + "subcategory": "Compliance", + "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", "service": "AKS", "services": [ - "LoadBalancer", - "WAF" + "AKS" ], - "severity": "High", - "text": "Use the standard ALB (as opposed to the basic one)", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Compliance", + "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", "service": "AKS", "services": [ - "WAF", - "VNet" + "AKS" ], - "severity": "Medium", - "text": "If using Azure CNI, consider using different Subnets for NodePools", - "waf": "Security" + "severity": "Low", + "subcategory": "Compliance", + "text": "Consider using AKS command invoke on private clusters", + "waf": 
"Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", "service": "AKS", "services": [ - "WAF", - "VNet", - "PrivateLink" + "AKS" ], - "severity": "Medium", - "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", - "waf": "Security" + "severity": "Low", + "subcategory": "Compliance", + "text": "For planned events consider using Node Auto Drain", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", "service": "AKS", "services": [ - "WAF" + "AKS" ], "severity": "High", - "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", - "waf": "Reliability" + "subcategory": "Compliance", + "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "category": 
"Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", "service": "AKS", "services": [ - "WAF", - "VNet" + "AKS" ], - "severity": "High", - "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", - "waf": "Performance" + "severity": "Low", + "subcategory": "Compliance", + "text": "Use custom Node RG (aka 'Infra RG') name", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", "service": "AKS", "services": [ - "WAF" + "AKS" ], - "severity": "High", - "text": "If using Azure CNI, check the maximum pods/node (default 30)", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Compliance", + "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", "service": "AKS", "services": [ - "WAF", - "VNet", "AKS" ], "severity": "Low", - "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", - "waf": "Security" + "subcategory": "Compliance", + "text": "Taint Windows nodes", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", "service": "AKS", "services": [ - "WAF" + "AKS" ], - "severity": "High", - "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Compliance", + "text": "Keep windows containers patch level in sync with host patch level", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "category": "Operations", + "checklist": "Azure AKS Review", + "description": "Via Diagnostic Settings at the cluster level", + "guid": 
"5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", "service": "AKS", "services": [ - "WAF" + "Monitor", + "AKS" ], "severity": "Low", - "text": "If required add your own CNI plugin", - "waf": "Security" + "subcategory": "Compliance", + "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", "service": "AKS", "services": [ - "WAF", "AKS" ], "severity": "Low", - "text": "If required configure Public IP per node in AKS", - "waf": "Performance" + "subcategory": "Compliance", + "text": "If required use nodePool snapshots", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", "service": "AKS", "services": [ - "WAF" + "Cost", + "AKS" ], - "severity": "Medium", - "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Cost", + "text": "Consider spot node pools for non time-sensitive workloads", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": 
"ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", "service": "AKS", "services": [ - "WAF" + "Cost", + "AKS" ], "severity": "Low", - "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", - "waf": "Reliability" + "subcategory": "Cost", + "text": "Consider AKS virtual node for quick bursting", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", "service": "AKS", "services": [ - "WAF" + "Monitor", + "AKS" ], - "severity": "Medium", - "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", - "waf": "Reliability" + "severity": "High", + "subcategory": "Monitoring", + "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": 
"https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", "service": "AKS", "services": [ - "WAF", - "NVA" + "Monitor", + "AKS" ], "severity": "High", - "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", "service": "AKS", "services": [ - "WAF" + "Monitor", + "AKS" ], "severity": "Medium", - "text": "If using a public API endpoint, restrict the IP addresses that can access it", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Monitor CPU and memory utilization of the nodes", + "waf": "Operations" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", "service": "AKS", "services": [ - "WAF" + "Monitor", + "AKS" ], - "severity": "High", - "text": "Use private clusters if your requirements mandate it", - "waf": "Security" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "If using Azure CNI, monitor % of pod IPs consumed per node", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "category": "Operations", + "checklist": "Azure AKS Review", + "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", "service": "AKS", "services": [ - "AzurePolicy", - "WAF", + "Storage", + "Monitor", + "EventHubs", + "ServiceBus", "AKS" ], "severity": "Medium", - "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Monitor OS disk queue depth in nodes", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", "service": "AKS", "services": [ - "AzurePolicy", - "WAF", + "LoadBalancer", + "Monitor", + "NVA", "AKS" ], - "severity": "High", - "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", - "waf": "Security" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": 
"https://learn.microsoft.com/azure/aks/aks-resource-health", "service": "AKS", "services": [ - "AzurePolicy", - "WAF", + "Monitor", "AKS" ], - "severity": "High", - "text": "Use Kubernetes network policies to increase intra-cluster security", - "waf": "Security" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Subscribe to resource health notifications for your AKS cluster", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", "service": "AKS", "services": [ - "WAF" + "AKS" ], "severity": "High", - "text": "Use a WAF for web workloads (UIs or APIs)", - "waf": "Security" + "subcategory": "Resources", + "text": "Configure requests and limits in your pod specs", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": 
"https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", "service": "AKS", "services": [ - "DDoS", - "WAF", - "VNet", "AKS" ], "severity": "Medium", - "text": "Use DDoS Standard in the AKS Virtual Network", - "waf": "Security" + "subcategory": "Resources", + "text": "Enforce resource quotas for namespaces", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "service": "AKS", "services": [ - "WAF" + "Subscriptions", + "AKS" ], - "severity": "Low", - "text": "If required add company HTTP Proxy", - "waf": "Security" + "severity": "High", + "subcategory": "Resources", + "text": "Ensure your subscription has enough quota to scale out your nodepools", + "waf": "Operations" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", + "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", "service": "AKS", "services": [ - "WAF" + "AKS" ], - "severity": "Medium", - "text": "Consider using a service mesh for advanced microservice communication management", - "waf": "Security" + "severity": "High", + "subcategory": "Resources", + "text": "Configure Liveness and Readiness probes for all deployments", + "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", "service": "AKS", "services": [ - "Monitor", - "WAF" + "AKS" ], - "severity": "High", - "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Scalability", + "text": "Use the Cluster Autoscaler", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", "service": "AKS", "services": [ - "WAF", - "Entra" + "AKS" ], "severity": "Low", - "text": "Check regularly Azure Advisor for recommendations on your cluster", - "waf": "Operations" + "subcategory": "Scalability", + "text": "Customize node configuration for AKS node pools", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", "service": "AKS", "services": [ - "WAF", "AKS" ], - "severity": "Low", - "text": "Enable AKS auto-certificate rotation", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Scalability", + "text": "Use the Horizontal Pod Autoscaler when required", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "category": "Operations", + "checklist": "Azure AKS Review", + "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", "service": "AKS", "services": [ - "WAF", "AKS" ], "severity": "High", - "text": "Have a regular process 
to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", - "waf": "Operations" + "subcategory": "Scalability", + "text": "Consider an appropriate node size, not too large or too small", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", "service": "AKS", "services": [ - "WAF" + "AKS" ], - "severity": "High", - "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", - "waf": "Operations" + "severity": "Low", + "subcategory": "Scalability", + "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", "service": "AKS", "services": [ - "WAF" + "AKS" ], - "severity": "High", - "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", - "waf": "Operations" + "severity": "Low", + "subcategory": "Scalability", + "text": "Consider subscribing to EventGrid Events for AKS automation", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", "service": "AKS", "services": [ - "WAF" + "AKS" ], "severity": "Low", - "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", - "waf": "Operations" + "subcategory": "Scalability", + "text": "For long running operation on an AKS cluster consider event termination", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", "service": "AKS", "services": [ - "WAF", "AKS" ], "severity": "Low", - "text": "Consider using AKS command invoke on private clusters", - "waf": "Operations" + "subcategory": "Scalability", + "text": "If required consider using Azure Dedicated Hosts for AKS nodes", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "category": "Operations", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": 
"https://learn.microsoft.com/azure/aks/cluster-configuration", "service": "AKS", "services": [ - "WAF" + "Storage", + "AKS" ], - "severity": "Low", - "text": "For planned events consider using Node Auto Drain", - "waf": "Operations" + "severity": "High", + "subcategory": "Storage", + "text": "Use ephemeral OS disks", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", "service": "AKS", "services": [ - "WAF" + "Storage", + "AKS" ], "severity": "High", - "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", - "waf": "Operations" + "subcategory": "Storage", + "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", "service": "AKS", "services": [ - "WAF" + "Storage", + "AKS" ], "severity": "Low", - "text": "Use custom Node RG (aka 'Infra RG') name", - "waf": "Operations" + 
"subcategory": "Storage", + "text": "For hyper performance storage option use Ultra Disks on AKS", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", "service": "AKS", "services": [ - "WAF", + "Storage", + "SQL", "AKS" ], "severity": "Medium", - "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", - "waf": "Operations" + "subcategory": "Storage", + "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "category": "Operations", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", "service": "AKS", "services": [ - "WAF" + "Storage", + "AKS" ], - "severity": "Low", - "text": "Taint Windows nodes", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Storage", + "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "category": "Operations", + "checklist": "Azure AKS Review", 
+ "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", "service": "AKS", "services": [ - "WAF" + "Storage", + "AKS" ], - "severity": "Low", - "text": "Keep windows containers patch level in sync with host patch level", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Storage", + "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "description": "Via Diagnostic Settings at the cluster level", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", "services": [ - "Monitor", - "WAF" + "Cost", + "Monitor" ], - "severity": "Low", - "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Azure Monitor - enforce data collection rules", + "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", + "category": "Cleanup", + 
"checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", "services": [ - "WAF" + "Backup", + "Cost" ], - "severity": "Low", - "text": "If required use nodePool snapshots", + "severity": "Medium", + "subcategory": "Backup", + "text": "check backup instances with the underlying datasource not found", "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", "services": [ - "WAF" + "Cost" ], - "severity": "Low", - "text": "Consider spot node pools for non time-sensitive workloads", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Delete/archive", + "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "659d3958-fd77-4289-a835-556df2bfe456", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "WAF", - "AKS" + "Cost" ], - "severity": "Low", - "text": "Consider AKS virtual node for quick bursting", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Delete/archive", + "text": "Consider snooze and stop technique (snooze a service after x days, stop after 2x, delete/deallocate after 3x)", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "3b0d834a-3487-426d-b69c-6b5c2a26494b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "Monitor", - "WAF" + "Backup", + "Storage", + "Cost" ], - "severity": "High", - "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Delete/archive", + "text": "Delete or archive unused resources (old backups, logs, storage accounts, etc...)", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + 
"guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", "services": [ - "WAF" + "Backup", + "Storage", + "Cost", + "ASR" ], - "severity": "High", - "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Delete/archive", + "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", "services": [ - "Monitor", - "WAF" + "Cost", + "Monitor" ], "severity": "Medium", - "text": "Monitor CPU and memory utilization of the nodes", - "waf": "Operations" + "subcategory": "Log Analytics retention for workspaces", + "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). 
- consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", "services": [ - "Monitor", - "WAF" + "Storage", + "Cost", + "AzurePolicy" ], "severity": "Medium", - "text": "If using Azure CNI, monitor % of pod IPs consumed per node", - "waf": "Operations" + "subcategory": "Policy", + "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "description": "I/O in the OS disk is a critical resource. 
If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "59bb91a3-ed90-4cae-8cc8-4c37b6b780cb", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", "services": [ - "Storage", - "Monitor", - "EventHubs", - "ServiceBus", - "WAF" + "Cost" ], "severity": "Medium", - "text": "Monitor OS disk queue depth in nodes", - "waf": "Operations" + "subcategory": "Run orphaned resources workbook - delete or snooze ghost items", + "text": "https://github.com/dolevshor/azure-orphan-resources", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "9fe5c464-89d4-457a-a27c-3874d0102cac", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", "services": [ - "NVA", - "LoadBalancer", - "WAF", - "Monitor" + "Cost" ], "severity": "Medium", - "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", - "waf": "Operations" + "subcategory": "Shutdown/deallocate", + "text": "Shutdown underutilized instances", + "training": "https://learn.microsoft.com/azure/cost-management-billing/understand/analyze-unexpected-charges", + "waf": 
"Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", "services": [ - "WAF", - "AKS" + "VM", + "Backup", + "Storage", + "Cost" ], "severity": "Medium", - "text": "Subscribe to resource health notifications for your AKS cluster", - "waf": "Operations" + "subcategory": "stopped/deallocated VMs: check disks", + "text": "Check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", "services": [ - "WAF" + "Storage", + "Cost", + "AzurePolicy" ], - "severity": "High", - "text": "Configure requests and limits in your pod specs", - "waf": "Operations" + "severity": "Medium", + "subcategory": "storage accounts lifecycle policy", + "text": "Consider moving unused storage to lower tier, with customized rule - 
https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "category": "Cleanup", + "checklist": "Cost Optimization Checklist", + "guid": "f2bfe456-3b0d-4834-a348-726de69c6b5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "WAF" + "Cost" ], "severity": "Medium", - "text": "Enforce resource quotas for namespaces", - "waf": "Operations" + "subcategory": "Tagging", + "text": "Use specific tags for temporary items with 'delete by DATE' format - and automate monthly cleanup", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "category": "DB/App tuning", + "checklist": "Cost Optimization Checklist", + "guid": "2a26494b-69ba-4d37-aad5-3cc78e1d7666", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice", "services": [ - "WAF", - "Subscriptions" + "Cost" ], - "severity": "High", - "text": "Ensure your subscription has enough quota to scale out your nodepools", - "waf": "Operations" + "severity": "Medium", + "subcategory": "DB optimization", + "text": "Plan for db optimization with the intent of downsizing the related services (and improve performance)", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - 
"checklist": "WAF checklist", - "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", - "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", - "service": "AKS", + "category": "DB/APP tuning", + "checklist": "Cost Optimization Checklist", + "guid": "7357c449-674b-45ed-a5a8-59c7733be2a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "WAF" + "Cost" ], - "severity": "High", - "text": "Configure Liveness and Readiness probes for all deployments", - "waf": "Operations" + "severity": "Medium", + "subcategory": "App modernization", + "text": "Modernizing the app towards a microservices architecture will have the effect of letting the app scale according to the single service and not the entire stack", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "category": "DB/APP tuning", + "checklist": "Cost Optimization Checklist", + "guid": "a27b765a-91be-41f3-a8ef-394c2bd463cb", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "WAF" + "VM", + "Storage", + "Cost" ], "severity": "Medium", - "text": "Use the Cluster Autoscaler", - "waf": "Performance" + "subcategory": "DB optimization", + "text": "optimizing the DB queries will increase performance and allow better right-sizing of storage and VMs", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF 
checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", + "category": "DB/APP tuning", + "checklist": "Cost Optimization Checklist", + "guid": "bac75819-59bb-491a-9ed9-0cae2cc84c37", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "WAF", - "AKS" + "Cost" ], - "severity": "Low", - "text": "Customize node configuration for AKS node pools", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Demand shaping", + "text": "Using demand shaping on PaaS services will optimize costs and performances", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "b6b780cb-9fe5-4c46-989d-457a927c3874", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging", "services": [ - "WAF" + "Entra", + "Cost" ], "severity": "Medium", - "text": "Use the Horizontal Pod Autoscaler when required", - "waf": "Performance" + "subcategory": "Advisor", + "text": "Start from the Azure Advisor page suggestions.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": 
"https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", "services": [ - "WAF" + "VM", + "Cost" ], - "severity": "High", - "text": "Consider an appropriate node size, not too large or too small", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Advisor", + "text": "Make sure advisor is configured for VM right sizing ", + "waf": "Cost" + }, + { + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "881a1bd5-d1e4-44a1-a659-d3958fd77289", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "services": [ + "Cost" + ], + "severity": "Medium", + "subcategory": "Automation", + "text": "Consider implementing IaC scripts or devops pipelines to match the cost governance process", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "b835556d-f2bf-4e45-93b0-d834a348726d", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "WAF", - "AKS" + "Cost", + "Monitor" ], - "severity": "Low", - "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Automation", + "text": "Set up cost alerts for applications that have variable costs (ideally for all of them)", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": 
"WAF checklist", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "e69c6b5c-2a26-4494-a69b-ad37aad53cc7", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", "services": [ - "WAF", - "AKS" + "Cost" ], - "severity": "Low", - "text": "Consider subscribing to EventGrid Events for AKS automation", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Automation", + "text": "Use Azure Automation: Automate repetitive tasks can help you save time and resources, reducing costs in the process. ", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "8e1d7666-7357-4c44-a674-b5ed85a859c7", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "WAF", - "AKS" + "Cost" ], - "severity": "Low", - "text": "For long running operation on an AKS cluster consider event termination", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Automation", + "text": "Run orphaned resources workbook", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "733be2a1-a27b-4765-a91b-e1f388ef394c", + "link": 
"https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", "services": [ - "WAF", - "AKS" + "Storage", + "Cost" ], - "severity": "Low", - "text": "If required consider using Azure Dedicated Hosts for AKS nodes", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Baseline", + "text": "Try and establish a baseline of monthly spending and an acceptable saving target against the baseline (new services will not be optimized at this stage)", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "2bd463cb-bac7-4581-a59b-b91a3ed90cae", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "WAF" + "Cost", + "AzurePolicy" ], - "severity": "High", - "text": "Use ephemeral OS disks", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Baseline", + "text": "Establish a cost optimization baseline by using a policy that tags every new resource as #NEW", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "2cc84c37-b6b7-480c-a9fe-5c46489d457a", + "link": 
"https://learn.microsoft.com/azure/automation/automation-solution-vm-management-config", "services": [ - "WAF", - "AKS" + "Cost" ], - "severity": "High", - "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Baseline", + "text": "Organize resources to maximize cost insights and accountability", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "927c3874-d010-42ca-a6aa-e01e6a84de5d", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json", "services": [ - "Storage", - "WAF", - "AKS" + "Cost" ], - "severity": "Low", - "text": "For hyper performance storage option use Ultra Disks on AKS", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Budgets", + "text": "Create budgets", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "e36d1d92-881a-41bd-9d1e-44a19659d395", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator", "services": [ - "SQL", - "WAF", - "Storage" + "Cost" ], "severity": "Medium", - "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", - "waf": "Performance" + "subcategory": "Cost Analysis", + "text": "In cost analysis - use daily granularity, grouped by service name to analyze the spending of the past 3 months and identify the top 3 spenders", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "8fd77289-b835-4556-bf2b-fe4563b0d834", + "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server", "services": [ - "Storage", - "WAF" + "Cost" ], "severity": "Medium", - "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", - "waf": "Performance" + "subcategory": "Cost Analysis", + "text": "Check daily for cost spikes and anomalies (ideally with automatic billing exports)", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "WAF checklist", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "a348726d-e69c-46b5-a2a2-6494b69bad37", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", "services": [ - "Storage", - "WAF" + "Cost" ], 
"severity": "Medium", - "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", - "waf": "Performance" + "subcategory": "Cost Analysis", + "text": "Automate cost retrieval for deep analysis or integration", + "waf": "Cost" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "WAF checklist", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", + "category": "Process Administration", + "checklist": "Cost Optimization Checklist", + "guid": "aad53cc7-8e1d-4766-9735-7c449674b5ed", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", "services": [ - "WAF" + "Cost", + "ACR" ], "severity": "Medium", - "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions", - "waf": "Reliability" + "subcategory": "Free services", + "text": "Take advantage of Azure free services: Azure offers a number of free services, such as DevOps, Azure Container Registry, and Azure Logic Apps, that can help you save costs on development and operations. 
",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "WAF checklist",
- "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716",
- "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region",
- "service": "Spring Apps",
+ "category": "Process Administration",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "96c96ad8-844c-4f3b-8b38-c886ba2c0214",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
 "services": [
- "WAF",
- "FrontDoor",
- "TrafficManager"
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.",
- "waf": "Reliability"
+ "subcategory": "Tagging",
+ "text": "Tag shared resources",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "WAF checklist",
- "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps",
- "service": "Spring Apps",
+ "category": "Process Administration",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "99014a5d-3ce5-474d-acbd-9792a6bcca2b",
+ "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview",
 "services": [
- "ACR",
- "WAF"
+ "Cost"
 ],
 "severity": "Medium",
- "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. 
This feature is only available in Standard and Enterprise tiers.",
- "waf": "Reliability"
+ "subcategory": "Tagging",
+ "text": "Consider using tags to all services for cost allocation",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "WAF checklist",
- "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066",
- "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment",
- "service": "Spring Apps",
+ "category": "reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "4fea1dbf-3dd9-45d4-ac7c-891dcb1f7d57",
+ "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks",
 "services": [
- "WAF"
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Use more than 1 app instance for your apps",
- "waf": "Reliability"
+ "subcategory": "automation",
+ "text": "Consider Reservation automation to track and promptly react to changes",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "WAF checklist",
- "guid": "7504c230-6035-4183-95a5-85762acc6075",
- "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services",
- "service": "Spring Apps",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "description": "check by searching the Meter Category Licenses in the Cost analysys",
+ "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
+ "service": "VM",
 "services": [
- "Monitor",
- "WAF"
+ "VM",
+ "SQL",
+ "Cost",
+ "AzurePolicy"
 ],
 "severity": "Medium",
- "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.",
- "waf": "Reliability"
+ "subcategory": "check AHUB is applied to all Windows VMs, RHEL and SQL",
+ "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "WAF checklist",
- "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6",
- "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway",
- "service": "Spring Apps",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "service": "VM",
 "services": [
- "WAF"
+ "LoadBalancer",
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Set up autoscaling in Spring Cloud Gateway",
- "waf": "Reliability"
+ "subcategory": "Check Red Hat Licences if applicable",
+ "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "WAF checklist",
- "guid": "97411607-b6fd-4335-99d1-9885faf4e392",
- "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale",
- "service": "Spring Apps",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a76af4a6-91e8-4839-ada4-6667e13c1056",
+ "link": 
"https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts",
 "services": [
- "WAF"
+ "AppSvc",
+ "Cost"
 ],
- "severity": "Low",
- "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Functions",
+ "text": "Saving plans will provide 17% on select app service plans",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.AppPlatform/Spring",
- "checklist": "WAF checklist",
- "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3",
- "link": "https://learn.microsoft.com/azure/spring-apps/overview",
- "service": "Spring Apps",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
+ "service": "VM",
 "services": [
- "WAF"
+ "VM",
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. 
With other tiers you get OSS support.",
- "waf": "Reliability"
+ "subcategory": "Planning",
+ "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)",
+ "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "WAF checklist",
- "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
- "service": "Azure Functions",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
+ "service": "VM",
 "services": [
- "WAF"
+ "VM",
+ "ARS",
+ "Cost"
 ],
- "severity": "High",
- "text": "Select the right Function hosting plan based on your business & SLO requirements",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Reservations/savings plans",
+ "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "WAF checklist",
- "guid": "a9808100-d640-4f77-ac56-1ec0600f6752",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
- "service": "Azure Functions",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a785c6fe-96c9-46ad-a844-cf3b2b38c886",
+ "link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/",
 "services": [
- "WAF"
+ "Cost"
 ],
- "severity": "High",
- "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Reservations/savings plans",
+ "text": "Plan for Azure Savings Plans for all the workloads that are dynamic and need maximum flexibility",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "WAF checklist",
- "guid": "5969d03e-eacf-4042-b127-73c55e3575fa",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity",
- "service": "Azure Functions",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ba2c0214-9901-44a5-b3ce-574dccbd9792",
+ "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
 "services": [
- "WAF"
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "subcategory": "Reservations/savings plans",
+ "text": "Plan for Azure Reservations for all the workloads that are less dynamic and won't change much",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "WAF checklist",
- "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "Azure Functions",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
+ "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "service": "VM",
 "services": [
- "WAF",
- "AppSvc"
+ "Storage",
+ "Cost"
 ],
- "severity": "High",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Reserve storage",
+ "text": "Only larger disks can be reserved => 1 TiB -",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "WAF checklist",
- "guid": 
"17232891-f89f-4eaa-90f1-3b34bf798ed5",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
- "service": "Azure Functions",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
+ "service": "VM",
 "services": [
- "WAF",
- "AppSvc"
+ "VM",
+ "Cost"
 ],
- "severity": "High",
- "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Reserve VMs with normalized and rationalized sizes",
+ "text": "After the right-sizing optimization",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "WAF checklist",
- "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts",
- "service": "Azure Functions",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
+ "service": "Azure SQL",
 "services": [
- "Storage",
- "WAF"
+ "SQL",
+ "Cost",
+ "AzurePolicy"
 ],
 "severity": "Medium",
- "text": "Pair a Function App to its own storage account. 
Try not to re-use storage accounts for Function Apps unless they are tightly coupled",
- "waf": "Reliability"
+ "subcategory": "SQL Database AHUB",
+ "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "WAF checklist",
- "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "Azure Functions",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
+ "service": "VM",
 "services": [
- "WAF"
+ "VM",
+ "SQL",
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code",
- "waf": "Operations"
+ "subcategory": "SQL Database Reservations",
+ "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "WAF checklist",
- "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
- "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
- "service": "Logic Apps",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "e13c1056-75c1-4e94-9b45-9837ff7ae7c6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities",
 "services": [
- "WAF"
+ "Cost"
 ],
- "severity": "High",
- "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": 
"Tracking",
+ "text": "Make sure you Azure Reservations and Savings plans are close to 100% utilization or make the necessary changes to reach it.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "WAF checklist",
- "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
- "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "Logic Apps",
+ "category": "Reservations",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d3b475a5-c7ac-4be4-abbe-64dd89f2e877",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations",
 "services": [
- "WAF"
+ "Cost",
+ "AzurePolicy"
 ],
- "severity": "High",
- "text": "Protect logic apps from region failures with zone redundancy and availability zones",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Tracking",
+ "text": "Make sure that your reservations usage is close to 100%. 
If not, either enforce an allowed SKU policy or exchange the reservation",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "WAF checklist",
- "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
- "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "Logic Apps",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "78468d55-a785-4c6f-b96c-96ad8844cf3b",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review",
 "services": [
- "WAF"
+ "Cost",
+ "AzurePolicy"
 ],
- "severity": "High",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Automation",
+ "text": "Plan and enforce a On/Off policy for production services, where possible",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "WAF checklist",
- "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
- "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
- "service": "Logic Apps",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "2b38c886-ba2c-4021-9990-14a5d3ce574d",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
 "services": [
- "WAF",
- "AppSvc"
+ "Cost",
+ "AzurePolicy"
 ],
- "severity": "High",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Automation",
+ "text": "Plan and enforce a On-Demand policy with auto-shutdown for non-production services, where possible",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "WAF 
checklist",
- "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
- "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
- "service": "Logic Apps",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "VM",
 "services": [
- "WAF"
+ "VM",
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
- "waf": "Operations"
+ "subcategory": "Autoscale",
+ "text": "Consider using a VMSS to match demand rather than flat sizing",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.App/containerApps",
- "checklist": "WAF checklist",
- "guid": "af416482-663c-4ed6-b195-b44c7068e09c",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support",
- "service": "Container Apps",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "service": "AKS",
 "services": [
- "WAF"
+ "Cost",
+ "AKS"
 ],
- "severity": "High",
- "text": "Leverage Availability Zones if regionally applicable",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Autoscale",
+ "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.App/containerApps",
- "checklist": "WAF checklist",
- "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment",
- "service": "Container Apps",
+ "category": "Right-sizing",
+ 
"checklist": "Cost Optimization Checklist",
+ "guid": "93665720-2bff-4456-9b0d-934a359c363e",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
 "services": [
- "WAF"
+ "Cost"
 ],
- "severity": "High",
- "text": "Use more than one replica and enable Zone Redundancy.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Autoscale",
+ "text": "Right-size PaaS service according to average use and accomodate spikes with auto or manual scaling",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.App/containerApps",
- "checklist": "WAF checklist",
- "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
- "service": "Container Apps",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "7dd61623-a364-4a90-9eba-e38ead53cc7d",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
 "services": [
- "WAF"
+ "Cost"
 ],
- "severity": "High",
- "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Autoscale",
+ "text": "Plan for demand shaping where applicable",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.App/containerApps",
- "checklist": "WAF checklist",
- "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919",
- "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity",
- "service": "Container Apps",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "e2e8aaab-3571-4549-ab91-53d89f89dc7b",
 "services": [
- "WAF",
- "FrontDoor",
- "TrafficManager"
+ "Cost"
 ],
- "severity": "High",
- "text": "Use Front Door or Traffic Manager to route traffic to 
the closest region",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Autoscale",
+ "text": "Consider implementing a service re-scaling logic within the application",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/savings-plan/",
+ "waf": "Cost"
 },
 {
- "checklist": "WAF checklist",
- "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
- "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
- "service": "SAP",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Azure Backup",
 "services": [
- "SAP",
- "WAF"
+ "Backup",
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. 
You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations",
- "waf": "Operations"
+ "subcategory": "Backup",
+ "text": "Move recovery points to vault-archive where applicable (Validate)",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "Cost"
 },
 {
- "checklist": "WAF checklist",
- "guid": "5d75e99d-624d-4afe-91d9-e17adc580790",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
- "service": "SAP",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
+ "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
+ "service": "Databricks",
 "services": [
- "SAP",
- "WAF"
+ "LoadBalancer",
+ "Cost",
+ "VM"
 ],
 "severity": "Medium",
- "text": "Azure supports automating SAP deployments in Linux and Windows. SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.",
- "training": "https://github.com/Azure/sap-automation",
- "waf": "Operations"
+ "subcategory": "Databricks",
+ "text": "Consider using Spot VMs with fallback where possible. 
Consider autotermination of clusters.",
+ "waf": "Cost"
 },
 {
- "checklist": "WAF checklist",
- "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
- "service": "SAP",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
+ "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
+ "service": "Azure Functions",
 "services": [
- "SAP",
- "WAF"
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally",
- "waf": "Reliability"
+ "subcategory": "Functions",
+ "text": "Functions - Reuse connections",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
+ "waf": "Cost"
 },
 {
- "checklist": "WAF checklist",
- "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a",
- "service": "SAP",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
+ "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "service": "Azure Functions",
 "services": [
- "WAF",
- "Backup"
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.",
- "waf": "Reliability"
+ "subcategory": "Functions",
+ "text": "Functions - Cache data locally",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
+ "waf": "Cost"
 },
 {
- "checklist": "WAF checklist",
- "guid": "b651423c-8552-42db-a545-5cb50c05527a",
- "link": 
"https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
- "service": "SAP",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
+ "service": "Azure Functions",
 "services": [
 "Storage",
- "ASR",
- "SQL",
- "SAP",
- "WAF",
- "Backup"
+ "Cost"
 ],
- "severity": "High",
- "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Functions",
+ "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
+ "waf": "Cost"
 },
 {
- "checklist": "WAF checklist",
- "guid": "aa208dca-784f-46c6-9014-cc919c542dc9",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "Azure Functions",
 "services": [
- "SAP",
- "WAF"
+ "Cost"
 ],
 "severity": "Medium",
- "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
- "waf": "Reliability"
+ "subcategory": "Functions",
+ "text": "Functions - Keep your functions warm",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Cost"
 },
 {
- "checklist": "WAF checklist",
- "guid": "ba07c007-1f90-43e9-aa4f-601346b80352",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
- "service": "SAP",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Azure Functions",
 "services": [
- "VPN",
- "ExpressRoute",
- "WAF",
- "ASR"
+ "Cost"
 ],
- "severity": "High",
- "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.",
- "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Functions",
+ "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)",
+ "waf": "Cost"
 },
 {
- "checklist": "WAF checklist",
- "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
- "service": "SAP",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
+ "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
+ "service": "Azure Functions",
 "services": [
- "ACR",
- "WAF",
- "AKV"
+ "Cost"
 ],
- "severity": "Low",
- "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Functions",
+ "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.",
+ "waf": "Cost"
 },
 {
- "checklist": "WAF checklist",
- "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
- "service": "SAP",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
+ "service": "Azure Functions",
 "services": [
- "SAP",
- "WAF",
- "VNet",
- "ASR"
+ "Cost"
 ],
 "severity": "Medium",
- 
"text": "Peer the primary and disaster recovery virtual networks. For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.",
- "waf": "Reliability"
+ "subcategory": "Functions",
+ "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
+ "waf": "Cost"
 },
 {
- "checklist": "WAF checklist",
- "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
- "service": "SAP",
+ "category": "Right-sizing",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "df03a822-cd46-43cb-abc8-ac299ebc91a4",
+ "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard",
 "services": [
- "SAP",
- "Storage",
- "WAF"
+ "Cost"
 ],
- "severity": "Low",
- "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.",
- "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria",
- "waf": "Reliability"
+ "severity": "Medium",
+ "subcategory": "Networking",
+ "text": "Evaluate your network topology against networking costs and where applicable 
reduce the egress and peering data", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", "services": [ - "WAF" + "EventHubs", + "Cost", + "FrontDoor" ], - "severity": "High", - "text": "Native database replication technology should be used to synchronize the database in a HA pair.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Networking", + "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. 
This will return a 204 (No Content) to the PoP so only header data is returned.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", "services": [ - "WAF", - "VNet" + "AppSvc", + "Cost", + "FrontDoor" ], - "severity": "High", - "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Networking", + "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "f843e52f-4722-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview", "services": [ - "Entra", - "WAF", - "VM", - "ASR" + "Cost" ], - "severity": "High", - "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "PaaS", + "text": "Consider using free tiers where applicable for all non-production environments", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "b9de39ac-0e7c-428d-a936-657202bff456", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", "services": [ - "SAP", - "WAF" + "Cost" ], - "severity": "High", - "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Serverless", + "text": "Using serverless patterns for spikes can help keeping costs down", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", "services": [ - "SAP", - "WAF" + "Storage", + "Cost" ], - "severity": "High", - "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Storage", + "text": "Consider archiving tiers for less used data", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", "services": [ "Storage", - "WAF", - "VM" + "Cost" ], - "severity": "High", - "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Storage", + "text": "Check disk sizes where the size does not match the tier (i.e. 
A 513 GiB disk will pay a P30 (1TiB) and consider resizing", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", "services": [ - "SAP", "Storage", - "WAF" + "Cost" ], - "severity": "High", - "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Storage", + "text": "Consider using standard SSD rather than Premium or Ultra where possible", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", "services": [ - "SAP", - "WAF" + "Storage", + "Cost" ], - "severity": "High", - "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Storage", + "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", "services": [ - "SAP", - "LoadBalancer", - "WAF" + "ASR", + "Cost", + "Storage" ], - "severity": "High", - "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Storage", + "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", "services": [ - "LoadBalancer", - "WAF" + "Storage", + "Cost" ], - "severity": "High", - "text": "Make sure the Floating IP is enabled on the Load balancer", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "storage", + "text": "Storage accounts: check hot tier and/or GRS necessary", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", "services": [ - "WAF" + "Storage", + "Cost" ], - "severity": "High", - "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an 
availability zone.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Storage", + "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", "services": [ - "SAP", - "WAF", - "VM", - "Entra" + "EventHubs", + "Cost", + "Monitor" ], - "severity": "High", - "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Synapse", + "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", "services": [ - "RBAC", - "WAF", - "VM", - "Entra" + "Storage", + "Cost" ], - "severity": "High", - "text": "Do not 
mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Synapse", + "text": "Export cost data to a storage account for additional data analysis.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", "services": [ - "WAF" + "SQL", + "Cost" ], "severity": "Medium", - "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "Reliability" + "subcategory": "Synapse", + "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", "services": [ - "WAF", - "VM" + "Cost" ], - "severity": "High", - "text": "When you create availability sets, use the maximum number of fault domains and update domains available. 
For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. The default number of fault domains is two, and you can't change it online later.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Synapse", + "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", "services": [ - "SAP", - "WAF", - "Entra" + "Cost" ], - "severity": "High", - "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Synapse", + "text": "Create multiple Apache Spark pool definitions of various sizes.", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", "services": [ - "SAP", - "ACR", - "WAF" + "Cost" ], - "severity": "High", - "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Synapse", + "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", "services": [ - "SAP", - "WAF", - "Entra" + "VM", + "Cost" ], - "severity": "High", - "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "VM", + "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", "services": [ - "WAF", "VM", - "Entra" + "Cost" ], "severity": "Medium", - "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "subcategory": "VM", + "text": "Right-sizing all VMs", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", "services": [ - "Storage", - "WAF", - "VM" + "VM", + "Cost" ], "severity": "Medium", - "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", - "waf": "Reliability" + "subcategory": "VM", + "text": "Swap VM sized with normalized and most recent sizes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "services": [ - "SAP", - "WAF" + "VM", + "Cost", + "Monitor" ], "severity": "Medium", - "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "subcategory": "VM", + "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "category": "Right-sizing", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", "services": [ - "Storage", - "WAF" + "VM", + "Cost" ], - "severity": "High", - "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. 
At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "VM", + "text": "Containerizing an application can improve VM density and save money on scaling it", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", - "services": [ - "SAP", - "Storage", - "WAF" - ], + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "services": [], "severity": "High", - "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "subcategory": "High Availablity", + "text": "Enable 2 replicas to have 99.9% availability for read operations", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", - "services": [ - "SAP", - "Storage", - "WAF", - "ASR" - ], - "severity": "High", - "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "services": [], + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Enable 3 replicas to have 99.9% availability for read/write operations", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", - "services": [ - "SAP", - "Storage", - "WAF" - ], + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": 
"https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "services": [], "severity": "High", - "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", + "subcategory": "High Availablity", + "text": "Leverage Availability Zones by enabling read and/or write replicas", "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "services": [ - "SAP", - "Cost", - "WAF" + "ACR" ], "severity": "Medium", - "text": "Automate SAP System Start-Stop to manage costs.", - "waf": "Cost" + "subcategory": "Georeplication", + "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": 
"Cognitive Search", "services": [ - "Storage", - "Cost", - "VM", - "SAP", - "WAF" + "ACR" ], - "severity": "Low", - "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Georeplication", + "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "services": [ - "Storage", - "Cost", - "VM", - "SAP", - "WAF" + "TrafficManager" ], - "severity": "Low", - "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Georeplication", + "text": "Use Azure Traffic Manager to coordinate requests", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", + "category": "Operations Management", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", "services": [ - "RBAC", - "WAF", - "Subscriptions" + "Storage", + "Backup", + "ASR" ], "severity": "High", - "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Security" - }, - { - "checklist": "WAF checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", - "services": [ - "SAP", - "WAF", - "Entra" - ], - "severity": "Medium", - "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", - "waf": "Security" + "subcategory": "Disaster Recovery", + "text": "Backup and Restore an Azure Cognitive Search Index. 
Use this sample code to back up index definition and snapshot to a series of Json files", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "When you are creating a SQL Server on Azure VM, carefully consider the type of workload necessary. If you are migrating an existing environment, collect a performance baseline to determine your SQL Server on Azure VM requirements. If this is a new VM, then create your new SQL Server VM based on your vendor requirements.", + "guid": "1fc3fc14-eea6-4e69-b8d9-a3eec218e687", + "link": "https://learn.microsoft.com/sql/dma/dma-sku-recommend-sql-db?view=sql-server-ver16", "services": [ - "SAP", - "WAF", - "Entra" + "VM", + "SQL" ], - "severity": "Medium", - "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", - "waf": "Security" + "severity": "High", + "subcategory": "VM Size", + "text": "Collect the target workload's performance characteristics and use them to determine the appropriate VM size for your business.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "The memory optimized virtual machine sizes are a primary target for SQL Server VMs and the recommended choice by Microsoft. 
The memory optimized virtual machines offer stronger memory-to-CPU ratios and medium-to-large cache options.Consider Ebdsv5-series series first for most SQL Server workloads.", + "guid": "e04abe1f-8d39-4fda-9776-8424c116775c", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-vm-size?view=azuresql#memory-optimized", "services": [ - "SAP", - "WAF" + "VM", + "SQL" ], "severity": "Medium", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "Security" + "subcategory": "VM Size", + "text": "Use memory optimized virtual machine sizes for the best performance of SQL Server workloads.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "To find the most effective configuration for SQL Server workloads on an Azure VM, start by measuring the storage performance of your business application. 
Once storage requirements are known, select a virtual machine that supports the necessary IOPS and throughput with the appropriate memory-to-vCore ratio.", + "guid": "2ea55b56-ad48-4408-be72-734b476ba18f", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance#counters-to-measure-application-performance-requirements", "services": [ - "SAP", - "WAF" + "VM", + "Storage", + "SQL" ], "severity": "Medium", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", - "waf": "Security" + "subcategory": "Storage", + "text": "Determine storage bandwidth and latency requirements for SQL Server data, log, and tempdb files before choosing the disk type.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "This provides more dedicated disk IOPS and throughput on the disk level and also allows you to configure the Azure disk host caching setting for each disk to the optimal setting for that data type.", + "guid": "dbf590ce-65de-48e0-9f9c-cbd468266abc", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "SAP", - "WAF" - ], - "severity": "Medium", - "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "Security" + "Storage", + "SQL" + ], + "severity": "High", + "subcategory": 
"Storage", + "text": "Place data, log, and tempdb files on separate drives", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Premium SSD is always recommend as a minimum for SQL Server in order to obtain better performance and lower latency. P30 and P40 are recommended because disk caching is not supported for disks 4 TiB and larger ( P50 and above) and they provide the optimal price to performance ratio", + "guid": "e6a84de5-df43-4d19-a248-1718d5d1e5f6", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "SAP", - "WAF", - "AKV" + "Storage", + "SQL" ], - "severity": "Medium", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", - "waf": "Security" + "severity": "High", + "subcategory": "Storage", + "text": "For the data drive, use premium P30 and P40 or smaller disks to ensure the availability of cache support", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Log files have primarily write-heavy operations. Therefore, they do not benefit from the ReadOnly cache. 
Hence evaluate your price vs performance vs capacity and chose the right storage disk.", + "guid": "25659d35-58fd-4772-99c9-31112d027fe4", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "SAP", - "WAF", - "AKV" + "Storage", + "SQL", + "Cost" ], - "severity": "Medium", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "waf": "Security" + "severity": "High", + "subcategory": "Storage", + "text": "For the log drive plan for capacity and test performance versus cost while evaluating the premium P30 - P80 disks", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Placing TempDB on the D drive can help performance. 
Consider the size required and always test performance.", + "guid": "12f70983-f630-4472-8ee6-9d6b5c2622f5", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "SAP", - "WAF" + "VM", + "Storage", + "SQL" ], "severity": "Medium", - "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", - "waf": "Security" + "subcategory": "Storage", + "text": "Place tempdb on the local ephemeral SSD (default D:\\) drive for most SQL Server workloads that are not part of Failover Cluster Instance (FCI) after choosing the optimal VM size.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Striping Data and Log disk can increase bandwidth. 
Ensure that VM size also matches expected output", + "guid": "4b69bad3-4aad-45e8-a78e-1d76667313c4", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "SAP", - "WAF" + "VM", + "Storage", + "SQL" ], - "severity": "Medium", - "text": "Implement SSO to SAP HANA", - "waf": "Security" + "severity": "High", + "subcategory": "Storage", + "text": "Stripe multiple Azure data disks using Storage Spaces to increase I/O bandwidth", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Your storage caching policy varies depending on the type of SQL Server data files that are hosted on the drive.Enable Read-only caching for the disks hosting SQL Server data files.Reads from cache will be faster than the uncached reads from the data disk.Set the caching policy to None for disks hosting the transaction log. There is no performance benefit to enabling caching for the Transaction log disk.", + "guid": "05674b5e-985b-4859-a773-e7e261623b77", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "SAP", - "WAF", - "Entra" + "Storage", + "SQL", + "AzurePolicy" ], - "severity": "Medium", - "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. 
For more information, see Integrating the Service with Azure AD.", - "waf": "Security" + "severity": "High", + "subcategory": "Storage", + "text": "Set host caching to read-only for data file disks and none for log file disks.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Check that you storage is in the same region as your VM. For exaplme if your VM is in EAST US 2 ensure your storage is in East US 2.", + "guid": "5a917e1f-348e-4f35-9c27-d42e8bbac868", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "SAP", - "WAF" + "VM", + "Storage", + "SQL" ], - "severity": "Medium", - "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", - "waf": "Security" + "severity": "High", + "subcategory": "Storage", + "text": "Provision the storage account in the same region as the SQL Server VM", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "SQL Server uses extents to store data. These are 64KB in size. 
Therefore, on a SQL Server machine, the NTFS allocation unit size for hosting SQL database files should be 64 KB.", + "guid": "155abb91-63e9-4908-ae28-c84c33b6b780", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", "services": [ - "SAP", - "WAF", - "Entra" + "Storage", + "SQL" ], - "severity": "Medium", - "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", - "waf": "Security" + "severity": "High", + "subcategory": "Storage", + "text": "Format your data disk to use 64 KB block size (allocation unit size) for all data files placed on a drive other than the temporary D:\\ drive", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "It is recommended that you determine BCDR needs and requirements ensuring that you are able to meet you SLAs of the environment.", + "guid": "8b9fe5c4-2049-4d41-9a92-3c3474d11028", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#azure-only-disaster-recovery-solutions", "services": [ - "SAP", - "WAF" + "VM", + "SQL" ], "severity": "Medium", - "text": "Implement SSO to SAP BTP", - "waf": "Security" + "subcategory": "HADR", + "text": "Determine HA/DR requirements for each VM to be migrated.", + "waf": 
"Reliability" }, { - "checklist": "WAF checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "When depoying High Availability you need to use availability sets or availability zones to avoid unexpected outages.", + "guid": "ac6aae01-e6a8-44de-9df4-3d1992481718", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#high-availability-nodes-in-an-availability-set", "services": [ - "SAP", - "WAF", - "Entra" + "VM", + "SQL" ], - "severity": "Medium", - "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.", - "waf": "Security" + "severity": "High", + "subcategory": "HADR", + "text": "Place your VMs in an availability set or different availability zones.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Prefered option when deploying an Availability Group. 
The recommended solution is to use multi-subnets when deploying Always on Availability Groups.", + "guid": "d5d1e5f6-2565-49d3-958f-d77249c93111", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-azure-portal-configure?view=azuresql&tabs=azure-cli", "services": [ - "SAP", - "AzurePolicy", - "WAF", - "Subscriptions" + "VM", + "SQL", + "LoadBalancer", + "VNet" ], "severity": "Medium", - "text": "enforce existing Management Group policies to SAP Subscriptions", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", - "waf": "Operations" + "subcategory": "HADR", + "text": "Deploy your SQL Server VMs to multiple subnets whenever possible to avoid the dependency on an Azure Load Balancer or a distributed network name (DNN) to route traffic to your HADR solution. ( If one is implementing FCI or AG)", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "High availability and disaster recovery (HADR) features, such as the Always On availability group and the failover cluster instance rely on underlying Windows Server Failover Cluster technology. 
Review the best practices for modifying your HADR settings to better support the cloud environment.", + "guid": "2d027fe4-12f7-4098-9f63-04722ee69d6b", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#hadr-configuration", "services": [ - "SAP", - "WAF", - "Subscriptions" + "ASR", + "SQL" ], "severity": "High", - "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "Operations" + "subcategory": "HADR", + "text": "Change the cluster to less aggressive parameters to avoid unexpected outages from transient network failures or Azure platform maintenance. ( If one is implementing FCI or AG)", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Ensure that quorum is set correct for the number of instances deployed.", + "guid": "5c2622f5-4b69-4bad-94aa-d5e8c78e1d76", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/hadr-cluster-best-practices?view=azuresql-vm&tabs=windows2012#quorum-voting", "services": [ - "WAF", - "Subscriptions" + "SQL" ], "severity": "High", - "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. Sandbox, non-prod, prod ", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", - "waf": "Operations" + "subcategory": "HADR", + "text": "Configure cluster quorum voting to use 3 or more odd number of votes. 
Don't assign votes to DR regions. ( If one is implementing FCI or AG)", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "On Azure virtual machines, clusters use a load balancer to hold an IP address that needs to be on one cluster node at a time. In this solution, the load balancer holds the IP address for the virtual network name (VNN) listener for the Always On availability group when the SQL Server VMs are in a single subnet.", + "guid": "667313c4-0567-44b5-b985-b859c773e7e2", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-vnn-azure-load-balancer-configure?view=azuresql-vm&tabs=ilb", "services": [ - "WAF", - "VM", - "Subscriptions" + "LoadBalancer", + "SQL", + "VNet", + "VM" ], "severity": "High", - "text": "Ensure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "waf": "Operations" + "subcategory": "HADR", + "text": "When using the virtual network name (VNN) and Azure Load Balancer to connect to your HADR solution, specify MultiSubnetFailover = true in the connection string, even if your cluster only spans one subnet. 
( If one is implementing FCI or AG)", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "SQL Server, Azure SQL Database, and Azure SQL Managed Instance support row and page compression for rowstore tables and indexes, and support columnstore and columnstore archival compression for columnstore tables and indexes.", + "guid": "61623b77-5a91-47e1-b348-ef354c27d42e", + "link": "https://learn.microsoft.com/sql/relational-databases/data-compression/data-compression?view=sql-server-ver16", "services": [ - "WAF" + "Storage", + "SQL" ], "severity": "Low", - "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.", - "waf": "Operations" + "subcategory": "SQL Server", + "text": "Enable database page compression where appropriate.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "By default, data and log files are initialized to overwrite any existing data left on the disk from previously deleted files. Data and log files are first initialized by zeroing the files (filling with zeros).In SQL Server, for data files only, instant file initialization (IFI) allows for faster execution of the previously mentioned file operations, since it reclaims used disk space without filling that space with zeros. 
Instead, disk content is overwritten as new data is written to the files.", + "guid": "8bbac868-155a-4bb9-863e-9908ae28c84c", + "link": "https://learn.microsoft.com/sql/relational-databases/databases/database-instant-file-initialization?view=sql-server-ver16", "services": [ - "WAF", - "VM", - "Subscriptions" + "Storage", + "SQL" ], "severity": "High", - "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", + "subcategory": "SQL Server", + "text": "Enable instant file initialization for data files.", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Recommended for best performance and availability migrate all databases to data and log disks", + "guid": "33b6b780-8b9f-4e5c-9204-9d413a923c34", + "link": "https://learn.microsoft.com/sql/relational-databases/databases/move-database-files?view=sql-server-ver16", "services": [ - "WAF" + "SQL" ], - "severity": "High", - "text": "Ensure required services and features are available within the chosen deployment regions eg. 
ANF , Zone etc.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "severity": "Medium", + "subcategory": "SQL Server", + "text": "Move all databases to data disks, including system databases.", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", + "guid": "b824546c-e1ae-4e34-93ae-c8239248725d", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#sql-server-features", "services": [ - "Cost", - "WAF", - "TrafficManager" + "VM", + "Storage", + "SQL" ], - "severity": "Medium", - "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "severity": "Low", + "subcategory": "SQL Server", + "text": "Move SQL Server error log and trace file directories to data disks.", "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", + "guid": 
"d68c5b5c-2925-4394-a69a-9d2799c42bb6", + "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/server-memory-server-configuration-options#use-", "services": [ - "WAF", - "Backup" + "VM", + "SQL" ], "severity": "High", - "text": "Help protect your HANA database by using the Azure Backup service.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Reliability" + "subcategory": "SQL Server", + "text": "Set max SQL Server memory limit to leave enough memory for the Operating System.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", + "guid": "8d1d7555-6246-4b43-a563-b4dc74a748b6", + "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/enable-the-lock-pages-in-memory-option-windows", "services": [ - "Storage", - "WAF", "VM", - "Entra" - ], - "severity": "Medium", - "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. 
Consider using AzAcSnap on a central VM rather than on individual VMs.", - "waf": "Reliability" - }, - { - "checklist": "WAF checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", - "services": [ - "SAP", - "WAF" + "SQL" ], "severity": "High", - "text": "Ensure time-zone matches between the operating system and the SAP system.", - "waf": "Operations" - }, - { - "checklist": "WAF checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", - "services": [ - "WAF", - "Entra" - ], - "severity": "Medium", - "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "subcategory": "SQL Server", + "text": "Enable lock pages in memory.", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", + "category": "SQL Server on Azure VM", + "checklist": "SQL Migration Review", + "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", + "guid": "633ad2a0-916a-4664-a8fa-d0e278ee293c", + "link": "https://learn.microsoft.com/sql/relational-databases/performance/monitoring-performance-by-using-the-query-store", "services": [ - "Cost", - "WAF" + "VM", + "SQL" ], "severity": "Low", - "text": "Consider running dev/test systems in a snooze model to 
save and optimize Azure run costs.",
- "waf": "Cost"
+ "subcategory": "SQL Server",
+ "text": "Enable Query Store on all production SQL Server databases following best practices.",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
- "link": "https://learn.microsoft.com/azure/lighthouse/overview",
- "service": "SAP",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "1bc352ba-aab7-4571-a49a-b8093dc9ec9d",
+ "link": "https://learn.microsoft.com/sql/relational-databases/databases/tempdb-database#optimizing-tempdb-performance-in-sql-server",
 "services": [
- "SAP",
- "WAF",
- "Entra"
+ "VM",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "SQL Server",
+ "text": "Ensure that all tempdb best practices are followed.",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
- "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
- "service": "SAP",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "1bb73b36-a5a6-47fb-a9ed-5b35478c3479",
+ "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization",
 "services": [
- "WAF",
- "VM"
+ "VM",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
- "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
+ "severity": "High",
+ "subcategory": "SQL Server",
+ "text": "Schedule SQL Server Agent jobs to run DBCC CHECKDB, index reorganize, index rebuild, and update statistics jobs.",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
- "service": "SAP",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.",
+ "guid": "816b2863-cffe-41ca-a599-ef0d5a73dd4c",
+ "link": 
"https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization",
 "services": [
- "SAP",
- "WAF"
+ "VM",
+ "SQL"
 ],
- "severity": "Low",
- "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
+ "severity": "Medium",
+ "subcategory": "SQL Server",
+ "text": "Limit autogrowth of the database and Disable autoshrink",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
- "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
- "service": "SAP",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Constrained vCPU virtual machines (VMs) are a type of VM where the vCPU count can be constrained to a half or a quarter of the original VM size. This allows customers to reduce the cost of software licensing while maintaining the same memory, storage, and I/O bandwidth",
+ "guid": "e36c1c81-770a-4fbc-9c0d-43918648d285",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/constrained-vcpu",
 "services": [
- "SAP",
+ "VM",
+ "Storage",
 "SQL",
- "WAF",
- "Monitor"
+ "Cost"
 ],
- "severity": "Medium",
- "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
- "waf": "Operations"
+ "severity": "Low",
+ "subcategory": "Cost Optimization",
+ "text": "Optimize SQL Server License cost with Constrained vCPU VM's",
+ "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview",
+ "waf": "Cost"
 },
 {
- "checklist": "WAF checklist",
- "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
- "service": "SAP",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Azure Hybrid Benefit allows you to exchange your existing licenses for discounted rates on Azure SQL Database and Azure SQL Managed Instance. Y",
+ "guid": "7ed67178-b824-4546-ae1a-ee3453aec823",
+ "link": "https://azure.microsoft.com/en-ca/pricing/hybrid-benefit/",
 "services": [
- "Monitor",
- "VM",
- "Entra",
- "SAP",
- "WAF"
+ "SQL",
+ "Cost"
 ],
- "severity": "High",
- "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
- "waf": "Operations"
+ "severity": "Low",
+ "subcategory": "Cost Optimization",
+ "text": "Leverage Azure Hybrid benefit to maximize the value of your on premises licenses in the cloud",
+ "waf": "Cost"
 },
 {
- "checklist": "WAF checklist",
- "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "SAP",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "The SQL Server IaaS Agent extension (SqlIaasExtension) runs on SQL Server on Azure Windows Virtual Machines (VMs) to automate management and administration tasks.",
+ "guid": "9248725d-d68c-45b5-a292-5394a69a9d27",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/sql-agent-extension-automatic-registration-all-vms?view=azuresql-vm&tabs=azure-cli",
 "services": [
- "AzurePolicy",
- "WAF"
+ "VM",
+ "SQL"
 ],
 "severity": "Medium",
- "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
+ "subcategory": "Azure",
+ "text": "Register with the SQL IaaS Agent Extension to unlock a number of feature benefits.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
- "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
- "service": "SAP",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Accelerated Networking provides consistent ultra-low network latency via Azure's in-house programmable hardware and technologies",
+ "guid": "99c42bb6-8d1d-4755-9624-6b438563b4dc",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
 "services": [
- "SAP",
- "Monitor",
- "WAF",
- "NetworkWatcher"
+ "VM",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. 
Or collect and display network latency measurements by using Azure Monitor.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
+ "severity": "High",
+ "subcategory": "Azure",
+ "text": "Ensure Accelerated Networking is enabled on the virtual machine.",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "73686af4-6791-4f89-95ad-a43324e13811",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
- "service": "SAP",
+ "category": "SQL Server on Azure VM",
+ "checklist": "SQL Migration Review",
+ "description": "Microsoft Defender detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases on the SQL server.",
+ "guid": "74a748b6-633a-4d2a-8916-a66498fad0e2",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls",
 "services": [
- "SAP",
- "WAF",
- "VM"
+ "VM",
+ "SQL",
+ "Defender"
 ],
- "severity": "Medium",
- "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
- "waf": "Operations"
+ "severity": "High",
+ "subcategory": "Azure",
+ "text": "Leverage Microsoft Defender for Cloud to improve the overall security posture of your virtual machine deployment.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "Security"
 },
 {
- "checklist": "WAF checklist",
- "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "There are some PaaS limitations that are introduced in SQL Managed Instance and some behavior changes compared to SQL Server. 
It is important to review and understand these differences.",
+ "guid": "78ee293c-1bc3-452b-aaab-7571849ab809",
+ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server?view=azuresql",
 "services": [
- "SAP",
- "WAF",
- "Subscriptions"
+ "EventHubs",
+ "SQL"
 ],
 "severity": "High",
- "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
- "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "waf": "Performance"
+ "subcategory": "Pre Migration",
+ "text": "Review the major differences between SQL Server and Managed Instance",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. 
It is important to review these limits.",
+ "guid": "3dc9ec9d-1bb7-43b3-9a5a-67fba9ed5b35",
+ "link": "https://docs.microsoft.com/azure/azure-sql/managed-instance/resource-limits",
 "services": [
- "Storage",
- "WAF",
- "ASR"
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.",
- "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Pre Migration",
+ "text": "Review capacity limits for SQL MI",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
- "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "The instance settings between managed instance and your source SQL Server can be different . It is important to review those differences that can impact performance.",
+ "guid": "8bc178bd-c5a0-46ca-9144-351e19dd3442",
+ "link": "https://medium.com/azure-sqldb-managed-instance/compare-environment-settings-on-sql-server-and-azure-sql-that-may-impact-performance-e90c21fa9b08",
 "services": [
- "SAP",
- "Sentinel",
- "WAF",
- "Monitor"
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
- "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "Pre Migration",
+ "text": "Compare instance settings on SQL Server and Azure SQL MI that may impact performance",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "Assess on-premises SQL Server instance(s) migrating to Azure SQL Managed Instance. The assessment workflow helps you to detect issues that block the migration itself and also partially supported and unsupported features",
+ "guid": "9eb72281-37a1-451c-9bb4-e4f1814287d5",
+ "link": "https://docs.microsoft.com/azure/dms/ads-sku-recommend",
 "services": [
- "Cost",
- "WAF"
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
- "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
+ "severity": "High",
+ "subcategory": "Pre Migration",
+ "text": "Run Data Migration assistant or Azure Data Studio Migration Extension to detect compatibility issues that can impact database functionality on Managed Instance",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": 
"04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "The SKU recommendation feature can evaluate the source SQL Server performance and utilization characteristics to recommend a right-sized Azure SQL Managed Instance to assist with your migration journey.",
+ "guid": "ca8c26c9-b32a-4b5b-afc6-898a135e3378",
+ "link": "https://learn.microsoft.com/azure/dms/ads-sku-recommend",
 "services": [
- "Monitor",
- "WAF",
- "VM"
+ "SQL"
 ],
- "severity": "Low",
- "text": "Use inter-VM latency monitoring for latency-sensitive applications.",
+ "severity": "High",
+ "subcategory": "Pre Migration",
+ "text": "Select the right compute resources for your workload by leveraging the SKU recommendation tools.",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
 "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "Review Unsupported Features, Migration Blockers and Breaking Changes for each database from the Assessment",
+ "guid": "97e31c67-d68c-4b69-82ac-19f906d697c8",
+ "link": "https://learn.microsoft.com/azure/dms/ads-sku-recommend",
 "services": [
- "SAP",
- "Monitor",
- "WAF",
- "ASR"
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Pre Migration",
+ "text": "Review and address the issues highlighted 
in DMA/Azure Data Studio",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "The SQL Managed Instance default DNS zone .database.windows.net can be changed with your own. However, the managed instance hostname part of its FQDN should remain the same.",
+ "guid": "eaded26b-dd18-46f0-ac25-1b999a68af87",
+ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/frequently-asked-questions-faq?view=azuresql-mi#can-a-managed-instance-have-the-same-name-as-a-sql-server-on-premises-instance",
 "services": [
- "SAP",
- "Storage",
- "WAF"
+ "DNS",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. 
For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.",
- "waf": "Performance"
+ "severity": "High",
+ "subcategory": "Pre Migration",
+ "text": "Plan for connection string changes as changing a managed instance name is not supported",
+ "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "c027f893-f404-41a9-b33d-39d625a14964",
- "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "There are addional requirements in configuring a vnet and subnet hosting the managed instance.",
+ "guid": "c9a7f821-b8eb-48c0-aa77-e25e4d5aeaa8",
+ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-existing-add-subnet?view=azuresql-mi",
 "services": [
- "SAP",
- "WAF"
+ "VNet",
+ "SQL"
 ],
- "severity": "Low",
- "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
- "waf": "Performance"
+ "severity": "Medium",
+ "subcategory": "Pre Migration",
+ "text": "Review managed instance VNet requirements",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
- "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "Though it's possible to deploy managed instances to a subnet with a number of IP addresses that's less than the output of the subnet formula, always consider using bigger subnets instead. 
Using a bigger subnet can help avoid future issues stemming from a lack of IP addresses, such as the inability to create additional instances within the subnet or scale existing instances.",
+ "guid": "dc4e2436-bb33-46d7-85f1-7960eee0b9b5",
+ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-subnet-determine-size?view=azuresql-mi",
 "services": [
- "SAP",
- "Storage",
- "WAF"
+ "VNet",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.",
- "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
- "waf": "Performance"
+ "severity": "High",
+ "subcategory": "Deployment",
+ "text": "Ensure managed instance subnet has sufficient IP addresses available",
+ "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. SQL Managed Instance can be deployed on multiple hardware configurations.",
+ "guid": "c8defc4d-721d-431d-850f-b707ae9eab40",
+ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/resource-limits?view=azuresql-mi#service-tier-characteristics",
 "services": [
- "SAP",
- "SQL",
- "WAF"
+ "SQL"
 ],
- "severity": "Medium",
- "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. 
Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.",
- "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
+ "severity": "High",
+ "subcategory": "Pre Migration",
+ "text": "Plan between General Purpose and Business Critical tiers of MI",
+ "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
 "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "The auto-failover groups feature allows you to manage the replication and failover of user databases in a managed instance to a managed instance in another Azure region. Auto-failover groups are designed to simplify deployment and management of geo-replicated databases at scale.",
+ "guid": "ed329079-8bc1-478b-bc5a-06ca7144351e",
+ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-sql-mi?view=azuresql-mi&tabs=azure-powershell",
 "services": [
- "SAP",
- "Monitor",
- "WAF",
- "ASR"
+ "SQL"
 ],
 "severity": "High",
- "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
- "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
- "waf": "Operations"
+ "subcategory": "Pre Migration",
+ "text": "Based on your RPO/RTO's , determine if Auto failover Group needs to be implemented. 
If so, plan for the deployment attributes of the second instance.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "There are multiple ways to connect your application to the managed instance. Review and understand the pros and cons and decide on the best approach for your application.",
+ "guid": "5d226886-d30b-466c-97be-595190f83845",
+ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance?view=azuresql-mi",
 "services": [
- "AzurePolicy",
- "AppGW",
- "WAF"
+ "SQL"
 ],
- "severity": "Medium",
- "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Pre Migration",
+ "text": "Review the Connectivity Design between Database and Application, test & validate it",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "Compare migration options to choose the path that's appropriate to your business needs.",
+ "guid": "c586cb29-1ec1-46a1-b076-ef9f141acdce",
+ "link": 
"https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview?view=azuresql-mi#migration-tools",
 "services": [
- "DNS",
- "SAP",
- "WAF",
- "VM"
+ "SQL"
 ],
 "severity": "Medium",
- "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "subcategory": "Pre Migration",
+ "text": "Plan for the Migration Method. Depending on the DB Size and Application downtime window, select the preferred Migration Method.",
+ "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "After you verify that data is the same on both source and target, you can cut over from the source to the target environment. 
It's important to plan the cutover process with business / application teams to ensure minimal interruption during cutover doesn't affect business continuity.",
+ "guid": "579377bc-db37-451a-a2ac-1fad66e15d4d",
+ "link": "https://learn.microsoft.com/azure/dms/tutorial-sql-server-managed-instance-online#performing-migration-cutover",
 "services": [
- "DNS",
- "SAP",
- "WAF",
- "VNet"
+ "SQL"
 ],
 "severity": "Medium",
- "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
- "waf": "Operations"
+ "subcategory": "Pre Migration",
+ "text": "Plan the cutover process with business / application teams to ensure minimal interruption during cutover and it does not affect business continuity.",
+ "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "a3592829-e6e2-4061-9368-6af46791f893",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "A time zone of a managed instance can be set during instance creation only. 
The default time zone is UTC",
+ "guid": "4a2adb1c-3d23-426a-b225-ca44e1695fdd",
+ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/timezones-overview?view=azuresql#set-a-time-zone",
 "services": [
- "SAP",
- "ACR",
- "WAF",
- "VNet"
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
- "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Deployment",
+ "text": "Ensure you customize your time zone setting at the instance creation time. One cannot change it later.",
+ "training": "https://learn.microsoft.com/azure/role-based-access-control/overview",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "Server-level collation in Azure SQL Managed Instance can be specified when the instance is created and cannot be changed later.Default server-level collation is SQL_Latin1_General_CP1_CI_AS.",
+ "guid": "deace4cb-1deb-44c6-90c3-fc14eebb3693",
+ "link": "https://learn.microsoft.com/sql/relational-databases/collations/set-or-change-the-server-collation?view=sql-server-ver16",
 "services": [
- "SAP",
- "WAF",
- "NVA"
+ "SQL"
 ],
 "severity": "High",
- "text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
- "training": "https://me.sap.com/notes/2731110",
- "waf": "Performance"
+ "subcategory": "Deployment",
+ "text": "Ensure you select the right collation setting at the instance creation time. 
One cannot change it later",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
- "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "When you're migrating a database protected by Transparent Data Encryption (TDE) to Azure SQL Managed Instance using the native restore option, the corresponding certificate from the SQL Server instance needs to be migrated before database restore.",
+ "guid": "829e3eec-2183-4687-a007-7a2b5945bda4",
+ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/tde-certificate-migrate?view=azuresql-mi&tabs=azure-powershell",
 "services": [
- "SAP",
- "VWAN",
- "ACR",
- "WAF"
+ "VM",
+ "SQL"
 ],
 "severity": "Medium",
- "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
- "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "subcategory": "Deployment",
+ "text": "For TDE Enabled Database, corresponding certificate from the on-premises or Azure VM SQL Server needs to be migrated before database restore",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "System databases can be restored only from backups that are created on the version of SQL Server that the server instance is currently running. 
This is not the case when you are migrating to SQL Managed Instance.Azure PowerShell and DBATools PowerShell libraries enable you to easily script and automate and customize all parts of the migration process.",
+ "guid": "3334fdf9-1c23-4418-8b65-275269440b4b",
+ "link": "https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide?view=azuresql-mi#backup-and-restore",
 "services": [
- "WAF",
- "NVA",
- "VNet"
+ "Backup",
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.",
- "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
+ "severity": "Low",
+ "subcategory": "Migration",
+ "text": "Restore of system databases is not supported. To migrate instance-level objects (stored in master or msdb databases), we recommend to script them out and run T-SQL scripts on the destination instance.",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
- "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "When using migration options that continuously replicate / sync data changes from source to the target, the source data and schema can change and drift from the target. 
During data sync, ensure that all changes on the source are captured and applied to the target during the migration process.",
+ "guid": "e3d3e084-3276-4d4b-bc01-5bcf219e4a1e",
 "services": [
- "VWAN",
- "NVA",
- "VNet",
- "SAP",
- "WAF"
+ "SQL"
 ],
- "severity": "Medium",
- "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.",
- "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
+ "severity": "High",
+ "subcategory": "Migration",
+ "text": "Ensure that all changes on the source are captured and applied to the target during the migration process.",
 "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "82734c88-6ba2-4802-8459-11475e39e530",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "Ensure that the application is able to succesffuly connect to the managed instance post migration of the databases.",
+ "guid": "b5887952-5d22-4688-9d30-b66c57be5951",
+ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance?view=azuresql-mi",
 "services": [
- "SAP",
- "WAF",
- "VM"
+ "SQL"
 ],
- "severity": "High",
- "text": "Public IP assignment to VM running SAP Workload is not recommended.",
- "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Migration",
+ "text": "Test Application Connectivity to MI and Databases",
 
"waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
- "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "High availability is a fundamental part of SQL Managed Instance platform that works transparently for your database applications. Failovers from primary to secondary nodes in case of node degradation or fault detection, or during regular monthly software updates are an expected occurrence for all applications using SQL Managed Instance in Azure.",
+ "guid": "90f83845-c586-4cb2-a1ec-16a1d076ef9f",
+ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/user-initiated-failover?view=azuresql",
 "services": [
- "WAF",
- "ASR"
+ "SQL"
 ],
 "severity": "High",
- "text": "Consider reserving IP address on DR side when configuring ASR",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "Operations"
+ "subcategory": "Post Migration",
+ "text": "Consider executing a manual failover on SQL Managed Instance to test for fault and failover resiliency.",
+ "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "SAP",
+ "category": "SQL Managed Instance",
+ "checklist": "SQL Migration Review",
+ "description": "Ensuring that your applications are failover resilient prior to deploying to production will help mitigate the risk of application faults in production and will contribute to application availability for your customers.",
+ "guid": "141acdce-5793-477b-adb3-751ab2ac1fad",
+ "link": 
"https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-configure-sql-mi?view=azuresql&tabs=azure-portal#test-failover", "services": [ - "WAF" + "LoadBalancer", + "EventHubs", + "SQL" ], "severity": "High", - "text": "Avoid using overlapping IP address ranges for production and DR sites.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Operations" + "subcategory": "Post Migration", + "text": "If failover groups have been implemented, Test Manual Failover and Failback and test application connectivity behavior during failover/failback", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "This provides more dedicated disk IOPS and throughput", + "guid": "aa359272-8e6e-4205-8726-76ae46691e88", + "link": "https://techcommunity.microsoft.com/t5/azure-sql-blog/storage-performance-best-practices-and-considerations-for-azure/ba-p/305525", "services": [ "Storage", - "WAF", - "VNet" + "SQL" ], - "severity": "Medium", - "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. 
Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "Operations" + "severity": "High", + "subcategory": "Post Migration", + "text": "Optimize Storage Performance for General Purpose Managed Instance", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Performance" }, { - "checklist": "WAF checklist", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "Many organizations have policies that require that certificates or encryption keys be created and managed internally. If your organization has a similar policy, this architecture might apply to you. 
If your customers require internal management of these items, the architecture also might apply to you.", + "guid": "35ad9422-23e1-4381-8523-081a94174158", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/data/sql-managed-instance-cmk", "services": [ - "WAF", - "Firewall" + "AKV", + "Backup", + "SQL", + "AzurePolicy" ], - "severity": "Medium", - "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "severity": "Low", + "subcategory": "Post Migration", + "text": "Enable Customer managed TDE for taking your own copy only full backups", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "The maintenance window feature provides you with the ability to onboard Azure SQL resource to prescheduled time blocks outside of business hours.", + "guid": "33ef7ad7-c6d3-4733-865c-7acbe44bbe60", + "link": "https://learn.microsoft.com/azure/azure-sql/database/planned-maintenance?view=azuresql", "services": [ - "SAP", - "AppGW", - "WAF" + "SQL" ], "severity": "Medium", - "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", - "waf": "Security" + "subcategory": "Post Migration", + "text": "Plan for Azure 
maintenance events", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "checklist": "WAF checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "By using the long-term retention (LTR) feature, you can store specified SQL Database and SQL Managed Instance full backups in Azure Blob storage with configured redundancy for up to 10 years.", + "guid": "9d89f2e8-7778-4424-b516-785c6fa96b96", + "link": "https://learn.microsoft.com/azure/azure-sql/database/long-term-retention-overview?view=azuresql-mi", "services": [ - "AzurePolicy", - "ACR", - "WAF", - "FrontDoor" + "ARS", + "Backup", + "SQL", + "Storage" ], - "severity": "Medium", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", - "waf": "Security" + "severity": "Low", + "subcategory": "Post Migration", + "text": "Configure Long Term backup retention, view backups and restore from backups", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "By using Azure Hybrid Benefit, you can achieve cost savings, modernise and maintain a flexible hybrid environment while optimising business applications.", + "guid": "ad88408f-3727-434c-a76b-a28021459014", + "link": 
"https://azure.microsoft.com/en-gb/pricing/hybrid-benefit/#overview", "services": [ - "AzurePolicy", - "AppGW", - "WAF", - "FrontDoor" + "SQL", + "Cost" ], - "severity": "Medium", - "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Security" + "severity": "Low", + "subcategory": "Post Migration", + "text": "Take advantage of Azure Hybrid Benefit and Azure Reservations where applicable.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Cost" }, { - "checklist": "WAF checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "category": "SQL Managed Instance", + "checklist": "SQL Migration Review", + "description": "If you don't have threat protection Advanced Threat Protection is part of the Microsoft Defender for SQL offering, which is a unified package for advanced SQL security capabilities.", + "guid": "65d38e53-f9cc-4bd8-9926-6acca274faa1", + "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-overview?view=azuresql", "services": [ - "LoadBalancer", - "AppGW", - "WAF" + "SQL", + "Defender" ], "severity": "Medium", - "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "subcategory": "Post Migration", + "text": "Leverage Microsoft Defender for Cloud to improve the overall security posture", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "checklist": "WAF checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "a96b96ad-8840-48f3-9273-4c876ba28021", + "link": "https://learn.microsoft.com/azure/dns/private-dns-resiliency", "services": [ - "SAP", - "VWAN", - "ACR", - "WAF" + "DNS", + "VNet" ], - "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "Performance" + "severity": "High", + "subcategory": "Azure Private DNS", + "text": "Verify that Zones are linked to Vnets in multiple regions", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "45901465-d38e-453f-accb-d969266acca2", + "link": "https://learn.microsoft.com/azure/dns/private-dns-resiliency", "services": [ - "Storage", - "ACR", - "VNet", - "WAF", - "Backup", - "PrivateLink" + "DNS" ], - "severity": "Medium", - "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "Security" + "severity": "High", + "subcategory": "Azure Private DNS", + "text": "If different Zones are used between regions, verify a plan for making sure that Zones are up to date in a DR failover situation", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "74faa19b-f39d-495d-94c7-c8919ca1f6d5", + "link": "https://learn.microsoft.com/azure/reliability/reliability-traffic-manager?toc=%2Fazure%2Fdns%2Ftoc.json", "services": [ - "SAP", - "WAF", - "VM" + "DNS", + "TrafficManager", + "ASR" ], - "severity": "High", - "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Azure DNS", + "text": "Plan for disaster recovery with Azure DNS and Traffic Manager", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "315ae524-ba34-4d45-a5e1-2139bd7bb012", + "link": "https://learn.microsoft.com/azure/dns/private-resolver-reliability#availability-zones", "services": [ - 
"LoadBalancer", - "WAF" + "DNS" ], "severity": "Medium", - "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Security" + "subcategory": "Azure DNS Resolver", + "text": "Enable availability zones with Private Resolver", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "f7b95e06-e154-4e2a-a359-2828e6e20517", + "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", "services": [ - "SAP", - "WAF", - "VNet", - "VM" + "DNS", + "ASR" ], "severity": "Medium", - "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", - "waf": "Security" + "subcategory": "Azure DNS Resolver", + "text": "Plan for failover with Private Resolvers in a Disaster Recovery", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "2676ae46-691e-4883-9ad9-42223e138105", + "link": "https://learn.microsoft.com/azure/reliability/reliability-virtual-machines?toc=%2Fazure%2Fvirtual-machines%2Ftoc.json&bc=%2Fazure%2Fvirtual-machines%2Fbreadcrumb%2Ftoc.json&tabs=graph", "services": [ - "SAP", - "WAF", - "VNet" + "DNS", + "VM" ], - "severity": "High", - "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "severity": "Medium", + "subcategory": "VM Based DNS Service", + "text": "Follow VM Guidance for resillency of VM", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "category": "Operations Management", + "checklist": "DNS Review Checklist", + "guid": "23081a94-1741-4583-9ff7-ad7c6d373316", + "link": "https://www.windows-active-directory.com/azure-ad-dns-for-custom-domain-names-with-advanced-dns-settings.html", "services": [ - "SAP", - "WAF" + "DNS", + "VM", + "Entra" ], "severity": "Medium", - "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", - "training": 
"https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Performance" + "subcategory": "VM Based DNS Service", + "text": "IF AD based DNS, follow the Identity -> Windows Server AD path", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", + "guid": "ba7da7be-9951-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", + "service": "Azure Data Explorer", "services": [ - "SAP", - "WAF" + "Storage", + "Cost" ], - "severity": "High", - "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "subcategory": "Replication", + "text": "Leverage External Tables and Continuous data export overview to reduce costs", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. 
Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", + "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", + "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", + "service": "Azure Data Explorer", "services": [ - "SAP", - "Cost", - "WAF", - "VNet" + "Storage" ], - "severity": "High", - "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Cost" + "subcategory": "Replication", + "text": "To share data, explore Leader-follower cluster configuration", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", + "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", + "service": "Azure Data Explorer", "services": [ - "LoadBalancer", - "WAF" + "ASR" ], - "severity": "High", - "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Performance" + "subcategory": "Replication", + "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "436b0635-cb45-4e57-a603-324ace8cc123", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", + "service": "Azure Data Explorer", "services": [ - "SAP", - "WAF", - "VNet" + "RBAC", + "Storage" ], - "severity": "Medium", - "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. 
Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", - "waf": "Security" + "subcategory": "Replication", + "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "services": [ - "SAP", - "WAF", - "Backup", - "VM" - ], - "severity": "High", - "text": "Review SAP HANA database backups for Azure VMs.", - "waf": "Cost" + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", + "service": "Azure Data Explorer", + "services": [], + "subcategory": "Replication", + "text": "Ingest data into each cluster in parallel", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This configuration is also called 'always-on'. 
For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", + "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", + "service": "Azure Data Explorer", "services": [ - "SAP", - "Monitor", - "WAF", - "ASR" + "ACR" ], - "severity": "Medium", - "text": "Review Site Recovery built-in monitoring, where used for SAP.", - "waf": "Cost" + "subcategory": "DR Configuration", + "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.", + "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", + "service": "Azure Data Explorer", "services": [ - "SAP", - "Monitor", - "WAF" + "ACR" ], - "severity": "High", - "text": "Review the Monitoring the SAP HANA System Landscape guidance.", - "waf": "Operations" + "subcategory": "DR Configuration", + "text": "For critical applications, create Active-Active configuration in two paired regions", + "waf": "Reliability" }, { - "checklist": "WAF checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", + "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", + "service": "Azure Data Explorer", + "services": [], + "subcategory": "DR Configuration", + "text": "For applications, which required only read during failure, create Active-Hot standby configuration", + "waf": "Reliability" + }, + { + "category": "BC and DR", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.",
+ "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration",
+ "service": "Azure Data Explorer",
 "services": [
- "WAF",
- "Backup",
- "VM"
+ "Storage",
+ "Cost",
+ "ASR",
+ "AzurePolicy"
 ],
- "severity": "Medium",
- "text": "Review Oracle Database in Azure Linux VM backup strategies.",
- "waf": "Operations"
+ "subcategory": "DR Configuration",
+ "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962",
- "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16",
- "service": "SAP",
+ "category": "Operations Management",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.",
+ "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
 "services": [
- "SQL",
- "WAF",
- "Storage"
+ "AzurePolicy"
 ],
- "severity": "Medium",
- "text": "Review the use of Azure Blob Storage with SQL Server 2016.",
- "waf": "Operations"
+ "subcategory": "IaC",
+ "text": "Wrap DevOps and source control around all your code",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations Management",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
+ "services": [],
+ "subcategory": "IaC",
+ "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "b82e650f-676d-417d-994d-fc33ca54ec14",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql",
- "service": "SAP",
- "services": [
- "WAF",
- "Backup",
- "VM"
- ],
- "severity": "Medium",
- "text": "Review the use of Automated Backup v2 for Azure VMs.",
- "waf": "Operations"
+ "category": "Operations Management",
+ "checklist": "Azure Data Explorer Review Checklist",
+ "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
+ "services": [],
+ "subcategory": "IaC",
+ "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments",
+ "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "AVD control plane does not offer a financially backed service level agreement. We strive to attain at least 99.9% availability for the Azure Virtual Desktop service URLs. The availability of the session host virtual machines in your subscription is covered by the Virtual Machines SLA. 
Dependent resources/services and infrastructure availability must be also considered to properly satisfy global high-availability requirements.",
+ "guid": "56c57ba5-9119-4bf8-b8f5-c586c7d9cdc1",
+ "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/",
 "services": [
- "WAF"
+ "VM",
+ "ASR",
+ "AVD",
+ "Subscriptions"
 ],
 "severity": "High",
- "text": "Enabling Write accelerator for M series when using premium disks(V1)",
- "waf": "Operations"
+ "subcategory": "Compute",
+ "text": "Determine the expected High Availability SLA for applications/desktops published through AVD",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "'Active-Active' model can be achieved with multiple host pools in different regions. A single Host Pool with VMs from different regions is not recommended. If multiple pools for same users will be used, the problem of how to synchronize/replicate user profiles must be solved. FSLogix Cloud Cache could be used, but need to be carefully reviewed and planned, or customers can decide to do not synchronize/replicate at all. 'Active-Passive' can be achieved using Azure Site Recovery (ASR) or on-demand Pool deployment with automated mechanism. 
For a detailed discussion on multi-region BCDR, please read the companion article in the 'More Info' column and this FSLogix related page: https://learn.microsoft.com/fslogix/concepts-container-recovery-business-continuity.",
+ "guid": "6acc076e-f9b1-441a-a989-579e76b897e7",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr",
 "services": [
- "WAF"
+ "VM",
+ "Storage",
+ "ASR",
+ "AVD"
 ],
 "severity": "Medium",
- "text": "Test availability zone latency.",
- "waf": "Performance"
+ "subcategory": "Compute",
+ "text": "Assess Geo Disaster Recovery requirements for AVD Host Pools",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d",
- "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Before approaching Azure Virtual Desktop BCDR planning and design, it is important to initially consider which applications consumed through AVD are critical. 
You may want to separate them from non-critical apps and use a separate Host Pool with a different disaster recovery approach and capabilities.",
+ "guid": "10a7da7b-e996-46e1-9d3c-4ada97cc3d13",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
 "services": [
- "SAP",
- "WAF"
+ "ASR",
+ "AVD"
 ],
- "severity": "Medium",
- "text": "Activate SAP EarlyWatch Alert for all SAP components.",
- "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html",
- "waf": "Performance"
+ "severity": "Low",
+ "subcategory": "Compute",
+ "text": "Separate critical applications in different AVD Host Pools",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Each Host Pool can be deployed using Availability Zones (AZ) or Availability Set (AS). To maximize resiliency, usage of AZ is recommended: at Host Pool creation time you can decide to spread Host Pool Session Hosts across all available AZ. Usage of AS will not protect from single datacenter failure, then should be used only in regions where AZ are not available. More details on AZ and AVD in the companion article. 
For a comparison between AZ and AS you can read here: https://learn.microsoft.com/azure/virtual-machines/availability.",
+ "guid": "25ab225c-6f4e-4168-9fdd-dea8a4b7cdeb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262",
 "services": [
- "SAP",
- "WAF"
+ "ASR",
+ "AVD",
+ "ACR"
 ],
- "severity": "Medium",
- "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.",
- "training": "https://me.sap.com/notes/0002879613",
- "waf": "Performance"
+ "severity": "High",
+ "subcategory": "Compute",
+ "text": "Plan the best resiliency option for AVD Host Pool deployment",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Azure Backup can be used to protect Host Pool VMs. For Pooled Pools, this is not necessary since should be stateless. Instead, this option can be considered for Personal Host Pools.",
+ "guid": "4c61fc3f-c14e-4ea6-b69e-8d9a3eec218e",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
 "services": [
- "SQL",
- "WAF",
- "Monitor"
+ "Backup",
+ "VM",
+ "AVD",
+ "ASR"
 ],
 "severity": "Medium",
- "text": "Review SQL Server performance monitoring using CCMS.",
- "waf": "Performance"
+ "subcategory": "Compute",
+ "text": "Assess the requirement to backup AVD Session Host VMs",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390",
- "link": "https://me.sap.com/notes/500235",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Even for Personal Pools, usage of Availability Zones, when available, is recommended. 
Three possible in-region DR strategies are possible, it is recommended to select the best one based on cost, RTO/RPO, and if it is really necessary to save the entire VM OS disk: (1) create each session host in a specific zone (AZ) and then use Azure Site Recovery (ASR) to replicate to a different zone. (2) Use Azure Backup to backup and restore the specific session host in a different AZ. (3) Create a new session host in a different AZ and rely on FSLogix and/or OneDrive to make data and settings available on the new machine. All options require administrator intervention for DR and direct user assignment at Host Pool level, then must be planned and configured in advance.",
+ "guid": "5da58639-ca3a-4961-890b-29663c5e10d",
+ "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery",
 "services": [
- "SAP",
- "WAF",
- "VM"
+ "Backup",
+ "VM",
+ "ASR",
+ "AVD",
+ "Cost"
 ],
 "severity": "Medium",
- "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).",
- "training": "https://me.sap.com/notes/1100926/E",
- "waf": "Performance"
+ "subcategory": "Compute",
+ "text": "Prepare a local DR strategy for Personal Host Pool Session Hosts",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43",
- "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If custom images are used to deploy AVD Host Pool VMs, it is important to ensure those artifacts are available in all regions where AVD is deployed. Azure Compute Gallery service can be used to replicate images across all regions where a Host Pool is deployed, with redundant storage and in multiple copies. Please be aware that the Azure Compute Gallery service isn't a global resource. 
For disaster recovery scenarios, the best practice is to have at least two galleries, in different regions.",
+ "guid": "dd2e0d5d-771d-441e-9610-cc57b4a4a141",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery",
 "services": [
- "SAP",
- "Monitor",
- "WAF"
+ "Storage",
+ "VM",
+ "ASR",
+ "AVD",
+ "ACR"
 ],
- "severity": "Medium",
- "text": "Review SAP HANA studio alerts.",
- "waf": "Performance"
+ "severity": "Low",
+ "subcategory": "Dependencies",
+ "text": "Plan for Golden Image cross-region availability",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694",
- "link": "https://me.sap.com/notes/1969700",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If users of the AVD infrastructure need on-premises resource access, high availability of network infrastructure required to connect is also critical and should be considered. Resiliency of authentication infrastructure needs to be assessed and evaluated. 
BCDR aspects for dependent applications and other resources need to be considered to ensure availability in the secondary DR location.",
+ "guid": "fd339489-8c12-488b-9c6a-57cfb644451e",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
 "services": [
- "SAP",
- "WAF"
+ "ASR",
+ "AVD"
 ],
 "severity": "Medium",
- "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.",
- "waf": "Performance"
+ "subcategory": "Dependencies",
+ "text": "Assess Infrastructure & Application dependencies ",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Not all data inside FSLogix user profiles may deserve protection from disaster. Additionally, if external storage is used, for example OneDrive or File Servers/Shares, what is remaining in the FSLogix profile is minimal and could be lost in some extreme circumstances. 
In other cases, data inside the profile can be rebuilt from other storages (for example Outlook Inbox in cached mode).",
+ "guid": "687ab077-adb5-49e5-a960-3334fdf8cc23",
+ "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt",
 "services": [
- "WAF",
- "VM"
+ "Storage",
+ "ASR",
+ "AVD"
 ],
 "severity": "Medium",
- "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.",
- "training": "https://learn.microsoft.com/azure/automation/update-management/overview",
- "waf": "Security"
+ "subcategory": "Storage",
+ "text": "Assess which data need to be protected in the Profile and Office Containers",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "08951710-79a2-492a-adbc-06d7a401545b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Preventing data loss for critical user data is important, first step is to assess which data need to be saved and protected. If using OneDrive or other external storage, saving user Profile and/or Office Containers data maybe not necessary. Appropriate mechanism must be considered to provide protection for critical user data. Azure Backup service can be used to protect Profile and Office Containers data when stored on Azure Files Standard and Premium tiers. 
Azure NetApp Files Snapshots and Policies can be used for Azure NetApp Files (all tiers).",
+ "guid": "fc4972cc-3cd2-45bf-a707-6e9eab4bed32",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
 "services": [
- "SAP",
- "WAF"
+ "Storage",
+ "Backup",
+ "ASR",
+ "AVD",
+ "AzurePolicy"
 ],
 "severity": "Medium",
- "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.",
- "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
- "waf": "Security"
+ "subcategory": "Storage",
+ "text": "Build a backup protection strategy for Profile and Office Containers",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "In AVD, multiple replication mechanisms and strategies can be used for user data residing in FSLogix containers: [Profile Pattern #1]: Native Azure storage replication mechanisms, for example Azure Files Standard GRS replication, Azure NetApp Files Cross Region Replication. Use Zone Replicated Storage (ZRS) or Geo replicated storage (GRS) for Azure Files is recommended. LRS with local-only resiliency can be used if no zone/region protection is required. NOTE: Azure Files Share Standard is LRS/ZRS/GRS, but with 100TB large support enabled only LRS/ZRS are supported. [Profile Pattern #2]: FSLogix Cloud Cache is built in automatic mechanism to replicate containers between different (up to 4) storage accounts. 
Cloud Cache should be used only when:(1) User Profile or Office containers data availability required high-availability SLA is critical and need to be resilient to region failure. (2) Selected storage option is not able to satisfy BCDR requirements. For example, with Azure File Share Premium tier, or Azure File Share Standard with Large File Support enabled, GRS is not available. (3) When replication between disparate storage is required. [Profile Pattern #3]: Only set up geo disaster recovery for application data and not for user data/profile containers: store important application data in separate storages, like OneDrive or other external storage with its own built-in DR mechanism.",
+ "guid": "9f7547c1-746d-4c56-868a-714435bd09dd",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery",
 "services": [
- "SAP",
- "SQL",
- "WAF"
+ "Storage",
+ "ASR",
+ "AVD"
 ],
- "severity": "Low",
- "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Storage",
+ "text": "Assess Profile Container storage replication requirements and resiliency for BCDR purpose",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "For local disaster recovery, Azure Backup for Azure Files can be used. For cross-region geo disaster recovery: GRS for Azure Files is only available with standard SKU and no large share support, then not suitable in most customer scenarios. 
If geo-replication is required with Azure File Share Premium, replication with FSLogix Cloud Cache can be evaluated, or 'in-region' Availability Zone (AZ) only resiliency should be considered.",
+ "guid": "3d4f3537-c134-46dc-9602-7a71efe1bd05",
+ "link": "https://docs.microsoft.com/azure/backup/backup-afs",
 "services": [
- "SQL",
- "WAF"
+ "Backup",
+ "Storage",
+ "ASR",
+ "AVD"
 ],
- "severity": "High",
- "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.",
- "training": "https://me.sap.com/notes/3019299/E",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "Storage",
+ "text": "Review Azure Files disaster recovery strategy",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Zone Redundant Storage will maximize in-region resiliency for the user profile data. ZRS is supported for premium file shares through the 'FileStorage' storage account kind. ZRS is supported in standard general-purpose v2 storage accounts. Usage of zone redundant storage must be paired with zone redundant deployment of Session Hosts in each Host Pool. ",
+ "guid": "10d4e875-d502-4142-a795-f2b6eff34f88",
+ "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage",
 "services": [
 "Storage",
- "SQL",
- "SAP",
- "WAF",
- "Backup"
+ "ASR",
+ "AVD"
 ],
 "severity": "High",
- "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
- "waf": "Security"
+ "subcategory": "Storage",
+ "text": "Use Zone Redundant Storage (ZRS) for Azure Files to maximize resiliency",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
- "service": "SAP",
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "For local disaster recovery, Azure NetApp Files (ANF) native backup is available. ANF is essentially locally redundant, then for cross-region geo disaster recovery it is necessary to use an additional mechanism that is Cross-Region Replication (CRR) https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering. Currently, ANF does not provide replication nor redundancy across different Availability Zones (AZ), only the possibility to select in which single AZ to place the ANF volume: https://learn.microsoft.com/azure/azure-netapp-files/manage-availability-zone-volume-placement.",
+ "guid": "23429db7-2281-4376-85cc-57b4a4b18142",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering",
 "services": [
+ "Backup",
 "Storage",
- "WAF"
+ "ASR",
+ "AVD",
+ "ACR"
 ],
 "severity": "Medium",
- "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.",
- "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations",
- "waf": "Security"
+ "subcategory": "Storage",
+ "text": "Review Azure NetApp Files disaster recovery strategy",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
- "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Applications can be preinstalled in the golden image/s, can be attached using MSIX & AppAttach feature or distributed to the session hosts after host pool deployment using traditional software distribution methods.",
+ "guid": "86ba2802-1459-4014-95d3-8e5309ccbd97",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image",
 "services": [
- "WAF",
- "AKV"
+ "AVD"
 ],
 "severity": "High",
- "text": "Use Azure Key Vault to store your secrets and credentials",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
- "waf": "Security"
+ "subcategory": "Golden Images",
+ "text": "Determine how applications will be deployed in AVD Host Pools",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "829e2edb-2173-4676-aff6-691b4935ada4",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Multiple golden images can be required to support different OS versions and/or settings, different groups of applications that must be separated and cannot be included in a single image.",
+ "guid": "9266bcca-274f-4aa1-abf3-9d95d44c7c89",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image",
 "services": [
- "RBAC",
- "AzurePolicy",
- "WAF",
- "Subscriptions"
+ "AVD"
 ],
 "severity": "Medium",
- "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).",
- "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations",
- "waf": "Security"
+ "subcategory": "Golden Images",
+ "text": "Estimate the number of golden images that will be required",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
- "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Determine which Guest OS will be used to deploy each Host Pool: Windows 10 vs. Windows Server, Marketplace vs. 
Custom images",
+ "guid": "19ca1f6d-5315-4ae5-84ba-34d4585e2213",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#operating-systems-and-licenses",
 "services": [
- "AzurePolicy",
- "WAF",
- "AKV"
+ "AVD"
 ],
 "severity": "Medium",
- "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
- "waf": "Security"
- },
- {
- "checklist": "WAF checklist",
- "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy",
- "service": "SAP",
- "services": [
- "RBAC",
- "AzurePolicy",
- "WAF"
- ],
- "severity": "High",
- "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed",
- "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations",
- "waf": "Security"
+ "subcategory": "Golden Images",
+ "text": "Determine which OS image/s you will use for Host Pool deployment",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Azure VM custom images can be created and stored in different ways: in an Azure Compute Gallery, as a managed image object or as a managed disk in the storage. 
The recommended way is to use Azure Compute Gallery.",
+ "guid": "5a2adb2c-3e23-426b-b225-ca44e1696fdd",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries",
 "services": [
- "SAP",
 "Storage",
- "WAF",
- "Defender"
- ],
- "severity": "High",
- "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. Follow your DBMS vendor's recommendations when excluding target files.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268",
- "waf": "Security"
- },
- {
- "checklist": "WAF checklist",
- "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks",
- "service": "SAP",
- "services": [
- "RBAC",
- "SAP",
- "WAF",
- "Defender"
+ "VM",
+ "AVD"
 ],
- "severity": "High",
- "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.",
- "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Golden Images",
+ "text": "Select the proper store for custom images",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If custom images will be used, plan for an automated build process. 
If no pre-existing software factory exists, consider using Custom Image Templates and/or Azure Image Builder to automate the build process.",
+ "guid": "9bd7bb01-2f7b-495e-86e1-54e2aa359282",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/create-custom-image-templates",
 "services": [
- "SAP",
- "WAF"
+ "AVD"
 ],
 "severity": "Low",
- "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS",
- "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit",
- "waf": "Security"
+ "subcategory": "Golden Images",
+ "text": "Design your build process for custom images",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "There are some known best practices and recommendations for the golden image customization, be sure to check the referenced article.",
+ "guid": "deace4cb-1dec-44c6-90c3-fc14eebb36a3",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-golden-image",
 "services": [
- "WAF",
- "AKV"
+ "AVD"
 ],
 "severity": "Medium",
- "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
- "waf": "Security"
- },
- {
- "checklist": "WAF checklist",
- "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
- "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices",
- "service": "SAP",
- "services": [
- "WAF",
- "AKV"
- ],
- "severity": "High",
- "text": "Use an Azure Key Vault per application per 
environment per region.",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
- "waf": "Security"
- },
- {
- "checklist": "WAF checklist",
- "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c",
- "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
- "service": "SAP",
- "services": [
- "SAP",
- "WAF",
- "AKV"
- ],
- "severity": "High",
- "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.",
- "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations",
- "waf": "Security"
+ "subcategory": "Golden Images",
+ "text": "If custom image will be used, check recommended best practices for AVD on how to build custom image",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "FSLogix stack installed in AVD session hosts does not provide auto-update capability. 
For this reason, it is recommended to download the latest version of FSLogix and include in the golden image update process.",
+ "guid": "ed5c9027-dd1a-4343-86ca-52b199223186",
+ "link": "https://learn.microsoft.com/fslogix/how-to-install-fslogix",
 "services": [
- "RBAC",
- "SAP",
- "WAF",
- "Subscriptions"
+ "AVD"
 ],
 "severity": "High",
- "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes",
- "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations",
- "waf": "Security"
+ "subcategory": "Golden Images",
+ "text": "Include the latest version of FSLogix in the golden image update process",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
- "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "This tool-set has been created to automatically apply setting referenced in white paper 'Optimizing Windows 10, version 2004 for a Virtual Desktop Infrastructure (VDI) role': https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004. Usage of the tool and/or optimizations mentioned in the white-paper should be considered. 
",
+ "guid": "829e3fec-2183-4687-a017-7a2b5945bda4",
+ "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool",
 "services": [
- "SAP",
- "WAF",
- "NVA",
- "PrivateLink"
+ "RBAC",
+ "AVD"
 ],
- "severity": "High",
- "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources",
- "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Golden Images",
+ "text": "Evaluate the usage of Virtual-Desktop-Optimization-Tool",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
- "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "If OneDrive is used and included in a golden image, be sure to follow the configuration procedure reported in the companion article in the 'More Info' section. Not in scope in this AVD checklist, but OneDrive optimizations like 'Known Folder Redirection' and 'Files On-Demand' should be evaluated used to reduce the space used in FSLogix profiles and provide a better user experience. 
OneDrive today is not supported for Remote Apps.",
+ "guid": "e3d3e084-4276-4d4b-bc01-5bcf219e4a1e",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode",
 "services": [
 "Storage",
- "WAF",
- "VM"
+ "AVD"
 ],
 "severity": "Low",
- "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.",
- "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/",
- "waf": "Security"
+ "subcategory": "Golden Images",
+ "text": "Determine if Microsoft OneDrive will be part of AVD deployment",
+ "waf": "Operations"
 },
 {
- "checklist": "WAF checklist",
- "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Be sure to review the requirements and configuration procedure contained in the companion article in the 'More Info' column. 
Since Teams automatic updates will be disabled, it is recommended to check and include Teams latest version in the golden image update process.",
+ "guid": "b5887953-5d22-4788-9d30-b66c67be5951",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/teams-on-AVD",
 "services": [
- "WAF",
- "Defender"
+ "AVD"
 ],
 "severity": "Low",
- "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.",
- "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations",
- "waf": "Security"
+ "subcategory": "Golden Images",
+ "text": "Determine if Microsoft Teams will be part of AVD deployment",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "AVD can support users with different language and localization requirements in the same host pool. This can be done customizing golden images to ensure users can select whichever language they need. The procedure to configure additional language packs in Windows 11 is documented in the reference article.",
+ "guid": "7c336f3b-822a-498e-8cd1-667d1150df4a",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/windows-11-language-packs",
 "services": [
- "SAP",
- "WAF",
- "VNet"
+ "AVD"
 ],
- "severity": "High",
- "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations",
- "waf": "Security"
+ "severity": "Low",
+ "subcategory": "Golden Images",
+ "text": "Assess the requirement to support multiple languages",
+ "waf": "Reliability"
 },
 {
- "checklist": "WAF checklist",
- "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "It is highly recommended to use separate storage accounts/shares to store MSIX packages. If necessary, storage can scale out independently and not being impacted by profile I/O activities. Azure offers multiple storage options that can be used for MISX app attach. We recommend using Azure Files or Azure NetApp Files as those options offer the best value between cost and management overhead. ",
+ "guid": "90083845-c587-4cb3-a1ec-16a1d076ef9f",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
 "services": [
- "SAP",
- "WAF"
+ "Storage",
+ "Cost",
+ "AVD"
 ],
- "severity": "Low",
- "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.",
- "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations",
- "waf": "Security"
+ "severity": "Medium",
+ "subcategory": "MSIX & AppAttach",
+ "text": "Do not use the same storage account/share as FSLogix profiles",
+ "waf": "Performance"
 },
 {
- "checklist": "WAF checklist",
- "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc",
- "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "In the referenced article, we reported few but important performance considerations for MSIX usage in AVD context, be sure to carefully review.",
+ "guid": "241addce-5793-477b-adb3-751ab2ac1fad",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
 "services": [
- "SAP",
- "Monitor",
- "WAF",
- "AKV"
+ "AVD"
 ],
 "severity": "Medium",
- "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
- "waf": "Security"
+ "subcategory": "MSIX & AppAttach",
+ "text": "Review performance considerations for MSIX",
+ "waf": "Performance"
 },
 {
- "category": "Automation",
- "checklist": "SAP Checklist",
- "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
- "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "MSIX app attach requires read-only permissions to access the file share. 
If you're storing your MSIX applications in Azure Files, then for your session hosts, you'll need to assign all session host VMs both storage account role-based access control (RBAC) and file share New Technology File System (NTFS) permissions on the share.",
+ "guid": "66e15d4d-5a2a-4db2-a3e2-326bf225ca41",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share",
 "services": [
- "SAP"
+ "RBAC",
+ "Storage",
+ "VM",
+ "AVD"
 ],
 "severity": "Medium",
- "subcategory": "ACSS",
- "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations",
- "waf": "Operations"
+ "subcategory": "MSIX & AppAttach",
+ "text": "Check proper session host permissions for MSIX share",
+ "waf": "Security"
 },
 {
- "category": "Automation",
- "checklist": "SAP Checklist",
- "guid": "5d75e99d-624d-4afe-91d9-e17adc580790",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "3rd-party software vendor must provide a MSIX package, it is not recommended for customer to attempt the conversion procedure without proper support from the application owner.",
+ "guid": "bd362caa-ab79-4b19-adab-81932c9fc9d1",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
 "services": [
- "SAP"
+ "AVD"
 ],
- "severity": "Medium",
- "subcategory": "SDAF",
- "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.",
- "training": "https://github.com/Azure/sap-automation",
+ "severity": "Low",
+ "subcategory": "MSIX & AppAttach",
+ "text": "MSIX packages for 3rd-party applications",
+ "waf": "Cost"
+ },
+ {
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "MSIX app attach doesn't support auto-update for MSIX applications, so they should be disabled.",
+ "guid": "bb88037f-5e6b-4fbb-aed5-03547cc447e8",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
+ "services": [
+ "AVD"
+ ],
+ "severity": "Low",
+ "subcategory": "MSIX & AppAttach",
+ "text": "Disable auto-update for MSIX packages",
 "waf": "Operations"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "In order to leverage MSIX & App Attach, guest OS image for AVD Host pool must be Windows 10/11 Enterprise or Windows 10/11 Enterprise Multi-session, version 2004 or later.",
+ "guid": "26128a71-f0f1-4cac-9d9e-f1d5e832e42e",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-faq",
 "services": [
- "SAP",
- "Backup",
- "ASR"
+ "AVD"
 ],
 "severity": "Medium",
- "subcategory": "Backup and restore",
- "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally",
+ "subcategory": "MSIX & AppAttach",
+ "text": "Review operating systems support",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- 
"checklist": "SAP Checklist",
- "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Once selected the VM SKU that will be used for Host Pool deployment, it is recommended to use Gen2 type of the SKU for higher security and improved capabilities.",
+ "guid": "e4633254-3185-40a1-b120-bd563a1c8e9d",
+ "link": "https://docs.microsoft.com/azure/virtual-machines/generation-2",
 "services": [
- "SAP",
- "Backup",
- "ASR"
+ "VM",
+ "AVD"
 ],
 "severity": "Medium",
- "subcategory": "Disaster recovery",
- "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.",
- "waf": "Reliability"
+ "subcategory": "Session Host",
+ "text": "Evaluate the usage of Gen2 VM for Host Pool deployment",
+ "waf": "Performance"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "b651423c-8552-42db-a545-5cb50c05527a",
- "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
- "service": "SAP",
+ "category": "Compute",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "MMR redirects the media content from Session Host to your local machine for faster processing and rendering. It only works when you play media content on Microsoft Edge or Google Chrome. See linked URL for more details.",
+ "guid": "adecb27f-dc40-40f5-aca2-0090f633b1c9",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/multimedia-redirection",
 "services": [
- "Storage",
- "ASR",
- "SQL",
- "SAP",
- "Backup"
+ "AVD"
 ],
- "severity": "High",
- "subcategory": "Disaster recovery",
- "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. 
For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Session Host",
+ "text": "Consider using MMR (MultiMedia Redirection) to get better video performance on browser",
+ "waf": "Performance"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "aa208dca-784f-46c6-9014-cc919c542dc9",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. A host pool can be one of two types: Personal and Pooled. Which type to use, and how many, is a key design decision that must be documented and validated. See companion article in 'More Info' column for more details.",
+ "guid": "8468c55a-775c-46ee-a5b8-6ad8844ce3b2",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology#host-pools",
 "services": [
- "SAP",
- "ASR"
+ "VM",
+ "AVD"
 ],
- "severity": "Medium",
- "subcategory": "Disaster recovery",
- "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Capacity Planning",
+ "text": "Determine the Host Pool type to use",
+ "waf": "Cost"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "ba07c007-1f90-43e9-aa4f-601346b80352",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Use your design criteria to determine the number of Host Pools to deploy. This will be based on factors such as different OS images, multi-region support, guest VM hardware differences (such as GPU support or no), different user expectations and uptime requirements (examples might be 'Executives', 'Office Workers', 'Developers', etc.), and Host Pool RDP settings (such as drive redirection support). These will determine the number of host pools as well as how many hosts will be in each pool.",
+ "guid": "4e98495f-d3c0-4af2-aa59-a793395a32a7",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#host-pools",
 "services": [
- "SAP",
- "ExpressRoute",
- "VPN",
- "ASR"
+ "VM",
+ "AVD"
 ],
 "severity": "High",
- "subcategory": "Disaster recovery",
- "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.",
- "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
- "waf": "Reliability"
+ "subcategory": "Capacity Planning",
+ "text": "Estimate the number of different Host Pools to deploy ",
+ "waf": "Performance"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Confirm that the difference between automatic and direct assignment is well understood and the selected option is appropriate for the scenario in question. Automatic is the default setting.",
+ "guid": "b38b875b-a1cf-4204-a901-3a5d3ce474db",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type",
 "services": [
- "SAP",
- "ACR",
- "AKV",
- "ASR"
+ "AVD"
 ],
 "severity": "Low",
- "subcategory": "Disaster recovery",
- "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.",
- "waf": "Reliability"
+ "subcategory": "Capacity Planning",
+ "text": "For Personal Host Pool type, select the proper assignment type",
+ "waf": "Operations"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Check which one to use and available options, autoscale ignores existing load-balancing algorithms.",
+ 
"guid": "cbd8682a-6abc-4a2a-9fda-1dbf3dc95d48",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/host-pool-load-balancing",
 "services": [
- "SAP",
- "VNet",
- "ASR"
+ "AVD"
+ ],
+ "severity": "Low",
+ "subcategory": "Capacity Planning",
+ "text": "For Pooled Host Pool type, select the best load balancing method",
+ "waf": "Performance"
+ },
+ {
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "The number of cores increase, the system's synchronization overhead also increases. Especially for multiple user's sign-in simultaneously. Make sure not to use a VM that is too large for the session host",
+ "guid": "b3724959-4943-4577-a3a9-e10ff6345f24",
+ "link": "https://learn.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
+ "services": [
+ "VM",
+ "AVD"
 ],
 "severity": "Medium",
- "subcategory": "Disaster recovery",
- "text": "Peer the primary and disaster recovery virtual networks. For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.",
- "waf": "Reliability"
+ "subcategory": "Capacity Planning",
+ "text": "For Pooled Host Pool type, VMs shouldn't have more than 32 cores",
+ "waf": "Performance"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "AVD does not support assigning both the RemoteApp and Desktop Application Group (DAG) in a single host pool to the same set of users. Doing so will cause a single user to have two user sessions in a single host pool. 
Users aren't supposed to have two active sessions at the same time in the same host pool using the same profile.",
+ "guid": "b384b7ed-1cdd-457e-a2cd-c8d4d55bc144",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups",
 "services": [
- "SAP",
 "Storage",
- "ASR"
+ "AVD"
 ],
- "severity": "Low",
- "subcategory": "Disaster recovery",
- "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.",
- "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria",
- "waf": "Reliability"
+ "severity": "High",
+ "subcategory": "Capacity Planning",
+ "text": "Do not use the same Host Pool to offer both full desktops (DAG) and Remote Apps to the same set of users",
+ "waf": "Security"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "There is a limit of 500 Application Groups that can be created in AVD for each Microsoft Entra ID (former Azure AD) tenant. 
The limit can be increased (see the companion link for details) but it is not recommended.",
+ "guid": "971cc4a4-b1f7-4c12-90e0-1ad96808f00c",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits",
 "services": [
- "SAP",
- "ASR"
+ "Entra",
+ "AVD",
+ "ACR"
 ],
- "severity": "High",
- "subcategory": "Disaster recovery",
- "text": "Native database replication technology should be used to synchronize the database in a HA pair.",
- "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations",
+ "severity": "Medium",
+ "subcategory": "Capacity Planning",
+ "text": "Estimate the number of Application Groups required across all Host Pools in the Microsoft Entra ID tenant",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad",
- "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Applications are grouped under Application Groups as containers for publishing and assigning permissions: we recommend that you do not publish more than 50 applications per application group.",
+ "guid": "fa9f2895-473d-439b-ab8e-5a5cf92c7f32",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations",
 "services": [
- "SAP",
- "VNet",
- "ASR"
+ "AVD"
 ],
- "severity": "High",
- "subcategory": "Disaster recovery",
- "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet",
- "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
+ "severity": "Low",
+ "subcategory": 
"Capacity Planning",
+ "text": "Estimate the number of Applications for each Application Group",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "FSLogix is not required for Personal Host Pools since each VM is statically assigned to a single user, then no immediate needs for a roaming profile solution. In some usage scenarios FSLogix can help. For example, a VM can be re-assigned, or user moved to another desktop, or roaming profile can be used to save user profile in a different location for DR purposes.",
+ "guid": "38b19ab6-0693-4992-9394-5590883916ec",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop",
 "services": [
- "SAP",
- "Entra",
+ "Storage",
 "VM",
- "ASR"
+ "AVD"
 ],
- "severity": "High",
- "subcategory": "Disaster recovery",
- "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
+ "severity": "Low",
+ "subcategory": "Capacity Planning",
+ "text": "Evaluate the usage of FSLogix for Personal Host Pools",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Use the link provided to set a starting point for SKU decision, then validate using a performance test. Ensure a minimum of four cores for Production is selected per Session Host (multi-session)",
+ "guid": "e1112dbd-7ba0-412e-9b94-ef6e047d2ea2",
+ "link": "https://docs.microsoft.com/windows-server/remote/remote-desktop-services/virtual-machine-recs",
 "services": [
- "SAP",
- "ASR"
+ "VM",
+ "AVD"
 ],
 "severity": "High",
- "subcategory": "High availability",
- "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations",
- "waf": "Reliability"
+ "subcategory": "Capacity Planning",
+ "text": "Run workload performance test to determine the best Azure VM SKU and size to use",
+ "waf": "Performance"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "It is critical to check AVD capacity and limits reported in the referenced article. Additional limits and thresholds apply for network, compute, storage and service management. ",
+ "guid": "992b1cd6-d2f5-44b2-a769-e3a691e8838a",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations",
 "services": [
- "SAP",
- "ASR"
+ "Storage",
+ "AVD"
 ],
 "severity": "High",
- "subcategory": "High availability",
- "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "subcategory": "Capacity Planning",
+ "text": "Verify AVD scalability limits for the environment",
 "waf": "Reliability"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Host Pools with GPU require special configuration, please be sure to review the referenced article.",
+ "guid": "c936667e-13c0-4056-94b1-e945a459837e",
+ "link": "https://docs.microsoft.com/azure/virtual-desktop/configure-vm-gpu",
 "services": [
- "SAP",
- "Storage",
- "VM",
- "ASR"
+ "AVD"
 ],
- "severity": "High",
- "subcategory": "High availability",
- "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Capacity Planning",
+ "text": "Determine if Session Hosts will require GPU",
+ "waf": "Performance"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "Whenever is possible, it is recommended to leverage VM SKUs with Accelerated Networking feature. This feature does require specific VM SKU/size and OS versions, please see the list and requirement in the companion article.",
+ "guid": "b47a393a-0803-4272-a479-8b1578b219a4",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
 "services": [
- "SAP",
- "Storage",
- "ASR"
+ "VM",
+ "AVD"
 ],
- "severity": "High",
- "subcategory": "High availability",
- "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads",
- "waf": "Reliability"
+ "severity": "Low",
+ "subcategory": "Capacity Planning",
+ "text": "Use Azure VM SKUs able to leverage Accelerated Networking",
+ "waf": "Performance"
 },
 {
- "category": "Business Continuity and Disaster Recovery",
- "checklist": "SAP Checklist",
- "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b",
- "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk",
- "service": "SAP",
+ "category": "Foundation",
+ "checklist": "Azure Virtual Desktop Review",
+ "description": "For proper planning and deployment, it is important to assess the maximum number of concurrent and total users for each Host Pool. Additionally, users from different regions may require different Host Pools to ensure the best user experience.",
+ "guid": "bb91a33d-90ca-4e2c-a881-3706f7c0cb9f",
+ "link": "https://learn.microsoft.com/azure/virtual-desktop/overview",
 "services": [
- "SAP",
- "ASR"
+ "AVD"
 ],
- "severity": "High",
- "subcategory": "High availability",
- "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Clients & Users", + "text": "Assess how many users will connect to AVD and from which regions", + "waf": "Performance" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "The dependencies on resources external to the AVD pool should be assessed and reviewed, for example Active Directory, external file shares or other storage, on-premises services and resources, network infrastructure components like VPN and or ExpressRoute, external services and 3rd-party components. For all these resources, latency from the AVD Host Pool needs to be evaluated and connectivity considered. Additionally, BCDR considerations need to be applied to these dependencies as well.", + "guid": "6abca2a4-fda1-4dbf-9dc9-5d48c7c791dc", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json", "services": [ - "SAP", - "LoadBalancer", - "ASR" + "VPN", + "Storage", + "AVD", + "ExpressRoute" ], - "severity": "High", - "subcategory": "High availability", - "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. 
One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Clients & Users", + "text": "Assess external dependencies for each Host Pool", + "waf": "Performance" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD offers a variety of client types (fat, thin, web) to connect over different platforms (Windows, MacOS, iOS, Android). Review limitations of each client and compare multiple options when possible.", + "guid": "a1f6d565-99e5-458b-a37d-4985e1112dbd", + "link": "https://learn.microsoft.com/azure/virtual-desktop/users/connect-windows", "services": [ - "SAP", - "LoadBalancer", - "ASR" + "AVD" ], - "severity": "High", - "subcategory": "High availability", - "text": "Make sure the Floating IP is enabled on the Load balancer", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Clients & Users", + "text": "Review user client OS used and AVD client type", + "waf": "Performance" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + 
"description": "Depending on the user locations, and AVD region deployment, users may have a non-optimal experience, hence is important to test as soon as possible in a small PoC environment. Run the 'Azure Virtual Desktop Experience Estimator' tool to select the best Azure region to deploy Host Pools. Beyond 150ms latency, user experience may be not optimal.", + "guid": "d2f54b29-769e-43a6-a1e8-838ac936667e", + "link": "https://azure.microsoft.com/services/virtual-desktop/assessment/", "services": [ - "SAP", - "ASR" + "AVD" ], "severity": "High", - "subcategory": "High availability", - "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "subcategory": "Clients & Users", + "text": "Run a PoC to validate end-to-end user experience and impact of network latency", + "waf": "Performance" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "RDP settings can currently only be configured at the host pool level, not per user/group. 
If different settings are required for different set of users, it is recommended to create multiple Host Pools.", + "guid": "3b365a5c-7acb-4e48-abe5-4cd79f2e8776", + "link": "https://docs.microsoft.com/azure/virtual-desktop/customize-rdp-properties", "services": [ - "SAP", - "ASR", - "VM", - "Entra" + "AVD" ], - "severity": "High", - "subcategory": "High availability", - "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Clients & Users", + "text": "Assess and document RDP settings for all user groups", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD is a non-regional service, Host Pools can be created in any region, automatic redirection from closest front-end will happen automatically.", + "guid": "42e52f47-21d9-428c-8b1b-d521e44a29a9", + "link": "https://azure.microsoft.com/global-infrastructure/services/?products=virtual-desktop", "services": [ - "RBAC", - "VM", - "ASR", - "Entra", - "SAP" + "AVD" ], "severity": "High", - "subcategory": "High availability", - "text": "Do not mix servers of different roles in the same availability set. 
Keep central services VMs, database VMs, application VMs in their own availability sets", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "subcategory": "General", + "text": "Determine in which Azure regions AVD Host Pools will be deployed.", + "waf": "Performance" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD must store metadata to support the service; this is stored in the specified geography. However, this is independent of the regions where Host Pools are located.", + "guid": "bad37ead-53cc-47ce-8d7a-aab3571449ab", + "link": "https://docs.microsoft.com/azure/virtual-desktop/data-locations", "services": [ - "SAP", - "ASR" + "AVD" ], "severity": "Medium", - "subcategory": "High availability", - "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "subcategory": "General", + "text": "Determine metadata location for AVD service", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "category": "Foundation", + "checklist": "Azure Virtual Desktop Review", + "description": "Check for specific VM SKUs, especially if you need GPU or high-specs SKUs, and eventually Azure NetApp Files if used.", + "guid": "8053d89e-89dc-47b3-9be2-a1a27f7a9e91", + "link": 
"https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "services": [ - "SAP", + "Storage", "VM", - "ASR" + "AVD" ], - "severity": "High", - "subcategory": "High availability", - "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. The default number of fault domains is two, and you can't change it online later.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "severity": "Low", + "subcategory": "General", + "text": "Check Azure quotas and availability for specific VM sizes and types in the selected regions", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "AD DCs in Azure are recommended (at least two in different AZ) to reduce latency for users logging into AVD session hosts, and eventually for Azure NetApp Files and AD integration. A DC need to be able to talk to DCs for ALL child domains. 
As alternative, on-premise connectivity must be used to reach AD DCs.", + "guid": "c14aea7e-65e8-4d9a-9aec-218e6436b073", + "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", "services": [ - "SAP", - "ASR", - "Entra" + "Entra", + "Storage", + "VNet", + "AVD" ], - "severity": "High", - "subcategory": "High availability", - "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", + "severity": "Medium", + "subcategory": "Active Directory", + "text": "Create at least two Active Directory Domain Controllers (DCs) in Azure VNet environment close to AVD Host Pool", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Recommended to create a separate OU per Host Pool under a separate OU hierarchy. These OUs will contain machine accounts of AVD Session Hosts. ", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace", "services": [ - "SAP", - "ACR", - "ASR" + "Entra", + "AVD" ], - "severity": "High", - "subcategory": "High availability", - "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Active Directory", + "text": "Create a specific OU in Active Directory for each Host Pool", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Carefully review, and potentially block/filter inheritance of GPOs to the OUs containing AVD Host Pools. ", + "guid": "7126504b-b47a-4393-a080-327294798b15", + "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy", "services": [ - "SAP", - "ASR", - "Entra" + "Entra", + "AVD" ], - "severity": "High", - "subcategory": "High availability", - "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Active Directory", + "text": "Review Domain GPOs that will be applied to OU and impacting Host Pool Session Hosts functionalities", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "If Active Directory Domain GPOs are used, it is recommended to configure FSLogix using the built-in provided GPO ADMX template referenced in the companion article in 
the 'More Info' column", + "guid": "2226a8e3-50a4-4ac3-8bd6-ee150553051f", + "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates", "services": [ - "SAP", - "ASR", - "VM", - "Entra" + "Entra", + "AVD" ], "severity": "Medium", - "subcategory": "High availability", - "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "subcategory": "Active Directory", + "text": "Configure FSLogix settings using the built-in provided GPO ADMX template", + "waf": "Operations" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "It is recommended to have a specific dedicated account with minimal permissions, and without the default 10 joins limitation. Review the companion article for more details.", + "guid": "347dc560-28a7-41ff-b1cd-15dd2f0d5e77", + "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts", "services": [ - "SAP", - "Storage", + "Entra", "VM", - "ASR" + "AVD" ], "severity": "Medium", - "subcategory": "High availability", - "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", - "waf": "Reliability" + "subcategory": "Active Directory", + "text": "Create a dedicated user account with only permissions to join VM to the domain", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Avoid granting access per user, instead use AD groups and replicate them using Active Directory Connector (ADC) in Microsoft Entra ID (former Azure AD). ", + "guid": "2d41e361-1cc5-47b4-a4b1-410d43958a8c", + "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups", "services": [ - "SAP", - "ASR" + "Entra", + "AVD" ], "severity": "Medium", - "subcategory": "High availability", - "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "subcategory": "Active Directory", + "text": "Create a domain user group for each set of users that will be granted access to each Host Pool Application Group (DAG or RAG)", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "If Azure Files Active Directory (AD) integration is used, as part of the configuration procedure, an AD account 
to represent the storage account (file share) will be created. You can choose to register as a computer account or service logon account, see FAQ for details. For computer accounts, there is a default password expiration age set in AD at 30 days. Similarly, the service logon account may have a default password expiration age set on the AD domain or Organizational Unit (OU). For both account types, we recommend you check the password expiration age configured in your AD environment and plan to update the password of your storage account identity of the AD account before the maximum password age. You can consider creating a new AD Organizational Unit (OU) in AD and disabling password expiration policy on computer accounts or service logon accounts accordingly.", + "guid": "2289b3d6-b57c-4fc6-9546-1e1a3e3453a3", + "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable", "services": [ - "SAP", + "Entra", "Storage", - "ASR" + "AVD", + "AzurePolicy" ], "severity": "High", - "subcategory": "Storage", - "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. 
At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Reliability" + "subcategory": "Active Directory", + "text": "Review your organization password expiration policy for accounts used by Azure Files AD integration", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "You can configure this using Active Directory Connect (ADC) or Azure AD Domain Services (for hybrid or cloud organizations). Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).", + "guid": "5119bf8e-8f58-4542-a7d9-cec166cd072a", + "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "services": [ - "SAP", - "Storage", - "ASR" + "Entra", + "AVD" ], "severity": "High", - "subcategory": "Storage", - "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "subcategory": "Active Directory", + "text": "A Windows Server Active Directory forest/domain must be in sync with Microsoft Entra ID", "waf": "Reliability" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "If Azure Files is used and pre-requisites can be satisfied, it is recommended to configure (Microsoft Entra ID) Kerberos authentication. This configuration will allow to store FSLogix profiles that can be accessed by hybrid user identities from Azure AD-joined session hosts without requiring network line-of-sight to domain controllers.", + "guid": "e777fd5e-c5f1-4d6e-8fa9-fc210b88e338", + "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable", "services": [ - "SAP", + "Entra", "Storage", - "ASR" + "AVD" ], - "severity": "High", - "subcategory": "Storage", - "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Microsoft Entra ID", + "text": "Configure Azure Files share for Microsoft Entra ID (former Azure AD) Kerberos authentication on Microsoft Entra ID Joined scenario", + "waf": "Security" }, { - "category": "Business Continuity and Disaster Recovery", - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "An Azure subscription must be parented to the same Microsoft Entra ID (former Azure AD) tenant, that contains a virtual network that either contains or is connected to the Windows Server Active Directory Domain Services or Microsoft Entra ID Domain Services instance.", + "guid": "6ceb5443-5125-4922-9442-93bb628537a5", + "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "services": [ - "SAP", - "Storage", - "ASR" + "Entra", + "VNet", + "AVD", + "Subscriptions" ], "severity": "High", - "subcategory": "Storage", - "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", + "subcategory": "Requirements", + "text": "A Microsoft Entra ID tenant must be available with at least one subscription linked", "waf": "Reliability" }, { - "category": "Cost Optimization", - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", - "services": [ - "SAP", - "Cost" - ], - "severity": "Medium", - "subcategory": " ", - "text": "Automate SAP System Start-Stop to manage costs.", - "waf": "Cost" - }, - { - "category": "Cost Optimization", - "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Virtual Desktop supports different types of identities depending on which configuration you choose. Please review the supported scenarios mentioned in the 'More Info' article and document the design decision accordingly in the 'Comment' column. Critically, external identities (B2B or B2C) are not supported. Be sure to review also the list of supported scenarios in https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios.", + "guid": "b4ce4781-7557-4a1f-8043-332ae199d44c", + "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication", "services": [ - "SAP", - "Storage", - "Cost", - "VM" + "Entra", + "AVD" ], - "severity": "Low", - "subcategory": " ", - "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. 
However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", - "waf": "Cost" + "severity": "High", + "subcategory": "Requirements", + "text": "Review and document your identity scenario", + "waf": "Security" }, { - "category": "Cost Optimization", - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Users need accounts that are in Microsoft Entra ID (former Azure AD). If you're also using AD DS or Azure AD Domain Services in your deployment of Azure Virtual Desktop, these accounts will need to be hybrid identities, which means the user accounts are synchronized. If you're using Microsoft Entra ID with AD DS, you'll need to configure Azure AD Connect to synchronize user identity data between AD DS and Microsoft Entra ID. If you're using Microsoft Entra ID with Azure AD Domain Services, user accounts are synchronized one way from Microsoft Entra ID to Azure AD Domain Services. This synchronization process is automatic. AVD also supports Microsoft Entra ID native accounts with some restrictions. External identities (B2B or B2C) are not supported.", + "guid": "f9b141a8-98a5-435e-9378-97e71ca7da7b", + "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "services": [ - "SAP", - "Storage", - "Cost", - "VM" + "Entra", + "AVD" ], - "severity": "Low", - "subcategory": " ", - "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Requirements", + "text": "Assess User Account types and requirements", + "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD supports SSO using either Active Directory Federation Services (AD FS) or Microsoft Entra ID (former Azure AD) authentication. The latter is recommended, please check the requirements and limitation in the 'More Info' article. Using AD FS could be a viable choice if already present in the customer environment, it is not recommended to deploy a brand new ADFS infrastructure just for AVD SSO implementation.", + "guid": "5f9f680a-ba07-4429-bbf7-93d7071561f4", + "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso", "services": [ - "RBAC", - "SAP", "Entra", - "Subscriptions" + "AVD" ], - "severity": "High", - "subcategory": "Identity", - "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Security" + "severity": "Medium", + "subcategory": "Requirements", + "text": "If Single-Sign On (SSO) is a requirement, review the supported scenarios and prerequisites", + "waf": "Reliability" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": 
"SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "VMs can be Windows Active Directory (AD) domain-joined, Hybrid AD-joined, Microsoft Entra ID (former Azure AD) Joined or Azure AD Domain Services joined. Be sure to review supported scenarios, limitations and requirements from the referenced article.", + "guid": "ea962a15-9394-46da-a7cc-3923266b2258", + "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "services": [ - "SAP", - "Entra" + "Entra", + "VM", + "AVD" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "severity": "High", + "subcategory": "Requirements", + "text": "Select the proper AVD Session Host domain join type", "waf": "Security" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "category": "Identity", + "checklist": "Azure Virtual Desktop Review", + "description": "Compare self-managed Windows Active Directory Domain Services, Microsoft Entra ID (former Azure AD), and managed Azure AD Domain Services (AAD-DS)", + "guid": "6f4a1651-bddd-4ea8-a487-cdeb4861bc3b", + "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions", "services": [ - "SAP", - "Entra" + "Entra", + "AVD" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD 
using SAML.", - "waf": "Security" + "severity": "Low", + "subcategory": "Requirements", + "text": "Before using Azure AD Domain Services (AAD-DS) for AVD, be sure to review the limitations.", + "waf": "Reliability" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD provides administrative templates for Intune and Active Directory GPO. Using these templates it is possible to centrally control several AVD configuration settings: Graphics related data logging, Screen capture protection, RDP Shortpath for managed networks, Watermarking. See companion article in 'More Info' colum for details. NOTE: FSLogix has its own separate template.", + "guid": "5549524b-36c0-4f1a-892b-ab3ca78f5db2", + "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template", "services": [ - "SAP", - "Entra" + "Entra", + "AVD", + "Monitor" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "Security" + "severity": "Low", + "subcategory": "Management", + "text": "Use built-in provided administrative templates for AVD settings configuration", + "waf": "Operations" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Determine if a configuration management tool is already in place to manage Host Pool VM configuration 
after initial deployment, For example SCCM/SCOM, Intune/ConfigurationManager, 3rd-party solutions.", + "guid": "3334fdf9-1c23-4418-8b65-285269440b4b", + "link": "https://learn.microsoft.com/azure/virtual-desktop/management", "services": [ - "SAP", - "Entra" + "VM", + "AVD", + "Monitor" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", - "waf": "Security" + "severity": "Low", + "subcategory": "Management", + "text": "Plan AVD Session Hosts configuration management strategy", + "waf": "Operations" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "We recommend using Microsoft Intune, if requirements can be satisfied, to manage your Azure Virtual Desktop environment. Review supported scenarios and requirements to enable Intune for AVD Session Host management in the referenced article in the “More Info” column. Document your choice in the 'Comment' column. 
In that article, review the different requirements and capabilities for single-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop and multi-session https://learn.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session AVD.", + "guid": "63a08be1-6004-4b4a-a79b-f3239faae113", + "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop", "services": [ - "SAP", - "Entra" + "AVD", + "Monitor" ], "severity": "Medium", - "subcategory": "Identity", - "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "Security" + "subcategory": "Management", + "text": "Evaluate Intune for AVD Session Hosts management", + "waf": "Operations" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "The scaling tool provides a low-cost automation option for customers who want to optimize their session host VM costs. You can use the scaling tool to schedule VMs to start and stop based on Peak and Off-Peak business hours, scale out VMs based on number of sessions per CPU core, scale in VMs during Off-Peak hours, leaving the minimum number of session host VMs running. 
Not available yet for Personal Host Pool type.", + "guid": "7138b820-102c-4e16-be30-1e6e872e52e3", + "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios", "services": [ - "SAP", - "AKV", - "Entra" + "VM", + "AVD", + "Cost", + "Monitor" ], "severity": "Medium", - "subcategory": "Identity", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", - "waf": "Security" + "subcategory": "Management", + "text": "Assess the requirements for host pool auto-scaling capability", + "waf": "Reliability" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Start VM On Connect lets you reduce costs by enabling end users to turn on their session host virtual machines (VMs) only when they need them. You can then turn off VMs when they're not needed. You can configure Start VM on Connect for personal or pooled host pools using the Azure portal or PowerShell. 
Start VM on Connect is a host pool wide setting.", + "guid": "55f612fe-f215-4f0d-a956-10e7dd96bcbc", + "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect", "services": [ - "SAP", - "AKV", - "Entra" + "VM", + "AVD", + "Cost", + "Monitor" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "waf": "Security" + "severity": "Low", + "subcategory": "Management", + "text": "Consider the usage of Start VM on Connect for Personal Host Pools", + "waf": "Cost" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "'Start VM On Connect' provides a smart way to automatically start previously stopped Session Hosts but does not provide a mechanism to shut down when not in used. Administrators are encouraged to configure additional policies to sign users out of their sessions and run Azure automation scripts to de-allocate VMs. 
Users should be not allowed to shut down their Personal Hosts since will not be able to de-allocate Azure VMs, then billing will still be active with no cost reduction.", + "guid": "79a686ea-d971-4ea0-a9a8-1aea074c94cb", + "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them", "services": [ - "SAP", - "Entra" + "VM", + "AVD", + "AzurePolicy", + "Monitor", + "Cost" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", - "waf": "Security" + "severity": "Low", + "subcategory": "Management", + "text": "Evaluate the implementation of an ad-hoc mechanism to shut down Personal AVD Session Hosts", + "waf": "Cost" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Virtual Desktop billing is mainly based on cost associated to compute, networking and storage resources consumed by Host Pools. In addition to this, costs can be generated by dependent resources, for example VPN or ExpressRoute or vWAN, Active Directory Domain Controllers, DNS, etc. There is no direct cost associated to AVD objects like workspaces, host pools or application groups. To make AVD associated costs more evident and grouped by Host Pool, it is recommended to use 'cm-resource-parent' tag. 
", + "guid": "51bcafca-476a-48fa-9b91-9645a7679f20", + "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources", "services": [ - "SAP", - "Entra" + "Storage", + "DNS", + "AVD", + "VPN", + "Monitor", + "Cost", + "ExpressRoute", + "VWAN" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO to SAP HANA", - "waf": "Security" + "severity": "Low", + "subcategory": "Management", + "text": "Review and adopt suggested Azure Tags for Azure Virtual Desktop", + "waf": "Cost" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Advisor analyzes your configurations and telemetry to offer personalized recommendations to solve common problems. With these recommendations, you can optimize your Azure resources for reliability, security, operational excellence, performance, and cost.", + "guid": "611dd68c-5a4b-4252-8e44-a59a9c2399c4", + "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations", "services": [ - "SAP", - "Entra" + "Entra", + "Cost", + "AVD", + "Monitor" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. 
For more information, see Integrating the Service with Azure AD.", - "waf": "Security" + "severity": "Low", + "subcategory": "Management", + "text": "Periodically check Azure Advisor recommendations for AVD", + "waf": "Operations" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Customers have several options: Microsoft Configuration Manager, this article explains how to automatically apply updates to a Azure Virtual Desktop session hosts running Windows 10/11: https://learn.microsoft.com/azure/virtual-desktop/configure-automatic-updates, Microsoft Intune: https://docs.microsoft.com/mem/intune/fundamentals/windows-virtual-desktop-multi-session, Azure Update Management and WSUS for Windows Server OS only (client OS not supported: https://learn.microsoft.com/azure/automation/update-management/operating-system-requirements), 3rd Party tools. 
Outside an emergency security patching situation, it is recommended to move away from an 'in-place' update strategy patching strategy and adopt a re-imaging approach.", + "guid": "04722da2-9c2b-41cd-922f-54b29bade3aa", + "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session", "services": [ - "SAP", - "Entra" + "AVD", + "Monitor" ], "severity": "Medium", - "subcategory": "Identity", - "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", - "waf": "Security" + "subcategory": "Management", + "text": "Plan for a Session Host emergency patching and update strategy", + "waf": "Operations" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "The Scheduled Agent Updates feature lets you create up to two maintenance windows per Host Pool to update AVD components at a convenient time. It is recommended to specify maintenance windows then upgrading Session Hosts will not happen during peak business hours. Scheduled Agent Updates is disabled by default. This means that, unless you enable this setting, the agent can get updated at any time by the agent update flighting service.", + "guid": "c067939b-e5ca-4698-b9ce-3bd91843e73f", + "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates", "services": [ - "SAP", - "Entra" + "AVD", + "Monitor" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. 
This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", - "waf": "Security" + "severity": "Low", + "subcategory": "Management", + "text": "Configure the Scheduled Agent Updates feature", + "waf": "Reliability" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop environment. We highly recommend you create a validation host pool where service updates are applied first. This allows you to monitor service updates before the service applies them to your standard or non-validation environment.", + "guid": "d1e8c38e-c936-4667-913c-005674b1e944", + "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool", "services": [ - "SAP", - "Entra" + "VM", + "AVD", + "Monitor" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Implement SSO to SAP BTP", - "waf": "Security" + "subcategory": "Management", + "text": "Create a validation (canary) Host Pool", + "waf": "Operations" }, { - "category": "Identity and Access", - "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "An AVD Host Pool can be deployed in several ways: Azure Portal, ARM templates, Azure CLI tool, Powershell, manual VM creation with registration token, Terraform, 3rd-party tools. 
It is important to adopt proper method/s to support automatic deployment through automation and CI/CD tools.", + "guid": "a459c373-e7ed-4616-83b3-65a917ecbe48", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops", "services": [ - "SAP", - "Entra" + "VM", + "AVD", + "Monitor" ], "severity": "Medium", - "subcategory": "Identity", - "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.", - "waf": "Security" + "subcategory": "Management", + "text": "Determine Host Pool deployment strategy", + "waf": "Operations" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "After you register a VM to a host pool within the Azure Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. 
Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components.", + "guid": "ebe54cd7-df2e-48bb-ac35-81559bb9153e", + "link": "https://docs.microsoft.com/azure/virtual-desktop/faq", "services": [ - "SAP", - "AzurePolicy", - "Subscriptions" + "VM", + "AVD", + "Monitor" ], "severity": "Medium", - "subcategory": "Subscriptions", - "text": "enforce existing Management Group policies to SAP Subscriptions", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "subcategory": "Management", + "text": "Turn on Session Host VMs at least every 90 days for token refresh", "waf": "Operations" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. 
Read the referenced article to learn how to set up Azure Monitor for Azure Virtual Desktop to monitor your AVD environments.", + "guid": "63cfff1c-ac59-49ef-8d5a-83dd4de36c1c", + "link": "https://learn.microsoft.com/azure/virtual-desktop/insights", "services": [ - "SAP", - "Subscriptions" + "AVD", + "Monitor" ], "severity": "High", - "subcategory": "Subscriptions", - "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "Operations" + "subcategory": "Monitoring", + "text": "Enable monitoring for AVD", + "waf": "Reliability" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "Azure Virtual Desktop uses Azure Monitor and Log Analytics for monitoring and alerts like many other Azure services. This lets admins identify issues through a single interface. The service creates activity logs for both user and administrative actions. Each activity log falls under the following categories: Management, Feed, Connections, Host Registration, Errors, Checkpoints. ", + "guid": "81770afb-c4c0-4e43-a186-58d2857ed671", + "link": "https://docs.microsoft.com/azure/virtual-desktop/diagnostics-log-analytics", "services": [ - "SAP", - "Subscriptions" + "VM", + "AVD", + "Monitor" ], - "severity": "High", - "subcategory": "Subscriptions", - "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Enable diagnostic settings for Workspaces, Host Pools, Application Groups and Host VMs to Log Analytics workspace", + "waf": "Reliability" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "See the referenced article and this additional one to setup proper monitoring and alerting for storage: https://docs.microsoft.com/azure/storage/files/storage-troubleshooting-files-performance. ", + "guid": "2463cffe-179c-4599-be0d-5973dd4ce32c", + "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal", "services": [ - "SAP", - "VM", - "Subscriptions" + "Storage", + "AVD", + "Monitor" ], - "severity": "High", - "subcategory": "Subscriptions", - "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Create alerts on the profile storage to be alerted in case of high usage and throttling", + "waf": "Reliability" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", + "category": "Monitoring and Management", + "checklist": "Azure Virtual Desktop Review", + "description": "You can use Azure Service Health to monitor service issues and health advisories for Azure Virtual Desktop. Azure Service Health can notify you with different types of alerts (for example, email or SMS), help you understand the effect of an issue, and keep you updated as the issue resolves.", + "guid": "18813706-f7c4-4c0d-9e51-4548d2457ed6", + "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts", "services": [ - "SAP", - "Subscriptions" + "AVD", + "Monitor" ], - "severity": "Low", - "subcategory": "Subscriptions", - "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. 
Consider using it if necessary.", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Configure Azure Service Health for AVD alerts ", + "waf": "Reliability" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "If required to connect to on-premises environment, assess the current connectivity option or plan for the required connectivity (ExpressRoute, Azure S2S or 3rd-party NVA VPN). ", + "guid": "dd399cfd-7b28-4dc8-9555-6202bfe4563b", + "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "services": [ - "SAP", - "VM", - "Subscriptions" + "VPN", + "AVD", + "NVA", + "ExpressRoute" ], - "severity": "High", - "subcategory": "Subscriptions", - "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Networking", + "text": "Determine if hybrid connectivity is required to connect to on-premises environment", + "waf": "Reliability" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD Host Pools can be deployed in either Azure Virtual WAN or traditional 'Hub & Spoke' network topologies. 
It is recommended to deploy each Host Pool in a separate 'spoke' VNet, using 'hub' is not recommended.", + "guid": "c8639648-a652-4d6c-85e5-02965388e5de", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity", "services": [ - "SAP", - "Subscriptions" + "VNet", + "AVD", + "VWAN" ], - "severity": "High", - "subcategory": "Subscriptions", - "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", - "waf": "Operations" + "severity": "Medium", + "subcategory": "Networking", + "text": "Determine Azure Virtual Network (VNet) placement for each AVD Host Pool", + "waf": "Performance" }, { - "category": "Management Group and Subscriptions", - "checklist": "SAP Checklist", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Evaluate the bandwidth requirements, ensure VPN/ER bandwidth will be enough, ensure proper routing and firewall rules are in place, test end-to-end latency. 
", + "guid": "d227dd14-2b06-4c21-a799-9a646f4389a7", + "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/", "services": [ - "SAP", - "Cost", - "Subscriptions", - "TrafficManager" + "VPN", + "AVD" ], "severity": "Medium", - "subcategory": "Subscriptions", - "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "subcategory": "Networking", + "text": "Assess which on-premises resources are required from AVD Host Pools", + "waf": "Reliability" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Several options are available. You can use Azure Firewall or equivalent 3rd-party NVA, Network Security Group (NSG) and/or Proxy servers. NSG is not able to enable/disable by URL, only ports and protocols. Proxy should be used only as explicit setting in user browser. Details on using Azure Firewall Premium with AVD are reported in the companion article in the 'More Info' column. Be sure to allow proper access to required AVD URLs. 
Forced Tunneling to on-premises is not recommended.", + "guid": "fc4972cd-3cd2-41bf-9703-6e5e6b4bed3d", + "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", + "services": [ + "VNet", + "AVD", + "NVA", + "Firewall" + ], + "severity": "Medium", + "subcategory": "Networking", + "text": "Need to control/restrict Internet outbound traffic for AVD hosts?", + "waf": "Security" + }, + { + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Required URLs for AVD control plane access by session hosts are documented here: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list. A check tool is available to verify connectivity from the session hosts: https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#required-url-check-tool. Forced Tunneling to on-premises is not recommended.", + "guid": "65c7acbe-45bb-4e60-ad89-f2e87778424d", + "link": "https://docs.microsoft.com/azure/virtual-desktop/safe-url-list", "services": [ - "SAP", - "Monitor", - "Backup" + "AVD" ], "severity": "High", - "subcategory": "BCDR", - "text": "Help protect your HANA database by using the Azure Backup service.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "subcategory": "Networking", + "text": "Ensure AVD control plane endpoints are accessible", "waf": "Reliability" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Consider the usage of Azure Defender Endpoint or similar 3rd-party agents to control user web navigation, see the Security section for more details.", + "guid": "73676ae4-6691-4e88-95ad-a42223e13810", + "link": 
"https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide", "services": [ - "Storage", - "Monitor", - "VM", - "Entra", - "SAP" + "AVD", + "Defender" ], "severity": "Medium", - "subcategory": "BCDR", - "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.", - "waf": "Reliability" + "subcategory": "Networking", + "text": "Need to control/restrict Internet outbound traffic only for users on AVD hosts? ", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Custom UDR and NSG can be applied to AVD Host Pool subnets, for example to redirect to Azure Firewall or NVA, or to filter/block network traffic. In this case is recommended to carefully review to ensure optimal path for outbound traffic to AVD control plane is used. 
Service Tags can now be used with UDR and NSG, then AVD management plane traffic can be easily allowed: https://learn.microsoft.com/azure/virtual-desktop/safe-url-list.", + "guid": "523181a9-4174-4158-93ff-7ae7c6d37431", + "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "services": [ - "SAP", - "Monitor" + "VNet", + "AVD", + "NVA", + "Firewall" ], - "severity": "High", - "subcategory": "Management", - "text": "Ensure time-zone matches between the operating system and the SAP system.", - "waf": "Operations" + "severity": "Low", + "subcategory": "Networking", + "text": "Review custom UDR and NSG for AVD Host Pool subnets", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Network traffic from AVD Session Host VMs to AVD control plane should be as direct as possible. Redirecting this traffic through a Proxy or Firewall with deep packet inspection and/or SSL termination could cause serious issues and bad customer experience. It is recommended to bypass Proxy and Firewall just for the AVD control plane. User generated traffic surfing the web instead, should be filtered by Firewall and/or redirected to a Proxy. For details and guidelines, please see the companion article in the 'More Info' column.", + "guid": "cc6edca0-aeca-4566-9e92-cf246f1465af", + "link": "https://learn.microsoft.com/azure/virtual-desktop/proxy-server-support", "services": [ - "SAP", - "Monitor", - "Entra" + "VM", + "AVD" ], - "severity": "Medium", - "subcategory": "Management", - "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "severity": "High", + "subcategory": "Networking", + "text": "Do not use Proxy servers, SSL termination and Deep Packet Inspection for AVD control plane traffic", "waf": "Reliability" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "It is recommended to assess and review networking bandwidth requirements for users, based on the specific workload type. The referenced article provide general estimations and recommendations, but specific measure are required for proper sizing. ", + "guid": "516785c6-fa96-4c96-ad88-408f372734c8", + "link": "https://learn.microsoft.com/azure/virtual-desktop/rdp-bandwidth", "services": [ - "SAP", - "Monitor", - "Cost" + "VM", + "AVD" ], "severity": "Low", - "subcategory": "Management", - "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.", - "waf": "Cost" + "subcategory": "Networking", + "text": "Check the network bandwidth required for each user and in total for the VM SKU", + "waf": "Performance" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "If Azure Files SMB share will be used to store user profiles via FSLogix, the usage of Private Endpoint (PE) for private access to the storage is recommended. 
AVD Session Hosts will access the storage using a private IP in the same VNet, a separate subnet is recommended. This feature has an additional cost that must be evaluated. If PE will not be used, at least Service Endpoint is recommended (no cost associated).", + "guid": "ec27d589-9178-426d-8df2-ff60020f30a6", + "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints", "services": [ - "SAP", - "Monitor", - "Entra" + "PrivateLink", + "Storage", + "AVD", + "VNet", + "Cost" ], "severity": "Medium", - "subcategory": "Management", - "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.", - "waf": "Operations" + "subcategory": "Networking", + "text": "Evaluate usage Private Endpoint for Azure Files share", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", - "service": "SAP", + "category": "Networking", + "checklist": "Azure Virtual Desktop Review", + "description": "Connections to Azure Virtual Desktop can use TCP or UDP. RDP Shortpath is a feature of AVD that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. 
if clients have line of sight to AVD session hosts from internal network (VPN usage is not recommended), this feature can provide lower latency and best performances as explained in https://learn.microsoft.com/azure/virtual-desktop/rdp-shortpath?tabs=managed-networks#key-benefits.", + "guid": "b2074747-d01a-4f61-b1aa-92ad793d9ff4", + "link": "https://docs.microsoft.com/azure/virtual-desktop/shortpath", "services": [ - "SAP", - "Monitor", - "VM" + "VPN", + "AVD" ], "severity": "Medium", - "subcategory": "Management", - "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", - "waf": "Operations" - }, - { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", - "services": [ - "SAP", - "Monitor" - ], - "severity": "Low", - "subcategory": "Management", - "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). 
Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", - "waf": "Operations" + "subcategory": "Networking", + "text": "Evaluate usage of RDP ShortPath for clients connecting from managed internal networks", + "waf": "Performance" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Security mechanisms provided by GPO should be used, if available. For example, it is possible to impose desktop screen lock and idle session disconnection time. Existing GPOs applied to on-premises environment should be reviewed and eventually applied also to secure also AVD Hosts when joined to the domain.", + "guid": "a135e337-897e-431c-97d6-8cb6a22ac19f", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#establish-maximum-inactive-time-and-disconnection-policies", "services": [ - "SAP", - "SQL", - "Monitor" + "AVD" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Operations" + "subcategory": "Active Directory", + "text": "Review Active Directory GPO to secure RDP sessions", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Microsoft Defender for Endpoint supports Azure Virtual Desktop for Windows 10/11 Enterprise multi-session. Check article for onboarding non-persistent virtual desktop infrastructure (VDI) devices: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi", + "guid": "b1172576-9ef6-4691-a483-5ac932223ece", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus", "services": [ - "SAP", - "Monitor", - "VM", - "Entra" + "AVD", + "Defender" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", - "waf": "Operations" + "subcategory": "Host Configuration", + "text": "Ensure anti-virus and anti-malware solutions are used", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Disks in Azure are already encrypted at rest by default with Microsoft managed keys. Host VM OS disk encryption is possible and supported using Azure Disk Encryption (ADE - BitLocker) and Disk Encryption Set (DES - Server Side Encryption), the latter is recommended. Encryption of FSLogix storage using Azure Files can be done using SSE on Azure Storage. For OneDrive encryption, see this article: https://docs.microsoft.com/compliance/assurance/assurance-encryption-for-microsoft-365-services.", + "guid": "0fd32907-98bc-4178-adc5-a06ca7144351", + "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", "services": [ - "SAP", - "AzurePolicy", - "Monitor" + "AKV", + "Storage", + "VM", + "AVD" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operations" + "severity": "Low", + "subcategory": "Host Configuration", + "text": "Assess disk encryption requirements for AVD Session Hosts", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Trusted launch are Gen2 Azure VMs with enhanced security features aimed to protect against “bottom of the stack” threats through attack vectors such as rootkits, boot kits, and kernel-level malware. Recommended to enable and leverage Secure Boot, Virtual TPM (vTPM) and Integrity Monitoring.", + "guid": "36a5a67f-bb9e-4d5b-9547-8c4479816b28", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#azure-virtual-desktop-support-for-trusted-launch", "services": [ - "SAP", - "Monitor", - "NetworkWatcher" + "VM", + "AVD", + "Monitor" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. 
Or collect and display network latency measurements by using Azure Monitor.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", - "waf": "Operations" + "subcategory": "Host Configuration", + "text": "Enable Trusted launch in Azure Gen2 VM Session Hosts", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Trusted Launch and Gen2 VM are not only security and performance enhancing features but also system requirements for Windows 11. When building an AVD environment based on Windows 11, it is essential to enable these features.", + "guid": "135d3899-4b31-44d3-bc8f-028871a359d8", + "link": "https://learn.microsoft.com/windows/whats-new/windows-11-requirements", "services": [ - "SAP", - "Monitor", - "VM" + "VM", + "AVD" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.", - "waf": "Operations" + "severity": "High", + "subcategory": "Host Configuration", + "text": "Enable Trusted Launch and use Gen2 image are system requirements for Windows 11", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Displayed content will be automatically blocked or hidden in screenshots. 
Keep in mind screen sharing will also be blocked when using Teams or other collaboration software which use screen sharing.", + "guid": "a49dc137-7896-4343-b2bc-1a31bf1d30b6", + "link": "https://learn.microsoft.com/azure/virtual-desktop/screen-capture-protection", "services": [ - "SAP", - "Monitor", - "Subscriptions" + "AVD" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.", - "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "waf": "Performance" + "severity": "Low", + "subcategory": "Host Configuration", + "text": "Consider enabling screen capture protection to prevent sensitive information from being captured", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "If not absolutely required, redirecting drives, printers, and USB devices to a user's local device in a remote desktop session should be disabled or highly restricted. 
Restrict Windows Explorer access by hiding local and remote drive mappings is also a secure measure to adopt preventing users from discovering unwanted information about system configuration and users.", + "guid": "7ce2cd20-85b4-4f82-828e-6558736ede6a", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#other-security-tips-for-session-hosts", "services": [ - "SAP", - "Storage", - "Monitor", - "ASR" + "AVD" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", - "waf": "Reliability" + "subcategory": "Host Configuration", + "text": "Restrict device redirection and drive mapping", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a seamless experience as the user works with apps on their virtual desktop. 
RemoteApps reduce risk by only letting the user work with a subset of the remote machine exposed by the application.", + "guid": "4e25d70e-3924-44f4-b66f-d6cdd4f4a973", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "services": [ - "SAP", - "Sentinel", - "Monitor" + "AVD" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "subcategory": "Management", + "text": "When possible, prefer Remote Apps over Full Desktops (DAG)", "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Web content filtering feature provided by Web Protection capability in Microsoft Defender for Endpoint, can be used to to control user web navigation. If this tool is used, configuration of web filtering for user Internet browsing is recommended. 
Access by the Guest OS system to required AVD control plane URLs must be guaranteed.", + "guid": "e19dd344-29eb-4722-a237-a151c5bb4e4f", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "services": [ - "SAP", - "Monitor", - "Cost" + "AVD", + "Defender" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", - "waf": "Operations" + "subcategory": "Management", + "text": "Need to control/restrict user Internet navigation from AVD session hosts?", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "We recommend you don't grant your users admin access to virtual desktops. 
If you need software packages, we recommend you make them available through configuration management utilities.", + "guid": "a0cdb3b5-4eb2-4eb0-9dda-a3592718e2ed", + "link": "https://docs.microsoft.com/azure/virtual-desktop/security-guide", "services": [ - "SAP", - "Monitor", - "VM" + "AVD" ], - "severity": "Low", - "subcategory": "Performance", - "text": "Use inter-VM latency monitoring for latency-sensitive applications.", - "waf": "Performance" + "severity": "High", + "subcategory": "Management", + "text": "Ensure AVD users will not have local administrator privileges on AVD Hosts", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "We recommend you enable Defender for Cloud for the subscriptions, virtual machines, key vaults, and storage accounts used by AVD. 
With this tool is possible to assess and manage vulnerabilities, assess compliance with common frameworks like PCI, strengthen the overall security of your AVD environment and measure it over time using 'Secure Score': https://learn.microsoft.com/azure/virtual-desktop/security-guide#improve-your-secure-score.", + "guid": "1814387e-5ca9-4c26-a9b3-2ab5bdfc6998", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud", "services": [ - "SAP", - "Monitor", - "ASR" + "AKV", + "Storage", + "Defender", + "VM", + "AVD", + "Subscriptions" ], "severity": "Medium", - "subcategory": "Performance", - "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Reliability" + "subcategory": "Management", + "text": "Enable Microsoft Defender for Cloud to manage AVD Session Hosts security posture", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Enabling audit log collection lets you view user and admin activity related to Azure Virtual Desktop and store in a central repository like Log Analytics workspace. ", + "guid": "a0916a76-4980-4ad0-b278-ee293c1bc352", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs", "services": [ - "SAP", - "Storage", + "Entra", + "AVD", "Monitor" ], "severity": "Medium", - "subcategory": "Performance", - "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. 
Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", - "waf": "Performance" + "subcategory": "Management", + "text": "Enable diagnostic and audit logging", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Assign the least privilege required by defining administrative, operations, and engineering roles to Azure RBAC roles. To limit access to high privilege roles within your Azure Virtual Desktop landing zone, consider integration with Azure Privileged Identity Management (PIM). Maintaining knowledge of which team is responsible for each particular administrative area helps you determine Azure role-based access control (RBAC) roles and configuration.", + "guid": "baaab757-1849-4ab8-893d-c9fc9d1bb73b", + "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac", "services": [ - "SAP", - "Monitor" + "Entra", + "RBAC", + "AVD" ], "severity": "Low", - "subcategory": "Performance", - "text": "Consider collecting full database statistics for non-HANA databases after migration. 
For example, implement SAP note 1020260 - Delivery of Oracle statistics.", - "waf": "Performance" + "subcategory": "Management", + "text": "Assess the requirement to use custom RBAC roles for AVD management", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "AVD users should not have permission to install application. If required, Windows Defender Application Control (WDAC) can be used to control which drivers and applications are allowed to run on their Windows clients. ", + "guid": "b9ea80c8-0628-49fc-ae63-125aa4c0a284", + "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control", "services": [ - "SAP", - "Storage", - "Monitor" + "AVD", + "Defender" ], "severity": "Medium", - "subcategory": "Performance", - "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "Performance" + "subcategory": "Management", + "text": "Restrict users from installing un-authorized applications", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "Enabling MFA and CA lets you manage risks before you grant users access to your AVD environment. 
When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using. Additional details and configuration procedures are provided in the companion article. Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).", + "guid": "916d697d-8ead-4ed2-9bdd-186f1ac252b9", + "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa", "services": [ - "SAP", - "SQL", - "Monitor" + "Entra", + "AVD" ], "severity": "Medium", - "subcategory": "Performance", - "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "Performance" - }, - { - "category": "Management and Monitoring", - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "services": [ - "SAP", - "Monitor", - "ASR" - ], - "severity": "High", - "subcategory": "Reliability", - "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "waf": "Operations" + "subcategory": "Microsoft Entra ID", + "text": "Evaluate the usage of Multi-Factor Authentication (MFA) and Conditional Access (CA) for AVD users", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": 
"5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", + "category": "Security", + "checklist": "Azure Virtual Desktop Review", + "description": "If Zero Trust is a requirement, review the companion article in the 'More Info' column. It provides steps to apply the principles of Zero Trust to an Azure Virtual Desktop deployment.", + "guid": "221102d0-90af-49fc-b2b7-8d3fe397e43", + "link": "https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd", "services": [ - "SAP", - "AzurePolicy", - "AppGW", - "WAF" + "AVD" ], "severity": "Medium", - "subcategory": "App delivery", - "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "subcategory": "Zero Trust", + "text": "Review and Apply Zero Trust principles and guidance", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "If used, make sure to check the list of best practices and recommendations described in the referenced article.", + "guid": "9164e990-9ae2-48c8-9c33-b6b7808bafe6", + "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop", "services": [ - "DNS", - "SAP", - "VM" + "Storage", + "AVD" ], "severity": "Medium", - "subcategory": "DNS", - "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP 
landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operations" + "subcategory": "Azure Files", + "text": "Check best-practices for Azure Files", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "SMB Multichannel enables clients to use multiple network connections that provide increased performance while lowering the cost of ownership. 
Increased performance is achieved through bandwidth aggregation over multiple NICs and utilizing Receive Side Scaling (RSS) support for NICs to distribute the IO load across multiple CPUs.", + "guid": "5784b6ca-5e9e-4bcf-8b54-c95459ea7369", + "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance", "services": [ - "DNS", - "SAP", - "VNet" + "Storage", + "Cost", + "AVD", + "ACR" + ], + "severity": "Low", + "subcategory": "Azure Files", + "text": "Enable SMB multichannel when using a premium file share to host FSLogix profile containers.", + "waf": "Performance" + }, + { + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "If a second region is required for DR purposes verify NetApp availability in there as well.", + "guid": "4a359836-ee79-4d6c-9d3a-364a5b7abae3", + "link": "https://azure.microsoft.com/global-infrastructure/services/", + "services": [ + "Storage", + "AVD" ], "severity": "Medium", - "subcategory": "DNS", - "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operations" + "subcategory": "Azure NetApp Files", + "text": "If NetApp Files storage is required, check storage service availability in your specific region.", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "CA option is a recommended setting in the FSLogix scenario, as it enables a more resilient SMB session between the Session Host and NetApp Files.", + "guid": "a2661898-866a-4c8d-9d1f-8cfc86e88024", + "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container", "services": [ - "SAP", - "ACR", - "VNet" + "Storage", + "AVD" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "subcategory": "Azure NetApp Files", + "text": "If NetApp Files storage is used enable CA (Continuous Availability) option to increase resiliency", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "An Active Directory Site should be 
created for the Azure virtual network environment where Azure NetApp Files (ANF) subnet will be created, and that site name should be specified in the ANF connection property when executing the join procedure as explained in the reference article.", + "guid": "6647e977-db49-48a8-bc35-743f17499d42", + "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections", "services": [ - "SAP", - "NVA" + "Storage", + "VNet", + "AVD" ], "severity": "High", - "subcategory": "Hybrid", - "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", - "training": "https://me.sap.com/notes/2731110", - "waf": "Performance" + "subcategory": "Azure NetApp Files", + "text": "If Azure NetApp Files storage is used, check Active Directory Site name setting in the Active Directory Connection configuration", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Possible options: Standard HDD, Standard SSD, or Premium SSD. Ephemeral disks are not supported, Ultra-Disks not recommended. Recommended to evaluate Premium for OS disk if user density is not low, and if Cloud Cache will be used. ", + "guid": "3611c818-b0a0-4bc5-80e4-3a18a9cd289c", + "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types", "services": [ - "SAP", - "VWAN", - "ACR" + "Storage", + "AVD" ], "severity": "Medium", - "subcategory": "Hybrid", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "Operations" + "subcategory": "Capacity Planning", + "text": "Determine which type of managed disk will be used for the Session Hosts", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Possible options are: Azure NetApp Files, Azure Files, VM based File Server. File-server it is not recommended. Azure Files Premium typically a good starting point. NetApp usually required for large scale / high-performant environment. For a detailed comparison see the article in the 'More Info' column.", + "guid": "ed6b17db-8255-4462-b2ae-e4553afc8339", + "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "services": [ - "SAP", - "NVA", - "VNet" + "Storage", + "VM", + "AVD" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "Operations" + "severity": "High", + "subcategory": "Capacity Planning", + "text": "Determine which storage backend solution will be used for FSLogix Profiles", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Every Host Pool should use a separate set of storage accounts/volumes (at least one) and shares. Users should have a different profile for each Host Pool since settings and configurations are specific to each Host Pool. Additionally, accessing different Host Pools at the same time can cause errors on the shared user profile VHD/X. Usage of different storage accounts/volumes for multiple shares is also recommended to scale independently.", + "guid": "2fad62bd-5004-453c-ace4-64d862e7f5a4", + "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "services": [ - "SAP", - "VWAN", - "NVA", - "VNet" + "Storage", + "AVD" ], - "severity": "Medium", - "subcategory": "Hybrid", - "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "Operations" + "severity": "High", + "subcategory": "Capacity Planning", + "text": "Do not share storage and profiles between different Host Pools", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "As a starting point for estimating profile container storage performance requirements we recommend to assume 10 IOPS per user in the steady state and 50 IOPS per user during sign-in/sign-out. Space requirements is simply obtained based on the maximum profiles size in FSLogix per the total number of users for each Host Pool. 
Multiple storage accounts can be used for the same Host Pool if required.", + "guid": "680e7828-9c93-4665-9d02-bff4564b0d93", + "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-", "services": [ - "SAP", - "VNet", - "VM" + "Storage", + "AVD" ], "severity": "High", - "subcategory": "IP plan", - "text": "Public IP assignment to VM running SAP Workload is not recommended.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Security" + "subcategory": "Capacity Planning", + "text": "Verify storage scalability limits and Host Pool requirements", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Avoid introducing additional latency and costs associated with cross-region network traffic where possible.", + "guid": "8aad53cc-79e2-4e86-9673-57c549675c5e", + "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files", "services": [ - "SAP", - "VNet", - "ASR" + "Storage", + "Cost", + "AVD" ], "severity": "High", - "subcategory": "IP plan", - "text": "Consider reserving IP address on DR side when configuring ASR", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Operations" + "subcategory": "Capacity Planning", + "text": "For optimal performance, the storage solution and the FSLogix profile container should be in the same Azure region.", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - 
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "The recommendation in Azure Virtual Desktop is to use Profile Container without Office Container (ODFC) split unless you are planning for specific Business Continuity and Disaster Recovery (BCDR) scenarios as described in the Disaster Recovery section below. https://docs.microsoft.com/fslogix/profile-container-office-container-cncpt ", + "guid": "df47d2d9-2881-4b1c-b5d1-e54a29759e39", + "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers", "services": [ - "SAP", - "VNet" + "Storage", + "ASR", + "AVD" ], "severity": "High", - "subcategory": "IP plan", - "text": "Avoid using overlapping IP address ranges for production and DR sites.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Operations" + "subcategory": "FSLogix", + "text": "Do not use Office Containers (ODFC) if not strictly required and justified", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Make sure to configure the following antivirus exclusions for FSLogix Profile Container virtual hard drives, as documented in the referenced article in the 'More Info' column.", + "guid": "83f63047-22ee-479d-9b5c-3632054b69ba", + "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions", "services": [ - "SAP", "Storage", - "VNet" + "AVD" ], "severity": "Medium", - "subcategory": "IP 
plan", - "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "Operations" + "subcategory": "FSLogix", + "text": "Configure the recommended antivirus exclusions for FSLogix (includes not scanning VHD(x) files on connect).", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Profile containers have a default max size of 30GB. 
If large Profile Containers are anticipated, and customers wants to try to keep them small, consider using OneDrive to host Office 365 files outside the FSLogix profile.", + "guid": "01e6a84d-e5df-443d-8992-481718d5d1e5", + "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference", "services": [ - "SAP", - "Firewall" + "Storage", + "AVD" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", - "waf": "Security" + "severity": "High", + "subcategory": "FSLogix", + "text": "Review and confirm configured maximum profile size in FSLogix", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Defaults and recommended settings are reported in the companion article in the 'More Info' column. 
If not recommended keys and/or values must be used, be sure to review with a Microsoft AVD expert and clearly document your choices.", + "guid": "d34aad5e-8c78-4e1d-9666-7313c405674c", + "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples", "services": [ - "SAP", - "AppGW", - "WAF" + "AKV", + "Storage", + "AVD", + "ACR" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", - "waf": "Security" + "severity": "High", + "subcategory": "FSLogix", + "text": "Review FSLogix registry keys and determine which ones to apply", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Concurrent or multiple connections are not recommended in Azure Virtual Desktop. Concurrent connections are also not supported by Session Hosts running in an Azure Virtual Desktop Host Pool. OneDrive, if used, doesn't support concurrent or multiple connections using the same container, under any circumstance. 
For multiple connections, usage of the same profile disk is not recommended.", + "guid": "5e985b85-9c77-43e7-b261-623b775a917e", + "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections", "services": [ - "AzurePolicy", - "ACR", - "SAP", - "WAF", - "FrontDoor" + "Storage", + "AVD" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", - "waf": "Security" + "severity": "High", + "subcategory": "FSLogix", + "text": "Avoid usage of concurrent or multiple connections", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "Cloud Cache uses OS drive as local cache storage and may generate lot of pressure on the VM disk. Depending on the VM SKU and size used, the VM temporary drive can be a viable and performant solution where to relocate Cloud Cache cached content. Before adopting this solution, tests should be executed to confirm performance and stability. More details on Cloud Cache can be found here: https://learn.microsoft.com/fslogix/concepts-fslogix-cloud-cache. 
", + "guid": "b2d1215a-e114-4ba3-9df5-85ecdcd9bd3b", + "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference", "services": [ - "AzurePolicy", - "AppGW", - "SAP", - "WAF", - "FrontDoor" + "Storage", + "VM", + "AVD" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Security" + "severity": "Low", + "subcategory": "FSLogix", + "text": "If FSLogix Cloud Cache is used, consider moving the cache directory to the VM temporary drive.", + "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "category": "Storage", + "checklist": "Azure Virtual Desktop Review", + "description": "REDIRECTION.XML file is used to control what folders are redirected out of the profile container to the 'C:' drive. Exclusions should be the exception and should never be used unless the specific exclusion is completely understood by the person configuring the exclusion. Exclusions should always be fully tested in the environment where they are intended to be implemented. 
Configuring exclusions may impact functionality, stability and performance.", + "guid": "0b50ca97-b1d2-473c-b4d9-6e98b0f912de", + "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml", "services": [ - "SAP", - "LoadBalancer", - "AppGW", - "WAF" + "Storage", + "AVD" ], "severity": "Medium", - "subcategory": "Internet", - "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Security" + "subcategory": "FSLogix", + "text": "Review the usage of FSLogix redirection.", + "waf": "Cost" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "services": [ - "SAP", - "VWAN", - "ACR" + "Entra" ], "severity": "Medium", - "subcategory": "Internet", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "Performance" + "subcategory": "Entra ID", + "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "services": [ - "Storage", - "ACR", - "VNet", - "SAP", - "Backup", - "PrivateLink" + "Entra" ], "severity": "Medium", - "subcategory": "Internet", - "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "Security" + "subcategory": "AAD B2C", + "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. 
Resilient interfaces with external processes", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "services": [ - "SAP", - "VM" + "Entra" ], - "severity": "High", - "subcategory": "Segmentation", - "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "severity": "Medium", + "subcategory": "AAD B2C", + "text": "Custom brand assets should be hosted on a CDN", "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", "services": [ - "SAP", - "LoadBalancer" + "Entra" ], - "severity": "Medium", - "subcategory": "Segmentation", - "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). 
This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Security" + "severity": "Low", + "subcategory": "AAD B2C", + "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "services": [ + "Entra", + "VM" + ], + "severity": "Medium", + "subcategory": "Windows Server AD", + "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", + "waf": "Reliability" + }, + { + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "SAP", - "VNet", - "VM" + "Entra" ], "severity": "Medium", - "subcategory": "Segmentation", - "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", - "waf": "Security" + "subcategory": "Windows Server AD", + "text": "Don't replicate! Replication can create issues with directory synchronization", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "SAP", - "VNet" + "Entra" ], - "severity": "High", - "subcategory": "Segmentation", - "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Windows Server AD", + "text": "Have active-active for multi-regions", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "services": [ - "SAP" + "Entra" ], "severity": "Medium", - "subcategory": "Segmentation", - "text": "For optimal network latency with SAP 
applications, consider using Azure proximity placement groups.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Performance" + "subcategory": "Entra Domain Services", + "text": "Add Azure AD Domain service stamps to additional regions and locations", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "category": "Operations Management", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "services": [ - "SAP" + "Entra" ], - "severity": "High", - "subcategory": "Segmentation", - "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. 
Both layers need to completely reside either on-premise or in Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Entra Domain Services", + "text": "Use Replica Sets for DR", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", + "service": "CosmosDB", "services": [ - "SAP", - "Cost", - "VNet" + "CosmosDB" ], - "severity": "High", - "subcategory": "Segmentation", - "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Best Practices", + "text": "FTA Resiliency Playbook", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "services": [ - "SAP", - "LoadBalancer" + "CosmosDB" ], "severity": "High", - "subcategory": "Segmentation", - "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Performance" + "subcategory": "High Availability", + "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", + "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", + "service": "CosmosDB", "services": [ - "SAP", - "VNet" + "CosmosDB" ], "severity": "Medium", - 
"subcategory": "Segmentation", - "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", - "waf": "Security" + "subcategory": "High Availability", + "text": "Run multiple replicas of the database (>1 ) in Prod", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", + "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", + "service": "CosmosDB", "services": [ - "SAP", - "Backup", - "VM" + "CosmosDB", + "ACR" ], - "severity": "High", - "subcategory": " ", - "text": "Review SAP HANA database backups for Azure VMs.", - "waf": "Cost" + "severity": "Medium", + "subcategory": "High Availability", + "text": "Leverage Multi-Region Writes", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Span Cosmos account across two or more regions with multi-region writes", + "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", 
+ "service": "CosmosDB", "services": [ - "SAP", - "Monitor", - "ASR" + "CosmosDB", + "ACR" ], "severity": "Medium", - "subcategory": " ", - "text": "Review Site Recovery built-in monitoring, where used for SAP.", - "waf": "Cost" + "subcategory": "High Availability", + "text": "Distribute your data globally", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", + "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", + "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", + "service": "CosmosDB", "services": [ - "SAP", - "Monitor" + "CosmosDB" ], "severity": "High", - "subcategory": " ", - "text": "Review the Monitoring the SAP HANA System Landscape guidance.", - "waf": "Operations" + "subcategory": "High Availability", + "text": "Choose from several well-defined consistency models", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. 
To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.", + "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", + "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", + "service": "CosmosDB", "services": [ - "SAP", - "Backup", - "VM" + "CosmosDB" ], "severity": "Medium", - "subcategory": " ", - "text": "Review Oracle Database in Azure Linux VM backup strategies.", - "waf": "Operations" + "subcategory": "High Availability", + "text": "Enable Service managed failover", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.", + "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", + "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", + "service": "CosmosDB", "services": [ - "SAP", - "SQL", + "Backup", + "CosmosDB", "Storage" ], "severity": "Medium", - "subcategory": " ", - "text": "Review the use of Azure Blob Storage with SQL Server 2016.", - "waf": "Operations" + "subcategory": "Backup Strategy", + "text": "Enable Automatic Backups", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.", + "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", + "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", + "service": "CosmosDB", "services": [ - "SAP", "Backup", - "VM" + "CosmosDB" ], "severity": "Medium", - "subcategory": " ", - "text": "Review the use of Automated Backup v2 for Azure VMs.", - "waf": "Operations" - }, - { - "category": "Operational Excellence", - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", - "services": [ - "SAP" - ], - "severity": "High", - "subcategory": " ", - "text": "Enabling Write accelerator for M series when using premium disks(V1)", - "waf": "Operations" + "subcategory": "Backup Strategy", + "text": "Perform Periodic Backups", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Reliability" }, { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", + "category": "Operations Management", + "checklist": "CosmosDB Review Checklist", + "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", + "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", + "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", + "service": "CosmosDB", "services": [ - "SAP" + "Backup", + "CosmosDB" ], "severity": "Medium", - "subcategory": " ", - "text": "Test availability zone latency.", - "waf": "Performance" + "subcategory": "Backup Strategy", + "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "waf": "Reliability" }, { - "category": "Performant", + "category": "Automation", "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", "service": "SAP", "services": [ "SAP" ], "severity": "Medium", - "subcategory": " ", - "text": "Activate SAP EarlyWatch Alert for all SAP components.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "Performance" + "subcategory": "ACSS", + "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. 
You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "Operations" }, { - "category": "Performant", + "category": "Automation", "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", "service": "SAP", "services": [ "SAP" ], "severity": "Medium", - "subcategory": " ", - "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", - "waf": "Performance" - }, - { - "category": "Performant", - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", - "services": [ - "SAP", - "SQL", - "Monitor" - ], - "severity": "Medium", - "subcategory": " ", - "text": "Review SQL Server performance monitoring using CCMS.", - "waf": "Performance" + "subcategory": "SDAF", + "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", + "training": "https://github.com/Azure/sap-automation", + "waf": "Operations" }, { - "category": "Performant", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", "service": "SAP", "services": [ - "SAP", - "VM" + "Backup", + "ASR", + "SAP" ], "severity": "Medium", - "subcategory": " ", - "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "Performance" + "subcategory": "Backup and restore", + "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", + "waf": "Reliability" }, { - "category": "Performant", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", "service": "SAP", "services": [ - "SAP", - "Monitor" + "Backup", + "ASR", + "SAP" ], "severity": "Medium", - "subcategory": " ", - "text": "Review SAP HANA studio alerts.", - "waf": "Performance" + "subcategory": "Disaster recovery", + "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", + "waf": "Reliability" }, { - "category": "Performant", + "category": "Business Continuity and Disaster 
Recovery", "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", "service": "SAP", "services": [ + "Backup", + "SQL", + "Storage", + "ASR", "SAP" ], - "severity": "Medium", - "subcategory": " ", - "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", - "waf": "Performance" + "severity": "High", + "subcategory": "Disaster recovery", + "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", "service": "SAP", "services": [ - "SAP", - "VM" + "ASR", + "SAP" ], "severity": "Medium", - "subcategory": "Governance", - "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", - "training": 
"https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "Security" + "subcategory": "Disaster recovery", + "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", "service": "SAP", "services": [ + "VPN", + "ASR", + "ExpressRoute", "SAP" ], - "severity": "Medium", - "subcategory": "Governance", - "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "Security" + "severity": "High", + "subcategory": "Disaster recovery", + "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", "service": "SAP", "services": [ - "SAP", - "SQL" + "AKV", + "ACR", + "ASR", + "SAP" ], "severity": "Low", - "subcategory": "Governance", - "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. 
Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", - "waf": "Security" + "subcategory": "Disaster recovery", + "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", "service": "SAP", "services": [ - "SAP", - "SQL" + "VNet", + "ASR", + "SAP" ], - "severity": "High", - "subcategory": "Governance", - "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "Security" + "severity": "Medium", + "subcategory": "Disaster recovery", + "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", "service": "SAP", "services": [ - "AKV", "Storage", - "SQL", - "SAP", - "Backup" + "ASR", + "SAP" ], - "severity": "High", - "subcategory": "Secrets", - "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "waf": "Security" + "severity": "Low", + "subcategory": "Disaster recovery", + "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", "service": "SAP", "services": [ - "SAP", - "Storage", - "AKV" - ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "Security" + "ASR", + "SAP" + ], + "severity": "High", + "subcategory": "Disaster recovery", + "text": "Native database replication technology should be used to synchronize the database in a HA pair.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", "service": "SAP", "services": [ - "SAP", - "AKV" + "ASR", + "VNet", + "SAP" ], "severity": "High", - "subcategory": "Secrets", - "text": "Use Azure Key Vault to store your secrets and credentials", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "subcategory": "Disaster recovery", + "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", + "training": 
"https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", "service": "SAP", "services": [ - "AzurePolicy", - "AKV", - "RBAC", - "SAP", - "Subscriptions" + "Entra", + "ASR", + "VM", + "SAP" ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "Security" + "severity": "High", + "subcategory": "Disaster recovery", + "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", "service": "SAP", "services": [ - "SAP", - "AzurePolicy", - "AKV" + "ASR", + "SAP" ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "severity": "High", + "subcategory": "High availability", + "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", "service": "SAP", "services": [ - "RBAC", - "SAP", - "AzurePolicy", - "AKV" + "ASR", + "SAP" ], "severity": "High", - "subcategory": "Secrets", - "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "Security" + "subcategory": "High availability", + "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", "service": "SAP", "services": [ - "SAP", "Storage", - "Defender", - "AKV" + "VM", + "ASR", + "SAP" ], "severity": "High", - "subcategory": "Secrets", - "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. Follow your DBMS vendor's recommendations when excluding target files.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "Security" + "subcategory": "High availability", + "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", "service": "SAP", "services": [ - "RBAC", - "SAP", - "Defender", - "AKV" + "Storage", + "ASR", + "SAP" ], "severity": "High", - "subcategory": "Secrets", - "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "waf": "Security" + "subcategory": "High availability", + "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", "service": "SAP", "services": [ - "SAP", - "AKV" + "ASR", + "SAP" ], - "severity": "Low", - "subcategory": "Secrets", - "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "Security" + "severity": "High", + "subcategory": "High availability", + "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", "service": "SAP", "services": [ - "SAP", - "AKV" + "LoadBalancer", + "ASR", + "SAP" ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "severity": "High", + "subcategory": "High availability", + "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", "service": "SAP", "services": [ - "SAP", - "AKV" + "LoadBalancer", + "ASR", + "SAP" ], "severity": "High", - "subcategory": "Secrets", - "text": "Use an Azure Key Vault per application per environment per region.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "subcategory": "High availability", + "text": "Make sure the Floating IP is enabled on the Load balancer", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", "service": "SAP", "services": [ - "SAP", - "AKV" + "ASR", + "SAP" ], "severity": "High", - "subcategory": "Secrets", - "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. 
SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "Security" + "subcategory": "High availability", + "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", "service": "SAP", "services": [ - "RBAC", - "SAP", - "Subscriptions" + "Entra", + "ASR", + "VM", + "SAP" ], "severity": "High", - "subcategory": "Security", - "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "Security" + "subcategory": "High availability", + "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", 
- "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", "service": "SAP", "services": [ - "SAP", - "NVA", - "PrivateLink" + "Entra", + "ASR", + "VM", + "RBAC", + "SAP" ], "severity": "High", - "subcategory": "Security", - "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "Security" + "subcategory": "High availability", + "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", "service": "SAP", "services": [ - "SAP", - "Storage", - "VM" + "ASR", + "SAP" ], - "severity": "Low", - "subcategory": "Security", - "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "Security" + "severity": "Medium", + "subcategory": "High 
availability", + "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", "service": "SAP", "services": [ - "SAP", - "Defender" + "ASR", + "VM", + "SAP" ], - "severity": "Low", - "subcategory": "Security", - "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "Security" + "severity": "High", + "subcategory": "High availability", + "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "service": "SAP", "services": [ - "SAP", - "VNet" + "Entra", + "ASR", + "SAP" ], "severity": "High", - "subcategory": "Security", - "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "Security" + "subcategory": "High availability", + "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "service": "SAP", "services": [ - "SAP", - "WAF" + "ACR", + "ASR", + "SAP" ], - "severity": "Low", - "subcategory": "Security", - "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "waf": "Security" + "severity": "High", + "subcategory": "High availability", + "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions", + "waf": "Reliability" }, { - "category": "Security, Governance and Compliance", + "category": "Business Continuity and Disaster Recovery", "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", "service": "SAP", "services": [ - "SAP", - "Monitor", - "AKV" + "Entra", + "ASR", + "SAP" ], - "severity": "Medium", - "subcategory": "Security", - "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Security" - }, - { - "category": "Application Deployment", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", - "services": [], - "severity": "Medium", - "subcategory": "DevOps", - "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. 
You could automate deployment using CI/CD with ADO/GitHub actions", + "severity": "High", + "subcategory": "High availability", + "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "services": [ + "Entra", "ASR", - "FrontDoor", - "TrafficManager" + "VM", + "SAP" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", + "subcategory": "High availability", + "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. 
However, you can combine up to five multiple central-services clusters into a pair of VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "services": [ - "ACR" + "Storage", + "VM", + "ASR", + "SAP" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", - "services": [], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Use more than 1 app instance for your apps", + "subcategory": "High availability", + "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", "services": [ - "Monitor" + "ASR", + "SAP" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with application insights and track failures and create workbooks.", - "waf": "Reliability" - }, - { - "category": "Operations", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", - "services": [], - "severity": "Medium", - "subcategory": "Scalability", - "text": "Set up autoscaling in Spring Cloud Gateway", + "subcategory": "High availability", + "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "services": [], - "severity": "Low", - "subcategory": "Scalability", - "text": "Enable autoscale for the apps with 
Standard consumption & dedicated plan.", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "services": [ + "Storage", + "ASR", + "SAP" + ], + "severity": "High", + "subcategory": "Storage", + "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", - "services": [], - "severity": "Medium", - "subcategory": "Support", - "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. With other tiers you get OSS support.", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", + "services": [ + "Storage", + "ASR", + "SAP" + ], + "severity": "High", + "subcategory": "Storage", + "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", "services": [ - "Entra" + "Storage", + "ASR", + "SAP" ], - "severity": "Medium", - "subcategory": "Entra ID", - "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", + "severity": "High", + "subcategory": "Storage", + "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", + "category": "Business Continuity and Disaster Recovery", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", "services": [ - "Entra" + "Storage", + "ASR", + "SAP" ], - "severity": "Medium", - "subcategory": "AAD B2C", - "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes", + "severity": "High", + "subcategory": "Storage", + "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + "category": "Cost Optimization", + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "services": [ - "Entra" + "Cost", + "SAP" ], "severity": "Medium", - "subcategory": "AAD B2C", - "text": "Custom brand assets should be hosted on a CDN", - "waf": "Performance" + "subcategory": " ", + "text": "Automate SAP System Start-Stop to manage costs.", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", + "category": "Cost Optimization", + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "services": [ - "Entra" + "Storage", + "VM", + "Cost", + "SAP" ], "severity": "Low", - "subcategory": "AAD B2C", - "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", - "waf": "Reliability" + "subcategory": " ", + "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. 
However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "category": "Cost Optimization", + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "services": [ + "Storage", "VM", - "Entra" + "Cost", + "SAP" ], - "severity": "Medium", - "subcategory": "Windows Server AD", - "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", - "waf": "Reliability" + "severity": "Low", + "subcategory": " ", + "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", "services": [ - "Entra" + "Entra", + "RBAC", + "Subscriptions", + "SAP" ], - "severity": "Medium", - "subcategory": "Windows Server AD", - "text": "Don't replicate! Replication can create issues with directory synchronization", - "waf": "Reliability" + "severity": "High", + "subcategory": "Identity", + "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "services": [ - "Entra" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Windows Server AD", - "text": "Have active-active for multi-regions", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Enforce Principal 
propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "services": [ - "Entra" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Entra Domain Services", - "text": "Add Azure AD Domain service stamps to additional regions and locations", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "services": [ - "Entra" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Entra Domain Services", - "text": "Use Replica Sets for DR", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Implement SSO to SAP 
NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "974a759c-763e-47d2-9161-3a7649907e0e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ASB_v1.docx", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", "services": [ - "ServiceBus" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage FTA Handbook", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "description": "This will be turned on automatically for a new SB namespace created from the portal with the Premium SKUs in a zone-enabled region. 
Both the Service Bus metadata and the messages data are replicated across datacenters in the availability zones configuration", - "guid": "338ee253-c17d-432e-aaaa-b7571549ab81", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#availability-zones", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "services": [ - "ServiceBus", - "ACR" + "Entra", + "SAP" ], - "severity": "High", - "subcategory": "Best Practices", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity", + "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "description": "If enabled, Implements namespace metadata replication to a secondary region. Does not replicate queue/topic message data. 
Premium sku only.", - "guid": "53d89f89-d17b-484b-93b5-a67f7b9ed5b3", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#geo-disaster-recovery", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", "services": [ - "ServiceBus", - "Storage", - "ASR" + "Entra", + "AKV", + "SAP" ], "severity": "Medium", - "subcategory": "Geo-Disaster Recovery", - "text": "Plan for Metadata replication during regional failure", - "waf": "Reliability" + "subcategory": "Identity", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "description": "If an outage cannot be tolerated, do not use the build-in metadata replication option. 
Leverage a replication pattern to replicate Service Bus messages across two or more sets of cross-region namespaces", - "guid": "1f38c403-a822-4c24-93cf-0f18ac699ef1", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-federation-overview", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", "services": [ - "ServiceBus", - "ACR", - "ASR" + "Entra", + "AKV", + "SAP" ], "severity": "Medium", - "subcategory": "Geo-Disaster Recovery", - "text": "Plan for Message replication during regional failure", - "waf": "Reliability" + "subcategory": "Identity", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus uses a message broker to handle messages that are sent to a Service Bus queue or topic. By default, all messages that are sent to a queue or topic are handled by the same message broker process. This architecture can place a limitation on the overall throughput of the message queue. 
However, you can also partition a queue or topic when it is created", - "guid": "d5a83de4-de32-4c18-a147-0607c5c0e4e6", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/data-partitioning-strategies#partitioning-azure-service-bus", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", "services": [ - "ServiceBus", - "Storage" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "For applications which require high throughput, use Patritioning ", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "14658d24-58ed-4671-99b8-21102df26ee4", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", "services": [ - "ServiceBus" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Evaluate Premier-tier benefits of Azure Service Bus", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Implement SSO to SAP HANA", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "11e6f883-e52f-4472-8dd6-8c5b5c2521e5", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-messaging-exceptions", + "category": "Identity and Access", + "checklist": "SAP 
Checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", "services": [ - "ServiceBus" + "Entra", + "SAP" ], - "severity": "High", - "subcategory": "Best Practices", - "text": "Ensure that Service Bus Messaging Exceptions are handled properly", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity", + "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "4a69b9d3-39ac-44e7-a68d-1d75657202b4", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", "services": [ - "ServiceBus", - "Storage", - "PrivateLink" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Connect to Service Bus with the Advanced Messaging Queue Protocol (AMQP) and use Service Endpoints or Private Endpoints when possible.", - "waf": "Reliability" + "subcategory": "Identity", + "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "f4564b4d-974a-4759-a763-e7d261613a76", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-performance-improvements?tabs=net-standard-sdk-2", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": 
"https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", "services": [ - "ServiceBus" + "Entra", + "SAP" ], - "severity": "High", - "subcategory": "Best Practices", - "text": "Review the Best Practices for performance improvements using Service Bus Messaging", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Identity", + "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "49907e0e-338e-4e25-9c17-d32e8aaab757", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/operational-excellence", + "category": "Identity and Access", + "checklist": "SAP Checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", "services": [ - "ServiceBus" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Implement geo-replication on the sender and receiver side to protect against outages and disasters", - "waf": "Reliability" + "subcategory": "Identity", + "text": "Implement SSO to SAP BTP", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "1549ab81-53d8-49f8-ad17-b84b33b5a67f", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", + "category": "Identity and Access", + "checklist": "SAP Checklist", + 
"guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", "services": [ - "ServiceBus", - "Storage", - "ASR" + "Entra", + "SAP" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "If you need mission-critical messaging with queues and topics, Service Bus Premium is recommended with Geo-Disaster Recovery.", - "waf": "Reliability" + "subcategory": "Identity", + "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "7b9ed5b3-1f38-4c40-9a82-2c2463cf0f18", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", "services": [ - "ServiceBus" + "Subscriptions", + "AzurePolicy", + "SAP" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Implement high availability for the Service Bus namespace", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "enforce existing Management Group policies to SAP Subscriptions", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "Operations" }, 
{ - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "ac699ef1-d5a8-43de-9de3-2c1881470607", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "ServiceBus" + "Subscriptions", + "SAP" ], "severity": "High", - "subcategory": "Best Practices", - "text": "Ensure related messages are delivered in guaranteed order", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "c5c0e4e6-1465-48d2-958e-d67139b82110", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "ServiceBus" + "Subscriptions", + "SAP" ], - "severity": "Low", - "subcategory": "Best Practices", - "text": "Evaluate different Java Messaging Service (JMS) features through the JMS API", - "waf": "Reliability" + "severity": "High", + "subcategory": "Subscriptions", + "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "2df26ee4-11e6-4f88-9e52-f4722dd68c5b", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", "services": [ - "ServiceBus" + "VM", + "Subscriptions", + "SAP" + ], + "severity": "High", + "subcategory": "Subscriptions", + "text": "Ensure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "waf": "Operations" + }, + { + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", + "services": [ + "Subscriptions", + "SAP" ], "severity": "Low", - "subcategory": "Best Practices", - "text": "Use .NET Nuget packages to communicate with Service Bus messaging entities", - "waf": "Reliability" + "subcategory": "Subscriptions", + "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. 
Consider using it if necessary.", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Service Bus Review Checklist", - "guid": "5c2521e5-4a69-4b9d-939a-c4e7c68d1d75", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", "services": [ - "ServiceBus" + "VM", + "Subscriptions", + "SAP" ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Implement resilience for transient fault handling when sending or receiving messages", - "waf": "Reliability" + "severity": "High", + "subcategory": "Subscriptions", + "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", - "guid": "87af4a79-1f89-439b-ba47-768e14c11567", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", - "service": "Service Bus", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", "services": [ - "ServiceBus" + "Subscriptions", + "SAP" ], - "severity": "Low", - "subcategory": "Data Protection", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "severity": "High", + "subcategory": "Subscriptions", + "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", - "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", - "service": "Service Bus", + "category": "Management Group and Subscriptions", + "checklist": "SAP Checklist", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", "services": [ - "ServiceBus" + "TrafficManager", + "Cost", + "Subscriptions", + "SAP" ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" + "subcategory": "Subscriptions", + "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", - "service": "Service Bus", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "services": [ - "AzurePolicy", - "Entra", - "RBAC", - "TrafficManager", - "ServiceBus" + "Monitor", + "Backup", + "SAP" ], - "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Security" + "severity": "High", + "subcategory": "BCDR", + "text": "Help protect your HANA database by using the Azure Backup service.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. 
", - "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", - "service": "Service Bus", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", "services": [ - "AKV", + "Entra", "Storage", "VM", - "Entra", - "ServiceBus", - "AppSvc" + "Monitor", + "SAP" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "BCDR", + "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. 
", - "guid": "f615658d-e558-4f93-9249-b831112dbd7e", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", - "service": "Service Bus", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "services": [ - "RBAC", - "Storage", - "Entra", - "ServiceBus", - "Subscriptions" + "Monitor", + "SAP" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "subcategory": "Management", + "text": "Ensure time-zone matches between the operating system and the SAP system.", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", - "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", - "service": "Service Bus", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", "services": [ - "ServiceBus", + "Entra", "Monitor", - "VNet" + "SAP" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Enable logging for security investigation. 
Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "subcategory": "Management", + "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", - "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", - "service": "Service Bus", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", "services": [ - "ServiceBus", - "VNet", - "PrivateLink" + "Monitor", + "Cost", + "SAP" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "severity": "Low", + "subcategory": "Management", + "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Service Bus Review Checklist", - "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", - "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", - "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", - "service": "Service Bus", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", "services": [ - "ServiceBus" + "Entra", + "Monitor", + "SAP" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "subcategory": "Management", + "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", "services": [ - "APIM", - "AzurePolicy" + "Monitor", + "VM", + "SAP" ], "severity": "Medium", - "subcategory": "Development best practices", - "text": "Implement an error handling policy at the global level", + "subcategory": "Management", + "text": "Use Azure Update Manager to check the status of available 
updates for a single VM or multiple VMs and consider scheduling regular patching.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", "services": [ - "APIM", - "AzurePolicy" + "Monitor", + "SAP" ], - "severity": "Medium", - "subcategory": "Development best practices", - "text": "Ensure all APIs policies include a element.", + "severity": "Low", + "subcategory": "Management", + "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). 
Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", "services": [ - "APIM", - "AzurePolicy", - "ACR" + "Monitor", + "SQL", + "SAP" ], "severity": "Medium", - "subcategory": "Development best practices", - "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", + "subcategory": "Monitoring", + "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "services": [ - "APIM" + "Entra", + "Monitor", + "VM", + "SAP" ], - "severity": "Medium", - "subcategory": "Monetization", - "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", + "severity": "High", + "subcategory": "Monitoring", + "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "services": [ - "APIM", - "Monitor" + "Monitor", + "AzurePolicy", + "SAP" ], - "severity": "High", + "severity": "Medium", "subcategory": "Monitoring", - "text": "Enable Diagnostics Settings to export logs to Azure Monitor", + "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", "services": [ - "APIM", - "Monitor" + "NetworkWatcher", + "Monitor", + "SAP" ], "severity": "Medium", "subcategory": "Monitoring", - "text": "Enable Application Insights for more detailed telemetry", + "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", "services": [ - "APIM", - "Monitor" + "Monitor", + "VM", + "SAP" ], - "severity": "High", + "severity": "Medium", "subcategory": "Monitoring", - "text": "Configure alerts on the most critical metrics", + "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned 
VMs comply with SAP HANA on Azure best practices.", "waf": "Operations" }, { - "category": "Identity and Access Management", - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "services": [ - "APIM", - "AKV", - "Entra" + "Monitor", + "Subscriptions", + "SAP" ], "severity": "High", - "subcategory": "Data protection", - "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", - "waf": "Security" + "subcategory": "Monitoring", + "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "Performance" }, { - "category": "Identity and Access Management", - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", "services": [ - 
"APIM", - "Entra" + "Monitor", + "Storage", + "ASR", + "SAP" ], - "severity": "High", - "subcategory": "Identity", - "text": "Protect incoming requests to APIs (data plane) with Azure AD", - "waf": "Security" + "severity": "Medium", + "subcategory": "Monitoring", + "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", "services": [ - "APIM", - "Entra" + "Sentinel", + "Monitor", + "SAP" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", + "subcategory": "Monitoring", + "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", "services": [ - "APIM", - "Entra" + "Monitor", + "Cost", + "SAP" ], "severity": "Medium", - "subcategory": "Privileged access", - "text": "Create appropriate groups to control the visibility of the products", - "waf": "Security" + "subcategory": "Monitoring", + "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", "services": [ - "APIM" + "Monitor", + "VM", + "SAP" + ], + "severity": "Low", + "subcategory": "Performance", + "text": "Use inter-VM latency 
monitoring for latency-sensitive applications.", + "waf": "Performance" + }, + { + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "services": [ + "Monitor", + "ASR", + "SAP" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "Use Backends feature to eliminate redundant API backend configurations", - "waf": "Operations" + "subcategory": "Performance", + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "services": [ - "APIM", - "AzurePolicy" + "Monitor", + "Storage", + "SAP" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "Use Named Values to store common values that can be used in policies", - "waf": "Operations" + "subcategory": "Performance", + "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. 
For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", "services": [ - "APIM", - "ACR", - "ASR" + "Monitor", + "SAP" + ], + "severity": "Low", + "subcategory": "Performance", + "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.", + "waf": "Performance" + }, + { + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", + "services": [ + "Monitor", + "Storage", + "SAP" ], "severity": "Medium", - "subcategory": "Business continuity and disaster recovery", - "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", - "waf": "Reliability" + "subcategory": "Performance", + "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + "category": "Management and 
Monitoring", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "services": [ - "APIM", - "ASR" + "Monitor", + "SQL", + "SAP" ], "severity": "Medium", - "subcategory": "Business continuity and disaster recovery", - "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", - "waf": "Reliability" + "subcategory": "Performance", + "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "category": "Management and Monitoring", + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "services": [ - "APIM", - "Backup", - "ASR" + "Monitor", + "ASR", + "SAP" ], "severity": "High", - "subcategory": "Business continuity and disaster recovery", - "text": "Ensure there is an automated backup routine", - "waf": "Reliability" + "subcategory": "Reliability", + "text": "Use 
Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", "services": [ - "APIM", - "AzurePolicy" + "AppGW", + "WAF", + "AzurePolicy", + "SAP" ], "severity": "Medium", - "subcategory": "Failover and Caching", - "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", - "waf": "Reliability" + "subcategory": "App delivery", + "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "f96ddac5-77ec-4fa9-8833-4327f052059e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-cache-external", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "services": [ - "APIM", - "AzurePolicy" + "DNS", + "VM", + "SAP" ], "severity": "Medium", - "subcategory": "Performance and scalability", - "text": "Consider using a external cache 
policy for APIs that can benefit from caching", - "training": "https://learn.microsoft.com/training/modules/improve-api-performance-with-apim-caching-policy/" + "subcategory": "DNS", + "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "services": [ - "APIM", - "AzurePolicy", - "EventHubs" + "DNS", + "VNet", + "SAP" ], - "severity": "Low", - "subcategory": "Performance and scalability", - "text": "If you need to log at high performance levels, consider Event Hubs policy", + "severity": "Medium", + "subcategory": "DNS", + "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", "services": [ - "APIM", - "AzurePolicy" + "ACR", + "VNet", + "SAP" ], "severity": "Medium", - "subcategory": "Performance and scalability", - "text": "Apply throttling policies to control the number of requests per second", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "Performance" + "subcategory": "Hybrid", + "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "services": [ - "APIM" + "NVA", + "SAP" ], - "severity": "Medium", - "subcategory": 
"Performance and scalability", - "text": "Configure autoscaling to scale out the number of instances when the load increases", + "severity": "High", + "subcategory": "Hybrid", + "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", + "training": "https://me.sap.com/notes/2731110", "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", "services": [ - "APIM" + "VWAN", + "ACR", + "SAP" ], "severity": "Medium", - "subcategory": "Performance and scalability", - "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", - "waf": "Performance" + "subcategory": "Hybrid", + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", "services": [ - "APIM" + "VNet", + "NVA", + "SAP" ], "severity": "Medium", - "subcategory": "Premium Tier", - "text": "Use the premium tier for production workloads.", - "waf": "Reliability" + "subcategory": "Hybrid", + "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", "services": [ - "APIM", - "AzurePolicy" + "VWAN", + "VNet", + "NVA", + "SAP" ], "severity": "Medium", - "subcategory": "Request Routing", - "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", - "waf": "Reliability" + "subcategory": "Hybrid", + "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "services": [ - "APIM", - "Entra" + "VNet", + "VM", + "SAP" ], "severity": "High", - "subcategory": "Resource Limits", - "text": "Be aware of APIM's limits", - "waf": "Reliability" + "subcategory": "IP plan", + "text": "Public IP assignment to VM running SAP Workload is not recommended.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", "services": [ - "APIM" + "VNet", + "ASR", + "SAP" ], "severity": "High", - "subcategory": "Self-Hosted", - "text": "Ensure that the self-hosted gateway deployments are resilient.", - "waf": 
"Reliability" + "subcategory": "IP plan", + "text": "Consider reserving IP address on DR side when configuring ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Operations" }, { "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "services": [ - "APIM", - "FrontDoor", - "Entra" + "VNet", + "SAP" + ], + "severity": "High", + "subcategory": "IP plan", + "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Operations" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", + "services": [ + "Storage", + "VNet", + "SAP" ], "severity": "Medium", - "subcategory": "Connectivity", - "text": "Use Azure Front Door in front of APIM for multi-region deployment", - "waf": "Performance" + "subcategory": "IP plan", + "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. 
Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "Operations" }, { "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "services": [ - "APIM", - "VNet" + "Firewall", + "SAP" ], "severity": "Medium", - "subcategory": "Security", - "text": "Deploy the service within a Virtual Network (VNet)", + "subcategory": "Internet", + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", "waf": "Security" }, { "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "services": [ - "APIM", - "Monitor", - "VNet", - "Entra" + "AppGW", + "WAF", + "SAP" ], "severity": "Medium", - "subcategory": "Security", - "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", + "subcategory": "Internet", + "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", "waf": "Security" }, { "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "services": [ - "APIM", - "Entra", - "VNet", - "PrivateLink" + "AzurePolicy", + "FrontDoor", + "ACR", + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Security", - "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", + "subcategory": "Internet", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", "waf": "Security" }, { "category": "Network Topology and Connectivity", - "checklist": "Azure API Management Review", - "guid": 
"d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "services": [ - "APIM" + "AppGW", + "AzurePolicy", + "FrontDoor", + "SAP", + "WAF" ], - "severity": "High", - "subcategory": "Security", - "text": "Disable Public Network Access", + "severity": "Medium", + "subcategory": "Internet", + "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Security" }, { - "category": "Platform automation and DevOps", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "services": [ - "APIM" + "LoadBalancer", + "AppGW", + "WAF", + "SAP" ], "severity": "Medium", - "subcategory": "Automation", - "text": "Simplify management with PowerShell automation scripts", - "waf": "Operations" + "subcategory": "Internet", + "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Security" }, { - "category": "Platform automation and DevOps", - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "services": [ - "APIM", - "Entra" + "VWAN", + "ACR", + "SAP" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", - "waf": "Operations" + "subcategory": "Internet", + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "Performance" }, { - "category": "Platform automation and DevOps", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "services": [ - "APIM", - "Entra" + "PrivateLink", + "Backup", + "Storage", + "ACR", + "SAP", + "VNet" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "Promote usage of Visual Studio Code APIM extension for faster API development", - "waf": "Operations" + "subcategory": "Internet", + "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "Security" }, { - "category": "Platform automation and DevOps", - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "services": [ - "APIM" + "VM", + "SAP" ], - "severity": "Medium", - "subcategory": "DevOps", - "text": "Implement DevOps and CI/CD in your workflow", - "waf": "Operations" + "severity": "High", + "subcategory": "Segmentation", + "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", "services": [ - "APIM" + "LoadBalancer", + "SAP" ], "severity": "Medium", - "subcategory": "APIs", - "text": "Secure APIs using 
client certificate authentication", + "subcategory": "Segmentation", + "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", + "services": [ + "VM", + "VNet", + "SAP" + ], + "severity": "Medium", + "subcategory": "Segmentation", + "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "waf": "Security" + }, + { + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "services": [ - "APIM" + "VNet", + "SAP" ], - "severity": "Medium", - "subcategory": "APIs", - "text": "Secure backend services using client certificate authentication", - "waf": "Security" + "severity": "High", + "subcategory": "Segmentation", + "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "services": [ - "APIM" + "SAP" ], "severity": "Medium", - "subcategory": "APIs", - "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", - "waf": "Security" + "subcategory": "Segmentation", + "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure 
API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "services": [ - "APIM" + "SAP" ], - "severity": "Medium", - "subcategory": "APIs", - "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", - "waf": "Security" + "severity": "High", + "subcategory": "Segmentation", + "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "services": [ - "APIM" + "VNet", + "Cost", + "SAP" ], "severity": "High", - "subcategory": "Ciphers", - "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.", - "waf": "Security" + "subcategory": "Segmentation", + "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Cost" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "services": [ - "APIM", - "AKV" + "LoadBalancer", + "SAP" ], "severity": "High", - "subcategory": "Data protection", - "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", - "waf": "Security" + "subcategory": "Segmentation", + "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - 
"link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "category": "Network Topology and Connectivity", + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "services": [ - "APIM", - "Entra" + "VNet", + "SAP" ], "severity": "Medium", - "subcategory": "Identities", - "text": "Use managed identities to authenticate to other Azure resources whenever possible", + "subcategory": "Segmentation", + "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "services": [ - "APIM", - "AppGW", - "WAF", - "Entra" + "Backup", + "VM", + "SAP" ], "severity": "High", - "subcategory": "Network", - "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", - "waf": "Security" + "subcategory": " ", + "text": "Review SAP HANA database backups for Azure VMs.", + "waf": "Cost" }, { - "category": 
"BC and DR", - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "services": [ - "AppSvc" + "Monitor", + "ASR", + "SAP" ], - "severity": "Low", - "subcategory": "High Availability", - "text": "Refer to baseline highly available zone-redundant web application architecture for best practices", - "waf": "Reliability" + "severity": "Medium", + "subcategory": " ", + "text": "Review Site Recovery built-in monitoring, where used for SAP.", + "waf": "Cost" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", "services": [ - "AppSvc", - "Backup" + "Monitor", + "SAP" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Use Premium and Standard tiers. 
These tiers support staging slots and automated backups.", - "waf": "Reliability" + "severity": "High", + "subcategory": " ", + "text": "Review the Monitoring the SAP HANA System Landscape guidance.", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "services": [ - "AppSvc" + "Backup", + "VM", + "SAP" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)", - "waf": "Reliability" + "severity": "Medium", + "subcategory": " ", + "text": "Review Oracle Database in Azure Linux VM backup strategies.", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", "services": [ - "Monitor", - "AppSvc" + "Storage", + "SQL", + "SAP" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Implement health checks", - "waf": "Reliability" + "subcategory": " ", + "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure 
App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", "services": [ - "AppSvc", - "Backup" + "Backup", + "VM", + "SAP" ], - "severity": "High", - "subcategory": "Multi-tenant service", - "text": "Refer to backup and restore best practices for Azure App Service", - "waf": "Reliability" + "severity": "Medium", + "subcategory": " ", + "text": "Review the use of Automated Backup v2 for Azure VMs.", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", + "category": "Operational Excellence", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "services": [ - "AppSvc" + "SAP" ], "severity": "High", - "subcategory": "High Availability", - "text": "Implement Azure App Service reliability best practices", - "waf": "Reliability" + "subcategory": " ", + "text": "Enabling Write accelerator for M series when using premium disks(V1)", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": 
"https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "services": [ - "AppSvc" + "SAP" ], - "severity": "Low", - "subcategory": "High Availability", - "text": "Familiarize with how to move an App Service app to another region During a disaster", - "waf": "Reliability" + "severity": "Medium", + "subcategory": " ", + "text": "Test availability zone latency.", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "services": [ - "AppSvc" + "SAP" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Familiarize with reliability support in Azure App Service", - "waf": "Reliability" + "severity": "Medium", + "subcategory": " ", + "text": "Activate SAP EarlyWatch Alert for all SAP components.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "services": [ - "AppSvc" + "SAP" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Ensure \"Always On\" is enabled for Function Apps running 
on a app service plan", - "waf": "Reliability" + "subcategory": " ", + "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", + "waf": "Performance" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "services": [ "Monitor", - "AppSvc" + "SQL", + "SAP" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor App Service instances using Health checks", - "waf": "Reliability" + "subcategory": " ", + "text": "Review SQL Server performance monitoring using CCMS.", + "waf": "Performance" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", "services": [ - "Monitor", - "AppSvc" + "VM", + "SAP" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests", - "waf": "Reliability" + "subcategory": " ", + "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "Performance" }, { - "category": "Operations", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": 
"https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", "services": [ "Monitor", - "AppSvc" + "SAP" ], - "severity": "Low", - "subcategory": "Monitoring", - "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", - "waf": "Reliability" + "severity": "Medium", + "subcategory": " ", + "text": "Review SAP HANA studio alerts.", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Use Azure Key Vault to store any secrets the application needs. Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "category": "Performant", + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", "services": [ - "AKV", - "AppSvc" + "SAP" ], - "severity": "High", - "subcategory": "Data Protection", - "text": "Use Key Vault to store secrets", + "severity": "Medium", + "subcategory": " ", + "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", + "waf": "Performance" + }, + { + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "services": [ + "VM", + "SAP" + ], + 
"severity": "Medium", + "subcategory": "Governance", + "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "services": [ - "AKV", - "AppSvc", - "Entra" + "SAP" ], - "severity": "High", - "subcategory": "Data Protection", - "text": "Use Managed Identity to connect to Key Vault", + "severity": "Medium", + "subcategory": "Governance", + "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Store the App Service TLS certificate in Key Vault.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": 
"1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "services": [ - "AKV", - "AppSvc" + "SQL", + "SAP" ], - "severity": "High", - "subcategory": "Data Protection", - "text": "Use Key Vault to store TLS certificate.", + "severity": "Low", + "subcategory": "Governance", + "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "services": [ - "AppSvc", - "Subscriptions" + "SQL", + "SAP" ], - "severity": "Medium", - "subcategory": "Data Protection", - "text": "Isolate systems that process sensitive information", + "severity": "High", + "subcategory": "Governance", + "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. 
It's a potential risk in security audits.", + "training": "https://me.sap.com/notes/3019299/E", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. (For example: D:\\\\Local and %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "AppSvc", - "TrafficManager" + "AKV", + "Backup", + "SQL", + "Storage", + "SAP" ], - "severity": "Medium", - "subcategory": "Data Protection", - "text": "Do not store sensitive data on local disk", + "severity": "High", + "subcategory": "Secrets", + "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. 
Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", "services": [ - "AppSvc", - "Entra" + "AKV", + "Storage", + "SAP" ], "severity": "Medium", - "subcategory": "Identity and Access Control", - "text": "Use an established Identity Provider for authentication", + "subcategory": "Secrets", + "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed and secured DevOps deployment pipeline. 
This avoids code that was not version controlled and verified to be deployed from a malicious host.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", + "category": "Security, Governance and Compliance", + "checklist": "SAP Checklist", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", "services": [ - "AppSvc", - "Entra" + "AKV", + "SAP" ], "severity": "High", - "subcategory": "Identity and Access Control", - "text": "Deploy from a trusted environment", + "subcategory": "Secrets", + "text": "Use Azure Key Vault to store your secrets and credentials", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure App Service Review", - "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. 
Note that the SCM site can also be opened using Azure AD credentials.",
- "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d",
- "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "829e2edb-2173-4676-aff6-691b4935ada4",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "SAP",
 "services": [
- "AppSvc",
- "Entra"
+ "AKV",
+ "AzurePolicy",
+ "RBAC",
+ "Subscriptions",
+ "SAP"
 ],
- "severity": "High",
- "subcategory": "Identity and Access Control",
- "text": "Disable basic authentication",
+ "severity": "Medium",
+ "subcategory": "Secrets",
+ "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).",
+ "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Where possible use Managed Identity to connect to Azure AD secured resources. 
If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.",
- "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
- "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+ "service": "SAP",
 "services": [
 "AKV",
- "AppSvc",
- "Entra"
+ "AzurePolicy",
+ "SAP"
 ],
- "severity": "High",
- "subcategory": "Identity and Access Control",
- "text": "Use Managed Identity to connect to resources",
+ "severity": "Medium",
+ "subcategory": "Secrets",
+ "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.",
- "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy",
+ "service": "SAP",
 "services": [
- "ACR",
- "AppSvc",
- "Entra"
+ "RBAC",
+ "AKV",
+ "AzurePolicy",
+ "SAP"
 ],
 "severity": "High",
- "subcategory": "Identity and Access Control",
- "text": "Pull containers using a Managed Identity",
+ "subcategory": "Secrets",
+ "text": "Based on 
existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed",
+ "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...",
- "guid": "47768314-c115-4775-a2ea-55b46ad48408",
- "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
 "services": [
- "Monitor",
- "AppSvc",
- "Entra"
+ "AKV",
+ "Storage",
+ "Defender",
+ "SAP"
 ],
- "severity": "Medium",
- "subcategory": "Logging and Monitoring",
- "text": "Send App Service runtime logs to Log Analytics",
+ "severity": "High",
+ "subcategory": "Secrets",
+ "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. 
Follow your DBMS vendor's recommendations when excluding target files.",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the App Service resource itself.",
- "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
- "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks",
+ "service": "SAP",
 "services": [
- "Monitor",
- "AppSvc",
- "Entra"
+ "RBAC",
+ "AKV",
+ "Defender",
+ "SAP"
 ],
- "severity": "Medium",
- "subcategory": "Logging and Monitoring",
- "text": "Send App Service activity logs to Log Analytics",
+ "severity": "High",
+ "subcategory": "Secrets",
+ "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.",
+ "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. 
Ensure to monitor the Firewall's logs.",
- "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf",
- "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
 "services": [
- "Monitor",
- "NVA",
- "VNet",
- "AppSvc",
- "Firewall"
+ "AKV",
+ "SAP"
 ],
- "severity": "Medium",
- "subcategory": "Network Security",
- "text": "Outbound network access should be controlled",
+ "severity": "Low",
+ "subcategory": "Secrets",
+ "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS",
+ "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. 
(Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)",
- "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1",
- "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal",
+ "service": "SAP",
 "services": [
- "PrivateLink",
- "Storage",
- "NVA",
- "VNet",
- "AppSvc",
- "Firewall"
+ "AKV",
+ "SAP"
 ],
- "severity": "Low",
- "subcategory": "Network Security",
- "text": "Ensure a stable IP for outbound communications towards internet addresses",
+ "severity": "Medium",
+ "subcategory": "Secrets",
+ "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. 
Different access restrictions can be required and configured for the web app itself and the SCM site.",
- "guid": "0725769e-e669-41a4-a34a-c932223ece80",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
+ "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices",
+ "service": "SAP",
 "services": [
- "AppSvc",
- "PrivateLink"
+ "AKV",
+ "SAP"
 ],
 "severity": "High",
- "subcategory": "Network Security",
- "text": "Inbound network access should be controlled",
+ "subcategory": "Secrets",
+ "text": "Use an Azure Key Vault per application per environment per region.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.",
- "guid": "b123071a-5416-4415-a33e-a3ad2c2de732",
- "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c",
+ "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
+ "service": "SAP",
 "services": [
- "Monitor",
- "FrontDoor",
- "AppGW",
- "WAF",
- "AppSvc"
+ "AKV",
+ "SAP"
 ],
 "severity": "High",
- "subcategory": "Network Security",
- "text": "Use a WAF in front of App Service",
+ "subcategory": "Secrets",
+ "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. 
SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.",
+ "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.",
- "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314",
- "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
+ "service": "SAP",
 "services": [
- "WAF",
- "AppSvc",
- "PrivateLink"
+ "RBAC",
+ "Subscriptions",
+ "SAP"
 ],
 "severity": "High",
- "subcategory": "Network Security",
- "text": "Avoid for WAF to be bypassed",
+ "subcategory": "Security",
+ "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes",
+ "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Set minimum TLS policy to 1.2 in App Service configuration.",
- "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant",
- "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b",
- "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP 
Checklist",
+ "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
+ "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
+ "service": "SAP",
 "services": [
- "AzurePolicy",
- "AppSvc"
+ "PrivateLink",
+ "NVA",
+ "SAP"
 ],
- "severity": "Medium",
- "subcategory": "Network Security",
- "text": "Set minimum TLS policy to 1.2",
+ "severity": "High",
+ "subcategory": "Security",
+ "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources",
+ "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.",
- "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant",
- "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4",
- "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
+ "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "service": "SAP",
 "services": [
- "WAF",
- "AppSvc"
+ "Storage",
+ "VM",
+ "SAP"
 ],
- "severity": "High",
- "subcategory": "Network Security",
- "text": "Use HTTPS only",
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious 
files, adware, and other threats.",
+ "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). Specifically only allow the origins that you expect to be able to access the service.",
- "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
- "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
+ "service": "SAP",
 "services": [
- "Storage",
- "AppSvc"
+ "Defender",
+ "SAP"
 ],
- "severity": "High",
- "subcategory": "Network Security",
- "text": "Wildcards must not be used for CORS",
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.",
+ "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. 
Note that the service does turn of remote debugging automatically after 48 hours.",
- "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
- "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
- "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
 "services": [
- "AppSvc"
+ "VNet",
+ "SAP"
 ],
 "severity": "High",
- "subcategory": "Network Security",
- "text": "Turn off remote debugging",
+ "subcategory": "Security",
+ "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. 
Review the recommendations from Defender for App Service as part of your operations.",
- "guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
 "services": [
- "Defender",
- "AppSvc"
+ "WAF",
+ "SAP"
 ],
- "severity": "Medium",
- "subcategory": "Network Security",
- "text": "Enable Defender for Cloud - Defender for App Service",
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.",
+ "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
- "guid": "223ece80-b123-4071-a541-6415833ea3ad",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "App Services",
+ "category": "Security, Governance and Compliance",
+ "checklist": "SAP Checklist",
+ "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
+ "service": "SAP",
 "services": [
- "WAF",
- "AppGW",
- "NVA",
- "EventHubs",
- "VNet",
- "DDoS",
- "AppSvc"
+ "AKV",
+ "Monitor",
+ "SAP"
 ],
 "severity": "Medium",
- "subcategory": "Network Security",
- "text": "Enable DDOS Protection Standard on the WAF VNet",
+ "subcategory": "Security",
+ "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.",
- "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
- "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
- "service": "App Services",
+ "category": "BC and DR",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
+ "service": "Redis",
 "services": [
- "PrivateLink",
- 
"ACR",
- "AppSvc",
- "VNet"
+ "ACR"
 ],
- "severity": "Medium",
- "subcategory": "Network Security",
- "text": "Pull containers over a Virtual Network",
- "waf": "Security"
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.",
- "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
- "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
- "service": "App Services",
+ "category": "BC and DR",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
+ "service": "Redis",
 "services": [
- "AppSvc"
+ "Storage"
 ],
 "severity": "Medium",
- "subcategory": "Penetration Testing",
- "text": "Conduct a penetration test",
- "waf": "Security"
+ "subcategory": "High Availability",
+ "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
- "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
- "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
- "service": "App Services",
+ "category": "BC and DR",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
+ "service": "Redis",
 "services": [
- "AppSvc"
+ "Storage"
 ],
 "severity": "Medium",
- "subcategory": "Vulnerability Management",
- "text": "Deploy validated code",
- "waf": "Security"
+ "subcategory": "High Availability",
+ "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure App Service Review",
- "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
- "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
- "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
- "service": "App Services",
+ "category": "BC and DR",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
+ "service": "Redis",
 "services": [
- "AppSvc"
+ "ASR"
 ],
- "severity": "High",
- "subcategory": "Vulnerability Management",
- "text": "Use up-to-date platforms, languages, protocols and frameworks",
- "waf": "Security"
+ 
"severity": "Medium",
+ "subcategory": "High Availability",
+ "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.",
+ "waf": "Reliability"
 },
 {
 "category": "Foundation",
@@ -22632,8 +20279,8 @@
 "guid": "aa359271-8e6e-4205-8725-769e46691e88",
 "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits",
 "services": [
- "Arc",
- "Entra"
+ "Entra",
+ "Arc"
 ],
 "severity": "Medium",
 "subcategory": "Capacity Planning",
@@ -22732,9 +20379,9 @@
 "guid": "9bf39d95-d44c-47c8-a19c-a1f6d5215ae5",
 "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control",
 "services": [
+ "Entra",
 "RBAC",
- "Arc",
- "Entra"
+ "Arc"
 ],
 "severity": "Medium",
 "subcategory": "Access",
@@ -22747,9 +20394,9 @@
 "guid": "14ba34d4-585e-4111-89bd-7ba012f7b94e",
 "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad",
 "services": [
- "Arc",
+ "Entra",
 "AKV",
- "Entra"
+ "Arc"
 ],
 "severity": "Low",
 "subcategory": "Access",
@@ -22763,8 +20410,8 @@
 "guid": "35ac9322-23e1-4380-8523-081a94174158",
 "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits",
 "services": [
- "Arc",
 "Entra",
+ "Arc",
 "Subscriptions"
 ],
 "severity": "High",
@@ -22779,9 +20426,9 @@
 "guid": "33ee7ad6-c6d3-4733-865c-7acbe44bbe60",
 "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions",
 "services": [
+ "Entra",
 "RBAC",
- "Arc",
- "Entra"
+ "Arc"
 ],
 "severity": "Medium",
 "subcategory": "Requirements",
@@ -22795,9 +20442,9 @@
 "guid": "9d79f2e8-7778-4424-a516-775c6fa95b96",
 "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale",
 "services": [
+ "Entra",
 "RBAC",
- "Arc",
- "Entra"
+ "Arc"
 ],
 "severity": "Medium",
 "subcategory": "Security",
@@ -22811,9 +20458,9 @@
 "guid": "ad88408e-3727-434b-a76b-a28f21459013",
 "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale",
 "services": [
+ "Entra",
 "RBAC",
- "Arc",
- "Entra"
+ "Arc"
 ],
 "severity": "Medium",
 "subcategory": "Security",
@@ -22827,9 +20474,9 @@
 "guid": "65d38e53-f9cc-4bd8-9826-6abca264f9a1",
 "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions",
 "services": [
+ "Entra",
 "RBAC",
- "Arc",
- "Entra"
+ "Arc"
 ],
 "severity": "Medium",
 "subcategory": "Security",
@@ -22955,654 +20602,1104 @@
 "waf": "Operations"
 },
 {
- "category": "Management and Monitoring",
- "checklist": "Azure Arc Review",
- "guid": "89c93555-6d02-4bfe-9564-b0d834a34872",
- "link": "https://learn.microsoft.com/azure/azure-arc/servers/learn/tutorial-enable-vm-insights",
+ "category": "Management and Monitoring",
+ "checklist": "Azure Arc Review",
+ "guid": "89c93555-6d02-4bfe-9564-b0d834a34872",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/learn/tutorial-enable-vm-insights",
+ "services": [
+ "Arc",
+ "Monitor"
+ ],
+ "severity": "Medium",
+ "subcategory": "Monitoring",
+ "text": "Use Azure Monitor for compliance and operational monitoring",
+ "waf": "Operations"
+ },
+ {
+ "category": "Management and Monitoring",
+ "checklist": "Azure Arc Review",
+ "guid": "5df47d2d-9288-41b1-ad5d-1e54a29659e3",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate",
+ "services": [
+ "Arc",
+ "Monitor"
+ ],
+ "severity": "Medium",
+ "subcategory": "Monitoring",
+ "text": "Create an alert to identify Azure Arc-enabled servers that aren't using the latest version of the Azure connected machine agent",
+ "waf": "Operations"
+ },
+ {
+ "category": "Management and Monitoring",
+ "checklist": "Azure Arc Review",
+ "description": "Use Update Management in Azure Automation or the new Update Management Center (preview) functionality to ensure update management of servers",
+ "guid": "ae2cc84c-37b6-4b78-8cba-fe6c46589d45",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-update-management",
+ "services": [
+ "Arc",
+ "Monitor"
+ ],
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "Use Azure Arc-enabled servers to control software updates deployments to servers",
+ "waf": "Operations"
+ },
+ {
+ "category": "Networking",
+ "checklist": "Azure Arc Review",
+ "description": "The Connected Machine Agent will by default communicate 
with Azure services over public Internet connectivity using HTTPS (TCP port 443)",
+ "guid": "f6e043d2-aa35-4927-88e6-e2050725769e",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#details",
+ "services": [
+ "Arc"
+ ],
+ "severity": "High",
+ "subcategory": "Networking",
+ "text": "Define a connectivity method from the server to Azure",
+ "waf": "Operations"
+ },
+ {
+ "category": "Networking",
+ "checklist": "Azure Arc Review",
+ "description": "The Connected Machine Agent can be configured to use a proxy server, it is recommended to define the proxy server address using 'azcmagent config set proxy.url' command on the local system.",
+ "guid": "46691e88-35ac-4932-823e-13800523081a",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#update-or-remove-proxy-settings",
+ "services": [
+ "Arc"
+ ],
+ "severity": "Medium",
+ "subcategory": "Networking",
+ "text": "Is a proxy server a required for communication over the Public Internet",
+ "waf": "Operations"
+ },
+ {
+ "category": "Networking",
+ "checklist": "Azure Arc Review",
+ "description": "The Connected Machine Agent can use a Private Link for communication with Azure Services over an existing ExpressRoute or VPN connection",
+ "guid": "94174158-33ee-47ad-9c6d-3733165c7acb",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/private-link-security",
+ "services": [
+ "VPN",
+ "Arc",
+ "PrivateLink",
+ "ExpressRoute"
+ ],
+ "severity": "Medium",
+ "subcategory": "Networking",
+ "text": "Is a private (not public Internet) connection required?",
+ "waf": "Operations"
+ },
+ {
+ "category": "Networking",
+ "checklist": "Azure Arc Review",
+ "description": "Firewall configuration might be required for the agent to communicate with Azure, use the link to see ServiceTags and/or URL's required",
+ "guid": "e44bbe60-9d79-4f2e-a777-8424c516775c",
+ "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#service-tags",
+ "services": [
+ "Arc"
+ ],
+ "severity": "High",
+ "subcategory": "Networking",
+ "text": "Will Firewall configurations be needed in order to ensure communication with Azure Services?",
+ "waf": "Security"
+ },
+ {
+ "category": "Networking",
+ "checklist": "Azure Arc Review",
+ "description": "Use available automation tool for the system in question to regularly update the Azure endpoints",
+ "guid": "6fa95b96-ad88-4408-b372-734b876ba28f",
+ "link": "https://www.microsoft.com/download/details.aspx?id=56519",
+ "services": [
+ "Arc"
+ ],
+ "severity": "Low",
+ "subcategory": "Networking",
+ "text": "Can the Firewall or Proxy rules be automated updated if Service Tags or IP addresses change",
+ "waf": "Security"
+ },
+ {
+ "category": "Networking",
+ "checklist": "Azure Arc Review",
+ "description": "Configure Servers to use Transport Layer Security (TLS) version 1.2",
+ "guid": "21459013-65d3-48e5-9f9c-cbd868266abc",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#transport-layer-security-12-protocol",
+ "services": [
+ "Arc"
+ ],
+ "severity": "High",
+ "subcategory": "Networking",
+ "text": "Always use secure communication for Azure where possible",
+ "waf": "Security"
+ },
+ {
+ "category": "Networking",
+ "checklist": "Azure Arc Review",
+ "description": "All extensions (like log analytics etc.) 
have separate network requirements, be sure to include all in the network design.",
+ "guid": "a264f9a1-9bf3-49d9-9d44-c7c8919ca1f6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method",
+ "services": [
+ "PrivateLink",
+ "Arc",
+ "Monitor"
+ ],
+ "severity": "Low",
+ "subcategory": "Networking",
+ "text": "Include communication for Azure Arc-enabled Servers extensions in the design (firewall/proxy/private link)",
+ "waf": "Security"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Arc Review",
+ "guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c",
+ "link": "https://learn.microsoft.com/azure/governance/policy/",
+ "services": [
+ "Arc",
+ "AzurePolicy"
+ ],
+ "severity": "Medium",
+ "subcategory": "Management",
+ "text": "Use Azure Policy to implement a governance model for hybrid connected servers",
+ "waf": "Security"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Arc Review",
+ "guid": "5c2a3649-4b69-4bad-98aa-d53cc78e1d76",
+ "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
+ "services": [
+ "Arc"
+ ],
+ "severity": "Medium",
+ "subcategory": "Management",
+ "text": "Consider using Machine configurations for in guest OS configurations",
+ "waf": "Operations"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Arc Review",
+ "guid": "667357c4-4967-44c5-bd85-b859c7733be2",
+ "link": "https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create",
+ "services": [
+ "Arc",
+ "AzurePolicy"
+ ],
+ "severity": "Medium",
+ "subcategory": "Management",
+ "text": "Evaluate the need for custom Guest Configuration policies",
+ "waf": "Operations"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Arc Review",
+ "guid": 
"49674c5e-d85b-4859-a773-3be2a1a27b77",
+ "link": "https://learn.microsoft.com/azure/automation/change-tracking/overview",
+ "services": [
+ "Arc",
+ "Monitor"
+ ],
+ "severity": "Medium",
+ "subcategory": "Monitoring",
+ "text": "Consider using change tracking for tracking changes made on the servers",
+ "waf": "Operations"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Arc Review",
+ "guid": "d5d1e54a-2965-49e3-a58f-d78289c93555",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/data-residency",
+ "services": [
+ "Arc"
+ ],
+ "severity": "Medium",
+ "subcategory": "Requirements",
+ "text": "Make sure to use an Azure region for storing the metadata approved by the organization",
+ "waf": "Security"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Arc Review",
+ "guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts",
+ "services": [
+ "AKV",
+ "Arc"
+ ],
+ "severity": "Medium",
+ "subcategory": "Secrets",
+ "text": "Use Azure Key Vault for certificate management on servers",
+ "waf": "Security"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Arc Review",
+ "description": "Consider using a short-lived Azure AD service principal client secrets.",
+ "guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b",
+ "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret",
+ "services": [
+ "Entra",
+ "AKV",
+ "Arc",
+ "Storage"
+ ],
+ "severity": "High",
+ "subcategory": "Secrets",
+ "text": "What is the acceptable life time of the secret used by SP's",
+ "waf": "Security"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Arc Review",
+ "description": "A private key is saved to the disk, ensure this is protected using disk encryption",
+ "guid": 
"a1a27b77-5a91-4be1-b388-ff394c2bd463",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption",
+ "services": [
+ "AKV",
+ "Arc"
+ ],
+ "severity": "Medium",
+ "subcategory": "Secrets",
+ "text": "Secure the public key for Azure Arc-enabled Servers",
+ "waf": "Security"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Arc Review",
+ "description": "Local administrator is required to install the Connected Machine Agent on Windows and Linux systems",
+ "guid": "29659e39-58fd-4782-a9c9-35556d02bfe4",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-portal#install-manually",
+ "services": [
+ "Arc"
+ ],
+ "severity": "High",
+ "subcategory": "Security",
+ "text": "Ensure there is local administrator access for executing the agent installation",
+ "waf": "Security"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Arc Review",
+ "description": "Members of the local administrator group on Windows and users with root privileges on Linux, have permissions to manage the agent via command line.",
+ "guid": "564b0d83-4a34-4872-9ee7-9d6b5c2a3649",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#agent-security-and-permissions",
+ "services": [
+ "Arc"
+ ],
+ "severity": "Medium",
+ "subcategory": "Security",
+ "text": "Limit the amount of users with local administrator rights to the servers",
+ "waf": "Security"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Arc Review",
+ "guid": "4b69bad3-8aad-453c-a78e-1d76667357c4",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication",
+ "services": [
+ "Entra",
+ "Arc"
+ ],
+ "severity": "Medium",
+ "subcategory": "Security",
+ "text": "Consider using and restricting access to managed identities for applications.",
+ "waf": "Security"
+ },
+ {
+ "category": "Security, Governance and 
Compliance", + "checklist": "Azure Arc Review", + "description": "Use Defender for Endpoint or another AV and EDR solution to protect endpoints", + "guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", + "services": [ + "Arc", + "Defender" + ], + "severity": "Medium", + "subcategory": "Security", + "text": "Enable Defender for Servers for all servers to secure hybrid workloads from threats", + "waf": "Security" + }, + { + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "cbafe6c4-6589-4d45-9a92-7c3974d1102c", + "services": [ + "Arc" + ], + "severity": "Medium", + "subcategory": "Security", + "text": "Define controls to detect security misconfigurations and track compliance", + "waf": "Security" + }, + { + "category": "Security, Governance and Compliance", + "checklist": "Azure Arc Review", + "guid": "cbbbc868-195a-4bb9-8a4e-d90dae2cc84c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#extension-allowlists-and-blocklists", + "services": [ + "Arc" + ], + "severity": "Medium", + "subcategory": "Security", + "text": "Use allow- or block-lists to control what extensions can be installed on the Azure Arc-enabled servers", + "waf": "Security" + }, + { + "category": "BCDR", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Ensure that your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality. For regular Azure service backup, backup data is automatically encrypted using Azure platform-managed keys. You can also choose to encrypt the backup using a customer-managed key. 
In this case, ensure this customer-managed key in the key vault is also in the backup scope.", + "guid": "676f6951-0368-49e9-808d-c33a692c9a64", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-2-encrypt-backup-data", + "services": [ + "AKV", + "Backup", + "SQL" + ], + "severity": "Medium", + "subcategory": "Azure Key Vault", + "text": "Protect your backup data with encryption and store keys safely in Azure Key Vault", + "waf": "Security" + }, + { + "category": "BCDR", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQL Database uses SQL Server technology to create full backups every week, differential backup every 12-24 hours, and transaction log backup every 5 to 10 minutes. By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region.", + "guid": "e2518261-b3bc-4bd1-b331-637fb2df833f", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-1-ensure-regular-automated-backups", + "services": [ + "Backup", + "SQL", + "Storage" + ], + "severity": "Medium", + "subcategory": "Backup", + "text": "Configure Azure SQL Database automated backups", + "waf": "Security" + }, + { + "category": "BCDR", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region. 
For SQL Database, the backup storage redundancy can be configured at the time of database creation or can be updated for an existing database; the changes made to an existing database apply to future backups only.", + "guid": "f8c7cda2-3ed7-43fb-a100-85dcd12a0ee4", + "link": "https://learn.microsoft.com/azure/azure-sql/database/automated-backups-overview?tabs=single-database&view=azuresql#backup-storage-redundancy", + "services": [ + "Backup", + "Storage", + "SQL" + ], + "severity": "Low", + "subcategory": "Backup", + "text": "Enable geo-redundant backup storage to protect against single region failure and data loss", + "waf": "Security" + }, + { + "category": "Code", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Malicious code can potentially circumvent security controls. Before deploying custom code to production, it is essential to review what's being deployed. Use a database tool like Azure Data Studio that supports source control. Implement tools and logic for code analysis, vulnerability and credential scanning.", + "guid": "7ca9f006-d2a9-4652-951c-de8e4ac5e76e", + "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", + "services": [ + "SQL" + ], + "severity": "Medium", + "subcategory": "Source Control and Code Review", + "text": "Use Source Control systems to store, maintain and review application code deployed inside Azure SQLDB Database", + "waf": "Security" + }, + { + "category": "Data Discovery and Classification", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "In case of classification requirements Purview is the preferred option. Only use SQL Data Discovery & Classification in case Purview is not an option. Discover columns that potentially contain sensitive data. What is considered sensitive data heavily depends on the customer, compliance regulation, etc., and needs to be evaluated by the users in charge of that data. 
Classify the columns to use advanced sensitivity-based auditing and protection scenarios. Review results of automated discovery and finalize the classification if necessary.", + "guid": "d401509b-2629-4484-9a7f-af0d29a7778f", + "link": "https://learn.microsoft.com/azure/azure-sql/database/data-discovery-and-classification-overview?view=azuresql#faq---advanced-classification-capabilities", + "services": [ + "SQL" + ], + "severity": "Low", + "subcategory": "Data Discovery and Classification", + "text": "Plan and configure Data Discovery & Classification to protect the sensitive data", + "waf": "Security" + }, + { + "category": "Data Masking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Usage of this feature is recommended only if column encryption is not an option and there is a specific requirement to preserve data types and formats. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer.", + "guid": "9391fd50-135e-453e-90a7-c1a23f88cc13", + "link": "https://learn.microsoft.com/azure/azure-sql/database/dynamic-data-masking-overview", + "services": [ + "SQL" + ], + "severity": "Low", + "subcategory": "Data Masking", + "text": "Use Data Masking to prevent unauthorized non-admin users data access if no encryption is possible", + "waf": "Security" + }, + { + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "SQL Advanced Threat Detection (ATP) provides a layer of security that detects potential vulnerabilities and anomalous activity in databases such as SQL injection attacks and unusual behavior patterns. 
When a potential threat is detected Threat Detection sends an actionable real-time alert by email and in Microsoft Defender for Cloud, which includes clear investigation and remediation steps for the specific threat.", + "guid": "4e52d73f-5d37-428f-b3a2-e6997e835979", + "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", + "services": [ + "EventHubs", + "SQL", + "Defender" + ], + "severity": "High", + "subcategory": "Advanced Threat Protection", + "text": "Review and complete Advanced Threat Protection (ATP) configuration", + "waf": "Security" + }, + { + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Enable Microsoft Defender for Azure SQL at the subscription level to automatically onboard and protect all existing and future servers and databases. When you enable on the subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected. You can then disable them individually if you choose. If you want to manually manage which databases are protected, disable at the subscription level and enable each database that you want protected.", + "guid": "dff87489-9edb-4cef-bdda-86e8212b2aa1", + "link": "https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql?view=azuresql#enable-microsoft-defender-for-sql ", + "services": [ + "Subscriptions", + "SQL", + "Defender" + ], + "severity": "High", + "subcategory": "Defender for Azure SQL", + "text": "Enable Microsoft Defender for Azure SQL", + "waf": "Security" + }, + { + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Microsoft Defender for Azure SQL ATP detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
Alerts can be configured and generated and will be reported in the Defender for console.", + "guid": "ca342fdf-d25a-4427-b105-fcd50ff8a0ea", + "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", + "services": [ + "SQL", + "Defender", + "Monitor" + ], + "severity": "High", + "subcategory": "Defender for Azure SQL", + "text": "Prepare a security response plan to promptly react to Microsoft Defender for Azure SQL alerts", + "waf": "Security" + }, + { + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQLDB vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. It can help you to monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.", + "guid": "a6101ae7-534c-45ab-86fd-b34c55ea21ca", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview", + "services": [ + "SQL", + "Defender", + "Monitor" + ], + "severity": "High", + "subcategory": "Vulnerability Assessment", + "text": "Configure Vulnerability Assessment (VA) findings and review recommendations", + "waf": "Security" + }, + { + "category": "Defender", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL Databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. 
You can use the findings to remediate software vulnerabilities and disable findings.", + "guid": "c8c5f112-1e50-4f77-9264-8195b4cd61ac", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-find?view=azuresql", "services": [ - "Arc", - "Monitor" + "SQL", + "Defender" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Use Azure Monitor for compliance and operational monitoring", - "waf": "Operations" + "severity": "High", + "subcategory": "Vulnerability Assessment", + "text": "Regularly review of Vulnerability Assessment (VA) findings and recommendations and prepare a plan to fix", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "guid": "5df47d2d-9288-41b1-ad5d-1e54a29659e3", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Always Encrypted with Secure Enclaves expands confidential computing capabilities of Always Encrypted by enabling in-place encryption and richer confidential queries. Always Encrypted with Secure Enclaves addresses these limitations by allowing some computations on plaintext data inside a secure enclave on the server side. 
Usage of this feature is recommended for the cases where you need to limit administrator access and need your queries to support more than equality matching of encrypted columns.", + "guid": "65d7e54a-10a6-4094-b673-9ff3809c9277", + "link": "https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves", "services": [ - "Arc", - "Monitor" + "SQL" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Create an alert to identify Azure Arc-enabled servers that aren't using the latest version of the Azure connected machine agent", - "waf": "Operations" + "subcategory": "Always Encrypted", + "text": "If protecting sensitive PII data from admin users is a key requirement, but Column Encryption limitations cannot be tolerated, consider the adoption of Always Encrypted with Secure Enclaves", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Arc Review", - "description": "Use Update Management in Azure Automation or the new Update Management Center (preview) functionality to ensure update management of servers", - "guid": "ae2cc84c-37b6-4b78-8cba-fe6c46589d45", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-update-management", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "With Azure SQL Database, you can apply symmetric encryption to a column of data by using Transact-SQL. This approach is called column encryption, because you can use it to encrypt specific columns with different encryption keys. Doing so gives you more granular encryption capability than TDE, which encrypts data in pages. Using Always Encrypted to ensure sensitive data isn't exposed in plaintext in Azure SQL Database or SQL Managed Instance, even in memory/in use. 
Always Encrypted protects the data from Database Administrators (DBAs) and cloud admins (or bad actors who can impersonate high-privileged but unauthorized users) and gives you more control over who can access your data.", + "guid": "c03ce136-e3d5-4e17-bf25-ed955ee480d3", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#control-access-of-application-users-to-sensitive-data-through-encryption", "services": [ - "Arc", - "Monitor" + "AKV", + "Storage", + "SQL" ], "severity": "Low", - "subcategory": "Security", - "text": "Use Azure Arc-enabled servers to control software updates deployments to servers", - "waf": "Operations" + "subcategory": "Column Encryption", + "text": "To protect sensitive PII data from non-admin users in specific table columns, consider using Column Encryption", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "The Connected Machine Agent will by default communicate with Azure services over public Internet connectivity using HTTPS (TCP port 443)", - "guid": "f6e043d2-aa35-4927-88e6-e2050725769e", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#details", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Enabled by default, Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application.", + "guid": "c614ac47-bebf-4061-b0a1-43e0c6b5e00d", + "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", "services": [ - "Arc" + "Backup", + "Storage", + "SQL" ], "severity": "High", - "subcategory": "Networking", - "text": "Define a connectivity method from the server to Azure", - "waf": 
"Operations" + "subcategory": "Transparent Data Encryption", + "text": "Ensure Transparent Data Encryption (TDE) is kept enabled", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "The Connected Machine Agent can be configured to use a proxy server, it is recommended to define the proxy server address using 'azcmagent config set proxy.url' command on the local system.", - "guid": "46691e88-35ac-4932-823e-13800523081a", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#update-or-remove-proxy-settings", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "If separation of duties in the management of keys and data within the organization is required, leverage Customer Managed Keys (CMK) for Transparent Data Encryption (TDE) for your Azure SQLDB and use Azure Key Vault to store (refer to its checklist). Leverage this feature when you have strict security requirements which cannot be met by the managed service keys.", + "guid": "2edb4165-4f54-47cc-a891-5c82c2f21e25", + "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-overview", "services": [ - "Arc" + "AKV", + "SQL" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Is a proxy server a required for communication over the Public Internet", - "waf": "Operations" + "subcategory": "Transparent Data Encryption", + "text": "Use customer-managed keys (CMK) in Azure Key Vault (AKV) if you need increased transparency and granular control over the TDE protection", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "The Connected Machine Agent can use a Private Link for communication with Azure Services over an existing ExpressRoute or VPN connection", - "guid": "94174158-33ee-47ad-9c6d-3733165c7acb", - "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/private-link-security", + "category": "Encryption", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The minimal Transport Layer Security (TLS) version setting allows customers to choose which version of TLS their SQL database uses. It's possible to change the minimum TLS version by using the Azure portal, Azure PowerShell, and the Azure CLI.", + "guid": "7754b605-57fd-4bcb-8213-52c39d8e8225", + "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?source=recommendations&view=azuresql&tabs=azure-portal#minimal-tls-version", "services": [ - "VPN", - "Arc", - "ExpressRoute", - "PrivateLink" + "SQL" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Is a private (not public Internet) connection required?", - "waf": "Operations" + "severity": "High", + "subcategory": "Transport Layer Security", + "text": "Enforce minimum TLS version to the latest available", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "Firewall configuration might be required for the agent to communicate with Azure, use the link to see ServiceTags and/or URL's required", - "guid": "e44bbe60-9d79-4f2e-a777-8424c516775c", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#service-tags", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Use Azure Active Directory (Azure AD) authentication for centralized identity management. 
Use SQL Authentication only if really necessary and document as exceptions.", + "guid": "c9b8b6bf-2c6b-453d-b400-de9a43a549d7", + "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-overview", "services": [ - "Arc" + "Entra", + "SQL" ], - "severity": "High", - "subcategory": "Networking", - "text": "Will Firewall configurations be needed in order to ensure communication with Azure Services?", + "severity": "Medium", + "subcategory": "Azure Active Directory", + "text": "Leverage Azure AD authentication for connections to Azure SQL Databases", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "Use available automation tool for the system in question to regularly update the Azure endpoints", - "guid": "6fa95b96-ad88-4408-b372-734b876ba28f", - "link": "https://www.microsoft.com/download/details.aspx?id=56519", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Using Azure AD groups simplifies permission management and both the group owner, and the resource owner can add/remove members to/from the group. Create a separate group for Azure AD administrators for each logical server. 
Monitor Azure AD group membership changes using Azure AD audit activity reports.", + "guid": "29820254-1d14-4778-ae90-ff4aeba504a3", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#central-management-for-identities", "services": [ - "Arc" + "Entra", + "SQL", + "Monitor" ], - "severity": "Low", - "subcategory": "Networking", - "text": "Can the Firewall or Proxy rules be automated updated if Service Tags or IP addresses change", + "severity": "Medium", + "subcategory": "Azure Active Directory", + "text": "Create a separate Azure AD group with two admin accounts for each Azure SQL Database logical server", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": "Configure Servers to use Transport Layer Security (TLS) version 1.2", - "guid": "21459013-65d3-48e5-9f9c-cbd868266abc", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#transport-layer-security-12-protocol", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Ensure that distinct system and user assigned managed identities, that are dedicated to the function, with least permissions assigned, are used for communication from Azure services and applications to the Azure SQLDB databases.", + "guid": "df3a09ee-03bb-4198-8637-d141acf5f289", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#minimize-the-use-of-password-based-authentication-for-applications", "services": [ - "Arc" + "Entra", + "SQL" ], - "severity": "High", - "subcategory": "Networking", - "text": "Always use secure communication for Azure where possible", + "severity": "Medium", + "subcategory": "Azure Active Directory", + "text": "Minimize the use of password-based authentication for applications", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Arc Review", - "description": 
"All extensions (like log analytics etc.) have separate network requirements, be sure to include all in the network design.", - "guid": "a264f9a1-9bf3-49d9-9d44-c7c8919ca1f6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "System or User assigned managed identities enable Azure SQLDB to authenticate to other cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based-access-control to the specific Azure SQLDB instance. Do not share user assigned managed identities across multiple services if not strictly required.", + "guid": "69891194-5074-4e30-8f69-4efc3c580900", + "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", "services": [ - "Arc", - "Monitor", - "PrivateLink" + "Entra", + "AKV", + "SQL", + "RBAC", + "ACR" ], "severity": "Low", - "subcategory": "Networking", - "text": "Include communication for Azure Arc-enabled Servers extensions in the design (firewall/proxy/private link)", + "subcategory": "Managed Identities", + "text": "Assign Azure SQL Database a managed identity for outbound resource access", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c", - "link": "https://learn.microsoft.com/azure/governance/policy/", + "category": "Identity", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Use an Azure AD integrated authentication that eliminates the use of passwords. Password-based authentication methods are a weaker form of authentication. Credentials can be compromised or mistakenly given away. 
Use single sign-on authentication using Windows credentials. Federate the on-premises AD domain with Azure AD and use integrated Windows authentication (for domain-joined machines with Azure AD).", + "guid": "88287d4a-8bb8-4640-ad78-03f51354d003", + "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#active-directory-integrated-authentication", "services": [ - "Arc", - "AzurePolicy" + "Entra", + "SQL" ], "severity": "Medium", - "subcategory": "Management", - "text": "Use Azure Policy to implement a governance model for hybrid connected servers", + "subcategory": "Passwords", + "text": "Minimize the use of password-based authentication for users", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "5c2a3649-4b69-4bad-98aa-d53cc78e1d76", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Confidential Ledger is one of the supported store, it can be used and supports automatic generation and storage of database digests. Azure Ledger provides advanced security features like Blockchain Ledger Proof and Confidential Hardware Enclaves. 
Use it only if advanced security features are required, otherwise revert to Azure storage.", + "guid": "0e853380-50ba-4bce-b2fd-5c7391c85ecc", + "link": "https://learn.microsoft.com/azure/architecture/guide/technology-choices/multiparty-computing-service#confidential-ledger-and-azure-blob-storage", "services": [ - "Arc" + "Storage", + "SQL" ], "severity": "Medium", - "subcategory": "Management", - "text": "Consider using Machine configurations for in guest OS configurations", - "waf": "Operations" + "subcategory": "Database Digest", + "text": "Use Azure Confidential Ledger to store database digests only if advanced security features are required", + "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "667357c4-4967-44c5-bd85-b859c7733be2", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Blob Storage with Immutable Storage feature can be used and supports automatic generation and storage of database digests. 
To prevent tampering of your digest files, configure and lock a retention policy for your container.", + "guid": "afefb2d3-95da-4ac9-acf5-33d18b32ef9a", + "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-digest-management", "services": [ - "Arc", + "Storage", + "SQL", "AzurePolicy" ], "severity": "Medium", - "subcategory": "Management", - "text": "Evaluate the need for custom Guest Configuration policies", - "waf": "Operations" + "subcategory": "Database Digest", + "text": "If Azure storage account is used to store database digests, ensure security is properly configured", + "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "49674c5e-d85b-4859-a773-3be2a1a27b77", - "link": "https://learn.microsoft.com/azure/automation/change-tracking/overview", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Ledger provides a form of data integrity called forward integrity, which provides evidence of data tampering on data in your ledger tables. The database verification process takes as input one or more previously generated database digests. It then recomputes the hashes stored in the database ledger based on the current state of the ledger tables. If the computed hashes don't match the input digests, the verification fails. The failure indicates that the data has been tampered with. 
The verification process reports all inconsistencies that it detects.", + "guid": "f8d4ffda-8aac-4cc6-b72b-c81cb8625420", + "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-database-verification", "services": [ - "Arc", - "Monitor" + "Storage", + "SQL" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Consider using change tracking for tracking changes made on the servers", - "waf": "Operations" + "subcategory": "Integrity", + "text": "Schedule the Ledger verification process regularly to verify data integrity", + "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "d5d1e54a-2965-49e3-a58f-d78289c93555", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/data-residency", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The Ledger feature provides tamper-evidence capabilities in your database. You can cryptographically attest to other parties, such as auditors or other business parties, that your data hasn't been tampered with. 
Ledger helps protect data from any attacker or high-privileged user, including database administrators (DBAs), system administrators, and cloud administrators.", + "guid": "2563f498-e2d3-42ea-9e7b-5517881a06a2", + "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-overview", "services": [ - "Arc" + "SQL" ], "severity": "Medium", - "subcategory": "Requirements", - "text": "Make sure to use an Azure region for storing the metadata approved by the organization", + "subcategory": "Ledger", + "text": "If cryptographic proof of data integrity is a critical requirement, Ledger feature should be considered", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780", - "link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts", + "category": "Ledger", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Depending on the type of tampering, there are cases where you can repair the ledger without losing data. 
In the article contained in the --More Info-- column, different scenarios and recovery techniques are described.", + "guid": "804fc554-6554-4842-91c1-713b32f99902", + "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-how-to-recover-after-tampering", "services": [ - "Arc", - "AKV" + "SQL" ], "severity": "Medium", - "subcategory": "Secrets", - "text": "Use Azure Key Vault for certificate management on servers", + "subcategory": "Recovery", + "text": "Prepare a response plan to investigate and repair a database after a tampering event", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "Consider using a short-lived Azure AD service principal client secrets.", - "guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b", - "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. Auditing helps you understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations as well as helps you meet regulatory compliance. By default auditing policy includes all actions (queries, stored procedures and successful and failed logins) against the databases, which may result in high volume of audit logs. 
It's recommended for customers to configure auditing for different types of actions and action groups using PowerShell.", + "guid": "4082e31d-35f4-4a49-8507-d3172cc930a6", + "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ - "Arc", "Storage", - "AKV", - "Entra" + "SQL", + "AzurePolicy" ], - "severity": "High", - "subcategory": "Secrets", - "text": "What is the acceptable life time of the secret used by SP's", + "severity": "Medium", + "subcategory": "Auditing", + "text": "Ensure that Azure SQL Database Auditing is enabled at the server level", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "A private key is saved to the disk, ensure this is protected using disk encryption", - "guid": "a1a27b77-5a91-4be1-b388-ff394c2bd463", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQL Database Auditing logs can be written to external storage accounts, Log Analytics workspace or Event Hub. Be sure to protect the target repository using backups and secured configuration. Use Azure SQL Database Managed Identity to access the storage and set an explicit retention period. Do not grant permissions to administrators to the audit log repository. Use a different target storage for --Enabling Auditing of Microsoft support operations--. 
", + "guid": "9b64bc50-b60f-4035-bf7a-28c4806dfb46", + "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ - "Arc", - "AKV" + "Entra", + "Backup", + "Storage", + "SQL", + "Monitor", + "EventHubs" ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "Secure the public key for Azure Arc-enabled Servers", + "severity": "Low", + "subcategory": "Auditing", + "text": "Ensure that Azure SQL Database Auditing logs are backed up and secured in the selected repository type", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "Local administrator is required to install the Connected Machine Agent on Windows and Linux systems", - "guid": "29659e39-58fd-4782-a9c9-35556d02bfe4", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-portal#install-manually", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified. 
It is recommended to send this activity log to the same external storage repository as the Azure SQL Database Audit Log (storage account, Log Analytics workspace, Event Hub).", + "guid": "fcd34708-87ac-4efc-aaf6-57a47f76644a", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ - "Arc" + "Storage", + "SQL", + "Subscriptions", + "Monitor", + "EventHubs" ], - "severity": "High", - "subcategory": "Security", - "text": "Ensure there is local administrator access for executing the agent installation", + "severity": "Medium", + "subcategory": "Auditing", + "text": "Ensure that Azure SQL Database Activity Log is collected and integrated with Auditing logs", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "Members of the local administrator group on Windows and users with root privileges on Linux, have permissions to manage the agent via command line.", - "guid": "564b0d83-4a34-4872-9ee7-9d6b5c2a3649", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#agent-security-and-permissions", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR). Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.", + "guid": "f96e127e-9572-453a-b325-ff89ae9f6b44", + "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ - "Arc" + "SQL", + "Monitor" ], "severity": "Medium", - "subcategory": "Security", - "text": "Limit the amount of users with local administrator rights to the servers", + "subcategory": "SIEM/SOAR", + "text": "Ensure that Azure SQL Database Auditing logs are being presented in to your organizations SIEM/SOAR", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "4b69bad3-8aad-453c-a78e-1d76667357c4", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR), which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.", + "guid": "41503bf8-73da-4a10-af9f-5f7fceb5456f", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ - "Arc", - "Entra" + "SQL", + "Monitor" ], "severity": "Medium", - "subcategory": "Security", - "text": "Consider using and restricting access to managed identities for applications.", + "subcategory": "SIEM/SOAR", + "text": "Ensure that Azure SQL Database Activity Log data is presented in to your SIEM/SOAR", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "description": "Use Defender for Endpoint or another AV and EDR solution to protect endpoints", - "guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868", - "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", + "category": "Logging", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Security Operation Center (SOC) team should create an incident response plan (playbooks or manual responses) to investigate and mitigate tampering, malicious activities, and other anomalous behaviors.", + "guid": "19ec7c97-c563-4e1d-82f0-54d6ec12e754", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ - "Arc", - "Defender" + "EventHubs", + "SQL" ], "severity": "Medium", - "subcategory": "Security", - "text": "Enable Defender for Servers for all servers to secure hybrid workloads from threats", + "subcategory": "SIEM/SOAR", + "text": "Ensure that you have response plans for malicious or aberrant audit logging events", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "cbafe6c4-6589-4d45-9a92-7c3974d1102c", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "When you create a logical server from the Azure portal for Azure SQL Database, the 
result is a public endpoint that is visible and reachable over the public network (Public Access). You can then limit connectivity based on firewall rules and Service Endpoint. You can also configure private connectivity only limiting connections to internal networks using Private Endpoint (Private Access). Private Access using Private Endpoint should be the default unless a business case or performance/technical reason applies that cannot support it. Usage of Private Endpoints has performance implications that need to be considered and assessed.", + "guid": "2c6d356a-1784-475b-a42c-ec187dc8c925", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", "services": [ - "Arc" + "PrivateLink", + "SQL" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Define controls to detect security misconfigurations and track compliance", + "severity": "High", + "subcategory": "Connectivity", + "text": "Review Public vs. Private Access connectivity methods and select the appropriate one for the workload", "waf": "Security" }, { - "category": "Security, Governance and Compliance", - "checklist": "Azure Arc Review", - "guid": "cbbbc868-195a-4bb9-8a4e-d90dae2cc84c", - "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#extension-allowlists-and-blocklists", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "IMPORTANT: Connections to private endpoint only support Proxy as the connection policy. When using private endpoints connections are proxied via the Azure SQL Database gateway to the database nodes. 
Clients will not have a direct connection.", + "guid": "557b3ce5-bada-4296-8d52-a2d447bc1718", + "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-architecture", "services": [ - "Arc" + "PrivateLink", + "SQL", + "AzurePolicy" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Use allow- or block-lists to control what extensions can be installed on the Azure Arc-enabled servers", + "severity": "Low", + "subcategory": "Connectivity", + "text": "Keep default Azure SQL Database Connection Policy if not differently required and justified", "waf": "Security" }, { - "category": "Operations Management", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. If you select this option, make sure that your login and user permissions limit access to authorized users only. 
If not strictly required, keep this setting to OFF.", + "guid": "f48efacf-4405-4e8d-9dd0-16c5302ed082", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", "services": [ - "SQL" + "SQL", + "Subscriptions" ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage Flexible Server", - "waf": "Reliability" + "severity": "High", + "subcategory": "Connectivity", + "text": "Ensure Allow Azure Services and Resources to Access this Server setting is disabled in Azure SQL Database firewall", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure SQL Database has a new built-in feature that allows native integration with external REST endpoints. This means that integration of Azure SQL Database with Azure Functions, Azure Logic Apps, Cognitive Services, Event Hubs, Event Grid, Azure Containers, API Management and in general any REST or even GraphQL endpoint. If not properly restricted, code inside an Azure SQL Database database could leverage this mechanism to exfiltrate data. 
If not strictly required, it is recommended to block or restrict this feature using Outbound Firewall Rules.", + "guid": "cb3274a7-e36d-46f6-8de5-46d30c8dde8e", + "link": "https://learn.microsoft.com/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql", "services": [ - "SQL" + "EventHubs", + "SQL", + "APIM" ], - "severity": "High", - "subcategory": "Best Practices", - "text": "Leverage Availability Zones where regionally applicable", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Outbound Control", + "text": "Block or restrict outbound REST API calls to external endpoints", + "waf": "Security" }, - { - "category": "Operations Management", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", + { + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Outbound firewall rules limit network traffic from the Azure SQL Database logical server to a customer defined list of Azure Storage accounts and Azure SQL Database logical servers. 
Any attempt to access storage accounts or databases not in this list is denied.", + "guid": "a566dd3d-314e-4a94-9378-102c42d82b38", + "link": "https://learn.microsoft.com/azure/azure-sql/database/outbound-firewall-rule-overview", "services": [ + "Storage", "SQL" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage Data-in replication for cross-region DR scenarios", - "waf": "Reliability" + "subcategory": "Outbound Control", + "text": "If outbound network access is required, it is recommended to configure outbound networking restrictions using built-in Azure SQL Database control feature", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", - "guid": "ba7da7be-9951-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", - "service": "Azure Data Explorer", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Private Endpoint is created inside a subnet in an Azure Virtual Network. 
Proper security configuration must be applied also to the containing network environment, including NSG/ASG, UDR, firewall, monitoring and auditing.", + "guid": "246cd832-f550-4af0-9c74-ca9baeeb8860", + "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server", "services": [ - "Cost", - "Storage" + "PrivateLink", + "SQL", + "Monitor", + "VNet", + "Firewall" ], - "subcategory": "Replication", - "text": "Leverage External Tables and Continuous data export overview to reduce costs", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Private Access", + "text": "If Private Access connectivity is used, ensure that you are using the Private Endpoint, Azure Virtual Network, Azure Firewall, and Azure Network Security Group checklists", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", - "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", - "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", - "service": "Azure Data Explorer", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "When adding a Private Endpoint connection, public routing to your logical server isn't blocked by default. 
In the --Firewall and virtual networks-- pane, the setting --Deny public network access-- is not selected by default. To disable public network access, ensure that you select --Deny public network access--.", + "guid": "3a0808ee-ea7a-47ab-bdce-920a6a2b3881", + "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server", "services": [ - "Storage" + "PrivateLink", + "SQL", + "VNet" ], - "subcategory": "Replication", - "text": "To share data, explore Leader-follower cluster configuration", - "waf": "Reliability" + "severity": "High", + "subcategory": "Private Access", + "text": "If Private Endpoint (Private Access) is used, consider disabling Public Access connectivity", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", - "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", - "service": "Azure Data Explorer", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Network Security Group (NSG) and Application Security Group (ASG) can be now applied to subnet containing Private Endpoints to restrict connections to Azure SQLDB based on internal source IP ranges.", + "guid": "8600527e-e8c4-4424-90ef-1f0dca0224f2", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview#network-security-of-private-endpoints", "services": [ - "ASR" + "PrivateLink", + "SQL", + "VNet" ], - "subcategory": "Replication", - "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Private Access", + "text": "If Private Endpoint (Private Access) is used, apply NSG and eventually ASG to limit incoming source IP address ranges", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "436b0635-cb45-4e57-a603-324ace8cc123", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", - "service": "Azure Data Explorer", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. Applications and tools that are in the same or peered virtual network in the same region could access it directly. 
Applications and tools that are in different region could use virtual-network-to-virtual-network connection or ExpressRoute circuit peering to establish connection. Customer should use Network Security Groups (NSG), and eventually internal firewalls, to restrict access over port 1433 only to resources that require access to a managed instance.", + "guid": "18123ef4-a0a6-45e3-87fe-7f454f65d975", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connectivity-architecture-overview", "services": [ - "RBAC", - "Storage" + "VNet", + "SQL", + "ExpressRoute" ], - "subcategory": "Replication", - "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", - "service": "Azure Data Explorer", - "services": [], - "subcategory": "Replication", - "text": "Ingest data into each cluster in parallel", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Private Access", + "text": "Apply Network Security Groups (NSG) and firewall rules to restrict access to Azure SQL Managed Instance internal subnet", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is also called 'always-on'. 
For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", - "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", - "service": "Azure Data Explorer", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Azure Virtual Network Service Endpoint is preferred solution if you want to establish a direct connection to the Azure SQL Database backend nodes using Redirect policy. This will allow access in high performance mode and is the recommended approach from a performance perspective.", + "guid": "55187443-6852-4fbd-99c6-ce303597ca7f", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview?view=azuresql#ip-vs-virtual-network-firewall-rules", "services": [ - "ACR" + "VNet", + "SQL", + "AzurePolicy" ], - "subcategory": "DR Configuration", - "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", - "waf": "Reliability" + "severity": "High", + "subcategory": "Public Access", + "text": "If Public Access connectivity is used, leverage Service Endpoint to restrict access from selected Azure Virtual Networks", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.", - "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", - "service": "Azure Data Explorer", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The Azure SQL Database firewall allows you to specify IP address ranges from which communications are accepted. This approach is fine for stable IP addresses that are outside the Azure private network.", + "guid": "a73e32da-b3f4-4960-b5ec-2f42a557bf31", + "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", "services": [ - "ACR" + "Storage", + "SQL" ], - "subcategory": "DR Configuration", - "text": "For critical applications, create Active-Active configuration in two paired regions", - "waf": "Reliability" - }, - { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", - "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", - "service": "Azure Data Explorer", - "services": [], - "subcategory": "DR Configuration", - "text": "For applications, which required only read during failure, create Active-Hot standby configuration", - "waf": "Reliability" + "severity": "Medium", + "subcategory": "Public Access", + "text": "If Public Access connectivity is used, ensure that only specific known IPs are added to the firewall", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", - "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", - "service": "Azure Data Explorer", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "We recommend that you use database-level IP firewall rules whenever possible. This practice enhances security and makes your database more portable. Use server-level IP firewall rules for administrators. 
Also use them when you have many databases that have the same access requirements, and you don't want to configure each database individually.", + "guid": "e0f31ac9-35c8-4bfd-9865-edb60ffc6768", + "link": "https://learn.microsoft.com/azure/azure-sql/database/firewall-configure", "services": [ - "Cost", "Storage", - "AzurePolicy", - "ASR" + "SQL" ], - "subcategory": "DR Configuration", - "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Public Access", + "text": "If Public Access connectivity is used and controlled by Azure SQL Database firewall rules, use database-level over server-level IP rules", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Data Explorer Review Checklist", - "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", - "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. The Managed Instance public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. 
If company policy disallows the use of public endpoints, use Azure Policy to prevent enabling public endpoints in the first place.", + "guid": "b8435656-143e-41a8-9922-61d34edb751a", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", "services": [ + "VNet", + "SQL", "AzurePolicy" ], - "subcategory": "IaC", - "text": "Wrap DevOps and source control around all your code", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "services": [], - "subcategory": "IaC", - "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "services": [], - "subcategory": "IaC", - "text": "Be fully cognizant of what it takes to build a cluster from scratch. 
Leverage Infrastructure as a Code for your deployments", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Reliability" + "severity": "High", + "subcategory": "Public Access", + "text": "Do not enable Azure SQL Managed Instance public endpoint", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", + "category": "Networking", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "A Managed Instance (SQL MI) public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. In this case, it is recommended to apply a Network Security Groups (NSG) to restrict access to port 3342 only to trusted source IP addresses.", + "guid": "057dd298-8726-4aa6-b590-1f81d2e30421", + "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", "services": [ - "ACR" + "VNet", + "SQL" ], "severity": "High", - "subcategory": "High Availability", - "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. 
It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", - "waf": "Reliability" + "subcategory": "Public Access", + "text": "Restrict access if Azure SQL Managed Instance public endpoint is required", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", + "category": "Privileged Access", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Most operations, support, and troubleshooting performed by Microsoft personnel and sub-processors do not require access to customer data. In those rare circumstances where such access is required, Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. In support scenarios where Microsoft needs to access customer data, Azure SQL Database supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.", + "guid": "37b6eb0f-553d-488f-8a8a-cb9bf97388ff", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", "services": [ - "Storage" + "SQL" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Lockbox", + "text": "Review and enable Customer Lockbox for Azure SQL Database access by Microsoft personnel", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", + "category": "Privileged Access", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "The principle of least privilege states that users shouldn't have more privileges than needed to complete their tasks. High-privileged database and server users can perform many configuration and maintenance activities on the database and can also drop databases in Azure SQL instance. 
Tracking database owners and privileged accounts is important to avoid having excessive permission.", + "guid": "5fe5281f-f0f9-4842-a682-8baf18bd8316", + "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#implement-principle-of-least-privilege", "services": [ - "Storage" + "SQL" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", - "waf": "Reliability" + "subcategory": "Permissions", + "text": "Ensure that users are assigned the minimum level of access necessarily to complete their job functions", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "category": "Privileged Access", + "checklist": "Azure SQLDB Security Checklist (Preview)", + "description": "Identities (both Users and SPNs) should be scoped to the least amount of access needed to perform the function. A higher number of tightly scoped SPNs should be used, instead of having one SPN with multiple sets of unrelated permissions. For example, if there are three external web applications hosted on-prem that make queries to the Azure SQL Database, they should not all use the same SPN for these activities. Instead, they should each have their own tightly scoped SPN.", + "guid": "7b5b55e5-4750-4920-be97-eb726c256a5c", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#im-3-use-azure-ad-single-sign-on-sso-for-application-access", "services": [ - "ASR" + "Entra", + "SQL" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. 
Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Stream Analytics Review Checklist", - "guid": "32e52e36-11c8-418b-8a0b-c511e43a18a9", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-stream_analytics_v1.docx", - "services": [], - "severity": "High", - "subcategory": "High Availablity ", - "text": "Leverage FTA Resiliency Handbook for Stream Analytics", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Stream Analytics Review Checklist", - "description": "Azure Stream Analytics provides high availability (99.9% SLA) for jobs and clusters within a region, the details of which are transparent to the end customer. If failures occur within the service, per the documentation �Azure Stream Analytics guarantees exactly once event processing and at-least-once delivery of events, so events are never lost.�", - "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", - "link": "https://azure.microsoft.com/en-in/products/stream-analytics", - "services": [], - "severity": "Medium", - "subcategory": "High Availablity ", - "text": "Understand High Availability 99% SLA and use it to plan your DR strategy", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Stream Analytics Review Checklist", - "description": "Azure Stream Analytics resources (jobs, clusters, etc.) are regional and do not provide automatic geo-failover. However, you can achieve geo-redundancy by deploying identical Stream Analytics jobs in multiple Azure regions. 
Each job connects to local input and output sources. It is the responsibility of your application to both send input data into the two regional inputs and reconcile between the two regional outputs.", - "guid": "fc833934-8b26-42d6-ac5f-512925498e6d", - "link": "https://learn.microsoft.com/azure/stream-analytics/geo-redundancy", - "services": [], - "severity": "Medium", - "subcategory": "Geo Redundancy", - "text": "Plan for Geo Redudancy of the service", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Stream Analytics Review Checklist", - "guid": "b9d37dac-43bc-46cd-8d7a-a9b24604489a", - "link": "https://learn.microsoft.com/azure/stream-analytics/geo-redundancy", - "services": [], - "severity": "Medium", - "subcategory": "Geo Redundancy", - "text": "Depending on your availablity requirement, configure Active/Active configuration or Active/Passive configuration ", - "waf": "Reliability" + "severity": "Low", + "subcategory": "Permissions", + "text": "Ensure that distinct applications will be assigned different credentials with minimal permissions to access Azure SQL Database", + "waf": "Security" }, { "category": "Operations Management", 
@@ -23669,12233 +21766,11834 @@ "services": [], "severity": "Low", "subcategory": "DevOps", - "text": "When working with Spark Notebooks, make sure to integrate with Git or Azure DevOps", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "775c6ee9-5b86-4ad8-a44c-e3b2b38b875b", - "link": "https://learn.microsoft.com/azure/synapse-analytics/sql-data-warehouse/backup-and-restore", - "services": [], - "severity": "Medium", - "subcategory": "High Availablity", - "text": "Use Dedicated pools", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "a1cf2049-9013-4a5d-9ce4-74dbcbd8682a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/analytics/azure-synapse", - "services": [], - "severity": "Medium", - "subcategory": "DR", - "text": "Use Database restore points for Azure Synapse", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "6abca2a4-fda1-4dae-8dc9-5d48c6c791dc", - "link": "https://learn.microsoft.com/azure/synapse-analytics/sql/on-demand-workspace-overview", - "services": [], - "severity": "Medium", - "subcategory": "High Availablity", - "text": "Use Serverless Pools when required", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "a0f6c565-89e5-458b-a37d-4974e1112dbd", - "link": "https://learn.microsoft.com/azure/synapse-analytics/quickstart-deployment-template-workspaces", - "services": [ - "Storage" - ], - "severity": "Medium", - "subcategory": "DevOps", - "text": "Use Infrastructure as a Code template to do repeatable deployments", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Azure Synapse Review Checklist", - "guid": "7baf12e7-b94e-4f6e-847d-2da2982b1cd6", - 
"link": "https://learn.microsoft.com/azure/cosmos-db/synapse-link", - "services": [], - "severity": "Medium", - "subcategory": "High Availablity", - "text": "Make sure to re-eshtablish any Synapse Links", - "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", - "waf": "Reliability" - }, - { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "41177955-fe8f-430b-ae72-20dc5b6880da", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/overview", - "services": [ - "Entra" - ], - "severity": "High", - "subcategory": "Business", - "text": "Understand what kind of solution you're creating, such as business-to-business (B2B), business-to-consumer (B2C), or your enterprise software, and how tenants are different from users.", - "waf": "Operations" - }, - { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "2d33d1b7-697c-49f9-b944-afbeac0b2c8f", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "services": [], - "severity": "High", - "subcategory": "Business", - "text": "Define your tenants. 
Understand how many tenants you will support initially, and your growth plans.", - "waf": "Operations" - }, - { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "a2111b8b-cc66-4aa2-9da6-c09fa23851b6", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models", - "services": [], - "severity": "High", - "subcategory": "Business", - "text": "Define your pricing model and ensure it aligns with your tenants' consumption of Azure resources.", - "waf": "Cost" - }, - { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "331e84a6-2d65-4359-92ff-a1870b062995", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/pricing-models", - "services": [], - "severity": "Medium", - "subcategory": "Business", - "text": "Understand whether you need to separate your tenants into different tiers. Tiers might have different pricing, features, performance promises, geographic locations, and so forth.", - "waf": "Operations" - }, - { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "90516b37-aab1-46ca-95bb-cc14a6a1608b", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "services": [], - "severity": "Medium", - "subcategory": "Business", - "text": "Based on your customers' requirements, decide on the tenancy models that are appropriate for various parts of your solution.", - "waf": "Operations" - }, - { - "category": "Business", - "checklist": "Multitenant architecture", - "guid": "f5d76ae1-7048-4ff5-abba-f1ca799578b9", - "link": "https://learn.microsoft.com/azure/marketplace/plan-saas-offer", - "services": [ - "Entra" - ], - "severity": "Medium", - "subcategory": "Business", - "text": "When you're ready, sell your B2B multitenant solution using the Microsoft Commercial Marketplace.", - "waf": "Operations" - }, - { - "category": "Reliability", - "checklist": 
"Multitenant architecture", - "guid": "9e7cedd9-1e05-4aeb-a7b3-01fe695a394c", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/design-checklist", - "services": [], - "severity": "High", - "subcategory": "Reliability", - "text": "Review the Azure Well-Architected Reliability checklist, which is applicable to all workloads.", - "waf": "Reliability" - }, - { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "e9521a55-2a7c-425c-8f3e-c38fd0c4df75", - "link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor", - "services": [], - "severity": "High", - "subcategory": "Reliability", - "text": "Understand the Noisy Neighbor antipattern. Prevent individual tenants from impacting the system's availability for other tenants.", + "text": "When working with Spark Notebooks, make sure to integrate with Git or Azure DevOps", "waf": "Reliability" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "2b99cb00-9abb-49b6-b11c-f2af9692f09e", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/overview", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "775c6ee9-5b86-4ad8-a44c-e3b2b38b875b", + "link": "https://learn.microsoft.com/azure/synapse-analytics/sql-data-warehouse/backup-and-restore", "services": [], "severity": "Medium", - "subcategory": "Reliability", - "text": "Design your multitenant solution for the level of growth that you expect. 
But don't overengineer for unrealistic growth.", + "subcategory": "High Availablity", + "text": "Use Dedicated pools", "waf": "Reliability" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "7a634a0e-1c9d-42b1-aac2-5a5378f103f1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/business-metrics", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "a1cf2049-9013-4a5d-9ce4-74dbcbd8682a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/analytics/azure-synapse", "services": [], "severity": "Medium", - "subcategory": "Reliability", - "text": "Define service-level objectives (SLOs) and optionally service-level agreements (SLAs) for your solution. SLAs and SLOs should be based on the requirements of your tenants, as well as the composite SLA of the Azure resources in your architecture.", + "subcategory": "DR", + "text": "Use Database restore points for Azure Synapse", "waf": "Reliability" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "45beeeaf-fc59-4079-8fca-65d5724abaa7", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "6abca2a4-fda1-4dae-8dc9-5d48c6c791dc", + "link": "https://learn.microsoft.com/azure/synapse-analytics/sql/on-demand-workspace-overview", "services": [], - "severity": "High", - "subcategory": "Reliability", - "text": "Test the scale of your solution. 
Ensure that it performs well under all levels of load, and that it scales correctly as the number of tenants increases.", + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Use Serverless Pools when required", "waf": "Reliability" }, { - "category": "Reliability", - "checklist": "Multitenant architecture", - "guid": "2ff55551-984b-4606-95eb-bfb9c8b36761", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", - "services": [], + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "a0f6c565-89e5-458b-a37d-4974e1112dbd", + "link": "https://learn.microsoft.com/azure/synapse-analytics/quickstart-deployment-template-workspaces", + "services": [ + "Storage" + ], "severity": "Medium", - "subcategory": "Reliability", - "text": "Apply chaos engineering principles to test the reliability of your solution.", + "subcategory": "DevOps", + "text": "Use Infrastructure as a Code template to do repeatable deployments", "waf": "Reliability" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "8238c038-8eb2-4a02-8bd5-4908c9442c1c", - "link": "https://learn.microsoft.com/security/zero-trust", + "category": "Operations Management", + "checklist": "Azure Synapse Review Checklist", + "guid": "7baf12e7-b94e-4f6e-847d-2da2982b1cd6", + "link": "https://learn.microsoft.com/azure/cosmos-db/synapse-link", "services": [], - "severity": "High", - "subcategory": "Security", - "text": "Apply the Zero Trust and least privilege principles in all layers of your solution.", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "92160e00-6894-4102-97e0-615d4ed93c01", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/map-requests", - "services": [ - "Entra" - ], - "severity": "High", - "subcategory": "Security", - "text": "Ensure that you can correctly map user requests to 
tenants. Consider including the tenant context as part of the identity system, or by using another means, like application-level tenant authorization.", - "waf": "Security" + "severity": "Medium", + "subcategory": "High Availablity", + "text": "Make sure to re-eshtablish any Synapse Links", + "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "3c1538b4-5676-4b85-b451-432befb37b4f", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "category": "Operations Management", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", "services": [], "severity": "Medium", - "subcategory": "Security", - "text": "Perform ongoing penetration testing and security code reviews.", - "waf": "Security" + "subcategory": "Best Practices", + "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "5fca45ce-cf2d-42c0-a62c-aac92ba31498", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/governance-compliance", + "category": "Operations Management", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "services": [], "severity": "High", - "subcategory": "Security", - "text": "Understand your tenants' compliance requirements, including data residency and any compliance or regulatory standards that they require you to meet.", - "waf": "Security" + 
"subcategory": "Availablity Zone", + "text": "Use zone redundant pipelines in regions that support Availability Zones", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "30adb90d-83d4-4a2e-986e-327ffe04e7a5", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/domain-names", + "category": "Operations Management", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", "services": [ - "DNS" + "Backup" ], - "severity": "High", - "subcategory": "Security", - "text": "Correctly manage domain names and avoid vulnerabilities like dangling DNS and subdomain takeover attacks.", - "waf": "Security" - }, - { - "category": "Security", - "checklist": "Multitenant architecture", - "guid": "72ded36d-c633-4e0d-bd41-799a29da3481", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/service/overview", - "services": [], "severity": "Medium", - "subcategory": "Security", - "text": "Follow service-specific guidance for multitenancy.", - "waf": "Security" + "subcategory": "DevOps Integration", + "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", + "waf": "Reliability" }, { - "category": "Cost Optimization", - "checklist": "Multitenant architecture", - "guid": "db30a9fc-9b1d-40f3-ab90-01f6a3e87fc8", - "link": "https://learn.microsoft.com/azure/architecture/framework/cost/design-checklist", + "category": "Network Topology and Connectivity", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "services": [ - "Cost" + "VM" ], "severity": "Medium", - "subcategory": "Cost 
Optimization", - "text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.", - "waf": "Cost" + "subcategory": "Network", + "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", + "waf": "Reliability" }, { - "category": "Cost Optimization", - "checklist": "Multitenant architecture", - "guid": "8533af39-52f6-45b6-a9c3-81b2a54a31e0", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/measure-consumption", + "category": "Network Topology and Connectivity", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "services": [ - "Cost" + "VNet" ], - "severity": "High", - "subcategory": "Cost Optimization", - "text": "Ensure you can adequately measure per-tenant consumption and correlate it with your infrastructure costs.", - "waf": "Cost" + "severity": "Medium", + "subcategory": "Network", + "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", + "waf": "Reliability" }, { - "category": "Cost Optimization", - "checklist": "Multitenant architecture", - "guid": "c851fd44-7cf1-459c-95a4-f6455d75a981", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation", + "category": "Governance and Security", + "checklist": "Azure Data Factory Review Checklist", + "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. 
Key Vault is a managed service and Microsoft takes care of it for you", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", "services": [ - "Cost", - "Monitor" + "AKV" ], - "severity": "Medium", - "subcategory": "Cost Optimization", - "text": "Avoid antipatterns. Antipatterns include failing to track costs, tracking costs with unnecessary precision, real-time measurement, and using monitoring tools for billing.", - "waf": "Cost" - }, - { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "0d475a5a-2c0f-47ab-b1e1-701da68d3407", - "link": "https://learn.microsoft.com/azure/architecture/checklist/data-ops", - "services": [], - "severity": "High", - "subcategory": "Operational Excellence", - "text": "Review the Azure Well-Architected Operational Excellence checklist, which is applicable to all workloads.", - "waf": "Operations" - }, - { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "9f7fa7a9-47fc-4f04-81f6-9f9e87571ed3", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenant-lifecycle", - "services": [], - "severity": "Medium", - "subcategory": "Operational Excellence", - "text": "Use automation to manage the tenant lifecycle, such as onboarding, deployment, provisioning, and configuration.", - "waf": "Operations" + "severity": "Low", + "subcategory": "Integration", + "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "e0bfceed-4f4e-492d-b9f5-898815faa363", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/updates", - "services": [], + "category": "Operations Management", + "checklist": "MySQL Review Checklist", + 
"guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", + "services": [ + "SQL" + ], "severity": "Medium", - "subcategory": "Operational Excellence", - "text": "Find the right balance for deploying service updates. Consider both your tenants' requirements and your own operational requirements.", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "Leverage Flexible Server", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "a3f80518-d428-4c02-b2cc-dfaef47db7e2", + "category": "Operations Management", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "services": [ - "Monitor" + "SQL" ], "severity": "High", - "subcategory": "Operational Excellence", - "text": "Monitor the health of the overall system, as well as each tenant.", - "waf": "Operations" + "subcategory": "Best Practices", + "text": "Leverage Availability Zones where regionally applicable", + "waf": "Reliability" }, { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "dfb42da5-f871-4953-9e5c-da6fda3f1411", + "category": "Operations Management", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "services": [ - "Monitor" + "SQL" ], "severity": "Medium", - "subcategory": "Operational Excellence", - "text": "Configure and test alerts to notify you when specific tenants are experiencing issues or are exceeding their consumption limits.", - "waf": "Operations" - }, - { - 
"category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "c0c72a1b-e34d-4b3d-b808-2e49f51ce47e", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization", - "services": [], - "severity": "High", - "subcategory": "Operational Excellence", - "text": "Organize your Azure resources for isolation and scale.", - "waf": "Operations" - }, - { - "category": "Operational Excellence", - "checklist": "Multitenant architecture", - "guid": "c5c5e22d-4b51-4cac-a980-f7aac1a4b427", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/deployment-configuration", - "services": [], - "severity": "Medium", - "subcategory": "Operational Excellence", - "text": "Avoid deployment and configuration antipatterns. Antipatterns include running separate versions of the solution for each tenant, hardcoding tenant-specific configurations or logic, and manual deployments.", - "waf": "Operations" - }, - { - "category": "Performance Efficiency", - "checklist": "Multitenant architecture", - "guid": "f0b1fbd8-689c-4ab3-be1d-ad7607d2fbfd", - "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/performance-efficiency", - "services": [], - "severity": "High", - "subcategory": "Performance Efficiency", - "text": "Review the Azure Well-Architected Performance Efficiency checklist, which is applicable to all workloads.", - "waf": "Performance" - }, - { - "category": "Performance Efficiency", - "checklist": "Multitenant architecture", - "guid": "18911c4c-934c-49a8-839a-60c092afce30", - "link": "https://learn.microsoft.com/azure/architecture/antipatterns/noisy-neighbor/noisy-neighbor", - "services": [], - "severity": "High", - "subcategory": "Performance Efficiency", - "text": "If you use shared infrastructure, plan for how you'll mitigate Noisy Neighbor concerns. 
Ensure that one tenant can't reduce the performance of the system for other tenants.", - "waf": "Performance" + "subcategory": "Best Practices", + "text": "Leverage Data-in replication for cross-region DR scenarios", + "waf": "Reliability" }, { - "category": "Performance Efficiency", - "checklist": "Multitenant architecture", - "guid": "6acf7eb5-24a3-47c7-ae87-1196cd96048e", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/compute", + "category": "Governance", + "checklist": "Azure Key Vault", + "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "services": [ - "Storage" + "AKV", + "Backup" ], - "severity": "Medium", - "subcategory": "Performance Efficiency", - "text": "Determine how you'll scale your compute, storage, networking, and other Azure resources to match the demands of your tenants.", - "waf": "Performance" - }, - { - "category": "Performance Efficiency", - "checklist": "Multitenant architecture", - "guid": "ea55400d-f97d-45aa-b71b-34224bf91ed4", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/resource-organization", - "services": [], "severity": "High", - "subcategory": "Performance Efficiency", - "text": "Consider each Azure resource's scale limits. Organize your resources appropriately, in order to avoid resource organization antipatterns. For example, don't over-architect your solution to work within unrealistic scale requirements.", - "waf": "Performance" + "subcategory": "Deployment best practices", + "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub provides encryption of data at rest. 
If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", + "category": "BC and DR", + "checklist": "Azure Key Vault", + "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", "services": [ - "EventHubs" + "AKV", + "ACR" ], - "severity": "Low", - "subcategory": "Data Protection", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Security" + "severity": "Medium", + "subcategory": "High Availability", + "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "category": "BC and DR", + "checklist": "Azure Key Vault", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", "services": [ - "EventHubs" + "AKV" ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Security" + "subcategory": "High Availability", + "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. Familiarize yourself with the Key Vault's data replication.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", + "category": "BC and DR", + "checklist": "Azure Key Vault", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", "services": [ - "AzurePolicy", - "Entra", - "RBAC", - "EventHubs", - "TrafficManager" + "AKV", + "AzurePolicy" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Security" + "subcategory": "High Availability", + "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. Familiarize yourself with the Key Vault's failover guidance.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "category": "Management", + "checklist": "Azure Key Vault", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", "services": [ "AKV", "Storage", - "VM", - "EventHubs", - "Entra" + "Backup", + "ASR", + "Subscriptions" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "subcategory": "Business continuity and disaster recovery", + "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. 
consumer group, event hub entity, event hub namespaces, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "category": "Management", + "checklist": "Azure Key Vault", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "services": [ - "RBAC", - "Entra", - "EventHubs" + "AKV", + "ASR" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Security" + "subcategory": "Business continuity and disaster recovery", + "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "category": "Management", + "checklist": "Azure Key Vault", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "services": [ - "Monitor", - "VNet", - "EventHubs" + "AKV", + "ASR" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Enable logging for security investigation. 
Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Security" + "severity": "Low", + "subcategory": "Business continuity and disaster recovery", + "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. Familiarize yourself with the Key Vault's soft-delete guidance.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", + "category": "Management", + "checklist": "Azure Key Vault", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "services": [ + "AKV", + "Backup", + "ASR" + ], + "severity": "Low", + "subcategory": "Business continuity and disaster recovery", + "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", + "waf": "Reliability" + }, + { + "category": "Management", + "checklist": "Azure Key Vault", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", "services": [ - "PrivateLink", - "VNet", - "EventHubs" + "AKV", + "Backup", + "ASR" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Security" + "severity": "Low", + "subcategory": "Business continuity and disaster recovery", + "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Event Hub Review", - "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "category": "Management", + "checklist": "Azure Key Vault", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", "services": [ + "AKV", + "ASR", "EventHubs" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "subcategory": "Business continuity and disaster recovery", + "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. 
It can be turned on via CLI, PowerShell or Portal.", + "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", - "services": [ - "EventHubs" - ], - "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage FTA Resillency HandBook", + "checklist": "Recovery Services Vault Checklist", + "guid": "cb7da8cf-aa62-4a15-a495-6da97dc3a242", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-plan-capacity-vmware", + "services": [], + "severity": "High", + "subcategory": "Replication", + "text": "Capacity planning is required to make sure you have sufficient bandwidth for replication and an estimated number of CPU cores & disk types that will be needed in Azure for failover", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", + "checklist": "Recovery Services Vault Checklist", + "guid": "67b23587-05a1-4652-aded-fa8a488cdec4", + "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-policy", "services": [ - "ACR", - "EventHubs" + "VM", + "ASR", + "AzurePolicy" ], "severity": "High", - "subcategory": "Zone Redudancy", - "text": "Leverage Availability Zones if regionally applicable", + "subcategory": "Replication", + "text": "Use Azure Policy to ensure that all critical Azure VMs are protected with ASR", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "checklist": "Recovery Services Vault Checklist", + "guid": "862bc3bc-14be-4b7f-96e8-d9b3bec228e7", + "link": "https://learn.microsoft.com/azure/site-recovery/recovery-plan-overview", "services": [ - "EventHubs" + "VM" ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Use the Premium or Dedicated SKUs for predicable performance", + "subcategory": "Replication", + "text": "Define recovery plans to automate the failover sequence for VMs. 
You can also include automation scripts to reduce manual steps and improve recovery time", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "services": [ - "ASR", - "EventHubs" - ], - "severity": "High", - "subcategory": "Geo Redudancy", - "text": "Plan for Geo Disaster Recovery using Active Passive configuration", + "checklist": "Recovery Services Vault Checklist", + "guid": "437b1736-db55-4f67-a613-334bd09dc234", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=recovery-services-vault", + "services": [], + "severity": "Medium", + "subcategory": "Data Protection", + "text": "Enable and LOCK immutability for vaults. This ensures recovery points cannot be deleted before their intended expiry", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", - "services": [ - "ASR", - "EventHubs" - ], + "checklist": "Recovery Services Vault Checklist", + "guid": "19db6128-1265-404b-a47a-493a08042729", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", + "services": [], "severity": "Medium", - "subcategory": "Geo Redudancy", - "text": "For Business Critical Applications, use Active Active configuration", + "subcategory": "Data Protection", + "text": "Enable 'Always-on soft delete' for vaults protecting critical workloads", "waf": "Reliability" }, { "category": "Operations Management", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "checklist": "Recovery Services Vault Checklist", + "guid": "4798b158-8b31-4aa5-9ceb-54445135a227", + "link": "https://learn.microsoft.com/azure/backup/backup-create-recovery-services-vault#set-storage-redundancy", "services": [ - "EventHubs" + "Storage" ], "severity": "Medium", - "subcategory": "Reliability", - "text": "Design Resilient Event Hubs", + "subcategory": "Redudancy", + "text": "When creating Recovery Service Vaults choose the best storage redundancy option for your requirements. 
Vaults support local, geo and zone redundancy but this setting cannot be changed once the vault is protecting one or more resources", "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", + "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", + "service": "VMSS", "services": [ - "AVS", - "Entra", - "Subscriptions" + "VM" ], - "severity": "High", - "subcategory": "Identity", - "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", - "waf": "Security" + "severity": "Low", + "subcategory": "VM Scale Sets", + "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", + "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", + "service": "VM", "services": [ - "AVS", - "Entra" + "Backup", + "VM" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", - "waf": "Security" + "severity": "High", + 
"subcategory": "Virtual Machines", + "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", + "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "VM", "services": [ - "AVS", - "Entra" + "VM" ], "severity": "High", - "subcategory": "Identity", - "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", - "waf": "Security" + "subcategory": "Virtual Machines", + "text": "Use Premium or Ultra disks for production VMs", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", + "guid": "b31e38c3-f298-412b-8363-cffe179b599d", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", + "service": "VM", "services": [ - "AVS", - "Entra" + "VM" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", - "waf": "Security" + "severity": "High", + "subcategory": "Virtual Machines", + "text": "Ensure Managed Disks are used for all VMs", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", + "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", + "service": "VM", "services": [ - "AVS", - "Entra" + "SQL", + "Storage", + "VM" ], "severity": "Medium", - "subcategory": "Identity", - "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", - "waf": "Security" + "subcategory": "Virtual Machines", + "text": "Do not use the Temp disk for anything that is not acceptable to be lost", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", + "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", "services": [ - "AVS", - "Entra" + "Storage", + "VM", + "ACR" ], - "severity": "High", - "subcategory": "Identity", - "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", - "waf": "Security" + "severity": "Medium", + "subcategory": "Virtual Machines", + "text": "Leverage Availability Zones for your VMs in regions where they are supported", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", + "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "VM", "services": [ - "RBAC", - "AVS", - "Entra" + "VM" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Has an RBAC model been created for use within VMware vSphere", - "waf": "Security" + "subcategory": "Virtual Machines", + "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", + "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", "services": [ - "RBAC", - "AVS", - "Entra" + "ASR", + "VM" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "RBAC permissions should be granted on ADDS groups and not on specific users", - "waf": "Security" + "severity": "High", + "subcategory": "Virtual Machines", + "text": "Avoid running a production workload on a single VM", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure 
and hybrid VMs by providing continuous replication and failover capabilities.", + "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "services": [ - "RBAC", "AVS", - "Entra" + "VM", + "ASR" ], "severity": "High", - "subcategory": "Identity", - "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", - "waf": "Security" + "subcategory": "Virtual Machines", + "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", + "waf": "Reliability" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", + "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", + "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", + "service": "VM", "services": [ - "RBAC", - "AVS", - "Entra" + "VM" ], - "severity": "High", - "subcategory": "Identity", - "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", - "waf": "Security" + "severity": "Low", + "subcategory": "Virtual Machines", + "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "By ensuring that the necessary quotas are increased in your DR region before testing 
failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", + "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", + "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", + "service": "VM", "services": [ - "AVS" + "VM", + "ASR" ], - "severity": "High", - "subcategory": "Architecture", - "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", - "waf": "Performance" + "severity": "Medium", + "subcategory": "Virtual Machines", + "text": "Increase quotas in DR region before testing failover with ASR", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", + "category": "Compute", + "checklist": "Resiliency Review", + "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", + "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", + "service": "VM", "services": [ - "ExpressRoute", - "VPN", - "Monitor", - "NetworkWatcher", - "AVS" + "VM" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", - "waf": "Operations" + "severity": "Low", + "subcategory": "Virtual Machines", + "text": "Utilize Scheduled Events to prepare for VM maintenance", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "category": "Data", + "checklist": "Resiliency Review", + "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", + "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", "services": [ - "ExpressRoute", - "Monitor", - "VM", - "NetworkWatcher", - "AVS" + "Storage" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", - "waf": "Operations" + "subcategory": "Storage Accounts", + "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "category": "Data", + "checklist": "Resiliency Review", + "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", + "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "services": [ - "NetworkWatcher", - "AVS", - "Monitor", - "VM" + "Storage" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", - "waf": "Operations" + "severity": "Low", + "subcategory": "Storage Accounts", + "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Design 
Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", + "category": "Data", + "checklist": "Resiliency Review", + "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", + "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "services": [ - "AVS", - "ARS" + "Storage" ], - "severity": "High", - "subcategory": "Routing", - "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", - "waf": "Operations" + "severity": "Low", + "subcategory": "Storage Accounts", + "text": "Enable soft delete for Storage Account Containers", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", + "category": "Data", + "checklist": "Resiliency Review", + "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", + "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "services": [ - "RBAC", - "AVS", - "Entra" + "Storage" ], - "severity": "High", - "subcategory": "Security (identity)", - "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", - "waf": "Security" + "severity": "Low", + "subcategory": "Storage Accounts", + "text": "Enable soft delete for blobs", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design 
Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", + "category": "General", + "checklist": "Resiliency Review", + "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", + "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", + "service": "Azure Backup", "services": [ - "RBAC", - "AVS", - "Entra" + "Backup" ], - "severity": "High", - "subcategory": "Security (identity)", - "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", - "waf": "Security" + "severity": "Medium", + "subcategory": "Backup", + "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", + "waf": "Reliability" + }, + { + "category": "General", + "checklist": "Resiliency Review", + "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", + "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", + "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", + "service": "Azure Backup", + "services": [ + "Backup" + ], + "severity": "Low", + "subcategory": "Backup", + "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", + "category": "General", + "checklist": "Resiliency Review", + "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the 
vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", + "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", + "service": "Azure Backup", "services": [ - "AVS", - "Entra" + "Storage", + "Backup" ], - "severity": "Medium", - "subcategory": "Security (identity)", - "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. (standing permissions required)", - "waf": "Security" + "severity": "Low", + "subcategory": "Backup", + "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", + "category": "General", + "checklist": "Resiliency Review", + "description": "Clearly define your organization's business continuity and disaster recovery requirements for your Azure environment. 
This includes identifying the critical applications, data, and services that need to be protected, as well as specifying the desired recovery objectives and strategies.", + "guid": "72e52e36-11dd-458c-9a4b-1521e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-business-continuity-disaster-recovery", "services": [ - "AVS", - "Entra" + "ASR" ], "severity": "High", - "subcategory": "Security (identity)", - "text": "Limit use of CloudAdmin account to emergency access only", - "waf": "Security" + "subcategory": "Design", + "text": "Define business continuity and disaster recovery requirements", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", + "category": "General", + "checklist": "Resiliency Review", + "description": "Ensure that your Azure architectures are designed with a focus on reliability. Consider implementing fault-tolerant mechanisms, redundancy, and resiliency patterns to minimize the impact of failures and maximize the availability of your applications and services.", + "guid": "c2399c4d-7b67-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/architecture/reliability/architect", + "services": [], + "severity": "High", + "subcategory": "Design", + "text": "Implement reliability best practices in Azure architectures", + "waf": "Reliability" + }, + { + "category": "General", + "checklist": "Resiliency Review", + "description": "IaC configurations can play a role in your disaster recovery plan, particularly in situations where recovery time is not time-sensitive. 
In the event of infrastructure recreation in a second region, IaC can be used to reproduce the necessary infrastructure.", + "guid": "fe237de2-43b1-46c3-8d7a-a9b7570449aa", + "link": "https://learn.microsoft.com/azure/well-architected/devops/automation-infrastructure", "services": [ "RBAC", - "AVS", - "Entra" + "ASR" ], "severity": "Medium", - "subcategory": "Security (identity)", - "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", - "waf": "Security" + "subcategory": "DevOps", + "text": "Implement Infrastructure as Code (IaC) for Rapid Infrastructure Recovery", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", + "category": "General", + "checklist": "Resiliency Review", + "description": "Azure offers region pairs that are geographically separated and can be used for cross-region replication and disaster recovery. These region pairs provide redundancy and protection against regional or large-scale disasters.", + "guid": "dcb1f7d5-769a-4e56-aba3-8d4a85e2213d", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", "services": [ - "AVS", - "Entra" + "ASR" ], "severity": "Medium", - "subcategory": "Security (identity)", - "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", - "waf": "Security" + "subcategory": "Multi-region", + "text": "Plan for cross-region recovery by leveraging region pairs", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "By deploying an Application Gateway with a minimum instance count of two, you will have at least two instances available under normal circumstances. 
In the event that one of the instances encounters a problem, the other instance will handle the traffic while a new instance is being created. This approach significantly reduces the risk of service disruption and ensures a seamless experience for your users.", + "guid": "93c76286-37a5-451c-9b04-e4f1854387e5", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant#autoscaling-and-high-availability", "services": [ - "AVS", - "VM", - "Entra" + "AppGW" ], - "severity": "High", - "subcategory": "Security (identity)", - "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", - "waf": "Security" + "severity": "Medium", + "subcategory": "Application Gateways", + "text": "Deploy Application Gateways with a minimum instance count of 2 to avoid instance provisioning downtime", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "The v2 SKU offers several advantages and critical new features that enhance the availability and resilience of your application infrastructure. 
One notable feature supported by the v2 SKU is zone redundancy, which allows an Application Gateway deployment to span multiple Availability Zones.", + "guid": "ced126cd-032a-4f5b-8fc6-998a535e3378", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", "services": [ - "AVS" + "Storage", + "AppGW" ], - "severity": "Medium", - "subcategory": "Security (network)", - "text": "Is East-West traffic filtering implemented within NSX-T", - "waf": "Security" + "severity": "High", + "subcategory": "Application Gateways", + "text": "Deploy Azure Application Gateway v2 for zone redundancy support", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "Azure Front Door provides automatic failover capabilities, ensuring continuity in the event of a primary region becoming unavailable. However, during the failover process, there may be a brief period (typically 20-60 seconds) when clients cannot reach the application. It is essential to review the Azure Front Door service level agreement (SLA) to determine whether relying solely on Front Door meets your business requirements for high availability. ", + "guid": "97e31c67-d68c-4f6a-92a1-194956d697dc", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/multi-region#azure-front-door", "services": [ - "AVS", - "AppGW", - "Firewall" + "FrontDoor" ], - "severity": "High", - "subcategory": "Security (network)", - "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. 
Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", - "waf": "Security" + "severity": "Low", + "subcategory": "Azure Front Door", + "text": "Consider a redundant traffic management solution in conjunction with Azure Front Door", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "By implementing Traffic Manager, you can configure it to continuously monitor the health of your application endpoints and automatically redirect traffic to an alternate endpoint when necessary. This automation minimizes downtime and provides a more seamless experience for your users during disaster recovery scenarios.", + "guid": "8df03a82-2cd4-463c-abbc-8ac299ebc92a", + "link": "https://learn.microsoft.com/azure/networking/disaster-recovery-dns-traffic-manager", "services": [ - "AVS" + "DNS", + "TrafficManager", + "ASR", + "Monitor" ], - "severity": "High", - "subcategory": "Security (network)", - "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", - "waf": "Security" + "severity": "Low", + "subcategory": "DNS", + "text": "Plan for automated failover using Traffic Manager for DNS Traffic", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", + "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", + "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", + "service": "DNS", "services": [ - "Monitor", - "AVS" + "DNS", + "ASR", + "ACR" ], - "severity": "Medium", - "subcategory": "Security (network)", - "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", - "waf": "Security" + "severity": "Low", + "subcategory": "DNS", + "text": "Implement DNS Failover using Azure DNS Private Resolvers", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", + "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", + "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", + "service": "Data Gateways", "services": [ - "ExpressRoute", - "VPN", - "VNet", - "AVS", - "DDoS" + "ACR" ], "severity": "Medium", - "subcategory": "Security (network)", - "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", - "waf": "Security" + "subcategory": "Data Gateways", + "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "When using 
ExpressRoute, it's important to design for high availability by incorporating redundancy in both the partner and customer networks. This can include multiple ExpressRoute circuits, redundant connections from your network to Microsoft, and ensuring your on-premises network equipment has redundant connections.", + "guid": "c0e7c28d-c936-4657-802b-ff4564b0d934", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", "services": [ - "AVS" + "ExpressRoute" ], "severity": "Medium", - "subcategory": "Security (network)", - "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "waf": "Security" + "subcategory": "ExpressRoute", + "text": "Ensure redundancy within both the partner network and customer network when utilizing ExpressRoute for high availability", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "The primary circuit should handle regular traffic while the backup circuit stays ready to take over if the primary circuit fails. 
Utilize BGP attributes to influence routing and designate your primary and backup circuits effectively.", + "guid": "a359c373-e7dd-4616-83a3-64a907ebae48", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", "services": [ - "AVS", - "Defender" + "Backup", + "ExpressRoute" ], "severity": "Medium", - "subcategory": "Security (guest/VM)", - "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", - "waf": "Security" + "subcategory": "ExpressRoute", + "text": "When using multiple ExpressRoute circuits ensure that routing allows for a primary and backup", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "S2S VPN connection can provide a cost-effective, resilient backup solution in the event of an ExpressRoute circuit failure. 
By using S2S VPN as a failover, you can maintain connectivity to your Azure resources without relying solely on ExpressRoute.", + "guid": "ead53cc7-de2e-48aa-ab35-71549ab9153d", + "link": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", "services": [ - "Arc", - "AVS" + "VPN", + "Backup", + "Cost", + "ExpressRoute" ], - "severity": "Medium", - "subcategory": "Security (guest/VM)", - "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", - "waf": "Security" + "severity": "Low", + "subcategory": "ExpressRoute", + "text": "Consider deploying site-to-site VPN as a backup for your ExpressRoute private peering", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "Standard Load Balancer SKU offers an SLA of 99.99% and a higher level of service availability compared to the Basic Load Balancer SKU.", + "guid": "778468d5-5a78-45d6-be96-c96ad8844cf3", + "link": "https://learn.microsoft.com/azure/load-balancer/skus", "services": [ - "SQL", - "AVS" + "LoadBalancer" ], - "severity": "Low", - "subcategory": "Security (guest/VM)", - "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)", - "waf": "Security" + "severity": "Medium", + "subcategory": "Load Balancers", + "text": "Leverage the Standard SKU for Load Balancers that handle traffic to production applications", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "By configuring the load balancer with a zone-redundant frontend, it can serve zonal resources in any zone with a single IP address. As long as at least one zone remains healthy within the region, the IP address associated with the frontend can survive one or more zone failures. It is recommended to have multiple zonal resources, such as virtual machines from different zones, in the backend pool of the load balancer. ", + "guid": "b2b38c88-6ba2-4c02-8499-114a5d3ce574", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", "services": [ - "AVS", - "AKV" + "LoadBalancer", + "VM" ], "severity": "Low", - "subcategory": "Security (guest/VM)", - "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", - "waf": "Security" + "subcategory": "Load Balancers", + "text": "For load balancers, consider using a zone-redundant frontend with multiple zonal resources in the backend", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "When designing health probes for your Azure Load Balancer, it is important to follow best practices to ensure reliable and accurate monitoring of your backend instances.", + "guid": "dccbd979-2a6b-4cca-8b5f-ea1ebf3dd95d", + "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-custom-probe-overview#design-guidance", "services": [ - "AVS" + "LoadBalancer", + "Monitor" ], - "severity": "Medium", - "subcategory": "Security (guest/VM)", - "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", - "waf": "Security" + "severity": "Low", + "subcategory": "Load Balancers", + "text": "Select the right protocol, appropriate intervals and timeouts, representative paths and probe responses when defining Load Balancer Health Probes", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. 
The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", + "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "services": [ - "AVS" + "NVA" ], "severity": "High", - "subcategory": "Governance (platform)", - "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", + "subcategory": "NVAs", + "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "By deploying VPN Gateways in an active-active mode, you can distribute VPN traffic across multiple gateways, improving reliability and ensuring continuous connectivity in case of failures or maintenance.", + "guid": "927139b8-2110-42db-b6ea-f11e6f843e53", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", "services": [ - "Storage", - "AVS", - "AzurePolicy" + "VPN", + "ACR" ], - "severity": "High", - "subcategory": "Governance (platform)", - "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", + "severity": "Medium", + "subcategory": "VPN Gateways", + "text": "Deploy Azure VPN Gateways in an active-active mode to ensure high availability and redundancy for your VPN connections.", "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "category": "Network", + "checklist": "Resiliency Review", + "description": "Zone-redundant SKUs ensure that your VPN gateways are physically and logically separated within a region, providing 
resiliency and scalability. This deployment configuration safeguards your on-premises network connectivity to Azure from zone-level failures.", + "guid": "f4722d92-8c1b-41cd-921f-54b29b9de39a", + "link": "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways", "services": [ - "AVS", - "ASR" + "VPN" ], - "severity": "High", - "subcategory": "Governance (platform)", - "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", + "severity": "Medium", + "subcategory": "VPN Gateways", + "text": "Use zone-redundant SKUs when deploying VPN Gateways to enhance resilience and protect against zone-level failures", "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "WAF checklist", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Governance (platform)", - "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "waf": "Operations" + "severity": "High", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "WAF checklist", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", 
"services": [ - "AzurePolicy", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Governance (platform)", - "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", - "waf": "Operations" + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "WAF checklist", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", "services": [ - "Cost", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Governance (platform)", - "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", - "waf": "Cost" + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "WAF checklist", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", "services": [ - "Cost", - "AVS" + "AppSvc", + "WAF" ], - "severity": "Low", - "subcategory": "Governance (platform)", - "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", - "waf": "Cost" + "severity": "High", + "text": "If deploying to 
an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "WAF checklist", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Governance (platform)", - "text": "Consider the use of Azure Private-Link when using other Azure Native Services", - "waf": "Security" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "WAF checklist", + "guid": "0e03f5ee-4648-423c-bb86-7239480f9171", + "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", "services": [ - "AVS" + "WAF" ], "severity": "High", - "subcategory": "Governance (platform)", - "text": "Ensure all required resource reside within the same Azure availability zone(s)", - "waf": "Performance" + "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", - "services": [ - "AVS", - "Defender", - "VM" + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "WAF checklist", + "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55", + "link": 
"https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability", + "service": "Device Update for IoT Hub", + "services": [ + "WAF" ], - "severity": "Medium", - "subcategory": "Governance (guest/VM)", - "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", - "waf": "Security" + "severity": "High", + "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "WAF checklist", + "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Device Update for IoT Hub", "services": [ - "Arc", - "AVS", - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "Governance (guest/VM)", - "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", - "waf": "Security" + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", + "arm-service": "Microsoft.Devices/deviceUpdateServices", + "checklist": "WAF checklist", + "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Device Update for IoT Hub", "services": [ - "AVS" + "AppSvc", + "WAF" ], "severity": "High", - "subcategory": "Governance 
(guest/VM)", - "text": "Enable Diagnostic and metric logging on Azure VMware Solution", - "waf": "Operations" + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", "services": [ - "Monitor", - "AVS", - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "Governance (guest/VM)", - "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", - "waf": "Operations" + "severity": "High", + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", "services": [ - "AzurePolicy", - "AVS", - "Backup", - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "Governance (guest/VM)", - "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", - "waf": "Operations" + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - 
"service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", "services": [ - "Monitor", - "AVS", - "Defender" + "WAF" ], - "severity": "Medium", - "subcategory": "Compliance", - "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", - "waf": "Security" + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", "services": [ - "AVS", - "Defender" + "AppSvc", + "WAF" ], - "severity": "Medium", - "subcategory": "Compliance", - "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", - "waf": "Security" + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "services": [ - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Compliance", - "text": "Was data residency 
evaluated when selecting Azure regions to use for Azure VMware Solution deployment", - "waf": "Security" + "severity": "Medium", + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": "Operations" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "WAF checklist", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "services": [ - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Compliance", - "text": "Are data processing implications (service provider / service consumer model) clear and documented", - "waf": "Security" + "severity": "Medium", + "text": "Follow reliability support recommendations in Azure Bot Service", + "waf": "Reliability" }, { - "category": "Governance", - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "WAF checklist", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Compliance", - "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", - "waf": "Security" + "text": "Deploying bots with local data residency and regional compliance", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "WAF checklist", + "guid": 
"19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", "services": [ - "Monitor", - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", - "waf": "Operations" + "severity": "Medium", + "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", + "service": "CosmosDB", "services": [ - "Monitor", - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "waf": "Operations" + "severity": "Medium", + "text": "FTA Resiliency Playbook", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", + "arm-service": 
"microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "services": [ - "Monitor", - "AVS" + "WAF" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", - "waf": "Operations" + "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", + "service": "CosmosDB", "services": [ - "Monitor", - "AVS" + "WAF" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", - "waf": "Operations" + "severity": "Medium", + "text": "Run multiple replicas of the database (>1 ) in Prod", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", + "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", + "service": "CosmosDB", "services": [ - "Storage", - "AVS", - "Monitor" + "ACR", + "WAF" ], 
"severity": "Medium", - "subcategory": "Monitoring", - "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", - "waf": "Operations" + "text": "Leverage Multi-Region Writes", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "description": "Span Cosmos account across two or more regions with multi-region writes", + "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", "services": [ - "Monitor", - "AVS" + "ACR", + "WAF" ], - "severity": "Low", - "subcategory": "Monitoring", - "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", - "waf": "Operations" + "severity": "Medium", + "text": "Distribute your data globally", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", + "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", + "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", + "service": "CosmosDB", "services": [ - "Storage", - "AVS", - "AzurePolicy", - "VM" + "WAF" ], "severity": "High", - "subcategory": "Operations", - "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", - "waf": "Operations" + "text": "Choose from several well-defined consistency models", + "waf": 
"Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "description": "Maintain business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.", + "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", + "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", + "service": "CosmosDB", "services": [ - "AVS" + "CosmosDB", + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", - "waf": "Operations" + "text": "Enable Service managed failover", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.", + "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", + "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", + "service": "CosmosDB", "services": [ + "Backup", "Storage", - "AVS", - "Backup" + "CosmosDB", + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", - "waf": "Operations" + "text": "Enable Automatic Backups", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.", + "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", + "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", + "service": "CosmosDB", "services": [ - "Arc", - "AVS" + "Backup", + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", - "waf": "Operations" + "text": "Perform Periodic Backups", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "WAF checklist", + "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", + "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", + "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", + "service": "CosmosDB", "services": [ - "Monitor", - "AVS" + "Backup", + "CosmosDB", + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", - "waf": "Operations" + "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Operations", - "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", - "waf": "Operations" + "severity": "High", + "text": "Enable 2 replicas to have 99.9% availability for read operations", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "services": [ - "Monitor", - "AVS", - "AzurePolicy" + "WAF" ], "severity": "Medium", - 
"subcategory": "Operations", - "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", - "waf": "Operations" + "text": "Enable 3 replicas to have 99.9% availability for read/write operations", + "waf": "Reliability" }, { - "category": "Management", - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", "services": [ - "AVS", - "Defender" + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud", - "waf": "Security" + "severity": "High", + "text": "Leverage Availability Zones by enabling read and/or write replicas", + "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "services": [ - "AVS", - "Backup" + "ACR", + "WAF" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", + "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "services": [ - "AVS", - "ASR" + "ACR", + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]", + "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "services": [ - "AVS", - "ASR" + "TrafficManager", + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", + "text": "Use Azure Traffic Manager to coordinate requests", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "WAF checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", + "services": [ + 
"Storage", + "Backup", + "WAF" + ], + "severity": "High", + "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", + "service": "Cognitive Services", "services": [ - "AVS", - "ASR" + "WAF" ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible", + "severity": "Medium", + "text": "Leverage FTA HandBook for Cognitive Services", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Cognitive Services", "services": [ - "AVS", - "ASR" + "Backup", + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use the geopolitical region pair as the secondary disaster recovery environment", + "text": "Backup Your Prompts", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + 
"service": "Cognitive Services", "services": [ - "AVS", - "ASR" + "ASR", + "WAF" ], "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", + "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", + "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", + "service": "Cognitive Services", "services": [ - "ExpressRoute", - "AVS", - "NVA", - "ASR" + "Backup", + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?", + "text": "Backup Your ChatGPT conversations", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", + "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", + "service": "Cognitive Services", "services": [ - "AVS", - "Backup" + "WAF" ], "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. 
]", + "text": "CI/CD for custom speech", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "3687a046-7a1f-4893-9bda-43324f248116", + "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", + "service": "Cognitive Services", "services": [ - "AVS", - "Backup" + "WAF" ], - "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "severity": "Low", + "text": "Move a knowledge base using export-import", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "arm-service": "Microsoft.App/containerApps", + "checklist": "WAF checklist", + "guid": "af416482-663c-4ed6-b195-b44c7068e09c", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", + "service": "Container Apps", "services": [ - "AVS", - "Backup" + "WAF" ], - "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Deploy your backup solution outside of vSan, on Azure native components", + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", + "arm-service": "Microsoft.App/containerApps", + "checklist": "WAF checklist", + "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", + 
"service": "Container Apps", "services": [ - "AVS" + "WAF" ], - "severity": "Low", - "subcategory": "Business Continuity", - "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", + "severity": "High", + "text": "Use more than one replica and enable Zone Redundancy.", "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", + "arm-service": "Microsoft.App/containerApps", + "checklist": "WAF checklist", + "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "services": [ - "AVS" + "WAF" ], - "severity": "Low", - "subcategory": "Deployment strategy", - "text": "For manual deployments, all configuration and deployments must be documented", - "waf": "Operations" + "severity": "High", + "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", + "arm-service": "Microsoft.App/containerApps", + "checklist": "WAF checklist", + "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "services": [ - "AVS" + "TrafficManager", + "FrontDoor", + "WAF" ], - "severity": "Low", - "subcategory": "Deployment strategy", - "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", - 
"waf": "Operations" + "severity": "High", + "text": "Use Front Door or Traffic Manager to route traffic to the closest region", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "services": [ - "AVS" + "WAF" ], - "severity": "Low", - "subcategory": "Automated Deployment", - "text": "For automated deployments, deploy a minimal private cloud and scale as needed", - "waf": "Operations" + "severity": "High", + "text": "Select the right Function hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "services": [ - "AVS" + "WAF" ], - "severity": "Low", - "subcategory": "Automated Deployment", - "text": "For automated deployments, request or reserve quota prior to starting the deployment", - "waf": "Operations" + "severity": "High", + "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + 
"link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "services": [ - "AzurePolicy", - "AVS" + "WAF" ], - "severity": "Low", - "subcategory": "Automated Deployment", - "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", - "waf": "Operations" + "severity": "Medium", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", "services": [ - "AVS", - "AKV" + "AppSvc", + "WAF" ], - "severity": "Low", - "subcategory": "Automated Connectivity", - "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", - "waf": "Operations" + "severity": "High", + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", "services": [ - "ExpressRoute", - "AVS", - "AKV" + "AppSvc", + "WAF" ], - "severity": "Low", - "subcategory": "Automated Connectivity", - "text": "Use Key 
vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", - "waf": "Operations" + "severity": "High", + "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "services": [ - "AVS" + "Storage", + "WAF" ], - "severity": "Low", - "subcategory": "Automated Connectivity", - "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", - "waf": "Operations" + "severity": "Medium", + "text": "Pair a Function App to its own storage account. 
Try not to re-use storage accounts for Function Apps unless they are tightly coupled", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", "services": [ - "AVS" + "WAF" ], - "severity": "Low", - "subcategory": "Automated Connectivity", - "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "severity": "Medium", + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code", "waf": "Operations" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "services": [ - "AVS", - "Subscriptions" + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", - "waf": "Performance" + "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. 
You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "Operations" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "services": [ - "Storage", - "AVS", - "AzurePolicy" + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", - "waf": "Performance" + "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", + "training": "https://github.com/Azure/sap-automation", + "waf": "Operations" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", "services": [ - "AVS" + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", - "waf": "Performance" + "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", "services": [ - "AVS" + "Backup", + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", - "waf": "Performance" + "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - 
"service": "AVS", + "checklist": "WAF checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "services": [ - "AVS" + "Backup", + "SQL", + "Storage", + "ASR", + "SAP", + "WAF" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Define and enforce scale in/out maximum limits for your environment in the automations", - "waf": "Performance" + "severity": "High", + "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "category": "Platform Automation", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "services": [ - "Monitor", - "AVS" + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", - "waf": "Operations" + "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", "services": [ - "AVS", - "VM" + "VPN", + "ASR", + "ExpressRoute", + "WAF" ], "severity": "High", - "subcategory": "Architecture", - "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", "waf": "Reliability" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", "services": [ - "AVS" + "AKV", + "ACR", + "WAF" ], - "severity": "High", - "subcategory": "Architecture", - "text": "When using MON, you cannot enable MON on more than 100 Network extensions", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "severity": "Low", + "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", "waf": "Reliability" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "services": [ - "AVS", - "VPN" + "VNet", + "SAP", + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", - "waf": "Performance" + "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", + "waf": "Reliability" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", "services": [ - "AVS" + "SAP", + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", - "waf": "Performance" + "severity": "Low", + "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "Reliability" }, { - "category": "Migration", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Process", - "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", + "severity": "High", + "text": "Native database replication technology should be used to synchronize the database in a HA pair.", + "training": 
"https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" + }, + { + "checklist": "WAF checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "services": [ + "VNet", + "WAF" + ], + "severity": "High", + "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", "waf": "Reliability" }, { - "category": "Data Storage", - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", "services": [ - "Storage", - "AVS", - "VM" + "Entra", + "ASR", + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Architecture", - "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", + "severity": "High", + "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "Reliability" }, { - "category": "Data Storage", - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "services": [ - "ExpressRoute", - "AVS", - "Storage" + "SAP", + "WAF" ], - "severity": "Medium", - "subcategory": "Architecture", - "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", + "severity": "High", + "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", "waf": "Reliability" }, { - "category": "Data Storage", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", "services": [ - "ExpressRoute", - "AVS", - "Storage" + "SAP", + "WAF" ], - "severity": "Medium", - "subcategory": "Architecture", - "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", + "severity": "High", + "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "services": [ - "AVS", - "ASR" + "Storage", + "VM", + "WAF" ], "severity": "High", - "subcategory": "Architecture", - "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", + "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", "waf": "Reliability" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", "services": [ - "AVS" + "SAP", + "Storage", + "WAF" ], "severity": "High", - "subcategory": "Architecture", - "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", + "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", "waf": "Reliability" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", "services": [ - "ExpressRoute", - "AVS" + "SAP", + "WAF" ], "severity": "High", - "subcategory": "Architecture", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", + "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", "services": [ - "ExpressRoute", - "AVS" + "LoadBalancer", + "SAP", + "WAF" ], "severity": "High", - "subcategory": "Architecture", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", + "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", "waf": "Reliability" }, { - "category": "Stretched Cluster", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", + "checklist": "WAF checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", "services": [ - "AVS" + "LoadBalancer", + "WAF" ], "severity": "High", - "subcategory": "Architecture", - "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", + "text": "Make sure the Floating IP is enabled on the Load balancer", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "cb7da8cf-aa62-4a15-a495-6da97dc3a242", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-plan-capacity-vmware", - "services": [], + "checklist": "WAF checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "services": [ + "WAF" + ], "severity": "High", - "subcategory": "Replication", - "text": "Capacity planning is required to make sure you have sufficient bandwidth for replication and an estimated number of CPU cores & disk types that will be needed in Azure for failover", + "text": "Before you deploy your high-availability infrastructure, and depending on the region you 
choose, determine whether to deploy with an Azure availability set or an availability zone.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "67b23587-05a1-4652-aded-fa8a488cdec4", - "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-policy", + "checklist": "WAF checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", "services": [ - "AzurePolicy", + "Entra", + "SAP", "VM", - "ASR" + "WAF" ], "severity": "High", - "subcategory": "Replication", - "text": "Use Azure Policy to ensure that all critical Azure VMs are protected with ASR", + "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "862bc3bc-14be-4b7f-96e8-d9b3bec228e7", - "link": "https://learn.microsoft.com/azure/site-recovery/recovery-plan-overview", + "checklist": "WAF checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "services": [ - "VM" + "Entra", + "RBAC", + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Replication", - "text": "Define recovery plans to automate the failover sequence for VMs. 
You can also include automation scripts to reduce manual steps and improve recovery time", - "waf": "Reliability" - }, - { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "437b1736-db55-4f67-a613-334bd09dc234", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-how-to-manage?tabs=recovery-services-vault", - "services": [], - "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enable and LOCK immutability for vaults. This ensures recovery points cannot be deleted before their intended expiry", + "severity": "High", + "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "19db6128-1265-404b-a47a-493a08042729", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "services": [], + "checklist": "WAF checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enable 'Always-on soft delete' for vaults protecting critical workloads", + "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Recovery Services Vault Checklist", - "guid": "4798b158-8b31-4aa5-9ceb-54445135a227", - "link": 
"https://learn.microsoft.com/azure/backup/backup-create-recovery-services-vault#set-storage-redundancy", + "checklist": "WAF checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "services": [ - "Storage" + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Redudancy", - "text": "When creating Recovery Service Vaults choose the best storage redundancy option for your requirements. Vaults support local, geo and zone redundancy but this setting cannot be changed once the vault is protecting one or more resources", + "severity": "High", + "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", - "services": [], + "checklist": "WAF checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "services": [ + "Entra", + "SAP", + "WAF" + ], "severity": "High", - "subcategory": "High Availability", - "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)", + "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "services": [], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", + "checklist": "WAF checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "services": [ + "SAP", + "ACR", + "WAF" + ], + "severity": "High", + "text": "Use one proximity placement group per SAP SID. 
Groups don't span across Availability Zones or Azure regions", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "services": [], + "checklist": "WAF checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "services": [ + "Entra", + "SAP", + "WAF" + ], "severity": "High", - "subcategory": "High Availability", - "text": "Consider a Cross-Region DR strategy for critical workloads", + "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Learn how to trigger a manual failover.", + "checklist": "WAF checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", + "services": [ + "Entra", + "VM", + "WAF" + ], + "severity": "Medium", + "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. 
However, you can combine up to five multiple central-services clusters into a pair of VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", - "services": [], - "severity": "High", - "subcategory": "High Availability", - "text": "Learn how to fail back after a failover.", + "checklist": "WAF checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "services": [ + "Storage", + "VM", + "WAF" + ], + "severity": "Medium", + "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. These VMs should be the same size and have the same storage configuration.", "waf": "Reliability" }, { - "category": "Responsible AI", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Metaprompting", - "text": "Follow Metaprompting guardrails for resonsible AI", - "waf": "Operational Excellence" + "checklist": "WAF checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", + "services": [ + "SAP", + "WAF" + ], + "severity": "Medium", + "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat 
Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "services": [ - "APIM", - "Entra" + "Storage", + "WAF" ], "severity": "High", - "subcategory": "Load Balancing", - "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", - "waf": "Operational Excellence" + "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", "services": [ - "Monitor" + "SAP", + "Storage", + "WAF" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Enable monitoring for your AOAI instances", - "waf": "Operational Excellence" + "text": "You should run SAP HANA on Azure only on the types of storage that are certified 
by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", "services": [ - "Monitor", - "AKV", - "Subscriptions" + "SAP", + "Storage", + "ASR", + "WAF" ], "severity": "High", - "subcategory": "Alerts", - "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", - "waf": "Operational Excellence" + "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", "services": [ - "Monitor" + "SAP", + "Storage", + "WAF" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Monitor token usage to prevent service disruptions due to capacity", - "waf": "Operational Excellence" + "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", + "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "services": [ - "Monitor" + "SAP", + "Cost", + "WAF" ], "severity": "Medium", - "subcategory": "Observability", - "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", - "waf": "Operational Excellence" + "text": "Automate SAP System Start-Stop to manage costs.", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", "services": [ - "APIM" + "Storage", + "VM", + "SAP", + "Cost", + "WAF" ], "severity": "Low", - "subcategory": "Observability", - "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", - "waf": "Operational Excellence" + "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage 
solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", + "waf": "Cost" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Infrastructure Deployment", - "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", - "waf": "Operational Excellence" + "checklist": "WAF checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "services": [ + "Storage", + "VM", + "SAP", + "Cost", + "WAF" + ], + "severity": "Low", + "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", + "waf": "Cost" }, - { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", + { + "checklist": "WAF checklist", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", "services": [ - "Entra" + "RBAC", + "Subscriptions", + "WAF" ], "severity": "High", - "subcategory": "Authentication", - "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", + "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "Security" }, { - "category": "Responsible AI", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Evaluation", - "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. 
Leverage capabilities in PromptFlow for Evaluation.", - "waf": "Operational Excellence" - }, - { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Hosting model", - "text": "Evaluate usage of Provisioned throughput model ", - "waf": "Performance" + "checklist": "WAF checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", + "services": [ + "Entra", + "SAP", + "WAF" + ], + "severity": "Medium", + "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "Security" }, { - "category": "Responsible AI", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Content Safety", - "text": "Review and implement Azure AI content safety", - "waf": "Operational Excellence" + "checklist": "WAF checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", + "services": [ + "Entra", + "SAP", + "WAF" + ], + "severity": "Medium", + "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP 
Qualtrics and SAP C4C with Azure AD using SAML.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Throughput definition", - "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", - "waf": "Performance" + "checklist": "WAF checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", + "services": [ + "SAP", + "WAF" + ], + "severity": "Medium", + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "Azure OpenAI", - "services": [], + "checklist": "WAF checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", + "services": [ + "SAP", + "WAF" + ], "severity": "Medium", - "subcategory": "Latency improvement", - "text": "Improve latency of the system by limiting token sizes, streaming options", - "waf": "Performance" + "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": "Security" }, { - "category": 
"Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "services": [ - "ServiceBus", - "Storage" + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Elasticity segregation", - "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", - "waf": "Performance" + "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Benchmarking", - "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", - "waf": "Performance" + "checklist": "WAF checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", + "services": [ + "SAP", + "AKV", + "WAF" + ], + "severity": "Medium", + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", - "services": [], + "checklist": "WAF checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", + "services": [ + "SAP", + "AKV", + "WAF" + ], "severity": "Medium", - "subcategory": "Elasticity ", - "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", - "waf": "Performance" + "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Model choice", - "text": "Choose the right model for the right task. 
Pick models with right tradeoff between speed, quality of response and output complexity", - "waf": "Performance" + "checklist": "WAF checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", + "services": [ + "SAP", + "WAF" + ], + "severity": "Medium", + "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", - "services": [], + "checklist": "WAF checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", + "services": [ + "SAP", + "WAF" + ], "severity": "Medium", - "subcategory": "Fine tuning", - "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance", - "waf": "Performance" + "text": "Implement SSO to SAP HANA", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", "services": [ - "ACR" + "Entra", + "SAP", + "WAF" ], - "severity": "Low", - "subcategory": "Multi-region architecture", - "text": "Deploy multiple OAI instances across regions", - "waf": 
"Reliability" + "severity": "Medium", + "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", "services": [ - "APIM", - "Entra" + "SAP", + "WAF" ], - "severity": "High", - "subcategory": "Load balancing", - "text": "Implement retry & healthchecks with Gateway pattern like APIM", - "waf": "Reliability" + "severity": "Medium", + "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", - "services": [], + "checklist": "WAF checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", + "services": [ + "Entra", + "SAP", + "WAF" + ], "severity": "Medium", - "subcategory": "Quotas", - "text": "Ensure having adequate quotas of TPM & RPM for the workload", - "waf": "Reliability" + "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. 
This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.", + "waf": "Security" }, { - "category": "Responsible AI", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", - "services": [], + "checklist": "WAF checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", + "services": [ + "SAP", + "WAF" + ], "severity": "Medium", - "subcategory": "UX best practice", - "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", - "waf": "Operational Excellence" + "text": "Implement SSO to SAP BTP", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", "services": [ - "ACR" + "Entra", + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "Load balancing", - "text": "Deploy separate fine tuned models across regions if finetuning is employed", - "waf": "Reliability" + "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. 
Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", "services": [ - "Backup", - "ASR" + "SAP", + "Subscriptions", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Data Backup and Disaster Recovery", - "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.", - "waf": "Reliability" + "text": "enforce existing Management Group policies to SAP Subscriptions", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", - "services": [], + "checklist": "WAF checklist", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "services": [ + "SAP", + "Subscriptions", + "WAF" + ], "severity": "High", - "subcategory": "SLA considerations", - "text": "Azure AI search service tiers should be choosen to have a SLA ", - "waf": "Reliability" + "text": 
"Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "Azure OpenAI", - "services": [], - "severity": "Low", - "subcategory": "Data Sensitivity", - "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification", - "waf": "Security" + "checklist": "WAF checklist", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "services": [ + "Subscriptions", + "WAF" + ], + "severity": "High", + "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "Azure OpenAI", - "services": [], + "checklist": "WAF checklist", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", + "services": [ + "VM", + "Subscriptions", + "WAF" + ], "severity": "High", - "subcategory": "Encryption at Rest", - "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK", - "waf": "Security" + "text": "Ensure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", "services": [ - "ACR" + "WAF" + ], + "severity": "Low", + "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. 
Consider using it if necessary.", + "waf": "Operations" + }, + { + "checklist": "WAF checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", + "services": [ + "VM", + "Subscriptions", + "WAF" ], "severity": "High", - "subcategory": "Transit Encryption", - "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication", - "waf": "Security" + "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", "services": [ - "RBAC" + "WAF" ], "severity": "High", - "subcategory": "Access Control", - "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities", - "waf": "Security" + "text": "Ensure required services and features are available within the chosen deployment regions eg. 
ANF , Zone etc.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", - "services": [], + "checklist": "WAF checklist", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", + "services": [ + "TrafficManager", + "Cost", + "WAF" + ], "severity": "Medium", - "subcategory": "Data Masking and Redaction", - "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes", - "waf": "Security" + "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "services": [ - "Sentinel", - "Defender", - "Monitor" + "Backup", + "WAF" ], "severity": "High", - "subcategory": "Threat Detection and 
Monitoring",
- "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response",
- "waf": "Security"
+ "text": "Help protect your HANA database by using the Azure Backup service.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
- "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
+ "service": "SAP",
 "services": [
- "AzurePolicy"
+ "Entra",
+ "Storage",
+ "VM",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Data Retention and Disposal",
- "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
- "waf": "Security"
- },
- {
- "category": "Responsible AI",
- "checklist": "Azure OpenAI Review",
- "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
- "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
- "service": "Azure OpenAI",
- "services": [],
- "severity": "High",
- "subcategory": "Jail break Safety",
- "text": "Implement Prompt shields and groundedness detection using Content Safety ",
- "waf": "Operational Excellence"
+ "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.",
+ "waf": "Reliability"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
- "link": "https://learn.microsoft.com/azure/compliance/",
- "service": "Azure OpenAI",
- "services": [],
+ "checklist": "WAF checklist",
+ "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
+ "services": [
+ "SAP",
+ "WAF"
+ ],
 "severity": "High",
- "subcategory": "Data Privacy and Compliance",
- "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
- "waf": "Security"
+ "text": "Ensure time-zone matches between the operating system and the SAP system.",
+ "waf": "Operations"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
- "service": 
"Azure OpenAI", - "services": [], + "checklist": "WAF checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", + "services": [ + "Entra", + "WAF" + ], "severity": "Medium", - "subcategory": "Employee Awareness and Training", - "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.", - "waf": "Security" + "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Environment segregation", - "text": "Keep production data separate from development and testing data. 
Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
- "waf": "Security"
+ "checklist": "WAF checklist",
+ "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
+ "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
+ "service": "SAP",
+ "services": [
+ "Cost",
+ "WAF"
+ ],
+ "severity": "Low",
+ "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.",
+ "waf": "Cost"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
- "service": "Azure OpenAI",
- "services": [],
+ "checklist": "WAF checklist",
+ "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
+ "link": "https://learn.microsoft.com/azure/lighthouse/overview",
+ "service": "SAP",
+ "services": [
+ "Entra",
+ "SAP",
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Index Segregation",
- "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
- "waf": "Security"
+ "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
+ "waf": "Operations"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
+ "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
+ "service": "SAP",
 "services": [
- "RBAC",
- "AzurePolicy"
+ "VM",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Sensitive Data in Separate Instances",
- "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
- "waf": "Security"
+ "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
+ "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
- "service": "Azure OpenAI",
- "services": [],
- "severity": "High",
- "subcategory": "Embedding and Vector handling",
- "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. 
This data should be afforded the same protective measures as the source material",
- "waf": "Security"
+ "checklist": "WAF checklist",
+ "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
+ "service": "SAP",
+ "services": [
+ "SAP",
+ "WAF"
+ ],
+ "severity": "Low",
+ "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
+ "service": "SAP",
 "services": [
- "RBAC"
+ "SAP",
+ "Monitor",
+ "SQL",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Access control",
- "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
- "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
+ "service": "SAP",
 "services": [
- "PrivateLink"
+ "Entra",
+ "VM",
+ "Monitor",
+ "SAP",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Network security",
- "text": "Configure private endpoint for AI services to restrict service access within your network",
- "waf": "Security"
+ "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "SAP",
 "services": [
- "VNet",
- "Firewall"
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Network security",
- "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. 
", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Control Network Access", - "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement", - "waf": "Security" + "checklist": "WAF checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", + "services": [ + "NetworkWatcher", + "SAP", + "Monitor", + "WAF" + ], + "severity": "Medium", + "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. Or collect and display network latency measurements by using Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "Operations" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", "services": [ - "Cost" + "SAP", + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Token Optimization", - "text": "Use prompt compression tools like LLMLingua or gprtrim", - "waf": "Cost Optimization" + "text": "Perform a quality check for SAP HANA on the provisioned Azure 
infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
+ "waf": "Operations"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "service": "SAP",
 "services": [
- "AKV",
- "Entra"
+ "SAP",
+ "Subscriptions",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Secure APIs and Endpoints",
- "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.",
- "waf": "Security"
+ "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
+ "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "waf": "Performance"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
- "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
- "service": "Azure OpenAI",
- "services": [],
+ "checklist": "WAF checklist",
+ "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
+ "service": "SAP",
+ "services": [
+ "Storage",
+ "ASR",
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Implement Strong Authentication",
- "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent 
unauthorized access to the LLM application and associated network resources",
- "waf": "Security"
+ "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.",
+ "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
+ "waf": "Reliability"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
+ "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
+ "service": "SAP",
 "services": [
- "Monitor"
+ "SAP",
+ "Sentinel",
+ "Monitor",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Use Network Monitoring",
- "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents",
+ "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. 
Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
+ "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
 "waf": "Security"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
- "service": "Azure OpenAI",
- "services": [],
+ "checklist": "WAF checklist",
+ "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "service": "SAP",
+ "services": [
+ "Cost",
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Security Audits and Penetration Testing",
- "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure",
- "waf": "Security"
+ "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
+ "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
- "service": "Azure OpenAI",
- "services": [],
+ "checklist": "WAF checklist",
+ "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
+ "service": "SAP",
+ "services": [
+ "Monitor",
+ "VM",
+ "WAF"
+ ],
 "severity": "Low",
- "subcategory": "Infrastructure Deployment",
- "text": "Azure AI Services are properly tagged for better 
management",
- "waf": "Operational Excellence"
+ "text": "Use inter-VM latency monitoring for latency-sensitive applications.",
+ "waf": "Performance"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
- "service": "Azure OpenAI",
- "services": [],
- "severity": "Low",
- "subcategory": "Infrastructure Deployment",
- "text": "Azure AI Service accounts follows organizational naming conventions",
- "waf": "Operational Excellence"
+ "checklist": "WAF checklist",
+ "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
+ "service": "SAP",
+ "services": [
+ "SAP",
+ "Monitor",
+ "ASR",
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
- "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
- "service": "Azure OpenAI",
- "services": [],
- "severity": "High",
- "subcategory": "Diagnostics Logging",
- "text": "Diagnostic logs in Azure AI services resources should be enabled",
- "waf": "Operational Excellence"
+ "checklist": "WAF checklist",
+ "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
+ "services": [
+ "SAP",
+ "Storage",
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "Exclude all the database file systems and executable programs from antivirus scans. 
Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.",
+ "waf": "Performance"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure OpenAI Review",
- "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
- "link": "https://learn.microsoft.com/azure/ai-services/authentication",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "c027f893-f404-41a9-b33d-39d625a14964",
+ "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
+ "service": "SAP",
 "services": [
- "Entra"
+ "SAP",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Entra ID based access",
- "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
+ "waf": "Performance"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
+ "service": "SAP",
 "services": [
- "AKV",
- "Entra"
+ "SAP",
+ "Storage",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Secure Key Management",
- "text": "Store and manage keys securely using Azure Key Vault. 
Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.",
+ "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
+ "waf": "Performance"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
+ "service": "SAP",
 "services": [
- "AKV"
+ "SAP",
+ "SQL",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Key Rotation and Expiration",
- "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. 
We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.",
+ "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
+ "waf": "Performance"
 },
 {
- "category": "Cost Optimization",
- "checklist": "Azure OpenAI Review",
- "guid": "adfe27be-e297-401a-a352-baaab79b088d",
- "link": "https://github.com/openai/tiktoken",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
+ "service": "SAP",
 "services": [
- "Cost"
+ "SAP",
+ "Monitor",
+ "ASR",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Token Optimization",
- "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode",
- "waf": "Cost Optimization"
+ "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
+ "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "category": "Governance and Security",
- "checklist": "Azure OpenAI Review",
- "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
- "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
- "service": "Azure OpenAI",
- "services": [],
- "severity": "High",
- "subcategory": "Secure coding practice",
- "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations",
+ "checklist": "WAF checklist",
+ "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "SAP",
+ "services": [
+ "AppGW",
+ "AzurePolicy",
+ "WAF"
+ ],
+ "severity": "Medium",
+ 
"text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "Azure OpenAI", - "services": [], - "severity": "High", - "subcategory": "Patching and updates", - "text": "Setup a process to regularly update and patch the LLM libraries and other system components", - "waf": "Security" + "checklist": "WAF checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", + "services": [ + "DNS", + "SAP", + "VM", + "WAF" + ], + "severity": "Medium", + "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. 
Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "waf": "Operations"
 },
 {
- "category": "Responsible AI",
- "checklist": "Azure OpenAI Review",
- "guid": "e29711b1-352b-4eee-879b-588defc4972c",
- "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "service": "SAP",
 "services": [
- "AzurePolicy"
+ "DNS",
+ "SAP",
+ "VNet",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Governance",
- "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases",
- "waf": "Operational Excellence"
+ "severity": "Medium",
+ "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution",
+ "waf": "Operations"
 },
 {
- "category": "Cost Optimization",
- "checklist": "Azure OpenAI Review",
- "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "a3592829-e6e2-4061-9368-6af46791f893",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview",
+ "service": "SAP",
 "services": [
- "Cost"
+ "SAP",
+ "ACR",
+ "VNet",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Cost familiarization",
- "text": "Understand difference in cost of base models and fine tuned models and token step sizes",
- "waf": "Cost Optimization"
+ "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions",
+ "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "category": "Cost Optimization",
- "checklist": "Azure OpenAI Review",
- "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide",
+ "service": "SAP",
 "services": [
- "Cost"
+ "SAP",
+ "NVA",
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Batch processing",
- "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. 
Ensure you optimize batch size",
- "waf": "Cost Optimization"
+ "text": "It is not supported to deploy any NVA between SAP application and SAP Database server",
+ "training": "https://me.sap.com/notes/2731110",
+ "waf": "Performance"
 },
 {
- "category": "Cost Optimization",
- "checklist": "Azure OpenAI Review",
- "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
+ "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
+ "service": "SAP",
 "services": [
- "Cost",
- "Monitor"
+ "VWAN",
+ "ACR",
+ "SAP",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Cost monitoring",
- "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes",
- "waf": "Cost Optimization"
+ "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.",
+ "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "waf": "Operations"
 },
 {
- "category": "Cost Optimization",
- "checklist": "Azure OpenAI Review",
- "guid": "166cd072-af9b-4141-a898-a535e737897e",
- "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits",
- "service": "Azure OpenAI",
+ "checklist": "WAF checklist",
+ "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
+ "service": "SAP",
 "services": [
- "Cost"
+ "VNet",
+ "NVA",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Token limit",
- "text": "Set a maximum limit on the number of tokens per model response. Optimize the size to ensure it is large enough for a valid response",
- "waf": "Cost Optimization"
- },
- {
- "category": "Operations Management",
- "checklist": "Azure OpenAI Review",
- "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2",
- "link": "https://learn.microsoft.com/azure/search/search-reliability",
- "service": "Azure OpenAI",
- "services": [],
- "severity": "Medium",
- "subcategory": "AI Search Reliability",
- "text": "Review the guidance provided on setting up AI search for Reliability",
- "waf": "Operational Excellence"
+ "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", "services": [ - "Storage" + "NVA", + "SAP", + "VNet", + "WAF", + "VWAN" ], "severity": "Medium", - "subcategory": "AI Search Vector Limits", - "text": "Plan and manage AI Search Vector storage", - "waf": "Operational Excellence" - }, - { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", - "services": [], - "severity": "Medium", - "subcategory": "DevOps", - "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications", - "waf": "Operational Excellence" + "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operations" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "services": [ - "Cost" + "SAP", + "VM", + "WAF" ], "severity": "High", - "subcategory": "Costing Model", - "text": "Evaluate usage of billing models - PAYG vs PTU", - "waf": "Cost Optimization" - }, - { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", - "services": [], - "severity": "Medium", - "subcategory": "DevOps", - "text": "Evaluate the quality of prompts and applications when switching between model versions", - "waf": "Operational Excellence" + "text": "Public IP assignment to VM running SAP Workload is not recommended.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": 
"https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", "services": [ - "Monitor" + "ASR", + "WAF" ], - "severity": "Medium", - "subcategory": "Development", - "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence, fluency, �", - "waf": "Operational Excellence" - }, - { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", - "services": [], - "severity": "Medium", - "subcategory": "Development", - "text": "Evaluate your Azure AI Search results based on different search parameters", - "waf": "Operational Excellence" + "severity": "High", + "text": "Consider reserving IP address on DR side when configuring ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", - "services": [], - "severity": "Medium", - "subcategory": "Development", - "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", - "waf": "Operational Excellence" + "checklist": "WAF checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + 
"service": "SAP", + "services": [ + "WAF" + ], + "severity": "High", + "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Operations" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", - "services": [], + "checklist": "WAF checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", + "services": [ + "Storage", + "VNet", + "WAF" + ], "severity": "Medium", - "subcategory": "Development", - "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", - "waf": "Operational Excellence" + "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. 
Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "Operations" }, { - "category": "Governance and Security", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", - "services": [], + "checklist": "WAF checklist", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", + "services": [ + "Firewall", + "WAF" + ], "severity": "Medium", - "subcategory": "Security Audits and Penetration Testing", - "text": "Red team your GenAI applications", + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", - "services": [], + "checklist": "WAF checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", + "services": [ + "SAP", + "AppGW", + "WAF" + ], "severity": "Medium", - "subcategory": "End user feedback", - "text": "Provide end users with scoring options for LLM responses and track these scores. 
", - "waf": "Operational Excellence" + "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "waf": "Security" }, { - "category": "Cost Optimization", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "services": [ - "Cost" + "FrontDoor", + "ACR", + "AzurePolicy", + "WAF" ], - "severity": "High", - "subcategory": "Quota Management", - "text": "Consider Quota management practices", - "waf": "Cost Optimization" + "severity": "Medium", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "Azure OpenAI", + "checklist": "WAF checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "services": [ - "APIM", - "LoadBalancer", - "ACR", - "Entra" + "FrontDoor", + "AppGW", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Load Balancing", - "text": "Use Load balancer 
solutions like APIM based gateway for balancing load and capacity across services and regions", - "waf": "Operational Excellence" + "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "When you are creating a SQL Server on Azure VM, carefully consider the type of workload necessary. If you are migrating an existing environment, collect a performance baseline to determine your SQL Server on Azure VM requirements. If this is a new VM, then create your new SQL Server VM based on your vendor requirements.", - "guid": "1fc3fc14-eea6-4e69-b8d9-a3eec218e687", - "link": "https://learn.microsoft.com/sql/dma/dma-sku-recommend-sql-db?view=sql-server-ver16", + "checklist": "WAF checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "services": [ - "SQL", - "VM" + "LoadBalancer", + "AppGW", + "WAF" ], - "severity": "High", - "subcategory": "VM Size", - "text": "Collect the target workload's performance characteristics and use them to determine the appropriate VM size for your business.", - "waf": "Performance" + "severity": "Medium", + "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. 
Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "The memory optimized virtual machine sizes are a primary target for SQL Server VMs and the recommended choice by Microsoft. The memory optimized virtual machines offer stronger memory-to-CPU ratios and medium-to-large cache options.Consider Ebdsv5-series series first for most SQL Server workloads.", - "guid": "e04abe1f-8d39-4fda-9776-8424c116775c", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-vm-size?view=azuresql#memory-optimized", + "checklist": "WAF checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "services": [ - "SQL", - "VM" + "VWAN", + "ACR", + "SAP", + "WAF" ], "severity": "Medium", - "subcategory": "VM Size", - "text": "Use memory optimized virtual machine sizes for the best performance of SQL Server workloads.", + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "To find the most effective configuration for SQL Server workloads on an Azure VM, start by measuring the storage performance of your business application. Once storage requirements are known, select a virtual machine that supports the necessary IOPS and throughput with the appropriate memory-to-vCore ratio.", - "guid": "2ea55b56-ad48-4408-be72-734b476ba18f", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance#counters-to-measure-application-performance-requirements", + "checklist": "WAF checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "services": [ - "SQL", + "PrivateLink", + "Backup", "Storage", - "VM" + "ACR", + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Determine storage bandwidth and latency requirements for SQL Server data, log, and tempdb files before choosing the disk type.", - "waf": "Performance" + "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "This provides more dedicated disk IOPS and throughput on the disk level and also allows you to configure the Azure disk host caching setting for each disk to the optimal setting for that data type.", - "guid": "dbf590ce-65de-48e0-9f9c-cbd468266abc", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "checklist": "WAF checklist", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "services": [ - "SQL", - "Storage" + "SAP", + "VM", + "WAF" ], "severity": "High", - "subcategory": "Storage", - "text": "Place data, log, and tempdb files on separate drives", + "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Premium SSD is always recommend as a minimum for SQL Server in order to obtain better performance and lower latency. 
P30 and P40 are recommended because disk caching is not supported for disks 4 TiB and larger ( P50 and above) and they provide the optimal price to performance ratio", - "guid": "e6a84de5-df43-4d19-a248-1718d5d1e5f6", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "checklist": "WAF checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", "services": [ - "SQL", - "Storage" + "LoadBalancer", + "WAF" ], - "severity": "High", - "subcategory": "Storage", - "text": "For the data drive, use premium P30 and P40 or smaller disks to ensure the availability of cache support", - "waf": "Performance" + "severity": "Medium", + "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Log files have primarily write-heavy operations. Therefore, they do not benefit from the ReadOnly cache. 
Hence evaluate your price vs performance vs capacity and chose the right storage disk.", - "guid": "25659d35-58fd-4772-99c9-31112d027fe4", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "checklist": "WAF checklist", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "services": [ - "Cost", - "SQL", - "Storage" + "VM", + "SAP", + "VNet", + "WAF" ], - "severity": "High", - "subcategory": "Storage", - "text": "For the log drive plan for capacity and test performance versus cost while evaluating the premium P30 - P80 disks", - "waf": "Performance" + "severity": "Medium", + "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. ASGs group virtual machines to help manage their security.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Placing TempDB on the D drive can help performance. 
Consider the size required and always test performance.", - "guid": "12f70983-f630-4472-8ee6-9d6b5c2622f5", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "checklist": "WAF checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "services": [ - "SQL", - "Storage", - "VM" + "SAP", + "VNet", + "WAF" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Place tempdb on the local ephemeral SSD (default D:\\) drive for most SQL Server workloads that are not part of Failover Cluster Instance (FCI) after choosing the optimal VM size.", + "severity": "High", + "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Striping Data and Log disk can increase bandwidth. 
Ensure that VM size also matches expected output", - "guid": "4b69bad3-4aad-45e8-a78e-1d76667313c4", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "checklist": "WAF checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "services": [ - "SQL", - "Storage", - "VM" + "SAP", + "WAF" ], - "severity": "High", - "subcategory": "Storage", - "text": "Stripe multiple Azure data disks using Storage Spaces to increase I/O bandwidth", + "severity": "Medium", + "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Your storage caching policy varies depending on the type of SQL Server data files that are hosted on the drive.Enable Read-only caching for the disks hosting SQL Server data files.Reads from cache will be faster than the uncached reads from the data disk.Set the caching policy to None for disks hosting the transaction log. 
There is no performance benefit to enabling caching for the Transaction log disk.", - "guid": "05674b5e-985b-4859-a773-e7e261623b77", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "checklist": "WAF checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "services": [ - "SQL", - "Storage", - "AzurePolicy" + "SAP", + "WAF" ], "severity": "High", - "subcategory": "Storage", - "text": "Set host caching to read-only for data file disks and none for log file disks.", + "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. Both layers need to completely reside either on-premise or in Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Check that you storage is in the same region as your VM. 
For exaplme if your VM is in EAST US 2 ensure your storage is in East US 2.", - "guid": "5a917e1f-348e-4f35-9c27-d42e8bbac868", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "checklist": "WAF checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "services": [ - "SQL", - "Storage", - "VM" + "SAP", + "VNet", + "Cost", + "WAF" ], "severity": "High", - "subcategory": "Storage", - "text": "Provision the storage account in the same region as the SQL Server VM", - "waf": "Performance" + "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Cost" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "SQL Server uses extents to store data. These are 64KB in size. 
Therefore, on a SQL Server machine, the NTFS allocation unit size for hosting SQL database files should be 64 KB.", - "guid": "155abb91-63e9-4908-ae28-c84c33b6b780", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage", + "checklist": "WAF checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "services": [ - "SQL", - "Storage" + "LoadBalancer", + "WAF" ], "severity": "High", - "subcategory": "Storage", - "text": "Format your data disk to use 64 KB block size (allocation unit size) for all data files placed on a drive other than the temporary D:\\ drive", + "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "It is recommended that you determine BCDR needs and requirements ensuring that you are able to meet you SLAs of the environment.", - "guid": "8b9fe5c4-2049-4d41-9a92-3c3474d11028", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#azure-only-disaster-recovery-solutions", + "checklist": "WAF checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "services": [ - "SQL", - "VM" + "SAP", + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "HADR", - "text": "Determine HA/DR requirements for each VM to be migrated.", - "waf": "Reliability" + "text": "For SAP RISE/ECS deployments, virtual peering is the 
preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", + "waf": "Security" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "When depoying High Availability you need to use availability sets or availability zones to avoid unexpected outages.", - "guid": "ac6aae01-e6a8-44de-9df4-3d1992481718", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#high-availability-nodes-in-an-availability-set", + "checklist": "WAF checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "services": [ - "SQL", - "VM" + "SAP", + "Backup", + "VM", + "WAF" ], "severity": "High", - "subcategory": "HADR", - "text": "Place your VMs in an availability set or different availability zones.", - "waf": "Reliability" + "text": "Review SAP HANA database backups for Azure VMs.", + "waf": "Cost" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Prefered option when deploying an Availability Group. 
The recommended solution is to use multi-subnets when deploying Always on Availability Groups.", - "guid": "d5d1e5f6-2565-49d3-958f-d77249c93111", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-azure-portal-configure?view=azuresql&tabs=azure-cli", + "checklist": "WAF checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "services": [ - "SQL", - "VNet", - "VM", - "LoadBalancer" + "SAP", + "Monitor", + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "HADR", - "text": "Deploy your SQL Server VMs to multiple subnets whenever possible to avoid the dependency on an Azure Load Balancer or a distributed network name (DNN) to route traffic to your HADR solution. ( If one is implementing FCI or AG)", - "waf": "Reliability" + "text": "Review Site Recovery built-in monitoring, where used for SAP.", + "waf": "Cost" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "High availability and disaster recovery (HADR) features, such as the Always On availability group and the failover cluster instance rely on underlying Windows Server Failover Cluster technology. 
Review the best practices for modifying your HADR settings to better support the cloud environment.", - "guid": "2d027fe4-12f7-4098-9f63-04722ee69d6b", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#hadr-configuration", + "checklist": "WAF checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", "services": [ - "SQL", - "ASR" + "SAP", + "Monitor", + "WAF" ], "severity": "High", - "subcategory": "HADR", - "text": "Change the cluster to less aggressive parameters to avoid unexpected outages from transient network failures or Azure platform maintenance. ( If one is implementing FCI or AG)", - "waf": "Reliability" + "text": "Review the Monitoring the SAP HANA System Landscape guidance.", + "waf": "Operations" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Ensure that quorum is set correct for the number of instances deployed.", - "guid": "5c2622f5-4b69-4bad-94aa-d5e8c78e1d76", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/hadr-cluster-best-practices?view=azuresql-vm&tabs=windows2012#quorum-voting", + "checklist": "WAF checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "services": [ - "SQL" + "Backup", + "VM", + "WAF" ], - "severity": "High", - "subcategory": "HADR", - "text": "Configure cluster quorum voting to use 3 or more odd number of votes. Don't assign votes to DR regions. 
( If one is implementing FCI or AG)", - "waf": "Reliability" + "severity": "Medium", + "text": "Review Oracle Database in Azure Linux VM backup strategies.", + "waf": "Operations" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "On Azure virtual machines, clusters use a load balancer to hold an IP address that needs to be on one cluster node at a time. In this solution, the load balancer holds the IP address for the virtual network name (VNN) listener for the Always On availability group when the SQL Server VMs are in a single subnet.", - "guid": "667313c4-0567-44b5-b985-b859c773e7e2", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-vnn-azure-load-balancer-configure?view=azuresql-vm&tabs=ilb", + "checklist": "WAF checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", "services": [ - "VM", + "Storage", "SQL", - "VNet", - "LoadBalancer" + "WAF" ], - "severity": "High", - "subcategory": "HADR", - "text": "When using the virtual network name (VNN) and Azure Load Balancer to connect to your HADR solution, specify MultiSubnetFailover = true in the connection string, even if your cluster only spans one subnet. 
( If one is implementing FCI or AG)", - "waf": "Reliability" + "severity": "Medium", + "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "waf": "Operations" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "SQL Server, Azure SQL Database, and Azure SQL Managed Instance support row and page compression for rowstore tables and indexes, and support columnstore and columnstore archival compression for columnstore tables and indexes.", - "guid": "61623b77-5a91-47e1-b348-ef354c27d42e", - "link": "https://learn.microsoft.com/sql/relational-databases/data-compression/data-compression?view=sql-server-ver16", + "checklist": "WAF checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", "services": [ - "SQL", - "Storage" + "Backup", + "VM", + "WAF" ], - "severity": "Low", - "subcategory": "SQL Server", - "text": "Enable database page compression where appropriate.", - "waf": "Performance" + "severity": "Medium", + "text": "Review the use of Automated Backup v2 for Azure VMs.", + "waf": "Operations" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "By default, data and log files are initialized to overwrite any existing data left on the disk from previously deleted files. Data and log files are first initialized by zeroing the files (filling with zeros).In SQL Server, for data files only, instant file initialization (IFI) allows for faster execution of the previously mentioned file operations, since it reclaims used disk space without filling that space with zeros. 
Instead, disk content is overwritten as new data is written to the files.", - "guid": "8bbac868-155a-4bb9-863e-9908ae28c84c", - "link": "https://learn.microsoft.com/sql/relational-databases/databases/database-instant-file-initialization?view=sql-server-ver16", + "checklist": "WAF checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "services": [ - "SQL", - "Storage" + "WAF" ], "severity": "High", - "subcategory": "SQL Server", - "text": "Enable instant file initialization for data files.", + "text": "Enabling Write accelerator for M series when using premium disks(V1)", "waf": "Operations" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Recommended for best performance and availability migrate all databases to data and log disks", - "guid": "33b6b780-8b9f-4e5c-9204-9d413a923c34", - "link": "https://learn.microsoft.com/sql/relational-databases/databases/move-database-files?view=sql-server-ver16", + "checklist": "WAF checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "services": [ - "SQL" + "WAF" ], "severity": "Medium", - "subcategory": "SQL Server", - "text": "Move all databases to data disks, including system databases.", - "waf": "Operations" + "text": "Test availability zone latency.", + "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "b824546c-e1ae-4e34-93ae-c8239248725d", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#sql-server-features", + "checklist": "WAF checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": 
"https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "services": [ - "SQL", - "Storage", - "VM" + "SAP", + "WAF" ], - "severity": "Low", - "subcategory": "SQL Server", - "text": "Move SQL Server error log and trace file directories to data disks.", - "waf": "Operations" + "severity": "Medium", + "text": "Activate SAP EarlyWatch Alert for all SAP components.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "d68c5b5c-2925-4394-a69a-9d2799c42bb6", - "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/server-memory-server-configuration-options#use-", + "checklist": "WAF checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "services": [ - "SQL", - "VM" + "SAP", + "WAF" ], - "severity": "High", - "subcategory": "SQL Server", - "text": "Set max SQL Server memory limit to leave enough memory for the Operating System.", + "severity": "Medium", + "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "8d1d7555-6246-4b43-a563-b4dc74a748b6", - "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/enable-the-lock-pages-in-memory-option-windows", + "checklist": "WAF checklist", + "guid": 
"62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "services": [ + "Monitor", "SQL", - "VM" + "WAF" ], - "severity": "High", - "subcategory": "SQL Server", - "text": "Enable lock pages in memory.", + "severity": "Medium", + "text": "Review SQL Server performance monitoring using CCMS.", "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "633ad2a0-916a-4664-a8fa-d0e278ee293c", - "link": "https://learn.microsoft.com/sql/relational-databases/performance/monitoring-performance-by-using-the-query-store", + "checklist": "WAF checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", "services": [ - "SQL", - "VM" + "SAP", + "VM", + "WAF" ], - "severity": "Low", - "subcategory": "SQL Server", - "text": "Enable Query Store on all production SQL Server databases following best practices.", + "severity": "Medium", + "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", + "training": "https://me.sap.com/notes/1100926/E", "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "1bc352ba-aab7-4571-a49a-b8093dc9ec9d", - "link": "https://learn.microsoft.com/sql/relational-databases/databases/tempdb-database#optimizing-tempdb-performance-in-sql-server", + "checklist": "WAF checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", "services": [ - "SQL", - "VM" + "SAP", + "Monitor", + "WAF" ], - "severity": "High", - "subcategory": "SQL Server", - "text": "Ensure 
that all tempdb best practices are followed.", + "severity": "Medium", + "text": "Review SAP HANA studio alerts.", "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "1bb73b36-a5a6-47fb-a9ed-5b35478c3479", - "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization", + "checklist": "WAF checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", "services": [ - "SQL", - "VM" + "SAP", + "WAF" ], - "severity": "High", - "subcategory": "SQL Server", - "text": "Schedule SQL Server Agent jobs to run DBCC CHECKDB, index reorganize, index rebuild, and update statistics jobs.", - "waf": "Operations" + "severity": "Medium", + "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", + "waf": "Performance" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Part of the SQL Server Feature checklist in the link that is recommended when SQL Server Instance is in an Azure VM.", - "guid": "816b2863-cffe-41ca-a599-ef0d5a73dd4c", - "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization", + "checklist": "WAF checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "services": [ - "SQL", - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "SQL Server", - "text": "Limit autogrowth of the database and Disable autoshrink", - "waf": "Operations" + "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you 
can use the Update management center in Azure Automation to manage operating system updates, including security patches.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "waf": "Security" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Constrained vCPU virtual machines (VMs) are a type of VM where the vCPU count can be constrained to a half or a quarter of the original VM size. This allows customers to reduce the cost of software licensing while maintaining the same memory, storage, and I/O bandwidth", - "guid": "e36c1c81-770a-4fbc-9c0d-43918648d285", - "link": "https://learn.microsoft.com/azure/virtual-machines/constrained-vcpu", + "checklist": "WAF checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "services": [ - "Cost", - "SQL", - "Storage", - "VM" + "SAP", + "WAF" ], - "severity": "Low", - "subcategory": "Cost Optimization", - "text": "Optimize SQL Server License cost with Constrained vCPU VM's", - "training": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", - "waf": "Cost" + "severity": "Medium", + "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "waf": "Security" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Azure Hybrid Benefit allows you to exchange your existing licenses for discounted rates on Azure SQL Database and Azure SQL Managed Instance. 
Y", - "guid": "7ed67178-b824-4546-ae1a-ee3453aec823", - "link": "https://azure.microsoft.com/en-ca/pricing/hybrid-benefit/", + "checklist": "WAF checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "services": [ - "Cost", - "SQL" + "SAP", + "SQL", + "WAF" ], "severity": "Low", - "subcategory": "Cost Optimization", - "text": "Leverage Azure Hybrid benefit to maximize the value of your on premises licenses in the cloud", - "waf": "Cost" + "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", + "waf": "Security" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "The SQL Server IaaS Agent extension (SqlIaasExtension) runs on SQL Server on Azure Windows Virtual Machines (VMs) to automate management and administration tasks.", - "guid": "9248725d-d68c-45b5-a292-5394a69a9d27", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/sql-agent-extension-automatic-registration-all-vms?view=azuresql-vm&tabs=azure-cli", + "checklist": "WAF checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "services": [ "SQL", - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "Azure", - "text": "Register with the SQL IaaS Agent Extension to unlock a number of feature benefits.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Operations" + "severity": "High", + "text": "Disable xp_cmdshell. 
The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.", + "training": "https://me.sap.com/notes/3019299/E", + "waf": "Security" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Accelerated Networking provides consistent ultra-low network latency via Azure's in-house programmable hardware and technologies", - "guid": "99c42bb6-8d1d-4755-9624-6b438563b4dc", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "checklist": "WAF checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ + "Backup", "SQL", - "VM" + "Storage", + "SAP", + "WAF" ], "severity": "High", - "subcategory": "Azure", - "text": "Ensure Accelerated Networking is enabled on the virtual machine.", - "waf": "Operations" + "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "Security" }, { - "category": "SQL Server on Azure VM", - "checklist": "SQL Migration Review", - "description": "Microsoft Defender detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases on the SQL server.", - "guid": "74a748b6-633a-4d2a-8916-a66498fad0e2", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls", + "checklist": "WAF checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", "services": [ - "SQL", - "Defender", - "VM" + "Storage", + "WAF" ], - "severity": "High", - "subcategory": "Azure", - "text": "Leverage Microsoft Defender for Cloud to improve the overall security posture of your virtual machine deployment.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "severity": "Medium", + "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "There are some PaaS limitations that are introduced in SQL Managed Instance and some behavior changes compared to SQL Server. 
It is important to review and understand these differences.", - "guid": "78ee293c-1bc3-452b-aaab-7571849ab809", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server?view=azuresql", + "checklist": "WAF checklist", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", "services": [ - "SQL", - "EventHubs" + "AKV", + "WAF" ], "severity": "High", - "subcategory": "Pre Migration", - "text": "Review the major differences between SQL Server and Managed Instance", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Operations" + "text": "Use Azure Key Vault to store your secrets and credentials", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. 
It is important to review these limits.", - "guid": "3dc9ec9d-1bb7-43b3-9a5a-67fba9ed5b35", - "link": "https://docs.microsoft.com/azure/azure-sql/managed-instance/resource-limits", + "checklist": "WAF checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "services": [ - "SQL" + "RBAC", + "Subscriptions", + "AzurePolicy", + "WAF" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Review capacity limits for SQL MI", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Performance" + "severity": "Medium", + "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The instance settings between managed instance and your source SQL Server can be different . 
It is important to review those differences that can impact performance.", - "guid": "8bc178bd-c5a0-46ca-9144-351e19dd3442", - "link": "https://medium.com/azure-sqldb-managed-instance/compare-environment-settings-on-sql-server-and-azure-sql-that-may-impact-performance-e90c21fa9b08", + "checklist": "WAF checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "services": [ - "SQL" + "AKV", + "AzurePolicy", + "WAF" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Compare instance settings on SQL Server and Azure SQL MI that may impact performance", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Performance" + "severity": "Medium", + "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Assess on-premises SQL Server instance(s) migrating to Azure SQL Managed Instance. 
The assessment workflow helps you to detect issues that block the migration itself and also partially supported and unsupported features", - "guid": "9eb72281-37a1-451c-9bb4-e4f1814287d5", - "link": "https://docs.microsoft.com/azure/dms/ads-sku-recommend", + "checklist": "WAF checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", "services": [ - "SQL" + "RBAC", + "AzurePolicy", + "WAF" ], "severity": "High", - "subcategory": "Pre Migration", - "text": "Run Data Migration assistant or Azure Data Studio Migration Extension to detect compatibility issues that can impact database functionality on Managed Instance", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Operations" + "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The SKU recommendation feature can evaluate the source SQL Server performance and utilization characteristics to recommend a right-sized Azure SQL Managed Instance to assist with your migration journey.", - "guid": "ca8c26c9-b32a-4b5b-afc6-898a135e3378", - "link": "https://learn.microsoft.com/azure/dms/ads-sku-recommend", + "checklist": "WAF checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "SQL" + "SAP", + "Storage", + "Defender", + "WAF" ], "severity": "High", - "subcategory": "Pre Migration", - "text": "Select the right compute resources for your 
workload by leveraging the SKU recommendation tools.", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Performance" + "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. Follow your DBMS vendor's recommendations when excluding target files.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Review Unsupported Features, Migration Blockers and Breaking Changes for each database from the Assessment", - "guid": "97e31c67-d68c-4b69-82ac-19f906d697c8", - "link": "https://learn.microsoft.com/azure/dms/ads-sku-recommend", + "checklist": "WAF checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", "services": [ - "SQL" + "SAP", + "RBAC", + "Defender", + "WAF" ], "severity": "High", - "subcategory": "Pre Migration", - "text": "Review and address the issues highlighted in DMA/Azure Data Studio", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Operations" + "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The SQL Managed Instance default DNS zone .database.windows.net can be changed with your own. 
However, the managed instance hostname part of its FQDN should remain the same.", - "guid": "eaded26b-dd18-46f0-ac25-1b999a68af87", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/frequently-asked-questions-faq?view=azuresql-mi#can-a-managed-instance-have-the-same-name-as-a-sql-server-on-premises-instance", + "checklist": "WAF checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "DNS", - "SQL" + "SAP", + "WAF" ], - "severity": "High", - "subcategory": "Pre Migration", - "text": "Plan for connection string changes as changing a managed instance name is not supported", - "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", - "waf": "Operations" + "severity": "Low", + "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "There are addional requirements in configuring a vnet and subnet hosting the managed instance.", - "guid": "c9a7f821-b8eb-48c0-aa77-e25e4d5aeaa8", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-existing-add-subnet?view=azuresql-mi", + "checklist": "WAF checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "services": [ - "SQL", - "VNet" + "AKV", + "WAF" ], "severity": "Medium", - "subcategory": "Pre Migration", - "text": "Review managed instance VNet requirements", - "training": 
"https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Operations" + "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Though it's possible to deploy managed instances to a subnet with a number of IP addresses that's less than the output of the subnet formula, always consider using bigger subnets instead. Using a bigger subnet can help avoid future issues stemming from a lack of IP addresses, such as the inability to create additional instances within the subnet or scale existing instances.", - "guid": "dc4e2436-bb33-46d7-85f1-7960eee0b9b5", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/vnet-subnet-determine-size?view=azuresql-mi", + "checklist": "WAF checklist", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", "services": [ - "SQL", - "VNet" + "AKV", + "WAF" ], "severity": "High", - "subcategory": "Deployment", - "text": "Ensure managed instance subnet has sufficient IP addresses available", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", - "waf": "Operations" + "text": "Use an Azure Key Vault per application per environment per region.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "SQL Managed Instance has characteristics and resource limits that depend on the underlying infrastructure and architecture. 
SQL Managed Instance can be deployed on multiple hardware configurations.", - "guid": "c8defc4d-721d-431d-850f-b707ae9eab40", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/resource-limits?view=azuresql-mi#service-tier-characteristics", + "checklist": "WAF checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", "services": [ - "SQL" + "SAP", + "AKV", + "WAF" ], "severity": "High", - "subcategory": "Pre Migration", - "text": "Plan between General Purpose and Business Critical tiers of MI", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Performance" + "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The auto-failover groups feature allows you to manage the replication and failover of user databases in a managed instance to a managed instance in another Azure region. 
Auto-failover groups are designed to simplify deployment and management of geo-replicated databases at scale.", - "guid": "ed329079-8bc1-478b-bc5a-06ca7144351e", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-sql-mi?view=azuresql-mi&tabs=azure-powershell", + "checklist": "WAF checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", "services": [ - "SQL" + "SAP", + "RBAC", + "Subscriptions", + "WAF" ], "severity": "High", - "subcategory": "Pre Migration", - "text": "Based on your RPO/RTO's , determine if Auto failover Group needs to be implemented. If so, plan for the deployment attributes of the second instance.", - "training": "https://learn.microsoft.com/learn/paths/implement-windows-server-iaas-virtual-machine-identity/", - "waf": "Reliability" + "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "There are multiple ways to connect your application to the managed instance. 
Review and understand the pros and cons and decide on the best approach for your application.", - "guid": "5d226886-d30b-466c-97be-595190f83845", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance?view=azuresql-mi", + "checklist": "WAF checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", "services": [ - "SQL" + "PrivateLink", + "SAP", + "NVA", + "WAF" ], - "severity": "Low", - "subcategory": "Pre Migration", - "text": "Review the Connectivity Design between Database and Application, test & validate it", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Operations" + "severity": "High", + "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Compare migration options to choose the path that's appropriate to your business needs.", - "guid": "c586cb29-1ec1-46a1-b076-ef9f141acdce", - "link": "https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview?view=azuresql-mi#migration-tools", + "checklist": "WAF checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", "services": [ - "SQL" + "Storage", + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre Migration", - "text": "Plan for the Migration Method. 
Depending on the DB Size and Application downtime window, select the preferred Migration Method.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "Operations" + "severity": "Low", + "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "After you verify that data is the same on both source and target, you can cut over from the source to the target environment. It's important to plan the cutover process with business / application teams to ensure minimal interruption during cutover doesn't affect business continuity.", - "guid": "579377bc-db37-451a-a2ac-1fad66e15d4d", - "link": "https://learn.microsoft.com/azure/dms/tutorial-sql-server-managed-instance-online#performing-migration-cutover", + "checklist": "WAF checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", "services": [ - "SQL" + "Defender", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre Migration", - "text": "Plan the cutover process with business / application teams to ensure minimal interruption during cutover and it does not affect business continuity.", - "training": "https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain", - "waf": "Reliability" + "severity": "Low", + "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "waf": "Security" }, { - 
"category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "A time zone of a managed instance can be set during instance creation only. The default time zone is UTC", - "guid": "4a2adb1c-3d23-426a-b225-ca44e1695fdd", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/timezones-overview?view=azuresql#set-a-time-zone", + "checklist": "WAF checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "services": [ - "SQL" + "SAP", + "VNet", + "WAF" ], "severity": "High", - "subcategory": "Deployment", - "text": "Ensure you customize your time zone setting at the instance creation time. One cannot change it later.", - "training": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "waf": "Operations" + "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. 
The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Server-level collation in Azure SQL Managed Instance can be specified when the instance is created and cannot be changed later.Default server-level collation is SQL_Latin1_General_CP1_CI_AS.", - "guid": "deace4cb-1deb-44c6-90c3-fc14eebb3693", - "link": "https://learn.microsoft.com/sql/relational-databases/collations/set-or-change-the-server-collation?view=sql-server-ver16", + "checklist": "WAF checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "services": [ - "SQL" + "SAP", + "WAF" ], - "severity": "High", - "subcategory": "Deployment", - "text": "Ensure you select the right collation setting at the instance creation time. One cannot change it later", - "waf": "Operations" + "severity": "Low", + "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "When you're migrating a database protected by Transparent Data Encryption (TDE) to Azure SQL Managed Instance using the native restore option, the corresponding certificate from the SQL Server instance needs to be migrated before database restore.", - "guid": "829e3eec-2183-4687-a007-7a2b5945bda4", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/tde-certificate-migrate?view=azuresql-mi&tabs=azure-powershell", + "checklist": "WAF checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "services": [ - "SQL", - "VM" + "SAP", + "AKV", + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "Deployment", - "text": "For TDE Enabled Database, corresponding certificate from the on-premises or Azure VM SQL Server needs to be migrated before database restore", - "waf": "Operations" + "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Security" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "System databases can be restored only from backups that are created on the version of SQL Server that the server instance is currently running. 
This is not the case when you are migrating to SQL Managed Instance.Azure PowerShell and DBATools PowerShell libraries enable you to easily script and automate and customize all parts of the migration process.", - "guid": "3334fdf9-1c23-4418-8b65-275269440b4b", - "link": "https://learn.microsoft.com/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-guide?view=azuresql-mi#backup-and-restore", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", "services": [ - "SQL", - "Backup" + "WAF" ], - "severity": "Low", - "subcategory": "Migration", - "text": "Restore of system databases is not supported. To migrate instance-level objects (stored in master or msdb databases), we recommend to script them out and run T-SQL scripts on the destination instance.", - "waf": "Operations" + "severity": "Medium", + "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "When using migration options that continuously replicate / sync data changes from source to the target, the source data and schema can change and drift from the target. 
During data sync, ensure that all changes on the source are captured and applied to the target during the migration process.", - "guid": "e3d3e084-3276-4d4b-bc01-5bcf219e4a1e", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "services": [ - "SQL" + "TrafficManager", + "FrontDoor", + "WAF" ], - "severity": "High", - "subcategory": "Migration", - "text": "Ensure that all changes on the source are captured and applied to the target during the migration process.", - "waf": "Operations" + "severity": "Medium", + "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Ensure that the application is able to succesffuly connect to the managed instance post migration of the databases.", - "guid": "b5887952-5d22-4688-9d30-b66c57be5951", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connect-application-instance?view=azuresql-mi", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "services": [ - "SQL" + "ACR", + "WAF" ], "severity": "Medium", - "subcategory": "Migration", - "text": "Test Application Connectivity to MI and Databases", - "waf": "Operations" + "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. 
This feature is only available in Standard and Enterprise tiers.", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "High availability is a fundamental part of SQL Managed Instance platform that works transparently for your database applications. Failovers from primary to secondary nodes in case of node degradation or fault detection, or during regular monthly software updates are an expected occurrence for all applications using SQL Managed Instance in Azure.", - "guid": "90f83845-c586-4cb2-a1ec-16a1d076ef9f", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/user-initiated-failover?view=azuresql", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", "services": [ - "SQL" + "WAF" ], - "severity": "High", - "subcategory": "Post Migration", - "text": "Consider executing a manual failover on SQL Managed Instance to test for fault and failover resiliency.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "severity": "Medium", + "text": "Use more than 1 app instance for your apps", "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Ensuring that your applications are failover resilient prior to deploying to production will help mitigate the risk of application faults in production and will contribute to application availability for your customers.", - "guid": "141acdce-5793-477b-adb3-751ab2ac1fad", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-configure-sql-mi?view=azuresql&tabs=azure-portal#test-failover", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": 
"7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "services": [ - "SQL", - "LoadBalancer", - "EventHubs" + "Monitor", + "WAF" ], - "severity": "High", - "subcategory": "Post Migration", - "text": "If failover groups have been implemented, Test Manual Failover and Failback and test application connectivity behavior during failover/failback", + "severity": "Medium", + "text": "Monitor Azure Spring Apps with logs, metrics and tracing. Integrate ASA with application insights and track failures and create workbooks.", "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "This provides more dedicated disk IOPS and throughput", - "guid": "aa359272-8e6e-4205-8726-76ae46691e88", - "link": "https://techcommunity.microsoft.com/t5/azure-sql-blog/storage-performance-best-practices-and-considerations-for-azure/ba-p/305525", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "services": [ - "SQL", - "Storage" + "WAF" ], - "severity": "High", - "subcategory": "Post Migration", - "text": "Optimize Storage Performance for General Purpose Managed Instance", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Performance" + "severity": "Medium", + "text": "Set up autoscaling in Spring Cloud Gateway", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "Many organizations have policies that require that certificates or encryption keys be created and managed internally. If your organization has a similar policy, this architecture might apply to you. 
If your customers require internal management of these items, the architecture also might apply to you.", - "guid": "35ad9422-23e1-4381-8523-081a94174158", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/data/sql-managed-instance-cmk", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", "services": [ - "SQL", - "AzurePolicy", - "AKV", - "Backup" + "WAF" ], "severity": "Low", - "subcategory": "Post Migration", - "text": "Enable Customer managed TDE for taking your own copy only full backups", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Security" + "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "The maintenance window feature provides you with the ability to onboard Azure SQL resource to prescheduled time blocks outside of business hours.", - "guid": "33ef7ad7-c6d3-4733-865c-7acbe44bbe60", - "link": "https://learn.microsoft.com/azure/azure-sql/database/planned-maintenance?view=azuresql", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "WAF checklist", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "services": [ - "SQL" + "WAF" ], "severity": "Medium", - "subcategory": "Post Migration", - "text": "Plan for Azure maintenance events", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operations" + "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. 
With other tiers you get OSS support.", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "By using the long-term retention (LTR) feature, you can store specified SQL Database and SQL Managed Instance full backups in Azure Blob storage with configured redundancy for up to 10 years.", - "guid": "9d89f2e8-7778-4424-b516-785c6fa96b96", - "link": "https://learn.microsoft.com/azure/azure-sql/database/long-term-retention-overview?view=azuresql-mi", + "checklist": "WAF checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "services": [ - "ARS", - "SQL", - "Storage", - "Backup" + "Entra", + "WAF" ], - "severity": "Low", - "subcategory": "Post Migration", - "text": "Configure Long Term backup retention, view backups and restore from backups", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "severity": "Medium", + "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "By using Azure Hybrid Benefit, you can achieve cost savings, modernise and maintain a flexible hybrid environment while optimising business applications.", - "guid": "ad88408f-3727-434c-a76b-a28021459014", - "link": "https://azure.microsoft.com/en-gb/pricing/hybrid-benefit/#overview", + "checklist": "WAF checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "services": [ - "Cost", - "SQL" + "WAF" + ], + "severity": "Medium", + "text": "Make sure that your sign-in user flows are backed up and resilient. 
Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes", + "waf": "Reliability" + }, + { + "checklist": "WAF checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", + "services": [ + "WAF" + ], + "severity": "Medium", + "text": "Custom brand assets should be hosted on a CDN", + "waf": "Performance" + }, + { + "checklist": "WAF checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "services": [ + "WAF" ], "severity": "Low", - "subcategory": "Post Migration", - "text": "Take advantage of Azure Hybrid Benefit and Azure Reservations where applicable.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Cost" + "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", + "waf": "Reliability" }, { - "category": "SQL Managed Instance", - "checklist": "SQL Migration Review", - "description": "If you don't have threat protection Advanced Threat Protection is part of the Microsoft Defender for SQL offering, which is a unified package for advanced SQL security capabilities.", - "guid": "65d38e53-f9cc-4bd8-9926-6acca274faa1", - "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-overview?view=azuresql", + "checklist": "WAF checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "SQL", - "Defender" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Post Migration", - "text": "Leverage Microsoft Defender for Cloud to improve the overall 
security posture", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Security" + "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", + "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", - "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", - "service": "Purview", - "services": [], + "checklist": "WAF checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "Best Practices", - "text": "Leverage FTA Resillency Handbook", + "text": "Don't replicate! Replication can create issues with directory synchronization", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "checklist": "WAF checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "services": [ - "ASR" + "WAF" ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Plan for Data Center level outage", + "severity": "Medium", + "text": "Have active-active for multi-regions", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. 
Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. Assign contacts to assets", - "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "checklist": "WAF checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "services": [ - "ASR" + "Entra", + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Practice Failover for BCDR", + "text": "Add Azure AD Domain service stamps to additional regions and locations", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "97b15b8a-219a-44ab-bb57-879024d22678", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "checklist": "WAF checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "services": [ - "Backup" + "WAF" ], - "severity": "High", - "subcategory": "Backup and Restore ", - "text": "Plan a backup strategy and take regular backups", + "severity": "Medium", + "text": "Use Replica Sets for DR", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", - "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", - "service": "Purview", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "Azure Service Bus Premium provides encryption of data at rest. 
If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "87af4a79-1f89-439b-ba47-768e14c11567", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", + "service": "Service Bus", "services": [ - "EventHubs" + "ServiceBus", + "WAF" ], "severity": "Low", - "subcategory": "Purview Accounts Replications", - "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", - "waf": "Reliability" + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", - "link": "https://learn.microsoft.com/purview/deployment-best-practices", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "Communication between a client application and an Azure Service Bus namespace is encrypted using Transport Layer Security (TLS). Azure Service Bus namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Service Bus namespace to require that clients send and receive data with a newer version of TLS.", + "guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version", + "service": "Service Bus", + "services": [ + "ServiceBus", + "WAF" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Purview accounts architectures and deployment best practices", - "waf": "Reliability" + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", - "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", + "service": "Service Bus", + "services": [ + "Entra", + "AzurePolicy", + "TrafficManager", + "RBAC", + "ServiceBus", + "WAF" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Collection Architectures and best practices", - "waf": "Reliability" + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", - "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "A Service Bus client app running inside an Azure App Service application or in a virtual machine with enabled managed entities for Azure resources support does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. ", + "guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity", + "service": "Service Bus", + "services": [ + "Entra", + "AKV", + "Storage", + "VM", + "AppSvc", + "ServiceBus", + "WAF" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Assest lifecycle best practices", - "waf": "Reliability" + "text": "When possible, your application should be using a managed identity to authenticate to Azure Service Bus. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", - "service": "Purview", - "services": [], - "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow automation best practices", - "waf": "Reliability" + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Service Bus. Permissions in Azure Service Bus can and should be scoped to the individual resource level e.g. queue, topic or subscription. ", + "guid": "f615658d-e558-4f93-9249-b831112dbd7e", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus", + "service": "Service Bus", + "services": [ + "Storage", + "RBAC", + "Subscriptions", + "ServiceBus", + "WAF" + ], + "severity": "High", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "Azure Service Bus resource logs include operational logs, virtual network and IP filtering logs. 
Runtime audit logs capture aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Service Bus.", + "guid": "af12e7f9-43f6-4304-922d-929c2b1cd622", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference", + "service": "Service Bus", "services": [ - "Backup" + "Monitor", + "VNet", + "ServiceBus", + "WAF" ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Backup and Migration Best practices", - "waf": "Reliability" + "text": "Enable logging for security investigation. Use Azure Monitor to trace resource logs and runtime audit logs (currently available only in the premium tier)", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", - "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "Azure Service Bus by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Service Bus traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service", + "service": "Service Bus", + "services": [ + "PrivateLink", + "ServiceBus", + "VNet", + "WAF" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Purview Glossary Best Practices", - "waf": "Reliability" + "text": "Consider using private endpoints to access Azure Service Bus and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", - "link": "https://learn.microsoft.com/purview/concept-workflow", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data catalog", - "text": "Leverage Workflows ", - "waf": "Reliability" + "arm-service": "Microsoft.ServiceBus/namespaces", + "checklist": "WAF checklist", + "description": "With IP firewall, you can restrict the public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a", + "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering", + "service": "Service Bus", + "services": [ + "ServiceBus", + "WAF" + ], + "severity": "Medium", + "text": "Consider only allowing access to Azure Service Bus namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", - "link": "https://learn.microsoft.com/purview/concept-best-practices-security", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", + "services": [ + "AzurePolicy", + "WAF" + ], "severity": "Medium", - "subcategory": "Data catalog", - "text": "Follow Purview Security Best Practices", - "waf": "Reliability" + "text": "Implement an error handling policy at the global level", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", - "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", + "services": [ + "AzurePolicy", + "WAF" + ], "severity": "Medium", - "subcategory": "Data Map", - "text": "Follow Purview Data Lineage Best Practices", - 
"waf": "Reliability" + "text": "Ensure all APIs policies include a element.", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", - "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", + "services": [ + "ACR", + "AzurePolicy", + "WAF" + ], "severity": "Medium", - "subcategory": "Data Map", - "text": "Follow Best Practices for Scanning Registered Sources", - "waf": "Reliability" + "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "Data Map", - "text": "Follow Classification Best Practices in Governance Portal", - "waf": "Reliability" + "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", - "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", - 
"service": "Purview", - "services": [], + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", + "services": [ + "Monitor", + "WAF" + ], + "severity": "High", + "text": "Enable Diagnostics Settings to export logs to Azure Monitor", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "Data Map", - "text": "Perform Sensitivity Labelling in the Purview Data Map", - "waf": "Reliability" + "text": "Enable Application Insights for more detailed telemetry", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", - "link": "https://learn.microsoft.com/purview/concept-data-share", - "service": "Purview", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "services": [ - "Storage" + "Monitor", + "WAF" ], - "severity": "Low", - "subcategory": "Data Sharing", - "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", - "waf": "Reliability" + "severity": "High", + "text": "Configure alerts on the most critical metrics", + "waf": "Operations" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", - "link": 
"https://learn.microsoft.com/purview/concept-insights", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data Estate", - "text": "Leverage Data Estate Insights", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", + "services": [ + "AKV", + "WAF" + ], + "severity": "High", + "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", - "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data Estate", - "text": "Use Data stewardship and Catalog adoption", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", + "services": [ + "Entra", + "WAF" + ], + "severity": "High", + "text": "Protect incoming requests to APIs (data plane) with Azure AD", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", - "link": "https://learn.microsoft.com/purview/concept-insights", - "service": 
"Purview", - "services": [], - "severity": "Low", - "subcategory": "Data Estate", - "text": "Use Inventory and Ownership", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", + "services": [ + "Entra", + "WAF" + ], + "severity": "Medium", + "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", - "link": "https://learn.microsoft.com/purview/glossary-insights", - "service": "Purview", - "services": [], - "severity": "Low", - "subcategory": "Data Estate", - "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", + "services": [ + "WAF" + ], + "severity": "Medium", + "text": "Create appropriate groups to control the visibility of the products", + "waf": "Security" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b130a888-9579-4e76-a896-e710a7da7be9", - "link": "https://learn.microsoft.com/purview/compliance-manager", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", + "services": [ + "WAF" + ], + "severity": "Medium", + "text": "Use Backends feature to eliminate redundant API backend configurations", + 
"waf": "Operations" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", + "services": [ + "AzurePolicy", + "WAF" + ], + "severity": "Medium", + "text": "Use Named Values to store common values that can be used in policies", + "waf": "Operations" + }, + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", + "services": [ + "ACR", + "WAF" + ], "severity": "Medium", - "subcategory": "Data Quality ", - "text": "Generate assessment scores", + "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", - "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", - "service": "Purview", - "services": [], + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "Data Quality ", - "text": "Profiling- get summaries of data content", + "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", - "link": 
"https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", - "service": "Purview", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", "services": [ - "AzurePolicy" + "Backup", + "WAF" ], - "severity": "Low", - "subcategory": "Data Policy", - "text": "Follow Microsoft Purview Data Owner access policies", + "severity": "High", + "text": "Ensure there is an automated backup routine", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", - "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", - "service": "Purview", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "services": [ - "AzurePolicy" + "AzurePolicy", + "WAF" ], - "severity": "Low", - "subcategory": "Data Policy", - "text": "Follow Self-service access policies", + "severity": "Medium", + "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.", "waf": "Reliability" }, { - "category": "Operations management", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", - "link": "https://learn.microsoft.com/purview/concept-policies-devops", - "service": "Purview", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", "services": [ - "AzurePolicy" + "EventHubs", + "AzurePolicy", + "WAF" ], "severity": "Low", - "subcategory": "Data Policy", - "text": "Follow DevOps policies", - "waf": "Reliability" + "text": "If you need to log at high performance levels, consider Event Hubs policy", + "waf": "Operations" }, { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "785c2fa5-5b56-4ad4-a408-fe72734c476b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", "services": [ - "AKS" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Development", - "text": "Use canary or blue/green deployments", - "waf": "Operations" + "text": "Apply throttling policies to control the number of requests per second", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "Performance" }, { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "services": [ - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Development", - "text": "If required for AKS Windows workloads HostProcess containers can be used", - "waf": "Reliability" + "severity": "Medium", + "text": "Configure 
autoscaling to scale out the number of instances when the load increases", + "waf": "Performance" }, { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "services": [ - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Development", - "text": "Use KEDA if running event-driven workloads", + "severity": "Medium", + "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.", "waf": "Performance" }, { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", "services": [ - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Development", - "text": "Use Dapr to ease microservice development", - "waf": "Operations" + "severity": "Medium", + "text": "Use the premium tier for production workloads.", + "waf": "Reliability" }, { - "category": "Application Deployment", - "checklist": "Azure AKS Review", - "guid": "3acbe04b-be20-49d3-afda-47778424d116", - "link": "https://learn.microsoft.com/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", "services": [ - "AKS" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Infrastructure as Code", - "text": "Use automation through ARM/TF to create your Azure resources", - "waf": "Operations" + "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.", + "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "36cb45e5-7960-4332-9bdf-8cc23318da61", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", "services": [ - "ASR", - "AKS" + "Entra", + "APIM", + "WAF" ], "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Schedule and perform DR tests regularly", + "text": "Be aware of APIM's limits", "waf": "Reliability" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "170265f4-bb46-4a39-9af7-f317284797b1", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", "services": [ - "TrafficManager", - "LoadBalancer", + "WAF" + ], + "severity": "High", + "text": "Ensure that the self-hosted gateway deployments are resilient.", + "waf": "Reliability" + }, + { + "arm-service": 
"Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", + "services": [ + "Entra", + "APIM", "FrontDoor", - "AKS" + "WAF" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Use Azure Traffic Manager or Azure Front Door as a global load balancer for region failover", - "waf": "Reliability" + "text": "Use Azure Front Door in front of APIM for multi-region deployment", + "waf": "Performance" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "graph": "resources | where type=='microsoft.containerservice/managedclusters' | extend compliant= isnotnull(properties.agentPoolProfiles[0].availabilityZones) | distinct id,compliant", - "guid": "578a219a-46be-4b54-9350-24922634292b", - "link": "https://learn.microsoft.com/azure/aks/availability-zones", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "services": [ - "AKS" + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "Use Availability Zones if they are supported in your Azure region", - "waf": "Reliability" + "text": "Deploy the service within a Virtual Network (VNet)", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", + "arm-service": 
"Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "services": [ - "AKS" + "Entra", + "APIM", + "Monitor", + "VNet", + "WAF" ], - "severity": "High", - "subcategory": "High Availability", - "text": "Use the SLA-backed AKS offering", - "waf": "Reliability" + "severity": "Medium", + "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", "services": [ - "Cost", - "AKS" + "Entra", + "PrivateLink", + "APIM", + "VNet", + "WAF" ], - "severity": "Low", - "subcategory": "High Availability", - "text": "Use Disruption Budgets in your pod and deployment definitions", - "waf": "Reliability" + "severity": "Medium", + "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", + "arm-service": "Microsoft.ApiManagement/service", 
+ "checklist": "WAF checklist", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", "services": [ - "ACR", - "AKS" + "WAF" ], "severity": "High", - "subcategory": "High Availability", - "text": "If using a private registry, configure region replication to store images in multiple regions", - "waf": "Reliability" + "text": "Disable Public Network Access", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "daa9a260-c3ea-4490-b077-5fc1f2a80cb0", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", "services": [ - "Storage", - "ASR", - "AKS" + "WAF" ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Use Zone-Redundant Storage (ZRS) with stateful workloads", - "waf": "Reliability" + "severity": "Medium", + "text": "Simplify management with PowerShell automation scripts", + "waf": "Operations" }, { - "category": "BC and DR", - "checklist": "Azure AKS Review", - "guid": "bc14aea6-e65d-48d9-a3ad-c218e6436b06", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", 
"services": [ - "AKS" + "Entra", + "APIM", + "WAF" ], - "severity": "High", - "subcategory": "Requirements", - "text": "Define non-functional requirements such as SLAs, RTO (Recovery Time Objective) and RPO (Recovery Point Objective).", - "waf": "Reliability" + "severity": "Medium", + "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", + "waf": "Operations" }, { - "category": "Cost Governance", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", "services": [ - "Cost", - "AKS" + "Entra", + "APIM", + "WAF" ], - "severity": "Low", - "subcategory": "Cost", - "text": "Use an external application such as kubecost to allocate costs to different users", - "waf": "Cost" + "severity": "Medium", + "text": "Promote usage of Visual Studio Code APIM extension for faster API development", + "waf": "Operations" }, { - "category": "Cost Governance", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", "services": [ - "Cost", - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Cost", - "text": "Use scale down mode to delete/deallocate nodes", - "waf": "Cost" + "severity": "Medium", + "text": "Implement DevOps 
and CI/CD in your workflow", + "waf": "Operations" }, { - "category": "Cost Governance", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", "services": [ - "Cost", - "AKS" + "WAF" ], "severity": "Medium", - "subcategory": "Cost", - "text": "When required use multi-instance partitioning GPU on AKS Clusters", - "waf": "Cost" + "text": "Secure APIs using client certificate authentication", + "waf": "Security" }, { - "category": "Cost Governance", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "services": [ - "Cost", - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Cost", - "text": "If running a Dev/Test cluster use NodePool Start/Stop", - "waf": "Cost" + "severity": "Medium", + "text": "Secure backend services using client certificate authentication", + "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": 
"https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", "services": [ - "AzurePolicy", - "AKS" + "WAF" ], "severity": "Medium", - "subcategory": "Compliance", - "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", + "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", "services": [ - "AKS" + "WAF" ], "severity": "Medium", - "subcategory": "Compliance", - "text": "Separate applications from the control plane with user/system node pools", + "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": 
"2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", "services": [ - "AKS" + "WAF" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Add taint to your system nodepool to make it dedicated", + "severity": "High", + "text": "Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", "services": [ - "ACR", - "AKS" + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Compliance", - "text": "Use a private registry for your images, such as ACR", + "severity": "High", + "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", "services": [ - "AKS" + "Entra", + "WAF" ], "severity": "Medium", - "subcategory": "Compliance", - "text": "Scan your images for vulnerabilities", + "text": "Use managed identities to authenticate to other Azure resources whenever possible", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "cc639637-a652-42ac-89e8-06965388e9de", - "link": "https://learn.microsoft.com/azure/security-center/container-security", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "WAF checklist", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", "services": [ - "Defender", - "AKS" + "Entra", + "APIM", + "AppGW", + "WAF" ], - "severity": "Medium", - "subcategory": "Compliance", - "text": "Use Azure Security Center to detect security posture vulnerabilities", + "severity": "High", + "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", "waf": "Security" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "42d4aefe-2383-470e-b019-c30df24996b2", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", "services": [ - "AKS" + 
"WAF" ], "severity": "Low", - "subcategory": "Compliance", - "text": "If required configure FIPS", - "waf": "Security" + "text": "Refer to baseline highly available zone-redundant web application architecture for best practices", + "waf": "Reliability" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", "services": [ - "AKS" + "Backup", + "WAF" + ], + "severity": "Medium", + "text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", + "services": [ + "WAF" ], "severity": "High", - "subcategory": "Compliance", - "text": "Define app separation requirements (namespace/nodepool/cluster)", - "waf": "Security" + "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)", + "waf": "Reliability" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "services": [ - "AKV", - "AKS" + "WAF" ], 
"severity": "Medium", - "subcategory": "Secrets", - "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", - "waf": "Security" + "text": "Implement health checks", + "waf": "Reliability" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", "services": [ - "AKV", - "AKS" + "AppSvc", + "Backup", + "WAF" ], "severity": "High", - "subcategory": "Secrets", - "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", - "waf": "Security" + "text": "Refer to backup and restore best practices for Azure App Service", + "waf": "Reliability" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", "services": [ - "AKV", - "AKS" + "AppSvc", + "WAF" ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "If required add Key Management Service etcd encryption", - "waf": "Security" + "severity": "High", + "text": "Implement Azure App Service reliability best practices", + "waf": "Reliability" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": 
"https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", "services": [ - "AKV", - "AKS" + "AppSvc", + "WAF" ], "severity": "Low", - "subcategory": "Secrets", - "text": "If required consider using Confidential Compute for AKS", - "waf": "Security" + "text": "Familiarize with how to move an App Service app to another region During a disaster", + "waf": "Reliability" }, { - "category": "Governance and Security", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", "services": [ - "Defender", - "AKV", - "AKS" + "AppSvc", + "WAF" ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "Consider using Defender for Containers", - "waf": "Security" + "severity": "High", + "text": "Familiarize with reliability support in Azure App Service", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": 
"c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "services": [ - "Entra", - "AKS" + "AppSvc", + "WAF" ], - "severity": "High", - "subcategory": "Identity", - "text": "Use managed identities instead of Service Principals", - "waf": "Security" + "severity": "Medium", + "text": "Ensure \"Always On\" is enabled for Function Apps running on a app service plan", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "services": [ - "Entra", - "AKS" + "AppSvc", + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Integrate authentication with AAD (using the managed integration)", - "waf": "Security" + "text": "Monitor App Service instances using Health checks", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", "services": [ - "Entra", - "AKS" + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": 
"Identity", - "text": "Limit access to admin kubeconfig (get-credentials --admin)", - "waf": "Security" + "text": "Monitor availability and responsiveness of web app or website using Application Insights availability tests", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", "services": [ - "RBAC", - "Entra", - "AKS" + "Monitor", + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "Integrate authorization with AAD RBAC", - "waf": "Security" + "severity": "Low", + "text": "Use Application Insights Standard test to monitor availability and responsiveness of web app or website", + "waf": "Reliability" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Use Azure Key Vault to store any secrets the application needs. 
Key Vault provides a safe and audited environment for storing secrets and is well-integrated with App Service through the Key Vault SDK or App Service Key Vault References.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "services": [ - "RBAC", - "Entra", - "AKS" + "AKV", + "AppSvc", + "WAF" ], "severity": "High", - "subcategory": "Identity", - "text": "Use namespaces for restricting RBAC privilege in Kubernetes", + "text": "Use Key Vault to store secrets", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Use a Managed Identity to connect to Key Vault either using the Key Vault SDK or through App Service Key Vault References.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "services": [ "Entra", - "AKS" + "AKV", + "AppSvc", + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", + "severity": "High", + "text": "Use Managed Identity to connect to Key Vault", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Store the App Service TLS certificate in Key Vault.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + 
"link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "services": [ - "Entra", - "AKS" + "AKV", + "AppSvc", + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "For AKS non-interactive logins use kubelogin (preview)", + "severity": "High", + "text": "Use Key Vault to store TLS certificate.", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Systems that process sensitive information should be isolated. To do so, use separate App Service Plans or App Service Environments and consider the use of different subscriptions or management groups.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "services": [ - "Entra", - "AKS" + "AppSvc", + "Subscriptions", + "WAF" ], "severity": "Medium", - "subcategory": "Identity", - "text": "Disable AKS local accounts", + "text": "Isolate systems that process sensitive information", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Local disks on App Service are not encrypted and sensitive data should not be stored on those. 
(For example: D:\\\\Local and %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", "services": [ - "Entra", - "AKS" + "AppSvc", + "TrafficManager", + "WAF" ], - "severity": "Low", - "subcategory": "Identity", - "text": "Configure if required Just-in-time cluster access", + "severity": "Medium", + "text": "Do not store sensitive data on local disk", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "For authenticated web application, use a well established Identity Provider like Azure AD or Azure AD B2C. Leverage the application framework of your choice to integrate with this provider or use the App Service Authentication / Authorization feature.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "services": [ "Entra", - "AKS" + "AppSvc", + "WAF" ], - "severity": "Low", - "subcategory": "Identity", - "text": "Configure if required AAD conditional access for AKS", + "severity": "Medium", + "text": "Use an established Identity Provider for authentication", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Deploy code to App Service from a controlled and trusted environment, like a well-managed 
and secured DevOps deployment pipeline. This avoids code that was not version controlled and verified to be deployed from a malicious host.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "services": [ - "Entra", - "AKS" + "AppSvc", + "WAF" ], - "severity": "Low", - "subcategory": "Identity", - "text": "If required for Windows AKS workloads configure gMSA ", + "severity": "High", + "text": "Deploy from a trusted environment", "waf": "Security" }, { - "category": "Identity and Access Management", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Disable basic authentication for both FTP/FTPS and for WebDeploy/SCM. This disables access to these services and enforces the use of Azure AD secured endpoints for deployment. 
Note that the SCM site can also be opened using Azure AD credentials.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "services": [ "Entra", - "AKS" + "WAF" ], - "severity": "Medium", - "subcategory": "Identity", - "text": "For finer control consider using a managed Kubelet Identity", + "severity": "High", + "text": "Disable basic authentication", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Where possible use Managed Identity to connect to Azure AD secured resources. If this is not possible, store secrets in Key Vault and connect to Key Vault using a Managed Identity instead.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", "services": [ - "ACR", - "AppGW", - "AKS" + "Entra", + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Best practices", - "text": "If using AGIC, do not share an AppGW across clusters", - "waf": "Reliability" + "severity": "High", + "text": "Use Managed Identity to connect to resources", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": 
"https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Where using images stored in Azure Container Registry, pull these using a Managed Identity.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", "services": [ - "AKS" + "Entra", + "ACR", + "WAF" ], "severity": "High", - "subcategory": "Best practices", - "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", - "waf": "Reliability" + "text": "Pull containers using a Managed Identity", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "By configuring the diagnostic settings of App Service, you can send all telemetry to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor runtime activity of App Service such as HTTP logs, application logs, platform logs, ...", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "services": [ - "AKS" + "Entra", + "AppSvc", + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "For Windows workloads use Accelerated Networking", - "waf": "Performance" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", - "services": [ - "LoadBalancer", - "AKS" - ], - "severity": "High", - "subcategory": "Best practices", - "text": "Use the standard ALB (as opposed to the basic one)", - "waf": "Reliability" + "text": "Send App Service runtime logs to Log Analytics", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Set up a diagnostic setting to send the activity log to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the App Service resource itself.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "services": [ - "VNet", - "AKS" + "Entra", + "AppSvc", + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "Best practices", - "text": "If using Azure CNI, consider using different Subnets for NodePools", + "text": "Send App Service activity logs to Log Analytics", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Control outbound network access using a combination of regional VNet integration, network security groups and UDR's. Traffic should be routed to an NVA such as Azure Firewall. 
Ensure to monitor the Firewall's logs.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "services": [ - "PrivateLink", - "Cost", + "NVA", + "Monitor", "VNet", - "AKS" + "Firewall", + "WAF" ], "severity": "Medium", - "subcategory": "Cost", - "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", + "text": "Outbound network access should be controlled", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "e8a03f97-8794-468d-96a7-86d60f96c97b", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "You can provide a stable outbound IP by using VNet integration and using a VNet NAT Gateway or an NVA like Azure Firewall. This allows the receiving party to allow-list based on IP, should that be needed. Note that for communications towards Azure Services often there's no need to depend on the IP address and mechanics like Service Endpoints should be used instead. 
(Also the use of private endpoints on the receiving end avoids for SNAT to happen and provides a stable outbound IP range.)", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", "services": [ - "VPN", - "AKS" + "PrivateLink", + "Storage", + "NVA", + "VNet", + "Firewall", + "WAF" ], - "severity": "Medium", - "subcategory": "HA", - "text": "If hybrid connectivity is required, use 2xER or ER+VPN for better availability", - "waf": "Reliability" + "severity": "Low", + "text": "Ensure a stable IP for outbound communications towards internet addresses", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Control inbound network access using a combination of App Service Access Restrictions, Service Endpoints or Private Endpoints. 
Different access restrictions can be required and configured for the web app itself and the SCM site.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "services": [ - "AKS" + "PrivateLink", + "AppSvc", + "WAF" ], "severity": "High", - "subcategory": "IPAM", - "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", - "waf": "Reliability" + "text": "Inbound network access should be controlled", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Protect against malicious inbound traffic using a Web Application Firewall like Application Gateway or Azure Front Door. Make sure to monitor the WAF's logs.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "services": [ - "VNet", - "AKS" + "AppGW", + "FrontDoor", + "Monitor", + "AppSvc", + "WAF" ], "severity": "High", - "subcategory": "IPAM", - "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", - "waf": "Performance" + "text": "Use a WAF in front of App Service", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Make sure the WAF cannot be bypassed by locking down access to only the WAF. 
Use a combination of Access Restrictions, Service Endpoints and Private Endpoints.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "services": [ - "AKS" + "PrivateLink", + "WAF" ], "severity": "High", - "subcategory": "IPAM", - "text": "If using Azure CNI, check the maximum pods/node (default 30)", - "waf": "Performance" + "text": "Avoid for WAF to be bypassed", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Set minimum TLS policy to 1.2 in App Service configuration.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "services": [ - "VNet", - "AKS" + "AppSvc", + "AzurePolicy", + "WAF" ], - "severity": "Low", - "subcategory": "IPAM", - "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", + "severity": "Medium", + "text": "Set minimum TLS policy to 
1.2", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Configure App Service to use HTTPS only. This causes App Service to redirect from HTTP to HTTPS. Strongly consider the use of HTTP Strict Transport Security (HSTS) in your code or from your WAF, which informs browsers that the site should only be accessed using HTTPS.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", "services": [ - "AKS" + "AppSvc", + "WAF" ], "severity": "High", - "subcategory": "IPAM", - "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", - "waf": "Reliability" + "text": "Use HTTPS only", + "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", + "arm-service": "microsoft.web/sites", + "checklist": "WAF checklist", + "description": "Do not use wildcards in your CORS configuration, as this allows all origins to access the service (thereby defeating the purpose of CORS). 
Specifically only allow the origins that you expect to be able to access the service.",
+ "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3",
+ "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api",
+ "service": "App Services",
 "services": [
- "AKS"
+ "Storage",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Operations",
- "text": "If required add your own CNI plugin",
+ "severity": "High",
+ "text": "Wildcards must not be used for CORS",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364",
- "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Remote debugging must not be turned on in production as this opens additional ports on the service which increases the attack surface. 
Note that the service does turn of remote debugging automatically after 48 hours.",
+ "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant",
+ "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings",
+ "service": "App Services",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Operations",
- "text": "If required configure Public IP per node in AKS",
- "waf": "Performance"
+ "severity": "High",
+ "text": "Turn off remote debugging",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db",
- "link": "https://learn.microsoft.com/azure/aks/concepts-network",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Enable Defender for App Service. This (amongst other threats) detects communications to known malicious IP addresses. 
Review the recommendations from Defender for App Service as part of your operations.",
+ "guid": "18d2ddb1-0725-4769-be66-91a4834ac932",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction",
+ "service": "App Services",
 "services": [
- "AKS"
+ "AppSvc",
+ "Defender",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Scalability",
- "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services",
- "waf": "Reliability"
+ "text": "Enable Defender for Cloud - Defender for App Service",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "guid": "ccb534e7-416e-4a1d-8e93-533b53199085",
- "link": "https://learn.microsoft.com/azure/aks/nat-gateway",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Azure provides DDoS Basic protection on its network, which can be improved with intelligent DDoS Standard capabilities which learns about normal traffic patterns and can detect unusual behavior. 
DDoS Standard applies to a Virtual Network so it must be configured for the network resource in front of the app, such as Application Gateway or an NVA.",
+ "guid": "223ece80-b123-4071-a541-6415833ea3ad",
+ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "service": "App Services",
 "services": [
- "AKS"
+ "AppGW",
+ "DDoS",
+ "NVA",
+ "EventHubs",
+ "VNet",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Scalability",
- "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Enable DDOS Protection Standard on the WAF VNet",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Where using images stored in Azure Container Registry, pull these over a virtual network from Azure Container Registry using its private endpoint and the app setting 'WEBSITE_PULL_IMAGE_OVER_VNET'.",
+ "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry",
+ "service": "App Services",
 "services": [
- "AKS"
+ "PrivateLink",
+ "ACR",
+ "VNet",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Scalability",
- "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion",
- "waf": "Reliability"
+ "text": "Pull containers over a Virtual Network",
+ "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = 
(properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant",
- "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba",
- "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Conduct a penetration test on the web application following the penetration testing rules of engagement.",
+ "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing",
+ "service": "App Services",
 "services": [
- "NVA",
- "AKS"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Security",
- "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it",
+ "severity": "Medium",
+ "text": "Conduct a penetration test",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant",
- "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2",
- "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.",
+ "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e",
+ "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure",
+ "service": "App Services",
 "services": [
- "AKS"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Security",
- "text": "If using a public API endpoint, restrict the IP addresses that can access it",
+ "text": "Deploy validated 
code",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
- "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d",
- "link": "https://learn.microsoft.com/azure/aks/private-clusters",
- "service": "AKS",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "WAF checklist",
+ "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.",
+ "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime",
+ "service": "App Services",
 "services": [
- "AKS"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Security",
- "text": "Use private clusters if your requirements mandate it",
+ "text": "Use up-to-date platforms, languages, protocols and frameworks",
 "waf": "Security"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant",
- "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665",
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
- "service": "AKS",
+ "arm-service": "Microsoft.DBforMySQL/servers",
+ "checklist": "WAF checklist",
+ "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview",
+ "service": "Azure MySQL",
 "services": [
- "AzurePolicy",
- "AKS"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Security",
- "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies 
can be used ",
- "waf": "Security"
+ "text": "Leverage Flexible Server",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant",
- "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a",
- "link": "https://learn.microsoft.com/azure/aks/use-network-policies",
- "service": "AKS",
+ "arm-service": "Microsoft.DBforMySQL/servers",
+ "checklist": "WAF checklist",
+ "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones",
+ "service": "Azure MySQL",
 "services": [
- "AzurePolicy",
- "AKS"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Security",
- "text": "Enable a Kubernetes Network Policy option (Calico/Azure)",
- "waf": "Security"
+ "text": "Leverage Availability Zones where regionally applicable",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
+ "arm-service": "Microsoft.DBforMySQL/servers",
+ "checklist": "WAF checklist",
+ "guid": "1e944a45-9c37-43e7-bd61-623b365a917e",
+ "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication",
+ "service": "Azure MySQL",
 "services": [
- "AzurePolicy",
- "AKS"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Security",
- "text": "Use Kubernetes network policies to increase intra-cluster security",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Leverage Data-in replication for cross-region DR scenarios",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity", 
- "checklist": "Azure AKS Review",
- "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage",
+ "guid": "ba7da7be-9951-4914-a384-5d997cb39132",
+ "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export",
+ "service": "Azure Data Explorer",
 "services": [
- "WAF",
- "AKS"
+ "Storage",
+ "Cost",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Security",
- "text": "Use a WAF for web workloads (UIs or APIs)",
- "waf": "Security"
+ "text": "Leverage External Tables and Continuous data export overview to reduce costs",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
- "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
- "service": "AKS",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "Azure Data Explorer provides an optional follower 
capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.",
+ "guid": "56a22586-f490-4641-addd-ea8a377cdeb3",
+ "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp",
+ "service": "Azure Data Explorer",
 "services": [
- "DDoS",
- "VNet",
- "AKS"
+ "Storage",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Security",
- "text": "Use DDoS Standard in the AKS Virtual Network",
- "waf": "Security"
+ "text": "To share data, explore Leader-follower cluster configuration",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
- "link": "https://learn.microsoft.com/azure/aks/http-proxy",
- "service": "AKS",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "Azure Data Explorer doesn't support automatic 
protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.",
+ "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "ASR",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Security",
- "text": "If required add company HTTP Proxy",
- "waf": "Security"
+ "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions",
+ "waf": "Reliability"
 },
 {
- "category": "Network Topology and Connectivity",
- "checklist": "Azure AKS Review",
- "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
- "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
- "service": "AKS",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "guid": "436b0635-cb45-4e57-a603-324ace8cc123",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "RBAC",
+ "Storage",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Security",
- "text": "Consider using a service mesh for advanced microservice communication management",
- "waf": "Security"
+ "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
- 
"service": "AKS",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "guid": "18ca6017-0265-4f4b-a46a-393af7f31728",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution",
+ "service": "Azure Data Explorer",
 "services": [
- "Monitor",
- "AKS"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Alerting",
- "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)",
- "waf": "Operations"
+ "text": "Ingest data into each cluster in parallel",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
- "service": "AKS",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "This configuration is also called 'always-on'. For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.",
+ "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration",
+ "service": "Azure Data Explorer",
+ "services": [
+ "ACR",
+ "WAF"
+ ],
+ "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.",
+ "guid": "563a4dc7-4a74-48b6-922a-d190916a6649",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration",
+ "service": "Azure Data Explorer",
+ "services": [
+ "ACR",
+ "WAF"
+ ],
+ "text": "For critical applications, create Active-Active configuration in two paired regions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.",
+ "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration",
+ "service": "Azure Data Explorer",
 "services": [
- "Entra",
- "AKS"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Check regularly Azure Advisor for recommendations on your cluster",
- "waf": "Operations"
+ "text": "For applications, which required only read during failure, create Active-Hot standby configuration",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
- "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
- "service": "AKS",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. 
In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.",
+ "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba",
+ "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "Storage",
+ "ASR",
+ "AzurePolicy",
+ "Cost",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Enable AKS auto-certificate rotation",
- "waf": "Operations"
+ "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
- "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
- "service": "AKS",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.",
+ "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Compliance",
- "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature",
- "waf": 
"Operations"
+ "text": "Wrap DevOps and source control around all your code",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
- "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
- "service": "AKS",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Compliance",
- "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade",
- "waf": "Operations"
+ "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
- "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
- "service": "AKS",
+ "arm-service": "Microsoft.Kusto/clusters",
+ "checklist": "WAF checklist",
+ "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18",
+ "link": "https://learn.microsoft.com/azure/data-explorer/devops",
+ "service": "Azure Data Explorer",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Compliance",
- "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)",
- "waf": "Operations"
+ "text": "Be fully cognizant of what it takes to build a cluster from scratch. 
Leverage Infrastructure as a Code for your deployments",
+ "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
- "service": "AKS",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "WAF checklist",
+ "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
+ "service": "Redis",
 "services": [
- "AKS"
+ "ACR",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters",
- "waf": "Operations"
+ "severity": "High",
+ "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. 
It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
- "link": "https://learn.microsoft.com/azure/aks/command-invoke",
- "service": "AKS",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "WAF checklist",
+ "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
+ "service": "Redis",
 "services": [
- "AKS"
+ "Storage",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "Consider using AKS command invoke on private clusters",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. 
To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
- "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
- "service": "AKS",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "WAF checklist",
+ "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
+ "service": "Redis",
 "services": [
- "AKS"
+ "Storage",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Compliance",
- "text": "For planned events consider using Node Auto Drain",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
- "link": "https://learn.microsoft.com/azure/aks/faq",
- "service": "AKS",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "WAF checklist",
+ "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
+ "service": "Redis",
 "services": [
- "AKS"
+ "ASR",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Compliance",
- "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. 
Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.",
+ "waf": "Reliability"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
- "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "WAF checklist",
+ "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ",
+ "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6",
+ "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key",
+ "service": "Event Hubs",
 "services": [
- "AKS"
+ "EventHubs",
+ "WAF"
 ],
 "severity": "Low",
- "subcategory": "Compliance",
- "text": "Use custom Node RG (aka 'Infra RG') name",
- "waf": "Operations"
+ "text": "Use customer-managed key option in data at rest encryption when required",
+ "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "waf": "Security"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
- "link": "https://kubernetes.io/docs/setup/release/notes/",
- "service": "AKS",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "WAF checklist",
+ "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. 
To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. ",
+ "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e",
+ "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version",
+ "service": "Event Hubs",
 "services": [
- "AKS"
+ "EventHubs",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Compliance",
- "text": "Do not use deprecated Kubernetes APIs in your YAML manifests",
- "waf": "Operations"
+ "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ",
+ "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
+ "waf": "Security"
 },
 {
- "category": "Operations",
- "checklist": "Azure AKS Review",
- "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
- "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
- "service": "AKS",
+ "arm-service": "microsoft.eventhub/namespaces",
+ "checklist": "WAF checklist",
+ "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "services": [ - "AKS" + "Entra", + "AzurePolicy", + "RBAC", + "TrafficManager", + "EventHubs", + "WAF" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Taint Windows nodes", - "waf": "Operations" + "severity": "Medium", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "services": [ - "AKS" + "Entra", + "AKV", + "Storage", + "VM", + "EventHubs", + "WAF" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Keep windows containers patch level in sync with host patch level", - "waf": "Operations" + "severity": "Medium", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. 
If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "description": "Via Diagnostic Settings at the cluster level", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "services": [ - "Monitor", - "AKS" + "RBAC", + "EventHubs", + "WAF" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", - "waf": "Operations" + "severity": "High", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. 
Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "services": [ - "AKS" + "EventHubs", + "Monitor", + "VNet", + "WAF" ], - "severity": "Low", - "subcategory": "Compliance", - "text": "If required use nodePool snapshots", - "waf": "Cost" + "severity": "Medium", + "text": "Enable logging for security investigation. Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "services": [ - "Cost", - "AKS" + "PrivateLink", + "EventHubs", + "VNet", + "WAF" ], - "severity": "Low", - "subcategory": "Cost", - "text": "Consider spot node pools for non time-sensitive workloads", - "waf": "Operations" + "severity": "Medium", + "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "services": [ - "Cost", - "AKS" + "EventHubs", + "WAF" ], - "severity": "Low", - "subcategory": "Cost", - "text": "Consider AKS virtual node for quick bursting", - "waf": "Operations" + "severity": "Medium", + "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "services": [ - "Monitor", - "AKS" + "WAF" ], - "severity": "High", - "subcategory": "Monitoring", - "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", - "waf": "Operations" + "severity": "Medium", + "text": "Leverage FTA Resillency HandBook", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": " This will be turned on automatically 
for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. Both the EH metadata and the event data itself are replicated across zones", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "services": [ - "Monitor", - "AKS" + "EventHubs", + "ACR", + "WAF" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", - "waf": "Operations" + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "services": [ - "Monitor", - "AKS" + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor CPU and memory utilization of the nodes", - "waf": "Operations" + "text": "Use the Premium or Dedicated SKUs for predicable performance", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary 
namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "services": [ - "Monitor", - "AKS" + "EventHubs", + "ASR", + "WAF" ], - "severity": "Medium", - "subcategory": "Monitoring", - "text": "If using Azure CNI, monitor % of pod IPs consumed per node", - "waf": "Operations" + "severity": "High", + "text": "Plan for Geo Disaster Recovery using Active Passive configuration", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "services": [ - "Storage", - "Monitor", "EventHubs", - "AKS", - "ServiceBus" + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Monitor OS disk queue depth in nodes", - "waf": "Operations" + "text": "For Business Critical Applications, use Active Active configuration", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "WAF checklist", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "services": [ - "NVA", - "LoadBalancer", - "Monitor", - "AKS" + "EventHubs", + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", - "waf": "Operations" + "text": "Design Resilient Event Hubs", + "waf": "Reliability" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", + "services": [ + "Entra", + "Subscriptions", + "WAF" + ], + "severity": "High", + "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", + "waf": "Security" + 
}, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", "services": [ - "Monitor", - "AKS" + "AVS", + "WAF" ], "severity": "Medium", - "subcategory": "Monitoring", - "text": "Subscribe to resource health notifications for your AKS cluster", - "waf": "Operations" + "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", "services": [ - "AKS" + "WAF" ], "severity": "High", - "subcategory": "Resources", - "text": "Configure requests and limits in your pod specs", - "waf": "Operations" + "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", "services": [ - "AKS" + "WAF" ], "severity": "Medium", - "subcategory": "Resources", - "text": "Enforce resource quotas for namespaces", - "waf": "Operations" + "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "services": [ - "Subscriptions", - "AKS" + "WAF" ], - "severity": "High", - "subcategory": "Resources", - "text": "Ensure your subscription has enough quota to scale out your nodepools", - "waf": "Operations" + "severity": "Medium", + "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", - "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "services": [ - "AKS" + "Entra", + "WAF" ], "severity": "High", - "subcategory": "Resources", - "text": "Configure Liveness and Readiness probes for all deployments", - "waf": "Operations" + "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "services": [ - "AKS" + "RBAC", + "AVS", + "WAF" ], "severity": "Medium", - "subcategory": "Scalability", - "text": "Use the Cluster Autoscaler", - "waf": 
"Performance" + "text": "Has an RBAC model been created for use within VMware vSphere", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", "services": [ - "AKS" + "RBAC", + "WAF" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "Customize node configuration for AKS node pools", - "waf": "Performance" + "severity": "Medium", + "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", "services": [ - "AKS" + "RBAC", + "AVS", + "WAF" ], - "severity": "Medium", - "subcategory": "Scalability", - "text": "Use the Horizontal Pod Autoscaler when required", - "waf": "Performance" + "severity": "High", + "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": 
"https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", "services": [ - "AKS" + "RBAC", + "WAF" ], "severity": "High", - "subcategory": "Scalability", - "text": "Consider an appropriate node size, not too large or too small", - "waf": "Performance" + "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", "services": [ - "AKS" + "AVS", + "WAF" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "severity": "High", + "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", "waf": "Performance" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", "services": [ - "AKS" + "NetworkWatcher", + "VPN", + "Monitor", + "ExpressRoute", + "WAF" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "Consider subscribing to EventGrid Events for AKS automation", - "waf": "Performance" + "severity": 
"High", + "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", "services": [ - "AKS" + "NetworkWatcher", + "AVS", + "VM", + "Monitor", + "ExpressRoute", + "WAF" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "For long running operation on an AKS cluster consider event termination", - "waf": "Performance" + "severity": "Medium", + "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "services": [ - "AKS" + "NetworkWatcher", + "AVS", + "VM", + "Monitor", + "WAF" ], - "severity": "Low", - "subcategory": "Scalability", - "text": "If required consider using Azure Dedicated Hosts for AKS nodes", - "waf": "Performance" + "severity": "Medium", + "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project 
id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", "services": [ - "Storage", - "AKS" + "ARS", + "WAF" ], "severity": "High", - "subcategory": "Storage", - "text": "Use ephemeral OS disks", - "waf": "Performance" + "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", "services": [ - "Storage", - "AKS" + "Entra", + "RBAC", + "AVS", + "WAF" ], "severity": "High", - "subcategory": "Storage", - "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", - "waf": "Performance" + "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", "services": [ - "Storage", - "AKS" + "Entra", + "RBAC", + "AVS", + "WAF" ], - "severity": "Low", - "subcategory": "Storage", - "text": "For hyper performance storage option use Ultra Disks on AKS", - "waf": "Performance" + "severity": "High", + "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", "services": [ - "SQL", - "Storage", - "AKS" + "Entra", + "AVS", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", - "waf": "Performance" + "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", "services": [ - "Storage", - "AKS" + "WAF" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", - "waf": "Performance" + "severity": "High", + "text": "Limit use of CloudAdmin account to emergency access only", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "services": [ - "Storage", - "AKS" + "RBAC", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", - "waf": "Performance" + "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "9f519499-5820-4060-88fe-cab4538c9dd0", - "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": 
"9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", "services": [ - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Physical", - "text": "All planned storage pools should use direct-attached storage (SATA, SAS, NVMe)", - "waf": "Performance" + "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "f7c015e0-7d97-4283-b006-567afeb2b5ca", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/drive-symmetry-considerations#understand-capacity-imbalance", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", "services": [ - "Storage", - "ACR" + "Entra", + "AVS", + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Physical", - "text": "Disks are symmetrical across all nodes", - "waf": "Performance" + "severity": "High", + "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "f785b143-2c1e-4466-9baa-dde8ba4c7aaa", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/fault-tolerance#parity", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", "services": [ - "Storage", - "Backup" + "WAF" ], "severity": "Medium", - "subcategory": "S2D", - "text": "Parity type disk redundancy should only be used for low I/O volumes (backup/archive)", - "waf": "Performance" + "text": "Is East-West traffic filtering implemented within NSX-T", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "8a705965-9840-43cc-93b3-06d089406bb4", - "link": 
"https://learn.microsoft.com/windows-server/storage/storage-spaces/storage-spaces-direct-hardware-requirements#physical-deployments", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", "services": [ - "Storage" + "AVS", + "AppGW", + "Firewall", + "WAF" ], - "severity": "Medium", - "subcategory": "S2D", - "text": "Ensure there at least 2 capacity disks with available capacity in the Storage Pool", - "waf": "Reliability" + "severity": "High", + "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "2a4f629a-d623-4610-a8e3-d6fd66057d8e", - "link": "https://learn.microsoft.com/windows-server/storage/storage-spaces/delimit-volume-allocation", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", "services": [ - "Storage" + "AVS", + "WAF" ], - "severity": "Low", - "subcategory": "S2D", - "text": "'Delimited allocation' has been considered to improve volume resiliency in a multi-node failure", - "waf": "Reliability" + "severity": "High", + "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "960eb9be-1f0f-4fc1-9b31-fcf1cf9e34e6", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/plan-volumes#choosing-how-many-volumes-to-create", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", "services": [ - "Storage" + "Monitor", + "AVS", + "WAF" ], "severity": 
"Medium", - "subcategory": "S2D", - "text": "CSVs are created in multiples of node count", - "waf": "Performance" + "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "859ba2b9-a3a8-4ca1-bb61-165effbf1c03", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/cache", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", "services": [ - "Storage" + "DDoS", + "VPN", + "ExpressRoute", + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "S2D", - "text": "If a cache tier is implemented, the number of capacity drives is a multiple of the number of cache drives", - "waf": "Performance" + "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", + "waf": "Security" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", + "services": [ + "AVS", + "WAF" + ], + "severity": "Medium", + "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", + "waf": "Security" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", + "services": [ + "AVS", + "Defender", + "WAF" + ], + "severity": "Medium", + "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "d8a65f05-db06-461d-81dc-7899ad3f8f1e", - "link": 
"https://learn.microsoft.com/azure-stack/hci/concepts/plan-volumes#reserve-capacity", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", "services": [ - "Storage" + "AVS", + "Arc", + "WAF" ], "severity": "Medium", - "subcategory": "S2D", - "text": "A minimum of 1 type of each disk type per node has been factored as a reserve disk", - "waf": "Reliability" + "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "description": "VMFleet is a tool that can be used to measure the performance of a storage subsystem, best used to baseline performance prior to workload deployment", - "guid": "9d138f1d-5363-476e-bbd7-acfa500bdc0c", - "link": "https://github.com/microsoft/diskspd/wiki/VMFleet", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", "services": [ - "Storage" + "AVS", + "SQL", + "WAF" ], "severity": "Low", - "subcategory": "S2D", - "text": "VMFleet has been run prior to workload deployment to baseline storage performance", - "waf": "Performance" + "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "13c12e2a-c938-4dd1-9223-507d5e17f9c5", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", "services": [ - "Storage" + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Host OS", - "text": "OS drives use a dedicated storage controller", - "waf": "Reliability" + "severity": "Low", + "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", + "waf": "Security" }, { - "category": "Storage", - "checklist": "Azure Stack HCI Review", - "guid": "a631e7dc-8879-45bd-b0a7-e5927b805428", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/use-csv-cache", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", "services": [ - "Storage" + "AVS", + "WAF" ], "severity": "Medium", - "subcategory": "Host OS", - "text": "CSV in-memory read caching is enabled and properly configured", - "waf": "Performance" + "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "c062cd9a-f1db-4f83-aab3-9cb03f56c140", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements#switch-embedded-teaming-set", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", "services": [ - "ACR" + "WAF" ], - "severity": "Medium", - "subcategory": "Host", - "text": "NICs are symmetrical across nodes", + "severity": "High", + "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID 
specification)", "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "ea8054db-a558-4533-80c8-5d9cf447ba19", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", "services": [ - "Storage" + "Storage", + "AzurePolicy", + "WAF" ], "severity": "High", - "subcategory": "Host", - "text": "Storage networking is redundant", - "waf": "Reliability" - }, - { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "15d976c5-e267-49a1-8b00-62010bfa5188", - "link": "https://learn.microsoft.com/azure-stack/hci/deploy/network-atc", - "services": [], - "severity": "Medium", - "subcategory": "Host", - "text": "Host networking configuration is managed by Network ATC and intents are healthy", + "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "676c53ad-b29a-4de1-9d03-d7d2674405b8", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/network-hud-overview", - "services": [], - "severity": "Low", - "subcategory": "Host", - "text": "Network HUD has been configured", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", + "services": [ + "ASR", + "WAF" + ], + "severity": "High", + "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "8f6d58d9-6c1a-4ec1-b2d7-b2c6ba8f3949", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/host-network-requirements", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": 
"5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "services": [ - "Storage", - "VNet" + "WAF" ], "severity": "Medium", - "subcategory": "Host", - "text": "Storage NICs are assigned static IP addresses on separate subnets and VLANs", - "waf": "Reliability" + "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "824e53ec-953e-40c2-a6b8-52970b5b0f74", - "link": "https://learn.microsoft.com/azure-stack/hci/plan/two-node-switched-converged", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", + "services": [ + "AzurePolicy", + "WAF" + ], "severity": "Medium", - "subcategory": "Host", - "text": "For switchless designs, dual link full mesh connectivity has been implemented", - "waf": "Reliability" + "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "dbc85d0e-0ebd-4589-a789-0fa8ceb1d0f0", - "link": "https://learn.microsoft.com/azure-stack/hci/concepts/physical-network-requirements#using-switchless", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", "services": [ - "Storage" + "AVS", + "Cost", + "WAF" ], "severity": "Medium", - "subcategory": "Host", - "text": "If the cluster is made up of more than 3 nodes, a switched storage network has been implemented", - "waf": "Reliability" + "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used", + "waf": "Cost" }, { - "category": "Networking", - "checklist": "Azure Stack HCI 
Review", - "guid": "603c6d71-59d2-419c-a312-8edc6e799c6a", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", "services": [ - "Storage" + "AVS", + "Cost", + "WAF" ], - "severity": "High", - "subcategory": "Host", - "text": "RDMA is enabled on the Storage networking", - "waf": "Performance" - }, - { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "9e260eae-bca1-4827-a259-76ee63fda8d6", - "link": "https://github.com/microsoft/SDN/blob/master/Diagnostics/Test-Rdma.ps1", - "services": [], - "severity": "Medium", - "subcategory": "Host", - "text": "Test-RDMA.ps1 has been run to validate the RDMA configuration", - "waf": "Performance" + "severity": "Low", + "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution", + "waf": "Cost" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "description": "This ensures that Management traffic is not exposed to the VM traffic", - "guid": "abc85d0e-0ebd-4589-a777-0fa8ceb1d0f0", - "link": "", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", "services": [ - "VM" + "WAF" ], "severity": "Medium", - "subcategory": "Host", - "text": "If a VMSwitch is shared for Compute and Management traffic, require that Management traffic is tagged with a VLAN ID", + "text": "Consider the use of Azure Private-Link when using other Azure Native Services", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "description": "This ensures you have at least 3 NCs active at all times during NC upgrades.", - "guid": "eb36f5f4-0fa7-4a2c-85f3-1b1c7c7817c0", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", "services": [ - "VM" + "WAF" ], 
- "severity": "Medium", - "subcategory": "SDN", - "text": "There are at least 3 Network Controller VMs deployed", - "waf": "Reliability" + "severity": "High", + "text": "Ensure all required resource reside within the same Azure availability zone(s)", + "waf": "Performance" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "8bc78c85-6028-4a43-af2d-082a0a344909", - "link": "https://learn.microsoft.com/windows-server/networking/sdn/manage/update-backup-restore", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "services": [ - "Backup" + "AVS", + "VM", + "Defender", + "WAF" ], - "severity": "High", - "subcategory": "SDN", - "text": "Backups of SDN infrastructure are configured and tested", - "waf": "Operations" + "severity": "Medium", + "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "51eaa4b6-b9a7-43e1-a7dc-634d3107bc6d", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", "services": [ - "Monitor" + "AVS", + "VM", + "Arc", + "WAF" ], "severity": "Medium", - "subcategory": "Cluster", - "text": "SCOM Managed Instance has been considered for more complex monitoring and alerting scenarios", - "waf": "Operations" + "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "831f5aca-99ef-41e7-8263-9509f5093b43", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/setup-hci-system-alerts", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + 
"service": "AVS", "services": [ - "Monitor" + "AVS", + "WAF" ], "severity": "High", - "subcategory": "Cluster", - "text": "Alerts have been configured for the cluster, either using Azure Monitor, SCOM, or a third-party solution", + "text": "Enable Diagnostic and metric logging on Azure VMware Solution", "waf": "Operations" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "f95d0e7e-9f61-476d-bf65-59f2454d1d39", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/monitor-hci-single?tabs=22h2-and-later", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", "services": [ - "Monitor" + "Monitor", + "AVS", + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Cluster", - "text": "Insights has been enabled at the cluster level and all nodes are reporting data", + "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads", "waf": "Operations" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "f4250fcb-ff53-40c9-b304-3560464fd90c", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/monitor-hci-single?tabs=22h2-and-later", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", "services": [ - "Monitor" + "Backup", + "AVS", + "VM", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Cluster", - "text": "Azure Monitoring Agent has been deployed to hosts and an appropriate Data Collection Rule has been configured", + "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", "waf": "Operations" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "6143af1d-0d1a-4163-b1c9-662f7459bb98", + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", "services": [ - "Monitor" + "Monitor", + "AVS", + "Defender", + "WAF" ], "severity": "Medium", - "subcategory": "Hardware", - "text": "Relevant hardware monitoring has been configured", - "waf": "Operations" + "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution", + "waf": "Security" }, { - "category": "Management and Monitoring", - "checklist": "Azure Stack HCI Review", - "guid": "9cbdf225-549a-41cf-9c97-794766a6f2b0", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/health-service-overview", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", "services": [ - "Monitor" + "Defender", + "WAF" ], "severity": "Medium", - "subcategory": "Hardware", - "text": "Relevant hardware alerting has been configured", - "waf": "Operations" + "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "c0da5bbd-0f0d-4a26-98ec-38c9cc42b323", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", "services": [ - "VM" + "AVS", + "WAF" ], - "severity": "Low", - "subcategory": "VM Management - Resource Bridge", - "text": "The Azure CLI has been installed on every node to enable RB management from WAC", - "waf": "Operations" + "severity": "High", + "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment", + "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "a8ecf23c-c048-4fa9-b87b-51ebfb409863", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": 
"WAF checklist", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", "services": [ - "VM" + "WAF" ], - "severity": "Low", - "subcategory": "VM Management - Resource Bridge", - "text": "DHCP is available in the cluster to support Guest Configuration at VM deployment from Azure", - "waf": "Operations" + "severity": "High", + "text": "Are data processing implications (service provider / service consumer model) clear and documented", + "waf": "Security" }, { - "category": "Backup and Disaster Recovery", - "checklist": "Azure Stack HCI Review", - "guid": "074541e3-fe08-458a-8062-32d13dcc10c6", - "link": "https://learn.microsoft.com/azure/backup/back-up-azure-stack-hyperconverged-infrastructure-virtual-machines", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "services": [ - "Backup", - "VM", - "ASR" + "WAF" ], - "severity": "High", - "subcategory": "VM", - "text": "Backups of HCI VMs have been configured using MABS or a third-party solution", - "waf": "Operations" + "severity": "Medium", + "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).", + "waf": "Security" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "48f7ae57-1035-4101-8a38-fbe163d03e8a", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", + "services": [ + "Monitor", + "AVS", + "WAF" + ], "severity": "High", - "subcategory": "Cluster Configuration", - "text": "Cluster configuration or a configuration script has been documented and maintained", + "text": "Create dashboards to enable core Azure VMware Solution monitoring insights", "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "f2a6a19a-ffe6-444d-badb-cb336c8e7b50", - "link": 
"https://learn.microsoft.com/azure-stack/hci/manage/witness", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", + "services": [ + "Monitor", + "AVS", + "WAF" + ], "severity": "High", - "subcategory": "Cluster Configuration", - "text": "A cluster witness has been configured for clusters with less than 5 nodes", - "waf": "Reliability" - }, - { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "a47339fe-62c5-44a0-bb83-3d46ef16292f", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/update-cluster", - "services": [], - "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "Cluster-Aware Updating has been configured for Windows and hardware updates (if available)", + "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "7f1d6fe8-3079-44ea-8ea6-14494d1aa470", - "link": "https://learn.microsoft.com/azure-stack/hci/deploy/validate", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", + "services": [ + "Monitor", + "AVS", + "WAF" + ], "severity": "High", - "subcategory": "Cluster Configuration", - "text": "Cluster validation has been run against the configured cluster", - "waf": "Reliability" + "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "81693af0-5638-4aa2-a153-1d6189df30a7", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits", + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", "services": [ - "VM" + "Monitor", + "WAF" ], - "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "Azure Benefits has been enabled at the cluster and VM levels", - "waf": "Cost" - }, - { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "8c967ee8-8170-4537-a28d-33431cd3632a", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/use-environment-checker", - "services": [], - "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "The Environment Checker module has been run to validate the environment", - "waf": "Reliability" + "severity": "High", + "text": "Ensure alerts are configured for Azure Service Health alerts and notifications", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "43ffbfab-766e-4950-a102-78b479136e4d", - "link": "https://learn.microsoft.com/azure-stack/hci/manage/azure-benefits", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "services": [ - "AzurePolicy" + "AVS", + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "Group Policy inheritance on the HCI cluster and node Active Directory organizational unit has been blocked or applied policies have been evaluated for compatibility issues (usually WinRM and PowerShell execution policy)", + "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing", "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "e6a3f3a7-4a7d-49e2-985a-6e39dd284027", - "services": [], - "severity": "Medium", - "subcategory": "Cluster Configuration", - "text": "WAC is on the latest release and configured 
to automatically upgrade extensions", - "waf": "Reliability" - }, - { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "d1caa31f-cc26-42b2-b92f-2b667c0e6020", - "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", "services": [ - "Entra" + "AVS", + "WAF" ], - "severity": "Medium", - "subcategory": "Stretch Clustering", - "text": "There is sub 5ms latency between each site if synchronous replication is being configured AAD", - "waf": "Performance" + "severity": "Low", + "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?", + "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "3277558e-3155-4088-b49a-78594cb4ce1a", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "services": [ "Storage", - "VNet" + "VM", + "AzurePolicy", + "WAF" ], "severity": "High", - "subcategory": "Stretch Clustering", - "text": "Management, Replication and Storage networks excluded from stretched VLANs configurations, are routed, and in different subnets", - "waf": "Reliability" - }, - { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "baed6066-8531-44ba-bd94-38cbabbf4099", - "services": [], - "severity": "High", - "subcategory": "Stretch Clustering", - "text": "There is a plan detailed for site failure and recovery", + "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning", "waf": "Operations" }, { - "category": "Networking", - "checklist": "Azure Stack HCI Review", - "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b4", + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", "services": [ - "ACR" + "WAF" ], "severity": "Medium", - "subcategory": "Stretch Clustering", - "text": "Separate vLANs and networks are used for each replication network across both sites", - "waf": "Reliability" + "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b5", - "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr#cost-optimization", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", "services": [ - "Storage" + "Storage", + "Backup", + "WAF" ], - "severity": "High", - "subcategory": "Stretch Clustering", - "text": "Use either a cloud witness or a file share witness in a third site for cluster quorum for clusters with less than 5 nodes", - "waf": "Reliability" + "severity": "Medium", + "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "8e62945f-b9ac-4a5c-a4e4-836f527010b6", - "link": "https://learn.microsoft.com/azure/architecture/hybrid/azure-stack-hci-dr#cost-optimization", - "services": [], - "severity": "High", - "subcategory": "Stretch Clustering", - "text": "When using data deduplication, only enable it on the primary/source volumes", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", + "services": [ + "AVS", + "Arc", + "WAF" + ], + "severity": "Medium", + "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)", + "waf": "Operations" }, { - "category": "Operations", - "checklist": "Azure Stack HCI Review", - "guid": "ac527887-f6f4-40a3-b883-e04d704f013b", - "link": "https://learn.microsoft.com/windows-server/storage/storage-replica/stretch-cluster-replication-using-shared-storage#provision-operating-system-features-roles-storage-and-network", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "services": [ - "Storage" + "Monitor", + "AVS", + "WAF" ], - "severity": "High", - "subcategory": "Stretch Clustering", - "text": "Storage backing log volumes must be faster (ideally) or at least as fast as capacity storage", - "waf": "Reliability" + "severity": "Medium", + "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", + "waf": "Operations" }, { - "category": "Backup and Disaster Recovery", - "checklist": "Azure Stack HCI Review", - "guid": "8ea49f70-1038-4283-b0c4-230165d3eabc", - "link": 
"https://learn.microsoft.com/azure-stack/hci/manage/azure-site-recovery", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "services": [ - "Backup", - "ASR" + "AVS", + "WAF" ], "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Azure Site Recovery has been considered for DR purposes", + "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management", "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Stack HCI Review", - "guid": "03e65fdc-2628-4a1a-ba2e-a5174340ba52", - "link": "https://learn.microsoft.com/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", + "services": [ + "Monitor", + "AVS", + "AzurePolicy", + "WAF" + ], "severity": "Medium", - "subcategory": "Host", - "text": "BitLocker has been enabled on CSVs for volume encryption, where appropriate", - "waf": "Security" + "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", + "waf": "Operations" }, { - "category": "Security", - "checklist": "Azure Stack HCI Review", - "guid": "9645d2e6-ba28-453c-b6d5-d9ef29fc34be", - "link": "https://learn.microsoft.com/windows-server/storage/file-server/smb-security", - "services": [], + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "WAF checklist", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", + "services": [ + "AVS", + "Defender", + "WAF" + ], "severity": "Medium", - "subcategory": "Host", - "text": "SMB encryption has been enabled, where appropriate", + "text": "Ensure workloads running on Azure 
VMware Solution are onboarded to Microsoft Defender for Cloud",
 "waf": "Security"
 },
 {
- "category": "Security",
- "checklist": "Azure Stack HCI Review",
- "guid": "8f03437a-5068-4486-9a78-0402ce771298",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
+ "service": "AVS",
 "services": [
- "Defender"
+ "Backup",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Host",
- "text": "Microsoft Defender Antivirus has been enabled on all nodes",
- "waf": "Security"
+ "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure Stack HCI Review",
- "guid": "dba6b211-fc02-43b3-b7c8-f163c188332e",
- "link": "https://learn.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage",
- "services": [],
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
+ "service": "AVS",
+ "services": [
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Host",
- "text": "Credential Guard has been configured, where appropriate",
- "waf": "Security"
+ "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]",
+ "waf": "Reliability"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "d7e47431-76c8-4bdb-b55b-ce619e8a03f9",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-service-principal?pivots=aro-azurecli",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
+ "service": "AVS",
 "services": [
- "RBAC",
- "Entra"
+ "ASR",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Identity",
- "text": "Create a service principal and its role assignments before creating the ARO clusters.",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
+ "waf": "Reliability"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "7879424d-6267-486d-90b9-6c97be985190",
- "link": "https://learn.microsoft.com/azure/openshift/configure-azure-ad-ui",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
+ "service": "AVS",
 "services": [
- "Entra"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Identity",
- "text": "Use AAD to authenticate users in your ARO cluster.",
- "waf": "Security"
+ "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible",
+ "waf": "Reliability"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "adfec5f9-a82d-46e9-a8d1-5a0c7fed5d15",
- "link": "https://docs.openshift.com/container-platform/4.14/authentication/remove-kubeadmin.html",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "8255461e-2aee-4345-9aec-8339248b262d",
+ "service": "AVS",
 "services": [
- "Entra"
+ "ASR",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "When using AAD authentication, remove kubeadmin user from the cluster.",
- "waf": "Security"
+ "text": "Use the geopolitical region pair as the secondary disaster recovery environment",
+ "waf": "Reliability"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "483835c9-86bb-4291-8155-a11475e39f54",
- "link": "https://docs.openshift.com/container-platform/4.13/applications/projects/working-with-projects.html",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
+ "service": "AVS",
 "services": [
- "RBAC",
- "Entra"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Identity",
- "text": "Define OpenShift projects to restrict RBAC privilege and isolate workloads in your cluster.",
- "waf": "Security"
+ "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
+ "waf": "Reliability"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "0acccd97-9376-4bcd-a375-0ab2ab039da6",
- "link": "https://docs.openshift.com/container-platform/4.13/authentication/using-rbac.html",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
+ "service": "AVS",
 "services": [
- "RBAC",
- "Entra"
+ "AVS",
+ "ExpressRoute",
+ "NVA",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Define the required RBAC roles in OpenShift are scoped to either a project or a cluster.",
- "waf": "Security"
+ "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
+ "waf": "Reliability"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "d54d7c89-29db-4107-b532-5ae625ca44e4",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
+ "service": "AVS",
 "services": [
- "AKV",
- "Entra"
+ "Backup",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Minimize the number of users who have administrator rights and secrets access.",
- "waf": "Security"
+ "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]",
+ "waf": "Reliability"
 },
 {
- "category": "Identity and Access Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "685e2223-ace8-4bb1-8307-ca5f16f154e3",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
+ "service": "AVS",
 "services": [
- "RBAC",
- "Entra"
+ "AVS",
+ "Backup",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Identity",
- "text": "Use Privileged Identity Management in AAD for ARO users with privileged roles.",
- "waf": "Security"
+ "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
+ "waf": "Reliability"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "aa369282-9e7e-4216-8836-87af467a1f89",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
+ "service": "AVS",
 "services": [
- "WAF",
- "Subscriptions",
- "VNet",
- "Entra",
- "DDoS",
- "Firewall"
+ "Backup",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "DDoS",
- "text": "Use Azure DDoS Network/IP Protection to protect the virtual network you use for the ARO cluster unless you use Azure Firewall or WAF in a centralized subscription",
- "waf": "Security"
- },
- {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "35bda433-24f1-4481-8533-182aa5174269",
- "link": "https://docs.openshift.com/container-platform/4.13/networking/routes/secured-routes.html",
- "services": [],
- "severity": "High",
- "subcategory": "Encryption",
- "text": "All web applications you configure to use an ingress should use TLS encryption and shouldn't allow access over unencrypted HTTP.",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Deploy your backup solution outside of vSan, on Azure native components",
+ "waf": "Reliability"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "44008ae7-d7e4-4743-876c-8bdbf55bce61",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
+ "service": "AVS",
 "services": [
- "WAF",
- "FrontDoor"
+ "AVS",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Internet",
- "text": "Use Azure Front Door with WAF to securely publish ARO applications to the internet, especially in multi-region environments.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
+ "waf": "Reliability"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "9e8a03f9-7879-4424-b626-786d60b96c97",
- "link": "https://learn.microsoft.com/azure/openshift/howto-secure-openshift-with-front-door",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1",
+ "service": "AVS",
 "services": [
- "FrontDoor",
- "PrivateLink"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Internet",
- "text": "If exposing an app on ARO with Azure Front Door, use private link to connect Front Door with the ARO router.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "For manual deployments, all configuration and deployments must be documented",
+ "waf": "Operations"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "be985190-4838-435c-a86b-b2912155a114",
- "link": "https://learn.microsoft.com/azure/openshift/howto-restrict-egress",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa",
+ "service": "AVS",
 "services": [
- "AzurePolicy",
- "NVA",
- "Firewall"
+ "AVS",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Internet",
- "text": "If your security policy requires you to inspect all outbound internet traffic that's generated in the ARO cluster, secure egress network traffic by using Azure Firewall or an NVA.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud",
+ "waf": "Operations"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "75e39f54-0acc-4cd9-9937-6bcda3750ab2",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-private-cluster-4x",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
+ "service": "AVS",
 "services": [
- "AzurePolicy"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Private access",
- "text": "If your security policy requires you to use a private IP address for the OpenShift API, deploy a private ARO cluster.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "For automated deployments, deploy a minimal private cloud and scale as needed",
+ "waf": "Operations"
 },
 {
- "category": "Network topology and connectivity",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "ab039da6-d54d-47c8-a29d-b107d5325ae6",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
+ "service": "AVS",
 "services": [
- "ACR",
- "PrivateLink"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Private access",
- "text": "Use Azure Private Link to secure network connections to managed Azure services, including to Azure Container Registry.",
- "waf": "Security"
+ "severity": "Low",
+ "text": "For automated deployments, request or reserve quota prior to starting the deployment",
+ "waf": "Operations"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "25ca44e4-685e-4222-9ace-8bb12307ca5f",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-enable-arc-enabled-clusters",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
+ "service": "AVS",
 "services": [
- "Monitor"
+ "AzurePolicy",
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Operations",
- "text": "Establish a monitoring process using the inbuilt Prometheus, OpenShift Logging or Container Insights integration.",
+ "severity": "Low",
+ "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance",
 "waf": "Operations"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "16f154e3-aa36-4928-89e7-e216183687af",
- "link": "https://docs.openshift.com/container-platform/4.13/cicd/pipelines/understanding-openshift-pipelines.html",
- "services": [],
- "severity": "Medium",
- "subcategory": "Operations",
- "text": "Automate the application delivery process through DevOps practices and CI/CD solutions, such as Pipelines/GitOps provided by OpenShift.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558",
+ "service": "AVS",
+ "services": [
+ "AKV",
+ "WAF"
+ ],
+ "severity": "Low",
+ "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use",
 "waf": "Operations"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "467a1f89-35bd-4a43-924f-14811533182a",
- "link": "https://learn.microsoft.com/azure/architecture/guide/design-principles/managed-services",
- "services": [],
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "255461e2-aee3-4553-afc8-339248b262d6",
+ "service": "AVS",
+ "services": [
+ "AKV",
+ "AVS",
+ "ExpressRoute",
+ "WAF"
+ ],
 "severity": "Low",
- "subcategory": "Operations",
- "text": "Whenever possible, remove the service state from inside containers. Instead, use an Azure platform as a service (PaaS) that supports multiregion replication.",
+ "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute",
 "waf": "Operations"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "1b7da8cf-aa66-4e15-b4d5-ada97dc3e232",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-storageclass",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd",
+ "service": "AVS",
 "services": [
- "Storage"
+ "AVS",
+ "WAF"
 ],
 "severity": "Low",
- "subcategory": "Operations",
- "text": "Use RWX storage with inbuilt Azure Files storage class.",
+ "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.",
 "waf": "Operations"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "6bb235c7-05e1-4696-bded-fa8a4c8cdec4",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/clusters/nodes-cluster-limit-ranges.html",
- "services": [],
- "severity": "Medium",
- "subcategory": "Performance",
- "text": "Use pod requests and limits to manage the compute resources within a cluster.",
- "waf": "Performance"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3",
+ "service": "AVS",
+ "services": [
+ "WAF"
+ ],
+ "severity": "Low",
+ "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs",
+ "waf": "Operations"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "c620c30c-14ee-4b7f-9ae8-d9b3fec228e7",
- "link": "https://docs.openshift.com/container-platform/4.13/applications/quotas/quotas-setting-per-project.html",
- "services": [],
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b",
+ "service": "AVS",
+ "services": [
+ "AVS",
+ "Subscriptions",
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Performance",
- "text": "Enforce resource quotas on projects.",
+ "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution",
 "waf": "Performance"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "87ab177a-db59-4f6b-a613-334fd09dc234",
- "link": "https://docs.openshift.com/container-platform/4.13/machine_management/applying-autoscaling.html",
- "services": [],
- "severity": "High",
- "subcategory": "Performance",
- "text": "Define ClusterAutoScaler and MachineAutoScaler to scale machines when your cluster runs out of resources to support more deployments.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b",
+ "service": "AVS",
+ "services": [
+ "Storage",
+ "AzurePolicy",
+ "WAF"
+ ],
+ "severity": "Medium",
+ "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action",
 "waf": "Performance"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "19db6128-1269-4040-a4ba-4d3e0804276d",
- "link": "https://learn.microsoft.com/azure/openshift/support-policies-v4#supported-virtual-machine-sizes",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82",
+ "service": "AVS",
 "services": [
- "VM"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Reliability",
- "text": "Use virtual machine sizes that are large enough to contain multiple container instances so you get the benefits of increased density, but not so large that your cluster can't handle the workload of a failing node.",
- "waf": "Reliability"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "4b98b15c-8b31-4aa5-aceb-58889135e227",
- "link": "https://docs.openshift.com/container-platform/4.13/machine_management/deploying-machine-health-checks.html",
- "services": [],
- "severity": "High",
- "subcategory": "Reliability",
- "text": "Deploy machine health checks to automatically repair damaged machines in a machine pool.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)",
+ "waf": "Performance"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "896d31b6-6c67-4ba5-a119-c08e8f5d587c",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-metric-alerts",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "bf15bce2-19e4-4a0e-a588-79424d226786",
+ "service": "AVS",
 "services": [
- "Monitor"
+ "WAF"
 ],
- "severity": "High",
- "subcategory": "Reliability",
- "text": "Use an alerting system to provide notifications when things need direct action: Container Insights metric alerts or in-built Alerting UI.",
- "waf": "Reliability"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "7e9ced16-acd1-476e-b9b2-41a998a57ae7",
- "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview#availability-zones",
- "services": [],
- "severity": "High",
- "subcategory": "Reliability",
- "text": "Ensure that the cluster is created in a region that supports AZs and create a machine set for each AZ.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)",
+ "waf": "Performance"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "7b997e71-1b7d-4a8c-baa6-6e15d4d5ada9",
- "link": "https://docs.openshift.com/container-platform/4.13/machine_management/creating-infrastructure-machinesets.html",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29",
+ "service": "AVS",
 "services": [
- "AKS"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Reliability",
- "text": "Create infrastructure machine sets to hold infrastructure components. Apply specific Kubernetes labels to these machines and then update the infrastructure components to run on only those machines.",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "Define and enforce scale in/out maximum limits for your environment in the automations",
+ "waf": "Performance"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "7dc3e232-6bb2-435c-905e-1696fdedfa8a",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup#create-a-backup-with-velero-to-include-snapshots",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc",
+ "service": "AVS",
 "services": [
- "Backup"
+ "Monitor",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Reliability",
- "text": "Create application backup and plan for restore and include persistent volumes in the backup.",
- "waf": "Reliability"
+ "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses",
+ "waf": "Operations"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "81c12318-1a64-4174-8583-3fb4ae3c2df7",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-priority.html",
- "services": [],
- "severity": "Low",
- "subcategory": "Reliability",
- "text": "Use pod priorities, so that in case of limited resources the most critical pods will run.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "AVS",
+ "services": [
+ "VM",
+ "WAF"
+ ],
+ "severity": "High",
+ "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])",
+ "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
 "waf": "Reliability"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "43166c3b-cbe0-45bb-b209-d4a0da577784",
- "link": "https://docs.openshift.com/container-platform/4.13/architecture/admission-plug-ins.html",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "AVS",
 "services": [
- "AzurePolicy"
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Security",
- "text": "Regulate cluster functions using admission plug-ins, which are commonly used to enforce security policy, resource limitations, or configuration requirements.",
- "waf": "Security"
+ "severity": "High",
+ "text": "When using MON, you cannot enable MON on more than 100 Network extensions",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "waf": "Reliability"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "24d21678-5d2f-4a56-a56a-d48408fe8273",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf",
+ "service": "AVS",
 "services": [
- "ACR"
+ "VPN",
+ "WAF"
 ],
- "severity": "Low",
- "subcategory": "Security",
- "text": "Store your container images in Azure Container Registry and geo-replicate the registry to each region.",
- "waf": "Security"
- },
- {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "4c486ba2-80dc-4059-8cf7-5ee8e1309ccc",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-vertical-autoscaler.html",
- "services": [],
 "severity": "Medium",
- "subcategory": "Workload",
- "text": "Optimize the CPU and memory request values, and maximize the efficiency of the cluster resources using vertical pod autoscaler.",
+ "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.",
 "waf": "Performance"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "d579366b-cda2-4750-aa1a-bfe9d55d14c3",
- "link": "https://docs.openshift.com/container-platform/4.13/applications/application-health.html",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "e614658d-d457-4e92-9139-b821102cad6e",
+ "service": "AVS",
 "services": [
- "Monitor"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Workload",
- "text": "Add health probes to your pods to monitor application health. Make sure pods contain livenessProbe and readinessProbe. Use Startup probes to determine the point at which the application has started up.",
- "waf": "Reliability"
+ "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance",
+ "waf": "Performance"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "c4929cb1-b3d1-4325-ae12-4ba34d0685ed",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-autoscaling.html",
- "services": [],
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521",
+ "service": "AVS",
+ "services": [
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Workload",
- "text": "Scale pods to meet demand using horizontal pod autoscaler.",
+ "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)",
 "waf": "Reliability"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "dce9be3b-b0dd-4b3b-95fb-2ec14eeaa359",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-configuring.html#nodes-pods-pod-distruption-about_nodes-pods-configuring",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "AVS",
 "services": [
- "Cost"
+ "AVS",
+ "VM",
+ "Storage",
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Workload",
- "text": "Use disruption budgets to ensure the required number of pod replicas exist to handle expected application load.",
+ "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.",
 "waf": "Reliability"
 },
 {
- "category": "Operations management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "2829e2ed-b217-4367-9aff-6791b4935ada",
- "link": "https://docs.openshift.com/container-platform/4.13/nodes/scheduling/nodes-scheduler-pod-topology-spread-constraints.html",
- "services": [],
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
+ "service": "AVS",
+ "services": [
+ "Storage",
+ "ExpressRoute",
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Workload",
- "text": "Use pod topology constraints to automatically schedule pods on nodes throughout the cluster.",
+ "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "fea1dbf3-dd95-4d48-a7c8-91dcb1f7d575",
- "link": "https://learn.microsoft.com/azure/openshift/intro-openshift#service-level-agreement",
- "services": [],
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
+ "service": "AVS",
+ "services": [
+ "Storage",
+ "ExpressRoute",
+ "WAF"
+ ],
 "severity": "Medium",
- "subcategory": "Availablity",
- "text": "Leverage Current ARO SLA - 99.95 into BCDR planning",
+ "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "b95e06e1-58e2-4ea3-a92c-2de6e2065b3a",
- "link": "https://www.redhat.com/rhdc/managed-files/pa-getting-started-azure-openshift-ebook-f20686-201911-en_0.pdf",
- "services": [],
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "service": "AVS",
+ "services": [
+ "ASR",
+ "WAF"
+ ],
 "severity": "High",
- "subcategory": "Cluster Design",
- "text": "Run user workloads on the worker nodes, not the control plane nodes",
+ "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "description": "Create infrastructure machine sets to hold infrastructure components. Apply specific Kubernetes labels to these machines and then update the infrastructure components to run on only those machines",
- "guid": "76af4a69-1e88-439a-ba46-667e13c10567",
- "link": "https://learn.microsoft.com/azure/openshift/howto-segregate-machinesets",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
+ "service": "AVS",
 "services": [
- "VNet",
- "AKS"
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Cluster Design",
- "text": "Isolate workloads into worker nodes running in individual subnets as needed",
+ "severity": "High",
+ "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "785c6fe9-6c96-4ad8-a44c-f3b2b38c886b",
- "link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
+ "service": "AVS",
 "services": [
- "Backup"
+ "ExpressRoute",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Backup",
- "text": "Backup a cluster state for stateful workload scenarios to a paired region",
+ "severity": "High",
+ "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.",
 "waf": "Reliability"
 },
 {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "a2c02149-9014-4a5d-9ce5-74dccbd9792a",
- "link": "https://access.redhat.com/documentation/red_hat_openshift_container_storage/4.4/html/deploying_and_managing_openshift_container_storage_on_microsoft_azure/deploying-openshift-container-storage-on-microsoft-azure_rhocs",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed",
+ "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
+ "service": "AVS",
 "services": [
- "Storage",
- "ACR"
+ "ExpressRoute",
+ "WAF"
 ],
- "severity": "Medium",
- "subcategory": "Data Store",
- "text": "If container storage is required, ensure availability across regions if needed: Using RWX storage with inbuilt Azure Files storage class. Using CSI Drivers for storage provisioning",
- "waf": "Reliability"
- },
- {
- "category": "Operations Management",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "6bcca2b4-fea1-4dbf-9dd9-5d48c7c891dc",
- "link": "https://docs.openshift.com/aro/3/dev_guide/persistent_volumes.html",
- "services": [],
- "severity": "Medium",
- "subcategory": "Data Store",
- "text": "Whenever possible, move state out of containers and into external databases that support multi-region replication. Avoid Persistent Volumes",
+ "severity": "High",
+ "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.",
 "waf": "Reliability"
 },
 {
- "category": "Platform Automation",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "42324ece-81c1-4231-a1a6-417415833fb4",
- "link": "https://docs.openshift.com/container-platform/4.13/applications/deployments/route-based-deployment-strategies.html",
- "services": [],
- "severity": "Low",
- "subcategory": "Workload",
- "text": "Consider blue/green or canary strategies to deploy new releases of application.",
- "waf": "Operations"
- },
- {
- "category": "Platform Automation",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "ae3c2df7-4316-46c3-acbe-05bbe209d4a0",
- "link": "https://docs.openshift.com/container-platform/4.13/cicd/gitops/understanding-openshift-gitops.html",
- "services": [],
- "severity": "Low",
- "subcategory": "Workload",
- "text": "Consider using Red Hat OpenShift GitOps. Red Hat OpenShift GitOps uses Argo CD to maintain cluster resources and support application CI/CD.",
- "waf": "Operations"
- },
- {
- "category": "Security",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "da577784-24d2-4167-a5d2-fa56c56ad484",
- "link": "https://learn.microsoft.com/azure/openshift/support-lifecycle",
- "services": [],
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "WAF checklist",
+ "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
+ "service": "AVS",
+ "services": [
+ "WAF"
+ ],
 "severity": "High",
- "subcategory": "Control plane",
- "text": "Keep your clusters on the latest OpenShift version to avoid potential security or upgrade issues.",
- "waf": "Security"
+ "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "08fe8273-4c48-46ba-880d-c0591cf75ee8",
- "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/quickstart-connect-cluster",
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "WAF checklist",
+ "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones",
+ "service": "IoT",
 "services": [
- "Arc",
- "AKS"
+ "WAF"
 ],
 "severity": "High",
- "subcategory": "Control plane",
- "text": "Connect Azure Red Hat OpenShift clusters to Azure Arc-enabled Kubernetes.",
- "waf": "Security"
- },
- {
- "category": "Security",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "e1309ccc-d579-4366-acda-2750aa1abfe9",
- "link": "https://docs.openshift.com/container-platform/4.10/security/encrypting-etcd.html",
- "services": [],
- "severity": "Low",
- "subcategory": "Encryption",
- "text": "For Azure Red Hat OpenShift 4 clusters, etcd data isn't encrypted by default, but it's recommended to enable etcd encryption to provide another layer of data security.",
- "waf": "Security"
+ "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled)",
+ "waf": "Reliability"
 },
 {
- "category": "Security",
- "checklist": "Azure Red Hat OpenShift",
- "guid": "d55d14c3-c492-49cb-8b3d-1325ae124ba3",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
+ "arm-service": "Microsoft.Devices/IotHubs",
+ "checklist": "WAF checklist",
+ "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e",
+ "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover",
+ "service": "IoT",
 "services": [
- "Arc",
- "Defender",
- "AKS"
+ "WAF"
 ],
 "severity": "Medium",
- "subcategory": "Posture",
- "text": "Use Microsoft Defender for Containers supported via Arc-enabled Kubernetes to secure clusters, containers, and applications.",
- "waf": "Security"
+ "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the IoT hubs from an affected region to the corresponding geo-paired region.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "4d0685ed-dce9-4be3-ab0d-db3b55fb2ec1", - "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/tutorial-akv-secrets-provider", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "WAF checklist", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", "services": [ - "Arc", - "AKV", - "AKS" + "WAF" ], - "severity": "Medium", - "subcategory": "Secrets", - "text": "For applications that require access to sensitive information, use a service principal and the AKV Secrets Provider with the extension for Arc-enabled Kubernetes clusters.", - "waf": "Security" + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "4eeaa359-2829-4e2e-bb21-73676aff6791", - "link": "https://learn.microsoft.com/azure/aks/developer-best-practices-pod-security#secure-pod-access-to-resources", - "services": [], - "severity": "Medium", - "subcategory": "Workload", - "text": "Secure pod access to resources. 
Provide the least number of permissions, and avoid using root or privileged escalation.", - "waf": "Security" + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "WAF checklist", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "services": [ + "WAF" + ], + "severity": "High", + "text": "Learn how to trigger a manual failover.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "b4935ada-4232-44ec-b81c-123181a64174", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-extension-for-azure-arc-enabled-kubernetes", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "WAF checklist", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", "services": [ - "Monitor", - "AzurePolicy" + "WAF" ], - "severity": "Medium", - "subcategory": "Workload", - "text": "Monitor and enforce configuration by using the Azure Policy Extension.", - "waf": "Security" + "severity": "High", + "text": "Learn how to fail back after a failover.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "15833fb4-ae3c-42df-9431-66c3bcbe05bb", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", "services": [ - "Defender" + "WAF" ], "severity": "High", - "subcategory": "Workload", - "text": "Scan your images for vulnerabilities with Microsoft Defender or 
any other image scanning solution.", - "waf": "Security" + "text": "Follow Metaprompting guardrails for resonsible AI", + "waf": "Operational Excellence" }, { - "category": "Security", - "checklist": "Azure Red Hat OpenShift", - "guid": "e209d4a0-da57-4778-924d-216785d2fa56", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", "services": [ - "ACR", - "Subscriptions" + "Entra", + "APIM", + "WAF" ], - "severity": "Low", - "subcategory": "Workload", - "text": "Deploy a dedicated and private instance of Azure Container Registry to each landing zone subscription.", - "waf": "Security" + "severity": "High", + "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", + "waf": "Operational Excellence" }, { - "category": "Governance", - "checklist": "Azure Key Vault", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", "services": [ - "AKV", - "Backup" + "Monitor", + "WAF" ], "severity": "High", - "subcategory": "Deployment best practices", - "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", - "waf": "Reliability" + "text": "Enable monitoring for your AOAI instances", + "waf": "Operational Excellence" }, { - 
"category": "BC and DR", - "checklist": "Azure Key Vault", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", "services": [ - "ACR", - "AKV" + "AKV", + "Monitor", + "Subscriptions", + "WAF" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", - "waf": "Reliability" + "severity": "High", + "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", + "waf": "Operational Excellence" }, { - "category": "BC and DR", - "checklist": "Azure Key Vault", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "services": [ - "AKV" + "Monitor", + "WAF" ], - "severity": "Medium", - "subcategory": "High Availability", - "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.", - "waf": "Reliability" + "severity": "High", + "text": "Monitor token usage to prevent service disruptions due to capacity", + "waf": "Operational Excellence" }, { - "category": "BC and DR", - "checklist": "Azure Key Vault", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "services": [ - "AzurePolicy", - "AKV" + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "High Availability", - "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. 
Familiarize yourself with the Key Vault's failover guidance.", - "waf": "Reliability" + "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", + "waf": "Operational Excellence" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "Azure OpenAI", "services": [ - "AKV", - "Storage", - "ASR", - "Backup", - "Subscriptions" + "APIM", + "WAF" ], - "severity": "Medium", - "subcategory": "Business continuity and disaster recovery", - "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. 
Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" + "severity": "Low", + "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", + "waf": "Operational Excellence" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "Azure OpenAI", "services": [ - "AKV", - "ASR" + "WAF" ], "severity": "High", - "subcategory": "Business continuity and disaster recovery", - "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", - "waf": "Reliability" + "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", + "waf": "Operational Excellence" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "services": [ - "AKV", - "ASR" + "Entra", + "WAF" ], - "severity": "Low", - "subcategory": "Business continuity and disaster recovery", - "text": "Key Vault's soft-deleted resources are retained for a set period of 90 
calendar days. Familiarize yourself with the Key Vault's soft-delete guidance.", - "waf": "Reliability" + "severity": "High", + "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", + "waf": "Security" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "Azure OpenAI", "services": [ - "AKV", - "Backup", - "ASR" + "WAF" ], - "severity": "Low", - "subcategory": "Business continuity and disaster recovery", - "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. It is not possible to delete previous versions of a key, secret, or certificate.", - "waf": "Reliability" + "severity": "High", + "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. 
Leverage capabilities in PromptFlow for Evaluation.", + "waf": "Operational Excellence" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", + "service": "Azure OpenAI", "services": [ - "AKV", - "Backup", - "ASR" + "WAF" ], - "severity": "Low", - "subcategory": "Business continuity and disaster recovery", - "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", - "waf": "Reliability" + "severity": "High", + "text": "Evaluate usage of Provisioned throughput model ", + "waf": "Performance" }, { - "category": "Management", - "checklist": "Azure Key Vault", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", + "service": "Azure OpenAI", "services": [ - "ASR", - "AKV", - "EventHubs" + "WAF" ], - "severity": "Medium", - "subcategory": "Business continuity and disaster recovery", - "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. 
Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.", - "waf": "Reliability" + "severity": "High", + "text": "Review and implement Azure AI content safety", + "waf": "Operational Excellence" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", + "service": "Azure OpenAI", "services": [ - "Storage" + "WAF" ], - "severity": "Medium", - "subcategory": " Overview", - "text": "Consider the 'Azure security baseline for storage'", - "waf": "Security" + "severity": "High", + "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", + "service": "Azure OpenAI", "services": [ - "Storage", - "PrivateLink" + "WAF" ], - "severity": "High", - "subcategory": "Networking", - "text": "Consider using private endpoints for Azure Storage", - "waf": "Security" + "severity": "Medium", + "text": "Improve latency of the system by limiting token sizes, streaming options", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "services": [ - "RBAC", "Storage", - "Subscriptions" + "ServiceBus", + "WAF" ], "severity": "Medium", - "subcategory": "Governance", - "text": "Ensure older storage accounts are not using 'classic deployment model'", - "waf": "Security" + "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "5bda4332-4f24-4811-9331-82ba51752694", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", "services": [ - "Storage", - "Defender" + "WAF" ], "severity": "High", - "subcategory": "Governance", - "text": "Enable Microsoft Defender for all of your storage accounts", - "waf": "Security" + "text": "Benchmark token consumption requirements based on estimated demands from consumers. 
Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "services": [ - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Data Availability", - "text": "Enable 'soft delete' for blobs", - "waf": "Security" + "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", + "service": "Azure OpenAI", "services": [ - "Storage" + "WAF" ], - "severity": "Medium", - "subcategory": "Confidentiality", - "text": "Disable 'soft delete' for blobs", - "waf": "Security" + "severity": "High", + "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "e9951904-8384-45c9-a6cb-2912156a1147", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", "services": [ - "Storage" + "WAF" ], - "severity": "High", - "subcategory": "Data Availability", - "text": "Enable 'soft delete' for containers", - "waf": "Security" + "severity": "Medium", + "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance", + "waf": "Performance" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted 
information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", "services": [ - "Storage" + "ACR", + "WAF" ], - "severity": "Medium", - "subcategory": "Confidentiality", - "text": "Disable 'soft delete' for containers", - "waf": "Security" + "severity": "Low", + "text": "Deploy multiple OAI instances across regions", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", "services": [ - "Storage" + "Entra", + "APIM", + "WAF" ], "severity": "High", - "subcategory": "Data Availability", - "text": "Enable resource locks on storage accounts", - "waf": "Security" + "text": "Implement retry & healthchecks with Gateway pattern like APIM", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is 
impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", + "service": "Azure OpenAI", "services": [ - "Storage", - "AzurePolicy", - "Subscriptions" + "WAF" ], - "severity": "High", - "subcategory": "Data Availability, Compliance", - "text": "Consider immutable blobs", - "waf": "Security" + "severity": "Medium", + "text": "Ensure having adequate quotas of TPM & RPM for the workload", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", + "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", + "service": "Azure OpenAI", "services": [ - "Storage" + "WAF" ], - "severity": "High", - "subcategory": "Networking", - "text": "Require HTTPS, i.e. 
disable port 80 on the storage account", - "waf": "Security" + "severity": "Medium", + "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", + "waf": "Operational Excellence" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "7f154e3a-a369-4282-ae7e-316183687a04", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Azure OpenAI", "services": [ - "Storage" + "ACR", + "WAF" ], - "severity": "High", - "subcategory": "Networking", - "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", - "waf": "Security" + "severity": "Medium", + "text": "Deploy separate fine tuned models across regions if finetuning is employed", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "77a1f893-5bda-4433-84f2-4811633182ba", + "link": "https://learn.microsoft.com/azure/backup/backup-overview", + "service": "Azure OpenAI", "services": [ - "Storage" + "Backup", + "ASR", + 
"WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", - "waf": "Security" + "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. Leverage Azure's backup and disaster recovery services to protect your data.", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "AAD tokens should be favored over shared access signatures, wherever possible", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "Azure OpenAI", "services": [ - "Storage", - "Entra" + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Use Azure Active Directory (Azure AD) tokens for blob access", - "waf": "Security" + "text": "Azure AI search service tiers should be choosen to have a SLA ", + "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", + "link": "https://learn.microsoft.com/purview/purview", + "service": "Azure OpenAI", "services": [ - "RBAC", - "Storage", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Least privilege in IaM permissions", + "severity": "Low", + "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", + "service": "Azure OpenAI", "services": [ - "Storage", - "Entra" + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", + "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. 
", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", + "link": "https://learn.microsoft.com/azure/search/search-security-overview", + "service": "Azure OpenAI", "services": [ - "Storage", - "Monitor", - "AKV", - "Entra" + "ACR", + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.", + "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", "services": [ - "Storage", - "AzurePolicy", - "AKV", - "Monitor" + "RBAC", + "WAF" ], "severity": "High", - "subcategory": "Monitoring", - "text": "Consider using Azure Monitor to audit control plane operations on the storage account", + "text": "Use RBAC to manage access to Azure OpenAI services. 
Assign appropriate permissions to users and restrict access based on their roles and responsibilities", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", + "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", + "service": "Azure OpenAI", "services": [ - "Storage", - "AKV", - "AzurePolicy", - "Entra" + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", + "service": "Azure OpenAI", "services": [ - "Storage", - "AzurePolicy", - "Entra" + "Sentinel", + "Monitor", + "Defender", + "WAF" ], - "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Consider configuring an SAS expiration policy", + "severity": "High", + "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", + "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", + "service": "Azure OpenAI", "services": [ - "Storage", - "AKV", "AzurePolicy", - "Entra" + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Consider linking SAS to a stored access policy", + "text": "Establish data retention and disposal policies to adhere to compliance regulations. Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "Azure OpenAI", "services": [ - "Storage", - "AKV" + "WAF" ], - "severity": "Medium", - "subcategory": "CI/CD", - "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", - "waf": "Security" + "severity": "High", + "text": "Implement Prompt shields and groundedness detection using Content Safety ", + "waf": "Operational Excellence" }, { - "category": "Security", - "checklist": "Azure Storage Review 
Checklist", - "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", + "link": "https://learn.microsoft.com/azure/compliance/", + "service": "Azure OpenAI", "services": [ - "Storage", - "Entra" + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", + "service": "Azure OpenAI", "services": [ - "Storage", - "AzurePolicy", - "Entra" + "WAF" ], - "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Strive for short validity periods for ad-hoc SAS", + "severity": "Medium", + "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "When creating a SAS, be as specific and restrictive as possible. Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", + "service": "Azure OpenAI", "services": [ - "Storage", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Apply a narrow scope to a SAS", + "severity": "High", + "text": "Keep production data separate from development and testing data. 
Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", + "service": "Azure OpenAI", "services": [ - "Storage", - "Entra" + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "Consider scoping SAS to a specific client IP address, wherever possible", + "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", + "service": "Azure OpenAI", "services": [ - "Storage", - "Entra" + "RBAC", + "AzurePolicy", + "WAF" ], - "severity": "Low", - "subcategory": "Identity and Access Management", - "text": "Consider checking uploaded data, after clients used a SAS to upload a file. 
", + "severity": "Medium", + "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", + "service": "Azure OpenAI", "services": [ - "RBAC", - "Storage", - "Entra" + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", + "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. 
This data should be afforded the same protective measures as the source material", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", "services": [ - "Storage", - "Entra" + "RBAC", + "WAF" ], - "severity": "Medium", - "subcategory": "Identity and Access Management", - "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", + "severity": "High", + "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. 
When enabling CORS, keep the CorsRules to the least privilege.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", + "service": "Azure OpenAI", "services": [ - "Storage", - "AzurePolicy" + "PrivateLink", + "WAF" ], "severity": "High", - "subcategory": "Networking", - "text": "Avoid overly broad CORS policies", + "text": "Configure private endpoint for AI services to restrict service access within your network", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", + "service": "Azure OpenAI", "services": [ - "Storage" + "VNet", + "Firewall", + "WAF" ], "severity": "High", - "subcategory": "Confidentiality and Encryption", - "text": "Determine how data at rest should be encrypted. 
Understand the thread model for data.", + "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", + "service": "Azure OpenAI", "services": [ - "Storage" + "WAF" ], - "severity": "Medium", - "subcategory": "Confidentiality and Encryption", - "text": "Determine which/if platform encryption should be used.", + "severity": "High", + "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Storage Review Checklist", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", + "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", + "service": "Azure OpenAI", "services": [ - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Confidentiality and Encryption", - "text": "Determine which/if client-side encryption should be used.", - "waf": "Security" + "text": "Use prompt compression tools like LLMLingua or gprtrim", + "waf": "Cost Optimization" }, { - "category": "Security", - "checklist": "Azure Storage 
Review Checklist", - "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "services": [ - "Storage", - "Entra" + "Entra", + "AKV", + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Management", - "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. 
", + "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Storage Review Checklist", - "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", + "service": "Azure OpenAI", "services": [ - "Storage" + "WAF" ], - "severity": "High", - "subcategory": "Platform Version", - "text": "Leverage a storagev2 account type for better performance and reliability", - "waf": "Reliability" + "severity": "Medium", + "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Storage Review Checklist", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "93555620-2bfe-4456-9b0d-834a348b263e", + "service": "Azure OpenAI", "services": [ - "Storage" + "Monitor", + "WAF" ], - "severity": "High", - "subcategory": "Availablity", - "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", - "waf": "Reliability" + "severity": "Medium", + "text": "Implement network monitoring tools to detect and analyze network traffic 
for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents", + "waf": "Security" }, { - "category": "BC and DR", - "checklist": "Azure Storage Review Checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", + "service": "Azure OpenAI", "services": [ - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Failover", - "text": "For write operation after failover, use customer-Managed Failover ", - "waf": "Reliability" + "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", + "waf": "Security" }, { - "category": "Operations Management", - "checklist": "Azure Storage Review Checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "Azure OpenAI", "services": [ - "Storage" + "WAF" ], - "severity": "Medium", - "subcategory": "Failover", - "text": "Understand Microsoft-Managed Failover details", - "waf": "Reliability" + "severity": "Low", + "text": "Azure AI Services are properly tagged for better management", + "waf": "Operational Excellence" }, { - "category": "Operations Management", - "checklist": "Azure Storage Review Checklist", - "guid": 
"a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Azure Storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "Azure OpenAI", "services": [ - "Storage" + "WAF" ], - "severity": "Medium", - "subcategory": "Data Protection", - "text": "Enable Soft Delete", - "waf": "Reliability" + "severity": "Low", + "text": "Azure AI Service accounts follows organizational naming conventions", + "waf": "Operational Excellence" }, { - "category": "BCDR", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Ensure that your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality. For regular Azure service backup, backup data is automatically encrypted using Azure platform-managed keys. You can also choose to encrypt the backup using a customer-managed key. 
In this case, ensure this customer-managed key in the key vault is also in the backup scope.", - "guid": "676f6951-0368-49e9-808d-c33a692c9a64", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-2-encrypt-backup-data", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "Azure OpenAI", "services": [ - "SQL", - "AKV", - "Backup" + "WAF" ], - "severity": "Medium", - "subcategory": "Azure Key Vault", - "text": "Protect your backup data with encryption and store keys safely in Azure Key Vault", - "waf": "Security" + "severity": "High", + "text": "Diagnostic logs in Azure AI services resources should be enabled", + "waf": "Operational Excellence" }, { - "category": "BCDR", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Azure SQL Database uses SQL Server technology to create full backups every week, differential backup every 12-24 hours, and transaction log backup every 5 to 10 minutes. By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region.", - "guid": "e2518261-b3bc-4bd1-b331-637fb2df833f", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-1-ensure-regular-automated-backups", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/ai-services/authentication", + "service": "Azure OpenAI", "services": [ - "SQL", - "Storage", - "Backup" + "Entra", + "WAF" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Configure Azure SQL Database automated backups", + "severity": "High", + "text": "Key access (local authentication) is recommended to be disabled for security. 
After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ", "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "By default, SQL Database stores data in geo-redundant storage blobs that are replicated to a paired region. For SQL Database, the backup storage redundancy can be configured at the time of database creation or can be updated for an existing database; the changes made to an existing database apply to future backups only.", - "guid": "f8c7cda2-3ed7-43fb-a100-85dcd12a0ee4", - "link": "https://learn.microsoft.com/azure/azure-sql/database/automated-backups-overview?tabs=single-database&view=azuresql#backup-storage-redundancy", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", "services": [ - "SQL", - "Storage", - "Backup" + "Entra", + "AKV", + "WAF" ], - "severity": "Low", - "subcategory": "Backup", - "text": "Enable geo-redundant backup storage to protect against single region failure and data loss", + "severity": "High", + "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", "waf": "Security" }, { - "category": "Code", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Malicious code can potentially circumvent security controls. Before deploying custom code to production, it is essential to review what's being deployed. Use a database tool like Azure Data Studio that supports source control. 
Implement tools and logic for code analysis, vulnerability and credential scanning.", - "guid": "7ca9f006-d2a9-4652-951c-de8e4ac5e76e", - "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", "services": [ - "SQL" + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Source Control and Code Review", - "text": "Use Source Control systems to store, maintain and review application code deployed inside Azure SQLDB Database", + "severity": "High", + "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", "waf": "Security" }, { - "category": "Data Discovery and Classification", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "In case of classification requirements Purview is the preferred option. Only use SQL Data Discovery & Classification in case Purview is not an option. Discover columns that potentially contain sensitive data. What is considered sensitive data heavily depends on the customer, compliance regulation, etc., and needs to be evaluated by the users in charge of that data. Classify the columns to use advanced sensitivity-based auditing and protection scenarios. 
Review results of automated discovery and finalize the classification if necessary.", - "guid": "d401509b-2629-4484-9a7f-af0d29a7778f", - "link": "https://learn.microsoft.com/azure/azure-sql/database/data-discovery-and-classification-overview?view=azuresql#faq---advanced-classification-capabilities", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "Azure OpenAI", "services": [ - "SQL" + "WAF" ], - "severity": "Low", - "subcategory": "Data Discovery and Classification", - "text": "Plan and configure Data Discovery & Classification to protect the sensitive data", - "waf": "Security" + "severity": "High", + "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode", + "waf": "Cost Optimization" }, { - "category": "Data Masking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Usage of this feature is recommended only if column encryption is not an option and there is a specific requirement to preserve data types and formats. Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. 
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer.", - "guid": "9391fd50-135e-453e-90a7-c1a23f88cc13", - "link": "https://learn.microsoft.com/azure/azure-sql/database/dynamic-data-masking-overview", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "Azure OpenAI", "services": [ - "SQL" + "WAF" ], - "severity": "Low", - "subcategory": "Data Masking", - "text": "Use Data Masking to prevent unauthorized non-admin users data access if no encryption is possible", + "severity": "High", + "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations", "waf": "Security" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "SQL Advanced Threat Detection (ATP) provides a layer of security that detects potential vulnerabilities and anomalous activity in databases such as SQL injection attacks and unusual behavior patterns. 
When a potential threat is detected Threat Detection sends an actionable real-time alert by email and in Microsoft Defender for Cloud, which includes clear investigation and remediation steps for the specific threat.", - "guid": "4e52d73f-5d37-428f-b3a2-e6997e835979", - "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "Azure OpenAI", "services": [ - "SQL", - "Defender", - "EventHubs" + "WAF" ], "severity": "High", - "subcategory": "Advanced Threat Protection", - "text": "Review and complete Advanced Threat Protection (ATP) configuration", + "text": "Setup a process to regularly update and patch the LLM libraries and other system components", "waf": "Security" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Enable Microsoft Defender for Azure SQL at the subscription level to automatically onboard and protect all existing and future servers and databases. When you enable on the subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected. You can then disable them individually if you choose. 
If you want to manually manage which databases are protected, disable at the subscription level and enable each database that you want protected.", - "guid": "dff87489-9edb-4cef-bdda-86e8212b2aa1", - "link": "https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql?view=azuresql#enable-microsoft-defender-for-sql ", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "Azure OpenAI", "services": [ - "SQL", - "Defender", - "Subscriptions" + "AzurePolicy", + "WAF" ], "severity": "High", - "subcategory": "Defender for Azure SQL", - "text": "Enable Microsoft Defender for Azure SQL", - "waf": "Security" + "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", + "waf": "Operational Excellence" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Microsoft Defender for Azure SQL ATP detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. 
Alerts can be configured and generated and will be reported in the Defender for console.", - "guid": "ca342fdf-d25a-4427-b105-fcd50ff8a0ea", - "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "Azure OpenAI", "services": [ - "SQL", - "Defender", - "Monitor" + "Cost", + "WAF" ], - "severity": "High", - "subcategory": "Defender for Azure SQL", - "text": "Prepare a security response plan to promptly react to Microsoft Defender for Azure SQL alerts", - "waf": "Security" + "severity": "Medium", + "text": "Understand difference in cost of base models and fine tuned models and token step sizes", + "waf": "Cost Optimization" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Azure SQLDB vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. 
It can help you to monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.", - "guid": "a6101ae7-534c-45ab-86fd-b34c55ea21ca", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "services": [ - "SQL", - "Defender", - "Monitor" + "Cost", + "WAF" ], "severity": "High", - "subcategory": "Vulnerability Assessment", - "text": "Configure Vulnerability Assessment (VA) findings and review recommendations", - "waf": "Security" + "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size", + "waf": "Cost Optimization" }, { - "category": "Defender", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL Databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. 
You can use the findings to remediate software vulnerabilities and disable findings.", - "guid": "c8c5f112-1e50-4f77-9264-8195b4cd61ac", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-find?view=azuresql", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", "services": [ - "SQL", - "Defender" + "Monitor", + "Cost", + "WAF" ], - "severity": "High", - "subcategory": "Vulnerability Assessment", - "text": "Regularly review of Vulnerability Assessment (VA) findings and recommendations and prepare a plan to fix", - "waf": "Security" + "severity": "Medium", + "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", + "waf": "Cost Optimization" }, { - "category": "Encryption", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Always Encrypted with Secure Enclaves expands confidential computing capabilities of Always Encrypted by enabling in-place encryption and richer confidential queries. Always Encrypted with Secure Enclaves addresses these limitations by allowing some computations on plaintext data inside a secure enclave on the server side. 
Usage of this feature is recommended for the cases where you need to limit administrator access and need your queries to support more than equality matching of encrypted columns.", - "guid": "65d7e54a-10a6-4094-b673-9ff3809c9277", - "link": "https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", "services": [ - "SQL" + "WAF" ], "severity": "Medium", - "subcategory": "Always Encrypted", - "text": "If protecting sensitive PII data from admin users is a key requirement, but Column Encryption limitations cannot be tolerated, consider the adoption of Always Encrypted with Secure Enclaves", - "waf": "Security" + "text": "Set a maximum limit on the number of tokens per model response. Optimize the size to ensure it is large enough for a valid response", + "waf": "Cost Optimization" }, { - "category": "Encryption", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "With Azure SQL Database, you can apply symmetric encryption to a column of data by using Transact-SQL. This approach is called column encryption, because you can use it to encrypt specific columns with different encryption keys. Doing so gives you more granular encryption capability than TDE, which encrypts data in pages. Using Always Encrypted to ensure sensitive data isn't exposed in plaintext in Azure SQL Database or SQL Managed Instance, even in memory/in use. 
Always Encrypted protects the data from Database Administrators (DBAs) and cloud admins (or bad actors who can impersonate high-privileged but unauthorized users) and gives you more control over who can access your data.", - "guid": "c03ce136-e3d5-4e17-bf25-ed955ee480d3", - "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#control-access-of-application-users-to-sensitive-data-through-encryption", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "Azure OpenAI", "services": [ - "SQL", - "Storage", - "AKV" + "WAF" ], - "severity": "Low", - "subcategory": "Column Encryption", - "text": "To protect sensitive PII data from non-admin users in specific table columns, consider using Column Encryption", - "waf": "Security" + "severity": "Medium", + "text": "Review the guidance provided on setting up AI search for Reliability", + "waf": "Operational Excellence" }, { - "category": "Encryption", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Enabled by default, Transparent data encryption (TDE) helps to protect the database files against information disclosure by performing real-time encryption and decryption of the database, associated backups, and transaction log files 'at rest', without requiring changes to the application.", - "guid": "c614ac47-bebf-4061-b0a1-43e0c6b5e00d", - "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", "services": [ - "SQL", "Storage", - "Backup" + "WAF" ], - "severity": 
"High", - "subcategory": "Transparent Data Encryption", - "text": "Ensure Transparent Data Encryption (TDE) is kept enabled", - "waf": "Security" + "severity": "Medium", + "text": "Plan and manage AI Search Vector storage", + "waf": "Operational Excellence" }, { - "category": "Encryption", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "If separation of duties in the management of keys and data within the organization is required, leverage Customer Managed Keys (CMK) for Transparent Data Encryption (TDE) for your Azure SQLDB and use Azure Key Vault to store (refer to its checklist). Leverage this feature when you have strict security requirements which cannot be met by the managed service keys.", - "guid": "2edb4165-4f54-47cc-a891-5c82c2f21e25", - "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-overview", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", "services": [ - "SQL", - "AKV" + "WAF" ], "severity": "Medium", - "subcategory": "Transparent Data Encryption", - "text": "Use customer-managed keys (CMK) in Azure Key Vault (AKV) if you need increased transparency and granular control over the TDE protection", - "waf": "Security" + "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications", + "waf": "Operational Excellence" }, { - "category": "Encryption", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "The minimal Transport Layer Security (TLS) version setting allows customers to choose which version of TLS their SQL database uses. 
It's possible to change the minimum TLS version by using the Azure portal, Azure PowerShell, and the Azure CLI.", - "guid": "7754b605-57fd-4bcb-8213-52c39d8e8225", - "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?source=recommendations&view=azuresql&tabs=azure-portal#minimal-tls-version", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", "services": [ - "SQL" + "WAF" ], "severity": "High", - "subcategory": "Transport Layer Security", - "text": "Enforce minimum TLS version to the latest available", - "waf": "Security" + "text": "Evaluate usage of billing models - PAYG vs PTU", + "waf": "Cost Optimization" }, { - "category": "Identity", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Use Azure Active Directory (Azure AD) authentication for centralized identity management. 
Use SQL Authentication only if really necessary and document as exceptions.", - "guid": "c9b8b6bf-2c6b-453d-b400-de9a43a549d7", - "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-overview", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "Azure OpenAI", "services": [ - "SQL", - "Entra" + "WAF" ], "severity": "Medium", - "subcategory": "Azure Active Directory", - "text": "Leverage Azure AD authentication for connections to Azure SQL Databases", - "waf": "Security" + "text": "Evaluate the quality of prompts and applications when switching between model versions", + "waf": "Operational Excellence" }, { - "category": "Identity", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Using Azure AD groups simplifies permission management and both the group owner, and the resource owner can add/remove members to/from the group. Create a separate group for Azure AD administrators for each logical server. 
Monitor Azure AD group membership changes using Azure AD audit activity reports.", - "guid": "29820254-1d14-4778-ae90-ff4aeba504a3", - "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#central-management-for-identities", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "Azure OpenAI", "services": [ - "SQL", "Monitor", - "Entra" + "WAF" ], "severity": "Medium", - "subcategory": "Azure Active Directory", - "text": "Create a separate Azure AD group with two admin accounts for each Azure SQL Database logical server", - "waf": "Security" + "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence, fluency, �", + "waf": "Operational Excellence" }, { - "category": "Identity", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Ensure that distinct system and user assigned managed identities, that are dedicated to the function, with least permissions assigned, are used for communication from Azure services and applications to the Azure SQLDB databases.", - "guid": "df3a09ee-03bb-4198-8637-d141acf5f289", - "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#minimize-the-use-of-password-based-authentication-for-applications", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "Azure OpenAI", "services": [ - "SQL", - "Entra" + "WAF" ], "severity": "Medium", - "subcategory": "Azure Active Directory", - "text": "Minimize the use of password-based authentication for applications", - "waf": "Security" + "text": "Evaluate your Azure AI Search results 
based on different search parameters", + "waf": "Operational Excellence" }, { - "category": "Identity", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "System or User assigned managed identities enable Azure SQLDB to authenticate to other cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based-access-control to the specific Azure SQLDB instance. Do not share user assigned managed identities across multiple services if not strictly required.", - "guid": "69891194-5074-4e30-8f69-4efc3c580900", - "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "2744293b-b628-4537-a551-19b08e8f5854", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "Azure OpenAI", "services": [ - "AKV", - "RBAC", - "SQL", - "ACR", - "Entra" + "WAF" ], - "severity": "Low", - "subcategory": "Managed Identities", - "text": "Assign Azure SQL Database a managed identity for outbound resource access", - "waf": "Security" + "severity": "Medium", + "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", + "waf": "Operational Excellence" }, { - "category": "Identity", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Use an Azure AD integrated authentication that eliminates the use of passwords. Password-based authentication methods are a weaker form of authentication. Credentials can be compromised or mistakenly given away. Use single sign-on authentication using Windows credentials. 
Federate the on-premises AD domain with Azure AD and use integrated Windows authentication (for domain-joined machines with Azure AD).", - "guid": "88287d4a-8bb8-4640-ad78-03f51354d003", - "link": "https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#active-directory-integrated-authentication", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Azure OpenAI", "services": [ - "SQL", - "Entra" + "WAF" ], "severity": "Medium", - "subcategory": "Passwords", - "text": "Minimize the use of password-based authentication for users", - "waf": "Security" + "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", + "waf": "Operational Excellence" }, { - "category": "Ledger", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Confidential Ledger is one of the supported store, it can be used and supports automatic generation and storage of database digests. Azure Ledger provides advanced security features like Blockchain Ledger Proof and Confidential Hardware Enclaves. 
Use it only if advanced security features are required, otherwise revert to Azure storage.", - "guid": "0e853380-50ba-4bce-b2fd-5c7391c85ecc", - "link": "https://learn.microsoft.com/azure/architecture/guide/technology-choices/multiparty-computing-service#confidential-ledger-and-azure-blob-storage", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "Azure OpenAI", "services": [ - "SQL", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Database Digest", - "text": "Use Azure Confidential Ledger to store database digests only if advanced security features are required", + "text": "Red team your GenAI applications", "waf": "Security" }, { - "category": "Ledger", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "The hash of the latest block in the database ledger is called the database digest. It represents the state of all ledger tables in the database at the time when the block was generated. Generating a database digest is efficient, because it involves computing only the hashes of the blocks that were recently appended. Azure Blob Storage with Immutable Storage feature can be used and supports automatic generation and storage of database digests. 
To prevent tampering of your digest files, configure and lock a retention policy for your container.", - "guid": "afefb2d3-95da-4ac9-acf5-33d18b32ef9a", - "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-digest-management", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "Azure OpenAI", "services": [ - "SQL", - "Storage", - "AzurePolicy" + "WAF" ], "severity": "Medium", - "subcategory": "Database Digest", - "text": "If Azure storage account is used to store database digests, ensure security is properly configured", - "waf": "Security" + "text": "Provide end users with scoring options for LLM responses and track these scores. ", + "waf": "Operational Excellence" }, { - "category": "Ledger", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Ledger provides a form of data integrity called forward integrity, which provides evidence of data tampering on data in your ledger tables. The database verification process takes as input one or more previously generated database digests. It then recomputes the hashes stored in the database ledger based on the current state of the ledger tables. If the computed hashes don't match the input digests, the verification fails. The failure indicates that the data has been tampered with. 
The verification process reports all inconsistencies that it detects.", - "guid": "f8d4ffda-8aac-4cc6-b72b-c81cb8625420", - "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-database-verification", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "services": [ - "SQL", - "Storage" + "WAF" + ], + "severity": "High", + "text": "Consider Quota management practices", + "waf": "Cost Optimization" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "WAF checklist", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "Azure OpenAI", + "services": [ + "Entra", + "APIM", + "LoadBalancer", + "ACR", + "WAF" ], "severity": "Medium", - "subcategory": "Integrity", - "text": "Schedule the Ledger verification process regularly to verify data integrity", - "waf": "Security" + "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions", + "waf": "Operational Excellence" }, { - "category": "Ledger", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "The Ledger feature provides tamper-evidence capabilities in your database. You can cryptographically attest to other parties, such as auditors or other business parties, that your data hasn't been tampered with. 
Ledger helps protect data from any attacker or high-privileged user, including database administrators (DBAs), system administrators, and cloud administrators.", - "guid": "2563f498-e2d3-42ea-9e7b-5517881a06a2", - "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-overview", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", + "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", + "service": "Purview", "services": [ - "SQL" + "WAF" ], "severity": "Medium", - "subcategory": "Ledger", - "text": "If cryptographic proof of data integrity is a critical requirement, Ledger feature should be considered", - "waf": "Security" + "text": "Leverage FTA Resillency Handbook", + "waf": "Reliability" }, { - "category": "Ledger", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Depending on the type of tampering, there are cases where you can repair the ledger without losing data. In the article contained in the --More Info-- column, different scenarios and recovery techniques are described.", - "guid": "804fc554-6554-4842-91c1-713b32f99902", - "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-how-to-recover-after-tampering", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "SQL" + "WAF" + ], + "severity": "High", + "text": "Plan for Data Center level outage", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. 
Assign classifications to assets 8. Assign contacts to assets", + "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", + "services": [ + "WAF" ], "severity": "Medium", - "subcategory": "Recovery", - "text": "Prepare a response plan to investigate and repair a database after a tampering event", - "waf": "Security" + "text": "Practice Failover for BCDR", + "waf": "Reliability" }, { - "category": "Logging", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. Auditing helps you understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations as well as helps you meet regulatory compliance. By default auditing policy includes all actions (queries, stored procedures and successful and failed logins) against the databases, which may result in high volume of audit logs. 
It's recommended for customers to configure auditing for different types of actions and action groups using PowerShell.", - "guid": "4082e31d-35f4-4a49-8507-d3172cc930a6", - "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "97b15b8a-219a-44ab-bb57-879024d22678", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "SQL", - "Storage", - "AzurePolicy" + "Backup", + "WAF" ], - "severity": "Medium", - "subcategory": "Auditing", - "text": "Ensure that Azure SQL Database Auditing is enabled at the server level", - "waf": "Security" + "severity": "High", + "text": "Plan a backup strategy and take regular backups", + "waf": "Reliability" }, { - "category": "Logging", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Azure SQL Database Auditing logs can be written to external storage accounts, Log Analytics workspace or Event Hub. Be sure to protect the target repository using backups and secured configuration. Use Azure SQL Database Managed Identity to access the storage and set an explicit retention period. Do not grant permissions to administrators to the audit log repository. Use a different target storage for --Enabling Auditing of Microsoft support operations--. 
", - "guid": "9b64bc50-b60f-4035-bf7a-28c4806dfb46", - "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", + "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", + "service": "Purview", "services": [ - "Storage", - "Monitor", "EventHubs", - "SQL", - "Entra", - "Backup" + "WAF" ], "severity": "Low", - "subcategory": "Auditing", - "text": "Ensure that Azure SQL Database Auditing logs are backed up and secured in the selected repository type", - "waf": "Security" + "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", + "waf": "Reliability" }, { - "category": "Logging", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "The Azure Monitor activity log is a platform log in Azure that provides insight into subscription-level events. The activity log includes information like when a resource is modified. 
It is recommended to send this activity log to the same external storage repository as the Azure SQL Database Audit Log (storage account, Log Analytics workspace, Event Hub).", - "guid": "fcd34708-87ac-4efc-aaf6-57a47f76644a", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", + "link": "https://learn.microsoft.com/purview/deployment-best-practices", + "service": "Purview", "services": [ - "Storage", - "Monitor", - "EventHubs", - "SQL", - "Subscriptions" + "WAF" ], "severity": "Medium", - "subcategory": "Auditing", - "text": "Ensure that Azure SQL Database Activity Log is collected and integrated with Auditing logs", - "waf": "Security" + "text": "Follow Purview accounts architectures and deployment best practices", + "waf": "Reliability" }, { - "category": "Logging", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR). Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.", - "guid": "f96e127e-9572-453a-b325-ff89ae9f6b44", - "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", + "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", + "service": "Purview", "services": [ - "SQL", - "Monitor" + "WAF" ], "severity": "Medium", - "subcategory": "SIEM/SOAR", - "text": "Ensure that Azure SQL Database Auditing logs are being presented in to your organizations SIEM/SOAR", - "waf": "Security" + "text": "Follow Collection Architectures and best practices", + "waf": "Reliability" }, { - "category": "Logging", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Forward any logs from Azure SQL to your Security Information and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR), which can be used to set up custom threat detections. Ensure that you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. 
Alerts can be sourced from log data, agents, or other data.", - "guid": "41503bf8-73da-4a10-af9f-5f7fceb5456f", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", + "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", + "service": "Purview", "services": [ - "SQL", - "Monitor" + "WAF" ], "severity": "Medium", - "subcategory": "SIEM/SOAR", - "text": "Ensure that Azure SQL Database Activity Log data is presented in to your SIEM/SOAR", - "waf": "Security" + "text": "Follow Assest lifecycle best practices", + "waf": "Reliability" }, { - "category": "Logging", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Security Operation Center (SOC) team should create an incident response plan (playbooks or manual responses) to investigate and mitigate tampering, malicious activities, and other anomalous behaviors.", - "guid": "19ec7c97-c563-4e1d-82f0-54d6ec12e754", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", + "service": "Purview", "services": [ - "SQL", - "EventHubs" + "WAF" ], "severity": "Medium", - "subcategory": "SIEM/SOAR", - "text": "Ensure that you have response plans for malicious or aberrant audit logging events", - "waf": "Security" + "text": "Follow automation best practices", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "When you create a logical server from the Azure portal for Azure SQL Database, the result is a public endpoint that is visible and reachable over the public network (Public Access). 
You can then limit connectivity based on firewall rules and Service Endpoint. You can also configure private connectivity only limiting connections to internal networks using Private Endpoint (Private Access). Private Access using Private Endpoint should be the default unless a business case or performance/technical reason applies that cannot support it. Usage of Private Endpoints has performance implications that need to be considered and assessed.", - "guid": "2c6d356a-1784-475b-a42c-ec187dc8c925", - "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", "services": [ - "SQL", - "PrivateLink" + "Backup", + "WAF" ], - "severity": "High", - "subcategory": "Connectivity", - "text": "Review Public vs. Private Access connectivity methods and select the appropriate one for the workload", - "waf": "Security" + "severity": "Medium", + "text": "Follow Backup and Migration Best practices", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "IMPORTANT: Connections to private endpoint only support Proxy as the connection policy. When using private endpoints connections are proxied via the Azure SQL Database gateway to the database nodes. 
Clients will not have a direct connection.", - "guid": "557b3ce5-bada-4296-8d52-a2d447bc1718", - "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-architecture", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", + "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", + "service": "Purview", "services": [ - "SQL", - "AzurePolicy", - "PrivateLink" + "WAF" ], - "severity": "Low", - "subcategory": "Connectivity", - "text": "Keep default Azure SQL Database Connection Policy if not differently required and justified", - "waf": "Security" + "severity": "Medium", + "text": "Follow Purview Glossary Best Practices", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. If you select this option, make sure that your login and user permissions limit access to authorized users only. 
If not strictly required, keep this setting to OFF.", - "guid": "f48efacf-4405-4e8d-9dd0-16c5302ed082", - "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", + "link": "https://learn.microsoft.com/purview/concept-workflow", + "service": "Purview", "services": [ - "SQL", - "Subscriptions" + "WAF" ], - "severity": "High", - "subcategory": "Connectivity", - "text": "Ensure Allow Azure Services and Resources to Access this Server setting is disabled in Azure SQL Database firewall", - "waf": "Security" + "severity": "Low", + "text": "Leverage Workflows ", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Azure SQL Database has a new built-in feature that allows native integration with external REST endpoints. This means that integration of Azure SQL Database with Azure Functions, Azure Logic Apps, Cognitive Services, Event Hubs, Event Grid, Azure Containers, API Management and in general any REST or even GraphQL endpoint. If not properly restricted, code inside an Azure SQL Database database could leverage this mechanism to exfiltrate data. 
If not strictly required, it is recommended to block or restrict this feature using Outbound Firewall Rules.", - "guid": "cb3274a7-e36d-46f6-8de5-46d30c8dde8e", - "link": "https://learn.microsoft.com/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security", + "service": "Purview", "services": [ - "APIM", - "SQL", - "EventHubs" + "WAF" ], "severity": "Medium", - "subcategory": "Outbound Control", - "text": "Block or restrict outbound REST API calls to external endpoints", - "waf": "Security" + "text": "Follow Purview Security Best Practices", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Outbound firewall rules limit network traffic from the Azure SQL Database logical server to a customer defined list of Azure Storage accounts and Azure SQL Database logical servers. 
Any attempt to access storage accounts or databases not in this list is denied.", - "guid": "a566dd3d-314e-4a94-9378-102c42d82b38", - "link": "https://learn.microsoft.com/azure/azure-sql/database/outbound-firewall-rule-overview", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", + "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", + "service": "Purview", "services": [ - "SQL", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Outbound Control", - "text": "If outbound network access is required, it is recommended to configure outbound networking restrictions using built-in Azure SQL Database control feature", - "waf": "Security" + "text": "Follow Purview Data Lineage Best Practices", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Private Endpoint is created inside a subnet in an Azure Virtual Network. 
Proper security configuration must be applied also to the containing network environment, including NSG/ASG, UDR, firewall, monitoring and auditing.", - "guid": "246cd832-f550-4af0-9c74-ca9baeeb8860", - "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", + "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", + "service": "Purview", "services": [ - "PrivateLink", - "Monitor", - "SQL", - "VNet", - "Firewall" + "WAF" ], "severity": "Medium", - "subcategory": "Private Access", - "text": "If Private Access connectivity is used, ensure that you are using the Private Endpoint, Azure Virtual Network, Azure Firewall, and Azure Network Security Group checklists", - "waf": "Security" - }, - { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "When adding a Private Endpoint connection, public routing to your logical server isn't blocked by default. In the --Firewall and virtual networks-- pane, the setting --Deny public network access-- is not selected by default. 
To disable public network access, ensure that you select --Deny public network access--.", - "guid": "3a0808ee-ea7a-47ab-bdce-920a6a2b3881", - "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server", - "services": [ - "SQL", - "VNet", - "PrivateLink" - ], - "severity": "High", - "subcategory": "Private Access", - "text": "If Private Endpoint (Private Access) is used, consider disabling Public Access connectivity", - "waf": "Security" + "text": "Follow Best Practices for Scanning Registered Sources", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Network Security Group (NSG) and Application Security Group (ASG) can be now applied to subnet containing Private Endpoints to restrict connections to Azure SQLDB based on internal source IP ranges.", - "guid": "8600527e-e8c4-4424-90ef-1f0dca0224f2", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview#network-security-of-private-endpoints", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", + "service": "Purview", "services": [ - "SQL", - "VNet", - "PrivateLink" + "WAF" ], "severity": "Medium", - "subcategory": "Private Access", - "text": "If Private Endpoint (Private Access) is used, apply NSG and eventually ASG to limit incoming source IP address ranges", - "waf": "Security" + "text": "Follow Classification Best Practices in Governance Portal", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. 
Applications and tools that are in the same or peered virtual network in the same region could access it directly. Applications and tools that are in different region could use virtual-network-to-virtual-network connection or ExpressRoute circuit peering to establish connection. Customer should use Network Security Groups (NSG), and eventually internal firewalls, to restrict access over port 1433 only to resources that require access to a managed instance.", - "guid": "18123ef4-a0a6-45e3-87fe-7f454f65d975", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connectivity-architecture-overview", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", + "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", + "service": "Purview", "services": [ - "SQL", - "ExpressRoute", - "VNet" + "WAF" ], "severity": "Medium", - "subcategory": "Private Access", - "text": "Apply Network Security Groups (NSG) and firewall rules to restrict access to Azure SQL Managed Instance internal subnet", - "waf": "Security" + "text": "Perform Sensitivity Labelling in the Purview Data Map", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Azure Virtual Network Service Endpoint is preferred solution if you want to establish a direct connection to the Azure SQL Database backend nodes using Redirect policy. 
This will allow access in high performance mode and is the recommended approach from a performance perspective.", - "guid": "55187443-6852-4fbd-99c6-ce303597ca7f", - "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview?view=azuresql#ip-vs-virtual-network-firewall-rules", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", + "link": "https://learn.microsoft.com/purview/concept-data-share", + "service": "Purview", "services": [ - "SQL", - "AzurePolicy", - "VNet" + "Storage", + "WAF" ], - "severity": "High", - "subcategory": "Public Access", - "text": "If Public Access connectivity is used, leverage Service Endpoint to restrict access from selected Azure Virtual Networks", - "waf": "Security" + "severity": "Low", + "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "The Azure SQL Database firewall allows you to specify IP address ranges from which communications are accepted. 
This approach is fine for stable IP addresses that are outside the Azure private network.", - "guid": "a73e32da-b3f4-4960-b5ec-2f42a557bf31", - "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", "services": [ - "SQL", - "Storage" + "WAF" ], - "severity": "Medium", - "subcategory": "Public Access", - "text": "If Public Access connectivity is used, ensure that only specific known IPs are added to the firewall", - "waf": "Security" + "severity": "Low", + "text": "Leverage Data Estate Insights", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "We recommend that you use database-level IP firewall rules whenever possible. This practice enhances security and makes your database more portable. Use server-level IP firewall rules for administrators. 
Also use them when you have many databases that have the same access requirements, and you don't want to configure each database individually.", - "guid": "e0f31ac9-35c8-4bfd-9865-edb60ffc6768", - "link": "https://learn.microsoft.com/azure/azure-sql/database/firewall-configure", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", + "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", + "service": "Purview", "services": [ - "SQL", - "Storage" + "WAF" ], "severity": "Low", - "subcategory": "Public Access", - "text": "If Public Access connectivity is used and controlled by Azure SQL Database firewall rules, use database-level over server-level IP rules", - "waf": "Security" + "text": "Use Data stewardship and Catalog adoption", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "A Managed Instance (SQL MI) can be isolated inside a virtual network to prevent external access. The Managed Instance public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. 
If company policy disallows the use of public endpoints, use Azure Policy to prevent enabling public endpoints in the first place.", - "guid": "b8435656-143e-41a8-9922-61d34edb751a", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", "services": [ - "SQL", - "AzurePolicy", - "VNet" + "WAF" ], - "severity": "High", - "subcategory": "Public Access", - "text": "Do not enable Azure SQL Managed Instance public endpoint", - "waf": "Security" + "severity": "Low", + "text": "Use Inventory and Ownership", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "A Managed Instance (SQL MI) public endpoint is not enabled by default, must be explicitly enabled, only if strictly required. 
In this case, it is recommended to apply a Network Security Groups (NSG) to restrict access to port 3342 only to trusted source IP addresses.", - "guid": "057dd298-8726-4aa6-b590-1f81d2e30421", - "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", + "link": "https://learn.microsoft.com/purview/glossary-insights", + "service": "Purview", "services": [ - "SQL", - "VNet" + "WAF" ], - "severity": "High", - "subcategory": "Public Access", - "text": "Restrict access if Azure SQL Managed Instance public endpoint is required", - "waf": "Security" + "severity": "Low", + "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", + "waf": "Reliability" }, { - "category": "Privileged Access", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Most operations, support, and troubleshooting performed by Microsoft personnel and sub-processors do not require access to customer data. In those rare circumstances where such access is required, Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. 
In support scenarios where Microsoft needs to access customer data, Azure SQL Database supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.", - "guid": "37b6eb0f-553d-488f-8a8a-cb9bf97388ff", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "b130a888-9579-4e76-a896-e710a7da7be9", + "link": "https://learn.microsoft.com/purview/compliance-manager", + "service": "Purview", "services": [ - "SQL" + "WAF" ], - "severity": "Low", - "subcategory": "Lockbox", - "text": "Review and enable Customer Lockbox for Azure SQL Database access by Microsoft personnel", - "waf": "Security" + "severity": "Medium", + "text": "Generate assessment scores", + "waf": "Reliability" }, { - "category": "Privileged Access", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "The principle of least privilege states that users shouldn't have more privileges than needed to complete their tasks. High-privileged database and server users can perform many configuration and maintenance activities on the database and can also drop databases in Azure SQL instance. 
Tracking database owners and privileged accounts is important to avoid having excessive permission.", - "guid": "5fe5281f-f0f9-4842-a682-8baf18bd8316", - "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#implement-principle-of-least-privilege", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", + "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", + "service": "Purview", "services": [ - "SQL" + "WAF" ], "severity": "Medium", - "subcategory": "Permissions", - "text": "Ensure that users are assigned the minimum level of access necessarily to complete their job functions", - "waf": "Security" + "text": "Profiling- get summaries of data content", + "waf": "Reliability" }, { - "category": "Privileged Access", - "checklist": "Azure SQLDB Security Checklist (Preview)", - "description": "Identities (both Users and SPNs) should be scoped to the least amount of access needed to perform the function. A higher number of tightly scoped SPNs should be used, instead of having one SPN with multiple sets of unrelated permissions. For example, if there are three external web applications hosted on-prem that make queries to the Azure SQL Database, they should not all use the same SPN for these activities. 
Instead, they should each have their own tightly scoped SPN.", - "guid": "7b5b55e5-4750-4920-be97-eb726c256a5c", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#im-3-use-azure-ad-single-sign-on-sso-for-application-access", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", + "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", + "service": "Purview", "services": [ - "SQL", - "Entra" + "AzurePolicy", + "WAF" ], "severity": "Low", - "subcategory": "Permissions", - "text": "Ensure that distinct applications will be assigned different credentials with minimal permissions to access Azure SQL Database", - "waf": "Security" + "text": "Follow Microsoft Purview Data Owner access policies", + "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", - "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", - "service": "VMSS", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac", + "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy", + "service": "Purview", "services": [ - "VM" + "AzurePolicy", + "WAF" ], "severity": "Low", - "subcategory": "VM Scale Sets", - "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", + "text": "Follow Self-service access policies", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Ensure that Azure Backup is utilized appropriately to meet your 
organization's resiliency requirements for Azure virtual machines (VMs).", - "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", - "service": "VM", + "arm-service": "Microsoft.Purview/accounts", + "checklist": "WAF checklist", + "guid": "b49e5b96-0332-44ec-b8cc-13318da61170", + "link": "https://learn.microsoft.com/purview/concept-policies-devops", + "service": "Purview", "services": [ - "Backup", - "VM" + "AzurePolicy", + "WAF" ], - "severity": "High", - "subcategory": "Virtual Machines", - "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", + "severity": "Low", + "text": "Follow DevOps policies", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", - "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "VM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", "services": [ - "VM" + "AKS", + "WAF" ], - "severity": "High", - "subcategory": "Virtual Machines", - "text": "Use Premium or Ultra disks for production VMs", + "severity": "Low", + "text": "If required for AKS Windows workloads HostProcess containers can be used", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", - "guid": "b31e38c3-f298-412b-8363-cffe179b599d", - "link": 
"https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", - "service": "VM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", "services": [ - "VM" - ], - "severity": "High", - "subcategory": "Virtual Machines", - "text": "Ensure Managed Disks are used for all VMs", - "waf": "Reliability" + "WAF" + ], + "severity": "Low", + "text": "Use KEDA if running event-driven workloads", + "waf": "Performance" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", - "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", - "service": "VM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", "services": [ - "Storage", - "SQL", - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "Virtual Machines", - "text": "Do not use the Temp disk for anything that is not acceptable to be lost", - "waf": "Reliability" + "severity": "Low", + "text": "Use Dapr to ease microservice development", + "waf": "Operations" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", - "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", - "link": 
"https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", "services": [ - "Storage", - "ACR", - "VM" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Virtual Machines", - "text": "Leverage Availability Zones for your VMs in regions where they are supported", + "severity": "High", + "text": "Use the SLA-backed AKS offering", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", - "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "VM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - "VM" + "Cost", + "WAF" ], - "severity": "Medium", - "subcategory": "Virtual Machines", - "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", + "severity": "Low", + "text": "Use Disruption Budgets in your pod and deployment definitions", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", - "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", - "link": 
"https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "services": [ - "VM", - "ASR" + "ACR", + "WAF" ], "severity": "High", - "subcategory": "Virtual Machines", - "text": "Avoid running a production workload on a single VM", + "text": "If using a private registry, configure region replication to store images in multiple regions", "waf": "Reliability" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", - "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", "services": [ - "AVS", - "VM", - "ASR" + "Cost", + "WAF" ], - "severity": "High", - "subcategory": "Virtual Machines", - "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", - "waf": "Reliability" + "severity": "Low", + "text": "Use an external application such as kubecost to allocate costs to different users", + "waf": "Cost" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", - "guid": 
"bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", - "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", - "service": "VM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", "services": [ - "VM" + "WAF" ], "severity": "Low", - "subcategory": "Virtual Machines", - "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", - "waf": "Reliability" + "text": "Use scale down mode to delete/deallocate nodes", + "waf": "Cost" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", - "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", - "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", - "service": "VM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "services": [ - "VM", - "ASR" + "AKS", + "WAF" ], "severity": "Medium", - "subcategory": "Virtual Machines", - "text": "Increase quotas in DR region before testing failover with ASR", - "waf": "Reliability" + "text": "When required use multi-instance partitioning GPU on AKS Clusters", + "waf": "Cost" }, { - "category": "Compute", - "checklist": "Resiliency Review", - "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", - "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", - "service": "VM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", "services": [ - "VM" + "WAF" ], "severity": "Low", - "subcategory": "Virtual Machines", - "text": "Utilize Scheduled Events to prepare for VM maintenance", - "waf": "Reliability" + "text": "If running a Dev/Test cluster use NodePool Start/Stop", + "waf": "Cost" }, { - "category": "Data", - "checklist": "Resiliency Review", - "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", - "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "services": [ - "Storage" + "AKS", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Storage Accounts", - "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", - "waf": "Reliability" + "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", + "waf": "Security" }, { - "category": "Data", - "checklist": "Resiliency Review", - "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", - "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": 
"https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "services": [ - "Storage" + "WAF" ], - "severity": "Low", - "subcategory": "Storage Accounts", - "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", - "waf": "Reliability" + "severity": "Medium", + "text": "Separate applications from the control plane with user/system node pools", + "waf": "Security" }, { - "category": "Data", - "checklist": "Resiliency Review", - "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", - "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "services": [ - "Storage" + "WAF" ], "severity": "Low", - "subcategory": "Storage Accounts", - "text": "Enable soft delete for Storage Account Containers", - "waf": "Reliability" + "text": "Add taint to your system nodepool to make it dedicated", + "waf": "Security" }, { - "category": "Data", - "checklist": "Resiliency Review", - "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", - "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + 
"service": "AKS", "services": [ - "Storage" + "ACR", + "WAF" ], - "severity": "Low", - "subcategory": "Storage Accounts", - "text": "Enable soft delete for blobs", - "waf": "Reliability" + "severity": "Medium", + "text": "Use a private registry for your images, such as ACR", + "waf": "Security" }, { - "category": "General", - "checklist": "Resiliency Review", - "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", - "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "service": "Azure Backup", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "services": [ - "Backup" + "WAF" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", - "waf": "Reliability" + "text": "Scan your images for vulnerabilities", + "waf": "Security" }, { - "category": "General", - "checklist": "Resiliency Review", - "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", - "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", - "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", - "service": "Azure Backup", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "services": 
[ - "Backup" + "WAF" ], - "severity": "Low", - "subcategory": "Backup", - "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", - "waf": "Reliability" + "severity": "High", + "text": "Define app separation requirements (namespace/nodepool/cluster)", + "waf": "Security" }, { - "category": "General", - "checklist": "Resiliency Review", - "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", - "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", - "service": "Azure Backup", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "services": [ - "Storage", - "Backup" + "AKV", + "WAF" ], - "severity": "Low", - "subcategory": "Backup", - "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", - "waf": "Reliability" + "severity": "Medium", + "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", + "waf": "Security" }, { - "category": "General", - "checklist": "Resiliency Review", - "description": "Clearly define your organization's business continuity and disaster recovery requirements for your Azure environment. 
This includes identifying the critical applications, data, and services that need to be protected, as well as specifying the desired recovery objectives and strategies.", - "guid": "72e52e36-11dd-458c-9a4b-1521e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-business-continuity-disaster-recovery", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "services": [ - "ASR" + "WAF" ], "severity": "High", - "subcategory": "Design", - "text": "Define business continuity and disaster recovery requirements", - "waf": "Reliability" + "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", + "waf": "Security" }, { - "category": "General", - "checklist": "Resiliency Review", - "description": "Ensure that your Azure architectures are designed with a focus on reliability. 
Consider implementing fault-tolerant mechanisms, redundancy, and resiliency patterns to minimize the impact of failures and maximize the availability of your applications and services.", - "guid": "c2399c4d-7b67-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/architecture/reliability/architect", - "services": [], - "severity": "High", - "subcategory": "Design", - "text": "Implement reliability best practices in Azure architectures", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", + "services": [ + "WAF" + ], + "severity": "Medium", + "text": "If required add Key Management Service etcd encryption", + "waf": "Security" }, { - "category": "General", - "checklist": "Resiliency Review", - "description": "IaC configurations can play a role in your disaster recovery plan, particularly in situations where recovery time is not time-sensitive. 
In the event of infrastructure recreation in a second region, IaC can be used to reproduce the necessary infrastructure.", - "guid": "fe237de2-43b1-46c3-8d7a-a9b7570449aa", - "link": "https://learn.microsoft.com/azure/well-architected/devops/automation-infrastructure", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", "services": [ - "RBAC", - "ASR" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "DevOps", - "text": "Implement Infrastructure as Code (IaC) for Rapid Infrastructure Recovery", - "waf": "Reliability" + "severity": "Low", + "text": "If required consider using Confidential Compute for AKS", + "waf": "Security" }, { - "category": "General", - "checklist": "Resiliency Review", - "description": "Azure offers region pairs that are geographically separated and can be used for cross-region replication and disaster recovery. 
These region pairs provide redundancy and protection against regional or large-scale disasters.", - "guid": "dcb1f7d5-769a-4e56-aba3-8d4a85e2213d", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "services": [ - "ASR" + "Defender", + "WAF" ], "severity": "Medium", - "subcategory": "Multi-region", - "text": "Plan for cross-region recovery by leveraging region pairs", - "waf": "Reliability" + "text": "Consider using Defender for Containers", + "waf": "Security" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "By deploying an Application Gateway with a minimum instance count of two, you will have at least two instances available under normal circumstances. In the event that one of the instances encounters a problem, the other instance will handle the traffic while a new instance is being created. 
This approach significantly reduces the risk of service disruption and ensures a seamless experience for your users.", - "guid": "93c76286-37a5-451c-9b04-e4f1854387e5", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant#autoscaling-and-high-availability", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "services": [ - "AppGW" + "Entra", + "WAF" + ], + "severity": "High", + "text": "Use managed identities instead of Service Principals", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", + "services": [ + "Entra", + "WAF" ], "severity": "Medium", - "subcategory": "Application Gateways", - "text": "Deploy Application Gateways with a minimum instance count of 2 to avoid instance provisioning downtime", - "waf": "Reliability" + "text": "Integrate authentication with AAD (using the managed integration)", + "waf": "Security" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "The v2 SKU offers several advantages and critical new features that enhance the availability and resilience of your application infrastructure. 
One notable feature supported by the v2 SKU is zone redundancy, which allows an Application Gateway deployment to span multiple Availability Zones.", - "guid": "ced126cd-032a-4f5b-8fc6-998a535e3378", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "services": [ - "Storage", - "AppGW" + "WAF" ], - "severity": "High", - "subcategory": "Application Gateways", - "text": "Deploy Azure Application Gateway v2 for zone redundancy support", - "waf": "Reliability" + "severity": "Medium", + "text": "Limit access to admin kubeconfig (get-credentials --admin)", + "waf": "Security" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "Azure Front Door provides automatic failover capabilities, ensuring continuity in the event of a primary region becoming unavailable. However, during the failover process, there may be a brief period (typically 20-60 seconds) when clients cannot reach the application. It is essential to review the Azure Front Door service level agreement (SLA) to determine whether relying solely on Front Door meets your business requirements for high availability. 
", - "guid": "97e31c67-d68c-4f6a-92a1-194956d697dc", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/app-service-web-app/multi-region#azure-front-door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "services": [ - "FrontDoor" + "Entra", + "RBAC", + "WAF" ], - "severity": "Low", - "subcategory": "Azure Front Door", - "text": "Consider a redundant traffic management solution in conjunction with Azure Front Door", - "waf": "Reliability" + "severity": "Medium", + "text": "Integrate authorization with AAD RBAC", + "waf": "Security" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "By implementing Traffic Manager, you can configure it to continuously monitor the health of your application endpoints and automatically redirect traffic to an alternate endpoint when necessary. 
This automation minimizes downtime and provides a more seamless experience for your users during disaster recovery scenarios.", - "guid": "8df03a82-2cd4-463c-abbc-8ac299ebc92a", - "link": "https://learn.microsoft.com/azure/networking/disaster-recovery-dns-traffic-manager", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "services": [ - "DNS", - "Monitor", - "ASR", - "TrafficManager" + "RBAC", + "AKS", + "WAF" ], - "severity": "Low", - "subcategory": "DNS", - "text": "Plan for automated failover using Traffic Manager for DNS Traffic", - "waf": "Reliability" + "severity": "High", + "text": "Use namespaces for restricting RBAC privilege in Kubernetes", + "waf": "Security" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", - "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", - "service": "DNS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "services": [ - "DNS", - "ACR", - "ASR" + "Entra", + "WAF" ], - "severity": "Low", - "subcategory": "DNS", - "text": "Implement DNS Failover using Azure DNS Private Resolvers", - "waf": "Reliability" + "severity": "Medium", + "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", + "waf": "Security" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", - "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", - "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", - "service": "Data Gateways", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "services": [ - "ACR" + "AKS", + "WAF" ], "severity": "Medium", - "subcategory": "Data Gateways", - "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", - "waf": "Reliability" + "text": "For AKS non-interactive logins use kubelogin (preview)", + "waf": "Security" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "When using ExpressRoute, it's 
important to design for high availability by incorporating redundancy in both the partner and customer networks. This can include multiple ExpressRoute circuits, redundant connections from your network to Microsoft, and ensuring your on-premises network equipment has redundant connections.", - "guid": "c0e7c28d-c936-4657-802b-ff4564b0d934", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "services": [ - "ExpressRoute" + "AKS", + "WAF" ], "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Ensure redundancy within both the partner network and customer network when utilizing ExpressRoute for high availability", - "waf": "Reliability" + "text": "Disable AKS local accounts", + "waf": "Security" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "The primary circuit should handle regular traffic while the backup circuit stays ready to take over if the primary circuit fails. 
Utilize BGP attributes to influence routing and designate your primary and backup circuits effectively.", - "guid": "a359c373-e7dd-4616-83a3-64a907ebae48", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", "services": [ - "ExpressRoute", - "Backup" + "WAF" ], - "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "When using multiple ExpressRoute circuits ensure that routing allows for a primary and backup", - "waf": "Reliability" + "severity": "Low", + "text": "Configure if required Just-in-time cluster access", + "waf": "Security" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "S2S VPN connection can provide a cost-effective, resilient backup solution in the event of an ExpressRoute circuit failure. 
By using S2S VPN as a failover, you can maintain connectivity to your Azure resources without relying solely on ExpressRoute.", - "guid": "ead53cc7-de2e-48aa-ab35-71549ab9153d", - "link": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", "services": [ - "Cost", - "ExpressRoute", - "VPN", - "Backup" + "Entra", + "AKS", + "WAF" ], "severity": "Low", - "subcategory": "ExpressRoute", - "text": "Consider deploying site-to-site VPN as a backup for your ExpressRoute private peering", - "waf": "Reliability" + "text": "Configure if required AAD conditional access for AKS", + "waf": "Security" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "Standard Load Balancer SKU offers an SLA of 99.99% and a higher level of service availability compared to the Basic Load Balancer SKU.", - "guid": "778468d5-5a78-45d6-be96-c96ad8844cf3", - "link": "https://learn.microsoft.com/azure/load-balancer/skus", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", "services": [ - "LoadBalancer" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Load Balancers", - "text": "Leverage the Standard SKU for Load Balancers that handle traffic to production applications", - "waf": "Reliability" + "severity": "Low", + "text": "If required for Windows AKS workloads configure gMSA ", + "waf": "Security" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "By configuring the load balancer with a zone-redundant 
frontend, it can serve zonal resources in any zone with a single IP address. As long as at least one zone remains healthy within the region, the IP address associated with the frontend can survive one or more zone failures. It is recommended to have multiple zonal resources, such as virtual machines from different zones, in the backend pool of the load balancer. ", - "guid": "b2b38c88-6ba2-4c02-8499-114a5d3ce574", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "services": [ - "LoadBalancer", - "VM" + "Entra", + "WAF" ], - "severity": "Low", - "subcategory": "Load Balancers", - "text": "For load balancers, consider using a zone-redundant frontend with multiple zonal resources in the backend", - "waf": "Reliability" + "severity": "Medium", + "text": "For finer control consider using a managed Kubelet Identity", + "waf": "Security" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "When designing health probes for your Azure Load Balancer, it is important to follow best practices to ensure reliable and accurate monitoring of your backend instances.", - "guid": "dccbd979-2a6b-4cca-8b5f-ea1ebf3dd95d", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-custom-probe-overview#design-guidance", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "services": [ - "LoadBalancer", - "Monitor" + "ACR", + "AppGW", + "WAF" ], - "severity": "Low", - "subcategory": "Load Balancers", - 
"text": "Select the right protocol, appropriate intervals and timeouts, representative paths and probe responses when defining Load Balancer Health Probes", + "severity": "Medium", + "text": "If using AGIC, do not share an AppGW across clusters", "waf": "Reliability" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", - "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "services": [ - "NVA" + "AKS", + "WAF" ], "severity": "High", - "subcategory": "NVAs", - "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", + "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", "waf": "Reliability" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "By deploying VPN Gateways in an active-active mode, you can distribute VPN traffic across multiple gateways, improving reliability and ensuring continuous connectivity in case of failures or maintenance.", - "guid": "927139b8-2110-42db-b6ea-f11e6f843e53", - "link": 
"https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "services": [ - "ACR", - "VPN" + "WAF" ], "severity": "Medium", - "subcategory": "VPN Gateways", - "text": "Deploy Azure VPN Gateways in an active-active mode to ensure high availability and redundancy for your VPN connections.", - "waf": "Reliability" + "text": "For Windows workloads use Accelerated Networking", + "waf": "Performance" }, { - "category": "Network", - "checklist": "Resiliency Review", - "description": "Zone-redundant SKUs ensure that your VPN gateways are physically and logically separated within a region, providing resiliency and scalability. This deployment configuration safeguards your on-premises network connectivity to Azure from zone-level failures.", - "guid": "f4722d92-8c1b-41cd-921f-54b29b9de39a", - "link": "https://learn.microsoft.com/azure/vpn-gateway/about-zone-redundant-vnet-gateways", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "services": [ - "VPN" + "LoadBalancer", + "WAF" ], - "severity": "Medium", - "subcategory": "VPN Gateways", - "text": "Use zone-redundant SKUs when deploying VPN Gateways to enhance resilience and protect against zone-level failures", + "severity": "High", + "text": "Use the standard ALB (as opposed to the basic one)", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution 
Implementation Checklist", - "description": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore", - "guid": "976f32a7-30d1-6caa-c2a0-207fdc26571b", - "link": "https://learn.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "services": [ - "Storage", - "AVS", - "Backup" + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource", - "waf": "Reliability" + "text": "If using Azure CNI, consider using different Subnets for NodePools", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Microsoft backup service", - "guid": "fc8af7a1-c724-e255-c18d-4ca22a6f27f0", - "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", "services": [ - "AVS", - "Backup" + "PrivateLink", + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Use MABS as your backup solution", - "waf": "Reliability" + "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Best practice - this is Backup, not disaster recovery", - 
"guid": "be28860f-3d29-a79a-1a0e-36f1b23b36ae", - "link": "Best practice to deploy backup in the same region as your AVS deployment", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "services": [ - "AVS", - "Backup", - "ASR" + "WAF" ], - "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", + "severity": "High", + "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Best practice - in case AVS is unavailable", - "guid": "4d2f79a5-4ccf-0dfc-557c-49619b99a540", - "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "AVS" + "VNet", + "WAF" ], - "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Preferably deploy MABS outside of the SDDC as native Azure IaaS", - "waf": "Reliability" + "severity": "High", + "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", + "waf": "Performance" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Is a process in place to request a restore of the VMware components 
managed by the Azure Platform?", - "guid": "ff431c40-962c-5182-d536-0c2f0c4ce9e0", - "link": "Will Disaster Recovery Site Recovery, HCX Disaster Recovery, SRM or back tools be used?", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Business Continuity", - "text": "Escalation process with Microsoft in the event of a regional DR", - "waf": "Reliability" + "severity": "High", + "text": "If using Azure CNI, check the maximum pods/node (default 30)", + "waf": "Performance" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Compare SRM with HCX", - "guid": "f379436d-3051-daa0-01fb-dc4e0e04d677", - "link": "https://docs.microsoft.com/azure/azure-vmware/disaster-recovery-using-vmware-site-recovery-manager", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", "services": [ - "AVS", - "ASR" + "VNet", + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use VMware Site Recovery Manager when both sites are Azure VMware Solution", - "waf": "Reliability" + "severity": "Low", + "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Recovery into Azure instead of Vmware solution", - "guid": "367f71d8-3cf6-51a0-91a5-3db3d570cc19", - "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "AVS", - "ASR" + "WAF" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS", + "severity": "High", + "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Avoid manual tasks as much as possible", - "guid": "ee02ada0-1887-bb3a-b84c-423f45a09ef9", - "link": "https://docs.microsoft.com/azure/site-recovery/avs-tutorial-prepare-azure", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": 
"57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", "services": [ - "AVS", - "ASR" + "WAF" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use Automated recovery plans with either of the Disaster solutions,", - "waf": "Reliability" + "severity": "Low", + "text": "If required add your own CNI plugin", + "waf": "Security" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Any other datacenter in the same region", - "guid": "0c2b74e5-9c28-780d-1df3-12d3de4aaa76", - "link": "https://docs.microsoft.com/azure/azure-vmware/connect-multiple-private-clouds-same-region", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", "services": [ - "AVS", - "ASR" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Configure a secondary disaster recovery environment", - "waf": "Reliability" + "severity": "Low", + "text": "If required configure Public IP per node in AKS", + "waf": "Performance" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions", - "guid": "c2a34ec4-2933-4e6c-dc36-e20e67abbe3f", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "services": [ - "AVS", - "ASR" + "WAF" ], 
"severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Assign IP ranges unique to each region", + "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", "waf": "Reliability" }, { - "category": "BCDR", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "ExpressRoute Global Reach can be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or routing must be done through network virtual appliances?", - "guid": "b44fb6ec-bfc1-3a8e-dba2-ca97f0991d2c", - "link": "This depends if you have multiple AVS Private Clouds. If so and they are in the same region then use AVS Interconnect. If they are in separate regions then use ExpressRoute Global Reach.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", "services": [ - "ExpressRoute", - "AVS", - "NVA", - "ASR" + "WAF" ], - "severity": "Medium", - "subcategory": "Disaster Recovery", - "text": "Use Global Reach between DR regions", + "severity": "Low", + "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "An ExR Global Reach connection will be established to the ExR circuit, no other connections", - "guid": "a2c12df2-07fa-3edd-2cec-fda0b55fb952", - "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", 
"services": [ - "VWAN", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Direct (no vWAN, no H&S)", - "text": "Global Reach to ExR circuit - no Azure resources", - "waf": "Performance" + "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", + "waf": "Reliability" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use ExR to connect on-premises (other) location to Azure", - "guid": "f62ce162-ba5a-429d-674e-fafa1af5f706", - "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "services": [ - "ExpressRoute", - "AVS" + "NVA", + "WAF" ], - "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Connect to Azure using ExR", - "waf": "Performance" + "severity": "High", + "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", + "waf": "Security" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use the migration assesment tool and timeline to determine bandwidth required", - "guid": "cf01c73b-1247-0a7a-740c-e1ea29bda340", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-introduction", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or 
properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "services": [ - "ExpressRoute", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Bandwidth sizing", - "waf": "Performance" + "text": "If using a public API endpoint, restrict the IP addresses that can access it", + "waf": "Security" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "What traffic is routed through a firewall, what goes directly into Azure", - "guid": "aab216ee-8941-315e-eada-c7e1f2243bd1", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", "services": [ - "ExpressRoute", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Traffic routing ", - "waf": "Performance" + "severity": "High", + "text": "Use private clusters if your requirements mandate it", + "waf": "Security" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "AVS to ExR circuit, no traffic inspection", - "guid": "1f956e45-f62d-5c95-3a95-3bab718907f8", - "link": 
"https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "services": [ - "ExpressRoute", - "AVS" + "AKS", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "ExpressRoute", - "text": "Global Reach ", - "waf": "Performance" + "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", + "waf": "Security" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Name of the vNet and a unique address space /24 minimum", - "guid": "91f7a87b-21ac-d712-959c-8df2ba034253", - "link": "https://learn.microsoft.com/azure/virtual-network/quick-create-portal", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "services": [ - "AVS", - "VNet" + "AKS", + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "VNet name & address space", - "waf": "Performance" + "severity": "High", + "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", + "waf": "Security" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation 
Checklist", - "description": "Subnet must be called GatewaySubnet", - "guid": "58a027e2-f37f-b540-45d5-e44843aba26b", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "services": [ - "ExpressRoute", - "AVS", - "VPN", - "VNet" + "AKS", + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "Gateway subnet", - "waf": "Performance" + "severity": "High", + "text": "Use Kubernetes network policies to increase intra-cluster security", + "waf": "Security" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Create a VPN gateway on the hub Gateway subnet", - "guid": "d4806549-0913-3e79-b580-ac2d3706e65a", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "services": [ - "ExpressRoute", - "AVS", - "VPN", - "VNet" + "WAF" ], - "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "VPN Gateway", - "waf": "Performance" + "severity": "High", + "text": "Use a WAF for web workloads (UIs or APIs)", + "waf": "Security" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Create an ExR Gateway in the hub Gateway subnet.", - "guid": "864d7a8b-7016-c769-a717-61af6bfb73d2", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", "services": [ - "ExpressRoute", - "AVS", - "VPN", - "VNet" + "AKS", + "VNet", + "DDoS", + "WAF" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "ExR Gateway", - "waf": "Performance" + "text": "Use DDoS Standard in the AKS Virtual Network", + "waf": "Security" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "How will Internet traffic be routes, Az Firewall, NVA, Secure Hub, On-Premises firewall?", - "guid": "cc2e11b9-7911-7da1-458c-d7fcef794aad", - "link": "https://learn.microsoft.com/azure/azure-vmware/enable-public-internet-access", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project 
id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", "services": [ - "AVS", - "NVA" + "WAF" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "Egress point", - "waf": "Performance" + "severity": "Low", + "text": "If required add company HTTP Proxy", + "waf": "Security" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Allow remote connectivity to AVS via the portal, specifically to vCenter, NSX-T and HCX", - "guid": "71e68ce3-982e-5e56-0191-01100ad0e66f", - "link": "https://learn.microsoft.com/answers/questions/171195/how-to-create-jump-server-in-azure-not-bastion-paa.html", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", "services": [ - "Bastion", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Jumpbox & Bastion", - "text": "Remote connectivity to AVS", - "waf": "Performance" + "text": "Consider using a service mesh for advanced microservice communication management", + "waf": "Security" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Name the jumpbox and identify the subnet where it will be hosted", - "guid": "6f8e93a2-44b1-bb1d-28a1-4d5b3c2ea857", - "link": "https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": 
"WAF checklist", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", "services": [ - "Bastion", - "AVS", - "VNet" + "Monitor", + "WAF" ], - "severity": "Medium", - "subcategory": "Jumpbox & Bastion", - "text": "Configure a jumbox and Azure Bastion", - "waf": "Performance" + "severity": "High", + "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", + "waf": "Operations" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Provides secure / seamless RDP/SSH connectivity to your vm's directly through the portal.", - "guid": "ba430d58-4541-085c-3641-068c00be9bc5", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", "services": [ - "Bastion", - "AVS", - "VM" + "Entra", + "WAF" ], - "severity": "Medium", - "subcategory": "Jumpbox & Bastion", - "text": "Security measure allowing RDP access via the portal", - "waf": "Performance" + "severity": "Low", + "text": "Check regularly Azure Advisor for recommendations on your cluster", + "waf": "Operations" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Using a VPN to connect to Azure to enable VMware communications (HCX) (not recommended)", - "guid": "9988598f-2a9f-6b12-9b46-488415ceb325", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-site-to-site-vpn-gateway", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": 
"https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", "services": [ - "AVS", - "VPN" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "VPN", - "text": "Connect to Azure using a VPN", - "waf": "Performance" + "severity": "Low", + "text": "Enable AKS auto-certificate rotation", + "waf": "Operations" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use the migration assesment tool and timeline to determine bandwidth required (eg 3rd party tool in link)", - "guid": "956ce5e9-a862-fe2b-a50d-a22923569357", - "link": "https://www.omnicalculator.com/other/data-transfer#:~:text=To%20calculate%20the%20data%20transfer%20speed%3A%201%20Download,measured%20time%20to%20find%20the%20data%20transfer%20speed.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", "services": [ - "AVS", - "VPN" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "VPN", - "text": "Bandwidth sizing", - "waf": "Performance" + "severity": "High", + "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", + "waf": "Operations" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "What traffic is routed through a firewall, what goes directly into Azure", - "guid": "e095116f-0bdc-4b51-4d71-b9e469d56f59", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": 
"AKS", "services": [ - "AVS", - "VPN" + "WAF" ], - "severity": "Medium", - "subcategory": "VPN", - "text": "Traffic routing ", - "waf": "Performance" + "severity": "High", + "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", + "waf": "Operations" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Name and unique address space for the vWAN, name for the vWAN hub", - "guid": "4dc480ac-cecd-39c4-fdc6-680b300716ab", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-site-to-site-portal#openvwan", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", "services": [ - "VWAN", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "vWAN hub", - "text": "vWAN name, hub name and address space", - "waf": "Performance" + "severity": "High", + "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", + "waf": "Operations" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Select either boh or the appropriate connection type.", - "guid": "51d6affd-8e02-6aea-d3d4-0baf618b3076", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-point-to-site-portal", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", "services": [ - "VWAN", - "AVS", - "VPN" + "WAF" ], - "severity": "Medium", - "subcategory": "vWAN hub", - "text": "ExR and/or VPN gateway provisioned", - "waf": "Performance" + "severity": "Low", + "text": "Consider gitops to 
deploy applications or cluster configuration to multiple clusters", + "waf": "Operations" }, { - "category": "Connectivity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Add Azure firewall to vWAN (recommended)", - "guid": "e32a4c67-3dc0-c134-1c12-52d46dcbab5b", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-expressroute-portal", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", "services": [ - "VWAN", - "AVS", - "Firewall" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "vWAN hub", - "text": "Secure vWAN", - "waf": "Security" + "severity": "Low", + "text": "Consider using AKS command invoke on private clusters", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Active directory or other identity provider servers", - "guid": "fbc47fbf-bc96-fa93-ed5d-8c9be63cd5c3", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", "services": [ - "AVS", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Access", - "text": "External Identity (user accounts)", - "waf": "Security" + "severity": "Low", + "text": "For planned events consider using Node Auto Drain", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Not required for LDAPS, required for Kerberos", - "guid": "b5db7975-f6bb-8ba3-ee5f-e3e805887997", - "link": 
"https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", "services": [ - "AVS", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Access", - "text": "If using AD domain, ensure Sites & Services has been configured", - "waf": "Security" + "severity": "High", + "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Authentication for users, must be secure.", - "guid": "c30749c4-e2af-558c-2eb9-0b6ae84881d1", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-identity-source-vcenter", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "services": [ - "AVS", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Access", - "text": "Use LDAPS not ldap ( vCenter)", - "waf": "Security" + "severity": "Low", + "text": "Use custom Node RG (aka 'Infra RG') name", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Authentication for users, must be secure.", - "guid": "64cb9b5c-9edd-787e-1dd8-2b2338e51635", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-external-identity-source-nsx-t", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "services": [ - "AVS", - "Entra" + "AKS", + "WAF" ], "severity": "Medium", - "subcategory": "Access", - "text": "Use LDAPS not ldap (NSX-T)", - "waf": "Security" + "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "CN or SAN names, no wildcards, contains private key - CER or PFX", - "guid": "bec285ab-037e-d629-81d1-f61dac23cd4c", - "link": "https://youtu.be/4jvfbsrhnEs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", "services": [ - "AVS", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Security certificate installed on LDAPS servers ", - "waf": "Security" + "severity": "Low", + "text": "Taint Windows nodes", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Standard Azure Roles Based Access Controls", - "guid": "4ba394a2-3c33-104c-8e34-2dadaba9cc73", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", "services": [ - "RBAC", - "AVS", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "RBAC applied to Azure 
roles", - "waf": "Security" + "severity": "Low", + "text": "Keep windows containers patch level in sync with host patch level", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Create roles in vCenter required to meet minimum viable access guidelines", - "guid": "b04ca129-83a9-3494-7512-347dd2d766db", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity#view-the-vcenter-server-privileges", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "description": "Via Diagnostic Settings at the cluster level", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", "services": [ - "RBAC", - "AVS", - "Entra" + "Monitor", + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "RBAC model in vCenter", - "waf": "Security" + "severity": "Low", + "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", - "guid": "8e477d2f-8004-3dd0-93d6-0aece9e1b2fb", - "link": "Best practice", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", "services": [ - "RBAC", - "AVS", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "CloudAdmin role usage", - "waf": "Security" + "severity": "Low", + "text": "If required use nodePool snapshots", + "waf": "Cost" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For 
roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", - "guid": "00e0b729-f9be-f600-8c32-5ec0e8f2ed63", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", "services": [ - "RBAC", - "AVS", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Security ", - "text": "Is Privileged Identity Management implemented", - "waf": "Security" + "severity": "Low", + "text": "Consider spot node pools for non time-sensitive workloads", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For the Azure VMware Solution PIM roles", - "guid": "0842d45f-41a8-8274-1155-2f6ed554d315", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ - "RBAC", - "AVS", - "Entra" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Security ", - "text": "Is Privileged Identity Management audit reporting implemented", - "waf": "Security" + "severity": "Low", + "text": "Consider AKS virtual node for quick bursting", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - 
"description": "Best practice, also see Monitoring/Alerts", - "guid": "915cbcd7-0640-eb7c-4162-9f33775de559", - "link": "Best practice", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "services": [ "Monitor", - "AVS", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Security ", - "text": "Limit use of CloudAdmin account to emergency access only", - "waf": "Security" + "severity": "High", + "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", + "waf": "Operations" }, { - "category": "Identity", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Operational procedure", - "guid": "7effa0c0-9172-e8e4-726a-67dbea8be40a", - "link": "https://learn.microsoft.com/azure/azure-vmware/rotate-cloudadmin-credentials?tabs=azure-portal", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "services": [ - "AVS", - "Entra" + "WAF" ], - "severity": "Medium", - "subcategory": "Security ", - "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", - "waf": "Security" + "severity": "High", + "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", + "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - 
"description": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", - "guid": "8f426fd0-d73b-d398-1f6f-df0cbe262a82", - "link": "https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", "services": [ - "Arc", - "AVS", - "VM" + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "AVS VM Management (Azure Arc)", + "text": "Monitor CPU and memory utilization of the nodes", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions", - "guid": "11dbe773-e380-9191-1418-e886fa7a6fd0", - "link": "https://docs.microsoft.com/azure/governance/policy/overview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "services": [ - "AzurePolicy", - "AVS", - "Monitor" + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Azure policy", + "text": "If using Azure CNI, monitor % of pod IPs consumed per node", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", - "guid": "1e59c639-9b7e-a60b-5e93-3798c1aff5db", - "link": 
"https://docs.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json#configure-locks", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", "services": [ - "AVS" + "Storage", + "Monitor", + "EventHubs", + "ServiceBus", + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Resource locks", + "text": "Monitor OS disk queue depth in nodes", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For manual deployments, all configuration and deployments must be documented", - "guid": "8f2c46aa-ca1b-cad3-3ac9-213dfc0a265e", - "link": "Make sure to create your own runbook on the deployment of AVS.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "services": [ - "AVS" + "LoadBalancer", + "Monitor", + "NVA", + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Run books", + "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", "waf": "Operations" }, { - "category": "Management", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", - "guid": "86b314f9-1f1e-317a-4dfb-cf510ad4a030", - "link": 
"https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", "services": [ - "AVS", - "AKV" + "AKS", + "WAF" ], "severity": "Medium", - "subcategory": "Operations", - "text": "Naming conventions for auth keys", + "text": "Subscribe to resource health notifications for your AKS cluster", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "For automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "guid": "e22a2d99-eb71-7d7c-07af-6d4cdb1d4443", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Alerts", - "text": "Create warning alerts for critical thresholds ", + "severity": "High", + "text": "Configure requests and limits in your pod specs", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)", - "guid": "6d02f159-627d-79bf-a931-fab6d947eda2", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Alerts", - "text": "Create critical alert vSAN consumption", + "text": "Enforce resource quotas for namespaces", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Provides platform alerts (generated by Microsoft)", - "guid": "1cc97b39-2c7e-246f-6d73-789cfebfe951", - "link": "https://www.virtualworkloads.com/2021/04/azure-vmware-solution-azure-service-health/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "Subscriptions", + "WAF" ], - "severity": "Medium", - "subcategory": "Alerts", - "text": "Configured for Azure Service Health alerts and notifications", + "severity": "High", + "text": "Ensure your subscription has enough quota to scale out your nodepools", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads", - "guid": "0962606c-e3b4-62a9-5661-e4ffd62a4509", - "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", + "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", + "service": "AKS", "services": [ - "AzurePolicy", - "Monitor", - "VM", - "AVS", - "Backup" + "WAF" ], - "severity": "Medium", - 
"subcategory": "Backup", - "text": "Backup policy", + "severity": "High", + "text": "Configure Liveness and Readiness probes for all deployments", "waf": "Operations" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Keep in mind the lead time for requesting new nodes", - "guid": "4ec7ccfb-795e-897e-4a84-fd31c04eadc6", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ - "AzurePolicy", - "AVS", - "Monitor" + "WAF" ], "severity": "Medium", - "subcategory": "Capacity", - "text": "Policy around ESXi host density and efficiency", - "waf": "Operations" + "text": "Use the Cluster Autoscaler", + "waf": "Performance" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Azure Cost Management can be used - one option, put AVS in it's own Subscription. 
", - "guid": "7f8f175d-13f4-5298-9e61-0bc7e9fcc279", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/govern", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", "services": [ - "Cost", - "Monitor", - "AVS", - "Subscriptions" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Costs", - "text": "Ensure a good cost management process is in place for Azure VMware Solution - ", - "waf": "Operations" + "severity": "Low", + "text": "Customize node configuration for AKS node pools", + "waf": "Performance" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Create dashboards to enable core Azure VMware Solution monitoring insights", - "guid": "01e689e0-7c6c-b58f-37bd-4d6b9b1b9c74", - "link": "https://docs.microsoft.com/azure/azure-portal/azure-portal-dashboards", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "services": [ - "Monitor", - "AVS", - "NetworkWatcher" + "WAF" ], "severity": "Medium", - "subcategory": "Dashboard", - "text": "Connection monitor dashboard", - "waf": "Operations" + "text": "Use the Horizontal Pod Autoscaler when required", + "waf": "Performance" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Send to an Azure Storage account or Azure EventHub for processing (direct to Log Analytics is pending)", - "guid": 
"f9afdcc9-649d-d840-9fb5-a3c0edcc697d", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", "services": [ - "Monitor", - "AVS", - "Storage" + "WAF" ], - "severity": "Medium", - "subcategory": "Logs & Metrics", - "text": "Configure Azure VMware Solution logging ", - "waf": "Operations" + "severity": "High", + "text": "Consider an appropriate node size, not too large or too small", + "waf": "Performance" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Must be on-premises, implement if available", - "guid": "7cbac8c3-4eda-d5d9-9bda-c6b5abba9fb6", - "link": "Is vROPS or vRealize Network Insight going to be used? 
", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Logs & Metrics", - "text": "vRealize Operations", - "waf": "Operations" + "severity": "Low", + "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", + "waf": "Performance" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor", - "guid": "b243521a-644d-f865-7fb6-21f9019c0dd2", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", "services": [ - "Monitor", - "AVS", - "VM" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Logs & Metrics", - "text": "AVS VM logging", - "waf": "Operations" + "severity": "Low", + "text": "Consider subscribing to EventGrid Events for AKS automation", + "waf": "Performance" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Between on-premises to Azure are monitored using 'connection monitor'", - "guid": "2ca97d91-dd36-7229-b668-01036ccc3cd3", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": 
"https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", "services": [ - "ExpressRoute", - "VPN", - "Monitor", - "NetworkWatcher", - "AVS" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Network", - "text": "Monitor ExpressRoute and/or VPN connections ", - "waf": "Operations" + "severity": "Low", + "text": "For long running operation on an AKS cluster consider event termination", + "waf": "Performance" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "To monitor the Azure VMware Solution back-end ExpressRoute connection (Azure native to AVS)", - "guid": "99209143-60fe-19f0-5633-8b5671277ba5", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", "services": [ - "Monitor", - "AVS", - "ExpressRoute" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Network", - "text": "Monitor from an Azure native resource to an Azure VMware Solution VM", - "waf": "Operations" + "severity": "Low", + "text": "If required consider using Azure Dedicated Hosts for AKS nodes", + "waf": "Performance" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "To monitor end-to-end, on-premises to AVS workloads", - "guid": "b9e5867c-57d3-036f-fb1b-3f0a71664efe", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = 
(pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Network", - "text": "Monitor from an on-premises resource to an Azure VMware Solution VM", - "waf": "Operations" + "severity": "High", + "text": "Use ephemeral OS disks", + "waf": "Performance" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Track requests to Azure VMware Solution and Azure VMware Solution based workloads", - "guid": "4af7c5f7-e5e9-bedf-a8cf-314b81735962", - "link": "Firewall logging and alerting rules are configured (Azure Firewall or 3rd party)", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Auditing and logging is implemented for inbound internet ", - "waf": "Operations" + "severity": "High", + "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", + "waf": "Performance" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", - "guid": "74be60a3-cfac-f057-eda6-3ee087e805d5", - "link": 
"https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "Storage", + "AKS", + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Session monitoring ", - "waf": "Operations" + "severity": "Low", + "text": "For hyper performance storage option use Ultra Disks on AKS", + "waf": "Performance" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Enable Diagnostic and metric logging on Azure VMware Solution", - "guid": "a434b3b5-f258-0845-cd76-d7df6ef5890e", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "services": [ - "Monitor", - "AVS" + "Storage", + "SQL", + "WAF" ], "severity": "Medium", - "subcategory": "VMWare", - "text": "Logging and diagnostics", - "waf": "Operations" + "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", + "waf": "Performance" }, { - "category": "Monitoring", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Monitor AVS workloads (each VM in AVS)", - "guid": "fb00b69a-83ec-ce72-446e-6c23a0cab09a", - "link": "https://docs.microsoft.com/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "services": [ - "Monitor", - "AVS", - "VM" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "VMware", - "text": "Log Analytics Agents deployed on Azure VMware Solution guest VM workloads", - "waf": "Operations" + "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", + "waf": "Performance" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision on traffic flow", - "guid": "a1354b87-e18e-bf5c-c50b-8ddf0540e971", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "services": [ - "AVS" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "North/South routing through Az Firewall or 3rd party ", - "waf": "Security" + "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", + "waf": "Performance" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", - "guid": "29a8a499-ec31-f336-3266-0895f035e379", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-hub-and-spoke", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + 
"service": "Key Vault", + "services": [ + "AKV", + "Backup", + "WAF" + ], + "severity": "High", + "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", "services": [ - "AVS" + "AKV", + "ACR", + "WAF" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "East West (Internal to Azure)", - "waf": "Security" + "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Requires a 3rd party NVA with Azure Route server - Scenario 2 (see link)", - "guid": "ebd3cc3c-ac3d-4293-950d-cecd8445a523", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", "services": [ - "NVA", - "AVS", - "ARS" + "AKV", + "WAF" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "ExR without Global Reach", - "waf": "Operations" + "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When route server is used, ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN", - "guid": "ffb5c5ca-bd89-ff1b-8b73-8a54d503d506", - "link": "https://learn.microsoft.com/azure/route-server/route-server-faq", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", "services": [ - "AVS", - "ARS" + "AKV", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Hub & Spoke", - "text": "Route server ", - "waf": "Operations" + "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. 
Familiarize yourself with the Key Vault's failover guidance.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Via on-premises, Az Firewall, 3rd Party, NSX-T pubic IP", - "guid": "a4070dad-3def-818d-e9f7-be440d10e7de", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-design-public-internet-access", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", "services": [ - "AVS" + "AKV", + "Storage", + "Backup", + "Subscriptions", + "WAF" ], "severity": "Medium", - "subcategory": "Internet", - "text": "Egress point(s)", - "waf": "Security" + "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. 
Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Az Firewall, 3rd party NVA, Application Gateway, Azure Frontdoor ", - "guid": "e942c03d-beaa-3d9f-0526-9b26cd5e9937", - "link": "Research and choose optimal solution for each application", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "services": [ - "AVS", - "AppGW", - "NVA", - "FrontDoor" + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Internet", - "text": "Internet facing applications", - "waf": "Security" + "severity": "High", + "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure no more then 200 routes are propagated from route server to ExR gateway to on-premises (ARS limit). Important when using MoN", - "guid": "e778a2ec-b4d7-1d27-574c-14476b167d37", - "link": "https://docs.microsoft.com/azure/route-server/route-server-faq#route-server-limits", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "services": [ - "AVS", - "ARS" + "AKV", + "WAF" ], - "severity": "Medium", - "subcategory": "Routing", - "text": "When route server Route limit understood? ", - "waf": "Security" + "severity": "Low", + "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. 
Familiarize yourself with the Key Vault's soft-delete guidance.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "(VPN Gateway, AppGW, FrontDoor, Load balancer, VMs (etc) (Remove: enabled on ExR/VPN Gateway subnet in Azure)", - "guid": "66c97b30-81b9-139a-cc76-dd1d94aef42a", - "link": "https://docs.microsoft.com/azure/ddos-protection/manage-ddos-protection", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", "services": [ - "ExpressRoute", - "VPN", - "AppGW", - "VM", - "VNet", - "LoadBalancer", - "AVS", - "DDoS", - "FrontDoor" + "AKV", + "Backup", + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Is DDoS standard protection of public facing IP addresses? ", - "waf": "Security" + "severity": "Low", + "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "To manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "guid": "d43da920-4ecc-a4e9-dd45-a2986ce81d32", - "link": "Best practice: Bastion or 3rd party tool", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", "services": [ - "AVS" + "AKV", + "Backup", + "WAF" ], - "severity": "Medium", - "subcategory": "Security", - "text": "Use a dedicated privileged access workstation (PAW)", - "waf": "Security" + "severity": "Low", + "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. 
Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use NSX-T for inter-vmware-traffic inspection", - "guid": "a2dac74f-5380-6e39-25e6-f13b99ece51f", - "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-F6685367-7AA1-4771-927E-ED77727CFDA3.html", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "WAF checklist", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", "services": [ - "AVS" + "AKV", + "EventHubs", + "WAF" ], "severity": "Medium", - "subcategory": "Traffic Inspection", - "text": "East West (Internal to AVS)", - "waf": "Security" + "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. 
It can be turned on via CLI, PowerShell or Portal.", + "waf": "Reliability" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision on whether or not to use Secure hub for E/W and Internet traffic - requires Global Reach", - "guid": "3f621543-dfac-c471-54a6-7b2849b6909a", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "services": [ - "VWAN", - "AVS", - "Firewall" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "Use Secure Hub (Azure Firewall or 3rd party)", + "text": "Consider the 'Azure security baseline for storage'", "waf": "Security" }, { - "category": "Networking", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision to route Azure to Azure traffic through Firewall, not E/W between AVS workloads (internal to AVS)", - "guid": "d7af5670-1b39-d95d-6da2-8d660dfbe16b", - "link": "https://learn.microsoft.com/azure/firewall-manager/secure-cloud-network", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", "services": [ - "VWAN", - "AVS" + "PrivateLink", + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Virtual WAN", - "text": "East West (Internal to Azure)", + "severity": "High", + "text": "Consider using private endpoints for Azure Storage", "waf": "Security" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", - "guid": "7d049005-eb35-4a93-50a5-3b31a9f61161", - "link": "https://docs.microsoft.com/azure/azure-vmware/configure-nsx-network-components-azure-portal", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "services": [ - "AVS", - "Subscriptions" + "RBAC", + "Storage", + "Subscriptions", + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale out operations planning", - "waf": "Performance" + "text": "Ensure older storage accounts are not using 'classic deployment model'", + "waf": "Security" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", - "guid": "7242c1de-da37-27f3-1ddd-565ccccb8ece", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "services": [ "Storage", - "AVS", - "AzurePolicy" + "Defender", + "WAF" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale in operations planning", - "waf": "Performance" + "severity": "High", + "text": "Enable Microsoft Defender for all of your storage accounts", + "waf": "Security" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Scaling operations always need to be serialized within a single SDDC as only one scale 
operation can be performed at a time (even when multiple clusters are used)", - "guid": "3233e49e-62ce-97f3-8737-8230e771b694", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale serialized operations planning", - "waf": "Performance" + "text": "Enable 'soft delete' for blobs", + "waf": "Security" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", - "guid": "68161d66-5707-319b-e77d-9217da892593", - "link": "Best practice (testing)", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale rd operations planning", - "waf": "Performance" + "text": "Disable 'soft delete' for blobs", + "waf": "Security" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Define and enforce scale in/out maximum limits for your environment in the automations", - "guid": "c32cb953-e860-f204-957a-c79d61202669", - "link": "Operational planning - understand workload requirements", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "services": [ - "AVS" + "WAF" ], - "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Scale maximum operations planning", - "waf": "Performance" + "severity": "High", + "text": "Enable 'soft delete' for containers", + "waf": "Security" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", - "guid": "7bd65a5e-7b5d-652d-dbea-fc6f73a42857", - "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-management-and-monitoring", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Consider selectively 
disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "services": [ - "Monitor", - "AVS" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Automated Scale", - "text": "Monitor scaling operations ", - "waf": "Performance" + "text": "Disable 'soft delete' for containers", + "waf": "Security" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Consider the use of Azure Private-Link when using other Azure Native Services", - "guid": "95e374af-8a2a-2672-7ab7-b4a1be43ada7", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "services": [ - "AVS", - "PrivateLink" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Private link", - "waf": "Performance" + "severity": "High", + "text": "Enable resource locks on storage accounts", + "waf": "Security" }, { - "category": "Other Services/Operations", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", - "guid": "71eff90d-5ad7-ac60-6244-2a6f7d3c51f2", - "link": "Best practice", + "arm-service": 
"Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "Subscriptions", + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Provisioning Vmware VLANs", - "waf": "Performance" + "severity": "High", + "text": "Consider immutable blobs", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "In which region will AVS be deployed", - "guid": "04e3a2f9-83b7-968a-1044-2811811a924b", - "link": "https://learn.microsoft.com/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Region selected", - "waf": "Reliability" + "severity": "High", + "text": "Require HTTPS, i.e. 
disable port 80 on the storage account", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Are there regulatory or compliance policies in play", - "guid": "e52d1615-9cc6-565c-deb6-743ed7e90f4b", - "link": "Internal policy or regulatory compliance", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", "services": [ - "AzurePolicy", - "AVS" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Data residency compliant with selected regions", - "waf": "Reliability" + "severity": "High", + "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Request through the support blade", - "guid": "92bd5ad6-441f-a983-7aa9-05dd669d760b", - "link": "https://learn.microsoft.com/azure/migrate/concepts-azure-vmware-solution-assessment-calculation", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Request for number of AVS hosts 
submitted ", - "waf": "Reliability" + "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "PG approval for deployment", - "guid": "28370f63-1cb8-2e35-907f-c5516b6954fa", - "link": "Support request through portal or get help from Account Team", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "AAD tokens should be favored over shared access signatures, wherever possible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "services": [ - "AVS" + "Entra", + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Region and number of AVS nodes approved", - "waf": "Reliability" + "severity": "High", + "text": "Use Azure Active Directory (Azure AD) tokens for blob access", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Portal/subscription/resource providers/ Microsoft.AVS", - "guid": "96c76997-30a6-bb92-024d-f4f93f5f57fa", - "link": "Done through the subscription/resource providers/ AVS register in the portal", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "services": [ - "AVS", - "Subscriptions" + "RBAC", + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Resource provider for AVS registered", - "waf": "Reliability" + "text": "Least privilege in IaM permissions", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Connectivity, subscription & governanace model", - "guid": "5898e3ff-5e6b-bee1-6f85-22fee261ce63", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/enterprise-scale-landing-zone", - "services": [ - "AVS", - "Subscriptions" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "services": [ + "Entra", + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Landing zone architecture", - "waf": "Reliability" + "severity": "High", + "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "The name of the RG where AVS will exist", - "guid": "d0181fb8-9cb8-bf4b-f5e5-b5f9bf7ae4ea", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. 
", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "services": [ - "AVS" + "Entra", + "AKV", + "Storage", + "Monitor", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Resource group name selected", - "waf": "Reliability" + "severity": "High", + "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Each resource created as part of the deployment will also utilize this prefix in the name", - "guid": "0f0d20c2-5a19-726c-de20-0984e070d9d6", - "link": "Best practice - naming standards", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. 
storage account keys, access policies, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", "services": [ - "AVS" + "AKV", + "Storage", + "AzurePolicy", + "Monitor", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Deployment prefix selected", - "waf": "Reliability" + "severity": "High", + "text": "Consider using Azure Monitor to audit control plane operations on the storage account", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "/22 unique non-overlapping IPv4 address space", - "guid": "7fbf2ab7-a36c-5957-c27a-67038557af2a", - "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-network-checklist#routing-and-subnet-considerations", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. 
The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "services": [ - "AVS" + "AKV", + "Storage", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Network space for AVS management layer", - "waf": "Reliability" + "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "vNets used by workloads running in AVS (non-stretched)", - "guid": "0c87f999-e517-21ef-f355-f210ad4134d2", - "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-4B3860B8-1883-48CA-B2F3-7C2205D91D6D.html", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "services": [ - "AVS", - "VNet" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Network space for AVS NSX-T segments", - "waf": "Reliability" + "text": "Consider configuring an SAS expiration policy", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Choose AV36, AV36P, AV52, AV36T (AV36T = Trial)", - "guid": "946c8966-f902-6f53-4f37-00847e8895c2", - "link": "https://azure.microsoft.com/pricing/details/azure-vmware/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "services": [ - "AVS" + "AKV", + "Storage", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "AVS SKU (region dependent)", - "waf": "Performance" + "text": "Consider linking SAS to a stored access policy", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use the Azure migration assessment tool to determine the minimum number of nodes required (consider BCDR as well)", - "guid": "31833808-26ba-9c31-416f-d54a89a17f5d", - "link": "https://learn.microsoft.com/azure/migrate/how-to-assess", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "services": [ - "AVS" + "AKV", + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Number of hosts to be deployed", - "waf": "Performance" + "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Understand how and if you should be using reserved instances (cost control)", - "guid": "f2b73c4f-3d46-32c9-5df1-5b8dfcd3947f", - "link": "https://azure.microsoft.com/en-ca/pricing/details/azure-vmware/#:~:text=Azure%20VMware%20Solution%20%20%20%20Instance%20size,TB%20%28all%20NVMe%29%20%20%20N%2FA%20%2Fhour%20", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Ideally, 
your application should be using a managed identity to authenticate to Azure Storage. If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "services": [ - "Cost", - "AVS" + "Entra", + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Reserverd Instances", - "waf": "Cost" + "severity": "High", + "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement", - "guid": "94ac48ab-ade5-3fa7-f800-263feeb97070", - "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "services": [ - "AVS", - "ASR" + "Storage", + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Capacity ", - "waf": "Performance" + "severity": "High", + "text": "Strive for short validity periods for ad-hoc SAS", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Identify which of the networking scenarios make ", - "guid": "1f9d4bd5-14b8-928c-b4cb-eb211f9b8de5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "Networking & Connectivity See docs describing scenrario 1 through 5", - "waf": "Reliability" + "text": "Apply a narrow scope to a SAS", + "waf": "Security" }, { - "category": "Planning", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.", - "guid": "070db19b-8a2a-fd6a-c39b-4488d8780da9", - "link": "Please Check Partner Ecosystem", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. 
", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Pre-deployment", - "text": "3rd party application compatibility ", - "waf": "Reliability" + "text": "Consider scoping SAS to a specific client IP address, wherever possible", + "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", - "guid": "70cfbddc-d3d4-9188-77c8-1cabaefef646", - "link": "General recommendation for storing encryption keys.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", "services": [ - "AVS", - "AKV" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Encryption", - "text": "Use Azure Key Vault with in-guest encryption ", + "severity": "Low", + "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)", - "guid": "c1a81638-18df-0ce9-a73a-4b9a8a8dd392", - "link": "https://docs.microsoft.com/azure/azure-vmware/concepts-storage#data-at-rest-encryption", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", "services": [ - "SQL", - "AVS" + "Entra", + "RBAC", + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Encryption", - "text": "Use in-guest encryption", + "severity": "High", + "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", - "guid": "8d0a8f51-8d35-19cd-c2fe-4e3512fb467e", - "link": "https://docs.microsoft.com/azure/key-vault/general/authentication", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "services": [ - "ExpressRoute", - "AVS", - "AKV" + "WAF" ], "severity": "Medium", - "subcategory": "Encryption", - "text": "Keyvault use for secrets", + "text": "SFTP: 
The SFTP endpoint does not support POSIX-like ACLs.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Older OS security patching configured for workloads running on Azure VMware Solution are eligible for ESU", - "guid": "4f8b20e9-a2a1-f80f-af9b-8aa3b26dca08", - "link": "https://docs.microsoft.com/windows-server/get-started/extended-security-updates-deploy", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "AzurePolicy", + "WAF" ], - "severity": "Medium", - "subcategory": "Extended support", - "text": "Ensure extended security update support ", + "severity": "High", + "text": "Avoid overly broad CORS policies", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Use a SIEM/SOAR", - "guid": "9bb22fec-4d00-3b95-7136-e225d0f5c63a", - "link": "https://learn.microsoft.com/azure/sentinel/overview", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. 
Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "services": [ - "Sentinel", - "AVS" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Investigation", - "text": "Enable Azure Sentinel or 3rd party SIEM ", + "severity": "High", + "text": "Determine how data at rest should be encrypted. Understand the thread model for data.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "MS Defender For Cloud, for workloads running on Azure VMware Solution", - "guid": "f42b0b09-c591-238a-1580-2de3c485ebd2", - "link": "https://learn.microsoft.com/azure/azure-vmware/azure-security-integration#prerequisites", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "services": [ - "AVS", - "Defender" + "WAF" ], "severity": "Medium", - "subcategory": "Security", - "text": "Enable Advanced Threat Detection ", + "text": "Determine which/if platform encryption should be used.", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Are the applicable policies enabled (compliance baselines added to MDfC)", - "guid": "bcdd2348-3d0e-c6bb-1092-aa4cd1a66d6b", - "link": "https://docs.microsoft.com/azure/azure-vmware/azure-security-integration", + 
"arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "services": [ - "AzurePolicy", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Security", - "text": "Policy & Regulatory Compliance", + "text": "Determine which/if client-side encryption should be used.", "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Azure to Azure (E/W), Azure to On-premises), AVS to Internet, AVS to Azure", - "guid": "607c1ca9-da92-ae19-5a4c-eb1e876acbe7", - "link": "https://techcommunity.microsoft.com/t5/azure-migration-and/firewall-integration-in-azure-vmware-solution/ba-p/2254961#:~:text=Azure%20VMware%20Solution%20customers%20have%20multiple%20security%20options,the%20box%20to%20provide%20East-West%20and%20North-South%20firewalling.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Firewalls", - "text": "Azure / 3rd party firewall", + "severity": "High", + "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. 
", "waf": "Security" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "To allow HCX appliance to connect/sync", - "guid": "1d87925c-c02b-7fde-a425-7e95ad846a27", - "link": "https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws-networking-security/GUID-2CFE1654-9CC9-4EDB-A625-21317299E559.html", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Firewalls", - "text": "Firewalls allow for East/West traffic inside AVS", - "waf": "Security" + "severity": "High", + "text": "Leverage a storagev2 account type for better performance and reliability", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Decision on which tool to use (SRM requires additional license - enables automation & other features)", - "guid": "468b3495-2f6e-b65a-38ef-3ba631bcaa46", - "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-B842696B-89EF-4183-9C73-B77157F56055.html", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", "services": [ - "AVS" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Networking", - "text": "HCX and/or SRM", + "severity": "High", + "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Read up on requirements for Service Mesh 
requirements and how HCX ", - "guid": "be2ced52-da08-d366-cf7c-044c19e29509", - "link": "https://docs.vmware.com/en/VMware-HCX/4.6/hcx-user-guide/GUID-76BCD059-A31A-4041-9105-ACFB56213E7C.html", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Azure Storage", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Configuring and Managing the HCX Interconnect", + "text": "For write operation after failover, use customer-Managed Failover ", "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "If you are planning on using stretch networks ensure that your on-premises environment requirements", - "guid": "7dcac579-fc5c-5c9c-f1f7-9b1149ff2c37", - "link": "https://docs.vmware.com/en/VMware-HCX/4.2/hcx-user-guide/GUID-DBDB4D1B-60B6-4D16-936B-4AC632606909.html", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Azure Storage", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Restrictions and limitations for network extensions", - "waf": "Performance" + "text": "Understand Microsoft-Managed Failover details", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Do workloads require MoN?", - "guid": "cf45c0b9-6c4b-3bfb-86c5-62fe54061c73", - "link": "https://learn.microsoft.com/azure/azure-vmware/vmware-hcx-mon-guidance", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + 
"guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Azure Storage", "services": [ - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Networking", - "text": "Mobility optimized networking", - "waf": "Performance" + "text": "Enable Soft Delete", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Operating system level of Vmware environment", - "guid": "b7cf11f3-b12e-5189-991a-06df5250d2ca", - "link": "https://learn.microsoft.com/azure/site-recovery/vmware-physical-azure-support-matrix", + "arm-service": "Microsoft.Compute/virtualMachineScaleSets", + "checklist": "WAF checklist", + "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", + "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", + "service": "VMSS", "services": [ - "AVS" + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "On-premises pre-requisites", - "text": "Support matrix (OS versions etc).", - "waf": "Operations" + "severity": "Low", + "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Required that all switches are dynamic", - "guid": "45fe9252-aa1b-4e30-45c6-bc02f3b76acf", - "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/vsan-network-design-guide/GUID-91E1CD6F-33A6-4AC6-BC22-3E4807296F86.html#:~:text=Migrate%20Management%20Network%201%20Add%20hosts%20to%20the,each%20host.%20...%204%20Finish%20the%20configuration.%20", + "arm-service": "Microsoft.Compute/virtualMachines", + 
"checklist": "WAF checklist", + "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", + "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", + "service": "VM", "services": [ - "AVS" + "Backup", + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "On-premises pre-requisites", - "text": "Standard switches converted to dynamic switches", - "waf": "Operations" + "severity": "High", + "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "See sections on sizing and capacity in the link.", - "guid": "e9f6d736-ee44-e2ac-e7f9-e361f8c857f3", - "link": "https://learn.microsoft.com/azure/azure-vmware/plan-private-cloud-deployment", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", + "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "VM", "services": [ - "AVS" + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "On-premises pre-requisites", - "text": "Capacity for HCX appliance", - "waf": "Performance" + "severity": "High", + "text": "Use Premium or Ultra disks for production VMs", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Check hardware restrictions to ensure compatibility with AVS/OS ", - "guid": "1be2cdd6-15a7-9a33-aea7-113859035ce9", - "link": 
"https://kb.vmware.com/s/article/2007240#:~:text=ESXi%2FESX%20hosts%20and%20compatible%20virtual%20machine%20hardware%20versions,%20Not%20Supported%20%204%20more%20rows", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", + "guid": "b31e38c3-f298-412b-8363-cffe179b599d", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", + "service": "VM", "services": [ - "AVS" + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "On-premises pre-requisites", - "text": "Hardware compatibility", - "waf": "Operations" + "severity": "High", + "text": "Ensure Managed Disks are used for all VMs", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Need to be converted", - "guid": "16ab821a-27c6-b6d3-6042-10dc4d6dfcb7", - "link": "https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-01D3CF47-A84A-4988-8103-A0487D6441AA.html", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. 
Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", + "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", + "service": "VM", "services": [ + "SQL", "Storage", - "AVS" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "VSAN RDM disks are converted - not supported.", - "waf": "Operations" + "text": "Do not use the Temp disk for anything that is not acceptable to be lost", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Need to be converted", - "guid": "eb2f9313-afb2-ab35-aa24-6d97a3cb0611", - "link": "3rd-Party tools", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", + "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "VM", "services": [ + "ACR", "Storage", - "AVS", - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "VM with SCSI shared bus are not supported", - "waf": "Operations" + "text": "Leverage Availability Zones for your VMs in regions where they are supported", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Remove Direct IO before migration", - "guid": "3f2a5cff-c8a6-634a-1f1b-53ef9d321381", - "link": "Contact VMware", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", + "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", 
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "VM", "services": [ - "Storage", - "AVS", - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "VM with Direct IO require removing DirectPath device", - "waf": "Operations" + "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Cannot migrate clusters ", - "guid": "efc8a311-74f8-0252-c6a0-4bac7610e266", - "link": "Contact VMware", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", + "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "VM", "services": [ - "Storage", - "AVS" + "VM", + "ASR", + "WAF" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Shared VMDK files are not supported", - "waf": "Operations" + "severity": "High", + "text": "Avoid running a production workload on a single VM", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Convert to a different format", - "guid": "ab6c89cd-a26f-b894-fe59-61863975458e", - "link": "Contact VMware", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", + "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + 
"service": "VM", "services": [ - "Storage", - "AVS" + "AVS", + "VM", + "ASR", + "WAF" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "RDM with 'physical compatibility mode' are not supported.", - "waf": "Operations" + "severity": "High", + "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning 'RAID-1 FTT-1' is default with Thin Provisioning", - "guid": "7628d446-6b10-9678-9cec-f407d990de43", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", + "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", + "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", + "service": "VM", "services": [ - "Storage", - "AVS", - "AzurePolicy", - "VM" + "WAF" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Default storage policy", - "waf": "Operations" + "severity": "Low", + "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "The default storage policy is set to RAID-1 (Mirroring) FTT-1, with Object Space Reservation set to Thin provisioning.", - "guid": "37fef358-7ab9-43a9-542c-22673955200e", - "link": "https://learn.microsoft.com/azure/azure-vmware/configure-storage-policy", + "arm-service": "Microsoft.Compute/virtualMachines", + 
"checklist": "WAF checklist", + "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", + "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", + "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", + "service": "VM", "services": [ - "Storage", - "AVS", - "AzurePolicy", - "VM" + "VM", + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Ensure that the appropriate VM template storage policy is used", - "waf": "Operations" + "text": "Increase quotas in DR region before testing failover with ASR", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs", - "guid": "ebebd109-9f9d-d85e-1b2f-d302012843b7", - "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", + "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", + "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", + "service": "VM", "services": [ - "AzurePolicy", - "AVS", - "Storage" + "VM", + "WAF" ], - "severity": "Medium", - "subcategory": "Storage", - "text": "Failure to tolerate policy", - "waf": "Operations" + "severity": "Low", + "text": "Utilize Scheduled Events to prepare for VM maintenance", + "waf": "Reliability" }, { - "category": "VMware", - "checklist": "Azure VMware Solution Implementation Checklist", - "description": "ANF can be used to extend storage for Azure VMware Solution,", - "guid": "1be821bd-4f37-216a-3e3d-2a5ac6996863", - "link": "https://learn.microsoft.com/azure/azure-vmware/netapp-files-with-azure-vmware-solution", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", + "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", "services": [ "Storage", - "AVS" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", - "text": "Use ANF for external storage", - "waf": "Operations" - }, - { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "65285269-440c-44be-9d3e-0844276d4bdc", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foudations-playbooks-ADB_v1.docx", - "services": [], - "severity": "High", - "subcategory": "Best Practices", - "text": "Reference Databricks HA/DR playbook", + "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "89d558b9-37d3-4974-b111-2dbd7aaf12e6", - "link": "https://learn.microsoft.com/azure/databricks/security/secrets/secret-scopes", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", + "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "services": [ - "Backup" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Backup Your Workspace Configuration including ARM templates and Secret Scopes", + "severity": "Low", + "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", "waf": "Reliability" }, { - 
"category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "b94ee5ef-47d2-4d92-a81b-1cd6d1f54b29", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/sharing-metadata-across-different-databricks-workspaces-using/ba-p/3679757", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", + "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "services": [ - "ACR", - "Backup" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Share MetaData Across different Databricks Workspaces using Hive External Metastore", + "severity": "Low", + "text": "Enable soft delete for Storage Account Containers", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "769e3969-0e78-428a-a936-657d03b0f466", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/disaster-recovery-strategy-in-azure-databricks-using-the-hive/ba-p/3684581", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", + "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "services": [ - "Backup", - "ASR" + "Storage", + "WAF" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Plan Disaster Recovery Strategy in Databricks using the Hive External Metastore", + "severity": 
"Low", + "text": "Enable soft delete for blobs", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "4b1d944a-3598-437e-b79d-6c6d3a364a5b", - "link": "https://www.databricks.com/blog/2021/04/20/attack-of-the-delta-clones-against-disaster-recovery-availability-complexity.html", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", + "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", + "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", + "service": "Azure Backup", "services": [ - "Backup" + "Backup", + "WAF" ], "severity": "Medium", - "subcategory": "Backup", - "text": "Backup your data with deep and shallow clones", + "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "description": "Download the blob using Secondary Endpoint in RAGRS Storage Account", - "guid": "7abae48a-bd54-4cd7-ae2e-86768357c559", - "link": "https://techcommunity.microsoft.com/t5/azure-paas-blog/download-the-blob-using-secondary-endpoint-in-ragrs-storage/ba-p/2403750", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", + "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", + "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", + "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", + "service": "Azure Backup", "services": [ - "Storage", - "Backup" + "Backup", + 
"WAF" ], - "severity": "Medium", - "subcategory": "Backup", - "text": "Backup your data to Azure Storage RA-GRS", + "severity": "Low", + "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "675c5ee8-5b85-49c7-944c-e3b1a28b875a", - "link": "https://learn.microsoft.com/azure/databricks/dev-tools/index-ci-cd", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", + "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", + "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", + "service": "Azure Backup", "services": [ - "Backup" + "Storage", + "Backup", + "WAF" ], - "severity": "High", - "subcategory": "Backup", - "text": "Backup your code with DevOps", + "severity": "Low", + "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "a1bf1038-9f03-4a4d-8ce4-63dbbbc8682a", - "link": "https://learn.microsoft.com/azure/databricks/administration-guide/disaster-recovery", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "WAF checklist", + "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS 
Private Resolvers in multiple regions. By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", + "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", + "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", + "service": "DNS", "services": [ - "ASR" + "DNS", + "ACR", + "ASR", + "WAF" ], - "severity": "High", - "subcategory": "Disaster Recovery", - "text": "Plan for Disaster recovery using Active/Active or Active/Passive Configuration", + "severity": "Low", + "text": "Implement DNS Failover using Azure DNS Private Resolvers", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "description": "Migration package to log all Databricks resources for backup and/or migrating to another Databricks workspace", - "guid": "5abc92a4-eda1-4dae-8cc8-5c47c6b781cc", - "link": "https://github.com/databrickslabs/migrate", + "arm-service": "Microsoft.PowerBI/gateways", + "checklist": "WAF checklist", + "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", + "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", + "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", + "service": "Data Gateways", "services": [ - "Backup" + "ACR", + "WAF" ], "severity": "Medium", - "subcategory": "Migration", - "text": "Use Databricks Migration tools", + "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "DataBricks Review Checklist", - "guid": "a0e6c465-89d5-458b-a37d-3974d1112dbd", - "link": "https://github.com/databrickslabs/databricks-sync", - "services": [], - "severity": "Low", - "subcategory": "Migration", - "text": "Use Databricks Sync", + 
"arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", + "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", + "services": [ + "NVA", + "WAF" + ], + "severity": "High", + "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", "service": "Front Door", "services": [ + "AKV", "FrontDoor", - "AKV" + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. 
Reduce the risk of outages caused by manual certificate renewal", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", - "guid": "b71ca41b-3a80-48f3-a6cd-22cdf197c1cf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "services": [], - "severity": "Medium", - "subcategory": "App delivery", - "text": "Perform app delivery within landing zones for both internal-facing (corp) and external-facing apps (online).", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" - }, - { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", "guid": "553585a6-abe0-11ed-afa1-0242ac120002", "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", "service": "App Gateway", "services": [ - "AppGW" + "AppGW", + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Ensure you are using Application Gateway v2 SKU", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "WAF checklist", "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", 
"service": "Load Balancer", "services": [ - "LoadBalancer" + "LoadBalancer", + "WAF" ], "severity": "Medium", - "subcategory": "Load Balancer", "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "WAF checklist", "guid": "9432621a-8397-4654-a882-5bc856b7ef83", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", "service": "Load Balancer", "services": [ - "LoadBalancer" + "LoadBalancer", + "WAF" ], "severity": "Medium", - "subcategory": "Load Balancer", "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", "service": "App Gateway", 
"services": [ + "VNet", "AppGW", - "VNet" + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "App Gateway", "services": [ + "Entra", "AppGW", "NVA", + "Subscriptions", "VNet", - "Entra", - "WAF", - "Subscriptions" + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "App Gateway", "services": [ - "DDoS" + "DDoS", + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in 
application landing zones.", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", "service": "App Gateway", - "services": [], + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Configure autoscaling with a minimum amount of instances of two.", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", "service": "App Gateway", "services": [ "ACR", - "AppGW" + "AppGW", + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Deploy Application Gateway across Availability Zones", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + 
"checklist": "WAF checklist", "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "Front Door", "services": [ + "FrontDoor", "AzurePolicy", - "WAF", - "FrontDoor" + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "3f29812b-2363-4cef-b179-b599de0d5973", "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", "service": "Front Door", "services": [ - "AzurePolicy", + "FrontDoor", "AppGW", - "WAF", - "FrontDoor" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "App delivery", "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "WAF checklist", "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "Traffic Manager", "services": [ - "TrafficManager" + "TrafficManager", + "WAF" ], "severity": "High", - "subcategory": "Traffic Manager", "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "checklist": "WAF checklist", "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "Entra", "services": [ + "Entra", "AVD", - "Entra" + "WAF" ], "severity": "Low", - "subcategory": "App delivery", "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "checklist": "WAF checklist", "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "Entra", "services": [ - "Entra" + "Entra", + "WAF" ], "severity": 
"Medium", - "subcategory": "App delivery", "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", "guid": "ae248989-b306-4591-9186-de482e3f0f0e", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", "service": "Front Door", "services": [ + "FrontDoor", "AzurePolicy", - "WAF", - "FrontDoor" + "WAF" ], "severity": "High", - "subcategory": "Front Door", "text": "Deploy your WAF policy for Front Door in 'Prevention' mode.", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", "service": "Front Door", "services": [ + 
"TrafficManager", "FrontDoor", - "TrafficManager" + "WAF" ], "severity": "High", - "subcategory": "Front Door", "text": "Avoid combining Azure Traffic Manager and Azure Front Door.", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", "service": "Front Door", "services": [ - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "Front Door", "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", "service": "Front Door", "services": [ - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Low", - 
"subcategory": "Front Door", "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", "service": "Front Door", "services": [ - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", "service": "Front Door", "services": [ - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Low", - "subcategory": "Front Door", "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", "waf": "Performance" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "WAF checklist", "graph": "resources | where 
type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", "service": "Load Balancer", "services": [ - "LoadBalancer" + "LoadBalancer", + "WAF" ], "severity": "High", - "subcategory": "Load Balancer", "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", "waf": "Reliability" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", "service": "Front Door", "services": [ + "AKV", "Cost", "FrontDoor", - "AKV" + "WAF" ], "severity": "High", - "subcategory": "Front Door", "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", "waf": "Operations" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", "service": "Front Door", "services": [ - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "Front Door", "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", "service": "Front Door", "services": [ - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", "text": "Use HTTP to HTTPS redirection with Azure Front Door. 
Support older clients by redirecting them to an HTTPS request automatically.", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "Front Door", "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "Front Door", "text": "Tune the Azure Front Door WAF for your workload. 
Reduce false positive detections.", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", "service": "Front Door", "services": [ + "FrontDoor", "AzurePolicy", - "WAF", - "FrontDoor" + "WAF" ], "severity": "High", - "subcategory": "Front Door", "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "Front Door", "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", - "subcategory": "Front Door", "text": "Enable the Azure Front Door WAF bot protection rule set. 
The bot rules detect good and bad bots.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "b9620385-1cde-418f-914b-a84a06982ffc", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", "service": "Front Door", "services": [ - "FrontDoor" + "WAF" ], "severity": "Low", - "subcategory": "Front Door", "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "00acd8a9-6975-414f-8491-2be6309893b8", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", "service": "Front Door", "services": [ - "WAF", - 
"FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", 
@@ -35905,31 +33603,29 @@ "WAF" ], "severity": "High", - "subcategory": "App Gateway", "text": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots.", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", "service": "App Gateway", "services": [ - "AzurePolicy", "AppGW", + "AzurePolicy", "WAF" ], "severity": "High", - "subcategory": "App Gateway", "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", "service": "App Gateway", 
@@ -35938,31 +33634,29 @@ "WAF" ], "severity": "High", - "subcategory": "App Gateway", "text": "Tune the Azure Application Gateway WAF for your workload. Reduce false positive detections.", "waf": "Security" }, { "ammp": true, - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", "service": "App Gateway", "services": [ - "AzurePolicy", "AppGW", + "AzurePolicy", "WAF" ], "severity": "High", - "subcategory": "App Gateway", "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", "service": "App Gateway", 
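Review bot: Item baf8e317 ("Deploy your WAF policy for Application Gateway in 'Prevention' mode") now carries `"arm-service": "microsoft.network/applicationGateways"`, yet its `graph` query enumerates `microsoft.network/frontdoorwebapplicationfirewallpolicies` and projects Front Door profile ids, and its `link` points at the Front Door policy-settings page, so the compliance check can never evaluate an Application Gateway WAF policy. The query should target `microsoft.network/applicationgatewaywebapplicationfirewallpolicies` and test `properties.policySettings.mode == 'Prevention'` (presumably together with the policy's enabled state), in the same shape as the bot-manager query used by item 2f8e81eb earlier in this file, and the link should reference the Application Gateway WAF policy documentation. The graph and link lines are unchanged by this commit, but the new arm-service tag makes the mismatch load-bearing if the tag is used to scope the query results.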
@@ -35971,13 +33665,12 @@ "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", "service": "App Gateway", 
@@ -35986,25 +33679,25 @@ "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "99937189-ff78-492a-b9ca-18d828d82b37", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", "service": "App Gateway", - "services": [], + "services": [ + "WAF" + ], "severity": "Low", - "subcategory": "App Gateway", "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", "service": "App Gateway", 
@@ -36013,13 +33706,12 @@ "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", "service": "App Gateway", @@ -36028,13 +33720,12 @@ "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", "service": "App Gateway", 
@@ -36043,28 +33734,26 @@ "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", "text": "Add diagnostic settings to save your Azure Front Door WAF logs.", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "92664c60-47e3-4591-8b1b-8d557656e686", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", "service": "App Gateway", 
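Review bot: The new `"arm-service": "microsoft.network/frontdoors"` on item 4cea4050 (and on the Front Door items in the next two hunks and the hunk ending at the "Use Application Gateway for native support for WebSocket" item) is the resource type of Front Door (classic); Front Door Standard/Premium profiles, which the linked best-practices and origin-security pages primarily describe, are `Microsoft.Cdn/profiles`, and the WAF policy these items discuss is `microsoft.network/frontdoorwebapplicationfirewallpolicies`. If the tag drives resource matching, Standard/Premium deployments will be missed, so either the value should be the Cdn profile type or the matching layer needs to accept both. It would help to state in the file's documentation which tier `arm-service` is meant to identify.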
@@ -36074,29 +33763,27 @@ "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "845f5f91-9c21-4674-a725-5ce890850e20", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", "service": "Front Door", "services": [ "Sentinel", - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", "service": "App Gateway", @@ -36105,13 +33792,12 @@ "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", "service": "App Gateway", 
@@ -36120,56 +33806,56 @@ "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Use WAF Policies instead of the legacy WAF configuration.", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", "service": "App Gateway", "services": [ + "AppGW", "VPN", "ExpressRoute", - "AppGW", - "VNet" + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", "service": "Front Door", "services": [ - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Front Door", "text": "Make sure your origins only take traffic from your Azure Front Door instance.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", "service": "App Gateway", - "services": [], + "services": [ + "WAF" + ], "severity": "High", - "subcategory": "App Gateway", "text": "You should encrypt traffic to the backend servers.", "waf": "Security" }, { - "category": "Network Topology 
and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", "service": "App Gateway", 
@@ -36177,408 +33863,408 @@ "WAF" ], "severity": "High", - "subcategory": "App Gateway", "text": "You should use a Web Application Firewall.", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", "service": "App Gateway", - "services": [], + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Redirect HTTP to HTTPS", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", "service": "App Gateway", - "services": [], + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", "service": "App Gateway", - "services": [], + "services": [ + "WAF" + ], "severity": "High", - "subcategory": "App Gateway", "text": "Enable connection draining during planned service updates to prevent connection loss to existing membrs of the backend pool", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": 
"Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", "service": "App Gateway", - "services": [], + "services": [ + "WAF" + ], "severity": "Low", - "subcategory": "App Gateway", "text": "Create custom error pages to display a personalized user experience", "waf": "Operations" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", "service": "App Gateway", - "services": [], + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", "service": "App Gateway", "services": [ - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "29dcc19f-a8fa-4c35-8281-290577538793", "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "service": "App Gateway", - "services": [], + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Use transport layer load balancing", "waf": "Performance" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", "service": "App Gateway", - "services": [], + "services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", "service": "App Gateway", "services": [ - "Entra" + "Entra", + "WAF" ], "severity": "Medium", - "subcategory": "App Gateway", "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", "waf": "Security" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Application Delivery Networking", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "WAF checklist", "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", "service": "App Gateway", "services": [ - "AppGW" + "AppGW", + "WAF" ], "severity": "Low", - "subcategory": "App Gateway", "text": "Use Application Gateway for native support for WebSocket and 
HTTP/2 protocols", "waf": "Security" }, { - "category": "Operations Management", - "checklist": "PostgreSQL Review Checklist", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "WAF checklist", "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", "service": "PostgreSQL", "services": [ - "SQL" + "WAF" ], "severity": "Medium", - "subcategory": "Best Practices", "text": "Leverage Flexible Server", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "PostgreSQL Review Checklist", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "WAF checklist", "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", "service": "PostgreSQL", "services": [ - "SQL" + "WAF" ], "severity": "High", - "subcategory": "Best Practices", "text": "Leverage Availability Zones where regionally applicable", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "PostgreSQL Review Checklist", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "WAF checklist", "guid": "31b67c67-be59-4519-8083-845d587cb391", "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", "service": "PostgreSQL", "services": [ - "SQL" + "WAF" ], "severity": "Medium", - "subcategory": "Best Practices", "text": "Leverage cross-region read replicas for BCDR", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure Data Factory Review Checklist", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "WAF checklist", "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", "service": "Azure Data Factory", - "services": [], + 
"services": [ + "WAF" + ], "severity": "Medium", - "subcategory": "Best Practices", "text": "Leverage FTA Resiliency Playbook for Azure Data Factory", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure Data Factory Review Checklist", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "WAF checklist", "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", "service": "Azure Data Factory", - "services": [], + "services": [ + "WAF" + ], "severity": "High", - "subcategory": "Availablity Zone", "text": "Use zone redundant pipelines in regions that support Availability Zones", "waf": "Reliability" }, { - "category": "Operations Management", - "checklist": "Azure Data Factory Review Checklist", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "WAF checklist", "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", "link": "https://learn.microsoft.com/azure/data-factory/source-control", "service": "Azure Data Factory", "services": [ - "Backup" + "Backup", + "WAF" ], "severity": "Medium", - "subcategory": "DevOps Integration", "text": "Use DevOps to Backup the ARM templates with Github/Azure DevOps integration ", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Data Factory Review Checklist", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "WAF checklist", "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", "service": "Azure Data Factory", "services": [ - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Network", "text": "Make sure you replicate the Self-Hosted Integration Runtime VMs in another region ", "waf": "Reliability" }, { - "category": "Network Topology and Connectivity", - "checklist": "Azure Data 
Factory Review Checklist", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "WAF checklist", "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", "service": "Azure Data Factory", "services": [ - "VNet" + "VNet", + "WAF" ], "severity": "Medium", - "subcategory": "Network", "text": "Make sure you replicate or duplicate your network in the sister region. You have to make a copy of your Vnet in another region", "waf": "Reliability" }, { - "category": "Governance and Security", - "checklist": "Azure Data Factory Review Checklist", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "WAF checklist", "description": "If your ADF Pipelines use Key Vault you don't have to do anything to replicate Key Vault. Key Vault is a managed service and Microsoft takes care of it for you", "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", "service": "Azure Data Factory", "services": [ - "AKV" + "AKV", + "WAF" ], "severity": "Low", - "subcategory": "Integration", "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", "waf": "Reliability" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Disable image export to prevent data exfiltration. 
Note that this will prevent image import of images into another ACR instance.", "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", "service": "ACR", "services": [ - "ACR" + "ACR", + "WAF" ], "severity": "High", - "subcategory": "Data Protection", "text": "Disable Azure Container Registry image export", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", "service": "ACR", "services": [ + "ACR", "AzurePolicy", - "ACR" + "WAF" ], "severity": "High", - "subcategory": "Data Protection", "text": "Enable Azure Policies for Azure Container Registry", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. 
The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", "guid": "d345293c-7639-4637-a551-c5c04e401955", "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", "service": "ACR", "services": [ + "AKV", "ACR", - "AKV" + "WAF" ], "severity": "High", - "subcategory": "Data Protection", "text": "Sign and Verify containers with notation (Notary v2)", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", "service": "ACR", "services": [ "ACR", - "AKV" + "AKV", + "WAF" ], "severity": "Medium", - "subcategory": "Data Protection", "text": "Encrypt registry with a customer managed key", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", "service": "ACR", "services": [ + "Entra", "RBAC", "ACR", - "Entra" + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Control", "text": "Use Managed Identities to connect instead of Service Principals", "waf": "Security" }, 
{ - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "The local Administrator account is disabled by default and should not be enabled. Use either Token or RBAC-based access methods instead", "guid": "be0e38ce-e297-411b-b363-caaab79b198d", "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", "service": "ACR", "services": [ "RBAC", - "ACR", - "Entra" + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Control", "text": "Disable local authentication for management plane access", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", "service": "ACR", "services": [ + "Entra", "RBAC", "ACR", - "Entra" + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Control", "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Disable anonymous pull/push access", "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", "service": "ACR", "services": [ - "ACR", - "Entra" + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Control", "text": "Disable 
Anonymous pull access", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Token authentication doesn't support assignment to an AAD principal. Any tokens provided are able to be used by anyone who can access the token", "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", "service": "ACR", "services": [ - "ACR", - "Entra" + "Entra", + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Control", "text": "Disable repository-scoped access tokens", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", "service": "ACR", 
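Review bot: Adding `"WAF"` to `services` on the PostgreSQL, Data Factory and Container Registry items conflates the Well-Architected Framework checklist tag with the Web Application Firewall service tag used by the Front Door and Application Gateway items above, and in several places it replaces a real service tag instead of extending it: `"SQL"` disappears from all three PostgreSQL items, and be0e38ce and e338997e lose `"ACR"` and `"Entra"`, so a consumer filtering by service will no longer find them. Since membership is already carried by `"checklist": "WAF checklist"`, the `services` arrays should keep their previous entries, e.g. `"services": ["RBAC", "ACR", "Entra"]` for be0e38ce. Separately, `"arm-service": "Microsoft.DBforPostgreSQL/servers"` is the single-server type while the text and links refer to Flexible Server (`Microsoft.DBforPostgreSQL/flexibleServers`), and `Microsoft.DataFactory/datafactories` does not match the current `Microsoft.DataFactory/factories` type. Casing is also mixed across the new `arm-service` values (`microsoft.network/applicationGateways` against `Microsoft.DBforPostgreSQL/...`), which matters if any consumer compares them case-sensitively; normalising to one form would avoid that.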
@@ -36586,1398 +34272,1288 @@ "PrivateLink", "EventHubs", "ACR", - "Entra" + "WAF" ], "severity": "High", - "subcategory": "Identity and Access Control", "text": "Deploy images from a trusted environment", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Only tokens with an ACR audience can be used for authentication. Used when enabling Conditional access policies for ACR", "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", "service": "ACR", "services": [ - "AzurePolicy", + "Entra", "ACR", - "Entra" + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Identity and Access Control", "text": "Disable Azure ARM audience tokens for authentication", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.", "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", "service": "ACR", "services": [ - "Monitor", + "Entra", "ACR", - "Entra" + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "Logging and Monitoring", "text": "Enable diagnostics logging", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", "service": "ACR", "services": [ - "Firewall", - "ACR", + "PrivateLink", "VNet", - "PrivateLink" + "Firewall", + "WAF" ], "severity": "Medium", - "subcategory": "Network Security", "text": "Control inbound network access with Private Link", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Disable public network access if inbound network access is secured using Private Link", "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", "service": "ACR", "services": [ - "ACR", - "PrivateLink" + "PrivateLink", + "WAF" ], "severity": "Medium", - "subcategory": "Network Security", "text": "Disable Public Network access", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": 
"microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Only the ACR Premium SKU supports Private Link access", "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", "service": "ACR", "services": [ + "PrivateLink", "ACR", - "PrivateLink" + "WAF" ], "severity": "Medium", - "subcategory": "Network Security", "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities", "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", "service": "ACR", "services": [ "ACR", - "Defender" + "Defender", + "WAF" ], "severity": "Low", - "subcategory": "Network Security", "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", "service": "ACR", "services": [ - "ACR" + "WAF" ], "severity": "Medium", - "subcategory": "Vulnerability Management", "text": "Deploy validated container images", "waf": "Security" }, { - "category": "Security", - "checklist": "Azure Container Registry Security Review", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "WAF checklist", "description": "Use the latest versions of 
supported platforms, programming languages, protocols, and frameworks.", "guid": "4e401955-387e-45ce-b126-cd132af5b20c", "service": "ACR", "services": [ - "ACR" + "WAF" ], "severity": "High", - "subcategory": "Vulnerability Management", "text": "Use up-to-date platforms, languages, protocols and frameworks", "waf": "Security" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Insights/components", + "checklist": "WAF checklist", "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", "service": "Azure Monitor", "services": [ - "Cost", - "Monitor" + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "Azure Monitor - enforce data collection rules", "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", "training": "https://azure.microsoft.com/pricing/reservations/", "waf": "Cost" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", "guid": "45901365-d38e-443f-abcb-d868266abca2", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", "service": "Azure Backup", "services": [ - "Cost", - "Backup" + "Backup", + "WAF" ], "severity": "Medium", - "subcategory": "Backup", "text": "check backup instances with the underlying datasource not found", "waf": "Cost" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", "service": "VM", "services": [ - "Cost" + "WAF" ], "severity": 
"Medium", - "subcategory": "Delete/archive", "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", "waf": "Cost" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "659d3958-fd77-4289-a835-556df2bfe456", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Delete/archive", - "text": "Consider snooze and stop technique (snooze a service after x days, stop after 2x, delete/deallocate after 3x)", - "waf": "Cost" - }, - { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "3b0d834a-3487-426d-b69c-6b5c2a26494b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "services": [ - "Cost", - "Storage", - "Backup" - ], - "severity": "Medium", - "subcategory": "Delete/archive", - "text": "Delete or archive unused resources (old backups, logs, storage accounts, etc...)", - "waf": "Cost" - }, - { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "service": "Azure Backup", "services": [ - "Cost", "Storage", "Backup", - "ASR" + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "Delete/archive", "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", "waf": "Cost" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Insights/components", + "checklist": "WAF 
checklist", "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", "service": "Azure Monitor", "services": [ - "Cost", - "Monitor" + "Monitor", + "WAF" ], "severity": "Medium", - "subcategory": "Log Analytics retention for workspaces", "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", "waf": "Cost" }, { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", - "services": [ - "Cost", - "Storage", - "AzurePolicy" - ], - "severity": "Medium", - "subcategory": "Policy", - "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Cost" - }, - { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "59bb91a3-ed90-4cae-8cc8-4c37b6b780cb", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "services": [ - "Cost" - ], - 
"severity": "Medium", - "subcategory": "Run orphaned resources workbook - delete or snooze ghost items", - "text": "https://github.com/dolevshor/azure-orphan-resources", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets", - "waf": "Cost" - }, - { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "9fe5c464-89d4-457a-a27c-3874d0102cac", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Shutdown/deallocate", - "text": "Shutdown underutilized instances", - "training": "https://learn.microsoft.com/azure/cost-management-billing/understand/analyze-unexpected-charges", - "waf": "Cost" - }, - { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "services": [ - "Cost", - "Storage", - "Backup", - "VM" - ], - "severity": "Medium", - "subcategory": "stopped/deallocated VMs: check disks", - "text": "Check that the disks are really needed, if not: delete. 
If they are needed, find lower storage tiers or use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Cost" - }, - { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "services": [ - "Cost", - "Storage", - "AzurePolicy" - ], - "severity": "Medium", - "subcategory": "storage accounts lifecycle policy", - "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Cost" - }, - { - "category": "Cleanup", - "checklist": "Cost Optimization Checklist", - "guid": "f2bfe456-3b0d-4834-a348-726de69c6b5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Tagging", - "text": "Use specific tags for temporary items with 'delete by DATE' format - and automate monthly cleanup", - "waf": "Cost" - }, - { - "category": "DB/App tuning", - "checklist": "Cost Optimization Checklist", - "guid": "2a26494b-69ba-4d37-aad5-3cc78e1d7666", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "DB optimization", - "text": "Plan for db optimization with the intent of downsizing the related services (and improve performance)", - "waf": "Cost" - }, - { - "category": "DB/APP tuning", - "checklist": "Cost Optimization Checklist", - "guid": 
"7357c449-674b-45ed-a5a8-59c7733be2a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "App modernization", - "text": "Modernizing the app towards a microservices architecture will have the effect of letting the app scale according to the single service and not the entire stack", - "waf": "Cost" - }, - { - "category": "DB/APP tuning", - "checklist": "Cost Optimization Checklist", - "guid": "a27b765a-91be-41f3-a8ef-394c2bd463cb", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "services": [ - "Cost", - "Storage", - "VM" - ], - "severity": "Medium", - "subcategory": "DB optimization", - "text": "optimizing the DB queries will increase performance and allow better right-sizing of storage and VMs", - "waf": "Cost" - }, - { - "category": "DB/APP tuning", - "checklist": "Cost Optimization Checklist", - "guid": "bac75819-59bb-491a-9ed9-0cae2cc84c37", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Demand shaping", - "text": "Using demand shaping on PaaS services will optimize costs and performances", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "b6b780cb-9fe5-4c46-989d-457a927c3874", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging", - "services": [ - "Cost", - "Entra" - ], - "severity": "Medium", - "subcategory": "Advisor", - "text": "Start from the Azure Advisor page suggestions.", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": 
"d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "services": [ - "Cost", - "VM" - ], - "severity": "Medium", - "subcategory": "Advisor", - "text": "Make sure advisor is configured for VM right sizing ", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "881a1bd5-d1e4-44a1-a659-d3958fd77289", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Automation", - "text": "Consider implementing IaC scripts or devops pipelines to match the cost governance process", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "b835556d-f2bf-4e45-93b0-d834a348726d", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "services": [ - "Cost", - "Monitor" - ], - "severity": "Medium", - "subcategory": "Automation", - "text": "Set up cost alerts for applications that have variable costs (ideally for all of them)", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "e69c6b5c-2a26-4494-a69b-ad37aad53cc7", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Automation", - "text": "Use Azure Automation: Automate repetitive tasks can help you save time and resources, reducing costs in the process. 
", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "8e1d7666-7357-4c44-a674-b5ed85a859c7", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Automation", - "text": "Run orphaned resources workbook", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "733be2a1-a27b-4765-a91b-e1f388ef394c", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "services": [ - "Cost", - "Storage" - ], - "severity": "Medium", - "subcategory": "Baseline", - "text": "Try and establish a baseline of monthly spending and an acceptable saving target against the baseline (new services will not be optimized at this stage)", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "2bd463cb-bac7-4581-a59b-b91a3ed90cae", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "services": [ - "Cost", - "AzurePolicy" - ], - "severity": "Medium", - "subcategory": "Baseline", - "text": "Establish a cost optimization baseline by using a policy that tags every new resource as #NEW", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "2cc84c37-b6b7-480c-a9fe-5c46489d457a", - "link": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management-config", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Baseline", - "text": "Organize resources to maximize cost insights and accountability", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "927c3874-d010-42ca-a6aa-e01e6a84de5d", - "link": 
"https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Budgets", - "text": "Create budgets", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "e36d1d92-881a-41bd-9d1e-44a19659d395", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#identity-and-access-management-in-the-azure-landing-zone-accelerator", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Cost Analysis", - "text": "In cost analysis - use daily granularity, grouped by service name to analyze the spending of the past 3 months and identify the top 3 spenders", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "8fd77289-b835-4556-bf2b-fe4563b0d834", - "link": "https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-staging-server", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Cost Analysis", - "text": "Check daily for cost spikes and anomalies (ideally with automatic billing exports)", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "a348726d-e69c-46b5-a2a2-6494b69bad37", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Cost Analysis", - "text": "Automate cost retrieval for deep analysis or integration", - "waf": "Cost" - }, - { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "aad53cc7-8e1d-4766-9735-7c449674b5ed", - "link": 
"https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "arm-service": "Microsoft.Insights/components", + "checklist": "WAF checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", "services": [ - "Cost", - "ACR" + "Storage", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Free services", - "text": "Take advantage of Azure free services: Azure offers a number of free services, such as DevOps, Azure Container Registry, and Azure Logic Apps, that can help you save costs on development and operations. ", + "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", "waf": "Cost" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "96c96ad8-844c-4f3b-8b38-c886ba2c0214", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", "services": [ - "Cost" + "Storage", + "Backup", + "WAF" ], "severity": "Medium", - "subcategory": "Tagging", - "text": "Tag shared resources", + "text": "Check that the disks are really needed, if not: delete. 
If they are needed, find lower storage tiers or use backup -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", "waf": "Cost" }, { - "category": "Process Administration", - "checklist": "Cost Optimization Checklist", - "guid": "99014a5d-3ce5-474d-acbd-9792a6bcca2b", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", "services": [ - "Cost" + "Storage", + "AzurePolicy", + "WAF" ], "severity": "Medium", - "subcategory": "Tagging", - "text": "Consider using tags to all services for cost allocation", + "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", "waf": "Cost" }, { - "category": "reservations", - "checklist": "Cost Optimization Checklist", - "guid": "4fea1dbf-3dd9-45d4-ac7c-891dcb1f7d57", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", "services": [ - "Cost" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "automation", - "text": "Consider Reservation automation to track and promptly react to changes", + "text": "Make sure advisor is configured for VM right sizing ", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization 
Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "description": "check by searching the Meter Category Licenses in the Cost analysys", "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", "service": "VM", "services": [ + "VM", "Cost", "AzurePolicy", - "SQL", - "VM" + "WAF" ], "severity": "Medium", - "subcategory": "check AHUB is applied to all Windows VMs, RHEL and SQL", "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", "service": "VM", "services": [ - "Cost", - "LoadBalancer" + "LoadBalancer", + "WAF" ], "severity": "Medium", - "subcategory": "Check Red Hat Licences if applicable", "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "a76af4a6-91e8-4839-ada4-6667e13c1056", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "services": [ - "Cost", - "AppSvc" - ], - "severity": "Medium", - "subcategory": "Functions", - "text": "Saving plans will 
provide 17% on select app service plans", - "waf": "Cost" - }, - { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", "service": "VM", "services": [ - "Cost", - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Planning", "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", "service": "VM", "services": [ - "Cost", "ARS", - "VM" + "VM", + "Cost", + "WAF" ], "severity": "Medium", - "subcategory": "Reservations/savings plans", "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "a785c6fe-96c9-46ad-a844-cf3b2b38c886", - "link": "https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Reservations/savings plans", - "text": "Plan for Azure Savings Plans for all the workloads that are dynamic and need maximum flexibility", - "waf": "Cost" - }, - { - "category": "Reservations", - "checklist": "Cost Optimization 
Checklist", - "guid": "ba2c0214-9901-44a5-b3ce-574dccbd9792", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Reservations/savings plans", - "text": "Plan for Azure Reservations for all the workloads that are less dynamic and won't change much", - "waf": "Cost" - }, - { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", "service": "VM", "services": [ - "Cost", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Reserve storage", "text": "Only larger disks can be reserved => 1 TiB -", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", "service": "VM", "services": [ - "Cost", - "VM" + "WAF" ], "severity": "Medium", - "subcategory": "Reserve VMs with normalized and rationalized sizes", "text": "After the right-sizing optimization", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Sql/servers", + "checklist": "WAF checklist", "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", "service": "Azure SQL", "services": [ - "Cost", + "AzurePolicy", "SQL", - "AzurePolicy" + "Cost", + "WAF" ], "severity": "Medium", - "subcategory": "SQL Database AHUB", "text": "Check if applicable and enforce policy/change 
https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", "service": "VM", "services": [ - "Cost", - "SQL", - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "SQL Database Reservations", "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount", "waf": "Cost" }, { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "e13c1056-75c1-4e94-9b45-9837ff7ae7c6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Tracking", - "text": "Make sure you Azure Reservations and Savings plans are close to 100% utilization or make the necessary changes to reach it.", - "waf": "Cost" - }, - { - "category": "Reservations", - "checklist": "Cost Optimization Checklist", - "guid": "d3b475a5-c7ac-4be4-abbe-64dd89f2e877", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations", - "services": [ - "Cost", - "AzurePolicy" - ], - "severity": "Medium", - "subcategory": "Tracking", - "text": "Make sure that your reservations usage is close to 100%. 
If not, either enforce an allowed SKU policy or exchange the reservation", - "waf": "Cost" - }, - { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "78468d55-a785-4c6f-b96c-96ad8844cf3b", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review", - "services": [ - "Cost", - "AzurePolicy" - ], - "severity": "Medium", - "subcategory": "Automation", - "text": "Plan and enforce a On/Off policy for production services, where possible", - "waf": "Cost" - }, - { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "2b38c886-ba2c-4021-9990-14a5d3ce574d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "services": [ - "Cost", - "AzurePolicy" - ], - "severity": "Medium", - "subcategory": "Automation", - "text": "Plan and enforce a On-Demand policy with auto-shutdown for non-production services, where possible", - "waf": "Cost" - }, - { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", "service": "VM", "services": [ - "Cost", - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Autoscale", "text": "Consider using a VMSS to match demand rather than flat sizing", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "WAF checklist", "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", "service": "AKS", "services": [ - 
"Cost", - "AKS" + "AKS", + "WAF" ], "severity": "Medium", - "subcategory": "Autoscale", "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "93665720-2bff-4456-9b0d-934a359c363e", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Autoscale", - "text": "Right-size PaaS service according to average use and accomodate spikes with auto or manual scaling", - "waf": "Cost" - }, - { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "7dd61623-a364-4a90-9eba-e38ead53cc7d", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Autoscale", - "text": "Plan for demand shaping where applicable", - "waf": "Cost" - }, - { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "e2e8aaab-3571-4549-ab91-53d89f89dc7b", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Autoscale", - "text": "Consider implementing a service re-scaling logic within the application", - "training": "https://learn.microsoft.com/azure/cost-management-billing/savings-plan/", - "waf": "Cost" - }, - { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", "service": "Azure Backup", "services": [ - "Cost", - "Backup" + "WAF" ], "severity": "Medium", - "subcategory": "Backup", "text": "Move recovery points to vault-archive where applicable (Validate)", "training": 
"https://azure.microsoft.com/pricing/reservations/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "WAF checklist", "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", "service": "Databricks", "services": [ - "Cost", "LoadBalancer", - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "Databricks", "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", "service": "Azure Functions", "services": [ - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Functions", "text": "Functions - Reuse connections", "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", "link": "https://learn.microsoft.com/azure/automation/update-management/overview", "service": "Azure Functions", "services": [ - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Functions", "text": "Functions - Cache data locally", "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", "guid": 
"4722d928-c1b1-4cd5-81e5-4a29b9de39ac", "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", "service": "Azure Functions", "services": [ - "Cost", - "Storage" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Functions", "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", "service": "Azure Functions", "services": [ - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Functions", "text": "Functions - Keep your functions warm", "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", "link": "https://learn.microsoft.com/azure/governance/policy/overview", "service": "Azure Functions", "services": [ - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Functions", "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization 
Checklist", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", "service": "Azure Functions", "services": [ - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Functions", "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Web/sites", + "checklist": "WAF checklist", "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", "service": "Azure Functions", "services": [ - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Functions", "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) 
https://github.com/Azure-Samples/functions-csharp-premium-scaler", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "df03a822-cd46-43cb-abc8-ac299ebc91a4", - "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Networking", - "text": "Evaluate your network topology against networking costs and where applicable reduce the egress and peering data", - "waf": "Cost" - }, - { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "service": "Front Door", "services": [ - "Cost", + "EventHubs", "FrontDoor", - "EventHubs" + "WAF" ], "severity": "Medium", - "subcategory": "Networking", "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "microsoft.network/frontdoors", + "checklist": "WAF checklist", "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", "service": "Front Door", "services": [ - "Cost", "AppSvc", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", - "subcategory": "Networking", "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. 
The advantage of this is you will be able to log out when it is called.", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "f843e52f-4722-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "PaaS", - "text": "Consider using free tiers where applicable for all non-production environments", - "waf": "Cost" - }, - { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", - "guid": "b9de39ac-0e7c-428d-a936-657202bff456", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "services": [ - "Cost" - ], - "severity": "Medium", - "subcategory": "Serverless", - "text": "Using serverless patterns for spikes can help keeping costs down", - "waf": "Cost" - }, - { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", "service": "Storage", "services": [ - "Cost", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", "text": "Consider archiving tiers for less used data", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", "service": "VM", "services": [ - "Cost", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", "text": "Check disk sizes where the size does not match the tier (i.e. 
A 513 GiB disk will pay a P30 (1TiB) and consider resizing", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", "service": "Storage", "services": [ - "Cost", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", "text": "Consider using standard SSD rather than Premium or Ultra where possible", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF checklist", "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", "service": "Storage", "services": [ - "Cost", - "Storage" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "WAF checklist", "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", "service": "Site Recovery", "services": [ - "Cost", - "Storage", - "ASR" + "ASR", + "WAF" ], "severity": "Medium", - "subcategory": "Storage", "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "WAF 
checklist", "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", "service": "Storage", "services": [ - "Cost", - "Storage" + "Storage", + "WAF" ], "severity": "Medium", - "subcategory": "storage", "text": "Storage accounts: check hot tier and/or GRS necessary", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", "service": "VM", "services": [ - "Cost", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Storage", "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "WAF checklist", "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", "service": "Synapse", "services": [ - "Cost", + "EventHubs", "Monitor", - "EventHubs" + "Cost", + "WAF" ], "severity": "Medium", - "subcategory": "Synapse", "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "WAF checklist", "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", "link": "https://learn.microsoft.com/azure/virtual-machines/availability", "service": "Synapse", "services": [ + "Storage", "Cost", - "Storage" + "WAF" ], "severity": "Medium", - "subcategory": "Synapse", "text": "Export cost data to a storage 
account for additional data analysis.", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "WAF checklist", "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "service": "Synapse", "services": [ + "SQL", "Cost", - "SQL" + "WAF" ], "severity": "Medium", - "subcategory": "Synapse", "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "WAF checklist", "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", "service": "Synapse", "services": [ - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Synapse", "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "WAF checklist", "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", "service": "Synapse", "services": [ - "Cost" + "WAF" ], "severity": "Medium", - "subcategory": "Synapse", "text": "Create multiple Apache Spark pool definitions of various sizes.", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "WAF checklist", "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", "service": "Synapse", "services": [ - "Cost" + "Cost", + "WAF" ], "severity": "Medium", - "subcategory": "Synapse", "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", "service": "VM", "services": [ + "VM", "Cost", - "VM" + "WAF" ], "severity": "Medium", - "subcategory": "VM", "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "544451e1-92d3-4442-a3c7-628637a551c5", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "service": "VM", "services": [ - "Cost", - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "VM", "text": "Right-sizing all VMs", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", 
"service": "VM", "services": [ - "Cost", - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "VM", "text": "Swap VM sized with normalized and most recent sizes", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "VM", "services": [ - "Cost", "Monitor", - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "VM", "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Cost" }, { - "category": "Right-sizing", - "checklist": "Cost Optimization Checklist", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "WAF checklist", "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "VM", "services": [ - "Cost", - "VM" + "VM", + "WAF" ], "severity": "Medium", - "subcategory": "VM", "text": "Containerizing an application can improve VM density and save money on scaling it", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Cost" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", + "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Best Practices", + "text": "Leverage FTA Resillency Handbook", + "waf": "Reliability" + }, + { + "category": "Operations management", + 
"checklist": "Microsoft Purview Review Checklist", + "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", + "services": [ + "ASR" + ], + "severity": "High", + "subcategory": "Disaster Recovery", + "text": "Plan for Data Center level outage", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. Assign contacts to assets", + "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", + "services": [ + "ASR" + ], + "severity": "Medium", + "subcategory": "Disaster Recovery", + "text": "Practice Failover for BCDR", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "97b15b8a-219a-44ab-bb57-879024d22678", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", + "services": [ + "Backup" + ], + "severity": "High", + "subcategory": "Backup and Restore ", + "text": "Plan a backup strategy and take regular backups", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", + "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", + "service": "Purview", + "services": [ + "EventHubs" + ], + "severity": "Low", + "subcategory": "Purview Accounts Replications", + "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + 
"guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", + "link": "https://learn.microsoft.com/purview/deployment-best-practices", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Purview accounts architectures and deployment best practices", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", + "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Collection Architectures and best practices", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", + "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Assest lifecycle best practices", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow automation best practices", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", + "link": "https://learn.microsoft.com/purview/disaster-recovery", + "service": "Purview", + "services": [ + "Backup" + ], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Backup and Migration Best practices", + "waf": "Reliability" + }, + { + "category": 
"Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7", + "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Purview Glossary Best Practices", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790", + "link": "https://learn.microsoft.com/purview/concept-workflow", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data catalog", + "text": "Leverage Workflows ", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data catalog", + "text": "Follow Purview Security Best Practices", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888", + "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Map", + "text": "Follow Purview Data Lineage Best Practices", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "9579e76b-896e-4710-a7da-7be9956d14d3", + "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Map", + "text": "Follow Best Practices for Scanning Registered Sources", + "waf": "Reliability" 
+ }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed", + "link": "https://learn.microsoft.com/purview/concept-best-practices-classification", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Map", + "text": "Follow Classification Best Practices in Governance Portal", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69", + "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Map", + "text": "Perform Sensitivity Labelling in the Purview Data Map", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96", + "link": "https://learn.microsoft.com/purview/concept-data-share", + "service": "Purview", + "services": [ + "Storage" + ], + "severity": "Low", + "subcategory": "Data Sharing", + "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data Estate", + "text": "Leverage Data Estate Insights", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab", + "link": "https://learn.microsoft.com/purview/catalog-adoption-insights", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data Estate", + 
"text": "Use Data stewardship and Catalog adoption", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581", + "link": "https://learn.microsoft.com/purview/concept-insights", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data Estate", + "text": "Use Inventory and Ownership", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9", + "link": "https://learn.microsoft.com/purview/glossary-insights", + "service": "Purview", + "services": [], + "severity": "Low", + "subcategory": "Data Estate", + "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "b130a888-9579-4e76-a896-e710a7da7be9", + "link": "https://learn.microsoft.com/purview/compliance-manager", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Quality ", + "text": "Generate assessment scores", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f", + "link": "https://learn.microsoft.com/purview/compliance-manager-scoring", + "service": "Purview", + "services": [], + "severity": "Medium", + "subcategory": "Data Quality ", + "text": "Profiling- get summaries of data content", + "waf": "Reliability" + }, + { + "category": "Operations management", + "checklist": "Microsoft Purview Review Checklist", + "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1", + "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts", + "service": "Purview", + "services": [ + "AzurePolicy" + ], + "severity": "Low", 
+ "subcategory": "Data Policy",
+ "text": "Follow Microsoft Purview Data Owner access policies",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac",
+ "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy",
+ "service": "Purview",
+ "services": [
+ "AzurePolicy"
+ ],
+ "severity": "Low",
+ "subcategory": "Data Policy",
+ "text": "Follow Self-service access policies",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Operations management",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "b49e5b96-0332-44ec-b8cc-13318da61170",
+ "link": "https://learn.microsoft.com/purview/concept-policies-devops",
+ "service": "Purview",
+ "services": [
+ "AzurePolicy"
+ ],
+ "severity": "Low",
+ "subcategory": "Data Policy",
+ "text": "Follow DevOps policies",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Device Update Review",
+ "guid": "0e03f5ee-4648-423c-bb86-7239480f9171",
+ "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
+ "service": "Device Update for IoT Hub",
+ "services": [],
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Device Update Review",
+ "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55",
+ "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
+ "service": "Device Update for IoT Hub",
+ "services": [],
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "Be aware of Microsoft-initiated failovers. These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Device Update Review",
+ "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "Device Update for IoT Hub",
+ "services": [],
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Device Update Review",
+ "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "Device Update for IoT Hub",
+ "services": [
+ "AppSvc"
+ ],
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
+ "service": "IoT Hub DPS",
+ "services": [],
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
+ "service": "IoT Hub DPS",
+ "services": [],
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "Protect logic apps from region failures with zone redundancy and availability zones",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "8aed4fbf-0830-4883-899d-222a154af478",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "IoT Hub DPS",
+ "services": [],
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
+ },
+ {
+ "category": "BC and DR",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "IoT Hub DPS",
+ "services": [
+ "AppSvc"
+ ],
+ "severity": "High",
+ "subcategory": "High Availability",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
+ },
+ {
+ "category": "Application Deployment",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "IoT Hub DPS",
+ "services": [],
+ "severity": "Medium",
+ "subcategory": "CI/CD",
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
+ "waf": "Operations"
 }
 ],
 "metadata": {
 "name": "Master checklist",
- "timestamp": "August 05, 2024"
+ "timestamp": "August 08, 2024"
 },
 "severities": [
 {
diff --git a/checklists/network_appdelivery_checklist.en.json b/checklists/network_appdelivery_checklist.en.json
index 05f38ce18..f89e9c89c 100644
--- a/checklists/network_appdelivery_checklist.en.json
+++ b/checklists/network_appdelivery_checklist.en.json
@@ -823,6 +823,6 @@
 "name": "Azure Application Delivery Networking",
 "state": "GA",
 "waf": "all",
- "timestamp": "March 15, 2024"
+ "timestamp": "August 08, 2024"
 }
-}
+}
\ No newline at end of file
diff --git a/checklists/network_appdelivery_checklist.es.json b/checklists/network_appdelivery_checklist.es.json
index 6720132f4..fe1399650 100644
--- a/checklists/network_appdelivery_checklist.es.json
+++ b/checklists/network_appdelivery_checklist.es.json
@@ -1,12 +1,12 @@
 {
 "categories": [
 {
- "name": "Topología y conectividad de red"
+ "name": "Topología de red y conectividad"
 }
 ],
 "items": [
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "f00a69de-7076-4734-a734-6e4552cad9e1",
 "id": "A01.01",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
@@ -17,18 +17,18 @@
 "waf": "Operaciones"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "b71ca41b-3a80-48f3-a6cd-22cdf197c1cf",
 "id": "A01.02",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator",
 "severity": "Medio",
 "subcategory": "Entrega de aplicaciones",
- "text": "Realice la entrega de aplicaciones dentro de las zonas de aterrizaje tanto para aplicaciones internas (corporativas) como externas (en línea).",
+ "text": "Realice la entrega de aplicaciones dentro de las zonas de aterrizaje para aplicaciones internas (corporativas) y externas (en línea).",
 "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant",
 "guid": "553585a6-abe0-11ed-afa1-0242ac120002",
 "id": "A01.03",
@@ -41,7 +41,7 @@
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')",
 "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a",
 "id": "A01.04",
@@ -49,22 +49,22 @@
 "service": "Load Balancer",
 "severity": "Medio",
 "subcategory": "Equilibrador de carga",
- "text": "Asegúrese de que usa la SKU estándar para Azure Load Balancers",
+ "text": "Asegúrese de que usa la SKU estándar para los equilibradores de carga de Azure",
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "9432621a-8397-4654-a882-5bc856b7ef83",
 "id": "A01.05",
 "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones",
 "service": "Load Balancer",
 "severity": "Medio",
 "subcategory": "Equilibrador de carga",
- "text": "Asegúrese de que las direcciones IP de front-end de Load Balancers tengan redundancia de zona (a menos que necesite front-end zonal).",
+ "text": "Asegúrese de que las direcciones IP de front-end de los equilibradores de carga sean con redundancia de zona (a menos que necesite front-end zonal).",
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant",
 "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15",
 "id": "A01.06",
@@ -77,32 +77,32 @@
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
- "description": "La administración de proxies inversos en general y de WAF en particular está más cerca de la aplicación que de la red, por lo que pertenecen a la misma suscripción que la aplicación. La centralización de Application Gateway y WAF en la suscripción de conectividad puede ser correcta si la administra un solo equipo.",
+ "category": "Topología de red y conectividad",
+ "description": "La administración de proxies inversos en general y WAF en particular está más cerca de la aplicación que de la red, por lo que pertenecen a la misma suscripción que la aplicación. La centralización de Application Gateway y WAF en la suscripción de conectividad puede ser correcta si la administra un solo equipo.",
 "guid": "48b662d6-d15f-4512-a654-98f6dfe237de",
 "id": "A01.07",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
 "service": "App Gateway",
 "severity": "Medio",
 "subcategory": "Puerta de enlace de aplicaciones",
- "text": "Implemente Azure Application Gateway v2 o aplicaciones virtuales de red de asociados que se usan para proxy de conexiones HTTP(S) entrantes dentro de la red virtual de la zona de aterrizaje y con las aplicaciones que están protegiendo.",
+ "text": "Implemente Azure Application Gateway v2 o NVA de asociados que se usan para proxy de conexiones HTTP(S) entrantes dentro de la red virtual de la zona de aterrizaje y con las aplicaciones que protegen.",
 "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08",
 "id": "A01.08",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
 "service": "App Gateway",
 "severity": "Medio",
 "subcategory": "Puerta de enlace de aplicaciones",
- "text": "Use una red DDoS o planes de protección IP para todas las direcciones IP públicas en las zonas de aterrizaje de la aplicación.",
+ "text": "Utilice una red DDoS o planes de protección IP para todas las direcciones IP públicas en las zonas de aterrizaje de aplicaciones.",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant",
 "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0",
 "id": "A01.09",
@@ -115,7 +115,7 @@
 "waf": "Fiabilidad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
 "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
 "id": "A01.10",
@@ -128,7 +128,7 @@
 "waf": "Fiabilidad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
 "id": "A01.11",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
@@ -140,7 +140,7 @@
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
 "id": "A01.12",
 "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
@@ -153,7 +153,7 @@
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
 "id": "A01.13",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
@@ -165,7 +165,7 @@
 "waf": "Fiabilidad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
 "id": "A01.14",
 "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
@@ -177,20 +177,20 @@
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
 "id": "A01.15",
 "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
 "service": "Entra",
 "severity": "Medio",
 "subcategory": "Entrega de aplicaciones",
- "text": "Para reducir el número de puertos de firewall abiertos para las conexiones entrantes en la red, considere la posibilidad de usar Microsoft Entra ID Application Proxy para proporcionar a los usuarios remotos acceso seguro y autenticado a las aplicaciones internas.",
+ "text": "Para reducir el número de puertos de firewall abiertos para las conexiones entrantes en la red, considere la posibilidad de usar el proxy de aplicación de identificador de Microsoft Entra para proporcionar a los usuarios remotos acceso seguro y autenticado a las aplicaciones internas.",
 "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
 "waf": "Seguridad"
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
 "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
 "id": "A01.16",
@@ -198,12 +198,12 @@
 "service": "Front Door",
 "severity": "Alto",
 "subcategory": "Puerta",
- "text": "Implemente la directiva de WAF para Front Door en modo de \"prevención\".",
+ "text": "Implemente la directiva de WAF para Front Door en modo de \"Prevención\" para que el firewall de aplicaciones web tome las medidas adecuadas para permitir o denegar el tráfico.",
 "waf": "Seguridad"
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
 "id": "A01.17",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
@@ -215,18 +215,18 @@
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
 "id": "A01.18",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
 "service": "Front Door",
 "severity": "Alto",
 "subcategory": "Puerta",
- "text": "Use el mismo nombre de dominio en Azure Front Door y su origen. Los nombres de host no coincidentes pueden causar errores sutiles.",
+ "text": "Use el mismo nombre de dominio en Azure Front Door y en su origen. Los nombres de host no coincidentes pueden causar errores sutiles.",
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
 "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
 "id": "A01.19",
@@ -234,11 +234,11 @@
 "service": "Front Door",
 "severity": "Bajo",
 "subcategory": "Puerta",
- "text": "Deshabilite los sondeos de estado cuando solo haya un origen en un grupo de orígenes de Azure Front Door.",
+ "text": "Deshabilite los sondeos de estado cuando solo haya un origen en un grupo de origen de Azure Front Door.",
 "waf": "Rendimiento"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
 "id": "A01.20",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
@@ -249,7 +249,7 @@
 "waf": "Fiabilidad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
 "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
 "id": "A01.21",
@@ -262,7 +262,7 @@
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
 "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
 "id": "A01.22",
@@ -270,12 +270,12 @@
 "service": "Load Balancer",
 "severity": "Alto",
 "subcategory": "Equilibrador de carga",
- "text": "Use Azure NAT Gateway en lugar de reglas de salida de Load Balancer para mejorar la escalabilidad de SNAT",
+ "text": "Use Azure NAT Gateway en lugar de las reglas de salida de Load Balancer para mejorar la escalabilidad de SNAT",
 "waf": "Fiabilidad"
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
 "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
 "id": "A01.23",
@@ -287,7 +287,7 @@
 "waf": "Operaciones"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
 "id": "A01.24",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code",
@@ -299,7 +299,7 @@
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
 "id": "A01.25",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls",
@@ -310,19 +310,19 @@
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
 "id": "A01.26",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection",
 "service": "Front Door",
 "severity": "Medio",
 "subcategory": "Puerta",
- "text": "Use el redireccionamiento de HTTP a HTTPS con Azure Front Door. Apoye a los clientes más antiguos redirigiéndolos automáticamente a una solicitud HTTPS.",
+ "text": "Use el redireccionamiento de HTTP a HTTPS con Azure Front Door. Apoye a los clientes más antiguos redirigiéndolos a una solicitud HTTPS automáticamente.",
 "waf": "Seguridad"
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
 "id": "A01.27",
 "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf",
@@ -334,19 +334,19 @@
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
 "id": "A01.28",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf",
 "service": "Front Door",
 "severity": "Alto",
 "subcategory": "Puerta",
- "text": "Ajuste el WAF de Azure Front Door para su carga de trabajo. Reduzca las detecciones de falsos positivos.",
+ "text": "Ajuste el WAF de Azure Front Door para su carga de trabajo configurando el WAF en modo de detección para reducir y corregir las detecciones de falsos positivos.",
 "waf": "Seguridad"
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
 "id": "A01.29",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
@@ -358,52 +358,52 @@
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
 "id": "A01.30",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets",
 "service": "Front Door",
 "severity": "Alto",
 "subcategory": "Puerta",
- "text": "Habilite los conjuntos de reglas predeterminados de WAF de Azure Front Door. Los conjuntos de reglas predeterminados detectan y bloquean los ataques comunes.",
+ "text": "Habilite los conjuntos de reglas predeterminadas de WAF de Azure Front Door. Los conjuntos de reglas predeterminados detectan y bloquean ataques comunes.",
 "waf": "Seguridad"
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
 "id": "A01.31",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules",
 "service": "Front Door",
 "severity": "Alto",
 "subcategory": "Puerta",
- "text": "Habilite el conjunto de reglas de protección contra bots de Azure Front Door WAF. Las reglas de bots detectan bots buenos y malos.",
+ "text": "Habilite el conjunto de reglas de protección contra bots de WAF de Azure Front Door. Las reglas de bots detectan bots buenos y malos.",
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
 "id": "A01.32",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
 "service": "Front Door",
 "severity": "Medio",
 "subcategory": "Puerta",
- "text": "Use la versión más reciente del conjunto de reglas de WAF de Azure Front Door. Las actualizaciones del conjunto de reglas se actualizan periódicamente para tener en cuenta el panorama actual de amenazas.",
+ "text": "Use la versión más reciente del conjunto de reglas de Azure Front Door WAF. Las actualizaciones del conjunto de reglas se actualizan periódicamente para tener en cuenta el panorama actual de amenazas.",
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
 "id": "A01.33",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
 "service": "Front Door",
 "severity": "Medio",
 "subcategory": "Puerta",
- "text": "Agregue limitación de velocidad al WAF de Azure Front Door. La limitación de velocidad bloquea a los clientes que envían accidental o intencionadamente grandes cantidades de tráfico en un corto período de tiempo.",
+ "text": "Agregue la limitación de velocidad al WAF de Azure Front Door. La limitación de velocidad bloquea a los clientes que envían accidental o intencionalmente grandes cantidades de tráfico en un corto período de tiempo.",
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
 "id": "A01.34",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
@@ -414,7 +414,7 @@
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
 "id": "A01.35",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
@@ -425,7 +425,7 @@
 "waf": "Seguridad"
 },
 {
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
 "id": "A01.36",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
@@ -437,7 +437,7 @@
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
 "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
 "id": "A01.37",
@@ -445,12 +445,12 @@
 "service": "App Gateway",
 "severity": "Alto",
 "subcategory": "Puerta de enlace de aplicaciones",
- "text": "Habilitación del conjunto de reglas de protección contra bots de WAF de Azure Application Gateway Las reglas de bots detectan bots buenos y malos.",
+ "text": "Habilite el conjunto de reglas de protección contra bots de WAF de Azure Application Gateway. Las reglas de bots detectan bots buenos y malos.",
 "waf": "Seguridad"
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
 "id": "A01.38",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
@@ -462,19 +462,19 @@
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8",
 "id": "A01.39",
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
 "service": "App Gateway",
 "severity": "Alto",
 "subcategory": "Puerta de enlace de aplicaciones",
- "text": "Ajuste el WAF de Azure Application Gateway para la carga de trabajo. Reduzca las detecciones de falsos positivos.",
+ "text": "Ajuste el WAF de Azure Application Gateway en modo de detección para la carga de trabajo. Reduzca las detecciones de falsos positivos.",
 "waf": "Seguridad"
 },
 {
 "ammp": true,
- "category": "Topología y conectividad de red",
+ "category": "Topología de red y conectividad",
 "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
 "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
 "id": "A01.40",
@@ -482,33 +482,33 @@ "service": "App Gateway", "severity": "Alto", "subcategory": "Puerta de enlace de aplicaciones", - "text": "Implemente la directiva de WAF para Application Gateway en modo de \"prevención\".", + "text": "Implemente la directiva de WAF para Application Gateway en modo \"Prevención\".", "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", "id": "A01.41", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", "service": "App Gateway", "severity": "Medio", "subcategory": "Puerta de enlace de aplicaciones", - "text": "Agregue limitación de velocidad al WAF de Azure Application Gateway. La limitación de velocidad bloquea a los clientes que envían accidental o intencionadamente grandes cantidades de tráfico en un corto período de tiempo.", + "text": "Agregue la limitación de velocidad al WAF de Azure Application Gateway. La limitación de velocidad bloquea a los clientes que envían accidental o intencionalmente grandes cantidades de tráfico en un corto período de tiempo.", "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", "id": "A01.42", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", "service": "App Gateway", "severity": "Medio", "subcategory": "Puerta de enlace de aplicaciones", - "text": "Use un umbral alto para los límites de frecuencia de WAF de Azure Application Gateway. Los umbrales de límite de velocidad altos evitan el bloqueo del tráfico legítimo, a la vez que proporcionan protección contra un número extremadamente alto de solicitudes que podrían sobrecargar su infraestructura. ", + "text": "Use un umbral alto para los límites de velocidad de WAF de Azure Application Gateway. 
Los umbrales de límite de velocidad altos evitan el bloqueo del tráfico legítimo, a la vez que proporcionan protección contra un número extremadamente alto de solicitudes que podrían sobrecargar su infraestructura. ", "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "99937189-ff78-492a-b9ca-18d828d82b37", "id": "A01.43", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", @@ -519,7 +519,7 @@ "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", "id": "A01.44", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", @@ -530,7 +530,7 @@ "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", "id": "A01.45", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", @@ -541,7 +541,7 @@ "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", "id": "A01.46", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", @@ -552,7 +552,7 @@ "waf": "Operaciones" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", "id": "A01.47", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", 
@@ -563,7 +563,7 @@ "waf": "Operaciones" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "92664c60-47e3-4591-8b1b-8d557656e686", "id": "A01.48", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", @@ -574,7 +574,7 @@ "waf": "Operaciones" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "845f5f91-9c21-4674-a725-5ce890850e20", "id": "A01.49", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", @@ -585,7 +585,7 @@ "waf": "Operaciones" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", "id": "A01.50", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", @@ -596,18 +596,18 @@ "waf": "Operaciones" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", "id": "A01.51", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", "service": "App Gateway", "severity": "Medio", "subcategory": "Puerta de enlace de aplicaciones", - "text": "Utilice directivas de WAF en lugar de la configuración de WAF heredada.", + "text": "Utilice las políticas de WAF en lugar de la configuración de WAF heredada.", "waf": "Operaciones" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", "id": "A01.52", "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", 
@@ -618,18 +618,18 @@ "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", "id": "A01.53", "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", "service": "Front Door", "severity": "Medio", "subcategory": "Puerta", - "text": "Asegúrese de que los orígenes solo toman tráfico de la instancia de Azure Front Door.", + "text": "Asegúrese de que los orígenes solo reciben tráfico de la instancia de Azure Front Door.", "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", "id": "A01.54", "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", @@ -640,7 +640,7 @@ "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", "id": "A01.55", "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", @@ -651,7 +651,7 @@ "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", "id": "A01.56", "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", @@ -662,7 +662,7 @@ "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", "id": "A01.57", "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", 
@@ -673,29 +673,29 @@ "waf": "Operaciones" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", "id": "A01.58", "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", "service": "App Gateway", "severity": "Alto", "subcategory": "Puerta de enlace de aplicaciones", - "text": "Habilite el drenaje de conexiones durante las actualizaciones de servicio planificadas para evitar la pérdida de conexión a los miembros existentes del grupo de back-end", + "text": "Habilite el drenaje de conexiones durante las actualizaciones de servicio planeadas para evitar la pérdida de conexión con los miembros existentes del grupo de back-end", "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", "id": "A01.59", "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", "service": "App Gateway", "severity": "Bajo", "subcategory": "Puerta de enlace de aplicaciones", - "text": "Crear páginas de error personalizadas para mostrar una experiencia de usuario personalizada", + "text": "Cree páginas de error personalizadas para mostrar una experiencia de usuario personalizada", "waf": "Operaciones" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", "id": "A01.60", "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", 
@@ -706,29 +706,29 @@ "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", "id": "A01.61", "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", "service": "App Gateway", "severity": "Medio", "subcategory": "Puerta de enlace de aplicaciones", - "text": "Configure Front Door para optimizar el enrutamiento del tráfico web global y el rendimiento del usuario final de primer nivel, así como la confiabilidad a través de una rápida conmutación por error global", + "text": "Configure Front Door para optimizar el enrutamiento del tráfico web global y el rendimiento y la confiabilidad del usuario final de primer nivel a través de una rápida conmutación por error global", "waf": "Rendimiento" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "29dcc19f-a8fa-4c35-8281-290577538793", "id": "A01.62", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "service": "App Gateway", "severity": "Medio", "subcategory": "Puerta de enlace de aplicaciones", - "text": "Usar el equilibrio de carga de la capa de transporte", + "text": "Uso del equilibrio de carga de la capa de transporte", "waf": "Rendimiento" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", "id": "A01.63", "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", 
@@ -739,18 +739,18 @@ "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", "id": "A01.64", "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", "service": "App Gateway", "severity": "Medio", "subcategory": "Puerta de enlace de aplicaciones", - "text": "Centralice la administración de certificados SSL para reducir la sobrecarga de cifrado y descifrado de una granja de servidores back-end", + "text": "Centralice la administración de certificados SSL para reducir la sobrecarga de cifrado y descifrado de una granja de servidores backend", "waf": "Seguridad" }, { - "category": "Topología y conectividad de red", + "category": "Topología de red y conectividad", "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", "id": "A01.65", "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", @@ -764,7 +764,7 @@ "metadata": { "name": "Azure Application Delivery Networking", "state": "GA", - "timestamp": "March 15, 2024", + "timestamp": "August 08, 2024", "waf": "all" }, "severities": [ @@ -780,7 +780,7 @@ ], "status": [ { - "description": "Esta comprobación aún no se ha examinado", + "description": "Este control aún no se ha examinado", "name": "No verificado" }, { diff --git a/checklists/network_appdelivery_checklist.ja.json b/checklists/network_appdelivery_checklist.ja.json index 825e1ba93..b075632f2 100644 --- a/checklists/network_appdelivery_checklist.ja.json +++ b/checklists/network_appdelivery_checklist.ja.json 
@@ -1,34 +1,34 @@ { "categories": [ { - "name": "ネットワークトポロジと接続性" + "name": "ネットワーク トポロジと接続性" } ], "items": [ { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", "id": "A01.01", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", "service": "Front Door", "severity": "中程度", "subcategory": "フロントドア", - "text": "Azure Front Door でカスタマー マネージド TLS 証明書を使用する場合は、\"最新\" の証明書バージョンを使用します。証明書の手動更新によって引き起こされる停止のリスクを軽減", + "text": "Azure Front Door でカスタマー マネージド TLS 証明書を使用する場合は、\"最新\" の証明書バージョンを使用します。証明書の手動更新による停止のリスクを軽減", "waf": "オペレーションズ" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "b71ca41b-3a80-48f3-a6cd-22cdf197c1cf", "id": "A01.02", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", "severity": "中程度", - "subcategory": "アプリ配信", - "text": "内部向けアプリ (corp) と外部向けアプリ (online) の両方のランディング ゾーン内でアプリ配信を実行します。", + "subcategory": "アプリの配信", + "text": "ランディング ゾーン内で、内部向けアプリ (corp) と外部向けアプリ (online) の両方のアプリ配信を実行します。", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", "guid": "553585a6-abe0-11ed-afa1-0242ac120002", "id": "A01.03", @@ -41,7 +41,7 @@ "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", "id": "A01.04", 
@@ -49,11 +49,11 @@ "service": "Load Balancer", "severity": "中程度", "subcategory": "ロードバランサー", - "text": "Azure Load Balancer に Standard SKU を使用していることを確認する", + "text": "Azure Load Balancers に Standard SKU を使用していることを確認します", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "9432621a-8397-4654-a882-5bc856b7ef83", "id": "A01.05", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", @@ -64,7 +64,7 @@ "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", "id": "A01.06", 
@@ -72,37 +72,37 @@ "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "Application Gateway v2 は、IP プレフィックスが /24 以上のサブネットにデプロイする必要があります", + "text": "Application Gateways v2 は、IP プレフィックスが /24 以上のサブネットにデプロイする必要があります", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", - "description": "リバースプロキシ全般、特にWAFの管理は、ネットワークよりもアプリケーションに近いため、アプリと同じサブスクリプションに属します。Application Gateway と WAF を接続サブスクリプションに一元化することは、1 つのチームによって管理されている場合は問題ない場合があります。", + "category": "ネットワーク トポロジと接続性", + "description": "リバースプロキシの管理全般、特にWAFの管理は、ネットワーキングよりもアプリケーションに近いため、アプリと同じサブスクリプションに属します。Application Gateway と WAF を接続サブスクリプションに一元化することは、1 つのチームによって管理されている場合は問題ない可能性があります。", "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", "id": "A01.07", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "ランディング ゾーン仮想ネットワーク内およびそれらがセキュリティで保護しているアプリと共に、受信 HTTP(S) 接続のプロキシに使用される Azure Application Gateway v2 またはパートナーの NVA をデプロイします。", + "text": "ランディング ゾーン仮想ネットワーク内の受信 HTTP(S) 接続のプロキシに使用される Azure Application Gateway v2 またはパートナー NVA と、それらがセキュリティ保護しているアプリをデプロイします。", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", "id": "A01.08", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "アプリケーション ランディング ゾーン内のすべてのパブリック IP アドレスに対して DDoS ネットワークまたは IP 保護プランを使用します。", + "text": "アプリケーション ランディング ゾーン内のすべてのパブリック IP アドレスに対して、DDoS ネットワークまたは IP 保護プランを使用します。", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", 
"graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", "id": "A01.09", @@ -110,12 +110,12 @@ "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "最小数のインスタンスが 2 つになる自動スケーリングを構成します。", + "text": "自動スケールは、最小インスタンス数が 2 になるように構成します。", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "確実" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", "id": "A01.10", 
@@ -128,32 +128,32 @@ "waf": "確実" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", "id": "A01.11", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "Front Door", "severity": "中程度", "subcategory": "フロントドア", - "text": "Azure Front Door と WAF ポリシーを使用して、複数の Azure リージョンにまたがるグローバル HTTP/S アプリを配信し、保護します。", + "text": "Azure Front Door と WAF ポリシーを使用して、複数の Azure リージョンにまたがるグローバル HTTP/S アプリを提供し、保護します。", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "3f29812b-2363-4cef-b179-b599de0d5973", "id": "A01.12", "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", "service": "Front Door", "severity": "中程度", - "subcategory": "アプリ配信", + "subcategory": "アプリの配信", "text": "Front Door と Application Gateway を使用して HTTP/S アプリを保護する場合は、Front Door で WAF ポリシーを使用します。Application Gateway をロックダウンして、Front Door からのトラフィックのみを受信します。", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", "id": "A01.13", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", 
@@ -165,32 +165,32 @@ "waf": "確実" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", "id": "A01.14", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "Entra", "severity": "低い", - "subcategory": "アプリ配信", - "text": "ユーザーが内部アプリケーションへのアクセスのみを必要とする場合、Microsoft Entra ID アプリケーション プロキシは Azure Virtual Desktop (AVD) の代替として検討されていますか?", + "subcategory": "アプリの配信", + "text": "ユーザーが内部アプリケーションへのアクセスのみを必要とする場合、Microsoft Entra ID アプリケーション プロキシは Azure Virtual Desktop (AVD) の代替手段として検討されていますか?", "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", "id": "A01.15", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "Entra", "severity": "中程度", - "subcategory": "アプリ配信", - "text": "ネットワーク内の着信接続用に開かれているファイアウォール ポートの数を減らすには、Microsoft Entra ID アプリケーション プロキシを使用して、リモート ユーザーに内部アプリケーションへの安全で認証されたアクセスを提供することを検討してください。", + "subcategory": "アプリの配信", + "text": "ネットワーク内の着信接続用に開かれるファイアウォール ポートの数を減らすには、Microsoft Entra ID アプリケーション プロキシを使用して、リモート ユーザーに内部アプリケーションへの安全で認証されたアクセスを提供することを検討してください。", "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "安全" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend 
profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", "guid": "ae248989-b306-4591-9186-de482e3f0f0e", "id": "A01.16", @@ -198,24 +198,24 @@ "service": "Front Door", "severity": "高い", "subcategory": "フロントドア", - "text": "Front Door の WAF ポリシーを \"防止\" モードでデプロイします。", + "text": "Front Door の WAF ポリシーを \"防止\" モードでデプロイし、Web アプリケーション ファイアウォールがトラフィックを許可または拒否するための適切なアクションを実行するようにします。", "waf": "安全" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", "id": "A01.17", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", "service": "Front Door", "severity": "高い", "subcategory": "フロントドア", - "text": "Azure Traffic Manager と Azure Front Door の組み合わせは避けてください。", + "text": "Azure Traffic Manager と Azure Front Door を組み合わせることは避けてください。", "waf": "安全" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", "id": "A01.18", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", 
@@ -226,7 +226,7 @@ "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", "id": "A01.19", 
@@ -234,22 +234,22 @@ "service": "Front Door", "severity": "低い", "subcategory": "フロントドア", - "text": "Azure Front Door 配信元グループに配信元が 1 つしかない場合は、正常性プローブを無効にします。", + "text": "Azure Front Door の配信元グループに配信元が 1 つしかない場合は、正常性プローブを無効にします。", "waf": "パフォーマンス" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", "id": "A01.20", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", "service": "Front Door", "severity": "中程度", "subcategory": "フロントドア", - "text": "Azure Front Door に適した正常性プローブ エンドポイントを選択します。アプリケーションのすべての依存関係をチェックする正常性エンドポイントを構築することを検討してください。", + "text": "Azure Front Door の適切な正常性プローブ エンドポイントを選択します。アプリケーションのすべての依存関係をチェックする正常性エンドポイントの構築を検討してください。", "waf": "確実" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", "id": "A01.21", @@ -262,7 +262,7 @@ }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", "id": "A01.22", 
@@ -270,12 +270,12 @@ "service": "Load Balancer", "severity": "高い", "subcategory": "ロードバランサー", - "text": "Load Balancer の送信規則の代わりに Azure NAT Gateway を使用して、SNAT のスケーラビリティを向上させる", + "text": "Load Balancer のアウトバウンド規則の代わりに Azure NAT Gateway を使用して SNAT のスケーラビリティを向上させる", "waf": "確実" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", "id": "A01.23", 
@@ -287,42 +287,42 @@ "waf": "オペレーションズ" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", "id": "A01.24", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", "service": "Front Door", "severity": "中程度", "subcategory": "フロントドア", - "text": "Azure Front Door WAF の構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", + "text": "Azure Front Door WAF 構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", "waf": "オペレーションズ" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", "id": "A01.25", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", "service": "Front Door", "severity": "高い", "subcategory": "フロントドア", - "text": "Azure Front Door でエンド ツー エンドの TLS を使用します。クライアントから Front Door への接続、および Front Door から配信元への接続には TLS を使用します。", + "text": "Azure Front Door でエンド ツー エンド TLS を使用します。クライアントから Front Door への接続、および Front Door から配信元への接続には TLS を使用します。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", "id": "A01.26", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", "service": "Front Door", "severity": "中程度", "subcategory": "フロントドア", - "text": "Azure Front Door で HTTP から HTTPS へのリダイレクトを使用します。古いクライアントをHTTPSリクエストに自動的にリダイレクトすることでサポートします。", + "text": "Azure Front Door で HTTP から HTTPS へのリダイレクトを使用します。古いクライアントを自動的に HTTPS リクエストにリダイレクトすることで、クライアントをサポートします。", "waf": "安全" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", "id": "A01.27", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", 
@@ -334,110 +334,110 @@ }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", "id": "A01.28", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", "service": "Front Door", "severity": "高い", "subcategory": "フロントドア", - "text": "ワークロードに合わせて Azure Front Door WAF を調整します。誤検知を減らします。", + "text": "ワークロードに合わせて Azure Front Door WAF を調整するには、検出モードで WAF を構成して誤検知の検出を減らして修正します。", "waf": "安全" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", "id": "A01.29", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", "service": "Front Door", "severity": "高い", "subcategory": "フロントドア", - "text": "Azure Front Door WAF ポリシーで要求本文検査機能を有効にします。", + "text": "Azure Front Door WAF ポリシーで有効になっている要求本文の検査機能を有効にします。", "waf": "安全" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", "id": "A01.30", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", "service": "Front Door", "severity": "高い", "subcategory": "フロントドア", - "text": "Azure Front Door WAF の既定の規則セットを有効にします。既定のルール セットは、一般的な攻撃を検出してブロックします。", + "text": "Azure Front Door WAF の既定のルール セットを有効にします。デフォルトのルールセットは、一般的な攻撃を検出してブロックします。", "waf": "安全" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", "id": "A01.31", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", "service": "Front Door", "severity": "高い", "subcategory": "フロントドア", - "text": "Azure Front Door WAF ボット保護ルール セットを有効にします。ボットルールは、良いボットと悪いボットを検出します。", + "text": "Azure Front Door 
WAF ボット保護ルール セットを有効にします。ボット ルールは、良いボットと悪いボットを検出します。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", "id": "A01.32", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", "service": "Front Door", "severity": "中程度", "subcategory": "フロントドア", - "text": "最新の Azure Front Door WAF ルール セット バージョンを使用します。ルール セットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", + "text": "最新の Azure Front Door WAF ルール セット バージョンを使用します。ルールセットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "b9620385-1cde-418f-914b-a84a06982ffc", "id": "A01.33", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", "service": "Front Door", "severity": "中程度", "subcategory": "フロントドア", - "text": "Azure Front Door WAF にレート制限を追加します。レート制限は、クライアントが短期間に大量のトラフィックを誤ってまたは意図的に送信することをブロックします。", + "text": "Azure Front Door WAF にレート制限を追加します。レート制限は、クライアントが誤ってまたは意図的に短時間に大量のトラフィックを送信するのをブロックします。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", "id": "A01.34", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", "service": "Front Door", "severity": "中程度", "subcategory": "フロントドア", - "text": "Azure Front Door WAF のレート制限には、高いしきい値を使用します。高いレート制限しきい値は、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多数の要求に対する保護を提供します。", + "text": "Azure Front Door WAF のレート制限には高いしきい値を使用します。レート制限のしきい値を高くすると、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多くのリクエストに対する保護を提供します。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", "id": "A01.35", "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", "service": "Front Door", "severity": "低い", "subcategory": "フロントドア", - "text": "すべての地域からのトラフィックが想定されていない場合は、地域フィルタを使用して、想定外の国からのトラフィックをブロックします。", + "text": "すべての地理的地域からのトラフィックを想定していない場合は、geo フィルタを使用して、想定外の国からのトラフィックをブロックします。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "00acd8a9-6975-414f-8491-2be6309893b8", "id": "A01.36", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", "service": "Front Door", "severity": "中程度", "subcategory": "フロントドア", - "text": "Azure Front Door WAF を使用してトラフィックをジオフィルター処理するときに、不明な (ZZ) 場所を指定します。IP アドレスを地理的に一致させることができない場合に、正当な要求を誤ってブロックしないようにします。", + "text": "Azure Front Door WAF を使用してトラフィックを geo フィルタリングする場合は、不明な (ZZ) 場所を指定します。IP アドレスを地理的に一致できない場合に、正当な要求を誤ってブロックしないようにします。", "waf": "安全" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", "id": "A01.37", 
@@ -445,36 +445,36 @@ "service": "App Gateway", "severity": "高い", "subcategory": "アプリケーション・ゲートウェイ", - "text": "Azure Application Gateway WAF ボット保護ルール セットを有効にする ボット ルールは、良いボットと悪いボットを検出します。", + "text": "Azure Application Gateway WAF ボット保護ルール セットを有効にします。ボット ルールは、良いボットと悪いボットを検出します。", "waf": "安全" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", "id": "A01.38", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", "service": "App Gateway", "severity": "高い", "subcategory": "アプリケーション・ゲートウェイ", - "text": "Azure Application Gateway WAF ポリシーで有効になっている要求本文検査機能を有効にします。", + "text": "Azure Application Gateway WAF ポリシーで有効になっている要求本文の検査機能を有効にします。", "waf": "安全" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", "id": "A01.39", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", "service": "App Gateway", "severity": "高い", "subcategory": "アプリケーション・ゲートウェイ", - "text": "ワークロードに合わせて Azure Application Gateway WAF を調整します。誤検知を減らします。", + "text": "ワークロードの検出モードで Azure Application Gateway WAF を調整します。誤検出を減らします。", "waf": "安全" }, { "ammp": true, - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", "guid": 
"baf8e317-2397-4d49-b3d1-0dcc16d8778d", "id": "A01.40", 
@@ -486,73 +486,73 @@ "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", "id": "A01.41", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "Azure Application Gateway WAF にレート制限を追加します。レート制限は、クライアントが短期間に大量のトラフィックを誤ってまたは意図的に送信することをブロックします。", + "text": "Azure Application Gateway WAF にレート制限を追加します。レート制限は、クライアントが誤ってまたは意図的に短時間に大量のトラフィックを送信するのをブロックします。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", "id": "A01.42", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "Azure Application Gateway の WAF レート制限には高いしきい値を使用します。高いレート制限しきい値は、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多数の要求に対する保護を提供します。", + "text": "Azure Application Gateway WAF のレート制限には高いしきい値を使用します。レート制限のしきい値を高くすると、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多くのリクエストに対する保護を提供します。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "99937189-ff78-492a-b9ca-18d828d82b37", "id": "A01.43", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", "service": "App Gateway", "severity": "低い", "subcategory": "アプリケーション・ゲートウェイ", - "text": "すべての地域からのトラフィックが想定されていない場合は、地域フィルタを使用して、想定外の国からのトラフィックをブロックします。", + "text": "すべての地理的地域からのトラフィックを想定していない場合は、geo フィルタを使用して、想定外の国からのトラフィックをブロックします。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", "id": "A01.44", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", "service": "App Gateway", "severity": "中程度", "subcategory": 
"アプリケーション・ゲートウェイ", - "text": "Azure Application Gateway WAF でトラフィックを geo フィルタリングするときに、不明 (ZZ) の場所を指定します。IP アドレスを地理的に一致させることができない場合に、正当な要求を誤ってブロックしないようにします。", + "text": "Azure Application Gateway WAF を使用してトラフィックを geo フィルタリングする場合は、不明な (ZZ) 場所を指定します。IP アドレスを地理的に一致できない場合に、正当な要求を誤ってブロックしないようにします。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", "id": "A01.45", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "最新バージョンの Azure Application Gateway WAF ルール セットを使用します。ルール セットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", + "text": "最新の Azure Application Gateway WAF ルール セット バージョンを使用します。ルールセットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", "id": "A01.46", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "診断設定を追加して、Azure Application Gateway の WAF ログを保存します。", + "text": "診断設定を追加して、Azure Application Gateway WAF ログを保存します。", "waf": "オペレーションズ" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", "id": "A01.47", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", @@ -563,7 +563,7 @@ "waf": "オペレーションズ" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "92664c60-47e3-4591-8b1b-8d557656e686", "id": "A01.48", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", 
@@ -574,7 +574,7 @@ "waf": "オペレーションズ" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "845f5f91-9c21-4674-a725-5ce890850e20", "id": "A01.49", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", @@ -585,18 +585,18 @@ "waf": "オペレーションズ" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", "id": "A01.50", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "Azure Application Gateway の WAF 構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", + "text": "Azure Application Gateway WAF 構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", "waf": "オペレーションズ" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", "id": "A01.51", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", 
@@ -607,40 +607,40 @@ "waf": "オペレーションズ" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", "id": "A01.52", "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "バックエンドの受信トラフィックをフィルター処理して、Application Gateway サブネットからの接続 (NSG など) のみを受け入れるようにします。", + "text": "バックエンドの受信トラフィックをフィルター処理して、Application Gateway サブネット (NSG など) からの接続のみを受け入れるようにします。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", "id": "A01.53", "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", "service": "Front Door", "severity": "中程度", "subcategory": "フロントドア", - "text": "配信元が Azure Front Door インスタンスからのトラフィックのみを受け取るようにします。", + "text": "配信元が Azure Front Door インスタンスからのトラフィックのみを受け取ることを確認します。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", "id": "A01.54", "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", "service": "App Gateway", "severity": "高い", "subcategory": "アプリケーション・ゲートウェイ", - "text": "バックエンド・サーバーへのトラフィックを暗号化する必要があります。", + "text": "バックエンド サーバーへのトラフィックを暗号化する必要があります。", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", "id": "A01.55", "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", 
@@ -651,29 +651,29 @@ "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", "id": "A01.56", "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "HTTPをHTTPSにリダイレクトする", + "text": "HTTP を HTTPS にリダイレクトする", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", "id": "A01.57", "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "ゲートウェイ管理の Cookie を使用して、ユーザー セッションから同じサーバーにトラフィックを送信して処理する", + "text": "ゲートウェイで管理される Cookie を使用して、ユーザーセッションからのトラフィックを同じサーバーに転送して処理する", "waf": "オペレーションズ" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", "id": "A01.58", "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", @@ -684,7 +684,7 @@ "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", "id": "A01.59", "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", 
@@ -695,29 +695,29 @@ "waf": "オペレーションズ" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", "id": "A01.60", "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "HTTPリクエストとレスポンスヘッダーを編集して、クライアントとサーバー間のルーティングと情報交換を容易にします", + "text": "HTTP 要求と応答ヘッダーを編集して、クライアントとサーバー間のルーティングと情報交換を容易にします", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", "id": "A01.61", "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "Front Door を構成して、グローバルな Web トラフィック ルーティングとトップレベルのエンド ユーザーのパフォーマンスを最適化し、迅速なグローバル フェールオーバーを通じて信頼性を確保します", + "text": "Front Door を構成して、グローバル Web トラフィックのルーティングと最上位のエンドユーザーのパフォーマンス、および迅速なグローバル フェイルオーバーによる信頼性を最適化する", "waf": "パフォーマンス" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "29dcc19f-a8fa-4c35-8281-290577538793", "id": "A01.62", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", @@ -728,7 +728,7 @@ "waf": "パフォーマンス" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", "id": "A01.63", "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", 
@@ -739,32 +739,32 @@ "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", "id": "A01.64", "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", "service": "App Gateway", "severity": "中程度", "subcategory": "アプリケーション・ゲートウェイ", - "text": "SSL証明書管理を一元化して、バックエンドサーバーファームからの暗号化と復号化のオーバーヘッドを削減", + "text": "SSL証明書管理を一元化して、バックエンドサーバーファームからの暗号化と復号化のオーバーヘッドを削減します", "waf": "安全" }, { - "category": "ネットワークトポロジと接続性", + "category": "ネットワーク トポロジと接続性", "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", "id": "A01.65", "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", "service": "App Gateway", "severity": "低い", "subcategory": "アプリケーション・ゲートウェイ", - "text": "Application Gateway を使用して WebSocket と HTTP/2 プロトコルをネイティブにサポートする", + "text": "Application Gateway を使用して WebSocket プロトコルと HTTP/2 プロトコルをネイティブにサポートする", "waf": "安全" } ], "metadata": { "name": "Azure Application Delivery Networking", "state": "GA", - "timestamp": "March 15, 2024", + "timestamp": "August 08, 2024", "waf": "all" }, "severities": [ @@ -780,7 +780,7 @@ ], "status": [ { - "description": "このチェックはまだ検討されていません", + "description": "このチェックはまだ見ていません", "name": "未確認" }, { @@ -788,12 +788,12 @@ "name": "開ける" }, { - "description": "このチェックは検証済みで、これ以上のアクションアイテムは関連付けられていません", + "description": "このチェックは検証済みであり、これ以上のアクション アイテムは関連付けられていません", "name": "達成" }, { - "description": "推奨事項は理解されているが、現在の要件では不要", - "name": "必要なし" + "description": "推奨事項は理解されているが、現在の要件では必要ではない", + "name": "必須ではありません" }, { "description": "現在のデザインには適用されません", diff --git a/checklists/network_appdelivery_checklist.ko.json b/checklists/network_appdelivery_checklist.ko.json index 78aeb20b1..94c51c874 100644 --- a/checklists/network_appdelivery_checklist.ko.json +++ b/checklists/network_appdelivery_checklist.ko.json 
@@ -1,12 +1,12 @@ { "categories": [ { - "name": "네트워크 토폴로지 및 연결" + "name": "네트워크 토폴로지 및 연결성" } ], "items": [ { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", "id": "A01.01", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", @@ -17,18 +17,18 @@ "waf": "작업" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "b71ca41b-3a80-48f3-a6cd-22cdf197c1cf", "id": "A01.02", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", "severity": "보통", "subcategory": "앱 제공", - "text": "랜딩 존 내에서 내부 연결(corp) 및 외부 연결 앱(온라인) 모두에 대해 앱 배달을 수행합니다.", + "text": "내부 연결(corp) 및 외부 연결 앱(온라인) 모두에 대해 landing zone 내에서 앱 배달을 수행합니다.", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", "guid": "553585a6-abe0-11ed-afa1-0242ac120002", "id": "A01.03", @@ -41,7 +41,7 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", "id": "A01.04", @@ -53,7 +53,7 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "9432621a-8397-4654-a882-5bc856b7ef83", "id": "A01.05", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", 
@@ -64,7 +64,7 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", "id": "A01.06", @@ -72,12 +72,12 @@ "service": "App Gateway", "severity": "보통", "subcategory": "앱 게이트웨이", - "text": "Application Gateway v2는 IP 접두사가 /24보다 크거나 같은 서브넷에 배포해야 합니다.", + "text": "Application Gateways v2는 IP 접두사가 /24보다 크거나 같은 서브넷에 배포해야 합니다.", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "description": "일반적으로 역방향 프록시 및 특히 WAF의 관리는 네트워킹보다 애플리케이션에 더 가깝기 때문에 앱과 동일한 구독에 속합니다. 연결 구독에서 Application Gateway 및 WAF를 중앙 집중화하는 것은 단일 팀에서 관리하는 경우 괜찮을 수 있습니다.", "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", "id": "A01.07", 
@@ -85,12 +85,12 @@ "service": "App Gateway", "severity": "보통", "subcategory": "앱 게이트웨이", - "text": "랜딩 영역 가상 네트워크 내에서 그리고 보안 중인 앱을 사용하여 인바운드 HTTP(S) 연결을 프록시하는 데 사용되는 Azure Application Gateway v2 또는 파트너 NVA를 배포합니다.", + "text": "랜딩 존 가상 네트워크 내에서 그리고 보안 중인 앱을 사용하여 인바운드 HTTP(S) 연결을 프록시하는 데 사용되는 Azure Application Gateway v2 또는 파트너 NVA를 배포합니다.", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", "id": "A01.08", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", @@ -102,7 +102,7 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", "id": "A01.09", @@ -110,12 +110,12 @@ "service": "App Gateway", "severity": "보통", "subcategory": "앱 게이트웨이", - "text": "최소 인스턴스 수를 2개로 자동 크기 조정을 구성합니다.", + "text": "최소 2개의 인스턴스로 자동 크기 조정을 구성합니다.", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "신뢰도" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", "id": "A01.10", 
@@ -123,12 +123,12 @@ "service": "App Gateway", "severity": "보통", "subcategory": "앱 게이트웨이", - "text": "가용성 영역에 Application Gateway 배포", + "text": "가용성 영역에 Application Gateway 배포Deploy Application Gateway across Availability Zones", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "신뢰도" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", "id": "A01.11", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", @@ -140,7 +140,7 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "3f29812b-2363-4cef-b179-b599de0d5973", "id": "A01.12", "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", @@ -153,7 +153,7 @@ }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", "id": "A01.13", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", @@ -165,19 +165,19 @@ "waf": "신뢰도" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", "id": "A01.14", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "Entra", "severity": "낮다", "subcategory": "앱 제공", - "text": "사용자가 내부 애플리케이션에만 액세스해야 하는 경우 Microsoft Entra ID 애플리케이션 프록시가 AVD(Azure Virtual Desktop)의 대안으로 고려되었나요?", + "text": "사용자가 내부 애플리케이션에만 액세스해야 하는 경우 Microsoft Entra ID 애플리케이션 프록시를 AVD(Azure Virtual Desktop)의 대안으로 고려했나요?", "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", "id": "A01.15", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", 
@@ -190,7 +190,7 @@ }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", "guid": "ae248989-b306-4591-9186-de482e3f0f0e", "id": "A01.16", @@ -198,12 +198,12 @@ "service": "Front Door", "severity": "높다", "subcategory": "정문", - "text": "'방지' 모드에서 Front Door에 대한 WAF 정책을 배포합니다.", + "text": "Web Application Firewall이 트래픽을 허용하거나 거부하기 위해 적절한 조치를 취하도록 Front Door에 대한 WAF 정책을 '방지' 모드'에 배포합니다.", "waf": "안전" }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", "id": "A01.17", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", 
@@ -215,18 +215,18 @@ }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", "id": "A01.18", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", "service": "Front Door", "severity": "높다", "subcategory": "정문", - "text": "Azure Front Door 및 원본에서 동일한 도메인 이름을 사용합니다. 호스트 이름이 일치하지 않으면 미묘한 버그가 발생할 수 있습니다.", + "text": "Azure Front Door 및 원본에서 동일한 도메인 이름을 사용합니다. 일치하지 않는 호스트 이름은 미묘한 버그를 유발할 수 있습니다.", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", "id": "A01.19", 
@@ -238,18 +238,18 @@ "waf": "공연" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", "id": "A01.20", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", "service": "Front Door", "severity": "보통", "subcategory": "정문", - "text": "Azure Front Door에 대한 양호한 상태 프로브 엔드포인트를 선택합니다. 애플리케이션의 모든 종속성을 확인하는 상태 엔드포인트를 빌드하는 것이 좋습니다.", + "text": "Azure Front Door에 대한 양호한 상태 프로브 엔드포인트를 선택합니다. 애플리케이션의 모든 종속성을 확인하는 상태 엔드포인트를 구축하는 것이 좋습니다.", "waf": "신뢰도" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", "id": "A01.21", @@ -262,7 +262,7 @@ }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", "id": "A01.22", @@ -275,7 +275,7 @@ }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", "id": "A01.23", 
@@ -287,7 +287,7 @@ "waf": "작업" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", "id": "A01.24", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", @@ -299,7 +299,7 @@ }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", "id": "A01.25", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", 
@@ -310,43 +310,43 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", "id": "A01.26", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", "service": "Front Door", "severity": "보통", "subcategory": "정문", - "text": "Azure Front Door에서 HTTP에서 HTTPS로 리디렉션을 사용합니다. 이전 클라이언트를 HTTPS 요청으로 자동 리디렉션하여 지원합니다.", + "text": "Azure Front Door에서 HTTP를 HTTPS로 리디렉션을 사용합니다. 이전 클라이언트를 HTTPS 요청으로 자동으로 리디렉션하여 지원합니다.", "waf": "안전" }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", "id": "A01.27", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", "service": "Front Door", "severity": "높다", "subcategory": "정문", - "text": "Azure Front Door WAF를 사용하도록 설정합니다. 다양한 공격으로부터 애플리케이션을 보호합니다.", + "text": "Azure Front Door WAF를 사용하도록 설정합니다. 다양한 공격으로부터 응용 프로그램을 보호합니다.", "waf": "안전" }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", "id": "A01.28", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", "service": "Front Door", "severity": "높다", "subcategory": "정문", - "text": "워크로드에 맞게 Azure Front Door WAF를 튜닝합니다. 가양성 탐지를 줄입니다.", + "text": "검색 모드에서 WAF를 구성하여 가양성 검색을 줄이고 수정하여 워크로드에 맞게 Azure Front Door WAF를 조정합니다.", "waf": "안전" }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", "id": "A01.29", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", 
@@ -358,7 +358,7 @@ }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", "id": "A01.30", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", @@ -370,7 +370,7 @@ }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", "id": "A01.31", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", @@ -381,7 +381,7 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", "id": "A01.32", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", @@ -392,7 +392,7 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "b9620385-1cde-418f-914b-a84a06982ffc", "id": "A01.33", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", 
@@ -403,41 +403,41 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", "id": "A01.34", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", "service": "Front Door", "severity": "보통", "subcategory": "정문", - "text": "Azure Front Door WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호 기능을 제공합니다. ", + "text": "Azure Front Door WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호를 제공합니다. ", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", "id": "A01.35", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", "service": "Front Door", "severity": "낮다", "subcategory": "정문", - "text": "모든 지역에서 트래픽이 발생하지 않을 것으로 예상되는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.", + "text": "모든 지역에서 트래픽이 발생할 것으로 예상되지 않는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "00acd8a9-6975-414f-8491-2be6309893b8", "id": "A01.36", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", "service": "Front Door", "severity": "보통", "subcategory": "정문", - "text": "Azure Front Door WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 않도록 합니다.", + "text": "Azure Front Door WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. 
IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 마세요.", "waf": "안전" }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", "id": "A01.37", @@ -445,12 +445,12 @@ "service": "App Gateway", "severity": "높다", "subcategory": "앱 게이트웨이", - "text": "Azure Application Gateway WAF 봇 보호 규칙 집합 사용Enable the Azure Application Gateway WAF bot protection rule set 봇 규칙은 좋은 봇과 나쁜 봇을 검색합니다.", + "text": "Azure Application Gateway WAF 봇 보호 규칙 집합을 사용하도록 설정합니다. 봇 규칙은 좋은 봇과 나쁜 봇을 감지합니다.", "waf": "안전" }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", "id": "A01.38", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", 
@@ -462,19 +462,19 @@ }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", "id": "A01.39", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", "service": "App Gateway", "severity": "높다", "subcategory": "앱 게이트웨이", - "text": "워크로드에 대한 Azure Application Gateway WAF를 조정합니다. 가양성 탐지를 줄입니다.", + "text": "워크로드에 대한 검색 모드에서 Azure Application Gateway WAF를 조정합니다. 거짓 긍정 탐지를 줄입니다.", "waf": "안전" }, { "ammp": true, - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", "id": "A01.40", @@ -486,7 +486,7 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", "id": "A01.41", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", 
@@ -497,40 +497,40 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", "id": "A01.42", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", "service": "App Gateway", "severity": "보통", "subcategory": "앱 게이트웨이", - "text": "Azure Application Gateway WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호 기능을 제공합니다. ", + "text": "Azure Application Gateway WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호를 제공합니다. ", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "99937189-ff78-492a-b9ca-18d828d82b37", "id": "A01.43", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", "service": "App Gateway", "severity": "낮다", "subcategory": "앱 게이트웨이", - "text": "모든 지역에서 트래픽이 발생하지 않을 것으로 예상되는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.", + "text": "모든 지역에서 트래픽이 발생할 것으로 예상되지 않는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", "id": "A01.44", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", "service": "App Gateway", "severity": "보통", "subcategory": "앱 게이트웨이", - "text": "Azure Application Gateway WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 않도록 합니다.", + "text": "Azure Application Gateway WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 마세요.", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", "id": "A01.45", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", 
@@ -541,7 +541,7 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", "id": "A01.46", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", @@ -552,7 +552,7 @@ "waf": "작업" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", "id": "A01.47", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", @@ -563,7 +563,7 @@ "waf": "작업" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "92664c60-47e3-4591-8b1b-8d557656e686", "id": "A01.48", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", @@ -574,7 +574,7 @@ "waf": "작업" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "845f5f91-9c21-4674-a725-5ce890850e20", "id": "A01.49", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", @@ -585,7 +585,7 @@ "waf": "작업" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", "id": "A01.50", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", @@ -596,7 +596,7 @@ "waf": "작업" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", "id": "A01.51", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", 
@@ -607,18 +607,18 @@ "waf": "작업" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", "id": "A01.52", "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", "service": "App Gateway", "severity": "보통", "subcategory": "앱 게이트웨이", - "text": "Application Gateway 서브넷의 연결(예: NSG 사용)만 허용하도록 백 엔드에서 인바운드 트래픽을 필터링합니다.", + "text": "예를 들어 NSG를 사용하여 Application Gateway 서브넷의 연결만 허용하도록 백 엔드에서 인바운드 트래픽을 필터링합니다.", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", "id": "A01.53", "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", @@ -629,18 +629,18 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", "id": "A01.54", "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", "service": "App Gateway", "severity": "높다", "subcategory": "앱 게이트웨이", - "text": "백 엔드 서버에 대한 트래픽을 암호화해야 합니다.", + "text": "백엔드 서버에 대한 트래픽을 암호화해야 합니다.", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", "id": "A01.55", "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", @@ -651,7 +651,7 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", "id": "A01.56", "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", @@ -662,7 +662,7 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", "id": "A01.57", "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", 
@@ -673,7 +673,7 @@ "waf": "작업" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", "id": "A01.58", "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", 
@@ -684,62 +684,62 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", "id": "A01.59", "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", "service": "App Gateway", "severity": "낮다", "subcategory": "앱 게이트웨이", - "text": "사용자 지정 오류 페이지를 만들어 개인화된 사용자 환경 표시", + "text": "사용자 지정 오류 페이지를 만들어 개인화된 사용자 환경을 표시합니다.", "waf": "작업" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", "id": "A01.60", "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", "service": "App Gateway", "severity": "보통", "subcategory": "앱 게이트웨이", - "text": "HTTP 요청 및 응답 헤더를 편집하여 클라이언트와 서버 간의 라우팅 및 정보 교환을 보다 쉽게 할 수 있습니다.", + "text": "클라이언트와 서버 간의 더 쉬운 라우팅 및 정보 교환을 위해 HTTP 요청 및 응답 헤더를 편집합니다.", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", "id": "A01.61", "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", "service": "App Gateway", "severity": "보통", "subcategory": "앱 게이트웨이", - "text": "빠른 글로벌 장애 조치(failover)를 통해 글로벌 웹 트래픽 라우팅 및 최상위 계층 최종 사용자 성능 및 안정성을 최적화하도록 Front Door 구성", + "text": "Front Door를 구성하여 글로벌 웹 트래픽 라우팅, 최상위 최종 사용자 성능 및 빠른 글로벌 장애 조치(failover)를 통해 안정성을 최적화합니다.", "waf": "공연" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "29dcc19f-a8fa-4c35-8281-290577538793", "id": "A01.62", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "service": "App Gateway", "severity": "보통", "subcategory": "앱 게이트웨이", - "text": "전송 계층 부하 분산 사용Use transport layer load balancing", + "text": "전송 계층 부하 분산 사용", "waf": "공연" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", "id": "A01.63", "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", "service": "App 
Gateway", "severity": "보통", "subcategory": "앱 게이트웨이", - "text": "단일 게이트웨이에서 여러 웹 응용 프로그램에 대한 호스트 또는 도메인 이름을 기반으로 라우팅 구성Configure routing based on host or domain name for multiple web applications on a single gateway", + "text": "단일 게이트웨이에서 여러 웹 응용 프로그램에 대한 호스트 또는 도메인 이름을 기반으로 라우팅을 구성합니다.", "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", "id": "A01.64", "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", @@ -750,7 +750,7 @@ "waf": "안전" }, { - "category": "네트워크 토폴로지 및 연결", + "category": "네트워크 토폴로지 및 연결성", "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", "id": "A01.65", "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", @@ -764,7 +764,7 @@ "metadata": { "name": "Azure Application Delivery Networking", "state": "GA", - "timestamp": "March 15, 2024", + "timestamp": "August 08, 2024", "waf": "all" }, "severities": [ @@ -792,7 +792,7 @@ "name": "성취" }, { - "description": "권장 사항은 이해되었지만 현재 요구 사항에 필요하지 않음", + "description": "권장 사항을 이해하지만 현재 요구 사항에 필요하지 않음", "name": "필요 없음" }, { diff --git a/checklists/network_appdelivery_checklist.pt.json b/checklists/network_appdelivery_checklist.pt.json index 78c0f3099..c305ace3b 100644 --- a/checklists/network_appdelivery_checklist.pt.json +++ b/checklists/network_appdelivery_checklist.pt.json 
@@ -1,159 +1,159 @@ { "categories": [ { - "name": "Topologia de rede e conectividade" + "name": "Topologia e conectividade de rede" } ], "items": [ { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", "id": "A01.01", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", "service": "Front Door", "severity": "Média", - "subcategory": "Porta da Frente", - "text": "Se você usar certificados TLS gerenciados pelo cliente com o Azure Front Door, use a versão de certificado 'Mais recente'. Reduzir o risco de paralisações causadas pela renovação manual de certificados", + "subcategory": "Porta da frente", + "text": "Se você usar certificados TLS gerenciados pelo cliente com o Azure Front Door, use a versão do certificado 'Mais recente'. Reduza o risco de interrupções causadas pela renovação manual de certificados", "waf": "Operações" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "b71ca41b-3a80-48f3-a6cd-22cdf197c1cf", "id": "A01.02", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", "severity": "Média", "subcategory": "Entrega de aplicativos", - "text": "Execute a entrega de aplicativos dentro das zonas de aterrissagem para aplicativos internos (corp) e externos (online).", + "text": "Execute a entrega de aplicativos em zonas de destino para aplicativos internos (corporativos) e externos (online).", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = 
properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", "guid": "553585a6-abe0-11ed-afa1-0242ac120002", "id": "A01.03", "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Verifique se você está usando o SKU do Application Gateway v2", + "subcategory": "Gateway de Aplicativo", + "text": "Verifique se você está usando o SKU do Gateway de Aplicativo v2", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", "id": "A01.04", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "service": "Load Balancer", "severity": "Média", - "subcategory": "Balanceador de Carga", - "text": "Verifique se você está usando a SKU padrão para seus Balanceadores de Carga do Azure", + "subcategory": "Balanceador de carga", + "text": "Verifique se você está usando o SKU Standard para seus Azure Load Balancers", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "9432621a-8397-4654-a882-5bc856b7ef83", "id": "A01.05", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", "service": "Load Balancer", "severity": "Média", - "subcategory": "Balanceador de Carga", - "text": "Verifique se os endereços IP de front-end dos Load Balancers são redundantes por zona (a menos que você precise de frontends zonais).", + "subcategory": "Balanceador de carga", + "text": "Verifique se os endereços IP de front-end dos Load Balancers têm redundância de zona (a menos que você precise de 
front-ends zonais).", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", "id": "A01.06", "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Seus Application Gateways v2 devem ser implantados em sub-redes com prefixos IP iguais ou maiores que /24", + "subcategory": "Gateway de Aplicativo", + "text": "Seus Gateways de Aplicativo v2 devem ser implantados em sub-redes com prefixos IP iguais ou maiores que /24", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", - "description": "A administração de proxies reversos em geral e do WAF em particular está mais próxima do aplicativo do que da rede, portanto, eles pertencem à mesma assinatura que o aplicativo. 
Centralizar o Application Gateway e o WAF na assinatura de conectividade pode ser OK se for gerenciado por uma única equipe.", + "category": "Topologia e conectividade de rede", + "description": "A administração de proxies reversos em geral e WAF em particular está mais próxima do aplicativo do que da rede, portanto, eles pertencem à mesma assinatura que o aplicativo. Centralizar o Gateway de Aplicativo e o WAF na assinatura de conectividade pode ser OK se ele for gerenciado por uma única equipe.", "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", "id": "A01.07", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Implante o Gateway de Aplicativo do Azure v2 ou NVAs de parceiros usados para fazer proxy de conexões HTTP(S) de entrada na rede virtual da zona de aterrissagem e com os aplicativos que eles estão protegendo.", + "subcategory": "Gateway de Aplicativo", + "text": "Implante o Gateway de Aplicativo do Azure v2 ou NVAs de parceiros usados para proxy de conexões HTTP(S) de entrada na rede virtual da zona de destino e com os aplicativos que eles estão protegendo.", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", "id": "A01.08", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Use uma rede DDoS ou planos de proteção IP para todos os endereços IP públicos nas zonas de aterrissagem do aplicativo.", + "subcategory": "Gateway de Aplicativo", + "text": "Use uma rede DDoS ou planos de proteção de IP para todos os endereços IP públicos em zonas de destino do aplicativo.", "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", "id": "A01.09", "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Configure o dimensionamento automático com uma quantidade mínima de duas instâncias.", + "subcategory": "Gateway de Aplicativo", + "text": "Configure o dimensionamento automático com uma quantidade mínima de instâncias de duas.", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Fiabilidade" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", "id": "A01.10", "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Implantar o Application Gateway em zonas de disponibilidade", + "subcategory": "Gateway de Aplicativo", + "text": "Implantar o Gateway de Aplicativo em Zonas de Disponibilidade", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Fiabilidade" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", 
"id": "A01.11", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "Front Door", "severity": "Média", - "subcategory": "Porta da Frente", - "text": "Use o Azure Front Door com políticas WAF para fornecer e ajudar a proteger aplicativos HTTP/S globais que abrangem várias regiões do Azure.", + "subcategory": "Porta da frente", + "text": "Use o Azure Front Door com políticas do WAF para fornecer e ajudar a proteger aplicativos HTTP/S globais que abrangem várias regiões do Azure.", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "3f29812b-2363-4cef-b179-b599de0d5973", "id": "A01.12", "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", "service": "Front Door", "severity": "Média", "subcategory": "Entrega de aplicativos", - "text": "Ao usar o Front Door e o Application Gateway para ajudar a proteger aplicativos HTTP/S, use políticas WAF no Front Door. Bloqueie o Application Gateway para receber tráfego somente do Front Door.", + "text": "Ao usar o Front Door e o Gateway de Aplicativo para ajudar a proteger aplicativos HTTP/S, use políticas WAF no Front Door. Bloqueie o Gateway de Aplicativo para receber tráfego somente do Front Door.", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", "id": "A01.13", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", 
@@ -165,606 +165,606 @@ "waf": "Fiabilidade" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", "id": "A01.14", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "Entra", "severity": "Baixo", "subcategory": "Entrega de aplicativos", - "text": "Se os usuários precisarem apenas de acesso a aplicativos internos, o Proxy de Aplicativo de ID do Microsoft Entra foi considerado uma alternativa à Área de Trabalho Virtual (AVD) do Azure?", + "text": "Se os usuários precisarem apenas de acesso a aplicativos internos, o Proxy de Aplicativo de ID do Microsoft Entra foi considerado como uma alternativa à AVD (Área de Trabalho Virtual) do Azure?", "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", "id": "A01.15", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "Entra", "severity": "Média", "subcategory": "Entrega de aplicativos", - "text": "Para reduzir o número de portas de firewall abertas para conexões de entrada em sua rede, considere o uso do Microsoft Entra ID Application Proxy para dar aos usuários remotos acesso seguro e autenticado a aplicativos internos.", + "text": "Para reduzir o número de portas de firewall abertas para conexões de entrada em sua rede, considere usar o Proxy de Aplicativo de ID do Microsoft Entra para fornecer aos usuários remotos acesso seguro e autenticado a aplicativos internos.", "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + 
"category": "Topologia e conectividade de rede", "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", "guid": "ae248989-b306-4591-9186-de482e3f0f0e", "id": "A01.16", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", "service": "Front Door", "severity": "Alto", - "subcategory": "Porta da Frente", - "text": "Implante sua política de WAF para Front Door no modo 'Prevenção'.", + "subcategory": "Porta da frente", + "text": "Implante sua política de WAF para o Front Door no modo 'Prevenção' para que o Firewall de Aplicativo Web tome as medidas apropriadas para permitir ou negar o tráfego.", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", "id": "A01.17", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", "service": "Front Door", "severity": "Alto", - "subcategory": "Porta da Frente", + "subcategory": "Porta da frente", "text": "Evite combinar o Gerenciador de Tráfego do Azure e o Azure Front Door.", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", "id": "A01.18", "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", "service": "Front Door", "severity": "Alto", - "subcategory": "Porta da Frente", + "subcategory": "Porta da frente", "text": "Use o mesmo nome de domínio no Azure Front Door e sua origem. Nomes de host incompatíveis podem causar bugs sutis.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", "id": "A01.19", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", "service": "Front Door", "severity": "Baixo", - "subcategory": "Porta da Frente", - "text": "Desabilite os testes de integridade quando houver apenas uma origem em um grupo de origem do Azure Front Door.", + "subcategory": "Porta da frente", + "text": "Desabilite as investigações de integridade quando houver apenas uma origem em um grupo de origens do Azure Front Door.", "waf": "Desempenho" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", "id": "A01.20", "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", "service": "Front Door", "severity": "Média", - "subcategory": "Porta da Frente", - "text": "Selecione bons pontos de extremidade de teste de integridade para o Azure Front Door. Considere a criação de pontos de extremidade de integridade que verifiquem todas as dependências do seu aplicativo.", + "subcategory": "Porta da frente", + "text": "Selecione pontos de extremidade de investigação de integridade boa para o Azure Front Door. Considere a criação de pontos de extremidade de integridade que verifiquem todas as dependências do aplicativo.", "waf": "Fiabilidade" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", "id": "A01.21", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", "service": "Front Door", "severity": "Baixo", - "subcategory": "Porta da Frente", - "text": "Use testes de integridade do HEAD com o Azure Front Door para reduzir o tráfego que o Front Door envia para seu aplicativo.", + "subcategory": "Porta da frente", + "text": "Use investigações de integridade HEAD com o Azure Front Door para reduzir o tráfego que o Front Door envia para seu aplicativo.", "waf": "Desempenho" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct 
id,compliant", "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", "id": "A01.22", "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", "service": "Load Balancer", "severity": "Alto", - "subcategory": "Balanceador de Carga", - "text": "Usar o Gateway NAT do Azure em vez das regras de saída do Load Balancer para melhor escalabilidade do SNAT", + "subcategory": "Balanceador de carga", + "text": "Usar o Gateway NAT do Azure em vez das regras de saída do Load Balancer para melhorar a escalabilidade SNAT", "waf": "Fiabilidade" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", "id": "A01.23", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", "service": "Front Door", "severity": "Alto", - "subcategory": "Porta da Frente", - "text": "Use certificados TLS gerenciados com o Azure Front Door. Reduza o custo operacional e o risco de paralisações devido a renovações de certificados.", + "subcategory": "Porta da frente", + "text": "Use certificados TLS gerenciados com o Azure Front Door. 
Reduza o custo operacional e o risco de interrupções devido a renovações de certificados.", "waf": "Operações" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", "id": "A01.24", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", "service": "Front Door", "severity": "Média", - "subcategory": "Porta da Frente", - "text": "Defina sua configuração do WAF do Azure Front Door como código. Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.", + "subcategory": "Porta da frente", + "text": "Defina a configuração do WAF do Azure Front Door como código. Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.", "waf": "Operações" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", "id": "A01.25", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", "service": "Front Door", "severity": "Alto", - "subcategory": "Porta da Frente", + "subcategory": "Porta da frente", "text": "Use o TLS de ponta a ponta com o Azure Front Door. Use o TLS para conexões de seus clientes com o Front Door e do Front Door com sua origem.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", "id": "A01.26", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", "service": "Front Door", "severity": "Média", - "subcategory": "Porta da Frente", - "text": "Use o redirecionamento HTTP para HTTPS com o Azure Front Door. 
Ofereça suporte a clientes mais antigos redirecionando-os para uma solicitação HTTPS automaticamente.", + "subcategory": "Porta da frente", + "text": "Use o redirecionamento de HTTP para HTTPS com o Azure Front Door. Ofereça suporte a clientes mais antigos redirecionando-os para uma solicitação HTTPS automaticamente.", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", "id": "A01.27", "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", "service": "Front Door", "severity": "Alto", - "subcategory": "Porta da Frente", - "text": "Habilite o WAF do Azure Front Door. Proteja seu aplicativo contra uma série de ataques.", + "subcategory": "Porta da frente", + "text": "Habilite o WAF do Azure Front Door. Proteja seu aplicativo contra uma variedade de ataques.", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", "id": "A01.28", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", "service": "Front Door", "severity": "Alto", - "subcategory": "Porta da Frente", - "text": "Ajuste o WAF do Azure Front Door para sua carga de trabalho. 
Reduza as detecções de falsos positivos.", + "subcategory": "Porta da frente", + "text": "Ajuste o WAF do Azure Front Door para sua carga de trabalho configurando o WAF no modo de detecção para reduzir e corrigir detecções de falsos positivos.", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", "id": "A01.29", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", "service": "Front Door", "severity": "Alto", - "subcategory": "Porta da Frente", - "text": "Habilite o recurso de inspeção do corpo de solicitação habilitado na política WAF do Azure Front Door.", + "subcategory": "Porta da frente", + "text": "Habilite o recurso de inspeção do corpo da solicitação habilitado na política do WAF do Azure Front Door.", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", "id": "A01.30", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", "service": "Front Door", "severity": "Alto", - "subcategory": "Porta da Frente", + "subcategory": "Porta da frente", "text": "Habilite os conjuntos de regras padrão do WAF do Azure Front Door. 
Os conjuntos de regras padrão detectam e bloqueiam ataques comuns.", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", "id": "A01.31", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", "service": "Front Door", "severity": "Alto", - "subcategory": "Porta da Frente", - "text": "Habilite o conjunto de regras de proteção de bot do WAF do Azure Front Door. As regras de bot detectam bots bons e ruins.", + "subcategory": "Porta da frente", + "text": "Habilite o conjunto de regras de proteção contra bot do WAF do Azure Front Door. As regras de bot detectam bots bons e ruins.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", "id": "A01.32", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", "service": "Front Door", "severity": "Média", - "subcategory": "Porta da Frente", - "text": "Use a versão mais recente do conjunto de regras do WAF do Azure Front Door. As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário atual de ameaças.", + "subcategory": "Porta da frente", + "text": "Use a versão mais recente do conjunto de regras do WAF do Azure Front Door. 
As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário de ameaças atual.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "b9620385-1cde-418f-914b-a84a06982ffc", "id": "A01.33", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", "service": "Front Door", "severity": "Média", - "subcategory": "Porta da Frente", - "text": "Adicione o limite de taxa ao WAF do Azure Front Door. A limitação de taxa bloqueia clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.", + "subcategory": "Porta da frente", + "text": "Adicione a limitação de taxa ao WAF do Azure Front Door. A limitação de taxa bloqueia os clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", "id": "A01.34", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", "service": "Front Door", "severity": "Média", - "subcategory": "Porta da Frente", - "text": "Use um limite alto para os limites de taxa do WAF do Azure Front Door. Limites de limite de taxa alta evitam o bloqueio de tráfego legítimo, ao mesmo tempo em que fornecem proteção contra um número extremamente alto de solicitações que podem sobrecarregar sua infraestrutura. ", + "subcategory": "Porta da frente", + "text": "Use um limite alto para os limites de taxa do WAF do Azure Front Door. 
Os limites de limite de taxa altos evitam o bloqueio do tráfego legítimo, ao mesmo tempo em que fornecem proteção contra números extremamente altos de solicitações que podem sobrecarregar sua infraestrutura. ", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", "id": "A01.35", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", "service": "Front Door", "severity": "Baixo", - "subcategory": "Porta da Frente", - "text": "Se você não está esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.", + "subcategory": "Porta da frente", + "text": "Se você não estiver esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "00acd8a9-6975-414f-8491-2be6309893b8", "id": "A01.36", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", "service": "Front Door", "severity": "Média", - "subcategory": "Porta da Frente", + "subcategory": "Porta da frente", "text": "Especifique o local desconhecido (ZZ) ao filtrar geograficamente o tráfego com o WAF do Azure Front Door. 
Evite bloquear acidentalmente solicitações legítimas quando os endereços IP não puderem ser correspondidos geograficamente.", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", "id": "A01.37", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", "service": "App Gateway", "severity": "Alto", - "subcategory": "Gateway de aplicativo", - "text": "Habilitar o conjunto de regras de proteção de bot WAF do Gateway de Aplicativo do Azure As regras de bot detectam bots bons e ruins.", + "subcategory": "Gateway de Aplicativo", + "text": "Habilite o conjunto de regras de proteção contra bot do WAF do Gateway de Aplicativo do Azure. 
As regras de bot detectam bots bons e ruins.", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", "id": "A01.38", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", "service": "App Gateway", "severity": "Alto", - "subcategory": "Gateway de aplicativo", - "text": "Habilite o recurso de inspeção do corpo de solicitação habilitado na política WAF do Gateway de Aplicativo do Azure.", + "subcategory": "Gateway de Aplicativo", + "text": "Habilite o recurso de inspeção do corpo da solicitação habilitado na política do WAF do Gateway de Aplicativo do Azure.", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", "id": "A01.39", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", "service": "App Gateway", "severity": "Alto", - "subcategory": "Gateway de aplicativo", - "text": "Ajuste o WAF do Gateway de Aplicativo do Azure para sua carga de trabalho. Reduza as detecções de falsos positivos.", + "subcategory": "Gateway de Aplicativo", + "text": "Ajuste o WAF do Gateway de Aplicativo do Azure no modo de detecção para sua carga de trabalho. 
Reduza as detecções de falsos positivos.", "waf": "Segurança" }, { "ammp": true, - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", "id": "A01.40", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", "service": "App Gateway", "severity": "Alto", - "subcategory": "Gateway de aplicativo", - "text": "Implante sua política de WAF para o Application Gateway no modo 'Prevenção'.", + "subcategory": "Gateway de Aplicativo", + "text": "Implante sua política de WAF para Gateway de Aplicativo no modo 'Prevenção'.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", "id": "A01.41", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Adicione o limite de taxa ao WAF do Gateway de Aplicativo do Azure. A limitação de taxa bloqueia clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.", + "subcategory": "Gateway de Aplicativo", + "text": "Adicione a limitação de taxa ao WAF do Gateway de Aplicativo do Azure. 
A limitação de taxa bloqueia os clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", "id": "A01.42", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Use um limite alto para os limites de taxa do WAF do Gateway de Aplicativo do Azure. Limites de limite de taxa alta evitam o bloqueio de tráfego legítimo, ao mesmo tempo em que fornecem proteção contra um número extremamente alto de solicitações que podem sobrecarregar sua infraestrutura. ", + "subcategory": "Gateway de Aplicativo", + "text": "Use um limite alto para os limites de taxa do WAF do Gateway de Aplicativo do Azure. Os limites de limite de taxa altos evitam o bloqueio do tráfego legítimo, ao mesmo tempo em que fornecem proteção contra números extremamente altos de solicitações que podem sobrecarregar sua infraestrutura. 
", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "99937189-ff78-492a-b9ca-18d828d82b37", "id": "A01.43", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", "service": "App Gateway", "severity": "Baixo", - "subcategory": "Gateway de aplicativo", - "text": "Se você não está esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.", + "subcategory": "Gateway de Aplicativo", + "text": "Se você não estiver esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", "id": "A01.44", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", + "subcategory": "Gateway de Aplicativo", "text": "Especifique o local desconhecido (ZZ) ao filtrar geograficamente o tráfego com o WAF do Gateway de Aplicativo do Azure. Evite bloquear acidentalmente solicitações legítimas quando os endereços IP não puderem ser correspondidos geograficamente.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", "id": "A01.45", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Use a versão mais recente do conjunto de regras do WAF do Gateway de Aplicativo do Azure. 
As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário atual de ameaças.", + "subcategory": "Gateway de Aplicativo", + "text": "Use a versão mais recente do conjunto de regras do WAF do Gateway de Aplicativo do Azure. As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário de ameaças atual.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", "id": "A01.46", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Adicione configurações de diagnóstico para salvar seus logs WAF do Gateway de Aplicativo do Azure.", + "subcategory": "Gateway de Aplicativo", + "text": "Adicione configurações de diagnóstico para salvar os logs do WAF do Gateway de Aplicativo do Azure.", "waf": "Operações" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", "id": "A01.47", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", "service": "Front Door", "severity": "Média", - "subcategory": "Porta da Frente", - "text": "Adicione configurações de diagnóstico para salvar seus logs do WAF do Azure Front Door.", + "subcategory": "Porta da frente", + "text": "Adicione configurações de diagnóstico para salvar os logs do WAF do Azure Front Door.", "waf": "Operações" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "92664c60-47e3-4591-8b1b-8d557656e686", "id": "A01.48", "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", + "subcategory": "Gateway de Aplicativo", "text": "Envie logs do WAF do Gateway de Aplicativo do Azure para o Microsoft Sentinel.", "waf": "Operações" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "845f5f91-9c21-4674-a725-5ce890850e20", "id": "A01.49", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", "service": "Front Door", "severity": "Média", - "subcategory": "Porta da Frente", + "subcategory": "Porta da frente", "text": "Envie logs do WAF do Azure Front Door para o Microsoft Sentinel.", "waf": "Operações" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", "id": "A01.50", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Defina sua configuração do WAF do Gateway de Aplicativo do Azure como código. Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.", + "subcategory": "Gateway de Aplicativo", + "text": "Defina a configuração do WAF do Gateway de Aplicativo do Azure como código. 
Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.", "waf": "Operações" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", "id": "A01.51", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Use políticas de WAF em vez da configuração de WAF herdada.", + "subcategory": "Gateway de Aplicativo", + "text": "Use as Políticas do WAF em vez da configuração herdada do WAF.", "waf": "Operações" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", "id": "A01.52", "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Filtre o tráfego de entrada nos back-ends para que eles só aceitem conexões da sub-rede do Application Gateway, por exemplo, com NSGs.", + "subcategory": "Gateway de Aplicativo", + "text": "Filtre o tráfego de entrada nos back-ends para que eles aceitem apenas conexões da sub-rede do Gateway de Aplicativo, por exemplo, com NSGs.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", "id": "A01.53", "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", "service": "Front Door", "severity": "Média", - "subcategory": "Porta da Frente", - "text": "Certifique-se de que suas origens recebam apenas o tráfego de sua instância do Azure Front Door.", + "subcategory": "Porta da frente", + "text": "Verifique se suas origens recebem apenas o tráfego da instância do Azure Front 
Door.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", "id": "A01.54", "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", "service": "App Gateway", "severity": "Alto", - "subcategory": "Gateway de aplicativo", + "subcategory": "Gateway de Aplicativo", "text": "Você deve criptografar o tráfego para os servidores de back-end.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", "id": "A01.55", "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", "service": "App Gateway", "severity": "Alto", - "subcategory": "Gateway de aplicativo", + "subcategory": "Gateway de Aplicativo", "text": "Você deve usar um Web Application Firewall.", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", "id": "A01.56", "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", + "subcategory": "Gateway de Aplicativo", "text": "Redirecionar HTTP para HTTPS", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", "id": "A01.57", "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Usar cookies gerenciados por gateway para direcionar o tráfego de uma sessão de usuário para o mesmo servidor para processamento", + "subcategory": "Gateway de Aplicativo", + "text": "Use cookies 
gerenciados por gateway para direcionar o tráfego de uma sessão de usuário para o mesmo servidor para processamento", "waf": "Operações" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", "id": "A01.58", "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", "service": "App Gateway", "severity": "Alto", - "subcategory": "Gateway de aplicativo", - "text": "Habilite a drenagem de conexão durante as atualizações de serviço planejadas para evitar a perda de conexão com membrs existentes do pool de back-end", + "subcategory": "Gateway de Aplicativo", + "text": "Habilitar a drenagem de conexão durante atualizações de serviço planejadas para evitar a perda de conexão para membros existentes do pool de back-end", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", "id": "A01.59", "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", "service": "App Gateway", "severity": "Baixo", - "subcategory": "Gateway de aplicativo", - "text": "Criar páginas de erro personalizadas para exibir uma experiência de usuário personalizada", + "subcategory": "Gateway de Aplicativo", + "text": "Crie páginas de erro personalizadas para exibir uma experiência de usuário personalizada", "waf": "Operações" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", "id": "A01.60", "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", + "subcategory": "Gateway de Aplicativo", "text": "Edite solicitações HTTP e cabeçalhos de resposta para facilitar o roteamento e a troca de informações entre o cliente 
e o servidor", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", "id": "A01.61", "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Configure o Front Door para otimizar o roteamento de tráfego global da Web e o desempenho do usuário final de nível superior e a confiabilidade por meio de failover global rápido", + "subcategory": "Gateway de Aplicativo", + "text": "Configure o Front Door para otimizar o roteamento de tráfego da Web global e o desempenho e a confiabilidade do usuário final de nível superior por meio de failover global rápido", "waf": "Desempenho" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "29dcc19f-a8fa-4c35-8281-290577538793", "id": "A01.62", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Usar balanceamento de carga da camada de transporte", + "subcategory": "Gateway de Aplicativo", + "text": "Usar o balanceamento de carga da camada de transporte", "waf": "Desempenho" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", "id": "A01.63", "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Configurar o roteamento com base no host ou nome de domínio para vários aplicativos Web em um único gateway", + "subcategory": "Gateway de Aplicativo", + "text": "Configurar o roteamento com base no host ou no nome de domínio para vários aplicativos Web em um único gateway", "waf": 
"Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", "id": "A01.64", "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", "service": "App Gateway", "severity": "Média", - "subcategory": "Gateway de aplicativo", - "text": "Centralize o gerenciamento de certificados SSL para reduzir a sobrecarga de criptografia e descriptografia de um farm de servidores back-end", + "subcategory": "Gateway de Aplicativo", + "text": "Centralize o gerenciamento de certificados SSL para reduzir a sobrecarga de criptografia e descriptografia de um farm de servidores de back-end", "waf": "Segurança" }, { - "category": "Topologia de rede e conectividade", + "category": "Topologia e conectividade de rede", "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", "id": "A01.65", "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", "service": "App Gateway", "severity": "Baixo", - "subcategory": "Gateway de aplicativo", - "text": "Usar o Application Gateway para suporte nativo para protocolos WebSocket e HTTP/2", + "subcategory": "Gateway de Aplicativo", + "text": "Usar o Gateway de Aplicativo para obter suporte nativo para protocolos WebSocket e HTTP/2", "waf": "Segurança" } ], "metadata": { "name": "Azure Application Delivery Networking", "state": "GA", - "timestamp": "March 15, 2024", + "timestamp": "August 08, 2024", "waf": "all" }, "severities": [ @@ -788,7 +788,7 @@ "name": "Abrir" }, { - "description": "Essa verificação foi verificada e não há outros itens de ação associados a ela", + "description": "Essa verificação foi verificada e não há mais itens de ação associados a ela", "name": "Cumprido" }, { @@ -796,7 +796,7 @@ "name": "Não é necessário" }, { - "description": "Não aplicável ao projeto atual", + "description": "Não aplicável para o projeto atual", "name": "N/A" } ], 
diff --git a/checklists/network_appdelivery_checklist.zh-Hant.json b/checklists/network_appdelivery_checklist.zh-Hant.json index ad6337422..79dccb460 100644 --- a/checklists/network_appdelivery_checklist.zh-Hant.json +++ b/checklists/network_appdelivery_checklist.zh-Hant.json @@ -13,7 +13,7 @@ "service": "Front Door", "severity": "中等", "subcategory": "前門", - "text": "如果將客戶管理的 TLS 證書用於 Azure Front Door,請使用“最新”證書版本。降低手動續訂證書導致的中斷風險", + "text": "如果將客戶管理的 TLS 證書用於 Azure Front Door,請使用“最新”證書版本。降低手動證書續訂導致的中斷風險", "waf": "操作" }, { @@ -23,7 +23,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", "severity": "中等", "subcategory": "應用交付", - "text": "在面向內部 (corp) 和面向外部的應用 (online) 的登陸區域內執行應用交付。", + "text": "在登陸區域內為面向內部 (corp) 和面向外部的應用 (online) 執行應用交付。", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, @@ -35,7 +35,7 @@ "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", "service": "App Gateway", "severity": "中等", - "subcategory": "應用程式閘道", + "subcategory": "應用閘道", "text": "確保使用應用程式閘道 v2 SKU", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" @@ -49,7 +49,7 @@ "service": "Load Balancer", "severity": "中等", "subcategory": "負載均衡器", - "text": "確保將標準 SKU 用於 Azure 負載均衡器", + "text": "請確保對 Azure 負載均衡器使用標準 SKU", "waf": "安全" }, { @@ -60,7 +60,7 @@ "service": "Load Balancer", "severity": "中等", "subcategory": "負載均衡器", - "text": "確保負載均衡器前端IP位址是區域冗餘的(除非需要區域性前端)。", + "text": "確保負載均衡器前端IP位址是區域冗餘的(除非需要區域前端)。", "waf": "安全" }, { 
@@ -71,21 +71,21 @@ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", "service": "App Gateway", "severity": "中等", - "subcategory": "應用程式閘道", + "subcategory": "應用閘道", "text": "應用程式閘道 v2 應部署在IP前綴等於或大於 /24 的子網中", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { "category": "網路拓撲和連接", - "description": "一般而言,反向代理的管理,特別是 WAF 的管理更接近應用程式而不是網路,因此它們與應用程式屬於同一訂閱。如果應用程式閘道和 WAF 由單個團隊管理,則在連接訂閱中集中應用程式閘道和 WAF 可能是可以的。", + "description": "一般而言,反向代理(尤其是 WAF)的管理更接近應用程式,而不是網路,因此它們與應用程式屬於同一訂閱。如果應用程式閘道和 WAF 由一個團隊管理,則在連接訂閱中集中管理應用程式閘道和 WAF 可能是可以的。", "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", "id": "A01.07", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "App Gateway", "severity": "中等", - "subcategory": "應用程式閘道", - "text": "部署 Azure 應用程式閘道 v2 或合作夥伴 NVA,用於在登陸區域虛擬網路中代理入站 HTTP(S) 連接,並使用它們所保護的應用。", + "subcategory": "應用閘道", + "text": "部署 Azure 應用程式閘道 v2 或合作夥伴 NVA,用於在登陸區域虛擬網路中代理入站 HTTP(S) 連接,並與其保護的應用一起使用。", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, @@ -96,7 +96,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "App Gateway", "severity": "中等", - "subcategory": "應用程式閘道", + "subcategory": "應用閘道", "text": "對應用程式登陸區域中的所有公共IP位址使用 DDoS 網路或IP保護計畫。", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" @@ -109,8 +109,8 @@ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", "service": "App Gateway", "severity": "中等", - "subcategory": "應用程式閘道", - "text": "使用至少兩個實例數配置自動縮放。", + "subcategory": "應用閘道", + "text": "配置自動縮放,最小實例數為 2。", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "可靠性" }, 
@@ -122,7 +122,7 @@
 "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "跨可用性區域部署應用程式閘道",
 "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
 "waf": "可靠性"
@@ -135,7 +135,7 @@
 "service": "Front Door",
 "severity": "中等",
 "subcategory": "前門",
- "text": "將 Azure Front Door 與 WAF 策略配合使用,以交付和幫助保護跨多個 Azure 區域的全域 HTTP/S 應用。",
+ "text": "將 Azure Front Door 與 WAF 策略結合使用,以交付並幫助保護跨多個 Azure 區域的全球 HTTP/S 應用。",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "安全"
 },
@@ -160,7 +160,7 @@
 "service": "Traffic Manager",
 "severity": "高",
 "subcategory": "流量管理員",
- "text": "使用流量管理器提供跨 HTTP/S 以外的協定的全域應用。",
+ "text": "使用流量管理器交付跨 HTTP/S 以外的協定的全域應用。",
 "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "可靠性"
 },
@@ -172,7 +172,7 @@
 "service": "Entra",
 "severity": "低",
 "subcategory": "應用交付",
- "text": "如果使用者只需要訪問內部應用程式,是否考慮將 Microsoft Entra ID 應用程式代理作為 Azure 虛擬桌面 (AVD) 的替代方法?",
+ "text": "如果使用者只需要存取內部應用程式,Microsoft Entra ID 應用程式代理是否被視為 Azure 虛擬桌面 (AVD) 的替代方案?",
 "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
 "waf": "安全"
 },
@@ -184,7 +184,7 @@
 "service": "Entra",
 "severity": "中等",
 "subcategory": "應用交付",
- "text": "若要減少為網路中的傳入連接打開的防火牆埠數,請考慮使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對內部應用程式的安全且經過身份驗證的訪問。",
+ "text": "若要減少為網路中的傳入連接打開的防火牆埠數,請考慮使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對內部應用程式的安全和經過身份驗證的訪問。",
 "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
 "waf": "安全"
 },
@@ -198,7 +198,7 @@
 "service": "Front Door",
 "severity": "高",
 "subcategory": "前門",
- "text": "在「預防」模式下部署 Front Door 的 WAF 策略。",
+ "text": "在「預防」模式下部署 Front Door 的 WAF 策略,以便 Web 應用程式防火牆採取適當的措施來允許或拒絕流量。",
 "waf": "安全"
 },
 {
@@ -210,7 +210,7 @@
 "service": "Front Door",
 "severity": "高",
 "subcategory": "前門",
- "text": "避免將 Azure 流量管理器和 Azure Front Door 結合使用。",
+ "text": "避免結合使用 Azure 流量管理器和 Azure Front Door。",
 "waf": "安全"
 },
 {
@@ -245,7 +245,7 @@
 "service": "Front Door",
 "severity": "中等",
 "subcategory": "前門",
- "text": "為 Azure Front Door 選擇良好的運行狀況探測終結點。請考慮構建運行狀況終結點,以檢查應用程式的所有依賴項。",
+ "text": "為 Azure Front Door 選擇良好的運行狀況探測終結點。請考慮構建用於檢查應用程式的所有依賴項的運行狀況終結點。",
 "waf": "可靠性"
 },
 {
@@ -270,7 +270,7 @@
 "service": "Load Balancer",
 "severity": "高",
 "subcategory": "負載均衡器",
- "text": "使用 Azure NAT 閘道而不是負載均衡器出站規則,以獲得更好的 SNAT 可伸縮性",
+ "text": "使用 Azure NAT 閘道而不是負載均衡器出站規則來提高 SNAT 可伸縮性",
 "waf": "可靠性"
 },
 {
@@ -283,7 +283,7 @@
 "service": "Front Door",
 "severity": "高",
 "subcategory": "前門",
- "text": "將託管 TLS 證書與 Azure Front Door 配合使用。降低運營成本和因證書續訂而導致的中斷風險。",
+ "text": "將託管 TLS 證書與 Azure Front Door 配合使用。降低運營成本和因證書續訂而導致的停機風險。",
 "waf": "操作"
 },
 {
@@ -306,7 +306,7 @@
 "service": "Front Door",
 "severity": "高",
 "subcategory": "前門",
- "text": "將端到端 TLS 與 Azure Front Door 配合使用。使用 TLS 進行從用戶端到 Front Door 的連接,以及從 Front Door 到源的連接。",
+ "text": "將端到端 TLS 與 Azure Front Door 配合使用。使用 TLS 建立從用戶端到 Front Door 的連接,以及從 Front Door 到源的連接。",
 "waf": "安全"
 },
 {
@@ -317,7 +317,7 @@
 "service": "Front Door",
 "severity": "中等",
 "subcategory": "前門",
- "text": "將 HTTP 到 HTTPS 重定向與 Azure Front Door 配合使用。通過自動將較舊的用戶端重定向到 HTTPS 請求來支援它們。",
+ "text": "將 HTTP 到 HTTPS 重定向與 Azure Front Door 配合使用。通過自動將舊用戶端重定向到 HTTPS 請求來支持它們。",
 "waf": "安全"
 },
 {
@@ -341,7 +341,7 @@
 "service": "Front Door",
 "severity": "高",
 "subcategory": "前門",
- "text": "針對工作負載優化 Azure Front Door WAF。減少誤報檢測。",
+ "text": "通過在檢測模式下配置 WAF,為工作負載優化 Azure Front Door WAF,以減少和修復誤報檢測。",
 "waf": "安全"
 },
 {
@@ -377,7 +377,7 @@
 "service": "Front Door",
 "severity": "高",
 "subcategory": "前門",
- "text": "啟用 Azure Front Door WAF 機器人保護規則集。機器人規則檢測好的和壞的機器人。",
+ "text": "啟用 Azure Front Door WAF 機器人保護規則集。機器人規則可檢測好的和壞的機器人。",
 "waf": "安全"
 },
 {
@@ -399,7 +399,7 @@
 "service": "Front Door",
 "severity": "中等",
 "subcategory": "前門",
- "text": "向 Azure Front Door WAF 添加速率限制。速率限制會阻止客戶端在短時間內意外或有意發送大量流量。",
+ "text": "向 Azure Front Door WAF 添加速率限制。速率限制可阻止客戶端在短時間內意外或有意發送大量流量。",
 "waf": "安全"
 },
 {
@@ -410,7 +410,7 @@
 "service": "Front Door",
 "severity": "中等",
 "subcategory": "前門",
- "text": "對 Azure Front Door WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可針對可能使基礎結構不堪重負的大量請求提供保護。",
+ "text": "對 Azure Front Door WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可防止可能使基礎結構不堪重負的極大量請求。",
 "waf": "安全"
 },
 {
@@ -421,7 +421,7 @@
 "service": "Front Door",
 "severity": "低",
 "subcategory": "前門",
- "text": "如果您不希望收到來自所有地理區域的流量,請使用地理篩選器來阻止來自非預期國家/地區的流量。",
+ "text": "如果您不希望來自所有地理區域的流量,請使用地理篩檢程式來阻止來自非預期國家/地區的流量。",
 "waf": "安全"
 },
 {
@@ -432,7 +432,7 @@
 "service": "Front Door",
 "severity": "中等",
 "subcategory": "前門",
- "text": "使用 Azure Front Door WAF 對流量進行地理篩選時,請指定未知 (ZZ) 位置。避免在IP位址無法進行地理匹配時意外阻止合法請求。",
+ "text": "使用 Azure Front Door WAF 對流量進行地理篩選時,指定未知 (ZZ) 位置。避免在IP位址無法進行地理匹配時意外阻止合法請求。",
 "waf": "安全"
 },
 {
@@ -444,8 +444,8 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
 "service": "App Gateway",
 "severity": "高",
- "subcategory": "應用程式閘道",
- "text": "啟用 Azure 應用程式閘道 WAF 機器人保護規則集 機器人規則可檢測好機器人和壞機器人。",
+ "subcategory": "應用閘道",
+ "text": "啟用 Azure 應用程式閘道 WAF 機器人保護規則集。機器人規則可檢測好的和壞的機器人。",
 "waf": "安全"
 },
 {
@@ -456,8 +456,8 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
 "service": "App Gateway",
 "severity": "高",
- "subcategory": "應用程式閘道",
- "text": "啟用 Azure 應用程式閘道 WAF 策略中啟用的請求正文檢查功能。",
+ "subcategory": "應用閘道",
+ "text": "啟用在 Azure 應用程式閘道 WAF 策略中啟用的請求正文檢查功能。",
 "waf": "安全"
 },
 {
@@ -468,8 +468,8 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
 "service": "App Gateway",
 "severity": "高",
- "subcategory": "應用程式閘道",
- "text": "針對工作負載優化 Azure 應用程式閘道 WAF。減少誤報檢測。",
+ "subcategory": "應用閘道",
+ "text": "在檢測模式下針對工作負載優化 Azure 應用程式閘道 WAF。減少誤報檢測。",
 "waf": "安全"
 },
 {
@@ -481,8 +481,8 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
 "service": "App Gateway",
 "severity": "高",
- "subcategory": "應用程式閘道",
- "text": "在「防護」模式下部署應用程式閘道的 WAF 策略。",
+ "subcategory": "應用閘道",
+ "text": "在「預防」模式下部署應用程式閘道的 WAF 策略。",
 "waf": "安全"
 },
 {
@@ -492,8 +492,8 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
- "text": "向 Azure 應用程式閘道 WAF 添加速率限制。速率限制會阻止客戶端在短時間內意外或有意發送大量流量。",
+ "subcategory": "應用閘道",
+ "text": "向 Azure 應用程式閘道 WAF 添加速率限制。速率限制可阻止客戶端在短時間內意外或有意發送大量流量。",
 "waf": "安全"
 },
 {
@@ -503,8 +503,8 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
- "text": "對 Azure 應用程式閘道 WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可針對可能使基礎結構不堪重負的大量請求提供保護。",
+ "subcategory": "應用閘道",
+ "text": "對 Azure 應用程式閘道 WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可防止可能使基礎結構不堪重負的極大量請求。",
 "waf": "安全"
 },
 {
@@ -514,8 +514,8 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices",
 "service": "App Gateway",
 "severity": "低",
- "subcategory": "應用程式閘道",
- "text": "如果您不希望收到來自所有地理區域的流量,請使用地理篩選器來阻止來自非預期國家/地區的流量。",
+ "subcategory": "應用閘道",
+ "text": "如果您不希望來自所有地理區域的流量,請使用地理篩檢程式來阻止來自非預期國家/地區的流量。",
 "waf": "安全"
 },
 {
@@ -525,8 +525,8 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
- "text": "使用 Azure 應用程式閘道 WAF 對流量進行地理篩選時,請指定未知 (ZZ) 位置。避免在IP位址無法進行地理匹配時意外阻止合法請求。",
+ "subcategory": "應用閘道",
+ "text": "使用 Azure 應用程式閘道 WAF 對流量進行地理篩選時,指定未知 (ZZ) 位置。避免在IP位址無法進行地理匹配時意外阻止合法請求。",
 "waf": "安全"
 },
 {
@@ -536,7 +536,7 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "使用最新的 Azure 應用程式閘道 WAF 規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。",
 "waf": "安全"
 },
@@ -547,7 +547,7 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "添加診斷設置以保存 Azure 應用程式閘道 WAF 紀錄。",
 "waf": "操作"
 },
@@ -569,7 +569,7 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "將 Azure 應用程式閘道 WAF 紀錄發送到 Microsoft Sentinel。",
 "waf": "操作"
 },
@@ -591,7 +591,7 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "將 Azure 應用程式閘道 WAF 設定定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。",
 "waf": "操作"
 },
@@ -602,7 +602,7 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "使用 WAF 策略而不是舊版 WAF 配置。",
 "waf": "操作"
 },
@@ -613,8 +613,8 @@
 "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
- "text": "篩選後端中的入站流量,以便它們僅接受來自應用程式閘道子網的連接,例如使用NSG。",
+ "subcategory": "應用閘道",
+ "text": "篩選後端中的入站流量,以便它們僅接受來自應用程式閘道子網的連接,例如與 NSG 的連接。",
 "waf": "安全"
 },
 {
@@ -625,7 +625,7 @@
 "service": "Front Door",
 "severity": "中等",
 "subcategory": "前門",
- "text": "確保源僅從 Azure Front Door 實例獲取流量。",
+ "text": "確保源僅接收來自 Azure Front Door 實例的流量。",
 "waf": "安全"
 },
 {
@@ -635,8 +635,8 @@
 "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
 "service": "App Gateway",
 "severity": "高",
- "subcategory": "應用程式閘道",
- "text": "您應該對發往後端伺服器的流量進行加密。",
+ "subcategory": "應用閘道",
+ "text": "您應該對流向後端伺服器的流量進行加密。",
 "waf": "安全"
 },
 {
@@ -646,7 +646,7 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
 "service": "App Gateway",
 "severity": "高",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "您應該使用 Web 應用程式防火牆。",
 "waf": "安全"
 },
@@ -657,7 +657,7 @@
 "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "將 HTTP 重定向到 HTTPS",
 "waf": "安全"
 },
@@ -668,7 +668,7 @@
 "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "使用閘道管理的 Cookie 將流量從使用者工作階段定向到同一伺服器進行處理",
 "waf": "操作"
 },
@@ -679,8 +679,8 @@
 "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
 "service": "App Gateway",
 "severity": "高",
- "subcategory": "應用程式閘道",
- "text": "在計劃的服務更新期間啟用連接耗盡,以防止與後端池的現有 membr 的連接丟失",
+ "subcategory": "應用閘道",
+ "text": "在計劃的服務更新期間啟用連接耗盡,以防止與後端池的現有成員的連接丟失",
 "waf": "安全"
 },
 {
@@ -690,7 +690,7 @@
 "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
 "service": "App Gateway",
 "severity": "低",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "創建自訂錯誤頁面以顯示個人化的用戶體驗",
 "waf": "操作"
 },
@@ -701,7 +701,7 @@
 "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "編輯 HTTP 請求和回應標頭,以便更輕鬆地在用戶端和伺服器之間進行路由和資訊交換",
 "waf": "安全"
 },
@@ -712,8 +712,8 @@
 "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
- "text": "配置 Front Door,通過快速全域故障轉移優化全球 Web 流量路由和頂級最終使用者性能和可靠性",
+ "subcategory": "應用閘道",
+ "text": "配置 Front Door 以優化全球 Web 流量路由和頂級最終使用者性能,並通過快速全域故障轉移實現可靠性",
 "waf": "性能"
 },
 {
@@ -723,8 +723,8 @@
 "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
- "text": "使用傳輸層負載平衡",
+ "subcategory": "應用閘道",
+ "text": "使用傳輸層負載均衡",
 "waf": "性能"
 },
 {
@@ -734,7 +734,7 @@
 "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "根據主機名或域名為單個閘道上的多個 Web 應用程式配置路由",
 "waf": "安全"
 },
@@ -745,7 +745,7 @@
 "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal",
 "service": "App Gateway",
 "severity": "中等",
- "subcategory": "應用程式閘道",
+ "subcategory": "應用閘道",
 "text": "集中管理 SSL 證書,以減少後端伺服器場的加密和解密開銷",
 "waf": "安全"
 },
@@ -756,15 +756,15 @@
 "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
 "service": "App Gateway",
 "severity": "低",
- "subcategory": "應用程式閘道",
- "text": "使用應用程式閘道對 WebSocket 和 HTTP/2 協定提供本機支援",
+ "subcategory": "應用閘道",
+ "text": "使用應用程式閘道獲得對 WebSocket 和 HTTP/2 協定的本機支援",
 "waf": "安全"
 }
 ],
 "metadata": {
 "name": "Azure Application Delivery Networking",
 "state": "GA",
- "timestamp": "March 15, 2024",
+ "timestamp": "August 08, 2024",
 "waf": "all"
 },
 "severities": [
@@ -784,11 +784,11 @@
 "name": "未驗證"
 },
 {
- "description": "有一個與此檢查關聯的措施項",
+ "description": "有一個與此檢查關聯的操作項",
 "name": "打開"
 },
 {
- "description": "此檢查已通過驗證,並且沒有與之關聯的進一步操作項",
+ "description": "此檢查已經過驗證,並且沒有與之關聯的其他操作項",
 "name": "實現"
 },
 {
@@ -797,7 +797,7 @@
 },
 {
 "description": "不適用於當前設計",
- "name": "不適用"
+ "name": "N/A"
 }
 ],
 "waf": [
diff --git a/checklists/waf_checklist.en.json b/checklists/waf_checklist.en.json
index 0f13e838a..acb339bc5 100644
--- a/checklists/waf_checklist.en.json
+++ b/checklists/waf_checklist.en.json
@@ -1,2134 +1,1687 @@
 {
 "items": [
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
- "service": "IoT Hub DPS",
- "severity": "High",
- "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "IoT Hub DPS",
- "severity": "High",
- "text": "Protect logic apps from region failures with zone redundancy and availability zones",
- "waf": "Reliability"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Implement an error handling policy at the global level",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "8aed4fbf-0830-4883-899d-222a154af478",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "IoT Hub DPS",
- "severity": "High",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08",
+ "link": 
"https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Ensure all APIs policies include a element.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "IoT Hub DPS",
- "severity": "High",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
- "waf": "Reliability"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902",
+ "link": "https://learn.microsoft.com/azure/api-management/policy-fragments",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "IoT Hub DPS",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a",
+ "link": "https://learn.microsoft.com/azure/api-management/monetization-support",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
+ "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Devices/deviceUpdateServices",
- "checklist": "Device Update Review",
- "guid": 
"0e03f5ee-4648-423c-bb86-7239480f9171",
- "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
- "service": "Device Update for IoT Hub",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs",
+ "service": "APIM",
 "severity": "High",
- "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).",
- "waf": "Reliability"
+ "text": "Enable Diagnostics Settings to export logs to Azure Monitor",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Devices/deviceUpdateServices",
- "checklist": "Device Update Review",
- "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55",
- "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
- "service": "Device Update for IoT Hub",
- "severity": "High",
- "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.",
- "waf": "Reliability"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "8691fa38-45ed-4299-a247-fecd98d35deb",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Enable Application Insights for more detailed telemetry",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Devices/deviceUpdateServices",
- "checklist": "Device Update Review",
- "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "Device Update for IoT Hub",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor",
+ "service": "APIM",
 "severity": "High",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "text": "Configure alerts on the most critical metrics",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Devices/deviceUpdateServices",
- "checklist": "Device Update Review",
- "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "Device Update for IoT Hub",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998",
+ "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault",
+ "service": "APIM",
 "severity": "High",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
- "waf": "Reliability"
+ "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
- "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
- "service": "Logic Apps",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access",
+ "service": "APIM",
 "severity": "High",
- "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
- "waf": "Reliability"
+ "text": "Protect incoming requests to APIs (data plane) with Azure AD",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
- "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "Logic Apps",
- "severity": "High",
- "text": "Protect logic apps from region failures with zone redundancy and availability zones",
- "waf": "Reliability"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": 
"5e5f64ba-c90e-480e-8888-398d96cf0bfb",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
- "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "Logic Apps",
- "severity": "High",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Create appropriate groups to control the visibility of the products",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
- "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
- "service": "Logic Apps",
- "severity": "High",
- "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
- "waf": "Reliability"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "06862505-2d9a-4874-9491-2837b00a3475",
+ "link": "https://learn.microsoft.com/azure/api-management/backends",
+ "service": "APIM",
+ "severity": "Medium",
+ "text": "Use Backends feature to eliminate redundant API backend configurations",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": 
"74275fa5-9e08-4c7e-b096-13b538fe1501",
- "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
- "service": "Logic Apps",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
+ "text": "Use Named Values to store common values that can be used in policies",
 "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.BotService/botServices",
- "checklist": "Azure Bot Service",
- "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot",
- "service": "Bot service",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Follow reliability support recommendations in Azure Bot Service",
+ "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.BotService/botServices",
- "checklist": "Azure Bot Service",
- "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a",
- "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization",
- "service": "Bot service",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044",
+ "link": "https://learn.microsoft.com/azure/api-management/high-availability",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Deploying bots with local data 
residency and regional compliance",
+ "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.BotService/botServices",
- "checklist": "Azure Bot Service",
- "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography",
- "service": "Bot service",
- "severity": "Medium",
- "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Ensure there is an automated backup routine",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.documentdb/databaseAccounts",
- "checklist": "CosmosDB Review Checklist",
- "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9",
- "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx",
- "service": "CosmosDB",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485",
+ "link": 
"https://learn.microsoft.com/azure/api-management/retry-policy",
+ "service": "APIM",
 "severity": "Medium",
- "text": "FTA Resiliency Playbook",
+ "text": "Use Policies to add a fail-over backend URL and caching to reduce failing calls.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.documentdb/databaseAccounts",
- "checklist": "CosmosDB Review Checklist",
- "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b",
- "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
- "service": "CosmosDB",
- "severity": "High",
- "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it",
- "waf": "Reliability"
- },
- {
- "arm-service": "microsoft.documentdb/databaseAccounts",
- "checklist": "CosmosDB Review Checklist",
- "guid": "0d934a34-8b26-43e7-bd60-513a3649906e",
- "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages",
- "service": "CosmosDB",
- "severity": "Medium",
- "text": "Run multiple replicas of the database (>1 ) in Prod",
- "waf": "Reliability"
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
+ "service": "APIM",
+ "severity": "Low",
+ "text": "If you need to log at high performance levels, consider Event Hubs policy",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.documentdb/databaseAccounts",
- "checklist": "CosmosDB Review Checklist",
- "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe",
- "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab",
- "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions",
- "service": "CosmosDB",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ 
"guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Leverage Multi-Region Writes",
- "waf": "Reliability"
+ "text": "Apply throttling policies to control the number of requests per second",
+ "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.documentdb/databaseAccounts",
- "checklist": "CosmosDB Review Checklist",
- "description": "Span Cosmos account across two or more regions with multi-region writes",
- "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91",
- "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas",
- "service": "CosmosDB",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Distribute your data globally",
- "waf": "Reliability"
- },
- {
- "arm-service": "microsoft.documentdb/databaseAccounts",
- "checklist": "CosmosDB Review Checklist",
- "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong",
- "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0",
- "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels",
- "service": "CosmosDB",
- "severity": "High",
- "text": "Choose from several well-defined consistency models",
- "waf": "Reliability"
+ "text": "Configure autoscaling to scale out the number of instances when the load increases",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.documentdb/databaseAccounts",
- "checklist": "CosmosDB Review Checklist",
- "description": "Maintain business continuity during regional outages. 
Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.",
- "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe",
- "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover",
- "service": "CosmosDB",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "84b94abb-59b6-4b9d-8587-3413669468e8",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Enable Service managed failover",
- "waf": "Reliability"
+ "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.documentdb/databaseAccounts",
- "checklist": "CosmosDB Review Checklist",
- "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.",
- "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90",
- "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore",
- "service": "CosmosDB",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0",
+ "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Enable Automatic Backups",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
+ "text": "Use the premium tier for production workloads.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.documentdb/databaseAccounts",
- "checklist": "CosmosDB Review Checklist",
- "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.",
- "guid": "a6eb33f6-005c-4d92-9286-7655672d6121",
- "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction",
- "service": "CosmosDB",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6",
+ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Perform Periodic Backups",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.",
 "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.documentdb/databaseAccounts",
- "checklist": "CosmosDB Review Checklist",
- "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.",
- "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1",
- "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction",
- "service": "CosmosDB",
- "severity": "Medium",
- "text": "Continous Backup with point-in-time restore in Azure Cosmos DB",
- "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits",
+ "service": "APIM",
+ "severity": "High",
+ "text": "Be aware of APIM's limits",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
- "service": "Cognitive Search",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600",
+ "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview",
+ "service": "APIM",
 "severity": "High",
- "text": "Enable 2 replicas to have 99.9% availability for read operations",
+ "text": "Ensure that the self-hosted gateway deployments are resilient.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "7d956fd9-788a-4845-9b9f-c0340972d810",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
- "service": "Cognitive Search",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": 
"7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "severity": "Medium", - "text": "Enable 3 replicas to have 99.9% availability for read/write operations", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", - "severity": "High", - "text": "Leverage Availability Zones by enabling read and/or write replicas", - "waf": "Reliability" + "text": "Use Azure Front Door in front of APIM for multi-region deployment", + "waf": "Performance" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "severity": "Medium", - "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across geographic regions", - "waf": "Reliability" + "text": "Deploy the service within a Virtual Network (VNet)", + "waf": "Security" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": 
"https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "severity": "Medium", - "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", - "waf": "Reliability" + "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.", + "waf": "Security" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", "severity": "Medium", - "text": "Use Azure Traffic Manager to coordinate requests", - "waf": "Reliability" + "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.", + "waf": "Security" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": 
"https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", "severity": "High", - "text": "Backup and Restore an Azure Cognitive Search Index. Use this sample code to back up index definition and snapshot to a series of Json files", - "waf": "Reliability" + "text": "Disable Public Network Access", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx", - "service": "Cognitive Services", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", "severity": "Medium", - "text": "Leverage FTA HandBook for Cognitive Services", - "waf": "Reliability" + "text": "Simplify management with PowerShell automation scripts", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Cognitive Services", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management 
Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", "severity": "Medium", - "text": "Backup Your Prompts", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Cognitive Services", - "severity": "High", - "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI Service", - "waf": "Reliability" + "text": "Configure APIM via Infrastructure-as-code. Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "325af625-ca44-4e46-a5e2-223ace8bb123", - "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations", - "service": "Cognitive Services", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", "severity": "Medium", - "text": "Backup Your ChatGPT conversations", - "waf": "Reliability" + "text": "Promote usage of Visual Studio Code APIM extension for faster API development", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618", - "link": 
"https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment", - "service": "Cognitive Services", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", "severity": "Medium", - "text": "CI/CD for custom speech", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Cognitive Services Review Checklist", - "guid": "3687a046-7a1f-4893-9bda-43324f248116", - "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base", - "service": "Cognitive Services", - "severity": "Low", - "text": "Move a knowledge base using export-import", - "waf": "Reliability" + "text": "Implement DevOps and CI/CD in your workflow", + "waf": "Operations" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "af416482-663c-4ed6-b195-b44c7068e09c", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", - "service": "Container Apps", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", + "severity": "Medium", + "text": "Secure APIs using client certificate authentication", + "waf": "Security" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", - "link": 
"https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", - "service": "Container Apps", - "severity": "High", - "text": "Use more than one replica and enable Zone Redundancy.", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", + "severity": "Medium", + "text": "Secure backend services using client certificate authentication", + "waf": "Security" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", - "severity": "High", - "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", + "severity": "Medium", + "text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs", + "waf": "Security" }, { - "arm-service": "Microsoft.App/containerApps", - "checklist": "Container Apps Review", - "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", - "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", - "service": "Container Apps", - "severity": 
"High", - "text": "Use Front Door or Traffic Manager to route traffic to the closest region", - "waf": "Reliability" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", + "severity": "Medium", + "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", "severity": "High", - "text": "Select the right Function hosting plan based on your business & SLO requirements", - "waf": "Reliability" + "text": "Use the latest TLS version when encrypting information in transit. 
Disable outdated and unnecessary protocols and ciphers when possible.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "a9808100-d640-4f77-ac56-1ec0600f6752",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
- "service": "Azure Functions",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "f8af3d94-1d2b-4070-846f-849197524258",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets",
+ "service": "APIM",
 "severity": "High",
- "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)",
- "waf": "Reliability"
+ "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "5969d03e-eacf-4042-b127-73c55e3575fa",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity",
- "service": "Azure Functions",
+ "arm-service": "Microsoft.ApiManagement/service",
+ "checklist": "Azure API Management Review",
+ "guid": "791abd8b-7706-4e31-9569-afefde724be3",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities",
+ "service": "APIM",
 "severity": "Medium",
- "text": "Consider a Cross-Region DR strategy for critical workloads",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": 
"47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "High", - "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", - "waf": "Reliability" + "text": "Use managed identities to authenticate to other Azure resources whenever possible", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", "severity": "High", - "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan", - "waf": "Reliability" + "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM", + "waf": "Security" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", "severity": "Medium", - "text": "Pair a Function App to its own storage account. 
Try not to re-use storage accounts for Function Apps unless they are tightly coupled",
+ "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. You could automate deployment using CI/CD with ADO/GitHub actions",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "Azure Functions",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716",
+ "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code",
- "waf": "Operations"
+ "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
- "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
- "service": "SAP",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. 
ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations",
- "waf": "Operations"
+ "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5d75e99d-624d-4afe-91d9-e17adc580790",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
- "service": "SAP",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Azure supports automating SAP deployments in Linux and Windows. 
SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.",
- "training": "https://github.com/Azure/sap-automation",
- "waf": "Operations"
+ "text": "Use more than 1 app instance for your apps",
+ "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
- "service": "SAP",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "7504c230-6035-4183-95a5-85762acc6075",
+ "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally",
+ "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a",
- "service": "SAP",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.",
+ "text": "Set up autoscaling in Spring Cloud Gateway",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b651423c-8552-42db-a545-5cb50c05527a",
- "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
- "service": "SAP",
- "severity": "High",
- "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. 
Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "97411607-b6fd-4335-99d1-9885faf4e392",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale",
+ "service": "Spring Apps",
+ "severity": "Low",
+ "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "aa208dca-784f-46c6-9014-cc919c542dc9",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3",
+ "link": "https://learn.microsoft.com/azure/spring-apps/overview",
+ "service": "Spring Apps",
 "severity": "Medium",
- "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
+ "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. 
With other tiers you get OSS support.",
 "waf": "Reliability"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ba07c007-1f90-43e9-aa4f-601346b80352",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
+ "service": "AVS",
 "severity": "High",
- "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.",
- "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
- "waf": "Reliability"
+ "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure",
+ "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
- "service": "SAP",
- "severity": "Low",
- "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.",
- "waf": "Reliability"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "75089c20-990d-4927-b105-885576f76fc2",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure",
+ "waf": "Security"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
- "service": "SAP",
- "severity": 
"Medium", - "text": "Peer the primary and disaster recovery virtual networks. For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", + "severity": "High", + "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", - "severity": "Low", - "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", + "severity": "Medium", + "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "High", - "text": "Native database replication technology should be used to synchronize the database in a HA pair.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", + "severity": "Medium", + "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "severity": "High", - "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Reliability" + "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", - "severity": "High", - "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", + "severity": "Medium", + "text": "Has an RBAC model been created for use within VMware vSphere", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "High", - "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", + "severity": "Medium", + "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", "severity": "High", - "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", "severity": "High", - "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Reliability" + "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", "severity": "High", - "text": "The DBMS data 
and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "Reliability" + "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", "severity": "High", - "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "High", - "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. 
Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", + "severity": "Medium", + "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", - "severity": "High", - "text": "Make sure the Floating IP is enabled on the Load balancer", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Reliability" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", + "severity": "Medium", + "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", "severity": "High", - "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", "severity": "High", - "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", - "waf": "Reliability" + "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", "severity": "High", - "text": "Do not mix servers of different roles in the same availability set. 
Keep central services VMs, database VMs, application VMs in their own availability sets", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" + "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", "severity": "Medium", - "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "High", - "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. 
The default number of fault domains is two, and you can't change it online later.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "High", - "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "High", - "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions", - "waf": "Reliability" + "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", "severity": "High", - "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", - "severity": "Medium", - "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" + "text": "Limit use of CloudAdmin account to emergency access only", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "severity": "Medium", - "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", - "waf": "Reliability" + "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", "severity": "Medium", - "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "High", - "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", - "severity": "High", - "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. 
These configurations include enabling Write Accelerator and using Premium storage. You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", - "severity": "High", - "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "Reliability" + "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", "severity": "High", - "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. 
So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.", - "waf": "Reliability" + "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", "severity": "Medium", - "text": "Automate SAP System Start-Stop to manage costs.", - "waf": "Cost" - }, - { - "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "Low", - "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.", - "waf": "Cost" + "text": "Is East-West traffic filtering implemented within NSX-T", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "Low", - "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. 
However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.", - "waf": "Cost" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", + "severity": "High", + "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", "severity": "High", - "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", "severity": "Medium", - "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector", - "training": 
"https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", "severity": "Medium", - "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.", + "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", "severity": "Medium", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + 
"checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", "severity": "Medium", - "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running on Azure VMware Solution", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", "severity": "Medium", - "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", - "severity": "Medium", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", + "severity": "Low", + "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). (vSAN encryption at rest is default)", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", - "severity": "Medium", - "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", + "severity": "Low", + "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", "severity": "Medium", - "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.", + "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", - "severity": "Medium", - "text": "Implement SSO to SAP HANA", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", + "severity": "High", + "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", + 
"arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d88408f3-7273-44c8-96ba-280214590146",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
+ "service": "AVS",
"severity": "Medium",
- "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.",
- "waf": "Security"
+ "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.",
+ "waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
- "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
+ "service": "AVS",
"severity": "Medium",
- "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.",
- "waf": "Security"
+ "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes",
+ "waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
- "link": 
"https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
+ "service": "AVS",
"severity": "Medium",
- "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.",
- "waf": "Security"
+ "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used",
+ "waf": "Cost"
},
{
- "checklist": "SAP Checklist",
- "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6e043e2a-a359-4271-ae6e-205172676ae4",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
+ "service": "AVS",
"severity": "Medium",
- "text": "Implement SSO to SAP BTP",
+ "text": "Consider the use of Azure Private-Link when using other Azure Native Services",
"waf": "Security"
},
{
- "checklist": "SAP Checklist",
- "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
- "service": 
"SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure all required resource reside within the same Azure availability zone(s)",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
+ "service": "AVS",
"severity": "Medium",
- "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. Use write-back of the email address to SAP SuccessFactors.",
+ "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads",
"waf": "Security"
},
{
- "checklist": "SAP Checklist",
- "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
+ "service": "AVS",
"severity": "Medium",
- "text": "enforce existing Management Group policies to SAP Subscriptions",
- "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
- "waf": "Operations"
+ "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads",
+ "waf": "Security"
},
{
- "checklist": "SAP Checklist",
- "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
- "link": 
"https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
+ "service": "AVS",
"severity": "High",
- "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
+ "text": "Enable Diagnostic and metric logging on Azure VMware Solution",
"waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
- "severity": "High",
- "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. Sandbox, non-prod, prod ",
- "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads",
"waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
- "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
- "service": "SAP",
- "severity": "High",
- "text": "Ensure quota increase as a part of subscription provisioning (e.g. 
total available VM cores within a subscription)",
- "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
"waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
- "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
- "service": "SAP",
- "severity": "Low",
- "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.",
- "waf": "Operations"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution",
+ "waf": "Security"
},
{
- "checklist": "SAP Checklist",
- "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
- "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
+ "service": "AVS",
"severity": "High",
- "text": "If deploying to an availability zone, ensure that the VM's 
zone deployment is available once the quota has been approved. Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
- "waf": "Operations"
+ "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment",
+ "waf": "Security"
},
{
- "checklist": "SAP Checklist",
- "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
- "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
+ "service": "AVS",
"severity": "High",
- "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
- "waf": "Operations"
+ "text": "Are data processing implications (service provider / service consumer model) clear and documented",
+ "waf": "Security"
},
{
- "checklist": "SAP Checklist",
- "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "547c1747-dc56-4068-a714-435cd19dd244",
+ "service": "AVS",
"severity": "Medium",
- "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
- "waf": "Operations"
+ "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for 
compliance reason(s).",
+ "waf": "Security"
},
{
- "checklist": "SAP Checklist",
- "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
- "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
+ "service": "AVS",
"severity": "High",
- "text": "Help protect your HANA database by using the Azure Backup service.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
- "waf": "Reliability"
+ "text": "Create dashboards to enable core Azure VMware Solution monitoring insights",
+ "waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
- "service": "SAP",
- "severity": "Medium",
- "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. 
Consider using AzAcSnap on a central VM rather than on individual VMs.",
- "waf": "Reliability"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
+ "waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
+ "service": "AVS",
"severity": "High",
- "text": "Ensure time-zone matches between the operating system and the SAP system.",
+ "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware",
"waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
- "service": "SAP",
- "severity": "Medium",
- "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Reliability"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure alerts are configured for Azure Service Health alerts and notifications",
+ "waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
- "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
- "service": "SAP",
- "severity": "Low",
- "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.",
- "waf": "Cost"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing",
+ "waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
- "link": "https://learn.microsoft.com/azure/lighthouse/overview",
- "service": "SAP",
- "severity": "Medium",
- "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?",
"waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
- "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
- "service": "SAP",
- "severity": "Medium",
- "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.",
- "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning",
"waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
- "service": "SAP",
- "severity": "Low",
- "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). 
Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource",
"waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
- "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
+ "service": "AVS",
"severity": "Medium",
- "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. Either in Azure native or on a disk pool-backed datastore",
"waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
- "service": "SAP",
- "severity": "High",
- "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. 
The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)",
"waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
+ "service": "AVS",
"severity": "Medium",
- "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
+ "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
"waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
- "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
+ "service": "AVS",
"severity": "Medium",
- "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. 
Or collect and display network latency measurements by using Azure Monitor.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
+ "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management",
"waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "73686af4-6791-4f89-95ad-a43324e13811",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
+ "service": "AVS",
"severity": "Medium",
- "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.",
+ "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
"waf": "Operations"
},
{
- "checklist": "SAP Checklist",
- "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
- "severity": "High",
- "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal deployment to choose low-latency zones for deployment of SAP on Azure.",
- "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "waf": "Performance"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud",
+ "waf": "Security"
},
{
- "checklist": "SAP Checklist",
- "guid": 
"410adcba-db46-424f-a6c4-05ecde75c52e",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
+ "service": "AVS",
"severity": "Medium",
- "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.",
- "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
+ "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
"waf": "Reliability"
},
{
- "checklist": "SAP Checklist",
- "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
- "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
+ "service": "AVS",
"severity": "Medium",
- "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.",
- "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations",
- "waf": "Security"
+ "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? 
[SRM/JetStream/Zerto/Veeam/...]",
+ "waf": "Reliability"
},
{
- "checklist": "SAP Checklist",
- "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
+ "service": "AVS",
"severity": "Medium",
- "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.",
- "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations",
- "waf": "Operations"
+ "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
+ "waf": "Reliability"
},
{
- "checklist": "SAP Checklist",
- "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows",
- "service": "SAP",
- "severity": "Low",
- "text": "Use inter-VM latency monitoring for latency-sensitive applications.",
- "waf": "Performance"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible",
+ "waf": "Reliability"
},
{
- "checklist": "SAP Checklist",
- "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "8255461e-2aee-4345-9aec-8339248b262d",
+ "service": "AVS",
"severity": "Medium",
- "text": "Use Azure Site 
Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
+ "text": "Use the geopolitical region pair as the secondary disaster recovery environment",
"waf": "Reliability"
},
{
- "checklist": "SAP Checklist",
- "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
+ "service": "AVS",
+ "severity": "High",
+ "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
+ "service": "AVS",
"severity": "Medium",
- "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.",
- "waf": "Performance"
+ "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
+ "waf": "Reliability"
},
{
- "checklist": "SAP Checklist",
- "guid": "c027f893-f404-41a9-b33d-39d625a14964",
- "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login",
- "service": "SAP",
- "severity": "Low",
- "text": "Consider collecting full database statistics for non-HANA databases after migration. 
For example, implement SAP note 1020260 - Delivery of Oracle statistics.",
- "waf": "Performance"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
+ "service": "AVS",
+ "severity": "Medium",
+ "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. ]",
+ "waf": "Reliability"
},
{
- "checklist": "SAP Checklist",
- "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e",
- "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1",
+ "service": "AVS",
"severity": "Medium",
- "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.",
- "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations",
- "waf": "Performance"
+ "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud",
+ "waf": "Reliability"
},
{
- "checklist": "SAP Checklist",
- "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8",
+ "service": "AVS",
"severity": "Medium",
- "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. 
We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.",
- "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency",
- "waf": "Performance"
+ "text": "Deploy your backup solution outside of vSan, on Azure native components",
+ "waf": "Reliability"
},
{
- "checklist": "SAP Checklist",
- "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
- "service": "SAP",
- "severity": "High",
- "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.",
- "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
- "waf": "Operations"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "SAP",
- "severity": "Medium",
- "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/",
- "waf": "Security"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e",
+ "service": "AVS",
+ "severity": "Low",
+ "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?",
+ "waf": "Reliability"
},
{
- "checklist": "SAP Checklist",
- "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "service": "SAP",
- "severity": "Medium",
- "text": "If the 
virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", + "severity": "Low", + "text": "For manual deployments, all configuration and deployments must be documented", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", - "severity": "Medium", - "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. 
The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "severity": "Low", + "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", - "severity": "Medium", - "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "Reliability" - }, - { - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", - "severity": "High", - "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", - "training": "https://me.sap.com/notes/2731110", - "waf": "Performance" - }, - { - "checklist": "SAP Checklist", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", - "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "Low", + "text": "For automated deployments, deploy a minimal private cloud and scale as needed", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", - "severity": "Medium", - "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "Low", + "text": "For automated deployments, request or reserve quota prior to starting the deployment", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", - "severity": "Medium", - "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for 
VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "Low", + "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "High", - "text": "Public IP assignment to VM running SAP Workload is not recommended.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", - "severity": "High", - "text": "Consider reserving IP address on DR side when configuring ASR", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "Low", + "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": 
"54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "High", - "text": "Avoid using overlapping IP address ranges for production and DR sites.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", + "severity": "Low", + "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", - "severity": "Medium", - "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. 
Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "Low", + "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", - "severity": "Medium", - "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "Low", + "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", "severity": "Medium", - "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", - "waf": "Security" + "text": "When intending to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "Medium", - "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", - "waf": "Security" + "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "severity": "Medium", - "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S 
applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Security" + "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", "severity": "Medium", - "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Security" + "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", + "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", "severity": "Medium", - "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "text": "Define and enforce scale in/out maximum limits for your environment in the automations", "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", "severity": "Medium", - "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "Security" + "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", + "waf": "Operations" }, { - "checklist": "SAP Checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", - "severity": "High", - "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Performance" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "High", + "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", - "severity": "Medium", - "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). 
This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Security" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "High", + "text": "When using MON, you cannot enable MON on more than 100 Network extensions", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "severity": "Medium", - "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. 
ASGs group virtual machines to help manage their security.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "High", - "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", "severity": "Medium", - "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", "waf": "Performance" }, { - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "High", - "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. 
Both layers need to completely reside either on-premise or in Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Performance" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", + "severity": "Medium", + "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "High", - "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Cost" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", + "severity": "Medium", + "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", - "severity": "High", - "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Performance" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", + "severity": "Medium", + "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + 
"guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", "severity": "Medium", - "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", - "waf": "Security" + "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", "severity": "High", - "text": "Review SAP HANA database backups for Azure VMs.", - "waf": "Cost" + "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "severity": "Medium", - "text": "Review Site Recovery built-in monitoring, where used for SAP.", - "waf": "Cost" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", + "severity": "High", + "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", "severity": "High", - "text": "Review the Monitoring the SAP HANA System Landscape guidance.", - "waf": "Operations" + "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", - "severity": "Medium", - "text": "Review Oracle Database in Azure Linux VM backup strategies.", - "waf": "Operations" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", + "severity": "High", + "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": 
"https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", - "severity": "Medium", - "text": "Review the use of Azure Blob Storage with SQL Server 2016.", - "waf": "Operations" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", + "severity": "High", + "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", - "severity": "Medium", - "text": "Review the use of Automated Backup v2 for Azure VMs.", - "waf": "Operations" + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Disable image export to prevent data exfiltration. 
Note that this will prevent image import of images into another ACR instance.", + "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", + "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", + "service": "ACR", + "severity": "High", + "text": "Disable Azure Container Registry image export", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", + "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", + "service": "ACR", "severity": "High", - "text": "Enabling Write accelerator for M series when using premium disks(V1)", - "waf": "Operations" + "text": "Enable Azure Policies for Azure Container Registry", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", - "severity": "Medium", - "text": "Test availability zone latency.", - "waf": "Performance" + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. 
The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", + "guid": "d345293c-7639-4637-a551-c5c04e401955", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", + "service": "ACR", + "severity": "High", + "text": "Sign and Verify containers with notation (Notary v2)", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", + "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", + "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", + "service": "ACR", "severity": "Medium", - "text": "Activate SAP EarlyWatch Alert for all SAP components.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "Performance" + "text": "Encrypt registry with a customer managed key", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", - "severity": "Medium", - "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", - "waf": "Performance" - }, - { - "checklist": "SAP Checklist", - "guid": 
"62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", - "severity": "Medium", - "text": "Review SQL Server performance monitoring using CCMS.", - "waf": "Performance" - }, - { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", - "severity": "Medium", - "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "Performance" - }, - { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", - "severity": "Medium", - "text": "Review SAP HANA studio alerts.", - "waf": "Performance" + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", + "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", + "severity": "High", + "text": "Use Managed Identities to connect instead of Service Principals", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", - "severity": "Medium", - "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.", - "waf": "Performance" + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead", + "guid": "be0e38ce-e297-411b-b363-caaab79b198d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", + "service": "ACR", + "severity": "High", + "text": "Disable local authentication for management plane access", + "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", - "severity": "Medium", - "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", + "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", + "service": "ACR", + "severity": "High", + "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Disable anonymous pull/push access", + "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", + "link": 
"https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", + "service": "ACR", "severity": "Medium", - "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "text": "Disable Anonymous pull access", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "Low", - "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Token authentication doesn't support assignment to an AAD principal. 
Any tokens provided are able to be used by anyone who can access the token", + "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", + "service": "ACR", + "severity": "High", + "text": "Disable repository-scoped access tokens", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", + "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", + "service": "ACR", "severity": "High", - "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.", - "training": "https://me.sap.com/notes/3019299/E", + "text": "Deploy images from a trusted environment", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "High", - "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Only tokens with an ACR audience can be used for authentication. Used when enabling Conditional access policies for ACR", + "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", + "service": "ACR", + "severity": "Medium", + "text": "Disable Azure ARM audience tokens for authentication", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. This allows you to monitor control plane activity on the ACR resource itself.", + "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", + "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", + "service": "ACR", "severity": "Medium", - "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. 
Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "text": "Enable diagnostics logging", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", - "severity": "High", - "text": "Use Azure Key Vault to store your secrets and credentials", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", + "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", + "service": "ACR", + "severity": "Medium", + "text": "Control inbound network access with Private Link", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Disable public network access if inbound network access is secured using Private Link", + "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", + "service": "ACR", "severity": "Medium", - "text": "It is recommended to LOCK the 
Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "text": "Disable Public Network access", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Only the ACR Premium SKU supports Private Link access", + "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", + "service": "ACR", "severity": "Medium", - "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", - "severity": "High", - "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Azure Defender for containers 
or equivalent service should be used to scan container images for vulnerabilities", + "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", + "service": "ACR", + "severity": "Low", + "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "High", - "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. Follow your DBMS vendor's recommendations when excluding target files.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", + "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", + "service": "ACR", + "severity": "Medium", + "text": "Deploy validated container images", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure Container Registry Security Review", + "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", + "guid": "4e401955-387e-45ce-b126-cd132af5b20c", + "service": "ACR", 
"severity": "High", - "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "text": "Use up-to-date platforms, languages, protocols and frameworks", "waf": "Security" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Low", - "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "Security" + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", + "severity": "Medium", + "text": "Follow reliability support recommendations in Azure Bot Service", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "severity": "Medium", - "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.", - "training": 
"https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" + "text": "Deploying bots with local data residency and regional compliance", + "waf": "Reliability" }, { - "checklist": "SAP Checklist", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", - "severity": "High", - "text": "Use an Azure Key Vault per application per environment per region.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "severity": "High", - "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. 
SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", - "severity": "High", - "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", - "severity": "High", - "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "Low", - "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": 
"https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "Low", - "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "High", - "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Low", - "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. 
For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "waf": "Security" - }, - { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", - "severity": "Medium", - "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", - "severity": "Medium", - "text": "Azure Spring Apps permits two deployments for every app, only one of which receives production traffic. You can achieve zero downtime with blue green deployment strategies. Blue green deployment is only available in Standard and Enterprise tiers. 
You could automate deployment using CI/CD with ADO/GitHub actions", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", - "severity": "Medium", - "text": "Azure Spring Apps instances could be created in multiple regions for your applications and traffic could be routed by Traffic Manager/Front Door.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", - "severity": "Medium", - "text": "In supported region, Azure Spring Apps can be deployed as zone redundant, which means that instances are automatically distributed across availability zones. This feature is only available in Standard and Enterprise tiers.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", - "severity": "Medium", - "text": "Use more than 1 app instance for your apps", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "severity": "Medium", - "text": "Monitor Azure Spring Apps with logs, metrics and tracing. 
Integrate ASA with application insights and track failures and create workbooks.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", - "severity": "Medium", - "text": "Set up autoscaling in Spring Cloud Gateway", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "severity": "Low", - "text": "Enable autoscale for the apps with Standard consumption & dedicated plan.", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", - "severity": "Medium", - "text": "Use Enterprise plan for commercial support of spring boot for mission critical apps. 
With other tiers you get OSS support.", - "waf": "Reliability" - }, - { - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", - "severity": "Medium", - "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", - "waf": "Reliability" - }, - { - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", - "severity": "Medium", - "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. Resilient interfaces with external processes", - "waf": "Reliability" - }, - { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", - "severity": "Medium", - "text": "Custom brand assets should be hosted on a CDN", - "waf": "Performance" - }, - { - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "severity": "Low", - "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", - "waf": "Reliability" - }, - { - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "Medium", - "text": "Follow VM rules for high availability on the VM level 
(premium disks, two or more in a region, in different availability zones)", - "waf": "Reliability" - }, - { - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "Medium", - "text": "Don't replicate! Replication can create issues with directory synchronization", - "waf": "Reliability" - }, - { - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "Medium", - "text": "Have active-active for multi-regions", - "waf": "Reliability" - }, - { - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", - "severity": "Medium", - "text": "Add Azure AD Domain service stamps to additional regions and locations", - "waf": "Reliability" - }, - { - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", "severity": "Medium", - "text": "Use Replica Sets for DR", + "text": "Azure Bot Service runs in active-active mode for both global and regional services. When an outage occurs, you don't need to detect errors or manage the service. 
Azure Bot Service automatically performs auto failover and auto recovery in a multi-region geographical architecture. For the EU bot regional service, Azure Bot Service provides two full regions inside Europe with active/active replication to ensure redundancy. For the global bot service, all available regions/geographies can be served as the global footprint.", "waf": "Reliability" }, { 
@@ -2228,455 +1781,164 @@
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies",
- "service": "APIM",
- "severity": "Medium",
- "text": "Implement an error handling policy at the global level",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08",
- "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order",
- "service": "APIM",
- "severity": "Medium",
- "text": "Ensure all APIs policies include a element.",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902",
- "link": "https://learn.microsoft.com/azure/api-management/policy-fragments",
- "service": "APIM",
- "severity": "Medium",
- "text": "Use Policy Fragments to avoid repeating same policies definitions across multiple APIs",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a",
- "link": "https://learn.microsoft.com/azure/api-management/monetization-support",
- "service": "APIM",
- "severity": "Medium",
- "text": "If you are planning to monetize your APIs, review the 'monetization support' article for best practices",
- "waf": "Operations"
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
+ "service": "Azure Functions",
+ "severity": "High",
+ "text": "Select the right 
Function hosting plan based on your business & SLO requirements",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs",
- "service": "APIM",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "a9808100-d640-4f77-ac56-1ec0600f6752",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
+ "service": "Azure Functions",
 "severity": "High",
- "text": "Enable Diagnostics Settings to export logs to Azure Monitor",
- "waf": "Operations"
+ "text": "Leverage Availability Zones where regionally applicable (not available for Consumption tier)",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "8691fa38-45ed-4299-a247-fecd98d35deb",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights",
- "service": "APIM",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "5969d03e-eacf-4042-b127-73c55e3575fa",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity",
+ "service": "Azure Functions",
 "severity": "Medium",
- "text": "Enable Application Insights for more detailed telemetry",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor",
- "service": "APIM",
- "severity": "High",
- "text": "Configure alerts on the most critical metrics",
- "waf": "Operations"
+ "text": "Consider a 
Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault",
- "service": "APIM",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "Azure Functions",
 "severity": "High",
- "text": "Ensure that custom SSL certificates are stored an Azure Key Vault so they can be securely accessed and updated",
- "waf": "Security"
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access",
- "service": "APIM",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
+ "service": "Azure Functions",
 "severity": "High",
- "text": "Protect incoming requests to APIs (data plane) with Azure AD",
- "waf": "Security"
+ "text": "Ensure 'Always On' is enabled for all Function Apps running on App Service Plan",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- 
"checklist": "Azure API Management Review",
- "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad",
- "service": "APIM",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts",
+ "service": "Azure Functions",
 "severity": "Medium",
- "text": "Use Microsoft Entra ID to authenticate users in the Developer Portal",
- "waf": "Security"
+ "text": "Pair a Function App to its own storage account. Try not to re-use storage accounts for Function Apps unless they are tightly coupled",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups",
- "service": "APIM",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "Azure Functions",
 "severity": "Medium",
- "text": "Create appropriate groups to control the visibility of the products",
- "waf": "Security"
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Function App code",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "06862505-2d9a-4874-9491-2837b00a3475",
- "link": "https://learn.microsoft.com/azure/api-management/backends",
- "service": "APIM",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "21c30d25-ffb7-4f6a-b9ea-b3fec328f787",
+ "link": 
"https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-cog_svcs_v1.docx",
+ "service": "Cognitive Services",
 "severity": "Medium",
- "text": "Use Backends feature to eliminate redundant API backend configurations",
- "waf": "Operations"
+ "text": "Leverage FTA HandBook for Cognitive Services",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal",
- "service": "APIM",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "78c34698-16b2-4763-aefe-1b9b599de0d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions",
+ "service": "Cognitive Services",
 "severity": "Medium",
- "text": "Use Named Values to store common values that can be used in policies",
- "waf": "Operations"
+ "text": "Backup Your Prompts",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region",
- "service": "APIM",
- "severity": "Medium",
- "text": "For DR, leverage the premium tier with deployments scaled across two or more regions for 99.99% SLA",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "750ab2ab-039d-4a6d-95d7-c892adb107d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Cognitive Services",
+ "severity": "High",
+ "text": "Business Continuity and Disaster Recovery (BCDR) considerations with Azure OpenAI 
Service",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044",
- "link": "https://learn.microsoft.com/azure/api-management/high-availability",
- "service": "APIM",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "325af625-ca44-4e46-a5e2-223ace8bb123",
+ "link": "https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations",
+ "service": "Cognitive Services",
 "severity": "Medium",
- "text": "Deploy at least one unit in two or more availability zones for an increased SLA of 99.99%",
+ "text": "Backup Your ChatGPT conversations",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability",
- "service": "APIM",
- "severity": "High",
- "text": "Ensure there is an automated backup routine",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "07ca5f17-f154-4e3a-a369-2829e7e31618",
+ "link": "https://learn.microsoft.com/azure/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment",
+ "service": "Cognitive Services",
+ "severity": "Medium",
+ "text": "CI/CD for custom speech",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485",
- "link": "https://learn.microsoft.com/azure/api-management/retry-policy",
- "service": "APIM",
- "severity": "Medium",
- "text": "Use Policies to add a fail-over backend URL and 
caching to reduce failing calls.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Cognitive Services Review Checklist",
+ "guid": "3687a046-7a1f-4893-9bda-43324f248116",
+ "link": "https://learn.microsoft.com/azure/ai-services/qnamaker/tutorials/export-knowledge-base",
+ "service": "Cognitive Services",
+ "severity": "Low",
+ "text": "Move a knowledge base using export-import",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
+ "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations",
+ "service": "App Services",
 "severity": "Low",
- "text": "If you need to log at high performance levels, consider Event Hubs policy",
- "waf": "Operations"
+ "text": "Refer to baseline highly available zone-redundant web application architecture for best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling",
- "service": "APIM",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans",
+ "service": "App Services",
 "severity": "Medium",
- "text": "Apply throttling policies to control the number of requests per second",
- "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/",
- "waf": "Performance"
+ "text": "Use Premium and Standard tiers. These tiers support staging slots and automated backups.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale",
- "service": "APIM",
- "severity": "Medium",
- "text": "Configure autoscaling to scale out the number of instances when the load increases",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "84b94abb-59b6-4b9d-8587-3413669468e8",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway",
- "service": "APIM",
- "severity": "Medium",
- "text": "Deploy self-hosted gateways where Azure doesn't have a region close to the backend APIs.",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0",
- "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale",
- "service": "APIM",
- "severity": "Medium",
- "text": "Use the premium tier for production workloads.",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services",
- "service": "APIM",
- "severity": "Medium",
- "text": "In multi-region model, use Policies to route the requests to regional backends based on availability or latency.",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": 
"46f07d33-ef9a-44e8-8f98-67c097c5d8cd",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits",
- "service": "APIM",
- "severity": "High",
- "text": "Be aware of APIM's limits",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600",
- "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview",
- "service": "APIM",
- "severity": "High",
- "text": "Ensure that the self-hosted gateway deployments are resilient.",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "7519e385-a88b-4d34-966b-6269d686e890",
- "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management",
- "service": "APIM",
- "severity": "Medium",
- "text": "Use Azure Front Door in front of APIM for multi-region deployment",
- "waf": "Performance"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "cd45c90e-7690-4753-930b-bf290c69c074",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration",
- "service": "APIM",
- "severity": "Medium",
- "text": "Deploy the service within a Virtual Network (VNet)",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support",
- "service": "APIM",
- "severity": 
"Medium",
- "text": "Deploy network security groups (NSG) to your subnets to restrict or monitor traffic to/from APIM.",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "67437a28-2721-4a2c-becd-caa54c8237a5",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link",
- "service": "APIM",
- "severity": "Medium",
- "text": "Deploy Private Endpoints to filter incoming traffic when APIM is not deployed to a VNet.",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "d698adbd-3288-44cb-b10a-9b572da395ae",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access",
- "service": "APIM",
- "severity": "High",
- "text": "Disable Public Network Access",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd",
- "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management",
- "service": "APIM",
- "severity": "Medium",
- "text": "Simplify management with PowerShell automation scripts",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations",
- "service": "APIM",
- "severity": "Medium",
- "text": "Configure APIM via Infrastructure-as-code. 
Review DevOps best practices from the Cloud Adaption Framework APIM Landing Zone Accelerator",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6",
- "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial",
- "service": "APIM",
- "severity": "Medium",
- "text": "Promote usage of Visual Studio Code APIM extension for faster API development",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "354f1c03-8112-4965-85ad-c0074bddf231",
- "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates",
- "service": "APIM",
- "severity": "Medium",
- "text": "Implement DevOps and CI/CD in your workflow",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "b6439493-426a-45f3-9697-cf65baee208d",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients",
- "service": "APIM",
- "severity": "Medium",
- "text": "Secure APIs using client certificate authentication",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "2a67d143-1033-4c0a-8732-680896478f08",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates",
- "service": "APIM",
- "severity": "Medium",
- "text": "Secure backend services using client certificate authentication",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "074435f5-4a46-41ac-b521-d6114cb5d845",
- "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats",
- "service": "APIM",
- "severity": "Medium",
- 
"text": "Review 'Recommendations to mitigate OWASP API Security Top 10 threats' article and check what is applicable to your APIs",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9",
- "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview",
- "service": "APIM",
- "severity": "Medium",
- "text": "Use Authorizations feature to simplify management of OAuth 2.0 token for your backend APIs",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091",
- "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers",
- "service": "APIM",
- "severity": "High",
- "text": "Use the latest TLS version when encrypting information in transit. Disable outdated and unnecessary protocols and ciphers when possible.",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "f8af3d94-1d2b-4070-846f-849197524258",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets",
- "service": "APIM",
- "severity": "High",
- "text": "Ensure that secrets (Named values) are stored an Azure Key Vault so they can be securely accessed and updated",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "791abd8b-7706-4e31-9569-afefde724be3",
- "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities",
- "service": "APIM",
- "severity": "Medium",
- "text": "Use managed identities to authenticate to other Azure resources whenever possible",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.ApiManagement/service",
- "checklist": "Azure API Management Review",
- "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall",
- "service": "APIM",
- "severity": "High",
- "text": "Use web application firewall (WAF) by deploying Application Gateway in front of APIM",
- "waf": "Security"
- },
- {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421",
- "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations",
- "service": "App Services",
- "severity": "Low",
- "text": "Refer to baseline highly available zone-redundant web application architecture for best practices",
- "waf": "Reliability"
- },
- {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans",
- "service": "App Services",
- "severity": "Medium",
- "text": "Use Premium and Standard tiers. 
These tiers support staging slots and automated backups.",
- "waf": "Reliability"
- },
- {
- "arm-service": "microsoft.web/sites",
- "checklist": "Azure App Service Review",
- "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
- "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service",
- "service": "App Services",
- "severity": "High",
- "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)",
- "waf": "Reliability"
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service",
+ "service": "App Services",
+ "severity": "High",
+ "text": "Leverage Availability Zones where regionally applicable (requires Premium v2 or v3 tier)",
+ "waf": "Reliability"
 },
 {
 "arm-service": "microsoft.web/sites",
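Review bot: The new Azure Function entries use `"arm-service": "Microsoft.Web/sites"` while the Azure App Service entries further down the same hunk use `"arm-service": "microsoft.web/sites"`, so any consumer that groups or filters by arm-service with a case-sensitive comparison will treat one resource type as two; pick a single spelling (the ARM-canonical `"Microsoft.Web/sites"` looks like the better choice) and, since this appears to be an automated regeneration, apply it in the source checklist rather than here. The Cognitive Services item `"Backup Your ChatGPT conversations"` links to an unaffiliated repository (`https://github.com/abacaj/chatgpt-backup#backup-your-chatgpt-conversations`) and reads as a consumer-ChatGPT tip rather than Azure OpenAI guidance; a checklist that customers act on should point at official documentation, or at least name the reference as a community script so readers vet it before running it. The hunk also drops the whole Azure API Management Review set, including High-severity items such as disabling public network access and keeping secrets in Key Vault; if that set is re-sorted into another hunk this is fine, otherwise it is worth confirming the regeneration did not lose it.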
@@ -3069,1310 +2331,2059 @@
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.DBforMySQL/servers",
- "checklist": "MySQL Review Checklist",
- "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7",
- "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview",
- "service": "Azure MySQL",
- "severity": "Medium",
- "text": "Leverage Flexible Server",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage",
+ "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Consider the 'Azure security baseline for storage'",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Azure Storage by default has a public IP address and is Internet-reachable. Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet",
+ "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Consider using private endpoints for Azure Storage",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. 
Ensure that there are no old storage accounts with classic deployment model in a subscription",
+ "guid": "30e37c3e-2971-41b2-963c-eee079b598de",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Ensure older storage accounts are not using 'classic deployment model'",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.",
+ "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d",
+ "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Enable Microsoft Defender for all of your storage accounts",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.",
+ "guid": "503547c1-447e-4c66-828a-7100f1ce16dd",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Enable 'soft delete' for blobs",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
",
+ "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Disable 'soft delete' for blobs",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.",
+ "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Enable 'soft delete' for containers",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
",
+ "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
+ "service": "Azure Storage",
+ "severity": "Medium",
+ "text": "Disable 'soft delete' for containers",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion",
+ "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64",
+ "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Enable resource locks on storage accounts",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.",
+ "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
+ "service": "Azure Storage",
+ "severity": "High",
+ "text": "Consider immutable blobs",
+ "waf": "Security"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Storage Review Checklist",
+ "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. 
", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "High", + "text": "Require HTTPS, i.e. disable port 80 on the storage account", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "High", + "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", + "severity": "Medium", + "text": "Limit shared access signature (SAS) tokens to HTTPS connections only", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "AAD tokens should be favored over shared access signatures, wherever possible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", + "severity": "High", + "text": "Use Azure Active Directory (Azure AD) tokens for blob access", + "waf": "Security" + }, + { + "arm-service": 
"Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. Limiting access to resources helps prevent both unintentional and malicious misuse of your data.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", + "severity": "Medium", + "text": "Least privilege in IaM permissions", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. ", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "severity": "High", + "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. 
", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", + "severity": "High", + "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "High", + "text": "Consider using Azure Monitor to audit control plane operations on the storage account", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", + "severity": "Medium", + "text": "When using storage account keys, consider enabling a 'key expiration policy'", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", + "severity": "Medium", + "text": "Consider configuring an SAS expiration policy", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. ", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", + "severity": "Medium", + "text": "Consider linking SAS to a stored access policy", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", + "severity": "Medium", + "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", + "severity": "High", + "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "High", + "text": "Strive for short validity periods for ad-hoc SAS", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "Medium", + "text": "Apply a narrow scope to a SAS", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", + "severity": "Medium", + "text": "Consider scoping SAS to a specific client IP address, wherever possible", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "Low", + "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. 
Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "High", + "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", + "severity": "Medium", + "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", + "severity": "High", + "text": "Avoid overly broad CORS policies", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. 
Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. thus not relying on Azure Storage at all for confidentiality guarantees.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", + "severity": "High", + "text": "Determine how data at rest should be encrypted. Understand the thread model for data.", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", + "severity": "Medium", + "text": "Determine which/if platform encryption should be used.", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", + "severity": "Medium", + "text": "Determine which/if client-side encryption should be used.", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", + "severity": "High", + "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. ", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal", + "service": "Azure Storage", + "severity": "High", + "text": "Leverage a storagev2 account type for better performance and reliability", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Azure Storage", + "severity": "High", + "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "2fa56c56-ad48-4408-be72-734c486ba280", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", + "service": "Azure Storage", + "severity": "Medium", + "text": "For write operation after failover, use customer-Managed Failover ", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", + "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", + "service": "Azure Storage", + "severity": "Medium", + "text": "Understand Microsoft-Managed Failover details", + "waf": 
"Reliability" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Storage Review Checklist", + "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", + "service": "Azure Storage", + "severity": "Medium", + "text": "Enable Soft Delete", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "Low", + "text": "Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Security" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", + "severity": "Medium", + "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Security" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. ", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", + "severity": "Medium", + "text": "Avoid using root account when it is not necessary", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Security" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. 
", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", + "severity": "Medium", + "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. consumer group, event hub entity, event hub namespaces, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", + "severity": "High", + "text": "Use least privilege data plane RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Security" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", + "severity": "Medium", + "text": "Enable logging for security investigation. 
Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Security" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. ", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", + "severity": "Medium", + "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Security" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", + "severity": "Medium", + "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Security" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", + "severity": "Medium", + "text": "Leverage FTA Resillency HandBook", "waf": "Reliability" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", + "severity": "High", + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", + "severity": "Medium", + "text": "Use the Premium or Dedicated SKUs for predicable performance", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", + "severity": "High", + "text": "Plan for Geo Disaster Recovery using Active Passive configuration", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. 
For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", + "severity": "Medium", + "text": "For Business Critical Applications, use Active Active configuration", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", + "severity": "Medium", + "text": "Design Resilient Event Hubs", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", + "severity": "Medium", + "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. 
Reduce the risk of outages caused by manual certificate renewal", + "waf": "Operations" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", + "severity": "Medium", + "text": "Ensure you are using Application Gateway v2 SKU", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", + "severity": "Medium", + "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", + "waf": "Security" + }, + { + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", + "severity": "Medium", + "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = 
tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", + "severity": "Medium", + "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. 
Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "Medium", + "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "Medium", + "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", + "severity": "Medium", + "text": "Configure autoscaling with a minimum amount of instances of two.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure 
Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", + "severity": "Medium", + "text": "Deploy Application Gateway across Availability Zones", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", + "severity": "Medium", + "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", + "severity": "Medium", + "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. 
Lock down Application Gateway to receive traffic only from Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Security" + }, + { + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", + "severity": "High", + "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Reliability" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "Low", + "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Security" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "Medium", + "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Security" + }, + { + "ammp": true, + "arm-service": 
"microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", + "severity": "High", + "text": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic.", + "waf": "Security" + }, + { + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", "severity": "High", - "text": "Leverage Availability Zones where regionally applicable", - "waf": "Reliability" + "text": "Avoid combining Azure Traffic Manager and Azure Front Door.", + "waf": "Security" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", - "severity": "Medium", - "text": "Leverage Data-in replication for cross-region DR 
scenarios", - "waf": "Reliability" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", + "severity": "High", + "text": "Use the same domain name on Azure Front Door and your origin. Mismatched host names can cause subtle bugs.", + "waf": "Security" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", - "guid": "ba7da7be-9951-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", - "service": "Azure Data Explorer", - "text": "Leverage External Tables and Continuous data export overview to reduce costs", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "Low", + "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", - "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", - "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", - "service": "Azure Data Explorer", - "text": "To share data, explore Leader-follower cluster configuration", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", + "severity": "Medium", + "text": "Select good health probe endpoints for Azure Front Door. Consider building health endpoints that check all of your application's dependencies.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. 
This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", - "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", - "service": "Azure Data Explorer", - "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", + "severity": "Low", + "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "436b0635-cb45-4e57-a603-324ace8cc123", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", - "service": "Azure Data Explorer", - "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", + "ammp": true, + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure 
Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", + "severity": "High", + "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", "waf": "Reliability" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", - "service": "Azure Data Explorer", - "text": "Ingest data into each cluster in parallel", - "waf": "Reliability" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", + "severity": "High", + "text": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is also called 'always-on'. 
For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", - "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", - "service": "Azure Data Explorer", - "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", + "severity": "Medium", + "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.", - "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", - "service": "Azure Data Explorer", - "text": "For critical applications, create Active-Active configuration in two paired regions", - "waf": "Reliability" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", + "severity": "High", + "text": "Use end-to-end TLS with Azure Front Door. Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", + "waf": "Security" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", - "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", - "service": "Azure Data Explorer", - "text": "For applications, which required only read during failure, create Active-Hot standby configuration", - "waf": "Reliability" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", + "severity": "Medium", + "text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.", + "waf": "Security" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", - "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", - "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", - "service": "Azure Data Explorer", - "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", - "waf": "Reliability" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", + "severity": "High", + "text": "Enable the Azure Front Door WAF. Protect your application from a range of attacks.", + "waf": "Security" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", - "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "text": "Wrap DevOps and source control around all your code", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "Reliability" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", + "severity": "High", + "text": "Tune the Azure Front Door WAF for your workload by configuring the WAF in 
Detection mode to reduce and fix false positive detections.", + "waf": "Security" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", - "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", - "waf": "Reliability" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", + "severity": "High", + "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", + "waf": "Security" }, { - "arm-service": "Microsoft.Kusto/clusters", - "checklist": "Azure Data Explorer Review Checklist", - "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", - "link": "https://learn.microsoft.com/azure/data-explorer/devops", - "service": "Azure Data Explorer", - "text": "Be fully cognizant of what it takes to build a cluster from scratch. Leverage Infrastructure as a Code for your deployments", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Reliability" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", + "severity": "High", + "text": "Enable the Azure Front Door WAF default rule sets. 
The default rule sets detect and block common attacks.", + "waf": "Security" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", "severity": "High", - "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.", - "waf": "Reliability" + "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.", + "waf": "Security" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", "severity": "Medium", - "text": "Configure data persistence for an Azure Cache for Redis instance. 
Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.", - "waf": "Reliability" + "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.", + "waf": "Security" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", "severity": "Medium", - "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available", - "waf": "Reliability" + "text": "Add rate limiting to the Azure Front Door WAF. 
Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", + "waf": "Security" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", "severity": "Medium", - "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.", - "waf": "Reliability" + "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", + "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", "severity": "Low", - "text": "Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs namespaces permit clients to send and receive data with TLS 1.0 and above. To enforce stricter security measures, you can configure your Event Hubs namespace to require that clients send and receive data with a newer version of TLS. If an Event Hubs namespace requires a minimum version of TLS, then any requests made with an older version will fail. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", "severity": "Medium", - "text": "Enforce a minimum required version of Transport Layer Security (TLS) for requests ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has manage permissions for the entire namespace. It�s recommended that you treat this rule like an administrative root account and don�t use it in your application. Using AAD as an authentication provider with RBAC is recommended. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "Medium", - "text": "Avoid using root account when it is not necessary", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", + "severity": "High", + "text": "Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots.", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", - "severity": "Medium", - "text": "When possible, your application should be using a managed identity to authenticate to Azure Event Hub. If not, consider having the storage credential (SAS, service principal credential) in Azure Key Vault or an equivalent service", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", + "severity": "High", + "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "When creating permissions, provide fine-grained control over a client's access to Azure Event Hub. Permissions in Azure Event Hub can and should be scoped to the individual resource level e.g. 
consumer group, event hub entity, event hub namespaces, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", "severity": "High", - "text": "Use least privilege data plane RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Tune the Azure Application Gateway WAF in detection mode for your workload. Reduce false positive detections.", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub resource logs include operational logs, virtual network and Kafka logs. Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in Event Hubs.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", - "severity": "Medium", - "text": "Enable logging for security investigation. 
Use Azure Monitor to captured metrics and logs such as resource logs, runtime audit logs and Kafka logs", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "App Gateway", + "severity": "High", + "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub by default has a public IP address and is Internet-reachable. Private endpoints allow traffic between your virtual network and Azure Event Hub traverses over the Microsoft backbone network. In addition to that, you should disable public endpoints if those are not used. 
", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", "severity": "Medium", - "text": "Consider using private endpoints to access Azure Event Hub and disable public network access when applicable.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "With IP firewall, you can restrict public endpoint further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. ", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", "severity": "Medium", - "text": "Consider only allowing access to Azure Event Hub namespace from specific IP addresses or ranges", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "text": "Use a high threshold for Azure Application Gateway WAF rate limits. 
High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ", "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", - "severity": "Medium", - "text": "Leverage FTA Resillency HandBook", - "waf": "Reliability" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "Low", + "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.", + "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": " This will be turned on automatically for a new EH namespace created from the portal with Premium, Dedicated, or Standard SKUs in a zone-enabled region. 
Both the EH metadata and the event data itself are replicated across zones", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", - "severity": "High", - "text": "Leverage Availability Zones if regionally applicable", - "waf": "Reliability" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", + "severity": "Medium", + "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.", + "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", "severity": "Medium", - "text": "Use the Premium or Dedicated SKUs for predicable performance", - "waf": "Reliability" + "text": "Use the latest Azure Application Gateway WAF rule set version. 
Rule set updates are regularly updated to take account of the current threat landscape.", + "waf": "Security" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "The built-in geo-disaster recovery feature, when enabled, ensures that the entire configuration of anamespace (Event Hubs, Consumer Groups and settings) is continuously replicated from a primary namespace to a secondary namespace, and it allows a once-only failover move from the primary to the secondary at any time. Active/Passive feature is designed to make it easier to recover from and abandon a failed Azure region without having to change application configurations", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "severity": "High", - "text": "Plan for Geo Disaster Recovery using Active Passive configuration", - "waf": "Reliability" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", + "severity": "Medium", + "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.", + "waf": "Operations" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Should be used for DR configurations where an outage or loss of event data in the downed region cannot be tolerated. For these cases, follow the replication guidance and do not use the built-in geo-disaster recovery capability (active/passive). 
With Active/Active, Maintain multiple Event Hubs in different regions and namespaces, and events will be replicated between the hubs", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", "severity": "Medium", - "text": "For Business Critical Applications, use Active Active configuration", - "waf": "Reliability" + "text": "Add diagnostic settings to save your Azure Front Door WAF logs.", + "waf": "Operations" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", "severity": "Medium", - "text": "Design Resilient Event Hubs", - "waf": "Reliability" + "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", - "severity": "High", - "text": "Ensure ADDS domain controller(s) are deployed in the identity subscription in native Azure", - "waf": "Security" + "arm-service": 
"microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", + "severity": "Medium", + "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", "severity": "Medium", - "text": "Ensure ADDS sites and services is configured to keep authentication requests from Azure-based resources (including Azure VMware Solution) local to Azure", - "waf": "Security" + "text": "Define your Azure Application Gateway WAF configuration as code. 
By using code, you can more easily adopt new rule set version and gain additional protection.", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", - "severity": "High", - "text": "Ensure that vCenter is connected to ADDS to enable authentication based on 'named user accounts'", - "waf": "Security" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", + "severity": "Medium", + "text": "Use WAF Policies instead of the legacy WAF configuration.", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", "severity": "Medium", - "text": "Ensure that the connection from vCenter to ADDS is using a secure protocol (LDAPS)", + "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", + "link": 
"https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", + "service": "Front Door", "severity": "Medium", - "text": "CloudAdmin account in vCenter IdP is used only as an emergency account (break-glass)", + "text": "Make sure your origins only take traffic from your Azure Front Door instance.", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "severity": "High", - "text": "Ensure that NSX-Manager is integrated with an external Identity provider (LDAPS)", + "text": "You should encrypt traffic to the backend servers.", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", - "severity": "Medium", - "text": "Has an RBAC model been created for use within VMware vSphere", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", + "severity": "High", + "text": "You should use a Web Application Firewall.", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": 
"https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", "severity": "Medium", - "text": "RBAC permissions should be granted on ADDS groups and not on specific users", + "text": "Redirect HTTP to HTTPS", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", - "severity": "High", - "text": "RBAC permissions on the Azure VMware Solution resource in Azure are 'locked down' to a limited set of owners only", - "waf": "Security" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", + "severity": "Medium", + "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing", + "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", "severity": "High", - "text": "Ensure all custom roles are scoped with CloudAdmin permitted authorizations", + "text": "Enable connection draining during planned service updates to prevent connection loss to existing members of the backend pool", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": 
"https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", - "severity": "High", - "text": "Is the correct Azure VMware Solution connectivity model selected for the customer use case at hand", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", - "severity": "High", - "text": "Ensure ExpressRoute or VPN connections from on-premises to Azure are monitored using 'connection monitor'", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "severity": "Low", + "text": "Create custom error pages to display a personalized user experience", "waf": "Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", "severity": "Medium", - "text": "Ensure a connection monitor is created from an Azure native resource to an Azure VMware Solution virtual machine to monitor the Azure VMware Solution back-end ExpressRoute connection", - "waf": "Operations" + "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "arm-service": 
"microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", "severity": "Medium", - "text": "Ensure a connection monitor is created from an on-premises resource to an Azure VMware Solution virtual machine to monitor end-2-end connectivity", - "waf": "Operations" + "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "severity": "High", - "text": "When route server is used, ensure no more then 1000 routes are propagated from route server to ExR gateway to on-premises (ARS limit).", - "waf": "Operations" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", + "severity": "Medium", + "text": "Use transport layer load balancing", + "waf": "Performance" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", - "severity": "High", - "text": "Is Privileged Identity Management implemented for roles managing the Azure VMware Solution resource in the Azure Portal (no standing permissions allowed)", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + 
"service": "App Gateway", + "severity": "Medium", + "text": "Configure routing based on host or domain name for multiple web applications on a single gateway", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", - "severity": "High", - "text": "Privileged Identity Management audit reporting should be implemented for the Azure VMware Solution PIM roles", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", + "severity": "Medium", + "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", - "severity": "Medium", - "text": "If using Privileged Identity Management is being used, ensure that a valid Entra ID enabled account is created with a valid SMTP record for Azure VMware Solution Automatic Host replacement notifications. 
(standing permissions required)", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", + "severity": "Low", + "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols", "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", "severity": "High", - "text": "Limit use of CloudAdmin account to emergency access only", - "waf": "Security" + "text": "Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", - "severity": "Medium", - "text": "Create custom RBAC roles in vCenter to implement a least-privilege model inside vCenter", - "waf": "Security" + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "severity": "High", + "text": "Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", - "severity": "Medium", - "text": "Is a process defined to regularly rotate cloudadmin (vCenter) and admin (NSX) credentials", - "waf": "Security" + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "severity": "High", + "text": "Consider a Cross-Region DR strategy for critical workloads", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", "severity": "High", - "text": "Use a centralized identity provider to be used for workloads (VM's) running on Azure VMware Solution", - "waf": "Security" + "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3", + "waf": "Reliability" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "Medium", - "text": "Is East-West traffic filtering implemented within NSX-T", - "waf": "Security" + "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code", + "waf": 
"Operations" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", "severity": "High", - "text": "Workloads on Azure VMware Solution are not directly exposed to the internet. Traffic is filtered and inspected by Azure Application Gateway, Azure Firewall or 3rd party solutions", - "waf": "Security" + "text": "Follow Metaprompting guardrails for resonsible AI", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", "severity": "High", - "text": "Auditing and logging is implemented for inbound internet requests to Azure VMware Solution and Azure VMware Solution based workloads", - "waf": "Security" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", - "severity": "Medium", - "text": "Session monitoring is implemented for outbound internet connections from Azure VMware Solution or Azure VMware Solution based workloads to identify suspicious/malicious activity", - "waf": "Security" + "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", + "waf": 
"Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", - "severity": "Medium", - "text": "Is DDoS standard protection enabled on ExR/VPN Gateway subnet in Azure", - "waf": "Security" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", + "severity": "High", + "text": "Enable monitoring for your AOAI instances", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", - "severity": "Medium", - "text": "Use a dedicated privileged access workstation (PAW) to manage Azure VMware Solution, vCenter, NSX manager and HCX manager", - "waf": "Security" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", + "severity": "High", + "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", - "severity": "Medium", - "text": "Enable Advanced Threat Detection (Microsoft Defender for Cloud aka ASC) for workloads running 
on Azure VMware Solution",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Monitor token usage to prevent service disruptions due to capacity",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Use Azure ARC for Servers to properly govern workloads running on Azure VMware Solution using Azure native technologies (Azure ARC for Azure VMware Solution is not yet available)",
- "waf": "Security"
+ "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39",
+ "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562",
+ "service": "Azure OpenAI",
 "severity": "Low",
- "text": "Ensure workloads on Azure VMware Solution use sufficient data encryption during run-time (like in-guest disk encryption and SQL TDE). 
(vSAN encryption at rest is default)",
- "waf": "Security"
+ "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "a3592718-e6e2-4051-9267-6ae46691e883",
- "service": "AVS",
- "severity": "Low",
- "text": "When in-guest encryption is used, store encryption keys in Azure Key vault when possible",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54",
+ "link": "https://github.com/Azure-Samples/openai-enterprise-iac",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "5ac94222-3e13-4810-9230-81a941741583",
- "service": "AVS",
- "severity": "Medium",
- "text": "Consider using extended security update support for workloads running on Azure VMware Solution (Azure VMware Solution is eligible for ESU)",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
- "service": "AVS",
+ "arm-service": 
"Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Ensure that the appropriate vSAN Data redundancy method is used (RAID specification)",
- "waf": "Reliability"
+ "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. Leverage capabilities in PromptFlow for Evaluation.",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d88408f3-7273-44c8-96ba-280214590146",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Ensure that the Failure-to-tolerate policy is in place to meet your vSAN storage needs",
- "waf": "Reliability"
+ "text": "Evaluate usage of Provisioned throughput model ",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Ensure that you have requested enough quota, ensuring you have considered growth and Disaster Recovery requirement",
- "waf": "Reliability"
- },
- {
- "arm-service": 
"Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19",
- "service": "AVS",
- "severity": "Medium",
- "text": "Ensure that access constraints to ESXi are understood, there are access limits which might affect 3rd party solutions.",
- "waf": "Operations"
+ "text": "Review and implement Azure AI content safety",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52",
- "service": "AVS",
- "severity": "Medium",
- "text": "Ensure that you have a policy around ESXi host density and efficiency, keeping in mind the lead time for requesting new nodes",
- "waf": "Operations"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Ensure a good cost management process is in place for Azure VMware Solution - Azure Cost Management can be used",
- "waf": "Cost"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": 
"6e043e2a-a359-4271-ae6e-205172676ae4",
- "service": "AVS",
- "severity": "Low",
- "text": "Are Azure reserved instances used to optimize cost for using Azure VMware Solution",
- "waf": "Cost"
+ "text": "Improve latency of the system by limiting token sizes, streaming options",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "6691e883-5ac9-4422-83e1-3810523081a9",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Consider the use of Azure Private-Link when using other Azure Native Services",
- "waf": "Security"
+ "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "db611712-6904-40b4-aa3d-3e0803276d4b",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Ensure all required resource reside within the same Azure availability zone(s)",
+ "text": "Benchmark token consumption requirements based on estimated demands from consumers. 
Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments",
 "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da",
- "service": "AVS",
- "severity": "Medium",
- "text": "Enable Microsoft Defender for Cloud for Azure VMware Solution guest VM workloads",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Use Azure Arc enabled servers to manage your Azure VMware Solution guest VM workloads",
- "waf": "Security"
+ "text": "If you are using Provisioned Throughput Units (PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Enable Diagnostic and metric logging on Azure VMware Solution",
- "waf": "Operations"
+ "text": "Choose the right model for the right task. 
Pick models with right tradeoff between speed, quality of response and output complexity",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Deploy the Log Analytics Agents to Azure VMware Solution guest VM workloads",
- "waf": "Operations"
+ "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
- "service": "AVS",
- "severity": "Medium",
- "text": "Ensure you have a documented and implemented backup policy and solution for Azure VMware Solution VM workloads",
- "waf": "Operations"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "Low",
+ "text": "Deploy multiple OAI instances across regions",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
- "service": "AVS",
- "severity": "Medium",
- "text": "Use Microsoft Defender for Cloud for compliance monitoring of workloads running on Azure VMware Solution",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI 
Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Implement retry & healthchecks with Gateway pattern like APIM",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Are the applicable compliance baselines added to Microsoft Defender for Cloud",
- "waf": "Security"
+ "text": "Ensure having adequate quotas of TPM & RPM for the workload",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e",
- "service": "AVS",
- "severity": "High",
- "text": "Was data residency evaluated when selecting Azure regions to use for Azure VMware Solution deployment",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a",
- "service": "AVS",
- "severity": 
"High",
- "text": "Are data processing implications (service provider / service consumer model) clear and documented",
- "waf": "Security"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "Medium",
+ "text": "Deploy separate fine tuned models across regions if finetuning is employed",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "547c1747-dc56-4068-a714-435cd19dd244",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Consider using CMK (Customer Managed Key) for vSAN only if needed for compliance reason(s).",
- "waf": "Security"
+ "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. 
Leverage Azure's backup and disaster recovery services to protect your data.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Create dashboards to enable core Azure VMware Solution monitoring insights",
- "waf": "Operations"
+ "text": "Azure AI search service tiers should be choosen to have a SLA ",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
- "service": "AVS",
- "severity": "High",
- "text": "Create warning alerts for critical thresholds for automatic alerting on Azure VMware Solution performance (CPU >80%, Avg Memory >80%, vSAN >70%)",
- "waf": "Operations"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "Low",
+ "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to treat the embeddings generated with same sensitivity and classification",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Ensure critical alert is created to monitor if vSAN consumption is below 75% as this is a support threshold from VMware",
- "waf": "Operations"
+ "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Ensure alerts are configured for Azure Service Health alerts and notifications",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
- "service": "AVS",
- "severity": "Medium",
- "text": "Configure Azure VMware Solution logging to be send to an Azure Storage account or Azure EventHub for processing",
- "waf": "Operations"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
- "service": "AVS",
- "severity": "Low",
- "text": "If deep insight in VMware vSphere is required: Is vRealize Operations and/or vRealize Network Insights used in the solution?",
- "waf": "Operations"
+ "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": 
"a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Ensure the vSAN storage policy for VM's is NOT the default storage policy as this policy applies thick provisioning",
- "waf": "Operations"
+ "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Ensure vSphere content libraries are not placed on vSAN as vSAN is a finite resource",
- "waf": "Operations"
+ "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
- "service": "AVS",
- "severity": "Medium",
- "text": "Ensure data repositories for the backup solution are stored outside of vSAN storage. 
Either in Azure native or on a disk pool-backed datastore",
- "waf": "Operations"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are hybrid managed using Azure Arc for Servers (Arc for Azure VMware Solution is in preview)",
- "waf": "Operations"
+ "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b",
- "service": "AVS",
- "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are monitored using Azure Log Analytics and Azure Monitor",
- "waf": "Operations"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Implement Prompt shields and groundedness detection using Content Safety ",
+ "waf": "Operational Excellence"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09",
- "service": "AVS",
- "severity": "Medium",
- "text": "Include workloads running on Azure VMware Solution in existing update management tooling or in Azure Update Management",
- "waf": "Operations"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts", 
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Use Azure Policy to onboard Azure VMware Solution workloads in the Azure Management, Monitoring and Security solutions",
- "waf": "Operations"
+ "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129",
- "service": "AVS",
- "severity": "Medium",
- "text": "Ensure workloads running on Azure VMware Solution are onboarded to Microsoft Defender for Cloud",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Ensure backups are not stored on vSAN as vSAN is a finite resource",
- "waf": "Reliability"
+ "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. 
For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Have all DR solutions been considered and a solution that is best for your business been decided upon? [SRM/JetStream/Zerto/Veeam/...]",
- "waf": "Reliability"
+ "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818",
- "service": "AVS",
- "severity": "Medium",
- "text": "Use Azure Site Recovery when the Disaster Recovery technology is native Azure IaaS",
- "waf": "Reliability"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. 
This data should be afforded the same protective measures as the source material",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
 "severity": "High",
- "text": "Use Automated recovery plans with either of the Disaster solutions, avoid manual tasks as much as possible",
- "waf": "Reliability"
+ "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "8255461e-2aee-4345-9aec-8339248b262d",
- "service": "AVS",
- "severity": "Medium",
- "text": "Use the geopolitical region pair as the secondary disaster recovery environment",
- "waf": "Reliability"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Configure private endpoint for AI services to restrict service access within your network",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI", 
"severity": "High",
- "text": "Use 2 different address spaces between the regions, for example: 10.0.0.0/16 and 192.168.0.0/16 for the different regions",
- "waf": "Reliability"
+ "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a",
- "service": "AVS",
- "severity": "Medium",
- "text": "Will ExpressRoute Global Reach be used for connectivity between the primary and secondary Azure VMware Solution Private Clouds or is routing done through network virtual appliances?",
- "waf": "Reliability"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
+ "severity": "High",
+ "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement",
+ "waf": "Security"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
- "service": "AVS",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
 "severity": "Medium",
- "text": "Have all Backup solutions been considered and a solution that is best for your business been decided upon? [ MABS/CommVault/Metallic.io/Veeam/�. 
]", - "waf": "Reliability" + "text": "Use prompt compression tools like LLMLingua or gprtrim", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", - "severity": "Medium", - "text": "Deploy your backup solution in the same region as your Azure VMware Solution private cloud", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", + "severity": "High", + "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Deploy your backup solution outside of vSan, on Azure native components", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", - "severity": "Low", - "text": "Is a process in place to request a restore of the VMware components managed by the Azure Platform?", - "waf": "Reliability" + "text": "Enforce strong end user authentication 
mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "Low", - "text": "For manual deployments, all configuration and deployments must be documented", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "93555620-2bfe-4456-9b0d-834a348b263e", + "service": "Azure OpenAI", + "severity": "Medium", + "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "Low", - "text": "For manual deployments, consider implementing resource locks to prevent accidental actions on your Azure VMware Solution Private Cloud", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", + "service": "Azure OpenAI", + "severity": "Medium", + "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "Azure OpenAI", "severity": "Low", - "text": "For automated deployments, deploy a minimal private cloud and scale as needed", - "waf": "Operations" + "text": "Azure AI Services are properly tagged for better management", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "Azure OpenAI", "severity": "Low", - "text": "For automated deployments, request or reserve quota prior to starting the deployment", - "waf": "Operations" + "text": "Azure AI Service accounts follows organizational naming conventions", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", - "severity": "Low", - "text": "For automated deployment, ensure that relevant resource locks are created through the automation or through Azure Policy for proper governance", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "Azure OpenAI", + "severity": "High", + "text": "Diagnostic logs in Azure AI services resources should be enabled", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design 
Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "Low", - "text": "Implement human understandable names for ExR authorization keys to allow for easy identification of the keys purpose/use", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/ai-services/authentication", + "service": "Azure OpenAI", + "severity": "High", + "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "Low", - "text": "Use Key vault to store secrets and authorization keys when separate Service Principles are used for deploying Azure VMware Solution and ExpressRoute", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", + "severity": "High", + "text": "Store and manage keys securely using Azure Key Vault. 
Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "Low", - "text": "Define resource dependencies for serializing actions in IaC when many resources need to be deployed in/on Azure VMware Solution as Azure VMware Solution only supports a limited number of parallel operations.", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", + "severity": "High", + "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "Low", - "text": "When performing automated configuration of NSX-T segments with a single Tier-1 gateway, use Azure Portal APIs instead of NSX-Manager APIs", - "waf": "Operations" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "Azure OpenAI", + "severity": "High", + "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", - "severity": "Medium", - "text": "When intending 
to use automated scale-out, be sure to apply for sufficient Azure VMware Solution quota for the subscriptions running Azure VMware Solution", - "waf": "Performance" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "Azure OpenAI", + "severity": "High", + "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", - "severity": "Medium", - "text": "When intending to use automated scale-in, be sure to take storage policy requirements into account before performing such action", - "waf": "Performance" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "Azure OpenAI", + "severity": "High", + "text": "Setup a process to regularly update and patch the LLM libraries and other system components", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", - "severity": "Medium", - "text": "Scaling operations always need to be serialized within a single SDDC as only one scale operation can be performed at a time (even when multiple clusters are used)", - "waf": "Performance" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + 
"link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "Azure OpenAI", + "severity": "High", + "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Consider and validate scaling operations on 3rd party solutions used in the architecture (supported or not)", - "waf": "Performance" + "text": "Understand difference in cost of base models and fine tuned models and token step sizes", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", - "severity": "Medium", - "text": "Define and enforce scale in/out maximum limits for your environment in the automations", - "waf": "Performance" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", + "severity": "High", + "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. 
Ensure you optimize batch size", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Implement monitoring rules to monitor automated scaling operations and monitor success and failure to enable appropriate (automated) responses", - "waf": "Operations" + "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "High", - "text": "When using MON, be aware of the limits of simulataneously configured VMs (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", + "severity": "Medium", + "text": "Set a maximum limit on the number of tokens per model response. 
Optimize the size to ensure it is large enough for a valid response", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "High", - "text": "When using MON, you cannot enable MON on more than 100 Network extensions", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "Azure OpenAI", + "severity": "Medium", + "text": "Review the guidance provided on setting up AI search for Reliability", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", "severity": "Medium", - "text": "If using a VPN connection for migrations, adjust your MTU size accordingly.", - "waf": "Performance" + "text": "Plan and manage AI Search Vector storage", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "Medium", - "text": "For low connectivity regions connecting into Azure (500Mbps or less), considering deploying the HCX WAN optimization appliance", - "waf": "Performance" + "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", - "severity": "Medium", - "text": "Ensure that migrations are started from the on-premises appliance and NOT from the Cloud appliance (do NOT perform a reverse migration)", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", + "severity": "High", + "text": "Evaluate usage of billing models - PAYG vs PTU", + "waf": "Cost Optimization" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "Azure OpenAI", + "severity": "Medium", + "text": "Evaluate the quality of prompts and applications when switching between model versions", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "Medium", - "text": "When Azure Netapp Files is used to extend storage for Azure VMware Solution,consider using this as a VMware datastore instead of attaching directly to a VM.", - "waf": "Reliability" + "text": "Evaluate, monitor and refine your GenAI apps for features like groundedness, relevance, accuracy, coherence, fluency, �", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Ensure that a dedicated ExpressRoute Gateway is being used for external data storage solutions", - "waf": "Reliability" + "text": "Evaluate your Azure AI Search results based on different search parameters", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"2744293b-b628-4537-a551-19b08e8f5854", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "Azure OpenAI", "severity": "Medium", - "text": "Ensure that FastPath is enabled on the ExpressRoute Gateway that is being used for external data storage solutions", - "waf": "Reliability" + "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", - "severity": "High", - "text": "If using stretched cluster, ensure that your selected Disaster Recovery solution is supported by the vendor", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Azure OpenAI", + "severity": "Medium", + "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", - "severity": "High", - "text": "If using stretched cluster, ensure that the SLA provided will meet your requirements", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": 
"Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "Azure OpenAI", + "severity": "Medium", + "text": "Red team your GenAI applications", + "waf": "Security" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", - "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits are connected to your connectivity hub.", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "Azure OpenAI", + "severity": "Medium", + "text": "Provide end users with scoring options for LLM responses and track these scores. 
", + "waf": "Operational Excellence" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "severity": "High", - "text": "If using stretched cluster, ensure that both ExpressRoute circuits have GlobalReach enabled.", - "waf": "Reliability" + "text": "Consider Quota management practices", + "waf": "Cost Optimization" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "High", - "text": "Have site disaster tolerance settings been properly considered and changed for your business if needed.", - "waf": "Reliability" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "Azure OpenAI", + "severity": "Medium", + "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across services and regions", + "waf": "Operational Excellence" }, { "arm-service": "Microsoft.Devices/IotHubs", 
@@ -4425,3538 +4436,3486 @@ "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "af416482-663c-4ed6-b195-b44c7068e09c", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#availability-zone-support", + "service": "Container Apps", "severity": "High", - "text": "Follow Metaprompting guardrails for resonsible AI", - "waf": "Operational Excellence" + "text": "Leverage Availability Zones if regionally applicable", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "95bc80ec-6499-4d14-a7d2-7d296b1d8abc", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#set-up-zone-redundancy-in-your-container-apps-environment", + "service": "Container Apps", "severity": "High", - "text": "Consider Gateway patterns with APIM or solutions like AI central for better rate limiting, load balancing, authentication and logging", - "waf": "Operational Excellence" + "text": "Use more than one replica and enable Zone Redundancy.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": 
"https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "ccaa4fc2-fdbc-4432-8bb7-f7e6469e4dc3", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "severity": "High", - "text": "Enable monitoring for your AOAI instances", - "waf": "Operational Excellence" + "text": "For cross-region DR, deploy container apps in multiple regions and follow active/active or active/passive application guidance.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", + "arm-service": "Microsoft.App/containerApps", + "checklist": "Container Apps Review", + "guid": "2ffada86-c031-4933-bf7d-0c45bc4e5919", + "link": "https://learn.microsoft.com/azure/reliability/reliability-azure-container-apps?tabs=azure-cli#cross-region-disaster-recovery-and-business-continuity", + "service": "Container Apps", "severity": "High", - "text": "Create alerts to notify teams of events such as an entry in the activity log created by an action performed on the resource, such as regenerating its subscription keys or a metric threshold such as the number of errors exceeding 10 in an hour", - "waf": "Operational Excellence" + "text": "Use Front Door or Traffic Manager to route traffic to the closest region", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "PostgreSQL Review Checklist", + "guid": "65285269-441c-44bf-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview", + "service": "PostgreSQL", + "severity": "Medium", + "text": "Leverage Flexible Server", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "PostgreSQL Review Checklist", + "guid": "016ccf31-ae5a-41eb-9888-9535e227896d", + "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability", + "service": "PostgreSQL", "severity": "High", - "text": "Monitor token usage to prevent service disruptions due to capacity", - "waf": "Operational Excellence" + "text": "Leverage Availability Zones where regionally applicable", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "arm-service": "Microsoft.DBforPostgreSQL/servers", + "checklist": "PostgreSQL Review Checklist", + "guid": "31b67c67-be59-4519-8083-845d587cb391", + "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas", + "service": "PostgreSQL", "severity": "Medium", - "text": "observe metrics like processed inference tokens, generated completion tokens monitor for rate limit", - "waf": "Operational Excellence" + "text": "Leverage cross-region read replicas for BCDR", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": 
"https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", "severity": "Low", - "text": "If the diagnostics are not sufficient for you, consider using a gateway such as Azure API Managements in front of Azure OpenAI to log both incoming prompts and outgoing responses, where permitted", - "waf": "Operational Excellence" + "text": "If required for AKS Windows workloads HostProcess containers can be used", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", - "severity": "High", - "text": "Use Infrastructure as code to deploy the Azure OpenAI Service, model deployments, and all related resources", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "Low", + "text": "Use KEDA if running event-driven workloads", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "High", - "text": "Use Microsoft Entra Authentication with Managed Identity instead of API Key", - "waf": "Security" + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "Low", + "text": "Use Dapr to ease microservice development", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", "severity": "High", - "text": "Evaluate the performance/accuracy of the system with a known golden dataset which has the inputs and the correct answers. 
Leverage capabilities in PromptFlow for Evaluation.", - "waf": "Operational Excellence" + "text": "Use the SLA-backed AKS offering", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", - "severity": "High", - "text": "Evaluate usage of Provisioned throughput model ", - "waf": "Performance" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "Low", + "text": "Use Disruption Budgets in your pod and deployment definitions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "severity": "High", - "text": "Review and implement Azure AI content safety", - "waf": "Operational Excellence" + "text": "If using a private registry, configure region replication to store images in multiple regions", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure 
OpenAI", - "severity": "High", - "text": "Define and evaluate the throughput of the system based on tokens & response per minute and align with requirements", - "waf": "Performance" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", + "severity": "Low", + "text": "Use an external application such as kubecost to allocate costs to different users", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Improve latency of the system by limiting token sizes, streaming options", - "waf": "Performance" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", + "severity": "Low", + "text": "Use scale down mode to delete/deallocate nodes", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "severity": "Medium", - "text": "Estimate elasticity demands to determine synchronous and batch request segregation based on priority. 
For high priority, use synchronous approach and for low priority, asynchronous batch processing with queue is preferred", - "waf": "Performance" + "text": "When required use multi-instance partitioning GPU on AKS Clusters", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", - "severity": "High", - "text": "Benchmark token consumption requirements based on estimated demands from consumers. Consider using the Azure OpenAI benchmarking tool to help you validate the throughput if you are using Provisioned Throughput Unit deployments", - "waf": "Performance" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", + "severity": "Low", + "text": "If running a Dev/Test cluster use NodePool Start/Stop", + "waf": "Cost" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "severity": "Medium", - "text": "If you are using Provisioned Throughput Units 
(PTUs), consider deploying a token-per-minute (TPM) deployment for overflow requests. Use a gateway to route requests to the TPM deployment when the PTU limits are reached.", - "waf": "Performance" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "Azure OpenAI", - "severity": "High", - "text": "Choose the right model for the right task. Pick models with right tradeoff between speed, quality of response and output complexity", - "waf": "Performance" + "text": "Use Azure Policy for Kubernetes to ensure cluster compliance", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "Medium", - "text": "Have a baseline for performance without fine-tuning for knowing whether or not fine-tuning has improved model performance", - "waf": "Performance" + "text": "Separate applications from the control plane with user/system node pools", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": 
"https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "Low", - "text": "Deploy multiple OAI instances across regions", - "waf": "Reliability" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "High", - "text": "Implement retry & healthchecks with Gateway pattern like APIM", - "waf": "Reliability" + "text": "Add taint to your system nodepool to make it dedicated", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "severity": "Medium", - "text": "Ensure having adequate quotas of TPM & RPM for the workload", - "waf": "Reliability" + "text": "Use a private registry for your images, such as ACR", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure 
OpenAI", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "severity": "Medium", - "text": "Review the considerations in HAI toolkit guidance and apply those interaction practices for the slution", - "waf": "Operational Excellence" + "text": "Scan your images for vulnerabilities", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Deploy separate fine tuned models across regions if finetuning is employed", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", + "severity": "High", + "text": "Define app separation requirements (namespace/nodepool/cluster)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "severity": "Medium", - "text": "Regularly backup and replicate critical data to ensure data availability and recoverability in case of data loss or system failures. 
Leverage Azure's backup and disaster recovery services to protect your data.", - "waf": "Reliability" + "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "severity": "High", - "text": "Azure AI search service tiers should be choosen to have a SLA ", - "waf": "Reliability" + "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", + "severity": "Medium", + "text": "If required add Key Management Service etcd encryption", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", "severity": "Low", - "text": "Classify data and sensitivity, labeling with Microsoft Purview before generating the embeddings and make sure to 
treat the embeddings generated with same sensitivity and classification", + "text": "If required consider using Confidential Compute for AKS", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "Azure OpenAI", - "severity": "High", - "text": "Encrypt data used for RAG with SSE/Disk encryption with optional BYOK", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", + "severity": "Medium", + "text": "Consider using Defender for Containers", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "severity": "High", - "text": "Ensure TLS is enforced for data in transit across data sources, AI search used for Retrieval-Augmented Generation (RAG) and LLM communication", + "text": "Use managed identities instead of Service Principals", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "severity": "High", - "text": "Use RBAC to manage access to Azure OpenAI services. Assign appropriate permissions to users and restrict access based on their roles and responsibilities", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", + "severity": "Medium", + "text": "Integrate authentication with AAD (using the managed integration)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "severity": "Medium", - "text": "Implement data encryption, masking or redaction techniques to hide sensitive data or replace it with obfuscated values in non-production environments or when sharing data for testing or troubleshooting purposes", + "text": "Limit access to admin kubeconfig (get-credentials --admin)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", + "severity": "Medium", + "text": "Integrate authorization with AAD RBAC", + "waf": "Security" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "severity": "High", - "text": "Utilize Azure Defender to detect and respond to security threats and set up monitoring and alerting mechanisms to identify suspicious activities or breaches. Leverage Azure Sentinel for advanced threat detection and response", + "text": "Use namespaces for restricting RBAC privilege in Kubernetes", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "severity": "Medium", - "text": "Establish data retention and disposal policies to adhere to compliance regulations. 
Implement secure deletion methods for data that is no longer required and maintain an audit trail of data retention and disposal activities", + "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", - "severity": "High", - "text": "Implement Prompt shields and groundedness detection using Content Safety ", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", + "severity": "Medium", + "text": "For AKS non-interactive logins use kubelogin (preview)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "Azure OpenAI", - "severity": "High", - "text": "Ensure compliance with relevant data protection regulations, such as GDPR or HIPAA, by implementing privacy controls and obtaining necessary consents or permissions for data processing activities.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", + "severity": "Medium", + "text": "Disable AKS local accounts", 
"waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Educate your employees about data security best practices, the importance of handling data securely, and potential risks associated with data breaches. Encourage them to follow data security protocols diligently.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Low", + "text": "Configure if required Just-in-time cluster access", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", - "severity": "High", - "text": "Keep production data separate from development and testing data. Only use real sensitive data in production and utilize anonymized or synthetic data in development and test environments.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Low", + "text": "Configure if required AAD conditional access for AKS", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "If you have varying levels of data sensitivity, consider creating separate indexes for each level. 
For instance, you could have one index for general data and another for sensitive data, each governed by different access protocols", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "Low", + "text": "If required for Windows AKS workloads configure gMSA ", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "severity": "Medium", - "text": "Take segregation a step further by placing sensitive datasets in different instances of the service. Each instance can be controlled with its own specific set of RBAC policies", + "text": "For finer control consider using a managed Kubelet Identity", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "Azure OpenAI", - "severity": "High", - "text": "Recognize that embeddings and vectors generated from sensitive information are themselves sensitive. 
This data should be afforded the same protective measures as the source material", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", + "severity": "Medium", + "text": "If using AGIC, do not share an AppGW across clusters", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "severity": "High", - "text": "Apply RBAC to th data stores having embeddings and vectors and scope access based on role's access requirements", - "waf": "Security" + "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", + "severity": "Medium", + "text": "For Windows workloads use Accelerated Networking", + "waf": "Performance" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "High", - "text": "Configure private endpoint for AI services to restrict service access within your network", + "text": "Use the standard ALB (as opposed to the basic one)", + "waf": "Reliability" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", + "severity": "Medium", + "text": "If using Azure CNI, consider using different Subnets for NodePools", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", - "severity": "High", - "text": "Enforce strict inbound and outbound traffic control with Azure Firewall and UDRs and limit the external integration points", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", + "severity": "Medium", + "text": "Use Private Endpoints (preferred) or Virtual Network Service 
Endpoints to access PaaS services from the cluster", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "High", - "text": "Implement network segmentation and access controls to restrict access to the LLM application only to authorized users and systems and prevent lateral movement", - "waf": "Security" + "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Use prompt compression tools like LLMLingua or gprtrim", - "waf": "Cost Optimization" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "High", + "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "High", - "text": "Ensure that APIs and endpoints used by the LLM application are properly secured with authentication and authorization mechanisms, such as Managed identities, API keys or OAuth, to prevent unauthorized access.", - "waf": "Security" + "text": "If using Azure CNI, check the maximum pods/node (default 30)", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Enforce strong end user authentication mechanisms, such as multi-factor authentication, to prevent unauthorized access to the LLM application and associated network resources", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. 
Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "Low", + "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Implement network monitoring tools to detect and analyze network traffic for any suspicious or malicious activities. Enable logging to capture network events and facilitate forensic analysis in case of security incidents", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "High", + "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Conduct security audits and penetration testing to identify and address any network security weaknesses or vulnerabilities in the LLM application's network infrastructure", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "Low", + "text": "If required add your own CNI plugin", "waf": 
"Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", "severity": "Low", - "text": "Azure AI Services are properly tagged for better management", - "waf": "Operational Excellence" + "text": "If required configure Public IP per node in AKS", + "waf": "Performance" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", - "severity": "Low", - "text": "Azure AI Service accounts follows organizational naming conventions", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", + "severity": "Medium", + "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", - "severity": "High", - "text": "Diagnostic logs in Azure AI services resources should be enabled", - 
"waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", + "severity": "Low", + "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", - "severity": "High", - "text": "Key access (local authentication) is recommended to be disabled for security. After disabling key based access, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. ", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", + "severity": "Medium", + "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", + "waf": "Reliability" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": 
"https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "severity": "High", - "text": "Store and manage keys securely using Azure Key Vault. Avoid hard-coding or embedding sensitive keys within your LLM application's code and retrieve them securely from Azure Key Vault using managed identities", + "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "severity": "High", - "text": "Regularly rotate and expire keys stored in Azure Key Vault to minimize the risk of unauthorized access.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", + "severity": "Medium", + "text": "If using a public API endpoint, restrict the IP addresses that can access it", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | 
extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", "severity": "High", - "text": "Use tiktoken to understand token sizes for token optimizations in conversational mode", - "waf": "Cost Optimization" + "text": "Use private clusters if your requirements mandate it", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", - "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", - "service": "Azure OpenAI", - "severity": "High", - "text": "Follow secure coding practices to prevent common vulnerabilities such as injection attacks, cross-site scripting (XSS), or security misconfigurations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", + "severity": "Medium", + "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "High", - "text": "Setup a process to regularly update and patch the LLM libraries and other system components", + "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "High", - "text": "Adhere to Azure OpenAI or other LLMs terms of use, policies and guidance and allowed use cases", - "waf": "Operational Excellence" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Understand difference in cost of base models and fine tuned models and token step sizes", - "waf": "Cost Optimization" + "text": "Use Kubernetes network policies to increase intra-cluster security", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - 
"service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "High", - "text": "Batch requests, where possible, to minimize the per-call overhead which can reduce overall costs. Ensure you optimize batch size", - "waf": "Cost Optimization" + "text": "Use a WAF for web workloads (UIs or APIs)", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", "severity": "Medium", - "text": "Set up a cost tracking system that monitors model usage and use that information to help inform model choices and prompt sizes", - "waf": "Cost Optimization" + "text": "Use DDoS Standard in the AKS Virtual Network", + "waf": "Security" }, { - 
"arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Set a maximum limit on the number of tokens per model response. Optimize the size to ensure it is large enough for a valid response", - "waf": "Cost Optimization" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", + "severity": "Low", + "text": "If required add company HTTP Proxy", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", "severity": "Medium", - "text": "Review the 
guidance provided on setting up AI search for Reliability", - "waf": "Operational Excellence" + "text": "Consider using a service mesh for advanced microservice communication management", + "waf": "Security" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Plan and manage AI Search Vector storage", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", + "severity": "High", + "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Apply LLMOps practices to automate the lifecycle management of your GenAI applications", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", + "severity": "Low", + "text": "Check regularly Azure Advisor for recommendations on your cluster", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", - "severity": "High", - "text": "Evaluate usage of billing models - PAYG vs PTU", - "waf": "Cost Optimization" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", + "severity": "Low", + "text": "Enable AKS auto-certificate rotation", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Evaluate the quality of prompts and applications when switching between model versions", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", + "severity": "High", + "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Evaluate, monitor and refine your GenAI apps for 
features like groundedness, relevance, accuracy, coherence, fluency, �", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", + "severity": "High", + "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Evaluate your Azure AI Search results based on different search parameters", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", + "severity": "High", + "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Look at fine tuning models as way of increasing accuracy only when you have tried other basic approaches like prompt engineering and RAG with your data", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": 
"Low", + "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Use prompt engineering techniques to improve the accuracy of LLM responses", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", + "severity": "Low", + "text": "Consider using AKS command invoke on private clusters", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Red team your GenAI applications", - "waf": "Security" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", + "severity": "Low", + "text": "For planned events consider using Node Auto Drain", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", - "severity": "Medium", - "text": "Provide end users with scoring options 
for LLM responses and track these scores. ", - "waf": "Operational Excellence" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", + "severity": "High", + "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", - "severity": "High", - "text": "Consider Quota management practices", - "waf": "Cost Optimization" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "Low", + "text": "Use custom Node RG (aka 'Infra RG') name", + "waf": "Operations" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "Azure OpenAI", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "severity": "Medium", - "text": "Use Load balancer solutions like APIM based gateway for balancing load and capacity across 
services and regions", - "waf": "Operational Excellence" + "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687", - "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/", - "service": "Purview", - "severity": "Medium", - "text": "Leverage FTA Resillency Handbook", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", + "severity": "Low", + "text": "Taint Windows nodes", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "High", - "text": "Plan for Data Center level outage", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "Low", + "text": "Keep windows containers patch level in sync with host patch level", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. 
Assign contacts to assets", - "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "Medium", - "text": "Practice Failover for BCDR", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Via Diagnostic Settings at the cluster level", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", + "severity": "Low", + "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "97b15b8a-219a-44ab-bb57-879024d22678", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", - "severity": "High", - "text": "Plan a backup strategy and take regular backups", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + "severity": "Low", + "text": "If required use nodePool snapshots", + "waf": "Cost" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d", - "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet", - "service": "Purview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", "severity": "Low", - "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account", - "waf": "Reliability" + 
"text": "Consider spot node pools for non time-sensitive workloads", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b", - "link": "https://learn.microsoft.com/purview/deployment-best-practices", - "service": "Purview", - "severity": "Medium", - "text": "Follow Purview accounts architectures and deployment best practices", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "Low", + "text": "Consider AKS virtual node for quick bursting", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c", - "link": "https://learn.microsoft.com/purview/concept-best-practices-collections", - "service": "Purview", - "severity": "Medium", - "text": "Follow Collection Architectures and best practices", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "High", + "text": "Monitor your cluster metrics with Container Insights (or other tools like Prometheus)", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "b3d1325a-a225-4c6f-9e06-85edddea8a4b", - "link": 
"https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle", - "service": "Purview", - "severity": "Medium", - "text": "Follow Assest lifecycle best practices", - "waf": "Reliability" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "High", + "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed", - "link": "https://learn.microsoft.com/purview/concept-best-practices-automation", - "service": "Purview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", "severity": "Medium", - "text": "Follow automation best practices", - "waf": "Reliability" + "text": "Monitor CPU and memory utilization of the nodes", + "waf": "Operations" }, { - "arm-service": "Microsoft.Purview/accounts", - "checklist": "Microsoft Purview Review Checklist", - "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf", - "link": "https://learn.microsoft.com/purview/disaster-recovery", - "service": "Purview", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": 
"https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Follow Backup and Migration Best practices",
- "waf": "Reliability"
+ "text": "If using Azure CNI, monitor % of pod IPs consumed per node",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary",
- "service": "Purview",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady",
+ "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Follow Purview Glossary Best Practices",
- "waf": "Reliability"
+ "text": "Monitor OS disk queue depth in nodes",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790",
- "link": "https://learn.microsoft.com/purview/concept-workflow",
- "service": "Purview",
- "severity": "Low",
- "text": "Leverage Workflows ",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": 
"24d22678-6d20-4b56-a56a-958119bf8d8e",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-security",
- "service": "Purview",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
+ "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Follow Purview Security Best Practices",
- "waf": "Reliability"
+ "text": "Subscribe to resource health notifications for your AKS cluster",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory",
- "service": "Purview",
- "severity": "Medium",
- "text": "Follow Purview Data Lineage Best Practices",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Configure requests and limits in your pod specs",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "9579e76b-896e-4710-a7da-7be9956d14d3",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning",
- "service": "Purview",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "769ef669-1a48-435a-a942-223ece80b123",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Follow Best Practices for Scanning Registered Sources",
- "waf": "Reliability"
+ "text": "Enforce resource quotas for namespaces",
+ 
"waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed",
- "link": "https://learn.microsoft.com/purview/concept-best-practices-classification",
- "service": "Purview",
- "severity": "Medium",
- "text": "Follow Classification Best Practices in Governance Portal",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Ensure your subscription has enough quota to scale out your nodepools",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69",
- "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions",
- "service": "Purview",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65",
+ "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Configure Liveness and Readiness probes for all deployments",
+ "waf": "Operations"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
+ "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
 "severity": "Medium",
- "text": "Perform Sensitivity Labelling in the Purview Data Map",
- "waf": 
"Reliability"
+ "text": "Use the Cluster Autoscaler",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96",
- "link": "https://learn.microsoft.com/purview/concept-data-share",
- "service": "Purview",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
+ "guid": "831c2872-c693-4b39-a887-a561bada49bc",
+ "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
+ "service": "AKS",
 "severity": "Low",
- "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview",
- "waf": "Reliability"
+ "text": "Customize node configuration for AKS node pools",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4",
- "link": "https://learn.microsoft.com/purview/concept-insights",
- "service": "Purview",
- "severity": "Low",
- "text": "Leverage Data Estate Insights",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
+ "severity": "Medium",
+ "text": "Use the Horizontal Pod Autoscaler when required",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab",
- "link": "https://learn.microsoft.com/purview/catalog-adoption-insights",
- "service": "Purview",
- "severity": "Low",
- "text": "Use Data stewardship and Catalog adoption",
- "waf": "Reliability"
+ "arm-service": 
"microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity",
+ "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3",
+ "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Consider an appropriate node size, not too large or too small",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581",
- "link": "https://learn.microsoft.com/purview/concept-insights",
- "service": "Purview",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d",
+ "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits",
+ "service": "AKS",
 "severity": "Low",
- "text": "Use Inventory and Ownership",
- "waf": "Reliability"
+ "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9",
- "link": "https://learn.microsoft.com/purview/glossary-insights",
- "service": "Purview",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb",
+ "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks",
+ "service": "AKS",
 "severity": "Low",
- "text": "Leverage Insights for Glossary, Classifications, Sensitivity Labels",
- "waf": "Reliability"
- },
- {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft 
Purview Review Checklist",
- "guid": "b130a888-9579-4e76-a896-e710a7da7be9",
- "link": "https://learn.microsoft.com/purview/compliance-manager",
- "service": "Purview",
- "severity": "Medium",
- "text": "Generate assessment scores",
- "waf": "Reliability"
+ "text": "Consider subscribing to EventGrid Events for AKS automation",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f",
- "link": "https://learn.microsoft.com/purview/compliance-manager-scoring",
- "service": "Purview",
- "severity": "Medium",
- "text": "Profiling- get summaries of data content",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d",
+ "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations",
+ "service": "AKS",
+ "severity": "Low",
+ "text": "For long running operation on an AKS cluster consider event termination",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1",
- "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts",
- "service": "Purview",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021",
+ "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts",
+ "service": "AKS",
 "severity": "Low",
- "text": "Follow Microsoft Purview Data Owner access policies",
- "waf": "Reliability"
+ "text": "If required consider using Azure Dedicated Hosts for AKS nodes",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac",
- "link": 
"https://learn.microsoft.com/purview/concept-self-service-data-access-policy",
- "service": "Purview",
- "severity": "Low",
- "text": "Follow Self-service access policies",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant",
+ "guid": "24367b33-6971-45b1-952b-eee0b9b588de",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
+ "severity": "High",
+ "text": "Use ephemeral OS disks",
+ "waf": "Performance"
 },
 {
- "arm-service": "Microsoft.Purview/accounts",
- "checklist": "Microsoft Purview Review Checklist",
- "guid": "b49e5b96-0332-44ec-b8cc-13318da61170",
- "link": "https://learn.microsoft.com/purview/concept-policies-devops",
- "service": "Purview",
- "severity": "Low",
- "text": "Follow DevOps policies",
- "waf": "Reliability"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
+ "service": "AKS",
+ "severity": "High",
+ "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds",
+ "waf": "Performance"
 },
 {
 "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "Azure AKS Review",
- "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
- "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
+ "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db",
+ "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks",
"service": "AKS",
 "severity": "Low",
- "text": "If required for AKS Windows workloads HostProcess containers can be used",
- "waf": "Reliability"
+ "text": "For hyper performance storage option use Ultra Disks on AKS",
+ "waf": "Performance"
 },
 {
 "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "Azure AKS Review",
- "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
- "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
+ "guid": "9f7547c1-747d-4c56-868a-714435bd19dd",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region",
 "service": "AKS",
- "severity": "Low",
- "text": "Use KEDA if running event-driven workloads",
+ "severity": "Medium",
+ "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)",
 "waf": "Performance"
 },
 {
 "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "Azure AKS Review",
- "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58",
- "link": "https://dapr.io/",
+ "guid": "24429eb7-2281-4376-85cc-57b4a4b18142",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage",
 "service": "AKS",
- "severity": "Low",
- "text": "Use Dapr to ease microservice development",
- "waf": "Operations"
+ "severity": "Medium",
+ "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons",
+ "waf": "Performance"
 },
 {
 "arm-service": "microsoft.containerservice/managedClusters",
 "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
- "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
- "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
+ "guid": "83958a8c-2689-4b32-ab57-cfc64546135a",
+ "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support",
 "service": "AKS",
- "severity": "High",
- "text": "Use the 
SLA-backed AKS offering",
- "waf": "Reliability"
+ "severity": "Medium",
+ "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones",
+ "waf": "Performance"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models",
+ "service": "Azure Monitor",
+ "severity": "Medium",
+ "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "45901365-d38e-443f-abcb-d868266abca2",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
+ "service": "Azure Backup",
+ "severity": "Medium",
+ "text": "check backup instances with the underlying datasource not found",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449",
+ "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "service": "Azure Backup",
+ "severity": "Medium",
+ "text": "Consider a good balance between site recovery storage and backup for non mission critical applications",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a",
+ "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
+ "service": "Azure Monitor",
+ "severity": "Medium",
+ "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). 
- consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "Azure Monitor",
+ "severity": "Medium",
+ "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)",
+ "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw",
+ "waf": "Cost"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Check that the disks are really needed, if not: delete. 
If they are needed, find lower storage tiers or use backup -",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
- "severity": "Low",
- "text": "Use Disruption Budgets in your pod and deployment definitions",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d1e44a19-659d-4395-afd7-7289b835556d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
+ "service": "Storage",
+ "severity": "Medium",
+ "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ",
+ "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure AKS Review",
- "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
- "service": "ACR",
- "severity": "High",
- "text": "If using a private registry, configure region replication to store images in multiple regions",
- "waf": "Reliability"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Make sure advisor is configured for VM right sizing ",
+ "waf": "Cost"
 },
 {
- "arm-service": 
"microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
- "service": "AKS",
- "severity": "Low",
- "text": "Use an external application such as kubecost to allocate costs to different users",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "description": "check by searching the Meter Category Licenses in the Cost analysys",
+ "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently",
 "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
- "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
- "service": "AKS",
- "severity": "Low",
- "text": "Use scale down mode to delete/deallocate nodes",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3",
+ "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
+ "service": "VM",
+ "severity": "Medium",
+ "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance",
 "waf": "Cost"
 },
 {
- "arm-service": 
"microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
- "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
- "service": "AKS",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
+ "service": "VM",
 "severity": "Medium",
- "text": "When required use multi-instance partitioning GPU on AKS Clusters",
+ "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)",
+ "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
 "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
- "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
- "service": "AKS",
- "severity": "Low",
- "text": "If running a Dev/Test cluster use NodePool Start/Stop",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
+ "service": "VM",
+ "severity": "Medium",
+ "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.",
 "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and 
properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
- "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
- "service": "AKS",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
+ "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
+ "service": "VM",
 "severity": "Medium",
- "text": "Use Azure Policy for Kubernetes to ensure cluster compliance",
- "waf": "Security"
+ "text": "Only larger disks can be reserved => 1 TiB -",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
- "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
+ "service": "VM",
 "severity": "Medium",
- "text": "Separate applications from the control plane with user/system node pools",
- "waf": "Security"
+ "text": "After the right-sizing optimization",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
- "severity": "Low",
- "text": "Add taint to your system nodepool to make it dedicated",
- "waf": "Security"
+ 
"arm-service": "Microsoft.Sql/servers",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
+ "service": "Azure SQL",
+ "severity": "Medium",
+ "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
- "link": "https://learn.microsoft.com/azure/container-registry/",
- "service": "AKS",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
+ "service": "VM",
 "severity": "Medium",
- "text": "Use a private registry for your images, such as ACR",
- "waf": "Security"
+ "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure AKS Review",
- "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
- "link": "https://learn.microsoft.com/azure/security-center/container-security",
- "service": "ACR",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "VM",
 "severity": "Medium",
- "text": "Scan your images for vulnerabilities",
- "waf": "Security"
+ "text": "Consider using a VMSS to match demand rather than flat sizing",
+ 
"waf": "Cost"
 },
 {
 "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
+ "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
 "service": "AKS",
- "severity": "High",
- "text": "Define app separation requirements (namespace/nodepool/cluster)",
- "waf": "Security"
+ "severity": "Medium",
+ "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
- "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
- "service": "AKS",
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Azure Backup",
 "severity": "Medium",
- "text": "Store your secrets in Azure Key Vault with the CSI Secrets Store driver",
- "waf": "Security"
+ "text": "Move recovery points to vault-archive where applicable (Validate)",
+ "training": "https://azure.microsoft.com/pricing/reservations/",
+ "waf": "Cost"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
- "link": "https://learn.microsoft.com/azure/aks/update-credentials",
- "service": "AKS",
- "severity": "High",
- "text": "If using Service Principals for the cluster, refresh credentials periodically (like quarterly)",
- "waf": "Security"
+ 
"arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "severity": "Medium", + "text": "Consider using Spot VMs with fallback where possible. Consider autotermination of clusters.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", "severity": "Medium", - "text": "If required add Key Management Service etcd encryption", - "waf": "Security" + "text": "Functions - Reuse connections", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "Low", - "text": "If required consider using Confidential Compute for AKS", - "waf": "Security" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "severity": "Medium", + "text": "Functions - Cache data locally", + "training": 
"https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", "severity": "Medium", - "text": "Consider using Defender for Containers", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", - "severity": "High", - "text": "Use managed identities instead of Service Principals", - "waf": "Security" + "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. 
This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", "severity": "Medium", - "text": "Integrate authentication with AAD (using the managed integration)", - "waf": "Security" + "text": "Functions - Keep your functions warm", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", "severity": "Medium", - "text": "Limit access to admin kubeconfig (get-credentials --admin)", - "waf": "Security" + "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - 
consider moving it to a separate consumption plan (and consider higher plan for CPU)", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", "severity": "Medium", - "text": "Integrate authorization with AAD RBAC", - "waf": "Security" + "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", - "severity": "High", - "text": "Use namespaces for restricting RBAC privilege in Kubernetes", - "waf": "Security" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "severity": "Medium", + "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. 
What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", "severity": "Medium", - "text": "For Pod Identity Access Management use Azure AD Workload Identity (preview)", - "waf": "Security" + "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. 
This will return a 204 (No Content) to the PoP so only header data is returned.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", "severity": "Medium", - "text": "For AKS non-interactive logins use kubelogin (preview)", - "waf": "Security" + "text": "Frontdoor - Route to something that returns nothing. Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", "severity": "Medium", - "text": "Disable AKS local accounts", - "waf": "Security" + "text": "Consider archiving tiers for less used data", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS 
Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Low", - "text": "Configure if required Just-in-time cluster access", - "waf": "Security" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "severity": "Medium", + "text": "Check disk sizes where the size does not match the tier (i.e. A 513 GiB disk will pay a P30 (1TiB) and consider resizing", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Low", - "text": "Configure if required AAD conditional access for AKS", - "waf": "Security" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "severity": "Medium", + "text": "Consider using standard SSD rather than Premium or Ultra where possible", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "severity": "Low", - "text": "If required for Windows AKS workloads configure gMSA ", - "waf": "Security" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": 
"c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "severity": "Medium", + "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", "severity": "Medium", - "text": "For finer control consider using a managed Kubelet Identity", - "waf": "Security" + "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", "severity": "Medium", - "text": "If using AGIC, do not share an AppGW across clusters", - "waf": "Reliability" + "text": "Storage accounts: check hot tier and/or GRS necessary", + "waf": "Cost" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", - "severity": "High", - "text": "Do not use AKS HTTP Routing Add-On, use instead the managed NGINX ingress with the application routing add-on.", - "waf": "Reliability" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "severity": "Medium", + "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", "severity": "Medium", - "text": "For Windows workloads use Accelerated Networking", - "waf": "Performance" + "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", - "severity": "High", - "text": "Use the standard ALB (as opposed to the basic one)", - "waf": "Reliability" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "severity": "Medium", + "text": "Export cost data to a storage account for additional data analysis.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "severity": "Medium", + "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", + "waf": "Cost" + }, + { + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", "severity": "Medium", - "text": "If using Azure CNI, consider using different Subnets for NodePools", - "waf": "Security" + "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.", + "waf": "Cost" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", "severity": "Medium", - "text": "Use Private Endpoints (preferred) or Virtual Network Service Endpoints to access PaaS services from the cluster", - "waf": "Security" + "text": "Create multiple Apache Spark pool definitions of various sizes.", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "High", - "text": "Choose the best CNI network plugin for your requirements (Azure CNI recommended)", - "waf": "Reliability" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "severity": "Medium", + "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "High", - "text": "If using Azure CNI, size your subnet accordingly considering the maximum number of pods per node", - "waf": "Performance" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "severity": "Medium", + "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "High", - "text": "If using Azure CNI, check the maximum pods/node (default 30)", - "waf": "Performance" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "severity": "Medium", + "text": "Right-sizing all VMs", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "For internal apps organizations often open the whole AKS subnet in their firewalls. This opens network access to the nodes too, and potentially to the pods as well (if using Azure CNI). 
If LoadBalancer IPs are in a different subnet, only this one needs to be available to the app clients. Another reason is that if the IP addresses in the AKS subnet are a scarce resource, consuming its IP addresses for services will reduce the maximum scalability of the cluster .", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "Low", - "text": "If using private-IP LoadBalancer services, use a dedicated subnet (not the AKS subnet)", - "waf": "Security" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "severity": "Medium", + "text": "Swap VM sized with normalized and most recent sizes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "High", - "text": "Size the service IP address range accordingly (it is going to limit the cluster scalability)", - "waf": "Reliability" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "severity": "Medium", + "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS 
Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", - "severity": "Low", - "text": "If required add your own CNI plugin", - "waf": "Security" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "severity": "Medium", + "text": "Containerizing an application can improve VM density and save money on scaling it", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Cost" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "Low", - "text": "If required configure Public IP per node in AKS", - "waf": "Performance" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "High", + "text": "Enable 2 replicas to have 99.9% availability for read operations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": 
"https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "Medium", - "text": "Use an ingress controller to expose web-based apps instead of exposing them with LoadBalancer-type services", + "text": "Enable 3 replicas to have 99.9% availability for read/write operations", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "Low", - "text": "Use Azure NAT Gateway as outboundType for scaling egress traffic", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "severity": "High", + "text": "Leverage Availability Zones by enabling read and/or write replicas", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "Medium", - "text": "Use Dynamic allocations of IPs in order to avoid Azure CNI IP exhaustion", + "text": "For regional redudancy, Manually create services in 2 or more regions for Search as it doesn't provide an automated method of replicating search indexes across 
geographic regions", "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", - "severity": "High", - "text": "Filter egress traffic with AzFW/NVA if your security requirements mandate it", - "waf": "Security" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", + "severity": "Medium", + "text": "To synchronize data across multiple services either Use indexers for updating content on multiple services or Use REST APIs for pushing content updates on multiple services", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": 
"Cognitive Search", "severity": "Medium", - "text": "If using a public API endpoint, restrict the IP addresses that can access it", - "waf": "Security" + "text": "Use Azure Traffic Manager to coordinate requests", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", "severity": "High", - "text": "Use private clusters if your requirements mandate it", - "waf": "Security" + "text": "Backup and Restore an Azure Cognitive Search Index. 
Use this sample code to back up index definition and snapshot to a series of Json files", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "Medium", - "text": "For Windows 2019 and 2022 AKS nodes Calico Network Policies can be used ", - "waf": "Security" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Using the correct approach to feed a datalake with cold data and having the Kusto query engine at your disposal at the same time, as in the short-term storage", + "guid": "ba7da7be-9951-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/data-explorer/kusto/management/data-export/continuous-data-export", + "service": "Azure Data Explorer", + "text": "Leverage External Tables and Continuous data export overview to reduce costs", + "waf": "Reliability" }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "High", - "text": "Enable a Kubernetes Network Policy option (Calico/Azure)", - "waf": "Security" + { + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data 
Explorer provides an optional follower capability for a leader cluster to be followed by other follower clusters for read-only access to the leader's data and metadata. Changes in the leader, such as create, append, and drop are automatically synchronized to the follower. While the leaders could span Azure regions, the follower clusters should be hosted in the same region(s) as the leader. If the leader cluster is down or databases or tables are accidentally dropped, the follower clusters will lose access until access is recovered in the leader.", + "guid": "56a22586-f490-4641-addd-ea8a377cdeb3", + "link": "https://learn.microsoft.com/azure/data-explorer/follower?tabs=csharp", + "service": "Azure Data Explorer", + "text": "To share data, explore Leader-follower cluster configuration", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "High", - "text": "Use Kubernetes network policies to increase intra-cluster security", - "waf": "Security" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "Azure Data Explorer doesn't support automatic protection against the outage of an entire Azure region. This disruption can happen during a natural disaster, like an earthquake. If you require a solution for a disaster recovery situation, do the following steps to ensure business continuity. 
In these steps, you'll replicate your clusters, management, and data ingestion in two Azure paired regions.", + "guid": "861bb2bc-14ae-4a6e-95d8-d9a3adc218e6", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#create-multiple-independent-clusters", + "service": "Azure Data Explorer", + "text": "To protect against regional failure, create Multiple independent clusters, preferably in two Azure Paired regions", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "High", - "text": "Use a WAF for web workloads (UIs or APIs)", - "waf": "Security" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "436b0635-cb45-4e57-a603-324ace8cc123", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution#replicate-management-activities", + "service": "Azure Data Explorer", + "text": "Replicate all management activities such as creating new tables or managing user roles on each cluster.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend 
compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", - "severity": "Medium", - "text": "Use DDoS Standard in the AKS Virtual Network", - "waf": "Security" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "18ca6017-0265-4f4b-a46a-393af7f31728", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-create-solution", + "service": "Azure Data Explorer", + "text": "Ingest data into each cluster in parallel", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", - "severity": "Low", - "text": "If required add company HTTP Proxy", - "waf": "Security" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This configuration is also called 'always-on'. 
For critical application deployments with no tolerance for outages, you should use multiple Azure Data Explorer clusters across Azure paired regions.", + "guid": "58a9c279-9c42-4bb6-9d0c-65556246b338", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-active-configuration", + "service": "Azure Data Explorer", + "text": "For critical application with no tolerance for outages, create Active-Active-Active (always-on) configuration", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", - "severity": "Medium", - "text": "Consider using a service mesh for advanced microservice communication management", - "waf": "Security" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This configuration is identical to the active-active-active configuration, but only involves two Azure paired regions. Configure dual ingestion, processing, and curation. Users are routed to the nearest region. 
The cluster SKU must be the same across regions.", + "guid": "563a4dc7-4a74-48b6-922a-d190916a6649", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-active-configuration", + "service": "Azure Data Explorer", + "text": "For critical applications, create Active-Active configuration in two paired regions", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", - "severity": "High", - "text": "Configure alerts on the most critical metrics (see Container Insights for recommendations)", - "waf": "Operations" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "The Active-Hot configuration is similar to the Active-Active configuration in dual ingest, processing, and curation. While the standby cluster is online for ingestion, process, and curation, it isn't available to query. The standby cluster doesn't need to be in the same SKU as the primary cluster. It can be of a smaller SKU and scale, which may result in it being less performant. 
In a disaster scenario, users are redirected to the standby cluster, which can optionally be scaled up to increase performance.", + "guid": "8fadfe27-7de2-483b-8ac3-52baa9b75708", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#active-hot-standby-configuration", + "service": "Azure Data Explorer", + "text": "For applications, which required only read during failure, create Active-Hot standby configuration", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", - "severity": "Low", - "text": "Check regularly Azure Advisor for recommendations on your cluster", - "waf": "Operations" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "This solution offers the least resiliency (highest RPO and RTO), is the lowest in cost and highest in effort. In this configuration, there's no data recovery cluster. Configure continuous export of curated data (unless raw and intermediate data is also required) to a storage account that is configured GRS (Geo Redundant Storage). A data recovery cluster is spun up if there is a disaster recovery scenario. At that time, DDLs, configuration, policies, and processes are applied. 
Data is ingested from storage with the ingestion property kustoCreationTime to over-ride the ingestion time that defaults to system time.", + "guid": "49aa8092-dc8e-4b9d-8bb7-3b26a5a67eba", + "link": "https://learn.microsoft.com/azure/data-explorer/business-continuity-overview#on-demand-data-recovery-configuration", + "service": "Azure Data Explorer", + "text": "For applications, where cost is a concern and can withstand some downtime during failure, create on-demand data recovery cluster configuration", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", - "severity": "Low", - "text": "Enable AKS auto-certificate rotation", - "waf": "Operations" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "description": "All database objects, policies, and configurations should be persisted in source control so they can be released to the cluster from your release automation tool.", + "guid": "5a907e1e-348e-4f25-9c27-d32e8bbac757", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", + "text": "Wrap DevOps and source control around all your code", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", - "severity": "High", - "text": "Have a regular process to upgrade your kubernetes version periodically (quarterly, for example), or use the AKS autoupgrade feature", - "waf": "Operations" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data 
Explorer Review Checklist", + "guid": "1559ab91-53e8-4908-ae28-b84c33b6b780", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", + "text": "Design, develop, and implement validation routines to ensure all clusters are in-sync from a data perspective.", + "training": "https://learn.microsoft.com/learn/modules/azure-active-directory/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", - "severity": "High", - "text": "Use kured for Linux node upgrades in case you are not using node-image upgrade", - "waf": "Operations" + "arm-service": "Microsoft.Kusto/clusters", + "checklist": "Azure Data Explorer Review Checklist", + "guid": "8b9fe5c4-1049-4d40-9a82-2c3474d00f18", + "link": "https://learn.microsoft.com/azure/data-explorer/devops", + "service": "Azure Data Explorer", + "text": "Be fully cognizant of what it takes to build a cluster from scratch. 
Leverage Infrastructure as a Code for your deployments", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", - "severity": "High", - "text": "Have a regular process to upgrade the cluster node images periodically (weekly, for example)", - "waf": "Operations" + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", + "severity": "Medium", + "text": "Use long-live revocable token, cache your token and acquire your silently using Microsoft Identity Library", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "Low", - "text": "Consider gitops to deploy applications or cluster configuration to multiple clusters", - "waf": "Operations" + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", + "severity": "Medium", + "text": "Make sure that your sign-in user flows are backed up and resilient. Make sure that the code that you use to sign-in your users are backed up and recoverable. 
Resilient interfaces with external processes", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "severity": "Low", - "text": "Consider using AKS command invoke on private clusters", - "waf": "Operations" + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", + "severity": "Medium", + "text": "Custom brand assets should be hosted on a CDN", + "waf": "Performance" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", "severity": "Low", - "text": "For planned events consider using Node Auto Drain", - "waf": "Operations" + "text": "Have multiple identiy providers (i.e., login with your microsoft, google, facebook accounts)", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", - "severity": "High", - "text": "Develop own governance practices to make sure no changes are performed by operators in the node RG (aka 'infra RG')", - "waf": "Operations" + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": 
"https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "Medium", + "text": "Follow VM rules for high availability on the VM level (premium disks, two or more in a region, in different availability zones)", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "Low", - "text": "Use custom Node RG (aka 'Infra RG') name", - "waf": "Operations" + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "Medium", + "text": "Don't replicate! 
Replication can create issues with directory synchronization", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "Medium", - "text": "Do not use deprecated Kubernetes APIs in your YAML manifests", - "waf": "Operations" + "text": "Have active-active for multi-regions", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", - "severity": "Low", - "text": "Taint Windows nodes", - "waf": "Operations" + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "Medium", + "text": "Add Azure AD Domain service stamps to additional regions and locations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "Low", - "text": "Keep windows containers patch level in sync with host patch level", - "waf": "Operations" + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": 
"https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "Medium", + "text": "Use Replica Sets for DR", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "Via Diagnostic Settings at the cluster level", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", - "severity": "Low", - "text": "Send master logs (aka API logs) to Azure Monitor or your preferred log management solution", - "waf": "Operations" + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "guid": "43e52f47-22d9-428c-8b1c-d521e54a29a9", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/pass-foundations-playbooks-CosmosDB_v1.docx", + "service": "CosmosDB", + "severity": "Medium", + "text": "FTA Resiliency Playbook", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", - "severity": "Low", - "text": "If required use nodePool snapshots", - "waf": "Cost" + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "guid": "de39ac0e-7c28-4dc9-9565-7202bff4564b", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", + "severity": "High", + "text": "Leverage Availablity Zones where regionally applicable and ofcourse if the service offers it", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - 
"service": "AKS", - "severity": "Low", - "text": "Consider spot node pools for non time-sensitive workloads", - "waf": "Operations" + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "guid": "0d934a34-8b26-43e7-bd60-513a3649906e", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#replica-outages", + "service": "CosmosDB", + "severity": "Medium", + "text": "Run multiple replicas of the database (>1 ) in Prod", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "Low", - "text": "Consider AKS virtual node for quick bursting", - "waf": "Operations" + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Multi-region writes capability allows you to take advantage of the provisioned throughput for your databases and containers across the globe", + "guid": "bad38ead-53cc-47de-8d8a-aab3571449ab", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#multiple-write-regions", + "service": "CosmosDB", + "severity": "Medium", + "text": "Leverage Multi-Region Writes", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "High", - "text": "Monitor your cluster metrics with Container Insights (or other tools like 
Prometheus)", - "waf": "Operations" + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Span Cosmos account across two or more regions with multi-region writes", + "guid": "8153d89f-89dc-47b3-9be2-b1a27f7b9e91", + "link": "https://learn.microsoft.com/azure/cosmos-db/high-availability#slas", + "service": "CosmosDB", + "severity": "Medium", + "text": "Distribute your data globally", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Choose from various consistency levels such as Eventual, Consistent Prefix, Session, Bounded Staleness and strong", + "guid": "9f8ea848-25ec-4140-bc32-2758e6ee9ac0", + "link": "https://learn.microsoft.com/azure/cosmos-db/consistency-levels", + "service": "CosmosDB", "severity": "High", - "text": "Store and analyze your cluster logs with Container Insights (or other tools like Telegraf/ElasticSearch)", - "waf": "Operations" + "text": "Choose from several well-defined consistency models", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Maintain 
business continuity during regional outages. Azure Cosmos DB supports service-managed failover during a regional outage. During a regional outage, Azure Cosmos DB continues to maintain its latency, availability, consistency, and throughput SLAs. To help make sure that your entire application is highly available, Azure Cosmos DB offers a manual failover API to simulate a regional outage. By using this API, you can carry out regular business continuity drills.", + "guid": "a47e4d1e-bb79-43f9-bf87-69e1032b72fe", + "link": "https://learn.microsoft.com/azure/cosmos-db/how-to-manage-database-account#automatic-failover", + "service": "CosmosDB", "severity": "Medium", - "text": "Monitor CPU and memory utilization of the nodes", - "waf": "Operations" + "text": "Enable Service managed failover", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Azure Cosmos DB automatically takes backups of your data at regular intervals. The automatic backups are taken without affecting the performance or availability of the database operations. 
All the backups are stored separately in a storage service.", + "guid": "3499c9c1-133d-42f7-a4b1-a5bd06ff1a90", + "link": "https://learn.microsoft.com/azure/cosmos-db/online-backup-and-restore", + "service": "CosmosDB", "severity": "Medium", - "text": "If using Azure CNI, monitor % of pod IPs consumed per node", - "waf": "Operations" + "text": "Enable Automatic Backups", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "I/O in the OS disk is a critical resource. If the OS in the nodes gets throttled on I/O, this could lead to unpredictable behavior, typically ending up in node being declared NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. 
The minimum backup interval can be one hour.", + "guid": "a6eb33f6-005c-4d92-9286-7655672d6121", + "link": "https://learn.microsoft.com/azure/cosmos-db/periodic-backup-restore-introduction", + "service": "CosmosDB", "severity": "Medium", - "text": "Monitor OS disk queue depth in nodes", - "waf": "Operations" + "text": "Perform Periodic Backups", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "arm-service": "microsoft.documentdb/databaseAccounts", + "checklist": "CosmosDB Review Checklist", + "description": "Continous 7 day retention and 30 day retention backups. Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. 
Continuous backups are taken in every region where the account exists.", + "guid": "d43918a8-cd28-49be-b6b1-7cb8245461e1", + "link": "https://learn.microsoft.com/azure/cosmos-db/continuous-backup-restore-introduction", + "service": "CosmosDB", "severity": "Medium", - "text": "If not using egress filtering with AzFW/NVA, monitor standard ALB allocated SNAT ports", - "waf": "Operations" + "text": "Continous Backup with point-in-time restore in Azure Cosmos DB", + "training": "https://learn.microsoft.com/learn/modules/create-custom-azure-roles-with-rbac/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "severity": "Medium", - "text": "Subscribe to resource health notifications for your AKS cluster", + "text": "Azure Center for SAP solutions (ACSS) is an Azure offering that makes SAP a top-level workload on Azure. ACSS is an end-to-end solution that enables you to create and run SAP systems as a unified workload on Azure and provides a more seamless foundation for innovation. 
You can take advantage of the management capabilities for both new and existing Azure-based SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "High", - "text": "Configure requests and limits in your pod specs", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", + "severity": "Medium", + "text": "Azure supports automating SAP deployments in Linux and Windows. SAP Deployment Automation Framework is an open-source orchestration tool that can deploy, install, and maintain SAP environments.", + "training": "https://github.com/Azure/sap-automation", "waf": "Operations" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", "severity": "Medium", - "text": "Enforce resource quotas for namespaces", - "waf": "Operations" + "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", + "waf": "Reliability" + }, + { + "checklist": "SAP Checklist", + 
"guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", + "severity": "Medium", + "text": "Test the backup and recovery times to verify that they meet your RTO requirements for restoring all systems simultaneously after a disaster.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "severity": "High", - "text": "Ensure your subscription has enough quota to scale out your nodepools", - "waf": "Operations" + "text": "You can replicate standard storage between paired regions, but you can't use standard storage to store your databases or virtual hard disks. You can replicate backups only between paired regions that you use. For all your other data, run your replication by using native DBMS features like SQL Server Always On or SAP HANA System Replication. 
Use a combination of Site Recovery, rsync or robocopy, and other third-party software for the SAP application layer.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4fd0602-7ab5-46f1-b66a-e9dea9654a65", - "link": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/", - "service": "AKS", - "severity": "High", - "text": "Configure Liveness and Readiness probes for all deployments", - "waf": "Operations" + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "severity": "Medium", + "text": "When using Azure Availability Zones to achieve high availability, you must consider latency between SAP application servers and database servers. 
For zones with high latencies, operational procedures need to be in place to ensure that SAP application servers and database servers are running in the same zone at all times.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "Medium", - "text": "Use the Cluster Autoscaler", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", + "severity": "High", + "text": "Set up ExpressRoute connections from on-premises to the primary and secondary Azure disaster recovery regions. 
Also, as an alternative to using ExpressRoute, consider setting up VPN connections from on-premises to the primary and secondary Azure disaster recovery regions.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", "severity": "Low", - "text": "Customize node configuration for AKS node pools", - "waf": "Performance" + "text": "Replicate key vault contents like certificates, secrets, or keys across regions so you can decrypt data in the DR region.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "Medium", - "text": "Use the Horizontal Pod Autoscaler when required", - "waf": "Performance" + "text": "Peer the primary and disaster recovery virtual networks. 
For example, for HANA System Replication, an SAP HANA DB virtual network needs to be peered to the disaster recovery site's SAP HANA DB virtual network.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "Larger nodes will bring higher performance and features such as ephemeral disks and accelerated networking, but they will increase the blast radius and decrease the scaling granularity", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", - "severity": "High", - "text": "Consider an appropriate node size, not too large or too small", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "Low", + "text": "If you use Azure NetApp Files storage for your SAP deployments, at a minimum, create two Azure NetApp Files accounts in the Premium tier, in two regions.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": "Low", - "text": "If more than 5000 nodes are required for scalability then consider using an additional AKS cluster", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "High", + "text": 
"Native database replication technology should be used to synchronize the database in a HA pair.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", - "severity": "Low", - "text": "Consider subscribing to EventGrid Events for AKS automation", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "High", + "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's VNet", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", - "severity": "Low", - "text": "For long running operation on an AKS cluster consider event termination", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "High", + "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. 
When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", - "severity": "Low", - "text": "If required consider using Azure Dedicated Hosts for AKS nodes", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "High", + "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. 
Also, other tools such as SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", "severity": "High", - "text": "Use ephemeral OS disks", - "waf": "Performance" + "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. 
In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "High", - "text": "For non-ephemeral disks, use high IOPS and larger OS disks for the nodes when running many pods/node since it requires high performance for running multiple pods and will generate huge logs with default AKS log rotation thresholds", - "waf": "Performance" + "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. 
For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "Low", - "text": "For hyper performance storage option use Ultra Disks on AKS", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", + "severity": "High", + "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. 
Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", - "severity": "Medium", - "text": "Avoid keeping state in the cluster, and store data outside (AzStorage, AzSQL, Cosmos, etc)", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "severity": "High", + "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. 
Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", - "severity": "Medium", - "text": "If using AzFiles Standard, consider AzFiles Premium and/or ANF for performance reasons", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", + "severity": "High", + "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. 
We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", - "severity": "Medium", - "text": "If using Azure Disks and AZs, consider having nodepools within a zone for LRS disk with VolumeBindingMode:WaitForFirstConsumer for provisioning storage in right zone or use ZRS disk for nodepools spanning multiple zones", - "waf": "Performance" + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", + "severity": "High", + "text": "Make sure the Floating IP is enabled on the Load balancer", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", "severity": "High", - "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and logging.", + "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine 
whether to deploy with an Azure availability set or an availability zone.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Key Vault", - "severity": "Medium", - "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", + "severity": "High", + "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", - "service": "Key Vault", - "severity": "Medium", - "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. 
Familiarize yourself with the Key Vault's data replication.", + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "High", + "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "severity": "Medium", - "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. Familiarize yourself with the Key Vault's failover guidance.", + "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", - "service": "Key Vault", - "severity": "Medium", - "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. 
This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. Familiarize yourself with the Key Vault's backup and restore guidance.", + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "High", + "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. The default number of fault domains is two, and you can't change it online later.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "High", - "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", + "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group.", "waf": "Reliability" }, { - "arm-service": 
"Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "Key Vault", - "severity": "Low", - "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. Familiarize yourself with the Key Vault's soft-delete guidance.", + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "High", + "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Low", - "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "High", + "text": "Use one of the following services to run SAP central services clusters, depending on the operating system.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", - "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", - "service": "Key Vault", - "severity": "Low", - "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", + "severity": "Medium", + "text": "Azure doesn't currently support combining ASCS and DB HA in the same Linux Pacemaker cluster; separate them into individual clusters. 
However, you can combine up to five multiple central-services clusters into a pair of VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Key Vault", - "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "Medium", - "text": "Purge protection is recommended when using keys for encryption to prevent data loss. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.", + "text": "Deploy both VMs in the high-availability pair in an availability set or in availability zones. 
These VMs should be the same size and have the same storage configuration.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Apply guidance from the Microsoft cloud security benchmark related to Storage", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", "severity": "Medium", - "text": "Consider the 'Azure security baseline for storage'", - "waf": "Security" + "text": "Azure supports installing and configuring SAP HANA and ASCS/SCS and ERS instances on the same high availability cluster running on Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Azure Storage by default has a public IP address and is Internet-reachable. 
Private endpoints allow to securely expose Azure Storage only to those Azure Compute resources that need access, thus eliminating exposure to the public Internet", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "High", - "text": "Consider using private endpoints for Azure Storage", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Newly created storage accounts are created using the ARM deployment model, so that RBAC, auditing etc. are all enabled. Ensure that there are no old storage accounts with classic deployment model in a subscription", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", - "severity": "Medium", - "text": "Ensure older storage accounts are not using 'classic deployment model'", - "waf": "Security" + "text": "Run all production systems on Premium managed SSDs and use Azure NetApp Files or Ultra Disk Storage. 
At least the OS disk should be on the Premium tier so you can achieve better performance and the best SLA.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "Leverage Microsoft Defender to learn about suspicious activity and misconfigurations.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", "severity": "High", - "text": "Enable Microsoft Defender for all of your storage accounts", - "waf": "Security" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "description": "The soft-delete mechanism allows to recover accidentally deleted blobs.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", - "severity": "Medium", - "text": "Enable 'soft delete' for blobs", - "waf": "Security" + "text": "You should run SAP HANA on Azure only on the types of storage that are certified by SAP. Note that certain volumes must be run on certain disk configurations, where applicable. These configurations include enabling Write Accelerator and using Premium storage. 
You also need to ensure that the file system that runs on storage is compatible with the DBMS that runs on the machine.",
+ "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. ",
- "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
- "service": "Azure Storage",
- "severity": "Medium",
- "text": "Disable 'soft delete' for blobs",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Consider configuring high availability depending on the type of storage you use for your SAP workloads. 
Some storage services available in Azure are not supported by Azure Site Recovery, so your high availability configuration may differ.",
+ "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Soft delete for containers enables you to recover a container after it has been deleted, for example recover from an accidental delete operation.",
- "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
+ "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
 "severity": "High",
- "text": "Enable 'soft delete' for containers",
- "waf": "Security"
+ "text": "Different native Azure storage services (like Azure Files, Azure NetApp Files, Azure Shared Disk) may not be available in all regions. So to have similar SAP setup on the DR region after failover, ensure the respective storage service is offered in DR site.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Consider selectively disabling 'soft delete' for certain blob containers, for example if the application must ensure that deleted information is immediately deleted, e.g. for confidentiality, privacy or compliance reasons. 
",
- "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Disable 'soft delete' for containers",
- "waf": "Security"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Prevents accidental deletion of a storage account, by forcing the user to first remove the deletion lock, prior to deletion",
- "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64",
- "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
- "service": "Azure Storage",
- "severity": "High",
- "text": "Enable resource locks on storage accounts",
- "waf": "Security"
+ "text": "Automate SAP System Start-Stop to manage costs.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Consider 'legal hold' or 'time-based retention' policies for blobs, so that is is impossible to delete the blob, the container, or the storage account. 
Please note that 'impossible' actually means 'impossible'; once a storage account contains an immutable blob, the only way to 'get rid' of that storage account is by cancelling the Azure subscription.",
- "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956",
- "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview",
- "service": "Azure Storage",
- "severity": "High",
- "text": "Consider immutable blobs",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "In the case of using Azure Premium Storage with SAP HANA, Azure Standard SSD storage can be used to select a cost-conscious storage solution. However, please note that choosing Standard SSD or Standard HDD Azure storage will affect the SLA of the individual VMs. Also, for systems with lower I/O throughput and low latency, such as non-production environments, lower series VMs can be used.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Consider disabling unprotected HTTP/80 access to the storage account, so that all data transfers are encrypted, integrity protected, and the server is authenticated. ",
- "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer",
- "service": "Azure Storage",
- "severity": "High",
- "text": "Require HTTPS, i.e. 
disable port 80 on the storage account",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "As a lower-cost alternative configuration (multipurpose), you can choose a low-performance SKU for your non-production HANA database server VMs. However, it is important to note that some VM types, such as E-series, are not HANA certified (SAP HANA Hardware Directory) or cannot achieve storage latency of less than 1ms.",
+ "waf": "Cost"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "When configuring a custom domain (hostname) on a storage account, check whether you need TLS/HTTPS; if so, you might have to put Azure CDN in front of your storage account.",
- "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e",
- "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
+ "service": "SAP",
 "severity": "High",
- "text": "When enforcing HTTPS (disabling HTTP), check that you do not use custom domains (CNAME) for the storage account.",
+ "text": "Enforce a RBAC model for management groups, subscriptions, resource groups and resources",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of credential loss.",
- "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff",
- "link": 
"https://learn.microsoft.com/azure/storage/common/storage-sas-overview",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "45911475-e39e-4530-accc-d979366bcda2",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Limit shared access signature (SAS) tokens to HTTPS connections only",
+ "text": "Enforce Principal propagation for forwarding the identity from SAP cloud application to SAP on-premises (Including IaaS) through cloud connector",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "AAD tokens should be favored over shared access signatures, wherever possible",
- "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4",
- "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access",
- "service": "Azure Storage",
- "severity": "High",
- "text": "Use Azure Active Directory (Azure AD) tokens for blob access",
+ "checklist": "SAP Checklist",
+ "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement SSO to SAP SaaS applications like SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics and SAP C4C with Azure AD using SAML.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "When assigning a role to a user, group, or application, grant that security principal only those permissions that are necessary for them to perform their tasks. 
Limiting access to resources helps prevent both unintentional and malicious misuse of your data.",
- "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Least privilege in IaM permissions",
+ "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS is analogous to a service SAS in terms of its scope and function, but offers security benefits over the service SAS. 
",
- "guid": "55461e1a-3e34-453a-9c86-39648b652d6c",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas",
- "service": "Azure Storage",
- "severity": "High",
- "text": "When using SAS, prefer 'user delegation SAS' over storage-account-key based SAS.",
+ "checklist": "SAP Checklist",
+ "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Implement SSO to SAP NetWeaver-based web applications like SAP Fiori and SAP Web GUI by using SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Storage account keys ('shared keys') have very little audit capabilities. While it can be monitored on who/when fetched a copy of the keys, once the keys are in the hands of multiple people, it is impossible to attribute usage to a specific user. Solely relying on AAD authentication makes it easier to tie storage access to a user. 
",
- "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21",
- "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key",
- "service": "Azure Storage",
- "severity": "High",
- "text": "Consider disabling storage account keys, so that only AAD access (and user delegation SAS) is supported.",
+ "checklist": "SAP Checklist",
+ "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Use Activity Log data to identify 'when', 'who', 'what' and 'how' the security of your storage account is being viewed or changed (i.e. storage account keys, access policies, etc.).",
- "guid": "d7999a64-6f43-489a-af42-c78e78c06a73",
- "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity",
- "service": "Azure Storage",
- "severity": "High",
- "text": "Consider using Azure Monitor to audit control plane operations on the storage account",
+ "checklist": "SAP Checklist",
+ "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. 
For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A key expiration policy enables you to set a reminder for the rotation of the account access keys. The reminder is displayed if the specified interval has elapsed and the keys have not yet been rotated.",
- "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
+ "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
+ "service": "SAP",
 "severity": "Medium",
- "text": "When using storage account keys, consider enabling a 'key expiration policy'",
+ "text": "For SSO for SAP GUI and web browser access, implement SNC / Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A SAS expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. 
When a user generates service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning.",
- "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf",
- "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "16785d6f-a96c-496a-b885-18f482734c88",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Consider configuring an SAS expiration policy",
+ "text": "Implement SSO by using OAuth for SAP NetWeaver to allow third-party or custom applications to access SAP NetWeaver OData services.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. 
",
- "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
- "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Consider linking SAS to a stored access policy",
+ "text": "Implement SSO to SAP HANA",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
- "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Consider configuring your application's source code repository to detect checked-in connection strings and storage account keys.",
+ "text": "Consider Azure AD an identity provider for SAP systems hosted on RISE. For more information, see Integrating the Service with Azure AD.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Ideally, your application should be using a managed identity to authenticate to Azure Storage. 
If that is not possible, consider having the storage credential (connection string, storage account key, SAS, service principal credential) in Azure KeyVault or an equivalent service.",
- "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
- "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys",
- "service": "Azure Storage",
- "severity": "High",
- "text": "Consider storing connection strings in Azure KeyVault (in scenarios where managed identities are not possible)",
+ "checklist": "SAP Checklist",
+ "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
+ "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "For applications that access SAP, you might want to use principal propagation to establish SSO.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. 
Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.",
- "guid": "27138b82-1102-4cac-9eae-01e6e842e52f",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Azure Storage",
- "severity": "High",
- "text": "Strive for short validity periods for ad-hoc SAS",
+ "checklist": "SAP Checklist",
+ "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), consider implementing SSO between SAP Cloud Identity Authentication Services and Azure AD to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Azure AD as the central user store and identity provider.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "When creating a SAS, be as specific and restrictive as possible. 
Prefer a SAS for a single resource and operation over a SAS which gives much broader access.",
- "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c",
- "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Apply a narrow scope to a SAS",
+ "text": "Implement SSO to SAP BTP",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A SAS can include parameters on which client IP addresses or address ranges are authorized to request a resource using the SAS. ",
- "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a",
- "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Consider scoping SAS to a specific client IP address, wherever possible",
+ "text": "If you're using SAP SuccessFactors, consider using the Azure AD automated user provisioning. With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Azure AD. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Azure AD. 
Use write-back of the email address to SAP SuccessFactors.",
 "waf": "Security"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "A SAS cannot constrain how much data a client uploads; given the pricing model of amount of storage over time, it might make sense to validate whether clients uploaded maliciously large contents.",
- "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e",
- "service": "Azure Storage",
- "severity": "Low",
- "text": "Consider checking uploaded data, after clients used a SAS to upload a file. ",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "enforce existing Management Group policies to SAP Subscriptions",
+ "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "When accessing blob storage via SFTP using a 'local user account', the 'usual' RBAC controls do not apply. Blob access via NFS or REST might be more restrictive than SFTP access. 
Unfortunately, as of early 2023, local users are the only form of identity management that is currently supported for the SFTP endpoint",
- "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
 "severity": "High",
- "text": "SFTP: Limit the amount of 'local users' for SFTP access, and audit whether access is needed over time.",
- "waf": "Security"
+ "text": "Integrate tightly coupled applications into the same SAP subscription to avoid additional routing and management complexity",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization",
- "service": "Azure Storage",
- "severity": "Medium",
- "text": "SFTP: The SFTP endpoint does not support POSIX-like ACLs.",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Leverage Subscription as scale unit and scaling our resources, consider deploying subscription per environment eg. 
Sandbox, non-prod, prod ",
+ "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Storage supports CORS (Cross-Origin Resource Sharing), i.e. an HTTP feature that enables web apps from a different domain to loosen the same-origin policy. When enabling CORS, keep the CorsRules to the least privilege.",
- "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3",
- "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
+ "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
+ "service": "SAP",
 "severity": "High",
- "text": "Avoid overly broad CORS policies",
- "waf": "Security"
+ "text": "Ensure quota increase as a part of subscription provisioning (e.g. total available VM cores within a subscription)",
+ "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Data at rest is always encrypted server-side, and in addition might be encrypted client-side as well. Server-side encryption might happen using a platform-managed key (default) or customer-managed key. Client-side encryption might happen by either having the client supply an encryption/decryption key on a per-blob basis to Azure storage, or by completely handling encryption on the client-side. 
thus not relying on Azure Storage at all for confidentiality guarantees.",
- "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
+ "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "The Quota API is a REST API that you can use to view and manage quotas for Azure services. Consider using it if necessary.",
+ "waf": "Operations"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
+ "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
+ "service": "SAP",
 "severity": "High",
- "text": "Determine how data at rest should be encrypted. Understand the thread model for data.",
- "waf": "Security"
+ "text": "If deploying to an availability zone, ensure that the VM's zone deployment is available once the quota has been approved. 
Submit a support request with the subscription, VM series, number of CPUs and availability zone required.",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6",
- "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json",
- "service": "Azure Storage",
- "severity": "Medium",
- "text": "Determine which/if platform encryption should be used.",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
+ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Ensure required services and features are available within the chosen deployment regions eg. ANF , Zone etc.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29",
- "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Determine which/if client-side encryption should be used.",
- "waf": "Security"
+ "text": "Leverage Azure resource tag for cost categorization and resource grouping (: BillTo, Department (or Business Unit), Environment (Production, Stage, Development), Tier (Web Tier, Application Tier), Application Owner, ProjectName)",
+ "training": 
"https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "waf": "Operations"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "description": "Leverage Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) to find storage accounts which allow anonymous blob access.",
- "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012",
- "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account",
- "service": "Azure Storage",
+ "checklist": "SAP Checklist",
+ "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
 "severity": "High",
- "text": "Consider whether public blob access is needed, or whether it can be disabled for certain storage accounts. ",
- "waf": "Security"
+ "text": "Help protect your HANA database by using the Azure Backup service.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Storage Review Checklist",
- "guid": "cb8eb8c0-aa62-4a25-a495-6eaa8dc4a243",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-account-upgrade?tabs=azure-portal",
- "service": "Azure Storage",
- "severity": "High",
- "text": "Leverage a storagev2 account type for better performance and reliability",
+ "checklist": "SAP Checklist",
+ "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "If you deploy Azure NetApp Files for your HANA, Oracle, or DB2 database, use the Azure Application 
Consistent Snapshot tool (AzAcSnap) to take application-consistent snapshots. AzAcSnap also supports Oracle databases. Consider using AzAcSnap on a central VM rather than on individual VMs.", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "e05bbe20-9d49-4fda-9777-8424d116785c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "severity": "High", - "text": "Leverage GRS, ZRS or GZRS storage for the highest availability", - "waf": "Reliability" + "text": "Ensure time-zone matches between the operating system and the SAP system.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "2fa56c56-ad48-4408-be72-734c486ba280", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", "severity": "Medium", - "text": "For write operation after failover, use customer-Managed Failover ", + "text": "Don't group different application services in the same cluster. For example, don't combine DRBD and central services clusters on the same cluster. 
However, you can use the same Pacemaker cluster to manage approximately five different central services (multi-SID cluster).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "dc0590cf-65de-48e1-909c-cbd579266bcc", - "link": "https://learn.microsoft.com/azure/storage/common/storage-disaster-recovery-guidance#microsoft-managed-failover", - "service": "Azure Storage", - "severity": "Medium", - "text": "Understand Microsoft-Managed Failover details", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", + "severity": "Low", + "text": "Consider running dev/test systems in a snooze model to save and optimize Azure run costs.", + "waf": "Cost" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Storage Review Checklist", - "guid": "a274faa1-abfe-49d5-9d04-c3c4919cb1b3", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", "severity": "Medium", - "text": "Enable Soft Delete", - "waf": "Reliability" + "text": "If you partner with customers by managing their SAP estates, consider Azure Lighthouse. Azure Lighthouse allows managed service providers to use Azure native identity services to authenticate to the customers' environment. 
It puts the control in the hands of customers, because they can revoke access at any time and audit service providers' actions.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachineScaleSets", - "checklist": "Resiliency Review", - "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", - "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", - "service": "VMSS", - "severity": "Low", - "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", + "severity": "Medium", + "text": "Use Azure Update Manager to check the status of available updates for a single VM or multiple VMs and consider scheduling regular patching.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", - "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", - "service": "VM", - "severity": "High", - "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", + "severity": "Low", + "text": "Optimize and manage SAP Basis operations by using SAP Landscape Management (LaMa). Use the SAP LaMa connector for Azure to relocate, copy, clone, and refresh SAP systems.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", - "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "VM", - "severity": "High", - "text": "Use Premium or Ultra disks for production VMs", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", + "severity": "Medium", + "text": "Use Azure Monitor for SAP solutions to monitor your SAP workloads(SAP HANA, high-availability SUSE clusters, and SQL systems) on Azure. 
Consider supplementing Azure Monitor for SAP solutions with SAP Solution Manager.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", - "guid": "b31e38c3-f298-412b-8363-cffe179b599d", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "severity": "High", - "text": "Ensure Managed Disks are used for all VMs", - "waf": "Reliability" + "text": "Run a VM Extension for SAP check. VM Extension for SAP uses the assigned managed identity of a virtual machine (VM) to access VM monitoring and configuration data. The check ensures that all performance metrics in your SAP application come from the underlying Azure Extension for SAP.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. 
Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", - "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", - "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "severity": "Medium", - "text": "Do not use the Temp disk for anything that is not acceptable to be lost", - "waf": "Reliability" + "text": "Use Azure Policy for access control and compliance reporting. Azure Policy provides the ability to enforce organization-wide settings to ensure consistent policy adherence and fast violation detection. ", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", - "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", "severity": "Medium", - "text": "Leverage Availability Zones for your VMs in regions where they are supported", - "waf": "Reliability" + "text": "Use Connection Monitor in Azure Network Watcher to monitor latency metrics for SAP databases and application servers. 
Or collect and display network latency measurements by using Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "Operations" }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", - "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "VM", + { + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", "severity": "Medium", - "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", - "waf": "Reliability" + "text": "Perform a quality check for SAP HANA on the provisioned Azure infrastructure to verify that provisioned VMs comply with SAP HANA on Azure best practices.", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", - "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "High", - "text": "Avoid running a production workload on a single VM", - "waf": "Reliability" + "text": "For each Azure subscription, run a latency test on Azure availability zones before zonal 
deployment to choose low-latency zones for deployment of SAP on Azure.", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "Performance" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", - "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", - "severity": "High", - "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", + "severity": "Medium", + "text": "Run the Resiliency Report to ensure that the configuration of the entire provisioned Azure infrastructure (Compute, Database, Networking, Storage, Site Recovery) complies with the configuration defined by Cloud Adaption Framework for Azure.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", - "guid": "bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", - "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", - "service": "VM", - "severity": "Low", - "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": 
"86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", + "severity": "Medium", + "text": "Implement threat protection by using the Microsoft Sentinel solution for SAP. Use this solution to monitor your SAP systems and detect sophisticated threats throughout the business logic and application layers.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "waf": "Security" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", - "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", - "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", "severity": "Medium", - "text": "Increase quotas in DR region before testing failover with ASR", - "waf": "Reliability" + "text": "Azure tagging can be leveraged to logically group and track resources, automate their deployments, and most importantly, provide visibility on the incurred costs.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "Scheduled Events is an Azure Metadata Service that provides information about upcoming maintenance events for virtual machines (VMs). 
By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.", - "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87", - "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", "severity": "Low", - "text": "Utilize Scheduled Events to prepare for VM maintenance", - "waf": "Reliability" + "text": "Use inter-VM latency monitoring for latency-sensitive applications.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. 
For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.", - "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "Medium", - "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements", + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.", - "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "Low", - "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "Medium", + "text": "Exclude all the database file systems and executable programs from antivirus scans. Including them could lead to performance problems. Check with the database vendors for prescriptive details on the exclusion list. 
For example, Oracle recommends excluding /oracle//sapdata from antivirus scans.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.", - "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", "severity": "Low", - "text": "Enable soft delete for Storage Account Containers", - "waf": "Reliability" + "text": "Consider collecting full database statistics for non-HANA databases after migration. For example, implement SAP note 1020260 - Delivery of Oracle statistics.", + "waf": "Performance" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Resiliency Review", - "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.", - "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "Low", - "text": "Enable soft delete for blobs", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", + "severity": "Medium", + "text": "Consider using Oracle Automatic Storage Management (ASM) for all Oracle deployments that use SAP on Azure.", + "training": 
"https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "Performance" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.", - "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about", - "service": "Azure Backup", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "severity": "Medium", - "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery", - "waf": "Reliability" + "text": "For SAP on Azure running Oracle, a collection of SQL scripts can help you diagnose performance problems. Automatic Workload Repository (AWR) reports contain valuable information for diagnosing problems in the Oracle system. 
We recommend that you run an AWR report during several sessions and choose peak times for it, to ensure broad coverage for the analysis.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "Performance" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.", - "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae", - "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept", - "service": "Azure Backup", - "severity": "Low", - "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "High", + "text": "Use Azure Site Recovery monitoring to maintain the health of the disaster recovery service for SAP application servers.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Resiliency Review", - "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. 
This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.", - "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e", - "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault", - "service": "Azure Backup", - "severity": "Low", - "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", + "severity": "Medium", + "text": "For secure delivery of HTTP/S apps, use Application Gateway v2 and ensure that WAF protection and policies are enabled.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "waf": "Security" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Resiliency Review", - "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.", - "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146", - "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover", - "service": "DNS", - "severity": "Low", - "text": "Implement DNS Failover using Azure DNS Private Resolvers", - "waf": "Reliability" + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", + "severity": "Medium", + "text": "If the virtual machine's DNS or virtual name is not changed during migration to Azure, Background DNS and virtual names connect many system interfaces in the SAP landscape, and customers are only sometimes aware of the interfaces that developers define over time. Connection challenges arise between various systems when virtual or DNS names change after migrations, and it's recommended to retain DNS aliases to prevent these types of difficulties.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operations" }, { - "arm-service": "Microsoft.PowerBI/gateways", - "checklist": "Resiliency Review", - "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.", - "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103", - "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters", - "service": "Data Gateways", + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Medium", - "text": "Use on-premises data gateway clusters to 
ensure high availability for business-critical data", + "text": "Use different DNS zones to distinguish each environment (sandbox, development, preproduction, and production) from each other. The exception is for SAP deployments with their own VNet; here, private DNS zones might not be necessary.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operations" + }, + { + "checklist": "SAP Checklist", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", + "severity": "Medium", + "text": "Local and global VNet peering provide connectivity and are the preferred approaches to ensure connectivity between landing zones for SAP deployments across multiple Azure regions", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", "waf": "Reliability" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Resiliency Review", - "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. 
The vendor should also provide the necessary NVA configuration for seamless integration in Azure.", - "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "severity": "High", - "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability", - "waf": "Reliability" + "text": "It is not supported to deploy any NVA between SAP application and SAP Database server", + "training": "https://me.sap.com/notes/2731110", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", "severity": "Medium", - "text": "If you use customer-managed TLS certificates with Azure Front Door, use the 'Latest' certificate version. Reduce the risk of outages caused by manual certificate renewal", + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", "severity": "Medium", - "text": "Ensure you are using Application Gateway v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "text": "Consider deploying network virtual appliances (NVAs) between regions only if partner NVAs are used. NVAs between regions or VNets aren't required if native NVAs are present. 
When you're deploying partner networking technologies and NVAs, follow the vendor's guidance to verify conflicting configurations with Azure networking.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", "severity": "Medium", - "text": "Ensure you are using the Standard SKU for your Azure Load Balancers", - "waf": "Security" + "text": "Virtual WAN manages connectivity between spoke VNets for virtual-WAN-based topologies (no need to set up user-defined routing [UDR] or NVAs), and maximum network throughput for VNet-to-VNet traffic in the same virtual hub is 50 gigabits per second. 
If necessary, SAP landing zones can use VNet peering to connect to other landing zones and overcome this bandwidth limitation.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", - "severity": "Medium", - "text": "Ensure your Load Balancers frontend IP addresses are zone-redundant (unless you require zonal frontends).", + "checklist": "SAP Checklist", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "High", + "text": "Public IP assignment to VM running SAP Workload is not recommended.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or 
subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", - "severity": "Medium", - "text": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", + "severity": "High", + "text": "Consider reserving IP address on DR side when configuring ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "description": "Administration of reverse proxies in general and WAF in particular is closer to the application than to networking, so they belong in the same subscription as the app. 
Centralizing the Application Gateway and WAF in the connectivity subscription might be OK if it is managed by one single team.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", - "severity": "Medium", - "text": "Deploy Azure Application Gateway v2 or partner NVAs used for proxying inbound HTTP(S) connections within the landing-zone virtual network and with the apps that they're securing.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "High", + "text": "Avoid using overlapping IP address ranges for production and DR sites.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "severity": "Medium", - "text": "Use a DDoS Network or IP protection plans for all Public IP addresses in application landing zones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Security" + "text": "While Azure does help you to create multiple delegated subnets in a VNet, only one delegated subnet can exist in a VNet for Azure NetApp Files. 
Attempts to create a new volume will fail if you use more than one delegated subnet for Azure NetApp Files.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "Operations" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "Medium", - "text": "Configure autoscaling with a minimum amount of instances of two.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" + "text": "Use Azure Firewall to govern Azure outbound traffic to the internet, non-HTTP/S inbound connections, and East/West traffic filtering (if the organization requires it)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "waf": "Security" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": 
"https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "severity": "Medium", - "text": "Deploy Application Gateway across Availability Zones", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Reliability" + "text": "Application Gateway and Web Application Firewall have limitations when Application Gateway serves as a reverse proxy for SAP web apps, as shown in the comparison between Application Gateway, SAP Web Dispatcher, and other third-party services.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", + "service": "SAP", "severity": "Medium", - "text": "Use Azure Front Door with WAF policies to deliver and help protect global HTTP/S apps that span multiple Azure regions.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": 
"Front Door", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "severity": "Medium", - "text": "When using Front Door and Application Gateway to help protect HTTP/S apps, use WAF policies in Front Door. Lock down Application Gateway to receive traffic only from Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Take advantage of Web Application Firewall policies in Azure Front Door when you're using Azure Front Door and Application Gateway to protect HTTP/S applications. Lock down Application Gateway to receive traffic only from Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Security" }, { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", - "severity": "High", - "text": "Use Traffic Manager to deliver global apps that span protocols other than HTTP/S.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Reliability" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "Low", - "text": "If users only need access to internal applications, has Microsoft Entra ID Application Proxy been considered as an alternative to Azure Virtual Desktop (AVD)?", - "training": 
"https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "service": "SAP", + "severity": "Medium", + "text": "Use a web application firewall to scan your traffic when it's exposed to the internet. Another option is to use it with your load balancer or with resources that have built-in firewall capabilities like Application Gateway or third-party solutions.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Security" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "severity": "Medium", - "text": "To reduce the number of firewall ports open for incoming connections in your network, consider using Microsoft Entra ID Application Proxy to give remote users secure and authenticated access to internal applications.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Security" + "text": "Use Virtual WAN for Azure deployments in new, large, or global networks where you need global transit connectivity across Azure regions and on-premises locations. 
With this approach, you won't need to manually set up transitive routing for Azure networking, and you can follow a standard for SAP on Azure deployments.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "Performance" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", - "severity": "High", - "text": "Deploy your WAF policy for Front Door in 'Prevention' mode.", + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", + "severity": "Medium", + "text": "To prevent data leakage, use Azure Private Link to securely access platform as a service resources like Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, and more. Azure Private Endpoint can also help to secure traffic between VNets and services like Azure Storage, Azure Backup, and more. 
Traffic between your VNet and the Private Endpoint enabled service travels across the Microsoft global network, which prevents its exposure to the public internet.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", "waf": "Security" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "severity": "High", - "text": "Avoid combining Azure Traffic Manager and Azure Front Door.", - "waf": "Security" + "text": "Make sure that Azure accelerated networking is enabled on the VMs used in the SAP application and DBMS layers.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Performance" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", - "severity": "High", - "text": "Use the same domain name on Azure Front Door and your origin. 
Mismatched host names can cause subtle bugs.", + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", + "severity": "Medium", + "text": "Make sure that internal deployments for Azure Load Balancer are set up to use Direct Server Return (DSR). This setting (Enabling Floating IP) will reduce latency when internal load balancer configurations are used for high-availability configurations on the DBMS layer.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Security" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "Low", - "text": "Disable health probes when there is only one origin in an Azure Front Door origin group.", + "checklist": "SAP Checklist", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + 
"service": "SAP", + "severity": "Medium", + "text": "You can use application security group (ASG) and NSG rules to define network security access-control lists between the SAP application and DBMS layers. ASGs group virtual machines to help manage their security.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "waf": "Security" + }, + { + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "High", + "text": "Placing of the SAP application layer and SAP DBMS in different Azure VNets that aren't peered isn't supported.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "Medium", - "text": "Select good health probe endpoints for Azure Front Door. 
Consider building health endpoints that check all of your application's dependencies.", - "waf": "Reliability" + "text": "For optimal network latency with SAP applications, consider using Azure proximity placement groups.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", - "severity": "Low", - "text": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application.", + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "High", + "text": "It is NOT supported at all to run an SAP Application Server layer and DBMS layer split between on-premise and Azure. 
Both layers need to completely reside either on-premise or in Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "waf": "Performance" }, { - "ammp": true, - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "High", - "text": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability", - "waf": "Reliability" + "text": "It isn't recommended to host the database management system (DBMS) and application layers of SAP systems in different VNets and connect them with VNet peering because of the substantial costs that excessive network traffic between the layers can produce. 
Recommend using subnets within the Azure virtual network to separate the SAP application layer and DBMS layer.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Cost" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "severity": "High", - "text": "Use managed TLS certificates with Azure Front Door. 
Reduce operational cost and risk of outages due to certificate renewals.", - "waf": "Operations" + "text": "If using Load Balancer with Linux guest operating systems, check that the Linux network parameter net.ipv4.tcp_timestamps is set to 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Performance" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "severity": "Medium", - "text": "Define your Azure Front Door WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.", - "waf": "Operations" + "text": "For SAP RISE/ECS deployments, virtual peering is the preferred way to establish connectivity with customer's existing Azure environment. Both the SAP vnet and customer vnet(s) are protected with network security groups (NSG), enabling communication on SAP and database ports through the vnet peering", + "waf": "Security" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "severity": "High", - "text": "Use end-to-end TLS with Azure Front Door. 
Use TLS for connections from your clients to Front Door, and from Front Door to your origin.", - "waf": "Security" + "text": "Review SAP HANA database backups for Azure VMs.", + "waf": "Cost" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "Medium", - "text": "Use HTTP to HTTPS redirection with Azure Front Door. Support older clients by redirecting them to an HTTPS request automatically.", - "waf": "Security" + "text": "Review Site Recovery built-in monitoring, where used for SAP.", + "waf": "Cost" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", "severity": "High", - "text": "Enable the Azure Front Door WAF. 
Protect your application from a range of attacks.", - "waf": "Security" + "text": "Review the Monitoring the SAP HANA System Landscape guidance.", + "waf": "Operations" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", - "severity": "High", - "text": "Tune the Azure Front Door WAF for your workload. Reduce false positive detections.", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", + "severity": "Medium", + "text": "Review Oracle Database in Azure Linux VM backup strategies.", + "waf": "Operations" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", - "severity": "High", - "text": "Enable request body inspection feature enabled in Azure Front Door WAF policy.", - "waf": "Security" + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", + "severity": "Medium", + "text": "Review the use of Azure Blob Storage with SQL Server 2016.", + "waf": "Operations" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - 
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets",
- "service": "Front Door",
- "severity": "High",
- "text": "Enable the Azure Front Door WAF default rule sets. The default rule sets detect and block common attacks.",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "b82e650f-676d-417d-994d-fc33ca54ec14",
+ "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Review the use of Automated Backup v2 for Azure VMs.",
+ "waf": "Operations"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d",
+ "service": "SAP",
 "severity": "High",
- "text": "Enable the Azure Front Door WAF bot protection rule set. The bot rules detect good and bad bots.",
- "waf": "Security"
+ "text": "Enabling Write accelerator for M series when using premium disks(V1)",
+ "waf": "Operations"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use the latest Azure Front Door WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.",
- "waf": "Security"
+ "text": "Test availability zone latency.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d",
+ "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Add rate limiting to the Azure Front Door WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.",
- "waf": "Security"
+ "text": "Activate SAP EarlyWatch Alert for all SAP components.",
+ "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use a high threshold for Azure Front Door WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ",
- "waf": "Security"
- },
- {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
- "service": "Front Door",
- "severity": "Low",
- "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.",
- "waf": "Security"
+ "text": "Review SAP application server to database server latency using SAP ABAPMeter report /SSA/CAT.",
+ "training": "https://me.sap.com/notes/0002879613",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Front Door WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.",
- "waf": "Security"
- },
- {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
- "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
- "service": "App Gateway",
- "severity": "High",
- "text": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots.",
- "waf": "Security"
+ "text": "Review SQL Server performance monitoring using CCMS.",
+ "waf": "Performance"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
- "service": "App Gateway",
- "severity": "High",
- "text": "Enable request body inspection feature enabled in Azure Application Gateway WAF policy.",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390",
+ "link": "https://me.sap.com/notes/500235",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Test network latency between SAP application layer VMs and DBMS VMs (NIPING).",
+ "training": "https://me.sap.com/notes/1100926/E",
+ "waf": "Performance"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
- "service": "App Gateway",
- "severity": "High",
- "text": "Tune the Azure Application Gateway WAF for your workload. Reduce false positive detections.",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43",
+ "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Review SAP HANA studio alerts.",
+ "waf": "Performance"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
- "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "App Gateway",
- "severity": "High",
- "text": "Deploy your WAF policy for Application Gateway in 'Prevention' mode.",
- "waf": "Security"
+ "checklist": "SAP Checklist",
+ "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694",
+ "link": "https://me.sap.com/notes/1969700",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Perform SAP HANA health checks using HANA_Configuration_Minichecks.",
+ "waf": "Performance"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Add rate limiting to the Azure Application Gateway WAF. Rate limiting blocks clients accidentally or intentionally sending large amounts of traffic in a short period of time.",
+ "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.",
+ "training": "https://learn.microsoft.com/azure/automation/update-management/overview",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "08951710-79a2-492a-adbc-06d7a401545b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Use a high threshold for Azure Application Gateway WAF rate limits. High rate limit thresholds avoid blocking legitimate traffic, while still providing protection against extremely high numbers of requests that might overwhelm your infrastructure. ",
+ "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.",
+ "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "99937189-ff78-492a-b9ca-18d828d82b37",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
+ "service": "SAP",
 "severity": "Low",
- "text": "If you are not expecting traffic from all geographical regions, use geo-filters to block traffic from non-expected countries.",
+ "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account.",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "349a15c1-52f4-4319-9078-3895d95ecafd",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Specify the unknown (ZZ) location when geo-filtering traffic with the Azure Application Gateway WAF. Avoid accidentally blocking legitimate requests when IP addresses can't be geo-matched.",
+ "checklist": "SAP Checklist",
+ "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.",
+ "training": "https://me.sap.com/notes/3019299/E",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Use the latest Azure Application Gateway WAF rule set version. Rule set updates are regularly updated to take account of the current threat landscape.",
+ "checklist": "SAP Checklist",
+ "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Encrypting SAP HANA database servers on Azure uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Add diagnostic settings to save your Azure Application Gateway WAF logs.",
- "waf": "Operations"
+ "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.",
+ "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "Front Door",
- "severity": "Medium",
- "text": "Add diagnostic settings to save your Azure Front Door WAF logs.",
- "waf": "Operations"
+ "checklist": "SAP Checklist",
+ "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Use Azure Key Vault to store your secrets and credentials",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "92664c60-47e3-4591-8b1b-8d557656e686",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "829e2edb-2173-4676-aff6-691b4935ada4",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Send Azure Application Gateway WAF logs to Microsoft Sentinel.",
- "waf": "Operations"
+ "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).",
+ "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "845f5f91-9c21-4674-a725-5ce890850e20",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Send Azure Front Door WAF logs to Microsoft Sentinel.",
- "waf": "Operations"
+ "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Define your Azure Application Gateway WAF configuration as code. By using code, you can more easily adopt new rule set version and gain additional protection.",
- "waf": "Operations"
+ "checklist": "SAP Checklist",
+ "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed",
+ "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Use WAF Policies instead of the legacy WAF configuration.",
- "waf": "Operations"
+ "checklist": "SAP Checklist",
+ "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "High",
+ "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. Follow your DBMS vendor's recommendations when excluding target files.",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
- "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Filter inbound traffic in the backends so that they only accept connections from the Application Gateway subnet, for example with NSGs.",
+ "checklist": "SAP Checklist",
+ "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.",
+ "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1",
- "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions",
- "service": "Front Door",
- "severity": "Medium",
- "text": "Make sure your origins only take traffic from your Azure Front Door instance.",
+ "checklist": "SAP Checklist",
+ "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS",
+ "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2",
- "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
- "service": "App Gateway",
- "severity": "High",
- "text": "You should encrypt traffic to the backend servers.",
+ "checklist": "SAP Checklist",
+ "guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal",
+ "service": "SAP",
+ "severity": "Medium",
+ "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
+ "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices",
+ "service": "SAP",
 "severity": "High",
- "text": "You should use a Web Application Firewall.",
+ "text": "Use an Azure Key Vault per application per environment per region.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2",
- "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Redirect HTTP to HTTPS",
+ "checklist": "SAP Checklist",
+ "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c",
+ "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
+ "service": "SAP",
+ "severity": "High",
+ "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.",
+ "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f",
- "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Use gateway-managed cookies to direct traffic from a user session to the same server for processing",
- "waf": "Operations"
+ "checklist": "SAP Checklist",
+ "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes",
+ "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
+ "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
+ "service": "SAP",
 "severity": "High",
- "text": "Enable connection draining during planned service updates to prevent connection loss to existing membrs of the backend pool",
+ "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources",
+ "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
- "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
+ "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "service": "SAP",
 "severity": "Low",
- "text": "Create custom error pages to display a personalized user experience",
- "waf": "Operations"
- },
- {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
- "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Edit HTTP requests and response headers for easier routing and information exchange between the client and server",
+ "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.",
+ "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Configure Front Door to optimize global web traffic routing and top-tier end-user performance, and reliability through quick global failover",
- "waf": "Performance"
+ "checklist": "SAP Checklist",
+ "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.",
+ "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "29dcc19f-a8fa-4c35-8281-290577538793",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Use transport layer load balancing",
- "waf": "Performance"
+ "checklist": "SAP Checklist",
+ "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
+ "severity": "High",
+ "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations",
+ "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d",
- "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview",
- "service": "App Gateway",
- "severity": "Medium",
- "text": "Configure routing based on host or domain name for multiple web applications on a single gateway",
+ "checklist": "SAP Checklist",
+ "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "Low",
+ "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.",
+ "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2",
- "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
+ "service": "SAP",
 "severity": "Medium",
- "text": "Centralize SSL certificate management to reduce encryption and decryption overhead from a backend server farm",
+ "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
 "waf": "Security"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9",
- "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
- "service": "App Gateway",
- "severity": "Low",
- "text": "Use Application Gateway for native support for WebSocket and HTTP/2 protocols",
- "waf": "Security"
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
+ "service": "Redis",
+ "severity": "High",
+ "text": "Enable zone redundancy for Azure Cache for Redis. Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.DBforPostgreSQL/servers",
- "checklist": "PostgreSQL Review Checklist",
- "guid": "65285269-441c-44bf-9d3e-0844276d4bdc",
- "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview",
- "service": "PostgreSQL",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
+ "service": "Redis",
 "severity": "Medium",
- "text": "Leverage Flexible Server",
+ "text": "Configure data persistence for an Azure Cache for Redis instance. Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. To avoid losing data completely, Redis persistence allows you to take periodic snapshots of in-memory data, and store it to your storage account.",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.DBforPostgreSQL/servers",
- "checklist": "PostgreSQL Review Checklist",
- "guid": "016ccf31-ae5a-41eb-9888-9535e227896d",
- "link": "https://learn.microsoft.com/azure/postgresql/flexible-server/overview#architecture-and-high-availability",
- "service": "PostgreSQL",
- "severity": "High",
- "text": "Leverage Availability Zones where regionally applicable",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
+ "service": "Redis",
+ "severity": "Medium",
+ "text": "Use Geo-redundant storage account to persist Azure Cache for Redis data, or zonally redundant where geo-redundancy is not available",
 "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.DBforPostgreSQL/servers",
- "checklist": "PostgreSQL Review Checklist",
- "guid": "31b67c67-be59-4519-8083-845d587cb391",
- "link": "https://learn.microsoft.com/azure/postgresql/single-server/concepts-business-continuity#cross-region-read-replicas",
- "service": "PostgreSQL",
+ "arm-service": "microsoft.cache/redis",
+ "checklist": "Redis Resiliency checklist",
+ "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
+ "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
+ "service": "Redis",
 "severity": "Medium",
- "text": "Leverage cross-region read replicas for BCDR",
+ "text": "Configure passive geo-replication for Premium Azure Cache for Redis instances. Geo-replication is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.",
 "waf": "Reliability"
 },
 {
@@ -8017,705 +7976,746 @@ "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", "service": "Azure Data Factory", "severity": "Low", - "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", - "waf": "Reliability" - }, - { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Disable image export to prevent data exfiltration. Note that this will prevent image import of images into another ACR instance.", - "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e", - "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention", - "service": "ACR", - "severity": "High", - "text": "Disable Azure Container Registry image export", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Enable audit compliance visibility by enabling Azure Policy for Azure Container Registry", - "guid": "d503547c-d447-4e82-9128-a7100f1cac6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy", - "service": "ACR", - "severity": "High", - "text": "Enable Azure Policies for Azure Container Registry", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "The Azure Key Vault (AKV) is used to store a signing key that can be utilized by?notation?with the notation AKV plugin (azure-kv) to sign and verify container images and other artifacts. 
The Azure Container Registry (ACR) allows you to attach these signatures using the?az?or?oras?CLI commands.", - "guid": "d345293c-7639-4637-a551-c5c04e401955", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push", - "service": "ACR", - "severity": "High", - "text": "Sign and Verify containers with notation (Notary v2)", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Azure Container Registry automatically encrypts images and other artifacts that you store. By default, Azure automatically encrypts the registry content at rest by using service-managed keys. By using a customer-managed key, you can supplement default encryption with an additional encryption layer.", - "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49", - "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys", - "service": "ACR", - "severity": "Medium", - "text": "Encrypt registry with a customer managed key", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Use managed identities to secure ACRPull/Push RBAC access from client applications", - "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", - "severity": "High", - "text": "Use Managed Identities to connect instead of Service Principals", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "The local Administrator account is disabled by default and should not be enabled. 
Use either Token or RBAC-based access methods instead", - "guid": "be0e38ce-e297-411b-b363-caaab79b198d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity", - "service": "ACR", - "severity": "High", - "text": "Disable local authentication for management plane access", - "waf": "Security" - }, - { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Disable Administrator account and assign RBAC roles to principals for ACR Pull/Push operations", - "guid": "387e5ced-126c-4d13-8af5-b20c6998a646", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli", - "service": "ACR", - "severity": "High", - "text": "Assign AcrPull & AcrPush RBAC roles rather than granting Administrative access to identity principals", - "waf": "Security" + "text": "If using Keyvault integration, use SLA of Keyvault to understand your availablity", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Disable anonymous pull/push access", - "guid": "e338997e-41c7-47d7-acf6-a62a1194956d", - "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access", - "service": "ACR", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "severity": "Medium", - "text": "Disable Anonymous pull access", - "waf": "Security" + "text": "Leverage Flexible Server", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Token authentication doesn't support assignment to 
an AAD principal. Any tokens provided are able to be used by anyone who can access the token", - "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli", - "service": "ACR", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "severity": "High", - "text": "Disable repository-scoped access tokens", - "waf": "Security" + "text": "Leverage Availability Zones where regionally applicable", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Deploy container images to an ACR behind a Private endpoint within a trusted network", - "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee", - "service": "ACR", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", + "severity": "Medium", + "text": "Leverage Data-in replication for cross-region DR scenarios", + "waf": "Reliability" + }, + { + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "6d37a33b-531c-4a91-871a-b69d8044f04e", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "High", - "text": "Deploy images from a trusted environment", - "waf": "Security" + "text": "Familiarize yourself with the Key Vault's best practices such as isolation recommendations, access control, data protection, backup, and 
logging.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Only tokens with an ACR audience can be used for authentication. Used when enabling Conditional access policies for ACR", - "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy", - "service": "ACR", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "7ba4d380-7b9e-4a8b-a0c3-2d8e49c11872", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Key Vault", "severity": "Medium", - "text": "Disable Azure ARM audience tokens for authentication", - "waf": "Security" + "text": "Key Vault is a managed service and Microsoft will handle the failover within and across region. Familiarize yourself with the Key Vault's availability and redundancy.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Set up a diagnostic setting to send 'repositoryEvents' & 'LoginEvents' to Log Analytics as the central destination for logging and monitoring. 
This allows you to monitor control plane activity on the ACR resource itself.", - "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6", - "link": "https://learn.microsoft.com/azure/container-registry/monitor-service", - "service": "ACR", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "17fb86a2-eb45-42a4-9c34-52b92a2a1842", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#data-replication", + "service": "Key Vault", "severity": "Medium", - "text": "Enable diagnostics logging", - "waf": "Security" + "text": "The contents of your key vault are replicated within the region and to a secondary region at least 150 miles away, but within the same geography to maintain high durability of your keys and secrets. Familiarize yourself with the Key Vault's data replication.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Service supports disabling public network access either through using service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public Network Access' toggle switch", - "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link", - "service": "ACR", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "614682ca-6e0c-4f34-9f03-c6d3f2b99a32", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance#failover-across-regions", + "service": "Key Vault", "severity": "Medium", - "text": "Control inbound network access with Private Link", - "waf": "Security" + "text": "During failover, access policy or firewall configurations and settings can't be changed. The key vault will be in read-only mode during failover. 
Familiarize yourself with the Key Vault's failover guidance.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Disable public network access if inbound network access is secured using Private Link", - "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access", - "service": "ACR", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "9ef2b0d2-3206-4c94-b47a-4f07e6a1c509", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#design-considerations", + "service": "Key Vault", "severity": "Medium", - "text": "Disable Public Network access", - "waf": "Security" + "text": "When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and Azure geography. 
Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Only the ACR Premium SKU supports Private Link access", - "guid": "fc833934-8b26-42d6-ac5f-512925498f6d", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus", - "service": "ACR", - "severity": "Medium", - "text": "Use an Azure Container Registry SKU that supports Private Link (Premium SKU)", - "waf": "Security" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "2df045b1-c0f6-47d3-9a9b-99cf6999684e", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", + "severity": "High", + "text": "If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Azure Defender for containers or equivalent service should be used to scan container images for vulnerabilities", - "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction", - "service": "ACR", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "cbfa96b0-5249-4e6f-947c-d0e79509708c", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "Key Vault", "severity": "Low", - "text": "Enable Defender for Containers to scan Azure Container Registry for vulnerabilities", - "waf": "Security" + "text": "Key Vault's soft-deleted resources are retained for a set period of 90 calendar days. 
Familiarize yourself with the Key Vault's soft-delete guidance.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Deploy trusted code that was validated and scanned for vulnerabilities according to DevSecOps practices.", - "guid": "4451e1a2-d345-4293-a763-9637a551c5c0", - "service": "ACR", - "severity": "Medium", - "text": "Deploy validated container images", - "waf": "Security" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "e8659d11-7e02-4db0-848c-c6541dbab68c", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "Low", + "text": "Understand Key Vault's backup limitations. Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. 
It is not possible to delete previous versions of a key, secret, or certificate.", + "waf": "Reliability" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure Container Registry Security Review", - "description": "Use the latest versions of supported platforms, programming languages, protocols, and frameworks.", - "guid": "4e401955-387e-45ce-b126-cd132af5b20c", - "service": "ACR", - "severity": "High", - "text": "Use up-to-date platforms, languages, protocols and frameworks", - "waf": "Security" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "45c25e29-d0ef-4f07-aa04-0f8c64cbcc04", + "link": "https://learn.microsoft.com/azure/key-vault/general/backup?tabs=azure-cli#limitations", + "service": "Key Vault", + "severity": "Low", + "text": "Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually. Familiarize yourself with the Key Vault's backup and restore guidance.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Key Vault", + "guid": "0f15640b-31e5-4de6-85a7-d2c652fa09d3", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview#purge-protection", + "service": "Key Vault", "severity": "Medium", - "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Cost" + "text": "Purge protection is recommended when using keys for encryption to prevent data loss. 
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI, PowerShell or Portal.", + "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "severity": "Medium", - "text": "check backup instances with the underlying datasource not found", - "waf": "Cost" + "arm-service": "Microsoft.Compute/virtualMachineScaleSets", + "checklist": "Resiliency Review", + "description": "Automatic instance repairs ensure that unhealthy instances are promptly identified and replaced, maintaining a set of healthy instances within your scale set.", + "guid": "7e13c105-675c-41e9-95b4-59837ff7ae7c", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs", + "service": "VMSS", + "severity": "Low", + "text": "Enable automatic instance repairs for enhanced VM Scale Sets resiliency", + "waf": "Reliability" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "checklist": "Resiliency Review", + "description": "Ensure that Azure Backup is utilized appropriately to meet your organization's resiliency requirements for Azure virtual machines (VMs).", + "guid": "4d874a74-8b66-42d6-b150-512a66498f6d", + "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-introduction", "service": "VM", - "severity": "Medium", - "text": "Delete or archive unassociated services (disks, nics, ip addresses etc)", - "waf": 
"Cost" + "severity": "High", + "text": "Consider Azure Backup to meet your resiliency requirements for Azure VMs", + "waf": "Reliability" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", - "severity": "Medium", - "text": "Consider a good balance between site recovery storage and backup for non mission critical applications", - "waf": "Cost" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Single Instance VMs using Premium SSD or Ultra Disk for all Operating System Disks and Data Disks are guaranteed to have Virtual Machine Connectivity of at least 99.9%", + "guid": "8052d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "VM", + "severity": "High", + "text": "Use Premium or Ultra disks for production VMs", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "severity": "Medium", - "text": "Check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). 
- consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "Cost" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Azure automatically replicates managed disks within a region to ensure data durability and protect against single-point failures.", + "guid": "b31e38c3-f298-412b-8363-cffe179b599d", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview", + "service": "VM", + "severity": "High", + "text": "Ensure Managed Disks are used for all VMs", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Temporary disks are intended for short-term storage of non-persistent data such as page files, swap files, or SQL Server tempdb. 
Storing persistent data on temporary disks can lead to data loss during maintenance events or VM redeployment.", + "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", + "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", + "service": "VM", "severity": "Medium", - "text": "Enforce a purging log policy and automation (if needed, logs can be moved to cold storage)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Cost" + "text": "Do not use the Temp disk for anything that is not acceptable to be lost", + "waf": "Reliability" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "checklist": "Resiliency Review", + "description": "Co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones.", + "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", "service": "VM", "severity": "Medium", - "text": "Check that the disks are really needed, if not: delete. 
If they are needed, find lower storage tiers or use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Cost" + "text": "Leverage Availability Zones for your VMs in regions where they are supported", + "waf": "Reliability" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Resiliency Review", + "description": "Use at least two VMs in Availability Sets to isolate VMs on different fault and update domains.", + "guid": "5a785d6f-e96c-496a-b884-4cf3b2b38c88", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "VM", "severity": "Medium", - "text": "Consider moving unused storage to lower tier, with customized rule - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Cost" + "text": "For regions that do not support Availability Zones deploy VMs into Availability Sets", + "waf": "Reliability" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "checklist": "Resiliency Review", + "description": "Azure provides multiple options for VM redundancy to meet different requirements (Availability Zones, Virtual Machine Scale Sets, Availability Sets, Azure Site Recovery)", + "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", + "link": 
"https://learn.microsoft.com/azure/virtual-machines/availability", "service": "VM", - "severity": "Medium", - "text": "Make sure advisor is configured for VM right sizing ", - "waf": "Cost" + "severity": "High", + "text": "Avoid running a production workload on a single VM", + "waf": "Reliability" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "description": "check by searching the Meter Category Licenses in the Cost analysys", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "checklist": "Resiliency Review", + "description": "Azure Site Recovery enables you to achieve low RTO (Recovery Time Objective) for your Azure and hybrid VMs by providing continuous replication and failover capabilities.", + "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", "service": "VM", - "severity": "Medium", - "text": "run the script on all windows VMs https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- consider implementing a policy if windows VMs are created frequently", - "waf": "Cost" + "severity": "High", + "text": "For Azure and on-premises VMs (Hyper-V/Phyiscal/VMware) with low RTO requirements use Azure Site Recovery", + "waf": "Reliability" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "checklist": "Resiliency Review", + "description": "By using Capacity Reservations, you can effectively manage capacity for critical workloads, ensuring resource availability in specified regions.", + "guid": 
"bd7bb012-f7b9-45e0-9e15-8e3ea3992c2d", + "link": "https://learn.microsoft.com/azure/virtual-machines/capacity-reservation-overview", "service": "VM", - "severity": "Medium", - "text": " this can be also put under AHUB if you already have licenses https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Cost" + "severity": "Low", + "text": "Use Capacity Reservations for critical workloads that require guaranteed capacity", + "waf": "Reliability" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "checklist": "Resiliency Review", + "description": "By ensuring that the necessary quotas are increased in your DR region before testing failover with ASR, you can avoid any potential resource constraints during the recovery process for failed over VMs.", + "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", + "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", "service": "VM", "severity": "Medium", - "text": "Consolidate reserved VM families with flexibility option (no more than 4-5 families)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Cost" + "text": "Increase quotas in DR region before testing failover with ASR", + "waf": "Reliability" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "checklist": "Resiliency Review", + "description": "Scheduled Events is an Azure Metadata Service that provides 
information about upcoming maintenance events for virtual machines (VMs). By leveraging Scheduled Events, you can proactively prepare your applications for VM maintenance, minimizing disruption and improving the availability of your VMs.",
+ "guid": "6d3b475a-5c7a-4cbe-99bb-e64dd8902e87",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/windows/scheduled-events",
 "service": "VM",
+ "severity": "Low",
+ "text": "Utilize Scheduled Events to prepare for VM maintenance",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Resiliency Review",
+ "description": "Use Zone-redundant Storage (ZRS) in the primary region for scenarios that require high availability and for restricting replication to a particular country or region. For protection against regional disasters, use Geo-zone-redundant Storage (GZRS), which combines ZRS in the primary region with geo-replication to a secondary region?.",
+ "guid": "48c7c891-dcb1-4f7d-9769-ae568ba38d4a",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Azure Storage",
 "severity": "Medium",
- "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.",
- "waf": "Cost"
+ "text": "Choose the most appropriate data redundancy option for Azure Storage based on your requirements",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
- "service": "VM",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Resiliency Review",
+ "description": "Assigning a Delete lock to your storage account helps protect the availability of your data, minimizing the risk of disruptions to your business operations.",
+ "guid": "85e2213d-bd7b-4b01-8f7b-95e06e158e3e",
+ "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource",
+ "service": "Azure Storage",
+ "severity": "Low",
+ "text": "Apply a Delete lock to prevent accidental or malicious deletion of storage accounts",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Resiliency Review",
+ "description": "Container soft delete protects your data from being accidentally deleted by maintaining the deleted data in the system for a specified period of time.",
+ "guid": "a3992c2d-e6e2-4065-a3a7-6af4a691e893",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable",
+ "service": "Azure Storage",
+ "severity": "Low",
+ "text": "Enable soft delete for Storage Account Containers",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Resiliency Review",
+ "description": "Blob soft delete protects an individual blob and its versions, snapshots, and metadata from accidental deletes or overwrites by maintaining the deleted data in the system for a specified period of time.",
+ "guid": "9ada4666-7e13-4c10-96b9-153d89f89dc7",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable",
+ "service": "Azure Storage",
+ "severity": "Low",
+ "text": "Enable soft delete for blobs",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Resiliency Review",
+ "description": "Azure Backup enhanced soft delete provides critical protection against ransomware attacks by retaining deleted backups, enabling recovery from potential ransomware encryption or deletion.",
+ "guid": "b44be3b1-a27f-48b9-b91b-e1038df03a82",
+ "link": "https://learn.microsoft.com/azure/backup/backup-azure-enhanced-soft-delete-about",
+ "service": "Azure Backup",
 "severity": "Medium",
- "text": "Only larger disks can be reserved => 1 TiB -",
- "waf": 
"Cost"
+ "text": "Enable Azure Backup enhanced soft delete for improved data protection and recovery",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Resiliency Review",
+ "description": "Azure Backup's multi-user authorization enables fine-grained control over user access to backup resources, allowing you to restrict privileges and ensure proper authentication and authorization for backup operations.",
+ "guid": "2cd463cb-bbc8-4ac2-a9eb-c92a43da1dae",
+ "link": "https://learn.microsoft.com/azure/backup/multi-user-authorization-concept",
+ "service": "Azure Backup",
+ "severity": "Low",
+ "text": "Implement multi-user authorization for Azure Backup to ensure secure and controlled access to backup resources",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Resiliency Review",
+ "description": "Azure Immutable Storage provides an additional layer of security by ensuring that backup data stored in the vault cannot be modified or deleted for a specified retention period. This helps safeguard your backups from ransomware attacks that may attempt to compromise or manipulate your backup data.",
+ "guid": "2cc88147-0607-4c1c-aa0e-614658dd458e",
+ "link": "https://learn.microsoft.com/azure/backup/backup-azure-immutable-vault-concept?source=recommendations&tabs=recovery-services-vault",
+ "service": "Azure Backup",
+ "severity": "Low",
+ "text": "Implement Immutable Storage for your vaults to protect against ransomware and prevent unauthorized modifications to backups",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Network/dnsZones",
+ "checklist": "Resiliency Review",
+ "description": "To eliminate a single point of failure in your on-premises DNS services and ensure reliable DNS resolution during business continuity and disaster recovery scenarios, it is recommended to utilize Azure DNS Private Resolvers in multiple regions. 
By deploying two or more Azure DNS private resolvers across different regions, you can enable DNS failover and achieve resiliency in your DNS infrastructure.",
+ "guid": "43da1dae-2cc8-4814-9060-7c1cca0e6146",
+ "link": "https://learn.microsoft.com/azure/dns/tutorial-dns-private-resolver-failover",
+ "service": "DNS",
+ "severity": "Low",
+ "text": "Implement DNS Failover using Azure DNS Private Resolvers",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.PowerBI/gateways",
+ "checklist": "Resiliency Review",
+ "description": "Use an on-premises data gateway cluster to avoid single points of failure and to load balance traffic across gateways.",
+ "guid": "89f89dc7-b44b-4e3b-8a27-f8b9e91be103",
+ "link": "https://learn.microsoft.com/data-integration/gateway/service-gateway-high-availability-clusters",
+ "service": "Data Gateways",
+ "severity": "Medium",
+ "text": "Use on-premises data gateway clusters to ensure high availability for business-critical data",
+ "waf": "Reliability"
 },
 {
 "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
- "service": "VM",
+ "checklist": "Resiliency Review",
+ "description": "When choosing the best option for deploying NVAs in Azure, it is crucial to consider the vendor's recommendations and validate that the specific design has been vetted and validated by the NVA vendor. 
The vendor should also provide the necessary NVA configuration for seamless integration in Azure.",
+ "guid": "8b1188b3-c6a4-46ce-a544-451e192d3442",
+ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
+ "service": "NVA",
+ "severity": "High",
+ "text": "Deploy Network Virtual Appliances (NVAs) in a vendor supported configuration for High Availability",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "1fc2fc14-eea6-4e69-b8d9-a3edc218e687",
+ "link": "https://polite-sea-0995b240f.2.azurestaticapps.net/technical-delivery-playbook/azure-services/analytics/purview/",
+ "service": "Purview",
 "severity": "Medium",
- "text": "After the right-sizing optimization",
- "waf": "Cost"
+ "text": "Leverage FTA Resillency Handbook",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "ab067acb-49e5-4b96-8332-4ecf8cc13318",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
+ "severity": "High",
+ "text": "Plan for Data Center level outage",
+ "waf": "Reliability"
+ },
+ {
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "description": "1. Create the new account 2. Migrate configuration items 3. Run scans 4. Migrate custom typedefs and custom assets 5. Migrate relationships 6. Migrate glossary terms 7. Assign classifications to assets 8. 
Assign contacts to assets",
+ "guid": "da611702-69f4-4fb4-aa3d-3ef7f3176c4b",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
+ "severity": "Medium",
+ "text": "Practice Failover for BCDR",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Sql/servers",
- "checklist": "Cost Optimization Checklist",
- "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
- "service": "Azure SQL",
- "severity": "Medium",
- "text": "Check if applicable and enforce policy/change https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "97b15b8a-219a-44ab-bb57-879024d22678",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
+ "severity": "High",
+ "text": "Plan a backup strategy and take regular backups",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
- "service": "VM",
- "severity": "Medium",
- "text": "The VM + license part discount (ahub + 3YRI) is around 70% discount",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "6d20b56c-56a9-4581-89bf-8d8e5c586b7d",
+ "link": "https://learn.microsoft.com/purview/manage-kafka-dotnet",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Use Microsoft Purview's Event Hubs to subscribe and create entities to another account",
+ "waf": "Reliability"
 },
 {
- "arm-service": 
"Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "VM",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "8cdc15ac-c075-4ee9-a130-a8889579e76b",
+ "link": "https://learn.microsoft.com/purview/deployment-best-practices",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Consider using a VMSS to match demand rather than flat sizing",
- "waf": "Cost"
+ "text": "Follow Purview accounts architectures and deployment best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Cost Optimization Checklist",
- "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
- "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
- "service": "AKS",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "896e710a-7da7-4be9-a56d-14d3c49d997c",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-collections",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)",
- "waf": "Cost"
+ "text": "Follow Collection Architectures and best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
- "service": "Azure Backup",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": 
"b3d1325a-a225-4c6f-9e06-85edddea8a4b",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-asset-lifecycle",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Move recovery points to vault-archive where applicable (Validate)",
- "training": "https://azure.microsoft.com/pricing/reservations/",
- "waf": "Cost"
+ "text": "Follow Assest lifecycle best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Databricks/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
- "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
- "service": "Databricks",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "7cdeb3c6-1fc2-4fc1-9eea-6e69d8d9a3ed",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-automation",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Consider using Spot VMs with fallback where possible. 
Consider autotermination of clusters.",
- "waf": "Cost"
+ "text": "Follow automation best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
- "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
- "service": "Azure Functions",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "c218e687-ab06-47ac-a49e-5b9603324ecf",
+ "link": "https://learn.microsoft.com/purview/disaster-recovery",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Functions - Reuse connections",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
- "waf": "Cost"
+ "text": "Follow Backup and Migration Best practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
- "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
- "service": "Azure Functions",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "8cc13318-da61-4170-869f-4fb4aa3d3ef7",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-glossary",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Functions - Cache data locally",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
- "waf": "Cost"
+ "text": "Follow Purview Glossary Best Practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
- "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
- "service": "Azure Functions",
- 
"severity": "Medium",
- "text": "Functions - Cold starts-Use the 'Run from package' functionality. This way, the code is downloaded as a single zip file. This can, for example, result in significant improvements with Javascript functions, which have a lot of node modules.Use language specific tools to reduce the package size, for example, tree shaking Javascript applications.",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "f3176c4b-97b1-45b8-a219-a4abeb578790",
+ "link": "https://learn.microsoft.com/purview/concept-workflow",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Leverage Workflows ",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
- "service": "Azure Functions",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "24d22678-6d20-4b56-a56a-958119bf8d8e",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-security",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Functions - Keep your functions warm",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Cost"
+ "text": "Follow Purview Security Best Practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Azure Functions",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "5c586b7d-8cdc-415a-ac07-5ee9b130a888",
+ "link": 
"https://learn.microsoft.com/purview/concept-best-practices-lineage-azure-data-factory",
+ "service": "Purview",
 "severity": "Medium",
- "text": "When using autoscale with different functions, there might be one driving all the autoscale for all the resources - consider moving it to a separate consumption plan (and consider higher plan for CPU)",
- "waf": "Cost"
+ "text": "Follow Purview Data Lineage Best Practices",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
- "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
- "service": "Azure Functions",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "9579e76b-896e-4710-a7da-7be9956d14d3",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-scanning",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Function apps in a given plan are all scaled together, so any issues with scaling can affect all apps in the plan.",
- "waf": "Cost"
+ "text": "Follow Best Practices for Scanning Registered Sources",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
- "service": "Azure Functions",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "c49d997c-b3d1-4325-aa22-5c6f4e0685ed",
+ "link": "https://learn.microsoft.com/purview/concept-best-practices-classification",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Am I billed for 'await time'? This question is typically asked in the context of a C# function that does an async operation and waits for the result, e.g. 
await Task.Delay(1000) or await client.GetAsync('http://google.com'). The answer is yes - the GB second calculation is based on the start and end time of the function and the memory usage over that period. What actually happens over that time in terms of CPU activity is not factored into the calculation.One exception to this rule is if you are using durable functions. You are not billed for time spent at awaits in orchestrator functions.apply demand shaping techinques where possible (dev environments?) https://github.com/Azure-Samples/functions-csharp-premium-scaler",
- "waf": "Cost"
+ "text": "Follow Classification Best Practices in Governance Portal",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Cost Optimization Checklist",
- "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Front Door",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "ddea8a4b-7cde-4b3c-91fc-2fc14eea6e69",
+ "link": "https://learn.microsoft.com/purview/sensitivity-labels-frequently-asked-questions",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.",
- "waf": "Cost"
+ "text": "Perform Sensitivity Labelling in the Purview Data Map",
+ "waf": "Reliability"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Cost Optimization Checklist",
- "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Front Door",
- "severity": "Medium",
- "text": "Frontdoor - Route to something that returns nothing. 
Either set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "d8d9a3ed-c218-4e68-9ab0-67acb49e5b96",
+ "link": "https://learn.microsoft.com/purview/concept-data-share",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Leverage Azure Storage in-place data sharing with Microsoft Purview",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3",
- "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
- "service": "Storage",
- "severity": "Medium",
- "text": "Consider archiving tiers for less used data",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "03324ecf-8cc1-4331-ada6-1170269f4fb4",
+ "link": "https://learn.microsoft.com/purview/concept-insights",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Leverage Data Estate Insights",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c",
- "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
- "service": "VM",
- "severity": "Medium",
- "text": "Check disk sizes where the size does not match the tier (i.e. 
A 513 GiB disk will pay a P30 (1TiB) and consider resizing",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "aa3d3ef7-f317-46c4-a97b-15b8a219a4ab",
+ "link": "https://learn.microsoft.com/purview/catalog-adoption-insights",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Use Data stewardship and Catalog adoption",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
- "service": "Storage",
- "severity": "Medium",
- "text": "Consider using standard SSD rather than Premium or Ultra where possible",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "eb578790-24d2-4267-a6d2-0b56c56a9581",
+ "link": "https://learn.microsoft.com/purview/concept-insights",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Use Inventory and Ownership",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
- "service": "Storage",
- "severity": "Medium",
- "text": "For storage accounts, make sure that the chosen tier is not adding up transaction charges (it might be cheaper to move to the next tier)",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "19bf8d8e-5c58-46b7-b8cd-c15acc075ee9",
+ "link": "https://learn.microsoft.com/purview/glossary-insights",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Leverage Insights for Glossary, 
Classifications, Sensitivity Labels",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
- "service": "Site Recovery",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "b130a888-9579-4e76-a896-e710a7da7be9",
+ "link": "https://learn.microsoft.com/purview/compliance-manager",
+ "service": "Purview",
 "severity": "Medium",
- "text": "For ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it",
- "waf": "Cost"
+ "text": "Generate assessment scores",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1",
- "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery",
- "service": "Storage",
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "956d14d3-c49d-4997-ab3d-1325aa225c6f",
+ "link": "https://learn.microsoft.com/purview/compliance-manager-scoring",
+ "service": "Purview",
 "severity": "Medium",
- "text": "Storage accounts: check hot tier and/or GRS necessary",
- "waf": "Cost"
+ "text": "Profiling- get summaries of data content",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18",
- "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
- "service": "VM",
- "severity": "Medium",
- "text": "Disks - validate use of Premium SSD disks everywhere: for example, non-prod could swap to Standard SSD or on-demand Premium SSD ",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft 
Purview Review Checklist",
+ "guid": "4e0685ed-ddea-48a4-a7cd-eb3c61fc2fc1",
+ "link": "https://learn.microsoft.com/purview/concept-policies-data-owner#microsoft-purview-policy-concepts",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Follow Microsoft Purview Data Owner access policies",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5",
- "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "4eea6e69-d8d9-4a3e-bc21-8e687ab067ac",
+ "link": "https://learn.microsoft.com/purview/concept-self-service-data-access-policy",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Follow Self-service access policies",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "35e33789-7e31-4c67-b68c-f6a62a119495",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Export cost data to a storage account for additional data analysis.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Purview/accounts",
+ "checklist": "Microsoft Purview Review Checklist",
+ "guid": "b49e5b96-0332-44ec-b8cc-13318da61170",
+ "link": "https://learn.microsoft.com/purview/concept-policies-devops",
+ "service": "Purview",
+ "severity": "Low",
+ "text": "Follow DevOps policies",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd",
- "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "0e03f5ee-4648-423c-bb86-7239480f9171",
+ "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Leverage Availability Zones if regionally applicable (this is automatically enabled).",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4",
- "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Enable the serverless Apache Spark automatic pause feature and set your timeout value accordingly.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "c0c273bd-00ad-419a-9f2f-fc72fb181e55",
+ "link": "https://learn.microsoft.com/en-us/azure/iot-dps/iot-dps-ha-dr#high-availability",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Be aware of Microsoft-initiated failovers. 
These are exercised by Microsoft in rare situations to fail over all the DPS instances from an affected region to the corresponding geo-paired region.",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Create multiple Apache Spark pool definitions of various sizes.",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "3af8abe6-07eb-4287-b393-6c4abe3702eb",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "Device Update for IoT Hub",
+ "severity": "High",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator",
- "service": "Synapse",
- "severity": "Medium",
- "text": "Purchase Azure Synapse commit units (SCU) for one year with a pre-purchase plan to save on your Azure Synapse Analytics costs.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/deviceUpdateServices",
+ "checklist": "Device Update Review",
+ "guid": "bd91245c-fe32-4e98-a085-794a40f4bfe1",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "Device Update for IoT 
Hub",
+ "severity": "High",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb",
- "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
- "service": "VM",
- "severity": "Medium",
- "text": "Use Spot VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
+ "service": "IoT Hub DPS",
+ "severity": "High",
+ "text": "Select the right Logic App hosting plan based on your business & SLO requirements",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "544451e1-92d3-4442-a3c7-628637a551c5",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "VM",
- "severity": "Medium",
- "text": "Right-sizing all VMs",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
+ "service": "IoT Hub DPS",
+ "severity": "High",
+ "text": "Protect logic apps from region failures with zone redundancy and availability zones",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- 
"checklist": "Cost Optimization Checklist",
- "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
- "service": "VM",
- "severity": "Medium",
- "text": "Swap VM sized with normalized and most recent sizes",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "8aed4fbf-0830-4883-899d-222a154af478",
+ "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "IoT Hub DPS",
+ "severity": "High",
+ "text": "Consider a Cross-Region DR strategy for critical workloads",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "VM",
- "severity": "Medium",
- "text": "right-sizing VMs - start with monitoring usage below 5% and then work up to 40%",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Cost"
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
+ "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
+ "service": "IoT Hub DPS",
+ "severity": "High",
+ "text": "If deploying to an Isolated environment, use or migrate to App Service Environment (ASE) v3",
+ "waf": "Reliability"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a",
- "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "VM",
+ "arm-service": "Microsoft.Devices/provisioningServices",
+ "checklist": "Device Provisioning Service Review",
+ "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
+ "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
+ "service": "IoT Hub DPS",
 "severity": "Medium",
- "text": "Containerizing an application can improve VM density and save money on scaling it",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Cost"
+ "text": "Leverage Azure DevOps or GitHub to streamline CI/CD and safeguard your Logic App code",
+ "waf": "Operations"
 }
 ],
 "metadata": {
 "name": "WAF checklist",
- "timestamp": "August 05, 2024"
+ "timestamp": "August 08, 2024"
 },
 "severities": [
 {
diff --git a/checklists/waf_checklist.es.json b/checklists/waf_checklist.es.json
index 123857f95..2e5c33a23 100644
--- a/checklists/waf_checklist.es.json
+++ b/checklists/waf_checklist.es.json
@@ -1,5709 +1,5338 @@
 {
 "items": [
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
- "service": "IoT Hub DPS",
- "severity": "Alto",
- "text": "Seleccione el plan de hospedaje de aplicaciones lógicas adecuado en función de los requisitos empresariales y de SLO",
- "waf": "Fiabilidad"
+ "checklist": "Azure Landing Zone Review",
+ "guid": "70c15989-c726-42c7-b0d3-24b7375b9201",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations",
+ "service": "Entra",
+ "severity": "Medio",
+ "text": "Use un inquilino de Entra para administrar los recursos de Azure, a menos que tenga un requisito normativo o empresarial claro para varios inquilinos.",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "IoT Hub DPS",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
+ "service": "Entra",
+ "severity": "Bajo",
+ "text": "Use el enfoque de automatización multiinquilino para administrar los inquilinos de Microsoft Entra ID.",
+ "waf": "Operaciones"
+ },
+ {
+ "checklist": "Azure Landing Zone Review",
+ "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
+ "service": "Entra",
 "severity": "Alto",
- "text": "Proteja las 
aplicaciones lógicas de errores de región con redundancia de zona y zonas de disponibilidad",
- "waf": "Fiabilidad"
+ "text": "Use Azure Lighthouse para la administración de varios inquilinos con los mismos identificadores.",
+ "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "8aed4fbf-0830-4883-899d-222a154af478",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "IoT Hub DPS",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "service": "Entra",
 "severity": "Alto",
- "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas",
- "waf": "Fiabilidad"
+ "text": "Si concede a un asociado acceso para administrar el inquilino, use Azure Lighthouse.",
+ "waf": "Costar"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
- "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "IoT Hub DPS",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "348ef254-c27d-442e-abba-c7571559ab91",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
+ "service": "Entra",
 "severity": "Alto",
- "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3",
- "waf": "Fiabilidad"
+ "text": "Aplique un modelo RBAC que se alinee con su 
modelo operativo en la nube. Ámbito y asignación entre grupos de administración y suscripciones.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", - "severity": "Medio", - "text": "Aproveche Azure DevOps o GitHub para simplificar la CI/CD y proteger el código de la aplicación lógica", - "waf": "Operaciones" + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", + "severity": "Alto", + "text": "Utilice únicamente el tipo de autenticación Cuenta profesional o educativa para todos los tipos de cuenta. Evite usar la cuenta de Microsoft", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", "severity": "Medio", - "text": "Aproveche el servidor flexible", - "waf": "Fiabilidad" + "text": "Utilice solo grupos para asignar permisos. 
Agregue grupos locales al grupo Solo ID de Entra si ya existe un sistema de administración de grupos.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente", - "waf": "Fiabilidad" - }, - { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", - "severity": "Medio", - "text": "Aproveche la replicación de entrada de datos para escenarios de recuperación ante desastres entre regiones", - "waf": "Fiabilidad" + "text": "Aplique directivas de acceso condicional de identificador de Microsoft Entra para cualquier usuario con derechos sobre entornos de Azure.", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": 
"https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad si corresponden regionalmente (esto se habilita automáticamente)", - "waf": "Fiabilidad" + "text": "Aplique la autenticación multifactor para cualquier usuario con derechos en los entornos de Azure.", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "severity": "Medio", - "text": "Tenga en cuenta las conmutaciones por error iniciadas por Microsoft. 
Microsoft los ejerce en situaciones excepcionales para conmutar por error todos los centros de IoT de una región afectada a la región emparejada geográficamente correspondiente.", - "waf": "Fiabilidad" + "text": "Aplique la administración de identidades privilegiadas (PIM) de Microsoft Entra ID para establecer un acceso permanente cero y privilegios mínimos.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "severity": "Alto", - "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", - "waf": "Fiabilidad" + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview", + "service": "Entra", + "severity": "Medio", + "text": "Si planea cambiar de Servicios de dominio de Active Directory a Servicios de dominio Entra, evalúe la compatibilidad de todas las cargas de trabajo.", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "Alto", - "text": "Obtenga información sobre cómo desencadenar una conmutación por error manual.", - "waf": "Fiabilidad" + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": 
"https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", + "severity": "Medio", + "text": "Integre los registros de identificador de Microsoft Entra con Azure Monitor central de la plataforma. Azure Monitor permite una única fuente de información sobre los datos de registro y supervisión en Azure, lo que proporciona a las organizaciones opciones nativas en la nube para cumplir con los requisitos relacionados con la recopilación y retención de registros.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", "severity": "Alto", - "text": "Obtenga información sobre cómo conmutar por recuperación después de una conmutación por error.", - "waf": "Fiabilidad" + "text": "Implemente un acceso de emergencia o cuentas de emergencia para evitar el bloqueo de cuentas en todo el inquilino.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "severity": "Medio", - "text": "Azure Spring Apps permite dos implementaciones para cada aplicación, de las 
cuales solo una recibe tráfico de producción. Puede lograr cero tiempo de inactividad con estrategias de implementación azul verde. La implementación azul verde solo está disponible en los niveles Estándar y Enterprise. Puede automatizar la implementación mediante CI/CD con acciones de ADO/GitHub", - "waf": "Fiabilidad" + "text": "No use cuentas sincronizadas locales para las asignaciones de roles de identificador de Microsoft Entra, a menos que tenga un escenario que lo requiera específicamente.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", "severity": "Medio", - "text": "Las instancias de Azure Spring Apps se pueden crear en varias regiones para las aplicaciones y el tráfico se puede enrutar mediante Traffic Manager o Front Door.", - "waf": "Fiabilidad" + "text": "Al usar el proxy de aplicación de Microsoft Entra ID para proporcionar a los usuarios remotos acceso a las aplicaciones, adminístrelo como un recurso de plataforma, ya que solo puede tener una instancia por inquilino.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "arm-service": 
"Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "severity": "Medio", - "text": "En la región admitida, Azure Spring Apps se puede implementar como zona redundante, lo que significa que las instancias se distribuyen automáticamente entre las zonas de disponibilidad. Esta función solo está disponible en los niveles Standard y Enterprise.", - "waf": "Fiabilidad" + "text": "Utilice una topología de red en estrella tipo hub-and-spoke para escenarios de red que requieran la máxima flexibilidad.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", - "severity": "Medio", - "text": "Usar más de 1 instancia de aplicación para las aplicaciones", - "waf": "Fiabilidad" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", + "severity": "Alto", + "text": "Implemente servicios de red compartidos, incluidas puertas de enlace de ExpressRoute, puertas de enlace de VPN y Azure Firewall o aplicaciones virtuales de red de asociados en la red virtual del centro central. 
Si es necesario, implemente también servicios DNS.", + "waf": "Costar" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "severity": "Medio", - "text": "Supervise Azure Spring Apps con registros, métricas y seguimiento. Integre ASA con la información de las aplicaciones, realice un seguimiento de los errores y cree libros de trabajo.", - "waf": "Fiabilidad" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", + "severity": "Alto", + "text": "Utilice un plan de protección de IP o red DDoS para todas las direcciones IP públicas en las zonas de aterrizaje de aplicaciones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "Medio", - "text": "Configuración del escalado automático en Spring Cloud Gateway", + "text": "Al implementar tecnologías de redes de asociados o NVA, siga las instrucciones del proveedor del asociado.", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": 
"97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", "severity": "Bajo", - "text": "Habilite el escalado automático para las aplicaciones con el consumo estándar y el plan dedicado.", - "waf": "Fiabilidad" + "text": "Si necesita tránsito entre ExpressRoute y puertas de enlace de VPN en escenarios tipo hub-and-spoke, use Azure Route Server.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + "arm-service": "Microsoft.Network/virtualHubs", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "Bajo", + "text": "Si utiliza el servidor de rutas, utilice un prefijo /27 para la subred del servidor de rutas.", + "waf": "Seguridad" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + 
"guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", "severity": "Medio", - "text": "Use el plan Enterprise para obtener soporte comercial de Spring Boot para aplicaciones de misión crítica. Con otros niveles, obtienes soporte OSS.", - "waf": "Fiabilidad" + "text": "En el caso de las arquitecturas de red con varias topologías en estrella tipo hub-and-spoke en las regiones de Azure, use emparejamientos de red virtual global entre las redes virtuales del centro para conectar las regiones entre sí.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", - "severity": "Bajo", - "text": "Consulte la arquitectura de aplicación web de redundancia de zona de alta disponibilidad de línea de base para conocer los procedimientos recomendados", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", + "severity": "Medio", + "text": "Use Azure Monitor para redes para supervisar el estado de un extremo a otro de las redes de Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Operaciones" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | 
mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", + "severity": "Medio", + "text": "Si tiene más de 400 redes radiales en una región, implemente un centro adicional para omitir los límites de emparejamiento de red virtual (500) y el número máximo de prefijos que se pueden anunciar a través de ExpressRoute (1000).", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "Medio", - "text": "Utilice los niveles Premium y Estándar. 
Estos niveles admiten ranuras de ensayo y copias de seguridad automatizadas.", + "text": "Limite el número de rutas por tabla de rutas a 400.", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente (requiere el nivel Premium v2 o v3)", + "text": "Use la opción \"Permitir tráfico a la red virtual remota\" al configurar emparejamientos de red virtual.", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", "severity": "Medio", - "text": "Implementación de comprobaciones de estado", - "waf": "Fiabilidad" + "text": "Cuando use ExpressRoute Direct, configure MACsec para cifrar el tráfico en el nivel de capa dos entre los enrutadores de 
la organización y MSEE. El diagrama muestra este cifrado en el flujo.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", - "severity": "Alto", - "text": "Consulte los procedimientos recomendados de copia de seguridad y restauración para Azure App Service", - "waf": "Fiabilidad" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", + "service": "ExpressRoute", + "severity": "Medio", + "text": "En escenarios en los que MACsec no es una opción (por ejemplo, no usar ExpressRoute Direct), use una puerta de enlace de VPN para establecer túneles IPsec a través del emparejamiento privado de ExpressRoute.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", "severity": "Alto", - "text": "Implementación de los procedimientos recomendados de confiabilidad de Azure App Service", - "waf": "Fiabilidad" + "text": "Asegúrese de que no se usen espacios de direcciones IP superpuestos entre regiones de Azure y ubicaciones locales.", + "training": 
"https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "severity": "Bajo", - "text": "Familiarizarse con cómo mover una aplicación de App Service a otra región durante un desastre", - "waf": "Fiabilidad" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "Medio", + "text": "Utilice las direcciones IP de los rangos de asignación de direcciones para Internet privadas (RFC 1918).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend 
addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "severity": "Alto", - "text": "Familiarizarse con la compatibilidad con la confiabilidad en Azure App Service", - "waf": "Fiabilidad" + "text": "Asegúrese de que no se desperdicie el espacio de direcciones IP, no cree redes virtuales innecesariamente grandes (por ejemplo, /16).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", - "severity": "Medio", - "text": "Asegúrese de que \"Siempre activado\" está habilitado para las aplicaciones de funciones que se ejecutan en un plan de App Service", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", + "severity": "Alto", + "text": "No utilice intervalos de direcciones IP superpuestos para los sitios de producción y recuperación ante desastres.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - 
"guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", + "service": "DNS", "severity": "Medio", - "text": "Supervisión de instancias de App Service mediante comprobaciones de estado", - "waf": "Fiabilidad" + "text": "En entornos en los que la resolución de nombres en Azure es todo lo necesario, use Azure Private DNS para la resolución con una zona delegada para la resolución de nombres (como 'azure.contoso.com').", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", "severity": "Medio", - "text": "Supervisión de la disponibilidad y la capacidad de respuesta de la aplicación web o el sitio web mediante pruebas de disponibilidad de Application Insights", - "waf": "Fiabilidad" + "text": "En el caso de los entornos en los que se requiere la resolución de nombres en Azure y en el entorno local y no existe ningún servicio DNS empresarial como Active Directory, use Azure DNS Private Resolver para enrutar las solicitudes DNS a Azure o a servidores DNS locales.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "waf": "Seguridad" }, { - 
"arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", "severity": "Bajo", - "text": "Uso de la prueba estándar de Application Insights para supervisar la disponibilidad y la capacidad de respuesta de la aplicación web o el sitio web", - "waf": "Fiabilidad" + "text": "Las cargas de trabajo especiales que requieren e implementan su propio DNS (como Red Hat OpenShift) deben usar su solución de DNS preferida.", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use Azure Key Vault para almacenar los secretos que necesita la aplicación. 
Key Vault proporciona un entorno seguro y auditado para almacenar secretos y está bien integrado con App Service a través del SDK de Key Vault o las referencias de Key Vault de App Service.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", "severity": "Alto", - "text": "Uso de Key Vault para almacenar secretos", - "waf": "Seguridad" + "text": "Habilite el registro automático de Azure DNS para administrar automáticamente el ciclo de vida de los registros DNS de las máquinas virtuales implementadas en una red virtual.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use una identidad administrada para conectarse a Key Vault mediante el SDK de Key Vault o a través de las referencias de Key Vault de App Service.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "Alto", - "text": "Uso de la identidad administrada para conectarse a Key Vault", + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", + "severity": "Medio", + "text": "Use Azure Bastion para conectarse de forma segura a la red.", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Almacene el 
certificado TLS de App Service en Key Vault.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", - "severity": "Alto", - "text": "Use Key Vault para almacenar el certificado TLS.", + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", + "severity": "Medio", + "text": "Use Azure Bastion en una subred /26 o superior.", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Los sistemas que procesan información confidencial deben estar aislados. 
Para ello, use planes del Servicio de aplicaciones o entornos del Servicio de aplicaciones independientes y considere la posibilidad de usar suscripciones o grupos de administración diferentes.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", "severity": "Medio", - "text": "Aísle los sistemas que procesan información confidencial", + "text": "Use las directivas de Azure Front Door y WAF para proporcionar protección global en todas las regiones de Azure para las conexiones HTTP/S entrantes a una zona de aterrizaje.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Los discos locales de App Service no están cifrados y los datos confidenciales no deben almacenarse en ellos. (Por ejemplo: D:\\\\Local y %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", - "severity": "Medio", - "text": "No almacene datos confidenciales en el disco local", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "Bajo", + "text": "Al usar Azure Front Door y Azure Application Gateway para ayudar a proteger las aplicaciones HTTP/S, use directivas de WAF en Azure Front Door. 
Bloquee Azure Application Gateway para recibir tráfico solo de Azure Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "En el caso de la aplicación web autenticada, use un proveedor de identidades bien establecido, como Azure AD o Azure AD B2C. Aproveche el marco de aplicaciones de su elección para integrarse con este proveedor o use la característica de autenticación o autorización del Servicio de aplicaciones.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", - "severity": "Medio", - "text": "Usar un proveedor de identidades establecido para la autenticación", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "Alto", + "text": "Cuando se requieran WAF y otros servidores proxy inversos para las conexiones HTTP/S entrantes, impleméntelos dentro de una red virtual de zona de aterrizaje y junto con las aplicaciones que protegen y exponen a Internet.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Implemente código en App Service desde un entorno controlado y de confianza, como una canalización de implementación de DevOps bien administrada y segura. 
De este modo, se evita el código que no se ha controlado la versión y se ha comprobado que se implementará desde un host malintencionado.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "severity": "Alto", - "text": "Implementación desde un entorno de confianza", + "text": "Use los planes de protección IP o de red DDoS de Azure para ayudar a proteger los puntos de conexión de direcciones IP públicas dentro de las redes virtuales.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Deshabilite la autenticación básica tanto para FTP/FTPS como para WebDeploy/SCM. Esto deshabilita el acceso a estos servicios y exige el uso de puntos de conexión protegidos de Azure AD para la implementación. 
Tenga en cuenta que el sitio de SCM también se puede abrir con credenciales de Azure AD.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", "severity": "Alto", - "text": "Deshabilitar la autenticación básica", - "waf": "Seguridad" + "text": "Planifique cómo administrar la configuración y la estrategia del tráfico saliente de su red antes del próximo cambio importante. El 30 de septiembre de 2025, se retirará el acceso saliente predeterminado para las nuevas implementaciones y solo se permitirán configuraciones de acceso explícitas.", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Siempre que sea posible, use Managed Identity para conectarse a los recursos protegidos de Azure AD. 
Si esto no es posible, almacene los secretos en Key Vault y conéctese a Key Vault mediante una identidad administrada en su lugar.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "severity": "Alto", - "text": "Uso de la identidad administrada para conectarse a los recursos", + "text": "Agregue configuraciones de diagnóstico para guardar los registros relacionados con DDoS para todas las direcciones IP públicas protegidas (IP DDoS o Protección de red).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas mediante una identidad administrada.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Policy", "severity": "Alto", - "text": "Extracción de contenedores mediante una identidad administrada", + "text": "Asegúrese de que haya una asignación de directiva para denegar las direcciones IP públicas vinculadas directamente a las máquinas virtuales. 
Use exclusiones si se necesitan direcciones IP públicas en máquinas virtuales específicas.", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Al configurar las opciones de diagnóstico de App Service, puede enviar todos los datos de telemetría a Log Analytics como destino central para el registro y la supervisión. Esto le permite supervisar la actividad en tiempo de ejecución de App Service, como los registros HTTP, los registros de aplicaciones, los registros de plataforma, ...", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "Medio", - "text": "Envío de registros en tiempo de ejecución de App Service a Log Analytics", - "waf": "Seguridad" + "text": "Use ExpressRoute como conexión principal a Azure. Utilice las VPN como fuente de conectividad de respaldo.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Configure una configuración de diagnóstico para enviar el registro de actividad a Log Analytics como destino central para el registro y la supervisión. 
Esto le permite supervisar la actividad del plano de control en el propio recurso de App Service.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "description": "Puede usar la anteposición de AS y los pesos de conexión para influir en el tráfico de Azure al entorno local, y la gama completa de atributos BGP en sus propios enrutadores para influir en el tráfico del entorno local a Azure.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "severity": "Medio", - "text": "Envío de registros de actividad de App Service a Log Analytics", - "waf": "Seguridad" + "text": "Cuando use varios circuitos ExpressRoute o varias ubicaciones locales, use atributos BGP para optimizar el enrutamiento.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Controle el acceso saliente a la red mediante una combinación de integración de red virtual regional, grupos de seguridad de red y UDR. El tráfico debe enrutarse a una aplicación virtual de red, como Azure Firewall. 
Asegúrese de supervisar los registros del cortafuegos.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", + "service": "ExpressRoute", "severity": "Medio", - "text": "El acceso a la red saliente debe controlarse", - "waf": "Seguridad" + "text": "Seleccione la SKU correcta para las puertas de enlace de ExpressRoute/VPN en función de los requisitos de ancho de banda y rendimiento.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Puede proporcionar una dirección IP de salida estable mediante la integración de red virtual y una puerta de enlace NAT de red virtual o una aplicación virtual de red como Azure Firewall. Esto permite a la parte receptora incluir en la lista de permitidos en función de la IP, en caso de que sea necesario. Tenga en cuenta que para las comunicaciones con los servicios de Azure, a menudo no es necesario depender de la dirección IP y, en su lugar, se deben usar mecanismos como los puntos de conexión de servicio. 
(Además, el uso de puntos de conexión privados en el extremo receptor evita que se produzca SNAT y proporciona un intervalo de IP de salida estable).", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "Bajo", - "text": "Garantizar una IP estable para las comunicaciones salientes hacia las direcciones de Internet", - "waf": "Seguridad" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Asegúrese de que usa circuitos ExpressRoute de datos ilimitados solo si alcanza el ancho de banda que justifica su costo.", + "waf": "Costar" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Controle el acceso entrante a la red mediante una combinación de restricciones de acceso al Servicio de aplicaciones, puntos de conexión de servicio o puntos de conexión privados. 
Se pueden requerir y configurar diferentes restricciones de acceso para la propia aplicación web y el sitio de SCM.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", "severity": "Alto", - "text": "El acceso a la red entrante debe controlarse", - "waf": "Seguridad" + "text": "Aproveche la SKU local de ExpressRoute para reducir el costo de los circuitos, si la ubicación de emparejamiento de circuitos admite las regiones de Azure para la SKU local.", + "waf": "Costar" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Protéjase contra el tráfico entrante malintencionado mediante un firewall de aplicaciones web como Application Gateway o Azure Front Door. 
Asegúrese de supervisar los registros del WAF.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", - "severity": "Alto", - "text": "Uso de un WAF delante de App Service", - "waf": "Seguridad" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", + "severity": "Medio", + "text": "Implemente una puerta de enlace de ExpressRoute con redundancia de zona en las regiones de Azure admitidas.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Asegúrese de que no se pueda omitir el WAF bloqueando el acceso solo al WAF. 
Use una combinación de restricciones de acceso, puntos de conexión de servicio y puntos de conexión privados.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "Alto", - "text": "Evite que se omita WAF", - "waf": "Seguridad" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", + "severity": "Medio", + "text": "En escenarios que requieren un ancho de banda superior a 10 Gbps o puertos dedicados de 10/100 Gbps, use ExpressRoute Direct.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Establezca la directiva TLS mínima en 1.2 en la configuración de App Service.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", "severity": "Medio", - "text": "Establezca la directiva TLS mínima en 1.2", - "waf": "Seguridad" + "text": "Cuando se requiera una latencia baja o el rendimiento del entorno local a Azure debe ser superior a 10 Gbps, habilite FastPath para omitir la puerta de 
enlace de ExpressRoute de la ruta de acceso de datos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Configure App Service para que use solo HTTPS. Esto hace que App Service se redirija de HTTP a HTTPS. Considere seriamente el uso de HTTP Strict Transport Security (HSTS) en su código o desde su WAF, que informa a los navegadores que solo se debe acceder al sitio mediante HTTPS.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", - "severity": "Alto", - "text": "Usar solo HTTPS", - "waf": "Seguridad" + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", + "severity": "Medio", + "text": "Use puertas de enlace de VPN con redundancia de zona para conectar sucursales o ubicaciones remotas a Azure (donde estén disponibles).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "No utilice caracteres comodín en la configuración de CORS, ya que esto permite que todos los orígenes accedan al servicio (lo que anula el propósito de 
CORS). En concreto, solo permite los orígenes que esperas poder acceder al servicio.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", - "severity": "Alto", - "text": "Los comodines no deben usarse para CORS", - "waf": "Seguridad" + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", + "severity": "Medio", + "text": "Utilice dispositivos VPN redundantes en las instalaciones (activo/activo o activo/pasivo).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "La depuración remota no debe estar activada en producción, ya que esto abre puertos adicionales en el servicio, lo que aumenta la superficie expuesta a ataques. 
Tenga en cuenta que el servicio desactiva la depuración remota automáticamente después de 48 horas.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "severity": "Alto", - "text": "Desactivar la depuración remota", - "waf": "Seguridad" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Habilite Defender para App Service. Esto (entre otras amenazas) detecta comunicaciones a direcciones IP maliciosas conocidas. 
Revise las recomendaciones de Defender para App Service como parte de las operaciones.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", - "severity": "Medio", - "text": "Habilitación de Defender for Cloud: Defender for App Service", - "waf": "Seguridad" + "text": "Si usa ExpressRoute Direct, considere la posibilidad de usar circuitos locales de ExpressRoute a las regiones locales de Azure para ahorrar costos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Costar" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure proporciona protección básica contra DDoS en su red, que se puede mejorar con funcionalidades inteligentes de DDoS Standard que aprenden sobre los patrones de tráfico normales y pueden detectar comportamientos inusuales. DDoS Standard se aplica a una red virtual, por lo que debe configurarse para el recurso de red delante de la aplicación, como Application Gateway o una aplicación virtual de red.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", "severity": "Medio", - "text": "Habilitación del estándar de protección DDoS en la red virtual de WAF", + "text": "Cuando se requiera aislamiento de tráfico o ancho de banda dedicado, por ejemplo, para separar entornos de producción y no de producción, use diferentes circuitos ExpressRoute. 
Le ayudará a garantizar dominios de enrutamiento aislados y a aliviar los riesgos de vecinos ruidosos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Seguridad" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas a través de una red virtual desde Azure Container Registry mediante su punto de conexión privado y la configuración de la aplicación \"WEBSITE_PULL_IMAGE_OVER_VNET\".", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", "severity": "Medio", - "text": "Extracción de contenedores a través de una red virtual", - "waf": "Seguridad" + "text": "Supervise la disponibilidad y el uso de ExpressRoute mediante Express Route Insights integrado.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Realice una prueba de penetración en la aplicación web siguiendo las reglas de participación de las pruebas de penetración.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": 
"https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", "severity": "Medio", - "text": "Realizar una prueba de penetración", - "waf": "Seguridad" + "text": "Use el Monitor de conexión para la supervisión de la conectividad en toda la red, especialmente entre el entorno local y Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operaciones" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Implemente código de confianza que se haya validado y analizado en busca de vulnerabilidades de acuerdo con las prácticas de DevSecOps.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", "severity": "Medio", - "text": "Implementación de código validado", - "waf": "Seguridad" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": 
"Utilice las versiones más recientes de plataformas, lenguajes de programación, protocolos y marcos compatibles.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", - "severity": "Alto", - "text": "Utilizar plataformas, lenguajes, protocolos y marcos actualizados", - "waf": "Seguridad" + "text": "Use circuitos ExpressRoute de diferentes ubicaciones de emparejamiento para obtener redundancia.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "severity": "Medio", - "text": "Aproveche el cuaderno de estrategias de resistencia de FTA para Azure Data Factory", + "text": "Use VPN de sitio a sitio como conmutación por error de ExpressRoute, si solo usa un único circuito ExpressRoute.", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project 
id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "severity": "Alto", - "text": "Uso de canalizaciones con redundancia de zona en regiones que admiten zonas de disponibilidad", + "text": "Si utiliza una tabla de rutas en GatewaySubnet, asegúrese de que se propaguen las rutas de puerta de enlace.", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", - "severity": "Medio", - "text": "Uso de DevOps para realizar copias de seguridad de las plantillas de ARM con la integración de Github/Azure DevOps ", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Si usa ExpressRoute, el enrutamiento local debe ser dinámico: en caso de que se produzca un error de conexión, debe converger a la conexión restante del circuito. 
La carga debe compartirse entre ambas conexiones, idealmente como activa/activa, aunque también se admite activa/pasiva.", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", "severity": "Medio", - "text": "Asegúrese de replicar las máquinas virtuales de Integration Runtime autohospedadas en otra región ", + "text": "Asegúrese de que los dos vínculos físicos del circuito ExpressRoute están conectados a dos dispositivos perimetrales distintos de la red.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", "severity": "Medio", - "text": "Asegúrese de replicar o duplicar la red en la región hermana. 
Tiene que hacer una copia de la red virtual en otra región", + "text": "Asegúrese de que la detección de reenvío bidireccional (BFD) esté habilitada y configurada en los dispositivos de enrutamiento perimetral del cliente o proveedor.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "Si las canalizaciones de ADF usan Key Vault, no tiene que hacer nada para replicar Key Vault. Key Vault es un servicio administrado y Microsoft se encarga de ello por ti", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", - "severity": "Bajo", - "text": "Si utiliza la integración de Keyvault, utilice el Acuerdo de Nivel de Servicio de Keyvault para comprender su disponibilidad", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Conecte la puerta de enlace de ExpressRoute a dos o más circuitos de diferentes ubicaciones de emparejamiento para una mayor resistencia.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Fiabilidad" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": 
"https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "severity": "Medio", - "text": "Use un inquilino de Entra para administrar los recursos de Azure, a menos que tenga un requisito normativo o empresarial claro para varios inquilinos.", + "text": "Configure registros de diagnóstico y alertas para la puerta de enlace de red virtual de ExpressRoute.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Operaciones" }, { + "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", + "severity": "Medio", + "text": "No use circuitos ExpressRoute para la comunicación de red virtual a red virtual.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Rendimiento" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", "severity": "Bajo", - "text": "Use el enfoque de automatización multiinquilino para administrar los inquilinos de Microsoft Entra ID.", - "waf": "Operaciones" + "text": "No envíe el tráfico de Azure a ubicaciones híbridas para su inspección. 
En su lugar, siga el principio \"el tráfico de Azure permanece en Azure\" para que la comunicación entre los recursos de Azure se produzca a través de la red troncal de Microsoft.", + "waf": "Rendimiento" }, { + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Firewall", "severity": "Alto", - "text": "Use Azure Lighthouse para la administración de varios inquilinos con los mismos identificadores.", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", - "waf": "Operaciones" + "text": "Use Azure Firewall para controlar el tráfico de salida de Azure a Internet, las conexiones de entrada que no son HTTP/S y el filtrado del tráfico Este/Oeste (si la organización lo requiere).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Seguridad" }, { + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", - "severity": "Alto", - "text": "Si concede a un asociado acceso para administrar el inquilino, use Azure Lighthouse.", - "waf": "Costar" + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "service": "Firewall", + "severity": "Medio", + "text": "Cree una directiva global de Azure Firewall para controlar la posición de seguridad en todo el entorno de red 
global y asígnela a todas las instancias de Azure Firewall. Permita que las directivas granulares cumplan los requisitos de regiones específicas delegando directivas de firewall incrementales a los equipos de seguridad locales a través del control de acceso basado en roles de Azure.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Seguridad" }, { + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", - "severity": "Alto", - "text": "Aplique un modelo RBAC que se alinee con su modelo operativo en la nube. Ámbito y asignación entre grupos de administración y suscripciones.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "Bajo", + "text": "Configure los proveedores de seguridad SaaS de socios compatibles dentro de Firewall Manager si la organización desea utilizar dichas soluciones para ayudar a proteger las conexiones salientes.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": 
"14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", "severity": "Alto", - "text": "Utilice únicamente el tipo de autenticación Cuenta profesional o educativa para todos los tipos de cuenta. Evite usar la cuenta de Microsoft", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "Utilice las reglas de la aplicación para filtrar el tráfico saliente en el nombre de host de destino para los protocolos compatibles. Use reglas de red basadas en FQDN y Azure Firewall con proxy DNS para filtrar el tráfico de salida a Internet a través de otros protocolos.", "waf": "Seguridad" }, { + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", - "severity": "Medio", - "text": "Utilice solo grupos para asignar permisos. 
Agregue grupos locales al grupo Solo ID de Entra si ya existe un sistema de administración de grupos.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "Alto", + "text": "Use Azure Firewall Premium para habilitar características de seguridad adicionales.", "waf": "Seguridad" }, { + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", + "service": "Firewall", "severity": "Alto", - "text": "Aplique directivas de acceso condicional de identificador de Microsoft Entra para cualquier usuario con derechos sobre entornos de Azure.", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "text": "Configure el modo de Inteligencia sobre amenazas de Azure Firewall en Alerta y Denegar para obtener protección adicional.", "waf": "Seguridad" }, { + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", + "graph": "resources | where type=='microsoft.network/firewallpolicies' 
| extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", "severity": "Alto", - "text": "Aplique la autenticación multifactor para cualquier usuario con derechos en los entornos de Azure.", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "text": "Configure el modo IDPS de Azure Firewall en Denegar para obtener protección adicional.", "waf": "Seguridad" }, { + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", - "severity": "Medio", - "text": "Aplique la administración de identidades privilegiadas (PIM) de Microsoft Entra ID para establecer un acceso permanente cero y privilegios mínimos.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | 
summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", + "severity": "Alto", + "text": "En el caso de las subredes de las redes virtuales que no están conectadas a Virtual WAN, adjunte una tabla de rutas para que el tráfico de Internet se redirija a Azure Firewall o a una aplicación virtual de red.", "waf": "Seguridad" }, { + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview", - "service": "Entra", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", "severity": "Medio", - "text": "Si planea cambiar de Servicios de dominio de Active Directory a Servicios de dominio Entra, evalúe la compatibilidad de todas las cargas de trabajo.", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Seguridad" + "text": "Agregue la configuración de diagnóstico para guardar registros, mediante la tabla de destino Recurso específico, para todas las implementaciones de Azure Firewall.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operaciones" }, { + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": 
"https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", - "severity": "Medio", - "text": "Integre los registros de identificador de Microsoft Entra con Azure Monitor central de la plataforma. Azure Monitor permite una única fuente de información sobre los datos de registro y supervisión en Azure, lo que proporciona a las organizaciones opciones nativas en la nube para cumplir con los requisitos relacionados con la recopilación y retención de registros.", - "waf": "Seguridad" + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", + "severity": "Importante", + "text": "Migre de las reglas de Azure Firewall clásico (si existen) a la directiva de firewall.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operaciones" }, { - "ammp": true, + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", "severity": "Alto", - "text": "Implemente un acceso de emergencia o cuentas de emergencia para evitar el bloqueo de cuentas en todo el inquilino.", - "training": 
"https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "Use un prefijo /26 para las subredes de Azure Firewall.", "waf": "Seguridad" }, { + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", "severity": "Medio", - "text": "No use cuentas sincronizadas locales para las asignaciones de roles de identificador de Microsoft Entra, a menos que tenga un escenario que lo requiera específicamente.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "Seguridad" + "text": "Organice las reglas dentro de la política de firewall en grupos de colecciones de reglas y colecciones de reglas, en función de su frecuencia de uso.", + "waf": "Rendimiento" }, { + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", "severity": "Medio", - "text": "Al usar el proxy de aplicación de Microsoft Entra ID para proporcionar a los usuarios remotos acceso a las aplicaciones, adminístrelo como un recurso de plataforma, ya que solo puede tener una instancia por inquilino.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Seguridad" + "text": "Utilice grupos de direcciones IP o prefijos de direcciones IP para reducir el número de reglas de tabla de 
direcciones IP.", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", "severity": "Medio", - "text": "Utilice una topología de red en estrella tipo hub-and-spoke para escenarios de red que requieran la máxima flexibilidad.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Seguridad" + "text": "No utilice caracteres comodín como IP de origen para DNATS, como * o cualquiera, debe especificar IP de origen para los DNAT entrantes.", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", - "service": "VNet", - "severity": "Alto", - "text": "Implemente servicios de red compartidos, incluidas puertas de enlace de ExpressRoute, puertas de enlace de VPN y Azure Firewall o aplicaciones virtuales de red de asociados en la red virtual del centro central. 
Si es necesario, implemente también servicios DNS.", - "waf": "Costar" + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", + "service": "Firewall", + "severity": "Medio", + "text": "Evite el agotamiento del puerto SNAT supervisando el uso del puerto SNAT, evaluando la configuración de la puerta de enlace NAT y garantizando una conmutación por error sin problemas. Si el número de puertos se acerca al límite, es una señal de que el agotamiento de SNAT podría ser inminente.", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", "severity": "Alto", - "text": "Utilice un plan de protección de IP o red DDoS para todas las direcciones IP públicas en las zonas de aterrizaje de aplicaciones.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", - "severity": "Medio", - "text": "Al implementar tecnologías de redes de asociados o NVA, siga las instrucciones del proveedor del asociado.", - "waf": "Fiabilidad" + "text": "Si usa Azure Firewall Premium, habilite la inspección de TLS.", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": 
"Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", "severity": "Bajo", - "text": "Si necesita tránsito entre ExpressRoute y puertas de enlace de VPN en escenarios tipo hub-and-spoke, use Azure Route Server.", - "waf": "Seguridad" + "text": "Utilice categorías web para permitir o denegar el acceso saliente a temas específicos.", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Network/virtualHubs", + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", - "severity": "Bajo", - "text": "Si utiliza el servidor de rutas, utilice un prefijo /27 para la subred del servidor de rutas.", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "guid": 
"6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", "severity": "Medio", - "text": "En el caso de las arquitecturas de red con varias topologías en estrella tipo hub-and-spoke en las regiones de Azure, use emparejamientos de red virtual global entre las redes virtuales del centro para conectar las regiones entre sí.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "text": "Como parte de la inspección de TLS, planee la recepción de tráfico de Azure App Gateways para su inspección.", "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", "severity": "Medio", - "text": "Use Azure Monitor para redes para supervisar el estado de un extremo a otro de las redes de Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Operaciones" + "text": "Habilite la configuración del proxy DNS de Azure Firewall.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "Medio", - "text": "Si tiene más de 400 redes radiales en una región, implemente un centro adicional para omitir los límites de emparejamiento de red virtual (500) y el número máximo de prefijos que se pueden anunciar a través de ExpressRoute (1000).", - "waf": "Fiabilidad" + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", + "severity": "Alto", + "text": "Integre Azure Firewall con Azure Monitor y habilite el registro de diagnóstico para almacenar y analizar los registros de firewall.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "Medio", - "text": "Limite el número de rutas por tabla de rutas a 400.", - "waf": "Fiabilidad" + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "Bajo", + "text": "Implementación de copias de seguridad para las reglas de firewall", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "microsoft.network/applicationGateways", 
"checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", "severity": "Alto", - "text": "Use la opción \"Permitir tráfico a la red virtual remota\" al configurar emparejamientos de red virtual.", - "waf": "Fiabilidad" + "text": "No interrumpa la comunicación del plano de control para los servicios PaaS de Azure insertados en una red virtual, por ejemplo, con una ruta 0.0.0.0/0 o una regla de NSG que bloquee el tráfico del plano de control.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Seguridad" }, { "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", "service": "ExpressRoute", "severity": "Medio", - "text": "Cuando use ExpressRoute Direct, configure MACsec para cifrar el tráfico en el nivel de capa dos entre los enrutadores de la organización y MSEE. El diagrama muestra este cifrado en el flujo.", + "text": "Acceda a los servicios PaaS de Azure desde el entorno local a través de puntos de conexión privados y el emparejamiento privado de ExpressRoute. 
Este método evita el tránsito a través de la Internet pública.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Network/virtualNetworks", "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", - "service": "ExpressRoute", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "service": "VNet", + "severity": "Alto", + "text": "No habilite los puntos de conexión de servicio de red virtual de forma predeterminada en todas las subredes.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Seguridad" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "azure/private-link/inspect-traffic-with-azure-firewall", + "service": "Firewall", "severity": "Medio", - "text": "En escenarios en los que MACsec no es una opción (por ejemplo, no usar ExpressRoute Direct), use una puerta de enlace de VPN para establecer túneles IPsec a través del emparejamiento privado de ExpressRoute.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "Filtre el tráfico de salida a los servicios PaaS de 
Azure mediante FQDN en lugar de direcciones IP en Azure Firewall o una NVA para evitar la filtración de datos. Si usa Private Link, puede bloquear todos los FQDN, de lo contrario, permitir solo los servicios PaaS necesarios.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "Seguridad" }, { "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", "service": "ExpressRoute", "severity": "Alto", - "text": "Asegúrese de que no se usen espacios de direcciones IP superpuestos entre regiones de Azure y ubicaciones locales.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "Utilice al menos un prefijo /27 para las subredes de puerta de enlace.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Network/networkSecurityGroups", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, 
location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "Medio", - "text": "Utilice las direcciones IP de los rangos de asignación de direcciones para Internet privadas (RFC 1918).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", + "severity": "Alto", + "text": "No confíe en las reglas predeterminadas de entrada de NSG que usan la etiqueta de servicio VirtualNetwork para limitar la conectividad.", "waf": "Seguridad" }, { - "arm-service": 
"Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Network/networkSecurityGroups", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "Alto", - "text": "Asegúrese de que no se desperdicie el espacio de direcciones IP, no cree redes virtuales innecesariamente grandes (por ejemplo, /16).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Rendimiento" + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", + "severity": "Medio", + "text": "Use los grupos de seguridad de red para ayudar a proteger el tráfico a través de las subredes, así como el tráfico este/oeste a través de la plataforma (tráfico entre zonas de aterrizaje).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Network/networkSecurityGroups", "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", - "severity": "Alto", - "text": "No utilice intervalos de 
direcciones IP superpuestos para los sitios de producción y recuperación ante desastres.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Fiabilidad" + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", + "severity": "Medio", + "text": "Use grupos de seguridad de red y grupos de seguridad de aplicaciones para microsegmentar el tráfico dentro de la zona de aterrizaje y evite usar una NVA central para filtrar los flujos de tráfico.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/dnsZones", + "arm-service": "Microsoft.Network/networkSecurityGroups", "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", + "service": "NSG", "severity": "Medio", - "text": "En entornos en los que la resolución de nombres en Azure es todo lo necesario, use Azure Private DNS para la resolución con una zona delegada para la resolución de nombres (como 'azure.contoso.com').", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operaciones" + "text": "Habilite los registros de flujo de red virtual e introdúzcalos en Traffic Analytics para obtener información sobre los flujos de tráfico internos y externos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/dnsZones", + "arm-service": "Microsoft.Network/networkSecurityGroups", "checklist": "Azure Landing Zone Review", - "guid": 
"41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", "severity": "Medio", - "text": "En el caso de los entornos en los que se requiere la resolución de nombres en Azure y en el entorno local y no existe ningún servicio DNS empresarial como Active Directory, use Azure DNS Private Resolver para enrutar las solicitudes DNS a Azure o a servidores DNS locales.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "Seguridad" + "text": "No implemente más de 900 reglas de NSG por NSG, debido al límite de 1000 reglas.", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Network/dnsZones", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "Bajo", - "text": "Las cargas de trabajo especiales que requieren e implementan su propio DNS (como Red Hat OpenShift) deben usar su solución de DNS preferida.", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", + "severity": "Medio", + "text": "Use Virtual WAN si el escenario se describe explícitamente en la lista de diseños de enrutamiento de Virtual WAN.", + "training": 
"https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", "waf": "Operaciones" }, { - "arm-service": "Microsoft.Network/dnsZones", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", - "severity": "Alto", - "text": "Habilite el registro automático de Azure DNS para administrar automáticamente el ciclo de vida de los registros DNS de las máquinas virtuales implementadas en una red virtual.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operaciones" + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", + "service": "VWAN", + "severity": "Medio", + "text": "Use un centro de conectividad de Virtual WAN por región de Azure para conectar varias zonas de aterrizaje juntas en regiones de Azure a través de una instancia global común de Azure Virtual WAN.", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.network/bastionHosts", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", + "service": "VWAN", "severity": "Medio", - "text": "Use Azure Bastion para conectarse de forma segura a la red.", + "text": "Para la protección y el filtrado del tráfico de Internet saliente, implemente Azure 
Firewall en centros seguros.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/bastionHosts", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", + "service": "VWAN", "severity": "Medio", - "text": "Use Azure Bastion en una subred /26 o superior.", - "waf": "Seguridad" + "text": "Asegúrese de que la arquitectura de red WAN virtual se alinee con un escenario de arquitectura identificado.", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", "severity": "Medio", - "text": "Use las directivas de Azure Front Door y WAF para proporcionar protección global en todas las regiones de Azure para las conexiones HTTP/S entrantes a una zona de aterrizaje.", - "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Seguridad" + "text": "Use Azure Monitor Insights para Virtual WAN para supervisar la topología de un extremo a otro de Virtual WAN, el estado y las métricas clave.", + "waf": "Operaciones" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "Bajo", - "text": "Al usar Azure Front Door y Azure Application Gateway para ayudar a proteger las aplicaciones HTTP/S, use directivas de WAF en Azure Front Door. Bloquee Azure Application Gateway para recibir tráfico solo de Azure Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Seguridad" - }, - { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "Alto", - "text": "Cuando se requieran WAF y otros servidores proxy inversos para las conexiones HTTP/S entrantes, impleméntelos dentro de una red virtual de zona de aterrizaje y junto con las aplicaciones que protegen y exponen a Internet.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Seguridad" + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", + "severity": "Medio", + "text": "No deshabilite el tráfico de rama a rama en Virtual WAN, a menos que estos flujos deban bloquearse explícitamente.", + "waf": "Fiabilidad" }, { - 
"arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "Alto", - "text": "Use los planes de protección IP o de red DDoS de Azure para ayudar a proteger los puntos de conexión de direcciones IP públicas dentro de las redes virtuales.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Seguridad" + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", + "severity": "Medio", + "text": "Use AS-Path como preferencia de enrutamiento del concentrador, ya que es más flexible que ExpressRoute o VPN.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", - "severity": "Alto", - "text": "Planifique cómo administrar la configuración y la estrategia del tráfico saliente de su red antes del próximo cambio importante. 
El 30 de septiembre de 2025, se retirará el acceso saliente predeterminado para las nuevas implementaciones y solo se permitirán configuraciones de acceso explícitas.", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", + "severity": "Medio", + "text": "Configure la propagación basada en etiquetas en Virtual WAN, de lo contrario, la conectividad entre los centros virtuales se verá afectada.", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "microsoft.network/virtualWans", "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", "severity": "Alto", - "text": "Agregue configuraciones de diagnóstico para guardar los registros relacionados con DDoS para todas las direcciones IP públicas protegidas (IP DDoS o Protección de red).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Seguridad" + "text": "Asigne al menos un prefijo /23 a los centros virtuales para asegurarse de que haya suficiente espacio IP disponible.", + "waf": "Fiabilidad" }, { "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", "service": "Policy", "severity": "Alto", - "text": "Asegúrese de que haya una asignación de directiva para 
denegar las direcciones IP públicas vinculadas directamente a las máquinas virtuales. Use exclusiones si se necesitan direcciones IP públicas en máquinas virtuales específicas.", + "text": "Aproveche Azure Policy de forma estratégica, defina controles para su entorno mediante iniciativas de directivas para agrupar directivas relacionadas.", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Medio", - "text": "Use ExpressRoute como conexión principal a Azure. Utilice las VPN como fuente de conectividad de respaldo.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "text": "Asigne los requisitos normativos y de cumplimiento a las definiciones de Azure Policy y las asignaciones de roles de Azure.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "description": "Puede usar la anteposición de AS y los pesos de conexión para influir en el tráfico de Azure al entorno local, y la gama completa de atributos BGP en sus propios enrutadores para influir en el tráfico del entorno local a Azure.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + 
"service": "Policy", "severity": "Medio", - "text": "Cuando use varios circuitos ExpressRoute o varias ubicaciones locales, use atributos BGP para optimizar el enrutamiento.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" + "text": "Establezca definiciones de Azure Policy en el grupo de administración raíz intermedio para que se puedan asignar en ámbitos heredados.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Seleccione la SKU correcta para las puertas de enlace de ExpressRoute/VPN en función de los requisitos de ancho de banda y rendimiento.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Alto", + "text": "Administre las asignaciones de políticas en el nivel más alto apropiado con exclusiones en los niveles inferiores, si es necesario.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure 
Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Asegúrese de que usa circuitos ExpressRoute de datos ilimitados solo si alcanza el ancho de banda que justifica su costo.", - "waf": "Costar" + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", + "severity": "Bajo", + "text": "Use Azure Policy para controlar qué servicios pueden aprovisionar los usuarios en el nivel de suscripción o grupo de administración.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Alto", - "text": "Aproveche la SKU local de ExpressRoute para reducir el costo de los circuitos, 
si la ubicación de emparejamiento de circuitos admite las regiones de Azure para la SKU local.", - "waf": "Costar" + "text": "Utilice políticas integradas siempre que sea posible para minimizar la sobrecarga operativa.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", + "description": "La asignación del rol Colaborador de directivas de recursos a ámbitos específicos le permite delegar la administración de directivas a los equipos pertinentes. 
Por ejemplo, un equipo de TI central puede supervisar las políticas a nivel de grupo de administración, mientras que los equipos de aplicaciones se encargan de las políticas de sus suscripciones, lo que permite la gobernanza distribuida con el cumplimiento de los estándares de la organización.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "severity": "Medio", - "text": "Implemente una puerta de enlace de ExpressRoute con redundancia de zona en las regiones de Azure admitidas.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" + "text": "Asigne el rol integrado Colaborador de directiva de recursos en un ámbito determinado para habilitar la gobernanza de nivel de aplicación.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "Medio", - "text": "En escenarios que requieren un ancho de banda superior a 10 Gbps o puertos dedicados de 10/100 Gbps, use ExpressRoute Direct.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "text": "Limite el número de asignaciones de Azure Policy realizadas en el ámbito del grupo de administración raíz para evitar la administración a través de exclusiones en ámbitos heredados.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + 
"arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", "severity": "Medio", - "text": "Cuando se requiera una latencia baja o el rendimiento del entorno local a Azure debe ser superior a 10 Gbps, habilite FastPath para omitir la puerta de enlace de ExpressRoute de la ruta de acceso de datos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "text": "Si existen requisitos de soberanía de datos, se deben implementar Azure Policies para aplicarlos.", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", "severity": "Medio", - "text": "Use puertas de enlace de VPN con redundancia de zona para conectar sucursales o ubicaciones remotas a Azure (donde estén disponibles).", - "training": 
"https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Fiabilidad" + "text": "Para la zona de aterrizaje soberana, implemente la línea base de la política de soberanía y asígnela en el nivel de grupo de administración correcto.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "severity": "Medio", - "text": "Utilice dispositivos VPN redundantes en las instalaciones (activo/activo o activo/pasivo).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Fiabilidad" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Si usa ExpressRoute Direct, considere la posibilidad de usar circuitos locales de ExpressRoute a las regiones locales de Azure para ahorrar costos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Costar" + "text": "En el caso de la Zona de Aterrizaje Soberana, documente los objetivos del Control Soberano para el mapeo de políticas.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Authorization/policyDefinitions", "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": 
"https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", + "service": "Policy", "severity": "Medio", - "text": "Cuando se requiera aislamiento de tráfico o ancho de banda dedicado, por ejemplo, para separar entornos de producción y no de producción, use diferentes circuitos ExpressRoute. Le ayudará a garantizar dominios de enrutamiento aislados y a aliviar los riesgos de vecinos ruidosos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "En el caso de la Zona de Aterrizaje Soberana, garantizar que exista un proceso para la gestión de los \"objetivos de control soberano para el mapeo de políticas\".", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "Medio", - "text": "Supervise la disponibilidad y el uso de ExpressRoute mediante Express Route Insights integrado.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "Use un único área de trabajo de registros de monitor para administrar las plataformas de forma centralizada, excepto cuando el control de acceso basado en rol de Azure (Azure RBAC), los requisitos de soberanía de datos o las directivas de retención de datos exijan áreas de trabajo independientes.", + "training": 
"https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "waf": "Operaciones" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Use el Monitor de conexión para la supervisión de la conectividad en toda la red, especialmente entre el entorno local y Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operaciones" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Use circuitos ExpressRoute de diferentes ubicaciones de emparejamiento para obtener redundancia.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": 
"https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", + "severity": "Alto", + "text": "Exporte registros a Azure Storage si los requisitos de retención de registros superan los doce años. Use el almacenamiento inmutable con una política de escritura única y lectura múltiple para que los datos no se puedan borrar ni modificar durante un intervalo especificado por el usuario.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operaciones" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", "severity": "Medio", - "text": "Use VPN de sitio a sitio como conmutación por error de ExpressRoute, si solo usa un único circuito ExpressRoute.", - "waf": "Fiabilidad" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or 
isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Si utiliza una tabla de rutas en GatewaySubnet, asegúrese de que se propaguen las rutas de puerta de enlace.", - "waf": "Fiabilidad" + "text": "Supervise el desfase de la configuración de la máquina virtual (VM) a nivel de sistema operativo mediante Azure Policy. La habilitación de las funcionalidades de auditoría de Azure Automanage Machine Configuration a través de la directiva ayuda a las cargas de trabajo del equipo de aplicaciones a consumir inmediatamente las funcionalidades de características con poco esfuerzo.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operaciones" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Si usa ExpressRoute, el enrutamiento local debe ser dinámico: en caso de que se produzca un error de conexión, debe converger a la conexión restante del circuito. 
La carga debe compartirse entre ambas conexiones, idealmente como activa/activa, aunque también se admite activa/pasiva.", - "waf": "Fiabilidad" + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", + "service": "VM", + "severity": "Medio", + "text": "Use Azure Update Manager como mecanismo de aplicación de revisiones para máquinas virtuales Windows y Linux en Azure.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operaciones" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "Medio", - "text": "Asegúrese de que los dos vínculos físicos del circuito ExpressRoute están conectados a dos dispositivos perimetrales distintos de la red.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" + "text": "Use Azure Update Manager como mecanismo de aplicación de revisiones para máquinas virtuales Windows y Linux fuera de Azure mediante Azure Arc.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operaciones" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "microsoft.network/networkWatchers", "checklist": "Azure Landing Zone Review", - "guid": 
"fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", "severity": "Medio", - "text": "Asegúrese de que la detección de reenvío bidireccional (BFD) esté habilitada y configurada en los dispositivos de enrutamiento perimetral del cliente o proveedor.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" + "text": "Utilice Network Watcher para supervisar de forma proactiva los flujos de tráfico.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Operaciones" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Conecte la puerta de enlace de ExpressRoute a dos o más circuitos de diferentes ubicaciones de emparejamiento para una mayor resistencia.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidad" + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", + "severity": "Medio", + "text": "Use los registros de Azure Monitor para obtener información e informes.", + "waf": "Operaciones" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - 
"guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", "severity": "Medio", - "text": "Configure registros de diagnóstico y alertas para la puerta de enlace de red virtual de ExpressRoute.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "Use alertas de Azure Monitor para la generación de alertas operativas.", "waf": "Operaciones" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", "severity": "Medio", - "text": "No use circuitos ExpressRoute para la comunicación de red virtual a red virtual.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Rendimiento" + "text": "Al usar el seguimiento de cambios e inventario a través de cuentas de Azure Automation, asegúrese de que ha seleccionado las regiones admitidas para vincular el área de trabajo de Log Analytics y las cuentas de automatización.", + "waf": "Operaciones" }, { + "arm-service": "Microsoft.RecoveryServices/vaults", "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "N/A", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": 
"https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", "severity": "Bajo", - "text": "No envíe el tráfico de Azure a ubicaciones híbridas para su inspección. En su lugar, siga el principio \"el tráfico de Azure permanece en Azure\" para que la comunicación entre los recursos de Azure se produzca a través de la red troncal de Microsoft.", - "waf": "Rendimiento" + "text": "Al usar Azure Backup, use los tipos de copia de seguridad correctos (GRS, ZRS Y LRS) para la copia de seguridad, ya que la configuración predeterminada es GRS.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/firewall/overview", - "service": "Firewall", - "severity": "Alto", - "text": "Use Azure Firewall para controlar el tráfico de salida de Azure a Internet, las conexiones de entrada que no son HTTP/S y el filtrado del tráfico Este/Oeste (si la organización lo requiere).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", + "severity": "Medio", + "text": "Use directivas de invitado de Azure para implementar automáticamente configuraciones de software a través de extensiones de máquina virtual y aplicar una configuración de máquina virtual de línea base compatible.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", - "service": "Firewall", + "description": "Use las características de 
configuración de invitado de Azure Policy para auditar y corregir la configuración de la máquina (por ejemplo, el sistema operativo, la aplicación, el entorno) para asegurarse de que los recursos se alinean con las configuraciones esperadas, y Update Management puede aplicar la administración de revisiones para las máquinas virtuales.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", "severity": "Medio", - "text": "Cree una directiva global de Azure Firewall para controlar la posición de seguridad en todo el entorno de red global y asígnela a todas las instancias de Azure Firewall. Permita que las directivas granulares cumplan los requisitos de regiones específicas delegando directivas de firewall incrementales a los equipos de seguridad locales a través del control de acceso basado en roles de Azure.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Supervise el desfase de la configuración de seguridad de la máquina virtual a través de Azure Policy.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", - "severity": "Bajo", - "text": "Configure los proveedores de seguridad SaaS de socios compatibles dentro de Firewall Manager si la organización desea utilizar dichas soluciones para ayudar a proteger las conexiones salientes.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Seguridad" + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": 
"https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", + "severity": "Medio", + "text": "Use Azure Site Recovery para escenarios de recuperación ante desastres de Azure a Azure Virtual Machines. Esto le permite replicar cargas de trabajo en todas las regiones.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.RecoveryServices/vaults", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", - "severity": "Alto", - "text": "Utilice las reglas de la aplicación para filtrar el tráfico saliente en el nombre de host de destino para los protocolos compatibles. Use reglas de red basadas en FQDN y Azure Firewall con proxy DNS para filtrar el tráfico de salida a Internet a través de otros protocolos.", - "waf": "Seguridad" + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", + "severity": "Medio", + "text": "Use funcionalidades de copia de seguridad nativas de Azure o una solución de copia de seguridad de terceros compatible con Azure.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + 
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", "severity": "Alto", - "text": "Use Azure Firewall Premium para habilitar características de seguridad adicionales.", - "waf": "Seguridad" + "text": "Agregue configuración de diagnóstico para guardar los registros de WAF de los servicios de entrega de aplicaciones, como Azure Front Door y Azure Application Gateway. Revise periódicamente los registros para comprobar si hay ataques y detecciones de falsos positivos.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", - "service": "Firewall", - "severity": "Alto", - "text": "Configure el modo de Inteligencia sobre amenazas de Azure Firewall en Alerta y Denegar para obtener protección adicional.", - "waf": "Seguridad" + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", + "severity": "Medio", + "text": "Envíe registros de WAF desde los servicios de entrega de aplicaciones, como Azure Front Door y Azure Application Gateway, a Microsoft Sentinel. 
Detecte ataques e integre la telemetría de WAF en su entorno general de Azure.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "Alto", - "text": "Configure el modo IDPS de Azure Firewall en Denegar para obtener protección adicional.", + "text": "Use Azure Key Vault para almacenar sus secretos y credenciales.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, 
isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", - "severity": "Alto", - "text": "En el caso de las subredes de las redes virtuales que no están conectadas a Virtual WAN, adjunte una tabla de rutas para que el tráfico de Internet se redirija a Azure Firewall o a una aplicación virtual de red.", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", + "severity": "Medio", + "text": "Use diferentes Azure Key Vaults para diferentes aplicaciones y regiones para evitar límites de escala de transacciones y restringir el acceso a los secretos.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": 
"https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Agregue la configuración de diagnóstico para guardar registros, mediante la tabla de destino Recurso específico, para todas las implementaciones de Azure Firewall.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operaciones" + "text": "Aprovisione Azure Key Vault con las directivas de eliminación temporal y purga habilitadas para permitir la protección de retención para los objetos eliminados.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "severity": "Importante", - "text": "Migre de las reglas de Azure Firewall clásico (si existen) a la directiva de firewall.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operaciones" + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medio", + "text": "Siga un modelo de privilegios mínimos limitando la autorización para eliminar claves, secretos y certificados de forma permanente a roles de identificador personalizados especializados de Microsoft Entra.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where 
subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", - "severity": "Alto", - "text": "Use un prefijo /26 para las subredes de Azure Firewall.", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medio", + "text": "Automatice el proceso de gestión y renovación de certificados con autoridades de certificación públicas para facilitar la administración.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Organice las reglas dentro de la política de firewall en grupos de colecciones de reglas y colecciones de reglas, en función de su frecuencia de uso.", - "waf": "Rendimiento" + "text": "Establezca un proceso automatizado para la rotación de claves y certificados.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Utilice 
grupos de direcciones IP o prefijos de direcciones IP para reducir el número de reglas de tabla de direcciones IP.", - "waf": "Rendimiento" + "text": "Habilite el firewall y el punto de conexión de servicio de red virtual o el punto de conexión privado en el almacén para controlar el acceso al almacén de claves.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "severity": "Medio", - "text": "No utilice caracteres comodín como IP de origen para DNATS, como * o cualquiera, debe especificar IP de origen para los DNAT entrantes.", - "waf": "Rendimiento" + "text": "Use el área de trabajo de Log Analytics de Azure Monitor central de la plataforma para auditar el uso de claves, certificados y secretos en cada instancia de Key Vault.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Medio", - "text": "Evite el agotamiento del puerto SNAT supervisando el uso del puerto SNAT, evaluando la configuración de la puerta de enlace NAT y garantizando una conmutación por error sin problemas. 
Si el número de puertos se acerca al límite, es una señal de que el agotamiento de SNAT podría ser inminente.", - "waf": "Rendimiento" + "text": "Delegue la creación de instancias de Key Vault y el acceso con privilegios, y use Azure Policy para aplicar una configuración coherente y conforme.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", - "severity": "Alto", - "text": "Si usa Azure Firewall Premium, habilite la inspección de TLS.", - "waf": "Rendimiento" + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medio", + "text": "Use una instancia de Azure Key Vault por aplicación, por entorno, por región.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "Bajo", - "text": "Utilice categorías web para permitir o denegar el acceso saliente a temas específicos.", - "waf": "Rendimiento" + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Medio", + "text": "Si desea traer sus propias claves, es posible que esto no sea compatible con todos los servicios considerados. Implemente la mitigación pertinente para que las inconsistencias no obstaculicen los resultados deseados. 
Elija los pares de regiones y las regiones de recuperación ante desastres adecuados que minimicen la latencia.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", "severity": "Medio", - "text": "Como parte de la inspección de TLS, planee la recepción de tráfico de Azure App Gateways para su inspección.", - "waf": "Rendimiento" + "text": "En el caso de la zona de aterrizaje soberana, use el HSM administrado de Azure Key Vault para almacenar los secretos y las credenciales.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", "severity": "Medio", - "text": "Habilite la configuración del proxy DNS de Azure Firewall.", + "text": "Use las capacidades de generación de informes de Microsoft Entra ID para generar informes de auditoría de control de acceso.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": 
"https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "severity": "Alto", - "text": "Integre Azure Firewall con Azure Monitor y habilite el registro de diagnóstico para almacenar y analizar los registros de firewall.", - "waf": "Operaciones" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "Bajo", - "text": "Implementación de copias de seguridad para las reglas de firewall", - "waf": "Operaciones" + "text": "Habilite la administración de la posición de seguridad en la nube de Defender para todas las suscripciones.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "severity": "Alto", - "text": "No interrumpa la comunicación del plano de control para los servicios PaaS de Azure insertados en una red virtual, por ejemplo, con una ruta 0.0.0.0/0 o una regla de NSG que bloquee el tráfico del plano de control.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Habilite un plan de protección de cargas de trabajo en la nube de Defender para servidores en todas las suscripciones.", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": 
"https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", - "severity": "Medio", - "text": "Acceda a los servicios PaaS de Azure desde el entorno local a través de puntos de conexión privados y el emparejamiento privado de ExpressRoute. Este método evita el tránsito a través de la Internet pública.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "severity": "Alto", + "text": "Habilite los planes de protección de cargas de trabajo en la nube de Defender para recursos de Azure en todas las suscripciones.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/virtualNetworks", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", "severity": "Alto", - "text": "No habilite los puntos de conexión de servicio de red virtual de forma predeterminada en todas las subredes.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Habilite la protección de puntos de conexión en 
servidores IaaS.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/azureFirewalls", + "arm-service": "Microsoft.Compute/virtualMachines", "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", "severity": "Medio", - "text": "Filtre el tráfico de salida a los servicios PaaS de Azure mediante FQDN en lugar de direcciones IP en Azure Firewall o una NVA para evitar la filtración de datos. Si usa Private Link, puede bloquear todos los FQDN, de lo contrario, permitir solo los servicios PaaS necesarios.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Supervise el desfase de revisiones del sistema operativo base a través de los registros de Azure Monitor y Defender for Cloud.", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/expressRouteCircuits", + "arm-service": "Microsoft.Insights/components", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Utilice al menos un prefijo /27 para las subredes de puerta de enlace.", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": 
"https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", + "severity": "Medio", + "text": "Conecte las configuraciones de recursos predeterminadas a un área de trabajo centralizada de Log Analytics de Azure Monitor.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", - "severity": "Alto", - "text": "No confíe en las reglas predeterminadas de entrada de NSG que usan la etiqueta de servicio VirtualNetwork para limitar la conectividad.", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", + "severity": "Medio", + "text": "Para Sovereign Landing Zone, habilite los registros de transparencia en el inquilino de Entra ID.", "waf": 
"Seguridad" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", "checklist": "Azure Landing Zone Review", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "Medio", - "text": "Use los grupos de seguridad de red para ayudar a proteger el tráfico a través de las subredes, así como el tráfico este/oeste a través de la plataforma (tráfico entre zonas de aterrizaje).", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "Para Sovereign Landing Zone, habilite la caja de seguridad del cliente en el inquilino de Entra ID.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", + "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", - "severity": "Medio", - "text": "Use grupos de seguridad de red y grupos de seguridad de aplicaciones para microsegmentar el tráfico dentro de la zona de aterrizaje y evite usar una NVA central para filtrar los flujos de tráfico.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "severity": "Alto", + "text": "Habilite la transferencia segura a cuentas de almacenamiento.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", + "arm-service": "Microsoft.Storage/storageAccounts", 
"checklist": "Azure Landing Zone Review", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", - "severity": "Medio", - "text": "Habilite los registros de flujo de red virtual e introdúzcalos en Traffic Analytics para obtener información sobre los flujos de tráfico internos y externos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", + "severity": "Alto", + "text": "Habilite la eliminación temporal de contenedor para que la cuenta de almacenamiento recupere un contenedor eliminado y su contenido.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", + "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", - "severity": "Medio", - "text": "No implemente más de 900 reglas de NSG por NSG, debido al límite de 1000 reglas.", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "waf": "Fiabilidad" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", - "severity": "Medio", - "text": "Use Virtual WAN si el escenario se describe explícitamente en la lista 
de diseños de enrutamiento de Virtual WAN.", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", + "severity": "Alto", + "text": "Use secretos de Key Vault para evitar codificar de forma rígida información confidencial, como credenciales (máquinas virtuales, contraseñas de usuario), certificados o claves.", "waf": "Operaciones" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", - "severity": "Medio", - "text": "Use un centro de conectividad de Virtual WAN por región de Azure para conectar varias zonas de aterrizaje juntas en regiones de Azure a través de una instancia global común de Azure Virtual WAN.", - "waf": "Rendimiento" + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", + "severity": "Alto", + "text": "Aproveche las zonas de disponibilidad si corresponden regionalmente (esto se habilita automáticamente)", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", + 
"arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "severity": "Medio", - "text": "Para la protección y el filtrado del tráfico de Internet saliente, implemente Azure Firewall en centros seguros.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Seguridad" + "text": "Tenga en cuenta las conmutaciones por error iniciadas por Microsoft. Microsoft los ejerce en situaciones excepcionales para conmutar por error todos los centros de IoT de una región afectada a la región emparejada geográficamente correspondiente.", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", - "severity": "Medio", - "text": "Asegúrese de que la arquitectura de red WAN virtual se alinee con un escenario de arquitectura identificado.", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", + "severity": "Alto", + "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", - "severity": "Medio", - "text": "Use Azure Monitor Insights para Virtual WAN para supervisar la topología de un extremo a otro de Virtual WAN, 
el estado y las métricas clave.", - "waf": "Operaciones" + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "severity": "Alto", + "text": "Obtenga información sobre cómo desencadenar una conmutación por error manual.", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", - "severity": "Medio", - "text": "No deshabilite el tráfico de rama a rama en Virtual WAN, a menos que estos flujos deban bloquearse explícitamente.", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", + "severity": "Alto", + "text": "Obtenga información sobre cómo conmutar por recuperación después de una conmutación por error.", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "severity": "Medio", - "text": "Use AS-Path como preferencia de enrutamiento del concentrador, ya que es más flexible que ExpressRoute o VPN.", + "text": "Siga las recomendaciones de soporte técnico de confiabilidad 
en Azure Bot Service", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "severity": "Medio", - "text": "Configure la propagación basada en etiquetas en Virtual WAN, de lo contrario, la conectividad entre los centros virtuales se verá afectada.", + "text": "Implementación de bots con residencia de datos local y cumplimiento regional", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", - "severity": "Alto", - "text": "Asigne al menos un prefijo /23 a los centros virtuales para asegurarse de que haya suficiente espacio IP disponible.", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", + "severity": "Medio", + "text": "Azure Bot Service se ejecuta en modo activo-activo para los servicios globales y regionales. Cuando se produce una interrupción, no es necesario detectar errores ni administrar el servicio. Azure Bot Service realiza automáticamente la conmutación por error y la recuperación automáticas en una arquitectura geográfica de varias regiones. 
En el caso del servicio regional de bots de la UE, Azure Bot Service proporciona dos regiones completas dentro de Europa con replicación activa/activa para garantizar la redundancia. En el caso del servicio de bot global, todas las regiones o zonas geográficas disponibles se pueden servir como superficie global.", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "Alto", - "text": "Aproveche Azure Policy de forma estratégica, defina controles para su entorno mediante iniciativas de directivas para agrupar directivas relacionadas.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Aplicación de las instrucciones de la prueba comparativa de seguridad en la nube de Microsoft relacionadas con el almacenamiento", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", + "severity": "Medio", + "text": "Tenga en cuenta la \"línea base de seguridad de Azure para el almacenamiento\"", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "Medio", - "text": "Asigne los requisitos normativos y de cumplimiento a las definiciones de Azure Policy y las asignaciones de roles de Azure.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "De forma predeterminada, Azure Storage tiene una dirección IP pública y es accesible desde Internet. 
Los puntos de conexión privados permiten exponer de forma segura Azure Storage solo a los recursos de proceso de Azure que necesitan acceso, lo que elimina la exposición a la Internet pública", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de usar puntos de conexión privados para Azure Storage", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Las cuentas de almacenamiento recién creadas se crean mediante el modelo de implementación de ARM, de modo que RBAC, auditoría, etc. están habilitados. 
Asegúrese de que no hay cuentas de almacenamiento antiguas con el modelo de implementación clásica en una suscripción", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "severity": "Medio", - "text": "Establezca definiciones de Azure Policy en el grupo de administración raíz intermedio para que se puedan asignar en ámbitos heredados.", + "text": "Asegúrese de que las cuentas de almacenamiento más antiguas no usan el \"modelo de implementación clásica\"", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Aproveche Microsoft Defender para obtener información sobre la actividad sospechosa y los errores de configuración.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", "severity": "Alto", - "text": "Administre las asignaciones de políticas en el nivel más alto apropiado con exclusiones en los niveles inferiores, si es necesario.", + "text": "Habilitación de Microsoft Defender para todas las cuentas de almacenamiento", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", - "severity": "Bajo", - "text": "Use Azure Policy para controlar qué servicios pueden aprovisionar los 
usuarios en el nivel de suscripción o grupo de administración.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "El mecanismo de eliminación temporal permite recuperar blobs eliminados accidentalmente.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", + "severity": "Medio", + "text": "Habilitación de la \"eliminación temporal\" para blobs", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "Alto", - "text": "Utilice políticas integradas siempre que sea posible para minimizar la sobrecarga operativa.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Considere la posibilidad de deshabilitar de forma selectiva la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimina inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. ", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", + "severity": "Medio", + "text": "Deshabilitación de la \"eliminación temporal\" de blobs", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "description": "La asignación del rol Colaborador de directivas de recursos a ámbitos específicos le permite delegar la administración de directivas a los equipos pertinentes. 
Por ejemplo, un equipo de TI central puede supervisar las políticas a nivel de grupo de administración, mientras que los equipos de aplicaciones se encargan de las políticas de sus suscripciones, lo que permite la gobernanza distribuida con el cumplimiento de los estándares de la organización.", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", - "severity": "Medio", - "text": "Asigne el rol integrado Colaborador de directiva de recursos en un ámbito determinado para habilitar la gobernanza de nivel de aplicación.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "La eliminación temporal de contenedores permite recuperar un contenedor después de que se haya eliminado, por ejemplo, recuperarse de una operación de eliminación accidental.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", + "severity": "Alto", + "text": "Habilitación de la \"eliminación temporal\" para los contenedores", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Considere la posibilidad de deshabilitar de forma selectiva la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimina inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. 
", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "severity": "Medio", - "text": "Limite el número de asignaciones de Azure Policy realizadas en el ámbito del grupo de administración raíz para evitar la administración a través de exclusiones en ámbitos heredados.", + "text": "Deshabilitación de la \"eliminación temporal\" para contenedores", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", - "severity": "Medio", - "text": "Si existen requisitos de soberanía de datos, se deben implementar Azure Policies para aplicarlos.", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Evita la eliminación accidental de una cuenta de almacenamiento, obligando al usuario a quitar primero el bloqueo de eliminación, antes de la eliminación", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", + "severity": "Alto", + "text": "Habilitación de bloqueos de recursos en cuentas de almacenamiento", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", - "severity": "Medio", - "text": "Para la zona de aterrizaje soberana, implemente la línea base de la política de soberanía y 
asígnela en el nivel de grupo de administración correcto.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Considere la posibilidad de aplicar directivas de \"retención legal\" o \"retención basada en el tiempo\" para los blobs, de modo que sea imposible eliminar el blob, el contenedor o la cuenta de almacenamiento. Tenga en cuenta que 'imposible' en realidad significa 'imposible'; una vez que una cuenta de almacenamiento contiene un blob inmutable, la única manera de \"deshacerse\" de esa cuenta de almacenamiento es cancelando la suscripción de Azure.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de blobs inmutables", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", - "severity": "Medio", - "text": "En el caso de la Zona de Aterrizaje Soberana, documente los objetivos del Control Soberano para el mapeo de políticas.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Considere la posibilidad de deshabilitar el acceso HTTP/80 sin protección a la cuenta de almacenamiento, de modo que todas las transferencias de datos estén cifradas, protegidas por integridad y el servidor esté autenticado. 
", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "Alto", + "text": "Requerir HTTPS, es decir, deshabilitar el puerto 80 en la cuenta de almacenamiento", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", - "service": "Policy", - "severity": "Medio", - "text": "En el caso de la Zona de Aterrizaje Soberana, garantizar que exista un proceso para la gestión de los \"objetivos de control soberano para el mapeo de políticas\".", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Al configurar un dominio personalizado (nombre de host) en una cuenta de almacenamiento, compruebe si necesita TLS/HTTPS; si es así, es posible que tenga que colocar Azure CDN delante de la cuenta de almacenamiento.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "Alto", + "text": "Al aplicar HTTPS (deshabilitar HTTP), compruebe que no usa dominios personalizados (CNAME) para la cuenta de almacenamiento.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Requerir HTTPS cuando un cliente usa un token de SAS para acceder a los datos de blobs ayuda a minimizar el riesgo 
de pérdida de credenciales.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "Medio", - "text": "Use un único área de trabajo de registros de monitor para administrar las plataformas de forma centralizada, excepto cuando el control de acceso basado en rol de Azure (Azure RBAC), los requisitos de soberanía de datos o las directivas de retención de datos exijan áreas de trabajo independientes.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "Operaciones" + "text": "Limitar los tokens de firma de acceso compartido (SAS) solo a las conexiones HTTPS", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Los tokens de AAD deben favorecerse sobre las firmas de acceso compartido, siempre que sea posible", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "severity": "Alto", - "text": "Exporte registros a Azure Storage si los requisitos de retención de registros superan los doce años. 
Use el almacenamiento inmutable con una política de escritura única y lectura múltiple para que los datos no se puedan borrar ni modificar durante un intervalo especificado por el usuario.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "Operaciones" + "text": "Uso de tokens de Azure Active Directory (Azure AD) para el acceso a blobs", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Al asignar un rol a un usuario, grupo o aplicación, conceda a esa entidad de seguridad solo los permisos necesarios para que pueda realizar sus tareas. Limitar el acceso a los recursos ayuda a evitar el uso indebido no intencionado y malintencionado de los datos.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "Medio", - "text": "Supervise el desfase de la configuración de la máquina virtual (VM) a nivel de sistema operativo mediante Azure Policy. 
La habilitación de las funcionalidades de auditoría de Azure Automanage Machine Configuration a través de la directiva ayuda a las cargas de trabajo del equipo de aplicaciones a consumir inmediatamente las funcionalidades de características con poco esfuerzo.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Operaciones" + "text": "Privilegios mínimos en los permisos de IaM", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", - "service": "VM", - "severity": "Medio", - "text": "Use Azure Update Manager como mecanismo de aplicación de revisiones para máquinas virtuales Windows y Linux en Azure.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operaciones" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Una SAS de delegación de usuarios está protegida con credenciales de Azure Active Directory (Azure AD) y también con los permisos especificados para la SAS. Una SAS de delegación de usuarios es análoga a una SAS de servicio en cuanto a su ámbito y función, pero ofrece ventajas de seguridad sobre la SAS de servicio. 
", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "severity": "Alto", + "text": "Al usar SAS, prefiera \"SAS de delegación de usuarios\" en lugar de SAS basada en claves de cuenta de almacenamiento.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", - "severity": "Medio", - "text": "Use Azure Update Manager como mecanismo de aplicación de revisiones para máquinas virtuales Windows y Linux fuera de Azure mediante Azure Arc.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "Operaciones" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Las claves de la cuenta de almacenamiento (\"claves compartidas\") tienen muy pocas funcionalidades de auditoría. Si bien se puede monitorear quién o cuándo obtuvo una copia de las claves, una vez que las claves están en manos de varias personas, es imposible atribuir el uso a un usuario específico. Confiar únicamente en la autenticación de AAD facilita la vinculación del acceso al almacenamiento a un usuario. 
", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de deshabilitar las claves de la cuenta de almacenamiento, de modo que solo se admita el acceso a AAD (y la SAS de delegación de usuarios).", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/networkWatchers", - "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Use los datos del registro de actividad para identificar \"cuándo\", \"quién\", \"qué\" y \"cómo\" se está viendo o cambiando la seguridad de la cuenta de almacenamiento (es decir, claves de cuenta de almacenamiento, directivas de acceso, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de usar Azure Monitor para auditar las operaciones del plano de control en la cuenta de almacenamiento", + "waf": "Seguridad" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Una directiva de expiración de claves le permite establecer un recordatorio para la rotación de las claves de acceso a la cuenta. 
El recordatorio se muestra si ha transcurrido el intervalo especificado y las teclas aún no se han girado.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "Medio", - "text": "Utilice Network Watcher para supervisar de forma proactiva los flujos de tráfico.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Operaciones" + "text": "Al usar claves de cuenta de almacenamiento, considere la posibilidad de habilitar una \"directiva de expiración de claves\"", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Una directiva de expiración de SAS especifica un intervalo recomendado durante el cual la SAS es válida. Las directivas de expiración de SAS se aplican a una SAS de servicio o a una SAS de cuenta. 
Cuando un usuario genera una SAS de servicio o una SAS de cuenta con un intervalo de validez mayor que el intervalo recomendado, verá una advertencia.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": "Medio", - "text": "Use los registros de Azure Monitor para obtener información e informes.", - "waf": "Operaciones" + "text": "Considere la posibilidad de configurar una directiva de expiración de SAS", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Las directivas de acceso almacenadas ofrecen la opción de revocar los permisos de una SAS de servicio sin tener que volver a generar las claves de la cuenta de almacenamiento. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "severity": "Medio", - "text": "Use alertas de Azure Monitor para la generación de alertas operativas.", - "waf": "Operaciones" + "text": "Considere la posibilidad de vincular SAS a una directiva de acceso almacenada", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", "severity": "Medio", - "text": "Al usar el seguimiento de cambios e inventario a través de cuentas de Azure Automation, asegúrese de que ha seleccionado las regiones admitidas para vincular el área de trabajo de Log Analytics y las cuentas de automatización.", - "waf": "Operaciones" + "text": "Considere la posibilidad de configurar el repositorio de código fuente de la aplicación para detectar cadenas de conexión protegidas y claves de cuenta de almacenamiento.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", - "severity": "Bajo", - "text": "Al usar Azure Backup, use los tipos de copia de seguridad correctos (GRS, ZRS Y LRS) para la copia de seguridad, ya que la configuración predeterminada es GRS.", - "waf": "Fiabilidad" + "arm-service": 
"Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Lo ideal es que la aplicación use una identidad administrada para autenticarse en Azure Storage. Si esto no es posible, considere la posibilidad de tener la credencial de almacenamiento (cadena de conexión, clave de cuenta de almacenamiento, SAS, credencial de entidad de servicio) en Azure KeyVault o un servicio equivalente.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere la posibilidad de almacenar cadenas de conexión en Azure KeyVault (en escenarios en los que las identidades administradas no son posibles)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", - "severity": "Medio", - "text": "Use directivas de invitado de Azure para implementar automáticamente configuraciones de software a través de extensiones de máquina virtual y aplicar una configuración de máquina virtual de línea base compatible.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Use los tiempos de expiración a corto plazo en una SAS de servicio SAS ad hoc o en una SAS de cuenta. De esta manera, incluso si una SAS se ve comprometida, es válida solo por un corto tiempo. Esta práctica es especialmente importante si no puede hacer referencia a una directiva de acceso almacenada. 
Los tiempos de expiración a corto plazo también limitan la cantidad de datos que se pueden escribir en un blob al limitar el tiempo disponible para cargarlo.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "Alto", + "text": "Esfuércese por obtener períodos de validez cortos para SAS ad-hoc", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "description": "Use las características de configuración de invitado de Azure Policy para auditar y corregir la configuración de la máquina (por ejemplo, el sistema operativo, la aplicación, el entorno) para asegurarse de que los recursos se alinean con las configuraciones esperadas, y Update Management puede aplicar la administración de revisiones para las máquinas virtuales.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Al crear una SAS, sea lo más específico y restrictivo posible. 
Prefiera una SAS para un solo recurso y operación en lugar de una SAS que proporciona un acceso mucho más amplio.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "Medio", - "text": "Supervise el desfase de la configuración de seguridad de la máquina virtual a través de Azure Policy.", + "text": "Aplicación de un ámbito limitado a una SAS", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", - "severity": "Medio", - "text": "Use Azure Site Recovery para escenarios de recuperación ante desastres de Azure a Azure Virtual Machines. Esto le permite replicar cargas de trabajo en todas las regiones.", - "waf": "Operaciones" - }, - { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", - "severity": "Medio", - "text": "Use funcionalidades de copia de seguridad nativas de Azure o una solución de copia de seguridad de terceros compatible con Azure.", - "waf": "Operaciones" - }, - { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", - "severity": "Alto", - "text": "Agregue configuración de diagnóstico para guardar los registros de WAF de los servicios de entrega de aplicaciones, como Azure Front Door y Azure Application Gateway. 
Revise periódicamente los registros para comprobar si hay ataques y detecciones de falsos positivos.", - "waf": "Operaciones" - }, - { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Una SAS puede incluir parámetros en los que las direcciones IP de cliente o los intervalos de direcciones están autorizados a solicitar un recurso mediante la SAS. ", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "Medio", - "text": "Envíe registros de WAF desde los servicios de entrega de aplicaciones, como Azure Front Door y Azure Application Gateway, a Microsoft Sentinel. 
Detecte ataques e integre la telemetría de WAF en su entorno general de Azure.", - "waf": "Operaciones" - }, - { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", - "severity": "Alto", - "text": "Use Azure Key Vault para almacenar sus secretos y credenciales.", + "text": "Considere la posibilidad de definir el ámbito de SAS en una dirección IP de cliente específica, siempre que sea posible", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", - "severity": "Medio", - "text": "Use diferentes Azure Key Vaults para diferentes aplicaciones y regiones para evitar límites de escala de transacciones y restringir el acceso a los secretos.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Una SAS no puede restringir la cantidad de datos que carga un cliente; Dado el modelo de precios de la cantidad de almacenamiento a lo largo del tiempo, podría tener sentido validar si los clientes cargaron contenido de gran tamaño 
malintencionado.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "Bajo", + "text": "Considere la posibilidad de comprobar los datos cargados, después de que los clientes hayan usado una SAS para cargar un archivo. ", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medio", - "text": "Aprovisione Azure Key Vault con las directivas de eliminación temporal y purga habilitadas para permitir la protección de retención para los objetos eliminados.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Al acceder a Blob Storage a través de SFTP mediante una \"cuenta de usuario local\", no se aplican los controles RBAC \"habituales\". El acceso a blobs a través de NFS o REST puede ser más restrictivo que el acceso SFTP. 
Desafortunadamente, a partir de principios de 2023, los usuarios locales son la única forma de administración de identidades que actualmente se admite para el punto de conexión SFTP", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "Alto", + "text": "SFTP: Limite la cantidad de \"usuarios locales\" para el acceso SFTP y audite si el acceso es necesario a lo largo del tiempo.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "Medio", - "text": "Siga un modelo de privilegios mínimos limitando la autorización para eliminar claves, secretos y certificados de forma permanente a roles de identificador personalizados especializados de Microsoft Entra.", + "text": "SFTP: El punto de conexión SFTP no admite ACL similares a POSIX.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medio", - "text": "Automatice el proceso de gestión y renovación de certificados con autoridades de certificación públicas para facilitar la administración.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + 
"description": "El almacenamiento es compatible con CORS (Cross-Origin Resource Sharing), es decir, una función HTTP que permite a las aplicaciones web de un dominio diferente relajar la política del mismo origen. Al habilitar CORS, mantenga CorsRules con el mínimo privilegio.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", + "severity": "Alto", + "text": "Evite las políticas de CORS demasiado amplias", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medio", - "text": "Establezca un proceso automatizado para la rotación de claves y certificados.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Los datos en reposo siempre están cifrados en el lado del servidor y, además, también pueden estar cifrados en el lado del cliente. El cifrado del lado del servidor puede realizarse mediante una clave administrada por la plataforma (predeterminada) o una clave administrada por el cliente. El cifrado del lado cliente puede producirse haciendo que el cliente proporcione una clave de cifrado y descifrado por blob a Azure Storage o controlando completamente el cifrado en el lado cliente. por lo tanto, no depende en absoluto de Azure Storage para obtener garantías de confidencialidad.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", + "severity": "Alto", + "text": "Determine cómo se deben cifrar los datos en reposo. 
Comprender el modelo de subprocesos para los datos.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "severity": "Medio", - "text": "Habilite el firewall y el punto de conexión de servicio de red virtual o el punto de conexión privado en el almacén para controlar el acceso al almacén de claves.", + "text": "Determine qué cifrado de plataforma se debe usar o si se debe usar.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "severity": "Medio", - "text": "Use el área de trabajo de Log Analytics de Azure Monitor central de la plataforma para auditar el uso de claves, certificados y secretos en cada instancia de Key Vault.", + "text": "Determine qué cifrado del lado del cliente se debe usar o si.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medio", - "text": "Delegue la creación de instancias de Key Vault y el acceso con privilegios, y use Azure Policy para aplicar una configuración coherente y conforme.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Aproveche el Explorador de Resource Graph (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para buscar cuentas de almacenamiento que permitan el acceso anónimo a blobs.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere si se necesita acceso público a blobs o si se puede deshabilitar para determinadas cuentas de almacenamiento. 
", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Medio", - "text": "Use una instancia de Azure Key Vault por aplicación, por entorno, por región.", - "waf": "Seguridad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", + "severity": "Bajo", + "text": "Consulte la arquitectura de aplicación web de redundancia de zona de alta disponibilidad de línea de base para conocer los procedimientos recomendados", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "Medio", - "text": "Si desea traer sus propias claves, es posible que esto no sea compatible con todos los servicios considerados. Implemente la mitigación pertinente para que las inconsistencias no obstaculicen los resultados deseados. Elija los pares de regiones y las regiones de recuperación ante desastres adecuados que minimicen la latencia.", - "waf": "Seguridad" + "text": "Utilice los niveles Premium y Estándar. 
Estos niveles admiten ranuras de ensayo y copias de seguridad automatizadas.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", - "severity": "Medio", - "text": "En el caso de la zona de aterrizaje soberana, use el HSM administrado de Azure Key Vault para almacenar los secretos y las credenciales.", - "waf": "Seguridad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", + "severity": "Alto", + "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente (requiere el nivel Premium v2 o v3)", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "Medio", - "text": "Use las capacidades de generación de informes de Microsoft Entra ID para generar informes de auditoría de control de acceso.", - "waf": "Seguridad" + "text": "Implementación de comprobaciones de estado", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service 
Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", "severity": "Alto", - "text": "Habilite la administración de la posición de seguridad en la nube de Defender para todas las suscripciones.", - "waf": "Seguridad" + "text": "Consulte los procedimientos recomendados de copia de seguridad y restauración para Azure App Service", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", "severity": "Alto", - "text": "Habilite un plan de protección de cargas de trabajo en la nube de Defender para servidores en todas las suscripciones.", - "waf": "Seguridad" + "text": "Implementación de los procedimientos recomendados de confiabilidad de Azure App Service", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - "severity": "Alto", - "text": "Habilite los planes de protección de cargas de trabajo en la nube de Defender para recursos de Azure en todas las suscripciones.", - "waf": "Seguridad" - }, + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "Bajo", + "text": 
"Familiarizarse con cómo mover una aplicación de App Service a otra región durante un desastre", + "waf": "Fiabilidad" + }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", "severity": "Alto", - "text": "Habilite la protección de puntos de conexión en servidores IaaS.", - "waf": "Seguridad" + "text": "Familiarizarse con la compatibilidad con la confiabilidad en Azure App Service", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "severity": "Medio", - "text": "Supervise el desfase de revisiones del sistema operativo base a través de los registros de Azure Monitor y Defender for Cloud.", - "waf": "Seguridad" + "text": "Asegúrese de que \"Siempre activado\" está habilitado para las aplicaciones de funciones que se ejecutan en un plan de App Service", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "arm-service": 
"microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "Medio", - "text": "Conecte las configuraciones de recursos predeterminadas a un área de trabajo centralizada de Log Analytics de Azure Monitor.", - "waf": "Seguridad" + "text": "Supervisión de instancias de App Service mediante comprobaciones de estado", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", "severity": "Medio", - "text": "Para Sovereign Landing Zone, habilite los registros de transparencia en el inquilino de Entra ID.", - "waf": "Seguridad" + "text": "Supervisión de la disponibilidad y la capacidad de respuesta de la aplicación web o el sitio web mediante pruebas de disponibilidad de Application Insights", + "waf": "Fiabilidad" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", - "severity": "Medio", - "text": "Para Sovereign Landing Zone, habilite la caja de seguridad del cliente en el inquilino de Entra ID.", - "waf": "Seguridad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", + "severity": "Bajo", + "text": 
"Uso de la prueba estándar de Application Insights para supervisar la disponibilidad y la capacidad de respuesta de la aplicación web o el sitio web", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use Azure Key Vault para almacenar los secretos que necesita la aplicación. Key Vault proporciona un entorno seguro y auditado para almacenar secretos y está bien integrado con App Service a través del SDK de Key Vault o las referencias de Key Vault de App Service.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "Alto", - "text": "Habilite la transferencia segura a cuentas de almacenamiento.", + "text": "Uso de Key Vault para almacenar secretos", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use una identidad administrada para conectarse a Key Vault mediante el SDK de Key Vault o a través de las referencias de Key Vault de App Service.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "Alto", - "text": "Habilite la eliminación temporal de contenedor para que la cuenta de almacenamiento 
recupere un contenedor eliminado y su contenido.", + "text": "Uso de la identidad administrada para conectarse a Key Vault", "waf": "Seguridad" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Almacene el certificado TLS de App Service en Key Vault.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "severity": "Alto", - "text": "Use secretos de Key Vault para evitar codificar de forma rígida información confidencial, como credenciales (máquinas virtuales, contraseñas de usuario), certificados o claves.", - "waf": "Operaciones" + "text": "Use Key Vault para almacenar el certificado TLS.", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Los sistemas que procesan información confidencial deben estar aislados. Para ello, use planes del Servicio de aplicaciones o entornos del Servicio de aplicaciones independientes y considere la posibilidad de usar suscripciones o grupos de administración diferentes.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "Medio", - "text": "Azure Center for SAP Solutions (ACSS) es una oferta de Azure que convierte a SAP en una carga de trabajo de nivel superior en Azure. 
ACSS es una solución integral que permite crear y ejecutar sistemas SAP como una carga de trabajo unificada en Azure y proporciona una base más fluida para la innovación. Puede aprovechar las funcionalidades de administración de los sistemas SAP nuevos y existentes basados en Azure.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", - "waf": "Operaciones" + "text": "Aísle los sistemas que procesan información confidencial", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Los discos locales de App Service no están cifrados y los datos confidenciales no deben almacenarse en ellos. (Por ejemplo: D:\\\\Local y %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", "severity": "Medio", - "text": "Azure admite la automatización de implementaciones de SAP en Linux y Windows. 
SAP Deployment Automation Framework es una herramienta de orquestación de código abierto que puede implementar, instalar y mantener entornos SAP.", - "training": "https://github.com/Azure/sap-automation", - "waf": "Operaciones" + "text": "No almacene datos confidenciales en el disco local", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "En el caso de la aplicación web autenticada, use un proveedor de identidades bien establecido, como Azure AD o Azure AD B2C. Aproveche el marco de aplicaciones de su elección para integrarse con este proveedor o use la característica de autenticación o autorización del Servicio de aplicaciones.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "severity": "Medio", - "text": "Realice una recuperación a un momento dado de sus bases de datos de producción en cualquier momento y en un período de tiempo que cumpla con su RTO; La recuperación a un momento dado suele incluir errores del operador al eliminar datos en la capa DBMS o a través de SAP, por cierto", - "waf": "Fiabilidad" + "text": "Usar un proveedor de identidades establecido para la autenticación", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", - "severity": "Medio", - "text": "Pruebe los tiempos de copia de seguridad y recuperación para verificar que cumplen con los requisitos de RTO para restaurar todos los sistemas simultáneamente después de un desastre.", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Implemente código en 
App Service desde un entorno controlado y de confianza, como una canalización de implementación de DevOps bien administrada y segura. De este modo, se evita el código que no se ha controlado la versión y se ha comprobado que se implementará desde un host malintencionado.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", + "severity": "Alto", + "text": "Implementación desde un entorno de confianza", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Deshabilite la autenticación básica tanto para FTP/FTPS como para WebDeploy/SCM. Esto deshabilita el acceso a estos servicios y exige el uso de puntos de conexión protegidos de Azure AD para la implementación. Tenga en cuenta que el sitio de SCM también se puede abrir con credenciales de Azure AD.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "severity": "Alto", - "text": "Puede replicar el almacenamiento estándar entre regiones emparejadas, pero no puede usar el almacenamiento estándar para almacenar las bases de datos o los discos duros virtuales. Las copias de seguridad solo se pueden replicar entre las regiones emparejadas que utilice. Para todos los demás datos, ejecute la replicación mediante características nativas de DBMS, como SQL Server Always On o SAP HANA System Replication. 
Use una combinación de Site Recovery, rsync o robocopy y otro software de terceros para la capa de aplicación de SAP.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Fiabilidad" + "text": "Deshabilitar la autenticación básica", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", - "severity": "Medio", - "text": "Al usar Azure Availability Zones para lograr una alta disponibilidad, debe tener en cuenta la latencia entre los servidores de aplicaciones SAP y los servidores de bases de datos. En el caso de las zonas con latencias altas, es necesario implementar procedimientos operativos para garantizar que los servidores de aplicaciones SAP y los servidores de bases de datos se ejecuten en la misma zona en todo momento.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Siempre que sea posible, use Managed Identity para conectarse a los recursos protegidos de Azure AD. 
Si esto no es posible, almacene los secretos en Key Vault y conéctese a Key Vault mediante una identidad administrada en su lugar.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", + "severity": "Alto", + "text": "Uso de la identidad administrada para conectarse a los recursos", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas mediante una identidad administrada.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", "severity": "Alto", - "text": "Configure conexiones de ExpressRoute desde el entorno local a las regiones de recuperación ante desastres de Azure principal y secundaria. 
Además, como alternativa al uso de ExpressRoute, considere la posibilidad de configurar conexiones VPN desde el entorno local a las regiones de recuperación ante desastres de Azure principal y secundaria.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "Fiabilidad" + "text": "Extracción de contenedores mediante una identidad administrada", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", - "severity": "Bajo", - "text": "Replique el contenido del almacén de claves, como certificados, secretos o claves, en todas las regiones para poder descifrar los datos de la región de recuperación ante desastres.", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Al configurar las opciones de diagnóstico de App Service, puede enviar todos los datos de telemetría a Log Analytics como destino central para el registro y la supervisión. 
Esto le permite supervisar la actividad en tiempo de ejecución de App Service, como los registros HTTP, los registros de aplicaciones, los registros de plataforma, ...", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", + "severity": "Medio", + "text": "Envío de registros en tiempo de ejecución de App Service a Log Analytics", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Configure una configuración de diagnóstico para enviar el registro de actividad a Log Analytics como destino central para el registro y la supervisión. Esto le permite supervisar la actividad del plano de control en el propio recurso de App Service.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "severity": "Medio", - "text": "Empareje las redes virtuales principal y de recuperación ante desastres. 
Por ejemplo, para la replicación del sistema HANA, una red virtual de base de datos de SAP HANA debe estar emparejada con la red virtual de base de datos de SAP HANA del sitio de recuperación ante desastres.", - "waf": "Fiabilidad" + "text": "Envío de registros de actividad de App Service a Log Analytics", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", - "severity": "Bajo", - "text": "Si usa el almacenamiento de Azure NetApp Files para las implementaciones de SAP, como mínimo, cree dos cuentas de Azure NetApp Files en el nivel Premium, en dos regiones.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "Alto", - "text": "Se debe usar la tecnología de replicación de bases de datos nativas para sincronizar la base de datos en un par de alta disponibilidad.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Controle el acceso saliente a la red mediante una combinación de integración de red virtual regional, grupos de seguridad de red y UDR. El tráfico debe enrutarse a una aplicación virtual de red, como Azure Firewall. 
Asegúrese de supervisar los registros del cortafuegos.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", + "severity": "Medio", + "text": "El acceso a la red saliente debe controlarse", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", - "severity": "Alto", - "text": "El CIDR de la red virtual (VNet) principal no debe entrar en conflicto ni superponerse con el CIDR de la red virtual del sitio de recuperación ante desastres", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Puede proporcionar una dirección IP de salida estable mediante la integración de red virtual y una puerta de enlace NAT de red virtual o una aplicación virtual de red como Azure Firewall. Esto permite a la parte receptora incluir en la lista de permitidos en función de la IP, en caso de que sea necesario. Tenga en cuenta que para las comunicaciones con los servicios de Azure, a menudo no es necesario depender de la dirección IP y, en su lugar, se deben usar mecanismos como los puntos de conexión de servicio. 
(Además, el uso de puntos de conexión privados en el extremo receptor evita que se produzca SNAT y proporciona un intervalo de IP de salida estable).", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "Bajo", + "text": "Garantizar una IP estable para las comunicaciones salientes hacia las direcciones de Internet", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Controle el acceso entrante a la red mediante una combinación de restricciones de acceso al Servicio de aplicaciones, puntos de conexión de servicio o puntos de conexión privados. Se pueden requerir y configurar diferentes restricciones de acceso para la propia aplicación web y el sitio de SCM.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "Alto", - "text": "Use Site Recovery para replicar un servidor de aplicaciones en un sitio de recuperación ante desastres. Site Recovery también puede ayudar a replicar máquinas virtuales de clúster de servicios centrales en el sitio de recuperación ante desastres. 
Al invocar la recuperación ante desastres, deberá volver a configurar el clúster de Linux Pacemaker en el sitio de recuperación ante desastres (por ejemplo, reemplazar el VIP o SBD, ejecutar corosync.conf, etc.).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Fiabilidad" + "text": "El acceso a la red entrante debe controlarse", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Protéjase contra el tráfico entrante malintencionado mediante un firewall de aplicaciones web como Application Gateway o Azure Front Door. Asegúrese de supervisar los registros del WAF.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "severity": "Alto", - "text": "Considere la disponibilidad del software de SAP frente a puntos únicos de fallo. Esto incluye puntos únicos de falla dentro de aplicaciones como DBMS utilizados en las arquitecturas SAP NetWeaver y SAP S/4HANA, SAP ABAP y ASCS + SCS. 
También, otras herramientas como SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "Fiabilidad" + "text": "Uso de un WAF delante de App Service", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Asegúrese de que no se pueda omitir el WAF bloqueando el acceso solo al WAF. Use una combinación de restricciones de acceso, puntos de conexión de servicio y puntos de conexión privados.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "Alto", - "text": "En el caso de SAP y bases de datos de SAP, considere la posibilidad de implementar clústeres de conmutación por error automática. En Windows, los clústeres de conmutación por error de Windows Server admiten la conmutación por error. 
En Linux, Linux Pacemaker o herramientas de terceros como SIOS Protection Suite y Veritas InfoScale admiten la conmutación por error.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" + "text": "Evite que se omita WAF", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "Alto", - "text": "Azure no admite arquitecturas en las que las máquinas virtuales principal y secundaria compartan el almacenamiento de los datos de DBMS. Para la capa DBMS, el patrón de arquitectura común es replicar bases de datos al mismo tiempo y con pilas de almacenamiento diferentes a las que usan las máquinas virtuales principal y secundaria.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Establezca la directiva TLS mínima en 1.2 en la configuración de App Service.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", + "severity": "Medio", + "text": "Establezca la directiva TLS mínima en 1.2", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Configure App Service para que use solo HTTPS. Esto hace que App Service se redirija de HTTP a HTTPS. Considere seriamente el uso de HTTP Strict Transport Security (HSTS) en su código o desde su WAF, que informa a los navegadores que solo se debe acceder al sitio mediante HTTPS.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", "severity": "Alto", - "text": "Los datos de DBMS y los archivos de registro de transacciones y puesta al día se almacenan en el almacenamiento en bloque compatible con Azure o en Azure NetApp Files. Azure Files o Azure Premium Files no se admiten como almacenamiento para datos de DBMS o archivos de registro de puesta al día con la carga de trabajo de SAP.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "Fiabilidad" + "text": "Usar solo HTTPS", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "No utilice caracteres comodín en la configuración de CORS, ya que esto permite que todos los orígenes accedan al servicio (lo que anula el propósito de CORS). 
En concreto, solo permite los orígenes que esperas poder acceder al servicio.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", "severity": "Alto", - "text": "Puede usar discos compartidos de Azure en Windows para componentes ASCS + SCS y escenarios específicos de alta disponibilidad. Configure los clústeres de conmutación por error por separado para los componentes de la capa de aplicación de SAP y la capa de DBMS. Actualmente, Azure no admite arquitecturas de alta disponibilidad que combinen componentes de la capa de aplicación de SAP y la capa de DBMS en un clúster de conmutación por error.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" + "text": "Los comodines no deben usarse para CORS", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "La depuración remota no debe estar activada en producción, ya que esto abre puertos adicionales en el servicio, lo que aumenta la superficie expuesta a ataques. 
Tenga en cuenta que el servicio desactiva la depuración remota automáticamente después de 48 horas.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", "severity": "Alto", - "text": "La mayoría de los clústeres de conmutación por error para los componentes de la capa de aplicación (ASCS) de SAP y la capa de DBMS requieren una dirección IP virtual para un clúster de conmutación por error. Azure Load Balancer debe controlar la dirección IP virtual para todos los demás casos. Un principio de diseño es usar un equilibrador de carga por configuración de clúster. Te recomendamos que utilices la versión estándar del equilibrador de carga (SKU de equilibrador de carga estándar).", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Fiabilidad" + "text": "Desactivar la depuración remota", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", - "severity": "Alto", - "text": "Asegúrese de que la IP flotante esté habilitada en el equilibrador de carga", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Habilite Defender para App Service. Esto (entre otras amenazas) detecta comunicaciones a direcciones IP maliciosas conocidas. 
Revise las recomendaciones de Defender para App Service como parte de las operaciones.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", + "severity": "Medio", + "text": "Habilitación de Defender for Cloud: Defender for App Service", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", - "severity": "Alto", - "text": "Antes de implementar la infraestructura de alta disponibilidad, y en función de la región que elija, determine si desea realizar la implementación con un conjunto de disponibilidad de Azure o una zona de disponibilidad.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure proporciona protección básica contra DDoS en su red, que se puede mejorar con funcionalidades inteligentes de DDoS Standard que aprenden sobre los patrones de tráfico normales y pueden detectar comportamientos inusuales. 
DDoS Standard se aplica a una red virtual, por lo que debe configurarse para el recurso de red delante de la aplicación, como Application Gateway o una aplicación virtual de red.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", + "severity": "Medio", + "text": "Habilitación del estándar de protección DDoS en la red virtual de WAF", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", - "severity": "Alto", - "text": "Si desea cumplir los acuerdos de nivel de servicio de infraestructura para las aplicaciones de los componentes de SAP (servicios centrales, servidores de aplicaciones y bases de datos), debe elegir las mismas opciones de alta disponibilidad (máquinas virtuales, conjuntos de disponibilidad, zonas de disponibilidad) para todos los componentes.", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Cuando use imágenes almacenadas en Azure Container Registry, extráigalas a través de una red virtual desde Azure Container Registry mediante su punto de conexión privado y la configuración de la aplicación \"WEBSITE_PULL_IMAGE_OVER_VNET\".", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", + "severity": "Medio", + "text": "Extracción de contenedores a través de una red virtual", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "Alto", - "text": "No 
mezcle servidores de diferentes roles en el mismo conjunto de disponibilidad. Mantenga las máquinas virtuales de servicios centrales, las máquinas virtuales de base de datos y las máquinas virtuales de aplicaciones en sus propios conjuntos de disponibilidad", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Realice una prueba de penetración en la aplicación web siguiendo las reglas de participación de las pruebas de penetración.", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", + "severity": "Medio", + "text": "Realizar una prueba de penetración", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Implemente código de confianza que se haya validado y analizado en busca de vulnerabilidades de acuerdo con las prácticas de DevSecOps.", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "severity": "Medio", - "text": "No se pueden implementar conjuntos de disponibilidad de Azure dentro de una zona de disponibilidad de Azure a menos que se usen grupos de selección de ubicación de proximidad.", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "Fiabilidad" + "text": "Implementación de código validado", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": 
"https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Utilice las versiones más recientes de plataformas, lenguajes de programación, protocolos y marcos compatibles.", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", "severity": "Alto", - "text": "Al crear conjuntos de disponibilidad, use el número máximo de dominios de error y dominios de actualización disponibles. Por ejemplo, si implementa más de dos máquinas virtuales en un conjunto de disponibilidad, use el número máximo de dominios de error (tres) y suficientes dominios de actualización para limitar el efecto de posibles errores de hardware físico, interrupciones de red o interrupciones de energía, además del mantenimiento planeado de Azure. El número predeterminado de dominios de error es dos y no puede cambiarlo en línea más adelante.", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "Fiabilidad" + "text": "Utilizar plataformas, lenguajes, protocolos y marcos actualizados", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "Alto", - "text": "Cuando se usan grupos de selección con selección de ubicación de proximidad de Azure en una implementación de conjunto de disponibilidad, los tres componentes de SAP (servicios centrales, servidor de aplicaciones y base de datos) deben estar en el mismo grupo con selección de ubicación de proximidad.", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Siga las barreras de seguridad de Metaprompting para una IA responsable", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Use un grupo de selección de ubicación de proximidad por SID de SAP. Los grupos no abarcan zonas de disponibilidad ni regiones de Azure", - "waf": "Fiabilidad" + "text": "Considere la posibilidad de crear patrones de puerta de enlace con APIM o soluciones como AI Central para mejorar la limitación de velocidad, el equilibrio de carga, la autenticación y el registro", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Utilice uno de los siguientes servicios para ejecutar clústeres de servicios centrales de SAP, en función del sistema operativo.", - "training": 
"https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" + "text": "Habilitación de la supervisión para las instancias de AOAI", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", - "severity": "Medio", - "text": "Actualmente, Azure no admite la combinación de ASCS y alta disponibilidad de base de datos en el mismo clúster de Linux Pacemaker; sepáralos en grupos individuales. Sin embargo, puede combinar hasta cinco clústeres de servicios centrales en un par de máquinas virtuales.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Cree alertas para notificar a los equipos de eventos, como una entrada en el registro de actividad creada por una acción realizada en el recurso, como la regeneración de sus claves de suscripción, o un umbral de métrica, como el número de errores que superan los 10 en una hora", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "Medio", - "text": "Implemente ambas máquinas virtuales en el par de alta disponibilidad en un conjunto de disponibilidad o en zonas de disponibilidad. 
Estas máquinas virtuales deben tener el mismo tamaño y la misma configuración de almacenamiento.", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Supervise el uso de tokens para evitar interrupciones del servicio debido a la capacidad", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Azure admite la instalación y configuración de SAP HANA y las instancias de ASCS/SCS y ERS en el mismo clúster de alta disponibilidad que se ejecuta en Red Hat Enterprise Linux (RHEL).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidad" + "text": "Observe métricas como tokens de inferencia procesados, tokens de finalización generados, monitoree el límite de velocidad", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "Alto", - "text": "Ejecute todos los sistemas de producción en SSD administradas Premium y use Azure NetApp Files o Ultra Disk Storage. 
Al menos el disco del sistema operativo debe estar en el nivel Premium para que pueda lograr un mejor rendimiento y el mejor Acuerdo de Nivel de Servicio.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "Azure OpenAI", + "severity": "Bajo", + "text": "Si los diagnósticos no son suficientes para usted, considere la posibilidad de usar una puerta de enlace como Azure API Managements frente a Azure OpenAI para registrar tanto los mensajes entrantes como las respuestas salientes, cuando esté permitido", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Debe ejecutar SAP HANA en Azure solo en los tipos de almacenamiento certificados por SAP. Tenga en cuenta que ciertos volúmenes deben ejecutarse en determinadas configuraciones de disco, cuando corresponda. Estas configuraciones incluyen la habilitación del acelerador de escritura y el uso del almacenamiento premium. 
También debe asegurarse de que el sistema de archivos que se ejecuta en el almacenamiento es compatible con el DBMS que se ejecuta en la máquina.", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", - "waf": "Fiabilidad" + "text": "Use la infraestructura como código para implementar el servicio Azure OpenAI, las implementaciones de modelos y todos los recursos relacionados", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Considere la posibilidad de configurar la alta disponibilidad en función del tipo de almacenamiento que utilice para las cargas de trabajo de SAP. 
Algunos servicios de almacenamiento disponibles en Azure no son compatibles con Azure Site Recovery, por lo que la configuración de alta disponibilidad puede diferir.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "Fiabilidad" + "text": "Uso de la autenticación de Microsoft Entra con identidad administrada en lugar de clave de API", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Es posible que los diferentes servicios de almacenamiento nativos de Azure (como Azure Files, Azure NetApp Files, Azure Shared Disk) no estén disponibles en todas las regiones. Por lo tanto, para tener una configuración de SAP similar en la región de recuperación ante desastres después de la conmutación por error, asegúrese de que el servicio de almacenamiento correspondiente se ofrece en el sitio de recuperación ante desastres.", - "waf": "Fiabilidad" - }, - { - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", - "severity": "Medio", - "text": "Automatice SAP System Start-Stop para gestionar los costes.", - "waf": "Costar" + "text": "Evalúe el rendimiento/precisión del sistema con un conjunto de datos dorado conocido que tenga las entradas y las respuestas correctas. 
Aproveche las capacidades de PromptFlow para la evaluación.",
+ "waf": "Excelencia Operacional"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
- "severity": "Bajo",
- "text": "En el caso de usar Azure Premium Storage con SAP HANA, se puede usar el almacenamiento SSD estándar de Azure para seleccionar una solución de almacenamiento rentable. Sin embargo, tenga en cuenta que la elección de SSD estándar o almacenamiento de Azure HDD estándar afectará al Acuerdo de Nivel de Servicio de las máquinas virtuales individuales. Además, para sistemas con menor rendimiento de E/S y baja latencia, como entornos que no son de producción, se pueden usar máquinas virtuales de series inferiores.",
- "waf": "Costar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Evaluación del uso del modelo de rendimiento aprovisionado ",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
- "service": "SAP",
- "severity": "Bajo",
- "text": "Como configuración alternativa de menor costo (multipropósito), puede elegir una SKU de bajo rendimiento para las máquinas virtuales del servidor de base de datos de HANA que no son de producción. Sin embargo, es importante tener en cuenta que algunos tipos de máquinas virtuales, como la serie E, no están certificadas para HANA (directorio de hardware de SAP HANA) o no pueden alcanzar una latencia de almacenamiento inferior a 1 ms.",
- "waf": "Costar"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Revisión e implementación de la seguridad del contenido de Azure AI",
+ "waf": "Excelencia Operacional"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
 "severity": "Alto",
- "text": "Aplicación de un modelo RBAC para grupos de administración, suscripciones, grupos de recursos y recursos",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
- "waf": "Seguridad"
+ "text": "Defina y evalúe el rendimiento del sistema en función de los tokens y la respuesta por minuto y alinee con los requisitos",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "45911475-e39e-4530-accc-d979366bcda2",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Aplicación de la propagación de la entidad de seguridad para reenviar la identidad de la aplicación en la nube de SAP a SAP local (incluida IaaS) a través del conector en la nube",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
- "waf": "Seguridad"
+ "text": "Mejore la latencia del sistema limitando el tamaño de los tokens, las opciones de transmisión",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Implemente SSO en aplicaciones SAP SaaS como SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics y SAP C4C con Azure AD mediante SAML.",
- "waf": "Seguridad"
+ "text": "Calcule las demandas de elasticidad para determinar la segregación de solicitudes sincrónicas y por lotes en función de la prioridad. Para la prioridad alta, utilice el enfoque sincrónico y para la prioridad baja, se prefiere el procesamiento por lotes asincrónico con cola",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
- "service": "SAP",
- "severity": "Medio",
- "text": "Implemente SSO en aplicaciones web basadas en SAP NetWeaver, como SAP Fiori y SAP Web GUI mediante SAML.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
- "waf": "Seguridad"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Compare los requisitos de consumo de tokens en función de las demandas estimadas de los consumidores. Considere la posibilidad de usar la herramienta de pruebas comparativas de Azure OpenAI para ayudarle a validar el rendimiento si usa implementaciones de unidades de rendimiento aprovisionadas",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Implemente SSO en aplicaciones web basadas en SAP NetWeaver, como SAP Fiori y SAP Web GUI mediante SAML.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
- "waf": "Seguridad"
+ "text": "Si usa unidades de rendimiento aprovisionadas (PTU), considere la posibilidad de implementar una implementación de token por minuto (TPM) para las solicitudes de desbordamiento. Use una puerta de enlace para enrutar las solicitudes a la implementación de TPM cuando se alcancen los límites de PTU.",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
- "service": "SAP",
- "severity": "Medio",
- "text": "Puede implementar SSO en la GUI de SAP mediante SAP NetWeaver SSO o una solución de partner.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
- "waf": "Seguridad"
- },
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Elija el modelo adecuado para la tarea correcta. Elija modelos con el equilibrio adecuado entre velocidad, calidad de respuesta y complejidad de salida",
+ "waf": "Rendimiento"
+ },
 {
- "checklist": "SAP Checklist",
- "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Para SSO para SAP GUI y acceso al navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociación GSSAPI simple y protegido) debido a su facilidad de configuración y mantenimiento. Para SSO con certificados de cliente X.509, considere el servidor de inicio de sesión seguro de SAP, que es un componente de la solución SSO de SAP.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
- "waf": "Seguridad"
+ "text": "Tener una línea de base para el rendimiento sin ajuste fino para saber si el ajuste fino ha mejorado o no el rendimiento del modelo",
+ "waf": "Rendimiento"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
- "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
- "service": "SAP",
- "severity": "Medio",
- "text": "Para SSO para SAP GUI y acceso al navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociación GSSAPI simple y protegido) debido a su facilidad de configuración y mantenimiento. Para SSO con certificados de cliente X.509, considere el servidor de inicio de sesión seguro de SAP, que es un componente de la solución SSO de SAP.",
- "waf": "Seguridad"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "Bajo",
+ "text": "Implementación de varias instancias de OAI en todas las regiones",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "16785d6f-a96c-496a-b885-18f482734c88",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
- "service": "SAP",
- "severity": "Medio",
- "text": "Implemente el inicio de sesión único mediante OAuth para SAP NetWeaver a fin de permitir que aplicaciones personalizadas o de terceros accedan a los servicios OData de SAP NetWeaver.",
- "waf": "Seguridad"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Implemente reintentos y comprobaciones de estado con el patrón de puerta de enlace como APIM",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Implementación de SSO en SAP HANA",
- "waf": "Seguridad"
+ "text": "Asegúrese de tener cuotas adecuadas de TPM y RPM para la carga de trabajo",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
- "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Considere Azure AD como un proveedor de identidades para sistemas SAP hospedados en RISE. Para obtener más información, consulte Integración del servicio con Azure AD.",
- "waf": "Seguridad"
+ "text": "Revise las consideraciones de la guía del kit de herramientas de HAI y aplique esas prácticas de interacción para el slution",
+ "waf": "Excelencia Operacional"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
- "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "En el caso de las aplicaciones que acceden a SAP, es posible que desee utilizar la propagación de entidades de seguridad para establecer el inicio de sesión único.",
- "waf": "Seguridad"
+ "text": "Implemente modelos de ajuste de precisión independientes en todas las regiones si se emplea el ajuste de precisión",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Si usa servicios BTP de SAP o soluciones SaaS que requieren SAP Identity Authentication Service (IAS), considere la posibilidad de implementar SSO entre SAP Cloud Identity Authentication Services y Azure AD para acceder a esos servicios de SAP. Esta integración permite a SAP IAS actuar como proveedor de identidades de proxy y reenvía las solicitudes de autenticación a Azure AD como almacén de usuarios central y proveedor de identidades.",
- "waf": "Seguridad"
+ "text": "Realice copias de seguridad y replique regularmente los datos críticos para garantizar la disponibilidad y la capacidad de recuperación de los datos en caso de pérdida de datos o fallos del sistema. Aproveche los servicios de copia de seguridad y recuperación ante desastres de Azure para proteger sus datos.",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
- "service": "SAP",
- "severity": "Medio",
- "text": "Implementación de SSO en SAP BTP",
- "waf": "Seguridad"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Los niveles de servicio de búsqueda de Azure AI deben elegirse para tener un Acuerdo de Nivel de Servicio ",
+ "waf": "Fiabilidad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
- "service": "SAP",
- "severity": "Medio",
- "text": "Si usa SAP SuccessFactors, considere la posibilidad de usar el aprovisionamiento automatizado de usuarios de Azure AD. Con esta integración, a medida que agrega nuevos empleados a SAP SuccessFactors, puede crear automáticamente sus cuentas de usuario en Azure AD. Opcionalmente, puede crear cuentas de usuario en Microsoft 365 u otras aplicaciones SaaS compatibles con Azure AD. Utilice la escritura diferida de la dirección de correo electrónico en SAP SuccessFactors.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "Bajo",
+ "text": "Clasifique los datos y la confidencialidad, etiquetando con Microsoft Purview antes de generar las incrustaciones y asegúrese de tratar las incrustaciones generadas con la misma confidencialidad y clasificación",
 "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
- "service": "SAP",
- "severity": "Medio",
- "text": "aplicar las directivas de grupo de administración existentes a las suscripciones de SAP",
- "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
- "waf": "Operaciones"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Cifre los datos utilizados para RAG con cifrado SSE/Disk con BYOK opcional",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
 "severity": "Alto",
- "text": "Integre aplicaciones estrechamente acopladas en la misma suscripción de SAP para evitar una complejidad adicional de enrutamiento y administración",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
- "waf": "Operaciones"
+ "text": "Asegúrese de que TLS se aplica a los datos en tránsito a través de fuentes de datos, la búsqueda de IA utilizada para la generación aumentada de recuperación (RAG) y la comunicación de LLM",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
 "severity": "Alto",
- "text": "Aprovechar la suscripción como unidad de escalado y escalar nuestros recursos, considere implementar la suscripción por entorno, por ejemplo. Sandbox, no-prod, prod ",
- "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
- "waf": "Operaciones"
+ "text": "Use RBAC para administrar el acceso a los servicios de Azure OpenAI. Asigne los permisos adecuados a los usuarios y restrinja el acceso en función de sus funciones y responsabilidades",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
- "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Implemente técnicas de cifrado, enmascaramiento o redacción de datos para ocultar datos confidenciales o reemplazarlos con valores ofuscados en entornos que no sean de producción o al compartir datos con fines de prueba o solución de problemas",
+ "waf": "Seguridad"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
 "severity": "Alto",
- "text": "Garantizar el aumento de la cuota como parte del aprovisionamiento de suscripciones (por ejemplo, el total de núcleos de máquina virtual disponibles dentro de una suscripción)",
- "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "waf": "Operaciones"
+ "text": "Use Azure Defender para detectar y responder a las amenazas de seguridad y configurar mecanismos de supervisión y alerta para identificar actividades sospechosas o infracciones. Aproveche Azure Sentinel para la detección y respuesta a amenazas avanzadas",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
- "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
- "service": "SAP",
- "severity": "Bajo",
- "text": "La API de cuota es una API de REST que se puede usar para ver y administrar las cuotas de los servicios de Azure. Considere usarlo si es necesario.",
- "waf": "Operaciones"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
+ "severity": "Medio",
+ "text": "Establezca políticas de retención y eliminación de datos para cumplir con las regulaciones de cumplimiento. Implemente métodos de eliminación seguros para los datos que ya no son necesarios y mantenga un registro de auditoría de las actividades de retención y eliminación de datos",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
- "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
 "severity": "Alto",
- "text": "Si realiza la implementación en una zona de disponibilidad, asegúrese de que la implementación de la zona de la máquina virtual esté disponible una vez que se haya aprobado la cuota. Envíe una solicitud de soporte técnico con la suscripción, la serie de máquinas virtuales, el número de CPU y la zona de disponibilidad necesarias.",
- "waf": "Operaciones"
+ "text": "Implemente los escudos de aviso y la detección de conexión a tierra mediante Content Safety ",
+ "waf": "Excelencia Operacional"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
- "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
 "severity": "Alto",
- "text": "Asegúrese de que los servicios y funciones requeridos estén disponibles dentro de las regiones de implementación elegidas, por ejemplo. ANF, Zona, etc.",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
- "waf": "Operaciones"
+ "text": "Garantice el cumplimiento de las normativas de protección de datos pertinentes, como el RGPD o la HIPAA, mediante la implementación de controles de privacidad y la obtención de los consentimientos o permisos necesarios para las actividades de tratamiento de datos.",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Aproveche la etiqueta de recurso de Azure para la categorización de costos y la agrupación de recursos (facturación, departamento (o unidad de negocio), entorno (producción, fase, desarrollo), nivel (nivel web, nivel de aplicación), propietario de la aplicación, ProjectName)",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
- "waf": "Operaciones"
+ "text": "Eduque a sus empleados sobre las mejores prácticas de seguridad de datos, la importancia de manejar los datos de forma segura y los riesgos potenciales asociados con las violaciones de datos. Anímelos a seguir diligentemente los protocolos de seguridad de datos.",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
- "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
 "severity": "Alto",
- "text": "Ayude a proteger la base de datos de HANA mediante el servicio Azure Backup.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
- "waf": "Fiabilidad"
+ "text": "Mantenga los datos de producción separados de los datos de desarrollo y pruebas. Utilice únicamente datos confidenciales reales en producción y utilice datos anónimos o sintéticos en entornos de desarrollo y prueba.",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Si implementa Azure NetApp Files para la base de datos HANA, Oracle o DB2, use la herramienta Azure Application Consistent Snapshot (AzAcSnap) para tomar instantáneas coherentes con la aplicación. AzAcSnap también es compatible con las bases de datos de Oracle. Considere la posibilidad de usar AzAcSnap en una máquina virtual central en lugar de en máquinas virtuales individuales.",
- "waf": "Fiabilidad"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
- "severity": "Alto",
- "text": "Asegúrese de que la zona horaria coincida entre el sistema operativo y el sistema SAP.",
- "waf": "Operaciones"
+ "text": "Si tiene distintos niveles de confidencialidad de datos, considere la posibilidad de crear índices independientes para cada nivel. Por ejemplo, podría tener un índice para los datos generales y otro para los datos confidenciales, cada uno gobernado por diferentes protocolos de acceso",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "No agrupe diferentes servicios de aplicaciones en el mismo clúster. Por ejemplo, no combine DRBD y clústeres de servicios centrales en el mismo clúster. Sin embargo, puede usar el mismo clúster de Pacemaker para administrar aproximadamente cinco servicios centrales diferentes (clúster de varios SID).",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Fiabilidad"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
- "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
- "service": "SAP",
- "severity": "Bajo",
- "text": "Considere la posibilidad de ejecutar sistemas de desarrollo y pruebas en un modelo de repetición para ahorrar y optimizar los costos de ejecución de Azure.",
- "waf": "Costar"
+ "text": "Lleve la segregación un paso más allá colocando conjuntos de datos confidenciales en diferentes instancias del servicio. Cada instancia se puede controlar con su propio conjunto específico de políticas RBAC",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
- "link": "https://learn.microsoft.com/azure/lighthouse/overview",
- "service": "SAP",
- "severity": "Medio",
- "text": "Si se asocia con los clientes mediante la administración de sus propiedades de SAP, considere la posibilidad de usar Azure Lighthouse. Azure Lighthouse permite a los proveedores de servicios administrados usar los servicios de identidad nativos de Azure para autenticarse en el entorno de los clientes. Pone el control en manos de los clientes, ya que pueden revocar el acceso en cualquier momento y auditar las acciones de los proveedores de servicios.",
- "waf": "Operaciones"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Reconozca que las incrustaciones y los vectores generados a partir de información confidencial son en sí mismos confidenciales. Estos datos deben recibir las mismas medidas de protección que el material de origen",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
- "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
- "service": "SAP",
- "severity": "Medio",
- "text": "Use Azure Update Manager para comprobar el estado de las actualizaciones disponibles para una sola máquina virtual o varias máquinas virtuales y considere la posibilidad de programar revisiones periódicas.",
- "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
- "waf": "Operaciones"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Aplique RBAC a los almacenes de datos que tienen incrustaciones y vectores y alcance el acceso en función de los requisitos de acceso del rol",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
- "service": "SAP",
- "severity": "Bajo",
- "text": "Optimice y gestione las operaciones de SAP Basis mediante SAP Landscape Management (LaMa). Use el conector de SAP LaMa para Azure para reubicar, copiar, clonar y actualizar sistemas SAP.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
- "waf": "Operaciones"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Configure un punto de conexión privado para que los servicios de IA restrinjan el acceso al servicio dentro de su red",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
- "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
- "service": "SAP",
- "severity": "Medio",
- "text": "Use Azure Monitor para soluciones SAP para supervisar las cargas de trabajo de SAP (SAP HANA, clústeres de SUSE de alta disponibilidad y sistemas SQL) en Azure. Considere la posibilidad de complementar las soluciones de Azure Monitor para SAP con SAP Solution Manager.",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
- "waf": "Operaciones"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Aplique un estricto control del tráfico entrante y saliente con Azure Firewall y UDR, y limite los puntos de integración externos",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
 "severity": "Alto",
- "text": "Ejecute una comprobación de extensión de máquina virtual para SAP. VM Extension for SAP usa la identidad administrada asignada de una máquina virtual (VM) para acceder a los datos de configuración y supervisión de VM. La comprobación garantiza que todas las métricas de rendimiento de la aplicación SAP proceden de la extensión de Azure para SAP subyacente.",
- "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
- "waf": "Operaciones"
+ "text": "Implemente la segmentación de la red y los controles de acceso para restringir el acceso a la aplicación LLM solo a los usuarios y sistemas autorizados y evitar el movimiento lateral",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Use Azure Policy para el control de acceso y los informes de cumplimiento. Azure Policy proporciona la capacidad de aplicar la configuración de toda la organización para garantizar el cumplimiento coherente de las directivas y la detección rápida de infracciones. ",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "Operaciones"
+ "text": "Utilice herramientas de compresión rápida como LLMLingua o gprtrim",
+ "waf": "Optimización de costes"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "523181aa-4174-4269-93ff-8ae7d7d47431",
- "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview",
- "service": "SAP",
- "severity": "Medio",
- "text": "Use el Monitor de conexión en Azure Network Watcher para supervisar las métricas de latencia de las bases de datos y los servidores de aplicaciones de SAP. O bien, recopile y muestre medidas de latencia de red mediante Azure Monitor.",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979",
- "waf": "Operaciones"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "Alto",
+ "text": "Asegúrese de que las API y los puntos finales utilizados por la aplicación LLM estén correctamente protegidos con mecanismos de autenticación y autorización, como identidades administradas, claves de API u OAuth, para evitar el acceso no autorizado.",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "73686af4-6791-4f89-95ad-a43324e13811",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Realice una comprobación de calidad de SAP HANA en la infraestructura de Azure aprovisionada para comprobar que las máquinas virtuales aprovisionadas cumplen con los procedimientos recomendados de SAP HANA en Azure.",
- "waf": "Operaciones"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "616785d6-fa96-4c96-ad88-518f482734c8",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
- "service": "SAP",
- "severity": "Alto",
- "text": "Para cada suscripción de Azure, ejecute una prueba de latencia en las zonas de disponibilidad de Azure antes de la implementación zonal para elegir zonas de baja latencia para la implementación de SAP en Azure.",
- "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "waf": "Rendimiento"
+ "text": "Aplique mecanismos sólidos de autenticación de usuario final, como la autenticación multifactor, para evitar el acceso no autorizado a la aplicación LLM y a los recursos de red asociados",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "410adcba-db46-424f-a6c4-05ecde75c52e",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Ejecute el informe de resistencia para asegurarse de que la configuración de toda la infraestructura de Azure aprovisionada (proceso, base de datos, redes, almacenamiento, Site Recovery) cumple con la configuración definida por Cloud Adaption Framework para Azure.",
- "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/",
- "waf": "Fiabilidad"
+ "text": "Implemente herramientas de monitoreo de red para detectar y analizar el tráfico de red en busca de actividades sospechosas o maliciosas. Habilite el registro para capturar eventos de red y facilitar el análisis forense en caso de incidentes de seguridad",
+ "waf": "Seguridad"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "86ba2802-1459-4114-95e3-9e5309cccd97",
- "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "Azure OpenAI",
 "severity": "Medio",
- "text": "Implemente la protección contra amenazas mediante la solución Microsoft Sentinel para SAP. 
Utilice esta solución para supervisar sus sistemas SAP y detectar amenazas sofisticadas en toda la lógica empresarial y las capas de aplicación.", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "text": "Realizar auditorías de seguridad y pruebas de penetración para identificar y abordar cualquier debilidad o vulnerabilidad de seguridad de red en la infraestructura de red de la aplicación LLM", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", - "severity": "Medio", - "text": "El etiquetado de Azure se puede aprovechar para agrupar y realizar un seguimiento lógico de los recursos, automatizar sus implementaciones y, lo que es más importante, proporcionar visibilidad de los costos incurridos.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "Azure OpenAI", + "severity": "Bajo", + "text": "Los servicios de Azure AI están etiquetados correctamente para una mejor administración", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "Azure OpenAI", "severity": "Bajo", - "text": "Use la supervisión de latencia entre máquinas virtuales para aplicaciones sensibles a la latencia.", - "waf": "Rendimiento" + "text": "Las cuentas de Azure AI Service siguen las convenciones de nomenclatura de la organización", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "Medio", - "text": "Use la supervisión de Azure Site Recovery para mantener el estado del servicio de recuperación ante desastres para los servidores de aplicaciones SAP.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Fiabilidad" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Los registros de diagnóstico en los recursos de servicios de Azure AI deben estar habilitados", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", - "severity": "Medio", - "text": "Excluya todos los sistemas de archivos de bases de datos y programas ejecutables de los análisis antivirus. Incluirlos podría dar lugar a problemas de rendimiento. Consulte con los proveedores de bases de datos para obtener detalles prescriptivos sobre la lista de exclusión. 
Por ejemplo, Oracle recomienda excluir /oracle//sapdata de los análisis antivirus.", - "waf": "Rendimiento" - }, - { - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", - "severity": "Bajo", - "text": "Considere la posibilidad de recopilar estadísticas de base de datos completas para bases de datos que no son de HANA después de la migración. Por ejemplo, implemente la nota de SAP 1020260 - Entrega de estadísticas de Oracle.", - "waf": "Rendimiento" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/ai-services/authentication", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Se recomienda deshabilitar el acceso a claves (autenticación local) por seguridad. Después de deshabilitar el acceso basado en claves, el identificador de Microsoft Entra se convierte en el único método de acceso, lo que permite mantener el principio de privilegio mínimo y el control granular. 
", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", - "severity": "Medio", - "text": "Considere la posibilidad de usar Oracle Automatic Storage Management (ASM) para todas las implementaciones de Oracle que usan SAP en Azure.", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "Rendimiento" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Almacene y administre claves de forma segura con Azure Key Vault. Evite codificar de forma rígida o incrustar claves confidenciales en el código de la aplicación de LLM y recupérelas de forma segura de Azure Key Vault mediante identidades administradas", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", - "severity": "Medio", - "text": "En el caso de SAP en Azure que ejecuta Oracle, una colección de scripts SQL puede ayudarle a diagnosticar problemas de rendimiento. Los informes de repositorio automático de cargas de trabajo (AWR) contienen información valiosa para diagnosticar problemas en el sistema Oracle. 
Le recomendamos que ejecute un informe de AWR durante varias sesiones y elija las horas punta para él, a fin de garantizar una amplia cobertura del análisis.", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "Rendimiento" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Rotar y expirar periódicamente las claves almacenadas en Azure Key Vault para minimizar el riesgo de acceso no autorizado.", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Use la supervisión de Azure Site Recovery para mantener el estado del servicio de recuperación ante desastres para los servidores de aplicaciones SAP.", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "waf": "Operaciones" + "text": "Use tiktoken para comprender los tamaños de los tokens para las optimizaciones de tokens en el modo conversacional", + "waf": "Optimización de costes" }, { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", - "severity": "Medio", - "text": "Para la entrega segura de aplicaciones HTTP/S, use Application Gateway v2 y asegúrese de que la 
protección y las directivas de WAF están habilitadas.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Siga prácticas de codificación seguras para evitar vulnerabilidades comunes, como ataques de inyección, secuencias de comandos entre sitios (XSS) o errores de configuración de seguridad.", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", - "severity": "Medio", - "text": "Si el DNS o el nombre virtual de la máquina virtual no se cambia durante la migración a Azure, el DNS en segundo plano y los nombres virtuales conectan muchas interfaces del sistema en el entorno de SAP, y los clientes solo conocen a veces las interfaces que los desarrolladores definen a lo largo del tiempo. 
Los desafíos de conexión surgen entre varios sistemas cuando los nombres virtuales o DNS cambian después de las migraciones, y se recomienda conservar los alias DNS para evitar este tipo de dificultades.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Configurar un proceso para actualizar y parchear regularmente las bibliotecas de LLM y otros componentes del sistema", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", - "severity": "Medio", - "text": "Utilice diferentes zonas DNS para distinguir cada entorno (espacio aislado, desarrollo, preproducción y producción) entre sí. 
La excepción es para las implementaciones de SAP con su propia red virtual; en este caso, es posible que las zonas DNS privadas no sean necesarias.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Cumplir con los términos de uso, las directivas y las directrices de Azure OpenAI u otros LLM, así como con los casos de uso permitidos.", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "Azure OpenAI", "severity": "Medio", - "text": "El emparejamiento de red virtual local y global proporciona conectividad y son los enfoques preferidos para garantizar la conectividad entre las zonas de aterrizaje para las implementaciones de SAP en varias regiones de Azure", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "Fiabilidad" + "text": "Comprenda la diferencia en el costo de los modelos base y los modelos ajustados y los tamaños de paso de token", + "waf": "Optimización de costes" }, { - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", + 
"arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "severity": "Alto", - "text": "No se admite la implementación de ninguna aplicación virtual de red entre la aplicación SAP y el servidor de base de datos SAP", - "training": "https://me.sap.com/notes/2731110", - "waf": "Rendimiento" + "text": "Solicitudes por lotes, siempre que sea posible, para minimizar la sobrecarga por llamada, lo que puede reducir los costos generales. Asegúrese de optimizar el tamaño del lote", + "waf": "Optimización de costes" }, { - "checklist": "SAP Checklist", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Use Virtual WAN para implementaciones de Azure en redes nuevas, grandes o globales en las que necesite conectividad de tránsito global entre regiones de Azure y ubicaciones locales. 
Con este enfoque, no tendrá que configurar manualmente el enrutamiento transitivo para las redes de Azure y puede seguir un estándar para las implementaciones de SAP en Azure.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "Operaciones" + "text": "Configure un sistema de seguimiento de costos que supervise el uso del modelo y use esa información para ayudar a informar las opciones de modelos y los tamaños indicados", + "waf": "Optimización de costes" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Considere la posibilidad de implementar aplicaciones virtuales de red (NVA) entre regiones solo si se usan aplicaciones virtuales de red de asociados. Las aplicaciones virtuales de red entre regiones o redes virtuales no son necesarias si hay aplicaciones virtuales de red nativas. Al implementar tecnologías de redes de asociados y aplicaciones virtuales de red, siga las instrucciones del proveedor para comprobar las configuraciones conflictivas con las redes de Azure.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "Operaciones" + "text": "Establezca un límite máximo en el número de tokens por respuesta de modelo. 
Optimice el tamaño para asegurarse de que sea lo suficientemente grande para una respuesta válida", + "waf": "Optimización de costes" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Virtual WAN administra la conectividad entre redes virtuales de radio para topologías basadas en WAN virtuales (sin necesidad de configurar el enrutamiento definido por el usuario [UDR] o NVA), y el rendimiento máximo de red para el tráfico de red virtual a red virtual en el mismo centro virtual es de 50 gigabits por segundo. Si es necesario, las zonas de aterrizaje de SAP pueden usar el emparejamiento de red virtual para conectarse a otras zonas de aterrizaje y superar esta limitación de ancho de banda.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "Operaciones" + "text": "Revise las instrucciones proporcionadas sobre la configuración de la búsqueda de IA para la confiabilidad", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "Alto", - "text": "No se recomienda la asignación de direcciones IP públicas a la máquina virtual que ejecuta SAP Workload.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Seguridad" + "arm-service": "Microsoft.CognitiveServices/accounts", + 
"checklist": "Azure OpenAI Review", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", + "severity": "Medio", + "text": "Planifique y administre el almacenamiento de vectores de búsqueda de IA", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", - "severity": "Alto", - "text": "Considere la posibilidad de reservar la dirección IP en el lado de la recuperación ante desastres al configurar ASR", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Operaciones" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", + "severity": "Medio", + "text": "Aplique prácticas de LLMOps para automatizar la gestión del ciclo de vida de sus aplicaciones GenAI", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Evite el uso de intervalos de direcciones IP 
superpuestos para los sitios de producción y recuperación ante desastres.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Operaciones" + "text": "Evalúe el uso de los modelos de facturación: PAYG frente a PTU", + "waf": "Optimización de costes" }, { - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Aunque Azure le ayuda a crear varias subredes delegadas en una red virtual, solo puede existir una subred delegada en una red virtual para Azure NetApp Files. 
Se producirá un error al intentar crear un nuevo volumen si se utiliza más de una subred delegada para Azure NetApp Files.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "Operaciones" + "text": "Evalúe la calidad de los mensajes y las aplicaciones al cambiar entre versiones de modelo", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Use Azure Firewall para controlar el tráfico saliente de Azure a Internet, las conexiones entrantes que no son HTTP/S y el filtrado del tráfico Este/Oeste (si la organización lo requiere)", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", - "waf": "Seguridad" + "text": "Evalúe, supervise y perfeccione sus aplicaciones GenAI para características como la fundamentación, la relevancia, la precisión, la coherencia, la fluidez,", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Application 
Gateway y Web Application Firewall tienen limitaciones cuando Application Gateway actúa como proxy inverso para aplicaciones web de SAP, como se muestra en la comparación entre Application Gateway, SAP Web Dispatcher y otros servicios de terceros.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", - "waf": "Seguridad" + "text": "Evalúe los resultados de búsqueda de Azure AI en función de diferentes parámetros de búsqueda", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2744293b-b628-4537-a551-19b08e8f5854", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Use directivas de Azure Front Door y WAF para proporcionar protección global en todas las regiones de Azure para las conexiones HTTP/S entrantes a una zona de aterrizaje.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", - "waf": "Seguridad" + "text": "Considere los modelos de ajuste fino como una forma de aumentar la precisión solo cuando haya probado otros enfoques básicos como la ingeniería de avisos y RAG con sus datos", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": 
"Azure OpenAI", "severity": "Medio", - "text": "Aproveche las directivas de Web Application Firewall en Azure Front Door cuando use Azure Front Door y Application Gateway para proteger las aplicaciones HTTP/S. Bloquee Application Gateway para recibir tráfico solo de Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Seguridad" + "text": "Utilice técnicas de ingeniería rápida para mejorar la precisión de las respuestas de LLM", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Utilice un firewall de aplicaciones web para analizar su tráfico cuando esté expuesto a Internet. Otra opción es usarlo con el equilibrador de carga o con recursos que tengan funcionalidades de firewall integradas, como Application Gateway o soluciones de terceros.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "text": "Equipo rojo con sus aplicaciones GenAI", "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", - "severity": "Medio", - "text": "Use Virtual WAN para implementaciones de Azure en redes nuevas, grandes o globales en las que necesite conectividad de tránsito global entre regiones de Azure y ubicaciones locales. 
Con este enfoque, no tendrá que configurar manualmente el enrutamiento transitivo para las redes de Azure y puede seguir un estándar para las implementaciones de SAP en Azure.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "Rendimiento" - }, - { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Para evitar la pérdida de datos, use Azure Private Link para acceder de forma segura a los recursos de plataforma como servicio, como Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, etc. El punto de conexión privado de Azure también puede ayudar a proteger el tráfico entre redes virtuales y servicios como Azure Storage, Azure Backup, etc. El tráfico entre la red virtual y el servicio habilitado para punto de conexión privado viaja a través de la red global de Microsoft, lo que impide su exposición a la red pública de Internet.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "Seguridad" + "text": "Proporcione a los usuarios finales opciones de puntuación para las respuestas de LLM y realice un seguimiento de estas puntuaciones. 
", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Asegúrese de que las redes aceleradas de Azure están habilitadas en las máquinas virtuales que se usan en las capas de aplicación SAP y DBMS.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Rendimiento" + "text": "Considere las prácticas de administración de cuotas", + "waf": "Optimización de costes" }, { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "Azure OpenAI", "severity": "Medio", - "text": "Asegúrese de que las implementaciones internas de Azure Load Balancer están configuradas para usar Direct Server Return (DSR). 
Esta configuración (Habilitación de IP flotante) reducirá la latencia cuando se utilicen configuraciones internas del equilibrador de carga para configuraciones de alta disponibilidad en la capa DBMS.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Seguridad" + "text": "Utilice soluciones de equilibrador de carga, como la puerta de enlace basada en APIM, para equilibrar la carga y la capacidad entre servicios y regiones", + "waf": "Excelencia Operacional" }, { - "checklist": "SAP Checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", "severity": "Medio", - "text": "Puede usar reglas de grupo de seguridad de aplicaciones (ASG) y NSG para definir listas de control de acceso de seguridad de red entre la aplicación SAP y las capas DBMS. 
Los ASG agrupan las máquinas virtuales para ayudar a administrar su seguridad.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", - "waf": "Seguridad" - }, - { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "Alto", - "text": "No se admite la colocación de la capa de aplicación de SAP y DBMS de SAP en diferentes redes virtuales de Azure que no están emparejadas.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Rendimiento" + "text": "Azure Spring Apps permite dos implementaciones para cada aplicación, de las cuales solo una recibe tráfico de producción. Puede lograr cero tiempo de inactividad con estrategias de implementación azul verde. La implementación azul verde solo está disponible en los niveles Estándar y Enterprise. 
Puede automatizar la implementación mediante CI/CD con acciones de ADO/GitHub", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "severity": "Medio", - "text": "Para obtener una latencia de red óptima con aplicaciones SAP, considere la posibilidad de usar grupos de selección de ubicación por proximidad de Azure.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Rendimiento" + "text": "Las instancias de Azure Spring Apps se pueden crear en varias regiones para las aplicaciones y el tráfico se puede enrutar mediante Traffic Manager o Front Door.", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "Alto", - "text": "NO se admite en absoluto la ejecución de una capa de servidor de aplicaciones de SAP y una capa de DBMS divididas entre el entorno local y Azure. 
Ambas capas deben residir completamente en el entorno local o en Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Rendimiento" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", + "severity": "Medio", + "text": "En la región admitida, Azure Spring Apps se puede implementar como zona redundante, lo que significa que las instancias se distribuyen automáticamente entre las zonas de disponibilidad. Esta función solo está disponible en los niveles Standard y Enterprise.", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "Alto", - "text": "No se recomienda hospedar el sistema de administración de bases de datos (DBMS) y las capas de aplicación de los sistemas SAP en diferentes redes virtuales y conectarlas con el emparejamiento de redes virtuales debido a los costos sustanciales que puede producir un tráfico de red excesivo entre las capas. 
Se recomienda el uso de subredes dentro de la red virtual de Azure para separar la capa de aplicación de SAP y la capa de DBMS.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Costar" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", + "severity": "Medio", + "text": "Usar más de 1 instancia de aplicación para las aplicaciones", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", - "severity": "Alto", - "text": "Si utiliza Load Balancer con sistemas operativos invitados Linux, compruebe que el parámetro de red de Linux net.ipv4.tcp_timestamps esté establecido en 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Rendimiento" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", + "severity": "Medio", + "text": "Supervise Azure Spring Apps con registros, métricas y seguimiento. 
Integre ASA con la información de las aplicaciones, realice un seguimiento de los errores y cree libros de trabajo.", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "severity": "Medio", - "text": "En el caso de las implementaciones de SAP RISE/ECS, el emparejamiento virtual es la forma preferida de establecer la conectividad con el entorno de Azure existente del cliente. Tanto la red virtual de SAP como las redes virtuales del cliente están protegidas con grupos de seguridad de red (NSG), lo que permite la comunicación en los puertos de SAP y de base de datos a través del emparejamiento de redes virtuales", - "waf": "Seguridad" + "text": "Configuración del escalado automático en Spring Cloud Gateway", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "Alto", - "text": "Revise las copias de seguridad de bases de datos de SAP HANA para máquinas virtuales de Azure.", - "waf": "Costar" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + "severity": "Bajo", + "text": "Habilite el escalado automático para las aplicaciones con el consumo estándar y el plan dedicado.", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - 
"link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "severity": "Medio", - "text": "Revise la supervisión integrada de Site Recovery, si se usa para SAP.", - "waf": "Costar" + "text": "Use el plan Enterprise para obtener soporte comercial de Spring Boot para aplicaciones de misión crítica. Con otros niveles, obtienes soporte OSS.", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", - "severity": "Alto", - "text": "Revise la guía Supervisión del entorno del sistema SAP HANA.", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", + "severity": "Medio", + "text": "Implementar una política de control de errores a nivel global", "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", "severity": "Medio", - "text": "Revise las estrategias de copia de seguridad 
de Oracle Database en máquinas virtuales Linux de Azure.", + "text": "Asegúrese de que todas las políticas de API incluyan un elemento.", "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "severity": "Medio", - "text": "Revise el uso de Azure Blob Storage con SQL Server 2016.", + "text": "Uso de fragmentos de políticas para evitar repetir las mismas definiciones de políticas en varias API", "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", "severity": "Medio", - "text": "Revise el uso de Copia de seguridad automatizada v2 para máquinas virtuales de Azure.", + "text": "Si planeas monetizar tus API, revisa el artículo \"Soporte de monetización\" para conocer las prácticas recomendadas", "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "severity": "Alto", - "text": "Habilitación del acelerador de escritura para la serie M cuando se utilizan discos premium (V1)", + "text": "Habilitación de la configuración de diagnóstico para exportar registros a Azure Monitor", "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "Medio", - "text": "Pruebe la latencia de la zona de disponibilidad.", - "waf": "Rendimiento" + "text": "Habilitación de Application Insights para obtener telemetría más detallada", + "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", - "severity": "Medio", - "text": "Active SAP EarlyWatch Alert para todos los componentes de SAP.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "Rendimiento" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", + "severity": "Alto", + "text": "Configurar alertas sobre las métricas más críticas", + "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", - "severity": "Medio", - "text": "Revise la latencia del servidor de aplicaciones SAP al servidor de bases de datos mediante el informe ABAPMeter de SAP /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", - "waf": "Rendimiento" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", + "severity": "Alto", + "text": "Asegúrese de que los certificados SSL personalizados se almacenan en Azure Key Vault para que se pueda acceder a ellos y actualizarlos de forma segura", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", - "severity": "Medio", - "text": "Revise la supervisión del rendimiento de SQL Server mediante CCMS.", - "waf": "Rendimiento" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", + "severity": "Alto", + "text": "Protección de las solicitudes entrantes a las API (plano de datos) con Azure AD", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + 
"checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "severity": "Medio", - "text": "Pruebe la latencia de red entre las máquinas virtuales de la capa de aplicación de SAP y las máquinas virtuales de DBMS (NIPING).", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "Rendimiento" + "text": "Usar el identificador de Microsoft Entra para autenticar a los usuarios en el Portal para desarrolladores", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", "severity": "Medio", - "text": "Revise las alertas de SAP HANA Studio.", - "waf": "Rendimiento" + "text": "Crear grupos adecuados para controlar la visibilidad de los productos", + "waf": "Seguridad" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", "severity": "Medio", - "text": "Realice comprobaciones de estado de SAP HANA mediante HANA_Configuration_Minichecks.", - "waf": "Rendimiento" + "text": "Utilice la función Backends para eliminar las configuraciones redundantes de back-end de la API", + "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": 
"18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "severity": "Medio", - "text": "Si ejecuta máquinas virtuales Windows y Linux en Azure, en el entorno local o en otros entornos en la nube, puede usar el Centro de administración de actualizaciones de Automatización de Azure para administrar las actualizaciones del sistema operativo, incluidas las revisiones de seguridad.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "Seguridad" + "text": "Usar valores con nombre para almacenar valores comunes que se pueden usar en directivas", + "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "severity": "Medio", - "text": "Revise de forma rutinaria las notas de seguridad de SAP OSS, ya que SAP publica parches de seguridad muy críticos, o revisiones, que requieren una acción inmediata para proteger sus sistemas SAP.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "Seguridad" - }, - { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "Bajo", - "text": "En el caso de SAP en SQL Server, puede deshabilitar la cuenta de administrador del sistema de SQL Server porque los sistemas SAP en SQL Server no usan la cuenta. Asegúrese de que otro usuario con derechos de administrador del sistema pueda acceder al servidor antes de deshabilitar la cuenta de administrador del sistema original.", - "waf": "Seguridad" + "text": "En el caso de la recuperación ante desastres, aproveche el nivel premium con implementaciones escaladas en dos o más regiones para un acuerdo de nivel de servicio del 99,99 %", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "Alto", - "text": "Deshabilite xp_cmdshell. La característica de SQL Server xp_cmdshell habilita un shell de comandos del sistema operativo interno de SQL Server. 
Es un riesgo potencial en las auditorías de seguridad.", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "Seguridad" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", + "severity": "Medio", + "text": "Implemente al menos una unidad en dos o más zonas de disponibilidad para obtener un SLA aumentado del 99,99 %", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", "severity": "Alto", - "text": "El cifrado de servidores de bases de datos de SAP HANA en Azure usa la tecnología de cifrado nativa de SAP HANA. 
Además, si usa SQL Server en Azure, use el cifrado de datos transparente (TDE) para proteger los datos y los archivos de registro y asegurarse de que las copias de seguridad también están cifradas.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "waf": "Seguridad" + "text": "Asegúrese de que haya una rutina de copia de seguridad automatizada", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "severity": "Medio", - "text": "El cifrado de Azure Storage está habilitado para todas las cuentas de Azure Resource Manager y de almacenamiento clásico, y no se puede deshabilitar. 
Dado que los datos están cifrados de forma predeterminada, no es necesario modificar el código o las aplicaciones para usar el cifrado de Azure Storage.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "Seguridad" + "text": "Use directivas para agregar una dirección URL de back-end de conmutación por error y el almacenamiento en caché para reducir las llamadas con errores.", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", - "severity": "Alto", - "text": "Uso de Azure Key Vault para almacenar los secretos y las credenciales", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Seguridad" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", + "severity": "Bajo", + "text": "Si necesita iniciar sesión en niveles de alto rendimiento, tenga en cuenta la directiva de Event Hubs", + "waf": "Operaciones" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", "severity": "Medio", - "text": "Se recomienda bloquear los recursos de Azure después de la implementación correcta para protegerse contra cambios no autorizados. 
También puede aplicar restricciones y reglas de LOCK por suscripción mediante directivas de Azure personalizadas (rol personalizado).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "Seguridad" + "text": "Aplicación de directivas de limitación para controlar el número de solicitudes por segundo", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "severity": "Medio", - "text": "Aprovisione Azure Key Vault con las directivas de eliminación temporal y purga habilitadas para permitir la protección de retención de los objetos eliminados.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Seguridad" + "text": "Configurar el escalado automático para escalar horizontalmente el número de instancias cuando aumenta la carga", + "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", - "severity": "Alto", - "text": "En función de los requisitos existentes, controles normativos y de cumplimiento (internos y externos): determine qué directivas de Azure y el rol de RBAC de Azure son necesarios", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "Seguridad" - }, - { - 
"checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Alto", - "text": "Al habilitar Microsoft Defender para punto de conexión en el entorno de SAP, se recomienda excluir los archivos de datos y registro en los servidores DBMS en lugar de dirigirse a todos los servidores. Siga las recomendaciones de su proveedor de DBMS al excluir archivos de destino.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "Seguridad" - }, - { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", - "severity": "Alto", - "text": "Delegue un rol personalizado de administrador de SAP con acceso Just-In-Time de Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "waf": "Seguridad" - }, - { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Bajo", - "text": "cifre los datos en tránsito integrando el producto de seguridad de terceros con comunicaciones de red seguras (SNC) para DIAG (SAP GUI), RFC y SPNEGO para HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "Seguridad" - }, - { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": 
"https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "severity": "Medio", - "text": "De forma predeterminada, utilice claves administradas por Microsoft para la funcionalidad de cifrado de entidad de seguridad y use claves administradas por el cliente cuando sea necesario.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Seguridad" - }, - { - "checklist": "SAP Checklist", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", - "severity": "Alto", - "text": "Use una instancia de Azure Key Vault por aplicación, por entorno, por región.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Seguridad" + "text": "Implemente puertas de enlace autohospedadas en las que Azure no tenga una región cercana a las API de back-end.", + "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "severity": "Alto", - "text": "Para controlar y administrar claves y secretos de cifrado de disco para sistemas operativos Windows y Windows que no son de HANA, use Azure Key Vault. 
SAP HANA no es compatible con Azure Key Vault, por lo que debe usar métodos alternativos como SAP ABAP o claves SSH.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "Seguridad" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", + "severity": "Medio", + "text": "Use el nivel premium para las cargas de trabajo de producción.", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", - "severity": "Alto", - "text": "Personalización de los roles de control de acceso basado en rol (RBAC) para SAP en suscripciones de Azure spoke para evitar cambios accidentales relacionados con la red", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "Seguridad" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", + "severity": "Medio", + "text": "En el modelo de varias regiones, use directivas para enrutar las solicitudes a los back-ends regionales en función de la disponibilidad o la latencia.", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management 
Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", "severity": "Alto", - "text": "Aísle las redes perimetrales y las aplicaciones virtuales de red del resto del patrimonio de SAP, configure Azure Private Link y administre y controle de forma segura los recursos de SAP en Azure", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "Seguridad" - }, - { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "Bajo", - "text": "Considere la posibilidad de usar el software antimalware de Microsoft en Azure para proteger las máquinas virtuales de archivos malintencionados, adware y otras amenazas.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "Seguridad" - }, - { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "Bajo", - "text": "Para una protección aún más eficaz, considere la posibilidad de usar Microsoft Defender para punto de conexión.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "Seguridad" + "text": "Tenga en cuenta los límites de APIM", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": 
"Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", "severity": "Alto", - "text": "Aísle los servidores de aplicaciones y bases de datos de SAP de Internet o de la red local pasando todo el tráfico a través de la red virtual del centro de conectividad, que está conectada a la red radial mediante el emparejamiento de red virtual. Las redes virtuales emparejadas garantizan que la solución de SAP en Azure esté aislada de la red pública de Internet.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "Seguridad" + "text": "Asegúrese de que las implementaciones de puerta de enlace autohospedadas sean resistentes.", + "waf": "Fiabilidad" }, { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Bajo", - "text": "En el caso de las aplicaciones orientadas a Internet, como SAP Fiori, asegúrese de distribuir la carga según los requisitos de la aplicación mientras se mantienen los niveles de seguridad. 
Para la seguridad de nivel 7, puede usar un firewall de aplicaciones web (WAF) de terceros disponible en Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "waf": "Seguridad" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", + "severity": "Medio", + "text": "Uso de Azure Front Door delante de APIM para la implementación en varias regiones", + "waf": "Rendimiento" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "severity": "Medio", - "text": "Para habilitar la comunicación segura en las soluciones de Azure Monitor para SAP, puede optar por usar un certificado raíz o un certificado de servidor. 
Le recomendamos encarecidamente que utilice certificados raíz.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "text": "Implementación del servicio dentro de una red virtual (VNet)", "waf": "Seguridad" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", "service": "APIM", "severity": "Medio", - "text": "Implementar una política de control de errores a nivel global", - "waf": "Operaciones" + "text": "Implemente grupos de seguridad de red (NSG) en las subredes para restringir o supervisar el tráfico hacia/desde APIM.", + "waf": "Seguridad" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", "service": "APIM", "severity": "Medio", - "text": "Asegúrese de que todas las políticas de API incluyan un elemento.", - "waf": "Operaciones" + "text": "Implemente puntos de conexión privados para filtrar el tráfico entrante cuando APIM no se implemente en una red virtual.", + "waf": "Seguridad" }, { "arm-service": 
"Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", "service": "APIM", - "severity": "Medio", - "text": "Uso de fragmentos de políticas para evitar repetir las mismas definiciones de políticas en varias API", - "waf": "Operaciones" + "severity": "Alto", + "text": "Deshabilitar el acceso a la red pública", + "waf": "Seguridad" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", "service": "APIM", "severity": "Medio", - "text": "Si planeas monetizar tus API, revisa el artículo \"Soporte de monetización\" para conocer las prácticas recomendadas", + "text": "Simplifique la administración con scripts de automatización de PowerShell", "waf": "Operaciones" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", "service": "APIM", - "severity": "Alto", - "text": "Habilitación de la configuración de diagnóstico para 
exportar registros a Azure Monitor", + "severity": "Medio", + "text": "Configure APIM a través de la infraestructura como código. Revise las prácticas recomendadas de DevOps desde el acelerador de zonas de aterrizaje de API de Cloud Adaption Framework", "waf": "Operaciones" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", "service": "APIM", "severity": "Medio", - "text": "Habilitación de Application Insights para obtener telemetría más detallada", + "text": "Promover el uso de la extensión APIM de Visual Studio Code para un desarrollo de API más rápido", "waf": "Operaciones" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", "service": "APIM", - "severity": "Alto", - "text": "Configurar alertas sobre las métricas más críticas", + "severity": "Medio", + "text": "Implemente DevOps y CI/CD en su flujo de trabajo", "waf": "Operaciones" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", "service": "APIM", - "severity": "Alto", - "text": "Asegúrese de que los certificados SSL personalizados se almacenan en Azure Key Vault para que se pueda acceder a ellos y actualizarlos de forma segura", + "severity": "Medio", + "text": "API seguras mediante la autenticación de certificados de cliente", "waf": "Seguridad" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", "service": "APIM", - "severity": "Alto", - "text": "Protección de las solicitudes entrantes a las API (plano de datos) con Azure AD", + "severity": "Medio", + "text": "Servicios de back-end seguros mediante la autenticación de certificados de cliente", "waf": "Seguridad" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", "service": "APIM", "severity": "Medio", - "text": "Usar el identificador de Microsoft Entra para autenticar a los usuarios en el Portal para desarrolladores", + "text": "Revise el artículo \"Recomendaciones para mitigar las 10 principales amenazas de seguridad de la API de OWASP\" y compruebe qué se aplica a sus API", "waf": "Seguridad" }, { "arm-service": 
"Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", "service": "APIM", "severity": "Medio", - "text": "Crear grupos adecuados para controlar la visibilidad de los productos", + "text": "Utilice la función Autorizaciones para simplificar la administración del token de OAuth 2.0 para las API de back-end", "waf": "Seguridad" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", "service": "APIM", - "severity": "Medio", - "text": "Utilice la función Backends para eliminar las configuraciones redundantes de back-end de la API", - "waf": "Operaciones" + "severity": "Alto", + "text": "Utilice la versión más reciente de TLS al cifrar la información en tránsito. 
Deshabilite los protocolos y cifrados obsoletos e innecesarios cuando sea posible.", + "waf": "Seguridad" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", "service": "APIM", - "severity": "Medio", - "text": "Usar valores con nombre para almacenar valores comunes que se pueden usar en directivas", - "waf": "Operaciones" + "severity": "Alto", + "text": "Asegúrese de que los secretos (valores con nombre) se almacenan en Azure Key Vault para que se pueda acceder a ellos y actualizarlos de forma segura", + "waf": "Seguridad" }, { "arm-service": "Microsoft.ApiManagement/service", "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", "service": "APIM", "severity": "Medio", - "text": "En el caso de la recuperación ante desastres, aproveche el nivel premium con implementaciones escaladas en dos o más regiones para un acuerdo de nivel de servicio del 99,99 %", - "waf": "Fiabilidad" + "text": "Uso de identidades administradas para autenticarse en otros recursos de Azure siempre que sea posible", + "waf": "Seguridad" }, { "arm-service": "Microsoft.ApiManagement/service", 
"checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", "service": "APIM", + "severity": "Alto", + "text": "Uso del firewall de aplicaciones web (WAF) mediante la implementación de Application Gateway delante de APIM", + "waf": "Seguridad" + }, + { + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "severity": "Medio", - "text": "Implemente al menos una unidad en dos o más zonas de disponibilidad para obtener un SLA aumentado del 99,99 %", + "text": "Aproveche el servidor flexible", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "severity": "Alto", - "text": "Asegúrese de que haya una rutina de copia de seguridad automatizada", + "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente", "waf": 
"Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "severity": "Medio", - "text": "Use directivas para agregar una dirección URL de back-end de conmutación por error y el almacenamiento en caché para reducir las llamadas con errores.", + "text": "Aproveche la replicación de entrada de datos para escenarios de recuperación ante desastres entre regiones", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "Bajo", - "text": "Si necesita iniciar sesión en niveles de alto rendimiento, tenga en cuenta la directiva de Event Hubs", - "waf": "Operaciones" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Seleccione el plan de hospedaje de aplicaciones lógicas adecuado en función de los requisitos empresariales y de SLO", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": 
"https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", - "severity": "Medio", - "text": "Aplicación de directivas de limitación para controlar el número de solicitudes por segundo", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "Rendimiento" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Proteja las aplicaciones lógicas de errores de región con redundancia de zona y zonas de disponibilidad", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Si se 
implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "severity": "Medio", - "text": "Configurar el escalado automático para escalar horizontalmente el número de instancias cuando aumenta la carga", - "waf": "Rendimiento" + "text": "Aproveche Azure DevOps o GitHub para simplificar la CI/CD y proteger el código de la aplicación lógica", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "severity": "Medio", - "text": "Implemente puertas de enlace autohospedadas en las que Azure no tenga una región cercana a las API de back-end.", - "waf": "Rendimiento" + "text": "Azure Center for SAP Solutions (ACSS) es una oferta de Azure que convierte a SAP en una carga de trabajo de nivel superior en Azure. ACSS es una solución integral que permite crear y ejecutar sistemas SAP como una carga de trabajo unificada en Azure y proporciona una base más fluida para la innovación. 
Puede aprovechar las funcionalidades de administración de los sistemas SAP nuevos y existentes basados en Azure.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "severity": "Medio", - "text": "Use el nivel premium para las cargas de trabajo de producción.", - "waf": "Fiabilidad" + "text": "Azure admite la automatización de implementaciones de SAP en Linux y Windows. SAP Deployment Automation Framework es una herramienta de orquestación de código abierto que puede implementar, instalar y mantener entornos SAP.", + "training": "https://github.com/Azure/sap-automation", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", "severity": "Medio", - "text": "En el modelo de varias regiones, use directivas para enrutar las solicitudes a los back-ends regionales en función de la disponibilidad o la latencia.", + "text": "Realice una recuperación a un momento dado de sus bases de datos de producción en cualquier 
momento y en un período de tiempo que cumpla con su RTO; La recuperación a un momento dado suele incluir errores del operador al eliminar datos en la capa DBMS o a través de SAP, por cierto", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", - "severity": "Alto", - "text": "Tenga en cuenta los límites de APIM", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", + "severity": "Medio", + "text": "Pruebe los tiempos de copia de seguridad y recuperación para verificar que cumplen con los requisitos de RTO para restaurar todos los sistemas simultáneamente después de un desastre.", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "severity": "Alto", - "text": "Asegúrese de que las implementaciones de puerta de enlace autohospedadas sean resistentes.", + "text": "Puede replicar el almacenamiento estándar entre regiones emparejadas, pero no puede usar el almacenamiento estándar para almacenar las bases de datos o los discos duros virtuales. Las copias de seguridad solo se pueden replicar entre las regiones emparejadas que utilice. Para todos los demás datos, ejecute la replicación mediante características nativas de DBMS, como SQL Server Always On o SAP HANA System Replication. 
Use una combinación de Site Recovery, rsync o robocopy y otro software de terceros para la capa de aplicación de SAP.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "Medio", - "text": "Uso de Azure Front Door delante de APIM para la implementación en varias regiones", - "waf": "Rendimiento" + "text": "Al usar Azure Availability Zones para lograr una alta disponibilidad, debe tener en cuenta la latencia entre los servidores de aplicaciones SAP y los servidores de bases de datos. 
En el caso de las zonas con latencias altas, es necesario implementar procedimientos operativos para garantizar que los servidores de aplicaciones SAP y los servidores de bases de datos se ejecuten en la misma zona en todo momento.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", - "severity": "Medio", - "text": "Implementación del servicio dentro de una red virtual (VNet)", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", + "severity": "Alto", + "text": "Configure conexiones de ExpressRoute desde el entorno local a las regiones de recuperación ante desastres de Azure principal y secundaria. 
Además, como alternativa al uso de ExpressRoute, considere la posibilidad de configurar conexiones VPN desde el entorno local a las regiones de recuperación ante desastres de Azure principal y secundaria.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", - "severity": "Medio", - "text": "Implemente grupos de seguridad de red (NSG) en las subredes para restringir o supervisar el tráfico hacia/desde APIM.", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", + "severity": "Bajo", + "text": "Replique el contenido del almacén de claves, como certificados, secretos o claves, en todas las regiones para poder descifrar los datos de la región de recuperación ante desastres.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "Medio", - "text": "Implemente puntos de conexión privados 
para filtrar el tráfico entrante cuando APIM no se implemente en una red virtual.", - "waf": "Seguridad" + "text": "Empareje las redes virtuales principal y de recuperación ante desastres. Por ejemplo, para la replicación del sistema HANA, una red virtual de base de datos de SAP HANA debe estar emparejada con la red virtual de base de datos de SAP HANA del sitio de recuperación ante desastres.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", - "severity": "Alto", - "text": "Deshabilitar el acceso a la red pública", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "Bajo", + "text": "Si usa el almacenamiento de Azure NetApp Files para las implementaciones de SAP, como mínimo, cree dos cuentas de Azure NetApp Files en el nivel Premium, en dos regiones.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", - "severity": "Medio", - "text": "Simplifique la administración con scripts de automatización de PowerShell", - "waf": "Operaciones" + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "Alto", + "text": "Se debe usar la tecnología de replicación de bases de datos nativas para sincronizar la base de datos en un par de alta disponibilidad.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", - "severity": "Medio", - "text": "Configure APIM a través de la infraestructura como código. Revise las prácticas recomendadas de DevOps desde el acelerador de zonas de aterrizaje de API de Cloud Adaption Framework", - "waf": "Operaciones" + "checklist": "SAP Checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "Alto", + "text": "El CIDR de la red virtual (VNet) principal no debe entrar en conflicto ni superponerse con el CIDR de la red virtual del sitio de recuperación ante desastres", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", - "severity": "Medio", - "text": "Promover el uso de la extensión APIM de Visual Studio Code para un desarrollo de API más rápido", - "waf": "Operaciones" + 
"checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "Alto", + "text": "Use Site Recovery para replicar un servidor de aplicaciones en un sitio de recuperación ante desastres. Site Recovery también puede ayudar a replicar máquinas virtuales de clúster de servicios centrales en el sitio de recuperación ante desastres. Al invocar la recuperación ante desastres, deberá volver a configurar el clúster de Linux Pacemaker en el sitio de recuperación ante desastres (por ejemplo, reemplazar el VIP o SBD, ejecutar corosync.conf, etc.).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", - "severity": "Medio", - "text": "Implemente DevOps y CI/CD en su flujo de trabajo", - "waf": "Operaciones" + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Alto", + "text": "Considere la disponibilidad del software de SAP frente a puntos únicos de fallo. Esto incluye puntos únicos de falla dentro de aplicaciones como DBMS utilizados en las arquitecturas SAP NetWeaver y SAP S/4HANA, SAP ABAP y ASCS + SCS. 
También, otras herramientas como SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", - "severity": "Medio", - "text": "API seguras mediante la autenticación de certificados de cliente", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "Alto", + "text": "En el caso de SAP y bases de datos de SAP, considere la posibilidad de implementar clústeres de conmutación por error automática. En Windows, los clústeres de conmutación por error de Windows Server admiten la conmutación por error. 
En Linux, Linux Pacemaker o herramientas de terceros como SIOS Protection Suite y Veritas InfoScale admiten la conmutación por error.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", - "severity": "Medio", - "text": "Servicios de back-end seguros mediante la autenticación de certificados de cliente", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "Alto", + "text": "Azure no admite arquitecturas en las que las máquinas virtuales principal y secundaria compartan el almacenamiento de los datos de DBMS. 
Para la capa DBMS, el patrón de arquitectura común es replicar bases de datos al mismo tiempo y con pilas de almacenamiento diferentes a las que usan las máquinas virtuales principal y secundaria.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", - "severity": "Medio", - "text": "Revise el artículo \"Recomendaciones para mitigar las 10 principales amenazas de seguridad de la API de OWASP\" y compruebe qué se aplica a sus API", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", + "severity": "Alto", + "text": "Los datos de DBMS y los archivos de registro de transacciones y puesta al día se almacenan en el almacenamiento en bloque compatible con Azure o en Azure NetApp Files. 
Azure Files o Azure Premium Files no se admiten como almacenamiento para datos de DBMS o archivos de registro de puesta al día con la carga de trabajo de SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", - "severity": "Medio", - "text": "Utilice la función Autorizaciones para simplificar la administración del token de OAuth 2.0 para las API de back-end", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "severity": "Alto", + "text": "Puede usar discos compartidos de Azure en Windows para componentes ASCS + SCS y escenarios específicos de alta disponibilidad. Configure los clústeres de conmutación por error por separado para los componentes de la capa de aplicación de SAP y la capa de DBMS. 
Actualmente, Azure no admite arquitecturas de alta disponibilidad que combinen componentes de la capa de aplicación de SAP y la capa de DBMS en un clúster de conmutación por error.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", "severity": "Alto", - "text": "Utilice la versión más reciente de TLS al cifrar la información en tránsito. Deshabilite los protocolos y cifrados obsoletos e innecesarios cuando sea posible.", - "waf": "Seguridad" + "text": "La mayoría de los clústeres de conmutación por error para los componentes de la capa de aplicación (ASCS) de SAP y la capa de DBMS requieren una dirección IP virtual para un clúster de conmutación por error. Azure Load Balancer debe controlar la dirección IP virtual para todos los demás casos. Un principio de diseño es usar un equilibrador de carga por configuración de clúster. 
Te recomendamos que utilices la versión estándar del equilibrador de carga (SKU de equilibrador de carga estándar).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", "severity": "Alto", - "text": "Asegúrese de que los secretos (valores con nombre) se almacenan en Azure Key Vault para que se pueda acceder a ellos y actualizarlos de forma segura", - "waf": "Seguridad" + "text": "Asegúrese de que la IP flotante esté habilitada en el equilibrador de carga", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", - "severity": "Medio", - "text": "Uso de identidades administradas para autenticarse en otros recursos de Azure siempre que sea posible", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": 
"https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "severity": "Alto", + "text": "Antes de implementar la infraestructura de alta disponibilidad, y en función de la región que elija, determine si desea realizar la implementación con un conjunto de disponibilidad de Azure o una zona de disponibilidad.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", "severity": "Alto", - "text": "Uso del firewall de aplicaciones web (WAF) mediante la implementación de Application Gateway delante de APIM", - "waf": "Seguridad" + "text": "Si desea cumplir los acuerdos de nivel de servicio de infraestructura para las aplicaciones de los componentes de SAP (servicios centrales, servidores de aplicaciones y bases de datos), debe elegir las mismas opciones de alta disponibilidad (máquinas virtuales, conjuntos de disponibilidad, zonas de disponibilidad) para todos los componentes.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", + "checklist": "SAP 
Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "severity": "Alto", - "text": "Siga las barreras de seguridad de Metaprompting para una IA responsable", - "waf": "Excelencia Operacional" + "text": "No mezcle servidores de diferentes roles en el mismo conjunto de disponibilidad. Mantenga las máquinas virtuales de servicios centrales, las máquinas virtuales de base de datos y las máquinas virtuales de aplicaciones en sus propios conjuntos de disponibilidad", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Considere la posibilidad de crear patrones de puerta de enlace con APIM o soluciones como AI Central para mejorar la limitación de velocidad, el equilibrio de carga, la autenticación y el registro", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", + "severity": "Medio", + "text": "No se pueden implementar conjuntos de disponibilidad de Azure dentro de una zona de disponibilidad de Azure a menos que se usen grupos de selección de ubicación de proximidad.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": 
"https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "severity": "Alto", - "text": "Habilitación de la supervisión para las instancias de AOAI", - "waf": "Excelencia Operacional" + "text": "Al crear conjuntos de disponibilidad, use el número máximo de dominios de error y dominios de actualización disponibles. Por ejemplo, si implementa más de dos máquinas virtuales en un conjunto de disponibilidad, use el número máximo de dominios de error (tres) y suficientes dominios de actualización para limitar el efecto de posibles errores de hardware físico, interrupciones de red o interrupciones de energía, además del mantenimiento planeado de Azure. El número predeterminado de dominios de error es dos y no puede cambiarlo en línea más adelante.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "Alto", - "text": "Cree alertas para notificar a los equipos de eventos, como una entrada en el registro de actividad creada por una acción realizada en el recurso, como la regeneración de sus claves de suscripción, o un umbral de métrica, como el número de errores que superan los 10 en una hora", - "waf": "Excelencia 
Operacional" + "text": "Cuando se usan grupos de selección con selección de ubicación de proximidad de Azure en una implementación de conjunto de disponibilidad, los tres componentes de SAP (servicios centrales, servidor de aplicaciones y base de datos) deben estar en el mismo grupo con selección de ubicación de proximidad.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "Alto", - "text": "Supervise el uso de tokens para evitar interrupciones del servicio debido a la capacidad", - "waf": "Excelencia Operacional" + "text": "Use un grupo de selección de ubicación de proximidad por SID de SAP. 
Los grupos no abarcan zonas de disponibilidad ni regiones de Azure", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Observe métricas como tokens de inferencia procesados, tokens de finalización generados, monitoree el límite de velocidad", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Alto", + "text": "Utilice uno de los siguientes servicios para ejecutar clústeres de servicios centrales de SAP, en función del sistema operativo.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", - "severity": "Bajo", - "text": "Si los diagnósticos no son suficientes para usted, considere la posibilidad de usar una puerta de enlace como Azure API Managements frente a Azure OpenAI para registrar tanto los mensajes entrantes como las respuestas salientes, cuando esté permitido", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", + "severity": "Medio", + "text": "Actualmente, Azure no admite la 
combinación de ASCS y alta disponibilidad de base de datos en el mismo clúster de Linux Pacemaker; sepáralos en grupos individuales. Sin embargo, puede combinar hasta cinco clústeres de servicios centrales en un par de máquinas virtuales.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Use la infraestructura como código para implementar el servicio Azure OpenAI, las implementaciones de modelos y todos los recursos relacionados", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Medio", + "text": "Implemente ambas máquinas virtuales en el par de alta disponibilidad en un conjunto de disponibilidad o en zonas de disponibilidad. 
Estas máquinas virtuales deben tener el mismo tamaño y la misma configuración de almacenamiento.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Uso de la autenticación de Microsoft Entra con identidad administrada en lugar de clave de API", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", + "severity": "Medio", + "text": "Azure admite la instalación y configuración de SAP HANA y las instancias de ASCS/SCS y ERS en el mismo clúster de alta disponibilidad que se ejecuta en Red Hat Enterprise Linux (RHEL).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "Alto", - "text": "Evalúe el rendimiento/precisión del sistema con un conjunto de datos dorado conocido que tenga las entradas y las respuestas correctas. 
Aproveche las capacidades de PromptFlow para la evaluación.", - "waf": "Excelencia Operacional" + "text": "Ejecute todos los sistemas de producción en SSD administradas Premium y use Azure NetApp Files o Ultra Disk Storage. Al menos el disco del sistema operativo debe estar en el nivel Premium para que pueda lograr un mejor rendimiento y el mejor Acuerdo de Nivel de Servicio.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", "severity": "Alto", - "text": "Evaluación del uso del modelo de rendimiento aprovisionado ", - "waf": "Rendimiento" + "text": "Debe ejecutar SAP HANA en Azure solo en los tipos de almacenamiento certificados por SAP. Tenga en cuenta que ciertos volúmenes deben ejecutarse en determinadas configuraciones de disco, cuando corresponda. Estas configuraciones incluyen la habilitación del acelerador de escritura y el uso del almacenamiento premium. 
También debe asegurarse de que el sistema de archivos que se ejecuta en el almacenamiento es compatible con el DBMS que se ejecuta en la máquina.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", "severity": "Alto", - "text": "Revisión e implementación de la seguridad del contenido de Azure AI", - "waf": "Excelencia Operacional" + "text": "Considere la posibilidad de configurar la alta disponibilidad en función del tipo de almacenamiento que utilice para las cargas de trabajo de SAP. 
Algunos servicios de almacenamiento disponibles en Azure no son compatibles con Azure Site Recovery, por lo que la configuración de alta disponibilidad puede diferir.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", "severity": "Alto", - "text": "Defina y evalúe el rendimiento del sistema en función de los tokens y la respuesta por minuto y alinee con los requisitos", - "waf": "Rendimiento" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Mejore la latencia del sistema limitando el tamaño de los tokens, las opciones de transmisión", - "waf": "Rendimiento" + "text": "Es posible que los diferentes servicios de almacenamiento nativos de Azure (como Azure Files, Azure NetApp Files, Azure Shared Disk) no estén disponibles en todas las regiones. 
Por lo tanto, para tener una configuración de SAP similar en la región de recuperación ante desastres después de la conmutación por error, asegúrese de que el servicio de almacenamiento correspondiente se ofrece en el sitio de recuperación ante desastres.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "severity": "Medio", - "text": "Calcule las demandas de elasticidad para determinar la segregación de solicitudes sincrónicas y por lotes en función de la prioridad. Para la prioridad alta, utilice el enfoque sincrónico y para la prioridad baja, se prefiere el procesamiento por lotes asincrónico con cola", - "waf": "Rendimiento" + "text": "Automatice SAP System Start-Stop para gestionar los costes.", + "waf": "Costar" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Compare los requisitos de consumo de tokens en función de las demandas estimadas de los consumidores. 
Considere la posibilidad de usar la herramienta de pruebas comparativas de Azure OpenAI para ayudarle a validar el rendimiento si usa implementaciones de unidades de rendimiento aprovisionadas", - "waf": "Rendimiento" + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "Bajo", + "text": "En el caso de usar Azure Premium Storage con SAP HANA, se puede usar el almacenamiento SSD estándar de Azure para seleccionar una solución de almacenamiento rentable. Sin embargo, tenga en cuenta que la elección de SSD estándar o almacenamiento de Azure HDD estándar afectará al Acuerdo de Nivel de Servicio de las máquinas virtuales individuales. Además, para sistemas con menor rendimiento de E/S y baja latencia, como entornos que no son de producción, se pueden usar máquinas virtuales de series inferiores.", + "waf": "Costar" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Si usa unidades de rendimiento aprovisionadas (PTU), considere la posibilidad de implementar una implementación de token por minuto (TPM) para las solicitudes de desbordamiento. 
Use una puerta de enlace para enrutar las solicitudes a la implementación de TPM cuando se alcancen los límites de PTU.", - "waf": "Rendimiento" + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "Bajo", + "text": "Como configuración alternativa de menor costo (multipropósito), puede elegir una SKU de bajo rendimiento para las máquinas virtuales del servidor de base de datos de HANA que no son de producción. Sin embargo, es importante tener en cuenta que algunos tipos de máquinas virtuales, como la serie E, no están certificadas para HANA (directorio de hardware de SAP HANA) o no pueden alcanzar una latencia de almacenamiento inferior a 1 ms.", + "waf": "Costar" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", "severity": "Alto", - "text": "Elija el modelo adecuado para la tarea correcta. 
Elija modelos con el equilibrio adecuado entre velocidad, calidad de respuesta y complejidad de salida", - "waf": "Rendimiento" + "text": "Aplicación de un modelo RBAC para grupos de administración, suscripciones, grupos de recursos y recursos", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "severity": "Medio", - "text": "Tener una línea de base para el rendimiento sin ajuste fino para saber si el ajuste fino ha mejorado o no el rendimiento del modelo", - "waf": "Rendimiento" + "text": "Aplicación de la propagación de la entidad de seguridad para reenviar la identidad de la aplicación en la nube de SAP a SAP local (incluida IaaS) a través del conector en la nube", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "Bajo", - "text": "Implementación de varias instancias de OAI en todas las regiones", - "waf": "Fiabilidad" + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": 
"https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", + "severity": "Medio", + "text": "Implemente SSO en aplicaciones SAP SaaS como SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics y SAP C4C con Azure AD mediante SAML.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Implemente reintentos y comprobaciones de estado con el patrón de puerta de enlace como APIM", - "waf": "Fiabilidad" + "checklist": "SAP Checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", + "severity": "Medio", + "text": "Implemente SSO en aplicaciones web basadas en SAP NetWeaver, como SAP Fiori y SAP Web GUI mediante SAML.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", "severity": "Medio", - "text": "Asegúrese de tener cuotas adecuadas de TPM y RPM para la carga de trabajo", - "waf": "Fiabilidad" + "text": "Implemente SSO en aplicaciones web basadas en SAP NetWeaver, como SAP Fiori y SAP Web GUI mediante SAML.", + "training": 
"https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "severity": "Medio", - "text": "Revise las consideraciones de la guía del kit de herramientas de HAI y aplique esas prácticas de interacción para el slution", - "waf": "Excelencia Operacional" + "text": "Puede implementar SSO en la GUI de SAP mediante SAP NetWeaver SSO o una solución de partner.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", "severity": "Medio", - "text": "Implemente modelos de ajuste de precisión independientes en todas las regiones si se emplea el ajuste de precisión", - "waf": "Fiabilidad" + "text": "Para SSO para SAP GUI y acceso al navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociación GSSAPI simple y protegido) debido a su facilidad de configuración y mantenimiento. 
Para SSO con certificados de cliente X.509, considere el servidor de inicio de sesión seguro de SAP, que es un componente de la solución SSO de SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", "severity": "Medio", - "text": "Realice copias de seguridad y replique regularmente los datos críticos para garantizar la disponibilidad y la capacidad de recuperación de los datos en caso de pérdida de datos o fallos del sistema. Aproveche los servicios de copia de seguridad y recuperación ante desastres de Azure para proteger sus datos.", - "waf": "Fiabilidad" + "text": "Para SSO para SAP GUI y acceso al navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociación GSSAPI simple y protegido) debido a su facilidad de configuración y mantenimiento. 
Para SSO con certificados de cliente X.509, considere el servidor de inicio de sesión seguro de SAP, que es un componente de la solución SSO de SAP.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Los niveles de servicio de búsqueda de Azure AI deben elegirse para tener un Acuerdo de Nivel de Servicio ", - "waf": "Fiabilidad" + "checklist": "SAP Checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", + "severity": "Medio", + "text": "Implemente el inicio de sesión único mediante OAuth para SAP NetWeaver a fin de permitir que aplicaciones personalizadas o de terceros accedan a los servicios OData de SAP NetWeaver.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "Azure OpenAI", - "severity": "Bajo", - "text": "Clasifique los datos y la confidencialidad, etiquetando con Microsoft Purview antes de generar las incrustaciones y asegúrese de tratar las incrustaciones generadas con la misma confidencialidad y clasificación", + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", + "severity": "Medio", + "text": "Implementación de SSO en SAP HANA", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Cifre los datos utilizados para RAG con cifrado SSE/Disk con BYOK opcional", + "checklist": "SAP Checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", + "severity": "Medio", + "text": "Considere Azure AD como un proveedor de identidades para sistemas SAP hospedados en RISE. Para obtener más información, consulte Integración del servicio con Azure AD.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Asegúrese de que TLS se aplica a los datos en tránsito a través de fuentes de datos, la búsqueda de IA utilizada para la generación aumentada de recuperación (RAG) y la comunicación de LLM", + "checklist": "SAP Checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", + "severity": "Medio", + "text": "En el caso de las aplicaciones que acceden a SAP, es posible que desee utilizar la propagación de entidades de seguridad para establecer el inicio de sesión único.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Use RBAC para administrar el acceso a los servicios de Azure OpenAI. 
Asigne los permisos adecuados a los usuarios y restrinja el acceso en función de sus funciones y responsabilidades", + "checklist": "SAP Checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", + "severity": "Medio", + "text": "Si usa servicios BTP de SAP o soluciones SaaS que requieren SAP Identity Authentication Service (IAS), considere la posibilidad de implementar SSO entre SAP Cloud Identity Authentication Services y Azure AD para acceder a esos servicios de SAP. Esta integración permite a SAP IAS actuar como proveedor de identidades de proxy y reenvía las solicitudes de autenticación a Azure AD como almacén de usuarios central y proveedor de identidades.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", "severity": "Medio", - "text": "Implemente técnicas de cifrado, enmascaramiento o redacción de datos para ocultar datos confidenciales o reemplazarlos con valores ofuscados en entornos que no sean de producción o al compartir datos con fines de prueba o solución de problemas", + "text": "Implementación de SSO en SAP BTP", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Use Azure 
Defender para detectar y responder a las amenazas de seguridad y configurar mecanismos de supervisión y alerta para identificar actividades sospechosas o infracciones. Aproveche Azure Sentinel para la detección y respuesta a amenazas avanzadas", + "checklist": "SAP Checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", + "severity": "Medio", + "text": "Si usa SAP SuccessFactors, considere la posibilidad de usar el aprovisionamiento automatizado de usuarios de Azure AD. Con esta integración, a medida que agrega nuevos empleados a SAP SuccessFactors, puede crear automáticamente sus cuentas de usuario en Azure AD. Opcionalmente, puede crear cuentas de usuario en Microsoft 365 u otras aplicaciones SaaS compatibles con Azure AD. Utilice la escritura diferida de la dirección de correo electrónico en SAP SuccessFactors.", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", "severity": "Medio", - "text": "Establezca políticas de retención y eliminación de datos para cumplir con las regulaciones de cumplimiento. 
Implemente métodos de eliminación seguros para los datos que ya no son necesarios y mantenga un registro de auditoría de las actividades de retención y eliminación de datos", - "waf": "Seguridad" + "text": "aplicar las directivas de grupo de administración existentes a las suscripciones de SAP", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "severity": "Alto", - "text": "Implemente los escudos de aviso y la detección de conexión a tierra mediante Content Safety ", - "waf": "Excelencia Operacional" + "text": "Integre aplicaciones estrechamente acopladas en la misma suscripción de SAP para evitar una complejidad adicional de enrutamiento y administración", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "severity": "Alto", - "text": "Garantice el cumplimiento de las normativas de protección de datos pertinentes, como el RGPD o la HIPAA, mediante la 
implementación de controles de privacidad y la obtención de los consentimientos o permisos necesarios para las actividades de tratamiento de datos.", - "waf": "Seguridad" + "text": "Aprovechar la suscripción como unidad de escalado y escalar nuestros recursos, considere implementar la suscripción por entorno, por ejemplo. Sandbox, no-prod, prod ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Eduque a sus empleados sobre las mejores prácticas de seguridad de datos, la importancia de manejar los datos de forma segura y los riesgos potenciales asociados con las violaciones de datos. Anímelos a seguir diligentemente los protocolos de seguridad de datos.", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", + "severity": "Alto", + "text": "Garantizar el aumento de la cuota como parte del aprovisionamiento de suscripciones (por ejemplo, el total de núcleos de máquina virtual disponibles dentro de una suscripción)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", + "severity": "Bajo", + "text": "La API de cuota es una API de REST que se puede usar para ver y administrar las 
cuotas de los servicios de Azure. Considere usarlo si es necesario.", + "waf": "Operaciones" + }, + { + "checklist": "SAP Checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", "severity": "Alto", - "text": "Mantenga los datos de producción separados de los datos de desarrollo y pruebas. Utilice únicamente datos confidenciales reales en producción y utilice datos anónimos o sintéticos en entornos de desarrollo y prueba.", - "waf": "Seguridad" + "text": "Si realiza la implementación en una zona de disponibilidad, asegúrese de que la implementación de la zona de la máquina virtual esté disponible una vez que se haya aprobado la cuota. Envíe una solicitud de soporte técnico con la suscripción, la serie de máquinas virtuales, el número de CPU y la zona de disponibilidad necesarias.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Si tiene distintos niveles de confidencialidad de datos, considere la posibilidad de crear índices independientes para cada nivel. Por ejemplo, podría tener un índice para los datos generales y otro para los datos confidenciales, cada uno gobernado por diferentes protocolos de acceso", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", + "severity": "Alto", + "text": "Asegúrese de que los servicios y funciones requeridos estén disponibles dentro de las regiones de implementación elegidas, por ejemplo. 
ANF, Zona, etc.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", "severity": "Medio", - "text": "Lleve la segregación un paso más allá colocando conjuntos de datos confidenciales en diferentes instancias del servicio. Cada instancia se puede controlar con su propio conjunto específico de políticas RBAC", - "waf": "Seguridad" + "text": "Aproveche la etiqueta de recurso de Azure para la categorización de costos y la agrupación de recursos (facturación, departamento (o unidad de negocio), entorno (producción, fase, desarrollo), nivel (nivel web, nivel de aplicación), propietario de la aplicación, ProjectName)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "severity": "Alto", - "text": "Reconozca que las incrustaciones y los vectores generados a partir de información confidencial son en sí mismos confidenciales. 
Estos datos deben recibir las mismas medidas de protección que el material de origen", - "waf": "Seguridad" + "text": "Ayude a proteger la base de datos de HANA mediante el servicio Azure Backup.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Aplique RBAC a los almacenes de datos que tienen incrustaciones y vectores y alcance el acceso en función de los requisitos de acceso del rol", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Configure un punto de conexión privado para que los servicios de IA restrinjan el acceso al servicio dentro de su red", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Aplique un estricto control del tráfico entrante y saliente con Azure Firewall y UDR, y limite los puntos de integración externos", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", + "severity": "Medio", + "text": "Si implementa Azure NetApp Files para la base de datos HANA, 
Oracle o DB2, use la herramienta Azure Application Consistent Snapshot (AzAcSnap) para tomar instantáneas coherentes con la aplicación. AzAcSnap también es compatible con las bases de datos de Oracle. Considere la posibilidad de usar AzAcSnap en una máquina virtual central en lugar de en máquinas virtuales individuales.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "severity": "Alto", - "text": "Implemente la segmentación de la red y los controles de acceso para restringir el acceso a la aplicación LLM solo a los usuarios y sistemas autorizados y evitar el movimiento lateral", - "waf": "Seguridad" + "text": "Asegúrese de que la zona horaria coincida entre el sistema operativo y el sistema SAP.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", "severity": "Medio", - "text": "Utilice herramientas de compresión rápida como LLMLingua o gprtrim", - "waf": "Optimización de costes" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure 
OpenAI", - "severity": "Alto", - "text": "Asegúrese de que las API y los puntos finales utilizados por la aplicación LLM estén correctamente protegidos con mecanismos de autenticación y autorización, como identidades administradas, claves de API u OAuth, para evitar el acceso no autorizado.", - "waf": "Seguridad" + "text": "No agrupe diferentes servicios de aplicaciones en el mismo clúster. Por ejemplo, no combine DRBD y clústeres de servicios centrales en el mismo clúster. Sin embargo, puede usar el mismo clúster de Pacemaker para administrar aproximadamente cinco servicios centrales diferentes (clúster de varios SID).", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Aplique mecanismos sólidos de autenticación de usuario final, como la autenticación multifactor, para evitar el acceso no autorizado a la aplicación LLM y a los recursos de red asociados", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", + "severity": "Bajo", + "text": "Considere la posibilidad de ejecutar sistemas de desarrollo y pruebas en un modelo de repetición para ahorrar y optimizar los costos de ejecución de Azure.", + "waf": "Costar" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": 
"https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", "severity": "Medio", - "text": "Implemente herramientas de monitoreo de red para detectar y analizar el tráfico de red en busca de actividades sospechosas o maliciosas. Habilite el registro para capturar eventos de red y facilitar el análisis forense en caso de incidentes de seguridad", - "waf": "Seguridad" + "text": "Si se asocia con los clientes mediante la administración de sus propiedades de SAP, considere la posibilidad de usar Azure Lighthouse. Azure Lighthouse permite a los proveedores de servicios administrados usar los servicios de identidad nativos de Azure para autenticarse en el entorno de los clientes. Pone el control en manos de los clientes, ya que pueden revocar el acceso en cualquier momento y auditar las acciones de los proveedores de servicios.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", "severity": "Medio", - "text": "Realizar auditorías de seguridad y pruebas de penetración para identificar y abordar cualquier debilidad o vulnerabilidad de seguridad de red en la infraestructura de red de la aplicación LLM", - "waf": "Seguridad" + "text": "Use Azure Update Manager para comprobar el estado de las actualizaciones disponibles para una sola máquina virtual o varias máquinas virtuales y considere la posibilidad de programar revisiones periódicas.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": 
"Azure OpenAI Review", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", "severity": "Bajo", - "text": "Los servicios de Azure AI están etiquetados correctamente para una mejor administración", - "waf": "Excelencia Operacional" + "text": "Optimice y gestione las operaciones de SAP Basis mediante SAP Landscape Management (LaMa). Use el conector de SAP LaMa para Azure para reubicar, copiar, clonar y actualizar sistemas SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", - "severity": "Bajo", - "text": "Las cuentas de Azure AI Service siguen las convenciones de nomenclatura de la organización", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", + "severity": "Medio", + "text": "Use Azure Monitor para soluciones SAP para supervisar las cargas de trabajo de SAP (SAP HANA, clústeres de SUSE de alta disponibilidad y sistemas SQL) en Azure. 
Considere la posibilidad de complementar las soluciones de Azure Monitor para SAP con SAP Solution Manager.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "severity": "Alto", - "text": "Los registros de diagnóstico en los recursos de servicios de Azure AI deben estar habilitados", - "waf": "Excelencia Operacional" + "text": "Ejecute una comprobación de extensión de máquina virtual para SAP. VM Extension for SAP usa la identidad administrada asignada de una máquina virtual (VM) para acceder a los datos de configuración y supervisión de VM. La comprobación garantiza que todas las métricas de rendimiento de la aplicación SAP proceden de la extensión de Azure para SAP subyacente.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Se recomienda deshabilitar el acceso a claves (autenticación local) por seguridad. Después de deshabilitar el acceso basado en claves, el identificador de Microsoft Entra se convierte en el único método de acceso, lo que permite mantener el principio de privilegio mínimo y el control granular. 
", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", + "severity": "Medio", + "text": "Use Azure Policy para el control de acceso y los informes de cumplimiento. Azure Policy proporciona la capacidad de aplicar la configuración de toda la organización para garantizar el cumplimiento coherente de las directivas y la detección rápida de infracciones. ", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Almacene y administre claves de forma segura con Azure Key Vault. Evite codificar de forma rígida o incrustar claves confidenciales en el código de la aplicación de LLM y recupérelas de forma segura de Azure Key Vault mediante identidades administradas", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", + "severity": "Medio", + "text": "Use el Monitor de conexión en Azure Network Watcher para supervisar las métricas de latencia de las bases de datos y los servidores de aplicaciones de SAP. 
O bien, recopile y muestre medidas de latencia de red mediante Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Rotar y expirar periódicamente las claves almacenadas en Azure Key Vault para minimizar el riesgo de acceso no autorizado.", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", + "severity": "Medio", + "text": "Realice una comprobación de calidad de SAP HANA en la infraestructura de Azure aprovisionada para comprobar que las máquinas virtuales aprovisionadas cumplen con los procedimientos recomendados de SAP HANA en Azure.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "Alto", - "text": "Use tiktoken para comprender los tamaños de los tokens para las optimizaciones de tokens en el modo conversacional", - "waf": "Optimización de costes" + "text": "Para cada suscripción de Azure, ejecute una prueba de latencia en las zonas de disponibilidad de Azure antes de la implementación zonal para elegir zonas de baja latencia para la implementación de SAP en Azure.", + 
"training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", - "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Siga prácticas de codificación seguras para evitar vulnerabilidades comunes, como ataques de inyección, secuencias de comandos entre sitios (XSS) o errores de configuración de seguridad.", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", + "severity": "Medio", + "text": "Ejecute el informe de resistencia para asegurarse de que la configuración de toda la infraestructura de Azure aprovisionada (proceso, base de datos, redes, almacenamiento, Site Recovery) cumple con la configuración definida por Cloud Adaption Framework para Azure.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Configurar un proceso para actualizar y parchear regularmente las bibliotecas de LLM y otros componentes del sistema", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", + "severity": "Medio", + "text": "Implemente la protección contra amenazas mediante la solución Microsoft 
Sentinel para SAP. Utilice esta solución para supervisar sus sistemas SAP y detectar amenazas sofisticadas en toda la lógica empresarial y las capas de aplicación.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Cumplir con los términos de uso, las directivas y las directrices de Azure OpenAI u otros LLM, así como con los casos de uso permitidos.", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", + "severity": "Medio", + "text": "El etiquetado de Azure se puede aprovechar para agrupar y realizar un seguimiento lógico de los recursos, automatizar sus implementaciones y, lo que es más importante, proporcionar visibilidad de los costos incurridos.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Comprenda la diferencia en el costo de los modelos base y los modelos ajustados y los tamaños de paso de token", - "waf": "Optimización de costes" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - 
"guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Solicitudes por lotes, siempre que sea posible, para minimizar la sobrecarga por llamada, lo que puede reducir los costos generales. Asegúrese de optimizar el tamaño del lote", - "waf": "Optimización de costes" + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", + "severity": "Bajo", + "text": "Use la supervisión de latencia entre máquinas virtuales para aplicaciones sensibles a la latencia.", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "Medio", - "text": "Configure un sistema de seguimiento de costos que supervise el uso del modelo y use esa información para ayudar a informar las opciones de modelos y los tamaños indicados", - "waf": "Optimización de costes" + "text": "Use la supervisión de Azure Site Recovery para mantener el estado del servicio de recuperación ante desastres para los servidores de aplicaciones SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "severity": "Medio", - "text": "Establezca un límite máximo en el número de tokens por respuesta de modelo. Optimice el tamaño para asegurarse de que sea lo suficientemente grande para una respuesta válida", - "waf": "Optimización de costes" + "text": "Excluya todos los sistemas de archivos de bases de datos y programas ejecutables de los análisis antivirus. Incluirlos podría dar lugar a problemas de rendimiento. Consulte con los proveedores de bases de datos para obtener detalles prescriptivos sobre la lista de exclusión. Por ejemplo, Oracle recomienda excluir /oracle//sapdata de los análisis antivirus.", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Revise las instrucciones proporcionadas sobre la configuración de la búsqueda de IA para la confiabilidad", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", + "severity": "Bajo", + "text": "Considere la posibilidad de recopilar estadísticas de base de datos completas para bases de datos que no son de HANA después de la migración. 
Por ejemplo, implemente la nota de SAP 1020260 - Entrega de estadísticas de Oracle.", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "severity": "Medio", - "text": "Planifique y administre el almacenamiento de vectores de búsqueda de IA", - "waf": "Excelencia Operacional" + "text": "Considere la posibilidad de usar Oracle Automatic Storage Management (ASM) para todas las implementaciones de Oracle que usan SAP en Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "severity": "Medio", - "text": "Aplique prácticas de LLMOps para automatizar la gestión del ciclo de vida de sus aplicaciones GenAI", - "waf": "Excelencia Operacional" + "text": "En el caso de SAP en Azure que ejecuta Oracle, una colección de scripts SQL puede ayudarle a diagnosticar problemas de rendimiento. 
Los informes de repositorio automático de cargas de trabajo (AWR) contienen información valiosa para diagnosticar problemas en el sistema Oracle. Le recomendamos que ejecute un informe de AWR durante varias sesiones y elija las horas punta para él, a fin de garantizar una amplia cobertura del análisis.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "Alto", - "text": "Evalúe el uso de los modelos de facturación: PAYG frente a PTU", - "waf": "Optimización de costes" + "text": "Use la supervisión de Azure Site Recovery para mantener el estado del servicio de recuperación ante desastres para los servidores de aplicaciones SAP.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", "severity": "Medio", - "text": "Evalúe la calidad de los 
mensajes y las aplicaciones al cambiar entre versiones de modelo", - "waf": "Excelencia Operacional" + "text": "Para la entrega segura de aplicaciones HTTP/S, use Application Gateway v2 y asegúrese de que la protección y las directivas de WAF están habilitadas.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Medio", - "text": "Evalúe, supervise y perfeccione sus aplicaciones GenAI para características como la fundamentación, la relevancia, la precisión, la coherencia, la fluidez,", - "waf": "Excelencia Operacional" + "text": "Si el DNS o el nombre virtual de la máquina virtual no se cambia durante la migración a Azure, el DNS en segundo plano y los nombres virtuales conectan muchas interfaces del sistema en el entorno de SAP, y los clientes solo conocen a veces las interfaces que los desarrolladores definen a lo largo del tiempo. 
Los desafíos de conexión surgen entre varios sistemas cuando los nombres virtuales o DNS cambian después de las migraciones, y se recomienda conservar los alias DNS para evitar este tipo de dificultades.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Medio", - "text": "Evalúe los resultados de búsqueda de Azure AI en función de diferentes parámetros de búsqueda", - "waf": "Excelencia Operacional" + "text": "Utilice diferentes zonas DNS para distinguir cada entorno (espacio aislado, desarrollo, preproducción y producción) entre sí. 
La excepción es para las implementaciones de SAP con su propia red virtual; en este caso, es posible que las zonas DNS privadas no sean necesarias.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", "severity": "Medio", - "text": "Considere los modelos de ajuste fino como una forma de aumentar la precisión solo cuando haya probado otros enfoques básicos como la ingeniería de avisos y RAG con sus datos", - "waf": "Excelencia Operacional" + "text": "El emparejamiento de red virtual local y global proporciona conectividad y son los enfoques preferidos para garantizar la conectividad entre las zonas de aterrizaje para las implementaciones de SAP en varias regiones de Azure", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Utilice técnicas de ingeniería rápida para mejorar la precisión de las respuestas de LLM", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", + "severity": "Alto", + "text": "No se admite la implementación de ninguna aplicación virtual de red entre la aplicación SAP y el servidor de base de datos SAP", + "training": "https://me.sap.com/notes/2731110", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", "severity": "Medio", - "text": "Equipo rojo con sus aplicaciones GenAI", - "waf": "Seguridad" + "text": "Use Virtual WAN para implementaciones de Azure en redes nuevas, grandes o globales en las que necesite conectividad de tránsito global entre regiones de Azure y ubicaciones locales. 
Con este enfoque, no tendrá que configurar manualmente el enrutamiento transitivo para las redes de Azure y puede seguir un estándar para las implementaciones de SAP en Azure.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", "severity": "Medio", - "text": "Proporcione a los usuarios finales opciones de puntuación para las respuestas de LLM y realice un seguimiento de estas puntuaciones. ", - "waf": "Excelencia Operacional" + "text": "Considere la posibilidad de implementar aplicaciones virtuales de red (NVA) entre regiones solo si se usan aplicaciones virtuales de red de asociados. Las aplicaciones virtuales de red entre regiones o redes virtuales no son necesarias si hay aplicaciones virtuales de red nativas. 
Al implementar tecnologías de redes de asociados y aplicaciones virtuales de red, siga las instrucciones del proveedor para comprobar las configuraciones conflictivas con las redes de Azure.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Considere las prácticas de administración de cuotas", - "waf": "Optimización de costes" + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", + "severity": "Medio", + "text": "Virtual WAN administra la conectividad entre redes virtuales de radio para topologías basadas en WAN virtuales (sin necesidad de configurar el enrutamiento definido por el usuario [UDR] o NVA), y el rendimiento máximo de red para el tráfico de red virtual a red virtual en el mismo centro virtual es de 50 gigabits por segundo. 
Si es necesario, las zonas de aterrizaje de SAP pueden usar el emparejamiento de red virtual para conectarse a otras zonas de aterrizaje y superar esta limitación de ancho de banda.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "Azure OpenAI", - "severity": "Medio", - "text": "Utilice soluciones de equilibrador de carga, como la puerta de enlace basada en APIM, para equilibrar la carga y la capacidad entre servicios y regiones", - "waf": "Excelencia Operacional" + "checklist": "SAP Checklist", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "Alto", + "text": "No se recomienda la asignación de direcciones IP públicas a la máquina virtual que ejecuta SAP Workload.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", - "severity": "Medio", - "text": "Siga las recomendaciones de soporte técnico de confiabilidad en Azure Bot Service", - "waf": "Fiabilidad" + "checklist": "SAP Checklist", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", + "severity": "Alto", + "text": "Considere la posibilidad de 
reservar la dirección IP en el lado de la recuperación ante desastres al configurar ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", - "severity": "Medio", - "text": "Implementación de bots con residencia de datos local y cumplimiento regional", - "waf": "Fiabilidad" - }, - { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", - "severity": "Medio", - "text": "Azure Bot Service se ejecuta en modo activo-activo para los servicios globales y regionales. Cuando se produce una interrupción, no es necesario detectar errores ni administrar el servicio. Azure Bot Service realiza automáticamente la conmutación por error y la recuperación automáticas en una arquitectura geográfica de varias regiones. En el caso del servicio regional de bots de la UE, Azure Bot Service proporciona dos regiones completas dentro de Europa con replicación activa/activa para garantizar la redundancia. 
En el caso del servicio de bot global, todas las regiones o zonas geográficas disponibles se pueden servir como superficie global.", - "waf": "Fiabilidad" + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "Alto", + "text": "Evite el uso de intervalos de direcciones IP superpuestos para los sitios de producción y recuperación ante desastres.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Operaciones" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "severity": "Medio", - "text": "Si usa certificados TLS administrados por el cliente con Azure Front Door, use la versión de certificado \"más reciente\". Reduzca el riesgo de interrupciones causadas por la renovación manual de certificados", + "text": "Aunque Azure le ayuda a crear varias subredes delegadas en una red virtual, solo puede existir una subred delegada en una red virtual para Azure NetApp Files. 
Se producirá un error al intentar crear un nuevo volumen si se utiliza más de una subred delegada para Azure NetApp Files.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", "waf": "Operaciones" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "Medio", - "text": "Asegúrese de que usa la SKU de Application Gateway v2", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "Use Azure Firewall para controlar el tráfico saliente de Azure a Internet, las conexiones entrantes que no son HTTP/S y el filtrado del tráfico Este/Oeste (si la organización lo requiere)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + 
"link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "severity": "Medio", - "text": "Asegúrese de que usa la SKU estándar para Azure Load Balancers", + "text": "Application Gateway y Web Application Firewall tienen limitaciones cuando Application Gateway actúa como proxy inverso para aplicaciones web de SAP, como se muestra en la comparación entre Application Gateway, SAP Web Dispatcher y otros servicios de terceros.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Medio", - "text": "Asegúrese de que las direcciones IP de front-end de Load Balancers tengan redundancia de zona (a menos que necesite front-end zonal).", + "text": "Use directivas de Azure Front Door y WAF para proporcionar protección global en todas las regiones de Azure para las conexiones HTTP/S entrantes a una zona de aterrizaje.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand 
subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "severity": "Medio", - "text": "Application Gateways v2 debe implementarse en subredes con prefijos IP iguales o mayores que /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "Aproveche las directivas de Web Application Firewall en Azure Front Door cuando use Azure Front Door y Application Gateway para proteger las aplicaciones HTTP/S. Bloquee Application Gateway para recibir tráfico solo de Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "description": "La administración de proxies inversos en general y de WAF en particular está más cerca de la aplicación que de la red, por lo que pertenecen a la misma suscripción que la aplicación. 
La centralización de Application Gateway y WAF en la suscripción de conectividad puede ser correcta si la administra un solo equipo.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "service": "SAP", "severity": "Medio", - "text": "Implemente Azure Application Gateway v2 o aplicaciones virtuales de red de asociados que se usan para proxy de conexiones HTTP(S) entrantes dentro de la red virtual de la zona de aterrizaje y con las aplicaciones que están protegiendo.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "Utilice un firewall de aplicaciones web para analizar su tráfico cuando esté expuesto a Internet. Otra opción es usarlo con el equilibrador de carga o con recursos que tengan funcionalidades de firewall integradas, como Application Gateway o soluciones de terceros.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "severity": "Medio", - "text": "Use una red DDoS o planes de protección IP para todas las direcciones IP públicas en las zonas de aterrizaje de la aplicación.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Seguridad" + "text": "Use Virtual WAN para implementaciones de Azure en redes nuevas, 
grandes o globales en las que necesite conectividad de tránsito global entre regiones de Azure y ubicaciones locales. Con este enfoque, no tendrá que configurar manualmente el enrutamiento transitivo para las redes de Azure y puede seguir un estándar para las implementaciones de SAP en Azure.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "severity": "Medio", - "text": "Configure el escalado automático con una cantidad mínima de instancias de dos.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Fiabilidad" + "text": "Para evitar la pérdida de datos, use Azure Private Link para acceder de forma segura a los recursos de plataforma como servicio, como Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, etc. El punto de conexión privado de Azure también puede ayudar a proteger el tráfico entre redes virtuales y servicios como Azure Storage, Azure Backup, etc. 
El tráfico entre la red virtual y el servicio habilitado para punto de conexión privado viaja a través de la red global de Microsoft, lo que impide su exposición a la red pública de Internet.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", - "severity": "Medio", - "text": "Implementación de Application Gateway en zonas de disponibilidad", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Fiabilidad" + "checklist": "SAP Checklist", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", + "severity": "Alto", + "text": "Asegúrese de que las redes aceleradas de Azure están habilitadas en las máquinas virtuales que se usan en las capas de aplicación SAP y DBMS.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", "severity": "Medio", - "text": "Use Azure Front Door con directivas de WAF para entregar y ayudar a proteger aplicaciones HTTP/S globales que abarcan varias regiones de Azure.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Asegúrese de que las implementaciones internas de Azure Load Balancer están configuradas para usar Direct Server Return (DSR). Esta configuración (Habilitación de IP flotante) reducirá la latencia cuando se utilicen configuraciones internas del equilibrador de carga para configuraciones de alta disponibilidad en la capa DBMS.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Seguridad" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "severity": "Medio", - "text": "Al usar Front Door y Application Gateway para ayudar a proteger las aplicaciones HTTP/S, use directivas de WAF en Front Door. Bloquee Application Gateway para recibir tráfico solo de Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "Puede usar reglas de grupo de seguridad de aplicaciones (ASG) y NSG para definir listas de control de acceso de seguridad de red entre la aplicación SAP y las capas DBMS. 
Los ASG agrupan las máquinas virtuales para ayudar a administrar su seguridad.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", "waf": "Seguridad" }, { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "Alto", - "text": "Use el Administrador de tráfico para entregar aplicaciones globales que abarquen protocolos distintos de HTTP/S.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Fiabilidad" - }, - { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "Bajo", - "text": "Si los usuarios solo necesitan acceso a aplicaciones internas, ¿se ha considerado Microsoft Entra ID Application Proxy como una alternativa a Azure Virtual Desktop (AVD)?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Seguridad" + "text": "No se admite la colocación de la capa de aplicación de SAP y DBMS de SAP en diferentes redes virtuales de Azure que no están emparejadas.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Rendimiento" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "Medio", - "text": "Para reducir el número de puertos de firewall abiertos para las conexiones entrantes en la red, considere la posibilidad de usar Microsoft Entra ID Application Proxy para proporcionar a los usuarios remotos acceso seguro y autenticado a las aplicaciones internas.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Seguridad" + "text": "Para obtener una latencia de red óptima con aplicaciones SAP, considere la posibilidad de usar grupos de selección de ubicación por proximidad de Azure.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "Rendimiento" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": 
"18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "Alto", - "text": "Implemente la directiva de WAF para Front Door en modo de \"prevención\".", - "waf": "Seguridad" + "text": "NO se admite en absoluto la ejecución de una capa de servidor de aplicaciones de SAP y una capa de DBMS divididas entre el entorno local y Azure. Ambas capas deben residir completamente en el entorno local o en Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Rendimiento" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "Alto", - "text": "Evite combinar Azure Traffic Manager y Azure Front Door.", - "waf": "Seguridad" + "text": "No se recomienda hospedar el sistema de administración de bases de datos (DBMS) y las capas de aplicación de los sistemas SAP en diferentes redes virtuales y conectarlas con el emparejamiento de redes virtuales debido a los costos sustanciales que puede producir un tráfico de red excesivo entre las capas. 
Se recomienda el uso de subredes dentro de la red virtual de Azure para separar la capa de aplicación de SAP y la capa de DBMS.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Costar" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "severity": "Alto", - "text": "Use el mismo nombre de dominio en Azure Front Door y su origen. Los nombres de host no coincidentes pueden causar errores sutiles.", - "waf": "Seguridad" + "text": "Si utiliza Load Balancer con sistemas operativos invitados Linux, compruebe que el parámetro de red de Linux net.ipv4.tcp_timestamps esté establecido en 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = 
not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "Bajo", - "text": "Deshabilite los sondeos de estado cuando solo haya un origen en un grupo de orígenes de Azure Front Door.", - "waf": "Rendimiento" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "severity": "Medio", - "text": "Seleccione puntos de conexión de sondeo de estado correctos para Azure Front Door. Considere la posibilidad de crear puntos de conexión de estado que comprueben todas las dependencias de la aplicación.", - "waf": "Fiabilidad" + "text": "En el caso de las implementaciones de SAP RISE/ECS, el emparejamiento virtual es la forma preferida de establecer la conectividad con el entorno de Azure existente del cliente. 
Tanto la red virtual de SAP como las redes virtuales del cliente están protegidas con grupos de seguridad de red (NSG), lo que permite la comunicación en los puertos de SAP y de base de datos a través del emparejamiento de redes virtuales", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", - "severity": "Bajo", - "text": "Use sondeos de estado de HEAD con Azure Front Door para reducir el tráfico que Front Door envía a la aplicación.", - "waf": "Rendimiento" + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "Alto", + "text": "Revise las copias de seguridad de bases de datos de SAP HANA para máquinas virtuales de Azure.", + "waf": "Costar" }, { - "ammp": true, - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", - "severity": "Alto", - "text": "Use Azure NAT Gateway en lugar de reglas de salida de Load Balancer 
para mejorar la escalabilidad de SNAT", - "waf": "Fiabilidad" + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "Medio", + "text": "Revise la supervisión integrada de Site Recovery, si se usa para SAP.", + "waf": "Costar" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", "severity": "Alto", - "text": "Use certificados TLS administrados con Azure Front Door. 
Reduzca los costos operativos y el riesgo de interrupciones debido a las renovaciones de certificados.", + "text": "Revise la guía Supervisión del entorno del sistema SAP HANA.", "waf": "Operaciones" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "severity": "Medio", - "text": "Defina la configuración de WAF de Azure Front Door como código. Mediante el uso de código, puede adoptar más fácilmente una nueva versión del conjunto de reglas y obtener protección adicional.", + "text": "Revise las estrategias de copia de seguridad de Oracle Database en máquinas virtuales Linux de Azure.", "waf": "Operaciones" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", - "severity": "Alto", - "text": "Use TLS de un extremo a otro con Azure Front Door. 
Use TLS para las conexiones de los clientes a Front Door y de Front Door al origen.", - "waf": "Seguridad" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", "severity": "Medio", - "text": "Use el redireccionamiento de HTTP a HTTPS con Azure Front Door. Apoye a los clientes más antiguos redirigiéndolos automáticamente a una solicitud HTTPS.", - "waf": "Seguridad" + "text": "Revise el uso de Azure Blob Storage con SQL Server 2016.", + "waf": "Operaciones" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", - "severity": "Alto", - "text": "Habilite el WAF de Azure Front Door. 
Proteja su aplicación de una variedad de ataques.", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", + "severity": "Medio", + "text": "Revise el uso de Copia de seguridad automatizada v2 para máquinas virtuales de Azure.", + "waf": "Operaciones" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "severity": "Alto", - "text": "Ajuste el WAF de Azure Front Door para su carga de trabajo. Reduzca las detecciones de falsos positivos.", - "waf": "Seguridad" + "text": "Habilitación del acelerador de escritura para la serie M cuando se utilizan discos premium (V1)", + "waf": "Operaciones" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", - "severity": "Alto", - "text": "Habilite la característica de inspección del cuerpo de la solicitud habilitada en la directiva WAF de Azure Front Door.", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", + "severity": "Medio", + "text": "Pruebe la latencia de la zona de disponibilidad.", + "waf": "Rendimiento" }, { - "ammp": 
true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", - "severity": "Alto", - "text": "Habilite los conjuntos de reglas predeterminados de WAF de Azure Front Door. Los conjuntos de reglas predeterminados detectan y bloquean los ataques comunes.", - "waf": "Seguridad" + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", + "severity": "Medio", + "text": "Active SAP EarlyWatch Alert para todos los componentes de SAP.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "Rendimiento" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", - "severity": "Alto", - "text": "Habilite el conjunto de reglas de protección contra bots de Azure Front Door WAF. 
Las reglas de bots detectan bots buenos y malos.",
- "waf": "Seguridad"
+ "checklist": "SAP Checklist",
+ "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "Revise la latencia del servidor de aplicaciones SAP al servidor de bases de datos mediante el informe ABAPMeter de SAP /SSA/CAT.",
+ "training": "https://me.sap.com/notes/0002879613",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Use la versión más reciente del conjunto de reglas de WAF de Azure Front Door. Las actualizaciones del conjunto de reglas se actualizan periódicamente para tener en cuenta el panorama actual de amenazas.",
- "waf": "Seguridad"
+ "text": "Revise la supervisión del rendimiento de SQL Server mediante CCMS.",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390",
+ "link": "https://me.sap.com/notes/500235",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Agregue limitación de velocidad al WAF de Azure Front Door. La limitación de velocidad bloquea a los clientes que envían accidental o intencionadamente grandes cantidades de tráfico en un corto período de tiempo.",
- "waf": "Seguridad"
+ "text": "Pruebe la latencia de red entre las máquinas virtuales de la capa de aplicación de SAP y las máquinas virtuales de DBMS (NIPING).",
+ "training": "https://me.sap.com/notes/1100926/E",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43",
+ "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Use un umbral alto para los límites de frecuencia de WAF de Azure Front Door. Los umbrales de límite de velocidad altos evitan el bloqueo del tráfico legítimo, a la vez que proporcionan protección contra un número extremadamente alto de solicitudes que podrían sobrecargar su infraestructura. ",
- "waf": "Seguridad"
+ "text": "Revise las alertas de SAP HANA Studio.",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
- "service": "Front Door",
- "severity": "Bajo",
- "text": "Si no espera tráfico de todas las regiones geográficas, utilice filtros geográficos para bloquear el tráfico de países no esperados.",
- "waf": "Seguridad"
+ "checklist": "SAP Checklist",
+ "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694",
+ "link": "https://me.sap.com/notes/1969700",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "Realice comprobaciones de estado de SAP HANA mediante HANA_Configuration_Minichecks.",
+ "waf": "Rendimiento"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Especifique la ubicación desconocida (ZZ) al filtrar geográficamente el tráfico con el WAF de Azure Front Door. Evite bloquear accidentalmente solicitudes legítimas cuando las direcciones IP no puedan coincidir geográficamente.",
+ "text": "Si ejecuta máquinas virtuales Windows y Linux en Azure, en el entorno local o en otros entornos en la nube, puede usar el Centro de administración de actualizaciones de Automatización de Azure para administrar las actualizaciones del sistema operativo, incluidas las revisiones de seguridad.",
+ "training": "https://learn.microsoft.com/azure/automation/update-management/overview",
 "waf": "Seguridad"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
- "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
- "service": "App Gateway",
- "severity": "Alto",
- "text": "Habilitación del conjunto de reglas de protección contra bots de WAF de Azure Application Gateway Las reglas de bots detectan bots buenos y malos.",
+ "checklist": "SAP Checklist",
+ "guid": "08951710-79a2-492a-adbc-06d7a401545b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
+ "service": "SAP",
+ "severity": "Medio",
+ "text": "Revise de forma rutinaria las notas de seguridad de SAP OSS, ya que SAP publica parches de seguridad muy críticos, o revisiones, que requieren una acción inmediata para proteger sus sistemas SAP.",
+ "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
 "waf": "Seguridad"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
- "service": "App Gateway",
- "severity": "Alto",
- "text": "Habilite la característica de inspección del cuerpo de la solicitud habilitada en la directiva WAF de Azure Application Gateway.",
+ "checklist": "SAP Checklist",
+ "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
+ "service": "SAP",
+ "severity": "Bajo",
+ "text": "En el caso de SAP en SQL Server, puede deshabilitar la cuenta de administrador del sistema de SQL Server porque los sistemas SAP en SQL Server no usan la cuenta. Asegúrese de que otro usuario con derechos de administrador del sistema pueda acceder al servidor antes de deshabilitar la cuenta de administrador del sistema original.",
 "waf": "Seguridad"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Ajuste el WAF de Azure Application Gateway para la carga de trabajo. Reduzca las detecciones de falsos positivos.",
+ "text": "Deshabilite xp_cmdshell. La característica de SQL Server xp_cmdshell habilita un shell de comandos del sistema operativo interno de SQL Server. Es un riesgo potencial en las auditorías de seguridad.",
+ "training": "https://me.sap.com/notes/3019299/E",
 "waf": "Seguridad"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
- "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Implemente la directiva de WAF para Application Gateway en modo de \"prevención\".",
- "waf": "Seguridad"
- },
- {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Agregue limitación de velocidad al WAF de Azure Application Gateway. La limitación de velocidad bloquea a los clientes que envían accidental o intencionadamente grandes cantidades de tráfico en un corto período de tiempo.",
+ "text": "El cifrado de servidores de bases de datos de SAP HANA en Azure usa la tecnología de cifrado nativa de SAP HANA. Además, si usa SQL Server en Azure, use el cifrado de datos transparente (TDE) para proteger los datos y los archivos de registro y asegurarse de que las copias de seguridad también están cifradas.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Use un umbral alto para los límites de frecuencia de WAF de Azure Application Gateway. Los umbrales de límite de velocidad altos evitan el bloqueo del tráfico legítimo, a la vez que proporcionan protección contra un número extremadamente alto de solicitudes que podrían sobrecargar su infraestructura. ",
+ "text": "El cifrado de Azure Storage está habilitado para todas las cuentas de Azure Resource Manager y de almacenamiento clásico, y no se puede deshabilitar. Dado que los datos están cifrados de forma predeterminada, no es necesario modificar el código o las aplicaciones para usar el cifrado de Azure Storage.",
+ "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "99937189-ff78-492a-b9ca-18d828d82b37",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices",
- "service": "App Gateway",
- "severity": "Bajo",
- "text": "Si no espera tráfico de todas las regiones geográficas, utilice filtros geográficos para bloquear el tráfico de países no esperados.",
+ "checklist": "SAP Checklist",
+ "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Uso de Azure Key Vault para almacenar los secretos y las credenciales",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "349a15c1-52f4-4319-9078-3895d95ecafd",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "829e2edb-2173-4676-aff6-691b4935ada4",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Especifique la ubicación desconocida (ZZ) al filtrar geográficamente el tráfico con el WAF de Azure Application Gateway. Evite bloquear accidentalmente solicitudes legítimas cuando las direcciones IP no puedan coincidir geográficamente.",
+ "text": "Se recomienda bloquear los recursos de Azure después de la implementación correcta para protegerse contra cambios no autorizados. También puede aplicar restricciones y reglas de LOCK por suscripción mediante directivas de Azure personalizadas (rol personalizado).",
+ "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Use la versión más reciente del conjunto de reglas de WAF de Azure Application Gateway. Las actualizaciones del conjunto de reglas se actualizan periódicamente para tener en cuenta el panorama actual de amenazas.",
+ "text": "Aprovisione Azure Key Vault con las directivas de eliminación temporal y purga habilitadas para permitir la protección de retención de los objetos eliminados.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Agregue la configuración de diagnóstico para guardar los registros de WAF de Azure Application Gateway.",
- "waf": "Operaciones"
+ "checklist": "SAP Checklist",
+ "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "En función de los requisitos existentes, controles normativos y de cumplimiento (internos y externos): determine qué directivas de Azure y el rol de RBAC de Azure son necesarios",
+ "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "Front Door",
- "severity": "Medio",
- "text": "Agregue la configuración de diagnóstico para guardar los registros de WAF de Azure Front Door.",
- "waf": "Operaciones"
+ "checklist": "SAP Checklist",
+ "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Al habilitar Microsoft Defender para punto de conexión en el entorno de SAP, se recomienda excluir los archivos de datos y registro en los servidores DBMS en lugar de dirigirse a todos los servidores. Siga las recomendaciones de su proveedor de DBMS al excluir archivos de destino.",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "92664c60-47e3-4591-8b1b-8d557656e686",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Envíe registros de WAF de Azure Application Gateway a Microsoft Sentinel.",
- "waf": "Operaciones"
+ "checklist": "SAP Checklist",
+ "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Delegue un rol personalizado de administrador de SAP con acceso Just-In-Time de Microsoft Defender for Cloud.",
+ "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "845f5f91-9c21-4674-a725-5ce890850e20",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "Front Door",
- "severity": "Medio",
- "text": "Envíe registros de WAF de Azure Front Door a Microsoft Sentinel.",
- "waf": "Operaciones"
+ "checklist": "SAP Checklist",
+ "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "Bajo",
+ "text": "cifre los datos en tránsito integrando el producto de seguridad de terceros con comunicaciones de red seguras (SNC) para DIAG (SAP GUI), RFC y SPNEGO para HTTPS",
+ "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Defina la configuración de WAF de Azure Application Gateway como código. Mediante el uso de código, puede adoptar más fácilmente una nueva versión del conjunto de reglas y obtener protección adicional.",
- "waf": "Operaciones"
+ "text": "De forma predeterminada, utilice claves administradas por Microsoft para la funcionalidad de cifrado de entidad de seguridad y use claves administradas por el cliente cuando sea necesario.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Utilice directivas de WAF en lugar de la configuración de WAF heredada.",
- "waf": "Operaciones"
+ "checklist": "SAP Checklist",
+ "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
+ "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Use una instancia de Azure Key Vault por aplicación, por entorno, por región.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
- "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Filtre el tráfico entrante en los back-end para que solo acepten conexiones de la subred de Application Gateway, por ejemplo, con grupos de seguridad de red.",
+ "checklist": "SAP Checklist",
+ "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c",
+ "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Para controlar y administrar claves y secretos de cifrado de disco para sistemas operativos Windows y Windows que no son de HANA, use Azure Key Vault. SAP HANA no es compatible con Azure Key Vault, por lo que debe usar métodos alternativos como SAP ABAP o claves SSH.",
+ "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1",
- "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions",
- "service": "Front Door",
- "severity": "Medio",
- "text": "Asegúrese de que los orígenes solo toman tráfico de la instancia de Azure Front Door.",
+ "checklist": "SAP Checklist",
+ "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Personalización de los roles de control de acceso basado en rol (RBAC) para SAP en suscripciones de Azure spoke para evitar cambios accidentales relacionados con la red",
+ "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2",
- "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
+ "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Debe cifrar el tráfico a los servidores backend.",
+ "text": "Aísle las redes perimetrales y las aplicaciones virtuales de red del resto del patrimonio de SAP, configure Azure Private Link y administre y controle de forma segura los recursos de SAP en Azure",
+ "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
- "service": "App Gateway",
- "severity": "Alto",
- "text": "Debe utilizar un firewall de aplicaciones web.",
+ "checklist": "SAP Checklist",
+ "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
+ "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "service": "SAP",
+ "severity": "Bajo",
+ "text": "Considere la posibilidad de usar el software antimalware de Microsoft en Azure para proteger las máquinas virtuales de archivos malintencionados, adware y otras amenazas.",
+ "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2",
- "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Redirigir HTTP a HTTPS",
+ "checklist": "SAP Checklist",
+ "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
+ "service": "SAP",
+ "severity": "Bajo",
+ "text": "Para una protección aún más eficaz, considere la posibilidad de usar Microsoft Defender para punto de conexión.",
+ "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f",
- "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Utilice cookies administradas por puerta de enlace para dirigir el tráfico de una sesión de usuario al mismo servidor para su procesamiento",
- "waf": "Operaciones"
- },
- {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Habilite el drenaje de conexiones durante las actualizaciones de servicio planificadas para evitar la pérdida de conexión a los miembros existentes del grupo de back-end",
+ "text": "Aísle los servidores de aplicaciones y bases de datos de SAP de Internet o de la red local pasando todo el tráfico a través de la red virtual del centro de conectividad, que está conectada a la red radial mediante el emparejamiento de red virtual. Las redes virtuales emparejadas garantizan que la solución de SAP en Azure esté aislada de la red pública de Internet.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
- "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
 "severity": "Bajo",
- "text": "Crear páginas de error personalizadas para mostrar una experiencia de usuario personalizada",
- "waf": "Operaciones"
- },
- {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
- "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Edite las solicitudes HTTP y los encabezados de respuesta para facilitar el enrutamiento y el intercambio de información entre el cliente y el servidor",
- "waf": "Seguridad"
- },
- {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Configure Front Door para optimizar el enrutamiento del tráfico web global y el rendimiento del usuario final de primer nivel, así como la confiabilidad a través de una rápida conmutación por error global",
- "waf": "Rendimiento"
- },
- {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "29dcc19f-a8fa-4c35-8281-290577538793",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Usar el equilibrio de carga de la capa de transporte",
- "waf": "Rendimiento"
- },
- {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d",
- "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview",
- "service": "App Gateway",
- "severity": "Medio",
- "text": "Configure el enrutamiento basado en el host o el nombre de dominio para varias aplicaciones web en una sola puerta de enlace",
+ "text": "En el caso de las aplicaciones orientadas a Internet, como SAP Fiori, asegúrese de distribuir la carga según los requisitos de la aplicación mientras se mantienen los niveles de seguridad. Para la seguridad de nivel 7, puede usar un firewall de aplicaciones web (WAF) de terceros disponible en Azure Marketplace.",
+ "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2",
- "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
+ "service": "SAP",
 "severity": "Medio",
- "text": "Centralice la administración de certificados SSL para reducir la sobrecarga de cifrado y descifrado de una granja de servidores back-end",
- "waf": "Seguridad"
- },
- {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9",
- "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
- "service": "App Gateway",
- "severity": "Bajo",
- "text": "Uso de Application Gateway para obtener compatibilidad nativa con los protocolos WebSocket y HTTP/2",
+ "text": "Para habilitar la comunicación segura en las soluciones de Azure Monitor para SAP, puede optar por usar un certificado raíz o un certificado de servidor. Le recomendamos encarecidamente que utilice certificados raíz.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
 "waf": "Seguridad"
 },
 {
@@ -5777,2660 +5406,2593 @@ "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que los controladores de dominio ADDS se implementan en la suscripción de identidad en Azure nativo", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", + "severity": "Medio", + "text": "Use el token revocable de larga duración, almacene en caché el token y adquiera el token de forma silenciosa mediante la biblioteca de identidades de Microsoft", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "severity": "Medio", - "text": "Asegúrese de que los sitios y servicios de ADDS están configurados para mantener las solicitudes de autenticación de los recursos basados en Azure (incluida Azure VMware Solution) locales en Azure", - "waf": "Seguridad" + "text": "Asegúrese de que los flujos de usuario de inicio de sesión estén respaldados y sean resistentes. Asegúrese de que se ha realizado una copia de seguridad del código que usa para iniciar sesión en los usuarios y se puede recuperar. 
Interfaces resilientes con procesos externos", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que vCenter esté conectado a ADDS para habilitar la autenticación basada en \"cuentas de usuario designadas\"", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", + "severity": "Medio", + "text": "Los activos de marca personalizados deben estar alojados en una CDN", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que la conexión de vCenter a ADDS utilice un protocolo seguro (LDAPS)", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "Bajo", + "text": "Tener varios proveedores de identidad (es decir, iniciar sesión con sus cuentas de Microsoft, Google, Facebook)", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "Medio", - "text": "La cuenta de CloudAdmin en vCenter IdP solo se utiliza como 
una cuenta de emergencia (break-glass)", - "waf": "Seguridad" + "text": "Siga las reglas de la máquina virtual para la alta disponibilidad en el nivel de máquina virtual (discos premium, dos o más en una región, en diferentes zonas de disponibilidad)", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que NSX-Manager esté integrado con un proveedor de identidades externo (LDAPS)", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "Medio", + "text": "¡No repliques! La replicación puede crear problemas con la sincronización de directorios", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "Medio", - "text": "¿Se ha creado un modelo RBAC para su uso en VMware vSphere?", - "waf": "Seguridad" + "text": "Tener activo-activo para varias regiones", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", 
"severity": "Medio", - "text": "Los permisos RBAC deben concederse a grupos ADDS y no a usuarios específicos", - "waf": "Seguridad" + "text": "Adición de stamps de servicio de dominio de Azure AD a regiones y ubicaciones adicionales", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", - "severity": "Alto", - "text": "Los permisos de RBAC en el recurso de Azure VMware Solution en Azure están \"bloqueados\" solo para un conjunto limitado de propietarios", - "waf": "Seguridad" + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "Medio", + "text": "Uso de conjuntos de réplicas para recuperación ante desastres", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que todos los roles personalizados tengan el ámbito de las autorizaciones permitidas de CloudAdmin", - "waf": "Seguridad" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", + "severity": "Medio", + "text": "Aproveche el cuaderno de estrategias de resistencia de FTA para Azure Data Factory", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - 
"service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Alto", - "text": "¿Se ha seleccionado el modelo de conectividad de Azure VMware Solution correcto para el caso de uso del cliente en cuestión?", - "waf": "Rendimiento" + "text": "Uso de canalizaciones con redundancia de zona en regiones que admiten zonas de disponibilidad", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que las conexiones de ExpressRoute o VPN desde el entorno local a Azure se supervisan mediante el \"monitor de conexiones\"", - "waf": "Operaciones" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", + "severity": "Medio", + "text": "Uso de DevOps para realizar copias de seguridad de las plantillas de ARM con la integración de Github/Azure DevOps ", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Asegúrese de que se crea 
un monitor de conexión desde un recurso nativo de Azure a una máquina virtual de Azure VMware Solution para supervisar la conexión de ExpressRoute back-end de Azure VMware Solution", - "waf": "Operaciones" + "text": "Asegúrese de replicar las máquinas virtuales de Integration Runtime autohospedadas en otra región ", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "Medio", - "text": "Asegúrese de que se crea un monitor de conexión desde un recurso local a una máquina virtual de Azure VMware Solution para supervisar la conectividad de extremo a extremo", - "waf": "Operaciones" + "text": "Asegúrese de replicar o duplicar la red en la región hermana. Tiene que hacer una copia de la red virtual en otra región", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "severity": "Alto", - "text": "Cuando se utiliza el servidor de rutas, asegúrese de que no se propaguen más de 1000 rutas desde el servidor de rutas a la puerta de enlace de ExR al entorno local (límite de ARS).", - "waf": "Operaciones" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "description": "Si las canalizaciones de ADF usan Key Vault, no tiene que hacer nada para replicar Key Vault. 
Key Vault es un servicio administrado y Microsoft se encarga de ello por ti", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", + "severity": "Bajo", + "text": "Si utiliza la integración de Keyvault, utilice el Acuerdo de Nivel de Servicio de Keyvault para comprender su disponibilidad", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", - "severity": "Alto", - "text": "¿Se ha implementado Privileged Identity Management para los roles que administran el recurso de Azure VMware Solution en Azure Portal (no se permiten permisos permanentes)?", - "waf": "Seguridad" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Reglas de recopilación de datos en Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", - "severity": "Alto", - "text": "Los informes de auditoría de Privileged Identity Management deben implementarse para los roles PIM de Azure VMware Solution", - "waf": "Seguridad" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + 
"service": "Azure Backup", + "text": "Comprobar las instancias de copia de seguridad con la fuente de datos subyacente no encontrada", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", - "severity": "Medio", - "text": "Si se usa Privileged Identity Management, asegúrese de que se crea una cuenta válida habilitada para Entra ID con un registro SMTP válido para las notificaciones de reemplazo automático de host de Azure VMware Solution. (se requieren permisos permanentes)", - "waf": "Seguridad" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "text": "Eliminar o archivar servicios no asociados (discos, NIC, direcciones IP, etc.)", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", - "severity": "Alto", - "text": "Limite el uso de la cuenta de CloudAdmin solo al acceso de emergencia", - "waf": "Seguridad" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "Considere un buen equilibrio entre el almacenamiento de recuperación del sitio y la copia de seguridad para aplicaciones que no son críticas", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", - "severity": "Medio", - "text": "Cree funciones RBAC personalizadas en vCenter para implementar un modelo de privilegios mínimos dentro de vCenter", - "waf": "Seguridad" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "Compruebe las oportunidades de gasto y ahorro entre las 40 áreas de trabajo de Log Analytics diferentes: use diferentes retenciones y recopilación de datos para áreas de trabajo que no sean de producción: cree un límite diario para el reconocimiento y el tamaño de los niveles: si establece un límite diario, además de crear una alerta cuando se alcance el límite, asegúrese de crear también una regla de alerta para que se le notifique cuando se alcance algún porcentaje (90 %, por ejemplo). 
- Considere la posibilidad de transformar el espacio de trabajo si es posible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", - "severity": "Medio", - "text": "Es un proceso definido para rotar periódicamente las credenciales de administrador de la nube (vCenter) y administrador (NSX)", - "waf": "Seguridad" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", + "text": "Aplique una política de purga de registros y automatización (si es necesario, los registros se pueden mover al almacenamiento en frío)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", - "severity": "Alto", - "text": "Uso de un proveedor de identidades centralizado que se usará para las cargas de trabajo (VM) que se ejecutan en Azure VMware Solution", - "waf": "Seguridad" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "Compruebe que los discos son realmente 
necesarios, si no: eliminar. Si son necesarios, busque niveles de almacenamiento más bajos o use una copia de seguridad:", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", - "severity": "Medio", - "text": "¿Se implementa el filtrado de tráfico este-oeste en NSX-T?", - "waf": "Seguridad" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "text": "Considere la posibilidad de mover el almacenamiento no utilizado al nivel inferior, con reglas personalizadas: https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", - "severity": "Alto", - "text": "Las cargas de trabajo de Azure VMware Solution no se exponen directamente a Internet. 
El tráfico se filtra e inspecciona mediante Azure Application Gateway, Azure Firewall o soluciones de terceros", - "waf": "Seguridad" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "text": "Asegúrese de que el asesor está configurado para el tamaño correcto de la máquina virtual ", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", - "severity": "Alto", - "text": "La auditoría y el registro se implementan para las solicitudes entrantes de Internet a Azure VMware Solution y a las cargas de trabajo basadas en Azure VMware Solution", - "waf": "Seguridad" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "description": "comprobando la búsqueda de las licencias de categoría de contador en el análisis de costes", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "text": "ejecutar el script en todas las máquinas virtuales de Windows https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server: considere la posibilidad de implementar una directiva si las máquinas virtuales de Windows se crean con frecuencia", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", - "severity": "Medio", - "text": "La supervisión de sesiones se implementa para las conexiones salientes a Internet desde Azure VMware Solution o 
cargas de trabajo basadas en Azure VMware Solution para identificar actividades sospechosas o malintencionadas", - "waf": "Seguridad" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "text": " esto también se puede poner bajo AHUB si ya tiene licencias https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", - "severity": "Medio", - "text": "¿Está habilitada la protección estándar de DDoS en la subred de puerta de enlace de ExR/VPN en Azure?", - "waf": "Seguridad" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", + "text": "Consolide familias de máquinas virtuales reservadas con la opción de flexibilidad (no más de 4-5 familias)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", - "severity": "Medio", - "text": "Use una estación de trabajo de acceso con privilegios (PAW) dedicada para administrar Azure VMware Solution, vCenter, NSX Manager y HCX Manager", - "waf": "Seguridad" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": 
"c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "text": "Uso de Azure Reserved Instances: esta característica le permite reservar máquinas virtuales durante un período de 1 o 3 años, lo que proporciona un importante ahorro de costos en comparación con los precios de pago por uso.", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", - "severity": "Medio", - "text": "Habilitación de la detección avanzada de amenazas (Microsoft Defender for Cloud, también conocida como ASC) para cargas de trabajo que se ejecutan en Azure VMware Solution", - "waf": "Seguridad" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "text": "Solo se pueden reservar discos más grandes => 1 TiB -", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", - "severity": "Medio", - "text": "Use Azure ARC for Servers para controlar correctamente las cargas de trabajo que se ejecutan en Azure VMware Solution mediante tecnologías nativas de Azure (Azure ARC for Azure VMware Solution aún no está disponible)", - "waf": "Seguridad" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "text": "Después de la 
optimización del tamaño correcto", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", - "severity": "Bajo", - "text": "Asegúrese de que las cargas de trabajo de Azure VMware Solution usen suficiente cifrado de datos durante el tiempo de ejecución (como el cifrado de disco invitado y SQL TDE). (El cifrado de vSAN en reposo es el predeterminado)", - "waf": "Seguridad" + "arm-service": "Microsoft.Sql/servers", + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "text": "Compruebe si corresponde y aplique la política/cambio https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", - "severity": "Bajo", - "text": "Cuando se usa el cifrado en invitado, almacene las claves de cifrado en Azure Key Vault siempre que sea posible", - "waf": "Seguridad" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", + "text": "El descuento de la parte de la licencia VM + (ahub + 3YRI) es de alrededor del 70% de descuento", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", - "severity": "Medio", 
- "text": "Considere la posibilidad de usar la compatibilidad con actualizaciones de seguridad extendidas para las cargas de trabajo que se ejecutan en Azure VMware Solution (Azure VMware Solution es apta para ESU)", - "waf": "Seguridad" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "text": "Considere la posibilidad de utilizar un VMSS para satisfacer la demanda en lugar de un tamaño fijo", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que se utiliza el método de redundancia de datos de vSAN adecuado (especificación RAID)", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", + "text": "Use el escalador automático de AKS para que coincida con el uso de los clústeres (asegúrese de que los requisitos de los pods coincidan con el escalador)", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que la directiva de error de tolerancia esté implementada para satisfacer sus necesidades de almacenamiento de vSAN", - "waf": "Fiabilidad" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": 
"https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", + "text": "Mover los puntos de recuperación al archivo de almacén cuando corresponda (Validar)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que ha solicitado una cuota suficiente, asegurándose de que ha tenido en cuenta el crecimiento y el requisito de recuperación ante desastres", - "waf": "Fiabilidad" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "text": "Considere la posibilidad de usar máquinas virtuales de acceso puntual con reserva siempre que sea posible. 
Considere la posibilidad de la terminación automática de clústeres.", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que se comprenden las restricciones de acceso a ESXi, ya que existen límites de acceso que pueden afectar a las soluciones de terceros.", - "waf": "Operaciones" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "Funciones - Reutilizar conexiones", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de tener una política en torno a la densidad y la eficiencia del host ESXi, teniendo en cuenta el tiempo de espera para solicitar nuevos nodos", - "waf": "Operaciones" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "Funciones: almacenar datos en caché localmente", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", - "severity": "Medio", - "text": 
"Asegúrese de que existe un buen proceso de administración de costos para Azure VMware Solution: se puede usar Azure Cost Management", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "Funciones - Arranques en frío: utilice la funcionalidad 'Ejecutar desde el paquete'. De esta manera, el código se descarga como un único archivo zip. Esto puede, por ejemplo, resultar en mejoras significativas con las funciones de Javascript, que tienen muchos módulos de nodos. Utilice herramientas específicas del lenguaje para reducir el tamaño del paquete, por ejemplo, aplicaciones Javascript que sacuden el árbol.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", - "severity": "Bajo", - "text": "¿Se usan instancias reservadas de Azure para optimizar el costo de uso de Azure VMware Solution?", + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", + "text": "Funciones - Mantén tus funciones calientes", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", - "severity": "Medio", - "text": "Tenga en cuenta el uso de Azure Private-Link cuando use otros servicios nativos de Azure", - "waf": 
"Seguridad" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "text": "Al usar el escalado automático con diferentes funciones, es posible que haya uno que controle todo el escalado automático para todos los recursos: considere la posibilidad de moverlo a un plan de consumo independiente (y considere un plan superior para la CPU)", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que todos los recursos necesarios residen en las mismas zonas de disponibilidad de Azure", - "waf": "Rendimiento" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "text": "Las aplicaciones de funciones de un plan determinado se escalan juntas, por lo que cualquier problema con el escalado puede afectar a todas las aplicaciones del plan.", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", - "severity": "Medio", - "text": "Habilitación de cargas de trabajo de máquina virtual invitada de Microsoft Defender for Cloud for Azure VMware Solution", - "waf": "Seguridad" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "text": "¿Se me factura por el 
\"tiempo de espera\"? Esta pregunta se suele formular en el contexto de una función de C# que realiza una operación asincrónica y espera el resultado, por ejemplo, await Task.Delay(1000) o await client. GetAsync('http://google.com'). La respuesta es sí: el segundo cálculo de GB se basa en la hora de inicio y finalización de la función y el uso de memoria durante ese período. Lo que realmente sucede durante ese tiempo en términos de actividad de la CPU no se tiene en cuenta en el cálculo. Una excepción a esta regla es si está utilizando funciones duraderas. No se le facturará por el tiempo empleado en las esperas en las funciones de orquestador.aplique técnicas de modelado de la demanda siempre que sea posible (¿entornos de desarrollo?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", - "severity": "Medio", - "text": "Uso de servidores habilitados para Azure Arc para administrar las cargas de trabajo de máquinas virtuales invitadas de Azure VMware Solution", - "waf": "Seguridad" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "text": "Frontdoor: desactivar la página principal predeterminadaEn la configuración de la aplicación de la aplicación, establezca AzureWebJobsDisableHomepage en true. 
Esto devolverá un 204 (sin contenido) al PoP para que solo se devuelvan los datos del encabezado.", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", - "severity": "Alto", - "text": "Habilitación del registro de diagnósticos y métricas en Azure VMware Solution", - "waf": "Operaciones" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", + "text": "Frontdoor: ruta a algo que no devuelve nada. Configure una función, un proxy de función o agregue una ruta en la aplicación web que devuelva 200 (correctamente) y envíe contenido mínimo o nulo. La ventaja de esto es que podrá cerrar la sesión cuando se llame.", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", - "severity": "Medio", - "text": "Implementación de los agentes de Log Analytics en cargas de trabajo de máquinas virtuales invitadas de Azure VMware Solution", - "waf": "Operaciones" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "Considere la posibilidad de archivar niveles para los datos menos utilizados", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que dispone de 
una directiva y una solución de copia de seguridad documentadas e implementadas para las cargas de trabajo de máquina virtual de Azure VMware Solution", - "waf": "Operaciones" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "text": "Compruebe los tamaños de disco en los que el tamaño no coincida con el nivel (es decir, un disco de 513 GiB pagará un P30 (1 TiB) y considere la posibilidad de cambiar el tamaño", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", - "severity": "Medio", - "text": "Uso de Microsoft Defender for Cloud para la supervisión del cumplimiento de las cargas de trabajo que se ejecutan en Azure VMware Solution", - "waf": "Seguridad" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "Considere la posibilidad de utilizar un SSD estándar en lugar de Premium o Ultra siempre que sea posible", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", - "severity": "Medio", - "text": "¿Se agregan las líneas base de cumplimiento aplicables a Microsoft Defender for Cloud?", - "waf": "Seguridad" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "En el caso de las cuentas de almacenamiento, asegúrese de que el nivel elegido no suma cargos por transacción (puede ser más barato pasar al siguiente nivel)", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", - "severity": "Alto", - "text": "¿Se evaluó la residencia de datos al seleccionar las regiones de Azure que se usarán para la implementación de Azure VMware Solution?", - "waf": "Seguridad" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "Para ASR, considere la posibilidad de usar discos SSD estándar si el RPO/RTO y el rendimiento de replicación lo permiten", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", - "severity": "Alto", - "text": "¿Son claras y documentadas las implicaciones del procesamiento de datos (proveedor de servicios / modelo de consumidor de servicios)?", - "waf": "Seguridad" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "Cuentas de almacenamiento: compruebe el nivel de acceso frecuente o GRS necesario", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware 
Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", - "severity": "Medio", - "text": "Considere la posibilidad de usar CMK (clave administrada por el cliente) para vSAN solo si es necesario por motivos de cumplimiento.", - "waf": "Seguridad" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "Discos: valide el uso de discos SSD Premium en todas partes: por ejemplo, los que no son de producción podrían cambiar a SSD estándar o SSD Premium bajo demanda ", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", - "severity": "Alto", - "text": "Creación de paneles para habilitar la información principal de supervisión de Azure VMware Solution", - "waf": "Operaciones" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "Cree presupuestos para administrar los costos y cree alertas que notifiquen automáticamente a las partes interesadas sobre anomalías en el gasto y riesgos de gasto excesivo.", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", - "severity": "Alto", - "text": "Creación de alertas de advertencia para umbrales críticos para alertas automáticas sobre el rendimiento de Azure VMware Solution (CPU >80 %, memoria media >80 %, vSAN >70 %)", - "waf": "Operaciones" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost 
Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "Exporte los datos de costos a una cuenta de almacenamiento para realizar análisis de datos adicionales.", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que se crea una alerta crítica para supervisar si el consumo de vSAN es inferior al 75 %, ya que se trata de un umbral de soporte de VMware", - "waf": "Operaciones" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "Controle los costos de un grupo de SQL dedicado pausando el recurso cuando no esté en uso.", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que las alertas están configuradas para las alertas y notificaciones de Azure Service Health", - "waf": "Operaciones" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "Habilite la función de pausa automática de Apache Spark sin servidor y establezca el valor de tiempo de espera en consecuencia.", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": 
"AVS", - "severity": "Medio", - "text": "Configure el registro de Azure VMware Solution para que se envíe a una cuenta de Azure Storage o Azure EventHub para su procesamiento", - "waf": "Operaciones" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "Cree varias definiciones de grupo de Apache Spark de varios tamaños.", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "severity": "Bajo", - "text": "Si se requiere una visión profunda de VMware vSphere: ¿Se utiliza vRealize Operations o vRealize Network Insights en la solución?", - "waf": "Operaciones" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "Compre unidades de confirmación (SCU) de Azure Synapse durante un año con un plan de compra anticipada para ahorrar en los costos de Azure Synapse Analytics.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", - "severity": "Alto", - "text": "Asegúrese de que la directiva de almacenamiento de vSAN para las máquinas virtuales NO sea la directiva de almacenamiento predeterminada, ya que esta directiva aplica el aprovisionamiento grueso", 
- "waf": "Operaciones" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "Uso de máquinas virtuales de acceso puntual para trabajos interrumpibles: se trata de máquinas virtuales por las que se puede pujar y comprar a un precio reducido, lo que proporciona una solución rentable para cargas de trabajo no críticas.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que las bibliotecas de contenido de vSphere no se coloquen en vSAN, ya que vSAN es un recurso finito", - "waf": "Operaciones" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "Ajustar el tamaño de todas las máquinas virtuales", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que los repositorios de datos de la solución de copia de seguridad se almacenen fuera del almacenamiento de vSAN. 
Ya sea en Azure nativo o en un almacén de datos respaldado por un grupo de discos", - "waf": "Operaciones" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "Intercambiar el tamaño de la máquina virtual con los tamaños normalizados y más recientes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que las cargas de trabajo que se ejecutan en Azure VMware Solution se administran de forma híbrida mediante Azure Arc para servidores (Arc para Azure VMware Solution está en versión preliminar)", - "waf": "Operaciones" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "Ajustar el tamaño de las máquinas virtuales: comience con la supervisión del uso por debajo del 5 % y, a continuación, trabaje hasta el 40 %", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que las cargas de trabajo que se ejecutan en Azure VMware Solution se supervisan mediante Azure Log Analytics y Azure Monitor", - "waf": "Operaciones" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": 
"Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "La inclusión de una aplicación en contenedores puede mejorar la densidad de la máquina virtual y ahorrar dinero en su escalado", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", - "severity": "Medio", - "text": "Inclusión de cargas de trabajo que se ejecutan en Azure VMware Solution en las herramientas de administración de actualizaciones existentes o en Azure Update Management", - "waf": "Operaciones" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", + "severity": "Bajo", + "text": "Si es necesario para las cargas de trabajo de Windows de AKS, se pueden usar contenedores HostProcess", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", - "severity": "Medio", - "text": "Uso de Azure Policy para incorporar cargas de trabajo de Azure VMware Solution en las soluciones de administración, supervisión y seguridad de Azure", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "Bajo", + "text": "Utilice KEDA si ejecuta cargas de trabajo controladas por eventos", + "waf": "Rendimiento" + }, + { + 
"arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "Bajo", + "text": "Uso de Dapr para facilitar el desarrollo de microservicios", "waf": "Operaciones" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que las cargas de trabajo que se ejecutan en Azure VMware Solution se incorporan a Microsoft Defender for Cloud", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que las copias de seguridad no se almacenen en vSAN, ya que vSAN es un recurso finito", - "waf": "Fiabilidad" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", - "severity": "Medio", - "text": "¿Se han considerado todas las soluciones de recuperación ante desastres y se ha decidido por la mejor solución para su negocio? 
[SRM/JetStream/Zerto/Veeam/...]", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", + "severity": "Alto", + "text": "Uso de la oferta de AKS respaldada por SLA", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", - "severity": "Medio", - "text": "Uso de Azure Site Recovery cuando la tecnología de recuperación ante desastres sea IaaS nativa de Azure", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "Bajo", + "text": "Uso de presupuestos de interrupción en el pod y las definiciones de implementación", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "severity": "Alto", - "text": "Utilice planes de recuperación automatizados con cualquiera de las soluciones ante desastres, evite las tareas manuales tanto como sea posible", + "text": "Si usa un registro privado, configure la replicación de regiones para almacenar imágenes en varias regiones", "waf": "Fiabilidad" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", - "severity": "Medio", - "text": "Usar el par de regiones geopolíticas como entorno secundario de recuperación ante desastres", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", + "severity": "Bajo", + "text": "Usar una aplicación externa como kubecost para asignar costos a diferentes usuarios", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", - "severity": "Alto", - "text": "Utilice 2 espacios de direcciones diferentes entre las regiones, por ejemplo: 10.0.0.0/16 y 192.168.0.0/16 para las diferentes regiones", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", + "severity": "Bajo", + "text": "Usar el modo de reducción vertical para eliminar/desasignar nodos", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "severity": "Medio", - "text": "¿Se usará Global Reach de ExpressRoute para la conectividad entre las nubes privadas de Azure 
VMware Solution principal y secundaria, o el enrutamiento se realiza a través de aplicaciones virtuales de red?", - "waf": "Fiabilidad" + "text": "Cuando sea necesario, use la GPU de partición de varias instancias en clústeres de AKS", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", - "severity": "Medio", - "text": "¿Se han considerado todas las soluciones de copia de seguridad y se ha decidido por la mejor solución para su negocio? [ MABS/CommVault/Metallic.io/Veeam/ . ]", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", + "severity": "Bajo", + "text": "Si se ejecuta un clúster de desarrollo y pruebas, use NodePool Start/Stop", + "waf": "Costar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "severity": "Medio", - "text": "Implemente la solución de copia de seguridad en la misma región que la nube privada de Azure VMware Solution", - "waf": "Fiabilidad" + "text": "Uso de Azure Policy para Kubernetes para garantizar el cumplimiento de clústeres", + "waf": "Seguridad" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "Medio", - "text": "Implementación de la solución de copia de seguridad fuera de vSan, en componentes nativos de Azure", - "waf": "Fiabilidad" + "text": "Separe las aplicaciones del plano de control con grupos de nodos de usuario/sistema", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "Bajo", - "text": "¿Existe un proceso para solicitar una restauración de los componentes de VMware administrados por la plataforma Azure?", - "waf": "Fiabilidad" + "text": "Agregue taint a su grupo de nodos del sistema para que sea dedicado", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "Bajo", - "text": "En el caso de las implementaciones manuales, se deben documentar todas las configuraciones e implementaciones", - "waf": "Operaciones" + "arm-service": "microsoft.containerservice/managedClusters", + 
"checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", + "severity": "Medio", + "text": "Utilice un registro privado para sus imágenes, como ACR", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "Bajo", - "text": "En el caso de las implementaciones manuales, considere la posibilidad de implementar bloqueos de recursos para evitar acciones accidentales en la nube privada de Azure VMware Solution", - "waf": "Operaciones" + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", + "severity": "Medio", + "text": "Escanea tus imágenes en busca de vulnerabilidades", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", - "severity": "Bajo", - "text": "Para implementaciones automatizadas, implemente una nube privada mínima y escale según sea necesario", - "waf": "Operaciones" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", + "severity": "Alto", + "text": "Definición de los requisitos de separación de aplicaciones (espacio de nombres/grupo de nodos/clúster)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - 
"severity": "Bajo", - "text": "En el caso de las implementaciones automatizadas, solicite o reserve una cuota antes de iniciar la implementación", - "waf": "Operaciones" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", + "severity": "Medio", + "text": "Almacenamiento de los secretos en Azure Key Vault con el controlador del almacén de secretos de CSI", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", - "severity": "Bajo", - "text": "En el caso de la implementación automatizada, asegúrese de que se crean bloqueos de recursos relevantes a través de la automatización o a través de Azure Policy para una gobernanza adecuada", - "waf": "Operaciones" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", + "severity": "Alto", + "text": "Si usa entidades de servicio para el clúster, actualice las credenciales periódicamente (por ejemplo, trimestralmente)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "Bajo", - "text": "Implemente nombres comprensibles para las claves de autorización ExR para permitir una fácil identificación del propósito y uso de las claves.", - "waf": "Operaciones" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": 
"https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", + "severity": "Medio", + "text": "Si es necesario, agregue el servicio de administración de claves, etcd, cifrado", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", "severity": "Bajo", - "text": "Uso de Key Vault para almacenar secretos y claves de autorización cuando se usan principios de servicio independientes para implementar Azure VMware Solution y ExpressRoute", - "waf": "Operaciones" + "text": "Si es necesario, considere la posibilidad de usar Proceso confidencial para AKS", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "Bajo", - "text": "Defina dependencias de recursos para serializar acciones en IaC cuando sea necesario implementar muchos recursos en Azure VMware Solution, ya que Azure VMware Solution solo admite un número limitado de operaciones paralelas.", - "waf": "Operaciones" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", + "severity": "Medio", + "text": "Considere la posibilidad de usar Defender para contenedores", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "Bajo", - "text": "Al realizar la configuración automatizada de segmentos de NSX-T con una única puerta de enlace de nivel 1, use las API de Azure Portal en lugar de las API de NSX-Manager", - "waf": "Operaciones" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", + "severity": "Alto", + "text": "Uso de identidades administradas en lugar de entidades de servicio", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "severity": "Medio", - "text": "Si tiene la intención de usar el escalado horizontal automatizado, asegúrese de solicitar una cuota suficiente de Azure VMware Solution para las suscripciones que ejecutan Azure VMware Solution", - "waf": "Rendimiento" + "text": "Integración de la autenticación con AAD (mediante la integración administrada)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": 
"Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "severity": "Medio", - "text": "Cuando tenga la intención de usar la reducción horizontal automatizada, asegúrese de tener en cuenta los requisitos de la directiva de almacenamiento antes de realizar dicha acción", - "waf": "Rendimiento" + "text": "Limitar el acceso a admin kubeconfig (get-credentials --admin)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "severity": "Medio", - "text": "Las operaciones de escalado siempre deben serializarse dentro de un único SDDC, ya que solo se puede realizar una operación de escalado a la vez (incluso cuando se utilizan varios clústeres)", - "waf": "Rendimiento" + "text": "Integración de la autorización con RBAC de AAD", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", - "severity": "Medio", - "text": "Considerar y validar las operaciones de escalado en soluciones de terceros utilizadas en la arquitectura (compatibles o no)", - "waf": "Rendimiento" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", + "severity": "Alto", + "text": "Uso de espacios de nombres para restringir el privilegio RBAC en Kubernetes", + "waf": "Seguridad" }, { - 
"arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "severity": "Medio", - "text": "Defina y aplique límites máximos de escalado vertical y horizontal para su entorno en las automatizaciones", - "waf": "Rendimiento" + "text": "Para la administración de acceso a identidades de pods, use Azure AD Workload Identity (versión preliminar)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "severity": "Medio", - "text": "Implemente reglas de supervisión para supervisar las operaciones de escalado automatizadas y supervisar el éxito y el fracaso para permitir respuestas adecuadas (automatizadas)", - "waf": "Operaciones" + "text": "En el caso de los inicios de sesión no interactivos de AKS, use kubelogin (versión preliminar)", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "Alto", - "text": "Al usar MON, tenga en cuenta los límites de las máquinas virtuales configuradas simultáneamente (límite de MON para HCX [400 - 
estándar, 1000 - dispositivo más grande])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", + "severity": "Medio", + "text": "Deshabilitación de cuentas locales de AKS", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "Alto", - "text": "Al usar MON, no puede habilitar MON en más de 100 extensiones de red", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Bajo", + "text": "Configure, si es necesario, el acceso al clúster Just-In-Time", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", - "severity": "Medio", - "text": "Si utiliza una conexión VPN para migraciones, ajuste el tamaño de su MTU en consecuencia.", - "waf": "Rendimiento" + "arm-service": "microsoft.containerservice/managedClusters", 
+ "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "Bajo", + "text": "Configure si es necesario el acceso condicional de AAD para AKS", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", - "severity": "Medio", - "text": "En el caso de las regiones de baja conectividad que se conectan a Azure (500 Mbps o menos), considere la posibilidad de implementar el dispositivo de optimización de WAN de HCX", - "waf": "Rendimiento" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "Bajo", + "text": "Si es necesario para las cargas de trabajo de Windows AKS, configure gMSA ", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "severity": "Medio", - "text": "Asegúrese de que las migraciones se inicien desde el dispositivo local y NO desde el dispositivo en la nube (NO realice una migración inversa)", - "waf": "Fiabilidad" + "text": "Para un control más preciso, considere la posibilidad de utilizar una identidad de Kubelet administrada", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": 
"Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "severity": "Medio", - "text": "Cuando se usa Azure NetApp Files para ampliar el almacenamiento de Azure VMware Solution, considere la posibilidad de usarlo como almacén de datos de VMware en lugar de adjuntarlo directamente a una máquina virtual.", + "text": "Si utiliza AGIC, no comparta un AppGW entre clústeres", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", - "severity": "Medio", - "text": "Asegúrese de que se usa una puerta de enlace de ExpressRoute dedicada para soluciones de almacenamiento de datos externos", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", + "severity": "Alto", + "text": "No use el complemento de enrutamiento HTTP de AKS, use en su lugar la entrada NGINX administrada con el complemento de enrutamiento de aplicaciones.", "waf": "Fiabilidad" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "severity": "Medio", - "text": "Asegúrese de que FastPath está habilitado en la puerta de enlace de ExpressRoute que se usa para las soluciones de almacenamiento de datos externos", - "waf": "Fiabilidad" + "text": "En el caso de las cargas de trabajo de Windows, use las redes aceleradas", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "Alto", - "text": "Si utiliza un clúster ampliado, asegúrese de que la solución de recuperación ante desastres seleccionada sea compatible con el proveedor", + "text": "Utilice el ALB estándar (en lugar del básico)", "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", - "severity": "Alto", - "text": "Si utiliza un clúster ampliado, asegúrese de que el Acuerdo de Nivel de Servicio proporcionado cumpla sus requisitos", - "waf": "Fiabilidad" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", - "severity": "Alto", - "text": "Si usa un clúster extendido, asegúrese de que ambos circuitos ExpressRoute están conectados al centro de conectividad.", - "waf": "Fiabilidad" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", - "severity": "Alto", - "text": "Si usa un clúster extendido, asegúrese de que ambos circuitos ExpressRoute tengan habilitado GlobalReach.", - "waf": "Fiabilidad" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "Alto", - "text": "Haga que la configuración de tolerancia ante desastres del sitio se considere y cambie correctamente para su negocio si es necesario.", - "waf": "Fiabilidad" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", + "severity": 
"Medio", + "text": "Si usa Azure CNI, considere la posibilidad de usar diferentes subredes para NodePools", + "waf": "Seguridad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario para las cargas de trabajo de Windows de AKS, se pueden usar contenedores HostProcess", - "waf": "Fiabilidad" + "severity": "Medio", + "text": "Use puntos de conexión privados (preferidos) o puntos de conexión de servicio de red virtual para acceder a los servicios PaaS desde el clúster", + "waf": "Seguridad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", "service": "AKS", - "severity": "Bajo", - "text": "Utilice KEDA si ejecuta cargas de trabajo controladas por eventos", - "waf": "Rendimiento" + "severity": "Alto", + "text": "Elija el mejor complemento de red de CNI para sus necesidades (se recomienda Azure CNI)", + "waf": "Fiabilidad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", "service": "AKS", - 
"severity": "Bajo", - "text": "Uso de Dapr para facilitar el desarrollo de microservicios", - "waf": "Operaciones" + "severity": "Alto", + "text": "Si usa CNI de Azure, ajuste el tamaño de la subred en consecuencia teniendo en cuenta el número máximo de pods por nodo", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", "service": "AKS", "severity": "Alto", - "text": "Uso de la oferta de AKS respaldada por SLA", - "waf": "Fiabilidad" + "text": "Si usa Azure CNI, compruebe el número máximo de pods o nodo (valor predeterminado 30)", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "description": "En el caso de las aplicaciones internas, las organizaciones suelen abrir toda la subred de AKS en sus firewalls. Esto también abre el acceso de red a los nodos y, potencialmente, también a los pods (si se usa Azure CNI). Si las direcciones IP de LoadBalancer están en una subred diferente, solo esta debe estar disponible para los clientes de la aplicación. 
Otra razón es que si las direcciones IP de la subred de AKS son un recurso escaso, el consumo de sus direcciones IP para los servicios reducirá la escalabilidad máxima del clúster.", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", "service": "AKS", "severity": "Bajo", - "text": "Uso de presupuestos de interrupción en el pod y las definiciones de implementación", - "waf": "Fiabilidad" + "text": "Si usa servicios de LoadBalancer de dirección IP privada, use una subred dedicada (no la subred de AKS)", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerregistry/registries", + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "Alto", - "text": "Si usa un registro privado, configure la replicación de regiones para almacenar imágenes en varias regiones", + "text": "Dimensione el rango de direcciones IP del servicio en consecuencia (limitará la escalabilidad del clúster)", "waf": "Fiabilidad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", "service": "AKS", "severity": "Bajo", - "text": "Usar una aplicación externa como kubecost para asignar costos a diferentes usuarios", - "waf": "Costar" + "text": "Si es necesario, agregue su propio complemento CNI", + "waf": "Seguridad" }, { "arm-service": 
"microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", "service": "AKS", "severity": "Bajo", - "text": "Usar el modo de reducción vertical para eliminar/desasignar nodos", - "waf": "Costar" + "text": "Si es necesario, configure la dirección IP pública por nodo en AKS", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", "service": "AKS", "severity": "Medio", - "text": "Cuando sea necesario, use la GPU de partición de varias instancias en clústeres de AKS", - "waf": "Costar" + "text": "Use un controlador de entrada para exponer aplicaciones basadas en web en lugar de exponerlas con servicios de tipo LoadBalancer", + "waf": "Fiabilidad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", "service": "AKS", "severity": "Bajo", - "text": "Si se ejecuta un clúster de desarrollo y pruebas, use NodePool Start/Stop", - "waf": "Costar" + "text": "Uso de Azure NAT Gateway como outboundType para escalar el tráfico de salida", + "waf": "Fiabilidad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", "service": "AKS", "severity": "Medio", - "text": "Uso de Azure Policy para Kubernetes para garantizar el cumplimiento de clústeres", - "waf": "Seguridad" + "text": "Uso de asignaciones dinámicas de direcciones IP para evitar el agotamiento de direcciones IP de Azure CNI", + "waf": "Fiabilidad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", "service": "AKS", - "severity": "Medio", - "text": "Separe las aplicaciones del plano de control con grupos de nodos de usuario/sistema", + "severity": "Alto", + "text": "Filtre el tráfico de salida con AzFW/NVA si sus requisitos de seguridad lo exigen", "waf": "Seguridad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - 
"link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", "service": "AKS", - "severity": "Bajo", - "text": "Agregue taint a su grupo de nodos del sistema para que sea dedicado", + "severity": "Medio", + "text": "Si utiliza un punto de conexión de API público, restrinja las direcciones IP que pueden acceder a él", "waf": "Seguridad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", "service": "AKS", - "severity": "Medio", - "text": "Utilice un registro privado para sus imágenes, como ACR", + "severity": "Alto", + "text": "Utilice clústeres privados si sus requisitos lo exigen", "waf": "Seguridad" }, { - "arm-service": "microsoft.containerregistry/registries", + "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", + "graph": "where type=='microsoft.containerservice/managedclusters' | where 
isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "Medio", - "text": "Escanea tus imágenes en busca de vulnerabilidades", + "text": "Para los nodos de AKS de Windows 2019 y 2022, se pueden usar directivas de red de Calico ", "waf": "Seguridad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", "service": "AKS", "severity": "Alto", - "text": "Definición de los requisitos de separación de aplicaciones (espacio de nombres/grupo de nodos/clúster)", + "text": "Habilitación de una opción de directiva de red de Kubernetes (Calico/Azure)", "waf": "Seguridad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", "service": "AKS", - "severity": "Medio", - "text": "Almacenamiento de los secretos en Azure Key Vault con el controlador del almacén de secretos de CSI", + "severity": "Alto", + "text": "Uso de directivas de red de Kubernetes para aumentar la seguridad dentro del clúster", "waf": "Seguridad" }, { "arm-service": 
"microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", "service": "AKS", "severity": "Alto", - "text": "Si usa entidades de servicio para el clúster, actualice las credenciales periódicamente (por ejemplo, trimestralmente)", + "text": "Uso de un WAF para cargas de trabajo web (interfaces de usuario o API)", "waf": "Seguridad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", "service": "AKS", "severity": "Medio", - "text": "Si es necesario, agregue el servicio de administración de claves, etcd, cifrado", + "text": "Uso de DDoS Standard en la red virtual de AKS", "waf": "Seguridad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": 
"https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", "service": "AKS", "severity": "Bajo", - "text": "Si es necesario, considere la posibilidad de usar Proceso confidencial para AKS", + "text": "Si es necesario, agregue el proxy HTTP de la empresa", "waf": "Seguridad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", "service": "AKS", "severity": "Medio", - "text": "Considere la posibilidad de usar Defender para contenedores", + "text": "Considere la posibilidad de usar una malla de servicios para la administración avanzada de comunicaciones de microservicios", "waf": "Seguridad" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": 
"ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", "service": "AKS", "severity": "Alto", - "text": "Uso de identidades administradas en lugar de entidades de servicio", - "waf": "Seguridad" + "text": "Configurar alertas sobre las métricas más críticas (consulte Container Insights para obtener recomendaciones)", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", "service": "AKS", - "severity": "Medio", - "text": "Integración de la autenticación con AAD (mediante la integración administrada)", - "waf": "Seguridad" + "severity": "Bajo", + "text": "Consulte periódicamente Azure Advisor para obtener recomendaciones sobre el clúster", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", "service": "AKS", - "severity": "Medio", - "text": "Limitar el acceso a admin kubeconfig (get-credentials --admin)", - "waf": "Seguridad" + "severity": "Bajo", + "text": "Habilitación de la rotación automática de certificados de AKS", + "waf": "Operaciones" }, { "arm-service": 
"microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", "service": "AKS", - "severity": "Medio", - "text": "Integración de la autorización con RBAC de AAD", - "waf": "Seguridad" + "severity": "Alto", + "text": "Tenga un proceso regular para actualizar la versión de Kubernetes periódicamente (trimestralmente, por ejemplo) o use la característica de actualización automática de AKS", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", "service": "AKS", "severity": "Alto", - "text": "Uso de espacios de nombres para restringir el privilegio RBAC en Kubernetes", - "waf": "Seguridad" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", - "severity": "Medio", - "text": "Para la administración de acceso a identidades de pods, use Azure AD Workload Identity (versión preliminar)", - "waf": "Seguridad" + "text": "Utilice kured para las actualizaciones de nodos de Linux en caso de que no esté utilizando la actualización de imagen de nodo", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": 
"https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", "service": "AKS", - "severity": "Medio", - "text": "En el caso de los inicios de sesión no interactivos de AKS, use kubelogin (versión preliminar)", - "waf": "Seguridad" + "severity": "Alto", + "text": "Disponer de un proceso regular para actualizar las imágenes de los nodos del clúster periódicamente (semanalmente, por ejemplo)", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", "service": "AKS", - "severity": "Medio", - "text": "Deshabilitación de cuentas locales de AKS", - "waf": "Seguridad" + "severity": "Bajo", + "text": "Considere la posibilidad de implementar aplicaciones o configuraciones de clústeres en varios clústeres", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", "service": "AKS", "severity": "Bajo", - "text": "Configure, si es necesario, el acceso al clúster Just-In-Time", - "waf": "Seguridad" + "text": "Considere la posibilidad de usar la invocación de comandos de 
AKS en clústeres privados", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", "service": "AKS", "severity": "Bajo", - "text": "Configure si es necesario el acceso condicional de AAD para AKS", - "waf": "Seguridad" + "text": "En el caso de los eventos planeados, considere la posibilidad de utilizar el drenaje automático de nodos", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario para las cargas de trabajo de Windows AKS, configure gMSA ", - "waf": "Seguridad" + "severity": "Alto", + "text": "Desarrollar sus propias prácticas de gobernanza para asegurarse de que los operadores no realicen cambios en el nodo RG (también conocido como 'infra RG')", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", "service": "AKS", - 
"severity": "Medio", - "text": "Para un control más preciso, considere la posibilidad de utilizar una identidad de Kubelet administrada", - "waf": "Seguridad" + "severity": "Bajo", + "text": "Usar el nombre personalizado de Node RG (también conocido como 'Infra RG')", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", "service": "AKS", "severity": "Medio", - "text": "Si utiliza AGIC, no comparta un AppGW entre clústeres", - "waf": "Fiabilidad" + "text": "No use API de Kubernetes obsoletas en los manifiestos de YAML", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", "service": "AKS", - "severity": "Alto", - "text": "No use el complemento de enrutamiento HTTP de AKS, use en su lugar la entrada NGINX administrada con el complemento de enrutamiento de aplicaciones.", - "waf": "Fiabilidad" + "severity": "Bajo", + "text": "Nodos de Windows de Taint", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": 
"https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", "service": "AKS", - "severity": "Medio", - "text": "En el caso de las cargas de trabajo de Windows, use las redes aceleradas", - "waf": "Rendimiento" + "severity": "Bajo", + "text": "Mantener el nivel de revisión de los contenedores de Windows sincronizado con el nivel de revisión del host", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "description": "A través de la configuración de diagnóstico en el nivel de clúster", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", "service": "AKS", - "severity": "Alto", - "text": "Utilice el ALB estándar (en lugar del básico)", - "waf": "Fiabilidad" + "severity": "Bajo", + "text": "Envío de registros maestros (también conocidos como registros de API) a Azure Monitor o a la solución de administración de registros que prefiera", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", "service": "AKS", - "severity": "Medio", - "text": "Si usa Azure CNI, considere 
la posibilidad de usar diferentes subredes para NodePools", - "waf": "Seguridad" + "severity": "Bajo", + "text": "Si es necesario, utilice instantáneas de nodePool", + "waf": "Costar" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", "service": "AKS", - "severity": "Medio", - "text": "Use puntos de conexión privados (preferidos) o puntos de conexión de servicio de red virtual para acceder a los servicios PaaS desde el clúster", - "waf": "Seguridad" + "severity": "Bajo", + "text": "Considere la posibilidad de crear grupos de nodos de acceso puntual para cargas de trabajo no urgentes", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", "service": "AKS", - "severity": "Alto", - "text": "Elija el mejor complemento de red de CNI para sus necesidades (se recomienda Azure CNI)", - "waf": "Fiabilidad" + "severity": "Bajo", + "text": "Considere la posibilidad de utilizar el nodo virtual de AKS para una ráfaga rápida", + "waf": "Operaciones" }, { "arm-service": 
"microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", "service": "AKS", "severity": "Alto", - "text": "Si usa CNI de Azure, ajuste el tamaño de la subred en consecuencia teniendo en cuenta el número máximo de pods por nodo", - "waf": "Rendimiento" + "text": "Supervise las métricas de clúster con Container Insights (u otras herramientas como Prometheus)", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", "service": "AKS", "severity": "Alto", - "text": "Si usa Azure CNI, compruebe el número máximo de pods o nodo (valor predeterminado 30)", - "waf": "Rendimiento" + "text": "Almacene y analice los registros del clúster con Container Insights (u otras herramientas como Telegraf/ElasticSearch)", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "description": "En el caso de las aplicaciones internas, las organizaciones suelen abrir toda la subred de AKS en sus firewalls. Esto también abre el acceso de red a los nodos y, potencialmente, también a los pods (si se usa Azure CNI). 
Si las direcciones IP de LoadBalancer están en una subred diferente, solo esta debe estar disponible para los clientes de la aplicación. Otra razón es que si las direcciones IP de la subred de AKS son un recurso escaso, el consumo de sus direcciones IP para los servicios reducirá la escalabilidad máxima del clúster.", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", "service": "AKS", - "severity": "Bajo", - "text": "Si usa servicios de LoadBalancer de dirección IP privada, use una subred dedicada (no la subred de AKS)", - "waf": "Seguridad" + "severity": "Medio", + "text": "Supervisar el uso de la CPU y la memoria de los nodos", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", "service": "AKS", - "severity": "Alto", - "text": "Dimensione el rango de direcciones IP del servicio en consecuencia (limitará la escalabilidad del clúster)", - "waf": "Fiabilidad" + "severity": "Medio", + "text": "Si usa Azure CNI, supervise el porcentaje de direcciones IP de pod consumidas por nodo", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "description": "La E/S en el disco del sistema operativo es un recurso crítico. 
Si el sistema operativo de los nodos se limita en la E/S, esto podría dar lugar a un comportamiento impredecible, que normalmente terminaría en que el nodo se declarara NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario, agregue su propio complemento CNI", - "waf": "Seguridad" + "severity": "Medio", + "text": "Supervisión de la profundidad de la cola de disco del sistema operativo en los nodos", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario, configure la dirección IP pública por nodo en AKS", - "waf": "Rendimiento" + "severity": "Medio", + "text": "Si no usa el filtrado de salida con AzFW/NVA, supervise los puertos SNAT asignados por ALB estándar", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", "service": "AKS", "severity": "Medio", - "text": "Use un controlador de entrada para exponer aplicaciones basadas en web en lugar de exponerlas con servicios de tipo LoadBalancer", - "waf": "Fiabilidad" + "text": "Suscríbase a las notificaciones de estado de los recursos para el clúster de AKS", + "waf": "Operaciones" }, { "arm-service": 
"microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", "service": "AKS", - "severity": "Bajo", - "text": "Uso de Azure NAT Gateway como outboundType para escalar el tráfico de salida", - "waf": "Fiabilidad" + "severity": "Alto", + "text": "Configurar solicitudes y límites en las especificaciones del pod", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", "service": "AKS", "severity": "Medio", - "text": "Uso de asignaciones dinámicas de direcciones IP para evitar el agotamiento de direcciones IP de Azure CNI", - "waf": "Fiabilidad" + "text": "Aplicación de cuotas de recursos para espacios de nombres", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "service": "AKS", "severity": "Alto", - "text": "Filtre el tráfico de salida con AzFW/NVA si sus requisitos de seguridad lo exigen", - "waf": 
"Seguridad" + "text": "Asegúrese de que la suscripción tiene suficiente cuota para escalar horizontalmente los grupos de nodos", + "waf": "Operaciones" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", "service": "AKS", "severity": "Medio", - "text": "Si utiliza un punto de conexión de API público, restrinja las direcciones IP que pueden acceder a él", - "waf": "Seguridad" + "text": "Uso del escalador automático de clústeres", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", "service": 
"AKS", - "severity": "Alto", - "text": "Utilice clústeres privados si sus requisitos lo exigen", - "waf": "Seguridad" - }, - { + "severity": "Bajo", + "text": "Personalización de la configuración de nodos para grupos de nodos de AKS", + "waf": "Rendimiento" + }, + { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", "service": "AKS", "severity": "Medio", - "text": "Para los nodos de AKS de Windows 2019 y 2022, se pueden usar directivas de red de Calico ", - "waf": "Seguridad" + "text": "Usar el escalador automático horizontal de pods cuando sea necesario", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "description": "Los nodos más grandes aportarán un mayor rendimiento y características como discos efímeros y redes aceleradas, pero aumentarán el radio de explosión y disminuirán la granularidad de escalado", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", "service": "AKS", "severity": "Alto", - "text": "Habilitación de una opción de directiva de red de Kubernetes (Calico/Azure)", - 
"waf": "Seguridad" + "text": "Considere un tamaño de nodo adecuado, ni demasiado grande ni demasiado pequeño", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", "service": "AKS", - "severity": "Alto", - "text": "Uso de directivas de red de Kubernetes para aumentar la seguridad dentro del clúster", - "waf": "Seguridad" + "severity": "Bajo", + "text": "Si se requieren más de 5000 nodos para la escalabilidad, considere la posibilidad de usar un clúster de AKS adicional", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", "service": "AKS", - "severity": "Alto", - "text": "Uso de un WAF para cargas de trabajo web (interfaces de usuario o API)", - "waf": "Seguridad" + "severity": "Bajo", + "text": "Considere la posibilidad de suscribirse a eventos de EventGrid para la automatización de AKS", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project 
id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", "service": "AKS", - "severity": "Medio", - "text": "Uso de DDoS Standard en la red virtual de AKS", - "waf": "Seguridad" + "severity": "Bajo", + "text": "Para una operación de ejecución prolongada en un clúster de AKS, considere la finalización de eventos", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", "service": "AKS", "severity": "Bajo", - "text": "Si es necesario, agregue el proxy HTTP de la empresa", - "waf": 
"Seguridad" + "text": "Si es necesario, considere la posibilidad de usar Azure Dedicated Hosts para nodos de AKS", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", "service": "AKS", - "severity": "Medio", - "text": "Considere la posibilidad de usar una malla de servicios para la administración avanzada de comunicaciones de microservicios", - "waf": "Seguridad" + "severity": "Alto", + "text": "Usar discos de sistema operativo efímeros", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", "service": "AKS", "severity": "Alto", - "text": "Configurar alertas sobre las métricas más críticas (consulte Container Insights para obtener recomendaciones)", - "waf": "Operaciones" + "text": "En el caso de los discos no efímeros, use IOPS altas y discos de sistema operativo más grandes para los nodos cuando ejecute muchos pods o nodos, ya que requiere un alto rendimiento para ejecutar varios pods y generará registros enormes con umbrales de rotación de registros de AKS predeterminados", + "waf": "Rendimiento" }, { "arm-service": 
"microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", "service": "AKS", "severity": "Bajo", - "text": "Consulte periódicamente Azure Advisor para obtener recomendaciones sobre el clúster", - "waf": "Operaciones" + "text": "Para la opción de almacenamiento de hiperrendimiento, use discos Ultra en AKS", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", "service": "AKS", - "severity": "Bajo", - "text": "Habilitación de la rotación automática de certificados de AKS", - "waf": "Operaciones" + "severity": "Medio", + "text": "Evite mantener el estado en el clúster y almacene los datos fuera (AzStorage, AzSQL, Cosmos, etc.)", + "waf": "Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", "service": "AKS", - "severity": "Alto", - "text": "Tenga un proceso regular para actualizar la versión de Kubernetes periódicamente (trimestralmente, por ejemplo) o use la característica de actualización automática de AKS", - "waf": "Operaciones" + "severity": "Medio", + "text": "Si usa AzFiles Standard, considere AzFiles Premium o ANF por motivos de rendimiento", + "waf": 
"Rendimiento" }, { "arm-service": "microsoft.containerservice/managedClusters", "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", "service": "AKS", - "severity": "Alto", - "text": "Utilice kured para las actualizaciones de nodos de Linux en caso de que no esté utilizando la actualización de imagen de nodo", - "waf": "Operaciones" + "severity": "Medio", + "text": "Si usa Azure Disks y AZ, considere la posibilidad de tener grupos de nodos dentro de una zona para el disco LRS con VolumeBindingMode:WaitForFirstConsumer para aprovisionar el almacenamiento en la zona correcta o use el disco ZRS para los grupos de nodos que abarquen varias zonas", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", "severity": "Alto", - "text": "Disponer de un proceso regular para actualizar las imágenes de los nodos del clúster periódicamente (semanalmente, por ejemplo)", - "waf": "Operaciones" + "text": "Asegúrese de que los controladores de dominio ADDS se implementan en la suscripción de identidad en Azure nativo", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "Bajo", - "text": 
"Considere la posibilidad de implementar aplicaciones o configuraciones de clústeres en varios clústeres", - "waf": "Operaciones" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", + "severity": "Medio", + "text": "Asegúrese de que los sitios y servicios de ADDS están configurados para mantener las solicitudes de autenticación de los recursos basados en Azure (incluida Azure VMware Solution) locales en Azure", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "severity": "Bajo", - "text": "Considere la posibilidad de usar la invocación de comandos de AKS en clústeres privados", - "waf": "Operaciones" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", + "severity": "Alto", + "text": "Asegúrese de que vCenter esté conectado a ADDS para habilitar la autenticación basada en \"cuentas de usuario designadas\"", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", - "severity": "Bajo", - "text": "En el caso de los eventos planeados, considere la posibilidad de utilizar el drenaje automático de nodos", - "waf": "Operaciones" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", + "severity": "Medio", + "text": "Asegúrese de que la conexión de vCenter a ADDS utilice un protocolo seguro 
(LDAPS)", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", - "severity": "Alto", - "text": "Desarrollar sus propias prácticas de gobernanza para asegurarse de que los operadores no realicen cambios en el nodo RG (también conocido como 'infra RG')", - "waf": "Operaciones" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", + "severity": "Medio", + "text": "La cuenta de CloudAdmin en vCenter IdP solo se utiliza como una cuenta de emergencia (break-glass)", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "Bajo", - "text": "Usar el nombre personalizado de Node RG (también conocido como 'Infra RG')", - "waf": "Operaciones" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", + "severity": "Alto", + "text": "Asegúrese de que NSX-Manager esté integrado con un proveedor de identidades externo (LDAPS)", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", 
+ "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "severity": "Medio", - "text": "No use API de Kubernetes obsoletas en los manifiestos de YAML", - "waf": "Operaciones" + "text": "¿Se ha creado un modelo RBAC para su uso en VMware vSphere?", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", - "severity": "Bajo", - "text": "Nodos de Windows de Taint", - "waf": "Operaciones" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", + "severity": "Medio", + "text": "Los permisos RBAC deben concederse a grupos ADDS y no a usuarios específicos", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "Bajo", - "text": "Mantener el nivel de revisión de los contenedores de Windows sincronizado con el nivel de revisión del host", - "waf": "Operaciones" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", + "severity": "Alto", + "text": "Los permisos de RBAC en el recurso de Azure VMware Solution en Azure están \"bloqueados\" solo para un conjunto limitado de propietarios", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "A través de la configuración de diagnóstico en el nivel de clúster", - "guid": 
"5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", - "severity": "Bajo", - "text": "Envío de registros maestros (también conocidos como registros de API) a Azure Monitor o a la solución de administración de registros que prefiera", - "waf": "Operaciones" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", + "severity": "Alto", + "text": "Asegúrese de que todos los roles personalizados tengan el ámbito de las autorizaciones permitidas de CloudAdmin", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario, utilice instantáneas de nodePool", - "waf": "Costar" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", + "severity": "Alto", + "text": "¿Se ha seleccionado el modelo de conectividad de Azure VMware Solution correcto para el caso de uso del cliente en cuestión?", + "waf": "Rendimiento" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", - "severity": "Bajo", - "text": "Considere la posibilidad de crear grupos de nodos de acceso puntual para cargas de trabajo no urgentes", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", + 
"severity": "Alto", + "text": "Asegúrese de que las conexiones de ExpressRoute o VPN desde el entorno local a Azure se supervisan mediante el \"monitor de conexiones\"", "waf": "Operaciones" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "Bajo", - "text": "Considere la posibilidad de utilizar el nodo virtual de AKS para una ráfaga rápida", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", + "severity": "Medio", + "text": "Asegúrese de que se crea un monitor de conexión desde un recurso nativo de Azure a una máquina virtual de Azure VMware Solution para supervisar la conexión de ExpressRoute back-end de Azure VMware Solution", "waf": "Operaciones" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "Alto", - "text": "Supervise las métricas de clúster con Container Insights (u otras herramientas como Prometheus)", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", + "severity": "Medio", + "text": "Asegúrese de que se crea un monitor de conexión desde un recurso local a una máquina virtual de Azure VMware Solution para supervisar la conectividad de extremo a extremo", 
"waf": "Operaciones" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", "severity": "Alto", - "text": "Almacene y analice los registros del clúster con Container Insights (u otras herramientas como Telegraf/ElasticSearch)", + "text": "Cuando se utiliza el servidor de rutas, asegúrese de que no se propaguen más de 1000 rutas desde el servidor de rutas a la puerta de enlace de ExR al entorno local (límite de ARS).", "waf": "Operaciones" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", - "severity": "Medio", - "text": "Supervisar el uso de la CPU y la memoria de los nodos", - "waf": "Operaciones" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", + "severity": "Alto", + "text": "¿Se ha implementado Privileged Identity Management para los roles que administran el recurso de Azure VMware Solution en Azure Portal (no se permiten permisos permanentes)?", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": 
"https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "Medio", - "text": "Si usa Azure CNI, supervise el porcentaje de direcciones IP de pod consumidas por nodo", - "waf": "Operaciones" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", + "severity": "Alto", + "text": "Los informes de auditoría de Privileged Identity Management deben implementarse para los roles PIM de Azure VMware Solution", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "La E/S en el disco del sistema operativo es un recurso crítico. Si el sistema operativo de los nodos se limita en la E/S, esto podría dar lugar a un comportamiento impredecible, que normalmente terminaría en que el nodo se declarara NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", "severity": "Medio", - "text": "Supervisión de la profundidad de la cola de disco del sistema operativo en los nodos", - "waf": "Operaciones" + "text": "Si se usa Privileged Identity Management, asegúrese de que se crea una cuenta válida habilitada para Entra ID con un registro SMTP válido para las notificaciones de reemplazo automático de host de Azure VMware Solution. 
(se requieren permisos permanentes)", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", + "severity": "Alto", + "text": "Limite el uso de la cuenta de CloudAdmin solo al acceso de emergencia", + "waf": "Seguridad" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "severity": "Medio", - "text": "Si no usa el filtrado de salida con AzFW/NVA, supervise los puertos SNAT asignados por ALB estándar", - "waf": "Operaciones" + "text": "Cree funciones RBAC personalizadas en vCenter para implementar un modelo de privilegios mínimos dentro de vCenter", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", "severity": "Medio", - "text": "Suscríbase a las notificaciones de estado de los recursos para el clúster de AKS", - "waf": "Operaciones" + "text": "Es un proceso definido para rotar periódicamente las credenciales de administrador de la nube (vCenter) y administrador (NSX)", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", "severity": "Alto", - "text": "Configurar solicitudes y límites en las especificaciones del pod", - "waf": "Operaciones" + "text": "Uso de un proveedor de identidades centralizado que se usará para las cargas de trabajo (VM) que se ejecutan en Azure VMware Solution", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", "severity": "Medio", - "text": "Aplicación de cuotas de recursos para espacios de nombres", - "waf": "Operaciones" + "text": "¿Se implementa el filtrado de tráfico este-oeste en NSX-T?", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", "severity": "Alto", - "text": "Asegúrese de que la suscripción tiene suficiente cuota para escalar horizontalmente los grupos de nodos", - "waf": "Operaciones" + "text": "Las cargas de trabajo de Azure VMware Solution no se exponen directamente a Internet. 
El tráfico se filtra e inspecciona mediante Azure Application Gateway, Azure Firewall o soluciones de terceros", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", + "severity": "Alto", + "text": "La auditoría y el registro se implementan para las solicitudes entrantes de Internet a Azure VMware Solution y a las cargas de trabajo basadas en Azure VMware Solution", + "waf": "Seguridad" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", "severity": "Medio", - "text": "Uso del escalador automático de clústeres", - "waf": "Rendimiento" + "text": "La supervisión de sesiones se implementa para las conexiones salientes a Internet desde Azure VMware Solution o cargas de trabajo basadas en Azure VMware Solution para identificar actividades sospechosas o malintencionadas", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", - "severity": "Bajo", - "text": "Personalización de la configuración de nodos para grupos de nodos de AKS", - "waf": 
"Rendimiento" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", + "severity": "Medio", + "text": "¿Está habilitada la protección estándar de DDoS en la subred de puerta de enlace de ExR/VPN en Azure?", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", "severity": "Medio", - "text": "Usar el escalador automático horizontal de pods cuando sea necesario", - "waf": "Rendimiento" + "text": "Use una estación de trabajo de acceso con privilegios (PAW) dedicada para administrar Azure VMware Solution, vCenter, NSX Manager y HCX Manager", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "Los nodos más grandes aportarán un mayor rendimiento y características como discos efímeros y redes aceleradas, pero aumentarán el radio de explosión y disminuirán la granularidad de escalado", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", - "severity": "Alto", - "text": "Considere un tamaño de nodo adecuado, ni demasiado grande ni demasiado pequeño", - "waf": "Rendimiento" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", + "severity": "Medio", + "text": "Habilitación de la detección avanzada de amenazas (Microsoft Defender for Cloud, también conocida como ASC) para 
cargas de trabajo que se ejecutan en Azure VMware Solution", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": "Bajo", - "text": "Si se requieren más de 5000 nodos para la escalabilidad, considere la posibilidad de usar un clúster de AKS adicional", - "waf": "Rendimiento" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", + "severity": "Medio", + "text": "Use Azure ARC for Servers para controlar correctamente las cargas de trabajo que se ejecutan en Azure VMware Solution mediante tecnologías nativas de Azure (Azure ARC for Azure VMware Solution aún no está disponible)", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", "severity": "Bajo", - "text": "Considere la posibilidad de suscribirse a eventos de EventGrid para la automatización de AKS", - "waf": "Rendimiento" + "text": "Asegúrese de que las cargas de trabajo de Azure VMware Solution usen suficiente cifrado de datos durante el tiempo de ejecución (como el cifrado de disco invitado y SQL TDE). 
(El cifrado de vSAN en reposo es el predeterminado)", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", "severity": "Bajo", - "text": "Para una operación de ejecución prolongada en un clúster de AKS, considere la finalización de eventos", - "waf": "Rendimiento" + "text": "Cuando se usa el cifrado en invitado, almacene las claves de cifrado en Azure Key Vault siempre que sea posible", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", - "severity": "Bajo", - "text": "Si es necesario, considere la posibilidad de usar Azure Dedicated Hosts para nodos de AKS", - "waf": "Rendimiento" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", + "severity": "Medio", + "text": "Considere la posibilidad de usar la compatibilidad con actualizaciones de seguridad extendidas para las cargas de trabajo que se ejecutan en Azure VMware Solution (Azure VMware Solution es apta para ESU)", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), 
 resourceGroup, compliant",
- "guid": "24367b33-6971-45b1-952b-eee0b9b588de",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Usar discos de sistema operativo efímeros",
- "waf": "Rendimiento"
+ "text": "Asegúrese de que se utiliza el método de redundancia de datos de vSAN adecuado (especificación RAID)",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07",
- "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d88408f3-7273-44c8-96ba-280214590146",
+ "service": "AVS",
 "severity": "Alto",
- "text": "En el caso de los discos no efímeros, use IOPS altas y discos de sistema operativo más grandes para los nodos cuando ejecute muchos pods o nodos, ya que requiere un alto rendimiento para ejecutar varios pods y generará registros enormes con umbrales de rotación de registros de AKS predeterminados",
- "waf": "Rendimiento"
+ "text": "Asegúrese de que la directiva de error de tolerancia esté implementada para satisfacer sus necesidades de almacenamiento de vSAN",
+ "waf": "Fiabilidad"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db",
- "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks",
- "service": "AKS",
- "severity": "Bajo",
- "text": "Para la opción de almacenamiento de hiperrendimiento, use discos Ultra en AKS",
- "waf": "Rendimiento"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ 
"guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", + "severity": "Alto", + "text": "Asegúrese de que ha solicitado una cuota suficiente, asegurándose de que ha tenido en cuenta el crecimiento y el requisito de recuperación ante desastres", + "waf": "Fiabilidad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "severity": "Medio", - "text": "Evite mantener el estado en el clúster y almacene los datos fuera (AzStorage, AzSQL, Cosmos, etc.)", - "waf": "Rendimiento" + "text": "Asegúrese de que se comprenden las restricciones de acceso a ESXi, ya que existen límites de acceso que pueden afectar a las soluciones de terceros.", + "waf": "Operaciones" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "severity": "Medio", - "text": "Si usa AzFiles Standard, considere AzFiles Premium o ANF por motivos de rendimiento", - "waf": "Rendimiento" + "text": "Asegúrese de tener una política en torno a la densidad y la eficiencia del host ESXi, teniendo en cuenta el tiempo de espera para solicitar nuevos nodos", + "waf": "Operaciones" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": 
"https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", "severity": "Medio", - "text": "Si usa Azure Disks y AZ, considere la posibilidad de tener grupos de nodos dentro de una zona para el disco LRS con VolumeBindingMode:WaitForFirstConsumer para aprovisionar el almacenamiento en la zona correcta o use el disco ZRS para los grupos de nodos que abarquen varias zonas", - "waf": "Rendimiento" - }, - { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", - "severity": "Alto", - "text": "Seleccione el plan de hospedaje de aplicaciones lógicas adecuado en función de los requisitos empresariales y de SLO", - "waf": "Fiabilidad" + "text": "Asegúrese de que existe un buen proceso de administración de costos para Azure VMware Solution: se puede usar Azure Cost Management", + "waf": "Costar" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", - "severity": "Alto", - "text": "Proteja las aplicaciones lógicas de errores de región con redundancia de zona y zonas de disponibilidad", - "waf": "Fiabilidad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", + "severity": "Bajo", + "text": "¿Se usan instancias reservadas de Azure para optimizar el costo de uso de Azure VMware Solution?", + "waf": "Costar" }, { - 
"arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "severity": "Alto", - "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", - "waf": "Fiabilidad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", + "severity": "Medio", + "text": "Tenga en cuenta el uso de Azure Private-Link cuando use otros servicios nativos de Azure", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", "severity": "Alto", - "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", - "waf": "Fiabilidad" + "text": "Asegúrese de que todos los recursos necesarios residen en las mismas zonas de disponibilidad de Azure", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "severity": "Medio", - "text": "Aproveche Azure 
DevOps o GitHub para simplificar la CI/CD y proteger el código de la aplicación lógica",
- "waf": "Operaciones"
- },
- {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "Azure Event Hub proporciona cifrado de datos en reposo. Si usa su propia clave, los datos se siguen cifrando con la clave administrada por Microsoft, pero además la clave administrada por Microsoft se cifrará con la clave administrada por el cliente. ",
- "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6",
- "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key",
- "service": "Event Hubs",
- "severity": "Bajo",
- "text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario",
- "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
+ "text": "Habilitación de cargas de trabajo de máquina virtual invitada de Microsoft Defender for Cloud for Azure VMware Solution",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "Los espacios de nombres de Azure Event Hubs permiten a los clientes enviar y recibir datos con TLS 1.0 y versiones posteriores. Para aplicar medidas de seguridad más estrictas, puede configurar el espacio de nombres de Event Hubs para requerir que los clientes envíen y reciban datos con una versión más reciente de TLS. Si un espacio de nombres de Event Hubs requiere una versión mínima de TLS, se producirá un error en las solicitudes realizadas con una versión anterior. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", "severity": "Medio", - "text": "Aplicar una versión mínima requerida de Seguridad de la capa de transporte (TLS) para las solicitudes ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "text": "Uso de servidores habilitados para Azure Arc para administrar las cargas de trabajo de máquinas virtuales invitadas de Azure VMware Solution", "waf": "Seguridad" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Al crear un espacio de nombres de Event Hubs, se crea automáticamente una regla de directiva denominada RootManageSharedAccessKey para el espacio de nombres. Esta directiva tiene permisos de administración para todo el espacio de nombres. Se recomienda tratar esta regla como una cuenta raíz administrativa y no usarla en la aplicación. Se recomienda usar AAD como proveedor de autenticación con RBAC. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", - "severity": "Medio", - "text": "Evite usar la cuenta raíz cuando no sea necesario", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", + "severity": "Alto", + "text": "Habilitación del registro de diagnósticos y métricas en Azure VMware Solution", + "waf": "Operaciones" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Las identidades administradas para los recursos de Azure pueden autorizar el acceso a los recursos de Event Hubs mediante credenciales de Azure AD desde aplicaciones que se ejecutan en Azure Virtual Machines (VM), aplicaciones de funciones, conjuntos de escalado de máquinas virtuales y otros servicios. Mediante el uso de identidades administradas para los recursos de Azure junto con la autenticación de Azure AD, puede evitar el almacenamiento de credenciales con las aplicaciones que se ejecutan en la nube. ", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", "severity": "Medio", - "text": "Siempre que sea posible, la aplicación debe usar una identidad administrada para autenticarse en Azure Event Hub. 
Si no es así, considere la posibilidad de tener la credencial de almacenamiento (SAS, credencial de entidad de servicio) en Azure Key Vault o en un servicio equivalente",
- "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
- "waf": "Seguridad"
+ "text": "Implementación de los agentes de Log Analytics en cargas de trabajo de máquinas virtuales invitadas de Azure VMware Solution",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "Al crear permisos, proporcione un control específico sobre el acceso de un cliente al Centro de eventos de Azure. Los permisos del Centro de eventos de Azure pueden y deben limitarse al nivel de recurso individual, por ejemplo, grupo de consumidores, entidad del centro de eventos, espacios de nombres del centro de eventos, etc.",
- "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2",
- "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs",
- "service": "Event Hubs",
- "severity": "Alto",
- "text": "Uso de RBAC de plano de datos con privilegios mínimos",
- "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
- "waf": "Seguridad"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
+ "service": "AVS",
+ "severity": "Medio",
+ "text": "Asegúrese de que dispone de una directiva y una solución de copia de seguridad documentadas e implementadas para las cargas de trabajo de máquina virtual de Azure VMware Solution",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "Los registros de recursos del Centro de eventos de Azure incluyen registros operativos, registros de red virtual y registros de Kafka. 
Los registros de auditoría en tiempo de ejecución capturan información de diagnóstico agregada para todas las operaciones de acceso al plano de datos (como eventos de envío o recepción) en Event Hubs.",
- "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db",
- "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference",
- "service": "Event Hubs",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
+ "service": "AVS",
 "severity": "Medio",
- "text": "Habilite el registro para la investigación de seguridad. Use Azure Monitor para capturar métricas y registros, como registros de recursos, registros de auditoría en tiempo de ejecución y registros de Kafka",
- "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
+ "text": "Uso de Microsoft Defender for Cloud para la supervisión del cumplimiento de las cargas de trabajo que se ejecutan en Azure VMware Solution",
 "waf": "Seguridad"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "De forma predeterminada, Azure Event Hub tiene una dirección IP pública y es accesible a través de Internet. Los puntos de conexión privados permiten el tráfico entre la red virtual y Azure Event Hubs a través de la red troncal de Microsoft. Además de eso, debe deshabilitar los puntos de conexión públicos si no se usan. 
", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", "severity": "Medio", - "text": "Considere la posibilidad de usar puntos de conexión privados para acceder al Centro de eventos de Azure y deshabilitar el acceso a la red pública cuando corresponda.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "¿Se agregan las líneas base de cumplimiento aplicables a Microsoft Defender for Cloud?", "waf": "Seguridad" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Con el firewall IP, puede restringir aún más el punto de conexión público a solo un conjunto de direcciones IPv4 o rangos de direcciones IPv4 en notación CIDR (Classless Inter-Domain Routing). 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", - "severity": "Medio", - "text": "Considere la posibilidad de permitir solo el acceso al espacio de nombres del Centro de eventos de Azure desde direcciones IP o intervalos específicos", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", + "severity": "Alto", + "text": "¿Se evaluó la residencia de datos al seleccionar las regiones de Azure que se usarán para la implementación de Azure VMware Solution?", "waf": "Seguridad" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", + "severity": "Alto", + "text": "¿Son claras y documentadas las implicaciones del procesamiento de datos (proveedor de servicios / modelo de consumidor de servicios)?", + "waf": "Seguridad" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "severity": "Medio", - "text": "Aproveche el Manual de Resiliencia de los TLC", - "waf": "Fiabilidad" + "text": "Considere la posibilidad de usar CMK (clave administrada por el cliente) para vSAN solo si es necesario por motivos de cumplimiento.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - 
"description": " Esto se activará automáticamente para un nuevo espacio de nombres EH creado desde el portal con SKU Premium, Dedicado o Estándar en una región habilitada para zonas. Tanto los metadatos de EH como los propios datos de eventos se replican en todas las zonas", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad si corresponde regionalmente", - "waf": "Fiabilidad" + "text": "Creación de paneles para habilitar la información principal de supervisión de Azure VMware Solution", + "waf": "Operaciones" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", - "severity": "Medio", - "text": "Usa las SKU Premium o Dedicadas para obtener un rendimiento predecible", - "waf": "Fiabilidad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", + "severity": "Alto", + "text": "Creación de alertas de advertencia para umbrales críticos para alertas automáticas sobre el rendimiento de Azure VMware Solution (CPU >80 %, memoria media >80 %, vSAN >70 %)", + "waf": "Operaciones" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "La característica integrada de recuperación ante desastres geográfica, cuando está habilitada, garantiza que toda la configuración de un espacio de nombres (Event Hubs, grupos de consumidores y 
configuración) se replique continuamente desde un espacio de nombres principal a un espacio de nombres secundario, y permite un movimiento de conmutación por error de una sola vez del principal al secundario en cualquier momento. La característica Activo/Pasivo está diseñada para facilitar la recuperación y el abandono de una región de Azure con errores sin tener que cambiar las configuraciones de la aplicación",
- "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal",
- "service": "Event Hubs",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9659e396-80e7-4828-ac93-5657d02bff45",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Planeación de la recuperación ante desastres geográfica mediante la configuración pasiva activa",
- "waf": "Fiabilidad"
+ "text": "Asegúrese de que se crea una alerta crítica para supervisar si el consumo de vSAN es inferior al 75 %, ya que se trata de un umbral de soporte de VMware",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "description": "Debe utilizarse para configuraciones de recuperación ante desastres en las que no se puede tolerar una interrupción o pérdida de datos de eventos en la región inactiva. En estos casos, siga las instrucciones de replicación y no use la capacidad de recuperación ante desastres geográfica integrada (activa/pasiva). 
Con Activo/Activo, mantenga varios centros de eventos en diferentes regiones y espacios de nombres, y los eventos se replicarán entre los centros",
- "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e",
- "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview",
- "service": "Event Hubs",
- "severity": "Medio",
- "text": "En el caso de las aplicaciones críticas para la empresa, use la configuración Active Active",
- "waf": "Fiabilidad"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "64b0d934-a348-4726-be79-d6b5c3a36495",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "Asegúrese de que las alertas están configuradas para las alertas y notificaciones de Azure Service Health",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "microsoft.eventhub/namespaces",
- "checklist": "Azure Event Hub Review",
- "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c",
- "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design",
- "service": "Event Hubs",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b6abad38-aad5-43cc-99e1-d86667357c54",
+ "service": "AVS",
 "severity": "Medio",
- "text": "Diseño de centros de eventos resilientes",
- "waf": "Fiabilidad"
+ "text": "Configure el registro de Azure VMware Solution para que se envíe a una cuenta de Azure Storage o Azure EventHub para su procesamiento",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Aplicación de las instrucciones de la prueba comparativa de seguridad en la nube de Microsoft relacionadas con el almacenamiento",
- "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline",
- "service": "Azure Storage",
- "severity": "Medio",
- "text": "Tenga en 
cuenta la \"línea base de seguridad de Azure para el almacenamiento\"",
- "waf": "Seguridad"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775",
+ "service": "AVS",
+ "severity": "Bajo",
+ "text": "Si se requiere una visión profunda de VMware vSphere: ¿Se utiliza vRealize Operations o vRealize Network Insights en la solución?",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "De forma predeterminada, Azure Storage tiene una dirección IP pública y es accesible desde Internet. Los puntos de conexión privados permiten exponer de forma segura Azure Storage solo a los recursos de proceso de Azure que necesitan acceso, lo que elimina la exposición a la Internet pública",
- "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints",
- "service": "Azure Storage",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Considere la posibilidad de usar puntos de conexión privados para Azure Storage",
- "waf": "Seguridad"
+ "text": "Asegúrese de que la directiva de almacenamiento de vSAN para las máquinas virtuales NO sea la directiva de almacenamiento predeterminada, ya que esta directiva aplica el aprovisionamiento grueso",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Las cuentas de almacenamiento recién creadas se crean mediante el modelo de implementación de ARM, de modo que RBAC, auditoría, etc. están habilitados. 
Asegúrese de que no hay cuentas de almacenamiento antiguas con el modelo de implementación clásica en una suscripción",
- "guid": "30e37c3e-2971-41b2-963c-eee079b598de",
- "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts",
- "service": "Azure Storage",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51",
+ "service": "AVS",
 "severity": "Medio",
- "text": "Asegúrese de que las cuentas de almacenamiento más antiguas no usan el \"modelo de implementación clásica\"",
- "waf": "Seguridad"
+ "text": "Asegúrese de que las bibliotecas de contenido de vSphere no se coloquen en vSAN, ya que vSAN es un recurso finito",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Aproveche Microsoft Defender para obtener información sobre la actividad sospechosa y los errores de configuración.",
- "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d",
- "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "Habilitación de Microsoft Defender para todas las cuentas de almacenamiento",
- "waf": "Seguridad"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e",
+ "service": "AVS",
+ "severity": "Medio",
+ "text": "Asegúrese de que los repositorios de datos de la solución de copia de seguridad se almacenen fuera del almacenamiento de vSAN. 
Ya sea en Azure nativo o en un almacén de datos respaldado por un grupo de discos",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "El mecanismo de eliminación temporal permite recuperar blobs eliminados accidentalmente.",
- "guid": "503547c1-447e-4c66-828a-7100f1ce16dd",
- "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview",
- "service": "Azure Storage",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "2aee3453-aec8-4339-848b-262d6cc5f512",
+ "service": "AVS",
 "severity": "Medio",
- "text": "Habilitación de la \"eliminación temporal\" para blobs",
- "waf": "Seguridad"
+ "text": "Asegúrese de que las cargas de trabajo que se ejecutan en Azure VMware Solution se administran de forma híbrida mediante Azure Arc para servidores (Arc para Azure VMware Solution está en versión preliminar)",
+ "waf": "Operaciones"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Considere la posibilidad de deshabilitar de forma selectiva la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimina inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. 
", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "severity": "Medio", - "text": "Deshabilitación de la \"eliminación temporal\" de blobs", - "waf": "Seguridad" + "text": "Asegúrese de que las cargas de trabajo que se ejecutan en Azure VMware Solution se supervisan mediante Azure Log Analytics y Azure Monitor", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "La eliminación temporal de contenedores permite recuperar un contenedor después de que se haya eliminado, por ejemplo, recuperarse de una operación de eliminación accidental.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", - "severity": "Alto", - "text": "Habilitación de la \"eliminación temporal\" para los contenedores", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Considere la posibilidad de deshabilitar de forma selectiva la \"eliminación temporal\" para determinados contenedores de blobs, por ejemplo, si la aplicación debe asegurarse de que la información eliminada se elimina inmediatamente, por ejemplo, por motivos de confidencialidad, privacidad o cumplimiento. 
", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "severity": "Medio", - "text": "Deshabilitación de la \"eliminación temporal\" para contenedores", - "waf": "Seguridad" + "text": "Inclusión de cargas de trabajo que se ejecutan en Azure VMware Solution en las herramientas de administración de actualizaciones existentes o en Azure Update Management", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Evita la eliminación accidental de una cuenta de almacenamiento, obligando al usuario a quitar primero el bloqueo de eliminación, antes de la eliminación", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "Alto", - "text": "Habilitación de bloqueos de recursos en cuentas de almacenamiento", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", + "severity": "Medio", + "text": "Uso de Azure Policy para incorporar cargas de trabajo de Azure VMware Solution en las soluciones de administración, supervisión y seguridad de Azure", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Considere la posibilidad de aplicar directivas de \"retención legal\" o \"retención basada en el tiempo\" para los blobs, de modo que sea imposible eliminar el blob, el contenedor o la cuenta de almacenamiento. 
Tenga en cuenta que 'imposible' en realidad significa 'imposible'; una vez que una cuenta de almacenamiento contiene un blob inmutable, la única manera de \"deshacerse\" de esa cuenta de almacenamiento es cancelando la suscripción de Azure.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere la posibilidad de blobs inmutables", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", + "severity": "Medio", + "text": "Asegúrese de que las cargas de trabajo que se ejecutan en Azure VMware Solution se incorporan a Microsoft Defender for Cloud", "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Considere la posibilidad de deshabilitar el acceso HTTP/80 sin protección a la cuenta de almacenamiento, de modo que todas las transferencias de datos estén cifradas, protegidas por integridad y el servidor esté autenticado. 
", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", - "severity": "Alto", - "text": "Requerir HTTPS, es decir, deshabilitar el puerto 80 en la cuenta de almacenamiento", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", + "severity": "Medio", + "text": "Asegúrese de que las copias de seguridad no se almacenen en vSAN, ya que vSAN es un recurso finito", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Al configurar un dominio personalizado (nombre de host) en una cuenta de almacenamiento, compruebe si necesita TLS/HTTPS; si es así, es posible que tenga que colocar Azure CDN delante de la cuenta de almacenamiento.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", - "severity": "Alto", - "text": "Al aplicar HTTPS (deshabilitar HTTP), compruebe que no usa dominios personalizados (CNAME) para la cuenta de almacenamiento.", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", + "severity": "Medio", + "text": "¿Se han considerado todas las soluciones de recuperación ante desastres y se ha decidido por la mejor solución para su negocio? 
[SRM/JetStream/Zerto/Veeam/...]", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Requerir HTTPS cuando un cliente usa un token de SAS para acceder a los datos de blobs ayuda a minimizar el riesgo de pérdida de credenciales.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "severity": "Medio", - "text": "Limitar los tokens de firma de acceso compartido (SAS) solo a las conexiones HTTPS", - "waf": "Seguridad" + "text": "Uso de Azure Site Recovery cuando la tecnología de recuperación ante desastres sea IaaS nativa de Azure", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Los tokens de AAD deben favorecerse sobre las firmas de acceso compartido, siempre que sea posible", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", "severity": "Alto", - "text": "Uso de tokens de Azure Active Directory (Azure AD) para el acceso a blobs", - "waf": "Seguridad" + "text": "Utilice planes de recuperación automatizados con cualquiera de las soluciones ante desastres, evite las tareas manuales tanto como sea posible", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Al asignar un rol a un usuario, grupo o aplicación, conceda a esa entidad de 
seguridad solo los permisos necesarios para que pueda realizar sus tareas. Limitar el acceso a los recursos ayuda a evitar el uso indebido no intencionado y malintencionado de los datos.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", "severity": "Medio", - "text": "Privilegios mínimos en los permisos de IaM", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Una SAS de delegación de usuarios está protegida con credenciales de Azure Active Directory (Azure AD) y también con los permisos especificados para la SAS. Una SAS de delegación de usuarios es análoga a una SAS de servicio en cuanto a su ámbito y función, pero ofrece ventajas de seguridad sobre la SAS de servicio. ", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "Alto", - "text": "Al usar SAS, prefiera \"SAS de delegación de usuarios\" en lugar de SAS basada en claves de cuenta de almacenamiento.", - "waf": "Seguridad" + "text": "Usar el par de regiones geopolíticas como entorno secundario de recuperación ante desastres", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Las claves de la cuenta de almacenamiento (\"claves compartidas\") tienen muy pocas funcionalidades de auditoría. Si bien se puede monitorear quién o cuándo obtuvo una copia de las claves, una vez que las claves están en manos de varias personas, es imposible atribuir el uso a un usuario específico. 
Confiar únicamente en la autenticación de AAD facilita la vinculación del acceso al almacenamiento a un usuario. ", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", "severity": "Alto", - "text": "Considere la posibilidad de deshabilitar las claves de la cuenta de almacenamiento, de modo que solo se admita el acceso a AAD (y la SAS de delegación de usuarios).", - "waf": "Seguridad" + "text": "Utilice 2 espacios de direcciones diferentes entre las regiones, por ejemplo: 10.0.0.0/16 y 192.168.0.0/16 para las diferentes regiones", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Use los datos del registro de actividad para identificar \"cuándo\", \"quién\", \"qué\" y \"cómo\" se está viendo o cambiando la seguridad de la cuenta de almacenamiento (es decir, claves de cuenta de almacenamiento, directivas de acceso, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere la posibilidad de usar Azure Monitor para auditar las operaciones del plano de control en la cuenta de almacenamiento", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", + "severity": "Medio", + "text": "¿Se usará Global Reach de ExpressRoute para la conectividad entre las nubes privadas de Azure VMware Solution principal y secundaria, o el enrutamiento se realiza a través de aplicaciones 
virtuales de red?", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Una directiva de expiración de claves le permite establecer un recordatorio para la rotación de las claves de acceso a la cuenta. El recordatorio se muestra si ha transcurrido el intervalo especificado y las teclas aún no se han girado.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", "severity": "Medio", - "text": "Al usar claves de cuenta de almacenamiento, considere la posibilidad de habilitar una \"directiva de expiración de claves\"", - "waf": "Seguridad" + "text": "¿Se han considerado todas las soluciones de copia de seguridad y se ha decidido por la mejor solución para su negocio? [ MABS/CommVault/Metallic.io/Veeam/ . ]", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Una directiva de expiración de SAS especifica un intervalo recomendado durante el cual la SAS es válida. Las directivas de expiración de SAS se aplican a una SAS de servicio o a una SAS de cuenta. 
Cuando un usuario genera una SAS de servicio o una SAS de cuenta con un intervalo de validez mayor que el intervalo recomendado, verá una advertencia.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", "severity": "Medio", - "text": "Considere la posibilidad de configurar una directiva de expiración de SAS", - "waf": "Seguridad" + "text": "Implemente la solución de copia de seguridad en la misma región que la nube privada de Azure VMware Solution", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Las directivas de acceso almacenadas ofrecen la opción de revocar los permisos de una SAS de servicio sin tener que volver a generar las claves de la cuenta de almacenamiento. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "severity": "Medio", - "text": "Considere la posibilidad de vincular SAS a una directiva de acceso almacenada", - "waf": "Seguridad" + "text": "Implementación de la solución de copia de seguridad fuera de vSan, en componentes nativos de Azure", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", - "severity": "Medio", - "text": "Considere la posibilidad de configurar el repositorio de código fuente de la aplicación para detectar cadenas de conexión protegidas y claves de cuenta de almacenamiento.", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", + "severity": "Bajo", + "text": "¿Existe un proceso para solicitar una restauración de los componentes de VMware administrados por la plataforma Azure?", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Lo ideal es que la aplicación use una identidad administrada para autenticarse en Azure Storage. 
Si esto no es posible, considere la posibilidad de tener la credencial de almacenamiento (cadena de conexión, clave de cuenta de almacenamiento, SAS, credencial de entidad de servicio) en Azure KeyVault o un servicio equivalente.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere la posibilidad de almacenar cadenas de conexión en Azure KeyVault (en escenarios en los que las identidades administradas no son posibles)", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", + "severity": "Bajo", + "text": "En el caso de las implementaciones manuales, se deben documentar todas las configuraciones e implementaciones", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Use los tiempos de expiración a corto plazo en una SAS de servicio SAS ad hoc o en una SAS de cuenta. De esta manera, incluso si una SAS se ve comprometida, es válida solo por un corto tiempo. Esta práctica es especialmente importante si no puede hacer referencia a una directiva de acceso almacenada. 
Los tiempos de expiración a corto plazo también limitan la cantidad de datos que se pueden escribir en un blob al limitar el tiempo disponible para cargarlo.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "Alto", - "text": "Esfuércese por obtener períodos de validez cortos para SAS ad-hoc", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "severity": "Bajo", + "text": "En el caso de las implementaciones manuales, considere la posibilidad de implementar bloqueos de recursos para evitar acciones accidentales en la nube privada de Azure VMware Solution", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Al crear una SAS, sea lo más específico y restrictivo posible. 
Prefiera una SAS para un solo recurso y operación en lugar de una SAS que proporciona un acceso mucho más amplio.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "Medio", - "text": "Aplicación de un ámbito limitado a una SAS", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "Bajo", + "text": "Para implementaciones automatizadas, implemente una nube privada mínima y escale según sea necesario", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Una SAS puede incluir parámetros en los que las direcciones IP de cliente o los intervalos de direcciones están autorizados a solicitar un recurso mediante la SAS. 
", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", - "severity": "Medio", - "text": "Considere la posibilidad de definir el ámbito de SAS en una dirección IP de cliente específica, siempre que sea posible", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "Bajo", + "text": "En el caso de las implementaciones automatizadas, solicite o reserve una cuota antes de iniciar la implementación", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Una SAS no puede restringir la cantidad de datos que carga un cliente; Dado el modelo de precios de la cantidad de almacenamiento a lo largo del tiempo, podría tener sentido validar si los clientes cargaron contenido de gran tamaño malintencionado.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", "severity": "Bajo", - "text": "Considere la posibilidad de comprobar los datos cargados, después de que los clientes hayan usado una SAS para cargar un archivo. ", - "waf": "Seguridad" + "text": "En el caso de la implementación automatizada, asegúrese de que se crean bloqueos de recursos relevantes a través de la automatización o a través de Azure Policy para una gobernanza adecuada", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Al acceder a Blob Storage a través de SFTP mediante una \"cuenta de usuario local\", no se aplican los controles RBAC \"habituales\". 
El acceso a blobs a través de NFS o REST puede ser más restrictivo que el acceso SFTP. Desafortunadamente, a partir de principios de 2023, los usuarios locales son la única forma de administración de identidades que actualmente se admite para el punto de conexión SFTP", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", - "severity": "Alto", - "text": "SFTP: Limite la cantidad de \"usuarios locales\" para el acceso SFTP y audite si el acceso es necesario a lo largo del tiempo.", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "Bajo", + "text": "Implemente nombres comprensibles para las claves de autorización ExR para permitir una fácil identificación del propósito y uso de las claves.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", - "severity": "Medio", - "text": "SFTP: El punto de conexión SFTP no admite ACL similares a POSIX.", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", + "severity": "Bajo", + "text": "Uso de Key Vault para almacenar secretos y claves de autorización cuando se usan principios de servicio independientes para implementar Azure VMware Solution y ExpressRoute", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "El 
almacenamiento es compatible con CORS (Cross-Origin Resource Sharing), es decir, una función HTTP que permite a las aplicaciones web de un dominio diferente relajar la política del mismo origen. Al habilitar CORS, mantenga CorsRules con el mínimo privilegio.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", - "severity": "Alto", - "text": "Evite las políticas de CORS demasiado amplias", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "Bajo", + "text": "Defina dependencias de recursos para serializar acciones en IaC cuando sea necesario implementar muchos recursos en Azure VMware Solution, ya que Azure VMware Solution solo admite un número limitado de operaciones paralelas.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Los datos en reposo siempre están cifrados en el lado del servidor y, además, también pueden estar cifrados en el lado del cliente. El cifrado del lado del servidor puede realizarse mediante una clave administrada por la plataforma (predeterminada) o una clave administrada por el cliente. El cifrado del lado cliente puede producirse haciendo que el cliente proporcione una clave de cifrado y descifrado por blob a Azure Storage o controlando completamente el cifrado en el lado cliente. 
por lo tanto, no depende en absoluto de Azure Storage para obtener garantías de confidencialidad.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", - "severity": "Alto", - "text": "Determine cómo se deben cifrar los datos en reposo. Comprender el modelo de subprocesos para los datos.", - "waf": "Seguridad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "Bajo", + "text": "Al realizar la configuración automatizada de segmentos de NSX-T con una única puerta de enlace de nivel 1, use las API de Azure Portal en lugar de las API de NSX-Manager", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", "severity": "Medio", - "text": "Determine qué cifrado de plataforma se debe usar o si se debe usar.", - "waf": "Seguridad" + "text": "Si tiene la intención de usar el escalado horizontal automatizado, asegúrese de solicitar una cuota suficiente de Azure VMware Solution para las suscripciones que ejecutan Azure VMware Solution", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure 
Storage", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "Medio", - "text": "Determine qué cifrado del lado del cliente se debe usar o si.", - "waf": "Seguridad" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Aproveche el Explorador de Resource Graph (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para buscar cuentas de almacenamiento que permitan el acceso anónimo a blobs.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere si se necesita acceso público a blobs o si se puede deshabilitar para determinadas cuentas de almacenamiento. 
", - "waf": "Seguridad" + "text": "Cuando tenga la intención de usar la reducción horizontal automatizada, asegúrese de tener en cuenta los requisitos de la directiva de almacenamiento antes de realizar dicha acción", + "waf": "Rendimiento" }, { - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "severity": "Medio", - "text": "Use el token revocable de larga duración, almacene en caché el token y adquiera el token de forma silenciosa mediante la biblioteca de identidades de Microsoft", - "waf": "Fiabilidad" + "text": "Las operaciones de escalado siempre deben serializarse dentro de un único SDDC, ya que solo se puede realizar una operación de escalado a la vez (incluso cuando se utilizan varios clústeres)", + "waf": "Rendimiento" }, { - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", "severity": "Medio", - "text": "Asegúrese de que los flujos de usuario de inicio de sesión estén respaldados y sean resistentes. Asegúrese de que se ha realizado una copia de seguridad del código que usa para iniciar sesión en los usuarios y se puede recuperar. 
Interfaces resilientes con procesos externos", - "waf": "Fiabilidad" + "text": "Considerar y validar las operaciones de escalado en soluciones de terceros utilizadas en la arquitectura (compatibles o no)", + "waf": "Rendimiento" }, { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", "severity": "Medio", - "text": "Los activos de marca personalizados deben estar alojados en una CDN", + "text": "Defina y aplique límites máximos de escalado vertical y horizontal para su entorno en las automatizaciones", "waf": "Rendimiento" }, { - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "severity": "Bajo", - "text": "Tener varios proveedores de identidad (es decir, iniciar sesión con sus cuentas de Microsoft, Google, Facebook)", - "waf": "Fiabilidad" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", + "severity": "Medio", + "text": "Implemente reglas de supervisión para supervisar las operaciones de escalado automatizadas y supervisar el éxito y el fracaso para permitir respuestas adecuadas (automatizadas)", + "waf": "Operaciones" }, { - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "Medio", - "text": "Siga las reglas de la máquina virtual 
para la alta disponibilidad en el nivel de máquina virtual (discos premium, dos o más en una región, en diferentes zonas de disponibilidad)", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "Alto", + "text": "Al usar MON, tenga en cuenta los límites de las máquinas virtuales configuradas simultáneamente (límite de MON para HCX [400 - estándar, 1000 - dispositivo más grande])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "Fiabilidad" }, { - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "Medio", - "text": "¡No repliques! 
La replicación puede crear problemas con la sincronización de directorios", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "Alto", + "text": "Al usar MON, no puede habilitar MON en más de 100 extensiones de red", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Fiabilidad" }, { - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "severity": "Medio", - "text": "Tener activo-activo para varias regiones", - "waf": "Fiabilidad" + "text": "Si utiliza una conexión VPN para migraciones, ajuste el tamaño de su MTU en consecuencia.", + "waf": "Rendimiento" }, { - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", "severity": "Medio", - "text": "Adición de stamps de servicio de dominio de Azure AD a regiones y ubicaciones adicionales", - "waf": "Fiabilidad" + "text": "En el caso de las regiones de baja conectividad que se conectan a Azure (500 Mbps o menos), considere la posibilidad de implementar el dispositivo de optimización de WAN de HCX", + "waf": "Rendimiento" }, 
{ - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "severity": "Medio", - "text": "Uso de conjuntos de réplicas para recuperación ante desastres", + "text": "Asegúrese de que las migraciones se inicien desde el dispositivo local y NO desde el dispositivo en la nube (NO realice una migración inversa)", "waf": "Fiabilidad" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", + "severity": "Medio", + "text": "Cuando se usa Azure NetApp Files para ampliar el almacenamiento de Azure VMware Solution, considere la posibilidad de usarlo como almacén de datos de VMware en lugar de adjuntarlo directamente a una máquina virtual.", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", + "severity": "Medio", + "text": "Asegúrese de que se usa una puerta de enlace de ExpressRoute dedicada para soluciones de almacenamiento de datos externos", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", + "severity": "Medio", + "text": "Asegúrese de que FastPath está habilitado en la puerta de enlace de ExpressRoute que se usa para las soluciones de almacenamiento de datos externos", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", + "severity": "Alto", + "text": "Si utiliza un clúster ampliado, asegúrese de que la solución de recuperación ante desastres seleccionada sea compatible con el proveedor", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", + "severity": "Alto", + "text": "Si utiliza un clúster ampliado, asegúrese de que el Acuerdo de Nivel de Servicio proporcionado cumpla sus requisitos", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", + "severity": "Alto", + "text": "Si usa un clúster extendido, asegúrese de que ambos circuitos ExpressRoute están conectados al centro de conectividad.", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": 
"https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", + "severity": "Alto", + "text": "Si usa un clúster extendido, asegúrese de que ambos circuitos ExpressRoute tengan habilitado GlobalReach.", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", + "severity": "Alto", + "text": "Haga que la configuración de tolerancia ante desastres del sitio se considere y cambie correctamente para su negocio si es necesario.", + "waf": "Fiabilidad" + }, + { + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", "guid": "65285269-440b-44be-9d3e-0844276d4bdc", "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", "service": "Redis", 
@@ -8469,528 +8031,966 @@ "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "Alto", - "text": "Seleccione el plan de hospedaje de funciones adecuado en función de los requisitos de su empresa y SLO", - "waf": "Fiabilidad" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub proporciona cifrado de datos en reposo. Si usa su propia clave, los datos se siguen cifrando con la clave administrada por Microsoft, pero además la clave administrada por Microsoft se cifrará con la clave administrada por el cliente. ", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "Bajo", + "text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "Alto", - "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente (no disponible para el nivel de consumo)", - "waf": "Fiabilidad" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Los espacios de nombres de Azure Event Hubs permiten a los clientes enviar y recibir datos con TLS 1.0 y versiones posteriores. 
Para aplicar medidas de seguridad más estrictas, puede configurar el espacio de nombres de Event Hubs para requerir que los clientes envíen y reciban datos con una versión más reciente de TLS. Si un espacio de nombres de Event Hubs requiere una versión mínima de TLS, se producirá un error en las solicitudes realizadas con una versión anterior. ", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", + "severity": "Medio", + "text": "Aplicar una versión mínima requerida de Seguridad de la capa de transporte (TLS) para las solicitudes ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Al crear un espacio de nombres de Event Hubs, se crea automáticamente una regla de directiva denominada RootManageSharedAccessKey para el espacio de nombres. Esta directiva tiene permisos de administración para todo el espacio de nombres. Se recomienda tratar esta regla como una cuenta raíz administrativa y no usarla en la aplicación. Se recomienda usar AAD como proveedor de autenticación con RBAC. 
", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "severity": "Medio", - "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", - "waf": "Fiabilidad" + "text": "Evite usar la cuenta raíz cuando no sea necesario", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "Alto", - "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", - "waf": "Fiabilidad" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Las identidades administradas para los recursos de Azure pueden autorizar el acceso a los recursos de Event Hubs mediante credenciales de Azure AD desde aplicaciones que se ejecutan en Azure Virtual Machines (VM), aplicaciones de funciones, conjuntos de escalado de máquinas virtuales y otros servicios. Mediante el uso de identidades administradas para los recursos de Azure junto con la autenticación de Azure AD, puede evitar el almacenamiento de credenciales con las aplicaciones que se ejecutan en la nube. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", + "severity": "Medio", + "text": "Siempre que sea posible, la aplicación debe usar una identidad administrada para autenticarse en Azure Event Hub. 
Si no es así, considere la posibilidad de tener la credencial de almacenamiento (SAS, credencial de entidad de servicio) en Azure Key Vault o en un servicio equivalente", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Al crear permisos, proporcione un control específico sobre el acceso de un cliente al Centro de eventos de Azure. Los permisos del Centro de eventos de Azure pueden y deben limitarse al nivel de recurso individual, por ejemplo, grupo de consumidores, entidad del centro de eventos, espacios de nombres del centro de eventos, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "severity": "Alto", - "text": "Asegúrese de que \"Siempre activado\" esté habilitado para todas las aplicaciones de funciones que se ejecutan en el plan de App Service", - "waf": "Fiabilidad" + "text": "Uso de RBAC de plano de datos con privilegios mínimos", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Los 
registros de recursos del Centro de eventos de Azure incluyen registros operativos, registros de red virtual y registros de Kafka. Los registros de auditoría en tiempo de ejecución capturan información de diagnóstico agregada para todas las operaciones de acceso al plano de datos (como eventos de envío o recepción) en Event Hubs.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "severity": "Medio", - "text": "Empareje una aplicación de funciones con su propia cuenta de almacenamiento. Intente no volver a usar las cuentas de almacenamiento para las aplicaciones de funciones a menos que estén estrechamente acopladas", - "waf": "Fiabilidad" + "text": "Habilite el registro para la investigación de seguridad. Use Azure Monitor para capturar métricas y registros, como registros de recursos, registros de auditoría en tiempo de ejecución y registros de Kafka", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "De forma predeterminada, Azure Event Hub tiene una dirección IP pública y es accesible a través de Internet. Los puntos de conexión privados permiten el tráfico entre la red virtual y Azure Event Hubs a través de la red troncal de Microsoft. Además de eso, debe deshabilitar los puntos de conexión públicos si no se usan. 
", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "severity": "Medio", - "text": "Aproveche Azure DevOps o GitHub para optimizar la CI/CD y proteger el código de la aplicación de funciones", - "waf": "Operaciones" + "text": "Considere la posibilidad de usar puntos de conexión privados para acceder al Centro de eventos de Azure y deshabilitar el acceso a la red pública cuando corresponda.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "text": "Reglas de recopilación de datos en Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Costar" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Con el firewall IP, puede restringir aún más el punto de conexión público a solo un conjunto de direcciones IPv4 o rangos de direcciones IPv4 en notación CIDR (Classless Inter-Domain Routing). 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", + "severity": "Medio", + "text": "Considere la posibilidad de permitir solo el acceso al espacio de nombres del Centro de eventos de Azure desde direcciones IP o intervalos específicos", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "text": "Comprobar las instancias de copia de seguridad con la fuente de datos subyacente no encontrada", - "waf": "Costar" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", + "severity": "Medio", + "text": "Aproveche el Manual de Resiliencia de los TLC", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "text": "Eliminar o archivar servicios no asociados (discos, NIC, direcciones IP, etc.)", - "waf": "Costar" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": " Esto se activará automáticamente para un nuevo espacio de nombres EH creado desde el portal con SKU Premium, Dedicado o Estándar en una región habilitada para zonas. 
Tanto los metadatos de EH como los propios datos de eventos se replican en todas las zonas", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", + "severity": "Alto", + "text": "Aproveche las zonas de disponibilidad si corresponde regionalmente", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", - "text": "Considere un buen equilibrio entre el almacenamiento de recuperación del sitio y la copia de seguridad para aplicaciones que no son críticas", - "waf": "Costar" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", + "severity": "Medio", + "text": "Usa las SKU Premium o Dedicadas para obtener un rendimiento predecible", + "waf": "Fiabilidad" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "La característica integrada de recuperación ante desastres geográfica, cuando está habilitada, garantiza que toda la configuración de un espacio de nombres (Event Hubs, grupos de consumidores y configuración) se replique continuamente desde un espacio de nombres principal a un espacio de nombres secundario, y permite un movimiento de conmutación por error de una sola vez del principal al secundario en cualquier momento. 
La característica Activo/Pasivo está diseñada para facilitar la recuperación y el abandono de una región de Azure con errores sin tener que cambiar las configuraciones de la aplicación", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", + "severity": "Alto", + "text": "Planeación de la recuperación ante desastres geográfica mediante la configuración pasiva activa", + "waf": "Fiabilidad" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Debe utilizarse para configuraciones de recuperación ante desastres en las que no se puede tolerar una interrupción o pérdida de datos de eventos en la región inactiva. En estos casos, siga las instrucciones de replicación y no use la capacidad de recuperación ante desastres geográfica integrada (activa/pasiva). Con Activo/Activo, mantenga varios centros de eventos en diferentes regiones y espacios de nombres, y los eventos se replicarán entre los centros", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", + "severity": "Medio", + "text": "En el caso de las aplicaciones críticas para la empresa, use la configuración Active Active", + "waf": "Fiabilidad" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", + "severity": "Medio", + "text": "Diseño de centros de eventos resilientes", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": 
"https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", + "severity": "Alto", + "text": "Seleccione el plan de hospedaje de aplicaciones lógicas adecuado en función de los requisitos empresariales y de SLO", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "severity": "Alto", + "text": "Proteja las aplicaciones lógicas de errores de región con redundancia de zona y zonas de disponibilidad", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "severity": "Alto", + "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", + "severity": "Alto", + "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", + "severity": "Medio", + "text": "Aproveche Azure DevOps o GitHub para simplificar la CI/CD y 
proteger el código de la aplicación lógica", + "waf": "Operaciones" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "Alto", + "text": "Seleccione el plan de hospedaje de funciones adecuado en función de los requisitos de su empresa y SLO", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "Alto", + "text": "Aproveche las zonas de disponibilidad cuando corresponda regionalmente (no disponible para el nivel de consumo)", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", + "severity": "Medio", + "text": "Considere la posibilidad de una estrategia de recuperación ante desastres entre regiones para cargas de trabajo críticas", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", + "severity": "Alto", + "text": "Si se implementa en un entorno aislado, use o migre a App Service Environment (ASE) v3", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + 
"link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", + "severity": "Alto", + "text": "Asegúrese de que \"Siempre activado\" esté habilitado para todas las aplicaciones de funciones que se ejecutan en el plan de App Service", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", + "severity": "Medio", + "text": "Empareje una aplicación de funciones con su propia cuenta de almacenamiento. Intente no volver a usar las cuentas de almacenamiento para las aplicaciones de funciones a menos que estén estrechamente acopladas", + "waf": "Fiabilidad" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", + "severity": "Medio", + "text": "Aproveche Azure DevOps o GitHub para optimizar la CI/CD y proteger el código de la aplicación de funciones", + "waf": "Operaciones" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", + "severity": "Medio", + "text": "Si usa certificados TLS administrados por el cliente con Azure Front Door, use la versión de certificado \"más reciente\". 
Reduzca el riesgo de interrupciones causadas por la renovación manual de certificados", + "waf": "Operaciones" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", + "severity": "Medio", + "text": "Asegúrese de que usa la SKU de Application Gateway v2", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Seguridad" + }, + { + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", + "severity": "Medio", + "text": "Asegúrese de que usa la SKU estándar para los equilibradores de carga de Azure", + "waf": "Seguridad" + }, + { + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", + "severity": "Medio", + "text": "Asegúrese de que las direcciones IP de front-end de los equilibradores de carga sean con redundancia de zona (a menos que necesite front-end zonal).", + "waf": "Seguridad" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where 
type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", + "severity": "Medio", + "text": "Application Gateways v2 debe implementarse en subredes con prefijos IP iguales o mayores que /24", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Seguridad" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "description": "La administración de proxies inversos en general y WAF en particular está más cerca de la aplicación que de la red, por lo que pertenecen a la misma suscripción que la aplicación. 
La centralización de Application Gateway y WAF en la suscripción de conectividad puede ser correcta si la administra un solo equipo.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "Medio", + "text": "Implemente Azure Application Gateway v2 o NVA de asociados que se usan para proxy de conexiones HTTP(S) entrantes dentro de la red virtual de la zona de aterrizaje y con las aplicaciones que protegen.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Seguridad" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "Medio", + "text": "Utilice una red DDoS o planes de protección IP para todas las direcciones IP públicas en las zonas de aterrizaje de aplicaciones.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Seguridad" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", + "severity": "Medio", + "text": "Configure el escalado automático con una cantidad mínima de instancias de dos.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Fiabilidad" + }, + { + 
"arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", + "severity": "Medio", + "text": "Implementación de Application Gateway en zonas de disponibilidad", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Fiabilidad" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", + "severity": "Medio", + "text": "Use Azure Front Door con directivas de WAF para entregar y ayudar a proteger aplicaciones HTTP/S globales que abarcan varias regiones de Azure.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Seguridad" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", + "severity": "Medio", + "text": "Al usar Front Door y Application Gateway para ayudar a proteger las aplicaciones HTTP/S, use directivas de WAF en Front Door. 
Bloquee Application Gateway para recibir tráfico solo de Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "text": "Compruebe las oportunidades de gasto y ahorro entre las 40 áreas de trabajo de Log Analytics diferentes: use diferentes retenciones y recopilación de datos para áreas de trabajo que no sean de producción: cree un límite diario para el reconocimiento y el tamaño de los niveles: si establece un límite diario, además de crear una alerta cuando se alcance el límite, asegúrese de crear también una regla de alerta para que se le notifique cuando se alcance algún porcentaje (90 %, por ejemplo). - Considere la posibilidad de transformar el espacio de trabajo si es posible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "Costar" + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", + "severity": "Alto", + "text": "Use el Administrador de tráfico para entregar aplicaciones globales que abarquen protocolos distintos de HTTP/S.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": 
"91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", - "text": "Aplique una política de purga de registros y automatización (si es necesario, los registros se pueden mover al almacenamiento en frío)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "Bajo", + "text": "Si los usuarios solo necesitan acceso a aplicaciones internas, ¿se ha considerado Microsoft Entra ID Application Proxy como una alternativa a Azure Virtual Desktop (AVD)?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "text": "Compruebe que los discos son realmente necesarios, si no: eliminar. 
Si son necesarios, busque niveles de almacenamiento más bajos o use una copia de seguridad:", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Costar" + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "Medio", + "text": "Para reducir el número de puertos de firewall abiertos para las conexiones entrantes en la red, considere la posibilidad de usar el proxy de aplicación de identificador de Microsoft Entra para proporcionar a los usuarios remotos acceso seguro y autenticado a las aplicaciones internas.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "text": "Considere la posibilidad de mover el almacenamiento no utilizado al nivel inferior, con reglas personalizadas: https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Costar" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand 
links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", + "severity": "Alto", + "text": "Implemente la directiva de WAF para Front Door en modo de \"Prevención\" para que el firewall de aplicaciones web tome las medidas adecuadas para permitir o denegar el tráfico.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "text": "Asegúrese de que el asesor está configurado para el tamaño correcto de la máquina virtual ", - "waf": "Costar" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", + "severity": "Alto", + "text": "Evite combinar Azure Traffic Manager y Azure Front Door.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "description": "comprobando la búsqueda de las licencias de categoría de contador en el análisis de costes", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", - "text": "ejecutar el script en todas las máquinas virtuales de Windows 
https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server: considere la posibilidad de implementar una directiva si las máquinas virtuales de Windows se crean con frecuencia", - "waf": "Costar" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", + "severity": "Alto", + "text": "Use el mismo nombre de dominio en Azure Front Door y en su origen. Los nombres de host no coincidentes pueden causar errores sutiles.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "text": " esto también se puede poner bajo AHUB si ya tiene licencias https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Costar" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, 
hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "Bajo", + "text": "Deshabilite los sondeos de estado cuando solo haya un origen en un grupo de origen de Azure Front Door.", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", - "text": "Consolide familias de máquinas virtuales reservadas con la opción de flexibilidad (no más de 4-5 familias)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Costar" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", + "severity": "Medio", + "text": "Seleccione puntos de conexión de sondeo de estado correctos para Azure Front Door. 
Considere la posibilidad de crear puntos de conexión de estado que comprueben todas las dependencias de la aplicación.", + "waf": "Fiabilidad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", - "text": "Uso de Azure Reserved Instances: esta característica le permite reservar máquinas virtuales durante un período de 1 o 3 años, lo que proporciona un importante ahorro de costos en comparación con los precios de pago por uso.", - "waf": "Costar" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", + "severity": "Bajo", + "text": "Use sondeos de estado de HEAD con Azure Front Door para reducir el tráfico que Front Door envía a la aplicación.", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", - "text": "Solo se pueden reservar discos más grandes => 1 TiB -", - "waf": "Costar" + "ammp": true, + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application 
Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", + "severity": "Alto", + "text": "Use Azure NAT Gateway en lugar de las reglas de salida de Load Balancer para mejorar la escalabilidad de SNAT", + "waf": "Fiabilidad" + }, + { + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", + "severity": "Alto", + "text": "Use certificados TLS administrados con Azure Front Door. Reduzca los costos operativos y el riesgo de interrupciones debido a las renovaciones de certificados.", + "waf": "Operaciones" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", + "severity": "Medio", + "text": "Defina la configuración de WAF de Azure Front Door como código. 
Mediante el uso de código, puede adoptar más fácilmente una nueva versión del conjunto de reglas y obtener protección adicional.", + "waf": "Operaciones" + }, + { + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", + "severity": "Alto", + "text": "Use TLS de un extremo a otro con Azure Front Door. Use TLS para las conexiones de los clientes a Front Door y de Front Door al origen.", + "waf": "Seguridad" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", + "severity": "Medio", + "text": "Use el redireccionamiento de HTTP a HTTPS con Azure Front Door. Apoye a los clientes más antiguos redirigiéndolos a una solicitud HTTPS automáticamente.", + "waf": "Seguridad" + }, + { + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite el WAF de Azure Front Door. 
Proteja su aplicación de una variedad de ataques.", + "waf": "Seguridad" + }, + { + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", + "severity": "Alto", + "text": "Ajuste el WAF de Azure Front Door para su carga de trabajo configurando el WAF en modo de detección para reducir y corregir las detecciones de falsos positivos.", + "waf": "Seguridad" + }, + { + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite la característica de inspección del cuerpo de la solicitud habilitada en la directiva WAF de Azure Front Door.", + "waf": "Seguridad" + }, + { + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite los conjuntos de reglas predeterminadas de WAF de Azure Front Door. 
Los conjuntos de reglas predeterminados detectan y bloquean ataques comunes.", + "waf": "Seguridad" + }, + { + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite el conjunto de reglas de protección contra bots de WAF de Azure Front Door. Las reglas de bots detectan bots buenos y malos.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "text": "Después de la optimización del tamaño correcto", - "waf": "Costar" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", + "severity": "Medio", + "text": "Use la versión más reciente del conjunto de reglas de Azure Front Door WAF. 
Las actualizaciones del conjunto de reglas se actualizan periódicamente para tener en cuenta el panorama actual de amenazas.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Sql/servers", - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", - "text": "Compruebe si corresponde y aplique la política/cambio https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "Costar" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", + "severity": "Medio", + "text": "Agregue la limitación de velocidad al WAF de Azure Front Door. 
La limitación de velocidad bloquea a los clientes que envían accidental o intencionalmente grandes cantidades de tráfico en un corto período de tiempo.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", - "text": "El descuento de la parte de la licencia VM + (ahub + 3YRI) es de alrededor del 70% de descuento", - "waf": "Costar" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", + "severity": "Medio", + "text": "Use un umbral alto para los límites de frecuencia de WAF de Azure Front Door. Los umbrales de límite de velocidad altos evitan el bloqueo del tráfico legítimo, a la vez que proporcionan protección contra un número extremadamente alto de solicitudes que podrían sobrecargar su infraestructura. 
", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", - "text": "Considere la posibilidad de utilizar un VMSS para satisfacer la demanda en lugar de un tamaño fijo", - "waf": "Costar" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", + "severity": "Bajo", + "text": "Si no espera tráfico de todas las regiones geográficas, utilice filtros geográficos para bloquear el tráfico de países no esperados.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "text": "Use el escalador automático de AKS para que coincida con el uso de los clústeres (asegúrese de que los requisitos de los pods coincidan con el escalador)", - "waf": "Costar" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", + "severity": "Medio", + "text": "Especifique la ubicación desconocida (ZZ) al filtrar geográficamente el tráfico con el WAF de Azure Front Door. 
Evite bloquear accidentalmente solicitudes legítimas cuando las direcciones IP no puedan coincidir geográficamente.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "text": "Mover los puntos de recuperación al archivo de almacén cuando corresponda (Validar)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Costar" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", + "severity": "Alto", + "text": "Habilite el conjunto de reglas de protección contra bots de WAF de Azure Application Gateway. Las reglas de bots detectan bots buenos y malos.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Databricks/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "text": "Considere la posibilidad de usar máquinas virtuales de acceso puntual con reserva siempre que sea posible. 
Considere la posibilidad de la terminación automática de clústeres.", - "waf": "Costar" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", + "severity": "Alto", + "text": "Habilite la característica de inspección del cuerpo de la solicitud habilitada en la directiva WAF de Azure Application Gateway.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "text": "Funciones - Reutilizar conexiones", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "Costar" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", + "severity": "Alto", + "text": "Ajuste el WAF de Azure Application Gateway en modo de detección para la carga de trabajo. 
Reduzca las detecciones de falsos positivos.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "text": "Funciones: almacenar datos en caché localmente", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Costar" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "App Gateway", + "severity": "Alto", + "text": "Implemente la directiva de WAF para Application Gateway en modo \"Prevención\".", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "text": "Funciones - Arranques en frío: utilice la funcionalidad 'Ejecutar desde el paquete'. De esta manera, el código se descarga como un único archivo zip. 
Esto puede, por ejemplo, resultar en mejoras significativas con las funciones de Javascript, que tienen muchos módulos de nodos. Utilice herramientas específicas del lenguaje para reducir el tamaño del paquete, por ejemplo, aplicaciones Javascript que sacuden el árbol.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", + "severity": "Medio", + "text": "Agregue la limitación de velocidad al WAF de Azure Application Gateway. La limitación de velocidad bloquea a los clientes que envían accidental o intencionalmente grandes cantidades de tráfico en un corto período de tiempo.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", - "text": "Funciones - Mantén tus funciones calientes", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", + "severity": "Medio", + "text": "Use un umbral alto para los límites de velocidad de WAF de Azure Application Gateway. 
Los umbrales de límite de velocidad altos evitan el bloqueo del tráfico legítimo, a la vez que proporcionan protección contra un número extremadamente alto de solicitudes que podrían sobrecargar su infraestructura. ", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", - "text": "Al usar el escalado automático con diferentes funciones, es posible que haya uno que controle todo el escalado automático para todos los recursos: considere la posibilidad de moverlo a un plan de consumo independiente (y considere un plan superior para la CPU)", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "Bajo", + "text": "Si no espera tráfico de todas las regiones geográficas, utilice filtros geográficos para bloquear el tráfico de países no esperados.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", - "text": "Las aplicaciones de funciones de un plan determinado se escalan juntas, por lo que cualquier problema con el escalado puede afectar a todas las aplicaciones del plan.", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", + "severity": "Medio", + "text": "Especifique la ubicación desconocida (ZZ) al filtrar geográficamente el tráfico con el WAF de Azure Application Gateway. Evite bloquear accidentalmente solicitudes legítimas cuando las direcciones IP no puedan coincidir geográficamente.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "text": "¿Se me factura por el \"tiempo de espera\"? Esta pregunta se suele formular en el contexto de una función de C# que realiza una operación asincrónica y espera el resultado, por ejemplo, await Task.Delay(1000) o await client. GetAsync('http://google.com'). La respuesta es sí: el segundo cálculo de GB se basa en la hora de inicio y finalización de la función y el uso de memoria durante ese período. Lo que realmente sucede durante ese tiempo en términos de actividad de la CPU no se tiene en cuenta en el cálculo. Una excepción a esta regla es si está utilizando funciones duraderas. No se le facturará por el tiempo empleado en las esperas en las funciones de orquestador.aplique técnicas de modelado de la demanda siempre que sea posible (¿entornos de desarrollo?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", + "severity": "Medio", + "text": "Use la versión más reciente del conjunto de reglas de WAF de Azure Application Gateway. 
Las actualizaciones del conjunto de reglas se actualizan periódicamente para tener en cuenta el panorama actual de amenazas.", + "waf": "Seguridad" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", - "text": "Frontdoor: desactivar la página principal predeterminadaEn la configuración de la aplicación de la aplicación, establezca AzureWebJobsDisableHomepage en true. Esto devolverá un 204 (sin contenido) al PoP para que solo se devuelvan los datos del encabezado.", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", + "severity": "Medio", + "text": "Agregue la configuración de diagnóstico para guardar los registros de WAF de Azure Application Gateway.", + "waf": "Operaciones" }, { "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", "service": "Front Door", - "text": "Frontdoor: ruta a algo que no devuelve nada. Configure una función, un proxy de función o agregue una ruta en la aplicación web que devuelva 200 (correctamente) y envíe contenido mínimo o nulo. 
La ventaja de esto es que podrá cerrar la sesión cuando se llame.", - "waf": "Costar" + "severity": "Medio", + "text": "Agregue la configuración de diagnóstico para guardar los registros de WAF de Azure Front Door.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "text": "Considere la posibilidad de archivar niveles para los datos menos utilizados", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", + "severity": "Medio", + "text": "Envíe registros de WAF de Azure Application Gateway a Microsoft Sentinel.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", - "text": "Compruebe los tamaños de disco en los que el tamaño no coincida con el nivel (es decir, un disco de 513 GiB pagará un P30 (1 TiB) y considere la posibilidad de cambiar el tamaño", - "waf": "Costar" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", + "severity": "Medio", + "text": "Envíe registros de WAF de Azure Front Door a Microsoft Sentinel.", + "waf": "Operaciones" }, { - "arm-service": 
"Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "Considere la posibilidad de utilizar un SSD estándar en lugar de Premium o Ultra siempre que sea posible", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", + "severity": "Medio", + "text": "Defina la configuración de WAF de Azure Application Gateway como código. Mediante el uso de código, puede adoptar más fácilmente una nueva versión del conjunto de reglas y obtener protección adicional.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "text": "En el caso de las cuentas de almacenamiento, asegúrese de que el nivel elegido no suma cargos por transacción (puede ser más barato pasar al siguiente nivel)", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", + "severity": "Medio", + "text": "Utilice las políticas de WAF en lugar de la configuración de WAF heredada.", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": 
"Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "Para ASR, considere la posibilidad de usar discos SSD estándar si el RPO/RTO y el rendimiento de replicación lo permiten", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", + "severity": "Medio", + "text": "Filtre el tráfico entrante en los back-end para que solo acepten conexiones de la subred de Application Gateway, por ejemplo, con grupos de seguridad de red.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "Cuentas de almacenamiento: compruebe el nivel de acceso frecuente o GRS necesario", - "waf": "Costar" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", + "service": "Front Door", + "severity": "Medio", + "text": "Asegúrese de que los orígenes solo reciben tráfico de la instancia de Azure Front Door.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "text": "Discos: valide el uso de discos SSD Premium en todas partes: por 
ejemplo, los que no son de producción podrían cambiar a SSD estándar o SSD Premium bajo demanda ", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", + "severity": "Alto", + "text": "Debe cifrar el tráfico a los servidores backend.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "Cree presupuestos para administrar los costos y cree alertas que notifiquen automáticamente a las partes interesadas sobre anomalías en el gasto y riesgos de gasto excesivo.", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", + "severity": "Alto", + "text": "Debe utilizar un firewall de aplicaciones web.", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "Exporte los datos de costos a una cuenta de almacenamiento para realizar análisis de datos adicionales.", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", 
+ "severity": "Medio", + "text": "Redirigir HTTP a HTTPS", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "text": "Controle los costos de un grupo de SQL dedicado pausando el recurso cuando no esté en uso.", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", + "severity": "Medio", + "text": "Utilice cookies administradas por puerta de enlace para dirigir el tráfico de una sesión de usuario al mismo servidor para su procesamiento", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "Habilite la función de pausa automática de Apache Spark sin servidor y establezca el valor de tiempo de espera en consecuencia.", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", + "severity": "Alto", + "text": "Habilite el drenaje de conexiones durante las actualizaciones de servicio planeadas para evitar la pérdida de conexión con los miembros existentes del grupo de back-end", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization 
Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "Cree varias definiciones de grupo de Apache Spark de varios tamaños.", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "severity": "Bajo", + "text": "Cree páginas de error personalizadas para mostrar una experiencia de usuario personalizada", + "waf": "Operaciones" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "Compre unidades de confirmación (SCU) de Azure Synapse durante un año con un plan de compra anticipada para ahorrar en los costos de Azure Synapse Analytics.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", + "severity": "Medio", + "text": "Edite las solicitudes HTTP y los encabezados de respuesta para facilitar el enrutamiento y el intercambio de información entre el cliente y el servidor", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": 
"393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "Uso de máquinas virtuales de acceso puntual para trabajos interrumpibles: se trata de máquinas virtuales por las que se puede pujar y comprar a un precio reducido, lo que proporciona una solución rentable para cargas de trabajo no críticas.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", + "severity": "Medio", + "text": "Configure Front Door para optimizar el enrutamiento del tráfico web global y el rendimiento y la confiabilidad del usuario final de primer nivel a través de una rápida conmutación por error global", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "Ajustar el tamaño de todas las máquinas virtuales", - "waf": "Costar" + "service": "App Gateway", + "severity": "Medio", + "text": "Uso del equilibrio de carga de la capa de transporte", + "waf": "Rendimiento" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "Intercambiar el tamaño de la máquina 
virtual con los tamaños normalizados y más recientes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", + "severity": "Medio", + "text": "Configure el enrutamiento basado en el host o el nombre de dominio para varias aplicaciones web en una sola puerta de enlace", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "Ajustar el tamaño de las máquinas virtuales: comience con la supervisión del uso por debajo del 5 % y, a continuación, trabaje hasta el 40 %", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Costar" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", + "severity": "Medio", + "text": "Centralice la administración de certificados SSL para reducir la sobrecarga de cifrado y descifrado de una granja de servidores backend", + "waf": "Seguridad" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "La inclusión de una aplicación en contenedores puede mejorar la densidad de la máquina virtual y ahorrar dinero en 
su escalado",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Costar"
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9",
+ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket",
+ "service": "App Gateway",
+ "severity": "Bajo",
+ "text": "Uso de Application Gateway para obtener compatibilidad nativa con los protocolos WebSocket y HTTP/2",
+ "waf": "Seguridad"
 }
 ],
 "metadata": {
 "name": "WAF checklist",
- "timestamp": "August 05, 2024"
+ "timestamp": "August 08, 2024"
 },
 "severities": [
 {
@@ -9005,7 +9005,7 @@
 ],
 "status": [
 {
- "description": "Esta comprobación aún no se ha examinado",
+ "description": "Este control aún no se ha examinado",
 "name": "No verificado"
 },
 {
diff --git a/checklists/waf_checklist.ja.json b/checklists/waf_checklist.ja.json
index 98fa01c14..000155a97 100644
--- a/checklists/waf_checklist.ja.json
+++ b/checklists/waf_checklist.ja.json
@@ -1,113 +1,33 @@
 {
 "items": [
 {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
- "service": "Cognitive Search",
- "severity": "高い",
- "text": "2 つのレプリカで読み取り操作の可用性を 99.9% にする",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "7d956fd9-788a-4845-9b9f-c0340972d810",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability",
- "service": "Cognitive Search",
- "severity": "中程度",
- "text": "3 つのレプリカで読み取り/書き込み操作の可用性を 99.9% に向上させる",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support",
- "service": "Cognitive Search",
- "severity": "高い",
- "text": "読み取りレプリカや書き込みレプリカを有効にすることでアベイラビリティーゾーンを活用する",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions",
- "service": "Cognitive Search",
- "severity": "中程度",
- "text": "リージョンの冗長性については、地理的リージョン間で検索インデックスをレプリケートする自動化された方法が提供されないため、検索用に 2 つ以上のリージョンにサービスを手動で作成します",
- "waf": "確実"
- },
- {
- "arm-service": "Microsoft.Search/searchServices",
- "checklist": "Cognitive Search Review Checklist",
- "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6",
- "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services",
- "service": "Cognitive Search",
- "severity": "中程度",
- "text": 
"複数のサービス間でデータを同期するには、複数のサービスでコンテンツを更新するためにインデクサーを使用するか、複数のサービスでコンテンツの更新をプッシュするために REST API を使用する", - "waf": "確実" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "severity": "中程度", - "text": "Azure Traffic Manager を使用して要求を調整する", - "waf": "確実" - }, - { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", - "severity": "高い", - "text": "Azure Cognitive Search インデックスをバックアップおよび復元します。このサンプル コードを使用して、インデックス定義とスナップショットを一連の Json ファイルにバックアップします", + "text": "フレキシブル サーバーの活用", "waf": "確実" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "severity": "高い", - "text": "Azure Cache for Redis のゾーン冗長を有効にします。Azure Cache for Redis では、Premium レベルと Enterprise レベルでゾーン冗長構成がサポートされています。ゾーン冗長キャッシュでは、同じリージョン内の異なる Azure Availability Zones 
にノードを配置できます。これにより、データセンターや AZ の停止が単一障害点として排除され、キャッシュの全体的な可用性が向上します。", - "waf": "確実" - }, - { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", - "severity": "中程度", - "text": "Azure Cache for Redis インスタンスのデータ永続化を構成します。キャッシュ データはメモリに格納されるため、まれに複数のノードで計画外の障害が発生すると、すべてのデータがドロップされる可能性があります。データの完全な損失を回避するために、Redis 永続化では、メモリ内データのスナップショットを定期的に取得し、ストレージ アカウントに格納できます。", - "waf": "確実" - }, - { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", - "severity": "中程度", - "text": "geo 冗長ストレージ アカウントを使用して Azure Cache for Redis データを保持するか、geo 冗長性を使用できない場合はゾーン冗長を使用します", + "text": "Availability Zones (地域的に適用可能な場合) を活用する", "waf": "確実" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "severity": "中程度", - "text": "Premium Azure Cache for Redis インスタンスのパッシブ geo レプリケーションを構成します。geo レプリケーションは、2 つ以上の Azure Cache for Redis インスタンス (通常は 2 つの Azure リージョンにまたがる) をリンクするためのメカニズムです。geo レプリケーションは、主にリージョン間のディザスター リカバリー用に設計されています。2 つの Premium レベルのキャッシュ インスタンスは、プライマリ キャッシュへの読み取りと書き込みを提供する方法で geo レプリケーションを介して接続され、そのデータはセカンダリ 
キャッシュにレプリケートされます。",
+ "text": "リージョン間の DR シナリオでのデータイン レプリケーションの活用",
 "waf": "確実"
 },
 {
@@ -270,7401 +190,7843 @@ "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", - "severity": "低い", - "text": "AKS Windows ワークロードで必要な場合は、HostProcess コンテナーを使用できます", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "高い", + "text": "2 つのレプリカで読み取り操作の可用性を 99.9% にする", "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", - "severity": "低い", - "text": "イベント ドリブン ワークロードを実行する場合は KEDA を使用します", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "中程度", + "text": "3 つのレプリカで読み取り/書き込み操作の可用性を 99.9% に向上させる", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", - "severity": "低い", - "text": "Dapr を使用してマイクロサービス開発を容易にする", - "waf": "オペレーションズ" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive 
Search", + "severity": "高い", + "text": "読み取りレプリカや書き込みレプリカを有効にすることでアベイラビリティーゾーンを活用する", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", - "severity": "高い", - "text": "SLA でサポートされる AKS オファリングを使用する", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", + "severity": "中程度", + "text": "リージョンの冗長性については、地理的リージョン間で検索インデックスをレプリケートする自動化された方法が提供されないため、検索用に 2 つ以上のリージョンにサービスを手動で作成します", "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "低い", - "text": "ポッドとデプロイ定義でのディスラプション バジェットの使用", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", + "severity": "中程度", + "text": "複数のサービス間でデータを同期するには、複数のサービスでコンテンツを更新するためにインデクサーを使用するか、複数のサービスでコンテンツの更新をプッシュするために REST API を使用する", "waf": "確実" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - 
"service": "ACR", - "severity": "高い", - "text": "プライベート レジストリを使用する場合は、複数のリージョンにイメージを格納するようにリージョン レプリケーションを構成します", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", + "severity": "中程度", + "text": "Azure Traffic Manager を使用して要求を調整する", "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", - "severity": "低い", - "text": "kubecost などの外部アプリケーションを使用して、さまざまなユーザーにコストを割り当てます", - "waf": "費用" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", + "severity": "高い", + "text": "Azure Cognitive Search インデックスをバックアップおよび復元します。このサンプル コードを使用して、インデックス定義とスナップショットを一連の Json ファイルにバックアップします", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", - "severity": "低い", - "text": "スケールダウンモードを使用してノードを削除/割り当て解除する", - "waf": "費用" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", + "severity": "高い", + "text": 
"共鳴可能なAIのためのメタプロンプトガードレールに従う", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", - "severity": "中程度", - "text": "必要に応じて、AKS クラスターで複数インスタンスの分割 GPU を使用する", - "waf": "費用" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", + "severity": "高い", + "text": "APIM や AI Central などのソリューションを使用したゲートウェイ パターンを検討して、レート制限、負荷分散、認証、ログ記録を改善します", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", - "severity": "低い", - "text": "Dev/Test クラスターを実行している場合は、NodePool Start/Stop を使用します。", - "waf": "費用" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", + "severity": "高い", + "text": "AOAI インスタンスの監視を有効にする", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", - "severity": "中程度", 
- "text": "Azure Policy for Kubernetes を使用してクラスターのコンプライアンスを確保する", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", + "severity": "高い", + "text": "リソースに対して実行されたアクション (サブスクリプション キーの再生成など) によって作成されたアクティビティ ログのエントリや、1 時間に 10 を超えるエラー数などのメトリックしきい値によって作成されたアクティビティ ログのエントリなど、イベントを通知するアラートを作成します", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", + "severity": "高い", + "text": "トークンの使用状況を監視して、容量によるサービスの中断を防ぎます", + "waf": "オペレーショナルエクセレンス" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "severity": "中程度", - "text": "ユーザー/システムノードプールを使用してコントロールプレーンからアプリケーションを分離する", - "waf": "安全" + "text": "処理された推論トークン、生成された完了トークンなどのメトリックを観察し、レート制限を監視します", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": 
"https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "Azure OpenAI", "severity": "低い", - "text": "システム ノードプールにテイントを追加して専用にする", - "waf": "安全" + "text": "診断が十分でない場合は、Azure OpenAI の前で Azure API Management などのゲートウェイを使用して、受信プロンプトと送信応答の両方をログに記録することを検討してください (許可されている場合)", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", - "severity": "中程度", - "text": "イメージにはプライベート レジストリ (ACR など) を使用する", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "Azure OpenAI", + "severity": "高い", + "text": "コードとしてのインフラストラクチャを使用して、Azure OpenAI Service、モデル デプロイ、およびすべての関連リソースをデプロイします", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", - "severity": "中程度", - "text": "イメージをスキャンして脆弱性を検出する", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", + "severity": "高い", + "text": "API キーの代わりにマネージド ID で Microsoft Entra 認証を使用する", "waf": "安全" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "高い", - "text": "アプリの分離要件を定義する (名前空間/ノードプール/クラスター)", - "waf": "安全" + "text": "入力と正しい答えを持つ既知のゴールデンデータセットを使用して、システムのパフォーマンス/精度を評価します。PromptFlowの機能を評価に活用します。", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", - "severity": "中程度", - "text": "CSI シークレット ストア ドライバーを使用して Azure Key Vault にシークレットを格納する", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", + "service": "Azure OpenAI", + "severity": "高い", + "text": "プロビジョニング済みスループットモデルの使用状況の評価", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", + "service": "Azure 
OpenAI", "severity": "高い", - "text": "クラスターにサービス プリンシパルを使用する場合は、資格情報を定期的に (四半期ごとなど) 更新します", - "waf": "安全" + "text": "Azure AI コンテンツの安全性を確認して実装する", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", - "severity": "中程度", - "text": "必要に応じて、キー管理サービスの etcd 暗号化を追加します", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", + "service": "Azure OpenAI", + "severity": "高い", + "text": "トークンと1分あたりのレスポンスに基づいてシステムのスループットを定義および評価し、要件に合わせます", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて、Confidential Compute for AKS の使用を検討してください", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "トークンサイズ、ストリーミングオプションを制限することにより、システムのレイテンシーを改善します", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + 
"guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "severity": "中程度", - "text": "Defender for Containers の使用を検討する", - "waf": "安全" + "text": "弾力性の要求を見積もり、優先順位に基づいて同期要求とバッチ要求の分離を決定します。優先度が高い場合は同期アプローチを使用し、優先度が低い場合はキューを使用した非同期バッチ処理が推奨されます", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5bda4332-4f24-4811-9331-82ba51752694", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", "severity": "高い", - "text": "サービス プリンシパルの代わりにマネージド ID を使用するUse managed identities instead of Service Principals", - "waf": "安全" + "text": "消費者からの推定需要に基づくトークン消費要件のベンチマーク。プロビジョニングされたスループット ユニットのデプロイを使用している場合は、Azure OpenAI ベンチマーク ツールを使用してスループットを検証することを検討してください", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure 
OpenAI", "severity": "中程度", - "text": "認証と AAD の統合 (マネージド統合を使用)", - "waf": "安全" + "text": "プロビジョニングされたスループットユニット (PTU) を使用している場合は、オーバーフローリクエストに対して Token-Per Minute (TPM) デプロイメントをデプロイすることを検討してください。ゲートウェイを使用して、PTU の制限に達したときに要求を TPM デプロイにルーティングします。", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", - "severity": "中程度", - "text": "管理者 kubeconfig へのアクセスを制限する (get-credentials --admin)", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", + "service": "Azure OpenAI", + "severity": "高い", + "text": "適切なタスクに適したモデルを選択してください。速度、応答の品質、出力の複雑さの間で適切なトレードオフを持つモデルを選択する", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e9951904-8384-45c9-a6cb-2912156a1147", + "link": "https://github.com/Azure/azure-openai-benchmark/", + "service": "Azure OpenAI", "severity": "中程度", - "text": "承認と AAD RBAC の統合", - "waf": "安全" + "text": "微調整によってモデルのパフォーマンスが向上したかどうかを知るための微調整を行わずに、パフォーマンスのベースラインを設定する", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", - "severity": "高い", - "text": "Kubernetes で RBAC 特権を制限するために名前空間を使用する", - "waf": "安全" + "arm-service": 
"Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", + "severity": "低い", + "text": "複数のOAIインスタンスを複数のリージョンにデプロイする", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", + "service": "Azure OpenAI", + "severity": "高い", + "text": "APIM のようなゲートウェイ パターンを使用した再試行とヘルスチェックの実装", + "waf": "確実" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", + "service": "Azure OpenAI", "severity": "中程度", - "text": "ポッド ID アクセス管理の場合は、Azure AD ワークロード ID (プレビュー) を使用します", - "waf": "安全" + "text": "ワークロードに対してTPMとRPMの適切なクォータがあることを確認します", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", + "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", + "service": 
"Azure OpenAI", "severity": "中程度", - "text": "AKS 非対話型ログインの場合は、kubelogin (プレビュー) を使用します", - "waf": "安全" + "text": "HAIツールキットガイダンスの考慮事項を確認し、それらの相互作用の実践をslutionに適用します", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f154e3a-a369-4282-ae7e-316183687a04", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", + "service": "Azure OpenAI", "severity": "中程度", - "text": "AKS ローカル アカウントを無効にする", - "waf": "安全" + "text": "ファインチューニングが採用されている場合は、リージョン間で個別の微調整モデルをデプロイします", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77a1f893-5bda-4433-84f2-4811633182ba", + "link": "https://learn.microsoft.com/azure/backup/backup-overview", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "重要なデータを定期的にバックアップおよびレプリケートして、データの損失やシステム障害が発生した場合のデータの可用性と回復性を確保します。Azure のバックアップおよびディザスター リカバリー サービスを活用して、データを保護します。", + "waf": "確実" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", + "link": 
"https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "Azure OpenAI", + "severity": "高い", + "text": "Azure AI Search サービス レベルは、SLA を持つために選択する必要があります", + "waf": "確実" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", + "link": "https://learn.microsoft.com/purview/purview", + "service": "Azure OpenAI", "severity": "低い", - "text": "必要に応じて Just-In-Time クラスター アクセスを構成する", + "text": "データと機密性を分類し、埋め込みを生成する前に Microsoft Purview でラベル付けし、生成された埋め込みを同じ感度と分類で処理するようにしてください", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて AKS の AAD 条件付きアクセスを構成する", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", + "service": "Azure OpenAI", + "severity": "高い", + "text": "SSE/ディスク暗号化(オプションのBYOKを使用)を使用してRAGに使用されるデータを暗号化", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "severity": "低い", - "text": "Windows AKS ワークロードで必要な場合は、gMSA を構成します", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", + "link": "https://learn.microsoft.com/azure/search/search-security-overview", + "service": "Azure OpenAI", + "severity": "高い", + "text": 
"データソース間で転送されるデータ、Retrieval-Augmented Generation(RAG)およびLLM通信に使用されるAI検索にTLSが適用されていることを確認します", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", - "severity": "中程度", - "text": "より細かく制御するには、マネージドKubelet Identityの使用を検討してください", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", + "severity": "高い", + "text": "RBAC を使用して、Azure OpenAI サービスへのアクセスを管理します。ユーザーに適切な権限を割り当て、ユーザーの役割と責任に基づいてアクセスを制限します", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", + "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", + "service": "Azure OpenAI", "severity": "中程度", - "text": "AGIC を使用している場合は、クラスター間で AppGW を共有しないでください", - "waf": "確実" + "text": "データの暗号化、マスキング、または編集技術を実装して、機密データを非表示にしたり、非本番環境で難読化された値に置き換えたり、テストやトラブルシューティングの目的でデータを共有する場合", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": 
"8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", + "service": "Azure OpenAI", "severity": "高い", - "text": "AKS HTTP ルーティング アドオンを使用せず、代わりにアプリケーション ルーティング アドオンでマネージド NGINX イングレスを使用します。", - "waf": "確実" + "text": "Azure Defender を利用して、セキュリティの脅威を検出して対応し、監視とアラートのメカニズムを設定して、疑わしいアクティビティや侵害を特定します。Azure Sentinel を活用して高度な脅威の検出と対応を実現", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", + "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", + "service": "Azure OpenAI", "severity": "中程度", - "text": "Windows ワークロードの場合は、高速ネットワークを使用します", - "waf": "パフォーマンス" + "text": "コンプライアンス規制を遵守するためのデータ保持および廃棄ポリシーを確立します。不要になったデータに対して安全な削除方法を実装し、データの保持と廃棄活動の監査証跡を維持します", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"a9c27d9c-42bb-46bd-8c69-99a246f3389a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "Azure OpenAI", "severity": "高い", - "text": "標準のALBを使用する(基本的なALBとは対照的)", - "waf": "確実" + "text": "Content Safety を使用した Prompt シールドと接地検出の実装", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", - "severity": "中程度", - "text": "Azure CNI を使用する場合は、NodePool に異なるサブネットを使用することを検討してください", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", + "link": "https://learn.microsoft.com/azure/compliance/", + "service": "Azure OpenAI", + "severity": "高い", + "text": "GDPRやHIPAAなどの関連するデータ保護規制への準拠を確保するには、プライバシー制御を実装し、データ処理活動に必要な同意または許可を取得します。", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", + "service": "Azure OpenAI", "severity": "中程度", - "text": "プライベート エンドポイント (推奨) または Virtual Network サービス エンドポイントを使用して、クラスターから PaaS サービスにアクセスする", + "text": "データセキュリティのベストプラクティス、データの安全な取り扱いの重要性、データ侵害に関連する潜在的なリスクについて、従業員を教育します。データセキュリティプロトコルに熱心に従うように促します。", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": 
"a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", + "service": "Azure OpenAI", "severity": "高い", - "text": "要件に最適な CNI ネットワーク プラグインを選択する (Azure CNI を推奨)", - "waf": "確実" + "text": "運用データを開発データやテストデータから分離します。本番環境では実際の機密データのみを使用し、開発環境やテスト環境では匿名化されたデータや合成データを利用します。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "高い", - "text": "Azure CNI を使用する場合は、ノードあたりのポッドの最大数を考慮して、サブネットのサイズを適切に設定します", - "waf": "パフォーマンス" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "データの機密性のレベルが異なる場合は、レベルごとに個別のインデックスを作成することを検討してください。たとえば、一般的なデータ用に 1 つのインデックスを作成し、機密データ用に別のインデックスを作成し、それぞれ異なるアクセス プロトコルで管理することができます", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "高い", - "text": "Azure CNI を使用している場合は、最大ポッド数/ノード (既定値は 30) を確認します", - "waf": "パフォーマンス" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "内部アプリの場合、組織は多くの場合、ファイアウォールで AKS サブネット全体を開きます。これにより、ノードへのネットワーク アクセスも開かれ、場合によってはポッドへのネットワーク アクセスも開かれます (Azure CNI を使用している場合)。LoadBalancer の IP が別のサブネットにある場合は、この IP のみをアプリ クライアントで使用できる必要があります。もう 1 つの理由は、AKS サブネット内の IP アドレスが希少なリソースである場合、その IP アドレスをサービスに使用すると、クラスターの最大スケーラビリティが低下することです。", - "guid": 
"13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "低い", - "text": "プライベート IP LoadBalancer サービスを使用する場合は、(AKS サブネットではなく) 専用サブネットを使用します", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "分離をさらに一歩進めて、機密性の高いデータセットをサービスの異なるインスタンスに配置します。各インスタンスは、独自のRBACポリシーのセットで制御できます", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", + "service": "Azure OpenAI", "severity": "高い", - "text": "それに応じて、サービスの IP アドレス範囲のサイズを設定します (クラスターのスケーラビリティが制限されます)。", - "waf": "確実" + "text": "機密情報から生成された埋め込みとベクトルは、それ自体が機密性が高いことを認識します。このデータには、ソースマテリアルと同じ保護対策を提供する必要があります", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて、独自のCNIプラグインを追加します", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", + "severity": "高い", + "text": "埋め込みとベクトルを持つデータストアに RBAC を適用し、ロールのアクセス要件に基づいてアクセスのスコープを設定します", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": 
"https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて、AKS でノードごとにパブリック IP を構成する", - "waf": "パフォーマンス" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", + "service": "Azure OpenAI", + "severity": "高い", + "text": "AI サービスのプライベート エンドポイントを構成して、ネットワーク内のサービス アクセスを制限します", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", - "severity": "中程度", - "text": "イングレス コントローラーを使用して、LoadBalancer タイプのサービスで公開する代わりに、Web ベースのアプリを公開します", - "waf": "確実" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", + "service": "Azure OpenAI", + "severity": "高い", + "text": "Azure Firewall と UDR を使用して受信と送信のトラフィック制御を厳密に適用し、外部統合ポイントを制限します", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "低い", - "text": "エグレス トラフィックをスケーリングするために Azure NAT Gateway を outboundType として使用する", - "waf": "確実" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", + "service": "Azure OpenAI", + "severity": "高い", + "text": "ネットワークのセグメンテーションとアクセス制御を実装して、LLMアプリケーションへのアクセスを許可されたユーザーとシステムのみに制限し、横方向の移動を防ぎます", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - 
"checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", + "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", + "service": "Azure OpenAI", "severity": "中程度", - "text": "Azure CNI IP の枯渇を回避するために IP の動的割り当てを使用する", - "waf": "確実" + "text": "LLMLingua や gprtrim などのプロンプト圧縮ツールを使用します", + "waf": "コストの最適化" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", "severity": "高い", - "text": "セキュリティ要件で義務付けられている場合は、AzFW/NVA を使用してエグレス トラフィックをフィルター処理します", + "text": "LLM アプリケーションで使用される API とエンドポイントが、マネージド ID、API キー、OAuth などの認証および承認メカニズムで適切に保護され、不正アクセスを防止します。", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": 
"c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", + "service": "Azure OpenAI", "severity": "中程度", - "text": "パブリック API エンドポイントを使用している場合は、アクセスできる IP アドレスを制限します", + "text": "多要素認証などの強力なエンドユーザー認証メカニズムを適用して、LLMアプリケーションおよび関連するネットワークリソースへの不正アクセスを防止します", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", - "severity": "高い", - "text": "要件で必要な場合は、プライベート クラスターを使用します", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "93555620-2bfe-4456-9b0d-834a348b263e", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "ネットワーク監視ツールを実装して、疑わしいアクティビティや悪意のあるアクティビティのネットワークトラフィックを検出および分析します。ロギングを有効にしてネットワークイベントをキャプチャし、セキュリティインシデントが発生した場合のフォレンジック分析を容易にします", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": 
"https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", + "service": "Azure OpenAI", "severity": "中程度", - "text": "Windows 2019 および 2022 AKS ノードでは、Calico ネットワーク ポリシーを使用できます", + "text": "セキュリティ監査と侵入テストを実施して、LLMアプリケーションのネットワークインフラストラクチャのネットワークセキュリティの弱点または脆弱性を特定して対処します", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "高い", - "text": "Kubernetes ネットワーク ポリシー オプションを有効にする (Calico/Azure)", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "Azure OpenAI", + "severity": "低い", + "text": "Azure AI Services は、管理を改善するために適切にタグ付けされています", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "高い", - "text": "Kubernetesネットワークポリシーを使用してクラスタ内のセキュリティを強化", - "waf": "安全" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "Azure OpenAI", + "severity": 
"低い", + "text": "Azure AI Service アカウントは、組織の名前付け規則に従います", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "Azure OpenAI", "severity": "高い", - "text": "Web ワークロード (UI または API) に WAF を使用するUse a WAF for a web workloads (UI or API)", - "waf": "安全" + "text": "Azure AI サービス リソースの診断ログを有効にする必要がある", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", - "severity": "中程度", - "text": "AKS Virtual Network で DDoS Standard を使用するUse DDoS Standard in the AKS Virtual Network", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": 
"https://learn.microsoft.com/azure/ai-services/authentication", + "service": "Azure OpenAI", + "severity": "高い", + "text": "セキュリティのため、キーアクセス(ローカル認証)を無効にすることをお勧めします。 キーベースのアクセスを無効にすると、Microsoft Entra IDが唯一のアクセス方法になり、最小限の特権原則ときめ細かな制御を維持できます。", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて、会社の HTTP プロキシを追加します", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", + "severity": "高い", + "text": "Azure Key Vault を使用して、キーを安全に保存および管理します。LLM アプリケーションのコード内で機密性の高いキーをハードコーディングしたり埋め込んだりすることを避け、マネージド ID を使用して Azure Key Vault から安全に取得します", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", - "severity": "中程度", - "text": "高度なマイクロサービス通信管理にサービスメッシュの使用を検討する", + "arm-service": 
"Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", + "severity": "高い", + "text": "Azure Key Vault に格納されているキーを定期的にローテーションして期限切れにすることで、不正アクセスのリスクを最小限に抑えます。", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "Azure OpenAI", "severity": "高い", - "text": "最も重要なメトリックに関するアラートを構成します (推奨事項については、「Container Insights」を参照してください)", - "waf": "オペレーションズ" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", - "severity": "低い", - "text": "Azure Advisor でクラスターの推奨事項を定期的に確認する", - "waf": "オペレーションズ" + "text": "tiktokenを使用して、会話モードでのトークン最適化のためのトークンサイズを理解します", + "waf": "コストの最適化" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", - "severity": "低い", - "text": "AKS 自動証明書のローテーションを有効にする", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "Azure OpenAI", + "severity": "高い", + "text": 
"安全なコーディング手法に従って、インジェクション攻撃、クロスサイトスクリプティング(XSS)、セキュリティ設定の誤りなどの一般的な脆弱性を防止します", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "Azure OpenAI", "severity": "高い", - "text": "kubernetes のバージョンを定期的に (四半期ごとなど) アップグレードする定期的なプロセスを行うか、AKS 自動アップグレード機能を使用します", - "waf": "オペレーションズ" + "text": "LLM ライブラリとその他のシステム コンポーネントを定期的に更新し、パッチを適用するプロセスを設定します", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "Azure OpenAI", "severity": "高い", - "text": "ノードイメージのアップグレードを使用していない場合は、Linuxノードのアップグレードにkuredを使用します", - "waf": "オペレーションズ" + "text": "Azure OpenAI またはその他の LLM の利用規約、ポリシー、ガイダンス、および許可されたユース ケースを順守する", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", - "severity": "高い", - "text": "クラスタノードイメージを定期的に(毎週など)アップグレードする定期的なプロセスを用意します", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure 
OpenAI Review", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "基本モデルと微調整されたモデルおよびトークンのステップサイズのコストの違いを理解する", + "waf": "コストの最適化" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "低い", - "text": "アプリケーションまたはクラスター構成を複数のクラスターにデプロイするために gitop を検討してください", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", + "severity": "高い", + "text": "可能であれば、呼び出しごとのオーバーヘッドを最小限に抑え、全体的なコストを削減できるバッチ要求。バッチサイズを確実に最適化する", + "waf": "コストの最適化" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "severity": "低い", - "text": "プライベート クラスターで AKS コマンド呼び出しを使用することを検討する", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "モデルの使用状況を監視するコスト追跡システムを設定し、その情報を使用してモデルの選択とプロンプトのサイズを通知します", + "waf": "コストの最適化" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": 
"https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", - "severity": "低い", - "text": "計画されたイベントの場合は、ノードの自動ドレインの使用を検討してください", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "モデル応答あたりのトークン数に上限を設定します。サイズを最適化して、有効な応答に十分な大きさになるようにします", + "waf": "コストの最適化" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", - "severity": "高い", - "text": "独自のガバナンスプラクティスを開発して、ノードRG(別名「インフラRG」)のオペレーターによって変更が実行されないようにします", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "信頼性のための AI 検索の設定に関するガイダンスを確認します", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "低い", - "text": "カスタムノードRG(別名「インフラRG」)名を使用", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": 
"https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "AI Search Vector ストレージの計画と管理", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "中程度", - "text": "非推奨の Kubernetes API を YAML マニフェストで使用しないでください", - "waf": "オペレーションズ" + "text": "LLMOpsプラクティスを適用して、GenAIアプリケーションのライフサイクル管理を自動化します", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", - "severity": "低い", - "text": "Windows ノードのテイント", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", + "severity": "高い", + "text": "請求モデルの使用状況の評価 - PAYG と PTU の比較", + "waf": "コストの最適化" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": 
"https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "低い", - "text": "Windows コンテナーのパッチ レベルをホストのパッチ レベルと同期させる", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "モデルバージョンを切り替える際のプロンプトとアプリケーションの品質を評価する", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "クラスタレベルでの診断設定経由", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", - "severity": "低い", - "text": "マスター ログ (API ログ) を Azure Monitor または任意のログ管理ソリューションに送信する", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "GenAIアプリを評価、監視、改良して、接地性、関連性、精度、一貫性、流暢さなどの機能を確認します。", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて、nodePool スナップショットを使用します", - "waf": "費用" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "Azure OpenAI", + "severity": "中程度", + 
"text": "さまざまな検索パラメーターに基づいて Azure AI Search の結果を評価する", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", - "severity": "低い", - "text": "時間的制約のないワークロードのスポット ノード プールを検討する", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2744293b-b628-4537-a551-19b08e8f5854", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "精度を向上させる方法としてモデルの微調整を検討するのは、データを使用してプロンプトエンジニアリングやRAGなどの他の基本的なアプローチを試した場合のみです", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "低い", - "text": "クイック バーストのために AKS 仮想ノードを検討する", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "プロンプトエンジニアリング手法を使用して、LLM応答の精度を向上させる", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": 
"https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "高い", - "text": "Container Insights (または Prometheus などの他のツール) を使用してクラスター メトリックを監視する", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "GenAIアプリケーションをレッドチーム化", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "高い", - "text": "Container Insights(またはTelegraf/ElasticSearchなどの他のツール)を使用してクラスターログを保存および分析します", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "Azure OpenAI", + "severity": "中程度", + "text": "エンドユーザーにLLM応答のスコアリングオプションを提供し、これらのスコアを追跡します。", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", - "severity": "中程度", - "text": "ノードの CPU とメモリの使用率を監視する", - "waf": "オペレーションズ" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", + "severity": "高い", + "text": "クォータ管理の実践を検討する", + "waf": "コストの最適化" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "Azure OpenAI", "severity": "中程度", - "text": "Azure CNI を使用している場合は、ノードごとに消費されるポッド IP の割合を監視します", - "waf": "オペレーションズ" + "text": "APIM ベースのゲートウェイなどのロード バランサー ソリューションを使用して、サービスやリージョン間で負荷と容量を分散します", + "waf": "オペレーショナルエクセレンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "OS ディスクの I/O は重要なリソースです。ノード内の OS が I/O で調整されると、予期しない動作が発生し、通常はノードが NotReady と宣言される可能性があります", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "severity": "中程度", - "text": "ノード内の OS ディスク キューの深さを監視する", - "waf": "オペレーションズ" + "text": "有効期間の長い取り消し可能なトークンを使用し、トークンをキャッシュし、Microsoft ID ライブラリを使用してサイレントに取得します", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "checklist": "Identity 
Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "severity": "中程度", - "text": "AzFW/NVA でエグレス フィルター処理を使用しない場合は、標準の ALB によって割り当てられた SNAT ポートを監視します", - "waf": "オペレーションズ" + "text": "サインイン ユーザー フローがバックアップされ、回復性があることを確認します。ユーザーのサインインに使用するコードがバックアップされ、回復可能であることを確認します。外部プロセスとの回復力のあるインターフェース", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "severity": "中程度", - "text": "AKS クラスターのリソース正常性通知をサブスクライブするSubscribe to resource health notifications for your AKS cluster", - "waf": "オペレーションズ" + "text": "カスタムブランドアセットはCDNでホストする必要がある", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "高い", - "text": "ポッド仕様で要求と制限を構成する", - "waf": "オペレーションズ" + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "低い", + "text": "複数のIDプロバイダーを持っている(つまり、Microsoft、Google、Facebookアカウントでログインする)", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "中程度", - "text": "名前空間のリソースクォータを適用する", - "waf": "オペレーションズ" + "text": "VM レベルでの高可用性に関する VM ルールに従う (Premium ディスク、リージョン内の 2 つ以上、異なる可用性ゾーン内)", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", - "severity": "高い", - "text": "サブスクリプションにノードプールをスケールアウトするのに十分なクォータがあることを確認する", - "waf": "オペレーションズ" + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "中程度", + "text": "複製しないでください!レプリケーションにより、ディレクトリ同期に関する問題が発生する可能性があります", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "中程度", - "text": "Cluster Autoscaler を使用する", - "waf": "パフォーマンス" + "text": "マルチリージョンのアクティブ/アクティブを持つ", + "waf": "確実" }, { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", - "severity": "低い", - "text": "AKS ノード プールのノード構成をカスタマイズする", - "waf": "パフォーマンス" + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "中程度", + "text": "Azure AD Domain Service スタンプを追加のリージョンと場所に追加する", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "中程度", - "text": "必要に応じてHorizontal Pod Autoscalerを使用します", - "waf": "パフォーマンス" + "text": "DR にレプリカ セットを使用する", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "ノードが大きくなると、パフォーマンスが向上し、エフェメラル ディスクや高速ネットワークなどの機能が提供されますが、爆発半径が大きくなり、スケーリングの粒度が低下します", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + 
"service": "Azure Functions", "severity": "高い", - "text": "大きすぎず小さすぎない適切なノードサイズを検討してください", - "waf": "パフォーマンス" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": "低い", - "text": "スケーラビリティのために 5,000 を超えるノードが必要な場合は、追加の AKS クラスターの使用を検討してください", - "waf": "パフォーマンス" + "text": "ビジネスとSLOの要件に基づいて適切な関数ホスティングプランを選択します", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", - "severity": "低い", - "text": "AKS 自動化のために EventGrid イベントをサブスクライブすることを検討する", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "高い", + "text": "リージョンで適用可能な場合は Availability Zones を活用します (従量課金レベルでは使用できません)", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", - "severity": "低い", - "text": "AKS クラスターで実行時間の長い操作を行う場合は、イベントの終了を検討してください", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", + "severity": "中程度", + "text": "重要なワークロードに対するリージョン間 DR 
戦略を検討する", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", - "severity": "低い", - "text": "必要に応じて、AKS ノードに Azure Dedicated Hosts を使用することを検討してください", - "waf": "パフォーマンス" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", "severity": "高い", - "text": "エフェメラル OS ディスクを使用する", - "waf": "パフォーマンス" + "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", "severity": "高い", - "text": "非エフェメラル ディスクの場合、複数のポッドを実行するには高いパフォーマンスが必要であり、既定の AKS ログ ローテーションしきい値で巨大なログが生成されるため、多くのポッド/ノードを実行する場合は、ノードに高い IOPS とより大きな OS ディスクを使用します", - "waf": 
"パフォーマンス" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "低い", - "text": "ハイパー パフォーマンス ストレージ オプションの場合は、AKS 上の Ultra Disks を使用します", - "waf": "パフォーマンス" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", - "severity": "中程度", - "text": "クラスター内に状態を保持することは避け、外部 (AzStorage、AzSQL、Cosmos など) にデータを格納します", - "waf": "パフォーマンス" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", - "severity": "中程度", - "text": "AzFiles Standard を使用する場合は、パフォーマンス上の理由から AzFiles Premium や ANF を検討してください", - "waf": "パフォーマンス" + "text": "App Service プランで実行されているすべての関数アプリで \"Always On\" が有効になっていることを確認する", + "waf": "確実" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "severity": "中程度", - "text": "Azure ディスクと AZ を使用する場合は、適切なゾーンにストレージをプロビジョニングするために VolumeBindingMode:WaitForFirstConsumer を使用して LRS ディスクのゾーン内にノードプールを配置するか、複数のゾーンにまたがるノードプールに ZRS ディスクを使用することを検討してください", - "waf": 
"パフォーマンス" + "text": "関数アプリを独自のストレージ アカウントにペアリングします。Function Apps のストレージ アカウントは、緊密に結合されていない限り、再利用しないようにしてください", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", "severity": "中程度", - "text": "Azure Center for SAP solutions (ACSS) は、SAP を Azure 上のトップレベルのワークロードにする Azure オファリングです。ACSS は、SAP システムを Azure 上の統合ワークロードとして作成および実行し、イノベーションのためのよりシームレスな基盤を提供するエンドツーエンドのソリューションです。新規と既存の Azure ベースの SAP システムの両方の管理機能を利用できます。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、関数アプリのコードを保護します", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "severity": "中程度", - "text": "Azure では、Linux と Windows での SAP デプロイの自動化がサポートされています。SAP Deployment Automation Framework は、SAP 環境をデプロイ、インストール、および保守できるオープンソースのオーケストレーション ツールです。", - "training": "https://github.com/Azure/sap-automation", - "waf": "オペレーションズ" + "text": "Azure Bot Service の信頼性サポートの推奨事項に従う", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - 
"service": "SAP", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "severity": "中程度", - "text": "運用データベースのポイントインタイム リカバリを、RTOを満たす任意の時点および時間枠で実行します。ポイント・イン・タイム・リカバリには、通常、DBMSレイヤー上またはSAPを介してデータを削除するオペレーター・エラーが含まれます", + "text": "ローカル データ所在地とリージョン コンプライアンスを備えたボットのデプロイ", "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", "severity": "中程度", - "text": "バックアップと復旧の時間をテストして、災害発生後にすべてのシステムを同時に復元するための RTO 要件を満たしていることを確認します。", + "text": "Azure Bot Service は、グローバル サービスとリージョン サービスの両方に対してアクティブ/アクティブ モードで実行されます。停止が発生した場合、エラーを検出したり、サービスを管理したりする必要はありません。Azure Bot Service は、複数リージョンの地理的アーキテクチャで自動フェールオーバーと自動復旧を自動的に実行します。EU ボット リージョン サービスの場合、Azure Bot Service は、冗長性を確保するために、アクティブ/アクティブ レプリケーションを備えたヨーロッパ内の 2 つの完全なリージョンを提供します。グローバル ボット サービスの場合、使用可能なすべてのリージョン/地域をグローバル フットプリントとして提供できます。", "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", - "severity": "高い", - "text": "ペアのリージョン間で Standard Storage をレプリケートすることはできますが、Standard Storage を使用してデータベースや仮想ハード ディスクを格納することはできません。バックアップは、使用するペアのリージョン間でのみレプリケートできます。その他のすべてのデータについては、SQL Server Always On や SAP HANA システム レプリケーションなどのネイティブ DBMS 機能を使用してレプリケーションを実行します。SAP アプリケーション層には、Site Recovery、rsync または robocopy、およびその他のサードパーティ ソフトウェアを組み合わせて使用します。", - "training": 
"https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "確実" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Azure Monitor のデータ収集ルール - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", - "severity": "中程度", - "text": "Azure Availability Zones を使用して高可用性を実現する場合は、SAP アプリケーション サーバーとデータベース サーバー間の待機時間を考慮する必要があります。待機時間が長いゾーンでは、SAP アプリケーション サーバーとデータベース サーバーが常に同じゾーンで実行されていることを確認するための運用手順を実施する必要があります。", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", + "text": "基になるデータソースが見つからないバックアップインスタンスを確認する", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", - "severity": "高い", - "text": "オンプレミスからプライマリおよびセカンダリの Azure ディザスター リカバリー リージョンへの ExpressRoute 接続を設定します。また、ExpressRoute を使用する代わりに、オンプレミスからプライマリおよびセカンダリの Azure ディザスター リカバリー リージョンへの VPN 接続を設定することも検討してください。", - "training": 
"https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "確実" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "text": "関連づけられていないサービス(ディスク、NIC、IPアドレスなど)を削除またはアーカイブする", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", - "severity": "低い", - "text": "証明書、シークレット、キーなどのキー コンテナーの内容をリージョン間でレプリケートして、DR リージョン内のデータの暗号化を解除できるようにします。", - "waf": "確実" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "ミッション クリティカルでないアプリケーションの Site Recovery ストレージとバックアップのバランスを考慮する", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", - "severity": "中程度", - "text": "プライマリ仮想ネットワークとディザスター リカバリー仮想ネットワークをピアリングします。たとえば、HANA システム レプリケーションの場合、SAP HANA DB 仮想ネットワークは、ディザスター リカバリー サイトの SAP HANA DB 仮想ネットワークにピアリングする必要があります。", - "waf": "確実" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "40 の異なるログ分析ワークスペース間で支出と節約の機会を確認する - 
非運用ワークスペースに異なる保持とデータ収集を使用する - 認識と階層サイズ設定のための日次上限を作成する - 日次上限を設定する場合は、上限に達したときにアラートを作成するだけでなく、ある割合 (90% など) に達したときに通知されるアラート ルールも作成してください。- 可能であればワークスペースの変革を検討する - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", - "severity": "低い", - "text": "SAP デプロイに Azure NetApp Files ストレージを使用する場合は、少なくとも、Premium レベルの 2 つのリージョンに 2 つの Azure NetApp Files アカウントを作成します。", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "確実" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", + "text": "ログのパージポリシーと自動化を適用する(必要に応じて、ログをコールドストレージに移動できます)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "高い", - "text": "ネイティブのデータベースレプリケーションテクノロジーを使用して、HAペアでデータベースを同期する必要があります。", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "ディスクが本当に必要かどうかを確認し、必要でない場合は削除します。必要な場合は、下位のストレージ階層を見つけるか、バックアップを使用します。", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", - "severity": "高い", - "text": "プライマリ仮想ネットワーク (VNet) の CIDR は、DR サイトの VNet の CIDR と競合したり重複したりしないようにする必要があります", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "text": "未使用のストレージを下位階層に移動し、カスタマイズされたルールを使用することを検討する - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", - "severity": "高い", - "text": "Site Recovery を使用して、アプリケーション サーバーを DR サイトにレプリケートします。Site Recovery は、セントラル サービス クラスター VM を DR サイトにレプリケートする場合にも役立ちます。DR を呼び出すときは、DR サイトで Linux Pacemaker クラスターを再構成する必要があります (たとえば、VIP または SBD の置き換え、corosync.conf の実行など)。", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "確実" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization 
Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "text": "advisor が VM の適切なサイズ設定用に構成されていることを確認する", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "高い", - "text": "単一障害点に対する SAP ソフトウェアの可用性を検討します。これには、SAP NetWeaver や SAP S/4HANA アーキテクチャ、SAP ABAP、ASCS + SCS で使用される DBMS などのアプリケーション内の単一障害点が含まれます。また、SAP Web ディスパッチャなどの他のツールも必要です。", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "description": "コスト分析でメーターカテゴリライセンスを検索して確認してください", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "text": "すべての Windows VM でスクリプトを実行する https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- Windows VM が頻繁に作成される場合は、ポリシーの実装を検討してください", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", - "severity": "高い", - "text": "SAP および SAP データベースの場合は、自動フェールオーバー クラスターの実装を検討してください。Windows では、Windows Server フェールオーバー クラスタリングがフェールオーバーをサポートします。Linux では、Linux Pacemaker や、SIOS Protection Suite や Veritas InfoScale などのサードパーティツールがフェイルオーバーをサポートしています。", - "training": 
"https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "text": "これは、すでにライセンスを持っている場合は、AHUBの下に置くこともできます https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "高い", - "text": "Azure では、プライマリ VM とセカンダリ VM が DBMS データのストレージを共有するアーキテクチャはサポートされていません。DBMSレイヤーの場合、一般的なアーキテクチャパターンは、プライマリおよびセカンダリVMが使用するストレージスタックとは異なるストレージスタックを使用して、データベースを同時にレプリケートすることです。", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "確実" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", + "text": "予約済み VM ファミリを柔軟性オプションで統合する (4 から 5 ファミリ以下)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", - "severity": "高い", - "text": "DBMS 
データとトランザクション/REDO ログ ファイルは、Azure でサポートされているブロック ストレージまたは Azure NetApp Files に格納されます。Azure Files または Azure Premium Files は、SAP ワークロードでの DBMS データや再実行ログ ファイルのストレージとしてはサポートされていません。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "確実" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "text": "Azure 予約インスタンスを利用する: この機能を使用すると、VM を 1 年または 3 年間予約できるため、PAYG 価格と比較して大幅なコスト削減が実現します。", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", - "severity": "高い", - "text": "Windows の Azure 共有ディスクは、ASCS + SCS コンポーネントと特定の高可用性シナリオに使用できます。フェールオーバー クラスターは、SAP アプリケーション層コンポーネントと DBMS 層に対して個別に設定します。現在、Azure では、SAP アプリケーション レイヤー コンポーネントと DBMS レイヤーを 1 つのフェールオーバー クラスターに結合する高可用性アーキテクチャはサポートされていません。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "text": "より大きなディスクのみ予約できます => 1 TiB -", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "高い", - "text": "SAP アプリケーション レイヤー コンポーネント (ASCS) と 
DBMS レイヤーのほとんどのフェールオーバー クラスターでは、フェールオーバー クラスターの仮想 IP アドレスが必要です。 Azure Load Balancer は、他のすべてのケースで仮想 IP アドレスを処理する必要があります。設計原則の 1 つは、クラスター構成ごとに 1 つのロード バランサーを使用することです。ロード バランサーの Standard バージョン (Standard Load Balancer SKU) を使用することをお勧めします。", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "text": "適切なサイズ最適化の後", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", - "severity": "高い", - "text": "ロードバランサーでフローティング IP が有効になっていることを確認します", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Sql/servers", + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "text": "該当するかどうかを確認し、ポリシー/変更 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations を適用します", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", - "severity": "高い", - "text": "高可用性インフラストラクチャをデプロイする前に、選択したリージョンに応じて、Azure 可用性セットと可用性ゾーンのどちらを使用してデプロイするかを決定します。", - "training": 
"https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", + "text": "VM +ライセンス部分の割引(ahub + 3YRI)は約70%の割引です", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", - "severity": "高い", - "text": "SAP コンポーネント (セントラル サービス、アプリケーション サーバー、データベース) のアプリケーションのインフラストラクチャ SLA を満たす場合は、すべてのコンポーネントに対して同じ高可用性オプション (VM、可用性セット、可用性ゾーン) を選択する必要があります。", - "waf": "確実" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "text": "需要に合わせて、フラットなサイジングではなく、VMSS の使用を検討してください", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "高い", - "text": "同じ可用性セット内に異なるロールのサーバーを混在させないでください。セントラル サービス VM、データベース VM、アプリケーション VM を独自の可用性セットに保持する", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", + "text": "AKS オートスケーラーを使用してクラスターの使用量に一致させる 
(ポッドの要件がスケーラーと一致していることを確認する)", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", - "severity": "中程度", - "text": "近接通信配置グループを使用しない限り、Azure 可用性ゾーン内に Azure 可用性セットをデプロイすることはできません。", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "waf": "確実" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", + "text": "該当する場合は、復旧ポイントを vault-archive に移動します (検証)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "高い", - "text": "可用性セットを作成するときは、使用可能な障害ドメインと更新ドメインの最大数を使用します。たとえば、1 つの可用性セットに 2 つ以上の VM をデプロイする場合は、Azure の計画メンテナンスに加えて、潜在的な物理ハードウェア障害、ネットワークの停止、または停電の影響を制限するために、最大数の障害ドメイン (3 つ) と十分な更新ドメインを使用します。障害ドメインの既定の数は 2 であり、後でオンラインで変更することはできません。", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "text": "可能な場合は、フォールバックでスポット VM を使用することを検討してください。クラスターの自動終了を検討してください。", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "高い", - "text": "可用性セットのデプロイで Azure 近接通信配置グループを使用する場合は、3 つの SAP コンポーネント (セントラル サービス、アプリケーション サーバー、データベース) をすべて同じ近接通信配置グループに含める必要があります。", - "waf": "確実" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "関数 - 接続の再利用", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "高い", - "text": "SAP SID ごとに 1 つの近接配置グループを使用します。グループは、Availability Zones や Azure リージョンにまたがっていません", - "waf": "確実" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "関数 - データをローカルにキャッシュする", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "高い", - "text": "オペレーティング システムに応じて、次のいずれかのサービスを使用して SAP セントラル サービス クラスターを実行します。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization 
Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "関数 - コールド スタート - 「パッケージから実行」機能を使用します。このようにして、コードは単一のzipファイルとしてダウンロードされます。これにより、たとえば、多くのノードモジュールを持つJavascript関数が大幅に改善される可能性があります。言語固有のツールを使用してパッケージサイズを縮小します (ツリーを揺るがす Javascript アプリケーションなど)。", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", - "severity": "中程度", - "text": "現在、Azure では、同じ Linux Pacemaker クラスターでの ASCS と DB HA の組み合わせはサポートされていません。それらを個々のクラスターに分離します。ただし、最大 5 つの複数のセントラル サービス クラスターを 1 つの VM のペアに結合できます。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", + "text": "関数 - 関数を暖かく保つ", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "中程度", - "text": "両方の VM を高可用性ペアの可用性セットまたは可用性ゾーンにデプロイします。これらの VM は、同じサイズで、同じストレージ構成を持つ必要があります。", - "waf": "確実" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + 
"service": "Azure Functions", + "text": "さまざまな関数で自動スケーリングを使用する場合、すべてのリソースのすべての自動スケーリングを駆動する 1 つが存在する可能性があるため、別の従量課金プランに移行することを検討してください (また、CPU のより高いプランを検討してください)", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", - "severity": "中程度", - "text": "Azure では、Red Hat Enterprise Linux (RHEL) で実行されている同じ高可用性クラスターへの SAP HANA インスタンスと ASCS/SCS インスタンスと ERS インスタンスのインストールと構成がサポートされています。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "text": "特定のプランの関数アプリはすべて一緒にスケーリングされるため、スケーリングに関する問題はプラン内のすべてのアプリに影響を与える可能性があります。", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "高い", - "text": "Premium マネージド SSD ですべての運用システムを実行し、Azure NetApp Files または Ultra Disk Storage を使用します。少なくとも、OS ディスクは Premium レベルにすることで、パフォーマンスの向上と最高の SLA を実現できます。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "確実" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "text": "「待機時間」に対して請求されますか?この質問は、通常、非同期操作を実行して結果を待機する C# 関数のコンテキストで尋ねられます (例: await Task.Delay(1000) や await client)。GetAsync('http://google.com') 
です。答えはイエスです-GB秒の計算は、関数の開始時刻と終了時刻、およびその期間のメモリ使用量に基づいています。その間に CPU アクティビティに関して実際に何が起こるかは、計算には考慮されません。この規則の 1 つの例外は、永続関数を使用している場合です。オーケストレーター関数で待機に費やされた時間に対しては課金されません。可能な場合は、デマンド シェーピング技術を適用します (開発環境?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", - "severity": "高い", - "text": "SAP HANA on Azure は、SAP によって認定された種類のストレージでのみ実行する必要があります。該当する場合は、特定のボリュームを特定のディスク構成で実行する必要があることに注意してください。これらの構成には、書き込みアクセラレータの有効化と Premium Storage の使用が含まれます。また、ストレージ上で稼働するファイル システムが、マシン上で稼働する DBMS と互換性があることを確認する必要もあります。", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", - "waf": "確実" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "text": "Frontdoor - 既定のホームページをオフにするアプリのアプリケーション設定で、AzureWebJobsDisableHomepage を true に設定します。これにより、PoPに204(No Content)が返されるため、ヘッダーデータのみが返されます。", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", - "severity": "高い", - "text": "SAP ワークロードに使用するストレージの種類に応じて、高可用性を構成することを検討してください。Azure で使用できる一部のストレージ サービスは Azure Site Recovery でサポートされていないため、高可用性の構成が異なる場合があります。", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "確実" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", + "text": "Frontdoor - 何も返さないものへのルーティング。関数、関数プロキシを設定するか、200 (OK) を返し、コンテンツを送信しない、または最小限のコンテンツを送信 するルートを Web アプリに追加します。これの利点は、呼び出されたときにログアウトできることです。", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", - "severity": "高い", - "text": "さまざまなネイティブ Azure ストレージ サービス (Azure Files、Azure NetApp Files、Azure Shared Disk など) は、リージョンによっては利用できない場合があります。そのため、フェールオーバー後に DR リージョンで同様の SAP 設定を行うには、それぞれのストレージ サービスが DR サイトで提供されていることを確認します。", - "waf": "確実" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "使用頻度の低いデータの階層のアーカイブを検討する", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", - "severity": "中程度", - "text": "SAP システムのスタート/ストップを自動化してコストを管理します。", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "text": "サイズが階層と一致しない場合は、ディスク サイズを確認します (つまり、513 GiB のディスクは P30 (1TiB) を支払います) と、サイズ変更を検討してください", "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "低い", - "text": "SAP HANA で 
Azure Premium Storage を使用する場合は、Azure Standard SSD ストレージを使用して、コスト意識の高いストレージ ソリューションを選択できます。ただし、Standard SSD または Standard HDD Azure Storage を選択すると、個々の VM の SLA に影響することに注意してください。また、非運用環境など、I/O スループットが低く待機時間が短いシステムでは、下位のシリーズ VM を使用できます。", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "可能な場合は、Premium や Ultra ではなく Standard SSD の使用を検討してください", "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "低い", - "text": "低コストの代替構成 (多目的) として、非運用環境の HANA データベース サーバー VM に低パフォーマンスの SKU を選択できます。ただし、E シリーズなどの一部の VM の種類は、HANA 認定 (SAP HANA Hardware Directory) されていないか、ストレージ待機時間を 1 ミリ秒未満にできないことに注意することが重要です。", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "ストレージ アカウントの場合は、選択したレベルによってトランザクション料金が加算されていないことを確認します (次のレベルに移動する方が安くなる可能性があります)", "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", - "severity": "高い", - "text": "管理グループ、サブスクリプション、リソース グループ、およびリソースに RBAC モデルを適用する", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "安全" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": 
"https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "ASR の場合、RPO/RTO とレプリケーション スループットで許可されている場合は、Standard SSD ディスクの使用を検討してください", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", - "severity": "中程度", - "text": "Cloud Connector を介して SAP クラウド アプリケーションからオンプレミス (IaaS を含む) に ID を転送するためのプリンシパル伝達を適用する", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", - "waf": "安全" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "ストレージ アカウント: 必要なホット層や GRS を確認する", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", - "severity": "中程度", - "text": "SAML を使用して Azure AD で SAP Analytics Cloud、SAP Cloud Platform、Business by Design、SAP Qualtrics、SAP C4C などの SAP SaaS アプリケーションに SSO を実装します。", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "ディスク - あらゆる場所で Premium SSD ディスクの使用を検証: たとえば、非運用環境を Standard SSD またはオンデマンド Premium SSD にスワップできます", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": 
"https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", - "severity": "中程度", - "text": "SAML を使用して、SAP Fiori や SAP Web GUI などの SAP NetWeaver ベースの Web アプリケーションに SSO を実装します。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "予算を作成してコストを管理し、支出の異常や過剰支出のリスクを関係者に自動的に通知するアラートを作成します。", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", - "severity": "中程度", - "text": "SAML を使用して、SAP Fiori や SAP Web GUI などの SAP NetWeaver ベースの Web アプリケーションに SSO を実装します。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "追加のデータ分析のために、コスト データをストレージ アカウントにエクスポートします。", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", - "severity": "中程度", - "text": "SAP NetWeaver SSO またはパートナーソリューションを使用して、SAP GUI への SSO を実装できます。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": 
"6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "専用 SQL プールのコストを制御するには、リソースが使用されていないときに一時停止します。", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", - "severity": "中程度", - "text": "SAP GUI および Web ブラウザアクセスの SSO には、設定とメンテナンスが容易なため、SNC/Kerberos/SPNEGO (シンプルで保護された GSSAPI ネゴシエーションメカニズム) を実装します。X.509 クライアント証明書を使用した SSO の場合は、SAP SSO ソリューションのコンポーネントである SAP セキュアログインサーバーを検討してください。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "サーバーレス Apache Spark の自動一時停止機能を有効にし、それに応じてタイムアウト値を設定します。", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", - "severity": "中程度", - "text": "SAP GUI および Web ブラウザアクセスの SSO には、設定とメンテナンスが容易なため、SNC/Kerberos/SPNEGO (シンプルで保護された GSSAPI ネゴシエーションメカニズム) を実装します。X.509 クライアント証明書を使用した SSO の場合は、SAP SSO ソリューションのコンポーネントである SAP セキュアログインサーバーを検討してください。", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "さまざまなサイズの複数の Apache Spark プール定義を作成します。", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": 
"https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", - "service": "SAP", - "severity": "中程度", - "text": "OAuth for SAP NetWeaver を使用して SSO を実装し、サードパーティまたはカスタムアプリケーションが SAP NetWeaver OData サービスにアクセスできるようにします。", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "Azure Synapse Analytics のコストを節約するために、事前購入プランで Azure Synapse コミット ユニット (SCU) を 1 年間購入します。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", - "severity": "中程度", - "text": "SAP HANAへのSSOの実装", - "waf": "安全" - }, - { - "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", - "severity": "中程度", - "text": "Azure AD は、RISE でホストされている SAP システムの ID プロバイダーであると考えてください。詳細については、「サービスと Azure AD の統合」を参照してください。", - "waf": "安全" - }, - { - "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", - "severity": "中程度", - "text": "SAP にアクセスするアプリケーションでは、プリンシパル伝搬を使用して SSO を確立することができます。", - "waf": "安全" - }, - { - "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": 
"https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", - "severity": "中程度", - "text": "SAP Identity Authentication Service (IAS) を必要とする SAP BTP サービスまたは SaaS ソリューションを使用している場合は、SAP Cloud Identity Authentication Services と Azure AD の間に SSO を実装して、それらの SAP サービスにアクセスすることを検討してください。この統合により、SAP IAS はプロキシ ID プロバイダーとして機能し、認証要求を中央ユーザー ストアおよび ID プロバイダーとして Azure AD に転送できます。", - "waf": "安全" - }, - { - "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", - "severity": "中程度", - "text": "SAP BTP への SSO の実装", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "中断可能なジョブにスポット VM を使用する: これらは、割引価格で入札および購入できる VM であり、重要でないワークロードにコスト効率の高いソリューションを提供します。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", - "severity": "中程度", - "text": "SAP SuccessFactors を使用している場合は、Azure AD の自動ユーザー プロビジョニングの使用を検討してください。この統合により、SAP SuccessFactors に新しい従業員を追加するときに、Azure AD でユーザー アカウントを自動的に作成できます。 必要に応じて、Microsoft 365 または Azure AD でサポートされているその他の SaaS アプリケーションでユーザー アカウントを作成できます。 SAP SuccessFactors へのメール アドレスの書き戻しを使用します。", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + 
"service": "VM",
+ "text": "すべての VM の適切なサイズ設定",
+ "waf": "費用"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
- "service": "SAP",
- "severity": "中程度",
- "text": "既存の管理グループ ポリシーを SAP サブスクリプションに適用する",
- "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
- "waf": "オペレーションズ"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2",
+ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
+ "service": "VM",
+ "text": "正規化されたサイズと最新のサイズでサイズをスワップする VM",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "費用"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
- "severity": "高い",
- "text": "緊密に結合されたアプリケーションを同じSAPサブスクリプションに統合し、ルーティングと管理の複雑さを回避",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
- "waf": "オペレーションズ"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "VM",
+ "text": "VM の適切なサイズ設定 - 使用率を 5% 未満で監視することから始めて、その後 40% まで作業します",
+ "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "waf": "費用"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- 
"service": "SAP",
- "severity": "高い",
- "text": "サブスクリプションをスケール ユニットとして活用し、リソースをスケーリングし、環境ごとにサブスクリプションをデプロイすることを検討してください。サンドボックス、非製品、製品",
- "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
- "waf": "オペレーションズ"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Cost Optimization Checklist",
+ "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
+ "service": "VM",
+ "text": "アプリケーションをコンテナー化すると、VM の密度が向上し、スケーリングにかかるコストを節約できます",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "waf": "費用"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
- "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
- "service": "SAP",
- "severity": "高い",
- "text": "サブスクリプションのプロビジョニングの一環としてクォータを確実に増やす (例: サブスクリプション内で使用可能な VM コアの合計数)",
- "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "waf": "オペレーションズ"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
+ "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
+ "service": "AKS",
+ "severity": "低い",
+ "text": "AKS Windows ワークロードで必要な場合は、HostProcess コンテナーを使用できます",
+ "waf": "確実"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
- "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
+ "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
+ "service": "AKS",
 "severity": "低い",
- "text": "クォータ API は、Azure サービスのクォータを表示および管理するために使用できる REST API 
です。必要に応じて使用を検討してください。",
- "waf": "オペレーションズ"
+ "text": "イベント ドリブン ワークロードを実行する場合は KEDA を使用します",
+ "waf": "パフォーマンス"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
- "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
- "service": "SAP",
- "severity": "高い",
- "text": "可用性ゾーンにデプロイする場合は、クォータが承認されたら、VM のゾーン デプロイが使用可能であることを確認します。必要なサブスクリプション、VM シリーズ、CPU の数、可用性ゾーンを含むサポート リクエストを送信します。",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58",
+ "link": "https://dapr.io/",
+ "service": "AKS",
+ "severity": "低い",
+ "text": "Dapr を使用してマイクロサービス開発を容易にする",
 "waf": "オペレーションズ"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
- "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
+ "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
+ "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
+ "service": "AKS",
 "severity": "高い",
- "text": "必要なサービスと機能が、選択した展開リージョン内で利用可能であることを確認します。ANF、ゾーンなど",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
- "waf": "オペレーションズ"
+ "text": "SLA でサポートされる AKS オファリングを使用する",
+ "waf": "確実"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
- "service": "SAP",
- "severity": "中程度",
- "text": "コストの分類とリソースのグループ化 (BillTo、部門 (または部署)、環境 (運用、ステージ、開発)、層 (Web 層、アプリケーション層)、アプリケーション所有者、プロジェクト名) に Azure リソース タグを活用します",
- "training": 
"https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
- "waf": "オペレーションズ"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
+ "severity": "低い",
+ "text": "ポッドとデプロイ定義でのディスラプション バジェットの使用",
+ "waf": "確実"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
- "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
- "service": "SAP",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure AKS Review",
+ "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
+ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
+ "service": "ACR",
 "severity": "高い",
- "text": "Azure Backup サービスを使用して HANA データベースを保護するのに役立ちます。",
- "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "text": "プライベート レジストリを使用する場合は、複数のリージョンにイメージを格納するようにリージョン レプリケーションを構成します",
 "waf": "確実"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
- "service": "SAP",
- "severity": "中程度",
- "text": "HANA、Oracle、または DB2 データベースに Azure NetApp Files をデプロイする場合は、Azure アプリケーション整合性スナップショット ツール (AzAcSnap) を使用して、アプリケーション整合性スナップショットを作成します。AzAcSnap は Oracle データベースもサポートしています。個々の VM ではなく、中央の VM で AzAcSnap を使用することを検討してください。",
- "waf": "確実"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
+ "service": "AKS",
+ "severity": "低い",
+ "text": "kubecost 
などの外部アプリケーションを使用して、さまざまなユーザーにコストを割り当てます",
+ "waf": "費用"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
- "service": "SAP",
- "severity": "高い",
- "text": "オペレーティングシステムと SAP システムの間でタイムゾーンが一致していることを確認します。",
- "waf": "オペレーションズ"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
+ "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
+ "service": "AKS",
+ "severity": "低い",
+ "text": "スケールダウンモードを使用してノードを削除/割り当て解除する",
+ "waf": "費用"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
+ "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
+ "service": "AKS",
 "severity": "中程度",
- "text": "異なるアプリケーション サービスを同じクラスターにグループ化しないでください。たとえば、DRBDとセントラルサービスクラスタを同じクラスタに組み合わせないでください。ただし、同じ Pacemaker クラスターを使用して、約 5 つの異なるセントラル サービス (マルチ SID クラスター) を管理できます。",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "確実"
+ "text": "必要に応じて、AKS クラスターで複数インスタンスの分割 GPU を使用する",
+ "waf": "費用"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
- "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
+ "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
+ "service": "AKS",
 "severity": "低い",
- "text": "スヌーズ モデルで開発/テスト システムを実行して、Azure 
の実行コストを節約および最適化することを検討してください。",
+ "text": "Dev/Test クラスターを実行している場合は、NodePool Start/Stop を使用します。",
 "waf": "費用"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
- "link": "https://learn.microsoft.com/azure/lighthouse/overview",
- "service": "SAP",
- "severity": "中程度",
- "text": "お客様の SAP 資産を管理することでお客様と提携する場合は、Azure Lighthouse をご検討ください。Azure Lighthouse を使用すると、マネージド サービス プロバイダーは Azure ネイティブ ID サービスを使用して、顧客の環境に対する認証を行うことができます。顧客はいつでもアクセスを取り消し、サービスプロバイダーの行動を監査できるため、制御を顧客の手に委ねることができます。",
- "waf": "オペレーションズ"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
+ "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
+ "service": "AKS",
+ "severity": "中程度",
+ "text": "Azure Policy for Kubernetes を使用してクラスターのコンプライアンスを確保する",
+ "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
- "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
- "service": "SAP",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
+ "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
 "severity": "中程度",
- "text": "Azure Update Manager を使用して、1 つまたは複数の VM で利用可能な更新プログラムの状態を確認し、定期的な修正プログラムの適用をスケジュールすることを検討します。",
- 
"training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", - "waf": "オペレーションズ" + "text": "ユーザー/システムノードプールを使用してコントロールプレーンからアプリケーションを分離する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", "severity": "低い", - "text": "SAP Landscape Management (LaMa) を使用して SAP Basis の運用を最適化および管理します。Azure 用の SAP LaMa コネクタを使用して、SAP システムの再配置、コピー、複製、更新を行います。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", - "waf": "オペレーションズ" + "text": "システム ノードプールにテイントを追加して専用にする", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "severity": "中程度", - "text": "Azure Monitor for SAP solutions を使用して、Azure 上の SAP ワークロード (SAP HANA、高可用性 SUSE クラスター、SQL システム) を監視します。Azure Monitor for SAP solutions を SAP Solution Manager で補完することを検討してください。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "オペレーションズ" - }, - { - "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", - "severity": 
"高い", - "text": "SAP の VM 拡張機能チェックを実行します。VM Extension for SAP では、仮想マシン (VM) の割り当てられたマネージド ID を使用して、VM の監視および構成データにアクセスします。このチェックにより、SAP アプリケーションのすべてのパフォーマンス メトリックが、基になる Azure Extension for SAP からのものであることが確認されます。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", - "waf": "オペレーションズ" + "text": "イメージにはプライベート レジストリ (ACR など) を使用する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "severity": "中程度", - "text": "アクセス制御とコンプライアンス レポートに Azure Policy を使用します。Azure Policy には、一貫したポリシーの遵守と迅速な違反検出を保証するために、組織全体の設定を適用する機能が用意されています。", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "オペレーションズ" + "text": "イメージをスキャンして脆弱性を検出する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", - "severity": "中程度", - "text": "Azure Network Watcher の接続モニターを使用して、SAP データベースとアプリケーション サーバーの待機時間メトリックを監視します。または、Azure Monitor を使用してネットワーク待機時間の測定値を収集して表示します。", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", + "severity": 
"高い", + "text": "アプリの分離要件を定義する (名前空間/ノードプール/クラスター)", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "severity": "中程度", - "text": "プロビジョニングされた Azure インフラストラクチャで SAP HANA の品質チェックを実行して、プロビジョニングされた VM が SAP HANA on Azure のベスト プラクティスに準拠していることを確認します。", - "waf": "オペレーションズ" + "text": "CSI シークレット ストア ドライバーを使用して Azure Key Vault にシークレットを格納する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", "severity": "高い", - "text": "Azure サブスクリプションごとに、ゾーン デプロイの前に Azure 可用性ゾーンで待機時間テストを実行して、SAP on Azure のデプロイ用に待機時間の短いゾーンを選択します。", - "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "waf": "パフォーマンス" + "text": "クラスターにサービス プリンシパルを使用する場合は、資格情報を定期的に (四半期ごとなど) 更新します", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "severity": "中程度", - "text": 
"回復性レポートを実行して、プロビジョニングされた Azure インフラストラクチャ (コンピューティング、データベース、ネットワーク、ストレージ、Site Recovery) 全体の構成が、Cloud Adaption Framework for Azure によって定義された構成に準拠していることを確認します。", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", - "waf": "確実" + "text": "必要に応じて、キー管理サービスの etcd 暗号化を追加します", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", - "severity": "中程度", - "text": "SAP 用 Microsoft Sentinel ソリューションを使用して脅威保護を実装します。このソリューションを使用して、SAPシステムを監視し、ビジネスロジック層とアプリケーション層全体で高度な脅威を検出します。", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、Confidential Compute for AKS の使用を検討してください", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "severity": "中程度", - "text": "Azure のタグ付けを利用して、リソースを論理的にグループ化して追跡し、デプロイを自動化し、最も重要なこととして、発生したコストを可視化できます。", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", - "waf": "オペレーションズ" + "text": "Defender for Containers の使用を検討する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": 
"04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", - "severity": "低い", - "text": "待機時間の影響を受けやすいアプリケーションには、VM 間の待機時間の監視を使用します。", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", + "severity": "高い", + "text": "サービス プリンシパルの代わりにマネージド ID を使用するUse managed identities instead of Service Principals", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "severity": "中程度", - "text": "Azure Site Recovery の監視を使用して、SAP アプリケーション サーバーのディザスター リカバリー サービスの正常性を維持します。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "確実" + "text": "認証と AAD の統合 (マネージド統合を使用)", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "severity": "中程度", - "text": "すべてのデータベース・ファイル・システムおよび実行可能プログラムをウイルス対策スキャンから除外します。これらを含めると、パフォーマンスの問題が発生する可能性があります。除外リストの規範的な詳細については、データベースベンダーに確認してください。たとえば、ウイルス対策スキャンから/oracle//sapdataを除外することをお薦めします。", - "waf": "パフォーマンス" + "text": "管理者 kubeconfig へのアクセスを制限する (get-credentials --admin)", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", - "severity": "低い", - "text": "移行後に、HANA以外のデータベースの完全なデータベース統計を収集することを検討してください。たとえば、SAP ノート 1020260 - Oracle 統計の配信を実装します。", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", + "severity": "中程度", + "text": "承認と AAD RBAC の統合", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", - "severity": "中程度", - "text": "SAP on Azure を使用するすべての Oracle デプロイには、Oracle Automatic Storage Management (ASM) の使用を検討してください。", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", + "severity": "高い", + "text": "Kubernetes で RBAC 特権を制限するために名前空間を使用する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "severity": "中程度", - "text": "Oracle を実行している SAP on Azure の場合、SQL スクリプトのコレクションは、パフォーマンスの問題の診断に役立ちます。 自動ワークロード・リポジトリ(AWR)レポートには、Oracleシステムの問題を診断するための貴重な情報が含まれています。AWRレポートは、複数のセッションで実行し、ピーク時間を選択して、分析を広範囲にカバーすることをお薦めします。", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "パフォーマンス" + "text": "ポッド ID アクセス管理の場合は、Azure AD ワークロード ID (プレビュー) を使用します", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "severity": "高い", - "text": "Azure Site Recovery の監視を使用して、SAP アプリケーション サーバーのディザスター リカバリー サービスの正常性を維持します。", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", + "severity": "中程度", + "text": "AKS 非対話型ログインの場合は、kubelogin (プレビュー) を使用します", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": 
"where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "severity": "中程度", - "text": "HTTP/S アプリを安全に配信するには、Application Gateway v2 を使用し、WAF の保護とポリシーが有効になっていることを確認します。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "text": "AKS ローカル アカウントを無効にする", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", - "severity": "中程度", - "text": "Azure への移行中に仮想マシンの DNS または仮想名が変更されない場合、バックグラウンド DNS と仮想名によって SAP ランドスケープ内の多くのシステム インターフェイスが接続され、お客様は、開発者が時間の経過と共に定義するインターフェイスに気付くことがあります。移行後に仮想名または DNS 名が変更されると、さまざまなシステム間で接続の問題が発生するため、このような問題を防ぐために DNS エイリアスを保持することをお勧めします。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて Just-In-Time クラスター アクセスを構成する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": 
"https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて AKS の AAD 条件付きアクセスを構成する", + "waf": "安全" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "低い", + "text": "Windows AKS ワークロードで必要な場合は、gMSA を構成します", + "waf": "安全" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", "severity": "中程度", - "text": "異なる DNS ゾーンを使用して、各環境 (サンドボックス、開発、運用前、運用) を互いに区別します。例外は、独自の VNet を使用する SAP デプロイの場合です。ここでは、プライベート DNS ゾーンは必要ない場合があります。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "オペレーションズ" + "text": "より細かく制御するには、マネージドKubelet Identityの使用を検討してください", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "severity": "中程度", - "text": "ローカルとグローバルの VNet ピアリングは接続を提供し、複数の Azure リージョンにまたがる SAP デプロイのランディング ゾーン間の接続を確保するための推奨されるアプローチです", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "text": "AGIC を使用している場合は、クラスター間で AppGW を共有しないでください", "waf": "確実" }, { - "checklist": "SAP 
Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "severity": "高い", - "text": "SAP アプリケーションと SAP データベース サーバー間の NVA のデプロイはサポートされていません", - "training": "https://me.sap.com/notes/2731110", - "waf": "パフォーマンス" + "text": "AKS HTTP ルーティング アドオンを使用せず、代わりにアプリケーション ルーティング アドオンでマネージド NGINX イングレスを使用します。", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "severity": "中程度", - "text": "Azure リージョンとオンプレミスの場所をまたいだグローバルなトランジット接続が必要な新規ネットワーク、大規模ネットワーク、またはグローバル ネットワークでの Azure デプロイに Virtual WAN を使用します。このアプローチでは、Azure ネットワークの推移的なルーティングを手動で設定する必要はなく、SAP on Azure デプロイの標準に従うことができます。", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "オペレーションズ" + "text": "Windows ワークロードの場合は、高速ネットワークを使用します", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": 
"SAP", - "severity": "中程度", - "text": "パートナーの NVA が使用されている場合にのみ、リージョン間でネットワーク仮想アプライアンス (NVA) をデプロイすることを検討してください。ネイティブ NVA が存在する場合、リージョン間または VNet 間の NVA は必要ありません。パートナーのネットワーク テクノロジと NVA をデプロイする場合は、ベンダーのガイダンスに従って、Azure ネットワークと競合する構成を確認します。", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", + "severity": "高い", + "text": "標準のALBを使用する(基本的なALBとは対照的)", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "severity": "中程度", - "text": "Virtual WAN は、仮想 WAN ベースのトポロジのスポーク VNet 間の接続を管理し (ユーザー定義ルーティング (UDR) または NVA を設定する必要はありません)、同じ仮想ハブ内の VNet 間トラフィックの最大ネットワーク スループットは 50 ギガビット/秒です。必要に応じて、SAP ランディング ゾーンは VNet ピアリングを使用して他のランディング ゾーンに接続し、この帯域幅の制限を克服できます。", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "オペレーションズ" + "text": "Azure CNI を使用する場合は、NodePool に異なるサブネットを使用することを検討してください", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "高い", - "text": "SAP ワークロードを実行している VM へのパブリック IP の割り当てはお勧めしません。", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", + "severity": "中程度", + "text": "プライベート エンドポイント (推奨) または Virtual Network サービス エンドポイントを使用して、クラスターから PaaS サービスにアクセスする", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "高い", - "text": "ASRの設定時にDR側でIPアドレスを予約することを検討してください", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "オペレーションズ" + "text": "要件に最適な CNI ネットワーク プラグインを選択する (Azure CNI を推奨)", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "高い", - "text": "運用サイトと DR サイトで重複する IP アドレス範囲を使用しないでください。", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "オペレーションズ" + "text": "Azure CNI を使用する場合は、ノードあたりのポッドの最大数を考慮して、サブネットのサイズを適切に設定します", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", - "severity": "中程度", - "text": "Azure では 1 つの VNet に複数の委任されたサブネットを作成できますが、Azure NetApp Files の VNet に存在できる委任されたサブネットは 1 つだけです。Azure NetApp Files に複数の委任されたサブネットを使用すると、新しいボリュームを作成しようとしても失敗します。", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "高い", + "text": "Azure CNI を使用している場合は、最大ポッド数/ノード (既定値は 30) を確認します", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", - "severity": "中程度", - "text": "Azure Firewall を使用して、インターネットへの Azure 送信トラフィック、HTTP/S 以外の受信接続、East/West トラフィック フィルター処理 (組織で必要な場合) を管理します", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "内部アプリの場合、組織は多くの場合、ファイアウォールで AKS 
サブネット全体を開きます。これにより、ノードへのネットワーク アクセスも開かれ、場合によってはポッドへのネットワーク アクセスも開かれます (Azure CNI を使用している場合)。LoadBalancer の IP が別のサブネットにある場合は、この IP のみをアプリ クライアントで使用できる必要があります。もう 1 つの理由は、AKS サブネット内の IP アドレスが希少なリソースである場合、その IP アドレスをサービスに使用すると、クラスターの最大スケーラビリティが低下することです。", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "低い", + "text": "プライベート IP LoadBalancer サービスを使用する場合は、(AKS サブネットではなく) 専用サブネットを使用します", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", - "severity": "中程度", - "text": "Application Gateway、SAP Web Dispatcher、およびその他のサードパーティ サービスの比較に示すように、Application Gateway が SAP Web アプリのリバース プロキシとして機能する場合、Application Gateway と Web Application Firewall には制限があります。", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "高い", + "text": "それに応じて、サービスの IP アドレス範囲のサイズを設定します (クラスターのスケーラビリティが制限されます)。", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", - "severity": "中程度", - "text": "Azure Front Door と WAF ポリシーを使用して、ランディング ゾーンへの受信 HTTP/S 接続に対して Azure リージョン全体でグローバル保護を提供します。", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + 
"severity": "低い", + "text": "必要に応じて、独自のCNIプラグインを追加します", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", - "severity": "中程度", - "text": "Azure Front Door と Application Gateway を使用して HTTP/S アプリケーションを保護する場合は、Azure Front Door の Web アプリケーション ファイアウォール ポリシーを利用します。Application Gateway をロックダウンして、Azure Front Door からのトラフィックのみを受信します。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、AKS でノードごとにパブリック IP を構成する", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "severity": "中程度", - "text": "Web アプリケーション ファイアウォールを使用して、インターネットに公開されているトラフィックをスキャンします。別のオプションとして、ロード バランサーや、Application Gateway やサードパーティ ソリューションなどのファイアウォール機能が組み込まれているリソースと共に使用することもできます。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "安全" + "text": "イングレス コントローラーを使用して、LoadBalancer タイプのサービスで公開する代わりに、Web ベースのアプリを公開します", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": 
"https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", - "severity": "中程度", - "text": "Azure リージョンとオンプレミスの場所をまたいだグローバルなトランジット接続が必要な新規ネットワーク、大規模ネットワーク、またはグローバル ネットワークでの Azure デプロイに Virtual WAN を使用します。このアプローチでは、Azure ネットワークの推移的なルーティングを手動で設定する必要はなく、SAP on Azure デプロイの標準に従うことができます。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", + "severity": "低い", + "text": "エグレス トラフィックをスケーリングするために Azure NAT Gateway を outboundType として使用する", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", "severity": "中程度", - "text": "データ漏えいを防ぐには、Azure Private Link を使用して、Azure Blob Storage、Azure Files、Azure Data Lake Storage Gen2、Azure Data Factory などのサービスとしてのプラットフォーム リソースに安全にアクセスします。Azure プライベート エンドポイントは、VNet と Azure Storage、Azure Backup などのサービス間のトラフィックをセキュリティで保護するのにも役立ちます。VNet とプライベート エンドポイント対応サービス間のトラフィックは、Microsoft グローバル ネットワークを経由するため、パブリック インターネットへの公開は防止されます。", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "安全" + "text": "Azure CNI IP の枯渇を回避するために IP の動的割り当てを使用する", + "waf": "確実" }, { - "checklist": "SAP Checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": 
"https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "severity": "高い", - "text": "SAP アプリケーションと DBMS レイヤーで使用される VM で Azure 高速ネットワークが有効になっていることを確認します。", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "パフォーマンス" - }, - { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", - "severity": "中程度", - "text": "Azure Load Balancer の内部デプロイが Direct Server Return (DSR) を使用するように設定されていることを確認します。この設定 (フローティング IP の有効化) により、DBMS レイヤーの高可用性構成に内部ロード バランサー構成が使用されている場合の待機時間が短縮されます。", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "text": "セキュリティ要件で義務付けられている場合は、AzFW/NVA を使用してエグレス トラフィックをフィルター処理します", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and 
isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "severity": "中程度", - "text": "アプリケーション セキュリティ グループ (ASG) と NSG 規則を使用して、SAP アプリケーション層と DBMS 層の間にネットワーク セキュリティのアクセス制御リストを定義できます。ASG は、仮想マシンをグループ化してセキュリティの管理に役立てます。", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "text": "パブリック API エンドポイントを使用している場合は、アクセスできる IP アドレスを制限します", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", "severity": "高い", - "text": "ピアリングされていない異なる Azure VNet への SAP アプリケーション レイヤーと SAP DBMS の配置はサポートされていません。", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "パフォーマンス" + "text": "要件で必要な場合は、プライベート クラスターを使用します", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | 
extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "中程度", - "text": "SAP アプリケーションで最適なネットワーク待機時間を実現するには、Azure 近接通信配置グループの使用を検討してください。", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "パフォーマンス" + "text": "Windows 2019 および 2022 AKS ノードでは、Calico ネットワーク ポリシーを使用できます", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "高い", - "text": "オンプレミスと Azure の間で分割された SAP アプリケーション サーバー レイヤーと DBMS レイヤーを実行することは、まったくサポートされていません。どちらのレイヤーも、オンプレミスまたは Azure に完全に存在する必要があります。", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "パフォーマンス" + "text": "Kubernetes ネットワーク ポリシー オプションを有効にする (Calico/Azure)", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "高い", - "text": "SAP システムのデータベース管理システム (DBMS) レイヤーとアプリケーション 
レイヤーを異なる VNet でホストし、それらを VNet ピアリングに接続することは、レイヤー間の過剰なネットワーク トラフィックによって生成される可能性があるため、お勧めしません。Azure 仮想ネットワーク内のサブネットを使用して、SAP アプリケーション レイヤーと DBMS レイヤーを分離することをお勧めします。", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "費用" + "text": "Kubernetesネットワークポリシーを使用してクラスタ内のセキュリティを強化", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "高い", - "text": "Linux ゲスト・オペレーティング・システムで Load Balancer を使用する場合は、Linux ネットワーク・パラメーター net.ipv4.tcp_timestamps が 0 に設定されていることを確認します。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "パフォーマンス" + "text": "Web ワークロード (UI または API) に WAF を使用するUse a WAF for a web workloads (UI or API)", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project 
id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", "severity": "中程度", - "text": "SAP RISE/ECS デプロイの場合、仮想ピアリングは、お客様の既存の Azure 環境との接続を確立するための推奨される方法です。SAP vnet と顧客 VNet の両方がネットワーク セキュリティ グループ (NSG) で保護され、vnet ピアリングを介した SAP ポートとデータベース ポートでの通信が可能になります", + "text": "AKS Virtual Network で DDoS Standard を使用するUse DDoS Standard in the AKS Virtual Network", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "高い", - "text": "Azure VM の SAP HANA データベースのバックアップを確認します。", - "waf": "費用" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、会社の HTTP プロキシを追加します", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": 
"https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", "severity": "中程度", - "text": "Site Recovery の組み込み監視 (SAP で使用されている場合) を確認します。", - "waf": "費用" + "text": "高度なマイクロサービス通信管理にサービスメッシュの使用を検討する", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", "severity": "高い", - "text": "SAP HANA システム ランドスケープの監視に関するガイダンスを確認します。", + "text": "最も重要なメトリックに関するアラートを構成します (推奨事項については、「Container Insights」を参照してください)", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", - "severity": "中程度", - "text": "Azure Linux VM のバックアップ戦略で Oracle Database を確認します。", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", + "severity": "低い", + "text": "Azure Advisor でクラスターの推奨事項を定期的に確認する", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": 
"https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", - "severity": "中程度", - "text": "SQL Server 2016 での Azure Blob Storage の使用を確認します。", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", + "severity": "低い", + "text": "AKS 自動証明書のローテーションを有効にする", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", - "severity": "中程度", - "text": "Azure VM の自動バックアップ v2 の使用を確認します。", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", + "severity": "高い", + "text": "kubernetes のバージョンを定期的に (四半期ごとなど) アップグレードする定期的なプロセスを行うか、AKS 自動アップグレード機能を使用します", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", "severity": "高い", - "text": "Premium ディスク使用時の M シリーズの書き込みアクセラレータの有効化 (V1)", + "text": "ノードイメージのアップグレードを使用していない場合は、Linuxノードのアップグレードにkuredを使用します", "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", - "severity": "中程度", - "text": "可用性ゾーンの待機時間をテストします。", - 
"waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", + "severity": "高い", + "text": "クラスタノードイメージを定期的に(毎週など)アップグレードする定期的なプロセスを用意します", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", - "severity": "中程度", - "text": "すべての SAP コンポーネントに対して SAP EarlyWatch Alert を有効化します。", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": "低い", + "text": "アプリケーションまたはクラスター構成を複数のクラスターにデプロイするために gitop を検討してください", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", - "severity": "中程度", - "text": "SAP ABAPMeter report /SSA/CAT を使用して、SAP アプリケーション サーバーからデータベース サーバー間の待機時間を確認します。", - "training": "https://me.sap.com/notes/0002879613", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", + "severity": "低い", + "text": "プライベート クラスターで AKS コマンド呼び出しを使用することを検討する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", - 
"severity": "中程度", - "text": "CCMS を使用した SQL Server のパフォーマンス監視を確認します。", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", + "severity": "低い", + "text": "計画されたイベントの場合は、ノードの自動ドレインの使用を検討してください", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", - "severity": "中程度", - "text": "SAP アプリケーション レイヤー VM と DBMS VM 間のネットワーク待機時間をテストします (NIPING)。", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", + "severity": "高い", + "text": "独自のガバナンスプラクティスを開発して、ノードRG(別名「インフラRG」)のオペレーターによって変更が実行されないようにします", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", - "severity": "中程度", - "text": "SAP HANA Studio アラートを確認します。", - "waf": "パフォーマンス" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "低い", + "text": "カスタムノードRG(別名「インフラRG」)名を使用", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - 
"service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "severity": "中程度", - "text": "HANA_Configuration_Minichecks を使用して SAP HANA ヘルスチェックを実行します。", - "waf": "パフォーマンス" + "text": "非推奨の Kubernetes API を YAML マニフェストで使用しないでください", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", - "severity": "中程度", - "text": "Azure、オンプレミス、またはその他のクラウド環境で Windows VM と Linux VM を実行している場合は、Azure Automation の更新管理センターを使用して、セキュリティ パッチを含むオペレーティング システムの更新プログラムを管理できます。", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", + "severity": "低い", + "text": "Windows ノードのテイント", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", - "severity": "中程度", - "text": "SAP は、SAP システムを保護するために即時のアクションを必要とする非常に重要なセキュリティ パッチまたはホット フィックスをリリースしているため、SAP セキュリティ OSS ノートを定期的に確認してください。", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": 
"https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "低い", + "text": "Windows コンテナーのパッチ レベルをホストのパッチ レベルと同期させる", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "クラスタレベルでの診断設定経由", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", "severity": "低い", - "text": "SQL Server 上の SAP システムではアカウントを使用しないため、SQL Server 上の SAP システム管理者アカウントを無効にすることができます。元のシステム管理者アカウントを無効にする前に、システム管理者権限を持つ別のユーザーがサーバーにアクセスできることを確認してください。", - "waf": "安全" + "text": "マスター ログ (API ログ) を Azure Monitor または任意のログ管理ソリューションに送信する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "高い", - "text": "xp_cmdshellを無効にします。SQL Server 機能xp_cmdshell、SQL Server 内部オペレーティング システムのコマンド シェルを有効にします。これは、セキュリティ監査における潜在的なリスクです。", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、nodePool スナップショットを使用します", + "waf": "費用" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - 
"service": "SAP", - "severity": "高い", - "text": "Azure 上の SAP HANA データベース サーバーの暗号化では、SAP HANA ネイティブ暗号化テクノロジが使用されます。さらに、Azure で SQL Server を使用している場合は、Transparent Data Encryption (TDE) を使用してデータとログ ファイルを保護し、バックアップも暗号化されるようにします。", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "低い", + "text": "時間的制約のないワークロードのスポット ノード プールを検討する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", - "severity": "中程度", - "text": "Azure Storage の暗号化は、すべての Azure Resource Manager とクラシック ストレージ アカウントに対して有効になっており、無効にすることはできません。データは既定で暗号化されるため、Azure Storage 暗号化を使用するためにコードやアプリケーションを変更する必要はありません。", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "低い", + "text": "クイック バーストのために AKS 仮想ノードを検討する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": 
"Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "severity": "高い", - "text": "Azure Key Vault を使用してシークレットと資格情報を格納する", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "安全" + "text": "Container Insights (または Prometheus などの他のツール) を使用してクラスター メトリックを監視する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", - "severity": "中程度", - "text": "デプロイが成功したら、Azure リソースを LOCK して、承認されていない変更から保護することをお勧めします。また、カスタマイズされた Azure ポリシー (Custome ロール) を使用して、サブスクリプションごとに LOCK の制約とルールを適用することもできます。", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", + "severity": "高い", + "text": "Container Insights(またはTelegraf/ElasticSearchなどの他のツール)を使用してクラスターログを保存および分析します", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": 
"https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", "severity": "中程度", - "text": "論理的な削除ポリシーと消去ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "安全" + "text": "ノードの CPU とメモリの使用率を監視する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", - "severity": "高い", - "text": "既存の要件、規制、コンプライアンス制御 (内部/外部) に基づいて、必要な Azure ポリシーと Azure RBAC ロールを決定します", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "安全" - }, - { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "高い", - "text": "SAP 環境でMicrosoft Defender for Endpointを有効にする場合は、すべてのサーバーを対象とするのではなく、DBMS サーバー上のデータとログ ファイルを除外することをお勧めします。ターゲット ファイルを除外する場合は、DBMS ベンダーの推奨事項に従ってください。", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "中程度", + "text": "Azure CNI を使用している場合は、ノードごとに消費されるポッド IP の割合を監視します", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": 
"https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", - "severity": "高い", - "text": "Microsoft Defender for Cloud の Just-In-Time アクセス権を持つ SAP 管理者カスタム ロールを委任します。", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "OS ディスクの I/O は重要なリソースです。ノード内の OS が I/O で調整されると、予期しない動作が発生し、通常はノードが NotReady と宣言される可能性があります", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", + "severity": "中程度", + "text": "ノード内の OS ディスク キューの深さを監視する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "低い", - "text": "サードパーティのセキュリティ製品を DIAG (SAP GUI)、RFC、および SPNEGO for HTTPS のセキュアネットワーク通信 (SNC) と統合することにより、転送中のデータを暗号化します。", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", + "severity": "中程度", + "text": "AzFW/NVA でエグレス フィルター処理を使用しない場合は、標準の ALB によって割り当てられた SNAT ポートを監視します", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + 
"checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", "severity": "中程度", - "text": "プリンシパル暗号化機能には既定で Microsoft マネージド キーを使用し、必要に応じてカスタマー マネージド キーを使用します。", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "安全" + "text": "AKS クラスターのリソース正常性通知をサブスクライブするSubscribe to resource health notifications for your AKS cluster", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "高い", - "text": "Azure Key Vault は、アプリケーションごと、環境ごと、リージョンごとに使用します。", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "安全" + "text": "ポッド仕様で要求と制限を構成する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "severity": "高い", - "text": "HANA 以外の Windows オペレーティング システムと Windows 以外のオペレーティング システムのディスク暗号化キーとシークレットを制御および管理するには、Azure Key Vault を使用します。SAP HANA は Azure Key Vault ではサポートされていないため、SAP ABAP キーや SSH キーなどの代替方法を使用する必要があります。", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "中程度", + "text": "名前空間のリソースクォータを適用する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", "severity": "高い", - "text": "SAP on Azure スポーク サブスクリプションのロールベースのアクセス制御 (RBAC) ロールをカスタマイズして、偶発的なネットワーク関連の変更を回避します", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "安全" + "text": "サブスクリプションにノードプールをスケールアウトするのに十分なクォータがあることを確認する", + "waf": "オペレーションズ" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", - "severity": "高い", - "text": "DMZ と NVA を SAP 資産の残りの部分から分離し、Azure Private Link を構成し、SAP on Azure リソースを安全に管理および制御します", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "中程度", + "text": "Cluster Autoscaler を使用する", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": 
"https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", "severity": "低い", - "text": "Azure で Microsoft マルウェア対策ソフトウェアを使用して、悪意のあるファイル、アドウェア、その他の脅威から仮想マシンを保護することを検討してください。", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "安全" + "text": "AKS ノード プールのノード構成をカスタマイズする", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "低い", - "text": "さらに強力な保護を行うには、Microsoft Defender for Endpointの使用を検討してください。", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "中程度", + "text": "必要に応じてHorizontal Pod Autoscalerを使用します", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "ノードが大きくなると、パフォーマンスが向上し、エフェメラル 
ディスクや高速ネットワークなどの機能が提供されますが、爆発半径が大きくなり、スケーリングの粒度が低下します", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", "severity": "高い", - "text": "仮想ネットワーク ピアリングによってスポーク ネットワークに接続されているハブ仮想ネットワークを介してすべてのトラフィックを渡すことで、SAP アプリケーションとデータベース サーバーをインターネットまたはオンプレミス ネットワークから分離します。ピアリングされた仮想ネットワークにより、SAP on Azure ソリューションがパブリック インターネットから分離されることが保証されます。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "安全" + "text": "大きすぎず小さすぎない適切なノードサイズを検討してください", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", "severity": "低い", - "text": "SAP Fiori などのインターネットに接続するアプリケーションの場合は、セキュリティレベルを維持しながら、アプリケーション要件ごとに負荷を分散してください。レイヤー 7 セキュリティについては、Azure Marketplace で入手できるサードパーティの Web アプリケーション ファイアウォール (WAF) を使用できます。", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "waf": "安全" + "text": "スケーラビリティのために 5,000 を超えるノードが必要な場合は、追加の AKS クラスターの使用を検討してください", + "waf": "パフォーマンス" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", - "severity": "中程度", - "text": "Azure Monitor for SAP solutions でセキュリティで保護された通信を有効にするには、ルート証明書またはサーバー証明書のいずれかを使用することを選択できます。ルート証明書を使用することを強くお勧めします。", - "training": 
"https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "severity": "低い", + "text": "AKS 自動化のために EventGrid イベントをサブスクライブすることを検討する", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", - "severity": "高い", - "text": "ADDS ドメイン コントローラーがネイティブ Azure の ID サブスクリプションにデプロイされていることを確認する", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "低い", + "text": "AKS クラスターで実行時間の長い操作を行う場合は、イベントの終了を検討してください", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", - "severity": "中程度", - "text": "Azure ベースのリソース (Azure VMware Solution を含む) からの認証要求を Azure にローカルに保持するように ADDS サイトとサービスが構成されていることを確認します", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", + "severity": "低い", + "text": "必要に応じて、AKS ノードに Azure Dedicated Hosts を使用することを検討してください", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "severity": "高い", - "text": "vCenterがADDに接続されていることを確認し、「名前付きユーザーアカウント」に基づく認証を有効にします", - "waf": "安全" + "text": "エフェメラル OS ディスクを使用する", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", - "severity": "中程度", - "text": "vCenter から ADDS への接続でセキュア プロトコル (LDAPS) が使用されていることを確認します", - "waf": "安全" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", - "severity": "中程度", - "text": "vCenter IdP の CloudAdmin アカウントは、緊急アカウント(非常用アカウント)としてのみ使用されます", - "waf": "安全" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", "severity": "高い", - "text": "NSX-Manager が外部 ID プロバイダ (LDAPS) と統合されていることを確認します。", - "waf": "安全" + "text": "非エフェメラル ディスクの場合、複数のポッドを実行するには高いパフォーマンスが必要であり、既定の AKS ログ ローテーションしきい値で巨大なログが生成されるため、多くのポッド/ノードを実行する場合は、ノードに高い IOPS とより大きな OS ディスクを使用します", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware 
Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", - "severity": "中程度", - "text": "VMware vSphere 内で使用するために RBAC モデルが作成されているか", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "低い", + "text": "ハイパー パフォーマンス ストレージ オプションの場合は、AKS 上の Ultra Disks を使用します", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "severity": "中程度", - "text": "RBAC アクセス許可は、特定のユーザーではなく、ADDS グループに付与する必要があります", - "waf": "安全" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", - "severity": "高い", - "text": "Azure の Azure VMware Solution リソースに対する RBAC アクセス許可は、限られた所有者のセットのみに \"ロックダウン\" されます", - "waf": "安全" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", - "severity": "高い", - "text": "すべてのカスタム ロールのスコープが CloudAdmin で許可された承認で設定されていることを確認する", - "waf": "安全" + "text": "クラスター内に状態を保持することは避け、外部 (AzStorage、AzSQL、Cosmos など) にデータを格納します", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", - 
"severity": "高い", - "text": "お客様のユース ケースに適した Azure VMware Solution 接続モデルが選択されているか", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", + "severity": "中程度", + "text": "AzFiles Standard を使用する場合は、パフォーマンス上の理由から AzFiles Premium や ANF を検討してください", "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", - "severity": "高い", - "text": "オンプレミスから Azure への ExpressRoute または VPN 接続が \"接続モニター\" を使用して監視されていることを確認する", - "waf": "オペレーションズ" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", + "severity": "中程度", + "text": "Azure ディスクと AZ を使用する場合は、適切なゾーンにストレージをプロビジョニングするために VolumeBindingMode:WaitForFirstConsumer を使用して LRS ディスクのゾーン内にノードプールを配置するか、複数のゾーンにまたがるノードプールに ZRS ディスクを使用することを検討してください", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "severity": "中程度", - "text": "Azure VMware Solution バックエンドの ExpressRoute 接続を監視するために、Azure ネイティブ リソースから Azure VMware Solution 仮想マシンへの接続モニターが作成されていることを確認します", + "text": "Azure Center for SAP solutions (ACSS) は、SAP を Azure 上のトップレベルのワークロードにする Azure オファリングです。ACSS は、SAP システムを Azure 上の統合ワークロードとして作成および実行し、イノベーションのためのよりシームレスな基盤を提供するエンドツーエンドのソリューションです。新規と既存の Azure ベースの SAP 
システムの両方の管理機能を利用できます。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "severity": "中程度", - "text": "エンド 2 エンドの接続を監視するために、オンプレミス リソースから Azure VMware Solution 仮想マシンへの接続モニターが作成されていることを確認します", + "text": "Azure では、Linux と Windows での SAP デプロイの自動化がサポートされています。SAP Deployment Automation Framework は、SAP 環境をデプロイ、インストール、および保守できるオープンソースのオーケストレーション ツールです。", + "training": "https://github.com/Azure/sap-automation", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "severity": "高い", - "text": "ルート サーバーを使用する場合は、ルート サーバーから ExR ゲートウェイ、オンプレミスに伝達されるルートが 1000 を超えないようにします (ARS 制限)。", - "waf": "オペレーションズ" + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", + "severity": "中程度", + "text": "運用データベースのポイントインタイム リカバリを、RTOを満たす任意の時点および時間枠で実行します。ポイント・イン・タイム・リカバリには、通常、DBMSレイヤー上またはSAPを介してデータを削除するオペレーター・エラーが含まれます", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", - "severity": "高い", - "text": "Azure Portal で Azure VMware Solution リソースを管理するロールに対して Privileged Identity Management が実装されていますか (永続的なアクセス許可は許可されません)", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": 
"c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", + "severity": "中程度", + "text": "バックアップと復旧の時間をテストして、災害発生後にすべてのシステムを同時に復元するための RTO 要件を満たしていることを確認します。", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", "severity": "高い", - "text": "Privileged Identity Management 監査レポートは、Azure VMware Solution PIM ロールに対して実装する必要がある", - "waf": "安全" + "text": "ペアのリージョン間で Standard Storage をレプリケートすることはできますが、Standard Storage を使用してデータベースや仮想ハード ディスクを格納することはできません。バックアップは、使用するペアのリージョン間でのみレプリケートできます。その他のすべてのデータについては、SQL Server Always On や SAP HANA システム レプリケーションなどのネイティブ DBMS 機能を使用してレプリケーションを実行します。SAP アプリケーション層には、Site Recovery、rsync または robocopy、およびその他のサードパーティ ソフトウェアを組み合わせて使用します。", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "中程度", - "text": "Privileged Identity Management を使用している場合は、Azure VMware Solution のホストの自動置換通知用の有効な SMTP レコードを使用して、有効な Entra ID が有効なアカウントが作成されていることを確認します。(常任許可が必要)", - "waf": "安全" + "text": "Azure Availability Zones を使用して高可用性を実現する場合は、SAP アプリケーション サーバーとデータベース サーバー間の待機時間を考慮する必要があります。待機時間が長いゾーンでは、SAP アプリケーション サーバーとデータベース サーバーが常に同じゾーンで実行されていることを確認するための運用手順を実施する必要があります。", + "training": 
"https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", "severity": "高い", - "text": "CloudAdmin アカウントの使用を緊急アクセスのみに制限する", - "waf": "安全" + "text": "オンプレミスからプライマリおよびセカンダリの Azure ディザスター リカバリー リージョンへの ExpressRoute 接続を設定します。また、ExpressRoute を使用する代わりに、オンプレミスからプライマリおよびセカンダリの Azure ディザスター リカバリー リージョンへの VPN 接続を設定することも検討してください。", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", - "severity": "中程度", - "text": "vCenter Server でカスタム RBAC ロールを作成して、vCenter 内に最小特権モデルを実装します", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", + "severity": "低い", + "text": "証明書、シークレット、キーなどのキー コンテナーの内容をリージョン間でレプリケートして、DR リージョン内のデータの暗号化を解除できるようにします。", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "中程度", - "text": "cloudadmin (vCenter) と admin (NSX) の資格情報を定期的にローテーションするように定義されたプロセスです。", 
- "waf": "安全" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", - "severity": "高い", - "text": "一元化された ID プロバイダーを使用して、Azure VMware Solution で実行されているワークロード (VM) に使用する", - "waf": "安全" + "text": "プライマリ仮想ネットワークとディザスター リカバリー仮想ネットワークをピアリングします。たとえば、HANA システム レプリケーションの場合、SAP HANA DB 仮想ネットワークは、ディザスター リカバリー サイトの SAP HANA DB 仮想ネットワークにピアリングする必要があります。", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", - "severity": "中程度", - "text": "East-West トラフィック フィルタリングは NSX-T 内に実装されていますか", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "低い", + "text": "SAP デプロイに Azure NetApp Files ストレージを使用する場合は、少なくとも、Premium レベルの 2 つのリージョンに 2 つの Azure NetApp Files アカウントを作成します。", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "高い", - "text": "Azure VMware Solution 上のワークロードは、インターネットに直接公開されません。トラフィックは、Azure Application Gateway、Azure Firewall、またはサード パーティのソリューションによってフィルター処理され、検査されます", - "waf": "安全" + "text": "ネイティブのデータベースレプリケーションテクノロジーを使用して、HAペアでデータベースを同期する必要があります。", + "training": 
"https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", "severity": "高い", - "text": "監査とログ記録は、Azure VMware Solution および Azure VMware Solution ベースのワークロードへの受信インターネット要求に対して実装されます", - "waf": "安全" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", - "severity": "中程度", - "text": "セッション監視は、疑わしい/悪意のあるアクティビティを特定するために、Azure VMware Solution または Azure VMware Solution ベースのワークロードからの送信インターネット接続に実装されます", - "waf": "安全" + "text": "プライマリ仮想ネットワーク (VNet) の CIDR は、DR サイトの VNet の CIDR と競合したり重複したりしないようにする必要があります", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", - "severity": "中程度", - "text": "Azure の ExR/VPN Gateway サブネットで DDoS Standard 保護が有効になっているか", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "高い", + "text": "Site Recovery を使用して、アプリケーション サーバーを DR サイトにレプリケートします。Site Recovery は、セントラル サービス クラスター VM を DR サイトにレプリケートする場合にも役立ちます。DR を呼び出すときは、DR サイトで Linux Pacemaker クラスターを再構成する必要があります (たとえば、VIP または SBD の置き換え、corosync.conf の実行など)。", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "確実" }, { 
- "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", - "severity": "中程度", - "text": "専用の特権アクセス ワークステーション (PAW) を使用して、Azure VMware Solution、vCenter、NSX Manager、HCX Manager を管理する", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "高い", + "text": "単一障害点に対する SAP ソフトウェアの可用性を検討します。これには、SAP NetWeaver や SAP S/4HANA アーキテクチャ、SAP ABAP、ASCS + SCS で使用される DBMS などのアプリケーション内の単一障害点が含まれます。また、SAP Web ディスパッチャなどの他のツールも必要です。", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", - "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードに対して Advanced Threat Detection (Microsoft Defender for Cloud 別名 ASC) を有効にする", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "高い", + "text": "SAP および SAP データベースの場合は、自動フェールオーバー クラスターの実装を検討してください。Windows では、Windows Server フェールオーバー クラスタリングがフェールオーバーをサポートします。Linux では、Linux Pacemaker や、SIOS Protection Suite や Veritas InfoScale などのサードパーティツールがフェイルオーバーをサポートしています。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - 
"guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", - "severity": "中程度", - "text": "Azure ARC for Servers を使用して、Azure ネイティブ テクノロジを使用して Azure VMware Solution で実行されているワークロードを適切に管理します (Azure ARC for Azure VMware Solution はまだ利用できません)", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "高い", + "text": "Azure では、プライマリ VM とセカンダリ VM が DBMS データのストレージを共有するアーキテクチャはサポートされていません。DBMSレイヤーの場合、一般的なアーキテクチャパターンは、プライマリおよびセカンダリVMが使用するストレージスタックとは異なるストレージスタックを使用して、データベースを同時にレプリケートすることです。", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", - "severity": "低い", - "text": "Azure VMware Solution 上のワークロードで、実行時に十分なデータ暗号化 (ゲスト内ディスク暗号化や SQL TDE など) が使用されるようにします。(保存時の vSAN 暗号化がデフォルトです)", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", + "severity": "高い", + "text": "DBMS データとトランザクション/REDO ログ ファイルは、Azure でサポートされているブロック ストレージまたは Azure NetApp Files に格納されます。Azure Files または Azure Premium Files は、SAP ワークロードでの DBMS データや再実行ログ ファイルのストレージとしてはサポートされていません。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", - "severity": "低い", - "text": "ゲスト内暗号化を使用する場合は、可能な場合は Azure Key Vault に暗号化キーを格納します", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "severity": "高い", + "text": "Windows の Azure 共有ディスクは、ASCS + SCS コンポーネントと特定の高可用性シナリオに使用できます。フェールオーバー クラスターは、SAP アプリケーション層コンポーネントと DBMS 層に対して個別に設定します。現在、Azure では、SAP アプリケーション レイヤー コンポーネントと DBMS レイヤーを 1 つのフェールオーバー クラスターに結合する高可用性アーキテクチャはサポートされていません。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", - "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードには、拡張セキュリティ更新プログラムのサポートの使用を検討してください (Azure VMware Solution は ESU の対象です)", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", + "severity": "高い", + "text": "SAP アプリケーション レイヤー コンポーネント (ASCS) と DBMS レイヤーのほとんどのフェールオーバー クラスターでは、フェールオーバー クラスターの仮想 IP アドレスが必要です。 Azure Load Balancer は、他のすべてのケースで仮想 IP アドレスを処理する必要があります。設計原則の 1 つは、クラスター構成ごとに 1 つのロード バランサーを使用することです。ロード バランサーの Standard バージョン (Standard Load Balancer SKU) を使用することをお勧めします。", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": 
"1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", "severity": "高い", - "text": "適切な vSAN データ冗長化方式(RAID 仕様)が使用されていることを確認します。", + "text": "ロードバランサーでフローティング IP が有効になっていることを確認します", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", "severity": "高い", - "text": "許容障害ポリシーが vSAN ストレージのニーズを満たすために設定されていることを確認します", + "text": "高可用性インフラストラクチャをデプロイする前に、選択したリージョンに応じて、Azure 可用性セットと可用性ゾーンのどちらを使用してデプロイするかを決定します。", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", "severity": "高い", - "text": "十分なクォータを要求し、拡張とディザスタリカバリの要件を考慮していることを確認します", + "text": "SAP コンポーネント (セントラル サービス、アプリケーション サーバー、データベース) のアプリケーションのインフラストラクチャ SLA を満たす場合は、すべてのコンポーネントに対して同じ高可用性オプション (VM、可用性セット、可用性ゾーン) を選択する必要があります。", "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", - "severity": "中程度", - "text": 
"ESXiへのアクセス制限を理解し、サードパーティのソリューションに影響を与える可能性のあるアクセス制限があることを確認してください。", - "waf": "オペレーションズ" + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "高い", + "text": "同じ可用性セット内に異なるロールのサーバーを混在させないでください。セントラル サービス VM、データベース VM、アプリケーション VM を独自の可用性セットに保持する", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "severity": "中程度", - "text": "ESXi ホストの密度と効率に関するポリシーがあることを確認し、新しいノードを要求するためのリード タイムを念頭に置いてください", - "waf": "オペレーションズ" + "text": "近接通信配置グループを使用しない限り、Azure 可用性ゾーン内に Azure 可用性セットをデプロイすることはできません。", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", - "severity": "中程度", - "text": "Azure VMware Solution の適切なコスト管理プロセスが整っていることを確認する - Azure Cost Management を使用できます", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "高い", + "text": "可用性セットを作成するときは、使用可能な障害ドメインと更新ドメインの最大数を使用します。たとえば、1 つの可用性セットに 2 つ以上の VM をデプロイする場合は、Azure の計画メンテナンスに加えて、潜在的な物理ハードウェア障害、ネットワークの停止、または停電の影響を制限するために、最大数の障害ドメイン (3 つ) と十分な更新ドメインを使用します。障害ドメインの既定の数は 2 であり、後でオンラインで変更することはできません。", + "training": 
"https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", - "severity": "低い", - "text": "Azure VMware Solution を使用するためのコストを最適化するために Azure 予約インスタンスが使用されているか", - "waf": "費用" + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "高い", + "text": "可用性セットのデプロイで Azure 近接通信配置グループを使用する場合は、3 つの SAP コンポーネント (セントラル サービス、アプリケーション サーバー、データベース) をすべて同じ近接通信配置グループに含める必要があります。", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", - "severity": "中程度", - "text": "他の Azure Native Services を使用する場合は、Azure Private-Link の使用を検討してください", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "高い", + "text": "SAP SID ごとに 1 つの近接配置グループを使用します。グループは、Availability Zones や Azure リージョンにまたがっていません", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "高い", - "text": "必要なすべてのリソースが同じ Azure 可用性ゾーン内に存在することを確認する", - "waf": "パフォーマンス" + "text": "オペレーティング システムに応じて、次のいずれかのサービスを使用して SAP セントラル サービス クラスターを実行します。", + "training": 
"https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "severity": "中程度", - "text": "Azure VMware Solution ゲスト VM ワークロードに対して Microsoft Defender for Cloud を有効にする", - "waf": "安全" + "text": "現在、Azure では、同じ Linux Pacemaker クラスターでの ASCS と DB HA の組み合わせはサポートされていません。それらを個々のクラスターに分離します。ただし、最大 5 つの複数のセントラル サービス クラスターを 1 つの VM のペアに結合できます。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", - "severity": "中程度", - "text": "Azure Arc 対応サーバーを使用して Azure VMware Solution ゲスト VM のワークロードを管理する", - "waf": "安全" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", - "severity": "高い", - "text": "Azure VMware Solution での診断ログとメトリック ログを有効にするEnable Diagnostic and metric logging on Azure VMware Solution", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "中程度", - "text": "Log Analytics 
エージェントを Azure VMware Solution ゲスト VM ワークロードにデプロイする",
- "waf": "オペレーションズ"
+ "text": "両方の VM を高可用性ペアの可用性セットまたは可用性ゾーンにデプロイします。これらの VM は、同じサイズで、同じストレージ構成を持つ必要があります。",
+ "waf": "確実"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "589d457a-927c-4397-9d11-02cad6aae11e",
- "service": "AVS",
+ "checklist": "SAP Checklist",
+ "guid": "7f684ebc-95da-425e-b329-e782dbed050f",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
+ "service": "SAP",
 "severity": "中程度",
- "text": "Azure VMware Solution VM ワークロードのバックアップ ポリシーとソリューションが文書化され、実装されていることを確認します",
- "waf": "オペレーションズ"
+ "text": "Azure では、Red Hat Enterprise Linux (RHEL) で実行されている同じ高可用性クラスターへの SAP HANA インスタンスと ASCS/SCS インスタンスと ERS インスタンスのインストールと構成がサポートされています。",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "ee29711b-d352-4caa-ab79-b198dab81932",
- "service": "AVS",
- "severity": "中程度",
- "text": "Microsoft Defender for Cloud を使用して、Azure VMware Solution で実行されているワークロードのコンプライアンス監視を行う",
- "waf": "安全"
+ "checklist": "SAP Checklist",
+ "guid": "07991f7d-6598-4d90-9431-45c62605d3a5",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "Premium マネージド SSD ですべての運用システムを実行し、Azure NetApp Files または Ultra Disk Storage を使用します。少なくとも、OS ディスクは Premium レベルにすることで、パフォーマンスの向上と最高の SLA を実現できます。",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
+ "waf": "確実"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547",
- "service": "AVS",
- "severity": "中程度",
- "text": 
"適用可能なコンプライアンス ベースラインは Microsoft Defender for Cloud に追加されていますか", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", + "severity": "高い", + "text": "SAP HANA on Azure は、SAP によって認定された種類のストレージでのみ実行する必要があります。該当する場合は、特定のボリュームを特定のディスク構成で実行する必要があることに注意してください。これらの構成には、書き込みアクセラレータの有効化と Premium Storage の使用が含まれます。また、ストレージ上で稼働するファイル システムが、マシン上で稼働する DBMS と互換性があることを確認する必要もあります。", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", "severity": "高い", - "text": "Azure VMware Solution のデプロイに使用する Azure リージョンを選択するときにデータ所在地が評価されましたか", - "waf": "安全" + "text": "SAP ワークロードに使用するストレージの種類に応じて、高可用性を構成することを検討してください。Azure で使用できる一部のストレージ サービスは Azure Site Recovery でサポートされていないため、高可用性の構成が異なる場合があります。", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", "severity": "高い", - "text": "データ処理への影響 (サービス プロバイダー/サービス コンシューマー モデル) が明確で文書化されているか", - "waf": "安全" + "text": "さまざまなネイティブ Azure ストレージ サービス (Azure Files、Azure NetApp 
Files、Azure Shared Disk など) は、リージョンによっては利用できない場合があります。そのため、フェールオーバー後に DR リージョンで同様の SAP 設定を行うには、それぞれのストレージ サービスが DR サイトで提供されていることを確認します。",
+ "waf": "確実"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "547c1747-dc56-4068-a714-435cd19dd244",
- "service": "AVS",
+ "checklist": "SAP Checklist",
+ "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
+ "service": "SAP",
 "severity": "中程度",
- "text": "コンプライアンス上の理由で必要な場合にのみ、vSAN に CMK (カスタマー マネージド キー) を使用することを検討してください。",
- "waf": "安全"
+ "text": "SAP システムのスタート/ストップを自動化してコストを管理します。",
+ "waf": "費用"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2",
- "service": "AVS",
- "severity": "高い",
- "text": "Azure VMware Solution のコア監視分析情報を有効にするダッシュボードを作成するCreate dashboards to enable a core Azure VMware Solution monitoring insights",
- "waf": "オペレーションズ"
+ "checklist": "SAP Checklist",
+ "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
+ "severity": "低い",
+ "text": "SAP HANA で Azure Premium Storage を使用する場合は、Azure Standard SSD ストレージを使用して、コスト意識の高いストレージ ソリューションを選択できます。ただし、Standard SSD または Standard HDD Azure Storage を選択すると、個々の VM の SLA に影響することに注意してください。また、非運用環境など、I/O スループットが低く待機時間が短いシステムでは、下位のシリーズ VM を使用できます。",
+ "waf": "費用"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2",
- "service": "AVS",
- "severity": "高い",
- "text": "Azure VMware Solution のパフォーマンス (CPU >80%、平均メモリ >80%、vSAN >70%) に関する自動アラートの重大しきい値の警告アラートを作成する",
- "waf": "オペレーションズ"
+ "checklist": "SAP Checklist",
+ "guid": 
"9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "低い", + "text": "低コストの代替構成 (多目的) として、非運用環境の HANA データベース サーバー VM に低パフォーマンスの SKU を選択できます。ただし、E シリーズなどの一部の VM の種類は、HANA 認定 (SAP HANA Hardware Directory) されていないか、ストレージ待機時間を 1 ミリ秒未満にできないことに注意することが重要です。", + "waf": "費用" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", "severity": "高い", - "text": "vSAN の消費量が 75% を下回っているかどうかを監視するための重要なアラートが作成されていることを確認します (これは VMware からのサポートしきい値です)。", - "waf": "オペレーションズ" + "text": "管理グループ、サブスクリプション、リソース グループ、およびリソースに RBAC モデルを適用する", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", - "severity": "高い", - "text": "Azure Service Health のアラートと通知に対してアラートが構成されていることを確認する", - "waf": "オペレーションズ" + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", + "severity": "中程度", + "text": "Cloud Connector を介して SAP クラウド アプリケーションからオンプレミス (IaaS を含む) に ID を転送するためのプリンシパル伝達を適用する", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": 
"AVS", + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "severity": "中程度", - "text": "処理のために Azure Storage アカウントまたは Azure EventHub に送信するように Azure VMware Solution ログを構成する", - "waf": "オペレーションズ" + "text": "SAML を使用して Azure AD で SAP Analytics Cloud、SAP Cloud Platform、Business by Design、SAP Qualtrics、SAP C4C などの SAP SaaS アプリケーションに SSO を実装します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "severity": "低い", - "text": "VMware vSphere での詳細な分析情報が必要な場合:vRealize Operations や vRealize Network Insights がソリューションで使用されていますか?", - "waf": "オペレーションズ" + "checklist": "SAP Checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", + "severity": "中程度", + "text": "SAML を使用して、SAP Fiori や SAP Web GUI などの SAP NetWeaver ベースの Web アプリケーションに SSO を実装します。", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", - "severity": "高い", - "text": "仮想マシンの vSAN ストレージ ポリシーはシック プロビジョニングを適用するため、このポリシーがデフォルトのストレージ ポリシーではないことを確認します", - "waf": "オペレーションズ" + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", + "severity": "中程度", + "text": "SAML を使用して、SAP Fiori や SAP Web GUI などの SAP NetWeaver ベースの Web アプリケーションに SSO を実装します。", + "training": 
"https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "severity": "中程度", - "text": "vSAN は有限のリソースであるため、vSphere コンテンツ ライブラリが vSAN に配置されていないことを確認する", - "waf": "オペレーションズ" + "text": "SAP NetWeaver SSO またはパートナーソリューションを使用して、SAP GUI への SSO を実装できます。", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", "severity": "中程度", - "text": "バックアップ ソリューションのデータ リポジトリが vSAN ストレージの外部に保存されていることを確認します。Azure ネイティブまたはディスク プールでバックアップされるデータストア上", - "waf": "オペレーションズ" + "text": "SAP GUI および Web ブラウザアクセスの SSO には、設定とメンテナンスが容易なため、SNC/Kerberos/SPNEGO (シンプルで保護された GSSAPI ネゴシエーションメカニズム) を実装します。X.509 クライアント証明書を使用した SSO の場合は、SAP SSO ソリューションのコンポーネントである SAP セキュアログインサーバーを検討してください。", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": 
"https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", "severity": "中程度", - "text": "Azure Arc for Servers を使用して Azure VMware Solution で実行されているワークロードがハイブリッド管理されていることを確認する (Arc for Azure VMware Solution はプレビュー段階です)", - "waf": "オペレーションズ" + "text": "SAP GUI および Web ブラウザアクセスの SSO には、設定とメンテナンスが容易なため、SNC/Kerberos/SPNEGO (シンプルで保護された GSSAPI ネゴシエーションメカニズム) を実装します。X.509 クライアント証明書を使用した SSO の場合は、SAP SSO ソリューションのコンポーネントである SAP セキュアログインサーバーを検討してください。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードが Azure Log Analytics と Azure Monitor を使用して監視されていることを確認する", - "waf": "オペレーションズ" + "text": "OAuth for SAP NetWeaver を使用して SSO を実装し、サードパーティまたはカスタムアプリケーションが SAP NetWeaver OData サービスにアクセスできるようにします。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードを、既存の更新プログラム管理ツールまたは Azure Update Management に含める", - "waf": "オペレーションズ" + "text": "SAP HANAへのSSOの実装", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": 
"c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", "severity": "中程度", - "text": "Azure Policy を使用して、Azure の管理、監視、セキュリティ ソリューションに Azure VMware Solution ワークロードをオンボードする", - "waf": "オペレーションズ" + "text": "Azure AD は、RISE でホストされている SAP システムの ID プロバイダーであると考えてください。詳細については、「サービスと Azure AD の統合」を参照してください。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", "severity": "中程度", - "text": "Azure VMware Solution で実行されているワークロードが Microsoft Defender for Cloud にオンボードされていることを確認する", + "text": "SAP にアクセスするアプリケーションでは、プリンシパル伝搬を使用して SSO を確立することができます。", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", "severity": "中程度", - "text": "vSAN は有限のリソースであるため、バックアップが vSAN に保存されないようにする", - "waf": "確実" + "text": "SAP Identity Authentication Service (IAS) を必要とする SAP BTP サービスまたは SaaS ソリューションを使用している場合は、SAP Cloud Identity Authentication Services と Azure AD の間に SSO を実装して、それらの SAP サービスにアクセスすることを検討してください。この統合により、SAP IAS はプロキシ ID プロバイダーとして機能し、認証要求を中央ユーザー ストアおよび ID プロバイダーとして Azure AD に転送できます。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", + "checklist": "SAP 
Checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", "severity": "中程度", - "text": "すべてのDRソリューションが検討され、ビジネスに最適なソリューションが決定されましたか?[SRM/JetStream/Zerto/Veeam/...]", - "waf": "確実" + "text": "SAP BTP への SSO の実装", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", "severity": "中程度", - "text": "ディザスター リカバリー テクノロジがネイティブの Azure IaaS の場合は、Azure Site Recovery を使用します", - "waf": "確実" + "text": "SAP SuccessFactors を使用している場合は、Azure AD の自動ユーザー プロビジョニングの使用を検討してください。この統合により、SAP SuccessFactors に新しい従業員を追加するときに、Azure AD でユーザー アカウントを自動的に作成できます。 必要に応じて、Microsoft 365 または Azure AD でサポートされているその他の SaaS アプリケーションでユーザー アカウントを作成できます。 SAP SuccessFactors へのメール アドレスの書き戻しを使用します。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", + "severity": "中程度", + "text": "既存の管理グループ ポリシーを SAP サブスクリプションに適用する", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "オペレーションズ" + }, + { + "checklist": "SAP Checklist", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", 
+ "service": "SAP", "severity": "高い", - "text": "いずれかの災害ソリューションで自動復旧計画を使用し、手動タスクを可能な限り回避します", - "waf": "確実" + "text": "緊密に結合されたアプリケーションを同じSAPサブスクリプションに統合し、ルーティングと管理の複雑さを回避", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", - "severity": "中程度", - "text": "地政学的リージョンのペアをセカンダリディザスタリカバリ環境として使用する", - "waf": "確実" + "checklist": "SAP Checklist", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "高い", + "text": "サブスクリプションをスケール ユニットとして活用し、リソースをスケーリングし、環境ごとにサブスクリプションをデプロイすることを検討してください。サンドボックス、非製品、製品", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", "severity": "高い", - "text": "リージョン間で 2 つの異なるアドレス空間を使用します (例: 10.0.0.0/16 と 192.168.0.0/16)。", - "waf": "確実" + "text": "サブスクリプションのプロビジョニングの一環としてクォータを確実に増やす (例: サブスクリプション内で使用可能な VM コアの合計数)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", - "severity": "中程度", - "text": "ExpressRoute Global Reach は、プライマリとセカンダリの Azure VMware Solution プライベート 
クラウド間の接続に使用されますか、それともネットワーク仮想アプライアンスを介してルーティングされますか?",
- "waf": "確実"
+ "checklist": "SAP Checklist",
+ "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
+ "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
+ "service": "SAP",
+ "severity": "低い",
+ "text": "クォータ API は、Azure サービスのクォータを表示および管理するために使用できる REST API です。必要に応じて使用を検討してください。",
+ "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711",
- "service": "AVS",
+ "checklist": "SAP Checklist",
+ "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
+ "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "可用性ゾーンにデプロイする場合は、クォータが承認されたら、VM のゾーン デプロイが使用可能であることを確認します。必要なサブスクリプション、VM シリーズ、CPU の数、可用性ゾーンを含むサポート リクエストを送信します。",
+ "waf": "オペレーションズ"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
+ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
+ "severity": "高い",
+ "text": "必要なサービスと機能が、選択した展開リージョン内で利用可能であることを確認します。ANF、ゾーンなど",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
+ "waf": "オペレーションズ"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
+ "service": "SAP",
 "severity": "中程度",
- "text": "すべてのバックアップソリューションが検討され、ビジネスに最適なソリューションが決定されましたか?[ MABS/CommVault/Metallic.io/Veeam/ . 
]", + "text": "コストの分類とリソースのグループ化 (BillTo、部門 (または部署)、環境 (運用、ステージ、開発)、層 (Web 層、アプリケーション層)、アプリケーション所有者、プロジェクト名) に Azure リソース タグを活用します", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "オペレーションズ" + }, + { + "checklist": "SAP Checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "高い", + "text": "Azure Backup サービスを使用して HANA データベースを保護するのに役立ちます。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", "severity": "中程度", - "text": "バックアップ ソリューションを Azure VMware Solution プライベート クラウドと同じリージョンにデプロイする", + "text": "HANA、Oracle、または DB2 データベースに Azure NetApp Files をデプロイする場合は、Azure アプリケーション整合性スナップショット ツール (AzAcSnap) を使用して、アプリケーション整合性スナップショットを作成します。AzAcSnap は Oracle データベースもサポートしています。個々の VM ではなく、中央の VM で AzAcSnap を使用することを検討してください。", "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "高い", + "text": "オペレーティングシステムと SAP システムの間でタイムゾーンが一致していることを確認します。", + "waf": "オペレーションズ" + }, + { + "checklist": "SAP Checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", "severity": "中程度", - "text": "バックアップ ソリューションを vSan の外部の Azure ネイティブ コンポーネントにデプロイする", + "text": "異なるアプリケーション サービスを同じクラスターにグループ化しないでください。たとえば、DRBDとセントラルサービスクラスタを同じクラスタに組み合わせないでください。ただし、同じ Pacemaker クラスターを使用して、約 5 つの異なるセントラル サービス (マルチ SID クラスター) を管理できます。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", "severity": "低い", - "text": "Azure プラットフォームによって管理されている VMware コンポーネントの復元を要求するプロセスは用意されていますか?", - "waf": "確実" + "text": "スヌーズ モデルで開発/テスト システムを実行して、Azure の実行コストを節約および最適化することを検討してください。", + "waf": "費用" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "低い", - "text": "手動デプロイの場合、すべての構成とデプロイを文書化する必要があります", + "checklist": "SAP Checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", + "severity": "中程度", + "text": "お客様の SAP 資産を管理することでお客様と提携する場合は、Azure Lighthouse をご検討ください。Azure Lighthouse を使用すると、マネージド サービス プロバイダーは Azure ネイティブ ID サービスを使用して、顧客の環境に対する認証を行うことができます。顧客はいつでもアクセスを取り消し、サービスプロバイダーの行動を監査できるため、制御を顧客の手に委ねることができます。", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "低い", - "text": "手動デプロイの場合は、Azure VMware Solution プライベート クラウドでの偶発的なアクションを防ぐために、リソース 
ロックの実装を検討してください",
+ "checklist": "SAP Checklist",
+ "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
+ "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
+ "service": "SAP",
+ "severity": "中程度",
+ "text": "Azure Update Manager を使用して、1 つまたは複数の VM で利用可能な更新プログラムの状態を確認し、定期的な修正プログラムの適用をスケジュールすることを検討します。",
+ "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5",
- "service": "AVS",
+ "checklist": "SAP Checklist",
+ "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
+ "service": "SAP",
 "severity": "低い",
- "text": "自動デプロイの場合は、最小限のプライベート クラウドをデプロイし、必要に応じてスケーリングします",
+ "text": "SAP Landscape Management (LaMa) を使用して SAP Basis の運用を最適化および管理します。Azure 用の SAP LaMa コネクタを使用して、SAP システムの再配置、コピー、複製、更新を行います。",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
 "waf": "オペレーションズ"
 },
 {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f",
- "service": "AVS",
- "severity": "低い",
- "text": "自動デプロイの場合は、デプロイを開始する前にクォータを要求または予約します",
- "waf": "オペレーションズ"
- },
- {
- "arm-service": "Microsoft.AVS/privateClouds",
- "checklist": "Azure VMware Solution Design Review",
- "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b",
- "service": "AVS",
- "severity": "低い",
- "text": "自動デプロイの場合は、適切なガバナンスのために、自動化または Azure Policy を使用して関連するリソース ロックが作成されていることを確認します",
+ "checklist": "SAP Checklist",
+ "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
+ "service": 
"SAP", + "severity": "中程度", + "text": "Azure Monitor for SAP solutions を使用して、Azure 上の SAP ワークロード (SAP HANA、高可用性 SUSE クラスター、SQL システム) を監視します。Azure Monitor for SAP solutions を SAP Solution Manager で補完することを検討してください。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "低い", - "text": "ExR 認証キーに人間が理解できる名前を実装して、キーの目的/用途を簡単に識別できるようにします", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", + "severity": "高い", + "text": "SAP の VM 拡張機能チェックを実行します。VM Extension for SAP では、仮想マシン (VM) の割り当てられたマネージド ID を使用して、VM の監視および構成データにアクセスします。このチェックにより、SAP アプリケーションのすべてのパフォーマンス メトリックが、基になる Azure Extension for SAP からのものであることが確認されます。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "低い", - "text": "Azure VMware Solution と ExpressRoute のデプロイに個別のサービス プリンシパルを使用する場合は、キー コンテナーを使用してシークレットと承認キーを格納します", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", + "severity": "中程度", + "text": "アクセス制御とコンプライアンス レポートに Azure Policy を使用します。Azure Policy には、一貫したポリシーの遵守と迅速な違反検出を保証するために、組織全体の設定を適用する機能が用意されています。", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "オペレーションズ" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "低い", - "text": "Azure VMware Solution では限られた数の並列操作しかサポートされないため、Azure VMware Solution に多くのリソースをデプロイする必要がある場合に、IaC でアクションをシリアル化するためのリソースの依存関係を定義します。", + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", + "severity": "中程度", + "text": "Azure Network Watcher の接続モニターを使用して、SAP データベースとアプリケーション サーバーの待機時間メトリックを監視します。または、Azure Monitor を使用してネットワーク待機時間の測定値を収集して表示します。", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "低い", - "text": "単一の Tier-1 ゲートウェイで NSX-T セグメントの自動構成を実行する場合は、NSX-Manager API ではなく Azure Portal API を使用します", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", + "severity": "中程度", + "text": "プロビジョニングされた Azure インフラストラクチャで SAP HANA の品質チェックを実行して、プロビジョニングされた VM が SAP HANA on Azure のベスト プラクティスに準拠していることを確認します。", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", - "severity": "中程度", - "text": "自動スケールアウトを使用する場合は、Azure VMware Solution を実行しているサブスクリプションに対して十分な Azure VMware Solution クォータを申請してください", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + 
"service": "SAP", + "severity": "高い", + "text": "Azure サブスクリプションごとに、ゾーン デプロイの前に Azure 可用性ゾーンで待機時間テストを実行して、SAP on Azure のデプロイ用に待機時間の短いゾーンを選択します。", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", "severity": "中程度", - "text": "自動スケールインを使用する場合は、そのようなアクションを実行する前に、ストレージ ポリシーの要件を必ず考慮してください", - "waf": "パフォーマンス" + "text": "回復性レポートを実行して、プロビジョニングされた Azure インフラストラクチャ (コンピューティング、データベース、ネットワーク、ストレージ、Site Recovery) 全体の構成が、Cloud Adaption Framework for Azure によって定義された構成に準拠していることを確認します。", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", "severity": "中程度", - "text": "スケーリング操作は、一度に 1 つのスケール操作しか実行できないため、常に 1 つの SDDC 内でシリアル化する必要があります (複数のクラスタが使用されている場合でも)", - "waf": "パフォーマンス" + "text": "SAP 用 Microsoft Sentinel ソリューションを使用して脅威保護を実装します。このソリューションを使用して、SAPシステムを監視し、ビジネスロジック層とアプリケーション層全体で高度な脅威を検出します。", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "checklist": "SAP Checklist", + 
"guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", "severity": "中程度", - "text": "アーキテクチャで使用されるサードパーティソリューションでのスケーリング操作を検討および検証します(サポートされているかどうか)", - "waf": "パフォーマンス" + "text": "Azure のタグ付けを利用して、リソースを論理的にグループ化して追跡し、デプロイを自動化し、最も重要なこととして、発生したコストを可視化できます。", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", - "severity": "中程度", - "text": "自動化で環境のスケールイン/スケールアウトの上限を定義して適用する", + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", + "severity": "低い", + "text": "待機時間の影響を受けやすいアプリケーションには、VM 間の待機時間の監視を使用します。", "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "中程度", - "text": "監視ルールを実装して、自動スケーリング操作を監視し、成功と失敗を監視して、適切な (自動化された) 応答を有効にします", - "waf": "オペレーションズ" + "text": "Azure Site Recovery の監視を使用して、SAP アプリケーション サーバーのディザスター リカバリー サービスの正常性を維持します。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "高い", - "text": "MONを使用する場合は、同時に構成されたVMの制限(HCXのMON制限[400 - 標準、1000 - 大規模アプライアンス])に注意してください", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "確実" + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "中程度", + "text": "すべてのデータベース・ファイル・システムおよび実行可能プログラムをウイルス対策スキャンから除外します。これらを含めると、パフォーマンスの問題が発生する可能性があります。除外リストの規範的な詳細については、データベースベンダーに確認してください。たとえば、ウイルス対策スキャンから/oracle//sapdataを除外することをお薦めします。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "高い", - "text": "MON を使用する場合、100 を超えるネットワーク拡張で MON を有効にすることはできません", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "確実" + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", + "severity": "低い", + "text": "移行後に、HANA以外のデータベースの完全なデータベース統計を収集することを検討してください。たとえば、SAP ノート 1020260 - Oracle 統計の配信を実装します。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", 
"severity": "中程度", - "text": "移行に VPN 接続を使用する場合は、それに応じて MTU サイズを調整します。", + "text": "SAP on Azure を使用するすべての Oracle デプロイには、Oracle Automatic Storage Management (ASM) の使用を検討してください。", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "severity": "中程度", - "text": "Azure に接続する接続性の低いリージョン (500 Mbps 以下) の場合は、HCX WAN 最適化アプライアンスのデプロイを検討してください", + "text": "Oracle を実行している SAP on Azure の場合、SQL スクリプトのコレクションは、パフォーマンスの問題の診断に役立ちます。 自動ワークロード・リポジトリ(AWR)レポートには、Oracleシステムの問題を診断するための貴重な情報が含まれています。AWRレポートは、複数のセッションで実行し、ピーク時間を選択して、分析を広範囲にカバーすることをお薦めします。", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", - "severity": "中程度", - "text": "移行がオンプレミスアプライアンスから開始され、クラウドアプライアンスから開始されていないことを確認します(逆移行は実行しないでください)", - "waf": "確実" + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "高い", + "text": "Azure Site Recovery の監視を使用して、SAP アプリケーション サーバーのディザスター リカバリー サービスの正常性を維持します。", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "オペレーションズ" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", "severity": "中程度", - "text": "Azure NetApp Files を使用して Azure VMware Solution のストレージを拡張する場合は、VM に直接接続するのではなく、これを VMware データストアとして使用することを検討してください。", - "waf": "確実" + "text": "HTTP/S アプリを安全に配信するには、Application Gateway v2 を使用し、WAF の保護とポリシーが有効になっていることを確認します。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "中程度", - "text": "専用の ExpressRoute ゲートウェイが外部データ ストレージ ソリューションに使用されていることを確認する", - "waf": "確実" + "text": "Azure への移行中に仮想マシンの DNS または仮想名が変更されない場合、バックグラウンド DNS と仮想名によって SAP ランドスケープ内の多くのシステム インターフェイスが接続され、お客様は、開発者が時間の経過と共に定義するインターフェイスに気付くことがあります。移行後に仮想名または DNS 名が変更されると、さまざまなシステム間で接続の問題が発生するため、このような問題を防ぐために DNS エイリアスを保持することをお勧めします。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "中程度", - "text": "外部データ ストレージ ソリューションに使用されている ExpressRoute ゲートウェイで FastPath が有効になっていることを確認します", - "waf": "確実" + "text": "異なる DNS ゾーンを使用して、各環境 (サンドボックス、開発、運用前、運用) を互いに区別します。例外は、独自の VNet を使用する SAP デプロイの場合です。ここでは、プライベート DNS ゾーンは必要ない場合があります。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", - "severity": "高い", - "text": "ストレッチ クラスタを使用している場合は、選択したディザスタ リカバリ ソリューションがベンダーによってサポートされていることを確認します", + "checklist": "SAP Checklist", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", + "severity": "中程度", + "text": "ローカルとグローバルの VNet ピアリングは接続を提供し、複数の Azure リージョンにまたがる SAP デプロイのランディング ゾーン間の接続を確保するための推奨されるアプローチです", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", "waf": "確実" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "severity": "高い", - "text": "ストレッチ クラスターを使用する場合は、提供される SLA が要件を満たしていることを確認します", - "waf": "確実" + "text": "SAP アプリケーションと SAP データベース サーバー間の NVA のデプロイはサポートされていません", + "training": "https://me.sap.com/notes/2731110", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", - "severity": "高い", - "text": "ストレッチ クラスターを使用している場合は、両方の ExpressRoute 回線が接続ハブに接続されていることを確認します。", - "waf": "確実" + "checklist": "SAP Checklist", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", + "severity": "中程度", + "text": "Azure リージョンとオンプレミスの場所をまたいだグローバルなトランジット接続が必要な新規ネットワーク、大規模ネットワーク、またはグローバル ネットワークでの Azure デプロイに Virtual WAN を使用します。このアプローチでは、Azure ネットワークの推移的なルーティングを手動で設定する必要はなく、SAP on Azure デプロイの標準に従うことができます。", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", - "severity": "高い", - "text": "ストレッチ クラスターを使用している場合は、両方の ExpressRoute 回線で GlobalReach が有効になっていることを確認します。", - "waf": "確実" + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", + "severity": "中程度", + "text": "パートナーの NVA が使用されている場合にのみ、リージョン間でネットワーク仮想アプライアンス (NVA) をデプロイすることを検討してください。ネイティブ NVA が存在する場合、リージョン間または VNet 間の 
NVA は必要ありません。パートナーのネットワーク テクノロジと NVA をデプロイする場合は、ベンダーのガイダンスに従って、Azure ネットワークと競合する構成を確認します。", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", + "severity": "中程度", + "text": "Virtual WAN は、仮想 WAN ベースのトポロジのスポーク VNet 間の接続を管理し (ユーザー定義ルーティング (UDR) または NVA を設定する必要はありません)、同じ仮想ハブ内の VNet 間トラフィックの最大ネットワーク スループットは 50 ギガビット/秒です。必要に応じて、SAP ランディング ゾーンは VNet ピアリングを使用して他のランディング ゾーンに接続し、この帯域幅の制限を克服できます。", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "オペレーションズ" + }, + { + "checklist": "SAP Checklist", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "高い", - "text": "サイトの耐障害性の設定を適切に検討し、必要に応じてビジネスに合わせて変更しましたか?", - "waf": "確実" + "text": "SAP ワークロードを実行している VM へのパブリック IP の割り当てはお勧めしません。", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", - "severity": "中程度", - "text": "フレキシブル サーバーの活用", - "waf": "確実" + "checklist": "SAP Checklist", + "guid": 
"9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", + "severity": "高い", + "text": "ASRの設定時にDR側でIPアドレスを予約することを検討してください", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "高い", - "text": "Availability Zones (地域的に適用可能な場合) を活用する", - "waf": "確実" + "text": "運用サイトと DR サイトで重複する IP アドレス範囲を使用しないでください。", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "severity": "中程度", - "text": "リージョン間の DR シナリオでのデータイン レプリケーションの活用", - "waf": "確実" + "text": "Azure では 1 つの VNet に複数の委任されたサブネットを作成できますが、Azure NetApp Files の VNet に存在できる委任されたサブネットは 1 つだけです。Azure NetApp Files に複数の委任されたサブネットを使用すると、新しいボリュームを作成しようとしても失敗します。", + "training": 
"https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", + "checklist": "SAP Checklist", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "中程度", - "text": "Azure Spring Apps では、アプリごとに 2 つのデプロイが許可され、そのうちの 1 つだけが運用トラフィックを受信します。ブルーグリーンデプロイ戦略により、ダウンタイムをゼロにすることができます。ブルー グリーン デプロイは、Standard レベルと Enterprise レベルでのみ使用できます。CI/CD と ADO/GitHub Actions を使用してデプロイを自動化できます", - "waf": "確実" + "text": "Azure Firewall を使用して、インターネットへの Azure 送信トラフィック、HTTP/S 以外の受信接続、East/West トラフィック フィルター処理 (組織で必要な場合) を管理します", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "severity": "中程度", - "text": "Azure Spring Apps インスタンスは、アプリケーション用に複数のリージョンに作成でき、トラフィックは Traffic Manager/Front Door によってルーティングできます。", - "waf": "確実" + "text": "Application Gateway、SAP Web Dispatcher、およびその他のサードパーティ サービスの比較に示すように、Application Gateway が SAP Web アプリのリバース プロキシとして機能する場合、Application Gateway と Web Application Firewall 
には制限があります。", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "waf": "安全" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "中程度", - "text": "サポートされているリージョンでは、Azure Spring Apps をゾーン冗長としてデプロイできるため、インスタンスは可用性ゾーン間で自動的に分散されます。この機能は、Standard レベルと Enterprise レベルでのみ使用できます。", - "waf": "確実" + "text": "Azure Front Door と WAF ポリシーを使用して、ランディング ゾーンへの受信 HTTP/S 接続に対して Azure リージョン全体でグローバル保護を提供します。", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "waf": "安全" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "severity": "中程度", - "text": "アプリに複数のアプリ インスタンスを使用する", - "waf": "確実" + "text": "Azure Front Door と Application Gateway を使用して HTTP/S アプリケーションを保護する場合は、Azure Front Door の Web アプリケーション ファイアウォール ポリシーを利用します。Application Gateway をロックダウンして、Azure Front Door からのトラフィックのみを受信します。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": 
"https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "中程度", - "text": "Azure Spring Apps をログ、メトリック、トレースで監視します。ASA を Application Insights と統合し、障害を追跡し、ブックを作成します。", - "waf": "確実" + "text": "Web アプリケーション ファイアウォールを使用して、インターネットに公開されているトラフィックをスキャンします。別のオプションとして、ロード バランサーや、Application Gateway やサードパーティ ソリューションなどのファイアウォール機能が組み込まれているリソースと共に使用することもできます。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "severity": "中程度", - "text": "Spring Cloud Gateway で自動スケーリングを設定する", - "waf": "確実" + "text": "Azure リージョンとオンプレミスの場所をまたいだグローバルなトランジット接続が必要な新規ネットワーク、大規模ネットワーク、またはグローバル ネットワークでの Azure デプロイに Virtual WAN を使用します。このアプローチでは、Azure ネットワークの推移的なルーティングを手動で設定する必要はなく、SAP on Azure デプロイの標準に従うことができます。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "severity": "低い", - "text": "Standard 従量課金プランと専用プランのアプリの自動スケーリングを有効にします。", - "waf": "確実" + "checklist": "SAP Checklist", + 
"guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", + "severity": "中程度", + "text": "データ漏えいを防ぐには、Azure Private Link を使用して、Azure Blob Storage、Azure Files、Azure Data Lake Storage Gen2、Azure Data Factory などのサービスとしてのプラットフォーム リソースに安全にアクセスします。Azure プライベート エンドポイントは、VNet と Azure Storage、Azure Backup などのサービス間のトラフィックをセキュリティで保護するのにも役立ちます。VNet とプライベート エンドポイント対応サービス間のトラフィックは、Microsoft グローバル ネットワークを経由するため、パブリック インターネットへの公開は防止されます。", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", - "severity": "中程度", - "text": "ミッション クリティカルなアプリの Spring Boot の商用サポートには、Enterprise プランを使用します。他のレベルでは、OSS のサポートを受けることができます。", - "waf": "確実" + "checklist": "SAP Checklist", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", + "severity": "高い", + "text": "SAP アプリケーションと DBMS レイヤーで使用される VM で Azure 高速ネットワークが有効になっていることを確認します。", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ストレージに関連する Microsoft クラウド セキュリティ ベンチマークのガイダンスを適用する", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", "severity": "中程度", - "text": "\"ストレージの Azure セキュリティ ベースライン\" を検討する", + "text": "Azure Load Balancer の内部デプロイが Direct Server Return (DSR) を使用するように設定されていることを確認します。この設定 (フローティング IP の有効化) により、DBMS レイヤーの高可用性構成に内部ロード バランサー構成が使用されている場合の待機時間が短縮されます。", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "既定では、Azure Storage にはパブリック IP アドレスがあり、インターネットにアクセス可能です。プライベート エンドポイントを使用すると、アクセスが必要な Azure コンピューティング リソースにのみ Azure Storage を安全に公開できるため、パブリック インターネットへの露出を排除できます", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "高い", - "text": "Azure Storage にプライベート エンドポイントを使用することを検討する", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "新しく作成されたストレージ アカウントは、RBAC や監査などがすべて有効になるように、ARM デプロイ モデルを使用して作成されます。サブスクリプションにクラシック デプロイ モデルの古いストレージ アカウントがないことを確認する", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "severity": "中程度", - "text": "古いストレージ アカウントで \"クラシック デプロイ モデル\" が使用されていないことを確認する", + "text": "アプリケーション セキュリティ グループ (ASG) と NSG 規則を使用して、SAP アプリケーション層と DBMS 層の間にネットワーク セキュリティのアクセス制御リストを定義できます。ASG は、仮想マシンをグループ化してセキュリティの管理に役立てます。", + "training": 
"https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Microsoft Defender を活用して、不審なアクティビティや構成ミスについて学習します。", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "高い", - "text": "すべてのストレージ アカウントに対して Microsoft Defender を有効にする", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "論理的な削除メカニズムを使用すると、誤って削除された BLOB を回復できます。", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", - "severity": "中程度", - "text": "BLOB の \"論理的な削除\" を有効にする", - "waf": "安全" + "text": "ピアリングされていない異なる Azure VNet への SAP アプリケーション レイヤーと SAP DBMS の配置はサポートされていません。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由などから、削除された情報がすぐに削除されるようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナーに対して \"論理的な削除\" を選択的に無効にすることを検討してください。", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "中程度", - "text": "BLOB の 
'論理的な削除' を無効にする", - "waf": "安全" + "text": "SAP アプリケーションで最適なネットワーク待機時間を実現するには、Azure 近接通信配置グループの使用を検討してください。", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "コンテナーの論理的な削除を使用すると、コンテナーが削除された後に回復できます (たとえば、偶発的な削除操作から回復します)。", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "高い", - "text": "コンテナーの \"論理的な削除\" を有効にする", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由などから、削除された情報がすぐに削除されるようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナーに対して \"論理的な削除\" を選択的に無効にすることを検討してください。", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", - "severity": "中程度", - "text": "コンテナーの \"論理的な削除\" を無効にする", - "waf": "安全" + "text": "オンプレミスと Azure の間で分割された SAP アプリケーション サーバー レイヤーと DBMS レイヤーを実行することは、まったくサポートされていません。どちらのレイヤーも、オンプレミスまたは Azure に完全に存在する必要があります。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "削除前に削除ロックを最初に解除するようにユーザーに強制することで、ストレージ アカウントが誤って削除されないようにします", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "checklist": "SAP Checklist", + 
"guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "高い", - "text": "ストレージ アカウントでのリソース ロックの有効化", - "waf": "安全" + "text": "SAP システムのデータベース管理システム (DBMS) レイヤーとアプリケーション レイヤーを異なる VNet でホストし、それらを VNet ピアリングに接続することは、レイヤー間の過剰なネットワーク トラフィックによって生成される可能性があるため、お勧めしません。Azure 仮想ネットワーク内のサブネットを使用して、SAP アプリケーション レイヤーと DBMS レイヤーを分離することをお勧めします。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "費用" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "BLOB の \"訴訟ホールド\" または \"時間ベースの保持\" ポリシーを検討して、BLOB、コンテナー、またはストレージ アカウントを削除できないようにします。「不可能」は実際には「不可能」を意味することに注意してください。ストレージ アカウントに不変の BLOB が含まれる場合、そのストレージ アカウントを \"取り除く\" 唯一の方法は、Azure サブスクリプションを取り消すことです。", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "severity": "高い", - "text": "不変の BLOB を検討する", - "waf": "安全" + "text": "Linux ゲスト・オペレーティング・システムで Load Balancer を使用する場合は、Linux ネットワーク・パラメーター net.ipv4.tcp_timestamps が 0 に設定されていることを確認します。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ストレージ アカウントへの保護されていない HTTP/80 アクセスを無効にして、すべてのデータ転送が暗号化され、整合性が保護され、サーバーが認証されるようにすることを検討してください。", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", - "severity": "高い", - "text": "HTTPS を要求する 
(つまり、ストレージ アカウントのポート 80 を無効にする)", + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", + "severity": "中程度", + "text": "SAP RISE/ECS デプロイの場合、仮想ピアリングは、お客様の既存の Azure 環境との接続を確立するための推奨される方法です。SAP vnet と顧客 VNet の両方がネットワーク セキュリティ グループ (NSG) で保護され、vnet ピアリングを介した SAP ポートとデータベース ポートでの通信が可能になります", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ストレージ アカウントでカスタム ドメイン (ホスト名) を構成する場合は、TLS/HTTPS が必要かどうかを確認します。その場合は、ストレージ アカウントの前に Azure CDN を配置する必要があります。", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "severity": "高い", - "text": "HTTPS を適用する (HTTP を無効にする) 場合は、ストレージ アカウントにカスタム ドメイン (CNAME) を使用していないことを確認します。", - "waf": "安全" + "text": "Azure VM の SAP HANA データベースのバックアップを確認します。", + "waf": "費用" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "クライアントが SAS トークンを使用して BLOB データにアクセスするときに HTTPS を要求すると、資格情報が失われるリスクを最小限に抑えることができます。", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "中程度", - "text": "Shared Access Signature (SAS) トークンを HTTPS 接続のみに制限する", - "waf": "安全" + "text": "Site Recovery の組み込み監視 (SAP で使用されている場合) を確認します。", + "waf": "費用" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - 
"checklist": "Azure Blob Storage Review", - "description": "AAD トークンは、可能な限り、共有アクセス署名よりも優先する必要があります", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", "severity": "高い", - "text": "BLOB アクセスに Azure Active Directory (Azure AD) トークンを使用する", - "waf": "安全" + "text": "SAP HANA システム ランドスケープの監視に関するガイダンスを確認します。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ユーザー、グループ、またはアプリケーションにロールを割り当てる場合は、タスクの実行に必要なアクセス許可のみをセキュリティ プリンシパルに付与します。リソースへのアクセスを制限することで、意図しないデータの誤用と悪意のあるデータの誤用の両方を防ぐことができます。", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "severity": "中程度", - "text": "IaM アクセス許可の最小特権", - "waf": "安全" + "text": "Azure Linux VM のバックアップ戦略で Oracle Database を確認します。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ユーザー委任 SAS は、Azure Active Directory (Azure AD) 資格情報と、SAS に指定されたアクセス許可によってセキュリティで保護されます。ユーザー委任 SAS は、そのスコープと機能の点でサービス SAS に似ていますが、サービス SAS よりもセキュリティ上の利点があります。", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "高い", - "text": "SAS を使用する場合は、ストレージ アカウント キー ベースの SAS よりも \"ユーザー委任 SAS\" を優先します。", - "waf": 
"安全" + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", + "severity": "中程度", + "text": "SQL Server 2016 での Azure Blob Storage の使用を確認します。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ストレージ アカウント キー (\"共有キー\") には、監査機能がほとんどありません。誰がいつキーのコピーを取得したかを監視できますが、キーが複数の人の手に渡ると、使用状況を特定のユーザーに帰属させることは不可能です。AAD 認証のみに依存することで、ストレージへのアクセスをユーザーに結び付けやすくなります。", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", - "severity": "高い", - "text": "ストレージ アカウント キーを無効にして、AAD アクセス (およびユーザー委任 SAS) のみがサポートされるようにすることを検討してください。", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", + "severity": "中程度", + "text": "Azure VM の自動バックアップ v2 の使用を確認します。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "アクティビティ ログ データを使用して、ストレージ アカウントのセキュリティ (ストレージ アカウント キー、アクセス ポリシーなど) が \"いつ、誰が、何を、\"どのように\" 表示または変更されているかを特定します。", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "severity": "高い", - "text": "Azure Monitor を使用して、ストレージ アカウントに対するコントロール プレーン操作を監査することを検討してください", - "waf": "安全" + "text": "Premium ディスク使用時の M シリーズの書き込みアクセラレータの有効化 (V1)", + "waf": "オペレーションズ" }, { - "arm-service": 
"Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "キーの有効期限ポリシーを使用すると、アカウントアクセスキーのローテーションのリマインダーを設定できます。リマインダーは、指定した間隔が経過し、キーがまだローテーションされていない場合に表示されます。", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "severity": "中程度", - "text": "ストレージ アカウント キーを使用する場合は、\"キーの有効期限ポリシー\" を有効にすることを検討してください", - "waf": "安全" + "text": "可用性ゾーンの待機時間をテストします。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS 有効期限ポリシーでは、SAS が有効である推奨間隔を指定します。SAS 有効期限ポリシーは、サービス SAS またはアカウント SAS に適用されます。ユーザーがサービス SAS またはアカウント SAS を、推奨間隔よりも長い有効期間で生成すると、警告が表示されます。", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", - "severity": "中程度", - "text": "SAS 有効期限ポリシーの構成を検討する", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", + "severity": "中程度", + "text": "すべての SAP コンポーネントに対して SAP EarlyWatch Alert を有効化します。", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "保存されているアクセス ポリシーを使用すると、ストレージ アカウント キーを再生成することなく、サービス SAS のアクセス許可を取り消すことができます。", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": 
"https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "severity": "中程度", - "text": "保存されているアクセス ポリシーに SAS をリンクすることを検討する", - "waf": "安全" + "text": "SAP ABAPMeter report /SSA/CAT を使用して、SAP アプリケーション サーバーからデータベース サーバー間の待機時間を確認します。", + "training": "https://me.sap.com/notes/0002879613", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "severity": "中程度", - "text": "チェックインされた接続文字列とストレージ アカウント キーを検出するようにアプリケーションのソース コード リポジトリを構成することを検討してください。", - "waf": "安全" + "text": "CCMS を使用した SQL Server のパフォーマンス監視を確認します。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "理想的には、アプリケーションでマネージド ID を使用して Azure Storage に対する認証を行う必要があります。それが不可能な場合は、ストレージ資格情報 (接続文字列、ストレージ アカウント キー、SAS、サービス プリンシパル資格情報) を Azure KeyVault または同等のサービスに用意することを検討してください。", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", - "severity": "高い", - "text": "接続文字列を Azure KeyVault に格納することを検討する (マネージド ID が不可能なシナリオの場合)", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", + "severity": "中程度", + "text": "SAP 
アプリケーション レイヤー VM と DBMS VM 間のネットワーク待機時間をテストします (NIPING)。", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "アドホック SAS サービス SAS またはアカウント SAS で、有効期限が近づいています。このように、SAS が侵害された場合でも、有効期間は短時間です。この方法は、保存されているアクセス ポリシーを参照できない場合に特に重要です。また、有効期限が近いと、BLOB にアップロードできる時間が制限されるため、BLOB に書き込めるデータの量も制限されます。", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "高い", - "text": "アドホックSASの有効期間を短くする", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", + "severity": "中程度", + "text": "SAP HANA Studio アラートを確認します。", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS を作成するときは、できるだけ具体的かつ制限的にしてください。1 つのリソースと操作には、より広範なアクセスを提供する SAS よりも SAS を優先します。", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", "severity": "中程度", - "text": "SAS に狭いスコープを適用する", + "text": "HANA_Configuration_Minichecks を使用して SAP HANA ヘルスチェックを実行します。", + "waf": "パフォーマンス" + }, + { + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", + "severity": "中程度", + "text": "Azure、オンプレミス、またはその他のクラウド環境で Windows VM と Linux VM を実行している場合は、Azure Automation 
の更新管理センターを使用して、セキュリティ パッチを含むオペレーティング システムの更新プログラムを管理できます。", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS には、SAS を使用してリソースを要求する権限をクライアント IP アドレスまたはアドレス範囲に与えるパラメーターを含めることができます。", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "severity": "中程度", - "text": "可能な限り、SAS のスコープを特定のクライアント IP アドレスに設定することを検討してください", + "text": "SAP は、SAP システムを保護するために即時のアクションを必要とする非常に重要なセキュリティ パッチまたはホット フィックスをリリースしているため、SAP セキュリティ OSS ノートを定期的に確認してください。", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS は、クライアントがアップロードするデータの量を制限できません。時間の経過に伴うストレージ容量の価格モデルを考えると、クライアントが悪意を持って大きなコンテンツをアップロードしたかどうかを検証することは理にかなっているかもしれません。", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "severity": "低い", - "text": "クライアントが SAS を使用してファイルをアップロードした後、アップロードされたデータを確認することを検討してください。", + "text": "SQL Server 上の SAP システムではアカウントを使用しないため、SQL Server 上の SAP システム管理者アカウントを無効にすることができます。元のシステム管理者アカウントを無効にする前に、システム管理者権限を持つ別のユーザーがサーバーにアクセスできることを確認してください。", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "\"ローカル ユーザー アカウント\" 
を使用して SFTP 経由で BLOB ストレージにアクセスする場合、\"通常の\" RBAC 制御は適用されません。NFS または REST 経由の BLOB アクセスは、SFTP アクセスよりも制限が厳しい場合があります。残念ながら、2023 年初頭の時点で、SFTP エンドポイントで現在サポートされている ID 管理の形式はローカル ユーザーだけです", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "severity": "高い", - "text": "SFTP: SFTPアクセスの「ローカルユーザー」の数を制限し、時間の経過とともにアクセスが必要かどうかを監査します。", + "text": "xp_cmdshellを無効にします。SQL Server 機能xp_cmdshell、SQL Server 内部オペレーティング システムのコマンド シェルを有効にします。これは、セキュリティ監査における潜在的なリスクです。", + "training": "https://me.sap.com/notes/3019299/E", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", - "severity": "中程度", - "text": "SFTP: SFTP エンドポイントは、POSIX ライクな ACL をサポートしていません。", + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "高い", + "text": "Azure 上の SAP HANA データベース サーバーの暗号化では、SAP HANA ネイティブ暗号化テクノロジが使用されます。さらに、Azure で SQL Server を使用している場合は、Transparent Data Encryption (TDE) を使用してデータとログ ファイルを保護し、バックアップも暗号化されるようにします。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "ストレージは、CORS (Cross-Origin 
Resource Sharing)、つまり、異なるドメインの Web アプリが同一生成元ポリシーを緩めることを可能にする HTTP 機能をサポートしています。CORS を有効にする場合は、CorsRules を最小の特権に保ちます。", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", - "severity": "高い", - "text": "過度に広範な CORS ポリシーを避ける", + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", + "severity": "中程度", + "text": "Azure Storage の暗号化は、すべての Azure Resource Manager とクラシック ストレージ アカウントに対して有効になっており、無効にすることはできません。データは既定で暗号化されるため、Azure Storage 暗号化を使用するためにコードやアプリケーションを変更する必要はありません。", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "保存データは常にサーバー側で暗号化され、さらにクライアント側でも暗号化される場合があります。サーバー側の暗号化は、プラットフォーム マネージド キー (既定) またはカスタマー マネージド キーを使用して行われる場合があります。クライアント側の暗号化は、クライアントが BLOB ごとに暗号化/暗号化解除キーを Azure Storage に提供するか、クライアント側で暗号化を完全に処理することによって行われます。そのため、機密性の保証を Azure Storage にまったく依存しません。", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", "severity": "高い", - "text": "保存データの暗号化方法を決定します。データのスレッド モデルを理解します。", + "text": "Azure Key Vault を使用してシークレットと資格情報を格納する", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": 
"8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "severity": "中程度", - "text": "どのプラットフォーム暗号化を使用するか、または使用するかを決定します。", + "text": "デプロイが成功したら、Azure リソースを LOCK して、承認されていない変更から保護することをお勧めします。また、カスタマイズされた Azure ポリシー (Custome ロール) を使用して、サブスクリプションごとに LOCK の制約とルールを適用することもできます。", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "severity": "中程度", - "text": "クライアント側の暗号化を使用するかどうかを決定します。", + "text": "論理的な削除ポリシーと消去ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Resource Graph エクスプローラー (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) を利用して、匿名 BLOB アクセスを許可するストレージ アカウントを検索します。", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": 
"https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "checklist": "SAP Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", "severity": "高い", - "text": "パブリック BLOB アクセスが必要かどうか、または特定のストレージ アカウントに対して無効にできるかどうかを検討します。", + "text": "既存の要件、規制、コンプライアンス制御 (内部/外部) に基づいて、必要な Azure ポリシーと Azure RBAC ロールを決定します", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "高い", - "text": "ビジネスと SLO の要件に基づいて適切なロジック アプリのホスティング プランを選択する", - "waf": "確実" + "text": "SAP 環境でMicrosoft Defender for Endpointを有効にする場合は、すべてのサーバーを対象とするのではなく、DBMS サーバー上のデータとログ ファイルを除外することをお勧めします。ターゲット ファイルを除外する場合は、DBMS ベンダーの推奨事項に従ってください。", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "waf": "安全" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", + "checklist": "SAP 
Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", "severity": "高い", - "text": "ゾーンの冗長性と可用性ゾーンを使用してリージョンの障害からロジック アプリを保護する", - "waf": "確実" + "text": "Microsoft Defender for Cloud の Just-In-Time アクセス権を持つ SAP 管理者カスタム ロールを委任します。", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", - "severity": "高い", - "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", - "waf": "確実" + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "低い", + "text": "サードパーティのセキュリティ製品を DIAG (SAP GUI)、RFC、および SPNEGO for HTTPS のセキュアネットワーク通信 (SNC) と統合することにより、転送中のデータを暗号化します。", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "waf": "安全" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", - "severity": "高い", - "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します", - "waf": "確実" - }, - { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning 
Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", "severity": "中程度", - "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、ロジック アプリ コードを保護", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", - "severity": "高い", - "text": "共鳴可能なAIのためのメタプロンプトガードレールに従う", - "waf": "オペレーショナルエクセレンス" + "text": "プリンシパル暗号化機能には既定で Microsoft マネージド キーを使用し、必要に応じてカスタマー マネージド キーを使用します。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", "severity": "高い", - "text": "APIM や AI Central などのソリューションを使用したゲートウェイ パターンを検討して、レート制限、負荷分散、認証、ログ記録を改善します", - "waf": "オペレーショナルエクセレンス" + "text": "Azure Key Vault は、アプリケーションごと、環境ごと、リージョンごとに使用します。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", "severity": "高い", - "text": "AOAI インスタンスの監視を有効にする", - "waf": "オペレーショナルエクセレンス" + "text": "HANA 以外の Windows オペレーティング システムと Windows 以外のオペレーティング システムのディスク暗号化キーとシークレットを制御および管理するには、Azure Key Vault を使用します。SAP HANA は Azure Key Vault ではサポートされていないため、SAP ABAP キーや SSH キーなどの代替方法を使用する必要があります。", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", "severity": "高い", - "text": "リソースに対して実行されたアクション (サブスクリプション キーの再生成など) によって作成されたアクティビティ ログのエントリや、1 時間に 10 を超えるエラー数などのメトリックしきい値によって作成されたアクティビティ ログのエントリなど、イベントを通知するアラートを作成します", - "waf": "オペレーショナルエクセレンス" + "text": "SAP on Azure スポーク サブスクリプションのロールベースのアクセス制御 (RBAC) ロールをカスタマイズして、偶発的なネットワーク関連の変更を回避します", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "checklist": "SAP 
Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", "severity": "高い", - "text": "トークンの使用状況を監視して、容量によるサービスの中断を防ぎます", - "waf": "オペレーショナルエクセレンス" + "text": "DMZ と NVA を SAP 資産の残りの部分から分離し、Azure Private Link を構成し、SAP on Azure リソースを安全に管理および制御します", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "処理された推論トークン、生成された完了トークンなどのメトリックを観察し、レート制限を監視します", - "waf": "オペレーショナルエクセレンス" + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", + "severity": "低い", + "text": "Azure で Microsoft マルウェア対策ソフトウェアを使用して、悪意のあるファイル、アドウェア、その他の脅威から仮想マシンを保護することを検討してください。", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", "severity": "低い", - "text": "診断が十分でない場合は、Azure OpenAI の前で Azure API Management 
などのゲートウェイを使用して、受信プロンプトと送信応答の両方をログに記録することを検討してください (許可されている場合)", - "waf": "オペレーショナルエクセレンス" + "text": "さらに強力な保護を行うには、Microsoft Defender for Endpointの使用を検討してください。", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", + "checklist": "SAP Checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "severity": "高い", - "text": "コードとしてのインフラストラクチャを使用して、Azure OpenAI Service、モデル デプロイ、およびすべての関連リソースをデプロイします", - "waf": "オペレーショナルエクセレンス" + "text": "仮想ネットワーク ピアリングによってスポーク ネットワークに接続されているハブ仮想ネットワークを介してすべてのトラフィックを渡すことで、SAP アプリケーションとデータベース サーバーをインターネットまたはオンプレミス ネットワークから分離します。ピアリングされた仮想ネットワークにより、SAP on Azure ソリューションがパブリック インターネットから分離されることが保証されます。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "高い", - "text": "API キーの代わりにマネージド ID で Microsoft Entra 認証を使用する", + "checklist": "SAP Checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "低い", + "text": "SAP Fiori などのインターネットに接続するアプリケーションの場合は、セキュリティレベルを維持しながら、アプリケーション要件ごとに負荷を分散してください。レイヤー 7 セキュリティについては、Azure Marketplace で入手できるサードパーティの Web アプリケーション ファイアウォール (WAF) を使用できます。", + 
"training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "高い", - "text": "入力と正しい答えを持つ既知のゴールデンデータセットを使用して、システムのパフォーマンス/精度を評価します。PromptFlowの機能を評価に活用します。", - "waf": "オペレーショナルエクセレンス" + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", + "severity": "中程度", + "text": "Azure Monitor for SAP solutions でセキュリティで保護された通信を有効にするには、ルート証明書またはサーバー証明書のいずれかを使用することを選択できます。ルート証明書を使用することを強くお勧めします。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", + "service": "AVS", "severity": "高い", - "text": "プロビジョニング済みスループットモデルの使用状況の評価", - "waf": "パフォーマンス" + "text": "ADDS ドメイン コントローラーがネイティブ Azure の ID サブスクリプションにデプロイされていることを確認する", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", 
- "service": "Azure OpenAI", - "severity": "高い", - "text": "Azure AI コンテンツの安全性を確認して実装する", - "waf": "オペレーショナルエクセレンス" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "75089c20-990d-4927-b105-885576f76fc2", + "service": "AVS", + "severity": "中程度", + "text": "Azure ベースのリソース (Azure VMware Solution を含む) からの認証要求を Azure にローカルに保持するように ADDS サイトとサービスが構成されていることを確認します", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", + "service": "AVS", "severity": "高い", - "text": "トークンと1分あたりのレスポンスに基づいてシステムのスループットを定義および評価し、要件に合わせます", - "waf": "パフォーマンス" + "text": "vCenterがADDに接続されていることを確認し、「名前付きユーザーアカウント」に基づく認証を有効にします", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", + "service": "AVS", "severity": "中程度", - "text": "トークンサイズ、ストリーミングオプションを制限することにより、システムのレイテンシーを改善します", - "waf": "パフォーマンス" + "text": "vCenter から ADDS への接続でセキュア プロトコル (LDAPS) が使用されていることを確認します", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", "severity": "中程度", - "text": "弾力性の要求を見積もり、優先順位に基づいて同期要求とバッチ要求の分離を決定します。優先度が高い場合は同期アプローチを使用し、優先度が低い場合はキューを使用した非同期バッチ処理が推奨されます", - "waf": "パフォーマンス" + "text": "vCenter IdP の CloudAdmin アカウントは、緊急アカウント(非常用アカウント)としてのみ使用されます", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "severity": "高い", - "text": "消費者からの推定需要に基づくトークン消費要件のベンチマーク。プロビジョニングされたスループット ユニットのデプロイを使用している場合は、Azure OpenAI ベンチマーク ツールを使用してスループットを検証することを検討してください", - "waf": "パフォーマンス" + "text": "NSX-Manager が外部 ID プロバイダ (LDAPS) と統合されていることを確認します。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", + "service": "AVS", "severity": "中程度", - "text": "プロビジョニングされたスループットユニット (PTU) を使用している場合は、オーバーフローリクエストに対して Token-Per Minute (TPM) デプロイメントをデプロイすることを検討してください。ゲートウェイを使用して、PTU の制限に達したときに要求を TPM デプロイにルーティングします。", - "waf": "パフォーマンス" + "text": "VMware vSphere 内で使用するために RBAC モデルが作成されているか", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "Azure OpenAI", - "severity": "高い", - "text": "適切なタスクに適したモデルを選択してください。速度、応答の品質、出力の複雑さの間で適切なトレードオフを持つモデルを選択する", - "waf": "パフォーマンス" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", + "service": "AVS", "severity": "中程度", - "text": "微調整によってモデルのパフォーマンスが向上したかどうかを知るための微調整を行わずに、パフォーマンスのベースラインを設定する", - "waf": "パフォーマンス" + "text": "RBAC アクセス許可は、特定のユーザーではなく、ADDS グループに付与する必要があります", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "低い", - "text": "複数のOAIインスタンスを複数のリージョンにデプロイする", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", + "service": "AVS", + "severity": "高い", + "text": "Azure の Azure VMware Solution リソースに対する RBAC アクセス許可は、限られた所有者のセットのみに \"ロックダウン\" されます", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", + "service": "AVS", 
"severity": "高い", - "text": "APIM のようなゲートウェイ パターンを使用した再試行とヘルスチェックの実装", - "waf": "確実" + "text": "すべてのカスタム ロールのスコープが CloudAdmin で許可された承認で設定されていることを確認する", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "ワークロードに対してTPMとRPMの適切なクォータがあることを確認します", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", + "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", + "service": "AVS", + "severity": "高い", + "text": "お客様のユース ケースに適した Azure VMware Solution 接続モデルが選択されているか", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "HAIツールキットガイダンスの考慮事項を確認し、それらの相互作用の実践をslutionに適用します", - "waf": "オペレーショナルエクセレンス" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", + "service": "AVS", + "severity": "高い", + "text": "オンプレミスから Azure への ExpressRoute または VPN 接続が \"接続モニター\" を使用して監視されていることを確認する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"976e24f2-a7f8-426c-9253-2a92a2a7ed99", + "service": "AVS", "severity": "中程度", - "text": "ファインチューニングが採用されている場合は、リージョン間で個別の微調整モデルをデプロイします", - "waf": "確実" + "text": "Azure VMware Solution バックエンドの ExpressRoute 接続を監視するために、Azure ネイティブ リソースから Azure VMware Solution 仮想マシンへの接続モニターが作成されていることを確認します", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", "severity": "中程度", - "text": "重要なデータを定期的にバックアップおよびレプリケートして、データの損失やシステム障害が発生した場合のデータの可用性と回復性を確保します。Azure のバックアップおよびディザスター リカバリー サービスを活用して、データを保護します。", - "waf": "確実" + "text": "エンド 2 エンドの接続を監視するために、オンプレミス リソースから Azure VMware Solution 仮想マシンへの接続モニターが作成されていることを確認します", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", + "service": "AVS", "severity": "高い", - "text": "Azure AI Search サービス レベルは、SLA を持つために選択する必要があります", - "waf": "確実" + "text": "ルート サーバーを使用する場合は、ルート サーバーから ExR ゲートウェイ、オンプレミスに伝達されるルートが 1000 を超えないようにします (ARS 制限)。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "Azure OpenAI", - "severity": "低い", - "text": "データと機密性を分類し、埋め込みを生成する前に Microsoft Purview 
でラベル付けし、生成された埋め込みを同じ感度と分類で処理するようにしてください", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", + "service": "AVS", + "severity": "高い", + "text": "Azure Portal で Azure VMware Solution リソースを管理するロールに対して Privileged Identity Management が実装されていますか (永続的なアクセス許可は許可されません)", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", "severity": "高い", - "text": "SSE/ディスク暗号化(オプションのBYOKを使用)を使用してRAGに使用されるデータを暗号化", + "text": "Privileged Identity Management 監査レポートは、Azure VMware Solution PIM ロールに対して実装する必要がある", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", - "severity": "高い", - "text": "データソース間で転送されるデータ、Retrieval-Augmented Generation(RAG)およびLLM通信に使用されるAI検索にTLSが適用されていることを確認します", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", + "severity": "中程度", + "text": "Privileged Identity Management を使用している場合は、Azure VMware Solution のホストの自動置換通知用の有効な SMTP レコードを使用して、有効な Entra ID が有効なアカウントが作成されていることを確認します。(常任許可が必要)", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", + "service": "AVS", "severity": "高い", - "text": "RBAC を使用して、Azure OpenAI サービスへのアクセスを管理します。ユーザーに適切な権限を割り当て、ユーザーの役割と責任に基づいてアクセスを制限します", + "text": "CloudAdmin アカウントの使用を緊急アクセスのみに制限する", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", + "service": "AVS", "severity": "中程度", - "text": "データの暗号化、マスキング、または編集技術を実装して、機密データを非表示にしたり、非本番環境で難読化された値に置き換えたり、テストやトラブルシューティングの目的でデータを共有する場合", + "text": "vCenter Server でカスタム RBAC ロールを作成して、vCenter 内に最小特権モデルを実装します", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", + "service": "AVS", + "severity": "中程度", + "text": "cloudadmin (vCenter) と admin (NSX) の資格情報を定期的にローテーションするように定義されたプロセスです。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", + "service": "AVS", "severity": "高い", - "text": "Azure Defender を利用して、セキュリティの脅威を検出して対応し、監視とアラートのメカニズムを設定して、疑わしいアクティビティや侵害を特定します。Azure Sentinel 
を活用して高度な脅威の検出と対応を実現", + "text": "一元化された ID プロバイダーを使用して、Azure VMware Solution で実行されているワークロード (VM) に使用する", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", + "service": "AVS", "severity": "中程度", - "text": "コンプライアンス規制を遵守するためのデータ保持および廃棄ポリシーを確立します。不要になったデータに対して安全な削除方法を実装し、データの保持と廃棄活動の監査証跡を維持します", + "text": "East-West トラフィック フィルタリングは NSX-T 内に実装されていますか", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", + "service": "AVS", "severity": "高い", - "text": "Content Safety を使用した Prompt シールドと接地検出の実装", - "waf": "オペレーショナルエクセレンス" + "text": "Azure VMware Solution 上のワークロードは、インターネットに直接公開されません。トラフィックは、Azure Application Gateway、Azure Firewall、またはサード パーティのソリューションによってフィルター処理され、検査されます", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", + "service": "AVS", "severity": "高い", - "text": 
"GDPRやHIPAAなどの関連するデータ保護規制への準拠を確保するには、プライバシー制御を実装し、データ処理活動に必要な同意または許可を取得します。", + "text": "監査とログ記録は、Azure VMware Solution および Azure VMware Solution ベースのワークロードへの受信インターネット要求に対して実装されます", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", "severity": "中程度", - "text": "データセキュリティのベストプラクティス、データの安全な取り扱いの重要性、データ侵害に関連する潜在的なリスクについて、従業員を教育します。データセキュリティプロトコルに熱心に従うように促します。", + "text": "セッション監視は、疑わしい/悪意のあるアクティビティを特定するために、Azure VMware Solution または Azure VMware Solution ベースのワークロードからの送信インターネット接続に実装されます", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", - "severity": "高い", - "text": "運用データを開発データやテストデータから分離します。本番環境では実際の機密データのみを使用し、開発環境やテスト環境では匿名化されたデータや合成データを利用します。", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", + "severity": "中程度", + "text": "Azure の ExR/VPN Gateway サブネットで DDoS Standard 保護が有効になっているか", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", "severity": "中程度", - "text": "データの機密性のレベルが異なる場合は、レベルごとに個別のインデックスを作成することを検討してください。たとえば、一般的なデータ用に 1 つのインデックスを作成し、機密データ用に別のインデックスを作成し、それぞれ異なるアクセス プロトコルで管理することができます", + "text": "専用の特権アクセス ワークステーション (PAW) を使用して、Azure VMware Solution、vCenter、NSX Manager、HCX Manager 
を管理する", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", + "service": "AVS", "severity": "中程度", - "text": "分離をさらに一歩進めて、機密性の高いデータセットをサービスの異なるインスタンスに配置します。各インスタンスは、独自のRBACポリシーのセットで制御できます", + "text": "Azure VMware Solution で実行されているワークロードに対して Advanced Threat Detection (Microsoft Defender for Cloud 別名 ASC) を有効にする", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "Azure OpenAI", - "severity": "高い", - "text": "機密情報から生成された埋め込みとベクトルは、それ自体が機密性が高いことを認識します。このデータには、ソースマテリアルと同じ保護対策を提供する必要があります", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", + "service": "AVS", + "severity": "中程度", + "text": "Azure ARC for Servers を使用して、Azure ネイティブ テクノロジを使用して Azure VMware Solution で実行されているワークロードを適切に管理します (Azure ARC for Azure VMware Solution はまだ利用できません)", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "severity": "高い", - "text": "埋め込みとベクトルを持つデータストアに RBAC を適用し、ロールのアクセス要件に基づいてアクセスのスコープを設定します", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", + "severity": "低い", + "text": "Azure VMware Solution 上のワークロードで、実行時に十分なデータ暗号化 (ゲスト内ディスク暗号化や SQL TDE など) が使用されるようにします。(保存時の vSAN 暗号化がデフォルトです)", "waf": "安全" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "Azure OpenAI", - "severity": "高い", - "text": "AI サービスのプライベート エンドポイントを構成して、ネットワーク内のサービス アクセスを制限します", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", + "severity": "低い", + "text": "ゲスト内暗号化を使用する場合は、可能な場合は Azure Key Vault に暗号化キーを格納します", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", - "severity": "高い", - "text": "Azure Firewall と UDR を使用して受信と送信のトラフィック制御を厳密に適用し、外部統合ポイントを制限します", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", + "severity": "中程度", + "text": "Azure VMware Solution で実行されているワークロードには、拡張セキュリティ更新プログラムのサポートの使用を検討してください (Azure VMware Solution は ESU の対象です)", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", "severity": "高い", - "text": "ネットワークのセグメンテーションとアクセス制御を実装して、LLMアプリケーションへのアクセスを許可されたユーザーとシステムのみに制限し、横方向の移動を防ぎます", - "waf": "安全" + "text": "適切な vSAN データ冗長化方式(RAID 仕様)が使用されていることを確認します。", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": 
"https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "LLMLingua や gprtrim などのプロンプト圧縮ツールを使用します", - "waf": "コストの最適化" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", + "severity": "高い", + "text": "許容障害ポリシーが vSAN ストレージのニーズを満たすために設定されていることを確認します", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", "severity": "高い", - "text": "LLM アプリケーションで使用される API とエンドポイントが、マネージド ID、API キー、OAuth などの認証および承認メカニズムで適切に保護され、不正アクセスを防止します。", - "waf": "安全" + "text": "十分なクォータを要求し、拡張とディザスタリカバリの要件を考慮していることを確認します", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "severity": "中程度", - "text": "多要素認証などの強力なエンドユーザー認証メカニズムを適用して、LLMアプリケーションおよび関連するネットワークリソースへの不正アクセスを防止します", - "waf": "安全" + "text": "ESXiへのアクセス制限を理解し、サードパーティのソリューションに影響を与える可能性のあるアクセス制限があることを確認してください。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "severity": "中程度", - "text": "ネットワーク監視ツールを実装して、疑わしいアクティビティや悪意のあるアクティビティのネットワークトラフィックを検出および分析します。ロギングを有効にしてネットワークイベントをキャプチャし、セキュリティインシデントが発生した場合のフォレンジック分析を容易にします", - "waf": "安全" + "text": "ESXi ホストの密度と効率に関するポリシーがあることを確認し、新しいノードを要求するためのリード タイムを念頭に置いてください", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", "severity": "中程度", - "text": "セキュリティ監査と侵入テストを実施して、LLMアプリケーションのネットワークインフラストラクチャのネットワークセキュリティの弱点または脆弱性を特定して対処します", - "waf": "安全" + "text": "Azure VMware Solution の適切なコスト管理プロセスが整っていることを確認する - Azure Cost Management を使用できます", + "waf": "費用" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", "severity": "低い", - "text": "Azure AI Services は、管理を改善するために適切にタグ付けされています", - "waf": "オペレーショナルエクセレンス" + "text": "Azure VMware Solution を使用するためのコストを最適化するために Azure 予約インスタンスが使用されているか", + "waf": "費用" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", - "severity": "低い", - "text": "Azure AI Service アカウントは、組織の名前付け規則に従います", - "waf": "オペレーショナルエクセレンス" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", + "severity": "中程度", + "text": "他の Azure Native Services を使用する場合は、Azure Private-Link の使用を検討してください", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", "severity": "高い", - "text": "Azure AI サービス リソースの診断ログを有効にする必要がある", - "waf": "オペレーショナルエクセレンス" + "text": "必要なすべてのリソースが同じ Azure 可用性ゾーン内に存在することを確認する", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", - "severity": "高い", - "text": "セキュリティのため、キーアクセス(ローカル認証)を無効にすることをお勧めします。 キーベースのアクセスを無効にすると、Microsoft Entra IDが唯一のアクセス方法になり、最小限の特権原則ときめ細かな制御を維持できます。", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", + "severity": "中程度", + "text": "Azure VMware Solution ゲスト VM ワークロードに対して Microsoft Defender for Cloud を有効にする", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "severity": "高い", - "text": "Azure Key Vault を使用して、キーを安全に保存および管理します。LLM アプリケーションのコード内で機密性の高いキーをハードコーディングしたり埋め込んだりすることを避け、マネージド ID を使用して Azure Key Vault から安全に取得します", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", + "severity": "中程度", + "text": "Azure Arc 対応サーバーを使用して Azure VMware Solution ゲスト VM のワークロードを管理する", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", "severity": "高い", - "text": "Azure Key Vault に格納されているキーを定期的にローテーションして期限切れにすることで、不正アクセスのリスクを最小限に抑えます。", - "waf": "安全" + "text": "Azure VMware Solution での診断ログとメトリック ログを有効にするEnable Diagnostic and metric logging on Azure VMware Solution", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "Azure OpenAI", - "severity": "高い", - "text": "tiktokenを使用して、会話モードでのトークン最適化のためのトークンサイズを理解します", - "waf": "コストの最適化" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", + "severity": "中程度", + "text": "Log Analytics エージェントを Azure VMware Solution ゲスト VM ワークロードにデプロイする", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", 
- "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", - "service": "Azure OpenAI", - "severity": "高い", - "text": "安全なコーディング手法に従って、インジェクション攻撃、クロスサイトスクリプティング(XSS)、セキュリティ設定の誤りなどの一般的な脆弱性を防止します", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", + "severity": "中程度", + "text": "Azure VMware Solution VM ワークロードのバックアップ ポリシーとソリューションが文書化され、実装されていることを確認します", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", + "severity": "中程度", + "text": "Microsoft Defender for Cloud を使用して、Azure VMware Solution で実行されているワークロードのコンプライアンス監視を行う", + "waf": "安全" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", + "severity": "中程度", + "text": "適用可能なコンプライアンス ベースラインは Microsoft Defender for Cloud に追加されていますか", + "waf": "安全" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", "severity": "高い", - "text": "LLM ライブラリとその他のシステム コンポーネントを定期的に更新し、パッチを適用するプロセスを設定します", + "text": "Azure VMware Solution のデプロイに使用する Azure リージョンを選択するときにデータ所在地が評価されましたか", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": 
"https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", "severity": "高い", - "text": "Azure OpenAI またはその他の LLM の利用規約、ポリシー、ガイダンス、および許可されたユース ケースを順守する", - "waf": "オペレーショナルエクセレンス" + "text": "データ処理への影響 (サービス プロバイダー/サービス コンシューマー モデル) が明確で文書化されているか", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "severity": "中程度", - "text": "基本モデルと微調整されたモデルおよびトークンのステップサイズのコストの違いを理解する", - "waf": "コストの最適化" + "text": "コンプライアンス上の理由で必要な場合にのみ、vSAN に CMK (カスタマー マネージド キー) を使用することを検討してください。", + "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", "severity": "高い", - "text": "可能であれば、呼び出しごとのオーバーヘッドを最小限に抑え、全体的なコストを削減できるバッチ要求。バッチサイズを確実に最適化する", - "waf": "コストの最適化" + "text": "Azure VMware Solution のコア監視分析情報を有効にするダッシュボードを作成するCreate dashboards to enable a core Azure VMware Solution monitoring insights", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "モデルの使用状況を監視するコスト追跡システムを設定し、その情報を使用してモデルの選択とプロンプトのサイズを通知します", - "waf": "コストの最適化" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", + "severity": "高い", + "text": "Azure VMware Solution のパフォーマンス (CPU >80%、平均メモリ >80%、vSAN >70%) に関する自動アラートの重大しきい値の警告アラートを作成する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "モデル応答あたりのトークン数に上限を設定します。サイズを最適化して、有効な応答に十分な大きさになるようにします", - "waf": "コストの最適化" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", + "severity": "高い", + "text": "vSAN の消費量が 75% を下回っているかどうかを監視するための重要なアラートが作成されていることを確認します (これは VMware からのサポートしきい値です)。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "信頼性のための AI 検索の設定に関するガイダンスを確認します", - "waf": "オペレーショナルエクセレンス" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", + "severity": "高い", + "text": "Azure Service Health のアラートと通知に対してアラートが構成されていることを確認する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": 
"Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "severity": "中程度", - "text": "AI Search Vector ストレージの計画と管理", - "waf": "オペレーショナルエクセレンス" + "text": "処理のために Azure Storage アカウントまたは Azure EventHub に送信するように Azure VMware Solution ログを構成する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "中程度", - "text": "LLMOpsプラクティスを適用して、GenAIアプリケーションのライフサイクル管理を自動化します", - "waf": "オペレーショナルエクセレンス" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", + "severity": "低い", + "text": "VMware vSphere での詳細な分析情報が必要な場合:vRealize Operations や vRealize Network Insights がソリューションで使用されていますか?", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "severity": "高い", - "text": "請求モデルの使用状況の評価 - PAYG と PTU の比較", - "waf": "コストの最適化" + "text": "仮想マシンの vSAN ストレージ ポリシーはシック プロビジョニングを適用するため、このポリシーがデフォルトのストレージ 
ポリシーではないことを確認します", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", "severity": "中程度", - "text": "モデルバージョンを切り替える際のプロンプトとアプリケーションの品質を評価する", - "waf": "オペレーショナルエクセレンス" + "text": "vSAN は有限のリソースであるため、vSphere コンテンツ ライブラリが vSAN に配置されていないことを確認する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", "severity": "中程度", - "text": "GenAIアプリを評価、監視、改良して、接地性、関連性、精度、一貫性、流暢さなどの機能を確認します。", - "waf": "オペレーショナルエクセレンス" + "text": "バックアップ ソリューションのデータ リポジトリが vSAN ストレージの外部に保存されていることを確認します。Azure ネイティブまたはディスク プールでバックアップされるデータストア上", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", "severity": "中程度", - "text": "さまざまな検索パラメーターに基づいて Azure AI Search の結果を評価する", - "waf": "オペレーショナルエクセレンス" + "text": "Azure Arc for Servers を使用して Azure VMware Solution で実行されているワークロードがハイブリッド管理されていることを確認する 
(Arc for Azure VMware Solution はプレビュー段階です)", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "severity": "中程度", - "text": "精度を向上させる方法としてモデルの微調整を検討するのは、データを使用してプロンプトエンジニアリングやRAGなどの他の基本的なアプローチを試した場合のみです", - "waf": "オペレーショナルエクセレンス" + "text": "Azure VMware Solution で実行されているワークロードが Azure Log Analytics と Azure Monitor を使用して監視されていることを確認する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "severity": "中程度", - "text": "プロンプトエンジニアリング手法を使用して、LLM応答の精度を向上させる", - "waf": "オペレーショナルエクセレンス" + "text": "Azure VMware Solution で実行されているワークロードを、既存の更新プログラム管理ツールまたは Azure Update Management に含める", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", "severity": "中程度", - "text": "GenAIアプリケーションをレッドチーム化", + "text": 
"Azure Policy を使用して、Azure の管理、監視、セキュリティ ソリューションに Azure VMware Solution ワークロードをオンボードする", + "waf": "オペレーションズ" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", + "severity": "中程度", + "text": "Azure VMware Solution で実行されているワークロードが Microsoft Defender for Cloud にオンボードされていることを確認する", "waf": "安全" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "severity": "中程度", - "text": "エンドユーザーにLLM応答のスコアリングオプションを提供し、これらのスコアを追跡します。", - "waf": "オペレーショナルエクセレンス" + "text": "vSAN は有限のリソースであるため、バックアップが vSAN に保存されないようにする", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", - "severity": "高い", - "text": "クォータ管理の実践を検討する", - "waf": "コストの最適化" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", + "severity": "中程度", + "text": "すべてのDRソリューションが検討され、ビジネスに最適なソリューションが決定されましたか?[SRM/JetStream/Zerto/Veeam/...]", + "waf": "確実" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "Azure OpenAI", + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "severity": "中程度", - "text": "APIM ベースのゲートウェイなどのロード バランサー ソリューションを使用して、サービスやリージョン間で負荷と容量を分散します", - "waf": "オペレーショナルエクセレンス" + "text": "ディザスター リカバリー テクノロジがネイティブの Azure IaaS の場合は、Azure Site Recovery を使用します", + "waf": "確実" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", - "severity": "中程度", - "text": "Azure リソースの管理には 1 つの Entra テナントを使用します (マルチテナントに対する明確な規制要件やビジネス要件がない限り)。", - "waf": "オペレーションズ" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", + "severity": "高い", + "text": "いずれかの災害ソリューションで自動復旧計画を使用し、手動タスクを可能な限り回避します", + "waf": "確実" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "低い", - "text": "マルチテナント自動化アプローチを使用して、Microsoft Entra ID テナントを管理します。", - "waf": "オペレーションズ" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", + "severity": "中程度", + "text": "地政学的リージョンのペアをセカンダリディザスタリカバリ環境として使用する", + "waf": "確実" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", "severity": "高い", - "text": "同じ ID でマルチテナント管理に Azure Lighthouse を使用します。", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", - "waf": "オペレーションズ" + "text": "リージョン間で 2 つの異なるアドレス空間を使用します (例: 10.0.0.0/16 と 192.168.0.0/16)。", + "waf": "確実" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", - "severity": "高い", - "text": "テナントを管理するためのアクセス権をパートナーに付与する場合は、Azure Lighthouse を使用します。", - "waf": "費用" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", + "severity": "中程度", + "text": "ExpressRoute Global Reach は、プライマリとセカンダリの Azure VMware Solution プライベート クラウド間の接続に使用されますか、それともネットワーク仮想アプライアンスを介してルーティングされますか?", + "waf": "確実" }, { - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", - "severity": "高い", - "text": "クラウド運用モデルに合わせた RBAC モデルを適用します。管理グループとサブスクリプション全体のスコープと割り当て。", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", + "severity": "中程度", + "text": "すべてのバックアップソリューションが検討され、ビジネスに最適なソリューションが決定されましたか?[ MABS/CommVault/Metallic.io/Veeam/ . 
]", + "waf": "確実" }, { - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", - "severity": "高い", - "text": "すべてのアカウントの種類に対して、認証の種類である [職場または学校アカウント] のみを使用します。Microsoftアカウントの使用は避けてください", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", + "severity": "中程度", + "text": "バックアップ ソリューションを Azure VMware Solution プライベート クラウドと同じリージョンにデプロイする", + "waf": "確実" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "severity": "中程度", - "text": "権限の割り当てには、グループのみを使用してください。グループ管理システムがすでに導入されている場合は、オンプレミス グループを Entra ID のみのグループに追加します。", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "安全" + "text": "バックアップ ソリューションを vSan の外部の Azure ネイティブ コンポーネントにデプロイする", + "waf": "確実" }, { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", - "severity": "高い", - "text": "Azure 環境に対する権限を持つすべてのユーザーに対して、Microsoft Entra ID 条件付きアクセス ポリシーを適用します。", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "安全" + 
"arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", + "severity": "低い", + "text": "Azure プラットフォームによって管理されている VMware コンポーネントの復元を要求するプロセスは用意されていますか?", + "waf": "確実" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", - "severity": "高い", - "text": "Azure 環境に対する権限を持つすべてのユーザーに多要素認証を適用します。", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", + "severity": "低い", + "text": "手動デプロイの場合、すべての構成とデプロイを文書化する必要があります", + "waf": "オペレーションズ" }, { - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", - "severity": "中程度", - "text": "Microsoft Entra ID Privileged Identity Management (PIM) を適用して、ゼロスタンディング アクセスと最小特権を確立します。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "severity": "低い", + "text": "手動デプロイの場合は、Azure VMware Solution プライベート クラウドでの偶発的なアクションを防ぐために、リソース ロックの実装を検討してください", + "waf": "オペレーションズ" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview", - "service": "Entra", - "severity": "中程度", - "text": "Active Directory Domain Services から Entra ドメイン 
サービスへの切り替えを計画している場合は、すべてのワークロードの互換性を評価します。", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "低い", + "text": "自動デプロイの場合は、最小限のプライベート クラウドをデプロイし、必要に応じてスケーリングします", + "waf": "オペレーションズ" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", - "severity": "中程度", - "text": "Microsoft Entra ID ログをプラットフォーム中央の Azure Monitor と統合します。Azure Monitor を使用すると、Azure のログと監視データに関する信頼できる唯一の情報源を使用できるため、ログの収集と保持に関する要件を満たすためのクラウド ネイティブ オプションを組織に提供できます。", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "低い", + "text": "自動デプロイの場合は、デプロイを開始する前にクォータを要求または予約します", + "waf": "オペレーションズ" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", - "severity": "高い", - "text": "テナント全体のアカウント ロックアウトを防ぐために、緊急アクセスまたは非常用アカウントを実装します。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "低い", + "text": "自動デプロイの場合は、適切なガバナンスのために、自動化または Azure Policy を使用して関連するリソース ロックが作成されていることを確認します", + "waf": "オペレーションズ" }, { - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": 
"https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", - "severity": "中程度", - "text": "特に必要なシナリオがない限り、Microsoft Entra ID ロールの割り当てにオンプレミスの同期アカウントを使用しないでください。", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "低い", + "text": "ExR 認証キーに人間が理解できる名前を実装して、キーの目的/用途を簡単に識別できるようにします", + "waf": "オペレーションズ" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", - "severity": "中程度", - "text": "Microsoft Entra ID アプリケーション プロキシを使用してリモート ユーザーにアプリケーションへのアクセス権を付与する場合は、テナントごとに 1 つのインスタンスしか持つことができないため、プラットフォーム リソースとして管理します。", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", + "severity": "低い", + "text": "Azure VMware Solution と ExpressRoute のデプロイに個別のサービス プリンシパルを使用する場合は、キー コンテナーを使用してシークレットと承認キーを格納します", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", - "severity": "中程度", - "text": "ハブアンドスポークネットワークトポロジは、最大限の柔軟性を必要とするネットワークシナリオに使用します。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + 
"guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "低い", + "text": "Azure VMware Solution では限られた数の並列操作しかサポートされないため、Azure VMware Solution に多くのリソースをデプロイする必要がある場合に、IaC でアクションをシリアル化するためのリソースの依存関係を定義します。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", - "service": "VNet", - "severity": "高い", - "text": "ExpressRoute ゲートウェイ、VPN ゲートウェイ、Azure Firewall またはパートナー NVA などの共有ネットワーク サービスを中央ハブ仮想ネットワークにデプロイします。必要に応じて、DNS サービスもデプロイします。", - "waf": "費用" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "低い", + "text": "単一の Tier-1 ゲートウェイで NSX-T セグメントの自動構成を実行する場合は、NSX-Manager API ではなく Azure Portal API を使用します", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", - "severity": "高い", - "text": "アプリケーション ランディング ゾーン内のすべてのパブリック IP アドレスに対して、DDoS ネットワークまたは IP 保護プランを使用します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", + "severity": "中程度", + "text": "自動スケールアウトを使用する場合は、Azure VMware Solution を実行しているサブスクリプションに対して十分な Azure VMware Solution クォータを申請してください", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - 
"link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "中程度", - "text": "パートナー ネットワーク テクノロジまたは NVA をデプロイする場合は、パートナー ベンダーのガイダンスに従ってください。", - "waf": "確実" + "text": "自動スケールインを使用する場合は、そのようなアクションを実行する前に、ストレージ ポリシーの要件を必ず考慮してください", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "severity": "低い", - "text": "ハブ アンド スポークのシナリオで ExpressRoute ゲートウェイと VPN ゲートウェイ間のトランジットが必要な場合は、Azure Route Server を使用します。", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", + "severity": "中程度", + "text": "スケーリング操作は、一度に 1 つのスケール操作しか実行できないため、常に 1 つの SDDC 内でシリアル化する必要があります (複数のクラスタが使用されている場合でも)", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Network/virtualHubs", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", - "severity": "低い", 
- "text": "Route Server を使用する場合は、Route Server サブネットに /27 プレフィックスを使用します。", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", + "severity": "中程度", + "text": "アーキテクチャで使用されるサードパーティソリューションでのスケーリング操作を検討および検証します(サポートされているかどうか)", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", "severity": "中程度", - "text": "Azure リージョン間で複数のハブ アンド スポーク トポロジを持つネットワーク アーキテクチャの場合は、ハブ VNet 間でグローバル仮想ネットワーク ピアリングを使用して、リージョンを相互に接続します。", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "text": "自動化で環境のスケールイン/スケールアウトの上限を定義して適用する", "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", "severity": "中程度", - "text": "Azure Monitor for Networks を使用して、Azure 上のネットワークのエンドツーエンドの状態を監視します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "text": "監視ルールを実装して、自動スケーリング操作を監視し、成功と失敗を監視して、適切な (自動化された) 応答を有効にします", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone 
Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "中程度", - "text": "リージョンに 400 を超えるスポーク ネットワークがある場合は、VNet ピアリングの制限 (500) と ExpressRoute 経由でアドバタイズできるプレフィックスの最大数 (1000) をバイパスするために、追加のハブをデプロイします。", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "高い", + "text": "MONを使用する場合は、同時に構成されたVMの制限(HCXのMON制限[400 - 標準、1000 - 大規模アプライアンス])に注意してください", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "確実" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "中程度", - "text": "ルート テーブルあたりのルート数を 400 に制限します。", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "高い", + "text": "MON を使用する場合、100 を超えるネットワーク拡張で MON を有効にすることはできません", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "確実" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", - "severity": "高い", - "text": "VNet ピアリングを構成するときは、\"リモート仮想ネットワークへのトラフィックを許可する\" 設定を使用します。", - "waf": "確実" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", + "severity": "中程度", + "text": "移行に VPN 接続を使用する場合は、それに応じて MTU サイズを調整します。", + "waf": "パフォーマンス" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", "severity": "中程度", - "text": "ExpressRoute Direct を使用している場合は、組織のルーターと MSEE の間のレイヤー 2 レベルでトラフィックを暗号化するために MACsec を構成します。この図は、フロー内のこの暗号化を示しています。", - "waf": "安全" + "text": "Azure に接続する接続性の低いリージョン (500 Mbps 以下) の場合は、HCX WAN 最適化アプライアンスのデプロイを検討してください", + "waf": "パフォーマンス" }, { - "arm-service": 
"microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", - "service": "ExpressRoute", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "severity": "中程度", - "text": "MACsec がオプションではないシナリオ (ExpressRoute Direct を使用しない場合など) は、VPN ゲートウェイを使用して、ExpressRoute プライベート ピアリング経由で IPsec トンネルを確立します。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "安全" + "text": "移行がオンプレミスアプライアンスから開始され、クラウドアプライアンスから開始されていないことを確認します(逆移行は実行しないでください)", + "waf": "確実" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", - "severity": "高い", - "text": "Azure リージョンとオンプレミスの場所間で重複する IP アドレス空間が使用されていないことを確認します。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", + "severity": "中程度", + "text": "Azure NetApp Files を使用して Azure VMware Solution のストレージを拡張する場合は、VM に直接接続するのではなく、これを VMware データストアとして使用することを検討してください。", + "waf": "確実" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = 
todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", "severity": "中程度", - "text": "プライベートインターネットのアドレス割り当て範囲(RFC 1918)のIPアドレスを使用します。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "安全" + "text": "専用の ExpressRoute ゲートウェイが外部データ ストレージ ソリューションに使用されていることを確認する", + "waf": "確実" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "高い", - "text": "IP アドレス空間が無駄にならないようにし、不必要に大規模な仮想ネットワーク (/16 など) を作成しないでください。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": 
"パフォーマンス" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", + "severity": "中程度", + "text": "外部データ ストレージ ソリューションに使用されている ExpressRoute ゲートウェイで FastPath が有効になっていることを確認します", + "waf": "確実" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", "severity": "高い", - "text": "運用サイトとディザスター リカバリー サイトで重複する IP アドレス範囲を使用しないでください。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "ストレッチ クラスタを使用している場合は、選択したディザスタ リカバリ ソリューションがベンダーによってサポートされていることを確認します", "waf": "確実" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", - "severity": "中程度", - "text": "Azure での名前解決が必要な環境では、Azure プライベート DNS を使用して解決し、名前解決に委任されたゾーン ('azure.contoso.com' など) を使用します。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "オペレーションズ" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", + "severity": "高い", + "text": "ストレッチ クラスターを使用する場合は、提供される SLA が要件を満たしていることを確認します", + "waf": "確実" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", - "severity": "中程度", - "text": "Azure とオンプレミス間での名前解決が必要で、Active Directory のような既存のエンタープライズ DNS サービスがない環境の場合は、Azure DNS Private Resolver を使用して DNS 要求を Azure またはオンプレミスの DNS サーバーにルーティングします。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", + "severity": "高い", + "text": "ストレッチ クラスターを使用している場合は、両方の ExpressRoute 回線が接続ハブに接続されていることを確認します。", + "waf": "確実" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "低い", - "text": "独自の DNS が必要でデプロイする特別なワークロード (Red Hat OpenShift など) は、優先する DNS ソリューションを使用する必要があります。", - "waf": "オペレーションズ" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", + "severity": "高い", + "text": "ストレッチ クラスターを使用している場合は、両方の ExpressRoute 回線で GlobalReach が有効になっていることを確認します。", + "waf": "確実" }, { - "arm-service": 
"Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", "severity": "高い", - "text": "Azure DNS の自動登録を有効にすると、仮想ネットワーク内にデプロイされた仮想マシンの DNS レコードのライフサイクルが自動的に管理されます。", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "オペレーションズ" + "text": "サイトの耐障害性の設定を適切に検討し、必要に応じてビジネスに合わせて変更しましたか?", + "waf": "確実" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ストレージに関連する Microsoft クラウド セキュリティ ベンチマークのガイダンスを適用する", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "中程度", - "text": "Azure Bastion を使用して、ネットワークに安全に接続します。", + "text": "\"ストレージの Azure セキュリティ ベースライン\" を検討する", "waf": "安全" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, 
compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "既定では、Azure Storage にはパブリック IP アドレスがあり、インターネットにアクセス可能です。プライベート エンドポイントを使用すると、アクセスが必要な Azure コンピューティング リソースにのみ Azure Storage を安全に公開できるため、パブリック インターネットへの露出を排除できます", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "severity": "高い", + "text": "Azure Storage にプライベート エンドポイントを使用することを検討する", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "新しく作成されたストレージ アカウントは、RBAC や監査などがすべて有効になるように、ARM デプロイ モデルを使用して作成されます。サブスクリプションにクラシック デプロイ モデルの古いストレージ アカウントがないことを確認する", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "severity": "中程度", - "text": "Azure Bastion は、/26 以上のサブネットで使用します。", + "text": "古いストレージ アカウントで \"クラシック デプロイ モデル\" が使用されていないことを確認する", "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Microsoft Defender を活用して、不審なアクティビティや構成ミスについて学習します。", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", + "severity": "高い", + "text": "すべてのストレージ アカウントに対して Microsoft Defender 
を有効にする", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "論理的な削除メカニズムを使用すると、誤って削除された BLOB を回復できます。", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "中程度", - "text": "Azure Front Door と WAF ポリシーを使用して、ランディング ゾーンへの受信 HTTP/S 接続に対して Azure リージョン間でグローバルな保護を提供します。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "BLOB の \"論理的な削除\" を有効にする", "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "低い", - "text": "Azure Front Door と Azure Application Gateway を使用して HTTP/S アプリを保護する場合は、Azure Front Door の WAF ポリシーを使用します。Azure Application Gateway をロックダウンして、Azure Front Door からのトラフィックのみを受信するようにします。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由などから、削除された情報がすぐに削除されるようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナーに対して \"論理的な削除\" を選択的に無効にすることを検討してください。", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", + "severity": "中程度", + "text": "BLOB の '論理的な削除' を無効にする", "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", + "arm-service": 
"Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "コンテナーの論理的な削除を使用すると、コンテナーが削除された後に回復できます (たとえば、偶発的な削除操作から回復します)。", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "severity": "高い", - "text": "受信 HTTP/S 接続に WAF やその他のリバース プロキシが必要な場合は、ランディング ゾーン仮想ネットワーク内にデプロイし、保護してインターネットに公開するアプリと共にデプロイします。", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "コンテナーの \"論理的な削除\" を有効にする", "waf": "安全" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "高い", - "text": "Azure DDoS ネットワークまたは IP Protection プランを使用して、仮想ネットワーク内のパブリック IP アドレス エンドポイントを保護します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "たとえば、機密性、プライバシー、コンプライアンス上の理由などから、削除された情報がすぐに削除されるようにアプリケーションで確認する必要がある場合など、特定の BLOB コンテナーに対して \"論理的な削除\" を選択的に無効にすることを検討してください。", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", + "severity": "中程度", + "text": "コンテナーの \"論理的な削除\" を無効にする", "waf": "安全" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": 
"削除前に削除ロックを最初に解除するようにユーザーに強制することで、ストレージ アカウントが誤って削除されないようにします", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "severity": "高い", - "text": "ネットワークの送信トラフィックの構成と戦略を管理する方法を、今後の破壊的変更の前に計画します。2025 年 9 月 30 日に、新しいデプロイの既定の送信アクセスは廃止され、明示的なアクセス構成のみが許可されます。", - "waf": "確実" + "text": "ストレージ アカウントでのリソース ロックの有効化", + "waf": "安全" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "BLOB の \"訴訟ホールド\" または \"時間ベースの保持\" ポリシーを検討して、BLOB、コンテナー、またはストレージ アカウントを削除できないようにします。「不可能」は実際には「不可能」を意味することに注意してください。ストレージ アカウントに不変の BLOB が含まれる場合、そのストレージ アカウントを \"取り除く\" 唯一の方法は、Azure サブスクリプションを取り消すことです。", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "severity": "高い", - "text": "診断設定を追加して、保護されたすべてのパブリック IP アドレス (DDoS IP またはネットワーク保護) の DDoS 関連のログを保存します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "不変の BLOB を検討する", "waf": "安全" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Policy", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ストレージ アカウントへの保護されていない HTTP/80 アクセスを無効にして、すべてのデータ転送が暗号化され、整合性が保護され、サーバーが認証されるようにすることを検討してください。", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": 
"https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", "severity": "高い", - "text": "Virtual Machines に直接関連付けられているパブリック IP アドレスを拒否するポリシーの割り当てがあることを確認します。 特定の VM でパブリック IP が必要な場合は、除外を使用します。", + "text": "HTTPS を要求する (つまり、ストレージ アカウントのポート 80 を無効にする)", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", - "severity": "中程度", - "text": "ExpressRoute を Azure へのプライマリ接続として使用します。 バックアップ接続のソースとして VPN を使用します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ストレージ アカウントでカスタム ドメイン (ホスト名) を構成する場合は、TLS/HTTPS が必要かどうかを確認します。その場合は、ストレージ アカウントの前に Azure CDN を配置する必要があります。", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", + "severity": "高い", + "text": "HTTPS を適用する (HTTP を無効にする) 場合は、ストレージ アカウントにカスタム ドメイン (CNAME) を使用していないことを確認します。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "description": "AS パスの先頭と接続の重みを使用して Azure からオンプレミスへのトラフィックに影響を与えたり、独自のルーターの BGP 属性の全範囲を使用してオンプレミスから Azure へのトラフィックに影響を与えたりできます。", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "クライアントが SAS トークンを使用して BLOB データにアクセスするときに HTTPS を要求すると、資格情報が失われるリスクを最小限に抑えることができます。", + "guid": 
"6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "中程度", - "text": "複数の ExpressRoute 回線または複数のオンプレミスの場所を使用する場合は、BGP 属性を使用してルーティングを最適化します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" + "text": "Shared Access Signature (SAS) トークンを HTTPS 接続のみに制限する", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", - "severity": "中程度", - "text": "ExpressRoute/VPN ゲートウェイの適切な SKU は、帯域幅とパフォーマンスの要件に基づいて選択してください。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "AAD トークンは、可能な限り、共有アクセス署名よりも優先する必要があります", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", + "severity": "高い", + "text": "BLOB アクセスに Azure Active Directory (Azure AD) トークンを使用する", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = 
(tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ユーザー、グループ、またはアプリケーションにロールを割り当てる場合は、タスクの実行に必要なアクセス許可のみをセキュリティ プリンシパルに付与します。リソースへのアクセスを制限することで、意図しないデータの誤用と悪意のあるデータの誤用の両方を防ぐことができます。", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", + "severity": "中程度", + "text": "IaM アクセス許可の最小特権", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ユーザー委任 SAS は、Azure Active Directory (Azure AD) 資格情報と、SAS に指定されたアクセス許可によってセキュリティで保護されます。ユーザー委任 SAS は、そのスコープと機能の点でサービス SAS に似ていますが、サービス SAS よりもセキュリティ上の利点があります。", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", "severity": "高い", - "text": "無制限のデータ ExpressRoute 回線を使用しているのは、そのコストを正当化する帯域幅に達した場合にのみしてください。", - "waf": "費用" + "text": "SAS を使用する場合は、ストレージ アカウント キー ベースの SAS よりも \"ユーザー委任 SAS\" を優先します。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - 
"link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ストレージ アカウント キー (\"共有キー\") には、監査機能がほとんどありません。誰がいつキーのコピーを取得したかを監視できますが、キーが複数の人の手に渡ると、使用状況を特定のユーザーに帰属させることは不可能です。AAD 認証のみに依存することで、ストレージへのアクセスをユーザーに結び付けやすくなります。", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", "severity": "高い", - "text": "ExpressRoute のローカル SKU を活用して、回線のコストを削減します (回線ピアリングの場所がローカル SKU の Azure リージョンをサポートしている場合)。", - "waf": "費用" + "text": "ストレージ アカウント キーを無効にして、AAD アクセス (およびユーザー委任 SAS) のみがサポートされるようにすることを検討してください。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", - "severity": "中程度", - "text": "ゾーン冗長 ExpressRoute ゲートウェイをサポートされている Azure リージョンにデプロイします。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "アクティビティ ログ データを使用して、ストレージ アカウントのセキュリティ (ストレージ アカウント キー、アクセス ポリシーなど) が \"いつ、誰が、何を、\"どのように\" 表示または変更されているかを特定します。", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "高い", + "text": "Azure Monitor を使用して、ストレージ アカウントに対するコントロール プレーン操作を監査することを検討してください", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "キーの有効期限ポリシーを使用すると、アカウントアクセスキーのローテーションのリマインダーを設定できます。リマインダーは、指定した間隔が経過し、キーがまだローテーションされていない場合に表示されます。", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "中程度", - "text": "10 Gbps を超える帯域幅または専用の 10/100 Gbps ポートが必要なシナリオでは、ExpressRoute Direct を使用します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" + "text": "ストレージ アカウント キーを使用する場合は、\"キーの有効期限ポリシー\" を有効にすることを検討してください", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS 有効期限ポリシーでは、SAS が有効である推奨間隔を指定します。SAS 有効期限ポリシーは、サービス SAS またはアカウント SAS に適用されます。ユーザーがサービス SAS またはアカウント SAS を、推奨間隔よりも長い有効期間で生成すると、警告が表示されます。", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": 
"中程度", - "text": "待機時間を短くする必要がある場合、またはオンプレミスから Azure へのスループットを 10 Gbps より大きくする必要がある場合は、FastPath を有効にして、データ パスから ExpressRoute ゲートウェイをバイパスします。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" + "text": "SAS 有効期限ポリシーの構成を検討する", + "waf": "安全" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "保存されているアクセス ポリシーを使用すると、ストレージ アカウント キーを再生成することなく、サービス SAS のアクセス許可を取り消すことができます。", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "severity": "中程度", - "text": "ゾーン冗長 VPN ゲートウェイを使用して、ブランチまたはリモートの場所を Azure (使用可能な場合) に接続します。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "確実" + "text": "保存されているアクセス ポリシーに SAS をリンクすることを検討する", + "waf": "安全" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + 
"service": "Azure Storage", "severity": "中程度", - "text": "オンプレミスで冗長な VPN アプライアンス (アクティブ/アクティブまたはアクティブ/パッシブ) を使用します。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "確実" + "text": "チェックインされた接続文字列とストレージ アカウント キーを検出するようにアプリケーションのソース コード リポジトリを構成することを検討してください。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "理想的には、アプリケーションでマネージド ID を使用して Azure Storage に対する認証を行う必要があります。それが不可能な場合は、ストレージ資格情報 (接続文字列、ストレージ アカウント キー、SAS、サービス プリンシパル資格情報) を Azure KeyVault または同等のサービスに用意することを検討してください。", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "severity": "高い", - "text": "ExpressRoute Direct を使用する場合は、コストを節約するために、ローカル Azure リージョンへの ExpressRoute ローカル回線を使用することを検討してください。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "費用" + "text": "接続文字列を Azure KeyVault に格納することを検討する (マネージド ID が不可能なシナリオの場合)", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", - "severity": "中程度", - "text": "運用環境と非運用環境を分離する場合など、トラフィックの分離または専用の帯域幅が必要な場合は、異なる ExpressRoute 回線を使用します。これにより、ルーティングドメインを分離し、ノイズの多い隣人のリスクを軽減できます。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "arm-service": "Microsoft.Storage/storageAccounts", + 
"checklist": "Azure Blob Storage Review", + "description": "アドホック SAS サービス SAS またはアカウント SAS で、有効期限が近づいています。このように、SAS が侵害された場合でも、有効期間は短時間です。この方法は、保存されているアクセス ポリシーを参照できない場合に特に重要です。また、有効期限が近いと、BLOB にアップロードできる時間が制限されるため、BLOB に書き込めるデータの量も制限されます。", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "高い", + "text": "アドホックSASの有効期間を短くする", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS を作成するときは、できるだけ具体的かつ制限的にしてください。1 つのリソースと操作には、より広範なアクセスを提供する SAS よりも SAS を優先します。", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "中程度", - "text": "ExpressRoute の可用性と使用率は、組み込みの Express Route Insights を使用して監視します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "オペレーションズ" + "text": "SAS に狭いスコープを適用する", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS には、SAS を使用してリソースを要求する権限をクライアント IP アドレスまたはアドレス範囲に与えるパラメーターを含めることができます。", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": 
"https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "中程度", - "text": "接続モニターは、ネットワーク全体 (特にオンプレミスと Azure の間) の接続監視に使用します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "オペレーションズ" + "text": "可能な限り、SAS のスコープを特定のクライアント IP アドレスに設定することを検討してください", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", - "service": "ExpressRoute", - "severity": "中程度", - "text": "冗長性を確保するために、さまざまなピアリングの場所から ExpressRoute 回線を使用します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS は、クライアントがアップロードするデータの量を制限できません。時間の経過に伴うストレージ容量の価格モデルを考えると、クライアントが悪意を持って大きなコンテンツをアップロードしたかどうかを検証することは理にかなっているかもしれません。", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "低い", + "text": "クライアントが SAS を使用してファイルをアップロードした後、アップロードされたデータを確認することを検討してください。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": 
"Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", - "severity": "中程度", - "text": "ExpressRoute 回線を 1 つだけ使用する場合は、ExpressRoute のフェールオーバーとしてサイト間 VPN を使用します。", - "waf": "確実" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "\"ローカル ユーザー アカウント\" を使用して SFTP 経由で BLOB ストレージにアクセスする場合、\"通常の\" RBAC 制御は適用されません。NFS または REST 経由の BLOB アクセスは、SFTP アクセスよりも制限が厳しい場合があります。残念ながら、2023 年初頭の時点で、SFTP エンドポイントで現在サポートされている ID 管理の形式はローカル ユーザーだけです", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "高い", + "text": "SFTP: SFTPアクセスの「ローカルユーザー」の数を制限し、時間の経過とともにアクセスが必要かどうかを監査します。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", - "severity": "高い", - "text": "GatewaySubnet でルート テーブルを使用している場合は、ゲートウェイ ルートが伝達されていることを確認してください。", - "waf": "確実" + 
"arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", + "severity": "中程度", + "text": "SFTP: SFTP エンドポイントは、POSIX ライクな ACL をサポートしていません。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "ストレージは、CORS (Cross-Origin Resource Sharing)、つまり、異なるドメインの Web アプリが同一生成元ポリシーを緩めることを可能にする HTTP 機能をサポートしています。CORS を有効にする場合は、CorsRules を最小の特権に保ちます。", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "severity": "高い", - "text": "ExpressRoute を使用する場合、オンプレミスのルーティングは動的である必要があり、接続エラーが発生した場合は、回線の残りの接続に収束する必要があります。負荷は、アクティブ/アクティブとして両方の接続で共有するのが理想的ですが、アクティブ/パッシブもサポートされています。", - "waf": "確実" + "text": "過度に広範な CORS ポリシーを避ける", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "保存データは常にサーバー側で暗号化され、さらにクライアント側でも暗号化される場合があります。サーバー側の暗号化は、プラットフォーム マネージド キー (既定) またはカスタマー マネージド キーを使用して行われる場合があります。クライアント側の暗号化は、クライアントが 
BLOB ごとに暗号化/暗号化解除キーを Azure Storage に提供するか、クライアント側で暗号化を完全に処理することによって行われます。そのため、機密性の保証を Azure Storage にまったく依存しません。", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", + "severity": "高い", + "text": "保存データの暗号化方法を決定します。データのスレッド モデルを理解します。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "severity": "中程度", - "text": "ExpressRoute 回線の 2 つの物理リンクが、ネットワーク内の 2 つの異なるエッジ デバイスに接続されていることを確認します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" + "text": "どのプラットフォーム暗号化を使用するか、または使用するかを決定します。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "severity": "中程度", - "text": "BFD(Bidirectional Forwarding Detection)が顧客またはプロバイダのエッジルーティングデバイスで有効で設定されていることを確認します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" + "text": "クライアント側の暗号化を使用するかどうかを決定します。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - 
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Resource Graph エクスプローラー (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) を利用して、匿名 BLOB アクセスを許可するストレージ アカウントを検索します。", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "severity": "高い", - "text": "ExpressRoute ゲートウェイを異なるピアリングの場所から 2 つ以上の回線に接続すると、回復性が向上します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "確実" + "text": "パブリック BLOB アクセスが必要かどうか、または特定のストレージ アカウントに対して無効にできるかどうかを検討します。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", "severity": "中程度", - "text": "ExpressRoute 仮想ネットワーク ゲートウェイの診断ログとアラートを構成します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "グローバルレベルでのエラー処理ポリシーの実装", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": 
"https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", "severity": "中程度", - "text": "VNet 間通信に ExpressRoute 回線を使用しないでください。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "パフォーマンス" + "text": "すべての API ポリシーに要素が含まれていることを確認します。", + "waf": "オペレーションズ" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "N/A", - "severity": "低い", - "text": "検査のために Azure トラフィックをハイブリッドの場所に送信しないでください。 代わりに、Azure のリソース間の通信が Microsoft バックボーン ネットワーク経由で行われるように、\"Azure のトラフィックは Azure にとどまる\" という原則に従います。", - "waf": "パフォーマンス" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", + "severity": "中程度", + "text": "ポリシーフラグメントを使用して、複数の API で同じポリシー定義を繰り返さないようにする", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/firewall/overview", - "service": "Firewall", - "severity": "高い", - "text": "Azure Firewall を使用して、インターネットへの Azure 送信トラフィック、HTTP/S 以外の受信接続、East/West トラフィック フィルタリング (組織で必要な場合) を管理します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + 
"guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", + "severity": "中程度", + "text": "API の収益化を計画している場合は、「収益化のサポート」の記事でおすすめの方法をご確認ください", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", - "service": "Firewall", - "severity": "中程度", - "text": "グローバル ネットワーク環境全体のセキュリティ体制を管理するためのグローバル Azure Firewall ポリシーを作成し、それをすべての Azure Firewall インスタンスに割り当てます。Azure のロールベースのアクセス制御を介して、増分ファイアウォール ポリシーをローカル セキュリティ チームに委任することで、特定のリージョンの要件を満たすためのきめ細かなポリシーを可能にします。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", + "severity": "高い", + "text": "診断設定を有効にしてログを Azure Monitor にエクスポートする", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", - "severity": "低い", - "text": "サポートされているパートナー SaaS セキュリティプロバイダーを Firewall Manager 内で構成します。これは、組織がアウトバウンド接続を保護するためにそのようなソリューションを使用する場合です。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + 
"service": "APIM", + "severity": "中程度", + "text": "Application Insights を有効にして、より詳細なテレメトリを実現する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "高い", - "text": "アプリケーション・ルールを使用して、サポートされているプロトコルの宛先ホスト名でアウトバウンド・トラフィックをフィルタリングします。 FQDN ベースのネットワーク規則と Azure Firewall と DNS プロキシを使用して、他のプロトコル経由でインターネットへのエグレス トラフィックをフィルター処理します。", - "waf": "安全" + "text": "最も重要なメトリックに関するアラートを構成する", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "高い", - "text": "Azure Firewall Premium を使用して、追加のセキュリティ機能を有効にします。", + "text": "カスタム SSL 証明書が Azure 
Key Vault に格納され、安全にアクセスして更新できるようにする", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", - "service": "Firewall", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "severity": "高い", - "text": "Azure Firewall の脅威インテリジェンス モードを [アラート] と [拒否] に構成して、保護を強化します。", + "text": "Azure AD を使用して API (データ プレーン) への受信要求を保護する", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", - "severity": "高い", - "text": "Azure Firewall の IDPS モードを [拒否] に構成して、保護を強化します。", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", + "severity": "中程度", + "text": "Microsoft Entra ID を使用して開発者ポータルでユーザーを認証する", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone 
Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", - "severity": "高い", - "text": "Virtual WAN に接続されていない VNet 内のサブネットの場合は、インターネット トラフィックが Azure Firewall またはネットワーク仮想アプライアンスにリダイレクトされるようにルート テーブルをアタッチします。", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", + "severity": "中程度", + "text": "適切なグループを作成して、製品の可視性を制御します", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - 
"link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", "severity": "中程度", - "text": "診断設定を追加して、リソース固有の宛先テーブルを使用して、すべての Azure Firewall デプロイのログを保存します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "バックエンド機能を使用して、冗長な API バックエンド構成を排除します", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "severity": "大事な", - "text": "Azure Firewall クラシック ルール (存在する場合) からファイアウォール ポリシーに移行します。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", + "severity": "中程度", + "text": "名前付き値を使用して、ポリシーで使用できる共通の値を格納します", "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": 
"https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", - "severity": "高い", - "text": "Azure Firewall サブネットに /26 プレフィックスを使用します。", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "severity": "中程度", - "text": "ファイアウォールポリシー内のルールを、使用頻度に基づいて「ルールコレクショングループ」と「ルールコレクション」に整理します。", - "waf": "パフォーマンス" + "text": "DR の場合は、99.99% の SLA で 2 つ以上のリージョンにスケーリングされたデプロイで Premium レベルを活用します", + "waf": "確実" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", "severity": "中程度", - "text": "IP グループまたは IP プレフィックスを使用して、IP テーブル・ルールの数を減らします。", - "waf": "パフォーマンス" + "text": "少なくとも 1 つのユニットを 2 つ以上の可用性ゾーンにデプロイして、SLA を 99.99% に向上させる", + "waf": "確実" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", - "severity": "中程度", - "text": "DNATSのソースIPとしてワイルドカード(*やanyなど)を使用せず、受信DNATのソースIPを指定する必要があります。", - "waf": 
"パフォーマンス" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", + "severity": "高い", + "text": "自動バックアップ・ルーチンがあることを確認する", + "waf": "確実" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "severity": "中程度", - "text": "SNAT ポートの使用状況を監視し、NAT ゲートウェイの設定を評価し、シームレスなフェールオーバーを確保することで、SNAT ポートの枯渇を防ぎます。ポート数が制限に近づく場合は、SNAT の枯渇が差し迫っている可能性があります。", - "waf": "パフォーマンス" + "text": "ポリシーを使用して、フェイルオーバー・バックエンドURLとキャッシュを追加し、コールの失敗を減らします。", + "waf": "確実" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", - "severity": "高い", - "text": "Azure Firewall Premium を使用している場合は、TLS 検査を有効にします。", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", + "severity": "低い", + "text": "高パフォーマンス レベルでログを記録する必要がある場合は、Event Hubs ポリシーを検討してください", + "waf": "オペレーションズ" + }, + { + "arm-service": 
"Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", + "severity": "中程度", + "text": "調整ポリシーを適用して、毎秒の要求数を制御する", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "低い", - "text": "Web カテゴリを使用して、特定のトピックへの送信アクセスを許可または拒否します。", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", + "severity": "中程度", + "text": "負荷が増加したときにインスタンスの数をスケールアウトするように自動スケーリングを構成する", "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "severity": "中程度", - "text": "TLS 検査の一環として、Azure App Gateway からのトラフィックの受信を検査用に計画します。", + "text": "セルフホステッド ゲートウェイをデプロイする場所は、バックエンド API に近いリージョンが Azure にありません。", "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": 
"94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", "severity": "中程度", - "text": "Azure Firewall DNS プロキシ構成を有効にします。", - "waf": "安全" + "text": "運用環境のワークロードには Premium レベルを使用します。", + "waf": "確実" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", - "severity": "高い", - "text": "Azure Firewall を Azure Monitor と統合し、診断ログを有効にしてファイアウォール ログを格納および分析します。", - "waf": "オペレーションズ" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", + "severity": "中程度", + "text": "複数リージョン モデルでは、ポリシーを使用して、可用性または待機時間に基づいてリージョン バックエンドに要求をルーティングします。", + "waf": "確実" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "低い", - "text": "ファイアウォールルールのバックアップを実装する", - "waf": "オペレーションズ" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": 
"APIM", + "severity": "高い", + "text": "APIM の制限に注意する", + "waf": "確実" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", "severity": "高い", - "text": "0.0.0.0/0 ルートやコントロール プレーン トラフィックをブロックする NSG ルールなど、仮想ネットワークに挿入された Azure PaaS サービスのコントロール プレーン通信を中断しないでください。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "安全" + "text": "セルフホステッド ゲートウェイのデプロイに回復性があることを確認します。", + "waf": "確実" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "severity": "中程度", - "text": "オンプレミスからプライベート エンドポイントと ExpressRoute プライベート ピアリングを介して Azure PaaS サービスにアクセスします。この方法では、公共のインターネット経由のトランジットを回避できます。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "安全" + "text": "複数リージョンのデプロイに APIM の前で Azure Front Door を使用するUse Azure Front Door in front of APIM for multi-region deployment", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type 
=~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", - "severity": "高い", - "text": "既定では、すべてのサブネットで仮想ネットワーク サービス エンドポイントを有効にしないでください。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", + "severity": "中程度", + "text": "仮想ネットワーク (VNet) 内にサービスをデプロイするDeploy the service within a Virtual Network (VNet)", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "severity": "中程度", - "text": "Azure Firewall または NVA の IP アドレスではなく FQDN を使用して Azure PaaS サービスへのエグレス 
トラフィックをフィルター処理し、データの流出を防ぎます。Private Link を使用している場合は、すべての FQDN をブロックでき、それ以外の場合は必要な PaaS サービスのみを許可できます。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "ネットワーク セキュリティ グループ (NSG) をサブネットにデプロイして、APIM との間のトラフィックを制限または監視します。", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", - "severity": "高い", - "text": "Gateway サブネットには、少なくとも /27 プレフィックスを使用します。", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", + "severity": "中程度", + "text": "プライベート エンドポイントをデプロイして、APIM が VNet にデプロイされていない場合に受信トラフィックをフィルター処理します。", "waf": "安全" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", "severity": "高い", - "text": "VirtualNetwork サービス タグを使用して接続を制限する NSG 受信既定の規則に依存しないでください。", + "text": "パブリックネットワークアクセスの無効化", "waf": "安全" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": 
"0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", "severity": "中程度", - "text": "NSG を使用して、サブネット間のトラフィックと、プラットフォーム全体の East/West トラフィック (ランディング ゾーン間のトラフィック) を保護します。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", - "severity": "中程度", - "text": "NSG とアプリケーション セキュリティ グループを使用して、ランディング ゾーン内のトラフィックをマイクロセグメント化し、中央の NVA を使用してトラフィック フローをフィルター処理しないようにします。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", - "severity": "中程度", - "text": "VNet フロー ログを有効にし、Traffic Analytics にフィードして、内部および外部のトラフィック フローに関する分析情報を取得します。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "安全" + "text": "PowerShell 自動化スクリプトで管理を簡素化", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API 
Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", "severity": "中程度", - "text": "1000 ルールの制限があるため、NSG ごとに 900 を超える NSG ルールを実装しないでください。", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "waf": "確実" + "text": "Infrastructure-as-code を使用して APIM を構成します。Cloud Adaption Framework APIM Landing Zone Accelerator から DevOps のベスト プラクティスを確認する", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", "severity": "中程度", - "text": "Virtual WAN ルーティング設計の一覧にシナリオが明示的に説明されている場合は、Virtual WAN を使用します。", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "text": "Visual Studio Code APIM 拡張機能の使用を促進して API 開発を迅速化する", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", 
"severity": "中程度", - "text": "Azure リージョンごとに Virtual WAN ハブを使用して、共通のグローバル Azure Virtual WAN を介して Azure リージョン間で複数のランディング ゾーンを接続します。", - "waf": "パフォーマンス" + "text": "DevOpsとCI/CDをワークフローに実装する", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", "severity": "中程度", - "text": "送信インターネット トラフィックの保護とフィルタリングを行うには、セキュリティで保護されたハブに Azure Firewall をデプロイします。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "クライアント証明書認証を使用した API の保護", "waf": "安全" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", - "severity": "中程度", - "text": "Virtual WAN ネットワーク アーキテクチャが、特定されたアーキテクチャ シナリオと一致していることを確認します。", - "waf": "確実" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", - "severity": "中程度", - "text": "Azure Monitor Insights for Virtual WAN を使用して、Virtual WAN のエンドツーエンド トポロジ、状態、および主要なメトリックを監視します。", - "waf": "オペレーションズ" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure 
Landing Zone Review", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "severity": "中程度", - "text": "Virtual WAN のブランチ間トラフィックは、これらのフローを明示的にブロックする必要がない限り、無効にしないでください。", - "waf": "確実" + "text": "クライアント証明書認証を使用したバックエンド サービスのセキュリティ保護", + "waf": "安全" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", "severity": "中程度", - "text": "AS-Path は ExpressRoute や VPN よりも柔軟性が高いため、ハブ ルーティング設定として使用します。", - "waf": "確実" + "text": "「OWASP API Security Top 10 の脅威を軽減するための推奨事項」の記事を確認し、API に適用できるものを確認します", + "waf": "安全" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", "severity": "中程度", - "text": "Virtual WAN でラベルベースの伝達を構成すると、仮想ハブ間の接続が損なわれます。", - 
"waf": "確実" + "text": "承認機能を使用して、バックエンド API の OAuth 2.0 トークンの管理を簡素化します", + "waf": "安全" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", "severity": "高い", - "text": "仮想ハブに少なくとも /23 プレフィックスを割り当てて、十分な IP スペースが使用可能であることを確認します。", - "waf": "確実" + "text": "転送中の情報を暗号化する場合は、最新のTLSバージョンを使用します。可能であれば、古くて不要なプロトコルと暗号を無効にします。", + "waf": "安全" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", "severity": "高い", - "text": "Azure Policy を戦略的に活用し、環境のコントロールを定義し、ポリシー イニシアチブを使用して関連するポリシーをグループ化します。", + "text": "シークレット (名前付き値) が Azure Key Vault に格納され、安全にアクセスして更新できるようにする", "waf": "安全" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + 
"arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", "severity": "中程度", - "text": "規制とコンプライアンスの要件を Azure Policy 定義と Azure ロールの割り当てにマップします。", + "text": "可能な限りマネージド ID を使用して、他の Azure リソースに対する認証を行う", "waf": "安全" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "中程度", - "text": "中間ルート管理グループで Azure Policy 定義を確立して、継承されたスコープで割り当てられるようにします。", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", + "severity": "高い", + "text": "Web アプリケーション ファイアウォール (WAF) を使用するには、APIM の前に Application Gateway をデプロイします", "waf": "安全" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", "severity": "高い", - "text": 
"ポリシーの割り当てを適切な最上位レベルで管理し、必要に応じて下位レベルで除外します。", - "waf": "安全" + "text": "ビジネスと SLO の要件に基づいて適切なロジック アプリのホスティング プランを選択する", + "waf": "確実" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", - "severity": "低い", - "text": "Azure Policy を使用して、ユーザーがサブスクリプション/管理グループ レベルでプロビジョニングできるサービスを制御します。", - "waf": "安全" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + "severity": "高い", + "text": "ゾーンの冗長性と可用性ゾーンを使用してリージョンの障害からロジック アプリを保護する", + "waf": "確実" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", "severity": "高い", - "text": "可能な場合は組み込みポリシーを使用して、運用オーバーヘッドを最小限に抑えます。", - "waf": "安全" + "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", + "waf": "確実" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "description": "Resource Policy Contributor 
ロールを特定のスコープに割り当てると、ポリシー管理を関連するチームに委任できます。たとえば、中央のITチームが管理グループレベルのポリシーを監督し、アプリケーションチームがサブスクリプションのポリシーを処理することで、組織の標準に準拠した分散型ガバナンスが可能になります。", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", - "severity": "中程度", - "text": "特定のスコープで組み込みのリソース ポリシー共同作成者ロールを割り当てて、アプリケーション レベルのガバナンスを有効にします。", - "waf": "安全" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", + "severity": "高い", + "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します", + "waf": "確実" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "中程度", - "text": "ルート管理グループのスコープで行われる Azure Policy の割り当ての数を制限して、継承されたスコープでの除外による管理を回避します。", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "severity": "中程度", - "text": "データ主権の要件が存在する場合は、それらを適用するために Azure ポリシーをデプロイする必要があります。", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "安全" + "text": "Azure 
DevOps または GitHub を活用して CI/CD を合理化し、ロジック アプリ コードを保護", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", - "severity": "中程度", - "text": "ソブリン ランディング ゾーンの場合は、ソブリン ポリシー ベースラインをデプロイし、正しい管理グループ レベルで割り当てます。", - "waf": "安全" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", + "severity": "低い", + "text": "ベスト プラクティスについては、「ベースラインの高可用性ゾーン冗長 Web アプリケーション アーキテクチャ」を参照してください", + "waf": "確実" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "中程度", - "text": "ソブリン ランディング ゾーンの場合は、ソブリン制御の目標をポリシー マッピングに文書化します。", - "waf": "安全" + "text": "Premium レベルと Standard レベルを使用します。これらの層では、ステージング スロットと自動バックアップがサポートされています。", + "waf": "確実" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", - "service": "Policy", - "severity": "中程度", - "text": 
"ソブリン・ランディング・ゾーンについては、「ソブリン・コントロールの目標からポリシー・マッピングまで」の管理プロセスが実施されていることを確認してください。", - "waf": "安全" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", + "severity": "高い", + "text": "リージョンで適用可能な場合は Availability Zones を活用します (Premium v2 または v3 レベルが必要)", + "waf": "確実" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "中程度", - "text": "Azure ロールベースのアクセス制御 (Azure RBAC)、データ主権要件、またはデータ保持ポリシーで個別のワークスペースが義務付けられている場合を除き、1 つのモニター ログ ワークスペースを使用してプラットフォームを一元的に管理します。", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "オペレーションズ" + "text": "ヘルスチェックの実装", + "waf": "確実" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", "severity": "高い", - "text": "ログの保持要件が 12 年を超える場合は、ログを Azure Storage にエクスポートします。write-once、read-many 
ポリシーで不変ストレージを使用して、ユーザーが指定した間隔でデータを消去および変更できないようにします。", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", - "severity": "中程度", - "text": "Azure Policy を使用して、OS レベルの仮想マシン (VM) 構成のずれを監視します。ポリシーを使用して Azure Automanage マシン構成の監査機能を有効にすると、アプリケーション チームのワークロードは、わずかな労力で機能機能をすぐに使用できます。", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "オペレーションズ" + "text": "「Azure App Service のバックアップと復元のベスト プラクティス」を参照してください", + "waf": "確実" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", - "service": "VM", - "severity": "中程度", - "text": "Azure Update Manager は、Azure の Windows VM と Linux VM の修正プログラム適用メカニズムとして使用します。", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "オペレーションズ" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", + "severity": "高い", + "text": "Azure App Service の信頼性に関するベスト プラクティスを実装する", + "waf": "確実" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", - "severity": "中程度", - "text": "Azure Arc を使用して、Azure の外部にある Windows および Linux VM の修正プログラム適用メカニズムとして Azure Update Manager を使用します。", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "オペレーションズ" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "低い", + "text": "災害時に App Service アプリを別のリージョンに移動する方法を理解する", + "waf": "確実" }, { - "arm-service": "microsoft.network/networkWatchers", - "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", - "severity": "中程度", - "text": "Network Watcher を使用して、トラフィック フローを事前に監視します。", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "オペレーションズ" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", + "severity": "高い", + "text": "Azure App Service の信頼性サポートについて理解する", + "waf": "確実" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": 
"c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "severity": "中程度", - "text": "Azure Monitor ログを使用して、分析情報とレポートを作成します。", - "waf": "オペレーションズ" + "text": "App Service プランで実行されている Function Apps に対して \"Always On\" が有効になっていることを確認する", + "waf": "確実" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "中程度", - "text": "Azure Monitor アラートを使用して、運用アラートを生成します。", - "waf": "オペレーションズ" + "text": "正常性チェックを使用した App Service インスタンスの監視", + "waf": "確実" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", "severity": "中程度", - "text": "Azure Automation アカウントを使用して変更とインベントリの追跡を使用する場合は、Log Analytics ワークスペースと Automation アカウントをリンクするためにサポートされているリージョンが選択されていることを確認してください。", - "waf": "オペレーションズ" + "text": "Application Insights の可用性テストを使用して Web アプリまたは Web サイトの可用性と応答性を監視する", + "waf": "確実" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": 
"https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", "severity": "低い", - "text": "Azure Backup を使用する場合は、既定の設定が GRS であるため、バックアップに正しいバックアップの種類 (GRS、ZRS、LRS) を使用します。", + "text": "Application Insights Standard テストを使用して、Web アプリまたは Web サイトの可用性と応答性を監視する", "waf": "確実" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", - "severity": "中程度", - "text": "Azure ゲスト ポリシーを使用して、VM 拡張機能を通じてソフトウェア構成を自動的にデプロイし、準拠したベースライン VM 構成を適用します。", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Key Vault を使用して、アプリケーションに必要なシークレットを格納します。 Key Vault は、シークレットを格納するための安全で監査された環境を提供し、Key Vault SDK または App Service Key Vault リファレンスを通じて App Service と適切に統合されています。", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "高い", + "text": "Key Vault を使用してシークレットを格納する", "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "description": "Azure Policy のゲスト構成機能を使用して、マシンの設定 (OS、アプリケーション、環境など) を監査および修復し、リソースが予想される構成と一致していることを確認し、Update Management では VM のパッチ管理を適用できます。", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", - "severity": "中程度", - "text": "Azure Policy を使用して VM 
セキュリティ構成のドリフトを監視します。", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "マネージド ID を使用して、Key Vault SDK または App Service Key Vault 参照を使用して Key Vault に接続します。", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "高い", + "text": "マネージド ID を使用して Key Vault に接続する", "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", - "severity": "中程度", - "text": "Azure Site Recovery は、Azure から Azure Virtual Machines へのディザスター リカバリー シナリオに使用します。これにより、リージョン間でワークロードをレプリケートできます。", - "waf": "オペレーションズ" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service TLS 証明書を Key Vault に格納します。", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", + "severity": "高い", + "text": "Key Vault を使用して TLS 証明書を格納します。", + "waf": "安全" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "機密情報を処理するシステムは分離する必要があります。 そのためには、個別の App Service プランまたは App Service Environment を使用し、異なるサブスクリプションまたは管理グループの使用を検討してください。", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "中程度", - "text": "Azure ネイティブのバックアップ機能、または Azure と互換性のあるサード パーティのバックアップ ソリューションを使用します。", 
- "waf": "オペレーションズ" + "text": "機密情報を処理するシステムを分離する", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", - "severity": "高い", - "text": "診断設定を追加して、Azure Front Door や Azure Application Gateway などのアプリケーション配信サービスから WAF ログを保存します。ログを定期的に確認して、攻撃や誤検知の検出がないか確認します。", - "waf": "オペレーションズ" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service のローカル ディスクは暗号化されていないため、機密データを格納しないでください。 (例: D:\\\\Local and %TMP%)。", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", + "severity": "中程度", + "text": "機密データをローカルディスクに保存しない", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "認証された Web アプリケーションの場合は、Azure AD や Azure AD B2C などの確立された ID プロバイダーを使用します。 選択したアプリケーション フレームワークを利用して、このプロバイダーと統合するか、App Service の認証/承認機能を使用します。", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "severity": "中程度", - "text": "Azure Front Door や Azure Application Gateway などのアプリケーション配信サービスから WAF ログを Microsoft Sentinel に送信します。攻撃を検出し、WAF テレメトリを Azure 環境全体に統合します。", - "waf": "オペレーションズ" + "text": "認証に確立された ID プロバイダーを使用する", + "waf": 
"安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "適切に管理され、セキュリティで保護された DevOps デプロイ パイプラインなど、制御された信頼できる環境から App Service にコードをデプロイします。これにより、バージョン管理されておらず、悪意のあるホストからデプロイされることが確認されていないコードが回避されます。", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "severity": "高い", - "text": "Azure Key Vault を使用して、シークレットと資格情報を格納します。", + "text": "信頼できる環境からのデプロイ", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", - "severity": "中程度", - "text": "アプリケーションやリージョンごとに異なる Azure Key Vault を使用して、トランザクションのスケール制限を回避し、シークレットへのアクセスを制限します。", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "FTP/FTPS と WebDeploy/SCM の両方の基本認証を無効にします。 これにより、これらのサービスへのアクセスが無効になり、デプロイに Azure AD で保護されたエンドポイントの使用が強制されます。 SCM サイトは、Azure AD 資格情報を使用して開くこともできます。", + "guid": 
"5d04c2c3-919c-4a0b-8c12-159e114b933d",
+ "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication",
+ "service": "App Services",
+ "severity": "高い",
+ "text": "基本認証の無効化",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
- "severity": "中程度",
- "text": "論理的な削除ポリシーと消去ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "可能な場合は、マネージド ID を使用して Azure AD のセキュリティで保護されたリソースに接続します。 これが不可能な場合は、Key Vault にシークレットを格納し、代わりにマネージド ID を使用して Key Vault に接続します。",
+ "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d",
+ "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp",
+ "service": "App Services",
+ "severity": "高い",
+ "text": "マネージド ID を使用してリソースに接続する",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "dc055bcf-619e-48a1-9f98-879525d62688",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
- "severity": "中程度",
- "text": "最小特権モデルに従って、キー、シークレット、証明書を完全に削除する承認を、特殊なカスタム Microsoft Entra ID ロールに制限します。",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "Azure Container Registry に格納されているイメージを使用する場合は、マネージド ID を使用してこれらをプルします。",
+ "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4",
+ "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry",
+ "service": "App Services",
+ "severity": "高い",
+ "text": "マネージド ID を使用してコンテナーをプルするPull containers using a Managed Identity",
 "waf": "安全"
 },
 {
- "arm-service": 
"Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "6d70ba6c-97be-4995-8904-83845c986cb2",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "App Service の診断設定を構成することで、ログ記録と監視の中央の宛先として、すべてのテレメトリを Log Analytics に送信できます。これにより、HTTP ログ、アプリケーション ログ、プラットフォーム ログなどの App Service のランタイム アクティビティを監視できます。",
+ "guid": "47768314-c115-4775-a2ea-55b46ad48408",
+ "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
+ "service": "App Services",
 "severity": "中程度",
- "text": "公開認証局を使用して証明書の管理と更新プロセスを自動化し、管理を容易にします。",
+ "text": "App Service ランタイム ログを Log Analytics に送信する",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "913156a1-2476-4e49-b541-acdce979377b",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "ログ記録と監視の中央の宛先としてアクティビティ ログを Log Analytics に送信するための診断設定を設定します。これにより、App Service リソース自体のコントロール プレーンのアクティビティを監視できます。",
+ "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
+ "service": "App Services",
 "severity": "中程度",
- "text": "キーと証明書のローテーションのための自動化されたプロセスを確立します。",
+ "text": "App Service アクティビティ ログを Log Analytics に送信する",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "arm-service": "microsoft.web/sites",
+ "checklist": "Azure App Service Review",
+ "description": "リージョンの VNet 統合、ネットワーク セキュリティ グループ、および UDR の組み合わせを使用して、送信ネットワーク アクセスを制御します。 トラフィックは、Azure 
Firewall などの NVA にルーティングする必要があります。 ファイアウォールのログを必ず監視してください。", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "severity": "中程度", - "text": "コンテナーでファイアウォールと仮想ネットワーク サービス エンドポイントまたはプライベート エンドポイントを有効にして、キー コンテナーへのアクセスを制御します。", + "text": "送信ネットワーク アクセスを制御する必要がある", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", - "severity": "中程度", - "text": "プラットフォーム中央の Azure Monitor Log Analytics ワークスペースを使用して、Key Vault の各インスタンス内のキー、証明書、シークレットの使用状況を監査します。", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "VNet 統合を使用し、VNet NAT ゲートウェイまたは Azure Firewall などの NVA を使用することで、安定した送信 IP を提供できます。 これにより、受信側は必要に応じて IP に基づいて許可リストに登録できます。 多くの場合、Azure サービスへの通信では、IP アドレスに依存する必要はなく、代わりにサービス エンドポイントなどのメカニズムを使用する必要があります。 (また、受信側でプライベート エンドポイントを使用すると、SNAT の発生が回避され、安定した送信 IP 範囲が提供されます)。", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "低い", + "text": "インターネットアドレスへの送信通信のIPを安定させる", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中程度", - "text": "Key Vault のインスタンス化と特権アクセスを委任し、Azure Policy を使用して一貫した準拠構成を適用します。", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service のアクセス制限、サービス エンドポイント、またはプライベート エンドポイントの組み合わせを使用して、受信ネットワーク アクセスを制御します。Web アプリ自体と SCM サイトに対して異なるアクセス制限を要求し、構成できます。", + "guid": 
"0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "高い", + "text": "受信ネットワーク アクセスを制御する必要がある", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中程度", - "text": "Azure Key Vault は、アプリケーションごと、環境ごと、リージョンごとに使用します。", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Application Gateway や Azure Front Door などの Web アプリケーション ファイアウォールを使用して、悪意のある受信トラフィックから保護します。 WAFのログを必ず監視してください。", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", + "severity": "高い", + "text": "App Service の前で WAF を使用するUse a WAF in Front of App Service", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中程度", - "text": "独自のキーを持ち込む場合、これは考慮されるすべてのサービスでサポートされているとは限りません。不整合が望ましい結果を妨げないように、適切な軽減策を実装します。レイテンシを最小限に抑える適切なリージョンペアとディザスタリカバリリージョンを選択します。", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "WAFのみへのアクセスをロックダウンすることで、WAFをバイパスできないようにします。 アクセス制限、サービス・エンドポイントおよびプライベート・エンドポイントを組み合わせて使用します。", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "高い", + "text": "WAFをバイパスすることは避けてください", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure 
Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service の構成で最小 TLS ポリシーを 1.2 に設定します。", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "severity": "中程度", - "text": "ソブリン ランディング ゾーンの場合は、Azure Key Vault マネージド HSM を使用してシークレットと資格情報を格納します。", + "text": "最小 TLS ポリシーを 1.2 に設定します。", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", - "severity": "中程度", - "text": "Microsoft Entra ID レポート機能を使用して、アクセス制御監査レポートを生成します。", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "HTTPS のみを使用するように App Service を構成します。 これにより、App Service は HTTP から HTTPS にリダイレクトされます。 HTTP Strict Transport Security (HSTS) をコード内または WAF から使用して、サイトに HTTPS を使用してのみアクセスする必要があることをブラウザーに通知することを強く検討してください。", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", + "severity": "高い", + "text": "HTTPS のみを使用", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": 
"https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "CORS 構成では、すべての配信元がサービスにアクセスできるため、ワイルドカードを使用しないでください (これにより、CORS の目的が損なわれます)。具体的には、サービスにアクセスできると予想される配信元のみを許可します。", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", "severity": "高い", - "text": "すべてのサブスクリプションで Defender Cloud セキュリティ態勢管理を有効にします。", + "text": "ワイルドカードは CORS に使用しないでください", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "リモート デバッグは、サービスに追加のポートが開き、攻撃対象領域が増加するため、運用環境でオンにしないでください。このサービスは、48 時間後に自動的にリモート デバッグをオフにすることに注意してください。", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", "severity": "高い", - "text": "すべてのサブスクリプションで、サーバーの Defender Cloud ワークロード保護プランを有効にします。", + "text": "リモートデバッグをオフにする", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - "severity": "高い", - "text": "すべてのサブスクリプションで Azure リソースの Defender Cloud ワークロード保護プランを有効にします。", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Defender for App Service 
を有効にします。 これは(他の脅威の中でも)既知の悪意のあるIPアドレスへの通信を検出します。 操作の一環として、Defender for App Service からの推奨事項を確認します。", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", + "severity": "中程度", + "text": "Defender for Cloud を有効にする - Defender for App Service", "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", - "severity": "高い", - "text": "IaaS サーバーでエンドポイント保護を有効にします。", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure は、ネットワーク上で DDoS Basic 保護を提供しており、通常のトラフィック パターンを学習し、異常な動作を検出できるインテリジェントな DDoS Standard 機能によって改善できます。DDoS Standard は仮想ネットワークに適用されるため、Application Gateway や NVA など、アプリの前にあるネットワーク リソース用に構成する必要があります。", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", + "severity": "中程度", + "text": "WAF VNet で DDoS Protection Standard を有効にするEnable DDOS Protection Standard on the WAF VNet", "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Container Registry に格納されているイメージを使用する場合は、プライベート エンドポイントとアプリ設定 \"WEBSITE_PULL_IMAGE_OVER_VNET\" を使用して、Azure Container Registry から仮想ネットワーク経由でイメージをプルします。", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + 
"service": "App Services", "severity": "中程度", - "text": "Azure Monitor ログと Defender for Cloud を使用して、基本オペレーティング システムの修正プログラムのずれを監視します。", + "text": "Virtual Network 経由でコンテナーをプルする", "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "ペネトレーションテストのルールに従って、Webアプリケーションでペネトレーションテストを実施します。", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", "severity": "中程度", - "text": "既定のリソース構成を一元化された Azure Monitor Log Analytics ワークスペースに接続します。", + "text": "ペネトレーションテストの実施", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "DevSecOps プラクティスに従って脆弱性が検証およびスキャンされた信頼できるコードをデプロイします。", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "severity": "中程度", - "text": "ソブリン ランディング ゾーンの場合は、Entra ID テナントで透明度ログを有効にします。", + "text": "検証済みコードのデプロイ", + "waf": "安全" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "サポートされているプラットフォーム、プログラミング言語、プロトコル、およびフレームワークの最新バージョンを使用します。", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", + "severity": "高い", + "text": "最新のプラットフォーム、言語、プロトコル、フレームワークを使用", "waf": "安全" }, { "checklist": "Azure 
Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", "service": "Entra", "severity": "中程度", - "text": "Sovereign Landing Zone の場合は、Entra ID テナントでカスタマー ロックボックスを有効にします。", - "waf": "安全" + "text": "Azure リソースの管理には 1 つの Entra テナントを使用します (マルチテナントに対する明確な規制要件やビジネス要件がない限り)。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", - "severity": "高い", - "text": "ストレージ アカウントへの安全な転送を有効にします。", - "waf": "安全" + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "低い", + "text": "マルチテナント自動化アプローチを使用して、Microsoft Entra ID テナントを管理します。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", "severity": "高い", - "text": "ストレージ アカウントのコンテナーの論理的な削除を有効にして、削除されたコンテナーとその内容を回復します。", - "waf": "安全" + "text": "同じ ID でマルチテナント管理に Azure Lighthouse を使用します。", + "training": 
"https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.KeyVault/vaults", "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", "severity": "高い", - "text": "Key Vault シークレットを使用して、資格情報 (仮想マシン、ユーザー パスワード)、証明書、キーなどの機密情報のハードコーディングを回避します。", - "waf": "オペレーションズ" + "text": "テナントを管理するためのアクセス権をパートナーに付与する場合は、Azure Lighthouse を使用します。", + "waf": "費用" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", "severity": "高い", - "text": "Availability Zones (リージョンで適用可能な場合) を活用する (これは自動的に有効になります)", - "waf": "確実" + "text": "クラウド運用モデルに合わせた RBAC モデルを適用します。管理グループとサブスクリプション全体のスコープと割り当て。", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "安全" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "中程度", - "text": "Microsoft が開始するフェールオーバーに注意してください。これらは、まれに、影響を受けるリージョンから対応する geo ペア リージョンにすべての IoT ハブをフェールオーバーするために 
Microsoft によって実行されます。", - "waf": "確実" + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", + "severity": "高い", + "text": "すべてのアカウントの種類に対して、認証の種類である [職場または学校アカウント] のみを使用します。Microsoftアカウントの使用は避けてください", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "安全" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "severity": "高い", - "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", - "waf": "確実" + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", + "severity": "中程度", + "text": "権限の割り当てには、グループのみを使用してください。グループ管理システムがすでに導入されている場合は、オンプレミス グループを Entra ID のみのグループに追加します。", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "安全" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "severity": "高い", - "text": "手動フェールオーバーをトリガーする方法を学習します。", - "waf": "確実" + "text": "Azure 環境に対する権限を持つすべてのユーザーに対して、Microsoft Entra ID 条件付きアクセス ポリシーを適用します。", + "training": 
"https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "安全" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", "severity": "高い", - "text": "フェールオーバー後にフェールバックする方法を学習します。", - "waf": "確実" + "text": "Azure 環境に対する権限を持つすべてのユーザーに多要素認証を適用します。", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "text": "Azure Monitor のデータ収集ルール - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "費用" + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", + "severity": "中程度", + "text": "Microsoft Entra ID Privileged Identity Management (PIM) を適用して、ゼロスタンディング アクセスと最小特権を確立します。", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "text": "基になるデータソースが見つからないバックアップインスタンスを確認する", - "waf": "費用" + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview", + "service": "Entra", + "severity": "中程度", + "text": "Active Directory Domain Services から Entra ドメイン サービスへの切り替えを計画している場合は、すべてのワークロードの互換性を評価します。", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "text": "関連づけられていないサービス(ディスク、NIC、IPアドレスなど)を削除またはアーカイブする", - "waf": "費用" + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", + "severity": "中程度", + "text": "Microsoft Entra ID ログをプラットフォーム中央の Azure Monitor と統合します。Azure Monitor を使用すると、Azure のログと監視データに関する信頼できる唯一の情報源を使用できるため、ログの収集と保持に関する要件を満たすためのクラウド ネイティブ オプションを組織に提供できます。", + "waf": "安全" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", - "text": "ミッション クリティカルでないアプリケーションの Site Recovery ストレージとバックアップのバランスを考慮する", - "waf": "費用" + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": 
"984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", + "severity": "高い", + "text": "テナント全体のアカウント ロックアウトを防ぐために、緊急アクセスまたは非常用アカウントを実装します。", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "text": "40 の異なるログ分析ワークスペース間で支出と節約の機会を確認する - 非運用ワークスペースに異なる保持とデータ収集を使用する - 認識と階層サイズ設定のための日次上限を作成する - 日次上限を設定する場合は、上限に達したときにアラートを作成するだけでなく、ある割合 (90% など) に達したときに通知されるアラート ルールも作成してください。- 可能であればワークスペースの変革を検討する - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "費用" + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", + "severity": "中程度", + "text": "特に必要なシナリオがない限り、Microsoft Entra ID ロールの割り当てにオンプレミスの同期アカウントを使用しないでください。", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", - "text": "ログのパージポリシーと自動化を適用する(必要に応じて、ログをコールドストレージに移動できます)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - 
"waf": "費用" + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", + "severity": "中程度", + "text": "Microsoft Entra ID アプリケーション プロキシを使用してリモート ユーザーにアプリケーションへのアクセス権を付与する場合は、テナントごとに 1 つのインスタンスしか持つことができないため、プラットフォーム リソースとして管理します。", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "text": "ディスクが本当に必要かどうかを確認し、必要でない場合は削除します。必要な場合は、下位のストレージ階層を見つけるか、バックアップを使用します。", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", + "severity": "中程度", + "text": "ハブアンドスポークネットワークトポロジは、最大限の柔軟性を必要とするネットワークシナリオに使用します。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "text": "未使用のストレージを下位階層に移動し、カスタマイズされたルールを使用することを検討する - 
https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", + "severity": "高い", + "text": "ExpressRoute ゲートウェイ、VPN ゲートウェイ、Azure Firewall またはパートナー NVA などの共有ネットワーク サービスを中央ハブ仮想ネットワークにデプロイします。必要に応じて、DNS サービスもデプロイします。", "waf": "費用" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "text": "advisor が VM の適切なサイズ設定用に構成されていることを確認する", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", + "severity": "高い", + "text": "アプリケーション ランディング ゾーン内のすべてのパブリック IP アドレスに対して、DDoS ネットワークまたは IP 保護プランを使用します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "description": "コスト分析でメーターカテゴリライセンスを検索して確認してください", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", - "text": "すべての Windows VM でスクリプトを実行する https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- 
Windows VM が頻繁に作成される場合は、ポリシーの実装を検討してください", - "waf": "費用" + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", + "severity": "中程度", + "text": "パートナー ネットワーク テクノロジまたは NVA をデプロイする場合は、パートナー ベンダーのガイダンスに従ってください。", + "waf": "確実" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "text": "これは、すでにライセンスを持っている場合は、AHUBの下に置くこともできます https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "費用" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", + "severity": "低い", + "text": "ハブ アンド スポークのシナリオで ExpressRoute ゲートウェイと VPN ゲートウェイ間のトランジットが必要な場合は、Azure Route Server を使用します。", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", - "text": "予約済み VM ファミリを柔軟性オプションで統合する (4 から 5 ファミリ以下)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualHubs", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project 
id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "低い", + "text": "Route Server を使用する場合は、Route Server サブネットに /27 プレフィックスを使用します。", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", - "text": "Azure 予約インスタンスを利用する: この機能を使用すると、VM を 1 年または 3 年間予約できるため、PAYG 価格と比較して大幅なコスト削減が実現します。", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", + "severity": "中程度", + "text": "Azure リージョン間で複数のハブ アンド スポーク トポロジを持つネットワーク アーキテクチャの場合は、ハブ VNet 間でグローバル仮想ネットワーク ピアリングを使用して、リージョンを相互に接続します。", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", - "text": "より大きなディスクのみ予約できます => 1 TiB -", - "waf": "費用" + "arm-service": 
"Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", + "severity": "中程度", + "text": "Azure Monitor for Networks を使用して、Azure 上のネットワークのエンドツーエンドの状態を監視します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "text": "適切なサイズ最適化の後", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", + "severity": "中程度", + "text": "リージョンに 400 を超えるスポーク ネットワークがある場合は、VNet ピアリングの制限 (500) と ExpressRoute 経由でアドバタイズできるプレフィックスの最大数 (1000) をバイパスするために、追加のハブをデプロイします。", + "waf": "確実" }, { - "arm-service": "Microsoft.Sql/servers", - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", - "text": "該当するかどうかを確認し、ポリシー/変更 
https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations を適用します", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", + "severity": "中程度", + "text": "ルート テーブルあたりのルート数を 400 に制限します。", + "waf": "確実" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", - "text": "VM +ライセンス部分の割引(ahub + 3YRI)は約70%の割引です", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", + "severity": "高い", + "text": "VNet ピアリングを構成するときは、\"リモート仮想ネットワークへのトラフィックを許可する\" 設定を使用します。", + "waf": "確実" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": 
"ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", - "text": "需要に合わせて、フラットなサイジングではなく、VMSS の使用を検討してください", - "waf": "費用" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", + "severity": "中程度", + "text": "ExpressRoute Direct を使用している場合は、組織のルーターと MSEE の間のレイヤー 2 レベルでトラフィックを暗号化するために MACsec を構成します。この図は、フロー内のこの暗号化を示しています。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "text": "AKS オートスケーラーを使用してクラスターの使用量に一致させる (ポッドの要件がスケーラーと一致していることを確認する)", - "waf": "費用" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", + "service": "ExpressRoute", + "severity": "中程度", + "text": "MACsec がオプションではないシナリオ (ExpressRoute Direct を使用しない場合など) は、VPN ゲートウェイを使用して、ExpressRoute プライベート ピアリング経由で IPsec トンネルを確立します。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "安全" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "text": "該当する場合は、復旧ポイントを vault-archive に移動します (検証)", - "training": 
"https://azure.microsoft.com/pricing/reservations/", - "waf": "費用" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", + "severity": "高い", + "text": "Azure リージョンとオンプレミスの場所間で重複する IP アドレス空間が使用されていないことを確認します。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "安全" }, { - "arm-service": "Microsoft.Databricks/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "text": "可能な場合は、フォールバックでスポット VM を使用することを検討してください。クラスターの自動終了を検討してください。", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "中程度", + "text": "プライベートインターネットのアドレス割り当て範囲(RFC 1918)のIPアドレスを使用します。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization 
Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "text": "関数 - 接続の再利用", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "高い", + "text": "IP アドレス空間が無駄にならないようにし、不必要に大規模な仮想ネットワーク (/16 など) を作成しないでください。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "パフォーマンス" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "text": "関数 - データをローカルにキャッシュする", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": 
"VNet", + "severity": "高い", + "text": "運用サイトとディザスター リカバリー サイトで重複する IP アドレス範囲を使用しないでください。", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "確実" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "text": "関数 - コールド スタート - 「パッケージから実行」機能を使用します。このようにして、コードは単一のzipファイルとしてダウンロードされます。これにより、たとえば、多くのノードモジュールを持つJavascript関数が大幅に改善される可能性があります。言語固有のツールを使用してパッケージサイズを縮小します (ツリーを揺るがす Javascript アプリケーションなど)。", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "費用" + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", + "service": "DNS", + "severity": "中程度", + "text": "Azure での名前解決が必要な環境では、Azure プライベート DNS を使用して解決し、名前解決に委任されたゾーン ('azure.contoso.com' など) を使用します。", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", - "text": "関数 - 関数を暖かく保つ", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "費用" + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", + "severity": "中程度", + "text": "Azure とオンプレミス間での名前解決が必要で、Active Directory のような既存のエンタープライズ DNS 
サービスがない環境の場合は、Azure DNS Private Resolver を使用して DNS 要求を Azure またはオンプレミスの DNS サーバーにルーティングします。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", - "text": "さまざまな関数で自動スケーリングを使用する場合、すべてのリソースのすべての自動スケーリングを駆動する 1 つが存在する可能性があるため、別の従量課金プランに移行することを検討してください (また、CPU のより高いプランを検討してください)", - "waf": "費用" + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", + "severity": "低い", + "text": "独自の DNS が必要でデプロイする特別なワークロード (Red Hat OpenShift など) は、優先する DNS ソリューションを使用する必要があります。", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", - "text": "特定のプランの関数アプリはすべて一緒にスケーリングされるため、スケーリングに関する問題はプラン内のすべてのアプリに影響を与える可能性があります。", - "waf": "費用" + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", + "severity": "高い", + "text": "Azure DNS の自動登録を有効にすると、仮想ネットワーク内にデプロイされた仮想マシンの DNS レコードのライフサイクルが自動的に管理されます。", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": 
"9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "text": "「待機時間」に対して請求されますか?この質問は、通常、非同期操作を実行して結果を待機する C# 関数のコンテキストで尋ねられます (例: await Task.Delay(1000) や await client)。GetAsync('http://google.com') です。答えはイエスです-GB秒の計算は、関数の開始時刻と終了時刻、およびその期間のメモリ使用量に基づいています。その間に CPU アクティビティに関して実際に何が起こるかは、計算には考慮されません。この規則の 1 つの例外は、永続関数を使用している場合です。オーケストレーター関数で待機に費やされた時間に対しては課金されません。可能な場合は、デマンド シェーピング技術を適用します (開発環境?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "費用" + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", + "severity": "中程度", + "text": "Azure Bastion を使用して、ネットワークに安全に接続します。", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", - "text": "Frontdoor - 既定のホームページをオフにするアプリのアプリケーション設定で、AzureWebJobsDisableHomepage を true に設定します。これにより、PoPに204(No Content)が返されるため、ヘッダーデータのみが返されます。", - "waf": "費用" + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", + "severity": "中程度", + 
"text": "Azure Bastion は、/26 以上のサブネットで使用します。", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", - "text": "Frontdoor - 何も返さないものへのルーティング。関数、関数プロキシを設定するか、200 (OK) を返し、コンテンツを送信しない、または最小限のコンテンツを送信 するルートを Web アプリに追加します。これの利点は、呼び出されたときにログアウトできることです。", - "waf": "費用" + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", + "severity": "中程度", + "text": "Azure Front Door と WAF ポリシーを使用して、ランディング ゾーンへの受信 HTTP/S 接続に対して Azure リージョン間でグローバルな保護を提供します。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "text": "使用頻度の低いデータの階層のアーカイブを検討する", - "waf": "費用" + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "低い", + "text": "Azure Front Door と Azure Application Gateway を使用して HTTP/S アプリを保護する場合は、Azure Front Door の WAF ポリシーを使用します。Azure Application Gateway をロックダウンして、Azure Front Door からのトラフィックのみを受信するようにします。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", 
- "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", - "text": "サイズが階層と一致しない場合は、ディスク サイズを確認します (つまり、513 GiB のディスクは P30 (1TiB) を支払います) と、サイズ変更を検討してください", - "waf": "費用" + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "高い", + "text": "受信 HTTP/S 接続に WAF やその他のリバース プロキシが必要な場合は、ランディング ゾーン仮想ネットワーク内にデプロイし、保護してインターネットに公開するアプリと共にデプロイします。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "可能な場合は、Premium や Ultra ではなく Standard SSD の使用を検討してください", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "高い", + "text": "Azure DDoS ネットワークまたは IP Protection プランを使用して、仮想ネットワーク内のパブリック IP アドレス エンドポイントを保護します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - 
"service": "Storage", - "text": "ストレージ アカウントの場合は、選択したレベルによってトランザクション料金が加算されていないことを確認します (次のレベルに移動する方が安くなる可能性があります)", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "severity": "高い", + "text": "ネットワークの送信トラフィックの構成と戦略を管理する方法を、今後の破壊的変更の前に計画します。2025 年 9 月 30 日に、新しいデプロイの既定の送信アクセスは廃止され、明示的なアクセス構成のみが許可されます。", + "waf": "確実" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "ASR の場合、RPO/RTO とレプリケーション スループットで許可されている場合は、Standard SSD ディスクの使用を検討してください", - "waf": "費用" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "高い", + "text": "診断設定を追加して、保護されたすべてのパブリック IP アドレス (DDoS IP またはネットワーク保護) の DDoS 関連のログを保存します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "ストレージ アカウント: 必要なホット層や GRS を確認する", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Policy", + 
"severity": "高い", + "text": "Virtual Machines に直接関連付けられているパブリック IP アドレスを拒否するポリシーの割り当てがあることを確認します。 特定の VM でパブリック IP が必要な場合は、除外を使用します。", + "waf": "安全" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", + "severity": "中程度", + "text": "ExpressRoute を Azure へのプライマリ接続として使用します。 バックアップ接続のソースとして VPN を使用します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "パフォーマンス" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "description": "AS パスの先頭と接続の重みを使用して Azure からオンプレミスへのトラフィックに影響を与えたり、独自のルーターの BGP 属性の全範囲を使用してオンプレミスから Azure へのトラフィックに影響を与えたりできます。", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", + "severity": "中程度", + "text": "複数の ExpressRoute 回線または複数のオンプレミスの場所を使用する場合は、BGP 属性を使用してルーティングを最適化します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", + "service": "ExpressRoute", + 
"severity": "中程度", + "text": "ExpressRoute/VPN ゲートウェイの適切な SKU は、帯域幅とパフォーマンスの要件に基づいて選択してください。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "パフォーマンス" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", + "severity": "高い", + "text": "無制限のデータ ExpressRoute 回線を使用しているのは、そのコストを正当化する帯域幅に達した場合にのみしてください。", + "waf": "費用" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", + "severity": "高い", + "text": "ExpressRoute のローカル SKU を活用して、回線のコストを削減します (回線ピアリングの場所がローカル SKU の Azure リージョンをサポートしている場合)。", + "waf": "費用" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = 
properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", + "severity": "中程度", + "text": "ゾーン冗長 ExpressRoute ゲートウェイをサポートされている Azure リージョンにデプロイします。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", + "severity": "中程度", + "text": "10 Gbps を超える帯域幅または専用の 10/100 Gbps ポートが必要なシナリオでは、ExpressRoute Direct を使用します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "パフォーマンス" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", + "severity": "中程度", + "text": "待機時間を短くする必要がある場合、またはオンプレミスから Azure へのスループットを 10 Gbps より大きくする必要がある場合は、FastPath を有効にして、データ パスから ExpressRoute ゲートウェイをバイパスします。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "パフォーマンス" + }, + { + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + 
"link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", + "severity": "中程度", + "text": "ゾーン冗長 VPN ゲートウェイを使用して、ブランチまたはリモートの場所を Azure (使用可能な場合) に接続します。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", + "severity": "中程度", + "text": "オンプレミスで冗長な VPN アプライアンス (アクティブ/アクティブまたはアクティブ/パッシブ) を使用します。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", + "severity": "高い", + "text": "ExpressRoute Direct を使用する場合は、コストを節約するために、ローカル Azure リージョンへの ExpressRoute ローカル回線を使用することを検討してください。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "費用" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "text": "ディスク - あらゆる場所で Premium SSD ディスクの使用を検証: たとえば、非運用環境を Standard SSD またはオンデマンド Premium SSD にスワップできます", - "waf": "費用" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", + "severity": "中程度", + "text": 
"運用環境と非運用環境を分離する場合など、トラフィックの分離または専用の帯域幅が必要な場合は、異なる ExpressRoute 回線を使用します。これにより、ルーティングドメインを分離し、ノイズの多い隣人のリスクを軽減できます。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "安全" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", + "severity": "中程度", + "text": "ExpressRoute の可用性と使用率は、組み込みの Express Route Insights を使用して監視します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "オペレーションズ" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", + "severity": "中程度", + "text": "接続モニターは、ネットワーク全体 (特にオンプレミスと Azure の間) の接続監視に使用します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "オペレーションズ" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": 
"https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", + "severity": "中程度", + "text": "冗長性を確保するために、さまざまなピアリングの場所から ExpressRoute 回線を使用します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", + "severity": "中程度", + "text": "ExpressRoute 回線を 1 つだけ使用する場合は、ExpressRoute のフェールオーバーとしてサイト間 VPN を使用します。", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", + "severity": "高い", + "text": "GatewaySubnet でルート テーブルを使用している場合は、ゲートウェイ ルートが伝達されていることを確認してください。", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": 
"https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", + "severity": "高い", + "text": "ExpressRoute を使用する場合、オンプレミスのルーティングは動的である必要があり、接続エラーが発生した場合は、回線の残りの接続に収束する必要があります。負荷は、アクティブ/アクティブとして両方の接続で共有するのが理想的ですが、アクティブ/パッシブもサポートされています。", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", + "severity": "中程度", + "text": "ExpressRoute 回線の 2 つの物理リンクが、ネットワーク内の 2 つの異なるエッジ デバイスに接続されていることを確認します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", + "severity": "中程度", + "text": "BFD(Bidirectional Forwarding Detection)が顧客またはプロバイダのエッジルーティングデバイスで有効で設定されていることを確認します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", + "severity": "高い", + "text": "ExpressRoute ゲートウェイを異なるピアリングの場所から 2 つ以上の回線に接続すると、回復性が向上します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": 
"3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", + "severity": "中程度", + "text": "ExpressRoute 仮想ネットワーク ゲートウェイの診断ログとアラートを構成します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "オペレーションズ" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", + "severity": "中程度", + "text": "VNet 間通信に ExpressRoute 回線を使用しないでください。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "パフォーマンス" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", + "severity": "低い", + "text": "検査のために Azure トラフィックをハイブリッドの場所に送信しないでください。 代わりに、Azure のリソース間の通信が Microsoft バックボーン ネットワーク経由で行われるように、\"Azure のトラフィックは Azure にとどまる\" という原則に従います。", + "waf": "パフォーマンス" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Firewall", + "severity": "高い", + "text": "Azure Firewall を使用して、インターネットへの Azure 送信トラフィック、HTTP/S 以外の受信接続、East/West トラフィック フィルタリング (組織で必要な場合) を管理します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "service": 
"Firewall", + "severity": "中程度", + "text": "グローバル ネットワーク環境全体のセキュリティ体制を管理するためのグローバル Azure Firewall ポリシーを作成し、それをすべての Azure Firewall インスタンスに割り当てます。Azure のロールベースのアクセス制御を介して、増分ファイアウォール ポリシーをローカル セキュリティ チームに委任することで、特定のリージョンの要件を満たすためのきめ細かなポリシーを可能にします。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "低い", + "text": "サポートされているパートナー SaaS セキュリティプロバイダーを Firewall Manager 内で構成します。これは、組織がアウトバウンド接続を保護するためにそのようなソリューションを使用する場合です。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", + "severity": "高い", + "text": "アプリケーション・ルールを使用して、サポートされているプロトコルの宛先ホスト名でアウトバウンド・トラフィックをフィルタリングします。 FQDN ベースのネットワーク規則と Azure Firewall と DNS プロキシを使用して、他のプロトコル経由でインターネットへのエグレス トラフィックをフィルター処理します。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "高い", + "text": "Azure Firewall Premium 
を使用して、追加のセキュリティ機能を有効にします。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", + "service": "Firewall", + "severity": "高い", + "text": "Azure Firewall の脅威インテリジェンス モードを [アラート] と [拒否] に構成して、保護を強化します。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", + "severity": "高い", + "text": "Azure Firewall の IDPS モードを [拒否] に構成して、保護を強化します。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, 
subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", + "severity": "高い", + "text": "Virtual WAN に接続されていない VNet 内のサブネットの場合は、インターネット トラフィックが Azure Firewall またはネットワーク仮想アプライアンスにリダイレクトされるようにルート テーブルをアタッチします。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", + "severity": "中程度", + "text": "診断設定を追加して、リソース固有の宛先テーブルを使用して、すべての Azure Firewall デプロイのログを保存します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "オペレーションズ" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", + "severity": "大事な", + "text": "Azure Firewall クラシック ルール (存在する場合) からファイアウォール ポリシーに移行します。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "オペレーションズ" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = 
subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", + "severity": "高い", + "text": "Azure Firewall サブネットに /26 プレフィックスを使用します。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", + "severity": "中程度", + "text": "ファイアウォールポリシー内のルールを、使用頻度に基づいて「ルールコレクショングループ」と「ルールコレクション」に整理します。", + "waf": "パフォーマンス" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", + "severity": "中程度", + "text": "IP グループまたは IP プレフィックスを使用して、IP テーブル・ルールの数を減らします。", + "waf": "パフォーマンス" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", + "severity": "中程度", + "text": "DNATSのソースIPとしてワイルドカード(*やanyなど)を使用せず、受信DNATのソースIPを指定する必要があります。", + "waf": "パフォーマンス" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", + "service": "Firewall", + "severity": "中程度", + "text": "SNAT ポートの使用状況を監視し、NAT ゲートウェイの設定を評価し、シームレスなフェールオーバーを確保することで、SNAT ポートの枯渇を防ぎます。ポート数が制限に近づく場合は、SNAT 
の枯渇が差し迫っている可能性があります。", + "waf": "パフォーマンス" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", + "severity": "高い", + "text": "Azure Firewall Premium を使用している場合は、TLS 検査を有効にします。", + "waf": "パフォーマンス" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", + "severity": "低い", + "text": "Web カテゴリを使用して、特定のトピックへの送信アクセスを許可または拒否します。", + "waf": "パフォーマンス" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", + "severity": "中程度", + "text": "TLS 検査の一環として、Azure App Gateway からのトラフィックの受信を検査用に計画します。", + "waf": "パフォーマンス" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", + "severity": "中程度", + "text": "Azure Firewall DNS プロキシ構成を有効にします。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", + "severity": "高い", + "text": "Azure Firewall を Azure Monitor と統合し、診断ログを有効にしてファイアウォール ログを格納および分析します。", + "waf": "オペレーションズ" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone 
Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "低い", + "text": "ファイアウォールルールのバックアップを実装する", + "waf": "オペレーションズ" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", + "severity": "高い", + "text": "0.0.0.0/0 ルートやコントロール プレーン トラフィックをブロックする NSG ルールなど、仮想ネットワークに挿入された Azure PaaS サービスのコントロール プレーン通信を中断しないでください。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "安全" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "service": "ExpressRoute", + "severity": "中程度", + "text": "オンプレミスからプライベート エンドポイントと ExpressRoute プライベート ピアリングを介して Azure PaaS サービスにアクセスします。この方法では、公共のインターネット経由のトランジットを回避できます。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "service": "VNet", + "severity": "高い", + "text": "既定では、すべてのサブネットで仮想ネットワーク サービス エンドポイントを有効にしないでください。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "azure/private-link/inspect-traffic-with-azure-firewall", + "service": "Firewall", + "severity": "中程度", + "text": "Azure Firewall または NVA の IP アドレスではなく FQDN を使用して Azure PaaS サービスへのエグレス トラフィックをフィルター処理し、データの流出を防ぎます。Private Link を使用している場合は、すべての FQDN をブロックでき、それ以外の場合は必要な PaaS サービスのみを許可できます。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "安全" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", + "severity": "高い", + "text": "Gateway サブネットには、少なくとも /27 プレフィックスを使用します。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", + "severity": "高い", + "text": "VirtualNetwork サービス タグを使用して接続を制限する NSG 受信既定の規則に依存しないでください。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", + "severity": "中程度", + "text": "NSG を使用して、サブネット間のトラフィックと、プラットフォーム全体の East/West トラフィック (ランディング ゾーン間のトラフィック) を保護します。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", + "severity": "中程度", + "text": "NSG とアプリケーション セキュリティ 
グループを使用して、ランディング ゾーン内のトラフィックをマイクロセグメント化し、中央の NVA を使用してトラフィック フローをフィルター処理しないようにします。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", + "service": "NSG", + "severity": "中程度", + "text": "VNet フロー ログを有効にし、Traffic Analytics にフィードして、内部および外部のトラフィック フローに関する分析情報を取得します。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", + "severity": "中程度", + "text": "1000 ルールの制限があるため、NSG ごとに 900 を超える NSG ルールを実装しないでください。", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", + "severity": "中程度", + "text": "Virtual WAN ルーティング設計の一覧にシナリオが明示的に説明されている場合は、Virtual WAN を使用します。", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "waf": "オペレーションズ" + }, + { + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", + "service": "VWAN", + "severity": "中程度", + "text": "Azure リージョンごとに Virtual WAN ハブを使用して、共通のグローバル Azure Virtual WAN を介して Azure リージョン間で複数のランディング ゾーンを接続します。", + "waf": "パフォーマンス" + }, + { + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", + "service": "VWAN", + "severity": "中程度", + "text": "送信インターネット トラフィックの保護とフィルタリングを行うには、セキュリティで保護されたハブに Azure Firewall をデプロイします。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" + }, + { + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", + "service": "VWAN", + "severity": "中程度", + "text": "Virtual WAN ネットワーク アーキテクチャが、特定されたアーキテクチャ シナリオと一致していることを確認します。", + "waf": "確実" + }, + { + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", + "severity": "中程度", + "text": "Azure Monitor Insights for Virtual WAN を使用して、Virtual WAN のエンドツーエンド トポロジ、状態、および主要なメトリックを監視します。", + "waf": "オペレーションズ" + }, + { + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": 
"https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", + "severity": "中程度", + "text": "Virtual WAN のブランチ間トラフィックは、これらのフローを明示的にブロックする必要がない限り、無効にしないでください。", + "waf": "確実" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "予算を作成してコストを管理し、支出の異常や過剰支出のリスクを関係者に自動的に通知するアラートを作成します。", - "waf": "費用" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", + "severity": "中程度", + "text": "AS-Path は ExpressRoute や VPN よりも柔軟性が高いため、ハブ ルーティング設定として使用します。", + "waf": "確実" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "追加のデータ分析のために、コスト データをストレージ アカウントにエクスポートします。", - "waf": "費用" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", + "severity": "中程度", + "text": "Virtual WAN でラベルベースの伝達を構成すると、仮想ハブ間の接続が損なわれます。", + "waf": "確実" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "text": "専用 SQL プールのコストを制御するには、リソースが使用されていないときに一時停止します。", - "waf": "費用" + "arm-service": 
"microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", + "severity": "高い", + "text": "仮想ハブに少なくとも /23 プレフィックスを割り当てて、十分な IP スペースが使用可能であることを確認します。", + "waf": "確実" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "サーバーレス Apache Spark の自動一時停止機能を有効にし、それに応じてタイムアウト値を設定します。", - "waf": "費用" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "高い", + "text": "Azure Policy を戦略的に活用し、環境のコントロールを定義し、ポリシー イニシアチブを使用して関連するポリシーをグループ化します。", + "waf": "安全" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "さまざまなサイズの複数の Apache Spark プール定義を作成します。", - "waf": "費用" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "中程度", + "text": "規制とコンプライアンスの要件を Azure Policy 定義と Azure ロールの割り当てにマップします。", + "waf": "安全" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "Azure Synapse Analytics のコストを節約するために、事前購入プランで Azure Synapse コミット ユニット (SCU) を 1 年間購入します。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "費用" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "中程度", + "text": "中間ルート管理グループで Azure Policy 定義を確立して、継承されたスコープで割り当てられるようにします。", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "中断可能なジョブにスポット VM を使用する: これらは、割引価格で入札および購入できる VM であり、重要でないワークロードにコスト効率の高いソリューションを提供します。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "費用" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "高い", + "text": "ポリシーの割り当てを適切な最上位レベルで管理し、必要に応じて下位レベルで除外します。", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "すべての VM の適切なサイズ設定", - "waf": "費用" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": 
"43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", + "severity": "低い", + "text": "Azure Policy を使用して、ユーザーがサブスクリプション/管理グループ レベルでプロビジョニングできるサービスを制御します。", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "正規化されたサイズと最新のサイズでサイズをスワップする VM", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "費用" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "高い", + "text": "可能な場合は組み込みポリシーを使用して、運用オーバーヘッドを最小限に抑えます。", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "VM の適切なサイズ設定 - 使用率を 5% 未満で監視することから始めて、その後 40% まで作業します", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "費用" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "description": "Resource Policy Contributor ロールを特定のスコープに割り当てると、ポリシー管理を関連するチームに委任できます。たとえば、中央のITチームが管理グループレベルのポリシーを監督し、アプリケーションチームがサブスクリプションのポリシーを処理することで、組織の標準に準拠した分散型ガバナンスが可能になります。", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", + "severity": "中程度", + 
"text": "特定のスコープで組み込みのリソース ポリシー共同作成者ロールを割り当てて、アプリケーション レベルのガバナンスを有効にします。", + "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "アプリケーションをコンテナー化すると、VM の密度が向上し、スケーリングにかかるコストを節約できます", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "費用" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "中程度", + "text": "ルート管理グループのスコープで行われる Azure Policy の割り当ての数を制限して、継承されたスコープでの除外による管理を回避します。", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "高い", - "text": "ビジネスとSLOの要件に基づいて適切な関数ホスティングプランを選択します", - "waf": "確実" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", + "severity": "中程度", + "text": "データ主権の要件が存在する場合は、それらを適用するために Azure ポリシーをデプロイする必要があります。", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure 
Functions", - "severity": "高い", - "text": "リージョンで適用可能な場合は Availability Zones を活用します (従量課金レベルでは使用できません)", - "waf": "確実" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", + "severity": "中程度", + "text": "ソブリン ランディング ゾーンの場合は、ソブリン ポリシー ベースラインをデプロイし、正しい管理グループ レベルで割り当てます。", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "severity": "中程度", - "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", - "waf": "確実" + "text": "ソブリン ランディング ゾーンの場合は、ソブリン制御の目標をポリシー マッピングに文書化します。", + "waf": "安全" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "高い", - "text": "分離環境にデプロイする場合は、App Service Environment (ASE) v3 を使用するか、それらに移行します", - "waf": "確実" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", + "service": "Policy", + "severity": "中程度", + "text": 
"ソブリン・ランディング・ゾーンについては、「ソブリン・コントロールの目標からポリシー・マッピングまで」の管理プロセスが実施されていることを確認してください。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", + "severity": "中程度", + "text": "Azure ロールベースのアクセス制御 (Azure RBAC)、データ主権要件、またはデータ保持ポリシーで個別のワークスペースが義務付けられている場合を除き、1 つのモニター ログ ワークスペースを使用してプラットフォームを一元的に管理します。", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", "severity": "高い", - "text": "App Service プランで実行されているすべての関数アプリで \"Always On\" が有効になっていることを確認する", - "waf": "確実" + "text": "ログの保持要件が 12 年を超える場合は、ログを Azure Storage にエクスポートします。write-once、read-many ポリシーで不変ストレージを使用して、ユーザーが指定した間隔でデータを消去および変更できないようにします。", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": 
"e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", "severity": "中程度", - "text": "関数アプリを独自のストレージ アカウントにペアリングします。Function Apps のストレージ アカウントは、緊密に結合されていない限り、再利用しないようにしてください", - "waf": "確実" + "text": "Azure Policy を使用して、OS レベルの仮想マシン (VM) 構成のずれを監視します。ポリシーを使用して Azure Automanage マシン構成の監査機能を有効にすると、アプリケーション チームのワークロードは、わずかな労力で機能機能をすぐに使用できます。", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "オペレーションズ" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", + "service": "VM", "severity": "中程度", - "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、関数アプリのコードを保護します", + "text": "Azure Update Manager は、Azure の Windows VM と Linux VM の修正プログラム適用メカニズムとして使用します。", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", - "severity": "低い", - "text": "ベスト プラクティスについては、「ベースラインの高可用性ゾーン冗長 Web アプリケーション アーキテクチャ」を参照してください", - "waf": "確実" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - 
"link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", "severity": "中程度", - "text": "Premium レベルと Standard レベルを使用します。これらの層では、ステージング スロットと自動バックアップがサポートされています。", - "waf": "確実" + "text": "Azure Arc を使用して、Azure の外部にある Windows および Linux VM の修正プログラム適用メカニズムとして Azure Update Manager を使用します。", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", - "severity": "高い", - "text": "リージョンで適用可能な場合は Availability Zones を活用します (Premium v2 または v3 レベルが必要)", - "waf": "確実" + "arm-service": "microsoft.network/networkWatchers", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", + "severity": "中程度", + "text": "Network Watcher を使用して、トラフィック フローを事前に監視します。", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": 
"6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", "severity": "中程度", - "text": "ヘルスチェックの実装", - "waf": "確実" + "text": "Azure Monitor ログを使用して、分析情報とレポートを作成します。", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", - "severity": "高い", - "text": "「Azure App Service のバックアップと復元のベスト プラクティス」を参照してください", - "waf": "確実" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", + "severity": "中程度", + "text": "Azure Monitor アラートを使用して、運用アラートを生成します。", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", - "severity": "高い", - "text": "Azure App Service の信頼性に関するベスト プラクティスを実装する", - "waf": "確実" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", + "severity": "中程度", + "text": "Azure Automation アカウントを使用して変更とインベントリの追跡を使用する場合は、Log Analytics ワークスペースと Automation アカウントをリンクするためにサポートされているリージョンが選択されていることを確認してください。", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": 
"https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", "severity": "低い", - "text": "災害時に App Service アプリを別のリージョンに移動する方法を理解する", - "waf": "確実" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", - "severity": "高い", - "text": "Azure App Service の信頼性サポートについて理解する", + "text": "Azure Backup を使用する場合は、既定の設定が GRS であるため、バックアップに正しいバックアップの種類 (GRS、ZRS、LRS) を使用します。", "waf": "確実" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", "severity": "中程度", - "text": "App Service プランで実行されている Function Apps に対して \"Always On\" が有効になっていることを確認する", - "waf": "確実" + "text": "Azure ゲスト ポリシーを使用して、VM 拡張機能を通じてソフトウェア構成を自動的にデプロイし、準拠したベースライン VM 構成を適用します。", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing 
Zone Review", + "description": "Azure Policy のゲスト構成機能を使用して、マシンの設定 (OS、アプリケーション、環境など) を監査および修復し、リソースが予想される構成と一致していることを確認し、Update Management では VM のパッチ管理を適用できます。", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", "severity": "中程度", - "text": "正常性チェックを使用した App Service インスタンスの監視", - "waf": "確実" + "text": "Azure Policy を使用して VM セキュリティ構成のドリフトを監視します。", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "severity": "中程度", - "text": "Application Insights の可用性テストを使用して Web アプリまたは Web サイトの可用性と応答性を監視する", - "waf": "確実" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", - "severity": "低い", - "text": "Application Insights Standard テストを使用して、Web アプリまたは Web サイトの可用性と応答性を監視する", - "waf": "確実" + "text": "Azure Site Recovery は、Azure から Azure Virtual Machines へのディザスター リカバリー シナリオに使用します。これにより、リージョン間でワークロードをレプリケートできます。", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure Key Vault を使用して、アプリケーションに必要なシークレットを格納します。 Key Vault は、シークレットを格納するための安全で監査された環境を提供し、Key Vault SDK または App Service Key Vault リファレンスを通じて App Service と適切に統合されています。", - "guid": 
"834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "高い", - "text": "Key Vault を使用してシークレットを格納する", - "waf": "安全" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", + "severity": "中程度", + "text": "Azure ネイティブのバックアップ機能、または Azure と互換性のあるサード パーティのバックアップ ソリューションを使用します。", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "マネージド ID を使用して、Key Vault SDK または App Service Key Vault 参照を使用して Key Vault に接続します。", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", "severity": "高い", - "text": "マネージド ID を使用して Key Vault に接続する", - "waf": "安全" + "text": "診断設定を追加して、Azure Front Door や Azure Application Gateway などのアプリケーション配信サービスから WAF ログを保存します。ログを定期的に確認して、攻撃や誤検知の検出がないか確認します。", + "waf": "オペレーションズ" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service TLS 証明書を Key Vault に格納します。", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": 
"7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", + "severity": "中程度", + "text": "Azure Front Door や Azure Application Gateway などのアプリケーション配信サービスから WAF ログを Microsoft Sentinel に送信します。攻撃を検出し、WAF テレメトリを Azure 環境全体に統合します。", + "waf": "オペレーションズ" + }, + { + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "高い", - "text": "Key Vault を使用して TLS 証明書を格納します。", + "text": "Azure Key Vault を使用して、シークレットと資格情報を格納します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "機密情報を処理するシステムは分離する必要があります。 そのためには、個別の App Service プランまたは App Service Environment を使用し、異なるサブスクリプションまたは管理グループの使用を検討してください。", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "severity": 
"中程度", - "text": "機密情報を処理するシステムを分離する", + "text": "アプリケーションやリージョンごとに異なる Azure Key Vault を使用して、トランザクションのスケール制限を回避し、シークレットへのアクセスを制限します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service のローカル ディスクは暗号化されていないため、機密データを格納しないでください。 (例: D:\\\\Local and %TMP%)。", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "機密データをローカルディスクに保存しない", + "text": "論理的な削除ポリシーと消去ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "認証された Web アプリケーションの場合は、Azure AD や Azure AD B2C などの確立された ID プロバイダーを使用します。 選択したアプリケーション フレームワークを利用して、このプロバイダーと統合するか、App Service の認証/承認機能を使用します。", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "認証に確立された ID プロバイダーを使用する", + "text": "最小特権モデルに従って、キー、シークレット、証明書を完全に削除する承認を、特殊なカスタム Microsoft Entra ID ロールに制限します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "適切に管理され、セキュリティで保護された DevOps デプロイ パイプラインなど、制御された信頼できる環境から App Service にコードをデプロイします。これにより、バージョン管理されておらず、悪意のあるホストからデプロイされることが確認されていないコードが回避されます。", - 
"guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", - "severity": "高い", - "text": "信頼できる環境からのデプロイ", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中程度", + "text": "公開認証局を使用して証明書の管理と更新プロセスを自動化し、管理を容易にします。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "FTP/FTPS と WebDeploy/SCM の両方の基本認証を無効にします。 これにより、これらのサービスへのアクセスが無効になり、デプロイに Azure AD で保護されたエンドポイントの使用が強制されます。 SCM サイトは、Azure AD 資格情報を使用して開くこともできます。", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", - "severity": "高い", - "text": "基本認証の無効化", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中程度", + "text": "キーと証明書のローテーションのための自動化されたプロセスを確立します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "可能な場合は、マネージド ID を使用して Azure AD のセキュリティで保護されたリソースに接続します。 これが不可能な場合は、Key Vault にシークレットを格納し、代わりにマネージド ID を使用して Key Vault に接続します。", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", - "severity": "高い", - "text": "マネージド ID を使用してリソースに接続する", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": 
"https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "中程度", + "text": "コンテナーでファイアウォールと仮想ネットワーク サービス エンドポイントまたはプライベート エンドポイントを有効にして、キー コンテナーへのアクセスを制御します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure Container Registry に格納されているイメージを使用する場合は、マネージド ID を使用してこれらをプルします。", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", - "severity": "高い", - "text": "マネージド ID を使用してコンテナーをプルするPull containers using a Managed Identity", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", + "severity": "中程度", + "text": "プラットフォーム中央の Azure Monitor Log Analytics ワークスペースを使用して、Key Vault の各インスタンス内のキー、証明書、シークレットの使用状況を監査します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service の診断設定を構成することで、ログ記録と監視の中央の宛先として、すべてのテレメトリを Log Analytics に送信できます。これにより、HTTP ログ、アプリケーション ログ、プラットフォーム ログなどの App Service のランタイム アクティビティを監視できます。", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "App Service ランタイム ログを Log Analytics に送信する", + "text": "Key Vault のインスタンス化と特権アクセスを委任し、Azure Policy を使用して一貫した準拠構成を適用します。", "waf": "安全" }, { - "arm-service": 
"microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "ログ記録と監視の中央の宛先としてアクティビティ ログを Log Analytics に送信するための診断設定を設定します。これにより、App Service リソース自体のコントロール プレーンのアクティビティを監視できます。", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "App Service アクティビティ ログを Log Analytics に送信する", + "text": "Azure Key Vault は、アプリケーションごと、環境ごと、リージョンごとに使用します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "リージョンの VNet 統合、ネットワーク セキュリティ グループ、および UDR の組み合わせを使用して、送信ネットワーク アクセスを制御します。 トラフィックは、Azure Firewall などの NVA にルーティングする必要があります。 ファイアウォールのログを必ず監視してください。", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "中程度", - "text": "送信ネットワーク アクセスを制御する必要がある", + "text": "独自のキーを持ち込む場合、これは考慮されるすべてのサービスでサポートされているとは限りません。不整合が望ましい結果を妨げないように、適切な軽減策を実装します。レイテンシを最小限に抑える適切なリージョンペアとディザスタリカバリリージョンを選択します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "VNet 統合を使用し、VNet NAT ゲートウェイまたは Azure Firewall などの NVA を使用することで、安定した送信 IP を提供できます。 これにより、受信側は必要に応じて IP に基づいて許可リストに登録できます。 多くの場合、Azure サービスへの通信では、IP アドレスに依存する必要はなく、代わりにサービス エンドポイントなどのメカニズムを使用する必要があります。 (また、受信側でプライベート エンドポイントを使用すると、SNAT の発生が回避され、安定した送信 IP 
範囲が提供されます)。", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "低い", - "text": "インターネットアドレスへの送信通信のIPを安定させる", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", + "severity": "中程度", + "text": "ソブリン ランディング ゾーンの場合は、Azure Key Vault マネージド HSM を使用してシークレットと資格情報を格納します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service のアクセス制限、サービス エンドポイント、またはプライベート エンドポイントの組み合わせを使用して、受信ネットワーク アクセスを制御します。Web アプリ自体と SCM サイトに対して異なるアクセス制限を要求し、構成できます。", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "高い", - "text": "受信ネットワーク アクセスを制御する必要がある", + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", + "severity": "中程度", + "text": "Microsoft Entra ID レポート機能を使用して、アクセス制御監査レポートを生成します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Application Gateway や Azure Front Door などの Web アプリケーション ファイアウォールを使用して、悪意のある受信トラフィックから保護します。 WAFのログを必ず監視してください。", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + 
"service": "Defender", "severity": "高い", - "text": "App Service の前で WAF を使用するUse a WAF in Front of App Service", + "text": "すべてのサブスクリプションで Defender Cloud セキュリティ態勢管理を有効にします。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "WAFのみへのアクセスをロックダウンすることで、WAFをバイパスできないようにします。 アクセス制限、サービス・エンドポイントおよびプライベート・エンドポイントを組み合わせて使用します。", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "severity": "高い", - "text": "WAFをバイパスすることは避けてください", - "waf": "安全" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service の構成で最小 TLS ポリシーを 1.2 に設定します。", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", - "severity": "中程度", - "text": "最小 TLS ポリシーを 1.2 に設定します。", + "text": "すべてのサブスクリプションで、サーバーの Defender Cloud ワークロード保護プランを有効にします。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "HTTPS のみを使用するように App Service を構成します。 これにより、App Service は HTTP から HTTPS にリダイレクトされます。 HTTP Strict Transport Security (HSTS) をコード内または WAF から使用して、サイトに HTTPS を使用してのみアクセスする必要があることをブラウザーに通知することを強く検討してください。", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": 
"475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", "severity": "高い", - "text": "HTTPS のみを使用", + "text": "すべてのサブスクリプションで Azure リソースの Defender Cloud ワークロード保護プランを有効にします。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "CORS 構成では、すべての配信元がサービスにアクセスできるため、ワイルドカードを使用しないでください (これにより、CORS の目的が損なわれます)。具体的には、サービスにアクセスできると予想される配信元のみを許可します。", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", "severity": "高い", - "text": "ワイルドカードは CORS に使用しないでください", + "text": "IaaS サーバーでエンドポイント保護を有効にします。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "リモート デバッグは、サービスに追加のポートが開き、攻撃対象領域が増加するため、運用環境でオンにしないでください。このサービスは、48 時間後に自動的にリモート デバッグをオフにすることに注意してください。", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", - "severity": "高い", - "text": "リモートデバッグをオフにする", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": 
"15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", + "severity": "中程度", + "text": "Azure Monitor ログと Defender for Cloud を使用して、基本オペレーティング システムの修正プログラムのずれを監視します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Defender for App Service を有効にします。 これは(他の脅威の中でも)既知の悪意のあるIPアドレスへの通信を検出します。 操作の一環として、Defender for App Service からの推奨事項を確認します。", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "中程度", - "text": "Defender for Cloud を有効にする - Defender for App Service", + "text": "既定のリソース構成を一元化された Azure Monitor Log Analytics ワークスペースに接続します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure は、ネットワーク上で DDoS Basic 保護を提供しており、通常のトラフィック パターンを学習し、異常な動作を検出できるインテリジェントな DDoS Standard 機能によって改善できます。DDoS Standard は仮想ネットワークに適用されるため、Application Gateway や NVA など、アプリの前にあるネットワーク リソース用に構成する必要があります。", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "severity": "中程度", - "text": "WAF VNet で DDoS Protection Standard を有効にするEnable DDOS Protection Standard on the WAF VNet", + "text": "ソブリン ランディング ゾーンの場合は、Entra ID テナントで透明度ログを有効にします。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - 
"checklist": "Azure App Service Review", - "description": "Azure Container Registry に格納されているイメージを使用する場合は、プライベート エンドポイントとアプリ設定 \"WEBSITE_PULL_IMAGE_OVER_VNET\" を使用して、Azure Container Registry から仮想ネットワーク経由でイメージをプルします。", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "中程度", - "text": "Virtual Network 経由でコンテナーをプルする", + "text": "Sovereign Landing Zone の場合は、Entra ID テナントでカスタマー ロックボックスを有効にします。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "ペネトレーションテストのルールに従って、Webアプリケーションでペネトレーションテストを実施します。", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", - "severity": "中程度", - "text": "ペネトレーションテストの実施", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "severity": "高い", + "text": "ストレージ アカウントへの安全な転送を有効にします。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "DevSecOps プラクティスに従って脆弱性が検証およびスキャンされた信頼できるコードをデプロイします。", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", - "severity": "中程度", - "text": "検証済みコードのデプロイ", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": 
"159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", + "severity": "高い", + "text": "ストレージ アカウントのコンテナーの論理的な削除を有効にして、削除されたコンテナーとその内容を回復します。", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "サポートされているプラットフォーム、プログラミング言語、プロトコル、およびフレームワークの最新バージョンを使用します。", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", "severity": "高い", - "text": "最新のプラットフォーム、言語、プロトコル、フレームワークを使用", - "waf": "安全" + "text": "Key Vault シークレットを使用して、資格情報 (仮想マシン、ユーザー パスワード)、証明書、キーなどの機密情報のハードコーディングを回避します。", + "waf": "オペレーションズ" }, { "arm-service": "Microsoft.Web/sites", 
@@ -7716,178 +8078,6 @@ "text": "Azure DevOps または GitHub を活用して CI/CD を合理化し、ロジック アプリ コードを保護", "waf": "オペレーションズ" }, - { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", - "severity": "中程度", - "text": "Azure Bot Service の信頼性サポートの推奨事項に従う", - "waf": "確実" - }, - { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", - "severity": "中程度", - "text": "ローカル データ所在地とリージョン コンプライアンスを備えたボットのデプロイ", - "waf": "確実" - }, - { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", - "severity": "中程度", - "text": "Azure Bot Service は、グローバル サービスとリージョン サービスの両方に対してアクティブ/アクティブ モードで実行されます。停止が発生した場合、エラーを検出したり、サービスを管理したりする必要はありません。Azure Bot Service は、複数リージョンの地理的アーキテクチャで自動フェールオーバーと自動復旧を自動的に実行します。EU ボット リージョン サービスの場合、Azure Bot Service は、冗長性を確保するために、アクティブ/アクティブ レプリケーションを備えたヨーロッパ内の 2 つの完全なリージョンを提供します。グローバル ボット サービスの場合、使用可能なすべてのリージョン/地域をグローバル フットプリントとして提供できます。", - "waf": "確実" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", - "severity": "中程度", - "text": "Azure Data Factory の FTA 回復性プレイブックの活用", - "waf": "確実" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": 
"Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "高い", - "text": "Availability Zones をサポートするリージョンでゾーン冗長パイプラインを使用するUse zone redundant pipelines in regions that support Availability Zones", - "waf": "確実" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", - "severity": "中程度", - "text": "DevOps を使用して Github と Azure DevOps の統合で ARM テンプレートをバックアップする", - "waf": "確実" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "中程度", - "text": "セルフホステッド統合ランタイム VM を別のリージョンにレプリケートしてください", - "waf": "確実" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "中程度", - "text": "必ず、姉妹リージョンでネットワークをレプリケートまたは複製してください。別のリージョンに VNet のコピーを作成する必要があります", - "waf": "確実" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "ADF パイプラインで Key Vault が使用されている場合は、Key Vault をレプリケートするために何もする必要はありません。Key Vault はマネージド サービスであり、Microsoft が処理します", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", - "severity": "低い", - "text": "Keyvault 統合を使用している場合は、Keyvault の SLA を使用して可用性を把握します", - "waf": "確実" - }, - { - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", - "severity": "中程度", - "text": "有効期間の長い取り消し可能なトークンを使用し、トークンをキャッシュし、Microsoft ID ライブラリを使用してサイレントに取得します", - "waf": "確実" - }, - { - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", - "severity": "中程度", - "text": "サインイン ユーザー フローがバックアップされ、回復性があることを確認します。ユーザーのサインインに使用するコードがバックアップされ、回復可能であることを確認します。外部プロセスとの回復力のあるインターフェース", - "waf": "確実" - }, - { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", - "severity": "中程度", - "text": "カスタムブランドアセットはCDNでホストする必要がある", - "waf": "パフォーマンス" - }, - { - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "severity": "低い", - "text": "複数のIDプロバイダーを持っている(つまり、Microsoft、Google、Facebookアカウントでログインする)", - "waf": "確実" - }, - { - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "中程度", - "text": "VM レベルでの高可用性に関する VM ルールに従う (Premium ディスク、リージョン内の 2 つ以上、異なる可用性ゾーン内)", - "waf": "確実" - }, - { - "checklist": "Identity Review 
Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "中程度", - "text": "複製しないでください!レプリケーションにより、ディレクトリ同期に関する問題が発生する可能性があります", - "waf": "確実" - }, - { - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "中程度", - "text": "マルチリージョンのアクティブ/アクティブを持つ", - "waf": "確実" - }, - { - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", - "severity": "中程度", - "text": "Azure AD Domain Service スタンプを追加のリージョンと場所に追加する", - "waf": "確実" - }, - { - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", - "severity": "中程度", - "text": "DR にレプリカ セットを使用する", - "waf": "確実" - }, { "arm-service": "microsoft.network/frontdoors", "checklist": "Azure Application Delivery Networking", @@ -7895,7 +8085,7 @@ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", "service": "Front Door", "severity": "中程度", - "text": "Azure Front Door でカスタマー マネージド TLS 証明書を使用する場合は、\"最新\" の証明書バージョンを使用します。証明書の手動更新によって引き起こされる停止のリスクを軽減", + "text": "Azure Front Door でカスタマー マネージド TLS 証明書を使用する場合は、\"最新\" の証明書バージョンを使用します。証明書の手動更新による停止のリスクを軽減", "waf": "オペレーションズ" }, { 
@@ -7918,7 +8108,7 @@ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "service": "Load Balancer", "severity": "中程度", - "text": "Azure Load Balancer に Standard SKU を使用していることを確認する", + "text": "Azure Load Balancers に Standard SKU を使用していることを確認します", "waf": "安全" }, { @@ -7939,19 +8129,19 @@ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", "service": "App Gateway", "severity": "中程度", - "text": "Application Gateway v2 は、IP プレフィックスが /24 以上のサブネットにデプロイする必要があります", + "text": "Application Gateways v2 は、IP プレフィックスが /24 以上のサブネットにデプロイする必要があります", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { "arm-service": "microsoft.network/applicationGateways", "checklist": "Azure Application Delivery Networking", - "description": "リバースプロキシ全般、特にWAFの管理は、ネットワークよりもアプリケーションに近いため、アプリと同じサブスクリプションに属します。Application Gateway と WAF を接続サブスクリプションに一元化することは、1 つのチームによって管理されている場合は問題ない場合があります。", + "description": "リバースプロキシの管理全般、特にWAFの管理は、ネットワーキングよりもアプリケーションに近いため、アプリと同じサブスクリプションに属します。Application Gateway と WAF を接続サブスクリプションに一元化することは、1 つのチームによって管理されている場合は問題ない可能性があります。", "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "App Gateway", "severity": "中程度", - "text": "ランディング ゾーン仮想ネットワーク内およびそれらがセキュリティで保護しているアプリと共に、受信 HTTP(S) 接続のプロキシに使用される Azure Application Gateway v2 またはパートナーの NVA をデプロイします。", + "text": "ランディング ゾーン仮想ネットワーク内の受信 HTTP(S) 接続のプロキシに使用される Azure Application Gateway v2 またはパートナー NVA と、それらがセキュリティ保護しているアプリをデプロイします。", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, 
@@ -7962,7 +8152,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "App Gateway", "severity": "中程度", - "text": "アプリケーション ランディング ゾーン内のすべてのパブリック IP アドレスに対して DDoS ネットワークまたは IP 保護プランを使用します。", + "text": "アプリケーション ランディング ゾーン内のすべてのパブリック IP アドレスに対して、DDoS ネットワークまたは IP 保護プランを使用します。", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, @@ -7974,7 +8164,7 @@ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", "service": "App Gateway", "severity": "中程度", - "text": "最小数のインスタンスが 2 つになる自動スケーリングを構成します。", + "text": "自動スケールは、最小インスタンス数が 2 になるように構成します。", "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "確実" }, @@ -7997,7 +8187,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "Front Door", "severity": "中程度", - "text": "Azure Front Door と WAF ポリシーを使用して、複数の Azure リージョンにまたがるグローバル HTTP/S アプリを配信し、保護します。", + "text": "Azure Front Door と WAF ポリシーを使用して、複数の Azure リージョンにまたがるグローバル HTTP/S アプリを提供し、保護します。", "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, @@ -8030,7 +8220,7 @@ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "Entra", "severity": "低い", - "text": "ユーザーが内部アプリケーションへのアクセスのみを必要とする場合、Microsoft Entra ID アプリケーション プロキシは Azure Virtual Desktop (AVD) の代替として検討されていますか?", + "text": "ユーザーが内部アプリケーションへのアクセスのみを必要とする場合、Microsoft Entra ID アプリケーション プロキシは Azure Virtual Desktop (AVD) の代替手段として検討されていますか?", "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "安全" }, 
@@ -8040,7 +8230,7 @@ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "Entra", "severity": "中程度", - "text": "ネットワーク内の着信接続用に開かれているファイアウォール ポートの数を減らすには、Microsoft Entra ID アプリケーション プロキシを使用して、リモート ユーザーに内部アプリケーションへの安全で認証されたアクセスを提供することを検討してください。", + "text": "ネットワーク内の着信接続用に開かれるファイアウォール ポートの数を減らすには、Microsoft Entra ID アプリケーション プロキシを使用して、リモート ユーザーに内部アプリケーションへの安全で認証されたアクセスを提供することを検討してください。", "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "安全" }, @@ -8053,7 +8243,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", "service": "Front Door", "severity": "高い", - "text": "Front Door の WAF ポリシーを \"防止\" モードでデプロイします。", + "text": "Front Door の WAF ポリシーを \"防止\" モードでデプロイし、Web アプリケーション ファイアウォールがトラフィックを許可または拒否するための適切なアクションを実行するようにします。", "waf": "安全" }, { @@ -8064,7 +8254,7 @@ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", "service": "Front Door", "severity": "高い", - "text": "Azure Traffic Manager と Azure Front Door の組み合わせは避けてください。", + "text": "Azure Traffic Manager と Azure Front Door を組み合わせることは避けてください。", "waf": "安全" }, { @@ -8086,7 +8276,7 @@ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", "service": "Front Door", "severity": "低い", - "text": "Azure Front Door 配信元グループに配信元が 1 つしかない場合は、正常性プローブを無効にします。", + "text": "Azure Front Door の配信元グループに配信元が 1 つしかない場合は、正常性プローブを無効にします。", "waf": "パフォーマンス" }, { 
@@ -8096,7 +8286,7 @@ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", "service": "Front Door", "severity": "中程度", - "text": "Azure Front Door に適した正常性プローブ エンドポイントを選択します。アプリケーションのすべての依存関係をチェックする正常性エンドポイントを構築することを検討してください。", + "text": "Azure Front Door の適切な正常性プローブ エンドポイントを選択します。アプリケーションのすべての依存関係をチェックする正常性エンドポイントの構築を検討してください。", "waf": "確実" }, { @@ -8119,7 +8309,7 @@ "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", "service": "Load Balancer", "severity": "高い", - "text": "Load Balancer の送信規則の代わりに Azure NAT Gateway を使用して、SNAT のスケーラビリティを向上させる", + "text": "Load Balancer のアウトバウンド規則の代わりに Azure NAT Gateway を使用して SNAT のスケーラビリティを向上させる", "waf": "確実" }, { @@ -8141,7 +8331,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", "service": "Front Door", "severity": "中程度", - "text": "Azure Front Door WAF の構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", + "text": "Azure Front Door WAF 構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", "waf": "オペレーションズ" }, { @@ -8152,7 +8342,7 @@ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", "service": "Front Door", "severity": "高い", - "text": "Azure Front Door でエンド ツー エンドの TLS を使用します。クライアントから Front Door への接続、および Front Door から配信元への接続には TLS を使用します。", + "text": "Azure Front Door でエンド ツー エンド TLS を使用します。クライアントから Front Door への接続、および Front Door から配信元への接続には TLS を使用します。", "waf": "安全" }, { @@ -8162,7 +8352,7 @@ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", "service": "Front Door", "severity": "中程度", - "text": "Azure Front Door で HTTP から HTTPS へのリダイレクトを使用します。古いクライアントをHTTPSリクエストに自動的にリダイレクトすることでサポートします。", + "text": "Azure Front Door で HTTP から HTTPS へのリダイレクトを使用します。古いクライアントを自動的に HTTPS リクエストにリダイレクトすることで、クライアントをサポートします。", "waf": "安全" }, { 
@@ -8184,7 +8374,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", "service": "Front Door", "severity": "高い", - "text": "ワークロードに合わせて Azure Front Door WAF を調整します。誤検知を減らします。", + "text": "ワークロードに合わせて Azure Front Door WAF を調整するには、検出モードで WAF を構成して誤検知の検出を減らして修正します。", "waf": "安全" }, { @@ -8195,7 +8385,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", "service": "Front Door", "severity": "高い", - "text": "Azure Front Door WAF ポリシーで要求本文検査機能を有効にします。", + "text": "Azure Front Door WAF ポリシーで有効になっている要求本文の検査機能を有効にします。", "waf": "安全" }, { @@ -8206,7 +8396,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", "service": "Front Door", "severity": "高い", - "text": "Azure Front Door WAF の既定の規則セットを有効にします。既定のルール セットは、一般的な攻撃を検出してブロックします。", + "text": "Azure Front Door WAF の既定のルール セットを有効にします。デフォルトのルールセットは、一般的な攻撃を検出してブロックします。", "waf": "安全" }, { @@ -8217,7 +8407,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", "service": "Front Door", "severity": "高い", - "text": "Azure Front Door WAF ボット保護ルール セットを有効にします。ボットルールは、良いボットと悪いボットを検出します。", + "text": "Azure Front Door WAF ボット保護ルール セットを有効にします。ボット ルールは、良いボットと悪いボットを検出します。", "waf": "安全" }, { @@ -8227,7 +8417,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", "service": "Front Door", "severity": "中程度", - "text": "最新の Azure Front Door WAF ルール セット バージョンを使用します。ルール セットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", + "text": "最新の Azure Front Door WAF ルール セット バージョンを使用します。ルールセットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", "waf": "安全" }, { 
@@ -8237,7 +8427,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", "service": "Front Door", "severity": "中程度", - "text": "Azure Front Door WAF にレート制限を追加します。レート制限は、クライアントが短期間に大量のトラフィックを誤ってまたは意図的に送信することをブロックします。", + "text": "Azure Front Door WAF にレート制限を追加します。レート制限は、クライアントが誤ってまたは意図的に短時間に大量のトラフィックを送信するのをブロックします。", "waf": "安全" }, { @@ -8247,7 +8437,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", "service": "Front Door", "severity": "中程度", - "text": "Azure Front Door WAF のレート制限には、高いしきい値を使用します。高いレート制限しきい値は、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多数の要求に対する保護を提供します。", + "text": "Azure Front Door WAF のレート制限には高いしきい値を使用します。レート制限のしきい値を高くすると、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多くのリクエストに対する保護を提供します。", "waf": "安全" }, { @@ -8257,7 +8447,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", "service": "Front Door", "severity": "低い", - "text": "すべての地域からのトラフィックが想定されていない場合は、地域フィルタを使用して、想定外の国からのトラフィックをブロックします。", + "text": "すべての地理的地域からのトラフィックを想定していない場合は、geo フィルタを使用して、想定外の国からのトラフィックをブロックします。", "waf": "安全" }, { @@ -8267,7 +8457,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", "service": "Front Door", "severity": "中程度", - "text": "Azure Front Door WAF を使用してトラフィックをジオフィルター処理するときに、不明な (ZZ) 場所を指定します。IP アドレスを地理的に一致させることができない場合に、正当な要求を誤ってブロックしないようにします。", + "text": "Azure Front Door WAF を使用してトラフィックを geo フィルタリングする場合は、不明な (ZZ) 場所を指定します。IP アドレスを地理的に一致できない場合に、正当な要求を誤ってブロックしないようにします。", "waf": "安全" }, { 
@@ -8279,7 +8469,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", "service": "App Gateway", "severity": "高い", - "text": "Azure Application Gateway WAF ボット保護ルール セットを有効にする ボット ルールは、良いボットと悪いボットを検出します。", + "text": "Azure Application Gateway WAF ボット保護ルール セットを有効にします。ボット ルールは、良いボットと悪いボットを検出します。", "waf": "安全" }, { @@ -8290,7 +8480,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", "service": "App Gateway", "severity": "高い", - "text": "Azure Application Gateway WAF ポリシーで有効になっている要求本文検査機能を有効にします。", + "text": "Azure Application Gateway WAF ポリシーで有効になっている要求本文の検査機能を有効にします。", "waf": "安全" }, { @@ -8301,7 +8491,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", "service": "App Gateway", "severity": "高い", - "text": "ワークロードに合わせて Azure Application Gateway WAF を調整します。誤検知を減らします。", + "text": "ワークロードの検出モードで Azure Application Gateway WAF を調整します。誤検出を減らします。", "waf": "安全" }, { @@ -8323,7 +8513,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", "service": "App Gateway", "severity": "中程度", - "text": "Azure Application Gateway WAF にレート制限を追加します。レート制限は、クライアントが短期間に大量のトラフィックを誤ってまたは意図的に送信することをブロックします。", + "text": "Azure Application Gateway WAF にレート制限を追加します。レート制限は、クライアントが誤ってまたは意図的に短時間に大量のトラフィックを送信するのをブロックします。", "waf": "安全" }, { @@ -8333,7 +8523,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", "service": "App Gateway", "severity": "中程度", - "text": "Azure Application Gateway の WAF レート制限には高いしきい値を使用します。高いレート制限しきい値は、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多数の要求に対する保護を提供します。", + "text": "Azure Application Gateway WAF のレート制限には高いしきい値を使用します。レート制限のしきい値を高くすると、正当なトラフィックのブロックを回避しながら、インフラストラクチャを圧倒する可能性のある非常に多くのリクエストに対する保護を提供します。", "waf": "安全" }, { 
@@ -8343,7 +8533,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", "service": "App Gateway", "severity": "低い", - "text": "すべての地域からのトラフィックが想定されていない場合は、地域フィルタを使用して、想定外の国からのトラフィックをブロックします。", + "text": "すべての地理的地域からのトラフィックを想定していない場合は、geo フィルタを使用して、想定外の国からのトラフィックをブロックします。", "waf": "安全" }, { @@ -8353,7 +8543,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", "service": "App Gateway", "severity": "中程度", - "text": "Azure Application Gateway WAF でトラフィックを geo フィルタリングするときに、不明 (ZZ) の場所を指定します。IP アドレスを地理的に一致させることができない場合に、正当な要求を誤ってブロックしないようにします。", + "text": "Azure Application Gateway WAF を使用してトラフィックを geo フィルタリングする場合は、不明な (ZZ) 場所を指定します。IP アドレスを地理的に一致できない場合に、正当な要求を誤ってブロックしないようにします。", "waf": "安全" }, { @@ -8363,7 +8553,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", "service": "App Gateway", "severity": "中程度", - "text": "最新バージョンの Azure Application Gateway WAF ルール セットを使用します。ルール セットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", + "text": "最新の Azure Application Gateway WAF ルール セット バージョンを使用します。ルールセットの更新は、現在の脅威の状況を考慮して定期的に更新されます。", "waf": "安全" }, { @@ -8373,7 +8563,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", "service": "App Gateway", "severity": "中程度", - "text": "診断設定を追加して、Azure Application Gateway の WAF ログを保存します。", + "text": "診断設定を追加して、Azure Application Gateway WAF ログを保存します。", "waf": "オペレーションズ" }, { 
@@ -8413,7 +8603,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", "service": "App Gateway", "severity": "中程度", - "text": "Azure Application Gateway の WAF 構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", + "text": "Azure Application Gateway WAF 構成をコードとして定義します。コードを使用すると、新しいルール セット バージョンをより簡単に採用し、追加の保護を得ることができます。", "waf": "オペレーションズ" }, { @@ -8433,7 +8623,7 @@ "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", "service": "App Gateway", "severity": "中程度", - "text": "バックエンドの受信トラフィックをフィルター処理して、Application Gateway サブネットからの接続 (NSG など) のみを受け入れるようにします。", + "text": "バックエンドの受信トラフィックをフィルター処理して、Application Gateway サブネット (NSG など) からの接続のみを受け入れるようにします。", "waf": "安全" }, { @@ -8443,7 +8633,7 @@ "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", "service": "Front Door", "severity": "中程度", - "text": "配信元が Azure Front Door インスタンスからのトラフィックのみを受け取るようにします。", + "text": "配信元が Azure Front Door インスタンスからのトラフィックのみを受け取ることを確認します。", "waf": "安全" }, { @@ -8453,7 +8643,7 @@ "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", "service": "App Gateway", "severity": "高い", - "text": "バックエンド・サーバーへのトラフィックを暗号化する必要があります。", + "text": "バックエンド サーバーへのトラフィックを暗号化する必要があります。", "waf": "安全" }, { @@ -8473,7 +8663,7 @@ "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", "service": "App Gateway", "severity": "中程度", - "text": "HTTPをHTTPSにリダイレクトする", + "text": "HTTP を HTTPS にリダイレクトする", "waf": "安全" }, { @@ -8483,7 +8673,7 @@ "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", "service": "App Gateway", "severity": "中程度", - "text": "ゲートウェイ管理の Cookie を使用して、ユーザー セッションから同じサーバーにトラフィックを送信して処理する", + "text": "ゲートウェイで管理される Cookie を使用して、ユーザーセッションからのトラフィックを同じサーバーに転送して処理する", "waf": "オペレーションズ" }, { 
@@ -8513,7 +8703,7 @@ "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", "service": "App Gateway", "severity": "中程度", - "text": "HTTPリクエストとレスポンスヘッダーを編集して、クライアントとサーバー間のルーティングと情報交換を容易にします", + "text": "HTTP 要求と応答ヘッダーを編集して、クライアントとサーバー間のルーティングと情報交換を容易にします", "waf": "安全" }, { @@ -8523,7 +8713,7 @@ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", "service": "App Gateway", "severity": "中程度", - "text": "Front Door を構成して、グローバルな Web トラフィック ルーティングとトップレベルのエンド ユーザーのパフォーマンスを最適化し、迅速なグローバル フェールオーバーを通じて信頼性を確保します", + "text": "Front Door を構成して、グローバル Web トラフィックのルーティングと最上位のエンドユーザーのパフォーマンス、および迅速なグローバル フェイルオーバーによる信頼性を最適化する", "waf": "パフォーマンス" }, { @@ -8553,7 +8743,7 @@ "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", "service": "App Gateway", "severity": "中程度", - "text": "SSL証明書管理を一元化して、バックエンドサーバーファームからの暗号化と復号化のオーバーヘッドを削減", + "text": "SSL証明書管理を一元化して、バックエンドサーバーファームからの暗号化と復号化のオーバーヘッドを削減します", "waf": "安全" }, { 
@@ -8563,434 +8753,244 @@ "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", "service": "App Gateway", "severity": "低い", - "text": "Application Gateway を使用して WebSocket と HTTP/2 プロトコルをネイティブにサポートする", + "text": "Application Gateway を使用して WebSocket プロトコルと HTTP/2 プロトコルをネイティブにサポートする", "waf": "安全" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", - "severity": "中程度", - "text": "グローバルレベルでのエラー処理ポリシーの実装", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", - "severity": "中程度", - "text": "すべての API ポリシーに要素が含まれていることを確認します。", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", - "severity": "中程度", - "text": "ポリシーフラグメントを使用して、複数の API で同じポリシー定義を繰り返さないようにする", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", - "severity": "中程度", - "text": "API の収益化を計画している場合は、「収益化のサポート」の記事でおすすめの方法をご確認ください", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", - "severity": "高い", - "text": "診断設定を有効にしてログを Azure Monitor にエクスポートする", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", - "severity": "中程度", - "text": "Application Insights を有効にして、より詳細なテレメトリを実現する", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", - "severity": "高い", - "text": "最も重要なメトリックに関するアラートを構成する", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", - "severity": "高い", - "text": "カスタム SSL 証明書が Azure Key Vault に格納され、安全にアクセスして更新できるようにする", - "waf": "安全" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", - "severity": "高い", - "text": "Azure AD を使用して API (データ プレーン) への受信要求を保護する", - "waf": "安全" - }, - { - 
"arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", - "severity": "中程度", - "text": "Microsoft Entra ID を使用して開発者ポータルでユーザーを認証する", - "waf": "安全" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", - "severity": "中程度", - "text": "適切なグループを作成して、製品の可視性を制御します", - "waf": "安全" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", - "severity": "中程度", - "text": "バックエンド機能を使用して、冗長な API バックエンド構成を排除します", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", - "severity": "中程度", - "text": "名前付き値を使用して、ポリシーで使用できる共通の値を格納します", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", - "severity": "中程度", - "text": "DR の場合は、99.99% の SLA で 2 つ以上のリージョンにスケーリングされたデプロイで Premium レベルを活用します", - "waf": "確実" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": 
"https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", "severity": "中程度", - "text": "少なくとも 1 つのユニットを 2 つ以上の可用性ゾーンにデプロイして、SLA を 99.99% に向上させる", + "text": "Azure Data Factory の FTA 回復性プレイブックの活用", "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "高い", - "text": "自動バックアップ・ルーチンがあることを確認する", + "text": "Availability Zones をサポートするリージョンでゾーン冗長パイプラインを使用するUse zone redundant pipelines in regions that support Availability Zones", "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", "severity": "中程度", - 
"text": "ポリシーを使用して、フェイルオーバー・バックエンドURLとキャッシュを追加し、コールの失敗を減らします。", + "text": "DevOps を使用して Github と Azure DevOps の統合で ARM テンプレートをバックアップする", "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "低い", - "text": "高パフォーマンス レベルでログを記録する必要がある場合は、Event Hubs ポリシーを検討してください", - "waf": "オペレーションズ" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", - "severity": "中程度", - "text": "調整ポリシーを適用して、毎秒の要求数を制御する", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "パフォーマンス" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", - "severity": "中程度", - "text": "負荷が増加したときにインスタンスの数をスケールアウトするように自動スケーリングを構成する", - "waf": "パフォーマンス" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", - "severity": "中程度", - "text": "セルフホステッド ゲートウェイをデプロイする場所は、バックエンド API に近いリージョンが Azure にありません。", - "waf": "パフォーマンス" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": 
"https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "中程度", - "text": "運用環境のワークロードには Premium レベルを使用します。", + "text": "セルフホステッド統合ランタイム VM を別のリージョンにレプリケートしてください", "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "中程度", - "text": "複数リージョン モデルでは、ポリシーを使用して、可用性または待機時間に基づいてリージョン バックエンドに要求をルーティングします。", + "text": "必ず、姉妹リージョンでネットワークをレプリケートまたは複製してください。別のリージョンに VNet のコピーを作成する必要があります", "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", - "severity": "高い", - "text": "APIM の制限に注意する", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "description": "ADF パイプラインで Key Vault が使用されている場合は、Key Vault をレプリケートするために何もする必要はありません。Key Vault はマネージド サービスであり、Microsoft が処理します", + "guid": 
"25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", + "severity": "低い", + "text": "Keyvault 統合を使用している場合は、Keyvault の SLA を使用して可用性を把握します", "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", "severity": "高い", - "text": "セルフホステッド ゲートウェイのデプロイに回復性があることを確認します。", + "text": "Availability Zones (リージョンで適用可能な場合) を活用する (これは自動的に有効になります)", "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", - "severity": "中程度", - "text": "複数リージョンのデプロイに APIM の前で Azure Front Door を使用するUse Azure Front Door in front of APIM for multi-region deployment", - "waf": "パフォーマンス" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", 
"severity": "中程度", - "text": "仮想ネットワーク (VNet) 内にサービスをデプロイするDeploy the service within a Virtual Network (VNet)", - "waf": "安全" + "text": "Microsoft が開始するフェールオーバーに注意してください。これらは、まれに、影響を受けるリージョンから対応する geo ペア リージョンにすべての IoT ハブをフェールオーバーするために Microsoft によって実行されます。", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", - "severity": "中程度", - "text": "ネットワーク セキュリティ グループ (NSG) をサブネットにデプロイして、APIM との間のトラフィックを制限または監視します。", - "waf": "安全" + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", + "severity": "高い", + "text": "重要なワークロードに対するリージョン間 DR 戦略を検討する", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", - "severity": "中程度", - "text": "プライベート エンドポイントをデプロイして、APIM が VNet にデプロイされていない場合に受信トラフィックをフィルター処理します。", - "waf": "安全" + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "severity": "高い", + "text": "手動フェールオーバーをトリガーする方法を学習します。", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": 
"Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", "severity": "高い", - "text": "パブリックネットワークアクセスの無効化", - "waf": "安全" + "text": "フェールオーバー後にフェールバックする方法を学習します。", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", "severity": "中程度", - "text": "PowerShell 自動化スクリプトで管理を簡素化", - "waf": "オペレーションズ" + "text": "Azure Spring Apps では、アプリごとに 2 つのデプロイが許可され、そのうちの 1 つだけが運用トラフィックを受信します。ブルーグリーンデプロイ戦略により、ダウンタイムをゼロにすることができます。ブルー グリーン デプロイは、Standard レベルと Enterprise レベルでのみ使用できます。CI/CD と ADO/GitHub Actions を使用してデプロイを自動化できます", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": 
"fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "severity": "中程度", - "text": "Infrastructure-as-code を使用して APIM を構成します。Cloud Adaption Framework APIM Landing Zone Accelerator から DevOps のベスト プラクティスを確認する", - "waf": "オペレーションズ" + "text": "Azure Spring Apps インスタンスは、アプリケーション用に複数のリージョンに作成でき、トラフィックは Traffic Manager/Front Door によってルーティングできます。", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "severity": "中程度", - "text": "Visual Studio Code APIM 拡張機能の使用を促進して API 開発を迅速化する", - "waf": "オペレーションズ" + "text": "サポートされているリージョンでは、Azure Spring Apps をゾーン冗長としてデプロイできるため、インスタンスは可用性ゾーン間で自動的に分散されます。この機能は、Standard レベルと Enterprise レベルでのみ使用できます。", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", "severity": "中程度", - "text": "DevOpsとCI/CDをワークフローに実装する", - "waf": "オペレーションズ" + "text": "アプリに複数のアプリ インスタンスを使用する", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": 
"Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "severity": "中程度", - "text": "クライアント証明書認証を使用した API の保護", - "waf": "安全" + "text": "Azure Spring Apps をログ、メトリック、トレースで監視します。ASA を Application Insights と統合し、障害を追跡し、ブックを作成します。", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "severity": "中程度", - "text": "クライアント証明書認証を使用したバックエンド サービスのセキュリティ保護", - "waf": "安全" + "text": "Spring Cloud Gateway で自動スケーリングを設定する", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", - "severity": "中程度", - "text": "「OWASP API Security Top 10 の脅威を軽減するための推奨事項」の記事を確認し、API に適用できるものを確認します", - "waf": "安全" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + 
"severity": "低い", + "text": "Standard 従量課金プランと専用プランのアプリの自動スケーリングを有効にします。", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", "severity": "中程度", - "text": "承認機能を使用して、バックエンド API の OAuth 2.0 トークンの管理を簡素化します", - "waf": "安全" + "text": "ミッション クリティカルなアプリの Spring Boot の商用サポートには、Enterprise プランを使用します。他のレベルでは、OSS のサポートを受けることができます。", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", "severity": "高い", - "text": "転送中の情報を暗号化する場合は、最新のTLSバージョンを使用します。可能であれば、古くて不要なプロトコルと暗号を無効にします。", - "waf": "安全" + "text": "Azure Cache for Redis のゾーン冗長を有効にします。Azure Cache for Redis では、Premium レベルと Enterprise レベルでゾーン冗長構成がサポートされています。ゾーン冗長キャッシュでは、同じリージョン内の異なる Azure Availability Zones にノードを配置できます。これにより、データセンターや AZ の停止が単一障害点として排除され、キャッシュの全体的な可用性が向上します。", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", - "severity": "高い", - "text": "シークレット (名前付き値) が Azure Key Vault に格納され、安全にアクセスして更新できるようにする", - "waf": "安全" + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", + "severity": "中程度", + "text": "Azure Cache for Redis インスタンスのデータ永続化を構成します。キャッシュ データはメモリに格納されるため、まれに複数のノードで計画外の障害が発生すると、すべてのデータがドロップされる可能性があります。データの完全な損失を回避するために、Redis 永続化では、メモリ内データのスナップショットを定期的に取得し、ストレージ アカウントに格納できます。", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", "severity": "中程度", - "text": "可能な限りマネージド ID を使用して、他の Azure リソースに対する認証を行う", - "waf": "安全" + "text": "geo 冗長ストレージ アカウントを使用して Azure Cache for Redis データを保持するか、geo 冗長性を使用できない場合はゾーン冗長を使用します", + "waf": "確実" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", - "severity": "高い", - "text": "Web アプリケーション ファイアウォール (WAF) を使用するには、APIM の前に Application Gateway をデプロイします", - "waf": "安全" + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", + "severity": "中程度", + "text": "Premium Azure Cache for Redis インスタンスのパッシブ geo レプリケーションを構成します。geo レプリケーションは、2 つ以上の Azure Cache for Redis インスタンス (通常は 2 つの Azure リージョンにまたがる) をリンクするためのメカニズムです。geo レプリケーションは、主にリージョン間のディザスター リカバリー用に設計されています。2 つの Premium レベルのキャッシュ インスタンスは、プライマリ キャッシュへの読み取りと書き込みを提供する方法で geo レプリケーションを介して接続され、そのデータはセカンダリ キャッシュにレプリケートされます。", + "waf": "確実" } ], "metadata": { "name": "WAF checklist", - "timestamp": "August 05, 2024" + "timestamp": "August 08, 2024" }, "severities": [ { diff --git a/checklists/waf_checklist.ko.json b/checklists/waf_checklist.ko.json index c6bc5a06d..83be3434f 100644 --- a/checklists/waf_checklist.ko.json +++ b/checklists/waf_checklist.ko.json 
@@ -1,3941 +1,3867 @@ { "items": [ { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "severity": "보통", - "text": "전역 수준에서 오류 처리 정책 구현", + "text": "다중 테넌트에 대한 명확한 규정 또는 비즈니스 요구 사항이 없는 한 Azure 리소스를 관리하기 위해 하나의 Entra 테넌트를 사용합니다.", "waf": "작업" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", - "severity": "보통", - "text": "모든 API 정책에 요소가 포함되어 있는지 확인합니다.", + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "낮다", + "text": "다중 테넌트 자동화 접근 방식을 사용하여 Microsoft Entra ID 테넌트를 관리합니다.", "waf": "작업" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", - "severity": "보통", - "text": "정책 조각을 사용하여 여러 API에서 동일한 정책 정의를 반복하지 않도록 합니다.", + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + 
"service": "Entra", + "severity": "높다", + "text": "동일한 ID로 다중 테넌트 관리에 Azure Lighthouse를 사용합니다.", + "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", "waf": "작업" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", - "severity": "보통", - "text": "API로 수익을 창출할 계획이라면 '수익 창출 지원' 도움말에서 권장사항을 확인하세요", - "waf": "작업" + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", + "severity": "높다", + "text": "파트너에게 테넌트를 관리할 수 있는 액세스 권한을 부여하는 경우 Azure Lighthouse를 사용합니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", "severity": "높다", - "text": "진단 설정을 사용하도록 설정하여 로그를 Azure Monitor로 내보내기", - "waf": "작업" + "text": "클라우드 운영 모델에 맞는 RBAC 모델을 적용합니다. 
Scope and Assign across Management Groups and Subscriptions.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", - "severity": "보통", - "text": "더 자세한 원격 분석을 위해 Application Insights 사용", - "waf": "작업" + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", + "severity": "높다", + "text": "모든 계정 유형에 대해 회사 또는 학교 계정 인증 유형만 사용합니다. Microsoft 계정을 사용하지 마십시오.", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", - "severity": "높다", - "text": "가장 중요한 메트릭에 대한 경고 구성", - "waf": "작업" + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", + "severity": "보통", + "text": "그룹만 사용하여 사용 권한을 할당합니다. 
그룹 관리 시스템이 이미 있는 경우 Entra ID 전용 그룹에 온-프레미스 그룹을 추가합니다.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "severity": "높다", - "text": "사용자 지정 SSL 인증서가 안전하게 액세스하고 업데이트할 수 있도록 Azure Key Vault에 저장되어 있는지 확인합니다", + "text": "Azure 환경에 대한 권한이 있는 모든 사용자에 대해 Microsoft Entra ID 조건부 액세스 정책을 적용합니다.", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", "severity": "높다", - "text": "Azure AD를 사용하여 API(데이터 평면)에 들어오는 요청 보호", + "text": "Azure 환경에 대한 권한이 있는 모든 사용자에 대해 Multi-Factor Authentication을 적용합니다.", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "안전" }, { - "arm-service": 
"Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "severity": "보통", - "text": "Microsoft Entra ID를 사용하여 개발자 포털에서 사용자 인증", + "text": "Microsoft Entra ID PIM(Privileged Identity Management)을 적용하여 제로 스탠딩 액세스 및 최소 권한을 설정합니다.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview", + "service": "Entra", "severity": "보통", - "text": "제품의 가시성을 제어하기 위해 적절한 그룹을 만듭니다", + "text": "Active Directory Domain Services에서 Entra Domain Services로 전환하려는 경우 모든 워크로드의 호환성을 평가합니다.", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "보통", - 
"text": "백엔드 기능을 사용하여 중복 API 백엔드 구성 제거", - "waf": "작업" + "text": "Microsoft Entra ID 로그를 플랫폼 중앙 Azure Monitor와 통합합니다. Azure Monitor는 Azure의 로그 및 모니터링 데이터에 대한 단일 정보 소스를 허용하여 조직에 로그 수집 및 보존에 대한 요구 사항을 충족하는 클라우드 네이티브 옵션을 제공합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", + "severity": "높다", + "text": "응급 액세스 또는 비상 계정을 구현하여 테넌트 전체 계정 잠금을 방지합니다.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "안전" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", "severity": "보통", - "text": "명명된 값을 사용하여 정책에서 사용할 수 있는 공통 값 저장", - "waf": "작업" + "text": "특별히 필요한 시나리오가 없는 한 Microsoft Entra ID 역할 할당에 온-프레미스 동기화 계정을 사용하지 마세요.", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", "severity": "보통", - "text": "DR의 경우 99.99% SLA를 위해 둘 이상의 지역에 걸쳐 확장된 배포와 함께 프리미엄 계층을 
활용합니다", - "waf": "신뢰도" + "text": "Microsoft Entra ID 애플리케이션 프록시를 사용하여 원격 사용자에게 애플리케이션에 대한 액세스 권한을 부여하는 경우 테넌트당 하나의 인스턴스만 가질 수 있으므로 플랫폼 리소스로 관리합니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "severity": "보통", - "text": "99.99%의 SLA 증가를 위해 둘 이상의 가용성 영역에 하나 이상의 단위를 배포합니다.", - "waf": "신뢰도" + "text": "최대한의 유연성이 필요한 네트워크 시나리오에는 허브 및 스포크(hub-and-spoke) 네트워크 토폴로지를 사용합니다.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", "severity": "높다", - "text": "자동화된 백업 루틴이 있는지 확인", - "waf": "신뢰도" + "text": "ExpressRoute 게이트웨이, VPN 게이트웨이 및 Azure Firewall 또는 파트너 NVA를 포함한 공유 네트워킹 서비스를 중앙 허브 가상 네트워크에 배포합니다. 
필요한 경우 DNS 서비스도 배포합니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", + "severity": "높다", + "text": "애플리케이션 랜딩 존의 모든 공용 IP 주소에 대해 DDoS 네트워크 또는 IP 보호 계획을 사용합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "보통", - "text": "정책을 사용하여 장애 조치 백엔드 URL 및 캐싱을 추가하여 실패한 호출을 줄입니다.", + "text": "파트너 네트워킹 기술 또는 NVA를 배포할 때 파트너 공급업체의 지침을 따릅니다.", "waf": "신뢰도" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", "severity": "낮다", - "text": "고성능 수준에서 기록해야 하는 경우 Event Hubs 정책을 고려합니다", - "waf": "작업" + "text": "허브 및 스포크 시나리오에서 ExpressRoute와 VPN 게이트웨이 간의 전송이 필요한 경우 Azure Route Server를 사용합니다.", + "waf": "안전" }, { - "arm-service": 
"Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", - "severity": "보통", - "text": "제한 정책을 적용하여 초당 요청 수 제어Apply throttling policies to control the number of requests per second", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", - "waf": "공연" + "arm-service": "Microsoft.Network/virtualHubs", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "낮다", + "text": "Route Server를 사용하는 경우 Route Server 서브넷에 /27 접두사를 사용합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", "severity": "보통", - "text": "부하가 증가할 때 인스턴스 수를 확장하도록 자동 크기 조정 구성Configure autoscaling to scale out the number of instances when the 
load increases", + "text": "Azure 지역 간에 여러 허브 및 스포크 토폴로지가 있는 네트워크 아키텍처의 경우 허브 VNet 간의 글로벌 가상 네트워크 피어링을 사용하여 지역을 서로 연결합니다.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", "waf": "공연" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", "severity": "보통", - "text": "Azure에 백 엔드 API에 가까운 지역이 없는 자체 호스팅 게이트웨이를 배포합니다.", - "waf": "공연" + "text": "네트워크용 Azure Monitor를 사용하여 Azure에서 네트워크의 엔드투엔드 상태를 모니터링합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "작업" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "보통", - "text": "프로덕션 워크로드에 프리미엄 계층을 사용합니다.", + 
"text": "한 지역에 400개 이상의 스포크 네트워크가 있는 경우 VNet 피어링 제한(500) 및 ExpressRoute를 통해 보급할 수 있는 최대 접두사 수(1000)를 우회하기 위해 추가 허브를 배포합니다.", "waf": "신뢰도" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "보통", - "text": "다중 리전 모델에서는 Policies를 사용하여 가용성 또는 지연 시간에 따라 리전 백엔드로 요청을 라우팅합니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", - "severity": "높다", - "text": "APIM의 제한에 유의해야 합니다.", + "text": "경로 테이블당 경로 수를 400개로 제한합니다.", "waf": "신뢰도" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 
'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", "severity": "높다", - "text": "자체 호스팅 게이트웨이 배포가 복원력이 있는지 확인합니다.", + "text": "VNet 피어링을 구성할 때 '원격 가상 네트워크에 대한 트래픽 허용' 설정을 사용합니다.", "waf": "신뢰도" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", "severity": "보통", - "text": "다중 지역 배포를 위해 APIM 앞에서 Azure Front Door 사용Use Azure Front Door in front of APIM for multi-region deployment", - "waf": "공연" + "text": "ExpressRoute Direct를 사용하는 경우 조직의 라우터와 MSEE 간의 계층 2 레벨에서 트래픽을 암호화하도록 MACsec을 구성합니다. 
다이어그램은 흐름에서 이 암호화를 보여 줍니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", + "service": "ExpressRoute", "severity": "보통", - "text": "VNet(Virtual Network) 내에 서비스 배포Deploy the service within a Virtual Network (VNet)", + "text": "MACsec을 사용할 수 없는 시나리오(예: ExpressRoute Direct를 사용하지 않음)의 경우 VPN 게이트웨이를 사용하여 ExpressRoute 개인 피어링을 통해 IPsec 터널을 설정합니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", - "severity": "보통", - "text": "서브넷에 NSG(네트워크 보안 그룹)를 배포하여 APIM에서 들어오고 나가는 트래픽을 제한하거나 모니터링합니다.", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", + "severity": "높다", + "text": "Azure 지역 및 온-프레미스 위치에서 겹치는 IP 주소 공간이 사용되지 않는지 확인합니다.", + "training": 
"https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "severity": "보통", - "text": "프라이빗 엔드포인트를 배포하여 APIM이 VNet에 배포되지 않은 경우 들어오는 트래픽을 필터링합니다.", + "text": "개인 인터넷(RFC 1918)에 대한 주소 할당 범위의 IP 주소를 사용합니다.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + 
"graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "severity": "높다", - "text": "공용 네트워크 액세스 사용 안 함", - "waf": "안전" + "text": "IP 주소 공간이 낭비되지 않는지 확인하고 불필요하게 큰 가상 네트워크(예: /16)를 만들지 마세요.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "공연" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", - "severity": "보통", - "text": "PowerShell 자동화 스크립트로 관리 간소화", - "waf": "작업" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", + "severity": "높다", + "text": "프로덕션 및 재해 복구 사이트에 대해 겹치는 IP 주소 범위를 사용하지 마세요.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - 
"service": "APIM", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", + "service": "DNS", "severity": "보통", - "text": "Infrastructure-as-code를 통해 APIM을 구성합니다. Cloud Adaption Framework APIM 랜딩 존 가속기에서 DevOps 모범 사례 검토", + "text": "Azure의 이름 확인만 필요한 환경의 경우 이름 확인을 위해 위임된 영역(예: 'azure.contoso.com')을 사용하여 확인을 위해 Azure 프라이빗 DNS를 사용합니다.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "작업" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", "severity": "보통", - "text": "더 빠른 API 개발을 위해 Visual Studio Code APIM 확장 사용 촉진", + "text": "Azure 및 온-프레미스에서 이름 확인이 필요하고 Active Directory와 같은 기존 엔터프라이즈 DNS 서비스가 없는 환경의 경우 Azure DNS Private Resolver를 사용하여 DNS 요청을 Azure 또는 온-프레미스 DNS 서버로 라우팅합니다.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", + "severity": "낮다", + "text": "자체 DNS(예: Red Hat OpenShift)가 필요하고 배포하는 특수 워크로드는 선호하는 DNS 솔루션을 사용해야 합니다.", "waf": "작업" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": 
"354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", - "severity": "보통", - "text": "워크플로에서 DevOps 및 CI/CD 구현", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", + "severity": "높다", + "text": "Azure DNS에 대한 자동 등록을 사용하도록 설정하여 가상 네트워크 내에 배포된 가상 머신에 대한 DNS 레코드의 수명 주기를 자동으로 관리합니다.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "작업" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", "severity": "보통", - "text": "클라이언트 인증서 인증을 사용하여 API 보안", + "text": "Azure Bastion을 사용하여 네트워크에 안전하게 연결합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 
'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", "severity": "보통", - "text": "클라이언트 인증서 인증을 사용한 보안 백엔드 서비스", + "text": "서브넷 /26 이상에서 Azure Bastion을 사용합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", "severity": "보통", - "text": "'OWASP API 보안 상위 10개 위협을 완화하기 위한 권장 사항' 문서를 검토하고 API에 적용할 수 있는 항목을 확인합니다.", + "text": "Azure Front Door 및 WAF 정책을 사용하여 랜딩 존에 대한 인바운드 HTTP/S 연결을 위해 Azure 지역 전체에서 전역 보호를 제공합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", - "severity": "보통", - "text": "권한 부여 기능을 사용하여 백엔드 API에 대한 OAuth 2.0 토큰 관리 간소화", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "낮다", + "text": "Azure Front Door 및 Azure Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Azure Front Door에서 WAF 정책을 사용합니다. 
Azure Front Door에서만 트래픽을 수신하도록 Azure Application Gateway를 잠급니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", "severity": "높다", - "text": "전송 중인 정보를 암호화할 때 최신 TLS 버전을 사용합니다. 가능한 경우 오래되고 불필요한 프로토콜과 암호를 사용하지 않도록 설정합니다.", + "text": "인바운드 HTTP/S 연결에 WAF 및 기타 역방향 프록시가 필요한 경우 랜딩 존 가상 네트워크 내에 배포하고 보호하고 인터넷에 노출하는 앱과 함께 배포합니다.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", "severity": "높다", - "text": "비밀(명명된 값)이 안전하게 액세스하고 업데이트할 수 있도록 Azure Key Vault에 저장되었는지 확인합니다.", + "text": "Azure DDoS 네트워크 또는 IP 보호 플랜을 사용하여 가상 네트워크 내의 공용 IP 주소 엔드포인트를 보호할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", 
"waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", - "severity": "보통", - "text": "가능할 때마다 관리 ID를 사용하여 다른 Azure 리소스에 인증", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "severity": "높다", + "text": "예정된 호환성이 손상되는 변경 전에 네트워크 아웃바운드 트래픽 구성 및 전략을 관리하는 방법을 계획합니다. 2025년 9월 30일에 새 배포에 대한 기본 아웃바운드 액세스가 사용 중지되고 명시적 액세스 구성만 허용됩니다.", + "waf": "신뢰도" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "높다", + "text": "보호된 모든 공용 IP 주소(DDoS IP 또는 네트워크 보호)에 대한 DDoS 관련 로그를 저장하는 진단 설정을 추가합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": 
"https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Policy", "severity": "높다", - "text": "APIM 앞에 Application Gateway를 배포하여 WAF(웹 애플리케이션 방화벽) 사용Use Web Application Firewall (WAF) by deploying Application Gateway in of APIM", + "text": "Virtual Machines에 직접 연결된 공용 IP 주소를 거부하는 정책 할당이 있는지 확인합니다. 특정 VM에서 공용 IP가 필요한 경우 제외를 사용합니다.", "waf": "안전" }, { - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "보통", - "text": "장기 취소 가능 토큰을 사용하고, 토큰을 캐시하고, Microsoft ID 라이브러리를 사용하여 자동으로 획득합니다.", - "waf": "신뢰도" + "text": "ExpressRoute를 Azure에 대한 기본 연결로 사용합니다. VPN을 백업 연결의 소스로 사용합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "공연" }, { - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "description": "AS-path 접두사 및 연결 가중치를 사용하여 Azure에서 온-프레미스로의 트래픽에 영향을 주고, 자체 라우터의 전체 BGP 특성 범위를 사용하여 온-프레미스에서 Azure로의 트래픽에 영향을 줄 수 있습니다.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "severity": "보통", - "text": "로그인 사용자 흐름이 백업되고 복원력이 있는지 확인합니다. 사용자를 로그인하는 데 사용하는 코드가 백업되고 복구 가능한지 확인합니다. 
외부 프로세스와의 복원력 있는 인터페이스", + "text": "여러 ExpressRoute 회로 또는 여러 온-프레미스 위치를 사용하는 경우 BGP 특성을 사용하여 라우팅을 최적화합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "신뢰도" }, { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", + "service": "ExpressRoute", "severity": "보통", - "text": "사용자 지정 브랜드 자산은 CDN에서 호스팅되어야 합니다.", + "text": "대역폭 및 성능 요구 사항에 따라 ExpressRoute/VPN 게이트웨이에 적합한 SKU를 선택합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "공연" }, { - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "severity": "낮다", - "text": "여러 ID 공급자가 있어야 합니다(예: Microsoft, Google, Facebook 계정으로 로그인).", - "waf": "신뢰도" - }, - { - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "보통", - 
"text": "VM 수준에서 고가용성을 위한 VM 규칙(프리미엄 디스크, 서로 다른 가용성 영역에 있는 지역에 두 개 이상)을 따릅니다.", - "waf": "신뢰도" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", + "severity": "높다", + "text": "비용을 정당화하는 대역폭에 도달하는 경우에만 무제한 데이터 ExpressRoute 회로를 사용해야 합니다.", + "waf": "비용" }, { - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "보통", - "text": "복제하지 마세요! 복제로 인해 디렉터리 동기화에 문제가 발생할 수 있습니다", - "waf": "신뢰도" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", + "severity": "높다", + "text": "회로 피어링 위치가 로컬 SKU에 대한 Azure 지역을 지원하는 경우 ExpressRoute의 로컬 SKU를 활용하여 회로 비용을 줄입니다.", + "waf": "비용" }, { - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": 
"https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", "severity": "보통", - "text": "다중 지역에 대해 활성-활성 상태 보유", + "text": "지원되는 Azure 지역에 영역 중복 ExpressRoute 게이트웨이를 배포합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "신뢰도" }, { - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "보통", - "text": "추가 지역 및 위치에 Azure AD 도메인 서비스 스탬프 추가Add Azure AD Domain service stamps to additional regions and locations", - "waf": "신뢰도" + "text": "10Gbps보다 높은 대역폭 또는 전용 10/100Gbps 포트가 필요한 시나리오의 경우 ExpressRoute Direct를 사용합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "공연" }, { - "checklist": "Identity Review Checklist", - "guid": 
"f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", "severity": "보통", - "text": "DR에 복제본 세트 사용", - "waf": "신뢰도" + "text": "짧은 대기 시간이 필요하거나 온-프레미스에서 Azure로의 처리량이 10Gbps보다 커야 하는 경우 FastPath를 사용하도록 설정하여 데이터 경로에서 ExpressRoute 게이트웨이를 우회합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "공연" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", "severity": "보통", - "text": "Azure Bot Service의 안정성 지원 권장 사항을 따릅니다", + "text": "영역 중복 VPN 게이트웨이를 사용하여 분기 또는 원격 위치를 Azure(사용 가능한 경우)에 연결합니다.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", "waf": "신뢰도" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", + "arm-service": 
"microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", "severity": "보통", - "text": "로컬 데이터 레지던시 및 지역 규정 준수를 통해 봇 배포Deploying bots with local data residency and regional compliance", + "text": "온-프레미스에서 중복 VPN 어플라이언스(활성/활성 또는 활성/수동)를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", "waf": "신뢰도" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", + "severity": "높다", + "text": "ExpressRoute Direct를 사용하는 경우 비용을 절감하기 위해 로컬 Azure 지역에 대한 ExpressRoute 로컬 회로를 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "비용" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", "severity": "보통", - "text": "Azure Bot Service는 글로벌 및 지역 서비스 모두에 대해 활성-활성 모드로 실행됩니다. 중단이 발생하면 오류를 감지하거나 서비스를 관리할 필요가 없습니다. Azure Bot Service는 다중 지역 지리적 아키텍처에서 자동 장애 조치(failover) 및 자동 복구를 자동으로 수행합니다. EU 봇 지역 서비스의 경우 Azure Bot Service는 중복성을 보장하기 위해 활성/활성 복제가 있는 유럽 내 두 개의 전체 지역을 제공합니다. 
글로벌 봇 서비스의 경우 사용 가능한 모든 지역/지역을 글로벌 공간으로 제공할 수 있습니다.", - "waf": "신뢰도" + "text": "트래픽 격리 또는 전용 대역폭이 필요한 경우(예: 프로덕션 환경과 비프로덕션 환경 분리) 다른 ExpressRoute 회로를 사용합니다. 이는 격리된 라우팅 도메인을 보장하고 시끄러운 이웃 위험을 완화하는 데 도움이 됩니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", - "severity": "낮다", - "text": "모범 사례는 기준 고가용성 영역 중복 웹 애플리케이션 아키텍처를 참조하세요.", - "waf": "신뢰도" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", + "severity": "보통", + "text": "기본 제공 Express Route Insights를 사용하여 ExpressRoute 가용성 및 사용률을 모니터링합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "작업" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", "severity": "보통", - "text": "프리미엄 및 표준 계층을 사용합니다. 
이러한 계층은 스테이징 슬롯 및 자동 백업을 지원합니다.", - "waf": "신뢰도" + "text": "네트워크 전반, 특히 온-프레미스와 Azure 간의 연결을 모니터링하려면 연결 모니터를 사용합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "작업" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", - "severity": "높다", - "text": "지역적으로 적용 가능한 경우 가용성 영역 활용(프리미엄 v2 또는 v3 계층 필요)", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", + "severity": "보통", + "text": "중복성을 위해 서로 다른 피어링 위치의 ExpressRoute 회로를 사용합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "신뢰도" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure 
Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "severity": "보통", - "text": "상태 확인 구현", + "text": "단일 ExpressRoute 회로만 사용하는 경우 사이트 간 VPN을 ExpressRoute의 장애 조치(failover)로 사용합니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "severity": "높다", - "text": "Azure App Service에 대한 백업 및 복원 모범 사례를 참조하세요.", + "text": "GatewaySubnet에서 경로 테이블을 사용하는 경우 게이트웨이 경로가 전파되었는지 확인합니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", + "arm-service": 
"microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", "severity": "높다", - "text": "Azure App Service 안정성 모범 사례 구현", + "text": "ExpressRoute를 사용하는 경우 온-프레미스 라우팅은 동적이어야 하며, 연결 오류가 발생할 경우 회로의 나머지 연결로 수렴해야 합니다. 로드는 두 연결 모두에서 이상적으로는 액티브/액티브로 공유해야 하지만 액티브/패시브도 지원됩니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "severity": "낮다", - "text": "App Service 앱을 다른 지역으로 이동하는 방법을 숙지합니다. 재해가 발생하는 동안", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", + "severity": "보통", + "text": "ExpressRoute 회로의 두 물리적 링크가 네트워크에 있는 두 개의 고유한 에지 디바이스에 연결되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "신뢰도" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", - "severity": "높다", - "text": "Azure App Service의 안정성 지원 숙지", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", + "severity": "보통", + 
"text": "BFD(Bidirectional Forwarding Detection)가 고객 또는 프로바이더 에지 라우팅 디바이스에서 활성화되고 구성되도록 보장합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "신뢰도" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", - "severity": "보통", - "text": "App Service 계획에서 실행되는 Function Apps에 대해 \"Always On\"이 사용하도록 설정되어 있는지 확인합니다.", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", + "severity": "높다", + "text": "복원력을 높이기 위해 ExpressRoute 게이트웨이를 서로 다른 피어링 위치에서 둘 이상의 회로에 연결합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "신뢰도" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "severity": "보통", - "text": "상태 검사를 사용하여 App Service 인스턴스 모니터링Monitor App Service instances using Health checks", - "waf": "신뢰도" + "text": "ExpressRoute 가상 네트워크 게이트웨이에 대한 진단 로그 및 경고를 구성합니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "작업" }, { - "arm-service": "microsoft.web/sites", 
- "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", "severity": "보통", - "text": "Application Insights 가용성 테스트를 사용하여 웹앱 또는 웹 사이트의 가용성 및 응답성 모니터링", - "waf": "신뢰도" + "text": "VNet 간 통신에 ExpressRoute 회로를 사용하지 마세요.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", "severity": "낮다", - "text": "Application Insights 표준 테스트를 사용하여 웹앱 또는 웹 사이트의 가용성 및 응답성 모니터링", - "waf": "신뢰도" + "text": "검사를 위해 Azure 트래픽을 하이브리드 위치로 보내지 마세요. 대신 'Azure의 트래픽이 Azure에 유지됨' 원칙을 따라 Azure의 리소스 간 통신이 Microsoft 백본 네트워크를 통해 발생하도록 합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure Key Vault를 사용하여 애플리케이션에 필요한 모든 비밀을 저장합니다. 
Key Vault는 비밀을 저장하기 위한 안전하고 감사된 환경을 제공하며 Key Vault SDK 또는 App Service Key Vault 참조를 통해 App Service와 잘 통합됩니다.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Firewall", "severity": "높다", - "text": "Key Vault를 사용하여 비밀 저장", + "text": "Azure Firewall을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, HTTP/S가 아닌 인바운드 연결 및 East/West 트래픽 필터링(조직에 필요한 경우)을 제어합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "관리 ID를 사용하여 Key Vault SDK를 사용하거나 App Service Key Vault 참조를 통해 Key Vault에 연결합니다.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "높다", - "text": "관리 ID를 사용하여 Key Vault에 연결", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "service": "Firewall", + "severity": "보통", + "text": "글로벌 Azure Firewall 정책을 만들어 글로벌 네트워크 환경에서 보안 태세를 제어하고 모든 Azure Firewall 인스턴스에 할당합니다. 
Azure 역할 기반 액세스 제어를 통해 증분 방화벽 정책을 로컬 보안 팀에 위임하여 특정 지역의 요구 사항을 충족하는 세분화된 정책을 허용합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service TLS 인증서를 Key Vault에 저장합니다.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "낮다", + "text": "조직에서 아웃바운드 연결을 보호하기 위해 이러한 솔루션을 사용하려는 경우 Firewall Manager 내에서 지원되는 파트너 SaaS 보안 공급자를 구성합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", "severity": "높다", - "text": "Key Vault를 사용하여 TLS 인증서를 저장합니다.", + "text": "응용 프로그램 규칙을 사용하여 지원되는 프로토콜에 대한 대상 호스트 이름에서 아웃바운드 트래픽을 필터링합니다. FQDN 기반 네트워크 규칙 및 DNS 프록시와 함께 Azure Firewall을 사용하여 다른 프로토콜을 통해 인터넷으로의 송신 트래픽을 필터링합니다.", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "중요한 정보를 처리하는 시스템은 격리해야 합니다. 
이렇게 하려면 별도의 App Service 계획 또는 App Service Environment를 사용하고 다른 구독 또는 관리 그룹을 사용하는 것이 좋습니다.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", - "severity": "보통", - "text": "민감한 정보를 처리하는 시스템 격리", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "높다", + "text": "Azure Firewall 프리미엄을 사용하여 추가 보안 기능을 사용하도록 설정합니다.", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service의 로컬 디스크는 암호화되지 않으며 중요한 데이터를 저장해서는 안 됩니다. (예: D:\\\\Local and %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", - "severity": "보통", - "text": "로컬 디스크에 중요한 데이터를 저장하지 마십시오.", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", + "service": "Firewall", + "severity": "높다", + "text": "추가 보호를 위해 Azure Firewall 위협 인텔리전스 모드를 경고 및 거부로 구성합니다.", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "인증된 웹 애플리케이션의 경우 Azure AD 또는 Azure AD B2C와 같이 잘 설정된 ID 공급자를 사용합니다. 
선택한 애플리케이션 프레임워크를 활용하여 이 공급자와 통합하거나 App Service 인증/권한 부여 기능을 사용합니다.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", - "severity": "보통", - "text": "인증에 설정된 ID 공급자 사용", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", + "severity": "높다", + "text": "추가 보호를 위해 Azure Firewall IDPS 모드를 거부로 구성합니다.", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "잘 관리되고 안전한 DevOps 배포 파이프라인과 같이 제어되고 신뢰할 수 있는 환경에서 App Service에 코드를 배포합니다. 이렇게 하면 버전이 제어되지 않고 악성 호스트에서 배포되는 것으로 확인되지 않은 코드를 방지할 수 있습니다.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') 
| mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", "severity": "높다", - "text": "신뢰할 수 있는 환경에서 배포", + "text": "Virtual WAN에 연결되지 않은 VNet의 서브넷의 경우 인터넷 트래픽이 Azure Firewall 또는 네트워크 가상 어플라이언스로 리디렉션되도록 경로 테이블을 연결합니다.", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "FTP/FTPS 및 WebDeploy/SCM 모두에 대한 기본 인증을 사용 안함으로 설정합니다. 이렇게 하면 이러한 서비스에 대한 액세스가 비활성화되고 배포에 Azure AD 보안 엔드포인트가 사용됩니다. SCM 사이트는 Azure AD 자격 증명을 사용하여 열 수도 있습니다.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", - "severity": "높다", - "text": "기본 인증 사용 안 함", - "waf": "안전" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", + "severity": "보통", + "text": "모든 Azure Firewall 배포에 대해 리소스별 대상 테이블을 사용하여 로그를 저장하는 진단 설정을 추가합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "작업" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "가능한 경우 관리 ID를 사용하여 Azure AD 보안 리소스에 연결합니다. 
이렇게 할 수 없는 경우 Key Vault에 비밀을 저장하고 대신 관리 ID를 사용하여 Key Vault에 연결합니다.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", - "severity": "높다", - "text": "관리 ID를 사용하여 리소스에 연결", - "waf": "안전" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", + "severity": "중요하다", + "text": "Azure Firewall 클래식 규칙(있는 경우)에서 방화벽 정책으로 마이그레이션합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "작업" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure Container Registry에 저장된 이미지를 사용하는 경우 관리 ID를 사용하여 끌어옵니다.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", "severity": "높다", - "text": "관리 ID를 사용하여 컨테이너 끌어오기", + "text": "Azure Firewall 서브넷에 /26 접두사를 사용합니다.", "waf": "안전" }, { - "arm-service": 
"microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service의 진단 설정을 구성하면 모든 원격 분석을 로깅 및 모니터링의 중앙 대상으로 Log Analytics에 보낼 수 있습니다. 이를 통해 HTTP 로그, 애플리케이션 로그, 플랫폼 로그 등과 같은 App Service의 런타임 활동을 모니터링할 수 있습니다.", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", "severity": "보통", - "text": "Log Analytics에 App Service 런타임 로그 보내기Send App Service runtime logs to Log Analytics", - "waf": "안전" + "text": "방화벽 정책 내의 규칙을 Rule Collection Groups(규칙 컬렉션 그룹) 및 Rule Collections(규칙 컬렉션)로 정렬하고 사용 빈도에 따라 정렬합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "활동 로그를 Log Analytics에 로깅 및 모니터링의 중앙 대상으로 보내도록 진단 설정을 지정합니다. 이렇게 하면 App Service 리소스 자체에서 컨트롤 플레인 작업을 모니터링할 수 있습니다.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", "severity": "보통", - "text": "Log Analytics에 App Service 활동 로그 보내기Send App Service activity logs to Log Analytics", - "waf": "안전" + "text": "IP 그룹 또는 IP 접두사를 사용하여 IP 테이블 규칙의 수를 줄입니다.", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "지역 VNet 통합, 네트워크 보안 그룹 및 UDR의 조합을 사용하여 아웃바운드 네트워크 액세스를 제어합니다. 트래픽은 Azure Firewall과 같은 NVA로 라우팅되어야 합니다. 
방화벽의 로그를 모니터링해야 합니다.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", "severity": "보통", - "text": "아웃바운드 네트워크 액세스를 제어해야 함", - "waf": "안전" + "text": "와일드카드를 DNAT의 소스 IP로 사용하지 마십시오(예: * 또는 any). 들어오는 DNAT에 대한 소스 IP를 지정해야 합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "VNet 통합을 사용하고 VNet NAT Gateway 또는 NVA와 같은 Azure Firewall을 사용하여 안정적인 아웃바운드 IP를 제공할 수 있습니다. 이렇게 하면 필요한 경우 수신 당사자가 IP를 기반으로 허용 목록을 만들 수 있습니다. Azure 서비스에 대한 통신의 경우 IP 주소에 의존할 필요가 없는 경우가 많으며 서비스 엔드포인트와 같은 메커니즘을 대신 사용해야 합니다. (또한 수신 끝에서 프라이빗 엔드포인트를 사용하면 SNAT가 발생하지 않고 안정적인 아웃바운드 IP 범위를 제공합니다.)", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "낮다", - "text": "인터넷 주소에 대한 아웃바운드 통신을 위한 안정적인 IP 보장", - "waf": "안전" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", + "service": "Firewall", + "severity": "보통", + "text": "SNAT 포트 사용량을 모니터링하고, NAT 게이트웨이 설정을 평가하고, 원활한 장애 조치(failover)를 보장하여 SNAT 포트 고갈을 방지합니다. 포트 수가 제한에 가까워지면 SNAT 고갈이 임박했을 수 있다는 신호입니다.", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service 액세스 제한, 서비스 엔드포인트 또는 프라이빗 엔드포인트의 조합을 사용하여 인바운드 네트워크 액세스를 제어합니다. 
웹앱 자체 및 SCM 사이트에 대해 서로 다른 액세스 제한이 필요하고 구성될 수 있습니다.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", "severity": "높다", - "text": "인바운드 네트워크 액세스를 제어해야 합니다.", - "waf": "안전" + "text": "Azure Firewall 프리미엄을 사용하는 경우 TLS 검사를 사용하도록 설정합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Application Gateway 또는 Azure Front Door와 같은 Web Application Firewall을 사용하여 악의적인 인바운드 트래픽으로부터 보호합니다. WAF의 로그를 모니터링해야 합니다.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", - "severity": "높다", - "text": "App Service 앞에서 WAF 사용Use a WAF in front of App Service", - "waf": "안전" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", + "severity": "낮다", + "text": "웹 범주를 사용하여 특정 주제에 대한 아웃바운드 액세스를 허용하거나 거부할 수 있습니다.", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "WAF에 대한 액세스만 잠궈 WAF를 우회할 수 없는지 확인합니다. 
액세스 제한, 서비스 엔드포인트 및 프라이빗 엔드포인트의 조합을 사용합니다.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "높다", - "text": "WAF가 우회되지 않도록 방지", - "waf": "안전" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", + "severity": "보통", + "text": "TLS 검사의 일환으로 검사를 위해 Azure App Gateway에서 트래픽을 수신하도록 계획합니다.", + "waf": "공연" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service 구성에서 최소 TLS 정책을 1.2로 설정합니다.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", "severity": "보통", - "text": "최소 TLS 정책을 1.2로 설정합니다.", + "text": "Azure Firewall DNS 프록시 구성을 사용하도록 설정합니다.", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "HTTPS만 사용하도록 App Service를 구성합니다. 이로 인해 App Service가 HTTP에서 HTTPS로 리디렉션됩니다. 
코드 또는 WAF에서 HSTS(HTTP Strict Transport Security)를 사용하여 HTTPS를 통해서만 사이트에 액세스해야 함을 브라우저에 알리는 것이 좋습니다.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", "severity": "높다", - "text": "HTTPS만 사용", - "waf": "안전" + "text": "Azure Firewall을 Azure Monitor와 통합하고 진단 로깅을 사용하도록 설정하여 방화벽 로그를 저장하고 분석합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "CORS 구성에서 와일드카드를 사용하면 모든 원본이 서비스에 액세스할 수 있으므로 CORS의 목적에 어긋나므로 사용하지 마세요. 특히 서비스에 액세스할 수 있을 것으로 예상되는 원본만 허용합니다.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", - "severity": "높다", - "text": "와일드카드는 CORS에 사용할 수 없습니다.", - "waf": "안전" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "낮다", + "text": "방화벽 규칙에 대한 백업 구현Implement backups for your firewall rules", + "waf": "작업" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "원격 디버깅은 서비스에서 추가 포트를 열어 공격 노출 영역을 증가시키므로 프로덕션에서 켜면 안 됩니다. 
서비스는 48시간 후에 자동으로 원격 디버깅을 설정합니다.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", "severity": "높다", - "text": "원격 디버깅 끄기", + "text": "컨트롤 플레인 트래픽을 차단하는 0.0.0.0/0 경로 또는 NSG 규칙과 같이 가상 네트워크에 삽입된 Azure PaaS 서비스에 대한 컨트롤 플레인 통신을 중단하지 마세요.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "App Service용 Defender를 사용하도록 설정합니다. 이는 다른 위협 중에서도 알려진 악성 IP 주소에 대한 통신을 탐지합니다. 작업의 일부로 App Service용 Defender의 권장 사항을 검토합니다.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "service": "ExpressRoute", "severity": "보통", - "text": "클라우드용 Defender 사용 - App Service용 Defender", + "text": "프라이빗 엔드포인트 및 ExpressRoute 프라이빗 피어링을 통해 온-프레미스에서 Azure PaaS 서비스에 액세스하세요. 
이 방법을 사용하면 공용 인터넷을 통해 전송되지 않습니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure는 네트워크에서 DDoS 기본 보호를 제공하며, 정상적인 트래픽 패턴을 학습하고 비정상적인 동작을 감지할 수 있는 지능형 DDoS 표준 기능으로 개선할 수 있습니다. DDoS 표준은 Virtual Network에 적용되므로 Application Gateway 또는 NVA와 같은 앱 앞의 네트워크 리소스에 대해 구성해야 합니다.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", - "severity": "보통", - "text": "WAF VNet에서 DDOS 보호 표준 사용Enable DDOS Protection Standard on the WAF VNet", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "service": "VNet", + "severity": "높다", + "text": "모든 서브넷에서 기본적으로 가상 네트워크 서비스 엔드포인트를 사용하도록 설정하지 마세요.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure Container Registry에 저장된 이미지를 사용하는 경우 프라이빗 엔드포인트 및 앱 설정 'WEBSITE_PULL_IMAGE_OVER_VNET'를 사용하여 Azure Container Registry에서 가상 네트워크를 통해 끌어옵니다.", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": 
"https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "azure/private-link/inspect-traffic-with-azure-firewall", + "service": "Firewall", "severity": "보통", - "text": "Virtual Network를 통해 컨테이너 끌어오기", + "text": "Azure Firewall 또는 NVA의 IP 주소 대신 FQDN을 사용하여 Azure PaaS 서비스에 대한 송신 트래픽을 필터링하여 데이터 반출을 방지합니다. Private Link를 사용하는 경우 모든 FQDN을 차단할 수 있으며, 그렇지 않으면 필요한 PaaS 서비스만 허용할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "참여의 침투 테스트 규칙에 따라 웹 응용 프로그램에 대한 침투 테스트를 수행합니다.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", - "severity": "보통", - "text": "침투 테스트 수행", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", + "severity": "높다", + "text": "게이트웨이 서브넷에 /27 이상의 접두사를 사용합니다.", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "DevSecOps 사례에 따라 
취약성을 검증하고 검사한 신뢰할 수 있는 코드를 배포합니다.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", - "severity": "보통", - "text": "유효성이 검사된 코드 배포", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", + "severity": "높다", + "text": "VirtualNetwork 서비스 태그를 사용하여 연결을 제한하는 NSG 인바운드 기본 규칙에 의존하지 마세요.", "waf": "안전" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "지원되는 플랫폼, 프로그래밍 언어, 프로토콜 및 프레임워크의 최신 버전을 사용합니다.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", - "severity": "높다", - "text": "최신 플랫폼, 언어, 프로토콜 및 프레임워크 사용", + 
"arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", + "severity": "보통", + "text": "NSG를 사용하여 서브넷 간의 트래픽과 플랫폼 전체의 동쪽/서쪽 트래픽(랜딩 존 간 트래픽)을 보호할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", - "severity": "높다", - "text": "공명형 AI를 위한 Metaprompting 가드레일 따르기", - "waf": "운영 우수성" + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", + "severity": "보통", + "text": "NSG 및 애플리케이션 보안 그룹을 사용하여 랜딩 존 내의 트래픽을 마이크로 세그먼트화하고 중앙 NVA를 사용하여 트래픽 흐름을 필터링하지 않도록 합니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", - "severity": "높다", - "text": "더 나은 속도 제한, 부하 분산, 인증 및 로깅을 위해 APIM 또는 AI Central과 같은 솔루션을 사용하여 게이트웨이 패턴을 고려합니다.", - "waf": "운영 우수성" + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": 
"https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", + "service": "NSG", + "severity": "보통", + "text": "VNet 흐름 로그를 사용하도록 설정하고 트래픽 분석에 제공하여 내부 및 외부 트래픽 흐름에 대한 인사이트를 얻을 수 있습니다.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", - "severity": "높다", - "text": "AOAI 인스턴스에 대한 모니터링 활성화", - "waf": "운영 우수성" + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", + "severity": "보통", + "text": "1,000개의 규칙 제한으로 인해 NSG당 900개 이상의 NSG 규칙을 구현하지 마세요.", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", - "severity": "높다", - "text": "리소스에 대해 수행된 작업(예: 구독 키 다시 생성) 또는 메트릭 임계값(예: 한 시간에 10을 초과하는 오류 수)에 의해 생성된 활동 로그의 항목과 같은 이벤트를 팀에 알리는 경고를 만듭니다", - "waf": "운영 우수성" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": 
"https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", + "severity": "보통", + "text": "시나리오가 Virtual WAN 라우팅 디자인 목록에 명시적으로 설명된 경우 Virtual WAN을 사용합니다.", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", - "severity": "높다", - "text": "용량으로 인한 서비스 중단을 방지하기 위해 토큰 사용량을 모니터링합니다.", - "waf": "운영 우수성" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", + "service": "VWAN", + "severity": "보통", + "text": "Azure 지역당 Virtual WAN 허브를 사용하여 공통 글로벌 Azure Virtual WAN을 통해 Azure 지역 간에 여러 랜딩 존을 함께 연결합니다.", + "waf": "공연" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", + "service": "VWAN", "severity": "보통", - "text": "처리된 추론 토큰, 생성된 완료 토큰, 속도 제한 모니터링과 같은 메트릭 관찰", - "waf": "운영 우수성" + "text": "아웃바운드 인터넷 트래픽 보호 및 필터링을 위해 보안 허브에 Azure Firewall을 배포합니다.", + "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", - "severity": "낮다", - "text": "진단이 충분하지 않은 경우 Azure OpenAI 앞에 있는 Azure API Managements와 같은 게이트웨이를 사용하여 허용되는 경우 들어오는 프롬프트와 나가는 응답을 모두 기록하는 것이 좋습니다", - "waf": "운영 우수성" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", + "service": "VWAN", + "severity": "보통", + "text": "Virtual WAN 네트워크 아키텍처가 식별된 아키텍처 시나리오에 맞는지 확인합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", - "severity": "높다", - "text": "Infrastructure as code를 사용하여 Azure OpenAI Service, 모델 배포 및 모든 관련 리소스를 배포합니다", - "waf": "운영 우수성" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", + "severity": "보통", + "text": "Virtual WAN용 Azure Monitor Insights를 사용하여 Virtual WAN의 엔드투엔드 토폴로지, 상태 및 주요 메트릭을 모니터링합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "높다", - "text": "API 키 
대신 관리 ID로 Microsoft Entra 인증 사용", - "waf": "안전" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", + "severity": "보통", + "text": "이러한 흐름을 명시적으로 차단해야 하는 경우가 아니면 Virtual WAN에서 분기 간 트래픽을 사용하지 않도록 설정하지 마세요.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "높다", - "text": "입력과 정답이 있는 알려진 골든 데이터 세트를 사용하여 시스템의 성능/정확도를 평가합니다. 평가를 위해 PromptFlow의 기능을 활용합니다.", - "waf": "운영 우수성" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", + "severity": "보통", + "text": "AS-Path는 ExpressRoute 또는 VPN보다 유연하므로 허브 라우팅 기본 설정으로 사용합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", - "severity": "높다", - "text": "프로비저닝된 처리량 모델의 사용 평가 ", - "waf": "공연" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", + "severity": "보통", + "text": "Virtual WAN에서 레이블 기반 전파를 구성하지 않으면 가상 허브 간의 연결이 
손상됩니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", "severity": "높다", - "text": "Azure AI 콘텐츠 안전성 검토 및 구현", - "waf": "운영 우수성" + "text": "가상 허브에 /23 접두사 이상을 할당하여 충분한 IP 공간을 사용할 수 있도록 합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "높다", - "text": "분당 토큰 및 응답을 기반으로 시스템의 처리량을 정의 및 평가하고 요구 사항에 맞춥니다.", - "waf": "공연" + "text": "Azure Policy를 전략적으로 활용하고, 정책 이니셔티브를 사용하여 관련 정책을 그룹화하여 환경에 대한 컨트롤을 정의합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": 
"Policy", "severity": "보통", - "text": "토큰 크기, 스트리밍 옵션을 제한하여 시스템의 대기 시간을 개선합니다.", - "waf": "공연" + "text": "규정 및 규정 준수 요구 사항을 Azure Policy 정의 및 Azure 역할 할당에 매핑합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "보통", - "text": "탄력성 요구를 예측하여 우선 순위에 따라 동기 및 일괄 처리 요청 분리를 결정합니다. 우선 순위가 높은 경우 동기 접근 방식을 사용하고 낮은 우선 순위의 경우 큐를 사용한 비동기 일괄 처리가 선호됩니다", - "waf": "공연" + "text": "상속된 범위에서 할당할 수 있도록 중간 루트 관리 그룹에서 Azure Policy 정의를 설정합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "높다", - "text": "소비자의 예상 수요를 기반으로 토큰 사용 요구 사항을 벤치마킹합니다. 
프로비저닝된 처리량 단위 배포를 사용하는 경우 처리량의 유효성을 검사하는 데 도움이 되도록 Azure OpenAI 벤치마킹 도구를 사용하는 것이 좋습니다", - "waf": "공연" + "text": "필요한 경우 최하위 수준에서 제외를 사용하여 가장 적절한 수준에서 정책 할당을 관리합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", - "severity": "보통", - "text": "PTU(프로비저닝된 처리량 단위)를 사용하는 경우 오버플로 요청에 대한 TPM(분당 토큰) 배포를 배포하는 것이 좋습니다. 게이트웨이를 사용하여 PTU 제한에 도달할 때 TPM 배포로 요청을 라우팅합니다.", - "waf": "공연" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", + "severity": "낮다", + "text": "Azure Policy를 사용하여 사용자가 구독/관리 그룹 수준에서 프로비전할 수 있는 서비스를 제어합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", "severity": "높다", - "text": "올바른 작업에 적합한 모델을 선택하십시오. 
속도, 응답 품질 및 출력 복잡성 간에 적절한 절충점이 있는 모델 선택", - "waf": "공연" + "text": "가능한 경우 기본 제공 정책을 사용하여 운영 오버헤드를 최소화합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "description": "Resource Policy Contributor 역할을 특정 범위에 할당하면 정책 관리를 관련 팀에 위임할 수 있습니다. 예를 들어 중앙 IT 팀은 관리 그룹 수준 정책을 감독하고 응용 프로그램 팀은 구독에 대한 정책을 처리하여 조직 표준을 준수하는 분산 거버넌스를 가능하게 할 수 있습니다.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", "severity": "보통", - "text": "미세 조정으로 모델 성능이 향상되었는지 여부를 파악하기 위해 미세 조정 없이 성능에 대한 기준이 있습니다.", - "waf": "공연" + "text": "특정 범위에서 기본 제공 Resource Policy Contributor 역할을 할당하여 응용 프로그램 수준 거버넌스를 사용하도록 설정합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "낮다", - "text": "여러 지역에 여러 OAI 인스턴스 배포", - "waf": "신뢰도" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "보통", + "text": "상속된 범위에서 제외를 통해 관리하지 않도록 루트 관리 그룹 범위에서 수행된 Azure Policy 할당 수를 제한합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": 
"https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "높다", - "text": "APIM과 같은 게이트웨이 패턴을 사용하여 재시도 및 상태 확인 구현Implement retry & healthchecks with gateway pattern like APIM", - "waf": "신뢰도" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", + "severity": "보통", + "text": "데이터 주권 요구 사항이 있는 경우 이를 적용하기 위해 Azure 정책을 배포해야 합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", "severity": "보통", - "text": "워크로드에 대한 TPM 및 RPM의 적절한 할당량이 있는지 확인합니다.", - "waf": "신뢰도" + "text": "Sovereign Landing Zone의 경우 주권 정책 기준을 배포하고 올바른 관리 그룹 수준에서 할당합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": 
"https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", "severity": "보통", - "text": "HAI 도구 키트 지침의 고려 사항을 검토하고 slution에 대한 이러한 상호 작용 방법을 적용합니다", - "waf": "운영 우수성" + "text": "Sovereign Landing Zone의 경우 정책 매핑에 대한 Sovereign Control 목표를 문서화합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", + "service": "Policy", "severity": "보통", - "text": "미세 조정이 사용되는 경우 지역 간에 별도의 미세 조정된 모델을 배포합니다.", - "waf": "신뢰도" + "text": "Sovereign Landing Zone의 경우 '정책 매핑에 대한 Sovereign Control 목표'를 관리하기 위한 프로세스가 마련되어 있는지 확인합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "보통", - "text": "중요한 데이터를 정기적으로 백업 및 복제하여 데이터 손실 또는 시스템 장애 발생 시 데이터 가용성과 복구 가능성을 보장합니다. 
Azure의 백업 및 재해 복구 서비스를 활용하여 데이터를 보호하세요.", - "waf": "신뢰도" + "text": "Azure RBAC(Azure 역할 기반 액세스 제어), 데이터 주권 요구 사항 또는 데이터 보존 정책에 따라 별도의 작업 영역이 필요한 경우를 제외하고 단일 모니터 로그 작업 영역을 사용하여 플랫폼을 중앙에서 관리합니다.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", - "severity": "높다", - "text": "SLA를 갖도록 Azure AI 검색 서비스 계층을 선택해야 합니다. ", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "Azure OpenAI", - "severity": "낮다", - "text": "임베딩을 생성하기 전에 데이터 및 민감도를 분류하고 Microsoft Purview를 사용하여 레이블을 지정하고 생성된 임베딩을 동일한 민감도 및 분류로 처리해야 합니다", - "waf": "안전" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", + "severity": "높다", + "text": "로그 보존 요구 사항이 12년을 초과하는 경우 로그를 Azure Storage로 내보냅니다. 
Write-once, Read-Many 정책과 함께 변경할 수 없는 스토리지를 사용하여 사용자가 지정한 간격 동안 데이터를 지우거나 수정할 수 없도록 합니다.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "Azure OpenAI", - "severity": "높다", - "text": "BYOK(옵션)를 사용한 SSE/디스크 암호화로 RAG에 사용되는 데이터 암호화", - "waf": "안전" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", + "severity": "보통", + "text": "Azure Policy를 사용하여 OS 수준 VM(가상 머신) 구성 드리프트를 모니터링합니다. 정책을 통해 Azure Automanage Machine Configuration 감사 기능을 사용하도록 설정하면 애플리케이션 팀 워크로드가 적은 노력으로 기능 기능을 즉시 사용할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", - "severity": "높다", - "text": "데이터 소스 간 전송 중인 데이터, RAG(Retrieval-Augmented Generation) 및 LLM 통신에 사용되는 AI 검색에 TLS가 적용되는지 확인합니다.", - "waf": "안전" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", + "service": "VM", + "severity": "보통", + "text": "Azure Update Manager를 Azure의 Windows 및 Linux VM에 대한 패치 메커니즘으로 사용합니다.", + "training": 
"https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "severity": "높다", - "text": "RBAC를 사용하여 Azure OpenAI 서비스에 대한 액세스를 관리합니다. 사용자에게 적절한 권한을 할당하고 사용자의 역할과 책임에 따라 액세스를 제한합니다.", - "waf": "안전" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", + "severity": "보통", + "text": "Azure Arc를 사용하여 Azure 외부의 Windows 및 Linux VM에 대한 패치 메커니즘으로 Azure Update Manager를 사용합니다.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/networkWatchers", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", "severity": "보통", - "text": "데이터 암호화, 마스킹 또는 수정 기술을 구현하여 비프로덕션 환경에서 또는 테스트 또는 문제 해결을 위해 데이터를 공유할 때 민감한 데이터를 숨기거나 난독화된 값으로 대체합니다.", - "waf": "안전" + "text": "Network Watcher를 사용하여 트래픽 흐름을 사전에 모니터링합니다.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - 
"checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", - "severity": "높다", - "text": "Azure Defender를 활용하여 보안 위협을 탐지 및 대응하고 의심스러운 활동 또는 위반을 식별하기 위한 모니터링 및 경고 메커니즘을 설정합니다. 고급 위협 탐지 및 대응을 위해 Azure Sentinel 활용", - "waf": "안전" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", + "severity": "보통", + "text": "인사이트 및 보고를 위해 Azure Monitor 로그를 사용합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", "severity": "보통", - "text": "규정 준수 규정을 준수하기 위해 데이터 보존 및 폐기 정책을 수립합니다. 
더 이상 필요하지 않은 데이터에 대한 안전한 삭제 방법을 구현하고 데이터 보존 및 폐기 활동에 대한 감사 추적을 유지 관리합니다.", - "waf": "안전" + "text": "Azure Monitor 경고를 사용하여 운영 경고를 생성합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", - "severity": "높다", - "text": "Content Safety를 사용하여 Prompt shields 및 groundedness detection 구현 ", - "waf": "운영 우수성" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", + "severity": "보통", + "text": "Azure Automation 계정을 통해 변경 및 인벤토리 추적을 사용하는 경우 Log Analytics 작업 영역과 자동화 계정을 함께 연결하는 데 지원되는 지역을 선택했는지 확인합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "Azure OpenAI", - "severity": "높다", - "text": "개인 정보 보호 제어를 구현하고 데이터 처리 활동에 필요한 동의 또는 권한을 얻어 GDPR 또는 HIPAA와 같은 관련 데이터 보호 규정을 준수하도록 합니다.", - "waf": "안전" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", + "severity": "낮다", + "text": "Azure Backup을 사용하는 경우 기본 설정은 GRS이므로 백업에 올바른 백업 유형(GRS, ZRS & LRS)을 사용합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": 
"f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "VM", "severity": "보통", - "text": "데이터 보안 모범 사례, 데이터 안전한 처리의 중요성, 데이터 침해와 관련된 잠재적 위험에 대해 직원을 교육합니다. 데이터 보안 프로토콜을 성실히 따르도록 권장합니다.", + "text": "Azure 게스트 정책을 사용하여 VM 확장을 통해 소프트웨어 구성을 자동으로 배포하고 규격 기준 VM 구성을 적용합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", - "severity": "높다", - "text": "생산 데이터를 개발 및 테스트 데이터와 분리합니다. 프로덕션에서는 실제 민감한 데이터만 사용하고 개발 및 테스트 환경에서는 익명 또는 합성 데이터를 활용합니다.", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "description": "Azure Policy의 게스트 구성 기능을 사용하여 컴퓨터 설정(예: OS, 애플리케이션, 환경)을 감사하고 수정하여 리소스가 예상 구성에 맞게 조정되도록 하고, 업데이트 관리는 VM에 대한 패치 관리를 적용할 수 있습니다.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "VM", + "severity": "보통", + "text": "Azure Policy를 통해 VM 보안 구성 드리프트를 모니터링합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "VM", "severity": "보통", - "text": "데이터 민감도 수준이 다양하다면 각 수준에 대해 별도의 인덱스를 만드는 것이 좋습니다. 예를 들어, 일반 데이터에 대한 인덱스와 민감한 데이터에 대한 인덱스가 있을 수 있으며, 각각 다른 액세스 프로토콜에 의해 제어됩니다", - "waf": "안전" + "text": "Azure-to-Azure Virtual Machines 재해 복구 시나리오에는 Azure Site Recovery를 사용합니다. 
이렇게 하면 지역 간에 워크로드를 복제할 수 있습니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "Azure OpenAI", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", "severity": "보통", - "text": "한 단계 더 나아가 중요한 데이터 세트를 서비스의 다른 인스턴스에 배치합니다. 각 인스턴스는 고유한 특정 RBAC 정책 집합으로 제어할 수 있습니다", - "waf": "안전" + "text": "Azure 네이티브 백업 기능 또는 Azure 호환 타사 백업 솔루션을 사용합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", "severity": "높다", - "text": "민감한 정보에서 생성된 임베딩과 벡터는 그 자체로 민감하다는 점을 인식해야 합니다. 이 데이터에는 원본 자료와 동일한 보호 조치가 제공되어야 합니다", - "waf": "안전" + "text": "Azure Front Door 및 Azure Application Gateway와 같은 애플리케이션 배달 서비스에서 WAF 로그를 저장하는 진단 설정을 추가합니다. 
로그를 정기적으로 검토하여 공격 및 가양성 탐지를 확인합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "severity": "높다", - "text": "임베딩 및 벡터가 있는 데이터 저장소에 RBAC를 적용하고 역할의 액세스 요구 사항에 따라 액세스 범위를 지정합니다.", - "waf": "안전" + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", + "severity": "보통", + "text": "Azure Front Door 및 Azure Application Gateway와 같은 애플리케이션 배달 서비스에서 Microsoft Sentinel로 WAF 로그를 보냅니다. 공격을 탐지하고 WAF 텔레메트리를 전체 Azure 환경에 통합합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "Azure OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "높다", - "text": "AI 서비스에 대한 프라이빗 엔드포인트를 구성하여 네트워크 내 서비스 액세스를 제한합니다.", + "text": "Azure Key Vault를 사용하여 비밀과 자격 증명을 저장합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", - "severity": "높다", - "text": "Azure Firewall 및 UDR을 사용하여 엄격한 인바운드 및 아웃바운드 트래픽 제어를 적용하고 외부 통합 지점을 제한합니다.", + "arm-service": "Microsoft.KeyVault/vaults", + 
"checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", + "severity": "보통", + "text": "서로 다른 애플리케이션 및 지역에 대해 서로 다른 Azure Key Vault를 사용하여 트랜잭션 규모 제한을 방지하고 비밀에 대한 액세스를 제한합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", - "severity": "높다", - "text": "네트워크 세분화 및 액세스 제어를 구현하여 LLM 애플리케이션에 대한 액세스를 인증된 사용자 및 시스템으로만 제한하고 측면 이동을 방지합니다.", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": 
"dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "보통", - "text": "LLMLingua 또는 gprtrim과 같은 프롬프트 압축 도구 사용", - "waf": "비용 최적화" + "text": "키, 비밀 및 인증서를 영구적으로 삭제할 수 있는 권한 부여를 특수 사용자 지정 Microsoft Entra ID 역할로 제한하여 최소 권한 모델을 따릅니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", - "severity": "높다", - "text": "LLM 애플리케이션에서 사용하는 API 및 엔드포인트가 관리 ID, API 키 또는 OAuth와 같은 인증 및 권한 부여 메커니즘으로 적절하게 보호되어 무단 액세스를 방지해야 합니다.", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "공용 인증 기관을 통해 인증서 관리 및 갱신 프로세스를 자동화하여 관리를 용이하게 합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "보통", - "text": "다단계 인증(multi-factor authentication)과 같은 강력한 최종 사용자 인증 메커니즘을 적용하여 LLM 애플리케이션 및 관련 네트워크 리소스에 대한 무단 액세스를 방지합니다.", + "text": "키 및 인증서 교체를 위한 자동화된 프로세스를 설정합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": 
"93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "보통", - "text": "네트워크 모니터링 도구를 구현하여 의심스럽거나 악의적인 활동에 대한 네트워크 트래픽을 탐지하고 분석합니다. 로깅을 활성화하여 네트워크 이벤트를 캡처하고 보안 사고 발생 시 포렌식 분석을 용이하게 합니다.", + "text": "자격 증명 모음에서 방화벽 및 가상 네트워크 서비스 엔드포인트 또는 프라이빗 엔드포인트를 사용하도록 설정하여 키 자격 증명 모음에 대한 액세스를 제어합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "severity": "보통", - "text": "보안 감사 및 침투 테스트를 수행하여 LLM 애플리케이션의 네트워크 인프라에서 네트워크 보안 약점 또는 취약성을 식별하고 해결합니다.", + "text": "플랫폼 중앙 Azure Monitor Log Analytics 작업 영역을 사용하여 Key Vault의 각 인스턴스 내에서 키, 인증서 및 비밀 사용을 감사합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", - "service": "Azure OpenAI", - "severity": "낮다", - "text": "Azure AI 서비스는 더 나은 관리를 위해 적절하게 태그가 지정됩니다.", - "waf": "운영 우수성" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "Key Vault 인스턴스화 및 권한 있는 액세스를 위임하고 Azure Policy를 사용하여 일관된 규정 준수 구성을 적용합니다.", + "waf": "안전" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", - "service": "Azure OpenAI", - "severity": "낮다", - "text": "Azure AI Service 계정은 조직의 명명 규칙을 따릅니다.", - "waf": "운영 우수성" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "애플리케이션별, 환경별, 지역별 Azure Key Vault를 사용합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", - "service": "Azure OpenAI", - "severity": "높다", - "text": "Azure AI Services 리소스의 진단 로그를 사용하도록 설정해야 함", - "waf": "운영 우수성" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "보통", + "text": "사용자 고유의 키를 가져오려는 경우 고려되는 모든 서비스에서 지원되지 않을 수 있습니다. 불일치가 원하는 결과를 방해하지 않도록 관련 완화를 구현합니다. 대기 시간을 최소화하는 적절한 지역 쌍과 재해 복구 지역을 선택합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", - "service": "Azure OpenAI", - "severity": "높다", - "text": "키 액세스(로컬 인증)는 보안을 위해 사용하지 않도록 설정하는 것이 좋습니다. 키 기반 액세스를 사용하지 않도록 설정하면 Microsoft Entra ID가 유일한 액세스 방법이 되어 최소 권한 원칙과 세분화된 제어를 유지할 수 있습니다. 
", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", + "severity": "보통", + "text": "Sovereign Landing Zone의 경우 Azure Key Vault 관리형 HSM을 사용하여 비밀과 자격 증명을 저장합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", - "severity": "높다", - "text": "Azure Key Vault를 사용하여 키를 안전하게 저장하고 관리하세요. LLM 애플리케이션의 코드 내에 중요한 키를 하드 코딩하거나 포함하지 않도록 하고 관리 ID를 사용하여 Azure Key Vault에서 안전하게 검색합니다.", + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", + "severity": "보통", + "text": "Microsoft Entra ID 보고 기능을 사용하여 액세스 제어 감사 보고서를 생성합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Azure OpenAI", + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "severity": "높다", - "text": "Azure Key Vault에 저장된 키를 정기적으로 회전하고 만료하여 무단 액세스의 위험을 최소화합니다.", + "text": "모든 구독에 대해 Defender 클라우드 보안 태세 관리를 사용하도록 설정합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", - "service": "Azure OpenAI", + "checklist": "Azure 
Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "severity": "높다", - "text": "tiktoken을 사용하여 대화 모드에서 토큰 최적화를 위한 토큰 크기 이해", - "waf": "비용 최적화" + "text": "모든 구독에서 서버에 대해 Defender 클라우드 워크로드 보호 계획을 사용하도록 설정합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", - "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", - "service": "Azure OpenAI", + "checklist": "Azure Landing Zone Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", "severity": "높다", - "text": "보안 코딩 관행에 따라 주입 공격, XSS(교차 사이트 스크립팅) 또는 보안 구성 오류와 같은 일반적인 취약성을 방지합니다", + "text": "모든 구독에서 Azure 리소스에 대한 Defender 클라우드 워크로드 보호 계획을 사용하도록 설정합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", "severity": "높다", - "text": "LLM 라이브러리와 다른 시스템 컴포넌트를 정기적으로 업데이트하고 패치하는 프로세스를 설정합니다.", + "text": "IaaS 서버에서 Endpoint Protection을 사용하도록 설정합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": 
"https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", - "service": "Azure OpenAI", - "severity": "높다", - "text": "Azure OpenAI 또는 기타 LLM 사용 약관, 정책 및 지침, 허용되는 사용 사례 준수", - "waf": "운영 우수성" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", + "severity": "보통", + "text": "Azure Monitor 로그 및 클라우드용 Defender를 통해 기본 운영 체제 패치 드리프트를 모니터링합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", - "service": "Azure OpenAI", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "보통", - "text": "기본 모델과 미세 조정된 모델 및 토큰 단계 크기의 비용 차이를 이해합니다.", - "waf": "비용 최적화" + "text": "기본 리소스 구성을 중앙 집중식 Azure Monitor Log Analytics 작업 영역에 연결합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", - "severity": "높다", - "text": "가능한 경우 호출당 오버헤드를 최소화하여 전체 비용을 줄일 수 있는 일괄 처리 요청. 
배치 크기를 최적화해야 합니다.", - "waf": "비용 최적화" + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", + "severity": "보통", + "text": "Sovereign Landing Zone의 경우 Entra ID 테넌트에서 투명 로그를 사용하도록 설정합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", - "service": "Azure OpenAI", + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "보통", - "text": "모델 사용을 모니터링하는 비용 추적 시스템을 설정하고 해당 정보를 사용하여 모델 선택 및 프롬프트 크기를 알립니다", - "waf": "비용 최적화" + "text": "Sovereign Landing Zone의 경우 Entra ID 테넌트에서 고객 Lockbox를 사용하도록 설정합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", - "service": "Azure OpenAI", - "severity": "보통", - "text": "모델 응답당 토큰 수에 대한 최대 제한을 설정합니다. 
유효한 응답에 사용할 수 있을 만큼 충분히 큰지 확인하기 위해 크기를 최적화합니다", - "waf": "비용 최적화" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", - "service": "Azure OpenAI", - "severity": "보통", - "text": "안정성을 위한 AI 검색 설정에 대해 제공된 지침을 검토합니다.", - "waf": "운영 우수성" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", - "service": "Azure OpenAI", - "severity": "보통", - "text": "AI Search Vector 스토리지 계획 및 관리", - "waf": "운영 우수성" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", + "severity": "높다", + "text": "스토리지 계정에 대한 보안 전송을 사용하도록 설정합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", - "service": "Azure OpenAI", - "severity": "보통", - "text": "LLMOps 사례를 적용하여 GenAI 애플리케이션의 라이프사이클 관리를 자동화합니다.", - "waf": "운영 우수성" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", + "severity": "높다", + "text": "스토리지 계정에 대해 컨테이너 일시 삭제를 사용하도록 설정하여 삭제된 컨테이너와 해당 콘텐츠를 복구합니다.", + "waf": "안전" }, { - "arm-service": 
"Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", - "service": "Azure OpenAI", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", "severity": "높다", - "text": "청구 모델 사용 평가 - PAYG 대 PTU", - "waf": "비용 최적화" + "text": "Key Vault 비밀을 사용하여 자격 증명(가상 머신 사용자 암호), 인증서 또는 키와 같은 중요한 정보를 하드 코딩하지 않도록 합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", - "service": "Azure OpenAI", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "severity": "보통", - "text": "모델 버전 간에 전환할 때 프롬프트와 응용 프로그램의 품질을 평가합니다.", - "waf": "운영 우수성" + "text": "장기 취소 가능 토큰을 사용하고, 토큰을 캐시하고, Microsoft ID 라이브러리를 사용하여 자동으로 획득합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", - "service": "Azure OpenAI", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": 
"https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "severity": "보통", - "text": "GenAI 앱을 평가, 모니터링 및 개선하여 근거, 관련성, 정확성, 일관성, 유창성 등의 기능을 제공합니다.", - "waf": "운영 우수성" + "text": "로그인 사용자 흐름이 백업되고 복원력이 있는지 확인합니다. 사용자를 로그인하는 데 사용하는 코드가 백업되고 복구 가능한지 확인합니다. 외부 프로세스와의 복원력 있는 인터페이스", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", - "service": "Azure OpenAI", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "severity": "보통", - "text": "다양한 검색 매개 변수를 기반으로 Azure AI Search 결과를 평가합니다", - "waf": "운영 우수성" + "text": "사용자 지정 브랜드 자산은 CDN에서 호스팅되어야 합니다.", + "waf": "공연" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", - "service": "Azure OpenAI", - "severity": "보통", - "text": "데이터를 사용하여 프롬프트 엔지니어링 및 RAG와 같은 다른 기본 접근 방식을 시도한 경우에만 모델을 미세 조정하여 정확도를 높이는 방법으로 살펴보십시오", - "waf": "운영 우수성" + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "낮다", + "text": "여러 ID 공급자가 있어야 합니다(예: Microsoft, Google, Facebook 계정으로 로그인).", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", - "service": "Azure OpenAI", + 
"checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "보통", - "text": "프롬프트 엔지니어링 기법을 사용하여 LLM 응답의 정확도 향상", - "waf": "운영 우수성" + "text": "VM 수준에서 고가용성을 위한 VM 규칙(프리미엄 디스크, 서로 다른 가용성 영역에 있는 지역에 두 개 이상)을 따릅니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", - "service": "Azure OpenAI", + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "보통", - "text": "GenAI 애플리케이션을 위한 레드 팀", - "waf": "안전" + "text": "복제하지 마세요! 복제로 인해 디렉터리 동기화에 문제가 발생할 수 있습니다", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", - "service": "Azure OpenAI", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "보통", - "text": "최종 사용자에게 LLM 응답에 대한 점수 매기기 옵션을 제공하고 이러한 점수를 추적합니다. 
", - "waf": "운영 우수성" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", - "severity": "높다", - "text": "할당량 관리 방법 고려", - "waf": "비용 최적화" + "text": "다중 지역에 대해 활성-활성 상태 보유", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", - "service": "Azure OpenAI", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "보통", - "text": "APIM 기반 게이트웨이와 같은 Load Balancer 솔루션을 사용하여 서비스 및 지역 간에 부하와 용량을 분산합니다", - "waf": "운영 우수성" + "text": "추가 지역 및 위치에 Azure AD 도메인 서비스 스탬프 추가Add Azure AD Domain service stamps to additional regions and locations", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "보통", - "text": "유연한 서버 활용", + "text": "DR에 복제본 세트 사용", "waf": "신뢰도" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": 
"https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", - "severity": "높다", - "text": "지역적으로 적용 가능한 경우 가용 영역 활용Leverage Availability Zones where regionally applicable", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", + "severity": "보통", + "text": "Azure Bot Service의 안정성 지원 권장 사항을 따릅니다", "waf": "신뢰도" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", "severity": "보통", - "text": "지역 간 DR 시나리오에 입력 데이터 복제 활용", + "text": "로컬 데이터 레지던시 및 지역 규정 준수를 통해 봇 배포Deploying bots with local data residency and regional compliance", "waf": "신뢰도" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "높다", - "text": "읽기 작업에 대해 99.9%의 가용성을 갖도록 복제본 2개 사용", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + 
"service": "Bot service", + "severity": "보통", + "text": "Azure Bot Service는 글로벌 및 지역 서비스 모두에 대해 활성-활성 모드로 실행됩니다. 중단이 발생하면 오류를 감지하거나 서비스를 관리할 필요가 없습니다. Azure Bot Service는 다중 지역 지리적 아키텍처에서 자동 장애 조치(failover) 및 자동 복구를 자동으로 수행합니다. EU 봇 지역 서비스의 경우 Azure Bot Service는 중복성을 보장하기 위해 활성/활성 복제가 있는 유럽 내 두 개의 전체 지역을 제공합니다. 글로벌 봇 서비스의 경우 사용 가능한 모든 지역/지역을 글로벌 공간으로 제공할 수 있습니다.", "waf": "신뢰도" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "스토리지와 관련된 Microsoft 클라우드 보안 벤치마크의 지침 적용", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", "severity": "보통", - "text": "읽기/쓰기 작업에 대해 99.9%의 가용성을 갖도록 복제본 3개 사용", - "waf": "신뢰도" + "text": "'스토리지에 대한 Azure 보안 기준' 고려", + "waf": "안전" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Azure Storage는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 
프라이빗 엔드포인트를 사용하면 액세스가 필요한 Azure Compute 리소스에만 Azure Storage를 안전하게 노출할 수 있으므로 공용 인터넷에 노출되지 않습니다", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", "severity": "높다", - "text": "읽기 및/또는 쓰기 복제본을 활성화하여 가용 영역 활용Leverage Availability Zones by enabling read and/or write replicas", - "waf": "신뢰도" - }, + "text": "Azure Storage에 프라이빗 엔드포인트를 사용하는 것이 좋습니다.", + "waf": "안전" + }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "새로 만든 저장소 계정은 ARM 배포 모델을 사용하여 만들어지므로 RBAC, 감사 등을 모두 사용할 수 있습니다. 구독에 클래식 배포 모델이 있는 이전 저장소 계정이 없는지 확인합니다.", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", "severity": "보통", - "text": "지역 중복의 경우 Manually create services in 2 or more regions for Search는 지리적 지역 간에 검색 인덱스를 복제하는 자동화된 방법을 제공하지 않습니다", - "waf": "신뢰도" + "text": "이전 스토리지 계정이 '클래식 배포 모델'을 사용하지 않는지 확인", + "waf": "안전" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Microsoft Defender를 활용하여 의심스러운 활동 및 잘못된 구성에 대해 알아봅니다.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": 
"https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", + "severity": "높다", + "text": "모든 스토리지 계정에 대해 Microsoft Defender 사용", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "일시 삭제 메커니즘을 사용하면 실수로 삭제된 Blob을 복구할 수 있습니다.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", "severity": "보통", - "text": "여러 서비스에서 데이터를 동기화하려면 인덱서를 사용하여 여러 서비스의 콘텐츠를 업데이트하거나 REST API를 사용하여 여러 서비스에서 콘텐츠 업데이트를 푸시합니다.", - "waf": "신뢰도" + "text": "Blob에 대해 '일시 삭제' 사용Enable 'soft delete' for blobs", + "waf": "안전" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. 
", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "보통", - "text": "Azure Traffic Manager를 사용하여 요청 조정", - "waf": "신뢰도" + "text": "Blob에 대해 '일시 삭제' 사용 안 함", + "waf": "안전" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "컨테이너에 대한 일시 삭제를 사용하면 컨테이너가 삭제된 후 컨테이너를 복구할 수 있습니다(예: 실수로 인한 삭제 작업에서 복구).", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "severity": "높다", - "text": "Azure Cognitive Search 인덱스를 백업 및 복원합니다. 이 샘플 코드를 사용하여 인덱스 정의 및 스냅샷을 일련의 Json 파일에 백업합니다", - "waf": "신뢰도" + "text": "컨테이너에 대해 '일시 삭제' 사용Enable 'soft delete' for containers", + "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. 
", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "severity": "보통", - "text": "다중 테넌트에 대한 명확한 규정 또는 비즈니스 요구 사항이 없는 한 Azure 리소스를 관리하기 위해 하나의 Entra 테넌트를 사용합니다.", - "waf": "작업" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "낮다", - "text": "다중 테넌트 자동화 접근 방식을 사용하여 Microsoft Entra ID 테넌트를 관리합니다.", - "waf": "작업" + "text": "컨테이너에 대해 '일시 삭제' 사용 안 함", + "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "사용자가 삭제하기 전에 먼저 삭제 잠금을 제거하도록 강제하여 저장소 계정이 실수로 삭제되는 것을 방지합니다.", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + "service": "Azure Storage", "severity": "높다", - "text": "동일한 ID로 다중 테넌트 관리에 Azure Lighthouse를 사용합니다.", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", - "waf": "작업" + "text": "스토리지 계정에 대한 리소스 잠금 사용Enable resource locks on storage accounts", + "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Blob에 대한 '법적 보존' 
또는 '시간 기반 보존' 정책을 고려하면 Blob, 컨테이너 또는 스토리지 계정을 삭제할 수 없습니다. '불가능'은 실제로 '불가능'을 의미합니다. 스토리지 계정에 변경할 수 없는 Blob이 포함된 경우 해당 스토리지 계정을 '제거'하는 유일한 방법은 Azure 구독을 취소하는 것입니다.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", "severity": "높다", - "text": "파트너에게 테넌트를 관리할 수 있는 액세스 권한을 부여하는 경우 Azure Lighthouse를 사용합니다.", - "waf": "비용" + "text": "변경할 수 없는 Blob 고려", + "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "모든 데이터 전송이 암호화되고, 무결성이 보호되고, 서버가 인증되도록 스토리지 계정에 대한 보호되지 않는 HTTP/80 액세스를 사용하지 않도록 설정하는 것이 좋습니다. ", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", "severity": "높다", - "text": "클라우드 운영 모델에 맞는 RBAC 모델을 적용합니다. Scope and Assign across Management Groups and Subscriptions.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "text": "HTTPS 필요, 즉 스토리지 계정에서 포트 80 사용 안 함Require HTTPS, i.e. disable port 80 on the storage account", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "스토리지 계정에서 사용자 지정 도메인(호스트 이름)을 구성할 때 TLS/HTTPS가 필요한지 여부를 확인합니다. 
이 경우 저장소 계정 앞에 Azure CDN을 배치해야 할 수 있습니다.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", "severity": "높다", - "text": "모든 계정 유형에 대해 회사 또는 학교 계정 인증 유형만 사용합니다. Microsoft 계정을 사용하지 마십시오.", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "HTTPS를 적용할 때(HTTP 사용 안 함) 스토리지 계정에 사용자 지정 도메인(CNAME)을 사용하지 않는지 확인합니다.", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "클라이언트가 SAS 토큰을 사용하여 Blob 데이터에 액세스할 때 HTTPS를 요구하면 자격 증명 손실 위험을 최소화하는 데 도움이 됩니다.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "보통", - "text": "그룹만 사용하여 사용 권한을 할당합니다. 
그룹 관리 시스템이 이미 있는 경우 Entra ID 전용 그룹에 온-프레미스 그룹을 추가합니다.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "안전" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", - "severity": "높다", - "text": "Azure 환경에 대한 권한이 있는 모든 사용자에 대해 Microsoft Entra ID 조건부 액세스 정책을 적용합니다.", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "text": "SAS(공유 액세스 서명) 토큰을 HTTPS 연결로만 제한", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "AAD 토큰은 가능한 경우 공유 액세스 서명보다 우선해야 합니다", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "severity": "높다", - "text": "Azure 환경에 대한 권한이 있는 모든 사용자에 대해 Multi-Factor Authentication을 적용합니다.", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "text": "Blob 액세스에 Azure AD(Azure Active Directory) 토큰 사용Use Azure Active Directory (Azure AD) tokens for blob access", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "사용자, 그룹 또는 응용 프로그램에 역할을 할당할 때 해당 보안 주체가 작업을 수행하는 데 필요한 권한만 부여합니다. 
리소스에 대한 액세스를 제한하면 의도하지 않은 데이터 오용과 악의적인 데이터 오용을 모두 방지할 수 있습니다.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", "severity": "보통", - "text": "Microsoft Entra ID PIM(Privileged Identity Management)을 적용하여 제로 스탠딩 액세스 및 최소 권한을 설정합니다.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "IaM 권한의 최소 권한", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview", - "service": "Entra", - "severity": "보통", - "text": "Active Directory Domain Services에서 Entra Domain Services로 전환하려는 경우 모든 워크로드의 호환성을 평가합니다.", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "사용자 위임 SAS는 Azure AD(Azure Active Directory) 자격 증명과 SAS에 지정된 권한으로 보호됩니다. 사용자 위임 SAS는 범위와 기능 측면에서 서비스 SAS와 유사하지만 서비스 SAS에 비해 보안상의 이점을 제공합니다. ", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", + "severity": "높다", + "text": "SAS를 사용하는 경우 스토리지 계정 키 기반 SAS보다 '사용자 위임 SAS'를 선호합니다.", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", - "severity": "보통", - "text": "Microsoft Entra ID 로그를 플랫폼 중앙 Azure Monitor와 통합합니다. 
Azure Monitor는 Azure의 로그 및 모니터링 데이터에 대한 단일 정보 소스를 허용하여 조직에 로그 수집 및 보존에 대한 요구 사항을 충족하는 클라우드 네이티브 옵션을 제공합니다.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "스토리지 계정 키('공유 키')에는 감사 기능이 거의 없습니다. 누가/언제 키 사본을 가져왔는지 모니터링할 수 있지만, 키가 여러 사람의 손에 들어가면 특정 사용자의 사용을 귀속시키는 것은 불가능합니다. AAD 인증에만 의존하면 스토리지 액세스를 사용자에게 더 쉽게 연결할 수 있습니다. ", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", + "severity": "높다", + "text": "AAD 액세스(및 사용자 위임 SAS)만 지원되도록 스토리지 계정 키를 사용하지 않도록 설정하는 것이 좋습니다.", "waf": "안전" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "활동 로그 데이터를 사용하여 스토리지 계정의 보안을 보거나 변경하는 '시기', '누가', '무엇을' 및 '방법'(예: 스토리지 계정 키, 액세스 정책 등)을 식별합니다.", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", "severity": "높다", - "text": "응급 액세스 또는 비상 계정을 구현하여 테넌트 전체 계정 잠금을 방지합니다.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "Azure Monitor를 사용하여 스토리지 계정에 대한 컨트롤 플레인 작업을 감사하는 것이 좋습니다.", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "키 만료 정책을 사용하면 계정 액세스 키 교체에 대한 미리 알림을 설정할 수 있습니다. 
지정된 간격이 경과하고 키가 아직 회전되지 않은 경우 알림이 표시됩니다.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "보통", - "text": "특별히 필요한 시나리오가 없는 한 Microsoft Entra ID 역할 할당에 온-프레미스 동기화 계정을 사용하지 마세요.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "text": "스토리지 계정 키를 사용하는 경우 '키 만료 정책'을 사용하도록 설정하는 것이 좋습니다", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS 만료 정책은 SAS가 유효한 권장 간격을 지정합니다. SAS 만료 정책은 서비스 SAS 또는 계정 SAS에 적용됩니다. 사용자가 권장 간격보다 큰 유효 간격을 사용하여 서비스 SAS 또는 계정 SAS를 생성하면 경고가 표시됩니다.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": "보통", - "text": "Microsoft Entra ID 애플리케이션 프록시를 사용하여 원격 사용자에게 애플리케이션에 대한 액세스 권한을 부여하는 경우 테넌트당 하나의 인스턴스만 가질 수 있으므로 플랫폼 리소스로 관리합니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "text": "SAS 만료 정책 구성 고려", "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "저장된 액세스 정책은 스토리지 계정 키를 다시 생성할 필요 없이 서비스 SAS에 대한 권한을 취소하는 옵션을 제공합니다. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "severity": "보통", - "text": "최대한의 유연성이 필요한 네트워크 시나리오에는 허브 및 스포크(hub-and-spoke) 네트워크 토폴로지를 사용합니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "SAS를 저장된 액세스 정책에 연결하는 것이 좋습니다.", "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", - "service": "VNet", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", + "severity": "보통", + "text": "체크 인된 연결 문자열 및 저장소 계정 키를 검색하도록 응용 프로그램의 소스 코드 리포지토리를 구성하는 것이 좋습니다.", + "waf": "안전" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "이상적으로 애플리케이션은 관리 ID를 사용하여 Azure Storage에 인증해야 합니다. 이렇게 할 수 없는 경우 Azure KeyVault 또는 동등한 서비스에 스토리지 자격 증명(연결 문자열, 스토리지 계정 키, SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "severity": "높다", - "text": "ExpressRoute 게이트웨이, VPN 게이트웨이 및 Azure Firewall 또는 파트너 NVA를 포함한 공유 네트워킹 서비스를 중앙 허브 가상 네트워크에 배포합니다. 
필요한 경우 DNS 서비스도 배포합니다.", - "waf": "비용" + "text": "Azure KeyVault에 연결 문자열을 저장하는 것이 좋습니다(관리 ID를 사용할 수 없는 시나리오에서).", + "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "임시 SAS 서비스 SAS 또는 계정 SAS에서 단기 만료 시간을 사용합니다. 이러한 방식으로 SAS가 손상되더라도 짧은 시간 동안만 유효합니다. 이 방법은 저장된 액세스 정책을 참조할 수 없는 경우에 특히 중요합니다. 또한 단기 만료 시간은 업로드에 사용할 수 있는 시간을 제한하여 Blob에 쓸 수 있는 데이터의 양을 제한합니다.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "높다", - "text": "애플리케이션 랜딩 존의 모든 공용 IP 주소에 대해 DDoS 네트워크 또는 IP 보호 계획을 사용합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "임시 SAS의 유효 기간을 단축하기 위해 노력", "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS를 만들 때는 가능한 한 구체적이고 제한적이어야 합니다. 
훨씬 더 광범위한 액세스를 제공하는 SAS보다 단일 리소스 및 작업에 대해 SAS를 선호합니다.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "보통", - "text": "파트너 네트워킹 기술 또는 NVA를 배포할 때 파트너 공급업체의 지침을 따릅니다.", - "waf": "신뢰도" + "text": "SAS에 좁은 범위 적용", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "severity": "낮다", - "text": "허브 및 스포크 시나리오에서 ExpressRoute와 VPN 게이트웨이 간의 전송이 필요한 경우 Azure Route Server를 사용합니다.", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS에는 SAS를 사용하여 리소스를 요청할 수 있는 권한이 있는 클라이언트 IP 주소 또는 주소 범위에 대한 매개 변수가 포함될 수 있습니다. 
", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", + "severity": "보통", + "text": "가능한 경우 SAS의 범위를 특정 클라이언트 IP 주소로 지정하는 것이 좋습니다", "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualHubs", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS는 클라이언트가 업로드하는 데이터의 양을 제한할 수 없습니다. 시간 경과에 따른 스토리지 양의 가격 책정 모델을 고려할 때 클라이언트가 악의적으로 큰 콘텐츠를 업로드했는지 여부를 확인하는 것이 합리적일 수 있습니다.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", "severity": "낮다", - "text": "Route Server를 사용하는 경우 Route Server 서브넷에 /27 접두사를 사용합니다.", + "text": "클라이언트가 SAS를 사용하여 파일을 업로드한 후 업로드된 데이터를 확인하는 것이 좋습니다. 
", "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", - "severity": "보통", - "text": "Azure 지역 간에 여러 허브 및 스포크 토폴로지가 있는 네트워크 아키텍처의 경우 허브 VNet 간의 글로벌 가상 네트워크 피어링을 사용하여 지역을 서로 연결합니다.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", - "waf": "공연" - }, - { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", - "severity": "보통", - "text": "네트워크용 Azure Monitor를 사용하여 Azure에서 네트워크의 엔드투엔드 상태를 모니터링합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "작업" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "'로컬 사용자 계정'을 사용하여 SFTP를 통해 Blob Storage에 액세스하는 경우 '일반적인' RBAC 컨트롤이 적용되지 않습니다. NFS 또는 REST를 통한 Blob 액세스는 SFTP 액세스보다 더 제한적일 수 있습니다. 
안타깝게도 2023년 초부터 로컬 사용자는 현재 SFTP 엔드포인트에 대해 지원되는 유일한 ID 관리 형태입니다", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "높다", + "text": "SFTP: SFTP 액세스에 대한 '로컬 사용자'의 수를 제한하고 시간이 지남에 따라 액세스가 필요한지 여부를 감사합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "보통", - "text": "한 지역에 400개 이상의 스포크 네트워크가 있는 경우 VNet 피어링 제한(500) 및 ExpressRoute를 통해 보급할 수 있는 최대 접두사 수(1000)를 우회하기 위해 추가 허브를 배포합니다.", - "waf": "신뢰도" + "text": "SFTP: SFTP 엔드포인트는 POSIX와 유사한 ACL을 지원하지 않습니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "보통", - "text": "경로 테이블당 경로 수를 400개로 제한합니다.", - "waf": "신뢰도" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "스토리지는 CORS(Cross-Origin Resource Sharing), 즉 다른 도메인의 웹앱이 동일 출처 정책을 완화할 수 있도록 하는 HTTP 기능을 지원합니다. CORS를 사용하도록 설정할 때 CorsRules를 최소 권한으로 유지합니다.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", + "severity": "높다", + "text": "지나치게 광범위한 CORS 정책 방지", + "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "미사용 데이터는 항상 서버 쪽에서 암호화되며 클라이언트 쪽에서도 암호화될 수 있습니다. 서버 쪽 암호화는 플랫폼 관리형 키(기본값) 또는 고객 관리형 키를 사용하여 발생할 수 있습니다. 클라이언트 쪽 암호화는 클라이언트가 Azure Storage에 Blob별로 암호화/암호 해독 키를 제공하거나 클라이언트 쪽에서 암호화를 완전히 처리하여 발생할 수 있습니다. 
따라서 기밀성 보장을 위해 Azure Storage에 전혀 의존하지 않습니다.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "severity": "높다", - "text": "VNet 피어링을 구성할 때 '원격 가상 네트워크에 대한 트래픽 허용' 설정을 사용합니다.", - "waf": "신뢰도" + "text": "미사용 데이터를 암호화하는 방법을 결정합니다. 데이터에 대한 스레드 모델을 이해합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "severity": "보통", - "text": "ExpressRoute Direct를 사용하는 경우 조직의 라우터와 MSEE 간의 계층 2 레벨에서 트래픽을 암호화하도록 MACsec을 구성합니다. 
다이어그램은 흐름에서 이 암호화를 보여 줍니다.", + "text": "사용해야 하는 플랫폼 암호화를 결정합니다.", "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "severity": "보통", - "text": "MACsec을 사용할 수 없는 시나리오(예: ExpressRoute Direct를 사용하지 않음)의 경우 VPN 게이트웨이를 사용하여 ExpressRoute 개인 피어링을 통해 IPsec 터널을 설정합니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "사용해야 하는 클라이언트 쪽 암호화를 결정합니다.", "waf": "안전" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Resource Graph Explorer(resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)를 활용하여 익명 Blob 액세스를 허용하는 스토리지 계정을 찾습니다.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "severity": "높다", - "text": "Azure 지역 및 온-프레미스 위치에서 겹치는 IP 주소 공간이 사용되지 않는지 확인합니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "text": "공용 Blob 액세스가 필요한지 또는 특정 스토리지 계정에 대해 사용하지 않도록 설정할 
수 있는지 여부를 고려합니다. ", "waf": "안전" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "severity": "보통", - "text": "개인 인터넷(RFC 1918)에 대한 주소 할당 범위의 IP 주소를 사용합니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "안전" + "text": "유연한 서버 활용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", + 
"arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "severity": "높다", - "text": "IP 주소 공간이 낭비되지 않는지 확인하고 불필요하게 큰 가상 네트워크(예: /16)를 만들지 마세요.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "공연" - }, - { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", - "severity": "높다", - "text": "프로덕션 및 재해 복구 사이트에 대해 겹치는 IP 주소 범위를 사용하지 마세요.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "text": "지역적으로 적용 가능한 경우 가용 영역 활용Leverage Availability Zones where regionally applicable", "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "severity": "보통", - "text": "Azure의 이름 확인만 필요한 환경의 경우 이름 확인을 위해 위임된 영역(예: 'azure.contoso.com')을 사용하여 확인을 위해 Azure 프라이빗 DNS를 사용합니다.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "작업" + "text": "지역 간 DR 시나리오에 입력 데이터 복제 활용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure 
Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", - "severity": "보통", - "text": "Azure 및 온-프레미스에서 이름 확인이 필요하고 Active Directory와 같은 기존 엔터프라이즈 DNS 서비스가 없는 환경의 경우 Azure DNS Private Resolver를 사용하여 DNS 요청을 Azure 또는 온-프레미스 DNS 서버로 라우팅합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "안전" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview 의 데이터 수집 규칙", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "낮다", - "text": "자체 DNS(예: Red Hat OpenShift)가 필요하고 배포하는 특수 워크로드는 선호하는 DNS 솔루션을 사용해야 합니다.", - "waf": "작업" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", + "text": "기본 데이터 원본을 찾을 수 없는 백업 인스턴스 확인", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", - "severity": 
"높다", - "text": "Azure DNS에 대한 자동 등록을 사용하도록 설정하여 가상 네트워크 내에 배포된 가상 머신에 대한 DNS 레코드의 수명 주기를 자동으로 관리합니다.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "작업" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "text": "연결되지 않은 서비스(디스크, NIC, IP 주소 등) 삭제 또는 보관", + "waf": "비용" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", - "severity": "보통", - "text": "Azure Bastion을 사용하여 네트워크에 안전하게 연결합니다.", - "waf": "안전" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "중요 업무용 응용 프로그램에 대한 Site Recovery 저장소와 백업 간의 적절한 균형을 고려합니다.", + "waf": "비용" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", - "severity": "보통", 
- "text": "서브넷 /26 이상에서 Azure Bastion을 사용합니다.", - "waf": "안전" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "40개의 서로 다른 로그 분석 작업 영역 간의 지출 및 절감 기회 확인 - 비프로덕션 작업 영역에 대해 서로 다른 보존 및 데이터 수집 사용-인식 및 계층 크기 조정을 위한 일일 한도 만들기 - 일일 한도를 설정하는 경우 한도에 도달할 때 경고를 만드는 것 외에도 특정 비율(예: 90%)에 도달했을 때 알림을 받을 경고 규칙도 만들어야 합니다. - 가능한 경우 작업 영역 변환 고려 - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "비용" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", - "severity": "보통", - "text": "Azure Front Door 및 WAF 정책을 사용하여 랜딩 존에 대한 인바운드 HTTP/S 연결을 위해 Azure 지역 전체에서 전역 보호를 제공합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "안전" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", + "text": "제거 로그 정책 및 자동화 적용(필요한 경우 로그를 콜드 스토리지로 이동할 수 있음)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "비용" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "낮다", - "text": "Azure Front Door 및 Azure Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Azure Front Door에서 WAF 정책을 사용합니다. Azure Front Door에서만 트래픽을 수신하도록 Azure Application Gateway를 잠급니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "안전" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "디스크가 실제로 필요한지 확인하고, 그렇지 않은 경우 삭제하십시오. 필요한 경우 더 낮은 스토리지 계층을 찾거나 백업을 사용합니다.", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "비용" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "높다", - "text": "인바운드 HTTP/S 연결에 WAF 및 기타 역방향 프록시가 필요한 경우 랜딩 존 가상 네트워크 내에 배포하고 보호하고 인터넷에 노출하는 앱과 함께 배포합니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "안전" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "text": "사용자 지정 규칙을 사용하여 사용하지 않는 스토리지를 하위 계층으로 이동하는 것이 좋습니다 - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": 
"https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "높다", - "text": "Azure DDoS 네트워크 또는 IP 보호 플랜을 사용하여 가상 네트워크 내의 공용 IP 주소 엔드포인트를 보호할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "text": "Advisor가 VM 올바른 크기 조정에 대해 구성되어 있는지 확인합니다. ", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", - "severity": "높다", - "text": "예정된 호환성이 손상되는 변경 전에 네트워크 아웃바운드 트래픽 구성 및 전략을 관리하는 방법을 계획합니다. 
2025년 9월 30일에 새 배포에 대한 기본 아웃바운드 액세스가 사용 중지되고 명시적 액세스 구성만 허용됩니다.", - "waf": "신뢰도" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "description": "Cost analysys에서 Meter Category Licenses를 검색하여 확인합니다.", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "text": "모든 Windows VM에서 스크립트 실행 https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- Windows VM을 자주 만드는 경우 정책 구현을 고려합니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "높다", - "text": "보호된 모든 공용 IP 주소(DDoS IP 또는 네트워크 보호)에 대한 DDoS 관련 로그를 저장하는 진단 설정을 추가합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "text": " 이미 라이선스가 있는 경우 AHUB에 넣을 수도 https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "비용" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Policy", - "severity": "높다", - "text": "Virtual Machines에 직접 연결된 공용 IP 주소를 거부하는 정책 할당이 있는지 
확인합니다. 특정 VM에서 공용 IP가 필요한 경우 제외를 사용합니다.", - "waf": "안전" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", + "text": "유연성 옵션을 사용하여 예약된 VM 제품군 통합(4-5개 이하의 제품군)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", - "severity": "보통", - "text": "ExpressRoute를 Azure에 대한 기본 연결로 사용합니다. VPN을 백업 연결의 소스로 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "text": "Azure Reserved Instances 활용: 이 기능을 사용하면 1년 또는 3년 동안 VM을 예약할 수 있으므로 PAYG 가격에 비해 상당한 비용 절감 효과를 얻을 수 있습니다.", + "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "description": "AS-path 접두사 및 연결 가중치를 사용하여 Azure에서 온-프레미스로의 트래픽에 영향을 주고, 자체 라우터의 전체 BGP 특성 범위를 사용하여 온-프레미스에서 Azure로의 트래픽에 영향을 줄 수 있습니다.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", - "severity": "보통", - "text": "여러 ExpressRoute 회로 또는 여러 온-프레미스 위치를 사용하는 경우 BGP 특성을 사용하여 라우팅을 
최적화합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "text": "더 큰 디스크만 예약할 수 있습니다 => 1TiB -", + "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", - "severity": "보통", - "text": "대역폭 및 성능 요구 사항에 따라 ExpressRoute/VPN 게이트웨이에 적합한 SKU를 선택합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", - "severity": "높다", - "text": "비용을 정당화하는 대역폭에 도달하는 경우에만 무제한 데이터 ExpressRoute 회로를 사용해야 합니다.", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + 
"guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "text": "적절한 크기 최적화 후", "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", - "severity": "높다", - "text": "회로 피어링 위치가 로컬 SKU에 대한 Azure 지역을 지원하는 경우 ExpressRoute의 로컬 SKU를 활용하여 회로 비용을 줄입니다.", + "arm-service": "Microsoft.Sql/servers", + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "text": "적용 가능한 경우 확인 및 정책/변경 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations 시행", "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = 
SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", - "severity": "보통", - "text": "지원되는 Azure 지역에 영역 중복 ExpressRoute 게이트웨이를 배포합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", - "severity": "보통", - "text": "10Gbps보다 높은 대역폭 또는 전용 10/100Gbps 포트가 필요한 시나리오의 경우 ExpressRoute Direct를 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", - "severity": "보통", - "text": "짧은 대기 시간이 필요하거나 온-프레미스에서 Azure로의 처리량이 10Gbps보다 커야 하는 경우 FastPath를 사용하도록 설정하여 데이터 경로에서 ExpressRoute 게이트웨이를 우회합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" - }, - { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - 
"service": "VPN", - "severity": "보통", - "text": "영역 중복 VPN 게이트웨이를 사용하여 분기 또는 원격 위치를 Azure(사용 가능한 경우)에 연결합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", - "severity": "보통", - "text": "온-프레미스에서 중복 VPN 어플라이언스(활성/활성 또는 활성/수동)를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", - "severity": "높다", - "text": "ExpressRoute Direct를 사용하는 경우 비용을 절감하기 위해 로컬 Azure 지역에 대한 ExpressRoute 로컬 회로를 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", + "text": "VM + 라이선스 부분 할인(ahub + 3YRI)은 약 70% 할인입니다.", "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", - "severity": "보통", - "text": "트래픽 격리 또는 전용 대역폭이 필요한 경우(예: 프로덕션 환경과 비프로덕션 환경 분리) 다른 ExpressRoute 회로를 사용합니다. 
이는 격리된 라우팅 도메인을 보장하고 시끄러운 이웃 위험을 완화하는 데 도움이 됩니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "안전" - }, - { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", - "severity": "보통", - "text": "기본 제공 Express Route Insights를 사용하여 ExpressRoute 가용성 및 사용률을 모니터링합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "작업" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "text": "플랫 사이징보다는 VMSS를 사용하여 수요에 맞추는 것이 좋습니다", + "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", - "severity": "보통", - "text": "네트워크 전반, 특히 온-프레미스와 Azure 간의 연결을 모니터링하려면 연결 모니터를 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "작업" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", + "text": "AKS 자동 크기 조정기를 사용하여 클러스터 사용량과 일치시킵니다(Pod 요구 사항이 스케일러와 일치하는지 확인).", + "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": 
"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", - "service": "ExpressRoute", - "severity": "보통", - "text": "중복성을 위해 서로 다른 피어링 위치의 ExpressRoute 회로를 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", + "text": "해당하는 경우 복구 지점을 자격 증명 모음 보관으로 이동(유효성 검사)Move recovery points to vault-archive where applicable (Validate)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", - "severity": "보통", - "text": "단일 ExpressRoute 회로만 사용하는 경우 사이트 간 VPN을 ExpressRoute의 장애 조치(failover)로 사용합니다.", - "waf": "신뢰도" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Cost 
Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "text": "가능한 경우 대체와 함께 스폿 VM을 사용하는 것이 좋습니다. 클러스터의 자동 종료를 고려합니다.", + "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", - "severity": "높다", - "text": "GatewaySubnet에서 경로 테이블을 사용하는 경우 게이트웨이 경로가 전파되었는지 확인합니다.", - "waf": "신뢰도" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "함수 - 연결 재사용", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": 
"https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", - "severity": "높다", - "text": "ExpressRoute를 사용하는 경우 온-프레미스 라우팅은 동적이어야 하며, 연결 오류가 발생할 경우 회로의 나머지 연결로 수렴해야 합니다. 로드는 두 연결 모두에서 이상적으로는 액티브/액티브로 공유해야 하지만 액티브/패시브도 지원됩니다.", - "waf": "신뢰도" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "함수 - 로컬에 데이터 캐시", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", - "severity": "보통", - "text": "ExpressRoute 회로의 두 물리적 링크가 네트워크에 있는 두 개의 고유한 에지 디바이스에 연결되어 있는지 확인합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "기능 - 콜드 스타트 - '패키지에서 실행' 기능을 사용합니다. 이렇게 하면 코드가 단일 zip 파일로 다운로드됩니다. 예를 들어, 이것은 많은 노드 모듈이 있는 Javascript 함수를 크게 개선할 수 있습니다. 
언어별 도구를 사용하여 패키지 크기를 줄입니다(예: 트리 쉐이킹 Javascript 애플리케이션).", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", - "severity": "보통", - "text": "BFD(Bidirectional Forwarding Detection)가 고객 또는 프로바이더 에지 라우팅 디바이스에서 활성화되고 구성되도록 보장합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", + "text": "기능 - 기능을 따뜻하게 유지", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", - "severity": "높다", - "text": "복원력을 높이기 위해 ExpressRoute 게이트웨이를 서로 다른 피어링 위치에서 둘 이상의 회로에 연결합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "신뢰도" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "text": "다른 함수와 함께 자동 크기 조정을 사용하는 경우 모든 리소스에 대한 모든 자동 크기 조정을 구동하는 것이 있을 수 있으므로 별도의 소비 계획으로 이동하는 것이 좋습니다(CPU에 대한 더 높은 계획 고려).", + "waf": "비용" }, { - "arm-service": 
"microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", - "severity": "보통", - "text": "ExpressRoute 가상 네트워크 게이트웨이에 대한 진단 로그 및 경고를 구성합니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "작업" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "text": "지정된 계획의 함수 앱은 모두 함께 크기가 조정되므로 크기 조정과 관련된 모든 문제는 계획의 모든 앱에 영향을 줄 수 있습니다.", + "waf": "비용" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", - "severity": "보통", - "text": "VNet 간 통신에 ExpressRoute 회로를 사용하지 마세요.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "공연" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "text": "'대기 시간'에 대한 요금이 청구되나요? 이 질문은 일반적으로 비동기 작업을 수행하고 결과를 기다리는 C # 함수 (예 : await Task.Delay(1000) 또는 await client )의 컨텍스트에서 묻습니다. GetAsync('http://google.com')입니다. 대답은 '예'입니다 - GB 초 계산은 함수의 시작 및 종료 시간과 해당 기간 동안의 메모리 사용량을 기반으로 합니다. CPU 작업 측면에서 해당 시간 동안 실제로 발생하는 일은 계산에 포함되지 않습니다. 이 규칙의 한 가지 예외는 지속성 함수를 사용하는 경우입니다. 오케스트레이터 함수에서 대기하는 데 소요된 시간에 대해서는 요금이 청구되지 않습니다.가능한 경우 수요 형성 기술을 적용합니다(개발 환경?) 
https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "비용" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "N/A", - "severity": "낮다", - "text": "검사를 위해 Azure 트래픽을 하이브리드 위치로 보내지 마세요. 대신 'Azure의 트래픽이 Azure에 유지됨' 원칙을 따라 Azure의 리소스 간 통신이 Microsoft 백본 네트워크를 통해 발생하도록 합니다.", - "waf": "공연" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "text": "Frontdoor - 기본 홈페이지 끄기앱의 애플리케이션 설정에서 AzureWebJobsDisableHomepage를 true로 설정합니다. 이렇게 하면 PoP에 204(콘텐츠 없음)가 반환되므로 헤더 데이터만 반환됩니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/firewall/overview", - "service": "Firewall", - "severity": "높다", - "text": "Azure Firewall을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, HTTP/S가 아닌 인바운드 연결 및 East/West 트래픽 필터링(조직에 필요한 경우)을 제어합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", + "text": "Frontdoor 프론트도어 - 아무것도 반환하지 않는 무언가로 라우팅합니다. 함수, 함수 프록시를 설정하거나 WebApp에서 200(정상)을 반환하고 콘텐츠를 보내지 않거나 최소한으로 보내는 경로를 추가합니다. 
이것의 장점은 호출될 때 로그아웃할 수 있다는 것입니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", - "service": "Firewall", - "severity": "보통", - "text": "글로벌 Azure Firewall 정책을 만들어 글로벌 네트워크 환경에서 보안 태세를 제어하고 모든 Azure Firewall 인스턴스에 할당합니다. Azure 역할 기반 액세스 제어를 통해 증분 방화벽 정책을 로컬 보안 팀에 위임하여 특정 지역의 요구 사항을 충족하는 세분화된 정책을 허용합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "덜 사용되는 데이터에 대한 보관 계층 고려", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", - "severity": "낮다", - "text": "조직에서 아웃바운드 연결을 보호하기 위해 이러한 솔루션을 사용하려는 경우 Firewall Manager 내에서 지원되는 파트너 SaaS 보안 공급자를 구성합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "text": "크기가 계층과 일치하지 않는 디스크 크기를 확인합니다(예: 513GiB 디스크는 P30(1TiB)를 지불하고 크기 조정을 고려합니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = 
(properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", - "severity": "높다", - "text": "응용 프로그램 규칙을 사용하여 지원되는 프로토콜에 대한 대상 호스트 이름에서 아웃바운드 트래픽을 필터링합니다. FQDN 기반 네트워크 규칙 및 DNS 프록시와 함께 Azure Firewall을 사용하여 다른 프로토콜을 통해 인터넷으로의 송신 트래픽을 필터링합니다.", - "waf": "안전" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "가능하면 프리미엄 또는 울트라 대신 표준 SSD를 사용하는 것이 좋습니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "severity": "높다", - "text": "Azure Firewall 프리미엄을 사용하여 추가 보안 기능을 사용하도록 설정합니다.", - "waf": "안전" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "스토리지 계정의 경우 선택한 계층이 트랜잭션 요금을 합산하지 않는지 확인합니다(다음 계층으로 이동하는 것이 더 저렴할 수 있음).", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": 
"e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", - "service": "Firewall", - "severity": "높다", - "text": "추가 보호를 위해 Azure Firewall 위협 인텔리전스 모드를 경고 및 거부로 구성합니다.", - "waf": "안전" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "ASR의 경우 RPO/RTO 및 복제 처리량이 허용하는 경우 표준 SSD 디스크를 사용하는 것이 좋습니다", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", - "severity": "높다", - "text": "추가 보호를 위해 Azure Firewall IDPS 모드를 거부로 구성합니다.", - "waf": "안전" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "스토리지 계정: 핫 계층 및/또는 GRS 필요 확인", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, 
hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", - "severity": "높다", - "text": "Virtual WAN에 연결되지 않은 VNet의 서브넷의 경우 인터넷 트래픽이 Azure Firewall 또는 네트워크 가상 어플라이언스로 리디렉션되도록 경로 테이블을 연결합니다.", - "waf": "안전" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "디스크 - 모든 곳에서 프리미엄 SSD 디스크 사용의 유효성을 검사합니다. 예를 들어 비프로덕션은 표준 SSD 또는 주문형 프리미엄 SSD로 교환할 수 있습니다. 
", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", - "severity": "보통", - "text": "모든 Azure Firewall 배포에 대해 리소스별 대상 테이블을 사용하여 로그를 저장하는 진단 설정을 추가합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "작업" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "예산을 만들어 비용을 관리하고 이해 관계자에게 지출 이상 및 초과 지출 위험을 자동으로 알리는 경고를 만듭니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "severity": "중요하다", - "text": "Azure Firewall 클래식 규칙(있는 경우)에서 방화벽 정책으로 마이그레이션합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "작업" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "추가 데이터 분석을 위해 비용 데이터를 스토리지 계정으로 내보냅니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 
'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", - "severity": "높다", - "text": "Azure Firewall 서브넷에 /26 접두사를 사용합니다.", - "waf": "안전" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "리소스를 사용하지 않을 때 일시 중지하여 전용 SQL 풀에 대한 비용을 제어합니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", - "severity": "보통", - "text": "방화벽 정책 내의 규칙을 Rule Collection Groups(규칙 컬렉션 그룹) 및 Rule Collections(규칙 컬렉션)로 정렬하고 사용 빈도에 따라 정렬합니다.", - "waf": "공연" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "서버리스 Apache Spark 자동 일시 중지 기능을 활성화하고 그에 따라 제한 시간 값을 설정합니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", - "severity": "보통", - "text": "IP 그룹 또는 IP 접두사를 사용하여 IP 테이블 규칙의 수를 줄입니다.", - "waf": "공연" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "다양한 크기의 Apache Spark 풀 정의를 여러 개 만듭니다.", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", - "severity": "보통", - "text": "와일드카드를 DNAT의 소스 IP로 사용하지 마십시오(예: * 또는 any). 들어오는 DNAT에 대한 소스 IP를 지정해야 합니다.", - "waf": "공연" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "사전 구매 플랜으로 1년 동안 Azure Synapse SCU(커밋 단위)를 구매하여 Azure Synapse Analytics 비용을 절감하세요.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", - "severity": "보통", - "text": "SNAT 포트 사용량을 모니터링하고, NAT 게이트웨이 설정을 평가하고, 원활한 장애 조치(failover)를 보장하여 SNAT 포트 고갈을 방지합니다. 
포트 수가 제한에 가까워지면 SNAT 고갈이 임박했을 수 있다는 신호입니다.", - "waf": "공연" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "인터럽트 가능한 작업에 스폿 VM 사용: 할인된 가격으로 입찰 및 구매할 수 있는 VM으로, 중요하지 않은 워크로드에 비용 효율적인 솔루션을 제공합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", - "severity": "높다", - "text": "Azure Firewall 프리미엄을 사용하는 경우 TLS 검사를 사용하도록 설정합니다.", - "waf": "공연" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "모든 VM의 적절한 크기 조정", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "낮다", - "text": "웹 범주를 사용하여 특정 주제에 대한 아웃바운드 액세스를 허용하거나 거부할 수 있습니다.", - "waf": "공연" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "VM 크기를 정규화된 최신 크기로 바꾸기", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "비용" }, { - "arm-service": 
"Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", - "severity": "보통", - "text": "TLS 검사의 일환으로 검사를 위해 Azure App Gateway에서 트래픽을 수신하도록 계획합니다.", - "waf": "공연" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "적절한 크기 조정 VM - 사용량을 5% 미만으로 모니터링하는 것으로 시작한 다음 최대 40%까지 작업", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", - "severity": "보통", - "text": "Azure Firewall DNS 프록시 구성을 사용하도록 설정합니다.", - "waf": "안전" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "애플리케이션을 컨테이너화하면 VM 밀도를 개선하고 확장 비용을 절감할 수 있습니다", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "비용" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", - "severity": "높다", - "text": "Azure Firewall을 Azure Monitor와 통합하고 진단 로깅을 사용하도록 설정하여 방화벽 로그를 저장하고 분석합니다.", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": 
"Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", + "severity": "보통", + "text": "전역 수준에서 오류 처리 정책 구현", "waf": "작업" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "낮다", - "text": "방화벽 규칙에 대한 백업 구현Implement backups for your firewall rules", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", + "severity": "보통", + "text": "모든 API 정책에 요소가 포함되어 있는지 확인합니다.", "waf": "작업" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", - "severity": "높다", - "text": "컨트롤 플레인 트래픽을 차단하는 0.0.0.0/0 경로 또는 NSG 규칙과 같이 가상 네트워크에 삽입된 Azure PaaS 서비스에 대한 컨트롤 플레인 통신을 중단하지 마세요.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "안전" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", + "severity": "보통", + "text": "정책 조각을 사용하여 여러 API에서 동일한 정책 정의를 반복하지 않도록 합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": 
"b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", "severity": "보통", - "text": "프라이빗 엔드포인트 및 ExpressRoute 프라이빗 피어링을 통해 온-프레미스에서 Azure PaaS 서비스에 액세스하세요. 이 방법을 사용하면 공용 인터넷을 통해 전송되지 않습니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "안전" + "text": "API로 수익을 창출할 계획이라면 '수익 창출 지원' 도움말에서 권장사항을 확인하세요", + "waf": "작업" }, - { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", + { + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "severity": "높다", - "text": "모든 서브넷에서 기본적으로 가상 네트워크 서비스 엔드포인트를 사용하도록 설정하지 마세요.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "안전" + "text": "진단 설정을 사용하도록 설정하여 로그를 Azure Monitor로 내보내기", + "waf": "작업" }, { - "arm-service": 
"Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "보통", - "text": "Azure Firewall 또는 NVA의 IP 주소 대신 FQDN을 사용하여 Azure PaaS 서비스에 대한 송신 트래픽을 필터링하여 데이터 반출을 방지합니다. Private Link를 사용하는 경우 모든 FQDN을 차단할 수 있으며, 그렇지 않으면 필요한 PaaS 서비스만 허용할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", - "waf": "안전" + "text": "더 자세한 원격 분석을 위해 Application Insights 사용", + "waf": "작업" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "높다", - "text": "게이트웨이 서브넷에 /27 이상의 접두사를 사용합니다.", - "waf": "안전" + "text": "가장 중요한 메트릭에 대한 경고 구성", + "waf": "작업" }, { - "arm-service": 
"Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "높다", - "text": "VirtualNetwork 서비스 태그를 사용하여 연결을 제한하는 NSG 인바운드 기본 규칙에 의존하지 마세요.", + "text": "사용자 지정 SSL 인증서가 안전하게 액세스하고 업데이트할 수 있도록 Azure Key Vault에 저장되어 있는지 확인합니다", "waf": "안전" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", - "severity": "보통", - "text": "NSG를 사용하여 서브넷 간의 트래픽과 플랫폼 전체의 동쪽/서쪽 트래픽(랜딩 존 간 트래픽)을 보호할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", + "severity": "높다", + "text": "Azure AD를 사용하여 API(데이터 평면)에 들어오는 요청 보호", "waf": "안전" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "severity": "보통", - "text": "NSG 및 애플리케이션 보안 그룹을 사용하여 랜딩 존 내의 트래픽을 마이크로 세그먼트화하고 중앙 NVA를 사용하여 트래픽 흐름을 필터링하지 않도록 합니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "Microsoft Entra ID를 사용하여 개발자 포털에서 사용자 인증", "waf": "안전" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management 
Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", "severity": "보통", - "text": "VNet 흐름 로그를 사용하도록 설정하고 트래픽 분석에 제공하여 내부 및 외부 트래픽 흐름에 대한 인사이트를 얻을 수 있습니다.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "text": "제품의 가시성을 제어하기 위해 적절한 그룹을 만듭니다", "waf": "안전" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", - "severity": "보통", - "text": "1,000개의 규칙 제한으로 인해 NSG당 900개 이상의 NSG 규칙을 구현하지 마세요.", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", "severity": "보통", - "text": "시나리오가 Virtual WAN 라우팅 디자인 목록에 명시적으로 설명된 경우 Virtual WAN을 사용합니다.", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "text": "백엔드 기능을 사용하여 중복 API 백엔드 구성 제거", "waf": "작업" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - 
"link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", - "severity": "보통", - "text": "Azure 지역당 Virtual WAN 허브를 사용하여 공통 글로벌 Azure Virtual WAN을 통해 Azure 지역 간에 여러 랜딩 존을 함께 연결합니다.", - "waf": "공연" - }, - { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "severity": "보통", - "text": "아웃바운드 인터넷 트래픽 보호 및 필터링을 위해 보안 허브에 Azure Firewall을 배포합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "text": "명명된 값을 사용하여 정책에서 사용할 수 있는 공통 값 저장", + "waf": "작업" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "severity": "보통", - "text": "Virtual WAN 네트워크 아키텍처가 식별된 아키텍처 시나리오에 맞는지 확인합니다.", + "text": "DR의 경우 99.99% SLA를 위해 둘 이상의 지역에 걸쳐 확장된 배포와 함께 프리미엄 계층을 활용합니다", "waf": "신뢰도" }, { - "arm-service": 
"microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", "severity": "보통", - "text": "Virtual WAN용 Azure Monitor Insights를 사용하여 Virtual WAN의 엔드투엔드 토폴로지, 상태 및 주요 메트릭을 모니터링합니다.", - "waf": "작업" + "text": "99.99%의 SLA 증가를 위해 둘 이상의 가용성 영역에 하나 이상의 단위를 배포합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", - "severity": "보통", - "text": "이러한 흐름을 명시적으로 차단해야 하는 경우가 아니면 Virtual WAN에서 분기 간 트래픽을 사용하지 않도록 설정하지 마세요.", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", + "severity": "높다", + "text": "자동화된 백업 루틴이 있는지 확인", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": 
"https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "severity": "보통", - "text": "AS-Path는 ExpressRoute 또는 VPN보다 유연하므로 허브 라우팅 기본 설정으로 사용합니다.", + "text": "정책을 사용하여 장애 조치 백엔드 URL 및 캐싱을 추가하여 실패한 호출을 줄입니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", - "severity": "보통", - "text": "Virtual WAN에서 레이블 기반 전파를 구성하지 않으면 가상 허브 간의 연결이 손상됩니다.", - "waf": "신뢰도" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", + "severity": "낮다", + "text": "고성능 수준에서 기록해야 하는 경우 Event Hubs 정책을 고려합니다", + "waf": "작업" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", - "severity": "높다", - "text": "가상 허브에 /23 접두사 이상을 할당하여 충분한 IP 공간을 사용할 수 있도록 합니다.", - "waf": "신뢰도" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", + "severity": "보통", + "text": "제한 정책을 적용하여 초당 요청 수 제어Apply throttling policies to control the number of requests per second", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "공연" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - 
"guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "높다", - "text": "Azure Policy를 전략적으로 활용하고, 정책 이니셔티브를 사용하여 관련 정책을 그룹화하여 환경에 대한 컨트롤을 정의합니다.", - "waf": "안전" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", + "severity": "보통", + "text": "부하가 증가할 때 인스턴스 수를 확장하도록 자동 크기 조정 구성Configure autoscaling to scale out the number of instances when the load increases", + "waf": "공연" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "severity": "보통", - "text": "규정 및 규정 준수 요구 사항을 Azure Policy 정의 및 Azure 역할 할당에 매핑합니다.", - "waf": "안전" + "text": "Azure에 백 엔드 API에 가까운 지역이 없는 자체 호스팅 게이트웨이를 배포합니다.", + "waf": "공연" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", "severity": "보통", - "text": "상속된 범위에서 할당할 수 있도록 중간 루트 관리 그룹에서 
Azure Policy 정의를 설정합니다.", - "waf": "안전" - }, - { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "높다", - "text": "필요한 경우 최하위 수준에서 제외를 사용하여 가장 적절한 수준에서 정책 할당을 관리합니다.", - "waf": "안전" + "text": "프로덕션 워크로드에 프리미엄 계층을 사용합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", - "severity": "낮다", - "text": "Azure Policy를 사용하여 사용자가 구독/관리 그룹 수준에서 프로비전할 수 있는 서비스를 제어합니다.", - "waf": "안전" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", + "severity": "보통", + "text": "다중 리전 모델에서는 Policies를 사용하여 가용성 또는 지연 시간에 따라 리전 백엔드로 요청을 라우팅합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", "severity": "높다", - "text": "가능한 경우 기본 제공 정책을 사용하여 운영 오버헤드를 최소화합니다.", - "waf": "안전" + "text": "APIM의 제한에 유의해야 합니다.", + "waf": "신뢰도" }, { - 
"arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "description": "Resource Policy Contributor 역할을 특정 범위에 할당하면 정책 관리를 관련 팀에 위임할 수 있습니다. 예를 들어 중앙 IT 팀은 관리 그룹 수준 정책을 감독하고 응용 프로그램 팀은 구독에 대한 정책을 처리하여 조직 표준을 준수하는 분산 거버넌스를 가능하게 할 수 있습니다.", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", - "severity": "보통", - "text": "특정 범위에서 기본 제공 Resource Policy Contributor 역할을 할당하여 응용 프로그램 수준 거버넌스를 사용하도록 설정합니다.", - "waf": "안전" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", + "severity": "높다", + "text": "자체 호스팅 게이트웨이 배포가 복원력이 있는지 확인합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "severity": "보통", - "text": "상속된 범위에서 제외를 통해 관리하지 않도록 루트 관리 그룹 범위에서 수행된 Azure Policy 할당 수를 제한합니다.", - "waf": "안전" + "text": "다중 지역 배포를 위해 APIM 앞에서 Azure Front Door 사용Use Azure Front Door in front of APIM for multi-region deployment", + "waf": "공연" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": 
"https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "severity": "보통", - "text": "데이터 주권 요구 사항이 있는 경우 이를 적용하기 위해 Azure 정책을 배포해야 합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "text": "VNet(Virtual Network) 내에 서비스 배포Deploy the service within a Virtual Network (VNet)", "waf": "안전" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "severity": "보통", - "text": "Sovereign Landing Zone의 경우 주권 정책 기준을 배포하고 올바른 관리 그룹 수준에서 할당합니다.", + "text": "서브넷에 NSG(네트워크 보안 그룹)를 배포하여 APIM에서 들어오고 나가는 트래픽을 제한하거나 모니터링합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", + "arm-service": 
"Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", "severity": "보통", - "text": "Sovereign Landing Zone의 경우 정책 매핑에 대한 Sovereign Control 목표를 문서화합니다.", + "text": "프라이빗 엔드포인트를 배포하여 APIM이 VNet에 배포되지 않은 경우 들어오는 트래픽을 필터링합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", - "service": "Policy", - "severity": "보통", - "text": "Sovereign Landing Zone의 경우 '정책 매핑에 대한 Sovereign Control 목표'를 관리하기 위한 프로세스가 마련되어 있는지 확인합니다.", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", + "severity": "높다", + "text": "공용 네트워크 액세스 사용 안 함", "waf": "안전" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", "severity": "보통", - "text": 
"Azure RBAC(Azure 역할 기반 액세스 제어), 데이터 주권 요구 사항 또는 데이터 보존 정책에 따라 별도의 작업 영역이 필요한 경우를 제외하고 단일 모니터 로그 작업 영역을 사용하여 플랫폼을 중앙에서 관리합니다.", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "작업" - }, - { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", - "severity": "높다", - "text": "로그 보존 요구 사항이 12년을 초과하는 경우 로그를 Azure Storage로 내보냅니다. Write-once, Read-Many 정책과 함께 변경할 수 없는 스토리지를 사용하여 사용자가 지정한 간격 동안 데이터를 지우거나 수정할 수 없도록 합니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "text": "PowerShell 자동화 스크립트로 관리 간소화", "waf": "작업" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", "severity": "보통", - "text": "Azure Policy를 사용하여 OS 수준 VM(가상 머신) 구성 드리프트를 모니터링합니다. 정책을 통해 Azure Automanage Machine Configuration 감사 기능을 사용하도록 설정하면 애플리케이션 팀 워크로드가 적은 노력으로 기능 기능을 즉시 사용할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "text": "Infrastructure-as-code를 통해 APIM을 구성합니다. 
Cloud Adaption Framework APIM 랜딩 존 가속기에서 DevOps 모범 사례 검토", "waf": "작업" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", - "service": "VM", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", "severity": "보통", - "text": "Azure Update Manager를 Azure의 Windows 및 Linux VM에 대한 패치 메커니즘으로 사용합니다.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "text": "더 빠른 API 개발을 위해 Visual Studio Code APIM 확장 사용 촉진", "waf": "작업" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", "severity": "보통", - "text": "Azure Arc를 사용하여 Azure 외부의 Windows 및 Linux VM에 대한 패치 메커니즘으로 Azure Update Manager를 사용합니다.", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "text": "워크플로에서 DevOps 및 CI/CD 구현", "waf": "작업" }, { - "arm-service": "microsoft.network/networkWatchers", - "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": 
"https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", "severity": "보통", - "text": "Network Watcher를 사용하여 트래픽 흐름을 사전에 모니터링합니다.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "작업" + "text": "클라이언트 인증서 인증을 사용하여 API 보안", + "waf": "안전" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", "severity": "보통", - "text": "인사이트 및 보고를 위해 Azure Monitor 로그를 사용합니다.", - "waf": "작업" + "text": "클라이언트 인증서 인증을 사용한 보안 백엔드 서비스", + "waf": "안전" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", "severity": "보통", - "text": "Azure Monitor 경고를 사용하여 운영 경고를 생성합니다.", - "waf": "작업" + "text": "'OWASP API 보안 상위 10개 위협을 완화하기 위한 권장 사항' 
문서를 검토하고 API에 적용할 수 있는 항목을 확인합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", "severity": "보통", - "text": "Azure Automation 계정을 통해 변경 및 인벤토리 추적을 사용하는 경우 Log Analytics 작업 영역과 자동화 계정을 함께 연결하는 데 지원되는 지역을 선택했는지 확인합니다.", - "waf": "작업" + "text": "권한 부여 기능을 사용하여 백엔드 API에 대한 OAuth 2.0 토큰 관리 간소화", + "waf": "안전" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", - "severity": "낮다", - "text": "Azure Backup을 사용하는 경우 기본 설정은 GRS이므로 백업에 올바른 백업 유형(GRS, ZRS & LRS)을 사용합니다.", - "waf": "신뢰도" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", + "severity": "높다", + "text": "전송 중인 정보를 암호화할 때 최신 TLS 버전을 사용합니다. 
가능한 경우 오래되고 불필요한 프로토콜과 암호를 사용하지 않도록 설정합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", - "severity": "보통", - "text": "Azure 게스트 정책을 사용하여 VM 확장을 통해 소프트웨어 구성을 자동으로 배포하고 규격 기준 VM 구성을 적용합니다.", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", + "severity": "높다", + "text": "비밀(명명된 값)이 안전하게 액세스하고 업데이트할 수 있도록 Azure Key Vault에 저장되었는지 확인합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "description": "Azure Policy의 게스트 구성 기능을 사용하여 컴퓨터 설정(예: OS, 애플리케이션, 환경)을 감사하고 수정하여 리소스가 예상 구성에 맞게 조정되도록 하고, 업데이트 관리는 VM에 대한 패치 관리를 적용할 수 있습니다.", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", "severity": "보통", - "text": "Azure Policy를 통해 VM 보안 구성 드리프트를 모니터링합니다.", + "text": "가능할 때마다 관리 ID를 사용하여 다른 Azure 리소스에 인증", "waf": "안전" }, { - "arm-service": 
"Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", - "severity": "보통", - "text": "Azure-to-Azure Virtual Machines 재해 복구 시나리오에는 Azure Site Recovery를 사용합니다. 이렇게 하면 지역 간에 워크로드를 복제할 수 있습니다.", - "waf": "작업" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", + "severity": "높다", + "text": "APIM 앞에 Application Gateway를 배포하여 WAF(웹 애플리케이션 방화벽) 사용Use Web Application Firewall (WAF) by deploying Application Gateway in of APIM", + "waf": "안전" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", - "severity": "보통", - "text": "Azure 네이티브 백업 기능 또는 Azure 호환 타사 백업 솔루션을 사용합니다.", - "waf": "작업" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", + "severity": "높다", + "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 Logic App 호스팅 계획 선택Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", "severity": "높다", - "text": "Azure Front Door 및 Azure Application Gateway와 같은 애플리케이션 배달 서비스에서 WAF 로그를 저장하는 진단 설정을 추가합니다. 로그를 정기적으로 검토하여 공격 및 가양성 탐지를 확인합니다.", - "waf": "작업" + "text": "영역 중복 및 가용성 영역을 사용하여 지역 오류로부터 논리 앱 보호Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "신뢰도" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", - "severity": "보통", - "text": "Azure Front Door 및 Azure Application Gateway와 같은 애플리케이션 배달 서비스에서 Microsoft Sentinel로 WAF 로그를 보냅니다. 
공격을 탐지하고 WAF 텔레메트리를 전체 Azure 환경에 통합합니다.", - "waf": "작업" + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "severity": "높다", + "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", "severity": "높다", - "text": "Azure Key Vault를 사용하여 비밀과 자격 증명을 저장합니다.", - "waf": "안전" + "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", "severity": "보통", - "text": "서로 다른 애플리케이션 및 지역에 대해 서로 다른 Azure Key Vault를 사용하여 트랜잭션 규모 제한을 방지하고 비밀에 대한 액세스를 제한합니다.", - "waf": "안전" + "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", "severity": "보통", - "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", - "waf": "안전" + "text": "Azure Front Door에서 고객 관리형 TLS 인증서를 사용하는 경우 '최신' 인증서 버전을 사용합니다. 
수동 인증서 갱신으로 인한 중단 위험 감소", + "waf": "작업" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", "severity": "보통", - "text": "키, 비밀 및 인증서를 영구적으로 삭제할 수 있는 권한 부여를 특수 사용자 지정 Microsoft Entra ID 역할로 제한하여 최소 권한 모델을 따릅니다.", + "text": "Application Gateway v2 SKU를 사용하고 있는지 확인합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "안전" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", "severity": "보통", - "text": "공용 인증 기관을 통해 인증서 관리 및 갱신 프로세스를 자동화하여 관리를 용이하게 합니다.", + "text": "Azure Load Balancer에 표준 SKU를 사용하고 있는지 확인합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", "severity": "보통", - "text": "키 및 인증서 교체를 위한 자동화된 프로세스를 설정합니다.", + "text": "Load Balancer 프런트 엔드 IP 주소가 영역 중복인지 확인합니다(영역 프런트 엔드가 필요하지 않은 경우).", "waf": "안전" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", "severity": "보통", - "text": "자격 증명 모음에서 방화벽 및 가상 네트워크 서비스 엔드포인트 또는 프라이빗 엔드포인트를 사용하도록 설정하여 키 자격 증명 모음에 대한 액세스를 제어합니다.", + "text": "Application Gateways v2는 
IP 접두사가 /24보다 크거나 같은 서브넷에 배포해야 합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "안전" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "description": "일반적으로 역방향 프록시 및 특히 WAF의 관리는 네트워킹보다 애플리케이션에 더 가깝기 때문에 앱과 동일한 구독에 속합니다. 연결 구독에서 Application Gateway 및 WAF를 중앙 집중화하는 것은 단일 팀에서 관리하는 경우 괜찮을 수 있습니다.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "severity": "보통", - "text": "플랫폼 중앙 Azure Monitor Log Analytics 작업 영역을 사용하여 Key Vault의 각 인스턴스 내에서 키, 인증서 및 비밀 사용을 감사합니다.", + "text": "랜딩 존 가상 네트워크 내에서 그리고 보안 중인 앱을 사용하여 인바운드 HTTP(S) 연결을 프록시하는 데 사용되는 Azure Application Gateway v2 또는 파트너 NVA를 배포합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "안전" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "severity": "보통", - "text": "Key Vault 인스턴스화 및 권한 있는 액세스를 위임하고 Azure Policy를 사용하여 일관된 규정 준수 구성을 적용합니다.", + "text": "애플리케이션 랜딩 존의 모든 공용 IP 주소에 대해 DDoS 네트워크 또는 IP 보호 계획을 사용합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - 
"arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", "severity": "보통", - "text": "애플리케이션별, 환경별, 지역별 Azure Key Vault를 사용합니다.", - "waf": "안전" + "text": "최소 2개의 인스턴스로 자동 크기 조정을 구성합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", "severity": "보통", - "text": "사용자 고유의 키를 가져오려는 경우 고려되는 모든 서비스에서 지원되지 않을 수 있습니다. 불일치가 원하는 결과를 방해하지 않도록 관련 완화를 구현합니다. 
대기 시간을 최소화하는 적절한 지역 쌍과 재해 복구 지역을 선택합니다.", - "waf": "안전" + "text": "가용성 영역에 Application Gateway 배포Deploy Application Gateway across Availability Zones", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", "severity": "보통", - "text": "Sovereign Landing Zone의 경우 Azure Key Vault 관리형 HSM을 사용하여 비밀과 자격 증명을 저장합니다.", + "text": "WAF 정책과 함께 Azure Front Door를 사용하여 여러 Azure 지역에 걸쳐 있는 글로벌 HTTP/S 앱을 제공하고 보호할 수 있습니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", "severity": "보통", - "text": "Microsoft Entra ID 보고 기능을 사용하여 액세스 제어 감사 보고서를 생성합니다.", + "text": "Front Door 및 Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Front Door에서 WAF 정책을 사용합니다. 
Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", "severity": "높다", - "text": "모든 구독에 대해 Defender 클라우드 보안 태세 관리를 사용하도록 설정합니다.", + "text": "Traffic Manager를 사용하여 HTTP/S 이외의 프로토콜에 걸쳐 있는 글로벌 앱을 제공합니다.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "신뢰도" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": "낮다", + "text": "사용자가 내부 애플리케이션에만 액세스해야 하는 경우 Microsoft Entra ID 애플리케이션 프록시를 AVD(Azure Virtual Desktop)의 대안으로 고려했나요?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", - "severity": "높다", - "text": "모든 구독에서 서버에 대해 Defender 클라우드 워크로드 보호 계획을 사용하도록 설정합니다.", + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": 
"Entra", + "severity": "보통", + "text": "네트워크에서 들어오는 연결에 대해 열려 있는 방화벽 포트 수를 줄이려면 Microsoft Entra ID 애플리케이션 프록시를 사용하여 원격 사용자에게 내부 애플리케이션에 대한 안전하고 인증된 액세스를 제공하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "안전" }, { - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", "severity": "높다", - "text": "모든 구독에서 Azure 리소스에 대한 Defender 클라우드 워크로드 보호 계획을 사용하도록 설정합니다.", + "text": "Web Application Firewall이 트래픽을 허용하거나 거부하기 위해 적절한 조치를 취하도록 Front Door에 대한 WAF 정책을 '방지' 모드'에 배포합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": 
"062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", "severity": "높다", - "text": "IaaS 서버에서 Endpoint Protection을 사용하도록 설정합니다.", + "text": "Azure Traffic Manager와 Azure Front Door를 결합하지 마세요.", "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", - "severity": "보통", - "text": "Azure Monitor 로그 및 클라우드용 Defender를 통해 기본 운영 체제 패치 드리프트를 모니터링합니다.", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", + "severity": "높다", + "text": "Azure Front Door 및 원본에서 동일한 도메인 이름을 사용합니다. 
일치하지 않는 호스트 이름은 미묘한 버그를 유발할 수 있습니다.", "waf": "안전" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", - "severity": "보통", - "text": "기본 리소스 구성을 중앙 집중식 Azure Monitor Log Analytics 작업 영역에 연결합니다.", - "waf": "안전" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "낮다", + "text": "Azure Front Door 원본 그룹에 원본이 하나만 있는 경우 상태 프로브를 사용하지 않도록 설정합니다.", + "waf": "공연" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front 
Door", "severity": "보통", - "text": "Sovereign Landing Zone의 경우 Entra ID 테넌트에서 투명 로그를 사용하도록 설정합니다.", - "waf": "안전" + "text": "Azure Front Door에 대한 양호한 상태 프로브 엔드포인트를 선택합니다. 애플리케이션의 모든 종속성을 확인하는 상태 엔드포인트를 구축하는 것이 좋습니다.", + "waf": "신뢰도" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", - "severity": "보통", - "text": "Sovereign Landing Zone의 경우 Entra ID 테넌트에서 고객 Lockbox를 사용하도록 설정합니다.", - "waf": "안전" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", + "severity": "낮다", + "text": "Azure Front Door와 함께 HEAD 상태 프로브를 사용하여 Front Door가 애플리케이션으로 보내는 트래픽을 줄입니다.", + "waf": "공연" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", + "ammp": true, + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": 
"https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", "severity": "높다", - "text": "스토리지 계정에 대한 보안 전송을 사용하도록 설정합니다.", - "waf": "안전" + "text": "SNAT 확장성 향상을 위해 Load Balancer 아웃바운드 규칙 대신 Azure NAT Gateway 사용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", "severity": "높다", - "text": "스토리지 계정에 대해 컨테이너 일시 삭제를 사용하도록 설정하여 삭제된 컨테이너와 해당 콘텐츠를 복구합니다.", - "waf": "안전" + "text": "Azure Front Door에서 관리형 TLS 인증서를 사용합니다. 
운영 비용을 줄이고 인증서 갱신으로 인한 중단 위험을 줄입니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", - "severity": "높다", - "text": "Key Vault 비밀을 사용하여 자격 증명(가상 머신 사용자 암호), 인증서 또는 키와 같은 중요한 정보를 하드 코딩하지 않도록 합니다.", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", + "severity": "보통", + "text": "Azure Front Door WAF 구성을 코드로 정의합니다. 코드를 사용하면 새 규칙 집합 버전을 보다 쉽게 채택하고 추가 보호를 얻을 수 있습니다.", "waf": "작업" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "text": "Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview 의 데이터 수집 규칙", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "비용" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", + "severity": "높다", + "text": "Azure Front Door에서 엔드투엔드 TLS를 사용합니다. 
클라이언트에서 Front Door로, Front Door에서 원본으로 연결하는 데 TLS를 사용합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "text": "기본 데이터 원본을 찾을 수 없는 백업 인스턴스 확인", - "waf": "비용" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", + "severity": "보통", + "text": "Azure Front Door에서 HTTP를 HTTPS로 리디렉션을 사용합니다. 이전 클라이언트를 HTTPS 요청으로 자동으로 리디렉션하여 지원합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "text": "연결되지 않은 서비스(디스크, NIC, IP 주소 등) 삭제 또는 보관", - "waf": "비용" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", + "severity": "높다", + "text": "Azure Front Door WAF를 사용하도록 설정합니다. 
다양한 공격으로부터 응용 프로그램을 보호합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", - "text": "중요 업무용 응용 프로그램에 대한 Site Recovery 저장소와 백업 간의 적절한 균형을 고려합니다.", - "waf": "비용" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", + "severity": "높다", + "text": "검색 모드에서 WAF를 구성하여 가양성 검색을 줄이고 수정하여 워크로드에 맞게 Azure Front Door WAF를 조정합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "text": "40개의 서로 다른 로그 분석 작업 영역 간의 지출 및 절감 기회 확인 - 비프로덕션 작업 영역에 대해 서로 다른 보존 및 데이터 수집 사용-인식 및 계층 크기 조정을 위한 일일 한도 만들기 - 일일 한도를 설정하는 경우 한도에 도달할 때 경고를 만드는 것 외에도 특정 비율(예: 90%)에 도달했을 때 알림을 받을 경고 규칙도 만들어야 합니다. 
- 가능한 경우 작업 영역 변환 고려 - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "비용" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", + "severity": "높다", + "text": "Azure Front Door WAF 정책에서 요청 본문 검사 기능을 사용하도록 설정합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", - "text": "제거 로그 정책 및 자동화 적용(필요한 경우 로그를 콜드 스토리지로 이동할 수 있음)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "비용" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", + "severity": "높다", + "text": "Azure Front Door WAF 기본 규칙 집합을 사용하도록 설정합니다. 
기본 규칙 집합은 일반적인 공격을 탐지하고 차단합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "text": "디스크가 실제로 필요한지 확인하고, 그렇지 않은 경우 삭제하십시오. 필요한 경우 더 낮은 스토리지 계층을 찾거나 백업을 사용합니다.", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "비용" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", + "severity": "높다", + "text": "Azure Front Door WAF 봇 보호 규칙 집합을 사용하도록 설정합니다. 봇 규칙은 좋은 봇과 나쁜 봇을 감지합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - "text": "사용자 지정 규칙을 사용하여 사용하지 않는 스토리지를 하위 계층으로 이동하는 것이 좋습니다 - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "비용" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", + "severity": "보통", + "text": "최신 
Azure Front Door WAF 규칙 집합 버전을 사용합니다. 규칙 집합 업데이트는 현재 위협 환경을 고려하기 위해 정기적으로 업데이트됩니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "text": "Advisor가 VM 올바른 크기 조정에 대해 구성되어 있는지 확인합니다. ", - "waf": "비용" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", + "severity": "보통", + "text": "Azure Front Door WAF에 속도 제한을 추가합니다. 속도 제한은 클라이언트가 실수로 또는 의도적으로 짧은 시간에 많은 양의 트래픽을 보내는 것을 차단합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "description": "Cost analysys에서 Meter Category Licenses를 검색하여 확인합니다.", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", - "text": "모든 Windows VM에서 스크립트 실행 https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- Windows VM을 자주 만드는 경우 정책 구현을 고려합니다.", - "waf": "비용" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", + "severity": "보통", + "text": "Azure Front Door WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호를 제공합니다. 
", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "text": " 이미 라이선스가 있는 경우 AHUB에 넣을 수도 https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "비용" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", + "severity": "낮다", + "text": "모든 지역에서 트래픽이 발생할 것으로 예상되지 않는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", - "text": "유연성 옵션을 사용하여 예약된 VM 제품군 통합(4-5개 이하의 제품군)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "비용" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", + "severity": "보통", + "text": "Azure Front Door WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. 
IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 마세요.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", - "text": "Azure Reserved Instances 활용: 이 기능을 사용하면 1년 또는 3년 동안 VM을 예약할 수 있으므로 PAYG 가격에 비해 상당한 비용 절감 효과를 얻을 수 있습니다.", - "waf": "비용" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", + "severity": "높다", + "text": "Azure Application Gateway WAF 봇 보호 규칙 집합을 사용하도록 설정합니다. 
봇 규칙은 좋은 봇과 나쁜 봇을 감지합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", - "text": "더 큰 디스크만 예약할 수 있습니다 => 1TiB -", - "waf": "비용" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", + "severity": "높다", + "text": "Azure Application Gateway WAF 정책에서 요청 본문 검사 기능을 사용하도록 설정합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "text": "적절한 크기 최적화 후", - "waf": "비용" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", + "severity": "높다", + "text": "워크로드에 대한 검색 모드에서 Azure Application Gateway WAF를 조정합니다. 
거짓 긍정 탐지를 줄입니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Sql/servers", - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", - "text": "적용 가능한 경우 확인 및 정책/변경 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations 시행", - "waf": "비용" + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "App Gateway", + "severity": "높다", + "text": "'방지' 모드에서 Application Gateway에 대한 WAF 정책을 배포합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", - "text": "VM + 라이선스 부분 할인(ahub + 3YRI)은 약 70% 할인입니다.", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + 
"guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", + "severity": "보통", + "text": "Azure Application Gateway WAF에 속도 제한을 추가합니다. 속도 제한은 클라이언트가 실수로 또는 의도적으로 짧은 시간에 많은 양의 트래픽을 보내는 것을 차단합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", - "text": "플랫 사이징보다는 VMSS를 사용하여 수요에 맞추는 것이 좋습니다", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", + "severity": "보통", + "text": "Azure Application Gateway WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호를 제공합니다. 
", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "text": "AKS 자동 크기 조정기를 사용하여 클러스터 사용량과 일치시킵니다(Pod 요구 사항이 스케일러와 일치하는지 확인).", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "낮다", + "text": "모든 지역에서 트래픽이 발생할 것으로 예상되지 않는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "text": "해당하는 경우 복구 지점을 자격 증명 모음 보관으로 이동(유효성 검사)Move recovery points to vault-archive where applicable (Validate)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", + "severity": "보통", + "text": "Azure Application Gateway WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. 
IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 마세요.", + "waf": "안전" }, { - "arm-service": "Microsoft.Databricks/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "text": "가능한 경우 대체와 함께 스폿 VM을 사용하는 것이 좋습니다. 클러스터의 자동 종료를 고려합니다.", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", + "severity": "보통", + "text": "최신 Azure Application Gateway WAF 규칙 집합 버전을 사용합니다. 규칙 집합 업데이트는 현재 위협 환경을 고려하기 위해 정기적으로 업데이트됩니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "text": "함수 - 연결 재사용", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", + "severity": "보통", + "text": "진단 설정을 추가하여 Azure Application Gateway WAF 로그를 저장합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": 
"https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "text": "함수 - 로컬에 데이터 캐시", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "비용" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", + "severity": "보통", + "text": "진단 설정을 추가하여 Azure Front Door WAF 로그를 저장합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "text": "기능 - 콜드 스타트 - '패키지에서 실행' 기능을 사용합니다. 이렇게 하면 코드가 단일 zip 파일로 다운로드됩니다. 예를 들어, 이것은 많은 노드 모듈이 있는 Javascript 함수를 크게 개선할 수 있습니다. 
언어별 도구를 사용하여 패키지 크기를 줄입니다(예: 트리 쉐이킹 Javascript 애플리케이션).", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", + "severity": "보통", + "text": "Azure Application Gateway WAF 로그를 Microsoft Sentinel로 보냅니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", - "text": "기능 - 기능을 따뜻하게 유지", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "비용" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", + "severity": "보통", + "text": "Azure Front Door WAF 로그를 Microsoft Sentinel로 보냅니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", - "text": "다른 함수와 함께 자동 크기 조정을 사용하는 경우 모든 리소스에 대한 모든 자동 크기 조정을 구동하는 것이 있을 수 있으므로 별도의 소비 계획으로 이동하는 것이 좋습니다(CPU에 대한 더 높은 계획 고려).", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", + "severity": "보통", + "text": "Azure Application Gateway WAF 구성을 코드로 정의합니다. 코드를 사용하면 새 규칙 집합 버전을 보다 쉽게 채택하고 추가 보호를 얻을 수 있습니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", - "text": "지정된 계획의 함수 앱은 모두 함께 크기가 조정되므로 크기 조정과 관련된 모든 문제는 계획의 모든 앱에 영향을 줄 수 있습니다.", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", + "severity": "보통", + "text": "레거시 WAF 구성 대신 WAF 정책을 사용합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "text": "'대기 시간'에 대한 요금이 청구되나요? 이 질문은 일반적으로 비동기 작업을 수행하고 결과를 기다리는 C # 함수 (예 : await Task.Delay(1000) 또는 await client )의 컨텍스트에서 묻습니다. GetAsync('http://google.com')입니다. 대답은 '예'입니다 - GB 초 계산은 함수의 시작 및 종료 시간과 해당 기간 동안의 메모리 사용량을 기반으로 합니다. CPU 작업 측면에서 해당 시간 동안 실제로 발생하는 일은 계산에 포함되지 않습니다. 이 규칙의 한 가지 예외는 지속성 함수를 사용하는 경우입니다. 오케스트레이터 함수에서 대기하는 데 소요된 시간에 대해서는 요금이 청구되지 않습니다.가능한 경우 수요 형성 기술을 적용합니다(개발 환경?) 
https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", + "severity": "보통", + "text": "예를 들어 NSG를 사용하여 Application Gateway 서브넷의 연결만 허용하도록 백 엔드에서 인바운드 트래픽을 필터링합니다.", + "waf": "안전" }, { "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "checklist": "Azure Application Delivery Networking", + "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", "service": "Front Door", - "text": "Frontdoor - 기본 홈페이지 끄기앱의 애플리케이션 설정에서 AzureWebJobsDisableHomepage를 true로 설정합니다. 이렇게 하면 PoP에 204(콘텐츠 없음)가 반환되므로 헤더 데이터만 반환됩니다.", - "waf": "비용" + "severity": "보통", + "text": "원본이 Azure Front Door 인스턴스의 트래픽만 가져와야 합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", - "text": "Frontdoor 프론트도어 - 아무것도 반환하지 않는 무언가로 라우팅합니다. 함수, 함수 프록시를 설정하거나 WebApp에서 200(정상)을 반환하고 콘텐츠를 보내지 않거나 최소한으로 보내는 경로를 추가합니다. 
이것의 장점은 호출될 때 로그아웃할 수 있다는 것입니다.", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", + "severity": "높다", + "text": "백엔드 서버에 대한 트래픽을 암호화해야 합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "text": "덜 사용되는 데이터에 대한 보관 계층 고려", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", + "severity": "높다", + "text": "웹 응용 프로그램 방화벽을 사용해야 합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", - "text": "크기가 계층과 일치하지 않는 디스크 크기를 확인합니다(예: 513GiB 디스크는 P30(1TiB)를 지불하고 크기 조정을 고려합니다.", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", + "severity": "보통", + "text": "HTTP를 HTTPS로 리디렉션", + "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": 
"https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "가능하면 프리미엄 또는 울트라 대신 표준 SSD를 사용하는 것이 좋습니다.", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", + "severity": "보통", + "text": "게이트웨이 관리 쿠키를 사용하여 처리를 위해 사용자 세션에서 동일한 서버로 트래픽을 전달합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "text": "스토리지 계정의 경우 선택한 계층이 트랜잭션 요금을 합산하지 않는지 확인합니다(다음 계층으로 이동하는 것이 더 저렴할 수 있음).", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", + "severity": "높다", + "text": "계획된 서비스 업데이트 중에 연결 드레이닝을 사용하도록 설정하여 백 엔드 풀의 기존 멤버에 대한 연결 손실을 방지합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "ASR의 경우 RPO/RTO 및 복제 처리량이 허용하는 경우 표준 SSD 디스크를 사용하는 것이 좋습니다", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": 
"https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "severity": "낮다", + "text": "사용자 지정 오류 페이지를 만들어 개인화된 사용자 환경을 표시합니다.", + "waf": "작업" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "스토리지 계정: 핫 계층 및/또는 GRS 필요 확인", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", + "severity": "보통", + "text": "클라이언트와 서버 간의 더 쉬운 라우팅 및 정보 교환을 위해 HTTP 요청 및 응답 헤더를 편집합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "VM", - "text": "디스크 - 모든 곳에서 프리미엄 SSD 디스크 사용의 유효성을 검사합니다. 예를 들어 비프로덕션은 표준 SSD 또는 주문형 프리미엄 SSD로 교환할 수 있습니다. 
", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", + "severity": "보통", + "text": "Front Door를 구성하여 글로벌 웹 트래픽 라우팅, 최상위 최종 사용자 성능 및 빠른 글로벌 장애 조치(failover)를 통해 안정성을 최적화합니다.", + "waf": "공연" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "예산을 만들어 비용을 관리하고 이해 관계자에게 지출 이상 및 초과 지출 위험을 자동으로 알리는 경고를 만듭니다.", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", + "severity": "보통", + "text": "전송 계층 부하 분산 사용", + "waf": "공연" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "추가 데이터 분석을 위해 비용 데이터를 스토리지 계정으로 내보냅니다.", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", + "severity": "보통", + "text": "단일 게이트웨이에서 여러 웹 응용 프로그램에 대한 호스트 또는 도메인 이름을 기반으로 라우팅을 구성합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "text": "리소스를 사용하지 않을 때 일시 중지하여 전용 SQL 풀에 대한 비용을 제어합니다.", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", + "severity": "보통", + "text": "SSL 인증서 관리를 중앙 집중화하여 백엔드 서버 팜의 암호화 및 암호 해독 오버헤드를 줄입니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "서버리스 Apache Spark 자동 일시 중지 기능을 활성화하고 그에 따라 제한 시간 값을 설정합니다.", - "waf": "비용" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", + "severity": "낮다", + "text": "WebSocket 및 HTTP/2 프로토콜에 대한 기본 지원을 위해 Application Gateway 사용", + "waf": "안전" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "다양한 크기의 Apache Spark 풀 정의를 여러 개 만듭니다.", - "waf": "비용" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "높다", + "text": "읽기 작업에 대해 99.9%의 가용성을 갖도록 복제본 2개 
사용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "사전 구매 플랜으로 1년 동안 Azure Synapse SCU(커밋 단위)를 구매하여 Azure Synapse Analytics 비용을 절감하세요.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "비용" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "보통", + "text": "읽기/쓰기 작업에 대해 99.9%의 가용성을 갖도록 복제본 3개 사용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "VM", - "text": "인터럽트 가능한 작업에 스폿 VM 사용: 할인된 가격으로 입찰 및 구매할 수 있는 VM으로, 중요하지 않은 워크로드에 비용 효율적인 솔루션을 제공합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "비용" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "severity": "높다", + "text": "읽기 및/또는 쓰기 복제본을 활성화하여 가용 영역 활용Leverage Availability Zones by enabling read and/or write replicas", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "VM", - "text": "모든 VM의 적절한 크기 조정", - "waf": "비용" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", + "severity": "보통", + "text": "지역 중복의 경우 Manually create services in 2 or more regions for Search는 지리적 지역 간에 검색 인덱스를 복제하는 자동화된 방법을 제공하지 않습니다", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "VM", - "text": "VM 크기를 정규화된 최신 크기로 바꾸기", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "비용" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", + "severity": "보통", + "text": "여러 서비스에서 데이터를 동기화하려면 인덱서를 사용하여 여러 서비스의 콘텐츠를 업데이트하거나 REST API를 사용하여 여러 서비스에서 콘텐츠 업데이트를 푸시합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "적절한 크기 조정 VM - 사용량을 5% 미만으로 모니터링하는 것으로 시작한 다음 최대 40%까지 작업", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "비용" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review 
Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", + "severity": "보통", + "text": "Azure Traffic Manager를 사용하여 요청 조정", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "애플리케이션을 컨테이너화하면 VM 밀도를 개선하고 확장 비용을 절감할 수 있습니다", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "비용" + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", + "severity": "높다", + "text": "Azure Cognitive Search 인덱스를 백업 및 복원합니다. 이 샘플 코드를 사용하여 인덱스 정의 및 스냅샷을 일련의 Json 파일에 백업합니다", + "waf": "신뢰도" }, { "arm-service": "microsoft.cache/redis", 
@@ -4923,3969 +4849,3943 @@ "service": "AVS", "severity": "높다", "text": "확장된 클러스터를 사용하는 경우 두 ExpressRoute 회로 모두에서 GlobalReach를 사용하도록 설정되어 있는지 확인합니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "높다", - "text": "사이트 재해 허용 범위 설정을 적절하게 고려하고 필요한 경우 비즈니스에 맞게 변경하십시오.", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", - "severity": "낮다", - "text": "AKS Windows 워크로드에 필요한 경우 HostProcess 컨테이너를 사용할 수 있습니다.", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", - "severity": "낮다", - "text": "이벤트 기반 워크로드를 실행하는 경우 KEDA 사용Use KEDA if running event-driven workloads", - "waf": "공연" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", - "severity": "낮다", - "text": "Dapr을 사용하여 마이크로 서비스 개발 용이", - "waf": "작업" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", - "severity": "높다", - "text": "SLA 지원 AKS 제품 사용", - "waf": "신뢰도" - 
}, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "낮다", - "text": "Pod 및 배포 정의에서 중단 예산 사용Use Disruption Budgets in your pod and deployment definitions", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", - "severity": "높다", - "text": "개인 레지스트리를 사용하는 경우 여러 지역에 이미지를 저장하도록 지역 복제를 구성합니다", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", - "severity": "낮다", - "text": "kubecost와 같은 외부 애플리케이션을 사용하여 다른 사용자에게 비용 할당", - "waf": "비용" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", - "severity": "낮다", - "text": "축소 모드를 사용하여 노드 삭제/할당 취소", - "waf": "비용" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", - "severity": "보통", - "text": "필요한 경우 AKS 클러스터에서 다중 인스턴스 분할 GPU 사용", - "waf": "비용" + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": 
"https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", - "severity": "낮다", - "text": "개발/테스트 클러스터를 실행하는 경우 NodePool 시작/중지를 사용합니다.", - "waf": "비용" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", + "severity": "높다", + "text": "사이트 재해 허용 범위 설정을 적절하게 고려하고 필요한 경우 비즈니스에 맞게 변경하십시오.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", - "severity": "보통", - "text": "Kubernetes용 Azure Policy를 사용하여 클러스터 규정 준수 보장", - "waf": "안전" + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", + "severity": "높다", + "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 Logic App 호스팅 계획 선택Select the right Logic App hosting plan based on your business & SLO requirements", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": 
"https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", - "severity": "보통", - "text": "사용자/시스템 노드 풀이 있는 컨트롤 플레인에서 응용 프로그램 분리", - "waf": "안전" + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "severity": "높다", + "text": "영역 중복 및 가용성 영역을 사용하여 지역 오류로부터 논리 앱 보호Protect logic apps from region failures with zone redundancy and availability zones", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", - "severity": "낮다", - "text": "시스템 nodepool에 taint를 추가하여 전용으로 만듭니다.", - "waf": "안전" + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", + "severity": "높다", + "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", - "severity": "보통", - "text": "이미지에 개인 레지스트리(예: ACR) 사용", - "waf": "안전" + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", + "severity": "높다", + "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 
마이그레이션합니다", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "보통", - "text": "이미지에서 취약성 검사", - "waf": "안전" + "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", - "severity": "높다", - "text": "앱 분리 요구 사항 정의(네임스페이스/노드 풀/클러스터)", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", + "severity": "보통", + "text": "ACSS(Azure Center for SAP solutions)는 SAP를 Azure의 최상위 워크로드로 만드는 Azure 제품입니다. ACSS는 Azure에서 SAP 시스템을 통합 워크로드로 만들고 실행할 수 있도록 하는 엔드투엔드 솔루션으로, 혁신을 위한 보다 원활한 기반을 제공합니다. 
신규 및 기존 Azure 기반 SAP 시스템 모두에 대한 관리 기능을 활용할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "severity": "보통", - "text": "CSI 비밀 저장소 드라이버를 사용하여 Azure Key Vault에 비밀 저장", - "waf": "안전" + "text": "Azure는 Linux 및 Windows에서 SAP 배포 자동화를 지원합니다. SAP Deployment Automation Framework는 SAP 환경을 배포, 설치 및 유지 관리할 수 있는 오픈 소스 오케스트레이션 도구입니다.", + "training": "https://github.com/Azure/sap-automation", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", - "severity": "높다", - "text": "클러스터에 서비스 주체를 사용하는 경우 주기적으로(예: 분기별) 자격 증명을 새로 고칩니다", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", + "severity": "보통", + "text": "RTO를 충족하는 시점과 시간 프레임에서 프로덕션 데이터베이스에 대한 특정 시점으로 복구를 수행합니다. 
특정 시점 복구에는 일반적으로 DBMS 계층 또는 SAP를 통해 데이터를 삭제하는 운영자 오류가 포함됩니다", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", "severity": "보통", - "text": "필요한 경우 키 관리 서비스 etcd 암호화를 추가합니다.", - "waf": "안전" + "text": "백업 및 복구 시간을 테스트하여 재해 발생 후 모든 시스템을 동시에 복원하기 위한 RTO 요구 사항을 충족하는지 확인합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "낮다", - "text": "필요한 경우 AKS용 기밀 컴퓨팅을 사용하는 것이 좋습니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", + "severity": "높다", + "text": "쌍을 이루는 지역 간에 표준 스토리지를 복제할 수 있지만 표준 스토리지를 사용하여 데이터베이스 또는 가상 하드 디스크를 저장할 수는 없습니다. 사용하는 쌍을 이루는 지역 간에만 백업을 복제할 수 있습니다. 다른 모든 데이터의 경우 SQL Server Always On 또는 SAP HANA 시스템 복제와 같은 네이티브 DBMS 기능을 사용하여 복제를 실행합니다. 
SAP 애플리케이션 계층에 Site Recovery, rsync 또는 robocopy 및 기타 타사 소프트웨어의 조합을 사용합니다.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "보통", - "text": "컨테이너용 Defender 사용 고려", - "waf": "안전" + "text": "Azure 가용성 영역을 사용하여 고가용성을 달성하는 경우 SAP 애플리케이션 서버와 데이터베이스 서버 간의 대기 시간을 고려해야 합니다. 대기 시간이 긴 영역의 경우 SAP 애플리케이션 서버와 데이터베이스 서버가 항상 동일한 영역에서 실행되도록 운영 절차를 마련해야 합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", "severity": "높다", - "text": "서비스 주체 대신 관리 ID 사용", - "waf": "안전" + "text": "온-프레미스에서 기본 및 보조 Azure 재해 복구 지역으로의 ExpressRoute 연결을 설정합니다. 
또한 ExpressRoute를 사용하는 대신 온-프레미스에서 주 및 보조 Azure 재해 복구 지역으로 VPN 연결을 설정하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", - "severity": "보통", - "text": "AAD와 인증 통합(관리형 통합 사용)", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", + "severity": "낮다", + "text": "DR 지역에서 데이터의 암호를 해독할 수 있도록 지역 간에 인증서, 비밀 또는 키와 같은 키 자격 증명 모음 콘텐츠를 복제합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "보통", - "text": "관리자 kubeconfig에 대한 액세스 제한(get-credentials --admin)", - "waf": "안전" + "text": "기본 및 재해 복구 가상 네트워크를 피어링합니다. 
예를 들어 HANA 시스템 복제의 경우 SAP HANA DB 가상 네트워크를 재해 복구 사이트의 SAP HANA DB 가상 네트워크에 피어링해야 합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", - "severity": "보통", - "text": "AAD RBAC와 권한 부여 통합", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "낮다", + "text": "SAP 배포에 Azure NetApp Files 스토리지를 사용하는 경우 최소한 두 지역의 프리미엄 계층에 두 개의 Azure NetApp Files 계정을 만듭니다.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "높다", - "text": "쿠버네티스에서 RBAC 권한을 제한하기 위해 네임스페이스 사용", - "waf": "안전" + "text": "기본 데이터베이스 복제 기술을 사용하여 HA 쌍의 데이터베이스를 동기화해야 합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", - "severity": "보통", - "text": "Pod ID 액세스 관리의 경우 Azure AD 워크로드 ID(미리 보기)를 사용합니다.", 
- "waf": "안전" + "checklist": "SAP Checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "높다", + "text": "기본 VNet(가상 네트워크)에 대한 CIDR은 DR 사이트 VNet의 CIDR과 충돌하거나 겹치지 않아야 합니다", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", - "severity": "보통", - "text": "AKS 비대화형 로그인의 경우 kubelogin(미리 보기)을 사용합니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "높다", + "text": "Site Recovery를 사용하여 응용 프로그램 서버를 DR 사이트에 복제합니다. Site Recovery는 중앙 서비스 클러스터 VM을 DR 사이트에 복제하는 데도 도움이 될 수 있습니다. 
DR을 호출할 때 DR 사이트에서 Linux Pacemaker 클러스터를 다시 구성해야 합니다(예: VIP 또는 SBD 바꾸기, corosync.conf 실행 등).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", - "severity": "보통", - "text": "AKS 로컬 계정 사용 안 함", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "높다", + "text": "단일 장애 지점에 대한 SAP 소프트웨어의 가용성을 고려합니다. 여기에는 SAP NetWeaver 및 SAP S/4HANA 아키텍처, SAP ABAP 및 ASCS + SCS에서 사용되는 DBMS와 같은 애플리케이션 내의 단일 실패 지점이 포함됩니다. 
또한 SAP Web Dispatcher와 같은 다른 도구도 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "낮다", - "text": "필요한 경우 Just-in-time 클러스터 액세스 구성", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "높다", + "text": "SAP 및 SAP 데이터베이스의 경우 자동 장애 조치(failover) 클러스터를 구현하는 것이 좋습니다. Windows에서 Windows Server 장애 조치(failover) 클러스터링은 장애 조치(failover)를 지원합니다. Linux에서 Linux Pacemaker 또는 SIOS Protection Suite 및 Veritas InfoScale과 같은 타사 툴은 장애 조치를 지원합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "낮다", - "text": "AKS에 필요한 경우 AAD 조건부 액세스 구성", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "높다", + "text": "Azure는 기본 및 보조 VM이 DBMS 데이터에 대한 스토리지를 공유하는 아키텍처를 지원하지 않습니다. 
DBMS 계층의 경우 일반적인 아키텍처 패턴은 기본 및 보조 VM에서 사용하는 것과 다른 스토리지 스택을 사용하여 동시에 데이터베이스를 복제하는 것입니다.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "severity": "낮다", - "text": "Windows AKS 워크로드에 필요한 경우 gMSA를 구성합니다. ", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", + "severity": "높다", + "text": "DBMS 데이터 및 트랜잭션/다시 실행 로그 파일은 Azure 지원 블록 스토리지 또는 Azure NetApp Files에 저장됩니다. Azure Files 또는 Azure Premium Files는 DBMS 데이터 및/또는 SAP 워크로드가 있는 다시 실행 로그 파일에 대한 스토리지로 지원되지 않습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", - "severity": "보통", - "text": "더 세밀하게 제어하려면 관리형 Kubelet ID를 사용하는 것이 좋습니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "severity": "높다", + "text": "ASCS + SCS 구성 요소 및 특정 고가용성 시나리오에 대해 Windows에서 Azure 공유 디스크를 사용할 수 있습니다. 
SAP 애플리케이션 계층 구성 요소 및 DBMS 계층에 대해 장애 조치(failover) 클러스터를 별도로 설정합니다. Azure는 현재 SAP 애플리케이션 계층 구성 요소와 DBMS 계층을 하나의 장애 조치(failover) 클러스터로 결합하는 고가용성 아키텍처를 지원하지 않습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", - "severity": "보통", - "text": "AGIC를 사용하는 경우 클러스터 간에 AppGW를 공유하지 마세요", + "checklist": "SAP Checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", + "severity": "높다", + "text": "SAP ASCS(애플리케이션 계층 구성 요소) 및 DBMS 계층에 대한 대부분의 장애 조치(failover) 클러스터에는 장애 조치(failover) 클러스터에 대한 가상 IP 주소가 필요합니다. Azure Load Balancer는 다른 모든 경우에 대한 가상 IP 주소를 처리해야 합니다. 한 가지 설계 원칙은 클러스터 구성당 하나의 부하 분산 장치를 사용하는 것입니다. 
부하 분산 장치의 표준 버전(표준 Load Balancer SKU)을 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", "severity": "높다", - "text": "AKS HTTP 라우팅 추가 기능을 사용하지 말고, 애플리케이션 라우팅 추가 기능과 함께 관리되는 NGINX 수신을 대신 사용합니다.", + "text": "로드 밸런서에서 유동 IP가 사용하도록 설정되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", - "severity": "보통", - "text": "Windows 워크로드의 경우 가속화된 네트워킹을 사용합니다.", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "severity": "높다", + "text": "고가용성 인프라를 배포하기 전에 선택한 지역에 따라 Azure 가용성 집합 또는 가용성 영역을 사용하여 배포할지 여부를 결정합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "신뢰도" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", "severity": "높다", - "text": "표준 ALB 사용(기본 ALB와 반대)", + "text": "SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)용 애플리케이션에 대한 인프라 SLA를 충족하려면 모든 구성 요소에 대해 동일한 고가용성 옵션(VM, 가용성 집합, 가용성 영역)을 선택해야 합니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", - "severity": "보통", - "text": "Azure CNI를 사용하는 경우 NodePools에 다른 서브넷을 사용하는 것이 좋습니다.", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "높다", + "text": "동일한 가용성 집합에 서로 다른 역할의 서버를 혼합하지 마십시오. 
중앙 서비스 VM, 데이터베이스 VM, 애플리케이션 VM을 자체 가용성 집합으로 유지", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "severity": "보통", - "text": "프라이빗 엔드포인트(기본 설정) 또는 Virtual Network 서비스 엔드포인트를 사용하여 클러스터에서 PaaS 서비스에 액세스", - "waf": "안전" + "text": "근접 배치 그룹을 사용하지 않는 한 Azure 가용성 영역 내에 Azure 가용성 집합을 배포할 수 없습니다.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", "severity": "높다", - "text": "요구 사항에 가장 적합한 CNI 네트워크 플러그 인 선택(Azure CNI 권장)", + "text": "가용성 집합을 만들 때 사용 가능한 최대 장애 도메인 및 업데이트 도메인 수를 사용합니다. 예를 들어 하나의 가용성 집합에 두 개 이상의 VM을 배포하는 경우 Azure의 계획된 유지 관리 외에도 잠재적인 물리적 하드웨어 오류, 네트워크 중단 또는 전원 중단의 영향을 제한하기 위해 최대 장애 도메인 수(3개)와 충분한 업데이트 도메인을 사용합니다. 
장애 도메인의 기본 수는 2개이며 나중에 온라인으로 변경할 수 없습니다.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "높다", - "text": "Azure CNI를 사용하는 경우 노드당 최대 Pod 수를 고려하여 서브넷 크기를 적절하게 조정합니다", - "waf": "공연" + "text": "가용성 집합 배포에서 Azure 근접 배치 그룹을 사용하는 경우 세 가지 SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)가 모두 동일한 근접 배치 그룹에 있어야 합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "높다", - "text": "Azure CNI를 사용하는 경우 최대 Pod/노드(기본값 30)를 확인합니다.", - "waf": "공연" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "내부 앱의 경우 조직은 방화벽에서 전체 AKS 서브넷을 여는 경우가 많습니다. 이렇게 하면 노드에 대한 네트워크 액세스도 열리고 잠재적으로 Pod에 대한 액세스도 열립니다(Azure CNI를 사용하는 경우). LoadBalancer IP가 다른 서브넷에 있는 경우 앱 클라이언트에서 이 IP만 사용할 수 있어야 합니다. 
또 다른 이유는 AKS 서브넷의 IP 주소가 부족한 리소스인 경우 서비스에 해당 IP 주소를 사용하면 클러스터의 최대 확장성이 감소하기 때문입니다.", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "낮다", - "text": "개인 IP LoadBalancer 서비스를 사용하는 경우 AKS 서브넷이 아닌 전용 서브넷을 사용합니다", - "waf": "안전" + "text": "SAP SID당 하나의 근접 배치 그룹을 사용합니다. 그룹은 가용성 영역 또는 Azure 지역에 걸쳐 있지 않습니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "높다", - "text": "그에 따라 서비스 IP 주소 범위의 크기를 조정합니다(클러스터 확장성이 제한됨).", + "text": "운영 체제에 따라 다음 서비스 중 하나를 사용하여 SAP 중앙 서비스 클러스터를 실행합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", - "severity": "낮다", - "text": "필요한 경우 자체 CNI 플러그인을 추가합니다.", - "waf": "안전" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "낮다", - "text": "필요한 경우 AKS에서 노드당 공용 IP 구성", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": 
"https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", + "severity": "보통", + "text": "Azure는 현재 동일한 Linux Pacemaker 클러스터에서 ASCS와 DB HA의 결합을 지원하지 않습니다. 개별 클러스터로 분리합니다. 그러나 최대 5개의 여러 중앙 서비스 클러스터를 한 쌍의 VM으로 결합할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "보통", - "text": "수신 컨트롤러를 사용하여 LoadBalancer 유형 서비스를 사용하여 노출하는 대신 웹 기반 앱을 노출합니다", + "text": "가용성 집합 또는 가용성 영역의 고가용성 쌍에 두 VM을 모두 배포합니다. 
이러한 VM은 크기가 동일하고 스토리지 구성이 동일해야 합니다.", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "낮다", - "text": "송신 트래픽 크기 조정을 위해 Azure NAT Gateway를 outboundType으로 사용", + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", + "severity": "보통", + "text": "Azure는 RHEL(Red Hat Enterprise Linux)에서 실행되는 동일한 고가용성 클러스터에 SAP HANA, ASCS/SCS 및 ERS 인스턴스의 설치 및 구성을 지원합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", - "severity": "보통", - "text": "Azure CNI IP 소모를 방지하기 위해 IP의 동적 할당 사용", + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "severity": "높다", + "text": "프리미엄 관리형 SSD에서 모든 프로덕션 시스템을 실행하고 Azure NetApp Files 또는 Ultra Disk Storage를 사용합니다. 
적어도 OS 디스크는 프리미엄 계층에 있어야 더 나은 성능과 최상의 SLA를 달성할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", "severity": "높다", - "text": "보안 요구 사항에 필요한 경우 AzFW/NVA를 사용하여 송신 트래픽 필터링", - "waf": "안전" + "text": "Azure의 SAP HANA는 SAP에서 인증한 스토리지 유형에서만 실행해야 합니다. 특정 볼륨은 해당되는 경우 특정 디스크 구성에서 실행되어야 합니다. 이러한 구성에는 Write Accelerator 사용 및 Premium Storage 사용이 포함됩니다. 
또한 스토리지에서 실행되는 파일 시스템이 시스템에서 실행되는 DBMS와 호환되는지 확인해야 합니다.", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", - "severity": "보통", - "text": "퍼블릭 API 엔드포인트를 사용하는 경우 액세스할 수 있는 IP 주소를 제한합니다", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", + "severity": "높다", + "text": "SAP 워크로드에 사용하는 스토리지 유형에 따라 고가용성을 구성하는 것이 좋습니다. 
Azure에서 사용할 수 있는 일부 스토리지 서비스는 Azure Site Recovery에서 지원되지 않으므로 고가용성 구성이 다를 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", "severity": "높다", - "text": "요구 사항에 따라 개인 클러스터를 사용합니다", - "waf": "안전" + "text": "일부 지역에서는 다양한 네이티브 Azure Storage 서비스(예: Azure Files, Azure NetApp Files, Azure Shared Disk)를 사용하지 못할 수 있습니다. 
따라서 장애 조치(failover) 후 DR 지역에서 유사한 SAP를 설정하려면 해당 스토리지 서비스가 DR 사이트에서 제공되는지 확인합니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "severity": "보통", - "text": "Windows 2019 및 2022 AKS 노드의 경우 Calico 네트워크 정책을 사용할 수 있습니다. ", - "waf": "안전" + "text": "SAP System Start-Stop을 자동화하여 비용을 관리합니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "높다", - "text": "Kubernetes 네트워크 정책 옵션 사용(Calico/Azure)", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "낮다", + "text": "SAP HANA와 함께 Azure Premium Storage를 사용하는 경우 Azure 표준 SSD 스토리지를 사용하여 비용에 민감한 스토리지 솔루션을 선택할 수 있습니다. 그러나 표준 SSD 또는 표준 HDD Azure Storage를 선택하면 개별 VM의 SLA에 영향을 줍니다. 
또한 비프로덕션 환경과 같이 I/O 처리량이 낮고 대기 시간이 짧은 시스템의 경우 더 낮은 시리즈 VM을 사용할 수 있습니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "높다", - "text": "쿠버네티스 네트워크 정책을 사용하여 클러스터 내 보안 강화", - "waf": "안전" + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "낮다", + "text": "저렴한 대체 구성(다목적)으로 비프로덕션 HANA 데이터베이스 서버 VM에 대해 저성능 SKU를 선택할 수 있습니다. 그러나 E 시리즈와 같은 일부 VM 유형은 HANA 인증(SAP HANA 하드웨어 디렉터리)되지 않았거나 1ms 미만의 스토리지 대기 시간을 달성할 수 없습니다.", + "waf": "비용" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", "severity": "높다", - "text": "웹 워크로드(UI 또는 API)에 WAF 사용Use a WAF for web workloads (UIs or APIs)", + "text": "관리 그룹, 구독, 리소스 그룹 및 리소스에 대한 RBAC 모델 적용Enforce a RBAC model for management groups, subscriptions, resource groups and resources", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where 
type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "severity": "보통", - "text": "AKS Virtual Network에서 DDoS 표준 사용Use DDoS Standard in the AKS Virtual Network", + "text": "클라우드 커넥터를 통해 SAP 클라우드 애플리케이션에서 SAP 온-프레미스(IaaS 포함)로 ID를 전달하기 위한 보안 주체 전파 적용", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - 
"service": "AKS", - "severity": "낮다", - "text": "필요한 경우 회사 HTTP 프록시를 추가합니다.", + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", + "severity": "보통", + "text": "SAML을 사용하여 Azure AD로 SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics 및 SAP C4C와 같은 SAP SaaS 애플리케이션에 대한 SSO를 구현합니다.", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "severity": "보통", - "text": "고급 마이크로서비스 통신 관리를 위해 서비스 메시를 사용하는 것이 좋습니다", + "text": "SAML을 사용하여 SAP Fiori 및 SAP Web GUI와 같은 SAP NetWeaver 기반 웹 애플리케이션에 대한 SSO를 구현합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", - "severity": "높다", - "text": "가장 중요한 메트릭에 대한 경고 구성(권장 사항은 Container Insights 참조)", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", + "severity": "보통", + "text": "SAML을 사용하여 SAP Fiori 및 SAP Web GUI와 같은 SAP NetWeaver 기반 웹 애플리케이션에 대한 SSO를 구현합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "waf": 
"안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", - "severity": "낮다", - "text": "Azure Advisor에서 클러스터에 대한 권장 사항을 정기적으로 확인합니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", + "severity": "보통", + "text": "SAP NetWeaver SSO 또는 파트너 솔루션을 사용하여 SAP GUI에 대한 SSO를 구현할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", - "severity": "낮다", - "text": "AKS 자동 인증서 회전 사용", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", + "severity": "보통", + "text": "SAP GUI 및 웹 브라우저 액세스를 위한 SSO의 경우 구성 및 유지 관리가 용이하여 SNC/Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. 
X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP 보안 로그인 서버를 고려합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", - "severity": "높다", - "text": "kubernetes 버전을 주기적으로(예: 분기별) 업그레이드하거나 AKS 자동 업그레이드 기능을 사용하는 정기적인 프로세스가 있습니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", + "severity": "보통", + "text": "SAP GUI 및 웹 브라우저 액세스를 위한 SSO의 경우 구성 및 유지 관리가 용이하여 SNC/Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP 보안 로그인 서버를 고려합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", - "severity": "높다", - "text": "node-image upgrade를 사용하지 않는 경우 Linux 노드 업그레이드에 kured를 사용합니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", + "severity": "보통", + "text": "SAP NetWeaver용 OAuth를 사용하여 SSO를 구현하여 타사 또는 사용자 지정 애플리케이션이 SAP NetWeaver OData 서비스에 액세스할 수 있도록 합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": 
"https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", - "severity": "높다", - "text": "클러스터 노드 이미지를 주기적으로(예: 매주) 업그레이드하는 정기적인 프로세스가 있습니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", + "severity": "보통", + "text": "SAP HANA에 대한 SSO 구현", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "낮다", - "text": "gitops를 고려하여 애플리케이션 또는 클러스터 구성을 여러 클러스터에 배포합니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", + "severity": "보통", + "text": "Azure AD를 RISE에서 호스트되는 SAP 시스템의 ID 공급자로 간주합니다. 
자세한 내용은 Azure AD와 서비스 통합을 참조하세요.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", - "severity": "낮다", - "text": "프라이빗 클러스터에서 AKS 명령 호출을 사용하는 것이 좋습니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", + "severity": "보통", + "text": "SAP에 액세스하는 애플리케이션의 경우 보안 주체 전파를 사용하여 SSO를 설정할 수 있습니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", - "severity": "낮다", - "text": "계획된 이벤트의 경우 노드 자동 드레인 사용을 고려하십시오.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", + "severity": "보통", + "text": "SAP IAS(Identity Authentication Service)가 필요한 SAP BTP 서비스 또는 SaaS 솔루션을 사용하는 경우 SAP Cloud Identity Authentication Services와 Azure AD 간에 SSO를 구현하여 해당 SAP 서비스에 액세스하는 것이 좋습니다. 
이 통합을 통해 SAP IAS는 프록시 ID 공급자 역할을 하고 중앙 사용자 저장소 및 ID 공급자인 Azure AD에 인증 요청을 전달할 수 있습니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", - "severity": "높다", - "text": "노드 RG(일명 '인프라 RG')의 운영자가 변경을 수행하지 않도록 자체 거버넌스 관행을 개발합니다.", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", + "severity": "보통", + "text": "SAP BTP에 대한 SSO 구현", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "낮다", - "text": "사용자 정의 노드 RG (일명 '인프라 RG') 이름 사용", - "waf": "작업" + "checklist": "SAP Checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", + "severity": "보통", + "text": "SAP SuccessFactors를 사용하는 경우 Azure AD 자동화된 사용자 프로비저닝을 사용하는 것이 좋습니다. 이 통합을 통해 SAP SuccessFactors에 새 직원을 추가할 때 Azure AD에서 해당 사용자 계정을 자동으로 만들 수 있습니다. 필요에 따라 Microsoft 365 또는 Azure AD 지원하는 기타 SaaS 애플리케이션에서 사용자 계정을 만들 수 있습니다. 
SAP SuccessFactors에 이메일 주소의 쓰기 저장을 사용합니다.", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", "severity": "보통", - "text": "YAML 매니페스트에서 더 이상 사용되지 않는 Kubernetes API를 사용하지 마십시오.", + "text": "SAP 구독에 기존 관리 그룹 정책 적용", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", - "severity": "낮다", - "text": "테인트 Windows 노드", + "checklist": "SAP Checklist", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "높다", + "text": "긴밀하게 결합된 애플리케이션을 동일한 SAP 구독에 통합하여 추가적인 라우팅 및 관리 복잡성 방지", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", - "service": "AKS", - "severity": "낮다", - "text": "Windows 컨테이너 패치 수준을 호스트 패치 수준과 동기화된 상태로 유지", + "checklist": "SAP Checklist", + "guid": 
"9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "높다", + "text": "구독을 배율 단위로 활용하고 리소스를 확장하려면 환경별로 구독을 배포하는 것이 좋습니다. 샌드박스, 비프로덕션, 프로덕션 ", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "클러스터 수준의 진단 설정을 통해Via Diagnostic Settings at the cluster level", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", - "severity": "낮다", - "text": "마스터 로그(즉, API 로그)를 Azure Monitor 또는 기본 로그 관리 솔루션으로 보냅니다", + "checklist": "SAP Checklist", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", + "severity": "높다", + "text": "구독 프로비저닝의 일부로 할당량 증가 확인(예: 구독 내에서 사용 가능한 총 VM 코어)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", "severity": "낮다", - "text": "필요한 경우 nodePool 스냅샷을 사용합니다.", - "waf": "비용" + "text": "할당량 API는 Azure 서비스에 대한 할당량을 보고 관리하는 데 사용할 수 있는 REST API입니다. 
필요한 경우 사용을 고려하십시오.", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", - "severity": "낮다", - "text": "시간에 민감하지 않은 워크로드에 대한 스폿 노드 풀 고려", + "checklist": "SAP Checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", + "severity": "높다", + "text": "가용성 영역에 배포하는 경우 할당량이 승인되면 VM의 영역 배포를 사용할 수 있는지 확인합니다. 필요한 구독, VM 시리즈, CPU 수 및 가용성 영역을 사용하여 지원 요청을 제출합니다.", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", - "severity": "낮다", - "text": "빠른 버스팅을 위해 AKS 가상 노드 고려", + "checklist": "SAP Checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", + "severity": "높다", + "text": "예를 들어 선택한 배포 지역 내에서 필요한 서비스 및 기능을 사용할 수 있는지 확인합니다. 
ANF, 지역 등.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "높다", - "text": "Container Insights(또는 Prometheus와 같은 다른 도구)를 사용하여 클러스터 지표 모니터링", + "checklist": "SAP Checklist", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", + "severity": "보통", + "text": "비용 분류 및 리소스 그룹화를 위해 Azure 리소스 태그 활용(BillTo, 부서(또는 사업부), 환경(프로덕션, 스테이지, 개발), 계층(웹 계층, 애플리케이션 계층), 애플리케이션 소유자, 프로젝트 이름)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "severity": "높다", - "text": "Container Insights(또는 Telegraf/ElasticSearch와 같은 다른 도구)를 사용하여 클러스터 로그를 저장하고 분석합니다.", - "waf": "작업" + "text": "Azure Backup 서비스를 사용하여 HANA 데이터베이스를 보호할 수 있습니다.", + "training": 
"https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", "severity": "보통", - "text": "노드의 CPU 및 메모리 사용률 모니터링", - "waf": "작업" + "text": "HANA, Oracle 또는 DB2 데이터베이스용 Azure NetApp Files를 배포하는 경우 Azure 애플리케이션 일치 스냅샷 도구(AzAcSnap)를 사용하여 애플리케이션 일치 스냅샷을 만듭니다. AzAcSnap은 Oracle 데이터베이스도 지원합니다. 개별 VM이 아닌 중앙 VM에서 AzAcSnap을 사용하는 것이 좋습니다.", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "보통", - "text": "Azure CNI를 사용하는 경우 노드당 사용되는 Pod IP의 %를 모니터링합니다.", + "checklist": "SAP Checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "높다", + "text": "운영 체제와 SAP 시스템 간의 표준 시간대 일치를 확인합니다.", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "OS 디스크의 I/O는 중요한 리소스입니다. 
노드의 OS가 I/O에서 제한되면 예측할 수 없는 동작이 발생할 수 있으며, 일반적으로 노드가 NotReady로 선언됩니다", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", "severity": "보통", - "text": "노드에서 OS 디스크 큐 크기 모니터링Monitor OS disk queue depth in nodes", - "waf": "작업" + "text": "동일한 클러스터에서 서로 다른 애플리케이션 서비스를 그룹화하지 마세요. 예를 들어 DRBD와 중앙 서비스 클러스터를 동일한 클러스터에 결합하지 마세요. 그러나 동일한 Pacemaker 클러스터를 사용하여 약 5개의 서로 다른 중앙 서비스(다중 SID 클러스터)를 관리할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", + "severity": "낮다", + "text": "Azure 실행 비용을 절감하고 최적화하기 위해 다시 알림 모델에서 개발/테스트 시스템을 실행하는 것이 좋습니다.", + "waf": "비용" + }, + { + "checklist": "SAP Checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", "severity": "보통", - "text": "AzFW/NVA에서 송신 필터링을 사용하지 않는 경우 표준 ALB 할당 SNAT 포트를 모니터링합니다", + "text": "SAP 자산을 관리하여 고객과 파트너 관계를 맺는 경우 Azure Lighthouse를 사용하는 것이 좋습니다. Azure Lighthouse를 사용하면 관리 서비스 공급자가 Azure 네이티브 ID 서비스를 사용하여 고객 환경에 인증할 수 있습니다. 
고객은 언제든지 액세스 권한을 취소하고 서비스 제공업체의 조치를 감사할 수 있으므로 고객의 손에 제어 권한을 부여합니다.", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", "severity": "보통", - "text": "AKS 클러스터에 대한 Resource Health 알림 구독Subscribe to resource health notifications for your AKS cluster", + "text": "Azure Update Manager를 사용하여 단일 VM 또는 여러 VM에 대해 사용 가능한 업데이트의 상태를 확인하고 정기적인 패치를 예약하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "높다", - "text": "Pod 규격에서 요청 및 제한 구성", + "checklist": "SAP Checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", + "severity": "낮다", + "text": "SAP Landscape Management(LaMa)를 사용하여 SAP Basis 운영을 최적화하고 관리합니다. 
Azure용 SAP LaMa 커넥터를 사용하여 SAP 시스템을 재배치, 복사, 복제 및 새로 고칩니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", "severity": "보통", - "text": "네임스페이스에 대한 리소스 할당량 적용Enforce resource quotas for namespaces", + "text": "SAP용 Azure Monitor 솔루션을 사용하여 Azure에서 SAP 워크로드(SAP HANA, 고가용성 SUSE 클러스터 및 SQL 시스템)를 모니터링합니다. SAP Solution Manager를 사용하여 SAP용 Azure Monitor 솔루션을 보완하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "severity": "높다", - "text": "구독에 노드 풀을 확장할 수 있는 충분한 할당량이 있는지 확인합니다.", + "text": "SAP용 VM 확장 검사를 실행합니다. SAP용 VM 확장은 VM(가상 머신)의 할당된 관리 ID를 사용하여 VM 모니터링 및 구성 데이터에 액세스합니다. 
이 검사는 SAP 애플리케이션의 모든 성능 메트릭이 기본 SAP용 Azure 확장에서 제공되는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "severity": "보통", - "text": "Cluster Autoscaler 사용", - "waf": "공연" + "text": "액세스 제어 및 규정 준수 보고에 Azure Policy를 사용합니다. Azure Policy는 일관된 정책 준수와 빠른 위반 감지를 보장하기 위해 조직 전체 설정을 적용하는 기능을 제공합니다. ", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - "service": "AKS", - "severity": "낮다", - "text": "AKS 노드 풀에 대한 노드 구성 사용자 지정", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", + "severity": "보통", + "text": "Azure Network Watcher의 연결 모니터를 사용하여 SAP 데이터베이스 및 애플리케이션 서버에 대한 대기 시간 메트릭을 모니터링합니다. 
또는 Azure Monitor를 사용하여 네트워크 대기 시간 측정값을 수집하고 표시합니다.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", "severity": "보통", - "text": "필요한 경우 Horizontal Pod Autoscaler 사용", - "waf": "공연" + "text": "프로비저닝된 Azure 인프라에서 SAP HANA에 대한 품질 검사를 수행하여 프로비저닝된 VM이 Azure의 SAP HANA 모범 사례를 준수하는지 확인합니다.", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "노드가 클수록 임시 디스크 및 가속화된 네트워킹과 같은 더 높은 성능과 기능을 제공하지만 폭발 반경이 증가하고 크기 조정 세분성이 감소합니다", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "높다", - "text": "너무 크거나 너무 작지 않은 적절한 노드 크기를 고려합니다", + "text": "각 Azure 구독에 대해 영역 배포 전에 Azure 가용성 영역에서 대기 시간 테스트를 실행하여 Azure에서 SAP를 배포하기 위한 대기 시간이 짧은 영역을 선택합니다.", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", "waf": "공연" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": 
"낮다", - "text": "확장성을 위해 5,000개 이상의 노드가 필요한 경우 추가 AKS 클러스터를 사용하는 것이 좋습니다", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", + "severity": "보통", + "text": "복원력 보고서를 실행하여 프로비저닝된 전체 Azure 인프라(컴퓨팅, 데이터베이스, 네트워킹, 스토리지, Site Recovery)의 구성이 Azure용 클라우드 적응 프레임워크에서 정의한 구성을 준수하는지 확인합니다.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", - "severity": "낮다", - "text": "AKS 자동화를 위해 EventGrid 이벤트를 구독하는 것이 좋습니다.", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", + "severity": "보통", + "text": "SAP용 Microsoft Sentinel 솔루션을 사용하여 위협 방지를 구현합니다. 
이 솔루션을 사용하여 SAP 시스템을 모니터링하고 비즈니스 로직 및 애플리케이션 계층 전체에서 정교한 위협을 탐지할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "waf": "안전" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", - "severity": "낮다", - "text": "AKS 클러스터에서 장기 실행 작업의 경우 이벤트 종료를 고려합니다.", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", + "severity": "보통", + "text": "Azure 태그 지정을 활용하여 리소스를 논리적으로 그룹화 및 추적하고, 배포를 자동화하고, 가장 중요한 것은 발생한 비용에 대한 가시성을 제공할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "작업" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", "severity": "낮다", - "text": "필요한 경우 AKS 노드에 Azure Dedicated Host를 사용하는 것이 좋습니다", - "waf": "공연" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": 
"24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "높다", - "text": "임시 OS 디스크 사용", + "text": "대기 시간에 민감한 애플리케이션에 대해 VM 간 대기 시간 모니터링을 사용합니다.", "waf": "공연" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", - "severity": "높다", - "text": "임시 디스크가 아닌 디스크의 경우 여러 Pod를 실행하는 데 고성능이 필요하고 기본 AKS 로그 회전 임계값을 사용하여 대규모 로그를 생성하므로 많은 Pod/노드를 실행할 때 노드에 높은 IOPS 및 더 큰 OS 디스크를 사용합니다", - "waf": "공연" + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "severity": "보통", + "text": "Azure Site Recovery 모니터링을 사용하여 SAP 애플리케이션 서버에 대한 재해 복구 서비스의 상태를 유지 관리합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "신뢰도" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "낮다", - "text": "고성능 스토리지 옵션의 경우 AKS에서 Ultra Disks를 사용합니다.", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", + "severity": "보통", + "text": "모든 데이터베이스 파일 시스템 및 실행 프로그램을 바이러스 백신 검사에서 제외합니다. 이를 포함하면 성능 문제가 발생할 수 있습니다. 제외 목록에 대한 규범적 세부 정보는 데이터베이스 공급업체에 문의하십시오. 
예를 들어 Oracle은 바이러스 백신 검사에서 /oracle//sapdata를 제외할 것을 권장합니다.", "waf": "공연" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", - "severity": "보통", - "text": "클러스터에서 상태를 유지하지 않고 외부(AzStorage, AzSQL, Cosmos 등)에 데이터를 저장합니다.", + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", + "severity": "낮다", + "text": "마이그레이션 후 비 HANA 데이터베이스에 대한 전체 데이터베이스 통계를 수집하는 것이 좋습니다. 예를 들어 SAP Note 1020260 - Oracle 통계 제공을 구현합니다.", "waf": "공연" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "severity": "보통", - "text": "AzFiles 표준을 사용하는 경우 성능상의 이유로 AzFiles 프리미엄 및/또는 ANF를 고려합니다", + "text": "Azure에서 SAP를 사용하는 모든 Oracle 배포에 Oracle ASM(Automatic Storage Management)을 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", "waf": "공연" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": 
"https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "severity": "보통", - "text": "Azure 디스크 및 AZ를 사용하는 경우 올바른 영역에 스토리지를 프로비전하기 위해 VolumeBindingMode::WaitForFirstConsumer를 사용하여 LRS 디스크의 영역 내에 노드 풀을 사용하거나 여러 영역에 걸쳐 있는 노드 풀에 ZRS 디스크를 사용하는 것이 좋습니다", + "text": "Oracle을 실행하는 Azure의 SAP의 경우 SQL 스크립트 컬렉션은 성능 문제를 진단하는 데 도움이 될 수 있습니다. AWR(Automatic Workload Repository) 보고서에는 Oracle 시스템의 문제점을 진단하는 데 유용한 정보가 포함되어 있습니다. 여러 세션 동안 AWR 보고서를 실행하고 피크 시간을 선택하여 광범위한 분석 범위를 보장하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", "waf": "공연" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "높다", - "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 기능 호스팅 계획을 선택하십시오.", - "waf": "신뢰도" + "text": "Azure Site Recovery 모니터링을 사용하여 SAP 애플리케이션 서버에 대한 재해 복구 서비스의 상태를 유지 관리합니다.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "높다", - "text": "지역적으로 적용 가능한 가용성 영역 활용(소비 계층에는 사용할 수 없음)", - "waf": "신뢰도" + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": 
"https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", + "severity": "보통", + "text": "HTTP/S 앱을 안전하게 배달하려면 Application Gateway v2를 사용하고 WAF 보호 및 정책이 사용하도록 설정되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "waf": "안전" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "보통", - "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려", - "waf": "신뢰도" + "text": "Azure로 마이그레이션하는 동안 가상 머신의 DNS 또는 가상 이름이 변경되지 않은 경우 백그라운드 DNS 및 가상 이름은 SAP 환경의 많은 시스템 인터페이스를 연결하며, 고객은 시간이 지남에 따라 개발자가 정의하는 인터페이스를 인식하는 경우에만 인식할 수 있습니다. 
마이그레이션 후 가상 또는 DNS 이름이 변경될 때 다양한 시스템 간에 연결 문제가 발생하며, 이러한 유형의 문제를 방지하기 위해 DNS 별칭을 유지하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "작업" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "높다", - "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다", + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", + "severity": "보통", + "text": "서로 다른 DNS 영역을 사용하여 각 환경(샌드박스, 개발, 사전 프로덕션 및 프로덕션)을 서로 구분합니다. 예외는 자체 VNet을 사용하는 SAP 배포의 경우입니다. 여기서는 프라이빗 DNS 영역이 필요하지 않을 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "작업" + }, + { + "checklist": "SAP Checklist", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", + "severity": "보통", + "text": "로컬 및 글로벌 VNet 피어링은 연결을 제공하며, 여러 Azure 지역에서 SAP 배포를 위한 랜딩 존 간의 연결을 보장하기 위해 선호되는 접근 방식입니다", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", "waf": "신뢰도" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "severity": "높다", - 
"text": "App Service 계획에서 실행되는 모든 함수 앱에 대해 'Always On'이 사용하도록 설정되어 있는지 확인합니다.",
- "waf": "신뢰도"
+ "text": "SAP 애플리케이션과 SAP 데이터베이스 서버 간에 NVA를 배포하는 것은 지원되지 않습니다",
+ "training": "https://me.sap.com/notes/2731110",
+ "waf": "공연"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba",
- "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts",
- "service": "Azure Functions",
+ "checklist": "SAP Checklist",
+ "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3",
+ "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations",
+ "service": "SAP",
 "severity": "보통",
- "text": "함수 앱을 자체 스토리지 계정에 페어링합니다. 긴밀하게 결합되지 않는 한 함수 앱에 대한 스토리지 계정을 다시 사용하지 마세요",
- "waf": "신뢰도"
+ "text": "Azure 지역 및 온-프레미스 위치 간에 글로벌 전송 연결이 필요한 신규, 대규모 또는 글로벌 네트워크에서 Azure 배포에 Virtual WAN을 사용합니다. 이 방법을 사용하면 Azure 네트워킹에 대한 전이적 라우팅을 수동으로 설정할 필요가 없으며 Azure의 SAP 배포에 대한 표준을 따를 수 있습니다.",
+ "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about",
+ "waf": "작업"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Azure Function Review",
- "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
- "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "Azure Functions",
+ "checklist": "SAP Checklist",
+ "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability",
+ "service": "SAP",
 "severity": "보통",
- "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 함수 앱 코드를 보호합니다.",
+ "text": "파트너 NVA를 사용하는 경우에만 지역 간에 NVA(네트워크 가상 어플라이언스)를 배포하는 것이 좋습니다. 네이티브 NVA가 있는 경우 지역 또는 VNet 간의 NVA가 필요하지 않습니다. 
파트너 네트워킹 기술 및 NVA를 배포하는 경우 공급업체의 지침에 따라 Azure 네트워킹과 충돌하는 구성을 확인합니다.",
+ "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations",
 "waf": "작업"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
- "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
- "service": "Logic Apps",
- "severity": "높다",
- "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 Logic App 호스팅 계획 선택Select the right Logic App hosting plan based on your business & SLO requirements",
- "waf": "신뢰도"
+ "checklist": "SAP Checklist",
+ "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd",
+ "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
+ "service": "SAP",
+ "severity": "보통",
+ "text": "Virtual WAN은 가상 WAN 기반 토폴로지에 대한 스포크 VNet 간의 연결을 관리하며(UDR[사용자 정의 라우팅] 또는 NVA를 설정할 필요 없음) 동일한 가상 허브의 VNet 간 트래픽에 대한 최대 네트워크 처리량은 초당 50기가비트입니다. 
필요한 경우 SAP 랜딩 존은 VNet 피어링을 사용하여 다른 랜딩 존에 연결하고 이 대역폭 제한을 극복할 수 있습니다.",
+ "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations",
+ "waf": "작업"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
- "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "Logic Apps",
+ "checklist": "SAP Checklist",
+ "guid": "82734c88-6ba2-4802-8459-11475e39e530",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
 "severity": "높다",
- "text": "영역 중복 및 가용성 영역을 사용하여 지역 오류로부터 논리 앱 보호Protect logic apps from region failures with zone redundancy and availability zones",
- "waf": "신뢰도"
+ "text": "SAP 워크로드를 실행하는 VM에 대한 공용 IP 할당은 권장되지 않습니다.",
+ "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "waf": "안전"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
- "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "Logic Apps",
+ "checklist": "SAP Checklist",
+ "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d",
+ "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations",
+ "service": "SAP",
 "severity": "높다",
- "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려",
- "waf": "신뢰도"
+ "text": "ASR을 구성할 때 DR 쪽에서 IP 주소를 예약하는 것이 좋습니다.",
+ "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "waf": "작업"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": 
"82118ec5-ed6f-4c68-9471-eb0da98a1b34",
- "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
- "service": "Logic Apps",
+ "checklist": "SAP Checklist",
+ "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
+ "service": "SAP",
 "severity": "높다",
- "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다",
- "waf": "신뢰도"
+ "text": "프로덕션 및 DR 사이트에 겹치는 IP 주소 범위를 사용하지 마십시오.",
+ "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations",
+ "waf": "작업"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Logic Apps checklist",
- "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
- "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
- "service": "Logic Apps",
+ "checklist": "SAP Checklist",
+ "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
+ "service": "SAP",
 "severity": "보통",
- "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.",
+ "text": "Azure는 VNet에서 여러 위임된 서브넷을 만드는 데 도움이 되지만 Azure NetApp Files용 VNet에는 위임된 서브넷이 하나만 존재할 수 있습니다. 
Azure NetApp Files에 대해 둘 이상의 위임된 서브넷을 사용하는 경우 새 볼륨을 만들려는 시도가 실패합니다.",
+ "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
 "waf": "작업"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85",
- "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview",
+ "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
+ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
 "service": "SAP",
 "severity": "보통",
- "text": "ACSS(Azure Center for SAP solutions)는 SAP를 Azure의 최상위 워크로드로 만드는 Azure 제품입니다. ACSS는 Azure에서 SAP 시스템을 통합 워크로드로 만들고 실행할 수 있도록 하는 엔드투엔드 솔루션으로, 혁신을 위한 보다 원활한 기반을 제공합니다. 신규 및 기존 Azure 기반 SAP 시스템 모두에 대한 관리 기능을 활용할 수 있습니다.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations",
- "waf": "작업"
+ "text": "Azure Firewall을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, 비 HTTP/S 인바운드 연결 및 East/West 트래픽 필터링(조직에 필요한 경우)을 제어합니다",
+ "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
+ "waf": "안전"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "5d75e99d-624d-4afe-91d9-e17adc580790",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops",
+ "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
 "service": "SAP",
 "severity": "보통",
- "text": "Azure는 Linux 및 Windows에서 SAP 배포 자동화를 지원합니다. 
SAP Deployment Automation Framework는 SAP 환경을 배포, 설치 및 유지 관리할 수 있는 오픈 소스 오케스트레이션 도구입니다.",
- "training": "https://github.com/Azure/sap-automation",
- "waf": "작업"
+ "text": "Application Gateway, SAP Web Dispatcher 및 기타 타사 서비스 간의 비교에서 볼 수 있듯이 Application Gateway가 SAP 웹앱에 대한 역방향 프록시 역할을 하는 경우 Application Gateway 및 Web Application Firewall에 제한 사항이 있습니다.",
+ "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html",
+ "waf": "안전"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform",
+ "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
 "service": "SAP",
 "severity": "보통",
- "text": "RTO를 충족하는 시점과 시간 프레임에서 프로덕션 데이터베이스에 대한 특정 시점으로 복구를 수행합니다. 특정 시점 복구에는 일반적으로 DBMS 계층 또는 SAP를 통해 데이터를 삭제하는 운영자 오류가 포함됩니다",
- "waf": "신뢰도"
+ "text": "Azure Front Door 및 WAF 정책을 사용하여 랜딩 존에 대한 인바운드 HTTP/S 연결을 위해 Azure 지역에서 전역 보호를 제공합니다.",
+ "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/",
+ "waf": "안전"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a",
+ "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
 "service": "SAP",
 "severity": "보통",
- "text": "백업 및 복구 시간을 테스트하여 재해 발생 후 모든 시스템을 동시에 복원하기 위한 RTO 요구 사항을 충족하는지 확인합니다.",
- "waf": "신뢰도"
+ "text": "Azure Front Door 및 Application Gateway를 사용하여 HTTP/S 애플리케이션을 보호하는 경우 Azure Front Door의 Web Application Firewall 정책을 활용합니다. 
Azure Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
+ "waf": "안전"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "b651423c-8552-42db-a545-5cb50c05527a",
- "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "guid": "5ada4332-4e13-4811-9231-81aa41742694",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
 "service": "SAP",
- "severity": "높다",
- "text": "쌍을 이루는 지역 간에 표준 스토리지를 복제할 수 있지만 표준 스토리지를 사용하여 데이터베이스 또는 가상 하드 디스크를 저장할 수는 없습니다. 사용하는 쌍을 이루는 지역 간에만 백업을 복제할 수 있습니다. 다른 모든 데이터의 경우 SQL Server Always On 또는 SAP HANA 시스템 복제와 같은 네이티브 DBMS 기능을 사용하여 복제를 실행합니다. SAP 애플리케이션 계층에 Site Recovery, rsync 또는 robocopy 및 기타 타사 소프트웨어의 조합을 사용합니다.",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "웹 애플리케이션 방화벽을 사용하여 트래픽이 인터넷에 노출될 때 트래픽을 검사합니다. 또 다른 옵션은 부하 분산 장치 또는 Application Gateway 또는 타사 솔루션과 같은 기본 제공 방화벽 기능이 있는 리소스와 함께 사용하는 것입니다.",
+ "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
+ "waf": "안전"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "aa208dca-784f-46c6-9014-cc919c542dc9",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones",
+ "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde",
+ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
 "service": "SAP",
 "severity": "보통",
- "text": "Azure 가용성 영역을 사용하여 고가용성을 달성하는 경우 SAP 애플리케이션 서버와 데이터베이스 서버 간의 대기 시간을 고려해야 합니다. 
대기 시간이 긴 영역의 경우 SAP 애플리케이션 서버와 데이터베이스 서버가 항상 동일한 영역에서 실행되도록 운영 절차를 마련해야 합니다.",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
- "waf": "신뢰도"
+ "text": "Azure 지역 및 온-프레미스 위치 간에 글로벌 전송 연결이 필요한 신규, 대규모 또는 글로벌 네트워크에서 Azure 배포에 Virtual WAN을 사용합니다. 이 방법을 사용하면 Azure 네트워킹에 대한 전이적 라우팅을 수동으로 설정할 필요가 없으며 Azure의 SAP 배포에 대한 표준을 따를 수 있습니다.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door",
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "ba07c007-1f90-43e9-aa4f-601346b80352",
- "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering",
+ "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0",
+ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
 "service": "SAP",
- "severity": "높다",
- "text": "온-프레미스에서 기본 및 보조 Azure 재해 복구 지역으로의 ExpressRoute 연결을 설정합니다. 또한 ExpressRoute를 사용하는 대신 온-프레미스에서 주 및 보조 Azure 재해 복구 지역으로 VPN 연결을 설정하는 것이 좋습니다.",
- "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "데이터 유출을 방지하려면 Azure Private Link를 사용하여 Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory 등과 같은 PaaS(Platform as a Service) 리소스에 안전하게 액세스합니다. Azure 프라이빗 엔드포인트는 VNet과 Azure Storage, Azure Backup 등과 같은 서비스 간의 트래픽을 보호하는 데도 도움이 될 수 있습니다. 
VNet과 프라이빗 엔드포인트 사용 서비스 간의 트래픽은 Microsoft 글로벌 네트워크를 통해 이동하므로 공용 인터넷에 노출되지 않습니다.",
+ "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations",
+ "waf": "안전"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c",
- "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance",
+ "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
 "service": "SAP",
- "severity": "낮다",
- "text": "DR 지역에서 데이터의 암호를 해독할 수 있도록 지역 간에 인증서, 비밀 또는 키와 같은 키 자격 증명 모음 콘텐츠를 복제합니다.",
- "waf": "신뢰도"
+ "severity": "높다",
+ "text": "SAP 애플리케이션 및 DBMS 계층에 사용되는 VM에서 Azure 가속 네트워킹이 사용하도록 설정되어 있는지 확인합니다.",
+ "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana",
+ "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview",
 "service": "SAP",
 "severity": "보통",
- "text": "기본 및 재해 복구 가상 네트워크를 피어링합니다. 예를 들어 HANA 시스템 복제의 경우 SAP HANA DB 가상 네트워크를 재해 복구 사이트의 SAP HANA DB 가상 네트워크에 피어링해야 합니다.",
- "waf": "신뢰도"
+ "text": "Azure Load Balancer에 대한 내부 배포가 DSR(Direct Server Return)을 사용하도록 설정되어 있는지 확인합니다. 
이 설정(유동 IP 사용)은 DBMS 계층의 고가용성 구성에 내부 부하 분산 장치 구성을 사용할 때 대기 시간을 줄입니다.",
+ "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
+ "waf": "안전"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels",
+ "guid": "6791f893-5ada-4433-84e1-3811523181aa",
+ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
 "service": "SAP",
- "severity": "낮다",
- "text": "SAP 배포에 Azure NetApp Files 스토리지를 사용하는 경우 최소한 두 지역의 프리미엄 계층에 두 개의 Azure NetApp Files 계정을 만듭니다.",
- "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "ASG(애플리케이션 보안 그룹) 및 NSG 규칙을 사용하여 SAP 애플리케이션과 DBMS 계층 간에 네트워크 보안 액세스 제어 목록을 정의할 수 있습니다. ASG는 보안을 관리하는 데 도움이 되도록 가상 머신을 그룹화합니다.",
+ "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations",
+ "waf": "안전"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
+ "guid": "45bbe609-d8a0-43e9-9778-424d616785d6",
+ "link": "https://me.sap.com/notes/2015553",
 "service": "SAP",
 "severity": "높다",
- "text": "기본 데이터베이스 복제 기술을 사용하여 HA 쌍의 데이터베이스를 동기화해야 합니다.",
- "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations",
- "waf": "신뢰도"
+ "text": "피어링되지 않은 다른 Azure VNet에 SAP 애플리케이션 계층 및 SAP DBMS를 배치하는 것은 지원되지 않습니다.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad",
- 
"link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq",
+ "guid": "fa96c96a-d885-418f-9827-34c886ba2802",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
 "service": "SAP",
- "severity": "높다",
- "text": "기본 VNet(가상 네트워크)에 대한 CIDR은 DR 사이트 VNet의 CIDR과 충돌하거나 겹치지 않아야 합니다",
- "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "SAP 애플리케이션에서 네트워크 대기 시간을 최적화하려면 Azure 근접 배치 그룹을 사용하는 것이 좋습니다.",
+ "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups",
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a",
+ "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce",
+ "link": "https://me.sap.com/notes/2015553",
 "service": "SAP",
 "severity": "높다",
- "text": "Site Recovery를 사용하여 응용 프로그램 서버를 DR 사이트에 복제합니다. Site Recovery는 중앙 서비스 클러스터 VM을 DR 사이트에 복제하는 데도 도움이 될 수 있습니다. DR을 호출할 때 DR 사이트에서 Linux Pacemaker 클러스터를 다시 구성해야 합니다(예: VIP 또는 SBD 바꾸기, corosync.conf 실행 등).",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/",
- "waf": "신뢰도"
+ "text": "온-프레미스와 Azure 간에 분할된 SAP 애플리케이션 서버 계층 및 DBMS 계층을 실행하는 것은 전혀 지원되지 않습니다. 두 계층 모두 온-프레미스 또는 Azure에 완전히 상주해야 합니다.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
+ "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2",
+ "link": "https://me.sap.com/notes/2015553",
 "service": "SAP",
 "severity": "높다",
- "text": "단일 장애 지점에 대한 SAP 소프트웨어의 가용성을 고려합니다. 
여기에는 SAP NetWeaver 및 SAP S/4HANA 아키텍처, SAP ABAP 및 ASCS + SCS에서 사용되는 DBMS와 같은 애플리케이션 내의 단일 실패 지점이 포함됩니다. 또한 SAP Web Dispatcher와 같은 다른 도구도 있습니다.",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations",
- "waf": "신뢰도"
+ "text": "계층 간의 과도한 네트워크 트래픽으로 인해 발생할 수 있는 상당한 비용 때문에 다른 VNet에서 SAP 시스템의 DBMS(데이터베이스 관리 시스템) 및 애플리케이션 계층을 호스트하고 VNet 피어링과 연결하는 것은 권장되지 않습니다. Azure 가상 네트워크 내에서 서브넷을 사용하여 SAP 애플리케이션 계층과 DBMS 계층을 분리하는 것이 좋습니다.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
+ "waf": "비용"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations",
+ "guid": "402a9846-d515-4061-aff8-cd30088693fa",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel",
 "service": "SAP",
 "severity": "높다",
- "text": "SAP 및 SAP 데이터베이스의 경우 자동 장애 조치(failover) 클러스터를 구현하는 것이 좋습니다. Windows에서 Windows Server 장애 조치(failover) 클러스터링은 장애 조치(failover)를 지원합니다. 
Linux에서 Linux Pacemaker 또는 SIOS Protection Suite 및 Veritas InfoScale과 같은 타사 툴은 장애 조치를 지원합니다.",
+ "text": "Linux 게스트 운영 체제에서 Load Balancer를 사용하는 경우 Linux 네트워크 매개 변수 net.ipv4.tcp_timestamps가 0으로 설정되어 있는지 확인합니다.",
 "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "신뢰도"
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
+ "guid": "87585797-5551-4d53-bb7d-a94ee415734d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration",
 "service": "SAP",
- "severity": "높다",
- "text": "Azure는 기본 및 보조 VM이 DBMS 데이터에 대한 스토리지를 공유하는 아키텍처를 지원하지 않습니다. DBMS 계층의 경우 일반적인 아키텍처 패턴은 기본 및 보조 VM에서 사용하는 것과 다른 스토리지 스택을 사용하여 동시에 데이터베이스를 복제하는 것입니다.",
- "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "SAP RISE/ECS 배포의 경우 가상 피어링은 고객의 기존 Azure 환경과의 연결을 설정하는 기본 방법입니다. SAP vnet과 고객 vnet은 모두 NSG(네트워크 보안 그룹)로 보호되므로 vnet 피어링을 통해 SAP 및 데이터베이스 포트에서 통신할 수 있습니다",
+ "waf": "안전"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba",
- "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general",
+ "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
 "service": "SAP",
 "severity": "높다",
- "text": "DBMS 데이터 및 트랜잭션/다시 실행 로그 파일은 Azure 지원 블록 스토리지 또는 Azure NetApp Files에 저장됩니다. 
Azure Files 또는 Azure Premium Files는 DBMS 데이터 및/또는 SAP 워크로드가 있는 다시 실행 로그 파일에 대한 스토리지로 지원되지 않습니다.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads",
- "waf": "신뢰도"
+ "text": "Azure VM에 대한 SAP HANA 데이터베이스 백업을 검토합니다.",
+ "waf": "비용"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b",
- "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk",
+ "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
 "service": "SAP",
- "severity": "높다",
- "text": "ASCS + SCS 구성 요소 및 특정 고가용성 시나리오에 대해 Windows에서 Azure 공유 디스크를 사용할 수 있습니다. SAP 애플리케이션 계층 구성 요소 및 DBMS 계층에 대해 장애 조치(failover) 클러스터를 별도로 설정합니다. Azure는 현재 SAP 애플리케이션 계층 구성 요소와 DBMS 계층을 하나의 장애 조치(failover) 클러스터로 결합하는 고가용성 아키텍처를 지원하지 않습니다.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "SAP에 사용되는 Site Recovery 기본 제공 모니터링을 검토합니다.",
+ "waf": "비용"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections",
+ "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf",
+ "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US",
 "service": "SAP",
 "severity": "높다",
- "text": "SAP ASCS(애플리케이션 계층 구성 요소) 및 DBMS 계층에 대한 대부분의 장애 조치(failover) 클러스터에는 장애 조치(failover) 클러스터에 대한 가상 IP 주소가 필요합니다. Azure Load Balancer는 다른 모든 경우에 대한 가상 IP 주소를 처리해야 합니다. 한 가지 설계 원칙은 클러스터 구성당 하나의 부하 분산 장치를 사용하는 것입니다. 
부하 분산 장치의 표준 버전(표준 Load Balancer SKU)을 사용하는 것이 좋습니다.",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
- "waf": "신뢰도"
+ "text": "SAP HANA 시스템 환경 모니터링 지침을 검토합니다.",
+ "waf": "작업"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations",
+ "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies",
 "service": "SAP",
- "severity": "높다",
- "text": "로드 밸런서에서 유동 IP가 사용하도록 설정되어 있는지 확인합니다.",
- "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "Azure Linux VM 백업 전략에서 Oracle Database를 검토합니다.",
+ "waf": "작업"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962",
+ "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16",
 "service": "SAP",
- "severity": "높다",
- "text": "고가용성 인프라를 배포하기 전에 선택한 지역에 따라 Azure 가용성 집합 또는 가용성 영역을 사용하여 배포할지 여부를 결정합니다.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "SQL Server 2016에서 Azure Blob Storage 사용을 검토합니다.",
+ "waf": "작업"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea",
- "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "guid": "b82e650f-676d-417d-994d-fc33ca54ec14",
+ "link": 
"https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql",
 "service": "SAP",
- "severity": "높다",
- "text": "SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)용 애플리케이션에 대한 인프라 SLA를 충족하려면 모든 구성 요소에 대해 동일한 고가용성 옵션(VM, 가용성 집합, 가용성 영역)을 선택해야 합니다.",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "Azure VM에 대한 자동화된 Backup v2 사용을 검토합니다.",
+ "waf": "작업"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "cbe05bbe-209d-4490-ba47-778424d11678",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d",
 "service": "SAP",
 "severity": "높다",
- "text": "동일한 가용성 집합에 서로 다른 역할의 서버를 혼합하지 마십시오. 중앙 서비스 VM, 데이터베이스 VM, 애플리케이션 VM을 자체 가용성 집합으로 유지",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
- "waf": "신뢰도"
+ "text": "프리미엄 디스크(V1)를 사용할 때 M 시리즈에 쓰기 가속기 사용Enabling Write accelerator for M series when using premium disks(V1)",
+ "waf": "작업"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86",
- "link": "https://learn.microsoft.com/azure/virtual-machines/co-location",
+ "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94",
+ "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
 "service": "SAP",
 "severity": "보통",
- "text": "근접 배치 그룹을 사용하지 않는 한 Azure 가용성 영역 내에 Azure 가용성 집합을 배포할 수 없습니다.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "waf": "신뢰도"
+ "text": "가용성 영역 대기 시간을 테스트합니다.",
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "9674e7c7-7796-4181-8920-09f4429543ba",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d",
+ "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html",
 "service": "SAP",
- "severity": "높다",
- "text": "가용성 집합을 만들 때 사용 가능한 최대 장애 도메인 및 업데이트 
도메인 수를 사용합니다. 예를 들어 하나의 가용성 집합에 두 개 이상의 VM을 배포하는 경우 Azure의 계획된 유지 관리 외에도 잠재적인 물리적 하드웨어 오류, 네트워크 중단 또는 전원 중단의 영향을 제한하기 위해 최대 장애 도메인 수(3개)와 충분한 업데이트 도메인을 사용합니다. 장애 도메인의 기본 수는 2개이며 나중에 온라인으로 변경할 수 없습니다.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "모든 SAP 구성 요소에 대해 SAP EarlyWatch Alert를 활성화합니다.",
+ "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html",
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456",
 "service": "SAP",
- "severity": "높다",
- "text": "가용성 집합 배포에서 Azure 근접 배치 그룹을 사용하는 경우 세 가지 SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)가 모두 동일한 근접 배치 그룹에 있어야 합니다.",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "SAP ABAPMeter 보고서 /SSA/CAT를 사용하여 SAP 애플리케이션 서버-데이터베이스 서버 대기 시간을 검토합니다.",
+ "training": "https://me.sap.com/notes/0002879613",
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80",
 "service": "SAP",
- "severity": "높다",
- "text": "SAP SID당 하나의 근접 배치 그룹을 사용합니다. 
그룹은 가용성 영역 또는 Azure 지역에 걸쳐 있지 않습니다.",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "CCMS를 사용하여 SQL Server 성능 모니터링을 검토합니다.",
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
+ "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390",
+ "link": "https://me.sap.com/notes/500235",
 "service": "SAP",
- "severity": "높다",
- "text": "운영 체제에 따라 다음 서비스 중 하나를 사용하여 SAP 중앙 서비스 클러스터를 실행합니다.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "SAP 애플리케이션 계층 VM과 DBMS VM(NIPING) 간의 네트워크 대기 시간을 테스트합니다.",
+ "training": "https://me.sap.com/notes/1100926/E",
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "ed46b937-913e-4018-9c62-8393ab037e53",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid",
+ "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43",
+ "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot",
 "service": "SAP",
- "severity": "보통",
- "text": "Azure는 현재 동일한 Linux Pacemaker 클러스터에서 ASCS와 DB HA의 결합을 지원하지 않습니다. 개별 클러스터로 분리합니다. 그러나 최대 5개의 여러 중앙 서비스 클러스터를 한 쌍의 VM으로 결합할 수 있습니다.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "SAP HANA Studio 경고를 검토합니다.",
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "f656e745-0cfb-453e-8008-0528fa21c933",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
+ "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694",
+ "link": "https://me.sap.com/notes/1969700",
 "service": "SAP",
 "severity": "보통",
- "text": "가용성 집합 또는 가용성 영역의 고가용성 쌍에 두 VM을 모두 배포합니다. 
이러한 VM은 크기가 동일하고 스토리지 구성이 동일해야 합니다.",
- "waf": "신뢰도"
+ "text": "HANA_Configuration_Minichecks를 사용하여 SAP HANA 상태 검사를 수행합니다.",
+ "waf": "공연"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "7f684ebc-95da-425e-b329-e782dbed050f",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
+ "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
 "service": "SAP",
 "severity": "보통",
- "text": "Azure는 RHEL(Red Hat Enterprise Linux)에서 실행되는 동일한 고가용성 클러스터에 SAP HANA, ASCS/SCS 및 ERS 인스턴스의 설치 및 구성을 지원합니다.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "신뢰도"
+ "text": "Azure, 온-프레미스 또는 기타 클라우드 환경에서 Windows 및 Linux VM을 실행하는 경우 Azure Automation의 업데이트 관리 센터를 사용하여 보안 패치를 포함한 운영 체제 업데이트를 관리할 수 있습니다.",
+ "training": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "waf": "안전"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "07991f7d-6598-4d90-9431-45c62605d3a5",
- "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
+ "guid": "08951710-79a2-492a-adbc-06d7a401545b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
 "service": "SAP",
- "severity": "높다",
- "text": "프리미엄 관리형 SSD에서 모든 프로덕션 시스템을 실행하고 Azure NetApp Files 또는 Ultra Disk Storage를 사용합니다. 
적어도 OS 디스크는 프리미엄 계층에 있어야 더 나은 성능과 최상의 SLA를 달성할 수 있습니다.",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
- "waf": "신뢰도"
+ "severity": "보통",
+ "text": "SAP는 SAP 시스템을 보호하기 위해 즉각적인 조치가 필요한 매우 중요한 보안 패치 또는 핫픽스를 릴리스하므로 SAP 보안 OSS 노트를 정기적으로 검토합니다.",
+ "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
+ "waf": "안전"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage",
+ "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
 "service": "SAP",
- "severity": "높다",
- "text": "Azure의 SAP HANA는 SAP에서 인증한 스토리지 유형에서만 실행해야 합니다. 특정 볼륨은 해당되는 경우 특정 디스크 구성에서 실행되어야 합니다. 이러한 구성에는 Write Accelerator 사용 및 Premium Storage 사용이 포함됩니다. 또한 스토리지에서 실행되는 파일 시스템이 시스템에서 실행되는 DBMS와 호환되는지 확인해야 합니다.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations",
- "waf": "신뢰도"
+ "severity": "낮다",
+ "text": "SQL Server SAP의 경우 SQL Server SAP 시스템에서 계정을 사용하지 않으므로 SQL Server 시스템 관리자 계정을 사용하지 않도록 설정할 수 있습니다. 원래 시스템 관리자 계정을 비활성화하기 전에 시스템 관리자 권한이 있는 다른 사용자가 서버에 액세스할 수 있는지 확인합니다.",
+ "waf": "안전"
 },
 {
 "checklist": "SAP Checklist",
- "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
+ "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
 "service": "SAP",
 "severity": "높다",
- "text": "SAP 워크로드에 사용하는 스토리지 유형에 따라 고가용성을 구성하는 것이 좋습니다. 
Azure에서 사용할 수 있는 일부 스토리지 서비스는 Azure Site Recovery에서 지원되지 않으므로 고가용성 구성이 다를 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "신뢰도" + "text": "xp_cmdshell 비활성화합니다. SQL Server 기능 xp_cmdshell SQL Server 내부 운영 체제 명령 셸을 사용할 수 있습니다. 이는 보안 감사에서 발생할 수 있는 잠재적 위험입니다.", + "training": "https://me.sap.com/notes/3019299/E", + "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", "service": "SAP", "severity": "높다", - "text": "일부 지역에서는 다양한 네이티브 Azure Storage 서비스(예: Azure Files, Azure NetApp Files, Azure Shared Disk)를 사용하지 못할 수 있습니다. 따라서 장애 조치(failover) 후 DR 지역에서 유사한 SAP를 설정하려면 해당 스토리지 서비스가 DR 사이트에서 제공되는지 확인합니다.", - "waf": "신뢰도" + "text": "Azure에서 SAP HANA 데이터베이스 서버를 암호화하는 데는 SAP HANA 네이티브 암호화 기술이 사용됩니다. 또한 Azure에서 SQL Server를 사용하는 경우 TDE(투명한 데이터 암호화)를 사용하여 데이터 및 로그 파일을 보호하고 백업도 암호화되도록 합니다.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", "service": "SAP", "severity": "보통", - "text": "SAP System Start-Stop을 자동화하여 비용을 관리합니다.", - "waf": "비용" + "text": "Azure Storage 암호화는 모든 Azure Resource Manager 및 클래식 스토리지 계정에 대해 사용하도록 설정되며 사용하지 않도록 설정할 수 없습니다. 
데이터는 기본적으로 암호화되므로 Azure Storage 암호화를 사용하기 위해 코드 또는 애플리케이션을 수정할 필요가 없습니다.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", "service": "SAP", - "severity": "낮다", - "text": "SAP HANA와 함께 Azure Premium Storage를 사용하는 경우 Azure 표준 SSD 스토리지를 사용하여 비용에 민감한 스토리지 솔루션을 선택할 수 있습니다. 그러나 표준 SSD 또는 표준 HDD Azure Storage를 선택하면 개별 VM의 SLA에 영향을 줍니다. 또한 비프로덕션 환경과 같이 I/O 처리량이 낮고 대기 시간이 짧은 시스템의 경우 더 낮은 시리즈 VM을 사용할 수 있습니다.", - "waf": "비용" + "severity": "높다", + "text": "Azure Key Vault를 사용하여 비밀 및 자격 증명 저장", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", "service": "SAP", - "severity": "낮다", - "text": "저렴한 대체 구성(다목적)으로 비프로덕션 HANA 데이터베이스 서버 VM에 대해 저성능 SKU를 선택할 수 있습니다. 그러나 E 시리즈와 같은 일부 VM 유형은 HANA 인증(SAP HANA 하드웨어 디렉터리)되지 않았거나 1ms 미만의 스토리지 대기 시간을 달성할 수 없습니다.", - "waf": "비용" + "severity": "보통", + "text": "무단 변경으로부터 보호하기 위해 성공적인 배포 후 Azure 리소스를 잠그는 것이 좋습니다. 
사용자 지정된 Azure 정책(Custome 역할)을 사용하여 구독별로 LOCK 제약 조건 및 규칙을 적용할 수도 있습니다.", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", "service": "SAP", - "severity": "높다", - "text": "관리 그룹, 구독, 리소스 그룹 및 리소스에 대한 RBAC 모델 적용Enforce a RBAC model for management groups, subscriptions, resource groups and resources", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "severity": "보통", + "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", "service": "SAP", - "severity": "보통", - "text": "클라우드 커넥터를 통해 SAP 클라우드 애플리케이션에서 SAP 온-프레미스(IaaS 포함)로 ID를 전달하기 위한 보안 주체 전파 적용", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "severity": "높다", + "text": "기존 요구 사항에 따라 규정 및 규정 준수 제어(내부/외부) - 필요한 Azure 정책 및 Azure RBAC 역할 결정", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": 
"https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", "service": "SAP", - "severity": "보통", - "text": "SAML을 사용하여 Azure AD로 SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics 및 SAP C4C와 같은 SAP SaaS 애플리케이션에 대한 SSO를 구현합니다.", + "severity": "높다", + "text": "SAP 환경에서 엔드포인트용 Microsoft Defender 사용하도록 설정하는 경우 모든 서버를 대상으로 하는 대신 DBMS 서버에서 데이터 및 로그 파일을 제외하는 것이 좋습니다. 대상 파일을 제외할 때 DBMS 공급업체의 권장 사항을 따릅니다.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", "service": "SAP", - "severity": "보통", - "text": "SAML을 사용하여 SAP Fiori 및 SAP Web GUI와 같은 SAP NetWeaver 기반 웹 애플리케이션에 대한 SSO를 구현합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "severity": "높다", + "text": "클라우드용 Microsoft Defender의 Just-In-Time 액세스 권한이 있는 SAP 관리자 사용자 지정 역할을 위임합니다.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", "service": "SAP", 
- "severity": "보통", - "text": "SAML을 사용하여 SAP Fiori 및 SAP Web GUI와 같은 SAP NetWeaver 기반 웹 애플리케이션에 대한 SSO를 구현합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "severity": "낮다", + "text": "타사 보안 제품을 DIAG(SAP GUI)용 SNC(Secure Network Communications), RFC 및 HTTPS용 SPNEGO와 통합하여 전송 중인 데이터를 암호화합니다.", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", "service": "SAP", "severity": "보통", - "text": "SAP NetWeaver SSO 또는 파트너 솔루션을 사용하여 SAP GUI에 대한 SSO를 구현할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "text": "보안 주체 암호화 기능을 위해 기본적으로 Microsoft 관리형 키를 사용하고 필요한 경우 고객 관리형 키를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", "service": "SAP", - "severity": "보통", - "text": "SAP GUI 및 웹 브라우저 액세스를 위한 SSO의 경우 구성 및 유지 관리가 용이하여 SNC/Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. 
X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP 보안 로그인 서버를 고려합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "severity": "높다", + "text": "애플리케이션, 환경, 지역당 Azure Key Vault를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", "service": "SAP", - "severity": "보통", - "text": "SAP GUI 및 웹 브라우저 액세스를 위한 SSO의 경우 구성 및 유지 관리가 용이하여 SNC/Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP 보안 로그인 서버를 고려합니다.", + "severity": "높다", + "text": "비 HANA Windows 및 비 Windows 운영 체제에 대한 디스크 암호화 키 및 비밀을 제어하고 관리하려면 Azure Key Vault를 사용합니다. 
SAP HANA는 Azure Key Vault에서 지원되지 않으므로 SAP ABAP 또는 SSH 키와 같은 대체 방법을 사용해야 합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", "service": "SAP", - "severity": "보통", - "text": "SAP NetWeaver용 OAuth를 사용하여 SSO를 구현하여 타사 또는 사용자 지정 애플리케이션이 SAP NetWeaver OData 서비스에 액세스할 수 있도록 합니다.", + "severity": "높다", + "text": "실수로 인한 네트워크 관련 변경을 방지하기 위해 Azure의 SAP 스포크 구독에 대한 RBAC(역할 기반 액세스 제어) 역할 사용자 지정", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", "service": "SAP", - "severity": "보통", - "text": "SAP HANA에 대한 SSO 구현", + "severity": "높다", + "text": "나머지 SAP 자산에서 DMZ 및 NVA를 격리하고, Azure Private Link를 구성하고, Azure의 SAP 리소스를 안전하게 관리 및 제어합니다", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", "service": "SAP", - "severity": "보통", - 
"text": "Azure AD를 RISE에서 호스트되는 SAP 시스템의 ID 공급자로 간주합니다. 자세한 내용은 Azure AD와 서비스 통합을 참조하세요.", + "severity": "낮다", + "text": "Azure에서 Microsoft 맬웨어 방지 소프트웨어를 사용하여 악성 파일, 애드웨어 및 기타 위협으로부터 가상 머신을 보호하는 것이 좋습니다.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", "service": "SAP", - "severity": "보통", - "text": "SAP에 액세스하는 애플리케이션의 경우 보안 주체 전파를 사용하여 SSO를 설정할 수 있습니다.", + "severity": "낮다", + "text": "더욱 강력한 보호를 위해 엔드포인트용 Microsoft Defender 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", "service": "SAP", - "severity": "보통", - "text": "SAP IAS(Identity Authentication Service)가 필요한 SAP BTP 서비스 또는 SaaS 솔루션을 사용하는 경우 SAP Cloud Identity Authentication Services와 Azure AD 간에 SSO를 구현하여 해당 SAP 서비스에 액세스하는 것이 좋습니다. 이 통합을 통해 SAP IAS는 프록시 ID 공급자 역할을 하고 중앙 사용자 저장소 및 ID 공급자인 Azure AD에 인증 요청을 전달할 수 있습니다.", + "severity": "높다", + "text": "가상 네트워크 피어링을 통해 스포크 네트워크에 연결된 허브 가상 네트워크를 통해 모든 트래픽을 전달하여 SAP 애플리케이션 및 데이터베이스 서버를 인터넷 또는 온-프레미스 네트워크에서 격리합니다. 
피어링된 가상 네트워크는 Azure의 SAP 솔루션이 공용 인터넷에서 격리되도록 보장합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", "service": "SAP", - "severity": "보통", - "text": "SAP BTP에 대한 SSO 구현", + "severity": "낮다", + "text": "SAP Fiori와 같은 인터넷 연결 애플리케이션의 경우 보안 수준을 유지하면서 애플리케이션 요구 사항에 따라 부하를 분산해야 합니다. 계층 7 보안의 경우 Azure Marketplace에서 사용할 수 있는 타사 WAF(Web Application Firewall)를 사용할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", "waf": "안전" }, { "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", "service": "SAP", "severity": "보통", - "text": "SAP SuccessFactors를 사용하는 경우 Azure AD 자동화된 사용자 프로비저닝을 사용하는 것이 좋습니다. 이 통합을 통해 SAP SuccessFactors에 새 직원을 추가할 때 Azure AD에서 해당 사용자 계정을 자동으로 만들 수 있습니다. 필요에 따라 Microsoft 365 또는 Azure AD 지원하는 기타 SaaS 애플리케이션에서 사용자 계정을 만들 수 있습니다. SAP SuccessFactors에 이메일 주소의 쓰기 저장을 사용합니다.", + "text": "SAP용 Azure Monitor 솔루션에서 보안 통신을 사용하도록 설정하려면 루트 인증서 또는 서버 인증서를 사용하도록 선택할 수 있습니다. 
루트 인증서를 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", "severity": "보통", - "text": "SAP 구독에 기존 관리 그룹 정책 적용", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", - "waf": "작업" + "text": "Azure Data Factory에 대한 FTA 복원력 플레이북 활용", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "높다", - "text": "긴밀하게 결합된 애플리케이션을 동일한 SAP 구독에 통합하여 추가적인 라우팅 및 관리 복잡성 방지", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "작업" + "text": "가용성 영역을 지원하는 지역에서 영역 중복 파이프라인 사용Use zone redundant pipelines in regions that support Availability Zones", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": 
"https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "높다", - "text": "구독을 배율 단위로 활용하고 리소스를 확장하려면 환경별로 구독을 배포하는 것이 좋습니다. 샌드박스, 비프로덕션, 프로덕션 ", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", - "waf": "작업" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", + "severity": "보통", + "text": "DevOps를 사용하여 Github/Azure DevOps 통합으로 ARM 템플릿 백업 ", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", - "severity": "높다", - "text": "구독 프로비저닝의 일부로 할당량 증가 확인(예: 구독 내에서 사용 가능한 총 VM 코어)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "waf": "작업" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "severity": "보통", + "text": "다른 지역에서 자체 호스팅 통합 런타임 VM을 복제해야 합니다. 
", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "severity": "보통", + "text": "자매 지역에서 네트워크를 복제하거나 복제해야 합니다. 다른 지역에서 Vnet의 복사본을 만들어야 합니다", + "waf": "신뢰도" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "description": "ADF 파이프라인에서 Key Vault를 사용하는 경우 Key Vault를 복제하기 위해 아무 작업도 수행할 필요가 없습니다. Key Vault는 관리되는 서비스이며 Microsoft에서 처리합니다", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", "severity": "낮다", - "text": "할당량 API는 Azure 서비스에 대한 할당량을 보고 관리하는 데 사용할 수 있는 REST API입니다. 필요한 경우 사용을 고려하십시오.", - "waf": "작업" + "text": "Keyvault 통합을 사용하는 경우 Keyvault의 SLA를 사용하여 가용성을 파악합니다", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", - "severity": "높다", - "text": "가용성 영역에 배포하는 경우 할당량이 승인되면 VM의 영역 배포를 사용할 수 있는지 확인합니다. 
필요한 구독, VM 시리즈, CPU 수 및 가용성 영역을 사용하여 지원 요청을 제출합니다.", - "waf": "작업" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", + "severity": "낮다", + "text": "AKS Windows 워크로드에 필요한 경우 HostProcess 컨테이너를 사용할 수 있습니다.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", - "severity": "높다", - "text": "예를 들어 선택한 배포 지역 내에서 필요한 서비스 및 기능을 사용할 수 있는지 확인합니다. ANF, 지역 등.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", - "waf": "작업" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "낮다", + "text": "이벤트 기반 워크로드를 실행하는 경우 KEDA 사용Use KEDA if running event-driven workloads", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", - "severity": "보통", - "text": "비용 분류 및 리소스 그룹화를 위해 Azure 리소스 태그 활용(BillTo, 부서(또는 사업부), 환경(프로덕션, 스테이지, 개발), 계층(웹 계층, 애플리케이션 계층), 애플리케이션 소유자, 프로젝트 이름)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "낮다", + "text": "Dapr을 사용하여 마이크로 서비스 개발 용이", "waf": "작업" }, { - "checklist": "SAP 
Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", "severity": "높다", - "text": "Azure Backup 서비스를 사용하여 HANA 데이터베이스를 보호할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "text": "SLA 지원 AKS 제품 사용", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", - "severity": "보통", - "text": "HANA, Oracle 또는 DB2 데이터베이스용 Azure NetApp Files를 배포하는 경우 Azure 애플리케이션 일치 스냅샷 도구(AzAcSnap)를 사용하여 애플리케이션 일치 스냅샷을 만듭니다. AzAcSnap은 Oracle 데이터베이스도 지원합니다. 
개별 VM이 아닌 중앙 VM에서 AzAcSnap을 사용하는 것이 좋습니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "낮다", + "text": "Pod 및 배포 정의에서 중단 예산 사용Use Disruption Budgets in your pod and deployment definitions", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "severity": "높다", - "text": "운영 체제와 SAP 시스템 간의 표준 시간대 일치를 확인합니다.", - "waf": "작업" - }, - { - "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", - "severity": "보통", - "text": "동일한 클러스터에서 서로 다른 애플리케이션 서비스를 그룹화하지 마세요. 예를 들어 DRBD와 중앙 서비스 클러스터를 동일한 클러스터에 결합하지 마세요. 
그러나 동일한 Pacemaker 클러스터를 사용하여 약 5개의 서로 다른 중앙 서비스(다중 SID 클러스터)를 관리할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "개인 레지스트리를 사용하는 경우 여러 지역에 이미지를 저장하도록 지역 복제를 구성합니다", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", "severity": "낮다", - "text": "Azure 실행 비용을 절감하고 최적화하기 위해 다시 알림 모델에서 개발/테스트 시스템을 실행하는 것이 좋습니다.", + "text": "kubecost와 같은 외부 애플리케이션을 사용하여 다른 사용자에게 비용 할당", "waf": "비용" }, { - "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", - "severity": "보통", - "text": "SAP 자산을 관리하여 고객과 파트너 관계를 맺는 경우 Azure Lighthouse를 사용하는 것이 좋습니다. Azure Lighthouse를 사용하면 관리 서비스 공급자가 Azure 네이티브 ID 서비스를 사용하여 고객 환경에 인증할 수 있습니다. 
고객은 언제든지 액세스 권한을 취소하고 서비스 제공업체의 조치를 감사할 수 있으므로 고객의 손에 제어 권한을 부여합니다.", - "waf": "작업" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", + "severity": "낮다", + "text": "축소 모드를 사용하여 노드 삭제/할당 취소", + "waf": "비용" }, { - "checklist": "SAP Checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "severity": "보통", - "text": "Azure Update Manager를 사용하여 단일 VM 또는 여러 VM에 대해 사용 가능한 업데이트의 상태를 확인하고 정기적인 패치를 예약하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", - "waf": "작업" + "text": "필요한 경우 AKS 클러스터에서 다중 인스턴스 분할 GPU 사용", + "waf": "비용" }, { - "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", "severity": "낮다", - "text": "SAP Landscape Management(LaMa)를 사용하여 SAP Basis 운영을 최적화하고 관리합니다. 
Azure용 SAP LaMa 커넥터를 사용하여 SAP 시스템을 재배치, 복사, 복제 및 새로 고칩니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", - "waf": "작업" + "text": "개발/테스트 클러스터를 실행하는 경우 NodePool 시작/중지를 사용합니다.", + "waf": "비용" }, { - "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "severity": "보통", - "text": "SAP용 Azure Monitor 솔루션을 사용하여 Azure에서 SAP 워크로드(SAP HANA, 고가용성 SUSE 클러스터 및 SQL 시스템)를 모니터링합니다. SAP Solution Manager를 사용하여 SAP용 Azure Monitor 솔루션을 보완하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "작업" + "text": "Kubernetes용 Azure Policy를 사용하여 클러스터 규정 준수 보장", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", - "severity": "높다", - "text": "SAP용 VM 확장 검사를 실행합니다. SAP용 VM 확장은 VM(가상 머신)의 할당된 관리 ID를 사용하여 VM 모니터링 및 구성 데이터에 액세스합니다. 
이 검사는 SAP 애플리케이션의 모든 성능 메트릭이 기본 SAP용 Azure 확장에서 제공되는지 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", - "waf": "작업" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "보통", + "text": "사용자/시스템 노드 풀이 있는 컨트롤 플레인에서 응용 프로그램 분리", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", - "severity": "보통", - "text": "액세스 제어 및 규정 준수 보고에 Azure Policy를 사용합니다. Azure Policy는 일관된 정책 준수와 빠른 위반 감지를 보장하기 위해 조직 전체 설정을 적용하는 기능을 제공합니다. 
", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "작업" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "낮다", + "text": "시스템 nodepool에 taint를 추가하여 전용으로 만듭니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", "severity": "보통", - "text": "Azure Network Watcher의 연결 모니터를 사용하여 SAP 데이터베이스 및 애플리케이션 서버에 대한 대기 시간 메트릭을 모니터링합니다. 또는 Azure Monitor를 사용하여 네트워크 대기 시간 측정값을 수집하고 표시합니다.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", - "waf": "작업" + "text": "이미지에 개인 레지스트리(예: ACR) 사용", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", - "service": "SAP", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", "severity": "보통", - "text": "프로비저닝된 Azure 인프라에서 SAP HANA에 대한 품질 검사를 수행하여 프로비저닝된 VM이 Azure의 SAP HANA 모범 사례를 준수하는지 확인합니다.", - "waf": "작업" + "text": "이미지에서 취약성 검사", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "severity": "높다", - "text": "각 Azure 구독에 대해 영역 배포 전에 Azure 가용성 영역에서 대기 시간 테스트를 실행하여 Azure에서 SAP를 배포하기 위한 대기 시간이 짧은 영역을 선택합니다.", - "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "waf": "공연" + "text": "앱 분리 요구 사항 정의(네임스페이스/노드 풀/클러스터)", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "severity": "보통", - "text": "복원력 보고서를 실행하여 프로비저닝된 전체 Azure 인프라(컴퓨팅, 데이터베이스, 네트워킹, 스토리지, Site Recovery)의 구성이 Azure용 클라우드 적응 프레임워크에서 정의한 구성을 준수하는지 확인합니다.", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", - "waf": "신뢰도" + "text": "CSI 비밀 저장소 드라이버를 사용하여 Azure Key Vault에 비밀 저장", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", - "severity": "보통", - "text": "SAP용 Microsoft Sentinel 솔루션을 사용하여 위협 방지를 구현합니다. 
이 솔루션을 사용하여 SAP 시스템을 모니터링하고 비즈니스 로직 및 애플리케이션 계층 전체에서 정교한 위협을 탐지할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", + "severity": "높다", + "text": "클러스터에 서비스 주체를 사용하는 경우 주기적으로(예: 분기별) 자격 증명을 새로 고칩니다", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "severity": "보통", - "text": "Azure 태그 지정을 활용하여 리소스를 논리적으로 그룹화 및 추적하고, 배포를 자동화하고, 가장 중요한 것은 발생한 비용에 대한 가시성을 제공할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", - "waf": "작업" + "text": "필요한 경우 키 관리 서비스 etcd 암호화를 추가합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", "severity": "낮다", - "text": "대기 시간에 민감한 애플리케이션에 대해 VM 간 대기 시간 모니터링을 사용합니다.", - "waf": "공연" + "text": "필요한 경우 AKS용 기밀 컴퓨팅을 사용하는 것이 좋습니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": 
"07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", "severity": "보통", - "text": "Azure Site Recovery 모니터링을 사용하여 SAP 애플리케이션 서버에 대한 재해 복구 서비스의 상태를 유지 관리합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "신뢰도" + "text": "컨테이너용 Defender 사용 고려", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", - "severity": "보통", - "text": "모든 데이터베이스 파일 시스템 및 실행 프로그램을 바이러스 백신 검사에서 제외합니다. 이를 포함하면 성능 문제가 발생할 수 있습니다. 제외 목록에 대한 규범적 세부 정보는 데이터베이스 공급업체에 문의하십시오. 예를 들어 Oracle은 바이러스 백신 검사에서 /oracle//sapdata를 제외할 것을 권장합니다.", - "waf": "공연" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", + "severity": "높다", + "text": "서비스 주체 대신 관리 ID 사용", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", - "severity": "낮다", - "text": "마이그레이션 후 비 HANA 데이터베이스에 대한 전체 데이터베이스 통계를 수집하는 것이 좋습니다. 
예를 들어 SAP Note 1020260 - Oracle 통계 제공을 구현합니다.", - "waf": "공연" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", + "severity": "보통", + "text": "AAD와 인증 통합(관리형 통합 사용)", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "severity": "보통", - "text": "Azure에서 SAP를 사용하는 모든 Oracle 배포에 Oracle ASM(Automatic Storage Management)을 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "공연" + "text": "관리자 kubeconfig에 대한 액세스 제한(get-credentials --admin)", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + "service": "AKS", "severity": "보통", - "text": "Oracle을 실행하는 Azure의 SAP의 경우 SQL 스크립트 컬렉션은 성능 문제를 진단하는 데 도움이 될 수 있습니다. AWR(Automatic Workload Repository) 보고서에는 Oracle 시스템의 문제점을 진단하는 데 유용한 정보가 포함되어 있습니다. 
여러 세션 동안 AWR 보고서를 실행하고 피크 시간을 선택하여 광범위한 분석 범위를 보장하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "공연" + "text": "AAD RBAC와 권한 부여 통합", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "severity": "높다", - "text": "Azure Site Recovery 모니터링을 사용하여 SAP 애플리케이션 서버에 대한 재해 복구 서비스의 상태를 유지 관리합니다.", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "waf": "작업" + "text": "쿠버네티스에서 RBAC 권한을 제한하기 위해 네임스페이스 사용", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", "severity": "보통", - "text": "HTTP/S 앱을 안전하게 배달하려면 Application Gateway v2를 사용하고 WAF 보호 및 정책이 사용하도록 설정되어 있는지 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "text": "Pod ID 액세스 관리의 경우 Azure AD 워크로드 ID(미리 보기)를 사용합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + 
"arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", "severity": "보통", - "text": "Azure로 마이그레이션하는 동안 가상 머신의 DNS 또는 가상 이름이 변경되지 않은 경우 백그라운드 DNS 및 가상 이름은 SAP 환경의 많은 시스템 인터페이스를 연결하며, 고객은 시간이 지남에 따라 개발자가 정의하는 인터페이스를 인식하는 경우에만 인식할 수 있습니다. 마이그레이션 후 가상 또는 DNS 이름이 변경될 때 다양한 시스템 간에 연결 문제가 발생하며, 이러한 유형의 문제를 방지하기 위해 DNS 별칭을 유지하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "작업" + "text": "AKS 비대화형 로그인의 경우 kubelogin(미리 보기)을 사용합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "severity": "보통", - "text": "서로 다른 DNS 영역을 사용하여 각 환경(샌드박스, 개발, 사전 프로덕션 및 프로덕션)을 서로 구분합니다. 예외는 자체 VNet을 사용하는 SAP 배포의 경우입니다. 
여기서는 프라이빗 DNS 영역이 필요하지 않을 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "작업" + "text": "AKS 로컬 계정 사용 안 함", + "waf": "안전" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 Just-in-time 클러스터 액세스 구성", + "waf": "안전" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "낮다", + "text": "AKS에 필요한 경우 AAD 조건부 액세스 구성", + "waf": "안전" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", + "severity": "낮다", + "text": "Windows AKS 워크로드에 필요한 경우 gMSA를 구성합니다. 
", + "waf": "안전" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", + "severity": "보통", + "text": "더 세밀하게 제어하려면 관리형 Kubelet ID를 사용하는 것이 좋습니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", "severity": "보통", - "text": "로컬 및 글로벌 VNet 피어링은 연결을 제공하며, 여러 Azure 지역에서 SAP 배포를 위한 랜딩 존 간의 연결을 보장하기 위해 선호되는 접근 방식입니다", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "text": "AGIC를 사용하는 경우 클러스터 간에 AppGW를 공유하지 마세요", "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": "https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "severity": "높다", - "text": "SAP 애플리케이션과 SAP 데이터베이스 서버 간에 NVA를 배포하는 것은 지원되지 않습니다", - "training": "https://me.sap.com/notes/2731110", - "waf": "공연" + "text": "AKS HTTP 라우팅 
추가 기능을 사용하지 말고, 애플리케이션 라우팅 추가 기능과 함께 관리되는 NGINX 수신을 대신 사용합니다.", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", "severity": "보통", - "text": "Azure 지역 및 온-프레미스 위치 간에 글로벌 전송 연결이 필요한 신규, 대규모 또는 글로벌 네트워크에서 Azure 배포에 Virtual WAN을 사용합니다. 이 방법을 사용하면 Azure 네트워킹에 대한 전이적 라우팅을 수동으로 설정할 필요가 없으며 Azure의 SAP 배포에 대한 표준을 따를 수 있습니다.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "작업" + "text": "Windows 워크로드의 경우 가속화된 네트워킹을 사용합니다.", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", - "severity": "보통", - "text": "파트너 NVA를 사용하는 경우에만 지역 간에 NVA(네트워크 가상 어플라이언스)를 배포하는 것이 좋습니다. 네이티브 NVA가 있는 경우 지역 또는 VNet 간의 NVA가 필요하지 않습니다. 
파트너 네트워킹 기술 및 NVA를 배포하는 경우 공급업체의 지침에 따라 Azure 네트워킹과 충돌하는 구성을 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "작업" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", + "severity": "높다", + "text": "표준 ALB 사용(기본 ALB와 반대)", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "severity": "보통", - "text": "Virtual WAN은 가상 WAN 기반 토폴로지에 대한 스포크 VNet 간의 연결을 관리하며(UDR[사용자 정의 라우팅] 또는 NVA를 설정할 필요 없음) 동일한 가상 허브의 VNet 간 트래픽에 대한 최대 네트워크 처리량은 초당 50기가비트입니다. 
필요한 경우 SAP 랜딩 존은 VNet 피어링을 사용하여 다른 랜딩 존에 연결하고 이 대역폭 제한을 극복할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "작업" + "text": "Azure CNI를 사용하는 경우 NodePools에 다른 서브넷을 사용하는 것이 좋습니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "높다", - "text": "SAP 워크로드를 실행하는 VM에 대한 공용 IP 할당은 권장되지 않습니다.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", + "severity": "보통", + "text": "프라이빗 엔드포인트(기본 설정) 또는 Virtual Network 서비스 엔드포인트를 사용하여 클러스터에서 PaaS 서비스에 액세스", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "높다", - "text": "ASR을 구성할 때 DR 쪽에서 IP 주소를 예약하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "작업" + "text": "요구 사항에 가장 적합한 CNI 네트워크 플러그 인 선택(Azure CNI 권장)", + "waf": "신뢰도" }, { - 
"checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "높다", - "text": "프로덕션 및 DR 사이트에 겹치는 IP 주소 범위를 사용하지 마십시오.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "작업" - }, - { - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", - "severity": "보통", - "text": "Azure는 VNet에서 여러 위임된 서브넷을 만드는 데 도움이 되지만 Azure NetApp Files용 VNet에는 위임된 서브넷이 하나만 존재할 수 있습니다. Azure NetApp Files에 대해 둘 이상의 위임된 서브넷을 사용하는 경우 새 볼륨을 만들려는 시도가 실패합니다.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "작업" - }, - { - "checklist": "SAP Checklist", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", - "severity": "보통", - "text": "Azure Firewall을 사용하여 인터넷에 대한 Azure 아웃바운드 트래픽, 비 HTTP/S 인바운드 연결 및 East/West 트래픽 필터링(조직에 필요한 경우)을 제어합니다", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", - "waf": "안전" + "text": "Azure CNI를 사용하는 경우 노드당 최대 Pod 수를 고려하여 서브넷 크기를 적절하게 조정합니다", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": 
"https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", - "severity": "보통", - "text": "Application Gateway, SAP Web Dispatcher 및 기타 타사 서비스 간의 비교에서 볼 수 있듯이 Application Gateway가 SAP 웹앱에 대한 역방향 프록시 역할을 하는 경우 Application Gateway 및 Web Application Firewall에 제한 사항이 있습니다.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "높다", + "text": "Azure CNI를 사용하는 경우 최대 Pod/노드(기본값 30)를 확인합니다.", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", - "severity": "보통", - "text": "Azure Front Door 및 WAF 정책을 사용하여 랜딩 존에 대한 인바운드 HTTP/S 연결을 위해 Azure 지역에서 전역 보호를 제공합니다.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "내부 앱의 경우 조직은 방화벽에서 전체 AKS 서브넷을 여는 경우가 많습니다. 이렇게 하면 노드에 대한 네트워크 액세스도 열리고 잠재적으로 Pod에 대한 액세스도 열립니다(Azure CNI를 사용하는 경우). LoadBalancer IP가 다른 서브넷에 있는 경우 앱 클라이언트에서 이 IP만 사용할 수 있어야 합니다. 
또 다른 이유는 AKS 서브넷의 IP 주소가 부족한 리소스인 경우 서비스에 해당 IP 주소를 사용하면 클러스터의 최대 확장성이 감소하기 때문입니다.", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "낮다", + "text": "개인 IP LoadBalancer 서비스를 사용하는 경우 AKS 서브넷이 아닌 전용 서브넷을 사용합니다", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", - "severity": "보통", - "text": "Azure Front Door 및 Application Gateway를 사용하여 HTTP/S 애플리케이션을 보호하는 경우 Azure Front Door의 Web Application Firewall 정책을 활용합니다. Azure Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "높다", + "text": "그에 따라 서비스 IP 주소 범위의 크기를 조정합니다(클러스터 확장성이 제한됨).", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", - "severity": "보통", - "text": "웹 애플리케이션 방화벽을 사용하여 트래픽이 인터넷에 노출될 때 트래픽을 검사합니다. 
또 다른 옵션은 부하 분산 장치 또는 Application Gateway 또는 타사 솔루션과 같은 기본 제공 방화벽 기능이 있는 리소스와 함께 사용하는 것입니다.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 자체 CNI 플러그인을 추가합니다.", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", - "severity": "보통", - "text": "Azure 지역 및 온-프레미스 위치 간에 글로벌 전송 연결이 필요한 신규, 대규모 또는 글로벌 네트워크에서 Azure 배포에 Virtual WAN을 사용합니다. 이 방법을 사용하면 Azure 네트워킹에 대한 전이적 라우팅을 수동으로 설정할 필요가 없으며 Azure의 SAP 배포에 대한 표준을 따를 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 AKS에서 노드당 공용 IP 구성", "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "severity": "보통", - "text": "데이터 유출을 방지하려면 Azure Private Link를 사용하여 Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory 등과 같은 
PaaS(Platform as a Service) 리소스에 안전하게 액세스합니다. Azure 프라이빗 엔드포인트는 VNet과 Azure Storage, Azure Backup 등과 같은 서비스 간의 트래픽을 보호하는 데도 도움이 될 수 있습니다. VNet과 프라이빗 엔드포인트 사용 서비스 간의 트래픽은 Microsoft 글로벌 네트워크를 통해 이동하므로 공용 인터넷에 노출되지 않습니다.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "안전" + "text": "수신 컨트롤러를 사용하여 LoadBalancer 유형 서비스를 사용하여 노출하는 대신 웹 기반 앱을 노출합니다", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", - "severity": "높다", - "text": "SAP 애플리케이션 및 DBMS 계층에 사용되는 VM에서 Azure 가속 네트워킹이 사용하도록 설정되어 있는지 확인합니다.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "공연" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", + "severity": "낮다", + "text": "송신 트래픽 크기 조정을 위해 Azure NAT Gateway를 outboundType으로 사용", + "waf": "신뢰도" }, { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", "severity": "보통", - "text": "Azure Load Balancer에 대한 내부 배포가 DSR(Direct Server Return)을 사용하도록 설정되어 있는지 확인합니다. 
이 설정(유동 IP 사용)은 DBMS 계층의 고가용성 구성에 내부 부하 분산 장치 구성을 사용할 때 대기 시간을 줄입니다.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "text": "Azure CNI IP 소모를 방지하기 위해 IP의 동적 할당 사용", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", + "severity": "높다", + "text": "보안 요구 사항에 필요한 경우 AzFW/NVA를 사용하여 송신 트래픽 필터링", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "severity": "보통", - "text": "ASG(애플리케이션 보안 그룹) 및 NSG 규칙을 사용하여 SAP 애플리케이션과 DBMS 계층 간에 네트워크 보안 액세스 제어 목록을 정의할 수 있습니다. 
ASG는 보안을 관리하는 데 도움이 되도록 가상 머신을 그룹화합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "text": "퍼블릭 API 엔드포인트를 사용하는 경우 액세스할 수 있는 IP 주소를 제한합니다", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", "severity": "높다", - "text": "피어링되지 않은 다른 Azure VNet에 SAP 애플리케이션 계층 및 SAP DBMS를 배치하는 것은 지원되지 않습니다.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "공연" + "text": "요구 사항에 따라 개인 클러스터를 사용합니다", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "보통", - "text": "SAP 애플리케이션에서 네트워크 대기 시간을 최적화하려면 Azure 근접 배치 그룹을 사용하는 것이 좋습니다.", - "training": 
"https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "공연" + "text": "Windows 2019 및 2022 AKS 노드의 경우 Calico 네트워크 정책을 사용할 수 있습니다. ", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "높다", - "text": "온-프레미스와 Azure 간에 분할된 SAP 애플리케이션 서버 계층 및 DBMS 계층을 실행하는 것은 전혀 지원되지 않습니다. 두 계층 모두 온-프레미스 또는 Azure에 완전히 상주해야 합니다.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "공연" + "text": "Kubernetes 네트워크 정책 옵션 사용(Calico/Azure)", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "높다", - "text": "계층 간의 과도한 네트워크 트래픽으로 인해 발생할 수 있는 상당한 비용 때문에 다른 VNet에서 SAP 시스템의 DBMS(데이터베이스 관리 시스템) 및 애플리케이션 계층을 호스트하고 VNet 피어링과 연결하는 것은 권장되지 않습니다. 
Azure 가상 네트워크 내에서 서브넷을 사용하여 SAP 애플리케이션 계층과 DBMS 계층을 분리하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "비용" + "text": "쿠버네티스 네트워크 정책을 사용하여 클러스터 내 보안 강화", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "높다", - "text": "Linux 게스트 운영 체제에서 Load Balancer를 사용하는 경우 Linux 네트워크 매개 변수 net.ipv4.tcp_timestamps가 0으로 설정되어 있는지 확인합니다.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "공연" + "text": "웹 워크로드(UI 또는 API)에 WAF 사용Use a WAF for web workloads (UIs or APIs)", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = 
(enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", "severity": "보통", - "text": "SAP RISE/ECS 배포의 경우 가상 피어링은 고객의 기존 Azure 환경과의 연결을 설정하는 기본 방법입니다. SAP vnet과 고객 vnet은 모두 NSG(네트워크 보안 그룹)로 보호되므로 vnet 피어링을 통해 SAP 및 데이터베이스 포트에서 통신할 수 있습니다", + "text": "AKS Virtual Network에서 DDoS 표준 사용Use DDoS Standard in the AKS Virtual Network", "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "높다", - "text": "Azure VM에 대한 SAP HANA 데이터베이스 백업을 검토합니다.", - "waf": "비용" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 회사 HTTP 프록시를 추가합니다.", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": 
"Azure AKS Review", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", "severity": "보통", - "text": "SAP에 사용되는 Site Recovery 기본 제공 모니터링을 검토합니다.", - "waf": "비용" + "text": "고급 마이크로서비스 통신 관리를 위해 서비스 메시를 사용하는 것이 좋습니다", + "waf": "안전" }, { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", "severity": "높다", - "text": "SAP HANA 시스템 환경 모니터링 지침을 검토합니다.", + "text": "가장 중요한 메트릭에 대한 경고 구성(권장 사항은 Container Insights 참조)", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", - "severity": "보통", - "text": "Azure Linux VM 백업 전략에서 Oracle Database를 검토합니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", + "severity": "낮다", + "text": "Azure Advisor에서 클러스터에 대한 권장 사항을 정기적으로 확인합니다.", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", - "severity": "보통", - "text": "SQL Server 2016에서 Azure Blob Storage 사용을 검토합니다.", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", + "severity": "낮다", + "text": "AKS 자동 인증서 회전 사용", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", - "severity": "보통", - "text": "Azure VM에 대한 자동화된 Backup v2 사용을 검토합니다.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", + "severity": "높다", + "text": "kubernetes 버전을 주기적으로(예: 분기별) 업그레이드하거나 AKS 자동 업그레이드 기능을 사용하는 정기적인 프로세스가 있습니다.", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", "severity": "높다", - "text": "프리미엄 디스크(V1)를 사용할 때 M 시리즈에 쓰기 가속기 사용Enabling Write accelerator for M series when using premium disks(V1)", + "text": "node-image upgrade를 사용하지 않는 경우 Linux 노드 업그레이드에 kured를 사용합니다.", "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", - "severity": "보통", - "text": "가용성 영역 대기 시간을 테스트합니다.", - "waf": "공연" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": 
"https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", + "severity": "높다", + "text": "클러스터 노드 이미지를 주기적으로(예: 매주) 업그레이드하는 정기적인 프로세스가 있습니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", - "severity": "보통", - "text": "모든 SAP 구성 요소에 대해 SAP EarlyWatch Alert를 활성화합니다.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", - "waf": "공연" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": "낮다", + "text": "gitops를 고려하여 애플리케이션 또는 클러스터 구성을 여러 클러스터에 배포합니다.", + "waf": "작업" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": "https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", + "severity": "낮다", + "text": "프라이빗 클러스터에서 AKS 명령 호출을 사용하는 것이 좋습니다.", + "waf": "작업" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", + "severity": "낮다", + "text": "계획된 이벤트의 경우 노드 자동 드레인 사용을 고려하십시오.", + "waf": "작업" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", + "severity": "높다", + "text": "노드 RG(일명 '인프라 RG')의 운영자가 변경을 수행하지 않도록 자체 거버넌스 관행을 개발합니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": 
"b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", - "severity": "보통", - "text": "SAP ABAPMeter 보고서 /SSA/CAT를 사용하여 SAP 애플리케이션 서버-데이터베이스 서버 대기 시간을 검토합니다.", - "training": "https://me.sap.com/notes/0002879613", - "waf": "공연" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "낮다", + "text": "사용자 정의 노드 RG (일명 '인프라 RG') 이름 사용", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "severity": "보통", - "text": "CCMS를 사용하여 SQL Server 성능 모니터링을 검토합니다.", - "waf": "공연" + "text": "YAML 매니페스트에서 더 이상 사용되지 않는 Kubernetes API를 사용하지 마십시오.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", - "severity": "보통", - "text": "SAP 애플리케이션 계층 VM과 DBMS VM(NIPING) 간의 네트워크 대기 시간을 테스트합니다.", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "공연" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", + "severity": "낮다", + "text": "테인트 Windows 노드", + "waf": "작업" }, { - "checklist": 
"SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", - "severity": "보통", - "text": "SAP HANA Studio 경고를 검토합니다.", - "waf": "공연" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "낮다", + "text": "Windows 컨테이너 패치 수준을 호스트 패치 수준과 동기화된 상태로 유지", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", - "severity": "보통", - "text": "HANA_Configuration_Minichecks를 사용하여 SAP HANA 상태 검사를 수행합니다.", - "waf": "공연" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "클러스터 수준의 진단 설정을 통해Via Diagnostic Settings at the cluster level", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", + "severity": "낮다", + "text": "마스터 로그(즉, API 로그)를 Azure Monitor 또는 기본 로그 관리 솔루션으로 보냅니다", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", - "severity": "보통", - "text": "Azure, 온-프레미스 또는 기타 클라우드 환경에서 Windows 및 Linux VM을 실행하는 경우 Azure Automation의 업데이트 관리 센터를 사용하여 보안 패치를 포함한 운영 체제 업데이트를 관리할 수 있습니다.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": 
"https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + "severity": "낮다", + "text": "필요한 경우 nodePool 스냅샷을 사용합니다.", + "waf": "비용" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", - "severity": "보통", - "text": "SAP는 SAP 시스템을 보호하기 위해 즉각적인 조치가 필요한 매우 중요한 보안 패치 또는 핫픽스를 릴리스하므로 SAP 보안 OSS 노트를 정기적으로 검토합니다.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "낮다", + "text": "시간에 민감하지 않은 워크로드에 대한 스폿 노드 풀 고려", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "낮다", - "text": "SQL Server SAP의 경우 SQL Server SAP 시스템에서 계정을 사용하지 않으므로 SQL Server 시스템 관리자 계정을 사용하지 않도록 설정할 수 있습니다. 
원래 시스템 관리자 계정을 비활성화하기 전에 시스템 관리자 권한이 있는 다른 사용자가 서버에 액세스할 수 있는지 확인합니다.", - "waf": "안전" + "text": "빠른 버스팅을 위해 AKS 가상 노드 고려", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "severity": "높다", - "text": "xp_cmdshell 비활성화합니다. SQL Server 기능 xp_cmdshell SQL Server 내부 운영 체제 명령 셸을 사용할 수 있습니다. 이는 보안 감사에서 발생할 수 있는 잠재적 위험입니다.", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "안전" + "text": "Container Insights(또는 Prometheus와 같은 다른 도구)를 사용하여 클러스터 지표 모니터링", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "severity": "높다", - "text": "Azure에서 SAP HANA 데이터베이스 서버를 암호화하는 데는 SAP HANA 네이티브 암호화 기술이 사용됩니다. 
또한 Azure에서 SQL Server를 사용하는 경우 TDE(투명한 데이터 암호화)를 사용하여 데이터 및 로그 파일을 보호하고 백업도 암호화되도록 합니다.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "waf": "안전" + "text": "Container Insights(또는 Telegraf/ElasticSearch와 같은 다른 도구)를 사용하여 클러스터 로그를 저장하고 분석합니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", "severity": "보통", - "text": "Azure Storage 암호화는 모든 Azure Resource Manager 및 클래식 스토리지 계정에 대해 사용하도록 설정되며 사용하지 않도록 설정할 수 없습니다. 데이터는 기본적으로 암호화되므로 Azure Storage 암호화를 사용하기 위해 코드 또는 애플리케이션을 수정할 필요가 없습니다.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "안전" + "text": "노드의 CPU 및 메모리 사용률 모니터링", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", - "severity": "높다", - "text": "Azure Key Vault를 사용하여 비밀 및 자격 증명 저장", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "보통", + "text": "Azure CNI를 사용하는 경우 노드당 사용되는 Pod IP의 %를 모니터링합니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "OS 디스크의 I/O는 중요한 리소스입니다. 노드의 OS가 I/O에서 제한되면 예측할 수 없는 동작이 발생할 수 있으며, 일반적으로 노드가 NotReady로 선언됩니다", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", "severity": "보통", - "text": "무단 변경으로부터 보호하기 위해 성공적인 배포 후 Azure 리소스를 잠그는 것이 좋습니다. 사용자 지정된 Azure 정책(Custome 역할)을 사용하여 구독별로 LOCK 제약 조건 및 규칙을 적용할 수도 있습니다.", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "안전" + "text": "노드에서 OS 디스크 큐 크기 모니터링Monitor OS disk queue depth in nodes", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "보통", - "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "안전" + "text": "AzFW/NVA에서 송신 필터링을 사용하지 않는 경우 표준 ALB 할당 SNAT 포트를 모니터링합니다", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": 
"https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", + "severity": "보통", + "text": "AKS 클러스터에 대한 Resource Health 알림 구독Subscribe to resource health notifications for your AKS cluster", + "waf": "작업" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "높다", - "text": "기존 요구 사항에 따라 규정 및 규정 준수 제어(내부/외부) - 필요한 Azure 정책 및 Azure RBAC 역할 결정", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "안전" + "text": "Pod 규격에서 요청 및 제한 구성", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "보통", + "text": "네임스페이스에 대한 리소스 할당량 적용Enforce resource quotas for namespaces", + "waf": "작업" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", "severity": "높다", - "text": "SAP 환경에서 엔드포인트용 Microsoft Defender 사용하도록 설정하는 경우 모든 서버를 대상으로 하는 대신 DBMS 서버에서 데이터 및 로그 파일을 제외하는 것이 좋습니다. 
대상 파일을 제외할 때 DBMS 공급업체의 권장 사항을 따릅니다.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "안전" + "text": "구독에 노드 풀을 확장할 수 있는 충분한 할당량이 있는지 확인합니다.", + "waf": "작업" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", - "severity": "높다", - "text": "클라우드용 Microsoft Defender의 Just-In-Time 액세스 권한이 있는 SAP 관리자 사용자 지정 역할을 위임합니다.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "보통", + "text": "Cluster Autoscaler 사용", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + "service": "AKS", "severity": "낮다", - "text": "타사 보안 제품을 DIAG(SAP GUI)용 SNC(Secure Network Communications), RFC 및 HTTPS용 SPNEGO와 통합하여 전송 중인 데이터를 
암호화합니다.", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "안전" + "text": "AKS 노드 풀에 대한 노드 구성 사용자 지정", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "보통", - "text": "보안 주체 암호화 기능을 위해 기본적으로 Microsoft 관리형 키를 사용하고 필요한 경우 고객 관리형 키를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "안전" + "text": "필요한 경우 Horizontal Pod Autoscaler 사용", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "노드가 클수록 임시 디스크 및 가속화된 네트워킹과 같은 더 높은 성능과 기능을 제공하지만 폭발 반경이 증가하고 크기 조정 세분성이 감소합니다", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", "severity": "높다", - "text": "애플리케이션, 환경, 지역당 Azure Key Vault를 사용합니다.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "안전" + "text": "너무 크거나 너무 작지 않은 적절한 노드 크기를 고려합니다", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "severity": "높다", - "text": 
"비 HANA Windows 및 비 Windows 운영 체제에 대한 디스크 암호화 키 및 비밀을 제어하고 관리하려면 Azure Key Vault를 사용합니다. SAP HANA는 Azure Key Vault에서 지원되지 않으므로 SAP ABAP 또는 SSH 키와 같은 대체 방법을 사용해야 합니다.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", + "severity": "낮다", + "text": "확장성을 위해 5,000개 이상의 노드가 필요한 경우 추가 AKS 클러스터를 사용하는 것이 좋습니다", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", - "severity": "높다", - "text": "실수로 인한 네트워크 관련 변경을 방지하기 위해 Azure의 SAP 스포크 구독에 대한 RBAC(역할 기반 액세스 제어) 역할 사용자 지정", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "severity": "낮다", + "text": "AKS 자동화를 위해 EventGrid 이벤트를 구독하는 것이 좋습니다.", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", - "severity": "높다", - "text": "나머지 SAP 자산에서 DMZ 및 NVA를 격리하고, Azure Private Link를 구성하고, Azure의 SAP 리소스를 안전하게 관리 및 제어합니다", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": 
"c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "낮다", + "text": "AKS 클러스터에서 장기 실행 작업의 경우 이벤트 종료를 고려합니다.", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", "severity": "낮다", - "text": "Azure에서 Microsoft 맬웨어 방지 소프트웨어를 사용하여 악성 파일, 애드웨어 및 기타 위협으로부터 가상 머신을 보호하는 것이 좋습니다.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "waf": "안전" + "text": "필요한 경우 AKS 노드에 Azure Dedicated Host를 사용하는 것이 좋습니다", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "낮다", - "text": "더욱 강력한 보호를 위해 엔드포인트용 Microsoft Defender 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "waf": "안전" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + 
"service": "AKS", + "severity": "높다", + "text": "임시 OS 디스크 사용", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", "severity": "높다", - "text": "가상 네트워크 피어링을 통해 스포크 네트워크에 연결된 허브 가상 네트워크를 통해 모든 트래픽을 전달하여 SAP 애플리케이션 및 데이터베이스 서버를 인터넷 또는 온-프레미스 네트워크에서 격리합니다. 피어링된 가상 네트워크는 Azure의 SAP 솔루션이 공용 인터넷에서 격리되도록 보장합니다.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "waf": "안전" + "text": "임시 디스크가 아닌 디스크의 경우 여러 Pod를 실행하는 데 고성능이 필요하고 기본 AKS 로그 회전 임계값을 사용하여 대규모 로그를 생성하므로 많은 Pod/노드를 실행할 때 노드에 높은 IOPS 및 더 큰 OS 디스크를 사용합니다", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", "severity": "낮다", - "text": "SAP Fiori와 같은 인터넷 연결 애플리케이션의 경우 보안 수준을 유지하면서 애플리케이션 요구 사항에 따라 부하를 분산해야 합니다. 
계층 7 보안의 경우 Azure Marketplace에서 사용할 수 있는 타사 WAF(Web Application Firewall)를 사용할 수 있습니다.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "waf": "안전" + "text": "고성능 스토리지 옵션의 경우 AKS에서 Ultra Disks를 사용합니다.", + "waf": "공연" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "severity": "보통", - "text": "SAP용 Azure Monitor 솔루션에서 보안 통신을 사용하도록 설정하려면 루트 인증서 또는 서버 인증서를 사용하도록 선택할 수 있습니다. 루트 인증서를 사용하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "안전" + "text": "클러스터에서 상태를 유지하지 않고 외부(AzStorage, AzSQL, Cosmos 등)에 데이터를 저장합니다.", + "waf": "공연" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "스토리지와 관련된 Microsoft 클라우드 보안 벤치마크의 지침 적용", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "severity": "보통", - "text": "'스토리지에 대한 Azure 보안 기준' 고려", - "waf": "안전" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Azure Storage는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 
있습니다. 프라이빗 엔드포인트를 사용하면 액세스가 필요한 Azure Compute 리소스에만 Azure Storage를 안전하게 노출할 수 있으므로 공용 인터넷에 노출되지 않습니다", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "높다", - "text": "Azure Storage에 프라이빗 엔드포인트를 사용하는 것이 좋습니다.", - "waf": "안전" + "text": "AzFiles 표준을 사용하는 경우 성능상의 이유로 AzFiles 프리미엄 및/또는 ANF를 고려합니다", + "waf": "공연" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "새로 만든 저장소 계정은 ARM 배포 모델을 사용하여 만들어지므로 RBAC, 감사 등을 모두 사용할 수 있습니다. 구독에 클래식 배포 모델이 있는 이전 저장소 계정이 없는지 확인합니다.", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "severity": "보통", - "text": "이전 스토리지 계정이 '클래식 배포 모델'을 사용하지 않는지 확인", - "waf": "안전" + "text": "Azure 디스크 및 AZ를 사용하는 경우 올바른 영역에 스토리지를 프로비전하기 위해 VolumeBindingMode::WaitForFirstConsumer를 사용하여 LRS 디스크의 영역 내에 노드 풀을 사용하거나 여러 영역에 걸쳐 있는 노드 풀에 ZRS 디스크를 사용하는 것이 좋습니다", + "waf": "공연" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Microsoft Defender를 활용하여 의심스러운 활동 및 잘못된 구성에 대해 알아봅니다.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", - "severity": "높다", - "text": "모든 스토리지 계정에 대해 Microsoft Defender 사용", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub는 미사용 데이터의 암호화를 
제공합니다. 사용자 고유의 키를 사용하는 경우 데이터는 여전히 Microsoft 관리형 키를 사용하여 암호화되지만 Microsoft 관리형 키는 고객 관리형 키를 사용하여 암호화됩니다. ", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "낮다", + "text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션 사용Use customer-managed key option in data at rest encryption when required", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "일시 삭제 메커니즘을 사용하면 실수로 삭제된 Blob을 복구할 수 있습니다.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hubs 네임스페이스를 사용하면 클라이언트가 TLS 1.0 이상을 사용하여 데이터를 보내고 받을 수 있습니다. 더 엄격한 보안 조치를 적용하기 위해 클라이언트가 최신 버전의 TLS를 사용하여 데이터를 보내고 받도록 Event Hubs 네임스페이스를 구성할 수 있습니다. Event Hubs 네임스페이스에 최소 버전의 TLS가 필요한 경우 이전 버전으로 수행된 모든 요청이 실패합니다. ", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "severity": "보통", - "text": "Blob에 대해 '일시 삭제' 사용Enable 'soft delete' for blobs", + "text": "요청에 필요한 최소 버전의 TLS(전송 계층 보안) 적용 ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. 
", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Event Hubs 네임스페이스를 만들 때 네임스페이스에 대해 RootManageSharedAccessKey라는 정책 규칙이 자동으로 만들어집니다. 이 정책에는 전체 네임스페이스에 대한 관리 권한이 있습니다. 이 규칙을 관리 루트 계정처럼 취급하고 응용 프로그램에서 사용하지 않는 것이 좋습니다. RBAC에서 AAD를 인증 공급자로 사용하는 것이 좋습니다. ", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "severity": "보통", - "text": "Blob에 대해 '일시 삭제' 사용 안 함", - "waf": "안전" - }, - { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "컨테이너에 대한 일시 삭제를 사용하면 컨테이너가 삭제된 후 컨테이너를 복구할 수 있습니다(예: 실수로 인한 삭제 작업에서 복구).", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", - "severity": "높다", - "text": "컨테이너에 대해 '일시 삭제' 사용Enable 'soft delete' for containers", + "text": "필요하지 않은 경우 루트 계정을 사용하지 마십시오.", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "예를 들어 애플리케이션이 기밀성, 개인 정보 보호 또는 규정 준수를 위해 삭제된 정보가 즉시 삭제되도록 해야 하는 경우와 같이 특정 Blob 컨테이너에 대해 '일시 삭제'를 선택적으로 사용하지 않도록 설정하는 것이 좋습니다. 
", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure 리소스에 대한 관리 ID는 Azure VM(Virtual Machines), 함수 앱, Virtual Machine Scale Sets 및 기타 서비스에서 실행되는 애플리케이션에서 Azure AD 자격 증명을 사용하여 Event Hubs 리소스에 대한 액세스 권한을 부여할 수 있습니다. Azure AD 인증과 함께 Azure 리소스에 대한 관리 ID를 사용하면 클라우드에서 실행되는 애플리케이션에 자격 증명을 저장하지 않아도 됩니다. ", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "severity": "보통", - "text": "컨테이너에 대해 '일시 삭제' 사용 안 함", + "text": "가능한 경우 애플리케이션은 관리 ID를 사용하여 Azure Event Hub에 인증해야 합니다. 그렇지 않은 경우 Azure Key Vault 또는 동등한 서비스에 스토리지 자격 증명(SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "사용자가 삭제하기 전에 먼저 삭제 잠금을 제거하도록 강제하여 저장소 계정이 실수로 삭제되는 것을 방지합니다.", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "권한을 만들 때 Azure Event Hub에 대한 클라이언트의 액세스를 세밀하게 제어할 수 있습니다. 
Azure Event Hub의 사용 권한은 개별 리소스 수준(예: 소비자 그룹, 이벤트 허브 엔터티, 이벤트 허브 네임스페이스 등)으로 범위를 지정할 수 있으며 범위가 지정되어야 합니다.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "severity": "높다", - "text": "스토리지 계정에 대한 리소스 잠금 사용Enable resource locks on storage accounts", + "text": "최소 권한 데이터 평면 RBAC 사용", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Blob에 대한 '법적 보존' 또는 '시간 기반 보존' 정책을 고려하면 Blob, 컨테이너 또는 스토리지 계정을 삭제할 수 없습니다. '불가능'은 실제로 '불가능'을 의미합니다. 스토리지 계정에 변경할 수 없는 Blob이 포함된 경우 해당 스토리지 계정을 '제거'하는 유일한 방법은 Azure 구독을 취소하는 것입니다.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", - "severity": "높다", - "text": "변경할 수 없는 Blob 고려", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub 리소스 로그에는 작업 로그, 가상 네트워크 및 Kafka 로그가 포함됩니다. 런타임 감사 로그는 Event Hubs의 모든 데이터 평면 액세스 작업(예: 이벤트 보내기 또는 받기)에 대해 집계된 진단 정보를 캡처합니다.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", + "severity": "보통", + "text": "보안 조사를 위해 로깅을 사용하도록 설정합니다. Azure Monitor를 사용하여 리소스 로그, 런타임 감사 로그 및 Kafka 로그와 같은 메트릭 및 로그를 캡처합니다.", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "모든 데이터 전송이 암호화되고, 무결성이 보호되고, 서버가 인증되도록 스토리지 계정에 대한 보호되지 않는 HTTP/80 액세스를 사용하지 않도록 설정하는 것이 좋습니다. 
", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", - "severity": "높다", - "text": "HTTPS 필요, 즉 스토리지 계정에서 포트 80 사용 안 함Require HTTPS, i.e. disable port 80 on the storage account", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure Event Hub는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 프라이빗 엔드포인트를 사용하면 가상 네트워크와 Azure Event Hub 간의 트래픽이 Microsoft 백본 네트워크를 통해 트래버스할 수 있습니다. 또한 퍼블릭 엔드포인트를 사용하지 않는 경우 사용하지 않도록 설정해야 합니다. ", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", + "severity": "보통", + "text": "프라이빗 엔드포인트를 사용하여 Azure Event Hub에 액세스하고 해당하는 경우 공용 네트워크 액세스를 사용하지 않도록 설정하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "스토리지 계정에서 사용자 지정 도메인(호스트 이름)을 구성할 때 TLS/HTTPS가 필요한지 여부를 확인합니다. 이 경우 저장소 계정 앞에 Azure CDN을 배치해야 할 수 있습니다.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", - "severity": "높다", - "text": "HTTPS를 적용할 때(HTTP 사용 안 함) 스토리지 계정에 사용자 지정 도메인(CNAME)을 사용하지 않는지 확인합니다.", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "IP 방화벽을 사용하면 퍼블릭 엔드포인트를 CIDR(Classless Inter-Domain Routing) 표기법의 IPv4 주소 또는 IPv4 주소 범위 집합으로만 추가로 제한할 수 있습니다. 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", + "severity": "보통", + "text": "특정 IP 주소 또는 범위에서 Azure Event Hub 네임스페이스에 대한 액세스만 허용하는 것이 좋습니다", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "클라이언트가 SAS 토큰을 사용하여 Blob 데이터에 액세스할 때 HTTPS를 요구하면 자격 증명 손실 위험을 최소화하는 데 도움이 됩니다.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "severity": "보통", - "text": "SAS(공유 액세스 서명) 토큰을 HTTPS 연결로만 제한", - "waf": "안전" + "text": "FTA 탄력성 핸드북 활용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "AAD 토큰은 가능한 경우 공유 액세스 서명보다 우선해야 합니다", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": " 영역 사용 지역의 프리미엄, 전용 또는 표준 SKU를 사용하여 포털에서 만든 새 EH 네임스페이스에 대해 자동으로 설정됩니다. 
EH 메타데이터와 이벤트 데이터 자체는 모두 영역 간에 복제됩니다", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "severity": "높다", - "text": "Blob 액세스에 Azure AD(Azure Active Directory) 토큰 사용Use Azure Active Directory (Azure AD) tokens for blob access", - "waf": "안전" + "text": "지역적으로 적용 가능한 경우 가용성 영역 활용Leverage Availability Zones if regionally applicable", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "사용자, 그룹 또는 응용 프로그램에 역할을 할당할 때 해당 보안 주체가 작업을 수행하는 데 필요한 권한만 부여합니다. 리소스에 대한 액세스를 제한하면 의도하지 않은 데이터 오용과 악의적인 데이터 오용을 모두 방지할 수 있습니다.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "severity": "보통", - "text": "IaM 권한의 최소 권한", - "waf": "안전" + "text": "예측 가능한 성능을 위해 프리미엄 또는 전용 SKU 사용", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "사용자 위임 SAS는 Azure AD(Azure Active Directory) 자격 증명과 SAS에 지정된 권한으로 보호됩니다. 사용자 위임 SAS는 범위와 기능 측면에서 서비스 SAS와 유사하지만 서비스 SAS에 비해 보안상의 이점을 제공합니다. ", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "기본 제공 지역 재해 복구 기능을 사용하도록 설정하면 네임스페이스(Event Hubs, 소비자 그룹 및 설정)의 전체 구성이 기본 네임스페이스에서 보조 네임스페이스로 지속적으로 복제되며, 언제든지 한 번만 장애 조치(failover)를 주 네임스페이스에서 보조 네임스페이스로 이동할 수 있습니다. 
활성/수동 기능은 애플리케이션 구성을 변경할 필요 없이 실패한 Azure 지역에서 더 쉽게 복구하고 중단할 수 있도록 설계되었습니다", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "severity": "높다", - "text": "SAS를 사용하는 경우 스토리지 계정 키 기반 SAS보다 '사용자 위임 SAS'를 선호합니다.", - "waf": "안전" + "text": "Active Passive 구성을 사용하여 지역 재해 복구 계획Plan for Geo Disaster Recovery using Active Passive configuration", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "스토리지 계정 키('공유 키')에는 감사 기능이 거의 없습니다. 누가/언제 키 사본을 가져왔는지 모니터링할 수 있지만, 키가 여러 사람의 손에 들어가면 특정 사용자의 사용을 귀속시키는 것은 불가능합니다. AAD 인증에만 의존하면 스토리지 액세스를 사용자에게 더 쉽게 연결할 수 있습니다. ", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", - "severity": "높다", - "text": "AAD 액세스(및 사용자 위임 SAS)만 지원되도록 스토리지 계정 키를 사용하지 않도록 설정하는 것이 좋습니다.", - "waf": "안전" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "다운된 지역에서 이벤트 데이터의 중단 또는 손실을 허용할 수 없는 DR 구성에 사용해야 합니다. 이러한 경우 복제 지침을 따르고 기본 제공 지역 재해 복구 기능(활성/수동)을 사용하지 마세요. 
액티브/액티브를 사용하여 서로 다른 지역 및 네임스페이스에서 여러 Event Hubs를 유지 관리하면 허브 간에 이벤트가 복제됩니다", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", + "severity": "보통", + "text": "Business Critical Applications의 경우 Active Active 구성을 사용합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "활동 로그 데이터를 사용하여 스토리지 계정의 보안을 보거나 변경하는 '시기', '누가', '무엇을' 및 '방법'(예: 스토리지 계정 키, 액세스 정책 등)을 식별합니다.", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", - "severity": "높다", - "text": "Azure Monitor를 사용하여 스토리지 계정에 대한 컨트롤 플레인 작업을 감사하는 것이 좋습니다.", - "waf": "안전" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", + "severity": "보통", + "text": "복원력 있는 Event Hubs 설계", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "키 만료 정책을 사용하면 계정 액세스 키 교체에 대한 미리 알림을 설정할 수 있습니다. 
지정된 간격이 경과하고 키가 아직 회전되지 않은 경우 알림이 표시됩니다.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", - "severity": "보통", - "text": "스토리지 계정 키를 사용하는 경우 '키 만료 정책'을 사용하도록 설정하는 것이 좋습니다", - "waf": "안전" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", + "severity": "낮다", + "text": "모범 사례는 기준 고가용성 영역 중복 웹 애플리케이션 아키텍처를 참조하세요.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS 만료 정책은 SAS가 유효한 권장 간격을 지정합니다. SAS 만료 정책은 서비스 SAS 또는 계정 SAS에 적용됩니다. 사용자가 권장 간격보다 큰 유효 간격을 사용하여 서비스 SAS 또는 계정 SAS를 생성하면 경고가 표시됩니다.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "보통", - "text": "SAS 만료 정책 구성 고려", - "waf": "안전" + "text": "프리미엄 및 표준 계층을 사용합니다. 이러한 계층은 스테이징 슬롯 및 자동 백업을 지원합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "저장된 액세스 정책은 스토리지 계정 키를 다시 생성할 필요 없이 서비스 SAS에 대한 권한을 취소하는 옵션을 제공합니다. 
", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", - "severity": "보통", - "text": "SAS를 저장된 액세스 정책에 연결하는 것이 좋습니다.", - "waf": "안전" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", + "severity": "높다", + "text": "지역적으로 적용 가능한 경우 가용성 영역 활용(프리미엄 v2 또는 v3 계층 필요)", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "보통", - "text": "체크 인된 연결 문자열 및 저장소 계정 키를 검색하도록 응용 프로그램의 소스 코드 리포지토리를 구성하는 것이 좋습니다.", - "waf": "안전" + "text": "상태 확인 구현", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "이상적으로 애플리케이션은 관리 ID를 사용하여 Azure Storage에 인증해야 합니다. 
이렇게 할 수 없는 경우 Azure KeyVault 또는 동등한 서비스에 스토리지 자격 증명(연결 문자열, 스토리지 계정 키, SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", "severity": "높다", - "text": "Azure KeyVault에 연결 문자열을 저장하는 것이 좋습니다(관리 ID를 사용할 수 없는 시나리오에서).", - "waf": "안전" + "text": "Azure App Service에 대한 백업 및 복원 모범 사례를 참조하세요.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "임시 SAS 서비스 SAS 또는 계정 SAS에서 단기 만료 시간을 사용합니다. 이러한 방식으로 SAS가 손상되더라도 짧은 시간 동안만 유효합니다. 이 방법은 저장된 액세스 정책을 참조할 수 없는 경우에 특히 중요합니다. 또한 단기 만료 시간은 업로드에 사용할 수 있는 시간을 제한하여 Blob에 쓸 수 있는 데이터의 양을 제한합니다.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", "severity": "높다", - "text": "임시 SAS의 유효 기간을 단축하기 위해 노력", - "waf": "안전" + "text": "Azure App Service 안정성 모범 사례 구현", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS를 만들 때는 가능한 한 구체적이고 제한적이어야 합니다. 
훨씬 더 광범위한 액세스를 제공하는 SAS보다 단일 리소스 및 작업에 대해 SAS를 선호합니다.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "낮다", + "text": "App Service 앱을 다른 지역으로 이동하는 방법을 숙지합니다. 재해가 발생하는 동안", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", + "severity": "높다", + "text": "Azure App Service의 안정성 지원 숙지", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "severity": "보통", - "text": "SAS에 좁은 범위 적용", - "waf": "안전" + "text": "App Service 계획에서 실행되는 Function Apps에 대해 \"Always On\"이 사용하도록 설정되어 있는지 확인합니다.", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS에는 SAS를 사용하여 리소스를 요청할 수 있는 권한이 있는 클라이언트 IP 주소 또는 주소 범위에 대한 매개 변수가 포함될 수 있습니다. 
", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "보통", - "text": "가능한 경우 SAS의 범위를 특정 클라이언트 IP 주소로 지정하는 것이 좋습니다", - "waf": "안전" + "text": "상태 검사를 사용하여 App Service 인스턴스 모니터링Monitor App Service instances using Health checks", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS는 클라이언트가 업로드하는 데이터의 양을 제한할 수 없습니다. 시간 경과에 따른 스토리지 양의 가격 책정 모델을 고려할 때 클라이언트가 악의적으로 큰 콘텐츠를 업로드했는지 여부를 확인하는 것이 합리적일 수 있습니다.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", + "severity": "보통", + "text": "Application Insights 가용성 테스트를 사용하여 웹앱 또는 웹 사이트의 가용성 및 응답성 모니터링", + "waf": "신뢰도" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", "severity": "낮다", - "text": "클라이언트가 SAS를 사용하여 파일을 업로드한 후 업로드된 데이터를 확인하는 것이 좋습니다. ", - "waf": "안전" + "text": "Application Insights 표준 테스트를 사용하여 웹앱 또는 웹 사이트의 가용성 및 응답성 모니터링", + "waf": "신뢰도" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "'로컬 사용자 계정'을 사용하여 SFTP를 통해 Blob Storage에 액세스하는 경우 '일반적인' RBAC 컨트롤이 적용되지 않습니다. 
NFS 또는 REST를 통한 Blob 액세스는 SFTP 액세스보다 더 제한적일 수 있습니다. 안타깝게도 2023년 초부터 로컬 사용자는 현재 SFTP 엔드포인트에 대해 지원되는 유일한 ID 관리 형태입니다", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Key Vault를 사용하여 애플리케이션에 필요한 모든 비밀을 저장합니다. Key Vault는 비밀을 저장하기 위한 안전하고 감사된 환경을 제공하며 Key Vault SDK 또는 App Service Key Vault 참조를 통해 App Service와 잘 통합됩니다.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "높다", - "text": "SFTP: SFTP 액세스에 대한 '로컬 사용자'의 수를 제한하고 시간이 지남에 따라 액세스가 필요한지 여부를 감사합니다.", + "text": "Key Vault를 사용하여 비밀 저장", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", - "severity": "보통", - "text": "SFTP: SFTP 엔드포인트는 POSIX와 유사한 ACL을 지원하지 않습니다.", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "관리 ID를 사용하여 Key Vault SDK를 사용하거나 App Service Key Vault 참조를 통해 Key Vault에 연결합니다.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "높다", + "text": "관리 ID를 사용하여 Key Vault에 연결", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "스토리지는 CORS(Cross-Origin Resource Sharing), 즉 다른 도메인의 웹앱이 동일 출처 정책을 완화할 수 있도록 하는 HTTP 기능을 지원합니다. 
CORS를 사용하도록 설정할 때 CorsRules를 최소 권한으로 유지합니다.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service TLS 인증서를 Key Vault에 저장합니다.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "severity": "높다", - "text": "지나치게 광범위한 CORS 정책 방지", + "text": "Key Vault를 사용하여 TLS 인증서를 저장합니다.", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "미사용 데이터는 항상 서버 쪽에서 암호화되며 클라이언트 쪽에서도 암호화될 수 있습니다. 서버 쪽 암호화는 플랫폼 관리형 키(기본값) 또는 고객 관리형 키를 사용하여 발생할 수 있습니다. 클라이언트 쪽 암호화는 클라이언트가 Azure Storage에 Blob별로 암호화/암호 해독 키를 제공하거나 클라이언트 쪽에서 암호화를 완전히 처리하여 발생할 수 있습니다. 따라서 기밀성 보장을 위해 Azure Storage에 전혀 의존하지 않습니다.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", - "severity": "높다", - "text": "미사용 데이터를 암호화하는 방법을 결정합니다. 데이터에 대한 스레드 모델을 이해합니다.", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "중요한 정보를 처리하는 시스템은 격리해야 합니다. 
이렇게 하려면 별도의 App Service 계획 또는 App Service Environment를 사용하고 다른 구독 또는 관리 그룹을 사용하는 것이 좋습니다.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "보통", + "text": "민감한 정보를 처리하는 시스템 격리", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service의 로컬 디스크는 암호화되지 않으며 중요한 데이터를 저장해서는 안 됩니다. (예: D:\\\\Local and %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", "severity": "보통", - "text": "사용해야 하는 플랫폼 암호화를 결정합니다.", + "text": "로컬 디스크에 중요한 데이터를 저장하지 마십시오.", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "인증된 웹 애플리케이션의 경우 Azure AD 또는 Azure AD B2C와 같이 잘 설정된 ID 공급자를 사용합니다. 
선택한 애플리케이션 프레임워크를 활용하여 이 공급자와 통합하거나 App Service 인증/권한 부여 기능을 사용합니다.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "severity": "보통", - "text": "사용해야 하는 클라이언트 쪽 암호화를 결정합니다.", + "text": "인증에 설정된 ID 공급자 사용", "waf": "안전" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Resource Graph Explorer(resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)를 활용하여 익명 Blob 액세스를 허용하는 스토리지 계정을 찾습니다.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "잘 관리되고 안전한 DevOps 배포 파이프라인과 같이 제어되고 신뢰할 수 있는 환경에서 App Service에 코드를 배포합니다. 이렇게 하면 버전이 제어되지 않고 악성 호스트에서 배포되는 것으로 확인되지 않은 코드를 방지할 수 있습니다.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", "severity": "높다", - "text": "공용 Blob 액세스가 필요한지 또는 특정 스토리지 계정에 대해 사용하지 않도록 설정할 수 있는지 여부를 고려합니다. ", + "text": "신뢰할 수 있는 환경에서 배포", "waf": "안전" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", - "severity": "보통", - "text": "Azure Spring Apps는 모든 앱에 대해 두 개의 배포를 허용하며, 그 중 하나만 프로덕션 트래픽을 수신합니다. 블루-그린 배포 전략을 통해 가동 중지 시간 제로를 달성할 수 있습니다. 파란색 녹색 배포는 표준 및 엔터프라이즈 계층에서만 사용할 수 있습니다. 
ADO/GitHub 작업과 함께 CI/CD를 사용하여 배포를 자동화할 수 있습니다.", - "waf": "신뢰도" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", - "severity": "보통", - "text": "Azure Spring Apps 인스턴스는 애플리케이션에 대해 여러 지역에서 만들 수 있으며 Traffic Manager/Front Door에서 트래픽을 라우팅할 수 있습니다.", - "waf": "신뢰도" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "FTP/FTPS 및 WebDeploy/SCM 모두에 대한 기본 인증을 사용 안함으로 설정합니다. 이렇게 하면 이러한 서비스에 대한 액세스가 비활성화되고 배포에 Azure AD 보안 엔드포인트가 사용됩니다. SCM 사이트는 Azure AD 자격 증명을 사용하여 열 수도 있습니다.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", + "severity": "높다", + "text": "기본 인증 사용 안 함", + "waf": "안전" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", - "severity": "보통", - "text": "지원되는 지역에서 Azure Spring Apps는 영역 중복으로 배포할 수 있으며, 이는 인스턴스가 가용성 영역에 자동으로 분산됨을 의미합니다. 이 기능은 Standard 및 Enterprise 계층에서만 사용할 수 있습니다.", - "waf": "신뢰도" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "가능한 경우 관리 ID를 사용하여 Azure AD 보안 리소스에 연결합니다. 
이렇게 할 수 없는 경우 Key Vault에 비밀을 저장하고 대신 관리 ID를 사용하여 Key Vault에 연결합니다.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", + "severity": "높다", + "text": "관리 ID를 사용하여 리소스에 연결", + "waf": "안전" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", - "severity": "보통", - "text": "앱에 1개 이상의 앱 인스턴스 사용", - "waf": "신뢰도" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Container Registry에 저장된 이미지를 사용하는 경우 관리 ID를 사용하여 끌어옵니다.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", + "severity": "높다", + "text": "관리 ID를 사용하여 컨테이너 끌어오기", + "waf": "안전" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service의 진단 설정을 구성하면 모든 원격 분석을 로깅 및 모니터링의 중앙 대상으로 Log Analytics에 보낼 수 있습니다. 이를 통해 HTTP 로그, 애플리케이션 로그, 플랫폼 로그 등과 같은 App Service의 런타임 활동을 모니터링할 수 있습니다.", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "severity": "보통", - "text": "로그, 메트릭 및 추적을 사용하여 Azure Spring Apps를 모니터링합니다. 
ASA를 Application Insights와 통합하고, 오류를 추적하고, 통합 문서를 만듭니다.", - "waf": "신뢰도" + "text": "Log Analytics에 App Service 런타임 로그 보내기Send App Service runtime logs to Log Analytics", + "waf": "안전" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "활동 로그를 Log Analytics에 로깅 및 모니터링의 중앙 대상으로 보내도록 진단 설정을 지정합니다. 이렇게 하면 App Service 리소스 자체에서 컨트롤 플레인 작업을 모니터링할 수 있습니다.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "severity": "보통", - "text": "Spring Cloud Gateway에서 자동 크기 조정 설정", - "waf": "신뢰도" + "text": "Log Analytics에 App Service 활동 로그 보내기Send App Service activity logs to Log Analytics", + "waf": "안전" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "severity": "낮다", - "text": "표준 소비 및 전용 플랜이 있는 앱에 대해 자동 크기 조정을 사용하도록 설정합니다.", - "waf": "신뢰도" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "지역 VNet 통합, 네트워크 보안 그룹 및 UDR의 조합을 사용하여 아웃바운드 네트워크 액세스를 제어합니다. 트래픽은 Azure Firewall과 같은 NVA로 라우팅되어야 합니다. 
방화벽의 로그를 모니터링해야 합니다.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", + "severity": "보통", + "text": "아웃바운드 네트워크 액세스를 제어해야 함", + "waf": "안전" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", - "severity": "보통", - "text": "중요 업무용 앱에 대한 Spring Boot의 상업적 지원을 위해 Enterprise 플랜을 사용합니다. 다른 계층에서는 OSS 지원을 받을 수 있습니다.", - "waf": "신뢰도" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "VNet 통합을 사용하고 VNet NAT Gateway 또는 NVA와 같은 Azure Firewall을 사용하여 안정적인 아웃바운드 IP를 제공할 수 있습니다. 이렇게 하면 필요한 경우 수신 당사자가 IP를 기반으로 허용 목록을 만들 수 있습니다. Azure 서비스에 대한 통신의 경우 IP 주소에 의존할 필요가 없는 경우가 많으며 서비스 엔드포인트와 같은 메커니즘을 대신 사용해야 합니다. (또한 수신 끝에서 프라이빗 엔드포인트를 사용하면 SNAT가 발생하지 않고 안정적인 아웃바운드 IP 범위를 제공합니다.)", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "낮다", + "text": "인터넷 주소에 대한 아웃바운드 통신을 위한 안정적인 IP 보장", + "waf": "안전" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", - "severity": "보통", - "text": "Azure Data Factory에 대한 FTA 복원력 플레이북 활용", - "waf": "신뢰도" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service 액세스 제한, 서비스 엔드포인트 또는 프라이빗 엔드포인트의 조합을 사용하여 인바운드 네트워크 액세스를 제어합니다. 
웹앱 자체 및 SCM 사이트에 대해 서로 다른 액세스 제한이 필요하고 구성될 수 있습니다.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "높다", + "text": "인바운드 네트워크 액세스를 제어해야 합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Application Gateway 또는 Azure Front Door와 같은 Web Application Firewall을 사용하여 악의적인 인바운드 트래픽으로부터 보호합니다. WAF의 로그를 모니터링해야 합니다.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "severity": "높다", - "text": "가용성 영역을 지원하는 지역에서 영역 중복 파이프라인 사용Use zone redundant pipelines in regions that support Availability Zones", - "waf": "신뢰도" + "text": "App Service 앞에서 WAF 사용Use a WAF in front of App Service", + "waf": "안전" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", - "severity": "보통", - "text": "DevOps를 사용하여 Github/Azure DevOps 통합으로 ARM 템플릿 백업 ", - "waf": "신뢰도" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "WAF에 대한 액세스만 잠궈 WAF를 우회할 수 없는지 확인합니다. 
액세스 제한, 서비스 엔드포인트 및 프라이빗 엔드포인트의 조합을 사용합니다.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "높다", + "text": "WAF가 우회되지 않도록 방지", + "waf": "안전" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service 구성에서 최소 TLS 정책을 1.2로 설정합니다.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "severity": "보통", - "text": "다른 지역에서 자체 호스팅 통합 런타임 VM을 복제해야 합니다. ", - "waf": "신뢰도" + "text": "최소 TLS 정책을 1.2로 설정합니다.", + "waf": "안전" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "보통", - "text": "자매 지역에서 네트워크를 복제하거나 복제해야 합니다. 다른 지역에서 Vnet의 복사본을 만들어야 합니다", - "waf": "신뢰도" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "HTTPS만 사용하도록 App Service를 구성합니다. 이로 인해 App Service가 HTTP에서 HTTPS로 리디렉션됩니다. 
코드 또는 WAF에서 HSTS(HTTP Strict Transport Security)를 사용하여 HTTPS를 통해서만 사이트에 액세스해야 함을 브라우저에 알리는 것이 좋습니다.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", + "severity": "높다", + "text": "HTTPS만 사용", + "waf": "안전" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "ADF 파이프라인에서 Key Vault를 사용하는 경우 Key Vault를 복제하기 위해 아무 작업도 수행할 필요가 없습니다. Key Vault는 관리되는 서비스이며 Microsoft에서 처리합니다", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", - "severity": "낮다", - "text": "Keyvault 통합을 사용하는 경우 Keyvault의 SLA를 사용하여 가용성을 파악합니다", - "waf": "신뢰도" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "CORS 구성에서 와일드카드를 사용하면 모든 원본이 서비스에 액세스할 수 있으므로 CORS의 목적에 어긋나므로 사용하지 마세요. 특히 서비스에 액세스할 수 있을 것으로 예상되는 원본만 허용합니다.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", + "severity": "높다", + "text": "와일드카드는 CORS에 사용할 수 없습니다.", + "waf": "안전" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", - "severity": "보통", - "text": "Azure Front Door에서 고객 관리형 TLS 인증서를 사용하는 경우 '최신' 인증서 버전을 사용합니다. 
수동 인증서 갱신으로 인한 중단 위험 감소", - "waf": "작업" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "원격 디버깅은 서비스에서 추가 포트를 열어 공격 노출 영역을 증가시키므로 프로덕션에서 켜면 안 됩니다. 서비스는 48시간 후에 자동으로 원격 디버깅을 설정합니다.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", + "severity": "높다", + "text": "원격 디버깅 끄기", + "waf": "안전" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "App Service용 Defender를 사용하도록 설정합니다. 이는 다른 위협 중에서도 알려진 악성 IP 주소에 대한 통신을 탐지합니다. 
작업의 일부로 App Service용 Defender의 권장 사항을 검토합니다.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "severity": "보통", - "text": "Application Gateway v2 SKU를 사용하고 있는지 확인합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "클라우드용 Defender 사용 - App Service용 Defender", "waf": "안전" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure는 네트워크에서 DDoS 기본 보호를 제공하며, 정상적인 트래픽 패턴을 학습하고 비정상적인 동작을 감지할 수 있는 지능형 DDoS 표준 기능으로 개선할 수 있습니다. 
DDoS 표준은 Virtual Network에 적용되므로 Application Gateway 또는 NVA와 같은 앱 앞의 네트워크 리소스에 대해 구성해야 합니다.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "severity": "보통", - "text": "Azure Load Balancer에 표준 SKU를 사용하고 있는지 확인합니다.", + "text": "WAF VNet에서 DDOS 보호 표준 사용Enable DDOS Protection Standard on the WAF VNet", "waf": "안전" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure Container Registry에 저장된 이미지를 사용하는 경우 프라이빗 엔드포인트 및 앱 설정 'WEBSITE_PULL_IMAGE_OVER_VNET'를 사용하여 Azure Container Registry에서 가상 네트워크를 통해 끌어옵니다.", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", "severity": "보통", - "text": "Load Balancer 프런트 엔드 IP 주소가 영역 중복인지 확인합니다(영역 프런트 엔드가 필요하지 않은 경우).", + "text": "Virtual Network를 통해 컨테이너 끌어오기", "waf": "안전" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = 
iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "참여의 침투 테스트 규칙에 따라 웹 응용 프로그램에 대한 침투 테스트를 수행합니다.", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", "severity": "보통", - "text": "Application Gateway v2는 IP 접두사가 /24보다 크거나 같은 서브넷에 배포해야 합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "침투 테스트 수행", "waf": "안전" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "description": "일반적으로 역방향 프록시 및 특히 WAF의 관리는 네트워킹보다 애플리케이션에 더 가깝기 때문에 앱과 동일한 구독에 속합니다. 
연결 구독에서 Application Gateway 및 WAF를 중앙 집중화하는 것은 단일 팀에서 관리하는 경우 괜찮을 수 있습니다.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "DevSecOps 사례에 따라 취약성을 검증하고 검사한 신뢰할 수 있는 코드를 배포합니다.", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "severity": "보통", - "text": "랜딩 영역 가상 네트워크 내에서 그리고 보안 중인 앱을 사용하여 인바운드 HTTP(S) 연결을 프록시하는 데 사용되는 Azure Application Gateway v2 또는 파트너 NVA를 배포합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "유효성이 검사된 코드 배포", "waf": "안전" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", - "severity": "보통", - "text": "애플리케이션 랜딩 존의 모든 공용 IP 주소에 대해 DDoS 네트워크 또는 IP 보호 계획을 사용합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "지원되는 플랫폼, 프로그래밍 언어, 프로토콜 및 프레임워크의 최신 버전을 사용합니다.", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", + "severity": "높다", + "text": "최신 플랫폼, 언어, 프로토콜 및 프레임워크 사용", "waf": "안전" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and 
properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", - "severity": "보통", - "text": "최소 인스턴스 수를 2개로 자동 크기 조정을 구성합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "신뢰도" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", + "service": "Azure OpenAI", + "severity": "높다", + "text": "공명형 AI를 위한 Metaprompting 가드레일 따르기", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", - "severity": "보통", - "text": "가용성 영역에 Application Gateway 배포", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "신뢰도" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", + "service": "Azure OpenAI", + "severity": "높다", + "text": "더 나은 속도 제한, 부하 분산, 인증 및 로깅을 위해 APIM 또는 AI Central과 같은 솔루션을 사용하여 게이트웨이 패턴을 고려합니다.", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", - "severity": "보통", - "text": "WAF 정책과 함께 Azure Front Door를 사용하여 여러 Azure 지역에 걸쳐 있는 글로벌 HTTP/S 앱을 제공하고 보호할 수 있습니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", + "service": "Azure OpenAI", + "severity": "높다", + "text": "AOAI 인스턴스에 대한 모니터링 활성화", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", - "severity": "보통", - "text": "Front Door 및 Application Gateway를 사용하여 HTTP/S 앱을 보호하는 경우 Front Door에서 WAF 정책을 사용합니다. 
Front Door에서만 트래픽을 수신하도록 Application Gateway를 잠급니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "안전" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", + "service": "Azure OpenAI", + "severity": "높다", + "text": "리소스에 대해 수행된 작업(예: 구독 키 다시 생성) 또는 메트릭 임계값(예: 한 시간에 10을 초과하는 오류 수)에 의해 생성된 활동 로그의 항목과 같은 이벤트를 팀에 알리는 경고를 만듭니다", + "waf": "운영 우수성" }, { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", "severity": "높다", - "text": "Traffic Manager를 사용하여 HTTP/S 이외의 프로토콜에 걸쳐 있는 글로벌 앱을 제공합니다.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "신뢰도" + "text": "용량으로 인한 서비스 중단을 방지하기 위해 토큰 사용량을 모니터링합니다.", + "waf": "운영 우수성" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", + "service": "Azure OpenAI", + "severity": "보통", + "text": "처리된 추론 토큰, 생성된 완료 토큰, 속도 제한 모니터링과 
같은 메트릭 관찰", + "waf": "운영 우수성" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", + "service": "Azure OpenAI", "severity": "낮다", - "text": "사용자가 내부 애플리케이션에만 액세스해야 하는 경우 Microsoft Entra ID 애플리케이션 프록시가 AVD(Azure Virtual Desktop)의 대안으로 고려되었나요?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", - "waf": "안전" + "text": "진단이 충분하지 않은 경우 Azure OpenAI 앞에 있는 Azure API Managements와 같은 게이트웨이를 사용하여 허용되는 경우 들어오는 프롬프트와 나가는 응답을 모두 기록하는 것이 좋습니다", + "waf": "운영 우수성" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "보통", - "text": "네트워크에서 들어오는 연결에 대해 열려 있는 방화벽 포트 수를 줄이려면 Microsoft Entra ID 애플리케이션 프록시를 사용하여 원격 사용자에게 내부 애플리케이션에 대한 안전하고 인증된 액세스를 제공하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "안전" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", + "service": "Azure OpenAI", + "severity": "높다", + "text": "Infrastructure as code를 사용하여 Azure OpenAI Service, 모델 배포 및 모든 관련 리소스를 배포합니다", + "waf": "운영 우수성" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, 
enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
- "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4350d092-d234-4292-a752-8537a551c5bf",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "'방지' 모드에서 Front Door에 대한 WAF 정책을 배포합니다.",
+ "text": "API 키 대신 관리 ID로 Microsoft Entra 인증 사용",
 "waf": "안전"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc",
+ "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "Azure Traffic Manager와 Azure Front Door를 결합하지 마세요.",
- "waf": "안전"
+ "text": "입력과 정답이 있는 알려진 골든 데이터 세트를 사용하여 시스템의 성능/정확도를 평가합니다. 
평가를 위해 PromptFlow의 기능을 활용합니다.",
+ "waf": "운영 우수성"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "68889535-e327-4897-b31b-67d67be5962a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "Azure Front Door 및 원본에서 동일한 도메인 이름을 사용합니다. 호스트 이름이 일치하지 않으면 미묘한 버그가 발생할 수 있습니다.",
- "waf": "안전"
+ "text": "프로비저닝된 처리량 모델의 사용 평가 ",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure AI 콘텐츠 안전성 검토 및 구현",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "분당 토큰 및 응답을 기반으로 시스템의 처리량을 정의 및 평가하고 요구 사항에 맞춥니다.",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "토큰 크기, 스트리밍 옵션을 제한하여 시스템의 대기 시간을 개선합니다.",
+ "waf": "공연"
+ },
+ {
+ "arm-service": 
"Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "탄력성 요구를 예측하여 우선 순위에 따라 동기 및 일괄 처리 요청 분리를 결정합니다. 우선 순위가 높은 경우 동기 접근 방식을 사용하고 낮은 우선 순위의 경우 큐를 사용한 비동기 일괄 처리가 선호됩니다",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5bda4332-4f24-4811-9331-82ba51752694",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "소비자의 예상 수요를 기반으로 토큰 사용 요구 사항을 벤치마킹합니다. 프로비저닝된 처리량 단위 배포를 사용하는 경우 처리량의 유효성을 검사하는 데 도움이 되도록 Azure OpenAI 벤치마킹 도구를 사용하는 것이 좋습니다",
+ "waf": "공연"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619",
+ "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "PTU(프로비저닝된 처리량 단위)를 사용하는 경우 오버플로 요청에 대한 TPM(분당 토큰) 배포를 배포하는 것이 좋습니다. 
게이트웨이를 사용하여 PTU 제한에 도달할 때 TPM 배포로 요청을 라우팅합니다.",
+ "waf": "공연"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
- "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
- "service": "Front Door",
- "severity": "낮다",
- "text": "Azure Front Door 원본 그룹에 원본이 하나만 있는 경우 상태 프로브를 사용하지 않도록 설정합니다.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e8a13f98-8794-424d-9267-86d60b96c97b",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "올바른 작업에 적합한 모델을 선택하십시오. 
속도, 응답 품질 및 출력 복잡성 간에 적절한 절충점이 있는 모델 선택",
 "waf": "공연"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e9951904-8384-45c9-a6cb-2912156a1147",
+ "link": "https://github.com/Azure/azure-openai-benchmark/",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Azure Front Door에 대한 양호한 상태 프로브 엔드포인트를 선택합니다. 애플리케이션의 모든 종속성을 확인하는 상태 엔드포인트를 빌드하는 것이 좋습니다.",
- "waf": "신뢰도"
+ "text": "미세 조정으로 모델 성능이 향상되었는지 여부를 파악하기 위해 미세 조정 없이 성능에 대한 기준이 있습니다.",
+ "waf": "공연"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
- "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
 "severity": "낮다",
- "text": "Azure Front Door와 함께 HEAD 상태 프로브를 사용하여 Front Door가 애플리케이션으로 보내는 트래픽을 줄입니다.",
- "waf": "공연"
+ "text": "여러 지역에 여러 OAI 인스턴스 배포",
+ "waf": "신뢰도"
 },
 {
- "ammp": true,
- "arm-service": "Microsoft.Network/loadBalancers",
- 
"checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
- "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
- "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
- "service": "Load Balancer",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "b039da6d-55d7-4c89-8adb-107d5325af62",
+ "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "SNAT 확장성 향상을 위해 Load Balancer 아웃바운드 규칙 대신 Azure NAT Gateway 사용",
+ "text": "APIM과 같은 게이트웨이 패턴을 사용하여 재시도 및 상태 확인 구현Implement retry & healthchecks with gateway pattern like APIM",
 "waf": "신뢰도"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
- "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
- "service": "Front Door",
- "severity": "높다",
- "text": "Azure Front Door에서 관리형 TLS 인증서를 사용합니다. 
운영 비용을 줄이고 인증서 갱신으로 인한 중단 위험을 줄입니다.",
- "waf": "작업"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "워크로드에 대한 TPM 및 RPM의 적절한 할당량이 있는지 확인합니다.",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ec723923-7a15-42d6-ac5e-402925387e5c",
+ "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Azure Front Door WAF 구성을 코드로 정의합니다. 코드를 사용하면 새 규칙 집합 버전을 보다 쉽게 채택하고 추가 보호를 얻을 수 있습니다.",
- "waf": "작업"
+ "text": "HAI 도구 키트 지침의 고려 사항을 검토하고 slution에 대한 이러한 상호 작용 방법을 적용합니다",
+ "waf": "운영 우수성"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls",
- "service": "Front Door",
- "severity": "높다",
- "text": "Azure Front Door에서 엔드투엔드 TLS를 사용합니다. 
클라이언트에서 Front Door로, Front Door에서 원본으로 연결하는 데 TLS를 사용합니다.",
- "waf": "안전"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f154e3a-a369-4282-ae7e-316183687a04",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "미세 조정이 사용되는 경우 지역 간에 별도의 미세 조정된 모델을 배포합니다.",
+ "waf": "신뢰도"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77a1f893-5bda-4433-84f2-4811633182ba",
+ "link": "https://learn.microsoft.com/azure/backup/backup-overview",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Azure Front Door에서 HTTP에서 HTTPS로 리디렉션을 사용합니다. 이전 클라이언트를 HTTPS 요청으로 자동 리디렉션하여 지원합니다.",
- "waf": "안전"
+ "text": "중요한 데이터를 정기적으로 백업 및 복제하여 데이터 손실 또는 시스템 장애 발생 시 데이터 가용성과 복구 가능성을 보장합니다. Azure의 백업 및 재해 복구 서비스를 활용하여 데이터를 보호하세요.",
+ "waf": "신뢰도"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "Azure Front Door WAF를 사용하도록 설정합니다. 다양한 공격으로부터 애플리케이션을 보호합니다.",
- "waf": "안전"
+ "text": "SLA를 갖도록 Azure AI 검색 서비스 계층을 선택해야 합니다. 
",
+ "waf": "신뢰도"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf",
- "service": "Front Door",
- "severity": "높다",
- "text": "워크로드에 맞게 Azure Front Door WAF를 튜닝합니다. 가양성 탐지를 줄입니다.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a",
+ "link": "https://learn.microsoft.com/purview/purview",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "text": "임베딩을 생성하기 전에 데이터 및 민감도를 분류하고 Microsoft Purview를 사용하여 레이블을 지정하고 생성된 임베딩을 동일한 민감도 및 분류로 처리해야 합니다",
 "waf": "안전"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "Azure Front Door WAF 정책에서 요청 본문 검사 기능을 사용하도록 설정합니다.",
+ "text": "BYOK(옵션)를 사용한 SSE/디스크 암호화로 RAG에 사용되는 데이터 암호화",
 "waf": "안전"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ 
"guid": "59ae558b-937d-4498-9e11-12dbd7ba012f",
+ "link": "https://learn.microsoft.com/azure/search/search-security-overview",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "Azure Front Door WAF 기본 규칙 집합을 사용하도록 설정합니다. 기본 규칙 집합은 일반적인 공격을 탐지하고 차단합니다.",
+ "text": "데이터 소스 간 전송 중인 데이터, RAG(Retrieval-Augmented Generation) 및 LLM 통신에 사용되는 AI 검색에 TLS가 적용되는지 확인합니다.",
 "waf": "안전"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "Azure Front Door WAF 봇 보호 규칙 집합을 사용하도록 설정합니다. 봇 규칙은 좋은 봇과 나쁜 봇을 감지합니다.",
- "waf": "안전"
- },
- {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
- "service": "Front Door",
- "severity": "보통",
- "text": "최신 Azure Front Door WAF 규칙 집합 버전을 사용합니다. 규칙 집합 업데이트는 현재 위협 환경을 고려하기 위해 정기적으로 업데이트됩니다.",
- "waf": "안전"
- },
- {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
- "service": "Front Door",
- "severity": "보통",
- "text": "Azure Front Door WAF에 속도 제한을 추가합니다. 
속도 제한은 클라이언트가 실수로 또는 의도적으로 짧은 시간에 많은 양의 트래픽을 보내는 것을 차단합니다.",
+ "text": "RBAC를 사용하여 Azure OpenAI 서비스에 대한 액세스를 관리합니다. 사용자에게 적절한 권한을 할당하고 사용자의 역할과 책임에 따라 액세스를 제한합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056",
+ "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Azure Front Door WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호 기능을 제공합니다. ",
+ "text": "데이터 암호화, 마스킹 또는 수정 기술을 구현하여 비프로덕션 환경에서 또는 테스트 또는 문제 해결을 위해 데이터를 공유할 때 민감한 데이터를 숨기거나 난독화된 값으로 대체합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
- "service": "Front Door",
- "severity": "낮다",
- "text": "모든 지역에서 트래픽이 발생하지 않을 것으로 예상되는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure Defender를 활용하여 보안 위협을 탐지 및 대응하고 의심스러운 활동 또는 위반을 식별하기 위한 모니터링 및 경고 메커니즘을 설정합니다. 
고급 위협 탐지 및 대응을 위해 Azure Sentinel 활용",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
- "service": "Front Door",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55",
+ "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Azure Front Door WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 않도록 합니다.",
+ "text": "규정 준수 규정을 준수하기 위해 데이터 보존 및 폐기 정책을 수립합니다. 더 이상 필요하지 않은 데이터에 대한 안전한 삭제 방법을 구현하고 데이터 보존 및 폐기 활동에 대한 감사 추적을 유지 관리합니다.",
 "waf": "안전"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
- "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
- "service": "App Gateway",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a",
+ "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "Azure Application Gateway WAF 봇 
보호 규칙 집합 사용Enable the Azure Application Gateway WAF bot protection rule set 봇 규칙은 좋은 봇과 나쁜 봇을 검색합니다.",
- "waf": "안전"
+ "text": "Content Safety를 사용하여 Prompt shields 및 groundedness detection 구현 ",
+ "waf": "운영 우수성"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
- "service": "App Gateway",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876",
+ "link": "https://learn.microsoft.com/azure/compliance/",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "Azure Application Gateway WAF 정책에서 요청 본문 검사 기능을 사용하도록 설정합니다.",
+ "text": "개인 정보 보호 제어를 구현하고 데이터 처리 활동에 필요한 동의 또는 권한을 얻어 GDPR 또는 HIPAA와 같은 관련 데이터 보호 규정을 준수하도록 합니다.",
 "waf": "안전"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
- "service": "App Gateway",
- "severity": "높다",
- "text": "워크로드에 대한 Azure Application Gateway WAF를 조정합니다. 가양성 탐지를 줄입니다.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682",
+ "service": "Azure OpenAI",
+ "severity": "보통",
+ "text": "데이터 보안 모범 사례, 데이터 안전한 처리의 중요성, 데이터 침해와 관련된 잠재적 위험에 대해 직원을 교육합니다. 
데이터 보안 프로토콜을 성실히 따르도록 권장합니다.",
 "waf": "안전"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
- "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "App Gateway",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "'방지' 모드에서 Application Gateway에 대한 WAF 정책을 배포합니다.",
+ "text": "생산 데이터를 개발 및 테스트 데이터와 분리합니다. 프로덕션에서는 실제 민감한 데이터만 사용하고 개발 및 테스트 환경에서는 익명 또는 합성 데이터를 활용합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
- "service": "App Gateway",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Azure Application Gateway WAF에 속도 제한을 추가합니다. 속도 제한은 클라이언트가 실수로 또는 의도적으로 짧은 시간에 많은 양의 트래픽을 보내는 것을 차단합니다.",
+ "text": "데이터 민감도 수준이 다양하다면 각 수준에 대해 별도의 인덱스를 만드는 것이 좋습니다. 
예를 들어, 일반 데이터에 대한 인덱스와 민감한 데이터에 대한 인덱스가 있을 수 있으며, 각각 다른 액세스 프로토콜에 의해 제어됩니다",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
- "service": "App Gateway",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Azure Application Gateway WAF 속도 제한에 높은 임계값을 사용합니다. 높은 속도 제한 임계값은 합법적인 트래픽 차단을 방지하는 동시에 인프라를 압도할 수 있는 매우 많은 수의 요청에 대한 보호 기능을 제공합니다. ",
+ "text": "한 단계 더 나아가 중요한 데이터 세트를 서비스의 다른 인스턴스에 배치합니다. 각 인스턴스는 고유한 특정 RBAC 정책 집합으로 제어할 수 있습니다",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "99937189-ff78-492a-b9ca-18d828d82b37",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices",
- "service": "App Gateway",
- "severity": "낮다",
- "text": "모든 지역에서 트래픽이 발생하지 않을 것으로 예상되는 경우 지역 필터를 사용하여 예상하지 못한 국가의 트래픽을 차단합니다.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "민감한 정보에서 생성된 임베딩과 벡터는 그 자체로 민감하다는 점을 인식해야 합니다. 이 데이터에는 원본 자료와 동일한 보호 조치가 제공되어야 합니다",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "349a15c1-52f4-4319-9078-3895d95ecafd",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules",
- "service": "App Gateway",
- "severity": "보통",
- "text": "Azure Application Gateway WAF를 사용하여 트래픽을 지리적으로 필터링할 때 알 수 없는(ZZ) 위치를 지정합니다. 
IP 주소를 지리적으로 일치시킬 수 없는 경우 합법적인 요청을 실수로 차단하지 않도록 합니다.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "임베딩 및 벡터가 있는 데이터 저장소에 RBAC를 적용하고 역할의 액세스 요구 사항에 따라 액세스 범위를 지정합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
- "service": "App Gateway",
- "severity": "보통",
- "text": "최신 Azure Application Gateway WAF 규칙 집합 버전을 사용합니다. 규칙 집합 업데이트는 현재 위협 환경을 고려하기 위해 정기적으로 업데이트됩니다.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "AI 서비스에 대한 프라이빗 엔드포인트를 구성하여 네트워크 내 서비스 액세스를 제한합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "App Gateway",
- "severity": "보통",
- "text": "진단 설정을 추가하여 Azure Application Gateway WAF 로그를 저장합니다.",
- "waf": "작업"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure Firewall 및 UDR을 사용하여 엄격한 인바운드 및 아웃바운드 트래픽 제어를 적용하고 외부 
통합 지점을 제한합니다.",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "Front Door",
- "severity": "보통",
- "text": "진단 설정을 추가하여 Azure Front Door WAF 로그를 저장합니다.",
- "waf": "작업"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6f7c0cba-fe51-4464-add4-57e927138b82",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "네트워크 세분화 및 액세스 제어를 구현하여 LLM 애플리케이션에 대한 액세스를 인증된 사용자 및 시스템으로만 제한하고 측면 이동을 방지합니다.",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "92664c60-47e3-4591-8b1b-8d557656e686",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
- "service": "App Gateway",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f",
+ "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Azure Application Gateway WAF 로그를 Microsoft Sentinel로 보냅니다.",
- "waf": "작업"
+ "text": "LLMLingua 또는 gprtrim과 같은 프롬프트 압축 도구 사용",
+ "waf": "비용 최적화"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "845f5f91-9c21-4674-a725-5ce890850e20",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "Front Door",
- "severity": "보통",
- "text": "Azure Front Door WAF 로그를 Microsoft Sentinel로 보냅니다.",
- "waf": "작업"
+ "arm-service": 
"Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "1102cac6-eae0-41e6-b842-e52f4721d928",
+ "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "LLM 애플리케이션에서 사용하는 API 및 엔드포인트가 관리 ID, API 키 또는 OAuth와 같은 인증 및 권한 부여 메커니즘으로 적절하게 보호되어 무단 액세스를 방지해야 합니다.",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code",
- "service": "App Gateway",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc",
+ "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Azure Application Gateway WAF 구성을 코드로 정의합니다. 코드를 사용하면 새 규칙 집합 버전을 보다 쉽게 채택하고 추가 보호를 얻을 수 있습니다.",
- "waf": "작업"
+ "text": "다단계 인증(multi-factor authentication)과 같은 강력한 최종 사용자 인증 메커니즘을 적용하여 LLM 애플리케이션 및 관련 네트워크 리소스에 대한 무단 액세스를 방지합니다.",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
- "service": "App Gateway",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "93555620-2bfe-4456-9b0d-834a348b263e",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "레거시 WAF 구성 대신 WAF 정책을 사용합니다.",
- "waf": "작업"
+ "text": "네트워크 모니터링 도구를 구현하여 의심스럽거나 악의적인 활동에 대한 네트워크 트래픽을 탐지하고 분석합니다. 
로깅을 활성화하여 네트워크 이벤트를 캡처하고 보안 사고 발생 시 포렌식 분석을 용이하게 합니다.",
+ "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
- "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
- "service": "App Gateway",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c",
+ "service": "Azure OpenAI",
 "severity": "보통",
- "text": "Application Gateway 서브넷의 연결(예: NSG 사용)만 허용하도록 백 엔드에서 인바운드 트래픽을 필터링합니다.",
+ "text": "보안 감사 및 침투 테스트를 수행하여 LLM 애플리케이션의 네트워크 인프라에서 네트워크 보안 약점 또는 취약성을 식별하고 해결합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1",
- "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions",
- "service": "Front Door",
- "severity": "보통",
- "text": "원본이 Azure Front Door 인스턴스의 트래픽만 가져와야 합니다.",
- "waf": "안전"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "text": "Azure AI 서비스는 더 나은 관리를 위해 적절하게 태그가 지정됩니다.",
+ "waf": "운영 우수성"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2",
- "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview",
- "service": "App Gateway",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56",
+ "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations",
+ "service": "Azure OpenAI",
+ "severity": "낮다",
+ "text": "Azure AI Service 계정은 조직의 명명 규칙을 따릅니다.",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36",
+ "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure AI Services 리소스의 진단 로그를 사용하도록 설정해야 함",
+ "waf": "운영 우수성"
+ },
+ {
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d",
+ "link": "https://learn.microsoft.com/azure/ai-services/authentication",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "백 엔드 서버에 대한 트래픽을 암호화해야 합니다.",
+ "text": "키 액세스(로컬 인증)는 보안을 위해 사용하지 않도록 설정하는 것이 좋습니다. 키 기반 액세스를 사용하지 않도록 설정하면 Microsoft Entra ID가 유일한 액세스 방법이 되어 최소 권한 원칙과 세분화된 제어를 유지할 수 있습니다. ",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/overview",
- "service": "App Gateway",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "웹 응용 프로그램 방화벽을 사용해야 합니다.",
+ "text": "Azure Key Vault를 사용하여 키를 안전하게 저장하고 관리하세요. 
LLM 애플리케이션의 코드 내에 중요한 키를 하드 코딩하거나 포함하지 않도록 하고 관리 ID를 사용하여 Azure Key Vault에서 안전하게 검색합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2",
- "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview",
- "service": "App Gateway",
- "severity": "보통",
- "text": "HTTP를 HTTPS로 리디렉션",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "Azure Key Vault에 저장된 키를 정기적으로 회전하고 만료하여 무단 액세스의 위험을 최소화합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f",
- "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request",
- "service": "App Gateway",
- "severity": "보통",
- "text": "게이트웨이 관리 쿠키를 사용하여 처리를 위해 사용자 세션에서 동일한 서버로 트래픽을 전달합니다.",
- "waf": "작업"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "adfe27be-e297-401a-a352-baaab79b088d",
+ "link": "https://github.com/openai/tiktoken",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "tiktoken을 사용하여 대화 모드에서 토큰 최적화를 위한 토큰 크기 이해",
+ "waf": "비용 최적화"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings",
- "service": "App Gateway",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e",
+ "link": 
"https://learn.microsoft.com/azure/security/develop/secure-dev-overview",
+ "service": "Azure OpenAI",
 "severity": "높다",
- "text": "계획된 서비스 업데이트 중에 연결 드레이닝을 사용하도록 설정하여 백 엔드 풀의 기존 멤버에 대한 연결 손실을 방지합니다.",
+ "text": "보안 코딩 관행에 따라 주입 공격, XSS(교차 사이트 스크립팅) 또는 보안 구성 오류와 같은 일반적인 취약성을 방지합니다",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
- "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
- "service": "App Gateway",
- "severity": "낮다",
- "text": "사용자 지정 오류 페이지를 만들어 개인화된 사용자 환경 표시",
- "waf": "작업"
- },
- {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
- "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
- "service": "App Gateway",
- "severity": "보통",
- "text": "HTTP 요청 및 응답 헤더를 편집하여 클라이언트와 서버 간의 라우팅 및 정보 교환을 보다 쉽게 할 수 있습니다.",
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3",
+ "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops",
+ "service": "Azure OpenAI",
+ "severity": "높다",
+ "text": "LLM 라이브러리와 다른 시스템 컴포넌트를 정기적으로 업데이트하고 패치하는 프로세스를 설정합니다.",
 "waf": "안전"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
- "service": "App Gateway",
- "severity": "보통",
- "text": "빠른 글로벌 장애 조치(failover)를 통해 글로벌 웹 트래픽 라우팅 및 최상위 계층 최종 사용자 성능 및 안정성을 최적화하도록 Front Door 구성",
- "waf": "공연"
+ "arm-service": "Microsoft.CognitiveServices/accounts",
+ "checklist": "Azure OpenAI Review",
+ "guid": 
"e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "Azure OpenAI", + "severity": "높다", + "text": "Azure OpenAI 또는 기타 LLM 사용 약관, 정책 및 지침, 허용되는 사용 사례 준수", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "Azure OpenAI", "severity": "보통", - "text": "전송 계층 부하 분산 사용Use transport layer load balancing", - "waf": "공연" + "text": "기본 모델과 미세 조정된 모델 및 토큰 단계 크기의 비용 차이를 이해합니다.", + "waf": "비용 최적화" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", - "severity": "보통", - "text": "단일 게이트웨이에서 여러 웹 응용 프로그램에 대한 호스트 또는 도메인 이름을 기반으로 라우팅 구성Configure routing based on host or domain name for multiple web applications on a single gateway", - "waf": "안전" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", + "severity": "높다", + "text": "가능한 경우 호출당 오버헤드를 최소화하여 전체 비용을 줄일 수 있는 일괄 처리 요청. 
배치 크기를 최적화해야 합니다.", + "waf": "비용 최적화" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", "severity": "보통", - "text": "SSL 인증서 관리를 중앙 집중화하여 백엔드 서버 팜의 암호화 및 암호 해독 오버헤드를 줄입니다.", - "waf": "안전" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "severity": "낮다", - "text": "WebSocket 및 HTTP/2 프로토콜에 대한 기본 지원을 위해 Application Gateway 사용", - "waf": "안전" + "text": "모델 사용을 모니터링하는 비용 추적 시스템을 설정하고 해당 정보를 사용하여 모델 선택 및 프롬프트 크기를 알립니다", + "waf": "비용 최적화" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub는 미사용 데이터의 암호화를 제공합니다. 사용자 고유의 키를 사용하는 경우 데이터는 여전히 Microsoft 관리형 키를 사용하여 암호화되지만 Microsoft 관리형 키는 고객 관리형 키를 사용하여 암호화됩니다. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", - "severity": "낮다", - "text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션 사용Use customer-managed key option in data at rest encryption when required", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "안전" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", + "severity": "보통", + "text": "모델 응답당 토큰 수에 대한 최대 제한을 설정합니다. 유효한 응답에 사용할 수 있을 만큼 충분히 큰지 확인하기 위해 크기를 최적화합니다", + "waf": "비용 최적화" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hubs 네임스페이스를 사용하면 클라이언트가 TLS 1.0 이상을 사용하여 데이터를 보내고 받을 수 있습니다. 더 엄격한 보안 조치를 적용하기 위해 클라이언트가 최신 버전의 TLS를 사용하여 데이터를 보내고 받도록 Event Hubs 네임스페이스를 구성할 수 있습니다. Event Hubs 네임스페이스에 최소 버전의 TLS가 필요한 경우 이전 버전으로 수행된 모든 요청이 실패합니다. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "Azure OpenAI", "severity": "보통", - "text": "요청에 필요한 최소 버전의 TLS(전송 계층 보안) 적용 ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "안전" + "text": "안정성을 위한 AI 검색 설정에 대해 제공된 지침을 검토합니다.", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Event Hubs 네임스페이스를 만들 때 네임스페이스에 대해 RootManageSharedAccessKey라는 정책 규칙이 자동으로 만들어집니다. 이 정책에는 전체 네임스페이스에 대한 관리 권한이 있습니다. 이 규칙을 관리 루트 계정처럼 취급하고 응용 프로그램에서 사용하지 않는 것이 좋습니다. RBAC에서 AAD를 인증 공급자로 사용하는 것이 좋습니다. ", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", "severity": "보통", - "text": "필요하지 않은 경우 루트 계정을 사용하지 마십시오.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "안전" + "text": "AI Search Vector 스토리지 계획 및 관리", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure 리소스에 대한 관리 ID는 Azure VM(Virtual Machines), 함수 앱, Virtual Machine Scale Sets 및 기타 서비스에서 실행되는 애플리케이션에서 Azure AD 자격 증명을 사용하여 Event Hubs 리소스에 대한 액세스 권한을 부여할 수 있습니다. 
Azure AD 인증과 함께 Azure 리소스에 대한 관리 ID를 사용하면 클라우드에서 실행되는 애플리케이션에 자격 증명을 저장하지 않아도 됩니다. ", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "보통", - "text": "가능한 경우 애플리케이션은 관리 ID를 사용하여 Azure Event Hub에 인증해야 합니다. 그렇지 않은 경우 Azure Key Vault 또는 동등한 서비스에 스토리지 자격 증명(SAS, 서비스 주체 자격 증명)을 사용하는 것이 좋습니다", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "안전" + "text": "LLMOps 사례를 적용하여 GenAI 애플리케이션의 라이프사이클 관리를 자동화합니다.", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "권한을 만들 때 Azure Event Hub에 대한 클라이언트의 액세스를 세밀하게 제어할 수 있습니다. 
Azure Event Hub의 사용 권한은 개별 리소스 수준(예: 소비자 그룹, 이벤트 허브 엔터티, 이벤트 허브 네임스페이스 등)으로 범위를 지정할 수 있으며 범위가 지정되어야 합니다.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", "severity": "높다", - "text": "최소 권한 데이터 평면 RBAC 사용", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "안전" + "text": "청구 모델 사용 평가 - PAYG 대 PTU", + "waf": "비용 최적화" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub 리소스 로그에는 작업 로그, 가상 네트워크 및 Kafka 로그가 포함됩니다. 런타임 감사 로그는 Event Hubs의 모든 데이터 평면 액세스 작업(예: 이벤트 보내기 또는 받기)에 대해 집계된 진단 정보를 캡처합니다.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "Azure OpenAI", "severity": "보통", - "text": "보안 조사를 위해 로깅을 사용하도록 설정합니다. 
Azure Monitor를 사용하여 리소스 로그, 런타임 감사 로그 및 Kafka 로그와 같은 메트릭 및 로그를 캡처합니다.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "안전" + "text": "모델 버전 간에 전환할 때 프롬프트와 응용 프로그램의 품질을 평가합니다.", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure Event Hub는 기본적으로 공용 IP 주소를 가지며 인터넷에 연결할 수 있습니다. 프라이빗 엔드포인트를 사용하면 가상 네트워크와 Azure Event Hub 간의 트래픽이 Microsoft 백본 네트워크를 통해 트래버스할 수 있습니다. 또한 퍼블릭 엔드포인트를 사용하지 않는 경우 사용하지 않도록 설정해야 합니다. ", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "보통", - "text": "프라이빗 엔드포인트를 사용하여 Azure Event Hub에 액세스하고 해당하는 경우 공용 네트워크 액세스를 사용하지 않도록 설정하는 것이 좋습니다.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "안전" + "text": "GenAI 앱을 평가, 모니터링 및 개선하여 근거, 관련성, 정확성, 일관성, 유창성 등의 기능을 제공합니다.", + "waf": "운영 우수성" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "Azure OpenAI", + "severity": "보통", + "text": "다양한 검색 매개 변수를 기반으로 Azure AI Search 결과를 평가합니다", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "IP 방화벽을 사용하면 퍼블릭 엔드포인트를 CIDR(Classless Inter-Domain Routing) 표기법의 IPv4 주소 또는 IPv4 주소 범위 집합으로만 추가로 제한할 수 있습니다. 
", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2744293b-b628-4537-a551-19b08e8f5854", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "Azure OpenAI", "severity": "보통", - "text": "특정 IP 주소 또는 범위에서 Azure Event Hub 네임스페이스에 대한 액세스만 허용하는 것이 좋습니다", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "안전" + "text": "데이터를 사용하여 프롬프트 엔지니어링 및 RAG와 같은 다른 기본 접근 방식을 시도한 경우에만 모델을 미세 조정하여 정확도를 높이는 방법으로 살펴보십시오", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Azure OpenAI", "severity": "보통", - "text": "FTA 탄력성 핸드북 활용", - "waf": "신뢰도" + "text": "프롬프트 엔지니어링 기법을 사용하여 LLM 응답의 정확도 향상", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": " 영역 사용 지역의 프리미엄, 전용 또는 표준 SKU를 사용하여 포털에서 만든 새 EH 네임스페이스에 대해 자동으로 설정됩니다. 
EH 메타데이터와 이벤트 데이터 자체는 모두 영역 간에 복제됩니다", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", - "severity": "높다", - "text": "지역적으로 적용 가능한 경우 가용성 영역 활용Leverage Availability Zones if regionally applicable", - "waf": "신뢰도" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "Azure OpenAI", + "severity": "보통", + "text": "GenAI 애플리케이션을 위한 레드 팀", + "waf": "안전" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "Azure OpenAI", "severity": "보통", - "text": "예측 가능한 성능을 위해 프리미엄 또는 전용 SKU 사용", - "waf": "신뢰도" + "text": "최종 사용자에게 LLM 응답에 대한 점수 매기기 옵션을 제공하고 이러한 점수를 추적합니다. ", + "waf": "운영 우수성" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "기본 제공 지역 재해 복구 기능을 사용하도록 설정하면 네임스페이스(Event Hubs, 소비자 그룹 및 설정)의 전체 구성이 기본 네임스페이스에서 보조 네임스페이스로 지속적으로 복제되며, 언제든지 한 번만 장애 조치(failover)를 주 네임스페이스에서 보조 네임스페이스로 이동할 수 있습니다. 
활성/수동 기능은 애플리케이션 구성을 변경할 필요 없이 실패한 Azure 지역에서 더 쉽게 복구하고 중단할 수 있도록 설계되었습니다", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "severity": "높다", - "text": "Active Passive 구성을 사용하여 지역 재해 복구 계획Plan for Geo Disaster Recovery using Active Passive configuration", - "waf": "신뢰도" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "다운된 지역에서 이벤트 데이터의 중단 또는 손실을 허용할 수 없는 DR 구성에 사용해야 합니다. 이러한 경우 복제 지침을 따르고 기본 제공 지역 재해 복구 기능(활성/수동)을 사용하지 마세요. 액티브/액티브를 사용하여 서로 다른 지역 및 네임스페이스에서 여러 Event Hubs를 유지 관리하면 허브 간에 이벤트가 복제됩니다", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", - "severity": "보통", - "text": "Business Critical Applications의 경우 Active Active 구성을 사용합니다.", - "waf": "신뢰도" + "text": "할당량 관리 방법 고려", + "waf": "비용 최적화" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "Azure OpenAI", "severity": "보통", - "text": "복원력 있는 Event Hubs 설계", - "waf": "신뢰도" + "text": "APIM 기반 게이트웨이와 같은 Load Balancer 솔루션을 사용하여 서비스 및 지역 간에 부하와 용량을 분산합니다", + 
"waf": "운영 우수성" }, { "arm-service": "Microsoft.Devices/IotHubs", 
@@ -8938,59 +8838,159 @@
 "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare",
- "service": "IoT Hub DPS",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
+ "service": "Azure Functions",
 "severity": "높다",
- "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 Logic App 호스팅 계획 선택Select the right Logic App hosting plan based on your business & SLO requirements",
+ "text": "비즈니스 및 SLO 요구 사항에 따라 올바른 기능 호스팅 계획을 선택하십시오.",
 "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "f6dd7977-1123-4f39-b488-f91415a8430a",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
- "service": "IoT Hub DPS",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "a9808100-d640-4f77-ac56-1ec0600f6752",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans",
+ "service": "Azure Functions",
 "severity": "높다",
- "text": "영역 중복 및 가용성 영역을 사용하여 지역 오류로부터 논리 앱 보호Protect logic apps from region failures with zone redundancy and availability zones",
+ "text": "지역적으로 적용 가능한 가용성 영역 활용(소비 계층에는 사용할 수 없음)",
 "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "8aed4fbf-0830-4883-899d-222a154af478",
- "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
- "service": "IoT Hub DPS",
- "severity": "높다",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "5969d03e-eacf-4042-b127-73c55e3575fa",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity",
+ "service": "Azure Functions",
+ "severity": "보통",
 "text": "중요한 워크로드에 대한 지역 간 DR 전략 고려",
 "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "da0f033e-d180-4f36-9aa4-c468dba14203",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c",
 "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro",
- "service": "IoT Hub DPS",
+ "service": "Azure Functions",
 "severity": "높다",
 "text": "격리된 환경에 배포하는 경우 ASE(App Service Environment) v3을 사용하거나 마이그레이션합니다",
 "waf": "신뢰도"
 },
 {
- "arm-service": "Microsoft.Devices/provisioningServices",
- "checklist": "Device Provisioning Service Review",
- "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on",
+ "service": "Azure Functions",
+ "severity": "높다",
+ "text": "App Service 계획에서 실행되는 모든 함수 앱에 대해 'Always On'이 사용하도록 설정되어 있는지 확인합니다.",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba",
+ "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts",
+ "service": "Azure Functions",
+ "severity": "보통",
+ "text": "함수 앱을 자체 스토리지 계정에 페어링합니다. 긴밀하게 결합되지 않는 한 함수 앱에 대한 스토리지 계정을 다시 사용하지 마세요",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Azure Function Review",
+ "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0",
 "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/",
- "service": "IoT Hub DPS",
+ "service": "Azure Functions",
 "severity": "보통",
- "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 논리 앱 코드를 보호합니다.",
+ "text": "Azure DevOps 또는 GitHub를 활용하여 CI/CD를 간소화하고 함수 앱 코드를 보호합니다.",
 "waf": "작업"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies",
+ "service": "Spring Apps",
+ "severity": "보통",
+ "text": "Azure Spring Apps는 모든 앱에 대해 두 개의 배포를 허용하며, 그 중 하나만 프로덕션 트래픽을 수신합니다. 블루-그린 배포 전략을 통해 가동 중지 시간 제로를 달성할 수 있습니다. 파란색 녹색 배포는 표준 및 엔터프라이즈 계층에서만 사용할 수 있습니다. ADO/GitHub 작업과 함께 CI/CD를 사용하여 배포를 자동화할 수 있습니다.",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716",
+ "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region",
+ "service": "Spring Apps",
+ "severity": "보통",
+ "text": "Azure Spring Apps 인스턴스는 애플리케이션에 대해 여러 지역에서 만들 수 있으며 Traffic Manager/Front Door에서 트래픽을 라우팅할 수 있습니다.",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef",
+ "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps",
+ "service": "Spring Apps",
+ "severity": "보통",
+ "text": "지원되는 지역에서 Azure Spring Apps는 영역 중복으로 배포할 수 있으며, 이는 인스턴스가 가용성 영역에 자동으로 분산됨을 의미합니다. 이 기능은 Standard 및 Enterprise 계층에서만 사용할 수 있습니다.",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066",
+ "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment",
+ "service": "Spring Apps",
+ "severity": "보통",
+ "text": "앱에 1개 이상의 앱 인스턴스 사용",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "7504c230-6035-4183-95a5-85762acc6075",
+ "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services",
+ "service": "Spring Apps",
+ "severity": "보통",
+ "text": "로그, 메트릭 및 추적을 사용하여 Azure Spring Apps를 모니터링합니다. ASA를 Application Insights와 통합하고, 오류를 추적하고, 통합 문서를 만듭니다.",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway",
+ "service": "Spring Apps",
+ "severity": "보통",
+ "text": "Spring Cloud Gateway에서 자동 크기 조정 설정",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "97411607-b6fd-4335-99d1-9885faf4e392",
+ "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale",
+ "service": "Spring Apps",
+ "severity": "낮다",
+ "text": "표준 소비 및 전용 플랜이 있는 앱에 대해 자동 크기 조정을 사용하도록 설정합니다.",
+ "waf": "신뢰도"
+ },
+ {
+ "arm-service": "Microsoft.AppPlatform/Spring",
+ "checklist": "Azure Spring Apps Review",
+ "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3",
+ "link": "https://learn.microsoft.com/azure/spring-apps/overview",
+ "service": "Spring Apps",
+ "severity": "보통",
+ "text": "중요 업무용 앱에 대한 Spring Boot의 상업적 지원을 위해 Enterprise 플랜을 사용합니다. 다른 계층에서는 OSS 지원을 받을 수 있습니다.",
+ "waf": "신뢰도"
 }
 ],
 "metadata": {
 "name": "WAF checklist",
- "timestamp": "August 05, 2024"
+ "timestamp": "August 08, 2024"
 },
 "severities": [
 {
diff --git a/checklists/waf_checklist.pt.json b/checklists/waf_checklist.pt.json
index 66b8b93d5..1e41cb251 100644
--- a/checklists/waf_checklist.pt.json
+++ b/checklists/waf_checklist.pt.json
@@ -1,8996 +1,8996 @@
 {
 "items": [
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "Aplicar as orientações do benchmark de segurança na nuvem da Microsoft relacionadas ao armazenamento",
- "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8",
- "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline",
- "service": "Azure Storage",
+ "arm-service": "Microsoft.BotService/botServices",
+ "checklist": "Azure Bot Service",
+ "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c",
+ "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot",
+ "service": "Bot service",
 "severity": "Média",
- "text": "Considere a 'linha de base de segurança do Azure para armazenamento'",
- "waf": "Segurança"
+ "text": "Siga as recomendações de suporte de confiabilidade no Serviço de Bot do Azure",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "O Armazenamento do Azure, por padrão, tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem expor com segurança o Armazenamento do Azure apenas aos recursos de Computação do Azure que precisam de acesso, eliminando assim a exposição à Internet pública",
- "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints",
- "service": "Azure Storage",
- "severity": "Alto",
- "text": "Considere o uso de pontos de extremidade privados para o Armazenamento do Azure",
- "waf": "Segurança"
+ "arm-service": "Microsoft.BotService/botServices",
+ "checklist": "Azure Bot Service",
+ "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a",
+ "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization",
+ "service": "Bot service",
+ "severity": "Média",
+ "text": "Implantando bots com residência de dados local e conformidade regional",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Azure Blob Storage Review",
- "description": "As contas de armazenamento recém-criadas são criadas usando o modelo de implantação ARM, para que o RBAC, a auditoria, etc., estejam todos habilitados. 
Verifique se não há contas de armazenamento antigas com modelo de implantação clássico em uma assinatura", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", "severity": "Média", - "text": "Verifique se as contas de armazenamento mais antigas não estão usando o 'modelo de implantação clássico'", - "waf": "Segurança" + "text": "O Serviço de Bot do Azure é executado no modo ativo-ativo para serviços globais e regionais. Quando ocorre uma paralisação, você não precisa detectar erros ou gerenciar o serviço. O Serviço de Bot do Azure executa automaticamente o failover automático e a recuperação automática em uma arquitetura geográfica de várias regiões. Para o serviço regional de bot da UE, o Serviço de Bot do Azure fornece duas regiões completas dentro da Europa com replicação ativa/ativa para garantir redundância. 
Para o serviço de bot global, todas as regiões/geografias disponíveis podem ser servidas como a presença global.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Aproveite o Microsoft Defender para saber mais sobre atividades suspeitas e configurações incorretas.", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", - "severity": "Alto", - "text": "Habilitar o Microsoft Defender para todas as suas contas de armazenamento", - "waf": "Segurança" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", + "severity": "Média", + "text": "Os Aplicativos Spring do Azure permitem duas implantações para cada aplicativo, apenas um dos quais recebe tráfego de produção. Você pode obter tempo de inatividade zero com estratégias de implantação em verde azul. A implantação verde azul só está disponível nas camadas Standard e Enterprise. 
Você pode automatizar a implantação usando CI/CD com ações do ADO/GitHub", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "O mecanismo soft-delete permite recuperar blobs excluídos acidentalmente.", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "severity": "Média", - "text": "Ativar 'exclusão suave' para blobs", - "waf": "Segurança" + "text": "As instâncias do Azure Spring Apps podem ser criadas em várias regiões para seus aplicativos e o tráfego pode ser roteado pelo Gerenciador de Tráfego/Front Door.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Considere desativar seletivamente a \"exclusão suave\" para determinados contêineres de blob, por exemplo, se o aplicativo tiver que garantir que as informações excluídas sejam imediatamente excluídas, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. 
", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", "severity": "Média", - "text": "Desativar 'exclusão suave' para blobs", - "waf": "Segurança" + "text": "Na região com suporte, os Aplicativos Spring do Azure podem ser implantados como zona redundante, o que significa que as instâncias são distribuídas automaticamente entre zonas de disponibilidade. Esse recurso só está disponível nas camadas Standard e Enterprise.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "A exclusão suave para contêineres permite que você recupere um contêiner depois que ele tenha sido excluído, por exemplo, recuperar de uma operação de exclusão acidental.", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", - "severity": "Alto", - "text": "Ativar 'exclusão suave' para contêineres", - "waf": "Segurança" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", + "severity": "Média", + "text": "Usar mais de 1 instância de aplicativo para seus aplicativos", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Considere desativar seletivamente a \"exclusão suave\" para determinados contêineres de blob, por exemplo, se o 
aplicativo tiver que garantir que as informações excluídas sejam imediatamente excluídas, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. ", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "severity": "Média", - "text": "Desativar 'exclusão suave' para contêineres", - "waf": "Segurança" + "text": "Monitore os Aplicativos Spring do Azure com logs, métricas e rastreamento. Integre o ASA com insights de aplicativos e rastreie falhas e crie pastas de trabalho.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Evita a exclusão acidental de uma conta de armazenamento, forçando o usuário a remover primeiro o bloqueio de exclusão, antes da exclusão", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "Alto", - "text": "Habilitar bloqueios de recursos em contas de armazenamento", - "waf": "Segurança" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", + "severity": "Média", + "text": "Configurar o dimensionamento automático no Spring Cloud Gateway", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Considere políticas de \"retenção legal\" ou 
\"retenção baseada em tempo\" para blobs, de modo que seja impossível excluir o blob, o contêiner ou a conta de armazenamento. Por favor, note que \"impossível\" significa na verdade \"impossível\"; uma vez que uma conta de armazenamento contém um blob imutável, a única maneira de 'se livrar' dessa conta de armazenamento é cancelando a assinatura do Azure.", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", - "severity": "Alto", - "text": "Considere blobs imutáveis", - "waf": "Segurança" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + "severity": "Baixo", + "text": "Habilite o dimensionamento automático para os aplicativos com o plano de consumo padrão e dedicado.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Considere desabilitar o acesso HTTP/80 desprotegido à conta de armazenamento, para que todas as transferências de dados sejam criptografadas, protegidas por integridade e o servidor seja autenticado. 
", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", - "severity": "Alto", - "text": "Exigir HTTPS, ou seja, desativar a porta 80 na conta de armazenamento", - "waf": "Segurança" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", + "severity": "Média", + "text": "Use o plano Enterprise para suporte comercial de inicialização spring para aplicativos de missão crítica. Com outras camadas, você obtém suporte a OSS.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Ao configurar um domínio personalizado (nome do host) em uma conta de armazenamento, verifique se você precisa de TLS/HTTPS; em caso afirmativo, talvez seja necessário colocar a CDN do Azure na frente da sua conta de armazenamento.", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", "severity": "Alto", - "text": "Ao impor HTTPS (desabilitando HTTP), verifique se você não usa domínios personalizados (CNAME) para a conta de armazenamento.", - "waf": "Segurança" + "text": "Aproveitar zonas de disponibilidade, se aplicável regionalmente (isso é habilitado automaticamente)", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Exigir HTTPS quando um cliente usa um token SAS 
para acessar dados de blob ajuda a minimizar o risco de perda de credenciais.", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "severity": "Média", - "text": "Limitar tokens de assinatura de acesso compartilhado (SAS) somente a conexões HTTPS", - "waf": "Segurança" + "text": "Esteja ciente dos failovers iniciados pela Microsoft. Eles são exercidos pela Microsoft em raras situações para fazer failover de todos os hubs IoT de uma região afetada para a região geo-emparelhada correspondente.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Os tokens AAD devem ser favorecidos em relação às assinaturas de acesso compartilhado, sempre que possível", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", "severity": "Alto", - "text": "Usar tokens do Azure Active Directory (Azure AD) para acesso de blob", - "waf": "Segurança" + "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Ao atribuir uma função a um usuário, grupo ou aplicativo, conceda a essa entidade de segurança apenas as permissões necessárias para 
que eles executem suas tarefas. Limitar o acesso aos recursos ajuda a evitar o uso indevido não intencional e mal-intencionado de seus dados.", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", - "severity": "Média", - "text": "Privilégio mínimo nas permissões do IaM", - "waf": "Segurança" + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", + "severity": "Alto", + "text": "Saiba como acionar um failover manual.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "Uma SAS de delegação de usuário é protegida com credenciais do Azure Active Directory (Azure AD) e também pelas permissões especificadas para a SAS. Uma SAS de delegação de usuário é análoga a uma SAS de serviço em termos de escopo e função, mas oferece benefícios de segurança em relação à SAS de serviço. 
", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", "severity": "Alto", - "text": "Ao usar o SAS, prefira o SAS de delegação de usuário ao SAS baseado em chave de conta de armazenamento.", - "waf": "Segurança" + "text": "Saiba como fazer failback após um failover.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "As chaves de conta de armazenamento ('chaves compartilhadas') têm pouquíssimos recursos de auditoria. Embora possa ser monitorado em quem/quando foi obtida uma cópia das chaves, uma vez que as chaves estão nas mãos de várias pessoas, é impossível atribuir o uso a um usuário específico. Depender exclusivamente da autenticação do AAD facilita a vinculação do acesso ao armazenamento a um usuário. 
", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", "severity": "Alto", - "text": "Considere desabilitar as chaves de conta de armazenamento, para que somente o acesso ao AAD (e a delegação de usuários SAS) seja suportado.", - "waf": "Segurança" + "text": "Selecione o plano de hospedagem de aplicativo lógico certo com base em seus requisitos de negócios e SLO", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Proteja aplicativos lógicos contra falhas de região com redundância de zona e zonas de disponibilidade", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + 
"link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", + "severity": "Alto", + "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", + "severity": "Média", + "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código de Aplicativo Lógico", + "waf": "Operações" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", + "severity": "Média", + "text": "Aproveite o Manual de Resiliência de FTA para o Azure Data Factory", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "severity": "Alto", + "text": "Usar pipelines redundantes de zona em regiões que oferecem suporte a zonas de disponibilidade", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", + "severity": "Média", + "text": "Usar DevOps para fazer backup dos modelos ARM 
com a integração Github/Azure DevOps ", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "severity": "Média", + "text": "Certifique-se de replicar as VMs do Self-Hosted Integration Runtime em outra região ", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "severity": "Média", + "text": "Certifique-se de replicar ou duplicar sua rede na região irmã. Você tem que fazer uma cópia do seu Vnet em outra região", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "description": "Se seus pipelines do ADF usarem o Cofre de Chaves, você não precisará fazer nada para replicar o Cofre de Chaves. 
O Cofre de Chaves é um serviço gerenciado e a Microsoft cuida dele para você", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", + "severity": "Baixo", + "text": "Se estiver usando a integração do Keyvault, use o SLA do Keyvault para entender sua disponibilidade", + "waf": "Fiabilidade" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "Use os dados do Registro de atividades para identificar \"quando\", \"quem\", \"o que\" e \"como\" a segurança da sua conta de armazenamento está sendo visualizada ou alterada (ou seja, chaves de conta de armazenamento, políticas de acesso, etc.).", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "description": "Aplicar as orientações do benchmark de segurança na nuvem da Microsoft relacionadas ao armazenamento", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", "service": "Azure Storage", - "severity": "Alto", - "text": "Considere usar o Azure Monitor para auditar as operações do plano de controle na conta de armazenamento", + "severity": "Média", + "text": "Considere a 'linha de base de segurança do Azure para armazenamento'", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "Uma política de expiração de chave permite que você defina um lembrete para a rotação das chaves de acesso da conta. 
O lembrete será exibido se o intervalo especificado tiver decorrido e as teclas ainda não tiverem sido giradas.", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "description": "O Armazenamento do Azure, por padrão, tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem expor com segurança o Armazenamento do Azure apenas aos recursos de Computação do Azure que precisam de acesso, eliminando assim a exposição à Internet pública", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", "service": "Azure Storage", - "severity": "Média", - "text": "Ao usar chaves de conta de armazenamento, considere habilitar uma 'política de expiração de chave'", + "severity": "Alto", + "text": "Considere o uso de pontos de extremidade privados para o Armazenamento do Azure", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "Uma diretiva de expiração SAS especifica um intervalo recomendado sobre o qual a SAS é válida. As políticas de expiração do SAS se aplicam a um SAS de serviço ou a um SAS de conta. Quando um usuário gera SAS de serviço ou SAS de conta com um intervalo de validade maior do que o intervalo recomendado, ele verá um aviso.", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "description": "As contas de armazenamento recém-criadas são criadas usando o modelo de implantação ARM, para que o RBAC, a auditoria, etc., estejam todos habilitados. 
Verifique se não há contas de armazenamento antigas com modelo de implantação clássico em uma assinatura", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", "service": "Azure Storage", "severity": "Média", - "text": "Considere configurar uma política de expiração SAS", + "text": "Verifique se as contas de armazenamento mais antigas não estão usando o 'modelo de implantação clássico'", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "As políticas de acesso armazenado oferecem a opção de revogar permissões para uma SAS de serviço sem precisar gerar novamente as chaves da conta de armazenamento. ", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "description": "Aproveite o Microsoft Defender para saber mais sobre atividades suspeitas e configurações incorretas.", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", "service": "Azure Storage", - "severity": "Média", - "text": "Considere vincular o SAS a uma política de acesso armazenado", + "severity": "Alto", + "text": "Habilitar o Microsoft Defender para todas as suas contas de armazenamento", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "description": "O mecanismo soft-delete permite recuperar blobs excluídos acidentalmente.", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": 
"https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", "service": "Azure Storage", "severity": "Média", - "text": "Considere configurar o repositório de código-fonte do aplicativo para detectar cadeias de conexão com check-in e chaves de conta de armazenamento.", + "text": "Ativar 'exclusão suave' para blobs", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "Idealmente, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Armazenamento do Azure. Se isso não for possível, considere ter a credencial de armazenamento (cadeia de conexão, chave de conta de armazenamento, SAS, credencial da entidade de serviço) no Azure KeyVault ou em um serviço equivalente.", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "description": "Considere desativar seletivamente a \"exclusão suave\" para determinados contêineres de blob, por exemplo, se o aplicativo tiver que garantir que as informações excluídas sejam imediatamente excluídas, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. ", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", "service": "Azure Storage", - "severity": "Alto", - "text": "Considere armazenar cadeias de conexão no Cofre de Chaves do Azure (em cenários em que identidades gerenciadas não são possíveis)", + "severity": "Média", + "text": "Desativar 'exclusão suave' para blobs", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "Use tempos de expiração de curto prazo em um SAS de serviço SAS ad hoc ou SAS de conta. Dessa forma, mesmo que um SAS seja comprometido, ele é válido apenas por um curto período de tempo. 
Essa prática é especialmente importante se você não puder fazer referência a uma política de acesso armazenado. Os tempos de expiração de curto prazo também limitam a quantidade de dados que podem ser gravados em um blob, limitando o tempo disponível para carregar nele.", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "description": "A exclusão suave para contêineres permite que você recupere um contêiner depois que ele tenha sido excluído, por exemplo, recuperar de uma operação de exclusão acidental.", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", "service": "Azure Storage", "severity": "Alto", - "text": "Esforce-se por curtos períodos de validade para SAS ad-hoc", + "text": "Ativar 'exclusão suave' para contêineres", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "Ao criar um SAS, seja o mais específico e restritivo possível. Prefira um SAS para um único recurso e operação em vez de um SAS que dá acesso muito mais amplo.", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "description": "Considere desativar seletivamente a \"exclusão suave\" para determinados contêineres de blob, por exemplo, se o aplicativo tiver que garantir que as informações excluídas sejam imediatamente excluídas, por exemplo, por motivos de confidencialidade, privacidade ou conformidade. 
", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", "service": "Azure Storage", "severity": "Média", - "text": "Aplicar um escopo restrito a uma SAS", + "text": "Desativar 'exclusão suave' para contêineres", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "Uma SAS pode incluir parâmetros nos quais endereços IP de cliente ou intervalos de endereços estão autorizados a solicitar um recurso usando a SAS. ", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "description": "Evita a exclusão acidental de uma conta de armazenamento, forçando o usuário a remover primeiro o bloqueio de exclusão, antes da exclusão", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", "service": "Azure Storage", - "severity": "Média", - "text": "Considere a definição do escopo do SAS para um endereço IP de cliente específico, sempre que possível", + "severity": "Alto", + "text": "Habilitar bloqueios de recursos em contas de armazenamento", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "Um SAS não pode restringir a quantidade de dados que um cliente carrega; Dado o modelo de precificação da quantidade de armazenamento ao longo do tempo, pode fazer sentido validar se os clientes carregaram conteúdo maliciosamente grande.", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "description": "Considere políticas de \"retenção legal\" ou \"retenção baseada em tempo\" para blobs, de modo que seja impossível excluir o blob, o contêiner ou a conta de armazenamento. 
Por favor, note que \"impossível\" significa na verdade \"impossível\"; uma vez que uma conta de armazenamento contém um blob imutável, a única maneira de 'se livrar' dessa conta de armazenamento é cancelando a assinatura do Azure.", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", "service": "Azure Storage", - "severity": "Baixo", - "text": "Considere verificar os dados carregados, depois que os clientes usaram um SAS para carregar um arquivo. ", + "severity": "Alto", + "text": "Considere blobs imutáveis", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "Ao acessar o armazenamento de blob via SFTP usando uma 'conta de usuário local', os controles RBAC 'normais' não se aplicam. O acesso a blobs via NFS ou REST pode ser mais restritivo do que o acesso a SFTP. Infelizmente, no início de 2023, os usuários locais são a única forma de gerenciamento de identidade que atualmente é suportada para o ponto de extremidade SFTP", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "description": "Considere desabilitar o acesso HTTP/80 desprotegido à conta de armazenamento, para que todas as transferências de dados sejam criptografadas, protegidas por integridade e o servidor seja autenticado. 
", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", "service": "Azure Storage", "severity": "Alto", - "text": "SFTP: Limite a quantidade de 'usuários locais' para acesso SFTP e audite se o acesso é necessário ao longo do tempo.", + "text": "Exigir HTTPS, ou seja, desativar a porta 80 na conta de armazenamento", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "description": "Ao configurar um domínio personalizado (nome do host) em uma conta de armazenamento, verifique se você precisa de TLS/HTTPS; em caso afirmativo, talvez seja necessário colocar a CDN do Azure na frente da sua conta de armazenamento.", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", "service": "Azure Storage", - "severity": "Média", - "text": "SFTP: O ponto de extremidade SFTP não oferece suporte a ACLs do tipo POSIX.", + "severity": "Alto", + "text": "Ao impor HTTPS (desabilitando HTTP), verifique se você não usa domínios personalizados (CNAME) para a conta de armazenamento.", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "O armazenamento oferece suporte a CORS (Cross-Origin Resource Sharing), ou seja, um recurso HTTP que permite que aplicativos Web de um domínio diferente afrouxem a política de mesma origem. 
Ao habilitar o CORS, mantenha o CorsRules com o menor privilégio.", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "description": "Exigir HTTPS quando um cliente usa um token SAS para acessar dados de blob ajuda a minimizar o risco de perda de credenciais.", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", "service": "Azure Storage", - "severity": "Alto", - "text": "Evite políticas CORS excessivamente amplas", + "severity": "Média", + "text": "Limitar tokens de assinatura de acesso compartilhado (SAS) somente a conexões HTTPS", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "Os dados em repouso são sempre criptografados no lado do servidor e, além disso, também podem ser criptografados no lado do cliente. A criptografia do lado do servidor pode acontecer usando uma chave gerenciada por plataforma (padrão) ou uma chave gerenciada pelo cliente. A criptografia do lado do cliente pode acontecer fazendo com que o cliente forneça uma chave de criptografia/descriptografia por blob para o armazenamento do Azure ou manipulando completamente a criptografia no lado do cliente. 
portanto, não depende do Armazenamento do Azure para garantias de confidencialidade.", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "description": "Os tokens AAD devem ser favorecidos em relação às assinaturas de acesso compartilhado, sempre que possível", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", "service": "Azure Storage", "severity": "Alto", - "text": "Determine como os dados em repouso devem ser criptografados. Entenda o modelo de thread para dados.", + "text": "Usar tokens do Azure Active Directory (Azure AD) para acesso de blob", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "description": "Ao atribuir uma função a um usuário, grupo ou aplicativo, conceda a essa entidade de segurança apenas as permissões necessárias para que eles executem suas tarefas. 
Limitar o acesso aos recursos ajuda a evitar o uso indevido não intencional e mal-intencionado de seus dados.", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", "service": "Azure Storage", "severity": "Média", - "text": "Determine qual/se a criptografia de plataforma deve ser usada.", + "text": "Privilégio mínimo nas permissões do IaM", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "description": "Uma SAS de delegação de usuário é protegida com credenciais do Azure Active Directory (Azure AD) e também pelas permissões especificadas para a SAS. Uma SAS de delegação de usuário é análoga a uma SAS de serviço em termos de escopo e função, mas oferece benefícios de segurança em relação à SAS de serviço. ", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", "service": "Azure Storage", - "severity": "Média", - "text": "Determine qual/se a criptografia do lado do cliente deve ser usada.", + "severity": "Alto", + "text": "Ao usar o SAS, prefira o SAS de delegação de usuário ao SAS baseado em chave de conta de armazenamento.", "waf": "Segurança" }, { "arm-service": "Microsoft.Storage/storageAccounts", "checklist": "Azure Blob Storage Review", - "description": "Aproveite o Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para localizar contas de armazenamento que permitem acesso anônimo a blobs.", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + 
"description": "As chaves de conta de armazenamento ('chaves compartilhadas') têm pouquíssimos recursos de auditoria. Embora possa ser monitorado em quem/quando foi obtida uma cópia das chaves, uma vez que as chaves estão nas mãos de várias pessoas, é impossível atribuir o uso a um usuário específico. Depender exclusivamente da autenticação do AAD facilita a vinculação do acesso ao armazenamento a um usuário. ", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", "service": "Azure Storage", "severity": "Alto", - "text": "Considere se o acesso de blob público é necessário ou se pode ser desabilitado para determinadas contas de armazenamento. ", + "text": "Considere desabilitar as chaves de conta de armazenamento, para que somente o acesso ao AAD (e a delegação de usuários SAS) seja suportado.", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", - "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", - "service": "AKS", - "severity": "Baixo", - "text": "Se necessário para cargas de trabalho do AKS Windows, os contêineres HostProcess podem ser usados", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Use os dados do Registro de atividades para identificar \"quando\", \"quem\", \"o que\" e \"como\" a segurança da sua conta de armazenamento está sendo visualizada ou alterada (ou seja, chaves de conta de armazenamento, políticas de acesso, etc.).", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "Alto", + "text": "Considere usar o Azure Monitor para auditar as operações do plano de controle na conta de 
armazenamento", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", - "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", - "service": "AKS", - "severity": "Baixo", - "text": "Usar o KEDA se estiver executando cargas de trabalho orientadas a eventos", - "waf": "Desempenho" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Uma política de expiração de chave permite que você defina um lembrete para a rotação das chaves de acesso da conta. O lembrete será exibido se o intervalo especificado tiver decorrido e as teclas ainda não tiverem sido giradas.", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", + "severity": "Média", + "text": "Ao usar chaves de conta de armazenamento, considere habilitar uma 'política de expiração de chave'", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", - "link": "https://dapr.io/", - "service": "AKS", - "severity": "Baixo", - "text": "Use o Dapr para facilitar o desenvolvimento de microsserviços", - "waf": "Operações" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Uma diretiva de expiração SAS especifica um intervalo recomendado sobre o qual a SAS é válida. As políticas de expiração do SAS se aplicam a um SAS de serviço ou a um SAS de conta. 
Quando um usuário gera SAS de serviço ou SAS de conta com um intervalo de validade maior do que o intervalo recomendado, ele verá um aviso.", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", + "severity": "Média", + "text": "Considere configurar uma política de expiração SAS", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", - "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", - "link": "https://learn.microsoft.com/azure/aks/uptime-sla", - "service": "AKS", - "severity": "Alto", - "text": "Use a oferta AKS apoiada por SLA", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "As políticas de acesso armazenado oferecem a opção de revogar permissões para uma SAS de serviço sem precisar gerar novamente as chaves da conta de armazenamento. 
", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", + "severity": "Média", + "text": "Considere vincular o SAS a uma política de acesso armazenado", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "Baixo", - "text": "Usar orçamentos de interrupção em seu pod e definições de implantação", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", + "severity": "Média", + "text": "Considere configurar o repositório de código-fonte do aplicativo para detectar cadeias de conexão com check-in e chaves de conta de armazenamento.", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "3c763963-7a55-42d5-a15e-401955387e5c", - "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", - "service": "ACR", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Idealmente, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Armazenamento do Azure. 
Se isso não for possível, considere ter a credencial de armazenamento (cadeia de conexão, chave de conta de armazenamento, SAS, credencial da entidade de serviço) no Azure KeyVault ou em um serviço equivalente.", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", "severity": "Alto", - "text": "Se estiver usando um registro privado, configure a replicação de região para armazenar imagens em várias regiões", - "waf": "Fiabilidade" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", - "service": "AKS", - "severity": "Baixo", - "text": "Use um aplicativo externo, como kubecost, para alocar custos para diferentes usuários", - "waf": "Custar" + "text": "Considere armazenar cadeias de conexão no Cofre de Chaves do Azure (em cenários em que identidades gerenciadas não são possíveis)", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", - "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", - "service": "AKS", - "severity": "Baixo", - "text": "Usar o modo de redução para excluir/desalocar nós", - "waf": "Custar" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Use tempos de expiração de curto prazo em um SAS de serviço SAS ad hoc ou SAS de conta. Dessa forma, mesmo que um SAS seja comprometido, ele é válido apenas por um curto período de tempo. Essa prática é especialmente importante se você não puder fazer referência a uma política de acesso armazenado. 
Os tempos de expiração de curto prazo também limitam a quantidade de dados que podem ser gravados em um blob, limitando o tempo disponível para carregar nele.", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "Alto", + "text": "Esforce-se por curtos períodos de validade para SAS ad-hoc", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", - "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Ao criar um SAS, seja o mais específico e restritivo possível. Prefira um SAS para um único recurso e operação em vez de um SAS que dá acesso muito mais amplo.", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "Média", - "text": "Quando necessário, use a GPU de partioning de várias instâncias em clusters AKS", - "waf": "Custar" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", - "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", - "service": "AKS", - "severity": "Baixo", - "text": "Se estiver executando um cluster de desenvolvimento/teste, use NodePool Start/Stop", - "waf": "Custar" + "text": "Aplicar um escopo restrito a uma SAS", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = 
(isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", - "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Uma SAS pode incluir parâmetros nos quais endereços IP de cliente ou intervalos de endereços estão autorizados a solicitar um recurso usando a SAS. ", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "Média", - "text": "Usar a Política do Azure para Kubernetes para garantir a conformidade do cluster", + "text": "Considere a definição do escopo do SAS para um endereço IP de cliente específico, sempre que possível", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", - "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", - "severity": "Média", - "text": "Separe os aplicativos do plano de controle com pools de nós de usuário/sistema", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Um SAS não pode restringir a quantidade de dados que um cliente carrega; Dado o modelo de precificação da quantidade de armazenamento ao longo do tempo, pode fazer sentido validar se os clientes carregaram conteúdo maliciosamente grande.", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure 
Storage", + "severity": "Baixo", + "text": "Considere verificar os dados carregados, depois que os clientes usaram um SAS para carregar um arquivo. ", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", - "link": "https://learn.microsoft.com/azure/aks/use-system-pools", - "service": "AKS", - "severity": "Baixo", - "text": "Adicione mancha ao seu nodepool do sistema para torná-lo dedicado", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Ao acessar o armazenamento de blob via SFTP usando uma 'conta de usuário local', os controles RBAC 'normais' não se aplicam. O acesso a blobs via NFS ou REST pode ser mais restritivo do que o acesso a SFTP. Infelizmente, no início de 2023, os usuários locais são a única forma de gerenciamento de identidade que atualmente é suportada para o ponto de extremidade SFTP", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "Alto", + "text": "SFTP: Limite a quantidade de 'usuários locais' para acesso SFTP e audite se o acesso é necessário ao longo do tempo.", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", - "link": "https://learn.microsoft.com/azure/container-registry/", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "Média", - "text": "Usar um registro privado para suas 
imagens, como o ACR", + "text": "SFTP: O ponto de extremidade SFTP não oferece suporte a ACLs do tipo POSIX.", "waf": "Segurança" }, { - "arm-service": "microsoft.containerregistry/registries", - "checklist": "Azure AKS Review", - "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", - "link": "https://learn.microsoft.com/azure/security-center/container-security", - "service": "ACR", - "severity": "Média", - "text": "Analise suas imagens em busca de vulnerabilidades", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "O armazenamento oferece suporte a CORS (Cross-Origin Resource Sharing), ou seja, um recurso HTTP que permite que aplicativos Web de um domínio diferente afrouxem a política de mesma origem. Ao habilitar o CORS, mantenha o CorsRules com o menor privilégio.", + "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", + "severity": "Alto", + "text": "Evite políticas CORS excessivamente amplas", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "Os dados em repouso são sempre criptografados no lado do servidor e, além disso, também podem ser criptografados no lado do cliente. A criptografia do lado do servidor pode acontecer usando uma chave gerenciada por plataforma (padrão) ou uma chave gerenciada pelo cliente. 
A criptografia do lado do cliente pode acontecer fazendo com que o cliente forneça uma chave de criptografia/descriptografia por blob para o armazenamento do Azure ou manipulando completamente a criptografia no lado do cliente. portanto, não depende do Armazenamento do Azure para garantias de confidencialidade.", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "severity": "Alto", - "text": "Definir requisitos de separação de aplicativos (namespace/nodepool/cluster)", + "text": "Determine como os dados em repouso devem ser criptografados. Entenda o modelo de thread para dados.", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", - "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", "severity": "Média", - "text": "Armazene seus segredos no Cofre de Chaves do Azure com o driver do CSI Secrets Store", + "text": "Determine qual/se a criptografia de plataforma deve ser usada.", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", - "link": "https://learn.microsoft.com/azure/aks/update-credentials", - "service": "AKS", - "severity": "Alto", - "text": "Se estiver usando entidades de serviço para o cluster, atualize as credenciais periodicamente (como trimestralmente)", - "waf": "Segurança" - }, - { - "arm-service": 
"microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", - "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", - "service": "AKS", - "severity": "Média", - "text": "Se necessário, adicione criptografia etcd do Serviço de Gerenciamento de Chaves", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", - "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", - "service": "AKS", - "severity": "Baixo", - "text": "Se necessário, considere o uso de computação confidencial para AKS", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", "severity": "Média", - "text": "Considere o uso do Defender for Containers", + "text": "Determine qual/se a criptografia do lado do cliente deve ser usada.", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage 
Review", + "description": "Aproveite o Resource Graph Explorer (resources | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true) para localizar contas de armazenamento que permitem acesso anônimo a blobs.", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", "severity": "Alto", - "text": "Usar identidades gerenciadas em vez de entidades de serviço", + "text": "Considere se o acesso de blob público é necessário ou se pode ser desabilitado para determinadas contas de armazenamento. ", "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "severity": "Média", - "text": "Integrar autenticação com AAD (usando a integração gerenciada)", - "waf": "Segurança" + "text": "O Azure Center for SAP solutions (ACSS) é uma oferta do Azure que torna o SAP uma carga de trabalho de nível superior no Azure. O ACSS é uma solução de ponta a ponta que permite criar e executar sistemas SAP como uma carga de trabalho unificada no Azure e fornece uma base mais perfeita para a inovação. 
Você pode aproveitar os recursos de gerenciamento para sistemas SAP novos e existentes baseados no Azure.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "Operações" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "severity": "Média", - "text": "Limitar o acesso ao admin kubeconfig (get-credentials --admin)", - "waf": "Segurança" + "text": "O Azure dá suporte à automação de implantações SAP no Linux e no Windows. O SAP Deployment Automation Framework é uma ferramenta de orquestração de código aberto que pode implantar, instalar e manter ambientes SAP.", + "training": "https://github.com/Azure/sap-automation", + "waf": "Operações" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", "severity": "Média", - "text": "Integrar autorização com AAD RBAC", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", - "severity": "Alto", - "text": "Usar namespaces para 
restringir o privilégio RBAC no Kubernetes", - "waf": "Segurança" + "text": "Executar uma recuperação point-in-time para seus bancos de dados de produção em qualquer ponto e em um período de tempo que atenda ao seu RTO; A recuperação point-in-time normalmente inclui erros do operador excluindo dados na camada DBMS ou por meio do SAP, incidentalmente", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", "severity": "Média", - "text": "Para o Gerenciamento de Acesso à Identidade de Pod, use a Identidade de Carga de Trabalho do Azure AD (visualização)", - "waf": "Segurança" + "text": "Teste os tempos de backup e recuperação para verificar se eles atendem aos requisitos de RTO para restaurar todos os sistemas simultaneamente após um desastre.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", - "severity": "Média", - "text": "Para logins não interativos do AKS, use kubelogin (visualização)", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", + "severity": "Alto", + "text": "Você pode replicar o armazenamento padrão entre regiões emparelhadas, mas não pode usar o armazenamento padrão para armazenar seus bancos de dados ou discos rígidos virtuais. Você pode replicar backups somente entre regiões emparelhadas que você usa. 
Para todos os outros dados, execute sua replicação usando recursos nativos de DBMS, como SQL Server Always On ou SAP HANA System Replication. Use uma combinação de Site Recovery, rsync ou robocopy e outros softwares de terceiros para a camada de aplicativos SAP.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "Média", - "text": "Desativar contas locais do AKS", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Baixo", - "text": "Configurar, se necessário, o acesso ao cluster just-in-time", - "waf": "Segurança" + "text": "Ao usar as Zonas de Disponibilidade do Azure para obter alta disponibilidade, você deve considerar a latência entre servidores de aplicativos SAP e servidores de banco de dados. 
Para zonas com altas latências, os procedimentos operacionais precisam estar em vigor para garantir que os servidores de aplicativos SAP e os servidores de banco de dados estejam sendo executados na mesma zona o tempo todo.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "Baixo", - "text": "Configurar, se necessário, o acesso condicional do AAD para AKS", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", + "severity": "Alto", + "text": "Configure conexões de Rota Expressa do local para as regiões primária e secundária de recuperação de desastres do Azure. 
Além disso, como alternativa ao uso da Rota Expressa, considere configurar conexões VPN locais para as regiões primária e secundária de recuperação de desastres do Azure.", + "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", "severity": "Baixo", - "text": "Se necessário para cargas de trabalho do Windows AKS, configure o gMSA ", - "waf": "Segurança" + "text": "Replique o conteúdo do cofre de chaves, como certificados, segredos ou chaves entre regiões, para que você possa descriptografar dados na região de recuperação de desastres.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "Média", - "text": "Para um controle mais fino, considere usar uma Identidade Kubelet gerenciada", - "waf": "Segurança" + "text": "Emparelhar as redes virtuais primária e de recuperação de desastres. 
Por exemplo, para a replicação do sistema HANA, uma rede virtual SAP HANA DB precisa ser emparelhada para a rede virtual SAP HANA DB do site de recuperação de desastres.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", - "severity": "Média", - "text": "Se estiver usando AGIC, não compartilhe um AppGW entre clusters", + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", + "severity": "Baixo", + "text": "Se você usar o armazenamento do Azure NetApp Files para suas implantações SAP, no mínimo, crie duas contas do Azure NetApp Files na camada Premium, em duas regiões.", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "Alto", - "text": "Não use AKS HTTP Routing Add-On, use em vez disso a entrada NGINX gerenciada com o complemento de roteamento de aplicativo.", + "text": 
"A tecnologia de replicação de banco de dados nativo deve ser usada para sincronizar o banco de dados em um par de HA.", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", - "severity": "Média", - "text": "Para cargas de trabalho do Windows, use a Rede Acelerada", - "waf": "Desempenho" + "checklist": "SAP Checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "Alto", + "text": "O CIDR da rede virtual primária (VNet) não deve entrar em conflito ou se sobrepor ao CIDR da VNet do site de recuperação de desastres", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", "severity": "Alto", - "text": "Use o ALB padrão (em oposição ao básico)", + "text": "Use a Recuperação de Site para replicar um servidor de aplicativos para um site de recuperação de desastres. 
A Recuperação de Site também pode ajudar na replicação de VMs de cluster de serviços centrais para o site de recuperação de desastres. Ao invocar o DR, você precisará reconfigurar o cluster do Linux Pacemaker no site de DR (por exemplo, substitua o VIP ou o SBD, execute o corosync.conf e muito mais).", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", - "severity": "Média", - "text": "Se estiver usando o CNI do Azure, considere usar sub-redes diferentes para NodePools", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Alto", + "text": "Considere a disponibilidade do software SAP em relação a pontos únicos de falha. Isso inclui pontos únicos de falha em aplicativos como SGBDs utilizados nas arquiteturas SAP NetWeaver e SAP S/4HANA, SAP ABAP e ASCS + SCS. 
Além disso, outras ferramentas, como o SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", - "severity": "Média", - "text": "Usar Pontos de Extremidade Privados (preferencial) ou Pontos de Extremidade de Serviço de Rede Virtual para acessar serviços de PaaS do cluster", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "Alto", + "text": "Para bancos de dados SAP e SAP, considere a implementação de clusters de failover automático. No Windows, o Clustering de Failover do Windows Server oferece suporte a failover. 
No Linux, Linux Pacemaker ou ferramentas de terceiros como SIOS Protection Suite e Veritas InfoScale suportam failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "Alto", - "text": "Escolha o melhor plug-in de rede CNI para seus requisitos (Azure CNI recomendado)", + "text": "O Azure não oferece suporte a arquiteturas nas quais as VMs primária e secundária compartilham armazenamento para dados DBMS. 
Para a camada DBMS, o padrão de arquitetura comum é replicar bancos de dados ao mesmo tempo e com pilhas de armazenamento diferentes daquelas que as VMs primária e secundária usam.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", "severity": "Alto", - "text": "Se estiver usando o Azure CNI, dimensione sua sub-rede de acordo considerando o número máximo de pods por nó", - "waf": "Desempenho" + "text": "Os dados do DBMS e os arquivos de log de transação/refazer são armazenados no armazenamento em bloco com suporte do Azure ou nos Arquivos do Azure NetApp. 
Os Arquivos do Azure ou os Arquivos Premium do Azure não têm suporte como armazenamento para dados DBMS e/ou arquivos de log de refazer com a carga de trabalho SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", "severity": "Alto", - "text": "Se estiver usando o Azure CNI, verifique o máximo de pods/nó (padrão 30)", - "waf": "Desempenho" + "text": "Você pode usar discos compartilhados do Azure no Windows para componentes ASCS + SCS e cenários específicos de alta disponibilidade. Configure seus clusters de failover separadamente para componentes da camada de aplicativo SAP e a camada DBMS. No momento, o Azure não oferece suporte a arquiteturas de alta disponibilidade que combinam componentes da camada de aplicativo SAP e a camada DBMS em um cluster de failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "Para aplicativos internos, as organizações geralmente abrem toda a sub-rede AKS em seus firewalls. Isso abre o acesso de rede para os nós também e, potencialmente, para os pods também (se estiver usando o Azure CNI). Se os IPs do LoadBalancer estiverem em uma sub-rede diferente, somente este precisará estar disponível para os clientes do aplicativo. 
Outra razão é que, se os endereços IP na sub-rede AKS são um recurso escasso, consumir seus endereços IP para serviços reduzirá a escalabilidade máxima do cluster.", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "Baixo", - "text": "Se estiver usando serviços LoadBalancer de IP privado, use uma sub-rede dedicada (não a sub-rede AKS)", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", + "severity": "Alto", + "text": "A maioria dos clusters de failover para ASCS (Application Layer Components, componentes da camada de aplicativo) SAP e a camada DBMS exigem um endereço IP virtual para um cluster de failover. O Balanceador de Carga do Azure deve manipular o endereço IP virtual para todos os outros casos. Um princípio de design é usar um balanceador de carga por configuração de cluster. 
Recomendamos que você use a versão padrão do balanceador de carga (SKU do Standard Load Balancer).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", "severity": "Alto", - "text": "Dimensione o intervalo de endereços IP do serviço de acordo (isso limitará a escalabilidade do cluster)", + "text": "Verifique se o IP flutuante está habilitado no balanceador de carga", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", - "severity": "Baixo", - "text": "Se necessário, adicione seu próprio plugin CNI", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "severity": "Alto", + "text": "Antes de implantar sua infraestrutura de alta disponibilidade, e dependendo da região escolhida, determine se deseja implantar com um conjunto de disponibilidade do Azure ou uma zona de disponibilidade.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "Fiabilidade" }, { - 
"arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "Baixo", - "text": "Se necessário, configure o IP público por nó no AKS", - "waf": "Desempenho" + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", + "severity": "Alto", + "text": "Se desejar atender aos SLAs de infraestrutura de seus aplicativos para componentes SAP (serviços centrais, servidores de aplicativos e bancos de dados), você deverá escolher as mesmas opções de alta disponibilidade (VMs, conjuntos de disponibilidade, zonas de disponibilidade) para todos os componentes.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", - "severity": "Média", - "text": "Usar um controlador de entrada para expor aplicativos baseados na Web em vez de expô-los com serviços do tipo LoadBalancer", + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "Alto", + "text": "Não misture servidores de funções diferentes no mesmo conjunto de disponibilidade. 
Mantenha VMs de serviços centrais, VMs de banco de dados, VMs de aplicativos em seus próprios conjuntos de disponibilidade", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", - "severity": "Baixo", - "text": "Usar o Gateway NAT do Azure como outboundType para dimensionar o tráfego de saída", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", + "severity": "Média", + "text": "Você não pode implantar conjuntos de disponibilidade do Azure em uma zona de disponibilidade do Azure, a menos que use grupos de posicionamento de proximidade.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", - "severity": "Média", - "text": "Usar alocações dinâmicas de IPs para evitar o esgotamento de IP do CNI do Azure", + "checklist": "SAP Checklist", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "Alto", + "text": "Ao criar conjuntos de disponibilidade, use o número máximo de domínios de falha e atualize domínios disponíveis. 
Por exemplo, se você implantar mais de duas VMs em um conjunto de disponibilidade, use o número máximo de domínios de falha (três) e domínios de atualização suficientes para limitar o efeito de possíveis falhas de hardware físico, interrupções de rede ou interrupções de energia, além da manutenção planejada do Azure. O número padrão de domínios de falha é dois e você não pode alterá-lo online mais tarde.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "Alto", - "text": "Filtre o tráfego de saída com AzFW/NVA se seus requisitos de segurança exigirem", - "waf": "Segurança" + "text": "Quando você usa grupos de posicionamento de proximidade do Azure em uma implantação de conjunto de disponibilidade, todos os três componentes SAP (serviços centrais, servidor de aplicativos e banco de dados) devem estar no mesmo grupo de posicionamento de proximidade.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and 
isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", - "severity": "Média", - "text": "Se estiver usando um ponto de extremidade de API público, restrinja os endereços IP que podem acessá-lo", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "Alto", + "text": "Use um grupo de posicionamento de proximidade por SAP SID. Os grupos não se estendem por zonas de disponibilidade ou regiões do Azure", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": "https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "Alto", - "text": "Use clusters privados se seus requisitos exigirem", - "waf": "Segurança" + "text": "Use um dos seguintes serviços para executar clusters de serviços centrais SAP, dependendo do sistema operacional.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - 
"graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "severity": "Média", - "text": "Para os nós AKS do Windows 2019 e 2022, as Diretivas de Rede Calico podem ser usadas ", - "waf": "Segurança" + "text": "No momento, o Azure não oferece suporte à combinação de ASCS e HA de banco de dados no mesmo cluster do Linux Pacemaker; Separe-os em agrupamentos individuais. No entanto, você pode combinar até cinco clusters de serviços centrais em um par de VMs.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "Alto", - "text": "Habilitar uma opção de Política de Rede do Kubernetes (Calico/Azure)", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "Média", + "text": "Implante ambas as VMs no par de alta disponibilidade 
em um conjunto de disponibilidade ou em zonas de disponibilidade. Essas VMs devem ter o mesmo tamanho e a mesma configuração de armazenamento.",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
- "severity": "Alto",
- "text": "Usar diretivas de rede do Kubernetes para aumentar a segurança intra-cluster",
- "waf": "Segurança"
+ "checklist": "SAP Checklist",
+ "guid": "7f684ebc-95da-425e-b329-e782dbed050f",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "O Azure oferece suporte à instalação e configuração de instâncias SAP HANA e ASCS/SCS e ERS no mesmo cluster de alta disponibilidade em execução no Red Hat Enterprise Linux (RHEL).",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "07991f7d-6598-4d90-9431-45c62605d3a5",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Usar um WAF para cargas de trabalho da Web (UIs ou APIs)",
- "waf": "Segurança"
+ "text": "Execute todos os sistemas de produção em SSDs gerenciados Premium e use o Azure NetApp Files ou o Ultra Disk Storage. 
Pelo menos o disco do sistema operacional deve estar na camada Premium para que você possa obter melhor desempenho e o melhor SLA.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
- "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
- "service": "AKS",
- "severity": "Média",
- "text": "Usar DDoS Standard na Rede Virtual AKS",
- "waf": "Segurança"
+ "checklist": "SAP Checklist",
+ "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Você deve executar o SAP HANA no Azure somente nos tipos de armazenamento certificados pela SAP. Observe que determinados volumes devem ser executados em determinadas configurações de disco, quando aplicável. Essas configurações incluem a habilitação do Acelerador de Gravação e o uso do armazenamento Premium. 
Você também precisa garantir que o sistema de arquivos executado no armazenamento seja compatível com o DBMS executado na máquina.",
+ "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
- "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
- "link": "https://learn.microsoft.com/azure/aks/http-proxy",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Se necessário, adicione o proxy HTTP da empresa",
- "waf": "Segurança"
+ "checklist": "SAP Checklist",
+ "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Considere configurar a alta disponibilidade dependendo do tipo de armazenamento usado para suas cargas de trabalho SAP. 
Alguns serviços de armazenamento disponíveis no Azure não têm suporte no Azure Site Recovery, portanto, sua configuração de alta disponibilidade pode ser diferente.",
+ "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
- "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
- "service": "AKS",
- "severity": "Média",
- "text": "Considere o uso de uma malha de serviço para gerenciamento avançado de comunicação de microsserviços",
- "waf": "Segurança"
+ "checklist": "SAP Checklist",
+ "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
+ "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Diferentes serviços de armazenamento nativos do Azure (como Arquivos do Azure, Arquivos do Azure NetApp, Disco Compartilhado do Azure) podem não estar disponíveis em todas as regiões. 
Portanto, para ter uma configuração SAP semelhante na região de DR após o failover, certifique-se de que o respectivo serviço de armazenamento seja oferecido no local de DR.",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
- "service": "AKS",
- "severity": "Alto",
- "text": "Configurar alertas nas métricas mais críticas (consulte Insights de contêiner para obter recomendações)",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
+ "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Automatize o Start-Stop do sistema SAP para gerenciar custos.",
+ "waf": "Custar"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
- "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "71dc00cd-4392-4262-8949-20c05e6c0333",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
 "severity": "Baixo",
- "text": "Verifique regularmente o Azure Advisor para obter recomendações sobre o seu cluster",
- "waf": "Operações"
+ "text": "No caso de usar o Armazenamento Premium do Azure com o SAP HANA, o armazenamento SSD padrão do Azure pode ser usado para selecionar uma solução de armazenamento econômica. No entanto, observe que escolher o armazenamento padrão SSD ou HDD padrão do Azure afetará o SLA das VMs individuais. 
Além disso, para sistemas com menor taxa de transferência de E/S e baixa latência, como ambientes que não são de produção, VMs de série mais baixa podem ser usadas.",
+ "waf": "Custar"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
- "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "9877f353-2591-4e8b-8381-e9043fed1010",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1",
+ "service": "SAP",
 "severity": "Baixo",
- "text": "Habilitar a rotação automática do certificado AKS",
- "waf": "Operações"
+ "text": "Como uma configuração alternativa de baixo custo (multiuso), você pode escolher uma SKU de baixo desempenho para suas VMs de servidor de banco de dados HANA que não são de produção. No entanto, é importante observar que alguns tipos de VM, como a série E, não são certificados pelo HANA (SAP HANA Hardware Directory) ou não podem atingir latência de armazenamento inferior a 1ms.",
+ "waf": "Custar"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
- "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
+ "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Tenha um processo regular para atualizar sua versão do kubernetes periodicamente (trimestralmente, por exemplo), ou use o recurso de atualização automática do AKS",
- "waf": "Operações"
+ "text": "Impor um modelo RBAC para grupos de gerenciamento, assinaturas, grupos de recursos e recursos",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
- "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
- "service": "AKS",
- "severity": "Alto",
- "text": "Use kured para atualizações de nó do Linux caso você não esteja usando a atualização de imagem de nó",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "45911475-e39e-4530-accc-d979366bcda2",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Impor a propagação principal para encaminhar a identidade do aplicativo de nuvem SAP para o SAP local (incluindo IaaS) por meio do conector de nuvem",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
- "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
- "service": "AKS",
- "severity": "Alto",
- "text": "Tenha um processo regular para atualizar as imagens do nó do cluster periodicamente (semanalmente, por exemplo)",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Implemente SSO em aplicativos SAP SaaS como SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics e SAP C4C com o Azure AD usando SAML.",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
- "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Considere gitops para implantar aplicativos ou configuração de cluster em vários clusters",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Implemente SSO em aplicativos Web baseados no SAP NetWeaver, como SAP Fiori e SAP Web GUI, usando SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
- "link": "https://learn.microsoft.com/azure/aks/command-invoke",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Considere o uso do comando AKS invoke em clusters privados",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Implemente SSO em aplicativos Web baseados no SAP NetWeaver, como SAP Fiori e SAP Web GUI, usando SAML.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
- "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Para eventos planejados, considere o uso do Dreno Automático de Nó",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Você pode implementar o SSO no SAP GUI usando o SAP NetWeaver SSO ou uma solução de parceiro.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
- "link": "https://learn.microsoft.com/azure/aks/faq",
- "service": "AKS",
- "severity": "Alto",
- "text": "Desenvolver práticas próprias de governança para garantir que nenhuma alteração seja realizada pelos operadores no nó RG (também conhecido como 'infra RG')",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Para SSO para SAP GUI e acesso ao navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociação GSSAPI simples e protegido) devido a sua facilidade de configuração e manutenção. 
Para SSO com certificados de cliente X.509, considere o SAP Secure Login Server, que é um componente da solução SAP SSO.",
+ "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
- "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
- "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Use o nome personalizado do Node RG (também conhecido como 'Infra RG')",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
+ "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Para SSO para SAP GUI e acesso ao navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociação GSSAPI simples e protegido) devido a sua facilidade de configuração e manutenção. 
Para SSO com certificados de cliente X.509, considere o SAP Secure Login Server, que é um componente da solução SAP SSO.",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
- "link": "https://kubernetes.io/docs/setup/release/notes/",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "16785d6f-a96c-496a-b885-18f482734c88",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
+ "service": "SAP",
 "severity": "Média",
- "text": "Não use APIs do Kubernetes preteridas em seus manifestos do YAML",
- "waf": "Operações"
+ "text": "Implemente o SSO usando o OAuth for SAP NetWeaver para permitir que aplicativos de terceiros ou personalizados acessem os serviços OData do SAP NetWeaver.",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
- "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Manchar os nós do Windows",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Implementar SSO no SAP HANA",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
- "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Mantenha o nível de patch dos contêineres do Windows sincronizado com o nível do patch do 
host",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Considere o Azure AD um provedor de identidade para sistemas SAP hospedados no RISE. Para obter mais informações, consulte Integrando o serviço ao Azure AD.",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "Por meio de Configurações de Diagnóstico no nível do cluster",
- "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
- "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Envie logs mestre (também conhecidos como logs de API) para o Azure Monitor ou sua solução de gerenciamento de logs preferida",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753",
+ "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Para aplicativos que acessam o SAP, convém usar a propagação principal para estabelecer o SSO.",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
- "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Se necessário, use instantâneos do nodePool",
- "waf": "Custar"
+ "checklist": "SAP Checklist",
+ "guid": "59921095-4980-4fc1-a5b6-524a5a560c79",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Se você estiver usando serviços SAP BTP ou soluções SaaS que exigem o SAP Identity 
Authentication Service (IAS), considere implementar SSO entre o SAP Cloud Identity Authentication Services e o Azure AD para acessar esses serviços SAP. Essa integração permite que o SAP IAS atue como um provedor de identidade de proxy e encaminhe solicitações de autenticação para o Azure AD como o repositório central do usuário e o provedor de identidade.",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
- "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Considere pools de nós spot para cargas de trabalho não sensíveis ao tempo",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Implementar SSO no SAP BTP",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
- "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Considere o nó virtual AKS para intermitência rápida",
+ "checklist": "SAP Checklist",
+ "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
+ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Se você estiver usando o SAP SuccessFactors, considere usar o provisionamento automatizado de usuários do Azure AD. 
Com essa integração, à medida que você adiciona novos funcionários ao SAP SuccessFactors, pode criar automaticamente suas contas de usuário no Azure AD. Opcionalmente, você pode criar contas de usuário no Microsoft 365 ou em outros aplicativos SaaS com suporte no Azure AD. Use write-back do endereço de e-mail para SAP SuccessFactors.",
+ "waf": "Segurança"
+ },
+ {
+ "checklist": "SAP Checklist",
+ "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "impor políticas existentes do Grupo de Gerenciamento às assinaturas SAP",
+ "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Monitore suas métricas de cluster com o Container Insights (ou outras ferramentas como o Prometheus)",
+ "text": "Integre aplicativos fortemente acoplados na mesma assinatura SAP para evitar complexidade adicional de roteamento e gerenciamento",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) 
and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
- "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Armazene e analise seus logs de cluster com o Container Insights (ou outras ferramentas como Telegraf/ElasticSearch)",
+ "text": "Aproveite a assinatura como unidade de escala e dimensione nossos recursos, considere implantar a assinatura por ambiente, por exemplo. Sandbox, não-prod, prod ",
+ "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
- "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
- "service": "AKS",
- "severity": "Média",
- "text": "Monitorar a utilização da CPU e da memória dos nós",
+ "checklist": "SAP Checklist",
+ "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829",
+ "link": "https://learn.microsoft.com/azure/quotas/quotas-overview",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Garantir o aumento da cota como parte do provisionamento de assinatura (por exemplo, total de núcleos de VM disponíveis em uma assinatura)",
+ "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
- "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
- "service": "AKS",
- "severity": "Média",
- "text": "Se estiver usando o Azure CNI, monitore a % de IPs de pod consumidos por nó",
+ "checklist": "SAP Checklist",
+ "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc",
+ "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity",
+ "service": "SAP",
+ "severity": "Baixo",
+ "text": "A API de Cota é uma API REST que você pode usar para exibir e gerenciar cotas para serviços do Azure. Considere usá-lo, se necessário.",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "A E/S no disco do sistema operacional é um recurso crítico. Se o sistema operacional nos nós for limitado na E/S, isso pode levar a um comportamento imprevisível, geralmente terminando no nó sendo declarado NotReady",
- "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
- "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
- "service": "AKS",
- "severity": "Média",
- "text": "Monitorar a profundidade da fila de disco do sistema operacional nos nós",
+ "checklist": "SAP Checklist",
+ "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8",
+ "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Se estiver implantando em uma zona de disponibilidade, verifique se a implantação da zona da VM estará disponível depois que a cota for aprovada. 
Envie uma solicitação de suporte com a assinatura, a série VM, o número de CPUs e a zona de disponibilidade necessárias.",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
- "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
- "service": "AKS",
- "severity": "Média",
- "text": "Se não estiver usando filtragem de saída com AzFW/NVA, monitore as portas SNAT ALB alocadas padrão",
+ "checklist": "SAP Checklist",
+ "guid": "e6e20617-3686-4af4-9791-f8935ada4332",
+ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Certifique-se de que os serviços e recursos necessários estejam disponíveis nas regiões de implantação escolhidas, por exemplo. ANF, Zona etc.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
- "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "4e138115-2318-41aa-9174-26943ff8ae7d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization",
+ "service": "SAP",
 "severity": "Média",
- "text": "Assine as notificações de integridade de recursos para seu cluster AKS",
+ "text": "Aproveite a marca de recurso do Azure para categorização de custos e agrupamento de recursos (: BillTo, Departamento (ou Unidade de Negócios), Ambiente (Produção, Estágio, Desenvolvimento), Camada (Camada da Web, Camada de Aplicativo), Proprietário do Aplicativo, ProjectName)",
+ "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061",
+ "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Configurar solicitações e limites nas especificações do pod",
- "waf": "Operações"
+ "text": "Ajude a proteger seu banco de dados HANA usando o serviço de Backup do Azure.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "769ef669-1a48-435a-a942-223ece80b123",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c",
+ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction",
+ "service": "SAP",
 "severity": "Média",
- "text": "Impor cotas de recursos para namespaces",
- "waf": "Operações"
+ "text": "Se você implantar os Arquivos NetApp do Azure para seu banco de dados HANA, Oracle ou DB2, use a ferramenta Azure Application Consistent Snapshot (AzAcSnap) para tirar instantâneos consistentes com o aplicativo. O AzAcSnap também suporta bancos de dados Oracle. 
Considere usar o AzAcSnap em uma VM central em vez de em VMs individuais.",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Verifique se sua assinatura tem cota suficiente para expandir seus nodepools",
+ "text": "Garanta as correspondências de fuso horário entre o sistema operacional e o sistema SAP.",
 "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
- "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "c3c7abc0-716c-4486-893c-40e181d65539",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid",
+ "service": "SAP",
 "severity": "Média",
- "text": "Usar o Autoscaler de Cluster",
- "waf": "Desempenho"
+ "text": "Não agrupe serviços de aplicativos diferentes no mesmo cluster. Por exemplo, não combine clusters DRBD e de serviços centrais no mesmo cluster. 
No entanto, você pode usar o mesmo cluster do Pacemaker para gerenciar aproximadamente cinco serviços centrais diferentes (cluster multi-SID).",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
- "guid": "831c2872-c693-4b39-a887-a561bada49bc",
- "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "a491dfc4-9353-4213-9217-eef0949f9467",
+ "link": "https://azure.microsoft.com/pricing/offers/dev-test/",
+ "service": "SAP",
 "severity": "Baixo",
- "text": "Personalizar a configuração do nó para pools de nós AKS",
- "waf": "Desempenho"
+ "text": "Considere executar sistemas de desenvolvimento/teste em um modelo de soneca para economizar e otimizar os custos de execução do Azure.",
+ "waf": "Custar"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
- "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54",
+ "link": "https://learn.microsoft.com/azure/lighthouse/overview",
+ "service": "SAP",
 "severity": "Média",
- "text": "Use o Autoscaler do Pod Horizontal quando necessário",
- "waf": "Desempenho"
+ "text": "Se você faz parceria com clientes gerenciando suas propriedades SAP, considere o Farol do Azure. O Azure Lighthouse permite que os provedores de serviços gerenciados usem os serviços de identidade nativos do Azure para se autenticar no ambiente dos clientes. 
Ele coloca o controle nas mãos dos clientes, porque eles podem revogar o acesso a qualquer momento e auditar as ações dos prestadores de serviços.",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "description": "Nós maiores trarão maior desempenho e recursos, como discos efêmeros e rede acelerada, mas aumentarão o raio de explosão e diminuirão a granularidade de dimensionamento",
- "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3",
- "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/",
- "service": "AKS",
- "severity": "Alto",
- "text": "Considere um tamanho de nó apropriado, não muito grande ou muito pequeno",
- "waf": "Desempenho"
+ "checklist": "SAP Checklist",
+ "guid": "4d116785-d2fa-456c-96ad-48408fe72734",
+ "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Use o Azure Update Manager para verificar o status das atualizações disponíveis para uma única VM ou várias VMs e considere agendar patches regulares.",
+ "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d",
- "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits",
- "service": "AKS",
+ "checklist": "SAP Checklist",
+ "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation",
+ "service": "SAP",
 "severity": "Baixo",
- "text": "Se mais de 5000 nós forem necessários para escalabilidade, considere o uso de um cluster AKS adicional",
- "waf": "Desempenho"
+ "text": "Otimize e gerencie as operações do 
SAP Basis usando o SAP Landscape Management (LaMa). Use o conector SAP LaMa para Azure para realocar, copiar, clonar e atualizar sistemas SAP.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb",
- "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Considere assinar o EventGrid Events para automação AKS",
- "waf": "Desempenho"
+ "checklist": "SAP Checklist",
+ "guid": "14591147-5e39-4e53-89cc-cd979366bcda",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Use as soluções do Azure Monitor for SAP para monitorar suas cargas de trabalho SAP (SAP HANA, clusters SUSE de alta disponibilidade e sistemas SQL) no Azure. Considere complementar o Azure Monitor para soluções SAP com o SAP Solution Manager.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d",
- "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Para operações de longa duração em um cluster AKS, considere o encerramento do evento",
- "waf": "Desempenho"
+ "checklist": "SAP Checklist",
+ "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Execute uma verificação de extensão de VM para SAP. 
A Extensão de VM para SAP usa a identidade gerenciada atribuída de uma máquina virtual (VM) para acessar dados de monitoramento e configuração de VM. A verificação garante que todas as métricas de desempenho em seu aplicativo SAP venham da Extensão do Azure para SAP subjacente.",
+ "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021",
- "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts",
- "service": "AKS",
- "severity": "Baixo",
- "text": "Se necessário, considere usar hosts dedicados do Azure para nós AKS",
- "waf": "Desempenho"
+ "checklist": "SAP Checklist",
+ "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Use a Política do Azure para controle de acesso e relatórios de conformidade. A Política do Azure fornece a capacidade de impor configurações em toda a organização para garantir a adesão consistente à política e a detecção rápida de violações. 
", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operações" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", - "severity": "Alto", - "text": "Usar discos efêmeros do sistema operacional", - "waf": "Desempenho" + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", + "severity": "Média", + "text": "Use o Monitor de Conexão no Inspetor de Rede do Azure para monitorar métricas de latência para bancos de dados SAP e servidores de aplicativos. 
Ou colete e exiba medições de latência de rede usando o Azure Monitor.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "waf": "Operações" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", - "severity": "Alto", - "text": "Para discos não efêmeros, use IOPS altos e discos maiores do sistema operacional para os nós ao executar muitos pods/nó, pois requer alto desempenho para executar vários pods e gerará logs enormes com limites de rotação de log AKS padrão", - "waf": "Desempenho" + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", + "severity": "Média", + "text": "Execute uma verificação de qualidade para o SAP HANA na infraestrutura provisionada do Azure para verificar se as VMs provisionadas estão em conformidade com as práticas recomendadas do SAP HANA no Azure.", + "waf": "Operações" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "Baixo", - "text": "Para a opção de armazenamento de hiperdesempenho, use Ultra Disks no AKS", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "severity": "Alto", + "text": "Para cada assinatura do Azure, execute um teste de latência nas zonas de disponibilidade do Azure antes da implantação zonal para escolher zonas de baixa latência para 
implantação do SAP no Azure.", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", "waf": "Desempenho" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", "severity": "Média", - "text": "Evite manter o estado no cluster e armazene dados fora (AzStorage, AzSQL, Cosmos, etc)", - "waf": "Desempenho" + "text": "Execute o Relatório de Resiliência para garantir que a configuração de toda a infraestrutura provisionada do Azure (Computação, Banco de Dados, Rede, Armazenamento, Recuperação de Site) esteja em conformidade com a configuração definida pelo Cloud Adaption Framework para Azure.", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", "severity": "Média", - "text": "Se estiver usando o AzFiles Standard, considere o AzFiles Premium e/ou ANF por motivos de desempenho", - "waf": "Desempenho" + "text": "Implemente a proteção contra ameaças usando a solução Microsoft Sentinel para SAP. 
Use esta solução para monitorar seus sistemas SAP e detectar ameaças sofisticadas em toda a lógica de negócios e camadas de aplicativos.", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "waf": "Segurança" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "checklist": "SAP Checklist", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", "severity": "Média", - "text": "Se estiver usando Discos e AZs do Azure, considere ter nodepools dentro de uma zona para disco LRS com VolumeBindingMode:WaitForFirstConsumer para provisionar armazenamento na zona direita ou use o disco ZRS para nodepools abrangendo várias zonas", - "waf": "Desempenho" + "text": "A marcação do Azure pode ser aproveitada para agrupar e controlar recursos logicamente, automatizar suas implantações e, o mais importante, fornecer visibilidade sobre os custos incorridos.", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "Operações" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "O Hub de Eventos do Azure fornece criptografia de dados em repouso. Se você usar sua própria chave, os dados ainda serão criptografados usando a chave gerenciada pela Microsoft, mas, além disso, a chave gerenciada pela Microsoft será criptografada usando a chave gerenciada pelo cliente. 
", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", "severity": "Baixo", - "text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Segurança" + "text": "Use o monitoramento de latência entre VMs para aplicativos sensíveis à latência.", + "waf": "Desempenho" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Os namespaces dos Hubs de Eventos do Azure permitem que os clientes enviem e recebam dados com TLS 1.0 e superior. Para impor medidas de segurança mais rígidas, você pode configurar o namespace dos Hubs de Eventos para exigir que os clientes enviem e recebam dados com uma versão mais recente do TLS. Se um namespace de Hubs de Eventos exigir uma versão mínima do TLS, todas as solicitações feitas com uma versão mais antiga falharão. 
", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "Média", - "text": "Impor uma versão mínima necessária do TLS (Transport Layer Security) para solicitações ", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Segurança" + "text": "Use o monitoramento do Azure Site Recovery para manter a integridade do serviço de recuperação de desastres para servidores de aplicativos SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Quando você cria um namespace de Hubs de Eventos, uma regra de política chamada RootManageSharedAccessKey é criada automaticamente para o namespace. Essa política tem permissões de gerenciamento para todo o namespace. É recomendável que você trate essa regra como uma conta raiz administrativa e não a use em seu aplicativo. Recomenda-se o uso do AAD como um provedor de autenticação com RBAC. 
", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "severity": "Média", - "text": "Evite usar conta root quando não for necessário", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", - "waf": "Segurança" + "text": "Exclua todos os sistemas de arquivos de banco de dados e programas executáveis das verificações antivírus. Incluí-los pode levar a problemas de desempenho. Verifique com os fornecedores do banco de dados para obter detalhes prescritivos na lista de exclusão. Por exemplo, a Oracle recomenda excluir /oracle//sapdata das verificações antivírus.", + "waf": "Desempenho" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "As identidades gerenciadas para recursos do Azure podem autorizar o acesso a recursos dos Hubs de Eventos usando credenciais do Azure AD de aplicativos em execução em VMs (Máquinas Virtuais) do Azure, aplicativos de Função, Conjuntos de Dimensionamento de Máquina Virtual e outros serviços. Usando identidades gerenciadas para recursos do Azure junto com a autenticação do Azure AD, você pode evitar o armazenamento de credenciais com seus aplicativos executados na nuvem. 
", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", + "severity": "Baixo", + "text": "Considere a coleta de estatísticas completas de banco de dados para bancos de dados não-HANA após a migração. Por exemplo, implemente a nota SAP 1020260 - Entrega de estatísticas Oracle.", + "waf": "Desempenho" + }, + { + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "severity": "Média", - "text": "Quando possível, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Hub de Eventos do Azure. Caso contrário, considere ter a credencial de armazenamento (SAS, credencial da entidade de serviço) no Cofre de Chaves do Azure ou em um serviço equivalente", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Segurança" + "text": "Considere o uso do Oracle Automatic Storage Management (ASM) para todas as implantações Oracle que usam SAP no Azure.", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "Desempenho" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Ao criar permissões, forneça controle refinado sobre o acesso de um cliente ao Hub de Eventos do Azure. 
As permissões no Hub de Eventos do Azure podem e devem ter o escopo definido para o nível de recurso individual, por exemplo, grupo de consumidores, entidade de hub de eventos, namespaces de hub de eventos, etc.", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", - "severity": "Alto", - "text": "Usar RBAC do plano de dados de privilégios mínimos", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Os logs de recursos do Hub de Eventos do Azure incluem logs operacionais, logs de rede virtual e logs de Kafka. Os logs de auditoria de tempo de execução capturam informações de diagnóstico agregadas para todas as operações de acesso ao plano de dados (como eventos de envio ou recebimento) nos Hubs de Eventos.", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", "severity": "Média", - "text": "Habilite o registro em log para investigação de segurança. Use o Azure Monitor para capturar métricas e logs como logs de recursos, logs de auditoria de tempo de execução e logs Kafka", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", - "waf": "Segurança" + "text": "Para SAP no Azure executando Oracle, uma coleção de scripts SQL pode ajudá-lo a diagnosticar problemas de desempenho. 
Os relatórios do Automatic Workload Repository (AWR) contêm informações valiosas para diagnosticar problemas no sistema Oracle. Recomendamos que você execute um relatório AWR durante várias sessões e escolha horários de pico para ele, para garantir uma ampla cobertura para a análise.", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "Desempenho" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Por padrão, o Hub de Eventos do Azure tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem que o tráfego entre sua rede virtual e o Hub de Eventos do Azure percorra a rede de backbone da Microsoft. Além disso, você deve desabilitar os pontos de extremidade públicos se eles não forem usados. ", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", - "severity": "Média", - "text": "Considere o uso de pontos de extremidade privados para acessar o Hub de Eventos do Azure e desabilitar o acesso à rede pública quando aplicável.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Segurança" + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "Alto", + "text": "Use o monitoramento do Azure Site Recovery para manter a integridade do serviço de recuperação de desastres para servidores de aplicativos SAP.", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "Operações" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": 
"Com o firewall IP, você pode restringir ainda mais o ponto de extremidade público a apenas um conjunto de endereços IPv4 ou intervalos de endereços IPv4 na notação CIDR (Roteamento entre Domínios Sem Classe). ", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", "severity": "Média", - "text": "Considere permitir apenas o acesso ao namespace do Hub de Eventos do Azure a partir de endereços IP ou intervalos específicos", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "text": "Para a entrega segura de aplicativos HTTP/S, use o Application Gateway v2 e verifique se a proteção e as políticas do WAF estão habilitadas.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", "waf": "Segurança" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "Média", - "text": "Aproveite o Manual de Resilência do FTA", - "waf": "Fiabilidade" + "text": "Se o DNS ou o nome virtual da máquina virtual não for alterado durante a migração para o Azure, o DNS em segundo plano e os nomes virtuais conectam muitas interfaces do sistema no cenário SAP, e os clientes só às vezes estão cientes das interfaces que os desenvolvedores definem ao longo 
do tempo. Surgem desafios de conexão entre vários sistemas quando os nomes virtuais ou DNS mudam após as migrações, e é recomendável manter os aliases DNS para evitar esses tipos de dificuldades.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operações" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": " Isso será ativado automaticamente para um novo namespace de EH criado a partir do portal com SKUs Premium, Dedicado ou Standard em uma região habilitada para região. Os metadados do EH e os próprios dados do evento são replicados entre zonas", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", - "severity": "Alto", - "text": "Aproveite as zonas de disponibilidade, se aplicável regionalmente", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", + "severity": "Média", + "text": "Use zonas DNS diferentes para distinguir cada ambiente (sandbox, desenvolvimento, pré-produção e produção) um do outro. 
A exceção é para implantações SAP com sua própria VNet; aqui, zonas DNS privadas podem não ser necessárias.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "Operações" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", "severity": "Média", - "text": "Use os SKUs Premium ou Dedicado para desempenho previsível", + "text": "Emparelhamento de rede virtual local e global fornecem conectividade e são as abordagens preferidas para garantir a conectividade entre zonas de aterrissagem para implantações SAP em várias regiões do Azure", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "O recurso interno de recuperação de desastres geográficos, quando habilitado, garante que toda a configuração de um namespace (Hubs de Eventos, Grupos de Consumidores e configurações) seja replicada continuamente de um namespace primário para um namespace secundário e permite uma movimentação de failover única do primário para o secundário a qualquer momento. 
O recurso Ativo/Passivo foi projetado para facilitar a recuperação e o abandono de uma região do Azure com falha sem precisar alterar as configurações do aplicativo", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", "severity": "Alto", - "text": "Planejar a recuperação de desastres geográficos usando a configuração passiva ativa", - "waf": "Fiabilidade" - }, - { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Deve ser usado para configurações de DR em que uma interrupção ou perda de dados de eventos na região derrubada não pode ser tolerada. Para esses casos, siga as diretrizes de replicação e não use o recurso interno de recuperação de desastres geográficos (ativo/passivo). 
Com Ativo/Ativo, mantenha vários Hubs de Eventos em diferentes regiões e namespaces, e os eventos serão replicados entre os hubs", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", - "severity": "Média", - "text": "Para aplicativos críticos para os negócios, use a configuração ativa", - "waf": "Fiabilidade" + "text": "Não há suporte para implantar qualquer NVA entre o aplicativo SAP e o servidor de banco de dados SAP", + "training": "https://me.sap.com/notes/2731110", + "waf": "Desempenho" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", + "checklist": "SAP Checklist", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", "severity": "Média", - "text": "Projetar Hubs de Eventos Resilientes", - "waf": "Fiabilidade" + "text": "Use a WAN Virtual para implantações do Azure em redes novas, grandes ou globais onde você precisa de conectividade de trânsito global entre regiões do Azure e locais locais. 
Com essa abordagem, você não precisará configurar manualmente o roteamento transitivo para a rede do Azure e poderá seguir um padrão para implantações do SAP no Azure.", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "Operações" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", "severity": "Média", - "text": "Siga as recomendações de suporte de confiabilidade no Serviço de Bot do Azure", - "waf": "Fiabilidade" + "text": "Considere a implantação de dispositivos virtuais de rede (NVAs) entre regiões somente se NVAs de parceiros forem usados. NVAs entre regiões ou VNets não são necessários se NVAs nativos estiverem presentes. 
Ao implantar tecnologias de rede de parceiros e NVAs, siga as orientações do fornecedor para verificar configurações conflitantes com a rede do Azure.", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "Operações" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", "severity": "Média", - "text": "Implantando bots com residência de dados local e conformidade regional", - "waf": "Fiabilidade" + "text": "A WAN virtual gerencia a conectividade entre VNets spoke para topologias baseadas em WAN virtual (não há necessidade de configurar o roteamento definido pelo usuário [UDR] ou NVAs), e a taxa de transferência máxima de rede para o tráfego de VNet-to-VNet no mesmo hub virtual é de 50 gigabits por segundo. Se necessário, as zonas de aterrissagem SAP podem usar o emparelhamento de VNet para se conectar a outras zonas de aterrissagem e superar essa limitação de largura de banda.", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "Operações" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", - "severity": "Média", - "text": "O Serviço de Bot do Azure é executado no modo ativo-ativo para serviços globais e regionais. 
Quando ocorre uma paralisação, você não precisa detectar erros ou gerenciar o serviço. O Serviço de Bot do Azure executa automaticamente o failover automático e a recuperação automática em uma arquitetura geográfica de várias regiões. Para o serviço regional de bot da UE, o Serviço de Bot do Azure fornece duas regiões completas dentro da Europa com replicação ativa/ativa para garantir redundância. Para o serviço de bot global, todas as regiões/geografias disponíveis podem ser servidas como a presença global.", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", + "severity": "Alto", + "text": "A atribuição de IP público à VM que executa o SAP Workload não é recomendada.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "checklist": "SAP Checklist", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", "severity": "Alto", - "text": "Selecione o plano de hospedagem de função certo com base em seus requisitos de negócios e SLO", - "waf": "Fiabilidade" + "text": "Considere reservar o endereço IP no lado do DR ao configurar o ASR", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Operações" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": 
"a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "Alto", - "text": "Aproveitar zonas de disponibilidade quando aplicável regionalmente (não disponível para a camada de consumo)", - "waf": "Fiabilidade" + "text": "Evite usar intervalos de endereços IP sobrepostos para sites de produção e DR.", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "Operações" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "severity": "Média", - "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", - "waf": "Fiabilidade" + "text": "Embora o Azure ajude você a criar várias sub-redes delegadas em uma rede virtual, apenas uma sub-rede delegada pode existir em uma rede virtual para arquivos do Azure NetApp. 
As tentativas de criar um novo volume falharão se você usar mais de uma sub-rede delegada para Arquivos do Azure NetApp.", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", + "waf": "Operações" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "Alto", - "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", + "severity": "Média", + "text": "Usar o Firewall do Azure para controlar o tráfego de saída do Azure para a Internet, conexões de entrada não HTTP/S e filtragem de tráfego Leste/Oeste (se a organização exigir)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", - "severity": "Alto", - "text": "Verifique se 'Sempre Ativado' está habilitado para todos os Aplicativos de Função em execução no Plano do Serviço de Aplicativo", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", + "severity": "Média", + "text": "O 
Application Gateway e o Web Application Firewall têm limitações quando o Application Gateway serve como um proxy reverso para aplicativos Web SAP, conforme mostrado na comparação entre o Application Gateway, o SAP Web Dispatcher e outros serviços de terceiros.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", "severity": "Média", - "text": "Emparelhe um aplicativo de função com sua própria conta de armazenamento. Tente não reutilizar contas de armazenamento para aplicativos de função, a menos que eles estejam firmemente acoplados", - "waf": "Fiabilidade" + "text": "Use as políticas do Azure Front Door e do WAF para fornecer proteção global entre as regiões do Azure para conexões HTTP/S de entrada para uma zona de aterrissagem.", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "severity": "Média", - "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código do Aplicativo de Função", - "waf": "Operações" + 
"text": "Aproveite as políticas do Web Application Firewall no Azure Front Door quando estiver usando o Azure Front Door e o Application Gateway para proteger aplicativos HTTP/S. Bloqueie o Gateway de Aplicativo para receber tráfego somente do Azure Front Door.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", - "severity": "Alto", - "text": "Selecione o plano de hospedagem de aplicativo lógico certo com base em seus requisitos de negócios e SLO", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", + "severity": "Média", + "text": "Use um firewall de aplicativo Web para verificar seu tráfego quando ele estiver exposto à Internet. 
Outra opção é usá-lo com seu balanceador de carga ou com recursos que tenham recursos internos de firewall, como o Application Gateway ou soluções de terceiros.", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", - "severity": "Alto", - "text": "Proteja aplicativos lógicos contra falhas de região com redundância de zona e zonas de disponibilidade", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", + "severity": "Média", + "text": "Use a WAN Virtual para implantações do Azure em redes novas, grandes ou globais onde você precisa de conectividade de trânsito global entre regiões do Azure e locais locais. 
Com essa abordagem, você não precisará configurar manualmente o roteamento transitivo para a rede do Azure e poderá seguir um padrão para implantações do SAP no Azure.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "severity": "Alto", - "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", + "severity": "Média", + "text": "Para evitar o vazamento de dados, use o Link Privado do Azure para acessar com segurança recursos de plataforma como serviço, como Armazenamento de Blobs do Azure, Arquivos do Azure, Azure Data Lake Storage Gen2, Azure Data Factory e muito mais. O Ponto de Extremidade Privado do Azure também pode ajudar a proteger o tráfego entre VNets e serviços como o Armazenamento do Azure, o Backup do Azure e muito mais. 
O tráfego entre sua rede virtual e o serviço habilitado para ponto de extremidade privado viaja pela rede global da Microsoft, o que impede sua exposição à Internet pública.", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", + "checklist": "SAP Checklist", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "severity": "Alto", - "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", - "waf": "Fiabilidade" + "text": "Verifique se a rede acelerada do Azure está habilitada nas VMs usadas nas camadas de aplicativo SAP e DBMS.", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", "severity": "Média", - "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código de Aplicativo Lógico", - "waf": "Operações" + "text": "Verifique se as implantações internas do Azure Load Balancer estão configuradas para usar DSR (Direct Server Return). 
Essa configuração (Habilitando IP flutuante) reduzirá a latência quando as configurações internas do balanceador de carga forem usadas para configurações de alta disponibilidade na camada DBMS.", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "Segurança" }, { - "checklist": "Identity Review Checklist", - "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", - "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "severity": "Média", - "text": "Use o token revogável de longa duração, armazene seu token em cache e adquira o token silenciosamente usando a Microsoft Identity Library", - "waf": "Fiabilidade" + "text": "Você pode usar as regras ASG (grupo de segurança de aplicativo) e NSG para definir listas de controle de acesso de segurança de rede entre o aplicativo SAP e as camadas DBMS. Os ASGs agrupam máquinas virtuais para ajudar a gerenciar sua segurança.", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + "waf": "Segurança" }, { - "checklist": "Identity Review Checklist", - "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", - "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", - "service": "AAD B2C", - "severity": "Média", - "text": "Certifique-se de que os fluxos de usuário de entrada sejam armazenados em backup e resilientes. Certifique-se de que o código que você usa para entrar em seus usuários é de backup e recuperável. 
Interfaces resilientes com processos externos", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "Alto", + "text": "Não há suporte para a colocação da camada de aplicativo SAP e do SGBD SAP em diferentes VNets do Azure que não são emparelhadas.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Desempenho" }, { - "checklist": "Identity Review Checklist", - "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", - "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", - "service": "AAD B2C", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "Média", - "text": "Os ativos de marca personalizados devem ser hospedados em uma CDN", + "text": "Para obter a latência de rede ideal com aplicativos SAP, considere o uso de grupos de posicionamento de proximidade do Azure.", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", "waf": "Desempenho" }, { - "checklist": "Identity Review Checklist", - "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", - "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", - "service": "AAD B2C", - "severity": "Baixo", - "text": "Ter vários provedores de identidade (ou seja, fazer login com suas contas da Microsoft, Google, Facebook)", - "waf": "Fiabilidade" - }, - { - "checklist": "Identity Review Checklist", - "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - 
"severity": "Média", - "text": "Siga as regras de VM para alta disponibilidade no nível da VM (discos premium, dois ou mais em uma região, em zonas de disponibilidade diferentes)", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "Alto", + "text": "NÃO há suporte para executar uma camada do SAP Application Server e uma camada de DBMS dividida entre o local e o Azure. Ambas as camadas precisam residir completamente no local ou no Azure.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Desempenho" }, { - "checklist": "Identity Review Checklist", - "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "Média", - "text": "Não replique! A replicação pode criar problemas com a sincronização de diretórios", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "Alto", + "text": "Não é recomendado hospedar o sistema de gerenciamento de banco de dados (DBMS) e as camadas de aplicativos dos sistemas SAP em diferentes VNets e conectá-los ao emparelhamento de VNet devido aos custos substanciais que o tráfego de rede excessivo entre as camadas pode produzir. 
Recomende o uso de sub-redes na rede virtual do Azure para separar a camada de aplicativo SAP e a camada DBMS.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "Custar" }, { - "checklist": "Identity Review Checklist", - "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", - "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", - "service": "Windows AD", - "severity": "Média", - "text": "Ter ativo-ativo para várias regiões", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", + "severity": "Alto", + "text": "Se estiver usando o Load Balancer com sistemas operacionais convidados Linux, verifique se o parâmetro de rede Linux net.ipv4.tcp_timestamps está definido como 0.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "Desempenho" }, { - "checklist": "Identity Review Checklist", - "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "severity": "Média", - "text": "Adicionar carimbos de serviço de Domínio do Azure AD a regiões e locais adicionais", - "waf": "Fiabilidade" + "text": "Para implantações SAP RISE/ECS, o emparelhamento virtual é a maneira preferida de estabelecer conectividade com o ambiente existente do Azure do cliente. 
Tanto a vnet do SAP quanto a(s) vnet(s) do cliente são protegidas com grupos de segurança de rede (NSG), permitindo a comunicação nas portas SAP e de banco de dados por meio do emparelhamento vnet", + "waf": "Segurança" }, { - "checklist": "Identity Review Checklist", - "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", - "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", - "service": "Entra", - "severity": "Média", - "text": "Usar conjuntos de réplicas para DR", - "waf": "Fiabilidade" + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "Alto", + "text": "Revise os backups de banco de dados do SAP HANA para VMs do Azure.", + "waf": "Custar" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", "severity": "Média", - "text": "Aproveite o Manual de Resiliência de FTA para o Azure Data Factory", - "waf": "Fiabilidade" + "text": "Revise o monitoramento interno do Site Recovery, quando usado para SAP.", + "waf": "Custar" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": 
"https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", "severity": "Alto", - "text": "Usar pipelines redundantes de zona em regiões que oferecem suporte a zonas de disponibilidade", - "waf": "Fiabilidade" + "text": "Revise as diretrizes de monitoramento do cenário do sistema SAP HANA.", + "waf": "Operações" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", "severity": "Média", - "text": "Usar DevOps para fazer backup dos modelos ARM com a integração Github/Azure DevOps ", - "waf": "Fiabilidade" + "text": "Revise o Banco de Dados Oracle nas estratégias de backup de VM do Linux do Azure.", + "waf": "Operações" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", "severity": "Média", - "text": "Certifique-se de replicar as VMs do Self-Hosted Integration Runtime em outra região ", - "waf": "Fiabilidade" + "text": "Analise o uso do Armazenamento de Blobs do Azure com o SQL Server 2016.", + "waf": "Operações" }, { - "arm-service": 
"Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", "severity": "Média", - "text": "Certifique-se de replicar ou duplicar sua rede na região irmã. Você tem que fazer uma cópia do seu Vnet em outra região", - "waf": "Fiabilidade" - }, - { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "Se seus pipelines do ADF usarem o Cofre de Chaves, você não precisará fazer nada para replicar o Cofre de Chaves. O Cofre de Chaves é um serviço gerenciado e a Microsoft cuida dele para você", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", - "severity": "Baixo", - "text": "Se estiver usando a integração do Keyvault, use o SLA do Keyvault para entender sua disponibilidade", - "waf": "Fiabilidade" + "text": "Analise o uso do Backup Automatizado v2 para VMs do Azure.", + "waf": "Operações" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", - "severity": "Média", - "text": "Se você usar certificados TLS gerenciados pelo cliente com o Azure Front Door, use a versão de certificado 'Mais recente'. 
Reduzir o risco de paralisações causadas pela renovação manual de certificados", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", + "severity": "Alto", + "text": "Ativando o acelerador de gravação para a série M ao usar discos premium (V1)", "waf": "Operações" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "severity": "Média", - "text": "Verifique se você está usando o SKU do Application Gateway v2", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Segurança" + "text": "Testar a latência da zona de disponibilidade.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "severity": "Média", - "text": "Verifique se você está usando a SKU padrão para seus Balanceadores de Carga do Azure", - "waf": 
"Segurança" + "text": "Ative o SAP EarlyWatch Alert para todos os componentes SAP.", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "severity": "Média", - "text": "Verifique se os endereços IP de front-end dos Load Balancers são redundantes por zona (a menos que você precise de frontends zonais).", - "waf": "Segurança" + "text": "Revise a latência do servidor de aplicativos SAP para o servidor de banco de dados usando o relatório SAP ABAPMeter /SSA/CAT.", + "training": "https://me.sap.com/notes/0002879613", + "waf": "Desempenho" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": 
"dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "severity": "Média", - "text": "Seus Application Gateways v2 devem ser implantados em sub-redes com prefixos IP iguais ou maiores que /24", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Segurança" + "text": "Revise o monitoramento de desempenho do SQL Server usando o CCMS.", + "waf": "Desempenho" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "description": "A administração de proxies reversos em geral e do WAF em particular está mais próxima do aplicativo do que da rede, portanto, eles pertencem à mesma assinatura que o aplicativo. Centralizar o Application Gateway e o WAF na assinatura de conectividade pode ser OK se for gerenciado por uma única equipe.", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + "link": "https://me.sap.com/notes/500235", + "service": "SAP", "severity": "Média", - "text": "Implante o Gateway de Aplicativo do Azure v2 ou NVAs de parceiros usados para fazer proxy de conexões HTTP(S) de entrada na rede virtual da zona de aterrissagem e com os aplicativos que eles estão protegendo.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Segurança" + "text": "Teste a latência de rede entre VMs de camada de aplicativo SAP e VMs DBMS (NIPING).", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "Desempenho" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure 
Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", "severity": "Média", - "text": "Use uma rede DDoS ou planos de proteção IP para todos os endereços IP públicos nas zonas de aterrissagem do aplicativo.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Segurança" + "text": "Revise os alertas do SAP HANA Studio.", + "waf": "Desempenho" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", "severity": "Média", - "text": "Configure o dimensionamento automático com uma quantidade mínima de duas instâncias.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Fiabilidade" + "text": "Execute verificações de integridade do SAP HANA usando HANA_Configuration_Minichecks.", + "waf": "Desempenho" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = 
(isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant",
- "guid": "060c6964-52b5-48db-af8b-83e4b2d85349",
- "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2",
- "service": "App Gateway",
+ "checklist": "SAP Checklist",
+ "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
+ "service": "SAP",
 "severity": "Média",
- "text": "Implantar o Application Gateway em zonas de disponibilidade",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "Fiabilidade"
+ "text": "Se você executar VMs do Windows e Linux no Azure, no local ou em outros ambientes de nuvem, poderá usar o Centro de gerenciamento de atualizações na Automação do Azure para gerenciar atualizações do sistema operacional, incluindo patches de segurança.",
+ "training": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "08951710-79a2-492a-adbc-06d7a401545b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
+ "service": "SAP",
 "severity": "Média",
- "text": "Use o Azure Front Door com políticas WAF para fornecer e ajudar a proteger aplicativos HTTP/S globais que abrangem várias regiões do Azure.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "Analise rotineiramente as notas de OSS de segurança do SAP porque o SAP lança patches de segurança altamente críticos, ou hot fixes, que exigem ação imediata para proteger seus sistemas SAP.",
+ "training": 
"https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "3f29812b-2363-4cef-b179-b599de0d5973",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "Front Door",
- "severity": "Média",
- "text": "Ao usar o Front Door e o Application Gateway para ajudar a proteger aplicativos HTTP/S, use políticas WAF no Front Door. Bloqueie o Application Gateway para receber tráfego somente do Front Door.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "checklist": "SAP Checklist",
+ "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
+ "service": "SAP",
+ "severity": "Baixo",
+ "text": "Para SAP no SQL Server, você pode desabilitar a conta de administrador do sistema do SQL Server porque os sistemas SAP no SQL Server não usam a conta. 
Certifique-se de que outro usuário com direitos de administrador do sistema possa acessar o servidor antes de desabilitar a conta de administrador do sistema original.",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/trafficManagerProfiles",
- "checklist": "Azure Application Delivery Networking",
- "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "Traffic Manager",
+ "checklist": "SAP Checklist",
+ "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Use o Gerenciador de Tráfego para fornecer aplicativos globais que abrangem protocolos diferentes de HTTP/S.",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
- "waf": "Fiabilidade"
+ "text": "Desative xp_cmdshell. O recurso do SQL Server xp_cmdshell habilita um shell de comando do sistema operacional interno do SQL Server. 
É um risco potencial em auditorias de segurança.",
+ "training": "https://me.sap.com/notes/3019299/E",
+ "waf": "Segurança"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "Entra",
- "severity": "Baixo",
- "text": "Se os usuários precisarem apenas de acesso a aplicativos internos, o Proxy de Aplicativo de ID do Microsoft Entra foi considerado uma alternativa à Área de Trabalho Virtual (AVD) do Azure?",
- "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/",
+ "checklist": "SAP Checklist",
+ "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "A criptografia de servidores de banco de dados SAP HANA no Azure usa a tecnologia de criptografia nativa do SAP HANA. 
Além disso, se você estiver usando o SQL Server no Azure, use a TDE (Criptografia de Dados Transparente) para proteger seus dados e arquivos de log e garantir que seus backups também sejam criptografados.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
 "waf": "Segurança"
 },
 {
- "checklist": "Azure Application Delivery Networking",
- "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
- "service": "Entra",
+ "checklist": "SAP Checklist",
+ "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
+ "service": "SAP",
 "severity": "Média",
- "text": "Para reduzir o número de portas de firewall abertas para conexões de entrada em sua rede, considere o uso do Microsoft Entra ID Application Proxy para dar aos usuários remotos acesso seguro e autenticado a aplicativos internos.",
- "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
+ "text": "A criptografia de Armazenamento do Azure está habilitada para todas as contas clássicas e do Gerenciador de Recursos do Azure e não pode ser desabilitada. 
Como seus dados são criptografados por padrão, você não precisa modificar seu código ou aplicativos para usar a criptografia do Armazenamento do Azure.",
+ "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
- "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Implante sua política de WAF para Front Door no modo 'Prevenção'.",
+ "text": "Usar o Cofre de Chaves do Azure para armazenar seus segredos e credenciais",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
- "service": "Front Door",
- 
"severity": "Alto",
- "text": "Evite combinar o Gerenciador de Tráfego do Azure e o Azure Front Door.",
+ "checklist": "SAP Checklist",
+ "guid": "829e2edb-2173-4676-aff6-691b4935ada4",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "É recomendável BLOQUEAR os Recursos do Azure após a implantação bem-sucedida para proteger contra alterações não autorizadas. Você também pode impor restrições e regras LOCK em sua base por assinatura usando políticas personalizadas do Azure (função Personalizada).",
+ "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
- "service": "Front Door",
- "severity": "Alto",
- "text": "Use o mesmo nome de domínio no Azure Front Door e sua origem. 
Nomes de host incompatíveis podem causar bugs sutis.",
+ "checklist": "SAP Checklist",
+ "guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
+ "service": "SAP",
+ "severity": "Média",
+ "text": "Provisione o Cofre de Chaves do Azure com as políticas de exclusão e limpeza suaves habilitadas para permitir a proteção de retenção para objetos excluídos.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
- "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
- "service": "Front Door",
- "severity": "Baixo",
- "text": "Desabilite os testes de integridade quando houver apenas uma origem em um grupo de origem do Azure Front Door.",
- "waf": "Desempenho"
- },
- {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
- "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
- "service": "Front Door",
- "severity": "Média",
- "text": "Selecione bons pontos de extremidade de teste de integridade para o Azure Front Door. Considere a criação de pontos de extremidade de integridade que verifiquem todas as dependências do seu aplicativo.",
- "waf": "Fiabilidade"
+ "checklist": "SAP Checklist",
+ "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Com base nos requisitos existentes, controles normativos e de conformidade (internos/externos) - Determine quais Políticas do Azure e a função RBAC do Azure são necessárias",
+ "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
- "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
- "service": "Front Door",
- "severity": "Baixo",
- "text": "Use testes de integridade do HEAD com o Azure Front Door para reduzir o tráfego que o Front Door envia para seu aplicativo.",
- "waf": "Desempenho"
+ "checklist": "SAP Checklist",
+ "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "Alto",
+ 
"text": "Ao habilitar o Microsoft Defender for Endpoint no ambiente SAP, recomende excluir arquivos de dados e de log em servidores DBMS em vez de direcionar todos os servidores. Siga as recomendações do fornecedor do DBMS ao excluir arquivos de destino.",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268",
+ "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "Microsoft.Network/loadBalancers",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
- "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
- "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
- "service": "Load Balancer",
+ "checklist": "SAP Checklist",
+ "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Usar o Gateway NAT do Azure em vez das regras de saída do Load Balancer para melhor escalabilidade do SNAT",
- "waf": "Fiabilidade"
+ "text": "Delegue uma função personalizada de administrador SAP com acesso just-in-time do Microsoft Defender for Cloud.",
+ "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or 
tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
- "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
- "service": "Front Door",
- "severity": "Alto",
- "text": "Use certificados TLS gerenciados com o Azure Front Door. Reduza o custo operacional e o risco de paralisações devido a renovações de certificados.",
- "waf": "Operações"
+ "checklist": "SAP Checklist",
+ "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "Baixo",
+ "text": "criptografar dados em trânsito integrando o produto de segurança de terceiros com comunicações de rede seguras (SNC) para DIAG (SAP GUI), RFC e SPNEGO para HTTPS",
+ "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal",
+ "service": "SAP",
 "severity": "Média",
- "text": "Defina sua configuração do WAF do Azure Front Door como código. 
Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.",
- "waf": "Operações"
+ "text": "O padrão é chaves gerenciadas pela Microsoft para a funcionalidade de criptografia principal e use chaves gerenciadas pelo cliente quando necessário.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
+ "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Use o TLS de ponta a ponta com o Azure Front Door. Use o TLS para conexões de seus clientes com o Front Door e do Front Door com sua origem.",
+ "text": "Use um Cofre de Chaves do Azure por aplicativo, por ambiente, por região.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection",
- "service": "Front Door",
- "severity": "Média",
- "text": "Use o redirecionamento HTTP para HTTPS com o Azure Front Door. 
Ofereça suporte a clientes mais antigos redirecionando-os para uma solicitação HTTPS automaticamente.",
+ "checklist": "SAP Checklist",
+ "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c",
+ "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
+ "service": "SAP",
+ "severity": "Alto",
+ "text": "Para controlar e gerenciar chaves de criptografia de disco e segredos para sistemas operacionais Windows e não Windows HANA, use o Cofre de Chaves do Azure. O SAP HANA não tem suporte com o Cofre de Chaves do Azure, portanto, você deve usar métodos alternativos, como chaves SAP ABAP ou SSH.",
+ "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Habilite o WAF do Azure Front Door. 
Proteja seu aplicativo contra uma série de ataques.",
+ "text": "Personalizar funções RBAC (controle de acesso baseado em função) para SAP em assinaturas spoke do Azure para evitar alterações acidentais relacionadas à rede",
+ "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
+ "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Ajuste o WAF do Azure Front Door para sua carga de trabalho. Reduza as detecções de falsos positivos.",
+ "text": "Isole DMZs e NVAs do restante do estado SAP, configure o Azure Private Link e gerencie e controle com segurança os recursos do SAP no Azure",
+ "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
- "service": "Front Door",
- "severity": "Alto",
- "text": "Habilite o recurso de inspeção do corpo de solicitação habilitado na política WAF do Azure Front Door.",
+ "checklist": "SAP Checklist",
+ "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
+ "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ 
"service": "SAP",
+ "severity": "Baixo",
+ "text": "Considere usar o software antimalware da Microsoft no Azure para proteger suas máquinas virtuais contra arquivos mal-intencionados, adware e outras ameaças.",
+ "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets",
- "service": "Front Door",
- "severity": "Alto",
- "text": "Habilite os conjuntos de regras padrão do WAF do Azure Front Door. Os conjuntos de regras padrão detectam e bloqueiam ataques comuns.",
+ "checklist": "SAP Checklist",
+ "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
+ "service": "SAP",
+ "severity": "Baixo",
+ "text": "Para obter uma proteção ainda mais poderosa, considere usar o Microsoft Defender for Endpoint.",
+ "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "service": "SAP",
 "severity": "Alto",
- "text": "Habilite o conjunto de regras de proteção de bot do WAF do Azure Front 
Door. As regras de bot detectam bots bons e ruins.",
+ "text": "Isole os servidores de aplicativo e banco de dados SAP da Internet ou da rede local passando todo o tráfego pela rede virtual de hub, que está conectada à rede spoke por emparelhamento de rede virtual. As redes virtuais emparelhadas garantem que a solução SAP no Azure seja isolada da Internet pública.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
- "service": "Front Door",
- "severity": "Média",
- "text": "Use a versão mais recente do conjunto de regras do WAF do Azure Front Door. As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário atual de ameaças.",
+ "checklist": "SAP Checklist",
+ "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "service": "SAP",
+ "severity": "Baixo",
+ "text": "Para aplicativos voltados para a Internet, como o SAP Fiori, certifique-se de distribuir a carga por requisitos de aplicativo, mantendo os níveis de segurança. 
Para segurança de Camada 7, você pode usar um WAF (Web Application Firewall) de terceiros disponível no Azure Marketplace.",
+ "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
- "service": "Front Door",
+ "checklist": "SAP Checklist",
+ "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
+ "service": "SAP",
 "severity": "Média",
- "text": "Adicione o limite de taxa ao WAF do Azure Front Door. A limitação de taxa bloqueia clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.",
+ "text": "Para habilitar a comunicação segura no Azure Monitor para soluções SAP, você pode optar por usar um certificado raiz ou um certificado de servidor. 
É altamente recomendável que você use certificados raiz.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
- "service": "Front Door",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "70c15989-c726-42c7-b0d3-24b7375b9201",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations",
+ "service": "Entra",
 "severity": "Média",
- "text": "Use um limite alto para os limites de taxa do WAF do Azure Front Door. Limites de limite de taxa alta evitam o bloqueio de tráfego legítimo, ao mesmo tempo em que fornecem proteção contra um número extremamente alto de solicitações que podem sobrecarregar sua infraestrutura. 
",
- "waf": "Segurança"
+ "text": "Use um locatário do Entra para gerenciar seus recursos do Azure, a menos que você tenha um requisito regulatório ou comercial claro para multilocatários.",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
- "service": "Front Door",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
+ "service": "Entra",
 "severity": "Baixo",
- "text": "Se você não está esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.",
- "waf": "Segurança"
+ "text": "Use a abordagem de Automação Multilocatário para gerenciar seus locatários de ID do Microsoft Entra.",
+ "waf": "Operações"
 },
 {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
- "service": "Front Door",
- "severity": "Média",
- "text": "Especifique o local desconhecido (ZZ) ao filtrar geograficamente o tráfego com o WAF do Azure Front Door. 
Evite bloquear acidentalmente solicitações legítimas quando os endereços IP não puderem ser correspondidos geograficamente.",
- "waf": "Segurança"
+ "checklist": "Azure Landing Zone Review",
+ "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
+ "service": "Entra",
+ "severity": "Alto",
+ "text": "Use o Azure Lighthouse para gerenciamento de vários locatários com as mesmas IDs.",
+ "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience",
+ "waf": "Operações"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
- "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
- "service": "App Gateway",
- "severity": "Alto",
- "text": "Habilitar o conjunto de regras de proteção de bot WAF do Gateway de Aplicativo do Azure As regras de bot detectam bots bons e ruins.",
- "waf": "Segurança"
- },
- {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
- "service": "App Gateway",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d",
+ "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
+ "service": "Entra",
 "severity": "Alto",
- "text": "Habilite o recurso de inspeção do corpo de solicitação habilitado na política WAF do Gateway de Aplicativo do Azure.",
- "waf": "Segurança"
+ "text": "Se você conceder a um parceiro acesso para administrar seu locatário, use o Azure Lighthouse.",
+ "waf": "Custar"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
- "service": "App Gateway",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "348ef254-c27d-442e-abba-c7571559ab91",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/overview",
+ "service": "Entra",
 "severity": "Alto",
- "text": "Ajuste o WAF do Gateway de Aplicativo do Azure para sua carga de trabalho. Reduza as detecções de falsos positivos.",
+ "text": "Aplique um modelo RBAC que se alinhe ao seu modelo operacional de nuvem. 
Escopo e Atribuição entre Grupos de Gerenciamento e Assinaturas.",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
 "waf": "Segurança"
 },
 {
- "ammp": true,
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
- "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
- "service": "App Gateway",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts",
+ "service": "Entra",
 "severity": "Alto",
- "text": "Implante sua política de WAF para o Application Gateway no modo 'Prevenção'.",
+ "text": "Use apenas o tipo de autenticação Conta corporativa ou de estudante para todos os tipos de conta. 
Evite usar a conta da Microsoft",
+ "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
- "service": "App Gateway",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4",
+ "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
+ "service": "Entra",
 "severity": "Média",
- "text": "Adicione o limite de taxa ao WAF do Gateway de Aplicativo do Azure. A limitação de taxa bloqueia clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.",
+ "text": "Use apenas grupos para atribuir permissões. Adicione grupos locais ao grupo Somente ID do Entra se um sistema de gerenciamento de grupo já estiver em vigor.",
+ "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
- "service": "App Gateway",
- "severity": "Média",
- "text": "Use um limite alto para os limites de taxa do WAF do Gateway de Aplicativo do Azure. Limites de limite de taxa alta evitam o bloqueio de tráfego legítimo, ao mesmo tempo em que fornecem proteção contra um número extremamente alto de solicitações que podem sobrecarregar sua infraestrutura. 
", + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", + "severity": "Alto", + "text": "Imponha políticas de Acesso Condicional da ID do Microsoft Entra para qualquer usuário com direitos a ambientes do Azure.", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", - "severity": "Baixo", - "text": "Se você não está esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.", + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", + "severity": "Alto", + "text": "Imponha a autenticação multifator para qualquer usuário com direitos aos ambientes do Azure.", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", "severity": "Média", - "text": "Especifique 
o local desconhecido (ZZ) ao filtrar geograficamente o tráfego com o WAF do Gateway de Aplicativo do Azure. Evite bloquear acidentalmente solicitações legítimas quando os endereços IP não puderem ser correspondidos geograficamente.",
+ "text": "Imponha o Microsoft Entra ID Privileged Identity Management (PIM) para estabelecer acesso permanente zero e privilégios mínimos.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions",
- "service": "App Gateway",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018",
+ "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview",
+ "service": "Entra",
 "severity": "Média",
- "text": "Use a versão mais recente do conjunto de regras do WAF do Gateway de Aplicativo do Azure. 
As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário atual de ameaças.",
+ "text": "Se estiver planejando alternar dos Serviços de Domínio Active Directory para os serviços de domínio Entra, avalie a compatibilidade de todas as cargas de trabalho.",
+ "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "App Gateway",
- "severity": "Média",
- "text": "Adicione configurações de diagnóstico para salvar seus logs WAF do Gateway de Aplicativo do Azure.",
- "waf": "Operações"
- },
- {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "Front Door",
- "severity": "Média",
- "text": "Adicione configurações de diagnóstico para salvar seus logs do WAF do Azure Front Door.",
- "waf": "Operações"
- },
- {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "92664c60-47e3-4591-8b1b-8d557656e686",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel",
- "service": "App Gateway",
- "severity": "Média",
- "text": "Envie logs do WAF do Gateway de Aplicativo do Azure para o Microsoft Sentinel.",
- "waf": "Operações"
- },
- {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Azure Application Delivery Networking",
- "guid": 
"845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", "severity": "Média", - "text": "Envie logs do WAF do Azure Front Door para o Microsoft Sentinel.", - "waf": "Operações" + "text": "Integre os logs de ID do Microsoft Entra com o Azure Monitor central da plataforma. O Azure Monitor permite uma única fonte de verdade sobre dados de log e monitoramento no Azure, oferecendo às organizações opções nativas de nuvem para atender aos requisitos de coleta e retenção de logs.", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", - "severity": "Média", - "text": "Defina sua configuração do WAF do Gateway de Aplicativo do Azure como código. 
Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.",
- "waf": "Operações"
+ "ammp": true,
+ "checklist": "Azure Landing Zone Review",
+ "guid": "984a859c-773e-47d2-9162-3a765a917e1f",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access",
+ "service": "Entra",
+ "severity": "Alto",
+ "text": "Implemente um acesso de emergência ou contas de emergência para evitar o bloqueio de conta em todo o locatário.",
+ "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview",
- "service": "App Gateway",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "35037e68-9349-4c15-b371-228514f4cdff",
+ "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
+ "service": "Entra",
 "severity": "Média",
- "text": "Use políticas de WAF em vez da configuração de WAF herdada.",
- "waf": "Operações"
+ "text": "Não use contas sincronizadas locais para atribuições de função de ID do Microsoft Entra, a menos que você tenha um cenário que exija isso especificamente.",
+ "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88",
- "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway",
- "service": "App Gateway",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
+ 
"service": "Entra", "severity": "Média", - "text": "Filtre o tráfego de entrada nos back-ends para que eles só aceitem conexões da sub-rede do Application Gateway, por exemplo, com NSGs.", + "text": "Ao usar o Proxy de Aplicativo de ID do Microsoft Entra para fornecer acesso de usuários remotos a aplicativos, gerencie-o como um recurso da plataforma, pois você só pode ter uma instância por locatário.", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", "waf": "Segurança" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", - "service": "Front Door", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", "severity": "Média", - "text": "Certifique-se de que suas origens recebam apenas o tráfego de sua instância do Azure Front Door.", + "text": "Use uma topologia de rede hub-and-spoke para cenários de rede que exigem flexibilidade máxima.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", "severity": "Alto", - "text": "Você deve criptografar o tráfego para os servidores de back-end.", - "waf": "Segurança" + "text": "Implante serviços de rede compartilhados, incluindo gateways do ExpressRoute, gateways de VPN e Firewall do Azure ou NVAs de parceiros na rede virtual do hub central. Se necessário, implante também serviços DNS.", + "waf": "Custar" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", "severity": "Alto", - "text": "Você deve usar um Web Application Firewall.", + "text": "Use um plano de proteção de IP ou rede DDoS para todos os endereços IP públicos nas zonas de destino do aplicativo.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "Média", - "text": "Redirecionar HTTP para HTTPS", - "waf": "Segurança" + "text": 
"Ao implantar tecnologias de rede de parceiros ou NVAs, siga as diretrizes do fornecedor do parceiro.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", - "severity": "Média", - "text": "Usar cookies gerenciados por gateway para direcionar o tráfego de uma sessão de usuário para o mesmo servidor para processamento", - "waf": "Operações" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", + "severity": "Baixo", + "text": "Se você precisar de trânsito entre o ExpressRoute e os gateways de VPN em cenários hub e spoke, use o Servidor de Rota do Azure.", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", - "severity": "Alto", - "text": "Habilite a drenagem de conexão durante as atualizações de serviço planejadas para evitar a perda de conexão com membrs existentes do pool de back-end", + "arm-service": "Microsoft.Network/virtualHubs", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = 
split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
+ "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
+ "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
+ "service": "ARS",
+ "severity": "Baixo",
+ "text": "Se estiver usando o Servidor de Roteamento, use um prefixo /27 para a sub-rede do Servidor de Roteamento.",
 "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5",
- "link": "https://learn.microsoft.com/azure/application-gateway/custom-error",
- "service": "App Gateway",
- "severity": "Baixo",
- "text": "Criar páginas de erro personalizadas para exibir uma experiência de usuário personalizada",
- "waf": "Operações"
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
+ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region",
+ "service": "VNet",
+ "severity": "Média",
+ "text": "Para arquiteturas de rede com várias topologias hub-and-spoke em regiões do Azure, use emparelhamentos de rede virtual global entre as VNets do hub para conectar as regiões entre si.",
+ "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
+ "waf": "Desempenho"
 },
 {
- "arm-service": "microsoft.network/applicationGateways",
- "checklist": "Azure Application Delivery Networking",
- "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1",
- "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url",
- "service": "App Gateway",
+ "arm-service": "Microsoft.Network/virtualNetworks",
+ "checklist": "Azure Landing Zone Review",
+ "guid": 
"4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", "severity": "Média", - "text": "Edite solicitações HTTP e cabeçalhos de resposta para facilitar o roteamento e a troca de informações entre o cliente e o servidor", - "waf": "Segurança" + "text": "Use o Azure Monitor para Redes para monitorar o estado de ponta a ponta das redes no Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Operações" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "Média", - "text": "Configure o Front Door para otimizar o roteamento de tráfego global da Web e o desempenho do usuário final de nível superior e a confiabilidade por meio de failover global rápido", - "waf": "Desempenho" + "text": "Se você tiver mais de 400 redes spoke em uma região, implante um hub adicional para ignorar os limites de emparelhamento VNet (500) e o número máximo de prefixos que podem ser anunciados por meio do ExpressRoute (1000).", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/applicationGateways", - 
"checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "Média", - "text": "Usar balanceamento de carga da camada de transporte", - "waf": "Desempenho" + "text": "Limite o número de rotas por tabela de rotas a 400.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", + "severity": "Alto", + "text": "Use a configuração 'Permitir tráfego para rede virtual remota' ao configurar emparelhamentos VNet.", + "waf": "Fiabilidade" + }, + { + "arm-service": 
"microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", "severity": "Média", - "text": "Configurar o roteamento com base no host ou nome de domínio para vários aplicativos Web em um único gateway", + "text": "Quando você estiver usando o ExpressRoute Direct, configure o MACsec para criptografar o tráfego no nível da camada dois entre os roteadores da organização e o MSEE. O diagrama mostra essa criptografia no fluxo.", "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", + "service": "ExpressRoute", "severity": "Média", - "text": "Centralize o gerenciamento de certificados SSL para reduzir a sobrecarga de criptografia e descriptografia de um farm de servidores back-end", + "text": "Para cenários em que o MACsec não é uma opção (por exemplo, não usando o ExpressRoute Direct), use um gateway de VPN para estabelecer túneis IPsec no emparelhamento privado do ExpressRoute.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "severity": "Baixo", - 
"text": "Usar o Application Gateway para suporte nativo para protocolos WebSocket e HTTP/2", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Verifique se nenhum espaço de endereço IP sobreposto entre regiões do Azure e locais é usado.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", - "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "severity": "Média", - "text": "Implementar uma política de tratamento de erros em nível global", - "waf": "Operações" + "text": "Use endereços IP dos intervalos de alocação de endereços para Internets privadas (RFC 1918).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + 
"waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", - "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", - "service": "APIM", - "severity": "Média", - "text": "Certifique-se de que todas as políticas de APIs incluam um elemento .", - "waf": "Operações" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "Alto", + "text": "Certifique-se de que o espaço de endereço IP não seja desperdiçado, não crie redes virtuais desnecessariamente grandes (por exemplo, /16).", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", - "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", - "service": "APIM", - "severity": "Média", - "text": "Usar fragmentos de política para evitar a repetição das mesmas definições de políticas em várias APIs", - "waf": "Operações" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": 
"f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", + "severity": "Alto", + "text": "Não use intervalos de endereços IP sobrepostos para sites de produção e recuperação de desastres.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", - "link": "https://learn.microsoft.com/azure/api-management/monetization-support", - "service": "APIM", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", + "service": "DNS", "severity": "Média", - "text": "Se você estiver planejando monetizar suas APIs, consulte o artigo 'suporte à monetização' para obter as práticas recomendadas", - "waf": "Operações" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", - "service": "APIM", - "severity": "Alto", - "text": "Habilitar Configurações de Diagnóstico para exportar logs para o Azure Monitor", + "text": "Para ambientes em que a resolução de nomes no Azure é tudo o que é necessário, use o DNS Privado do Azure para resolução com uma zona delegada para resolução de nomes (como 'azure.contoso.com').", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "Operações" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", - "link": 
"https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", - "service": "APIM", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", "severity": "Média", - "text": "Habilite o Application Insights para telemetria mais detalhada", - "waf": "Operações" + "text": "Para ambientes em que a resolução de nomes no Azure e no local é necessária e não há nenhum serviço DNS corporativo existente, como o Active Directory, use o Resolvedor Privado de DNS do Azure para rotear solicitações de DNS para o Azure ou para servidores DNS locais.", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", - "service": "APIM", - "severity": "Alto", - "text": "Configurar alertas sobre as métricas mais críticas", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", + "severity": "Baixo", + "text": "Cargas de trabalho especiais que exigem e implantam seu próprio DNS (como o Red Hat OpenShift) devem usar sua solução de DNS preferida.", "waf": "Operações" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", - "service": "APIM", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", "severity": "Alto", - "text": "Certifique-se de que os certificados SSL personalizados sejam armazenados em um Cofre de Chaves do Azure para que possam ser acessados e atualizados com segurança", - "waf": "Segurança" + "text": "Habilite o registro automático para o DNS do Azure para gerenciar automaticamente o ciclo de vida dos registros DNS para as máquinas virtuais implantadas em uma rede virtual.", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "Operações" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", - "service": "APIM", - "severity": "Alto", - "text": "Proteger solicitações de entrada para APIs (plano de dados) com o Azure AD", + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", + "severity": "Média", + "text": "Use o Azure Bastion para se conectar com segurança à sua rede.", "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", 
- "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", - "service": "APIM", + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", "severity": "Média", - "text": "Usar o Microsoft Entra ID para autenticar usuários no Portal do Desenvolvedor", + "text": "Use o Azure Bastion em uma sub-rede /26 ou maior.", "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", - "service": "APIM", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", "severity": "Média", - "text": "Criar grupos apropriados para controlar a visibilidade dos produtos", + "text": "Use as políticas do Azure Front Door e do WAF para fornecer proteção global entre regiões do Azure para conexões HTTP/S de entrada para uma zona de destino.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API 
Management Review", - "guid": "06862505-2d9a-4874-9491-2837b00a3475", - "link": "https://learn.microsoft.com/azure/api-management/backends", - "service": "APIM", - "severity": "Média", - "text": "Use o recurso Back-ends para eliminar configurações redundantes de back-end de API", - "waf": "Operações" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", - "service": "APIM", - "severity": "Média", - "text": "Usar Valores Nomeados para armazenar valores comuns que podem ser usados em políticas", - "waf": "Operações" + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "Baixo", + "text": "Ao usar o Azure Front Door e o Gateway de Aplicativo do Azure para ajudar a proteger aplicativos HTTP/S, use políticas WAF no Azure Front Door. 
Bloqueie o Gateway de Aplicativo do Azure para receber tráfego somente do Azure Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", - "service": "APIM", - "severity": "Média", - "text": "Para DR, aproveite o nível premium com implantações dimensionadas em duas ou mais regiões para um SLA de 99,99%", - "waf": "Fiabilidade" + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "Alto", + "text": "Quando WAFs e outros proxies reversos forem necessários para conexões HTTP/S de entrada, implante-os em uma rede virtual de zona de destino e junto com os aplicativos que eles estão protegendo e expondo à Internet.", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", - "link": "https://learn.microsoft.com/azure/api-management/high-availability", - "service": "APIM", - "severity": "Média", - "text": "Implante pelo menos uma unidade em duas ou mais zonas de disponibilidade para um SLA aumentado de 99,99%", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "Alto", + 
"text": "Use os planos de Rede ou Proteção de IP do Azure contra DDoS para ajudar a proteger os pontos de extremidade de endereços IP públicos nas redes virtuais.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", - "service": "APIM", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", "severity": "Alto", - "text": "Verifique se há uma rotina de backup automatizada", + "text": "Planeje como gerenciar a configuração e a estratégia de tráfego de saída da rede antes da próxima alteração significativa. 
Em 30 de setembro de 2025, o acesso de saída padrão para novas implantações será desativado e somente configurações de acesso explícito serão permitidas.", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", - "link": "https://learn.microsoft.com/azure/api-management/retry-policy", - "service": "APIM", - "severity": "Média", - "text": "Use Políticas para adicionar uma URL de back-end de failover e cache para reduzir chamadas com falha.", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "Alto", + "text": "Adicione configurações de diagnóstico para salvar logs relacionados a DDoS para todos os endereços IP públicos protegidos (IP DDoS ou Proteção de Rede).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", - "service": "APIM", - "severity": "Baixo", - "text": "Se você precisar registrar em níveis de alto desempenho, considere a política de Hubs de Eventos", - "waf": "Operações" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Policy", + "severity": "Alto", + "text": "Verifique se há uma atribuição de política para negar endereços IP públicos diretamente vinculados a máquinas virtuais. 
Use exclusões se IPs públicos forem necessários em VMs específicas.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", - "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "Média", - "text": "Aplicar políticas de limitação para controlar o número de solicitações por segundo", - "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "text": "Use o ExpressRoute como a conexão principal com o Azure. Use VPNs como fonte de conectividade de backup.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "description": "Você pode usar o prefixo AS-path e pesos de conexão para influenciar o tráfego do Azure para o local e toda a gama de atributos BGP em seus próprios roteadores para influenciar o tráfego do local para o Azure.", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "severity": "Média", - "text": "Configurar o dimensionamento automático para dimensionar o número de instâncias quando a 
carga aumenta", - "waf": "Desempenho" + "text": "Ao usar vários circuitos do ExpressRoute ou vários locais locais, use atributos BGP para otimizar o roteamento.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", + "service": "ExpressRoute", "severity": "Média", - "text": "Implante gateways auto-hospedados onde o Azure não tem uma região próxima às APIs de back-end.", + "text": "Selecione o SKU correto para os gateways ExpressRoute/VPN com base nos requisitos de largura de banda e desempenho.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", - "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", - "service": "APIM", - "severity": "Média", - "text": "Use a camada premium para cargas de trabalho de 
produção.", - "waf": "Fiabilidade" - }, - { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", - "service": "APIM", - "severity": "Média", - "text": "No modelo de várias regiões, use Políticas para rotear as solicitações para back-ends regionais com base na disponibilidade ou latência.", - "waf": "Fiabilidade" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Verifique se você está usando circuitos do ExpressRoute de dados ilimitados somente se atingir a largura de banda que justifica seu custo.", + "waf": "Custar" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project 
id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", "severity": "Alto", - "text": "Esteja atento aos limites da APIM", - "waf": "Fiabilidade" + "text": "Aproveite o SKU local do ExpressRoute para reduzir o custo de seus circuitos, se o local de emparelhamento de circuito der suporte às regiões do Azure para o SKU Local.", + "waf": "Custar" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", - "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", - "service": "APIM", - "severity": "Alto", - "text": "Certifique-se de que as implantações de gateway auto-hospedado sejam resilientes.", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", + "severity": "Média", + "text": "Implante um gateway do ExpressRoute com redundância de zona nas regiões do Azure com suporte.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": 
"7519e385-a88b-4d34-966b-6269d686e890", - "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "Média", - "text": "Usar o Azure Front Door na frente do APIM para implantação em várias regiões", + "text": "Para cenários que exigem largura de banda superior a 10 Gbps ou portas dedicadas de 10/100 Gbps, use o ExpressRoute Direct.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "cd45c90e-7690-4753-930b-bf290c69c074", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", "severity": "Média", - "text": "Implantar o serviço em uma rede virtual (VNet)", - "waf": "Segurança" + "text": "Quando a baixa latência for necessária ou a taxa de transferência do local para o Azure precisar ser maior que 10 Gbps, habilite o FastPath para ignorar o gateway do ExpressRoute do caminho de dados.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management 
Review", - "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", - "service": "APIM", + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", "severity": "Média", - "text": "Implante NSG (grupos de segurança de rede) em suas sub-redes para restringir ou monitorar o tráfego de/para APIM.", - "waf": "Segurança" + "text": "Use gateways de VPN com redundância de zona para conectar branches ou locais remotos ao Azure (quando disponível).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", - "service": "APIM", + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", "severity": "Média", - "text": "Implante pontos de extremidade privados para filtrar o tráfego de entrada quando o APIM não for implantado em uma rede 
virtual.", - "waf": "Segurança" + "text": "Use dispositivos VPN redundantes locais (ativo/ativo ou ativo/passivo).", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "severity": "Alto", - "text": "Desabilitar o acesso à rede pública", - "waf": "Segurança" + "text": "Se estiver usando o ExpressRoute Direct, considere usar circuitos locais do ExpressRoute para as regiões locais do Azure para economizar custos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Custar" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", - "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", "severity": "Média", - "text": "Simplifique o gerenciamento com scripts de automação do PowerShell", - "waf": "Operações" + "text": "Quando o isolamento de tráfego ou a 
largura de banda dedicada for necessária, como para separar ambientes de produção e não produção, use circuitos diferentes do ExpressRoute. Ele ajudará você a garantir domínios de roteamento isolados e aliviar os riscos de vizinhos barulhentos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", "severity": "Média", - "text": "Configure APIM via Infrastructure-as-code. 
Analise as práticas recomendadas de DevOps do Cloud Adaption Framework APIM Landing Zone Accelerator", + "text": "Monitore a disponibilidade e a utilização do ExpressRoute usando o Express Route Insights interno.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Operações" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", - "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", "severity": "Média", - "text": "Promover o uso da extensão API do Visual Studio Code para um desenvolvimento de API mais rápido", + "text": "Use o Monitor da Conexão para monitoramento de conectividade em toda a rede, especialmente entre o local e o Azure.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "Operações" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "354f1c03-8112-4965-85ad-c0074bddf231", - "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), 
circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", "severity": "Média", - "text": "Implemente DevOps e CI/CD em seu fluxo de trabalho", - "waf": "Operações" + "text": "Use circuitos do ExpressRoute de diferentes locais de emparelhamento para redundância.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "b6439493-426a-45f3-9697-cf65baee208d", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "severity": "Média", - "text": "APIs seguras usando autenticação de certificado de cliente", - "waf": "Segurança" + "text": "Use a VPN site a site como failover do ExpressRoute, se estiver usando apenas um único circuito do ExpressRoute.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "2a67d143-1033-4c0a-8732-680896478f08", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", - "service": "APIM", - "severity": "Média", - "text": "Serviços de back-end seguros usando autenticação de 
certificado de cliente", - "waf": "Segurança" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Se você estiver usando uma tabela de rotas no GatewaySubnet, certifique-se de que as rotas de gateway sejam propagadas.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", - "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Se estiver usando o ExpressRoute, o roteamento local deverá ser dinâmico: no caso de uma falha de conexão, ele deverá convergir para a conexão restante do circuito. 
A carga deve ser compartilhada entre ambas as conexões, idealmente como ativa/ativa, embora ativa/passiva também seja suportada.", + "waf": "Fiabilidade" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", "severity": "Média", - "text": "Consulte o artigo \"Recomendações para mitigar as 10 principais ameaças da segurança da API OWASP\" e verifique o que é aplicável às suas APIs", - "waf": "Segurança" + "text": "Verifique se os dois links físicos do circuito do ExpressRoute estão conectados a dois dispositivos de borda distintos em sua rede.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", - "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", "severity": "Média", - "text": "Usar o recurso Autorizações para simplificar o gerenciamento do token OAuth 2.0 para suas APIs de back-end", - "waf": "Segurança" + "text": "Certifique-se de que a Detecção de Encaminhamento Bidirecional (BFD) esteja habilitada e configurada em dispositivos de roteamento de borda do cliente ou provedor.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - 
"guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", - "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", "severity": "Alto", - "text": "Use a versão mais recente do TLS ao criptografar informações em trânsito. Desative protocolos e cifras desatualizados e desnecessários quando possível.", - "waf": "Segurança" + "text": "Conecte o Gateway do ExpressRoute a dois ou mais circuitos de diferentes locais de emparelhamento para maior resiliência.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "f8af3d94-1d2b-4070-846f-849197524258", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", - "service": "APIM", - "severity": "Alto", - "text": "Certifique-se de que os segredos (valores nomeados) sejam armazenados em um Cofre de Chaves do Azure para que possam ser acessados e atualizados com segurança", - "waf": "Segurança" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", + "severity": "Média", + "text": "Configure logs de diagnóstico e alertas para o gateway de rede virtual do 
ExpressRoute.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Operações" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "791abd8b-7706-4e31-9569-afefde724be3", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", - "service": "APIM", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", "severity": "Média", - "text": "Use identidades gerenciadas para autenticar em outros recursos do Azure sempre que possível", - "waf": "Segurança" + "text": "Não use circuitos do ExpressRoute para comunicação VNet para VNet.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.ApiManagement/service", - "checklist": "Azure API Management Review", - "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", - "service": "APIM", - "severity": "Alto", - "text": "Usar o WAF (Web Application Firewall) implantando o Application Gateway na frente do APIM", - "waf": "Segurança" + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", + "severity": "Baixo", + "text": "Não envie o tráfego do Azure para locais híbridos para inspeção. 
Em vez disso, siga o princípio \"o tráfego no Azure permanece no Azure\" para que a comunicação entre os recursos no Azure ocorra por meio da rede de backbone da Microsoft.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Firewall", "severity": "Alto", - "text": "Aproveitar zonas de disponibilidade, se aplicável regionalmente (isso é habilitado automaticamente)", - "waf": "Fiabilidade" + "text": "Use o Firewall do Azure para controlar o tráfego de saída do Azure para a Internet, conexões de entrada não HTTP/S e filtragem de tráfego Leste/Oeste (se a organização exigir).", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "service": "Firewall", "severity": "Média", - "text": "Esteja ciente dos failovers iniciados pela Microsoft. 
Eles são exercidos pela Microsoft em raras situações para fazer failover de todos os hubs IoT de uma região afetada para a região geo-emparelhada correspondente.", - "waf": "Fiabilidade" + "text": "Crie uma política global de Firewall do Azure para controlar a postura de segurança em todo o ambiente de rede global e atribua-a a todas as instâncias do Firewall do Azure. Permita que políticas granulares atendam aos requisitos de regiões específicas delegando políticas de firewall incrementais às equipes de segurança locais por meio do controle de acesso baseado em função do Azure.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", - "severity": "Alto", - "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "Baixo", + "text": "Configure provedores de segurança SaaS de parceiros compatíveis no Firewall Manager se a organização quiser usar essas soluções para ajudar a proteger as conexões de saída.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing 
Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", "severity": "Alto", - "text": "Saiba como acionar um failover manual.", - "waf": "Fiabilidade" + "text": "Use regras de aplicativo para filtrar o tráfego de saída no nome do host de destino para protocolos com suporte. Use regras de rede baseadas em FQDN e Firewall do Azure com proxy DNS para filtrar o tráfego de saída para a Internet em outros protocolos.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": "https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", "severity": "Alto", - "text": "Saiba como fazer failback após um failover.", - "waf": "Fiabilidade" + "text": "Use o Firewall do Azure Premium para habilitar recursos de segurança adicionais.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", - "severity": "Média", - "text": "Os Aplicativos Spring do Azure permitem duas implantações para cada aplicativo, apenas um dos quais recebe tráfego de 
produção. Você pode obter tempo de inatividade zero com estratégias de implantação em verde azul. A implantação verde azul só está disponível nas camadas Standard e Enterprise. Você pode automatizar a implantação usando CI/CD com ações do ADO/GitHub", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", + "service": "Firewall", + "severity": "Alto", + "text": "Configure o modo de Inteligência contra Ameaças do Firewall do Azure como Alerta e Negação para proteção adicional.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", - "severity": "Média", - "text": "As instâncias do Azure Spring Apps podem ser criadas em várias regiões para seus aplicativos e o tráfego pode ser roteado pelo Gerenciador de Tráfego/Front Door.", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", + "severity": "Alto", + "text": "Configure o modo IDPS do Firewall do Azure como Negar para proteção adicional.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - 
"checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", - "severity": "Média", - "text": "Na região com suporte, os Aplicativos Spring do Azure podem ser implantados como zona redundante, o que significa que as instâncias são distribuídas automaticamente entre zonas de disponibilidade. Esse recurso só está disponível nas camadas Standard e Enterprise.", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", + "severity": "Alto", + "text": 
"Para sub-redes em VNets não conectadas à WAN Virtual, anexe uma tabela de rotas para que o tráfego da Internet seja redirecionado para o Firewall do Azure ou uma Solução de Virtualização de Rede.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", "severity": "Média", - "text": "Usar mais de 1 instância de aplicativo para seus aplicativos", - "waf": "Fiabilidade" + "text": "Adicione configurações de diagnóstico para salvar logs, usando a tabela de destino Específico do Recurso, para todas as implantações do Firewall do Azure.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operações" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "severity": "Média", - "text": "Monitore os Aplicativos Spring do Azure com logs, métricas e rastreamento. 
Integre o ASA com insights de aplicativos e rastreie falhas e crie pastas de trabalho.", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", + "severity": "Importante", + "text": "Migre das regras clássicas do Firewall do Azure (se houver) para a Política de Firewall.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Operações" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", - "severity": "Média", - "text": "Configurar o dimensionamento automático no Spring Cloud Gateway", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", + "severity": "Alto", + "text": "Use um prefixo /26 para suas sub-redes do Firewall do Azure.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": 
"https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", - "severity": "Baixo", - "text": "Habilite o dimensionamento automático para os aplicativos com o plano de consumo padrão e dedicado.", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", + "severity": "Média", + "text": "Organize as regras dentro da política de firewall em Grupos de Coleção de Regras e Coleções de Regras e com base em sua frequência de uso.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", "severity": "Média", - "text": "Use o plano Enterprise para suporte comercial de inicialização spring para aplicativos de missão crítica. 
Com outras camadas, você obtém suporte a OSS.", - "waf": "Fiabilidade" + "text": "Use grupos de IP ou prefixos de IP para reduzir o número de regras de tabela de IP.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "Alto", - "text": "Permitir que 2 réplicas tenham 99,9% de disponibilidade para operações de leitura", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", + "severity": "Média", + "text": "Não use curingas como um IP de origem para DNATS, como * ou any, você deve especificar IPs de origem para DNATs de entrada.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", + "service": "Firewall", "severity": "Média", - "text": "Permitir que 3 réplicas tenham 99,9% de disponibilidade para operações de leitura/gravação", - "waf": "Fiabilidade" + "text": "Evite o esgotamento da porta SNAT monitorando o uso da porta SNAT, avaliando as configurações do NAT Gateway e garantindo um failover contínuo. 
Se a contagem de portas se aproximar do limite, é um sinal de que o esgotamento do SNAT pode ser iminente.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", "severity": "Alto", - "text": "Aproveite as zonas de disponibilidade habilitando réplicas de leitura e/ou gravação", - "waf": "Fiabilidade" + "text": "Se você estiver usando o Firewall do Azure Premium, habilite a Inspeção TLS.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", - "severity": "Média", - "text": "Para redução regional, crie manualmente serviços em 2 ou mais regiões para a Pesquisa, pois não fornece um método automatizado de replicação de índices de pesquisa entre regiões geográficas", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", + "severity": "Baixo", + "text": "Use categorias da Web para permitir ou negar o acesso de saída a tópicos específicos.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review 
Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", - "severity": "Média", - "text": "Para sincronizar dados em vários serviços: Use indexadores para atualizar conteúdo em vários serviços ou Use APIs REST para enviar atualizações de conteúdo em vários serviços", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", + "severity": "Média", + "text": "Como parte da inspeção TLS, planeje o recebimento de tráfego dos Gateways de Aplicativo do Azure para inspeção.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", "severity": "Média", - "text": "Usar o Gerenciador de Tráfego do Azure para coordenar solicitações", - "waf": "Fiabilidade" + "text": "Habilite a configuração de proxy DNS do Firewall do Azure.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "arm-service": 
"Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", "severity": "Alto", - "text": "Backup e restauração de um índice de pesquisa cognitiva do Azure. Use este código de exemplo para fazer backup da definição de índice e instantâneo em uma série de arquivos Json", - "waf": "Fiabilidade" + "text": "Integre o Firewall do Azure ao Azure Monitor e habilite o log de diagnóstico para armazenar e analisar logs de firewall.", + "waf": "Operações" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "text": "Regras de coleta de dados no Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Custar" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "Baixo", + "text": "Implementar backups para suas regras de firewall", + "waf": "Operações" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "45901365-d38e-443f-abcb-d868266abca2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Azure Backup", - "text": "Verificar instâncias de backup com a fonte de dados subjacente não encontrada", - "waf": "Custar" + "arm-service": "microsoft.network/applicationGateways", + 
"checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", + "severity": "Alto", + "text": "Não interrompa a comunicação do painel de controle para serviços de PaaS do Azure injetados em redes virtuais, como com uma rota 0.0.0.0/0 ou uma regra NSG que bloqueia o tráfego do painel de controle.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "VM", - "text": "Excluir ou arquivar serviços não associados (discos, nics, endereços IP etc.)", - "waf": "Custar" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "service": "ExpressRoute", + "severity": "Média", + "text": "Acesse os serviços de PaaS do Azure localmente por meio de pontos de extremidade privados e emparelhamento privado do ExpressRoute. 
Esse método evita o trânsito pela Internet pública.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Azure Backup", - "text": "Considere um bom equilíbrio entre recuperação de local, armazenamento e backup para aplicativos não essenciais", - "waf": "Custar" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "service": "VNet", + "severity": "Alto", + "text": "Não habilite pontos de extremidade de serviço de rede virtual por padrão em todas as sub-redes.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", - "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", - "service": "Azure Monitor", - "text": "Verifique os gastos e as oportunidades de economia entre os 40 diferentes 
espaços de trabalho de análise de log - use retenção e coleta de dados diferentes para espaços de trabalho não prod - crie limite diário para reconhecimento e dimensionamento de camadas - Se você definir um limite diário, além de criar um alerta quando o limite for atingido, certifique-se de também criar uma regra de alerta para ser notificado quando alguma porcentagem for atingida (90%, por exemplo). - considerar a transformação do espaço de trabalho, se possível - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", - "waf": "Custar" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "azure/private-link/inspect-traffic-with-azure-firewall", + "service": "Firewall", + "severity": "Média", + "text": "Filtre o tráfego de saída para os serviços de PaaS do Azure usando FQDNs em vez de endereços IP no Firewall do Azure ou em uma NVA para evitar a exfiltração de dados. 
Se estiver usando o Link Privado, você poderá bloquear todos os FQDNs, caso contrário, permita apenas os serviços de PaaS necessários.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Azure Monitor", - "text": "Impor uma política de log de limpeza e automação (se necessário, os logs podem ser movidos para armazenamento frio)", - "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", - "waf": "Custar" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", + "severity": "Alto", + "text": "Utilize pelo menos um prefixo /27 para as sub-redes do Gateway.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "VM", - "text": "Verifique se os discos são 
realmente necessários, se não: excluir. Se forem necessários, encontre níveis de armazenamento mais baixos ou use backup -", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", - "waf": "Custar" + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", + "severity": "Alto", + "text": "Não confie nas regras padrão de entrada do NSG usando a marca de serviço VirtualNetwork para limitar a conectividade.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d1e44a19-659d-4395-afd7-7289b835556d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", - "service": "Storage", - 
"text": "Considere mover o armazenamento não utilizado para o nível inferior, com regra personalizada - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", - "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "waf": "Custar" + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", + "severity": "Média", + "text": "Use NSGs para ajudar a proteger o tráfego entre sub-redes, bem como o tráfego leste/oeste na plataforma (tráfego entre zonas de destino).", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "VM", - "text": "Verifique se o Advisor está configurado para o dimensionamento correto da VM ", - "waf": "Custar" + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", + "severity": "Média", + "text": "Use NSGs e grupos de segurança de aplicativos para microssegmentar o tráfego dentro da zona de destino e evite usar uma NVA central para filtrar fluxos de tráfego.", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "description": "verifique pesquisando as 
Licenças de Categoria de Medidor na Análise de Custos", - "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", - "service": "VM", - "text": "executar o script em todas as VMs do Windows https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- considere implementar uma diretiva se as VMs do Windows forem criadas com frequência", - "waf": "Custar" + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", + "service": "NSG", + "severity": "Média", + "text": "Habilite os Logs de Fluxo de VNet e alimente-os na Análise de Tráfego para obter insights sobre fluxos de tráfego internos e externos.", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "VM", - "text": " isso também pode ser colocado no AHUB se você já tiver licenças https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", - "waf": "Custar" + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "NSG", + "severity": "Média", + "text": "Não implemente mais de 900 regras de NSG por NSG, devido ao limite de 1000 regras.", + "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "VM", - "text": "Consolidar famílias de VM reservadas com opção de flexibilidade (não mais do que 4-5 famílias)", - "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", - "waf": "Custar" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", + "service": "VWAN", + "severity": "Média", + "text": "Use a WAN Virtual se o cenário estiver explicitamente descrito na lista de designs de roteamento da WAN Virtual.", + "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", + "waf": "Operações" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", - "service": "VM", - "text": "Utilize instâncias reservadas do Azure: esse recurso permite reservar VMs por um período de 1 ou 3 anos, proporcionando uma economia significativa em comparação com os preços do PAYG.", - "waf": "Custar" + "arm-service": 
"microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", + "service": "VWAN", + "severity": "Média", + "text": "Use um hub de WAN Virtual por região do Azure para conectar várias zonas de destino entre regiões do Azure por meio de uma WAN Virtual do Azure global comum.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", - "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", - "service": "VM", - "text": "Somente discos maiores podem ser reservados => 1 TiB -", - "waf": "Custar" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", + "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", + "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", + "service": "VWAN", + "severity": "Média", + "text": "Para proteção e filtragem de tráfego de saída da Internet, implante o Firewall do Azure em hubs seguros.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", - "service": "VM", - "text": "Após a otimização do dimensionamento correto", - "waf": "Custar" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": 
"6667313b-4f56-464b-9e98-4a859c773e7d", + "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", + "service": "VWAN", + "severity": "Média", + "text": "Verifique se a arquitetura de rede da WAN virtual está alinhada a um cenário de arquitetura identificado.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Sql/servers", - "checklist": "Cost Optimization Checklist", - "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Azure SQL", - "text": "Verifique se aplicável e aplique a política/alteração https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", - "waf": "Custar" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", + "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", + "service": "VWAN", + "severity": "Média", + "text": "Use o Azure Monitor Insights para WAN Virtual para monitorar a topologia de ponta a ponta da WAN Virtual, o status e as principais métricas.", + "waf": "Operações" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "VM", - "text": "O desconto da peça de licença VM + (ahub + 3YRI) é de cerca de 70% de desconto", - "waf": "Custar" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", + "service": "VWAN", + 
"severity": "Média", + "text": "Não desabilite o tráfego branch a branch na WAN Virtual, a menos que esses fluxos devam ser bloqueados explicitamente.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "VM", - "text": "Considere o uso de um VMSS para corresponder à demanda em vez de dimensionamento simples", - "waf": "Custar" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", + "service": "VWAN", + "severity": "Média", + "text": "Use AS-Path como preferência de roteamento de hub, pois é mais flexível que ExpressRoute ou VPN.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Cost Optimization Checklist", - "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "AKS", - "text": "Use o autoscaler AKS para corresponder ao uso de clusters (verifique se os requisitos dos pods correspondem ao dimensionador)", - "waf": "Custar" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", + "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", + "service": "VWAN", + "severity": "Média", + "text": "Configure a propagação baseada em rótulos na WAN Virtual, caso contrário, a conectividade entre hubs virtuais será prejudicada.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization 
Checklist", - "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Azure Backup", - "text": "Mover pontos de recuperação para o vault-archive, quando aplicável (Validar)", - "training": "https://azure.microsoft.com/pricing/reservations/", - "waf": "Custar" + "arm-service": "microsoft.network/virtualWans", + "checklist": "Azure Landing Zone Review", + "guid": "9c75dfef-573c-461c-a698-68598595581a", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", + "service": "VWAN", + "severity": "Alto", + "text": "Atribua pelo menos um prefixo /23 a hubs virtuais para garantir que haja espaço IP suficiente disponível.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Databricks/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", - "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", - "service": "Databricks", - "text": "Considere o uso de VMs spot com fallback sempre que possível. 
Considere o autotermination de clusters.", - "waf": "Custar" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Alto", + "text": "Aproveite o Azure Policy estrategicamente, defina controles para seu ambiente, usando Iniciativas de Política para agrupar políticas relacionadas.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", - "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", - "service": "Azure Functions", - "text": "Funções - Reutilizar conexões", - "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", - "waf": "Custar" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Média", + "text": "Mapeie os requisitos regulatórios e de conformidade para definições do Azure Policy e atribuições de função do Azure.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", - "link": "https://learn.microsoft.com/azure/automation/update-management/overview", - "service": "Azure Functions", - "text": "Funções - Armazenar dados em cache localmente", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", - "waf": "Custar" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": 
"223ace8c-b123-408c-a501-7f154e3ab369", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Média", + "text": "Estabeleça definições do Azure Policy no grupo de gerenciamento raiz intermediário para que elas possam ser atribuídas em escopos herdados.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Azure Functions", - "text": "Funções - Partidas a frio - Use a funcionalidade 'Executar do pacote'. Dessa forma, o código é baixado como um único arquivo zip. Isso pode, por exemplo, resultar em melhorias significativas com as funções Javascript, que possuem muitos módulos de nó. Use ferramentas específicas de linguagem para reduzir o tamanho do pacote, por exemplo, aplicativos Javascript que agitam árvores.", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "Custar" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3829e7e3-1618-4368-9a04-77a209945bda", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Alto", + "text": "Gerencie atribuições de política no nível apropriado mais alto com exclusões nos níveis inferiores, se necessário.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "Azure Functions", - "text": "Funções - Mantenha suas funções aquecidas", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Custar" + "arm-service": 
"Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "43334f24-9116-4341-a2ba-527526944008", + "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", + "service": "Policy", + "severity": "Baixo", + "text": "Use o Azure Policy para controlar quais serviços os usuários podem provisionar no nível da assinatura/grupo de gerenciamento.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Azure Functions", - "text": "Ao usar o dimensionamento automático com funções diferentes, pode haver um que conduza todo o dimensionamento automático para todos os recursos - considere movê-lo para um plano de consumo separado (e considere um plano mais alto para a CPU)", - "waf": "Custar" - }, - { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", - "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", - "service": "Azure Functions", - "text": "Os aplicativos de função em um determinado plano são todos dimensionados juntos, portanto, quaisquer problemas com o dimensionamento podem afetar todos os aplicativos no plano.", - "waf": "Custar" + "service": "Policy", + "severity": "Alto", + "text": "Use políticas internas sempre que possível para minimizar a sobrecarga operacional.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Cost Optimization Checklist", - "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", - "link": 
"https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", - "service": "Azure Functions", - "text": "Sou cobrado por 'tempo de espera'? Essa pergunta geralmente é feita no contexto de uma função C# que faz uma operação assíncrona e aguarda o resultado, por exemplo, aguardar Task.Delay(1000) ou aguardar cliente. GetAsync('http://google.com'). A resposta é sim - o segundo cálculo de GB é baseado na hora de início e término da função e no uso de memória durante esse período. O que realmente acontece ao longo desse tempo em termos de atividade da CPU não é levado em consideração no cálculo. Uma exceção a essa regra é se você estiver usando funções duráveis. Você não é cobrado pelo tempo gasto em espera em funções de orquestrador.aplique técnicas de modelagem de demanda sempre que possível (ambientes de desenvolvimento?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", - "waf": "Custar" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "description": "Atribuir a função Colaborador de Política de Recursos a escopos específicos permite delegar o gerenciamento de políticas a equipes relevantes. 
Por exemplo, uma equipe central de TI pode supervisionar as políticas no nível do grupo de gerenciamento, enquanto as equipes de aplicativos lidam com as políticas de suas assinaturas, permitindo a governança distribuída com adesão aos padrões organizacionais.", + "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", + "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", + "service": "Policy", + "severity": "Média", + "text": "Atribua a função interna de Colaborador de Política de Recursos em um escopo específico para habilitar a governança no nível do aplicativo.", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Front Door", - "text": "Frontdoor - Desativar a página inicial padrãoNas configurações do aplicativo do seu aplicativo, defina AzureWebJobsDisableHomepage como true. 
Isso retornará um 204 (Sem Conteúdo) para o PoP para que apenas os dados de cabeçalho sejam retornados.", - "waf": "Custar" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "19048384-5c98-46cb-8913-156a12476e49", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Policy", + "severity": "Média", + "text": "Limite o número de atribuições do Azure Policy feitas no escopo do grupo de gerenciamento raiz para evitar o gerenciamento por meio de exclusões em escopos herdados.", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Cost Optimization Checklist", - "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Front Door", - "text": "Frontdoor - Rota para algo que não retorna nada. Configure uma Função, Proxy de Função ou adicione uma rota em seu WebApp que retorne 200 (OK) e envie conteúdo nulo ou mínimo. 
A vantagem disso é que você poderá fazer logout quando for chamado.", - "waf": "Custar" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", + "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", + "service": "Policy", + "severity": "Média", + "text": "Se houver requisitos de soberania de dados, as Políticas do Azure deverão ser implantadas para aplicá-los.", + "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", - "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", - "service": "Storage", - "text": "Considere níveis de arquivamento para dados menos usados", - "waf": "Custar" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", + "service": "Policy", + "severity": "Média", + "text": "Para a Zona de Destino Soberana, implante a linha de base da política de soberania e atribua no nível correto do grupo de gerenciamento.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "VM", - "text": "Verifique os tamanhos de disco em que o tamanho não corresponde à camada (ou seja, um disco de 513 GiB pagará um P30 (1TiB) e considere o redimensionamento", - "waf": "Custar" + "arm-service": "Microsoft.Authorization/policyDefinitions", + 
"checklist": "Azure Landing Zone Review", + "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", + "service": "Policy", + "severity": "Média", + "text": "Para Zona de Aterrissagem Soberana, documente os objetivos de Controle Soberano para mapeamento de políticas.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", - "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "Storage", - "text": "Considere usar SSD padrão em vez de Premium ou Ultra sempre que possível", - "waf": "Custar" + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", + "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", + "service": "Policy", + "severity": "Média", + "text": "Para a Zona de Aterrissagem Soberana, certifique-se de que o processo esteja em vigor para o gerenciamento de 'Objetivos de Controle Soberano para mapeamento de políticas'.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "Storage", - "text": "Para contas de armazenamento, verifique se a camada escolhida não está somando encargos de transação (pode ser mais barato passar para a próxima camada)", - "waf": "Custar" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", + "link": 
"https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", + "severity": "Média", + "text": "Use um workspace de logs de monitor único para gerenciar plataformas centralmente, exceto quando o RBAC (controle de acesso baseado em função) do Azure, os requisitos de soberania de dados ou as políticas de retenção de dados exigirem workspaces separados.", + "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "waf": "Operações" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Cost Optimization Checklist", - "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "Site Recovery", - "text": "Para ASR, considere o uso de discos SSD padrão se o RPO/RTO e a taxa de transferência de replicação permitirem", - "waf": "Custar" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Monitor", + "severity": "Alto", + "text": "Exporte logs para o Armazenamento do Azure se os requisitos de retenção de log excederem doze anos. 
Use o armazenamento imutável com uma política de gravação única e leitura múltipla para tornar os dados não apagáveis e não modificáveis por um intervalo especificado pelo usuário.", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "waf": "Operações" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Cost Optimization Checklist", - "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", - "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", - "service": "Storage", - "text": "Contas de armazenamento: verifique o hot tier e/ou o GRS necessário", - "waf": "Custar" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "service": "VM", + "severity": "Média", + "text": "Monitore o descompasso de configuração da VM (máquina virtual) no nível do sistema operacional usando o Azure Policy. 
Habilitar os recursos de auditoria da Configuração de Computador do Gerenciamento Automatizado do Azure por meio da política ajuda as cargas de trabalho da equipe de aplicativos a consumir imediatamente os recursos de recursos com pouco esforço.", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Operações" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "checklist": "Azure Landing Zone Review", + "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", "service": "VM", - "text": "Discos - valide o uso de discos SSD Premium em todos os lugares: por exemplo, não-prod pode trocar para SSD padrão ou SSD Premium sob demanda ", - "waf": "Custar" + "severity": "Média", + "text": "Use o Azure Update Manager como um mecanismo de aplicação de patch para VMs Windows e Linux no Azure.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operações" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", - "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", - "service": "Synapse", - "text": "Crie orçamentos para gerenciar custos e crie alertas que notifiquem automaticamente as partes interessadas sobre anomalias de gastos e riscos de gastos excessivos.", - "waf": "Custar" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", + "service": "VM", + "severity": "Média", + "text": "Use o Gerenciador de Atualizações do Azure como um mecanismo de aplicação de patch para VMs do Windows e do Linux fora do Azure usando o Azure Arc.", + "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", + "waf": "Operações" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "Synapse", - "text": "Exporte dados de custo para uma conta de armazenamento para análise de dados adicionais.", - "waf": "Custar" + "arm-service": "microsoft.network/networkWatchers", + "checklist": "Azure Landing Zone Review", + "guid": "90483845-c986-4cb2-a131-56a12476e49f", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Network Watcher", + "severity": "Média", + "text": "Use o Observador de Rede para monitorar proativamente os fluxos de tráfego.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Operações" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Synapse", - "text": "Controle os custos de um pool SQL dedicado pausando o recurso quando ele não estiver em uso.", - "waf": "Custar" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Monitor", + "severity": "Média", + "text": "Use os Logs do Azure Monitor para obter insights e relatórios.", + "waf": "Operações" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", - "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", - "service": "Synapse", - "text": "Habilite o recurso de pausa automática do Apache Spark sem servidor e defina seu valor de tempo limite de acordo.", - "waf": "Custar" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "97be9951-9048-4384-9c98-6cb2913156a1", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", + "service": "Monitor", + "severity": "Média", + "text": "Use alertas do Azure Monitor para a geração de alertas operacionais.", + "waf": "Operações" }, { - "arm-service": "Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Synapse", - "text": "Crie várias definições de pool do Apache Spark de vários tamanhos.", - "waf": "Custar" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "Monitor", + "severity": "Média", + "text": "Ao usar o Acompanhamento de Alterações e Inventário por meio de Contas de Automação do Azure, verifique se você selecionou regiões com suporte para vincular seu workspace do Log Analytics e contas de automação.", + "waf": "Operações" }, { - "arm-service": 
"Microsoft.Synapse/workspaces", - "checklist": "Cost Optimization Checklist", - "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", - "service": "Synapse", - "text": "Adquira unidades de confirmação (SCU) do Azure Synapse por um ano com um plano de pré-compra para economizar nos custos do Azure Synapse Analytics.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Custar" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", + "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", + "service": "Backup", + "severity": "Baixo", + "text": "Ao usar o Backup do Azure, use os tipos de backup corretos (GRS, ZRS E LRS) para o backup, pois a configuração padrão é GRS.", + "waf": "Fiabilidade" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "checklist": "Azure Landing Zone Review", + "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", "service": "VM", - "text": "Usar VMs spot para trabalhos interruptíveis: são VMs que podem ser licitadas e compradas a um preço com desconto, fornecendo uma solução econômica para cargas de trabalho não críticas.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Custar" + "severity": "Média", + "text": "Use as políticas de convidado do Azure para implantar automaticamente as configurações de software por meio de extensões de VM e impor uma configuração de VM de linha de base 
compatível.", + "waf": "Segurança" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "544451e1-92d3-4442-a3c7-628637a551c5", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "checklist": "Azure Landing Zone Review", + "description": "Use os recursos de configuração de convidado do Azure Policy para auditar e corrigir as configurações do computador (por exemplo, sistema operacional, aplicativo, ambiente) para garantir que os recursos estejam alinhados com as configurações esperadas e que o Gerenciamento de Atualizações possa impor o gerenciamento de patches para VMs.", + "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", "service": "VM", - "text": "Dimensionamento correto de todas as VMs", - "waf": "Custar" + "severity": "Média", + "text": "Monitore o descompasso de configuração de segurança da VM por meio do Azure Policy.", + "waf": "Segurança" }, { "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "checklist": "Azure Landing Zone Review", + "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", "service": "VM", - "text": "Trocar VM dimensionada com tamanhos normalizados e mais recentes", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Custar" + "severity": "Média", + "text": "Use o Azure Site Recovery para cenários de recuperação de desastre de Máquinas Virtuais do Azure para o Azure. 
Isso permite replicar cargas de trabalho entre regiões.", + "waf": "Operações" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "VMs de dimensionamento correto - comece com o monitoramento do uso abaixo de 5% e, em seguida, trabalhe até 40%", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Custar" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "Backup", + "severity": "Média", + "text": "Use recursos de backup nativos do Azure ou uma solução de backup de terceiros compatível com o Azure.", + "waf": "Operações" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Cost Optimization Checklist", - "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "VM", - "text": "A conteinerização de um aplicativo pode melhorar a densidade da VM e economizar dinheiro no dimensionamento", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Custar" - }, + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "WAF", + "severity": "Alto", + "text": "Adicione configurações de diagnóstico para salvar logs do WAF de serviços de entrega de aplicativos, como o Azure Front Door e o Gateway de Aplicativo do 
Azure. Revise regularmente os logs para verificar se há ataques e detecções de falsos positivos.", + "waf": "Operações" + }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7f408960-c626-44cb-a018-347c8d790cdf", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "WAF", "severity": "Média", - "text": "Aproveite o servidor flexível", - "waf": "Fiabilidade" + "text": "Envie logs do WAF de seus serviços de entrega de aplicativos, como o Azure Front Door e o Gateway de Aplicativo do Azure, para o Microsoft Sentinel. Detecte ataques e integre a telemetria do WAF ao seu ambiente geral do Azure.", + "waf": "Operações" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "5017f154-e3ab-4369-9829-e7e316183687", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "Key Vault", "severity": "Alto", - "text": "Aproveite as zonas de disponibilidade quando aplicável regionalmente", - "waf": "Fiabilidade" + "text": "Use o Azure Key Vault para armazenar seus segredos e credenciais.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": 
"https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", + "guid": "a0477a20-9945-4bda-9333-4f2491163418", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "service": "Key Vault", "severity": "Média", - "text": "Aproveite a replicação de dados para cenários de DR entre regiões", - "waf": "Fiabilidade" + "text": "Use diferentes Azure Key Vaults para diferentes aplicativos e regiões para evitar limites de escala de transação e restringir o acesso a segredos.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Média", - "text": "O Azure Center for SAP solutions (ACSS) é uma oferta do Azure que torna o SAP uma carga de trabalho de nível superior no Azure. 
O ACSS é uma solução de ponta a ponta que permite criar e executar sistemas SAP como uma carga de trabalho unificada no Azure e fornece uma base mais perfeita para a inovação. Você pode aproveitar os recursos de gerenciamento para sistemas SAP novos e existentes baseados no Azure.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", - "waf": "Operações" + "text": "Provisione o Azure Key Vault com as políticas de exclusão reversível e limpeza habilitadas para permitir a proteção de retenção para objetos excluídos.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "dc055bcf-619e-48a1-9f98-879525d62688", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Média", - "text": "O Azure dá suporte à automação de implantações SAP no Linux e no Windows. 
O SAP Deployment Automation Framework é uma ferramenta de orquestração de código aberto que pode implantar, instalar e manter ambientes SAP.", - "training": "https://github.com/Azure/sap-automation", - "waf": "Operações" + "text": "Siga um modelo de privilégios mínimos limitando a autorização para excluir permanentemente chaves, segredos e certificados a funções personalizadas especializadas de ID do Microsoft Entra.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Média", - "text": "Executar uma recuperação point-in-time para seus bancos de dados de produção em qualquer ponto e em um período de tempo que atenda ao seu RTO; A recuperação point-in-time normalmente inclui erros do operador excluindo dados na camada DBMS ou por meio do SAP, incidentalmente", - "waf": "Fiabilidade" + "text": "Automatize o processo de gerenciamento e renovação de certificados com autoridades de certificação públicas para facilitar a administração.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "913156a1-2476-4e49-b541-acdce979377b", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": "Média", - "text": "Teste os tempos de backup e recuperação para verificar se eles atendem aos requisitos de RTO para restaurar todos os sistemas simultaneamente após um desastre.", - "waf": "Fiabilidade" + "text": "Estabeleça um 
processo automatizado para rotação de chaves e certificados.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", - "severity": "Alto", - "text": "Você pode replicar o armazenamento padrão entre regiões emparelhadas, mas não pode usar o armazenamento padrão para armazenar seus bancos de dados ou discos rígidos virtuais. Você pode replicar backups somente entre regiões emparelhadas que você usa. Para todos os outros dados, execute sua replicação usando recursos nativos de DBMS, como SQL Server Always On ou SAP HANA System Replication. Use uma combinação de Site Recovery, rsync ou robocopy e outros softwares de terceiros para a camada de aplicativos SAP.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Fiabilidade" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Média", + "text": "Habilite o firewall e o ponto de extremidade de serviço de rede virtual ou o ponto de extremidade privado no cofre para controlar o acesso ao cofre de chaves.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", + "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", + "service": "Key Vault", "severity": "Média", - "text": "Ao usar as Zonas de Disponibilidade do Azure para obter alta disponibilidade, você deve 
considerar a latência entre servidores de aplicativos SAP e servidores de banco de dados. Para zonas com altas latências, os procedimentos operacionais precisam estar em vigor para garantir que os servidores de aplicativos SAP e os servidores de banco de dados estejam sendo executados na mesma zona o tempo todo.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "Fiabilidade" + "text": "Use o workspace do Log Analytics do Azure Monitor central da plataforma para auditar o uso de chave, certificado e segredo em cada instância do Key Vault.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", - "severity": "Alto", - "text": "Configure conexões de Rota Expressa do local para as regiões primária e secundária de recuperação de desastres do Azure. 
Além disso, como alternativa ao uso da Rota Expressa, considere configurar conexões VPN locais para as regiões primária e secundária de recuperação de desastres do Azure.", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "Fiabilidade" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Média", + "text": "Delegue a instanciação e o acesso privilegiado do Key Vault e use o Azure Policy para impor uma configuração consistente e compatível.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", - "severity": "Baixo", - "text": "Replique o conteúdo do cofre de chaves, como certificados, segredos ou chaves entre regiões, para que você possa descriptografar dados na região de recuperação de desastres.", - "waf": "Fiabilidade" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "91163418-2ba5-4275-8694-4008be7d7e48", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", + "severity": "Média", + "text": "Use um Azure Key Vault por aplicativo por ambiente por região.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "25d62688-6d70-4ba6-a97b-e99519048384", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Key Vault", "severity": 
"Média", - "text": "Emparelhar as redes virtuais primária e de recuperação de desastres. Por exemplo, para a replicação do sistema HANA, uma rede virtual SAP HANA DB precisa ser emparelhada para a rede virtual SAP HANA DB do site de recuperação de desastres.", - "waf": "Fiabilidade" + "text": "Se você quiser trazer suas próprias chaves, isso pode não ser compatível com todos os serviços considerados. Implemente mitigação relevante para que as inconsistências não prejudiquem os resultados desejados. Escolha pares de regiões apropriados e regiões de recuperação de desastre que minimizem a latência.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", - "severity": "Baixo", - "text": "Se você usar o armazenamento do Azure NetApp Files para suas implantações SAP, no mínimo, crie duas contas do Azure NetApp Files na camada Premium, em duas regiões.", - "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "Fiabilidade" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", + "link": "https://learn.microsoft.com/industry/sovereignty/key-management", + "service": "Key Vault", + "severity": "Média", + "text": "Para a Zona de Destino Soberana, use o HSM gerenciado do Azure Key Vault para armazenar seus segredos e credenciais.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", + "link": 
"https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", + "service": "Entra", + "severity": "Média", + "text": "Use os recursos de relatório de ID do Microsoft Entra para gerar relatórios de auditoria de controle de acesso.", + "waf": "Segurança" + }, + { + "checklist": "Azure Landing Zone Review", + "guid": "09945bda-4333-44f2-9911-634182ba5275", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", + "service": "Defender", "severity": "Alto", - "text": "A tecnologia de replicação de banco de dados nativo deve ser usada para sincronizar o banco de dados em um par de HA.", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "Fiabilidade" + "text": "Habilite o Gerenciamento de Postura de Segurança de Nuvem do Defender para todas as assinaturas.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", + "service": "Defender", "severity": "Alto", - "text": "O CIDR da rede virtual primária (VNet) não deve entrar em conflito ou se sobrepor ao CIDR da VNet do site de recuperação de desastres", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Fiabilidade" + "text": "Habilite um Plano de Proteção de Carga de Trabalho de Nuvem do Defender para Servidores em todas as assinaturas.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", + "checklist": "Azure Landing Zone 
Review", + "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", "severity": "Alto", - "text": "Use a Recuperação de Site para replicar um servidor de aplicativos para um site de recuperação de desastres. A Recuperação de Site também pode ajudar na replicação de VMs de cluster de serviços centrais para o site de recuperação de desastres. Ao invocar o DR, você precisará reconfigurar o cluster do Linux Pacemaker no site de DR (por exemplo, substitua o VIP ou o SBD, execute o corosync.conf e muito mais).", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "Fiabilidade" + "text": "Habilite os Planos de Proteção de Carga de Trabalho de Nuvem do Defender para Recursos do Azure em todas as assinaturas.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", "severity": "Alto", - "text": "Considere a disponibilidade do software SAP em relação a pontos únicos de falha. Isso inclui pontos únicos de falha em aplicativos como SGBDs utilizados nas arquiteturas SAP NetWeaver e SAP S/4HANA, SAP ABAP e ASCS + SCS. 
Além disso, outras ferramentas, como o SAP Web Dispatcher.", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "Fiabilidade" + "text": "Habilite o Endpoint Protection em servidores IaaS.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", - "severity": "Alto", - "text": "Para bancos de dados SAP e SAP, considere a implementação de clusters de failover automático. No Windows, o Clustering de Failover do Windows Server oferece suporte a failover. No Linux, Linux Pacemaker ou ferramentas de terceiros como SIOS Protection Suite e Veritas InfoScale suportam failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", + "severity": "Média", + "text": "Monitore o descompasso de aplicação de patch do sistema operacional base por meio dos Logs do Azure Monitor e do Defender para Nuvem.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "Alto", - "text": "O Azure não oferece suporte a arquiteturas nas quais as VMs primária e secundária compartilham armazenamento para dados DBMS. 
Para a camada DBMS, o padrão de arquitetura comum é replicar bancos de dados ao mesmo tempo e com pilhas de armazenamento diferentes daquelas que as VMs primária e secundária usam.", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", + "severity": "Média", + "text": "Conecte as configurações de recursos padrão a um workspace centralizado do Log Analytics do Azure Monitor.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", - "severity": "Alto", - "text": "Os dados do DBMS e os arquivos de log de transação/refazer são armazenados no armazenamento em bloco com suporte do Azure ou nos Arquivos do Azure NetApp. 
Os Arquivos do Azure ou os Arquivos Premium do Azure não têm suporte como armazenamento para dados DBMS e/ou arquivos de log de refazer com a carga de trabalho SAP.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "Fiabilidade" + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", + "severity": "Média", + "text": "Para Zona de Destino Soberana, habilite os logs de transparência no locatário da ID do Entra.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", - "severity": "Alto", - "text": "Você pode usar discos compartilhados do Azure no Windows para componentes ASCS + SCS e cenários específicos de alta disponibilidade. Configure seus clusters de failover separadamente para componentes da camada de aplicativo SAP e a camada DBMS. 
No momento, o Azure não oferece suporte a arquiteturas de alta disponibilidade que combinam componentes da camada de aplicativo SAP e a camada DBMS em um cluster de failover.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidade" + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", + "severity": "Média", + "text": "Para Zona de Destino Soberana, habilite o Sistema de Proteção de Dados do cliente no locatário da ID do Entra.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", "severity": "Alto", - "text": "A maioria dos clusters de failover para ASCS (Application Layer Components, componentes da camada de aplicativo) SAP e a camada DBMS exigem um endereço IP virtual para um cluster de failover. O Balanceador de Carga do Azure deve manipular o endereço IP virtual para todos os outros casos. Um princípio de design é usar um balanceador de carga por configuração de cluster. 
Recomendamos que você use a versão padrão do balanceador de carga (SKU do Standard Load Balancer).",
- "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations",
- "waf": "Fiabilidade"
+ "text": "Habilite a transferência segura para contas de armazenamento.",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations",
- "service": "SAP",
+ "arm-service": "Microsoft.Storage/storageAccounts",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e",
+ "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection",
+ "service": "Storage",
 "severity": "Alto",
- "text": "Verifique se o IP flutuante está habilitado no balanceador de carga",
- "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
- "waf": "Fiabilidade"
+ "text": "Habilite a exclusão reversível do contêiner para a conta de armazenamento para recuperar um contêiner excluído e seu conteúdo.",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
- "service": "SAP",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds",
+ "service": "Key Vault",
 "severity": "Alto",
- "text": "Antes de implantar sua infraestrutura de alta disponibilidade, e dependendo da região escolhida, determine se deseja implantar com um conjunto de disponibilidade do Azure ou 
uma zona de disponibilidade.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
- "waf": "Fiabilidade"
+ "text": "Use segredos do Key Vault para evitar codificar informações confidenciais, como credenciais (máquinas virtuais, senhas de usuário), certificados ou chaves.",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea",
- "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
- "service": "SAP",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d",
+ "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare",
+ "service": "Logic Apps",
 "severity": "Alto",
- "text": "Se desejar atender aos SLAs de infraestrutura de seus aplicativos para componentes SAP (serviços centrais, servidores de aplicativos e bancos de dados), você deverá escolher as mesmas opções de alta disponibilidade (VMs, conjuntos de disponibilidade, zonas de disponibilidade) para todos os componentes.",
+ "text": "Selecione o plano de hospedagem de aplicativo lógico certo com base em seus requisitos de negócios e SLO",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cbe05bbe-209d-4490-ba47-778424d11678",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a",
+ "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps",
+ "service": "Logic Apps",
 "severity": "Alto",
- "text": "Não misture servidores de funções diferentes no mesmo conjunto de disponibilidade. 
Mantenha VMs de serviços centrais, VMs de banco de dados, VMs de aplicativos em seus próprios conjuntos de disponibilidade",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
- "waf": "Fiabilidade"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86",
- "link": "https://learn.microsoft.com/azure/virtual-machines/co-location",
- "service": "SAP",
- "severity": "Média",
- "text": "Você não pode implantar conjuntos de disponibilidade do Azure em uma zona de disponibilidade do Azure, a menos que use grupos de posicionamento de proximidade.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "text": "Proteja aplicativos lógicos contra falhas de região com redundância de zona e zonas de disponibilidade",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9674e7c7-7796-4181-8920-09f4429543ba",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "1cda768f-a206-445d-8234-56f6a6e7286e",
+ "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json",
+ "service": "Logic Apps",
 "severity": "Alto",
- "text": "Ao criar conjuntos de disponibilidade, use o número máximo de domínios de falha e atualize domínios disponíveis. Por exemplo, se você implantar mais de duas VMs em um conjunto de disponibilidade, use o número máximo de domínios de falha (três) e domínios de atualização suficientes para limitar o efeito de possíveis falhas de hardware físico, interrupções de rede ou interrupções de energia, além da manutenção planejada do Azure. 
O número padrão de domínios de falha é dois e você não pode alterá-lo online mais tarde.",
- "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
+ "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34",
+ "link": "https://learn.microsoft.com/azure/app-service/environment/intro",
+ "service": "Logic Apps",
 "severity": "Alto",
- "text": "Quando você usa grupos de posicionamento de proximidade do Azure em uma implantação de conjunto de disponibilidade, todos os três componentes SAP (serviços centrais, servidor de aplicativos e banco de dados) devem estar no mesmo grupo de posicionamento de proximidade.",
+ "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3",
 "waf": "Fiabilidade"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
- "severity": "Alto",
- "text": "Use um grupo de posicionamento de proximidade por SAP SID. 
Os grupos não se estendem por zonas de disponibilidade ou regiões do Azure",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.Web/sites",
+ "checklist": "Logic Apps checklist",
+ "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501",
+ "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/",
+ "service": "Logic Apps",
+ "severity": "Média",
+ "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código de Aplicativo Lógico",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Use um dos seguintes serviços para executar clusters de serviços centrais SAP, dependendo do sistema operacional.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Fiabilidade"
+ "text": "Verifique se os controladores de domínio ADDS estão implantados na assinatura de identidade no Azure nativo",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ed46b937-913e-4018-9c62-8393ab037e53",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "75089c20-990d-4927-b105-885576f76fc2",
+ "service": "AVS",
 "severity": "Média",
- "text": "No momento, o Azure não oferece suporte à combinação de ASCS e HA de banco de dados no mesmo cluster do Linux Pacemaker; Separe-os em agrupamentos individuais. 
No entanto, você pode combinar até cinco clusters de serviços centrais em um par de VMs.",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "Fiabilidade"
+ "text": "Verifique se os sites e serviços do ADDS estão configurados para manter as solicitações de autenticação de recursos baseados no Azure (incluindo a Solução VMware do Azure) locais para o Azure",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f656e745-0cfb-453e-8008-0528fa21c933",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery",
- "service": "SAP",
- "severity": "Média",
- "text": "Implante ambas as VMs no par de alta disponibilidade em um conjunto de disponibilidade ou em zonas de disponibilidade. Essas VMs devem ter o mesmo tamanho e a mesma configuração de armazenamento.",
- "waf": "Fiabilidade"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "Verifique se o vCenter está conectado ao ADDS para habilitar a autenticação com base em 'contas de usuário nomeadas'",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "7f684ebc-95da-425e-b329-e782dbed050f",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
+ "service": "AVS",
 "severity": "Média",
- "text": "O Azure oferece suporte à instalação e configuração de instâncias SAP HANA e ASCS/SCS e ERS no mesmo cluster de alta disponibilidade em execução no Red Hat Enterprise Linux (RHEL).",
- "training": 
"https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidade" + "text": "Verifique se a conexão do vCenter com o ADDS está usando um protocolo seguro (LDAPS)", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "Alto", - "text": "Execute todos os sistemas de produção em SSDs gerenciados Premium e use o Azure NetApp Files ou o Ultra Disk Storage. Pelo menos o disco do sistema operacional deve estar na camada Premium para que você possa obter melhor desempenho e o melhor SLA.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Fiabilidade" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", + "service": "AVS", + "severity": "Média", + "text": "A conta do CloudAdmin no vCenter IdP é usada apenas como uma conta de emergência (break-glass)", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", + "service": "AVS", "severity": "Alto", - "text": "Você deve executar o SAP HANA no Azure somente nos tipos de armazenamento certificados pela SAP. Observe que determinados volumes devem ser executados em determinadas configurações de disco, quando aplicável. Essas configurações incluem a habilitação do Acelerador de Gravação e o uso do armazenamento Premium. 
Você também precisa garantir que o sistema de arquivos executado no armazenamento seja compatível com o DBMS executado na máquina.",
- "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations",
- "waf": "Fiabilidade"
+ "text": "Certifique-se de que o NSX-Manager esteja integrado a um provedor de identidade externo (LDAPS)",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c",
- "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "Foi criado um modelo RBAC para uso no VMware vSphere",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
+ "service": "AVS",
+ "severity": "Média",
+ "text": "As permissões RBAC devem ser concedidas em grupos ADDS e não em usuários específicos",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Considere configurar a alta disponibilidade dependendo do tipo de armazenamento usado para suas cargas de trabalho SAP. 
Alguns serviços de armazenamento disponíveis no Azure não têm suporte no Azure Site Recovery, portanto, sua configuração de alta disponibilidade pode ser diferente.",
- "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads",
- "waf": "Fiabilidade"
+ "text": "As permissões RBAC no recurso Solução VMware do Azure no Azure são 'bloqueadas' apenas para um conjunto limitado de proprietários",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693",
- "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Diferentes serviços de armazenamento nativos do Azure (como Arquivos do Azure, Arquivos do Azure NetApp, Disco Compartilhado do Azure) podem não estar disponíveis em todas as regiões. 
Portanto, para ter uma configuração SAP semelhante na região de DR após o failover, certifique-se de que o respectivo serviço de armazenamento seja oferecido no local de DR.",
- "waf": "Fiabilidade"
+ "text": "Certifique-se de que todas as funções personalizadas tenham escopo com autorizações permitidas do CloudAdmin",
+ "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510",
+ "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "O modelo de conectividade correto da Solução VMware do Azure está selecionado para o caso de uso do cliente em mãos?",
+ "waf": "Desempenho"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "Garantir que as conexões de Rota Expressa ou VPN do local para o Azure sejam monitoradas usando o 'monitor de conexão'",
+ "waf": "Operações"
+ },
+ {
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
+ "service": "AVS",
 "severity": "Média",
- "text": "Automatize o Start-Stop do sistema SAP para gerenciar custos.",
- "waf": "Custar"
+ "text": "Verifique se um monitor de conexão foi criado a partir de um recurso nativo do Azure para uma máquina virtual da Solução VMware do Azure para monitorar a conexão de Rota Expressa de back-end da Solução VMware do Azure",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": 
"71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "Baixo", - "text": "No caso de usar o Armazenamento Premium do Azure com o SAP HANA, o armazenamento SSD padrão do Azure pode ser usado para selecionar uma solução de armazenamento econômica. No entanto, observe que escolher o armazenamento padrão SSD ou HDD padrão do Azure afetará o SLA das VMs individuais. Além disso, para sistemas com menor taxa de transferência de E/S e baixa latência, como ambientes que não são de produção, VMs de série mais baixa podem ser usadas.", - "waf": "Custar" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", + "service": "AVS", + "severity": "Média", + "text": "Verifique se um monitor de conexão é criado a partir de um recurso local para uma máquina virtual da Solução VMware do Azure para monitorar a conectividade de ponta 2", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "Baixo", - "text": "Como uma configuração alternativa de baixo custo (multiuso), você pode escolher uma SKU de baixo desempenho para suas VMs de servidor de banco de dados HANA que não são de produção. 
No entanto, é importante observar que alguns tipos de VM, como a série E, não são certificados pelo HANA (SAP HANA Hardware Directory) ou não podem atingir latência de armazenamento inferior a 1ms.",
- "waf": "Custar"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "Quando o servidor de rotas for usado, certifique-se de que não mais de 1000 rotas sejam propagadas do servidor de rotas para o gateway ExR para o local (limite ARS).",
+ "waf": "Operações"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565",
- "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
+ "service": "AVS",
 "severity": "Alto",
- "text": "Impor um modelo RBAC para grupos de gerenciamento, assinaturas, grupos de recursos e recursos",
- "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/",
+ "text": "O Gerenciamento de Identidades Privilegiadas é implementado para funções que gerenciam o recurso da Solução VMware do Azure no Portal do Azure (não são permitidas permissões permanentes)",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "45911475-e39e-4530-accc-d979366bcda2",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
- "service": "SAP",
- "severity": "Média",
- "text": "Impor a propagação principal para encaminhar a identidade do aplicativo de nuvem SAP para o SAP local (incluindo IaaS) por meio do conector de nuvem",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control",
+ "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", + "service": "AVS", + "severity": "Alto", + "text": "Os relatórios de auditoria do Gerenciamento de Identidades Privilegiadas devem ser implementados para as funções PIM da Solução VMware do Azure", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", + "service": "AVS", "severity": "Média", - "text": "Implemente SSO em aplicativos SAP SaaS como SAP Analytics Cloud, SAP Cloud Platform, Business by design, SAP Qualtrics e SAP C4C com o Azure AD usando SAML.", + "text": "Se o uso do Gerenciamento de Identidades Privilegiadas estiver sendo usado, certifique-se de que uma conta válida habilitada para ID do Entra seja criada com um registro SMTP válido para notificações de substituição automática do Host da Solução VMware do Azure. 
(permissões permanentes necessárias)",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
- "service": "SAP",
- "severity": "Média",
- "text": "Implemente SSO em aplicativos Web baseados no SAP NetWeaver, como SAP Fiori e SAP Web GUI, usando SAML.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "Limitar o uso da conta do CloudAdmin apenas ao acesso de emergência",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
+ "service": "AVS",
 "severity": "Média",
- "text": "Implemente SSO em aplicativos Web baseados no SAP NetWeaver, como SAP Fiori e SAP Web GUI, usando SAML.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori",
+ "text": "Criar funções RBAC personalizadas no vCenter para implementar um modelo de privilégios mínimos dentro do vCenter",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
+ "service": "AVS",
 "severity": "Média",
- "text": "Você pode implementar o SSO no SAP GUI usando 
o SAP NetWeaver SSO ou uma solução de parceiro.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver",
+ "text": "É um processo definido para alternar regularmente as credenciais cloudadmin (vCenter) e admin (NSX)",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317",
- "service": "SAP",
- "severity": "Média",
- "text": "Para SSO para SAP GUI e acesso ao navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociação GSSAPI simples e protegido) devido a sua facilidade de configuração e manutenção. Para SSO com certificados de cliente X.509, considere o SAP Secure Login Server, que é um componente da solução SAP SSO.",
- "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "Usar um provedor de identidade centralizado a ser usado para cargas de trabalho (VMs) em execução na Solução VMware do Azure",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6",
- "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
+ "service": "AVS",
 "severity": "Média",
- "text": "Para SSO para SAP GUI e acesso ao navegador web, implemente SNC / Kerberos / SPNEGO (mecanismo de negociação GSSAPI simples e protegido) devido a sua facilidade de configuração e manutenção. 
Para SSO com certificados de cliente X.509, considere o SAP Secure Login Server, que é um componente da solução SAP SSO.",
+ "text": "A filtragem de tráfego Leste-Oeste é implementada no NSX-T",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "16785d6f-a96c-496a-b885-18f482734c88",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth",
- "service": "SAP",
- "severity": "Média",
- "text": "Implemente o SSO usando o OAuth for SAP NetWeaver para permitir que aplicativos de terceiros ou personalizados acessem os serviços OData do SAP NetWeaver.",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "As cargas de trabalho na Solução VMware do Azure não são diretamente expostas à Internet. O tráfego é filtrado e inspecionado pelo Gateway de Aplicativo do Azure, pelo Firewall do Azure ou por soluções de terceiros",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a747c350-8d4c-449c-93af-393dbca77c48",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial",
- "service": "SAP",
- "severity": "Média",
- "text": "Implementar SSO no SAP HANA",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
+ "service": "AVS",
+ "severity": "Alto",
+ "text": "A auditoria e o registro em log são implementados para solicitações de entrada da Internet para cargas de trabalho baseadas na Solução VMware do Azure e na Solução VMware do Azure",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4",
- "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise",
- "service": "SAP",
+ "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", + "service": "AVS", "severity": "Média", - "text": "Considere o Azure AD um provedor de identidade para sistemas SAP hospedados no RISE. Para obter mais informações, consulte Integrando o serviço ao Azure AD.", + "text": "O monitoramento de sessão é implementado para conexões de saída da Internet a partir da Solução VMware do Azure ou cargas de trabalho baseadas na Solução VMware do Azure para identificar atividades suspeitas/mal-intencionadas", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "334fdf91-c234-4182-a652-75269440b4be", + "service": "AVS", "severity": "Média", - "text": "Para aplicativos que acessam o SAP, convém usar a propagação principal para estabelecer o SSO.", + "text": "A proteção padrão contra DDoS está habilitada na sub-rede do Gateway ExR/VPN no Azure", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", + "service": "AVS", "severity": "Média", - "text": "Se você estiver usando serviços SAP BTP ou soluções SaaS que exigem o SAP Identity Authentication Service (IAS), considere implementar SSO entre o SAP Cloud Identity Authentication Services e o Azure AD para acessar esses serviços SAP. 
Essa integração permite que o SAP IAS atue como um provedor de identidade de proxy e encaminhe solicitações de autenticação para o Azure AD como o repositório central do usuário e o provedor de identidade.",
+ "text": "Usar uma estação de trabalho de acesso privilegiado (PAW) dedicada para gerenciar a Solução VMware do Azure, o vCenter, o gerenciador NSX e o gerenciador HCX",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a709c664-317e-41e4-9e34-67d9016a86f4",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
+ "service": "AVS",
 "severity": "Média",
- "text": "Implementar SSO no SAP BTP",
+ "text": "Habilitar a Detecção Avançada de Ameaças (Microsoft Defender for Cloud, também conhecido como ASC) para cargas de trabalho em execução na Solução VMware do Azure",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8",
- "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial",
- "service": "SAP",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
+ "service": "AVS",
 "severity": "Média",
- "text": "Se você estiver usando o SAP SuccessFactors, considere usar o provisionamento automatizado de usuários do Azure AD. Com essa integração, à medida que você adiciona novos funcionários ao SAP SuccessFactors, pode criar automaticamente suas contas de usuário no Azure AD. Opcionalmente, você pode criar contas de usuário no Microsoft 365 ou em outros aplicativos SaaS com suporte no Azure AD. 
Use write-back do endereço de e-mail para SAP SuccessFactors.",
+ "text": "Usar o Azure ARC for Servers para controlar corretamente as cargas de trabalho em execução na Solução VMware do Azure usando tecnologias nativas do Azure (o Azure ARC for Azure VMware Solution ainda não está disponível)",
 "waf": "Segurança"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6ba28021-4591-4147-9e39-e5309cccd979",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups",
- "service": "SAP",
- "severity": "Média",
- "text": "impor políticas existentes do Grupo de Gerenciamento às assinaturas SAP",
- "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization",
- "waf": "Operações"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a",
+ "service": "AVS",
+ "severity": "Baixo",
+ "text": "Garanta que as cargas de trabalho na Solução VMware do Azure usem criptografia de dados suficiente durante o tempo de execução (como criptografia de disco convidado e SQL TDE). 
(a criptografia vSAN em repouso é padrão)", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "Alto", - "text": "Integre aplicativos fortemente acoplados na mesma assinatura SAP para evitar complexidade adicional de roteamento e gerenciamento", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "Operações" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", + "severity": "Baixo", + "text": "Quando a criptografia no convidado é usada, armazene chaves de criptografia no cofre de chaves do Azure quando possível", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "Alto", - "text": "Aproveite a assinatura como unidade de escala e dimensione nossos recursos, considere implantar a assinatura por ambiente, por exemplo. 
Sandbox, não-prod, prod ", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", - "waf": "Operações" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", + "severity": "Média", + "text": "Considere usar o suporte estendido de atualização de segurança para cargas de trabalho em execução na Solução VMware do Azure (a Solução VMware do Azure é qualificada para ESU)", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", "severity": "Alto", - "text": "Garantir o aumento da cota como parte do provisionamento de assinatura (por exemplo, total de núcleos de VM disponíveis em uma assinatura)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "waf": "Operações" - }, - { - "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", - "severity": "Baixo", - "text": "A API de Cota é uma API REST que você pode usar para exibir e gerenciar cotas para serviços do Azure. 
Considere usá-lo, se necessário.", - "waf": "Operações" + "text": "Certifique-se de que o método de redundância de dados vSAN apropriado seja usado (especificação RAID)", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", "severity": "Alto", - "text": "Se estiver implantando em uma zona de disponibilidade, verifique se a implantação da zona da VM estará disponível depois que a cota for aprovada. Envie uma solicitação de suporte com a assinatura, a série VM, o número de CPUs e a zona de disponibilidade necessárias.", - "waf": "Operações" + "text": "Certifique-se de que a política de falha na tolerância esteja em vigor para atender às suas necessidades de armazenamento vSAN", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", "severity": "Alto", - "text": "Certifique-se de que os serviços e recursos necessários estejam disponíveis nas regiões de implantação escolhidas, por exemplo. 
ANF, Zona etc.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", - "waf": "Operações" + "text": "Certifique-se de ter solicitado cota suficiente, garantindo que você tenha considerado o crescimento e o requisito de recuperação de desastres", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "severity": "Média", - "text": "Aproveite a marca de recurso do Azure para categorização de custos e agrupamento de recursos (: BillTo, Departamento (ou Unidade de Negócios), Ambiente (Produção, Estágio, Desenvolvimento), Camada (Camada da Web, Camada de Aplicativo), Proprietário do Aplicativo, ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "text": "Certifique-se de que as restrições de acesso ao ESXi sejam compreendidas, há limites de acesso que podem afetar as soluções de terceiros 3rd.", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "Alto", - "text": "Ajude a proteger seu banco de dados HANA usando o serviço de Backup do Azure.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Fiabilidade" - }, - { - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", 
+ "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "severity": "Média", - "text": "Se você implantar os Arquivos NetApp do Azure para seu banco de dados HANA, Oracle ou DB2, use a ferramenta Azure Application Consistent Snapshot (AzAcSnap) para tirar instantâneos consistentes com o aplicativo. O AzAcSnap também suporta bancos de dados Oracle. Considere usar o AzAcSnap em uma VM central em vez de em VMs individuais.", - "waf": "Fiabilidade" - }, - { - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", - "severity": "Alto", - "text": "Garanta as correspondências de fuso horário entre o sistema operacional e o sistema SAP.", + "text": "Certifique-se de ter uma política em torno da densidade e eficiência do host ESXi, tendo em mente o prazo de espera para solicitar novos nós", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", "severity": "Média", - "text": "Não agrupe serviços de aplicativos diferentes no mesmo cluster. Por exemplo, não combine clusters DRBD e de serviços centrais no mesmo cluster. 
No entanto, você pode usar o mesmo cluster do Pacemaker para gerenciar aproximadamente cinco serviços centrais diferentes (cluster multi-SID).", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Fiabilidade" + "text": "Garantir que um bom processo de gerenciamento de custos esteja em vigor para a Solução VMware do Azure - o Gerenciamento de Custos do Azure pode ser usado", + "waf": "Custar" }, { - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", "severity": "Baixo", - "text": "Considere executar sistemas de desenvolvimento/teste em um modelo de soneca para economizar e otimizar os custos de execução do Azure.", + "text": "As instâncias reservadas do Azure são usadas para otimizar o custo de uso da Solução VMware do Azure", "waf": "Custar" }, { - "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", "severity": "Média", - "text": "Se você faz parceria com clientes gerenciando suas propriedades SAP, considere o Farol do Azure. O Azure Lighthouse permite que os provedores de serviços gerenciados usem os serviços de identidade nativos do Azure para se autenticar no ambiente dos clientes. 
Ele coloca o controle nas mãos dos clientes, porque eles podem revogar o acesso a qualquer momento e auditar as ações dos prestadores de serviços.", - "waf": "Operações" + "text": "Considere o uso do Azure Private-Link ao usar outros Serviços Nativos do Azure", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", - "service": "SAP", - "severity": "Média", - "text": "Use o Azure Update Manager para verificar o status das atualizações disponíveis para uma única VM ou várias VMs e considere agendar patches regulares.", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", - "waf": "Operações" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", + "severity": "Alto", + "text": "Verifique se todos os recursos necessários residem na(s) mesma(s) zona(s) de disponibilidade do Azure", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", - "severity": "Baixo", - "text": "Otimize e gerencie as operações do SAP Basis usando o SAP Landscape Management (LaMa). 
Use o conector SAP LaMa para Azure para realocar, copiar, clonar e atualizar sistemas SAP.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", - "waf": "Operações" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", + "severity": "Média", + "text": "Habilitar cargas de trabalho de VM convidada do Microsoft Defender for Cloud for Azure VMware Solution", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", "severity": "Média", - "text": "Use as soluções do Azure Monitor for SAP para monitorar suas cargas de trabalho SAP (SAP HANA, clusters SUSE de alta disponibilidade e sistemas SQL) no Azure. Considere complementar o Azure Monitor para soluções SAP com o SAP Solution Manager.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Operações" + "text": "Usar servidores habilitados para Arc do Azure para gerenciar suas cargas de trabalho de VM convidada da Solução VMware do Azure", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", "severity": "Alto", - "text": "Execute uma verificação de extensão de VM para SAP. 
A Extensão de VM para SAP usa a identidade gerenciada atribuída de uma máquina virtual (VM) para acessar dados de monitoramento e configuração de VM. A verificação garante que todas as métricas de desempenho em seu aplicativo SAP venham da Extensão do Azure para SAP subjacente.", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", + "text": "Habilitar o log de diagnóstico e de métrica na solução VMware do Azure", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", "severity": "Média", - "text": "Use a Política do Azure para controle de acesso e relatórios de conformidade. A Política do Azure fornece a capacidade de impor configurações em toda a organização para garantir a adesão consistente à política e a detecção rápida de violações. ", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", + "text": "Implantar os agentes do Log Analytics nas cargas de trabalho da VM convidada da Solução VMware do Azure", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", "severity": "Média", - "text": "Use o Monitor de Conexão no Inspetor de Rede do Azure para monitorar métricas de latência para bancos de dados SAP e servidores de aplicativos. 
Ou colete e exiba medições de latência de rede usando o Azure Monitor.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", + "text": "Verifique se você tem uma política e uma solução de backup documentadas e implementadas para cargas de trabalho de VM da Solução VMware do Azure", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", "severity": "Média", - "text": "Execute uma verificação de qualidade para o SAP HANA na infraestrutura provisionada do Azure para verificar se as VMs provisionadas estão em conformidade com as práticas recomendadas do SAP HANA no Azure.", - "waf": "Operações" + "text": "Usar o Microsoft Defender for Cloud para monitoramento de conformidade de cargas de trabalho em execução no Azure VMware Solution", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", - "severity": "Alto", - "text": "Para cada assinatura do Azure, execute um teste de latência nas zonas de disponibilidade do Azure antes da implantação zonal para escolher zonas de baixa latência para implantação do SAP no Azure.", - "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", + "severity": "Média", + "text": "São as linhas de base de 
conformidade aplicáveis adicionadas ao Microsoft Defender for Cloud", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", - "severity": "Média", - "text": "Execute o Relatório de Resiliência para garantir que a configuração de toda a infraestrutura provisionada do Azure (Computação, Banco de Dados, Rede, Armazenamento, Recuperação de Site) esteja em conformidade com a configuração definida pelo Cloud Adaption Framework para Azure.", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", - "waf": "Fiabilidade" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", + "severity": "Alto", + "text": "A residência de dados foi avaliada ao selecionar regiões do Azure a serem usadas para a implantação da Solução VMware do Azure", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", - "severity": "Média", - "text": "Implemente a proteção contra ameaças usando a solução Microsoft Sentinel para SAP. 
Use esta solução para monitorar seus sistemas SAP e detectar ameaças sofisticadas em toda a lógica de negócios e camadas de aplicativos.", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", + "severity": "Alto", + "text": "As implicações do processamento de dados (modelo de prestador de serviços / consumidor de serviços) são claras e documentadas", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", "severity": "Média", - "text": "A marcação do Azure pode ser aproveitada para agrupar e controlar recursos logicamente, automatizar suas implantações e, o mais importante, fornecer visibilidade sobre os custos incorridos.", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", - "waf": "Operações" + "text": "Considere o uso de CMK (Customer Managed Key) para vSAN somente se necessário por motivo(s) de conformidade.", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", - "severity": "Baixo", - "text": "Use o monitoramento de latência entre VMs para aplicativos sensíveis à latência.", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", + "severity": "Alto", + "text": "Criar painéis para habilitar os principais insights de monitoramento da Solução VMware do Azure", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "Média", - "text": "Use o monitoramento do Azure Site Recovery para manter a integridade do serviço de recuperação de desastres para servidores de aplicativos SAP.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "Fiabilidade" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", + "severity": "Alto", + "text": "Criar alertas de aviso para limites críticos para alertas automáticos sobre o desempenho da solução VMware do Azure (CPU >80%, memória média >80%, vSAN >70%)", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", - "severity": "Média", - "text": "Exclua todos os sistemas de arquivos de banco de dados e programas executáveis das verificações antivírus. Incluí-los pode levar a problemas de desempenho. Verifique com os fornecedores do banco de dados para obter detalhes prescritivos na lista de exclusão. 
Por exemplo, a Oracle recomenda excluir /oracle//sapdata das verificações antivírus.", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", + "severity": "Alto", + "text": "Certifique-se de que o alerta crítico seja criado para monitorar se o consumo de vSAN está abaixo de 75%, pois esse é um limite de suporte do VMware", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", - "severity": "Baixo", - "text": "Considere a coleta de estatísticas completas de banco de dados para bancos de dados não-HANA após a migração. Por exemplo, implemente a nota SAP 1020260 - Entrega de estatísticas Oracle.", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", + "severity": "Alto", + "text": "Verifique se os alertas estão configurados para alertas e notificações de Integridade do Serviço do Azure", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "severity": "Média", - "text": "Considere o uso do Oracle Automatic Storage Management (ASM) para todas as implantações Oracle que usam SAP no Azure.", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", - "waf": "Desempenho" + "text": "Configurar o log da Solução VMware do Azure para 
ser enviado a uma conta de Armazenamento do Azure ou ao Azure EventHub para processamento", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", - "severity": "Média", - "text": "Para SAP no Azure executando Oracle, uma coleção de scripts SQL pode ajudá-lo a diagnosticar problemas de desempenho. Os relatórios do Automatic Workload Repository (AWR) contêm informações valiosas para diagnosticar problemas no sistema Oracle. Recomendamos que você execute um relatório AWR durante várias sessões e escolha horários de pico para ele, para garantir uma ampla cobertura para a análise.", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", + "severity": "Baixo", + "text": "Se for necessário um insight profundo no VMware vSphere: o vRealize Operations e/ou o vRealize Network Insights são usados na solução?", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", "severity": "Alto", - "text": "Use o monitoramento do Azure Site Recovery para manter a integridade do serviço de recuperação de desastres para servidores de aplicativos SAP.", - "training": 
"https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "text": "Verifique se a política de armazenamento vSAN para VMs NÃO é a política de armazenamento padrão, pois essa política aplica provisionamento espesso", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", "severity": "Média", - "text": "Para a entrega segura de aplicativos HTTP/S, use o Application Gateway v2 e verifique se a proteção e as políticas do WAF estão habilitadas.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", - "waf": "Segurança" + "text": "Verifique se as bibliotecas de conteúdo do vSphere não são colocadas no vSAN, pois o vSAN é um recurso finito", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", "severity": "Média", - "text": "Se o DNS ou o nome virtual da máquina virtual não for alterado durante a migração para o Azure, o DNS em segundo plano e os nomes virtuais conectam muitas interfaces do sistema no cenário SAP, e os clientes só às vezes estão cientes das interfaces que os desenvolvedores definem ao longo do tempo. 
Surgem desafios de conexão entre vários sistemas quando os nomes virtuais ou DNS mudam após as migrações, e é recomendável manter os aliases DNS para evitar esses tipos de dificuldades.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "text": "Certifique-se de que os repositórios de dados da solução de backup sejam armazenados fora do armazenamento vSAN. No nativo do Azure ou em um armazenamento de dados com backup de pool de discos", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", "severity": "Média", - "text": "Use zonas DNS diferentes para distinguir cada ambiente (sandbox, desenvolvimento, pré-produção e produção) um do outro. 
A exceção é para implantações SAP com sua própria VNet; aqui, zonas DNS privadas podem não ser necessárias.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam gerenciadas de forma híbrida usando o Azure Arc for Servers (a Solução VMware do Arc for Azure está em visualização)", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "severity": "Média", - "text": "Emparelhamento de rede virtual local e global fornecem conectividade e são as abordagens preferidas para garantir a conectividade entre zonas de aterrissagem para implantações SAP em várias regiões do Azure", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "Fiabilidade" - }, - { - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", - "severity": "Alto", - "text": "Não há suporte para implantar qualquer NVA entre o aplicativo SAP e o servidor de banco de dados SAP", - "training": "https://me.sap.com/notes/2731110", - "waf": "Desempenho" + "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam monitoradas usando o Azure Log Analytics e o Azure Monitor", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", + 
"arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", "severity": "Média", - "text": "Use a WAN Virtual para implantações do Azure em redes novas, grandes ou globais onde você precisa de conectividade de trânsito global entre regiões do Azure e locais locais. Com essa abordagem, você não precisará configurar manualmente o roteamento transitivo para a rede do Azure e poderá seguir um padrão para implantações do SAP no Azure.", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "text": "Incluir cargas de trabalho em execução na Solução VMware do Azure nas ferramentas de gerenciamento de atualizações existentes ou no Gerenciamento de Atualizações do Azure", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", "severity": "Média", - "text": "Considere a implantação de dispositivos virtuais de rede (NVAs) entre regiões somente se NVAs de parceiros forem usados. NVAs entre regiões ou VNets não são necessários se NVAs nativos estiverem presentes. 
Ao implantar tecnologias de rede de parceiros e NVAs, siga as orientações do fornecedor para verificar configurações conflitantes com a rede do Azure.", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "text": "Usar a Política do Azure para integrar cargas de trabalho da Solução VMware do Azure nas soluções de Gerenciamento, Monitoramento e Segurança do Azure", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", "severity": "Média", - "text": "A WAN virtual gerencia a conectividade entre VNets spoke para topologias baseadas em WAN virtual (não há necessidade de configurar o roteamento definido pelo usuário [UDR] ou NVAs), e a taxa de transferência máxima de rede para o tráfego de VNet-to-VNet no mesmo hub virtual é de 50 gigabits por segundo. 
Se necessário, as zonas de aterrissagem SAP podem usar o emparelhamento de VNet para se conectar a outras zonas de aterrissagem e superar essa limitação de largura de banda.", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "Operações" + "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam integradas ao Microsoft Defender for Cloud", + "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "Alto", - "text": "A atribuição de IP público à VM que executa o SAP Workload não é recomendada.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Segurança" - }, - { - "checklist": "SAP Checklist", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", - "severity": "Alto", - "text": "Considere reservar o endereço IP no lado do DR ao configurar o ASR", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Operações" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", + "severity": "Média", + "text": "Certifique-se de que os backups não sejam armazenados no vSAN, pois o vSAN é um recurso finito", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "Alto", 
- "text": "Evite usar intervalos de endereços IP sobrepostos para sites de produção e DR.", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "Operações" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", + "severity": "Média", + "text": "Todas as soluções de DR foram consideradas e uma solução que é melhor para o seu negócio foi decidida? [SRM/JetStream/Zerto/Veeam/...]", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "6e154e3a-a359-4282-ae6e-206173686af4", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "severity": "Média", - "text": "Embora o Azure ajude você a criar várias sub-redes delegadas em uma rede virtual, apenas uma sub-rede delegada pode existir em uma rede virtual para arquivos do Azure NetApp. 
As tentativas de criar um novo volume falharão se você usar mais de uma sub-rede delegada para Arquivos do Azure NetApp.", - "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", - "waf": "Operações" + "text": "Usar o Azure Site Recovery quando a tecnologia de Recuperação de Desastres for IaaS nativa do Azure", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", - "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", - "service": "SAP", - "severity": "Média", - "text": "Usar o Firewall do Azure para controlar o tráfego de saída do Azure para a Internet, conexões de entrada não HTTP/S e filtragem de tráfego Leste/Oeste (se a organização exigir)", - "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", + "severity": "Alto", + "text": "Use planos de recuperação automatizados com qualquer uma das soluções de desastre, evite ao máximo tarefas manuais", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", - "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", "severity": "Média", - "text": "O Application Gateway e o Web Application Firewall têm limitações quando o Application Gateway serve como um proxy reverso para aplicativos Web SAP, conforme mostrado na comparação entre o Application Gateway, o 
SAP Web Dispatcher e outros serviços de terceiros.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", - "waf": "Segurança" + "text": "Usar o par de regiões geopolíticas como o ambiente secundário de recuperação de desastres", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", - "severity": "Média", - "text": "Use as políticas do Azure Front Door e do WAF para fornecer proteção global entre as regiões do Azure para conexões HTTP/S de entrada para uma zona de aterrissagem.", - "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", + "severity": "Alto", + "text": "Use 2 espaços de endereço diferentes entre as regiões, por exemplo: 10.0.0.0/16 e 192.168.0.0/16 para as diferentes regiões", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", "severity": "Média", - "text": "Aproveite as políticas do Web Application Firewall no Azure Front Door quando estiver usando o Azure Front Door e o Application Gateway para proteger aplicativos HTTP/S. 
Bloqueie o Gateway de Aplicativo para receber tráfego somente do Azure Front Door.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Segurança" + "text": "O ExpressRoute Global Reach será usado para conectividade entre as Nuvens Privadas da Solução VMware do Azure primária e secundária ou o roteamento é feito por meio de dispositivos virtuais de rede?", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "5ada4332-4e13-4811-9231-81aa41742694", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", "severity": "Média", - "text": "Use um firewall de aplicativo Web para verificar seu tráfego quando ele estiver exposto à Internet. Outra opção é usá-lo com seu balanceador de carga ou com recursos que tenham recursos internos de firewall, como o Application Gateway ou soluções de terceiros.", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", - "waf": "Segurança" + "text": "Todas as soluções de backup foram consideradas e uma solução que é melhor para o seu negócio foi decidida? [ MABS/CommVault/Metallic.io/Veeam/ . 
]", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", "severity": "Média", - "text": "Use a WAN Virtual para implantações do Azure em redes novas, grandes ou globais onde você precisa de conectividade de trânsito global entre regiões do Azure e locais locais. Com essa abordagem, você não precisará configurar manualmente o roteamento transitivo para a rede do Azure e poderá seguir um padrão para implantações do SAP no Azure.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", - "waf": "Desempenho" + "text": "Implante sua solução de backup na mesma região que sua nuvem privada da Solução VMware do Azure", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", "severity": "Média", - "text": "Para evitar o vazamento de dados, use o Link Privado do Azure para acessar com segurança recursos de plataforma como serviço, como Armazenamento de Blobs do Azure, Arquivos do Azure, Azure Data Lake Storage Gen2, Azure Data Factory e muito mais. O Ponto de Extremidade Privado do Azure também pode ajudar a proteger o tráfego entre VNets e serviços como o Armazenamento do Azure, o Backup do Azure e muito mais. 
O tráfego entre sua rede virtual e o serviço habilitado para ponto de extremidade privado viaja pela rede global da Microsoft, o que impede sua exposição à Internet pública.", - "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", - "waf": "Segurança" + "text": "Implante sua solução de backup fora do vSan, em componentes nativos do Azure", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", - "service": "SAP", - "severity": "Alto", - "text": "Verifique se a rede acelerada do Azure está habilitada nas VMs usadas nas camadas de aplicativo SAP e DBMS.", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", + "severity": "Baixo", + "text": "Existe um processo para solicitar uma restauração dos componentes VMware gerenciados pela Plataforma Azure?", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", - "service": "SAP", - "severity": "Média", - "text": "Verifique se as implantações internas do Azure Load Balancer estão configuradas para usar DSR (Direct Server Return). 
Essa configuração (Habilitando IP flutuante) reduzirá a latência quando as configurações internas do balanceador de carga forem usadas para configurações de alta disponibilidade na camada DBMS.", - "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", + "severity": "Baixo", + "text": "Para implantações manuais, todas as configurações e implantações devem ser documentadas", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "6791f893-5ada-4433-84e1-3811523181aa", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "SAP", - "severity": "Média", - "text": "Você pode usar as regras ASG (grupo de segurança de aplicativo) e NSG para definir listas de controle de acesso de segurança de rede entre o aplicativo SAP e as camadas DBMS. 
Os ASGs agrupam máquinas virtuais para ajudar a gerenciar sua segurança.", - "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", + "severity": "Baixo", + "text": "Para implantações manuais, considere implementar bloqueios de recursos para evitar ações acidentais em sua nuvem privada de solução VMware do Azure", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "Alto", - "text": "Não há suporte para a colocação da camada de aplicativo SAP e do SGBD SAP em diferentes VNets do Azure que não são emparelhadas.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "Baixo", + "text": "Para implantações automatizadas, implante uma nuvem privada mínima e dimensione conforme necessário", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "fa96c96a-d885-418f-9827-34c886ba2802", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "Média", - "text": "Para obter a latência de rede ideal com aplicativos SAP, considere o uso de grupos de posicionamento de proximidade do Azure.", - "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design 
Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", + "severity": "Baixo", + "text": "Para implantações automatizadas, solicite ou reserve cota antes de iniciar a implantação", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "Alto", - "text": "NÃO há suporte para executar uma camada do SAP Application Server e uma camada de DBMS dividida entre o local e o Azure. Ambas as camadas precisam residir completamente no local ou no Azure.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Desempenho" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", + "severity": "Baixo", + "text": "Para implantação automatizada, verifique se os bloqueios de recursos relevantes são criados por meio da automação ou da Política do Azure para uma governança adequada", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", - "link": "https://me.sap.com/notes/2015553", - "service": "SAP", - "severity": "Alto", - "text": "Não é recomendado hospedar o sistema de gerenciamento de banco de dados (DBMS) e as camadas de aplicativos dos sistemas SAP em diferentes VNets e conectá-los ao emparelhamento de VNet devido aos custos substanciais que o tráfego de rede excessivo entre as camadas pode produzir. 
Recomende o uso de sub-redes na rede virtual do Azure para separar a camada de aplicativo SAP e a camada DBMS.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "waf": "Custar" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", + "severity": "Baixo", + "text": "Implemente nomes humanos compreensíveis para chaves de autorização ExR para permitir a fácil identificação da finalidade/uso das chaves", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "402a9846-d515-4061-aff8-cd30088693fa", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", - "service": "SAP", - "severity": "Alto", - "text": "Se estiver usando o Load Balancer com sistemas operacionais convidados Linux, verifique se o parâmetro de rede Linux net.ipv4.tcp_timestamps está definido como 0.", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "Desempenho" - }, - { - "checklist": "SAP Checklist", - "guid": "87585797-5551-4d53-bb7d-a94ee415734d", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", - "service": "SAP", - "severity": "Média", - "text": "Para implantações SAP RISE/ECS, o emparelhamento virtual é a maneira preferida de estabelecer conectividade com o ambiente existente do Azure do cliente. 
Tanto a vnet do SAP quanto a(s) vnet(s) do cliente são protegidas com grupos de segurança de rede (NSG), permitindo a comunicação nas portas SAP e de banco de dados por meio do emparelhamento vnet", - "waf": "Segurança" - }, - { - "checklist": "SAP Checklist", - "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", - "severity": "Alto", - "text": "Revise os backups de banco de dados do SAP HANA para VMs do Azure.", - "waf": "Custar" - }, - { - "checklist": "SAP Checklist", - "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", - "severity": "Média", - "text": "Revise o monitoramento interno do Site Recovery, quando usado para SAP.", - "waf": "Custar" - }, - { - "checklist": "SAP Checklist", - "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", - "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", - "service": "SAP", - "severity": "Alto", - "text": "Revise as diretrizes de monitoramento do cenário do sistema SAP HANA.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", + "severity": "Baixo", + "text": "Usar o Cofre de chaves para armazenar segredos e chaves de autorização quando Princípios de Serviço separados são usados para implantar a Solução VMware do Azure e a Rota Expressa", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", - "service": "SAP", - "severity": "Média", - "text": "Revise o Banco de Dados Oracle nas estratégias de backup de VM do Linux do Azure.", + "arm-service": 
"Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", + "severity": "Baixo", + "text": "Defina dependências de recursos para serializar ações no IaC quando muitos recursos precisarem ser implantados no/na Solução VMware do Azure, pois a Solução VMware do Azure oferece suporte apenas a um número limitado de operações paralelas.", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", - "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", - "service": "SAP", - "severity": "Média", - "text": "Analise o uso do Armazenamento de Blobs do Azure com o SQL Server 2016.", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", + "severity": "Baixo", + "text": "Ao executar a configuração automatizada de segmentos NSX-T com um único gateway de Camada 1, use as APIs do Portal do Azure em vez das APIs do NSX-Manager", "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", - "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", "severity": "Média", - "text": "Analise o uso do Backup Automatizado v2 para VMs do Azure.", - "waf": "Operações" - }, - { - "checklist": "SAP Checklist", - "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", - "service": "SAP", - "severity": "Alto", - "text": "Ativando o acelerador de gravação para a série M ao usar discos premium (V1)", - "waf": "Operações" + "text": "Ao pretender usar a expansão 
automatizada, certifique-se de aplicar cota suficiente da Solução VMware do Azure para as assinaturas que executam a Solução VMware do Azure", + "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", "severity": "Média", - "text": "Testar a latência da zona de disponibilidade.", + "text": "Ao pretender usar o scale-in automatizado, certifique-se de levar em consideração os requisitos da política de armazenamento antes de executar essa ação", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", - "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "severity": "Média", - "text": "Ative o SAP EarlyWatch Alert para todos os componentes SAP.", - "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "text": "As operações de dimensionamento sempre precisam ser serializadas em um único SDDC, pois apenas uma operação de escala pode ser executada por vez (mesmo quando vários clusters são usados)", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": 
"AVS", "severity": "Média", - "text": "Revise a latência do servidor de aplicativos SAP para o servidor de banco de dados usando o relatório SAP ABAPMeter /SSA/CAT.", - "training": "https://me.sap.com/notes/0002879613", + "text": "Considerar e validar operações de dimensionamento em soluções de terceiros 3rd usadas na arquitetura (suportadas ou não)", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", + "service": "AVS", "severity": "Média", - "text": "Revise o monitoramento de desempenho do SQL Server usando o CCMS.", + "text": "Definir e impor limites máximos de entrada/saída de escala para seu ambiente nas automações", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", - "link": "https://me.sap.com/notes/500235", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", "severity": "Média", - "text": "Teste a latência de rede entre VMs de camada de aplicativo SAP e VMs DBMS (NIPING).", - "training": "https://me.sap.com/notes/1100926/E", - "waf": "Desempenho" + "text": "Implementar regras de monitoramento para monitorar operações de dimensionamento automatizadas e monitorar o sucesso e a falha para habilitar respostas apropriadas (automatizadas)", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", - "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "Alto", + "text": "Ao usar o MON, esteja ciente dos limites de VMs configuradas simulataneamente (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", + "severity": "Alto", + "text": "Ao usar o MON, você não pode habilitar o MON em mais de 100 extensões de rede", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "severity": "Média", - "text": "Revise os alertas do SAP HANA Studio.", + "text": "Se estiver usando uma conexão VPN para migrações, ajuste o tamanho da MTU de acordo.", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", - "link": "https://me.sap.com/notes/1969700", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", "severity": "Média", - "text": "Execute verificações de integridade do SAP HANA usando HANA_Configuration_Minichecks.", + "text": "Para regiões de baixa conectividade conectadas ao Azure (500Mbps ou menos), considere implantar o dispositivo de otimização de WAN HCX", "waf": "Desempenho" }, { - "checklist": "SAP Checklist", - "guid": 
"18dffcf3-248c-4039-a67c-dec8e3a5f804", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "severity": "Média", - "text": "Se você executar VMs do Windows e Linux no Azure, no local ou em outros ambientes de nuvem, poderá usar o Centro de gerenciamento de atualizações na Automação do Azure para gerenciar atualizações do sistema operacional, incluindo patches de segurança.", - "training": "https://learn.microsoft.com/azure/automation/update-management/overview", - "waf": "Segurança" + "text": "Certifique-se de que as migrações sejam iniciadas a partir do dispositivo local e NÃO do dispositivo em nuvem (NÃO execute uma migração reversa)", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "08951710-79a2-492a-adbc-06d7a401545b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", "severity": "Média", - "text": "Analise rotineiramente as notas de OSS de segurança do SAP porque o SAP lança patches de segurança altamente críticos, ou hot fixes, que exigem ação imediata para proteger seus sistemas SAP.", - "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", - "waf": "Segurança" + "text": "Quando o Azure Netapp Files for usado para estender o armazenamento para a Solução VMware do Azure, considere usá-lo como um armazenamento de dados VMware em vez de anexá-lo diretamente a uma VM.", + "waf": "Fiabilidade" }, 
{ - "checklist": "SAP Checklist", - "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "Baixo", - "text": "Para SAP no SQL Server, você pode desabilitar a conta de administrador do sistema do SQL Server porque os sistemas SAP no SQL Server não usam a conta. Certifique-se de que outro usuário com direitos de administrador do sistema possa acessar o servidor antes de desabilitar a conta de administrador do sistema original.", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", + "severity": "Média", + "text": "Verifique se um ExpressRoute Gateway dedicado está sendo usado para soluções de armazenamento de dados externos", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "service": "SAP", - "severity": "Alto", - "text": "Desative xp_cmdshell. O recurso do SQL Server xp_cmdshell habilita um shell de comando do sistema operacional interno do SQL Server. 
É um risco potencial em auditorias de segurança.", - "training": "https://me.sap.com/notes/3019299/E", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", + "severity": "Média", + "text": "Verifique se o FastPath está habilitado no ExpressRoute Gateway que está sendo usado para soluções de armazenamento de dados externos", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", "severity": "Alto", - "text": "A criptografia de servidores de banco de dados SAP HANA no Azure usa a tecnologia de criptografia nativa do SAP HANA. 
Além disso, se você estiver usando o SQL Server no Azure, use a TDE (Criptografia de Dados Transparente) para proteger seus dados e arquivos de log e garantir que seus backups também sejam criptografados.", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "waf": "Segurança" + "text": "Se estiver usando cluster estendido, verifique se a solução de recuperação de desastres selecionada é suportada pelo fornecedor", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "SAP", - "severity": "Média", - "text": "A criptografia de Armazenamento do Azure está habilitada para todas as contas clássicas e do Gerenciador de Recursos do Azure e não pode ser desabilitada. Como seus dados são criptografados por padrão, você não precisa modificar seu código ou aplicativos para usar a criptografia do Armazenamento do Azure.", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "waf": "Segurança" - }, - { - "checklist": "SAP Checklist", - "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", "severity": "Alto", - "text": "Usar o Cofre de Chaves do Azure para armazenar seus segredos e credenciais", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Segurança" - }, - { - "checklist": "SAP Checklist", - "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", - "service": "SAP", - "severity": "Média", - "text": "É recomendável BLOQUEAR os Recursos do Azure após a implantação bem-sucedida para proteger contra alterações não autorizadas. Você também pode impor restrições e regras LOCK em sua base por assinatura usando políticas personalizadas do Azure (função Personalizada).", - "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", - "waf": "Segurança" + "text": "Se estiver usando cluster estendido, verifique se o SLA fornecido atenderá aos seus requisitos", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", - "service": "SAP", - "severity": "Média", - "text": "Provisione o Cofre de Chaves do Azure com as políticas de exclusão e limpeza suaves habilitadas para permitir a proteção de retenção para objetos excluídos.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Segurança" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", + "severity": "Alto", + "text": "Se estiver usando cluster estendido, verifique se ambos os circuitos da Rota Expressa estão conectados ao hub de conectividade.", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", "severity": "Alto", - "text": "Com base nos requisitos existentes, controles normativos e de conformidade (internos/externos) - Determine quais Políticas do Azure e a função RBAC do Azure são necessárias", - "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", - "waf": "Segurança" + "text": "Se estiver usando cluster estendido, verifique se ambos os circuitos da Rota Expressa têm o GlobalReach habilitado.", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", "severity": "Alto", - "text": "Ao habilitar o Microsoft Defender for Endpoint no ambiente SAP, recomende excluir arquivos de dados e de log em servidores DBMS em vez de direcionar todos os servidores. 
Siga as recomendações do fornecedor do DBMS ao excluir arquivos de destino.", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", - "waf": "Segurança" + "text": "Faça com que as configurações de tolerância a desastres do site tenham sido devidamente consideradas e alteradas para sua empresa, se necessário.", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", - "service": "SAP", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", "severity": "Alto", - "text": "Delegue uma função personalizada de administrador SAP com acesso just-in-time do Microsoft Defender for Cloud.", - "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "waf": "Segurança" + "text": "Habilite a redundância de zona para o Cache do Azure para Redis. O Cache do Azure para Redis dá suporte a configurações redundantes de zona nas camadas Premium e Enterprise. Um cache redundante de zona pode colocar seus nós em diferentes zonas de disponibilidade do Azure na mesma região. 
Ele elimina a interrupção do data center ou AZ como um único ponto de falha e aumenta a disponibilidade geral do cache.", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Baixo", - "text": "criptografar dados em trânsito integrando o produto de segurança de terceiros com comunicações de rede seguras (SNC) para DIAG (SAP GUI), RFC e SPNEGO para HTTPS", - "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", - "waf": "Segurança" + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", + "severity": "Média", + "text": "Configure a persistência de dados para uma instância do Cache do Azure para Redis. Como os dados do cache são armazenados na memória, uma falha rara e não planejada de vários nós pode fazer com que todos os dados sejam descartados. 
Para evitar a perda completa de dados, a persistência do Redis permite que você tire instantâneos periódicos de dados na memória e os armazene em sua conta de armazenamento.", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", - "service": "SAP", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", "severity": "Média", - "text": "O padrão é chaves gerenciadas pela Microsoft para a funcionalidade de criptografia principal e use chaves gerenciadas pelo cliente quando necessário.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Segurança" + "text": "Use a conta de armazenamento com redundância geográfica para persistir o Cache do Azure para dados Redis ou zonalmente redundante onde a redundância geográfica não está disponível", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", - "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", - "service": "SAP", - "severity": "Alto", - "text": "Use um Cofre de Chaves do Azure por aplicativo, por ambiente, por região.", - "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", - "waf": "Segurança" + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", + "severity": "Média", + "text": "Configure a 
replicação geográfica passiva para instâncias do Cache Premium do Azure para Redis. A replicação geográfica é um mecanismo para vincular duas ou mais instâncias do Cache do Azure para Redis, normalmente abrangendo duas regiões do Azure. A replicação geográfica foi projetada principalmente para recuperação de desastres entre regiões. Duas instâncias de cache de camada Premium são conectadas por meio de replicação geográfica de uma forma que fornece leituras e gravações no cache primário e que os dados são replicados para o cache secundário.", + "waf": "Fiabilidade" }, { - "checklist": "SAP Checklist", - "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", - "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", - "service": "SAP", - "severity": "Alto", - "text": "Para controlar e gerenciar chaves de criptografia de disco e segredos para sistemas operacionais Windows e não Windows HANA, use o Cofre de Chaves do Azure. O SAP HANA não tem suporte com o Cofre de Chaves do Azure, portanto, você deve usar métodos alternativos, como chaves SAP ABAP ou SSH.", - "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", - "waf": "Segurança" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", + "severity": "Média", + "text": "Se você usar certificados TLS gerenciados pelo cliente com o Azure Front Door, use a versão do certificado 'Mais recente'. 
Reduza o risco de interrupções causadas pela renovação manual de certificados", + "waf": "Operações" }, { - "checklist": "SAP Checklist", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", - "service": "SAP", - "severity": "Alto", - "text": "Personalizar funções RBAC (controle de acesso baseado em função) para SAP em assinaturas spoke do Azure para evitar alterações acidentais relacionadas à rede", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", + "severity": "Média", + "text": "Verifique se você está usando o SKU do Gateway de Aplicativo v2", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", - "service": "SAP", - "severity": "Alto", - "text": "Isole DMZs e NVAs do restante do estado SAP, configure o Azure Private Link e gerencie e controle com segurança os recursos do SAP no Azure", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": 
"4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", + "severity": "Média", + "text": "Verifique se você está usando o SKU Standard para seus Azure Load Balancers", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", - "service": "SAP", - "severity": "Baixo", - "text": "Considere usar o software antimalware da Microsoft no Azure para proteger suas máquinas virtuais contra arquivos mal-intencionados, adware e outras ameaças.", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", + "severity": "Média", + "text": "Verifique se os endereços IP de front-end dos Load Balancers têm redundância de zona (a menos que você precise de front-ends zonais).", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", - "service": "SAP", - "severity": "Baixo", - "text": "Para obter uma proteção ainda mais poderosa, considere usar o Microsoft Defender for Endpoint.", - "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | 
extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", + "severity": "Média", + "text": "Seus Gateways de Aplicativo v2 devem ser implantados em sub-redes com prefixos IP iguais ou maiores que /24", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "Alto", - "text": "Isole os servidores de aplicativo e banco de dados SAP da Internet ou da rede local passando todo o tráfego pela rede virtual de hub, que está conectada à rede spoke por emparelhamento de rede virtual. 
As redes virtuais emparelhadas garantem que a solução SAP no Azure seja isolada da Internet pública.", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "description": "A administração de proxies reversos em geral e WAF em particular está mais próxima do aplicativo do que da rede, portanto, eles pertencem à mesma assinatura que o aplicativo. Centralizar o Gateway de Aplicativo e o WAF na assinatura de conectividade pode ser OK se ele for gerenciado por uma única equipe.", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Implante o Gateway de Aplicativo do Azure v2 ou NVAs de parceiros usados para proxy de conexões HTTP(S) de entrada na rede virtual da zona de destino e com os aplicativos que eles estão protegendo.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", - "service": "SAP", - "severity": "Baixo", - "text": "Para aplicativos voltados para a Internet, como o SAP Fiori, certifique-se de distribuir a carga por requisitos de aplicativo, mantendo os níveis de segurança. 
Para segurança de Camada 7, você pode usar um WAF (Web Application Firewall) de terceiros disponível no Azure Marketplace.", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Use uma rede DDoS ou planos de proteção de IP para todos os endereços IP públicos em zonas de destino do aplicativo.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "Segurança" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", "severity": "Média", - "text": "Para habilitar a comunicação segura no Azure Monitor para soluções SAP, você pode optar por usar um certificado raiz ou um certificado de servidor. 
É altamente recomendável que você use certificados raiz.", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "Segurança" + "text": "Configure o dimensionamento automático com uma quantidade mínima de instâncias de duas.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Siga as proteções do Metaprompting para uma IA razoável", - "waf": "Excelência Operacional" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", + "severity": "Média", + "text": "Implantar o Gateway de Aplicativo em Zonas de Disponibilidade", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", - "link": "https://github.com/Azure-Samples/AI-Gateway", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Considere padrões de gateway com APIM ou soluções como AI central para melhor limitação de taxa, balanceamento de carga, autenticação e registro", - "waf": "Excelência Operacional" + 
"arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", + "severity": "Média", + "text": "Use o Azure Front Door com políticas do WAF para fornecer e ajudar a proteger aplicativos HTTP/S globais que abrangem várias regiões do Azure.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Habilitar o monitoramento para suas instâncias AOAI", - "waf": "Excelência Operacional" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", + "severity": "Média", + "text": "Ao usar o Front Door e o Gateway de Aplicativo para ajudar a proteger aplicativos HTTP/S, use políticas WAF no Front Door. 
Bloqueie o Gateway de Aplicativo para receber tráfego somente do Front Door.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", - "service": "Azure OpenAI", + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", "severity": "Alto", - "text": "Crie alertas para notificar as equipes sobre eventos, como uma entrada no log de atividades criada por uma ação executada no recurso, como regenerar suas chaves de assinatura ou um limite de métrica, como o número de erros que excedem 10 em uma hora", - "waf": "Excelência Operacional" + "text": "Use o Gerenciador de Tráfego para fornecer aplicativos globais que abrangem protocolos diferentes de HTTP/S.", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Monitore o uso do token para evitar interrupções de serviço devido à capacidade", - "waf": "Excelência Operacional" + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", + "severity": 
"Baixo", + "text": "Se os usuários precisarem apenas de acesso a aplicativos internos, o Proxy de Aplicativo de ID do Microsoft Entra foi considerado como uma alternativa à AVD (Área de Trabalho Virtual) do Azure?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", - "service": "Azure OpenAI", + "checklist": "Azure Application Delivery Networking", + "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "Entra", "severity": "Média", - "text": "Observe métricas como tokens de inferência processados, monitoramento de tokens de conclusão gerados para limite de taxa", - "waf": "Excelência Operacional" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", - "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", - "service": "Azure OpenAI", - "severity": "Baixo", - "text": "Se o diagnóstico não for suficiente para você, considere usar um gateway como o Gerenciamento de API do Azure na frente do Azure OpenAI para registrar prompts de entrada e respostas de saída, quando permitido", - "waf": "Excelência Operacional" + "text": "Para reduzir o número de portas de firewall abertas para conexões de entrada em sua rede, considere usar o Proxy de Aplicativo de ID do Microsoft Entra para fornecer aos usuários remotos acesso seguro e autenticado a aplicativos internos.", + "training": 
"https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", - "link": "https://github.com/Azure-Samples/openai-enterprise-iac", - "service": "Azure OpenAI", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "ae248989-b306-4591-9186-de482e3f0f0e", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "Front Door", "severity": "Alto", - "text": "Usar a infraestrutura como código para implantar o serviço OpenAI do Azure, implantações de modelo e todos os recursos relacionados", - "waf": "Excelência Operacional" + "text": "Implante sua política de WAF para o Front Door no modo 'Prevenção' para que o Firewall de Aplicativo Web tome as medidas apropriadas para permitir ou negar o tráfego.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4350d092-d234-4292-a752-8537a551c5bf", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure 
Application Delivery Networking", + "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "Front Door", "severity": "Alto", - "text": "Usar a autenticação do Microsoft Entra com identidade gerenciada em vez de chave de API", + "text": "Evite combinar o Gerenciador de Tráfego do Azure e o Azure Front Door.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", - "service": "Azure OpenAI", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "Front Door", "severity": "Alto", - "text": "Avalie o desempenho/precisão do sistema com um conjunto de dados dourado conhecido que tenha as entradas e as respostas corretas. Aproveite os recursos do PromptFlow para avaliação.", - "waf": "Excelência Operacional" + "text": "Use o mesmo nome de domínio no Azure Front Door e sua origem. 
Nomes de host incompatíveis podem causar bugs sutis.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "68889535-e327-4897-b31b-67d67be5962a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Avaliar o uso do modelo de taxa de transferência provisionada ", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", + "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "Front Door", + "severity": "Baixo", + "text": "Desabilite as investigações de integridade quando houver apenas uma origem em um grupo de origens do Azure Front Door.", "waf": "Desempenho" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Examinar e implementar a segurança de 
conteúdo do Azure AI", - "waf": "Excelência Operacional" - }, - { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Defina e avalie a taxa de transferência do sistema com base em tokens e resposta por minuto e alinhe-se aos requisitos", - "waf": "Desempenho" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "Front Door", + "severity": "Média", + "text": "Selecione pontos de extremidade de investigação de integridade boa para o Azure Front Door. Considere a criação de pontos de extremidade de integridade que verifiquem todas as dependências do aplicativo.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Melhore a latência do sistema limitando os tamanhos dos tokens, as opções de streaming", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", + "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", + "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "Front Door", + "severity": "Baixo", + "text": "Use investigações de integridade HEAD com o Azure Front Door para reduzir o tráfego que o Front Door envia para seu aplicativo.", "waf": "Desempenho" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Estime as demandas de elasticidade para determinar a segregação de solicitações síncronas e em lote com base na prioridade. Para alta prioridade, use a abordagem síncrona e, para baixa prioridade, o processamento em lote assíncrono com fila é preferível", - "waf": "Desempenho" + "ammp": true, + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", + "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "Load Balancer", + "severity": "Alto", + "text": "Usar o Gateway NAT do Azure em vez das regras de saída do Load Balancer para melhorar a escalabilidade SNAT", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5bda4332-4f24-4811-9331-82ba51752694", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend 
frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", + "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "Front Door", "severity": "Alto", - "text": "Compare os requisitos de consumo de token com base nas demandas estimadas dos consumidores. Considere usar a ferramenta de benchmarking OpenAI do Azure para ajudá-lo a validar a taxa de transferência se você estiver usando implantações de Unidade de Produtividade Provisionada", - "waf": "Desempenho" + "text": "Use certificados TLS gerenciados com o Azure Front Door. Reduza o custo operacional e o risco de interrupções devido a renovações de certificados.", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", + "service": "Front Door", "severity": "Média", - "text": "Se você estiver usando PTUs (Unidades de Produtividade Provisionadas), considere implantar uma implantação de token por minuto (TPM) para solicitações de estouro. Use um gateway para rotear solicitações para a implantação do TPM quando os limites de PTU forem atingidos.", - "waf": "Desempenho" + "text": "Defina a configuração do WAF do Azure Front Door como código. 
Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", - "service": "Azure OpenAI", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", + "service": "Front Door", "severity": "Alto", - "text": "Escolha o modelo certo para a tarefa certa. Escolha modelos com a compensação certa entre velocidade, qualidade de resposta e complexidade de saída", - "waf": "Desempenho" + "text": "Use o TLS de ponta a ponta com o Azure Front Door. Use o TLS para conexões de seus clientes com o Front Door e do Front Door com sua origem.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "e9951904-8384-45c9-a6cb-2912156a1147", - "link": "https://github.com/Azure/azure-openai-benchmark/", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", + "service": "Front Door", "severity": "Média", - "text": "Tenha uma linha de base para o desempenho sem ajuste fino para saber se o ajuste fino melhorou ou não o desempenho do modelo", - "waf": "Desempenho" + "text": "Use o redirecionamento de HTTP para HTTPS com o Azure Front Door. 
Ofereça suporte a clientes mais antigos redirecionando-os para uma solicitação HTTPS automaticamente.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", - "severity": "Baixo", - "text": "Implantar várias instâncias de OAI em regiões", - "waf": "Fiabilidade" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite o WAF do Azure Front Door. Proteja seu aplicativo contra uma variedade de ataques.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", - "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", - "service": "Azure OpenAI", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", + "service": "Front Door", "severity": "Alto", - "text": "Implemente novas tentativas e verificações de integridade com o padrão de Gateway como APIM", - "waf": "Fiabilidade" + "text": "Ajuste o WAF do Azure Front Door para sua carga de trabalho configurando o WAF no modo de detecção para reduzir e corrigir detecções de falsos positivos.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", 
- "checklist": "Azure OpenAI Review", - "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Garantir que tenha cotas adequadas de TPM e RPM para a carga de trabalho", - "waf": "Fiabilidade" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite o recurso de inspeção do corpo da solicitação habilitado na política do WAF do Azure Front Door.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", - "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Revise as considerações nas diretrizes do kit de ferramentas HAI e aplique essas práticas de interação para a análise", - "waf": "Excelência Operacional" + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite os conjuntos de regras padrão do WAF do Azure Front Door. 
Os conjuntos de regras padrão detectam e bloqueiam ataques comuns.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f154e3a-a369-4282-ae7e-316183687a04", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", - "service": "Azure OpenAI", + "ammp": true, + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", + "service": "Front Door", + "severity": "Alto", + "text": "Habilite o conjunto de regras de proteção contra bot do WAF do Azure Front Door. As regras de bot detectam bots bons e ruins.", + "waf": "Segurança" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", + "service": "Front Door", "severity": "Média", - "text": "Implantar modelos ajustados separados entre regiões se o ajuste fino for empregado", - "waf": "Fiabilidade" + "text": "Use a versão mais recente do conjunto de regras do WAF do Azure Front Door. 
As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário de ameaças atual.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "77a1f893-5bda-4433-84f2-4811633182ba", - "link": "https://learn.microsoft.com/azure/backup/backup-overview", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "b9620385-1cde-418f-914b-a84a06982ffc", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", + "service": "Front Door", "severity": "Média", - "text": "Faça backup e replique regularmente dados críticos para garantir a disponibilidade e a capacidade de recuperação dos dados em caso de perda de dados ou falhas do sistema. Aproveite os serviços de backup e recuperação de desastre do Azure para proteger seus dados.", - "waf": "Fiabilidade" + "text": "Adicione a limitação de taxa ao WAF do Azure Front Door. 
A limitação de taxa bloqueia os clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "As camadas de serviço de pesquisa de IA do Azure devem ser escolhidas para ter um SLA ", - "waf": "Fiabilidade" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", + "service": "Front Door", + "severity": "Média", + "text": "Use um limite alto para os limites de taxa do WAF do Azure Front Door. Os limites de limite de taxa altos evitam o bloqueio do tráfego legítimo, ao mesmo tempo em que fornecem proteção contra números extremamente altos de solicitações que podem sobrecarregar sua infraestrutura. 
", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", - "link": "https://learn.microsoft.com/purview/purview", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", + "service": "Front Door", "severity": "Baixo", - "text": "Classifique os dados e a confidencialidade, rotulando com o Microsoft Purview antes de gerar as inserções e certifique-se de tratar as inserções geradas com a mesma confidencialidade e classificação", + "text": "Se você não estiver esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Criptografar dados usados para RAG com criptografia SSE/Disco com BYOK opcional", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "00acd8a9-6975-414f-8491-2be6309893b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", + "service": "Front Door", + "severity": "Média", + "text": "Especifique o local desconhecido (ZZ) ao filtrar geograficamente o tráfego com o WAF do Azure Front Door. 
Evite bloquear acidentalmente solicitações legítimas quando os endereços IP não puderem ser correspondidos geograficamente.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", - "link": "https://learn.microsoft.com/azure/search/search-security-overview", - "service": "Azure OpenAI", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", + "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", + "service": "App Gateway", "severity": "Alto", - "text": "Certifique-se de que o TLS seja aplicado para dados em trânsito entre fontes de dados, pesquisa de IA usada para RG (Geração Aumentada por Recuperação) e comunicação LLM", + "text": "Habilite o conjunto de regras de proteção contra bot do WAF do Gateway de Aplicativo do Azure. 
As regras de bot detectam bots bons e ruins.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", + "service": "App Gateway", "severity": "Alto", - "text": "Use o RBAC para gerenciar o acesso aos serviços do OpenAI do Azure. Atribua permissões apropriadas aos usuários e restrinja o acesso com base em suas funções e responsabilidades", + "text": "Habilite o recurso de inspeção do corpo da solicitação habilitado na política do WAF do Gateway de Aplicativo do Azure.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", - "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", - "service": "Azure OpenAI", - "severity": "Média", - "text": "Implemente técnicas de criptografia, mascaramento ou redação de dados para ocultar dados confidenciais ou substituí-los por valores ofuscados em ambientes de não produção ou ao compartilhar dados para fins de teste ou solução de problemas", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", + "service": "App Gateway", + "severity": "Alto", + "text": "Ajuste o WAF do Gateway de Aplicativo do 
Azure no modo de detecção para sua carga de trabalho. Reduza as detecções de falsos positivos.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", - "service": "Azure OpenAI", + "ammp": true, + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", + "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "App Gateway", "severity": "Alto", - "text": "Utilize o Azure Defender para detectar e responder a ameaças de segurança e configurar mecanismos de monitoramento e alerta para identificar atividades suspeitas ou violações. 
Aproveite o Azure Sentinel para detecção e resposta avançadas a ameaças", + "text": "Implante sua política de WAF para Gateway de Aplicativo no modo 'Prevenção'.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", - "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", + "service": "App Gateway", "severity": "Média", - "text": "Estabeleça políticas de retenção e descarte de dados para cumprir os regulamentos de conformidade. Implemente métodos de exclusão segura para dados que não são mais necessários e mantenha uma trilha de auditoria das atividades de retenção e descarte de dados", + "text": "Adicione a limitação de taxa ao WAF do Gateway de Aplicativo do Azure. 
A limitação de taxa bloqueia os clientes que enviam acidentalmente ou intencionalmente grandes quantidades de tráfego em um curto período de tempo.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", - "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Implementar proteções imediatas e detecção de aterramento usando a Segurança de conteúdo ", - "waf": "Excelência Operacional" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", + "service": "App Gateway", + "severity": "Média", + "text": "Use um limite alto para os limites de taxa do WAF do Gateway de Aplicativo do Azure. Os limites de limite de taxa altos evitam o bloqueio do tráfego legítimo, ao mesmo tempo em que fornecem proteção contra números extremamente altos de solicitações que podem sobrecarregar sua infraestrutura. 
", + "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", - "link": "https://learn.microsoft.com/azure/compliance/", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Garanta a conformidade com os regulamentos de proteção de dados relevantes, como GDPR ou HIPAA, implementando controles de privacidade e obtendo os consentimentos ou permissões necessários para atividades de processamento de dados.", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "Baixo", + "text": "Se você não estiver esperando tráfego de todas as regiões geográficas, use filtros geográficos para bloquear o tráfego de países não esperados.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "severity": "Média", - "text": "Eduque seus funcionários sobre as melhores práticas de segurança de dados, a importância de lidar com dados com segurança e os possíveis riscos associados a violações de dados. Incentive-os a seguir os protocolos de segurança de dados diligentemente.", + "text": "Especifique o local desconhecido (ZZ) ao filtrar geograficamente o tráfego com o WAF do Gateway de Aplicativo do Azure. 
Evite bloquear acidentalmente solicitações legítimas quando os endereços IP não puderem ser correspondidos geograficamente.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Mantenha os dados de produção separados dos dados de desenvolvimento e teste. Use apenas dados confidenciais reais na produção e utilize dados anônimos ou sintéticos em ambientes de desenvolvimento e teste.", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", + "severity": "Média", + "text": "Use a versão mais recente do conjunto de regras do WAF do Gateway de Aplicativo do Azure. As atualizações do conjunto de regras são atualizadas regularmente para levar em conta o cenário de ameaças atual.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", "severity": "Média", - "text": "Se você tiver níveis variados de confidencialidade de dados, considere criar índices separados para cada nível. 
Por exemplo, você pode ter um índice para dados gerais e outro para dados confidenciais, cada um regido por diferentes protocolos de acesso", - "waf": "Segurança" + "text": "Adicione configurações de diagnóstico para salvar os logs do WAF do Gateway de Aplicativo do Azure.", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", "severity": "Média", - "text": "Leve a segregação um passo adiante, colocando conjuntos de dados confidenciais em diferentes instâncias do serviço. Cada instância pode ser controlada com seu próprio conjunto específico de políticas RBAC", - "waf": "Segurança" + "text": "Adicione configurações de diagnóstico para salvar os logs do WAF do Azure Front Door.", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Reconheça que incorporações e vetores gerados a partir de informações confidenciais são eles próprios sensíveis. 
Esses dados devem receber as mesmas medidas de proteção que o material de origem", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", + "severity": "Média", + "text": "Envie logs do WAF do Gateway de Aplicativo do Azure para o Microsoft Sentinel.", + "waf": "Operações" + }, + { + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", + "severity": "Média", + "text": "Envie logs do WAF do Azure Front Door para o Microsoft Sentinel.", + "waf": "Operações" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", + "severity": "Média", + "text": "Defina a configuração do WAF do Gateway de Aplicativo do Azure como código. 
Usando o código, você pode adotar mais facilmente a nova versão do conjunto de regras e obter proteção adicional.", + "waf": "Operações" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Use as Políticas do WAF em vez da configuração herdada do WAF.", + "waf": "Operações" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", + "severity": "Média", + "text": "Filtre o tráfego de entrada nos back-ends para que eles aceitem apenas conexões da sub-rede do Gateway de Aplicativo, por exemplo, com NSGs.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Aplique o RBAC aos armazenamentos de dados com incorporações e vetores e acesso ao escopo com base nos requisitos de acesso da função", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", + "service": "Front Door", + "severity": "Média", + "text": "Verifique se suas origens recebem apenas o tráfego da instância do Azure Front Door.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI 
Review", - "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "severity": "Alto", - "text": "Configurar o ponto de extremidade privado para serviços de IA para restringir o acesso ao serviço em sua rede", + "text": "Você deve criptografar o tráfego para os servidores de back-end.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", "severity": "Alto", - "text": "Imponha um controle estrito de tráfego de entrada e saída com o Firewall do Azure e UDRs e limite os pontos de integração externos", + "text": "Você deve usar um Web Application Firewall.", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", - "service": "Azure OpenAI", - "severity": "Alto", - "text": "Implemente segmentação de rede e controles de acesso para restringir o acesso ao aplicativo LLM apenas a usuários e sistemas autorizados e evitar movimentos laterais", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": 
"https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Redirecionar HTTP para HTTPS", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", - "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", "severity": "Média", - "text": "Use ferramentas de compactação imediatas como LLMLingua ou gprtrim", - "waf": "Otimização de custos" + "text": "Use cookies gerenciados por gateway para direcionar o tráfego de uma sessão de usuário para o mesmo servidor para processamento", + "waf": "Operações" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", "severity": "Alto", - "text": "Certifique-se de que as APIs e os endpoints usados pelo aplicativo LLM estejam devidamente protegidos com mecanismos de autenticação e autorização, como identidades gerenciadas, chaves de API ou OAuth, para impedir o acesso não autorizado.", + "text": "Habilitar a drenagem de conexão durante atualizações de serviço 
planejadas para evitar a perda de conexão para membros existentes do pool de back-end", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", - "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "severity": "Baixo", + "text": "Crie páginas de erro personalizadas para exibir uma experiência de usuário personalizada", + "waf": "Operações" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", "severity": "Média", - "text": "Aplique mecanismos fortes de autenticação do usuário final, como autenticação multifator, para impedir o acesso não autorizado ao aplicativo LLM e aos recursos de rede associados", + "text": "Edite solicitações HTTP e cabeçalhos de resposta para facilitar o roteamento e a troca de informações entre o cliente e o servidor", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "93555620-2bfe-4456-9b0d-834a348b263e", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", "severity": "Média", - 
"text": "Implemente ferramentas de monitoramento de rede para detectar e analisar o tráfego de rede em busca de atividades suspeitas ou maliciosas. Habilite o registro para capturar eventos de rede e facilitar a análise forense em caso de incidentes de segurança", + "text": "Configure o Front Door para otimizar o roteamento de tráfego da Web global e o desempenho e a confiabilidade do usuário final de nível superior por meio de failover global rápido", + "waf": "Desempenho" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Usar o balanceamento de carga da camada de transporte", + "waf": "Desempenho" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", + "severity": "Média", + "text": "Configurar o roteamento com base no host ou no nome de domínio para vários aplicativos Web em um único gateway", "waf": "Segurança" }, { - "arm-service": "Microsoft.CognitiveServices/accounts", - "checklist": "Azure OpenAI Review", - "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", - "service": "Azure OpenAI", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", "severity": "Média", - "text": "Realize auditorias de segurança e testes de penetração para identificar e resolver quaisquer pontos fracos ou vulnerabilidades de segurança de rede na infraestrutura de rede do 
aplicativo LLM", + "text": "Centralize o gerenciamento de certificados SSL para reduzir a sobrecarga de criptografia e descriptografia de um farm de servidores de back-end", + "waf": "Segurança" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", + "severity": "Baixo", + "text": "Usar o Gateway de Aplicativo para obter suporte nativo para protocolos WebSocket e HTTP/2", "waf": "Segurança" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "guid": "a85b86ad-884f-48e3-9273-4b875ba18f10", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/system-message#define-additional-safety-and-behavioral-guardrails", "service": "Azure OpenAI", - "severity": "Baixo", - "text": "Os Serviços de IA do Azure são marcados corretamente para melhor gerenciamento", + "severity": "Alto", + "text": "Siga as proteções do Metaprompting para uma IA razoável", "waf": "Excelência Operacional" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "guid": "d4391898-cd28-48be-b6b1-7cb8245451e1", + "link": "https://github.com/Azure-Samples/AI-Gateway", "service": "Azure OpenAI", - "severity": "Baixo", - "text": "As contas do Serviço de IA do Azure seguem as convenções de nomenclatura organizacional", + "severity": "Alto", + "text": "Considere padrões de gateway com APIM ou soluções como AI central para melhor limitação de 
taxa, balanceamento de carga, autenticação e registro", "waf": "Excelência Operacional" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "guid": "aed3453a-ec72-4392-97a1-52d6cc5e4029", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/azure-openai-insights-monitoring-ai-with-confidence/ba-p/4026850", "service": "Azure OpenAI", "severity": "Alto", - "text": "Os logs de diagnóstico nos recursos de serviços de IA do Azure devem ser habilitados", + "text": "Habilitar o monitoramento para suas instâncias AOAI", "waf": "Excelência Operacional" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/ai-services/authentication", + "guid": "697cb391-ed16-4b2d-886f-0a0241addde6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring#set-up-alerts", "service": "Azure OpenAI", "severity": "Alto", - "text": "Recomenda-se que o acesso à chave (autenticação local) seja desabilitado por segurança. Depois de desabilitar o acesso baseado em chave, o Microsoft Entra ID se torna o único método de acesso, o que permite manter o princípio de privilégio mínimo e o controle granular. 
", - "waf": "Segurança" + "text": "Crie alertas para notificar as equipes sobre eventos, como uma entrada no log de atividades criada por uma ação executada no recurso, como regenerar suas chaves de assinatura ou um limite de métrica, como o número de erros que excedem 10 em uma hora", + "waf": "Excelência Operacional" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25d4d5", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", "service": "Azure OpenAI", "severity": "Alto", - "text": "Armazene e gerencie chaves com segurança usando o Azure Key Vault. Evite codificar ou inserir chaves confidenciais no código do aplicativo LLM e recuperá-las com segurança do Azure Key Vault usando identidades gerenciadas", - "waf": "Segurança" + "text": "Monitore o uso do token para evitar interrupções de serviço devido à capacidade", + "waf": "Excelência Operacional" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "guid": "a3aec2c4-e243-46b0-936c-b45e17960eee", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/monitoring", "service": "Azure OpenAI", - "severity": "Alto", - "text": "Gire e expire regularmente as chaves armazenadas no Azure Key Vault para minimizar o risco de acesso não autorizado.", - "waf": "Segurança" + "severity": "Média", + "text": "Observe métricas como tokens de inferência processados, monitoramento de tokens de conclusão gerados para limite de taxa", + "waf": "Excelência Operacional" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": 
"adfe27be-e297-401a-a352-baaab79b088d", - "link": "https://github.com/openai/tiktoken", + "guid": "fbdf4cc2-eec4-4d76-8c31-d25ffbb46a39", + "link": "https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-an-enterprise-ready-azure-openai-solution-with-azure-api/ba-p/3907562", "service": "Azure OpenAI", - "severity": "Alto", - "text": "Use tiktoken para entender os tamanhos de token para otimizações de token no modo de conversação", - "waf": "Otimização de custos" + "severity": "Baixo", + "text": "Se o diagnóstico não for suficiente para você, considere usar um gateway como o Gerenciamento de API do Azure na frente do Azure OpenAI para registrar prompts de entrada e respostas de saída, quando permitido", + "waf": "Excelência Operacional" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", - "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "guid": "3af30ed3-2947-498b-8178-a2c5a46ceb54", + "link": "https://github.com/Azure-Samples/openai-enterprise-iac", "service": "Azure OpenAI", "severity": "Alto", - "text": "Siga práticas de codificação segura para evitar vulnerabilidades comuns, como ataques de injeção, cross-site scripting (XSS) ou configurações incorretas de segurança", - "waf": "Segurança" + "text": "Usar a infraestrutura como código para implantar o serviço OpenAI do Azure, implantações de modelo e todos os recursos relacionados", + "waf": "Excelência Operacional" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", - "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", "service": "Azure OpenAI", "severity": "Alto", - 
"text": "Configure um processo para atualizar e corrigir regularmente as bibliotecas LLM e outros componentes do sistema", + "text": "Usar a autenticação do Microsoft Entra com identidade gerenciada em vez de chave de API", "waf": "Segurança" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "e29711b1-352b-4eee-879b-588defc4972c", - "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "guid": "4e4f1854-287d-45cd-a126-cc031af5b1fc", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-bulk-test-evaluate-flow?view=azureml-api-2", "service": "Azure OpenAI", "severity": "Alto", - "text": "Aderir aos termos de uso, políticas e diretrizes do Azure OpenAI ou de outros LLMs e casos de uso permitidos", + "text": "Avalie o desempenho/precisão do sistema com um conjunto de dados dourado conhecido que tenha as entradas e as respostas corretas. Aproveite os recursos do PromptFlow para avaliação.", "waf": "Excelência Operacional" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "guid": "68889535-e327-4897-b31b-67d67be5962a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---performance-efficiency", "service": "Azure OpenAI", - "severity": "Média", - "text": "Entender a diferença no custo de modelos básicos e modelos ajustados e tamanhos de etapa de token", - "waf": "Otimização de custos" + "severity": "Alto", + "text": "Avaliar o uso do modelo de taxa de transferência provisionada ", + "waf": "Desempenho" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", - "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "guid": "cd288bed-6b17-4cb8-8454-51e1aed3453a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/overview", "service": "Azure OpenAI", "severity": "Alto", - "text": "Solicitações em lote, sempre que possível, para minimizar a sobrecarga por chamada, o que pode reduzir os custos gerais. Certifique-se de otimizar o tamanho do lote", - "waf": "Otimização de custos" + "text": "Examinar e implementar a segurança de conteúdo do Azure AI", + "waf": "Excelência Operacional" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "guid": "1193846d-697c-4b39-8ed1-6b2d186f0a02", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#system-level-throughput", "service": "Azure OpenAI", - "severity": "Média", - "text": "Configure um sistema de rastreamento de custos que monitore o uso do modelo e use essas informações para ajudar a informar as escolhas do modelo e solicitar tamanhos", - "waf": "Otimização de custos" + "severity": "Alto", + "text": "Defina e avalie a taxa de transferência do sistema com base em tokens e resposta por minuto e alinhe-se aos requisitos", + "waf": "Desempenho" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "166cd072-af9b-4141-a898-a535e737897e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "guid": "41addde6-8a47-47cd-bb48-61bc3bc10ae6", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#improve-performance", "service": "Azure OpenAI", "severity": "Média", - "text": "Defina um limite máximo para o número de tokens por resposta do modelo. 
Otimize o tamanho para garantir que seja grande o suficiente para uma resposta válida", - "waf": "Otimização de custos" + "text": "Melhore a latência do sistema limitando os tamanhos dos tokens, as opções de streaming", + "waf": "Desempenho" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", - "link": "https://learn.microsoft.com/azure/search/search-reliability", + "guid": "6e25d4d5-a3ae-4c2c-9e24-36b0336cb45e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", "service": "Azure OpenAI", "severity": "Média", - "text": "Examine as diretrizes fornecidas sobre como configurar a pesquisa de IA para confiabilidade", - "waf": "Excelência Operacional" + "text": "Estime as demandas de elasticidade para determinar a segregação de solicitações síncronas e em lote com base na prioridade. Para alta prioridade, use a abordagem síncrona e, para baixa prioridade, o processamento em lote assíncrono com fila é preferível", + "waf": "Desempenho" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "3266b225-86f4-4a16-92bd-ddea8a487cde", - "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "guid": "5bda4332-4f24-4811-9331-82ba51752694", + "link": "https://github.com/Azure/azure-openai-benchmark/", "service": "Azure OpenAI", - "severity": "Média", - "text": "Planejar e gerenciar o armazenamento de vetores do AI Search", - "waf": "Excelência Operacional" + "severity": "Alto", + "text": "Compare os requisitos de consumo de token com base nas demandas estimadas dos consumidores. 
Considere usar a ferramenta de benchmarking OpenAI do Azure para ajudá-lo a validar a taxa de transferência se você estiver usando implantações de Unidade de Produtividade Provisionada", + "waf": "Desempenho" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "guid": "4008ae7d-7e47-4432-96d8-bdcf55bce619", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", "service": "Azure OpenAI", "severity": "Média", - "text": "Aplique as práticas do LLMOps para automatizar o gerenciamento do ciclo de vida de seus aplicativos GenAI", - "waf": "Excelência Operacional" + "text": "Se você estiver usando PTUs (Unidades de Produtividade Provisionadas), considere implantar uma implantação de token por minuto (TPM) para solicitações de estouro. Use um gateway para rotear solicitações para a implantação do TPM quando os limites de PTU forem atingidos.", + "waf": "Desempenho" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", - "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "guid": "e8a13f98-8794-424d-9267-86d60b96c97b", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/models", "service": "Azure OpenAI", "severity": "Alto", - "text": "Avalie o uso de modelos de faturamento - PAYG vs PTU", - "waf": "Otimização de custos" + "text": "Escolha o modelo certo para a tarefa certa. 
Escolha modelos com a compensação certa entre velocidade, qualidade de resposta e complexidade de saída", + "waf": "Desempenho" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", - "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "guid": "e9951904-8384-45c9-a6cb-2912156a1147", + "link": "https://github.com/Azure/azure-openai-benchmark/", "service": "Azure OpenAI", "severity": "Média", - "text": "Avaliar a qualidade de prompts e aplicativos ao alternar entre versões de modelo", - "waf": "Excelência Operacional" + "text": "Tenha uma linha de base para o desempenho sem ajuste fino para saber se o ajuste fino melhorou ou não o desempenho do modelo", + "waf": "Desempenho" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "3418db61-2712-4650-9bb4-7a393a080327", - "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "guid": "5e39f541-accc-4d97-a376-bcdb3750ab2a", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", "service": "Azure OpenAI", - "severity": "Média", - "text": "Avalie, monitore e refine seus aplicativos GenAI para recursos como fundamentação, relevância, precisão, coerência, fluência,", - "waf": "Excelência Operacional" + "severity": "Baixo", + "text": "Implantar várias instâncias de OAI em regiões", + "waf": "Fiabilidade" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "294798b1-578b-4219-a46c-eb5443513592", + "guid": "b039da6d-55d7-4c89-8adb-107d5325af62", + "link": "https://learn.microsoft.com/azure/architecture/ai-ml/architecture/baseline-openai-e2e-chat#azure-openai---reliability", "service": 
"Azure OpenAI", - "severity": "Média", - "text": "Avaliar os resultados do Azure AI Search com base em diferentes parâmetros de pesquisa", - "waf": "Excelência Operacional" + "severity": "Alto", + "text": "Implemente novas tentativas e verificações de integridade com o padrão de Gateway como APIM", + "waf": "Fiabilidade" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "2744293b-b628-4537-a551-19b08e8f5854", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "guid": "5ca44e46-85e2-4223-ace8-bb12308ca5f1", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#introduction-to-quota", "service": "Azure OpenAI", "severity": "Média", - "text": "Olhe para os modelos de ajuste fino como forma de aumentar a precisão somente quando você tiver tentado outras abordagens básicas, como engenharia rápida e RAG com seus dados", - "waf": "Excelência Operacional" + "text": "Garantir que tenha cotas adequadas de TPM e RPM para a carga de trabalho", + "waf": "Fiabilidade" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "287d9cec-166c-4d07-8af9-b141a898a535", - "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "guid": "ec723923-7a15-42d6-ac5e-402925387e5c", + "link": "https://www.microsoft.com/research/project/guidelines-for-human-ai-interaction/", "service": "Azure OpenAI", "severity": "Média", - "text": "Use técnicas de engenharia rápida para melhorar a precisão das respostas do LLM", + "text": "Revise as considerações nas diretrizes do kit de ferramentas HAI e aplique essas práticas de interação para a análise", "waf": "Excelência Operacional" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "e737897e-71ca-47da-acfa-962a1594946d", - 
"link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "guid": "7f154e3a-a369-4282-ae7e-316183687a04", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/business-continuity-disaster-recovery", "service": "Azure OpenAI", "severity": "Média", - "text": "Equipe vermelha de seus aplicativos GenAI", - "waf": "Segurança" + "text": "Implantar modelos ajustados separados entre regiões se o ajuste fino for empregado", + "waf": "Fiabilidade" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", - "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "guid": "77a1f893-5bda-4433-84f2-4811633182ba", + "link": "https://learn.microsoft.com/azure/backup/backup-overview", "service": "Azure OpenAI", "severity": "Média", - "text": "Forneça aos usuários finais opções de pontuação para respostas LLM e acompanhe essas pontuações. ", - "waf": "Excelência Operacional" + "text": "Faça backup e replique regularmente dados críticos para garantir a disponibilidade e a capacidade de recuperação dos dados em caso de perda de dados ou falhas do sistema. 
Aproveite os serviços de backup e recuperação de desastre do Azure para proteger seus dados.", + "waf": "Fiabilidade" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", - "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "guid": "95b96ad8-844c-4e3b-8b38-b876ba2cf204", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", "service": "Azure OpenAI", "severity": "Alto", - "text": "Considere as práticas de gerenciamento de cotas", - "waf": "Otimização de custos" + "text": "As camadas de serviço de pesquisa de IA do Azure devem ser escolhidas para ter um SLA ", + "waf": "Fiabilidade" }, { "arm-service": "Microsoft.CognitiveServices/accounts", "checklist": "Azure OpenAI Review", - "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", - "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "guid": "99013a5d-3ce4-474d-acbd-8682a6abca2a", + "link": "https://learn.microsoft.com/purview/purview", "service": "Azure OpenAI", - "severity": "Média", - "text": "Use soluções de balanceador de carga, como gateway baseado em APIM, para balancear carga e capacidade entre serviços e regiões", - "waf": "Excelência Operacional" + "severity": "Baixo", + "text": "Classifique os dados e a confidencialidade, rotulando com o Microsoft Purview antes de gerar as inserções e certifique-se de tratar as inserções geradas com a mesma confidencialidade e classificação", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": 
"Azure OpenAI Review", + "guid": "4fda1dbf-3dd9-45d4-ac7c-891dca1f6d56", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/use-your-data-securely", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Selecione o plano de hospedagem de aplicativo lógico certo com base em seus requisitos de negócios e SLO", - "waf": "Fiabilidade" + "text": "Criptografar dados usados para RAG com criptografia SSE/Disco com BYOK opcional", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "59ae558b-937d-4498-9e11-12dbd7ba012f", + "link": "https://learn.microsoft.com/azure/search/search-security-overview", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Proteja aplicativos lógicos contra falhas de região com redundância de zona e zonas de disponibilidade", - "waf": "Fiabilidade" + "text": "Certifique-se de que o TLS seja aplicado para dados em trânsito entre fontes de dados, pesquisa de IA usada para RG (Geração Aumentada por Recuperação) e comunicação LLM", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7b94ef6e-047d-42ea-8992-b1cd6e2054b2", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", - "waf": "Fiabilidade" + "text": "Use o RBAC para gerenciar o acesso aos serviços do OpenAI do Azure. Atribua permissões apropriadas aos usuários e restrinja o acesso com base em suas funções e responsabilidades", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", - "severity": "Alto", - "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", - "waf": "Fiabilidade" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9769e4a6-91e8-4838-ac93-6667e13c0056", + "link": "https://learn.microsoft.com/azure/security/fundamentals/data-encryption-best-practices", + "service": "Azure OpenAI", + "severity": "Média", + "text": "Implemente técnicas de criptografia, mascaramento ou redação de dados para ocultar dados confidenciais ou substituí-los por valores ofuscados em ambientes de não produção ou ao compartilhar dados para fins de teste ou solução de problemas", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", - "severity": "Média", - "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código de Aplicativo Lógico", - "waf": "Operações" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App 
Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", - "severity": "Baixo", - "text": "Consulte a arquitetura de aplicativo Web com redundância de zona altamente disponível da linha de base para obter as práticas recomendadas", - "waf": "Fiabilidade" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", - "severity": "Média", - "text": "Use as camadas Premium e Standard. Esses níveis oferecem suporte a slots de preparo e backups automatizados.", - "waf": "Fiabilidade" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "74b1e945-b459-4837-be7a-d6c6d3b375a5", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Aproveite as zonas de disponibilidade quando aplicável regionalmente (requer a camada Premium v2 ou v3)", - "waf": "Fiabilidade" + "text": "Utilize o Azure Defender para detectar e responder a ameaças de segurança e configurar mecanismos de monitoramento e alerta para identificar atividades suspeitas ou violações. 
Aproveite o Azure Sentinel para detecção e resposta avançadas a ameaças", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c7acbe48-abe5-44cd-99f2-e87768468c55", + "link": "https://techcommunity.microsoft.com/t5/azure-storage-blog/managing-long-term-log-retention-or-any-business-data/ba-p/2494791", + "service": "Azure OpenAI", "severity": "Média", - "text": "Implementar verificações de integridade", - "waf": "Fiabilidade" + "text": "Estabeleça políticas de retenção e descarte de dados para cumprir os regulamentos de conformidade. Implemente métodos de exclusão segura para dados que não são mais necessários e mantenha uma trilha de auditoria das atividades de retenção e descarte de dados", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a9c27d9c-42bb-46bd-8c69-99a246f3389a", + "link": "https://learn.microsoft.com/azure/ai-services/content-safety/concepts/jailbreak-detection", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Consulte as práticas recomendadas de backup e restauração para o Serviço de Aplicativo do Azure", - "waf": "Fiabilidade" + "text": "Implementar proteções imediatas e detecção de aterramento usando a Segurança de conteúdo ", + "waf": "Excelência Operacional" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": 
"e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a775c6ee-95b9-46ad-a844-ce3b2b38b876", + "link": "https://learn.microsoft.com/azure/compliance/", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Implementar práticas recomendadas de confiabilidade do Serviço de Aplicativo do Azure", - "waf": "Fiabilidade" + "text": "Garanta a conformidade com os regulamentos de proteção de dados relevantes, como GDPR ou HIPAA, implementando controles de privacidade e obtendo os consentimentos ou permissões necessários para atividades de processamento de dados.", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "severity": "Baixo", - "text": "Familiarizar-se com como mover um aplicativo do Serviço de Aplicativo para outra região durante um desastre", - "waf": "Fiabilidade" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ba2cf204-9901-43a5-b3ce-474dccbd8682", + "service": "Azure OpenAI", + "severity": "Média", + "text": "Eduque seus funcionários sobre as melhores práticas de segurança de dados, a importância de lidar com dados com segurança e os possíveis riscos associados a violações de dados. 
Incentive-os a seguir os protocolos de segurança de dados diligentemente.", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "eae01e6e-842e-452f-9721-d928c1b1cd52", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Familiarizar-se com o suporte de confiabilidade no Serviço de Aplicativo do Azure", - "waf": "Fiabilidade" + "text": "Mantenha os dados de produção separados dos dados de desenvolvimento e teste. Use apenas dados confidenciais reais na produção e utilize dados anônimos ou sintéticos em ambientes de desenvolvimento e teste.", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1e54a29a-9de3-499c-bd7b-28dc93555620", + "service": "Azure OpenAI", "severity": "Média", - "text": "Verifique se \"Sempre Ativo\" está habilitado para Aplicativos de Função em execução em um plano de serviço de aplicativo", - "waf": "Fiabilidade" + "text": "Se você tiver níveis variados de confidencialidade de dados, considere criar índices separados para cada nível. 
Por exemplo, você pode ter um índice para dados gerais e outro para dados confidenciais, cada um regido por diferentes protocolos de acesso", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2bfe4564-b0d8-434a-948b-263e6dd60512", + "service": "Azure OpenAI", "severity": "Média", - "text": "Monitorar instâncias do Serviço de Aplicativo usando verificações de integridade", - "waf": "Fiabilidade" + "text": "Leve a segregação um passo adiante, colocando conjuntos de dados confidenciais em diferentes instâncias do serviço. Cada instância pode ser controlada com seu próprio conjunto específico de políticas RBAC", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", - "severity": "Média", - "text": "Monitorar a disponibilidade e a capacidade de resposta do aplicativo Web ou site usando testes de disponibilidade do Application Insights", - "waf": "Fiabilidade" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "a36498f6-dbad-438e-ad53-cc7ce1d7aaab", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Reconheça que incorporações e vetores gerados a partir de informações confidenciais são eles próprios sensíveis. 
Esses dados devem receber as mesmas medidas de proteção que o material de origem", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", - "severity": "Baixo", - "text": "Usar o teste Application Insights Standard para monitorar a disponibilidade e a capacidade de resposta do aplicativo Web ou site", - "waf": "Fiabilidade" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3571449a-b805-43d8-af89-dc7b33be2a1a", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Aplique o RBAC aos armazenamentos de dados com incorporações e vetores e acesso ao escopo com base nos requisitos de acesso da função", + "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use o Cofre de Chaves do Azure para armazenar quaisquer segredos de que o aplicativo precisa. 
O Cofre de Chaves fornece um ambiente seguro e auditado para armazenar segredos e está bem integrado ao Serviço de Aplicativo por meio do SDK do Cofre de Chaves ou das Referências do Cofre de Chaves do Serviço de Aplicativo.", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "27f7b9e9-1be1-4f38-aef3-9812bd463cbb", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-openai-private-endpoints-connecting-across-vnet-s/ba-p/3913325", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Usar o Cofre de Chaves para armazenar segredos", + "text": "Configurar o ponto de extremidade privado para serviços de IA para restringir o acesso ao serviço em sua rede", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use uma Identidade Gerenciada para se conectar ao Cofre de Chaves usando o SDK do Cofre de Chaves ou por meio das Referências do Cofre de Chaves do Serviço de Aplicativo.", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "ac8ac199-ebb9-41a3-9d90-cae2cc881370", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Usar a Identidade Gerenciada para se conectar ao Cofre de Chaves", + "text": "Imponha um controle estrito de tráfego de entrada e saída com o Firewall do Azure e UDRs e limite os pontos de integração externos", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Armazene o certificado TLS do Serviço de Aplicativo no Cofre de 
Chaves.", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6f7c0cba-fe51-4464-add4-57e927138b82", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Use o Cofre de Chaves para armazenar o certificado TLS.", + "text": "Implemente segmentação de rede e controles de acesso para restringir o acesso ao aplicativo LLM apenas a usuários e sistemas autorizados e evitar movimentos laterais", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Os sistemas que processam informações confidenciais devem ser isolados. Para fazer isso, use Planos do Serviço de Aplicativo ou Ambientes do Serviço de Aplicativo separados e considere o uso de assinaturas ou grupos de gerenciamento diferentes.", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "7f42c78e-78cb-46a2-8ad1-90916e6a8d8f", + "link": "https://www.microsoft.com/research/blog/llmlingua-innovating-llm-efficiency-with-prompt-compression/", + "service": "Azure OpenAI", "severity": "Média", - "text": "Isolar sistemas que processam informações confidenciais", + "text": "Use ferramentas de compactação imediatas como LLMLingua ou gprtrim", + "waf": "Otimização de custos" + }, + { + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1102cac6-eae0-41e6-b842-e52f4721d928", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/managed-identity", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Certifique-se de que as APIs e os endpoints usados 
pelo aplicativo LLM estejam devidamente protegidos com mecanismos de autenticação e autorização, como identidades gerenciadas, chaves de API ou OAuth, para impedir o acesso não autorizado.", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Os discos locais no Serviço de Aplicativo não são criptografados e os dados confidenciais não devem ser armazenados neles. (Por exemplo: D:\\\\Local e %TMP%).", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "c1b1cd52-1e54-4a29-a9de-399cfd7b28dc", + "link": "https://techcommunity.microsoft.com/t5/azure-architecture-blog/security-best-practices-for-genai-applications-openai-in-azure/ba-p/4027885", + "service": "Azure OpenAI", "severity": "Média", - "text": "Não armazene dados confidenciais no disco local", + "text": "Aplique mecanismos fortes de autenticação do usuário final, como autenticação multifator, para impedir o acesso não autorizado ao aplicativo LLM e aos recursos de rede associados", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Para aplicativos Web autenticados, use um Provedor de Identidade bem estabelecido, como o Azure AD ou o Azure AD B2C. 
Aproveite a estrutura de aplicativo de sua escolha para se integrar a esse provedor ou use o recurso de Autenticação/Autorização do Serviço de Aplicativo.", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "93555620-2bfe-4456-9b0d-834a348b263e", + "service": "Azure OpenAI", "severity": "Média", - "text": "Usar um provedor de identidade estabelecido para autenticação", + "text": "Implemente ferramentas de monitoramento de rede para detectar e analisar o tráfego de rede em busca de atividades suspeitas ou maliciosas. Habilite o registro para capturar eventos de rede e facilitar a análise forense em caso de incidentes de segurança", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Implante código no Serviço de Aplicativo a partir de um ambiente controlado e confiável, como um pipeline de implantação de DevOps bem gerenciado e seguro. 
Isso evita que o código que não foi controlado por versão e verificado para ser implantado a partir de um host mal-intencionado.", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", - "severity": "Alto", - "text": "Implantar a partir de um ambiente confiável", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6dd60512-a364-498f-9dba-d38ead53cc7c", + "service": "Azure OpenAI", + "severity": "Média", + "text": "Realize auditorias de segurança e testes de penetração para identificar e resolver quaisquer pontos fracos ou vulnerabilidades de segurança de rede na infraestrutura de rede do aplicativo LLM", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Desative a autenticação básica para FTP/FTPS e WebDeploy/SCM. Isso desabilita o acesso a esses serviços e impõe o uso de pontos de extremidade protegidos do Azure AD para implantação. 
Observe que o site do SCM também pode ser aberto usando credenciais do Azure AD.", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", - "severity": "Alto", - "text": "Desabilitar a autenticação básica", - "waf": "Segurança" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e1d7aaab-3571-4449-ab80-53d89f89dc7b", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/tag-resources?tabs=json", + "service": "Azure OpenAI", + "severity": "Baixo", + "text": "Os Serviços de IA do Azure são marcados corretamente para melhor gerenciamento", + "waf": "Excelência Operacional" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Sempre que possível, use a Identidade Gerenciada para se conectar aos recursos protegidos do Azure AD. 
Se isso não for possível, armazene segredos no Cofre de Chaves e conecte-se ao Cofre de Chaves usando uma Identidade Gerenciada.", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", - "severity": "Alto", - "text": "Usar a Identidade Gerenciada para se conectar a recursos", - "waf": "Segurança" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations", + "service": "Azure OpenAI", + "severity": "Baixo", + "text": "As contas do Serviço de IA do Azure seguem as convenções de nomenclatura organizacional", + "waf": "Excelência Operacional" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Onde estiver usando imagens armazenadas no Registro de Contêiner do Azure, extraia-as usando uma Identidade Gerenciada.", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://learn.microsoft.com/azure/ai-services/diagnostic-logging", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Extrair contêineres usando uma identidade gerenciada", - "waf": "Segurança" + "text": "Os logs de diagnóstico nos recursos de serviços de IA do Azure devem ser habilitados", + "waf": "Excelência Operacional" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Ao definir as configurações de diagnóstico do Serviço de 
Aplicativo, você pode enviar toda a telemetria para o Log Analytics como o destino central para registro em log e monitoramento. Isso permite que você monitore a atividade de tempo de execução do Serviço de Aplicativo, como logs HTTP, logs de aplicativos, logs de plataforma, ...", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", - "severity": "Média", - "text": "Enviar logs de tempo de execução do Serviço de Aplicativo para o Log Analytics", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/ai-services/authentication", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Recomenda-se que o acesso à chave (autenticação local) seja desabilitado por segurança. Depois de desabilitar o acesso baseado em chave, o Microsoft Entra ID se torna o único método de acesso, o que permite manter o princípio de privilégio mínimo e o controle granular. ", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Configure uma configuração de diagnóstico para enviar o log de atividades para o Log Analytics como o destino central para registro e monitoramento. 
Isso permite que você monitore a atividade do plano de controle no próprio recurso do Serviço de Aplicativo.", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", - "severity": "Média", - "text": "Enviar logs de atividade do Serviço de Aplicativo para o Log Analytics", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "6b57cfc6-5546-41e1-a3e3-453a3c863964", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Armazene e gerencie chaves com segurança usando o Azure Key Vault. Evite codificar ou inserir chaves confidenciais no código do aplicativo LLM e recuperá-las com segurança do Azure Key Vault usando identidades gerenciadas", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Controle o acesso à rede de saída usando uma combinação de integração regional de VNet, grupos de segurança de rede e UDR's. O tráfego deve ser roteado para um NVA, como o Firewall do Azure. 
Certifique-se de monitorar os logs do Firewall.", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", - "severity": "Média", - "text": "O acesso à rede de saída deve ser controlado", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "8b652d6c-15f5-4129-9539-8e6ded227dd1", + "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Gire e expire regularmente as chaves armazenadas no Azure Key Vault para minimizar o risco de acesso não autorizado.", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Você pode fornecer um IP de saída estável usando a integração de rede virtual e um gateway NAT de rede virtual ou um NVA como o Firewall do Azure. Isso permite que a parte receptora permita uma lista com base no IP, caso seja necessário. Observe que, para comunicações com os Serviços do Azure, geralmente não há necessidade de depender do endereço IP e mecânicas como Pontos de Extremidade de Serviço devem ser usadas. 
(Além disso, o uso de pontos de extremidade privados na extremidade de recebimento evita que o SNAT aconteça e fornece um intervalo de IP de saída estável.)", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", - "severity": "Baixo", - "text": "Garantir um IP estável para comunicações de saída para endereços de Internet", - "waf": "Segurança" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "adfe27be-e297-401a-a352-baaab79b088d", + "link": "https://github.com/openai/tiktoken", + "service": "Azure OpenAI", + "severity": "Alto", + "text": "Use tiktoken para entender os tamanhos de token para otimizações de token no modo de conversação", + "waf": "Otimização de custos" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Controle o acesso à rede de entrada usando uma combinação de Restrições de Acesso do Serviço de Aplicativo, Pontos de Extremidade de Serviço ou Pontos de Extremidade Privados. 
Diferentes restrições de acesso podem ser necessárias e configuradas para o próprio aplicativo Web e o site do SCM.", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "42b06c21-d799-49a6-96f4-389a7f42c78e", + "link": "https://learn.microsoft.com/azure/security/develop/secure-dev-overview", + "service": "Azure OpenAI", "severity": "Alto", - "text": "O acesso à rede de entrada deve ser controlado", + "text": "Siga práticas de codificação segura para evitar vulnerabilidades comuns, como ataques de injeção, cross-site scripting (XSS) ou configurações incorretas de segurança", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Proteja-se contra tráfego de entrada mal-intencionado usando um Firewall de Aplicativo Web, como o Gateway de Aplicativo ou o Azure Front Door. 
Certifique-se de monitorar os logs do WAF.", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "78c06a73-a22a-4495-9e6a-8dc4a20e27c3", + "link": "https://learn.microsoft.com/azure/devops/repos/security/github-advanced-security-dependency-scanning?view=azure-devops", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Usar um WAF na frente do Serviço de Aplicativo", + "text": "Configure um processo para atualizar e corrigir regularmente as bibliotecas LLM e outros componentes do sistema", "waf": "Segurança" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Certifique-se de que o WAF não pode ser ignorado bloqueando o acesso apenas ao WAF. Use uma combinação de Restrições de Acesso, Pontos de Extremidade de Serviço e Pontos de Extremidade Privados.", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e29711b1-352b-4eee-879b-588defc4972c", + "link": "https://learn.microsoft.com/legal/cognitive-services/openai/code-of-conduct", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Evite que o WAF seja ignorado", - "waf": "Segurança" + "text": "Aderir aos termos de uso, políticas e diretrizes do Azure OpenAI ou de outros LLMs e casos de uso permitidos", + "waf": "Excelência Operacional" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Defina a política TLS mínima como 1.2 na configuração do Serviço de Aplicativo.", - "graph": "appserviceresources | where type =~ 
'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d3cd21bf-7703-46e5-b6b4-bed3d503547c", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs#base-series-and-codex-series-fine-tuned-models", + "service": "Azure OpenAI", "severity": "Média", - "text": "Definir a política TLS mínima como 1.2", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Configure o Serviço de Aplicativo para usar somente HTTPS. Isso faz com que o Serviço de Aplicativo redirecione de HTTP para HTTPS. Considere fortemente o uso de HTTP Strict Transport Security (HSTS) em seu código ou a partir de seu WAF, que informa aos navegadores que o site só deve ser acessado usando HTTPS.", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", - "severity": "Alto", - "text": "Usar somente HTTPS", - "waf": "Segurança" + "text": "Entender a diferença no custo de modelos básicos e modelos ajustados e tamanhos de etapa de token", + "waf": "Otimização de custos" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Não use curingas em sua configuração do CORS, pois isso permite que todas as origens acessem o serviço (derrotando assim o propósito do CORS). 
Especificamente, permita apenas as origens que você espera poder acessar o serviço.", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "1347dc56-028a-471f-be1c-e15dd3f0d5e7", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/latency#batching", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Curingas não devem ser usados para CORS", - "waf": "Segurança" + "text": "Solicitações em lote, sempre que possível, para minimizar a sobrecarga por chamada, o que pode reduzir os custos gerais. Certifique-se de otimizar o tamanho do lote", + "waf": "Otimização de custos" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "A depuração remota não deve ser ativada na produção, pois isso abre portas adicionais no serviço, o que aumenta a superfície de ataque. 
Observe que o serviço ativa a depuração remota automaticamente após 48 horas.", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", - "severity": "Alto", - "text": "Desativar a depuração remota", - "waf": "Segurança" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "72d41e36-11cc-457b-9a4b-1410d43958a8", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/manage-costs", + "service": "Azure OpenAI", + "severity": "Média", + "text": "Configure um sistema de rastreamento de custos que monitore o uso do modelo e use essas informações para ajudar a informar as escolhas do modelo e solicitar tamanhos", + "waf": "Otimização de custos" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Habilite o Defender para o Serviço de Aplicativo. Isso (entre outras ameaças) detecta comunicações com endereços IP mal-intencionados conhecidos. 
Analise as recomendações do Defender for App Service como parte de suas operações.", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "166cd072-af9b-4141-a898-a535e737897e", + "link": "https://learn.microsoft.com/azure/ai-services/openai/how-to/quota?tabs=rest#understanding-rate-limits", + "service": "Azure OpenAI", "severity": "Média", - "text": "Habilitar o Defender for Cloud - Defender for App Service", - "waf": "Segurança" + "text": "Defina um limite máximo para o número de tokens por resposta do modelo. Otimize o tamanho para garantir que seja grande o suficiente para uma resposta válida", + "waf": "Otimização de custos" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "O Azure fornece proteção contra DDoS Basic em sua rede, que pode ser aprimorada com recursos inteligentes de DDoS Standard que aprendem sobre padrões normais de tráfego e podem detectar comportamentos incomuns. 
O DDoS Standard se aplica a uma Rede Virtual, portanto, ele deve ser configurado para o recurso de rede na frente do aplicativo, como o Application Gateway ou um NVA.", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "71ca7da8-cfa9-462a-8594-946da97dc3a2", + "link": "https://learn.microsoft.com/azure/search/search-reliability", + "service": "Azure OpenAI", "severity": "Média", - "text": "Habilitar o padrão de proteção DDOS na rede virtual WAF", - "waf": "Segurança" + "text": "Examine as diretrizes fornecidas sobre como configurar a pesquisa de IA para confiabilidade", + "waf": "Excelência Operacional" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Ao usar imagens armazenadas no Registro de Contêiner do Azure, extraia-as por uma rede virtual do Registro de Contêiner do Azure usando seu ponto de extremidade privado e a configuração do aplicativo 'WEBSITE_PULL_IMAGE_OVER_VNET'.", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", - "severity": "Média", - "text": "Extrair contêineres por uma rede virtual", - "waf": "Segurança" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Realizar um teste de penetração na aplicação web seguindo as regras de teste de penetração de engajamento.", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": 
"3266b225-86f4-4a16-92bd-ddea8a487cde", + "link": "https://learn.microsoft.com/azure/search/vector-search-index-size?tabs=portal-vector-quota", + "service": "Azure OpenAI", "severity": "Média", - "text": "Realizar um teste de penetração", - "waf": "Segurança" + "text": "Planejar e gerenciar o armazenamento de vetores do AI Search", + "waf": "Excelência Operacional" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Implante código confiável que foi validado e verificado em busca de vulnerabilidades de acordo com as práticas de DevSecOps.", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "b4861bc3-bc14-4aeb-9e66-e8d9a3aec218", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/how-to-end-to-end-llmops-with-prompt-flow?view=azureml-api-2", + "service": "Azure OpenAI", "severity": "Média", - "text": "Implantar código validado", - "waf": "Segurança" + "text": "Aplique as práticas do LLMOps para automatizar o gerenciamento do ciclo de vida de seus aplicativos GenAI", + "waf": "Excelência Operacional" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Use as versões mais recentes de plataformas, linguagens de programação, protocolos e estruturas suportadas.", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "aa80932c-8ec9-4d1b-a770-26e5e6beba9e", + "link": 
"https://learn.microsoft.com/azure/ai-services/openai/how-to/provisioned-throughput-onboarding#understanding-the-provisioned-throughput-purchase-model", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Use plataformas, linguagens, protocolos e frameworks atualizados", - "waf": "Segurança" + "text": "Avalie o uso de modelos de faturamento - PAYG vs PTU", + "waf": "Otimização de custos" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e6436b07-36db-455f-9796-03334bdf9cc2", + "link": "https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/how-to-control-azure-openai-models/ba-p/4146793", + "service": "Azure OpenAI", "severity": "Média", - "text": "Use um locatário do Entra para gerenciar seus recursos do Azure, a menos que você tenha um requisito regulatório ou comercial claro para multilocatários.", - "waf": "Operações" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "Baixo", - "text": "Use a abordagem de Automação Multilocatário para gerenciar seus locatários de ID do Microsoft Entra.", - "waf": "Operações" + "text": "Avaliar a qualidade de prompts e aplicativos ao alternar entre versões de modelo", + "waf": "Excelência Operacional" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", - "severity": "Alto", - "text": "Use 
o Azure Lighthouse para gerenciamento de vários locatários com as mesmas IDs.", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", - "waf": "Operações" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "3418db61-2712-4650-9bb4-7a393a080327", + "link": "https://learn.microsoft.com/azure/machine-learning/prompt-flow/concept-model-monitoring-generative-ai-evaluation-metrics?view=azureml-api-2", + "service": "Azure OpenAI", + "severity": "Média", + "text": "Avalie, monitore e refine seus aplicativos GenAI para recursos como fundamentação, relevância, precisão, coerência, fluência,", + "waf": "Excelência Operacional" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - "service": "Entra", - "severity": "Alto", - "text": "Se você conceder a um parceiro acesso para administrar seu locatário, use o Azure Lighthouse.", - "waf": "Custar" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "294798b1-578b-4219-a46c-eb5443513592", + "service": "Azure OpenAI", + "severity": "Média", + "text": "Avaliar os resultados do Azure AI Search com base em diferentes parâmetros de pesquisa", + "waf": "Excelência Operacional" }, { - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", - "severity": "Alto", - "text": "Aplique um modelo RBAC que se alinhe ao seu modelo operacional de nuvem. 
Escopo e Atribuição entre Grupos de Gerenciamento e Assinaturas.", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "Segurança" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "2744293b-b628-4537-a551-19b08e8f5854", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/fine-tuning-considerations", + "service": "Azure OpenAI", + "severity": "Média", + "text": "Olhe para os modelos de ajuste fino como forma de aumentar a precisão somente quando você tiver tentado outras abordagens básicas, como engenharia rápida e RAG com seus dados", + "waf": "Excelência Operacional" }, { - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", - "severity": "Alto", - "text": "Use apenas o tipo de autenticação Conta corporativa ou de estudante para todos os tipos de conta. 
Evite usar a conta da Microsoft", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", - "waf": "Segurança" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "287d9cec-166c-4d07-8af9-b141a898a535", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/advanced-prompt-engineering?pivots=programming-language-chat-completions", + "service": "Azure OpenAI", + "severity": "Média", + "text": "Use técnicas de engenharia rápida para melhorar a precisão das respostas do LLM", + "waf": "Excelência Operacional" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "e737897e-71ca-47da-acfa-962a1594946d", + "link": "https://learn.microsoft.com/azure/ai-services/openai/concepts/red-teaming", + "service": "Azure OpenAI", "severity": "Média", - "text": "Use apenas grupos para atribuir permissões. 
Adicione grupos locais ao grupo Somente ID do Entra se um sistema de gerenciamento de grupo já estiver em vigor.", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "Equipe vermelha de seus aplicativos GenAI", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", - "severity": "Alto", - "text": "Imponha políticas de Acesso Condicional da ID do Microsoft Entra para qualquer usuário com direitos a ambientes do Azure.", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", - "waf": "Segurança" + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "edb117e6-76aa-4f66-aca4-8e5a95f2223e", + "link": "https://www.microsoft.com/haxtoolkit/guideline/encourage-granular-feedback/", + "service": "Azure OpenAI", + "severity": "Média", + "text": "Forneça aos usuários finais opções de pontuação para respostas LLM e acompanhe essas pontuações. 
", + "waf": "Excelência Operacional" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "d5f3547c-c346-4d81-9028-a71ffe1b9b5d", + "link": "https://techcommunity.microsoft.com/t5/fasttrack-for-azure/optimizing-azure-openai-a-guide-to-limits-quotas-and-best/ba-p/4076268", + "service": "Azure OpenAI", "severity": "Alto", - "text": "Imponha a autenticação multifator para qualquer usuário com direitos aos ambientes do Azure.", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", - "waf": "Segurança" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", - "severity": "Média", - "text": "Imponha o Microsoft Entra ID Privileged Identity Management (PIM) para estabelecer acesso permanente zero e privilégios mínimos.", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Segurança" + "text": "Considere as práticas de gerenciamento de cotas", + "waf": "Otimização de custos" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview", - "service": "Entra", + "arm-service": "Microsoft.CognitiveServices/accounts", + "checklist": "Azure OpenAI Review", + "guid": "9de0d5d7-31d4-41e3-911c-817bfafbc410", + "link": "https://github.com/Azure/aoai-apim/blob/main/README.md", + "service": "Azure OpenAI", "severity": "Média", - "text": "Se estiver planejando alternar dos Serviços de Domínio Active Directory para os serviços de 
domínio Entra, avalie a compatibilidade de todas as cargas de trabalho.", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "Segurança" + "text": "Use soluções de balanceador de carga, como gateway baseado em APIM, para balancear carga e capacidade entre serviços e regiões", + "waf": "Excelência Operacional" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "severity": "Média", - "text": "Integre os logs de ID do Microsoft Entra com o Azure Monitor central da plataforma. O Azure Monitor permite uma única fonte de verdade sobre dados de log e monitoramento no Azure, oferecendo às organizações opções nativas de nuvem para atender aos requisitos de coleta e retenção de logs.", - "waf": "Segurança" + "text": "Aproveite o servidor flexível", + "waf": "Fiabilidade" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", "severity": "Alto", - "text": "Implemente um acesso de emergência ou contas de emergência para evitar o bloqueio de conta em todo o locatário.", - "training": 
"https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "Segurança" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", - "severity": "Média", - "text": "Não use contas sincronizadas locais para atribuições de função de ID do Microsoft Entra, a menos que você tenha um cenário que exija isso especificamente.", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", - "waf": "Segurança" + "text": "Aproveite as zonas de disponibilidade quando aplicável regionalmente", + "waf": "Fiabilidade" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", - "service": "Entra", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "severity": "Média", - "text": "Ao usar o Proxy de Aplicativo de ID do Microsoft Entra para fornecer acesso de usuários remotos a aplicativos, gerencie-o como um recurso da plataforma, pois você só pode ter uma instância por locatário.", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", - "waf": "Segurança" + "text": "Aproveite a replicação de dados para cenários de DR entre regiões", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", - "service": "VNet", - "severity": "Média", - "text": "Use uma topologia de rede hub-and-spoke para cenários de rede que exigem flexibilidade máxima.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Segurança" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Regras de coleta de dados no Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", - "service": "VNet", - "severity": "Alto", - "text": "Implante serviços de rede compartilhados, incluindo gateways do ExpressRoute, gateways de VPN e Firewall do Azure ou NVAs de parceiros na rede virtual do hub central. 
Se necessário, implante também serviços DNS.", + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", + "text": "Verificar instâncias de backup com a fonte de dados subjacente não encontrada", "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "VNet", - "severity": "Alto", - "text": "Use um plano de proteção de IP ou rede DDoS para todos os endereços IP públicos nas zonas de destino do aplicativo.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Segurança" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "text": "Excluir ou arquivar serviços não associados (discos, nics, endereços IP etc.)", + "waf": "Custar" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", - "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", - "service": "NVA", - "severity": "Média", - "text": "Ao implantar tecnologias de rede de parceiros ou NVAs, siga as diretrizes do fornecedor do parceiro.", - "waf": "Fiabilidade" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "Considere um bom equilíbrio entre recuperação de local, armazenamento e backup para aplicativos não essenciais", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", - "service": "ExpressRoute", - "severity": "Baixo", - "text": "Se você precisar de trânsito entre o ExpressRoute e os gateways de VPN em cenários hub e spoke, use o Servidor de Rota do Azure.", - "waf": "Segurança" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "Verifique os gastos e as oportunidades de economia entre os 40 diferentes espaços de trabalho de análise de log - use retenção e coleta de dados diferentes para espaços de trabalho não prod - crie limite diário para reconhecimento e dimensionamento de camadas - Se você definir um limite diário, além de criar um alerta quando o limite for atingido, certifique-se de também criar uma regra de alerta para ser notificado quando alguma porcentagem for atingida (90%, por exemplo). 
- considerar a transformação do espaço de trabalho, se possível - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualHubs", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", - "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", - "service": "ARS", - "severity": "Baixo", - "text": "Se estiver usando o Servidor de Roteamento, use um prefixo /27 para a sub-rede do Servidor de Roteamento.", - "waf": "Segurança" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", + "text": "Impor uma política de log de limpeza e automação (se necessário, os logs podem ser movidos para armazenamento frio)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", - "link": 
"https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", - "service": "VNet", - "severity": "Média", - "text": "Para arquiteturas de rede com várias topologias hub-and-spoke em regiões do Azure, use emparelhamentos de rede virtual global entre as VNets do hub para conectar as regiões entre si.", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", - "waf": "Desempenho" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "Verifique se os discos são realmente necessários, se não: excluir. Se forem necessários, encontre níveis de armazenamento mais baixos ou use backup -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", - "service": "VNet", - "severity": "Média", - "text": "Use o Azure Monitor para Redes para monitorar o estado de ponta a ponta das redes no Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "Operações" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "text": "Considere mover o 
armazenamento não utilizado para o nível inferior, com regra personalizada - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure ", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", - "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "Média", - "text": "Se você tiver mais de 400 redes spoke em uma região, implante um hub adicional para ignorar os limites de emparelhamento VNet (500) e o número máximo de prefixos que podem ser anunciados por meio do ExpressRoute (1000).", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "text": "Verifique se o Advisor está configurado para o dimensionamento correto da VM ", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", - "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", - "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", - "service": "VNet", - "severity": "Média", - "text": "Limite o número de rotas por tabela de rotas a 400.", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "description": "verifique pesquisando as Licenças de Categoria de Medidor na Análise de Custos", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "text": "executar o script em todas as VMs do Windows https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server- considere implementar uma diretiva se as VMs do Windows forem criadas com frequência", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", - "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", - "service": "VNet", - "severity": "Alto", - "text": "Use a configuração 'Permitir tráfego para rede virtual remota' ao configurar emparelhamentos VNet.", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", 
+ "service": "VM", + "text": " isso também pode ser colocado no AHUB se você já tiver licenças https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", - "service": "ExpressRoute", - "severity": "Média", - "text": "Quando você estiver usando o ExpressRoute Direct, configure o MACsec para criptografar o tráfego no nível da camada dois entre os roteadores da organização e o MSEE. O diagrama mostra essa criptografia no fluxo.", - "waf": "Segurança" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", + "text": "Consolidar famílias de VM reservadas com opção de flexibilidade (não mais do que 4-5 famílias)", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", - "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", - "service": "ExpressRoute", - "severity": "Média", - "text": "Para cenários em que o MACsec não é uma opção (por exemplo, não usando o ExpressRoute Direct), use um gateway de VPN para estabelecer túneis IPsec no emparelhamento privado do ExpressRoute.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", - "waf": "Segurança" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost 
Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "text": "Utilize instâncias reservadas do Azure: esse recurso permite reservar VMs por um período de 1 ou 3 anos, proporcionando uma economia significativa em comparação com os preços do PAYG.", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "558fd772-49b8-4211-82df-27ee412e7f98", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Verifique se nenhum espaço de endereço IP sobreposto entre regiões do Azure e locais é usado.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Segurança" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "text": "Somente discos maiores podem ser reservados => 1 TiB -", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", - "guid": 
"3f630472-2dd6-49c5-a5c2-622f54b69bad", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "Média", - "text": "Use endereços IP dos intervalos de alocação de endereços para Internets privadas (RFC 1918).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Segurança" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "text": "Após a otimização do dimensionamento correto", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant", - "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "VNet", - "severity": "Alto", - "text": "Certifique-se de que o espaço de endereço IP não seja desperdiçado, não crie redes virtuais desnecessariamente grandes (por exemplo, /16).", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Desempenho" + "arm-service": "Microsoft.Sql/servers", + "checklist": "Cost Optimization Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": 
"https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "text": "Verifique se aplicável e aplique a política/alteração https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", - "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", - "service": "VNet", - "severity": "Alto", - "text": "Não use intervalos de endereços IP sobrepostos para sites de produção e recuperação de desastres.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", + "text": "O desconto da peça de licença VM + (ahub + 3YRI) é de cerca de 70% de desconto", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", - "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", - "service": "DNS", - "severity": "Média", - "text": "Para ambientes em que a resolução de nomes no Azure é tudo o que é necessário, use o DNS Privado do Azure para resolução com uma zona delegada para resolução de nomes (como 'azure.contoso.com').", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operações" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization 
Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "text": "Considere o uso de um VMSS para corresponder à demanda em vez de dimensionamento simples", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", - "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", - "service": "DNS", - "severity": "Média", - "text": "Para ambientes em que a resolução de nomes no Azure e no local é necessária e não há nenhum serviço DNS corporativo existente, como o Active Directory, use o Resolvedor Privado de DNS do Azure para rotear solicitações de DNS para o Azure ou para servidores DNS locais.", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", + "text": "Use o autoscaler AKS para corresponder ao uso de clusters (verifique se os requisitos dos pods correspondem ao dimensionador)", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", - "service": "DNS", - "severity": "Baixo", - "text": "Cargas de trabalho especiais que exigem e implantam seu próprio DNS (como o Red Hat OpenShift) devem usar sua solução de DNS preferida.", - "waf": "Operações" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost 
Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", + "text": "Mover pontos de recuperação para o vault-archive, quando aplicável (Validar)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/dnsZones", - "checklist": "Azure Landing Zone Review", - "guid": "614658d3-558f-4d77-849b-821112df27ee", - "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", - "service": "DNS", - "severity": "Alto", - "text": "Habilite o registro automático para o DNS do Azure para gerenciar automaticamente o ciclo de vida dos registros DNS para as máquinas virtuais implantadas em uma rede virtual.", - "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", - "waf": "Operações" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + "text": "Considere o uso de VMs spot com fallback sempre que possível. 
Considere o autotermination de clusters.", + "waf": "Custar" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", - "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", - "service": "Bastion", - "severity": "Média", - "text": "Use o Azure Bastion para se conectar com segurança à sua rede.", - "waf": "Segurança" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "Funções - Reutilizar conexões", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "Custar" }, { - "arm-service": "microsoft.network/bastionHosts", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", - "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", - "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", - "service": "Bastion", - "severity": "Média", - "text": "Use o Azure Bastion em uma sub-rede /26 ou maior.", - "waf": "Segurança" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "Funções - Armazenar dados em cache localmente", + "training": 
"https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "Custar" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", - "service": "WAF", - "severity": "Média", - "text": "Use as políticas do Azure Front Door e do WAF para fornecer proteção global entre regiões do Azure para conexões HTTP/S de entrada para uma zona de destino.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Segurança" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "Funções - Partidas a frio - Use a funcionalidade 'Executar do pacote'. Dessa forma, o código é baixado como um único arquivo zip. Isso pode, por exemplo, resultar em melhorias significativas com as funções Javascript, que possuem muitos módulos de nó. Use ferramentas específicas de linguagem para reduzir o tamanho do pacote, por exemplo, aplicativos Javascript que agitam árvores.", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "Custar" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "Baixo", - "text": "Ao usar o Azure Front Door e o Gateway de Aplicativo do Azure para ajudar a proteger aplicativos HTTP/S, use políticas WAF no Azure Front Door. 
Bloqueie o Gateway de Aplicativo do Azure para receber tráfego somente do Azure Front Door.", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "Segurança" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", + "text": "Funções - Mantenha suas funções aquecidas", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Custar" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "WAF", - "severity": "Alto", - "text": "Quando WAFs e outros proxies reversos forem necessários para conexões HTTP/S de entrada, implante-os em uma rede virtual de zona de destino e junto com os aplicativos que eles estão protegendo e expondo à Internet.", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "Segurança" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "text": "Ao usar o dimensionamento automático com funções diferentes, pode haver um que conduza todo o dimensionamento automático para todos os recursos - considere movê-lo para um plano de consumo separado (e considere um plano mais alto para a CPU)", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", - "link": 
"https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "Alto", - "text": "Use os planos de Rede ou Proteção de IP do Azure contra DDoS para ajudar a proteger os pontos de extremidade de endereços IP públicos nas redes virtuais.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Segurança" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "text": "Os aplicativos de função em um determinado plano são todos dimensionados juntos, portanto, quaisquer problemas com o dimensionamento podem afetar todos os aplicativos no plano.", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b034c01e-110b-463a-b36e-e3346e57f225", - "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", - "service": "VNet", - "severity": "Alto", - "text": "Planeje como gerenciar a configuração e a estratégia de tráfego de saída da rede antes da próxima alteração significativa. Em 30 de setembro de 2025, o acesso de saída padrão para novas implantações será desativado e somente configurações de acesso explícito serão permitidas.", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "text": "Sou cobrado por 'tempo de espera'? Essa pergunta geralmente é feita no contexto de uma função C# que faz uma operação assíncrona e aguarda o resultado, por exemplo, aguardar Task.Delay(1000) ou aguardar cliente. 
GetAsync('http://google.com'). A resposta é sim - o segundo cálculo de GB é baseado na hora de início e término da função e no uso de memória durante esse período. O que realmente acontece ao longo desse tempo em termos de atividade da CPU não é levado em consideração no cálculo. Uma exceção a essa regra é se você estiver usando funções duráveis. Você não é cobrado pelo tempo gasto em espera em funções de orquestrador.aplique técnicas de modelagem de demanda sempre que possível (ambientes de desenvolvimento?) https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "Custar" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", - "service": "VNet", - "severity": "Alto", - "text": "Adicione configurações de diagnóstico para salvar logs relacionados a DDoS para todos os endereços IP públicos protegidos (IP DDoS ou Proteção de Rede).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Segurança" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "text": "Frontdoor - Desativar a página inicial padrãoNas configurações do aplicativo do seu aplicativo, defina AzureWebJobsDisableHomepage como true. 
Isso retornará um 204 (Sem Conteúdo) para o PoP para que apenas os dados de cabeçalho sejam retornados.", + "waf": "Custar" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", - "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", - "service": "Policy", - "severity": "Alto", - "text": "Verifique se há uma atribuição de política para negar endereços IP públicos diretamente vinculados a máquinas virtuais. Use exclusões se IPs públicos forem necessários em VMs específicas.", - "waf": "Segurança" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", + "text": "Frontdoor - Rota para algo que não retorna nada. Configure uma Função, Proxy de Função ou adicione uma rota em seu WebApp que retorne 200 (OK) e envie conteúdo nulo ou mínimo. 
A vantagem disso é que você poderá fazer logout quando for chamado.", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "Considere níveis de arquivamento para dados menos usados", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "text": "Verifique os tamanhos de disco em que o tamanho não corresponde à camada (ou seja, um disco de 513 GiB pagará um P30 (1TiB) e considere o redimensionamento", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "Considere usar SSD padrão em vez de Premium ou Ultra sempre que possível", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "Para contas de armazenamento, verifique se a camada escolhida não está somando encargos de transação (pode ser mais barato passar para a próxima camada)", + "waf": "Custar" + }, + { + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": 
"https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "Para ASR, considere o uso de discos SSD padrão se o RPO/RTO e a taxa de transferência de replicação permitirem", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", - "severity": "Média", - "text": "Use o ExpressRoute como a conexão principal com o Azure. Use VPNs como fonte de conectividade de backup.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Desempenho" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "Contas de armazenamento: verifique o hot tier e/ou o GRS necessário", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "description": "Você pode usar o prefixo AS-path e pesos de conexão para influenciar o tráfego do Azure para o local e toda a gama de atributos BGP em seus próprios roteadores para influenciar o tráfego do local para o Azure.", - "guid": "f29812b2-363c-4efe-879b-599de0d5973c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", - "service": "ExpressRoute", - "severity": "Média", - "text": "Ao usar vários circuitos do ExpressRoute ou vários locais locais, use atributos BGP para otimizar o roteamento.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidade" + "arm-service": 
"Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "Discos - valide o uso de discos SSD Premium em todos os lugares: por exemplo, não-prod pode trocar para SSD padrão ou SSD Premium sob demanda ", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", - "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", - "service": "ExpressRoute", - "severity": "Média", - "text": "Selecione o SKU correto para os gateways ExpressRoute/VPN com base nos requisitos de largura de banda e desempenho.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Desempenho" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "Crie orçamentos para gerenciar custos e crie alertas que notifiquem automaticamente as partes interessadas sobre anomalias de gastos e riscos de gastos excessivos.", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where 
type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", - "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", - "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Verifique se você está usando circuitos do ExpressRoute de dados ilimitados somente se atingir a largura de banda que justifica seu custo.", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "Exporte dados de custo para uma conta de armazenamento para análise de dados adicionais.", "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", - "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Aproveite o SKU local do ExpressRoute para reduzir o custo de seus circuitos, se o local de emparelhamento de circuito der suporte às regiões do Azure para o SKU Local.", + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": 
"https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "Controle os custos de um pool SQL dedicado pausando o recurso quando ele não estiver em uso.", "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", - "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", - "severity": "Média", - "text": "Implante um gateway do ExpressRoute com redundância de zona nas regiões do Azure com suporte.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "Habilite o recurso de pausa automática do Apache Spark sem servidor e defina seu valor de tempo limite de acordo.", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", - "severity": "Média", - "text": "Para cenários que exigem largura de banda superior a 10 Gbps ou portas dedicadas de 10/100 Gbps, use o ExpressRoute Direct.", - 
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Desempenho" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "Crie várias definições de pool do Apache Spark de vários tamanhos.", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", - "severity": "Média", - "text": "Quando a baixa latência for necessária ou a taxa de transferência do local para o Azure precisar ser maior que 10 Gbps, habilite o FastPath para ignorar o gateway do ExpressRoute do caminho de dados.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Desempenho" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "Adquira unidades de confirmação (SCU) do Azure Synapse por um ano com um plano de pré-compra para economizar nos custos do Azure Synapse Analytics.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Custar" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = 
(tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", - "severity": "Média", - "text": "Use gateways de VPN com redundância de zona para conectar branches ou locais remotos ao Azure (quando disponível).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "Usar VMs spot para trabalhos interruptíveis: são VMs que podem ser licitadas e compradas a um preço com desconto, fornecendo uma solução econômica para cargas de trabalho não críticas.", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Custar" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", - "severity": "Média", - "text": "Use dispositivos VPN redundantes locais (ativo/ativo ou ativo/passivo).", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "Fiabilidade" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "Dimensionamento correto de todas as VMs", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": 
"718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Se estiver usando o ExpressRoute Direct, considere usar circuitos locais do ExpressRoute para as regiões locais do Azure para economizar custos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "Trocar VM dimensionada com tamanhos normalizados e mais recentes", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", - "severity": "Média", - "text": "Quando o isolamento de tráfego ou a largura de banda dedicada for necessária, como para separar ambientes de produção e não produção, use circuitos diferentes do ExpressRoute. 
Ele ajudará você a garantir domínios de roteamento isolados e aliviar os riscos de vizinhos barulhentos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Segurança" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "VMs de dimensionamento correto - comece com o monitoramento do uso abaixo de 5% e, em seguida, trabalhe até 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", - "severity": "Média", - "text": "Monitore a disponibilidade e a utilização do ExpressRoute usando o Express Route Insights interno.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operações" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "A conteinerização de um aplicativo pode melhorar a densidade da VM e economizar dinheiro no dimensionamento", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "Custar" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": 
"ExpressRoute", - "severity": "Média", - "text": "Use o Monitor da Conexão para monitoramento de conectividade em toda a rede, especialmente entre o local e o Azure.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operações" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "Alto", + "text": "Selecione o plano de hospedagem de função certo com base em seus requisitos de negócios e SLO", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", - "service": "ExpressRoute", - "severity": "Média", - "text": "Use circuitos do ExpressRoute de diferentes locais de emparelhamento para redundância.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": 
"https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", + "severity": "Alto", + "text": "Aproveitar zonas de disponibilidade quando aplicável regionalmente (não disponível para a camada de consumo)", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "severity": "Média", - "text": "Use a VPN site a site como failover do ExpressRoute, se estiver usando apenas um único circuito do ExpressRoute.", + "text": "Considere uma estratégia de DR entre regiões para cargas de trabalho críticas", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": 
"https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", "severity": "Alto", - "text": "Se você estiver usando uma tabela de rotas no GatewaySubnet, certifique-se de que as rotas de gateway sejam propagadas.", + "text": "Se estiver implantando em um ambiente isolado, use ou migre para o ASE (Ambiente do Serviço de Aplicativo) v3", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", "severity": "Alto", - "text": "Se estiver usando o ExpressRoute, o roteamento local deverá ser dinâmico: no caso de uma falha de conexão, ele deverá convergir para a conexão restante do circuito. 
A carga deve ser compartilhada entre ambas as conexões, idealmente como ativa/ativa, embora ativa/passiva também seja suportada.", + "text": "Verifique se 'Sempre Ativado' está habilitado para todos os Aplicativos de Função em execução no Plano do Serviço de Aplicativo", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "severity": "Média", - "text": "Verifique se os dois links físicos do circuito do ExpressRoute estão conectados a dois dispositivos de borda distintos em sua rede.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "Emparelhe um aplicativo de função com sua própria conta de armazenamento. 
Tente não reutilizar contas de armazenamento para aplicativos de função, a menos que eles estejam firmemente acoplados", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", "severity": "Média", - "text": "Certifique-se de que a Detecção de Encaminhamento Bidirecional (BFD) esteja habilitada e configurada em dispositivos de roteamento de borda do cliente ou provedor.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Fiabilidade" + "text": "Aproveite o Azure DevOps ou o GitHub para simplificar o CI/CD e proteger seu código do Aplicativo de Função", + "waf": "Operações" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", - "severity": "Alto", - "text": "Conecte o Gateway do ExpressRoute a dois ou mais circuitos de diferentes locais de emparelhamento para maior resiliência.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", + 
"severity": "Baixo", + "text": "Consulte a arquitetura de aplicativo Web com redundância de zona altamente disponível da linha de base para obter as práticas recomendadas", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "Média", - "text": "Configure logs de diagnóstico e alertas para o gateway de rede virtual do ExpressRoute.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Operações" + "text": "Use as camadas Premium e Standard. 
Esses níveis oferecem suporte a slots de preparo e backups automatizados.", + "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", - "severity": "Média", - "text": "Não use circuitos do ExpressRoute para comunicação VNet para VNet.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "Desempenho" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", + "severity": "Alto", + "text": "Aproveite as zonas de disponibilidade quando aplicável regionalmente (requer a camada Premium v2 ou v3)", + "waf": "Fiabilidade" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "N/A", - "severity": "Baixo", - "text": "Não envie o tráfego do Azure para locais híbridos para inspeção. 
Em vez disso, siga o princípio \"o tráfego no Azure permanece no Azure\" para que a comunicação entre os recursos no Azure ocorra por meio da rede de backbone da Microsoft.", - "waf": "Desempenho" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", + "severity": "Média", + "text": "Implementar verificações de integridade", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/firewall/overview", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", "severity": "Alto", - "text": "Use o Firewall do Azure para controlar o tráfego de saída do Azure para a Internet, conexões de entrada não HTTP/S e filtragem de tráfego Leste/Oeste (se a organização exigir).", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Segurança" + "text": "Consulte as práticas recomendadas de backup e restauração para o Serviço de Aplicativo do Azure", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", - "service": "Firewall", - "severity": "Média", - "text": "Crie uma política global de Firewall do Azure para controlar a postura de segurança em todo o ambiente de rede global e atribua-a a todas as instâncias do Firewall do Azure. 
Permita que políticas granulares atendam aos requisitos de regiões específicas delegando políticas de firewall incrementais às equipes de segurança locais por meio do controle de acesso baseado em função do Azure.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Segurança" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", + "severity": "Alto", + "text": "Implementar práticas recomendadas de confiabilidade do Serviço de Aplicativo do Azure", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", "severity": "Baixo", - "text": "Configure provedores de segurança SaaS de parceiros compatíveis no Firewall Manager se a organização quiser usar essas soluções para ajudar a proteger as conexões de saída.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Segurança" + "text": "Familiarizar-se com como mover um aplicativo do Serviço de Aplicativo para outra região durante um desastre", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = 
(properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", "severity": "Alto", - "text": "Use regras de aplicativo para filtrar o tráfego de saída no nome do host de destino para protocolos com suporte. Use regras de rede baseadas em FQDN e Firewall do Azure com proxy DNS para filtrar o tráfego de saída para a Internet em outros protocolos.", - "waf": "Segurança" + "text": "Familiarizar-se com o suporte de confiabilidade no Serviço de Aplicativo do Azure", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", - "severity": "Alto", - "text": "Use o Firewall do Azure Premium para habilitar recursos de segurança adicionais.", - "waf": "Segurança" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", + "severity": "Média", + "text": "Verifique se \"Sempre Ativo\" está habilitado para Aplicativos de Função em execução em um plano de serviço de aplicativo", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": 
"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", - "service": "Firewall", - "severity": "Alto", - "text": "Configure o modo de Inteligência contra Ameaças do Firewall do Azure como Alerta e Negação para proteção adicional.", - "waf": "Segurança" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", + "severity": "Média", + "text": "Monitorar instâncias do Serviço de Aplicativo usando verificações de integridade", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", - "severity": "Alto", - "text": "Configure o modo IDPS do Firewall do Azure como Negar para proteção adicional.", - "waf": "Segurança" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", + "severity": "Média", + "text": "Monitorar a disponibilidade e a capacidade de resposta do aplicativo Web ou site usando testes de disponibilidade do Application Insights", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - 
"graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", - "severity": "Alto", - "text": "Para sub-redes em VNets não conectadas à WAN Virtual, anexe uma tabela de rotas para que o tráfego da Internet seja redirecionado para o Firewall do Azure ou uma Solução de Virtualização de Rede.", - "waf": "Segurança" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", + "severity": "Baixo", + "text": "Usar o teste Application Insights Standard para monitorar a disponibilidade e a capacidade de resposta do 
aplicativo Web ou site", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", - "severity": "Média", - "text": "Adicione configurações de diagnóstico para salvar logs, usando a tabela de destino Específico do Recurso, para todas as implantações do Firewall do Azure.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operações" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use o Cofre de Chaves do Azure para armazenar quaisquer segredos de que o aplicativo precisa. O Cofre de Chaves fornece um ambiente seguro e auditado para armazenar segredos e está bem integrado ao Serviço de Aplicativo por meio do SDK do Cofre de Chaves ou das Referências do Cofre de Chaves do Serviço de Aplicativo.", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "Alto", + "text": "Usar o Cofre de Chaves para armazenar segredos", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "severity": "Importante", - "text": "Migre das regras clássicas do Firewall do Azure (se houver) para a Política de Firewall.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "Operações" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use uma Identidade Gerenciada para se conectar ao Cofre de Chaves usando o SDK do Cofre de 
Chaves ou por meio das Referências do Cofre de Chaves do Serviço de Aplicativo.", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", + "severity": "Alto", + "text": "Usar a Identidade Gerenciada para se conectar ao Cofre de Chaves", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Armazene o certificado TLS do Serviço de Aplicativo no Cofre de Chaves.", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "severity": "Alto", - "text": "Use um prefixo /26 para suas sub-redes do Firewall do Azure.", + "text": "Use o Cofre de Chaves para armazenar o certificado TLS.", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Os sistemas que processam informações confidenciais 
devem ser isolados. Para fazer isso, use Planos do Serviço de Aplicativo ou Ambientes do Serviço de Aplicativo separados e considere o uso de assinaturas ou grupos de gerenciamento diferentes.", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", "severity": "Média", - "text": "Organize as regras dentro da política de firewall em Grupos de Coleção de Regras e Coleções de Regras e com base em sua frequência de uso.", - "waf": "Desempenho" + "text": "Isolar sistemas que processam informações confidenciais", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Os discos locais no Serviço de Aplicativo não são criptografados e os dados confidenciais não devem ser armazenados neles. 
(Por exemplo: D:\\\\Local e %TMP%).", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", "severity": "Média", - "text": "Use grupos de IP ou prefixos de IP para reduzir o número de regras de tabela de IP.", - "waf": "Desempenho" + "text": "Não armazene dados confidenciais no disco local", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Para aplicativos Web autenticados, use um Provedor de Identidade bem estabelecido, como o Azure AD ou o Azure AD B2C. Aproveite a estrutura de aplicativo de sua escolha para se integrar a esse provedor ou use o recurso de Autenticação/Autorização do Serviço de Aplicativo.", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "severity": "Média", - "text": "Não use curingas como um IP de origem para DNATS, como * ou any, você deve especificar IPs de origem para DNATs de entrada.", - "waf": "Desempenho" + "text": "Usar um provedor de identidade estabelecido para autenticação", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", - "severity": "Média", - "text": "Evite o esgotamento da porta SNAT monitorando o uso da porta SNAT, avaliando as configurações do NAT Gateway e garantindo um failover contínuo. 
Se a contagem de portas se aproximar do limite, é um sinal de que o esgotamento do SNAT pode ser iminente.", - "waf": "Desempenho" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Implante código no Serviço de Aplicativo a partir de um ambiente controlado e confiável, como um pipeline de implantação de DevOps bem gerenciado e seguro. Isso evita que o código que não foi controlado por versão e verificado para ser implantado a partir de um host mal-intencionado.", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", + "severity": "Alto", + "text": "Implantar a partir de um ambiente confiável", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Desative a autenticação básica para FTP/FTPS e WebDeploy/SCM. Isso desabilita o acesso a esses serviços e impõe o uso de pontos de extremidade protegidos do Azure AD para implantação. 
Observe que o site do SCM também pode ser aberto usando credenciais do Azure AD.", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", "severity": "Alto", - "text": "Se você estiver usando o Firewall do Azure Premium, habilite a Inspeção TLS.", - "waf": "Desempenho" + "text": "Desabilitar a autenticação básica", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "Baixo", - "text": "Use categorias da Web para permitir ou negar o acesso de saída a tópicos específicos.", - "waf": "Desempenho" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Sempre que possível, use a Identidade Gerenciada para se conectar aos recursos protegidos do Azure AD. 
Se isso não for possível, armazene segredos no Cofre de Chaves e conecte-se ao Cofre de Chaves usando uma Identidade Gerenciada.", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", + "severity": "Alto", + "text": "Usar a Identidade Gerenciada para se conectar a recursos", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", - "severity": "Média", - "text": "Como parte da inspeção TLS, planeje o recebimento de tráfego dos Gateways de Aplicativo do Azure para inspeção.", - "waf": "Desempenho" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Onde estiver usando imagens armazenadas no Registro de Contêiner do Azure, extraia-as usando uma Identidade Gerenciada.", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + "service": "App Services", + "severity": "Alto", + "text": "Extrair contêineres usando uma identidade gerenciada", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Ao definir as configurações de diagnóstico do Serviço de Aplicativo, você pode enviar toda a telemetria para o Log Analytics como o destino central para registro em log e monitoramento. 
Isso permite que você monitore a atividade de tempo de execução do Serviço de Aplicativo, como logs HTTP, logs de aplicativos, logs de plataforma, ...", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "severity": "Média", - "text": "Habilite a configuração de proxy DNS do Firewall do Azure.", + "text": "Enviar logs de tempo de execução do Serviço de Aplicativo para o Log Analytics", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", - "severity": "Alto", - "text": "Integre o Firewall do Azure ao Azure Monitor e habilite o log de diagnóstico para armazenar e analisar logs de firewall.", - "waf": "Operações" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Configure uma configuração de diagnóstico para enviar o log de atividades para o Log Analytics como o destino central para registro e monitoramento. 
Isso permite que você monitore a atividade do plano de controle no próprio recurso do Serviço de Aplicativo.", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", + "severity": "Média", + "text": "Enviar logs de atividade do Serviço de Aplicativo para o Log Analytics", + "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "Baixo", - "text": "Implementar backups para suas regras de firewall", - "waf": "Operações" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Controle o acesso à rede de saída usando uma combinação de integração regional de VNet, grupos de segurança de rede e UDR's. O tráfego deve ser roteado para um NVA, como o Firewall do Azure. 
Certifique-se de monitorar os logs do Firewall.", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", + "severity": "Média", + "text": "O acesso à rede de saída deve ser controlado", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", - "severity": "Alto", - "text": "Não interrompa a comunicação do painel de controle para serviços de PaaS do Azure injetados em redes virtuais, como com uma rota 0.0.0.0/0 ou uma regra NSG que bloqueia o tráfego do painel de controle.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Você pode fornecer um IP de saída estável usando a integração de rede virtual e um gateway NAT de rede virtual ou um NVA como o Firewall do Azure. Isso permite que a parte receptora permita uma lista com base no IP, caso seja necessário. Observe que, para comunicações com os Serviços do Azure, geralmente não há necessidade de depender do endereço IP e mecânicas como Pontos de Extremidade de Serviço devem ser usadas. 
(Além disso, o uso de pontos de extremidade privados na extremidade de recebimento evita que o SNAT aconteça e fornece um intervalo de IP de saída estável.)", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "Baixo", + "text": "Garantir um IP estável para comunicações de saída para endereços de Internet", "waf": "Segurança" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", - "severity": "Média", - "text": "Acesse os serviços de PaaS do Azure localmente por meio de pontos de extremidade privados e emparelhamento privado do ExpressRoute. Esse método evita o trânsito pela Internet pública.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Controle o acesso à rede de entrada usando uma combinação de Restrições de Acesso do Serviço de Aplicativo, Pontos de Extremidade de Serviço ou Pontos de Extremidade Privados. 
Diferentes restrições de acesso podem ser necessárias e configuradas para o próprio aplicativo Web e o site do SCM.", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "Alto", + "text": "O acesso à rede de entrada deve ser controlado", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Proteja-se contra tráfego de entrada mal-intencionado usando um Firewall de Aplicativo Web, como o Gateway de Aplicativo ou o Azure Front Door. 
Certifique-se de monitorar os logs do WAF.", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "severity": "Alto", - "text": "Não habilite pontos de extremidade de serviço de rede virtual por padrão em todas as sub-redes.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Usar um WAF na frente do Serviço de Aplicativo", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Certifique-se de que o WAF não pode ser ignorado bloqueando o acesso apenas ao WAF. Use uma combinação de Restrições de Acesso, Pontos de Extremidade de Serviço e Pontos de Extremidade Privados.", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "Alto", + "text": "Evite que o WAF seja ignorado", + "waf": "Segurança" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Defina a política TLS mínima como 1.2 na configuração do Serviço de Aplicativo.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "severity": "Média", - "text": "Filtre o tráfego de saída para os serviços de PaaS do Azure usando FQDNs em vez de endereços IP 
no Firewall do Azure ou em uma NVA para evitar a exfiltração de dados. Se estiver usando o Link Privado, você poderá bloquear todos os FQDNs, caso contrário, permita apenas os serviços de PaaS necessários.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "Definir a política TLS mínima como 1.2", "waf": "Segurança" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Configure o Serviço de Aplicativo para usar somente HTTPS. Isso faz com que o Serviço de Aplicativo redirecione de HTTP para HTTPS. 
Considere fortemente o uso de HTTP Strict Transport Security (HSTS) em seu código ou a partir de seu WAF, que informa aos navegadores que o site só deve ser acessado usando HTTPS.", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", "severity": "Alto", - "text": "Utilize pelo menos um prefixo /27 para as sub-redes do Gateway.", + "text": "Usar somente HTTPS", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", 
+ "description": "Não use curingas em sua configuração do CORS, pois isso permite que todas as origens acessem o serviço (derrotando assim o propósito do CORS). Especificamente, permita apenas as origens que você espera poder acessar o serviço.", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App Services", "severity": "Alto", - "text": "Não confie nas regras padrão de entrada do NSG usando a marca de serviço VirtualNetwork para limitar a conectividade.", + "text": "Curingas não devem ser usados para CORS", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", - "severity": "Média", - "text": "Use NSGs para ajudar a proteger o tráfego entre sub-redes, bem como o tráfego leste/oeste na plataforma (tráfego entre zonas de destino).", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "A depuração remota não deve ser ativada na produção, pois isso abre portas adicionais no serviço, o que aumenta a superfície de ataque. 
Observe que o serviço ativa a depuração remota automaticamente após 48 horas.", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", + "severity": "Alto", + "text": "Desativar a depuração remota", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Habilite o Defender para o Serviço de Aplicativo. Isso (entre outras ameaças) detecta comunicações com endereços IP mal-intencionados conhecidos. 
Analise as recomendações do Defender for App Service como parte de suas operações.", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "severity": "Média", - "text": "Use NSGs e grupos de segurança de aplicativos para microssegmentar o tráfego dentro da zona de destino e evite usar uma NVA central para filtrar fluxos de tráfego.", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "Habilitar o Defender for Cloud - Defender for App Service", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "O Azure fornece proteção contra DDoS Basic em sua rede, que pode ser aprimorada com recursos inteligentes de DDoS Standard que aprendem sobre padrões normais de tráfego e podem detectar comportamentos incomuns. 
O DDoS Standard se aplica a uma Rede Virtual, portanto, ele deve ser configurado para o recurso de rede na frente do aplicativo, como o Application Gateway ou um NVA.", + "guid": "223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "severity": "Média", - "text": "Habilite os Logs de Fluxo de VNet e alimente-os na Análise de Tráfego para obter insights sobre fluxos de tráfego internos e externos.", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "text": "Habilitar o padrão de proteção DDOS na rede virtual WAF", "waf": "Segurança" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Ao usar imagens armazenadas no Registro de Contêiner do Azure, extraia-as por uma rede virtual do Registro de Contêiner do Azure usando seu ponto de extremidade privado e a configuração do aplicativo 'WEBSITE_PULL_IMAGE_OVER_VNET'.", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", "severity": "Média", - "text": "Não implemente mais de 900 regras de NSG por NSG, devido ao limite de 1000 regras.", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "waf": "Fiabilidade" + "text": "Extrair contêineres por uma rede 
virtual", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Realizar um teste de penetração na aplicação web seguindo as regras de teste de penetração de engajamento.", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", "severity": "Média", - "text": "Use a WAN Virtual se o cenário estiver explicitamente descrito na lista de designs de roteamento da WAN Virtual.", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", - "waf": "Operações" + "text": "Realizar um teste de penetração", + "waf": "Segurança" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Implante código confiável que foi validado e verificado em busca de vulnerabilidades de acordo com as práticas de DevSecOps.", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "severity": "Média", - "text": "Use um hub de WAN Virtual por região do Azure para conectar várias zonas de destino entre regiões do Azure por meio de uma WAN Virtual do Azure global comum.", - "waf": "Desempenho" + "text": "Implantar código validado", + "waf": 
"Segurança" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", - "severity": "Média", - "text": "Para proteção e filtragem de tráfego de saída da Internet, implante o Firewall do Azure em hubs seguros.", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Use as versões mais recentes de plataformas, linguagens de programação, protocolos e estruturas suportadas.", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", + "severity": "Alto", + "text": "Use plataformas, linguagens, protocolos e frameworks atualizados", "waf": "Segurança" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", - "severity": "Média", - "text": "Verifique se a arquitetura de rede da WAN virtual está alinhada a um cenário de arquitetura identificado.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", + "severity": "Baixo", + "text": "Se necessário para cargas de trabalho do AKS Windows, os contêineres HostProcess podem ser usados", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": 
"Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", - "severity": "Média", - "text": "Use o Azure Monitor Insights para WAN Virtual para monitorar a topologia de ponta a ponta da WAN Virtual, o status e as principais métricas.", - "waf": "Operações" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "Baixo", + "text": "Usar o KEDA se estiver executando cargas de trabalho orientadas a eventos", + "waf": "Desempenho" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", - "severity": "Média", - "text": "Não desabilite o tráfego branch a branch na WAN Virtual, a menos que esses fluxos devam ser bloqueados explicitamente.", - "waf": "Fiabilidade" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "Baixo", + "text": "Use o Dapr para facilitar o desenvolvimento de microsserviços", + "waf": "Operações" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", - "severity": "Média", - "text": "Use AS-Path como preferência de roteamento de hub, pois é mais flexível que ExpressRoute ou VPN.", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", + "severity": "Alto", + "text": "Use a oferta AKS apoiada por SLA", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", - "severity": "Média", - "text": "Configure a propagação baseada em rótulos na WAN Virtual, caso contrário, a conectividade entre hubs virtuais será prejudicada.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "Baixo", + "text": "Usar orçamentos de interrupção em seu pod e definições de implantação", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", "severity": "Alto", - "text": "Atribua pelo menos um prefixo /23 a hubs virtuais para garantir que haja espaço IP suficiente disponível.", + "text": "Se estiver usando um registro 
privado, configure a replicação de região para armazenar imagens em várias regiões",
 "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
- "severity": "Alto",
- "text": "Aproveite o Azure Policy estrategicamente, defina controles para seu ambiente, usando Iniciativas de Política para agrupar políticas relacionadas.",
- "waf": "Segurança"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Use um aplicativo externo, como kubecost, para alocar custos para diferentes usuários",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
+ "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Usar o modo de redução para excluir/desalocar nós",
+ "waf": "Custar"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
+ "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
+ "service": "AKS",
+ "severity": "Média",
+ "text": "Quando necessário, use a GPU de partioning de várias instâncias em clusters AKS",
+ "waf": "Custar"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
- "severity": 
"Média",
- "text": "Mapeie os requisitos regulatórios e de conformidade para definições do Azure Policy e atribuições de função do Azure.",
- "waf": "Segurança"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
+ "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Se estiver executando um cluster de desenvolvimento/teste, use NodePool Start/Stop",
+ "waf": "Custar"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
+ "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
+ "service": "AKS",
 "severity": "Média",
- "text": "Estabeleça definições do Azure Policy no grupo de gerenciamento raiz intermediário para que elas possam ser atribuídas em escopos herdados.",
+ "text": "Usar a Política do Azure para Kubernetes para garantir a conformidade do cluster",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
- "severity": "Alto",
- "text": "Gerencie atribuições de política no nível apropriado mais alto com exclusões nos níveis inferiores, se necessário.",
+ "arm-service": 
"microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
+ "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
+ "severity": "Média",
+ "text": "Separe os aplicativos do plano de controle com pools de nós de usuário/sistema",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "43334f24-9116-4341-a2ba-527526944008",
- "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
- "service": "Policy",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
+ "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
+ "service": "AKS",
 "severity": "Baixo",
- "text": "Use o Azure Policy para controlar quais serviços os usuários podem provisionar no nível da assinatura/grupo de gerenciamento.",
+ "text": "Adicione mancha ao seu nodepool do sistema para torná-lo dedicado",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
- "severity": "Alto",
- "text": "Use políticas internas sempre que possível para minimizar a sobrecarga operacional.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
+ "link": "https://learn.microsoft.com/azure/container-registry/",
+ "service": "AKS", 
+ "severity": "Média",
+ "text": "Usar um registro privado para suas imagens, como o ACR",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "description": "Atribuir a função Colaborador de Política de Recursos a escopos específicos permite delegar o gerenciamento de políticas a equipes relevantes. Por exemplo, uma equipe central de TI pode supervisionar as políticas no nível do grupo de gerenciamento, enquanto as equipes de aplicativos lidam com as políticas de suas assinaturas, permitindo a governança distribuída com adesão aos padrões organizacionais.",
- "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
- "service": "Policy",
+ "arm-service": "microsoft.containerregistry/registries",
+ "checklist": "Azure AKS Review",
+ "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
+ "link": "https://learn.microsoft.com/azure/security-center/container-security",
+ "service": "ACR",
 "severity": "Média",
- "text": "Atribua a função interna de Colaborador de Política de Recursos em um escopo específico para habilitar a governança no nível do aplicativo.",
+ "text": "Analise suas imagens em busca de vulnerabilidades",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "19048384-5c98-46cb-8913-156a12476e49",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Policy",
- "severity": "Média",
- "text": "Limite o número de atribuições do Azure Policy feitas no escopo do grupo de gerenciamento raiz para evitar o gerenciamento por meio de exclusões em escopos herdados.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
+ "link": 
"https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Definir requisitos de separação de aplicativos (namespace/nodepool/cluster)",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
- "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline",
- "service": "Policy",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
+ "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
+ "service": "AKS",
 "severity": "Média",
- "text": "Se houver requisitos de soberania de dados, as Políticas do Azure deverão ser implantadas para aplicá-los.",
- "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "text": "Armazene seus segredos no Cofre de Chaves do Azure com o driver do CSI Secrets Store",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
- "service": "Policy",
- "severity": "Média",
- "text": "Para a Zona de Destino Soberana, implante a linha de base da política de soberania e atribua no nível correto do grupo de gerenciamento.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
+ "link": "https://learn.microsoft.com/azure/aks/update-credentials",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Se estiver usando entidades de serviço para o cluster, atualize as credenciais periodicamente (como trimestralmente)", 
"waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4",
- "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline",
- "service": "Policy",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e7ba73a3-0508-4f80-806f-527db30cee96",
+ "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
+ "service": "AKS",
 "severity": "Média",
- "text": "Para Zona de Aterrissagem Soberana, documente os objetivos de Controle Soberano para mapeamento de políticas.",
+ "text": "Se necessário, adicione criptografia etcd do Serviço de Gerenciamento de Chaves",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone Review",
- "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
- "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives",
- "service": "Policy",
- "severity": "Média",
- "text": "Para a Zona de Aterrissagem Soberana, certifique-se de que o processo esteja em vigor para o gerenciamento de 'Objetivos de Controle Soberano para mapeamento de políticas'.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31",
+ "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Se necessário, considere o uso de computação confidencial para AKS",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Monitor",
+ "arm-service": 
"microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
+ "service": "AKS",
 "severity": "Média",
- "text": "Use um workspace de logs de monitor único para gerenciar plataformas centralmente, exceto quando o RBAC (controle de acesso baseado em função) do Azure, os requisitos de soberania de dados ou as políticas de retenção de dados exigirem workspaces separados.",
- "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "waf": "Operações"
+ "text": "Considere o uso do Defender for Containers",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
- "service": "Monitor",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant",
+ "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a",
+ "link": "https://learn.microsoft.com/azure/aks/use-managed-identity",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Exporte logs para o Armazenamento do Azure se os requisitos de retenção de log excederem doze anos. 
Use o armazenamento imutável com uma política de gravação única e leitura múltipla para tornar os dados não apagáveis e não modificáveis por um intervalo especificado pelo usuário.",
- "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
- "waf": "Operações"
- },
- {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13",
- "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
- "service": "VM",
- "severity": "Média",
- "text": "Monitore o descompasso de configuração da VM (máquina virtual) no nível do sistema operacional usando o Azure Policy. Habilitar os recursos de auditoria da Configuração de Computador do Gerenciamento Automatizado do Azure por meio da política ajuda as cargas de trabalho da equipe de aplicativos a consumir imediatamente os recursos de recursos com pouco esforço.",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "Operações"
+ "text": "Usar identidades gerenciadas em vez de entidades de serviço",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations",
- "service": "VM",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant",
+ "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad",
+ "service": "AKS",
 "severity": "Média",
- "text": "Use o Azure Update Manager como um mecanismo de aplicação de patch para VMs 
Windows e Linux no Azure.",
- "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
- "waf": "Operações"
+ "text": "Integrar autenticação com AAD (usando a integração gerenciada)",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
- "service": "VM",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a2fe27b2-e287-401a-8352-beedf79b488d",
+ "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access",
+ "service": "AKS",
 "severity": "Média",
- "text": "Use o Gerenciador de Atualizações do Azure como um mecanismo de aplicação de patch para VMs do Windows e do Linux fora do Azure usando o Azure Arc.",
- "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
- "waf": "Operações"
+ "text": "Limitar o acesso ao admin kubeconfig (get-credentials --admin)",
+ "waf": "Segurança"
 },
 {
- "arm-service": "microsoft.network/networkWatchers",
- "checklist": "Azure Landing Zone Review",
- "guid": "90483845-c986-4cb2-a131-56a12476e49f",
- "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
- "service": "Network Watcher",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3",
+ "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac",
+ "service": "AKS",
 "severity": "Média",
- "text": "Use o Observador de Rede para monitorar proativamente os fluxos de tráfego.",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
- "waf": "Operações"
+ "text": "Integrar autorização com AAD RBAC", 
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Monitor",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Usar namespaces para restringir o privilégio RBAC no Kubernetes",
+ "waf": "Segurança"
+ },
+ {
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410",
+ "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar",
+ "service": "AKS",
 "severity": "Média",
- "text": "Use os Logs do Azure Monitor para obter insights e relatórios.",
- "waf": "Operações"
+ "text": "Para o Gerenciamento de Acesso à Identidade de Pod, use a Identidade de Carga de Trabalho do Azure AD (visualização)",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "97be9951-9048-4384-9c98-6cb2913156a1",
- "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview",
- "service": "Monitor",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin",
+ "service": "AKS",
 "severity": "Média",
- "text": "Use alertas do Azure Monitor para a geração de alertas operacionais.",
- "waf": "Operações"
+ "text": "Para logins não interativos do AKS, use kubelogin (visualização)",
+ "waf": "Segurança"
 },
 {
- 
"arm-service": "Microsoft.Insights/components",
- "checklist": "Azure Landing Zone Review",
- "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31",
- "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
- "service": "Monitor",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant",
+ "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts",
+ "service": "AKS",
 "severity": "Média",
- "text": "Ao usar o Acompanhamento de Alterações e Inventário por meio de Contas de Automação do Azure, verifique se você selecionou regiões com suporte para vincular seu workspace do Log Analytics e contas de automação.",
- "waf": "Operações"
+ "text": "Desativar contas locais do AKS",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
- "service": "Backup",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks",
+ "service": "AKS",
 "severity": "Baixo",
- "text": "Ao usar o Backup do Azure, use os tipos de backup corretos (GRS, ZRS E LRS) para o backup, pois a configuração padrão é GRS.",
- "waf": "Fiabilidade"
+ "text": "Configurar, se necessário, o acesso ao cluster just-in-time",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a",
- "link": 
"https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
- "service": "VM",
- "severity": "Média",
- "text": "Use as políticas de convidado do Azure para implantar automaticamente as configurações de software por meio de extensões de VM e impor uma configuração de VM de linha de base compatível.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150",
+ "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Configurar, se necessário, o acesso condicional do AAD para AKS",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "description": "Use os recursos de configuração de convidado do Azure Policy para auditar e corrigir as configurações do computador (por exemplo, sistema operacional, aplicativo, ambiente) para garantir que os recursos estejam alinhados com as configurações esperadas e que o Gerenciamento de Atualizações possa impor o gerenciamento de patches para VMs.",
- "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
- "service": "VM",
- "severity": "Média",
- "text": "Monitore o descompasso de configuração de segurança da VM por meio do Azure Policy.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3",
+ "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts",
+ "service": "AKS",
+ "severity": "Baixo",
+ "text": "Se necessário para cargas de trabalho do Windows AKS, configure o gMSA ",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": 
"Azure Landing Zone Review",
- "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
- "service": "VM",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "1f711a74-3672-470b-b8b8-a2148d640d79",
+ "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity",
+ "service": "AKS",
 "severity": "Média",
- "text": "Use o Azure Site Recovery para cenários de recuperação de desastre de Máquinas Virtuais do Azure para o Azure. Isso permite replicar cargas de trabalho entre regiões.",
- "waf": "Operações"
+ "text": "Para um controle mais fino, considere usar uma Identidade Kubelet gerenciada",
+ "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca",
- "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
- "service": "Backup",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248",
+ "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/",
+ "service": "AKS",
 "severity": "Média",
- "text": "Use recursos de backup nativos do Azure ou uma solução de backup de terceiros compatível com o Azure.",
- "waf": "Operações"
+ "text": "Se estiver usando AGIC, não compartilhe um AppGW entre clusters",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
- "service": "WAF",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": 
"Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant",
+ "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d",
+ "link": "https://learn.microsoft.com/azure/aks/http-application-routing",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Adicione configurações de diagnóstico para salvar logs do WAF de serviços de entrega de aplicativos, como o Azure Front Door e o Gateway de Aplicativo do Azure. Revise regularmente os logs para verificar se há ataques e detecções de falsos positivos.",
- "waf": "Operações"
+ "text": "Não use AKS HTTP Routing Add-On, use em vez disso a entrada NGINX gerenciada com o complemento de roteamento de aplicativo.",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "7f408960-c626-44cb-a018-347c8d790cdf",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "WAF",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9",
+ "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview",
+ "service": "AKS",
 "severity": "Média",
- "text": "Envie logs do WAF de seus serviços de entrega de aplicativos, como o Azure Front Door e o Gateway de Aplicativo do Azure, para o Microsoft Sentinel. 
Detecte ataques e integre a telemetria do WAF ao seu ambiente geral do Azure.",
- "waf": "Operações"
+ "text": "Para cargas de trabalho do Windows, use a Rede Acelerada",
+ "waf": "Desempenho"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "5017f154-e3ab-4369-9829-e7e316183687",
- "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
- "service": "Key Vault",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant",
+ "guid": "ba7da7be-9952-4914-a384-5d997cb39132",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
 "severity": "Alto",
- "text": "Use o Azure Key Vault para armazenar seus segredos e credenciais.",
- "waf": "Segurança"
+ "text": "Use o ALB padrão (em oposição ao básico)",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)",
- "guid": "a0477a20-9945-4bda-9333-4f2491163418",
- "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling",
- "service": "Key Vault",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ 
"guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b",
+ "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet",
+ "service": "AKS",
 "severity": "Média",
- "text": "Use diferentes Azure Key Vaults para diferentes aplicativos e regiões para evitar limites de escala de transação e restringir o acesso a segredos.",
+ "text": "Se estiver usando o CNI do Azure, considere usar sub-redes diferentes para NodePools",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584",
+ "link": "https://learn.microsoft.com/azure/private-link/private-link-overview",
+ "service": "AKS",
 "severity": "Média",
- "text": "Provisione o Azure Key Vault com as políticas de exclusão reversível e limpeza habilitadas para permitir a proteção de retenção para objetos excluídos.",
+ "text": "Usar Pontos de Extremidade Privados (preferencial) ou Pontos de Extremidade de Serviço de Rede Virtual para acessar serviços de PaaS do cluster",
 "waf": "Segurança"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "dc055bcf-619e-48a1-9f98-879525d62688",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
- "severity": "Média",
- "text": "Siga um modelo de privilégios mínimos limitando a autorização para excluir permanentemente chaves, segredos e certificados a funções personalizadas especializadas de ID do Microsoft Entra.",
- "waf": "Segurança"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant",
+ "guid": "a0f61565-9de5-458f-a372-49c831112dbd",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Escolha o melhor plug-in de rede CNI para seus requisitos (Azure CNI recomendado)",
+ "waf": "Fiabilidade"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "6d70ba6c-97be-4995-8904-83845c986cb2",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
- "severity": "Média",
- "text": "Automatize o processo de gerenciamento e renovação de certificados com autoridades de certificação públicas para facilitar a administração.",
- "waf": "Segurança"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Se estiver usando o Azure CNI, dimensione sua sub-rede de acordo considerando o número máximo de pods por nó",
+ "waf": "Desempenho"
 },
 {
- "arm-service": "Microsoft.KeyVault/vaults",
- "checklist": "Azure Landing Zone Review",
- "guid": "913156a1-2476-4e49-b541-acdce979377b",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
- "service": "Key Vault",
- "severity": "Média",
- "text": "Estabeleça um processo automatizado para rotação de chaves e certificados.",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
+ "severity": "Alto",
+ "text": "Se estiver usando o Azure CNI, verifique o máximo de pods/nó (padrão 
30)", + "waf": "Desempenho" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Para aplicativos internos, as organizações geralmente abrem toda a sub-rede AKS em seus firewalls. Isso abre o acesso de rede para os nós também e, potencialmente, para os pods também (se estiver usando o Azure CNI). Se os IPs do LoadBalancer estiverem em uma sub-rede diferente, somente este precisará estar disponível para os clientes do aplicativo. Outra razão é que, se os endereços IP na sub-rede AKS são um recurso escasso, consumir seus endereços IP para serviços reduzirá a escalabilidade máxima do cluster.", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "Baixo", + "text": "Se estiver usando serviços LoadBalancer de IP privado, use uma sub-rede dedicada (não a sub-rede AKS)", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Média", - "text": "Habilite o firewall e o ponto de extremidade de serviço de rede virtual ou o ponto de extremidade privado no cofre para controlar o acesso ao cofre de chaves.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "Alto", + "text": "Dimensione o intervalo de endereços IP do serviço de acordo (isso limitará a escalabilidade do cluster)", + "waf": "Fiabilidade" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": 
"https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "Baixo", + "text": "Se necessário, adicione seu próprio plugin CNI", "waf": "Segurança" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", - "severity": "Média", - "text": "Use o workspace do Log Analytics do Azure Monitor central da plataforma para auditar o uso de chave, certificado e segredo em cada instância do Key Vault.", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "Baixo", + "text": "Se necessário, configure o IP público por nó no AKS", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", "severity": "Média", - "text": "Delegue a instanciação e o acesso privilegiado do Key Vault e use o Azure Policy para impor uma configuração consistente e compatível.", - "waf": "Segurança" + "text": "Usar um controlador de entrada para expor aplicativos baseados na Web em vez de expô-los com serviços do tipo LoadBalancer", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": 
"91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "Média", - "text": "Use um Azure Key Vault por aplicativo por ambiente por região.", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", + "severity": "Baixo", + "text": "Usar o Gateway NAT do Azure como outboundType para dimensionar o tráfego de saída", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", "severity": "Média", - "text": "Se você quiser trazer suas próprias chaves, isso pode não ser compatível com todos os serviços considerados. Implemente mitigação relevante para que as inconsistências não prejudiquem os resultados desejados. 
Escolha pares de regiões apropriados e regiões de recuperação de desastre que minimizem a latência.", - "waf": "Segurança" + "text": "Usar alocações dinâmicas de IPs para evitar o esgotamento de IP do CNI do Azure", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", - "severity": "Média", - "text": "Para a Zona de Destino Soberana, use o HSM gerenciado do Azure Key Vault para armazenar seus segredos e credenciais.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", + "severity": "Alto", + "text": "Filtre o tráfego de saída com AzFW/NVA se seus requisitos de segurança exigirem", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "severity": 
"Média", - "text": "Use os recursos de relatório de ID do Microsoft Entra para gerar relatórios de auditoria de controle de acesso.", + "text": "Se estiver usando um ponto de extremidade de API público, restrinja os endereços IP que podem acessá-lo", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", "severity": "Alto", - "text": "Habilite o Gerenciamento de Postura de Segurança de Nuvem do Defender para todas as assinaturas.", + "text": "Use clusters privados se seus requisitos exigirem", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", - "severity": "Alto", - "text": "Habilite um Plano de Proteção de Carga de Trabalho de Nuvem do Defender para Servidores em todas as assinaturas.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": 
"https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", + "severity": "Média", + "text": "Para os nós AKS do Windows 2019 e 2022, as Diretivas de Rede Calico podem ser usadas ", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "Alto", - "text": "Habilite os Planos de Proteção de Carga de Trabalho de Nuvem do Defender para Recursos do Azure em todas as assinaturas.", + "text": "Habilitar uma opção de Política de Rede do Kubernetes (Calico/Azure)", "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": "Alto", - "text": "Habilite o Endpoint Protection em servidores IaaS.", + "text": "Usar diretivas de rede do Kubernetes para aumentar a segurança intra-cluster", "waf": "Segurança" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": 
"https://learn.microsoft.com/azure/security-center/", - "service": "VM", - "severity": "Média", - "text": "Monitore o descompasso de aplicação de patch do sistema operacional base por meio dos Logs do Azure Monitor e do Defender para Nuvem.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", + "severity": "Alto", + "text": "Usar um WAF para cargas de trabalho da Web (UIs ou APIs)", "waf": "Segurança" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", + "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", + "service": "AKS", "severity": "Média", - "text": "Conecte as configurações de recursos padrão a um workspace centralizado do Log Analytics do Azure Monitor.", + "text": "Usar DDoS Standard na Rede Virtual AKS", "waf": "Segurança" }, { - 
"checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", - "severity": "Média", - "text": "Para Zona de Destino Soberana, habilite os logs de transparência no locatário da ID do Entra.", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", + "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", + "link": "https://learn.microsoft.com/azure/aks/http-proxy", + "service": "AKS", + "severity": "Baixo", + "text": "Se necessário, adicione o proxy HTTP da empresa", "waf": "Segurança" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", + "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", + "service": "AKS", "severity": "Média", - "text": "Para Zona de Destino Soberana, habilite o Sistema de Proteção de Dados do cliente no locatário da ID do Entra.", + "text": "Considere o uso de uma malha de serviço para gerenciamento avançado de 
comunicação de microsserviços", "waf": "Segurança" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", + "service": "AKS", "severity": "Alto", - "text": "Habilite a transferência segura para contas de armazenamento.", - "waf": "Segurança" + "text": "Configurar alertas nas métricas mais críticas (consulte Insights de contêiner para obter recomendações)", + "waf": "Operações" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", - "severity": "Alto", - "text": "Habilite a exclusão reversível do contêiner para a conta de armazenamento para recuperar um contêiner excluído e seu conteúdo.", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "337453a3-cc63-4963-9a65-22ac19e80696", + "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", + "service": "AKS", + "severity": "Baixo", + "text": "Verifique regularmente o Azure Advisor para obter recomendações sobre o seu cluster", + "waf": "Operações" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - "service": "Key Vault", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", + "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", + "service": "AKS", + "severity": "Baixo", + "text": "Habilitar a rotação automática do certificado AKS", + "waf": "Operações" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", + "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", + "service": "AKS", "severity": "Alto", - "text": "Use segredos do Key Vault para evitar codificar informações confidenciais, como credenciais (máquinas virtuais, senhas de usuário), certificados ou chaves.", + "text": "Tenha um processo regular para atualizar sua versão do kubernetes periodicamente (trimestralmente, por exemplo), ou use o recurso de atualização automática do AKS", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", + "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", + "service": "AKS", "severity": "Alto", - "text": "Verifique se os controladores de domínio ADDS estão implantados na assinatura de identidade no Azure nativo", - "waf": "Segurança" + "text": "Use kured para atualizações de nó do Linux caso você não esteja usando a atualização de imagem de nó", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", - "severity": "Média", - "text": "Verifique se os sites e serviços do ADDS estão configurados para manter as solicitações de autenticação de recursos baseados no Azure (incluindo a Solução VMware do Azure) locais para o Azure", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", + "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", + "service": "AKS", + "severity": "Alto", + "text": "Tenha um processo regular para atualizar as imagens do nó do cluster periodicamente (semanalmente, por exemplo)", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", - "severity": "Alto", - "text": "Verifique se o vCenter está conectado ao ADDS para habilitar a autenticação com base em 'contas de usuário nomeadas'", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", + "service": "AKS", + "severity": "Baixo", + "text": "Considere gitops para implantar aplicativos ou configuração de cluster em vários clusters", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", - "severity": "Média", - "text": "Verifique se a conexão do vCenter com o ADDS está usando um protocolo seguro (LDAPS)", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d7672c26-7602-4482-85a4-14527fbe855c", + "link": 
"https://learn.microsoft.com/azure/aks/command-invoke", + "service": "AKS", + "severity": "Baixo", + "text": "Considere o uso do comando AKS invoke em clusters privados", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", - "severity": "Média", - "text": "A conta do CloudAdmin no vCenter IdP é usada apenas como uma conta de emergência (break-glass)", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", + "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", + "service": "AKS", + "severity": "Baixo", + "text": "Para eventos planejados, considere o uso do Dreno Automático de Nó", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", + "link": "https://learn.microsoft.com/azure/aks/faq", + "service": "AKS", "severity": "Alto", - "text": "Certifique-se de que o NSX-Manager esteja integrado a um provedor de identidade externo (LDAPS)", - "waf": "Segurança" + "text": "Desenvolver práticas próprias de governança para garantir que nenhuma alteração seja realizada pelos operadores no nó RG (também conhecido como 'infra RG')", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", - "severity": "Média", - "text": "Foi criado um modelo RBAC para uso no VMware vSphere", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + 
"checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", + "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "Baixo", + "text": "Use o nome personalizado do Node RG (também conhecido como 'Infra RG')", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", + "link": "https://kubernetes.io/docs/setup/release/notes/", + "service": "AKS", "severity": "Média", - "text": "As permissões RBAC devem ser concedidas em grupos ADDS e não em usuários específicos", - "waf": "Segurança" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", - "severity": "Alto", - "text": "As permissões RBAC no recurso Solução VMware do Azure no Azure são 'bloqueadas' apenas para um conjunto limitado de proprietários", - "waf": "Segurança" + "text": "Não use APIs do Kubernetes preteridas em seus manifestos do YAML", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", - "severity": "Alto", - "text": "Certifique-se de que todas as funções personalizadas tenham escopo com autorizações permitidas do CloudAdmin", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", + "link": 
"https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", + "service": "AKS", + "severity": "Baixo", + "text": "Manchar os nós do Windows", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", - "severity": "Alto", - "text": "O modelo de conectividade correto da Solução VMware do Azure está selecionado para o caso de uso do cliente em mãos?", - "waf": "Desempenho" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", + "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", + "service": "AKS", + "severity": "Baixo", + "text": "Mantenha o nível de patch dos contêineres do Windows sincronizado com o nível do patch do host", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", - "severity": "Alto", - "text": "Garantir que as conexões de Rota Expressa ou VPN do local para o Azure sejam monitoradas usando o 'monitor de conexão'", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Por meio de Configurações de Diagnóstico no nível do cluster", + "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", + "link": "https://learn.microsoft.com/azure/aks/monitor-aks", + "service": "AKS", + "severity": "Baixo", + "text": "Envie logs mestre (também conhecidos como logs de API) para o Azure Monitor ou sua solução de gerenciamento de logs preferida", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution 
Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", - "severity": "Média", - "text": "Verifique se um monitor de conexão foi criado a partir de um recurso nativo do Azure para uma máquina virtual da Solução VMware do Azure para monitorar a conexão de Rota Expressa de back-end da Solução VMware do Azure", - "waf": "Operações" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", + "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", + "service": "AKS", + "severity": "Baixo", + "text": "Se necessário, use instantâneos do nodePool", + "waf": "Custar" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": "AVS", - "severity": "Média", - "text": "Verifique se um monitor de conexão é criado a partir de um recurso local para uma máquina virtual da Solução VMware do Azure para monitorar a conectividade de ponta 2", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", + "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", + "service": "AKS", + "severity": "Baixo", + "text": "Considere pools de nós spot para cargas de trabalho não sensíveis ao tempo", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "severity": "Alto", - "text": "Quando o servidor de rotas for usado, certifique-se de que não mais de 1000 rotas sejam propagadas do servidor de rotas para o gateway ExR para o local (limite ARS).", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend 
compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", + "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "Baixo", + "text": "Considere o nó virtual AKS para intermitência rápida", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "severity": "Alto", - "text": "O Gerenciamento de Identidades Privilegiadas é implementado para funções que gerenciam o recurso da Solução VMware do Azure no Portal do Azure (não são permitidas permissões permanentes)", - "waf": "Segurança" + "text": "Monitore suas métricas de cluster com o Container Insights (ou outras ferramentas como o Prometheus)", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", + "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", + "service": "AKS", "severity": "Alto", - "text": "Os relatórios de auditoria do Gerenciamento de Identidades Privilegiadas devem ser 
implementados para as funções PIM da Solução VMware do Azure", - "waf": "Segurança" + "text": "Armazene e analise seus logs de cluster com o Container Insights (ou outras ferramentas como Telegraf/ElasticSearch)", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", + "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", + "service": "AKS", + "severity": "Média", + "text": "Monitorar a utilização da CPU e da memória dos nós", + "waf": "Operações" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1a4835ac-9422-423e-ae80-b123081a5417", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "Média", - "text": "Se o uso do Gerenciamento de Identidades Privilegiadas estiver sendo usado, certifique-se de que uma conta válida habilitada para ID do Entra seja criada com um registro SMTP válido para notificações de substituição automática do Host da Solução VMware do Azure. (permissões permanentes necessárias)", - "waf": "Segurança" + "text": "Se estiver usando o Azure CNI, monitore a % de IPs de pod consumidos por nó", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", - "severity": "Alto", - "text": "Limitar o uso da conta do CloudAdmin apenas ao acesso de emergência", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "A E/S no disco do sistema operacional é um recurso crítico. 
Se o sistema operacional nos nós for limitado na E/S, isso pode levar a um comportamento imprevisível, geralmente terminando no nó sendo declarado NotReady", + "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", + "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", + "service": "AKS", + "severity": "Média", + "text": "Monitorar a profundidade da fila de disco do sistema operacional nos nós", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "be209d39-fda4-4777-a424-d116785c2fa5", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "Média", - "text": "Criar funções RBAC personalizadas no vCenter para implementar um modelo de privilégios mínimos dentro do vCenter", - "waf": "Segurança" + "text": "Se não estiver usando filtragem de saída com AzFW/NVA, monitore as portas SNAT ALB alocadas padrão", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", + "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", + "service": "AKS", "severity": "Média", - "text": "É um processo definido para alternar regularmente as credenciais cloudadmin (vCenter) e admin (NSX)", - "waf": "Segurança" + "text": "Assine as notificações de integridade de recursos para seu cluster AKS", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "Alto", - "text": "Usar um provedor de identidade centralizado a ser usado para cargas de trabalho (VMs) em execução na Solução VMware do Azure", - "waf": "Segurança" + "text": "Configurar solicitações e limites nas especificações do pod", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "769ef669-1a48-435a-a942-223ece80b123", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", "severity": "Média", - "text": "A filtragem de tráfego Leste-Oeste é implementada no NSX-T", - "waf": "Segurança" + "text": "Impor cotas de recursos para namespaces", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "081a5417-4158-433e-a3ad-3c2de733165c", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", + "service": "AKS", "severity": "Alto", - "text": "As cargas de trabalho na Solução VMware do Azure não são diretamente expostas à Internet. 
O tráfego é filtrado e inspecionado pelo Gateway de Aplicativo do Azure, pelo Firewall do Azure ou por soluções de terceiros", - "waf": "Segurança" + "text": "Verifique se sua assinatura tem cota suficiente para expandir seus nodepools", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", - "severity": "Alto", - "text": "A auditoria e o registro em log são implementados para solicitações de entrada da Internet para cargas de trabalho baseadas na Solução VMware do Azure e na Solução VMware do Azure", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", + "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", + "severity": "Média", + "text": "Usar o Autoscaler de Cluster", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", - "severity": "Média", - "text": "O monitoramento de sessão é implementado para conexões de saída da Internet a partir da Solução VMware do Azure ou cargas de trabalho baseadas na Solução VMware do Azure para identificar atividades suspeitas/mal-intencionadas", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", + "guid": "831c2872-c693-4b39-a887-a561bada49bc", + "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", + 
"service": "AKS", + "severity": "Baixo", + "text": "Personalizar a configuração do nó para pools de nós AKS", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", + "link": "https://learn.microsoft.com/azure/aks/concepts-scale", + "service": "AKS", "severity": "Média", - "text": "A proteção padrão contra DDoS está habilitada na sub-rede do Gateway ExR/VPN no Azure", - "waf": "Segurança" + "text": "Use o Autoscaler do Pod Horizontal quando necessário", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", - "severity": "Média", - "text": "Usar uma estação de trabalho de acesso privilegiado (PAW) dedicada para gerenciar a Solução VMware do Azure, o vCenter, o gerenciador NSX e o gerenciador HCX", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "Nós maiores trarão maior desempenho e recursos, como discos efêmeros e rede acelerada, mas aumentarão o raio de explosão e diminuirão a granularidade de dimensionamento", + "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", + "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", + "service": "AKS", + "severity": "Alto", + "text": "Considere um tamanho de nó apropriado, não muito grande ou muito pequeno", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", - "severity": "Média", - "text": "Habilitar a Detecção Avançada de Ameaças 
(Microsoft Defender for Cloud, também conhecido como ASC) para cargas de trabalho em execução na Solução VMware do Azure", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", + "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", + "service": "AKS", + "severity": "Baixo", + "text": "Se mais de 5000 nós forem necessários para escalabilidade, considere o uso de um cluster AKS adicional", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", - "severity": "Média", - "text": "Usar o Azure ARC for Servers para controlar corretamente as cargas de trabalho em execução na Solução VMware do Azure usando tecnologias nativas do Azure (o Azure ARC for Azure VMware Solution ainda não está disponível)", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "severity": "Baixo", + "text": "Considere assinar o EventGrid Events para automação AKS", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", "severity": "Baixo", - "text": "Garanta que as cargas de trabalho na Solução VMware do Azure usem criptografia de dados suficiente durante o tempo de execução (como criptografia de disco convidado e 
SQL TDE). (a criptografia vSAN em repouso é padrão)", - "waf": "Segurança" + "text": "Para operações de longa duração em um cluster AKS, considere o encerramento do evento", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", "severity": "Baixo", - "text": "Quando a criptografia no convidado é usada, armazene chaves de criptografia no cofre de chaves do Azure quando possível", - "waf": "Segurança" + "text": "Se necessário, considere usar hosts dedicados do Azure para nós AKS", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", - "severity": "Média", - "text": "Considere usar o suporte estendido de atualização de segurança para cargas de trabalho em execução na Solução VMware do Azure (a Solução VMware do Azure é qualificada para ESU)", - "waf": "Segurança" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", + "severity": "Alto", + "text": "Usar discos efêmeros do sistema operacional", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": 
"Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", "severity": "Alto", - "text": "Certifique-se de que o método de redundância de dados vSAN apropriado seja usado (especificação RAID)", - "waf": "Fiabilidade" + "text": "Para discos não efêmeros, use IOPS altos e discos maiores do sistema operacional para os nós ao executar muitos pods/nó, pois requer alto desempenho para executar vários pods e gerará logs enormes com limites de rotação de log AKS padrão", + "waf": "Desempenho" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "Baixo", + "text": "Para a opção de armazenamento de hiperdesempenho, use Ultra Disks no AKS", + "waf": "Desempenho" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", + "severity": "Média", + "text": "Evite manter o estado no cluster e armazene dados fora (AzStorage, AzSQL, Cosmos, etc)", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", - "severity": "Alto", - "text": "Certifique-se de que a política de falha na tolerância esteja em vigor para atender às suas necessidades de armazenamento vSAN", - "waf": "Fiabilidade" + "arm-service": "microsoft.containerservice/managedClusters", + 
"checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", + "severity": "Média", + "text": "Se estiver usando o AzFiles Standard, considere o AzFiles Premium e/ou ANF por motivos de desempenho", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", - "severity": "Alto", - "text": "Certifique-se de ter solicitado cota suficiente, garantindo que você tenha considerado o crescimento e o requisito de recuperação de desastres", - "waf": "Fiabilidade" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", + "severity": "Média", + "text": "Se estiver usando Discos e AZs do Azure, considere ter nodepools dentro de uma zona para disco LRS com VolumeBindingMode:WaitForFirstConsumer para provisionar armazenamento na zona direita ou use o disco ZRS para nodepools abrangendo várias zonas", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", "severity": "Média", - "text": "Certifique-se de que as restrições de acesso ao ESXi sejam compreendidas, há limites de acesso que podem afetar as soluções de terceiros 3rd.", - "waf": "Operações" + "text": "Use o token revogável de longa duração, armazene seu token em cache e adquira o token silenciosamente 
usando a Microsoft Identity Library", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", "severity": "Média", - "text": "Certifique-se de ter uma política em torno da densidade e eficiência do host ESXi, tendo em mente o prazo de espera para solicitar novos nós", - "waf": "Operações" + "text": "Certifique-se de que os fluxos de usuário de entrada sejam armazenados em backup e resilientes. Certifique-se de que o código que você usa para entrar em seus usuários é de backup e recuperável. Interfaces resilientes com processos externos", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", "severity": "Média", - "text": "Garantir que um bom processo de gerenciamento de custos esteja em vigor para a Solução VMware do Azure - o Gerenciamento de Custos do Azure pode ser usado", - "waf": "Custar" + "text": "Os ativos de marca personalizados devem ser hospedados em uma CDN", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": 
"https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", "severity": "Baixo", - "text": "As instâncias reservadas do Azure são usadas para otimizar o custo de uso da Solução VMware do Azure", - "waf": "Custar" + "text": "Ter vários provedores de identidade (ou seja, fazer login com suas contas da Microsoft, Google, Facebook)", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "Média", - "text": "Considere o uso do Azure Private-Link ao usar outros Serviços Nativos do Azure", - "waf": "Segurança" + "text": "Siga as regras de VM para alta disponibilidade no nível da VM (discos premium, dois ou mais em uma região, em zonas de disponibilidade diferentes)", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", - "severity": "Alto", - "text": "Verifique se todos os recursos necessários residem na(s) mesma(s) zona(s) de disponibilidade do Azure", - "waf": "Desempenho" + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "Média", + "text": "Não replique! 
A replicação pode criar problemas com a sincronização de diretórios", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", "severity": "Média", - "text": "Habilitar cargas de trabalho de VM convidada do Microsoft Defender for Cloud for Azure VMware Solution", - "waf": "Segurança" + "text": "Ter ativo-ativo para várias regiões", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "Média", - "text": "Usar servidores habilitados para Arc do Azure para gerenciar suas cargas de trabalho de VM convidada da Solução VMware do Azure", - "waf": "Segurança" + "text": "Adicionar carimbos de serviço de Domínio do Azure AD a regiões e locais adicionais", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", - "severity": "Alto", - "text": "Habilitar o log de diagnóstico e de métrica na solução VMware do Azure", - "waf": "Operações" + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "Média", + 
"text": "Usar conjuntos de réplicas para DR", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d7941d4a-7b6f-458f-8714-2f8f8c059ad4", + "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", + "service": "APIM", "severity": "Média", - "text": "Implantar os agentes do Log Analytics nas cargas de trabalho da VM convidada da Solução VMware do Azure", + "text": "Implementar uma política de tratamento de erros em nível global", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0b0c0765-ff37-4369-90bd-3eb23ce71b08", + "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", + "service": "APIM", "severity": "Média", - "text": "Verifique se você tem uma política e uma solução de backup documentadas e implementadas para cargas de trabalho de VM da Solução VMware do Azure", + "text": "Certifique-se de que todas as políticas de APIs incluam um elemento .", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a5c45b03-93b6-42fe-b16b-8fccb6a79902", + "link": "https://learn.microsoft.com/azure/api-management/policy-fragments", + "service": "APIM", "severity": "Média", - "text": "Usar o Microsoft Defender 
for Cloud para monitoramento de conformidade de cargas de trabalho em execução no Azure VMware Solution", - "waf": "Segurança" + "text": "Usar fragmentos de política para evitar a repetição das mesmas definições de políticas em várias APIs", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c3818a95-6ff3-4474-88dc-e809b46dad6a", + "link": "https://learn.microsoft.com/azure/api-management/monetization-support", + "service": "APIM", "severity": "Média", - "text": "São as linhas de base de conformidade aplicáveis adicionadas ao Microsoft Defender for Cloud", - "waf": "Segurança" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", - "severity": "Alto", - "text": "A residência de dados foi avaliada ao selecionar regiões do Azure a serem usadas para a implantação da Solução VMware do Azure", - "waf": "Segurança" + "text": "Se você estiver planejando monetizar suas APIs, consulte o artigo 'suporte à monetização' para obter as práticas recomendadas", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "a7d0840a-c8c4-4e83-adec-5ca578eb4049", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", + "service": "APIM", "severity": "Alto", - "text": "As implicações do processamento de dados (modelo de prestador de serviços / consumidor de serviços) são claras e documentadas", - "waf": 
"Segurança" + "text": "Habilitar Configurações de Diagnóstico para exportar logs para o Azure Monitor", + "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8691fa38-45ed-4299-a247-fecd98d35deb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", + "service": "APIM", "severity": "Média", - "text": "Considere o uso de CMK (Customer Managed Key) para vSAN somente se necessário por motivo(s) de conformidade.", - "waf": "Segurança" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", - "severity": "Alto", - "text": "Criar painéis para habilitar os principais insights de monitoramento da Solução VMware do Azure", + "text": "Habilite o Application Insights para telemetria mais detalhada", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "55fd27bb-76ac-4a91-bc37-049e885be6b7", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", + "service": "APIM", "severity": "Alto", - "text": "Criar alertas de aviso para limites críticos para alertas automáticos sobre o desempenho da solução VMware do Azure (CPU >80%, memória média >80%, vSAN >70%)", + "text": "Configurar alertas sobre as métricas mais críticas", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "39460bdb-156f-4dc2-a87f-1e8c11ab0998", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", + "service": "APIM", "severity": "Alto", - "text": "Certifique-se de que o alerta crítico seja criado para monitorar se o consumo de vSAN está abaixo de 75%, pois esse é um limite de suporte do VMware", - "waf": "Operações" + "text": "Certifique-se de que os certificados SSL personalizados sejam armazenados em um Cofre de Chaves do Azure para que possam ser acessados e atualizados com segurança", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "e9217997-5f6c-479d-8576-8f2adf706ec8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", + "service": "APIM", "severity": "Alto", - "text": "Verifique se os alertas estão configurados para alertas e notificações de Integridade do Serviço do Azure", - "waf": "Operações" + "text": "Proteger solicitações de entrada para APIs (plano de dados) com o Azure AD", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management 
Review", + "guid": "5e5f64ba-c90e-480e-8888-398d96cf0bfb", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", + "service": "APIM", "severity": "Média", - "text": "Configurar o log da Solução VMware do Azure para ser enviado a uma conta de Armazenamento do Azure ou ao Azure EventHub para processamento", - "waf": "Operações" + "text": "Usar o Microsoft Entra ID para autenticar usuários no Portal do Desenvolvedor", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "severity": "Baixo", - "text": "Se for necessário um insight profundo no VMware vSphere: o vRealize Operations e/ou o vRealize Network Insights são usados na solução?", - "waf": "Operações" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8e574ce-280f-49c8-b2ef-68279b081cf3", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", + "service": "APIM", + "severity": "Média", + "text": "Criar grupos apropriados para controlar a visibilidade dos produtos", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", - "severity": "Alto", - "text": "Verifique se a política de armazenamento vSAN para VMs NÃO é a política de armazenamento padrão, pois essa política aplica provisionamento espesso", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "06862505-2d9a-4874-9491-2837b00a3475", + "link": "https://learn.microsoft.com/azure/api-management/backends", + "service": "APIM", + "severity": "Média", + "text": "Use o recurso Back-ends para eliminar configurações redundantes de back-end de API", "waf": "Operações" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "03b125d5-b69b-4739-b7fd-84b86da4933e", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", + "service": "APIM", "severity": "Média", - "text": "Verifique se as bibliotecas de conteúdo do vSphere não são colocadas no vSAN, pois o vSAN é um recurso finito", + "text": "Usar Valores Nomeados para armazenar valores comuns que podem ser usados em políticas", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "beae759e-4ddb-4326-bf26-47f87d3454b6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", + "service": "APIM", "severity": "Média", - "text": "Certifique-se de que os repositórios de dados da solução de backup sejam armazenados fora do armazenamento vSAN. 
No nativo do Azure ou em um armazenamento de dados com backup de pool de discos", - "waf": "Operações" + "text": "Para DR, aproveite o nível premium com implantações dimensionadas em duas ou mais regiões para um SLA de 99,99%", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "9c8d1664-dd9a-49d4-bd83-950af0af4044", + "link": "https://learn.microsoft.com/azure/api-management/high-availability", + "service": "APIM", "severity": "Média", - "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam gerenciadas de forma híbrida usando o Azure Arc for Servers (a Solução VMware do Arc for Azure está em visualização)", - "waf": "Operações" + "text": "Implante pelo menos uma unidade em duas ou mais zonas de disponibilidade para um SLA aumentado de 99,99%", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", - "severity": "Média", - "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam monitoradas usando o Azure Log Analytics e o Azure Monitor", - "waf": "Operações" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8d2db6e8-85c6-4118-a52c-ae76a4f27934", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", + "service": "APIM", + "severity": "Alto", + "text": "Verifique se há uma rotina de backup automatizada", + "waf": "Fiabilidade" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "43e60b94-7bca-43a2-aadf-efb04d63a485", + "link": "https://learn.microsoft.com/azure/api-management/retry-policy", + "service": "APIM", "severity": "Média", - "text": "Incluir cargas de trabalho em execução na Solução VMware do Azure nas ferramentas de gerenciamento de atualizações existentes ou no Gerenciamento de Atualizações do Azure", - "waf": "Operações" + "text": "Use Políticas para adicionar uma URL de back-end de failover e cache para reduzir chamadas com falha.", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", - "severity": "Média", - "text": "Usar a Política do Azure para integrar cargas de trabalho da Solução VMware do Azure nas soluções de Gerenciamento, Monitoramento e Segurança do Azure", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "8210699f-8d43-45c2-8f19-57e54134bd8f", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", + "service": "APIM", + "severity": "Baixo", + "text": "Se você precisar registrar em níveis de alto desempenho, considere a política de Hubs de Eventos", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "121bfc39-fa7b-4096-b93b-ab56c1bc0bed", + "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", + "service": "APIM", 
"severity": "Média", - "text": "Garantir que as cargas de trabalho em execução na Solução VMware do Azure sejam integradas ao Microsoft Defender for Cloud", - "waf": "Segurança" + "text": "Aplicar políticas de limitação para controlar o número de solicitações por segundo", + "training": "https://learn.microsoft.com/training/modules/protect-apis-on-api-management/", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "bb5f356b-3daf-47a2-a9ee-867a8100bbd5", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-autoscale", + "service": "APIM", "severity": "Média", - "text": "Certifique-se de que os backups não sejam armazenados no vSAN, pois o vSAN é um recurso finito", - "waf": "Fiabilidade" + "text": "Configurar o dimensionamento automático para dimensionar o número de instâncias quando a carga aumenta", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "84b94abb-59b6-4b9d-8587-3413669468e8", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-provision-self-hosted-gateway", + "service": "APIM", "severity": "Média", - "text": "Todas as soluções de DR foram consideradas e uma solução que é melhor para o seu negócio foi decidida? 
[SRM/JetStream/Zerto/Veeam/...]", - "waf": "Fiabilidade" + "text": "Implante gateways auto-hospedados onde o Azure não tem uma região próxima às APIs de back-end.", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1fe8db45-a017-4888-8c4d-4422583cfae0", + "link": "https://learn.microsoft.com/azure/api-management/upgrade-and-scale#upgrade-and-scale", + "service": "APIM", "severity": "Média", - "text": "Usar o Azure Site Recovery quando a tecnologia de Recuperação de Desastres for IaaS nativa do Azure", + "text": "Use a camada premium para cargas de trabalho de produção.", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", - "severity": "Alto", - "text": "Use planos de recuperação automatizados com qualquer uma das soluções de desastre, evite ao máximo tarefas manuais", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "1b8d68a4-66cd-44d5-ba94-3ee94440e8d6", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region#-route-api-calls-to-regional-backend-services", + "service": "APIM", + "severity": "Média", + "text": "No modelo de várias regiões, use Políticas para rotear as solicitações para back-ends regionais com base na disponibilidade ou latência.", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", - "severity": "Média", - "text": "Usar o par de regiões geopolíticas como o ambiente secundário de recuperação de desastres", 
+ "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "46f07d33-ef9a-44e8-8f98-67c097c5d8cd", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits", + "service": "APIM", + "severity": "Alto", + "text": "Esteja atento aos limites da APIM", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "10f58602-f0f9-4d77-972a-956f6e0f2600", + "link": "https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview", + "service": "APIM", "severity": "Alto", - "text": "Use 2 espaços de endereço diferentes entre as regiões, por exemplo: 10.0.0.0/16 e 192.168.0.0/16 para as diferentes regiões", + "text": "Certifique-se de que as implantações de gateway auto-hospedado sejam resilientes.", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "7519e385-a88b-4d34-966b-6269d686e890", + "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", + "service": "APIM", "severity": "Média", - "text": "O ExpressRoute Global Reach será usado para conectividade entre as Nuvens Privadas da Solução VMware do Azure primária e secundária ou o roteamento é feito por meio de dispositivos virtuais de rede?", - "waf": "Fiabilidade" + "text": "Usar o Azure Front Door na frente do APIM para implantação em várias regiões", + "waf": "Desempenho" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware 
Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "cd45c90e-7690-4753-930b-bf290c69c074", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", + "service": "APIM", "severity": "Média", - "text": "Todas as soluções de backup foram consideradas e uma solução que é melhor para o seu negócio foi decidida? [ MABS/CommVault/Metallic.io/Veeam/ . ]", - "waf": "Fiabilidade" + "text": "Implantar o serviço em uma rede virtual (VNet)", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "02661582-b3d1-48d1-9d7b-c6a918a0ca33", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", + "service": "APIM", "severity": "Média", - "text": "Implante sua solução de backup na mesma região que sua nuvem privada da Solução VMware do Azure", - "waf": "Fiabilidade" + "text": "Implante NSG (grupos de segurança de rede) em suas sub-redes para restringir ou monitorar o tráfego de/para APIM.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "67437a28-2721-4a2c-becd-caa54c8237a5", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", + "service": "APIM", "severity": "Média", - "text": "Implante sua solução de backup fora do vSan, em componentes nativos do Azure", - "waf": "Fiabilidade" + "text": "Implante pontos de extremidade privados para filtrar o tráfego de entrada quando o APIM não for implantado em uma rede virtual.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", - "severity": "Baixo", - "text": "Existe um processo para solicitar uma restauração dos componentes VMware gerenciados pela Plataforma Azure?", - "waf": "Fiabilidade" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "d698adbd-3288-44cb-b10a-9b572da395ae", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#disable-public-network-access", + "service": "APIM", + "severity": "Alto", + "text": "Desabilitar o acesso à rede pública", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantações manuais, todas as configurações e implantações devem ser documentadas", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "0674d750-0c6f-4ac0-8717-ceec04d0bdbd", + "link": "https://learn.microsoft.com/azure/api-management/automation-manage-api-management", + "service": "APIM", + "severity": "Média", + "text": "Simplifique o gerenciamento com scripts de 
automação do PowerShell", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantações manuais, considere implementar bloqueios de recursos para evitar ações acidentais em sua nuvem privada de solução VMware do Azure", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "c385bfcd-49fd-4786-81ba-cedbb4c57345", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", + "service": "APIM", + "severity": "Média", + "text": "Configure APIM via Infrastructure-as-code. Analise as práticas recomendadas de DevOps do Cloud Adaption Framework APIM Landing Zone Accelerator", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantações automatizadas, implante uma nuvem privada mínima e dimensione conforme necessário", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "6c3a27c0-197f-426c-9ffa-86fed51d9ab6", + "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", + "service": "APIM", + "severity": "Média", + "text": "Promover o uso da extensão API do Visual Studio Code para um desenvolvimento de API mais rápido", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantações automatizadas, solicite ou reserve cota antes de iniciar a implantação", + "arm-service": 
"Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "354f1c03-8112-4965-85ad-c0074bddf231", + "link": "https://learn.microsoft.com/azure/api-management/devops-api-development-templates", + "service": "APIM", + "severity": "Média", + "text": "Implemente DevOps e CI/CD em seu fluxo de trabalho", "waf": "Operações" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", - "severity": "Baixo", - "text": "Para implantação automatizada, verifique se os bloqueios de recursos relevantes são criados por meio da automação ou da Política do Azure para uma governança adequada", - "waf": "Operações" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "b6439493-426a-45f3-9697-cf65baee208d", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates-for-clients", + "service": "APIM", + "severity": "Média", + "text": "APIs seguras usando autenticação de certificado de cliente", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "Baixo", - "text": "Implemente nomes humanos compreensíveis para chaves de autorização ExR para permitir a fácil identificação da finalidade/uso das chaves", - "waf": "Operações" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2a67d143-1033-4c0a-8732-680896478f08", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-mutual-certificates", + "service": "APIM", + "severity": "Média", + "text": "Serviços de back-end seguros usando autenticação de certificado de cliente", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": 
"Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "Baixo", - "text": "Usar o Cofre de chaves para armazenar segredos e chaves de autorização quando Princípios de Serviço separados são usados para implantar a Solução VMware do Azure e a Rota Expressa", - "waf": "Operações" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "074435f5-4a46-41ac-b521-d6114cb5d845", + "link": "https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats", + "service": "APIM", + "severity": "Média", + "text": "Consulte o artigo \"Recomendações para mitigar as 10 principais ameaças da segurança da API OWASP\" e verifique o que é aplicável às suas APIs", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "Baixo", - "text": "Defina dependências de recursos para serializar ações no IaC quando muitos recursos precisarem ser implantados no/na Solução VMware do Azure, pois a Solução VMware do Azure oferece suporte apenas a um número limitado de operações paralelas.", - "waf": "Operações" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "5507c4b8-a7f8-41d6-9661-418c987100c9", + "link": "https://learn.microsoft.com/azure/api-management/authorizations-overview", + "service": "APIM", + "severity": "Média", + "text": "Usar o recurso Autorizações para simplificar o gerenciamento do token OAuth 2.0 para suas APIs de back-end", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", - "severity": "Baixo", - "text": "Ao executar a configuração automatizada de segmentos NSX-T com um único gateway de Camada 
1, use as APIs do Portal do Azure em vez das APIs do NSX-Manager", - "waf": "Operações" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "2deee033-b906-4bc2-9f26-c8d3699fe091", + "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers", + "service": "APIM", + "severity": "Alto", + "text": "Use a versão mais recente do TLS ao criptografar informações em trânsito. Desative protocolos e cifras desatualizados e desnecessários quando possível.", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", - "severity": "Média", - "text": "Ao pretender usar a expansão automatizada, certifique-se de aplicar cota suficiente da Solução VMware do Azure para as assinaturas que executam a Solução VMware do Azure", - "waf": "Desempenho" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "f8af3d94-1d2b-4070-846f-849197524258", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", + "service": "APIM", + "severity": "Alto", + "text": "Certifique-se de que os segredos (valores nomeados) sejam armazenados em um Cofre de Chaves do Azure para que possam ser acessados e atualizados com segurança", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "791abd8b-7706-4e31-9569-afefde724be3", + "link": 
"https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", + "service": "APIM", "severity": "Média", - "text": "Ao pretender usar o scale-in automatizado, certifique-se de levar em consideração os requisitos da política de armazenamento antes de executar essa ação", - "waf": "Desempenho" + "text": "Use identidades gerenciadas para autenticar em outros recursos do Azure sempre que possível", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", - "severity": "Média", - "text": "As operações de dimensionamento sempre precisam ser serializadas em um único SDDC, pois apenas uma operação de escala pode ser executada por vez (mesmo quando vários clusters são usados)", - "waf": "Desempenho" + "arm-service": "Microsoft.ApiManagement/service", + "checklist": "Azure API Management Review", + "guid": "220c4ca6-6688-476b-b2b5-425a78e6fb87", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", + "service": "APIM", + "severity": "Alto", + "text": "Usar o WAF (Web Application Firewall) implantando o Application Gateway na frente do APIM", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": 
"Alto", + "text": "Permitir que 2 réplicas tenham 99,9% de disponibilidade para operações de leitura", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "Média", - "text": "Considerar e validar operações de dimensionamento em soluções de terceiros 3rd usadas na arquitetura (suportadas ou não)", - "waf": "Desempenho" + "text": "Permitir que 3 réplicas tenham 99,9% de disponibilidade para operações de leitura/gravação", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", + "severity": "Alto", + "text": "Aproveite as zonas de disponibilidade habilitando réplicas de leitura e/ou gravação", + "waf": "Fiabilidade" + }, + { + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "Média", - "text": "Definir e impor limites máximos de entrada/saída de escala para seu ambiente nas automações", - "waf": "Desempenho" + "text": "Para redução regional, crie manualmente serviços em 2 ou mais regiões para a Pesquisa, pois não fornece um método automatizado de replicação de índices de pesquisa entre regiões geográficas", + "waf": 
"Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", "severity": "Média", - "text": "Implementar regras de monitoramento para monitorar operações de dimensionamento automatizadas e monitorar o sucesso e a falha para habilitar respostas apropriadas (automatizadas)", - "waf": "Operações" + "text": "Para sincronizar dados em vários serviços: Use indexadores para atualizar conteúdo em vários serviços ou Use APIs REST para enviar atualizações de conteúdo em vários serviços", + "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", - "severity": "Alto", - "text": "Ao usar o MON, esteja ciente dos limites de VMs configuradas simulataneamente (MON Limit for HCX [400 - standard, 1000 - Larger appliance])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", + "severity": "Média", + "text": "Usar o Gerenciador de Tráfego do Azure para coordenar solicitações", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - 
"checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", "severity": "Alto", - "text": "Ao usar o MON, você não pode habilitar o MON em mais de 100 extensões de rede", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "text": "Backup e restauração de um índice de pesquisa cognitiva do Azure. Use este código de exemplo para fazer backup da definição de índice e instantâneo em uma série de arquivos Json", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", - "severity": "Média", - "text": "Se estiver usando uma conexão VPN para migrações, ajuste o tamanho da MTU de acordo.", - "waf": "Desempenho" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "O Hub de Eventos do Azure fornece criptografia de dados em repouso. Se você usar sua própria chave, os dados ainda serão criptografados usando a chave gerenciada pela Microsoft, mas, além disso, a chave gerenciada pela Microsoft será criptografada usando a chave gerenciada pelo cliente. 
", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "Baixo", + "text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Os namespaces dos Hubs de Eventos do Azure permitem que os clientes enviem e recebam dados com TLS 1.0 e superior. Para impor medidas de segurança mais rígidas, você pode configurar o namespace dos Hubs de Eventos para exigir que os clientes enviem e recebam dados com uma versão mais recente do TLS. Se um namespace de Hubs de Eventos exigir uma versão mínima do TLS, todas as solicitações feitas com uma versão mais antiga falharão. 
", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "severity": "Média", - "text": "Para regiões de baixa conectividade conectadas ao Azure (500Mbps ou menos), considere implantar o dispositivo de otimização de WAN HCX", - "waf": "Desempenho" + "text": "Impor uma versão mínima necessária do TLS (Transport Layer Security) para solicitações ", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Quando você cria um namespace de Hubs de Eventos, uma regra de política chamada RootManageSharedAccessKey é criada automaticamente para o namespace. Essa política tem permissões de gerenciamento para todo o namespace. É recomendável que você trate essa regra como uma conta raiz administrativa e não a use em seu aplicativo. Recomenda-se o uso do AAD como um provedor de autenticação com RBAC. 
", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", "severity": "Média", - "text": "Certifique-se de que as migrações sejam iniciadas a partir do dispositivo local e NÃO do dispositivo em nuvem (NÃO execute uma migração reversa)", - "waf": "Fiabilidade" + "text": "Evite usar conta root quando não for necessário", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "As identidades gerenciadas para recursos do Azure podem autorizar o acesso a recursos dos Hubs de Eventos usando credenciais do Azure AD de aplicativos em execução em VMs (Máquinas Virtuais) do Azure, aplicativos de Função, Conjuntos de Dimensionamento de Máquina Virtual e outros serviços. Usando identidades gerenciadas para recursos do Azure junto com a autenticação do Azure AD, você pode evitar o armazenamento de credenciais com seus aplicativos executados na nuvem. 
", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "severity": "Média", - "text": "Quando o Azure Netapp Files for usado para estender o armazenamento para a Solução VMware do Azure, considere usá-lo como um armazenamento de dados VMware em vez de anexá-lo diretamente a uma VM.", - "waf": "Fiabilidade" + "text": "Quando possível, seu aplicativo deve estar usando uma identidade gerenciada para autenticar no Hub de Eventos do Azure. Caso contrário, considere ter a credencial de armazenamento (SAS, credencial da entidade de serviço) no Cofre de Chaves do Azure ou em um serviço equivalente", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", - "severity": "Média", - "text": "Verifique se um ExpressRoute Gateway dedicado está sendo usado para soluções de armazenamento de dados externos", - "waf": "Fiabilidade" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Ao criar permissões, forneça controle refinado sobre o acesso de um cliente ao Hub de Eventos do Azure. 
As permissões no Hub de Eventos do Azure podem e devem ter o escopo definido para o nível de recurso individual, por exemplo, grupo de consumidores, entidade de hub de eventos, namespaces de hub de eventos, etc.", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", + "severity": "Alto", + "text": "Usar RBAC do plano de dados de privilégios mínimos", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Os logs de recursos do Hub de Eventos do Azure incluem logs operacionais, logs de rede virtual e logs de Kafka. Os logs de auditoria de tempo de execução capturam informações de diagnóstico agregadas para todas as operações de acesso ao plano de dados (como eventos de envio ou recebimento) nos Hubs de Eventos.", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", "severity": "Média", - "text": "Verifique se o FastPath está habilitado no ExpressRoute Gateway que está sendo usado para soluções de armazenamento de dados externos", - "waf": "Fiabilidade" + "text": "Habilite o registro em log para investigação de segurança. 
Use o Azure Monitor para capturar métricas e logs como logs de recursos, logs de auditoria de tempo de execução e logs Kafka", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", - "severity": "Alto", - "text": "Se estiver usando cluster estendido, verifique se a solução de recuperação de desastres selecionada é suportada pelo fornecedor", - "waf": "Fiabilidade" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Por padrão, o Hub de Eventos do Azure tem um endereço IP público e pode ser acessado pela Internet. Os pontos de extremidade privados permitem que o tráfego entre sua rede virtual e o Hub de Eventos do Azure percorra a rede de backbone da Microsoft. Além disso, você deve desabilitar os pontos de extremidade públicos se eles não forem usados. 
", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", + "severity": "Média", + "text": "Considere o uso de pontos de extremidade privados para acessar o Hub de Eventos do Azure e desabilitar o acesso à rede pública quando aplicável.", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", - "severity": "Alto", - "text": "Se estiver usando cluster estendido, verifique se o SLA fornecido atenderá aos seus requisitos", - "waf": "Fiabilidade" + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Com o firewall IP, você pode restringir ainda mais o ponto de extremidade público a apenas um conjunto de endereços IPv4 ou intervalos de endereços IPv4 na notação CIDR (Roteamento entre Domínios Sem Classe). 
", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", + "severity": "Média", + "text": "Considere permitir apenas o acesso ao namespace do Hub de Eventos do Azure a partir de endereços IP ou intervalos específicos", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "Segurança" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", - "severity": "Alto", - "text": "Se estiver usando cluster estendido, verifique se ambos os circuitos da Rota Expressa estão conectados ao hub de conectividade.", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", + "severity": "Média", + "text": "Aproveite o Manual de Resilência do FTA", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": " Isso será ativado automaticamente para um novo namespace de EH criado a partir do portal com SKUs Premium, Dedicado ou Standard em uma região habilitada para região. 
Os metadados do EH e os próprios dados do evento são replicados entre zonas", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", "severity": "Alto", - "text": "Se estiver usando cluster estendido, verifique se ambos os circuitos da Rota Expressa têm o GlobalReach habilitado.", + "text": "Aproveite as zonas de disponibilidade, se aplicável regionalmente", "waf": "Fiabilidade" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "Alto", - "text": "Faça com que as configurações de tolerância a desastres do site tenham sido devidamente consideradas e alteradas para sua empresa, se necessário.", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", + "severity": "Média", + "text": "Use os SKUs Premium ou Dedicado para desempenho previsível", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "65285269-440b-44be-9d3e-0844276d4bdc", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", - "service": "Redis", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "O recurso interno de recuperação de desastres geográficos, quando habilitado, garante que toda a configuração de um namespace (Hubs de Eventos, Grupos de Consumidores e configurações) seja replicada continuamente de um namespace primário para um namespace secundário e permite uma 
movimentação de failover única do primário para o secundário a qualquer momento. O recurso Ativo/Passivo foi projetado para facilitar a recuperação e o abandono de uma região do Azure com falha sem precisar alterar as configurações do aplicativo", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", "severity": "Alto", - "text": "Habilite a redundância de zona para o Cache do Azure para Redis. O Cache do Azure para Redis dá suporte a configurações redundantes de zona nas camadas Premium e Enterprise. Um cache redundante de zona pode colocar seus nós em diferentes zonas de disponibilidade do Azure na mesma região. Ele elimina a interrupção do data center ou AZ como um único ponto de falha e aumenta a disponibilidade geral do cache.", - "waf": "Fiabilidade" - }, - { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", - "service": "Redis", - "severity": "Média", - "text": "Configure a persistência de dados para uma instância do Cache do Azure para Redis. Como os dados do cache são armazenados na memória, uma falha rara e não planejada de vários nós pode fazer com que todos os dados sejam descartados. 
Para evitar a perda completa de dados, a persistência do Redis permite que você tire instantâneos periódicos de dados na memória e os armazene em sua conta de armazenamento.", + "text": "Planejar a recuperação de desastres geográficos usando a configuração passiva ativa", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c", - "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", - "service": "Redis", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Deve ser usado para configurações de DR em que uma interrupção ou perda de dados de eventos na região derrubada não pode ser tolerada. Para esses casos, siga as diretrizes de replicação e não use o recurso interno de recuperação de desastres geográficos (ativo/passivo). Com Ativo/Ativo, mantenha vários Hubs de Eventos em diferentes regiões e namespaces, e os eventos serão replicados entre os hubs", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "severity": "Média", - "text": "Use a conta de armazenamento com redundância geográfica para persistir o Cache do Azure para dados Redis ou zonalmente redundante onde a redundância geográfica não está disponível", + "text": "Para aplicativos críticos para os negócios, use a configuração ativa", "waf": "Fiabilidade" }, { - "arm-service": "microsoft.cache/redis", - "checklist": "Redis Resiliency checklist", - "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", - "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", - "service": "Redis", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": 
"https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "severity": "Média", - "text": "Configure a replicação geográfica passiva para instâncias do Cache Premium do Azure para Redis. A replicação geográfica é um mecanismo para vincular duas ou mais instâncias do Cache do Azure para Redis, normalmente abrangendo duas regiões do Azure. A replicação geográfica foi projetada principalmente para recuperação de desastres entre regiões. Duas instâncias de cache de camada Premium são conectadas por meio de replicação geográfica de uma forma que fornece leituras e gravações no cache primário e que os dados são replicados para o cache secundário.", + "text": "Projetar Hubs de Eventos Resilientes", "waf": "Fiabilidade" } ], "metadata": { "name": "WAF checklist", - "timestamp": "August 05, 2024" + "timestamp": "August 08, 2024" }, "severities": [ { @@ -9018,7 +9018,7 @@ }, { "description": "Recomendação compreendida, mas não necessária pelos requisitos atuais", - "name": "Não é necessário" + "name": "Risco aceito" }, { "description": "Não aplicável ao projeto atual", diff --git a/checklists/waf_checklist.zh-Hant.json b/checklists/waf_checklist.zh-Hant.json index 7c2c24e92..692a96cf1 100644 --- a/checklists/waf_checklist.zh-Hant.json +++ b/checklists/waf_checklist.zh-Hant.json 
@@ -1,1231 +1,1023 @@
 {
 "items": [
 {
- "checklist": "Identity Review Checklist",
- "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c",
- "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens",
- "service": "Entra",
- "severity": "中等",
- "text": "使用長期可撤銷令牌,緩存令牌並使用 Microsoft 標識庫以靜默方式獲取令牌",
- "waf": "可靠性"
- },
- {
- "checklist": "Identity Review Checklist",
- "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd",
- "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops",
- "service": "AAD B2C",
- "severity": "中等",
- "text": "請確保登錄使用者流已備份並具有復原能力。請確保用於登錄使用者的代碼已備份且可恢復。與外部進程的彈性介面",
- "waf": "可靠性"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9",
+ "service": "AVS",
+ "severity": "高",
+ "text": "確保在本機 Azure 的標識訂閱中部署了 ADDS 域控制器",
+ "waf": "安全"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296",
- "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network",
- "service": "AAD B2C",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "75089c20-990d-4927-b105-885576f76fc2",
+ "service": "AVS",
 "severity": "中等",
- "text": "自訂品牌資產應託管在CDN上",
- "waf": "性能"
+ "text": "確保將 ADDS 網站和服務配置為將來自基於 Azure 的資源(包括 Azure VMware 解決方案)的身份驗證請求保留到 Azure 本地",
+ "waf": "安全"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64",
- "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance",
- "service": "AAD B2C",
- "severity": "低",
- "text": "擁有多個標識提供者(即使用您的 Microsoft、Google、Facebook 帳戶登錄)",
- "waf": "可靠性"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80",
+ "service": "AVS",
+ "severity": "高",
+ "text": "確保 vCenter 已連接到 ADDS,以啟用基於「指定用戶帳戶」的身份驗證",
+ "waf": "安全"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a",
+ "service": "AVS",
 "severity": "中等",
- "text": "遵循 VM 規則,實現 VM 級別的高可用性(高級磁碟,一個區域中的兩個或更多磁碟,位於不同的可用性區域)",
- "waf": "可靠性"
+ "text": "確保從 vCenter 到 ADDS 的連接使用安全協定 (LDAPS)",
+ "waf": "安全"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a",
+ "service": "AVS",
 "severity": "中等",
- "text": "不要複製!複製可能會產生目錄同步問題",
- "waf": "可靠性"
+ "text": "vCenter IdP 中的 CloudAdmin 帳戶僅用作緊急帳戶 (break-glass)",
+ "waf": "安全"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "79b598de-fc59-472c-b4cd-21b078036f5e",
- "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/",
- "service": "Windows AD",
- "severity": "中等",
- "text": "對多區域具有主動-主動",
- "waf": "可靠性"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3",
+ "service": "AVS",
+ "severity": "高",
+ "text": "確保 NSX-Manager 與外部身份提供程式 (LDAPS) 集成",
+ "waf": "安全"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ae0e37ce-e297-411b-b352-caaab79b198d",
+ "service": "AVS",
 "severity": "中等",
- "text": "將 Azure AD 域服務標記添加到其他區域和位置",
- "waf": "可靠性"
+ "text": "是否已創建 RBAC 模型以在 VMware vSphere 中使用",
+ "waf": "安全"
 },
 {
- "checklist": "Identity Review Checklist",
- "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4",
- "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill",
- "service": "Entra",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e",
+ "service": "AVS",
 "severity": "中等",
- "text": "將副本集用於DR",
- "waf": "可靠性"
+ "text": "RBAC 許可權應授予 ADDS 組,而不是特定使用者",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "65285269-440b-44be-9d3e-0844276d4bdc",
- "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy",
- "service": "Redis",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d",
+ "service": "AVS",
 "severity": "高",
- "text": "為 Azure Cache for Redis 啟用區域冗餘。Azure Cache for Redis 支持高級層和企業層中的區域冗餘配置。區域冗餘緩存可以將其節點放置在同一區域的不同 Azure 可用性區域中。它消除了作為單點故障的數據中心或可用區中斷,並提高了緩存的整體可用性。",
- "waf": "可靠性"
- },
- {
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429",
- "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence",
- "service": "Redis",
- "severity": "中等",
- "text": "為 Azure Cache for Redis 實例配置數據持久性。由於緩存數據存儲在記憶體中,因此多個節點的罕見和計劃外故障可能會導致所有數據被丟棄。為了避免完全丟失數據,Redis 持久性允許您定期拍攝記憶體中數據的快照,並將其存儲到存儲帳戶中。",
- "waf": "可靠性"
+ "text": "Azure 中 Azure VMware 解決方案資源的 RBAC 許可權僅「鎖定」為一組有限的擁有者",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "eb722823-7a15-41c5-ab4e-4f1814387e5c",
- "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence",
- "service": "Redis",
- "severity": "中等",
- "text": "使用異地冗餘存儲帳戶保留 Azure Cache for Redis 數據,或在異地冗餘不可用的情況下使用區域冗餘",
- "waf": "可靠性"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5",
+ "service": "AVS",
+ "severity": "高",
+ "text": "確保所有自定義角色的範圍都具有 CloudAdmin 允許的授權",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.cache/redis",
- "checklist": "Redis Resiliency checklist",
- "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789",
- "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication",
- "service": "Redis",
- "severity": "中等",
- "text": "為高級 Azure Cache for Redis 實例配置被動異地複製。異地複製是一種用於連結兩個或多個 Azure Cache for Redis 實例的機制,通常跨越兩個 Azure 區域。異地複製主要用於跨區域災難恢復。兩個高級層緩存實例通過異地複製進行連接,從而提供對主緩存的讀取和寫入,並將數據複製到輔助緩存。",
- "waf": "可靠性"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510",
+ "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking",
+ "service": "AVS",
+ "severity": "高",
+ "text": "是否為手頭的客戶用例選擇了正確的 Azure VMware 解決方案連接模型",
+ "waf": "性能"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a",
- "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc",
- "service": "AKS",
- "severity": "低",
- "text": "如果 AKS Windows 工作負載需要,可以使用 HostProcess 容器",
- "waf": "可靠性"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5",
+ "service": "AVS",
+ "severity": "高",
+ "text": "確保使用「連接監視器」監視從本地到 Azure 的 ExpressRoute 或 VPN 連接",
+ "waf": "操作"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926",
- "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda",
- "service": "AKS",
- "severity": "低",
- "text": "如果運行事件驅動的工作負載,請使用KEDA",
- "waf": "性能"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99",
+ "service": "AVS",
+ "severity": "中等",
+ "text": "確保創建從 Azure 本機資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視 Azure VMware 解決方案後端 ExpressRoute 連接",
+ "waf": "操作"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "26886d20-b66c-457b-a591-19bf8e8f5c58",
- "link": "https://dapr.io/",
- "service": "AKS",
- "severity": "低",
- "text": "使用 Dapr 簡化微服務開發",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265",
+ "service": "AVS",
+ "severity": "中等",
+ "text": "確保創建從本地資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視端到端連接",
 "waf": "操作"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant",
- "guid": "71d41e36-10cc-457b-9a4b-1410d4395898",
- "link": "https://learn.microsoft.com/azure/aks/uptime-sla",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649",
+ "service": "AVS",
 "severity": "高",
- "text": "使用 SLA 支援的 AKS 產品/服務",
- "waf": "可靠性"
+ "text": "使用路由伺服器時,請確保從路由伺服器到 ExR 閘道再到本地的路由不超過 1000 個(ARS 限制)。",
+ "waf": "操作"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
- "service": "AKS",
- "severity": "低",
- "text": "在容器和部署定義中使用中斷預算",
- "waf": "可靠性"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3",
+ "service": "AVS",
+ "severity": "高",
+ "text": "是否為在 Azure 門戶中管理 Azure VMware 解決方案資源的角色實現了 Privileged Identity Management(不允許長期許可權)",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure AKS Review",
- "guid": "3c763963-7a55-42d5-a15e-401955387e5c",
- "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
- "service": "ACR",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c",
+ "service": "AVS",
 "severity": "高",
- "text": "如果使用專用註冊表,請配置區域複製以將映像存儲在多個區域中",
- "waf": "可靠性"
+ "text": "應為 Azure VMware 解決方案 PIM 角色實現 Privileged Identity Management 審核報告",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost",
- "service": "AKS",
- "severity": "低",
- "text": "使用外部應用(如 kubecost)將成本分配給不同的使用者",
- "waf": "成本"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c",
- "link": "https://learn.microsoft.com/azure/aks/scale-down-mode",
- "service": "AKS",
- "severity": "低",
- "text": "使用縮減模式刪除/取消分配節點",
- "waf": "成本"
- },
- {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc",
- "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5",
+ "service": "AVS",
 "severity": "中等",
- "text": "需要時,請在 AKS 群集上使用多實例分組 GPU",
- "waf": "成本"
+ "text": "如果使用 Privileged Identity Management,請確保使用有效的 SMTP 記錄創建啟用了 Entra ID 的有效帳戶,以便 Azure VMware 解決方案自動主機更換通知。(需要長期許可)",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8",
- "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools",
- "service": "AKS",
- "severity": "低",
- "text": "如果運行開發/測試群集,請使用 NodePool Start/Stop",
- "waf": "成本"
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e",
+ "service": "AVS",
+ "severity": "高",
+ "text": "將 CloudAdmin 帳戶的使用限制為僅緊急訪問",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant",
- "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1",
+ "service": "AVS",
 "severity": "中等",
- "text": "使用適用於 Kubernetes 的 Azure Policy 確保群集符合性",
+ "text": "在 vCenter 中創建自定義 RBAC 角色,以在 vCenter 中實施最小特權模型",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)",
- "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18",
+ "service": "AVS",
 "severity": "中等",
- "text": "使用使用者/系統節點池將應用程式與控制平面分開",
+ "text": "是定義為定期輪換 cloudadmin (vCenter) 和管理員 (NSX) 憑據的過程",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea",
- "link": "https://learn.microsoft.com/azure/aks/use-system-pools",
- "service": "AKS",
- "severity": "低",
- "text": "向系統節點池添加污點以使其專用",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5",
+ "service": "AVS",
+ "severity": "高",
+ "text": "使用集中式識別提供者用於在 Azure VMware 解決方案上運行的工作負載 (VM)",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf",
- "link": "https://learn.microsoft.com/azure/container-registry/",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4",
+ "service": "AVS",
 "severity": "中等",
- "text": "對映像使用專用註冊表,例如 ACR",
+ "text": "是否在 NSX-T 中實施了東西向流量篩選",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerregistry/registries",
- "checklist": "Azure AKS Review",
- "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6",
- "link": "https://learn.microsoft.com/azure/security-center/container-security",
- "service": "ACR",
- "severity": "中等",
- "text": "掃描映像以查找漏洞",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd",
+ "service": "AVS",
+ "severity": "高",
+ "text": "Azure VMware 解決方案上的工作負載不會直接向 Internet 公開。流量由 Azure 應用程式閘道、Azure 防火牆或第三方解決方案進行篩選和檢查",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7",
- "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938",
+ "service": "AVS",
 "severity": "高",
- "text": "定義應用分離要求(命名空間/節點池/集群)",
+ "text": "對 Azure VMware 解決方案和基於 Azure VMware 解決方案的工作負載的入站 Internet 請求實施審核和日誌記錄",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e",
- "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "29e3eec2-1836-487a-8077-a2b5945bda43",
+ "service": "AVS",
 "severity": "中等",
- "text": "使用 CSI 機密存儲驅動程式將機密存儲在 Azure Key Vault 中",
+ "text": "對來自 Azure VMware 解決方案或基於 Azure VMware 解決方案的工作負載的出站 Internet 連接實施會話監視,以識別可疑/惡意活動",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66",
- "link": "https://learn.microsoft.com/azure/aks/update-credentials",
- "service": "AKS",
- "severity": "高",
- "text": "如果將服務主體用於群集,請定期刷新憑據(如每季度)",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "334fdf91-c234-4182-a652-75269440b4be",
+ "service": "AVS",
+ "severity": "中等",
+ "text": "是否在 Azure 的 ExR/VPN 閘道子網上啟用了 DDoS 標準防護",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "e7ba73a3-0508-4f80-806f-527db30cee96",
- "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb",
+ "service": "AVS",
 "severity": "中等",
- "text": "如果需要,請添加金鑰管理服務 etcd 加密",
+ "text": "使用專用特權訪問工作站 (PAW) 管理 Azure VMware 解決方案、vCenter、NSX Manager 和 HCX Manager",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31",
- "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview",
- "service": "AKS",
- "severity": "低",
- "text": "如果需要,請考慮使用適用於 AKS 的機密計算",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d",
+ "service": "AVS",
+ "severity": "中等",
+ "text": "為 Azure VMware 解決方案上運行的工作負載啟用高級威脅檢測(Microsoft Defender for Cloud,又名 ASC)",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable",
- "service": "AKS",
+ "arm-service": "Microsoft.AVS/privateClouds",
+ "checklist": "Azure VMware Solution Design Review",
+ "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45",
+ "service": "AVS",
 "severity": "中等",
- "text": "考慮使用 Defender for Containers",
+ "text": "使用適用於伺服器的 Azure ARC 使用 Azure 本機技術正確管理在 Azure VMware 解決方案上運行的工作負載(適用於 Azure VMware 解決方案的 Azure ARC 尚不可用)",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Azure AKS Review",
- "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", - "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", - "service": "AKS", - "severity": "高", - "text": "使用託管標識而不是服務主體", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "85e12139-bd7b-4b01-8f7b-95ef6e043e2a", + "service": "AVS", + "severity": "低", + "text": "確保 Azure VMware 解決方案上的工作負載在運行時使用足夠的數據加密(如來賓內磁碟加密和 SQL TDE)。(vSAN 靜態加密為預設加密)", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", - "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", - "link": "https://learn.microsoft.com/azure/aks/managed-aad", - "service": "AKS", - "severity": "中等", - "text": "將身份驗證與 AAD(使用託管集成)集成", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a3592718-e6e2-4051-9267-6ae46691e883", + "service": "AVS", + "severity": "低", + "text": "使用來賓內加密時,請盡可能將加密密鑰存儲在 Azure Key Vault 中", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", - "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5ac94222-3e13-4810-9230-81a941741583", + "service": "AVS", "severity": "中等", - "text": "限制對管理員 kubeconfig (get-credentials --admin) 的訪問", + "text": "請考慮對 Azure VMware 解決方案上運行的工作負載使用擴展的安全更新支援(Azure VMware 解決方案符合 ESU 條件)", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - 
"checklist": "Azure AKS Review", - "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", - "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", - "service": "AKS", - "severity": "中等", - "text": "將授權與 AAD RBAC 集成", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", + "service": "AVS", + "severity": "高", + "text": "確保使用適當的 vSAN 資料冗餘方法(RAID 規範)", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d88408f3-7273-44c8-96ba-280214590146", + "service": "AVS", "severity": "高", - "text": "在 Kubernetes 中使用命名空間限制 RBAC 許可權", - "waf": "安全" + "text": "確保允許失敗策略已到位,以滿足您的 vSAN 儲存需求", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", - "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", - "service": "AKS", - "severity": "中等", - "text": "對於 Pod Identity Access Management,請使用 Azure AD 工作負載標識(預覽版)", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", + "service": "AVS", + "severity": "高", + "text": "確保已請求足夠的配額,確保已考慮增長和災難恢復要求", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": 
"Azure VMware Solution Design Review", + "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", + "service": "AVS", "severity": "中等", - "text": "對於 AKS 非互動式登錄名,請使用 kubelogin(預覽版)", - "waf": "安全" + "text": "確保瞭解對 ESXi 的訪問限制,其中存在可能影響第三方解決方案的訪問限制。", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", - "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", + "service": "AVS", "severity": "中等", - "text": "禁用 AKS 本地帳戶", - "waf": "安全" + "text": "確保您制定了有關ESXi主機密度和效率的策略,並牢記請求新節點的提前期", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", - "service": "AKS", - "severity": "低", - "text": "如果需要,請配置 Just-in-time 群集訪問", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", + "service": "AVS", + "severity": "中等", + "text": "確保 Azure VMware 解決方案的良好成本管理流程已到位 - 可以使用 Azure 成本管理", + "waf": "成本" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", - "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": 
"6e043e2a-a359-4271-ae6e-205172676ae4", + "service": "AVS", "severity": "低", - "text": "如果需要,為 AKS 配置 AAD 條件訪問", - "waf": "安全" + "text": "Azure 預留實例是否用於優化使用 Azure VMware 解決方案的成本", + "waf": "成本" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", - "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", - "service": "AKS", - "severity": "低", - "text": "如果 Windows AKS 工作負載需要,請配置 gMSA", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6691e883-5ac9-4422-83e1-3810523081a9", + "service": "AVS", + "severity": "中等", + "text": "使用其他 Azure 本機服務時,請考慮使用 Azure 專用連結", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", - "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", + "service": "AVS", + "severity": "高", + "text": "確保所有必需的資源都駐留在同一個 Azure 可用性區域中", + "waf": "性能" + }, + { + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", + "service": "AVS", "severity": "中等", - "text": "為了獲得更精細的控制,請考慮使用託管的 Kubelet 身份", + "text": "為 Azure VMware 解決方案來賓 VM 工作負載啟用 Microsoft Defender for Cloud", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", - "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design 
Review", + "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", + "service": "AVS", "severity": "中等", - "text": "如果使用 AGIC,請勿跨集群共用 AppGW", - "waf": "可靠性" + "text": "使用已啟用 Azure Arc 的伺服器管理 Azure VMware 解決方案來賓 VM 工作負載", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", - "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", - "link": "https://learn.microsoft.com/azure/aks/http-application-routing", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", + "service": "AVS", "severity": "高", - "text": "不要使用 AKS HTTP 路由載入項,而是將託管 NGINX 入口與應用程式路由載入項一起使用。", - "waf": "可靠性" + "text": "在 Azure VMware 解決方案上啟用診斷和指標日誌記錄", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", - "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", + "service": "AVS", "severity": "中等", - "text": "對於 Windows 工作負載,請使用加速網路", - "waf": "性能" + "text": "將Log Analytics代理部署到 Azure VMware 解決方案來賓 VM 工作負載", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", - "guid": "ba7da7be-9952-4914-a384-5d997cb39132", - "link": 
"https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", - "severity": "高", - "text": "使用標準 ALB(而不是基本 ALB)", - "waf": "可靠性" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "589d457a-927c-4397-9d11-02cad6aae11e", + "service": "AVS", + "severity": "中等", + "text": "確保已針對 Azure VMware 解決方案 VM 工作負載記錄並實施了備份策略和解決方案", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ee29711b-d352-4caa-ab79-b198dab81932", + "service": "AVS", "severity": "中等", - "text": "如果使用 Azure CNI,請考慮對 NodePool 使用不同的子網", + "text": "使用 Microsoft Defender for Cloud 對 Azure VMware 解決方案上運行的工作負載進行合規性監視", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", - "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", + "service": "AVS", "severity": "中等", - "text": "使用專用終結點(首選)或虛擬網路服務終結點從群集訪問 PaaS 服務", + "text": "是否將適用的合規性基線添加到 Microsoft Defender for Cloud", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", - "guid": "a0f61565-9de5-458f-a372-49c831112dbd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", 
- "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", + "service": "AVS", "severity": "高", - "text": "選擇最適合你要求的 CNI 網路外掛程式(建議使用 Azure CNI)", - "waf": "可靠性" + "text": "在選擇要用於 Azure VMware 解決方案部署的 Azure 區域時是否評估了數據駐留", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", + "service": "AVS", "severity": "高", - "text": "如果使用 Azure CNI,請根據每個節點的最大 Pod 數相應地調整子網的大小", - "waf": "性能" + "text": "數據處理影響(服務提供者/服務消費者模型)是否清晰且有據可查", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", - "severity": "高", - "text": "如果使用 Azure CNI,請檢查每個節點的最大 Pod 數(預設為 30)", - "waf": "性能" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "547c1747-dc56-4068-a714-435cd19dd244", + "service": "AVS", + "severity": "中等", + "text": "僅當出於合規性原因需要時,才考慮將CMK(客戶管理的密鑰)用於 vSAN。", + "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "對於內部應用,組織通常會在其防火牆中打開整個AKS子網。這也會打開對節點的網路訪問,並可能打開對 Pod 的訪問(如果使用 Azure CNI)。如果 LoadBalancer IP 位於不同的子網中,則只有此子網可供應用用戶端使用。另一個原因是,如果 AKS 子網中的 IP 位址是稀缺資源,則將其 IP 位址用於服務會降低群集的最大可伸縮性。", - "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", - "link": "https://learn.microsoft.com/azure/aks/internal-lb", - "service": "AKS", - "severity": "低", - "text": "如果使用專用IP LoadBalancer服務,請使用專用子網(而不是 AKS 
子網)", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", + "service": "AVS", + "severity": "高", + "text": "創建儀錶板以啟用核心 Azure VMware 解決方案監視見解", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", + "service": "AVS", "severity": "高", - "text": "相應調整服務 IP 位址範圍的大小(這將限制群集的可伸縮性)", - "waf": "可靠性" + "text": "針對 Azure VMware 解決方案性能(CPU >80%、平均記憶體 >80%、vSAN >70%)自動警報的關鍵閾值創建警告警報", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", - "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", - "service": "AKS", - "severity": "低", - "text": "如果需要,請添加您自己的 CNI 外掛程式", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9659e396-80e7-4828-ac93-5657d02bff45", + "service": "AVS", + "severity": "高", + "text": "確保創建嚴重警示以監控 vSAN 消耗量是否低於 75%,因為這是 VMware 的支援閾值", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", - "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", - "service": "AKS", - "severity": "低", - "text": "如果需要,請在 AKS 中配置每個節點的公共 IP", - "waf": "性能" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", + "service": "AVS", + "severity": "高", + "text": 
"確保為 Azure 服務運行狀況警報和通知配置警報", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", - "link": "https://learn.microsoft.com/azure/aks/concepts-network", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b6abad38-aad5-43cc-99e1-d86667357c54", + "service": "AVS", "severity": "中等", - "text": "使用入口控制器公開基於 Web 的應用,而不是使用 LoadBalancer 類型的服務公開它們", - "waf": "可靠性" + "text": "將 Azure VMware 解決方案記錄設定為發送到 Azure 儲存帳戶或 Azure EventHub 進行處理", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", - "link": "https://learn.microsoft.com/azure/aks/nat-gateway", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", + "service": "AVS", "severity": "低", - "text": "使用 Azure NAT 閘道作為 outboundType 來縮放出口流量", - "waf": "可靠性" + "text": "如果需要深入瞭解 VMware vSphere:解決方案中是否使用了 vRealize Operations 和/或 vRealize Network Insights?", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", - "service": "AKS", - "severity": "中等", - "text": "使用IP的動態分配來避免 Azure CNI IP 耗盡", - "waf": "可靠性" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", + "service": "AVS", + "severity": "高", + "text": "確保虛擬機的 vSAN 儲存策略不是預設存儲策略,因為此策略應用厚置備", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where 
type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", - "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", - "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", - "service": "AKS", - "severity": "高", - "text": "如果安全要求要求,請使用 AzFW/NVA 篩選出口流量", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", + "service": "AVS", + "severity": "中等", + "text": "確保未將 vSphere 內容庫放置在 vSAN 上,因為 vSAN 是有限的資源", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", - "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", - "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", + "service": "AVS", "severity": "中等", - "text": "如果使用公共 API 終端節點,請限制可以存取它的 IP 位址", - "waf": "安全" + "text": "確保備份解決方案的數據存儲庫存儲在 vSAN 儲存之外。在 Azure 本機或磁碟池支持的數據存儲中", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", - "link": 
"https://learn.microsoft.com/azure/aks/private-clusters", - "service": "AKS", - "severity": "高", - "text": "如果要求要求,請使用私有集群", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", + "service": "AVS", + "severity": "中等", + "text": "確保使用 Azure Arc for Servers 進行混合管理,確保在 Azure VMware 解決方案上運行的工作負載(Arc for Azure VMware 解決方案處於預覽狀態)", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", - "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", + "service": "AVS", "severity": "中等", - "text": "對於 Windows 2019 和 2022 AKS 節點,可以使用 Calico 網路策略", - "waf": "安全" + "text": "確保使用 Azure Log Analytics 和 Azure Monitor 監視在 Azure VMware 解決方案上運行的工作負載", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", - "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", - "link": "https://learn.microsoft.com/azure/aks/use-network-policies", - "service": "AKS", - "severity": "高", - "text": "啟用 Kubernetes 網路策略選項 (Calico/Azure)", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", + "service": "AVS", + "severity": 
"中等", + "text": "在現有更新管理工具或 Azure 更新管理中包括在 Azure VMware 解決方案上運行的工作負載", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "高", - "text": "使用 Kubernetes 網路策略提高集群內安全性", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", + "service": "AVS", + "severity": "中等", + "text": "使用 Azure Policy 在 Azure 管理、監視和安全解決方案中加入 Azure VMware 解決方案工作負載", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", - "service": "AKS", - "severity": "高", - "text": "將 WAF 用於 Web 工作負載(UI 或 API)", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", + "service": "AVS", + "severity": "中等", + "text": "確保在 Azure VMware 解決方案上運行的工作負載已載入 Microsoft Defender for Cloud", "waf": "安全" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | 
extend compliant = (enableDdosProtection == 'true')", - "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94", - "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", + "service": "AVS", "severity": "中等", - "text": "在 AKS 虛擬網路中使用 DDoS 標準", - "waf": "安全" + "text": "確保備份不存儲在 vSAN 上,因為 vSAN 是有限的資源", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')", - "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266", - "link": "https://learn.microsoft.com/azure/aks/http-proxy", - "service": "AKS", - "severity": "低", - "text": "如果需要,請添加公司 HTTP 代理", - "waf": "安全" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", + "service": "AVS", + "severity": "中等", + "text": "是否考慮了所有災難恢復解決方案,並決定了最適合您業務的解決方案?[SRM/JetStream/Zerto/Veeam/...]", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b", - "link": "https://learn.microsoft.com/azure/aks/servicemesh-about", - "service": "AKS", + 
"arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", + "service": "AVS", "severity": "中等", - "text": "考慮使用服務網格進行高級微服務通信管理", - "waf": "安全" + "text": "當災難恢復技術是本機 Azure IaaS 時,請使用 Azure Site Recovery", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", + "service": "AVS", "severity": "高", - "text": "設定有關最關鍵指標的警報(請參閱容器見解以獲取建議)", - "waf": "操作" + "text": "將自動恢復計劃與任一災難解決方案結合使用,盡可能避免手動任務", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "337453a3-cc63-4963-9a65-22ac19e80696", - "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started", - "service": "AKS", - "severity": "低", - "text": "定期查看 Azure 顧問,瞭解有關群集的建議", - "waf": "操作" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "8255461e-2aee-4345-9aec-8339248b262d", + "service": "AVS", + "severity": "中等", + "text": "使用地緣政治區域對作為輔助災難恢復環境", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced", - "link": "https://learn.microsoft.com/azure/aks/certificate-rotation", - "service": "AKS", - "severity": "低", - "text": "啟用 AKS 自動證書輪換", - "waf": "操作" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", + "service": "AVS", + "severity": "高", + "text": "在區域之間使用 2 個不同的地址空間,例如:10.0.0.0/16 和 
192.168.0.0/16 用於不同的區域", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370", - "link": "https://learn.microsoft.com/azure/aks/supported-kubernetes-versions", - "service": "AKS", - "severity": "高", - "text": "定期(例如,每季度)升級 kubernetes 版本,或使用 AKS 自動升級功能", - "waf": "操作" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", + "service": "AVS", + "severity": "中等", + "text": "ExpressRoute Global Reach 是用於主 Azure VMware 解決方案私有雲和輔助 Azure VMware 解決方案私有雲之間的連接,還是通過網路虛擬設備完成路由?", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82", - "link": "https://learn.microsoft.com/azure/aks/node-updates-kured", - "service": "AKS", - "severity": "高", - "text": "如果您不使用 node-image 升級,請使用 kured 進行 Linux 節點升級", - "waf": "操作" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", + "service": "AVS", + "severity": "中等", + "text": "是否考慮了所有備份解決方案,並決定了最適合您業務的解決方案?[ MABS/CommVault/Metallic.io/Veeam/ .", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "139c9580-ade3-426a-ba09-cf157d9f6477", - "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade", - "service": "AKS", - "severity": "高", - "text": "定期(例如,每周)升級群集節點映像的常規過程", - "waf": "操作" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", + "service": "AVS", + "severity": "中等", + "text": "將備份解決方案部署在與 Azure VMware 解決方案私有雲相同的區域中", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - 
"guid": "0102ce16-ee30-41e6-b882-e52e4621dd68", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments", - "service": "AKS", - "severity": "低", - "text": "考慮使用 gitops 將應用程式或集群配置部署到多個集群", - "waf": "操作" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", + "service": "AVS", + "severity": "中等", + "text": "在 vSan 外部的 Azure 本機組件上部署備份解決方案", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "d7672c26-7602-4482-85a4-14527fbe855c", - "link": "https://learn.microsoft.com/azure/aks/command-invoke", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", + "service": "AVS", "severity": "低", - "text": "請考慮在專用群集上使用 AKS 命令調用", - "waf": "操作" + "text": "是否已制定請求還原由 Azure 平臺管理的 VMware 元件的流程?", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b", - "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", + "service": "AVS", "severity": "低", - "text": "對於計劃的事件,請考慮使用 Node Auto Drain", - "waf": "操作" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c", - "link": "https://learn.microsoft.com/azure/aks/faq", - "service": "AKS", - "severity": "高", - "text": "開發自己的治理實踐,以確保節點 RG(又名“基礎設施 RG”)中的操作員不會執行任何更改", + "text": "對於手動部署,必須記錄所有配置和部署", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS 
Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant", - "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", + "service": "AVS", "severity": "低", - "text": "使用自定義節點 RG(又名“Infra RG”)名稱", + "text": "對於手動部署,請考慮實施資源鎖,以防止對 Azure VMware 解決方案私有雲執行意外操作", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32", - "link": "https://kubernetes.io/docs/setup/release/notes/", - "service": "AKS", - "severity": "中等", - "text": "請勿在 YAML 清單中使用已棄用的 Kubernetes API", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", + "service": "AVS", + "severity": "低", + "text": "對於自動化部署,請部署最小的私有雲並根據需要進行擴展", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed", - "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", + "service": "AVS", "severity": "低", - "text": "污染 Windows 節點", + "text": "對於自動部署,請在開始部署之前請求或預留配額", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e", - "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2", 
- "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", + "service": "AVS", "severity": "低", - "text": "使 Windows 容器修補程式級別與主機修補程式級別保持同步", + "text": "對於自動部署,請確保通過自動化或 Azure Policy 創建相關資源鎖,以便進行適當的治理", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "通過群集級別的診斷設置", - "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5", - "link": "https://learn.microsoft.com/azure/aks/monitor-aks", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", + "service": "AVS", "severity": "低", - "text": "將主日誌(又名 API 紀錄)發送到 Azure Monitor 或首選日誌管理解決方案", + "text": "為 ExR 授權金鑰實現人類可理解的名稱,以便輕鬆識別密鑰的目的/用途", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21", - "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "255461e2-aee3-4553-afc8-339248b262d6", + "service": "AVS", "severity": "低", - "text": "如果需要,請使用 nodePool 快照", - "waf": "成本" + "text": "當使用單獨的服務原則部署 Azure VMware 解決方案和 ExpressRoute 時,請使用 Key Vault 儲存機密和授權密鑰", + "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0", - "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", + "service": "AVS", "severity": "低", - "text": "考慮將現成節點池用於對時間敏感的工作負載", + "text": "當需要在 Azure VMware 解決方案中/上部署許多資源時,定義用於在 IaC 
中序列化操作的資源依賴項,因為 Azure VMware 解決方案僅支援有限數量的並行操作。", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant", - "guid": "c755562f-2b4e-4456-9b4d-874a748b662e", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", + "service": "AVS", "severity": "低", - "text": "考慮用於快速突發的 AKS 虛擬節點", + "text": "使用單個 Tier-1 閘道執行 NSX-T 分段的自動配置時,請使用 Azure 門戶 API 而不是 NSX-Manager API", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": "高", - "text": "使用 Container Insights(或 Prometheus 等其他工具)監控集群指標", - "waf": "操作" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", + "service": "AVS", + "severity": "中等", + "text": "打算使用自動橫向擴展時,請務必為運行 Azure VMware 解決方案的訂閱申請足夠的 Azure VMware 解決方案配額", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant", - "guid": "eaa8dc4a-2436-47b3-9697-15b1752beee0", - "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", - "service": "AKS", - "severity": 
"高", - "text": "使用 Container Insights(或 Telegraf/ElasticSearch 等其他工具)存儲和分析集群日誌", - "waf": "操作" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", + "service": "AVS", + "severity": "中等", + "text": "打算使用自動縮減時,請務必在執行此操作之前考慮存儲策略要求", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669", - "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", + "service": "AVS", "severity": "中等", - "text": "監控節點的 CPU 和記憶體利用率", - "waf": "操作" + "text": "擴展操作始終需要在單個 SDDC 中序列化,因為一次只能執行一個擴展操作(即使使用多個集群也是如此)", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "1a4835ac-9422-423e-ae80-b123081a5417", - "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", + "service": "AVS", "severity": "中等", - "text": "如果使用 Azure CNI,請監視每個節點消耗的 Pod IP 的百分比", - "waf": "操作" + "text": "考慮並驗證體系結構中使用的第三方解決方案的縮放操作(支援與否)", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "OS 磁碟上的 I/O 是關鍵資源。如果節點中的操作系統在 I/O 上受到限制,這可能會導致不可預知的行為,通常最終導致節點被聲明為 NotReady", - "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b", - "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", 
+ "service": "AVS", "severity": "中等", - "text": "監視節點中的OS磁碟佇列深度", - "waf": "操作" + "text": "在自動化中為環境定義和強制實施橫向擴展/橫向擴展最大限制", + "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "be209d39-fda4-4777-a424-d116785c2fa5", - "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", + "service": "AVS", "severity": "中等", - "text": "如果不對 AzFW/NVA 使用出口篩選,請監視標準 ALB 分配的 SNAT 連接埠", + "text": "實施監控規則以監控自動擴展操作,並監控成功和失敗,以啟用適當的(自動化)回應", "waf": "操作" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9", - "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", - "service": "AKS", - "severity": "中等", - "text": "訂閱 AKS 群集的資源運行狀況通知", - "waf": "操作" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "高", - "text": "在 Pod 規範中配置請求和限制", - "waf": "操作" - }, - { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "769ef669-1a48-435a-a942-223ece80b123", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", - "service": "AKS", - "severity": "中等", - "text": "強制實施命名空間的資源配額", - "waf": "操作" + "text": "使用 MON 時,請注意同時配置的 VM 的限制(HCX 的 MON 限制 [400 - 
標準,1000 - 大型設備])", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "081a5417-4158-433e-a3ad-3c2de733165c", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", + "service": "AVS", "severity": "高", - "text": "確保訂閱具有足夠的配額來橫向擴展節點池", - "waf": "操作" + "text": "使用 MON 時,不能在超過 100 個網路分機上啟用 MON", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant", - "guid": "90ce65de-8e13-4f9c-abd4-69266abca264", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", + "service": "AVS", "severity": "中等", - "text": "使用群集自動縮放程式", + "text": "如果使用 VPN 連接進行遷移,請相應地調整 MTU 大小。", "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant", - "guid": "831c2872-c693-4b39-a887-a561bada49bc", - "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration", - 
"service": "AKS", - "severity": "低", - "text": "自定義 AKS 節點池的節點配置", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e614658d-d457-4e92-9139-b821102cad6e", + "service": "AVS", + "severity": "中等", + "text": "對於連接到 Azure(500Mbps 或更低)的低連接區域,請考慮部署 HCX WAN 優化設備", "waf": "性能" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121", - "link": "https://learn.microsoft.com/azure/aks/concepts-scale", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", + "service": "AVS", "severity": "中等", - "text": "需要時使用 Horizontal Pod Autoscaler", - "waf": "性能" + "text": "確保從本地裝置啟動遷移,而不是從雲端裝置啟動遷移(不要執行反向遷移)", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "description": "更大的節點將帶來更高的性能和功能,例如臨時磁碟和加速網路,但它們會增加爆炸半徑並降低擴展粒度", - "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3", - "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/", - "service": "AKS", - "severity": "高", - "text": "考慮適當的節點大小,不要太大或太小", - "waf": "性能" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", + "service": "AVS", + "severity": "中等", + "text": "使用 Azure Netapp Files 擴展 Azure VMware 解決方案的儲存時,請考慮將其用作 VMware 資料儲存庫,而不是直接附加到 VM 。", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d", - "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits", - "service": "AKS", - "severity": "低", - "text": 
"如果可伸縮性需要超過 5000 個節點,請考慮使用其他 AKS 群集", - "waf": "性能" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", + "service": "AVS", + "severity": "中等", + "text": "確保將專用 ExpressRoute 閘道用於外部資料儲存解決方案", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", - "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", - "service": "AKS", - "severity": "低", - "text": "考慮訂閱 EventGrid Events for AKS 自動化", - "waf": "性能" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", + "service": "AVS", + "severity": "中等", + "text": "確保在用於外部數據存儲解決方案的 ExpressRoute 閘道上啟用了 FastPath", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", - "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", - "service": "AKS", - "severity": "低", - "text": "若要在 AKS 群集上長時間運行操作,請考慮事件終止", - "waf": "性能" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", + "service": "AVS", + "severity": "高", + "text": "如果使用延伸群集,請確保供應商支援所選的災難恢復解決方案", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": 
"c4e37133-f186-4ce1-aed9-9f1b32f6e021", - "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", - "service": "AKS", - "severity": "低", - "text": "如果需要,請考慮將 Azure 專用主機用於 AKS 節點", - "waf": "性能" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", + "service": "AVS", + "severity": "高", + "text": "如果使用延伸群集,請確保提供的 SLA 符合您的要求", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", - "guid": "24367b33-6971-45b1-952b-eee0b9b588de", - "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", + "service": "AVS", "severity": "高", - "text": "使用臨時OS磁碟", - "waf": "性能" + "text": "如果使用延伸群集,請確保兩條 ExpressRoute 線路都連接到連接中心。", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", - "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", - "service": "AKS", + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", + "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", + "service": "AVS", 
"severity": "高", - "text": "對於非臨時磁碟,在運行多個 Pod/節點時,請為節點使用高 IOPS 和更大的 OS 磁碟,因為它需要高性能才能運行多個 Pod,並且會生成具有預設 AKS 日誌輪換閾值的大量日誌", - "waf": "性能" + "text": "如果使用延伸群集,請確保兩條 ExpressRoute 線路都啟用了 GlobalReach。", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", - "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", - "service": "AKS", - "severity": "低", - "text": "對於超高性能存儲選項,請在 AKS 上使用超級磁碟For hyper performance storage option use Ultra Disks on AKS", - "waf": "性能" + "arm-service": "Microsoft.AVS/privateClouds", + "checklist": "Azure VMware Solution Design Review", + "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", + "service": "AVS", + "severity": "高", + "text": "是否正確考慮了網站容災設置,並在需要時為您的業務進行了更改。", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", - "service": "AKS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", + "service": "Azure Data Factory", "severity": "中等", - "text": "避免將狀態保留在群集中,並將數據存儲在外部(AzStorage、AzSQL、Cosmos 等)", - "waf": "性能" + "text": "利用 Azure 數據工廠的 FTA 復原能力手冊", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", - "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", - "service": "AKS", - "severity": "中等", - "text": "如果使用 AzFiles Standard,出於性能原因,請考慮使用 AzFiles Premium 和/或 ANF", - 
"waf": "性能" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", + "severity": "高", + "text": "在支援可用區的區域中使用區域冗餘管道", + "waf": "可靠性" }, { - "arm-service": "microsoft.containerservice/managedClusters", - "checklist": "Azure AKS Review", - "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", - "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", - "service": "AKS", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", + "link": "https://learn.microsoft.com/azure/data-factory/source-control", + "service": "Azure Data Factory", "severity": "中等", - "text": "如果使用 Azure 磁碟和可用區,請考慮在區域內為 LRS 磁碟設置節點池,並使用 VolumeBindingMode:WaitForFirstConsumer 在正確的區域中預配存儲,或將 ZRS 磁碟用於跨多個區域的節點池", - "waf": "性能" - }, - { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "高", - "text": "根據您的業務和 SLO 要求選擇正確的功能託管計劃", - "waf": "可靠性" - }, - { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", - "service": "Azure Functions", - "severity": "高", - "text": "利用區域適用的可用區(不適用於消耗層)", + "text": "使用 DevOps 透過 Github/Azure DevOps 集成備份 ARM 範本", "waf": "可靠性" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", - "link": 
"https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", - "service": "Azure Functions", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "中等", - "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", - "waf": "可靠性" - }, - { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "Azure Functions", - "severity": "高", - "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", - "waf": "可靠性" - }, - { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "Azure Functions", - "severity": "高", - "text": "確保為應用服務計劃上運行的所有函數應用啟用“始終開啟”", + "text": "請確保在另一個區域中複製自承載集成運行時 VM", "waf": "可靠性" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", - "service": "Azure Functions", + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", + "service": "Azure Data Factory", "severity": "中等", - "text": "將函數應用與其自己的存儲帳戶配對。盡量不要重用函數應用的存儲帳戶,除非它們緊密耦合", + "text": "請確保在姊妹區域中複製或複製您的網路。必須在另一個區域創建 Vnet 
的副本", "waf": "可靠性" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Azure Function Review", - "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "Azure Functions", - "severity": "中等", - "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護函數應用代碼", - "waf": "操作" + "arm-service": "Microsoft.DataFactory/datafactories", + "checklist": "Azure Data Factory Review Checklist", + "description": "如果ADF管道使用Key Vault,則無需執行任何操作即可複製Key Vault。Key Vault 是一項託管服務,Microsoft 會為你處理它", + "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "Azure Data Factory", + "severity": "低", + "text": "如果使用 Keyvault 集成,請使用 Keyvault 的 SLA 來瞭解可用性", + "waf": "可靠性" }, { "arm-service": "Microsoft.ApiManagement/service", 
@@ -1649,3500 +1441,3633 @@ "waf": "安全" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", - "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", - "service": "Spring Apps", - "severity": "中等", - "text": "Azure Spring Apps 允許對每個應用進行兩次部署,其中只有一個部署接收生產流量。您可以使用藍綠部署策略實現零停機時間。藍綠部署僅在標準層和企業層中可用。可以使用 CI/CD 和 ADO/GitHub 操作自動執行部署", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ab5351f6-383a-45ed-9c5e-b143b16db40a", + "link": "https://learn.microsoft.com/azure/aks/use-windows-hpc", + "service": "AKS", + "severity": "低", + "text": "如果 AKS Windows 工作負載需要,可以使用 HostProcess 容器", "waf": "可靠性" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", - "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", - "service": "Spring Apps", - "severity": "中等", - "text": "可以在多個區域中為應用程式創建 Azure Spring Apps 實例,並且流量管理器/Front Door 可以路由流量。", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a280dcf5-90ce-465d-b8e1-3f9ccbd46926", + "link": "https://learn.microsoft.com/azure/azure-functions/functions-kubernetes-keda", + "service": "AKS", + "severity": "低", + "text": "如果運行事件驅動的工作負載,請使用KEDA", + "waf": "性能" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", - "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", - "service": "Spring Apps", - "severity": "中等", - "text": "在支持的區域中,Azure Spring Apps 可以部署為區域冗餘,這意味著實例會自動分佈在可用性區域之間。此功能僅在標準層和企業層中可用。", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + 
"guid": "26886d20-b66c-457b-a591-19bf8e8f5c58", + "link": "https://dapr.io/", + "service": "AKS", + "severity": "低", + "text": "使用 Dapr 簡化微服務開發", + "waf": "操作" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", - "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", - "service": "Spring Apps", - "severity": "中等", - "text": "對應用使用1個以上的應用實例", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (sku.tier=='Paid') | distinct id,compliant", + "guid": "71d41e36-10cc-457b-9a4b-1410d4395898", + "link": "https://learn.microsoft.com/azure/aks/uptime-sla", + "service": "AKS", + "severity": "高", + "text": "使用 SLA 支援的 AKS 產品/服務", "waf": "可靠性" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "7504c230-6035-4183-95a5-85762acc6075", - "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", - "service": "Spring Apps", - "severity": "中等", - "text": "使用日誌、指標和跟蹤監視 Azure Spring Apps。將 ASA 與應用程式見解集成,並跟蹤故障並創建工作簿。", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c1288b3c-6a57-4cfc-9444-51e1a3d3453a", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", + "service": "AKS", + "severity": "低", + "text": "在容器和部署定義中使用中斷預算", "waf": "可靠性" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", - "service": "Spring Apps", - "severity": "中等", - "text": "在 Spring Cloud Gateway 中設置自動縮放", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure 
AKS Review", + "guid": "3c763963-7a55-42d5-a15e-401955387e5c", + "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", + "service": "ACR", + "severity": "高", + "text": "如果使用專用註冊表,請配置區域複製以將映像存儲在多個區域中", "waf": "可靠性" }, { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "97411607-b6fd-4335-99d1-9885faf4e392", - "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", - "service": "Spring Apps", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f82cb8eb-8c0a-4a63-a25a-4956eaa8dc4a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", + "service": "AKS", "severity": "低", - "text": "為具有標準使用量和專用計劃的應用啟用自動縮放。", - "waf": "可靠性" - }, - { - "arm-service": "Microsoft.AppPlatform/Spring", - "checklist": "Azure Spring Apps Review", - "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", - "link": "https://learn.microsoft.com/azure/spring-apps/overview", - "service": "Spring Apps", - "severity": "中等", - "text": "使用企業計劃為關鍵任務應用提供 Spring Boot 的商業支援。使用其他層,您可以獲得 OSS 支援。", - "waf": "可靠性" + "text": "使用外部應用(如 kubecost)將成本分配給不同的使用者", + "waf": "成本" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", - "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4d3dfbab-9924-4831-a68d-fdf0d72f462c", + "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", + "service": "AKS", "severity": "低", - "text": "有關最佳實踐,請參閱基線高可用性區域冗餘 Web 應用程式體系結構", - "waf": "可靠性" + "text": "使用縮減模式刪除/取消分配節點", + "waf": "成本" }, { - "arm-service": "microsoft.web/sites", - 
"checklist": "Azure App Service Review", - "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", - "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "87e651ea-bc4a-4a87-a6df-c06a4b570ebc", + "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", + "service": "AKS", "severity": "中等", - "text": "使用高級層和標準層。這些層支援暫存槽和自動備份。", - "waf": "可靠性" + "text": "需要時,請在 AKS 群集上使用多實例分組 GPU", + "waf": "成本" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", - "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", - "service": "App Services", - "severity": "高", - "text": "利用區域適用的可用性區域(需要高級 v2 或 v3 層)", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "2b72a08b-0410-4cd6-9093-e068a5cf27e8", + "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", + "service": "AKS", + "severity": "低", + "text": "如果運行開發/測試群集,請使用 NodePool Start/Stop", + "waf": "成本" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.azurepolicy) and properties.addonProfiles.azurepolicy.enabled==true) | distinct id,compliant", + "guid": "9ca48e4a-85e2-4223-bce8-bb12307ca5f1", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes", + "service": "AKS", "severity": "中等", - "text": 
"實施健康檢查", - "waf": "可靠性" + "text": "使用適用於 Kubernetes 的 Azure Policy 確保群集符合性", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", - "service": "App Services", - "severity": "高", - "text": "請參閱 Azure 應用服務的備份和還原最佳做法", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | project id,name,resourceGroup,poolcount=array_length(pools) | extend compliant = (poolcount > 1)", + "guid": "6f158e3e-a3a9-42c2-be7e-2165c3a87af4", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "中等", + "text": "使用使用者/系統節點池將應用程式與控制平面分開", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", - "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", - "service": "App Services", - "severity": "高", - "text": "實現 Azure 應用服務可靠性最佳做法", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a7a1f893-9bda-4477-98f2-4c116775c2ea", + "link": "https://learn.microsoft.com/azure/aks/use-system-pools", + "service": "AKS", + "severity": "低", + "text": "向系統節點池添加污點以使其專用", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", - "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", - "service": "App Services", - "severity": "低", - "text": "熟悉如何在災難期間將應用服務應用移動到另一個區域", - "waf": "可靠性" + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "55b46a94-8008-4ae7-b7e4-b475b6c8bdbf", + "link": "https://learn.microsoft.com/azure/container-registry/", + "service": "AKS", + "severity": "中等", + "text": "對映像使用專用註冊表,例如 ACR", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", - "service": "App Services", + "arm-service": "microsoft.containerregistry/registries", + "checklist": "Azure AKS Review", + "guid": "59bce65d-e8a0-43f9-9879-468d66a786d6", + "link": "https://learn.microsoft.com/azure/security-center/container-security", + "service": "ACR", + "severity": "中等", + "text": "掃描映像以查找漏洞", + "waf": "安全" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d167dd18-2b0a-4c24-8b99-9a646f8389a7", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-isolation", + "service": "AKS", "severity": "高", - "text": "熟悉 Azure 應用服務中的可靠性支援", - "waf": "可靠性" + "text": "定義應用分離要求(命名空間/節點池/集群)", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", - "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "5e3df584-eccc-4d97-a3b6-bcda3b50eb2e", + "link": "https://github.com/Azure/secrets-store-csi-driver-provider-azure", + "service": "AKS", "severity": "中等", - "text": "確保為在應用服務計劃上運行的函數應用啟用“Always On”", - "waf": "可靠性" + "text": "使用 CSI 機密存儲驅動程式將機密存儲在 Azure Key Vault 中", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": 
"a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", - "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", - "service": "App Services", - "severity": "中等", - "text": "使用運行狀況檢查監視應用服務實例", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b03dda6d-58d7-4c89-8ddb-107d5769ae66", + "link": "https://learn.microsoft.com/azure/aks/update-credentials", + "service": "AKS", + "severity": "高", + "text": "如果將服務主體用於群集,請定期刷新憑據(如每季度)", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e7ba73a3-0508-4f80-806f-527db30cee96", + "link": "https://learn.microsoft.com/azure/aks/use-kms-etcd-encryption", + "service": "AKS", "severity": "中等", - "text": "使用 Application Insights 可用性測試監視 Web 應用或網站的可用性和回應能力", - "waf": "可靠性" + "text": "如果需要,請添加金鑰管理服務 etcd 加密", + "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", - "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ec8e4e42-0344-41b0-b865-9123e8956d31", + "link": "https://learn.microsoft.com/azure/confidential-computing/confidential-nodes-aks-overview", + "service": "AKS", "severity": "低", - "text": "使用 Application Insights 標準測試監視 Web 應用或網站的可用性和回應能力", - "waf": "可靠性" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "使用 Azure Key Vault 儲存應用程式所需的任何機密。 Key Vault 為儲存機密提供安全且經過審核的環境,並通過 
Key Vault SDK 或應用服務 Key Vault 引用與應用服務很好地集成。", - "guid": "834ac932-223e-4ce8-8b12-3071a5416415", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "高", - "text": "使用 Key Vault 儲存機密", + "text": "如果需要,請考慮使用適用於 AKS 的機密計算", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "使用託管標識通過 Key Vault SDK 或透過應用服務 Key Vault 引用連接到 Key Vault。", - "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", - "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", - "service": "App Services", - "severity": "高", - "text": "使用託管標識連接到 Key VaultUse Managed Identity to connect to Key Vault", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c9e95ffe-6dd1-4a17-8c5f-110389ca9b21", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable", + "service": "AKS", + "severity": "中等", + "text": "考慮使用 Defender for Containers", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "將應用服務 TLS 證書存儲在 Key Vault 中。", - "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.servicePrincipalProfile.clientId=='msi') | distinct id,compliant", + "guid": "ed127dd1-42b0-46b2-8c69-99a646f3389a", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity", + "service": "AKS", "severity": "高", - "text": "使用 Key Vault 儲存 TLS 證書。", + "text": "使用託管標識而不是服務主體", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": 
"處理敏感信息的系統應隔離。 為此,請使用單獨的應用服務計劃或應用服務環境,並考慮使用不同的訂閱或管理組。", - "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", - "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.aadProfile) | distinct id,compliant", + "guid": "7e42c78e-78c0-46a6-8a21-94956e698dc4", + "link": "https://learn.microsoft.com/azure/aks/managed-aad", + "service": "AKS", "severity": "中等", - "text": "隔離處理敏感信息的系統", + "text": "將身份驗證與 AAD(使用託管集成)集成", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "應用服務上的本地磁碟未加密,敏感數據不應存儲在這些磁碟上。 (例如:D:\\\\Local 和 %TMP%)。", - "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "a2fe27b2-e287-401a-8352-beedf79b488d", + "link": "https://learn.microsoft.com/azure/aks/control-kubeconfig-access", + "service": "AKS", "severity": "中等", - "text": "不要將敏感數據存儲在本地磁碟上", + "text": "限制對管理員 kubeconfig (get-credentials --admin) 的訪問", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "對於經過身份驗證的 Web 應用程式,請使用成熟的標識提供者,例如 Azure AD 或 Azure AD B2C。 利用所選的應用程式框架與此提供程式整合,或使用應用服務身份驗證/授權功能。", - "guid": "919ca0b2-c121-459e-814b-933df574eccc", - "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "eec4962c-c3bd-421b-b77f-26e5e6b3bec3", + "link": "https://learn.microsoft.com/azure/aks/manage-azure-rbac", + 
"service": "AKS", "severity": "中等", - "text": "使用已建立的身份提供程式進行身份驗證", + "text": "將授權與 AAD RBAC 集成", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "將代碼從受控且受信任的環境(例如管理良好且安全的 DevOps 部署管道)部署到應用服務。這樣可以避免未經版本控制和驗證從惡意主機部署的代碼。", - "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", - "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d4f3537c-1346-4dc5-9027-a71ffe1bd05d", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-identity", + "service": "AKS", "severity": "高", - "text": "從受信任的環境部署", + "text": "在 Kubernetes 中使用命名空間限制 RBAC 許可權", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "禁用 FTP/FTPS 和 WebDeploy/SCM 的基本身份驗證。 這將禁止訪問這些服務,並強制使用 Azure AD 安全終結點進行部署。 請注意,還可以使用 Azure AD 憑據打開 SCM 網站。", - "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", - "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", - "service": "App Services", - "severity": "高", - "text": "禁用基本身份驗證", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "d2e0d5d7-71d4-41e3-910c-c57b4a4b1410", + "link": "https://learn.microsoft.com/azure/aks/workload-identity-migration-sidecar", + "service": "AKS", + "severity": "中等", + "text": "對於 Pod Identity Access Management,請使用 Azure AD 工作負載標識(預覽版)", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "如果可能,請使用託管標識連接到 Azure AD 受保護的資源。 如果無法做到這一點,請將機密存儲在 Key Vault 中,並改用託管標識連接到 Key Vault。", - "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", - "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", - "service": "App Services", - "severity": 
"高", - "text": "使用託管標識連接到資源", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f4dcf690-1b30-407d-abab-6f8aa780d3a3", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#non-interactive-sign-in-with-kubelogin", + "service": "AKS", + "severity": "中等", + "text": "對於 AKS 非互動式登錄名,請使用 kubelogin(預覽版)", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "如果使用 Azure 容器註冊表中儲存的映像,請使用託管標識拉取這些映像。", - "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", - "service": "App Services", - "severity": "高", - "text": "使用託管標識拉取容器", - "waf": "安全" - }, - { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "通過配置應用服務的診斷設置,可以將所有遙測數據發送到Log Analytics,作為日誌記錄和監視的中心目標。這允許你監視應用服務的運行時活動,例如 HTTP 日誌、應用程式日誌、平臺日誌等。", - "guid": "47768314-c115-4775-a2ea-55b46ad48408", - "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.disableLocalAccounts==true) | distinct id,compliant", + "guid": "b085b1f2-3119-4771-8c9a-bbf4411810ec", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#disable-local-accounts", + "service": "AKS", "severity": "中等", - "text": "將應用服務運行時日誌發送到Log Analytics", + "text": "禁用 AKS 本地帳戶", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "設置診斷設置,將活動日誌發送到Log Analytics,作為日誌記錄和監視的中心目標。這樣,你就可以監視應用服務資源本身上的控制平面活動。", - "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", - "link": 
"https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", - "service": "App Services", - "severity": "中等", - "text": "將應用服務活動日誌發送到Log Analytics", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "36abb0db-c118-4f4c-9880-3f30f9a2deb6", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#configure-just-in-time-cluster-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "低", + "text": "如果需要,請配置 Just-in-time 群集訪問", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "使用區域 VNet 集成、網路安全組和 UDR 的組合來控制出站網路訪問。 流量應路由到 NVA,例如 Azure 防火牆。 確保監控防火牆的日誌。", - "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", - "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", - "service": "App Services", - "severity": "中等", - "text": "應控制出站網路訪問", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4d7f4c6-79bf-45d0-aa05-ce8fc717e150", + "link": "https://learn.microsoft.com/azure/aks/managed-aad#use-conditional-access-with-azure-ad-and-aks", + "service": "AKS", + "severity": "低", + "text": "如果需要,為 AKS 配置 AAD 條件訪問", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "可以使用 VNet 集成並使用 VNet NAT 閘道或 NVA(如 Azure 防火牆)來提供穩定的出站 IP。 這允許接收方根據需要根據IP列出允許清單。 請注意,對於與 Azure 服務的通信,通常不需要依賴於 IP 位址,應改用服務終結點等機制。 (此外,在接收端使用專用終結點可避免發生 SNAT,並提供穩定的出站 IP 範圍。", - "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", - "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "e1123a7c-a333-4eb4-a120-4ee3f293c9f3", + "link": "https://learn.microsoft.com/azure/aks/use-group-managed-service-accounts", + "service": "AKS", "severity": "低", - "text": 
"確保與互聯網位址的出站通信具有穩定的IP", + "text": "如果 Windows AKS 工作負載需要,請配置 gMSA", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "使用應用服務訪問限制、服務終結點或專用終結點的組合來控制入站網路訪問。對於 Web 應用本身和 SCM 網站,可能需要和配置不同的訪問限制。", - "guid": "0725769e-e669-41a4-a34a-c932223ece80", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", - "severity": "高", - "text": "應控制入站網路訪問", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "1f711a74-3672-470b-b8b8-a2148d640d79", + "link": "https://learn.microsoft.com/azure/aks/use-managed-identity#use-a-pre-created-kubelet-managed-identity", + "service": "AKS", + "severity": "中等", + "text": "為了獲得更精細的控制,請考慮使用託管的 Kubelet 身份", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "使用 Web 應用程式防火牆(如應用程式閘道或 Azure Front Door)防範惡意入站流量。 請務必監控 WAF 的日誌。", - "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", - "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "cbd8ac2a-aebc-4a2a-94da-1dbf3dc99248", + "link": "https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/", + "service": "AKS", + "severity": "中等", + "text": "如果使用 AGIC,請勿跨集群共用 AppGW", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnull(properties.addonProfiles.httpApplicationRouting) or properties.addonProfiles.httpApplicationRouting.enabled==false) | distinct id,compliant", + "guid": "8008ae7d-7e4b-4475-a6c8-bdbf59bce65d", + "link": 
"https://learn.microsoft.com/azure/aks/http-application-routing", + "service": "AKS", "severity": "高", - "text": "在應用服務前面使用 WAF", - "waf": "安全" + "text": "不要使用 AKS HTTP 路由載入項,而是將託管 NGINX 入口與應用程式路由載入項一起使用。", + "waf": "可靠性" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "確保僅鎖定對 WAF 的訪問,從而無法繞過 WAF。 結合使用訪問限制、服務終結點和專用終結點。", - "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", - "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7bacd7b9-c025-4a9d-a5d2-25d6bc5439d9", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview", + "service": "AKS", + "severity": "中等", + "text": "對於 Windows 工作負載,請使用加速網路", + "waf": "性能" + }, + { + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (tolower(properties.networkProfile.loadBalancerSku)=='standard') | distinct id,compliant", + "guid": "ba7da7be-9952-4914-a384-5d997cb39132", + "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", + "service": "AKS", "severity": "高", - "text": "避免繞過 WAF", - "waf": "安全" + "text": "使用標準 ALB(而不是基本 ALB)", + "waf": "可靠性" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "在應用服務配置中將最低 TLS 策略設置為 1.2。", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.MinTlsVersion>=1.2) | distinct id,compliant", - "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + 
"guid": "22fbe8d6-9b40-47ef-9011-25bb1a555a6b", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet", + "service": "AKS", "severity": "中等", - "text": "將最低 TLS 策略設置為 1.2", + "text": "如果使用 Azure CNI,請考慮對 NodePool 使用不同的子網", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "將應用服務配置為僅使用 HTTPS。 這會導致應用服務從 HTTP 重定向到 HTTPS。 強烈建議在代碼或 WAF 中使用 HTTP 嚴格傳輸安全性 (HSTS),這會通知瀏覽器只能使用 HTTPS 訪問網站。", - "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", - "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", - "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", - "service": "App Services", - "severity": "高", - "text": "僅使用 HTTPS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c3c39c98-6bb2-4c12-859a-114b5e3df584", + "link": "https://learn.microsoft.com/azure/private-link/private-link-overview", + "service": "AKS", + "severity": "中等", + "text": "使用專用終結點(首選)或虛擬網路服務終結點從群集訪問 PaaS 服務", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "不要在 CORS 配置中使用通配符,因為這允許所有源訪問服務(從而破壞 CORS 的目的)。具體而言,僅允許您希望能夠訪問服務的源。", - "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", - "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.networkPlugin=='azure') | distinct id,compliant", + "guid": "a0f61565-9de5-458f-a372-49c831112dbd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network", + "service": "AKS", "severity": 
"高", - "text": "不得將通配符用於 CORS", - "waf": "安全" + "text": "選擇最適合你要求的 CNI 網路外掛程式(建議使用 Azure CNI)", + "waf": "可靠性" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "不得在生產環境中啟用遠端調試,因為這會在服務上打開其他埠,從而增加攻擊面。請注意,該服務會在 48 小時後自動轉為遠端調試。", - "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", - "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", - "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", - "service": "App Services", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "7faf12e7-0943-4f63-8472-2da29c2b1cd6", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", "severity": "高", - "text": "關閉遠端調試", - "waf": "安全" + "text": "如果使用 Azure CNI,請根據每個節點的最大 Pod 數相應地調整子網的大小", + "waf": "性能" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "啟用 Defender for App Service。 這(除其他威脅外)檢測與已知惡意IP位址的通信。 在操作過程中查看 Defender for App Service 中的建議。", - "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", - "service": "App Services", - "severity": "中等", - "text": "啟用 Defender for Cloud - Defender for App Service", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "22f54b29-bade-43aa-b1e8-c38ec9366673", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "高", + "text": "如果使用 Azure CNI,請檢查每個節點的最大 Pod 數(預設為 30)", + "waf": "性能" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "Azure 在其網路上提供 DDoS 基本保護,可以通過智慧 DDoS 標準功能進行改進,該功能可以瞭解正常的流量模式並檢測異常行為。DDoS 
標準適用於虛擬網路,因此必須為應用前面的網路資源(例如應用程式閘道或 NVA)配置它。", - "guid": "223ece80-b123-4071-a541-6415833ea3ad", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "App Services", - "severity": "中等", - "text": "在 WAF VNet 上啟用 DDOS 保護標準", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "description": "對於內部應用,組織通常會在其防火牆中打開整個AKS子網。這也會打開對節點的網路訪問,並可能打開對 Pod 的訪問(如果使用 Azure CNI)。如果 LoadBalancer IP 位於不同的子網中,則只有此子網可供應用用戶端使用。另一個原因是,如果 AKS 子網中的 IP 位址是稀缺資源,則將其 IP 位址用於服務會降低群集的最大可伸縮性。", + "guid": "13c00567-4b1e-4945-a459-c373e7ed6162", + "link": "https://learn.microsoft.com/azure/aks/internal-lb", + "service": "AKS", + "severity": "低", + "text": "如果使用專用IP LoadBalancer服務,請使用專用子網(而不是 AKS 子網)", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "如果使用 Azure 容器註冊表中儲存的映像,請使用其專用終結點和應用設置“WEBSITE_PULL_IMAGE_OVER_VNET”通過虛擬網络從 Azure 容器註冊表拉取這些映射。", - "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", - "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", - "service": "App Services", - "severity": "中等", - "text": "通過虛擬網路拉取容器", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "43f63047-22d9-429c-8b1c-d622f54b29ba", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", + "service": "AKS", + "severity": "高", + "text": "相應調整服務 IP 位址範圍的大小(這將限制群集的可伸縮性)", + "waf": "可靠性" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "按照參與的滲透測試規則對 Web 應用程式進行滲透測試。", - "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", - "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", - "service": "App Services", - "severity": "中等", - "text": "進行滲透測試", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS 
Review", + "guid": "57bf217f-6dc8-481c-81e2-785773e9c00f", + "link": "https://learn.microsoft.com/azure/aks/use-byo-cni", + "service": "AKS", + "severity": "低", + "text": "如果需要,請添加您自己的 CNI 外掛程式", "waf": "安全" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "部署根據 DevSecOps 實踐驗證和掃描漏洞的受信任代碼。", - "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", - "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", - "service": "App Services", - "severity": "中等", - "text": "部署經過驗證的代碼", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "4b3bb365-9458-44d9-9ed1-5c8f52890364", + "link": "https://learn.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools", + "service": "AKS", + "severity": "低", + "text": "如果需要,請在 AKS 中配置每個節點的公共 IP", + "waf": "性能" }, { - "arm-service": "microsoft.web/sites", - "checklist": "Azure App Service Review", - "description": "使用最新版本的受支援平臺、程式設計語言、協定和框架。", - "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", - "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", - "service": "App Services", - "severity": "高", - "text": "使用最新的平臺、語言、協定和框架", - "waf": "安全" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "b3808b9f-a1cf-4204-ad01-3a923ce474db", + "link": "https://learn.microsoft.com/azure/aks/concepts-network", + "service": "AKS", + "severity": "中等", + "text": "使用入口控制器公開基於 Web 的應用,而不是使用 LoadBalancer 類型的服務公開它們", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", - "severity": "高", - "text": "使 2 個副本具有 99.9% 的讀取操作可用性", + 
"arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "ccb534e7-416e-4a1d-8e93-533b53199085", + "link": "https://learn.microsoft.com/azure/aks/nat-gateway", + "service": "AKS", + "severity": "低", + "text": "使用 Azure NAT 閘道作為 outboundType 來縮放出口流量", "waf": "可靠性" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", - "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", - "service": "Cognitive Search", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "8ee9a69a-1b58-4b1e-9c61-476e110a160b", + "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni#dynamic-allocation-of-ips-and-enhanced-subnet-support", + "service": "AKS", "severity": "中等", - "text": "使 3 個副本具有 99.9% 的讀/寫操作可用性", + "text": "使用IP的動態分配來避免 Azure CNI IP 耗盡", "waf": "可靠性" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", - "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", - "service": "Cognitive Search", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.networkProfile.outboundType=='userDefinedRouting') | distinct id,compliant", + "guid": "3b365a91-7ecb-4e48-bbe5-4cd7df2e8bba", + "link": "https://learn.microsoft.com/azure/aks/limit-egress-traffic", + "service": "AKS", "severity": "高", - "text": "通過啟用讀取和/或寫入副本來利用可用區", - "waf": "可靠性" + "text": "如果安全要求要求,請使用 AzFW/NVA 篩選出口流量", + "waf": "安全" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", - 
"link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", - "service": "Cognitive Search", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = ((isnull(properties.apiServerAccessProfile.enablePrivateCluster) or properties.apiServerAccessProfile.enablePrivateCluster==false) and isnotnull(properties.apiServerAccessProfile.authorizedIPRanges)) | distinct id,compliant", + "guid": "c4581559-bb91-463e-a908-aed8c44ce3b2", + "link": "https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges", + "service": "AKS", "severity": "中等", - "text": "對於區域冗餘,請在2個或更多區域中為搜索手動創建服務,因為它不提供跨地理區域複製搜索索引的自動方法", - "waf": "可靠性" + "text": "如果使用公共 API 終端節點,請限制可以存取它的 IP 位址", + "waf": "安全" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", - "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", - "service": "Cognitive Search", - "severity": "中等", - "text": "若要跨多個服務同步數據,請使用索引器更新多個服務上的內容,或使用 REST API 推送多個服務上的內容更新", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ecccd979-3b6b-4cda-9b50-eb2eb03dda6d", + "link": "https://learn.microsoft.com/azure/aks/private-clusters", + "service": "AKS", + "severity": "高", + "text": "如果要求要求,請使用私有集群", + "waf": "安全" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", - 
"link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", - "service": "Cognitive Search", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | where isnotnull(properties.apiServerAccessProfile.enablePrivateCluster) | extend compliant = (properties.apiServerAccessProfile.enablePrivateCluster==true) | distinct id, compliant", + "guid": "ce7f2a7c-297c-47c6-adea-a6ff838db665", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "中等", - "text": "使用 Azure 流量管理器協調請求", - "waf": "可靠性" + "text": "對於 Windows 2019 和 2022 AKS 節點,可以使用 Calico 網路策略", + "waf": "安全" }, { - "arm-service": "Microsoft.Search/searchServices", - "checklist": "Cognitive Search Review Checklist", - "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", - "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", - "service": "Cognitive Search", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = isnotnull(properties.networkProfile.networkPolicy) | distinct id,compliant", + "guid": "58d7c892-ddb1-407d-9769-ae669ca48e4a", + "link": "https://learn.microsoft.com/azure/aks/use-network-policies", + "service": "AKS", "severity": "高", - "text": "備份和還原 Azure 認知搜索索引。使用此範例代碼將索引定義和快照備份到一系列 Json 檔", - "waf": "可靠性" + "text": "啟用 Kubernetes 網路策略選項 (Calico/Azure)", + "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Cost Optimization Checklist", - "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", - "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", - "service": "Azure Monitor", - "text": "Azure Monitor 中的數據收集規則 
-https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview",
- "training": "https://azure.microsoft.com/pricing/reservations/",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "85e2223e-ce8b-4b12-907c-a5f16f158e3e",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
+ "severity": "高",
+ "text": "使用 Kubernetes 網路策略提高集群內安全性",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "45901365-d38e-443f-abcb-d868266abca2",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation",
- "service": "Azure Backup",
- "text": "檢查未找到底層數據源的備份實例",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "a3a92c2d-e7e2-4165-a3a8-7af4a7a1f893",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-network",
+ "service": "AKS",
+ "severity": "高",
+ "text": "將 WAF 用於 Web 工作負載(UI 或 API)",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse",
- "service": "VM",
- "text": "刪除或存檔未關聯的服務(磁碟、網卡、IP 位址等)",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project 
id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "9bda4776-8f24-4c11-9775-c2ea55b46a94",
+ "link": "https://learn.microsoft.com/azure/virtual-network/ddos-protection-overview",
+ "service": "AKS",
+ "severity": "中等",
+ "text": "在 AKS 虛擬網路中使用 DDoS 標準",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations",
- "service": "Azure Backup",
- "text": "考慮在網站恢復存儲和非任務關鍵型應用程式的備份之間取得良好的平衡",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "Resources | where type=~'microsoft.containerservice/managedclusters' | project resourceGroup,name,pools=properties.agentPoolProfiles | mv-expand pools | project subnetId=tostring(pools.vnetSubnetID) | where isnotempty(subnetId) | join (Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,enableDdosProtection=tostring(properties.enableDdosProtection),subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,enableDdosProtection,subnetId=tostring(subnets.id)) on subnetId | distinct id,resourceGroup,name,enableDdosProtection | extend compliant = (enableDdosProtection == 'true')",
+ "guid": "6c46b91a-1107-4485-ad66-3183e2a8c266",
+ "link": "https://learn.microsoft.com/azure/aks/http-proxy",
+ "service": "AKS",
+ "severity": "低",
+ "text": "如果需要,請添加公司 HTTP 代理",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": 
"Cost Optimization Checklist",
- "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a",
- "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
- "service": "Azure Monitor",
- "text": "檢查 40 個不同 Log Analytics 工作區之間的支出和節省機會 - 對非生產工作區使用不同的保留和數據收集 - 創建每日上限以實現意識和層大小調整 - 如果確實設置了每日上限,除了在達到上限時創建警報外,請確保還創建警報規則,以便在達到某個百分比(例如 90%)時收到通知。- 如果可能,考慮工作空間改造 - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e9855d04-c3c3-49c9-a6bb-2c12159a114b",
+ "link": "https://learn.microsoft.com/azure/aks/servicemesh-about",
+ "service": "AKS",
+ "severity": "中等",
+ "text": "考慮使用服務網格進行高級微服務通信管理",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Insights/components",
- "checklist": "Cost Optimization Checklist",
- "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "service": "Azure Monitor",
- "text": "強制執行清除日誌策略和自動化(如果需要,可以將記錄移至冷存儲)",
- "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "67f7a9ed-5b31-4f38-a3f3-9812b2463cff",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts",
+ "service": "AKS",
+ "severity": "高",
+ "text": "設定有關最關鍵指標的警報(請參閱容器見解以獲取建議)",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "service": "VM",
- "text": "檢查磁碟是否確實需要,如果不是:刪除。如果需要,請尋找較低的儲存層或使用備份 -",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "337453a3-cc63-4963-9a65-22ac19e80696",
+ "link": "https://learn.microsoft.com/azure/advisor/advisor-get-started",
+ "service": "AKS",
+ "severity": "低",
+ "text": "定期查看 Azure 顧問,瞭解有關群集的建議",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "d1e44a19-659d-4395-afd7-7289b835556d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations",
- "service": "Storage",
- "text": "考慮使用自定義規則將未使用的存儲移動到較低層 - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "3aa70560-e7e7-4968-be3d-628af35b2ced",
+ "link": "https://learn.microsoft.com/azure/aks/certificate-rotation",
+ "service": "AKS",
+ "severity": "低",
+ "text": "啟用 AKS 自動證書輪換",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "VM",
- "text": "確保 advisor 配置為適合 VM 大小調整",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "e189c599-df0d-45a7-9dd4-ce32c1881370",
+ "link": 
"https://learn.microsoft.com/azure/aks/supported-kubernetes-versions",
+ "service": "AKS",
+ "severity": "高",
+ "text": "定期(例如,每季度)升級 kubernetes 版本,或使用 AKS 自動升級功能",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "description": "通過在成本分析系統中搜索計量類別許可證進行檢查",
- "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations",
- "service": "VM",
- "text": "在所有 Windows VM 上運行腳本 https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server - 如果頻繁創建 Windows VM,請考慮實施策略",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "6f7c4c0d-4e51-4464-ad24-57ed67138b82",
+ "link": "https://learn.microsoft.com/azure/aks/node-updates-kured",
+ "service": "AKS",
+ "severity": "高",
+ "text": "如果您不使用 node-image 升級,請使用 kured 進行 Linux 節點升級",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3",
- "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
- "service": "VM",
- "text": "如果您已經擁有許可證,也可以將其置於 AHUB https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "139c9580-ade3-426a-ba09-cf157d9f6477",
+ "link": "https://learn.microsoft.com/azure/aks/node-image-upgrade",
+ "service": "AKS",
+ "severity": "高",
+ "text": "定期(例如,每周)升級群集節點映像的常規過程",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": 
"75c1e945-b459-4837-bf7a-e7c6d3b475a5",
- "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal",
- "service": "VM",
- "text": "使用靈活性選項(不超過 4-5 個系列)整合保留的 VM 系列",
- "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "0102ce16-ee30-41e6-b882-e52e4621dd68",
+ "link": "https://learn.microsoft.com/azure/architecture/example-scenario/bedrock/bedrock-automated-deployments",
+ "service": "AKS",
+ "severity": "低",
+ "text": "考慮使用 gitops 將應用程式或集群配置部署到多個集群",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations",
- "service": "VM",
- "text": "利用 Azure 預留實例:此功能允許將 VM 預留 1 年或 3 年,與 PAYG 價格相比,可顯著節省成本。",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "d7672c26-7602-4482-85a4-14527fbe855c",
+ "link": "https://learn.microsoft.com/azure/aks/command-invoke",
+ "service": "AKS",
+ "severity": "低",
+ "text": "請考慮在專用群集上使用 AKS 命令調用",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d",
- "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview",
- "service": "VM",
- "text": "只能保留較大的磁碟 => 1 TiB -",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "31d7aaab-7571-4449-ab80-53d89e89d17b",
+ "link": "https://learn.microsoft.com/azure/aks/node-auto-repair#node-autodrain",
+ "service": "AKS",
+ 
"severity": "低",
+ "text": "對於計劃的事件,請考慮使用 Node Auto Drain",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain",
- "service": "VM",
- "text": "調整大小優化后",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "ed0fda7f-211b-47c7-8b6e-c18873fb473c",
+ "link": "https://learn.microsoft.com/azure/aks/faq",
+ "service": "AKS",
+ "severity": "高",
+ "text": "開發自己的治理實踐,以確保節點 RG(又名“基礎設施 RG”)中的操作員不會執行任何更改",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Sql/servers",
- "checklist": "Cost Optimization Checklist",
- "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de",
- "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy",
- "service": "Azure SQL",
- "text": "檢查是否適用並強制執行策略/更改 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (properties.nodeResourceGroup !startswith 'MC_') | distinct id,compliant",
+ "guid": "73b32a5a-67f7-4a9e-b5b3-1f38c3f39812",
+ "link": "https://learn.microsoft.com/azure/aks/cluster-configuration",
+ "service": "AKS",
+ "severity": "低",
+ "text": "使用自定義節點 RG(又名“Infra RG”)名稱",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667",
- "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices",
- "service": "VM",
- "text": "虛擬機 + 許可證部分折扣 
(ahub + 3YRI) 約為 70% 的折扣",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "b2463cff-e189-4c59-adf0-d5a73dd4ce32",
+ "link": "https://kubernetes.io/docs/setup/release/notes/",
+ "service": "AKS",
+ "severity": "中等",
+ "text": "請勿在 YAML 清單中使用已棄用的 Kubernetes API",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
- "service": "VM",
- "text": "考慮使用 VMSS 來滿足需求,而不是按比例調整",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c1881370-6f7c-44c0-b4e5-14648d2457ed",
+ "link": "https://learn.microsoft.com/azure-stack/aks-hci/adapt-apps-mixed-os-clusters",
+ "service": "AKS",
+ "severity": "低",
+ "text": "污染 Windows 節點",
+ "waf": "操作"
 },
 {
 "arm-service": "microsoft.containerservice/managedClusters",
- "checklist": "Cost Optimization Checklist",
- "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc",
- "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure",
+ "checklist": "Azure AKS Review",
+ "guid": "67138b82-0102-4ce1-9ee3-01e6e882e52e",
+ "link": "https://learn.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-20H2%2Cwindows-10-20H2",
 "service": "AKS",
- "text": "使用 AKS 自動縮放程式符合群集使用方式(確保 Pod 要求與縮放程式符合)",
- "waf": "成本"
+ "severity": "低",
+ "text": "使 Windows 容器修補程式級別與主機修補程式級別保持同步",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
- 
"service": "Azure Backup",
- "text": "將恢復點移至保管庫存檔(如果適用)(驗證)",
- "training": "https://azure.microsoft.com/pricing/reservations/",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "通過群集級別的診斷設置",
+ "guid": "5b56ad48-408f-4e72-934c-476ba280dcf5",
+ "link": "https://learn.microsoft.com/azure/aks/monitor-aks",
+ "service": "AKS",
+ "severity": "低",
+ "text": "將主日誌(又名 API 紀錄)發送到 Azure Monitor 或首選日誌管理解決方案",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Databricks/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2",
- "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination",
- "service": "Databricks",
- "text": "請考慮盡可能使用帶回退功能的現成 VM。考慮群集的自動終止。",
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "64d1a846-e28a-4b6b-9a33-22a635c15a21",
+ "link": "https://learn.microsoft.com/azure/aks/node-pool-snapshot",
+ "service": "AKS",
+ "severity": "低",
+ "text": "如果需要,請使用 nodePool 快照",
 "waf": "成本"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "cc881470-607c-41cc-a0e6-14658dd458e9",
- "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create",
- "service": "Azure Functions",
- "text": "功能 - 重用連接",
- "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "c5a5b252-1e44-4a59-a9d2-399c4d7b68d0",
+ "link": "https://learn.microsoft.com/azure/aks/spot-node-pool",
+ "service": "AKS",
+ "severity": "低",
+ "text": "考慮將現成節點池用於對時間敏感的工作負載",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist", 
- "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f",
- "link": "https://learn.microsoft.com/azure/automation/update-management/overview",
- "service": "Azure Functions",
- "text": "函數 - 本地快取資料",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.aciConnectorLinux) and properties.addonProfiles.aciConnectorLinux.enabled==true) | distinct id,compliant",
+ "guid": "c755562f-2b4e-4456-9b4d-874a748b662e",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
+ "severity": "低",
+ "text": "考慮用於快速突發的 AKS 虛擬節點",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac",
- "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
- "service": "Azure Functions",
- "text": "函數 - 冷啟動 - 使用“從包運行”功能。這樣,代碼將下載為單個 zip 檔。例如,這可以顯著改進具有大量節點模組的 Javascript 函數。使用特定於語言的工具來減小包大小,例如,搖樹 Javascript 應用程式。",
- "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "6f8389a7-f82c-4b8e-a8c0-aa63a25a4956",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
+ "severity": "高",
+ "text": "使用 Container Insights(或 Prometheus 等其他工具)監控集群指標",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
- "service": "Azure Functions",
- "text": "功能 - 
保持功能溫暖",
- "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
- "waf": "成本"
- },
- {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "service": "Azure Functions",
- "text": "使用具有不同功能的自動縮放時,可能會有一個資源驅動所有資源的所有自動縮放 - 請考慮將其移動到單獨的消耗計劃(並考慮更高的 CPU 計劃)",
- "waf": "成本"
- },
- {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8",
- "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal",
- "service": "Azure Functions",
- "text": "給定計劃中的函數應用都縮放在一起,因此縮放的任何問題都可能影響計劃中的所有應用。",
- "waf": "成本"
- },
- {
- "arm-service": "Microsoft.Web/sites",
- "checklist": "Cost Optimization Checklist",
- "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38",
- "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups",
- "service": "Azure Functions",
- "text": "我需要為「等待時間」付費嗎?這個問題通常是在執行異步操作並等待結果的 C# 函數的上下文中提出的,例如 await Task.Delay(1000) 或 await client。GetAsync('http://google.com')。答案是肯定的 - GB 秒計算基於函數的開始和結束時間以及該時間段內的記憶體使用方式。在這段時間內實際發生的CPU活動未計入計算。此規則的一個例外是,如果使用的是持久函數。您無需為在業務流程協調程式函數中等待所花費的時間付費。在可能的情況下應用需求塑造技術(開發環境?)https://github.com/Azure-Samples/functions-csharp-premium-scaler",
- "waf": "成本"
- },
- {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Cost Optimization Checklist",
- "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
- "service": "Front Door",
- "text": "Frontdoor - 關閉預設主頁在應用的應用程式設置中,將 AzureWebJobsDisableHomepage 設置為 true。這將向PoP返回204(無內容),因此僅返回標頭數據。",
- "waf": "成本"
- },
- {
- "arm-service": "microsoft.network/frontdoors",
- "checklist": "Cost Optimization Checklist",
- "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6",
- "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
- "service": "Front Door",
- "text": "Frontdoor - 路由到不返回任何內容的內容。設置函數、函數代理,或在 WebApp 中添加返回 200 (OK) 且不發送內容或發送最少內容的路由。這樣做的好處是您可以在調用時註銷。",
- "waf": "成本"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3",
- "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring",
- "service": "Storage",
- "text": "考慮為使用較少的數據存檔層",
- "waf": "成本"
- },
- {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c",
- "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
- "service": "VM",
- "text": "檢查大小與層不匹配的磁碟大小(即 513 GiB 磁碟將支付 P30 (1TiB) 並考慮調整大小",
- "waf": "成本"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2",
- "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
- "service": "Storage",
- "text": "盡可能考慮使用標準 SSD,而不是 Premium 或 Ultra",
- "waf": "成本"
- },
- {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
- "service": "Storage",
- "text": "對於存儲帳戶,請確保所選層不會增加事務費用(移動到下一層可能會更便宜)",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.addonProfiles.omsagent) and properties.addonProfiles.omsagent.enabled==true) | distinct id,compliant",
+ "guid": 
"eaa8dc4a-2436-47b3-9697-15b1752beee0",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview",
+ "service": "AKS",
+ "severity": "高",
+ "text": "使用 Container Insights(或 Telegraf/ElasticSearch 等其他工具)存儲和分析集群日誌",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.RecoveryServices/vaults",
- "checklist": "Cost Optimization Checklist",
- "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
- "service": "Site Recovery",
- "text": "對於 ASR,如果 RPO/RTO 和複製輸送量允許,請考慮使用標準 SSD 磁碟",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "4621dd68-c5a5-4be2-bdb1-1726769ef669",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze",
+ "service": "AKS",
+ "severity": "中等",
+ "text": "監控節點的 CPU 和記憶體利用率",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Storage/storageAccounts",
- "checklist": "Cost Optimization Checklist",
- "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1",
- "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery",
- "service": "Storage",
- "text": "存儲帳戶:檢查熱層和/或 GRS 必填",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "1a4835ac-9422-423e-ae80-b123081a5417",
+ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni",
+ "service": "AKS",
+ "severity": "中等",
+ "text": "如果使用 Azure CNI,請監視每個節點消耗的 Pod IP 的百分比",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18",
- "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
- "service": "VM",
- "text": "磁碟 - 驗證高級 SSD 磁碟在任何地方的使用方式:例如,非生產磁碟可以交換到標準 SSD 或按需高級 SSD",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ 
"checklist": "Azure AKS Review",
+ "description": "OS 磁碟上的 I/O 是關鍵資源。如果節點中的操作系統在 I/O 上受到限制,這可能會導致不可預知的行為,通常最終導致節點被聲明為 NotReady",
+ "guid": "415833ea-3ad3-4c2d-b733-165c3acbe04b",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance",
+ "service": "AKS",
+ "severity": "中等",
+ "text": "監視節點中的OS磁碟佇列深度",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5",
- "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview",
- "service": "Synapse",
- "text": "創建預算以管理成本並創建警報,自動通知利益相關者支出異常和超支風險。",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "be209d39-fda4-4777-a424-d116785c2fa5",
+ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard",
+ "service": "AKS",
+ "severity": "中等",
+ "text": "如果不對 AzFW/NVA 使用出口篩選,請監視標準 ALB 分配的 SNAT 連接埠",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "35e33789-7e31-4c67-b68c-f6a62a119495",
- "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
- "service": "Synapse",
- "text": "將成本數據匯出到存儲帳戶以進行其他數據分析。",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "74c2ee76-569b-4a79-a57e-dedf91b022c9",
+ "link": "https://learn.microsoft.com/azure/aks/aks-resource-health",
+ "service": "AKS",
+ "severity": "中等",
+ "text": "訂閱 AKS 群集的資源運行狀況通知",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "Synapse",
- "text": "通過在不使用資源時暫停資源來控制專用 SQL 池的成本。",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ 
"checklist": "Azure AKS Review",
+ "guid": "b54eb2eb-03dd-4aa3-9927-18e2edb11726",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
+ "severity": "高",
+ "text": "在 Pod 規範中配置請求和限制",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4",
- "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview",
- "service": "Synapse",
- "text": "啟用無伺服器 Apache Spark 自動暫停功能,並相應地設置超時值。",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "769ef669-1a48-435a-a942-223ece80b123",
+ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler",
+ "service": "AKS",
+ "severity": "中等",
+ "text": "強制實施命名空間的資源配額",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e",
- "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates",
- "service": "Synapse",
- "text": "創建多個不同大小的 Apache Spark 池定義。",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "081a5417-4158-433e-a3ad-3c2de733165c",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "AKS",
+ "severity": "高",
+ "text": "確保訂閱具有足夠的配額來橫向擴展節點池",
+ "waf": "操作"
 },
 {
- "arm-service": "Microsoft.Synapse/workspaces",
- "checklist": "Cost Optimization Checklist",
- "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator",
- "service": "Synapse",
- "text": "使用預購計劃購買為期一年的 Azure Synapse 提交單元 
(SCU),以節省 Azure Synapse Analytics 成本。",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.autoScalerProfile)) | distinct id,compliant",
+ "guid": "90ce65de-8e13-4f9c-abd4-69266abca264",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ "service": "AKS",
+ "severity": "中等",
+ "text": "使用群集自動縮放程式",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb",
- "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2",
- "service": "VM",
- "text": "將現成 VM 用於可中斷作業:這些 VM 可以以折扣價競標和購買,為非關鍵工作負載提供經濟高效的解決方案。",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "graph": "where type=='microsoft.containerservice/managedclusters' | extend compliant = (isnotnull(properties.austoscalerProfile)) | distinct id,compliant",
+ "guid": "831c2872-c693-4b39-a887-a561bada49bc",
+ "link": "https://learn.microsoft.com/azure/aks/custom-node-configuration",
+ "service": "AKS",
+ "severity": "低",
+ "text": "自定義 AKS 節點池的節點配置",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "544451e1-92d3-4442-a3c7-628637a551c5",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview",
- "service": "VM",
- "text": "合理調整所有 VM 的大小",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "faa19bfe-9d55-4d04-a3c4-919ca1b2d121",
+ "link": "https://learn.microsoft.com/azure/aks/concepts-scale",
+ 
"service": "AKS",
+ "severity": "中等",
+ "text": "需要時使用 Horizontal Pod Autoscaler",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2",
- "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet",
- "service": "VM",
- "text": "將 VM 大小與規範化大小和最新大小交換",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "description": "更大的節點將帶來更高的性能和功能,例如臨時磁碟和加速網路,但它們會增加爆炸半徑並降低擴展粒度",
+ "guid": "5ae124ba-34df-4585-bcdc-e9bd3bb0cdb3",
+ "link": "https://blog.cloudtrooper.net/2020/10/23/which-vm-size-should-i-choose-as-aks-node/",
+ "service": "AKS",
+ "severity": "高",
+ "text": "考慮適當的節點大小,不要太大或太小",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "VM",
- "text": "調整 VM 大小 - 從低於 5% 的監視使用率開始,然後工作到 40%",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
- "waf": "成本"
+ "arm-service": "microsoft.containerservice/managedClusters",
+ "checklist": "Azure AKS Review",
+ "guid": "38800e6a-ae01-40a2-9fbc-ae5a06e5462d",
+ "link": "https://learn.microsoft.com/azure/aks/quotas-skus-regions#service-quotas-and-limits",
+ "service": "AKS",
+ "severity": "低",
+ "text": "如果可伸縮性需要超過 5000 個節點,請考慮使用其他 AKS 群集",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Cost Optimization Checklist",
- "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "VM",
- "text": "容器化應用程式可以提高 VM 密度並節省擴展成本",
- "training": 
"https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "成本" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9583c0f6-6083-43f6-aa6b-df7102c901bb", + "link": "https://learn.microsoft.com/azure/event-grid/event-schema-aks", + "service": "AKS", + "severity": "低", + "text": "考慮訂閱 EventGrid Events for AKS 自動化", + "waf": "性能" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", - "service": "IoT Hub DPS", - "severity": "高", - "text": "根據業務和 SLO 要求選擇正確的邏輯應用託管計劃", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c5016d8c-c6c9-4165-89ae-673ef0fff19d", + "link": "https://learn.microsoft.com/azure/aks/manage-abort-operations", + "service": "AKS", + "severity": "低", + "text": "若要在 AKS 群集上長時間運行操作,請考慮事件終止", + "waf": "性能" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", - "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "IoT Hub DPS", - "severity": "高", - "text": "使用區域冗餘和可用性區域保護邏輯應用免受區域故障的影響", - "waf": "可靠性" + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "c4e37133-f186-4ce1-aed9-9f1b32f6e021", + "link": "https://learn.microsoft.com/azure/aks/use-azure-dedicated-hosts", + "service": "AKS", + "severity": "低", + "text": "如果需要,請考慮將 Azure 專用主機用於 AKS 節點", + "waf": "性能" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "8aed4fbf-0830-4883-899d-222a154af478", - "link": 
"https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "IoT Hub DPS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "graph": "where type=='microsoft.containerservice/managedclusters' | project id,resourceGroup,name,pools=properties.agentPoolProfiles | mvexpand pools | extend compliant = (pools.osDiskType=='Ephemeral') | project id,name=strcat(name,'-',pools.name), resourceGroup, compliant", + "guid": "24367b33-6971-45b1-952b-eee0b9b588de", + "link": "https://learn.microsoft.com/azure/aks/cluster-configuration", + "service": "AKS", "severity": "高", - "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", - "waf": "可靠性" + "text": "使用臨時OS磁碟", + "waf": "性能" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", - "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", - "service": "IoT Hub DPS", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "f0ce315f-1120-4166-8206-94f2cf3a4d07", + "link": "https://learn.microsoft.com/azure/virtual-machines/disks-types", + "service": "AKS", "severity": "高", - "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", - "waf": "可靠性" + "text": "對於非臨時磁碟,在運行多個 Pod/節點時,請為節點使用高 IOPS 和更大的 OS 磁碟,因為它需要高性能才能運行多個 Pod,並且會生成具有預設 AKS 日誌輪換閾值的大量日誌", + "waf": "性能" }, { - "arm-service": "Microsoft.Devices/provisioningServices", - "checklist": "Device Provisioning Service Review", - "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", - "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", - "service": "IoT Hub DPS", - "severity": "中等", - "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護邏輯應用代碼", - "waf": "操作" + "arm-service": "microsoft.containerservice/managedClusters", + 
"checklist": "Azure AKS Review", + "guid": "39c486ce-d5af-4062-89d5-18bb5fd795db", + "link": "https://learn.microsoft.com/azure/aks/use-ultra-disks", + "service": "AKS", + "severity": "低", + "text": "對於超高性能存儲選項,請在 AKS 上使用超級磁碟For hyper performance storage option use Ultra Disks on AKS", + "waf": "性能" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", - "service": "Bot service", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "9f7547c1-747d-4c56-868a-714435bd19dd", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", + "service": "AKS", "severity": "中等", - "text": "遵循 Azure 機器人服務中的可靠性支持建議", - "waf": "可靠性" + "text": "避免將狀態保留在群集中,並將數據存儲在外部(AzStorage、AzSQL、Cosmos 等)", + "waf": "性能" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", - "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", - "service": "Bot service", + "arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "24429eb7-2281-4376-85cc-57b4a4b18142", + "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-storage", + "service": "AKS", "severity": "中等", - "text": "部署具有本地數據駐留和區域合規性的機器人", - "waf": "可靠性" + "text": "如果使用 AzFiles Standard,出於性能原因,請考慮使用 AzFiles Premium 和/或 ANF", + "waf": "性能" }, { - "arm-service": "Microsoft.BotService/botServices", - "checklist": "Azure Bot Service", - "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", - "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", - "service": "Bot service", + "arm-service": 
"microsoft.containerservice/managedClusters", + "checklist": "Azure AKS Review", + "guid": "83958a8c-2689-4b32-ab57-cfc64546135a", + "link": "https://learn.microsoft.com/azure/aks/availability-zones#azure-disk-availability-zone-support", + "service": "AKS", "severity": "中等", - "text": "Azure 機器人服務在全域和區域服務的主動-主動模式下運行。發生中斷時,無需檢測錯誤或管理服務。Azure 機器人服務在多區域地理體系結構中自動執行自動故障轉移和自動恢復。對於歐盟機器人區域服務,Azure 機器人服務在歐洲境內提供兩個完整區域,並提供主動/主動複製,以確保冗餘。對於全球機器人服務,所有可用的區域/地理位置都可以作為全球足跡。", - "waf": "可靠性" + "text": "如果使用 Azure 磁碟和可用區,請考慮在區域內為 LRS 磁碟設置節點池,並使用 VolumeBindingMode:WaitForFirstConsumer 在正確的區域中預配存儲,或將 ZRS 磁碟用於跨多個區域的節點池", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", - "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", + "service": "Entra", "severity": "中等", - "text": "Azure SAP 解決方案中心 (ACSS) 是一項 Azure 產品/服務,可使 SAP 成為 Azure 上的頂級工作負載。ACSS 是一種端到端解決方案,使你能夠在 Azure 上創建和運行 SAP 系統作為統一的工作負載,並為創新提供更無縫的基礎。可以利用新的和現有的基於 Azure 的 SAP 系統的管理功能。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "text": "使用一個 Entra 租戶來管理 Azure 資源,除非你對多租戶有明確的法規或業務要求。", "waf": "操作" }, { - "checklist": "SAP Checklist", - "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", - "service": "SAP", - "severity": "中等", - "text": "Azure 支援在Linux和 Windows 中自動執行 SAP 部署。SAP 部署自動化框架是一種開源編排工具,可以部署、安裝和維護 SAP 環境。", - "training": "https://github.com/Azure/sap-automation", + "checklist": "Azure Landing Zone Review", + "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Entra", + "severity": "低", + "text": "使用多租戶自動化方法管理 Microsoft Entra ID 租戶。", "waf": "操作" }, { - "checklist": "SAP Checklist", - "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", - "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", - "service": "SAP", - "severity": "中等", - "text": "在符合 RTO 要求的任何時間點和時間範圍內對生產資料庫執行時間點恢復;時間點恢復通常包括操作員在DBMS層上或通過SAP刪除數據時出現的錯誤", - "waf": "可靠性" - }, - { - "checklist": "SAP Checklist", - "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", - "service": "SAP", - "severity": "中等", - "text": "測試備份和恢復時間,以驗證它們是否滿足在災難發生后同時還原所有系統的 RTO 要求。", - "waf": "可靠性" - }, - { - "checklist": "SAP Checklist", - "guid": "b651423c-8552-42db-a545-5cb50c05527a", - "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "Entra", "severity": "高", - "text": "可以在配對區域之間複製標準存儲,但不能使用標準存儲來存儲資料庫或虛擬硬碟。您只能在使用的配對區域之間複製備份。對於所有其他數據,請使用本機 DBMS 功能(如 SQL Server Always On 或 SAP HANA 系統複製)運行複製。將 Site Recovery、rsync 或 robocopy 以及其他第三方軟體組合用於 SAP 應用程式層。", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "可靠性" - }, - { - "checklist": "SAP Checklist", - "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", - "severity": "中等", - "text": "使用 Azure 可用性區域實現高可用性時,必須考慮 SAP 應用程式伺服器和資料庫伺服器之間的延遲。對於具有高延遲的區域,需要制定操作過程,以確保 SAP 應用程式伺服器和資料庫伺服器始終在同一區域中運行。", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", 
- "waf": "可靠性" + "text": "使用具有相同 ID 的 Azure Lighthouse 進行多租戶管理。", + "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", + "waf": "操作" }, { - "checklist": "SAP Checklist", - "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Entra", "severity": "高", - "text": "設置從本地到主要和次要 Azure 災難恢復區域的 ExpressRoute 連接。此外,作為使用 ExpressRoute 的替代方法,請考慮設置從本地到主要和輔助 Azure 災難恢復區域的 VPN 連接。", - "training": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", - "waf": "可靠性" - }, - { - "checklist": "SAP Checklist", - "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "SAP", - "severity": "低", - "text": "跨區域複製證書、機密或密鑰等金鑰保管庫內容,以便解密DR區域中的數據。", - "waf": "可靠性" - }, - { - "checklist": "SAP Checklist", - "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", - "service": "SAP", - "severity": "中等", - "text": "對等連接主虛擬網路和災難恢復虛擬網路。例如,對於 HANA 系統複製,需要將 SAP HANA DB 虛擬網路對等互連到災難恢復網站的 SAP HANA DB 虛擬網路。", - "waf": "可靠性" + "text": "如果向合作夥伴授予管理租戶的訪問許可權,請使用 Azure Lighthouse。", + "waf": "成本" }, { - "checklist": "SAP Checklist", - "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", - "service": "SAP", - "severity": "低", - "text": "如果將 Azure NetApp 檔案儲存用於 SAP 部署,則至少要在兩個區域的高級層中創建兩個 Azure NetApp 檔帳戶。", - "training": 
"https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "348ef254-c27d-442e-abba-c7571559ab91", + "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", + "service": "Entra", + "severity": "高", + "text": "強制實施與雲操作模型相符的 RBAC 模型。跨管理組和訂閱確定範圍和分配。", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", + "service": "Entra", "severity": "高", - "text": "應使用本機資料庫複製技術來同步HA對中的資料庫。", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", - "waf": "可靠性" + "text": "僅對所有帳戶類型使用身份驗證類型「工作或學校帳戶」。避免使用 Microsoft 帳戶", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", - "link": "https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", - "service": "SAP", - "severity": "高", - "text": "主虛擬網路 (VNet) 的 CIDR 不應與DR網站的 VNet 的 CIDR 衝突或重疊", - "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", + "link": 
"https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "Entra", + "severity": "中等", + "text": "僅使用組來分配許可權。如果已建立組管理系統,則將本地組添加到僅 Entra ID 組。", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", + "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", + "service": "Entra", "severity": "高", - "text": "使用 Site Recovery 將應用程式伺服器複製到 DR 網站。Site Recovery 還可以説明將中心服務群集 VM 複製到DR網站。調用DR時,需要在DR網站上重新配置Linux Pacemaker群集(例如,替換VIP或SBD、運行 corosync.conf 等)。", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", - "waf": "可靠性" + "text": "對有權訪問 Azure 環境的任何用戶強制實施 Microsoft Entra ID 條件訪問策略。", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", + "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", + "service": "Entra", "severity": "高", - "text": "考慮 SAP 軟體針對單點故障的可用性。這包括應用程式中的單點故障,例如 SAP NetWeaver 和 SAP S/4HANA 架構中使用的 DBMS、SAP ABAP 和 ASCS + SCS。此外,還有其他工具,例如 SAP Web Dispatcher。", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", - "waf": "可靠性" + "text": "對有權訪問 Azure 
環境的任何使用者強制實施多重身份驗證。", + "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", - "service": "SAP", - "severity": "高", - "text": "對於 SAP 和 SAP 資料庫,請考慮實現自動故障轉移群集。在 Windows 中,Windows Server 故障轉移群集支援故障轉移。在 Linux 中,Linux Pacemaker 或第三方工具(如 SIOS Protection Suite 和 Veritas InfoScale)支援故障轉移。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "14658d35-58fd-4772-99b8-21112df27ee4", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "Entra", + "severity": "中等", + "text": "強制實施 Microsoft Entra ID 特權標識管理 (PIM) 以建立零長期訪問許可權和最低特權。", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", - "service": "SAP", - "severity": "高", - "text": "Azure 不支援主 VM 和輔助 VM 共用 DBMS 數據存儲的體系結構。對於 DBMS 層,常見的體系結構模式是同時複製資料庫,並使用與主虛擬機和輔助虛擬機使用的存儲堆疊不同的存儲堆疊。", - "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", + "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview", + "service": "Entra", + "severity": "中等", + "text": "如果計劃從 Active Directory 域服務切換到 Entra 
域服務,請評估所有工作負載的相容性。", + "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", - "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", - "service": "SAP", - "severity": "高", - "text": "DBMS 數據和事務/重做日誌檔存儲在 Azure 支援的塊存儲或 Azure NetApp 檔中。不支援將 Azure 檔案儲存或 Azure 高級檔儲存作為 DBMS 資料和/或使用 SAP 工作負載重做日誌檔的存儲。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", + "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", + "service": "Entra", + "severity": "中等", + "text": "將 Microsoft Entra ID 日誌與平臺為中心的 Azure Monitor 集成。Azure Monitor 允許圍繞 Azure 中的日誌和監視數據提供單一事實來源,為組織提供雲原生選項,以滿足日誌收集和保留方面的要求。", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", - "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", - "service": "SAP", + "ammp": true, + "checklist": "Azure Landing Zone Review", + "guid": "984a859c-773e-47d2-9162-3a765a917e1f", + "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", + "service": "Entra", "severity": "高", - "text": "可以在 Windows 中將 Azure 共用磁碟用於 ASCS + SCS 元件和特定的高可用性方案。為 SAP 應用程式層元件和 DBMS 層單獨設置故障轉移群集。Azure 目前不支援將 SAP 應用程式層元件和 DBMS 層合併到一個故障轉移群集中的高可用性體系結構。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "可靠性" + "text": "實施緊急訪問或打破玻璃帳戶,以防止租戶範圍的帳戶鎖定。", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": 
"a78b3d31-3170-44f2-b5d7-651a29f4ccf5", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", - "service": "SAP", - "severity": "高", - "text": "SAP 應用程式層元件 (ASCS) 和 DBMS 層的大多數故障轉移群集都需要故障轉移群集的虛擬 IP 位址。 Azure 負載均衡器應處理所有其他情況的虛擬IP位址。一個設計原則是每個集群配置使用一個負載均衡器。建議使用標準版本的負載均衡器(標準負載均衡器 SKU)。", - "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "35037e68-9349-4c15-b371-228514f4cdff", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "Entra", + "severity": "中等", + "text": "請勿使用本地同步帳戶進行 Microsoft Entra ID 角色分配,除非你有特別需要它的方案。", + "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", - "service": "SAP", - "severity": "高", - "text": "確保在負載均衡器上啟用了浮動IP", - "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", - "waf": "可靠性" + "checklist": "Azure Landing Zone Review", + "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Entra", + "severity": "中等", + "text": "使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對應用程式的訪問許可權時,請將其作為平臺資源進行管理,因為每個租戶只能有一個實例。", + "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability", - "service": "SAP", - "severity": "高", - "text": "在部署高可用性基礎結構之前,請根據所選的區域確定是使用 
Azure 可用性集還是可用性區域進行部署。", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "可靠性" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity", + "service": "VNet", + "severity": "中等", + "text": "對於需要最大靈活性的網路方案,請使用中心輻射型網路拓撲。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", - "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology", + "service": "VNet", "severity": "高", - "text": "如果要滿足 SAP 元件(中央服務、應用程式伺服器和資料庫)應用程式的基礎結構 SLA,則必須為所有元件選擇相同的高可用性選項(VM、可用性集、可用性區域)。", - "waf": "可靠性" + "text": "在中心虛擬網路中部署共用網路服務,包括 ExpressRoute 閘道、VPN 閘道和 Azure 防火牆或合作夥伴 NVA。如有必要,還可以部署 DNS 服務。", + "waf": "成本" }, { - "checklist": "SAP Checklist", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "VNet", "severity": "高", - "text": "不要在同一可用性集中混合使用不同角色的伺服器。將中央服務 VM、資料庫 VM、應用程式 VM 保留在自己的可用性集中", - "training": 
"https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "可靠性" + "text": "對應用程式登陸區域中的所有公共IP位址使用 DDoS 網路或IP保護計畫。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", - "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", - "service": "SAP", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha", + "service": "NVA", "severity": "中等", - "text": "除非使用鄰近放置組,否則無法在 Azure 可用性區域內部署 Azure 可用性集。", - "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "text": "部署合作夥伴網路技術或 NVA 時,請遵循合作夥伴供應商的指導。", "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "9674e7c7-7796-4181-8920-09f4429543ba", - "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", - "service": "SAP", - "severity": "高", - "text": "創建可用性集時,請使用最大數量的容錯域和更新可用的域。例如,如果在一個可用性集中部署兩個以上的 VM,請使用最大數量的容錯域(三個)和足夠的更新域來限制潛在的物理硬體故障、網路中斷或電源中斷的影響,以及 Azure 計劃內維護。默認的容錯域數為 2,以後無法連線更改。", - "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", - "waf": "可靠性" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn", + "service": "ExpressRoute", + "severity": "低", + "text": "如果需要在中心輻射型方案中在 ExpressRoute 和 VPN 閘道之間傳輸,請使用 Azure 路由伺服器。", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", - 
"link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "高", - "text": "在可用性集部署中使用 Azure 鄰近放置組時,所有三個 SAP 元件(中央服務、應用程式伺服器和資料庫)都應位於同一鄰近放置組中。", - "waf": "可靠性" + "arm-service": "Microsoft.Network/virtualHubs", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc", + "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", + "service": "ARS", + "severity": "低", + "text": "如果使用路由伺服器,請對路由伺服器子網使用 /27 前置綴。", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", - "service": "SAP", - "severity": "高", - "text": "每個 SAP SID 使用一個鄰近放置組。組不跨可用性區域或 Azure 區域", - "waf": "可靠性" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "cc881471-607c-41cc-a0e6-14658dd558f9", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region", + "service": "VNet", + "severity": "中等", + "text": "對於跨 Azure 區域具有多個中心輻射型拓撲的網路體系結構,請在中心 VNet 之間使用全域虛擬網路對等互連將區域相互連接。", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", - "severity": "高", - "text": "根據操作系統的不同,使用以下服務之一來運行 SAP 中心服務群集。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "可靠性" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad", + "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview", + "service": "VNet", + "severity": "中等", + "text": "使用用於網路的 Azure Monitor 監視 Azure 上網路的端到端狀態。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", + "waf": "操作" }, { - "checklist": "SAP Checklist", - "guid": "ed46b937-913e-4018-9c62-8393ab037e53", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant", + "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "中等", - "text": "Azure 目前不支援將 ASCS 和 DB HA 組合在同一 Linux Pacemaker 群集中;將它們分成單獨的集群。但是,最多可以將五個多個中心服務群集合併到一對 VM 中。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "如果一個區域中有超過 400 個分支網路,請部署一個額外的中心,以繞過 VNet 對等互連限制 (500) 和可通過 ExpressRoute 播發的最大前綴數 (1000)。", "waf": "可靠性" }, { - "checklist": "SAP Checklist", - 
"guid": "f656e745-0cfb-453e-8008-0528fa21c933", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant", + "guid": "3d457936-e9b7-41eb-bdff-314b26450b12", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits", + "service": "VNet", "severity": "中等", - "text": "在可用性集或可用性區域中的高可用性對中部署兩個 VM。這些 VM 的大小應相同,並具有相同的存儲配置。", + "text": "將每個路由表的路由數限制為 400 個。", + "waf": "可靠性" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)", + "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering", + "service": "VNet", + "severity": "高", + "text": "配置 VNet 對等互連時,請使用「允許流量流向遠端虛擬網路」設置。", "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "7f684ebc-95da-425e-b329-e782dbed050f", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd", + "link": 
"https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec", + "service": "ExpressRoute", "severity": "中等", - "text": "Azure 支援在 Red Hat Enterprise Linux (RHEL) 上運行的同一高可用性群集上安裝和配置 SAP HANA 和 ASCS/SCS 和 ERS 實例。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", - "waf": "可靠性" + "text": "使用 ExpressRoute Direct 時,請配置 MACsec,以便加密組織路由器和 MSEE 之間的第二層級別的流量。該圖顯示了流中的此加密。", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", - "severity": "高", - "text": "在高級託管 SSD 上運行所有生產系統,並使用 Azure NetApp 檔或超級磁碟存儲。至少OS磁碟應位於高級層,以便您可以獲得更好的性能和最佳SLA。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "可靠性" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151", + "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering", + "service": "ExpressRoute", + "severity": "中等", + "text": "對於無法使用MACsec的情況(例如,不使用ExpressRoute Direct),請使用 VPN 閘道通過 ExpressRoute 專用對等互連建立 IPsec 隧道。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "558fd772-49b8-4211-82df-27ee412e7f98", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "ExpressRoute", "severity": "高", - "text": "應僅在 SAP 認證的存儲類型上運行 Azure 上的 SAP 
HANA。請注意,某些卷必須在某些磁碟配置(如果適用)上運行。這些配置包括啟用寫入加速器和使用高級存儲。您還需要確保在儲存上運行的檔案系統與在電腦上運行的 DBMS 相容。", - "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", - "waf": "可靠性" + "text": "確保在 Azure 區域和本地位置之間不使用重疊的 IP 位址空間。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", - "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr", + "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", + "severity": "中等", + "text": "使用專用 Internet 的位址分配範圍中的 IP 位址 (RFC 1918)。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, 
id, subscriptionId, resourceGroup, addressPrefix, compliant", + "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "VNet", "severity": "高", - "text": "請考慮根據用於 SAP 工作負載的儲存類型配置高可用性。Azure Site Recovery 不支援 Azure 中提供的某些存儲服務,因此高可用性配置可能會有所不同。", - "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", - "waf": "可靠性" + "text": "確保不會浪費IP位址空間,不要創建不必要的大型虛擬網路(例如/16)。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", - "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", - "service": "SAP", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9", + "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses", + "service": "VNet", "severity": "高", - "text": "不同的本機 Azure 儲存服務(如 Azure 檔存儲、Azure NetApp 檔、Azure 共用磁碟)可能並非在所有區域都可用。因此,若要在故障轉移后在DR區域上設置類似的SAP,請確保在DR網站中提供相應的存儲服務。", + "text": "請勿對生產網站和災難恢復網站使用重疊的IP位址範圍。", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", - "service": "SAP", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c", + "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal", + "service": "DNS", "severity": 
"中等", - "text": "自動執行 SAP System Start-Stop 以管理成本。", - "waf": "成本" + "text": "對於只需要在 Azure 中進行名稱解析的環境,請使用 Azure 專用 DNS 進行解析,並使用委託區域進行名稱解析(例如“azure.contoso.com”)。", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "操作" }, { - "checklist": "SAP Checklist", - "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", - "severity": "低", - "text": "如果將 Azure 高級存儲與 SAP HANA 配合使用,則可以使用 Azure 標準 SSD 儲存來選擇成本敏感的儲存解決方案。但是,請注意,選擇“標準 SSD”或“標準 HDD Azure”存儲將影響各個 VM 的 SLA。此外,對於具有較低 I/O 輸送量和低延遲的系統(例如非生產環境),可以使用較低系列的 VM。", - "waf": "成本" + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0", + "link": "https://learn.microsoft.com/azure/dns/dns-private-resolver-overview", + "service": "DNS", + "severity": "中等", + "text": "對於需要跨 Azure 和本地進行名稱解析且沒有現有企業 DNS 服務(如 Active Directory)的環境,請使用 Azure DNS 專用解析程式將 DNS 請求路由到 Azure 或本地 DNS 伺服器。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "9877f353-2591-4e8b-8381-e9043fed1010", - "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", - "service": "SAP", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances", + "service": "DNS", "severity": "低", - "text": "作為成本較低的替代配置(多用途),可以為非生產 HANA 資料庫伺服器 VM 選擇低性能 SKU。但是,請務必注意,某些 VM 類型(如 E 系列)未經 HANA 認證(SAP HANA 硬體目錄),或者無法實現小於 1 毫秒的存儲延遲。", - "waf": "成本" + "text": "需要並部署自己的 DNS(例如 Red Hat OpenShift)的特殊工作負載應使用其首選的 DNS 解決方案。", + "waf": "操作" }, { - "checklist": "SAP Checklist", - "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", - "link": 
"https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", - "service": "SAP", + "arm-service": "Microsoft.Network/dnsZones", + "checklist": "Azure Landing Zone Review", + "guid": "614658d3-558f-4d77-849b-821112df27ee", + "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", + "service": "DNS", "severity": "高", - "text": "對管理組、訂閱、資源組和資源強制實施 RBAC 模型", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "安全" + "text": "啟用 Azure DNS 的自動註冊,以自動管理虛擬網路中部署的虛擬機的 DNS 記錄的生命週期。", + "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/", + "waf": "操作" }, { - "checklist": "SAP Checklist", - "guid": "45911475-e39e-4530-accc-d979366bcda2", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad", + "link": "https://learn.microsoft.com/azure/bastion/bastion-overview", + "service": "Bastion", "severity": "中等", - "text": "強制實施主體傳播,以便透過雲連接器將身份從 SAP 雲應用程式轉發到 SAP 本地(包括 IaaS)", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", + "text": "使用 Azure Bastion 安全地連接到網路。", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", - "service": "SAP", + "arm-service": "microsoft.network/bastionHosts", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = 
split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant", + "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0", + "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", + "service": "Bastion", "severity": "中等", - "text": "使用 SAML 通過 Azure AD 實現 SAP SaaS 應用程式(如 SAP Analytics Cloud、SAP Cloud Platform、Business by Design、SAP Qualtrics 和 SAP C4C)的 SSO。", + "text": "在子網 /26 或更大的情況下使用 Azure Bastion。", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "WAF", "severity": "中等", - "text": "使用 SAML 對基於 SAP NetWeaver 的 Web 應用程式(如 SAP Fiori 和 SAP Web GUI)實施 SSO。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "text": "使用 Azure Front Door 和 WAF 策略跨 Azure 區域為登陸區域的入站 HTTP/S 連接提供全域保護。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", - "service": "SAP", - "severity": "中等", - "text": "使用 SAML 對基於 SAP NetWeaver 的 Web 應用程式(如 SAP Fiori 和 SAP Web GUI)實施 SSO。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "低", + "text": "使用 Azure Front Door 和 Azure 應用程式閘道幫助保護 HTTP/S 應用時,請在 Azure Front Door 中使用 WAF 策略。鎖定 Azure 應用程式閘道,以便僅接收來自 Azure Front Door 的流量。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", - "service": "SAP", - "severity": "中等", - "text": "可以使用SAP NetWeaver SSO 或合作夥伴解決方案將 SSO 實現到 SAP GUI。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", + "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "WAF", + "severity": "高", + "text": "當入站 HTTP/S 連接需要 WAF 和其他反向代理時,請將它們部署在登陸區域虛擬網路中,並將它們與它們要保護和向 Internet 公開的應用一起部署。", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", - "service": "SAP", - "severity": "中等", - "text": "對於 SAP GUI 和 Web 瀏覽器存取的 SSO,請實施 SNC/Kerberos/SPNEGO(簡單且受保護的 GSSAPI 協商機制),因為它易於配置和維護。對於使用 X.509 用戶端證書的 SSO,請考慮 SAP 安全登錄伺服器,它是 SAP SSO 解決方案的一個元件。", - "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "高", + 
"text": "使用 Azure DDoS 網路或 IP 保護計劃來幫助保護虛擬網路中的公共 IP 位址終結點。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", - "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", - "service": "SAP", - "severity": "中等", - "text": "對於 SAP GUI 和 Web 瀏覽器存取的 SSO,請實施 SNC/Kerberos/SPNEGO(簡單且受保護的 GSSAPI 協商機制),因為它易於配置和維護。對於使用 X.509 用戶端證書的 SSO,請考慮 SAP 安全登錄伺服器,它是 SAP SSO 解決方案的一個元件。", + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b034c01e-110b-463a-b36e-e3346e57f225", + "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access", + "service": "VNet", + "severity": "高", + "text": "在即將到來的重大更改之前,規劃如何管理網路出站流量配置和策略。2025 年 9 月 30 日,新部署的預設出站訪問將停用,僅允許顯式訪問配置。", + "waf": "可靠性" + }, + { + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", + "service": "VNet", + "severity": "高", + "text": "添加診斷設置以保存所有受保護的公共IP位址(DDoS IP或網路保護)的 DDoS 相關日誌。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Authorization/policyDefinitions", + "checklist": "Azure Landing Zone Review", + "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41", + "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp", + "service": "Policy", + "severity": "高", + "text": "確保存在策略分配,以拒絕直接綁定到虛擬機的公共IP位址。 如果特定 VM 上需要公共 IP,請使用排除項。", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "16785d6f-a96c-496a-b885-18f482734c88", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", 
- "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "中等", - "text": "使用 OAuth for SAP NetWeaver 實現 SSO,以允許第三方或自定義應用程式訪問 SAP NetWeaver OData 服務。", - "waf": "安全" + "text": "使用 ExpressRoute 作為到 Azure 的主要連接。 使用 VPN 作為備用連接源。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "a747c350-8d4c-449c-93af-393dbca77c48", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "description": "可以使用 AS 路徑預置和連接權重來影響從 Azure 到本地的流量,並使用自己的路由器中的所有 BGP 屬性來影響從本地到 Azure 的流量。", + "guid": "f29812b2-363c-4efe-879b-599de0d5973c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-routing", + "service": "ExpressRoute", "severity": "中等", - "text": "實現 SSO 到 SAP HANA", - "waf": "安全" + "text": "使用多個 ExpressRoute 線路或多個本地位置時,請使用 BGP 屬性來優化路由。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", - "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant 
= SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant", + "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku", + "service": "ExpressRoute", "severity": "中等", - "text": "將 Azure AD 視為 RISE 上託管的 SAP 系統的標識提供者。有關詳細資訊,請參閱將服務與 Azure AD 集成。", - "waf": "安全" + "text": "根據頻寬和性能要求為 ExpressRoute/VPN 閘道選擇正確的 SKU。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", - "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", - "service": "SAP", - "severity": "中等", - "text": "對於訪問 SAP 的應用程式,可能需要使用主體傳播來建立 SSO。", - "waf": "安全" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant", + "guid": "7025b442-f6e9-4af6-b11f-c9574916016f", + "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", + "service": "ExpressRoute", + "severity": "高", + "text": "確保僅在達到與其成本相符的頻寬時才使用無限數據的 ExpressRoute 線路。", + "waf": "成本" }, { - "checklist": "SAP Checklist", - "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | 
where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id", + "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", + "service": "ExpressRoute", + "severity": "高", + "text": "如果線路對等互連位置支援本地 SKU 的 Azure 區域,則利用 ExpressRoute 的本地 SKU 來降低線路成本。", + "waf": "成本" + }, + { + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant", + "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", + "service": "ExpressRoute", "severity": "中等", - "text": "如果使用的是需要 SAP Identity Authentication Service (IAS) 的 SAP BTP 服務或 SaaS 解決方案,請考慮在 SAP Cloud Identity Authentication Services 和 Azure AD 之間實現 SSO 以存取這些 SAP 服務。此集成允許 SAP IAS 充當代理標識提供者,並將身份驗證請求轉發到 Azure AD,作為中央使用者存儲和標識提供者。", - "waf": "安全" + "text": "在受支援的 Azure 區域中部署區域冗餘 ExpressRoute 閘道。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", + "service": "ExpressRoute", "severity": "中等", - "text": "實現 SSO 到 SAP BTP", - "waf": "安全" + "text": "對於需要頻寬高於 10 Gbps 或專用 10/100 Gbps 埠的方案,請使用 ExpressRoute Direct。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", - "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", + "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", + "service": "ExpressRoute", "severity": "中等", - "text": "如果使用的是 SAP SuccessFactors,請考慮使用 Azure AD 自動使用者預配。通過此整合,當你向 SAP SuccessFactors 添加新員工時,可以在 Azure AD 中自動建立使用者帳戶。 (可選)可以在 Microsoft 365 或 Azure AD 支援的其他 SaaS 應用程式中建立使用者帳戶。 使用將電子郵件地址寫回 SAP SuccessFactors。", - "waf": "安全" + "text": "如果需要低延遲,或者從本地到 Azure 的輸送量必須大於 10 Gbps,請啟用 FastPath 以從數據路徑繞過 ExpressRoute 閘道。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "6ba28021-4591-4147-9e39-e5309cccd979", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", - "service": "SAP", + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", + "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", + "link": 
"https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", + "service": "VPN", "severity": "中等", - "text": "對 SAP 訂閱強制實施現有管理組策略", - "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", - "waf": "操作" + "text": "使用區域冗餘 VPN 閘道將分支或遠端位置連接到 Azure(如果可用)。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", - "severity": "高", - "text": "將緊密耦合的應用程式集成到同一個 SAP 訂閱中,以避免額外的路由和管理複雜性", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", - "waf": "操作" + "arm-service": "microsoft.network/virtualNetworkGateways", + "checklist": "Azure Landing Zone Review", + "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", + "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", + "service": "VPN", + "severity": "中等", + "text": "在本地使用冗餘 VPN 設備(主動/主動或主動/被動)。", + "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", + "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "718cb437-b060-2589-8856-2e93a5c6633b", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", + "service": "ExpressRoute", "severity": "高", - "text": "利用訂閱作為縮放單元並擴展我們的資源,請考慮按環境部署訂閱,例如。沙箱、非生產、生產", - "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", - "waf": "操作" + "text": "如果使用 
ExpressRoute Direct,請考慮使用到本地 Azure 區域的 ExpressRoute 本地線路來節省成本。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "成本" }, { - "checklist": "SAP Checklist", - "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", - "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", - "service": "SAP", - "severity": "高", - "text": "確保在訂閱預配過程中增加配額(例如,訂閱中可用的 VM 核心總數)", - "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "waf": "操作" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", + "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", + "service": "ExpressRoute", + "severity": "中等", + "text": "當需要流量隔離或專用頻寬時,例如用於分離生產環境和非生產環境,請使用不同的 ExpressRoute 線路。它將幫助您確保隔離的路由域並減輕嘈雜的鄰居風險。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", - "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", - "service": "SAP", - "severity": "低", - "text": "配額 API 是一個 REST API,可用於查看和管理 Azure 服務的配額。如有必要,請考慮使用它。", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b30e38c3-f298-412b-8363-cefe179b599d", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", + "service": "ExpressRoute", + "severity": "中等", + "text": "使用內置的 Express Route Insights 監視 ExpressRoute 的可用性和利用率。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "操作" }, { - "checklist": "SAP Checklist", - "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", - "link": 
"https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", - "service": "SAP", - "severity": "高", - "text": "如果部署到可用性區域,請確保在配額獲得批准后,VM 的區域部署可用。提交支援請求,其中包含所需的訂閱、VM 系列、CPU 數量和可用性區域。", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", + "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", + "service": "ExpressRoute", + "severity": "中等", + "text": "使用連接監視器監視整個網路的連接監視,尤其是本地和 Azure 之間的連接監視。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "操作" }, { - "checklist": "SAP Checklist", - "guid": "e6e20617-3686-4af4-9791-f8935ada4332", - "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", - "service": "SAP", - "severity": "高", - "text": "確保所需的服務和功能在所選部署區域內可用,例如。ANF、區域等", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", - "waf": "操作" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", + "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", + "service": "ExpressRoute", + 
"severity": "中等", + "text": "使用來自不同對等互連位置的 ExpressRoute 線路實現冗餘。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", + "service": "ExpressRoute", "severity": "中等", - "text": "利用 Azure 資源標記進行成本分類和資源分組(:BillTo、部門(或營業單位)、環境(生產、階段、開發)、層(Web 層、應用層)、應用程式擁有者、ProjectName)", - "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", - "waf": "操作" + "text": "如果僅使用單個 ExpressRoute 線路,則使用網站到網站 VPN 作為 ExpressRoute 的故障轉移。", + "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", - "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", + "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", + "link": 
"https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", + "service": "ExpressRoute", "severity": "高", - "text": "使用 Azure 備份服務幫助保護 HANA 資料庫。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "text": "如果在 GatewaySubnet 中使用路由表,請確保傳播閘道路由。", "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", - "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", - "service": "SAP", - "severity": "中等", - "text": "如果為 HANA、Oracle 或 DB2 資料庫部署 Azure NetApp 檔,請使用 Azure 應用程式一致性快照工具( AzAcSnap )來創建應用程式一致性快照。AzAcSnap 還支援 Oracle 資料庫。請考慮在中央 VM 上使用 AzAcSnap,而不是在單個 VM 上使用 AzAcSnap。", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "d581a947-69a2-4783-942e-9df3664324c8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", + "service": "ExpressRoute", + "severity": "高", + "text": "如果使用 ExpressRoute,則本地路由應是動態的:如果連接失敗,它應收斂到線路的其餘連接。負載應在兩個連接之間共用,理想情況下為主動/主動,儘管也支持主動/被動。", "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", - "severity": "高", - "text": "確保操作系統和 SAP 系統之間的時區匹配。", - "waf": "操作" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", + "service": "ExpressRoute", + "severity": "中等", + "text": "確保 ExpressRoute 線路的兩個物理鏈路連接到網路中的兩個不同的邊緣設備。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "可靠性" 
}, { - "checklist": "SAP Checklist", - "guid": "c3c7abc0-716c-4486-893c-40e181d65539", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", + "service": "ExpressRoute", "severity": "中等", - "text": "不要將不同的應用程式服務分組到同一個集群中。例如,不要將DRBD和中央服務集群組合在同一集群上。但是,可以使用同一個 Pacemaker 群集來管理大約五個不同的中心服務(多 SID 群集)。", - "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "text": "確保在客戶或供應商邊緣路由設備上啟用並配置雙向轉發檢測 (BFD)。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "a491dfc4-9353-4213-9217-eef0949f9467", - "link": "https://azure.microsoft.com/pricing/offers/dev-test/", - "service": "SAP", - "severity": "低", - "text": "請考慮在暫停模型中運行開發/測試系統,以節省和優化 Azure 運行成本。", - "waf": "成本" + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "ExpressRoute", + "severity": "高", + "text": "將 ExpressRoute 閘道連接到來自不同對等互連位置的兩條或多條線路,以實現更高的復原能力。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "可靠性" }, { - "checklist": "SAP Checklist", - "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", - "link": "https://learn.microsoft.com/azure/lighthouse/overview", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", + "link": 
"https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", + "service": "ExpressRoute", "severity": "中等", - "text": "如果通過管理客戶的 SAP 資產與客戶合作,請考慮使用 Azure Lighthouse。Azure Lighthouse 允許託管服務提供者使用 Azure 本機標識服務對客戶的環境進行身份驗證。它將控制權交到客戶手中,因為他們可以隨時撤銷訪問許可權並審核服務提供者的行為。", + "text": "配置 ExpressRoute 虛擬網路閘道的診斷日誌和警報。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", "waf": "操作" }, { - "checklist": "SAP Checklist", - "guid": "4d116785-d2fa-456c-96ad-48408fe72734", - "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "5234c93f-b651-41dd-80c1-234177b91ced", + "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", + "service": "ExpressRoute", "severity": "中等", - "text": "使用 Azure Update Manager 檢查單個 VM 或多個 VM 的可用更新狀態,並考慮計劃定期修補。", - "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", - "waf": "操作" + "text": "請勿使用 ExpressRoute 線路進行 VNet 到 VNet 通信。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", - "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", - "service": "SAP", + "checklist": "Azure Landing Zone Review", + "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", + "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "service": "N/A", "severity": "低", - "text": "使用 SAP Landscape Management (LaMa) 優化和管理 SAP Basis 運營。使用適用於 Azure 的 SAP LaMa 連接器重新置放、複製、克隆和刷新 SAP 系統。", - "training": 
"https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", - "waf": "操作" + "text": "請勿將 Azure 流量發送到混合位置進行檢查。 相反,請遵循“Azure 中的流量保留在 Azure 中”的原則,以便 Azure 中的資源之間的通信通過 Microsoft 主幹網络進行。", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "14591147-5e39-4e53-89cc-cd979366bcda", - "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", + "link": "https://learn.microsoft.com/azure/firewall/overview", + "service": "Firewall", + "severity": "高", + "text": "使用 Azure 防火牆來管理到 Internet 的 Azure 出站流量、非 HTTP/S 入站連接和東西流量篩選(如果組織需要)。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", + "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", + "service": "Firewall", "severity": "中等", - "text": "使用用於 SAP 解決方案的 Azure Monitor 監視 Azure 上的 SAP 工作負載(SAP HANA、高可用性 SUSE 群集和 SQL 系統)。請考慮使用 SAP 解決方案管理器補充用於 SAP 解決方案的 Azure Monitor。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "waf": "操作" + "text": "創建全域 Azure 防火牆策略以管理全球網路環境中的安全狀況,並將其分配給所有 Azure 防火牆實例。通過 Azure 基於角色的訪問控制將增量防火牆策略委派給本地安全團隊,從而允許使用精細策略來滿足特定區域的要求。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", - "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": 
"655562f2-b3e4-4563-a4d8-739748b662d6", + "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", + "service": "Firewall", + "severity": "低", + "text": "如果組織想要使用此類解決方案來幫助保護出站連接,請在 Firewall Manager 中配置受支援的合作夥伴 SaaS 安全提供者。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", + "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", + "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", + "service": "Firewall", "severity": "高", - "text": "運行適用於 SAP 的 VM 擴展檢查。適用於 SAP 的 VM 擴展使用虛擬機 (VM) 的分配託管標識來訪問 VM 監視和配置數據。該檢查可確保 SAP 應用程式中的所有性能指標都來自適用於 SAP 的基礎 Azure 擴展。", - "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", - "waf": "操作" + "text": "使用應用程式規則篩選目標主機名上的出站流量,以查找受支持的協定。 使用基於 FQDN 的網路規則和具有 DNS 代理的 Azure 防火牆來篩選通過其他協定流向 Internet 的傳出流量。", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "SAP", - "severity": "中等", - "text": "使用 Azure Policy 進行訪問控制和合規性報告。Azure Policy 提供了強制實施組織範圍設置的功能,以確保一致的策略遵守和快速違規檢測。", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "操作" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", + "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", + "link": 
"https://learn.microsoft.com/azure/firewall/premium-features", + "service": "Firewall", + "severity": "高", + "text": "使用 Azure 防火牆高級版啟用其他安全功能。", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", - "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", - "service": "SAP", - "severity": "中等", - "text": "使用 Azure 網路觀察程式中的連接監視器監視 SAP 資料庫和應用程式伺服器的延遲指標。或者使用 Azure Monitor 收集和顯示網路延遲度量。", - "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", - "waf": "操作" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", + "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", + "service": "Firewall", + "severity": "高", + "text": "將 Azure 防火牆威脅情報模式配置為「警報」和「拒絕」以獲得額外保護。", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "73686af4-6791-4f89-95ad-a43324e13811", - "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", - "service": "SAP", - "severity": "中等", - "text": "在預配的 Azure 基礎結構上對 SAP HANA 執行質量檢查,以驗證預配的 VM 是否符合 Azure 上的 SAP HANA 最佳做法。", - "waf": "操作" + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", + "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", + "service": "Firewall", + "severity": "高", + "text": "將 Azure 防火牆 IDPS 模式配置為「拒絕」以獲得額外保護。", + "waf": "安全" }, { - "checklist": "SAP 
Checklist", - "guid": "616785d6-fa96-4c96-ad88-518f482734c8", - "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", + "guid": "a3784907-9836-4271-aafc-93535f8ec08b", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", + "service": "Firewall", "severity": "高", - "text": "對於每個 Azure 訂閱,請在區域部署之前對 Azure 可用性區域運行延遲測試,以選擇用於在 Azure 上部署 SAP 的低延遲區域。", - "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", - "waf": "性能" + "text": "對於未連接到虛擬 WAN 的 VNet 中的子網,請附加路由表,以便將 Internet 流量重定向到 Azure 防火牆或網路虛擬設備。", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": 
"410adcba-db46-424f-a6c4-05ecde75c52e", - "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "715d833d-4708-4527-90ac-1b142c7045ba", + "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", + "service": "Firewall", "severity": "中等", - "text": "運行復原報告,確保整個預配的 Azure 基礎結構(計算、資料庫、網路、存儲、Site Recovery)的配置符合適用於 Azure 的 Cloud Adaption Framework 定義的配置。", - "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", - "waf": "可靠性" + "text": "添加診斷設置,使用「特定於資源」的目標表保存所有 Azure 防火牆部署的日誌。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "操作" }, { - "checklist": "SAP Checklist", - "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", - "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", - "service": "SAP", - "severity": "中等", - "text": "使用適用於 SAP 的 Microsoft Sentinel 解決方案實施威脅防護。使用此解決方案監視 SAP 系統,並檢測整個業務邏輯和應用程式層的複雜威脅。", - "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", + "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", + "service": "Firewall", + "severity": "重要", + "text": "從 Azure 防火牆經典規則(如果存在)遷移到防火牆策略。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "操作" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend 
subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", + "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", + "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", + "service": "Firewall", + "severity": "高", + "text": "對 Azure 防火牆子網使用 /26 前置綴。", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", - "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", + "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", + "service": "Firewall", "severity": "中等", - "text": "Azure 標記可用於對資源進行邏輯分組和跟蹤,自動執行其部署,最重要的是,提供對所發生成本的可見性。", - "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", - "waf": "操作" + "text": "根據防火牆策略中的規則的使用頻率,將規則排列到規則集合組和規則集合中。", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", - "service": "SAP", - "severity": "低", - "text": "對延遲敏感型應用程式使用虛擬機間延遲監視。", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", + "link": "https://learn.microsoft.com/azure/firewall/ip-groups", + "service": "Firewall", + "severity": "中等", + "text": "使用IP組或IP前置綴來減少IP表規則的數量。", "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", 
+ "checklist": "Azure Landing Zone Review", + "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", + "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", + "service": "Firewall", "severity": "中等", - "text": "使用 Azure Site Recovery 監視來維護 SAP 應用程式伺服器的災難恢復服務的運行狀況。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", - "waf": "可靠性" + "text": "不要使用通配符作為DNAT的源IP,例如 *或 any,您應該為傳入的DNAT指定源IP。", + "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", + "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", + "service": "Firewall", "severity": "中等", - "text": "從防病毒掃描中排除所有資料庫檔系統和可執行程式。包含它們可能會導致性能問題。請與資料庫供應商聯繫,瞭解排除清單中的規範性詳細資訊。例如,Oracle 建議從防病毒掃描中排除 /oracle}sapdata。", + "text": "通過監控 SNAT 埠使用方式、評估 NAT 閘道設置並確保無縫故障轉移,防止 SNAT 埠耗盡。如果埠計數接近限制,則表明 SNAT 耗盡可能迫在眉睫。", "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "c027f893-f404-41a9-b33d-39d625a14964", - "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "346840b8-1064-496e-8396-4b1340172d52", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", + "service": "Firewall", + "severity": "高", + "text": "如果使用的是 Azure 防火牆高級版,請啟用 TLS 檢查。", + "waf": "性能" + }, + { + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", + "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", + "service": "Firewall", 
"severity": "低", - "text": "請考慮在遷移後收集非 HANA 資料庫的完整資料庫統計資訊。例如,實施SAP 註釋1020260 - 交付 Oracle 統計資訊。", + "text": "使用 Web 類別允許或拒絕對特定主題的出站訪問。", "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", - "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", + "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", + "service": "Firewall", "severity": "中等", - "text": "請考慮將 Oracle 自動儲存管理 (ASM) 用於使用 Azure 上的 SAP 的所有 Oracle 部署。", - "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "text": "作為 TLS 檢查的一部分,請計劃從 Azure 應用閘道接收流量以進行檢查。", "waf": "性能" }, { - "checklist": "SAP Checklist", - "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", - "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", + "link": "https://learn.microsoft.com/azure/firewall/dns-details", + "service": "Firewall", "severity": "中等", - "text": "對於運行 Oracle 的 Azure 上的 SAP,SQL 腳本集合可説明你診斷性能問題。 自動工作負載存儲庫 (AWR) 報告包含用於診斷 Oracle 系統中問題的寶貴資訊。我們建議您在多個工作階段期間運行 AWR 報告,並為其選擇高峰時間,以確保分析的廣泛覆蓋範圍。", - "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", - "waf": "性能" + "text": "啟用 Azure 防火牆 DNS 代理配置。", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", - "service": "SAP", + 
"arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", + "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", + "service": "Firewall", "severity": "高", - "text": "使用 Azure Site Recovery 監視來維護 SAP 應用程式伺服器的災難恢復服務的運行狀況。", - "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "text": "將 Azure 防火牆與 Azure Monitor 集成,並啟用診斷日誌記錄以存儲和分析防火牆日誌。", "waf": "操作" }, { - "checklist": "SAP Checklist", - "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "SAP", - "severity": "中等", - "text": "若要安全交付 HTTP/S 應用,請使用應用程式閘道 v2 並確保啟用 WAF 保護和策略。", - "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", + "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", + "service": "Firewall", + "severity": "低", + "text": "實施防火牆規則的備份", + "waf": "操作" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Landing Zone Review", + "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "App Gateway", + "severity": "高", + "text": "不要中斷注入虛擬網路的 Azure PaaS 服務的控制平面通信,例如使用 0.0.0.0/0 路由或阻止控制平面流量的 NSG 規則。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", + 
"arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", + "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", + "service": "ExpressRoute", "severity": "中等", - "text": "如果在遷移到 Azure 期間未更改虛擬機器的 DNS 或虛擬名稱,則後台 DNS 和虛擬名稱將連接 SAP 環境中的許多系統介面,並且客戶有時只會知道開發人員隨時間推移定義的介面。遷移后,當虛擬或 DNS 名稱更改時,各種系統之間會出現連接挑戰,建議保留 DNS 別名以防止出現此類困難。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "操作" + "text": "通過專用終結點和 ExpressRoute 專用對等互連從本地訪問 Azure PaaS 服務。此方法可避免在公共 Internet 上傳輸。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", - "service": "SAP", - "severity": "中等", - "text": "使用不同的 DNS 區域來區分每個環境(沙箱、開發、預生產和生產)。具有自己的 VNet 的 SAP 部署除外;在這裡,私有 DNS 區域可能不是必需的。", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", - "waf": "操作" + "arm-service": "Microsoft.Network/virtualNetworks", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", + "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", + "service": "VNet", + "severity": "高", + "text": "默認情況下,不要在所有子網上啟用虛擬網路服務終結點。", + "training": 
"https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "a3592829-e6e2-4061-9368-6af46791f893", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", - "service": "SAP", + "arm-service": "Microsoft.Network/azureFirewalls", + "checklist": "Azure Landing Zone Review", + "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", + "link": "azure/private-link/inspect-traffic-with-azure-firewall", + "service": "Firewall", "severity": "中等", - "text": "本地和全域 VNet 對等互連提供連接,是確保跨多個 Azure 區域的 SAP 部署的登陸區域之間的連接的首選方法", - "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", - "waf": "可靠性" + "text": "使用 FQDN 而不是 Azure 防火牆或 NVA 中的 IP 位址篩選流向 Azure PaaS 服務的出口流量,以防止數據外洩。如果使用專用連結,則可以阻止所有 FQDN,否則僅允許所需的 PaaS 服務。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", - "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", - "service": "SAP", + "arm-service": "microsoft.network/expressRouteCircuits", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", + "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", + "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", + "service": "ExpressRoute", "severity": "高", - "text": "不支援在 SAP 應用程式和 SAP 資料庫伺服器之間部署任何 NVA", - "training": "https://me.sap.com/notes/2731110", - "waf": "性能" + 
"text": "至少對閘道子網使用 /27 前置綴。", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", - "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", - "service": "SAP", - "severity": "中等", - "text": "在需要跨 Azure 區域和本地位置的全域傳輸連接的新網路、大型網路或全球網路中使用虛擬 WAN 進行 Azure 部署。使用此方法,無需手動設置 Azure 網路的可傳遞路由,並且可以遵循 Azure 部署上的 SAP 標準。", - "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "waf": "操作" + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", + "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", + "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", + "service": "NSG", + "severity": "高", + "text": "不要依賴使用 VirtualNetwork 服務標記的 NSG 入站預設規則來限制連接。", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", - "link": 
"https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", - "service": "SAP", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "872e52e3-611c-4c58-a5a4-b1511e43a58a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", + "service": "NSG", "severity": "中等", - "text": "僅當使用合作夥伴 NVA 時,才考慮在區域之間部署網路虛擬設備 (NVA)。如果存在本機 NVA,則不需要區域或 VNet 之間的 NVA。部署合作夥伴網路技術和 NVA 時,請按照供應商的指南驗證與 Azure 網路衝突的配置。", - "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", - "waf": "操作" + "text": "使用 NSG 説明保護子網之間的流量,以及平台中的東西向流量(登陸區域之間的流量)。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", - "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", - "service": "SAP", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "NSG", "severity": "中等", - "text": "虛擬 WAN 管理基於虛擬 WAN 的拓撲的分支 VNet 之間的連接(無需設置使用者定義的路由 [UDR] 或 NVA),同一虛擬中心中 VNet 到 VNet 流量的最大網路輸送量為每秒 50 G。如有必要,SAP 登陸區域可以使用 VNet 對等互連連接到其他登陸區域並克服此頻寬限制。", - "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", - "waf": "操作" + "text": "使用 NSG 和應用程式安全組對登陸區域內的流量進行微分段,並避免使用中心 NVA 篩選流量流。", + "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "82734c88-6ba2-4802-8459-11475e39e530", - "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "高", - "text": "不建議將公共IP分配給運行SAP工作負載的 VM。", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "guid": "dfe237de-143b-416c-91d7-aa9b64704489", + "link": "https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", + "service": "NSG", + "severity": "中等", + "text": "啟用 VNet 流日誌並將其饋送到流量分析中,以深入了解內部和外部流量流。", + "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", - "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", - "service": "SAP", - "severity": "高", - "text": "配置 ASR 時,請考慮在 DR 端保留 IP 位址", - "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", - "waf": "操作" - }, - { - "checklist": "SAP Checklist", - "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", - "service": "SAP", - "severity": "高", - "text": "避免對生產網站和DR網站使用重疊的IP位址範圍。", - "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", - "waf": "操作" + "arm-service": "Microsoft.Network/networkSecurityGroups", + "checklist": "Azure Landing Zone Review", + "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", + "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", + "link": 
"https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits",
+ "service": "NSG",
+ "severity": "中等",
+ "text": "由於規則限制為 1000 條,因此每個 NSG 實施的 NSG 規則不要超過 900 個。",
+ "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
+ "waf": "可靠性"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6e154e3a-a359-4282-ae6e-206173686af4",
- "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any",
+ "service": "VWAN",
 "severity": "中等",
- "text": "雖然 Azure 確實可以説明您在 VNet 中創建多個委派子網,但 Azure NetApp 檔的 VNet 中只能存在一個委派子網。如果對 Azure NetApp 檔使用多個委託子網,則嘗試創建新卷將失敗。",
- "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations",
+ "text": "如果在虛擬 WAN 路由設計清單中明確描述了你的方案,請使用虛擬 WAN。",
+ "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/",
 "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a",
- "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst",
+ "service": "VWAN",
 "severity": "中等",
- "text": "使用 Azure 防火牆管理發往 Internet 的 Azure 出站流量、非 HTTP/S 入站連接和東西向流量篩選(如果組織需要)",
- "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/",
- "waf": "安全"
+ "text": "使用每個 Azure 區域的虛擬 WAN 中心,透過通用的全球 Azure 虛擬 WAN 跨 Azure 區域將多個登陸區域連接在一起。",
+ "waf": "性能"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324",
- "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant",
+ "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall",
+ "service": "VWAN",
 "severity": "中等",
- "text": "當應用程式閘道充當 SAP Web 應用的反向代理時,應用程式閘道和 Web 應用程式防火牆存在限制,如應用程式閘道、SAP Web 調度程式和其他第三方服務之間的比較所示。",
- "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html",
+ "text": "對於出站 Internet 流量保護和篩選,請在安全中心部署 Azure 防火牆。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6667313b-4f56-464b-9e98-4a859c773e7d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology",
+ "service": "VWAN",
 "severity": "中等",
- "text": "使用 Azure Front Door 和 WAF 策略跨 Azure 區域為與登陸區域的入站 HTTP/S 連接提供全域保護。",
- "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/",
- "waf": "安全"
+ "text": "確保虛擬 WAN 網路體系結構與已確定的體系結構方案保持一致。",
+ "waf": "可靠性"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "261623a7-65a9-417e-8f34-8ef254c27d42",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights",
+ "service": "VWAN",
 "severity": "中等",
- "text": "使用 Azure Front Door 和應用程式閘道保護 HTTP/S 應用程式時,請利用 Azure Front Door 中的 Web 應用程式防火牆策略。鎖定應用程式閘道以僅接收來自 Azure Front Door 的流量。",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
- "waf": "安全"
+ "text": "使用適用於虛擬 WAN 的 Azure Monitor 見解來監視虛擬 WAN 的端到端拓撲、狀態和關鍵指標。",
+ "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5ada4332-4e13-4811-9231-81aa41742694",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "727c77e1-b9aa-4a37-a024-129d042422c1",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan",
+ "service": "VWAN",
 "severity": "中等",
- "text": "使用 Web 應用程式防火牆在流量暴露於 Internet 時對其進行掃描。另一種選擇是將其與負載均衡器或具有內置防火牆功能(如應用程式閘道或第三方解決方案)的資源一起使用。",
- "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations",
- "waf": "安全"
+ "text": "不要在虛擬 WAN 中禁用分支到分支流量,除非應明確阻止這些流。",
+ "waf": "可靠性"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde",
- "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference",
+ "service": "VWAN",
 "severity": "中等",
- "text": "在需要跨 Azure 區域和本地位置的全域傳輸連接的新網路、大型網路或全球網路中使用虛擬 WAN 進行 Azure 部署。使用此方法,無需手動設置 Azure 網路的可傳遞路由,並且可以遵循 Azure 部署上的 SAP 標準。",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door",
- "waf": "性能"
+ "text": "使用 AS-Path 作為中心路由首選項,因為它比 ExpressRoute 或 VPN 更靈活。",
+ "waf": "可靠性"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0",
- "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels",
+ "service": "VWAN",
 "severity": "中等",
- "text": "若要防止數據洩露,請使用 Azure 專用連結安全地訪問平臺即服務資源,例如 Azure Blob 存儲、Azure 檔存儲、Azure Data Lake Storage Gen2、Azure 數據工廠等。Azure 專用終結點還有助於保護 VNet 與 Azure 存儲、Azure 備份等服務之間的流量。VNet 與啟用專用終結點的服務之間的流量通過 Microsoft 全球網路傳輸,從而防止其暴露在公共 Internet 上。",
- "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations",
- "waf": "安全"
+ "text": "在虛擬 WAN 中配置基於標籤的傳播,否則虛擬中心之間的連接將受到損害。",
+ "waf": "可靠性"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a",
- "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
- "service": "SAP",
+ "arm-service": "microsoft.network/virtualWans",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "9c75dfef-573c-461c-a698-68598595581a",
+ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation",
+ "service": "VWAN",
 "severity": "高",
- "text": "請確保在 SAP 應用程式和 DBMS 層中使用的 VM 上啟用了 Azure 加速網路。",
- "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations",
- "waf": "性能"
+ "text": "至少為虛擬中心分配一個 /23 前置綴,以確保有足夠的IP空間可用。",
+ "waf": "可靠性"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609",
- "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview",
- "service": "SAP",
- "severity": "中等",
- "text": "請確保將 Azure 負載均衡器的內部部署設置為使用直接伺服器返回 (DSR)。此設置(啟用浮動IP)將減少內部負載均衡器配置用於 DBMS 層上的高可用性配置時的延遲。",
- "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5c986cb2-9131-456a-8247-6e49f541acdc",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "高",
+ "text": "戰略性地利用 Azure Policy,為環境定義控制,使用策略計劃對相關策略進行分組。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "6791f893-5ada-4433-84e1-3811523181aa",
- "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "中等",
- "text": "可以使用應用程式安全組 (ASG) 和 NSG 規則在 SAP 應用程式層和 DBMS 層之間定義網路安全存取控制清單。ASG 對虛擬機進行分組,以説明管理其安全性。",
- "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations",
+ "text": "將法規和合規性要求映射到 Azure Policy 定義和 Azure 角色分配。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "45bbe609-d8a0-43e9-9778-424d616785d6",
- "link": "https://me.sap.com/notes/2015553",
- "service": "SAP",
- "severity": "高",
- "text": "不支援將 SAP 應用程式層和 SAP DBMS 放置在未對等互連的不同 Azure VNet 中。",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "waf": "性能"
- },
- {
- "checklist": "SAP Checklist",
- "guid": "fa96c96a-d885-418f-9827-34c886ba2802",
- "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "223ace8c-b123-408c-a501-7f154e3ab369",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "中等",
- "text": "若要優化 SAP 應用程式的網路延遲,請考慮使用 Azure 鄰近放置組。",
- "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups",
- "waf": "性能"
+ "text": "在中間根管理組建立 Azure Policy 定義,以便可以在繼承的範圍內分配它們。",
+ "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce",
- "link": "https://me.sap.com/notes/2015553",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "3829e7e3-1618-4368-9a04-77a209945bda",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "高",
- "text": "根本不支援在本地和 Azure 之間運行 SAP Application Server 層和 DBMS 層拆分。這兩個層都需要完全駐留在本地或 Azure 中。",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "waf": "性能"
+ "text": "如果需要,在最高適當級別管理策略分配,並在底層管理排除項。",
+ "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2",
- "link": "https://me.sap.com/notes/2015553",
- "service": "SAP",
- "severity": "高",
- "text": "不建議將資料庫管理系統 (DBMS) 和 SAP 系統的應用程式層託管在不同的 VNet 中,並將它們與 VNet 對等互連連接,因為層之間的過多網路流量可能會產生大量成本。建議使用 Azure 虛擬網路中的子網來分隔 SAP 應用程式層和 DBMS 層。",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
- "waf": "成本"
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "43334f24-9116-4341-a2ba-527526944008",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services",
+ "service": "Policy",
+ "severity": "低",
+ "text": "使用 Azure Policy 控制使用者可以在訂閱/管理組級別預配哪些服務。",
+ "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "402a9846-d515-4061-aff8-cd30088693fa",
- "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
 "severity": "高",
- "text": "如果將負載均衡器與Linux客戶機作業系統配合使用,請檢查Linux網路參數 net.ipv4.tcp_timestamps是否設置為0。",
- "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations",
- "waf": "性能"
+ "text": "盡可能使用內置策略,以最大程度地減少運營開銷。",
+ "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "87585797-5551-4d53-bb7d-a94ee415734d",
- "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "description": "通過將「資源策略參與者」角色分配給特定範圍,可以將策略管理委派給相關團隊。例如,中心 IT 團隊可以監督管理組級別的策略,而應用程式團隊則處理其訂閱的策略,從而在遵守組織標準的情況下實現分散式治理。",
+ "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy",
+ "service": "Policy",
 "severity": "中等",
- "text": "對於 SAP RISE/ECS 部署,虛擬對等互連是與客戶現有 Azure 環境建立連接的首選方式。SAP vnet 和客戶 vnet 都受網路安全組 (NSG) 保護,從而通過 VNet 對等互連在 SAP 和資料庫埠上進行通信",
+ "text": "在特定範圍內分配內置的「資源策略參與者」角色,以啟用應用程式級治理。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a",
- "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about",
- "service": "SAP",
- "severity": "高",
- "text": "查看 Azure VM 的 SAP HANA 資料庫備份。",
- "waf": "成本"
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "19048384-5c98-46cb-8913-156a12476e49",
+ "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "service": "Policy",
+ "severity": "中等",
+ "text": "限制在根管理組範圍內執行的 Azure Policy 分配數,以避免在繼承的範圍內通過排除項進行管理。",
+ "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8",
- "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757",
+ "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline",
+ "service": "Policy",
 "severity": "中等",
- "text": "查看用於 SAP 的 Site Recovery 內置監視。",
- "waf": "成本"
+ "text": "如果存在任何數據主權要求,則應部署 Azure 策略來強制實施這些要求。",
+ "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/",
+ "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf",
- "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US",
- "service": "SAP",
- "severity": "高",
- "text": "查看監視 SAP HANA 系統環境指南。",
- "waf": "操作"
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone",
+ "service": "Policy",
+ "severity": "中等",
+ "text": "對於主權登陸區域,部署主權策略基線,並在正確的管理組級別進行分配。",
+ "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd",
- "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4",
+ "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline",
+ "service": "Policy",
 "severity": "中等",
- "text": "查看 Azure Linux VM 中的 Oracle 資料庫備份策略。",
- "waf": "操作"
+ "text": "對於主權登陸區域,將主權控制目標記錄到策略映射。",
+ "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962",
- "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16",
- "service": "SAP",
+ "arm-service": "Microsoft.Authorization/policyDefinitions",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a",
+ "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives",
+ "service": "Policy",
 "severity": "中等",
- "text": "查看 Azure Blob 儲存與 SQL Server 2016 的配合。",
- "waf": "操作"
+ "text": "對於主權登陸區,請確保已制定“主權控制目標到策略映射”的管理流程。",
+ "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b82e650f-676d-417d-994d-fc33ca54ec14",
- "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql",
- "service": "SAP",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "service": "Monitor",
 "severity": "中等",
- "text": "查看 Azure VM 自動備份 v2 的使用方式。",
+ "text": "使用單個監視器日誌工作區集中管理平臺,但 Azure 基於角色的訪問控制 (Azure RBAC)、數據主權要求或數據保留策略要求使用單獨工作區的情況除外。",
+ "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
 "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d",
- "service": "SAP",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work",
+ "service": "Monitor",
 "severity": "高",
- "text": "使用進階磁碟時開啟M系列的寫入加速器(V1)",
+ "text": "如果日誌保留要求超過 12 年,請將日誌匯出到 Azure 存儲。使用具有一次寫入、多次讀取策略的不可變存儲,使數據在使用者指定的時間間隔內不可擦除且不可修改。",
+ "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/",
 "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94",
- "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test",
- "service": "SAP",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13",
+ "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
+ "service": "VM",
 "severity": "中等",
- "text": "測試可用性區域延遲。",
- "waf": "性能"
+ "text": "使用 Azure Policy 監視 OS 等級虛擬機 (VM) 配置偏移。通過策略啟用 Azure Automanage 計算機配置審核功能可説明應用程式團隊工作負載立即使用功能,而無需付出任何努力。",
+ "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
+ "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d",
- "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html",
- "service": "SAP",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f9887952-5d62-4688-9d70-ba6c97be9951",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations",
+ "service": "VM",
 "severity": "中等",
- "text": "為所有 SAP 元件啟動 SAP EarlyWatch Alert。",
- "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html",
- "waf": "性能"
+ "text": "使用 Azure Update Manager 作為 Azure 中 Windows 和 Linux VM 的修補機制。",
+ "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
+ "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017",
- "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456",
- "service": "SAP",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ",
+ "service": "VM",
 "severity": "中等",
- "text": "使用 SAP ABAPMeter 報表 /SSA/CAT 查看 SAP 應用程式伺服器到資料庫伺服器的延遲。",
- "training": "https://me.sap.com/notes/0002879613",
- "waf": "性能"
+ "text": "使用 Azure Arc 將 Azure Update Manager 用作 Azure 外部的 Windows 和 Linux VM 的修補機制。",
+ "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms",
+ "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80",
- "service": "SAP",
+ "arm-service": "microsoft.network/networkWatchers",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "90483845-c986-4cb2-a131-56a12476e49f",
+ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview",
+ "service": "Network Watcher",
 "severity": "中等",
- "text": "查看使用 CCMS 的 SQL Server 性能監視。",
- "waf": "性能"
+ "text": "使用網路觀察程序主動監視流量流。",
+ "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/",
+ "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390",
- "link": "https://me.sap.com/notes/500235",
- "service": "SAP",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor",
+ "service": "Monitor",
 "severity": "中等",
- "text": "測試 SAP 應用程式層 VM 和 DBMS VM (NIPING) 之間的網路延遲。",
- "training": "https://me.sap.com/notes/1100926/E",
- "waf": "性能"
+ "text": "使用 Azure Monitor 紀錄獲取見解和報告。",
+ "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43",
- "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot",
- "service": "SAP",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "97be9951-9048-4384-9c98-6cb2913156a1",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview",
+ "service": "Monitor",
 "severity": "中等",
- "text": "查看 SAP HANA Studio 警報。",
- "waf": "性能"
+ "text": "使用 Azure Monitor 警報生成操作警報。",
+ "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694",
- "link": "https://me.sap.com/notes/1969700",
- "service": "SAP",
+ "arm-service": "Microsoft.Insights/components",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31",
+ "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings",
+ "service": "Monitor",
 "severity": "中等",
- "text": "使用 HANA_Configuration_Minichecks 執行 SAP HANA 執行狀況檢查。",
- "waf": "性能"
+ "text": "通過 Azure 自動化帳戶使用更改和清單跟蹤時,請確保已選擇受支持的區域,以便將 Log Analytics 工作區和自動化帳戶連結在一起。",
+ "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
- "service": "SAP",
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy",
+ "service": "Backup",
+ "severity": "低",
+ "text": "使用 Azure 備份時,請使用正確的備份類型(GRS、ZRS 和 LRS)進行備份,因為預設設置為 GRS。",
+ "waf": "可靠性"
+ },
+ {
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a",
+ "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration",
+ "service": "VM",
 "severity": "中等",
- "text": "如果在 Azure、本地或其他雲環境中運行 Windows 和 Linux VM,則可以使用 Azure 自動化中的更新管理中心來管理作業系統更新,包括安全修補程式。",
- "training": "https://learn.microsoft.com/azure/automation/update-management/overview",
+ "text": "使用 Azure 來賓策略通過 VM 擴展自動部署軟體配置,並強制實施合規的基線 VM 配置。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "08951710-79a2-492a-adbc-06d7a401545b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
- "service": "SAP",
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "description": "使用 Azure Policy 的來賓配置功能來審核和修正電腦設置(例如 OS、應用程式、環境),以確保資源與預期配置保持一致,並且更新管理可以強制實施 VM 的修補程式管理。",
+ "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift",
+ "service": "VM",
 "severity": "中等",
- "text": "定期查看 SAP 安全 OSS 說明,因為 SAP 會發佈高度關鍵的安全補丁或熱修復程式,需要立即採取行動來保護 SAP 系統。",
- "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html",
+ "text": "通過 Azure Policy 監視 VM 安全配置偏移。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
- "service": "SAP",
- "severity": "低",
- "text": "對於 SQL Server 上的 SAP,可以禁用 SQL Server 系統管理員帳戶,因為 SQL Server 上的 SAP 系統不使用該帳戶。在禁用原始系統管理員帳戶之前,請確保具有系統管理員許可權的其他使用者可以訪問伺服器。",
- "waf": "安全"
+ "arm-service": "Microsoft.Compute/virtualMachines",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a",
+ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview",
+ "service": "VM",
+ "severity": "中等",
+ "text": "使用 Azure Site Recovery 實現 Azure 到 Azure 虛擬機的災難恢復方案。這使您能夠跨區域複製工作負載。",
+ "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
- "service": "SAP",
- "severity": "高",
- "text": "禁用xp_cmdshell。SQL Server 功能xp_cmdshell啟用 SQL Server 內部作業系統命令行介面。這是安全審計中的潛在風險。",
- "training": "https://me.sap.com/notes/3019299/E",
- "waf": "安全"
+ "arm-service": "Microsoft.RecoveryServices/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca",
+ "link": "https://learn.microsoft.com/azure/backup/backup-center-overview",
+ "service": "Backup",
+ "severity": "中等",
+ "text": "使用 Azure 本機備份功能或與 Azure 相容的第三方備份解決方案。",
+ "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs",
+ "service": "WAF",
 "severity": "高",
- "text": "加密 Azure 上的 SAP HANA 資料庫伺服器使用 SAP HANA 本機加密技術。此外,如果在 Azure 上使用 SQL Server,請使用透明數據加密 (TDE) 來保護數據和日誌檔,並確保備份也已加密。",
- "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
- "waf": "安全"
+ "text": "添加診斷設置以保存來自應用程式交付服務(如 Azure Front Door 和 Azure 應用程式閘道)的 WAF 日誌。定期查看日誌,以檢查攻擊和誤報檢測。",
+ "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
- "service": "SAP",
+ "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "7f408960-c626-44cb-a018-347c8d790cdf",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel",
+ "service": "WAF",
 "severity": "中等",
- "text": "為所有 Azure 資源管理器和經典記憶體啟用了 Azure 儲存加密,並且無法禁用。由於預設情況下數據是加密的,因此無需修改代碼或應用程式即可使用 Azure 儲存加密。",
- "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations",
- "waf": "安全"
+ "text": "將 WAF 日誌從應用程式交付服務(如 Azure Front Door 和 Azure 應用程式閘道)發送到 Microsoft Sentinel。檢測攻擊並將 WAF 遙測集成到整個 Azure 環境中。",
+ "waf": "操作"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5017f154-e3ab-4369-9829-e7e316183687",
 "link": "https://learn.microsoft.com/azure/key-vault/general/overview",
- "service": "SAP",
+ "service": "Key Vault",
 "severity": "高",
- "text": "使用 Azure Key Vault 儲存機密和憑據",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "text": "使用 Azure Key Vault 儲存機密和憑據。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "829e2edb-2173-4676-aff6-691b4935ada4",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
- "service": "SAP",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)",
+ "guid": "a0477a20-9945-4bda-9333-4f2491163418",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling",
+ "service": "Key Vault",
 "severity": "中等",
- "text": "建議在成功部署后鎖定 Azure 資源,以防止未經授權的更改。還可以使用自定義的 Azure 策略(自定義角色)在每個訂閱的基礎上強制實施 LOCK 約束和規則。",
- "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations",
+ "text": "對不同的應用程式和區域使用不同的 Azure Key Vault,以避免事務規模限制並限制對機密的訪問。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
- "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
- "service": "SAP",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
 "severity": "中等",
- "text": "預配啟用軟刪除和清除策略的 Azure Key Vault,以允許對已刪除物件進行保留保護。",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "text": "在啟用軟刪除和清除策略的情況下預配 Azure Key Vault,以允許對已刪除物件進行保留保護。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy",
- "service": "SAP",
- "severity": "高",
- "text": "根據現有要求、法規和合規性控制(內部/外部) - 確定所需的 Azure 策略和 Azure RBAC 角色",
- "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "dc055bcf-619e-48a1-9f98-879525d62688",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "中等",
+ "text": "遵循最低特權模型,將永久刪除密鑰、機密和證書的授權限制為專用的自定義 Microsoft Entra ID 角色。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
- "severity": "高",
- "text": "在 SAP 環境中啟用 Microsoft Defender for Endpoint 時,建議排除 DBMS 伺服器上的數據和日誌檔,而不是面向所有伺服器。排除目標檔時,請遵循 DBMS 供應商的建議。",
- "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "6d70ba6c-97be-4995-8904-83845c986cb2",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "中等",
+ "text": "使用公共證書頒發機構自動執行證書管理和續訂過程,以簡化管理。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
- "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks",
- "service": "SAP",
- "severity": "高",
- "text": "委派具有 Microsoft Defender for Cloud 實時訪問許可權的 SAP 管理員自定義角色。",
- "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "913156a1-2476-4e49-b541-acdce979377b",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "中等",
+ "text": "建立金鑰和證書輪換的自動化流程。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
- "severity": "低",
- "text": "通過將第三方安全產品與 DIAG (SAP GUI)、RFC 和 SPNEGO for HTTPS 的安全網路通信 (SNC) 集成,對傳輸中的數據進行加密",
- "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "中等",
+ "text": "在保管庫上啟用防火牆和虛擬網路服務終結點或專用終結點,以控制對密鑰保管庫的訪問。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
- "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal",
- "service": "SAP",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault",
+ "service": "Key Vault",
 "severity": "中等",
- "text": "對於主體加密功能,預設使用 Microsoft 管理的金鑰,並在需要時使用客戶管理的密鑰。",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "text": "使用以平臺為中心的 Azure Monitor Log Analytics 工作區來審核 Key Vault 的每個實例中的密鑰、證書和機密使用方式。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
- "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices",
- "service": "SAP",
- "severity": "高",
- "text": "對每個應用程式、每個環境、每個區域使用 Azure Key Vault。",
- "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "中等",
+ "text": "委託 Key Vault 實例化和特權訪問,並使用 Azure Policy 強制實施一致的合規配置。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c",
- "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
- "service": "SAP",
- "severity": "高",
- "text": "若要控制和管理非 HANA Windows 和非 Windows 作業系統的磁碟加密密鑰和機密,請使用 Azure Key Vault。Azure Key Vault 不支援 SAP HANA,因此必須使用 SAP ABAP 或 SSH 密鑰等替代方法。",
- "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "91163418-2ba5-4275-8694-4008be7d7e48",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "中等",
+ "text": "每個應用程式、每個環境、每個區域使用 Azure Key Vault。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
- "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
- "service": "SAP",
- "severity": "高",
- "text": "為 Azure 上的 SAP 分支訂閱自定義基於角色的訪問控制 (RBAC) 角色,以避免與網路相關的意外更改",
- "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "25d62688-6d70-4ba6-a97b-e99519048384",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "service": "Key Vault",
+ "severity": "中等",
+ "text": "如果要自帶密鑰,則並非所有考慮的服務都支援此功能。實施相關的緩解措施,使不一致之處不會妨礙預期的結果。選擇適當的區域對和災難恢復區域,以最大程度地減少延遲。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
- "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
- "service": "SAP",
- "severity": "高",
- "text": "將 DMZ 和 NVA 與 SAP 資產的其餘部分隔離,配置 Azure 專用連結,並安全地管理和控制 Azure 上的 SAP 資源",
- "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal",
+ "arm-service": "Microsoft.KeyVault/vaults",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb",
+ "link": "https://learn.microsoft.com/industry/sovereignty/key-management",
+ "service": "Key Vault",
+ "severity": "中等",
+ "text": "對於 Sovereign Landing Zone,請使用 Azure Key Vault 託管 HSM 來儲存機密和憑據。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
- "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
- "service": "SAP",
- "severity": "低",
- "text": "請考慮在 Azure 上使用 Microsoft 反惡意軟體來保護虛擬機免受惡意檔、廣告軟體和其他威脅的侵害。",
- "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15",
+ "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports",
+ "service": "Entra",
+ "severity": "中等",
+ "text": "使用 Microsoft Entra ID 報告功能生成訪問控制審核報告。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
- "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
- "service": "SAP",
- "severity": "低",
- "text": "若要獲得更強大的保護,請考慮使用 Microsoft Defender for Endpoint。",
- "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "09945bda-4333-44f2-9911-634182ba5275",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management",
+ "service": "Defender",
+ "severity": "高",
+ "text": "為所有訂閱啟用Defender雲安全態勢管理。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
- "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
- "service": "SAP",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan",
+ "service": "Defender",
 "severity": "高",
- "text": "通過中心虛擬網路傳遞所有流量,將 SAP 應用程式和資料庫伺服器與 Internet 或本地網路隔離開來,該中心虛擬網路通過虛擬網路對等互連連接到分支網路。對等互連虛擬網路保證 Azure 上的 SAP 解決方案與公共 Internet 隔離。",
- "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations",
+ "text": "在所有訂閱上為伺服器啟用Defender雲工作負載保護計劃。",
 "waf": "安全"
 },
 {
- "checklist": "SAP Checklist",
- "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
- "service": "SAP",
- "severity": "低",
- "text": "對於面向 Internet 的應用程式(如 SAP Fiori),請確保根據應用程式要求分配負載,同時保持安全級別。對於第 7 層安全性,可以使用 Azure 市場中提供的第三方 Web 應用程式防火牆 (WAF)。",
- "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations",
+ "checklist": "Azure Landing Zone Review",
+ "guid": 
"77425f48-ecba-43a0-aeac-a3ac733ccc6a", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", + "service": "Defender", + "severity": "高", + "text": "在所有訂閱上為 Azure 資源啟用 Defender 雲工作負載保護計劃。", "waf": "安全" }, { - "checklist": "SAP Checklist", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", - "service": "SAP", - "severity": "中等", - "text": "若要在用於 SAP 解決方案的 Azure Monitor 中啟用安全通信,可以選擇使用根證書或伺服器證書。我們強烈建議您使用根證書。", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", + "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", + "service": "VM", + "severity": "高", + "text": "在 IaaS 伺服器上啟用端點保護。", "waf": "安全" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure 事件中心提供靜態數據加密。如果使用自己的金鑰,則仍使用 Microsoft 管理的金鑰對數據進行加密,但此外,Microsoft 管理的金鑰將使用客戶管理的密鑰進行加密。", - "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", - "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", - "service": "Event Hubs", - "severity": "低", - "text": "需要時,在靜態數據加密中使用客戶管理的金鑰選項", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Azure Landing Zone Review", + "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", + "link": "https://learn.microsoft.com/azure/security-center/", + "service": "VM", + "severity": "中等", + "text": "通過 Azure Monitor 紀錄和 Defender for Cloud 監視基本作業系統修補偏移。", "waf": "安全" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": 
"Azure 事件中心命名空間允許用戶端使用 TLS 1.0 及更高版本發送和接收數據。若要強制實施更嚴格的安全措施,可以將事件中心命名空間配置為要求用戶端使用較新版本的 TLS 發送和接收數據。如果事件中心命名空間需要最低版本的 TLS,則使用舊版本發出的任何請求都將失敗。", - "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", - "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", - "service": "Event Hubs", + "arm-service": "Microsoft.Insights/components", + "checklist": "Azure Landing Zone Review", + "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Monitor", "severity": "中等", - "text": "對請求強制實施傳輸層安全性 (TLS) 的最低要求版本", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "text": "將預設資源配置連接到集中式 Azure Monitor Log Analytics 工作區。", "waf": "安全" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "創建事件中心命名空間時,會自動為命名空間創建名為 RootManageSharedAccessKey 的策略規則。此策略具有整個命名空間的管理許可權。建議您將此規則視為管理根帳戶,不要在應用程式中使用它。建議將 AAD 用作 RBAC 的身份驗證提供程式。", - "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", - "service": "Event Hubs", + "checklist": "Azure Landing Zone Review", + "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", + "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", + "service": "Entra", "severity": "中等", - "text": "避免在不必要的情況下使用root帳戶", - "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", + "text": "對於 Sovereign Landing Zone,請在 Entra ID 租戶上啟用透明度日誌。", "waf": "安全" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure 資源的託管標識可以使用 Azure AD 憑據從 Azure 虛擬機 (VM)、函數應用、虛擬機規模集和其他服務中運行的應用程式授權訪問事件中心資源。通過將 Azure 資源的託管標識與 Azure AD 身份驗證結合使用,可以避免將憑據存儲在雲中運行的應用程式中。", - "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", - 
"link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", - "service": "Event Hubs", + "checklist": "Azure Landing Zone Review", + "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", + "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", + "service": "Entra", "severity": "中等", - "text": "如果可能,應用程式應使用託管標識向 Azure 事件中心進行身份驗證。如果沒有,請考慮在 Azure Key Vault 或等效服務中擁有存儲憑據(SAS、服務主體憑據)", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "對於 Sovereign Landing Zone,請在 Entra ID 租戶上啟用客戶密碼箱。", "waf": "安全" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "創建許可權時,請對用戶端對 Azure 事件中心的訪問提供精細控制。Azure 事件中心中的許可權可以而且應該限定為單個資源級別,例如消費者組、事件中心實體、事件中心命名空間等。", - "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", - "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", - "service": "Event Hubs", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Storage", "severity": "高", - "text": "使用最低特權數據平面 RBAC", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "text": "啟用到存儲帳戶的安全傳輸。", "waf": "安全" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "Azure 事件中心資源日誌包括操作日誌、虛擬網路和 Kafka 日誌。運行時審核日誌捕獲事件中心中所有數據平面訪問操作(例如發送或接收事件)的聚合診斷資訊。", - "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", - "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", - "service": "Event Hubs", - "severity": "中等", - "text": "啟用記錄以進行安全調查。使用 Azure Monitor 捕獲指標和日誌,例如資源日誌、運行時審核日誌和 Kafka 紀錄", - "training": 
"https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Landing Zone Review", + "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", + "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", + "service": "Storage", + "severity": "高", + "text": "為存儲帳戶啟用容器軟刪除,以恢復已刪除的容器及其內容。", "waf": "安全" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "默認情況下,Azure 事件中心具有公共IP位址,並且可通過Internet訪問。專用終結點允許虛擬網路和 Azure 事件中心之間的流量遍歷 Microsoft 主幹網路。除此之外,如果未使用公共終結點,則應禁用這些終結點。", - "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", - "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", - "service": "Event Hubs", - "severity": "中等", - "text": "請考慮使用專用終結點訪問 Azure 事件中心,並在適用時禁用公用網路訪問。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", - "waf": "安全" + "arm-service": "Microsoft.KeyVault/vaults", + "checklist": "Azure Landing Zone Review", + "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", + "service": "Key Vault", + "severity": "高", + "text": "使用 Key Vault 機密可避免對敏感資訊(如憑據、虛擬機、用戶密碼)、證書或密鑰進行硬編碼。", + "waf": "操作" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "使用IP防火牆,可以將公共終結點進一步限製為僅一組IPv4位址或 CIDR(無類別域間路由)表示法的IPv4位址範圍。", - "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", - "service": "Event Hubs", - "severity": "中等", - "text": "請考慮僅允許從特定IP位址或範圍訪問 Azure 事件中心命名空間", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "安全" + "arm-service": "Microsoft.Search/searchServices", + 
"checklist": "Cognitive Search Review Checklist", + "guid": "41faa1ed-b7f0-447d-8cba-4a4905e5bb83", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", + "severity": "高", + "text": "使 2 個副本具有 99.9% 的讀取操作可用性", + "waf": "可靠性" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "31d41e36-11c8-417b-8afb-c410d4391898", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", - "service": "Event Hubs", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7d956fd9-788a-4845-9b9f-c0340972d810", + "link": "https://learn.microsoft.com/azure/search/search-reliability#high-availability", + "service": "Cognitive Search", "severity": "中等", - "text": "利用 FTA 彈性手冊", + "text": "使 3 個副本具有 99.9% 的讀/寫操作可用性", "waf": "可靠性" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "對於從門戶創建的新 EH 命名空間,在啟用區域的區域中具有高級、專用或標準 SKU,將自動啟用此功能。EH 元數據和事件數據本身都是跨區域複製的", - "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", - "service": "Event Hubs", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "44dc5f2b-a032-4d03-aae8-90c3f2c0a4c3", + "link": "https://learn.microsoft.com/azure/search/search-reliability#availability-zone-support", + "service": "Cognitive Search", "severity": "高", - "text": "利用可用區(如果區域適用)", + "text": "通過啟用讀取和/或寫入副本來利用可用區", "waf": "可靠性" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "20b56c56-ad58-4519-8f82-735c586bb281", - "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", - "service": "Event Hubs", + "arm-service": 
"Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "cd0730f0-0ff1-4b77-9a2b-2a1f7dd5e291", + "link": "https://learn.microsoft.com/azure/search/search-reliability#multiple-services-in-separate-geographic-regions", + "service": "Cognitive Search", "severity": "中等", - "text": "使用高級或專用 SKU 實現可預測的性能", + "text": "對於區域冗餘,請在2個或更多區域中為搜索手動創建服務,因為它不提供跨地理區域複製搜索索引的自動方法", "waf": "可靠性" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "啟用內置異地災難恢復功能后,可確保命名空間的整個配置(事件中心、消費者組和設置)從主命名空間持續複製到輔助命名空間,並允許隨時從主命名空間向輔助命名空間進行一次故障轉移。主動/被動功能旨在更輕鬆地從失敗的 Azure 區域中恢復和放棄,而無需更改應用程式配置", - "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", - "service": "Event Hubs", - "severity": "高", - "text": "使用主動被動配置規劃異地災難恢復", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "3c964882-aec9-4d44-9f68-4b5f2efbbdb6", + "link": "https://learn.microsoft.com/azure/search/search-reliability#synchronize-data-across-multiple-services", + "service": "Cognitive Search", + "severity": "中等", + "text": "若要跨多個服務同步數據,請使用索引器更新多個服務上的內容,或使用 REST API 推送多個服務上的內容更新", "waf": "可靠性" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "description": "應用於無法容忍關閉區域中事件數據中斷或丟失的DR配置。對於這些情況,請遵循複製指南,不要使用內置的異地災難恢復功能(主動/被動)。使用「主動/主動」時,在不同區域和命名空間中維護多個事件中心,事件將在中心之間複製", - "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", - "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", - "service": "Event Hubs", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "85ee93c9-f53c-4803-be51-e6e4aa37ff4e", + "link": "https://learn.microsoft.com/azure/search/search-reliability#use-azure-traffic-manager-to-coordinate-requests", + "service": "Cognitive Search", "severity": "中等", 
- "text": "對於業務關鍵型應用程式,請使用 Active Active 配置", + "text": "使用 Azure 流量管理器協調請求", "waf": "可靠性" }, { - "arm-service": "microsoft.eventhub/namespaces", - "checklist": "Azure Event Hub Review", - "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", - "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", - "service": "Event Hubs", - "severity": "中等", - "text": "設計可復原的事件中心", + "arm-service": "Microsoft.Search/searchServices", + "checklist": "Cognitive Search Review Checklist", + "guid": "7be10278-57c1-4a61-8ee3-895aebfec5aa", + "link": "https://learn.microsoft.com/azure/search/search-reliability#back-up-and-restore-alternatives", + "service": "Cognitive Search", + "severity": "高", + "text": "備份和還原 Azure 認知搜索索引。使用此範例代碼將索引定義和快照備份到一系列 Json 檔", "waf": "可靠性" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "ab91932c-9fc9-4d1b-a881-37f5e6c0cb9e", - "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ADF_v1.docx", - "service": "Azure Data Factory", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "應用與存儲相關的 Microsoft 雲安全基準中的指導", + "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", + "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", + "service": "Azure Storage", + "severity": "中等", + "text": "請考慮「存儲的 Azure 安全基線”", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "默認情況下,Azure 儲存具有公共IP位址,並且可通過Internet訪問。專用終結點允許僅向需要訪問的 Azure 計算資源安全地公開 Azure 存儲,從而消除對公共 Internet 的暴露", + "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", + "service": "Azure Storage", + "severity": "高", + "text": "考慮將專用終結點用於 Azure 存儲", + "waf": "安全" + }, + { + "arm-service": 
"Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "新創建的存儲帳戶是使用ARM部署模型創建的,因此 RBAC、審核等都已啟用。確保訂閱中沒有具有經典部署模型的舊存儲帳戶", + "guid": "30e37c3e-2971-41b2-963c-eee079b598de", + "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", + "service": "Azure Storage", + "severity": "中等", + "text": "確保較舊的存儲帳戶未使用“經典部署模型”", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "利用 Microsoft Defender 瞭解可疑活動和錯誤配置。", + "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", + "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", + "service": "Azure Storage", + "severity": "高", + "text": "為所有存儲帳戶啟用 Microsoft DefenderEnable Defender for all of your storage accounts", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "軟刪除機制允許恢復意外刪除的 Blob。", + "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", + "service": "Azure Storage", + "severity": "中等", + "text": "為 blob 啟用“軟刪除”", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "請考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", + "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", + "service": "Azure Storage", "severity": "中等", - "text": "利用 Azure 數據工廠的 FTA 復原能力手冊", - "waf": "可靠性" + "text": "禁用 blob 的“軟刪除”", + "waf": "安全" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e503547c-d447-4e82-9138-a7200f1cac6d", - "link": 
"https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "容器的軟刪除使你能夠在刪除容器后恢復容器,例如從意外刪除操作中恢復。", + "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", + "service": "Azure Storage", "severity": "高", - "text": "在支援可用區的區域中使用區域冗餘管道", - "waf": "可靠性" + "text": "為容器啟用“軟刪除”", + "waf": "安全" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "9ef1d6e8-32e5-42e3-911c-818b1a0bc511", - "link": "https://learn.microsoft.com/azure/data-factory/source-control", - "service": "Azure Data Factory", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "請考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", + "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", + "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", + "service": "Azure Storage", "severity": "中等", - "text": "使用 DevOps 透過 Github/Azure DevOps 集成備份 ARM 範本", - "waf": "可靠性" + "text": "禁用容器的“軟刪除”", + "waf": "安全" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "e43a18a9-cd29-49cf-b7b1-7db8255562f2", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "中等", - "text": "請確保在另一個區域中複製自承載集成運行時 VM", - "waf": "可靠性" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "通過強制使用者在刪除之前先刪除刪除鎖,防止意外刪除存儲帳戶", + "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", + "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", + 
"service": "Azure Storage", + "severity": "高", + "text": "在存儲帳戶上啟用資源鎖", + "waf": "安全" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "guid": "aee4563a-fd83-4393-98b2-62d6dc5f512a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/analytics/pipelines-disaster-recovery", - "service": "Azure Data Factory", - "severity": "中等", - "text": "請確保在姊妹區域中複製或複製您的網路。必須在另一個區域創建 Vnet 的副本", - "waf": "可靠性" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "請考慮對 blob 使用“合法保留”或“基于時間的保留”策略,這樣就無法刪除 blob、容器或存儲帳戶。請注意,「不可能」實際上意味著「不可能」;存儲帳戶包含不可變 blob 後,「擺脫」該存儲帳戶的唯一方法是取消 Azure 訂閱。", + "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", + "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", + "service": "Azure Storage", + "severity": "高", + "text": "考慮不可變的 blob", + "waf": "安全" }, { - "arm-service": "Microsoft.DataFactory/datafactories", - "checklist": "Azure Data Factory Review Checklist", - "description": "如果ADF管道使用Key Vault,則無需執行任何操作即可複製Key Vault。Key Vault 是一項託管服務,Microsoft 會為你處理它", - "guid": "25498f6d-bad3-47da-a43b-c6ce1d7aa9b2", - "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", - "service": "Azure Data Factory", - "severity": "低", - "text": "如果使用 Keyvault 集成,請使用 Keyvault 的 SLA 來瞭解可用性", - "waf": "可靠性" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "請考慮禁用對存儲帳戶的未受保護的 HTTP/80 訪問,以便對所有數據傳輸進行加密、完整性保護,並對伺服器進行身份驗證。", + "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", + "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", + "service": "Azure Storage", + "severity": "高", + "text": "需要 HTTPS,即在儲存帳戶上禁用埠 80", + "waf": "安全" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", - "link": 
"https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", - "service": "IoT", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "在儲存帳戶上配置自定義域(主機名)時,請檢查是否需要 TLS/HTTPS;如果是這樣,可能需要將 Azure CDN 放在存儲帳戶的前面。", + "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", + "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", + "service": "Azure Storage", "severity": "高", - "text": "利用可用區(如果區域適用)(這是自動啟用的)", - "waf": "可靠性" + "text": "強制實施 HTTPS(禁用 HTTP)時,請檢查是否未對儲存帳戶使用自定義域 (CNAME)。", + "waf": "安全" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "當用戶端使用SAS令牌訪問 blob 資料時,要求使用 HTTPS 有助於將憑據丟失的風險降至最低。", + "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", + "service": "Azure Storage", "severity": "中等", - "text": "請注意 Microsoft 發起的故障轉移。Microsoft 在極少數情況下會執行這些操作,以將所有IoT中心從受影響的區域故障轉移到相應的異地配對區域。", - "waf": "可靠性" + "text": "將共享訪問簽名 (SAS) 令牌限製為僅 HTTPS 連接", + "waf": "安全" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", - "service": "IoT", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "在可能的情況下,AAD 令牌應優先於共用訪問簽名", + "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", + "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", + "service": "Azure Storage", "severity": "高", - "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", - "waf": "可靠性" + "text": "使用 Azure 
Active Directory (Azure AD) 令牌進行 blob 訪問", + "waf": "安全" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", - "service": "IoT", - "severity": "高", - "text": "瞭解如何觸發手動故障轉移。", - "waf": "可靠性" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "將角色分配給使用者、組或應用程式時,請僅向該安全主體授予他們執行任務所需的許可權。限制對資源的訪問有助於防止無意和惡意濫用數據。", + "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", + "service": "Azure Storage", + "severity": "中等", + "text": "IaM 許可權中的最低特權", + "waf": "安全" }, { - "arm-service": "Microsoft.Devices/IotHubs", - "checklist": "IoT Hub Review", - "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", - "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", - "service": "IoT", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "使用者委派 SAS 使用 Azure Active Directory (Azure AD) 憑據以及為 SAS 指定的許可權進行保護。使用者委派 SAS 在範圍和功能方面類似於服務 SAS,但比服務 SAS 具有安全優勢。", + "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", + "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", + "service": "Azure Storage", "severity": "高", - "text": "瞭解如何在故障轉移後進行故障回復。", - "waf": "可靠性" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", - "service": "Front Door", - "severity": "中等", - "text": "如果將客戶管理的 TLS 證書用於 Azure Front Door,請使用“最新”證書版本。降低手動續訂證書導致的中斷風險", - "waf": "操作" + "text": "使用 SAS 時,首選「使用者委派 SAS」,而不是基於存儲帳戶密鑰的 SAS。", + "waf": "安全" }, { - "arm-service": 
"microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", - "guid": "553585a6-abe0-11ed-afa1-0242ac120002", - "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", - "service": "App Gateway", - "severity": "中等", - "text": "確保使用應用程式閘道 v2 SKU", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "存儲帳戶金鑰(“共用金鑰”)幾乎沒有審核功能。雖然可以監控誰/何時獲取密鑰副本,但一旦密鑰掌握在多個人手中,就不可能將使用方式歸因於特定使用者。僅依靠 AAD 身份驗證可以更輕鬆地將存儲存取許可權綁定到使用者。", + "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", + "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", + "service": "Azure Storage", + "severity": "高", + "text": "請考慮禁用存儲帳戶密鑰,以便僅支援 AAD 訪問(和使用者委派 SAS)。", "waf": "安全" }, { - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", - "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "Load Balancer", - "severity": "中等", - "text": "確保將標準 SKU 用於 Azure 負載均衡器", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "使用活動日誌數據來標識查看或更改存儲帳戶安全性的“時間”、“人員”、“內容”和“方式”(即存儲帳戶密鑰、訪問策略等)。", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", + "service": "Azure Storage", + "severity": "高", + "text": "請考慮使用 Azure Monitor 審核存儲帳戶上的控制平面操作", "waf": "安全" }, { - "arm-service": 
"Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", - "guid": "9432621a-8397-4654-a882-5bc856b7ef83", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", - "service": "Load Balancer", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "通過金鑰過期策略,您可以設置帳戶訪問金鑰輪換的提醒。如果指定的時間間隔已過且鍵尚未旋轉,則會顯示提醒。", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "link": "https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", + "service": "Azure Storage", "severity": "中等", - "text": "確保負載均衡器前端IP位址是區域冗餘的(除非需要區域性前端)。", + "text": "使用存儲帳戶密鑰時,請考慮啟用“金鑰過期策略”", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", - "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", - "service": "App Gateway", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS 過期策略指定 SAS 有效的建議時間間隔。SAS 過期策略適用於服務 SAS 或帳戶 
SAS。當使用者生成的服務 SAS 或帳戶 SAS 的有效期間隔大於建議的時間間隔時,他們會看到警告。", + "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", + "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", + "service": "Azure Storage", "severity": "中等", - "text": "應用程式閘道 v2 應部署在IP前綴等於或大於 /24 的子網中", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "考慮配置 SAS 過期策略", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "description": "一般而言,反向代理的管理,特別是 WAF 的管理更接近應用程式而不是網路,因此它們與應用程式屬於同一訂閱。如果應用程式閘道和 WAF 由單個團隊管理,則在連接訂閱中集中應用程式閘道和 WAF 可能是可以的。", - "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "存儲存取策略提供了撤銷服務 SAS 許可權的選項,而無需重新生成儲存帳戶密鑰。", + "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", + "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", + "service": "Azure Storage", "severity": "中等", - "text": "部署 Azure 應用程式閘道 v2 或合作夥伴 NVA,用於在登陸區域虛擬網路中代理入站 HTTP(S) 連接,並使用它們所保護的應用。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "text": "考慮將 SAS 連結到儲存存取策略", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "App Gateway", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", + "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", + "service": "Azure Storage", 
"severity": "中等", - "text": "對應用程式登陸區域中的所有公共IP位址使用 DDoS 網路或IP保護計畫。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "請考慮配置應用程式的原始程式碼儲存庫,以檢測簽入的連接字串和存儲帳戶密鑰。", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", - "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", - "service": "App Gateway", - "severity": "中等", - "text": "使用至少兩個實例數配置自動縮放。", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": "可靠性" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "理想情況下,應用程式應使用託管標識向 Azure 儲存進行身份驗證。如果無法做到這一點,請考慮在 Azure KeyVault 或等效服務中使用存儲憑據(連接字串、存儲帳戶密鑰、SAS、服務主體憑據)。", + "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", + "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", + "service": "Azure Storage", + "severity": "高", + "text": "請考慮將連接字串儲存在 Azure KeyVault 中(在無法實現託管標識的情況下)", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", - "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", - "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", - "service": "App Gateway", - "severity": "中等", - "text": "跨可用性區域部署應用程式閘道", - "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", - "waf": 
"可靠性" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "在臨時 SAS 服務 SAS 或帳戶 SAS 上使用近期過期時間。這樣,即使 SAS 遭到入侵,它也只能在很短的時間內有效。如果無法引用存儲訪問策略,則此做法尤為重要。近期過期時間還通過限制可上傳到 blob 的時間來限制可寫入 blob 的數據量。", + "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", + "severity": "高", + "text": "爭取縮短臨時 SAS 的有效期", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "創建 SAS 時,請盡可能具體和嚴格。首選單個資源和操作的 SAS,而不是提供更廣泛訪問許可權的 SAS。", + "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", + "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", + "service": "Azure Storage", "severity": "中等", - "text": "將 Azure Front Door 與 WAF 策略配合使用,以交付和幫助保護跨多個 Azure 區域的全域 HTTP/S 應用。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "將窄範圍應用於SAS", "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "3f29812b-2363-4cef-b179-b599de0d5973", - "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS 可以包含用戶端 IP 位址或位址範圍有權使用 SAS 請求資源的參數。", + "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", + "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", + "service": "Azure Storage", "severity": "中等", - "text": "使用 
Front Door 和應用程式閘道幫助保護 HTTP/S 應用時,請在 Front Door 中使用 WAF 策略。鎖定應用程式閘道以僅接收來自 Front Door 的流量。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "盡可能考慮將SAS的範圍限定為特定的用戶端IP位址", "waf": "安全" }, { - "ammp": true, - "arm-service": "microsoft.network/trafficManagerProfiles", - "checklist": "Azure Application Delivery Networking", - "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", - "service": "Traffic Manager", - "severity": "高", - "text": "使用流量管理器提供跨 HTTP/S 以外的協定的全域應用。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "可靠性" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "SAS 無法限制用戶端上傳的數據量;考慮到存儲量隨時間變化的定價模型,驗證用戶端是否惡意上傳了大量內容可能是有意義的。", + "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", + "service": "Azure Storage", + "severity": "低", + "text": "請考慮在用戶端使用SAS上傳檔后檢查上傳的數據。", + "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", - "severity": "低", - "text": "如果使用者只需要訪問內部應用程式,是否考慮將 Microsoft Entra ID 應用程式代理作為 Azure 虛擬桌面 (AVD) 的替代方法?", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "使用「本地使用者帳戶」通過 SFTP 訪問 Blob 儲存時,“通常”RBAC 控制不適用。通過 NFS 或 REST 進行的 Blob 訪問可能比 SFTP 訪問更嚴格。遺憾的是,截至 2023 年初,本地使用者是 SFTP 端點當前支援的唯一身份管理形式", + "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", + "service": "Azure Storage", + "severity": "高", + "text": "SFTP:限制 SFTP 
訪問的「本地使用者」數量,並審核一段時間內是否需要訪問。", "waf": "安全" }, { - "checklist": "Azure Application Delivery Networking", - "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "Entra", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", + "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", + "service": "Azure Storage", "severity": "中等", - "text": "若要減少為網路中的傳入連接打開的防火牆埠數,請考慮使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對內部應用程式的安全且經過身份驗證的訪問。", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "text": "SFTP:SFTP 端點不支持類似 POSIX 的 ACL。", "waf": "安全" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "ae248989-b306-4591-9186-de482e3f0f0e", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "存儲支援 CORS(跨域資源分享),即一種 HTTP 功能,使來自不同域的 Web 應用程式能夠放寬同源策略。啟用 CORS 時,請將 CorsRules 保留為最低許可權。", + "guid": 
"cef39812-bd46-43cb-aac8-ac199ebb91a3", + "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", + "service": "Azure Storage", "severity": "高", - "text": "在「預防」模式下部署 Front Door 的 WAF 策略。", + "text": "避免過於寬泛的 CORS 策略", "waf": "安全" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "062d5839-4d36-402f-bfa4-02811eb936e9", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "Front Door", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "靜態數據始終在伺服器端加密,此外也可能在用戶端加密。伺服器端加密可能使用平臺管理的金鑰(預設)或客戶管理的金鑰進行。用戶端加密可以通過讓用戶端按 blob 向 Azure 儲存提供加密/解密金鑰,或者完全在用戶端處理加密來實現。因此,完全不依賴 Azure 存儲來保證機密性。", + "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "Azure Storage", "severity": "高", - "text": "避免將 Azure 流量管理器和 Azure Front Door 結合使用。", + "text": "確定應如何加密靜態數據。了解數據的線程模型。", "waf": "安全" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "Front Door", - "severity": "高", - "text": "在 Azure Front Door 和源上使用相同的功能變數名稱。主機名不匹配可能會導致細微的錯誤。", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", + "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", + "service": "Azure Storage", + "severity": "中等", + "text": 
"確定應使用哪種/是否應使用平臺加密。", "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant", - "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "Front Door", - "severity": "低", - "text": "當 Azure Front Door 源組中只有一個源時,禁用運行狀況探測。", - "waf": "性能" + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", + "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", + "service": "Azure Storage", + "severity": "中等", + "text": "確定應使用哪種/是否應使用用戶端加密。", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "5567048e-e5d7-4206-9c55-b5ed45d2cc0c", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "Front Door", - "severity": "中等", - "text": "為 Azure Front Door 選擇良好的運行狀況探測終結點。請考慮構建運行狀況終結點,以檢查應用程式的所有依賴項。", + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Azure Blob Storage Review", + "description": "利用 Resource Graph 資源管理器(資源 | where type 
== 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)查找允許匿名 blob 訪問的存儲帳戶。", + "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", + "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", + "service": "Azure Storage", + "severity": "高", + "text": "考慮是否需要公共 blob 訪問,或者是否可以對某些存儲帳戶禁用公共 blob 訪問。", + "waf": "安全" + }, + { + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", + "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", + "service": "Logic Apps", + "severity": "高", + "text": "根據業務和 SLO 要求選擇正確的邏輯應用託管計劃", "waf": "可靠性" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId", - "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "Front Door", - "severity": "低", - "text": "將 HEAD 運行狀況探測與 Azure Front Door 配合使用,以減少 Front Door 發送到應用程式的流量。", - "waf": "性能" + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", + "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "Logic Apps", + "severity": "高", + "text": "使用區域冗餘和可用性區域保護邏輯應用免受區域故障的影響", + "waf": "可靠性" }, { - "ammp": true, - "arm-service": "Microsoft.Network/loadBalancers", - "checklist": "Azure Application Delivery Networking", 
- "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant", - "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "Load Balancer", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", + "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "Logic Apps", "severity": "高", - "text": "使用 Azure NAT 閘道而不是負載均衡器出站規則,以獲得更好的 SNAT 可伸縮性", + "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", "waf": "可靠性" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId", - "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "Front Door", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", + "link": "https://learn.microsoft.com/azure/app-service/environment/intro", + "service": "Logic Apps", "severity": "高", - "text": "將託管 TLS 證書與 Azure Front Door 配合使用。降低運營成本和因證書續訂而導致的中斷風險。", - "waf": "操作" + "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery 
Networking", - "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", - "service": "Front Door", + "arm-service": "Microsoft.Web/sites", + "checklist": "Logic Apps checklist", + "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", + "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", + "service": "Logic Apps", "severity": "中等", - "text": "將 Azure Front Door WAF 配置定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。", + "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護邏輯應用代碼", "waf": "操作" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls", - "service": "Front Door", - "severity": "高", - "text": "將端到端 TLS 與 Azure Front Door 配合使用。使用 TLS 進行從用戶端到 Front Door 的連接,以及從 Front Door 到源的連接。", - "waf": "安全" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b32e1aa1-4813-4602-88fe-27ca2891f421", + "link": "https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/app-service-web-app/zone-redundant?source=recommendations", + "service": "App Services", + "severity": "低", + "text": "有關最佳實踐,請參閱基線高可用性區域冗餘 Web 應用程式體系結構", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection", - "service": "Front Door", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e4b31c6a-2e3f-4df1-8e8b-9c3aa5a27820", + "link": "https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans", + "service": "App Services", 
"severity": "中等", - "text": "將 HTTP 到 HTTPS 重定向與 Azure Front Door 配合使用。通過自動將較舊的用戶端重定向到 HTTPS 請求來支援它們。", - "waf": "安全" + "text": "使用高級層和標準層。這些層支援暫存槽和自動備份。", + "waf": "可靠性" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", - "service": "Front Door", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a7e2e6c2-491f-4fa4-a82b-521d0bc3b202", + "link": "https://learn.microsoft.com/en-us/azure/reliability/migrate-app-service", + "service": "App Services", "severity": "高", - "text": "啟用 Azure Front Door WAF。保護您的應用程式免受一系列攻擊。", - "waf": "安全" + "text": "利用區域適用的可用性區域(需要高級 v2 或 v3 層)", + "waf": "可靠性" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", - "service": "Front Door", - "severity": "高", - "text": "針對工作負載優化 Azure Front Door WAF。減少誤報檢測。", - "waf": "安全" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "1275e4a9-7b6a-43c3-a9cd-5ee18d8995ad", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", + "severity": "中等", + "text": "實施健康檢查", + "waf": "可靠性" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "Front Door", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", 
+ "guid": "35a91c5d-4ad6-4d9b-8e0f-c47db9e6d1e7", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-backup", + "service": "App Services", "severity": "高", - "text": "啟用在 Azure Front Door WAF 策略中啟用的請求正文檢查功能。", - "waf": "安全" + "text": "請參閱 Azure 應用服務的備份和還原最佳做法", + "waf": "可靠性" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", - "service": "Front Door", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "e68cd0ec-afc6-4bd8-a27f-7860ad9a0db2", + "link": "https://learn.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-app-service/reliability", + "service": "App Services", "severity": "高", - "text": "啟用 Azure Front Door WAF 預設規則集。默認規則集檢測並阻止常見攻擊。", - "waf": "安全" + "text": "實現 Azure 應用服務可靠性最佳做法", + "waf": "可靠性" }, { - "ammp": true, - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "147a13d4-2a2f-4824-a524-f5855b52b946", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", - "service": "Front Door", - "severity": "高", - "text": "啟用 Azure Front Door WAF 機器人保護規則集。機器人規則檢測好的和壞的機器人。", - "waf": "安全" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "bd2a865c-0835-4418-bb58-4df91a5a9b3f", + "link": "https://learn.microsoft.com/en-us/azure/app-service/manage-disaster-recovery#recover-app-content-only", + "service": "App Services", + "severity": "低", + "text": "熟悉如何在災難期間將應用服務應用移動到另一個區域", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a", - 
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", - "service": "Front Door", - "severity": "中等", - "text": "使用最新的 Azure Front Door WAF 規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。", - "waf": "安全" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "f3d2f1e4-e6d4-4b7a-a5a5-e2a9b2c6f293", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-app-service", + "service": "App Services", + "severity": "高", + "text": "熟悉 Azure 應用服務中的可靠性支援", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "b9620385-1cde-418f-914b-a84a06982ffc", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", - "service": "Front Door", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7b5f3d1-0569-4fd2-9f32-c0b64e9c0c5e", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "App Services", "severity": "中等", - "text": "向 Azure Front Door WAF 添加速率限制。速率限制會阻止客戶端在短時間內意外或有意發送大量流量。", - "waf": "安全" + "text": "確保為在應用服務計劃上運行的函數應用啟用“Always On”", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", - "service": "Front Door", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "a3b4d5f6-758c-4f9d-9e1a-d7c6b7e8f9ab", + "link": "https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check", + "service": "App Services", "severity": "中等", - "text": "對 Azure Front Door WAF 
速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可針對可能使基礎結構不堪重負的大量請求提供保護。", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", - "service": "Front Door", - "severity": "低", - "text": "如果您不希望收到來自所有地理區域的流量,請使用地理篩選器來阻止來自非預期國家/地區的流量。", - "waf": "安全" + "text": "使用運行狀況檢查監視應用服務實例", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "00acd8a9-6975-414f-8491-2be6309893b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", - "service": "Front Door", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "c7d3e5f9-a19c-4833-8ca6-1dcb0128e129", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-overview", + "service": "App Services", "severity": "中等", - "text": "使用 Azure Front Door WAF 對流量進行地理篩選時,請指定未知 (ZZ) 位置。避免在IP位址無法進行地理匹配時意外阻止合法請求。", - "waf": "安全" + "text": "使用 Application Insights 可用性測試監視 Web 應用或網站的可用性和回應能力", + "waf": "可靠性" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id", - "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection", - "service": "App Gateway", - 
"severity": "高", - "text": "啟用 Azure 應用程式閘道 WAF 機器人保護規則集 機器人規則可檢測好機器人和壞機器人。", - "waf": "安全" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "guid": "b4e3f2d5-a5c6-4d7e-8b2f-c5d9e7a8f0ea", + "link": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/availability-standard-tests", + "service": "App Services", + "severity": "低", + "text": "使用 Application Insights 標準測試監視 Web 應用或網站的可用性和回應能力", + "waf": "可靠性" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "使用 Azure Key Vault 儲存應用程式所需的任何機密。 Key Vault 為儲存機密提供安全且經過審核的環境,並通過 Key Vault SDK 或應用服務 Key Vault 引用與應用服務很好地集成。", + "guid": "834ac932-223e-4ce8-8b12-3071a5416415", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "高", - "text": "啟用 Azure 應用程式閘道 WAF 策略中啟用的請求正文檢查功能。", + "text": "使用 Key Vault 儲存機密", "waf": "安全" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "使用託管標識通過 Key Vault SDK 或透過應用服務 Key Vault 引用連接到 Key Vault。", + "guid": "833ea3ad-2c2d-4e73-8165-c3acbef4abe1", + "link": "https://learn.microsoft.com/azure/app-service/app-service-key-vault-references", + "service": "App Services", "severity": "高", - "text": "針對工作負載優化 Azure 應用程式閘道 
WAF。減少誤報檢測。", + "text": "使用託管標識連接到 Key VaultUse Managed Identity to connect to Key Vault", "waf": "安全" }, { - "ammp": true, - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode", - "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "將應用服務 TLS 證書存儲在 Key Vault 中。", + "guid": "f8d39fda-4776-4831-9c11-5775c2ea55b4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-certificate", + "service": "App Services", "severity": "高", - "text": "在「防護」模式下部署應用程式閘道的 WAF 策略。", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview", - "service": "App Gateway", - "severity": "中等", - "text": "向 Azure 應用程式閘道 WAF 添加速率限制。速率限制會阻止客戶端在短時間內意外或有意發送大量流量。", - "waf": "安全" - }, - { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f", - "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details", - "service": "App Gateway", - "severity": "中等", - "text": "對 Azure 應用程式閘道 WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可針對可能使基礎結構不堪重負的大量請求提供保護。", + "text": "使用 Key Vault 儲存 TLS 證書。", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "99937189-ff78-492a-b9ca-18d828d82b37", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", - "service": "App Gateway", - "severity": "低", - "text": "如果您不希望收到來自所有地理區域的流量,請使用地理篩選器來阻止來自非預期國家/地區的流量。", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "處理敏感信息的系統應隔離。 為此,請使用單獨的應用服務計劃或應用服務環境,並考慮使用不同的訂閱或管理組。", + "guid": "6ad48408-ee72-4734-a475-ba18fdbf590c", + "link": "https://learn.microsoft.com/azure/app-service/overview-hosting-plans", + "service": "App Services", + "severity": "中等", + "text": "隔離處理敏感信息的系統", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "應用服務上的本地磁碟未加密,敏感數據不應存儲在這些磁碟上。 (例如:D:\\\\Local 和 %TMP%)。", + "guid": "e65de8e0-3f9b-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access", + "service": "App Services", "severity": "中等", - "text": "使用 Azure 應用程式閘道 WAF 對流量進行地理篩選時,請指定未知 (ZZ) 位置。避免在IP位址無法進行地理匹配時意外阻止合法請求。", + "text": "不要將敏感數據存儲在本地磁碟上", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": 
"6c19dfd5-a61c-436c-9001-491b9b3d0228", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "對於經過身份驗證的 Web 應用程式,請使用成熟的標識提供者,例如 Azure AD 或 Azure AD B2C。 利用所選的應用程式框架與此提供程式整合,或使用應用服務身份驗證/授權功能。", + "guid": "919ca0b2-c121-459e-814b-933df574eccc", + "link": "https://learn.microsoft.com/azure/app-service/overview-authentication-authorization", + "service": "App Services", "severity": "中等", - "text": "使用最新的 Azure 應用程式閘道 WAF 規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。", + "text": "使用已建立的身份提供程式進行身份驗證", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "App Gateway", - "severity": "中等", - "text": "添加診斷設置以保存 Azure 應用程式閘道 WAF 紀錄。", - "waf": "操作" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "將代碼從受控且受信任的環境(例如管理良好且安全的 DevOps 部署管道)部署到應用服務。這樣可以避免未經版本控制和驗證從惡意主機部署的代碼。", + "guid": "3f9bcbd4-6826-46ab-aa26-4f9a19aed9c5", + "link": "https://learn.microsoft.com/azure/app-service/deploy-best-practices", + "service": "App Services", + "severity": "高", + "text": "從受信任的環境部署", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "Front Door", - "severity": "中等", - "text": "添加診斷設置以保存 Azure Front Door WAF 紀錄。", - "waf": "操作" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service 
Review", + "description": "禁用 FTP/FTPS 和 WebDeploy/SCM 的基本身份驗證。 這將禁止訪問這些服務,並強制使用 Azure AD 安全終結點進行部署。 請注意,還可以使用 Azure AD 憑據打開 SCM 網站。", + "guid": "5d04c2c3-919c-4a0b-8c12-159e114b933d", + "link": "https://learn.microsoft.com/azure/app-service/deploy-configure-credentials#disable-basic-authentication", + "service": "App Services", + "severity": "高", + "text": "禁用基本身份驗證", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "92664c60-47e3-4591-8b1b-8d557656e686", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", - "service": "App Gateway", - "severity": "中等", - "text": "將 Azure 應用程式閘道 WAF 紀錄發送到 Microsoft Sentinel。", - "waf": "操作" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "如果可能,請使用託管標識連接到 Azure AD 受保護的資源。 如果無法做到這一點,請將機密存儲在 Key Vault 中,並改用託管標識連接到 Key Vault。", + "guid": "f574eccc-d9bd-43ba-bcda-3b54eb2eb03d", + "link": "https://learn.microsoft.com/azure/app-service/overview-managed-identity?tabs=portal%2Chttp", + "service": "App Services", + "severity": "高", + "text": "使用託管標識連接到資源", + "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "845f5f91-9c21-4674-a725-5ce890850e20", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "Front Door", - "severity": "中等", - "text": "將 Azure Front Door WAF 日誌發送到 Microsoft Sentinel。", - "waf": "操作" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "如果使用 Azure 容器註冊表中儲存的映像,請使用託管標識拉取這些映像。", + "guid": "d9a25827-18d2-4ddb-8072-5769ee6691a4", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-managed-identity-to-pull-image-from-azure-container-registry", + 
"service": "App Services", + "severity": "高", + "text": "使用託管標識拉取容器", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "通過配置應用服務的診斷設置,可以將所有遙測數據發送到Log Analytics,作為日誌記錄和監視的中心目標。這允許你監視應用服務的運行時活動,例如 HTTP 日誌、應用程式日誌、平臺日誌等。", + "guid": "47768314-c115-4775-a2ea-55b46ad48408", + "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs", + "service": "App Services", "severity": "中等", - "text": "將 Azure 應用程式閘道 WAF 設定定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。", - "waf": "操作" + "text": "將應用服務運行時日誌發送到Log Analytics", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", - "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "設置診斷設置,將活動日誌發送到Log Analytics,作為日誌記錄和監視的中心目標。這樣,你就可以監視應用服務資源本身上的控制平面活動。", + "guid": "ee72734b-475b-4a18-bdbf-590ce65de8e0", + "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", + "service": "App Services", "severity": "中等", - "text": "使用 WAF 策略而不是舊版 WAF 配置。", - "waf": "操作" + "text": "將應用服務活動日誌發送到Log Analytics", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", - "service": "App Gateway", + "arm-service": 
"microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "使用區域 VNet 集成、網路安全組和 UDR 的組合來控制出站網路訪問。 流量應路由到 NVA,例如 Azure 防火牆。 確保監控防火牆的日誌。", + "guid": "c12159e1-14b9-433d-b574-ecccd9bd3baf", + "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration", + "service": "App Services", "severity": "中等", - "text": "篩選後端中的入站流量,以便它們僅接受來自應用程式閘道子網的連接,例如使用NSG。", + "text": "應控制出站網路訪問", "waf": "安全" }, { - "arm-service": "microsoft.network/frontdoors", - "checklist": "Azure Application Delivery Networking", - "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", - "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", - "service": "Front Door", - "severity": "中等", - "text": "確保源僅從 Azure Front Door 實例獲取流量。", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "可以使用 VNet 集成並使用 VNet NAT 閘道或 NVA(如 Azure 防火牆)來提供穩定的出站 IP。 這允許接收方根據需要根據IP列出允許清單。 請注意,對於與 Azure 服務的通信,通常不需要依賴於 IP 位址,應改用服務終結點等機制。 (此外,在接收端使用專用終結點可避免發生 SNAT,並提供穩定的出站 IP 範圍。", + "guid": "cda3b54e-b2eb-403d-b9a2-582718d2ddb1", + "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration", + "service": "App Services", + "severity": "低", + "text": "確保與互聯網位址的出站通信具有穩定的IP", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", - "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "使用應用服務訪問限制、服務終結點或專用終結點的組合來控制入站網路訪問。對於 Web 應用本身和 SCM 網站,可能需要和配置不同的訪問限制。", + "guid": "0725769e-e669-41a4-a34a-c932223ece80", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", "severity": "高", - "text": "您應該對發往後端伺服器的流量進行加密。", + "text": "應控制入站網路訪問", 
"waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", - "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "使用 Web 應用程式防火牆(如應用程式閘道或 Azure Front Door)防範惡意入站流量。 請務必監控 WAF 的日誌。", + "guid": "b123071a-5416-4415-a33e-a3ad2c2de732", + "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints", + "service": "App Services", "severity": "高", - "text": "您應該使用 Web 應用程式防火牆。", + "text": "在應用服務前面使用 WAF", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", - "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", - "service": "App Gateway", - "severity": "中等", - "text": "將 HTTP 重定向到 HTTPS", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "確保僅鎖定對 WAF 的訪問,從而無法繞過 WAF。 結合使用訪問限制、服務終結點和專用終結點。", + "guid": "165c3acb-ef4a-4be1-b8d3-9fda47768314", + "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions", + "service": "App Services", + "severity": "高", + "text": "避免繞過 WAF", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", - "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "在應用服務配置中將最低 TLS 策略設置為 1.2。", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = 
(properties.MinTlsVersion>=1.2) | distinct id,compliant", + "guid": "c115775c-2ea5-45b4-9ad4-8408ee72734b", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions", + "service": "App Services", "severity": "中等", - "text": "使用閘道管理的 Cookie 將流量從使用者工作階段定向到同一伺服器進行處理", - "waf": "操作" + "text": "將最低 TLS 策略設置為 1.2", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", - "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "將應用服務配置為僅使用 HTTPS。 這會導致應用服務從 HTTP 重定向到 HTTPS。 強烈建議在代碼或 WAF 中使用 HTTP 嚴格傳輸安全性 (HSTS),這會通知瀏覽器只能使用 HTTPS 訪問網站。", + "graph": "where (type=='microsoft.web/sites' and (kind == 'app' or kind == 'app,linux' )) | extend compliant = (properties.httpsOnly==true) | distinct id,compliant", + "guid": "475ba18f-dbf5-490c-b65d-e8e03f9bcbd4", + "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https", + "service": "App Services", "severity": "高", - "text": "在計劃的服務更新期間啟用連接耗盡,以防止與後端池的現有 membr 的連接丟失", + "text": "僅使用 HTTPS", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", - "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", - "service": "App Gateway", - "severity": "低", - "text": "創建自訂錯誤頁面以顯示個人化的用戶體驗", - "waf": "操作" + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "不要在 CORS 配置中使用通配符,因為這允許所有源訪問服務(從而破壞 CORS 的目的)。具體而言,僅允許您希望能夠訪問服務的源。", + "guid": "68266abc-a264-4f9a-89ae-d9c55d04c2c3", + "link": "https://learn.microsoft.com/azure/app-service/app-service-web-tutorial-rest-api", + "service": "App 
Services", + "severity": "高", + "text": "不得將通配符用於 CORS", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", - "link": "https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "不得在生產環境中啟用遠端調試,因為這會在服務上打開其他埠,從而增加攻擊面。請注意,該服務會在 48 小時後自動轉為遠端調試。", + "graph": "appserviceresources | where type =~ 'microsoft.web/sites/config' | extend compliant = (properties.RemoteDebuggingEnabled == false) | distinct id,compliant", + "guid": "d9bd3baf-cda3-4b54-bb2e-b03dd9a25827", + "link": "https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings", + "service": "App Services", + "severity": "高", + "text": "關閉遠端調試", + "waf": "安全" + }, + { + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "啟用 Defender for App Service。 這(除其他威脅外)檢測與已知惡意IP位址的通信。 在操作過程中查看 Defender for App Service 中的建議。", + "guid": "18d2ddb1-0725-4769-be66-91a4834ac932", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-app-service-introduction", + "service": "App Services", "severity": "中等", - "text": "編輯 HTTP 請求和回應標頭,以便更輕鬆地在用戶端和伺服器之間進行路由和資訊交換", + "text": "啟用 Defender for Cloud - Defender for App Service", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", - "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "Azure 在其網路上提供 DDoS 基本保護,可以通過智慧 DDoS 標準功能進行改進,該功能可以瞭解正常的流量模式並檢測異常行為。DDoS 標準適用於虛擬網路,因此必須為應用前面的網路資源(例如應用程式閘道或 NVA)配置它。", + "guid": 
"223ece80-b123-4071-a541-6415833ea3ad", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "App Services", "severity": "中等", - "text": "配置 Front Door,通過快速全域故障轉移優化全球 Web 流量路由和頂級最終使用者性能和可靠性", - "waf": "性能" + "text": "在 WAF VNet 上啟用 DDOS 保護標準", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "29dcc19f-a8fa-4c35-8281-290577538793", - "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "如果使用 Azure 容器註冊表中儲存的映像,請使用其專用終結點和應用設置“WEBSITE_PULL_IMAGE_OVER_VNET”通過虛擬網络從 Azure 容器註冊表拉取這些映射。", + "guid": "2c2de732-165c-43ac-aef4-abe1f8d39fda", + "link": "https://learn.microsoft.com/azure/app-service/configure-custom-container#use-an-image-from-a-network-protected-registry", + "service": "App Services", "severity": "中等", - "text": "使用傳輸層負載平衡", - "waf": "性能" + "text": "通過虛擬網路拉取容器", + "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", - "link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "按照參與的滲透測試規則對 Web 應用程式進行滲透測試。", + "guid": "eb2eb03d-d9a2-4582-918d-2ddb10725769", + "link": "https://learn.microsoft.com/azure/security/fundamentals/pen-testing", + "service": "App Services", "severity": "中等", - "text": "根據主機名或域名為單個閘道上的多個 Web 應用程式配置路由", + "text": "進行滲透測試", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", - "link": 
"https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", - "service": "App Gateway", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "部署根據 DevSecOps 實踐驗證和掃描漏洞的受信任代碼。", + "guid": "19aed9c5-5d04-4c2c-9919-ca0b2c12159e", + "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/devsecops-in-azure", + "service": "App Services", "severity": "中等", - "text": "集中管理 SSL 證書,以減少後端伺服器場的加密和解密開銷", + "text": "部署經過驗證的代碼", "waf": "安全" }, { - "arm-service": "microsoft.network/applicationGateways", - "checklist": "Azure Application Delivery Networking", - "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", - "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", - "service": "App Gateway", - "severity": "低", - "text": "使用應用程式閘道對 WebSocket 和 HTTP/2 協定提供本機支援", + "arm-service": "microsoft.web/sites", + "checklist": "Azure App Service Review", + "description": "使用最新版本的受支援平臺、程式設計語言、協定和框架。", + "guid": "114b933d-f574-4ecc-ad9b-d3bafcda3b54", + "link": "https://learn.microsoft.com/azure/app-service/overview-patch-os-runtime", + "service": "App Services", + "severity": "高", + "text": "使用最新的平臺、語言、協定和框架", "waf": "安全" }, { 
@@ -5896,3101 +5821,3176 @@ "waf": "卓越運營" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", - "service": "Azure MySQL", - "severity": "中等", - "text": "利用靈活伺服器", - "waf": "可靠性" + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "a95b86ad-8840-48e3-9273-4b875ba18f20", + "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", + "service": "Azure Monitor", + "text": "Azure Monitor 中的數據收集規則 -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "成本" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", - "service": "Azure MySQL", - "severity": "高", - "text": "利用區域適用的可用區", - "waf": "可靠性" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "45901365-d38e-443f-abcb-d868266abca2", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", + "service": "Azure Backup", + "text": "檢查未找到底層數據源的備份實例", + "waf": "成本" }, { - "arm-service": "Microsoft.DBforMySQL/servers", - "checklist": "MySQL Review Checklist", - "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", - "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", - "service": "Azure MySQL", - "severity": "中等", - "text": "將數據傳入複製用於跨區域災難恢復方案", - "waf": "可靠性" + "arm-service": "Microsoft.Compute/virtualMachines", 
+ "checklist": "Cost Optimization Checklist", + "guid": "64f9a19a-f29c-495d-94c6-c7919ca0f6c5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", + "service": "VM", + "text": "刪除或存檔未關聯的服務(磁碟、網卡、IP 位址等)", + "waf": "成本" + }, + { + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "69bad37a-ad53-4cc7-ae1d-76667357c449", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", + "service": "Azure Backup", + "text": "考慮在網站恢復存儲和非任務關鍵型應用程式的備份之間取得良好的平衡", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "674b5ed8-5a85-49c7-933b-e2a1a27b765a", + "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", + "service": "Azure Monitor", + "text": "檢查 40 個不同 Log Analytics 工作區之間的支出和節省機會 - 對非生產工作區使用不同的保留和數據收集 - 創建每日上限以實現意識和層大小調整 - 如果確實設置了每日上限,除了在達到上限時創建警報外,請確保還創建警報規則,以便在達到某個百分比(例如 90%)時收到通知。- 如果可能,考慮工作空間改造 - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/understand-work-scopes", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Insights/components", + "checklist": "Cost Optimization Checklist", + "guid": "91be1f38-8ef3-494c-8bd4-63cbbac75819", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Azure Monitor", + "text": "強制執行清除日誌策略和自動化(如果需要,可以將記錄移至冷存儲)", + "training": "https://www.youtube.com/watch?v=nHQYcYGKuyw", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost 
Optimization Checklist", + "guid": "6aae01e6-a84d-4e5d-b36d-1d92881a1bd5", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "VM", + "text": "檢查磁碟是否確實需要,如果不是:刪除。如果需要,請尋找較低的儲存層或使用備份 -", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/manage-automation", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Storage/storageAccounts", + "checklist": "Cost Optimization Checklist", + "guid": "d1e44a19-659d-4395-afd7-7289b835556d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", + "service": "Storage", + "text": "考慮使用自定義規則將未使用的存儲移動到較低層 - https://learn.microsoft.com/azure/storage/blobs/lifecycle-management-policy-configure", + "training": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "d0102cac-6aae-401e-9a84-de5de36d1d92", + "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "VM", + "text": "確保 advisor 配置為適合 VM 大小調整", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "description": "通過在成本分析系統中搜索計量類別許可證進行檢查", + "guid": "59ae568b-a38d-4498-9e22-13dbd7bb012f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", + "service": "VM", + "text": "在所有 Windows VM 上運行腳本 https://learn.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing?ref=andrewmatveychuk.com#convert-an-existing-vm-using-azure-hybrid-benefit-for-windows-server - 如果頻繁創建 Windows VM,請考慮實施策略", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", 
+ "guid": "7b95e06e-158e-42ea-9992-c2de6e2065b3", + "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", + "service": "VM", + "text": "如果您已經擁有許可證,也可以將其置於 AHUB https://learn.microsoft.com/azure/virtual-machines/linux/azure-hybrid-benefit-linux?tabs=rhelpayg%2Crhelbyos%2CrhelEnablebyos%2Crhelcompliance", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "75c1e945-b459-4837-bf7a-e7c6d3b475a5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", + "service": "VM", + "text": "使用靈活性選項(不超過 4-5 個系列)整合保留的 VM 系列", + "training": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "c7acbe49-bbe6-44dd-a9f2-e87778468d55", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", + "service": "VM", + "text": "利用 Azure 預留實例:此功能允許將 VM 預留 1 年或 3 年,與 PAYG 價格相比,可顯著節省成本。", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a6bcca2b-4fea-41db-b3dd-95d48c7c891d", + "link": "https://learn.microsoft.com/azure/active-directory-domain-services/overview", + "service": "VM", + "text": "只能保留較大的磁碟 => 1 TiB -", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "cb1f7d57-59ae-4568-aa38-d4985e2213db", + "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", + "service": "VM", + "text": "調整大小優化后", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Sql/servers", + "checklist": "Cost Optimization 
Checklist", + "guid": "d7bb012f-7b95-4e06-b158-e2ea3992c2de", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "service": "Azure SQL", + "text": "檢查是否適用並強制執行策略/更改 https://learn.microsoft.com/azure/azure-sql/azure-hybrid-benefit?view=azuresql&tabs=azure-portalhttps://learn.microsoft.com/azure/cost-management-billing/scope-level/create-sql-license-assignments?source=recommendations", + "waf": "成本" + }, + { + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "6e2065b3-a76a-4f4a-991e-8839ada46667", + "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", + "service": "VM", + "text": "虛擬機 + 許可證部分折扣 (ahub + 3YRI) 約為 70% 的折扣", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "應用與存儲相關的 Microsoft 雲安全基準中的指導", - "guid": "d237de14-3b16-4c21-b7aa-9b64604489a8", - "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline", - "service": "Azure Storage", - "severity": "中等", - "text": "請考慮「存儲的 Azure 安全基線”", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "ccbd9792-a6bc-4ca2-a4fe-a1dbf3dd95d4", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "VM", + "text": "考慮使用 VMSS 來滿足需求,而不是按比例調整", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "默認情況下,Azure 儲存具有公共IP位址,並且可通過Internet訪問。專用終結點允許僅向需要訪問的 Azure 計算資源安全地公開 Azure 存儲,從而消除對公共 Internet 的暴露", - "guid": "f42d78e7-9d17-4a73-a22a-5a67e7a8ed4b", - "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", - "service": "Azure Storage", - "severity": "高", - "text": "考慮將專用終結點用於 Azure 存儲", - "waf": "安全" + 
"arm-service": "microsoft.containerservice/managedClusters", + "checklist": "Cost Optimization Checklist", + "guid": "c1b1cd52-1e54-4a29-a9de-39ac0e7c28dc", + "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "AKS", + "text": "使用 AKS 自動縮放程式符合群集使用方式(確保 Pod 要求與縮放程式符合)", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "新創建的存儲帳戶是使用ARM部署模型創建的,因此 RBAC、審核等都已啟用。確保訂閱中沒有具有經典部署模型的舊存儲帳戶", - "guid": "30e37c3e-2971-41b2-963c-eee079b598de", - "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", - "service": "Azure Storage", - "severity": "中等", - "text": "確保較舊的存儲帳戶未使用“經典部署模型”", - "waf": "安全" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "44be3b1a-27f8-4b9e-a1be-1f38df03a822", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", + "service": "Azure Backup", + "text": "將恢復點移至保管庫存檔(如果適用)(驗證)", + "training": "https://azure.microsoft.com/pricing/reservations/", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "利用 Microsoft Defender 瞭解可疑活動和錯誤配置。", - "guid": "fc5972cd-4cd2-41b0-a803-7f5e6b4bfd3d", - "link": "https://learn.microsoft.com/azure/storage/common/azure-defender-storage-configure", - "service": "Azure Storage", - "severity": "高", - "text": "為所有存儲帳戶啟用 Microsoft DefenderEnable Defender for all of your storage accounts", - "waf": "安全" + "arm-service": "Microsoft.Databricks/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "cd463cbb-bc8a-4c29-aebc-91a43da1dae2", + "link": "https://learn.microsoft.com/azure/databricks/clusters/cluster-config-best-practices#automatic-termination", + "service": "Databricks", + 
"text": "請考慮盡可能使用帶回退功能的現成 VM。考慮群集的自動終止。", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "軟刪除機制允許恢復意外刪除的 Blob。", - "guid": "503547c1-447e-4c66-828a-7100f1ce16dd", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-overview", - "service": "Azure Storage", - "severity": "中等", - "text": "為 blob 啟用“軟刪除”", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "cc881470-607c-41cc-a0e6-14658dd458e9", + "link": "https://learn.microsoft.com/azure/governance/policy/how-to/guest-configuration-create", + "service": "Azure Functions", + "text": "功能 - 重用連接", + "training": "https://learn.microsoft.com/azure/cost-management-billing/reservations/reservation-apis?toc=%2Fazure%2Fcost-management-billing%2Ftoc.json", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "請考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", - "guid": "3f1d5e87-2e52-4e36-81cc-58b4a4b1510e", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-blob-enable", - "service": "Azure Storage", - "severity": "中等", - "text": "禁用 blob 的“軟刪除”", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "27139b82-1102-4dbd-9eaf-11e6f843e52f", + "link": "https://learn.microsoft.com/azure/automation/update-management/overview", + "service": "Azure Functions", + "text": "函數 - 本地快取資料", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-compute-resources/", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "容器的軟刪除使你能夠在刪除容器后恢復容器,例如從意外刪除操作中恢復。", - "guid": "43a58a9c-2289-4c3d-9b57-d0c655462f2a", - "link": 
"https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-overview", - "service": "Azure Storage", - "severity": "高", - "text": "為容器啟用“軟刪除”", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "4722d928-c1b1-4cd5-81e5-4a29b9de39ac", + "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", + "service": "Azure Functions", + "text": "函數 - 冷啟動 - 使用“從包運行”功能。這樣,代碼將下載為單個 zip 檔。例如,這可以顯著改進具有大量節點模組的 Javascript 函數。使用特定於語言的工具來減小包大小,例如,搖樹 Javascript 應用程式。", + "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "請考慮有選擇地禁用某些 blob 容器的「軟刪除」 例如,如果應用程式必須確保立即刪除已刪除的資訊,例如出於機密性、隱私或合規性原因。", - "guid": "3e3453a3-c863-4964-ab65-2d6c15f51296", - "link": "https://learn.microsoft.com/azure/storage/blobs/soft-delete-container-enable", - "service": "Azure Storage", - "severity": "中等", - "text": "禁用容器的“軟刪除”", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "0e7c28dc-9366-4572-82bf-f4564b0d934a", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "Azure Functions", + "text": "功能 - 保持功能溫暖", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "通過強制使用者在刪除之前先刪除刪除鎖,防止意外刪除存儲帳戶", - "guid": "5398e6de-d227-4dd1-92b0-6c21d7999a64", - "link": "https://learn.microsoft.com/azure/storage/common/lock-account-resource", - "service": "Azure Storage", - "severity": "高", - "text": "在存儲帳戶上啟用資源鎖", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "359c363e-7dd6-4162-9a36-4a907ebae38e", + 
"link": "https://learn.microsoft.com/azure/governance/policy/overview", + "service": "Azure Functions", + "text": "使用具有不同功能的自動縮放時,可能會有一個資源驅動所有資源的所有自動縮放 - 請考慮將其移動到單獨的消耗計劃(並考慮更高的 CPU 計劃)", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "請考慮對 blob 使用“合法保留”或“基于時間的保留”策略,這樣就無法刪除 blob、容器或存儲帳戶。請注意,「不可能」實際上意味著「不可能」;存儲帳戶包含不可變 blob 後,「擺脫」該存儲帳戶的唯一方法是取消 Azure 訂閱。", - "guid": "6f4389a8-f42c-478e-98c0-6a73a22a4956", - "link": "https://learn.microsoft.com/azure/storage/blobs/immutable-storage-overview", - "service": "Azure Storage", - "severity": "高", - "text": "考慮不可變的 blob", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "ad53cc7d-e2e8-4aaa-a357-1549ab9153d8", + "link": "https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications-portal", + "service": "Azure Functions", + "text": "給定計劃中的函數應用都縮放在一起,因此縮放的任何問題都可能影響計劃中的所有應用。", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "請考慮禁用對存儲帳戶的未受保護的 HTTP/80 訪問,以便對所有數據傳輸進行加密、完整性保護,並對伺服器進行身份驗證。", - "guid": "e7a8dc4a-20e2-47c3-b297-11b1352beee0", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Azure Storage", - "severity": "高", - "text": "需要 HTTPS,即在儲存帳戶上禁用埠 80", - "waf": "安全" + "arm-service": "Microsoft.Web/sites", + "checklist": "Cost Optimization Checklist", + "guid": "9f89dc7b-44be-43b1-a27f-8b9e91be1f38", + "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups", + "service": "Azure Functions", + "text": "我需要為「等待時間」付費嗎?這個問題通常是在執行異步操作並等待結果的 C# 函數的上下文中提出的,例如 await Task.Delay(1000) 或 await client。GetAsync('http://google.com')。答案是肯定的 - GB 
秒計算基於函數的開始和結束時間以及該時間段內的記憶體使用方式。在這段時間內實際發生的CPU活動未計入計算。此規則的一個例外是,如果使用的是持久函數。您無需為在業務流程協調程式函數中等待所花費的時間付費。在可能的情況下應用需求塑造技術(開發環境?)https://github.com/Azure-Samples/functions-csharp-premium-scaler", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "在儲存帳戶上配置自定義域(主機名)時,請檢查是否需要 TLS/HTTPS;如果是這樣,可能需要將 Azure CDN 放在存儲帳戶的前面。", - "guid": "79b588de-fc49-472c-b3cd-21bf77036e5e", - "link": "https://learn.microsoft.com/azure/storage/blobs/storage-custom-domain-name", - "service": "Azure Storage", - "severity": "高", - "text": "強制實施 HTTPS(禁用 HTTP)時,請檢查是否未對儲存帳戶使用自定義域 (CNAME)。", - "waf": "安全" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "3da1dae2-cc88-4147-8607-c1cca0e61465", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "Front Door", + "text": "Frontdoor - 關閉預設主頁在應用的應用程式設置中,將 AzureWebJobsDisableHomepage 設置為 true。這將向PoP返回204(無內容),因此僅返回標頭數據。", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "當用戶端使用SAS令牌訪問 blob 資料時,要求使用 HTTPS 有助於將憑據丟失的風險降至最低。", - "guid": "6b4bed3d-5035-447c-8347-dc56028a71ff", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview", - "service": "Azure Storage", - "severity": "中等", - "text": "將共享訪問簽名 (SAS) 令牌限製為僅 HTTPS 連接", - "waf": "安全" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Cost Optimization Checklist", + "guid": "8dd458e9-2713-49b8-8110-2dbd6eaf11e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", + "service": "Front Door", + "text": "Frontdoor - 路由到不返回任何內容的內容。設置函數、函數代理,或在 WebApp 中添加返回 200 (OK) 且不發送內容或發送最少內容的路由。這樣做的好處是您可以在調用時註銷。", + "waf": "成本" }, { "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - 
"description": "在可能的情況下,AAD 令牌應優先於共用訪問簽名", - "guid": "e1ce15dd-3f0d-45e7-92d4-1e3611cc57b4", - "link": "https://learn.microsoft.com/azure/storage/common/authorize-data-access", - "service": "Azure Storage", - "severity": "高", - "text": "使用 Azure Active Directory (Azure AD) 令牌進行 blob 訪問", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "7e31c67d-68cf-46a6-8a11-94956d697dc3", + "link": "https://learn.microsoft.com/azure/architecture/best-practices/monitoring", + "service": "Storage", + "text": "考慮為使用較少的數據存檔層", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "將角色分配給使用者、組或應用程式時,請僅向該安全主體授予他們執行任務所需的許可權。限制對資源的訪問有助於防止無意和惡意濫用數據。", - "guid": "a4b1410d-4395-48a8-a228-9b3d6b57cfc6", - "service": "Azure Storage", - "severity": "中等", - "text": "IaM 許可權中的最低特權", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "a2ed27b2-d186-4f1a-8252-bddde68a487c", + "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", + "service": "VM", + "text": "檢查大小與層不匹配的磁碟大小(即 513 GiB 磁碟將支付 P30 (1TiB) 並考慮調整大小", + "waf": "成本" }, { "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "使用者委派 SAS 使用 Azure Active Directory (Azure AD) 憑據以及為 SAS 指定的許可權進行保護。使用者委派 SAS 在範圍和功能方面類似於服務 SAS,但比服務 SAS 具有安全優勢。", - "guid": "55461e1a-3e34-453a-9c86-39648b652d6c", - "link": "https://learn.microsoft.com/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#best-practices-when-using-sas", - "service": "Azure Storage", - "severity": "高", - "text": "使用 SAS 時,首選「使用者委派 SAS」,而不是基於存儲帳戶密鑰的 SAS。", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "dec4861b-c3bc-410a-b77e-26e4d5a3bec2", + "link": "https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", + "service": "Storage", + "text": "盡可能考慮使用標準 
SSD,而不是 Premium 或 Ultra", + "waf": "成本" }, { "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "存儲帳戶金鑰(“共用金鑰”)幾乎沒有審核功能。雖然可以監控誰/何時獲取密鑰副本,但一旦密鑰掌握在多個人手中,就不可能將使用方式歸因於特定使用者。僅依靠 AAD 身份驗證可以更輕鬆地將存儲存取許可權綁定到使用者。", - "guid": "15f51296-5398-4e6d-bd22-7dd142b06c21", - "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", - "service": "Azure Storage", - "severity": "高", - "text": "請考慮禁用存儲帳戶密鑰,以便僅支援 AAD 訪問(和使用者委派 SAS)。", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "c4e2436b-1336-4db5-9f17-960eee0bdf5c", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", + "service": "Storage", + "text": "對於存儲帳戶,請確保所選層不會增加事務費用(移動到下一層可能會更便宜)", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "使用活動日誌數據來標識查看或更改存儲帳戶安全性的“時間”、“人員”、“內容”和“方式”(即存儲帳戶密鑰、訪問策略等)。", - "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", - "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", - "service": "Azure Storage", - "severity": "高", - "text": "請考慮使用 Azure Monitor 審核存儲帳戶上的控制平面操作", - "waf": "安全" + "arm-service": "Microsoft.RecoveryServices/vaults", + "checklist": "Cost Optimization Checklist", + "guid": "c2efc5d7-61d4-41d2-900b-b47a393a040f", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", + "service": "Site Recovery", + "text": "對於 ASR,如果 RPO/RTO 和複製輸送量允許,請考慮使用標準 SSD 磁碟", + "waf": "成本" }, { "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "通過金鑰過期策略,您可以設置帳戶訪問金鑰輪換的提醒。如果指定的時間間隔已過且鍵尚未旋轉,則會顯示提醒。", - "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", - "link": 
"https://learn.microsoft.com/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#create-a-key-expiration-policy", - "service": "Azure Storage", - "severity": "中等", - "text": "使用存儲帳戶密鑰時,請考慮啟用“金鑰過期策略”", - "waf": "安全" + "checklist": "Cost Optimization Checklist", + "guid": "d3294798-b118-48b2-a5a4-6ceb544451e1", + "link": "https://learn.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery", + "service": "Storage", + "text": "存儲帳戶:檢查熱層和/或 GRS 必填", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS 過期策略指定 SAS 有效的建議時間間隔。SAS 過期策略適用於服務 SAS 或帳戶 SAS。當使用者生成的服務 SAS 或帳戶 SAS 的有效期間隔大於建議的時間間隔時,他們會看到警告。", - "guid": "352beee0-79b5-488d-bfc4-972cd3cd21bf", - "link": "https://learn.microsoft.com/azure/storage/common/sas-expiration-policy", - "service": "Azure Storage", - "severity": "中等", - "text": "考慮配置 SAS 過期策略", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "92d34429-3c76-4286-97a5-51c5b04e4f18", + "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", + "service": "VM", + "text": "磁碟 - 驗證高級 SSD 磁碟在任何地方的使用方式:例如,非生產磁碟可以交換到標準 SSD 或按需高級 SSD", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "存儲存取策略提供了撤銷服務 SAS 許可權的選項,而無需重新生成儲存帳戶密鑰。", - "guid": "77036e5e-6b4b-4ed3-b503-547c1347dc56", - "link": "https://learn.microsoft.com/rest/api/storageservices/define-stored-access-policy", - "service": "Azure Storage", - "severity": "中等", - "text": "考慮將 SAS 連結到儲存存取策略", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "54387e5c-ed12-46cd-832a-f5b2fc6998a5", + "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", + "service": "Synapse", + "text": "創建預算以管理成本並創建警報,自動通知利益相關者支出異常和超支風險。", + "waf": "成本" }, { 
- "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "028a71ff-e1ce-415d-b3f0-d5e772d41e36", - "link": "https://microsoft.github.io/code-with-engineering-playbook/continuous-integration/dev-sec-ops/secret-management/recipes/detect-secrets-ado/", - "service": "Azure Storage", - "severity": "中等", - "text": "請考慮配置應用程式的原始程式碼儲存庫,以檢測簽入的連接字串和存儲帳戶密鑰。", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "35e33789-7e31-4c67-b68c-f6a62a119495", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "Synapse", + "text": "將成本數據匯出到存儲帳戶以進行其他數據分析。", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "理想情況下,應用程式應使用託管標識向 Azure 儲存進行身份驗證。如果無法做到這一點,請考慮在 Azure KeyVault 或等效服務中使用存儲憑據(連接字串、存儲帳戶密鑰、SAS、服務主體憑據)。", - "guid": "11cc57b4-a4b1-4410-b439-58a8c2289b3d", - "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-storage-keys", - "service": "Azure Storage", - "severity": "高", - "text": "請考慮將連接字串儲存在 Azure KeyVault 中(在無法實現託管標識的情況下)", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "6d697dc3-a2ed-427b-8d18-6f1a1252bddd", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Synapse", + "text": "通過在不使用資源時暫停資源來控制專用 SQL 池的成本。", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "在臨時 SAS 服務 SAS 或帳戶 SAS 上使用近期過期時間。這樣,即使 SAS 遭到入侵,它也只能在很短的時間內有效。如果無法引用存儲訪問策略,則此做法尤為重要。近期過期時間還通過限制可上傳到 blob 的時間來限制可寫入 blob 的數據量。", - "guid": "27138b82-1102-4cac-9eae-01e6e842e52f", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "高", - "text": "爭取縮短臨時 SAS 
的有效期", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "e68a487c-dec4-4861-ac3b-c10ae77e26e4", + "link": "https://learn.microsoft.com/azure/virtual-machine-scale-sets/overview", + "service": "Synapse", + "text": "啟用無伺服器 Apache Spark 自動暫停功能,並相應地設置超時值。", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "創建 SAS 時,請盡可能具體和嚴格。首選單個資源和操作的 SAS,而不是提供更廣泛訪問許可權的 SAS。", - "guid": "4721d928-c1b1-4cd5-81e5-4a29a9de399c", - "link": "https://learn.microsoft.com/rest/api/storageservices/delegate-access-with-shared-access-signature", - "service": "Azure Storage", - "severity": "中等", - "text": "將窄範圍應用於SAS", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "d5a3bec2-c4e2-4436-a133-6db55f17960e", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Synapse", + "text": "創建多個不同大小的 Apache Spark 池定義。", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS 可以包含用戶端 IP 位址或位址範圍有權使用 SAS 請求資源的參數。", - "guid": "fd7b28dc-9355-4562-82bf-e4564b0d834a", - "link": "https://learn.microsoft.com/rest/api/storageservices/create-account-sas", - "service": "Azure Storage", - "severity": "中等", - "text": "盡可能考慮將SAS的範圍限定為特定的用戶端IP位址", - "waf": "安全" + "arm-service": "Microsoft.Synapse/workspaces", + "checklist": "Cost Optimization Checklist", + "guid": "ee0bdf5c-c2ef-4c5d-961d-41d2500bb47a", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-groups-in-the-azure-landing-zone-accelerator", + "service": "Synapse", + "text": "使用預購計劃購買為期一年的 Azure Synapse 提交單元 (SCU),以節省 Azure Synapse Analytics 成本。", + "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "SAS 無法限制用戶端上傳的數據量;考慮到存儲量隨時間變化的定價模型,驗證用戶端是否惡意上傳了大量內容可能是有意義的。", - "guid": "348b263e-6dd6-4051-8a36-498f6dbad38e", - "service": "Azure Storage", - "severity": "低", - "text": "請考慮在用戶端使用SAS上傳檔后檢查上傳的數據。", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "393a040f-d329-4479-ab11-88b2c5a46ceb", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "VM", + "text": "將現成 VM 用於可中斷作業:這些 VM 可以以折扣價競標和購買,為非關鍵工作負載提供經濟高效的解決方案。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "使用「本地使用者帳戶」通過 SFTP 訪問 Blob 儲存時,“通常”RBAC 控制不適用。通過 NFS 或 REST 進行的 Blob 訪問可能比 SFTP 訪問更嚴格。遺憾的是,截至 2023 年初,本地使用者是 SFTP 端點當前支援的唯一身份管理形式", - "guid": "ad53cc7c-e1d7-4aaa-a357-1449ab8053d8", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", - "service": "Azure Storage", - "severity": "高", - "text": "SFTP:限制 SFTP 訪問的「本地使用者」數量,並審核一段時間內是否需要訪問。", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "544451e1-92d3-4442-a3c7-628637a551c5", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "VM", + "text": "合理調整所有 VM 的大小", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "9f89dc7b-33be-42a1-a27f-7b9e91be1f38", - "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-known-issues#authentication-and-authorization", - "service": "Azure Storage", - 
"severity": "中等", - "text": "SFTP:SFTP 端點不支持類似 POSIX 的 ACL。", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "b04e4f18-5438-47e5-aed1-26cd032af5b2", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "VM", + "text": "將 VM 大小與規範化大小和最新大小交換", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "存儲支援 CORS(跨域資源分享),即一種 HTTP 功能,使來自不同域的 Web 應用程式能夠放寬同源策略。啟用 CORS 時,請將 CorsRules 保留為最低許可權。", - "guid": "cef39812-bd46-43cb-aac8-ac199ebb91a3", - "link": "https://learn.microsoft.com/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services", - "service": "Azure Storage", - "severity": "高", - "text": "避免過於寬泛的 CORS 策略", - "waf": "安全" + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "fc6998a5-35e3-4378-a7e3-1c67d68cf6a6", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "調整 VM 大小 - 從低於 5% 的監視使用率開始,然後工作到 40%", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "成本" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "靜態數據始終在伺服器端加密,此外也可能在用戶端加密。伺服器端加密可能使用平臺管理的金鑰(預設)或客戶管理的金鑰進行。用戶端加密可以通過讓用戶端按 blob 向 Azure 儲存提供加密/解密金鑰,或者完全在用戶端處理加密來實現。因此,完全不依賴 Azure 存儲來保證機密性。", - "guid": "3d90cae2-cc88-4137-86f7-c0cbafe61464", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", - "service": "Azure Storage", + "arm-service": "Microsoft.Compute/virtualMachines", + "checklist": "Cost Optimization Checklist", + "guid": "2a119495-6d69-47dc-9a2e-d27b2d186f1a", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "VM", + "text": "容器化應用程式可以提高 VM 密度並節省擴展成本", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "成本" + }, + { + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "65285269-440b-44be-9d3e-0844276d4bdc", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy", + "service": "Redis", "severity": "高", - "text": "確定應如何加密靜態數據。了解數據的線程模型。", - "waf": "安全" + "text": "為 Azure Cache for Redis 啟用區域冗餘。Azure Cache for Redis 支持高級層和企業層中的區域冗餘配置。區域冗餘緩存可以將其節點放置在同一區域的不同 Azure 可用性區域中。它消除了作為單點故障的數據中心或可用區中斷,並提高了緩存的整體可用性。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "8dd457e9-2713-48b8-8110-2cac6eae01e6", - "link": "https://learn.microsoft.com/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json", - "service": "Azure Storage", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "bc178bdc-5a06-4ca7-8443-51e19dd34429", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#persistence", + "service": "Redis", "severity": "中等", - "text": "確定應使用哪種/是否應使用平臺加密。", - "waf": "安全" + "text": "為 Azure Cache for Redis 實例配置數據持久性。由於緩存數據存儲在記憶體中,因此多個節點的罕見和計劃外故障可能會導致所有數據被丟棄。為了避免完全丟失數據,Redis 持久性允許您定期拍攝記憶體中數據的快照,並將其存儲到存儲帳戶中。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "guid": "e842e52f-4721-4d92-ac1b-1cd521e54a29", - "link": "https://learn.microsoft.com/azure/storage/blobs/encryption-customer-provided-keys", - "service": "Azure Storage", + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": 
"eb722823-7a15-41c5-ab4e-4f1814387e5c", + "link": "https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-high-availability#storage-account-for-persistence", + "service": "Redis", "severity": "中等", - "text": "確定應使用哪種/是否應使用用戶端加密。", - "waf": "安全" + "text": "使用異地冗餘存儲帳戶保留 Azure Cache for Redis 數據,或在異地冗餘不可用的情況下使用區域冗餘", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Blob Storage Review", - "description": "利用 Resource Graph 資源管理器(資源 | where type == 'microsoft.storage/storageaccounts' | where properties['allowBlobPublicAccess'] == true)查找允許匿名 blob 訪問的存儲帳戶。", - "guid": "659ae558-b937-4d49-a5e1-112dbd7ba012", - "link": "https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#allow-or-disallow-public-read-access-for-a-storage-account", - "service": "Azure Storage", - "severity": "高", - "text": "考慮是否需要公共 blob 訪問,或者是否可以對某些存儲帳戶禁用公共 blob 訪問。", - "waf": "安全" + "arm-service": "microsoft.cache/redis", + "checklist": "Redis Resiliency checklist", + "guid": "a8c26c9b-32ab-45bd-bc69-98a135e33789", + "link": "https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-geo-replication", + "service": "Redis", + "severity": "中等", + "text": "為高級 Azure Cache for Redis 實例配置被動異地複製。異地複製是一種用於連結兩個或多個 Azure Cache for Redis 實例的機制,通常跨越兩個 Azure 區域。異地複製主要用於跨區域災難恢復。兩個高級層緩存實例通過異地複製進行連接,從而提供對主緩存的讀取和寫入,並將數據複製到輔助緩存。", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "70c15989-c726-42c7-b0d3-24b7375b9201", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/considerations-recommendations", - "service": "Entra", + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "6ad48408-ee72-4734-a476-ba28fdcf590c", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot", + "service": "Bot service", "severity": "中等", - "text": "使用一個 Entra 租戶來管理 Azure 
資源,除非你對多租戶有明確的法規或業務要求。", - "waf": "操作" + "text": "遵循 Azure 機器人服務中的可靠性支持建議", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "6309957b-821a-43d1-b9d9-7fcf1802b747", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/automation", - "service": "Entra", - "severity": "低", - "text": "使用多租戶自動化方法管理 Microsoft Entra ID 租戶。", - "waf": "操作" + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "e65de8e1-3f9c-4cbd-9682-66abca264f9a", + "link": "https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-concept-regionalization", + "service": "Bot service", + "severity": "中等", + "text": "部署具有本地數據駐留和區域合規性的機器人", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "78e11934-499a-45ed-8ef7-aae5578f0ecf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/multi-tenant/lighthouse", - "service": "Entra", - "severity": "高", - "text": "使用具有相同 ID 的 Azure Lighthouse 進行多租戶管理。", - "training": "https://learn.microsoft.com/azure/lighthouse/concepts/cross-tenant-management-experience", - "waf": "操作" + "arm-service": "Microsoft.BotService/botServices", + "checklist": "Azure Bot Service", + "guid": "19bfe9d5-5d04-4c3c-9919-ca1b2d1215ae", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-bot#cross-region-disaster-recovery-in-multi-region-geography", + "service": "Bot service", + "severity": "中等", + "text": "Azure 機器人服務在全域和區域服務的主動-主動模式下運行。發生中斷時,無需檢測錯誤或管理服務。Azure 機器人服務在多區域地理體系結構中自動執行自動故障轉移和自動恢復。對於歐盟機器人區域服務,Azure 機器人服務在歐洲境內提供兩個完整區域,並提供主動/主動複製,以確保冗餘。對於全球機器人服務,所有可用的區域/地理位置都可以作為全球足跡。", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "5d82e6df-6f61-42f2-82e2-3132d293be3d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", - 
"service": "Entra", - "severity": "高", - "text": "如果向合作夥伴授予管理租戶的訪問許可權,請使用 Azure Lighthouse。", - "waf": "成本" + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "f00a69de-7076-4734-a734-6e4552cad9e1", + "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-latest-version-for-customer-managed-certificates", + "service": "Front Door", + "severity": "中等", + "text": "如果將客戶管理的 TLS 證書用於 Azure Front Door,請使用“最新”證書版本。降低手動證書續訂導致的中斷風險", + "waf": "操作" }, { - "checklist": "Azure Landing Zone Review", - "guid": "348ef254-c27d-442e-abba-c7571559ab91", - "link": "https://learn.microsoft.com/azure/role-based-access-control/overview", - "service": "Entra", - "severity": "高", - "text": "強制實施與雲操作模型相符的 RBAC 模型。跨管理組和訂閱確定範圍和分配。", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant", + "guid": "553585a6-abe0-11ed-afa1-0242ac120002", + "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", + "service": "App Gateway", + "severity": "中等", + "text": "確保使用應用程式閘道 v2 SKU", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "12e7f983-f630-4472-8dd6-9c5b5c2622f5", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", - "service": "Entra", - "severity": "高", - "text": "僅對所有帳戶類型使用身份驗證類型「工作或學校帳戶」。避免使用 Microsoft 帳戶", - "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", + "arm-service": 
"Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')", + "guid": "4e35fbf5-0ae2-48b2-97ce-753353edbd1a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "Load Balancer", + "severity": "中等", + "text": "請確保對 Azure 負載均衡器使用標準 SKU", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4b69bad3-3aad-45e8-a68e-1d76667313b4", - "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", - "service": "Entra", + "arm-service": "Microsoft.Network/loadBalancers", + "checklist": "Azure Application Delivery Networking", + "guid": "9432621a-8397-4654-a882-5bc856b7ef83", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-standard-availability-zones", + "service": "Load Balancer", "severity": "中等", - "text": "僅使用組來分配許可權。如果已建立組管理系統,則將本地組添加到僅 Entra ID 組。", - "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", + "text": "確保負載均衡器前端IP位址是區域冗餘的(除非需要區域前端)。", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "53e8908a-e28c-484c-93b6-b7808b9fe5c4", - "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", - "service": "Entra", - "severity": "高", - "text": "對有權訪問 Azure 環境的任何用戶強制實施 Microsoft Entra ID 條件訪問策略。", - "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project 
id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant", + "guid": "dfc50f87-3800-424c-937b-ed5f186e7c15", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", + "service": "App Gateway", + "severity": "中等", + "text": "應用程式閘道 v2 應部署在IP前綴等於或大於 /24 的子網中", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1049d403-a923-4c34-94d0-0018ac6a9e01", - "link": "https://learn.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks", - "service": "Entra", - "severity": "高", - "text": "對有權訪問 Azure 環境的任何使用者強制實施多重身份驗證。", - "training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "description": "一般而言,反向代理(尤其是 WAF)的管理更接近應用程式,而不是網路,因此它們與應用程式屬於同一訂閱。如果應用程式閘道和 WAF 由一個團隊管理,則在連接訂閱中集中管理應用程式閘道和 WAF 可能是可以的。", + "guid": "48b662d6-d15f-4512-a654-98f6dfe237de", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", + "severity": "中等", + "text": "部署 Azure 應用程式閘道 v2 或合作夥伴 NVA,用於在登陸區域虛擬網路中代理入站 HTTP(S) 連接,並與其保護的應用一起使用。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "14658d35-58fd-4772-99b8-21112df27ee4", - "link": 
"https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure", - "service": "Entra", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f109e1f3-c79b-4f14-82de-6b5c22314d08", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "App Gateway", "severity": "中等", - "text": "強制實施 Microsoft Entra ID 特權標識管理 (PIM) 以建立零長期訪問許可權和最低特權。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "text": "對應用程式登陸區域中的所有公共IP位址使用 DDoS 網路或IP保護計畫。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8b9fe5c4-1049-4d40-9a92-3c3474d00018", - "link": "https://learn.microsoft.com/en-us/entra/identity/domain-services/overview", - "service": "Entra", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant", + "guid": "135bf4ac-f9db-461f-b76b-2ee9e30b12c0", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant", + "service": "App Gateway", "severity": "中等", - "text": "如果計劃從 Active Directory 域服務切換到 Entra 域服務,請評估所有工作負載的相容性。", - "training": "https://learn.microsoft.com/learn/modules/implement-hybrid-identity-windows-server/", - "waf": "安全" + "text": "配置自動縮放,最小實例數為 2。", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "可靠性" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1cf0b8da-70bd-44d0-94af-8d99cfc89ae1", - "link": 
"https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", - "service": "Entra", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "graph": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant", + "guid": "060c6964-52b5-48db-af8b-83e4b2d85349", + "link": "https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2", + "service": "App Gateway", "severity": "中等", - "text": "將 Microsoft Entra ID 日誌與平臺為中心的 Azure Monitor 集成。Azure Monitor 允許圍繞 Azure 中的日誌和監視數據提供單一事實來源,為組織提供雲原生選項,以滿足日誌收集和保留方面的要求。", - "waf": "安全" + "text": "跨可用性區域部署應用程式閘道", + "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/", + "waf": "可靠性" }, { - "ammp": true, - "checklist": "Azure Landing Zone Review", - "guid": "984a859c-773e-47d2-9162-3a765a917e1f", - "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", - "service": "Entra", - "severity": "高", - "text": "實施緊急訪問或打破玻璃帳戶,以防止租戶範圍的帳戶鎖定。", - "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "e79d17b7-3b22-4a5a-97e7-a8ed4b30e38c", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Front Door", + "severity": "中等", + "text": "將 Azure Front Door 與 WAF 策略結合使用,以交付並幫助保護跨多個 Azure 區域的全球 HTTP/S 應用。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "35037e68-9349-4c15-b371-228514f4cdff", - "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", - "service": "Entra", + "arm-service": "microsoft.network/frontdoors", + 
"checklist": "Azure Application Delivery Networking", + "guid": "3f29812b-2363-4cef-b179-b599de0d5973", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "Front Door", "severity": "中等", - "text": "請勿使用本地同步帳戶進行 Microsoft Entra ID 角色分配,除非你有特別需要它的方案。", - "training": "https://learn.microsoft.com/learn/modules/design-identity-security-strategy/", + "text": "使用 Front Door 和應用程式閘道幫助保護 HTTP/S 應用時,請在 Front Door 中使用 WAF 策略。鎖定應用程式閘道以僅接收來自 Front Door 的流量。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d5d1e4e6-1465-48d3-958f-d77249b82111", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", + "ammp": true, + "arm-service": "microsoft.network/trafficManagerProfiles", + "checklist": "Azure Application Delivery Networking", + "guid": "cd4cd21b-0881-437f-9e6c-4cfd3e504547", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "Traffic Manager", + "severity": "高", + "text": "使用流量管理器交付跨 HTTP/S 以外的協定的全域應用。", + "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "waf": "可靠性" + }, + { + "checklist": "Azure Application Delivery Networking", + "guid": "3b4b3e88-a459-4ed5-a22f-644dfbc58204", + "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "Entra", - "severity": "中等", - "text": "使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對應用程式的訪問許可權時,請將其作為平臺資源進行管理,因為每個租戶只能有一個實例。", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "severity": "低", + "text": "如果使用者只需要存取內部應用程式,Microsoft Entra ID 應用程式代理是否被視為 Azure 虛擬桌面 (AVD) 的替代方案?", + "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", "waf": "安全" }, { - "arm-service": 
"Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "e8bbac75-7155-49ab-a153-e8908ae28c84",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/network-topology-and-connectivity",
- "service": "VNet",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "01ca7cf1-5754-442d-babb-8ba6772e5c30",
+ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works",
+ "service": "Entra",
 "severity": "中等",
- "text": "對於需要最大靈活性的網路方案,請使用中心輻射型網路拓撲。",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "text": "若要減少為網路中的傳入連接打開的防火牆埠數,請考慮使用 Microsoft Entra ID 應用程式代理為遠端使用者提供對內部應用程式的安全和經過身份驗證的訪問。",
+ "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "7dd61623-a364-4a90-9eca-e48ebd54cd7d",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology",
- "service": "VNet",
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
+ "guid": "ae248989-b306-4591-9186-de482e3f0f0e",
+ "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "Front Door",
 "severity": "高",
- "text": "在中心虛擬網路中部署共用網路服務,包括 ExpressRoute 閘道、VPN 閘道和 Azure 防火牆或合作夥伴 NVA。如有必要,還可以部署 DNS 服務。",
- "waf": "成本"
+ "text": "在「預防」模式下部署 Front Door 的 WAF 策略,以便 Web 應用程式防火牆採取適當的措施來允許或拒絕流量。",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "143b16c3-1d7a-4a9b-9470-4489a8042d88",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
- "service": "VNet",
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "062d5839-4d36-402f-bfa4-02811eb936e9",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door",
+ "service": "Front Door",
 "severity": "高",
- "text": "對應用程式登陸區域中的所有公共IP位址使用 DDoS 網路或IP保護計畫。",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "避免結合使用 Azure 流量管理器和 Azure Front Door。",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Compute/virtualMachines",
- "checklist": "Azure Landing Zone Review",
- "guid": "e2e8abac-3571-4559-ab91-53e89f89dc7b",
- "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/nva-ha",
- "service": "NVA",
- "severity": "中等",
- "text": "部署合作夥伴網路技術或 NVA 時,請遵循合作夥伴供應商的指導。",
- "waf": "可靠性"
- },
- {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "ce463dbb-bc8a-4c2a-aebc-92a43da1dae2",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager#to-enable-transit-routing-between-expressroute-and-azure-vpn",
- "service": "ExpressRoute",
- "severity": "低",
- "text": "如果需要在中心輻射型方案中在 ExpressRoute 和 VPN 閘道之間傳輸,請使用 Azure 路由伺服器。",
+ "ammp": true,
+ "arm-service": 
"microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "5efeb96a-003f-4b18-8fcd-b4d84459c2b2",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin",
+ "service": "Front Door",
+ "severity": "高",
+ "text": "在 Azure Front Door 和源上使用相同的功能變數名稱。主機名不匹配可能會導致細微的錯誤。",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/virtualHubs",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant",
- "guid": "91b9d7d5-91e1-4dcb-8f1f-fa7e465646cc",
- "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1",
- "service": "ARS",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant",
+ "guid": "0b5a380c-4bfb-47bc-b1d7-dcfef363a61b",
+ "link": 
"https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group",
+ "service": "Front Door",
 "severity": "低",
- "text": "如果使用路由伺服器,請對路由伺服器子網使用 /27 前置綴。",
- "waf": "安全"
- },
- {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "cc881471-607c-41cc-a0e6-14658dd558f9",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-faq#can-i-create-a-peering-connection-to-a-vnet-in-a-different-region",
- "service": "VNet",
- "severity": "中等",
- "text": "對於跨 Azure 區域具有多個中心輻射型拓撲的網路體系結構,請在中心 VNet 之間使用全域虛擬網路對等互連將區域相互連接。",
- "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-virtual-networks/",
+ "text": "當 Azure Front Door 源組中只有一個源時,禁用運行狀況探測。",
 "waf": "性能"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "4722d929-c1b1-4cd6-81f5-4b29bade39ad",
- "link": "https://learn.microsoft.com/azure/azure-monitor/insights/network-insights-overview",
- "service": "VNet",
- "severity": "中等",
- "text": "使用用於網路的 Azure Monitor 監視 Azure 上網路的端到端狀態。",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/",
- "waf": "操作"
- },
- {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant",
- "guid": "0e7c28ec-9366-4572-83b0-f4664b1d944a",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
- "service": "VNet",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": 
"5567048e-e5d7-4206-9c55-b5ed45d2cc0c",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints",
+ "service": "Front Door",
 "severity": "中等",
- "text": "如果一個區域中有超過 400 個分支網路,請部署一個額外的中心,以繞過 VNet 對等互連限制 (500) 和可通過 ExpressRoute 播發的最大前綴數 (1000)。",
+ "text": "為 Azure Front Door 選擇良好的運行狀況探測終結點。請考慮構建用於檢查應用程式的所有依賴項的運行狀況終結點。",
 "waf": "可靠性"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant",
- "guid": "3d457936-e9b7-41eb-bdff-314b26450b12",
- "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits",
- "service": "VNet",
- "severity": "中等",
- "text": "將每個路由表的路由數限制為 400 個。",
- "waf": "可靠性"
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId",
+ "guid": "a13f72f3-8f5c-4864-95e5-75bf37fbbeb1",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes",
+ "service": "Front Door",
+ "severity": "低",
+ "text": "將 HEAD 運行狀況探測與 Azure Front Door 配合使用,以減少 Front Door 發送到應用程式的流量。",
+ "waf": "性能"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, 
peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)",
- "guid": "c76cb5a2-abe2-11ed-afa1-0242ac120002",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering",
- "service": "VNet",
+ "ammp": true,
+ "arm-service": "Microsoft.Network/loadBalancers",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant",
+ "guid": "97a2fd46-64b0-1dfa-b72d-9c8869496d75",
+ "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity",
+ "service": "Load Balancer",
 "severity": "高",
- "text": "配置 VNet 對等互連時,請使用「允許流量流向遠端虛擬網路」設置。",
+ "text": "使用 Azure NAT 閘道而不是負載均衡器出站規則來提高 SNAT 可伸縮性",
 "waf": "可靠性"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "de0d5973-cd4c-4d21-a088-137f5e6c4cfd",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-macsec",
- "service": "ExpressRoute",
- "severity": "中等",
- "text": "使用 ExpressRoute Direct 時,請配置 MACsec,以便加密組織路由器和 MSEE 之間的第二層級別的流量。該圖顯示了流中的此加密。",
- "waf": "安全"
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId",
+ "guid": "af95c92d-d723-4f4a-98d7-8722324efd4d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates",
+ "service": "Front Door",
+ 
"severity": "高",
+ "text": "將託管 TLS 證書與 Azure Front Door 配合使用。降低運營成本和因證書續訂而導致的停機風險。",
+ "waf": "操作"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "ed301d6e-872e-452e-9611-cc58b5a4b151",
- "link": "https://learn.microsoft.com/azure/vpn-gateway/site-to-site-vpn-private-peering",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "189ea962-3969-4863-8f5a-5ad808c2cf4b",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code",
+ "service": "Front Door",
 "severity": "中等",
- "text": "對於無法使用MACsec的情況(例如,不使用ExpressRoute Direct),請使用 VPN 閘道通過 ExpressRoute 專用對等互連建立 IPsec 隧道。",
- "training": "https://learn.microsoft.com/learn/paths/implement-network-security/",
- "waf": "安全"
+ "text": "將 Azure Front Door WAF 配置定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。",
+ "waf": "操作"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "558fd772-49b8-4211-82df-27ee412e7f98",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "ExpressRoute",
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "2e30abab-5478-417c-81bf-bf1ad4ed1ed4",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-end-to-end-tls",
+ "service": "Front Door",
 "severity": "高",
- "text": "確保在 Azure 區域和本地位置之間不使用重疊的 IP 位址空間。",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "text": "將端到端 TLS 與 Azure Front Door 配合使用。使用 TLS 建立從用戶端到 Front Door 的連接,以及從 Front Door 到源的連接。",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": 
"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr",
- "guid": "3f630472-2dd6-49c5-a5c2-622f54b69bad",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "VNet",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "10aa45af-166f-44c4-9f36-b6d592dac2ca",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-http-to-https-redirection",
+ "service": "Front Door",
 "severity": "中等",
- "text": "使用專用 Internet 的位址分配範圍中的 IP 位址 (RFC 1918)。",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "text": "將 HTTP 到 HTTPS 重定向與 Azure Front Door 配合使用。通過自動將舊用戶端重定向到 HTTPS 請求來支持它們。",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant",
- "guid": "33aad5e8-c68e-41d7-9667-313b4f5664b5",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing",
- "service": "VNet",
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ 
"checklist": "Azure Application Delivery Networking",
+ "guid": "28b9ee82-b2c7-45aa-bc98-6de6f59a095d",
+ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf",
+ "service": "Front Door",
 "severity": "高",
- "text": "確保不會浪費IP位址空間,不要創建不必要的大型虛擬網路(例如/16)。",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
- "waf": "性能"
+ "text": "啟用 Azure Front Door WAF。保護您的應用程式免受一系列攻擊。",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "f348ef25-4c27-4d42-b8bb-ac7571559ab9",
- "link": "https://learn.microsoft.com/azure/site-recovery/concepts-on-premises-to-azure-networking#retain-ip-addresses",
- "service": "VNet",
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "2902d8cc-1b0c-4495-afad-624ab70f7bd6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf",
+ "service": "Front Door",
 "severity": "高",
- "text": "請勿對生產網站和災難恢復網站使用重疊的IP位址範圍。",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
- "waf": "可靠性"
- },
- {
- "arm-service": "Microsoft.Network/dnsZones",
- "checklist": "Azure Landing Zone Review",
- "guid": "153e8908-ae28-4c84-a33b-6b7808b9fe5c",
- "link": "https://learn.microsoft.com/azure/dns/private-dns-getstarted-portal",
- "service": "DNS",
- "severity": "中等",
- "text": "對於只需要在 Azure 中進行名稱解析的環境,請使用 Azure 專用 DNS 進行解析,並使用委託區域進行名稱解析(例如“azure.contoso.com”)。",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
- "waf": "操作"
+ "text": "通過在檢測模式下配置 WAF,為工作負載優化 Azure Front Door WAF,以減少和修復誤報檢測。",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/dnsZones",
- "checklist": "Azure Landing Zone Review",
- "guid": "41049d40-3a92-43c3-974d-00018ac6a9e0",
- "link": 
"https://learn.microsoft.com/azure/dns/dns-private-resolver-overview",
- "service": "DNS",
- "severity": "中等",
- "text": "對於需要跨 Azure 和本地進行名稱解析且沒有現有企業 DNS 服務(如 Active Directory)的環境,請使用 Azure DNS 專用解析程式將 DNS 請求路由到 Azure 或本地 DNS 伺服器。",
- "training": "https://learn.microsoft.com/training/modules/intro-to-azure-dns-private-resolver/",
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "17ba124b-127d-42b6-9322-388d5b2bbcfc",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
+ "service": "Front Door",
+ "severity": "高",
+ "text": "啟用在 Azure Front Door WAF 策略中啟用的請求正文檢查功能。",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/dnsZones",
- "checklist": "Azure Landing Zone Review",
- "guid": "1e6a83de-5de3-42c1-a924-81607d5d1e4e",
- "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances",
- "service": "DNS",
- "severity": "低",
- "text": "需要並部署自己的 DNS(例如 Red Hat OpenShift)的特殊工作負載應使用其首選的 DNS 解決方案。",
- "waf": "操作"
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "49a98f2b-ec22-4a87-9415-6a10b00d6555",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets",
+ "service": "Front Door",
+ "severity": "高",
+ "text": "啟用 Azure Front Door WAF 預設規則集。默認規則集檢測並阻止常見攻擊。",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/dnsZones",
- "checklist": "Azure Landing Zone Review",
- "guid": "614658d3-558f-4d77-849b-821112df27ee",
- "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration",
- "service": "DNS",
+ "ammp": true,
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "147a13d4-2a2f-4824-a524-f5855b52b946",
+ 
"link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules",
+ "service": "Front Door",
 "severity": "高",
- "text": "啟用 Azure DNS 的自動註冊,以自動管理虛擬網路中部署的虛擬機的 DNS 記錄的生命週期。",
- "training": "https://learn.microsoft.com/learn/paths/az-104-manage-virtual-networks/",
- "waf": "操作"
+ "text": "啟用 Azure Front Door WAF 機器人保護規則集。機器人規則可檢測好的和壞的機器人。",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/bastionHosts",
- "checklist": "Azure Landing Zone Review",
- "guid": "ee1ac551-c4d5-46cf-b035-d0a3c50d87ad",
- "link": "https://learn.microsoft.com/azure/bastion/bastion-overview",
- "service": "Bastion",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "d7dcdcb9-0d99-44b9-baab-ac7570ede79a",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions",
+ "service": "Front Door",
 "severity": "中等",
- "text": "使用 Azure Bastion 安全地連接到網路。",
+ "text": "使用最新的 Azure Front Door WAF 規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/bastionHosts",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant",
- "guid": "6eab9eb6-762b-485e-8ea8-15aa5dba0bd0",
- "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet",
- "service": "Bastion",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "b9620385-1cde-418f-914b-a84a06982ffc",
+ "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting",
+ "service": "Front Door",
 "severity": "中等",
- "text": "在子網 /26 或更大的情況下使用 Azure Bastion。",
+ "text": "向 Azure Front Door WAF 添加速率限制。速率限制可阻止客戶端在短時間內意外或有意發送大量流量。",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "1d7aa9b6-4704-4489-a804-2d88e79d17b7",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
- "service": "WAF",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "6dc36c52-0124-4ffe-9eaf-23ec1282dedb",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits",
+ "service": "Front Door",
 "severity": "中等",
- "text": "使用 Azure Front Door 和 WAF 策略跨 Azure 區域為登陸區域的入站 HTTP/S 連接提供全域保護。",
- "training": "https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "text": "對 Azure Front Door WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可防止可能使基礎結構不堪重負的極大量請求。",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "3b22a5a6-7e7a-48ed-9b30-e38c3f29812b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "WAF",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "388a3d0e-0a43-4367-90b2-3dd2aeece5ee",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic",
+ "service": "Front Door",
 "severity": "低",
- "text": "使用 Azure Front Door 和 Azure 應用程式閘道幫助保護 HTTP/S 應用時,請在 Azure Front Door 中使用 WAF 策略。鎖定 Azure 應用程式閘道,以便僅接收來自 Azure Front Door 的流量。",
- "training": 
"https://learn.microsoft.com/learn/paths/secure-application-delivery/",
+ "text": "如果您不希望來自所有地理區域的流量,請使用地理篩檢程式來阻止來自非預期國家/地區的流量。",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls",
- "checklist": "Azure Landing Zone Review",
- "guid": "2363cefe-179b-4599-be0d-5973cd4cd21b",
- "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview",
- "service": "WAF",
- "severity": "高",
- "text": "當入站 HTTP/S 連接需要 WAF 和其他反向代理時,請將它們部署在登陸區域虛擬網路中,並將它們與它們要保護和向 Internet 公開的應用一起部署。",
- "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/",
+ "arm-service": "microsoft.network/frontdoors",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "00acd8a9-6975-414f-8491-2be6309893b8",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location",
+ "service": "Front Door",
+ "severity": "中等",
+ "text": "使用 Azure Front Door WAF 對流量進行地理篩選時,指定未知 (ZZ) 位置。避免在IP位址無法進行地理匹配時意外阻止合法請求。",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "088137f5-e6c4-4cfd-9e50-4547c2447ec6",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
- "service": "VNet",
+ "ammp": true,
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id",
+ "guid": "2f8e81eb-8e68-4026-8b1f-70f9b05f7cf9",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection",
+ 
"service": "App Gateway",
 "severity": "高",
- "text": "使用 Azure DDoS 網路或 IP 保護計劃來幫助保護虛擬網路中的公共 IP 位址終結點。",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "啟用 Azure 應用程式閘道 WAF 機器人保護規則集。機器人規則可檢測好的和壞的機器人。",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "b034c01e-110b-463a-b36e-e3346e57f225",
- "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/default-outbound-access",
- "service": "VNet",
+ "ammp": true,
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "8ea8e0d4-84e8-4b33-aeab-493f6391b4d6",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection",
+ "service": "App Gateway",
 "severity": "高",
- "text": "在即將到來的重大更改之前,規劃如何管理網路出站流量配置和策略。2025 年 9 月 30 日,新部署的預設出站訪問將停用,僅允許顯式訪問配置。",
- "waf": "可靠性"
+ "text": "啟用在 Azure 應用程式閘道 WAF 策略中啟用的請求正文檢查功能。",
+ "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Network/virtualNetworks",
- "checklist": "Azure Landing Zone Review",
- "guid": "b1c82a3f-2320-4dfa-8972-7ae4823c8930",
- "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures",
- "service": "VNet",
+ "ammp": true,
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "a4dd86d3-5ffa-408c-b660-cce073d085b8",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#tune-your-waf",
+ "service": "App Gateway",
 "severity": "高",
- "text": "添加診斷設置以保存所有受保護的公共IP位址(DDoS IP或網路保護)的 DDoS 相關日誌。",
- "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/",
+ "text": "在檢測模式下針對工作負載優化 Azure 應用程式閘道 WAF。減少誤報檢測。",
 "waf": "安全"
 },
 {
- "arm-service": "Microsoft.Authorization/policyDefinitions",
- "checklist": "Azure Landing Zone 
Review",
- "guid": "3c5a808d-c695-4c14-a63c-c7ab7a510e41",
- "link": "https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#corp",
- "service": "Policy",
+ "ammp": true,
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "graph": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode",
+ "guid": "baf8e317-2397-4d49-b3d1-0dcc16d8778d",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings",
+ "service": "App Gateway",
 "severity": "高",
- "text": "確保存在策略分配,以拒絕直接綁定到虛擬機的公共IP位址。 如果特定 VM 上需要公共 IP,請使用排除項。",
+ "text": "在「預防」模式下部署應用程式閘道的 WAF 策略。",
 "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "guid": "359c373e-7dd6-4162-9a36-4a907ecae48e",
- "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure",
- "service": "ExpressRoute",
- "severity": "中等",
- "text": "使用 ExpressRoute 作為到 Azure 的主要連接。 使用 VPN 作為備用連接源。",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "性能"
- },
- {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "description": "可以使用 AS 路徑預置和連接權重來影響從 Azure 到本地的流量,並使用自己的路由器中的所有 BGP 屬性來影響從本地到 Azure 的流量。",
- "guid": "f29812b2-363c-4efe-879b-599de0d5973c",
- "link": 
"https://learn.microsoft.com/azure/expressroute/expressroute-routing",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "43fae595-8a32-4299-a69e-0f32c454dcc9",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview",
+ "service": "App Gateway",
 "severity": "中等",
- "text": "使用多個 ExpressRoute 線路或多個本地位置時,請使用 BGP 屬性來優化路由。",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "可靠性"
+ "text": "向 Azure 應用程式閘道 WAF 添加速率限制。速率限制可阻止客戶端在短時間內意外或有意發送大量流量。",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant",
- "guid": "d4cd21b0-8813-47f5-b6c4-cfd3e504547c",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways?source=recommendations#gwsku",
- "service": "ExpressRoute",
+ "arm-service": "microsoft.network/applicationGateways",
+ "checklist": "Azure Application Delivery Networking",
+ "guid": "041e0ad8-7b12-4694-a0b7-a0e25ee2470f",
+ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/rate-limiting-overview#rate-limiting-details",
+ "service": "App Gateway",
 "severity": "中等",
- "text": "根據頻寬和性能要求為 ExpressRoute/VPN 閘道選擇正確的 SKU。",
- "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/",
- "waf": "性能"
- },
- {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where 
type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant",
- "guid": "7025b442-f6e9-4af6-b11f-c9574916016f",
- "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost",
- "service": "ExpressRoute",
- "severity": "高",
- "text": "確保僅在達到與其成本相符的頻寬時才使用無限數據的 ExpressRoute 線路。",
- "waf": "成本"
- },
- {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id",
- "guid": "f4e7926a-ec35-476e-a412-5dd17136bd62",
- "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local",
- "service": "ExpressRoute",
- "severity": "高",
- "text": "如果線路對等互連位置支援本地 SKU 的 Azure 區域,則利用 ExpressRoute 的本地 SKU 來降低線路成本。",
- "waf": "成本"
+ "text": "對 Azure 應用程式閘道 WAF 速率限制使用高閾值。高速率限制閾值可避免阻止合法流量,同時仍可防止可能使基礎結構不堪重負的極大量請求。",
+ "waf": "安全"
 },
 {
- "arm-service": "microsoft.network/expressRouteCircuits",
- "checklist": "Azure Landing Zone Review",
- "graph": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant",
- "guid": "2447ec66-138a-4720-8f1c-e16ed301d6e8",
- "link": 
"https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways", - "service": "ExpressRoute", - "severity": "中等", - "text": "在受支援的 Azure 區域中部署區域冗餘 ExpressRoute 閘道。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "可靠性" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "99937189-ff78-492a-b9ca-18d828d82b37", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#geo-filtering-best-practices", + "service": "App Gateway", + "severity": "低", + "text": "如果您不希望來自所有地理區域的流量,請使用地理篩檢程式來阻止來自非預期國家/地區的流量。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "72e52e36-11cc-458b-9a4b-1511e43a58a9", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure", - "service": "ExpressRoute", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "349a15c1-52f4-4319-9078-3895d95ecafd", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/geomatch-custom-rules", + "service": "App Gateway", "severity": "中等", - "text": "對於需要頻寬高於 10 Gbps 或專用 10/100 Gbps 埠的方案,請使用 ExpressRoute Direct。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "性能" + "text": "使用 Azure 應用程式閘道 WAF 對流量進行地理篩選時,指定未知 (ZZ) 位置。避免在IP位址無法進行地理匹配時意外阻止合法請求。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "c2299c4d-7b57-4d0c-9555-62f2b3e4563a", - "link": "https://learn.microsoft.com/azure/expressroute/about-fastpath", - "service": "ExpressRoute", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": 
"6c19dfd5-a61c-436c-9001-491b9b3d0228", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#use-the-latest-ruleset-versions", + "service": "App Gateway", "severity": "中等", - "text": "如果需要低延遲,或者從本地到 Azure 的輸送量必須大於 10 Gbps,請啟用 FastPath 以從數據路徑繞過 ExpressRoute 閘道。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "性能" + "text": "使用最新的 Azure 應用程式閘道 WAF 規則集版本。規則集更新會定期更新,以考慮當前的威脅形勢。", + "waf": "安全" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant", - "guid": "4d873974-8b66-42d6-b15f-512a65498f6d", - "link": "https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway", - "service": "VPN", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f84106a2-2e9e-42ac-add6-d3416ecfed53", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "App Gateway", "severity": "中等", - "text": "使用區域冗餘 VPN 閘道將分支或遠端位置連接到 Azure(如果可用)。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "可靠性" + "text": "添加診斷設置以保存 Azure 應用程式閘道 WAF 紀錄。", + "waf": "操作" }, { - "arm-service": "microsoft.network/virtualNetworkGateways", - "checklist": "Azure Landing Zone Review", - "guid": "45866df8-cf85-4ca9-bbe2-65ec1478919e", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", - "service": "VPN", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "4cea4050-7946-4a7c-89e6-b021b73c352d", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", + "service": "Front Door", "severity": "中等", - "text": "在本地使用冗餘 VPN 設備(主動/主動或主動/被動)。", - "training": "https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/", - "waf": "可靠性" + "text": "添加診斷設置以保存 Azure Front Door WAF 紀錄。", + "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "718cb437-b060-2589-8856-2e93a5c6633b", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", - "service": "ExpressRoute", - "severity": "高", - "text": "如果使用 ExpressRoute Direct,請考慮使用到本地 Azure 區域的 ExpressRoute 本地線路來節省成本。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "成本" + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "92664c60-47e3-4591-8b1b-8d557656e686", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#send-logs-to-microsoft-sentinel", + "service": "App Gateway", + "severity": "中等", + "text": "將 Azure 應用程式閘道 WAF 紀錄發送到 Microsoft Sentinel。", + "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "8042d88e-79d1-47b7-9b22-a5a67e7a8ed4", - "link": "https://learn.microsoft.com/azure/architecture/framework/services/networking/expressroute/reliability", - "service": "ExpressRoute", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "845f5f91-9c21-4674-a725-5ce890850e20", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", + "service": "Front Door", "severity": "中等", - "text": "當需要流量隔離或專用頻寬時,例如用於分離生產環境和非生產環境,請使用不同的 ExpressRoute 
線路。它將幫助您確保隔離的路由域並減輕嘈雜的鄰居風險。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "安全" + "text": "將 Azure Front Door WAF 日誌發送到 Microsoft Sentinel。", + "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b30e38c3-f298-412b-8363-cefe179b599d", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-monitoring-metrics-alerts", - "service": "ExpressRoute", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ba0e9b26-6e0d-4ec8-8541-023c00afd5b7", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/best-practices#define-your-waf-configuration-as-code", + "service": "App Gateway", "severity": "中等", - "text": "使用內置的 Express Route Insights 監視 ExpressRoute 的可用性和利用率。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "將 Azure 應用程式閘道 WAF 設定定義為代碼。通過使用代碼,您可以更輕鬆地採用新的規則集版本並獲得額外的保護。", "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5bf68dc9-325e-4873-bf88-f8214ef2e5d2", - "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", - "service": "ExpressRoute", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f17ec301-8470-4afd-aabc-c1fdfe47dcc0", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/policy-overview", + "service": "App Gateway", "severity": "中等", - "text": "使用連接監視器監視整個網路的連接監視,尤其是本地和 Azure 之間的連接監視。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "使用 WAF 策略而不是舊版 WAF 配置。", "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": 
"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project cxId=id, gwId=tostring(properties.virtualNetworkGateway1.id), circuitId=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitId=tostring(id), circuitLocation=tostring(properties.serviceProviderProperties.peeringLocation)) on circuitId | distinct gwId, circuitLocation | summarize countErLocations=count() by id=gwId | extend compliant = (countErLocations >= 2)", - "guid": "e0d5973c-d4cd-421b-8881-37f5e6c4cfd3", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#need-for-redundant-connectivity-solution", - "service": "ExpressRoute", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "d4eb8667-f8cb-4cdd-94e6-2f967ba98f88", + "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-secured-hub-app-gateway", + "service": "App Gateway", "severity": "中等", - "text": "使用來自不同對等互連位置的 ExpressRoute 線路實現冗餘。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "可靠性" + "text": "篩選後端中的入站流量,以便它們僅接受來自應用程式閘道子網的連接,例如與 NSG 的連接。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "cf3fe65c-fec0-495a-8edc-9675200f2add", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-coexist-resource-manager", - "service": "ExpressRoute", + "arm-service": "microsoft.network/frontdoors", + "checklist": "Azure Application Delivery Networking", + "guid": "7d3df025-59a3-447d-ac25-3f5750d35de1", + "link": "https://learn.microsoft.com/azure/frontdoor/origin-security?tabs=app-service-functions", + "service": "Front Door", "severity": "中等", - "text": "如果僅使用單個 ExpressRoute 線路,則使用網站到網站 VPN 作為 ExpressRoute 的故障轉移。", - "waf": 
"可靠性" + "text": "確保源僅接收來自 Azure Front Door 實例的流量。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))", - "guid": "72105cc8-aaea-4ee1-8c7a-ad25977afcaf", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub", - "service": "ExpressRoute", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "a66f0fd8-2ca4-422e-8df3-235148127ca2", + "link": "https://learn.microsoft.com/azure/application-gateway/ssl-overview", + "service": "App Gateway", "severity": "高", - "text": "如果在 GatewaySubnet 中使用路由表,請確保傳播閘道路由。", - "waf": "可靠性" + "text": "您應該對流向後端伺服器的流量進行加密。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "d581a947-69a2-4783-942e-9df3664324c8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", - "service": "ExpressRoute", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "3dba65cb-834d-44d8-a3ca-a6aa2f1587be", + "link": "https://learn.microsoft.com/azure/web-application-firewall/overview", + "service": "App Gateway", "severity": "高", - 
"text": "如果使用 ExpressRoute,則本地路由應是動態的:如果連接失敗,它應收斂到線路的其餘連接。負載應在兩個連接之間共用,理想情況下為主動/主動,儘管也支持主動/被動。", - "waf": "可靠性" + "text": "您應該使用 Web 應用程式防火牆。", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b258f058-b9f6-46cd-b28d-990106f0c3f8", - "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute", - "service": "ExpressRoute", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "0158fcb6-0bc1-4687-832f-cc7c359c22d2", + "link": "https://learn.microsoft.com/azure/application-gateway/redirect-overview", + "service": "App Gateway", "severity": "中等", - "text": "確保 ExpressRoute 線路的兩個物理鏈路連接到網路中的兩個不同的邊緣設備。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "可靠性" + "text": "將 HTTP 重定向到 HTTPS", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "fe2a1b53-6fbd-4c67-b58a-85d7c7a0afcb", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-bfd", - "service": "ExpressRoute", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "bb697864-1b4c-43af-8667-90cc69aaed5f", + "link": "https://learn.microsoft.com/azure/application-gateway/how-application-gateway-works#modifications-to-the-request", + "service": "App Gateway", "severity": "中等", - "text": "確保在客戶或供應商邊緣路由設備上啟用並配置雙向轉發檢測 (BFD)。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "可靠性" + "text": "使用閘道管理的 Cookie 將流量從使用者工作階段定向到同一伺服器進行處理", + "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "669b215a-ce43-4371-8f6f-11047f6490f1", - "link": 
"https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", - "service": "ExpressRoute", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "ff353ad8-15fb-4ae8-9fc5-a85a36d36a35", + "link": "https://learn.microsoft.com/azure/application-gateway/configuration-http-settings", + "service": "App Gateway", "severity": "高", - "text": "將 ExpressRoute 閘道連接到來自不同對等互連位置的兩條或多條線路,以實現更高的復原能力。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "可靠性" + "text": "在計劃的服務更新期間啟用連接耗盡,以防止與後端池的現有成員的連接丟失", + "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "3f79ed00-203b-4c95-9efd-691505f5a1f9", - "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log", - "service": "ExpressRoute", - "severity": "中等", - "text": "配置 ExpressRoute 虛擬網路閘道的診斷日誌和警報。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "c8741f03-45a4-4183-a6b8-139e0773b8b5", + "link": "https://learn.microsoft.com/azure/application-gateway/custom-error", + "service": "App Gateway", + "severity": "低", + "text": "創建自訂錯誤頁面以顯示個人化的用戶體驗", "waf": "操作" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "5234c93f-b651-41dd-80c1-234177b91ced", - "link": "https://learn.microsoft.com/azure/expressroute/virtual-network-connectivity-guidance", - "service": "ExpressRoute", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "f850d46f-f5d7-4b17-b48c-a780741402e1", + "link": 
"https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url", + "service": "App Gateway", "severity": "中等", - "text": "請勿使用 ExpressRoute 線路進行 VNet 到 VNet 通信。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", - "waf": "性能" + "text": "編輯 HTTP 請求和回應標頭,以便更輕鬆地在用戶端和伺服器之間進行路由和資訊交換", + "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "8ac6a9e0-1e6a-483d-b5de-32c199248160", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", - "service": "N/A", - "severity": "低", - "text": "請勿將 Azure 流量發送到混合位置進行檢查。 相反,請遵循“Azure 中的流量保留在 Azure 中”的原則,以便 Azure 中的資源之間的通信通過 Microsoft 主幹網络進行。", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "eadc3164-4a0f-461c-85f1-1a372c04dfd1", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "App Gateway", + "severity": "中等", + "text": "配置 Front Door 以優化全球 Web 流量路由和頂級最終使用者性能,並通過快速全域故障轉移實現可靠性", "waf": "性能" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e6c4cfd3-e504-4547-a244-7ec66138a720", - "link": "https://learn.microsoft.com/azure/firewall/overview", - "service": "Firewall", - "severity": "高", - "text": "使用 Azure 防火牆來管理到 Internet 的 Azure 出站流量、非 HTTP/S 入站連接和東西流量篩選(如果組織需要)。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "29dcc19f-a8fa-4c35-8281-290577538793", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", + "service": "App Gateway", + "severity": "中等", + "text": "使用傳輸層負載均衡", + "waf": "性能" + }, + { + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "276898c1-af5e-4819-9e8e-049c7801ab9d", + 
"link": "https://learn.microsoft.com/azure/application-gateway/multiple-site-overview", + "service": "App Gateway", + "severity": "中等", + "text": "根據主機名或域名為單個閘道上的多個 Web 應用程式配置路由", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "5a4b1511-e43a-458a-ac22-99c4d7b57d0c", - "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", - "service": "Firewall", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "5fe365b6-58e8-47ed-a8cf-5163850380a2", + "link": "https://learn.microsoft.com/azure/application-gateway/create-ssl-portal", + "service": "App Gateway", "severity": "中等", - "text": "創建全域 Azure 防火牆策略以管理全球網路環境中的安全狀況,並將其分配給所有 Azure 防火牆實例。通過 Azure 基於角色的訪問控制將增量防火牆策略委派給本地安全團隊,從而允許使用精細策略來滿足特定區域的要求。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "集中管理 SSL 證書,以減少後端伺服器場的加密和解密開銷", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "655562f2-b3e4-4563-a4d8-739748b662d6", - "link": "https://learn.microsoft.com/azure/firewall-manager/deploy-trusted-security-partner", - "service": "Firewall", + "arm-service": "microsoft.network/applicationGateways", + "checklist": "Azure Application Delivery Networking", + "guid": "fa64b4dd-35c2-4047-ac5c-45dfbf8b0db9", + "link": "https://learn.microsoft.com/azure/application-gateway/application-gateway-websocket", + "service": "App Gateway", "severity": "低", - "text": "如果組織想要使用此類解決方案來幫助保護出站連接,請在 Firewall Manager 中配置受支援的合作夥伴 SaaS 安全提供者。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", + "text": "使用應用程式閘道獲得對 WebSocket 和 HTTP/2 協定的本機支援", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where 
type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant", - "guid": "14d99880-2f88-47e8-a134-62a7d85c94af", - "link": "https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules", - "service": "Firewall", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "cb26b2ba-a9db-45d1-8260-d9c6ec1447d9", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/single-tenant-overview-compare", + "service": "IoT Hub DPS", "severity": "高", - "text": "使用應用程式規則篩選目標主機名上的出站流量,以查找受支持的協定。 使用基於 FQDN 的網路規則和具有 DNS 代理的 Azure 防火牆來篩選通過其他協定流向 Internet 的傳出流量。", - "waf": "安全" + "text": "根據業務和 SLO 要求選擇正確的邏輯應用託管計劃", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant", - "guid": "c10d51ef-f999-455d-bba0-5c90ece07447", - "link": "https://learn.microsoft.com/azure/firewall/premium-features", - "service": "Firewall", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "f6dd7977-1123-4f39-b488-f91415a8430a", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", + "service": "IoT Hub DPS", "severity": "高", - "text": "使用 Azure 防火牆高級版啟用其他安全功能。", - "waf": "安全" + "text": "使用區域冗餘和可用性區域保護邏輯應用免受區域故障的影響", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant", - "guid": "e9c8f584-6d5e-473b-8dc5-acc9fbaab4e3", - "link": 
"https://learn.microsoft.com/azure/firewall/premium-features#idps-signature-rules", - "service": "Firewall", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "8aed4fbf-0830-4883-899d-222a154af478", + "link": "https://learn.microsoft.com/en-us/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", + "service": "IoT Hub DPS", "severity": "高", - "text": "將 Azure 防火牆威脅情報模式配置為「警報」和「拒絕」以獲得額外保護。", - "waf": "安全" + "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant", - "guid": "b9d0dff5-bdd4-4cd8-88ed-5811610b2b2c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#idps", - "service": "Firewall", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "da0f033e-d180-4f36-9aa4-c468dba14203", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "IoT Hub DPS", "severity": "高", - "text": "將 Azure 防火牆 IDPS 模式配置為「拒絕」以獲得額外保護。", - "waf": "安全" + "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | 
distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant", - "guid": "a3784907-9836-4271-aafc-93535f8ec08b", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", - "service": "Firewall", + "arm-service": "Microsoft.Devices/provisioningServices", + "checklist": "Device Provisioning Service Review", + "guid": "62711604-c9d1-4b0a-bdb7-5fda54a4f6c1", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "IoT Hub DPS", + "severity": "中等", + "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護邏輯應用代碼", + "waf": "操作" + }, + { + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "ac1d6380-f866-4bbd-a9b4-b1ee5d7908b8", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#availability-zones", + "service": "IoT", "severity": "高", - "text": "對於未連接到虛擬 WAN 的 VNet 中的子網,請附加路由表,以便將 Internet 流量重定向到 Azure 防火牆或網路虛擬設備。", - "waf": "安全" + "text": "利用可用區(如果區域適用)(這是自動啟用的)", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "715d833d-4708-4527-90ac-1b142c7045ba", - "link": "https://learn.microsoft.com/azure/firewall/firewall-structured-logs", - "service": "Firewall", + "arm-service": 
"Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "35f651e8-0124-4ef7-8c57-658e38609e6e", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "severity": "中等", - "text": "添加診斷設置,使用「特定於資源」的目標表保存所有 Azure 防火牆部署的日誌。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "操作" + "text": "請注意 Microsoft 發起的故障轉移。Microsoft 在極少數情況下會執行這些操作,以將所有IoT中心從受影響的區域故障轉移到相應的異地配對區域。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "e960fc6b-4ab2-4db6-9609-3745135f9ffa", - "link": "https://learn.microsoft.com/azure/firewall-manager/migrate-to-policy", - "service": "Firewall", - "severity": "重要", - "text": "從 Azure 防火牆經典規則(如果存在)遷移到防火牆策略。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "操作" + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "4ed3e490-dc06-4a1e-b467-5d0239d85540", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#cross-region-dr", + "service": "IoT", + "severity": "高", + "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant", - "guid": "22d6419e-b627-4d95-9e7d-019fa759387f", - "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", - "service": "Firewall", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": 
"IoT Hub Review", + "guid": "a11ecab0-db47-46f7-9aa7-17764e7e45a1", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#microsoft-initiated-failover", + "service": "IoT", "severity": "高", - "text": "對 Azure 防火牆子網使用 /26 前置綴。", - "waf": "安全" + "text": "瞭解如何觸發手動故障轉移。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "828cec2e-af6c-40c2-8fa2-1b681ee63eb7", - "link": "https://learn.microsoft.com/azure/firewall-manager/rule-hierarchy", - "service": "Firewall", + "arm-service": "Microsoft.Devices/IotHubs", + "checklist": "IoT Hub Review", + "guid": "f9db8dfb-1194-460b-aedd-34dd6a69db22", + "link": "https://learn.microsoft.com/azure/iot-hub/iot-hub-ha-dr#failback", + "service": "IoT", + "severity": "高", + "text": "瞭解如何在故障轉移後進行故障回復。", + "waf": "可靠性" + }, + { + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "388c3e25-e800-4ad2-9df3-f3d6ae1050b7", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview", + "service": "Azure MySQL", "severity": "中等", - "text": "根據防火牆策略中的規則的使用頻率,將規則排列到規則集合組和規則集合中。", - "waf": "性能" + "text": "利用靈活伺服器", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "0da83bb1-2f39-49af-b5c9-835fc455e3d1", - "link": "https://learn.microsoft.com/azure/firewall/ip-groups", - "service": "Firewall", + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "de3aad1e-8c38-4ec9-9666-7313c005674b", + "link": "https://learn.microsoft.com/azure/mysql/flexible-server/overview#high-availability-within-and-across-availability-zones", + "service": "Azure MySQL", + "severity": "高", + "text": "利用區域適用的可用區", + "waf": "可靠性" + }, + { + "arm-service": "Microsoft.DBforMySQL/servers", + "checklist": "MySQL Review Checklist", + "guid": "1e944a45-9c37-43e7-bd61-623b365a917e", + "link": 
"https://learn.microsoft.com/azure/mysql/flexible-server/overview#setup-hybrid-or-multi-cloud-data-synchronization-with-data-in-replication", + "service": "Azure MySQL", "severity": "中等", - "text": "使用IP組或IP前置綴來減少IP表規則的數量。", - "waf": "性能" + "text": "將數據傳入複製用於跨區域災難恢復方案", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "c44c6f0e-1642-4a61-a17b-0922f835c93a", - "link": "https://learn.microsoft.com/azure/firewall/tutorial-firewall-dnat", - "service": "Firewall", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "6d8e32a8-3892-479d-a40b-10f6b4f6f298", + "link": "https://learn.microsoft.com/azure/spring-apps/concepts-blue-green-deployment-strategies", + "service": "Spring Apps", "severity": "中等", - "text": "不要使用通配符作為DNAT的源IP,例如 *或 any,您應該為傳入的DNAT指定源IP。", - "waf": "性能" + "text": "Azure Spring Apps 允許對每個應用進行兩次部署,其中只有一個部署接收生產流量。您可以使用藍綠部署策略實現零停機時間。藍綠部署僅在標準層和企業層中可用。可以使用 CI/CD 和 ADO/GitHub 操作自動執行部署", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7371dc21-251a-47a3-af14-6e01b9da4757", - "link": "https://learn.microsoft.com/azure/firewall/integrate-with-nat-gateway", - "service": "Firewall", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716", + "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region", + "service": "Spring Apps", "severity": "中等", - "text": "通過監控 SNAT 埠使用方式、評估 NAT 閘道設置並確保無縫故障轉移,防止 SNAT 埠耗盡。如果埠計數接近限制,則表明 SNAT 耗盡可能迫在眉睫。", - "waf": "性能" + "text": "可以在多個區域中為應用程式創建 Azure Spring Apps 實例,並且流量管理器/Front Door 可以路由流量。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "346840b8-1064-496e-8396-4b1340172d52", - "link": 
"https://learn.microsoft.com/azure/firewall/premium-features#tls-inspection", - "service": "Firewall", - "severity": "高", - "text": "如果使用的是 Azure 防火牆高級版,請啟用 TLS 檢查。", - "waf": "性能" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ff1ae6a7-9301-4feb-9d11-56cd72f1d4ef", + "link": "https://learn.microsoft.com/azure/reliability/reliability-spring-apps", + "service": "Spring Apps", + "severity": "中等", + "text": "在支持的區域中,Azure Spring Apps 可以部署為區域冗餘,這意味著實例會自動分佈在可用性區域之間。此功能僅在標準層和企業層中可用。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "39990a13-915c-45f9-a2d3-562d7d6c4b7c", - "link": "https://learn.microsoft.com/azure/firewall/premium-features#web-categories", - "service": "Firewall", - "severity": "低", - "text": "使用 Web 類別允許或拒絕對特定主題的出站訪問。", - "waf": "性能" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "ffc735ad-fbb1-4802-b43f-ad6387c4c066", + "link": "https://learn.microsoft.com/azure/spring-apps/concept-understand-app-and-deployment", + "service": "Spring Apps", + "severity": "中等", + "text": "對應用使用1個以上的應用實例", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "6eff7e6c-6c4a-43d7-be3f-6641c2cb3d4a", - "link": "https://learn.microsoft.com/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall", - "service": "Firewall", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "7504c230-6035-4183-95a5-85762acc6075", + "link": "https://learn.microsoft.com/azure/spring-apps/diagnostic-services", + "service": "Spring Apps", "severity": "中等", - "text": "作為 TLS 檢查的一部分,請計劃從 Azure 應用閘道接收流量以進行檢查。", - "waf": "性能" + "text": "使用日誌、指標和跟蹤監視 Azure Spring Apps。將 ASA 與應用程式見解集成,並跟蹤故障並創建工作簿。", + "waf": "可靠性" }, { - "arm-service": 
"Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "94f3eede-9aa3-4088-92a3-bb9a56509fad", - "link": "https://learn.microsoft.com/azure/firewall/dns-details", - "service": "Firewall", + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "1eb48d58-3eec-4ef5-80b0-d2b0dde3f0c6", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-configure-enterprise-spring-cloud-gateway", + "service": "Spring Apps", "severity": "中等", - "text": "啟用 Azure 防火牆 DNS 代理配置。", - "waf": "安全" + "text": "在 Spring Cloud Gateway 中設置自動縮放", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "1dc04554-dece-4ffb-a49e-5c683e09f8da", - "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", - "service": "Firewall", - "severity": "高", - "text": "將 Azure 防火牆與 Azure Monitor 集成,並啟用診斷日誌記錄以存儲和分析防火牆日誌。", - "waf": "操作" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "97411607-b6fd-4335-99d1-9885faf4e392", + "link": "https://learn.microsoft.com/azure/spring-apps/how-to-setup-autoscale", + "service": "Spring Apps", + "severity": "低", + "text": "為具有標準使用量和專用計劃的應用啟用自動縮放。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "64e7000e-3c06-485e-b455-ced7f454cba3", - "link": "https://learn.microsoft.com/azure/well-architected/service-guides/azure-firewall", - "service": "Firewall", - "severity": "低", - "text": "實施防火牆規則的備份", - "waf": "操作" + "arm-service": "Microsoft.AppPlatform/Spring", + "checklist": "Azure Spring Apps Review", + "guid": "dfcaffd1-d27c-4ef2-998d-64c1df3a7ac3", + "link": "https://learn.microsoft.com/azure/spring-apps/overview", + "service": "Spring Apps", + "severity": "中等", + "text": "使用企業計劃為關鍵任務應用提供 Spring Boot 的商業支援。使用其他層,您可以獲得 OSS 支援。", + "waf": "可靠性" }, { - "arm-service": 
"microsoft.network/applicationGateways", - "checklist": "Azure Landing Zone Review", - "guid": "d301d6e8-72e5-42e3-911c-c58b5a4b1511", - "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", - "service": "App Gateway", - "severity": "高", - "text": "不要中斷注入虛擬網路的 Azure PaaS 服務的控制平面通信,例如使用 0.0.0.0/0 路由或阻止控制平面流量的 NSG 規則。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure 事件中心提供靜態數據加密。如果使用自己的金鑰,則仍使用 Microsoft 管理的金鑰對數據進行加密,但此外,Microsoft 管理的金鑰將使用客戶管理的密鑰進行加密。", + "guid": "7aaf12e7-b94e-4f6e-847d-2d92981b1cd6", + "link": "https://learn.microsoft.com/azure/event-hubs/configure-customer-managed-key", + "service": "Event Hubs", + "severity": "低", + "text": "需要時,在靜態數據加密中使用客戶管理的金鑰選項", + "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "guid": "b3e4563a-4d87-4397-98b6-62d6d15f512a", - "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", - "service": "ExpressRoute", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure 事件中心命名空間允許用戶端使用 TLS 1.0 及更高版本發送和接收數據。若要強制實施更嚴格的安全措施,可以將事件中心命名空間配置為要求用戶端使用較新版本的 TLS 發送和接收數據。如果事件中心命名空間需要最低版本的 TLS,則使用舊版本發出的任何請求都將失敗。", + "guid": "d2f54b29-769e-43a6-a0e7-828ac936657e", + "link": "https://learn.microsoft.com/azure/event-hubs/transport-layer-security-configure-minimum-version", + "service": "Event Hubs", "severity": "中等", - "text": "通過專用終結點和 ExpressRoute 專用對等互連從本地訪問 Azure PaaS 服務。此方法可避免在公共 Internet 上傳輸。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", + "text": "對請求強制實施傳輸層安全性 (TLS) 的最低要求版本", + "training": 
"https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/", "waf": "安全" }, { - "arm-service": "Microsoft.Network/virtualNetworks", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc", - "guid": "4704489a-8042-4d88-b79d-17b73b22a5a6", - "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview", - "service": "VNet", - "severity": "高", - "text": "默認情況下,不要在所有子網上啟用虛擬網路服務終結點。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "創建事件中心命名空間時,會自動為命名空間創建名為 RootManageSharedAccessKey 的策略規則。此策略具有整個命名空間的管理許可權。建議您將此規則視為管理根帳戶,不要在應用程式中使用它。建議將 AAD 用作 RBAC 的身份驗證提供程式。", + "guid": "13b0f566-4b1e-4944-a459-837ee79d6c6d", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", + "service": "Event Hubs", + "severity": "中等", + "text": "避免在不必要的情況下使用root帳戶", + "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/", "waf": "安全" }, { - "arm-service": "Microsoft.Network/azureFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7e7a8ed4-b30e-438c-9f29-812b2363cefe", - "link": "azure/private-link/inspect-traffic-with-azure-firewall", - "service": "Firewall", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure 資源的託管標識可以使用 Azure AD 憑據從 Azure 虛擬機 (VM)、函數應用、虛擬機規模集和其他服務中運行的應用程式授權訪問事件中心資源。通過將 Azure 
資源的託管標識與 Azure AD 身份驗證結合使用,可以避免將憑據存儲在雲中運行的應用程式中。", + "guid": "3a365a5c-7acb-4e48-abd5-4cd79f2e8776", + "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", + "service": "Event Hubs", "severity": "中等", - "text": "使用 FQDN 而不是 Azure 防火牆或 NVA 中的 IP 位址篩選流向 Azure PaaS 服務的出口流量,以防止數據外洩。如果使用專用連結,則可以阻止所有 FQDN,否則僅允許所需的 PaaS 服務。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn", + "text": "如果可能,應用程式應使用託管標識向 Azure 事件中心進行身份驗證。如果沒有,請考慮在 Azure Key Vault 或等效服務中擁有存儲憑據(SAS、服務主體憑據)", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "安全" }, { - "arm-service": "microsoft.network/expressRouteCircuits", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant", - "guid": "f2aad7e3-bb03-4adc-8606-4123d342a917", - "link": "https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway", - "service": "ExpressRoute", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "創建許可權時,請對用戶端對 Azure 事件中心的訪問提供精細控制。Azure 事件中心中的許可權可以而且應該限定為單個資源級別,例如消費者組、事件中心實體、事件中心命名空間等。", + "guid": "8357c559-675c-45ee-a5b8-6ad8844ce3b2", + "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", + "service": "Event Hubs", "severity": "高", - "text": "至少對閘道子網使用 /27 前置綴。", + "text": "使用最低特權數據平面 RBAC", + "training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/", "waf": "安全" }, { - 
"arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)", - "guid": "11deb39d-8299-4e47-bbe0-0fb5a36318a8", - "link": "https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags", - "service": "NSG", - "severity": "高", - "text": "不要依賴使用 VirtualNetwork 服務標記的 NSG 入站預設規則來限制連接。", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "Azure 事件中心資源日誌包括操作日誌、虛擬網路和 Kafka 日誌。運行時審核日誌捕獲事件中心中所有數據平面訪問操作(例如發送或接收事件)的聚合診斷資訊。", + "guid": "b38b875b-a1cf-4104-a900-3a4d3ce474db", + "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", + "service": "Event Hubs", + "severity": "中等", + "text": "啟用記錄以進行安全調查。使用 Azure Monitor 捕獲指標和日誌,例如資源日誌、運行時審核日誌和 Kafka 紀錄", + "training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/", "waf": "安全" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": 
"872e52e3-611c-4c58-a5a4-b1511e43a58a", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-landing-zone-network-segmentation", - "service": "NSG", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "默認情況下,Azure 事件中心具有公共IP位址,並且可通過Internet訪問。專用終結點允許虛擬網路和 Azure 事件中心之間的流量遍歷 Microsoft 主幹網路。除此之外,如果未使用公共終結點,則應禁用這些終結點。", + "guid": "5abca2a4-eda1-4dae-8cc9-5d48c6b791dc", + "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", + "service": "Event Hubs", "severity": "中等", - "text": "使用 NSG 説明保護子網之間的流量,以及平台中的東西向流量(登陸區域之間的流量)。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "請考慮使用專用終結點訪問 Azure 事件中心,並在適用時禁用公用網路訪問。", + "training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/", "waf": "安全" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "a4d87397-48b6-462d-9d15-f512a65498f6", - "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", - "service": "NSG", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "使用IP防火牆,可以將公共終結點進一步限製為僅一組IPv4位址或 CIDR(無類別域間路由)表示法的IPv4位址範圍。", + "guid": "a0e6c465-89e5-458b-a37d-3974d1112dbd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-ip-filtering", + "service": "Event Hubs", "severity": "中等", - "text": "使用 NSG 和應用程式安全組對登陸區域內的流量進行微分段,並避免使用中心 NVA 篩選流量流。", - "training": "https://learn.microsoft.com/learn/paths/implement-network-security/", + "text": "請考慮僅允許從特定IP位址或範圍訪問 Azure 事件中心命名空間", + "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", "waf": "安全" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "guid": "dfe237de-143b-416c-91d7-aa9b64704489", - "link": 
"https://learn.microsoft.com/azure/network-watcher/vnet-flow-logs-overview", - "service": "NSG", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "31d41e36-11c8-417b-8afb-c410d4391898", + "link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-AEH_v1.docx", + "service": "Event Hubs", "severity": "中等", - "text": "啟用 VNet 流日誌並將其饋送到流量分析中,以深入了解內部和外部流量流。", - "training": "https://learn.microsoft.com/learn/modules/design-implement-network-monitoring/", - "waf": "安全" + "text": "利用 FTA 彈性手冊", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Network/networkSecurityGroups", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type == 'microsoft.network/networksecuritygroups' | project id, rules = array_length(properties.securityRules) | project id, compliant = (rules < 900)", - "guid": "0390417d-53dc-44d9-b3f4-c8832f359b41", - "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", - "service": "NSG", - "severity": "中等", - "text": "由於規則限制為 1000 條,因此每個 NSG 實施的 NSG 規則不要超過 900 個。", - "training": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "對於從門戶創建的新 EH 命名空間,在啟用區域的區域中具有高級、專用或標準 SKU,將自動啟用此功能。EH 元數據和事件數據本身都是跨區域複製的", + "guid": "f15bce21-9e4a-40eb-9787-9424d226786d", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-premium-overview#high-availability-with-availability-zones", + "service": "Event Hubs", + "severity": "高", + "text": "利用可用區(如果區域適用)", "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "412e7f98-3f63-4047-82dd-69c5b5c2622f", - "link": "https://learn.microsoft.com/azure/virtual-wan/scenario-any-to-any", - "service": "VWAN", + "arm-service": 
"microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "20b56c56-ad58-4519-8f82-735c586bb281", + "link": "https://learn.microsoft.com/azure/event-hubs/compare-tiers", + "service": "Event Hubs", "severity": "中等", - "text": "如果在虛擬 WAN 路由設計清單中明確描述了你的方案,請使用虛擬 WAN。", - "training": "https://learn.microsoft.com/learn/modules/introduction-azure-virtual-wan/", - "waf": "操作" + "text": "使用高級或專用 SKU 實現可預測的性能", + "waf": "可靠性" + }, + { + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "啟用內置異地災難恢復功能后,可確保命名空間的整個配置(事件中心、消費者組和設置)從主命名空間持續複製到輔助命名空間,並允許隨時從主命名空間向輔助命名空間進行一次故障轉移。主動/被動功能旨在更輕鬆地從失敗的 Azure 區域中恢復和放棄,而無需更改應用程式配置", + "guid": "dc15a1c0-75ee-49f1-90ac-ccd579376bcd", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-geo-dr?tabs=portal", + "service": "Event Hubs", + "severity": "高", + "text": "使用主動被動配置規劃異地災難恢復", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "54b69bad-33aa-4d5e-ac68-e1d76667313b", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/virtual-wan-network-topology#virtual-wan-network-design-recommendationst", - "service": "VWAN", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "description": "應用於無法容忍關閉區域中事件數據中斷或丟失的DR配置。對於這些情況,請遵循複製指南,不要使用內置的異地災難恢復功能(主動/被動)。使用「主動/主動」時,在不同區域和命名空間中維護多個事件中心,事件將在中心之間複製", + "guid": "6e31b67d-67ba-4591-89c0-9e805d597c7e", + "link": "https://learn.microsoft.com/azure/event-hubs/event-hubs-federation-overview", + "service": "Event Hubs", "severity": "中等", - "text": "使用每個 Azure 區域的虛擬 WAN 中心,透過通用的全球 Azure 虛擬 WAN 跨 Azure 區域將多個登陸區域連接在一起。", - "waf": "性能" + "text": "對於業務關鍵型應用程式,請使用 Active Active 配置", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "graph": "resources | where type=='microsoft.network/virtualhubs' | 
extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant", - "guid": "7d5d1e4e-6146-458d-9558-fd77249b8211", - "link": "https://learn.microsoft.com/azure/virtual-wan/howto-firewall", - "service": "VWAN", + "arm-service": "microsoft.eventhub/namespaces", + "checklist": "Azure Event Hub Review", + "guid": "9ced16ad-d186-4f0a-a241-a999a68af77c", + "link": "https://learn.microsoft.com/azure/architecture/serverless/event-hubs-functions/resilient-design", + "service": "Event Hubs", "severity": "中等", - "text": "對於出站 Internet 流量保護和篩選,請在安全中心部署 Azure 防火牆。", - "training": "https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/", - "waf": "安全" + "text": "設計可復原的事件中心", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "6667313b-4f56-464b-9e98-4a859c773e7d", - "link": "https://learn.microsoft.com/azure/virtual-wan/migrate-from-hub-spoke-topology", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "4620dc87-e948-4ce8-8426-f3e6e5d7bd85", + "link": "https://learn.microsoft.com/azure/sap/center-sap-solutions/overview", + "service": "SAP", "severity": "中等", - "text": "確保虛擬 WAN 網路體系結構與已確定的體系結構方案保持一致。", - "waf": "可靠性" + "text": "Azure SAP 解決方案中心 (ACSS) 是一項 Azure 產品/服務,可使 SAP 成為 Azure 上的頂級工作負載。ACSS 是一種端到端解決方案,使你能夠在 Azure 上創建和運行 SAP 系統作為統一的工作負載,並為創新提供更無縫的基礎。可以利用新的和現有的基於 Azure 的 SAP 系統的管理功能。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-center-sap-solutions/?source=recommendations", + "waf": "操作" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "261623a7-65a9-417e-8f34-8ef254c27d42", - "link": "https://learn.microsoft.com/azure/virtual-wan/azure-monitor-insights", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "5d75e99d-624d-4afe-91d9-e17adc580790", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-platform-automation-and-devops", + "service": "SAP", "severity": "中等", - "text": "使用適用於虛擬 WAN 的 Azure Monitor 見解來監視虛擬 WAN 的端到端拓撲、狀態和關鍵指標。", + "text": "Azure 支援在Linux和 Windows 中自動執行 SAP 部署。SAP 部署自動化框架是一種開源編排工具,可以部署、安裝和維護 SAP 環境。", + "training": "https://github.com/Azure/sap-automation", "waf": "操作" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "727c77e1-b9aa-4a37-a024-129d042422c1", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#is-branch-to-branch-connectivity-allowed-in-virtual-wan", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "d17f6f39-a377-48a2-931f-5ead3ebe33a8", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/data-platform", + "service": "SAP", "severity": "中等", - "text": "不要在虛擬 WAN 中禁用分支到分支流量,除非應明確阻止這些流。", + "text": "在符合 RTO 要求的任何時間點和時間範圍內對生產資料庫執行時間點恢復;時間點恢復通常包括操作員在DBMS層上或通過SAP刪除數據時出現的錯誤", "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "d49ac006-6670-4bc9-9948-d3e0a3a94f4d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing-preference", - "service": "VWAN", + "checklist": "SAP Checklist", + "guid": "c4b8e117-930b-4dbd-ae50-7bc5faf6f91a", + "service": "SAP", "severity": "中等", - "text": "使用 AS-Path 作為中心路由首選項,因為它比 ExpressRoute 或 VPN 更靈活。", + "text": "測試備份和恢復時間,以驗證它們是否滿足在災難發生后同時還原所有系統的 RTO 要求。", "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "2586b854-237e-47f1-84a1-d45d4cd2310d", - "link": "https://learn.microsoft.com/azure/virtual-wan/about-virtual-hub-routing#labels", - "service": "VWAN", - "severity": "中等", - "text": "在虛擬 WAN 中配置基於標籤的傳播,否則虛擬中心之間的連接將受到損害。", + "checklist": "SAP Checklist", + "guid": "b651423c-8552-42db-a545-5cb50c05527a", + "link": 
"https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", + "service": "SAP", + "severity": "高", + "text": "可以在配對區域之間複製標準存儲,但不能使用標準存儲來存儲資料庫或虛擬硬碟。您只能在使用的配對區域之間複製備份。對於所有其他數據,請使用本機 DBMS 功能(如 SQL Server Always On 或 SAP HANA 系統複製)運行複製。將 Site Recovery、rsync 或 robocopy 以及其他第三方軟體組合用於 SAP 應用程式層。", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", "waf": "可靠性" }, { - "arm-service": "microsoft.network/virtualWans", - "checklist": "Azure Landing Zone Review", - "guid": "9c75dfef-573c-461c-a698-68598595581a", - "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-faq#what-is-the-recommended-hub-address-space-during-hub-creation", - "service": "VWAN", - "severity": "高", - "text": "至少為虛擬中心分配一個 /23 前置綴,以確保有足夠的IP空間可用。", + "checklist": "SAP Checklist", + "guid": "aa208dca-784f-46c6-9014-cc919c542dc9", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", + "severity": "中等", + "text": "使用 Azure 可用性區域實現高可用性時,必須考慮 SAP 應用程式伺服器和資料庫伺服器之間的延遲。對於具有高延遲的區域,需要制定操作過程,以確保 SAP 應用程式伺服器和資料庫伺服器始終在同一區域中運行。", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", "waf": "可靠性" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "5c986cb2-9131-456a-8247-6e49f541acdc", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "ba07c007-1f90-43e9-aa4f-601346b80352", + "link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering", + "service": "SAP", "severity": "高", - "text": "戰略性地利用 Azure Policy,為環境定義控制,使用策略計劃對相關策略進行分組。", - "waf": "安全" + "text": "設置從本地到主要和次要 Azure 災難恢復區域的 ExpressRoute 連接。此外,作為使用 ExpressRoute 的替代方法,請考慮設置從本地到主要和輔助 Azure 災難恢復區域的 VPN 連接。", + "training": 
"https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "d8a2adb1-17d6-4326-af62-5ca44e5695f2", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "中等", - "text": "將法規和合規性要求映射到 Azure Policy 定義和 Azure 角色分配。", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "d2b30195-b11d-4a8f-a672-28b2b4169a7c", + "link": "https://learn.microsoft.com/azure/key-vault/general/disaster-recovery-guidance", + "service": "SAP", + "severity": "低", + "text": "跨區域複製證書、機密或密鑰等金鑰保管庫內容,以便解密DR區域中的數據。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "223ace8c-b123-408c-a501-7f154e3ab369", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "05f1101d-250f-40e7-b2a1-b674ab50edbd", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-s4hana", + "service": "SAP", "severity": "中等", - "text": "在中間根管理組建立 Azure Policy 定義,以便可以在繼承的範圍內分配它們。", - "waf": "安全" - }, - { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "3829e7e3-1618-4368-9a04-77a209945bda", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "高", - "text": "如果需要,在最高適當級別管理策略分配,並在底層管理排除項。", - "waf": "安全" + "text": "對等連接主虛擬網路和災難恢復虛擬網路。例如,對於 HANA 系統複製,需要將 SAP HANA DB 虛擬網路對等互連到災難恢復網站的 SAP HANA DB 虛擬網路。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "43334f24-9116-4341-a2ba-527526944008", - "link": 
"https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "d3351bf7-628a-46de-917d-dfc11d3b6b40", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-service-levels", + "service": "SAP", "severity": "低", - "text": "使用 Azure Policy 控制使用者可以在訂閱/管理組級別預配哪些服務。", - "waf": "安全" + "text": "如果將 Azure NetApp 檔案儲存用於 SAP 部署,則至少要在兩個區域的高級層中創建兩個 Azure NetApp 檔帳戶。", + "training": "https://learn.microsoft.com/training/modules/choose-service-level-azure-netapp-files-hpc-applications/2-identify-decision-criteria", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "be7d7e48-4327-46d8-adc0-55bcf619e8a1", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", + "checklist": "SAP Checklist", + "guid": "726a1d3e-5508-4a06-9d54-93f4b50040c1", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", "severity": "高", - "text": "盡可能使用內置策略,以最大程度地減少運營開銷。", - "waf": "安全" + "text": "應使用本機資料庫複製技術來同步HA對中的資料庫。", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "description": "通過將「資源策略參與者」角色分配給特定範圍,可以將策略管理委派給相關團隊。例如,中心 IT 團隊可以監督管理組級別的策略,而應用程式團隊則處理其訂閱的策略,從而在遵守組織標準的情況下實現分散式治理。", - "guid": "3f988795-25d6-4268-a6d7-0ba6c97be995", - "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", - "service": "Policy", - "severity": "中等", - "text": "在特定範圍內分配內置的「資源策略參與者」角色,以啟用應用程式級治理。", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "6561f847-3db5-4ff8-9200-5ad3c3b436ad", + "link": 
"https://learn.microsoft.com/ja-jp/azure/virtual-network/virtual-networks-faq", + "service": "SAP", + "severity": "高", + "text": "主虛擬網路 (VNet) 的 CIDR 不應與DR網站的 VNet 的 CIDR 衝突或重疊", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "19048384-5c98-46cb-8913-156a12476e49", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "service": "Policy", - "severity": "中等", - "text": "限制在根管理組範圍內執行的 Azure Policy 分配數,以避免在繼承的範圍內通過排除項進行管理。", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "0258ed30-fe42-434f-87b9-58f91f908e0a", + "service": "SAP", + "severity": "高", + "text": "使用 Site Recovery 將應用程式伺服器複製到 DR 網站。Site Recovery 還可以説明將中心服務群集 VM 複製到DR網站。調用DR時,需要在DR網站上重新配置Linux Pacemaker群集(例如,替換VIP或SBD、運行 corosync.conf 等)。", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "5a917e1f-348e-4f25-9c27-d42e8bbac757", - "link": "https://learn.microsoft.com/industry/release-plan/2023wave2/cloud-sovereignty/enable-data-sovereignty-policy-baseline", - "service": "Policy", - "severity": "中等", - "text": "如果存在任何數據主權要求,則應部署 Azure 策略來強制實施這些要求。", - "training": "https://learn.microsoft.com/learn/paths/secure-your-cloud-data/", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "高", + "text": "考慮 SAP 軟體針對單點故障的可用性。這包括應用程式中的單點故障,例如 SAP NetWeaver 和 SAP S/4HANA 架構中使用的 DBMS、SAP ABAP 和 ASCS + SCS。此外,還有其他工具,例如 SAP Web Dispatcher。", + "training": 
"https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "78b22132-b41c-460b-a4d3-df8f73a67dc2", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/sovereign-landing-zone", - "service": "Policy", - "severity": "中等", - "text": "對於主權登陸區域,部署主權策略基線,並在正確的管理組級別進行分配。", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "service": "SAP", + "severity": "高", + "text": "對於 SAP 和 SAP 資料庫,請考慮實現自動故障轉移群集。在 Windows 中,Windows Server 故障轉移群集支援故障轉移。在 Linux 中,Linux Pacemaker 或第三方工具(如 SIOS Protection Suite 和 Veritas InfoScale)支援故障轉移。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "caeea0e9-1024-41df-a52e-d99c3f22a6f4", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline", - "service": "Policy", - "severity": "中等", - "text": "對於主權登陸區域,將主權控制目標記錄到策略映射。", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "service": "SAP", + "severity": "高", + "text": "Azure 不支援主 VM 和輔助 VM 共用 DBMS 數據存儲的體系結構。對於 DBMS 層,常見的體系結構模式是同時複製資料庫,並使用與主虛擬機和輔助虛擬機使用的存儲堆疊不同的存儲堆疊。", + "training": 
"https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Authorization/policyDefinitions", - "checklist": "Azure Landing Zone Review", - "guid": "9b461617-db7b-4399-8ac6-d4eb7153893a", - "link": "https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline#sovereignty-baseline-policy-initiatives", - "service": "Policy", - "severity": "中等", - "text": "對於主權登陸區,請確保已制定“主權控制目標到策略映射”的管理流程。", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "service": "SAP", + "severity": "高", + "text": "DBMS 數據和事務/重做日誌檔存儲在 Azure 支援的塊存儲或 Azure NetApp 檔中。不支援將 Azure 檔案儲存或 Azure 高級檔儲存作為 DBMS 資料和/或使用 SAP 工作負載重做日誌檔的存儲。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "67e7a8ed-4b30-4e38-a3f2-9812b2363cef", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", - "severity": "中等", - "text": "使用單個監視器日誌工作區集中管理平臺,但 Azure 基於角色的訪問控制 (Azure RBAC)、數據主權要求或數據保留策略要求使用單獨工作區的情況除外。", - "training": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "service": "SAP", + "severity": "高", + "text": "可以在 Windows 中將 Azure 共用磁碟用於 ASCS + SCS 元件和特定的高可用性方案。為 SAP 應用程式層元件和 DBMS 層單獨設置故障轉移群集。Azure 目前不支援將 SAP 應用程式層元件和 DBMS 
層合併到一個故障轉移群集中的高可用性體系結構。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "5e6c4cfd-3e50-4454-9c24-47ec66138a72", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", - "service": "Monitor", + "checklist": "SAP Checklist", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "service": "SAP", "severity": "高", - "text": "如果日誌保留要求超過 12 年,請將日誌匯出到 Azure 存儲。使用具有一次寫入、多次讀取策略的不可變存儲,使數據在使用者指定的時間間隔內不可擦除且不可修改。", - "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", - "waf": "操作" + "text": "SAP 應用程式層元件 (ASCS) 和 DBMS 層的大多數故障轉移群集都需要故障轉移群集的虛擬 IP 位址。 Azure 負載均衡器應處理所有其他情況的虛擬IP位址。一個設計原則是每個集群配置使用一個負載均衡器。建議使用標準版本的負載均衡器(標準負載均衡器 SKU)。", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "e7d7e484-3276-4d8b-bc05-5bcf619e8a13", - "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", - "service": "VM", - "severity": "中等", - "text": "使用 Azure Policy 監視 OS 等級虛擬機 (VM) 配置偏移。通過策略啟用 Azure Automanage 計算機配置審核功能可説明應用程式團隊工作負載立即使用功能,而無需付出任何努力。", - "training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "service": "SAP", + "severity": "高", + "text": 
"確保在負載均衡器上啟用了浮動IP", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f9887952-5d62-4688-9d70-ba6c97be9951", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations", - "service": "VM", - "severity": "中等", - "text": "使用 Azure Update Manager 作為 Azure 中 Windows 和 Linux VM 的修補機制。", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "service": "SAP", + "severity": "高", + "text": "在部署高可用性基礎結構之前,請根據所選的區域確定是使用 Azure 可用性集還是可用性區域進行部署。", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "c806c048-26b7-4ddf-b4c2-b4f0c476925d", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#update-management-considerations ", - "service": "VM", - "severity": "中等", - "text": "使用 Azure Arc 將 Azure Update Manager 用作 Azure 外部的 Windows 和 Linux VM 的修補機制。", - "training": "https://learn.microsoft.com/azure/update-manager/overview?tabs=azure-vms", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "service": "SAP", + "severity": "高", + "text": "如果要滿足 SAP 元件(中央服務、應用程式伺服器和資料庫)應用程式的基礎結構 SLA,則必須為所有元件選擇相同的高可用性選項(VM、可用性集、可用性區域)。", + "waf": 
"可靠性" }, { - "arm-service": "microsoft.network/networkWatchers", - "checklist": "Azure Landing Zone Review", - "guid": "90483845-c986-4cb2-a131-56a12476e49f", - "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", - "service": "Network Watcher", - "severity": "中等", - "text": "使用網路觀察程序主動監視流量流。", - "training": "https://learn.microsoft.com/learn/modules/configure-network-watcher/", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "高", + "text": "不要在同一可用性集中混合使用不同角色的伺服器。將中央服務 VM、資料庫 VM、應用程式 VM 保留在自己的可用性集中", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "6944008b-e7d7-4e48-9327-6d8bdc055bcf", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", - "service": "Monitor", + "checklist": "SAP Checklist", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "service": "SAP", "severity": "中等", - "text": "使用 Azure Monitor 紀錄獲取見解和報告。", - "waf": "操作" + "text": "除非使用鄰近放置組,否則無法在 Azure 可用性區域內部署 Azure 可用性集。", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "97be9951-9048-4384-9c98-6cb2913156a1", - "link": "https://learn.microsoft.com/azure/azure-monitor/alerts/alerts-overview", - "service": "Monitor", - "severity": "中等", - "text": "使用 Azure Monitor 警報生成操作警報。", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": 
"9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "service": "SAP", + "severity": "高", + "text": "創建可用性集時,請使用最大數量的容錯域和更新可用的域。例如,如果在一個可用性集中部署兩個以上的 VM,請使用最大數量的容錯域(三個)和足夠的更新域來限制潛在的物理硬體故障、網路中斷或電源中斷的影響,以及 Azure 計劃內維護。默認的容錯域數為 2,以後無法連線更改。", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "fed3c55f-a67e-4875-aadd-3aba3f9fde31", - "link": "https://learn.microsoft.com/azure/automation/how-to/region-mappings", - "service": "Monitor", - "severity": "中等", - "text": "通過 Azure 自動化帳戶使用更改和清單跟蹤時,請確保已選擇受支持的區域,以便將 Log Analytics 工作區和自動化帳戶連結在一起。", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "高", + "text": "在可用性集部署中使用 Azure 鄰近放置組時,所有三個 SAP 元件(中央服務、應用程式伺服器和資料庫)都應位於同一鄰近放置組中。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "eba8cf22-45c6-4dc1-9b57-2cceb3b97ce5", - "link": "https://learn.microsoft.com/azure/storage/common/storage-redundancy", - "service": "Backup", - "severity": "低", - "text": "使用 Azure 備份時,請使用正確的備份類型(GRS、ZRS 和 LRS)進行備份,因為預設設置為 GRS。", + "checklist": "SAP Checklist", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", + "severity": "高", + "text": "每個 SAP SID 使用一個鄰近放置組。組不跨可用性區域或 Azure 區域", "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "f541acdc-e979-4377-acdb-3751ab2ab13a", - "link": 
"https://learn.microsoft.com/azure/governance/policy/concepts/guest-configuration", - "service": "VM", - "severity": "中等", - "text": "使用 Azure 來賓策略通過 VM 擴展自動部署軟體配置,並強制實施合規的基線 VM 配置。", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "bca3b10e-0ff5-4aec-ac16-4c4bd1a1c13f", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", + "severity": "高", + "text": "根據操作系統的不同,使用以下服務之一來運行 SAP 中心服務群集。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "description": "使用 Azure Policy 的來賓配置功能來審核和修正電腦設置(例如 OS、應用程式、環境),以確保資源與預期配置保持一致,並且更新管理可以強制實施 VM 的修補程式管理。", - "guid": "da6e55d7-d8a2-4adb-817d-6326af625ca4", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-operational-compliance#monitoring-for-configuration-drift", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "ed46b937-913e-4018-9c62-8393ab037e53", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-suse-multi-sid", + "service": "SAP", "severity": "中等", - "text": "通過 Azure Policy 監視 VM 安全配置偏移。", - "waf": "安全" + "text": "Azure 目前不支援將 ASCS 和 DB HA 組合在同一 Linux Pacemaker 群集中;將它們分成單獨的集群。但是,最多可以將五個多個中心服務群集合併到一對 VM 中。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "2476e49f-541a-4cdc-b979-377bcdb3751a", - "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "f656e745-0cfb-453e-8008-0528fa21c933", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery", + "service": "SAP", "severity": "中等", - "text": "使用 Azure Site Recovery 實現 Azure 到 Azure 虛擬機的災難恢復方案。這使您能夠跨區域複製工作負載。", - "waf": "操作" + "text": "在可用性集或可用性區域中的高可用性對中部署兩個 VM。這些 VM 的大小應相同,並具有相同的存儲配置。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.RecoveryServices/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "f625ca44-e569-45f2-823a-ce8cb12308ca", - "link": "https://learn.microsoft.com/azure/backup/backup-center-overview", - "service": "Backup", + "checklist": "SAP Checklist", + "guid": "7f684ebc-95da-425e-b329-e782dbed050f", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-with-hana-ascs-ers-dialog-instance", + "service": "SAP", "severity": "中等", - "text": "使用 Azure 本機備份功能或與 Azure 相容的第三方備份解決方案。", - "waf": "操作" + "text": "Azure 支援在 Red Hat Enterprise Linux (RHEL) 上運行的同一高可用性群集上安裝和配置 SAP HANA 和 ASCS/SCS 和 ERS 實例。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "可靠性" + }, + { + "checklist": "SAP Checklist", + "guid": "07991f7d-6598-4d90-9431-45c62605d3a5", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", + "severity": "高", + "text": "在高級託管 SSD 上運行所有生產系統,並使用 Azure NetApp 檔或超級磁碟存儲。至少OS磁碟應位於高級層,以便您可以獲得更好的性能和最佳SLA。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "89cc5e11-aa4d-4c3b-893d-feb99215266a", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", - "service": "WAF", + "checklist": "SAP Checklist", + "guid": "73cdaecc-7d74-48d8-a040-88416eebc98c", + 
"link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-operations-storage", + "service": "SAP", "severity": "高", - "text": "添加診斷設置以保存來自應用程式交付服務(如 Azure Front Door 和 Azure 應用程式閘道)的 WAF 日誌。定期查看日誌,以檢查攻擊和誤報檢測。", - "waf": "操作" + "text": "應僅在 SAP 認證的存儲類型上運行 Azure 上的 SAP HANA。請注意,某些卷必須在某些磁碟配置(如果適用)上運行。這些配置包括啟用寫入加速器和使用高級存儲。您還需要確保在儲存上運行的檔案系統與在電腦上運行的 DBMS 相容。", + "training": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "microsoft.network/frontdoorwebApplicationFirewalls", - "checklist": "Azure Landing Zone Review", - "guid": "7f408960-c626-44cb-a018-347c8d790cdf", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", - "service": "WAF", - "severity": "中等", - "text": "將 WAF 日誌從應用程式交付服務(如 Azure Front Door 和 Azure 應用程式閘道)發送到 Microsoft Sentinel。檢測攻擊並將 WAF 遙測集成到整個 Azure 環境中。", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "51904867-a70e-4fa0-b4ff-3e6292846d7c", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-overview-guide#storage", + "service": "SAP", + "severity": "高", + "text": "請考慮根據用於 SAP 工作負載的儲存類型配置高可用性。Azure Site Recovery 不支援 Azure 中提供的某些存儲服務,因此高可用性配置可能會有所不同。", + "training": "https://learn.microsoft.com/training/modules/implement-disaster-recovery-for-sap-workloads-azure/2-explore-disaster-recovery-sap-workloads", + "waf": "可靠性" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "5017f154-e3ab-4369-9829-e7e316183687", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "1ac2d928-c9b7-42c6-ba18-23b1aea78693", + "link": "https://azure.microsoft.com/ja-jp/explore/global-infrastructure/products-by-region/", + "service": "SAP", "severity": "高", - "text": "使用 Azure Key Vault 儲存機密和憑據。", - "waf": "安全" + "text": "不同的本機 
Azure 儲存服務(如 Azure 檔存儲、Azure NetApp 檔、Azure 共用磁碟)可能並非在所有區域都可用。因此,若要在故障轉移后在DR區域上設置類似的SAP,請確保在DR網站中提供相應的存儲服務。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "graph": "ResourceContainers | where type=='microsoft.resources/subscriptions'| parse id with '/subscriptions/' SubscriptionID| project subscriptionId, SubscriptionName = name| join kind=leftouter (Resources| where type == 'microsoft.keyvault/vaults'| project id, name, subscriptionId) on subscriptionId| join kind= leftouter (Resources| where type == 'microsoft.keyvault/vaults'| summarize ResourceCount = count() by subscriptionId) on subscriptionId| extend RCount = iff(isnull(ResourceCount), 0, ResourceCount)| project-away ResourceCount| extend compliant = (RCount <> 1)", - "guid": "a0477a20-9945-4bda-9333-4f2491163418", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "925d1f8c-01f3-4a67-948e-aabf0a1fad60", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/optimize-your-azure-costs-by-automating-sap-system-start-stop/ba-p/2120675", + "service": "SAP", "severity": "中等", - "text": "對不同的應用程式和區域使用不同的 Azure Key Vault,以避免事務規模限制並限制對機密的訪問。", - "waf": "安全" + "text": "自動執行 SAP System Start-Stop 以管理成本。", + "waf": "成本" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "2ba52752-6944-4008-ae7d-7e4843276d8b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中等", - "text": "在啟用軟刪除和清除策略的情況下預配 Azure Key Vault,以允許對已刪除物件進行保留保護。", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "71dc00cd-4392-4262-8949-20c05e6c0333", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "低", + "text": "如果將 Azure 高級存儲與 SAP HANA 配合使用,則可以使用 Azure 標準 SSD 
儲存來選擇成本敏感的儲存解決方案。但是,請注意,選擇“標準 SSD”或“標準 HDD Azure”存儲將影響各個 VM 的 SLA。此外,對於具有較低 I/O 輸送量和低延遲的系統(例如非生產環境),可以使用較低系列的 VM。", + "waf": "成本" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "dc055bcf-619e-48a1-9f98-879525d62688", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中等", - "text": "遵循最低特權模型,將永久刪除密鑰、機密和證書的授權限制為專用的自定義 Microsoft Entra ID 角色。", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "9877f353-2591-4e8b-8381-e9043fed1010", + "link": "https://learn.microsoft.com/azure/sap/workloads/hana-vm-premium-ssd-v1", + "service": "SAP", + "severity": "低", + "text": "作為成本較低的替代配置(多用途),可以為非生產 HANA 資料庫伺服器 VM 選擇低性能 SKU。但是,請務必注意,某些 VM 類型(如 E 系列)未經 HANA 認證(SAP HANA 硬體目錄),或者無法實現小於 1 毫秒的存儲延遲。", + "waf": "成本" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "6d70ba6c-97be-4995-8904-83845c986cb2", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", - "severity": "中等", - "text": "使用公共證書頒發機構自動執行證書管理和續訂過程,以簡化管理。", + "checklist": "SAP Checklist", + "guid": "fda1dbf3-dc95-4d48-a7c7-91dca0f6c565", + "link": "https://learn.microsoft.com/azure/well-architected/sap/design-areas/security", + "service": "SAP", + "severity": "高", + "text": "對管理組、訂閱、資源組和資源強制實施 RBAC 模型", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "913156a1-2476-4e49-b541-acdce979377b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "45911475-e39e-4530-accc-d979366bcda2", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "severity": 
"中等", - "text": "建立金鑰和證書輪換的自動化流程。", + "text": "強制實施主體傳播,以便透過雲連接器將身份從 SAP 雲應用程式轉發到 SAP 本地(包括 IaaS)", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/2-explore-azure-virtual-machine-auth-access-control", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "cdb3751a-b2ab-413a-ba6e-55d7d8a2adb1", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5", + "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration", + "service": "SAP", "severity": "中等", - "text": "在保管庫上啟用防火牆和虛擬網路服務終結點或專用終結點,以控制對密鑰保管庫的訪問。", + "text": "使用 SAML 通過 Azure AD 實現 SAP SaaS 應用程式(如 SAP Analytics Cloud、SAP Cloud Platform、Business by Design、SAP Qualtrics 和 SAP C4C)的 SSO。", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "17d6326a-f625-4ca4-9e56-95f2223ace8c", - "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "severity": "中等", - "text": "使用以平臺為中心的 Azure Monitor Log Analytics 工作區來審核 Key Vault 的每個實例中的密鑰、證書和機密使用方式。", + "text": "使用 SAML 對基於 SAP NetWeaver 的 Web 應用程式(如 SAP Fiori 和 SAP Web GUI)實施 SSO。", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "b12308ca-5017-4f15-9e3a-b3693829e7e3", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key 
Vault", + "checklist": "SAP Checklist", + "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", + "service": "SAP", "severity": "中等", - "text": "委託 Key Vault 實例化和特權訪問,並使用 Azure Policy 強制實施一致的合規配置。", + "text": "使用 SAML 對基於 SAP NetWeaver 的 Web 應用程式(如 SAP Fiori 和 SAP Web GUI)實施 SSO。", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "91163418-2ba5-4275-8694-4008be7d7e48", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", + "service": "SAP", "severity": "中等", - "text": "每個應用程式、每個環境、每個區域使用 Azure Key Vault。", + "text": "可以使用SAP NetWeaver SSO 或合作夥伴解決方案將 SSO 實現到 SAP GUI。", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "25d62688-6d70-4ba6-a97b-e99519048384", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", + "service": "SAP", "severity": "中等", - "text": "如果要自帶密鑰,則並非所有考慮的服務都支援此功能。實施相關的緩解措施,使不一致之處不會妨礙預期的結果。選擇適當的區域對和災難恢復區域,以最大程度地減少延遲。", + "text": "對於 SAP GUI 和 Web 瀏覽器存取的 SSO,請實施 SNC/Kerberos/SPNEGO(簡單且受保護的 GSSAPI 協商機制),因為它易於配置和維護。對於使用 X.509 用戶端證書的 SSO,請考慮 SAP 安全登錄伺服器,它是 SAP SSO 解決方案的一個元件。", + "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on", "waf": "安全" }, { - "arm-service": "Microsoft.KeyVault/vaults", - 
"checklist": "Azure Landing Zone Review", - "guid": "4ac6b67c-b3a4-4ff9-8e87-b07a7ce7bbdb", - "link": "https://learn.microsoft.com/industry/sovereignty/key-management", - "service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "6c8bcbf4-5bbe-4609-b8a0-3e97778424d6", + "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", + "service": "SAP", "severity": "中等", - "text": "對於 Sovereign Landing Zone,請使用 Azure Key Vault 託管 HSM 來儲存機密和憑據。", + "text": "對於 SAP GUI 和 Web 瀏覽器存取的 SSO,請實施 SNC/Kerberos/SPNEGO(簡單且受保護的 GSSAPI 協商機制),因為它易於配置和維護。對於使用 X.509 用戶端證書的 SSO,請考慮 SAP 安全登錄伺服器,它是 SAP SSO 解決方案的一個元件。", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "4e5695f2-223a-4ce8-ab12-308ca5017f15", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "16785d6f-a96c-496a-b885-18f482734c88", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", + "service": "SAP", "severity": "中等", - "text": "使用 Microsoft Entra ID 報告功能生成訪問控制審核報告。", - "waf": "安全" - }, - { - "checklist": "Azure Landing Zone Review", - "guid": "09945bda-4333-44f2-9911-634182ba5275", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/concept-cloud-security-posture-management", - "service": "Defender", - "severity": "高", - "text": "為所有訂閱啟用Defender雲安全態勢管理。", + "text": "使用 OAuth for SAP NetWeaver 實現 SSO,以允許第三方或自定義應用程式訪問 SAP NetWeaver OData 服務。", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "36a72a48-fffe-4c40-9747-0ab5064355ba", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/plan-defender-for-servers-select-plan", - "service": "Defender", - "severity": "高", - "text": "在所有訂閱上為伺服器啟用Defender雲工作負載保護計劃。", + "checklist": "SAP Checklist", + "guid": "a747c350-8d4c-449c-93af-393dbca77c48", + "link": 
"https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", + "service": "SAP", + "severity": "中等", + "text": "實現 SSO 到 SAP HANA", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "77425f48-ecba-43a0-aeac-a3ac733ccc6a", - "link": "https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription", - "service": "Defender", - "severity": "高", - "text": "在所有訂閱上為 Azure 資源啟用 Defender 雲工作負載保護計劃。", + "checklist": "SAP Checklist", + "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", + "service": "SAP", + "severity": "中等", + "text": "將 Azure AD 視為 RISE 上託管的 SAP 系統的標識提供者。有關詳細資訊,請參閱將服務與 Azure AD 集成。", "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "24d96b30-61ee-4436-a1cc-d6ef08bc574b", - "link": "https://learn.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection", - "service": "VM", - "severity": "高", - "text": "在 IaaS 伺服器上啟用端點保護。", + "checklist": "SAP Checklist", + "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", + "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", + "service": "SAP", + "severity": "中等", + "text": "對於訪問 SAP 的應用程式,可能需要使用主體傳播來建立 SSO。", "waf": "安全" }, { - "arm-service": "Microsoft.Compute/virtualMachines", - "checklist": "Azure Landing Zone Review", - "guid": "15833ee7-ad6c-46d3-9331-65c7acbe44ab", - "link": "https://learn.microsoft.com/azure/security-center/", - "service": "VM", + "checklist": "SAP Checklist", + "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", + "service": "SAP", "severity": "中等", - "text": "通過 Azure Monitor 紀錄和 Defender for Cloud 監視基本作業系統修補偏移。", + "text": "如果使用的是需要 SAP Identity Authentication Service (IAS) 的 SAP BTP 服務或 SaaS 
解決方案,請考慮在 SAP Cloud Identity Authentication Services 和 Azure AD 之間實現 SSO 以存取這些 SAP 服務。此集成允許 SAP IAS 充當代理標識提供者,並將身份驗證請求轉發到 Azure AD,作為中央使用者存儲和標識提供者。", "waf": "安全" }, { - "arm-service": "Microsoft.Insights/components", - "checklist": "Azure Landing Zone Review", - "guid": "e5f8d79f-2e87-4768-924c-516775c6ea95", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", - "service": "Monitor", + "checklist": "SAP Checklist", + "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", + "service": "SAP", "severity": "中等", - "text": "將預設資源配置連接到集中式 Azure Monitor Log Analytics 工作區。", + "text": "實現 SSO 到 SAP BTP", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "1761e147-f65e-4d09-bbc2-f464f23e2eba", - "link": "https://learn.microsoft.com/industry/sovereignty/transparency-logs", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", + "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", + "service": "SAP", "severity": "中等", - "text": "對於 Sovereign Landing Zone,請在 Entra ID 租戶上啟用透明度日誌。", + "text": "如果使用的是 SAP SuccessFactors,請考慮使用 Azure AD 自動使用者預配。通過此整合,當你向 SAP SuccessFactors 添加新員工時,可以在 Azure AD 中自動建立使用者帳戶。 (可選)可以在 Microsoft 365 或 Azure AD 支援的其他 SaaS 應用程式中建立使用者帳戶。 使用將電子郵件地址寫回 SAP SuccessFactors。", "waf": "安全" }, { - "checklist": "Azure Landing Zone Review", - "guid": "d21a922d-5ca7-427a-82a6-35f7b21f1bfc", - "link": "https://learn.microsoft.com/azure/security/fundamentals/customer-lockbox-overview", - "service": "Entra", + "checklist": "SAP Checklist", + "guid": "6ba28021-4591-4147-9e39-e5309cccd979", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", + "service": "SAP", "severity": "中等", - "text": "對於 Sovereign Landing 
Zone,請在 Entra ID 租戶上啟用客戶密碼箱。", - "waf": "安全" + "text": "對 SAP 訂閱強制實施現有管理組策略", + "training": "https://learn.microsoft.com/training/modules/enterprise-scale-organization/4-management-group-subscription-organization", + "waf": "操作" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "b03ed428-4617-4067-a787-85468b9ccf3f", - "link": "https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "severity": "高", - "text": "啟用到存儲帳戶的安全傳輸。", - "waf": "安全" + "text": "將緊密耦合的應用程式集成到同一個 SAP 訂閱中,以避免額外的路由和管理複雜性", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions", + "waf": "操作" }, { - "arm-service": "Microsoft.Storage/storageAccounts", - "checklist": "Azure Landing Zone Review", - "guid": "159aac9f-863f-4f48-82cf-00c28fa97a0e", - "link": "https://learn.microsoft.com/azure/storage/blobs/data-protection-overview#recommendations-for-basic-data-protection", - "service": "Storage", + "checklist": "SAP Checklist", + "guid": "9cb107d5-325a-4e52-9ba3-4d4685e2213a", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", "severity": "高", - "text": "為存儲帳戶啟用容器軟刪除,以恢復已刪除的容器及其內容。", - "waf": "安全" + "text": "利用訂閱作為縮放單元並擴展我們的資源,請考慮按環境部署訂閱,例如。沙箱、非生產、生產", + "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations", + "waf": "操作" }, { - "arm-service": "Microsoft.KeyVault/vaults", - "checklist": "Azure Landing Zone Review", - "guid": "108d5099-a11d-4445-bd8b-e12a5e95412e", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/development-strategy-development-lifecycle#automated-builds", - 
"service": "Key Vault", + "checklist": "SAP Checklist", + "guid": "ce7bb122-f7c9-45f0-9e15-4e3aa3592829", + "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", + "service": "SAP", "severity": "高", - "text": "使用 Key Vault 機密可避免對敏感資訊(如憑據、虛擬機、用戶密碼)、證書或密鑰進行硬編碼。", + "text": "確保在訂閱預配過程中增加配額(例如,訂閱中可用的 VM 核心總數)", + "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "32e42e36-11c8-418b-8a0b-c510e43a18a9", - "service": "AVS", - "severity": "高", - "text": "確保在本機 Azure 的標識訂閱中部署了 ADDS 域控制器", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "ce4fab2f-433a-4d59-a5a9-3d1032e03ebc", + "link": "https://learn.microsoft.com/rest/api/reserved-vm-instances/quotaapi?branch=capacity", + "service": "SAP", + "severity": "低", + "text": "配額 API 是一個 REST API,可用於查看和管理 Azure 服務的配額。如有必要,請考慮使用它。", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "75089c20-990d-4927-b105-885576f76fc2", - "service": "AVS", - "severity": "中等", - "text": "確保將 ADDS 網站和服務配置為將來自基於 Azure 的資源(包括 Azure VMware 解決方案)的身份驗證請求保留到 Azure 本地", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "cbfad17b-f240-42bf-a1d8-f4f4cee661c8", + "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", + "service": "SAP", + "severity": "高", + "text": "如果部署到可用性區域,請確保在配額獲得批准后,VM 的區域部署可用。提交支援請求,其中包含所需的訂閱、VM 系列、CPU 數量和可用性區域。", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "de3aad1e-7c28-4ec9-9666-b7570449aa80", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "e6e20617-3686-4af4-9791-f8935ada4332", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", + "service": "SAP", "severity": "高", 
- "text": "確保 vCenter 已連接到 ADDS,以啟用基於「指定用戶帳戶」的身份驗證", - "waf": "安全" + "text": "確保所需的服務和功能在所選部署區域內可用,例如。ANF、區域等", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cd289ced-6b17-4db8-8554-61e2aee3553a", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", + "service": "SAP", "severity": "中等", - "text": "確保從 vCenter 到 ADDS 的連接使用安全協定 (LDAPS)", - "waf": "安全" + "text": "利用 Azure 資源標記進行成本分類和資源分組(:BillTo、部門(或營業單位)、環境(生產、階段、開發)、層(Web 層、應用層)、應用程式擁有者、ProjectName)", + "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b9d37dac-43bc-46cd-8d79-a9b24604489a", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", + "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", + "severity": "高", + "text": "使用 Azure 備份服務幫助保護 HANA 資料庫。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-backup-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "可靠性" + }, + { + "checklist": "SAP Checklist", + "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", + "service": "SAP", "severity": "中等", - "text": "vCenter IdP 中的 CloudAdmin 帳戶僅用作緊急帳戶 (break-glass)", - "waf": "安全" + "text": "如果為 HANA、Oracle 或 DB2 資料庫部署 Azure NetApp 檔,請使用 Azure 應用程式一致性快照工具( AzAcSnap )來創建應用程式一致性快照。AzAcSnap 還支援 Oracle 資料庫。請考慮在中央 VM 上使用 AzAcSnap,而不是在單個 VM 上使用 
AzAcSnap。", + "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "53d88e89-d17b-473b-82a5-a67e7a9ed5b3", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "42d37218-a3a7-45df-bff6-1173e7f249ea", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "severity": "高", - "text": "確保 NSX-Manager 與外部身份提供程式 (LDAPS) 集成", - "waf": "安全" + "text": "確保操作系統和 SAP 系統之間的時區匹配。", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae0e37ce-e297-411b-b352-caaab79b198d", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "c3c7abc0-716c-4486-893c-40e181d65539", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", + "service": "SAP", "severity": "中等", - "text": "是否已創建 RBAC 模型以在 VMware vSphere 中使用", - "waf": "安全" + "text": "不要將不同的應用程式服務分組到同一個集群中。例如,不要將DRBD和中央服務集群組合在同一集群上。但是,可以使用同一個 Pacemaker 群集來管理大約五個不同的中心服務(多 SID 群集)。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ab81932c-9fc9-4d1b-a780-36f5e6bfbb9e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "a491dfc4-9353-4213-9217-eef0949f9467", + "link": "https://azure.microsoft.com/pricing/offers/dev-test/", + "service": "SAP", + "severity": "低", + "text": "請考慮在暫停模型中運行開發/測試系統,以節省和優化 Azure 運行成本。", + "waf": "成本" + }, + { + "checklist": "SAP Checklist", + "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", + "link": "https://learn.microsoft.com/azure/lighthouse/overview", + "service": "SAP", "severity": "中等", - "text": "RBAC 許可權應授予 ADDS 組,而不是特定使用者", - "waf": "安全" + "text": "如果通過管理客戶的 SAP 資產與客戶合作,請考慮使用 Azure Lighthouse。Azure 
Lighthouse 允許託管服務提供者使用 Azure 本機標識服務對客戶的環境進行身份驗證。它將控制權交到客戶手中,因為他們可以隨時撤銷訪問許可權並審核服務提供者的行為。", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d503547c-c447-4e82-9128-a71f0f1cac6d", - "service": "AVS", - "severity": "高", - "text": "Azure 中 Azure VMware 解決方案資源的 RBAC 許可權僅「鎖定」為一組有限的擁有者", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "4d116785-d2fa-456c-96ad-48408fe72734", + "link": "https://learn.microsoft.com/azure/update-manager/scheduled-patching?tabs=schedule-updates-single-machine%2Cschedule-updates-scale-overview", + "service": "SAP", + "severity": "中等", + "text": "使用 Azure Update Manager 檢查單個 VM 或多個 VM 的可用更新狀態,並考慮計劃定期修補。", + "training": "https://learn.microsoft.com/training/modules/keep-your-virtual-machines-updated/?source=recommendations", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "fd9f0df4-68dc-4976-b9a9-e6a79f7682c5", - "service": "AVS", - "severity": "高", - "text": "確保所有自定義角色的範圍都具有 CloudAdmin 允許的授權", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "76c8bcbf-45bb-4e60-ad8a-03e97778424d", + "link": "https://learn.microsoft.com/azure/sap/workloads/lama-installation", + "service": "SAP", + "severity": "低", + "text": "使用 SAP Landscape Management (LaMa) 優化和管理 SAP Basis 運營。使用適用於 Azure 的 SAP LaMa 連接器重新置放、複製、克隆和刷新 SAP 系統。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-remote-management/?source=recommendations", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ef1d5e8-32e4-42e3-911c-818b0a0bc510", - "link": "https://github.com/Azure/AzureCAT-AVS/tree/main/networking", - "service": "AVS", - "severity": "高", - "text": "是否為手頭的客戶用例選擇了正確的 Azure VMware 解決方案連接模型", - "waf": "性能" + "checklist": "SAP Checklist", + "guid": "14591147-5e39-4e53-89cc-cd979366bcda", + "link": 
"https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", + "service": "SAP", + "severity": "中等", + "text": "使用用於 SAP 解決方案的 Azure Monitor 監視 Azure 上的 SAP 工作負載(SAP HANA、高可用性 SUSE 群集和 SQL 系統)。請考慮使用 SAP 解決方案管理器補充用於 SAP 解決方案的 Azure Monitor。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eb710a37-cbc1-4055-8dd5-a936a8bb7cf5", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", + "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", + "service": "SAP", "severity": "高", - "text": "確保使用「連接監視器」監視從本地到 Azure 的 ExpressRoute 或 VPN 連接", + "text": "運行適用於 SAP 的 VM 擴展檢查。適用於 SAP 的 VM 擴展使用虛擬機 (VM) 的分配託管標識來訪問 VM 監視和配置數據。該檢查可確保 SAP 應用程式中的所有性能指標都來自適用於 SAP 的基礎 Azure 擴展。", + "training": "https://learn.microsoft.com/training/modules/configure-azure-enhanced-monitoring-extension-for-sap/?source=recommendations", "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "976e24f2-a7f8-426c-9253-2a92a2a7ed99", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", + "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", + "service": "SAP", "severity": "中等", - "text": "確保創建從 Azure 本機資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視 Azure VMware 解決方案後端 ExpressRoute 連接", + "text": "使用 Azure Policy 進行訪問控制和合規性報告。Azure Policy 提供了強制實施組織範圍設置的功能,以確保一致的策略遵守和快速違規檢測。", + "training": "https://learn.microsoft.com/learn/paths/architect-infrastructure-operations/", "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f41ce6a0-64f3-4805-bc65-3ab50df01265", - "service": 
"AVS", + "checklist": "SAP Checklist", + "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", + "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", + "service": "SAP", "severity": "中等", - "text": "確保創建從本地資源到 Azure VMware 解決方案虛擬機的連接監視器,以監視端到端連接", + "text": "使用 Azure 網路觀察程式中的連接監視器監視 SAP 資料庫和應用程式伺服器的延遲指標。或者使用 Azure Monitor 收集和顯示網路延遲度量。", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979", "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "563b4dc7-4a74-48b6-933a-d1a0916a6649", - "service": "AVS", - "severity": "高", - "text": "使用路由伺服器時,請確保從路由伺服器到 ExR 閘道再到本地的路由不超過 1000 個(ARS 限制)。", + "checklist": "SAP Checklist", + "guid": "73686af4-6791-4f89-95ad-a43324e13811", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", + "service": "SAP", + "severity": "中等", + "text": "在預配的 Azure 基礎結構上對 SAP HANA 執行質量檢查,以驗證預配的 VM 是否符合 Azure 上的 SAP HANA 最佳做法。", "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6128a71f-0f1c-4ac6-b9ef-1d5e832e42e3", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "616785d6-fa96-4c96-ad88-518f482734c8", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", + "service": "SAP", "severity": "高", - "text": "是否為在 Azure 門戶中管理 Azure VMware 解決方案資源的角色實現了 Privileged Identity Management(不允許長期許可權)", - "waf": "安全" + "text": "對於每個 Azure 訂閱,請在區域部署之前對 Azure 可用性區域運行延遲測試,以選擇用於在 Azure 上部署 SAP 的低延遲區域。", + "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c4e2436b-b336-4d71-9f17-960eee0b9b5c", - "service": "AVS", - 
"severity": "高", - "text": "應為 Azure VMware 解決方案 PIM 角色實現 Privileged Identity Management 審核報告", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", + "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", + "service": "SAP", + "severity": "中等", + "text": "運行復原報告,確保整個預配的 Azure 基礎結構(計算、資料庫、網路、存儲、Site Recovery)的配置符合適用於 Azure 的 Cloud Adaption Framework 定義的配置。", + "training": "https://learn.microsoft.com/training/paths/azure-well-architected-framework/", + "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "78c447a8-26b2-4863-af0f-1cac599ef1d5", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", + "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", + "service": "SAP", "severity": "中等", - "text": "如果使用 Privileged Identity Management,請確保使用有效的 SMTP 記錄創建啟用了 Entra ID 的有效帳戶,以便 Azure VMware 解決方案自動主機更換通知。(需要長期許可)", + "text": "使用適用於 SAP 的 Microsoft Sentinel 解決方案實施威脅防護。使用此解決方案監視 SAP 系統,並檢測整個業務邏輯和應用程式層的複雜威脅。", + "training": "https://learn.microsoft.com/training/modules/plan-microsoft-sentinel-deployment-sap/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8defc4d7-21d3-41d2-90fb-707ae9eab40e", - "service": "AVS", - "severity": "高", - "text": "將 CloudAdmin 帳戶的使用限制為僅緊急訪問", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", + "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", + "service": "SAP", + "severity": "中等", + "text": "Azure 標記可用於對資源進行邏輯分組和跟蹤,自動執行其部署,最重要的是,提供對所發生成本的可見性。", + "training": "https://learn.microsoft.com/training/modules/analyze-costs-create-budgets-azure-cost-management/?source=recommendations", + "waf": "操作" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d329f798-bc17-48bd-a5a0-6ca7144351d1", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "04b8e5e5-13cb-4b22-af62-5a8ecfcf0337", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-test-latency?tabs=windows", + "service": "SAP", + "severity": "低", + "text": "對延遲敏感型應用程式使用虛擬機間延遲監視。", + "waf": "性能" + }, + { + "checklist": "SAP Checklist", + "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", + "service": "SAP", "severity": "中等", - "text": "在 vCenter 中創建自定義 RBAC 角色,以在 vCenter 中實施最小特權模型", - "waf": "安全" + "text": "使用 Azure Site Recovery 監視來維護 SAP 應用程式伺服器的災難恢復服務的運行狀況。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-storage/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9dd24429-eb72-4281-97a1-51c5bb4e4f18", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", + "service": "SAP", "severity": "中等", - "text": "是定義為定期輪換 cloudadmin (vCenter) 和管理員 (NSX) 憑據的過程", - "waf": "安全" + "text": "從防病毒掃描中排除所有資料庫檔系統和可執行程式。包含它們可能會導致性能問題。請與資料庫供應商聯繫,瞭解排除清單中的規範性詳細資訊。例如,Oracle 建議從防病毒掃描中排除 /oracle}sapdata。", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "586cb291-ec16-4a1d-876e-f9f141acdce5", - "service": "AVS", - "severity": "高", - "text": "使用集中式識別提供者用於在 Azure VMware 解決方案上運行的工作負載 (VM)", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "c027f893-f404-41a9-b33d-39d625a14964", + "link": "https://sapit-forme-prod.authentication.eu11.hana.ondemand.com/login", + "service": "SAP", + "severity": "低", + 
"text": "請考慮在遷移後收集非 HANA 資料庫的完整資料庫統計資訊。例如,實施SAP 註釋1020260 - 交付 Oracle 統計資訊。", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "79377bcd-b375-41ab-8ab0-ead66e15d3d4", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", + "service": "SAP", "severity": "中等", - "text": "是否在 NSX-T 中實施了東西向流量篩選", - "waf": "安全" + "text": "請考慮將 Oracle 自動儲存管理 (ASM) 用於使用 Azure 上的 SAP 的所有 Oracle 部署。", + "training": "https://learn.microsoft.com/training/paths/administer-infrastructure-resources-in-azure/?source=recommendations", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a2adb1c3-d232-46af-825c-a44e1695fddd", - "service": "AVS", - "severity": "高", - "text": "Azure VMware 解決方案上的工作負載不會直接向 Internet 公開。流量由 Azure 應用程式閘道、Azure 防火牆或第三方解決方案進行篩選和檢查", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", + "service": "SAP", + "severity": "中等", + "text": "對於運行 Oracle 的 Azure 上的 SAP,SQL 腳本集合可説明你診斷性能問題。 自動工作負載存儲庫 (AWR) 報告包含用於診斷 Oracle 系統中問題的寶貴資訊。我們建議您在多個工作階段期間運行 AWR 報告,並為其選擇高峰時間,以確保分析的廣泛覆蓋範圍。", + "training": "https://learn.microsoft.com/ja-jp/azure/well-architected/oracle-iaas/performance-efficiency", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "eace4cb1-deb4-4c65-8c3f-c14eeab36938", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", 
"severity": "高", - "text": "對 Azure VMware 解決方案和基於 Azure VMware 解決方案的工作負載的入站 Internet 請求實施審核和日誌記錄", - "waf": "安全" + "text": "使用 Azure Site Recovery 監視來維護 SAP 應用程式伺服器的災難恢復服務的運行狀況。", + "training": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "29e3eec2-1836-487a-8077-a2b5945bda43", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", + "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", + "service": "SAP", "severity": "中等", - "text": "對來自 Azure VMware 解決方案或基於 Azure VMware 解決方案的工作負載的出站 Internet 連接實施會話監視,以識別可疑/惡意活動", + "text": "若要安全交付 HTTP/S 應用,請使用應用程式閘道 v2 並確保啟用 WAF 保護和策略。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "334fdf91-c234-4182-a652-75269440b4be", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "中等", - "text": "是否在 Azure 的 ExR/VPN 閘道子網上啟用了 DDoS 標準防護", - "waf": "安全" + "text": "如果在遷移到 Azure 期間未更改虛擬機器的 DNS 或虛擬名稱,則後台 DNS 和虛擬名稱將連接 SAP 環境中的許多系統介面,並且客戶有時只會知道開發人員隨時間推移定義的介面。遷移后,當虛擬或 DNS 名稱更改時,各種系統之間會出現連接挑戰,建議保留 DNS 別名以防止出現此類困難。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3d3e0843-276d-44bd-a015-bcf219e4a1eb", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": 
"a2858f78-105b-4f52-b7a9-5b0f4439743b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "service": "SAP", "severity": "中等", - "text": "使用專用特權訪問工作站 (PAW) 管理 Azure VMware 解決方案、vCenter、NSX Manager 和 HCX Manager", - "waf": "安全" + "text": "使用不同的 DNS 區域來區分每個環境(沙箱、開發、預生產和生產)。具有自己的 VNet 的 SAP 部署除外;在這裡,私有 DNS 區域可能不是必需的。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9ccbd869-266a-4cca-874f-aa19bf39d95d", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "a3592829-e6e2-4061-9368-6af46791f893", + "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", + "service": "SAP", "severity": "中等", - "text": "為 Azure VMware 解決方案上運行的工作負載啟用高級威脅檢測(Microsoft Defender for Cloud,又名 ASC)", - "waf": "安全" + "text": "本地和全域 VNet 對等互連提供連接,是確保跨多個 Azure 區域的 SAP 部署的登陸區域之間的連接的首選方法", + "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations", + "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "44c7c891-9ca1-4f6d-9315-ae524ba34d45", - "service": "AVS", - "severity": "中等", - "text": "使用適用於伺服器的 Azure ARC 使用 Azure 本機技術正確管理在 Azure VMware 解決方案上運行的工作負載(適用於 Azure VMware 解決方案的 Azure ARC 尚不可用)", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "41742694-3ff8-4ae7-b7d4-743176c8bcbf", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", + "service": "SAP", + "severity": "高", + "text": "不支援在 SAP 應用程式和 SAP 資料庫伺服器之間部署任何 NVA", + "training": "https://me.sap.com/notes/2731110", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"85e12139-bd7b-4b01-8f7b-95ef6e043e2a", - "service": "AVS", - "severity": "低", - "text": "確保 Azure VMware 解決方案上的工作負載在運行時使用足夠的數據加密(如來賓內磁碟加密和 SQL TDE)。(vSAN 靜態加密為預設加密)", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", + "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", + "service": "SAP", + "severity": "中等", + "text": "在需要跨 Azure 區域和本地位置的全域傳輸連接的新網路、大型網路或全球網路中使用虛擬 WAN 進行 Azure 部署。使用此方法,無需手動設置 Azure 網路的可傳遞路由,並且可以遵循 Azure 部署上的 SAP 標準。", + "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a3592718-e6e2-4051-9267-6ae46691e883", - "service": "AVS", - "severity": "低", - "text": "使用來賓內加密時,請盡可能將加密密鑰存儲在 Azure Key Vault 中", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", + "service": "SAP", + "severity": "中等", + "text": "僅當使用合作夥伴 NVA 時,才考慮在區域之間部署網路虛擬設備 (NVA)。如果存在本機 NVA,則不需要區域或 VNet 之間的 NVA。部署合作夥伴網路技術和 NVA 時,請按照供應商的指南驗證與 Azure 網路衝突的配置。", + "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5ac94222-3e13-4810-9230-81a941741583", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "facc08c6-ea95-4641-91cd-fa09e573adbd", + "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture", + "service": "SAP", "severity": "中等", - "text": "請考慮對 Azure VMware 解決方案上運行的工作負載使用擴展的安全更新支援(Azure VMware 解決方案符合 ESU 條件)", - "waf": "安全" + "text": "虛擬 WAN 管理基於虛擬 WAN 的拓撲的分支 VNet 之間的連接(無需設置使用者定義的路由 [UDR] 或 NVA),同一虛擬中心中 VNet 到 
VNet 流量的最大網路輸送量為每秒 50 G。如有必要,SAP 登陸區域可以使用 VNet 對等互連連接到其他登陸區域並克服此頻寬限制。", + "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3ef7ad7c-6d37-4331-95c7-acbe44bbe609", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "82734c88-6ba2-4802-8459-11475e39e530", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "高", - "text": "確保使用適當的 vSAN 資料冗餘方法(RAID 規範)", - "waf": "可靠性" + "text": "不建議將公共IP分配給運行SAP工作負載的 VM。", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d88408f3-7273-44c8-96ba-280214590146", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "9cccd979-366b-4cda-8750-ab1ab039d95d", + "link": "https://learn.microsoft.com/training/modules/protect-on-premises-infrastructure-with-azure-site-recovery/?source=recommendations", + "service": "SAP", "severity": "高", - "text": "確保允許失敗策略已到位,以滿足您的 vSAN 儲存需求", - "waf": "可靠性" + "text": "配置 ASR 時,請考慮在 DR 端保留 IP 位址", + "training": "https://learn.microsoft.com/learn/paths/architect-network-infrastructure/", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d89f2e87-7784-424d-9167-85c6fa95b96a", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "54c7c892-9cb1-407d-9325-ae525ba34d46", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", + "service": "SAP", "severity": "高", - "text": "確保已請求足夠的配額,確保已考慮增長和災難恢復要求", - "waf": "可靠性" + "text": 
"避免對生產網站和DR網站使用重疊的IP位址範圍。", + "training": "https://learn.microsoft.com/training/modules/design-ip-addressing-for-azure/?source=recommendations", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5d38e53f-9ccb-4d86-a266-acca274faa19", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "6e154e3a-a359-4282-ae6e-206173686af4", + "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", + "service": "SAP", "severity": "中等", - "text": "確保瞭解對 ESXi 的訪問限制,其中存在可能影響第三方解決方案的訪問限制。", + "text": "雖然 Azure 確實可以説明您在 VNet 中創建多個委派子網,但 Azure NetApp 檔的 VNet 中只能存在一個委派子網。如果對 Azure NetApp 檔使用多個委託子網,則嘗試創建新卷將失敗。", + "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations", "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf39d95d-44c7-4c89-89ca-1f6d5315ae52", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "d8a03e97-7784-424d-9167-85d6fa96c96a", + "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", + "service": "SAP", "severity": "中等", - "text": "確保您制定了有關ESXi主機密度和效率的策略,並牢記請求新節點的提前期", - "waf": "操作" + "text": "使用 Azure 防火牆管理發往 Internet 的 Azure 出站流量、非 HTTP/S 入站連接和東西向流量篩選(如果組織需要)", + "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ba34d45-85e1-4213-abd7-bb012f7b95ef", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", + "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", + "service": "SAP", "severity": 
"中等", - "text": "確保 Azure VMware 解決方案的良好成本管理流程已到位 - 可以使用 Azure 成本管理", - "waf": "成本" + "text": "當應用程式閘道充當 SAP Web 應用的反向代理時,應用程式閘道和 Web 應用程式防火牆存在限制,如應用程式閘道、SAP Web 調度程式和其他第三方服務之間的比較所示。", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/si/3362959506.html", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6e043e2a-a359-4271-ae6e-205172676ae4", - "service": "AVS", - "severity": "低", - "text": "Azure 預留實例是否用於優化使用 Azure VMware 解決方案的成本", - "waf": "成本" + "checklist": "SAP Checklist", + "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", + "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", + "severity": "中等", + "text": "使用 Azure Front Door 和 WAF 策略跨 Azure 區域為與登陸區域的入站 HTTP/S 連接提供全域保護。", + "training": "https://learn.microsoft.com/training/paths/secure-application-delivery/", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6691e883-5ac9-4422-83e1-3810523081a9", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", + "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", + "service": "SAP", "severity": "中等", - "text": "使用其他 Azure 本機服務時,請考慮使用 Azure 專用連結", + "text": "使用 Azure Front Door 和應用程式閘道保護 HTTP/S 應用程式時,請利用 Azure Front Door 中的 Web 應用程式防火牆策略。鎖定應用程式閘道以僅接收來自 Azure Front Door 的流量。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "db611712-6904-40b4-aa3d-3e0803276d4b", - "service": "AVS", - "severity": "高", - "text": "確保所有必需的資源都駐留在同一個 Azure 可用性區域中", - "waf": "性能" + "checklist": "SAP Checklist", + "guid": "5ada4332-4e13-4811-9231-81aa41742694", + "link": 
"https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", + "service": "SAP", + "severity": "中等", + "text": "使用 Web 應用程式防火牆在流量暴露於 Internet 時對其進行掃描。另一種選擇是將其與負載均衡器或具有內置防火牆功能(如應用程式閘道或第三方解決方案)的資源一起使用。", + "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "48b262d6-cc5f-4512-a253-98e6db9d37da", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", + "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", + "service": "SAP", "severity": "中等", - "text": "為 Azure VMware 解決方案來賓 VM 工作負載啟用 Microsoft Defender for Cloud", - "waf": "安全" + "text": "在需要跨 Azure 區域和本地位置的全域傳輸連接的新網路、大型網路或全球網路中使用虛擬 WAN 進行 Azure 部署。使用此方法,無需手動設置 Azure 網路的可傳遞路由,並且可以遵循 Azure 部署上的 SAP 標準。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "41741583-3ef7-4ad7-a6d3-733165c7acbe", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", + "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", + "service": "SAP", "severity": "中等", - "text": "使用已啟用 Azure Arc 的伺服器管理 Azure VMware 解決方案來賓 VM 工作負載", + "text": "若要防止數據洩露,請使用 Azure 專用連結安全地訪問平臺即服務資源,例如 Azure Blob 存儲、Azure 檔存儲、Azure Data Lake Storage Gen2、Azure 數據工廠等。Azure 專用終結點還有助於保護 VNet 與 Azure 存儲、Azure 備份等服務之間的流量。VNet 與啟用專用終結點的服務之間的流量通過 Microsoft 全球網路傳輸,從而防止其暴露在公共 Internet 上。", + "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure 
VMware Solution Design Review", - "guid": "88f03a4d-2cd4-463c-abbc-868295abc91a", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", + "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", + "service": "SAP", "severity": "高", - "text": "在 Azure VMware 解決方案上啟用診斷和指標日誌記錄", - "waf": "操作" + "text": "請確保在 SAP 應用程式和 DBMS 層中使用的 VM 上啟用了 Azure 加速網路。", + "training": "https://learn.microsoft.com/training/paths/azure-fundamentals-describe-azure-architecture-services/?source=recommendations", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4ed90dae-2cc8-44c4-9b6b-781cbafe6c46", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "3ff8ae7d-7d47-4431-96c8-bcbf45bbe609", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview", + "service": "SAP", "severity": "中等", - "text": "將Log Analytics代理部署到 Azure VMware 解決方案來賓 VM 工作負載", - "waf": "操作" + "text": "請確保將 Azure 負載均衡器的內部部署設置為使用直接伺服器返回 (DSR)。此設置(啟用浮動IP)將減少內部負載均衡器配置用於 DBMS 層上的高可用性配置時的延遲。", + "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "589d457a-927c-4397-9d11-02cad6aae11e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "6791f893-5ada-4433-84e1-3811523181aa", + "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", + "service": "SAP", "severity": "中等", - "text": "確保已針對 Azure VMware 解決方案 VM 工作負載記錄並實施了備份策略和解決方案", - "waf": "操作" + "text": "可以使用應用程式安全組 (ASG) 和 NSG 規則在 SAP 應用程式層和 DBMS 層之間定義網路安全存取控制清單。ASG 對虛擬機進行分組,以説明管理其安全性。", + "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations", + 
"waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ee29711b-d352-4caa-ab79-b198dab81932", - "service": "AVS", - "severity": "中等", - "text": "使用 Microsoft Defender for Cloud 對 Azure VMware 解決方案上運行的工作負載進行合規性監視", - "waf": "安全" + "checklist": "SAP Checklist", + "guid": "45bbe609-d8a0-43e9-9778-424d616785d6", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "高", + "text": "不支援將 SAP 應用程式層和 SAP DBMS 放置在未對等互連的不同 Azure VNet 中。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c9fc9d1b-b780-436f-9e6b-fbb9ed503547", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "fa96c96a-d885-418f-9827-34c886ba2802", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "service": "SAP", "severity": "中等", - "text": "是否將適用的合規性基線添加到 Microsoft Defender for Cloud", - "waf": "安全" + "text": "若要優化 SAP 應用程式的網路延遲,請考慮使用 Azure 鄰近放置組。", + "training": "https://learn.microsoft.com/azure/virtual-machines/co-location#planned-maintenance-and-proximity-placement-groups", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc447e82-6128-4a71-b0f1-cac6d9ef1d5e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "18c8b61c-855a-4405-b6ed-266455e4f4ce", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", "severity": "高", - "text": "在選擇要用於 Azure VMware 解決方案部署的 Azure 區域時是否評估了數據駐留", - "waf": "安全" + "text": "根本不支援在本地和 Azure 之間運行 SAP Application Server 層和 DBMS 層拆分。這兩個層都需要完全駐留在本地或 Azure 中。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "性能" }, { - 
"arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "832e42e3-611c-4818-a0a0-bc510e43a18a", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", + "link": "https://me.sap.com/notes/2015553", + "service": "SAP", + "severity": "高", + "text": "不建議將資料庫管理系統 (DBMS) 和 SAP 系統的應用程式層託管在不同的 VNet 中,並將它們與 VNet 對等互連連接,因為層之間的過多網路流量可能會產生大量成本。建議使用 Azure 虛擬網路中的子網來分隔 SAP 應用程式層和 DBMS 層。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", + "waf": "成本" + }, + { + "checklist": "SAP Checklist", + "guid": "402a9846-d515-4061-aff8-cd30088693fa", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel", + "service": "SAP", "severity": "高", - "text": "數據處理影響(服務提供者/服務消費者模型)是否清晰且有據可查", - "waf": "安全" + "text": "如果將負載均衡器與Linux客戶機作業系統配合使用,請檢查Linux網路參數 net.ipv4.tcp_timestamps是否設置為0。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "547c1747-dc56-4068-a714-435cd19dd244", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "87585797-5551-4d53-bb7d-a94ee415734d", + "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", + "service": "SAP", "severity": "中等", - "text": "僅當出於合規性原因需要時,才考慮將CMK(客戶管理的密鑰)用於 vSAN。", + "text": "對於 SAP RISE/ECS 部署,虛擬對等互連是與客戶現有 Azure 環境建立連接的首選方式。SAP vnet 和客戶 vnet 都受網路安全組 (NSG) 保護,從而通過 VNet 對等互連在 SAP 和資料庫埠上進行通信", "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e43a18a9-cd28-49ce-b6b1-7db8255461e2", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "ff5136bd-dcf1-4d2b-ae52-39333efdf45a", + "link": 
"https://learn.microsoft.com/azure/backup/sap-hana-database-about", + "service": "SAP", "severity": "高", - "text": "創建儀錶板以啟用核心 Azure VMware 解決方案監視見解", - "waf": "操作" + "text": "查看 Azure VM 的 SAP HANA 資料庫備份。", + "waf": "成本" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6b84ee5d-f47d-42d9-8881-b1cd5d1e54a2", - "service": "AVS", - "severity": "高", - "text": "針對 Azure VMware 解決方案性能(CPU >80%、平均記憶體 >80%、vSAN >70%)自動警報的關鍵閾值創建警告警報", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "cafde29d-a0af-4bcd-87c0-0f299d63f0e8", + "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", + "service": "SAP", + "severity": "中等", + "text": "查看用於 SAP 的 Site Recovery 內置監視。", + "waf": "成本" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9659e396-80e7-4828-ac93-5657d02bff45", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "82d7b8de-d3f1-44a0-830b-38e200e82acf", + "link": "https://help.sap.com/docs/SAP_HANA_PLATFORM/c4d7c773af4a4e5dbebb6548d6e2d4f4/e3111d2ebb5710149510cc120646bf3f.html?locale=en-US", + "service": "SAP", "severity": "高", - "text": "確保創建嚴重警示以監控 vSAN 消耗量是否低於 75%,因為這是 VMware 的支援閾值", + "text": "查看監視 SAP HANA 系統環境指南。", "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "64b0d934-a348-4726-be79-d6b5c3a36495", - "service": "AVS", - "severity": "高", - "text": "確保為 Azure 服務運行狀況警報和通知配置警報", + "checklist": "SAP Checklist", + "guid": "c823873a-2bec-4c2a-b684-a1ce8ae80efd", + "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/oracle-database-backup-strategies", + "service": "SAP", + "severity": "中等", + "text": "查看 Azure Linux VM 中的 Oracle 資料庫備份策略。", "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": 
"b6abad38-aad5-43cc-99e1-d86667357c54", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "2943b6d8-1d31-4e19-ade7-78e6b26d1962", + "link": "https://learn.microsoft.com/sql/relational-databases/tutorial-use-azure-blob-storage-service-with-sql-server-2016?view=sql-server-ver16", + "service": "SAP", "severity": "中等", - "text": "將 Azure VMware 解決方案記錄設定為發送到 Azure 儲存帳戶或 Azure EventHub 進行處理", + "text": "查看 Azure Blob 儲存與 SQL Server 2016 的配合。", "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9674c5ed-85b8-459c-9733-be2b1a27b775", - "service": "AVS", - "severity": "低", - "text": "如果需要深入瞭解 VMware vSphere:解決方案中是否使用了 vRealize Operations 和/或 vRealize Network Insights?", + "checklist": "SAP Checklist", + "guid": "b82e650f-676d-417d-994d-fc33ca54ec14", + "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/automated-backup?view=azuresql", + "service": "SAP", + "severity": "中等", + "text": "查看 Azure VM 自動備份 v2 的使用方式。", "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "a91be1f3-88f0-43a4-b2cd-463cbbbc8682", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "347c2dcc-e6eb-4b04-80c5-628b171aa62d", + "service": "SAP", "severity": "高", - "text": "確保虛擬機的 vSAN 儲存策略不是預設存儲策略,因為此策略應用厚置備", + "text": "使用進階磁碟時開啟M系列的寫入加速器(V1)", "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d9ef1d5e-832d-442e-9611-c818b0afbc51", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "b96512cf-996f-4b17-b9b8-6b16db1a2a94", + "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test", + "service": "SAP", "severity": "中等", - "text": "確保未將 vSphere 內容庫放置在 vSAN 上,因為 vSAN 是有限的資源", - "waf": "操作" + "text": "測試可用性區域延遲。", + "waf": "性能" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0e43a18a-9cd2-489b-bd6b-17db8255461e", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "9fd7ffd4-da11-49f6-a374-8d03e94c511d", + "link": "https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html", + "service": "SAP", "severity": "中等", - "text": "確保備份解決方案的數據存儲庫存儲在 vSAN 儲存之外。在 Azure 本機或磁碟池支持的數據存儲中", - "waf": "操作" + "text": "為所有 SAP 元件啟動 SAP EarlyWatch Alert。", + "training": "https://help.sap.com/docs/SUPPORT_CONTENT/techops/3362700736.html", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "2aee3453-aec8-4339-848b-262d6cc5f512", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "b9b140cf-413a-483d-aad2-8802c4e3c017", + "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-general-update-march-2019/ba-p/377456", + "service": "SAP", "severity": "中等", - "text": "確保使用 Azure Arc for Servers 進行混合管理,確保在 Azure VMware 解決方案上運行的工作負載(Arc for Azure VMware 解決方案處於預覽狀態)", - "waf": "操作" + "text": "使用 SAP ABAPMeter 報表 /SSA/CAT 查看 SAP 應用程式伺服器到資料庫伺服器的延遲。", + "training": "https://me.sap.com/notes/0002879613", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "925398e6-da9d-437d-ac43-bc6cd1d79a9b", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "62fbf0f8-51db-49e1-a961-bb5df7a35f80", + "service": "SAP", "severity": "中等", - "text": "確保使用 Azure Log Analytics 和 Azure Monitor 監視在 Azure VMware 解決方案上運行的工作負載", - "waf": "操作" + "text": "查看使用 CCMS 的 SQL Server 性能監視。", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "24604489-a8f4-42d7-ae78-cb6a33bd2a09", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "35709da7-fc7d-4efe-bb20-2e91547b7390", + 
"link": "https://me.sap.com/notes/500235", + "service": "SAP", "severity": "中等", - "text": "在現有更新管理工具或 Azure 更新管理中包括在 Azure VMware 解決方案上運行的工作負載", - "waf": "操作" + "text": "測試 SAP 應用程式層 VM 和 DBMS VM (NIPING) 之間的網路延遲。", + "training": "https://me.sap.com/notes/1100926/E", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "17e7a8d9-0ae0-4e27-aee2-9711bd352caa", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "9e9bb4c8-e934-4e4b-a13c-6f7c7c38eb43", + "link": "https://learn.microsoft.com/en-us/azure/sap/large-instances/hana-monitor-troubleshoot", + "service": "SAP", "severity": "中等", - "text": "使用 Azure Policy 在 Azure 管理、監視和安全解決方案中加入 Azure VMware 解決方案工作負載", - "waf": "操作" + "text": "查看 SAP HANA Studio 警報。", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "aee3553a-fc83-4392-98b2-62d6cc5f5129", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "f1a92ab5-9509-4b57-86ff-b0ade361b694", + "link": "https://me.sap.com/notes/1969700", + "service": "SAP", "severity": "中等", - "text": "確保在 Azure VMware 解決方案上運行的工作負載已載入 Microsoft Defender for Cloud", - "waf": "安全" + "text": "使用 HANA_Configuration_Minichecks 執行 SAP HANA 執行狀況檢查。", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "25398e6d-b9d3-47da-a43b-c6cd1d79a9b2", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "severity": "中等", - "text": "確保備份不存儲在 vSAN 上,因為 vSAN 是有限的資源", - "waf": "可靠性" + "text": "如果在 Azure、本地或其他雲環境中運行 Windows 和 Linux VM,則可以使用 Azure 自動化中的更新管理中心來管理作業系統更新,包括安全修補程式。", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview", + "waf": "安全" 
}, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "5e6bfbb9-ed50-4354-9cc4-47e826028a71", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "service": "SAP", "severity": "中等", - "text": "是否考慮了所有災難恢復解決方案,並決定了最適合您業務的解決方案?[SRM/JetStream/Zerto/Veeam/...]", - "waf": "可靠性" + "text": "定期查看 SAP 安全 OSS 說明,因為 SAP 會發佈高度關鍵的安全補丁或熱修復程式,需要立即採取行動來保護 SAP 系統。", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "f0f1cac6-d9ef-41d5-b832-d42e3611c818", - "service": "AVS", - "severity": "中等", - "text": "當災難恢復技術是本機 Azure IaaS 時,請使用 Azure Site Recovery", - "waf": "可靠性" + "checklist": "SAP Checklist", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", + "severity": "低", + "text": "對於 SQL Server 上的 SAP,可以禁用 SQL Server 系統管理員帳戶,因為 SQL Server 上的 SAP 系統不使用該帳戶。在禁用原始系統管理員帳戶之前,請確保具有系統管理員許可權的其他使用者可以訪問伺服器。", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b0afbc51-0e43-4a18-a9cd-289bed6b17db", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "service": "SAP", "severity": "高", - "text": "將自動恢復計劃與任一災難解決方案結合使用,盡可能避免手動任務", - "waf": "可靠性" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "8255461e-2aee-4345-9aec-8339248b262d", - "service": "AVS", - 
"severity": "中等", - "text": "使用地緣政治區域對作為輔助災難恢復環境", - "waf": "可靠性" + "text": "禁用xp_cmdshell。SQL Server 功能xp_cmdshell啟用 SQL Server 內部作業系統命令行介面。這是安全審計中的潛在風險。", + "training": "https://me.sap.com/notes/3019299/E", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "6cc5f512-9253-498e-9da9-d37dac43bc6c", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "高", - "text": "在區域之間使用 2 個不同的地址空間,例如:10.0.0.0/16 和 192.168.0.0/16 用於不同的區域", - "waf": "可靠性" + "text": "加密 Azure 上的 SAP HANA 資料庫伺服器使用 SAP HANA 本機加密技術。此外,如果在 Azure 上使用 SQL Server,請使用透明數據加密 (TDE) 來保護數據和日誌檔,並確保備份也已加密。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d1d79a9b-2460-4448-aa8f-42d78e78cb6a", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", + "service": "SAP", "severity": "中等", - "text": "ExpressRoute Global Reach 是用於主 Azure VMware 解決方案私有雲和輔助 Azure VMware 解決方案私有雲之間的連接,還是通過網路虛擬設備完成路由?", - "waf": "可靠性" + "text": "為所有 Azure 資源管理器和經典記憶體啟用了 Azure 儲存加密,並且無法禁用。由於預設情況下數據是加密的,因此無需修改代碼或應用程式即可使用 Azure 儲存加密。", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "33bd2a09-17e7-4a8d-a0ae-0e27cee29711", - "service": "AVS", - "severity": "中等", - "text": "是否考慮了所有備份解決方案,並決定了最適合您業務的解決方案?[ MABS/CommVault/Metallic.io/Veeam/ .", - 
"waf": "可靠性" + "checklist": "SAP Checklist", + "guid": "ce9bd3bb-0cdb-43b5-9eb2-ec14eeaa3592", + "link": "https://learn.microsoft.com/azure/key-vault/general/overview", + "service": "SAP", + "severity": "高", + "text": "使用 Azure Key Vault 儲存機密和憑據", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bd352caa-ab79-4b18-adab-81932c9fc9d1", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "829e2edb-2173-4676-aff6-691b4935ada4", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", + "service": "SAP", "severity": "中等", - "text": "將備份解決方案部署在與 Azure VMware 解決方案私有雲相同的區域中", - "waf": "可靠性" + "text": "建議在成功部署后鎖定 Azure 資源,以防止未經授權的更改。還可以使用自定義的 Azure 策略(自定義角色)在每個訂閱的基礎上強制實施 LOCK 約束和規則。", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bb77036f-5e6b-4fbb-aed5-03547cc447e8", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", + "service": "SAP", "severity": "中等", - "text": "在 vSan 外部的 Azure 本機組件上部署備份解決方案", - "waf": "可靠性" + "text": "預配啟用軟刪除和清除策略的 Azure Key Vault,以允許對已刪除物件進行保留保護。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "26028a71-f0f1-4cac-9d9e-f1d5e832d42e", - "service": "AVS", - "severity": "低", - "text": "是否已制定請求還原由 Azure 平臺管理的 VMware 元件的流程?", - "waf": "可靠性" + "checklist": "SAP 
Checklist", + "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "service": "SAP", + "severity": "高", + "text": "根據現有要求、法規和合規性控制(內部/外部) - 確定所需的 Azure 策略和 Azure RBAC 角色", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4604489a-8f42-4d78-b78c-b7a33bd2a0a1", - "service": "AVS", - "severity": "低", - "text": "對於手動部署,必須記錄所有配置和部署", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "高", + "text": "在 SAP 環境中啟用 Microsoft Defender for Endpoint 時,建議排除 DBMS 伺服器上的數據和日誌檔,而不是面向所有伺服器。排除目標檔時,請遵循 DBMS 供應商的建議。", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "7e7a8d90-ae0e-437c-be29-711bd352caaa", - "service": "AVS", - "severity": "低", - "text": "對於手動部署,請考慮實施資源鎖,以防止對 Azure VMware 解決方案私有雲執行意外操作", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "service": "SAP", + "severity": "高", + "text": "委派具有 Microsoft Defender for Cloud 實時訪問許可權的 SAP 管理員自定義角色。", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware 
Solution Design Review", - "guid": "b79b198d-ab81-4932-a9fc-9d1bb78036f5", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", "severity": "低", - "text": "對於自動化部署,請部署最小的私有雲並根據需要進行擴展", - "waf": "操作" + "text": "通過將第三方安全產品與 DIAG (SAP GUI)、RFC 和 SPNEGO for HTTPS 的安全網路通信 (SNC) 集成,對傳輸中的數據進行加密", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e6bfbb9e-d503-4547-ac44-7e826128a71f", - "service": "AVS", - "severity": "低", - "text": "對於自動部署,請在開始部署之前請求或預留配額", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", + "service": "SAP", + "severity": "中等", + "text": "對於主體加密功能,預設使用 Microsoft 管理的金鑰,並在需要時使用客戶管理的密鑰。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "0f1cac6d-9ef1-4d5e-a32e-42e3611c818b", - "service": "AVS", - "severity": "低", - "text": "對於自動部署,請確保通過自動化或 Azure Policy 創建相關資源鎖,以便進行適當的治理", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "service": "SAP", + "severity": "高", + "text": "對每個應用程式、每個環境、每個區域使用 Azure Key Vault。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations", + "waf": "安全" }, { - "arm-service": 
"Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e2cc95d4-8c6b-4791-bca0-f6c56589e558", - "service": "AVS", - "severity": "低", - "text": "為 ExR 授權金鑰實現人類可理解的名稱,以便輕鬆識別密鑰的目的/用途", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "service": "SAP", + "severity": "高", + "text": "若要控制和管理非 HANA Windows 和非 Windows 作業系統的磁碟加密密鑰和機密,請使用 Azure Key Vault。Azure Key Vault 不支援 SAP HANA,因此必須使用 SAP ABAP 或 SSH 密鑰等替代方法。", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "255461e2-aee3-4553-afc8-339248b262d6", - "service": "AVS", - "severity": "低", - "text": "當使用單獨的服務原則部署 Azure VMware 解決方案和 ExpressRoute 時,請使用 Key Vault 儲存機密和授權密鑰", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "service": "SAP", + "severity": "高", + "text": "為 Azure 上的 SAP 分支訂閱自定義基於角色的訪問控制 (RBAC) 角色,以避免與網路相關的意外更改", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "cc5f5129-2539-48e6-bb9d-37dac43bc6cd", - "service": "AVS", - "severity": "低", - "text": "當需要在 Azure VMware 解決方案中/上部署許多資源時,定義用於在 IaC 中序列化操作的資源依賴項,因為 Azure VMware 解決方案僅支援有限數量的並行操作。", - "waf": "操作" + "checklist": "SAP Checklist", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "service": "SAP", + "severity": "高", + "text": "將 DMZ 和 NVA 與 SAP 資產的其餘部分隔離,配置 Azure 
專用連結,並安全地管理和控制 Azure 上的 SAP 資源", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1d79a9b2-4604-4489-a8f4-2d78e78cb7a3", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "service": "SAP", "severity": "低", - "text": "使用單個 Tier-1 閘道執行 NSX-T 分段的自動配置時,請使用 Azure 門戶 API 而不是 NSX-Manager API", - "waf": "操作" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3bd2a0a1-7e7a-48d9-8ae0-e37cee29711b", - "service": "AVS", - "severity": "中等", - "text": "打算使用自動橫向擴展時,請務必為運行 Azure VMware 解決方案的訂閱申請足夠的 Azure VMware 解決方案配額", - "waf": "性能" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d352caaa-b79b-4198-bab8-1932c9fc9d1b", - "service": "AVS", - "severity": "中等", - "text": "打算使用自動縮減時,請務必在執行此操作之前考慮存儲策略要求", - "waf": "性能" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "b78036f5-e6bf-4bb9-bd50-3547cc447e82", - "service": "AVS", - "severity": "中等", - "text": "擴展操作始終需要在單個 SDDC 中序列化,因為一次只能執行一個擴展操作(即使使用多個集群也是如此)", - "waf": "性能" + "text": "請考慮在 Azure 上使用 Microsoft 反惡意軟體來保護虛擬機免受惡意檔、廣告軟體和其他威脅的侵害。", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bf15bce2-19e4-4a0e-a588-79424d226786", - "service": "AVS", - "severity": "中等", - "text": "考慮並驗證體系結構中使用的第三方解決方案的縮放操作(支援與否)", - "waf": "性能" + "checklist": "SAP Checklist", + 
"guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "service": "SAP", + "severity": "低", + "text": "若要獲得更強大的保護,請考慮使用 Microsoft Defender for Endpoint。", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "d20b56c5-7be5-4851-a0f8-3835c586cb29", - "service": "AVS", - "severity": "中等", - "text": "在自動化中為環境定義和強制實施橫向擴展/橫向擴展最大限制", - "waf": "性能" + "checklist": "SAP Checklist", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "service": "SAP", + "severity": "高", + "text": "通過中心虛擬網路傳遞所有流量,將 SAP 應用程式和資料庫伺服器與 Internet 或本地網路隔離開來,該中心虛擬網路通過虛擬網路對等互連連接到分支網路。對等互連虛擬網路保證 Azure 上的 SAP 解決方案與公共 Internet 隔離。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "1dc15a1c-075e-4e9f-841a-cccd579376bc", - "service": "AVS", + "checklist": "SAP Checklist", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "service": "SAP", + "severity": "低", + "text": "對於面向 Internet 的應用程式(如 SAP Fiori),請確保根據應用程式要求分配負載,同時保持安全級別。對於第 7 層安全性,可以使用 Azure 市場中提供的第三方 Web 應用程式防火牆 (WAF)。", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "waf": "安全" + }, + { + "checklist": "SAP Checklist", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": 
"https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", + "service": "SAP", "severity": "中等", - "text": "實施監控規則以監控自動擴展操作,並監控成功和失敗,以啟用適當的(自動化)回應", - "waf": "操作" + "text": "若要在用於 SAP 解決方案的 Azure Monitor 中啟用安全通信,可以選擇使用根證書或伺服器證書。我們強烈建議您使用根證書。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "waf": "安全" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c5972cd4-cd21-4b07-9036-f5e6b4bfd3d5", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "4238f409-2ea0-43be-a06b-2a993c98aa7b", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "severity": "高", - "text": "使用 MON 時,請注意同時配置的 VM 的限制(HCX 的 MON 限制 [400 - 標準,1000 - 大型設備])", - "training": "https://learn.microsoft.com/learn/modules/configure-azure-ad-application-proxy/", + "text": "根據您的業務和 SLO 要求選擇正確的功能託管計劃", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "be1f38cf-03a8-422b-b463-cbbbc8ac299e", - "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "a9808100-d640-4f77-ac56-1ec0600f6752", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans", + "service": "Azure Functions", "severity": "高", - "text": "使用 MON 時,不能在超過 100 個網路分機上啟用 MON", - "training": "https://learn.microsoft.com/learn/paths/implement-applications-external-access-azure-ad/", + "text": 
"利用區域適用的可用區(不適用於消耗層)", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "bc91a43d-90da-4e2c-a881-4706f7c1cbaf", - "service": "AVS", - "severity": "中等", - "text": "如果使用 VPN 連接進行遷移,請相應地調整 MTU 大小。", - "waf": "性能" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e614658d-d457-4e92-9139-b821102cad6e", - "service": "AVS", - "severity": "中等", - "text": "對於連接到 Azure(500Mbps 或更低)的低連接區域,請考慮部署 HCX WAN 優化設備", - "waf": "性能" - }, - { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "ae01e6e8-43e5-42f4-922d-928c1b1cd521", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "5969d03e-eacf-4042-b127-73c55e3575fa", + "link": "https://learn.microsoft.com/en-us/azure/reliability/reliability-functions?tabs=azure-portal#cross-region-disaster-recovery-and-business-continuity", + "service": "Azure Functions", "severity": "中等", - "text": "確保從本地裝置啟動遷移,而不是從雲端裝置啟動遷移(不要執行反向遷移)", + "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "e54a29a9-de39-4ac0-b7c2-8dc935657202", - "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", - "service": "AVS", - "severity": "中等", - "text": "使用 Azure Netapp Files 擴展 Azure VMware 解決方案的儲存時,請考慮將其用作 VMware 資料儲存庫,而不是直接附加到 VM 。", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "47a0aae0-d8a0-43b1-9791-e934dee3754c", + "link": "https://learn.microsoft.com/en-us/azure/app-service/environment/intro", + "service": "Azure Functions", + "severity": "高", + "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution 
Design Review", - "guid": "bff4564b-0d93-44a3-98b2-63e7dd60513a", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", - "service": "AVS", - "severity": "中等", - "text": "確保將專用 ExpressRoute 閘道用於外部資料儲存解決方案", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "17232891-f89f-4eaa-90f1-3b34bf798ed5", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/dedicated-plan#always-on", + "service": "Azure Functions", + "severity": "高", + "text": "確保為應用服務計劃上運行的所有函數應用啟用“始終開啟”", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "3649906e-bad3-48ea-b53c-c7de1d8aaab3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", - "service": "AVS", + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "40a325c2-7c0e-49e6-86d8-c273b4dc21ba", + "link": "https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations?tabs=azure-cli#shared-storage-accounts", + "service": "Azure Functions", "severity": "中等", - "text": "確保在用於外部數據存儲解決方案的 ExpressRoute 閘道上啟用了 FastPath", + "text": "將函數應用與其自己的存儲帳戶配對。盡量不要重用函數應用的存儲帳戶,除非它們緊密耦合", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "571549ab-8153-4d89-b89d-c7b33be2b1a2", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group", - "service": "AVS", - "severity": "高", - "text": "如果使用延伸群集,請確保供應商支援所選的災難恢復解決方案", - "waf": "可靠性" + "arm-service": "Microsoft.Web/sites", + "checklist": "Azure Function Review", + "guid": "bb42650c-257d-4cb0-822a-131138b8e6f0", + "link": "https://learn.microsoft.com/en-us/training/modules/deploy-azure-functions/", + "service": "Azure Functions", + 
"severity": "中等", + "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護函數應用代碼", + "waf": "操作" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "4c486b6d-8bdc-4059-acf7-5ee8a1309888", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#select-good-health-probe-endpoints", - "service": "AVS", - "severity": "高", - "text": "如果使用延伸群集,請確保提供的 SLA 符合您的要求", + "checklist": "Identity Review Checklist", + "guid": "bb235c70-5e17-496f-bedf-a8a4c8cdec4c", + "link": "https://learn.microsoft.com/entra/identity-platform/msal-acquire-cache-tokens", + "service": "Entra", + "severity": "中等", + "text": "使用長期可撤銷令牌,緩存令牌並使用 Microsoft 標識庫以靜默方式獲取令牌", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "9579d66b-896d-471f-a6ca-7be9955d04c3", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes", - "service": "AVS", - "severity": "高", - "text": "如果使用延伸群集,請確保兩條 ExpressRoute 線路都連接到連接中心。", + "checklist": "Identity Review Checklist", + "guid": "503547c1-447e-4c66-828a-71f0f1ce16dd", + "link": "https://learn.microsoft.com/azure/active-directory-b2c/deploy-custom-policies-devops", + "service": "AAD B2C", + "severity": "中等", + "text": "請確保登錄使用者流已備份並具有復原能力。請確保用於登錄使用者的代碼已備份且可恢復。與外部進程的彈性介面", "waf": "可靠性" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "c49d987c-b3d1-4325-aa12-4b6e4d0685ed", - "link": "https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity", - "service": "AVS", - "severity": "高", - "text": "如果使用延伸群集,請確保兩條 ExpressRoute 線路都啟用了 GlobalReach。", - "waf": "可靠性" + "checklist": "Identity Review Checklist", + "guid": "3e3553a4-c873-4964-ab66-2d6c15f51296", + "link": "https://learn.microsoft.com/entra/architecture/resilient-end-user-experience#use-a-content-delivery-network", + "service": "AAD B2C", + 
"severity": "中等", + "text": "自訂品牌資產應託管在CDN上", + "waf": "性能" }, { - "arm-service": "Microsoft.AVS/privateClouds", - "checklist": "Azure VMware Solution Design Review", - "guid": "dce9793b-7bcd-4b3b-91eb-2ec14eea6e59", - "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", - "service": "AVS", - "severity": "高", - "text": "是否正確考慮了網站容災設置,並在需要時為您的業務進行了更改。", + "checklist": "Identity Review Checklist", + "guid": "5398e6df-d237-4de1-93b1-6c21d79a9b64", + "link": "https://learn.microsoft.com/entra/identity/monitoring-health/reference-sla-performance", + "service": "AAD B2C", + "severity": "低", + "text": "擁有多個標識提供者(即使用您的 Microsoft、Google、Facebook 帳戶登錄)", "waf": "可靠性" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3b7a56de-5020-4642-b3cb-c976e80b6d6d", - "link": "https://learn.microsoft.com/azure/logic-apps/single-tenant-overview-compare", - "service": "Logic Apps", - "severity": "高", - "text": "根據業務和 SLO 要求選擇正確的邏輯應用託管計劃", + "checklist": "Identity Review Checklist", + "guid": "604489a8-f42d-478e-98c0-7a73b22a4a57", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "中等", + "text": "遵循 VM 規則,實現 VM 級別的高可用性(高級磁碟,一個區域中的兩個或更多磁碟,位於不同的可用性區域)", "waf": "可靠性" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "3d7008bd-6bc1-4b03-8aa8-ec2a3b55786a", - "link": "https://learn.microsoft.com/azure/logic-apps/set-up-zone-redundancy-availability-zones?tabs=standard#next-steps", - "service": "Logic Apps", - "severity": "高", - "text": "使用區域冗餘和可用性區域保護邏輯應用免受區域故障的影響", + "checklist": "Identity Review Checklist", + "guid": "e7a8dd4a-30e3-47c3-b297-11b2362ceee0", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "中等", + "text": "不要複製!複製可能會產生目錄同步問題", "waf": "可靠性" 
}, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "1cda768f-a206-445d-8234-56f6a6e7286e", - "link": "https://learn.microsoft.com/azure/logic-apps/business-continuity-disaster-recovery-guidance?toc=%2Fazure%2Freliability%2Ftoc.json&bc=%2Fazure%2Freliability%2Fbreadcrumb%2Ftoc.json", - "service": "Logic Apps", - "severity": "高", - "text": "考慮為關鍵工作負載制定跨區域災難恢復策略", + "checklist": "Identity Review Checklist", + "guid": "79b598de-fc59-472c-b4cd-21b078036f5e", + "link": "https://azure.microsoft.com/blog/setting-up-active-directory-for-a-disaster-recovery-environment-2/", + "service": "Windows AD", + "severity": "中等", + "text": "對多區域具有主動-主動", "waf": "可靠性" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "82118ec5-ed6f-4c68-9471-eb0da98a1b34", - "link": "https://learn.microsoft.com/azure/app-service/environment/intro", - "service": "Logic Apps", - "severity": "高", - "text": "如果部署到獨立環境,請使用或遷移到應用服務環境 (ASE) v3", + "checklist": "Identity Review Checklist", + "guid": "6b4bfd3d-5035-447c-8447-ec66128a71f0", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", + "severity": "中等", + "text": "將 Azure AD 域服務標記添加到其他區域和位置", "waf": "可靠性" }, { - "arm-service": "Microsoft.Web/sites", - "checklist": "Logic Apps checklist", - "guid": "74275fa5-9e08-4c7e-b096-13b538fe1501", - "link": "https://learn.microsoft.com/training/modules/deploy-azure-functions/", - "service": "Logic Apps", + "checklist": "Identity Review Checklist", + "guid": "f1ce16dd-3f1d-45e8-92e4-2e3611cc58b4", + "link": "https://learn.microsoft.com/entra/identity/domain-services/tutorial-perform-disaster-recovery-drill", + "service": "Entra", "severity": "中等", - "text": "利用 Azure DevOps 或 GitHub 簡化 CI/CD 並保護邏輯應用代碼", - "waf": "操作" + "text": "將副本集用於DR", + "waf": "可靠性" } ], "metadata": { "name": "WAF checklist", - "timestamp": "August 05, 2024" + "timestamp": 
"August 08, 2024" }, "severities": [ { 
diff --git a/spreadsheet/macrofree/checklist.en.master.xlsx b/spreadsheet/macrofree/checklist.en.master.xlsx index 9bb2b309883cc86f44dd67a5542123760fd3ac54..8fd65efe1e9ef3d655b7c686e9c5e5939219b983 100644 GIT binary patch literal 439831 zcmY(qby!sE_dZMs2uODgAi@xm5>i8>ba%IOcPk|&(%s!4-HkK~3?0%nbPe^6=kq>Zq0 zjT{_UJZx>`Cgjk2*f5aSI+fiTQ@&E>V~PuY&1{=saSd)@u>Ar(K0*T7d3p|!<+6m+ z&^07WoU&}%a&ip55}thx6&e}N`I@uoUCF*27+FJ#l@Fjq?9H_W2L!WY@Q(gztlpbu zk+g7~NECIi&>Q9cq!?~DhYm4f&$hZo$hX17ZvHJ@mWn@`aRA_$q zZ!47?^!C(+Cp4G&d!HgN`(XPMdq27EWrR1it_D9e88XSHGr+kh0L_&9l zZ}GO&sEV{j`e^tcBJ|NNX2q1=2_wGSEdUJ&2XQ~(Wazag;wH?65pJdJB=Jip z!IWy%sLG(7=IznNPMnq7`D#nb8>N|)|Ip%T->FiX8uATzL^G_c%QL8%4CV$s9WpL_ zW0$XnKP#CNcI8ZTYBJKI39_TDtfrPXDj)O+qJ8JNy6@zI;e}__+@RNhE3W+egA#(3 zyO$uYkqJm+Zz0+ue(g`o_O?wfcW{>K*Yel7KCCeByr|W6Uo$0QC#2pQz{z#R+di({ z@b#gQ`%FV^lx??gJNSdUO52&55j;e=$#-kP$V0G;xuhF?jkO)r0l3*3(Cy@(>ilZ0 zv9RUlS;>l$4GdD_C(R(>xhR@LuyiV$S}y$|Ak|HD;mvd-`OTN0t+DHl=|-Mjcdi;P zbqSg2CR@w8LG_^3V1_~uksyJebPNa?_#&ZX~ z)r08$2vidB`b7|)P#KvVGe(G)*tbEa6$p_>^u0cuIk#Z#e1cYGWm&DgipKnU z;``muXsLT}KrgWifeUX9(N8G+ffz>up+8_6ZjnPhzHGOejw|^`0SBIaI5aS;RjZ1zSzpj&m_q#7A^n3|Mkp!u& z_-#>8-u_=h19NaDQFDl*_^ozvVVvDwzdVE^>1ed$4&x9@h+0H&PewGQuyrfu%Ap8Zq>i)`a3`J9`ZNXY`ku5R>6ZHzM?$xcPOH zV2JGyn^&X#Z^vAkW?DoFCvgU-roW*;J-&jHrdG-7D5KukEqL4R@TD5>yf2f=Hu$a_x{JjFrM1)x!&-fGU&BO!t_;(RKczHRlmwV^E## z6;3}iU|vemaQD~Su*eIVdAH$yN$uv$mQO@>)rtEVU-IqW`Xvr$u5H8%0?OB#ZCK8 zAKqii_);D%6l_C{qhNSDY5MRoHkmA*7W+VgXVRs6 z%#rD;NT$-<-z%{$F(cAjko+f?U<6&HT)d^!DqcF*9O{ST{$-Pmfan`Nq!2VldGjt7 z94EUmmi6E@eN9IOJ-No*GhFi;2^@+6ORrq~xLc&m)rmd)*;r0J{e%L}b&*bIoFd3# zaN_svRK)yR?g-x|v5v0c-*sp|nk&`oSAC@0o&puK)n`=BFQ#WRD2Oz%@e7%%YSLO~ z(~dn!nWZY!irLR+hturc98hCdgN9wj3z7wZ{DH~>>Fq`7ra^7)iF)$+?0@p@gnoPu z0knu{)|QF1ZhCj}%VH{@_fdA#|3dhy18rSmKol#;Nl zL6fM-ToqoS%j-XN++^WBWshC`tG9Ns#IxSKS@oPWN4s^>B5z{ltp+bw8GnW~2{-Fn zMN5nM``114jpXtXqfS@pb>k@CkY4kuhgsGM6z^|+ z8Gyz8cv`XIH@_^?-1z9DS>f)#`na|8-y z^%B)sst)c?sK9sNN?VkwMyEGdYV9k_8fnX`sg^3nN8CCLXupF))$sO3R1Z2I&H>x? 
z3OYTLc{BUY{3EB-}UfL*1?24g9?u zE52gwZ_HfRJ((X#Bn~HxUe~f^U2Eup@|!hF9wo1){Qag4yk^>ptGv{~1};O_!I*hM zy+~8OIQ#w`!%WS}$9{OFRTm(+C`>_JGRZcv9PqnJY;;#?w(8*4% zVCH_KdVjCC5CfTg`_AF3pchp%=j@*C3n~8EtEr9r`0zoesR`zv8BjX?>b?pxnZYCh@{W@^NEGXF6ND`&eIRuQG;6{tX%A; zdk6xOZRFa!kU@j@ZijNHI1SW27GSnyQW`5U@d;7!s-S?y?xBQ3<38KSn|G4Llm5tV z*Y1Xhf@@1DvoDICoV^~e-#ySfwt$#-<_!oRd8T+EkJ%TU7-Z)^L7}~^R1=TP6nAR) zFLF5dB3%5l$Ll&32||8+02JPlxn@4Z4y;b4KqjU=AKjsX8GDba85aH)7cm=d{^pQK zgV`hh`L2l6)h*Y!Gg;DhLhsWFf13mQS@lNs?#s?Lu%oI@r9SZKR;wJ->DvF{&*O&c z?S#LNt>};A`>O4X{eANGb8wt{hx+LqmJ-G9TX4OBpkAX8gFA)C1~-Lbh6byKwJ)CR zway!j(w#g14uaN)W1U$4n(4Q*UguyVriwD}6n`zX)(4RO@r=bj&((69)t^t+#U2OS z99HY3cy?^-woE4~>v~K#MLku?Cmj!ok82#>lV)x?BZpDC=2e~X`sdUW9YX|kx+XoZ z=-Mu;t%F`3FDiDgl{xR0c~5HWyf(<-@i&t9xFDLvAc_=`f7*0$>Fm_@xyL$Ie^~#> zrAl_EV=XFhHw+#+;2Aowj|Hz%S3NDbJ~F2_o}sdiN5{-g-Teh08(D+X<{0o;Ru7>>to^=C9-r*hUxgr$Eo$ zvaOH=&a{*VHUPpJtg=-q$}TA;FB)t~U(2o9_HVCfQ*IKr$OB4dpS=8Ey}PUUv^~Ge z8dr8oJb8jQbyA9)(U>o!P{jv#gj=e2Sq)ECDBf$Zib3}3Ol3M+C`jXV?_%*s**Vq~ z49is?FZ<=M^-Xcmm~rV%u(aQ24m_MAy^8c&!UJ+>rH1&1wOO57JGR;I1(O5K-U%c7yQ>_KM@H&qaM>;LWNOb4u{{G^6 zWFdwrt7$A6^pb%JgPB61#^qk@t(-Vnje&g-k-3 z1ny`wS8aPMfaUOFt}5bSe|2lpQUq9^M8$;Hw{w zfdT=HGO8aH-vq}Su{h9eA?yrpBhZk?qKC~kUTQLX!@de+!(EFx=kJpSIX>uhP1xJu~Ld4W@W%a_@~HyGh+0 zs@k`QbE)SC&uD7=6>5fM--^h!o*!a`L+I9L+kFPyi5wX+$^G{J+<84TcC=~CWb*GC zS*={@AV!9K480>cr}}FXJ-IKhb>)80{qNF4{WT*VFgs(R}Kjm`$@7fprmPv=8 zJ9ALmVx73UsZOGmq8&2`n6_OUZnV0}h)5{#Ew}rV9ru3U^iSTDH)qy?NjX!5ddi+j zG&DI+XnRBG>Y>)5m)XRK%4tC2u$uW=w9xJ+$JcvVWG&RcD+c1ngVp|;uRz@mhR(d0nfUg|FK$9F# z69h=333K37?&}LPw4+*x-bT)~O(LuQA^h%XnwIM!vchlD+C}FUgwkw1yESIgL=^nd zkEtdRq_bN3;G0IgA}s#1b$#cRto#KMmnR!|^M5Y332$`<2m5X3MA9lxJV<>$A{>R- z(_|P6KxSstQ;N@_7$WEP3`iwcNi6=JEse$?78e>POZli7hqrE?>|-oGxhcM=6o+Ta z5QjH*>D;&|4dN>sX*UbfI<6XvYy8|&P<6fiXiwqhRF>6{7VCe9q->|%b? 
zj97;!NSe|S>Ud-cz;!CTiYFrJtMH@1N8w%Pg7lGf zjgm^zSi`R;zs3qIGH2%rYl1d?k~;qiH#PN&i~cg1^RHG)qq=gt1Ea=9PB8!rsRA0;XyGSnE;(ti5d{!}XnIbGPZ zBJ|fJ64lf3EvegXU$`{S!8$r^U8l!d5=_ewdn?jHR`=O~wc(LL?q| zuqfmlp;?^fHKa9aB9*d?&bdfPiRC-F3=|Fh7fsjw#y=8g+?lZR!EnE|WcEjE3F-!f zj&%T^IT0fy%D@{9WPI_}YlE?8ok^shlsrFIFhaL+pYzwPeNIx^W4427{7CwH^U?z&7 zFmz0U)EK8a)h~^gvn}c(7nF$=Ez(D*dO|=V?K^2-!8#U=p|Mgw zo8pCx6=^k>w!=pqTUUkc#~5|**QB*q(^Xg6#tu#%)flZ$hb#R;3; zF+-x^O~5JcD4B;E{f;43_LvrS@;buvFL_#UU)cYX?Z@-rvr>*i&OO^8RD6v2N@KMd zm?q`Rc14R-(J#tJ@#cKVc}Rfh&AD#;s51jcl|uycH=Kxj-Q`mXdgC5<=R!%Oz_kLh z0m?&{_))Qhf8lp8Zb;yI@VlofZ_l3iLF4{-QHIT-@0&C4FH?Dc6bmzv_LL&v#lQKX z>&-ADg^9j8t5Eh8Gw(2N9KWvG{CwNudG30ta~WjFGUk2BWEE7s5a?~87r*t|pZ=Z& zl(a3zU*|B9bE_M_?W~kK@y1dJ^0RB)c)W*M!`)M%Nj5Ckw06`+A1QMUrwL&<_Z{Fl zBv-P;&znJs+pv&aq1X2RuA|cGTJd;R54dO}zCNjs2sGl^Y|PxWqZvv_P1Xpmt)Wa? zVlWv2U6X#)CjpF9)&?^q6wRmSz3HrHp2_Z9n#Ic45wXt0puFW=o6VG2|Ho{K9;zmK z>+aXr;Hnv)Ppy8Jla4r5XVCS_j*7{1XbuY|Q?s|8piKi~4M$DM-1eS*_}&Ymhd+qc zRovEoX<*?PJH7Zv=aU& zPCV3H00^Q#FyM1sXD|e#N(mTcpLAC3>)d+{xjmQ$4hiEA%-JmJ$+Wu`&3d0-{OW0k zc9-XYo(fZ=p`&dwnuUNw$cME2uEWngfvSx{)00>aD;Xomxq`4buMT7xMs5L;?c&-P zZt}Td559>&tBgF}VTq8YH}?bjLOcYRa&cwhfn;I-0*(<{avyRFDDhQ(4-P|sVWgR_?ev+-;4r96R4oe|1G zn=xNv-ft@hSy~W6-p5nT+_VmmA4%c~w$0Ue*$z-*J*+Yb^ayK-CmG^UfPW4zMQAbf zL^|?gY7%;r;H3aIu9S zx}ZB#R`Fu}cVBq_qk$6Qi!OQo6tb8h(Wj#`(F5 zI>F*>B>saF{hFM(1|1!PNs-vG7!Hepv-9Gf%0!=9dO)mQ6G!G}E){;P$)c8eR|Ekt z@>xYW$MoG{keFbc5{ECx;j^m;cYEu?s}tgQC2mJ}KQnX_4m(!%ie9-Jvv!6{nb`O? zk4dmvHS0X((-HkCt2_cbyj1Tfbq_I}zB*Rtyfj8>Qw{I=y2%>c>d#Uh=4QU0iOA$; z1b>}Z{YMd=jzA!yd5B|suw`7soSR&N`g}T)2Gy8S9CyiKGq;-NIY5eNWP=FW0q9K1 z>jTRQ^^emCf}I+;3%&kw_4Jeq-@php{4?^PSdW3%dj!L7=z-kzLW0t(!$x>mp!K=F z%@NqvXQXoXCTtJ8D*t4sbr>k6vK&KD@#fY_|n? 
z3Xwg`q54k(x=bV*FA$+P%yH=Gv_v@R8*tAJDSSphgc4t$ehKp3w1Okpd}t}D`MJX2BNIh{l__N9lkNC)+OS?2rRmyuobi64Vv&IeZuQ=m{1syKh$$v8EFU_9!DBF*IMu&zmW<2?zh5K4&@X*fy?M{HAO zhtHZ(Q-~z}4hX{G!q3=;*F{S+c~>J&MPR3okZh2342^8yQC*zaUyQ^UDe3t#rtR$< z$AbcwS`jdO+ym9My++|eKV|`=KPZ7dUrCk-@1IK@3MQfbBR~#9Yjr@o65qt@-L|&1 z4u*9+R*Y>}WjqjIU$ z-VHG|rct$XxOO<(M0c*wjRHm~1i z?I;uZ!0XGHCRENu6dE@gqn#eakp~Z8(=+2Ua!W>nc!CI*@_NQbFwd>e^|Gd}Lag|Q zFk2RqQ`7y6XAM$S;muKLjMJzWG-tFl=U(AeaGa+)v z1%|*87BV>)3wH~ZCcO?fVwns5C%~^^zKzS2t|{*qQFyZvG$ z_{5X4SsH1I3`+v?tS?!NxNrQ&gEa1{O`hR_sC=o!+l}qiRj;@KR110<{LZ|CMPd!g z;N>89BI*f1q#U|BF}ZB zZYgxCdC$cfvGotp9dx2Ydz_z15uXRHz|MoFM>N{?r#Dw#I2DV9mEeLO;Zx)$tSGHyOAAcSs$r>vm$!DqcRr<^KW)8OHOe;7e~dKFAbVnj_Bg5n zBq0;d>%1`NKPKm`L`QET3*HDpV{_2p*`>L#E!;jSXaVgs2(9y(Hpe%Qq3cBf{IFsB zo+WBZQwZ9)i3#2)c33^OW2Dhrj`_+4aVX_F{g7ex*f*F~a}Ac(JO*#67neY(!IuIl zb2V)&n`Kv}jY<2PNTcQxRr>I4+B2a&UMgWx%}uawjR<$6KgHAMmN~EKr%sn(DnTmE zy<^O*A3TRp$L;J6{LJ?^x-?ivqd{3>o32J#7SZyaneRi;s;PD*{M4=X=~!k!JwU_Q zyaS&Rnh_63C?$&275SU9XUmO}$At+znuH55E=7)tB%tSW4r+z&D_4|^is)f)-7MfA zg8ShPenEAQE~NciK=^7Ebb=CTDlWGHm+}Uz4_#F@`=ooT1s;3`U zn12QOyyA%8z5(@)^+lIOEGt^#qT5hi zE>Ld*{wNaH^Vxn2p184t{>-sb!DL!Qtu(D?dxAELw^^Q?>zqcvbU(NneWidOHJs6~+=zoY(lHd)&!`k9px&&ET(%DZQcG%*59+G5sRt z=BH+B7NXMN=q@b*srCQPJjVaB19s+)yq>7kB$fb_H1|h~71iAxO`MY^G=e`M$kcS3ynp}F<&_< zdFW1xf%s4@>G1r2MHoDtquc$UlbdSO6o#M~Ns$=jD@MR_V{eMEM z^w7#jKWWNGqw%ET0^3H(U#!N{i)W{D3O$Cj;YLin#u^J77)&#E=UBCR_bB09sqY-H zGGPuVf3Ky$-?=Q&_$_AE!cntCvXE}Z#Jw*w@OW##Mv$~=gpe%meHU#&uA3@&ik6M2 zUaYltZ717JPm}6pcJcDx91{_(0 zI7R+P6D5AeB}-hYg@zrQ-XdxJtka)7syh2Mw_iA&)0F&-)E<)9zTN%)laYcy4V_Hq zhPPS#MKR{9pVb9kJrGICo1~a&kA)%4?myN=Ty`~r&&r$pM-HRIu<|et!VsuAtDuy9 zTuchkOlxRzD+S4Y!~wtMxtQ(Rd8FMPf2x_JAg~+VQH3>ELS_9123HhqQM`>;Y`Bjf zJw830Zof74V2tO!=SgvuaWQW*P}jMYD_5UIC%CX+I$$)~_3Tc|yKc8WFip412o(Sw z4%Y0HP#U|t`Li&G!uVho;s^|s`8!lH`TdIFdcDEpo-7E2NTj(~pCirewmDs;h>U1I zb3}*^oeH6iJO{w;&By9=(91*_p2aIx2Oe{G#@Q*r$)%=5C=(;D{E*_?@Khen^T(FX zhez~=SRK8u!|Cpxx?oAxg*~#Xym2_z3a<*ugH%5?^+z{@t!ro)NXu8P@hVR{;i$4n 
zWA;f0Fscb7Rk^vE{y!_w4E$9#zJ!{mwI`H#es*n4IBNE2z9LOFA$@IyK;1AVAZjMktY)CZYNhJbYTc>=P?zxky6V`s-E8_9DW$T#`SIwo zRT}WhIGh|Yape}cEA@bOW7(gD4uyf_%}#)y5E>MAcSj}L0O#Wb0nT~uoLVyzOY)lA z0C_70hdy!v+2=Z3z>9}xw;9!o69)O??((p^D-mp0k``m}9h`l&@>z!AVI=v&#}_#q zL{sP=S845q}YU(KTkurmP7;2?mxeeqfHJ61lRrJxh#{*|^XSO|>>3e?@jb1+KTB59Nu zH>RAAjL0_B(sv@9kKKThdN~NI&q=L|KBqC2A=;+NEF>a%S?cMU<~#;d(Hy>mF(qGZ zw%~M)lbAMQjkS-Rs&&`a*6wpQ`xR~u8xIW#Cu=%;(;AAjE2CZx1cUxah>uf?Bg%pPCQ{Kf;5yaurCWh>IU zR!Dvy*9GFjDk2cd*9#@!FR7dlSphU7zi>FPb1GFf+4P4a`-3;wKtmCeZ!>~qPT1H1 z!8A($@?TlLxa<%9xcKkc_poaQ;xMN?w12%n)-^7_or<&;mFo^|@${%|AQw#C#p^YU zgr8tngv3IZaH__)D5u7m@12{Z09%y4@!l6NAvMhBlfM^V4Kx3~{A`nCw#1YIL|{d8 z&Rm2S5EgEhdRAFGU%2-Ly<-esyL2Dva=Wucy&bwcwb?_-Y`jd7FE6h^@+>|vPI5w! zns1|b3FNj#R1@@mXvSM#>v*R9MxNEY_~&Ta_VS>02_wp`!FkCPk#kEEG@kGqn+jeX z7emre%GFwM{7;G)oGMOqjE_s7KF%Tvsc5sejsmk8+?a|YLG8G3gNkqi5@GW zA!=-T8irE+T}1nwME8tv@%I#hXy^+=oumJ>=V}*i6uBymmD~rs1GPlN9d51g*&v6W z?$x+EZ>284ABka276QQ^d?8_SJ5Eusj>qGB-Mkp5D4}64C=z&gC{ijIu(!eER2Tvt z&T%uZ>lr)D{igqE=R}Wui}cwZKlW%Vr?UFEWL{u~M)8TTzNmb#NNCnKtm%p?u z?9Y%(gKt14lkgve?2JHfj(WvZARDXwz1yJa%?>tvF(X@b<5#N=O2o1Iq)up!pd<-# z@7j|IBOKp&i3=sdDSFL5-p%MdyAoz}7c(q{Wv2~Ijf+T{PW(4X`iDW>l3L==hO!k1 zm$;y>3B$9M?W3`gb^J0GL}Y1{%V1`de;XSdjx~9{m1o9$B)(x>hxjQ?!+53wyeAdg zx@}d8bJkHZVsL~}pKi}o_scx;X&5TT-w7W#+LD~*?e3{UA!E13Kb`dc6S`-gNv# zXrc3rLy~P!d}6xOdUE93ofv!gWXsJ+p~^jV7q#E()p_^w9XHyAQhPt-yjwRN>u8v! zE36Hx*oiE=Twl1_EBN9Iko;%QlG?Rr%Al8pV^{4YmhHF+HO&cjC7jvib58hiNvqD9 zj1=eFSyA%K#iSu~^(xhh-|8UTVx6XeP6tZ?Z1Z5lO|;wUW^p;btfs;B;fFW!oo(N2 z1Qys{s9-Hc7yj#v(gRtu*hK&S;z2ObW)^K_5q#u60s+h6c(7I*+(!+@^;&l^XNZ>9o^| z^zFZ*`0DFBYs@(BjdvYKC`5UV32KU2dwsC~iPGHuyJ+^>R^L>Ip`*GrVeZI~Gp~ts zrWc2EqJIV^65k6p&f#2FG(+=JVFO(cBWkCCcG(9pfI5J{XjDACSwPW!8yGScS!?<1 z`l+6{5rneFQyr_L;&V!z6ZU_-iR-*i#Q}#it|ALE0{H!8{WL z12h^pvPd}?63plz#H62y_$trzYH}cst=WpjA=g0jV~F2YaVZSFF3xgqJnx)lAa3tb;*CV6SPi7Al80hbN0(!7z>4>Xmt;g>bp~ZBoH>${K15~{wj$);j&+VJJ+)~! 
z?U%#53Yjky^^p4pu=Ha(UicGUh{SlmvKB@D>n2fq6XCoIAhj3NYa;Aw64WtPRH z4ViGUtIHD_nR2oMeMwBs68qNzUErlt{-buAALF&y!a45z=<$rCGXBq7e*TV5q;Tix zZ^__mw#yXlO=|WQEhw5CyqZ!>eGEJsfZiP-51Ud;{>UlJXaxZ=ciV#jFQX?(_4N0KFiLL+J1MY`3+DHi3# zmn?YdIf`8FXo=q@Bjx#aE{0d<*=79`MEh>JN3@M`?4$Qu;DJwmIMzB<3sG6EZ7VKu zJ9!dyg(o5NPw#=%=uqPR$>Qi7p-l7~*z;Y`)=c8r4)D7Mk&M&{9X}Dhu@F(+j2txT zs@3e1J)VplVGCO#U+Tfh{zCGcQH3(alV2oJj}}+kJ}`Q;&JxU**!mgl@g=c|ILg&O z(KZ$i9rA^yu6_f=cqG$oxE;MNIZ}6}Xja;h3N>zwJIK)Gipl4nYrB1G#yK(`3=N&r zxwgv2)FulaDSphI%|uW7tC=0uwu2r7h}3Oe4g%FytqYogr0i!)**wdA7RV;EQ|>6C zTjBe6lMg`uXV(e5>-~7Izp{=fnl}GqcRRu*twhkDYC>6*OO2`L?EvRw#< z=u>2Bb!Hm4+G^RWbsWi8?vRlCnEu{Ny;BmI%%JQ@KTGZ|dt|p_%)9mGMmb2x^z)ty zH!{h7Nra)c$WNX#B1!Oz-sVFxSOy8JwTEGK?xD_yYI`ebYCZjyqY~0>VQuhrGLx}J z6HUAX1_y+CxZ~OBlQrpT?AOiaco>;uHG%Th0yXKb*hhU6Lc_pbRm8&YpLCa|Rh!U4aX~R&L3Vu_Iq^2al46Vi&dG|&c$(8FnzMgdc z!efp?A3MRDvBxCjo+4r?@Yts*N1a2#jzbcA_JWM8}GLG+Q>m1zU-D=LL>h!~_)UYwRr+)X{^nhA5|C>1E2RNe zTH?+w$JY-Iv3o@kj0&4jkznQ&txlWksUQXfv-@YTkj053?mXd$1P~;Cz`^?{$S9Ex zf3IXqUw}%391G~nDZUy$Y#9#bKF3pWNqv8!db;;u8>b-*&I_QLah|?(J{A7K6oK83 zsI0*DT7pndA0O_JNWB_H&j6EA$}tj;sZ$ zYW7^>QGt)rTjp`ruI zrc1~#H~+5tw{p9H(9*HDVZ?n1e$&Pu%befljhy|VKI5GPm9Z|@R=y7JRM*cjj_#>U zy{$ifqS;C&3~t^Hdm+SckMa-HiE6D8Ny&o=O5~%LGI#!bg&jHrL6f|nfd54`Zy*z4 zCRvgZc?~nT^*FEGum`O0$_a-r-Md32V8<~OSoz;$;hP1S7N2X}H-DFd|Ed zBF0K)Df5%l6!}{_NbA0SuBi%@1=BGmQ;nV=W7Tog!)1j|vd(qHY&R&4Lj1@YMp7QN zu|B*MY+EF74ON8Cyp<5iY_91wg&;+u7a1xMe^4JN=%t7yYDThH zz(FI={r8QN-OG<%MlK|4-_T?{e2u&L4*FZDQ4Gtnl&+%Nm`~oOTNT=^^LRBqgf1Q3 zA<~Ul6+kAptHbkxp>C@kEWc0rEw%8s^Y{W+v-6tS05EX=(&GaI=NvWz@h%^u!(gLC zBIa{Z-#-zPFRVG!J}Myvy4?3L@mgx*Z~w>De#9Ae>~gTdf|~89&&lP>rwO2yls=)a ziC^7(+ucUNWrN@*r3*XGPRwIs#Inh&yu9lJqJ$N*{E+Rl3AuLbfrCQnddm2+gOgH_ zjCvN_C)_|AOixwL6S=x|ptlWZ^XBmEiaZs9Jpwt{6+~NUsOB~uhL^g*8NO9o z1+?!>6x_qOCQbaASi&M|!97jT8D1rjgZ^4`-OI`c5cXZ7GK;gj*(GR>H3DIYi##X( zzt=zZ^78KQHP$sBn=rOvSbsLyN9rN|$eZ__(o^eOn$V0aD4A#GZ9;{{Wk$EF%g>6q z!Lu2@GOU4HIXe$V*JXP~uSE0d#hM3rzQv0;L^k;BY`|sIBoZ6Z#oug7UYrkDEuE<0vV!70!a!7!0P+E;qOPGw8Y 
zcdp$JyKH-vnY~t!N^~Bye-Jauzx~S}7L_>CPdUT3Uw--Hh&(mdOoxJ-N5kKt;0Fgu zxDj)#oBNGElw*_UKheZLJ{y_MUN-kBcVyCERg=bEw(v>ve1PNxFmnZMk&oeF0NBr~ zu=>VNlIYo&6d$`MVlGX#LW}wJI9r!hr;UX64PePn|3Gi#=!*y-BF|Y`BM|imFB*LmV~|K5JX#2GBD}8at`GG!5M-20;0IZEgIMw z1_x>DiF4}{+zt`x<^?NU*h(EgGU?GL>hf|R+QuNbKZ~>AhwA_nrwJxbLl(x;@}B3} z!9-*A@dO-X=pfgAA6y%MfUtrq`@(Xf)>p-6MkA-%uM>>ik@5}2xtlP%g4J|1@$-Lu-0X@bXg=Z`_Kppexg9p@ zz`5?LLot00>U3VF_NFjj4+(6utLMD?W$(Bzx^?| z@peXi^={GiVRQI~hilP&>|XcyIDvGpnKNmZzkC@&LL5)6)V%4ZSGC_deE3A+10>I1 zNEsxGu_~nM_-a)UhyP&@t8 zmKD1hM6XuvV3m%{9)o#6owfQta;rY%L(otC5v$Yju2~>K8OM=>1A|`;Wvh`eVB)!A{DX_U%?eG4VF$t_^j@PQ` zKGcAUs)dnR9tta!W48oS6yX8NtF5^?RaP96LFZeMAM_FOo_03>kof^hMmU+Z+Zr-H zoVY+2*KScRQispqUWlGig;9`5ti28--a>iS<-03dKei4G5G;*H3Z?+ad9Fy{s6F+t z74XI?t?Jk<7NgHDar6#)$nhur@_Gv=b>Q4WqbdnjoH(zL9kaBmgxY=pRoKhlM!cb3b;MR&)Io2W_{b8z*rZofX{}krp0v9cu0#9{Wu>W@U;2QIE z4U6FH=$pD|zBW-LP@*p@F86v;*6zuz_Tc^Yra zASiBJDFG~zuj*)mXXFnrqMyXKp`?Otmu~NDP)Pw2cg2r+16k--u==(SI2X#;$c}c^ zk2I$t?zlG$G&LgL!~5XTZ7enR=QRjR8s|=nJYd8bw&b}iv%LRkXy8Lq9fKxA?C)ef zd?TKH%GkA8FERizmFUXj(0g@|XWO>=)oPjQiD%DW!~FG>2>-RF`GMO4hA8sc`hS5|8jdw1$@{cd!h7h3pz{*_hPZqzNPUK(EdH{O>7 z{C$IqJVBMWO(e3rJQZ6!)_Oz^u@l6>a3xh7-!ZmD17I1I9St5v?juD5*x}*b@?$7( z%YOP%_A`HV?oQ_b`b?Z&I{UJbWMltl+@FTHNW=!n2r$q4Y3O9lNP-<$8QSM^tU0``rf|7oU{l(3$DPSC!At3K1UDfAL$$o5AD*ZFyokr$Fr!hEbSPH;_zU}8 zRJgTZsQv1B4ZI82t-Bag@!=rf6!Wd>ZaSi%J9i++9i930F{ZRn*tnC;Q z>SeHqiixTvF<>Tqh=$A=WQY6nmp1yk8wU*!AKT25T}Bt*`hBL!>cueasZhuCxa+UE zc2Qg5%^2J@-ot^Zi+Tv&S?A(C6^W`8($RuAU1rf_8Wvt+Gy5$Zh*3bd>6#`8_knPO zCtmc+w_seHt%N2f7E2GT#Qq}a6jf!u+9yh_iH=k9WMQO~#~4uI-el>HltI?S7C9^wH|NR`7*8VWw^M~B;~Gre_G53{8s${!f4gcozT4LTf6zC4T8N$ zAW$$tGo1c}MDiXZB02Z1WbzQ|XG|$kUfoYWR0HJbXtQ{L81F4MT;EFNd>i$a0?bTH zP=23Q3*+^EM^aWM1>2gOq48`9+9EmPKOX;7Nt`s|wvfT!N?eh}djlII=484!Xuk#M z<>?TP)DJj`sdMUtUe3zhX<;;OM^{}IjJ@u6n)tyutcAzxK`o2F%Yw5C1A7{C>C}?A zrHUv^3m;ZZx2aCr@Rsd3Nu?R`prh^fV}-zmoWTW+ zR@RmzNeg3Rp|_^ds{Hi!rus@2aEVzIp2EpQpc#O>FHR@485~ybF%>PpGQ1uZ?iw0Q zSj^KfrGkgaX>LWFtB{bXA+WOlXJ9gr32%P?VM_mc 
zbiO*?BcqXoLE2Z*R>3Cik z%)gZ$m?Js%Wt=V$b9@LzarSe~*Kk+gFg>+~a*w5|=IYUEV;4)*ibbAiwkD?dWq^~8 zhlTYnL!=El9LWN%`S_bvShtz_y!CL!onueHJ#Pm$*apU8$elZ()3W>yK6^iOMCs!2 zRHa`;P8p@?@iF3hD07rdQiuZ+|DWM6)8zd&eAY*87NX@$wnuzqB5xU%dbQIzYz}jW zFL!4g9ZmG#CV;gz=&dCH76YAiIpAhy`mIAoeT8q+WfGRcx8stVH%kY!pQK#zxF2*I zP|wHnQ%DO6ob{MRKa_l*@u=FZx=x(V(#8E6o>~(;Ubp6EJ0iF(F)Sv8xU@Zkk%FNs zD{5uwY(ZeUuM1yS@B`yRNjfI@E0!RugEDOTPzViCOK+X25?2%Crc%wB@extay{gR8 z4)NpM@qB?sQn6vM7gxfjY;DCNv#W5Rr;gGCdkxS0{Fl6T_KZ65$NB@Rp50RCRXM+r zP>dRpq5d@lkKu?lG`wagv&*S%YxMK|;8{Xfl=QV;I)3&4JTujcz-(VP42(zUbRa-M zk@H-$+z@tmJtYrbB6)^dVf(AYK;Pwv*14?WhW>`m&1l3~!BXy(zEiKb8$BzPzlpPnK zEde6>_fB-ZMOcZ7V}j8o0H%Ri6(>4?+BgCLbDR#K)O+w@Tmjm0{3}zrHU}<4>-u^6 zy9NTS(%Q%GE1MOEkKUd1>5Jb)pMCm7cpk0v~@}r{mKfyds|Z20D4dN&PHkj@XY_CMEs{ZYw0*PeQ^006aSLFga6^K}~!p z%#QurdfJG&wT%&^ZpXq&n0N+9bhM=8{}D>7F+mtui30^cR9geA6?Y@94)`zg<64bB zJ+}$5;=LYcowmx5n;Ug?9v}C1)dJXS&m%utd@k}ioOWMMHsczM>{_tPu}&9f z%OF9Yfad9u@eu4vsN?>xGEI{!%8#!RNL;_kjwn_(nEWl zsOi!@R-v6{;XxxJsmgM(%Ukat!Ri6nINb0i^tN1W~k)-w|!w!%vE0G2VqXe@&C3ZUc;5&Jf9XPEepB9VnqmH|vbCtyVef)yEDeI{L`7N z;ugbKfx9@hh+x2t|K!!ab5q*@(`9J!n?rV6mBVB8&6S_x!&2szO{W7cT*i0ab^WK? 
z=11SHAir7QoSUfiPO2+=Jw(hAFAsRQ*9;B~P>}PHfpPm?j9R-E)|OjC^zVYQO9tWW zLGavTedzcETcv*`R@cj+KG}+1F7>Ub4r1DCZenqtvpbJjw)>~6v4$s`vB4WP)QZ{W z%&x9p->&D8v1{R%+jb8F&z`kIopw(DGht2?+Hsrvln{cYvh!$EOvi!P2gF}dMqFE= zx8~Dw%Aa~5gyGc_^B>f4z|>vYdg17{&of93s;pbjbD z%R@b7B0>15>(akRA1`ZgRJ?lkkZ;KHX1a>gmm7Wf_(mVMQdeX7qiv(djpV}qRQgOx zu#dW7d{AB6y+Qqx=0|Hs^2Zf{ns%rB*e9b8)DZP)LJhwI_fs^xcNX-0hT#LBeXL}5 z1;bif{5Sud8iC)_yP^+1hQ2%UB!6t_Nig~lObXXvTk-`Hf^W|3Q%D!>Q2XtN^V?a) zYP;GEg-&+%cgq6r=I(A?Q}nwzm0l4+iLz!d{To>8<)gjQ+et2JX#v3J+N9IGMf!Zy zsZ7)MvSaMoUJcUcLu%?wdPnNGr)VkFZ?^R4r<3_9x$6FE{#npPhyjQv!@@ZG!K3b2 z7K{u5QM^*h5a8AH=>HKwzxuXf0pvQ8iod!pxrXw1xVqEF-%?7=|0S(WT>i7Z|LX`8 z!;SBnu=#4arQ9u6ploYfTdd-HE1l(i$va5kL{U|JCucVi@>}HYK2pKBZiZ~)wPgXa z--Zrx2$5v(i6D(8e&}JLM^-fC9g9#l3gNClMow%tHg_{)*69V8P1nMs6ecUDE9*!H zQ4aGJb75^{QgA$v?6qFf*nOw+___3?r4mo4oDU;MXJM zmH5xK!e2|sLeGNZ#Oay#UID4S$5-i_Q@AkNbh#^?2KyD_KlQpa-9F!2%oBRdW=D8C zHw@}4z{_71g!gx+yG847xzXqmnfu*iKd&v5{@u*auo!K)kO*Zh>aaYa&>ce6_bA>f z*+dcie1xR=g4ma~`Dy*^3+5#d@i^IR(vJ-_o%?r-4d-#9>GQd{t28&xQN)?Jj-_!= zqEeTAww3>yL5H77a2E6)3?zfI7=A=)Slau-@fK$n{WvD}B2j0vINhFAFj9s;vXIeF z4Z&{1?L!2^&?ilgJ%Q^GD*1`xEjmm9$DBJ3@bmyHTA6~fi(4sCv3GeWpNH01k^2L_bT1g(n)v?{^t5n>hsIm|)Jsign# zr}-eODDDun9wer1$qme`*)M!Fq+aMdHdl_XQVTbZ@_($G#ymR&0lXjRvX+*#@Q}#~ zk5F#~2{LcNLyk492SkUF!S3|StcoO;EP?2{ukzn-elFhvS(vi3QPRZ$<4w7@Q37gT zg=ZPO9;W1H+u}Tm&d);?I$wM%U$dy2t6$~L=B4C*UOf1YoObyw$h4Ug3`);r^C9tgPrN!vieA_!5{<)4!~Ia*lM|?AM*HN5Xi6U33AI9NB3Al?gi@gELO?Oq{0wbtJY|HE4HF;~7!6R)k%ubL}G1;?JO zD2S|QSVE)ZlV-tHXoaItl8Vq7g!`|`R^f68OhviQ#+O!4Ii6%Mu@R9OnU*}$yAoJ4 zyBrWa#-H&-f(Niz&n^}P{+15l0z{ic3W^`0PRJkD^%u$P7TS)OCPd^_ zK&wjT2>CF_9h46EbCo}ko~prmkRH^wMCKkOOzgbv4*9ih?7Qhu zrsjS&aOJOXsdsO@D+NIWD{JQ+bUEkH>^|5ueqHjY-8&~}_CwROW%(*n5xXI5cwW6;E?=YL}#rhMRC2U4%6x~>2wItq7o2B$(6E$#a2#MqXtPO2{z8nC$tZ9z8mX0 z$F7031fNcB68mgv=8A@0FRF~u_94q6S=fdz%mMzEzst@doJ^!^N2V!?mYy>*h*@{^ zoy_9^u%3VAN{4(Y4&0gx0QmnQ4Vm||Eh6V)x}?~+O7GSC?Y}*h>oZUgvOxPqh*PJ~ z?ZHcBBdeZ1hQfCvbHCO5AsXQF2uiuW(RjYN&_0*+@n*O?N~n0!m={$3b@$4D;XU~n 
ztBLcZ+uP47b`%*y6}61_FLNV64Z#Z%Qe4AF)riBSfkN-{$5t_ew}Sjl zg8pK{n`IF@7sDe1W5QGKFGC0n6Q_=%quti(BVB2h3gxmFUUpwf!g!0e-XXy(8I=jw zWfh9U`yC0To!$A#OJpho1^(Zd0w1m+#fcfxrJcS`&MOk#3ewO9^*^}ZO_`rHShHcg`6m+5?P4>wQST)34+)$^@AwhNKmnmqQ_YMlj|+M^SbN;l%;bmrEI`gRx5{Ko z8$76g!ZD_&Qa?l|(zc(v?%D=;lea<%D3r{|b^Kx0clv5Rc0?lefto2u)AH3-48?Fa zAaqs*c-L6;)yP-VL!U>-TlWTrty$R<7nIMY6S3@p>an%5;2RBw;QO)QinD#ECpQ!- zkQfHJ=>%=|#82p&-NNauocU4I0UO0y@G-PI56fR9?MhIvok$RY>T74Q^`5S%Bubu= zgRN&u{q?SoUkUm*$j*eTXGlHLSgydY_LL)dKCZnU>Iy4BSAO(1GMXlReUPXrY1TqJ z!kxE?8lW>GR(u0~5x`F9-7EM!-vQMyi05U0`&W+CmhY*#aBqHmdlarwAsWQ^yl~sN z4lIVbtBMoNYGyt}$;wj)M!>FFpRHm;zwO5RmriJai{+5WX7K84STfw3EU*|7PS9t;9Rp9=76p9KT^qs_Adw| zjzI-N^DUh{)Xy7kE;x&(9vkPg@~_;4GCu7bkp4+5F$OrCr`pl^q`zfll9s;Qz;E0v z-M1{7lG2M$F_LAHg}FN9OyI_UW0B!_%`1jLn{NXuFOXC&aK@qnYU6>?)x75DTzra% zs#)UELhrDCpJ<>OKH#BUl8Kw9Q)U4lVO$u!)-Hs7s@-RMn*y9WH+|4`w>QwUG}c58TTK`$^c8kN)^smfXhIK7$4}BFZG_j9*`Q=Rk(rvI%01 z1W#e0t=i(`ivyXh{%m9vC1(uICtLe}t)hQt&5%Ykgr=p}btl#|*ugXEQDCmfhll;0 zFCqIqvl007KN1KD*`I9@^&zv5i{PKXFnuj1$VQaF%RU*BIYpa#R!1LuW`4gskAX`7 zsXJ2LH{}O@n5QtsP1S{1X!&*PM-$rX1p@}r(N23`?QV&`tX&(Foz9o^KF5Fm zP$RAiHG!bI38jEiPbLbUsObl&LZKpjCdAlZQiDM48*vy!#HB}_KN=L=}>;L z+9K^n=lN~n5~VNRQW(6|v}DVeww9t8K}EnltC+mCuMDAd`_1AJS)XHsYRBd_dVg+u;Ga83(IR>azQpLyhcO=JL!<4HvW7m6!31YM~(2}~Qj{C(IYzr6e ztsCPRD$bbK8F-ermdIT^rcBv0{yF7CMZ3H;W=tbG5@Lwc&Sx&aC}pgRD>PBpVkq^l zc&jsk&;sXAeiCn6%o_P5Hb#!^_PH+a;f`no)B%+^l5IE=VtE&;h<8+QGtY8g`1(P7 zOf>D$MkaDf`$E%4ky}Y=&|*kWeNwCLYFUKppR}D98jhY9RsAz$>4_zMaX2F99IY|Vq3rjW<2!M( z<6<7=@IO@`Asb5RE-oZ}SxW){e!iQIH|Pi{Nt`;#BoiphfNl4QzHA{-z7E%5_mJ%C zsp#Z*jRZ{PWB)q4_R+WGf}i6PSPtKR2KfWh=I-$2@am`K{|S8c>lH6Ek6^C;;Nj392=f>QmL>xT!~YLirKBt8E;h}s9ok4y`E5*c{cXLg-A zCI*7i$H5=?R)Z7!t*cXXzIwS#xv*s?>um$pcqVLBH{BUM#s<0mEf$D*nns*#6EK&| zrEFOhJXorbI?UU8j;GDvw`{Nv)hhgTj##TD>TdKV8L)E*P@7~>j0A$EBw$XSq26AB zy0H)|*j0{fglf1Vs6=-Z;khct{E0ZHe@5V=RkL*@_+ay?S=XZQVx;S-T1wF75# zoF0G0@?#TiL$2BI--VqrPEXo|VnE%SZ_ddvIeRl2Ca@#;xJ{;gvE(>|YkR@Rutq@w 
za=mGae;}FqTglUOqtE_^1Vhc9MWO8nh6H1NnW^4>OBXQ#@%bw-&MolG^TAF{Gx0#q zeE)WyM_8?A`P66iU$sh*&l(aR>6~&Cj`mWwE!eaE$rSO4E%^8m*aUi=ajLTJMbGM4 z5`=cXoU<6EyuBiyoP4GoX5SsdiDA$BFEt||*vJ`le!w;6D{E0hQMz>q*e=5x2t=+! znlq|W_oHDu-aZ^|JQWqkwBDHNa;+P4AekX(XVw;ZnyWQd!Y9AAtc-u0Jeiy#`+$nBBFErtodJln9Ato6pd7(lV!=hKD&Vj%y7<#qMb*?|m6w z=LwP9_{HP#7oR+Pw7?CsL^c?oym*6sRtYlFK0cx+RkBp+ZH}<_0C%l&^k#}(`P<}( zSB-0crM2Y-kW(?JPJ z@EOTJTV1zrRl?@`Dwdh7hbQ%{Oyg{Z_RT__sLSK+o5&Z*Jz$_LhvrML!)o*LpnA0? z)baYH5~rg)_M=Z=csAK#+60Ni9Ia`+W_^w;_%*#|e|8Ae&+)?B($uNrpZ}>!5)mAe zXNR;Ea}0USwk~>N5kEQ#&oK~#Z*MT0Ywz;KoPzS<1KC<~k#%4+yz*kU4UJJ%}V^-+{Q!|xgg<0h*Qy;>{s$$R3BvpS=EG#Q+e zvEVzz*G(10bqcQ`xRQ1oQ=hSlDT^=H6@|P>>t?`YzKg~ik7f=?`-c_wpfX3VotS26 zTI9*>q+nH1ehEGg54`7%)YC-4TBCJiqha>Kt@7L7(WU;AFJJa@FwJ(Or^tK*KR3)8 zz^p$_M3I6wAwZaMB2o{}hiarMItCO6M9*7F@vZ`O4yC9xMnw;#h=2-t2YGUWoNs&+ zQ@rOp%vEcTV2(2X3W;{Iu0z7-`P&9kz#W_t8+E&I=opG%~Z^%2EN2Bj-v0a+DrXoj3QGltUD0L~u{ zxLe#9?5TsV(@Le9wj})fQ`H@YFuvL1{WiJ;5H(`v;E4L-L6j$yE$&{5DzYK zWWku3KTUr=yzS=CEw&7y37fx)RgvG}d`9}2uCB|cqD(}A3G>!Z9*d*sUN1ZV-Yt`M zqkOuLrnY+#A%WpRD}X31@XEO(bigUjElx~ZngC?NRj`XH(*>n6yf zdEeDb9=KbM0Ev1dKD1xU`$difO;-Xq z&CaBrJ}khT0G@Z4vIX?#{fCO6INXqckU$q6wdjYU9H!}cDTgRb?hN!YgeiWaH8-cY zWkCta#({OF!FXBb<~460nrhR?j(ZASDq;u`ej#LetR+3XIXJvI;AC;IV>|o%t53;@ z(BsKY3McFfAlBs?s(jpyTJ;%|&<`0)VZ(^A7*c`OJVJ6j`J1DZ84}#$>%u=4{!o;M z+5eHF{)P=(zE^nUyO(-mSvXn6JeDcT_Hc!r&s3ZxU@gTXccn5ZU7pqb4Cp(&6+HGP zRIn_2=g^qzBpf_lkpaxY=r6JN;E(wkvX}@*MUpC0glg>}6Z27FiZWd@CGgxn_knl? 
zdf^>m|3Wx4CJ4mW4eR|40e8PH6%0X7o);=p5mzFSB#!Cq#^?vQqeT5N9P8e@x!j); zo^YY?A%Z4sxrQ1%t)v-OKzE;>cq2sv1(`MGp*!$J=-n{*(ILS_3o#z19c@w%Be*YU zK9iemJ%#~2(=zJ+&Ih1bQL>Pkf)v5I88v*ln`r>g)tEya)Y4plc!eH%=$ zcW1m#|A&)ZeYKB3Ue%N(cFva!1xgTEnXMxH_w#QLReGhiis)xC3SYn9&XH2`Z`o2U z+i~!ZQ8P?${5DkAp6$^$q0CT_U5uacLu*sYeu`Cvprt)DFMYuWn4LM&Ns@ZIYg+sD zr~GFVd?To{Tcd^;US+X|*s{}+#%@V%BZ8mG#?W*G!-(YGN?b6(X5yC?G~Pr!m)Lct zXniX_2JktG8>BP1Ysa6oe1`+p!vd`;;GWUNUdnI@jC_@zf_6l}#~;%}i7qGWKApZp zKTayrU8{CcZ#VZY@btti2C^6()!m<0r7wI!v2sqEs2GTQ$JZ$;bEsK2>kdj&_zcT4 zvMdW=M?>|5M74=Dio+d=Q7{ZvVs(>ou@rS8H1OTaX;u%^ZGbDR0?h>UG# zALKBO{`RGz(I?I)$^|LFvqxa4P!-xSP^;KYbHK2JVdW=@pgh>`m?(*l2-|aj)zSD9VkoG>+=hT6tYo$dj*C>Q zH&y}&q*=$T(icv#X#u&$#O&P=+`lSV7c)gR0_H3CV}OWP8g4}FwPl-*2?V+*1V;&E z)#|T5j=Y5*TyY314o1C?4IhY;szJm_n&pSWZe;W64D$$Y&gCPv9O|}3)8&1w2X#si z$8uh#n@&iIvw)l6H{P%pmhBYXZ01iMwDy~aaul9!tw`XMR$~$yKB6UDE5uPT$AlVW z?icI$yy%y4zXH6G=6W-)=EdKO_aAW)6_zC&%lzDypZo56(fz7&IxqZm5nHh-Y}xFs ztf5n_-6Co5{v@g1V+jvrv?D2Ci+okXI@Ui3kH!$da;dG1PGCdKg-W}vvipUceoZ-~ zYKZ*N=mor1)Cxw9j?wI+)mGB1`;t2b8vi0gZDDqSK5ua8w~o&~Q1%y^>_i6L?FfGpK&$Y`KpqD9`WtedA>h*vCm z#U*2HQd!=va35~&rF1_Dv@q7M68oAyfAzq`Fyrwfu&hupe61_t%q{bZ6pyP!=6tT9 z+|IA*{GpM)0LPlLysL*>&!ss^bpHi!hQ+IDD+-?rZs6S zp)W;Yb8|_9lyCE-f=F8JRf0Is{3Y2_;bDug8H;KXwTt{U6e$9BWF#(hD>}u1)J+aJ-5s^)uy>G+KpC50=lxQ_qe)uZsDHXpF0#envMT9xaKrH{?3@2 zxDfvW-i}Ldt-8*EKT_)lSIxMqVR8#|XC*tGIG_S0Pd-7E0}XyOSgB>m+Z!NBo@Ucb zluGp%_^G@}_>K(YPu| zrqZl0hOiXvD4X90Ax?Y()r(6aTqGU7^#dz})$K7fxHPp(TdPV}O=@;sFA5B9x4Zc4 zg0csW((FgEcvgDBrx?z<)He%T19iL6;{k$J_G?F?#ODl7UFoCtssI^~JJ-nXt*Ayy zgTPxUG>mU$)>f30(S!{rSUBT3{mNDv;Qb1&QDxhx6W#zWqmZ1*rIu6uM2kM;MSPtAfJQ>|>9(OnPW8BzU zZ{@E^@cWP8xi#xhd5)^1F;ppZ~{P-ql0eA=3G9 z1=uxu14|X*EJ{wTO?x;v$Su8vLOLb;V=AwwmYq3+53Sq6s)||k6pY%^$(kCizb&<*DIYYhqx=>GNCDf9) z71NA@1;sknhqgoV!i+v??%*%>5v1$2>EhTBcQSNdd$O&}GV#hO?rT>R!YQhWJvA^N z+WxYN>};GpAHrewu`J%A;E}A>$7K?iqJM0cyUMwMY-m-@$NlSKFv-2jOV@_aJ0}Lp zlSY}aW&46OY=bkxyL5ltb%vl5SI+mpkOp#VsW|b!?>&E-%vuRm(TLD%{J7xKg-~lZ 
z)-+*ceV5sq%aer?p@xT5f`0VO&*&{6$0gpYdI8(Y2>CXi4IYYfj8330Kr2olLN@2~ zk&KlEE1kT5;0$82s@C_)nI7e0m96V|EFK)MHRZTIVOv_cFvm(q{;{+G3**{{#9yn| z1){V?A80bZe9$(~n8R;gB7!M9h&=@fxLe%~H^ydG*wB@6StxcZ)+aL_@vBT?l{`RC zWSoq{TP#w@e`Vgou{&OZw&kKyG?L9^${(PU4_8aYD1oOUcI3X6eT$xB6_7y1EAvE2 z=Ak?w5P_5?mA9T|C`*|5u_m!k)jSDyf+HHEB&Bemc57!M2BjmuGoLgc>KI+Uex6^u)d6B+MfS_ohWNok>-gX&NlYj{JX=W#^-B+ zZT7&1ex-4OTcxADs^-(hx#o)Q3K_gjfi%~jKrs#J=Yw}r(%9aQ9h}XFUTl+hJyzsu zG*qXoDW?h!lFtl#9Z8FXTMle7R_$w};x04XGF7o~t#qffZ*NrxpX|8u6ph5Pn8@eo z#1Md6b*vNPz_ zuRl!^y_dJ+GrVjzoJUzT5A&xEbr_e^Aa5*t9w9 znBjlTsk@uFr&V~2@L4dh?){##vJKjAd${fYDmAxae14V)RE{-RD)w$ZporC8wav}! z6XDf^PE^CAEn!hse4D#=CvkuvOkR~yk(VLIJCZixi`Ql?vd^Bv=1ES02(|Yo1F31U z65;KnRE~imY33@t;IPpVOEd{Cc`sq4+tH~Mds?9oWyxLUg3wy5m}xmIJ>j-dPV`*a%oHG$Ck4L#`x^AxRegJhQJFq5@rLRLtUx zBFms9YeZKs3&o!Xt2Zkrwy1UC#4n1dRG&aq$obJdJxe|}`yNNAKKc1}^1*M|Lw)vi zZ=z!I0V8cT@I~m+NVpQ>MplD;^GE`Uo^bU*%9;R>vTWSM0O*0|iU*>WQD9V@skRK4l$Qz4!k)UZ~W%7&S3% zmc{(CNwdfD4h52Mg;!TWtC?ZfPRHP6O2KC5{mS4b!z$V`oSJZ8`*vm_iZH=rfCJKZ{XM4IHTKKb&O_@*^DCe65s9(J&;O z)Rh;D6KIcWfDcGZcU}53@$a69Aew@bY`9i6LJg1rRO2;jItu2-bFP?Or4k7qhy23M zM{FhB*EbvEO{+cp*$zwd$$)thr4J5(@mr{Qq)U$5<;r zz-O5re6T!;rMF1{u~g3N4>6>7BHs`1XRM@Ru&0SWIS>)uNT!A^PJ}p|E3OFZ+vr|s zVb2!}IT)PX2hJ7n_GnYjmF`QGQ+rqGZ#G#~-Bf;`=)}%)E&YD39*wplVQU8zw8S!` z1F);o)TbRnn-^n-0bhucg|ewK@<>ITGZ2Cf3NR_7<{T;S=Az2b^|!9rW@uav=VV-}_1URX?)!5faCC0N1==>{<4) ztA=*p1#)%*L7txm{!|wSftl`3TJ$+i+928-k@+npW6Swf%e57Pe1zc&{vQ_YVu^ND zq@JD_^@1payoIUUQa2F!k=y0hS#ahD+m?%lG*cP0M5iB4n(?Geooi^9q@Y_&9Po<2u@+G5G&VvRBe<|VP*lNX+m~`OwDCJS;^V|2_m{L>d;_OwwFO z+9%c44}~A-BxQ6}a3~`zMa6JD87*WH{6&$F5&t3+DfaIhp;UHH^9Lh?4ZzN{CIurC z0VBhQS3LtMU!XXAz@KM_dlEpi`oM7GjsIQQo!xx<-O$6tMuCgZlpMF69sQGi|M)aB zV6l`7*FL`F$Y&8x>uUL!@NxcQP882Rt!)*({pVxu_qnIw zqp8B!3Shd=Z|H5fu8QX8HU)O()yj?4_5mS^yjy|zcU}x0om5TLO8V)MFgJE4H}N$$ z?6s@ts?SNEF)=BhwLCXY=eth^SxJ@@%%R#5kWZ*1{nnvjT`}>N6wnQuk!g``=q`Jr z1;}~a!jF@9-%8Tz9fpt>&)E~Q)FAzdG&`xVC)5dk>t=)g>JabXR2}o3NL7?~dN!s? 
zo#cC5jy2crP#^2E=DdjiXTALXrLVuZPYHw z3cUK{!bQ{>z0BMb2g)Xp>0WP3zz~Wg5=*&~G5k-7wQ^pKbu8(x3nj?&{H~%p1 z@y*=)v(Ii*28sS^C$!DANh1#MBS7`4oI==(U8<8r@muH1c@-bw!d3tx25?N=Jg^b$ zrNnjcm3C080?@EFk29luMb6$#iGb1=S($9O%v~9+xGA*nEI*hMsJ6&hwEhUo8_j68 z=Mxt~rQR-?7Ito^Axwz}JPyni`ZY?l2mHrhI3QCE>>(?b2YCr4-7%~bPjgN40n_)F2zRs!!c24AkW6g2Y zaC2A_Xl?V6{R*9&&^L&#x>H$r6-qNxDLWs8dc5@HXds^b_1*Wo>e=`yqu9yK%&}34 zytu)f&l6KdxSHPRcBB91u7R#^+v~Rb88hg0!@aiGToCm7XZs<#*#1Q}%ea$S@wh`oU4Phy#@+K zk2c&f_rI7jqR-jzHq9b0^k8?|kq6!I1J09cFANsoQz%IH zT+>x?9yzPoF)R+~muqBYFWGqzJqlQ13{t;ZgnLeT((R`HIma^P!%V#pz>1cpaKVOzn;@c7aoLjLk6|z8{*{lKELoyqR<+Va=j-3qs`gN|-;bs8D$d_vJkV z{Yu0&aTW}m8+1ksW)K-qAOAP;!2%v%LED#p#*>%W*L;eR=Yl8Z*Q?R&l)W~dYM-TO z7^}@3zAvM-;SEBmhCt$3#_WUHCA*Lx=MOsP^kwz0MjGJl8-Ld8LRTY+YXkWI+k{(v# z(}G$PJh}kEp1Ov1;BI>CgvN9^KlZNNIZU?=+L~}VtyVWUyo(H51-GlX41Y9%J8uad zRC@^H;paaC;E(QuBr8e7X`eIO!6QEZb?^$DKWS7GYjlfQ3XOd&z2m9~qk5;Poo2FoW7qskxttV%O-T=GU(oD_bqT|74Y|lL^)B99e%o^Bxu)q$E>YoUqt_urZVR7s_jY z_<^DSi#*q!ac4Mvr47Z_2}$cecW(JcnY!S$TC@&X2I+>x*m{W7EMlB%?_c!&*{E3r zl0epE?0rr1N{eK_C&xxj$Vp%NN1U&wW6U7(nn2k{pIT^tLAa)Sn6Mty!W0*3C)znm zN}9PFW7R1w8r4hMa6$b+kF;44t;1-pnt5gsXq^8wWSFVRYCx+@r?}GCEe50zLI+ng zw+3GpEsf@Ai_vRxy1E)OAVZ2aPLDk^7jF}IEd6wDtlkY)c*E^W%5xsFJW|4WySeV8 zO7$P6udUChe0W^BH<1%+mX>P&VqBy+Js8zGqT^yAe+5W;ipOv1E;8kk>tE%r(C9={T+8aC>3l*o|ydGcI zj8=4~za6T6dc*i+Q1C^Wq4#oj!6m~fbX{?3paCsuVqr;g=>}B7x#syaJG;om@5xen z)dJ!qFgT6X^@!ZyQW4Z;{W>l?-N>7 zuk2E8lY@2X2)5ul%}Wo1Pps%U09+mpS7M zvqpcKr;EnV!I-S?YtPJo7Rzyh8faeml{hJ{p_!WB zVUFZi{|6~e?9P$8Ra_Io1pLRJ+a;(93t|?N(GVX$nHQ87AIKj=sLX#%w-F>Q2PWGt z1m>3WqCsg&gr}1QTVo|iz#teu({O%wTGy@X2s>GT$}g|^ufnd$mMJa2Z<5oQ6jR4W zxwxr6rCsCvgvv?KvGGNFx}k(PJA(C*$(2SF^5v@4>&|wJw`(F(*`VtoQ|NZPL2q%$ z6m^1u6X8Ld1R#)}$cTpaV6JY&|HD19$!tst^rH;y9zu1{O26F$KCA?l5{a`fp3+!G z#%n^>+o@eii+GSyK7J|^F%3>=i-I&8QSQHn4oMzSeG5-u#7F-O7>qX@k!A;ni9o3_ zNV!P4Urgt3eL024R zOZG2OJ0hx$`q_7d)|ETnw%d!_aLJmHI$D5Af4Vw=L3~5FWR6K1%NM7=K&OY}p|6X< 
zjSGWtC0!k<9J?zY!iuS)`(fcE+Rm^-!B2qxf0G)8nivILLO#ig9y>^c-1lo@W=%V%z7Q9!Hm!dT5sc3u~@?~xzTh}fUM1zrC<PhKmVyW`+Fmb?G@~Q(SX2R+=6VjUBEa( z!`~AM!*K0gT;FL-@H$@cuC@1It)W}$OxQz8^EzyeYnbb5QWld*^3y5mCB!1SJhoqx})z(W;c=rM{?q7Scv|@Fb3;S zEEL>4zkV9+&)32xLB@D<1FZBmXP@5K|B}DsP24ZgY>k1&%#!=t!DhrNY)g`niX zwSCwdRMH%Fac$T)8;GEUMka72y_=|##YHhG6A#$KWTOv9HvREIMhw5+LC&3J8{to7 zoCD7<Z|g0c&9N7XQA+s0q{#%!y>?+?Gh^ z5cP7&**OsFv%9y@u703K&!=85tl5lcV<1b!;d?PwLA-C*hFG)W%46h?R;8L~MU!$E zhb9zVWB5*2siTzg7?auN6)3i+&nyuL|B7kqu|V;>TfiY)gLUJv_BQ(ZC0w_l^UlOW z^2>%W8TNk7T?RXz$l}mO-~Vy-)=^bQ%loiMcXu}k(w)*F-AEm}8zc`c-Joh!smP*BQwkG& zxyHcZK#R)UQ58!a$5X<77eOy6{z;diqW@Bi3-86F# z9lyha&c57dqz94Ah3w>3tFeRfeUp^YoU0tv434h^ABNc~rr94-6(KZqsDt-Z6vC+i z*MPUv5(q>3cz#$HnazPNXqXSt``tn5(w;&1ek$RU-XJ;R1sifUsQ-rvfSmO0bgK{) z1QQ2x*$wB1RHHv|?^hON?vIwsF|oyh_NT$zlHeH1F$3DU0Y7ELXGxhVRt1||5;aoU z90S#>Ox!(|Nk!R^ljD-C%AuCWy)wZ0Rh3~kAiroDJTD5+U!i?J7>znNC*6q4N z3P_&P3*mr7o~Li}qk+R5k}7^(!oq9_eAHq?;^NfGX;QLZ&S7Irq3mRO7^q*Lp(}a8 z9NsB1gthMmR-r~P`47>qkk@j*6t_T!IvqO!S|<7t1n&zhof)S zhvtl-#>{=bDmW|L(~|*)J_xqF&mK27-1%kRkElPK7@LxLNj<%O?zi$=Ep#Hrp|0_7Vd!IlMsBz@PCc{6b>mHuiv&6f} z^K2(lXJkEL|0v~aM!c}eQ)%X$0ZBtCfxbE@&D9i`wa}O!|D<7jnK>pBO@>EW0@q?`epG z*%@6J{#^wo8#vMzb|?R;QG7CC)z_>O+7OKr9Q54K9j^^(?L!iEEPy0Nw3flOb(Mx~ z5?hZQek$|1bQJe27$as<^uGJ!($|S!vP&0$(51)PUVH+r!mP1J;vHJl(ZNJMvWp@C zbw#|6ye|GQnWiE!2NOl?z|?_j{HatC1=D-Bm;-7qx~uP0tT40=BtIp08&t@!9zwo~ zeXyo6gULL+HYURU?@7XqPvx;cjm)I#;BJkx8+v|oWzOTO?HR&jzGs;o{V+2#fEdF3 z)$SYL?d561#=}_B{i;9LUPVKilPO*GCxLQ)beoPF#s|=ZQf{*tkWT}*e+gmK zUC5lm0GIp+%br?U(^K}0scU2D8KXX{d$#<8-sqw@wsehev>wPQY;pIJbR0CZar_ab zL$t~+gga_)aya_({TX-8J97g}4xM z?=2B|o9~@XG^|2|K}h4B+AFmA#qj%pfSkU|uOEw$v_YuqtA_wEkP^&w3PnR=8A2pA z63%4We#i4$XvL6t7wgvYy3$C;u47olJdi5+pPK?YR`FAwxg@_Y+=||8Vd@jeKbDYg z+L4aBV|}@fTBVH98q4_FO0b>FCT0u%z<#qLmY-w(voK~Rl72WLtqvqm1mowGibNOP zv!x$WTb0pMYxO}oIv#$4VeN zcgSj@0Zdf|8%xj05X==^N3rc@;;f9!b%t=fHDufL31ooG%5pZ-OS^~UZr!0%Rbl^+ zuI3bsmVaoJtqR$H>)aY+b#FiJQXcdH{)BNt zLbSF$v4P 
zjdQ_@RJ;2~=*5Ch=>ZMsd0Sukik#C|v}K6o_Wfm^*??sOSX;^lIj)T@h(@MMN#+R(uO zO%&goo7?jjcsV)!vxa@!`A!tr<|^_FK5KsO@dxBn(#kI}KVNWl?6cwq@9QrXAQ_ix z-H<_u-!p{Xs{NaBnZ9jdC75{_xDS%~gpqQY*hj@Ic^bin0tG-FF#WGqmY#8o!N;Mp z#0{EgQWyp|V%!i_Fl=&LjirJBP(*tCKH&#occVEblHxE@&tf9HpO5}_^!s6G%W`ZP z{wLZ?^+^ECmnFEy1vw_&^TIFvwNE4v46Q0MClYG>dLnQ}rtIGS~oXof*6C={HO9Y*M-*w#M@n+4gF54Oe zPgKA)Zq?$`Pu|zcK_p(I~M@(`+N=F$6 zIUC;eXIhrCpOHOaDDUnsyy6y48Lq?@06Yl9T@-dT2qCBd44we7g*Q;f26zv(#Q2hM zUM12LnF$QB!c@I=IEU57+e?sthWj6`A_FM~PqPq0lx845(&s$kwTrg`xY4)+La;u9 zqJ1%dDWZkov+|_FS>DCY`Q17TnV}Q0B%+_?AAwC%pMtMG=R=Cliodd?CCTRRrGNMw z*wIv1YjOV0n?W85P6ONRcyKRab_Eh&bCNnoEw08=uj1a`x7(KZP7gEw$#TGwmWwVTGpC|;5;UYct%J5!Po{xmbDPwp?kH+O4)w)$jZyZrtc zn`=|Co^auf1t3@o#qJGf4b*5C90K&mk%DV0nsEGN$_U?Y7<6;817mag5nrV?)B!Zm zoHegE_`C=Wnpi(O5Mq1U5E=c(&~M=`8y;pjU_P5HXWUKEd(F;#5xuKzZYpB)4ufm+ z?!Y?8i#-WXfcK4quh90J5JSs~%12%eJI*=p<-Gl=wN=vUvra>CA0!P)${rAP71-8< zyP*Q6xdY@tZzv56lm`%#Sn|H4!|tf6B?jyUg;0&_p6*oS=0S3@)BiwioT4-c9!aW# zfND?C?_YhoWQ!v5Ys=5z%~pnaAJctygT2`y`|O#!nF1$0`H@!^-u_O;;VD`hFP^Or zUDIwerK5*;`W_#-jtF|30~e30&#$rYQbM@{8>2Z;&pyTBmeX&CyWN8l5k%o%OL9r@ zusTCoaeZ+02@7weO@gIl?cPw=LPht%Az@u#3XDwZTnpzth{^^GYFv)pJ03*yYzsg0 z5byq2!ZQDaeiW><=WF=GeSYU^Shy8^G|V`7kDZFzE2;~>--ylvgw?B4489$|1L{dqeH9PrJ{3ssLMWBVq9nmP=U*Uijn0FB2?obpu z{t9;wtBsAli%A)js_f&vtL`&0JNKMudo2AEOxeKq_nl=h_4Uvpvw{;X5 z8mqOChK$Jot6%IxqEKY%o_e~gkINv&fXRP7k@Y$^DKk%-5FW(Pd7-NL&f0!+uH7H$ zo|mE%`RUr2a!O#5&`N>pu_Cny&#$#4W!Op3Q&PIbHxVkb9&S5IXC{#vkBX03N2xFr z%0@{{6=FATmfY7sfr$&HnxB}M+>(-%>&6e>}NkgKn6 z>IVn1ZD6w?URV~hH&v2eZW2&;%kU^!Et&cw2X8a?z<6ZuFx2!z>8Sau%tHaZPbjMo z_qCN=d{J_SZ6k(HTHHuzz4Ic*fO)S}vmL@#9cA=LC;|)dWg?!cTtsw1 z`h%=0RyGbTVjG*X5RoKvBWptl8_Pd6_BmLu+t_i|g{ZONZn0OpG_vUp2W$%Ij}$L! 
z$FUtOgGp#7G-l+JuDID`bAaqBE+Hpdo&RqNMP4U7dnLuPVER2Lf#do9p8}-6h0Yb9 z=pkIKsb}leO;JW_GA`mCRAU5QeVC0%6gp{D3RYJ~iU zgtw6$8H|F1I`Pk1C(D9KaFt3CT1I#dFEFRqIIx20w|nWpR z+Ir#Ua1A`?bExcb`%56xWZaIiR}1G{g%(ed-Ag>3!@Pedy9{UIa}FBGa*VX zr5($w#v+*zN!29?lu+@zODR!`L)kKksGQ#21~H6cb61{Y$z5`&;bFG$%Y~@a$4q{W zUaCh4Var5%&Bl4`ca?7JY-m7EjWm8UX$2~R{S=K;z0qXHp_vHdu~Y`OS|n8pK8vKFy!xNYlyBJa_+Hv*M>ga9dT7$*a(h9%x)vhwVBU@tkACpyk3cjw?i65c$ zE%O+=pL(VAZ4q26DMx>VB7hD#v(HtEWtrUQ@+rdQ)(30TGiplQf@R^ljN2ee66qqS`6hm04*oQil5BC}+*a*)@;PXu#J_O-7JOj{_Su7w7&I*v!3|xf zG_o}s&kqG{Vn%adAq3U;oZMU%YNlis8ucFGNw_W}w@1G&vb67&L~t*OA&JcHIVYZG zNEZ4GJF06AQWd2KIQ@VGs_MH`lM4hJQWUcL^#L_QxHj@?;WQ}JWOtu)nM1lYUvmn7 zB;oZ@S<$N?-b^GACubXb7}u;Xybg?)JZjyufLy++xthQJ8a=D$=`uX4E*ts-)S8A&8$4yns!t}<#TWuoU) z8jzRU797dcW6t;$wpWqA7gt#B`c}0j5BZZ~_dv(u4vSBNQAZPzf>2bBJ9?D=JP8}nL)mRd{#x0gu z!{irDQO$A%sm>rsD^kO7e`UT#<`z-;+}%=#p@qeJY1-o=$|6Zah+MKN44D0w@jsms zQ_LU9he(y`L(xCuUEb|LcEvtN{5TgqrW4r4_ky56BT*$3uTNeYth>} zG6IR$6AA>ovCZyZ61;;%3&J1SW?{cLo_nar=~h*jS0teYcIUy@yTf+k2pMaK43HZ2!b~xrT^F+@)xGfi0Y!YSm2<_5^>Xi*Tf# z)^7p>(ZJ_s;DJ z9sCY#Kh?fttN#$`Z`~D%zT8{&40LEhr5SCuUw12C<%xH}2s0TJ`kjB# zfI4?n0~Qm-O%xK@pNMUE9QHouUj5D;z1U@^#vLR#XN6fx)Lmc$lT?N&UglzS9u!I& z5!6RpJL|C~$w60$za2d+E^TPt1eL1s@90t8WasuT3;rHGwCqLo(UYpt_oqF*Wt?ZC z_oBaFip|V{hL?{vj(vh$v8SCyl+#nhzZEahm{O1k`p}(9*Uok>3}etVG-7fY*Z76C z{nu!W<^btrBANKHdgPS5$JJ1p7~7CejJed(Q8;~S0;d=}s47g9W@)x{BFX?;m4OcY zFHo5GFb0@vagvmAh+|JQW?rKdkHSGv+OPI6RUY0ch6TMDV*iSQaAXwC5mzER$m*@$ zej0vp@57Dy^FrX6gB@vjZCazyn>+5ckm#A3xfL(C ziMFn;zBYfh?Op=Z4SAdm*7~4e4G0B@be?JKd3>+_$=;%KLKZB^_3&{CO@Zb1vqH~A z^>MB(P1yiQ0Qowvmb^Xc$t;v9Ox@KPgvp2e=S^umgs`5RoTZG?`xQ&U}0P*GY!Md*_yP@oHq|5~^*c^J+@7_ffz zXX|pLnLIy*l%g~*g0n-oJtOHU*;SN#md-a5J9oViTDd8wY-~R{77NbcOyjv1fg3Fq zWS$kD3R`x*x5zc5@d&5(j=Tf7cRW+26rSdc0r!4>>n&~Og%HqQ(k7;*>vjJUYhHBw zrXgvbXXyF{;P9rX-#&hJyySTRR?au5ix3Q&$b9i9R^PxQun|Y^Nmmf1E8ju-A`r*T|oU}D^ikBpDjvZIU z!S!FK^$U`259juRlQ*1Y@|nxz7Qx`Jz356mG=r&u8*6!FRX;YCn4pL|r}Q*sG?!M? 
z?&U>(*((kRW%3Mym5iQ$@RQC8RSq~^6GA@-q54!{Do0vMbU+>o**L60zL1B4vJGt% zJ(zaHB#s=0!z{7Sj}mbvJ6UB%DT2H?QH?b&?J205Ak_DNK_24m5ZeC#fqY=pN^d+= zdvNeTeojTR{xz}&Z%pelpMxat3_+;PjR8z40^ND?V-3?0Wem znn_k9h>QjP^zD!dTzFL0x$g!FvpBtxu4euLCUm$3XgOq;C5?Z2YW}Uge7{sZpmUgl z?910=r9Plw#?w#Si{sc9z8Pa2$s5Y}n;_3Ks*BYH4_1<{_M`k7Dq<7^J*+v^jV~z9 z)F&~7pvdzTHvkoBBm}qqzqru_L6kFsf?Wk$H{BEuk+k_{CPc(Jp@57B{ z@n187MYDl!TO$%bb#O(kw5MdN}L)jt16cP8PI-r>TWDh#v z$oj>&O)J+t5kan=qmr$j7`8HEPT81wRwR8h2o#`Iu|K9Ozd)wOL{? z3iEl&`*tor5a71@94}?bP-+IbZRtP&9ZgRi$aa-w&v=_S4|O2wr$YvXyzi8 zrS08Wv6Jn2QacD5@FH5CvLxXhU!EYpHk{dDXtBx%+M&T)jX7{%sjhqSAd&PkIJF_b z#v0@Bg{rO-hy|9?k0iDPN$RWgAah$rKC#h=Xj5Zj;v{G(N^&9 zMqT_{nqMB_*5ZE-@Pg_;CrS|NW(qUyElxIK zNS|Ha>a*!}NIw2JIS%S)D|me+2A}@^?@?~8k}?V9wNg_~o{GTEp2RcVbi_^lcpL(& z1$LAad8$Fb0f&OGhr7h{aYYbd!nz!pK=OXCn7-^_9O1>XnLSPGMPUh*k{suqto7BdgV-}T3j?LW2i|>itM~N-4A$gC7-!r)aTyOMM#LOcm|TGUyWsUsuA`Dt@pK4bMrpF2qUvlQ z{tgKF&3fZ8Y_s$f4qDVn7w* ztOQ@ENFcPCqer&br4+;Y19~X;5k3mT1p2;|Kq9K<1{x_GFK4oP2IiB!M-u{>S7YV3 zS4>Ls)sRf4zl`AI(aN~(%9OHZJg(!rHN4BY1s8AVk%%o1)vw*2cfyX7*K`1weI|~h zaL1o}=D&}_zLNgt`)?Z$erpya7K-tN$%+ZPVLI`GF$f83417;EC65=k|M44?xc+1+ zyZqafL7Is)Wqnbc0+f$<$*P2^UDOQGVgJocO?OcXcrvsLkwrqVz=U8y78vqD*hK!_ z!r!0nvOx4Y&-1dLDg6z^&}gCQ<=)_vmTI59gLJni51aGawad!%Ha>J4$-3Is9^a0n z@m)d2QIBaUU-~b1N=R2(I2(fbA+#I}AF+n{=v$J>B1UMaI*jBG1`R1q1=r+^JN{K^ zt0p%D4|eX9Dk7b=yO5NfV43-ucab=)mD+yqHr-~W|31rn?;pQKjIPtgdRrI!y@=eq zk^)%G4-alh>wWgd7k@T?iFcS=mPKfI*di%vf1uu} zni$jS_0X+)5f>1}It|Sr9UM@LZ0Ev(7EKMNsH7I^EL%eVv#Y{?$T>F%n&quPw^t|1 z)@zM`SVhhxHy%zoV~a!<6FSCG1+~<)0tC*3Z&l~3J@lBj1bKcHycE7E&CG~}9VS7D z54apS7Id%L3cx3|NHok&gVgn#ka1Z1PTnF0F7=N-7U{IWfm}xE`n**0#_4SYu0ut2 zv7w?0il5s?KXo?)-B{6qsD=5Z|YD5b|C!TnOtXa)eW<-Di(T?Zf8P zs7K=z5xfEdxxSGJhS??%KyE{KaHxsi8W&7y!^Gg8yC~f(i)Lw~29}UXIDGL&@>vpN zUYP@GT4&$cVs!GnJXgG6-+_%f_{PicJ70S5zN;I*VPPY8D5&3%M(T}m!(5RyZcgZN zqLx~h#v738*-T9y1k}G1r$)5SBNotY|Uu7C0<@p!l4^CH4LPKrC>a^0t9=gd}0g)k;JXvr+*7h3neN4Wrm4+ z$pB7^{26c`%rEggDl=;*nH2evuR8K(eZE>7RBG7thlMx(>u53gf!%#V&o#Ayq^Me| 
zUjf^bEapA?c_M}EO2{AQaYUxKaUl@yBjy(&yHiIKdn>sD7n{y4Q`*H<9xD0^w)lyi4xtB#avC?e-=QMUoA)1 zdGRnfG{YMI&k%>3;(HZ~U>zh^vtJq|q?=B&gLSbFNF1Se`_x%6A`mk~+)H&`i)zOS zM*uwj$a=*5lnE!LllUQo9q}i3c)U#oe^yLZRy0gttKm`WAl*dXe)^nIIuLMFX7d;C$oiq`>2}U9VE1GkJ`fh zp+S!J@zawcu>Nz*l}BSRBDm7ykX|}xR>RP>UBpQdz+cLIO=Zc7U9zgOyOr$5qqGQN z>@!3;{etACQ~;TEtc!H-+Yqp`v02O{gA&!%=&H)$$ix`U$4fpMwB~j3(f;=WfKh1= z){}>KoaHMbRVBobw?c!ybbaH7D4@cp8kdRUX=3lvC|>?F4eZo1zLLc+MVT&1c}?-l z!fVw`gBRm6v{dCs6knl1T8Cef-0x;d4(&dxHBFq%qE3RzGvTxB7Hnu1OydaTI5Jv} zwU;;(%`jaT;Tj1bmEP#TmEIYqGz3>nOxD@xFFE^Bc2Su_E4Rr-1N753wSNmjgoyu@ z6E(V^SD!A$k_E!8iZSDNjrj5*#?0caQbA@rt0?`zEI!_T29+Y-??dC_XARzI5yS3J zi=@?DAjL!WA?FFuviHFb-2>?7__9yO_Xl@ZJPrRJjI-Md<(0d}K#%I4uZ5SQdP);U z$6B1^+X@!JnTRMZbWtD1Vc__&3APn5;?-yHTa+fOFK3deb_)<@je6PSB*n3{oqS^3 zA!}YQGk}{kp0h=02ttf=0Zrq6`eUI783VJvlYo5K(Y-e2Xta^6DQnz1^>~%}vcr3~ z?YmQ~=o;Fmwxhc;Q64hWg^kfwLJS=EK3DFOtz0uLr(@+3<2l3OrfF#{10uM$I4KGF0sd5)Vi zj_@^X86qnDkE2uG0O5>?<5_ENkE)E^3!5EbhG1thKlT(&M=>9`P_ zU29s8U#30s4``O$6A4-&)3>@&pF?x`XFd5JNXiJChpyDQ-@7Wc-k&DX;l{2;)##TI zkEK5*2+OQqm^wSA-tvGgO&M7?w4GoIU#NJG1cejISkK0vtvyoj6zn)MA`}61Ji2{- zbZpoeT?%$VY_-N|+a2YD93r>Z*=lm0*7J6r@ej2O%^3@%a2Ed)K(dk2@w5nG{|zA7 ztZYVPxGjv?V-XyR7~Rl=(dv0*wp=n#1+aIUgcB^v-rXIu;kc5m!%5Z%MOr;_o-$-xqPZ zGh~F-`1BMwm05!PJ>9Q%Cvu3PXN;aqKhEy&7z5+Oa>fc|{V#fN7;g2vg#5dGTUT*+ zuPTS_I(|UdrMP$(l@N9*Q!$pO?^+u0X-H(%#D2OtGy+rfpkOCM;c!bl?4CEguMi3NLUsYgL#zxT2wg!nA}HHK z>-pw>WfqxCVfHMOWw^=@!l}x^{)8mwxi1qUkLR2a!hU-q(ghIuS6vgC>{eggxzMPH zWGDX+Nrj(k+|SO23*?W-r`ScdPFEcd&m?4NVX4b>V8 zH)c_3#1-JZKHk{$k3*IBaMKF(Xju>G8H)-)LKDUoB^mD;W!jqgn6!SouH^0jMm?BR z4gxlFHoz~8F0SY#Ap~8?M~-haanwpdlHX{CyhuE~@``Xi6GTJSzUuqvcj(l*5ok!o zz|>=aV(sM2m4IVHJbSK}e3HfNLmg=buVG9XJB4LLdLu|gwR%sZQ( z8+4K|&I*xY4m$Dm&9f>T$ipnDu@;RUg zs8xH-+pt?@bIaSvUXduFs&=8>Oa%Xzg=-$YG;+N&q_*ca`{lDdWH^!iLWQU}f0;)XFG z@7mrHCs*lBs?j;2{82e9e9VX^HR(KJAJ`vjid_J*fA2bAd#`ET$Q6WrYYHT#MiJ~> zoFxyxV-&53n_uAvc{bNB|Ay3FVBLWz@b(lV@Kw^-{`}R?LvGdVy|6M*HZO~x;lNL` zVN=v0#l5N`e8hJp3FUR|Q|+8MHG)09euuz?|ynx>D# 
zlydNB;LDoXd;4Sj-d5>nxu0tVCd@^{4*Jn%#nKa0duY2HvJQF4nq4;2Opcv;*ec;} zeX&?#P=qQgrjO4sfA_;9|@%k&HM_6;aEZRJo?|^(AkHPL9D_0jy6lK0qm)T z|H5BRHy!!UUf;0FO-2dhzl$ECAallkXGN}qD_G&*OEEOsKM`Ltcq1h_wo&6fEDjV3 z1FxM3SWV5(>T7(D^s6uK?RrOe6}%Wu6O1X>h>&2$Ml}qOOr#7iFf(T^2`x1zz&f}J zlKsR%6}-TdL=|C$I7$kT{D*|!q!`WO4(4AZME@c|4%moKc#EdEbn=GLqg)zs_vr@f zc%c#?gcEO~;x9A~)Ent&-7J-+8vA4_+8QUaY!RFY$;|lGA|%^E zFF(G8qkTw({W6(>Bi`2+#YYa&LkUepYHf*GGZhk&ym|FDLx3Be*V^&q>feh-f#4(@0RbPG@HGTilUbIzRy(( zGg2p63hkJ&i|_S~3%>VT7ukxxpTIwTu)=j(lZlGG1~wdft_>PRx3unWS-s?(?}J%) zj^913lgv800(T}$d4df0n!rG=``L~-xS)p)MuGA(^mivWPg?1q+lfGC;!zB8K=nRIFz;sOs;b*lvZkdj&oOFeB(7;msMEJk%QUIj+3W+6_1tNkj)VD5| zQ6z{6xC-+A{1&hTot~@FsD4YUqNMY%YbaWmWbY{by${gmY2P+9mU}zoS|Y7r9@QoL zC{m^y;4lRSNRx1ev^;L)PIpi;Z=g>E+K0Zm41tXCqR`%I3Txj(X%c)>V>|2ZQRP*Ode^CV{jjXM zTM=@gnHkfVJ7s({WEvfQJ&6J$PVdggZaM;!(19wgm(4!2UkC@x3CsY7F6B@0Yq z!vCB0#)9LnzrSfl^Qk`-*;rvC75RM+#RdM=7E1{2>T#x(RbA6@`Kn)KF^-X_fJ~|3 z&ta{_+X%XkovW4c?>f6~@_Qh2CkMDrFAul8JFBnnYIAIhy$qH|$nX3Qzs8TQ5F4$X z>AYxg^~XH9J^hl`&Q&D6%4s3lg`obzyuk)R{TbRN6?(W%T>PUhoT@m(1R)~yxGc^+ z?8Q?m9CM^E2v%B*A`J1hBlRUh@Y&TF4ZG50)L$jYxz8U@EaguW;dYLA8+^n~Y&EYU zU8?Di1Pek_JDiXZ;!nER*(6LH2-QI8hu%;SA{|+Q-MA|_R9TPl3-}suDVcpO^`kYU zi}YatOa6*vVV9VqkU!q8^*slE_6PzKgmD=`bK%lSL*)bnT_v&AoHan;>wr>A|9|jx zhzWK$JIntShnJ1a8S+;T_C*XMBCAZLNzd4cqi8#)Iw5e=wHjNTq$}X;0ss$mQ-<9|qfDp)dG6nZ2F%nqd&ePh`s9ZYdR({;Jm^oUluX<+Umc9LT&KtH-R^4(j7^#hmVwlD3%A3ZweMquNA0e)a?Qe>Kc-iHBby{y4$u2w+HvesDTwn@s;T9Ka3LU~TPwJn(ibxP z3U6uTeDB{7SlN!>NB94Fuf181u7Ard&@B1TQ%72zNl_^twaa2O+`ipuZO1R&y!VY! zG(33t08R#~A1GqDGJy;a6`b|jyGr~vPInBl)=LQ#KM0mItN|^P;)?c1PmvSjD!G~- zg0{DG>)ee(AkAkqW>msh$rTjFd48znM$IA-rrG!_alMJU6Y7w|TE(X!|36W{t<@k( z@^-mx>Um%-!%QnHp0(O-e-L05|J~X_hv?&PH*b%tsBcH*qqLJy>(jJpDw_>ryrgLPdTFh6j$v(jQ?MuZT*V?sj$He@9P`LwVKtwl8h<>rFLG+y1ejx)R@m~FQH0KGFCP3avu z=u)r_BMA1m`BJ9uYl3X&Ax&e>?N1Qy4YrLH!faA;J1N+uqMTaiVy*CybcuQm=ykO6 zE@`CvFr$4-+->*$r(vDJEXAmxle@~VyPx$_@xXvjvl3RS(h^G4+`f>pPjfi3e?q)! 
ziPW5l!lGL=-uh6IDMY;n=DAy+tyIz5(;j66Pt9bpPnu;57)d>JO-4%{W!g!=BQL)` z3(pI34Yb_yQ1^QO*z(uDw~2Q5A~Uzk7SOg`5ad;x!dLw4Yg8T>c>kkXnoAFCYqWL` zBIZBXAkhx4JyW_VuirtR4k%X2tHzqe$ZnGh7RsQhgAQlfE(NH753VIc8Sq9RAcl!Z_QQ$q z$qxz%tfqT&=ucCO3H}~`K?2woCWwA5J_R1Rcj=(F3qHvhIC8{A{v^XXXs;Lo-*<7J zR4!>vm>%zj?Jh`;Ixc-I8)N-A=;2ud$l(6JkfmW|N2}YfVK{%88DSdQl*LEqZD){^svSI3jeg<8 zXN}wSMTZcLf|Y$Q&5DwV>-`N~i3)}|tgq|@K;9s-?d@W)GzRx(?NYLma~beJsN{G= z&~G+lFIM-hEo!+aj;*xe7{fI->sa^pFEEG?=%hvv=&DC-@5)F(fwmo04zv*KoZr~ zFRGjwDD&SfLM78V$|c2fS$IxP2=IwX)yG;=3|WbIv4`)0bJ{fx^eJaxvi=J{qpZ_Y zkK!%cEx{c3`&mATgV&)IQzTYXcw#|_~3Vz8Gb`bL&iU($!6cmzT#-W#l*_INDqwE}$H zDwM(}f)eCxK*H;bd9qTFuP%&^;%Ul3IPI-;D>s(4e3P_z z?yC3FGE^(KTAR;O?!)(^yYFQ5tB;yP2CjjMmVmqo?ct{Zzk%-HfZuuzV&?*2yEX#5 zF-M5git6>Oh2QEY3&r>0U`e8(;JEyV6*@~Fp>&msqe_PBx9!7G=iyAi`a0=R4F7Ds zpRA|w*%LoUiOAG|B!a6jigi1>_A=-8NCup7dkeldJhy-W`3g2l<6e_i`Vl$X`ieZy%ZE36@q^5kR1{DTqQ~v_jw?fndk>o7 z(8o(~$)}r~{K5734tn-pE2p1vfj`gmnb~9$b+JH&Chv7=o6zuX>(`=b>LUv{2yjZ% zv~T-It(lS&bea2e?#`oRv*n&JD7VCtIR(+5y3n(}CQ+%wkT^*z+O9NoD@IIlO~#?E z+a;xpifW4%)sH9pVPqHW4~j#Ey3dFeBbePD1_m))i$*W$i0GHC==BRb1)Yd#xZY+u zD;dXnXGRrChffe%s88)%iP+Apqz;x^*>m&@iAgyMi=L~oS_a&(v0j@F^nOsH>{&rP z?t-fuB)Q_ljY*$xwhqp~$}c6qQVNUwjPUkqkzJWTlk6(F7?EAMCD+7nbEexQ+s02s z1uixftYmTXzNc+M532<$jp5BlEsB~W6sW&}atqlQEbp zfaqctwI9^)mnGdi6AF8gVKd|ha6TYh<87kC|f5%2RloimZGQK2ep&8T*RF#mz z`qu4*WJa)(qm5_-n|A}w2-g;T0BbtZ*#;^c&qde3I+!cGh= zJ$R*?vHJ@)7D|v0?ihohCiFJ}fMGPM33IC@Ig0C24WtOnRT*^&H0>&}j>+I@W@Jx? 
zbD8Q6$VwRqU<{jxkJ=$%+X+gJ8YZaGr3l|mkqZ_8o)}jw^9&Y0z-Fc)yE>V=9iZ~Z z*RE$Pw*Ke$cMT>kHXzOX?2fRcxn+t{gR*P>JF;KMB{hlPaNR;Lmt(X$W~S=jZr!VS z23aXZ29Vtl9C~Jw*A2s4lzauOoUq5L-GBd9nmWSoLUIU7mPo3l_SZkIT*j{c^Ndg* zQkQ581KB-u7nL8wt@doRNP23@cfP14FGf8dO({kIhP%x89h~LksH8?84W4=~+`jA_PVunZgS2RXUT$c; zOzmOeMW_z)(M4i49wqX7g{AVpHaLTT{F-tt z6v03aO>4Bz-}#d%d>)p;yhlwlm3*IE?w{Jbkv=l$yZA5hvbnnw&SHNj>iZxf*s{;N z#wfhsL4MdbG^vskbDZ}dIV4DBZb(QLT@lQbuLMyL-t5}vhxhk*EX*U5(oaCYc{7?9 zOYQSNX#5tt$xM;HVSu0k-Wej>2|@vz50TA1){%wDOSOu35oUb~A3^jsC@II)xHIX$ zE@>C!%M7ao{t0{Rx3DFD&f9y~%^ge=v57YQ2wqem7s#Gi;^IAZE}H006A1&{bItay zZ)ba1XVx#o@Q(;#T8Jh0cDM6G7NEag2Z~ccg`BHt1@aR%LCsx0A7!5BHwQ9C8R|@~ ze&8@#=;rKuzR3?cDq38EbAy+L8Wp9S$$D%3rWw+(<(G8O28`XR9o_YZwd|$gj!AT* z?voMYV~d2!S2Wk(URn}WEHQQ(c{`f4d}iP1B$Qd|KQHv|wb-2c1{i(8I+7`Yn*53B zg-p`r=*vjaRK7yiioW$rURmbrbk3gQJ=A^q-r-xiy(0Lhd0zuuaC;tS_F_qXaDMDK z)og+d&_jsq(EskBIBR|G`J~;i%yB2P?ru@}*4%F?;=Z^y_Dna=NHKcvw!b5wmkdsB z_%LHbaDa12@ot#y8|xmrb>gR>%4qQpuqOd0ah-#3OMnUEtvDWBLQVT<i zDWmwnKbP0nWu~1v)&bIB?VgJ%a58T|MP7y9hWL8d7@S#r^zH|1@gmf$`-JNyVwlG^ z*V}K+^;WEZPO{J42y`@d37oeaa4Zd%jcmKLEP}OQ;5HSXN|dEmrOb8-Ok~Rekl0}S z!+e(faj;S;DT&)JylT5i4^W}!F<4n2Go{M^aGiI5`Z80dczRq7a@QzumzXj7(?f~L zrS8mY9Hnzub-8Plxv>f2{x!iBG}-M^#0C@_gL*<}r%>yt*td1L+P}W$Bdp!FbagY6 zjdV?e_1$Ec-xA8t^NNHoxbEZ$v{SrQ7_-dluJ5#Hy`Yl4f2gimg;!uHI~rPgdEIxx zt)^>#R-6O`*Zpc!O=L6yL=i6&w!!nl2cPOupa_`-D#a-{mMe)ugJ&`K5e|w; zOrWBats$7&t?FNbkb#_B`3jj;n-H2Mj^_Fu_^E;4Uz9mtit6oduv3s^LiH1BO10AYF$NMdjE!mu6 zo8~Hbl{RP$#~toq63GLKD%@?q33hjda80z6ZPD=c6GVs7byU;IZ&w)N?h*-@^Qrhm zAte!9g0K^pPm+no&UPS?F{gP^PrByk$Lp!YqTjlyRl1JMx$HD4q%fYWPCbs;Ou;(6 zFrw{f^6=;LmBxm(RVSl@EUq=rlx7fSUUg(eD_cv;J?U5+40=I_d`PfX@0#WA-1oPzYEkufLwmruEXI%8R2EUo^=2biF{$r#L#%d6FGE2R^ z=Ovm%Xch|cG@tsYeLULGnCP`^IS5y>MWwAWT(+({c?VfZ-&IDJXX>`*c}`6ZJ7<(c z$pP-1o4Hl(sEm)j0?9)2r_}?MqXV7b_va=ty%sYGG%=cLt}UpdhJj?C zzVMQ?8P0Gryq54d#FE81N97mC<2 zeF2xE6Kg~NzBbTwf3@j+-xNQsJfq#k4eW2~^c{1W#aU05w$8zeDy0tGNq*ifvEpH+ zI(g};F6M#`=LXg#*75?g95P$?oY7luUOLkd#GZ0 
zpxBi%;Wc*D5I9eV-ZoDiIWJ1Dp?c{0TMO4aVZj;LE$^AA*2M*@B>CCvva-?jsg==7 zwh-`eZb@RbuqdZ>wdP5Ytyv^o(q?^dcI80eqLfhF_Uvb-4FQ0-a@EYP<65qjTe~yX z0La_RRBE+V!`B;4Pm|gj8^^b}u!gpirw5qvI3^c$6W@;Pv+=l*pYE1Y(#DqcH8&CW z(PRu;0UVY!UFAzMHQu^arh?C@k#L8p=UvKRKMW}AEUyGKpi(Yg6b#GELo;cbTyECZ zJ;E)jRDk}4?h9Be~d29yPvH(utReAR|;?DBvQ)){Ma?kh4 zRMZoxr30A7f=tJ)&?T!s4&8pp+uaR;z_*lC%Gme^;8MifUz|xJoN0I*-i)@kMgCsS zaL$kkNvG;Z7<+TzucN^A2y06%y@$r80<7FOtizq}RpKfIH&HAod)W)FO^rawJTd|@~vbXN< z=E;1m{XbzeBSnnl@&N6ja3i;1Q`ey3OW zo?|Cic%0Xt+>XQ977Cdfzzw8ue6*$F1f9v{lys-v^*oic+zI-E+eyK_AIS+iN_%%F zA7kgTPy_1pg24ifcvl zq5$=TV4(jJN`d)JlJg;-q>mMJH97s2eNMQ^`U&GI+_oz?|v~;GrC_f{ zM-2`@vTq27K6%_2%cexMurTQ*qAJ=VC$bD+hLIkdZWpiTa9D9%I{CLdetv*ru$N}IoN%YCrcmsHQO zbep-1d*i~1@pmf-j5yD>Y7oT+BD(hV7Q_^X)ylv=jyCR0e&quQLx%7} zH(Wouz6m~gYajH9Gg^u3z5Qrwq28%vR(dxc!Bhf2N7Id{qj?L%pnhyVH0yUNKj>RbJ%Q_HVS&o z2)p%QitgZI;=^RX)q9}wI=Ftb_mHk?u!@o`aAgw=#qWB(8FpXZl#gvg39f@AobCuH z@^DQ0C9|HEpJWq){(fZ?-}8$9EYKbTz8EDX5PsW=-+MU3z4|>WzV1f>!>t{cAvb*U z1WW*(pJD;7YpEN1cKCmnZ;IT2$Gem+tQ7@80~G%Ym3PSB$*$Ah{uj|?yMV;+tG6of zD`R49vtj$hK={`V0@Gl?D=2+lbl~rwY%_2XrF~h5N{`*bMw@SWxcMmD>9BV;l=JGs zfo8)+&_lga(I9O0)~9Y(DRmQ$U|792SjUSnhL~%DAxhZAUB~usRd_hWm{4qT|0z@u z`f+U+iS`&cfXmoj*^id5?{D)QZ>MkHFD~Kz42?O!%+gp~$L;@dYXv_CZPfe_wrb5f zOdFbnUpcq4JJ?1rKHK*7bw>fP@+~Jg-e;2tRhEl&kXriC6+9CIpqKvaI)ck}pJFV; zv$H^{KSL?mT)SP`%&7gev*UpOu}LSKj<}?z0%;~)$b zu52cu_^YEg*)|E!$K)3@iQ=Y+YIRi)0HyM%Ah;`Mvaqn9E19M<9zsvT#v}FDbV$S9 z9U>3O!F$^HQQofLZwngpvCk2rR#V(Nht!US+pDSuqB~*Lvl9{CuIz7tACb_4_cE>? 
z<}GDU|D`3sAI7&G{-rO?87!Ilyi?()ftt716XYHJ&hij$Q$W77JNp$+afEa)8^zXx zg)8egV23)nIRtQHlQiD1N*k@y%Bb!_+e}=9I?6*97fXHP6X*o(Z2i!MK}e;M0TBGl zFGIEv#{o2ktwkJ|;o5z@&2{Ug6+vsH(34*~;P-*zg;I`kNl1pFo?;#B#W1b$Ro&r= z?5v_zQE)s|G@B6q z`_2Egv~OKUq3q(nmY$KEu9IhcfW~V6|Wm>>3Mm;weC?} z58u;lrLvw}!DK6FuPwZ=s43er<#WOCRa&j3aIvi^vvyl8M&s(jai@UObEMo4inyK7 zw_4Q-L?MJh!$(y9-~!;*P!%^xeoAw=5fF4cAczd*#Mq7FHk3eDn}y=@UOmwUMjJ=T z=iNOQ!C$O|j#<8|y&*45XIF@OI(*YQ%$M7=VE#w87DlcdP_~vWbD1?`j$9N*L6%4R zlP|p5^tk;OcWwi(j6mPhqSk&(`;J|c&wu0FtK$iec}zR(JJ8Xn)d~LBE`@4n*I_J| zz}wS!OD-1ANCcFiAElYU(*lY&;`=n$f%Qba`Rqv1JFfG=l5Xhe*(d~tGN~ZU^K^KZ z1hgCaEB5f86#Jym$%C=T6QLUu()MgNO!i5&(R*?q7H3%P&3`F$nFm^&L7bgX&jAZJ zkmYiSe9#;HF7z_Y`%_T##+*7hp!3V|!1cSag&rd#ESWzPXql9U3~rEwEJnhB**{5Owey3YGMU^76O#Q{@Xo4l z&PyROP_S^zY(y;lBAQ}o!JjaSpNeO*{GS(uxMF!4vX^n2=Ao>TYEM|&X(-9}Bih@) zZsZ1Yy;*!78>#s&HjRq62RpnhKv-7<&Va;!-oSm5pgoLiBp3YFM9hrr}E%=Wl0PcBj9@?iF?C< zko_~BhS@wPcQ6B^Au0EsEq8j(7_J>tQS||YKCdo1&iVz4>Pc+I9k$CJHNkfBx_G+uj5Vx z(6QGkX+;%w>C-5oGQ0_9!ALyT>rxN|7ruzpBt-Yi^CC(-f>Rgz!a_o|OrT|Dh_!o+ z*Nr&p4~K8REaDEcQ~wWW4dbbdX~RlL+4B!D?Cf#acED!<7rd8JW<;WYxyQ#_3ZHd- z{2N>p>+=jXBS3b)P0d?MdeQpFr9O^o{SHuQ@r%e6P^bbgqRb;WccCgAq;Z?gN)y@E zc&!Hcp%v!sgg>#SJ@?+##|{$UcHXA&rr>6o1Vxz+h&~*+WekHg-;6YNtFc_|WwZ5O z9(AT*>?M6^pgPNUvNObU8N3`sG27_zt$u(ryI&kJZvD!I8Gf{4kQg1W^hQ)SHatp6 zKvwSIS1}6$>93%DP?!~A!gr-|0&qRLMn?3UM2U=7`UowQjj!b|g$4^iQwyW7lYG%|FD> zD9VL+=|mXAWlu%Lo@Sr@dsXRg1+f~qwF)IG0&uY}Rg=Lg7YmMyQ2{PHCZv$_W`CB0`aEd9{p|JbMr=tie4O;fNdYsGp|%*Wca=H3>6^5HGU$P%0Buk zpi#OI!28cu5Fm#KWLH!BFO((}dFcvnVGCNMfFJ*l|JHkJ{0cFF*+&>W9*{;Vdd2t+ z4j4Z=sH1*3jgG!b_E&Kj3uVIF6%~{ZTlU8X`YS_qZHr^L{kL?q2u5?Npwh+=;YZYE zcguLvCuQx~ITb7ZI04N0Tx`tHD4lzY2MVc-$r*h7-vNJtM9F%%-4uofhE;1ez? 
z9P|%Kuy63v#eldqIF&X>b_J}V7#-YJqYkE?uM8gtHU0~JyjOV?iEA}k9Xd_7fgq*c%g3lgMv#CM0RpG47x3dYvDNKFr38UFh8Del>7)%vU z-`BY^!EoK-pwFcI>EWl=Q*3zBimn^5MZ*wiKmj;f2Pt8JrOB9#lKn6ce!0mh6PAL@Gb$`9%YMNA~ z0-c)u&|yS4xDYO>&H<wNLX%#(6xXX^zD zfTBI8aa)M%MQ*>jFXK$g6;~Z`g7o+)^G~22ikN6)7VT%VDnbK~gEPhOG9%gi*bQrr zJXrSPB{m+s_#zif5b%jx`Q*XU=~QtB>v5lSCD6m)9|=-1xBnPIf}_(E5n3t7Bci;I zkr~N+QwbsuN@?d=eX#ygRz^D!8qXNgWZoL-FmeoS9+@|3vA>lFUeT5TZouOQT?)c6 zkO;vI5dDY-7REwz@6pqb{a+-=%bmDt-G95l8ArNzO@rrQvtuj+H7X$u!{mpPEn?TP zZBk=M+}vCwWGjc9g2?-CW$2{*`|{4G{z8pyW~jX~fyb1t{Tyx-SU;9aa_AZVyQS9) z?Gv!+fvtDQQ2IPKWbbE!#dh_?XvAl@7iBpi!&ath(URz26hWL9zdJRN?&{?E3C?l+Y97R4P>j!rD1B+UEMcp>8 z1~(->^_)3J!`fK~UwHGkgkNkr|X&a%jM|gPH3D+~#QO^rl60mj75|E3%jI&mbv%R&XR6MQDTTNQ%yxXyz25hwyikf?(vB3XDT-^qM0*I ztk{_7>@>!mRee!wd+tW$QJ+N=;{eB)4T`8(V-}}?36c=uMucJeO+tMJL2P^saxkgT zr?hz!bg(QxS1;;7!Wer9rJnn%~&>Em$ok&BW*~$n=JF~Py0xgWi!4k z{e?9L%uoSlvb?mx+A4^Q&RZTXorz)j>Ui_QBXdfVJ3%k%6HuJe}<0nuuf`eCqgaJUQbFp3KH z%J4OC2bO?$iF0PdG6x~`<*kY@>}8>UQ9S1ho+6V*n3=Rae+h(Yg|$T#L-#eyYD+mP zbNUL1infTOb`ClipETx?2tq}FNj=W&$}(_nJs)c~!l)%=ra+C4VDo|sl#0E2MMw@$ z#$))x)rpLYeH=0mjlCQTwW5f$I%R47Y$p)@;*U-lzp#6xk1CmsGVt!e|8{baaaI_$ zBrIec`22$D8*Y)Fu=a>#y*L?Al)WWjaiRiwjJR2s=l`1F9kFPh%bj~0w4!3vJ>11g z-N#tEIK2ev#XfSU%H(XYTTQH^oVI3^R?067D$4Rq3Z}K@rv!fla{%ZwF10Bn=idna zBmJqKe7l77V>gmJ$WGc&lyOYj|UI9KEL=JC}1U{Qe6rnxYb@En~IVzwlQZC#5l1{lzZnR~< zK4)P|0Vxb_;4NaaWHhCS68a|ytRDE;hXP%c!g!yV)WY58N-sv!XpuqNi_CMq{%t0tXxae15*BfB<+1Gv%!y8+FfR83~6I z0+k84kxSGN!4+`|@DAx_m!wn44CSc~yD7e1^*eNB8eKl5rn_|2eX@VHd&_}@IZg)_ zyKd#-AD|Bm?VM1CqlOg`LjTA^}1jtKMtEGJP= zNG^ubErAcO`dcwytQZ1xoxHy+{0Q{HAV&%4^k;081`NiO1rRc-54@Pq5mNpxF**k1 z%?mz|R1_>KkcxVf?PmPwF8fG*5n^&Qjo9Q!(+d8n0|w0LDG@e$jB3J?X2U^t3@C^! 
z-#^bU3yQ;oK(-K*7@Hp17MTe)EYYXzp$B7sh}dleWBD$TI|LN5mq`2aWAL=jFB*8H z?m*>v`EwV}p+-?6*WKRj<*HSI>NTU1iNNxmeIAp>54%xcp<=g2SGXrAjo9o$@OnVJ zXJf;!v=9E=5bi)_P*>=K5vrW`1kK1V+obtls}!1Z$=9}36cGa{Q@Jn_U-*-WXC;Wr zD6;gnE3HmA!A)6u4@vee!m*cyCvQ4$gv}GZnlJ&d1_?6swKv2EoMpCu`W9Yh^m)DNtK-bVa}NfQW80VOqeOHjn&2SY#{$rlq@x?Kp}W{1S)h>app zcAkB*c|O}_?eU_0(2})VP|_H$=WTvtFZ3i3PAgI`&;tzxnlD0_<75G=ov|1WttP|7 z3Xiy)OJAn3=B7KK$l(9y6QupaZo~gn8y}oZI!!1lMLAMFcYTIt!|obq=c#bL-;e-x z@}O#i=^Zdnd8q+Zwmseos4RKojbV5B6!5$=KwZ3yd*-iXXa(52%@9e;aIpr`Moo!; za~9WPKn`!)opdzrl;ww%a(+5LhdTH*IK%N_*N4W~qXq~fWTH|*JICfo~*t-#x1kP9a_+$Mll zE#Q}2B^j;>#Z6&mA@ICwJ$<-ywM9)J5&35KrbB8;Xu~1ZO|Px#y4#u|BDc+?^fjkb zwzmR-oi_LbRT1zsXw|~TAfLd-XeXi%_x5LcOaG|6pji!V zuGfpTdKG)Zs0fdl4i~YpO;z4W$vn@0hV{2MdOY}oAMS~jM~U9uS=NJ_$=>`w{5uoR zibid$5-3B2Y)7A)bM)C^I4_=bk<^2KMI=;&Z05H51 zcO(yv`sw{L(vrwB_JW%ohX6tz{fg4yslKDUEG*UZ92-+p5nrmWsab$nLO$CX5Z7#l7jmyHw^@ipsseB5x~!(T1X zy7RB+O+pexZ)Apr0-Q?7DH$5}s)Vp{0bu4rU0BN&FKdg@u89;Q&0e#s(4OM49P+H) zI9a7K=-Cg9Y<^Adjv&o*IB#xx=*)*=8qa;uUWdH?qCtrj=CR&ynK@ULa+!p5(D-vO zY2xlvX!3rtk>sCtPG>tPKwQdlx38aN_`W{=N$8Hn^5({oJ#}794ifRfUU=fWpN(H0 za`eraXI|;s{*ft$2dy%(hpsUCaIOSpq}fC9u~IP2BU!WSZzE?OA~N=P!K#GNGJM@X z!S913Rk1@BZ6XXh-M0s$iU$$Llkz((=9O_4->@yW5<^XY;t^a1D2*}@&`n=dDGs($ zx5V_zI~0<5m(eoI2!IG{s=sG$5xgykd%bEdfd}$g-`bH3h18~tALsefc~V9std zty0;3QH!`WXXveVjl!|)RGPr;{mGvSJM>dv3>Sac>WgSba8cs=4K2Bg9!4tQLG56e6j-(5ZYcUWZd^YW5osv06Ci zXcsM?oC-kjTXM&u?l2{OFD*MRX-M>UyBZc$w4OkTv^8Xl$1mf^Ggh$rPfKaY5JfX) z@w%R$-JWej*x5oDz?Y2J4JRnV*lx-y+ycEqd5!Qlp1ts10?yyGDoOUJnojI~yPLm(=OKSI;eo)CBT-cQHGuZ0j zx$jQM+uUeGAJ<&yFDnjNMqK;?yd{xTgnB15WEn7t1G=_!HXd4 zYlG$GTOiC`ZNhZllVUO#R$nX0A0!c_3*7?`h(I!GteN{kngO<#va>r4oZF|H^2Jl< z(L0>e-Ugp%c1#(*`NK~(*A^g%c$3DKX*fshAQ*cf8j>J3S|dL*;2zDQ(ngymcj=o_ zLp13y>;Px(BTm?eJs*cna5pHQ@N8$L3zZzStPp-OH5qt^J~*tS`8iA&hrHuEtyqid z&2z7-;ngS4ci0@o+^Ai> zT+XzA8Vy@)g=vRST2uJ<&wklv{`h{&8U|3;u$kIjSTwRaaXV%Ws6#&BzQ7dS|JZwe z?fxT!@yM-Wy;3eje(rsqO=y1U9lFWTR%IaTwE;?X9BmX+(HQhtmqBzLdExq&iF|+T 
zkR@11%Z}a9&6V>GcdGNi17ozz*6QqtlLJJk?ZUC_BtfC!r{N>MY|qhyR40 z%aAE2u&bI$V6L$A5d4i&KZ@XBVtf`o9G4x+-f}H+_6PV{B1e{O8scBtOPIyQtSR}0 zq zf|mjxBbLyrg)BOOC?D*qyUj@347+rQKRo? z`|^ec1E^U;L`f#%-_HuFswHg5jRexV_#! zBc-#I4H0F;HOf>8wT>UQdf$tAiydqa=hWiZHIj z1ywQi^uYsXWYlShC)%|S4)Z>+A9om#8ZtZY6yZ_gWD%jAK-vGFR#pE8N3LrL(Efnwl3+IH0UM^je8mS9vbv(3WA#7Ltm_Q41Yt4%Jkf;tv!moq+sbp+~qE!Q-pzgsS^|N7m|SnQ>%fzfaMi~Fcm*!dw=qMs>d$~t(}HipWCUW z?Weex96KuaM4BumcNe1~QNmI6{xfl4id^eOrbmXNr)dGoCq|SRiBA__Nrp!kuQdXa zi4ZDv~QAThz;4|ZsEfKc!Z<99|KFJ`^B|T^bDkq$M2kS|-R=`(9C?kgFRq8}}ID#3} z-Qn&H76H@gwwyft|Ft!I;ynU?`6h2+)gVF}ZnDia(xca# zTBth*KxvwoW9%J?Y$(QEuDh{oBUFv~z2;;NbaO-5bHDlOd$lv5R=M&)Y-$)?F0Cwg z-g@#nYF2-reb@+K|H$CM4NUk}Bl#~t)4{s>5ujim_+?VtEuZDuW!0yOzUKVB}bOIwl4TZe01i$me#5!{;omyDMDW_|zW(V%} zfE0Ym*DS&8Ga2x<*k%gW zcd>0l1<^8`TU%{t9?l*0jLQT3MmywJB7CK>%{Lm`a0Ju;%Td?m!cwj!#-*MH&QBW$yACrRyi0{lGnQ)vn<{K z4P0N&pjm?VCmbx?EwFY(_!3~^ZS9~Bm0CFC{8qv|F7bD&+qyH9sm{o>{W&`1C?jx@ z-bk~?19tNN9YVk{>;uMy4Vq-i>Fx5A2fOYR7zZFqfdimrsd^CTiXBea92g5T2UH`H zQTM+iGV4ykF!eAsN2MI`K&0!2hJ^s&|TI8r$H_$Fx+t%e63N zTqB0)n~eSS{v}Wo^ovmlx)oAE^cU&yRELCPH;E&dTSl_!)X^y#wAQMa5L8*i9*M;V zFpZJ^|I=EbyAC>dW{ROB4X+OyfsM2W(=Z!AuLT_(i)8REBDARc%6)~dI?OvP=(;Ul zJEV;TJgWVvG`?eWeE0c=d};nXZuQB=4-ha|*&#AI!4QR}JC9uZYU9p|9E5mK&pL@< ziwj+EOE^L5Lr>271;T4cIrfxkx}G?x=w#^J(!%}`TV|t@W5AXW{v)RiaPg<`oGXuq ze(fqaz+7?D3!w|>8G&L%-4&iA`?~4La~gT6$7efbxo5MSKxP`XzhZ*<9~Kg4%RDhO zL!Zvy-(+=RVY$P=(HR8CBs694@+8U57?Mf7OjHQgsIUKR&ji!#KmCWoc2EfQ#T(8X z3~|ZxxWwu*5&MDcn2-G5fkbyTN#J3v6~1pP$PoD#Dzrvt=b99_lE*LH4R($12v!FD z6Ilq!x&HxYoZxW_T-th=7HT*J?V*-QWiMnV>vS&a%{IhwWz+3Yc6GxpF{OVZ?>e&I zu;kyVC{yGuyq1Y9C((m}2Q9lLfO{QBZMzf;8F9MXXEdi~GOvJ5Fq%JiC}rSFG*(VR z7w&89R^JhIzC{?L8UKee&<}+&;gC&P0DCQEvwF55sek872H9rRt1M>#biWkjhBPs- zEkZ0rMe0VN8UI)45Z>;Dm)LHE-S@!j26eg_daaSP*l0a*OqplsGzRm7)$^=-P{wln zfUzOU<}_A+edEV$N85Qt)8jS9{is0L zeU0|O)1;71R8!jfwuU0sYCrpoII1RG`>ePoRauasHld|MfRO$AV1eK{LOCmRVmWeC zWugEQ;0y&wwd%nw8@#5F}v5Nxnw9OdZX)2=4)m;n^p+1IaB^&oj10~ 
zlS2Z`=^!)mGA-(4_kcFsrny_$8gj=b>f2kD0PfYQfLfziV0QAr6&CuxlsIzfWAaDB z&m^Hf_L*%nK9cW>I5_W9kJ@++1JwHqsK#7$UgV2&_B*{O&kTOvTfIxe+jj9rZK)=> zcYosurEg~`S&K#2SAYF3@A;_(O)yO}PdZ_(?ncf@V8fT}z8zMt(qq9F>&b9|R>j6x zS+*zlKZxDx^YTtkT*_zBg6Q&-YYkUZ*;Ch5lrqiEX3WW1@xT{T^yVGtDVq5B+(p7v zc7Dx9?y6+RDFbrPDJ}4Y6?R4AJ=shte#h9;YicK@uu>f@QX&eqrv7y$6MOBkzznJs z5xC%!52Ff~gDtGk!7Rv44T*%CaEmn@AZ@2vcy#h9zl;$zhTDJ%&J|n(7K=4beAILk zV(7YlI;SQir?6111Ry@_(^AWoC=40V7$l%ovM?D2V$#x5)n9jeC3~u>2E3aNldAS! zcXy3`qpI4bolcGC;J6hg|0&?KT|WU(rEJ2N3FJT;9=hiHd%OozJ>K^IBeCn9P;aZ6 zYekVsLPcAX<$s)F+q-qjIu97O2~^I04tpPtc0M^pL*a55&}6< z2tJdN%K}mielC&#tRc;UWT2jY+T@0y@G$HhZI0;&OF>acCq5sV!YO^K7QxCbF zK=}8Z*agXsC;rP-OgzSpwG32oj{>_!2W07Yz6lExKI+TUPA;zqNJDtB0-=e53 zQaO6nmv2}Wmh*brY!I;9)$MJEBgL;jyjMprDxa#j&+VuZ`7AFZV!{ip3lk*@DbuNl z&1|<%`a*O;AKhBgjy1l{R3th)Qj^G^JcU*!VyLr_aHu)nyOyO>Ox>YXsB@Gu7-Mb5 z5O^D0E~X*~14nKslIo#D=A#gR&p{yvPtvpgU|p?;cPI@6K8IF z4pZ&%psm)5)qeQ;b2*qWCmoEi{L~P7c-y;Um>x|_U!vFNNHxnCU#Q!{DP*CmCA*TH4Rv~x;c)v{-iQ3$4b$LEMZEX^wGCjwsE;tko zZ1We@LytJv5YF}bN(O^4ifkVep;8@K?R|#TJ)}k?3WflcVY&d{WM#ERaaGA> zn>w*}I>K66>(0TqV$^5-_D=If+%WL-cHh@EuhMv<)&2!mI)(zxYfWp(?q?lM`6gZ! 
zKCa8cw+w~4;OE)3ur0V2d88uYG8b>BpJkPMvz(XIY&he??Rkssi|D^W^Kq)4Ht({+ z@8X{XRMFop+R<=Nnh5pSx-)W_(p4R8j22V}DmdBePqrt@gy_p_@r*qZIjQUM(t!_< zR1DlH!Zq2po^r|R;DKY^6O?~r(s$W0Md^?vRcUOcWf>(ho5txD%3g{!i_pmc{d>!Z zusFXfozj6y=1K2Lyy{|+YoIw_(9h>a9>YoEwMGRBq2ZsAIV`io7i&@{Mw=uAsV|p* z%;H`=Fv1JOj3k*SOtTgP7`z}-!hRm!^$&b27ZA_M5j_4?zv{w?>dxc z48Kt_NPW5%w~X+yN6D!k9h9(%eiTqT6uN-q?D%M?BOsM^ELA)uep?>$P9 zhG!o;ocd@o(HpAqvBmFBkXxrDP+Ngp{Ei5lPrdU1=^)L5Tc8sfNtOz)Y^b1vwodG} z76LI{(7rGO;`QeIROaR#_3radv3FQQY)5w7y|&IA>^zyZ$AS%1TH8@YKx*9TfSI|M zpgky#&Q7L(CU3?Ijqn($2AyS6-HKwJzryGg5#>s6sR2}R9G;)}pIhK)PwKcH1j!f&R``BK z#EPA`(Kr^CQ0yX*F9V4W zT1Nvujgpw=I$002e4&lQs%n5V7dz+q_ECdS&YYXr$PN4CPMY!5EcM}pl&4HV)Q_Jj z;yXvoA2B5E_{;Q=WX2R2L*l>~s+9jXhVaYg-ESvZ64I-SH>7DYTbLDDuv?4*i89z= z7h0$<3cJ;;3$xMkwoa=6&2H-R!zb5coINRN$LOrM!hA-X-zu@E=8Z> zvHP4OgE-;a4@YOjtjJx^(@g`YjnO$Lko;9b2tzEbAQ5qKd;Y&UbD#5$Z$3Z{yM$C0 zW#n2uw&mx6EQSd;WGlsr|6^E%2$Baerq9YYFFs=0UH5!Uy-_?ad&RB!uwAtEMzDxO z@mguwebqXAtq2viBI3qx>tbB3EnzNhPwq{H#KvLB7Q%hYY)7#ldgtva-zQ95UMCBF ze0MU82JK46$xez?^OEj#K=aVOozL6aP1~%Q%6q=7UAisQ3tl$m7*q@Ebw~A%qTS!h zy36yqENel@8l(GhRChRJH84lqIme(H(`ZI!1Z9zM%ez@%ki$csBM_STcZwRbqsd zFMgC2W$GH2+ilGUL{iUOHo9UnBLre=7wd*RVb0mp_KFUfM(WYhxGJ)0-n~?HS?E9~ z*=D2$63#@Q*S-D&bPK~q7qvtEku45ZV_!RQa)LwGPm3?9$HC-lO-eqTZct@K-aAT_ z;P`TNE6#;LGbh56Z31tyXm_%ZXUuT91m-@N6tJ@rre*nHi6XnCr`%y31-L&A>j~-Q z=N#rj@HP)Cm z+iX07y&!?pzb+qN^$I_uExM4tHhM)C4} zvx-~2;e;{5{@srISijs;C{RJL$WRW;+x>p>iJV{+=?ywTnMwywup(b;!xZO8nS}9c zvGMGR@6SnBpE|~tB-xFX!kR@H?dk@VvOUq#l$h;`oY(Q(f;NGpG9 z{PT=9{Iu@+DP8k50Km7z(-)G`7b&SnKZ&>_{?um118yVYqIgSZ@Vx^^?|C`*rPzb*%j089{1s@^F{mA{O0T=8-h?^atsn!JB?B}^$#?`t_n~-3%gDhKPS}| z-V*v|XzB`!Q_tt?^^Yf{*RV>lS-3GcIG+2u`+bM!L>ga0@=r}qh!E-z z`vjxS;@RE>{)y#@S&b?a?9YKmml1c}ESY2R6zI^@tyvmOTEx?g4OOrgF=Xl+)R6fpbl$ ztVW2RV=nf#Gd?4R#V7Oq!Ru;Tzr=TxC?$%dL^M{LGx|w?=*rp2Xg;NJu$4La($0Q+ zNvrp!nepgsd$2{4;>~rX6p9VWVwRE&n_eh)!C0c78?8E-=Fjy0kr317bl*0T4c>qW zF-?d$tB6B_-}^?@WE(zfbV+^+RMN{Ul^&V{isH}U>#AXD zPd$9yatjK;WBnc*J2qD4JHi!iFNn-G2TNU(`S$=PwNm!%w|$H6rq*vfy!Zik_wP$? 
zj@kxFs>y46>aE)^Fv>}HGLu4HB;Kkoj-Mxo$}?E{0>izVwFt^?K<)yBU;jwdzBiS> zn=rP%J)d7|zteWtvDIm6_1HFMG<|toXszA3ef{nQ4Z@dGhUj0%IdQ8HJ;;5J8AI^o zvOulQz7_pnh%qHp$Lrei6zj?cGE#NnJ=3~I@Ds9Z2o|n1{#&q$#1hv~)of^t%ezg< z?gHb|KNWOcceGwZfa%knOJ#WnN|oVK?(c!oquFJPb-8C%>suH2kq~zCbYy0E;A92Q zYMN37*=2W6q>o7*pqUo4Ltkg)r6HC0PRMR%G)GJ5>e`!TWh@JCrt2Ur9x@sVP?J_) z*;xD~M7WB%jA>Z>StKsj!9kpzKKX=`fwY99f@pAq_K=Xje^=A?Z+d&ZBsKIbENZ9* zG;lP(y*ZyIDjxm3GIaE|A?eI|b2IF86*|4#xOOS=PS#%9diSc3-c22o@W9ql&f!G% zzu}(<|A{35#%Bytc?2$Bf3wR0_YnYNYon?*+KfPeXRYc0+GVW$o1Cx5m$org`&Dyg zZOYi3Wk4#YNeAD8sAiHV-lsmlyVuL~0qW6!ttMy`=>2GW3^mYRbMGvdg7)Q4UZ4W;Vvq=k7ZoIrDEsx895LV0yttHV z7$Csccx=#Gf5^bru#BVaSTfnnDs<%2 zp2lZQ8zyc$rngQ-i)MKSSGLn66EXgfSfaT__3C`=km02*SWA|Lt(#%$;u&i#!BDl+ zQ_C-2?Z3rlx$xkc%~q}0YRS83+(Q=}pv zyKZGRqut^?PllyNlm^{)x_GDc8!vM()91X}TYH-I zmDVq>($AFbX2+*D04*C#PNz=nkK1_SMIZ=2kx!y z6`6Uxp%e}VNp)h{$EiAj(fY3yuwU_LdHUAnPLw1Xk0(2msHiS-8@mFbp#d9JEfAPe z99+??d%*`0FBep}T!?P{Zjgx_Wav>&X@<3gyeDI5;TPKq(o2TRV2c#eT$$O6(% zDDjq5eOPRJ#^?B4d0@6htkg5sZk{C^KbYyvcmi1sk(QAKF#O4M#>H}cC9)Ak4wJJd~`ikbyE%NnE-D;DBxy23})0PKaEc*2pc78 zWw8W&>o}bSP^8MEv1z4OxF-(76|V z#JTe1;6R}H8&91^;APU3u?S6giGN`Z{J92G_<>VO?aS!u_4@^MDwVorTIu+xZo`yg z7ixd@3}3N$x?~Tp?S1QRS0?{_DQGse6hM@PU45y&Iw0Q}Vood>C`4or3!gTvzi#y@ zdfOpIUhPnHg?)d*3)yXPDZ@+-F;T!sz2=e2;Bv51uAI;c{QmTpn_9Di*PW6SzGKKI zK}r84o8eKvj7Qdk4U=PO`)ynS=I#HMd3(1Dlj<3%dRqIe_4NZPV5V9RBi(B)!H!c< zQ(1e|HNR86Et)cM%~u0s;n>or_wq1NL*WYg_GrG5yRTwgLyr`I*L^H(L#-UyKy&uXu8oUU=2GU54N`Yk$Rk_3 zsWSgG#^xU;D`JDd1&L()}!sk18Jc34EWQXl&&+Dg1v zs;5NrxxiO8V$MN9Y<+f+R%lJF)*b9wF^~3ao7(+@UL4q0&p(S42d;U^5r~oMIa-7d zucuAc9XM`15F_KoiNuw>d2m?%4kd|igg3vG1)0brw~)4XD!&%zxLfY?+MuzJ763dQ z9=Tm{iw+!XH&KS!VAeT8-Ym*_%ufzWT8MeYS%3GcsmHC^aqk4&q2ZGeh07#PRQHY_ zKLGkIVIIk7YjydqMykfPi|6EHR4Jsch=?^VEYBYj9Gc72E(QPFvS=Sr7q2?MwZW8> zei|&o&I!X;On)DH4)VRu_Ma2=VmuLbt*h2}8+{(mc1UrTJ3MV+x5s$B-`lBoLNln- zQNq}6&*u#swoPTA>R|Tf<%jRe29Uiod_1o9 z>{2+%_)&J}O14w?To(n+Zg!JV62*45(?3Uq-@%Js`p9!II!qayU=I=bE={94plceM 
zdl*TvhtuqDP)_mKesYt9;=!Y^HrTZUt0EHUVj$-S2~9xG$e>Z8K;yzv1)ns^piidT z+!VJ=(>drNWG(-k&TzS!p8U&{2)ITLmUtL^hmzPedN=>D0lL}cWAp@tuZFXlfR;t3 zBjf~q@0W5qD%E7t*2y6CbEQdb#PnLF&uW+gXT_m-H8|`7 zY7~LBgHf!8$bkDCcDqJusa988=?mjIf2B2G?MMMPG((ASE~LGA|_qnIoT}Oi^m+!#LJiLFQ&O9ig_Tq?9UC9+rDYMA=l`NJ*#zs z28|>63_f#ne7tF|NO8=E9Evoh61J1O^9Y({rCaitL^c9449Z;Kj2Cx(*VSKRC4_C`L4cvgn4jq!() zd_d$~L(ZP*+%(a^>27y{W-&nWI6dN5J{DVYI2bB0V#&Y%@eF@xK*~Rm?~F_-*OA6E zEx7OUSU~5X){ysBEI8sF3{-y_p7zGGk{jEM_oS&=H<{Td$;a8jF2xz%<1-OMe%IYlveW=bL1B z1?xL+cOVJWsa>X~ z#s9IQeRc+KNe?VDJz1)!`_>gmT$i-^*oE$`|7iV5#ma#q53b|}^L2iEgf&Qs0L8dz zOtHHSRf!qa9eJ(fwSfIuuz1__cUse0jzJIv!iD$7FqISCz{OO_PoM1F2Xw`CJ~@Y1 zj)4o5uWq&XI{CCKi%v|3Aqjx)6iL>D0@$}i^w;4xxYD10Q8C{r?C?r2@1RUKwBW3z z=@Q+qGyMpFtF@t6;|7ZxKP#zAP33Nt`&#u=Fx8`}XoXX6i?2c!xHJ5@uiCwJ8}RLhnu6zWQ@8| zxj@~M!4$;*%*Z^$1lscv81?XJ3Xx;fMCFy+3FN3xm3 zV=-CM-=4Wzb#?)6qRZWiVkamHEjDNVz;_c`2n>qLpT4r|CgU%Qd#kApQcF`Gb*2Xg zf4Ik=_rA90vJ8Lgv+Il$A%la>(3>d!^}eF=GfsKugNSN4o=BIXZ*6$oTKb&A~9_*m05= zGY?Ct_mq{mMOBoCUu(I9gEaN=5yH|x}dMT z0W*;nTc`u+Rb7T`r=EA6bSl4T+Z5dXC7faj9hzVboDvNkkhjW6Ed12O^Ot+a1D2~-M_Ol6dC7D6-i_U%A~r?KVm z_1p(%;%~%VAq_tBqMIjEwiQPmz3`g+K5d<;?;^%t#PT!nS|=%{=F#zjDOW|j^=XK+ z^E`)ZxPkA7wEpPnjOWJ3Tc4)q-K9zeuxW2W*PI)EWBb^_i1tT5OfKa(kYevkd712& z?!w37aYLrG*#|S_RX#b3*C+}b{L)6B?AZrsDQzIm=UBb>>^qkMz3Z-8 z3jce5w+5u*2D(d(@vslcM)?6sk>AE;)_}5Vvs=Os=2q&nW-58errQl*sO=$z)UFll zMa>UK``1d2VN6M{Tk`#7SBT|H1VOG$fBI1MI8R#l8a3rYkQbm2-Qm2O7q9n4C1wuR z#@mNEQpJ`GBHYY9acbH)w?zwtHR;!fL9moyN4iy7$l1-J;#4z+F`+}*+Y={0HlNL_ zMtWBa{ts%~7e}^?9Zkhn8)cI{^X`D_KgIVev?yb3H#z@ ze(hCZnNecj6#=%G6V$z1ssUUr^hPp@xwQElO50d@Wtl#~XG`$+mXgRlQRuV7>K}4G zR!=-=TyW2wSEJg~45Sk;5a=c$nep~1dC9ClxU|g<1X&I;eYDaPOe&=)n(rr5H1)qknOzz2p7(94BWJM1Rl~ z|7nw~I9jmNVe7t4?@}Mc_2UGC262sZ-pZW`qS)j6SNWwN<}qqUj)o4h&>hVh{U&Oq zr=<$^iITSYKyfQ|oH$3caw^m8XA>HSsRr9q-BUeZ( zT|lYc_b$SG4+@x{)1N90GliV`ok{YdWykLpZZ!Vcyx~e8Q>f05V5mDoMyf>$?1w6S z;#SVBogfOl>n&{$7u}0idc1+A3*n|wbO?B-iRgQ_iEk=V&m-s{;AFO z*%vp#+h21zieIzJ`Hh=bWRd|@ifsG)FMO0?TNA;>$EvrfrAR%-?no`nIf2cTa=qKZ 
zj+YWX%4(Aa6c7*|LIRCsM8s`qVBlOtL_}y{tQix5T*e=FLr;rN8V~~wh1THP8Jc6i zgMt2VYQ_ygPcUdF zyEVcyn;Q9sA2T|lQE!X1-x~~&O=-6sL!{Qxj~qEpD;s$nbAs}f@>lCx48ibs039wH zD@)DEr)1;{N+tM&nB^8OniYMMhW9}0jA54kZwf6T%TsfbtYP49fXctDad}pVTjQ6| zw8Q*(%J*?3fe z|1#-}s|*IfBq{)tnqtj)#LrUqsT5*fwG&W`Z7sC~3lJ&7YrD(l#a5 zJnT+a&;FQbJ(TNmO+#dn(gnRNifX|FGaR4LzuqoE$W9YsZFEl?q@s84aYyBu$b#Jjh>@O~%y` zF)(dPFkdHjjAX_=R)%gwIv;B)3t5hqk^alpT2i)}Wv0*1ODP1TF-}RC5#=iamlpf4 z-%SJJzq*)L4+j$OhTV954vQ{GoJ(RuVXDvvpGjqTIZ_pfPB+rnkw=?GWa`)QrRPK< zZkGWTs1gh$FADWrCD>m=bh?rbbU)UE$W8OKMyDh)y;TpYKS#6hw+h%_97UWK5dm-% z3BXYrMfu`uY2KzE1NBTI4cHB%Gs$ozm$KEoo0++#U%7B`M}Xp^o_=h00w5vzny>KK*~bb`bm`eh1H@JYZFz0CZ!HAuxf=%K+V6axGN6aFozDp<3p&C+=aM(0t=km zg@||pn@Mfzf6h47piXnYp8kv!$MnN9l_;eEl*i})!CaL41Qq~udH~E-?+)hB(V_vv zP2bKh80$TKz$<86Y?g8Ni}G50_g~5>Ze49s8rqpa6&a#-gM%YFw^2dUtJ*8TQ+VeE zDXoPM)YgWQc*`%V7s;315^o-Zq*FlHFq&^#H+h0)ja4a^La5N+pUOAntSB;EQ-1J~ z-N7A!4jininA6XfQH&Xr486sZT*fbPw&l<(oqgW zdpr$FS$hybFX{}@_Z{X>Fv{XxB#AGIla;2u+Md~!O~?q<=EQX+Re!8Ol@Ox3m)*(a z=AI(%x#bBI^}qwpJwnpAf_u&iGye<1AU%LuI_f!jFEKig7;a$cQm;o0V zvz1|Ybj4f#exm}u?SQa4y!RM{daR@rXiu0_!z!+@CFL~tgV3sM{#w1N3)oaGzqcZk>aTcn~-@E8tI3E1xfCJ$n1ViJ2k|aF@YND<y(xO=%zO980T8GEt<#sfrpkhGGxUIG8IgYLU`}SLRNc9+B&tYF~jAaxTxXBCXjdtz9al{Pr6AMcQQhfZN8X;&i5ToVa_G3H~H7?(Zqjiv)t{^FRRf zULY^OhV#+-m*8MNL^_BmWAn{jR5~T8>`a3Ob1P-z zQE$6V620XJ4@>(;G!KpmFW)n6e~_*fpNE~+eWe22*jXbYct20bfvm<&i^mI*PVAi?w<;z9V%_gGVW zVtOZEzQL0KXpThTv|%#tE-axpOA_pTAp@1(5iLXc83^uy$6$A`MzdS}R>QFh;W6sO z&V-HwbFBjW7hT|IMKFNfQUP?HIz!<#4!CwAp8#ua_Kg;CHd&RUH1>&jtQ5WDpih@HPwjC zRTU(YoUoh47f6*-?%apd$Uth1j!{TTcT$r{P0q`d1&`R?fjoE zIdSs)ThgSTw0^JIU)@HQLJW>yhbFMN*kcH@a|RK2E#P(vSwa!zji9bsLgOWjwp*`E zHPaalj_fzskD}XshpnfgJg};~+2h8!qDmS6rpS-2$zuq;pIIPA4}MN|d1LkcYhsp; ze=Yk+`Q?i}_(O$YCOf>j*V^Zu_xaARL6@*p>1y*cQUH%oY-}qY6jKu}wBf|Z`QI*y z@Vz_V@VQq)!K+QZS6vm3|E%AOF z*o6oV;e0w^GhrMe_`8Tc5(0M_%WV$E+%yxst?Nz=$qu=q(PpkVQ7kbwwv!cb4&iuz z&73MOM4zV{MBW2OohtLL4zIHG%rqVLroD-!ckh2Dx3^s{%LJRh0<%?I9Uv@(Dm0)w 
zt59dcpSaLPBUEJQR4d1FegEyQ4qfInv4~j7T^neEf0E$*8tN(3j{jEIb+?haVOE>9 zNW%)7PrGlaobqFux_<16om=Mg(O}_T_}ta5YJXSc^R)Om=WD+c8)cZv6LDp4I@vnG z%&iMuvp__rqQyaZbj#h+b4<(PtK5(V{>gVzm?n|Sc-sp+9CKcrhD+`$ztMpeBsk#( zX#U|`?2^DGQJw>@ZZ!dwMJWN2{3TrXb=LkMrQ+d>w@ z1e==lr0erfqpJMp-VBYk8Af3{pl>!PaOI_le9qf|TL`WyLUffDaEtwZ=& zvjReGK>NfcG>wxyVn%za>gWwV9<=7+n5?E`N2F-i5HY1M(<>W|6Xc)&utPAu9GM$i zXH1&wdcR|O1RPI6Y`IP;s&u!cmkw3B z5>Ea+k5fwa3-2T^-^=2-+dAEBKbEUQ%r3LjO2Jk>8{$k>{k9yBF0_vZ`pQ>X>tmnJ zd|B*XK2HTZIht24i>j3edEYNWmSb49_KP>FJkd8=K6kHX_kG>AYuZ*j`Nia$J7uJs z(D}1XZ{Gz?>u@`yzhN6u3&~fC9z)Xz$--1^}LjgyOzO-%vm*``Pz|N5w5^AlBtLAMrynhuP5$;Dea*4Cx!wEY6EP7bfq)Hv4eA zf`33etM63Y^i1(tQEF9X*^1s(VmuSnwr}be$}*BSJ=61HT@?=@-Y^|s#oq^G@g?I8 zQ&GZ+ol5$$og}HjRfAcoo=yG9Kc8IB@clgM>M`J3*aIAF=Qo z)bc~*xA(}gb~deKJRH|}r8E;;&3vT6-=`BfFM=2e@w#x@;6GZ(C!*d;(0}1Zea9Nt zPPnbh_TYR7M+rkKYm&ggnGzCC^{xJb{iY)f!OtJ&dp=iV@l{<>h5}X@IkZ}%^0uE` z5>d?nD{WqWqA5*TLmW;>8e`Pp2ZInXKmKv}T$5!n&_45RcMUmS~=4<5>g+%r$= z+N(3;ThwOH=kc%Ts{#B8rSz{#p}s=gc{j#Z#Z(-*04DHas+E`2DzS% z-){Awn~T*TOw6VbHt1ZU3?DP9qskX5^i=0GQS94u-c+*hPLC4OitD$-ID+733O1PzCF!m>cB@s3KW&e;w-IfH9TC|U!Gu!3JuF&(Z1 ze6nT{@^&h`{qkY;kJ=3_dPH0USW}ME(#fS7M)xrN*bK5^_|uDinAIs^FvWZW$CgfX zM_4)#$0{M@W8$OxRur7n~TYb&N|Q?90NLE3oJxZw%V|S zIa8a9a<0%gdwus^`#8&Dw~}+qS}I-3EcZD6xR?;`E4q1%sU#IvQ}QM=Q>+_^H`&#$ zJ0MnVIO)P{Biq0o!|v1Y<>V`h&_pV*7P7c_<{>megE6f#lAC2P=r_yAE7m(v9j9rM zFesq;Ly~kCf@E1UXp-28J_hTY%uetA5fO$|`Hgszmjm+B8Gs zChNXfS!W^3Su-paM!s7ngAmL4@=4~2*L9i)%jy*_7t?vC+Zbeb-qDn4Xgt|`ReH4_ zz_j^D!PjgWM7JP97+0Q;*~8cAYFT9^YoKf8nNW>t#p{QBJUWLgg{jC`Ez+fTqoC}6 zZLnY+`NK3rU)YM556e^cTgSKKHa*piZC7=8Ce?3O`UBoB)PuTn=W%H>mJyv? zrayVrlGu|zoas$x)o0WrT}>WX;IFq+qEU{iTF-;|sr)%xF{~b8U{tpoUq{gld1;90 z;SCq0O>Xou1nQanBB}Vb7Cp$h_v$xQT4X*7iUO=j{qWiw2J;?2Z$A4Kzk+=(=BDT? 
zDhE=f5pZAD8>?S4(w z`=g4@T`?qT<}_!|JR15)6Rj%iCeH06_OYz2E4gmh=#P#4(^aFrM@>G8%I4zq3$<<| zDNTH<@5BK`J|#){S>&}R>_)jgzR!#vo!PW)0oiv2s#D`sjGOt3ci-x{ecUy6)qcO6 zV7g@Ao}9%ujEbS%aq+&}Rcw3^=uOZ!wxP>UbJ6>~7W=pycym~{>D)4Xd$D|DEJZ{q ze)8+OQr>2fvRLb`d1$(wd-T-_b$%})-(+{o(NLG=84Baf%azlnD_~%C`=<6Z&2rm+Bksq>?fGPoPj8Bz zuCyc{xf>H{0o=-ERQw}nW_wTp`i1|!U-}n2$gCLRggjrGNP^*!Y$R#KQrWQf*_R6 z@&mrYV@c4%VD)HCnJI4$gdk!L=^^nt(** zeEG53;US<+Ij!_e*N5Gp%0(+9JEa*^3;ENNbje0{04~K$(MO3*bNU5V)sGeBp4boF zEC;Va8$To~khXos`y%aE7G1!cIYmv*+tAE|{P}cyJ8rkKxU{wC6KsOWgr>RNU)3=pMJ_hN)-wTu6dN9j?cx1vAf zqUUAA#Pi9x8&TKVNxK$@=RVGhgG6zqYN7~ffu3s8w3Dz9^AaiW7fpq0253zSQ$r3< zus_GB3{NA>5NkYzs}#ewju!7cem+%5H9-R6>_ZxqE*( zQn0o+@v2+RMJn_?62lnXjkzwO(WkQZ=|vy6Tf)A*E{9G0@GK}mtsUf^gwIF;9x zg7jW;ApF^ng>q@4FWI zpMW?|Zm$sNQDmXgvqbeWDks6kvWj860cHbF56(dzYMc@4RyZ$37SFeGG_K+Q;GVa* ztUDk3*({~5JRmVWobKPQ<`GZDRi@7UAsc<`{8aAb7q>EAhQRF-N}XHi#Z@Pu$~n)! z<@;qyocj%37hbGVYs;@|GAHe7snKQ$Sy4y6y8S%c!ztd3s)j`V;T4ux-cY|6Ox|>n zQQ;^j_uAN15$-F1(X$UllJnTOH};RUGcFY$eDLz;LDI?@3U_ zV&bGn)q5}aJWIU9}7_{3xi4D0kwnTPu1CcfdrL!X;MyCTfOz}g8Xp{$Y#6oVuCp)PDHBi*ND{K z|GXtkFmFOnL4D*+ypB(tJ|G=QWFgELf7*U^NCbKL0T(L*`ac^UY3vKpOnqsTNS_RE z-~pnvQz}I`bn*cmj7*=_m>2v>BQK!@GKZ4T5J)T$hM-jC_ZEY4GUf%rIyr#%AVd4D z(x|5Anuf*rY}J0k9}YfbG+u#Xi`FGEOoHYc5k0X*&L|0jB5JXN=1ZBGs}09jm_Jfq z%?lMW3Ydrs!+a05Bu3-2|E1YikS0Humz_bXQXl5qdtmxc-MLFkIlhVe@?xfZc^)-V zgs`UB3tjau7pcuvZ#A(ng#sMQ;*IK>)MY%Ci(W*jh;AK(GLIc|ypJYw)onp9zCI45 zANfMbTnlRgk-ltXs*5*`(;gmej2(`fR$qq2%YaW}H?_OchUjlR>r~5A77nLVs&Qzf zUPh_bHckT~uXDf!M)n9W!8{=DOujs9D5mo~*?|!!R%2w#6Hvy*H+1)J_!2SxaW3CJ7SabHoP_0wGo3v;@m8*VnTjP&_fkFAKu|ycYws)PU z+jJpRdVM{t<%dziE^SL2(ln!5Zg_;JS+s@)GhPf(!NieB(fuk>{3Qzm7v5#GR-tq> z>W6wONkVxFLxo8_f>uI#;s{?L2_5yfI*2f?fd6@j;WLm0aw~HoTm~h0y~p9jn9;Es z0+_f_&Y6HG=!}dr@{zThZT=(~JORy0%m_o2`Is-ikHFTUGnD>DDD1+ij% zUyjPhii;PTRP{p#j>W^%+{&z=P*36KN4ejQ>uU&PL_T{Jv*ej+_j%KHR+fY|xXsDE z2GT2{2GXmw5w1HJg>VssksjMA4!fga z{~ISM4LM^nwjUM=4VE!RHPe&9G|(^r%@mWy`^Rg=ilqa`dxo8f-7yzCqOquMVr=>kC4I8s7KGSr=rV4O0B- 
z6wAsBA2^>_UQ2ZFw}k3};>#z4(2Vw#z#>Vq9DadODkCV_bH!M6@%&w}ce*<;b))=> z-Y3QdJ7CqcTG@thsdj#K(6{h2=>KZGM`_Pz5Tq7m2i0qj3>o6Q;gk8X9na z{f7sJ=>dFvS;cWJhUp%Wk3&pwY2=~$*-xEyX!Z6} zJpDZR-Ot{cIrV)!+{{Yge@=rezJGPm7;EhPN7+f^qK`G&lz}ShPnDM}z}{`awRN6# z>8L7NwOf4%yZbj7s_PDHqoPXBwFF^l*R0WpE#1sZ=1O*Y7o^~RKAm>|bkuwMxD0xm zt8fC?U!g}YC@(sSUqviPZrxMXNppuV3s~>N&%*esc(z=0oq|mvDnF~wzuOJK7hBEkJH zN)bMcjW|Q|-i(Swm`WP~r7X555}eYVPEv@uA&-Jo0?Us)W7|)E^P+ox-!IJ-<&@xD zT$Ic`3BNl;YkHOz76XHtU|phI`Jo(QWrb4Z@yd?1!Kte$-LI-F-3CIsi&bAttw7`( z?7N;HL(qrmgz;2&rI-kzDfEj223l4*PsAie%pv197i-D&QfSN@kW~MFqbE$Gzig~L?aZ!zy$)0fYBsT^)bzOk+lrP7jXTX!rQdkN~|HrB~qQJJk#mvSWAG-=y-5w7L=dX?Vt zy#pk~gJ}>3vP^UF`I;LuJ7x31=m6}`xJXn;5pX(S>1k@8cL@3EXKd?5r`ye6v|1?AC*r;E1f67jQ(^TQwfvpmiR z-73Rn&csx;+|=W68NN$AzLe~Dl!e9@3^@2)pp0mi3ES(R0|7;u%1}_ zP7fLF-m)2^fu71(JbIo&EA`kcmnrLGP%vhS=W4A(ERe9?xBr9%55w&l#K&Pg>N1HD z$5NfZ*z~Mpf94Azu0FlAQI7A&u_Vvf%qL9TYhNh2ODLV6;g;#RTrm1c-g6)pI$GvgXc(MAEpa4jY6?zv}~y0vj=j#S230 zw_-k?`m0E)CDuL&CB8%_{fwsCLg|#Nh?>fyJx{?+6oNefE~x zXu`v0St9w{SMdL&RFD)0K?}1{MGZug!%d_M`v;?t4ora2oLIiQ7++>C_>m*op;m6A$=;-&IQeiJ{X0Ve^2@~KO} zSgs@j)5Ay#X35*h)zxEO@kLvr%ZZidKgeYq$;&U$QXV9vQ*E~>xr8;|>2&_`>e@Wj zt#WFym1|0NV>F{qW3=P|Oy=$Y2bN>l^j-Ef4y=Fad9yY*IKz{=)$=VA>29wlaCJ&) z3jKA00A51Fq3-=IF*;c>mGN?v!B?OH9AfS-;kN35yLr_az5ocfg;?Q}aL6YMR0|?( zov%IZVdNk78<>@FN%y-rCSCmt>w-BWDRfm?rpww=g33}6ZaZ)^Xy{fxXfQHmS!k*^ zD8!ceaH?G{+tXp4H)yIDh9EzDrJ=!qcMXYcrY8wpVx}=qHQ4Pu&2|E|n1SITHbXdg z=znttlh1?LV0G?OX#Ihj&3o9+9m}3D%nYr$zp$)2N9~rxQhPJ~st-KPmRzHfzo?(s zyMTk^l6b2DKS-sda4y&@g4*-x=lK}5DE-(?X0nT~W}%^VOPO67EguDSp_$7c+ts^$ z80%W$q8|Y5eDRA(cKMJnOAg_^n2Mo%9yeQ(An{4I|zf~XECdeP}(e8_( zUWZwfM=y=`4H}zXatj@_M=uujDuXiG?2USBAJ-w{3J#u>CRhpIqPk+lfNDlJ-NLaY zvA2+F3tsrXnh$h^FB$$~jw6g^qK~vVWrzfP9O*|mOxcrOsIuj&#EQrvByc`r zQd+4bv=-SUd~xMH-ux%My*z)cLZU7~hPX%TUY>Ll>0RMUqS9N9TZ>g;EdGae*oGy2 zH7Yu8JS`Vi42Yv|ffst~mnyO1*Y_Rv{j>hv$9MIHM^D`JQ(c`1nG%n8QE;g1qgJ0A zQe=UJDb?dkDd1n5G1D>v+heGD4D2xwAKbU`<{IEZK>o?J(FO&ipvF!o^)pqN%aC;~ 
z+I8UAXXk$0)g3S(mb|LIMezM@VJd$v{|uWtzlhXz@uTa)**yJmL@f^Yd(2~6=JWfN zZxg@tlT_&l-NSAv*ib?Pv%n%G6TYXQ4B zv?-!-{oKyR7Wy`<>2p!Hus5a7oEBj-pZn7{Q8&A3cc)qpCB-a7g}5M0<$v#D^QHM2WE0m(3Kh z!gDxagOAz`$@LalNUHNZ@#q@}4oxS*A;nqz|ED#FZy}MsY&M9p0REa6zb?|_0}zUA zcnRh85mV`7oQ-rL6;mxCzn=6{h#ht-R;!q>b!l1cK;yo62)L~9suS+ATlGoH&`A+j zrIa-BU+|@!E7=m%Hs<&VjLj(nw^;Dy-=&d4)S~qxF(H8>yCGg{{q&QGID=q?mZm4Q z(2d}=8lF|CM5O9wAsd+ujp+v(!u9`8W*MoE;IhZ7`6uXjJt^ZiR5V0Gfy^zr)SXKa_PwbDJ>O5(ozsS1mtXQi4WcoU|`0`kQj6ZC@Om`bF z9!|g}Uh!qmkEQA5EQ(p%(9EfR7Pwqu)|fZ_V-+zaTO*FXwNc;Y=#idtz&(q-6 z1&c;I^^%*)XVk6V5^WyemXiMCG%;9GGhx;U+CX*Ui~!#JJmqi&2L9tu1;mUsE7ZsD zT-qnl25U}jLbbY;(_hPRnj3u$sIzU`R>kVJSgveFoWHP}15F-uzg;3=tEnE!Zs3ia z@=;;6*!f!ih}9ZkYI!LH@ycq`hCq<}tv4KL36KuEePBF>p*vT|eMT??2V2KaaQ>+%rz3hL3{c)Z#j1hTu zc(s3nnXV)X(!u8TWPS%sRoLi*V(D5L?=WK&mV->LN?~ z2WaxGS}}>!$0MUKIYO%6Pc~|XpuS|>`$w6fP}eq?B^SrHRcdjUWt~|TL#ZQ45U!1x zyFEGZ#fmviwhs&JI7ysMf3auz$7-^JL7_+Hxel+41{1)MS^rZc}EC1GXWZ^iU=U4~Gim zPxL1iJ2(<>{!#(X-+hjLs^)o-O!>6fzO7Um+{Z49$79vAXoZ9!)M)P1K&w0A;Yhoi z7tyXI2OADo1t}Y0Q4aGY81a;EQy|I(E-KLf)^C(C1eGDioYiUsxh?>=W3!!!9=9e8 z(Fi@Bx&Cy051nXtqzC?}Db9L13Kv1Ppx^pGac@ zEs3&)@D>ky$(AbkkJkzpw)h_{!F6Qjhp4s3uWkOtbR{;Au>y+UXadPMcfqSgF|5AR zkgVE+_QOQu-K4fA&2yq5@PJ96#1g~r;_a?;sbH*IuPhPnM(j;+7OC{Yl2(tws@Y4t zwpOc}i+1abEAMn;Yed_9bh(`TQ8`qQ*(8sD1k=O_fzzS-SQ~QjUyvs@HW`3gSPk1( zyTiXPm!_F!o7Tw((oF7$s@d33Mo>s^G~QHjv24ja*>}MHLHV#T;?*v{b_Xl~<+lY|i>HDFDZP=GbD&_$v4X38fGW_KCP3TRbih3oru zrr6SaY7bY0E>ur3{Zre&JbKJosyQ|$Gl6>WsJuoe`w|2Lyn^$k;?^j|`7U78z2*Le zy9eE#2I@gTc?|B%9MS$Cv!4k9=gaOZgAoCY?^H2Mw7F~tN3|q|8sW$(0h!4-QC&)b zVSxc1=}{ky@887ypg`{xe^wxVgY^hT8s$^n;aoIhsh#mq;9|FeC$B0@Z>@m`t+2l8 zWYM*Waf^5UWUTGwPafXFSKg{FAaW7D%EKWss2c3bg|~kXBoknbiK{+KUwp;eSBngX z+?S%eieNw-v8b{>xj%XcFwT=bYMdM$@UuUqT}ZHS^KTywWzURbsWkQ(nfO+G6Ch3t zZzweW=}-5y0i4?^(`sD+kC9j%>V-rYUFih2M8`>YSwQq5=PQEcP~A&k*@>1~h{bBk zDAcdJBf?$(g^y+7-hP9s2grYU=Fns5hp+bf8os(UrIS~zD%znGNzq4>NLq&(@gAQV zp-oO2HPH`T@&3Pnm$?WIXjAv6wWS~6gmlm;c^Jx+M}eGus_Q*T@ARcDXn{28o4gMOK3!f{2${~uAu99QS}&RA}>uw~me 
zm$h)SYk93@+s3k%dGoTZWn0U(es}HnZGYbPp7(Q}_c@Ps^ztY63x%MqC_SR?qfJn3 zAxa{8dJyb80KQ4EYR7R1?1(mX;K|0@PtR9!Z8M(6O zEugW~g?OVBdS%4Ho$GVC%v5x)uF<<Ub(h6fZFrLaez234udc zu0IRkBU)rJyp&*3LA|>(?-L~oqD~+yF;GcD`)-T_FLIh6GamDcIvD*sOS(}T5===5 z^sD>fkEmP$qE-VCwPJitqJC$=FH2;1Cr%0Fx)jF6Q>dt2j<34pZ_Hww5uM?#Y(+o6 zF`Ta#g89}n1}iy2DyQyv{A;0Sl(%|iv|bX=@{G!XIn`CPmXgm__4S#!J&oH>MIqSx zDM(Q|pyfN)-&E!m??!z7DE$Nty|t16nMofw?m^nCCBpC^H6}S>hEmCGe;;6^({7%*I@y=v%Vi%$S32+U@Vz?T;VTwXy)s=}!pTsXuPJm~N##~I# z`;}Ur<+CNVrvcqDddtv^||J6aOpx8IaZ{dma=7|~nJwrSxqGtO{b7=pBp z&(9FIbr%B;%xN|XoP4%ZNFC=ETBzZny)iJ=$bUpr53@J6IydZ+kg6XxjjcOXe|&EvJF z*Q~Ix*{uDIUib6`uLITWj36(z0-J3yF-J}%C5M>tFVHD~4a!$|`_>71*F0dn@c0nu38bjuT|o>KB+iNU_0(DoJbp_I zfA=$?tq4JPnG!SNvyuc-8)NyZ%5}}TJ4casxF@33gQ3yJW!b%N7!NxXzbo_E?GVsu z(U2Ojsi zlcaPxd9bEw?)xc8m6TW)SRf+yYsMFmFA5xXlpL~$R+E{PT_-GyVGMlqw-)n7QYK1{ zMOQ*;9E!mum8>q9v|ELK$EGFSDfElV;OazQ0ZX`n3F_k5V%?%g=r#yPP@?qpQjn8I zHxa^vO;QW+>f-PsYkBoGiT%C1IGosn89-Vd19)nX^Ch^)QG6$MkUi&?k`e5y&D!&U z*3GlXP#Y8UFbO0W1mH9j3Eu?PqMPBxqMHL(eSiV3a|mLzvKrBbs|#i~t=YRt6BZb8xUQchN{;Z!CE$9^Jo#@rj6Y`kU<()WV5CPv&*pU zfx&ngH_s;O!2lC3eSZ8ABj9@KHeR0{pKbW+pEc!=;P?9V1*&2~@IJ4Sb)i)H`O(J3 zZzX=zQdQ9z8Yh(;wk-gsMSIoNW0uTOK_Gmh_0npNkk2|*%x$8F--L}&%p`-Tng|Pc z^}vw(`;A@=*VV-*N7QK-yBEtuP8GP!>vg#ep3Q;cn|wwYDj@}#;pdTnhHIMo(|%P= zALC6rxZF>@X0F$dgEPtGKuMRiiBPX4#Rh#`yB0BL#@H=sy9`HNjGYkA^0SD&HgFd2 z-a7AQP~+flP5F~g_Yp4hDHgGVqex_9TrMdUU%RgDJM_JT;2VLXkE!?i>(eHG7QLR@ zdb#&3pA&lp59ridL8ta$A3Tp|?&fw+pm6^TJ*5eh!gIw|Xf~!(goXVRMQ1Du<$3^4^8SHXniEcksiAR*V zAqEF-As`9I!kwYl?zN&SUxHmo$MBoEg1i1A|92js1a_l%FKWJkZ;k)hIK? 
zu8;5?63d=g{72$eWJzo%oPI4KUZG?$+E6Dki*s;Uxc%2$-Dgn_NNwjE%Z9HY(`89- zqx<(Zy8bQbgmz8Db=C=d?AwvXpQj6!P!m!O<+;R2r;Gj`5juPcH;Vq0b5Oy^#=sz8 zm{{1bJf`Se3N?5?7&A=G#JEjsg=6J?0C4ZaD|3l5E2IUE=5d3F0UaL1ToO@N5*2=+ zWSbKFbShI|>F=dHvugvo@v9k*@mtNi%Mu?5QO0!@2%ZE~RUgBR~YZ{9MGR2mjgq@kD@y}hA)0)t9 z24>Wd+3z<3X2a&RE87*rkAE+N?*xi<&3?{HUC|Ind`Teh1R8e{(UKse;n;5X+5)=i z;oss%F%IzJXez|Si7BFgWQzP$6~^gj-1SP1U!T0gINjKBm`vuzZy5$L!q|G<2r!8( zRx()bH+ryn8wCaq_3atigFv4(4g23`xqpG%_Z1N(NDWZLo9dXW8o+A2=Y)rseFzf8 zlxN`x*E(u6sSCVp|F_M(H$P|_cSg`QhYXXjhKEe88TqI%e0Z49kqE@XZ=XDq27-ua zIeO9^LX=9NdtX#@E(YMshaSek;mpB@3wgJINZtAHTusw;FI=(1TBzu;M6I0}lm1kA#w6-_|4vFI$>pyKyhJ|jakq?S_ONi6QI@*W<%=heZ2c7VW{BMe z+4U1`2khh~Y_2J)z(plj&^6013+ZD9vrDl9CXIY6ZpoaR-eb9{=wkn(^@YdCDW!Py z4j{W3%9c2?mXz=ecM7=ob{j;ZF%c2YF-U-*XXrK%Qd% zVqCk)avS=Nl$j9C%2npH?Si6j3|{Ik>F^Bd*Fqr|B% z+H;R@O??^=76Q9Z3LD-5xK+=`!$Lilc+*2`DdyMOGS~CP_d%5&?yCjZQFx5u8IE?_ zeY0?FKR5a`Lf|4m@gZrB=>R0_5+dLC86pB#k{drAEE3RLvx(r{Gh*YWz)yYq5I&8{ zQ}4ZB;`GT4`bU);-WW_S>{P@cstjj{BQ`k9U&1y+JiM=PfL!4(=qp`ucD@=BxUfC& zlJ9H~EHRzUFIDk=aXT-~0GQbAMQw13&@d%AwxrXWW~j_eYzW7BLSpdYRF@VEQnBNy zq3k{?-mlx8?Rrx)y0EJdg0{Z2V`_N2(s57( z3_;m9Ho(JEFTVL(d{zPsVenCLL(5*b^B0&_!FgL(vN@%b3|Dt)p`;>-DXPA8kC^DC zk4f-PV%cY|ho;MR2ZAKlG{Skk!C|zWQ^D;o?P&Z>D%Xs)*o#88v?8;XK1j#4re=nW zK=J`+XA0Hn(gyE+tVKHa)kky9v>Yo(Suz3r2Y&vD9{Z#FE2Wk`jRDw~Q(pG?;xo&{_ z-Cz(3E*_lW1?77;kr&3M#Fx9Od_zbU%L>~X_%4dpdkgT_P8aAOe*rHW%rLv20X5X= zx84L*Scs0B3wi1(RN(J!^hY7e7fZL?|Awfc0LxhIXDx8i*HiYW(9BHUSW{&1RPvIl zYG_$zqP~gHOh`lB?j(R^*jEM?#_qe%HjTa3PoRTe>!8g7xLPuSu@WdjjCZ=?I8i{J z&NnCS+*(uY*jAAK{ti(}2z5$tl%Avd#!B^hvqTf2PX@9Pb459CX{}eWbtgR>5nhTB zRUP5xB@eYf3-n^}fp$Y9UM(Icy)ajka@b-@`3_^iq4P!nh53kFQX!9Q6|@NDRgOjQ zp`M71lCO5sYI0xsL-3b8UdW)Z;y17vJO`BC9o{hc>GEGk)M*NlFV^qG^#^Ncdrdfy zeQ=riF!_OAfWq^nG4LpK)l>QUn;nIT-6=WO@zHvtjOAX{5=@&61aJ@8)vFM*wPp|b z#dhZfD?TCy*kchDHFAe*z3X8sBuR(@UZ5)ln2CLkY48D!hK98s2CevqFnsKSBhamx zOCW?fuL@7$O+O_Z$K@yGkAd35E}FTf@7x)(c^cuc&ONG@%JGecLmTZsjn|xqfA2l_ zB9c8wp_`LFLJf7xR)t=eIM=!itI`?!TJw$pAb!gc*yy?=fKt2{TB|)V)c_6;m2jdz 
z$}UDYjn4mK+o8kJu7&Es>-tIDK=rG6V}-Io*;}9w0H0Zl_}0e=PiZ)e*dXCRZ~dzj z6of%<`8`MK268kY>J>TyYd*q5eHPG?Ce$uKB;sj6lMYN98avg#sh4?TsJ*rrV{lr8 zMc4-7=ex~lF#ey`{h{q}nQ!Td6VF+ayts^&8f#0Li zCcc)PMjs zCmMcvN@sNqxLh8Gt15HrD|)6RLlH}kK(fDa=skC+pZkG*8Kj3*2fY7pUgV|*$XG{G zZat97RaKwCm6FJHD4X1`Q&Ctasu;{2k1?~r9()8UA^%5LBTM}Flw0ejp9b_34j1w9 z7}l=<_mXwJxGR=j%9dIOhIA`-bIR$fTw>PK_(fnzB7v+)T#z*x04fjX z|B(!9tK35>Wvl}9W2s;-Fh_T`jS{zxYVf+F514X%6_VKj-gopK?3Z{T`xuvAc}4#) zzffO}SdfKns1N+}o7iX?A0!pb=J`%ly5}u{$C1HoH2Rga=l)MU94#SjRz)UO4TU$H zxb5}(nyR6ZrI;?OdVgBbTme~Foo|}46@O2$A`eC}p^L`L3vcyG zc7d!iip#Fc^~YIrp^AeVf?!%gD4F7dSn*TU+?N`y6~>0b1~x=I-kdwI)m|XB%}68b zeMJq%UuZlKrB4k2Ay_0zO&l{E+I3B3U0-!E?|+fmgFE{Bf3?#|n$s@z|N0``?bQI3Se?T4*k}XJm_H;_r~U4% zWrQoN$qNbmNJI7$dw5SLWcM5a;XKUcr?+a35{lG1%KMKJXUbGjl*v2^u0SGN& zs;yz_(wvWAo88qrBvN}XsL^9s{2sNcQsp|l-QG8!vE0cfvtuHTO+McFnQ8TMZrEBtj z)Mi;X1@E!4+Ckxbtvalkf!^cfLT;wFep~mMRwwPtVr21SzDS{x%CTcAe_ud^ON`v6 zxP^yfCeQR?s{F$KfR^L+#%I!bBiYOOcu!?;jOGynxC>U*Mb@nHB$ictu0Fi$ z9LgJM9Spv7tUyqma!b25Ei_b1F?UxW`?j*x%IW$9)OMW8>sr)0G4H*WQ)JWp4Ma%D z*7r?G4lT|7{1;`mfRH?**hmtkYF0zVxC9({^mkE=(!xqE=^x!xEB(gj&+EA&-4Lb6 z{xRbQB$Y;(L^S^4Mo{y|8%_hWf!^r6g2>Umy8-9x>fPx#`?XPhaj z+Ut-tr_7g^QSuK-P^#VYe#@Vs-)%?ot@M8z9T#uJD${dt1o#9X*$ym~lKq9t9`pbN zS0f2}H8TQN(-vcr^zX+#wW%q&|I{h&FV7iJe-|{ zqt%1-vYB;@qUlwYZx9xpz>$2nSq*%c7b}z?U`rpK7DXD>831shMG%qlp?u5#p)a107NyJMtGJWTJU&=cdVKy47pnd**@ z`X&<*?>9@;IK~_~KAZ4+k(mH=SLbQ6qCe7 zVLZ{8`qlhkb3Z;-%f$B4GD+(NW5QRapxJU1Q^slS55;=J+VIsK_@HRP$^-dzHffn}gx-aIl$tx~L9H zwV4d7a2XwNna~FMrPwT1UBa9Z;K#BT9i>=NR8C#-rJw^8L?^wZK1XtcC|-UARFnX6 zO4A3E(4E$OXgV$H!dtQ~Zx_-md>oeEtFr-nO!U;<@Xprl!yH$}n4)YpmmW*SbeXsB zpSTc-{vpWQok16E6xYUA)Bk|xY%AA6Ne7RFF787MpS0tAw!C-{4Rk(W>Z*f~(ZuH5$@QVJq z>QgDo*IN{2aVb5V59|_7NH%o7f2nG)lldo9LOWRyVgwnlOh+4uByHX@(1?ucM*%5j zWOG>lB$D~68&X31KUUj<1-+su&Nr}yrpZn(Fp)F272PvIAITccmb#=YxTW!%IdEg zumLQApztKwV;?Zr5wjQnyvKsxqxBT*Oqy*SKba~v#6qDauV?@MKekG{cjQ*6%MBXe zWqJyqt2{ZbCl7xLXG_1ZDPgMR?48#=*LWD*4Idztcy2FtU&vLoxHgDwR@>gHeB3u5 
zK6a|JJT{P!7h37x&B|~lz03|$7)6K;f>p;$`XTZOun+U<@AeXWUK&^5oiO3%HyG?WHBDyac_J$u z2lf!I)!#@> zJo#kd{^2G3^ay&A3*@I4yRfA%EebJ)@An~nr+FUIKk+l@XZ3~IE)32OlW>bS`y2lb z=o->pi@UgOSElu&<=o99=zv;Va}uehe_r1^hOP`*M^g2xrj*h9e0vxcn&ytp9cehc zt-J53&o@vhSG_1!9a!|YD|WNA(xnoEDGC-Su7l&`N!3NdTk@;Y++X|~I5_~0(D~b2 zQ)Sy3D)z-t4+mv1G4;Dz3lC79bnm72dMJ-EZnlx4>@WTU>i{xMle<`OPsS7k7Uw+( zEYpv;@;p4_*lC-llakF-gAUstR)%-|`+{|>kGE>-c;okj1^3o#^8?If!JK$#qdUbp zwhpI>xn5jW7arOeY5i!ekl@Ynp!*gARE_?yK4Yqc3-2$tA>uVyGddVw?ZW*q-u3@u zoCR3o`fsX|lS#|`Rd9PAiIDXjUkMFW%gf)#@`HpS=i$L;vrk(GmFNHODJZnuI*dP0 zar#BG;|s|3{IP!-e}3PHVj?Vfr_g(@y^K8;J|g(IeO@|YYIR^iVsrl?;%oegea!;F z@As(XlDXQR()i+U9aVPC0RJDnShackg1*P6`nsTV`AZGRn2JiyxL9;A=-UtU;>l~!fCzmY<6$m5xu-&1Y(_`@f$GzST>W@Ma z;Au!7ylA082w)ezKbZp+aRowl%ornF5WzG)e5Y~=3-PHM!zERC6X}Ja7qnh5-hW&h z4$vd4kT%6MO6!MUkp}X|K%*9Ca4-v}rUZNoXHVY-%Q>z1z22o{5P(>ou_7OjHPs_D za>|U5_JL5>)3G-2YqRrcNo8P{A)3m3~me>krsM>Z~-l zlIzZNV{-}vx?9LUv1dAwwwP9ogooUqO$J15j$B?MB{3<+Aa^^hDgnte*@T;#qX zRN&@6FBOp~>LFL2^0w1bof#_cF2yKFTG(k@F?S##-+zz^lLmPh1krAYo0J&+g%)Vy7^$HQ3UQKi;WR3e5 zzw+oS%DYRmeR82y0IcQ45-X=dPOMG^8CA<h-8X37{`SeE{_ zY_V68j2;rKPUO$}j8@L5_79<#&E}zT^d&w{AH*2VT5TZch4iPEdc$FglJlpN~jMKf%#>&8^-> z3&SPdk&uAWc$E%FvBGeLzKnK|v`$d}ReIQ2_rdt|9>7CKCera(x0Q^n!VGnhats}` zE@TSc@-mU+iy%I73S8fZdxU3V!QR@hi%kWQ3@b?PIwwv66sLM~)QyC5yP! 
zs4M{EMu}g4GYD~7{NI_9z|8j@z}G}4mI^(bbXIE^w2-k-XpKL>SUpKssULdVy(u}A zZOmViB(ulo<|#VZEK^j&%)dx4mURY{8uNK?dxv^*!i@@)qIy^#9c@x{kFRasXK+~M zXUFg)@VDWvf&*xR`M`cE^_9fOyl8t+Sr=7OyHr1-qLjHeMs&j)^t%>$W)0hzgxnoi zYhq(elXqV6F|VG4fw#93v#W3}smVSXE#pE=5;VP;2P8XzmTh+VAyXOZ#~f_uuijhgs+kW88Jcbl=@;ZTQQsv>Uhg zLxRf-A3W|7z}|Ra#?2ba(m|JC#=RH=WZ(dyr1m!hh>8m4OBm7Pu;?ZpQsZG1e)l>D zxk9w@C?@EjS6+c6_V)Gx0SQe80+RF(kWhbti~$?>4YQ5gs!p{6P1X529BCUKgZZrm zqJkEcH%s`vS`lg9BGR{WmwSzo16R4Z_ymz}y8g6BiX4rwlF<1>unaa-bUKA1QrZzM zhh<#%nj?4u=xBmSz(sUdfCPNJx&>YPpLU2r1mHBYZ%qPDcFm+Y1#vejv$VP(vp`8O zR$e+5v^T6V)u3J}*{cL}($B0JN>{K5o^yd>7^*ee_Lojx$sE4-YucvkKzuZMx_|yM z&tF*H;4`@Z?ygI?k$(YO#OA+F$_$tcLW2BeY@tZPnfPb&7tT926JP<8h-kP@5@WJz zP2##CQ@0%hv2h= zdtAm~=?Pg&Aa}+x{>J)!9`d8}0xWZ>8cOlwDrLE}#xGt=6j%N}7|O@SSQ>e}BU2zV z+WW;xmnDr9xEEj1G@vFJr$lxL)yhCC!2?wV-j?JjnsLNHDI^@d&`he6x)i&7NX-+p zrWJevB@JhHUHpO7-xOba@^)0D3d_PWX{~Bh3+#rn z1i9-j^-R&ip76yka>r1GH34!nicET|95kw|sv1-balsGfkmGDo>8s;RHl01jrLYO& zlpz1xG!l8zd+u!!BxutUMVaq`x4*>>ZQ8Ct)h$I}j)l<6j-T>)Khsb*Bv3(ib=@PB zc7+YVK2tL+Y-V(&C`N^eZ12>IrY;FJ)o%m8R}AFOsn;GjjE(qSz&n)OAw`4HLUrN4 z;n%E70RLN~0ilPZ2Qvu9A_|j8UVRbchpsA)1Hb>1l=TV%9ZG+AF-(PDA%)-9*z1*; zv%S0#8C`{O2tmY*;RQ$@sc?1IzXwJCZCVqrMu34>&Xlm@T( z4mA;0gNphRL}i6U0B1AG#u0`4ZCnz@CqR~7)PER2pQSG;*#~iyS4Q1$m4^d>gL^fN zlX2j{t0*ua3~KR(Sg@w%n_Ga7NV6V4$J@+5ICAq2lV7KnU0=(Qu@u(1zfp4TuPaiP z7>lskl~RRvRhUoP_$p#`QWI`9Q375bK;|~fsb5|TN=5v!)u)T~;WGkcbiyTWI+&%U z8DiE%y=ON*;r55Yk_C^m4mSys3xQps0R3LI`$!YFgFHI_?N0ug`Q)@^xi}q>&R;D1 z3Bp?4e?JP4J;GI1J-KR3EGM{ggFgGJJ#x@t{LL+E{$n3x6HnpU_hPRpIe%12qLtR< zO)eBI6W)V{&$)i4HAIiQEk~CO8Q~9%xQ|f;zhHfDgxIRrVV(X|rk{3>okTu-@$=XW zL^GPzGGan#VoqQacuTzP8b8HI5}$Hb9RY|V??ER7h4=~dUMB&eEPD~8%e4f~yFdwO zDF@c3UW z6{Z4_F;e@jRNPNqGBf51Q;vQhrYN{mDnEN@lMep4pt@KJjvs9+T}BMA}jjr?Z5v$nLa1ah4b94pgpHo88? 
z76>jQ7G3gSG?phkfd;#9D}DT~u&XbLa|Twy;|j%#A4i=11BP!|HSjMGk+AkbANw{> zgOJBil8(D2rHHp@45~n59v&j!M9PbBlsfNG^tkQL1IIRm@QDAmtVZ`zKt_6U;}L_1 z2|p5W*F4je$oIsIMhuc_dml5tc~XBnd%9v6uqC(=sk$#C0Z%Re<{s4u4m~Cym$Ac) zHXCA7bo|wnvB{A05V>KiOU;>T)&?nVQBV?R*cRdkQwC3qJ-+bNsEdZ zr(zz$>`85N{5#C=2b{*m8v@M^oA9C)`HheIJiou&3Q?jIx4P-*Gr#A*#m@#Q4FU!AvQeG07MGZQ$3>B|GZegApVeL;F`hIO@Vfff2n-BoAmUrc?y4AAGAivJ zzm-q{V?}NB3^itr=y5`31TbCz&p%xXgZ&w{nPL(dq)Xeuf^yAZekyRn)ey)m0aJ&xHSKSZg^D_ME3HgayvI_zfC_)IPP{CD#@67{&`tLhaRj zhTv}s?G%syz#lMM6s+327~-jBcN8Bod&qoYdDUoAs+H)NITxz$jK@x@kbkTmy8k!O z-U<9U;@fSHPh3V*71YRdEfM#%B66FRkoBBqodw@+CHx07Se`aO>t6{60e;Ya69vYM zel7l5XHYH|zgt!dvc(D}egM=xsEpm}M;9l>v1--Hue#hAIk}#*arYYi;&K}Dw@}rA zUrDalszVo9xTilpKtB<$p7}0rxPog^20A7zo1uo>jF&vq77cCrV(r@`~5j@E1&1C9AFBohUPszS8UbqZQ zl9exf{)W4n_x#Bnkb&-7jk)q`sc1I>?L(5Opk(l|SIG8{oL4UHH5#!@YkMGSQ?yeCrGqCvqU~p_F_4s|y-^Q0!TzOAh$7jH*c_0);>_697 z%-3GqR1_56iw(4Ldn$5xy`%EEPdE-89l4ZyNBG&bXqP_+{e#3Dvy(M==$i^hMls6i z2I0R|EpJL_F7&js0)M|L)U9v9G9k5VR@i%k(@%{bO=_f~Qc2rCRNr2sPm8X!!u(^ZQUcBd{S>0MDYI4wgi8=a#=umVGc^e=B;UwmLfq*IIcMDj(yD?Q zk`1HyUYUMd0j zCCnG7@%mb-n3sc5eLrN-D=W!y3~_=1iK>$E1FclnF38T3M z;z#H#!e4thIm)Ru?z08;4TerT*EL$CUe9Q=d8_2Vd1BHNEQ7pI7MO%CL^l9~Y#SFm z7!!m6PDA_rN$G%!+_f_UWDvc6L)f=5Mhp3nh827LD%$J{ABefPCO3o{Mg-f3_}3@{ z{@_jj%TrjJ(8Pk6@|bV_=J6zX)uEupn!8CZH(!S5gz`^ zqH$o`Xdtu)Kk>-~TBB&dRWMgW4ymlRI5o#WQ<0pJQN~=ZzW2YPKrI)-lk*IP)xf!A z2eX{h;k#f>ytL(OrLxx`j!=UBe^;7g%>B>G!F_O_)nWi zVZ*^aQedDO)aFrvo4GAiD7(d$BZkm$MTM-^bfY7-WHWjWh+!Jyv)S*U1LY{Sq_ z8+a@45iWGbPm!Kr-nD9TO(1x5bp)Q@JU%6qwvIV|RynP8{G$H$^JUGw_Hl#ZNK3?Z zh0(P`-Mn&f>FmLEGCxzvO6t=gXWbID{>;)@@g$MwLGE0hH1-={=r)EI+bV|7><{^h zfSRMfTCfCs|H%z-y+hI-q~`wf-<;0|@M$#g(vv^?c|yNg zGypCp>OM6t_c)p~DEFW)0nNvR0QB!G*`J+yKY_^p@ekSeg3^=x9+G9P>gB7o@@-u4 zuy8CFp(AHi`n`x5JI*|V$IUjyIJ(VuWrjQA@+V$~o!q?Nl;1{Jm3F?w@Js(ZAedge z4MLU=yd0o$t=L3y78{r>4jMq9oq%wK|I&xDfATNYGz*EB{_MxiJ2VZt#UN(<*e4w{ z3)Q9A+QFn`C**3%=l&w?>)PWb@ZI}MIe1EAPIGr_&i4wWCri5{H_EQ+VLwA9%u_D) z4PXL|9cF{pd_66q@m?xvmOi|jy9M@*d=z!i@DbUhYd*18jip88&91y1FltdWn?Ak= 
z_Pv${id*xe&fUsWR(4v-Hr|pAG$6RNw7(}9sGTpZb+5FPsESP5E%s0f42G{#x@=L7 zN3OU#%6@DZX!|;coOe3q>@t&`dvWQ>&P@1)k-rV(!Qiu-pBSxZ#K68Z@Mi>)IfKe4 zd5QZcvfmRkoJl5dj( zjt+gD_aqwqZJb*EWrJp|gE`i7Kko57#$DthBkjAutw3`Fcc&3dW~Z+njCZqVF8WPz zF4W4wtsJ8i4M2z%yJZaT`0DX`-Sn6HkJ2LSHdXs!m5yka8QuaTm|qq6wA-D_kWG3( z)$@&(aUc zMsToin~_Ozen(Mi!(;KZj;I8ye&ug++iY`bQ(Jd)!Fgm*Lzr%J`{VLw@I}t^NP!$M zod`@M<7&U_m)7^JEZ=@sf`j3b@8q}*D3(m$7}OEnsUIJbJn*1u)X0fP(3>Ipl4au5 z3$UPM3n@&jch$@c*}i$1@ly_0#2FR>rAS0jKDT($>^j6}CF$)T@im`9E?~#ayZIpn zs+t&}l$Ly43CY`L*w>(IEakStaLgiD`FdKtr+O)}@;qz?d+~0Aixw;*<-vi(Fd%ZD zk^Rgl0OiVLTKZFX7)}cqiyL_7iR8+86EmHdO7}Mm-8C=#XT`WiijT$mjdu<;;JT@n(4fg`C74C{U%7oJ_cNEBf8u#AR)TRoKOBJ)ta}-SjHi3tar}6@2C{uw4XBm;EBd_9Y8f zb`cqyhc@}BjqiGkmvfk6RZf8fiQfe2L6}&Mfl-j$o5k&5$ z!0Gif6<2Lj-xj%1N9z8n6>jdqgP~~6bE2KPOUST;3eR2BCVreb-^ZlOapiJDBZjs< zoi;+(r1#FYIHbY@<3Bz*Dj9vF(^YZihLm7%_;lan;T6sIder48QO#b4Wo2jFZx5Pg z@;N{xXs2VEydle9Mm9C^o8#>F_J?M;73yYA4wJ{J=bF;cF}~H#k(JZKhttw!zO2WT z5V>vlgcKX|e5~Vm2>#wEyn8H8;?d+*lsj zxA5u-N~}6$Z~4+G%*=W(AQ9(;%p!6>Nc*ec-nxO!L4RUDJ!eINHL#VYOQ$ee7_*jaU~+nLcjzVjV*ny*Rk~Ed{&<4&ILDf z2vw{9L97NfQFL6*NicbFh;_3qHn+Z|qT1+zxbif6GZn{Rye8F?j!>#??F=@Pqs zqXpIB(P$OriFUH|^-%-3GWS=6AU}D%q#TvE4~4Ka+-GTd%!K9eP*s;=a;i zs+t*HgF9g{u1?uInEF&Wcz(JM@<}F5>~C;QsXe`J+Hhw_}a{laAY+ z`#nmPRSWy^-26hNoQJlO7--ne$JQsgXP1dsw!lMQS`WsLIKb31k2j13GO40 zWXh5dA6~x8ysW)VmtpQJ666D!Qh8f$v7ef8O}a*0dQ|0^80il}$@im3xc5Y9V33~w ziEZ(E6R-#9I;f|gdX{C*uOC$(a2r&vY(7W}Hk8&NU^T`Q`AC);^Tz4o_>z0(7^y@4 z9)f&7@jKA8Ki3|QE%iKItkQ4NSTk1g}L22G*1CFr`H0D3y588KG zar_{?7@El1dZ9OB+85>pnkpViECnQB7C%;BA1IH0ZMMIw0k=Z^_VMJqm3oAB1~a?w zQs?0EVVc8gSKGk~8UAQze;@wAC`f^5{6w*=_`;x0>qf0UjV$|i_jxCn7U^=H$iXmL ztO&#SlZlGP_?YIs6TX2Fij*Dg7J#~Bysrb&2(*7?FEo#<`3_Pz!SeVG8aqDs_u^60 zRO!5j74s^G7VE3|AFMESy}wa*)&o_iC%&+J{iIzgtveEkJ-N{U_i^SG71#8_^F{Yq-Ydr;5^>&vX|E~4m z@yNMZ{o!5)Is#S1ebKkQ-iUepFYNVDB<@7wcfv5cgKi8C@%tg1!@_7T+~19Y$2~8y 
zxs~nTDbpvu(aU+o9p!h#sFsri2?DGGH~OUIn>D&{0{x9OWv^nQ*|J}0mwRSbD<`v0#E3`iNeBy{=+orSi1(3){*{mP|$J53Jz8x!nqTW@ggF%P>bNv$H{Rc;JIAJ>v>6xc6qky&|gj*>W&i}ReH`dn6m&T_HRiR zK6!Us5s@Fxwid9koc5RC{b94bySG&iL?(yA0X5PO8dE}Aq14C_Xw-+3mB@V2MoAY{ z8Zi2AREHC5{+-f}R}F$q|GaJc@6G!2`+e)v@xz1Ja2H=n6fCidMthCUYfF*ze1Q*Z z(b7AoboNCNqwzAI&25zZz+wGf)=7Qe zziN>x`3H>|>7kqLqLzSiTPD@dxk}yS0jEZxZbU1u@Wmr`*Yoe$o))1ucN5EL8X3Es z>9O(wt9mvj&8$;5*gpGYDW^Da^x-~&>_X(kt-)g0@fA_(m_d^??l}G~x1|R&3IW(Y zuc%;t0`ozzfp52Mr)Paa%I4L==(c`9z)dd)42ylX@ghhC&ONO+y?-cNNSb)-T+fK` z#RaEsZ2w?-*71-)g3;6Zye<8IOkH(U)ZfzF(}smRO`)O1eS1 zyL0L8h9#tP0RpJ@=f?+_`sVo|*g1y>z{bU|MbU+am1S(9*^yega=I ziQ@LFQLOK3rL?c9k8*E`A$=tY);-G(l{x4LRL`;<4?%g%)jc{FVZ z!--a$sE%S#=I5f`DRI)N)8Nm6Srf&31v11*nE~*DJO7Yj8hMo2lQEHc|D6UsXhBk!C&hix!jh%X^guJG{tKNfJ(sXM^bB_>x>2C2W$8 z0^!2w$%dg+#(6fEtb^HZegW=Ar$jyz2nITts82TH5z}oNF=;|?r zEFl=OGf>N8V$}aES>5Z&zDWHum?h7t-T#%TWK0#j!MAps#hn0RRQ@H=$YTYmk7rBJ zaJpE8=vp@IdJ62v9b|kpPk-0Ot@reRUv(6Cq8A8yj`7q4GVg_JiqUDbhz2!<}M>s$H+?^aGH*~qSvZVwIVoq%Rafb z@h46CwI&hdWN2L>OJ<-)kF=xuQuvVrNa(QuyZOW=TDq}(%l6BkXZ*#r$p`E4aY$Sr zgB1edd)Eot*F1FdtO#w&1wlif;NTr)cT;_m>MoW^wQ4D}_dcg;6-lG4mCrVdoMx9g z$kv{t*ZpSF}IH|lsWsx zNCq8h>io?L_sJ*M*MTR*2%W_#OlOw3A>`6Ly#8W7{Yp8^-eD;k`H1vqhunXL{M)JF zOzlrPLv4`P>^sT^p47iMw{xTX2KSp7ct~NDzG?CExJ($@5c^yjf(-_^Pgo6sC-hzP zWW#3dTid%%jcWcP+x#CmrJ)QO*o@9wHpc~IsusC;X-1p%b=?{v?Q_& zyZceX{w4Xo%V_n|^h^`M$Vg7yZ5}((8u$Fu*s*Hx4=!i|FDhwt`?Fmu^m2}ke5;&_bLgY_|NaL4~Kqa1@(#E7w1ux68vaYF9@;}TEIlnjg7oUx|>PAys9>y|(+!oAqYq`k5ro zC(CYPtmn0H=e{04g<}Hc8+CYZR3WK`uHzX;9S}hw@i?yYzQbbZ`Pzv}n&-Mc6q&ws z+WqRe>{PE(G()l!M(3ZT$zrjcRG)rf65$gD(0toXSuKPHX|IWUcu*W}2V|8n-pUT@Mc8*vPnpyK#{R!*AIeNk@_yZKy{Z(*^`6wF82I_x^Z|1K}I z4nx_uzSYwY~^f{q{Fhe262jyg>v7z;%Q3H0V4!Y;t&;H4l zmKW^Wj@(X-EV;x!^t`yoN<)uk<%j>5_PesnK=a{}sj zP`^vQ+%u?dOG!>kHO%(;zW8c~+}HYkgV$Q`hD=u{M22hj1$Gb!JjJE|CY31~F8Q1S zZ78_Db$ic$D#$U~sbL4flJI+@+IUhdy1|Hf*ka57*XsP z_O@xl4v}W7neL+Fi@C%hsu=FObT3a}ydX+koKCwFGpuhSm1Nh#d+KSvjvUrg{jbk? 
z&^>=1_cWIuAEmBq+wa_*!kXNOoFxsPMjb3Cxe4V3zlE*Fi<3sT-eJy6Y1Y%8ypmV)KLwyz|6o^7QIDq5wM#_n^!^xs@fS5Cd|aAhJ! zdI&BNJ;8cmuR9V2pQYqDw0>?RF02;z_rwdH1Q-@wlHn^~87nP(6}VeLtmAr1;wv{; zsic-0Wr!H8H_Tu-#}WVWtIKGmmgaqj&Fs*NE&b{$_8pZ~XgQFShaJPw<6GXd)uX2MP2m7O9Klt$Ly9BA|3qAyAo^%#Iy) zr{O;pYHXc&mp+`FuW+v<3Ah_rOg}v{T7o%vSm@&o4{682^kMw;ERV@P znrg5zG2;3XozC$xBLiOdwO^FeH9-Wc^d{#0(}3RhB#>alPC-=4G_M&hU?i z(^hsatiT{%%Ie!ZM19^!oqE>t`)!_~Qo_`kL58LppZxRXWV*Sf5>T;C7@ILy0tD<; z)U^8c3WEikee3CAb1spn2Nx^H)UvE4Soc6|$|kFsksb#Wf*l6?G1Or&aTU}Jls+^C z21ncq_*d?{NGcMzuPoe{50Az>?Cwj%e%$*G7v9)moYRmOE{2XUW%=>8E#T{{{pI-A-ZJv>a{<;_ezHcxASj8RBeDn-}_2u zSin{Nu!!kn+zB3+<*HJ8x(;HxSy69svefg;uMm@-SA?_9XHNHd2ldjT{~A5YiDQbwue!SG}_E4vt4dmql-HNc@QC5|B>;Z*=iR zb90Yf$o8*d`gSfPbDhPiZJ-~U5^P%c)G^jqg2bH9BKIULUO0Wx^?>4kX=uPU;Svxz z)3}N+a)+iswnb4FY`4PKG~IRwopqu4=aO7VOYD4SZu7sEuxr0WtFxRvf5uEoc=mP1Fz;lp5A9ISb2@@h`!{ZM0EWExXld#bI{&hqPp> zWtsGjFam*1#MgG2qsByK5Zkttx`t(&2Z%%bNTdQ!E_sCz{u$3A2>yW2+2IVe6N1!O07}j_F63E;p^Ay z=)5Mu*ylnQO4hN2nC4h3vpsgxUsob#0-Y&Zl&yCo_SRY{@%BBjtA+}VVDf-QvAa2apmZi@W4G)=x5SgO~hH(x@4&N`BG~ysh zGQ5gs5J-$>LA5v-pq#8;qC^tjS1AnMFR|!kpvp~HxDE1Qc-)uwFTE=^ods~Pzn&7g z#SiR%3W59pgq;Pzieo?;?c@J1@5uPzxriot^8S&oj>f# z&SGfqhbj~9jqd|4ti<%wMMeN&Al&?_5szv3>i=uQf7ITcn0AjEuzJ2!6&01>yGM%v zdbH9O?kAvVu#c`50>18f1w)2A6g| z30CD}B{r$S7&aqA&BlsBfiF}|cxDk$`%74**{2{zgPR$3x!{>-ci7uUuk;!*OvQm) zG!&%=H_ALByr0D=+!Z$;uyd0M^6{W{SAVus@hcV#Suf-rq1^lNvyVQa}r(b?&__VI$^fpUI)=IMe#QbOC4*R(ct2z9c4R z?gPmP)jn^To^`SiDO+CQWX0l|2HlL9LzU>otuxH$wF@okf6MI7>N619={WBgaD*N# zaqh?jR{z~-jX0wc45@K;cJV|-lyXju>feQTRocGU7pm5J#y1!%HAx%rV?@Co`*_^c zjqn^F8wpZ-0@hQ9So%giNWS;f@;4WE*WAwkikWc$E!R?RhnDO)U<#4y%v#G=$6?lR zcen^kCq83vom-@hFK6J)t8F++XTCJj_^S}<2=h{%s-)EH+Cl1Y3sq#*I3)(s5r3(( z`yDo>Ql-5a8~C~i#?t4H_WcX4G;S$kc3sGx+%(xR1{5{FzL>$vImPDn`^M%swX+9M zz#ecE^#wLUy2}9492~4ESTHLAztXS9fDAE(Z9SkQiGN(z=Je0%N6BiKcIBFAUWO(Cf z!ZLpus*00Ia8?;^Ep+Jf&>WpQf+#j`5XX|RdMuk!|@(P z#USZ=(-GO2$so?4n_A@CGzE6r56kJg^gjl&c%UV)1k>PA5)De4h-fg4d+#(QR1q>s3vH8P#EK1Nv^o-|D_j 
zQlN3$`ZYuIDZPb75z6jpqz#5y=<9bnyhJv*!rOh{-_E^k=#`=H(|D*1aW(eQsD4#1 zi`8$OR7g>boF{hPbCAPD5MuMBU7AiPL+xa6gd7(u3_Cp5g)W`j9dhdp8yn>O)U%W3 z>Jlu3@EtEK>hK4gKY}1!a?sG!MzmN<&87Rh#uWa!(Y_gH)6uJiukaIG?T4X?*7vzr zlJ}WjdfS&tn!+Q>hH)ALBL>!9B54NC!fw+|d)Ee#a1O^{PP|ut*d;gdSOT~0jd{I z-ObdD#+`+gEz7)qk{81qt|y}hqw*+@$bFuYb=LRfO=E42l#EMB?jC@Yp1il^4%OH8 z1?jdIY@&k=o*Nxsm=qD*|J1AeI86o>hGTP472^?fFb5>Q(kO-_@x}#DN5V&m*v#(U zqYRGg=#utG;r_F-s7pjCbs%?M7z!Zwvav{GXZXG@MR0-MVf02ylh@M{ANSg2<6;eU z{b)H~}4aQGJ&*n=7e&I5Rmk}NQ>)f_*7$q4E;+cZg zV>53DYjiMHafFf~$Jbvn!zcPox$Y4IY8R<}Wyd_!Tt94I%A42l7Sr1ZHc_ z1V@-whUkImeaA;F?pcTqCtpAdqA4q52iAz;gEJ@b1UrJ);KqD{roq(X{tHO}BUieC zTKMg{sYAPw8Vtq2at6mIfinuI#kr^@v#<^lHf5@0@)t-dL&CTXnMhglFE=U*ndL4> zdMfb#sY4zOr`=)?qQ^=%9mnZyIJcR1r>HSB&sP!NNZRfZ<0$SewlnQwZnf&^v*vJP zKx9Z54!Oo9lHHzwO&oEc?rmR%I{kvwV7o~rHbV5*(+1YcAL;2K3F*!j@2;gWMAg+z zpd^G;fg_LRA;slAG70W5(JJ^TJvgCcDm}=uEj0-H6#3Rkb%qphp0s&BD^bwU-Lp3< zhKl9k=$XKRv0zq`4cn2duBgi9i|$zYC$54mG&{cy-3filZ7$bk7$XJ<2XJ z_|RN!7wL7K^$K+qY&~mcc+R_Wd zciRQ;Puon;*&AT6BI7th;g%RO;O2_A+RN(x8*&#)mF(6~pVwTLxB6zPZ23sn9Dew+ zBHtnLf&%N+X2eOQpuOyd$tk<>1vA}N4*=`RjmhXi7B+svewwat>b-&{i!I?qN?8tF zO8()n6KfVKk-~lsR>o6Mkxma^PCI4Vy__dyTx z8ogDxc`HUZFm=yZk7{y{Qe6UCJ?D%WQGZ2vpX)Jx2kPpgRipB@xkoB z`97vdg*_b9uTOJ#$*BisR)zTtYPCwB@nQvwHY%A>#t{Pyb)R`co&%KKY>X+!m{H>% z#aa0BBn~FdV1wM!bc*?kwRHxXzH*(*S5zqOGvDPS6G+ietfFLwzxi7PG~V z-Ha6{RB>pCJDPLddQ|pVk+mZ=KVnpAc9;RL7l6v`#Dw$LKXuWX^f3)b7^8B}{$`3N zoSCswqUmHP5urLzP%?hity~n%RCVlRoJjEBA;?c}f+3r}2p9yz)I|u@HdwFEG=yCo z*_Cjv+`^1Mc@HclTl~f*dN=c{WRb|#cwWU#QJAE=0*o_ zSn)KG^o4aRiX?Oz{(LFr$O`AW>vgq@1deLT(LR4Xm^^ z9Yhv?c=IHk`L_Ncu5nREP1K=&d+-&dm=vL+tA4po2RPe&iICE z|KZDCc(sqs1SK$hX*J9O>g?sA2Y5a~fCRxaoW4Gb{%wEmQK?=&e4Tl1s_dcYWLCuI z^U=CTZn`pUxjS)sy$LYd9V1Tr;Gb9-0~>(@CI$%G62&w!v4o+D^!A0jyvl;&mam`b z|4;_JLgbrY>ty(EvLT2Ju*oLECYzLK?imoW8t9;X_PMPjA#^Yvex(}1Z#8?Zn*Z|q z{d0axznVU><|>1;#Gs8TeZiI50A#|q_#*7hcXqQW6pb1;;4kQnPSD~WJ;`RRGQeoT z$kD~YfdY8UEq6?_V6B-p*RgL!>)NDlahATEOCx0|wa2+RKkm}AIbmoET?4d}A??yu 
za<7!Ku1=c}aV4p|U8{TIQ2n};r+KC=Df}%bIml!mYG2lSF6AqLHbyveo{VQoi z98z`v3^U>!wzx*1`1bS47m$2T=Hc{zw#+5Y72<9*whOY2b()vki9rM3tmkxz8knF} z+}dxqdv<%ZHB&IR4}DRp8UecGPTy?ARaGDf$H;Fy4j zzZTrHve)Ov!W2H2{j^Jym*XHnP#V+OSF|3&EVryon4gF;gO{H@f6$u#V-+xG$$6e- z?v$(!xk?c@41s%Uc{nGC56xTau6g29>t}?&{vjNex1^hz)wIh-Q%b}kwNPSYrsQSi zkbDrwGuBrQjQdr>{lr7Bc;`cS;9r858y}AAoe2vb{@0YSYIY8t?MwDdvx-YQ;?Xai z`jiQy2MUw&`)OJ<&44=G4*XkF#VskYgI^^WJv)-Cc3pUBm?hOrBshhDGzIH}4eaA8 zMt0Q-MO@AsYB};hLKtXrDGz9JPT%Fy43RrATO#}ORm^;S#oqOoP*{S4R^rOM6!x;` zB}l8a9HsO(+iaNEd+5iM%cF}6eGhi{`~~BKJ~j9}EAHxK&I>!wW!>3{k>d5i945k@@#ku#9?!R;FO{i^&!Rbt{85!D6{v~#DV(r! z&&$$aB7nZJ{7-}%{FgWG%#(ja$dx*kyuGgDrlQ|PXo>Z+zAi7_{}?HruTge!?nBNx z?vgFGRQLP$+79sP5&?Kubd5xR|7Om!bpa$5AS2ew3%Ke|HqKiU&iKStnvhqP^C1l; zOrdwNdT+jOfBK8}X@UQe(%2X4g47MTX}y8#3UKa8o5qDdtj+MO_)}GwiGF5`SNlw$Mb!ffL5c9B`J@Ib<)vi$~ME4VE?6++?N4npFKIHd0zjSw{&JTP* z(}aPki-J{diOpxx7ZvBJDn#@9`u&Ca4;)ufLKy_YHr#yJS9xIGa=Od5`RS>zO)Bmv zz2!mdm3eem!a@E@$!O@Eii~)%3A56@hx|vN={Y*{_{H;^t=Zi(P~4X|tk#~DPBaf3 z!0t3;i6DC%qG->y^oJY;;O<^PiyncXj*@?b?6F7-W3p!=Y2yYnNyBF@Rm{e0_n!Ms z9yteB>;EGcHu4fQ+?sIUOKD%wB)vI zyQ@IR5c_F79ManuaG^B*^5PFxhP)K4_cN+yM{J_PHIZJQlpj^{Z*z9uQ^`Dmp9{_A zlB=qTe|rcs#+QQZ|1-vwh4vM8_~m&y)3W6zQ~d0qwv}InkrhAfpd;P)fXeF{Hqw1r z*lU{>tJq#v;mlx0P05+%&h~%*bnqCu4;5EdlP!~RJT9;VfA;S zwdDrCNR%0nspWeCr2A5=p0i4VYK!UD#~ykq%#TMKshsVdEnt0pt%B3hR9DAsO}_Ie z>znU*wMC^tA6Bcw`RR8@CYu&GJ#coGVb!0u`9s>i2BbH8lE>iIP+a;t3ey(uq@NG< zH>G2P-l49rggyox^9=<3Z=YW`RzhtOdx>Mjsh7sjKgN-!+tROs5$k~1%sT%&{Bc1H zOK{=t4MhR0G`|yn*2;aW_=iJPFxU;63zf^IrAinLYF(PHOGd;-FHNjjZ?Ydvk5T{l z5R+>udMkOt4Bb#8loOcfJjO7kx2}j$C0b>qi59?%rp2{{JM~%J=CWAxr=(XIGcx;LEA-{uHEY8n9ETj{^t^YDJ50!|AQlyOj(pU8vYqs>w zh77;cCW#v34Qb?<&j&Lo`}E(CzS2)3m#1p2`FS{86O>8&m_>J?eWyJpHamFQrK9!U zN={<#NRxarzqTYzcT1s++H6UZ+tJ59Np8ElJMHvnNX#-9zV6nep84?0xZh#Mub@+E z7w%ehz;A>ez^;hAZkFQ#4fZOGIF-AbozQ!cnHWdub`q zNVN6!ywC@~V(b22{Il+@b$8nQ`ywv-v}!_zHKEsfhwB4o*nimYc}+Ok+JvIbJP45J zBD7A*Z$iq*Bje1vMj>ayn{)QcA`<1&{)kBoe0DBg)iZO1x5IcV&nTq~s4%qiccc(xAw#`1s0a 
z!fkLrso<43*ra(RvP}<^6a7Ls&8r`q%+G^TpN?X&;1*u71 z*20)DYLpt~)Vz;=_lqJw7v8xDge_D8apFVz+|bo4@6IwPeQx>}xdir<^WM}`1)y8` zCtz8oit1?fot`_ea~kjBnLRLBs`O#|Sit^B4k~1g%$!}9lBGD~`BbnNdQRP)A1A(q zq}t@UJJ3`Xm!@&bQ2U7JW783)lU-idItv1uaMTT_ri|;=I>mecC|*PwBzrnp$MxES zIgz@o>}>5#4yrJsp`-}_1v{4ouac#BN^kovg}hF;=hHcp9*s>gOroCxtHwX@GC%Red$?3rWO!2f9Li;lhOJBNv)wOAI+}jzm8f-!? z9>kW|dxtqIPBTe;A`B6eR*cuDfv@QD>EQn7HuCp+h`e3yM1Bxt=rnL7$uOC={6Sp3Eq1WyM>vw;oL^Z-} zC_?kk2na!{uE|-iDE#J$HNa4&gu5VHd5v@QnDaW^KRG(3_r0dG22j3k*k;rcvEsJd6r~RG5 z*qcO=%{HFVH!<$`P1Q&)&4CA7`Wk@ODkEo$n18qCD)zK`|YF z1v{rl!1O>Rzd}vK$v00H5hPXmap3kPnJf#nMWI`qfFk#6)x2lzCm5{MMI{&d3oGvk zyhHB7+lA>y$w+v|P9SDGCEvoIg8j6DEk)g-2vaC+%)DiFMbwbPloXAo<(9~rW7D?L zw;pNe+2|as2TCmC8DR(y{H7vxM!a1^mT}W@0ph1q3NyrXywq#Ld2&^q@}j7JU~?18|VT7WJ( zJGJLVRZjq&YAd@w{>^Xf81Tn9&5W23uJg-P9Qv|qW*k2?Rf z1)A0^TgS54&drt=ydMpk2+H6}+M7$d_;qIl{Y$274O`$Qs&?V)S~>rc_Fh8FKSYNq z!8q~j{Kw+&B|N@PhdRB71dl=_AReZ9kw7D0LL?-8j+7KXu9U81Ij@nIHHCr`L?n8LmVH1>Ex}At2|PDzTy` zrEi0i-}^G8H&qm{0Yd-s2C^(Tvfb5SjLmhesNlrUp#7hhmm*owXXsW>*lxX{T?^g0 z9)~6<-4}}oej)4L zJ%i457?@1pG?p66(guM;{Nli%-Nk-5ZarE0ME=cm9Gyz3Jaqj()M(a5y{n1@tAT(_ z^z5p5{a3$51_7zx`As`IV~H@8D`Ue@=F?P!{Y^}Cq^YC`<-6A;at+k=F$dmPu*VL7A$ zGqdE$5nm@?Vu7{Kbo-lzWwBg0PjCIBBO};Qp%gRwc^L^-!lgG z^A=9-qU15t*j6#JmE_{Elv@7pcD(35tdgkoUe`v<|BXo zFNa9WOV$%0MtE>O3Hf+*lcuM>Wk4PJ67w~mm+iS&)1Kc{8X_CKbjs@?sruQ7yLY9; zWZoNN&JNcQ?46;ktJy(q-T;}LW`j9t$A(mg>!O1F2`@-)BOh@2-Gu}Y_~D`h7qliX696LZ6n2Uq%>ju2R#) zK8_3;y#)84#NkW)?_c}jM+Ix8eq0(82FhN)Xuf?xYtR5KxfHz4yyPs3Jn~8~2@#66 zzx7sSqMLID>;{CGfxcc65XTMoc2_ec9PJWKGzP7ezpk9Nele#lqnaySd=AtfeLnZ%lD`mspmSjVeM{TyPzr`=lG|oV7 zK#a7UOOLVB*&W*TS>U7!oLse^^Ax|H74S|HJgT1P$kbzELgM}dm{xlF^}M4xyaf?R zu#BYN0EJYP$vU|t{ZXUUVwJTKU@iF=@5SIm5&o@fcnh}xf*<||KdpDY%~A)l6w0lK zfyTuYOo7IWjv`|XP$Km42~m0Rn76X7Dh`eAvj+$Jn(UfHGr|WF84LX9UAv01%RF)K zQOPm=AI?23Or>5SB)&(*@vU(3D~Y$K%_<sB^D=i;Cozo;sJZNNrV z?NtCCF!6Ra5Na*ETH}7O?A&3nbz_3IU7oP|7RJ*96`&*HZ5K6{odX;kR0akdhW7Vy1gK1q6JcN!6i8rME+!$j 
zEXe<2Qdk7)$O(t=|5l3c32dd{U@K*!wEeyVg?z!bMIqkfm6`Hz&4Ee}_%8Z)9(ekI zy|(wGArLGBnu7S!)v`zwBR%v$M-Bq>P1M8iYxHH(jVpq2e765IQrs=}> zB)r@Oo3rnBm_Z<|`h+Ri^X}Q22Wnj;E!(zNwqSkT{X0h6D@n#?1z&Jo%a3F>La;&a z*#{{50UY_WMnosN9Vzl>4{BuH(Gy~5_t$HGZ*NsBmT6JfgDgnki{pF~Ob8YF_^foR`fj=Aay)SmjyIlXaP8p(ZoJWuJp@t=h z7{47#jz9^F8?O#l$T9w|dS{N2Fjd~*XX40{QwcVk^ku{0>u*aRbh zP#oL(xlMEas>3R+1rG}g=DjCXy=D=`3L5O~aN9`UHpjCD+2b*8xqG#aogq&{HWZ1O zasCrQfStx(ae~5((tIZ-)Q&`D+m|vi?30faZe*pXo>4=?Wrpi5ch{Z2l{T ztEzl;Ljxa>9+L{xK;r%E2)V7z$TdYFv<8t&Yp0~Q7u@XYQ+f7V#$24COFOH;$2b?dA39IsxACZNI z$daMpgQq8pheV$N(n1)DK3T8lV3=>u#HBCw0gU*qa16NqYfk8f=b~$QP0-iVIM^*! zQjRZfnBd4#z1(eEIMc_6T|wJld$6+UajTR_%XfS1q6mPpndDoFG?mXm(34@bH1=bJ zA#X#C?-J`u-vnB~{1XRXZcovd!vrY;K?gNI(ND+uJ+7oq4u?DeHnHf8QhgqrsUOI* zogNk+)`%{FZ4gUmB-cb4L;ZD9!3a+It?Bw|u_fpWSY^O(S!Zq-o z3}6@9Yv52dMkiA1Q(Y#f2YY(k9cf~;-20KbV&lw zN)It`+|!!;7pO<}x^MEo4r~%Wlwa~*NF4cUnYSiMN=JqqHZ%Xq4qVtxXGi>MiyVH;nduZ z{-&>opUK@s$4=|X5+|2_&1&b8z>){DX@1epjBmt3Qh0}mht`z~{rll^5M8ckGH`aH zjAYORR5~01hs9;_(Wh+oW2T~1t1W!-%ten$tHl`g0nT>C3RFG0__eg&C-Q>2Wa8T$ zlUDi!C&z`wn_U11)?O@c(edWPMet~gB@%_B|KDx|Ee0_hg9rvAj!v2oW~@Oqqx39y zSwE$6r7D4L`&3H$0xj%PB?d91$C|tr!aIFek_Z@LS9Z`h@bF**+oONgDL+rRWnz!B zXB;!dsrxD6E=zmtlmRQA&TQYDhiJ8ULC$V|ta{Y?@R{g-=y`*4w1dHV>jVa@Ea_7= z`*tgpy54iOsMpd4<*`|RP)Y09w5ar8#I@3wNMLum9e@JlX{Ewrp%|h?YEtzK^?iO` zK$874-4#-Db+3HTM$>`#-0IzN0l$mcm~>+5W;%8{RBD_2F9c=Qw_)mDGU~UB5my6J zqmVRlQe_Xv1}l&$Oxt74!KJBxgMz1phNT~4oN*o;JMKzw3JikAB{gUSvIy*ar4EDM zZxg+}TD?*6-NL{;{-V;f3Fo0sj~!Qf>t1)e;Y=~KWpKST%FRZhTYS_Oe=0##VYVY! 
z#fFVH(Hi2E?5a<=-z)cS`}t4$QTr@ohxqi5g-1uV*tPCDbKs5ikt6k;$Q~8hZ>d|r zb0bO=#lGC5l`$F>?ggE8>WlNvcVBd9&;<~8j~ELVVqS^DcvAoyUl!cGzimJ){!yc^ zNYXy|IjMw{NMP-o%NG*A4pgSCD)|{85ko4|#ZgN9Es$Xn`Ed;c5k8x`lH|mMI>NP$ z1pM~eTjdX*S{+rk+|JVKu+5h1ikrKXt**xHqnTKV`Hn4sQdtf z!y>SeInvk}2|-EjsQF&p-=YNU7`JYAYB$oXf-snK=LBx?LPaNWg9$ zZmF-Qt&7aIxX5p|#Fk7Z{nnyT!~T(d8@ulIZqQElg5exz8ptz>eRyUPyeEB>^uvfL zY1#iz9c9|ccVXmJb;^e>n?cf$A~h<(lLQ&^s<%upKgkzav$Q9wG;1e;OlylfGwkt#$nJnaz*=BPqmI zBdS6^iED@Y)i<1+lX+7ijSYKSfL6xZH)b6tC7`2U6&;IZQt|wYLwLG#CIp!jpHh0D zDR=%5XKmVu`2=%^rFU*x%1vV1zL%!wLXw##tvN;3`5swH^{_`4WDofG_+)>BrV_4ipgMKlq8 zT%KQj-ncJqyTcsp%La+0O8PdqQR);}u@Ani{FsoZyOSzZH9cv|tv2>b4Wn+K-EY5=xD81!0w-92mc zrsmf!!0y?fG5^F(+YU7I4ise<`qaoVw~0VEE7q!XFB!ytr)wnFX9+u`vAgSu*?GHr_0%!=rDcOzzOvqTA{iFQY;@4sU#X_oaa$VewN%-(i`>Cr>{-a$%5H2JvCI-Ux~;c zHqXAp&}YK>$DX1LLhYa46*Z#9-YI(5Nt}Dje;H&`Lj$b$IQ*EkFg2*Drd-AdXY7J@ z5gicvYvvs@?viOH^N5VBeDZCtnht*Q`)IZv)HIMXcUR;)h-V4foNn$^rxj3Mh%+l8 zO`>eLqs}?SXo23S0F_1Cwb?@%D@~1&{u_W4e)Qbd?U3qOb?MR^e}WMCR4FWG_!&ul zz|jt8Xu@OMEz)J94qKOtwMpA2lPHK0Puzclfk<6;Fdxoy%|hC_OZ~6JBL4#Sd+|j0 zxH8?SGL?Vx(uS;`6Dm@o3v3ySq+{E~hU8 zO~;2Pw-SlXC~QwBb7Q5O@hg>wj=8wsdG2BF9Gqr}t)V087-wtF7PU?+zOy*EFb2$H zlbMqw)Cp=VzdA!(&aPBf({=E|@tB%AV~8^iCqFHLArjau&~Q}38A|XND~eFp86;EG zrgKXG4xi(`0p0``NlK!1Z2(J*Fn67SCVi)_@A=ZUC%Ga z_$WLS&Az}*BG!>TL5)q9;P*0lMW%zZ|6DYwDN5!E@ay{&7EC}~te_mVE)ZH@_!>dt z-#!n=Xn#T(Zu2Y_W|k69q)NPs2(SP=R%2krc1-aY=4!Y1{F|z<)JLhfNdOpnkmUB0T=uj`C_o_is#-o`-UCknHRW_Ui3z0jT1N}~-X%;Ka z6w~J{Ugk%kG1tqdK*JRYLfPs%vXjMo&*g&SX~d?S6dm!FACf)%VQrIzxB0$t6Gjz( z1%>ua8~GOw1ZR?OkQXi$#b(Jz5uSE&OrzX#y^+si;{O@!^t9PKG5N8Ptm@u7Im|{_ z+QI&44xENoJ>@qEnn3AxXB$*?q@uyxUL#L)YoYw=(O`-<$qAi{4a?ny!`Zxnf=1 z9icONqvPSftGJzJh@SE)%tBb*0WPGm{X5)2O`EVIL{z5RYi@##vQj(nC>pf5LpUqV zZQee2D&H;{kcjASiWDO+`uDJaGtv2wOmkG}dr{>?*v6n8vgBHT<2X3v~K&A%@h80Yx4%hOX`DCnw9)9d9T3x3)$c3>n2 zc|6^()TlkZwfC*ag?EHYGs|%^1YTWhp$QbD#{@;-06=XMQ%QA%3A_Nk$*61S4mnMX zy4XXJMVb&N2qx7pJ-dEFw>RA^$XUt$!xm(|G{wnWRLJI46zE}}{uvLKG~v%DL1DK3 
zpI}BUPN+qb+;NeDF4gmbZh9fLgOyJ;&DZk!bhP_>uW<8Q&QhgJiZ??<_bNfU$1bGO z9l)o?jqcj>TeJmM>!jv(oS`nSX2yizai7Mq(YvRMaZjmq0A(>Rps6e`r(_*wtmXFU zN;gqnUd;f{TT6GIZSUfI+H87e&6_0TpZ4bzP}A@QBU(i%?h8iorS~dP81}gF#7cno zgZ(ds-;l>)!>)7isfuUJd-WJfta!h_+Q65GRe_7GM!JD&{rNK*WA??Rr-j-(i!VpI zVdR?|vc-gp#rRd|n(ls%2!kcNkPEwB9EQy+_*KmA7`RUlmRQS-fNF?} z(~GLNdsQgalJ|NrTLVc)DU``fOJ0mx{D$jH>B(Uj+^0ux%#Hq}>$j-)2kafg>(OFu zRp-8^d>JXSusAW|F1WMt32|Oh>YaVmXn7a?UZ6+w@fS(=fV!ls3EN-y9*udD9J0DE zZ~Um)CrcCQ>6Myil?rFl^HG=w&X&cuq1QL-9LIRcjrG*w(ADY4m>mFnL(jo)0jd^@ zu@AW43lHQp#ea=np1KK^Gc2l$=+aHbw$0q1R(UZNoEa3Rqq4LXy)BoVQBI8c*yLJ6 zQS4bc7Zu6~>A$u9LCTus{5N4B4e;s5fsbN@7Y6Dmi-_aCz>TkoJ<*a66eQ15%8NVB zSI3=i+kr8TETcOGNdI0n7Mp`00JD?#Fguw^-N5)N&uO$%?RKV2|E6anthjOE(fa)gB}GH&py^}27Y7|HhopJd%Q4ZL z7Ty0N>Z+rvY??SocY`!acU($RKtj5^rMtU9I;0zT2R~fO=4^bA-~>F&!2YakC$-MC&qR#=?!D()mW3iQj-Y7I^raB% zwTX-)t%6+SnvnLWOkdK{PIE+Tr-2d1OOJ_IFeCOaqZa*$HOUFKpaK{2*1`}6^k0Bz zVYlJvV$}&*PyQnFi3~`lntyNu2|a4$L23lrd*KF*2{)m3w+kB+F^1}2^G|<6ja=PY z9{0d)h7LdZ`F)C}b}%c`vMyrzPUbjs-oL#52K?C2s{WB^EG&b2VKvh9b9wB-ajfa* zzu8Rgd~)}ppH6`ZagI3;xr&0fYVQT-W8DU$JmjVj!pUe?S)mXRB_&>I)8zS4qMsw1 z9OU~T-6npEP_!ttl3;C6Qax_>Mj#8pLvdzFzByeMEYmQLY7m->u4lVIG?K))7~Ijn z^uCj@cH&m^TweR|b4o629%Fb>Ikm3@9QWyoKWvNGd0dzFlMG6|l5?C!hU=oQn%IfN zRxeX>z+d_6_4z!gT}=)h7=ZXV6+v4JnQV{@3uqpvwGtGFKfM1!cm;an)%z(3d58P$ z+fam<7$`Uy;v04;d{VsEPBQ&eHwQ4iucyMC^Zex|Krr4peUxE5=JzfTpez4-y@|=8Kr_UTNYo}=SU%&ilbm*+o9w<5LP)#8}OLT zxAXZNKATtH^2e7A_fa&vw!ZdENwmLt^HXM%B;6lOdLM;ScHFfO;CTBe0|cm}fuGxh zFX(jGl#vS2}>!QLnX@`k?4WZ<=tl3I&Kj-Z;8a^l<$(ZAIxr)0A=y*0RkUI_P+g_#sU) zAMI~~<2*@3k|`pIiB+FavFYo7eq3}XZj|97-l z{7Dc}Bk)dqx}6<$iAp42eDv}!=h4ROJGl;Phfw;UxV)P19USjk=h7^lLeQDta`BKl zw6M?sUCJ>dzLa~^CzQrov8@2XaNkYy5kHQ3bco!(I+do~ncG*K675cL7!f2bdLk$H z8%3Q4DK8yB6sF(g<6=kxC=kaMFv9#esn962a{zuSaJ#~egscpDvRAb}rXv60c}^|U zcU;gk!$H%W?k1Ph9w)YH6_x=hrQH*S6@%cUb~gR;rgua1EJqJ?Ev>6US=N32veV6c ztj8Nv1NZLcmR={>Ftxo{P{R4xYp$*+WBzyuTEVuc?F@Yaj|qRsGu6H(aL9q|Z=M!L zQj{VoQt~ZVH6;lYn%MjB7s7SOs|KxJv_I$CD5$)7IvYX8ZSyccfNouEapsAiTO4|LW 
zA*GpmCy&0LYj40d+IC~{YA;UpkT@F9g2W&tPf)}+gAwv`3i(yT8@QkU_&wF_BPwat zOKN9}yzE3rJ9ZTu2{javfwyPYWTI2Lh)|=wQh-p8eybj_Qc#C7!FgACRxogO8rDo- z)UL#R-YqjhHd+LGjy1Hn*YPuG5+*YxAfMfiqOhUK}F-&F8*-8OgA^T-97`BzW;hRVCwi$w+Ce1 zyy1_OSdaQ7&Uh?z(D(j)M17_%rU-F5w|YwPPjAkQeoW%O26N{Cyf1Mjcng#d+BBt@ z^1pk!r>*>zm)_XfO)_I+@RKOL>D}&h!9;UQ0bSI}>70XQG;UpDn1~X8aUPx`%6He+ ztVjN&J-&^{u4aO1H%-QgTQ`=9ztd^&Z`Ed8^cef)W|-8ktp=4{%JaL9=3vZ|PEp+$ zbVJH--b#jn)_*NFDqvc*?MStw!t6JjAN;6TKR-$$D7VyE|A_hn3!;YQgIU_-r$dv+ z*aU4Q8gz+2gQf2Er8#xh9xG7BuglJN4?B*C`gIAf4_vlASycaaUPSKK)nZ&E81-?K z&$q(9i5FAKGhVJ!flnqY|5a4~QL|XyNY?=LqyIKA3NQr_l?-iYs-TpPhr!SH>A1;^ zCy@LsIkNuI$@jJX8m14A6>Yg}Os@6IVAdQxLH-PFDbo@M{5XUhs>Q3B;?KFOx}@KU zkjDx4+zTHyiE1wXT1sJx2<0?dy|itaR0U^nK|;AY{ATNruJWh%1WFwJc8pt z^FZs5rme0<6n^hd_st3j-Tvt59yc8rsX=W@(!L{t|HMts z>20O`LBzrbknS(~mJ|*c1})D%3uOf^`rg)dr5gxMoG4zls-r5I106el9R6}D^Oi)3 z_&`0cK(9+TP>VlbV;`6y+48qJZx-`$g8mY{p$P}S6tGl2o}^tkpiaBDpnB-j!B?U) z`hbQ7qzF@v|4hoC_TCK_BDMH9dnrBTnxzeKdmXIxs~g|Xer!lSq!nLN-`dTNRANq> ztn8)N92?;MJtb@zW?Bn+MlF`SFC05@VHS8UWv0|E;%$;W%G0xrQ2~Q%=d)4(FrCH8uFA5dN z@7qpVEf4vuWEhbCOou)xW1-(?A!^xWF6rmZu}{bxE&jV?(1QehWqLzZwnv%Kb9AgQ zvV^7IQUvBBBeJM1phWxc{Vro_)R?8Vr( zw~VuETGmZ-NZ%VmGmZFqR=MKTfGjSSG#?ox#h%+$nz0jgGMUc=R=Eg@)3r(8ZE}_;~D_I@rB-M#%=5h^-?0B zVe4X|S54j=Z;H0a7&d>niCV&uZhE~v)V;gLExgfom7k+mMr7s17O~0c_Le1Dg!l=p zRI4{RDpJ1x1^ib01N!}Wt9Y)qJbN{D$q)PEkT;}OuNmSHeV@j>6~m^(igD}v-xiU& zf)8%iPg;Bn7WNbM`I|$o*IEn-dy%m=a^soPE}$;X0B2C&IchHUr`)vIHLhp(wrqD` z%6OvPXUCJ}Sq?1V?fpq|dF{#-=V3NW$K-0+8A?kS^N!QdbgjD!%g*0}u0;LcG(b&< zMg^?mRR#orp%k-#i%L54cK{l$P3pX|^d?Yma76{grvG%D>(YkZXN3jYx4E+i6e}kB zsjl-=j{$y9Z^mmw@5-D;^y%~bbXn^5S1kQ1^`oWKa{Nau6BRketd0~Yw#V{23Cm(A zq~+bHE;gL7_?maFEeppj)KgZL?~~qOC@KzH6o3+U=j|)?2~PZ2Uul>bE}jxI&+_V(5}kC9501V=qAs z`OyaskRd!RX`GNEn>!w?qyj5l59fnc7N^|7FK47TO2)bo50SORB zt!9Q0@n16Scvt`nT%!e+K)oF9Q^lmF?DCZ)4(OPBto(m7PM6Qh99%Kzw! 
zhwIo`X}FSJiSsrduIp{Qsb`j4GF7RZt9rzJu#C8s@_3C`KWm&7wv0@FEu&rCeEHFU z1Cx(F=5fs47w26A)W0gC6{1#$SYw9UQ~Y^C!7VvQOD!-2_6x6vkvv7WL=2~52t282 zN9DVo(!Y%aE}pBd>!qx=RonMeHphD{TJ$mM#r$O2CH(6YCatgp-i7s@5I{^ zuP9t&s*)kce}t%lE+?ikrHJPkjG+S5V{Xk>$XRc5qSTWhz~J6{vuJsM7?RbNj6XD+ zz)6;{`At>iqrQ}KqUmbf=rw??IKr45qqVZEO6j*%l z>1C<@mbAtr`&hl!-5fyej2;c^oKe+ufO|rg{p}>ThzW=~uvm&CX|$LgdaknvI@qX? ze!y7EVNcq`g;mhOlJ+zVdnduV66K0l$%#z6u<*esFH_jeVx+_XyTC4Ckv7+e^YN=V zg66R8pUW8vkoPOXOAj6E6+*-U6ebon&k+k^j<7Zr@lLam&p5QkT}mXd%6ScC4W*9< zt#kmq(WMb3<%XWBLbf@SJNcmi&=lxfl+r`~PC*@uvYjREW*ByhHf)$CeJHe#XF9Cl z1IA}UrppdGhDR z#ffeIS&!6-`z8^5-L=#tFo~$3eZ1+!X__0LV`BYN#Ey-3+{2LbJRWUSMG3Ael}1-e ztN0#(0+Enl*q!pJpJ$w`B6?MvCGGa#6c1oVRYWkv_fj%~KP5dOS{xuw$GZEX=Tj~{ z*JDZ5lyY4ex^K6w7mwI4zc()_GO?kZN8^D7uRqzowi#1C)tVvtzAwm_lqgii1LI6OkpUKRqh5!g?3CU|mTtVXkR7q}DM-{Pg@Yt;H?Ju^qB z&H*ixwx1B=u^Z#ILDzkVh!B(L#Jz!8%g73JG;c_w!^H$XZhsB~+XrfAzO&SquA^Ba&bKJ_h+r#OeTXqc&{9h=>k zp0EE^PNN=uqu>NZA90m8+Lbs$C=HWVldam7ZCPkyJQp{Ap=qq2A2D=<_X;laPn1Ll zxezHmUny%XrgOcGLppCI?rUbqx`SJAeIQ&Yi;!0}V64Qiwc0nai0fvFDXEf!Kcrd= zmr_DUFu=UfIL`$_rzg;1)x;=8pGpwH^JC2w7+@@zfnM&;BS-|bRcCQxVqyos<;1&J zckC+^!@<30u|u%rXT7>jb@c+Q?-?$3xb(?bM`<|HUo+v?`%XPIPj&h9)M`AIzPDZX z=z44?;XVa-BManpi#M!jk@hSAjCV8`a+vFsA-A-tHMD8EXL}noPR2Udt(1_sk#1Qr z3U>A@P0Rzsrj@4eKJ%$QX%&4u&RJ={;$u&Vp3KA2pc>NmJM;``#?s?(gCX?{ujlHF zDs(5;9j1O?;Np!6+;=Z}Kf*r)YYmn6oo3dTaaCNgM#n&9%W*K7Pu< z_U+@@YD9ziJwFgbL#X;n*-ZD|ExUL-YG)q67Gno>Bm%=L)tCt8G|*We5cbB2bm;d} z7V=bS3|p84zg{bY0(2p5m_G%oyq%+?rD44nn{OE$4%E^A;T7GAQ>+oPeK*ObLJ2Q2 z{6e7KALsb0*A3SrsGgWYc?;DI0#i&bzoogsZLenUNN*y=80+x81YxQ^5MLvg-L(lm+T*fHt?Vx03hrj3XYSGQFcP@G@3A5T2K(#tl^QJX| ztLD>VJrwUF8MR%rHbw%?rFQm#>W(i-^fZB|=1Q&AUw;#QJ8emlWsrHS>OeW_sGmp_ z_wFoxQ1UEJD4xi#z2e9`;i|7`gMW&CFe_jwr{(^@wQt(r7Ld*ZU2muvmrn2*+o@W- zhY8_>#0ZHIPhr-u=uG7xN;S!r8qKl2EJY>TcJ>k3UyzpT-}Midu*?D`*j6Z6MTI*^ z_qQPyep*HWoLsy+f;iJ?ie7bVuP3ez?J6W-uhX`={OVi0aA@ROfpF|pD0=NZ;C*Tr zG`!#TP(&#p?dUEpiYE2DTPhDyMGWI~VnwW+8vHA3R17^i>Nlh0Sv~o%&@)t$Z;i!j 
z>XdI1uwZyHY%`1oNf5uX+M4=Gd|&`w1`>y!Eg;TW@@ak9mAT9NhXC|-tA?j}zXBLq zXkp{$dT(hFr+Wos7RDotN#pOSW`plHY)ud2OZ+|TJHFmKdA1S^(qW04#SEm`mC}}k zTpL@FsSIS7{*zYFW}-cGAQ$9dw=eO745>bWSD z!WEj^`R*(?;JB=m{f>$2rl>5$>v3kOeJZLsJ*Pkpb6TuCLqu*g$KagRS3i^mp0p!G zEh*6NOl*#>MTT^cm?KJ;fk}*BhIc*%jp2H&rjPB_=h*Pc;naH))xH9w7TExIYAB|(7eSVpT7 z;%o$>#C*2qu3U9f!Um`Z+BmQ{M3udS?1)#Ph9#a4K~JW*`ll^+uM_Aca)$rh7R^*- zO^NTWdrf~RF%P1|e8!mLl9WU`oRNAqVbYbd1uHr|RH^S&ymNE11e;F=R}o6ienCba zs`O}0xhDBqa#OS>Z|Gk$zupp0DiV+ToJd8SaS;i~@F>MwuUhn3b?_=y*5Ms({VuONN%52j%s!Gx$28K( zCR~`8Jm^Wg?y2YPL|A*+ZgA@^MHCvBbi>TH{A}5Y?wzkxzwuE3EVGS;L zdwrGOB~kl_IzQhKv|iZ$nxgEK;7^9Kov~3)knPeAz#aJ%TS;*dOS1bpAx?~;vrFPX z^NqLb2kvr^DZD4wv=Q^h#o!QN-}Ut^x$8ToFa?WUWZIJ&?{6|G1B-<0sZI!aCW(jB z(VX?eE)Fvaq%9Dh?SLOaSAW!$bo*nbjI8?v-OTecBgrzq<<9l`^X?=jir3@A)c4dM zF4M=5^7v*z#^R!fFBKs_uH<-CLNA}(t(!C&?l1M~-0BwV&FJcNhF8sJE!v)E>Puum z7ekltoIGbd@>c{c6hEzXD1aZ5Tj(nvw;6ichns!4)fohY$0$O2$_$9s}WF6SU}}ho4G|zSmj%we~R| zv35ymwNe*fh~Z-*PCin0O^8lUJ|6SAu@Zkx5}Y^Tz=KoQW z9oi<{d+wx8aj7wv;@#riXszu#LD9M(`WlK1mGOn%E2pMqq6=l0HI$$`?Gxt#y^;K5 z_HoyrW;4Y2TJywaO6a@Z`(fovBmmHreWj`Q;OP<4EKe z67dau;3D4J_wdU>C?P|x;WP*de($qMO7S3ubYtv=Ev%O^IH<1I2U&kdu(vP!7cV^c zHufLPZ5$L)yZ11;oYy4$5x}{MJ+oHw)AC#SZm)cT-&|X|JQ+Z5th;;ap3Zjc_BlU_ zG`PpZr9f2q_wVZ#Xgkpv7UFZc;qL7{gx!1~-rMs?%RGnkD#w10A;9xRiE7rK`zTLt zJSIR`YL~-T%vi~ERiFn1TA&~Ne-f=c8+#AtzwAMi7%_P4+D1olN5bL))B7T76lvy+ z&|`d1w#;UZ4BV{H&}LVysy=suQ5|mehq+sgNPNC3xgIv4J8js_x$vTY)&lm?tRF}u zdEBlYTfp=ZFQV8 zLDUh|bKj}|_mA;EdkiCj5kSn?7-YhHu7Fa0wSg&{0*6gj;O=`LE>ks3iFZ@YTZ2Lz zk-J&{sny^Z1l>djbb=_&C4HUnuK3Ar zsyfkXi!wZDr`eDb8L2*tTQ9^7a{fz{Y!}AG*h|nW2`hSaTi!ULOJ-doWOV$@B?$HvZIBIv$D`ivEpF||KR0$44}|H zcdu^24#_c^=D@Posba56Z|$h3prcFPu5tYIPUVC0bq3L8Z<}Heh4wVe_z~e!W>Yi) zlEoVhL<_PoUzt4XsALNCtFKt4iX2Lg6;c?68_jyNbl9!oG0C;oS9))j5yM}1>kudl zEgN`8gjhRt5SeH_R=N#=&c0CAef2lgKGk#+0+?i2LuX)z zUGTm*g(Uh)WdvM$@E;$lAOsm2q2Gx@xw4mJIei>bTx>J-FKXgwq1^p0`gn9|InxN~ z8qm4OU96+fG?Lsd^k+9|e$su=vcVtOuJ8dy+w;^RHO5n7H@6|R2PY|dn26>0P5== 
zgqx|%6Wxe(=>E`LCsF8SW*6dNRIyDD1!E-Quvx^!hdxdGf0*b(>q*k*USk)+!3vJ+t4Fyz)Z0 zk|0|<#?GNOACl|r!kwx?P6^|hINNs^$`mm*F_dz+DyC|Q5vx6%O+l}skAgDTwt=@p zgta3~MA0CVam56+A?3DE^+4$QWB922hkd>73S&?_-iQTiZdMt)j>P12*&HXg8_|hm3M5ByHz&ygsu8OmDp5ceGV76^xi*NuYllU zY=lk+$$GTTPY@w=LH1At$ufr=$3YN?{&1(bT@;eE6nm;A|gy@k;PhW zE!BNG<84@?*#c@~ZXuVK@g3QbH=#HKa8OaTl}rPOv`Ivm8YpQJj93h7IKy(7qzsMd zk1k5!EdIQg^%C#E```|?2{rHYtB{1zjyZIaOb1<9VoTF*aZ9?@Rv~#twpc1P zFe(3e3I>zlYB-wyr6744%qBZ!x0EwGUH=@$HP@K4bQ#{dU@?=fG|}r^G6x<0K%0~_ zyDZqs9II-5r>48S0t}jDmhn7l^sNM09D}qL1ct2>N!`?F+mjQ;yQ`!+VoJy30y--2 z=(0Bp{p9}YADE+3StS9{3lZV=&V{v|FCh&FvmKkx)vxm#C!p0bvtUWEt%(~{jo@0^ z;>4=xKXLQ9QACx_Cpg)Uuflc0PoHd!@5WxYaF$-J(z3eLT$SJKUs3`cr5wpk-H%JA zzhtVW0OxwaxEzemUV>UCW*7_lW~6G8pn?~o2t!p4x#8r}?qi{x zR)Uo{D)QE&ojJDg9ha@@?XJNbO)r1i{>qA|mP4pWRxY7Doi)2vb9?3tF1vdG4td=p z+Xh4d>D}%{R>impjc>Zc-nOF}-w38{BESV!q0JUZaLK@F@n58FX_UQMH(+_xD+ z&XU|wRFrKh{8zH@@O)hCHvet`B8zL1(WDKEPIpx_h$uauwkHGTt<=mth)&i|b)QN) zXx*6=AySbL(!1Dd0e^zkZ(-)UQJt9ttcPggHGlhz36A4lkKocy zbLuA(2e6D~HzFT1nFUX4{3jx;cE5bq;41{Iqm>yX|;m=QI zIw-zh9kq}Wm^Ls-Tgi#0H$QXrX#7<^Mr7-+oUK^szm(&L=*;kjwwkYSalE?a7djTM zjrCHLDvhbPvkxrD+0mRr}pl38l8rfsVsuChLBdUwpw9k0YZ$qYM92RFO6=d4d!$~#Yb(w0p zo{fOLJ=GxU$jZR?)+$Q?;yo)V7uf=i_Up{+wa9F)Psl``DmEQ`9+Nbf;ezN zdFWka`YS9^-6K}k{K8wn#p)%$Ps5$c@MO@NDC}3f%HnEY8@abq8qs?Oqnu34nyfjs zUSD&oXqJPLTqm4XTo?01PEP8%Wi1v`=z%xpLpuHwdl`b=n-+W{*kZ*}&De|Km>H~{ zoiE6L5zIC^J3RF)J7cuxH+!>uH)$B*7u|+~wQgWSo|S`1 zudW2B{M||-Y-|33Ns2};YTArGfxhC((pgepoobfPc-XxxF}AqHy?9IX;r5QN5?KAq zrv#y*YgSG`lg`6PtmP}C?_pv8p4v^go0Dja)%+<}!?JbaEKvp|Nu#!Xet-P+F90#- zaV0)}!BJuP1_s7>9N~*JSVkx~iBvD9WFNU;i0H{P^9PLW1L2*VQP3&SJ4|zR=4xP@ z0NZhd|LI)%QVI$cw-?fIB>a}{p}mm0r4(C6E!%9;TXTi6by^s2GxJjysrDwKW;#v)c_=N@Hk4g(L>jeY+%$&1zA>16!Mkjyq&=!P;wxnuwUNmZSM1yLCvvB@| zsc(-Kds)2mt#;((?YbluDu>K$BLS}v&02lq)3iOW3qoiHY<@uQ>Q-WvSvDZi zYVTtBts$pE)YRuONX3GPRK;Mj^x3S+sGbkwv#$aV^8L#rb^J?m{2Ci?N5467=ycD^ zMNo5KjOi()*v)Fm7ZSGlg|HN28W8K+r)B3vvhJ!Hha$g7cVr(mm-KhLXWP>!;K|4x 
zTzf&o6`w$!;|E?vJr5w8}H)vW<0h^-Xqd4p_Wbx=T{#75Z;O~OdC<$ z5Z)%nAooLxo%7d#?M4(vr_S53>ajWXFv3pr(l!dkAz=X1qVnxpOvG*kKqr<1a=jj80$V zf5BEfT;pfX@h98R$8E>#75o}9TKxVTxBh@6;nEmW1#++VkFc(01B?IsNnF>?r!(_P zZ$(rbQl0K6xd_lL=D7Ewtk+L2nvY5o)!xrCz-WTN@4qvpe|RvRt|uNgKQ>R#KQ9bW;ZG)N7-8D_fvq1odF)%k zGhMW`@hk2adv|&ctqS}tUmRC(Oa5B2JloR9fyO*Ii!p2TbsRWjy);N!*L(v*^?XT4 zKAFR$2_RXG2HwEjtNk=M0I%<_@GX-Q@QQYCJay@)OLdxEbDmTF@}q7|5>vxbNca() z-D+{)6*zpibpy(yS==G-wES{eKOh1;L~aO{y77HK34#nsZnSg;fZYRn8XnJn4}Kj#fG z=CF>CjMrlVw;}(T+fiPUg&Q_lcADUvrjWwDq*Pdel+txt zz$e`?lQzc*2wp%51AM#-_kiCTKXr)Lg6QggYiL7mUeVbq!ZMGw#dPrONuD)q zaLJq9g0GTh31ZrU^tZtwjpDd7ne1%V#~)Bd!Q@_pPY^J$BpuLi#Gq_PeLv0E+mWDc z#jda)U!hUYIE(5K(!rn~uc71h?G*J_r(y{pBy!n(NJpeT-Cd}UPYRV&7KwP zIosR^B-0!K1-S_(0G1!#57}dHd5Q;tQW9KAOoZ>*U@Hh;&=*eYv6q+J@264LXsgbb z#`0IGRZca^67?HOTb<~Szx_DSlOC121S8D;G~P-4hg1Y*mTxplEpwl9-wkU&CUp!S z+k{u2cpVs(otgc*r{W`SR|sO$`Hg@>q)?z7nv4CJS}j2!{&;jxGJx7xF5U36QeZOi zlEjS&XJznz8=RaORxs=wbFeT))Pb2#pLi+Rv;-OCBfM1#*rKDx>G2n|Hk~^>T5%_0 z=0@`6wEd>^gY1x$K5o_pFYe9rrJ`@5lFsIYbcyaDGG{-6BF1b&o2Xv`gu>ClnV|&~ zhB50e>2Jf&KC#oK-nQd;#N{z&Q=!|MI&&g3zs4>HHz9(Vo1uF_EOX#&nq{p1%rR@T zH2-N^X0=|PpME~mx^;YK+TB?JTyK98=JI6jGG7ary_#C4c(pdH&M))azH)-1Z%D)t z*(Z~M->JWO(l$l;4!)uz3fXz<$SUuu)h8!L@w(u*AAlz0Pc(P_&jUH1Jt#kc(r%j3 zVmd=xH6SnWO@c_WZu^9U0@p$Yjtw;0>#oyPuaiV%UKh29B+}J4_-h@96YIP54eCtot(wrR5AHiFFWVTBhkX)US)@;>)pW~kDIeZ4c+9H^lPE1?rO zdF0G`Wf^G{3T)p#Uch^--pOsu+?#{r38zF1q|b@mC$tiE?$a`J%}daIxmM#=V7isTd9*hB+~`5reU8D4_@vm2aEZ_!+~yjR?U zCTsm~OPD+w`cIU?C(bz86){7Hs>-%)v4-P7#SAuZ5_ z!TW09_t~%gGL)!1yr9~M22=AkYu`1%az>#IWGs*|qc9Cu@}*>ff+npi+y)x({_SWk zS_JW6z!(b=%UbU{iKc2#*)Wn4zp09Eo?N7$=6?S;qloC;X#6xQ;F0i-HOU;ZwGAkVTwu9+W(E240B=VfOHoF8q)|KbgzuZ z=dq8)%(f8xICV!Ht;WRsu04s_14W%y&;l;NGw^+UwbYh-T9TH|hhOOq&w-rj`|x1s z&7*$WCUuKPtxoQYbDmXz%LWmoEM7JP?ZX~VPZO0Mf5Azz%TtNYo`&Bgs%1_UZRueE%SIP; zhzzPIj4qu-;88<0pW<(_=@K8KHCSkC|04Z~{>?|RC-_QXmS}(j{^k!$2eg-u0HFpn z@YOp#wp3x;?nd!lplP_M2)_Jsp$XYy1oH28@ zl?gyvJ|BB%^U0TD5hsFDwwSRaNUdR^OEC6rI0QegFPgl*Rf@cRRb1>sEmPW7eBB4~ 
zuK}`T&yR^B^WP;vNMS^o{nQ+-1?3cQ)0jI<=Bmcjq2S0Yia&4=l6ZBfK5^@0-{Z8r zMMmu?c7c5y9-W>3r*^B3Q^brc)f_IIReYG@S8QOPV?0X+O;3J1qH6X@7?2{p2;b$4 zGks+A>#B>)x4}j5bRbCc{2H4QLd6>s%%sP1zo|eoGt64mYG`)+dYI1Aq^E5(O{JD? zivY-*Z(Y2lq{v5(O6GKe7Mc7L7&p-e`Q`ecIE4p|npK;jYQnqL=Z$Cz?Gd3RykcSXLt^V6J$<G6T;lHWAvMc@p`Cwu+BI z=5Ri@BF=f%MEwc;rr}yCp%k;z_fRdOi$U=Y;<4o0fR*L4&3oUjlKyQ#BQL~;B*p9{ z90RG75z7lUra;(WPpZ7DEb z(fYG)r$PU`E(?eUpM3;ri^x9KQpSQc`2%7g$9Vd_tm_m zhwGgKZhTVd?{2i54)i-f)m61hZy%Vr_KRvlp1xl@8Rw$EM6T=mqle#$(tLq0DjlZU zVbNQOB0qYkR-!9jBi)QK2bwp?93=u31`=GrkJ3E$`#20P-PMfBfvQZ85_Kegyds1ffMjgo+y)a9?|Y?V-I0 zXX3zK!6XgTT1Xz)y1*Ra0cq{0r$+2DzBnTC4ls6_y*5~9Hg)UO*px& zZMkQJo^q8d4h(A4tx_D6H&@f5GFPhzbg>M(W?#0Dp zAqd#op(DkiY$an)zVcc#ntF)pVA4sUA8+86iOxsnfkl0($3dF4L5>GP@G08=lzoAc z6hvEOHVWNogc!Z~3-XYG46q@A^)S0^OK!9%G2>pg7$v1ywV0~PaEZ5va0&5~;X^Fn zcIisZ(Ux&$dpW;_z1mj?b}+kbbFe0meRcRbKKqB4C#_+>ild*G z=cF=s89%AuJ$!8yiI+?PgKvXLzC)2IP6|+*8Z2{WjTq09W}H^YXgDd+>Dp z_452U^9A7H(k1;*B2LF!s0{GP{8kQh%G{8>*3fTR>v&y{Mdp1yXUW?+?kb(sFE4Zp zaL417BhpQkUQGK>jx=SqDerMW1>54glJraG+wK90EraY@>0(v{Rjov?23v!K-ekAd z@a4y+^C$!*VPCaxn>al6%FUMCUTzif)J!JHSXzxII)O%-8*^^@(!mLqS4 zK~!b;Cp60LkHY5{H#F(t@&*-nK@Z4jD!x>+7C_5DQ(4&|VJ5 zbi=$O49-rAE{>U@zBwt$0+I*8Y|?{^yv5bt<1v5|C8kC?U1=Mb46hsZ2k!4SvF5Uk zim0N`&GU3^f0SskQKQepeHj~rozK7TE3CF2kO?KBE7FW)DLuTWcBYClpC8>g3HxP} zqusB!6hLBh?sf3%gflaX80)D6hmWSPz}H)ae|B4Z2W9!HvPmsW)V0Rto@`0(_azV)5fddF0z%cJn4xys?y_OWw8Ec0*M z8gDm4JinXMvb%#;!EwhM)ftpG>mCPQ+K)Oi(sI1Ls^itEVNGQkN$HFJ=F6AgM<$G| z?>C$|w2WmK6rN=$arSQ4wbxQptt$+OPcEyUPPk=wZBk{zGZx2rz*wRTANQ}<-MxK7 ziaQogx;nmfER~i*$;2e(Np)uR=T~Gv#0D$*V#+E0RyDZlBZ3=u&G|3KyUz~TXpJ?u zSp#X*a=1I(>aqmh`XmliOC9QQe+k_t4DFoEsAAaK_kD!B^p701%6_PN4U@789uhIgPS116fc_v3jrY%;4Hv z!CsA(b8Oddza6|0ghG-?XACpfuASB1wigg=ftx&8bs11sDA|@fA-W(4DD3Ej?_4^x z6JitspYK^Za=YfNgZLFBM=5>EdxC(7z6S;UVjbEZH$eY+_zDQpF@00R6TS=wP)#5U z%K<31stp8oVZ7qt3dgOkIomt`O@oM-j!CS%s?!Iar3vqua5V^P#k;g6b5+~vh`aiB z;@GXpn)1pw`%No1!#0i$p6q%FZ9?9Oi+0`=Xag#qOwhTSer-lcZqQ-nu*FP6ri+8Nmd}gj@ZK&#K##mn-8kRQ{rri-96LU1!UZE=GC*pu 
zdIn|KXFzXu!Q6$6Gc)Qx&?EImxp~;Z^Weh@_{}l-pvBK#gT36?cC_zoV6T7bT7BO9 z<3M?hSXsZt4LE<_R@Oo1TuJ-b(Eb(j`{$XWV+C}A-U6-wJ~A$an-``zGD~k#qMhi! zAx7y55Y2*BQ|hxxRDK@%L{LS78lO4jfNeY|Mldk&8dccY0_V%ngdi^PlVzYtQDA7_ z*>}Fc>O7LDJrsD~=&)63tp+6&A)*4foTml}5JTLMg(BzgK7MRZvvUW^tlLh`*E??)(5pOV{)d&i9i= zCQng7Zu>hTfq3n`oQE&R*&`vgQL<#&TF*}}TA-JX@5BUZWc4sIQJ|7{BE2F-;BZ^T zlP#)-V~ZB=>V8Z0gHU0~yN(uLoZBETQmj~L$sLiIIz9!Aq7FvrEx{pmuL(C zOj?){E(09)t?Hervanh|&`23T6cS+QSVmN8SV)vVJ%bXP4D!^Nm|hWxr4tNVx*Qxr zL7))vBWnRmC%I@xP6b#3c(Bti|i=F4U{`1y*f(g>ZyB?QHNSM z3)|Xgx=6nGcHW<(nMDKU{6_MDfPPQh8Wt%Ciky$XIe#5;NtZ=R+csjq0!k!NXWaqY zhB^)Gu1WTX-F=BjFHs%v(Mf{}8Ex?%@_;4_EoOtqyhl1c7I#gvE-N*HoIEaH^||CM z;g?z!L)$?1OWP6j@A~PzpJkz#CAQSSOyDe_892{fG0CK;r>Uyr5gunD>(#Mgu;l(0 zIMH!~VNIL+gesyASAVh}u1+L)jBJ0CWEkQki=bPBepu(GnV{nk9}Ar6>*!3nI~G{A zv~GB_2=~74op3Qkp;r1k;g|UF5>^oAG*|GkaglUQnSav-ja*Llk&e<6!n+Bpxh`;u6dTiH|X7M1(@DREWX;+k6v|Avvj z4R&_Tdya;$f z!}t-C+OQWPp({Z>wpxD5OAPqXPt#pY&dHRp)u}2D_9c*1@7I&~s!ZMl3$@Ut3hoFi(#B={D(HoOYr9AGsk*@H1Tne# z)Ua~_v^LVz*szL1FesiMyzr0ZuCr^W&6Ji4tl&>qgp%csDoy<8t*LVm25f#-JJ{a< zmt9@O;@0!!$W$28j(gX6zpN6syvnNks(-^b1sPg$%cNOVL>hi09)kF8+KnsB&AVlq z(g-UI@U=93BRVM!s_Mdxm!mVwVBwR%?>9uRq}!3TVrO_MsIJ0Ema@e}dPNFTeV^>S z`Hz!@B#J4Gh{8Fkrxpri&KFHzTsNWcb9+buh)r1!{tX&oV<%aC86mcD;au;5lEyKJ zFI(a9-p?$gi)o*~88BCPM*mJ4BEbq5qJEGJcvm_c+Ee&Hrmi`@uIFjTb{gAhY`d|o z#%yfcwynlanl!eZ#*J;;?``}2weMf|bCYxK*)uycJ2U${vsWa@56-4rq*(u3B(k`e zabk^@SjCyBpf;t;I1MV7N25Jl=It(@*;ZS84BM9}aSkvvw2{$sc^7=cX$i=dC2mV! zuOd9@#=kV29!|?zN;!emTkS5}&myxRjI^BLnW6y}Ns;gN{w*@esQKW)Wgp**SSAZ&<10*WEl5Q6M7^?}8+bkF z(MP;S=is;@0JuXaiGS`)5I@$O1}l16AxpS4eJriu)35c@La3Ls1#bU<$-f{%|8uG| zX@vynEtqameAu^i#yosXVI=5mkvlE~tcmG=5?TR`rfY=|69dm1lRjG0yEbpi!#ZV>y%;NyGx~N7;(E^aD)Syluxr@r zb%pS}YyN2Z-M-2yx{sa-+}|N!XVWg7!a)@BPcbRo){%jG^Hes37%bcreSk3)LE#fJ zRt*YU%vA!R?3Of}UFK3$M1ku+H*yBlKU(Ft1#lzViiBADE2Hvl%rSiWD-Pc+&Z~A? 
zb@|p@W7^Z+!FgKEEY7!!t^Fo|8Qx?%cUI5zGlxjzjC*<~gzACCOX-QvmQ(6XIpY3pOd=wNww+)L;{$?ThUv_!3u9sY zIb6VLRyAh>-06=9^L?+blz<(;=_pnojuUbo@3lj>PILy@my_3RLPYFt6*x*QJ5z5 zRXnIanrpimwl9^zDV#ddwkh(3(n~d|ny0R%EX#x1h#Q3fc>K2?A3`)$sex@2R2qj= zSU!)R5FAEu#ARnb_QCC=)<-=2`e4qK8-wDDdse^>R;-bqCEBieRY?mZy525<5m6bz zQvA%-`zZW3jV~+)&Pmk{ko)Q{e;D>NKV4id))JEQC}n+J)`*n2 zXar(%w|eIlz3jL|OzZXo{CjRO-`d-+3f7I_n5~hi^PoFmZ!O#2bGed$(%bDh1G~@? z8K1bnKW@QnUYw;Uc}cJEYE_}M0eZj2 zaFaL_dA@L+=Df^aN>+R_*S`V8LC)$s!yf@G0xRu{_X^MO+4ktsdK?B&J^e6O z`YWNYK;W*6yP{1401T6ZanL>1Wlci8(-GkiI=gwf05?HM{5#ek4-W_xtxHP+LLLnr zWr`)s2y&_%qY_Fs7VLRZhNz?SN}Z|CK!Zg7pD7;pRVJf5ugOTVbSd^uw{_uNGkLfBa-Tnl)L*b-75Ey-7b%3uD~XTRS$I?=OV|HP<{44| zHl))bfDKtlGHfq(YC4A{z08O&>K_&f33umIZNwFz!JQ!msD((`{cm4)N6}~F2eoa8 z5zS^MN(e4-ff?q~kl=_o+urh^bb|imwa! zcdPsQ=28g*&T<8=#7iGfI?8dlxUhFo0f_J~iE=!WY+|St*=dHR3^Rqe@Ym-6fVw(( zgLDrPdCN((s0Odre@swpPA*K2CzuL+tU!B~=}g-jkrI3_U*h;~0VquiE*pum46bz4puNZ) zbJ-8++>(GU9h|qUXipYLaZTqseI0T8vEx)&Vhu*6H=hPFDh%=~I3wx>$P(&M1jkM_ zz>L>z|2GkdA`gTST7F(60rDDwUt~>?^Lf)mR?2qbPS*}$+(!AInUafxwl*6PQ*Pb# zb9ozbr*Pa{jacKX_fys6x5mY*+`!4!qJO+Ew$(8|t~1smQN#s%qkWa=D&tTJD}-Yv z|G}b99R8{}>u*YSrR7)W*7P4%lSPtdny^;OZyfOCu%Iup*-pVZg;OYDD+vMUjN))i=dIsLdKP=0|9fiZ)|fl9PIJeHmSx z3p}NJh}3`V`~uHJxT|TjDQ+gHq?ph>BR=Av36DdS9E3|}hTFV7)sFAED2gl@<4?jw zPcBbV^-8;Ek6_)k$CskGv6Dyc&}#C9F#gk6PREW@o2tC>-yIw|B!6NJ&uvngxg=U5 zP>8oO$e1!?!IJNcnR=3gB(oY9zF~)H(2(Fm&Tr)a${>IXL;i4yb}k$@E~sOj0cOAX zp-hxB^NSo;W(!1WZ^W;pmKV$x>S0MTO;ho2ybCO$}??8@HAP zHNIbhGDBmA#XES#PvHn5m< zuVdOqu9KjnI)Io%9(GB2K!FIqbBLd<#XXuXBG57k{O7T=OL@oMdQ0?LTD9(ZB!#DMfU;#YR+IpFl}DkzQtvU-+3xECHQJ7Ka?&!? 
zivfppviMZ7pknJgm(s~npfJK29=m^VDz@HbWt5kP@SH(V+6>O3fND{Zjj zGQ3|7mAt5G3$T0XkyE(RRq6gc1jk-CrkEgl{owPRECyv|zfM;jN$S#tPW$UMXUI#b z$7R(jZ=?A)qWh$V*@F^p04}ELpg4o;C+x^m1k{L_K+!tKuWgrUd-6 zL)o%pCQR}}W{85uvxZep%#EEn(%+nxjX*x&jkQFO3d-0a96Ph_F{p1N4bbrS;qmrm z?U-UazdGIFnn%p+tK8?u5^0ENA5f))&b9@T$IVwfdHiQ5K%r-(v~?Bw(|Q`ipYX8N zu4ifx`cn=e9Oy)VbTR+|pv-#_5@zqBtU@CxN#}Z4%=i7Q!vf^b)l#g;psjFM&bxV#-mkqaTkF}DL>2QnYEf1YG|YMFxB}>F zXLhf}ZS;%9IXyl$Y9V5ey^3m6&l;@H$Lsy})xj_4Da)&G+Gw@zcLuLTapwsI5u$gB;Toma?&68*^u(gef$=;egLe%cP56XC6sm0DFn8O4r+qu_ ztWo;%Y(l*mCGA4(Wym=)Ie50Lh$zS$PD3@LK1(A5K%yxJ)4-yrKPLi?ntu5PU9k+6 z+BH8LFcbOT)RmeFFh7yT-S^CX>d%nm6<#I~zFqoxb5}7_v!7TWU0Muo3A~m7Ox2{N zQ`%dS!#Dd}Vf3C2R78nj!P=z3dzjuq#d@_9-Ky^Mgzd$X)7B|!+|-_^I#hNuIO_#+bUya z!qpa;tairq30vENB!4S7KRGdxqJg{n+h-??+Mv0WtR`!&Ig1S&>J5AEO<7oA;peTM zi&@Sg+17Ma5s!EI5q@|WlNwsfv2@YB=bg>SjVwQHukwTYthhS4V40hRyWVR)gsk2a z^YSqA&OJf{Sc-b2zea{DV*~P8+J-dZP>w9(kc4srudt#tA@GtgXbV)oFQ2k1BiEAj z`?D(0ab=Q`*e-mlnA5vvoQs}-x-SM3qcA*fR$ zJ>1zIe?D~PTiqG-y4%f;&Yxq<_1MIQCFrF>f%g$uuOnl+sU62#L_>IZFe|h%#=~zE- zmGg$^6{ipCYrRbSs-C;feb(j-`h1By3!EbFuz@_!)dPl~<91tTwu7$91ae9popSWJ z#qfG{@#rv#p^$=s)$V+NI&M;4H%kaHOSsgVk-U2}TrQjv+ox9RMK@da)EM-GX3A}^ z8^T!bw7dNCEnK~t+xg-RgpPSCHdIZI<{(=GvZ{US`Gpz0LMaLDrU%AcK!uHw+OFF> zq2r;+?V=#21&Np3l}}}?03_{UA@ zhR&0BdcHp0HncFGA{Ndz@0J6KVV%P3R5J&%G*+={+|PhiXZSbhlg6Z?3V}#XHQ}YZG6-}ZCD-; zP|uNG>(b7*T%I%+mM187e==KrhCJwW-|-L@tuoE*;9Y8B^^{{{;Xi-gecO~j(sf>~ z+DTar!0vY3PCLV{IqjPVB@i9t9LG2dwb+Pk`hyA5MXIF7i#b88$;eY@RN%b}a8SiJ zUwm80*0rr-BW(IfNj*A-L6qRcrX<%TRQIh+@wS-Z<2I9oDH;=OutURNCpN{=9f4jhBB@n8pb~>2WwMROELW?ah@C z>V((r2$E5e|8RYIV~G_;XkrK)#BV$%JYq3mtX$6&X|cDU5nI%8G5T|24~&EH@0Mvn zBnzQQ05xj8QCn%G@Hf29(mT~rQB}F5DkHzi`lg<5%DpKQ_0l1qOfJTiFAd8VU~g@1 zVkC-A>k*7HG7x$z$C4?W*loNfUhD|YWtz=LS2MPa@iZ%2dn&lBOM|5mw;AZ2c#GrH zn8zZ1qrHtpzjd&r4L4BEvDaYSTQ+;k7dMH`e|z=h5&JAkva$IyB@>q4P=JsT-vk*| zCaZ>2yq*c31Ss|d3qB;|f3+_&KpFbN*4EfHHIhAPI<&Df%p+ByVV_pbe6e=ZqmC%i zAYipGX_-pymEjph}t5x>v?%qx9w~^UQ#pw%P(&w;2J3yxuo80%>fPYow(Ia 
z4!OV7{9*(|NFF;^$3qhN#)a$AQ!J!$jRiR`i~&bQn@qPS+3bfH-Y<~ zOfxZm>2Gv4yB}>fdwleyQh4A7VKss8DH`wA?H z{>EDx$)a7?Ixjx0gm3v8T$U`Mm^+R>v()HM*BIDLNw#=eT_okYJOr#M;z+SN6JnH) z5p`4&JvCtJecAN3R9JtLh(`kfvJkbR_)=HX9ayFwEJH9gjx=*9rSh9ZDzw7$PR3TQ z0w3H&nXxm|LG9rI?woG0Yc;|Y{jj(y#h$0yKuLm6j*s^_r`4`Pnc_uHJi9)o#8|&w zz}sNh4iZKDCx3A^LQK$$0J~1;G;!nJo=7!84TlZB6TttC{+7ZYeFR8D)X0Ag;~^)U zkbpJ!nUHNUv5S+!_3CPuTQA*jpE-;$1nxa|S?K4B3w(n>Fh_6(~$4WglE&TdVCJ{^4jl z@Vjz0lQ!k3){3n@14q9#dTUjw#L_xDc#8$QfA-Nht8jfk)hIT0VUw^aqmx_xA(5(V zd9PD%MQ}^oPLH^d753fl`RdHphu#I7!pDl8QPxpWEQhIR%_!bO|&7R}E*Vc&TGxQ1*0~7^Y1mRYnv! zVFxM4-q@-3qTva#U#44s(B8JC;hq^h*%JV5_@c{8_e z>-iFz5KAN|gdH6Qtl9N2mO_L2(X=7b9BY6z794N`Dd}G=2JoPWdZ`m)mD^HMGpM|| zM50%+olKm4TCZXqd+`y~d$yQdBj7||Dc9U;)(=dofxl{co3V4-)USwt=?sAWE~YL# zRT&acy^XI5U447~P}G{~T)$09HaGJTKu}Kn4cTJl);VVG^Baf-!iFdA+oTYj(*8K$fGt~nTS)xD{v3}j z%i$Je?o8yxcGY{3^=SBk-k=pM@vG07cS8kthXT9bzWq2eA2I!wEnD2tZsK;w*bb9V z+}0Kp1bCU!;JZ9-d5%}ZhfB{l^EWt~HFo>Xl~0d3?Lc3#lJ)q8=0xdj)(;mPMhC6A zUYqJ**hb0`bbH$skSV|B$eTiTV>jC)Tng*YRhj*x_^* z$~OfD=4=V6)94UD8U)K=(z1G&xc{0BSqQKPhE7_0!B#sdr#yEM>Tq|`fP>{jwxxIl zN&`2#>0wE)4Cj1W;UDszpr=in5dm6G~Awj2>l6wR~+K~ z+2MKgodBgsSn7KZ@)xgCDPSQThF);FlQy5X-LrG&<867oxuuWC+@G9&Yik1^!kis$ z**2K6X%`lR%_dfiViFiJYuiE+V(x_?*-2}V18&)09&6k!q&!|Hld>2Ej@u=aWnQj5KvLw1^& zN&k?i`L|*Nkp7f zYf=DY!V_?%w1daI+0yAr_;4J2tAD&JXBJ`sQt_Fi*lH8=QSk5GIG3#woIwS4*<9=3 zK>Z8Rtjk=KqiHRuqJ`sLdoQdd)1REtE&sO5vp{E~bg`TOI? z4ZofM&tLV-ZtnHHy)4F?HJHzZLa-R^tF)Ja(25O+ahC*%Hpy_ZTo)Ct_7TS z@3GyZch4#?9N#(SepSXpqZj9SPhzwNSZt9s{xhlA1}UDCvl3@d+SlLeU=iIV!4;k0 zm`QjDC*Qjv!n5tIQD1Ra=#83l``LEU0ZjJC-*Hlk!HIKu8^=e7-^b(H$u1N*1X9cG zFJADj)=+zWRRU?_Uw}6JuHl{hO6j@E7mh~b%GqJEU|}pHkv?)9!Q*;`Skl@4iG0HGGaWX59>(7FM8*;<}PzI1PW*Yc_h4Z6f?r@DIFtVBBjb}WL6TZQ`f6Z_nJ%Q#f zsXsXZ{OH3=W|hqIN>cf6vvl>$sDkfEdOlV3MlQEzY)j187X*o|KW=Xmqn`?y?v`CW zksY@)HUGn`wjLmL_2%c!FFcfp8YrbD?GV-4@srJ zW`9LG(7iKhko9M1hIV(e1NNG$&HB>)D3Ru}M*2EX0LCrGwAFep#1Wpx4BX^Z^(%j4 z%_^XApe_NvRCADAj_29HGF};Es$yr7u6Gc8V~g|otgmj#nq|AzTJM}%3=)I-!EDY? 
z4^|r2R=>&P(kC0YEQDc&PJd1BxN>LE%;hRxh3Wv)HRJ5C=}D|YQZC> z*BF^$6;(*iG<^_ch4nP5iBWR=yV71A_~vh`6&(Pca(Ms_emcQP+bX7w%+;db=~?7q zT%{Y|OS)!$D?NcraQ#d*bU;ZUc3fgDy|jo``NyM1*?j|eR2PK&nQmg z3@#H^pQ^l1(QQuLPL85uz z7ume+ZI-UkSvW6BsE#yPCVLcdQ7teyKiGU;@~p1fQ1w=6-jDDs!$-&=I^b73)x`3c z>`Nc!pS2P6O7(Ixa_{SI@rr)xA}_(Vt9eV6o>a1g{4APHbHmHzJ-W9;s&C88bgbM`25lyExuOyagu zN_r%XB+4O(sV)5bV-rkY7%5PJ+~`9w8LGZ!FGyaZF%wiO!93uY_T4c=Y!8%vXraH0 z4%sv?;LbF{uUpd+iAS+-ulpn7{NY~r+#$sv#!cSMR?T(HLHn7dyv8W-KIS5?pS~~M zI~$;ZAP?{n{G^3EV7Hq6ylIW_Y+YaYCi>&1b*Jn^k>3e6Qf=S`p;_hj=wcAZ0(AMJNc!xd-z!R?2%v3nYS!wyY(WFFU$=C5;I+ zQch~bO@n1OA*Z4Pb`oVIN}|pKWPhSiBixioTP-GHTZy>7{7qt$Gc^$f1zk3PZwDM^>(~6&(EO`Hl^Mx;tf;F^%DbUhWVRDw2V(B$64-M zC9OiB?o&V_ZtbExbZXjJ>#qR|6|)Jl-;o5X75$^~7Ao(dI?u(fQ_@iG>nOQ0z5 zO8I1$meU;n?0B?Ku7G0`DDh6Zz`qU6E;vs4$WNwEdcbM4TwGtSSegYAQYDmJ84r-C zUQq_H#MjhGfF($vE$9y?h%bhXKv7WrOPNI>gpD1I^W($CisLZATxV$E*7DdV07IV4 zR-d3$d|;z5s)I$|v|078;>C>1c)6NBIeSt&XLsc>`#SXue^9o`{mN5kBg6IMnxN$y zvNDEFBdZ=ZpPpvk{a2oEt%o6a4CqU==Lfz$P`En)EVE$G+t#X6oZiBI+)+V0zVk^>obEVa2E|)A4_g@8>wKV@%6W)zfB6 zq=67dL~jxyFHko*GgAkXz~Aq>W)NeXXc3liSozi^BUNCA)Q>lB>}otuwi^?@rGRh~ zu6Ejbnwv5qs&?mpls)3|8Y21Tvy;V_lq>=N?VLq%7gJ4uLB3MhF$C83+0s@<%fXdoMoTd*ZyLOa%m8A! 
zno}#Qaz1o~`eQ{rFQk;LWV- zQwzRcT@%rq<>1TJWo;|4jlkgZ)Z>-@VY6@y-LBvnVGQ|Ca+P-v*Mj2JSM=adpI!M~ z{dt@6@vFeA@`qWJ9Qp2}%!svEqv37mQsHdp*m*lmdi@Oqr1kt#MQ9v)1EJ+?`DJ)F z$S^mldd!Oc&FeO(EbEWv)K^D}4jk(;6lWi$#Ga>J*u zvLv_L^oSGao;~hH6aqAZh;mWh!a00bFVh+X;}n6&6I`S={r*4+8X*UsXE-y;U|kv^ zfImh;&Fg;>HxOWtwRvRGGlQs9M&Z|~G(fNfWd_-(`1EgJP*eJNfPvvDzI_2B#9c(z zqdK%5>p~ty3cpzB@%#Cll4@()V!*ktEO-m4$LE5)G5^@)pMJ<5tv=et|7{e#V`c@E zNO0$EK{SAfQRqd1-gvg7{}IMSz6&dI2VO%!pD6(Ow^_o#a0D>+U_~N#>scO%z&(J{ z3<-C+CPSlxi^P4UMmzxheapY;6Ugh;i>w;c`}#u5#cg3CpUZ{43|?S(HV6kx0uk*S zg#0qP<_zY-cdp~5Q<)wbeBJw+Mbp??yZUL`^oRU=0S zOx;0|CLZcEZ<08N$wufw5tT}Me#UB89gXHS!r7RA0hH;j0&`=~ zvymzRSI+YQ3+sxVs%~KY6S4nXN^4pMM&6(nG6c&mB8apa@nckG;Anfs?%CXt%a@n>~=g{TQZOqsGV(cjYgj=FQQUKP2tI5dX z72Q~fLOAcVuuQ6R{^MNMvw#@St9E;gA22cEIb$z>gd@r|@nRueBu!+iSgVS!ZUr#E8?`)+$buXW(mDPxTbGmx{kRL6MG8P=}#8V zkvz!YxWMDAAv;`fbG;q9M_PC1wW9rc<-O5HP(6d?HEksN-@EJBiRv0M^;35rL_`qV zlT4bf#B7YyV9b;baiDq=A6*R$g=3rE{C(JL%tBM|K}7Y~LBUJhr6gy~;Bo3QM=%Wrn zmiR`PXTO0#d<#?y#_};QHUmrfaa&$B%|wMCk} z&vx;6TcRe4Y<#wz1PBngF4xBu`M$8Qh6Ri1^t+7;v<46G$^2n-ZV zX9x@ok!gg1O4>>|6qwVT>2^t_FPPjTt4)si?IXP^a}GteMiRz0Dfd51?V2K5>Q^IQ zQh58KM~F*_Qu$Kn!_I6vxDtbf>)n*Q5p}&x!7Lr?aA4I-f6ug~>GmVsh7C*E@Qk2f zmFtvJy`P|8zjbZyTdPXzvMKp|KSynJdKtU`IqLD$Z=Vn3k9us7sg8l#*P`V@IjNpZ zkqORu@-vLav~(1-bHlnD9Oagy7J+r#ZU%&%HmXQ))+N;GGAYa{k)P{`o@$?c&v{Ic zzai=J;E`)g18OmObaYiV_x{3rqn6<7OqlhhQ9jNe>kto{p1}Zbck$ULh&*4I^T8i| znS9@CSEAc_Czkyx;(c*vlVqoVSL#JWj!V?!>XuDvjWnsw65)W}?{YJjsJO~H~vavj$Wz<+8ZnY`+3wcYbLUEvRi?ZlVmoCr@Xg zk`C=5i+{Cba^E-)>aFWCfJs1}7+90Dhsl^E)2HHo!W`ZruG$Is2FFQ<=xw70)E(65 zZDtSZ6uyNObm4Oenff){EcU+7wN0Bf-}IQ+CB(vG0bMczluKaHID*MH+K3rZFt~R9cV^nD(R?X-NtREzLy_y!tJ>#k5dwG4zaYL9-a&tj8bNP6ZcYJ z)60_9{NwgPs2S5C=AUp9(tcVucmuhvhLLkGoySdps#h9pqSuuUl&_AgZQEx?mB@-&tt-HjPg=mGXCQ2H2$3fY0fuM3@X zKUJ;CSga`=-{i{BfAZ|N&4(gw$~%yt5%VW5ASD!yk*WQOTE~`PupCnPQXBT-7)wtK zhG1)8ER95s!-fV*3<2A-Xc(4Kxkv?7K$wBn)yvQeEL-vK`9P3(2F9Mo27pjC7_|l>lbDz2&J6-b=|DkM)z4CMYXIDvimCBXjh9&*V7Iv21 
z50lm{BIwKgfis8d4YYGZ4d%^|rb8ayKu_qN8{g)3H#ci$+<<3eofiw*+Fo+JKH<4N z@2c$}L7Q4DPWD4+B&22hd7q)4v<$|Hl}PA4lino*fe-qAIBqn%-d|IR0X>v2gvVU{ znb{Tou4fw(Am5tW?P`D)Ee@tmPLa8r9l7rls=VQJal4$ORK zTY6%^DBRP3c&Vl{S5uLAJIi6SdHQw{xV0v>Ou*1N1Lrn1 zGv`Mi#~oCJ(4m}>oy=eB$HndZ<3X1nh+}f1&2G+v3xdtvt?J87j{Eh_IaAYILDIXI z=g;an@2cMN_1##mue(xjlyCCOgez{(J`K$wRg?0G`HHOQWyRWOi5_+(IL|_1CT^_S zi_H`4vN$D^w$HZ52Wg&37%lCnIBz#SS>q=3ejlo6A5CblGnenT9D1N zcY6T`w!P0tExrS1yWQdq*(6&z(ESSdgK%&gv|qn&WgFT^7h`f7KasT7GmGVds&x zTU510P9x~vH%@m33k~W)n~;3V<0;uksEpkl&Y|#m*4T5}iqSe*))~II#goNpP?~pq z;tu6!-5gPaY$fn*VqRW^!so*+pW`6>i5xF{X}1_K z9>{x@&IjHW-|Kv&^_}h4M!rO+_VyI3!!F22Sx#f~xT2e0%hJ1nGPTn=b-HTX#rju4 z%Uv8_Gnv@OTYuD;Qij@g9dgu|KM6oJMyBgZs&q9*S%Jqmg;5u+fnQE@q{n4AnFf_2 zJE{OJQ>TvY7USOue_fFJL4;4CMvkxaHnae{yFu@6gHpcCyyqQxo)QMS9tZ04Ho#7y zj#ma>?rx!CFw?P;hC2a& zly3Z~hV*Bpho86j(#GUPe}#PH176#UNcU00NcUbd*A{G!f)FRfSodxNuE`XU`#S02 zG?4ajjAy8shLL|)2SCV)yS+1lYxpbV3>_2VBE*|_ZeSdNXq$^975x0Y0R z2>%@ISS*TR|4q85BO5^gYIaGPNL7Hx8Gp2LaTM%moB7mlY(82{WxZO8J;?O(sb@BwQo zMtuW1dlTmU{{80^D!I}f6coA=qw(Wa_fdBDO&W|^_cTqYaD4N!dx5lXq5nM%{I#ClOS zfsUY4fz7CL+yUV-3B(;KDmCFH?t=XK&XRi(r#a3n#qn8CDkwIEo>F~1_>B<=+n+Eb z_foO|dcs;3%Gu$Qs!>;;z96tjls&s)*#`71_hxq5YUaj?$v?>guj;c?sF|=Uy&d?H zrS-Z~wF96eE<0ViDlBTJ-?Di5@%!`6B-K;s{FJK2YL~b>VQcwqOn@Y& zafdj7)6-*UV<}K`|5%w{BnFy{t*E^aLp)9+E+_&#Y#SIC{4=uBt#odt1QM~0NoL&t zQ{Y(c$eo>$NF#s(4{eup?@?xth~c{_z!Ic&IFcwRE1EXY$W``11R8V_4u*c7c=RJ>CB=x&laj6GJQcU^B|lzYv8I3`eAtV z4GV!`(g}p9E(_!Mv)yr{px2EH8HGjFY+9tyV}(>7Z~HP zzB1o+*#|)hl&-nEu}WsYSpvFK`-M;JcQDFCnP>W?Z@|q4>gA#nBgTu!pa$rQ8sX3c0RP*}))rs=zMTe~!w=I@ z4U7DV=aIJ;i!R(BaLj5fd-kA9I1_;B8<`)AP$M-t)Tv;U7so2E}V1 z5=sUf*;+U)4aGPbt^%O4+PPEx6O#JDlu`oqj1oXdGyoyhFeGJ4!h5!Bu|Rq}+^)x2 z1K}i=d&(!4JRgNr=-A;AWn<{_b!vLPR%8@MFehz1xKhd?#yrm`+`rn-?}_HTV%>sz zbLlgrNn`$r1R;22F#(l1-(vR|4}+u-kul=$P)7Ljt~6QWOv&Jk_ewdF{%Os60{*BF ze*%mco~5I@|y#1X9!E+|}$M~&YNOLeD^epHj< zx9QSMzH&z~u5>EW2bW5y8*pSvzx~d0$p>r!D?%?|MdDb-GyUSAL}Xwyvvda9lf|sV!OgTW*zGM`i!>l|0Eowwp%*ksP~HgO)2g{1YkNN 
zFFes3xO4_)W1rAl+)~FukSnz6nF#yCJpLu80{Nd-q^hM?0Ldw#Acs2N=|hK*fB}_7 z4E94L{!8gfWek*6OlH3z5TQ}=mf(RwU&}WYG340e7~dX9zC2PDC#6r7lFLbhw@1*< zpgtHeyG6dJykT^?+KL&Vo)r9T8nCAbvuc%xKqZFcQ-vIU(Jdcwc%;dv@_xIIO<;;& zf21RWa@60TsD*MMhgmQbOvIqMbZ$ltH!LyDj4I`>))EtUiJ9Y@DbGD~aw{|4mU>rMJ15`*{C`T%aXxkNgL>uy zp!AtaksO~hwxdoirqyZ{7wFkFS)?s_;?z zIKraSqiI7a5)S?p4g@0;4iqzmQ&31-f)xRh$O88xU_5)`iwLKIQ?rKKKi(r8kZ}B` z#r{p7@&Q_$571&k>B}WcL7pUGcDoI3`wfgVS$_M2QTP$J;_No*(eIzrbaI^K*Y^9b zPOIrvq7in9bHMm#qujDy1#7&v1<^u5-Dqcf=qx^3uAf?{hm9_H7hZdVf!dDXIkB_B zrAjydDS;UPF}ho3X{yAi*2o5dJ)*2vY)RE0$u^;h`Z3yX1HcnAMe0qFtRKwI8 za(DR<(ksCyr%v`#IabE+w}a>IJF4d=S32%FHEG;4JYNQsL3O4CDw9VQ(>h9jx4z5(-Ozgdo1};k5+&*AO_^vJ}iYEmZYtVvW zVg5g%AtrLcyPIC%4Ae7u@0#H_u7Q9|?4c|it(#n&51d@^ z-r_(2?f{610W`*rKSpDRERNtBX%T3ztMAbJ@8sTspoT{_#+AO=jZb~WQ>>NnV1V3j z`phV@pGv*8DG{Rs;q{C5jVO;0p1*vUILZ2^OgE167vZoeflG?pFbKe^rh&N!V}FhaC+v!3lAA z|3=2O22BL|I*wXwMH`cB zR+Gi^3@MmX1V+{%yvVl{cZs;^E$bPQ+s)Euy)83vjww8EtbRgp^yx-LGDWEfkL{Ag?__}yN;WwCzD>jb zGrLTU>>2{bA)(i}eE9!nX-W@L%wxcexhUUXz?s5o{jb}x zXTC(qKGEWmz_*VHSl^`zK2y6+jGb&(ts2}@T~(`)@voFyJn5xZ(K*r z_e0uOM)e57AB4#FViO*vJ@{z^mCoNgH)My?YYFCE0!@S>`~5e;jDfvIAN$HI1}xq^ zRKs}r>c3eYjJYEo4ESH+FS$GZ05g`;ApL-?EE`lZC^D9KssRm&Zp>ibM119$r_^RF5P6@eZM)I zVCx4`CZSezKW4cXDi~L&<3h)dJvs_!ONDgQ)2XaX+=9om@I) zuhs8Z)Tc5;wS+HTPGzEW06)uF$M>Z)^ip=g(6!J39G}IF4-taYde+re_*Yq@^mx*x z=9*Cuexg37C>XG$sytDh$RVpivaxVTmVWNNM5MLN|85bX zUxkqjB<%KB{fIWcVEW%w3lKx{eG+#w`g$e5x1gTCprXg>s{%c@#KD4Fr#r0kA{qGlB#P8BbTJ?j6xd98MC# zr;Uk_fscGTHNZvsL;&i)rU?B%^1)aDb zg;M;y)GNqpkOV)61id#Ev;%^2uJnRgoIG_B$hog7U!RWcG!00R_AIOE3S62*N2Ap7 zUjjr;a(8dWBn;lx8A`J=)yb@7m^`2g7NwI6x>ipJ(K4cr55?hZ7aC1PUt9lQ_ySSd zr23sGocF!ZPnJ9gZYb#Ng<}d2xy@RK6M!!Q8x%5i7I}X>j;fCpZo=ZtZ`1GAf`IJP zv9dqA|5>ojO%K4NFYU7(pAgw^AG<}eAjj8i8R zM(f8%n48w+v~};mo%A+VzhkCd$q#AY2qVWQgV|6U-bgK`Sqxnl6V)P)$?U5tJ+#FUxim_(^C(# zW>ADX_HsZTp_fZBIi?EX)LW&DoynT8EpyG)nLc7l#a4Vly1B=7L!3Shd7A08)7C(> zl(ss?a=`G5kJkmqd*dW&_ei~_iPCXcikt*+)E;Lv@M5fbR 
z_M?Ds`0+b8B}S}t@GOWsVMLV$2f!tK+meBl#A06z+aSWc5_(EPP!6NoSoVKWAFq2R z9mBwAaQop(K0c1u#JrlHO4=+yqrzhUO80`{I{~qy(FJL-7L3nn$bUtz=kTxkGHv2f zdeuq7&_BQX;N#U@YhTWiL35#1(tlzsx7%C&R)Ee}BN^xZn`WCaR=ck7S`obxdUBR6 zMh)4G|FT^kCj%R-F?)i+g77ZCIrw)o(^?3_D(PLj(#_-z14sXy8Ag%Uj&tZqA5&D! z_G5E}9*!&&y{mQl0xH}e5>zkU?{Z^&2K^$%(jD(*sc>+FFfNC-xhId&B6M{d-_vwv zB(AmjYsK!V)&h*n8!+}0Fm{n0KQ$zdn1!es*(KAB+uJpGGf(ly^s;G@&2OB@w-$E4 zg;#0zRm|n3ncay&(8ubCY#s=0apdd}Pt)qR`uB$tqA9M!tEwa8tUM<$SXEf zcGW6Fu{zp2q91?#J-%)Y#>u_Kl0c0MeSs=#b@a03 z4o?T_llnEopZ>5LA~7|@KgcQJ%Z7FMM*KL&>(WtOSQ=9%=S_Aw^8aHh1R+evReojO~Vmx4A%ViIxMMVKYB;*lj}sTxFna7_J8~A0Ywp1aT|0&>{fQ zwX6)Mci+0r*fMK5$pI+<6zjp4<$_*|()u!)Q+}s`b!@U8PkH4*&C4W)w8Y82Bari& zf?2v{1OelH?#Z4j5jB2wTjT8Ewbo(mb4Ij5joApV(?LiZ(sbXR)f zi4OGHPD{dx4lr{aAucFrq7Y>Rm6 zX2Kq;eA~&sRy_I2_sTX|l&z&Ql-bsqQg~$+kz41Qz^a8Mw{?n1?PxVXmhwsMplJQS zi|A`S6T&1a_XVg`d(JV*rd_pHtN!V9Go}k%_h2E;5tj5@{a?>sS5ze(k}%q4Bl?2mM{NQN1-q5EDR>jHG~Zq`&PKHiA?#zRXosa(lO%tT;6?gz+z~<_x-}7WY~#v; z8#Kw|paETTI%flY-?nDBMId2&VxFqlk`?b0|mUdrqUvMN#wI_`>A$JaS{ zuO>hCu~`yUKh|yw{>)K{zSn(cuhbl$v-f2r?ZH0|S4XZqL55r+vbUp8WNSqa2Ydos zYtSI!NIuh^99n{7nqDx-7!zqgn=p>B{CS5@45=D=IH*O2rWH)2wRtmKdRW@J%s}Fga^~x)r;Cd+&a^;O=7T_5NcCdZmZz{ig>L(1RA$bYObZ+#2^) zO3%D(3um3xW(r>zUEp_PyQAC4XUV%?Z$A~De78Fyj;I*+Q|0K(9)|RDSk!CE7A7rd z+weE9m%4wRmH&FCqs`^kE}rc<25O{FEMuyU&b5v&y9c;$0A{hx#MZB;uhLNc6wDDV*=Cw|XN5-?zE0|vNNVhOugvF~N( zy*@ro)qPgW!;actX|~w7+&Ct^IUZmFVEL36NM=z?mHjg|ju+0sS}GTRJ|0gN-AgiJ zuUKb0b(no?AV1$dUKU=QPuwQ*rWBu~<$OhU%U)q2#1e(+%+6zgNFqmmcS-Hfwz7aE z2=C9faQ9e^D6&HML4|4@4&lysyw5#A0b8F$MT8e-Y2GW|)QE<{)QKO6*1;I17X z>B<~Gjv;FZ9DZ*MN@BqPB}QCh157*yNZ0Y%aIKv%CK&e{_(NfLxy80poRpiV5=!s) zU113#7+w6drd<%33GKMh#&h{~4p-{bx>h0lX)Ora1^i$iLALg!gx6rG5&xOxAX9(F zL&=ECY@{&BhoNFkrX-mnj+K;9-1^yhiecV}^U`80n`7PX^Y&q5_Qytd`ipo;S}rJut*Lw(nYeP3Y+;jtf4>o>1Pl1OySluS{(2= z38A~#t|r7tRXk?YVih@17HpcGngv>7oKt!_RU8a~Dr3+Q1~OrkFgKl)Lrmq3-BQaK zxgx0s8cG?t1d`*8P9%cddpp&0#}Zp<4$6k#*AaGe?TR2t&TeVSVdwuZ9Fi}in!KYe zo%~~H&TO90OI(Xgs?o@F%op&tN|KBkKNon3^G9xVX5H^ 
zaqd5J@7(SIc4gra^dnoO0A84RSpH}>{VXXE%h@JVS3;+A2V0F1&n9#0lL%1)>)=}E zob_Pt=SJ75fVzuCPF6i`(5EXDp4_*^l~m=X>N$AaM~m-T7iZK+>Z&f_iO%UORL_0~ z2RF5oGJeR;x}c_z88Y;jpSP*0r^^BXp{p3GXzBa-^Ef*zEfX}hS>NR#ftnZeU7^Mr z_|idJA1^ONTc^*S=#i2NnXnyxQ1}Jqk=C6K?L4wzvFt3iBR=a)y3{bYZ=6?Ow6|4b zu_?zUIp>%TUsz5&Qb=#gqmo_@rgurFinyVh2f3y(^*4wSb44=s7Zf5f+ou8#OIKsU zeFMM#?qg-C{6(L?ePRxx|WMMW2skTt0=ny(_x zh;I8GkQ2NUmJw-Dm(dDgJX|>YUsN{qykdNu0?rbWHcI$}{qY-Ex1A8Ms*Ilp1IjBY zK7Zcec>7uM8V;rf+)7>y=aB5APy%$aAuDF`%b;9JEd$u;w=KO+D#1ckm=>bFRF64& zB#4WFFYX9Byn*;ECGjh`$;W9rPZ(jQ zh#Icx64l+%(}GRo)!l;r_44J`H|yu95=1n* zCj`Waz)uu;4%{?B`@e@7vH4_fH`PS$s2e7%@Nc^4B<+prAP2cUjVcw^YPws$t`2Z7 zKj2cj;*io({%CmiC>DK_hS5)R8m&|?`8i3hrbD-IS}z^_Ni#Q| zXjY2bMEqQ@57q72YQG=hvoy<&g{rL8Zb5&i5bWXc+XD(#ftxiw=TB|%g7nWKi7Qc# zavc3dcb3=#h)h&$CpRE;j(h%nML96zT&?Q?ax7b5d6I(VZr{1s&*^c zA0R6KzoL2+eG};YQXu`t4xBD7=vMkNLi=V|V>W%@Qu7FYudR0!;i4l_SSpO5 z#RM=0JN176Z~dzHVC?I_3h{&e9r%xti8NJBcD1EV7y*oIgna?S&tmXys@d=-M^q~Z zf~8*&&dTG&eVzkJ`7YZwz4?sWAIgJITI*;cQSr>r_Edzg986L%k?)BA!T8|^vr$|7 z62TUCR)t(eA9mfTYOBIq6>>;-)wp7lzom6h`DlKzSIWdgO{rzJOHBqh`xjzp{pjg~ zsP4#@d^)UhHNyGAxMrHBOI`a{oKm*8p?5hwPdDg7J>75c0!#S_uu(01`URz&N$s*q zEwawnZjJ>k8v@^?>mHtd^vjT%7OJZ1@j&HVaiv6hSqsLD6e}l|lec!|8sxsn3=M6y z7MTQbr#tTv-vJQ@)EyO88tI9gGY7rnt9{T9&bs~DxhBewNcgx)J#K$ZMqp(4oldOgCa7{ze}- zzsKwAw_X%b-qBX;m$f*-@}@iW9#{&}r74LPRqoN{t!&k;h7(mU91T zZIUHeDWhySJHrKAo+vly=DXVyti(@a$X?{NeK>5%5Z z1Xwb%_rd)X_zVdc@bf=_LiFysGLwBSFp&Y)1)g%#{ijzTy2LLSi&y4R#9f|Z&Yfo0 zt~7c0lWwR-`fiWJl>q z9h@xMuLAP(*$XC?vnrK&Td?^K6i$k$b&L$|H!LpxwIT(4*q~C=>l#pjq2w=R121ZQP<@W7+_Xzlre&-+k z$DZapJ>YyU+~fQOP!a$@LT!z|!47(3C zgf$RE7?~tivQeA#N1_mR&Wp0dct_%a{3A8C`31pe)j7exq!udjCSZ3wYlD;o$_bAY z*ukX2m(#v}<>yv2Ig5IkOXP9O^5tx2!Z@*&BXjpe%jEmTnBHTX_wt6G-XlBxzCrUO zNWT|#M`OZ|(Gdmd0F_MIFi(H0v`^U_Z`)wL=Z#3G- zpcB`$bX4%=_gwM!w;KHI{TEx~VwVVnk}Suk!wb!$i_n~{&8@DsnJ6O6w}T!3tHm$G zqaLG@hvI3a;<;|WK+b4nk|l%bRt_EGsFHj={lifHOupb)RA9!jHOx-7a-SxSnVS9k&Fyo}hN!cSX`tg?PqQsrx`!Q%B{06-!l`2#*-{P%zBK 
z*b-*{M`G6PgN|PogLi+OQ@9IWSCm6z8kG%^G-S_l9Z%SSBzsFV$wtBqF+pZ;e zK?j^pG>;YIDDxD~P{HmeiMJ}99^!g(NcPQ13r{y4)OaghvmR+6bdX9y;|5}GPZU;6??FL=HnIc zlC|Kl-e{R#{1`Voo4+33v)BDNS*VEK4&AtL$-hM{?t-Z7&at2G0Y0bzM$eOFyA(DIrmgcVe|Z=_zUwxmUOVQHa@YVe z`L<31ozO2C=flt)Oc(o)c(^WS4?Zep4u%25GaOV?=f>3!7chK3p+@)%;}b?n97H(U z2NplOexUtWBdM{(HZKKo6tvm<+e8y4=*;?O5*&hVh+(4o$4ba?s*7lm_ zbHv#kg*i4wY)dBJMkiMf%Y)#$z((go%SWg*)+XyqKrg|gnnFtE$m^+w-EVZ9Z7bT+ z@YQU`>j`jf$Brb5*kIG|jW_5`FwknvgxZ13n*x_BL~O0M>z4m_YFE{sZ1H8De8P|| z*on9<5+O!(Cfvxtvehj~cs~nmnoTH;s#WLn+4oYvD*J#{Zgfrzm}S2}we@#}mY+BF z#WE6X84q*!x}ewQL_xd&)1mq5jt?o%nw4BWQG7OhrOFWC?^!52F7cs)#w^luwbdV& zHO13ZHbHql1b2!GSy%iRiow~*^vS&%Z{N<6A-mFb@l#8UA1&Ky9+dgGSZEHqSdl1k zkNR%qtLB^d;zZu!X>cU^2`zp|Gx*Sb@q&ZxKmmH0A~Z~6v@Xew{%Q`iPMd2(cx*;k z{SWLwxPf%`+^tyl-ccoW$6_z_xx~y#0-_e3Xt-s45Ala*T;H+tPJK9iXAW>rt1rvJ z=h_Gt^cEuZ2wxiiq*ko;s9I=OQc2)s&4~n{CSq!7y5!p^(3kW-q&}h)#+=s$&0@|5 zznfdNSS;Pd<3l%{FW{D(m76;(7>jUNEI$7bV909R>@mYX3K$nVi?&oWSzMM{o@>FZ zEh!FS)N`*RfEP>=VHAz5@0INzflNrn^aO!1$Nk3{%X6evkgCL0u>j8S{HDutPKdep za^jbQlrPd!_yOj#9afC{U-q{RFet`pNptlTWWiMm6|ZI9l#=*4;O%NfU#*X!J+QlFL* zQUtP{HSN(S7*LaT*8Wy3AL&e%R_ox9#KIt|?+E5N_<7o-O7{4n(&=#EzSVq{TAUTf z4R0hAbZi5O z^MM9SL;#bzy6m1EZKFw`^Yf+9?)Otd>JOZBgSTO$1dYz-a?GM(fd6@$8 zX`>)F^luwrDTuA|LmSd|S#Z#?QLj%ujvU_F>zBas=lA*R8_BhgkgH`(`V2Twdp$;W z`o(MOJGeP|YFHLpkN`hKM5cW$h(V6F?gz#p_9-=-AsggE95?50RvKVnrT=$h8#Gbv zN6?z?rUn|}MO`w0L0NxkY!QY#3E|!N#bmW;Wm|warVS8Ueevic84<)Ng=7i>l zVdqZ@W)_ikX;(BCeYguv=1d(&Y;)9#%kLk44HPIK0%_B60hn>O zYTKqflI|nws5OiP2f*YAz-*C>|2Y8yEh&?MsVb61-7>*%Q}lm)^XpJbXV|qt^egaS zKDIhpSInio(d8Kj;XF#lXNI%|^>!e4W4>iIg^JAB7EAZK4cP56t>=^Kqe=r&^>D6`jjLL2+8*;M41pm+U@ zaUEB$OO(ZuKYx+1CKBRm1j+aY+bDEOsMk;c#Sx8jpx;X#^?D=4J3(*CG`cnTKi4g< zzM|?|b#WEOfjN$nLgN>boO@oY!Qcden0S*N&}4p_(MAs4=rxARsss^Lwosr$WBaCQaXGbi{4wl zhx&K)3Qm#bU(|kkT5ZbYLw4u&0mQ!m`PMB`>93ehR~k=KDr?9Wj)~!=%au;Z9c2>7 zm`YbZi^0yq@->@NUp5>U1ajQ!mq=2no?z&0qIPNPfmols&UmRESH8xMPLRBxxCdi73*IIHh!B zgB6zf8x*wj@fGl6j$#?-$s0%}C|kNFvw<+4z(Y7_*TlwSQQh5sE;Za16t^WEKonfb 
zHN0B5ti%NZU4h%-_*)hHnx9fw)t?xiv)@?k!M(&RU2pD=8+dTkOQssLEOUh~5j}M- zZj(8M%JK(nK70Q}nhzXMCD-q4nvYCUq8Y}k7P3U)r`o22|2|LcRJirm!yP`xl`P@Ol{gFOy!Y^ z>|^?V3A_A9I~ZqUG65B%G63yB8U~g8U=V2~(2v6KeM&95IL>JIhqL9VfKB&mDj9x- zH7Q}_|MXgtZ>rJ&JZv1|03-FS7b(%4ZDWeDuDv6W_-f$=lIft`diw0KgUovCa!?(j zluXB|zWMg;a`8pZ=X-fp0M8Nr`jDYI?n2eMr8QF~byvpL$L}({@i~aeOumh!vDezp z*j8Z}5t-D2dwP!Ek@0;B0P(r&(rpQe_BA%w&zvOB=EnxZV@~~OZ5+{gZ9cj~=|l|v zZd^&R9t1vPL6)}yla^6rK2{J^gB-Mst7b(1AL<*gJ|}HWKQ{(YpPjfH7HI1C2;I_~ z_8-JCsfF*t2YOT6pz9K0&u`}5a-ITVH0ch$hoGZ>6fUeEGX(_FmNqPzaeP77=d7D@ z+j0WxOh$P!Ng&j}1C($Qkpwsg=Q^hm0r139SAkHwgVvuEmC$DiDM%UlUTFKXQd$wO z26@U@orn>gq)mttZ&=DL?^{G1%w%2RBoXhw^E$9Zu=b0%8}rL3g=~Rb#I4hkLdFE5 zaC8Yl1ePoxDs$&zE>~bF1fda+YL-fcb9cxL6}g%GZFFQ_*Q@x+wPVNrckwOlRhPd0>j9aiTOm8{U@lD*G)^!l=o-r{ZZ0b87E z&tj?@nA&k?-VLjdYl5#lUahjW5uBaHm!?_2)rN{FWEu1QM9QV$29C0gQI8@7;f)ps ziK^VThMkwIf$%LcS%KbP(Q0#U5)zxx?o8WT!=c`qBP@Px+Xco ze-i8t>e-@A1j5u)Oh$gln8iQ-C#1R5F`IpDF`F%)J+#BIAnrfOBmRB<$0WeA$z`?Q ziqP6HKOAv0g{Ju395^kfI-dlw`q=`-+9Dv!k|?naGoOP<@b$B$DdK&6p_0$JU4#r3 zZjx&Vw*@~Qyj645iN`%qV}K5iCS=>S7nbR+f@~ z1_v=3!DVfA&(>T^{<5G$c4gKP=${4)gz+~tcc+x9skejuBopK?bqAs zxyqZD1pb4gsn2p~&XijaxPdbQynRxeg*h)4NxyvorL)j>DoyYyr!J3EZVvV~8F4uF zE=c)$lhVOQg^(p`{*$2guL=t%i$t}ZtTueNdN(_fp7%#+Cnff^ZZiy5e~_u+DMTsAW)VR zDxPGjGo}UHW-tiouC^N%uH5bbntBxcBL)ybn^-oLr^@@^(Eaj~GF7muB2_fNIKI)T zQpwXDfB2OtkUHFEy#Ap`wNw(u=S?bSh~sdvnAuV0K}(14R-pMAdV;65;x2V0dVydNDZCbdVxGF#Fiy__2_a%1WOadLWbR;lKmZ`zTcK z_Ekm>6YKOe7t1q)aF5c||LPR3Xco^FoGPAKxq`290>F$6Bl9e9%~saDOZ@?N+gJCaw^0Ya$xX&8Q zh9G!8QssRu)z~7vXH*J9msrLNM50r6N<|96mCPWxl@RbD!^z{9GvFTRhWjAp3HzcV zzZUQXXvDX%-@#0o`hT}ian~7fzys@#p0!ifV=$e;&--^LdD#A1aBcBg03hH#oSpEX zHkjX{#Ft?H>;`&}hvi3OlM^Dm`;q?eee9>z_h}$vqO4gfm98vl#-QGw@zh*1(!V|C zQjUvP6g1X!WZMKEmbSfA2MmIx1Swy>-o8(tcYJ9(QhdH$e18J81b@F;lBDs>tn`2` zsmK!yIT!JrXFUWs@Jlsw^I zLH|N5UT4sW{S{D&e;riYB&x9f78qsmc{fWmXN&8O+ikC|x0RPRx|B_vo%Int9vq=2 z`UeqXI(Sh`Av+;2odFjZ*G6VBpSSts7+2ZnhoO8w8BXeNnJVa%HI6jV!MR&=uGgx5 
z4B<1pSuJ#E9gPok-$!d-ktHm?9(rBTtQ^PCniRr6JI4`ZJ&@i7c*0U2L5P_f&}@8$ z{pXhdbZt_1m1U&H$4<%}?T2Qgh2#zn)K~YEROG*=;_4k6mzNGTAqmo26akE-F$z6e zHzNDpI@oi*_@8Gh^oC!a>c1fLRjz^h=LXDhicTe%vQZ6MMqik7UFJUUBeMl!8`{u1vD!-*v;PD~r zwkXGEeROx)cSp)p!EL|ohd$^OGF|f>wL;DJ!9gnASv1c)*ZXrt@T31)&~B%oH(nI3om+mn&9BP22Gk+ zf)ibJvF_9mETj0yqFA(^n-wEnycmMI2LU3r8aL*|?_GH7z*t7ng^?loMMrw3>*#l% zDn5#}BvRNy(G74dQy;u})zB)E+Stz_z-;;xXrR-+hw3Cj^wGdDf}PMt(Er=S1m5$? zUc#!1UI39opHRwz%_>wHOVuBz$1Cq&MIz%b6o+et3LT$`~+V zH#klzUUA02KR(^RD`8bOC=LL3Q=OL}*p4ZJtF0jNWU1apH;q4(sW>V^mrIi?v2J82 z3nme;qyn5Zg!cQ*kbFsT9QN#=Iv3lEZF5i65Ch4!>49ZmzIYdquQR)A@H0*iDqs2D z1lCqlao67?FXmQE1V+0j_|P9s=6lY8xabsF znX99p4Ulji{-%EiizAoh4f`2Gom~VK1@juJqaNsILJ_DF{T=b2#p$*O6dYRw{3V?o z7*e(XT~2VuRH_(}b@%|r!QPhWNv(In+qt@`6tL*A$$soYR|FuST-52G511mdHN;Dm zw<)>O#3^CXaa~NOpT+I-F2;F9ViwjkMYH?r9*q|?xaoubDlNE)!$EV;q^b`j+{-kOR9&+ zXEV+9F}T!2QKgp%h0$>poYLUKv3LUP3)yaOE7bAF2P&jrrX3`9derqfYoDFES&9Fk zq!)ycPx;A>1#sQ{lEQI36j`S=u?O=~06U~jC;o@melJx=RBdU;zeeX*36rRyUiSQ_ z9E0qsy4y{N?KT}e>*Oyohos?HYEuetul+5)1Y#F$+>_{n+Zox{iRs?_e$QvfbKyle zm!_nW3Bo&@#nnf*ioBY(`wHa?PRE720_)7@V%0~n33TTS$EoIl*UEmyhJN^{-5hVpm%@Ucbm`k1=O}4~c z1(dp+7&5Y#o2b&?d4$n-6rIwp%j~WHB+)V!hQ$#wJ9$D_Nuv+i54pv^(7Pqf3L^@a zQ6m>d=@`wx{0Gs6?H+l@79M#3MEj$Xwqb%Q%v)8$EtJjFT={m`a||D|dW=36C5Z=) z9&oM}6_c>ro;Bug)PuGs%&MGPoJlX}r`4S2oF*P7O6i^^nt-)XWI=C<>xM#hSG;M> zV;!7lLw zWw;F;-#9U8e?wId;+ruRAh3A;0@Be;;zi1PzY)|a^gsGB^_>ppeb89^_{A!vl?!g2 z%}x-uhIS19A4+$fRbNoFrC=oP^0_KU>10ZFCqGjEpDS*wH1x{%3M&(1M`Wy zcOHIGw&>!&bvN#JRdvpj#q-t3dx(O|9%1Di&{4nStr?fnCYGR&fXI~b>uHki9J5Z#A= z%Zt5=RQ?nB>p&h@(s;{M9QBaq(48!RU|c9jsVXizx;G+4N z>u=zj*2LJ{y42v2XFPsK`r+}pNz?zfPpsA1bTTmr0#ztHV@Pq}gd=Ap|1O+v?nQ2( zX1cERl4MzcI-OX zx}!e-*rGoFuZ5u8F-J{D=Gm0M{}wg-WWPr+ur)K#bGwzd{>s|T31Tv`FF`yCseH8P zPV8dP#N+bXP7fy6aaQ!`s=Xtf!)9~{l5}+<-Z*XE{)kBl=qo3sMOr)xsdHmH{qixi zk`k;%P-9uE6i%s{%&Cff6I$L}WBKS}=`s>t!>R$@sC|a~EG@CZnJ3B@--?TaS_0$x zx`gAmYut}(@r=;;(?W;EiadrdOmFK&p6pIdd;hRF3PWrpz%8Dnk4F6m@1sGR47|h8 
z9);n$q)9e*(8(WRBmQ_{^#Ayau;*g|`4yu9fBi*&C6t067-ADc-8JG{HNLzDhc`%%MA+6OUVAmbRgTNL3&r%ND49F+Nu=7-lWzFeO@PN*{RA(t{rcbK6?0@b zvjQ%Sb)csBZ+z1$D2){y6WO=U_I;y&($Smc0Zc~MJv}GT*tiq@{I&1n>l#tj$y&B7 zEi?>Z2TrM&!{ahW1{IZkuM0b3f7;di%`S4+)OABE7Qt4Mnxy=mYTyOw7kbs|i>jc{q37;iG#V$K9Y%Hr8J%fRxh zWPQO%;H7MI&9W1Op3+u+{nGn5lj5CN9+QPZFVydwC5TneF0@H^bVWlGJ9uC2 zfBjbrp+E1c{`G@jiuvd)1a zr%~f*+mG5a8*|r*Hy`<)t9ZZRVt*2N{-nS0JHMC^U=;z`6u1!izvz&DuWQ-Hk3O*ve?M}rkH3|HK5zTS@R1Ch zrJ+qM*~RNK*~f7uIa7aI1Cs29_gzUGXMH;$+{#%LuHcj(Ylb_n+HvbUe*c($A*iQ6 zW=E7Q!75PvTb@hI*(lT;42FY3qDMb_3k&fIi%t?grJz$tbIp|t{ua(TFzW;Zh4Jsi z6~93WJgijqaTCv-?jkA5vU3ValyNO2%JShwP;Z-=<2noqDA>KexyibFog7W)Y>(fm zBEpM-ToQYGTp*p zY#2a!_L6=w<##$2fGFVG6oE-^usu1{eMPihz1*K9{7*Q?u4(l@gug97HIzTR4f_z| zf9cbp%FX|2X-|o#1ox3d&;`Uuh~<4LRZ|?M$0Y3YzaQk2vc79QnLBm&k7+mPZ8f7E zIkmCgKq~P$rw<|2$|Ic5XgSu@?r|DG^faHVDZ8*=F&zYj%z@mioZez@7cQJHNZVKI zJe5-Djty`h7iRY4=!wdoj|$jF(-*X|R7bZO?PLyt9Wm|M_vMY6q=z7F;>KBz4tYSmq7G?`NA1wfiLyZI!SD~pB8MWGYi z^Xp!@P1hwbZ>G00eV$ui(zUYdvbn{&c?qwwY3W)7agyt9%Po1arPX3@5w8a*+8rM7 zRHMQJM6S|#L`HkIY1@)e>7<2*o6w){0szVy!@-5)VW|3>lBDhoQ8Lh{z zvOHAj?K}^q+IwLy4YdRW2e17te!#Gw3ItK8AjqmCNT8&qj|hOuw&RVt6EG4BOkD2o z{|B%g&AjpcXsFj+a9i;5A?_O$0_t@|Tku)n2bEkrxb`I}*mn&UF4a(8yV7U%JrQj> zxszh1UG^L-i8QUea=HmVIdhQDVw-lFnO$+=`=?^nk?-A$8Wh+F*8QqmOuLmCkePWc z{U}K z!kc--3|cfN?`X=BdHW?n~Gd_MDYi-9&PRUcSqHGTsZzA zEiz+OqQ`WQ)@x?L7CzGm3Q`~rX{*yiirQjmE5JH*oJ79UPJpkZds0*egvYroJuR-K zt{UObn?uEy<4_Pe3bTw-S_d4T^gzC}WhG>d-(+oYTwrshxi&v-tCbw{3fv4hDamS5_PV#G_))`n?=+HI}nBc5+ za&{;%;H-octu_hcW=@7IcSM+36$FM{VQhDbIW@bvb3RX7-KFt zNI9UUl$;cpmV@t7mQC9Wx~2&wxN}-Ypd+xpX%pQIXjs48Q}vZ!+-FH09B@8PXP=x2 zi!IQV>kMRQ)^2{W(LWz@`j)G;d9s_J#H8nIEZ)CU+z=|!1bS1YEq~4HT$gA9t&A_6;T2LxP0*nj*H_z|{&Z$V`8uAn(%Ve>G_vD9$#A?v#wotPEV4u9zJ z1gDmS);+qDd4`Q9N8Gi6)n@KtLiwY`My>Q?i=#&cdPGlF++fFj$(NjMp8NEiDV(K6 zbMuP|xLzS^aBbra3kK?WfMO1S3aWSYU(2J$Qs;yHgEBNy=RtY~q486JM6v3(({-$zAgCU$K0T|rszcJ7IuII^bG8bbBd=-wt**75g|;= zCTvnF6U25jxc9n)$h0_^I&~U~rpMRQ8Spkg$l4PG>si#dL0zH$;qk&&pMc?7B}Wog 
z-a!Qogc&l%*xY@(Q53AeDOLTSP2Yf9hJ-r^2Gd0_R@tF@_yB}n|yW(A02eikogB!0! z*B{xj9>w@ClN`JpJ-|J8)toF;ZhAXrP$7i}EGvMP{7+)#x%CwyUGff6}h z^yB%viMFSc#uIt|e@1XzA1o|<|IPJwVCvGtJ$X`P>^tr4WxKL1)9H=+mQrv~58m@; z8}b(K(nHFb;8lf*Mq9i+;Y^J@_(%qVBAWOCw`0ky$eL;6_$S%j_V;s*JTPZSXa{O4 z)!37}`Vq;J#km>5p9I?%&a(B`c`DN-m-(N*UYFgciG`AtMYSMZd+sp=#@APLJMJvbvnsMGKP+N(R``Yu_hz2(Hy_S&Q; z5uF>wE&m2|;kG&wGPiPx^YS@B?Cm;Km3=t(u14XJ>*c;xY)sA1WUL3ez!F-0 zGcQAIXYKIx=k-8{HA2zA+FbY)SQ3v^K4j}<>jRrxsj_KEOmTD~0xR6ZK0 zH}Uib%q)Vb;Ezv&?feH{iE4m3_1rqLmxXEpkNT_dHC3S7Qv zBn?8&b`#Zy>-__hK<7s4Rt~x6KbQjFFax!z{J&u$1S`HA+rrj?zX442I|J8VSq8WT zADUw^HOzSeL;cbfR5$=H%kw#Fy6uYX(p8Q*<#mM`-~!~*`(p#RA!MS_Cy>(*izF%HB?>&4Zuqg}P7tcUm9^~_d_w{urC zdjac&*6N4W#x^iumQ*up5^&t-8Sd|`OWUji%0!6zO{0y$%^A2WkaPJyMyM*&-}qiW z{s1OS*-IN0x?_5}R&D%dONi|Y15YX(Z%Sl(ps@uu@X*M@+hMOF@2*R9-Fb0k^5l$@ zHQc8>g60=>p^HXVKAwF}6l~fj4KR~nw=7|NIKfZ{T1U0^FpmDr6wBsZr-ul`p0SKF zc5{ASn`BzqdYFD`6DGbo?}{fzg`3;$*PftZ8q-KfkHkF-bS=|8hNZ>cP-T^qt))+| zO(3*hin19}ewIUj?6y^9ix4}qxW?xbD^6*LKcNe_x(@aA8msrwDG)F7mKr?IV2uNB zE2~xICI?E!_ZJMvlOM9?xl&I-gJ>;()?(22XGo`-epmar4{MW6m}_G{ZP3g{bx#PR zj0~{vIr5ygBRw{v79~~29T*@TIK&@{#3);RZ{t6`o4vlP$)-hxMVNd*Z%M<@2Dy%Q zAwJ)Ywr@$m{vVGx<$Zq4+lg}D&xuom!y)DHWawI-Eyg27@c~5mP>#VS$SJD5my3Zu zOSqh`u)JBgDCG*`gE!4fhh%yEDj|YyA}!P6owou%2D(kWIByEu;#J{v@nr=gK+`3% z->%;P3P+Q~TGCb0gS*tkz5eoR>as~(`*uZN)lkfc7F~no(YF5NEHB%4tmEa{w9@|B z=rXfihbMqkwV?UwBK+qvL(ebXolqcxf3(2X`nPq5qPRc813`ScTnS7S^r<}^weFNk zQ_o~uHiY_@x?gI3Xo|*1yU{O5S?DkOW;1j6{V+m4@hj6;t5@ll z9nh`0YiuSjmTIIH9A|l8pg<9}ZVW-3s2a#r<$)QI?fBG@`BnPRxHa)9=Yy1Pv6Z|lY6lO#n9Z&KgmXSIk+1|$ zpgw)M7c`fS)#08KFufR*z(H*uNogHh9sS&J=3$y1WR@bcmu>==qj9*MZh|poO=!i2 zm}0^RX>=H01p|dNn_w!T08(sb5MT;;GFlET3qWqVt>ijSyt;*#sF8 zMd3%FGT7vGiQqu273mmXe8}t8l?t ze*}+(e(PN+t;&ZSohy*>?bP6(GX#Niq?E09WN}5S9Ba`@c9#kzNF715{kA2qPv zgzVNCo?EPNvxQ3+kKwcdFB>htAl|!FV}2CiTGh(1C0~s2Z<2MGQFY|>rE*|+udsmW z9qM13z=7$7GCaSBA9mxTlGF%_3ew9;s3w#4Y|JEuww0Y5b1>t;@K#!%#8u-oJp8hD zH%)`-J|_a(g3rdpaI)J?4=8iX#Z-dyIUe|lci%u(&&_GQkUJfn8bb+yH~>qUg>MKK 
zz(ghZhPMnz&QlZB;|DP>bWp;$8z`QF>M9 zIg#onya3kFP$q;$xF=hY4C%@DBOijAR!D17^hU3|_}i>7OS?9(ZYI9Db}{x`zV0pW z%Wo}tpnGu|TRui_-JT&@*`QvgD9~tsx|yF3fsvnN@3X+w=eR)Zh&!43mj2-Fvi6gcB5}k)pc}=7+7D3qYKAO_5hAv zn$mx$^$z4b#AIDc2YL8M>fob{DbOEyCx?Fh)C1N9t2MPdP*PA(8ROxX`TZ2_C(PCJ zvZZ^6zCV|foV2am6R8U((#~D!&h}TtRo8DFZn!F}E200PZ zaP|_F9yFCEv&U=-$7^)B&1?#h%SdIBG$bGjg(Z(c?=aXh&x;gvJ=%HqSAC|$(vZoMr81@ zRc1_AZR`6VQ+!u@W60QWUc2#*?gM{evKRSs_Y-U2)99fg1V+@)!hp&MJrL2ZORBZE zX9_B5{FuxLG_k=Ds{rIW31$8Z4~<@j*{013E*EKvH?v3G>!IAWs=_{%VlK~nWM|pJ zPwshlD5LJS`%!#NK?5lvl%K*n=AC7^y|8?5G)A=usGqVfaz}Jpqb;@~ol6`doK6y( z73b2zDwf)5;Bw$2cWCX~Gx$5bc5}b-tVe^=lC)g&>xYL72e>7&1i> z#&JOU#sv_@5d!r!Uab{GNhOeKg9&Je--XrVfNoO-u@vc>NT^KU0`vY79ygqHpuQ`j zz;##*u<+je9>5tw2tK%yM$mCi8*%;ROk+m}5(-cbB75_+cMj z`t>-G19WI@xntrKovD&>9P3eQtW3p9JP~W~6GkENSQShVjWkmdTJAEjghLW)L&<`o zvRihTfssa!4xA#fzf=~!Om@Q95q|$H6dwHmpBesL{rc44|DcStAJSN8QM_Cu<)5-b z)*qm+A8=dlcA>&M)+AmZnOgyM-rmZYJ$ZN~hz8JOSRuacjn$j8IKwDDSTq$U1PmUz zk}Y5oJzATjwQJHgLz-~7?PJ*PkinY3Avz{310eB;4*Dv8B)#MJ28yT9B5SQ%o4*u) zU8is`w0bifvfZ?b+@;@L z)6&&{Nz*iwW$v6P;{@J-b*McneC3-oP34NSb=lv%ON3BEr$8&01MIT)^Qpj_0pmXM z22mkm#@}ChgCo;~3VJJPpP8r{FDrW;bVSQt`s@KVaWV?ce-y3*&%0m=)aA{)MDDkd zgaa_CjDXlfh6ruv28Fg*h14VVr}M5ubMWvvIWEGZZuJcw$n)U}JCv~!c0V}e-ZbXP z>0I?2?`Pk5(+XazR~ZJ=m_yJdd6kGVA2VZm;L%3cB=9| z6!T8`F#L4?bITy+_VQX|!SsYyWfN#mfZ2D79dsh@fE#V@4PUwM{lRGx*Xnl@_Nlb(l2|9d-^A z*%EsP#}dXI`$Lkze1}|mx%M8knV22ew}R0uiqG{+S&8Adr%?C+WkAJPUV-Tcjfe8# z=9~^GQb1|Ju|*FGth}~NoM@q_E>yIKKOz*h7ec72Q*r68UDL9ay;wYc9g}}a$J)n@ ze;$7H@J;v@7SPprlMcHUXi0trGDh^sV^3pn;}1-?60z1L>>wAyMwcPe?S5V8y)akM z`#s*~RyL0$g7$CcC!Ue^c*EbqwH#;sFxd8JI61w@Sm{M>zgVH3 zGRAbuVCx@B`n}yBY{-3lAbc3F>FnelBKI81U1!vOw{88V>Kxo1n`)%xxdxxceOt!s zXQ9GXg+(UBc>qkid9S>GQR5Ij*i#y#Mh*5^)%D*X+=|?Ewv)=lS{tO-9rX^lUZ@i# zK?z|q#Th#dDSRUz@q6BAQs$&C#=vl-@@o`(N!yiDrW|1+ zG^BOpi)t;imAEF_QAagfRCc~8yqcL5*%tpGQbwrsf}gk2UnLI2^?3aGD1r#(i&`6m z^0f7{?b+vK&}C&hF6f3_UF`6xVtE80d_?Q$dH+VNBh2KU9c~0C#K7 zu$!>#f@Q0w7IQk+Rli%N5;IRFHp4C^1JGyXrAZ@M*g(;p1adDSSOg`JMV3;clL4ln 
zQ`@+hmU%#dx%dAx>MYX^CyeV3_R~S@4t9Zk!dqyeW1P*I!L)k^zSJ8yHQfQdN=*5K zDRwP>q{|U8D#P>`1>lrP zIIg*&r{5CK1ruxD4mqF|X$ru|HY|_q5eLUh=e>@MkDN64(rW{bv>ixeS_{PLo1>z2 z-UM8^tP}%O;eo*@x(G-yN1%UpL*$S$+^Y=n#O};d#+nZqXv;|UK1!Pw*CI2Y&lB6>!lxkTZ8bkT%Fux1st)}eRAax+O!ZT`iC9Ln>4j3r5Gjdc#`4i$gUK|6slG>GtAH9L$Do_e zXAC2*PG+}`{cm_;z9oFD<#ePFt%Qj69hw~fT=#h2v0iN9fqe}W!6b8=N_`qgc>?t@ zLLBSBkM+1)qpvmfIvG%o@0T%p6@3QZrjIjdQ6rW34boqsEMGEya7yH*L#q2^&R4Ju zVbAMa5qe^v0QiuA5o;quPzgLv;Tqqj`lB zo0k`-KQcU%xW3S;U$EK_-pMxxOSHGaRv!1FNYPvT#`4eG2_AUD0Om;XYGG;82nWqcqWuHsP4pVm z1Nai$EYU>um+I4*xsl0H{1H+07lC6llN^LCIUXc13F+A~ig4-v$*!baxs?AT{!xrl z1^pb+R?~w*tP7mE)@S|1RHhu0=!)ahTrD^pYq6?SfGT8rtsC@F^hZTcm->Mg&rwr9 ziF#`9>aJ6zS>nEnn~5Ckse*%6$pEjoHL7Kr+WeEG3VwI)Q5NR({2Pal9l!SZD>gy) zO7`o1Y9dI|;Q=x>uFZ^nabIZ_`?@AlGMPxt$=<2iM`6HsWbIVd>ZnOv{Il79DuJf~ z106k?Klsv|y^Rt{@2U?JIV+Sez~3j`B1?(yAha1>6cZ9%SG=JNMtrnDKOR*?*L1J> zqv_CryHV-(;(ufE8yc3I^Ti}@`z?uLllngaBZOK!q*^PP zNFmmSeF#i9NDY}|&JAt-F6!vg;$v!Oii5N~SS&>l89x+Vi#=`kFX>JAsn<`Cs#Uo& z-2khgmvuMdPnI{O7XEaP$d%T^nvYUrwsAB3lO1ZVQ7O`qt&DL?=t}}>*WJm5^R>Pv z;Pv$1-8L$*yD`~5TyfFtgpGloD%uGY*F-T~G(;9@N=U&b7{!QpK2m^k)gCx*=jU1- z)(3Ib!zM!OKV{b2e!QVA91r0dUz7e~j@OQ)I$qMO3q&X>uIwh}@+%w9tEeWj`?~1v zdG>l^FRROo%!Z`bC|9JhQfVt@_UoQIIwUvfIUk0G9yi&dK5?fic3rqfrt{|^L;12 z^pSGTu5?o6l}bTR;zE4lP4Wp`5Y6}Xo`?)O_&SQV$_6RXlP234ee^6jGX1D8A=yiX zd8#yd@@Y<}qdI`bc~vmhf#jBuUw$uJA&$!K&oxy3w^*4JLWCf^NcxJI8N?&k8iPU( z5Rt7EK!}5a+G^y0GdAl$UkLO5gIGTOr+h2fZ9dip#D9qM$r2u}Y3l`1M#GRl4R451 zABPk=%KE;llp@4{oEztqAYH>6SZUaU$7>$g#58+Q+pDm z#o}GyI6R{De2EmHpsz5apU(^29OJv>>&(DCrS+OI@k@4@fl25A!<~k=R>Mz!^%Hgp zAZv%eITKomvpWcdsS*P^V{**f@e0_OVOw8)rpj26O^Lj05c&;=&<4C$d_7c;?j=`+ zu6yOlBRZ9N&o=Tb#M_H_XnVg8_ggPid#EN&HSMTK`&l+UQx_^WZFf>=+tvSM+%hq%rMVW< zEUX~%(OvSajqHNDG5f>nN1;3srU09x#L>xx*m48pYiR@+@KuQ{9a~Dwo`S`^ z#Zy*ryq!Ug(g{uYG$!&>5>q8WS=`#I?vDG9^JG>>`AoQWcIRa5a+FbSvRFnO<(0U@ zSw@7(E2+zaS;vQx+$W|5o1`Uns=JenMvgu)p(#p*{706xxbrBL|4WvgtmTxO6Xld? 
zqHMavLG*oARW?MHR7P5cgBHelprt(w?N&9w7Eu&)fHmhvyywpg_wAlAi0bH#&x{Z$ z7d=;|Rx{aByxM9hBAeUM_eU~?r@m3IutiF9&d}l^!07!8-9Xmh7td}ynEg(1gq;?~ z5K{u7*Eq%y@PtD93K?V?C~;-?K1gI1P&PK`B(Zx$vW{pbGww2;-#EX%#r{9ecji9` zn-hN!zHxrakPGQk$v=^|ld8UVw4dcoZrVVH*qnUs7{k-))d|M~6h4d+-39Kf6?Y$V zfOJCiXEA-fLX_WW9LKnDgNa+MG)b_M)`hwlgW-S%1s}JNb!dmFr%OX2K?X+ciL_$z zt~8cilPH;SvZs)qnS7BZhAqYHn;xjuZ!XI1{DdQMaR?MUvG06vCAcB9&b&Bw=V|VD zlBe#pn1`AYsJ_OThl0;nB@sdRtrC|w|CH~iG%Bu{g!gl==)TijL6xvMuP{i{;BUTu zW~NBhovl<=A8X?{ym%_ME}4el=L4c}w6L&%SEV2I>e&h-@{E&Sq!(_{Xfp*1h0C?( z;$Z&7ipnfd&L!pWMkRi*3)sO4NaZiHqQ2eGknvScm|B;QFwJ6~2ztmos5*tiYxA6& zPFz}o1Y)M1)ZA^Nt;fM--d5CQM=~k_$3*4%*0J2RSrmL-zYGE659~1U#l_)jz~{`% zs1x+xN=dN>7k^^$7r%hJ4Mn0lGCwSgnNMSmL{VdJGTNIIa4YY%4QX|TNw3lBTC#AR zjZx$%@2E^(AY(FOqgHWik<&;wAI6cU`e<%S7^S$u8-F`7NO4DLG^iH|V2Kum&jtsJ z;34>W(TAfe)oPP4RyK?VF2b4q{F?$3wo264-N@1iv~Vu`ArXeHj^9poQk@p(-x%p`aL$q74N{-;hhd)r<0<|C`NqmR9`hl_ zk=&YJ&h=N8k^Wfwmi{OG{Fru*bai-+BwdK@Rd=Y8Y6L%eNg)gVrh`>j7GC#e!j0@K z6kIED!V5F7&zFlsM>cgD(v_+3RozpCJv8M~>E!@Ou&(q`w7&jgtr9A0=Oj zfi|;@eMdh3$=CmHRu@D$@$7q(&b~JZm}*hu)RA8#btWo=Yg4C=RCT}8_~uoTN}rTH z351AoiU*@1kF=m`ZXrRb`)2HWxc5Bzv0&FBlQTC6UHhR+htU>=_pLSU$_Y987tMIC*5h8zG z5D^TraYe8NCwZBF6e%!G8Tsl^8Tnh01nPJ(Qi(^DhalUTRUrh-&_2sG1u?FT2D^%? 
zE3F0KJ8PAEwzO3H} z@WPH{fF&=-QPO*o-wzhsD7@L&1^*!BTLpp4xcDm_x_pF-4i>ui%{XKg4Y zixtc@m=QZAN81X-5`-5X2lbSB4>da9jJtlLzH)O&K*bRwxop%X|EDKMXePHMR`Qbt zE<}|lR8o^QRMKZfT-Fu?JODq0-B|8r zz-lf&+%p}DOA{Va1xm(O23cI`O^!xLE$BOt3PDrG)l-37NdW`(cF?lN)zMsHLZ%O{__JUXsxnr-= zkol8ck7MYg`&Fe%AG}Pyfq28ZTHTHIrMD-?dz)(n{FCK2;EDkM8SXY9HV)qWPsI8W zdVd21I?i!L_;lc_as3Dy>TvHmHBB*t5BSU9gcCMUwgm6Boh)xJ%co*4iqLGJ3x-EP z?lx%FS#GOy&ruHv^maZDL}n~D_DM?*9T@>YyE9oVgK?3GQ2^a}BomdlkR22OptTCV z#x_&<)lKFr9;$44F!k{{L0!ZY->1)93I29RX8K%tFzrY$sM5I?ZBEIH#Snb5=>G61 z*zphc5>vm3z^tLW$q)>xZhHj3oUsKzlPR2b;rY0)M^?jAT>*XKVzf}FMpxjP21TMB z3Ypz3A_qokqD;G5vu!;&#cNy=P(Lh*KDRg&Z*Yk|F>xphj8YL4g#;1>f&Mf`!9s3Q zM%p$$BB<>zXLvlh;N~R$ zD|1jCVDQ4KLCaXrWj72G4M4p|N!g-&1xC&>WaKD1N0&Q|HQK znM@1OK{SMe@iw#ky2hn}`FqU*@kItb(8B=@JQv>2H?;c;;gkHajh}5O;{EszpYyHW zj(qBe%UIbF4f8ljdbHnfpht>36FnQaigYZBD}ZJbFlTN}047NJ!*gs{XP-qJ48V8*XK{x<~~{h6+t(f86xRR!YxYf{h_!Kv)hmMg~YJZJ=#9 zQ6PW6BV3z|xUYwU7;r9}2z|)>7eZSJ6Vh~cy&!r!Ah^q#3t*}~?$1DPjstj2|1kN- zl?H$G78{}`^_C9*O7}H}2A0(h>f1T(-ZW!3hwTbNhhNoOFjhnx8OM+LhoV<|lb#%+ zXr^IlXFtKagWR{}i1D7`cE8Un-ZR8a-pCk>tj{R@07nnDP=mE9_Ph+DbS?g7>Yhc;DI@-gkRXAB-Uk3&$7^^t6Go0YW{_uiGUJ6%^GVHcGG5KQ;)P z`9X7S2Kv5B%MdjFTI@E56p_aOk%VXBWYH7;o`UWTI`y`DBY*XyR1cYgqlm?YtE?@v z%j)?<$#nu1jzb1MWQ_872SFq+VIGXcdFoWD@qq0#_P&xxQXryci0c>PneDIj_Y9kp zoj!&d7`777NiyTlw@vCP1rZ zeG8}=gn2x(N>pQdSEt{d?rdOGf|ZSsa^H$sK}8}3fMFkR*2c7oiS3>9;08PmX+2e% zYz=_oweW!3gC~ZKf!S65LB3|=N?RRt#j>g|TSu))D(p!gRhckPG5_=3vwFY_LIk3p zeA!ae6zC7hfE2kG88vc($^?&UtiA)YY$6u{v@zuF{uwOV_P#2#vQq$7A*2=Gu*?h3 zz@RGv_UAbWxbC3sZ7v8nUQv69Sq3?EiOvEVKsU^MUxfrB+5x7B+kR-9UuOjD|5%~* zACPdL6OeFeq9|^Rfxkn3MV1N7B{G6uJq`n-_KtlWU5o~HrzPCumEYUZg(b|09vCYSW$4m!Op{oBtFG0z>azSE!9y?DQEmYHc4OX)@c*dQ1a2~A5+?6%LaAnTtb$yYXB_H=o01*-H)FrXDDjKju6^Qfz`G+@R zR3e@=?V#UIyOwT0bjEyU0bgefolRGW^^NtN9e>wLRhz56SfIr-K>ngcH|EIq7!?;T zEEs(!DhJZ)j|y7)2X8Mmg9mQkga>Y#C`@PF4SFDY2^c87be~DFI0NmTFuYDq4OVoG zX3gO7&{>Vd>MwawPu;wBQb}uUt z3om=}bJ+mgD*iR)t>l;-A9blZTl?RQWtM6c@G$LSEj|g+Ny;f>+MGzq^={j2G|hD! 
zBs1Ys53&f7`q}U00S*P;h`Y!G2WcV~d2smal_6*!fDX)TRE3LB#ycmMYB<^O_LQxI z`gOGiBk zU>WO<)3g|F6IA`9mcM>LQuj?jQh%$ZE#u~Jh&@;GuRu!sLK-G_msRM`(D1zsX%q$Q z4;nG~-`;DsJN)X%GJR}cu1CH`mCrhDQiIJ(sLb&U1K$q|iHQe-F;uYe8}5VyDV=p% zhE#C|X}+8vuk5Ygcr}E#Ok?`xO;twy0U;CgkYr*b8- zzK;f4jySF12C8ni0W9L&C+TDHklIfx0fF<7@*h)%ayr;_|R2@KAe5>IhbH&Pi# zGf;eu(ySWk6_BeR{lAN+I@4LDz|1)%hG>eajnJIH^1f5j5ADtiH^az-y8~Mq1|pb!Q&L0YPj?(tFV$ zaGT=W+tDBpcEQ+&ZE8u3lphgWAwp$@slPD|0Hc{>9p-47lkDJeIuZXeC4@ei9my{a zyYJa}K+87n#A#UTbR8|jpsaOEd!=SBWkr520-&bBpbd52Uzc>$SegKXg48PIG#@d% zcbGkjv!Ut9K3*68bmwR>wBx=L9XVkL?CubKEO>(3+k_x+c!K`d2oW^ld+Y|kk-7i7 zx1<^8>2F{tFi0vEFf30&`WF5tWRjJ}6SQ~211dobNnE=|VEDnFMF6$F#BI!=T{mup z-HJ+(xmeY8UqbP0azsEB-6L^l@NTfRH}~=9%BX-CwlyHfGDhzuMT088>Fz89k{?TN zyvh(|b(@MV<27~M{G?BjIb&_Xz*S3ns8M>qt4m?{_&w!uF^q#Ys;ov1abpM==rQbZ!-P1n>)3!6P0 z>YuMzmHz$-r-J{!f|X{^w*zrpT*KkQO-gr#rv?JN)v6ron12Pns#x@tPDjh2_Z(C$ zAFY*6!5(`wS3ER;q;M4o3>|?4#qLZZ8!AD@MfIuttc0L4{0!=l>owJ$KRtcqZPyv0 z+sUE2GS;~guM~E<#Wm9dbDekU;b{AY6TQ<@n0LtuI+iu2-jZ(d^*OZ5kT#7i-%7}y z$Aic|jy%v}|7Wj24g}8rPXI!>eUHN#0t$&13JS<{J%o%BJjetQZPLMl5gS}1AaIZV zzp2mu9EltVTiKjmmV&ylcyhYXuJU_G=|22iKW0w0@by+VzX0TNjfK7DCf_#w0n*XB zo@ZJlZ;|#Zm3jjsc|(C-Xmu2x!GZ$=rCc~r=0jD9UjH7V>=x>K>Uw!pzIZi>a2Zt{ zkVNbNB9kXwd1Wi}i-pq*PV#V94JPlEq zholcn4*jdaGs0K5J3H~H{lv7bsQRQ$5S{Et*?5>S!N45_hOcN5ew!Jen{^dMyRnQ2 zX9rBYL$BpCu$tA2{uQu|KRIig-11x{el+jzkG?;wHwv{h_bY5W-cz+Tudr2;!L6tH z0!)y!rE0Q73aBS`KfwZ<3w znEoM)X}bpLz|2PJZ?d>IqDhR*$5#jz`f83Qs|%>WX=Ip&x?#6(=CPna1q6FB^TG{) zMl03Aon2uYwc&?j)-QC8$XpqVz$3hGUlAg%e^0igqqeryAH{4TV@rsw)A5d@8sN_L zDH<&O!Irq=w|PD$)J3VcQJyL^#8!6cL?K7>qb-=vm;9(!RjO%@2T=r3@WP>vaH&~` zBJfNCDa*pZrLt7(m8>Zz=SFhJV z6a!l6oO8AF1TJOdXB81Hw*DO}Q|E1mT-zehG4qzCM`n63=K^$;W2Y}R{E^q#WUnFIw#6Nf<(KJj085p0fqmQO4LjQ zKw8fN_-2iGG-7}4sHSitHbl$~4C--1;DZA_c4C!)8Q-7nk{cp}wVDV7*1Ymjdxn-F z=lTa->%3zX(;QYpBl;PVB&Xrc2u~}Mqz*xUg7=paVgYe+x#sG#1M$@Pm^+@*Q*^B% znI+(K%owoh%m8bxUhw-K-ebSrl=F{cu0-nA=~d zW*u-tP;q$`+dqP8y`Uiv;RVqFiK;slc`UaYmT!+mFIb5eL`aJrl>eVE 
zIBgcM7Xo?H#YCK+i-sUSDS`Qd2Q74JHm|tF>wHc0kJ`bccZOddc0zosozRFo8;pTB z2#pQK20S$kAut!lYCZ7*HvbzAS-dFCOdk;Y^QiHSTeuQNWAFD%Rfh4PIlpoIz^62c z|Cl`FOTnnV(7waNSNXC}mku9s!KrQ$Mw@QNteiJff0cDWTd;i4MIc~YgM}u$D^jQ8 zdoiWf@^$8nAaI7m?643C9TPAG!x0IEBVamefA^n zVNOm97}x!E8`zDJF#9u+F~6Arj&N^-oh7;3pYm4}NTfyl55|Md&n+dNqG%0xrCUsZ ztnn(g5qG6|fSuB%-u!au$??=NG?pwRq^CpXMU}oa<-l}$!{|8es`d=TXW>F#IO_ef z<}mb7_;~miY%al-ay?f0QXk?=XH{jv6w9vskR>H#LGT}hS)wu!xbwl&0x}SYmV)i! zflL$Z2qvWbigMMB^|`u-XL!2}5z2s>GsUKU?}U>6*uP2IX2 z0p1|cbOc&BS>} zhs#aY0@tk9jAtt8tJY5LlYJf%EzpgZH_Y7XOzGDIPVkwr&C{1*&aK%@zwQL%uv_Ii zIs+kxV{BUv9&UbNgGM!}iw8_jAr1qH9O7&U?)4y~M*`#@c|tQEYq~9=qszRr7i!O6 z*TRAuwLOy&!xL!SzI9{M>kv?yKi^TF@y3JGd=JAfMT#^&z%|fB&r@Js;;UU(1D6un z1;KxQKX1PaflCrIEwBs0h!lpdD2gn)8(vI8!z{@(3gs&zqk#kF&@B!Gea$J3^N;O! zmqGeIOGw{m2~gLXCl&DOw=B}~b4`CXs5v811kmc_?dyGqe-q)dZpL1iG`p;|PW0=- zOTjWSXg3%Q6wa#-T4oi{!q@M;(5r)dckjgud)|*t6B{9&vKC}gS}0$5_6QaP|0O)! zNl~rAmRU%}r8!1HaNKXW!w|U6QPTp$5Qv3}JPp`jE<+);|+Zm9gER=lqG{48H58lsct z;;%1IIRZD#cois(3tf14{&{^S3?b-+-RMK))z#3SVaxBd?sp%VDTIjmF zYgqMVZgP)^zdrCyN;f5Wvd8Vg-W8`oV`t$t)D0|we26-8co8{|k#|^Lg^%;(g5h3; z!>7rSreX_4(vb6F1=8F6r$yQc0&<@<(u{lY8hew1c>f8o3`UFOg4s&t^sx}r`WKxr zr3p3V(*%bK8A25JolOO`gsUf*kEwi*$Uhsyx?ycZh(05aS_@;pn7JBo_nTIU0GHY1 zHS9)!l(s#g)R?sB23B_c%qPgSwuT%Q0`FoP(MU3T!60hQfP>*!`Prjk5jd9t@`GRz zh^zs&o{TaY{Dq;h65`MRCGMEWqC94ZA_7JBHNy43MgB>+#E%;T2eX+0e}g0$_y(CE zW62&6t;&8FgQ%Yc<^#Id^B4`W_h+BZ#VH}!Gd{s&eijtxMQy_GVA@(VgJIUoSb*g` z6JvlfnPN>>t>fV#h0L=4hOJ*cyJ>)5GdHHoG+_ zpW=Hp?~9H<>kWy+@6h=ORo|ygiFlT zSC7@OE;)ZVaG6+Ffj|9@n*_y@F=Vq~AAN?RxICmAle6LOpMvD|^p%&LiN-s|Xoz)# zvo@GZGSWk%!mvK2m0B>?Q>O{PK_gASzGf=mLrlq;#W3(yR~+vGnY%9Dq~4wtocXQa z!c6gcT*D#&^h**bOeM>)Unbh`KzaUE*r#u(-w;f0A za<%C(JnQ6b5F#*&02aDNL+4DW7r=F0$G_ArDD#+{u1vp5c_pa&jj98ONQcRI?B=+%7&4phKHkQQJ%8m50$~Gs34Jh6B z_h{6|C11xMYT6h(iox^Fu_^sONYmFFrA!r2TG^gnjSsB8j61d7$v@tF2i)%Gu4?xa ze?Hn>umQFS-T4l~il4-rNQ>+_j_re;1x-NRX;GP*mzFA`zu2KJCgZTa z-?BmR-bE)!1H2RCrB|z)a+p zghEmkk#3-f`Z>&vRYwp7WEuI3YlPx2!)}+wNHa+~J263(%=jo5p0yp94K?MJ%ccRH 
zI|lL&NhedMRrihZMGdWLIC)nSs2g(p!V|kiM^_nxZMTJOrs-JDg{Mz%iVY#c zdAV}+i!9w~za~B+(q#-e%~T8{$c_ym)X;wyt=@Lh)GCV3Qb|f+gvgtzje@vZZ~$Mxn{)VgJ=fh|EeH`iHXGUB4yl5Xo6qk=Uw8H>I0SsGK zvBidGtnMN(20+-FE^fWX2SgQ-)lXWn@1_XXu`RdlXNbkvnC0>si4W1-Sql<7N2s_E zF6ou70$=QFsE3$Dzj9g@C0VW3HWI0UooTeG?OZY!5v-V!hPFsN3oVsNJn2b4j2AmICJBz$1S> z38JPy01>v60R1dP5YdY6tD2K3Sa83<#y^Eoj<0hj>yE^IMl*NoJQ@yo-yQpS*Vd3) z!ODmrY|>c-*6trY;UC^QNW){K3VXVr&}oEA=bl(jN%;flb~4$p`@Z*>f2GZjiqsu;)eXGz!hE-C$*tkrG;iGqNi0z&!?N61wJhZKWaaAuKP>M$c6e3C# zl8C@XC>`aKh=L1H&}m}(83^K!#7M@ybBzrksxNN2ALl5<%Sbz@zeWDBrKTAu#m9#z zq|(HJ=@e}cgVMslhEuvjG7Xva$FCv8U231AzmT++2n}s@AABfZU5%zgzb}t#q}Qrh z#$x{nqWc6XysGuN_^`dvaG_wxsLs=b{#hU227DQzOB|D4p2bAy+KBsuG7Z&qk!$8j zpv7YsqToGmq371vT9LZ2ST$h9y)l;ikqgM`_qf%KglR3mTB^g0f{yJPlfPDSxk`WC zh2Q*IGB-lgVPTa=F1*+k%5l!DK)9_n=r5CDkM7g z^6)^pO!Q-;3{4=C#Nbl86j-2j7#un-Y)#+>ZBRrp5|!WW>7=Wk2?~_y{bix}OWy0&#kILMsyWFPQBzUo zOX}6kYepSgBT?``gODn+Kyaa^7TOw&oVT1w={nSr)zALtnu6^MO#L!PkhgcFaV&=W zTHonL!w7b;*XB3hLyJ|1!T7wBG53`4&i`ZT9Rn-vda%(N)2VISwr$(CZQHhO+wRm; z+nTzanrFY?Ip>?__s)-<+(}kea^+gdIh%JeSIc>W>fU^>@HF#H`_3jXBe`eXs-kP- zb!x4u?N0A5=P|c##660(iRIkuAz(WxD>@jNGE8nW_Bs4nXJ4?6VZ&kwhA%xgeji|M zId;euPQM>jIwu5EqstVJi6B+!oD`0ULa5YDJJG#ZNHwKiX-Ok6`U^-t@}Z@Bg2+f^ zX`(8mxe47q|1O6UhN=2A9qOwW2|F54HJql75CAh2aPyC*N0-pQ&SRPPgYQ z?^#jbkYZab^VYp>cN^XFNDFWmTNf4hFE8Y-L$Xk=5`WFV&C=~enZBD)`k4LRf_`IV z2OPczEk1dFR7hr$IazUL3vry%XNnG?fZBpJf~Xp&<-0&@6w5MiGa-4!zrgXBb&Y;L z`GH=^3$$-x!Z^qiz>BRWLlQ%JGGvM2#o!zbP6*<~Alw_Mn5yQ`Q2^Sn`Z7ZN#GZPj zIK5LQi5`lVs%dG?iNQP;|FUS{CJDS4J2|`&7UG_mm_E=}1jLb%6Q=FFWc#4{{EDhN z?OvEEw2Ox9t@WiWM?>V-%Nhi2>$4Znw~}0WP~hKn{-e?YSom4`U}MxcS6$tbK1TJ~ ziC-)?taliCTU}}5=+AItPgDEhoq2{BoETxhS;7pD3^2st!VE(geqzoT<$EEHx6_aq z>L>{%7ZC`aKmw4@efaA{32FI&BakmCb|Hp)llSfEm?59XZSo|yRu>KdW^c(R9;1HLM0qAA3tY3Ke@u?mI zW9}29{%!ZaX%NCFf_6?%O%W}idyM^{li}EPaS9o&crSL)%wlGPwARvLKk1LBW4%w{ z-w!S6h26|8p1%H)`v#}_?b}uK1hvVA4lqv{d>4eoPF^3tgXONYHwo*|UsvEimaltL zQ1nvnz4fBX*s4NmFLC6|t&9TWw1N8~p{svMh-=>X(PhQd;CI5lh{VSyxzr-4lv+DH 
zd?pJ;+ERIS?mCjRqU3Qwes}u(=DltxV+SLfG}1@c&7m*v zbuHf+Xm&9pUh9#9gF7SMcYUIl^GEXpyff0sXi!M1xMbEVV78+$Pf}aN)V>4}jWhk9 z#XzW8vcHU7oPQA)UyAo)Du)L!G2?@nne?^`7)``ld?4V~G!^@SIj%OubD^hA;M1<{ z*KEY{6Qvx0X`3S;toFiH`2;vv+gcDRsQArpr@mh}6hx>sDQ!T(N4#*4{1~;c>v#J; zU%Wn_kaxu*U+Q zH^5@U8)k6{R^Srycr0Qzz`cX{C7u=Ut#KU~E=Znr4 z-6Ua%%okz4_WB$Cs-!;CpFT|){BwpYNapTwy63CqGnh1QYfKAX* z<7s*xK!Slyf(^o*#}2?O4!~qAijla_@G-xse!MEHBHqR0$jPpaiu-A>I2UHl1TaHZ zZ3MnA(w(;PkdQH}vceDf+Vg+UrbD$#A8{y()MuuW-wm}TQ*7hZ_WwD^DO%XJbg$Fk z_hRPGdGg-J1x~os;F*&#gYr4iri@Z{VMl;s*qHYQv8M0KYenbQ@V;YN(YrLb8iiZY zi)na5qL=u)q>o^~k4|EuC*y>6>)(`73eAFU!uH_S@bsU`$1A(0_vNI9SLQIjh`kI> z*uKUX^}AHV02}jFxFNPqC^a{cv(v!sZ~nKI09tsD*Y3$o-1juCrS4kG6q{3pTCLGbn_&t zpGh~|Lc9FU5oDCO@I?<~)U4ekjh5E*Ta?vw}AV z(=j!H>lRn&MfV~_(L%*2!n8U=Fcjn)LMu!YhNT@f(wT9q@hp6ntwR^z-+{gA>^|d? z<$Jo&%*WK6jzY2ZGss?;K{^?b-MT(xiBc;+L-(LPRwDXWVL1B)=Uh63vC}th!D-GU;7x0WOyv zL`f~<%gSAzj$D#|D5kk-&%c97;lLj4IH}mooWQ6xu)MT(Oqn!ZPV9*8#duoW_u?|V zEI=MxJPTq(sna2hlWmg+7+=YUcpo*ce8QZmg zg}6+!%IMf0Dt>FBl;&K-{QTrPW6JgcQ0OIWLWnZSb8ALS*cd+;?t=8v)HLqjQry5( z4croB(cvG@*Fkz#d(l;URWne0Uk`w=_tU*Rvwwxo&|4B!?SQ(`fcc7`86I=!L@^qB z1BJWien(3eh7PF1Z6{=bbkC$>u7Xq4S*O6IA9uZyAh7HggQeFi)3gh?U>fX#5zE`u zV6d)9>2doqHwr+2%3G74!& z_w*F34oYH(eElv#CDqLHB#9o5AahJo{Tgyg;PCMNccH!|VD$99oALC{7{lk4U~pX% zWNO^RWz##xm=rz?dZ90h!_La?QepElY_aoK_S0Mq!l4}>Ss)0%3K8bg`$^{X;Fh#BJ#&N$Imkb_k%}1+ zEa)LV-|{U zqG<^D4NfoTKcOm?j1CA@^#6sb!N`)~07qj#UY8&T8WEO=UH+Nky!`7PysHNS?^6C5 z;?|hcunMM!dl)|3=_cC-#re@ih&g7wjUUs3iPySYGuyTtipq*7`DJ~1Ed}K>1&qg& zE`tFsU$rSrLrEG+mY<^>>aH~<_0B=->8FcmWbw+Q(1t5wYu2kKp8~s}Ci)Dmvv^9r z-Bb6+SJ$(ePqlxYzkYPOfr8)7B4D7PhqejpllI-MUVV@R`^QJL{@6L0F8i#NOY{l8 z#Peje6_?TYxL!o>__BGTnrAY5rhKsxai_8OF6>;n(pxnfcK1i-EuYocjTObtZ#Cro z4LzGDk&^g6jK0G#wa@hHB4|;d2{Up05%{A>{Js{C7F>7aEc&rkWnyDUR;E0$*cjZU zi8aC47(}ZhA{n3l62AR$Z2r3fYry^xYUI$?oRd~lfYzk>IGk0=iEHroxADe`KyKuWPpD!OL5sM1W@ zdzXKrEe-Njil{oiR1ef$4hx4`bn$ZXq&Frs)Y^bc**$Y3#>L!XIF5Jo@LLuv z2Cqll{yyWGMBoL7+O{J#MG7iZ@RDmUPYvCAIX>X2g&2y?{v@S*^KV)w7RR^Kg70#R 
z1}R*FIdAf*KXrO4$1ONxp(_UfxQpQE%=O*)Z2vU2Kq-j zW6-~P3J9V_QOFIi8);fzy>N8o{$WcZipbKL`#95)0m++!D{(3^R$TFcOh-;edc5wk zMzVN>@?dSSPgoN9ily43I7dLOe`N>H@72yvN#j+Ma>~u(xG54l`S%BvXDUba7OM3bF#(V zvsqoV*zNK~BfY*fU-yld3qHBid3;>h*UN*&*?6zk`+fg$)0;ID9H;Sl7Cde>S?GNc zZom3sY1BlN8Vxl7frVlUX2um%#ZwEv=E*Jg>w^>6Re$@7n@% zkdaZcbaGOnEWQNqMN|n7AY#V{60?0VIgGUUC~_|G%5#+Pw#RA$_2ijn+CWk3lz|ur zzG?m=`k}>nWvluq6o=j5yjNs>F6NF(~WYqzZ4qU|Mw0e+`tx@_G>0G4RH2=Uqml! z4tP=hM%pICsr(%lHH6-A!8Vpz?6|G|WJu3-%UWg1VT<<{t8So33N;7WDZ?vaJs$vk z*IU(BO$M@&G1)H$1TlKCP2F7-&B{uf(b1-n;DHUmj6dEdUf-_-cnm|Mi5M_ zT8n34z>t$L{?nG)QTsw0iC(FKB>Aix=a7#PvF%f@L^f*nMph3Fx?e56nLUC26;$cT z#!nrXk*@St;y(*pMm7*H;L;cL;wg0({Rl2oa9sKxkd66TYNP2h@bA3>A`h}DFV-p2 z?OrDwyE!3&HFft@4ii5?Ov0n;b+bk`6sdY!Cw0O;f^BQrcu$$D{m9;%vBFf?Av1dq z)2!_uYKpXd#h`lXt!@t{&w<3B2J%w{gJj-M=FIyUDv*jJB$+zpeZr}S#q#HNaN$^w z4EsZE#>>5ku%(PzjaN<^d*Ay?%$$mV?%w2b6T9@&?Z#`SD{T7YGnSDiE=UHi;U`19kGNIBg zMDU){QSjh}VQ_2!O17jK7#ReS!J!!dGX#DsWN^W}OR522k4;I;qmx85LBi|?L3Yhf zxHJO(RZ|E*WYG+qoY4pX=U(Bhkt-U7$S+q66eI2s;yqTC?)Kn3x2l8pOZ*r+RZHXb zN!fui@T-KRacxs5n`k<-}Q;oGv#3vozNAEeP(N83R~$D`3*Qpa5?+S9*d{q+6l;tYt&^m z8wqIVbrf{DMD!|0TNhG@UDOu6{*RCgmhWa*)75 zz2l0kR|PEzWNjFvFA#HIO>_L}K$p>d4Z1}@-(&$mpOaQ3au&B~I`SscI3jH(Sc$Zb z2RSF%LfPR>Nw z#R#G8l)LAbm$~h$Um&g;n=E}Gx>!S6FTlzRgWCS#%ZoF5Lp1d!x*mz8#6L-HyB_aT zXfnc*Z+^y~Yt$v%O|5HV`)dGY5Ff2n!`wyt=iIORJ2YS2G(ReTruNR4;&Y(!EpNUV z4r589^`Glf=2cF0A2=`8&5T8hQKf3rQP=c(@Ep^Ny%}y?c0zBJ9(i3W9qiGOE_O&q z26v}$bVx%F=~69lOdK$fvc&noIXMb0M2MQ~n>(VEP)18>Z*30hHvLOI1m;fZN!iZn z06@uvET(^a{P-28NMPG3%~_aj1&f}i z@JAn|=#c67+L8NguLb#d{`+Hh>Rshc6$1LEuu17>j?))z2XNUoE~@%d?!7#|oc3ct zSM#`!n@K`&EB&uVvIG{e$fEayb*n5x6E<`!-MJk}oXcDjEN^nh26rS#Z*svk?$R4_ z(?6jjbFZo_G(PZ?Mdl>Mju`5O31%#f1!=*(#{W9Hic=;xB<$ul0F?Jq789WTcyrww z9m{sf_9|zl@`*Rm}vjN}N%Lk=@B|HMho6`aNLoE%#F82dnyDE7@ zY|_QL7+?@y!5?c|q8eY+7i_zfo-417YMAySDj8IC)K-F{5I-&22eW>6iLFjFe+f^jH#aF;SuDoJ596XQU<%L5obYl6%c85=pGLLRfiRFw%dK98g{< zsUT%9r!d4~KD&DTNkvjzZCuf{VE*?pS~q&LvPuS)c=iL-NEz&} 
zvzl!ij+_4JX4Yn)?X(z3y_J5ar3uxE=ULgFnx*T;54$oOYfbC^3W}*8yjU*DPs}Rn za|`VL?6K!ih0PHn+s>K75512#5#D``vQ^F?70g(^Qn6lKt;sQL*bdwiWN@oX!k3%# zX!Bxyme!-C4_;P^=LKk`ixr}k!CEO?6{3_vv{4@c{$XYx2YDeM{zP$Wf~tujO(hXi z1kj+;Z=L|@e_dDM5w=RvKQoo0fQ5j@@|gbd@#1!OnZN@iO$IDXAN}ZPf(~Kt>#0|p z-Y-`&;Y(e~Xm5$1A2QMPKd0p=h*z~tP7_LiMnL|gUs;`EtpL|C2YpfCxZx>poaupn z^ygXq2?Nq9{iwF#9Q)lYx|#+|@*K>sNZ5ktB%xG{wbLz;3(gDNT`6};ulP@#lA$~dWUnq2fa-0?Wn zQG{0XO$pNYKT}jZOfqB2UQT1^#Rxpi|8o-m{z)Sf_&zZpA-VAQ%fDpfl2;mb%#W8M&*K-C_1yHHFmG-m@_6<`mdgg72=%sB0H*a zS&aVLzzq0WUvOrZ5TMfcPRXt9Sq;!K-_@J_8dgx3VC&O0#{v}GRWDDxgdHkktC^GC zBG^W7w0c{^G(CAeDcqw{7c5Uo*MxK>NKZ=93F$<1a!Zwwk|InJ{@d?D)2t+iL^Z(! zazPD^bE#6e`=o!30};{Wo|K)Oo)AkBMaRh(Zy%n6Hvut!KAS$r&9l{+FY0z*Zxp#d zsEyC9BP#8Glo#}?%+7mCaGB503&@=gqc^JLjg@^Xys}pC{nIu!XlV8!5Ng-VPE2@4t&5@;m`tG`XBDOU_{>}ET)`E{rs_kYV5S%UStL{UyJ2iLX zrAuM>_e58e;mXR=-PGZ&XX%ryo6n@)M(q-8LB)&LlFBuqY{9ama!D{t3b&*Zg;2I} zNPd!HM&g7Nr~I>n#8UIMr0QUFNMB_zNJ~PwGML5m-|2|BNg`XyPA+SRr8tr&ku@}S z=yn-eLJ31>+&lW#G3{vQ`t8}~R|7vjxA9K3na^U&g75KXFDl`BL1_gNm_kvlbS5~K zW|ZRKw`X3se(S9E`~4Gh2dQ8Gx6f*=#!IwlD;2CeLi(Wx^SIq(P>{1Nv%=bDPAe*wMC|>V7h8jiHI8@{hwm?DVwJ0;e>`srg&J( z&wJ1dB3GaG#s3ovKq&x0eN7Cis&ilCef2(`s+Uji2A_VPD zHN7f-l?&>IwLaOOQR25gE7jd#SgO$7703gn3f9H} z17J`(kT|5aoYtre4Y96Kds7-%A0#*0?YLcH(*-4UfpOK^oI&|sLR=GLYx-8FEl}45 z0MfYDAQF)|EdD&=v@8t@N|!s%D?viix;o4&g#?TB5*P_4B(O+hK!es3Xey17(B5af z@zM57pPT?B{-dx+7Ea5<2@VSY=b1QRfmm?v%GeTc^jPiTK3J!d5F1vZAlc{Qza>yU znCzk#<$rzl#O;Be<>h^Th8AFgHZr22X{$cMmi{y5_9>{=W?{^TAlvt+=%yH7Qg(_w zB%DdJp7IE{CS1Mia+FAPZ^hjY4=7u?f=4=)qm#vRH+n3K*SR-=?8AK(sHwll_|N!y zj)fFVXVZUFW!v;F+CuB&;}!O!fewX<{$98Nu`?f|A$YN5OSV-mA8B_s4v;=sZ5SJ^ zD(@;mKGNoj`AXw1wJ!yS!teX^GIN^aoJABgvC9#s)y)rWpn2m1@Y>K z%O7SD2?Z^1Ma$q})<6y4b6c8Xf4(s@dHQ?uLfx*ozMm>Xh3R886W5&ne6#YAT!nds zb^WkSt|xiJ(!V3zA5u8AIk)G0}Yl@4h?lbpviVgH{C?St%z zwwLn>HUQD=8^i5Fd8XeV<^FOuCFN+Wr9yd4zr_QAvbC_-=Wz-2%Deeaw7(BhA#R2x zBiQQpc;%Ne1H~!CtCSc!-!`EZrxd6BaZi7}J$ae)8}h8kFXwZ7w};`?TMwTwTZ_d` zaa&O!;men-R<&5_NwG!lmF$BYmLJT37bouG?Zp-J*D~jKeddR}ruuDzxptH3F2;i# 
ziaVsl=mn`wgLV+MK21*+oRc=p0G|R3L#^3WWC39vpX~0P1_NUGj%S zO4IFZ!_8E>;~MPJ-2RV;06%aSYamic%RX-}TC@@2UAk&E1Sf zgTxh3;Dw}o=2b*Aag<4ohsFkWXl(Ks=PGle_R2xAzx$Vd%ECn1p}+-HU29C-b} zn{J$$qOSjm)=BD1<;*btpL95oIo)`9GR+9c1r8XD$4UX+eyBHeYpB!%g)OaOY4{0_ z@o6w6l}4qv$yaBK$*ucPY@^{)sB=jBq-1MNOz?g?vg3CmGT>W9!4m{Z=`*{l{1+K9 zCgg%m7ts(yheRpF)K9`?i-IStt%feH;x|En2T9V0hQq}hkzQZ+9BtZ#ux)O>yf*Ih zp9d+Vh7D2DsL0cQeLE>RXPa~j0?Ac@o@Rj?u#}^bgHt4{;*RVS6ukqf-JX8Bccnje zcM*qx(j>r?_-bX?=dumJt8F?8saITj#i^d`X_zi@sAUElr*d+rVGcD){Ww7{?I*BI z2`8yh$}jPol)w?SL>j3vVQdYk4mSQzVKKOTq+!Z_s$qzQ=rFqRmq50XeERD;XuBbZ zib-J$*3|$U2v$Or>*juD5xG5!0PlXva?{R<+1vB`TB#wqS7t6w|O&Q4ar%uC+kkFP2u{~*kbEbIbXCggX>cXeQFb4 z6*FltpqcWCZ8SmwykJo&j*4j?`Yh5QFhg7~TK}RP!BDnO&CR(Ftqf66BPKD3@RFnr ztqa>j3%P7aOJ4e8ZL>&ASF)-OLXh5lTd5o^`%6BpJ>B6~BfCyiFN@;K(dn$V!aTVu z9Y~EjiLq7P@MhNYaa|XwgnScDP?Zfuv(h^Ru{bY=S&i16X}2yis)eZJ1|euoYXmUX zZaxA2{-PFk+3@E}9PJAtIdeeaQ#k7Z8IE zvHTd3&g6e<$k&=V>^Lp})inKoiL(#VBq1m5NYo=%+wLyz364{-@T4-|Cf=`>I(n81S)6-G?txy{f@k8Bz^K!t(91KmkgH3X8>1Rl+(?!#$?C>J;T(tnccx+?)t*Xf{nK zdMn=WI4ALs(Ekmv*sk^a8>_vmkR>ZP#IP2Hvs2Q^{q0FysuiB;K9< zF+HE($H#U2dnjD_bwL05@tKy|v=<|@*u}(!95;6cc{-h1sItQUg+xP;+#+y(ms*0o zwE2I`4QKjrSQ|s2)%P@3$}Q{3lFbDqqH3s`e~vwktW|P3*98BQ*G6UC6x^KM5CD12 zF(xFi@P$MTp$i)wEMvY-RZO6g)^Q2vbz8OU4}upL-%9vQ|30~$NI&hwRi53}{iRM5 zRd%K8Bp>ja1U$G3QsTw=Xw@L*2C2@Ut+JKn+p>3xl153Bx4(D^mI%%Z9i+dNOn7ir z5P=UXQ7u(l&=CR)7W-g!F4k3bDXUw#0@sptt>$3qnWfEHy zO-vHKEZ;Jz{UM}@gD@9Q0UHhes4PucIxTqlZ>jo?-Z%ou1fiOH`A$njti9vp*&^NTOz8MCew zz*_?%1GsQ6bN+TDPXqY;E3=&1EgPKW4-TaiJmNRol<{|FD-=5&rQykslE$ZL?9w97 zK3@1>r(@bbUITX?;p%SNHq3N5j+2qS_>fWJ7cnQjj-i*8L6!EuvU}wG>_NVheX&^*dK^|NCfbDlRs`6 za}UI#Z3X)sQRn#IUP71qG$!%2HWecc{)qSAsNkMS-+2_Uvr@Xf882GNZZm3~24@|F z&=_1z-?<|K4_9{z@c*kO@QbTq4G+;;w_?s7;Z3IYf{PJnA`Oq$!pmvd{T5{Gx)<`Y9gyJHryV??Yo=Rq@iNmtpb*lW5?dy_#s+oJL z`F(K??#j(z;|f2w;K=5;VLR@^ce1Tk=2XPm1!tt>^|}D;V@HvW0m?wI_fyz20??aP zHgcZS74SzTH!A|k-76UR?J0`mKN%d2;48Qheh-mIs?Y6WtzdI@dqaNXIc955q zADt{14)qyS{$$HtOnqM3Wnz;@+Mod8iYPe%n|qfQDT 
zoqlX-sVIs}woE(m(_0S9nbV%90ebm7jS&8B=ALf;Z|jAskuufy#mLqUaP75i&7 zlhX^L#^LlAjui^Gj~Cn{0~}b&h6WVLglB|-W$vSCW=%{f1qSju@W40IDy*wF`F3m!qbe&m8BDFlL%*cnTBNKwRFH_|sJPGYgPx6|*iom0p!tFY9dtFQ( z#h}QM?ItW<&;J=GK%M(HUQ{q-PsKaBeErNk`HD8rY>}Va(q7jzv5ALnF)Aqp_)1=r zm4rSyLq!yc9K2XF#i(3{X9mLmDf@Um_jvvDk9qhL8{5@Yyj-(mn?-wjahUT|+eeKV zYj>QRj;PppU+7Gxb2=H*u5rIuLLA_gHyM7VkZ>&RZSvlT>W)4IEOvH@wZEr|#Ymki zwYQgeDDB63y{*~Y_Pv_|Qu^eqpPKy>`yB+LN+!g9##5wbfo0{TQ0tXqQ1a5h=g6=L zd1y=h-4>uY7nFAdAzW`0Wr#oUWWVeq=)VGC8T1ps;K-2 zANbxF7*5OeeALekKKgm}X{5`gK0>2>Az^vH>9o1_MS(pU4QLt2ZpDx2F>hmrp`exq zxV+%3s{@{;MO|DoC7AsLyjgdVdKsWa8;raxK#NT}9@hV9;nu07Jj4QfPeksSrG%vJ zIb*9n&|6Ved7pCJiJu2o4{+B1iGu%MXT6e=-Fz%oRt7k$?P|q-OoQ%h79-sz>ou(l ztK?P?=f)puo{h^4w~{y_$7dKnH>CY8&~B%PnL?sj&=^yKbztQ#Q{jUs zAL-osqPb2pzj5|`yWEV}=!?yEdKXEF8HcisbV3zJk?XKuXX1rDllyG(?4~$%s&~5A z*OAm9Pr0hyd88meHhwlP7lRmky9d`*3y%8~Q3eP(RppK%3qLgfazm5<`6oZOr8#aS zfhCq%%>=VjI^g1%g&e4bOcRGy5Di@vHy=Xx0-&NM48_BH-f74X zVV$&8Tr<#7jbQG;P(Ie})6Ct|%%98iaW{sxT0;4`fJfJhw$Zpk#y5n-neDVWu1POb zZE|XHHiWON(pug?7}#{*FV@J;o6pHr4R9DE>nu4M{0s)ZK0{XBEyY6jb5Rr7K5Bpb z>Ot|3;GzO**vzY-dUvX4i)nN8fmfLBSn{^emS_R}j(ztHGCeKDo2W}xMR>l3Pj>-z z&(z8DR41wpeb`UA;>$v?npObcLMG{zxAvR335ZGhl@X3j5S*bnPNR)8`Rf%QG8Yfy zx8^Ip?;?3DMc%jL?PZ6yTDfV$GU=~j5<RNsNndBza#4pm@uIYkUSCO#csaA}ZJ3qOf8&48;Y$(lBg=#o94hOR;F>0z6_F~tMKn}dUo}1;G3$wOJVr4ltJw0KnqSy-pU)Z z-Q+axp`h>1usOBOV`j4+-Ov<=Ltf6x~xV+o}Jhm3O;U==k zn{g7kqNv+q6`6&O*~J7?S)oR4b)HJ_|JVw0jGG}@D+oVt>A>o@Rgdlvacp}v=4t80 zM0x{;y*iBlM1Vbh;t5wZXdjWGrdGpXPiCpUT(;e*JhWhr@3+#%@3>8RDt?|2?8if9 zM=ozwizg;|5@q;yb-g|B8$Q1-NX}H(qMCiRrMRQvwaH#8&JUwrK=3$7w#Mj{ zHtkJmT~SA7IvRH90km8f&=6#TjEow9V{$I`th)nl=iC-ox}}uN9w@y8{xnzRrK11j zaonP7UlsxzBB93;z>X9m`$MqiCXDS6X9^^P++bKXscHeuuDXb<4kCRZ#X#>!+CWkV zmNt?)kl2x=tmPcvNTdmj;ha`pBGDW{qM17Kp)Z-5LkCf(&1YLhlSzH{|5tgkshOQf z2Av?tHYh78+Z={UQuv74A(EZjLgN&j+nxQ*nD{b!xX1esFNiD&&?lggFHdxQJ3YRi zAUTkZTj*QxC%Oa_ue)wr(ZWk7<~@gtj)imamju|R6dc|!#dKb09bK`wVst-YRl+%a zNI%84v*cUbwIiEgh^#Sd;x@!X;Fs}N^?@z$`pV{&y8;eoii)?@mYNV;t@3)K)$8rA 
z^&U9L8hpkpS;mcWqlVLM*8RLKt6R2Rq&2kFCs&epR+80v%I^eQt5&p0zC!B2qqlQ1 zvj0}2=ec9A38m*XzYRyd?bF}`$8K1>+e;5-&XiPF2m4#xelt>XP#2-1; zLQ$z}JF^uI6dW(Fpj|`Ry`zkyXgQF23oJ`2Cl9aD{|8R=lgcA~nFvv=NWNAxT7G{!uwqtL>PZ z=6epE;+j(9ircSG3yZ~ziTwI7YCEFKl?z_Z6HYP90<>i_XrNLUy{u_XN8@Qd@(%(4 zT*CPy`tcHyrqomCZ)~fb1dcfCuV@e@wP2bF>%QZrk-7%6Jb?hiGI9!1`@K`-8+!meP{?@-<;>#aAS^ZB~90lL5nhL!bLm8IaEJK%Zx zRHQXec5Rr)xK!w3P7(TtdZ*E6BOt5BLW8&w@bux6Iw%em(dNK?aR(ehN7hVq1z>zG z{_(R|Ei--9cv_PYnma7FkI&a7EO2 z$*j>--Avg%p8#NIa)4NhZYJO_GZ`z{nYzU+v_Tg;liDqM`7!pD&L#^SLN83}n#$QY>U2Jl)mC-3koco~a(6Q38dpGb#}9R1L5 zuL(Bd;L6|NHML5DQjiOXsHfPKZa-u^nl!)Uy87j>R`citeM+yJHQSQ9ZsOs0 z(s&(Zi$9nhr$^!TCJf~CA2WwH1c{gk>Ox`UTt%%p36S+4MDlwfA&%AC1|A6-_~uI- zfK<*>NcBkrgaX^K^R~XaPfoVCvsd$XeS3Ug@$q-0xo~pXd&lo(fE$`>9!G<( zk#F(3`^@egq0}_z^Yy;pf&^x)7<_90ZSJ0{X*2vjV? zATywTKt_BwJy37i!&6lVCz&k*^vQJ-Qr>k+cTog2xP7RRX=B48-zY?E>ZnhrUp-J!^T}qqkGUSDC2g+y6;$ zSX+8J5}(9T4T3a|N$i+fMgs3F)l_hoU0@`rwd(fB_}ib5t;cy8U@Dx)!HtG$c(P-j z(BdSv$3YXlDJiurzu@)LDTf;o$U#zQoPy)Lp;yuVCe~rZw*J{oDF@Zn|^;9&*&4tV`0I2 z5dlF_bK)66+;U1n<&@_1T>?jZUAII-AgTgEQae;I`$H?m(nf!V?0{kf0qL~PtR~l4 zjd>-EPKhKrw%2-uUi^6b0xMZ%S^MiHpvD%3jue5{p|E}Z4^>dn^$uS1z5`*$5&31Q zdm*MHc;QHC`{zoOhLFCu%1|o(emtS6UA<(*Y&hLFltk(3=9@a=?Z?_>3fS zI4gg`NeqhTadM2AB4!v%nWWh&5ONQ)Q9`gYD-giMumc+y)xaEMW2L|uB{NONOzgB^ zV{9@j1jgTx`GbWenG?vUDT+Hq7j7H2cyu4#r>c(~mg>>{#yuMS8gFfN$A3D~9PsME zuQE+p>Mt^qCd{|ke^o`K7$znX?3FLD)L0q#;CiR zC5e&Zm-eo>fpcPyL#K#bi)ci+<(y6d=tN4RSPSobZ@0*&+_XF=(O~Ygi)=d3D_h@8 zFp1t_yVgdBY@Y>Mr=8kK=c};h6ADYw>N++P5{0FO#<*JjKLGbY2)|v((?J5^Jdgm| zb6Un_Q%8`+9svbOR*{_lFJV=h24PO&#=^dkO^`r{2EET*$XGk)EM%;Wa~3kzhI=7f zdq);BCIh$H%3a_C-gb&999fxIE7p}cJ<1!-i}Ip9>w7X1H39c%6PA-AWHAYu;2x`z zymXxD%qVYY370;#-Oa19D-&zyoRx{S@d^q6ebNPhkR>^pzrZ;K$f`uc)1R;VE8j}w z`aZ*j1F|Zo1pZK=5vy`u;1BINj#v^lB1xj=8-JK{dkG0nbrJ?Lzlqv&n?f`27h>_3 zb64dL2>hXK0O)Oxl^j`^lOur6SwI#hCiWge^MFNAgBF(n|5MinMR<~{LkhMKM=oiil`k_77EGlT_Gm=$Mrn#;PQY2|Y zvd|AThk|u&M`qA3!h$1bu5GlPGuAfR#>lme$~)J#a~4joZM?(XYPcU(w+Wqwxzuz^ 
zf$PM(_{+oguYvahF2z1=+EeT37fUBLn~Vy%*KIT}+J^QFydE))Vs44UQ~_P<)F(+0 z(I}0J!cXmovB-?Jp~E|O-Tr`R8`{R$b&JWn*R5+7EIBc#Y;TxlsqQ;TH1X$VvBmg0 z@wH;yHF)1d3tmOnJsN2#0^tzO2Ba5+ylMTFuC@k1Ttrm>;53vLTkjUoC^$NZdZFAEYr68}U~~Yn zU-m`-MqikS+v=xdl|(cH>(#0m)1!{jyr?7Ea~>p7ofi$siyAbej7U+kkdy%pvnDGG zRs?p7ig6sadmF zN&J7u=TaPDpW2#XB&ef$_zLVIyKb*h5ytGiZdW}*{=}QFeAah#38Yl&OK|4rqxpWR z^RX_ySC9+9M|Z!aOC~r@WIn;BJxQkZi{mFlRBCz{GnyC1M0+k8zSZP$PQrw7l?q}X zN^FEA%#xg?jKTTDu2NTcu2Fx6!Rg`WmeSNb`){`5{FJNZ^ExHgX`kg~}$ zk`^rRqp-}v#&O~_Bh(QVWjxnR{eTEH+Qutdec7$~h6D+I515gf9G`add+80HF`i8I z*3yo$TGzX63&ggSCmY6gdpjA%plejOCvFqrpxFtCG;bNsnS&!v2elFC=&y7M>JL>G z`XOmSQT3Zbeu8F8qgSw?*hTWls+L#{-rs8bs00=( zA#m84N~dmD0O{XtFw->!z<~;lFkSO%8oI>YrfW^NkKL8@iw8r+e;FdHT42@+du5uk zGK!j%_=aPYC?Z zWW#3~GgH{x*Kt$?P^uMb5|X$mxzm<%rz)$;JdBe#4Vc4BnJ}UVrBJy3WQVAj=CPX2;H-@fxTFHe%0*InsnGP&b*6{)MPlq-~D4xRClt zx8h2q6GD{l{c9rgL4cEf*;0|GC#1OP;0>vExT8R}E!is-C>qlx>s3Thf$fD~vRlcK zJ$GC7B&eaOw_C}&%tyWHT3V2gC9YUNH9GDR3H}E`;X->SXR%tfU&WspTg243v1f>>vAiH+YS7mbs@Y!x>l+oWCNNnw z;|t(fRR>ym@AtMGLC6Q`jU>p%Gd;uhN=JTx;zE-^+KUP*(B7 zU4b%E+seGPycSoigcU_i(lD+`OdCdupe_gtGFn$j?q`l$lh{P9#TdwFgw~<5qYD+B zR!Y2G=@l!22k_rdt0>xl^GM?8TGh5d6&4lO7bx`T7@|rq^mhbnQOZVWm;uPy3O8TY zD-*T8;m%UD&}>BYMd3g&z{-nO?mmC~E7sLeZ?`AAmzSnc=}VSvtl5$Yb0Q8SjIUoP z38uXmB0^d2a!G(_SczFhWBwFo(G>5B35G6XLhm@p{f zD(4Q_|IndZwPPZL?$#n&#bwTdAmfYLFG*aNHK8o=Nmf=#L;1=t0()tM*u=oaDC%m& z^2TK6E^iB}Y}E3ejD^GBNGki$pMiH!GkCe+XHq`RefqKF7W}yK)T#ZK>)UJZ zUg)x!w=OC(b2a9kT)9}up7??Gez9f!a^nMn8Txw zwzEVlF>;HB&PbUiK^#UE$&(}`aafmxCUHWN3WyMW{$b`YfF{&2MvEMcFo2lsTmy); zJJtYBhCHH@4pWCR!#uK;(sq^oY~E!5&%Vw?^|)Z%6dX~o$Z(#h)MgpG#zTD zV2<9X!WJ5Opgxqg>hCiD3L+1pN7>>63N!T(1x*lF3#+tZ14-!$O2AdZ(8>ibt>HPt zko2$v#eL5a4M=+F(lH$0O!)A>3Mv>ok2= z+R2-?^DfoUd7?D*^SYuW%j1T`X_b<~4`NbPMNm`;H${~_;W9Q6p)p#kX@up$WanBQ zlrm}y!y+vMlRv@+euOLT&5|zc$k+9X(2ht?SQr)aYkc|_ zU-_1?W+Fm_7!hnvO6q5o?`I@v3Li2A3qmP3C#fGqaa!hnl!SI8V&XMpw7k^_BZA@_ zXBrW-G}K5VG8wsvN{TXC*RSuKXEwZReLVWYp1rRE8KufKs548&Hc;UfzQg?pu7w-6 
z1&3mzYE#LKC4GSE+8)bX^RGUyw+aNMF7oay#kYU4j1y%_L?uS(=se;gwC6f3BR?n- zQU<`PLGy;tGz&?Xmth$PX+bkPv2$!<3}dwF(g;mJv3WB!0c&@xCQL>fqLP2yvaM4K zaI7KQ9Bnwq8;rhZP-WYd*Ui3D@Z2uNks3M0!*P5#<=?zIY)Uxdo$|!N{z|u8UF4 zu(%j4LNr3bP&nC41;g4Mt6-A>a`Tmp%*CtB0+UA^smQv9ad1r$Al55Ki8ck%2hKB&Y9MVSW!%CM_R@6kXA17iMK>Y z7tTNEmI#}tEKDg^K1Pzn&$(Ocr=+Npm=sYH^G(-}{mPE=j7{iOJOg@#%Fb0vtlhCn zIhmddl@v-TeOp{LF=5Eyc>Ru_xpc5cySInl=LPieLg^?(;2_b2Yq2OP3NO5*>mf@; zG^s$9{9no)g(eVXJ)gM?6&azd^8i*Z@iW3ka?@-8uKFYpDjnY#JH92B8YoFO)gzz1 z3POZ^hTECyip^A-q(PI%8HwsLA#u|Hx1;Zqgw|0Nm2s3(yOW%ln5|?6W($>_sjg_d zBh?j^cd9EYsd)RP)_$<)EZPD@d-sC7vbd(crGY!wqhO3o+fu6d@<6;2*R-9=ffq{L zZ_%p<53sr$y6jh<2NmgH?*91DU&Hn-i?A1X@r%{h_6s}^fvlgF%RZ6>Q?8TLKvp6_ zKhcT-)_l`9->%H2y^F>?Ny7j|C<>|+y!#|Vc}Szi$fAeaYOQ~EJ%_!1zhCj%(n-f6BAUH%m9_4 zvU9D3mEVmzNkLF~x0OKaI9WYyRP42mq=+P^gVZUR_@TfZ^nn5>+JkV+l1Wge$dw10 z3X#tt(qeloCiXpHE*5(xXJFX@d`su;wtNVGmsK%g4BQL&lhLoDs<_OWxW9_UHI=#9 zb>jWK>sJt5=HI)%e|_)$pC12T9bZz=m9{l_eL&<-R>CjOb)N; zR=D?W@qc&_IV3uL<5=eSkfAaFlm~Ov=2^}QI_Y`j`&G%!QkJGAiTyk#We}#suj{;l ze-+ez)<{e+U@`*?h|112OIBjM5oT#J7!Z|om?cc?tpc!Veea=pM(np=mIAcelX3K{ zIm#=L`SvPh`?dTwwAJUM=%z#q!s)m?@;%ypESxkh5}5by<2|srZe>K; zyWcHT>e?T?pDnjN@3{WnS9Ccf>GwS%Ht2k?94a!x2F(M@xx}a1AS#Rl95cn9K$VkrzgmjH#+pVKLJPU))o#>u_`Zr4cw&wrU z1L6M^L*f6OHW=tEdMgL?Z_&*-qlZHE8p_g=RU}NafW!sm!>Q7O1hHS{tjg;sv`0n~ z6RMZYfa;;LbB&&r#Bqetn+(;%XJcIG6P5q0jgVw119G4ZU3FCW8dn=uw@_`=Yh>(l zAPnn?LX?dJ0-KXaX^5DS6wCRS+>vmzmBmS!X_p|W32 zV^S1JltfWY)6#LHW8(0V88|#tcCLj$Yvzr#5R-9usHDR%U}8E+X#hnChejnaf&S|w z5GdtvNdhj+nmZM6TO+)PHLC!l=N%p3y{=*_U`&P#e2Ehl@QS08m&s13iA0X_f)4xL z_pY?z(Vktk+kjWZ8`M7D@$mM&KAGAtGM$jjB>M<}psW?FWQXsE*(cjlLhRFYz+p0v zTG1u`&pf1IlM*yplm%Hqa+WnDW&tHM@+-m;nsVIGq+06WDg!6J}zRZMXna_2QI*s$6D|_A%&ppP)SCMpFAg z!t#;oddjZAYkB&;G@yhZvFfFa6k#ncm+CgTf*ts!_i+U*klo^81xK+}CF{Upj1Ro4*!^}+7%JDA2Y%WgPqae4%dm z)NFRb)s7d%tBv8k!ztg7NBB2C~Y zBu+x8iJdS~l#!p6QJ$m@Fll0fNs}31QdD-Xa$9S?j!^E&U{X|aJUR_)K_zi~qpPi` z&jLI}pt1XEE$Xfq6yzp)M4unb(}KdF=|TvQ>~TyuaJk1g(7iAz6l8g*K0I?ox8SvF 
zMTq*xhwk#oL>zu3cobgrhlgRPn9VpJ;EIZjuo?48)1p1++@(#6Dk6TyxJt4rAZ63Q z6(S3>k~_Bzv+uX52^dXh07g;SnJS64J5nW4d8bOEl7}jJ_v-q!MKRHKZdz}}SI*Po zd(Xwe&zeJIQZPL4QF0tA!AtK~#@61UE_y;^`rHhuKZbTf*itsT*m&)?)v zaaw0k5x35yGdTI)yT$+M`z$&&RmuFMEEx&?qUMLz!sq^boRKWc<1ns+AkFNgfvJh_ zOlRObQQ5glJrm!F%Da_%8om=1`_G;LO*yuw9onu(WuA0-1=Y@OCAhNnUDSHheqTJn zQ-P}%1iV1*zs7bnbd0u4VN_^@e$InXy2Rad8690;_18vM{d|#rzDOTPK{OESy9q-- z@O_`ue$2O3pQeOn1toP>)s-KVah<1j4K$&Q=?o|%DmzyLXF?fKdA9~yp^R1+7ZvSu z95jFZv9qYJcXc_P)$XYTcp>1Xfk2~ffrVNIsCMgG;E41`x}@L%cfg`C56^<}UZRJ- zwR(#c6j}#^89$bb?c;_qc_+_Sfy@;Wkj?+x%;WS<1|9nRTo0=lc zVwP3lc@!y$gFGO45&Fb0nm7)NB#s=ggw#Z9rZdo*sO(%bI1{aj%Dc@VCTX57a7$<< zIo#)Lz#R!sIwVK8Zv%(JrDXpDGc@T2VE+Q(g^^Ki9&6AMV(NcBuo4v+q5kt~I-@;P z#?R{|P!46lh!W-v$xH5J#8pyeEQ+(7+R3+46Bd}xfCZwmbG2(GED)7y4Jl3c1ve~-B8)N>wYHK4V8DVd%Vo=m|X>v z)+=8@A)0o%Y`=+A9)05k0DM(2>gYB~<4`V-qehD27FrVgTbRK=AM%BYj9B>dAYU%= ze!F4F+j5R|zPm@SOEppzX?!5{>NhM%A@YcPcp4;30=59UFsT;l&s zdw@*}tK+mRqKp(l#7OK1IVq|%BzaUswDhBlC6V18n7FBQ25t(Koof$f;-*k}w>@yO z^||x(&^BbXHdz~S2=kl(bqF;>&VQ|Zaui+__d7D6WSr!BL(%~&82ki}^sD)?%2C-z zVIrzMrNS#JG(xp!0JUx{JvV8RvMf%BUo|C(6Rt$L@8`r%_%V-$K~+Q!{V{P+=?okc zDmzzyX5yewdAI&d!$IL<`$ZB}WkOjpx$al3E}AH5F%Mqk%7$yu zsAOGpfq(ms)!r|3>%D<{*Y#%6>0SBa?w2?3F+ef;Mpk8+4tz@I0iRsr|IB?5<KuB*w{;4Gtr zPDU10HDy&rvO0@NoYy&_e(aMxkAswPpQOm`6)7?k1(wY~fuXW$C-x|m1{sOIsrwrT^VB!E;YH(0!WZFRy zO6i?!P90NBlf{j|vqGj~cHn&aK2&6c9hiqbbBX`M*}V-$iDR-pH<1K7b4gJ6ah_&` zWpft3RjFzzYa#oVTjQ zrtTpQ)%!w_-5K;SmnY6E`m=jUMFEGF7eZ&j3Y2W$M!+eluMBtJf(IdP?7GDh|B|#i z9oz2K2H~$t?~(RawRQBAI4q76_;=z^@$jA^~43Z*&!qa>c4-v zxjERszAgAJLnR_v)GU90t>Gg^5E+8JiaZ*eUVULF-gYUV$nUN`0{#%d&+FY*cnbW1 zF1&o%^GvTqDboJxkFCBgHtkB)p^{DU?PwvBqs&Rd)E@iM&{|Tc#0Z_A2em?b&Vst~ z{i-H$R6u!hh~O4+K|-ia&eF<{9AT);gj!`YpjN2tSe?h@T{>^;7twk2HP6v`ly!_B z*yMU7ppkpkc=wN77ZNkE+pOD;y)e)fGILh6Ld-kl`(J+_j*bWVATG%cN`Fi3>(zd- z1xJmaX84IwUjh8m`wa`Ww1mbOOT7f**DGR6f4| z6T;sJ#Prp;HXpjMIyV_2D@r6*1W)KDeRd5}RAPj-&Z|L+_FUvy)c9^iJG2SH%4UGDP}z5)TAVtu!F6SK>V*1wL<@+zqJw7DZi64v91ts& 
zp}Q-gl8?@6!F3mJjjI;~Yea+IQ(Lp8&^YNv8pwLkkiE|M=}24(YUDl4pZ*L%`=Z0J zoP?%>oU(Z!Cztpc^ufb@ik=|y^zgLhmPRfCq+AO6?oCaDy5v4@T@?w5>o_MAl3EJB zIa0q#t0Z+qcT6l(HUrCq%8pknR||+*p@X)o6(*+C3fCZ9P-@U8$>BytxOPn+QPLEAMI6LV@RI!tYa`C0Fy zR8cbXNgbCfR@CMfc~LKYEr~} zzpC;gEUGf_v)Zv=nV6$&2IdHr9j^th77#5!2W{5^2Z<7{1?VtOX+d8ui@;&3_P((a zQHr;VcC+Z$G?c;m`S*9Q_}z;c8q zpI+Xd3BrL*pC_Ph$8koS-`h&h~!OA4A zX-%>`g`13^B1INa(nMwH`%zOB4yM4|#IEEsuq&wSc>Qs;fani8XuJMkVov>WFcb~t z+)O<>&;_#;Bz#M7dqd&1l>oA;NCBcQQ|O0KA@`1z&x3%t#Q!ySEOfq_ut>9%HN@w- z1!&(P2fj91Nec;j@LL>3y8*{gSKlNCZ^LffBnOzcGe1u zT!l1uCTNT6cMOz#vF$vj;*0y?1yO|Ad~U?AG$WVHD&6r7;OIs1ltPF)5&+JY`v()iKa< zXLgHVLQwJ<5EN8)yhU)efLH`{&~}U9qUNz%1WfvWTZH)*VG0%p6&m4V%){cKJ*QP( zR%H_tLGu}>egXBqd=jxDQ!Jl$e!<+t;^Z^1IH>G+-E_5p=q5U7yKZ7)PX8Dk=AK{N zJHsEZcYM)nT^-zF;3xq0lfA0M5Xati+xBVy5DMQFGk4I&#~Y~9r#A#_tz!eWuJ!2{ zlzbir1??HwYLhx`2rW|XnHDMKYdud$kT-EID1UN0n{94lQ1TfV6jXNnT6eX8taWtI z_OESA^E>gK_npCv)e+}X!i(499zg!5Dci$h=n|lM+NPf z#f&=%VM;2N#N2Y1DJjdeBxOT`q^$EMbMO%5CL$o8fe1il$1mh*hyZ-h_JuqZ5r7X< z&|UwuVa9dwtIwZ?OeHYc01(iJIJMMu`AGPFKUv^i!#@>-M;qyjch~nXj00tV4i+7P ze-8JfY-OMe98F3{LBH7yF8THmP_#1FNjc))=f{QMA(I;jRLKPDelhUtdoH*I%qtZH zpwA~ZE$B(%m-yHAhXb>~HMbiGv|;P(WCDOQB2aTF8m;+dD__hroxQ- z7c=7isO;z!=xpKi3d9F(U4f{WYX#!NJh9!}@5BqgrEo`XUOdXLfGr(tt4jW>rCAj= z6zci%FTV8tl$00y*8URgF*swiuDuoe=CLOr(_@m}_Ei5pv5)Kv3N0+3brA|#UTLSU zb=%!akc$mR5RvuLu0X^{?vS!aQXh1*!Hd!ac3N2-`52JbQ=FX0{fAD0%J&?xujGtP* zfS+wv0&9&aKso!)=M!we(Il;*?S-ks_Lu&}_6yk7^mHggF%Qb%5M&cz@ARVQ&7 zP(ppKs&$dnNnB-sRJW_D2`wmQKnqaW$*PJDW`wF@vQAYU)u~NYkp{f)Ps@Mr*0f^( z&kvFK|Mq{qhkRd1vNf9r-&YuXZ?{^=JbU<4uvP6gL$0FXbjvb9qIiSZ5EMZ% z((gUS{q1|+UfF)X?9-Aj1y84k==1sYeNd4R`aC1Z|K2S=vAoxwexAp3iOz-29wC5l zCoxMxQj|0j0QWp$A;8=1dTYWCiW#s2RCco7qJtTsx0tL`Z!tkp&0(zW;)n*pt@K~J zc1wXVawAYX@&b}>1axL!?~D_!cfnqAwcB#hr9uAm#|N&xT$TH3q~3KqB#Idb2~>8nTB3s)p_Z7eQ!PhzYEwz90Vr?zo6twV*$F7y-JAQ* z;xBRWqOWm8h0oUex?tZ7XIAQRCxY9GEvFAXyxzac0y2)qTQRtRp_^yy^5tyW3sho+ zX3j%rpgmVCZfF@cB#t7!E7eIsXhI7T)qx*{%#T=U=PWEtbVe})oq@_uUjFD{Ml63! 
z*17yK!LxQH6lT&Gejl9SP815cJYppNv_hR~qSNfS45#aNmKmE)SzM1~YIkRhn-WMxAKGeX%g zS*Nm%>eQxaIN+p{1tI0CH28iY%FO5%ia3j#{y~Y9TPI@55Z+#y>ZT|^#d+-d_N{j* zYEOD>TVX5SRw4;m@zWtB#XJ%Wm-vipm8XTc?NWXpRA}HwSV-7_Yz|%6jHu~7@1%y} zUQ!nNX^@d9%~KN7CMHEz1f|`}X2QxxVFo!(-v1a=#7G2dLGItZSBvHH zb9?FCKs~;#nDGnVMo*^k`)aX$ap}D=?p!WD_0(^dz|sh;bvJxW%XSUV`L{nqZITPf zhlYP$de;V_4t(-r|D%uJR`4y}?B7_mz2&NboffBnQBa`~W@BDaBA56-p0^5p_m~Ay z9`JJ@WO9)>pp+Cr7Lzb7;;3nINaV8H022;V%z(q7vW5+S)%&64E3pOkdqnlo8b+^g z?huWiTxbX%v>fH7_lj0uc59n@qt$lUa;@{OB;DdZzha+7G9VIUXL=XMcHHyJ`=BBt zRA(ONhf91SiN4xp#dMwG&OhXxI`?uEo39XVU*PT~6?ZQ&iwNAl5OMvY_G6p6MZSUk zfj_3I8!mgEy5a4h>V}KB)D4%^03ee*wO2t*_3-8-EJ*parz&^#45*SR`6Kt#mb_d3 z>CLOKSJ6v(MKb_~jJ-}=#dKQ%ep}IX_t*j`yIp!0*MGmR;G-9C^4-!e%#3&na%Cmg zDLG&_Rx+|=PhVzGj;kNf@eNQf2d+U65#@(k?&v&Aq$;3Fbz0FdwB8j(eqbu;bd(M*d#;kY+d))y zA~MI)qgyL+b`p8tvv^`6?(99$ZS}~y9*n3~}Zb7NulmtN*v8)N>f?30FeDRx$cRIoampym!y4yh(@6>uMxTM-= zMl52qB1;QZ)Wyk5)jAUMVC)S29gJB&UDb1yIce-W1yAPEt3_kF68g>Es~cHPR@w36 z^5^ZTCXY(1>s?EH?WktEQPM)(n|@ya0(SWen2z(5NH6rYdkRWBhyYyhu7e; z=h_K(JBXb)yNZmZFKrp@)cv+Tm4l`$H`naz)fOTUI!jfC)K_i$cc$3Ep#lfgR)Se- zWtD^eQfRlb6`sMzfd%()i4kfxi|GRInZ`v>H&sjuAhwUgAmRtAAR~-5ei0W<5vNub zn#hmMwLBeig3F$}mfh_jYk4Bf1Q#5?<)P#k@-(F>-b5r#GFiZuR6fhyMBQX8WJ)&V zpYGGX$o2dlz@U#U-=SU}eIhwCy1x9ft_-F#+d7@~Dg{+Nj6MOb-=`qpIONrd7`q5| z=pp}PBF|oW@3!80w^d1Yl9F0)-Td@ai`uZg>?Lgc`{=V5-V2E z!pW5(#9h7E9>2;@kSHjMt08(lf!G5V8ll>=h&}M0%gj&GAk9e{6p&;dg@h(SOscvp z!#b&oDzPR@MSfzc_H@_^E_<$OyW2rjdm>cD(xcXC5wu738WaD$SEb+AH7JS-aDc*8 zFqzVcMJ&aSqZskYNGI=Jk)YKyjG6TGnqI@Q+EBUjts-rIB+lOJ|g)zUy!G|*nO z{PZUu9+&a%E23SBqT6H-h<5+`{hR(uNU9|tr&h-oa7iROH=+d)Q5ZNfTtn;YNZzZD zv}b^+`UD~wTxf*0&q4t?#b?DNpZdl6pzYo^*2>)u?tQqE{O0?XtvX%GN>rc9m8t!5gVq&7j6iL}l;&DNv;=e}V}yk09Ha6h zFha)}Ueao?)gw%NZCV$mXOZw(1Y2{aDZyqcRHcPT3E7%)T_mJT;)-NOX(78QDNIu` z9Z`hKo@+`RARpY6V1iCl;)E5AVl+V8Ii0dOcpb7~c|4c;uP?Tw=JP#kAvAfz0B9iC zPWB|#J(aRN%I^SLImM)4rtp(*{F`3Kw$M%|za;{_2Gn6Ko2B(5#Fi>~sA*`&m2%N8 zl?h^iloC~@5qmI!KnNEaVG(9QpPb@0iy%HzkU_fP79FOB@V+*D&NjOWaNT4$1D-|= 
z;_sfQ+C?N0nVoSRlOj(T360uCRviya7*j9<#)QhAspEJ%4jo4YT{?~m-m)!teSZpY z!)DCQJK7Xz^lN!W7hbsX*n5H?)s?6EGS3vcHnQHUwLj5giRA6{LEM@jC|-IW0eZZY z72)}J>P5F+(r0g_IvZN1pyr}_`fv%cceX$_cKpY(C^A0ZPDKu80FBcSni24DD`2$>)l&r6U zJc^DOP_#8bCooY}AV>_z;W$hSQbbKda-#}_-5Qv9sbB_P3Y9(A8aU8PxHXuHmvZ&! zI5nW+pQPK(9sK{|-aYKX(m&VgEFi@S71HN+GtFhWzhQ`EQ&5y=>DHUyhueDL7d#KA zf8Dlh3sPFVKBWcI>lg9V1l296Ct7#jxI;1(BLfzG!;Mb>P+dq+|G?SaqI0$U@-dCe3aP< zD8vR<%ijgbkdYE6qG2uYz%JWw+W0CNP($OZ{3I@mOsfkxL`lwOBEm&RsK`8QluKN1 zeh=Jg>`JlMiFd!^69GG$_=DVwU!@Zp+wWVL^#woXZa0iwK{1)D>#vYzNZzZR?K3;6 z4!4$xNL2|5($FF$amD|K)_G16qlAQAV@*6%Far;T%ATvS4vZ46v6!F}H|grqKlOT)kYpIqW0Lk$AM4liaWn`8FRG{lw%ZO5hdlZqwT#2{M4mZMIv?!rmiM_{eh32~q=dkJs@cdhQX z4@mXb#43Qj=!Qq9qG%duDGsmVQi*?m{RrHjmEii7LxIb!O}l$|Y-**+|) zqw_I8j4_Pi*7B>_GD2E>2FK|9>uGdqazz13AmqhQ ztU=5@a~6@ppa8Wiya^}^W&p}i*>e@%0q?>Uek!2M)uR*rj5eSkB=kYRK>;0Ea<^IK zx!0hrLbn71_Crqyz*iJM(i-f6nwDDuN{5A{!rf1h8NYY}zk#l{K#i>~tUd4vlvl4# z#fufUe!z`kgHhu%VpHGgNV8xb(#$1(miqG5x_tgSBVvAtlOZhV zG$mOPLTH*)G=x;Ah7uakk~FNSlce_JDzfM41t#(=n1MV)WzSV*tR4GV`DU`@8{62& z-8^C9u-5|b{f7MUVYu@hV#v*K$qXjHTL?6^d9jJ<+S$M`RAPjp&7w%cd-mfpX9-J4 z5LG3K%P=IgNkfv*oK;QL_)+B8hD`WXFav&t%AUJ+v3A^R7n5|KH=O`1$1&3lz}h?A znd?_%!SMx7HP)ZeB|q?~Q)a#Bs7RLEXi*K}*Eg@HLMOt`Dv6i%s0ux&l z%)l0*vgc|n){a|ar%ArCjop1ugNgP?;UNm`H9M}gy{H-|?dwfP*jT_i7 zB@v#0@$9LIQLUc;Jgb&(%Yh&IVd{ItyWyUK*k$?ltMqB;4^s;4U2s2gIum5LOq6_M8~gY@ z3~l3paz`!CYhBGtH@%l|bAA8eg@oU671As|!!3pkaqLuSNk_O4e>scsM}^!=J)DP@ zafzQ3EU2IOpWuccLf`tkBK|=7mgo7D==3x-ZOWiYNW>W9K4lUUnpXv>S(yi6#>&bO zPY6vcOgIAzgUX((j}B;wMIWb0zOjvcTw)C>|5hEo`Z&I3SYw%)4gLO8rErKqWe3B5<_iAj-3x`DmEc-9Mt-Hso$z3ddgBrz zAUlJB>MnGOx!&z0vyu0w;Ybc_@dC-fU-{2F)u&hQ#38m5SF6C$(sd$rN8o!UT4BxT z7mJ;Nm(a8N&UcY>WWpN%j}qV zqi_b^2$en8>`WtXy0J*Q!W#I{$K58O^8Zq|N$4nX^bjgCLIdZahg{<4#TjMjn2737 z>}k=7?SIcNfFr)XYl8BndcM!}4zT&E^P;JXye479xVK)$KA}a(`1!RiizrPJ7qeh! 
zf{el$AR|;(L&86|>vq{b$P&OBL;m%&(!I8{2b`I;I-McJ0(U_$E3^I`KqY_q{Q1+BD2dxiicgc+^Jltc-{`aVHI(;K1}2FQ$;2*&2u{FC!7cRafzRoB@5X{iff!`3{Yvp;7POC@OfV@5d;uA5s<-C z>j>xjrJ2CPUymP7_!~kO3*Z1(%%@-ZpDkPhs~hoekMN;-Enp?)Z>ru-%+TRoo5Dpb zwtRZ~ElvV1HcU7rVy?L7)k%UZzJY#~s4NDUs^>Km6hFZJxTt`_2Zi{fzqi$lO-DL~ z^N>z1@fp#qRgWgUiiv&%zmm9~kN`Erm|@e=(4vm~vLZp5b7RKhl9Wx|khJuJtcdcm zVD=00&_p+dGtf<_>{MfhwTBzCsqiLSSKOHK7qFQ#8(Y>ujtc4|QvkR!)v~PkZqYr; zYy`8i=|!i@n$|;Y4FD{$wNZXU_!9l!FJy2?wABKUw@l4v-zz4e#tS2%&$w395w69? zYrn0;tNzu4lw0U;@f8qN!@!?_cu!c}lDUe=;nQN(`so0va2`O)CH~LRdTcsqm?wFY zovV?C^%Ev^>U*#zs~?-?UUvp6_MJ z4|3WcQ02LeETcnJr?6zZfo@ON5PCrD;xCpLwCeD5>{U3Al*=VPkx}C-S74%kyfd!_ zu&L1XR|!-AA+etZq=Q2ESv!bLuIGxFIwHrroYpWWN&Q4|Kr-G zxtQ3ytv*<&k{Z$_R&_z(e83y-mG1B!P7rJH&vgFKU;cZL`hS(TbBKnWT@26i%5MFd zhx2lYYyIM9n2xT6T0zvly9%=?2m&8b66}2-xg4re5hzPVVhTs}td0p}muoURyONk_ zt#Aff3zeO!Bq&djO-ZKGRH1@@{CRzQ>4}{V*Az?`yxTw2d6Tze@IjiJ4nIe(*tbi* zJ#8Ljxg514DyK*sT)7OytX7Qm8zwi$01!UdBjpaZwytq@TbW2v1F zjy#l8d|*ftQ=2wZQHy3+5)BVxiv<8FYw4G4+n^ayCaYSS>ljS%QI5{Qq3X7L$^1Sq zZBM@n1n>7%j(ZcZ?)15HEhr&MYvpc>4z>FavkPTyaQieGkb+-MgugCVz*w2> zEPNxzyr2yM&&t6|ZU1Hu4gMIxO<;CQZv8PLoJf-Sr^7^`G45WRQAOV=jc1^TQpaDr zcT)c+KjGkaC1U_3MWPU55-Giu9u)3a8}tsjH*R6m)~G1uD`Prnw}=T99&RIlMx0QP zjyM!%BI6h^k(ASri-Hxrir35ddRZ|@NGs$I3=;~YWUmMGjX_n?2Vm)$Fu(z$b!iPH zYqLf-==KgF?UxnZ7>@1`i4@~YV!_O0XJEn3;IE&NoP z+dvX}+W51v{9mUuY=M~Y{!b)HR8@BKQvF);2s7PvSS~Vj|IqG#I2D1UEtFamm0d15 ze3GORlW6Zy>Ykvqlv8o+#bM*#>q(vwFR!i?1T~Z}{^1#LVK5KtB2Y_L0jTi70xK+6mKEIeQGuwxp9z)4rtgI_A{<(Z}L)kQ|IHkN%z@+&anokkSD;_w^cVp&Gd3{r@bN5*v86jE4dmO^d5f}0m&K^{glgg$L z0QEM@4XKV8tiw!mZ83w|1`5T>IW#<+oB9efEdpS90LrDCPbdD5 zX?-bKTa+Y{haO?9*YjbJ8&x9CWkbru9tFnlv=U- zIup+p(1N=)#%|R4qvO?4c+9kR*W82u#@vae8;&RCd;^|e@+M*UdHI_r-K!{)9YP!U8UeiQsZG*${Ar( zbs-s=p>1E#;iY3`0R~!`ch1smuh8eYM>k$|`@pQvXkT@^8}n3}*k09M@v-yE>)rL` z&8O?j_2X^o>ZHQPen=ZWqEPbRj7?A%NFGRuJ!NM|3H`q6-PBb*o0Sc@j`i(EQYjS@jlgR%i<{$5G(`8= z{6!DRt@$=B(r+PPzj?u-$#Wh^8C2LsiyZZh<~rR79!n2#X1~2(J=*vuB!fWn 
z)VAkOf6DaefV19Z(~}p2-v$k}VzNCaw;b#u*W%E`Ww<%mSU#>GtEzK30C2^Pf$jy_ z0RR9jPKF*A^3pXba?Y^5EvkCvm#}c4*P(VIJjAZx32@i{O$q)@r3gX7_*$H1c+x`= zMyAOH*DZSKuIj#h_-a}B=pHR9$1#v?{KY8$LaKIPhmZ=I>JK}RlC}XdIS|-3_-)9Y zdqPl9_cr%?5u$oiQs)R#Rg3{Pk$I6~_AgwXQBs2Y1@;fXbkF-BbZ7S#x}rP zbg{LE5r!}@aJt7gg8_talN4V}0P0!y&_=AJESN-RQhP#(LYM+yV8k~{y9F3N z4*Tw0T)Ky2i5wgc34Mgc@D@Tm2P#G}>?;igtV%yvdN63kd3!S(&k$ueUAEu8ut`Ze z2F8#HC(VL^PU$LD+U!5?x_4435@*W>J~f{(5I^?8bptsc!dFxX6()TZebI`Jy#9LW zlHhBKP>ku82~%BLx2{5M%~sTESoV#DT}8=XLO-9v@kxw!Y3pkPd2sHLM}IwR58O$q z$bC(!?`v5uT0c?k3g<&!im2IwQm(+#oRasH z6)=hx=Ar(&OmeUKeBfUpK*L%lvtha{W#RN%vF?)>Lx=yaJm2G-rlq9|t~txT(07|} zD@!tA0UFhf&S3y~8FO(rfZXLK`p%^3p3&y|Mh^rMQFYr$+g`fO72F-^+r7i;OdWu% zFG)The7C?0Z0a+njmKa8S&fx{S4q1BNYD;dc9Muv(Hmp+jgL3U zgTal@Ge>PKxks=;>%y6BSF8h?8d6DVA}jfA^x8ZBwtmUGfB_-~K?HilB&aI+?{-_+ zo043tJNAR+54TdWlvmMyd_?8N1hGMcoC~sCMX@1UkzFLrM1E4YNieh{q1Zqrkl&@w zCY*WUcL=4Vz~94~{bZiX8Ze3HCR(c9k>JW+iY|_PHgi!Z&mDXL(TvPx5jvaqjD2(h zWKX|z&_j|7vZOoUm%9UjEOK3+X6MUU>VPZZ@hrvlFw$>Dtjt-h;LOPNW!)iUi43s~ zA;eO;WrlC>P-1T^n&Koc>us%KiJKaT+c5HI4WV%Q2}nT}#Ce3>FlVQqhGBOI8vo6R zz}_=Yg@6isrBMzfKQtA>PH7)&Cio*mZ?qbTA_BQQWT*;04`{jYd%Vb`u*?4`4^N`qUxFvjRWW`Bhbzqu!)M ziWe#u3-#@QIEju1?FPOy%}RQ&pmt}`0hQj`=L%(m0yKjBxIkvh{1RyPtk8YUa{`yB7Yq2*0~dWuQ$8chqUHG5QoLfZ&zT2Vg?3mK!bup zb{cELU|Xe*TAIMaD&wT1_=;HSQa|!Dbeua<8}cDbpQ3%Qtg6+W!QRs{E##8A#rq~) zP!-Cyp~5cwlt;tjyxY6yUo=N|z?t#=kq-hIN_lO?cas67Hm58cQ~nLNfZSE zWOz#X&mSbH(R+U1{w+1EPTOM=%sHZY8D+vsJiRS2(|YD#aSe@qN~BYaQN29!D5R&T zp#IU61iyVH9lBwQy@`s#zEWg_csQ*KE$ExAaZDTx)o-C==bj?fwK=%?1X)m+le>Uo zNPfPo+m6Jq(0vV(?_&wq@)|wh_YsbGBsdr~=cr-ChrImXikQWz%UR^g`6h;fJY`$2 z3=3f{GC%M&RYlEpM56}!n3baL5LAI#YD+kKx1uF1={j%PgbYC3mzVLcB)i1s&##OD( z7TO;U+4)ObV#?^Gg+nVY9PNM*>zo499d%ZrTZm}(cxV?Bl)k`pm~t-eCoNg5lmWjA z#Ry9Z<^4sKg;jRDs?JAW-nf0~%09K|Sx|$<5JX96d6lH@>bQ~?Ni90SC5C>u07^5f zN!?zqzowQlR$l&8Ue@nWJUw@vBAIQfv4WUsw*{snd$bDW?X)LG3Q|s-qgWtwNQ;yX z_-(uSrFzyNMZF&8d*rRsYioKcI@>vZFwT^34_$rEFfp2-=%FbI@L#FBi`Zh0vELNB 
zgc-vEoogy7#@_)C4(pz|Y?d9$z1aB+zT|AR0WHbd5AeF5Nw%3u>PC>{!)hQ&C*ct@U0_MZGqed)U}sHXm(1 z&=jwPrS%%=W?bd0lY9w}@F+4{jx_$h1MRpK)*j*HR5c!4&jj6VZ+hJPDTPvGB6nWy z*MytwPZDfL#1yWf!fC(1DkQ6@$_kDF46-+I)QRg@qMsm$tQ=4BRB5LY#>N|PNzj#q@c&~0n5v?^DC2~qZiZoC~ zU<6sKQiH5|h$qPv9`i@bo6)>QS9$np`}ue*1bs}OkEi0a?~3)_@i{1yTIjPed-cK{ z(HO$N5nz!}TI2%02x?dv^|)3z8kz+@%Achg@|xFwU3$Cq9{xp1-& z68snCgg5YMdt*(9mB2|~*}ls!f2P>CwX=PpsC)`d(`-;O%Lc3gg>{KgItaXbZD;{& z)nBwlB@n43$UOE5$>fGcgasaI4duuV}{3d{0K^Q9)s zd$V6NQv2SG#cK(Z_$~7QQLR|z4S%ijvI(*zDBStpa`3tIpI|9H+55x)fw&pQ8Zylu z-UD<8$6XW@eV$}o?j(F;xASzhGMB^r?zJP#Fih1neq*Y_2JS`?C2ZE9#Rn@olIQ+J zBf&XiH*fn!b$B7ZQ}a5ZfmRV!~~4IkCs6uUp!H#`so6h6*M+h8dm!7KKrwlNS*0- z5*i4NF=^b}QHt|Cb6VU_auW$oA_}hNH_8$y-54n=0qK3bdGJ`%5KhODmWh%c-<6q; zWDa@zJ1_*;FPL58Hm0+FF9)QPiYG@EPY?asbBNUYY^d8UGRO}i+w#y#m$FdHl{gB)-vpU+@TW6U^gEDp!7NNq4ZDY3dzLZUzGq}*xB}R|K8Y0S@h0`pCS#KW^R0ddm0&(62XV) z)(^J7 z9U%I87%t|0or#Hf67~vS&sCY%Eu6*0chqYKJ^Ao3J#RM zh4m|1hJ#za@i?e5Qv)egVh9eM7F6X1`?+c~E+rrj%+>3(RNF$iTtCUutxiA}aNPv8 zoa-r7$f7Oo8^vj=OQ;%CC&5Vd;6IL~3bOI9+k9>0?hGy(H zQxC>-FdmR{*It>Lvy2<#<;EZ--4eczJL@P8m6)7WnZFoXK+6L>!Dl!|f=~k3LaFbN z;QaiN{FDz4OdIYJsg)%1>eQ18soN;Spsgu)?%94i-?Z$kw&F|euZU|{^^~9JzQ0}u zpTSw_JiixdFFrf$)HbJaF4t3HD*(V2rWa!%Qb)TZ1;|+yje^B*RiETuf<00GYAlJa zenARji|mgKKi&Dk25q7zE=Hewl+&4GKPrczG?-6Lm%xm+c|s-x#;cGyJ&L|ipTHiE zXRk_D^2C)lw23Dbwq=p@QTH}uq2_`NXoJw}1pl;zfMyl{U`xk9FZHcLeol0q*;FrG z7dqEv@AEjd>+OpA`B-k{+Huhf|Z+`lT%GZLPFq7TuO$Ko7KS)AwdN*f+M3C&iJB*<%{K9j9|Vz&_EVl-fErm0-EKzJe-r2LV=ukndK~$sn(>PQ5eKvYK1MKg zRTD*VClKACO^#l1Y2d8U8ZV9UcX8$n!Hb`sh=&ppiPdt@@OgZ`S$n_~B_VK$l!6fiUxe)lDS|qr$s2@7)({k774CZG34-Q%lW#WJH}FP~?8;_tr!{2Z#XfJ$y4FyI!S@bLfBH{P7ZFC4 z%Vb^{$8%Ex6Ug+jvvtc6REutul85!1%bPasrWoT=S>l2{&swJqaJRpwLO7rF`k5m| zDIBl_wNts^9FiZ%{|I40OA(66;l^tzDP+683iH11KU)&0YmleFD5fn|_ z^Df1fo#fBAX+(9ejz74-o+VMqnVRdxlw@!_Zo{KjdNX*J`gA^~y1*0vOUj(`_@O1@ z#TvfVu$#Z)2Tc=Pzq{|DoVLxK-M8nWAi-?%fX5LTrayanR$8$D(q-`Sx!tAsw`_$p zpSCiC{*O{DrR=r=_d(GuF7rr;x6(+^4WsXvm8%*DxSrUA{IU)Zq^YdnD$*gO0gaY? 
zQ0%oJ6$*)W_;6hh)|R}_JY4jcq3(eEVwZ+owci0TNDvKpU{0i8^kS%o)}*JqA@F)+ zrVNe?VillL{9(_|VlF`ZVKvkTSY?|G(;T*P@A40YBJaIhJ8 z*8p7NjvA5XIE>1ZJQp)8*o(|9^FrMc#!1zuAeVvN2jvggS@%5?`n5ru>JdrIwFqUW zfo^Sn^zcQci_$;Bc?g1&rUDG3!t@W#E1KIbKhAq6u7xz=s@?a(?j(h}S<^=x&D0y|pxe5!v@_f)p{ zbo#g*d3paWKvU5d_;h}GcKJ8iQKSFMi$wJq5Q#x!A3QvLfyY8AkWI=_^WL;2^7ItT zX9TtO?|Ze!lG!AXQrW8@usD3bEFVh3`&%bI8bPFKm+qlN@$ZT zMYYPrSM0UQBw1RN;{f{F=ygM;OKSFlF@JK5T}4ScHONSJCj*jaVd5Jv-gi@uPtdKU zpMi|2foeQbvQ<1fB=q_>exVg8TJ@Yo%e5fc*TEQlRdHsS#)X*&rE~SRa9@f;4JhOHay(SRMoNKiBaB-{nvv@uE3BJ$x>c!cQjKQK)JuQQ7Bb-7x+~N=_uP6n)QZkOM(UGv%Le^9I z@DznNZ|1^!tOA}rQ7b{}h&gn-o@>G=dBmw#6@9nXZ?{TY#M)6!09^OKkHai1SJ{R+ zzy+yJLHqFWqgKNQn2`MOuwIl+9$#)Lq}{m@^PM-X!yUcYXWh|XJBP&^h}hMUcQz|; zU}<1-E;p~nFr;ER7t-->;C{>%v|WkhyaTuD_nkLB+PHMpc3$OzlKdNA;zH^xZqe<= zxglsT`YY&$0IU_d)n~hhZq3&mv|rJY(f!GH+kwf;&F-~bK0=Bo9c5HM@iN^_ndV?P zEtI#s8II0xlyfJ`3Pk5|Q{ODJwXt;`&}K(oxyxyaKWO#x=kUt^j%#sWV(Iy#u~a)h=3JM;fu&w#t&KW!}V^%wDp_Bcw5_4RMOb%jcb6YB4iK`Qt7q2igk< zaq)PN?|)L-{KROwlN6aS@%YvPl_b%IW76;Opkz4fR`4i4c+#Y^6J{v;P2$hY=!VhI zF7+3SD*ulOg_rIi1Gp78EqaUAI(3OB)OZ-sicLnpm2O!Wy#4_&J>-?rq>jbjfqc{x zKD{nj1?zV8Mcfy1)3R0&rlvm1#}cGlaa2?mKu-LROWJ>8*m3k2!C`LyYV-$v(LLp( zDFrLS_7Vq9>{HWdWQRbC$TAE1FVH(xWFxAKoAxFG0RbKo+5JBtBpma<5)#=2F3Pg! zpt~p#(@R}UF~b!vi6a-j=Kmd^-x2&N=oc-^L#VbcW#01N zTLd*TCgv0hM{$q;5Wbts{;O~ABD&YPxfy;h8h~bGqgk97Wz!3^$82CO6UKrT8*p8H zt(2^&497>M+8Z^uIY_<7<)Q?B9i-BHCEK$oolj6cF5aUi@)ZHL>((`xm3x@yUAo{K z(0)7g>sR~I?-Mxj%3n^1kIWGcOmg#R?$$(9aaN6N8le=-6JuwK*FdXF=1hhjb-ndT zfEd(f`TH)mAev~G`wOke#d_*RT>cs6&qa_Y0h8QJ7)3KH{&|7G{S{~320izhb&RKO z;|2?XPSOncZ{S}6ixj-aXpWCXZI4M8snwLIFVCaY@f(lnC;DPXctq~L-%oTU2Bt%M z4Jmk~6IeRG;1cTa!rLwGgUw*=Beq?2pbf~z0?Os|A6ZF)->U4t^pw9WD<*;wEY53Z zoMzCFt%3IFSfT=CS?sCgie|_1qT|v2>boh{^qP3*Ou4ve@;-I#sf*Ij1U? 
znF#rifC4z~G;})+crTG!h52Pw9+%n{wJ}bkIBxpp<*Z25p}`m%)P=_az9`tUP3`_X z6IkC7n$u}nfr*y)^aw7AFCx9oO$ld$8n}n!)ZgWV8^2*k| z^1H;x8f|WCPqITGzM25hOVnq+YH0Uq+s~+ejj>mnzV>Pv@Je|G{_2%C!s5 z2DCeKD?I}VoPQB<)XFHX0j+D`Q2RRVxqPRcR0qiQm=IfK^Be~GEp=j0d!|$*2KRu# z)J2fkG`$nILVu%y{bkDiucBBuLfGRI`yYSI2~wUylQ&XpGlj==DvuTgjkKF8cxnU_(@|=YiXv#7KN`mlp-S4tIHDleC3i&OC8}ig)J=BTrZ>h6>TJcFjfQ9c? z4VG_7&q!t8=~Rq(Gb}lG1y{7I#23N{{RT<2{WdJO}n7T4`n zvyMc(6Cg>oFek=HOi_zQRop}4giTBD5i&Pzqthm6M;*$l>G!clM$&7=eh?QQNmehK&fIHSCOpjL0BH2Au7M4|)Y-a(tENYAfls-j(?cb9BQaI!+Il5E)n)( zZ_?SmG=k1Mmnm%p8%@!S;}gShWtW(ylv@U`^j4z^KVI6Ff@_vzjU?FHxpX{yrJWfqJQA<@98_SQC!RDeN zsbS#XCp{5L45c2wkNdj-6@p3ro!EY1MW?{7LmCN1@m0Ka5y5B3PThy!y@#n|A;7SN zL{$kz@oV`x-Fw$s3xqXegS4f+;%MlTTJxjmsnK7yOoT?VtJ2EOZyCSY^+zCrUlYSTm z<49~*pQpCpjc_?mGc(~=> zlGKgY^+wZIW4AVUQz2|~tlhRoXPmD@u0SaI%h}5c%3x&NkKB13SQk zkv1Wwtt#60aZrF_ETk1K^U11j9ehm-svSe)!3}xEoxohMJ2B3Dho|^6obg8>G=}Ly z!3?iT|wGwL3rf$tWzX!i+O$3GY6_|54K zpWeo_n^RSEE)TavpL8!WR)iWwq@8yPPs_zeZj&U;h@P~hJVAiI!2MJ&ERc9@(ihYb z`MyO`6kV)(NtKaCZ$xqLVp*7S)Z)=R_=zftQlD%|F;JzE)I@8D(`BBCi>FEw0+eO` zAY>$k0V^4xjn*Huv%k*F^DvbvUkF1~7s~S6tl+kct(C z<1IVX9EML$6dS+bi}^&Y&h3Y)!65fN;B(67&4?;RUu&BxlTTbM<%x@t0_rzOpmJ(! 
zpfss56+PbH#5t(&FV&kq*tMJ$e+ZvQ`XU66BGW1(DcbRz7bQ)npCr9NYSjFmZK<+d z8?8jeC24=G0BVmMn^DckQ$p+gRe#js@K{@5?hf$@@vq2NsZ2lF;wUhySx;p^gwG~?QJZ@S+4?E6*t3U*}OjQzhOf7{a+FEVN z94OW7)eF-x9Ph+PmYg3yuizwJ#i$HE;HM?L`pyQxR-7d^^od7rBf?wKzWf)dFas<* z^o1Lh&e;-083czuToyNy^Co-KYR=;3sn~P8eWLAn7=D)jqvp|lJ4=i5XXE;LR8%^i zw&-pSdRV48A%Z?F+j0-xe4h~O_mG%_Mx^BJpq_HCuwR%rBwGxfffn0-10uQF)Edlc zpO@{C*Jc{+v186_C#sr9>kqZhbr%3Wip25L?K}6kc$RVFAZ~`6`gL~p8kY;gecJpT zJXkWe$y9y(htR5V?6jlp@$B|wgTqVX>*$~2K>_U)Re+3w?D~Sg$ou_|lbO5WWmU$% zREV{W6Os;;3@?f(#iY}`wlrL~ot4Pu$)P|O>np(K_aEh@yk)RXkm=4}E=zE*Rc%~e z3K5xk9Bixl-hU^5P;}DfGaDO{gJDUu&D@hmrshC*hN^AgwXBOauTPGDE$ow7h=gV3 zaU`s&n$@vw2}}bLRb!@V#kRRXsumA*Kk^-$(yAog)wIL$!J-^3XS7evqUas zlZa8F?xV&dhS9gHurXPWXdGUqEySG>YWSSY3H`Kqx+#7Dl-AtWI3@Tl8v6#0aDa7B zD=WB8U(3iw00P2RXDJFjqY`G9$l!(eI`U=;+bLAn5c)#Atki6q_Y}_J1j6uv%gPGZ zi|b>G5ExknO~yH7SwtqWdvS~a9oB52n_y zvfs5185s@VvBE^CVf5}-@?9B`n!p`#mzc7OFGlcxq-VUy#B@uoPfWptI3p3iS?-uz z?$Aty)cSXTVi2@BHj1-j|nv6J@ z;IoTka39pIg-gi|O^rk?pToobYolp4Gh8_)A`h`~6nC5jeqC@z$D|GBT$T`o#?f1$ zJ{;4Y#8$yRDU?THoX=jpWXRi)ZiLjU8X7hZM+J#$axb@}QCmfP7D*x< z3^9KtOPDlrcjYwi7t!sjFO*qn%#zVN?8LyE)*PAT4|Y%Y73p7a47sWmC};#`Jq8y(p^V*EB;Ar3V`hl(X(eWhW7>)QQVfyWwKe|3UP z2ue^Z#_NsklS)A7Kq!OjVO;6YpZm8}9BlyoRpZbmia6I>JrP2luwtlR}&~2tA=L zKpjQ;eBzF#1{!Bu=^+lprcmYEmEmw_k4vBlJk-c^dQy-F{m7!@53SAxKfv&hP$osV zWA{_evACmUZkI{8%C(V-{aLo~H0iHrKHcfs5vey^ytGN;vkuLWB7PBwqD+FL#s%%#M=*rcxAmU&&azMB=FH5=siMr1IFF z?>ig$x!G{k&DH5Br)W*<8Y_A^dh=vbCC@3R&+P_1>K2~+fJ11!&-5rqa5pBy(RCY$m{r2xeRy?XCV^CV+zPdlR1U>N!I7OIc~Y|M7n|F6@~#YLXL}+a zQ|yeTMKI3S~0)5g42ASH~QZCn^{$52rYiv9()Q+LvbJMW7$% zXA56#y~wDAcPL@Ec_1X%ujc{ITKUMYzp*y3bX1A7D*mS0@a>Be$Nv=^y8RnE&rX>_ zggrqa3?dc~q$)y%8Ku0)P65}yYWM)MFnZZ#e&Sr~?6leS@&2@ceKWL@p+JbHHE91B zKU+AFu>8m=P%ZrszkE0uEEEswLKG3fY}D4Nz=rxBmJ!v94(zQaSBge)M>smjvGF{TFo*38lg59E7RZa6;q~MCk8qpL(QBfE(1Ncr!dCl* zUtPc62`2L^(R`?(euJOf?rqt*JG>Z+^qlwJcd0rYb^ftmWH6d*(+;CgU&*jXk_9u^ zrjd-?sc_Lr@nPFp6YATud`^ z;W1~2Kl`*pc2ni!{e8UO<*=pCgCB@$cm8c58!TK1w0tD=7IH?THcgjbKQR&Kcse$B 
zULvRDCFp9R*8gwf7LNNn zcNutW;w!voTldGIl4(Ufle1=TRhjyAVfT0BwWIVwX;G$L&@m?6&|Vv#V%*-)eIl?` z5Rd!l#Y)XJ-S4xH6^F`S0zR)MrHLdM(@Qq~iY;d}_jY>WnVD;g>a3+4M)v4%!wm>L zyMgwQk3MM~(2_sa|2F`GNUcT6zXhoe)u|(~BPY3aZ@l3Ag{S!iL_*GfJdyuY`uZ=X zVQC)JL}LD4a}w*#FWeNQcUi;f;8_j}iqIQ8104xP$pS$7phEe#59mk3JFjBVRf=ba zC#z5_3AuTCH#!N51Gh0u;8*=flbN1$PUc#o5o_s}f3h7nT>-tZwSI95_FBQFnlR4LCBcnPeCqZM8RpRb9`J3qdG2ZSi1ClfMhyU zrg`TNZdt4UT@H^a?<4<@9ie!N0O*y1J7zxaX^*K}iLyX~OwNz>{*&|U{PMpEFZpxO zOO}yHog6ESx25t!$J_1Qqawt&@PQjl+PhMmTzGXAdZ1y@w`>uJ(A3e7f_ENV#06c- zR)4~cdlm8e?aP1L8ZWA#kia|SJ!<|WXhWG6VT@(V07yUun$R&9HT_0u-e6T|- ze0?O~k4_|ZepC$v|Adnqv25(u9g34vy`;7R@%W9m@6pQQ+T+9h&Q|A9l8X+Er#j#8 zIf8MsVVsDY(=)A5G)6Fz^B(oc}jssN}}D9mzd%)!vb1P`;b%N?w}JcBJ-t&HZM|scC@%x7O%4V5AP6 zX$K?(=I4w@|F1@y`EQqMvDW8@$4N&nCN{Zggjq*lF4kTy=?8k!;e<{@UpY<kV}jvg1z|S;;WnU{ak|Uo>XNaolda`aqx$Kd;R0u_&ZOkX zQ>u>4|B3DXo#0s(v+>&8AoG*=!Z z$!W*KF1s2JvliZF9nTw&JDnXubmIG>-wbts{j@;D&;_TZLzboD*f31>vXc`7;-l+P zS!Cul-WdgEGlqWnUuv4U=5B@?otPK6xoIhTw(kRvpQ)!CFBv``ZM1JP>^U zHS6L|s)#fpfq#ZUzsW<*sql3X_03s&1WH)P<@Th?Xgvm?Mr!V1MADC3qV(7(@eW|H zhW8TmP<}%a2wQh7LhHt_(`9I%e!OL=KGwt9e+OkBQS zrH3Yp;}OwBbcH7)y-#dXP%U3;VOwUvs~9=eJ`1J$C80n^G+1095O2Qg8kvcuoSjrL zh+38Yby&cIC9e06sjuNHcat3y*N7HLtctGL6~ggg)@ZuHdUyKGXP+VwK6-L ziA@4d$|izxwC&>@%$1%(LJ54$d+JcbJ~@T{^#XN+jXyp+^h7F#GQ3 zEzxf`^hn;8h~?aiD4|C$KNiOiI(ni?0`aBgP-jW*;L&e>KH-k?QWkhYIw_t>?XYZe=g;dhG>_UyoWZRGH7|cBdsySF2$8(mt8D0Lb?-38NG6XvvJZYemjNy5=P1^ zpbGg|&6IHG&EcBbbJRid5NZ-rn|s;{3&MKI#o5w&8eC*gGcPACrgk%bQcd?mCFREmTs z7)_2HLY0>n@xVayQs+?4_x+0MF9)O8xj^j|1DgZk@VMqdwIrWLhb+tCUb@q}q|M!k zC;2Z0Q-WQ$OHY5*{{yr@OTV&OXii0>?tnyvXMZzBX$kv6w=RGRh<4wp89+HV(x##7 zAeE|GY^(k1yT)j#uiiw%q&pxQ*t%+22uxR{7C4kLkM$mX3qx%MAvYCop_pcKdqKDg&n*(8%kUZknlHMeZO3bEiV_y3<)2VwoBj3pd;ZL+8k0wWeWC&6gtDM%){Q0GiMbq8sAS@ z9rA+3X%aGdHK|xFauM??5n1Zyu#0W%P3*?rOtvdz2LRX@w-A*@9~OY9b&NM+cSteP?oblgT@!b3e|b52mjA(5n}0ic8r!W=&;n^|cEB(Xsz_KDY69J*GDM)1w7&d-`;B!uUwN_o_-Tgx|gJWI9-xae}_qj z1)^POI zH1g>nlg_uKcShsCDDP}K*ead}wjyV)V?RjzqGVwjN-G-YF)Mi1Fy8oeSO7)S2%}7F 
zgRNpW*lMyBrG`Z%`^Y<*WMiu6twVIgHj-kbZFIHPu-B=qo*Iz%qJmhmAj2HR1(kVNh;8q-tk6q%S z*(g`aqloqOH?F)Fl;{Q*?BFi8(3Xj>rNgm=`zkj?ow?n zokFj!_uU@i;^IMiY4QfRk$)B2bqAiEfYxEd3KZ}OY^Yk@spsp^#RFGcwG=2Z0LYgN zqhP982$(2&!&e~-x!$4K;{ibGMm|`5B`?Ga`4BptDE-W(;6T3d9mx9bd2iprjMoeG zbGH+lZeaK`=3cFzGE~&}Nn_eckuxmSJR~AHb1agu&Z34Tb(FC<%o|olJY*s*icI8D zQec3UvZbPi9kEnnVpfULX&>m;G02FOBE_VEsK@f zhG(;1;mCtU>#+@oImdNv{raQMs=o)!52B)M*us$D-@zi}RSj1le*hNHT3XS1kB=#R zOIV>o0KD?vs~;b^au!#7tv;q<{K`xX3q6?gs-K2_&F~ERZ3u1+)x$8<)WdTSc8uBx z4m&m-0vgYQfRZ!UO_OJFUa&&c&_!BEJ66}6<*CTSAS^@91GgQsA)v7v0y^1_Ie?Nb zJ2obEmK~dh2BpPp!!^R%LJlHd*9P`IADkK82^YaOCYrX|?3VBsxK7C5jGHF#8mLqu z2^t+6RXSq5m-Wn#TA-<^@rEM}n(>m*;#onl2fkf3`z3f(LOzvhovLnTSnju3wu_x@ z_pb3#PUQ;a$oB#qyq*3@^`OBtWxL%ehH@|+2af|$w{}V4fykHRum#fzo8ozdP2|iK zkK(YY8&-z^S&YMsm4TnIrjl1OX(zZZ+zl&Y8;%>h;kc7+fuog?%N9^#e;#CBu7L%+ zqq)b(VMeS0DRzl9aBw*3Ks)s?-itr4UqX1a?t9H|O;l9}dPw4_w`YEpM=7jfZWRjB zC_)wPHn+0xi*BI>7Hg@}h=J@)nsh35(jWMf9N1h{tSgYZkziy+>g#tgjJD{yy}r$f z^#i&qI9-4In@>s)MD^u>s1W)C;DzXpq1>yj020cH_4mcLUE`7zNwk3vfQbfB)S?2I zArws_J|AymDnVJI| zqpvf@gE9U}v-m++9};Zq2xnL}hB6=USyaF0_ngjQbs!tx9hwdm0_l5Eo(dq@fhgE} z@(r4IG~AO+lac=Ip&e7<7U3S>TzmRK3G+d{ONaTG4qJ}r!IsIHtGr5@APAvRtIy&l z%UBVnG0TG@DdVb61MaS^NNm`0@^fIz#|Am3Gl2Jo2|o{{18;>)Q*ylaph@1%*Sn)-JceD7hjjsrY8l z=2Hu`b4`milP0qg$K@&8MfHHV0&9x@+DrXZ*P(NkIrM>%udWjZuUakvOTzFgZC64s zU;hJ0fI1D~fX_KTR6X%?}fX`a*DFG$8Z9G7xl>+^c(cXwydYBxjN^aymc(@FRPi`0ml2u6n`O# zx_gpp4wM(RRYS12MjdEaH<%%{u&=s;gvnubK^zjgLPQs9!LSDP8D;_6eN-GAttZRr zQh)(dc-Frf17kvC*;lvNOH_qyx2>{@-u(j1D2$92l>f8G(UV9~9A*(qRzie?R_`E*oY1MrW-`BzYngP^vRkk9k< zTJ4_`r-|Nw3P(3=yMBUe+bVb7i`!qXyO%0ejLtglP5FDMHs*l2z>hsXwD=9lyRzK0 zt%6iYKh;KcfRAv1*T4;~#yBw}^AUcB3m28@QkR9N<1V?5J6%1XYVIj;f2`t5E|#4ZBZ@ zonIK_cz9HF$D?>Jq$PO?rth2B>~w9K(^1TZ`iw=ej>oT&u)M$lCKF`KO4=Hk46xKC_`}Cw2-!1u?De5WuaeNR+Y}0cnh2;c~SLbzABkoIU0X-a|2=f#IuB zR4bi_(@)-CWCxBUST$c>_1*m*#rBKzt(I2?SFita^Wi9vglPks&xoE-MOV&^=iS2v@pxvuaUe=99M z+<_^bo`wJ?#WZy(t=g1ef1vff7T_ih&u{gL)lDZ28}Es18=>yw9WakymvnISLSCL+ 
ziGT-PVw^yes6JT^hbsO>$kL&#sepldiTqbzN2WZJw%V)Kn-J%RZWj(BR`QvgNAGm_ zb21P9OwL>tWnQN8mJrH|0TgP~tc-o1)uP~W#FMzFMF{5knK@Mm(^5fvSwg*{J2 zr@@~|u|Y*gP(tJgH;TQ75ABe9rB!s>80FkOwmLJ%s|rZLHK9I)RZm0?v7ntBN>@UU zX{OeJBFwC!^Ezl|3tPIgc)aav0VrMB!df4MVG4g-1ANLHlYsrfVto9)iu2X=Yw1M; zBouoZsF)P9+qj{_@cGy4 z8~O9iDfYBCuGfiM|70D|v6iW}RqcLPN~fV7PGFT^BlMkoZl&6Cz&}Pb+Z6KHU%V=# zGUf;G;)?WL2nuZWo_tLd#`lF;^}Ep%oUQqEX<-#uuf(OlEztk(-0F;Bg-#qds6~EAAkYEfLq)iXkp>7(ct&(NiUU_fizqh81 zJ#uFVn6HDEQ@6krr(C4rnxZoy)|>15H670S0=^_Q2K#%vP*w_CqjiU4zN8G#6vAav z=nUI454lXvoabSl)iGyzS>`NGW1sO_-gNw^NrEVeYu|TYa#9<)oczyaDoAlW@UEwl(HRr$&0tce{gReytpg11;IC@ISmm@8NX4_($So|mLW3k7 z8a)WY1G{Ha*p#c7z(megT+Jizh6>A9-dpugMc{t42;^pj`ly8hd~0YPkT$NrL-|%` zp``Hz@AP{Reg8O|RP(4k3Vg#5=arw8moJ14zjAz^3;5!Oj>HNNENa7#x!Co@v7Ig# z?Fk?IT7C1hcB23dXg=O0W+{61p(=#lG)O-AD?DWN05({Qe%iM1MIjfd^;qxtw#Fh6 z1L{_X!eV#n{=8C7^P@Zgkfmt58-n-x0SQ}8?qQd$CWXdrbvh3PP0s9#Jc***mwsXi z9Xu-Ou!l{}k}8Xepvn_bxvNZ48wH*I927J;tkYIgLg(4)Y4~Sa%(B%w`T40`E~-=G zym5^4zB$~UCV~w*j@nDw?yCVv+ZT(1ZpxdSB4pIXGs>m$%0^?xu06a5GR{trTOW(-SV*L^t!>fV8ggu)Ta zK%RVjxMxEaK#m}dn(`L6s-ghQ1CW@*Exe}`d2UGF?-TFVacjIsLDJIlQ?vTB2yc2o&FreH94%)Kwd0#>kt~Tju(@c zlM+&U5S7{9Z}~>r7}&E?&z_qmRkB>ke`Cu3pl(^)H{+J*K5dGINKKU^#a19(hCc>J4TdCU(>5>iKs^qC5w?tS1Kpr5|gC8j&oCqr2 ze|BhPXKVx5om1vPKaZi_Rh1)FdHDKC^JfBU=k{6Q7leGTGzH9ITb5I`W>_~5Ts z$2DmEUns*f1v*U%ond(9L8r-?!z7KGxX76R_bd(tXNAa0mLx%z=K=Rq9=Z*W4V_MZ z4s@Cv)@gVsq0d4w#S^Ay8cdoNBTWw_F>ty)qjDQaScN83ffh>k)r>bgNC8@Y4_;gd zGec6SW8(nrHQ`n9X`}oMGwhY7_vYK@h4^4q^vW#1#H3S~ZD-U}cWi`Fr1e~i{yx-u zL5$(XelIsRW4a92>Mu8R2k7}_um=FPt6Tin-cTbRvLKR|tfnXme?*yWymb0=@Y3Y4AKLqSlI@>fjP4sjX!A6H zG%a>vh>8YU4?w09s0#B?7-G?-n1;tx@ns-`DWTP)-`k0akdUmixXiv|U$ zm6dLRreKLsLuuTKlkv7!!|>{G2jj2@dL{rbSQn%o;E2^`5ZeaQko$+7B7=kSP_QTJ zVlc39_t%6<_rF!wlEE2~=A;5{FT=?FCZ*2J^Fc;7*q(I38*QD zYsW_EEs`4b{z@m7%E&-yqg$Za0G%N$HL)n~$7=bn-G*1<-~Yw5Nck71`Nq}hus7K2 zoj`w4{D95^fJ8sE%+hwqZ{E9xwsX?+lE$yye!~gDRN|}j==-#@ zA5v+3-?iL&GY6d=R1)&UlN>=LpDbQqmE6$l$ANdM4<{gM7dtz=E-gS?_n0^Y+Z~|r 
zcJ1-4&{X#KC))5#eG9c0$W9tTE3!z=|kBz4#@_R1q{BCVzb zs*aR6!ywLs?~^kZWg3@N;vCF4f$~8M?!qfp$jK=MTAs4}3|x4FFSZ0F+N+_+`8}GV-L2zZxt&1+yc+ z6sLDKz1$$3S8hPg+*EZGXMWD|4C3mdsTk)?%94!7S(Bw{9FHU(?Q(*-B{BK=yZfoRZE_YTUlA@RUUf82o!ydHPrOCo=9+1v+y@R)o6}{0J zMhH6NtX4e_tj)|ee9P}G+W;0&sn*A#O7R7(Me&gJLcedT2Z25ah+S(`f*#?siTb^O z2YC6)vtJY3OW{pu8gh)JJ-?l)1p`;HF55hADRp#>hTiM)A_&pGd(DS{VRplTsro@E z7UFteK`L+wVaZmp&2_qqIy5m>AM3#7kyEw%`-kHm49aHK>eYe~gd6RZyyFUVO#7UI zgN2R!{+#A%dIdr{uL6ObxhYZ+gqdJPl7&z`%~=_R32U0X;G$^KGIn=RPwfhX^ygF{ zki)vo6In{$bFwnB<^ve5AFSKLLlA^n8+=dl$)2{PVkk%MpT-20Wts;V%d+9pfBWqpUSrV zhRakf;rfqsFHa>&R}1}vmAo7tc4$APFaSz#hxSyaO(z8eARpVM#-z}=8fWuB?&Qot zA*!q@GFByN1e~xn%frTJNnEF*3PO=3ZdW9;LGIbl0lAaI{w8*Cy`?porutT#MBhoI zCMi0i%#_%t?c%%KjUN{4Z!UGF#C3PwPy15tVDCHB8>#`NKT_$WSN}vqwIRk$mnMFT z1lgM{b`t>{qoLG?cerdhfl4CR)c2M&>U+e1;`Q_@How_XcesHOTr;;|LJNaD>RH9Q z-n0vF5gt@eTx=S(G)M?uJ*dW(hMZE1t<~0$TTA_{Uen8?rj)8_z`?ug5tq$kD;^=4 zx7{ywy6%f6SG?0}8b*^&g`G#+=r8ABWCX+Gj96EGNQ(s_GzB_;kpbhGjt&QiIpy_X8y*tSLGDzV{*E>+<0g3?YMz`qtkOD4QqF=b z2O^xLWIPTlCe3l4)m2^r7{_X3(T9ayeZl#O8 zMMZ;T)b`W1{n1C92jisS4Z4%CvMt90bqB^wH{|`X(1aI61RH#_NB(4D;XNv3-PUlc zyIC$2H1XHJr=j4F|^lEWn{EK-)& zNyvCu$8lCxK^Ek0Q()u6v!8DYz*jc(;u6U{n|TSAxx8bS`G&bkMQ@l!h8ZcaNokSE6n zfFEp?9s*D{QK7IB-(zFoq*N zj8E@B5~hV30&D-lBZqz!NDklAY<<4_@)d@}O1bU;`qQ7ygq;}u+6IdQ9y^y_`J=of zES5Va)zMU;C|*6qp}pqFVrZ}cU}z8w&@TyB+pkMEZCVL#{C-=qj|3mA#Nvv1qj~!} z!VO7zWAf4lX7v)lSy3%=7rugL9Vl96J6Gf9ZIy8{ks3JYF+UzXk<}vCNEX>d<84MJ{W*41W z2DrRpy`ZByQy}BCYK)tdd602(W}c*JT}L&Gf>^Ma7cncMEN6iqR&iM8VHu5F=4{A# z_H!WPS*+Z@2az16U+==z~#kO6ms_Nn1`P-Mb zudlznz4HFJ{e0CM%qtsMfWcyoBcsg96y9`NJ;u$-Jm57sa~P*pokt;S5@?3b8=nMB^RR1^VH2DklDcN?B@Wl$zey$3MF`!S(%2w9-GrLD_~6s8$vS0KTnE0%jpc3 zq;JQoqC%M2u@hPc28d94Y9$!a<#nxSo}Mjg2=82(q?$A`CQ8!BW-MPrHJ-&=#X%Fv zzTlU!{t^Ki`dwQOlk#HB+wiqc1)7KqW4A)O8AoY7O`6Q$P2rWtRN&aNer-)K?X>uF zL#=~S?l~!gLcM24bZ9zsI-3WbCTEVgpZmEGOz@1eIO8QN>q@X9^m)p`N67=XIkBPB z+0TJalf#ah6H4$bb21G=JvQfg=7i*?zsQ`ZZrkzzMg2ou&mPG?!)Cn={Gg5_wz8xW28b^MC 
z%3Uia#y*&=*8a*i9V%|IYujZvG<-1?x=?C`s1^j19M52XYAfzlk_@7+CYH3*iD$?s zoiXJAY(5wbh%)umOi#^rEj#*^oqdP8Tx*Yb)nZ%i7dw0o?TN{66FkH2!A^<~-ETGS z2c~vzmaF3 zQjA;Jd5CFp<{%HkNHj6y(vxCwA|jS&jbK?5CvlS|b&;upFf6deWhsE5hOTl0a zMVD>-q5&s>jeh&b0P4B#iyE&>luf!AhDN-XA4Z&f>C>{zjfA zOw>U3(^P4ex--|g4MWa<4h)$bcGMtIg69~dX*gt3?4p|sHHhZHI&O{mJQ8zMVMUk{ z^6UE9p&f8n#@1}|KZY)INdH{**=9o-CY`IkWvA(e^b9J8AUdFY1OuX}9U+ONTqC>n z-{C^E-Bxc~mw4C@XXwI?#Z2f)+B;}GyyRpYg#02LcbDnt<9r_an4G!H<0wg!lm&4l zSRC+N-d)0wr9mCV(x7BX;HKuuZS-;ebI`}+u%otwWOqKpmP~^llVZIsAqf} zv5~1J^36F6z;tA7J`Y(-&g>^yU5C&BJPT76bDqlEP2sbk$%8r+kspU6w;LN-oBteS zEjjF`p#uS_%Qp`B4{i0WY=00IU>dHL79(|^lF()5m`D<{gg%~qG1IFMjM zJPvL}RGfkYcD9|(oOxwx6qSE2FH?Kyb@R}+iho%}0F@ayF}WsME}8B>1N@)0a*>{A zB?hGIKvdsC3q)kRhvdsj*(Sq$ubN|=KpdZZal`UVV8ir4(wXN5$XK5dG;fEm1;Z)d zg+lHB9YeJClI?4a>OKU|U}`)E-h8$AVL4E9-B}pkgF&xOec^p~wPz2iSYyBI3WvkT z(y^r(4@B5TTH&aB)^vn$J`W*G&KzZBDoVd$NfOm8&hv)lJm;(`i?S)QNd96Zu4^NN z^PhtdCWk%OG?MZ|WglT4r=f&tG15Gq!y2tB47nn!THLR7%SH%MtoAEU$88$3f7b&3 zPb!}}{gG5&sAk)Xt@rn~^cqvqL|98|QE*M#Y=Jmuv&5UpQgFCRn6E>%3+wDvtDG=| zI8?Bt)iGB5JbrSG7QvKB9ISQ6yKmC2ygO>hGtl}Y=?DS>)ogGX)J9sxWe!2XDo6xo zVvSDUK+R*?kQ@x%vu)Jdc4LKj4yrQxl(P2~IvgA{2x=eK_|2_r&su(8tRRi}Vui6O z75w4f+Xb{y`;JUVKj2%0!m^j>~*Th63rN2KBG}r#_YK}K-er21g-eqLC0T|t(@L>F=;O#;*U5Cq62ppb6b3k>r z-9@JnAN+6-jDDLax;zOWKl%JEQudJMUZ*^?>FDTu9y*$wIV+PgNuUligJO#!^jRs2 zjEPcSW~(qsdE)K~p4;f?d;}f+wB{T6#pp{}Zwv_&NDbEW?{!vHGhqg)F;o{0!U9r4 zpT%;aS`ku4@Z#y-&_buXXWXe<>|4?5P9j7P268FR(|S6LH=hUNC1-AG9@JcftgZ^V zOY1n7r*)OFA^;R`lU7MO0y48_p%L24R*-}rN+1w-+$jwM>HigzCn*Az1P-8 zq=tQOx*^zn1!{p{u4}Pbwol$ib9Pu&Zl@mLont2F=A4dz%;zB>$(i#)BuQQtEXryC zHe@j?gCJmGUDg@6lcC6*o3pSHki`fB@}kX24tBxjB*(ZV2xCcs(T({`(%zWVu%|8L zuQ#`!?Vz51ZJWhLfP6<7OmgjXFq#w@-;u>UBpo?(S;V4Ag*?i$I+W&;%gaq3mMp01 zv<{mjF2lmTBW)yIF@mJKY)4XqU9uyoF~}WB^N)`0$YaTa9Z3xf$dCU3m-@4)_ciuy z>i6AZt-@0qQ{a4Ta*~~w9&j#jJIEq z=}e=O*kmUb7TkXnfNiOCD@mYFI4o zHbge)g?`!a?Ke;E3V}502V8sY(7;Q57&dF~5s=UI&anV`!%l~!6!Rb{w*o~=P9vuX`IN|);*Ry z*t*oP;1b*l)zi23Hc(ne?7b;eW2Dd-+ixBqf}A^QpN?23IiYj& 
zPR|q-^D;%`%qG~*Am}NtLV3w}l+_sZ6hRO`%+tMj?MzYe&&(8&gI%(DsWHwprIT|; z&m<2_DVfEwFFRYoMEB5_Ide;tqczERn@LubJ$a_F&!+Js^V_9Pp>sy16%aDdxoE6J=Mc&C{u$SNazanHcafF zK{%GhO)3q2EOjNUd06CO3DH=$uGmSd!kx4NSI>LH@tMw5n14d%iX7ut>2Z3WbPXM4 z^(SYro=G043)$k+kQ%)CdJU}$7SN2Ndh$N$E^L-xY`;!IbEagkNTD+{XI}P-oSBzJ zP()$HibgsiaUDpDp63CJvL+E}vPh)Um3gu=~kd)k|_jQWOUb}==5Dn&nyx@O5&_y z&@l$OJ%p?XqMY$8^!+BNc$GT+ki-w{UF*(pP1&{c(_HizI_ds?Xe>bN+o@?UTG9bw zA%#xo8dN~cpa(RH1u*9UGN_T}pX$bsEff!OI2h!bd`GxqwdbQwK!A)260 zMb4rSeC|+0a<2y!%Y(cOxL;OD;4Cdl{LtR(?sVCdy*|R3;C*d3?XtaBh4Uj_kZ#7u zBR2cg1R5>*=jom%q`>KoJ~-)6B_c142!m93#V=ynuy+a!X{odKc`tp@mGJ)j*ePOa z)ow_$t`XavdJN}wpPXnz(K*|lEX$809^|}WRUJx)q^KHJW@W&#y3E5QNz%|w*(gs2 zd%L?6ZBw@UNJaj|+kIp_V!KaGz0r~+O)D)z?QLj{us1&-NyafHp?tmlhF1MX6#}3!#?gmAh)=5>ctjHd1|%2xihfz);&LtaDDs6`_$hNU|Kn! z_a{y`FuxcTt6PW3>!i0(3 zhkhBgyb#w-#G0s1xd{BkFP)gW#82(*Naoru*^cvboAelGZO5sZO zyg+Q%30Y5C=!^|JE9*(mtdO5^!ip-&q$>_NojMJqE3S~AMUaie$a8zcy0f0W<3;RL zN_ud+iS0=V-uB6BuM}8f@7}3XlbntR|J$Eeo-?#aNxtDLIU$Gc$mj@nV%eyeA>1wYcrsz(^){mvc;sR!;wdk=lH zpHv`ofgPMwCxCjtH7a7QPgm23YAb-%>U^EU!^m>a2t^}bm`l+}p>ahE=H+|InS-n; z^OT27lriMMcnrQ+%#yGyLLTxUk4F^E&i4lHeD9c|k;%~!MROJJoug=z)4BBX;?Xlg z$xDmh?y*~sIZS$&NfXS<3q#L$eL#+6c0IO2L?)$QklYfQz~3v1ePL;@VR*p{39lJ) zO=35V`fvf4C{TX_-tQMR-KU3sc&7$U&msr&vdHAjX%MG*SaFsLUpjA%RGy;oBL?Mb zjntxoMyzaQK63^7 zSc&Zp+HlBYQ1v5KcbI{eQYl;AKCYK7SKM!ER2*;ZiFLJo+F(o4Wm{^leE8>}#kDXW zF)c4lOLpvCdM|*lO~Iz&5Yt`X^)OfXaL9IRidJx$FoQf!+k@vlK7Q5a>#WynHJ9$s z=1Z)Eem%;mRm&N(7gN&kq|h1mVqO}aoVgIvD)@ECqR>xSToo}ZW9XgQ_?bv~P)V=Y zZ7=LJeBe&QkJ$@4|2$$ZD8ae*VsiGKei3*Se<5yxq}Y3_*VPc4@c2Ckk}o)r5!lR^ zp#3Wj+|lh`x{qQhR3|>|i)t72%IXRM7e|I4RJX~^etR$MNgBbSLIMd54;^kwH!kLS zr$x@tjCqN9a^|pZ{5UBCR{2c|nZJk?yeOerRg)G)k>(>|kibsN2kylDm}ZdGqGOst z3C`7w$ys^&MYuJC60^;?wUukDhoia{!W~Wi8rcrODFu?dMT_isg)fh_CBy`Qw)g3x z8=9>?V`s+232{>547He-5GQA@%7zzd>B~D=T(DTA4J#0#>x-{M6x-q>*ox`R# zVGZe=Y3Y@6+oZdg_`bJ+=!twaif$9wEtNZJeA7d>RJ)t6yz3pHfOi_BVjQtEMCCCD z(VI@8anNbqZd-XdeBXCiFuk4>aT%&8v^2q^@$8jS%6utjH!X37GS7n(kTZ)sO^P}Q 
zSSEa6kdkVh$9W}hi%A^RB`?!4Wwzl2fxBdSOqoeA!k99X;DMRSJQ-I&zligcnG!$L zP`HOx`z=u5E}sU{dg&zgN{Tl}xXtaLQNVDc0)6oS&<32_{hbir4FoHVCaCxgs)A95 zuJ2HyHFdGB`zB&P_rgUYFGzix4v7fnK_bYRL~6pYqDPgGN^G_9YdFAt|(vZ$n3&b&%0O zVM8&_5ALN7p6Is2rim6tL6$A_20JyVRMQq^b__4vbV-hd*2t_yZP|`%KOwlitU#NvBdl3C*YS~QhGWC z3_=Q>p{n!1Amq$`6C`Qumn;gP9H$m3%M+flI+TZF*l@q7Be$yBV32@DQz(@%O|Lus z#g71)$nh=!GC9`N=bH#kos126CTUknlEdEc4X?nOY?gez23@n7)%3*#eSrevpSyh{ zkE{j4U8M3nE^2uUHQ1+R06Sqmd=0I`7b{E|4g~8rpZ<_`48k7&gReIK21e|gw|m-{ zUKA!6(1`aTVNjeZ3ayd$b6gfjb=AlH$nX59Zd0sX0086Fo$b*FOxJX!9^CGLO zh=*gTIvXVt(0Ge!`Z2%g-L$us6BK;0wFJ>ycxS;KQ4=Xq6& z%I&3vHrykmffJLqHaXq}Tidawk*)2J9NF5WBvpS&3fu~8#csSwJQY-fkNvJ)nWD=+ z^V>o5t+j69C3m!{L+d;7EY{U>4;LpT497yJnNhK5rruZBkr^7lN-uV!ZbgfgYW&qN z0tz`#D+T!+E{}*58dr;O9yo)XIZwl~ipq)waVc0_W(_N#Ub!yHs1#Kg=57M?B(%X9 zAq{hwrWXH%Qhag@tegAPd)I_&Oa^W|leE1ea#-CR0(Rqv-~WI1-n7YW9Z47dD~gHe zIdL%eQt(^!YWU^giDVjh0$rJ=MI9GuPMSK)fXYW6&+|AXX-exx2K+op1CHMX zPb4_n;4%%LPFjs$<1`Jw7(a0!xufCOWsQdabhG%*o_YeF8BnfTQGarDd^q{aqrniu zKqE4s8<4IAbXBj?US7dZrd9CKmE)?Z^EfFpY8mr`gR4y@~-p!;u9zewqcAG*#AxKdpV zye7Lp3C?1;AE?$1wmsXD2WKJ)JOu z`}t-8=#HJi9#h+v@rQs-Q#MzLHdJGsb4?N?w|@T)$%C4<*oOQLk5Mf zir5k+V51%rt@B}8CM0&)d~H*(5AeHYw)0e=r{>KbS@o@F)f;>{_XxdRJ_xqhJUk5_ z8_v&P$Aj*yEVrcXMlSbp9y9J*IfPr*3`Emh(SUyzx_i!YzI?-^`==W@gXi zO+UvB4ZCeT>xGJ(U}@8^0O-oJDGSO9DmS-0Cp2ktBKNw800B*&YZeT@rMXyu1TUVS zW@(tb-_kIt6D{rHia)+EW???w^e<8&Wn2W|)h~<9nyKQ0R!^zo%~qHAa5F+_4Rpo- zz1_kfy{l`NcE!89+i}%fD0$fFKqg+7pS^qPH{wzKRp-Lg+0p!{3i)i!mK&i$@3%5c>O?EMxXzC+j9FP=-t1 z72C(qk=PI2yV{;@Q?Bhn9P2R(E8w&e>T&Pt=rv%zHGGGtG@eR!LwXO}p|Jb)*v{o8 z`D9v29$i@;x}c+v#p6oX%9Rlf^kWdY8T<-#53ck;1%Rmu0L2{3 z{Jiz73d_hlUOyRAVoIY-sv1`AAG-C1Y{dF;$fL-8W(lLn0r=T(21t(WqFTXcTIl?} zn)Tn=%Klqk3<3qpaVyfob8d0TMGqtKq{LJ1PQ z_wz(Om01*Ies$skzogocsHoQWpRjLFT^o zkm5LjldKSx_gWz;b($4=ZaQFv_`=A3iVD2x*0UYv|EAk%#W-S)W+uBfM!CuCd<4nn zzV+M!96^T@nY1)(<_FhR!#5SPl0Hky&99luU<@GXvsP1bNORk+8u&!h!Dfe<5qdX1 zGeU*JW|U4tNuVodtSGZ4Z;7aKPH2@gX+b4S=4|yyL|&GDGjdT9=TMyQs26{^!D4ONvk`_6I&bxogG>sjxO-lw}3kCnbr&FjaY2vE7en> 
zE1T^Q%h{@%O-qh;vXg;)c4*#L2icRcpmB9*lUH`+<9s8AQsZ;P=FXloj*FaNann#6 zs9avNghxp%jjfXZ6H`X2Mn;n&D`>-c-Bg9Y0G_(2jTFZ?oMv&Dyx-!`;RL5y+{M5Q zRPyH6I}EqIzjwe%jIC>MB9tIL8LT;1F;(!ZE zWlx6{kvqN8NmRJDJreF7=42$>uLRdscoS-4CU@?HcwFKHi<^d8L07JuqOPMjA#G7t zgk~Zlm54J^id3+)suG^~)26A5T1h9OR#17r#i96-(=6^{;0nI5cWcDQT>uPB+TMR} zyA4yPs@tzN|8Ie}(2nHLo%wn$-g?%0`7~OBvR=r~E(K7xL2}aEfzF)jyHagTYEwJ? zrbbg`D%ysLq^k}RqI3DR3>GN&z<#r43Ub`odvY=S>rQdX+4dC=*l7&Nt93jnQd3Rdqj!|3LAYK#4?kPVWG3Ts+_-fPoqK0rJ3D( z?JLlOY*s@Q+aGx;S2KB6^T+ugaQSB5ueT#fo9>&j=D)Kq4^yCUlRukt1C=nV z_>A;h?;VGXJ+Lrh@hFmL#9KdhK%zF{$81I681UMhBF(ebYTLBTXzrmEaScA)59E8u zI1SdW@$CP8y?bs)s>vICba;zZt<#QY*bUMZAMpWcw{C%!d+}VuxZM+};$4(xE+gvg zf5HSs>mzCM3$E|OUs7( zXU3&2h$x*1B0}XoE(9HBa+(Xd7(oyV!qxAcBkr?%WL1Dz1M ziKAm_&`tbuC{j8NiiECQW+F-Av>|Y~CR84;Nhy!lq>`uWTpq6BZ0)x|7mAclgd(Bx z9t%X_K&M&Y#WO5PG2YjCY$sT|T&BUdH#nPZlPJp^u9mxF=QX<#69Wt)*A za4sfPo{R~TCu5S!gE5?o;aKdqEEf!vP6Pv?@*c|y0CGZ>bukhsv@l{>m=t1JK+%mE z5jv~~XuXfxk3410m(5&L$Z7g-bxPcf1dUg-e#ut-LkCAw_~WBJCo7Y4_E>#!1)zi6 z(f9Qne)?w^9txsD4exUNPdW|%gRX3IO$1u5e7RPN5l|rYE-Fj~|U~%U!_r@b+3~r~tY3O6zH$%fe((I2bGx#=NeH6Wc z@XA9nYACxLI}5U9-#tP}cg8jwc{OE&nt)klgzS!}7E<*Z7>caUq9z-xEZfNgT62+{54pmLGel=3J@z%xzxCXlyXsFpeuoz70OU#Jey!=y%?;^dixxuf>k67; zy6<4A1}(OS*UP?)E2?V8=)FHK2PfDsh5APlGI> zD<{06dCF^2*SsW@@r1BS)Pz?FqiMt9hWU?=)P*e3iI62!-fz(8kRG2wUkp@2CHIE! zAeN0ukCy#j(s!g*Q7v>;I)6%eFzAdnUW#(rgG)6lF8I1U#* zMJJ-CPp6t1Ki2B_E@Rdmx>sfz>8%i1Q(zJlr4uR+uwAy_K zB5CdlW$9HSZs#g^rbM+W03rz6T&}Zk?8o?- zqqU%G;G)uNIwZ(e!Om8hH(%rD!u+ymEJWm~Y(@C$NYT-__FNP{@_~$pISfwJCmntG2ki>w`L$OzH&ep3k^`7Z?@)A zx~X=DXV`Yq!@o%{gZepak}u@rD67F0k+VUTalzi1H~vv!O@(jq-+W%PwaJ(6%nNs z3s|-b*rF2wTd2I>vQgxV$`)xAK? 
z!5jr)$%UmSxtG2{bqWrcEX+_ZfkmN0Cm8B9SQNT4prP8L$w-k`j8Ku~gw+hJl`;$1 z@EfWNi=q=@QK6TYGjpebs3*Vgl`ZP#d z&45t^XFKik4)>>ykEIQ6VGg6*wAYW)KKXpjw~yvSd)v11Gm2Zc)nWK>F{yEI2jH1h z#ZO-LQBU{Qj1|L;n%i173%zg4V>8Uc0i-1`r^dEZxFTdFMqE{iyV#b!XeWE<^|55mxZf%*au9*wV^9>(Zos48xp073{KjtCS?m8 zJ5|ZDG!toB_<2F7i)*73ac!u)-v?k)+JxS$JNZT5cHObTXSd#)4%t5@sg^`meB+TD zGH7F$$7a|kABTAav%Xtw?SWYymjAY08u}2`{TP1gxA;BGempMzLz)B^|M_pLwQ7DA z|90>uo$}s5L4K4pz-fDS$^rAei~!qjs;GtOA=@s8VCBW^UH2V))0Nw*Ijm}0HC5=b z7OG5FLs(JEt-ZB?xo4ZFl{q0L5y>NyZ0MisiJ2U9beujTLl3Tp#5x|!PI8uO861$x zNPtqSj~=`#8;HPBPXhAubxLY(UX zQA@uEZ$GG{9CX>dm?3WLY>*&sq+u^M4J3%JToodXd0vnvFF8!eVWdh}OyY`GS>EI@ z`p@gdG8ZJ6O#}&|@?I~7O5J|CJMOqV_Ze_pzO}AqKWm4hS!ma0z~4uCz}a994ZYrw zAh9#h9BvU!v|tu9oVRQBVR;w!_s5+Vx}H2p?GzvOu0A%A+Qg_-H&e#9WGKMspr2Kl zvmSPEG;|Tm#!Ra+*r6SE-A39YAH6pm9AUH@R5bt|V1>2g8FHBRoHI^+v(=A&I9%F9 zi*dku)=Bs@W4-2KvUljzLqZ+&b)!B4H-Vs!$fltc(UmPCkpRkx0M3c9y5^*0JgF*C z1IWqmBV4p%HW96e%KLo;ItdQ-5f?)heQVjFpBQ~7Dm#`!z{cO~x&pm(!XLh@=iiv( zLy|k-H?%zlUFPR*CLd2)4qRm5QPcJ|Rt|^qhsy;8%MW+~2Q;WFoeO<`fIT!3m@%r; zK@WqmU4iS_o7*kDgc%&+dmC`$!-2(8#msh+NRaTcW01xxt<06y!<7svsmuFzzejbm z93Fdc-OAq?PAaEpJJ57|x;w2FgMNXyW4RnPnN34YqAOcuBmoo@p=C@-73C2rc+5GA z1c0FYj>SbyW)o49sJ!2?cn9$L^CzA=4!IZG&tbr z!!C4%_BB>ahGa)`yrJrC;8xU_d;i^xsbtqZ^{#&cGn1cEgpf5`=p2iQCye2mi=sRC zCDR0P6$;zfG=L$xvhDOC&~rejNNc%oCk1KCx)N1fL(75R#$145HW6Tm%KL2$lY0FF z4%+?K?l_Unt@nmQCU)VXZ+xP5M;ua*W@JR&ZS-*&a0AesY8bI~{!nUt_vrjm1-^Q> zgB{Dgq2otb#16gV4RvJUUK_UEpL#eZbn6Y%DL{>HI=(989Op~kt${t?a8nEqe(a%- zJ**vf%T;Hgp6opA;5$#QiZJtygO1ujOtI8ORfA1dyR3bW^8P>0!5eh#=4uRCOh3eK zbYo>8U9eJd*aPd2uY`G&ONJ)m1{3xu)8LHg$~+PUPs)byD$QY$#Vo9jX_zER65iE*e|Jl%cZXquDKFszIq5_CJVipt`&ktWiwM8}_@< zolWz0hf&6U9`=9fF)a7j%eP;k<6u3nx6nBZ?B>gMp@+v0&kkn|<;8~HgTpuAyuOjY z60`G5cgf8h8^^P2Ki>$l=?MIHCRYQTB(o|!e0I26hwXkEJQ7`5 zI@>Je^2E@HM95P)V}#XdMhYk+u(|^N0KeV4@W^Z;JQ9`n+dU@r0ZxQ3^@;Fka_rW7 z%OT76Eo)ar%p4W9b9=x#?quBEK-V1<@xh>XpGWWN7AZ95&z(65E|?!NcAS;ZEWWd- z3xJT;cK6{1tQY1!R)5mzE_E`HAJk<$2Vk^wSb%mww$_zZb^e`uw_r%*epO~2HcfT8WA_Vm&s?^oUHR=SgKLW3+# 
z=3cEe4AC^egS~oz0(xTK&DAhR@PKt!B@)KG{~vm&%kFnMTXo&SLOyrC0Sr#yQC}=} zxEvUnO#?=vE8Brc1ZKDp%AD*_vHd3vx&e+RNn8taMraG+}FjB zNbj8|q^`_(9;%bK_7Z{({-`GOe@1SBXgI$$SQyxZ!(GbN$ zi{V3WYw5L$o>$T#ie6_XRfjWppWV&-oyG%v0TC?p!0!JyeO*h9X`lsa^@INBomFkA za3^Wmc98GbZwwtv97DxYSL--*feDLkfb}h=!5aI3>Bgdyvx)q0)eYPBG{7UevK_rd zVB(9kZO%wpXDtyd7Im98F!051+b-ZSn+SMB<^8seO8t6+S@gvqN8e(I{i5uI8rf`~ zZ5SY?AiBDl;2Au@bKM6hkI)Uk=LYcaPBWvj7l7LCAa)Uh#BN9#BnQH68)hhLa%i>3 ztOVTI&~|MNlCQViKmdneN&%GBz5nEF)=uNGbWQU{kNGs?FAQA?w}l8u%GW~P+c&YX zJzQ35071(eGV7=Yt>Jy?9Hn%B-H^f9ZIcAS!*@9Vh`@c`uZM=LG-2ho+wI*!Y-P6^K$AcMFdETa@UB1BvzO-iYs$1HczgZV`CAS&;538)mLl>GI3 z&kYA$gKtp}ItUfp>3nc+T!-v4J@$d<{{Z`s@K*G7_rXxB8^;6hr23BTc5gj*xr4Jg z=`P1CUNi4a9$!iB74wHE-d6RmoWT?>8N^PJ&za-4lN*FwAypuMR&?H_qvmc$1>WFc|)os zZb?S#q^he%q?I4^o4eS&9D^tQcJoGtk%Irekp3O9#*0yMzEu%xL`ezv56~Y#b0Gkq zJ#>1K8W4Z%jgJ|yt^dv*SAU+}eb^m?ifGXJV?j}o6ZB^q?hIX-*GXO{HLz;P-GgRL zOv)sWNK^4#@R-t~@snQVF77Nxp-Ly{&&3ch->QiIU=m-9|5XkTaxRuD(Mj@83YQId@Pa-P8ri+J;GQMBAME2chR~=|0CwY^NyD#Wi%_ zs)z=mWy?W>4tOB|y=l3v;2@|WDNt~Ewo!bw{a#O~?xbp-V`nbx9y|`{^4e)Wt#*p8 z9Em7xGa(4gX-R03a#Gi2PKqS0Xc@`SrwHheTRY9sQrZdnb8!*Vw<@APn8ZslV~Rt( zYe$qmnJ;C8v(pXTTaq<3P2`7I^LejR{eu)F^w#iahlLT!fbt3&O)Qm69qn$v+&TPA zdK}Sm#uR*Um@RJsO1xX^!lz12z#L29cN;#2>FW99C#c8?x;m{Eh_1{do)l@_kSJme zp>f4X)g~=zd6BerT*e~v6CmYoEigx`Oeg5-#pOBQs)(+hz&`T#iOJyX%l?^HhDjAH=QOSRL ze2(4;u1%;&SeuGzH3@X(x~bxXW}LJlO$ZfLNmx{7q^M+U6}7Z(g@1c2+?qsz-QFqM zba8pWw<@AVn8ZIZA&K6DM}IC)XcyBG+UUw@U9c=~1j(W#f*322-iX79o+1}zROe0Z zhp!ZFLc5rd&_-p$`g3+d81@MzEF>Fi=!IvZU%ZHg!=Wx$iyTpjLGQZiN& z!4sC&Syq&}KOtGT>Fi=cIvbS@YtPx~Y*ga!9q^zFd6eYxtaULhYmKfP^M)09*%FpS zIiWObNSUORWOXJBiwWs%R5p~5^eu`g5!ylb&r3+6 z_uxxNqCzJq(6o#;x^h92B5PSjDiM`ZfeJzDsLDw!H>|Xj;c^xQB4#(ET};Smqq1Rl zbaqM`m3X63-!2-=AY>1)ro)V&m-5Rq{s+;OOOn^9&jpu){m z7ZWnosBBnS&dyY$5(lngw%%$das+m($g+U==6=!Dz!mN)&@fnQrttN^g|!79@mU8= zD27_D>6Sl@v-p4lS03ZUdflxJN_A-BywG8VWvz z%X@T2%9zu&jEJmIplk>n)5RHqD3X zwO*UI>keaaTY2oEb-W+*=HZ@(TY(C|INZT3dObXx=VR+6<2ry!?3cNnDz_cJk|?PSm6%_R+;o09 
zA)SxPhSliobUwb;c88c&=}B+<$06o~JpSz2zu#~E9M4pn-??ccS;XgQP@xl4 zWLm}^U0E^7F?kXx>m(=A?-ZnN@`z+{%F>)xRTN04m2SqqoRG0cWy31sA!_yH(onI% z-RL=gChhv$T1H(+0|$C3cT(W&ySlAonb(H7HdZl*30@G3KCHX#{ljXz z8T-Yo;+i=)o#J6~$dhddg`Ai0TlXpQ<;8ipUrx!>wGJ35$m_zic>mNJNEIroE zYM8_3ZI2QoC(Ew(BT9G)Z6_*pf)Y+EPM|B7z}r<;Ede@Usf2Y(s#+wZj#*N)g<=Et zE1_GQC?^yrP}#5&o(-u-C0;@Ay6Nt+bGu-SJyGlxx@W$ZkDwxZIJqw{|9Z*_-+;GX zx0wzXRqbT`Kr{0ii0`&+aiyn$!-qCRg!zN z?v8Tzz4P3kCtSR|7*b9vhM+4~t#qIzElH9Isl73cNX^rPBt=$=TnLCI{o3mmL&^!o z5L7m-y*QI2xUSomK0k^QS?VDJHi4qEKO;I4(OI;@VYw2IO=U0x8^)=$DmT^J^pbJF zw=Zp4y|*VCvVT|hQf&WXFJ`yMU#<>TF?Xh!TLzLx;An-?q8e%EVic}ibj`pIiamc-IfK(DLO_a=LEOTRZggLp|WA$fJs`q*kLf{Db51Bm~j?2 z!{j-Ab!=zz57i!3d^ed4M}^+dyY>TBl8W!xsI3Fll%`-Ahv8X4z-z;$mIEcL#$j8& z8I!YC&F;Wk?ZT1v&&}OXrag zW6ZeaVv=99w$Hw(X^cV3#V(^r5>y>(u20`G+GX-2WZ9U95*5@##E-cKlA1G>oosC` zab<GwV|P0B%VYSHO(8<>tW%m5nj zl*uyykW*AJguBSIEH9EKkCVU&)-5}i6Uxr0Y}hrR?M@>td~kcmuJK9*esIpzSJS4X zrX!L0lBfxY#`s2v%dm|jt|YuzAuapKu_Ca&G}`;6*=`RH3q$Q$xrf2DhCTXz4M*M~ z2!J4d`=|#uJb|UI8J328_Vt(kxrzhf+=yjleId3!_3OxP%FH;SXW)(?bX4_65Kq>z$BM}L&57Zp&8BNKz~T-)~3q|wP{o~>>bXoO`{Sf)KA7@l4U#w zYW6=JPH=-ED^8${DD3%-X{g8v>N>52jjl}Nma$kgq%PWs02K`>dCdrAw2Cs3)phA_ z^{?C#b~T}djmid9#kcBlRY4_;s-$PB%C*Xw2Necg)aT()p|HwS)5_K8%0*LUdD~Q^ zC`+j*CCx}xS1sXDN~1~!A7$)6mQ-%Jx|&d~MrFe)b9T8JmGCw9*QQ@z=L(tPV7-=F zqZP*L7@{ucx0<0MCn(Fb!Zo@wr47&8q$VtaR>dYt31gxpRm9Ua;Sr-e;9uOrbv2=I zjmn0V<+8#xD)vVC4U^vlRGtFmUBP_utx6l|kYJo3EJLg0pmYb`=S~335K1QV&8+D} z4{*p~;?U9=nEoha%m_G}5gZ5;eYE_1*@z!vC`FGrM!OiIp_kO8QK1ubbXrXsU70sg zkw$X+i`o_%+KPfyOsZ_c;)TitLJvrXg%X=y-?0crCWRU2yTZP%5X@5%v6F#e#}hz7?M8y zlCAoOZle>Y(o+F$UhcmCPY*fR`2zJ?=M%`GA}6Tfv@#^RasjinlcFS90WIPzk4Y&6 za1v%r)UDtd^LNEmZW*$gP=-Wh!)kbTyB#Vq91#E||4ypM%dY!fZF8>9c{j653Tvp) z35qeTw+>x7iFq0|Nk-bXE(mRNM(Rq)|4F4%q)FKpW#Ly0x1?1~C~2XxVa2$(q!o~y z{THNLzpT5*6}nGdQaC|{PSAsCZFA_#Maff|S0#z_8hR{qc`OvIAaPyQSyeS6YW$>G zm0Q24Ce$xb*{~jlSKkQ*&~SkTI=5wrqZ$?d#n{YC~fUv2BzvzM=Kzdj#^#h6ZA zRpHQE+2@s5-n{p>>!SDJ*=a6Mw^!5Ju+Wu@EMj%SY7(VY13OJas;nspFRO$#bsQBT 
zMRHT!)r3?xDjQZLOfu|H{F2(Cyn0}pw_kn+bpeh*Z;JAg#w=9m1g)5s)karNlZ>^w z+-5j~5j=wCgvnz(Ns^RtQPy>wc(YD<8DVK&k)%v2QHV6oV=pCk9>uN> zT%M-JWy3mfZkigG_$apyc@p`3*?nJ#=3Xc^Gy|y=KLA`p^k6_lE70^eGPVzwI6);Q zC8P0`)4VKLB%MLQ;#QuHE5Q9XjL)G@V0>lP(m1DzyaAFY0tQaURYqz`c@gEMh$=7fM;@iFdR(3d#%06m zaW1hLE&+KDRdLun0QZP)hn2E7te$8@JKmemigQv2*y{dNl3gG_DezqG{O5oHIsS zo{+Ywr6;0kLS)b?LzzP4^4KhBBHglFt4EfLG6n-ps}NIif~q&-B1WPEeysDPMeLR+Uj1M-gdq3PXj8 zf-s)tBo;i9r}#E6GVg%oJStr^x;*8J%ZAnHT&6T!;_plwj4$L(+gzN`RiabW1Y0?) z@~VkaK?LLSj2;0ud7KoaNO_itGy@t>znWC8np~dH#bv{4f=PymgK^1!HgPb1CmyGB zaUxiWPSGY5-dwPVF(I8!srRm!R7DjNQKhsIA}uoNKeEMcA~>Fq2u5Xt+Js65wF#Ac ztr-D-x>=}c#GjWxK{J{eEj2W~4RO&8oZ;5n{sL1TyJ_TjLK+#B4QmiOIm04qa23Kt zzpy#%U9OIRvjNV5?)!4+7aqF|*H5#h#>1=y0WY=p5smxX)w%6*Av8DAlkPNvcpU(; z-FCG&stNBrx9r;qQK1twZ(6n*U71EKO){R40=VI5C2~^cO-a}IRu z3E65?Hb8prT@=x`aI$(5>G_VnqP*w$ZFqI)@|1QwEv1dFT-P+ovxt)xh&| z!bqIPaaz`;$Xjo(MjpE}5K47*^Tp@5P(ZW>`w8e+)*$+uFEbfRZ8eJG z+0CoFyXR`|q6G#j+7jI|$u^1*rB^~sD&2}G?xG<&SKH$sit`sPWUeEY4cT-=fIga) z^u_d+J5b9R;J@nF-Y)f>J@p#_bi}}$vRx`2I$TYO42;1{=k0s22JoLPw2iW%{d>M# zcHh*GF90E+dbW>~+UbU66)g^QcmQM^n46d4yRHV<{&;maMCVSN+efms=$GU*v&$<3 z@r262hp@P>=~JHR<`6#}P)6vEPpwYz{O2AgKjH(h*Fy6oYIs@5 zpcjT|a#4~}dIi#^A{SXx)J++PVBE4rJfUoX$_9M^CK&Jm=l~aGGXpo1Wn7W^3p%S0 zS}Lyxm5UGa<@Sft^55pmru*K%P@lRTJ~fcYNc(!TW{(2Q(^!7D5=)}LM!8wZ_oEK? 
znwYy=XeR*nr`NpFBR3ZdP0BPdIl+3)DGxQL3sCI1&7u0h`3-4&&sIqv#R8=TU&`I)K*a0a6pej zhEt&X4^M$?UAAW*VOaTR5dx}6@v@~!c4sv zc|AqFfzWEc^SmIh0bO44iKkV3(3P9GX!AC$2uq8C(2^yjO5>Jff;FkAMVc}{_9=EN zKJkQ#4=Nkh@emCduI8BJ&rt6h39k$@j@3JU zqTyI9hImbJ*=^WTblV;Z0qsWRdK&}g#XR^0IDcFypn#t|qMXXZK^zxSZ=#yerfvum zSwxDOXDyS;RmFkBr(5)iClq~9*{}wMfckfT{ot_4DcE+vfnry*VYF?oh3tmZE;x4D zG)FBq--TGtb|z!@SF?J%u}p?PZDu+#vL~v}w%`i(n53oh$(R6`QfCkFd8u5#_hU>y z-ps&2x0I@Q{6+?PN4Nz&AOzG|t=K6C3+rB~bBX$;J7lD`^(7-L}kMnDN5QBn)94gQA`QvRb25*nmqSo zkYcy28&4?fqOxHN$0UFK^2vk`uYath&i7vdaON|5>`He6s19~61J=6~TxTa0gL=0l z^3RX+UV8vNePaH|*1BJ;mtPdb4^PH#SnoWBx@OA<0@%L0QmI9GU|Yz~nEhK`RePS@ z=NbG+FE;A@C2v(e`#k0yIwO73lW(gf zVLj22oibkcWAgRSze(4;5-M|z7%TQpY8DkdiV7096;#cIJV-KWws{n%G_T7j4M24g zw`!hDsG6g)L1RTFZ~pSDG*%xgif>gLQU5N_h2IoitYIiIVJ;WzjnpOhjNB5XqOZjU z_Qo|x3=BIq=I*;Sz_v?&Lb2%AANt-y}1+$41xsWyu^ zhI|~%49|;%BxRk{G|nql_#qmJTVPKn6xdPOu(Dy2zkU)MbEx!o1>;xvBEs5mf$tYZDA+k7B2Q%WnACpDrN zY{hxDAbA2TlX(MWnxY|1%jG_i z)_G0+WtzlAE+i9>3#e?^kj`$#LnS`xz*s2a_?8J^TT}7BHUtpnQiB5?Tn7Hl<6RZy2SP#3`6>)-`0f!M?O&4sAQ3HC6px*ifgBMGcs ze+wX@M^!)VrF-wCW3MfI#hrFOj6XTkBCt1=XL;O~v><6yXN0zGNvb4@NXD9!r!`G; z76_@_f_*ZfV2{d%EdrleCf~I=9Q^vxXB)l_$eogihS=JJDr9yJQmdMk&Zzv0J#ns* zLA{y(rHsYpj0L39nk|NJdBzu8bqM(N*4a<(!KQTS?iu};09GE*4iR`E`1w%i3@z&Zw4 zBTeTyw&|VU^NETCjQoQZ{hwH>K_4kfvQji@L|Q=;LQ~q3vZyPPm2Cy-qEbZuQcdDQ z3z7-Y0#r6^jc9AAw^W0Q4ZU1y+Qr@s4Gk|frAKzp0O2)*Sp*=4rQPY$y{HtPt@YKbH zBolBUsBGB$G0A}WV`6U%jKSK~0MKwMCd1dSa6-d`zhMHV+2!_hU@z@<5fR#mH9X_}=R2UD+~_*a>~1?ZK=fbbIvZ)@@1>pG zakdzTkqs*%wthZj0u?#I)~7)xLgJU&I#Wgn#}nmy30poj^_hV&_ENH(MoAmTgmW2) z(}bslC2dZ44&c9%)mh=MsU|LJBAI}iKxMqa2*NuxLgiSdHD;>0o30 z{xIhcp86!jwEcsfi)piy3f=@(uCwgBu+uBeE+W5Ipn`T5oXM>bN~~%~pc|s^0BHw2 zgF?kJGwy5F%%KSdz~;jw&JE+g_nMpugft+;fEGQE1Mn`yV9#a*#YIjq*lD#w$1CcXu8>=yVn%&?m*pP$e{5>F!OWK@!tn~mX74GjA3U4>YB#z5nIgAzn;53 zPF|Pw$Gw%EKD2j}%D+I|VnapDJ)DoaKt)b)57ST=A@K>VT7$cG;&c1EP!Nt-BKDdX z&tod8jO0aL5L(L}zAhOhRh6Y#nl>yCv;e0r5F?!c#6V?(mWWFFqis~oqMOGmqS~Mh z`WfuZM$Mr7R&__ST 
z>MusbppqY?8+^$YK;gI!wOe?;^nP>198a>rXW$Z^A2S5g*)wB9S?RsJR@1C?4>h#! z9GJ+=*e^WR%s!Vb!^+USS?HuRcE!cQB-A+UC@*H8moSLDpWiPbgkN$+nW+y9irGj0 zSv7vwcBz$?Kd--Q~_G7zGc=wlIumn2# zt$F;z-$u38`TWLY~Desanc;>+kVSUD#1N z0d|DShFt~@w{cwt?k!Nx4&XNEZGGvDeETX3Cr!~IJu>B`53cqj`h7mxH7as~eow;% zg~ZR&Z_rz!Uyl4WS$0dJ&&cS;HQH5m3TMSQBs z1{L^NfxUpaS#BYZ5JY}|5T?dsmr_T>fe&RjRu&3d0X1Xy*U*iF?GNXpicpag>}MLP zC?tL!uFe*^i3tbDBeZWV#m+Z)ru|^AhSP#`+NPw9qm0lj;iROQAXS}4MV*#e9sm-h zE|4gl03Fr z5l*Pc3AQF?3bR;D0PJthI)N%qV$A_@^zkbWWUJb8Bl-0E$Nd&{xXcft5j~1jT zN}A9nj`PA#8lRBjFt%LywgMw)^*Jc?`Dl>Q-5sf%DqCm>i**|3shlK%Ywy;qCUwETmI zQH9MKJ+dFreKT8bA8P=V03r>#Ae#=z%5;8N&uSlkWjXKndeY{tdzu+14MAg$*(g*? z|K81o2Ws!uWZ<^|y;7GGa{B|IcspBl(9t;u9)pLcUa_wOzltUg z(EvR8N-XBQ+X7{xZt`4p-*rY^tk+u|si|fo)--d&`eu9t%$QgT!|^6H8AjU7pt#rw z{S??!K{D`rr(?*GH-^hMcP~wH0~{}Khy!8b$;YN2W~3TXZQ_QmY2 z*5#&CV2u?hv?c>M!s{~tJxqftqF?6&GEk8d^lRFP26W}DNm`cWoMbtJLq|zTS+;@{ zNs&@c%e)Tg7j-cXbOOc!l@00_DtVHZM5V2UnaZ4=mZw0!_Ph-^LPHdNa2B^^(W}Gs zuc2y!D=9tz#DSqVhAS8<5>_xetq#~jylcp9;ltqCk%B^(M36*YCHf%5Ggo|LS0>0>Wsq!KYXTN19 zm;baq1bW6xGrPOHHR;>q^i0yP|FV!@F*N!9ZaXMm%x*R_sSAcz{qvndVLSf4J7iyS zS??@+Z7rZR3J%OLhX4$80BF`g+J5)p2D7j8E7qvU3Dz}@lOrTPp)0{`lxLb0_9mjD zs$!TCoo7`^Xj4U`qA)xC%DLqnbbe?cla9&e)-ldwlJ1JfkSFV zd<+-1e^$n}6B^0Wz8*q6P9C;_*Y4*m0QW!$zsG1K7(bQreJuEOJ%zNrCxZ>b%3AhGSHf*b2W{wlKY)t-kz_uBNb90{DH>hWd48!TUy*d&K+uz;kzC(zIpDQZ? zyQ{^nRYCwh@U7oH!C^4cS!R37Af`i|0HXoeYG4L6+6cN@0e5NSjzcdd_o($)7U7#O{} zH+6A&1)EN*V52KnN!G+|$w?HqDWOdI$cmQo;Kb@SVsXow+|Oq~-3m6HP{BrJJ^F!` zuH9VkNy>s<>AiM5(18dci92(~#{Fiokt+ZWJcA#!ErNG5T6w788#T$)Xb+3 zH@2MWRD7T!W9ZEw0JB*V^|T8G>3VnpQC03Cb-Mtw;j1okY%~G?38F z+!B8_p~R2M;s%I{oNa*Um2O~Uvr-NM=CL!1Wj7XormKzH^{VT|bEht;`$p7Nh?_;b z`^zumnPN{lRnlT_zLGYD!3O6Wh$m#2D~}SUQ)aZs9?m4ce$*+B(F9%-t>IV0Swt-~ zraPVu8IyMwRe3v?F|d4}PtU=gEKY%uJrl#6oGjGrL^F2th-47L!4=9?WcDhI$;R{v86j zLT>{Pm{E}vlxkXeJ|unyMb>!GwJ(S~-al@nrR(n=VUb0jy=_?B)G``tc$E>_&{7^- zITYm^&Z0KwS?E9hrOiOE4(WhLZ{K$? 
zK!r}QgK0hRA@Pf17Vz7R=0JxK&%FPQ&jE&F)cD8(nuj#*8j6gmd0tdU1+>Bo6lB^9sZsAvLy z+%3Il6H4!>Y(OJXF~2IJZRN*QaiHEN5NS8F@1jOD^Ub_l&j-Z zBd;StXuN_=Iz#;p4 zc6;NBoS&)4ExbTPiLr;RM4i!wHKZtWIBUk7R7J{2o7Qy{r7f=lj3Jp@?ad}sdr{ed z5??mg0Tr`Ulk;QByr+=vfCc!JqKgBX^`$~Qnd~N_vzK&tqe3V6?r9~|kof;l-;Fnf zS9y_(mPAs)q4lC6tWIL-z_To(JmO{Ir%}(`!f7_4aEi(X)ZSY)Rr79f-S-YPka}!c zZb01?8@cqwwS4p*28pP{%#~{&pI*(bXMYjvTF5W``tHl8*Ka@1p7rVzN`9qh3`p<) z_D){+{cI`jyUpA{4FvQt&-=&cvu3NtP|r90OqjyNZYosG@o}4{?H#L7{QrHCMU_0w z&f%_hhw^fFT8la6&HBRn>IW_Q zPq54Cs9hejNIkuVz}bm(OT;X(=S|YMj2WXOE@045UQtrP>@OyYrf4W|z!iS8bgR1A zgsLto8!$_6WjA1!nC$;=mebAhlCm}`bi!^st*ni%ob$5gbxVn&?4fy70XcX?Qc)F# zvBytjlDTE=Y(iNZl?@n(w<{aB4YZEE6Q&KZ+2@Egm4W^#Yx0(`Dwly$l{2YuWk%w% zrKRfDF8%aSxm(7~CzNqfS--;JVqS$q#f~0wp|E*e576uQ^Z*qK>p?!PCW)@h3R>_q zi%8i}4m4r%oS3qfq*dC~oD~J90X=YQlKF(1Bq|%wgFwr2KpimY0Si3jf#K|E3p8?v z{ignEJ&{G3Jaqj=6A*uWfA?B%n2+|WSwAWdbR~U^n7udQmM#9=8OYyG@)>bL=v{l2 z@ABGZKB0E`$+I#qY9_L}B@JsULW?{m70+_gR!LdKWfjSg(XV`Ni zwGI;lb=lpkRD;Q|TN!rI`TfIYU^~?ubjM1J(8PlQcUrW|d(*0c9Fch9jAi7JAFgpOD`)w#eW zbxCgUzGKj~c>r{jhFY6Y%??^M9u+1<0F|S<@tZp-xB)B^Q|vxZN4z+!WNPs}40LpF z2i}6TqJCt1gT0{FC`&`rvW1hHnhm8cb+7t^|cx)~}PP=f$Xb3hx=^4Sspd$(22 z>ZI0vU+V zBvZ%MA9}d$G+TL^ezFvzn&NqD(ox-ZsYn~fAa(Xxq3}S&L9uGt1F4TTRXI!Z47MIU zGUpKCG4$3R>3)Mnfl%u^w7HU+@!xIUNIbInVi?PF^l33~d`Ynp6*|ETC$ye^@~j-i zZ5-EyJi?U?aQtNuR2Mm+jo@*`>LwL|6P;W6%O_O+P}$F#vg~*d>uZmoZXMf2ekzUl z(n-a6@>wT#NnucW;)i?=u)U8X*7U7r{)21JUE6WiM|A0uA|NVsf-X%f0*1uTD>e+2 zDx`-I)1+J9v*r8`^@U$kGGcj&!s-$i$-DDmMDelL1muEclmM{-z^h|g!2VMak)?8D z;vA55e#LidfBA&kA1WJEe1Fg6iTG;tDmLc;1BvAk5PayvW$S`7rC(nJ`PwL()tT&Sx0x=cb+@NA=s$M305+Vyf`EtZuVDzT*4YX z_k*-+`F^2A_*(9j&C~UQskU+g6kFFCrby%l$gT&RwzQ5Nb3yuw(RXBlr3A2kgw`;P zFp?(HR9TZzUI5h3Zz66TE}u|`LuG>|f>z>AwGQM0vmcL(|L9kYi~sz$m3-q+r24o2 z{Q-Jspkc+myqd}jzHPQ$&UFJB{HQ1aw(GI)z=`WLzp-NJbT0&~vQA&wOvsS#PF}C> zeq0SLK39tMXNH*2`NYJi$O$GiZP0f}{6hZk9g{eZH3xkc7V$~|4oIlT5>nMHRd~QM z6A7RJ{ifnpIaD@iDwv>Zay!*ru#3Fb9qj+T?KTVuXx6HRtn(~vtqQrjs_vXy 
zX3xY6sp%Ujx^P_k;2Q%2N)1k4h!mtrxmq%C+QgR3@@aa9bnm{P{ltV%+ds=_T5786Q^sBFj* ze2X4edsG6(I{a1XJRmC+c;V~oyPwrh!(3K7(^`f~-{$iCJ%&ZvUd%je-Q7H7F<=a2nGMNZJFX)TW-@d@Y7$GJ)en2-V3Ipu)^;GcjEwPfhTyxz0o zYV>u9TqIE*7bMNgoKV(MQWaH9+OkSB)-bsP_>Z84Tcs@~RB2J!pebO2KkL!SI)k_l za!8=p84jIxaER$`->`cXI4EKXfLh*nYm+P6X?WL7@G8#!kJ-!lV)1i#HM<3#{Ef1g zXYv|DOXM%|2>bkM_S!jxKKn8dO8`@sBF4Ct_q6C%@OSy?pMm@J8T9hNzpiFCPKz@9 z=K1cgK7U`rr{rb-Civ!)R6it`M_-9Aaf%9^V4BkymP6wI_^y2P*{O)rGL~UFV6O>{ z86#C(P?F>oP208v=(XR@+@fqTp(u;W1}WrF$(M}(zFqlD3uO`(i)Sj`o0o4n8L9%SI1I$ zE+ud+Tu1ra z+n32;9^<@5Q-^hYygI%18-;pUvQ_`k0X(f+%%0u+al_$P&*9{uDun zbmcTkSklTvM+%cDD9hyWBh53yD;P|abCx85#Ql9h84oP5skT0mnJ(`-3Refz};hWu}nq z4bIgg1nnrQ+pjNg^$-+n0Nl=~li`vFv#qR~Rv$YUn&ohYszlF^IpB*HPkIQ}_)G_P zp(*Rg-TPa6DQr{<`u4o8^YYqmF|D>668{&DN%yB`4Xrqc& zZAEi`TW;ajIEx82PEs~_e!Sax(+^0Dw&UFtE^jhq8 zziL(b09c!cPP*h52fxu>i~TUT#}a>AL?(9$px2_6LDphK4`6m}; z@M89UGh1yp2E?xE%Z34Q(iqf?lR@@M#zdT%9py=FFKh9wgD_qr@&Tv0d{VKLPV#S? z`R4FZegYuA;!a0Q>XOzkO#zdDiDqEpuMEmW+E%KHV zioB?7&@Rv(RqroM1H57<5D86Xvz8 z#bdV-4zl@7i@|QGFtiZTSn8Tkkw=6zB_okT3*omIw`^QaC>x`)L5uNr$bRgWbE%m! 
zO#ABxpZ#DL88;SlrLiG<>}8Z^UGvAoVN3&k`PGrhxOczYy>=$AD+as2ey}F-e3%jE zBq1SDIW|6qZf%&raA$sHH%83dF6q=og-)=zX@%>M_@pv}`Az{Z{r4|5pzka;w7n#Q z&H^grv8k*$C)}a!^;@J{y)GwIuTj~cMFzTzA;cT)(!Z~vBZXmFDa2{7e{96Ew|v)% z(i$G?#qqywfzBE>FV+M2T{OeFXgKjebT~6#uAL+}d-m(c=T3*Py!NOaJ2QoKdJd`w zYLKD{J~eF0cAUYGRcGkJqtFDw@_0134>#AxVQ_*X?1mfPE~OV(JdMVG@Q|2kW3LiV z7^5O581}TXcS!s~7`L`uv3!6R-?$bo>|3;x*v>R(>`f(x^O)4o1worCBXveODICsY zzd5@_@^V6v9F+~4GbVUiUmPZWyc=TNZ}o-sxlCJ~%_C@gliqr+>}M^Ya;JJ#cO*?( zz}UOlanWFfrB69ByHl@wa)mForLn?5`#h zAy#-vD>f>0f*nq)kPTb5gsFDKOGQQ4qnp@m$rfpFtDRWY=i6MrKuRu z#EV0VwOMaw7IY(8J4VOuQg$aD3gkK=w^y5z;p~gqXTXsy^dv9&nP%Rv7BKhFEH+-5 zfvKsfSK~2sC$h!1v`ebz_)8BP)3jN>A#rO=(oP;=&wyEf$q6_mPNl|;HR z>FTb{JBN?R*G|l9haZ>omHLnV0*Ltni2DUx*Nm*L<1$STdRYgH#9m-#NH_@v7#L0R zid1RalF}jJ^joA00w^bd08rVWMS4L1{@f%c`bEcjGOGM<8B(f=xhg2MmSm@a!!|Xv zFbT^{v+FNazX#~(la3|b&#Mt}uq{6A4&ECljRX94Ho$K&qq?NC92GjjsHQ;+(3J~- z{{r|o2kK_ufF8^K{?6y`OUOoG@d=cQ!)eq!OeJj0k=f7;=tz$_8;bsN{)L z+wqmR+Bts}{T#T6rT%_ZXAb9_Fmy!iCIT#H%yI)fXF>1&?3MK2TS%GT4tPito5_va z!D#LbXMb)^L#D0u$Za&Doi8=LjiyGsX_)SrePcT{#@sz-cb5<$qe3TG-n2&WkoXzE zd7U-*E*1+ioMS}eG`S$ghCMrtBi3*kXf-vJ#+J~Qu$)s8Wr8=N$at0rzp=TXh;jlb z0+sdCSm9!7TT;1cu{i0(5@u)KJOIy=Mbv}N?jYz#wkNypkp3PLVy0v@@5etK%h_8P zk2H%1LxMIiBx6<43cimQ-d~F+D7Tx`vADo9|@GVeIDD(w*t?F_}LOHFw zJS2WrUQQlMmSp%0>CN{?#*pBGL>%^NN<-d5Ai*wAC^41cph!vOkoS0vu5vLG)db80 zDjPbSpn?HJ8!Bf?wd`KujLdlHg=q~_gSeGOE2cJ$Mpf|SHL#&M6eN~D&LEY>ug{dU z9-*0Rm&t2UrNUVEt@`Q9Qr^$qd|qjMpI1#Q-s9NG8zWc2>%dj z^m9)%2Og=n&Ar&z%9I+Kerc%~eN91V?qP>B=N zd|Gchx^hJ8Qe+|{ams5#>m(tp%@dNbQt+0yQJMx^uM0A$CV&i3+2G* zMaHVfPGIkqO+f+kBz+Q1n*ZAwxWf{{Fp>!N5_CJ%gmGjJ>W)r87EDjRm7 zDDSw6{O$1+w*V9x@B=1HE3~p!XxlE^&KF`QG8aGO*<_=zn=*{Jmxr)kSI1>+G5rQ<>S}6g}L-# zK`V=p7P%OjW&}KjD#pXx-|NINt%ZXY_4?!L4zD})$LoJzZ2sKOn}5IG{P|i2ziEmG&}dDd3ycX;mvKu>0-wo=XF2VUy6L9I8saqoB?RFu7wa z<$-$^M@f|A(TvP)B;WSZJ2>K-yN}N` zu0txX?YABejXIaQH6s`T)d2Lyybka35^y!G1RN4SCo9=J${!)<+s9N4M|1fH9m$*- z!CCU;Ey2(H?L`TrvTsa~ zJru}ni=bsWV1v`vMFEBK)m0spcXwFvi_PLDt5D4z5VUfAsFaYV2AAWh~CCINWA;`=P%c4EK9GM 
ze_Xzww`?Q6v!~g&L?8T}N;|vp1ZsZ~Wd+L@8DK3B3 zfgAg-e%YFm-EcW&n~mmi1W}DUnRRM_vXp$`qLAg|$&gq+AuKTmW;{cT^iBTQL88lK z{k}iIFU?~CUzmJS^K|MB?PoPi*>S#+uXph3x}LcfY9ChbYB5(S5y%CunJX&w5%)PO#&8?Q?iF2F7+q4Y`~x3f{s7=Bs|4?{0b0y zjzmhJ(Hc}K^|{f5rnWGZRpC3`0U*zMJN=^>30I*cFIEmGtJ+bApP&DK?7i!b+(?ox z_$u5UOqT?tr+B|~qp(mZRVtw+l~$>$!kImbhLi5hbY#i*fubW>;kH|1O zBfRI#{8(V7TA3L}CmCk$cKPfxm4lYolGD^wa~uDo;R;69S&ac!CdVYwyKT^aTgylN zYXI#tuwM5Fn1SiW)zDek_-gJVrN>{(jN#!zPQ#O;mm8i_{J+BR@Yg}(GArAnBvF{v zBJ9gzQWvx$Ssk`%np8!a)boZH*@ky{sUMeh6>M=yX>_mOd~sVIUVCq->O#9)^)>K2 ziVFoB&bK;~BC##{J zib6z5vFCv%EuiWqz|~Ds3V~X|QUYCCh8ARANfTR1FNY)GvQF;`6a4kJ*PrwzKU-|Y zuK?cFuR7!q7qggc>`hmM5^MhLN^H;DJH=(JPXv7^%h*N8K(c(z`FLQ6?Fc|%M`wiE z!4EcWMI1O~wE{`0BLQR9U|w^MD0a?olJHY5r&u`m62Li#GitvvO9OVnj8vSSZEf`$ zz{-Z~v+aRI4*0Ql;@5P`#v^E~cv!CmbJ;GyCg4H~%+ZU2z$xw?ieVT+zR|V)Z$fMF z;t^}b9#>dq-4rY)O_Bn&Rm@4*Mob(jJZVZ!+oo|GDXDF(mjfbjS*NvPg31qb94Ssz z#5BFgG#HzdfjmRtq#J@4VwK_Lc)}Pflj)7F9oZP+Q_^4C4=|xf{`gF0EB!wCIWV|! z*bI!+QY?z&WhB1=&?5c@sSG`>|}lc^Z>7WfM4qlYq-{xF+`b4l8~hDhCsx5 zOqL0!-cayv#IY%@`=Ap@hh)drj#=ylWCgg;0*mz`D{zXR>mUNz#MmsoQZr{L$GnaRRNZL znClS#6sIa;>ezMc^H{;#httv0umSE+Wu5JmTqQz~fa3@U;_C^#K-7})2akuDt-1y1zco-LVJNooZ@FGv>pZCZ3ty-3!t6# zog~6KA3cV@65U2#66nMuDfHr%(2ECbcR+Rrjd=6QT-eHdIhX{Obslk;;4FLu7n>;M zCI1zuE~vHo4j{I=`4YefR0+&@a*`hB_6wrKXM;d+kp)WZ1p;x3pHDAkHseF|$LUHo z{@}VFv?4&bNYaK;QWjZAfXNMr++dphysDPAs$P!fz-67PIaAvG14$_=3N% z5&_kbs&1*QZ8IL*K{<`ucJ75Q>V1}^JVWRz@R99ZV4tBnu2`zDe0Q?KRRfDHXpb0ZT5h)>)`cn#~%O@JS|Tl zzZg9BtNjB^s9mjsmUb&hF~Dtt&;QUXOw{`H`p8;{FpaYi=2A@aaCptAGc zJu3F2Mv%=|B`P~XYRy%^9`4}aF}Y?Dk=GLQWMXPPj6@=l)?kpb^+{n1yS4gkGa`>P zKIpCR4_^HSyjJEi;_Ke2;Q2+TuuV2csLAjN%iom$)+q}{ORl4PhVdR-K!+Y<0`ANFu%Uv zJ**JR!j`HcnrA!>NzJPe<~}5(YKw%l31@X%vL=Zgr;ZIyh&;dvsI0@XFtH!E{d#xP z%XSVZ{Vsy6S5~$L;B$jEm+(=A_|e5(8<&2nq$|6g^r58BDC=yJEb|A6 zTFe42plQH`7Fd8Ey1^xW{#j!~)=f_VcFbUpZSqb8B7UG}FJNwMPGHJ{p>Cfy1{(ws zd4M2LS%)!TVzx1y(ZPXV@T(lF%pU1_2d#O1i=R28af}4hmIZyYN}x8?^O2FAI-!)U zNn*CCab%*<2|o1A?;?`>cKUpi@b890Vb(Z&GH#R5*5iA?jP4Q)11hw@==?AYF7f}g 
z&XKbMB=r55R2zXb21%Q;f>|gvfuRY8{(as$ZO}vH0eV1X9oC8SA5iuKT|wD?yTBX7 zE(1ptHE!9c@U0a$0a=J*I5avh?N9bb@IN-aDuy0JPuIcgwerXM5!|h3M0PucACMQ6 z#g$q=1QbT)pT_2M)eIut&w4KcD-jS(ch=C2Lhr&ZvFd(5-T2iXxrAn{5oVm1z!gxT z1;*(IS8$2{H!)6h{sLu^N}B+eHc87UB2}D31Q_5Aws77!ZNx(4fmlFgogi0Kaxs7q zy~6(wApEBT2+?;vYu}ec4kACuflK_K)AJF9?+ zuT%G+V(@15#dH~BSkP(D0t0yzoXtSa_H6Q{qFQ)x}I!D#g^x`~`hD%pNuj(S> zosXV`$@FL#qOE&Ax?S`7r`5k6T~0a|vQQ$~X75kjnQreMUzWI|N4^@HU=Deq z4|minv7>g)z4_K4nX5e^Jzhh$=qQNE=n*0N(FL?4xX^a>WnsF??mL^g;d@&J*bvTm4u5%ic2@m;K-x++Y?!WN4I-x!dlEriiA0Cl$e!H+v{ZhrW9JIiH` z-yB}cM@1G`gCF$7C4TmNfOaob8cacKnS@D-$l9FAHZ<^3i@@F#kS)N-GXgWuNLoiR zDchnUz_ws2jPn*@V^ty#tO_dYIJPmd!yp;A36#y_&?eMwelVS8uv}MIEilVT)V^_e zRqT5s!lwqN3_!bC@P&)-avi+5x&87InxSE~fSMi{ym$-71^@a{gvdLElzFMD_ggMv zG(J*9t61FJ*I__?gxfdW2=b1fPZB=*w6^QXW-*h!fC&W`T41z(034UNn>p**K?X0K zsFyBhqls8aUS$OQUjWBJUl6p~!7wxe)6htoig3Bgo034U9ZcZnd05Tcstw19Jm5H} ztix6@F*voB&>5f?_#Zk_1XDYtyi)h02N1k?ef#dEYKXag7i{4xR2`&}XvE;~Md$|R)#OTqK$-c zwkNe;D*e=F4R#os=rxQ?sm9?;G@-fcH4S4`XXLVgcyQ;cg--;@1Dz4VdqA~{x8 z0MHnK)jUB0r%}|#Y8S)w{u0OvDzrfJ{U9qY@#X!`=DZa9KQZa&e}UmoYnZ_f+?c`; zfTt9+eSEECe69L$Ky)9wKZ6nzx?g4_jmj3t$~#h-W$*CjTfH#K(4{Lp9YIR0&`5b_YN7&`&7c zsj;Xa2Nv=jWI?xFcDV3Pl^mx_SOcmti#ng)0~J|dPksOxm-v5=lLUJ`QQ4Gr9yO%Q zGH|KFjMTX>-#E|HEaPdL9_#S2HQ7L!*aIko%EA;h#EfRAmMC9peuf%;329QQ|Nnq# z@E(Sq9n27!CUO}f#us2oFOh+PW*n|zK|FB8rj+~G;|n8B2gz}X|M%DiP()6iHDyuCJY!0P)pJtCtQ2Q# zkyJ^ZR!QqPRBc2~?19KZW!;DBGEfe_6=3r3TWth~sYGd%AG-DakKk@E$7rjLC$JV} z+gExb{5V8decG4`Sjhw5DT0veZu6L4@0!iuB^B$AK5T|SWgo$&Ld-_6o1U?e%aJj$ zA2P-zejYMrEK%K4m?tW2f>ZGT!Wf=deO}H1eJN=e)2d8!!m=n+oNp9}wHlU$p>Q~b zWjJyUHXJ7QfWx4&^Qk>tY)Qfa6E>4EzP!JE`|9nR+r#Og=1?%FRW}?lBx>9y=y|;Y zI@1Hdi?l35R4f5)iuhC?ITq`w_Cn1;1Dt;cEXVRUFNT+zt*2K571RRHl8P!E30{1< zefRQ8mC_W^&cnlgZO*S=^Vh*FVdDX)u^gHtM3MNcr?VO{+)F?&sL%q_^#HwmnpwFl zvN9{Gf@E11krd|O)pa4xu`1;}jj|$1=Ub{{8(k86pi5BM83%Hf#=<}vW-GVoCBE>- zj(?NNaxknbsO4qt64kFC(cHrM)D@`60v+)HB7B-zxoxv3$!kU!417yjT+2pfB3z3k z;Vo;^%&~{s#r@c$xR1)t=*T}|&*3327@F(}t0+>~)5!dyz?n!`-en36g#Q$nMLmz0;GIH6`$ 
zCb6rEiAPltm365MDma2PX9wWn^4311vrW$dtGc@Ke|<0+2=5z)Xa_dau zQ6>B|vvOReNu9HjL@bG*Q=%f2@q!d3&+9m6QI*f2oxxlDGqdia508(~M}67ER2W28IMcJ~d2988#WoV<3KwD9vNXabj0g z5|4@sD(g(8&aH}k-)MU=WJV7ljnMmUD)X4>U($|?3N0{wuW{%2%5{}zQQWk`;ByFJ zqJq>_4NQqq&gzK9)X__q*lG2|Bdw0gx^>~Aap$<$Ysm6JbqFGrw{*LD`VAOEg4bdj z*p1_(;g3*E7P^8rj-hMJs>$W)@5C?t?Gj&376L5d{brDiAw?J#$sA({`oLAoine7b zVKfp>Oa&~}Ng=i?1{6JMlSPqZr?OMqiAQQ1m33?9Y<3&hPE5?o+C3l8DiNtBa2gDJ zLP3nwQ6(`JKfM0@k*nFSa(MEq+uPT#-n{;bY4IhQU{q*<7W=h7y2R0OCSe%HWl`l( zg6JvsNMg&3(opQ8DYQeRWx@!hEGA_c#!bqTCX9-CJ+)KJiARbVm38YW+EZqdK#mB_ zm1ds8FMGncHLqAH=$khmZ!tZ*r0oqATHrxpqIulbZP=D1isFK22Km*u_wSXU9e0u-+{ik;?F&(%h zcZ>=x*o*v{yaDQ~&Z$~Yu3uc9n1>LRHe zs%ht>6OWuUD(hBF&!jXee_Zhzc6-+K!krV29qPhe(x`+AEl@bWyfeCT#jCnbo09M< zN!3hK8YKEM;MA{M#wEUhk$HTfuhd&3)7yUqRc|;tPMZ(<*ip&awrLX*r)5LZ zFsTU5i-s`Xlsuu}COXW=PQs@iNqAJ&VLq3&z@TDZByW!b-;Y^%i8VG_`Sa~QQw-WgW&b+aog{ zEu*qOPV7`u#5^4ktQ&woL)py~QS0rVvIpUr$htUWDVwI>uXm#%jkcz7{Rc|~Omc6T z&uQ7~;O%kmIb9gotRa&f8!FqsB$3H06e-n@PJ%#V_UbYNFv;XsZukw0pW~L^rKKn%z zC2rz5_?i_;>6&_(6MZlR?P^wS5Hj6Hw34{c5M2 zLv~1=+B2BOEM=RX$(ClDS-?`bweuRd z(Dy(iTDQDnB+FPx(zHnkO{+*wPOB3Z0pIw%+1b^@)T4Tc$~w#r6MOx)U*}8?6PxB= z{Ea^azk-s>uH9X~)%GC1gzeaeyyZ-}Yo}iPPc!Sx92%FmsHA>enJ)3ObXH}sh<;mY zc(~#P{GC6MM|iPk>M-_R8eY{bscRB8P!UZaWz6fC0CbRZ3UkKh;ijow5luZRqNuDx zhtd9*A6~x^&fLBRUd4^(Wmz`S0==eU!#L{O|M2shzgcbTUq%|<4K(x*dl^c%dz(d2 zS_N(S-5!Xo>7Drc#YgvRy5HT4nED^$!p*%Lka-;#nltTZi6cv#P;yNmnUSia4N7sF z^_mY?giK_xo?bX@LuYCus*6!Bq`7JI0FD=LRDWZz?N=PD<)ZIr_Bgq`mYe$3a$VwQ znWi{>wJ93DWu0%{o@tRNJ7-++mam7O;hTufGIOj6*6x8Q}%L5lF3hc1wjiDBaYH`kOW zz&JiYb2C`Q|EtLj1TrLDq(6~B6QU9$XHtOR>T${>zY@%Fk=6=H2>pTU;72w3M0#;j z^ieF*16{?DTBuf*X?1lywJvg6q3;8?K2*eQeVHFPz$I?150a&tOJnzRY=zmY?S2h* zD5+fRWD4omL^uquMghX~mruC<;>iQ!a>V*6*>4I-@~Wm}^D3#LIL^z{mWsYYniepw zR-9-Ifbw}!l8VJGp;_K!Ib~^?&exAJ8)%Su01Z%Cho#N}4b<7T#7wcv-01P-hGtM! 
z7BQIBJ#bUJ6b6Qv^&3dfVg`cU$&7(q4im`yU;-}jvz$3SB=hm% zz>yn40}9A=-U)@inX=_YTqG%J(lRG$O=Chs){ro(B9qOY*Lxd7ka=JTP+5oGU&gbE zis>w+P8hGpab5M3tb*R@@+ZVMhck~2j7H6J)75=7b;kg@4`_yjqj&r1%}Z$qH}7A+ z6F&;GdiTrwm%?0se52CZx1T?~efP8c42;dZMNH-F3O*{az*79UG+pBEnvQwZuk5iM zucp*HF<7&Iv47XfgtOe5)HjM43JNetLKrm5NLEzhl*sd%&_-Ablypq~dEQWLfI;Q~ zFhFG;hJuOB=a^Bk8&y1k@O|9fwKL5E5p^o|qs_KkH{FJ=?81-u;u=*)m52bzK*>i! zufvN-&q~Ko=uvS=FDWXtzy$n&11|CZ+Q=V$FD463ATdVLm@`6Q(p-`kIV8p)FE(!h zHvAy-fFGc;4hum0Rp%{Wc7*Hm{MUvblnUj~R=gsARwEuUbw0mFkBTf%X1^M}OZ>lB znNiM1oxmlK&mt)Y3iGIrh#E1G!4%YJUYYGmedbZAM`az#JlhrP&}dBdYj4s}YRI1g z#RDmWy?x7lSVfv1Q(Acnk_@(*z1a<2Ed71Kh!r~l_q);B!(Z{cXp_kSB zhy9?imvkj_W`OP9cZo0P z0JCOgzLG@HT+W8Eem%Tm5C0f5Tw>QD;^+T!N9*BxIOZwR1B1R5lba=w$Pz(Gk&voM zfqn<3#IOePSo4-*7wI#PB0VbWuoP6x6jx>&Em83|hl7u%1T2h@5NG@9o1Bv=ek1=e zYV{rDUv2xManX+h(vAy za4Rq7$K>U9g+2GEu%oi`8jp)DnB9O18}A64llrV5W^|ks_=N8uP#%A2wc?M(j2c>o zhrtxh&D0@#M8f^PJ{}$fB_HL>YQH~U(=sPQczmX5x6+^<7L+@_xU74Kc*=YjbD5J%Y< z0Zo(X&ogKAWt0W2;UPzwx&`IbY<8k}O*(9rPICX~gj#pnFR)}5NK!O_VJHN9h_x#H32OB^Pkq(0BVf&AGSCJNt( z`@ZPA_+&DdfI0?R1G0eBQkl`)9{D3Ie`&|Y8k)wlLX=KH8EdRjwo0v*iSu|CbgDU!-5f$tLVVqEFA%Gn?rCIAIo6#{^Hxuc7 z!Ct(&@Qyl+7(K!270#^52@91-$Nuno z$`5nZbrnlBb*c#?DcHG`BuDt-RCCAi{#M(=ME|yEz7hU7xYBdnu2Z&0RwEDd2B7tR z`<@de{J_```QpvTL}h^KJv_aNbIN1b%7l_Dz_eF5FFik-#{pixD6D zgJG=;f!%Q|b%c-Jmff58mZqTQQ6rV#Yq#5WNPnW#WM-M<7U6xkp2O`FIGr6nHZFsV zzjnk0m30ME>hn>YLuL=;kFB3P(qFsFHQVbevif%U-XBUVkJ|b8+*hx^Q}H>7F9w>> z&Mxy=Z>EZVaS|l3b2-RL<_ot3Ctz%I!%SdF_h*P1W-eQ1wm7m2f@xcN5!&FmAc0Ud z0?o7PN#SKk7oyLfhqDbiL0{=SgHZDaXd#O$Lf9$;_RtgseB55Y@^`D{@Sh6CI7ynL z3)}vrh+5W0J=ZK0SPNB4FX*z8kMz&*kbKZ?mpUSE(ZB^=78P#*2#c+^m(9m<6iUnN zu+9=GIWd0zOk2PeX{jd`^C=jaZG_(swzN{4d3Nc8(;0JCq3+STqOxY;6y#BzTKl?W zmKoT0lnaX#R!bV^3-PZ0`UG8K&5z2B2?4`@igE|GN9NT!M*Ar`dXTniH14Ys zYffJDgk#sTg)>QK*Uu^e+Y-B=1iBP1%DW#k5sZk^l_3j|Cgc)juOtVngZAF?|Gw5J z9{D6v%>s?(Wiz=Dz$7&I-~twMRS8xlGm6@Lxx~<5N=J)jf9F^pCeYbZce*NiQ@`~T z1fQa)in>JCQTm{O5i^a zdNztm(Y{?Clc+DYD_qUg9b_3lu*CkG%S2^FDGbfET2V=qRw<@*y=n~a-0`{)*yUd? 
z+ArT?)XZ)~$*55kbR-V?2>;aCrt5|C1M!(Zu}y?Pe~39+3~ku5+mv`VbZu$sP9mjb zpz%A$L3m(PQEf#;@c-kN<&%HPOBP|1A-)VdIq$5eW>7Y0t;2edGzp@%B@17$uu}mH z9n=jnPYQ`KLxtwEZO$1EWNgT8O*5K2YaI9}JKa_nGx`d&0>|2$ z&d$q{N(Y9^n0V&Q5plhcMOUavojVe2k#?bb%IV~}9di99!;ykdxg5Ajb)n_u!6+UI znvl|TKXu#Sb>8k=4;VaVF09Ealp;&5>}AM<$x%&2p`gH45I)8l%5S|#3lBFUay!HO zQPo)pZ~}}3Y3I5Q2^^mCW37dSVQaO~1SAJGU9*vxnJ1>HEzaO#C#(Jn_eUS)aO_w+XCtsDCxtp7%eY8}&pU1Qk4^qPQkCH+pNl!s$FI+7+;$>fzI@mX)y{_Z+$)e0ofQZb?(mOnwPu*@#XMS!I&Gkj|iBby$^!3 z%K@M4e0@H(<$Rj(H&k3h6U>AF95C@PThZ#9#dx258t^)2;C1%qUnUg83Be7W2cX2! zf2cdpvS2xcpNio!=xmqKNCQFETT)YvJC+-N>|b3UQR)0Frl`4H0dsQrbg(d+>?tfW zqy+HCB5$iLFqDQ>h4ZC69z6dzOdWBDBl4E$dF(F$XYdd>gBB=jtT0E!e)uHZivJ4c zkQ|^ebh9L|b`z*Lfz%=STf!ee>O$3A6+uixP7NVAj8LfrnbJ`uR2-kiGjlTW9?LDE z<4Vd2Fm%B^RN2o^Ns~$Vm;K9}y>h4!Y6#(H1n3nP$NdtnoiPoB5@dn-q1FltOW#=| zr>v$9Jg@q`p~h5aEn9BX2gS>#NDkY`NP3{**~Y6TmJWPH@G>5{-iY% z9k0JyyQ)$c4GJW>OQd%ntnJZZE8{>&0#nm=?3%j$V_pTUyw}ja039J<`-piE^C1=l0Dg z%J3#_U{?3zS=%^%XHysci4L;&q^vw4+M-oWd|hU%9-40GsleGsygr^X>f{Ag zay3_emKsJt#iAEye>waB!`)suqFVo6jremT`+`aNVcpr2f$}5eE5-xGSbN#J?2{-m zT#OG*9|ZvoV_8If>0GCYr-0y0e&bnmk>qb6b9XM2mbRLjTXpRxcX)5+{JO%h5i|28 zAlq;riLx>;%*6&lEm_G{lZ`3I*W3XwE;YSUG-r334;6ng%yyFEq_rfLrkrUWq6FWp zr@;FMyO|#i)Y=KI5{j&dMOR}T1$C7om~8D>WoxP zoBUlu0`YTqP)F}zCZEy4tP~`_!f>aVF_BXs-);o~q;}=e;evwf=SQPV?Q2I?bxW39 znNFpeV{l;ego#zp_UDL%UN5FqHpo<>yQRt_&M-2k3ho_h*1&r$fxbLfIQ#y!-uSAk zga{5$qXGRL<(q5xx5uFgGpQggK{xuZU1kkP0-A}kwfty5pvBW0_-yDCI9279#s)~z zOrs!*+vUrPLATFCmvhyXsU*p+Dob^6`9@}2yrUznHqcpn|FHF^YmtWRMT2qCMk>I3 zBZvMvjziFiBp53p2TwZq`Va-)_SzQRD}h&4TLw3>kdCsQbm}Th5CuKc=R^ zeY}2tDmrgZbCY5>Ilyc1BVB)aPg^xRO@B)ljsj&f(%x{{z8&@fJu@Do>E_lm4!C@C zTn-1GW9ZxMg&4sMec}-NCDLzl*inK!_BlkrH&aqGCpqehfgZf3hETTKh(WG_A+9)K zg&sVq-5Tvh%ddb6+-mz2x%@1r6m`JkvIHGzup>1uyq;*iz1(Ir?e~)7O7| zQ2&CT#47k@+0_as>KTf?;&bA^_Fi=V`^@LdJK9Ah=uYhI`5}h9F_HuJa&Jj)FcNEB znC)==wy8xaXZ|WQoaYnE$YOZ_lf& z6$rmV$a+i~QSl@$kdK~`5fr5s`iNR2yZ9@G!3M6#RXZ;PGyIl|6<+C&iuk4%-9*3l zP9%8YW&M6g#(Y0Ft%mzPsuRE_0vJ7dAC(m#u4d~9{{RabyX~~114d{xa^@ 
zn>64baoyS7{}(P?nGBAcA4dF!L)9Ud3)z(<)6j7OzVWrn3hL~BKD=PNg&;E4nhG}Cr9LU) z8kTc@H*Wk(;I#L1&($Uwm6xjhfQUv>}%S#h-+_VlW7V5 zjA_@$n@<{SN#=Gmtgqh12O?Wn&4+i(t94JZn<4oOH4_H_kA|LlS7ws?d2IS9rlr*}z zH@GmsiH}+nqBFST_`H^6zU2P$xBaPPOlB**;=EmgRc=A&a163DHbz$Xua#QSSGYA5 zpN-|?F*zj(>ME9m$e)O4%XD-yOK5r_s@aE8ERvdS^*dja;r;+Lu5v6yE{7ZPynLQs zFV;gCI0%FO5Gqc(k5C5bF_&GurQ-v%pS@~*k)HsI73QUj;tdb-yp^7|4VuUSqzFJVU2}4qW(DOX5166&+8}_3XNB#41qd!o}*S=3TGuqGl5w^zo6=z!1h3~K-@GN z6yW65&WR;^HyMUfMBlZ6Tr77leEt>lAj(Wblx_cwhZ0mTB>47{0pR#bQ%A++!VybR zB`xtnyP!}8Hx#`T&BhIpe>Q!%w)s*8 zP=vx-Ve)gxgaa9D1@S5799go)IvimbHtq3}+R+wyd{bzFH#NO!rOhTMf+oeoR1;|f z$+Fp*^Gs(G!cyh1W_c=!_Q#TS-^%zR1cBUI6BD!gJUQq|b6N_s&f^~$WE<=$svT0$ z*|*}pLzy3L7iWZGs#B!p;Xqs*yF16!#Z+%_w?%byKE7{SC9T+cV^+3Y&2IgD-TtU}<2a0!ezr)BHq2L-phV z-Pu@84Zbe-o{09GmPfbhh(BLSq(&J7nBpx1WWQExM_e79&05XpGz1LRa?0#djC#`| z?cJ>5f^!|^<7dmoV|n;$j_At@a<<{21-pTmJabQHmJG`fK+H0|9>*)7Z=s%!XxyRt zD(Z-*DhEDIYoYqKmtWq`VzuTu*Eu$Yr%r-ztg>_h_Y26kNcSAxK+i-}t%_-(_}`Ud z4r5qMkEEasC*+eUW7-z2^DV!{eC4TNPBo9B?~Y<_cS=k3%nHU2*MuoLprBR-{n=}k zjo|rgnK0!Hotl@-976ha5l?3+kGXX_--P)q%IPiG?d(ljy{83g(t8_K#_l`1H2E~m5w#jLuh1y5C^P?|C+-NwEO@EMCa zTNS|C<I$^tuy*kc;3YoLT|N3VvQ49NJujLbwx$- zK_kAry}H~N*-o%iBIz_>A84d1RMwf$|1`#4(m4X!Ib%XsEdpmHwqySTM>aEPB$!$9 zkDI86)K#gZehGEdY*EUVnGBctBPH&?+Y&GjonYOqhV0f{&Ub{8s3q!O010tZ%Z#uA z=__T4kuQ$RHn#(q$q{;c$V z=fBG<6&L&KZ_6yzbtaBik-7(lg`MW}igo_?DN zbA_{B#8U@4uMC#(_wRqu>TdVhY=axJxEd*&n)YtInZKSb#jKL6*|nHgJ0CUB{iJs) z^&5M}7t5E4PJJ6sMYT!`v1#Z~W`L#`+P!JGB0ScY5ITCgX?UF&OgE)FEdZ~KS@zx5 zRx2qjKupS70DXcPcWjA^8NOR+@w^>PEESHkj<;6M`${AZ#P;z&Tk4}CIpRJgyDa`` zRIGmC<(i?2J~Z1!S}JgrXxwR28YXyN!XwHcB5KRiiVcn5M2OBb`D+ z6^uV^N~lUj?~x(_2F28@?kJk3t!KD+QsAe$I`Zx%Al<`ZZ`r7Qck+I*Yat-__X@1X z6g+zuMON5$8{@Xe3Y6{^&<*Lq&E5$AI`vg%cD$}i{<M9kFM@|vYm zaw&?DYnHxo9;H=FfnVpw{(@tp`$PW2^$55o?T&dci08>CL+aIMm2&l+GzbNZ6F1nB zmV?}Mw*e`NcuVZgL`6ka0;%Thz%F{p$~+&UcG>29LT^EWKR7hPiETFc$TLDVH?shcU?&&(cC&jt zrl?!rSx7f}3wwvevad1_252~C6z9$KKVzAh91T*&c5(p$Ot#^3kYmckgmTZIFIwmV 
zrymYNC|vdR2AU8zO4-Eja__Ai;OBy`#w`ozOFRj27{KuM%Whh@`TB?v*rnmSSjXhGB}pu;0rLo5kO0RUO5}vfdU?cwelCsK z9o8uevFslpMejSuJKlf*pCV7r;{r)UfUA`&?sH=6azGIY%1P>*r;|YsYoMZ5{R&mV zH%0HrbkJEzq-9dlLK%C<0pg9s?;AYy{Nlh(EL%1y!5$!ruXZ!|Ue1jpU>OsPTRU>n z%lib?K;Y!L#&aX1T|m#tFiDkLIZ~l8u!i609?Y(yRZ%-yLBnu}L>8aj9K$!a1o#P2 z2a|@TQKD4{6Hd{D$%!k5Q&pI40d5D+nifwp=BfbC;Yz%D+UKW5+rj|6E5_sHtdU(jGQKKB> za-ozd2g?e61p~6pNNfY&7^A9*B7O#7Yf1$<&qvtiBlt@fkRcz*rLkCSJAT@B)8e|3 zLIREna&H?G4z&r>b(t(RYQk^~?BC^!6ht_)t#hj6MInO(*3U*M#21`z*XBEKL~fPz zAZmx&t;!dEBt6!0*z32}B2*n)F^6|lm&tATS5Aof-lfLfgchRNZW*U(z>~kGz3gENZT) z`1yx5rx2H0$9h9G>SoVp$1-lF^B??p5fdqWcckI#=H=w@v1hYQM~(20s6D^v8tB%Y=Ks24v{a@@wiG)>x!gNS}O ze6Qf-+`B?paWin?&&Nq6D^|>dvD!)11@vs|8>2IrfD8au|M}mjBz$ZE2ip9nj5-ea ze9xxZhVeQ{H-J+4=zo+VmSp5cEwYcWZ=K4u7M#gUj_yh-62F{@`#R{%(-wfw$VZa{wOPc1rq>^ zi8c7m5?IXnP6Ne^I9l1DW;O~RP$U(NCw_|RSDh5M9Nx;Pi$cfqcs2=B;s}-os(f0m zCoP`#t)I+^p=<{nO#H41hgoof{~lf*8tw##ARYBz<=AUl9&Hb)X2s&AFZ?Lmybq%V3~9$+fDRiKNUz+cNrQrObEB8MQ`AFGz14MBQ4TYz2xbCm}A22JaQChrhWmG z-V52=owVmT3{|BmaG|jIa+FFvR&07L#KcSTN^ueBlsZRM6LM zQm!fFtp)UTqb~~G&f^z=6(?w0NYdUv=!&lD{D4?-%~ra zfx*+%=t~)9EEPNGOpI=-%1i5~*^<@bF^mvvKdEW|Zm$&RxZw+C_(Wa(tgZ8wa3Hpg zG7{M5`c*g+UlE}NMD3Ff{69~)rx=}qKz>l6p9RBsN@A;pg^rqH=FqL3vXOcD?7DWo zG%jVXBG~+uA4K<~0w6uNa<}ka>$jWMe-lMUg!x6{gBKcy!pr{TtZ~nK5KQWRZX8Yc z)WYLD1>ED4M!$7Ok6ky)=hKu>9U>?&G^5kCaXpmNECYZ7)bbiIcS;9T zcsh<;nmW`uqlu+bsagSB!n2*aEukK>OR+~+Wsrraz|O|>v&4{Uj}N4&sfwRn6GY_} zz^6BmmSrGG?W%xiS;f;jmfJ|O$8qD$ z^6J+9%hc}gs?AL62$cA>%=ZHN+fEye5kmAp=sE@D{=U6@YVq{YBvm$(roF7X`T1~3 zF9Lv$KK2PQ{oEu z(E#O9)L45myc{oYGJK+UvDgESaek4bK*y^Ik6>gJaBQ)=8GvJ(S=$=zAw58z6oFil zD`p`j;lZ##Wp~3-edz2Lo-HoVS3d>zw`zKwh_3d8S_ax@4JtH1+!S<-3CGk&_!@ z;>URGYg4`;TI6S@K%E$;fWqiM{<5if4hxjP3B>u2QZMYIY2tEF46%ug6OZOJY&o9W zmpo92aK?9_ipjCc=OIwnFcL0_1NeAAQ`t`_-vs$xk<9rOz|64W>rDf%S%x^42Fb3+W6Bp9E}E4K?PjnN0qD|cZS*W;#R zh#8c5W3#;W;}ut*z34zRbwu*^2-t9o84v`NlfOgUvszbphX-SrN%yEvUM$6;AzVhQ zQy_Vd9f&oIGHw5@Fyo11e{MWzf9mC-{dsk7+;XwZ@(S@mq@$k#zFXXB=sS2FQm3D* 
za(}aC)6iE~YYF5CaO)Z3hFyt$a%3MgRpeJPkoa^(7m??ZaAyPAOl>ifR>a0AIt z7OFx!NKXic^uv8)cmh{u{uG_;M#6O_mSG%-WvQ4H9HfHoo-4QhgYXaZ5V`b7>H+gX zEEt^3lyu*6jcKN(5@(7JZKVOboFsn%C3LC?0nq0Vqs{)MTHX*HJcdsaKoqHQ4$y6Q za6U5JP~^rmFA?ivVQ}otr9EWpiwXg^;$Qm6kh*P*no3Pk35~Q)SJsqD?22Ob`6C%= z^9&V7bm~eSA#q*{XaF-^7TCeQlv@QeK5%SrU^BzHb#$`62)7zw}NZt?=*coNzBjC zmc)j9|Amkpq6z3~YH!D-CMUv8$oPpn3hLmA1=!p)b0(R#PY1C;uokpUK2zy zkl>&cRbeR?@CWNPoq^R8w^7##p;VTJ zR%*(uN(ZL0H(5)_(YK9NM24lhn_&JiUI0I{9YL# zEUtfUGvUqIFcuq%>sNY()>_u=4hobUo~&%&dgkinNOM5v>_xpM%)1~xXEuNn+KL7|zv)7~*n&{8a3iLwek25Zs4#kwwqw7$_k&qn^<&n)L4#SrY4XkW=@Ce;2cS$swh!)p>j+hal0KkgauR!3@*U zyOMcF^f?}LI1dy35?oeGfreg!l85y{J(XRWpQRd2S!0a*rW6}M3OZxLkX(niqfE=S z46HnvVIN0HmHAra1>sd!^zZ5Zmj3!*ixT@zOZT-F{!+y{Cn@R`P9U*NR7qUj7lAp1KC48{@FIbG-pEKz2GWrPth=MxMY5`*t*fTiuxh1r zYtG%iD+jFXo8Yb@{J^%({q&b)zS(3}oMO2@RD}uHbdEi7N<>Ul7)LTxF}Pg1X2>)R zGCApzqnH3m9ZzLKJ}6%;Q2LvcU(9dMk}7y#T#RA6wWmTgUNx`c>%BRV!L63D@HvL` z!*=!1;Fv(2B!u~2=Gw{FSyIzbAV1}h6{wfWR>oWkJMEFT@`mHFp-75K3`d!ag`@@K z0;;lxq-EwB(NxBj#np)dp2#sCn_l*11Gn>Upm)!2A}|izrBD5CLdl=%pzi>EHU-=> zl7VDcOvPBC7EZI-ZKQ5Yd+S#hY@2Pn1x5c2_~N3YY3={aLz#XNu5P+2+tgSqnc}Ds zyHxAv$TSmiJ;$6QRk0)Is&w6xNj}hTU}MW%&mzE)Hxqtma)uVdGooyM6k#SYI9$ng zVHddDt<;}iOmxt%eJAXALPaB^)dMRh8WI22M%vQy5C`HQ^uc0e8tx9%p<)4B%ssz_ zQ!itndvuQP8VC_fojeFo>`kb32pmuD_szmf;%uF3qpgL4o@PIxR;d27jT_hWK)8j1 zDEXj;TO#_S$8?_gL*t>OMqhBe#l;nEwgL!$xxi_fyzkw!n^~k@MFI#;cCtn~s`~R{ z6ic`gx|1aS0tbtTu{=T&t1N;0<^m8@IaH(uFmCZ-ImS0m_BYrVS=)tLXB*`1_A4+4 z27#}QVSNf*Vcpaa!J(KbPus@hPxTvo$nAvt!K%USpPykQ~p28DNwr21am!R1nmy=*0(0UfC<;@z;qO}wxKt%zw~^G!!>h53K)h!y&8u`q_S29hW&$(pBf5I z)J#$L^%1;>=X?4df7L{}jwPirDfUp0o&HOrwLZ9ZyD2IoY-2}g@7gF+?9%=qrXn4} zKaR5BHdrdj^FV!}uE0#;d~`t`uJ>+5kT6K_n1`(=HDM}cK^4B*y_ZI}NtfN0n8r-U z@bely36?U~E}GxzwcBBjKpyb^K(;%1iP5KggDiE*9Whif>h0PKl@wC9 z!%Id$fx<^g2&w%WhL$K4g+N{m&vX=ToE|MX!gmEGtJa~L8;9L%B!+_kb&>D=CzOqPS5{3{CbZzTSQU7|= zEJ`}u8o*dho09!Pf0dva_*rs!*;c9n9zKrOge23}>?f!5@9A|C_);h@$(^{`)2yM~ z2?jc2a5sW!)2r-6dinG!CXprOsUg7-t$cp$ox4;zpS$K@KX>QiEw3|>*pK)dDlVj6 
zU7$g6fFN{`7s-nm@yh`U-UNc|mLk0bYQ%;?uVlf_RYaPD$n%T;CzMzt3rjnYxZ*K;fAuVr4Dc6H3H+_WW1Q z;?t24k~*pKOHbB(#cu|GOZ$JDpZrHvN zUvcv^CzxwYetEH(lp?c#XuK%+hAQZ*fZlR&L?RUw%SumA=nEY% zh}88@;7Q&Fd#iW6+1HV}y8Yi?$M%8Dql82Ex^2j>!LyH#*A2Jn=|502M}8oPMs~Dg zYcfl0j>0KciQLZyxn8&0e$k~P{Ak#~u|X0VlqJC2f}ZKPP^*l8ZVde$rqw9(#aVZo ztLyoBoUxwSKz-o?!=QL;D3Xvj=!}>oQ@xyw;{c5u>a=A;w`8aX@5>wk?T3ijGgSdw zZk61|kA^KfuO{vumTxtI>&W&duY_nW(yz(ZBj00X{HjESqyN>-!c#Fh@iQGhpQe@l zLOlZfUs^k97PKzDU-=A?a4xUNt_oOFQ68eqs>kz|#;Bj$36%>DfFkh?tNM!JHLr{V z)Cv&^#+djukM(SkE6`IKKWKdnEO_g}#zNg$eoQ|^(2uTs+7^Zz(QxNgMF~{4n_wUe zWE$3JIB=PHQfXhGJ#-IS)dDp>z5Cn0bau7Yo7Q_vYcnQ5Cw4vi%Q|4r#wWT1s>0#+@M6{J_+#5k|BsS zX)sQ(yY0l@wdnPNQva{d+HxSB*Isj=?gH(@Z*kL&_$HVrTPX>>M|5Du&vZQI;A;H{yi~<^L*|%rSegXT|w}< zXy$#o`VwezG8jnPoqJevs#T1`xzkda5p3ttnSsVwA_G?*5vzGk-GdEG7yA`b9hh!W zq>w5^2*3CzS{HbSV?3<{Px@wm`ZhQRfTEyrO|c#EX}Uue_xBunP**5ee!3B(PU9}x z1N!*hmhW_(iRW7^{W+9b@5a?aF- zY$N{HrOiCnMT|NKBwR^-hs<;7MgR{p;1jm_%a`2wlR#$Fq9}&ZgccFF_ixKOX84S=b-jlO zMz}*v?(PLa%F=%``Y1dNLYV{P&&2plae9~TX*YXr>C2Tz=)T{p3GrswW-pxBf~=IGAzSK@3_Jh z&S;glZV8(9w5+3zr=3{Vb~+R(mjWqi3H7UAwGBZLf=e96F*!BXVd)58+>rVdeHAk9 z2>&)zX=UP)yPc|-J#%LcA1ju`dGx75TKt4$-RLBj>phz=8}r>C;S-1 zCPt8y8u%zYvlhT8^X(CyxTUr90l|{uXvwY>2wF01uD6`;OsQbuZ%kH`>w;wTQtG|x zla!Qi$RlblXZ%!0)cU0VL`77{Ci9$bG5*!3a@EiG!){J8ypN9vGw8U4=b^tYHJ42C z>$C(S+&<^}x1GJEvY;61rlloz(U0kwE9iuE~l|AaJ?$;VR93OUZmji|p$E;*-%X#V6 z9Z!OAjVR_mOK@Vo1zye3HCwQ*G6SDgL}}#@cVTOn7QiNyrmbjlNd9IqZg8jXbk3Vs zU-JuyeO;_xuiW0K;E*rf!hiRNAbq+EzTpSMJe!S_3Czo*D}%>{nhT!i_IBJpF{R(T zcQ`(6SoFDZ&+$czrCzvi4daj zp4t|Ih_qr{@CV<34RNyuS&+nAYi`v0i_PlOgifH{@Heac#ibwQof{}_3ZB2<^fwQ; z$NO#GZ^n#w)IG)2zuuNs@3oUFO1HtcIqxW&R0c)4iD+UqyDtGJCi(5RnyNmDy1B`4LZ;iwjiMa)IHa(>MiqE99dSHTKfucLV?nkgL5Y$ z(6!zrjG4aQ#_)?8HAg~3w8NnK2(GuMc*RwPMIOB*lMG`NBF0eLQ^0y74cjCgxICy? 
zJX1`Z@B6aK3U*arL4NR9d$&O&rF%*TD)y`5p(4-83rUigsYg4GWIWR;#xL@Yn_oM;7?{R@_R88Pn z-S)!LC3o%tX;g#r7&Lyi83F3tnTm_O9dQvV~&FO5`jmP%gLI z+xCt5!E^d9&#vQgHtcf`-@`f4i&QMn0^9m)ma&s1(0IT;X?-P4P3D+vv)s>l*HuY~ z8?h5TC3SLGdH=z_I|{FZ8EWZpzczQg!aG<$8C92i95bW77%hfI~f->Rqcc-~Xh2|H_ zS;v44G};{3QFAqR7u1aiyXZ|G*>#pE?uxW}@jXh}^h~|Y0zUto%$1$wYKWM%(J*yD z{%}KqMYJ;N)B_TeoN%cqgOn$hT!;e4)ZZ^y6$C;MWA1Q!-3YsMW1k$ZAdAdk zME~`eeyBKYQLHO;(?khIaVIdFI!oje|Mv9kiXF`(c}f|otl?vYyH0s-_e9kD_G z5aaXw*5IA+P2bnY69$!5aML%i+tvDhr9Q1t@SD%DwjnHUHYJZ6ZM98EbK-Z4SLjI< zVb;M0HCrW}?q9gCO^xr2@5QjQP>Gv?Otv1Wpo|6iPHqG}5PVm)GB{}6=eP1U*O}cQ z)ZeZ@u-`VX1)lm=eI|25Wvmy*&$iib-g^i)&zEbtU8=k^ig3TwJ9w#M;Le{_w69H0 z!d*S1=x6Td9k*_l-dEc?UDmhw=~l!+>Tt9HP4Vat74O3+?Wi|hMAwwBcvT>_MmlA> zKM-FKDj9bC ztwt|(6pe*65)!nT8^<18m|OFYSZgCj^}Pq>+-V6`!M`}))x|y{{n|1=I*{0o=OnsL z-UjUj)7Xf#vGcEb8ijt$JT1Qi0qLLJ1fHF5HF~2s#b;%rO(&!afAwrjxnlLoR*665 zWV6j&!faLz=l8+$#=6r*p4&u!Db&@8c$=ZrcB1Iv60~8mo_3QWdKYN)>uk z#2DL4STJ3q0%tD=2cp(B#uFF8)dQ7z^hXorVNOOEf?+fE-3cZzD)%TpiFUD9 ze8+#K3D17EK<&@;;&8JWz1m*Zl#oXP)DyK<*7ctaiDO74Q-l^QepgD6p~ZZ(`DLl8 zXEL!)?{F(~b5>oE7uig3>fQt`EuXl-`cJ5keSnX}~Fm;;^g3);mbMywOi%ahqBi2DRhwU9Ko{LkzPb`FJ{wJ{)FFT386 z*y!|W>BuS{7iU=w?f`Q4sJA%L6DQD0W2U^pPU};y-56T4L zi(z`PV|+uS*{!IoOox%am&&=KW=nFO?$DGLKgf!DKYAWArnyW%dZfX49O^Do))z+5 zVf4|AZVoT%yIe2oTV5!R0lK(yRn9B>1XKKmg_dP7M~o}8sg!}v>8VN+N`=gsWdT4w zLx$d`p6A&fry?(7!#7ae;qAhxDA#WOb>Yy8m=$()RBg^AX(Y!R@Q+WlK#v~g zy81+6UU$1`t&&)O6NU_dckDj*GR!1<>JB*Ke<{pm!lt)k5jn#Om@SQ(D`W^FWUuky zn8?5L(*zF2pr|2E1H6oi&04pA8a|@5v^WZ(R+KqwcPi4CqmB4lS@Y9g{Qf`!t;H(p z3sx*o$g;&)2g$p3b)iC2rWwMz6T)X`mD|z9^r(hG@@pYp+B1IZY0ngE>?8lydQT&V z&AT$T&6v+^_gG3&SR0XO@0TB|k!QKppS(dV@7(zdd9|epCR@!t&>T5X#&t+)9dk)o zE}S_bltxbFBH`MwV`(LxaOVjq*1)u$Um%5Nk}X#UJe3!z!Yz>-JEIn&uSUufB)~(7 zg|x&+A;_QT`2EOA&%Hz0L1u~!J2-sH5F0|$AO7~kWf$GIUv$Hgs0~+>$SOD}IMD3g z6JHX!Fqe$$pht%(#$kQ=DnBUx2Ms~;zHG7K-~VYNt_z{-pEMp?K29K>XHt4=QQ;KX z_cLOWM;{Qn2E_eeP5zp61)%{zUuGoKg-?7mF}MBj3RMCYsOb>#kE+&!nxDM*sTX@4 zAa;g*L+DT)RAPaVd0<68xW$*JHNXicQ*MJYU_^%vmB8MlsVIr+)4)<2*lQ>#ZKD|4 
z2rGF^=UjM-1u%V7aaBfj)UbJ&bZG-uN)O-)D(kR#Ol*+vk{c!tIw>bUBUfAVuO3UA!dsjyrf^awK1DBtY@zg^HEgGE! zK$@wTaPFxwSlaq!EfVUUP3VH%0+@E>^Z*@`qcwtBFNVuA-M1tncbjT5f#+3wWBojR(qfSr#xR zD`qVzH!ui-(VgiMrUF!G!RF+FK>6SnU%ol%(iNqQNHhcQw zsYz)jPmUP5hS{2 zq06ZGGU{O6_Wf>*X{8S$A!ITX6+X2%D1=LUdiTMue|q=%4X!QiUjb$igM_q_p4|a# zTJjGp_#*C7J^L**w=y+z=5Jg^&4+!N>hcx^qq(wf-O?Aor-SZhQG4H@m}-oaZvC=^ z-|znXFL{M zUlC?8Q#O#agYhJ1&{()^SJ}7hYOk}px_1|g3%(*#W2KaE-*XjA#BRU-r-@4BBddFUvHwUzXzNY%?n2w?ICs*TH?R7P?|bM# z`cbG`mmcx#_m79?SF4{++fZVA57nlRUbec1d|d1H9z)8IFZK_g)ZxYI$DvK=-Mn{v z+}#*=31y5Dw?i^k}7m#A+6uW^+K--!|kq$5liMVO^I#fATnI ziD%?2q1Xv?il#a_4{w(3#GA?t$-v`>9%6tSVZUgw0%Cd4&jGCQSkN1}NLS;q>fS=g z%^n*2>M?^aGz0dBwI2?V-TBTEe~SFB(UhF^D)$wI2;FG+4{CRR7F^d`ZQrV^uo&BG zZyQH|K+}{q0d9+AaE7;lXnhGUNN4m(?`| zpZ|RhEo6vfb>SQIahN0v z1+e!=mlA(xK$P*34wx%Dmh7LuIrg_#u(`P;adFc26yjb9kY7aqMYtakE0S&zbpB31 zSPqg}HYb?xHjJten{XeGdx<~1i5IKS-`{6=uPbqLvo|-s(qJuawz~tg`|zXU&OtO0 zGMIyb3|8tqGh_8^_=KF?Wrk_f7LQq#hop?FacsG+QsftPJsfAe$Naddems)x@t4wx5bJ|8HTNfJ{oThi`6uf--l`V|8Hjs>=S5&RH76$Fw}-msdx-Tw?gmkl;e>84->>)P4||8_ zQ~f^7A%FZ;TlJ^CpV1Y@nhO{%0zsblpT5=)?=${QxM|q$U%!9zdG+k|MjQ^Vc+nXm z@@5C=EUVA1H00(ve2IfkhJ1;aqz8DHXz)WHwa@VQRGIV?Rmf#mMy?nnlQ7W?jE zZ(J0nRdw4C#tjUHX4XllI!!8WodQZ}spW*c8fPx@jLbz8JDEV1S{3=uVu*9Q^xs~s zK0`(D##IErvzyzGyWLY$f!-x9m*nE|Y(k!wO^B{sQC(A0wS-c|te@CHIeagPvM!^p zD{i6bx(gm>6Y`8~LKHhq1`HY5@^lFXdWBRQ^>shHhx*U>5>H!cA8{LUdd@RbA4cqa zw?pU|_x4@1m5hNr*iu{rirxNby*4M#hLk`UBdL8Jo=deI$F^Pn^0$Le`h!9bV#1it zp)BLaT_~xxD-O+J$GKBp7xKwY$Aj7Qq3^_)@fS)$;L1oBar8+fq@v|XempP94_&#Z zjZ~(jgqvEBx-gRPj&+3BWv$Dy?buWVD^Bv`8A*O9cKTa&@gx-#F-$iZ(orqnM)rBa ztsIx{_wKjO-9PshL5PAamNdZ2Q`LB0TO)MkvXD)yn%4U0jWxgx<%IRDBwf|0hP6_b zjHam)XNU2O>@XBNO_do5V(H9o^a`Ig!s|}Zmg3Ej<@|Z*C=sG>zKPJMko!HOV+gt) zbozmc&?8JlfL!SByI8;kcGtkf9qxmHyb4v#hx5egkO}dywUO(OJ6h^zXCVwav;^J# zXVBe42LeCE4^*>5)EvasM2uE7)JqSU*AEiGM3i0~r;30ea2yBFub_pC?+6YVSnl9{ zXa6_aLc+zr%h?u3m*M4_V1x(pa(EEolX{TBZZB{Lg+_LDBMxhStO%cNcqcA7&i*g# zckX_Sevl*YHZqu0Is~A1E9JVAKZtritZqb%2u6d%ZnHe0jOVp9LRZ#`HiD{xbPx@w 
zd2jcfLMWn?ZaQ9dtyIa~h8Iy<7yPi)gy7gI6M`e>nh^X7(81`(p{Mifq2J)E2R)4- zdnj0ur#g~7X+-c9ucL&EkWgjMzmLjoeJK;9L59xRd#K#=Ll7fB$_LD$iPGqW!D$@? zFYpXqpUoo(UqAT-EXbpWa@VWS;W`Y&K7TK6PHXKtbNUpjK{|70Qmo0tv=fGJGx)@b+uZ4J#Vm@J^-EH+ezh z@A>k)C>%TeJx5ccrgb+Q?E8@T(>sLEBbp(USde3agJw`7YgiG!GFL{^R%oIrYf0S~ zf`}4kE^y98YftiBm(*c-QO1;5p4)+AlR7L83#oF~_7ST6`aalcoErFb4nCXd&9$|5 zPH+qv7uIsRIUrE=?OJ!7r*4dSaffJm_~X{6qB?H`Vb;aD4mf0jSHC8pRcY!n(sdZ< zI)x;vp@pd{L77OFnen2EiLpFQ0LM-c1C5OTex2e0o)K{7!NFB5djHxdWjtzxXFbX< z#@s(n6dubM&J(&Jxx;PDLn_@fADcfX1^)i=51`m}=tB71?((6vaEe6>;@>!E29Gdk z*A#Y-DeWf13vGSNvLlif4PmTly0*9fuafB|yr^RyEsrDP*a;pbmP9Co_hWGsatFMx zuYEHT&ztSoR@L##^|*2}#v=lGve=#VGcl!y|vMKl#T!bl~2p4e?g212hDi=7*ujyby_G=SJM7Zt2AM{6uKjRaRzl$IL@*ok8op}6c zgvfiDI16y#*#!K0{SOlA%X}}|qq*@NdxuI#GYrdoKRA|S%~9F_TpSI-Av2yoI=rIN zj2Xu5DWj95?x1IODH;OZVmrZ&Zqh^Dc){Z5zdW3QV<(IwakHw_U;5 z-A)@&Cx+bbAp3x@0wk~&BKUz{ukS(lL7w-5pau?_@x(ExFomf)Wr!)cHTaZDBCDn( zN(do4E-7adk|K|v`0}U(j-7boXfVS)ar|MYa1RO|&)N0%%f3B&zs_ySpc&5|g9^zguS!LDub>s9efFYb1*zJ;F|F*SfnyO;2@W7y;3e zfNW`P2~~tqCJRwW&@9u8inU6bp;e;TzmD}S2%%8v&F8uQ9lA+F`-$H_{Th`wz5NqX zz7CK9n`pL(Up?5I_%aYjw2MTVM35_YTXGNiHwP1CA_GD1{N0Qlqkf3wjPN%^nnLd@ zLBHi1B?>jNqlKtCqNJjvE}F(3PqjUs@TwIs+(Pve7Ae*!X@*9LVkh~7Dt3?f;|vsZ z47iv>6RM_IegD{ zB&s7$QW7WOgrYi^gt0Bl<)9@QDIL|~4I1Is5u?pMt^119tZ1N% zWJ4+;8|$1Ev}`9#UM$Gc3_%vfPVx%_zWSW>!O(kkZ6KYQ@FNHY9d<~~g8^KwPpfN7 zMvJ2GFZV7w42BXnXO=y<5;Xt#^YaS+>{_Aj9x(8ky<>lld;WAeD}K|7jdHn;i$a^W zl8;AdRuzoU6thNXavJNnG(*Qlu@i^32_1LV0Ux`Db>csbMRI4Q_TzbS`&fw+Ja&J; z8>h6-Qv=Sg`sCB{pIKhId3lfeMfmJYqY-TweIE%bJyFa2zx} zaUOlhLP&Ee)`n?@HjH8?IED7Jy?|5LH6{qHSAfM1&@& zdX3X$xuA?fRc-yDss$OjYDuj-N_bB@!rQ_aQ%Ek;UCTL*1!bBcD5Ka3nxHxEp{G}x zAQ<|6A5L9Ursog_zdqQ}T=+@&Ia@1tBdhmshLrSkc=GH(g=U`~aQ*SOPcFH0ucNL| zkNNd#C^=fa+qs#UZqAFlsqO9vs(r9ZGce z=H|2!d#E#lqWsXY&$awqJqwTdxv$jmzx(z2AJ5}XfCvY$`$%$Nd3r1gK4$0HanOI^6dAIKOCNqjV^bHAcN53ay=P^%peB_ZCI;h$tf|4T3=OA zO<30&(p!(Urb20DCOm;yPcAd`WE49=j*D|%QG_)RZ^7dK9focUJ%Rf5#(w`@Bh%=Z z67pOi8|pXY`7V)XQP7Mhj6tC)u9HgJ(?|z1lmukQ%Yqo8+t$!VSGrC=;aHw6Gvrwm 
zJMn}unET$py1)PV?^mmz#uhL5b4PD|{6=G6;j!$PQuUW;NU2#2b*$#X9b1Leb|MEk~y zPC$d?$w#`!dMn+~^?^+18jLZ9`5iCErexm-m4Ke(W`!{3a;+AH%wP;U=FJ|mYb7bs zM%JVTai6KGCyLg_o>i)rR}&setksqoS}ls5U<^92YX}ofPzPVuDGNgY2O-YxbbQ2| z?;_$)lLQq)9+ey!HK6ZCN0_)cxq^#AOKvJ-R7ofU zX^wS*u%hdTC}qQ8K$)o13T_!IxMhZdi()63hQZ#v*?YkIjJ zy5&F}M+jFAs+;}i+dn_QgdB{pfk71^5O7EZMEI~I_ZJ1t-~$G&s=C*`b$?Y^)lfQE z645p#>0oj&3=Xd4giaDmwPl7>i()7EfWamV4hHiFB0YAjIk!?A+k9H1aPZCRR?j}Y z`ulU==E4n0dD56%4O+<+_{-s?d$)DHdp-V)5M_yCih^bk1%p<)G6kzE0;8j0nzSaO zpb&}fOA4Kjs7dyi?z9Q3b=E`;Wi+{MtS6YnOE391O@x zFd)PEX*w5h;lW^%kgjFPce~wLZ+q>s79K46^hLrvt8XS6uZ#q8@U+kr&6exCD73Cs zr+QdIWBS$;wrg zSlU5GVUJqqL$#}$@HdX!INfUqA{|cmZffggUd^ymJ+U{L&H4t|;;#7i`fr%+SfV?l zpc%};+omgCmt{#RLm_RG7M3|xK^PUhrd>^&DdxnwbCsbxqu9v~PN`K9-puWzAnw86 z*{^{sZlibud(YnJ(-vBm!93jK?M{yc_Rl`QdjDoDu5`yQi~*O+z$j$K^T(i-={uo2 zMOs~Tq^>G!IU3awp`@|rCu!Ouoq$=zGH{h41EbjK=Z^}=!$89aQ&@3UVApxfil40C z37vM1J2JGp8)lKZYWtN-NOC7`V~$}^1+ZrrO1L!!6MNB{Nbq90*o#78bW_3ligaaX z?Lw^>;jI*;WJO8qh8MI>j%edmEcR9zVlRrF<^_gKw{1jWF%4iu!L9ge2KC>5_sw>9 zy18Bb@6+xmLOvX9BI7HEDV6r6H}+$4eHio;9b`j#8YssIMJ~^?MIkdNfwm0Wi1Gy5iZum0?FN#EqPGBYS^Ln7bFFSyclLqW%k@3fa6S=XM3Vc_n@oBa%Y|DM z+USazrs@d@Eu_}0C8BIwm>?y}uI@o+NmC>iZmSI87R63d1eI>*?J0PY?i0pjoR=;3 zE>h$ua|=nX+S(KFTV40ja1w@vp($LL-+H$WP472GXxIMOmjrkN1uufW{M((z60^~J zP10t$jEh1C=?(TB>y#+Qp{=MOv~P7&(FSyrByH+g#;r4CTon6y_ax+P0^*J`fJ@K? 
z1&`%uH`Z)e%VH^Uo|QD_%f;RYE}@a|d$^Z4qZ>x@7ek2FDI-L}rqZBcB3AW6-3iXbR>KZv$rWQR*;IfB?9&L&VJ zc5lrBjF5H&^6h}ozK{q9up2-H4-_$j02p*owg@O6mH-_k!nB5zMMJx??LhcQ6ChSp z>kLH|#ij+1)RM@P#}K2|0k%J6$cJ(+KS_^#SZ}|0G0Q)0Kb+gY=2tJoUx&7%$U|R} zC5wV)Ja-H_h*<=53%fm(C1I5{0TrV~Q&t7Y7U}06tDSX*+KFN(TYaQfMIQY`w*^Q+ z8;V-am3{UfkOCi)Al-}vaW@zV5l;_-={L`?o`2}#_-O-$%y{w`RLhpqj+Uh5g*|N) zvL-@Qnn1v}s36{3r$f7SEOFKu5+{nC_{JwCPDqTN5#B{F62iO57%uJ+c&+^Rk5idw z=<-QBuw1r8p*53bTk4i5)$}lkMTQ#ZEr#d5NgWVj1)rZ`|Ynx8Hx*S=W9mHs6jg zF#gqz*`~6TXMgRNq=}-S8BD;Swb8tQLBFMfi2}8%374%T9ivK$-pv$EGa(ir>kI)B z#ZEE-1O6z~m(zVjgn4okdcEK&MoN?3sZ+>Kc9joNwz71Kk6IK=B^XG8`w%mTvqY9e zK{JSh%94!hy6FVrWd|*!c}KXWloX{Bx)s7uIZiXQK22)g7E=8hH1MP;P*|3IY!?hBEK)Ye$`VEJ^v`MNo zu@u>4NRcQuO%)V2gB&RKmG4;;jhKz80A&e)IKbR(FFd7~^fUv|wNng0LDLLCp$eJ~ zL(5?aEr;u>?Flz_mvLQ(L(|zb17fYQ$;wandL#bu(K{6fpMvKF2FQXiU&ZF+ z+j)S>MaR%s^0dSsKKN21sX zCR{8=qKHR1cdtMGvU>J<=pO9DOd66aeGP%jhjH^r*1gMzG2giqdm|3J?Xv^c!w$WZ zLF0u8Y=n9k++ms!^Ky&JJl7#M)$&p-rOLse=d#oLL)*;zLIl zEe^MGC-%NdG0dV;yFJ!JEH0(Aw7R)HB8Lie;e;VrE=Z!#VS*ij!9=9y$`E@LrKHo6 zl}%H_T%t4uVnMRW5F}CTBn418ZzcsWe4v1R!0sd)^{i%)UL|T4&;Rx6%Ih zV(jqcUYyLujpnjjd-LgUtAD#W{s$}m)!y#co7G2ix7&X^|IV2m_^B)Y6$yBt?<2ve z<)S7EZ6&LXX*B8UPLsOSoG`|$r$Lo&G&M~vCKwfqnoWkNiDD-ig^r7w$*75h%#l8h zC2?1|sGF|cUfe_XzQ$MzAPtNn?wWsvd05BWwM(85V?y{yNMD%kNr&*|a$OXK%-{_&}kV041LI~YhH&rRZxuHa}wr#tr=~Oe}u*L#tlOcej z*h!`=E2&3e@B5X80lUH5Tzxkm4fcm2$>QHv?+>f5pN;EAwmRP`7>t*2xEcNwI@7P- z2OrjFVh!mSfqefJVGDMvXr>j4m_Zc`%G<71jnRZPlEH{~OO>vwtYs-B6=f&8E^SoW zSO9G^1W*(^MHLh{+LQSK7W7(UKCgLL>Jfq{U>=|m9kA%vzy9W47s^W?zjW|Nh95y= zHSTxnix*L#*$irA&^yF8BNQ^t8x$%ym4@~efq1PoF`_22RN4h>rIZT7wQ1hOvT2(k zo1)lB-Xs=9*fBARYcM4+?;SF3H*2{U`*mpe4|VM>ch|LSaV)Z2aQ}6_X}`8!(0RlO z^7xk&y`!KR1VEdb1|gKNs)S7L(h&P%N|Ya>)PqEpCO|BbwizNRik&0?s;&-(V+hmY zjF_l?4?_C=?%?DOa~ON8hal`BZf#i`Cn;%j{e~8j1tWr?wFC zg-ZDQ-EKqR;xP5kuI{dhaA`@}CkmRuB@8-9se~&Hov^ti(t5RoM)FFUOR>z_X2`54 zc9KhInfr974ix)c3x&zbW%%Lto7}H;NCeXlQotc+EN=MmZ1@FQ@C@|^d-HW|{y^ju z^yZT!TCUQfP&XI6ZYm-Sq>EG)C#+_YxI{w8BW&ozjufl3ZH7vVVkb$IsnVkOWkh;B 
zr_I0eVb;;P_hGn4ge6NdOHt4amY{R8%BF%WQlbU7+g8S_?U&M|zOc-DLs9~Bg&qwt4iupOcc(yu{_&m$g?PRk|*=z*_j6;>|*DH zWPc4mtIEZK5b~UP_Fy>CnHu9@x1n9@5aXQcy^Fu&6nmD7wJ4Orn0lr;DTJ}7BU1u< zOi5g>5u_R^k&YX;u~^$?h_xs-9XCc{a}&?d3oP4;0;85@8=-fTB*t`ye-nks*&1UuH^Vz1aq%qsL zjfR`{aXultT6!1S3&pLj#zlf}3dPY5t&LiPl{nq+w*PhYKd(Q3eEENwqg~pFyO;mN z?2o&bzZ>}Xix)5c7s8n(xv3~<24^s6V_FGWhy>CQA=#vcJ`2_vf!wsVa8vM-oatg| zw#$%aQS2mVP-MDC3ko}X8`tpdADgPUyhQLNzVEj(_Mmj#dxB)*ukl`p>!(S8-av{3 zC}^4lD71$uhcM$1^fs6w)ey<5l4wXvgRC?*F*l}*b=EFJXGO8oB)C{;MG@}#`|J@{ z3mcyC{YF^(;bzSluaWKghjbXN%+*SK-FbNg=JOuK;mZMbmb;U>h5x4e0irjCtM4de z1}iY=Ag~fp&R}2+BZ4bUO2(zptpwpL&5Brj?J~qy6g$ldH03mH8Za1810MN}*+FQ< zXO8&Pf)(ZaGu59AnmWVT<|``s2lpQ5WL?ZR@&6on45C;{2aZVq)r zxG;*a%KDU{d^XL1STgN0BvTYS&47!OQ&9vw{L((qzPFwO%#G6;y6>+J_W~MZNOSzd zgdHMet6w=6!u%Qw(AF%3vzrF*T;;QLJ3xf>M^?f`1f%UNR6X#+4HynfY4yMK5 z?p?FFZOAVerpdctvFrJQBo(0VF=?Nc>#QhrIMomk(nwv`kc`55r=&5{G0@S{)Qff2 zE<tQ(YQ4sjoBlfuO`^hT1TSgx|7&_PM{C7ZPbFIdB5 zJ*e6Yb$w}4#42l-p|YabX;NUwX+BJJ2zZhY4^j)n_Uf#hB8)v9yMoP7!Iyscv69+lD5)rR`r#+jVeu!Qm=<*&t{e9$ z4oxCguBg+s#}DV@@by1G^)YQgev4u=pElwMRT!Apf!z?A%7`LnFap(BgC<5mGl5!e zWxZW)h)Yv~ETy_kXOVQV#@c0QtSELWWS3eL;R1&E$@&OE<2aYyg8E^dk0C`~i~}>G zm#pqimMPZhovP79m&Tv^a+MT?hB&PttglN_TkjGoxt0B&AxC*{|RaKUus-oCQ(p)U6qKKc)C3!|aq>TT; z?i+XOtv%pw9{Pv=w5!C%fLH0Oe38d~aa&OoG2^kLvT4U%V-EtIJxFc6L?W!42;E^M zw12SfL^|1>#j+{OkWEqS!zz9{cDpxCYa%yPR))56^$+rm-K6!dGtkRQGga z2lO8B$G==NMWG>{W(c(PAhq=qA@{2$E}ll6?~raQ%wo-yWoV`-cJlF~X{NKXcu+XT zg)rzKG&0|tjrl5^`1xSZa4zIfni-@k*FPrI`T8NZ!(Sd`3x&EW`?kZxIi#`byTr}o zBwDViqRh@&) zj$r@-Oss`A09$bv^4{P6`58EIyW6k-DbAz0pb~Eb<+@Ih7l&`dnB!qCdpNAP7vG=u zF!cT9>44D$yG@)X%k@tbYD%Seqiezx98Wt=iBzH>eXE+bVcaxL`gqD>{gY+rpD1>c zCTN~1(BujE9cNCeo9THTo7+|3aC$J-nuPk?C-@SY5ZwzmnP({Nwa({Ott}J1JsKr@ zZ_Lm(=x&kteITsD-U805F5HX-a_knP?pMxvl!x+NluWl)wOgQD0;RxRs< zio)KQ-u~viBiY9dDS?&>!RT1;WewGuE}1kOW7gZ%d-2*6$y%&$Biwtjp-k8_#}#zG z#Iq9**jRUHeiQl)fG*=Ezu1dyPj}KMC;)*s8?#yM#?K6Cg@e9(oPEpnRunoUC=$qK zBQ<2vTX#y6D4Lj#IkQ-AWf^)aik)O%Vo`*6D8fyT^xa7uw?_Brp}b-r^sm?dAir56 
z-gtq<<*A4j)Ku8*@wc_v6S}(bquZ}s3$?*T+QZrV)u;CdH|zoCzJ#lN4D-9;ZwO_u z`^G7=T%|>!LvAAhnTDJb>c=QxC(`o=S*+5s43!qePB!#Mk-llcNgmXGeIJsGa2}!e z?gyH}1k2E&02pv)lRIA%yE9$6)&Pz_nxE4xlbD+e{dTz7!L9Mj>*>-^zKC8 zNGbw=f@W|FgAVE*0X4^(Bj}(5>Gq}?LxK~Yc&zub480e{PIC)w5PR8dL;UV%v1`43 zK(3?sVjh>RM`P>28UY1EvkYl^aM~hMcyPIND#4*8IkqTh28S@{AodZEhDdE+Nu-dB zL=nU^hj^?W^9=PE#ZGc4wd&JsK@r!M4Xzd=YI(7-yV3)}dcz`IXw7AVKf!(IZ8u=o?D$2?b5_ z355j;U$5YaG3 zIu4UH%d+iQ`sBuA>6vFp&nR}97#C~LC?cHN+_=N7T~!UH0*+cI7=HKX`tEc$jLRGo zo}vWZkr$)Lh&CyKv#tUvP% z{Tanhou5$PbPG2WdX^8PuAuu92su%ozlSc%<4p>NpM)1$=fmYc!0&oL$vNst8c+Ow zHeT~N2mtr?O4x)n{C%f5v|N5hp;Rl{2&zcYHHOrN_k`6{5T%rEI$m|HOsDknSbpXi z@-vE^OnX6*$%!cVy`CrEef;aM&XE=F91~>YU_4BfVw)XZ3_=jou?eTbj`1hADp^NwS#obVa`$FyR{O?}g?KFIEUydIv5&v}m zt4Ww80N+<)zk+{$dxs=mu3;KeJt-=|NL`ka$hxhFZ`EJ%Esm!BAufvCwK1U>NyH^lgsK#6Bud*Js}hk(D1qLini~Rn`xDP z`muV>Gt_ewJN@)8md{ZHWE?=u_d!L?FiB+irE3pAPBeSg6van*?NxDz2v?RQH>02#T*08GrFGjdO<;}{czGq^wBkgvl2Sj$ zYQj>)vN_L?%~9<1UYA%E;mSmN2$zF$HVL6+o^UFFYvT>i-MJU$Zhe3_@bI|ZVF3Da zjxX~=uFfxbrg!cIL78%y($FH!oEOAgyd`=#3YtM03@S`PO>3a{85}Rmz9zgZt-UFk zqOPrcna+geu^!Gd^l%hAO`2reUpOC3H;KmY99*U_7TX-{vtRwRhEwMHJVD*LMS9e} z(bjlZV=k@Vyp$Z~9RT8EZub_i{S)^pq(jK}-YPug5QZs>_pk@L&GICZnOyWYZ znG<$9)8K&`{irn6$BBI{pzFUjB)SZ4s&6_vP&nB#D{(V8!xEq=hI!~>h9y>Z^AFlu z5@?Z6>RMExu~KC^t=poZRVt&~UYW)WTP(aMu+t1f2f$s*u!%m!j$uDp`}D~kdw@y9 z9O<2xRG%c=xdQe70P8N78eJAay5RZOkL!GZ*K znpzh&_(&k;vI@v?{o&OxjSxcAo6YLZm_WEVjRB$0rM){6kQwx;^5}!DT&tS3vekr1 ztw>!ooCwu-q%npGS{0nJRQ|EOavjrWahxE5ou&`k&UofFh$gJhB$M3P?eW28sMdRR zTAwEkZN2rfUc6)112NT`GKxU9CL$Uug zv9hYU<_zjFD@{pVl?@SsmZX-gsddq^=J6dpCRH1gYOzM1z)q7Yu_{6%bjBQT-~g=- z$7W^6-Nx*lW_2(}kVr%K7hgr?qndFO8FeeRH^Etd*feIG%!)DU(#dxT$P7lcd5pqV z*2?gXSJK)gm`@|^zc@9Llt$6o7}1(0m33jS+{KJqth*<$(~P=McTXTbfUF5ewAHJx zV!a8=uKvdk2D)2DcnMx?Hs9j$@6W~&io@tm_ljVVo>WE?_mJSvLNWap56$5Z+OkC;4TSrbWNd}qfCCMP^87V~GZ7N5XQ^XEb>K7sf#%B~n2aT939ymn$0 zq};#(?(kyu+pU3IWBXe3r`fCZ!JpsG?Yr08)!vEt>*FbC`qqaeNtO<}MfT6QCJHWqCwJ^WmGm zZKz?Spk+;JW4(Q*nvS#$GZkwKZjwPGdu1LIb+P`Rz)lnO!UiY_#5wnL_1g07Kt6k} 
zK+EYPR1V&JdpM+cY)OyM1Z`%GTeGD~yoctH1Z|gMbY*H@5Uq+9I>#EwL9pjSU6d8q ztZC{ZNfH_>@iaq;N3oM6Nv--cNl?TG$o^Q}+BXL#WWT;~SzSZ-l);uEh6BAS&IlAT z%?O&OoTDoXN{!v*EhA*zk-D{JgA36S+I4MhI#V~v20Hf2v2so`lyek2&4>$A))R;a zjBr~K^iZ=q&e1VriV~OhhfY9dP$Ey(Mpy2+mQ44OP|9m4-E+OwG^uK>ThZFTmTB#g z#yx1MivQ8Wlh*O?%#gapT}>^E|;iL$PAj~Nz~}d0%pdxLKDX79-|{=ya1+T!`i3Ha!U43V^ZafFyzCyX+K8=kKSQ?!Xq}1`+ebZggc`SDZ4= zAT^j-B1-Gjw33oeNmkZPZN1`&Ei4whX@=O1VlN`%x!10>lRb?a=wxBtqV4Xu?qRZuxN~(Cu3g|El>I{G%?b?Hx3NNN zh=^EIH1>&--`qjo=lY)OL3cxwe&3JdYP_gD!kex8Y#=Grt#*D}zAwzqx$efg@d}zv znZxaFqsI%tWzW4g%znSyA6CYG#Kx%ww1C?c;QF1Az%u#)CB6j96?U4Zu%j!t+?qve zFNx6<^sEy0@3tp}D9V}&t+h#2BHAm*3OmhE*ir07UxLXghdALUpqA=iT#*IHrBPqZ zL+Ci9*N6QnG*Zwf_Yx)Ug?jp!@-DGpf8!LyF7zE0h+sezEae(Q zJKh$?q_s>Mi|#Z-bVsolaSUxCGjXOsJALe47x-l3-=5;+GjJK8j7v7f!%})`Bt%1p>3qkwteIm=qYRAx>`j80H(icP&Pb-{SfV zuz$Z8#Cbzk#+idcrkPXbsr~56b=4HQum@jVRxsDx{!4UCNmx^LqG_mVWU30$UO86# z%M7(2#a?2XQa6AQ2+fWEDmEu@uiQAVb0y?Up)8Yy`Zn|vIDE5&xf{CpecA5**sgBu zNfRb8LDi2r+O2MF_to2Q>RfN{PhnpiqtxnXe?I)-;^bpW2Am#Tm;-uOuA!ek?5IBt zt#QL0;*o6hy(K8RJo-@PMIX?WYg6}>H8m+&r%Bx?O$04lqEt~)(KnLzsTLRZ%5n6e z%!odq*oi{f^r{Fi5ya}xyUoA5F@}Hnm;2C*{a?;x^@mf-%ukT;3{*-YPqRfawpxBEn z+Qm8ZDB`pEx;B3}yEAq+7(D&=a3(l9HAD0U6D-h6Cm6CkJW%F^2hf!vD!`=C1P0@h zT1iG&ZS4z$1qMkt&5$@eP-cV&Q0%lpNvw*{0z<^Tx8gl7vKkL}Iw=l8ne~Fizlpp1 z{}@kpuvfx(5XfEj&iMK!_*&D&7U)eT2(~<~Q0B!I(3L6W6{}lIFy1LhG3A6AO)cL_ zOq;zm4(BAh1Fw4||fcM?xd+ zd}psj?I5~rO5#F6Gf0!C!=oz?S~~$fmDHVebEK>pX{l6|R21aYG-+ZTzRb|!QS3Bn zFyvUV8jkKio>Gw~^fGS`$2Bx)TiL@ss9bPf)5hMAK6t(02x=1a8U40Z)_iSuC+}xV zaa6bC6q|#&*_#`G2po->n`C1z_+kaENN%mY8Gq%Qa6h;vw2gxr4A)gIv@SWnT*R;S zYX`L#=&fJ>Ky=xXWwqt#?_pf{RXWwxbknzdlxAW`%wp|}% zDGs6Yl zzH=M{W}Ld}x#0yvNr1gtd@Wlw#$l42k+zV}XeGl1re?Sr5;oca1WjA}_s;YMV`Ir>KV(`82 zG2TDXJOT8M6Gn4+kfO{BQlKllLi3*6!*&N*#AOYwsM?OOR=0)Zt>Rs(w|-evagd_Q z2vVTfNw%d{eVT13!j*Cgx4*-m{N%gy`i@r6`Wg=B4GcLiDIJBMo38H-q-uIi z@79RT@z%YWu+KfpSr4h{c2R^kmxmNk$PD7-g%r@0?Fp4@(Q48(8U$kolZCV-wCHqG zm5u1zw4PVRA%!Xk1u=n_IOXQpDXq 
zR2b^$^kjTWS>mpe^jaQTsPaM!=*m#3P;pDDPEcs-s#{AhnEYVF>uI^=4uiR|ogo!%DXUu6i6X69RdIx&%7`$a*lF%y$RCCJa=Nz; zP_j#5V&R+9MnJn9=`Q4K&))d1|K{8jz;(5B<73<&=zbJ&;}nl`Jqw3ltzpjD!DVH* z*KdG}P~hhSU|}dtocQBp+aC_`y^Q^S_G3dtA4)m+QiL6h!tw=Nun3}Dq3=IQ<>k?Y zDleLVuH0Gk*E3!bP+~#3stBw5(n+yxRZ$RP(^QV52~|ck0mV*J`Qm5-hIl$BXw2+5 z7?_ndmZ==qFhTEdyE|<(498JU_Hs>AZoMV}4HFUmTrS_EkQwaBlkd@$c_Vo%G^Bmh z_8@2~NtmpxkH)%IicERV0?w% z)ymp6kf%b>@|;ln>9lv=Tp0El)#8CGX6~fX+VvuHqqyAs&|#P;6#PAY)w$lqt#c4} zCcY2fxXj;a$lgWxd2zV_ikLyqJXs!Hne&2HqS2&MFdML|we|6&Cah(pXoXZ_N~efr z`6@$}N3j$1yjYV*5pTC@|Ly+h**P|u{`~4^Pn7HHw=dtU4_^RmL6g4he(YX1rgi(2 z5xZgk_}~Bf3&NGlRdp0HgDiQfI=XV*YeBW_Nu{-Q>Ka{JvUG|tPPMX|WUHHW+DIL% z>UD;yj$+efL1F3B016B0#BU$2eJ67_P14iGkqC;A_X14Ia4hhh%6*l{RkUHA=>}zc zkQ+x{o!rcJ`}?1R#j}KaX6g9cnWzsRK0+|(&K@jMRtmj$oOvi@nt64e(vGg&aABH; zNy010%dR;i+)zqrsip3uC}^239jIfaz0OeDQS1csP=Wr(SFcml!*CFT2CSP?>FP>W zeni-6oLLl7F$UlL#p;#a({8p8=1{tlxWi%Se`jg9KZJ9|0qRGO!&T3Tn73waPX;@f zUJ_n-?|ROJ;sJz)mzM{ikQp@0Q}xl6JIQO)w}uoo(6BVZ+CE+qm~hjYvS@0V7H8{N z)vq&DeH1%E!;5PJP{diqcQ)<3DPFBCArCI`$8{vqK}EBN#@p>0QY4)Fzt(5BD;#d! 
z%kMY#Y_YNy)9f|?yTz)Ee^NBPv(LPJJ}ABn*2Q- z_q&taK#zu<`_=tvf4@WKuO>c$)HxOf%^+`HWC2~7cP%%yXrToybgHq35TWd`wr$(a z&`K4>)b1Te7V3=10*aj=FAm$<=V&%jO}H(PB|74+!k{&rl$i1}behbs+9pRRgp zFng~3`XSu4Yy2TXwH1_No$lkNH$Fk#>>cIq4D?1`AMV_jVeJY6d#H&%+^^NzrG5I& zB~Xq9Etq_k(09VkYIyIC<3fK0Fn2 zbG+T@!`TxaCirZjdVhOk#%UNjoZ8phqwq~|#7VDRdK0wb?UT2A{*EA=UJ{8xK{HsL z7l}bvR-HYRo7x&|H@&@9nsDBi#IUYwS=}<#Ot3nR#MBv)7!-R+pf7a;2(1ys(`w|I zm%fVCIsCVd?W)2>}%8X`=hx1X?-%Of;(UW5i+S#VW$ znk(zZN(pUFG-0acmRO>!+rFw8Pb)ul9HFT*A~Yy=!cty5>HtNAb9`jyLJir*p2P_Sgd_cNcyO!DKj!OGx1K^3vdsN+>`YlNYXh zLx4M&X686dkme^1Jxvo9}FLzjJ%8wdecw;R}oyJ?zx_ESx*Y*)M&&RrZct zyRutz=Q8) zS4wIS%hU9WV>oq23aPoGs z;?-Zbn{Teh%`#{6SOHjX<7)%>6b@s;9{RuC*?(yt&fZ#XG2h`^l< zJl?~29(WKp9E*Ege@{2~YT)DAdU}6`ye&7!%3a5oT@G2vS8g@sLey@}-8KLn%!dm% z=a{8sqDzK{KR%@Im0#lqawfLE&!}GauHW9MqmK3uq2uLKmlL2Fgv6jU%uOa-n~K!j zI*OpQlhV&kZko1CH`s3CSWlA?>p`(;LZUFQxX(LIqZj$jg_)z;UYI{?En|P$J95}Z z4??CVW6Y6*@y+ed#5iZi55?+Uu(w+(uxa@7O4+lqG=u-R8Ma|4BZD?ThkK(SV(pYC zdnFef7|!!glMQ`$DYBuUX|kcvQuYQ$C=*#|m?2+V+SSaGt*uP!M<}PQUlWISnvC!c zik%?a#l4_V1Pr0Q*}|6RG?Pc^4PWgE1eyn*lNj8Vd*&E;*ZaG`$-Q^R4rcS!(rbJX zj7M4zvB)tuNAwn{jc*j?vLc2PkLxBX;D~e>x*7Wr<_e00_tr&3_;q>E2ZhXF7X}qD zDw*{y(b66q>WUd6bW;(fI%TNtU{rFNU2)W=$%xvZ*a>!_B^>GCA&PtD5}k+e;o!@| z0Bv&^a_te~Ic;0*?#*|BK?n){a2S3)-G2qWy97IyM^&1 z`z3nDi5`X}3!0WunmDS`WJFa^>;$UE-=3t-^Y;ktCbcfxoIYM0r!lui^7bs)~oASaJ=*nf+caj@Us5JJZ z*+Y!Z^cCTZmQvSkrR0REio+L8M)(57POu4s{r;;tUafwzCgBgU*`x@CkCAZcHLF0B z^;UwAJJdG&AC7wg9f$`fDNH$WfwEy~2l(5Y&)$@|I((lY_$L&ZSw|l#KW;+0jpHk3 zzb@||g+gZRZs=eM#e|}q6C*(zqr$R9^MWX0N~IX1RX5?N$FYGXBQ}6yCn$4qGyp}M zh5ukHz(t3j&m(DqT^Uu_*!G+gXn+uqU=_xYI`j^N3y6!Ij<>tLQzFjkGCsfF|9j}w z4?U>hXD3g2p=Gg2&;2 zCL<*}geGFvpdnT9Vie^5*1{ zS8ne2mPk*Xo8BcBNglSAYw=B<7LTsn^>wK_>qB=;LEK1`P@qZ)FF0*YE0|{KRJq@B8&p{jWz8_b2ImTnK2KJE_36Dg1%u0T@Clys+mn_>I43EL(DovHINU!m zQ)@6kA_UrpJd$%DYG^aAhd-V7poDf<2s=4yFW zMw3^Sfv!wxQ7WNY0=lc+G)-&$_qrseDf_xBDafvA632>ulcDIN*a;F}tmvbN$gkSL zxo_+Dwa46hifOLP1L*}E4IjOJieA_*>nMJXG!6UsL~DKY%_WWN@^XwOuN(tid64=E 
z$gczhSR%MKq~culx|5*3rg<5M0h)|30E(U9C8}RfPP9Rx-+OgYR-NCAALiy+`?vY_ zPcy!JI2E`Qx$T22JNuhEvH33L4#JskXkD0K80IUvp%KGX!{jm7l~E|jes&Qs`{cI= zyO_I)!}<`HWR6kL^;S9SjL~^X6aWRy@Cq^Lp!5?^XsuV+w1mq-6IRuts+k0VHp#~} zjsmn9Q2-R1=3{Efr)h{HUhlRLm^?p3m#7w8eq&h?&WuC2GtTRDtkfDDNXNkQ@g!X9 z4c~EaLYYt)$$B?V zOhTUd#l4hJ#Pp`v=2cywD-Rky0j<>G~+$vAho9X66^PEhJKG?FXGF^ zH5e%3F<-#9+MQrm^0_x)Om3{x_Rrzow!X==+HJr3d|G4!LRZ9jvs{{Q^Q3un<*qBL z)-;B+vbHBxm{}y7q9RS*DO%N?RucseZ7j{V8PYt8y@)p#cU3|WZ^qee;NZCZC92>L zre}1yqZpxaUJ=r}1YHh48lsRHtjUw$(UpsmiH`O?F%(j~Xrqa&`hw`jbX}?KS+Sa6 zO)SB;84^5-op5<@0X;q63Ijf!Wc`czHXP-iZFbPFq*z4KL8y}H&@@%*vUw&{EW+4f0 z3Wpj4SAJvvb9cIPp{e!8+_)f>^~s@Qp-&PQTj3N zhAi1oGT;p-d>eijr_J%j>ebiX8ZycDny8%)C5K})JxbMZSBnFj-~0D&I-#%Ka%JHm zxpuq-m;CYQ4#IuieWwB<6uvzEfI?M zKoLLrijYt(8g|EXcg-kb0B+-M`<)Or1RmDg{~QXNk4K@tSohHNS0Q$5HLHW#ukW1( z_v|0n*Uzt3k*jG<+d+lYB#}A+UtSl0LS~RJFP?y|T$i$F71R-QoRgYE^?%#f1d98H zKyI3RaXg{Th$o=f3G!WBR*+ce2>lI*@;RURF>I2jdp&HD_il#Lpto+;axeDl(Cox# z{)c9YkP@)l;wnCRCkYBIZ~D~cHGM)??wBfC(N#p0CA2@}4dJF0glScavaq&IRY?kU zaR{Kx2mzqjOH>r}BJ&CYaQIj)|DgE}43Kf0v0Sp0Gy6N2=6^bvt8=lvJ8?c}L=0xq z=NGxy5kfHZW^jU`kZFQ-dA*&`m0@3`)E+$Tt_U)nF)+15+S4b~rdKuZ%5*rOi^Bn3 zMmPY)&UCYq_!OzoCQoPQYN!{1-Zee(wwz4Mn0AA^)s6hTr^C=D&bQ$3S6g!tsDSV1g z81Bb-G~ogCF|b+p)^S?Pjk)^n--Mxrz&wO_mlpz{kQubgi#DJu4-o|d0y3#P+FQm^MGS4UuKEJ><23E! 
zXhW9~Z9uVeX@`zS7;-qK_=i^_xTZ+L+pnW_{9T){;7_^Kxscj%2(yIzjB(*}l0p}m zsKRL&D(HU~FzR;aW2Y_`*Eax3n7t*#AW+Z@{^i9j(3OYS1OYXd)J-P|7quj`riHF6 z4q|Sae{tNR%ZOW`*tz_>cn$=L0K$pYo%qwK{XW^>_b^;-Pj?bVTJ^(dX*WyS5ol>sAYHH`7X_ zOAfkNv+puAdlY*ScP0l?<0L|-U~j}W4nVn7566_>T|K5#@$DZFqAV#nKtVHzk|)HY zD_3RP%Cc+-1MR97v?aWhnrLkV6E*A9V+r{&QDPy!%MjvG>_tSmSdB*!zL59BhmU`~ zKRgst#p$@a8%8W|*1b{R)W$>!W3cnNsN>I0sEFc@n4`3$9S;hc!KOSx9$i`1%+0wc zQc+-&ksxTb#4ycaV7MyjgrgJ-@?C}?k7DOKN*62hDB>-2*9E$Gha04Y^~NP)1Ra5_ zKE3+yKd-(XV0xQ9Mri9Klsefh(RGNr_1fvxs^6UK zKkV=R?Z325Q&s=*H2v`RnV=sEnx-Gi6W7s|tC}(`TT04~me$8^3c{tVNhc~^35%=B zv?|47ah+v|>nQdj`dyrBk0M5E<`@=bQaktBvg@=tM%_)${hGp24LXe7nWHsg2!oc$ z=_qKr+yaG`yzV%Ylr$Z)7O140h`Lq8$fmBVhE@%qut2dM&NB3H6nhZ`E>53E5g&HD zFDr2zqb8BNBkblS-0rsCLR-1eZPgnTpKIzix3N(jq~{IsVM`h)0E00bt~sW+Q$dO} z+Z(%_8C$}S^M%HFdI+DEj3GclGb~b`PL8fzc6D9yN)p+Y4D$0jBASL03aK!L^$ly% znR+bN$ytU@j$$vOHL+>G@dh)CWCJM*!3xe9~ih*_j1N;e9c!Js^) z8(q0%(6`zs0^+0f(5-XDM9+z&H3jhzw8u1qVx^m9DBUPFoz#+A65$L!=ong^io45> z^62G~Ojxcyvpn?~U3pNL2}p^g?zA96^@8xW6tv+rD2Zt%#OgE4P@hrkMYiN(^%+Av zU9$1X%gDLYa_(MR}9T||J!MI6tSK- z%8v*uF3$-^Au~9UCq<(x>!x=JBt%tEXP_B0zOjCcD;YCXa@kB+oLGux8B#Qgy~yHB z^}_k|{^Ql^!%pZQ#Rg8*_JE(Bm55#uyc@WX^^X0OR)^i@j4dDH=R{j%jPQZ{ZPfRWYOyeH;IjJiH41WX3#KC!$w!;+7!Cc9jU0Uq1>e+ zoKi&??PM={scM>T`o>}nn`LO&D0Xrtb!t_FTj<2yVJ6m3zr9+0Hixz2{I}IRO9*KX zc?cPnG>t()GsuvqSfeY`UX?w>GK>+{CYjc{!c220fYK1mFfE(Vcw)txWhmAtcA5+q z%hV{s#Z19+yn&{+uVIAh-uHcnK9Oj!6un+ze_Ad#vpl&OU0KMYg<(;o<}fKr@|Liw zDlIEi&y=DtuRh5I9?Q)^@gVuRR@(ySvr# z+r81I_gh!^ojABA@y+?gdlRM&-LCHstM>edo6XJ-4f2`g-8kd*;Q(_V5%!m5=hy7E zNBi+ae|-9zfqp0{JBfm(zZ*PH3rAPhqP6~fQIeKJ8bJ>Q&!W<#GJV%qv};wJ?jyou zEu3d);V5?cyMZBpw5PMveZnzAkv_-7`dM%R=mKYnb>mwW9bw8rD3S>;z&LVwt9KMK zgCTjTq5kP?WVU%eI@ap0QNUGo*49JIxRb`4$T6-kszj zMG_1Q-ut-$!>7|8lG}bbtlULca8)-6)&5uQ*V1R~DsM1{@^fcq!t9h_JP|Hk+avhct4PyAa$92$ij2#iFwIP(8rI4#eNg1F%*``oZWKFBrHi#~6cH*v z198rMiXfD>hQ@t#qDbgrt1{v~nX>?^sftHnO35Y@VY@?_pgAt@PE!Qrw_3<4&CPS=C z^9)@Y#ZHp}Lr$MBZ>EgA7POA0l;U{R~la zLmJ83qN+-ehtl+j^cGcU=S#QeZcN 
zA6b`c$2?CvMpqs*Fak1&J+ew>T?>~jD5Q~12P#O45wwW3WB6eyBXH~#Ba*8=$p{?r z$Vdz+J#&l%e$j-Hz(JFgaM0zHz*inbF9LFgJ$5uL96JQz4WpFH9@LC9C1^~E<&r6m zou4SX@n21@lSdbHpgJ#eoODDxw9t11`ss;4Og}kexBaJa!(y9Q_ zB29}jrp0od6vs}};?g`~95HyA4;bJgP1j0nU0U&Hb7S9wfsTvUi9sg#8cBvMmOmXd zhauR?gJeZOxPWdL1%X;$(n-U4(`wKy(hR9$hAfvqaqKihE|ouV#2{xqh{`=C%zC@} z*^Lf&wc?+4`y(<~7hfmIlEtE@gXXXVTX|5f2xu9kuF8f8QI@1pZC{(B1t}xVk~(I| za?umVPP61v(Gy2}GJDs?z+7vnjxwF(#ggEICMOj_`;=dCHn~z7&~u< z+1|n>_PQ+J@1l1IanKc!lMIfS!I~^-6kmBzya?zXkP*cQ7qTEOH3l+cBv1D6r$rmH zX1O$qW2aejsWgfsMzT1Y@%G^QLBF>)=H?d3`AA#~rNLrR)IoD-fUP_zTLiQYyS-GD z2rZyPQdg9a1k%f7sSz!@mgG-x5;0TD}zwv|K%^zZ~A)Cl)qOa{QH@lma z(7pr!p#*kaoDz$LPzTMS1lo-`C|d-?4pO(OCW3d8xU>(*`lv-RXhI7XQ)0OgieslK zaj6iBBY+a`-7KKp-lzQh^^dLD12Yg3peeX02^LGA4w^#(Y~?}BA|P*&x@f2AuBhe3$fH@6R5PT#St+#4np9#c~~#=INm5%7crCPi|%;8a6&93CXE?~a|`1$A!5Fs^H8 zgpQEq(sWQ9F@q_2dMLW`pk}$Ab);s(`kkHKMO@NGDBwvmCDub}h8~Jyr(?HRc2NjEeXhCXG86sg~hs)Opzy=1??ka7wjr=m^yI1tV=x4$8o#`K^J=xW)H(S8tQ#vu^nPvsd!`M-iHpTg6fuJn zdEzI!vM5=hRo@U^z#Q8a=GZbrNd+wjrLJ3ErZsRHi=Q+@{6w*1r-G-R!`t+t2qn_m z=l$OGZ+AmeoL?He4Gq=7yL)twI(}W85zDntnx}oDE0--}E{{jLzDY14Ks4NS-s)ZF zE!Cv6HfXGU(hThr#ZGT77;<8BNeQ43RlWZ3ia>#*-D6;X*+H{EYc>!zT-@juhs>Zu zh6?&Iv9cfj0tLu_`O6P?!!hl}dGqvNj+bGOtlFF)f#vYS>i=1pKabEu2nL|p=e0eq z{<3;@_;Px2T${bU*e9{pKRmau)0P42tvasO`f7YJ!dmP$J37p@D3G}pe1f&HSW7d+ zS`<6YS`3*Uq=Ms|Ia?q0r+c4Ba?&?Y+dT{tzTfG`wR9TVsjl&!VE9_NiCZq#(mb&i zU0KnRF-Q_63XGOTJ}>G%*OtUH?0xEjm}InC)S0_3|$z-CYW<^Vl0aIo9h)QthunKb>H{h z5y5QC(Y(}V*L5Mv07hSp5mF}gmt_v?~QZvXzX_+Ry?hD*r5@gZ|s# zmA?)yC_jv6FRza~Bx?m-1Ggc|wc#>P z8%9?yWmk%VNmAI8kM(VJOL)O60+A)rsJ`q>`XE%s+Hjen4Wrm(+hZK&?8v-O0eTJC zYJ4uNzlM{Ff3g0^erxxdLo~Nv$`@uUP0WLZvnm!$OEn{W8%uvQr?8KMmVp%+~5X`KA)SY-nPrrvY zbhoa1-EnV?>HS7*jn5eeKmBEx&I&Ht>fTygZ2Mi%NdX7V__}21<{uL)XM9~O&HvMQ zzV6Mzm3jTV-<|HSw&KoQxzFw|@mJx-o`qol8omw>FX2EBuLGBGjg$T&_IvT||K6DG z&GGh`yYh47`#NG)|8{fyj}?86e1ovhqwQ(KOl63uppjLnN+L~XNJ-m9Rn|KZeL9J{ zjN=GpMjQdfPJDwdjv}ClR~mZat+(!g>y)o1hI%^VXoaY50<1fk$)^+$UKc 
zQYiC63h2tB6SQa63E@&h!@RB|ob}ewDoWd~YgB0_4!Utjq09&=px6m=pz(yX*p`YX ze6O=PXTl9%$xdpvsk`2rC`7%$RM^|pR z^}Zk!ZJ4lUn5yU2UO+x=%XHg{jC)J}X%c9a+ zw3;+bLkO91!nBrz7M*UomJ8EPY*DdPUu8)3D0YHH7q_iI5pn9JuxB4IH6PCte+F)u zqtYw0Rr_y=@=Iwr7QPZQGtSWv69TC}SpS%d1$P zuQKF$6g$BWG+8?t&Ou=@Nz^bM${U~8kX;Z=iv8j4{$vkDA%_=X$;C=NikLx>Jf$98 z*(hdeQ@|QjcOMD1yPP&uX^XB*r}B*w+ua zF=;q|DlA+%Vc#iO7Z%*adBMpstc@TTt#X*D#w5ws&rH9euUuuiS|f7yE*9=UNO zP57_qUEE!jfnr%7)YmSIgU9Z6`_}IEx;#C1vsesBk*dmdW-2$8X?G0{_uF3vNhz6C z8I&?PJ@4VgF0ehWsti$5K0!vr6CbSR=>#&|aC8PWxc(aupU!x5>-!{vIdhPE8tk*Bj zP25BuM2aLWHO!S42ZhtA!g`^cIOD}-;Kli|?goytfWR>-JAw6y;dnUKF~Rrioiu}c z*j`!S3hOq3N_%dvU%!p6&E^Q^`KT0DNPP}7yf5fdj0??xen2$&qi5y6E%Z+ll}uRJ zp9^#Brb~6uH)SPBSv3H2RuJeULTa7tRn(B|<%hW&0?z_M;Hc~b%+GEof=YZ?tQNbW zb`x>{#cHv(S%Hve8eQMZ9dX@ELiA@aU|$jhM}=kpJ1hu}uFTR_rlr~dWm=VxKgvjz zadc%V8(J4BOqAt9os|hEyewOi7BZIw&y?=?J7rQgBu)cD;;5`28>pB8 zh2N`0g~2Qwqu(ZGwUzyDyJ&X0pQ^gHrrFd^uKV6Oxjv`yg06&Hhp5OjT4-2g99>z^ zHp{aTDuVU=;Rfpa(sGfB!ouI^%B|W{+MIQK`-%D-P6LYO!D0bb^7`z|la`b6)Y z$5qagHYHh-)P$C0LaL@_g!7itB&m{E`cvqs8>6QIF?v*X0>o#h(W4S?#tOfM6R7_m z>f2I#9@#Bchm2_BxFN7UJ1~z*%)oS5U>;pLD;Vdo;G{{QFK|m6Qdd<>vNns`nx#T= zKX*gjz&s5I%%idsxWL4$^)#`^c|!9iFarLUQg@+Cam>C4c9oaEL6^W`a(R@VhDGVo zl^ZHbg^hxgFtL^9A|{N*Ica3oHf2)EB%d&p+$cQ_h|;676EMNVCh&oXogR+#v@g%l zlLrpULtmalf${yvyVs}3C*k*tqvrC!Jq>HPg03u+B+Zy|%~+OYgi07Mp1{-`DYG`M zv!-q*EGIYKO#|ZHsO$u4E{%7if?!}nlG}DHE_gx^voXpI?)y^iMyCt`$|aF*RA>fP z!t$okm6Nti5>`@@6=kXnl$aAF*{=-JmfI2pXfZlYI(MNu4_Vdb4@= zCm&`o=`nNZ^}F|PZX(es_iU#}8R+_ReO+}FDRZVB~xg>gw3e5mZSo9cOx#6N> zP09$9ydjjSf7Mhlk_g^rqJffPf8if>qsKHLdW_0Wg9VeEIFT^1w+0qEu%phKpT2zg z6n*aYIyU%P2=dGNM*nf3kzGRV=XdXa{-5eE_ggS$#-vHNp~2Q(im6L=>sth0*v)w& zikHWqX+Zq>qi5y6eR-g_Ht=D$+q^!!Y5SeMh}21Orp%#Wuw~2sY~K-kA5f>jWGP4~ zDTk7loUo#)2ox#|>FZu?%iVZ<9uSX5WhZ;-`BpuxXsE=Gj%9bS>a^Y|cVMY|fh(1g zJNP5oF$=xCZ!1QHrj;cR3%{c)mz*`C= z=tFVa>YmhfuI$!2Q9e#qQIhL1Zak}#EcN5xr4aG}3IUb%`#7lBuWAePfqpX4-tbFr zetv)R)X6#YJ-XZTwY2j!hUOKB@ro|!-7zoc6Y?-V0bMywTP`c;Rl%w9g-h9zI!+R` 
zV{)FbJkMF-AGnjdd_o?;C!n$uh{41@nIg{*i}lx=XbL{qMPSdg7m9vZi%qxCbzhsU zRFK(9p$(&77u(&QEr(NfOo%)PK(396&V6F+F0y-zTikE97X)jUP!_1r46KEv=A$b& zS(DXGU6F!wU4xvGDzBBJlu$kt2l=t)hW+z^usn?6mWONlxvt zo(A&Ij_7{z*P)(LpUIlk-3s-o<>PpMA2M-&Tdel0XuV%?b*gtQG+5Ooa=P&Yq8Hfh zc=Y0ODkKl1LeQ1VmbFPLOA^;KBeX3tQc(q{RIs#eQl2yu1>3nxh2#NL2r4@bsIyz> zpb{soJ-F{9oB%p>!FF^lWUEVavl!bx&o5d)MP|SxjQc=WR#sk4d0G?BU`%hu7~zSm zNRw5vsk5ReNy6ILE3W;PvvloAyl;bI$tkoTV=*UKIaH5064hn_LR zwsZ|qPQVsKInD1*0qLFRCLn^Nvzu(!R^^Xx@7da>+QP&xb$%%yU7GpQ-ygcAyPTan zy#OX>E5EblvcHYKJS=)G(vKF!A?q8iq8oauAG#aU0Ib`YjBmBO+E3^$l=abfxm-rq zi)V`U;xs%T?1^c(Ln#cP*1Py{Cy*jwh-u=YVAZgZyXaoLZZ>=_m6U@sKktYB#akB zS5C4fj`N}P{Ms<7ke{Lu!e$P5^TF=pt>G*gC3OiPlc zFjGreDx^}T3K7L{P;r0hS?)4sc>rUE%1#_dXEz-}C7#ysYoiysF@t+&+&}~hXAcBG zC1xNYthxeSIWKveCS^+s(Nu(13ItUmQ&LuWskW3_Z8!e*Q-#as6aj1wDm!VvqLO~A z1QmNyuy50IKJEE((ZCKf_%*u443_AHUL8dTDlv_YB8<*KSEfAUJOg)`!faovHj7${ zgyc=t=4n;OS>X>D6)v4q1kgFC?BsFdTNMGuM2r7{8Miq*OKGMi{RSkCGS|2=@`26K zrleD*tv_I0=9Qtimf*VIodQ z#_BX{BrU1%2fYiICMg1F5>$2?S7$dPLM0BpnSXx$C3>g)oA2xqZ2xY*#`MLXb+<8OgIu{UNFA zxXS%Vap{pFfF40*r;&1Y!y!~c&oz2nvz0oD>~IL{qiW|*9Z1UBHTx0!)-A-rU4(;6 z{`SC>p^LU4LYMV!FPHNiMHtV4u3Sl3vjT_>4#yU_N_A5tgqDR&l9;IjZ(@6Kd5$80 z=Rjrs<}E7r^RKUc77aQlcCiHa=6KhzMZ|yo@lP++Wx<^v`se98JElBVK$P#GZ!ZF! 
z^H~o3A*X>8#&V!5|J_&)cVkyeK_79`?o!y~t#cU<^pP^K-&mcHQZ}4WNujqpa375* zMVrcsPq=!8%Xkz4j0Y+^p$ncR5jB`3I#{$Z*8J;F?;~kh;+wI6`gvSS2fUy=t&QTL zYH&#(CRAvKB81IEKv(`7E5fO)$ISw0dbu^#$b({-oJGs{+j%z6k{{=bj=7HzWIf&R zJP|4~L+`?xTcIll=$#Qg2ji!8ZSp8POZ`q& ztwvLtgH{kVO(W{ECK)d{oM4R9JdX)9t{vKv`ZdR8(TV^T4V9hH9CUEP{0TqUHBJ|y zx#`JioYZID&g30=l>j9tzz6=9>Z(Ut!Wjp~rJF*{W2JWCCo%~6T6 zsp^yn!4uQ#qb`e@K#S{PaF!qVE=^Vh&}69W1n|98Wix^Ao3ZU+e$1R4j*nfZpwmFo z0AOghWn`pT@tgk1v!F)>E+^KCFk%f|8Rn^_sj}@GQT zVLVvcq=Lv2ChaNz5GICI1m=ScW1{?kaJjTHfJ;MVCjf!Z?6?~e{NKLqe3UDC2_4r~ zvM{OC)J8d(L{HND5s+L$jiEv_U=mgqg|7VBrbzXpZK;pZ|8wD}y-Vlpt-cZY+s34( zsgFBXGV`V1Jx3P0-lIZ$$@|@=kqDSzyjBAD;fy2VdNnn>~6>_E$$Q=kUAp@8;(Do3xj^ zU5FPiB0V?WeBy~cGjjpNr#Si1SFfTga2l?V@rNj0VXz%7%YsxbOzv)yMA=AXPGGX# zFx$+(t+`Zg89?QtvJ>0d**q>P@idhPUOQVqn(BM?vVTJ?9`u4JQ;SN>*ti0i+K--< z|8wK|&yDN<#*GWZYthhx*9la=#U-J%QudfA3X&yNCR0{5>BJnP(#;`bou!*fS*TY zC&4t)bPZ@5!|klgsrfRj;t*Xq z%SxKVe6^-2VE0k~sacVeG-XXv%PKA==Bt%1eOw06$EfTiU@mLFh>F<|Jj4pve%Fx( z44+mPibcv&V0gwGdPy7+my^b2SaBh`a>iI0=S2*Wr4kTP5iT=9inL;Fmh-fEdPh$Y z;nJdI04<8jP9nlfjN*vE#C~GmAmnIw5U_EF;=BFke#?ZdZT@-)U#qXK2P5WquID(? 
z^G5GF@;9dJQTgHqB9?pGJ79p_aOGCAo!YJtz@c}HA6l35rDa$d8oIJfs=CSRnus~O@?^1q!xi?(8a_g9mffSN3ZvoB zmE$B<_E1s~DPev`A`8N+DkU;cB`wlKh{E42wsL8>Du9MVWhcSoCE{=dVPa3BKVZ** zbEQ*e*WbFY61=OYS(*q$@ZO0SL@uY`s<7%bbY)Q%W!j_#DT_FT$RM=IVw5B_PfO_5 zmgoNI7?n$DQ~{I*Dmw|0vq=q90x}3UOSWDs`$m4#xwudI_d%z==(VzdqqkdzRZFAS z$B}V4$5Dkjv_1HcS!@X_h6a zcp(WmRAtt3T4od5jvH340>a9u>?F9(ZqA2FfK%0|qo!M#{bdBh`whv#0T( z5;Fi1R*iI3Mr{A&duGb}jS0CT}<=px+^dZWOXDQ1Wfj~EOgqDQo zJR?b)RZZ4r5a;%z+Kq2l0r72Ab`sT?;Do(}i8;Obm8HIwrlFOSN(s4euoLPS)&F|^ z@dHq6i&pm7Of_^VAG3xE%|LuuY#Uv9AUp^JmCpR0iAGb%fY z6m;~?B>#?z-oc5#VmidL?CyJGFF}Pf{PY5>al@n9HKL)n@z_ioKImj|M18m1Biz|L z&yD=LVA0zJyI(6vE}H00?x3Pwnf=Gj)_gF&Us!iK`TPzswGsG zDXB9G1yluRX%&m6^_NXmZm_!w2zH~gZ@QBrKlqnJa5<;J8rVE*+t@$q*KE^2bf{5t zc7HWgVg?ApV%6x%1r-UaXhCFJF+!nkwPslcY<-dCO_H-T@q(asW7Ty)tQwV_+N*qv zo`wP{F-98ujrvBklW(##fx1{jFnY0)q?hVbdeHP(CUP1f=sGAuP>E@T)L{W>bmb;z zIZyMHB$86)Ac4(WiQLu7*~zHh^EZ*yhvM;Dvv<92DzS=B1lzIR?>ivCwNr2+zw#OkKi$rGr+41v;wwy8>6F}q++(?x=sn;OR#aq$LWPCz(Ul7* zSFc$~+A39c7_TH@RRhC|i;Sf?qjm02ovYpOeH{?KM`b5*bawb2mAKn=dSs|j|Ie0> z!@P&lJO>xzEEIi_OL@O#?aLpQ3@raU$+pb{hN$yn_Nd4VLXIZmPs%*yQpyRN#ic6h0IC9&om8aDGvKF0 zqc@-asK1?+Ty@*WNcqr9J56BdRqqMr;aB&>a#5ifsu7mhj;=f;QxGt4)n+SG7!jI~ zq)dylsAXFe{!x&%8~CpS0{^J&Bu3D%`ZPw)8Md>sxcRSkbdK)jX(l8npV>b~2fs%j zTrLm&*I}W5bmfH6D$7|zYMQ2mLgxe~tC;X4&EhIyIZgaYU9}tfuLDB=sO%(M&~|F- z%T>GaO*G=>2S}v&Y0vwcVOZTC_Pq~I*rkUp=a)O!*uN_0NbWVQq|WWd8r^5!c`o_> zD1bBNTkl3^cA3?t9kKqIki!TQ5)#WrP_d`EDMqs zH7AsnHDP%viIAeL6CS5&Ghy4g)J7dZZJ@G~csZNkKqU@^ufTIamWHa#WQ;uPsD#x&rsZ`cK82>(Cq_IPHzz>%K z1DBluhIi4Ez`!MbP%qFOd#0?jZpSR!!B$dt>pYDI{Gy(%0vDP@gciLV5%|i3t4F}V zCsdjEgeeoBKyS208Teq|`w@}2h`5~Iz-1>9f%eNXXN2zV=&|1M3;eLwsj*smHi9muOB_Bi=N9P|G4ZVdd^M7$0ZI2&4-0@Ai=VQg9hB6h5l)??YNzwsEk-! 
z2c-LFBOp0DtdEP#07+0-A78npt%#viqhvfMv}hB;i-HkZ3(4vtr_A4Py?2~8O7RPMPnwHk@mloqSUkS+-z65W-sPQsmp0OV z=2QUu?(4XbMJ^<%WCDYv>xM8cC@JbxVVO59^^aOhW9owV@{l?%I}Kt?((8laVsCW* zKg{^lfuG~LMcCwq9_EqnAUwAe0GF77?VwTseC59nw)z=ESzGiESGbPi)(^ZQHi9W81bh!NmXm&c(Uvn_8=DRaJLYy^nBzv88CoX*xmI zGD3eG3bW?pqx}O$^J2?b?no;~>E!IpX+)VIkh>^z(Ct@9eqcLV=(Ml3^WMcx${QVS z75nKJPWc2Hh~O&DUV~lOKC!P>_1uYvak%MX(yu@331cvR%+)0iyRj_9)jfeS)VBzE z@mXYD5}gM%el6W{gpIDamfBb^&}x);_}>RR{w30wc+<5^?Z+x&BC>$NXh0K@v3D8I z3cq!EzAXX*(eQ|t{lvON8#KV^p<3eNzpDmE`=6;b1qxs*9C&`Ram-#0`T9|z<>0N3 zGscO^Gm_$BGUj^6!5oE3BXpS9rw*k5g8OtjFYGEZ9OzPb zhK%7w;D1YBq|#n0pU^QF%SSC~Yb1@Nz?DxLy|-Vn09C*@Uo_jC}SPIB(q|_YYQP(~_aOqCsE%0V`?XIjbgSL4e6q2W^Wy5Qc z=?-+n_96JCA0Z$2DOtSouu8usTJ0=ZSMw_~$iytWPLTmhea6?|ZwIE7AWPan~A1=3iUIx(Ey@Bx7b@sIvKVLyY;1Sh7KNHgX z*k3TTPw92)9CbWd zN5ixy7YZ#mtA`b7(yZhleB2MYcrbusQMC%&3F9a$sd(N4@RvPZs z?y&9JoR^cyD#yxaIMjJT3XYBtW6h^-h}bo%1d`WrBcbwTh;>HdoR45-^G$E zjob7&3BiZBH?uhqwJQ&_M88Y9Y@M=LCo3*4@$Y4|B&4Acp9o%{I~DF=LgkO1R3HQW z_yK$?jjZE`mILoJmHI!WEJc8OYgUjp>&N+`dhL=M;y+KAovB&Vjl3>5A;lNx+#!YB ztUJSVM}AV6L)N(z73oE-hs0uw61o<6aie27k%vSTaSvtkrA+{poDQ(j9;@QI1)ZEa z%ieF{N!VC8{hiq8flGlG#O!>q{^wzKaqcxKOC+Ot{jQdV7Jlzm6PS(Qw-)UijRzz+ zUCKM9h|j~kHN!H*SwhTB-cWC*viBbk9Vls zEe=>vq(DdmCVW#T%7CEEk2y}#`%Ae;s196Q232NW9o7hR`%|B0 zuUMb3&!1|94lth?BP;3PA;98BNyEQ9S+=UpB;f+}4Qs5F&=q5SGn~DR}17RvAf`95Q6-H9q7;*1|cgc#Q^cw@0 zo8V9eJjBqd9sj#x_;@TQYls%RD+}U1n722cF#QOjk7A!Tj&F-e6git6K8KdvK_$}5 zT!tR#HG5{9ICf*oDiJpFt-OwC< z;EcfDM(-JUsEAd0EE7lPr8o1gc)ZvwAZJ26TNCGdu5Q|_ z|K6G7pfEa@&j&jU`SRp1cL*4zJ;sOBU(N>f?G%PdfGrC##q}^To-mgACNf<>>2gtP z>!H(;CoX2sB`Ya&V3T`HTqc*$RZz%oFO~Q%fLuVO{aYRM04o|iCPHhF8wc!Q)7(^vQrpa>)y9F& zm&ZoUfoCP0y#Y@3yt!~M?-15|D4?uwcl=C6!i#_80p--r$0P+}DeTc`EVh4;^T3>N z&5D&wC8|JlS^aJ`ODGxA!ON+E_{5YuDFejGya(>pcE=O#KY-vKUMNlgHSDjADIt^5 z0P+rOIbBn?CES0}x%tOa7G2C4f8Iv$Vs%Niop)E~Amsgqbky|i@W)-6e75@c2h#AN zS`;CXKmO*k#LJlSvxs&siPtS_`E&;_9yc4{s6z$U>d2G? 
zGCL20d-}8gBF|2ht+3FU2qc#y@Pdx4DrLmrp|yp}DLo6(rOnof#qvs%k9JIg6}=a!DE z7C?GoQ*uIyDY!sIWT&?C@wUPfUI`x9eht_?uhl{Nxh}V(cUcL|A49vz=uBT65@E(4)!4bLx+j#y7!C3Y^ z?~ROtjW&~!N^IF|qstL3`nLJYZTVVuo-AAL>{C|JWk|#sySgA=?t4Yswj7qT-OGHW zt*_F{cL*#NPq6HjuxWMQ#jLL@o?*7rD-s%2!_br925(@Um*zo>42GKgF$PmQjHVJ5 z(ES z=UvA8dlYs>72%Fov5J4=K0g8ZH})ShJe`;>P>-I5rq?qFx)ovit}q70zNQ54o8R_2 zhLG(5a|vgYOb!c%MVy%c_08enhV;btn#@4Vr>jk8osV|? z*>uKe-ve95d*hN=w6`b;3gBRCIC?q+!g7=A9p z@E@4xRIjkS|7D6$x7o_FWmdPaKt2rjIMv*fTv?BE!6m@3dG_uwFMP?%cem$p)>X>7 zd4H0RvnJIZ&xBg@Uq<}8y2;PkbKCBR(klwiP3@!B)+N|&Tt8keb43d4>p54?`jqFc zZFUrNo!62!sQ3|{Mf0u~Xa`;*KKB>77IERt(6QUct0|m4hfkjXGowJpfQ+uwQAR~c zy^)M50{v~lB)Ei{l#5ncvr!t>FKvp=MQV-BKUmC!(i!I1_WSNFrbx7j^kwbI`n1Bf zqKb(A2YPX5PiS@SDmUAFw`HnqM{3NXf@G77%$2HOhV-kh0iI=-L6AVl#hpYGOaIH$ zY1}M^x~-_0>OePUYgnOP|5t6t@+zpbO>@K*z%n3*L68{}y;&oGukpz)do}KC zksOWj>!9=(P4t17#*AS`iX4Sh<)u7IZer&cj;@>X3U6K6g*;2z!890^p6W`SQu|uI zjGYM_zkgX4hi?KQ+YnxpY5Uq*kX3Y}K)|}ivJmE5el`-lpCNV2EF<|Q%^$}z#MRsP zn3yM#*7Y`GbhDPTI4RSi2Z>uy0a(QZi#<~VXNFG4%_El#_V{UfWe{80-{@w=)=rxC z6WR%{DxIupGh%jji1zc(0ls^MhDoVtG?x3GCHF?zqqH%qf7qBM4Kai8eyqajN=YjG zexxgs2SXgIil(3iH9Ce%NK!3bc#7G^ zSTWF>draqm1&)Y8X&nZu&~TAyNOYIs4bDDXhyKl`SOg8b*_9znDUfN7u*3yN9FyIG`I7Y^qsf9(x&kFnx*oBiJbI^`eGAAuo z=%P)56SEb%-ozr$>-?b{gp)Z z=d=ZM&c{Qlhqo@f!Q5W>y(tXoojZSH?WW6g@aL~DCkv@c_~u{F5aSLo@Fjw;!Pr0h zQ|TB(CIi;Afd8w8ZbKLFWkIHSUew~y1DKy2Vu(F%8%z4U2_4op82u|iEKf1FT5X6q zCgR}zo2)!R=IfN$elAPKk_A|R%S0VnDWo-HDe@R$Sx^-dH`i4hbWcc9MUzWx^GICz zQh&&pTrmZ;rU&+#D-F}Qu<)4;3wMICYXr?_)|qksLRrN2Y4+J7i)tj7!5-W|`OH=z z*y6e8UR1lhQ-z~ld9&{e;Evs{5o594VE@4vXm};h*Y$l|Y>gp4QAm5LsXHz#NwUyP zrWzi+RPi7hMIk4ux%w;1{35FZ*hX*y*nO;Ax*t9$5!q=>aeA&>4a@Q!Z6XD{3hk_X!~F#ro8_XODOgdXxQXi*ms#ROe4pH*YQ` zcbRw@DBiPpR8(1>UK_HC=TFs;m#;-*- zqlFHorjY%DkD&jZ0h+<|i;R6*XOI()C>pqGb9%Cw#Ki=%PB`Wj^n1NKyCN{!9#(La zm1jpID>*M#$^_%g85-w;@!jgT|JY~CC;DSpUX;mpAx{! 
z3a)Qd!TZoS4y|CYXEm5)J<`9*<|K7N=U)tDJ12voXQ{(J+7g>d)+i=gU|Z(1{`*I-;_f;P_O|GLfX^c3k!c?;=T(~k zxW$U?vQ$U|@mhc*KXpvx)LageGLCLX^Yyyqrr@A!g*xMSHKm+=Ufym(0_Qc3RlqZ&Evf11A0E7~wa<^|!0V2SZcDxh zNB83CvJDXO2F0hHCZZ5#hfkG?I6xv@s)M&3jmppR54-GVRBenM07!b)v%n&buB8jG znG7M)#Dx=f8bgtWAdi@eB(uOdn>`w>l7U_X5ync%>8I7gsCN2epKRzz=nMq`&BBnJ zRXsVn+Z3mm+M@Ny$1;DFbG!Z&y8%8F-P3R#-8bdzen!#BA*V?E>j0UrXTAvEb%hik zMR?h!CTke764S*ndnVG!c6#F>ev}k+Z4Pe`N1oQkKb=71?yvA?>XZKareq%X8!&NU zKVHj>{e^fs%dHFQ*o1C{T{7QRlu{|$CHX?UKNOb^hm$ZKpU_9Y7oQM4b1pxRudqL7 z{>NP2vgKrLa#9uVM&uGND#WbJ+1Zf>Xj*hBs4*Mxj|7&!_Cb%^b1nkv-v~-1Ppu72 zbly%e=zS7V=;da*5%qm+2_vce8lp=U$%^5!*o+VmpMFm zRGuP}3U7li^F|T;l)(FD9E~D4Fa?x?wt-}I=a+o=R+*@Cj^gjmmFruV0c_cU>nvNN zvazdGk?%@A&L10~Zh!kt;K1I{k-l1cXikiZ^ea#OJF}lk4XQahS>^&FWU)X`fg3oh$Xh>&ZClBFL$=057S%oN2{Kgo2Bu-;K=3UqTI{| z_PTFm=EY{}_sSXFmS7f9j8J~%xC`I3=XlfS%J8?mJZk^QDaG%4Sy1QWfJHJv93kB{ zBAsGt>JUlu38TH}kBeJV*g1b$P*qpq&mOUDc_)J~;>-q^d;qb+^m6^`VmdR8aVMpC z7P&SL7v-nsyyYW7a~{Xhn(x_-jZQ}te9SJtxJG`m2FG1r&MRSS*TU)EvdGKlM6Uhw zok*ckW@^G+{4T}=&)K`{*$;HxOT~}#?O7Z4miW?yzt?b6lEb<4MWShx2y^wt|8-H7 zy#D~XJcp#ZgxVsXrr6Su$l*i!hyr2Gzxcl{Msz=Im!&|j;y->NjoetA;Zb1MT!T&) z(lXf}+hv8+oU_YK#p57{v3JE?z2bG7%2sS^;#m%K_6_C+0=P z3-~7FR8M}v&UmCQ^-cplo4(+oSR>dB>yT3~0q65&#r&DXf4-^QD0by`0T!2gl(Ruz zIX#mqnC8DPz&alUT~P9Uq0tf4dJXBMV3&y$;S=wGf&n?*e9#Iw;F6*!7(V*zY{t^I z7p}$3KhOG`bRuA9FyRkigXHpZ$2RF0*n%`JmL$z&_r1 zY}({`Maro+R0(*u1mMD%9b)3UY>KMhSBnOBovuQNb%u>a@wXF<4A5~m|EqcT#52Io z)W=7ITKZAhYQ5`4&n^$gZBVemim2o-V|f5P%)lb2+WOb>&K3TUq&S9)h`!^U31=u7 zH;2JX(g)pg2FHoF^`DTZ@^71diDo)BrtkK8GcOy6D8H;V=N4!Vps3fb=za-7guU4M zHD=B{OAn!0jjyK`U{l32gD7H{3yL(bO)l3Bd{H}G(FIW4ypsr`DQccr6~kd=MB=EK zT9Mz6{_1e5{KV#82}E7(!&bd!5#o(BILQ{PtUxa0`^5vs|LuR%5y~BASv^(tDvf-) z&Oe3PaN5D&iqipGNL=g#aZ=c_fnC9tlfRDQg*NEFIggU%!4=StK zkal+e$fzKYZ*UHEHUVxTHPVCTjy^FG4R^LJCS-(PE$4Z_ z)%xB0+ITWtVtn=Y1(wY~azI+@x8^h!INMS@x-Tji7QU?%E+9eEZc@wviqW@mWx5o& zn{dF^H}UJI;THMY46NqN<(|hyBA-+a@7dq5{Z!@3&QB64C>j=!R$AC`pmD z*Vea4lKu`5#vIjq^rMGS<4|n$?xydo=6E`b7R}#6ubQhGYZd*i|AF9q+$`G|sX;A; 
zVm`Z8AG(w%g+kdFj~=3>*teS01%u-u7zpIi6wI3;L5h>he$!!8IH3~E)|cV@YA^I` zVsX|-cltVK6%R;wf?6;=OKsQ1!pV3#B!;4oVMDiloWIDjxZ_+Q4(MjZ{@ncMfSLpX z1@p#J>Gx10+;k32G>^yisOkMo2Gl(*7%YFEO*G4*DwUyIpl}xBBqT|<6&P7eTM{>Q zKC5(gWZ5S`k?8;#>G98W5kP}r&b2t$snMM`f8nf15A)_yBpjLp~YWV77 zy$(s-Rufv7q*8VONZxYNSH$cfXC00KIEMe2Cl8yqfT5 zS$_k+9(Y4}>EeLKe(2;1v<0rWbQ+4Y2EtYoDGDWDQXX`b(Qh)jP8@N>NMlBVCX|8# zT=SR`-s%epXg%yd#<7GSk-*;pq}!Fnir_O5KuH@&jIQ(TC`Fvh@~E;Ep({kmCJKiK z&T%S84zoPfby~s=WQ@`H&G_9UzIuRU067(BAQYzHFbZ$;`>+8F--l@m-{vSRdB3MM zCTo@W8RHRps3*f_V?PmHz_L!Bq2_+e;AcBg563@O=YWdR&b?H4Ao_6ix3@t51SNI>{=-nMT=4#KwIUZqa)l}1{BfpZ#|_iA$iu&jn%K5vN6TN3Ppe=!(vyUO5`A+d~NC|-V^T&(+kMGjHu+v@qwGwx8_{Ji8K zoZEgwX~hEy$P$=Z@pL(7J5UUzr z3fmmOZ(&9ACgIZGm2N)gz0@bxsOS-B82pKJ^tIswa;D`5!)=_8#alIjgv|Xw8Y3zz zPJ`+SXsg7|)a+H5zh!2}3=KI@$eX~8CR0aGJ1(*pqR*+sx1z?*$UV!$3DJXDy$lc` zfY>qr69AR|YJP3cnbjbj?AGgLuMsl!b?o-M#`E_{c9{p%Z8-hU9F&IOs_xh!{#6P9 z7>HgcfW$ry)NJgCyM;xy1JFY!_NPs!q>bY1JHX*W;GGeQV{|u1wiumZiy2JSSDpAB zaC;muMppLX5_HTL=L>AAtH5z#gLhV9A7yw%kr{rp6;zdQSel>?ntT=t#EXCW|Dd|` zVvETtzWG-i#&F3n9QNL5Q9g6o`3t{CPW3IG&u58t%axgPo{gq+m$ke!5rxlj)=m<5 z+**?wWce|d!m2cikVI{fSxLe+F0G7iBbC{{U!B4fIs03S29x%k!CA{$ZZj%#O=d(3_yijv)!O^PN z-FSDm_;zd0sZug+f&fzW)xMsj-P%I$rYS!$^e#{P-ZUDVuc(ES}ZiqjdV42}cvyio1GdHKj zs+d&vfMF{kk&0}b_+0YZZ;TfMfs2@sCq21hKS&=sclwmztVr>3V5?A3iLC*H8M?5| z<~Nzx{WRyhCcMu3NrBsAmlqNa)Tt=`mI4<2HX6Il9|D<#Qj(;MTwKRl$W6p?foYK? 
zDSel^`;G2mAW>lx@OI$OdY>EW~n$j7EBAA(1KHgcRxk;yQYL!pK1p28JI)lA|(O+Io-NwLvp z(UiCLXGl`{!32~MHADVM1Yo)JQOKr}XQuabq}$?9AI}IL`Mc%Nx367P!@0$u*Ae~{ zN7G%wcXV%lD2#jNX~8R|Y(x-cX?6WEJkRH{>D8+D;X*}})jMn#MgK^vL9;-0MN8hU z4zvwV6SUhrRMnZ`Ml+}e?_@z&lhTxu8jcE_Q$-7=^pJfZGZ8aL?D{Bo(+nf=cM&ux zQ;L&%n~#+e!XBeMYpvH0xP2WxwuLM9_+Azi8<4w_+ebyTNETw&Jh=_4(bXMz2m(a9 zx!ECA^@i|Q1Ga|sqb0ySM&dr@YajLH42mdtuH#^#NR3LH++6y?^y!-gaLgs_tY23+ zHcP}R(hIIH-&()wpbuv4^r9oD1ii810&8`KJ!mSW6B{vL3dk9yrWcc$%!+FX?-}Bh zf80?4KaB%sDS-n@@l(XuSx`xC0k?j_Sl6pgQw@9sD&4vtq2UbDSEG$$McONS{&;`A zv~6t>2yz68p0(el*$!-Q-@~^>itcmhcZn!m;Jkg#prWp~PSfBDNm%Xi#GmtN|I#IB zE*lri6?Ca5Ix3rpiD$N^L=YHjzq{Qmkb6ylH2w#|GShgxFcN0#=rC5!TXpj_mxS5x zV|Hwqmtzao5rW#jNT}5dYFfLBWZ;Auh*IXg=9sDd7TLB;LT$Upg=z0C+p517MCi=XvH|^HtCnfF-9X>fTl&8E% zLo>uTEWMca>{c3pIjyrv1|?fr3K4Y)c|jw!WR5ZVz8ZJ*_fuLxGJ}m8pS7#=go%w_wibK}zw*}Qnoe$I~Cse&zcX63_*`)_v zzQcB*!dnP%At?;~@-4DTzrwM16{6TKR9^`?VA`o+|&8ym&W}SUOF7END zCFBs%qEQUbn;zO7RjJYTec;8s5eJG<<_Jfi3u(bmSBK&m)K@PAU`&cJCJqujq{J5O zmD0Yl8~$HwAug~{_Oi-jv@Tl?Lh*fwg|l=Gk{p4kghQ1TI{o*pOhPi_>*=^GY!qT> zO#kcczKg{|FI_$$9`)&Ul5rGyJI+ZpmMGL5@l9v8?yh;8Dqk1d>`+%Hj_?Bvfy;OQ z+x7&ik8{l;jMB&bXftFEX`HYobOTbVYuFQsOE1W!7~9o6P@uj{o60)_Dw!=s*k7wa``)_yhkaWcLc%P=4GtzjR6g3Tr%}I7Shzh%IScQgSnSoxz== ztYyYgabkwCrf!)W_fJp9@dFlrI&q*H@|HA;G8Rtu@e?O=fr{^6oKKt42AJQwN4S~e z`rzfxxZdd9=;wkgZ^wIdKfd-QQXG`3rCcD^s)2oc4>+n1i(3h8_M^DKcPXMJp!wI> z$_3|{Yb(rFIf7AF$Tk)~&fD$- zLxNLcL!)Ats0<8kashc2cU8upW~vW0+>%L}G|*}m8lD=O^x|Fpk>W4&a&41v0jf!Y z`nw<)#=&UXF_*Q8fk!vP_;Ans%CHRb7#>#tDV|v3qV22 zweO-cEg2PTTO{&mg7QL1M7+hu%{U)^vJCxnD654#gu*-jGo{|dG*jzO21ble*FJ27 z#$joJc(vi8zn19}drAUVJqM#pz+Dr2#HNTAljN{@3VS>&k=iX+MtLrd~o1T0t}R8nutSL}!9 zjVG$&Lqt@Z`bk>bAG=l#EQp3J+JxNA|+6Z@rR2u~a5C>X^kA`1*DR=nO zW&$4%Yr9#-B8TPUSq5_8=+m=o1&7qDZ9XpaZFfDl4E)yot6G(?GQbn4E<}mm9gqD$ z_n;Xw^#iV_qYHH%JM8!a-#4Wv1MfP9e^;qqF8!5JafF|@>D>Ct;1RIXb7xF91iBvf zRpI9O?>gGB%4tCF-KnU^rfL+_n0D#3E=KTnFI88qBE~$v=t#tAbh%O*wy{@B1r@&6 zgkLf8P{9qb+GcyC(XhCtalG``!p&Gc;AY|{NnM;=Am&(d7Qek8gIVMN*&;JJ^4^?x 
zZw~l~{6y)QVFQxs^7%p8^Q1QqWd1C4Fd(`e6DFAy*zhYfTm=))m&%fgkg*}5lk368! z&dP__=Bk(|fa3v8i)>#Gt;T?EFi}Dh@=)Gi0OmJ=05+ zd;<+>E~;kF;sqbzs1Tu3836z*!g|+Z92g%$Y2< za5MDu-Kd?tikS7I`d5$LVXD=(g1HIr?2*n0QjsM7N48Zsc{~s6k9yC=Jr5q$tonG8 zSGd6BeWN`0%_!}< zjx7iM-IvtLsHgW;!qLiTt6Y*}q=-c7hZ*!(oA%SurVqG}3v-MBPZ@YhdcnN`7yj7< zfLKoODJ3UcQJMCbvSi^?yn^4nSO0K3JC=qB*eqwoy}A4=Mq`$lIlok=W`T08CveBj z#h7if=fn%I=^xj9@wH%;suht zqnq~1MS+xf+?AM8&{N_TJdl}j1aJgWVZ+>EKnW8RkI56IJtB&0LJ3aqMP=uwr^~?{ z|Kq@p6*a#D1^@A*+8mb?!Fh7mQ|Y`2KNbhsLfh3fZhp~DF1@s3^aEm(&_c0mp%|f+ zx#J$Hf9@68Da^isjd+H`Ihwy6-z|h4g56kWQ*hzQ#%y#GBNxi?Y>o~{y4p6~wkK+O*N_*}heIW!rh@jj z$uOSn?4|b5)`qBGrH_RPnl4mHJ#Qd+8@e6BBFW$C*mj1yW26|ZD!wG5QaGhm!!AUA z2wtIHpeD%`s3sADkBL`5fP*awXhfY$+2k}8qbH*_8hfH;mB#ugi)Wi%42{rwLmi~$ z;3k|`svGzJe*%V{PRJK((|1#ifCmxH4a zDr)xC78nvH8+<_-rM)A9t9}(voS&;dzk`T*X+45Ri32Jn%S4>T@^A`;7cGG{$0**9 z)!wNr{#ip|FM*W<}71E{FI;B!tY9@<@ z(Vcp8;`V*TmOuzUUIGX}fxy!rX!Ksnv6(dFAAHN$Mb6SE6UZh5*kBHwaVUy*|NdH9 zv6|E}uxm=WKHz}hgP>1xtT^?yovsF?QH$lfz#PWHPW!8a9DV`k@P*ZB&WyjOsn7G* z?pQ+KIl_>4(QOEeohv@_;N`p3=u893tw4{1?&FvKp03Hjot7M8^FjY&nwRh=oP`6g+J>9+6)g4Lt*agNTpEW z7r)E(e$#pM?8M+=NGOdKFEb z#1P3jDH^6%lU11CnID@`w%5Kf>N~%p>J)UY`sm%hA8Dj5ij7QXS3S|u(QGB?^6~6a z1EMbi&9iuIs}haX@K7_A)Ae*6NyK(2)QBf3#y@epvtE>;j(UJ_2`(>%>FLu3zTPO; z?Q^$XYg7#V(=Q2--WMZ{)&T`06jD8!>Z0LDCpkHqb@09zXeU7v?NfU912+v4crfr!@aw49_*5tSkRDs`d7h} z&r=#3iLdqJ3U7aPeQye{_KLkI^JRBpwnP2%G(bEmV1p#7oUG+g4eIFkp>H1{EL4am-v8VpBIY^5KeT(-WO{W>ukLe+ZO(f&m(A%ZK z0s9qMQ>`r1()$WD<=c1#+(Z)4DLHG2Kr1o3E}q@cpcz6Cbw;rB1P3La2zKJprMZ|5 zs<#H1vWz+Bt9=mk!?UpM-`&?^b36}$uMfN_+(Zh;faZT0fB3Bxj?(u=kz@GWvxa`j z3RB2wItgzEC(@uNqVd`-u*sB%f7TRPa>$h;N+tm{gV>_GmC)JD5d(PaeEJ2Xhy&lhm97Wvt;!iGL?@k5to#OeNX*u#l8xCgFjx5ub@vk?-#Z!?mQ_nQtg zXXAs;lcxc#HvJx6$5=ghU9V3lmgbOc#FQi99y!CRiMb$fooEnkm5w~dBf;qsiN*+zRcHLBDsNjDr~OMi!pz^KnaKD9)1Xtw~iN2U%^KbJ)rsyNy^ z9pk%4PULEUJQ~w~9}F8FGoLQZ!l#kUvlnF6@ND~Lv?r@U8OpdC`0n=6A)T!(a5IXJ zc{6`BMt}i)f=Wb6tBbm6S5n34|!|od)4(C4d6VjHv@lW11ON2Zhi-6EJ=4d4plCQxJ#F|qlZn#fqf@Req%8?(e&$oC9yXkL+302Q9X 
z*lAC>pzUkOLElgGu?9MCK2>n6UQJzt@h)ZJsE*ogRzdp>FY7TgZTM!+;+~&ppPNNC zAE=^xa>_UH=WrVA=vFd5%Q-unT?S+sF`a!WpR2lU5w**IyZ_x%qJ#NiRgZzEr7uCz zdv@^4Mk-taDucvbJ|~HxG&|V+mcP*@_+w9a<*gvT{$Xo8$5qn|n(Lv`h{^xXY%R`L zZSEegVtYnh9y=IXj+}JTwqJ*->333TR^NjSfbl(dp8b`j*|k&GUQuC` z=Y^9YYJZ%Z;Tz1*#1op2*7|J^P-270Z(Sf0cqA2T6Wi#Ha2=&4;rHTPU z5@`Vqc13N!hVV2QkZ>9g&f?1Nsm@PJs$4b(^OV~wa|7bBRtY&fIW5av_iEOfSVzS1 zF!FWKuIOJxcqzx*5{Xe-}|<^PVzJ#Pt<5PUf(v&YgZyq8HJ~ zzKr`B6+5My^-rgc?C2>%W>@rHPP7s8a2XMXyKaP*;J8AMu%}r=qtqd`on^n@>eE%P zxsd>|i!!>Xq*e)w)gk*cOP^+Thu7lqI92=A z&`xj!pUau)()}JLE2@U9#GDBAtBRchlz6TvT*LMG)lc&FvFK~+@;2yRN1bAlIu;Y! zNZA5P^;Qx)Y;p%J@`xiBbxAvDuBiV+zkeZtWB!=`SL`HzIE|O7bRk_yE}^#fY-P4+ z90Z34&BLMZ_b!c9y?z6}b8##|J`9s&W`uudJRC3#T?YI9lh1M_hi@1h6KJH7FOT_e zqQe?J7*_m%(+cKTO02R~sTCC+U5!UA$o+TS{haJ_BA3$&Bz@py-EFJqu=%GS~!?Nu)NHDEln)h-L@;p@ua zZ--T-3v>qwO!dVAW2=A_rY>VRcDSQgu zsnO0g!5EyE!+3r&PQT0RHI(#G?OA?FdD$0{4)bCc6w-yDmx~uLDKEC|Fs`{tMBz=DmigzJ+o2hqrt0_F z4NjQ62gB;4DRkf6r(p%_L-ju)MTxVg_qlN&kyWeFn$86PNkPp_rx29oKF4iLxlXoA zftU!Qk@Ybz<3zf8;+T#>T;X53MsMXAytSfQrYB3Yvi#+z`|P6gV;8^s}{5 zaVKdKW`7siat@oW_3PyEY&E{0>ojn{@{awkO#0pn3HB~_^#q^q<8Z?+7UJG@v;~0u1%Urt)yCHQKRx`NXV%vo~h;~v7Fkdw`R-ST*t=`r&R5xQHt#~ zE|$SlaMd-UrwJH?etx`7rYC_&H8K_I<{(HM*Uq^CmNKkgWO!_{L})W@oS`1#wIc*Z z6>{J2+U+nYY0c-6T}IUTi=1yXsb9){Cnny3U4y^9Use*&HZnl0)AoZ^*(s6N(cY)alA}@=*W5z%vg5g}H=azvKLA zYx-|04aY%mGpnIsdaW4qZRIROGXJ*%_f~k%Nvy(Si_mprQxg?XjmV7=FLpoQ^dKft zY9VS&8LsbXN}zv~&Fa*4wVgEcIujc!z1Y0ZE98DwFrE0T;!+Qxw2sU-TaQg)H9MA-&*M>9+F;3S?5l#8tVD*2!&(5V?8-IuoDx@~i4h}q`p z5bsIBXl_YWa{JHH-TvKSfl&DkGmU1SzmRm{<`qfF`kS?y>x1o?f5{8P+4xnfAU~QF z@g~R{JpT(kdgcyvVm>k5zX>Td8FftR@ry#pzjC;a(MPhX4$H-IGM_?$L(^N5U@RPp zntntC=vg76vRE_tEtCnm5`U}$i=en{oF8)EnsQmMifzw+sKgvWX3k|2?A3~lPR*Q~ z7R1J8#hj7O0c>#u0u&Rl`{6Fs1M9LU=uER65*Hgu*r;)p$??qdgJEdINJ0cms2rSd z6aBX!fp;Z$R!3a>J%d4Rs=MP!N`J5q#%5=Xs2X}aF(!AjOc(KO6hjs8oyX*#v{sh2 z8l7oZp567&C@uzs(c(6LBGE%T;BYebgjp3a*|>k`b46emaalMEA3cjp$B7< zXi&1K;O4f$sHC=6yP))I0bPO10Yjz*h_`+D7R0)#eg|7UA+jtv8Q*Nx#u7q8q+ebz 
zp)EFmxPde82OOZ7yO8MtN0%$abg)qxMj?>`hYvHeply#8-}P3 zNFGNHiC-|(lqo^UegR1{h1l><-CO*R(yrP#h%`Ge z_`I8Ii}fk+%KyT2N*in*RL(NInc(Ht4hYzEXOt<0YQFAMk`kN9O0vl;sG;RNgf8gR z)P2+|kJli-A)@CFV%)mg&Zhm3sIQJ|`uqOZj|HNjq983H2ndKE9ZKgAkY*rAjg%P8 zFz9Zir8YW8j!?R5bV{=g7%_6h_x1k$^ZWnxIInxoJ@?#`&wEq#uGyX<VX6-OH%(fp4Ea;yrxV1Cn0%-hRocYWBlag|vUdf3~U5H51Wvtij&*`u7*Q?xhX_B;1(J*s>gxpuoJ;f=Z*)B`aV z5tNe&z!M(K{oZYl-FlPRzWD<2$D@$YL75kQb0pcmqQ3|&`aEjWzYpsJv!bPnG`e6B z()16zC*M7H?@PP7W5M+;W;fSXoFt{}gHX)}4OR@(i!y#|syA0^CKe{3LADQvOZ$ml z;5=vDbv8%`~@;re3`mc}?S|IiFwU&)RSbU+86^?$iXj?+EV`DGvr>_%&2O?+}(B~6~Ph@2H zQsG7E=db?^@KCd(c5JJ)3jn*3-IavXrlUZ(BW0VQ1n2B^gv!R#KAqf!AT} zw6~yYOK@-WWapL?m*B$-!HBT;dc1P+&(t&H^u68&)RwZ6^no+{ISfGU= zg5Sb`4!>`BgC`%v+0D9J|0t8Y3Ig5C%wcvOij*GOTd3rP%OnRz!qX~e1;#vLachiw zCH>u0n$~qC*g|P&0}?4pX(Yk?xLHq7=K+92RrzM}CfMMt{WWDJ8-FfMwn4UU$}etd zgOCK}nI7Zw;v}tPsM0O{{}L@%u9(oKxZYwOyW+X3w^c1 zrxJE~@J1iWZ=OP%jF^OemT+9rP<&im#+Bkr8< z@qBWuwbWgO^`EOe`}$%kxZn%ud6B9GYb*rUY>) z!N*^wjNOPMP0aZAlwHUx;x}b|w1LV4dVlf8C(V=;al9PA#@_rO1*d2-7s*(#IT^u) z5Jk*Qugu2;-|{BPgV(k1hN`{+CW9#fbHIii+%-r;%b^yu9h5*Hwj*F{TXBpR#vqpb zn`~nMSoHNw^qMp=_JZd;_Vpsd|vNS^9sC|~0@xB#kSUdjJaUGfMw{5aNa<$$B zq3ue`;hutKBr5B~*9QLhA!Zpc^^jHhWzo~CEbFVGrj-6PtD8-nT)6J%TtYSNE4a&t z?dJtGdmfSa+-U6FBh73`g_W5xN27~^UDBGm%mFe#z)D#itN&N17;8M(-la@ z$pHhB`h2Tmnw82G=PG5HFQv0LFR$wiK8i5XuTNoQgYVV#F;5%cI$W75vm!xU^>%sz*-N`}I){k?AE)%yF)|lpzlytaSGWhxvmeTu8 zLi#a0c@UnXS5}zC2gBPb~jNQSruR)B6qBoX23dbQ6xc2_#-)yyV;X1Bm9u55CSXP3mD- z;p1{Ac8SN|F+Kw@-xD5(jx2PV1|aO1e(ys}q7i!HuPEPSc3~i7RyToNXl0_&tpyY> z->z2vw_ezkZ)*@?Y5hN!-g!>L)8O%Pq=plElvb+U8{05UDz+6Zuvg(P7XI6HLu6Ej zLvEz1#oOC*3F{8dv(h){to8K`3M~q~E}WX2%bBR%fm1(xx7y-e{kuFfDI@B4p(-N< zo#6_;avynJ(cEmKx1dvv3fBO-`uyrvyC=C2N*>!78NNT=q@yf{v1Uoo2sF3eP-!@n zF2I(HH9`w~d(n_Azf|x8*U~4nkMJ+&?s|g}eo+6ATvt5D&Cw^hJ@tc-{cEhPCyk%L zgAnt_`-H$Yn^;N~;6a&p%~g)Lz8Q80K1cJPGab_fZrY)JI*Ep=biR_3mfaD=g25kB zwubKPEbP3>EI$%G#Y;8=RRdyC{vbsG9=Enj)5%e_a^nu8CP!P2utwz{6jBO548!63 zk)X7O0{4y3H@h}MWMZk18PPZD-~_oF+_4dY16_}T1D(@$jyKz_4*Wd-ef-h1{>9g4 
zySgPfS!L0@z(03Q!Tz@AZ1J0%%mB2g42(f@tyc+guIrS_JN75Z zqwA}R8Ye*%^8BleHr2oHr6y%~rK=go-9`^Ygxw>Q%z`KI+LMbLe{W1t>s+8(FqM!- z;+pM)931S%W<8;^c1aXTe8(4k34_jnCof|PoW(c1QOz$t91{$vkv*i$wIzsD6R+k; zUBoD83?8Xh#2ezWps#ty2r^}>hr!%&9jHglzTPT?TUux7Q&PYD(52F(Mst*4rqRz` z-nhUkX@9UXcji?S%}jNcq40B8TjSqG7I;p&Vr(ye0WRLc-Hi+79@A7sc92$9mG}cZ zk}mc@W1r9#Hgo@sdYC2_6vc~b^8p8Yv+H(UqOCq$3-X8`ilo-Fg#xpidMFx0p_8A1 z2dO&?S7LW<7i&t?Sr=WhRBM(xp3gWq9sXozNVfI&n5m0EnWj;ADfcy^&hl|}!gN7z zHop+5nL>+Qy;C9ClrnY(8UoD+Vsa{UbyT>fLl94Mfx3;{y6oehLr-nVXI3+uwLBMt zxGWbfbp!~v3}Zy$fgqA#OUZ6RUy)k1b05_He!fA#s1r-Ui$E?iT=T@=Wc1IVf%?tq z*IS~%&MmrYFx~^HN=O8dM<+GTcGqh7`m8S)t+GOzZrOWdz>6mH_AYQ{sb5{-Ai=%aJhj&zl_wiiOa@Pqsh8VNWw_V6w*?70EqXZkn!mF%%STu0 zik7FWe)V(fuGOUQbNmYx!-@H{5N< zrS-gGx@%`l=w&x?p?2CMqfa;jhN^aLz1N}ZY7VoyHgm7c?yt&EH0FU{Ije3v@s9%V@uJMlJ}3K!O47H&6hLD;jHHct%ZEd3@4 zeM3c`b!ItO1VC>tIb}(5 zkhAV8XCE6=j{EEBW_h=Q;Fg=LYrT@A$PT}NyyZfl(O}t#FfL`WZrP=s!=rvZCuRL~ zfq@i258os~8PVK!2I5O1eAuC`&EUv~b02T>$oPJr{+DK$j5e=b9r}X$efTRWgCc_C zgc1FO0w3MlqTjr8oHiajHD9_YCowg*Go0J7TwauBd!#-wZ|`win!pv$?*cw3x*_~yeMqsd7RckrvSpm9jp?A!IcMOT5r|s#SKD}$yL87QD`HG%>Ka&SVTF?69ElVSTL0+aK9eiL34XN=9xTIK(Y%dsn0eQ zB#7lz?#WjssZR_vJ9hc~b^l=chDV%&SeyA;W?xwE5VNM(J5rZ}U~1v{*cqLvN1Rw zy|gRkl36-d&_)4avGuJ7ZxrqoTlx4U--WD=Nq4SfDbSPFyL!h1oc+(y!0BzX%LKGb z3>*rj8>{+f=^GPhNQy9=5^{IQPhEW25$O}Z@M94;&qDufdYh=lBZUpOQAcmOal;D> z-AxRWTb+}9vWL4wYEJuIijc?8=1doOBh8$Gn^}lfRAh6!xY538 z5sUEsOHj3`gB-=k%GE)BqETrS?Y7nw((y!@VTE;J;`7U3Gq+%V5T;ssAYP621pVYC zs;PN>W255j);`niOCcm#eA2J$clDOdOMop(eOm(N#ui1k-d)nodD}=8X(u*wUc`mN zbeGeez)*LZmyp|TcwwI7mG!y8tp9Nz+g1#&maJg;r%9&8EGyR;{Jo~#Ywds z>w{cr;_sF$*RzqV14w%ONM^%(Xj&JPfr=!OVmdnQ((0Rs-&FZU3gc8Rh0Do!^uG7X z7qx)xvy@wPuU+4l&olmPRQZ^U_^=QuaL@6>#y5bvK_jnY)rQ5?rZtDAo-NT1x z6ibJzxp*(nC`2ocX+@`RS8vd)U+diV{I%}cCPeh_4j*yeM1}7M(hhQ^M&vaWC{J%? 
zn)TU_ZY{bxn{cPT*4t_IKD+erszW2$sCLb|-Qpvgo@@glG4Q%_6RZD4tlf zqFh}}01vLU$x@Whdp*aIY)(kU4ZrXQ>``G%%qqy zF8!6D*zhJEg(p|@NxMglGhMbn(p}1bCnPM~ZeMPO9rVnI@VI5Zv@N7JxX~ykHn}mE zQq1tf^OjzJc)JJ2sHvg3-t%h1{hHaovdO&-rq8$hrVA!065FwhuIv0Q4+@#LOcC*3 zuMjFa%BF0wPg7bq46kxbEU?J;-7FqSMBBO6JF^e*^mL3?3B;;WdWu?jA;)S0?+(LX zTJeo(pU8$~n~mr*cAUSV;veM21?@4L_3_5fN?g7)K_;ga6E4bDa<5_F;b|K?qDCC; zmy_rPiIdzctqdyDGJGAGcdg3zC5Ho__42taRPlIaD%S@>yG!tk)@?^A`#EAhM9E%S z(pm|);O6>Wf(U(3JvXtAIupcL)cv>EhNx1G(N8)$#HytAfvEeA=>l$KE^6yHwPV^T%J~_Vni+&{D4aueFsr@Age#FUuPHSeq63)9!-E zE1zXmwo{%sLM2Zwtg>(|<=CxZmQMc(|ASHMfd%zo+z|nG=6U@|D~-V_&(v zu!kEZ4d&@h{`IKE7&0f?X*tDGWg8l47Uwuy(r^h^b2igi3oQJwX9s)`yhdh$jOx7N z=)^I0*Tn~A3P!xj^8GZNQT)SIvK167uW{N>ygP%u~G4y0`77BZ%V_c_s068Bf> ze%+xJx4WK&jj!3%El9l#Azy`^BbLm#XME&n70ov`|8Su!HX6a<2c@Ib}?NRTgZ;zzfzk&ZGKkj2m^j>*SW-(WnD)gc!m( zPGx#jxQel5c2nqK6=~3~^E;&4fS(74RFWW~C)7_aH?W(0y8bGniBok)u(Fi*8p7LT z!fxOPhY&~iI0k0a;mxsA^fj96F1WuE_663ppw8Hyr}P-Xhi^wpqF^P;2qG~z0# z=^=Xg%Y)TBQ9u=$M8X6To8o!toMTgpD;q6+Y?mRldmQ;RAH=C*H`S+S;x0hvL39R< z@%1PJg1Xrq_K;$f!@_N=@Qp@FP;vges^N#_Jtb8Kao_iGf4(H2s+tUzNzY`jas|#^ z29irIV`$DW6K|_$VH7dMj$z@1BMsJ9NcBG+!E3>z{(}TUUn5t9 zah+ko+n0WQ9}$pBW|v~;M5wx+kpRQ|szknN3?k3c`bQe#2Gb8>@Q#l6gvOm?HTHco zgG)cd(eulF;E6F1EE4%a$@kc=QO19%^BGf$zo$*&+UE5Y#n0WVy-OjJgFWm0z0;-2 z=8xd{b&XF)_$zo;P=hTBd3Q**wR`Woz+YZsQOI>ll`!P#{Wa^L)}iQ=S4bi(E~L|< z-9fsH`*NFn&bCZQn7C`MejW;es$GGGG@{Nedo{h+Kc+lNt)+}41wGdh_H#-r5ywyU zL2J_>(1`e4*aw${q>QtS3iA={mLdrw)k)fUa|ODY{(qYlVgMVihQ3CY*a^%vp3X9Od^EUPa3Dz#J8J3|u<-P!# zIGEo~MfWcdoGf%|H#U-?!1P6-dE(X~!>3CV7l4?J>K|>mFY*%i6Fp zKbKjAkK{gPOT@`=CE$%|(!X3iP&>-cC|~E}7u8ug>#&ioV;R~d2V*m}SJsTZtGBaE zWB%n@TDSSG#Icn@W=rrN!=0-!!ePGjbZjctLmpe^s>C${#hxh(B~w}4;i!6R7dG}^ zzZVKDzD3YE;h$7YHTP^*eQv)M)I#{8E)_DY)_WSR^YKPD&#AM9Zjl|QhuCC432WN-jWwT&Ol!V$3?@4>Utj+Izm)GIh zKe1l3t!G#(ZSZy$!i#HV`3VbHCNHo<%CYfFdB>FYk{gy23VS=irxfHTZF=$1t09b0 zXYt4}Uf08SQG;~1TT6mNQ=Nk|sg}IVR-Od@h&^v+vd_*8`_BQ~Tah`_#~b15X!cuwy3R=5bW1 z(Y+P+Zg__KyKn;4Up4jOqkR%8>Y)y2Wz(kEt{2ve>L?RKm|Lw=3XA# 
zem1lJwjOH8tz9xZ=)JI`<?@yOtl7RqiZB z4UZCtB1oOtg_^?iiZWQ?3XS%Zy9u>qX=uyRg@B)DrQwmlDLUZ-NwhoqNC=;>Ih>M+ zWzIld_Z4Gv<`xL7w_U{EnLw&FRR4C;&A~>&>o4EzZW24-n;)BeUZra*Uh0>gHV!W@ zW_@jK-X1gD;Z#h6@f{3`VL+U1&*@iNjTjltk)kRpDZb?u@2$;X#B?^ycSFsQ2IliY}`}R790**4`r(HaBtjv9T9JD z_8~4ZDZ?{;v}t}h&};S$n|G#kex%5l3~e!P4$OEM!>BfO*|96}Kfhn$$?V%*SwlKg zHT#GKCoQQ6rp5>-bZyqE+bE++Q3;JZC@ccVRJ2j&^|WO1!9w;-VQ1?Gz8wqmli;Xb z)1tJEc0HzR&!cnc>&1)9Iq9WE2G^r#O4HH=D94mo$Vlm`kx1>nT!9g5x+8X4cVDO{ zrEX8;9yQh4KR^d6@*$}19SO!tLeW{L&-4?|M4lMM%dQidR9^3pk*6hdX?%JPx}DX8 zpnf9~ge*mO3A&;`e1{LCBZ9nx_HkZ{*4rYFl=)zOmj0BM$4%xnpHen(zQ>Gxfq}gez;X z<85?)MR0mBI`5S5*HC2Bep-$!V=v7hCYlKB<=B#%bgpK{-Lh$8zmTQ1plyf4RXHAH zl>j_0|7)#1I?P7*6K;~MT*lyD2Gw#J=zFlUdW^~DR`cBsdn@HG zPnXpQ_T7S8@4EFwxcZrWCRJ$#QnllsavZ`xn=@maVHtyKm)Japg zf?G;$`kyihqtfQEELX>A6#E3?rtCg|&4OKE$IG*0xAu=V6gq}!D(TyIi@|kQU+mrS zjixK&K+$B%xBgNzgJ5c2-}SNK@kFAC{S2p+NtlG7IzfQ}7|4S}*zy}|6HtF6JewNm zbsM(sS&~1znzo|#?;ZbyZO%Lhg=DoBr;$~;kd*dk8i!-k-0;^8>~m z7S0=a^HLYrg(3ugn|-(oxLT(?RV+(R#mBgo6KEAWGC}(41)h48ZaM`OU*_a=zBY>O z#I^cm{I4DlQJH%@f5feBLN9}hShBzPRM#pceSX;Ie>9=4gTJmPj)0BzfQO{ZP2m2e z_*&w!DUn$}SK3qGF!J`1sFyCVJ-zi~|%Q0w?&t*ORV zb+KS;9$u!|kj4xj9<%uD{4qQy7`SdST|Oufh-WJtZbOS-TnXhYlgAEM$)`VjZM>PH zKcDY3J6Pz^a@)oWosi6id+%_Mo^{nU3N7lQ>3O;hW?Vk#CIJWHb7K*9&cn2XaaLL4 z7iQ7?vdXL7CZR6)>(y=y`noEMt!DQ?3>wX@`fxOhj#~6(tk|jWToY}aS_ZE-lo}6} zPQ|RUTk9U2`$3$Vn*6=&pV5!K#%LPuoM(0m^Icszq|yup&y4a3o}opguZ?*7ugAEB zTWqmI2{~or)J9|u+(j;>a@0*Hf9pqvN__RA4qMlMT=4OTKTgtEEQv_!kzM91S|FZc z@x&X!R(~%kkE5@TuQryx=wCt)-{Jn|T4y~7JJhaSuS(!)c3H>53xW3h(qm!h@&p@(jq1W(YM!p|(yKQYH{@!3K zaTve3WI|Y>$<-vK5T9CqttXuK*ZZC{lTe=YJJF`=?oLfs-^4EMEBMSI|e%A z!sd4j?5k?34KL6#{h$C+FysC(9=;OrtRJOzeFkP^u5uc)DGPqli~1`_4Uw7PE!D}a zip>HqBFwbNcEorFQ^XR5Q5Pn26!JvaiJRDDuQP}|2w>({()#DEL^^|hc#TTW5Um-P zjzVuuMuX&z!>VvoIxMKdC}UXyK=NY$IHmT zciv?@e%);l;_`v&2XMx^&{dDncv+Z%CsPY5DmzB3;@o5oyTTIrgm&fdO%-7VYsTj7 zE767cw{GT_y>ou`x2LgasQ2awQ25=gqQ3z|P^l7z>f`Dmkwxs1{~D3xF(na>tK!vI zcG`?V}^+{AD!RwhH)vB)c1$F-8Y&&gWm-$AW`tZ9k 
z;Uaj-e*Z9*EE+lLAA55WZ%%2-5wn>JXv?=G1M-we!{^dK^i)4s@ir!;eX8I| z=Gy0$*<+0orLR!74A<4JxX*6Z2*vxqWFp)5FIxOf+*#>$`k(iV9CoT!5H22uvzo9WiJs62?m%=kc z6DQe-n;T+0-jfeIQ?c0a{o4tATD#dxzLZtEY5fUjK3< zyi<+0Z_KK*F_zndJko-?7Qd)k!mnmSH{iJN7p zUGWFI{$%^q4dPUwat@Fv%};AQj z7#=_@tvDi%RBr2(ch2ftV{>?FQqrGU-WMS6IHZ(s+Ln6(GLE{(bqlx@lynES2yN{DN0kHgKif9^@&>2H148r zHYw7*k+Q|%3sMCkXMj0%(lIzKD-&a2cNK+KtlCIQC%5;5jWG&#ivVb8g;jy-gctM9USB5JU*}@;U7s$GbVgpoDT}w zw0QVkU`(oMgw(m_)lPePx>db!q?5MRn+}^IE=>q75D8bKdt$Tz;{9WLUpT7x5G@4= z##r4rs^b|LfpuItt9ED&et%2F>6$?ZY?9e)sj zafxn4Cq=YwSlQKhpYfdx55lTUX6IQoh>J_$cNB9^*9kt2hSDtdp1K=@FHqL_tkQFh zgDKB!>+;5M?5=>pQ+bn*_19@IN|g1IyD;Bas5DX5JGYA(OWY9>nnC*zD6&rG%5?RJ zg4A5FE7ZkvQ1baP4%vefk^~orZye`{`F6rsE6t8}OTx_3->2EV^y?-FpP2G%6h`}h zodLs_xBa?Uk8Dm%TbMSE?T<_`(nahK-?k{V$CsC*S1u^J*Ig0VZTDoaI~Aw){`zVX zu(BpL(8bRk-YFknCjuoNFMUznYMfu%o3?xY#!NaoWyrNzh)BFShH~`8)zqQpGho+o zKDFn>ukRP3JIt>RtX0Vv*VKiJuQDCR7VY?J?_r}r@e;W(K3r%{fWo_1V> z1sk7RTf3d++c?t(UmmR~KSOG*FqN|!66g$r6@`X$)5YmBkS>Tz&hYdcySuz4At>UhZCM99J~|3*ND`cWTDB;QUuvuNd8FdZhn6 zh^L;KGF=PgcR9V()4LvaXl9~Hf=Q-xT#vig1rL2UU7_IMS&ZccmwqzS&AO}~EH3H7 zpPbpAF1O6IC_8OB&<>nt7i-~oPfFHx1hr<$EX)51RQ(1tQnTq5Szo!Y((RD(DcUsm zuJC{NnZC~p7M8z*)_@e9pDXU48GHn6Vwgef^EY@YA&#Io;=LjPOO8%XE+P4rnvOvR zpSY=IpzccwCxcVwnGE$~S1RZZ_i`MhbuUwS&UhMn?Ftcfpeyxp3ZiR% zKKn`y@yJBTi*;nYia@JDs!Gcya&e2S-I3E#IC9p8pm+vTY9}$1Mhmi-wR(`Zh(mR?>0yY zK5?a!P#5bBQW_i!&X)0FC>|CXUhz5U>{DqzcRz&s2VEc=%67+EY{jHn*Gz>?Pc$ls znF+5RO4&yG4-{_Y1a9Q2@*0`~nxq9T_AQm;M(ax08HD~Wc>msjMTgA$ z?ii>6{!wFQdS`k)$%C~XGF2Uv`_b+K_wymoX?cA&2 zX3VI|1y!YnJ0eQ$pD1qTP1s~puGoy;eg#`sfa1DpO+;o=1t~$HRj+I{=}a+i9TxS~ zC}Lw)o05!UrgAJfR&3mBq#0EO6lJIgfp__+zpncMCa+ z<}Qnf^epwb{wif)w%+dDYX1vc&Yy3XYa_UfXhxkDXPkcWGqA4O#~H_{17ywDdS}>l zS5BYMl^=YOpU3;eP5ljzYF%=`UX7yj_h%a*gqKlo8fHyGn^+v;Jq~8BwZMoe8j0qW zeaOr477tI~-BmKa{c=efpH1uZwWSEH-qWY$>|$54DYSQEv0nZE>b)zE3sT&aNO+Ng&TM{~A|}(3`A9&jxGdU2&Pw zZp!b-uuhh_6ve%T>Zx}R)|Z>`ZWSYdJqvQ=dMBOji}k+TZN6+TG)3n{deroW!#lPA z%ZQcZP!rGz;g#;(?_H8hz2RwsRE1wO-9SLYfSb%y9^55dPs+_EY@F|z>Gu|@?8t}w 
zbxDbzbn_hxF|TM(VEzBEy+H1%WWz~X((_vDfs8aSua^1M%N4Qca(@qSeyI(GQw_c3 zLVJ;z=tEaDhrO1Gl%=M5_)e|Qbl~nvROhH@#s*L_c1D(<(@oAspqyICiAou|Iks** zv<9CtPQcj8)CkshyMlUTVuKI^Mn&ypaYn@p7C*bKgX0z8(e0(@AI>mncii9v&>>Mg z-)&nrv$#v-b$`M}u+{z`LpFFX)Nt}dz1(-J>S^Im&YjXVxtBFmWu>KH)vWVm_)m-Z zlTs>zAG(V2!&@DT6$knL=1{&2iixWV?>Q~x+8wvnK}`^4s^VVw^YyJNmf)8iSartp8Oj5b6ui1UIh;K}RR1;q?j~8@+)AWqu4jSPb)uXS3fxu$wU=Q6s~D8@(EkeV z7~C*)U)il@L3?De-_Sb2X-Kb4n#{HKm5=FuqCRUy3+%pydTuweTU{QaLh`zM;hMLS!-DJv&z?!(GVKw#Ig zn^Wp-6@D$;#Y-FthMC2R-3%O+3hC?i?_Zr9t9YlU9&PYxwIk3lrXKi@`APb-F*vUq zRJ&7p?qT^j_jAci+Sv94JOQY{50MLd1T(Op?RSfJd29G6Tr2cJnI`^kZH6_33*>#) z2dMnbN5}84r02g{)PQ+i*xviBRuC${UAO5Q~U8H*o>|4`1lmA_DaP;K7IJC`a zH8%&Vm&YMp-2GB-Sh1DSeHO31A|lz>dWH)}e)CK`v}|& zum}AvuLylE3k6Wt$gRdcQgmlbi7Xv72UV;2){R%KOb{|I5}acL`ZsT5!QrbSSml~W zBLG=0J~cR>SX6pnb#Qo7dGkw?k80+ANk>}yHdc@G?@5&^14(hyv}0=3qgH8BZTFU` z$`sijgo~$66qrjf?ELC5nGMOC6v%x#E+U_6)3!YS!V>sd zOqFXoZC=TRZ%kF3gpxsMd%WL~dQC%5wUTxR?DAlulG0DyndQv>UEbsK4~W)z1Ztvs zf+FoC*pl>s>s343OxmtX>)5a^Br;<&|_6Xm(jW5#CgERMeoK(_t2s3p{;yvqMVE6E zvGm?My>68WKmXYZ5ab&T3(SGFC;x+)$SjN*g!jqcZR5ko11gKr7}gJJ!X&dE#TrFN z6hs}VC9aG&h=;4vX$$b(u3P70?g7G(PbS{x2%1uer%QWs)+W;mai{XKwl(dQvrGYB znzL+wgYL5$XkXvcRS*{*=KF&84 zxi#0P*Z|)`LMXk^*scTzgP{TF#Ogp6oU`0DH$G#JbF_EJS;nm@=Wz6_o=uKJeCJWd zV++pPc;P5%9+qKcVZgZr9@v^uAoSHZ=IhozNz@X0m}(OK)UUur284(Nu z!h)L*`R`Q8{kO>2k}Y33DPGdY%6cO>)&sNZ5w!V!I)VAWiVJU=pIrHNT5U0ORSp|S zWwp@rJRJPec(YFkX^9QUjOuiLqJh2`Z>a16ohIm8Y>F^b8H}FkTfF2z-PF%!R#04^ z24?lbCd)NKCtVMM0JR-$v`>A~e89}WqUC{nBULNPt?k}6na_>XEfn?^Gwco(zck|5 z-6G9;Qo2pgA%~lRpfpt4;^TP>g5Cf~Oz*_g%zY(wPP89;!45!ts*9uCOfF0;M>Y3Z z{g{7nPc>A(JF0<~O=3dmIq(FhjHcZG*c@A1@RiHVs3YdF$+3yEp+blViSBW&`Uo)jxZyRKJm3_hQx_Tu{BOST_MS?D zkdnb9ZoF8OCe|uF@NFxUDlBskkoj;d>p?J9-v>V-S2<&Ik+&v7i-9o7f4Ta))cs|w zeLo>&4J!RO7CGW8mugwa=DjY<)Tktxyq}-(YVoPbbQ!l@VfeVSC`0V(r?|6HZDm4$ zMyQf|R7!}1xE(=RIYg;3a{LAzNsENVGFTf7&aaGdLY<@up0lWD?h32D`0F)P!Vjq7 zKjWl}Y&|K$FMt?LBrBQbS?!aS-9F^;7i?WR`H=HL_r+u{lXn~9_NK)_@V(8M&@2rV 
znXf}^Fq5{PxbDiv21CEJt{LNehL?Iy2jshK?}wF7fE(}jR+SqCAXBt)9!$*)S(Q_i z@TArmhb;8QcBPY#I5z@xF^vDw-Lhy5zPB|~m;BMTwWO6nZ7|^3`SWUZTiM%VkqujokG%pMXg|+2U@mC} zMdrT1aP}0E%i2F&-_9NG%GQXtz;=p5a}IBcRj1DHldBtI7uVV^_RQon1{3RBLVWR4 zBQqza`B}$@%8~IRa6OA4#7hv#iX|xvAo^~U(q#rj&hwF_4mC^kAN5;baW39gku)43 z15Oz)asX9(q`@9?g={T!jOrXO4vjnHmq=vFK{QiLjB*(HQ8U%!r7QMxFN_6AhKC=d zSf(%oMEx6;!0G$%%JU0m`$8ph1Ob%hDRg+@FK4Tsi%H-MKsL)3RyJ=*hCvSieftrU zA@nf2pNUIlE7^7m?mQ|=L8!v-80zc@IpJjiZA`wmcGk;O{rXH6&_ED%VYoo4rnQ{T zx#1cxhWD|c5RTrkO26Q5g&qWF?s47}O}R*U&{ORyos|&q%>to*^K3zf_D_mXol5L! zvT0c(I861)54QvAhkyUSxWDsiWx?O{d1*GBI(Z?jXaTTPf>@3ho9}e9lBHqe!WH=J>PP@qRn18brOI09++3jZhTE42dveAy0BV6 zipP!*JJP{!Nn4n5*B0nMn@DqJ1O(yr0uV$1m*_o%E|E^W|KbL?rMHCQJbQ!HlS^Dq zgXrKfv2LIac{>Knx<`&r^K3WxoEiT(2k?*wEouG}GZRY5FJn}AF_bF-wC0=&0baPG zOmk0vT-6Fy2my{_C16|K?Z+tI(WPZ2(08*-?xZcaH!EK%nIE-;n|b+o(Y#w+U;khA zQ1HW+C`GPT4$4>+V1l9uoWz*}gfaEu;}}jg19-M#<1?=dE83Qsddy8l_jFExJ{+LW z87r2;>0RACEojlk%_GVbS7NbCo-=h}m9sWta1Bx4D37H>K(GpiACJT`{M#9;2=@s) z8mj4!>iXl92z|jY&)9R>KvErKT(r}*#H6eK*Uw^(-O6l4BaYbrtYuxia$aw}qQMKNS{w%KQAveyh}m$=qC#v(NPvciU(Q%I{AWOto0PzrZJz)%z}&o^T#4X!_u#8; z>8ij&c|(DPI*X;KrbeKv(aOj*-}E6hZtn>I=jq7arYe4KL_#{=BH1zyaKIUMa(Zya zzsi)q*~&5QiVl=ykqG<*o+lia>K2SttS+G9DVtirDAHP z;=wx`yB5ZcdX$?QoIN#qsCmY&Wr}%T2>sf|4Nm=7qKdILIbL;(%}+@| zvnFPk^J*D1XtN$|kB@M?WY)q=VaDJms3y9xOKyd=z==aE3Y^))q|55jv9^Wsg|eBv zqn|jGrYqF7W;VZd(aF(~Dd~-}bq{KEO~+7M?0O>2V}BZ{ZOO=4quP%!E-h;6_&P=2 z8r5#{ebAjc(yMt#xXNqEp%Yp&v%u5^d!}9Y{eo*~*mTD7449*Y+ayduxx;c)xJ{E2 zUrpKaOh)SA4DZg&V4j)oi1=GVina)*cQT#`9u|LI2VLrG{2 z_}fhFMEvD@bZmAreq5V~nVn*zN3=+jb{|&jxf>jZnHcEdK2Ct`L8oP)IbSbLoEF(s z-uJUvYFn!_i1?6+LFy|pNqWrv?*hv`eHpY-*49Nfy+9@t$RjG=_Y=_ELLF6@$S(fi z;Nhz}cWiC$q1fHUu3FVKt3;mjo$u_9bsb;c|Fl2i*-TQqXzTAS;&wC>?%{v#d!!jJ zl3673qfOi8kGwZ&a(*{peej z?J)RNG^>-l*rzj#Pt}w|@<-!beh9gvnci~X(w9wg)SSqlU^p+$JqY@{H5?ecx{s0|&@h>|0e6FPYZps?21=NF+ zDE_PLuG{M9<#5fNUeuI6{m>wT{6F^IIxfp~Tlc5Ck&srpOS%O_TDrR%1nEXvK0GHC+e%&M)ND8jfIr- zZeDWpohSLu8;Kc?EcU?n%f|VB{0#8@Vt;l0exVL$aQAtr4cy|l5YqYb;Mq 
zFz-^$4`7`|&C_Lj5V}AX2{c*ems<5N>D8odN+2m(pT?r%Orke)M$r{qyP8%_e=4Al z)=nDN{ZNHX!oO}`?#L+P#hKbF99^vW{|w@N%lpl{9C*4v$AoN)st%S{KFjwyM_%M;E!yhTyyUquzsmZH2}D{%&P?<@ToCSI_reB$ND} z#&_C#B2J;=K+%41(C?xpZ_C&Blz7zp*r7XVh3sZs-p%QFiA-3-cEj#O(Tw=eL{;OR z(}VQXcHI3z+Ct>JdFY(GC0lfF&xAT}mX-)I12dA(7J9EU@82bQllQVxuH6XwIZa=2 ziTJS#`+0xWBW>%@GCCo+_$hF~Yd%p`Qdzomx$(0AGepGTmx!(36}{cgf?u8aos&R( z>!R*i`}jDyT04fwLgeMQ#kR_gjdS8cgI&YlSt8`4o?SfBQhj^&^Uqj6&4~OeC4bmG z`t=3X;4`hM%y3`Kt#w12FXZkggU{|Q;)MDoOfCQa>Ea(Mt{*G*HqLBU1DskjM;bHFjy<_IJg58j=05Cckyl!9R#^D_i;Fpu z#|!7ji;-i``VCKRprR}8%3Wx|Nhl4_>p!yvoRQAd^68Jc>W*#x^NX0r3nBe6d)=|b zR;U~tW)Jw6%-X+k-dCCr+F-R4dtk38nN+^Kblo@O#h{ec54G2Yk8Z_WYD6LNc*gHO z6i4K?@#bxQ-x6;kNwE{~DezL(i%~XLD~@AdG@x285af62iSB)&kUxN# zzku&Xmx(y~3?+*P#|v*+LUD#+m;hhw&Q{9wdIVO-Oss_L2Lr0|g};XMo8pej*eYdc zBkCY(hQtXRQrTTH>LK^=M6(Ww5f0;Ai>Dk)bsthJwGrf1ne%9x6Ae`YY^m2i!z{?a zC=^r?1dNmIW@f7dI8qxG!feRED8heDc%O-q&WJ3G_gVwTm!YbH3Q8?oPa3JDqa~I? zHNc(PsEA`Ww3}Z&`v6%IuTcZ%1H;EkDiSqA18LC`(e~JnssVn~V#P4fvR%sX2#Ii? zQJyd%%j5BC;-oV~3R#xvpzdZusRe{kKP!R3lnqpcf1dch7-f|XSruq zVI*a8)!{$Hzb{82p%2%=6II4(WQb|&FOwy>iIHA{<)yAJg>jMz)PVmHFHwmyOpk1U zm#u=+UIO(_5vmmCyAXC6OsC9CP5Ac-Jyj@ZjL61n9m`(I7ulN9gr)w~vApU5Ce#6C zFat8rwcukD-q)beF@~GrX{zH4GjxMu(48yuMdWBjKgh;nE%!aE`9ec*w zvHW?()T*|mZfPeZ;=dB?jV(&9HnUP4o|}+hFt^iUz}wBFR$+G@nkY_gF+)}xUapB} z*mTfR#^Y>cDv#jP{U7x9Uq9{Niy}1mjA6lNi~v4kbnqDyIhNB@aII>~>)LccQX8lJ zZMdAup=Yc?a0&ns332~TMz=H^6#MT4M-b39woSQB3Hxbl#kzT4rl1r1zIc^_P7=~= zAs*_K&Ot2rfihw4$cUtL7y)a;(v15(VL#)4#*rqthiY&S#^4@$N`M)|)Bwd$h|Dh8 zU%tdD1@=dw4(v~~4BVe2SQiP_;e&NdKwVV7wwVfkwmP7osR}4m6#*rNO5nex6oc{(%!2a~f47r`662ts*aO zC47s?n&KMXtVH?5e;A%m9hg?E4BUt&xRGjbBgWuHdcci@O##zll>*aJ{4MaYx)TCc z+kn+GV08spt!o2RH%i}B^fF5B%kBAkJ9tei6 zO}GsJ;(#DE2+D$BV&n9hvckW19bm%@>S+I)I{&x9?%=2}o29&jsMkwDl7Q!K_>W;W zq!s=Wx_geuRO{NIHWbxn*^b!25fLBU2$MCi5zX(wMyiT{jTkC{8_5MW5&)LNMgk*; zmfB#?@W1&CTxZLH*D>HVIe0AsZp62)2Qq5n^Qjr}Dfne7@STZ~ZVt%uj)03!1?ni+ zfI3lmur8FzshsgxAhwzHkAR4&1=Nw%^gzh+O~P%28oP03JY5i-%B9?}{?iA?P|Aw4 
zRSYTJy-w2T#_1pd5~p%RH{Nw^%mYWD;o@2t*bsZh^S={h_VrZ0z!woJ_KMV?dWXsE z2H45@c>uI#;g`|fbDC0G*M6{^Q&PTYJfL$b?+=y&)=(h`UhM!^F*Y&4Ms&U78>hw7 z76Gr8aRR^qDdd01)Gd-am4_y_0JDC3>juoFeEp%vJ>gtRXzO z7nDDeSiwN@^*c;{;6(P8AKaS}xVLU_Zy{h3Z38e**arx)eW0vBf2@Jd z2a>QqTu7Yk{L`cV$lCq{va?^YXAr6qfTSU#lrC|HdUPYVe>p%x>F}-3L)E|Sfk3-$ zQ~Yb!f2Cu|xIXV+|GWbI&m0UH6~U&NU{gV`sR!8fH_+7fXE^8%7j#Dpw*Qmh$H`-$ z`Yk^oDXP#9ln?B<1DbrKK)q-P*a%Gs*u(8dK=dOy*eQMo=tMUOpl?3^k^C(VqM85- zRqYAX8=nDW&n`fQO#viUDL_)FgPLXk1a{nU01LHG7W>EK>K7uQhG!aBUX1HB#k&|C z8>|_GMV+8V?$u53>MwGO#b8pM6iDg)&HU7`exjJu=39}o)-lz!h#mj!A9Izfbak3C5-{|1^wWErr?P> zj0+fpVj7%H6P)eOB-amOfl7N;Xz5femU0P%w?3J=0NN&g@?qV5h6&ZveZ{To2WOQ14*}9f)pwGY^AA zJd02dPsm-xY>O&tYnV2RpFP`AU(M`a9bjjw<8K1H@U%=Q`>k%>K0j**s(jZUIFa_)znrv&5J|EuxE$ag`X8cqKS?fQQU{ zmCcnv6hd9?AUNDfj|qn36Rm!3^4^ei0oic7{XT-<|D=9Bl@j zG9SAQ+`0uEJ;uw&2*n3xkRBt}V@1FKAuG%^}q5vTFP|-J;0Ad9om_Zjo?Ak=FHBDw#=k}s?E-kFPk2S9zUWp6B~Di9f@RsYW*pIRu}Z&bbeqK z0#Mr>K-Ek(2Joum38>D2=r<6Jt49M+h*`%?XBjgrfZ9C;RPBcR0k1j;0J^{djJ28w z4X8GNXcLGIGt0J;qb=3++;jpTW710g;qkcmm|X_5KOVD>$Nk6b3Ya}DM*-NC5Bihv*828W*y+hrQv_O$!P&46hVp1L_k7_8IbVQ2Ed!5%(*+! 
zzjbq32TE9h;*+2Y;ByK7w#0u9qyEQitcCckYaXYmM~8%K^F#~ zi+0e3AL!yi=3mq>{w?qo2u6Y8M4&hqC~gCSGmnbnpkf}V_;&$bfAUKiJEMHy$l8;- zHxr(TxgGMZ7;ldNJ>r2L8GvD~ta^duAef8;leCOLQb8Sz|J7^wF527(XWp6n{=YEkev>q(Qx4+FsC{S+|FU1`b~`n3jU z7V&ANIWUaD2rx{0Dlm*67ck6&^`8Sfy=%Z~Q?Pmvtd0Y!|1oI=CMUsUAtAczlw z%pj-(f(?)0_}?u!3~oG9cm^=;Qvn#i)&-28Hi5>SyS?qlw?cpk$IyWZvxq^E2L$bt z0dSEG1daZGFb70khxS+1 zZN930`@Y%#x-0Nq;D8)_7Z3s81^mEwftdSu;GBEO;GFE>oF?F${eaW(sF{F!dQs?Eoo70 z-~Opo>+qI*RuWjlk;UVq4=N0KFQ0m(0D7z^9+O*UfYkqcpd4U2VQ{)oGNzL&!B&fZ z3c`moUOzm&mn$y@&MsRG4nIYDNraC%JH^l)d$1f}Qwxvv3gz}}H8o1bUkVajgyCdu zt&=IOpXe@9%6Mn~Gq@sjMdaUE^6%3BuY|Q9okxOWT0VMaejKxRt0|K#v)fZpNHFxw z-Sg6|9C2w07}doMK*t9GNRqYz*h0o4n0))+m23waJ=6n@?iPSXrw(AFKc6%M%ab5~ zqZ|{^3?j2V_COGtT|Ytdtm@r*dTJOs#<|^zpJnka2q?@()bY*~`{&^1NjBnwH`%FS z+89uK;_)rWP8id(YGezbt^~I`xw8<3X8*?__oM79K{7#0;TS~B)Ul1upv{xVl)K2% z=E>@v3t;wQ5-_@~*l;EIn9R26_a<`zUc`Y56YwGiaQ}ln3o%0wa32R;wq}u?cpUk9 z4sVIMftSFW1LBepaM=P@UI3K`0Pt-IsBZT9k3)}bzHI?2*WQ3i7TD?pXyqdev>F3i zon8U0gvo(c|1L-xRN4WQXhEfXKq(VciUXA<03}7R-QO)V*6mgQxa2r+$rHem6~QG- zgHK`ycoMYWlgJ02L?-woPC9|d{JyZ=yLE4GE7N_{vt!agc=_zixz~9bHuL`XaYbbo zab_*q(P>hQo6nu@QTmzxKhoS|S}{XpnIPK)3GrqH*h8>&8*uf70AMbFmRI^f)e30B3vlxnh!jkB0`#9bWPtD>0RNdo z8({tm57-_U=V}=&1qbv3CiQjzJ%Y3U1p)@T5(Xh~#2a8%Z*mX$4fC|ets7_{g@&Tzeg0uL|VW2)ZYJInDo0m zz9Tni|Kff7ppo@(Dx$A%U~qre?{=8Aa(8ky>9FE+FXrd&;c<78=FooIyCTwlzqP@` znk6jwaC?1l);%=lu;LAT#`5*fQs@j1aJ;xGyu9zO1k=7khay?mXFpG>v+mE2yBBz} z9wJ4Y8T}p-ZqM6Uv+mD^Znm~&4(}1)$il)sfr5fUg0c}u(qdBOdc9K)1x34$2t^5G z-ECRj9NyYETbh}e0XY0 zrGaGA*8^c}AB8Npec`3!FTAm$v2v)QU9bHauDfr3IUJI(IliHxPN;f!7*!=pg@nP_ zpWvl=<99FrqxDnCcN?vp+Db|N-NOf?r595owBZUfxvSSfB@)P$Olo>Z2$|ER`RhBd z2H~c@zP@qayT>j=A8!0GL{9dT?5K@}m6($_@C;Pv@pEl4yd7&o6ib}7gm1g&SX=eO z`+Unn#zx>PhcJWXYzn4ou0EDLU-PSjymqJ7>Xf}K-!$o0OewNatL0+lyj;X9Rb^43 zuX_j-DMjzC?8i zj!jRgzmAiBW*57UDq6*v2X>%F>8uQ28}g1pvqC+`x79Z(*+Y$8%eqM$5pj2<1+H}o@ZtA9BuRrDT~mr3?z+iCU@kCvn-Ia;Kmkfu&wyia|2|1Q$v*;ki)mVkn9 zCu}+D5bIJ3Mk+;A0?~QN6!?ITwC@maN=nu)I-YOORb*rh#9%E`e{9c 
zqB%v)B*1vthxO*St|R)7&|~x@K7#?0#NSxYW#nScLkc9@pj*q}{D}qOK4aSTD(g$u zzwr2~75RC&Imi|XjoRF!%eQCEf_*&4gNTxvg&+o7!A;I~_{0@^v2>Z(XoAhhxihip zl7ZkTTWhAo>f7~`nz~j+1o$7CJMml3;bH{6_+RmJD--K{7)Wwd;_0~65G5k_utZOd z+tRXwlz1RWC2^R1#WTeiC5DLYMx_SpCIAh5RVLeXgvmRL_Bi63pg!4$w z8On$n;g-%o)A_oXW2B^DqooC#pZBDR$u!SGz|N{NBsCBx0GHb4j6Lmo`PSSz=(5)Y z>AA;dT^Zh~#%I-$zRLF>m2#Ep<}O}M%cC+%(x*zPiLhyL!%R=mcw45atUJ{a&+*t_ zWc0no-JwlUS&yw-n443#ZW240#hPMoC!#)=X|dxh=F3DYafL>lvu_LIAUBw>7r*C+w)aF*$NB&aTjji=Oz78ZD`1wCiCL5>0FGn^{EFV z>uNc9{Cx~&8hK_F&6Oy#FUmy4)!Mm-yxmn$n&clKavi~|B+a=JtCkI4+Nez?>fYjF zEVSnKkXkh`Gez?(BVE(s6DB9#TqYKj^-_+B3;v2AL!5FnWY$1>MO)0EqQsTT{2L!u z@I4)=;livuy3Q(t@f+;?ym!rsQLl-;*F6UkR6i1z;K6DJl}3E z(0#_^&x*sfm>o=>JpCSPi>o!a{}pETRIXL2<<=n=^=MNJ{qJ-~Av`yoLGvY+;g|g#Oc zZN7c?**kOZJX3@lsp^l^71E;e#{}*KZF6@wAxO}LQjXCu{kGVGYBu^Eml};B)i~tD zoL-032)8;@({fX9sm1HgQpxW4=AoAH>hJ{}rg>A=5Y8JzYEkM?9o;O$y-^>KLYIDc z#ovcJ`G%whk$LdXlQ`}NQ-3Uv|N2TE<^w}%Jep2Q<&IM!Eux4&2_?FD@HnM1wS!K^xvAB`eZ|BQdw?L(NZ4)YyPj6vMa)U#ba3Fc`JVC)I!lY!qDBxl*D<7Tl5_8y$i_7qdVxjO{r!nn zUHhdyL+%SP^5r%zk!#kJEeiuf#cxNlqxUq*FJkP*d=sO#Gw&wn+I{X1@6zsf_P5&a zuH>dZx98lbRgB@UmrXstAq?chBaPUb7#8DFIz&o<5RsC9Va;*6PD&@BdhgCqZZb;l_wfw zUT0XgIt}TbosY6&D$sH@gFhU$HmqIa4QgrFeA!-B(3gR!_HpzFj$3yv*Gd@YN|d?H zZRxMCwPT+dMbhuAJU&l7W#wFa(_r!KE|gnCFkxfYMtEJ3aATt{?8<*lfNK=y7Uo7_ zsr{_K60d%7g>CY7-@qBN%2#$FsON_Sp%O})vTSyd^{+y*W4ZfE@!kpssUMdPE-7q5jX6{JF6lqFG$maW=Nxnsbr_YBT zbmh_0L$uFyX-eHaAL3Q0B_n0-=&aF)kl$F`e*Ce1zP^6n9EsI{I_zLKKF7{~wXDpQ zd|_h3&-YMeAF)a#5ktub2W!z9{Go>blT60eY0S0~N)RQyY)>**AX^L*F*?WKIX zCUqkBq)b9$?^UWZ`}_MbOX$qLp40_j6wUjq63Sa`q@)sk-ckNu>v#Wf--Kcd(Ho7IrYm~BfuRIP4+LkLn-LZds!&dWeP564wUQM(VsyW9 zp!#TUe|K|Ih!JdK_i5#&eGOR*JQ^5U+c>!KQ{kM4Mp(eybm_HA550PO?hO|GrYRIp@t`^?Ony%-nUR@V%)C=kkGPC`ABRnm-1V(=+z&{c z(FUz`!CMH5gZZiZ^qwn=ndQD;Obu?w>F;PG1-qmZdxU{kO zp%D;MSn|&AJV`Skf9m2PrWEubEz0@hH;u^P2&JE;_)x`gFN3bs{>aZusb{dA22wF^ z_kX^0wOf+9i0+v(9jDbtJf7H~SiwKksg0d{MNTc_WGGamHreFhu0HUV;_~DJ3e}U~ z{gJWI6Ww(TYvL#v<>%bw_r@H9*Lj)0@a|7zyJZegVEar`B1qu6urqP?N7b&sEv@$D 
zGviOQ)3j3SVs4i=^<`ZJ@rvgmzk+BH=b-DV#QfA+N<=Ln8!a31!RmMYoVe|UNhD7* zneR8{A6c<+Wvmn#RVVT+EJL^P8#cq3vl7qsT!1%0+~C)CzHh~vsPoDhdT{*=^Zbwi z0g)^Nsx1wv58me`tR#kUX>k+-#b|W6J=ywlpD*q=#goXk!m*vnxI?I)Jj;$N&O-G3 zt~@!8o9NW0Pp2O`1gAj5?Yql+*8R4Wk^#}6wW;S4_^8@Vhlk^tEcQgN6CO>hpXBTN ztkckM&uMiqE^P};n_lw&5N{m|4f!j9gEBAL zGU=puuIk6lbN2>f{y&n3if@{}U6Jc4f4+dq$bI9?o}zu(pyx^(2annDc9MOK@zT=n zfo%)A4j+?I@`~;ON�wTI95k|Jn4fu966i-Dj3E)YRU0o<-YyAC`R~&*((#U@6m2 zd@kQJUmc1Gp1vMi%h}!iEy&1lwmzcv`GKacqk~BtY67CHoxVoF?C!g%xMy+1Y>}M$ zmiyZx+Vf`?$sTVnM_v)+?yBg^(XjeFF;1kn+x66x*_FGu-Fk~PlYh1Q;C&v1jzGpP z7uQE}y%tw2nTAn~8c>R#dV4n(B60U~>%qLeij`3GdaehCDv5kE+zC}iMFy&6$Kc^a z(O_1QhsSLuiKk)ze6kSL^_`bj=fPHkNDX=W;_~vSgUG|_&q*^mmy2Fg>&Z_!Sw3(U zfeX!Z6Hj09*R0uz#h(^MYCJm-w5J(e@CdxKC+j)W|G-Je_wy;rqHZyc2RCslT9D@8 zReEOcBuw!2q8hda!HqEowDm;P@99=crkvj*L~_IQ8e#(dX*RDP5OvwzpbWa9)W1WE zm{|A_?xnbOW=ySL;H%T!9#KG25RS| z*VX)*p10j8|1xcepBN9N);!seHh&(XIoDJ8>#6-#Q;%WMDrTXDH9Zx+B00%Gj0CYI z`j%7ei%XJ6X*)cCYsVhfepkf2>_A9G~K=k)SwI@}iR zNcwP{tz46rFeKIDhN{Z*!3s83iKi^~$m(d2PrOYydC70hr(h(1LDbdAAncPZ8$iICQyH!<*%tVoML5MuSPof~6+i;NA?xXsYkU_sWEY^M;J*=K{PouTkd|uieHvI<1P9@RT~G?Dm)-xu$i6Z)0l<-@{t8 z-r|y8O=-(m)-2{p7R%hPt*hJH>!G{eq%>Bg#MD8FBze}uQ;{-G`gv21amSRyG6^xN z(=zrFb!2dlyLJ;+-`IpA)i4?)>C&cjxL4c{WmNreA~u`&&3do8ATLWd$k zZ2e|aX6S)o^#WQ?>Uaod*#d(0!9ZRos3(PP($j{2A8juh&KWNZmF{qaD=(*$SOqWR z%rJ;;5Pn4TunN5bd+_VIHAh7Y)=LR#E|30U=mv4WPFozUz^9XDG&TBVpUXMQ-u&D} zMl@39*qY6poRuyZ$Wv*dQ4x>+u_bKM^$x3#sEp|@Qw_p)uKz+DUJFwQ{m1KMF+&yX z*jM>By1NTFzQ-6{oAXjd(ulAgQinn$t9xc&T!%FV18W&l#wsfh99VK+XII)6tg)jk zbdj^#MY??BViBw>6MKl8BG)de)K3~nF>^pTiSWs&9j6bPP@<0Pp@MdvNjwQzwRm=9I}ddU#;y9^Gz5k)s1b0oKx{j72$C^=r_ogk`-IXy-o+>4_0}Xt=e%$Gv^((ror>TQ-Xh!Z`B*N$Xmytjt)P|tATk=o(@@s_4d!m+#)bw z5qWTVHzd5I*E#Cx=hlC~GRitvcv9N3z{;bcL69XZ`HRhgMaD$fmSWR(o{ z@qDXZ@gvt-UAWH5HG{eDVUrZ~v73INrsRbi9VIiXh6#;G?@(Z}cRF0WW!b9td7+1N;M7&2DzgyDtDi1NFLsBo2$|M zYTQVKB`?1ZR1MuEb2@B2-9$m0WCgx-r&)?>`d&a!gZYyD{^Xd*ZF7?-KOuj}D6$N_ z7jvFusn)Z)&17ql=8|~?b@QdO)=c2XMNQ<-2)FQzqn(v;hQ<&v#J&7r;HoDn)s6OL 
z*Yfg>#T&MsBqWCN=?UPt^vy+jczvd7sg5zJATBck{+ZgD{#=7dL$2*BQ|;kO{`nxf zo$+$EuLlgc22QXsNU-U+PuzT;cq|t_k0|T5EDP~O@@UK$YhE3oFqe7HRPVedK5__U z-Deu`MKn#?wBUsdF`r?Ve#$7>tl%tC{OtS=Y2|e*Bj@~yu0(n+5{k6n&A38Ll8@K$ zDcxK{zg$d&kMnTcj;3OG3K{gxdGZP>>7HGx@N&P|oaw$8oT5tHjzJd6WV|>h%Wk@Z zybn47F^$Zne6lu`tX3VoGZ}>9=we`Cm5zPVMqhkI+v%Ac#GrIOWr*L|0ZUMb2H$Dg zF>l@=l8J^hOYX^yYE@9SaVJ8vEN9`>^4C_e6T|Xv>r0HxS&s3UasoHs>yN&sc5B#F zKY53?l_~e)Mm0V!-PcVPi$rJwFSBLh(h5pOGt5XhMfBXsU%eAfxLBEJWN8pa$Z~JF zZ8OS~{Fq#0ulEamSRz@&yg2FuXCxuBkTA}{Q_VuAv#)9CHq0JYAD=U2?ODV4Fh-li z841pCXv84!3U61yb&i`Tdy$4i#Cj-8wJF9F^hFQdHbj2sUK5yXXc-PDRne`cXQN$= zKV{r~X^s2#?8C8u)@t)C)0<>B#1hz@TEsqN+z6ut5(%2OFZABQ&Ru^kpNu}X4RZGQ zcrtl{a&g?Lp3`6Xs%?dd$Le?EW=F=0ZrZVJch5R2@?4#s7uO$*I(=!BJ--h=3wBs7 z5ZGS5`Xa^-^Xn%iQD@}Vu%)Nz*G`BT4-WbhY)Bbrbv(74VqqVY=ds78J@DoGsQzYF4xez`{p4IfnP$zmV)^p5Sv zj1`oC`g=8MnrOJSIBLU$GPqW}6Jxukw1P5rxB)$1lzRv7?)Ef4`^40dG1h}wlFS|q z#2U162Ta`F)E5xla)~>%x7;aVSM)y1D%E+UWIfV}-eIR+I7Z7omo7}2 z2!xzl+a9QNC{Y-D3qzhXdSc6x)!*WL7g@0pmJ%{DV|s(3O=41-uvqlUZ)FLg{Ntt_ zzN?-*P2&BBSKnyhj*5ewhJvhYPX?(bvjPaYn}*>$5tONV1Ub7>izYeiPP!S9zwoY3vAZx0aC2#G5lBm;fd^WyBiiS&3d-cHgdfe%PqwdhZ(`fW8ws2&19M`GjZk0vnvd<8< z6|rlY%fG#^S(a6Qei_LRchy90}=puq%bZ_HXDxNpx*TQQdq#IJgp9n&Fc&rB& zH4^2aJMfjRs&op6ON04Wm;qto_ZXEImsh_y{@Ulmh*z_sK9n zT6P63Gi;w^TFjyF89t?i;!VNv$%pxLiE^VI9gJfam6sptO6aJe^DHbKXX@$h*EyvY z+oA77<}Fh7+CR!pMvJLsN`iacX;iZOyz=8MFMDxM9zJ}&ZUm)j2?w(dK2WAkzdC<_f znaJi7wG+gVW3NHfdy3rv7ynD^SVJ%kU;}z~L`^hpZ`P=ZgTgyUi zKL|y@%S=(x>7bqPb-!!36()-g!Q@8O`pmtWwbThKcxw-zO3h;hLm+z9HP@UnoqbxbF?w zdqfEP#7^TcRkB4ciYA7I*jD9bjOIG9*)j7zTTk$t-}9Pb=St*$=|p~rjo-X$&@z)A zTspkSferPKQ)&x&&G#Uy{QR7Db&u)``!e5aXQYT(%+T$RO|FtlUV5Euf-<&S#2tA( zF6V3LC2l+E1u%Kg!*7XtB*PC|r^5rYt8S6v)rR`{DQIGw7vP)5jrvOT6uP;Q;&Gfk zaxV~mms>s%(w`u(D;u-j5N0fS?yF)L=SpZt8xsv!%yiMAoal~ybTet~2s8<~Z?q6^ zL}utAC#lp|oZF+*5&7_r&6nrlLl)6{negv|5F_45YO-Wrnzj*b=5rz_`LtI=D){c_ z+S5lETZz99IaxH8;N+*1;C^m|GEaUl=@mSKD5H~bT$S{c)0!nS+wZkmRB}saOBFyVF)lON+Qnk2ff+w6zbGo(6-#t3(>myNcZla>=7yhk#J#hlO!*JWtL)QF+ 
zZzwph?qah^ZaO)ogN@D6%&nKY21}7PawUA4j~lVfnpxcMRMku!RU!swA4jq`*?WWp_VZyQ_s z4Xbxj94|TF5zg|_fICzm$|`mSgpqIOAVA9e2;-E-!h}b_OE=At8CRyWyIeecINJ#u zFYvX6av-I%EX+MU zBYS%KnRVWqEoiPN*crEo=8O77M%#y18jV~7la%QA+H2Y70}cqR~?v%cm_r)OC%W>Ctq2jnVus=y(Gy()FWp5DoXt6lNczNz~uxrB7MwGexcb2Z0a9O+WG-dDYsKl(0+CFH_G+R%+< z(0%(el#JzGBQ z!-J|UJX@@57uyd=uD5l|>Pi{%;c=ur=D$eU=6ysICY3DWzc#Oiy-Qs7@B=>8k~7mJ#a$Dd z4Q*MF+qz_DyPW30bVd>1mPTfub@$1Fy69~!EbT0Xs!ScLA!dCI`q~Du*r!9v|BI%Kh$wxmrpSJgl751*kjH-+or5Yw+MdF4R zs(?&BIoO6|`I~JyM&o=HqY;y76j2C2cTAZ?mf*>3dYb$_=ac6u5mDR|b%mYt z4+>>`NU3DKB{5<6UR9m)8xip^7dFx3jLOgFD^n+ZBxNLS-U&pJh0a0LQhN-x>nb2*b)jc*g_uGJWTk})!ifv=A-p`D<-hXHMHCvOtUbj z$&=&wN9!>PUx;W@CfBz>~zCJ1S#x*{Mo(_=B^L2ZHQ+f~59xpL1>ay@L-bKe@&HYaSe zuL^8z`q=T8!d8mQdPBAq(OSjFqt)0!CUA!MZ#DI?zr*|093u7_pZ&z0p641H} zba9dg^}CC!bc=Clz~Obrz`Q$4{S?+wh5kIRzfzyWD$SM6ENFIzy_6QS7tvN_mWWQq zzuXY5`0>w-+|R!>qeCh!1%5ylqtj;k!lhs+sXkpia{bA3xn`u@kL@oxnZC2FOw_$< zq~88in^gB+B!_RM#0qA-C!!i~O5-PObHro`(jT_o ze7NXIMw9SjO6R!d_U-bNKjI=}^{}5<`JwQMGJlY$nfx5dUk|(;i{!W&xXU~%TJeQ( z7mP>y%5Zf?G~$}-aD6A!ud3VpylCxy0(XItd-P`A+3O30gOd&0CktYOqM0D3mdF@* zeZmS^|cRh#QtO^C|f#&m2PEALD|E%V(-t{=yv%@fLCJu`y*TL z_e-7d^oE3ZBo~@Gh{eQWPFKEr#8}g_k|Ei-w~SN;df4&tA}>%PxgAV{eczHqj;}5w zvN|;vyjINp-Cp@xx+^OY0!Q_#^z>P>yqn}30rr z{wi_8;F!x)Ung0)B*7bHRNno4(+ekwY+sX@7vxT-l>2#;MuiI6e0knDMy;Zr zMW>y>8z~@F4*p(?pZ^tNoe)Ld$o$eND*jG?d2-M4>K;^ag50$Vq8RLtAOOkyy!id8L8nZ18m!K8 z7&OJyV6TSl#XA)^`aM(YlYnRIr;e#gg8{ToY?tMAuwY9QvT@NEU0hk6}w-o z8%8|J`HHH#;DhF1l=bOFtGa8XwDZ&VvN5mD9KG}m3WHLsxj$Gk{Dv!=@-4bLMtEcJ z1&`N0XeD0Pr?F9{FF|6J5k-?=R=fqv96Ee{j|NvQrq6?~ZX|oN_*y={Blr{iy1m7B z%DXAvVUC_60n$_}XND@0sFVqaHU z(&e7f9GY^tdh{(L;yS%bDW7A+(4tZzdNeJcnf*{h!a-4IC;2|0At7$ zg=?X_i<*0R{J>j34LHa|Oqsl1K+TISY?}iwL*AnWqps#+%Pd#f%0Y5tE>?|dN>_%G zlf~Mt!*c7!hmDQSs^nr3zgL}^a*}s&v+$uQIuQnlwAi-c%$_A@p zcK-{(Kt8{&X6_oSNj|>XHHXP}4Nm0AM9yE{fduBOMWPN5xz zK$6UOF6yvxfuKbCAWS3K4}s~^Jx^9iznV-X{bgg?Y{WRE$Aam8grks6+_8wUi?c=R2TThkN!!0)0K1KKqN2de4PNIvXy_3KOw$Pqw9t_(HYKuZQ0p 
zY@v7H(X%atKO}37=gUHM7w~q4!l7^wQL8P}l__@)AEr%kXB<(vCMfFO6BQFz+uOHh zKJ*|Lz)Kik)xxm0AjYZ47{;pAB3p9{uU=Q^5dc=h2b!NsOG3H-{-%$}?8$rJDWRh7SX&H1Zy z0e6OleirnLq^~CrJ3z0wVBYv^y@u5_)Y6lwyB}Ekd99L53`qRd8oMi$o6!w?_OBb2 z!y=!*7FUsM8n$GU-yB_GPVic0l70?oRx$v`?w3oz8nXcp6zVk zOq$E3NVjPo3PrglsM_wL|LQcs5V^V(7@_fdi!q(JSNnnl-k%XfNZurN-Y1ZVGOf3j zAts_pv$z3C&*+tjrNEhHOSxj{)16D5d6yZonYA$*l-C3m+z$@c1`dw3M3cb7hPj*| zbUkfgvk8w^dL)b6@O_ah^r4LviOg}xkKdUK(ZOq$;V>K2VrtliIRZUn*9wjCB_?G$ z86up+si+$5Wr=V+_kBOZJQtql?mXe{5dgL9Y8!WBrVEj#2Cj8cNlOOF)>x+W-~9zcdR9O-Mz!y=AXVeS?HFetKmO;8;DG`KKoQ{z;Q zgGMK9SzX z-Tn6R3t_fZOMHOSdA}G^+%EmuV0_S;T zRj_M{vfV@2-Iz5>Axs5@1+NLJc0c3ne}YSpqNMjpfZHmIDB^uhQQ|v#hI*e0gI~i- z`A6L3e9t^-5Tq~?{SJaAPL=w-6=O|(S_piq`5{OP1^xWUVUiKs`XZzESN!zVX#Rk5wN%>$%M_Gw_&0uoQvqmlOGz|#&i?a@*Cda)Fp-yqf3PK@At%4m0TQCmhZXpgqq@XI^;Y1zP2VG?_ zF&|{|_doxXi(r9=YkD%_gHCb^dRX!_)f*Ny>L$|$KWWsh(Ol$I)yCU`ew0|yRul`7 zWg=sZ;Dwbw4)-NxHe`1>uO!EK6H=PJo=my>q@MJE)@>H69CtmL4EO7d(I7lZEM*rS zuJ;LGVwj}J>}(Sz9T7TjB|`ez*YxzY5AJH7TpnCwoS3@7o`*&At|{nk_uJghU;g5Y zWneZ#@};YJtdn0b()w>%!9P?wR2txVGBNH5Ha$?>)LGf>gvL(mg)dP0PzAM9ujwgv z?{D$2y8$4$0LNtL)FMu)=9->5_dYZy&||@wf>pL+(|o?3Gd%UfSB69KCR6Qxd!&?E zj6>@5qkNio?7lylJoj<)q+LqPA1pUEz{||%b^GG3(9n*6Sa_;Z<~*)jVM8n{Kv`^?AdwC&Bv6KXU&ahI`bb7YOJYf_@yZea9r&wKsYy<&pY24y)GvdOX3ah>>!@FqWU+&J-G8tnCM z1k{52A)u|sWcN|QwxdL+j!Y_)b?UAai>?8K*eKDfURUSx=DHspT{5+=5;(ZAdkrIN zfUmR~1$xGf6l?=Zglunabj5ZCvmk|Gj#uHpwrY8u?OkxOt0Cl*DSSV%Gs;e2-^jY~ zff>{-4luVh?gP;GsQ%2eOyZXUcFmUpS_&urLag~l!sKu*Qga#3`E(yq}a&=E#<>I#8gozHLXf`ve@Daw2A zk82DoXjIa}p1CUVan@3Ty52D$gRsaEu-Ab#6#)y?>a8lXWx8WAmg`-#GS6TUh5Z&# zRJGK|GkLaUqj{@=W*L%hW~$S4siZ6Ce1CpxocDoNnTlE+U2q+^0d&cOzU|4xxSus< zof4=g7C~^7=#dvgu!SGY9q3d8Zd6naTjuJ~!DNdze=zxzOl)}GqWKhG{)m?S@6E>) zIgVEr8l*RqNpr^rl}lFS<4Y)Oh!vUqTorS{(lu{pqZ!QDv!d*8CR6T?8}2AcWTYGo z8;s3CyqQd=`#F;seQ(fHGe?Q7GI6u6Rl8bOZ78TZmHJOs1i|yLpcJ`~pC%QLZKl0wBtX4joyX71kV1hG@C1dXGDfiHz3FRo$|O zP~G^0%k9k^18)K?Ldnz=K9EPLDcww_n*D0ylpX_mEdo&Ym6$@UFqwcgtyZATea1VA 
zS&D4b4n~*FhVqlRVwu;2h^OL3SjJ$C7X$jSgA-TA&}QIa4{NhjuUlXR%-ECw1-Hi1 zAinp+g*u5TB)PI|(J-7z&7J2g${BP+Q1f~axYSm$5m+~qNn7s^%^W_gL~o^$y-x7g zCqKJ@vVS-1{FAR6qS?>?{>hBj|0vDsm(PSMW3nM_tXWNmi=9X2SzSlfNI8kQ^g2Y?jtXa##Y z+OSNJ3p%&AtlRmq`|Y7}eszC!dmr2{C@N7OH`jHC%ip-n7q#FIEECT09Yjix*z}Ti zK_W^~Q~Db$vqX(PT~UJW_-NvrQ>rFnc%H#pNaTYoJZ0 zVnt6Ju?+Y;FW`-s*R1&f{O!Zfpz~m2MmsO_yiqu?xHA5{aQ}5o5|#;pE=4q zPPkLt1h?OnHFORNY4xES%pc!uaK`Q3U2w2d)UP(J(kb@X&aRU|f$oN{`Z6xoqVk&# zZ%71XtSy=1nX=?@C}hpEZ5JLt90k3W5nsTLypi@d1i{mGsAXNEDH5(#gu{iRmh}J- zZ<{r)PEmp^H>5upkxcm#R_Irs#ZXDj40clqcQ{PzC@CahJz3`iYn9rM#?ZnNYC&fhBr!= z_JF{@`U@sXx@k)o3vmuxigMMj7BxXpmpZDGgTQFBlcznCFCabw2WMaN-db|ZFnlZ&gHTTEFAGyo;$6)|O;A>TqBCimErkRfaslVhW^(H7y# zW<6sHQB=czB5uwzGLyWjhWf!lpzng3bwImAh#MH9Tmf`}!{B2jH>!cnqgJb$7e*Bk z;~!c>c-Gt+lXDT*EboHUboBS<|weiH(dIX6YLKa7QVWnr(=BtTAw2?(K-Srs*EiGtqNzv-_Vn-J_6EuT(R;v z(1)Pt%?&*b>u=C`lc`vr3K9X~J`n^&kMj%;^~1+*Ye2>i>m{mERF(4s_!zveLA zR(OOCwgWwq^OAOO$?m2FfDmDX8=9tNX=5(OZyu_V1>1?9A?zjXG+yI&W4$fU*pCVi zHWEF%8No)PXOOFuZdSF>zvsy^7hmO~*Zqn0WYH7!jzKjW1+8F*uH|aYhO221I6dw* z0B$vQJ#2qgJTz>_qaEWmyl7gGzEaTswg-%5!&zTDy~_D^q11yO95*V?F#riS1{-zM z-NaBcju*djz_vxD@Lx9%?MW9i|W#dP3lP5R#Qp zgS|b7h#t{0VhUTG8(Xk)U?W~&qapnbSRmre=Sg2?HSFhqhWJzgDd zU4?{QZU{r=nQyzcqlq2{WFB1lD5`otG05=OWNjWc{Sg%P?vL#_ zNq|mm4_soFRdoplL7X(n#r{lkLK9fZk3HM&M@rOt;_ZQ+JooXo(5WbSEtTcaLg#;& zKt8rYq@~eZGeiM-8@>?4PLB_n!vXd%14dn%P>&!AdSnMttg6;+=CZ`#rLeXbDe3G% zcQm|iFvYksHSsE?!U4ae6tFFnev%}Wf_-6-7;K*#-+X`M2|=VNb?wfhPQx#%rzTUV zeq|W%f~W*h(4!$;vPWw6-~p=0iU2nRWu;#M6g}GDr;XWkD%e3y1yeJ7W;_Ez!Iska zJ^3ORS^sJfDovJf>}=yrCQ_?Biu;q1jK*PEi^f)&!IIWkvPZ(MW#gSqQ3|{-2#6++ z@FnNE$`av4ogRzulkA~@nbf4&KsG0U=9Zx9v#*9=>U>~yY>Rpf}0j(&HQ5`hS|T#4SbXW`N>ha2|>dy`?D1{9t`vn5SWn<1nRGPT3}i zhbFmjxr0vIViBxja66eC^YfTP^n{^la6l7Lu6RH3Ss_<83xr`pNXkRz-rLE9m7|w} zS*glij1@Dq_u?tl8{xc+Nz@>z7Tr!D5gnC z4zVlKp;%GUoNP>7y;+4sb21T|OhwtolDXrkRLMY@i>++2xM3^^91&2G4UVf#TP4Q2 zo##w^mD-#hf-q^a8@y|%NycCVH{pD`TT zo}(zS3>{{;&VuJ?(yy7x59f98tUypqIc&J=F1USywWa*MMSt%C`ZEZb9@+7-m-xQX 
zljuQ7P+VDjHByzhZlJ{hnJG>)v@h%@5SWe}zQap_RyLbCh@U3aId-;+E0%pbnapzV zB=0DzOAsk#5D85R^Bg2Jtt;jbhzvSk1QF0=9M9rqoG)2ZbNr?t6q=j?Wrl3(9YY;m zRm(rn7ErO8m#biS(Je)3U_j-$y0g}WVbCNGxZJz7j+y8$8POv&S;VuT(4-MBJUkH8 z34RS!^eDrweJRV7#uyb>R3-WhPfGfC#}Wu|z6MzYMSWkBU1`kih0trp7b;l2`Ie$S zui-yV8H3m>m~O~rJ?k!HH4g`(P}G?PR7?JQ@Rt+h3^=G<7>T!}L~TBk zslE1_3i{nMEc9!=>hKAIYXQRxUJJU^C)0F2+84-RVA;a3;dLs3+wiKfx@(2}3agjW z(I$k+L|qSob4MTfhxv%aDSr&qP3*Ef2q;b*TQKp}@GhILYvsngaEP-L&CmaB{@whu zzj|?Qt_0hMCd+WtJtmHcpt@_fv>UIxE_tQbDtL|}sO4%%Y^9p$e4kr_TCF1=g-H(% zf*{BiqEEE3_7j4_tlt16L7p)JIaulsz%)W%e+0)XK`GW}x~K_?rFwg%t1f|F3{l9o z=;~&}XPTc8PSU?6D0BM!U^s$uq{emjp!?dXYr*qo9YjKtLcCOf=a!(t=8iJsmmQ*jL}$MwPF5jVBM#qa}6F8GZ3 zd2(@{%rBG2wM^G+Q<$Q549<>io-xVNwNjWbViT&d*TS=hCgE^JY4k(ub))snFNTAH zHF4|WWXhpW1arfx*RWMBGxyN`gcx%ML7CBE`tCy24YM0~j1!BXmZ%SVaawpHGp@#r zts|RH#vWsC9G?~IH2+rOTlmmV8 zG-8kUK~(fC7T-?%^Om6a=g0+as^2AMR5qgI@HOLtmWjEVZsSUi-@Ye(PpfsByF$0v zsVE&DlL$sffb0g4o`4;6y~`tU{?T`_Bp=XS9P=JK#VnC z)xuaSX6|j6aah2GEROCG6d|SCR`lo>*|s7mmuj?=d-I-0?+!{pTmfRk1f2P@LYAoD zX})ph4pOCZL5|kBUp7EH!p%UB9KOzw87Oq`4V9BBQr}XPa;4Tp^cX9-CZb1k$u-gc zI@I`^HPQb%-1*z@@B~@*(>r{Tauj?v?TA6hGVJ~*sI5zPK>Qzi9NSiR1jT{(3noN{ zY~2wQ01kA#>)(<2Fu}BY=xuakHGH)Si}KtNR0V!PFVZ8KF91W24!!^kCF15QCL{|{ zrt5;E-kiZ#qIEH0kKy!wfx$zjRoyL}{`|svInNNYg$7lh(^y>nt0X%3_`r$XN%75fV^)K)w^8Nm8 z!Pb3uWa%hN?u5sksPXVdJ?mdZbz^(SpbJq4dhKI6hVNvZe5neBmEKWQM7BER)|#y9 zEquxXql(t*ku?gZV2NgCy)9D=tVEjW^1*^&=@GO&u(isC?&~c)8wnz(#PKY0>`PO!y_>$S!bS9cNl+_!uRHg} z+2i5S<8yoPP>T%LVe7Z*MryI-3|1s*1bxEOk{*dWx@S3CA69y+F>zPK$3ET>R8HRO zP*h}-xflw~54P2$l0_F&7_x5O5foJp?I;yc1(aEK^kTUkSm%7X0dqzf_;5EUO9P(* zgo8J%6wq|A6E6hQFaa=w1)my0HC1EWFQx!TmM*xXsLQ$tbc6Q1 z*`Mv|hKDkT?+B_lzY>+5Rkf(a@2%7lMRQR3m5)g(W6v}EPNoxW+GnTDeDV{HinSCQ zM2E5kx#Ymm0TIXiC~TY5()ex~_Vr6b2@Q7?^`v*_Kn4eA*=2XdGXRQ8)31h&AbA@G zj@Duca}%^Nz2ts}jgsyU8g`=`9G4h3X6xFB?Z}(%*Ob{16 z+V*WsDmxX1!pg6A1a+^!P16`V^@)2iMN#bM(0$9?EXBoLy31*{mueBS+!K`5eiVyQ zg{CF6$|KM7gfBClJn|(B9)(0j?d5`)LOPk`t5RvW0J~p<#ho-Vea)eTjgUWlgf_OC 
zVB^p;y}hJyG;WE;Mg`5$pPw|2uTlhgKS7ai_z3B;V-kGTC#j-JU)MzD)*v`~l+NWf z839FA`lkRb!-HKJcEVBA{~l@T;8^sFy&0Fi+GP+MLC$snn>|Z4IKyxxB4gbMs|sfi z+w9`I`DgcVK0|N8;CA$&n781D7oj44M^Hr^n_yAPv`>EB&4S%q!<|DjWeqx@OY;kY z$mx;6eTTDk1|_Q&0gqCE-EJO2Nl}Ts_e5K<;UQ0nJ#-ROCile_9y!_y>)q!AKTxd3 z*&Rhy@}L?{j(WtM#mFvQF%EBnqUFzz03j$_?o~Lfa8_b<@kg%6PPJ&5!lWaOyc9*v zNBgSx=oWB;mBdBE_6@ph-iyp5T z8Pj({;rkIA1V)g`^hDJ0Y-bB7cvYbhD2VAjFczT%s2`S@84$Hdbrq zwt#~;>Cq#L!h=ao0&9G~(W68|^XtBjQ9Lqw6lYK0YzQxehoE5lNH}^&Mmn~e2uif? zbd!}6MG_t#??6zJ-FR@&fwRNUW|&ZwV?D3N7bmlOn@>;mj^aUOwjk>vDCGWJQqY;P z;I|EP4y_6_lFIL-)t>cYjz4fA}AF9 zn&{}Uq~qwGD=&ISP*?sqN~0%f>TSAUSY`raD_*0!awXKN=G9uJUg10lo*rd74jwZO z*FY$7<1pa}+y=_*HA)aQJ)UzMb*~%V)EvLuyEbhyrm8cHD?sbX?`TI0gQrJ{j)O=0 z0_&_L7&iosksC-DW*7!bi74sc^CT-c{*Pq{`e086udr)XOVgMpN zR^%K=0C&&$;7Ua%g9298$CTsCyL#BJ9EEKd^QrKmvqBV@7Jz4}0$vSz7YPdJpHkp! zX7ae;kZfWd1=rZPqtN+5Tbi7o+8hnTlY<^Nd$o}RzdU`&rEYe{PMpH}9YtY(DosO= z6_RNhdQ_53)6gTDWSWK^8zs{;^tdXSrlG`ai8al;WWNQ6kG0?HGF|8!V;5 zO~85QEMN1iHyrOYnEhHKT(|#5FR>Nmi3BSwOw^wH@5hRGR<5BOzo5hRY=YGoBHDF? 
z(s-Xnk_)|d$GGjR7#W5P+Pl*{RG9gWUk1Ymf@UP zY#E*xR;FQoZ_W7#y-k4zxF=NxA!38iS#1TX?LmoH9&y8A zv8ATw@Hk_ev}%Kxrs9i-#PCGPQjU5%DN6cU)n;G-rC7=)Byx98szgIH?ZMT_WbF+S z^?K0-41)1R5E;*r=R9?^j5SQ$6RhdrTgc`1CtcJp3}kn0nBQ-cH*1ltdB{w4Pq64i zCYGYikg8(LIL268eN_ybS0;DWsXRKp=May%Cs^d6AN`$ZnmOaa;tfN()EqU~VFWiO zctkFpmY^Q&*yFJtY=fz|+|m8&i6-c_ryS@@Fx26GvWgIe$Yfjem=Fz+tUWwvx!^VO zc9_YkG#hg#`K5+5%xdZQ&$5cZ1>Z6W9{@vQNZ-W$c{;yX^7{pj??4NYV{ciZ6Q1dD zs8kRJJuBbyaL^-5&%;53 zKA*{J;Dul%{=+rgIGDsn@l+I2o5Qz#U$8AHQ?$Ld+yLzWRt5yj)TGNYm*uh7ib2@) z*j5O(ManW^WxvFMD8?Az^oUpdj=VovyoOIB(dM@1Xq6PTG&&o>rg&HU3{N1iV8|Tl zw)5K9M%ZhW-P1><9!0I!A`j9vilrWoH;JzrG>lvIFP=OxC{}&wq05y!aT+_k-fxS+ zHh>YmySvBX*aMtF{YN({;!s1dvIBC6uGrb29rhccL%z1aCet(I4{=Px6;=}7Lp5|@)E9XdbCCafwv3SH=ZLjZ&ceXGZT*Lz!J3Z|> z&GtpHu*7NnviI~JVw(HQ1;*;ljQ)oIpkNzKMK~LguF>4kLMLx`+N!zk8;UJ*wMq_T zQ0<06;4*-o9#|^uYU2tdnRZ`rRwb9`*VnjEKHVY&Yg3H$r^Hw2cFc=SMagTaj33yn zpnL0PT7(q2?tZ0Xe)QlFgiNWV zmw>&0am9SIr$}h-a;W6t4@Pc6I5w913 zp+}|afzsXJ@vgeS$DP9AfIGfM_&vqy4TDZZTV=j6Ssza*hy)ER1S>Tl%Fe)oV|5R5 zEZrkmpyAli-3<@f9lN`)4+gR!#*5J13zTb1>$X_zzSVGQBf1i7&#CCsycdrB~tebr;cprCq(uY=eZ#-s#=bAJ$C~+@c5;j4&Ak;%k+wTGYt{VjfnD z@GrwjDRC)es?}_8If$8(3GNW)rOI=(8`)@}RIhnm1wqjxR%1|y^8Q?bIiK-3bI&{B zAebGZ!ib`>@fk_M#h+kViPIax7Z)3ry784a!o?Zy309#vxebCC=~1{aMt_c&xdngx z=al5adxG^Vo{j%B-~`#-$-vjDVQAvX7TeR%6D(tK0(un2hhK+vlewu|=aRcmYXW)( zuW=J(Vxxkkg6;_xxOf%}>TD_!2BnMvCy@ydS3FO2&bv7BOz4M3RmtY!*YjZR0KxJS zPusyCH<>&2?BKPO(3f6aq*?HoJXsBjqj9slUAQN45ri}q;&st?APhA=}4-mTGaOCc^(6dTp0h0$LVBcEe=3hYFKULS7#?;RjrKR0#Z<8 zJ1EmCXcn5ROvN|sqNzyDH-t15r#T8~TylvogH)4Xl?Y!5-sp4Ke+O0IXJ#??&l?t} z_jXUPE`(jXOVRMEvSK8O)hc()(%ao+S1+4YLPV4+yeC*HVt1}#Bqx>*Re2^#CX1LZ zq{l^G0TsdW5WA=@65GXw!EZt{2{3BCg_X0gVN)<_MXAGQ)rz#MM`cf&m!H4#suNzIdhkT zP^MxgE7`2ug+cJkTCl&nUisn<;=c%9B)b>?!|Kb}o$eQoAq` zaf1PehF_Y|IO}dHMOLF7UK*MHuDV|V=z}dmkJjwAL<3!J($hcv{YwxIed6MyBrYzn zgx;z(M?9e0;Wd+-biyt)yK(qISU`3CiK`^9aoGRX~5Y zv$eupotXS)g1Yoi0Q>k~zkDdtUuE|FU#(F3^6M#B$uo>T0j)!Ylvmq~Uw0hf8fzSz zD6GlY6F1^8&xJ=TF3cZ3;_lw`Z-y*95FKC4iTaDTe4^TieSDwV@B6db+;#n(@q 
zs-ybGMlmypnVuoVnx#9X7MJQVjCyuSO6@|YwX{;eUbn^Sy37uH;m0=xn}(7#CN^Ni z&ypSJvvDSA5IVhBnb%m!KlaJRvs%~}8Q*(buyqJU)4ai|NROGl*)$*@Pt(tWO~F=S zDPU4k=wnEcqObvk7w4qJ&JXumJQhj>?1gjhSiYNkIWFC;zxiOcTev~#Q#_Ok(VbRG zT!{k!MkzafZ@=kmH(Cp=&9{URk+(!y*CiHuud@ontSZz*3OX+V+En!FP-m@j1qVVV z%Vo`VQ@3_zcU|}qaAj~&f4>7ijFJ#dIudV%q4Bv&qu2ldnu-Ypw5MNmR0^XeM}kIM zP%WIMI2&HpiNrif%)#barmgUP=8}cOkm=j8Z16;HnsedD1+O1OQ{_A;)O&G0ncVmR zlvOP@5;K>98DV{dzIcL1{8yFBbemWmsmeU*tA2#BQX*12kri0OX#^`a3I<@&r!&W6 zx3sN+X9jTuRPv5C7jBLIsVLhUU?N9x#-XoXrObxF`W4lPFld+J5XMN~lyrQEddOjv z^!##hUD-Bk=H#o~MIf-zeM`?Y^ey_9z6TGx5z$yC8%9Le3KX$z*c3UD^`qFEAHpjx zK~e6f`*Mc${?NjLrfMYbT7^MUB0F!}z2u^ccD0PWUQu_x_BC~Sw2>9>0WCe>-QHl% z3R$}HW}7~~I}DAU@9i+%!>zH+KY1V=D_eMCnycQH+h}x-$rUx_Z7V&Ew-f8pif$OoyLc= zk%WQLHw57?$l4qxrLBe9R#}vdYck#EQ;o43o=ZD0d%J8H9X+CBN|nNtb4AvdHH=i_ zneVnw9Lx7%abhhu?aELjepwEG12?xk^gqd|RE$99d%p7X4lEYnBTsu$uXRzti>ao zqLQjs%^(cvWb?peLd@~&5MK(`);Y_i4j-FI=_z;5*yYW2;>*b=UEO*3w^DH8NL0B{ zyw18_9GxwYt4UvfM!_dB7`S=%D1*u0&>ZAKd|q$l(zgHs#IIXlXU^Hp!?@@helVJD z0s93E!6sC(007am(mX}$1|iLUeuin!WID(3%jg;gU&SN(i=bffJ~y>XsV&qv6B-CO zY!7Qz@UOCH3nokF*D;k&&4E{H&u*}4ItKE@M1qo%J&xW_GEwDfYtm{qnPmO@x?6dP zEU#`OT7a$-tIN=a&V2y%X}z_~H#&ZQG9Be-kM$#oa|2o0rpD3}8OwQFrV-Pf5@Yf~ zg^z3a3RsFChiWRuAzd4fUc|7aZ}ZVN`HKyF zj~T3|#TZVepZucL_)#ndoqNLKM2R?kbF`C*DW6~w8xH9(p!dh4tSI&Yx?t*gp>-*Y zni64(LXDN-P1Wl*lMPy|!|M=z@#T8K(=d#8$9_B;=y~iwPyzL`>j;ja>xw znxC?v=we}QnCTkpXy?N+>S3%?(Vk}{Uk1Uv1My}T9pQ)auo{6G(qW9`ln@UJryG=e z;l905D7@`YCfXdYRfm=kZM0M(;E-oAxT@@p%rLHZKx>`{j6QL}s82NBFpVLcEXNNr zd!SuZG$!MBnWrGIrXJvRHJPt?!?k*nM)j`DAHn*b;Q>S3*EpRoFNI|-7wBXE=`qW7f2BXPl@@AM{v@| z__DR&d9xmb73!RyWY?HXX!?*{!_+&~qA{hJun^qtpf^@+dn2# zoSqW&WP;O^f~G`{cBb)ePIuGdq~@Jn@&Nj*mU(#hC8bFHW}v6yRD;q{pKLH`gEb87 z-jr^EZfqAyJ!l;Biv-ap71wBYZ+%80>uzG7l`fS2^24v2ix0roLKU+BHzlg&BK{2q zmMxOCT&+jds%Nl2g_#FIA?c?uxr&!ewGB|{2zZo;RT!Q*!l7R4V{L0#uc8ib1QnoP zJ}@a+hITO-m15hS(m=gme7s3 zRfOPP5EOat;i@u6r2=0A8ICltiJ(P342u%U*@cA%GL=CuIbaSHlNc6(60s4Xg%<<` zm`C#tXl#o*lrO?aFQi%XDoNo3F-VeEy~a?q6#2zua?CHvM?~DOkf?q!nPT&C^p7IX 
z``km38LXMGH7&5Zg_Sq2~$wmC4PmVRZC34E7feSFFjT_jwG%I`a`D zlOB-~Un^KQbqy?9xDkoQ0W<{cp9vq~(8Y%DU{x(Qyb*Dw=Ai-TF`oyqWg8A;+tv2V zlYQJ6a2R9PyO>O-IkED* z_M+)iD?1TcfZ}2@eda?*f8*@8>PUT=o##5DiYTCa-|T0Bs%NmkGRJU@^smiY9QS^> zA?OjI@qh-tQ=09j7ZM#gcOynJJtFk2<}7tmlr0Kvfibs}hB49OLt{+XSNmkof_&7= z)Yj29b2I4NydbFL9HO-rscvBXK~0K5MN$~iKmZqLO+O{L@%t0i4KE1mJa+-Z!>$hlnu;wwK0fZif#anpQ7Y6#+9cRb$OXb0jaqXg8j8{WJ1C8~Bnzcx9r8Z@3w{Q-1S!F2-<{)_QFLm$NTNn=o zv$YwpqC&EO<7_gAL--Bm4~CkEI{)&sxvE7WTL7vvwh15MCX<%_*0|{LsIcGLt3(9R zO{OLtpZzf|72zpVm-<=j#!SmDCq|ZySk-YSS%MPNZwj9tW7>nSIoG&mTeC5`tOQ53 zS08L021$=TeFKnF@hD7w&>!Ge8+h~ci`(SktEh~Z|SXS8~{8O&}RKfI}vrdnz- zTzY3ip?^ENv1{?RFxaV>)FAuAV9dnENVly-^7E&^`kW6u4Vi&#Mkc^2a<mT;cPwh8Xkh!!IDbo8j#@2zU!_-p^fyZlH=S!2RQ!Yhdnu&_mj zMhkBQci79?L|q#!08c~6TGhRZuZHPtPd@*RV`BtOoI;=wFW-AVGZt@VHETzOO91Z z*Q(VbJ`<6YBDIBKYZ<$VRGS}QOC49d!H_Ih!qZ>(wU51t(8X{Qde$FA`u8mV{!vN_KoN=E40~heKOH)Z@Y4HV75mcrg zby9++dw-b6$E>ev6$VF-%=m(^HsVzc;B z>)XKW+tx#U%3+q2ruBgci2>quyI{If576(>;cR$Y80I^2kJ*49JHp5170rY;=1&Pk zEz3}_Eau!WnVfah#P(6iCO}yfQVYFXOVh+}+7=mev1iYEdgSXZ#{)fj7AJj{iCnDE z&86D~ybuOTkA_7p?p<<;c;tEhu~F&w-_3tASK+U}4iDj#55H+u{v$7{e_0&6Yk@;3 zt=nQTcuTnP=ux;ay%Aq4rESPQtRWaE3g=PyO|Wj*K;UR;PJ&Y0SY&=!`q_79!eMxv zKvD^+avz7bgkHseqT$U6s&Kzj&&>%caW89CHknejeZ=tL34rL4u)Q-OJQ${t3<_HN zbvg`_65Bcqlcy={qySN5tlxHeH8A65s71Es!98|PP?h^B=`#~?wE?~qKWyo-rQQDY zhe4lqY@`2;lT$X#XpDwoPQ{f9(WNhz3Udx&<-5Md#Dvf6f4W<8OaX(yQz?y}iBU%PW2*uCs+$EN-r^?y?&(&#snNiMYJDxX9*k z`TF+a{Nn2V`req7>$C?^xbeqo5q zD5}K?y|XT-qJ~C*seSJwS#Gbc!xMTkZR|ZZe0_dCzYHp)%_q~oK3wV**4_bW%<(;g zG+e{AJR3QQiA<(-z1J@n_c!;qXu%BqVtOW)$Y>HHGV}-U4HLaYWf(O*g7g-sDeu;!wgZK+iMf=zW4jLY2ub+Xu2& zZ>uOn1wmEp{gQCeCUAn%)|RPt(gr^7wGXaO;57cw-Jq>cBgXMPC#Yk+-*%(b>uxSqR_xV;AK3O)w1L@D0z*d5lN+v?i0orZW=gQL7`HY`?iOTQzPJ%+%$G4_MD|54S;Vlu^rlL=K z;=uPP4m`iG;)?sH)6N7IRC1YBMwHB30sE@{7+)tjewcK z*J!EH^%gOFDbc3qL-r&Yc!+9ClZwwyX$Fc)*WvNK5(+MN&bly4s%9$KkrEpWfI)$x z7QeR=<7)KGQId9HbLDYG#|7G39CHjG3@={<^{nH7clJ9Y=?!Eg0xKoj71)w9ks6(H z8?>i;vF?ViR>)MtXbIA*K+pD7@7=)y-R`DlS48L1<6A+vaQh=SV;Qd1wjOgB=v1`o 
zRTPsy`fJ~Jtz$CK?8|U951VQT%3<$!wNp&Sz=I8Zld88as7uefmpT`NJ!E#a0sCod z33C7sBoTIk$z-%oX_DS-;7ql%z79vZYbgmsro_)2X}4J> z8ZPsQ5&w>8l&6ZOTaCk}K8#QS>+EELRs2BkI@dDAp_qy);$TNgS^S8XFB2P)t14Nm z$40q%b-=W54QVsC{mfbC1t`ViNcIsn+&U~#J13|=9^>wmPjjEpns3 zgz{2*q65soK3mkVHMxb^i*(`b;dY?Js9vQVE}$K>jn-MUIj`BSWL3oAphwAiX)cd` zPl{_dnbuW$_V=5By^&hitW$Hd!R9Aq77$b!KhQ$fCcS4(GL>&Ts zNl<(I0B8dgh?)~{H0eJ%hh2T?nQAvo#-m}$e`k#GY=ei=y*H)2vdIY%fsL00rOXet z)VAbss~sBfYaULi26ahL-TcrLSmO|9nea8;xeB*R)Iv^I*{@iUkb2YdcpmjZ|9s1aJ7Bm-b->Il9N2aJ&qpPD) zKy2WgWbIzK$HD5L+SU353(nz(`E0ixyGkB=!zSEnl<22xwS5&C)EF;qLF{y`Or)bJCk30X0Hi=$ zzmX{{s@7&ZTd(2FG^rU=u;An(TM1h@!?xtGpg_2RC~?&=Keu4r9~dDkT!i97K`$p0 z%YPNP-X0BWMrSY!LY_=H|1}^-FOQRn;=cw;Crjdr;V`~L2U`ORq$#El#{N!tVkVoD zET5AJ>VIooREb_Eex^g6&O(VC+p(MMd5 zwJqYS6kigQx(^vthV(axkD%K9x9CPvGWf^Ii_uy#Cksr=$I9p#p5+oii}4r`RLMWk=c;WMs)aL`ufomhHjh`#za*%be*mS=SL%B5h)X|{ z+BiO|c9F}}PXwT}Th-RMV8dZ0kF|;ul-VcKH1r78Fs1Eyqs;ayNuxz@=kBo4kD%^; zKQuaPpQ|NyeBV1^nV?G0PTBx>ri856Mzft-Tw#kq%CNGZfGEf#7%@39d$iwXfwKZj7l|T%eY( zn@+p!f)2G+;%xLdK2pijtaD1@D1aAyl)Q0yTlE$bF6BSZmiV2|ukOxof|Xe>Db@`b z`Ypv*j%!F)hbQSrQ6(!o-<~rv2$H(DfK89&?XM20OtZvEPDQHlUJ@)1aA4W1%w|!U z3IXN`b2+ zt<8<&$d*4w(f1pQWtX3Eqqn2BXJ%(3X70>R&)pCEWdb50iEWBt5u{wMU%#0NfDcg; zK-pDF-`$ArvPC_t1AxHE*U9hz@Z*FB=Q@F*$l!~>+~Q!sB2Q;HAsF@wn4wN39B& zk{8-cv60*o%+S0{Dk%-H>(*!1ita_?^B?~7uie#$Os8MNkpJH#P7D?P>3CU5n+Z9W zH}E4wKVlX+YW4pJ*!&pNRGDT1izHTKTHSqOsL;QCK~}IT)Ylw?Q%-F&nh`Km*guVE zF=>59O;z&J^%jATGvlYR2VR&fFcj7g41`e)uzV|JhiaRYXlzRWtwjI~Bi+=x%)eRR z1~s3dXRt4AeAl#348{0g+b#JMLka%3-KzM}r#bi*P7`g$BIQS%W&vKomSvNM?H=Yj zWrcC`V_1jO;Ls&8)*#InnIeZga7mQDt0U`$7>f2!0XxlrLNznYbB3z?Z-tB>af)4} z)TAnQY4T%J-vuT=t`xUU7gY-%Nb1H`?IH}7AN9emO5OP}ek7>%01EG<$b5HObP9(t z@}ojyjCPe`XpVky0X!$sV&#g%Ao=m3G05>8#_z2BXph}sx-bOIS-#!2jcxaVcd4I4 zo3~>3qHX|Oaip;?4UYgn0(58uRJpM-S;LJScFb2B+$V-w z`##mtOKsa0FM!XScxupu%jajIWh3)&FY8YX_4N-e?%md48inoo8*{EQl)&GcK!e8G zlMxMkR>VB z&twuu`0&h#N5_u@okSM~#E;XQGCQItilLVMWTHCrsaD8itnWM?AwSacrPYlz3A__~ 
z?a?D@4WuGuuRk%=s-Mi5YpG6OC2O&pkJ_o2DkO%I^o}PdnBA(&Nc<8}%$-4qYP$BKi~k9o*5uW-)vU zGoU8vQQ>jn$EyyFi?_hU?m7&KADP0N? z6s{BV)JEK{{Akq}#pn@sIt1cWXJ_Py-!N1vKLyn)WMH<_a*zV$jKA1K;v0@~doZp}5y#8vPqPJX0Or5tGSkRE(Qg5C`);qPM*Vb0)898G2Va$uKrttQ^i5D)>$CuXa zb~$)gcsMzcuHkSFtYEml%fZ^Ezd{K{VOX44m4yWcZI1Lg*=h_=!r5e1Wt=tNmXtGP zk}x(-Tx&RGxo$)TAK`w&p)0a_TB;WY$cbTn7l54D)PI3Jj1zNv!##{2YkNaB!-=q6 zg2yn_LVurkKP$EMx47?FDW<;}Yhk63KHQ{-!NtMvVyVLcVOHAaLs0PLyA_DPFWbDp z{=hCL!bOr~;Zi}uK)F(~6SKD%g^H)US6+%?SWT>zUe~hPg!$XWbj!~YVlu~sn0_T0 zsz3bqST&{_hVtdTl-7iXFH9jL&S8Em>l7xJ@gQ{D$aRFbnxWwMDR{O|BJj%R+UAx= z$sgP>R3Cr!!el5l-eV%Q2G~xK6&I+k8G(lrt(nZxuoAUbm3HaLi@tU*I%3aIU%ZE_ zOBDAK^EErOI)hnqz#OPqMTs{IwY^989hzghHLt_S$pPi{{V{Uqeux2; zJHx-mP;UE8;qjv^$Kg$UCc?B;rR%V9#ZgB4D9nzybV=l3UKmwLR4MLE3)q@sDGf)h z?W5>>kvV&Kdiko!sDxqjV?D=V_uVD-vK5g_q*~WmUfO)WxH`KVh6>!r(c=Lm#`HnR zf-qsj_XxC?qDXJ6XPoNwzsxQ*(PlJ50dARhw`hWYRpyCv6`4e4J6jZ0)p}cDAILS3 zN6K#drOJ1@F+amIu)l4$m>pQia@`_}PB*flctD|=xGj$#^Exmt)>Me|kcS~N@Fan$ zlgi%{oUS!YujQ2sM=z<=@z z+>6tP$Acej8;-}9Qf}pws=JhRgXyn8)WlP%pQ*JyHCGDbbxL;dg948)P3DDYgnNsQhs263_tqw->gX3qD!H`R=PlWupGffxwi5Y5{zhzsO z8-_CGqiRe9Viz-=EH@ijhU+gGYM9$&zElk|*j0`MV0x+3>WIvPVW?C--gc%76K9d; z)KWdCv=~InO0oQRDSof^v?HAe$^K&_R`N?2-TP)ghvFA!^?$!%s7^j!&}fd)apN4f zV4MKxRlaT`yA9ni6e|B-_bhi(lr6W$0u$~e4P)ZRhsKz2uBK$qf_yfsR5+75M!)=q zp?-OY)>@>UD92d90tny|pWtz5(AxWOji)iMkTmYZ?T$#Qu};5m$Be|ywttlyufiXjy zhN414#GQZnySb{>Hg5r_$;2*b!rd}dRDT;>{CHG2?rl`s))D@OTZU5UGR1NlIQ?PA zg}wC!)9Esae*$x~J%#c)DS2%gx-DTZ1_IT*3^Uim@cD739}1rzW17G>Sczm+ssJX2 ztdvA8d7ri)1j$fZ{X2lX6pva0MK>SdTNAwNk5~7}$NS{!+J?fdXc}!yaMHRK^!AX& z=dnSLNoA!h{r~y_R-{N(-Q+7uEevOx-7-{BpFO(^AD&ZU`~vi-YHVT^9tM6+tJA|k zr*Zu9=1!XG+^FH!yYSJQUDq7}rxsrp274(cH7t@tjG5Y{x+v6ICBJ?CyRQyKYls#y ztxSNmEySwO&&faj`1uci{o{vi&}VbYQC|J@O-sww`gOWI%I?U;all_)I$r#$eh1_$ zJPh%0-vQYg!!>Q1Dq~g>pTwF-8<~Z3Y?mAO%V-kX(a>e_GGiq8@vd`Q>G@8k0=}CV z^wnF}x(#O)-?CD952p4#Z#2-EjZoT zdsSKKr_T>@4UY&}MoO^WvQjyBDzml=Z%2fB-MpBV$+rvz&JSjM%hZ(UQJSH!cFR!T 
ze9jUb5El%-Zh_h%l?&Hi+%nWPpAmJ94zu50Om_Ux7F*SMiiv6P!K%h8#hqyI)C{BG zM_CG(pJt<5qoOMjZ&`_pTNrJXq4bv%1fws2C8S_1$p%xh)~RS*eltklZfm`kC3I#9bSg*oFb}BRJzZ0|u_( zYnO&j5{oa4iXVd+O%gW1Fy5HQ-)E>h-7?e>cjZjt8Fw7mgZc#eZdu0fBA4Pb6Rp1A zKK~tKC-gx4mezR%#siX+|7`F$&lQ&KD`jQ-{#PsUi2rq?(qQGpEkhOYHz^3dWhf;s zvt4d*ue3jflV8iX=u1>XoyjmdejLW2_q$YuOGNOSNc`=_Q$4&H+66E>1#(VG3rfI( zSYkUUiTR1J+2m0vink2q!~?~lM63n;6;ukHRatU zX@dGDw--|we`R(i+@-oLeJKb=o}K222M>RkzAHAwR`^9p*BC5EVoNqZ^V9wH?G=hH z1O|zt5V`FQWAl&4k2+?Hw{lbK7EUFz(cxZRw+xlXvrHSGB!rIfy~pu%f}yVXoE^G5 zdUd5?53>a!!-SIX05IfJKXw4#AJKAZKQmVO`{Gw&Je+vdL<(;h4soZCpTTEYCTCW# z-!fDUpQe|4&1|<+aajDS^|>jk?X2YPr0-y?My))OB{Vx=GZhtE;Q*8ZHCh`G_ia zS0B?96=!blma9*z51VFN{DK0Gh5A{Q;y-^24+vjcaXjqp;=SD(cU?Ql;#TWCf*rGx zwl-gi?gId~hh@5+l%j9BjMdj&lOeCcZwt%66m$XDC7e5VzaXppd2kW_$Aat7!0=-; z&hUXjnyw6+gOoUJCY8CRV8PQH;eBDy3`*_KNb~%>`#;!~@-H?kOZ-!rhz;;k5~5vo_FxQwz|oY1@IYAUc5 zIo#ThK9l918Yzc{;!^Bu!iH}@e!Tt^Rz|y+_I0Q)9FoQY-!mw~C9dV!$SfvuF|F&# zyj(rrJ>H|bWau07bFoBblaR>JH`zNTdWp&~YJLRiN1*1!kIq8fk;7;aJcg3k-ybu- zkkgzDvEI{&c40}GpEgNs>+(>-Bfu{*<>-BaL_(LzKHCSfSHDzIjtYjV*wdD9(JpX? 
z($~>R#Zw#zqCc8R}S1=MG;$`4CNfZSEaICF>eBZ*c3(uyd~$ zVu!1phN`~+#)<~s9^6{*7;0Mo*sb;MVp`WHa?909m6_92q~S<@Zw&@pMU!uppZswM za{MM(24H-{BeKV2IHq-XF*$5LD}f)iI&#SNhpWKdZVQMCu*4g?65@o2?pTRn4_iP^ zH}G*PUlolfbhULBO)`rKp%S~T8D$W6yh33&`g3!L?^x+tcaOxUyW5UB^`|cUTj?DB zRR6-sbJlmS;R7&bq{yBlibn1(CVc%PBo^-&s$2hH0>Mz&dZ>NlbpXIRc!dDY9Y=lZ zimK5_3m49vRAE4BS+q)E*T-_86*D9JdUr8x>&V;HCC{1>{NXD`&p7=wtK%5P&W}P3 zO0|Z+ivh+kEPl-Cz}gipo;B2S7q8nMYteE?cMP?whaj_Du1jrz%17r3-!T-S9zt>o zIla&Uv89Sqw%qINQG^9K&obUl6sG?niti+_@Q)-!X z`u<+(KG_asE&q`tXu=c%JUZ+mHNu;f5^wv5&b1Hn>>4>9% zmBh52#L?*v$2XjBNLj$vh=Oa4|LNi-Nus>A5IqPPAz6HqJDr|MfX?U7D!7e-EI~>bwa1ty!s9|1i)DsgsNJ zFI%uJl`(Q{B?mnRw&yaIkx`sE!%#&SCnsuk3MWi^X($V{kS_qTb04V^z7s~-^D^JI zTg+%SF%~yNo$SNNhgV@SFU&^Pz1ttv?qJE=#t9uM3!~@6#$wU?h3&8TZ6J)66a6}c zcA#CThPl8Cm*+oEPLpnucLAbUht}2^R4VryD=bV-2HY z=yM9*zd328G%7|=^zLFR+b68zDjz7M?mZN$u2H;MmKkaR$8W_9rMCBg0<#t>%bO09 z&3nKvLWVJAm#V@JgY{Fnd?=xIvS{tur0Y!8;nCnny!J-JAzRgQjgKQHm>k2%G_#<)ga8f+*Nfsr3yI%{gf zKsj-tE;C{Y1ZT6AD2C$7xQ!~Pv~dr1X9W3I?8|YDUk?`!h;dC`b5N3NF-)Bre1+T> zrga%t;X&ub%y~w-K%t#Tha(0kFUW;}E6KR1MDnKlT{4hsj_svb&4vn7=xwl`{ICNM(@@)*o6{x>VHg`wE^ z9@L47O&Aj=2FUyT^45PTDInt{Ij}8p>{zpBqP1%3m)P|QsU;(9ax1uKPzWYA zAB>eM`9aWawXS7mQ>JMm7n3Vtl<$*!9pE7g0mPX?COMogMPbklX`hmXaAY(-{gJH* z`Kg*>7YTw5niPWU(znNNfl7~Nu{WCbYIra>QMjS>%EU`OxzFRPj~NPz@4*|W8jqg| zW8=i3c=Of$zB@DYAMaSHne!gzBbvamkq1`7>bytV`6UJ+=J4opVzj(R7qiRIUZ~n7 zn19`_5$T0xs5!q+zpR2HQVDx??$N_gZ$6?%5o2XtUjKgd*IgHbv9a|+m<7LZ9noOFo-@^^Y6dsJGX|o(FZ@|#-$(CVs4C(Y3ot-^e-SDd_bY*iH)E4JE!eY3XLjCJZ zsclPiXQ+|jL{Rdm)CPt!_h-TmL*>Mx4`*@YO->!C^s_V-E#_u}ais`woVe?;qo~hw zjc>wp$52H-YK7Y47W>cX6!oRjyxOQbVkZATdy8dn`BprjN2RIrv_Yj^L0!9$FzXdY zWGTHEtNO@y1Q%lNBu=D`_xSsCZkNU#lPk%pBLVNxg-!C#yGoC>{R)paCtf=8{f$dE zeZAsXjRARlr-pBbAo+&k=x}Sdz|G6%Tzwr@4HCva(GGG~UrkO?N=Ytc3^qmVXQJ1!8+nH6D zgBbux$w}6kXu!A&6CQ?b4Th_9$YQ%B`@Rq|0v{*d^F8o!;yhD)eTBX;BcEd!7$@fQ zX7&Zc_5&kSR&f^lF}(nn*>wAXH2o8W6Xn%ChO49|Um(t|v-rRBy3V81s zwjCJrSvXqUy=-;(aB=}z7#MFJ)ZM$gQZ;ij>+Tu$7Z?I_X+NlTQOc&vJ)MP+Hz(>5 
zij|V&Twgf-As;`Bahu;?tl7ZqiNwo(B5fnxuFsYgq>lj0n;5;-oU&>)5VF3Od6{8v z*@agPLvePe7#0DQH#rJGr4I{ZG9Ok9rU-`U}4GuM@hA zm`i?4=Rm8i(WT-1=Gf3CYtyI`lwtFLEYsA)8bd_zN&AnZ{jm28n*+=+RAf0aNxCd) zHxgjNM4KfX+X?t2kQHVW;722Ghd)ow=ZFf@dxq@;Mv+b5sRS)ei48Bn(!vf#nc4w( zOq=x@Fkz^?DN$#kRMc7??$)|3u>)Wb7{mSn+ZXetNV<|{#Hi|M&Ha0Zy#r1oT1Sv4Ps8VK7aV)L@B^Gv{*Y71p;-2-U_nU^x%)VlPFZ)D)m zGbk;px;(M)*zn_01VeqT3SGmPJmG;fERyw4>$<^n3pVIhw?+&uhe0!BRU^z7ohl4w> zip9Z?Nx3*MH6=qYTdlI(B=)iEEjOx*2rHT0v+5!+%?&()b>Bo>ROtH$UKr6);GR`S zf%75zruH&TbqlNz-!W?#__3yl^}SYlmTAkd{Xnn4_sXt6_Y7MO48R?2_0yxC+3e?@ zVON0xV4ra36AQ(-#Sbbq3ox;#E2C88$8$jEAqq=r6_h`nhM=uV4V}oCZJltU41+APr_|PE()zi%I{l^9H^x zf%!~eR%AHZmapkc1t-l?>nDS)B$o*`6-+8A@lI=fQLyM_ zT{=9GRjsx;oT-6;$~iF4=ad?^An*=*_GUqAm-eE#3R0lins?y!9d zVi*fQ^0H6WtZZDZztV4=)&^Z!pcOi~DiD3dj>C`L{5b6VXwWe+l|-&GlRV3n7)bTH zW^vIedkm%X2@Qft#zj;Mxzl-uX^Km*#>=$;yB)uQ*QTbti+(7=(D@OiqtG$04F#i& z+`?U8n^2edJ1I)`Ld`G&FS@M-SbFO`V#nskla3C7FEeu`^Ketc3&isVGv78~w;9rT z5a?F6=qXLC^bbh!H#i^+b@-1Ch*1S>hGMOCHX4)}B?Alv`A^;g0CS8r0wO;aHYnPm z-}^XY+bq%kL&syOTq#xP211|9*2SPqfy^u`uH)X!zd9Es(pnK@gqPo z@A}4|Hbg0NjJ~C+YE0r3B5b#FwaC;e$0nRvmg67AQXRQcs0{^Y$Wm?OF4tJVvuiagl_>FpGndI~T6#pZxi_-nYRLvWeZm@i+g?s8{Z&sVzWF<`l#!C9s z2U1)J*-miRDA|`}qjdw9$^A(|$PB|0$x@0cx%qf~_kd2p&|vT*J_nYzjg}`pZplLGf;OjZB)lz1y+2}|GUQ9c zm#XprQlK_CBCHg`rz_rTpju)WUyjF0 zh&yy6V}cIM)xy!^0z0ZuPt|t4soHSn4l8x-Sg`pPTaK#Xx(x$;Pi)BpU1D);47a$L z-u5K^INDlzwf-;yrtIjD0fYUlw)r)gw?hXD?MF6G2~~U+ zL){nLw&?jVfY?B7b-qTK7uFNG}EKVOAma|)wXEzOnx8UFI`g6g;%4kNjgYGM^Wuw+Js+icu3 z6ytV#r~T0v|HR*F44Kf;X~TLB>IT+T_27mHSHm#*F`dI&Shk3^OzRihad(~+_X9&I z?vRL`mD-sjU-xh^-R+Pco;av486`hFxoOeNEHozlsd|g*#BiviV~aAfG4bt1bQAy= zfHg9&Zys-msD(y@H`Up5;&sO6?-=H;m3$JJaw30WsQf4n)pLKbNT|OK7ifn2PX>uDMB)j_b3H6{tgK{Z;bi(2y^hL3S zH?CXMGb=SRrqAyX-kP%+9QO|o5$l~Fxf{?14mu&0itd(}?`5zd(7_OPexFjVAzyVQyY zhU(mL(;P;|o2Q(PT(;-}Bt=fNIBP5Vf;ksq*!&31*bhG=`uxC9A=`o3QMtNsm{1-X zwwU~z8meRn_oAq<^8-WO?3f%>I7j`DqS#^+hoM8{%yiTThSJ%`Z(dB-%hBh9wU1qL zqR{11%NlRsz1tbfyN=4hLK` 
zxtHb%pLz^cxKAPNEE2agRJjK1qEmG5)|M@X&LwcKvW<1En!y|&q0XmNUCvoMZJ@jO%z!lo8VijR+vx6A9BkE;*Y zA85{io1n|Is?3K{HM9y!cw7iv%p{5LH4A+pzw@^Ox)*q_>9V52BfyE=`ENZtr|^N5 ziuWsEaAHuefWe9Dco@!M@g!GIQe?V;dn*Wpm85nzAF3+!3-$h)>9}VlnC;1g}Hb+D32VVtuT1tIyx*SZP!TW@lY! zV`K~{j-0@Q!rTC~-oq$3Qi3B>07`#Wi{hsc5_w|(;k|^f*33BCknY#g%PV-eQDvZ6fbZNKdB6?VC?4{ z!!cM1P4Ca1Ef2vyB4Hey`Gl8f3ZvjiAK+$@m^9xdv&F;VOe5k^aO4f1^~`|5lQ{VF zeV-2+#=(;-?Bjp~G)mR#ft8N({!QW=HQB9LKbLAK1Lf5uP&Sw0ymAbrluOg|g3se;mC4-93Ft@+S*%;(-fB0yPh)Go`>s%X}WMztPl#nRa=)Eh6Wl#nb z?iBb$7(6GA(Jx<<$^u(bJeQQL5`=Lvf#K6I)>SLEZPAbxZxbV?_HZ$^;lPA6vc@*; zx)LRP^-AlA>}7^x!TpVrSk~6(e>kp+xdr_}8^*|xKsX-cgbO3*ij#xkH8}V&iUY@1 z7zRID(Kj$A`Q8DnXm378A>R{ZDJ@!xj^#!daa`hJTE3G!A()d|HHJhllt@i3vKo_V zZ1OK^d=UOHBAx`Htum}j0E|=RE14qT$J*2+lWuY;}8g>ueMl^MN zxR@|)JTki>;zsg2@OGR%^5S|H?}9bMhAJ7A1ITa(-v^GewR`aKsKx?&-?i&?c=^&1 z>bcsH5+9F?U&uVk$swXeQ!3#wAw!3{>d{uDn)#gUVj8vt@q@EZb3N*;?fR7t16yD) zpokgRuT5Je6;Vo;(L%HR`twi@1qN0$?a@yUXjQMN`f;zE5zYDUkiZ zdUV&Y9xK|u<0y3tQ%0<3DGPKK*MbVDWgWI07%JL!`wNC5DmeSm2)F*!h0NeU=r6eA zLbPT6r3D()E+fiD9vQ0Jdbvn^-{?W~x_rEtn(cX(hP(B`uy|6Lp1oPJl9qWG3Qv}D z78IVeglr;Ylf^O&fvwME{%r7M5x9vjUvwM2DaNSfh38%!X9My73fi= zt^ob(!|-{M3LkBb->rGliBdM6y$2yM6k$EGFD$Z`Qo`#6*c{psb-jYMXmtZrxp7*4 zM2p}@gNX( zO0gm=Ph6c3D*^{k8iBjM+wrh!x@4I)n9Jch zbi`Y=9JN)wgADL|4f6?(qNtc6X+6;A}55H;K720*%>VvURr(_B^1$@j=m=#(fe%!MstRsyz$sGPM&hB~KoJ6Uq= zVjeC!0Gk}@Rz|Ehp4@>9Sev_s|9COM(8#W~>Z?R? 
zL*a`olBLROoj&=WUhV~!WG_h+u@w1{32Xjtw`kPnYGLO+y8ig*>z}TF^;fSx(v|Q4@#Gth$j7AoJhD>8 z+}q(PG;K;*nT-zHRjkA@2aLATO&`Jtqu|OLTm*w^G{Yzu@`h*|H`=MfN;mWSp=8K7 zMkoh6{sEk%7W^%|WLc?ezAlcx6R(!Vcx0ur`KG`a(hXY`bfPb;Gj!UeN$cE-W%z{f zxRzCq7gOFmV0bptjQ06TXT1?KxQ?p$)RP`t#@g=m)QgRm0aJbzj)#X7Ld(+4WYZEB5MA~lq_{&@W{x%!w~e@dP=dAbq1EwxJ% zU`)0}CUTK(w8l~kTbPXV7I6phq#mx#iFs-b$xXlqF8r1_Xn_*BJF?R0v>??E8v(5A zJafO=uMp+pU?tc&ErMO@x)Jsyj|y_J67C!)$T$sbl~FJ<6PuW}nUAa#JYVb5W+mTw z#P-T^U>u@>&k9ctD{ap4YHN$8mV&^9VesS(#|XTY53@UY7#mOeaMU=l7JnEPKQ9K^ z#XFf7uA8j*rr~~CxNQ#>qL@4zoi2Pa+0Nr|pVW)kNmz=BZ53H0^E&Z7G8FopVw$u= zp(b)sjwpsQpmXpoNX~eMYUU$DdC*yaS8#V~N*Biu>bPb6z6*7JtCw7sNVH&wK8S0CE7nuC$Pux0P zRBgRhgDmwhR8G{#%US~0DbvkX)~^33OsSzZyC{omV^*Curhh7olpi5-U??+CmmM}= zgQUu=(s@kABSZ1hiRIg?SlQN3=_Jn3FXR5Tdewy~V+Cg(8H%3n&9rycH~~YCunRbZ zA@U_0l!KTbhOO;Tic22v*$BPNI z_SkyW(iC&KXcJQ98XzgUS*t?6EVX{3Z1cQqb!$jP+PMn={th{m(3NowIm94&u~unb z(IBCFO!$r+G7C4(d%T#OYh*3$pk>D?72oF%%A{ z;E3z};doo)X(v)$8{t<4sWQT-2w!aMBO&&)!Xv_;n2jNc=;loDeK@hRgW#+O1Qxtk zk|!2E-wypZxvl5~wY4VxXzwCJ)?Ra#8j5Bg*&y_+EVJUNp!>_bJ`U;8W#-_!$cQM#W0cxJemG z`tGGT*jg+{cy~5w6+QMEVVe7>w!btfsAoz&f6*wHIg_tpk{0Prv z5=Z!8k3$wr-*;w!Ge%+_5b|Rm4xue+sk{q-`Ei_4qDQS(s#fSW8eTR@w*8ir zJ1I6Y43QtxS=DexW?I*Kb?(%Wxj^;)#`hwih{hzEHt56SYYD`7x$vwH);hU*$DGFN#F2;lCM+mmgz#D`*@Am=7%01J@`5g8>;#u_2upZ%>EU zDnmi$p;Oq_%_^MW4sFEQ!BBts&6X)YsUkqn4Q5=^W*ex68c5qti7o?$jGFN4Fn}Fm!(0=%f)!j8<;du!dFOdgx~#M}XR< z+l1cW5HQq)J~{-Lz=S?ED@X5SuWb<|j7*K;=dySaNT*ynbB<}-{=vG|Z5196e)Q_- zfEZO^5z$)fY&0m*vMm6YAMZMO3v4j0bhH4%5c%=1QZ}7=fWLPMBD!ss8VmvS7?&!p z{1XuJV__#J(L2nV!pw7;F_fmBbvEyBXtq+4_G^6Q*sUQk=Q`M869$DJSvxuVusMlF z+aE>5ob%&jr*|lLJL02{LA#z9YfKIzLnZ8^NNuo{7zwQ0Ff@Kl>oqrS(++OiAb5r% z+9!?V1O6%;4ws^1+bGyx0tQ;oiD+nbzTP;77mS zU>ufuSo2Q95iu0}XxeLr!rN;ua7bgIn%HLMFdY0i-D`$JW|<(rFl`)QyN3thzZTb{ z1{pRfpxJ<}y3s{OVdQ>PA{GTds`r{PSu2f|*jSU~JUQVJ;Kv4EGXi*E=BpRlDcaJO zpMU!%3LT}$4#UBZGM=IqcrZjO0|UDE#2SALabl=nesaQJ!kt0R27Dxpe|q;m@ZVuNoR>!!Q&< zpE19$HCY&np3gv!7D|@Ob*T+jM*CeGU3o_C`eVxgJB!)O-xD*7v)|rwblw-Uo5bC) 
zo2It#d+h{+YEfl`N)|&I_E#A(uN{u}#PcSL;cbFA47J@)je(=K(WH-|#JjKBe3oV6 z1$dqKc_udPa+tvw#>bD?^`RS=|KLSAo$?8w^Cc^*wj}E_yl*oUdq0$NYfLd?ZN4MY z77vOa7dtdjK0G>Ow)pX?L%{Yk5IcVm<{&P%IsGBa#gnYP27|BcE&3(x3^$Y%8$-L|cbh97ECd{s6n zma|<)2E0+JXS*J7G$MO zv#yo-QY5QFea)#26f8!#0pk}XKhhEbYcZ_urp)q5O?wzQKe94Fj;(Wg+)kyzh$Z&a zahkW-;sJmztW37;7;VLEUFYl|o4LA}D7tH9fzUtO1Cf-L3{0IW(-+^#!ZxN!u%sZV zq(r^m)@xIA?JkV?{D(jNYj^b_)9KeRWQJsCs9>PJ$}OEO&hSqpeE*jwPfb$gm2LDo z6-*7o=Es3ZuVN)_&6E>&$7NmX;E{91P|^H{%pyaA^dn&NV@}hS)8{KSUoq4Z?^U_* zU@;BcqIAC&c-B-ksm4WQg*W)fR>8+_C7Ieu#t5hq3dcQs*r3*;CGsO2xr;1sw29mg66k#jFO7fc#yM zEZ2M02SCH9-YdWIqKm^%KaTRf@+;qbkjmlVASzX3<7{3r!1W|@*P}PDcfr06jE8w@ z!{``FpJ!^N$_%AJQC_joZMJvGL!H;$s!U5EA=HQBpf(S3oUU?Vi(dx^QpXlUNQ97DvWrMrE`PzUwWM zxWpMHVLZ2ai90|2#f5!dl)CA1Ozh5?hARxO7|OoC&7y&Cq-vl;ScbX3SjM|;c#Igb zL3U%rkV~=~BYymHjXrhc8p@^kM#s3X7;4ZTopHB?rtrsVS&&|E6+LaNBYZb^7j%e8ySZX0RDbS9)~y8R z+^cGZIj1=$SotQs!#4{d&SX;@#qIakgws&$`k=>ebo{7dRCfkH{fW#nBNPBDGdBuh z%=~EK96{JHK7N#Lf{%g^$-J`Lt9PYr|J_T?t{AG}*8}nNy(F`KjOe97bQ}fo>8y4B z_5^3nW;oQUvAGR)liH2C%8RR?u77pEUXz&f;N`FY>|5}d!ecKyEc^%?j={3d(@AWyFAXgl<_G#nt%^Kf@^;IaaKH!(LQKQi?S zyPu(6zOQSwI?;(NRE=Hlot!fAhpzN>=p{9=HX%dF{P8(!5fg>fPWU`b6&b4GA7T&I zA|(!(0YlO+_!ooV80y>y%y^64sHUxi3lR1@D{wiLb|}05ulDKiQ1GKeBl~qs zd!+uMFP%9=;=%~|k({$*wSBm*^C)9ttlokx zhXb}4+{7-WVL*4YI$uTXW&GF@)oA*Z{PClB7RXS@ezY+SSAnmg>iYhcS$w4hLrME_ z7vq$oTr*~lA0ZmLRi=$FXF%h}io9~oR>I;0Fv*;X%qxa!^lwqte#KByes7`#c6_wL z@bTsqLxuPs+9>&op)UNn?4a`|z;_#F_E-aLF}Z^Mt56xnngXNH9ER`;Bp4BdpP`ie zD_c!pF%*Y?n@x-%1^WK|m#^NHs{5=qqF3)sp?wy#OHm^D^2de)OcazFer`$;Rq;H@xc?F2+ho4j?NUu1GW3bZL-k&|Xxy(jJWLUD2 z)!xUE!;Gyr5k-EiG<97CR21FcUO<)|k&w z)}@zj>6DU^PDMH-L`uF@|GvI*-fzyibI+YK&vWM9U(cC)rVL8WPm=g@s9Nviyz?81 z0kEOXJ#XsY@5jH@-uguHajuKzt4kveLjq%qTJNJXjtuUY%X%a(H$L>EaxeL~H+YwC zp_kyA%~9fafUiUJ5`t8UmWVcr2CJo|U)iFs>5$*GG0xK|Yp;F>zqkjGZa$@E1QMNc@D%-__+PAEG)%4XpIbn4Seo1AWOT)#fN94{>7O zo@qMf`N7gW=PAvbZKfR)0zHDB#ZsZ@$(GU`Kqj+`<-9AHDCS#)ANJegimdV}(L|2> z`ZZ>BsBI-f!qNOVOr)G{xb=->741Ayb@Xjh>m&|~(ooH7^E7T1*lnC*RSYyU1DLy9 
z_ZyB+=aS+n4;VKIQs|O`Mur9XR4s2>jR8jR!%|oZ*WzfyF2bPV8xINlPAbnxwAJx0 zPy+w}LV%qD;a!xw()UO_0HBK)0HDKO^|a^naB{VSTU%Hl;Cw$jL0(S>`*3|z_@oHv z)K=BsfhdGx(AbdU#pq+>heoK={kGs!R)L;w*?4eKZ^o0n$~t@b-e zxL?gX2X$gq-<(b+@)=}O%Rov`6xvjc^UAGizDQv|zT}aaJJ6tVY4?SJGx@hMN@UGS zgqHxHBHlaVf<%8ob>4pILQCfPnf@7wriJij)KaR_^m=mR1RIFSaIGX^~eB(KN=eUI6VrOMpGe1Prve0gRdYP#Qpt{b^1oDYOZYG?Z^az;O9f4@L^gr@ac|LKP_ z=BCr}`n0N1rsSoJH)_o)(5+AzFD?*6d%;LGYb?o<1li^j?&mINb2qsY$!ImqyRt;D zoZi8l`CLE@slJnV(KP|zKQZ*R{_nu`% z(zz9j+IqR@R(E^h$w2QnFYskPBU*%*ULoEbLFA^V$QP)Jqf+}X;A=+}?!VA7S0L!; zr)c8Wbv7vOGLplvVJsR_I%+uRF24ZBPw``tL@!rkyx-59FCqX%SQ7nu&gZfU3 zh-UwDg_z}!_e&zs0yoOMYP7~wMBRGn$S>LG7~I7(9ocTbA69-46|twP(#6f0>qbXa zqqkp?{}L_S3u#|5E9A=yamw}Aqs1Q`)Ypg+PAGpGP>tUs`LseG6~Lw*a@^KXU5fF1 z`CtRnZ}2*`DDUk;Vvi0(Dqhi&<`!_Fbg4Oj6+SEG3_eY~O3}w@BO)K7tq)$pT9o=J`4`ZsS?K@MqL~iP*i2uIwy^NvbJv z#lp0=D2NhlD06!zbIOMo+g-Ct=%kX2Fv;`ir%X^J| zzP9eO$J=RFhZC=)Fk3!<>QxEbz1Q&hl)1Uo^#ve{tdzOJ%a?^hQv^qqExUTk9v`pSRkyXAgyiU|Ud!6Z2( zKl$mouWMa@>tr#7q{rJ_vaH-vu$SP7gif9<#ASt?O!<6b@6s#`EwEBB{ ziEISzMV$U+dPF?Z+zq zo#k&&Sb1|Tq!H@@X>kDn5^N81wXlct@%}ic#;7~u3XsZTC@o+bIjy(?`C~;2&q=C+ zmtMbYjW%!H`x-vh$ZAcYewLQTgCQ4AcfSmuMA^6Vx0;OWLka*Tc3fs@E}4ecA?mU` z8NyNT_s2lopLf|id0HGlRBFIaRQHIZ*J|Kp79PaZ`#9eUTavD+DHx5rAcfS=dZ+q{ zhm%q<`RgZW$o89_-F?=m%$rKi+`m9})`GYdg+2ym{_u14^hYhLx zsNlg-B_a-|qC@<@C#tV4gU-eQ0Ip+mH*)Mm|ChHtaB{NynXc(<*-i3;P7Nd}meC^- z&=>5jPX|iM`74U!KAA@sz!8cvVF<^;@B6Wf5^%aOpO_iw=5#G*LF5Of>vrT_sy99w z6q?0ko1$_s?ADtY2NI59hBaX{U|PCdGY~R0UNd9{?k!z6UzK%{x2tRYP%5|KSN3=f zNy3Mtk|(DI7tS|{?DMV3s=%#>U&Qy0TlR3mf04CV(_l{#@%@$pd92l*VTSx8F2lMT zX2HsV3@|xrZu8)Tubxg!^+pON4z^bD*T)`%?VBh*_zfh_EMLPsey9Z%Ze}L=>YL{C zpsSl*Qn^e)uEgx{S(_kBwRhv&ELInIEWx$bJeZFserS>05*JyBh?nL!()*v05+yKg ziYlnq_Q-glQfZ{4Ji`iGMB<7k2S>ZdjSOk<-mnwZGJ$}-vYcH^tnqzt6@fsu7EOhT z+Z^Y{q0Gc?)9|vQY#>naEGA)D^LQmItln1w({W=nFs0-a8n!DBqznQKLHRI!jHYjs zebRXJOMC5$wKyjh@rmJqhSO&`&aL|iyWFs+!%&nX-a*UbQj-)sCKG*F&i`{dLu*U6*dNge`3LNJYb%*HnO#6jy3Vflv zA$4k~{yY`pZa;cT(TH*I!7zoFI5)1=!i8ribdE&cagQS*$3 
zELa6L!{#ki*tr@jI5{FL91$>GFJ}w5=?^7t)9u!3;Rl_>caC0nU-8GYeUxF6LEziS zmfRi!+i_GsIV<<8w{0`IvN0D{e zEX;qWYrLZ+^~{iGRC_HIwVw0QLAdGCRez;usffmVc_0a8J2g!c z18TJ3wE#XbrS zmvdzhFZQ{FwkFCNi~*ubUD;AiqdAxb!)9x{fWV~C5Yp)^Q1l&j=h_*87xmCcjSIm& z@d{~dFTHn&GH%rctX3{a&L2cgT%po!5%lSS!KJ^<+CKd9N_j@!`s}FrAP+I|EfxnN z$(={8t&W3BjrXUNQ|{1IiN~&FFSdcO?e~Git}+1d(8*le)yWyoci-9h$Kswx@7TPU zBl&SBR`)1=L$N&)r{&*hb0=4e|AL2tY}Av0SoD=&;{45k#5u*1V!ac>+QPx&*ID4d z2#SuG5}}*;fLRu{pM~f@1pb|b|G2k*m!<#7!mSHYSt$SjIM)dP*M3uAdnAtd0se0% z`9GFlruB31lk2BponMyo_3>{`q`x@|c#iN-wS1oCe1iTD3l2EvC(EC7{XF!1MEe63 zECl{LzMTi2j}U)=jF^9({I^p%4?gdS{(!fOeuDoWzjU7Gyp{jqnJNbUm(6Rd<72hx RNAM;Aj9^ufyY$EK{{X+Odx-!5 literal 471385 zcmY(q19%+T^FN$6ZP?guY}>YN+l`$xwr$(CZQHi(cklhaxBdT~=j`U$-Ln~e&di*d zSs8KQZ-_uZKwv;yoZnT21|>z}0k6gZ4_Ls%z*=9%*7}znweGK9RL+(bl9Q5RBxhX2UmA1!X)O9Sio8FIazuqO=fx67~YO2UX}W^ybklG-=t`m>nj`B710 zFxWI(czn#0U60&~WD!}bj7i4>l!|Rci*;n2iOboVgf9Yzhb}R|58^;dec0W3g_ADK ztA;b{$1YOLRpaS`>7+yA6)ci2Yb8)=9*`riyQcYhQ0y7Nl2r=lmMPl#hfe3+}nU29Z!?e;DXs zXs0#4ePnxto&GQ;=q4B*NhmYXn$f$pF`_)EJ z`l~sEbyK2e-Sjzq^Pz|`Qqv3g|7tE2)>J$N1fV!vARq*Q=A134?M)0V4gdE{`;YF< zRmH6_m|;6mj=WUPG?yE(h4y&VL|vAv;n+!S^OWNfkex`Q;w*8&WC#kiAP_}DwIJ>m z_+=S*fEkYRxd(WBnBL*iHQN*58j%S zSP@iI;Y#V24LbV}Ft}`<*xLVaMKEh_&}@Jgked~e{c7gq$_cNl&#ipC5@8&-wbOEN zV3EV*pQ#X1hM(h34M68zjfT^f0SYZL?*0H=jswEMWzDXKJD#L39BUM#Lk`flmj{)Bb=)C;N0~h`I90zN1S8HE0%zk0LvIIui3; z;nG(V+tTUvk~$9IZj?JW@+YAv52Uunu2=FWDPoPKDxj1#5b~!iRr3ag_wKLSTHVTL zLZg)=Pnd}EG0;j=jxrBD%VvjB*tyJgS87{MWEY4XJgWX8sY8V~6gG)j`~&Pj6IkH{ zqEM{ZJJ=ySL;`V`zw|7kJ%8}B2#_L7S++V3K5Q|+zC3GQXx4el^199-1;GQfU40ye+V4VI;G!E13@RhB+F8+xB|ri`NZ9N@+!G3x8qhpBWlh0@4p(0_H<( zwTca*?{=MW<_ROhQ;R)|1ujNu;f22%RS|~OC|@#q?U*)DDD3c$R3NZ`6mTG;RUC5$ zC{C;{OqMTnh>}1bYq*^@644hDJmW%tB+L;7GCOv8Ti^e}a)`#Y(R$V<2d|j`7|Rxt zR!N{?>1UWM-JC6vsYc%hA~2Y&!5LjKVfP$XOno;DiRS6W>$lNc%Tu=~@4GKC;bBcy z;yMKvgS6+kW%3(a!7-W`X(qY3tS98z?f$fagGHg$HkSp^lK~RaFG@dD_dynx50K^b z8O;k-cu3>tSg1KD1>w%A?0!Yxw}z|MGiTSVre)hB7GZ4sY3U 
zq+dv_IitlC#i}adB;7C1n$k02Bx7qgjuWSBtNBUJSW`@u>es^dhp(X|WcZBc58`1% zMLX5`H=NQG2e;>%gyu3sD)Zz>rBR9zl+vd@;>DP><7??inHJ(fMC;%-F!(6Y7ObN& zjAozb*h1YOjkCo_8kxCo8(R{dyasJ3xwsO?d-Qkx3J%(+{6tw{bc-hwqgAps<1MjT zgUOs{-@Xu_yvqcPzhs-l#%|aeUMpBva9Q6AM)O3GbFv5b7?6QW^XKfOhx_SkBZj5~ z2+q48K$dPHu@wD?WS+9`9=9QXC={|fX4{T=b7`7Ho~Ov3eMJQoNC*DOH0LuR8z7s=LX)W zS`ZFvz{E8NG4}ae#^&TP;zBgNrdE7D{Wfo>9bDnXs((VvK?-nQ4O6H`6Msk7$ZRb{ zU2}y}{ieHE+o!iomeRcZ?cLl$Iu?owEMft9Wp!%nLh7XpI)!k#ViE1_!bqyM<1eu2 zO`j15f&3&65_WGnjt-#HT_ki;X*zUHpdU}O*LQ?o8=W^f+{y9l%6JJX6qUi{8Z2JZmrcfQ)7G$6 zGrcvd#V++m%?h{Z=`ovTO5*iZYZUb(y7}{_{=D@IE(YkrtV`C;+1ggh;)cXO#66cM z66DI`$vRG%-o$cO9xx&c96`y)D(K}8F_}NV|KCt{S&QQ%s0{+7T}}jq`oB=-WNmA1 zXJTk*Z%6&_pMT?7Tf1dqYEuK_i*nO@m|Kfmm|XvF=hNE94t!BUMb=|`z1R!S43EM0 zpF9dSdKfrWv2!2y%J4eA<^6KJ_a8IVjOB#5D)QELl<(*2svgBSESu_^%%_&`;`fg@ z*blGk)YMvY$H1FaFD+}=}`r~~{?WHWE3J6T619JgLt2iIm%=eAb@$m_0pW&8In_fZt+7@5p1K(SgY`-i7 zjt3}4Rz9`7Jv`!^;k0m5{d`ha3IZ(>EG-W? z^!nV+e-}S{iYSFB#(9^$vUa%aEPu&=?~MlMST9TkYxV?6_HUr}TWMgN?l7mOS;rkt$Cl zeEnQ!yeU6XyG{cyeLl5)H;z8X5yP{K&vQ@n|+39i7gZz!8haF`fno2Wl!gIsjv zm2>0}4Ty@mp>tFCaZpBElDl&6+|Iy$>?CheqhPs2|DU}8J zf{SF8lUgENJ5Z7xA0;!ty$PD1yDA(z@0I5~lv*K)S98y#;8o~6G?KxUPrqeyuH#KA zb0+CRzMi^+{%xOS-S|Mlxpv}u{KaaiEfEE3pA@}a*X<#)Q*ocUG$!BQ<{9TQ4@)*7 zgnRGv$+sM)?W0qR)ypmVbJtoM1L2(dv-COtD1C$aa>DbOZ;4w851r_FQB@=JS$ z6IhE)5?EljKQpu(^V_Zm;TB(=`)6ch*@jnz%1b{yf7$(wc3_BlC64opq2}CcXZunp z+dfR>xcmB2Yz6L_WvW$N7u2^l@86A-Jd@t5$X65I>|oA|T=~pLM#_uh5f!QH(N>O; zn#WA>8XQCBU`^h?nPIOM{9nF(-KZ~k>&}&5&uwiHF2s+NN~IoycGXs)*OY;_{TLQK z-KcIndJ25xb$8Z~m>=kbO z?r%;?RdyCqa;&3s$TJc!s>{aaY*qBPkT0w2$Q*f&+3WVTT@=r77zH&GD~jEah)vtMjO?n>y^IlZrXqINA0=9G;d#A|H-7}uGy8p36wAGi=o%CoLch$vsPl@q~4kEC}`Hcc3uX0tvO7!R=%us zj$)|PT#r4rMj$X-^FXCV-ygX%JKq@ekn{4lto9OiH=i;Mlget<8cr?&RJZug7 z+K$TF@Am6&bQ)IYm9*k9wv!)iS6NUjQGg{ZJ;)zm7CJ}DubeZm`UDJ8xk@5*+Xv;j zr`T-2vDWayoM58aei@6-c5I6@VgbDM&tkY3YR)v|Mf}#+fR#A47B0fq8?_fLX&LE1 zr+H*liGx2BjjIFxg&Zu1v8yY3|AXRU_(pm1awKV9R(k*fgO%Rs+qF^A({OqgGC*cYJtP5uBAsO<1uCW?#h$^ z%&kTh>7}|s%B7h$*3vp$y#H5 
z>9sbjs?QLFfF2gzo$l&T;CW|XAYAD#R~RDGt!^LKL9d7nt$0LdL5n0%*O z*GR@%Vh&E3lS4DIRJyABYkkp3d77xUYG8_b&mePu`DJgHnpz_0^*ngU}|Ft;Ot=ZS@6{;?b%?ah{ zzs&j^d+%-89|+^hpjULAD6M#{7~zuRqIM}1rlZfkL8`of(`mB~+}02AiTl1gy~179 zelOh|l~9P7@HCG?+X315sXzKy|1?)VuG>!SXud%;b5HMta%Yu?wzUP7KAY14#klVg zDsg9t^6zq5YgFAMj-I504^Ws`vr80^`kAn0iuwd@*W;i2_|K+4%-&g=?XBJ=yJJ-A zU#te<(r*G->IioVStyOxvz^h}W3Ak?f8AREZKlt-dS{+!Ovlk?w7Mf%xG;OwsF-Cw z3r%C2zj>Za+OCQ%iyFp;%j?>M*S1=W?+H>wc?EV>VzIdSjS&_2rP*6*AEf9Xz~V8> zL}8E&LD{Ea6roUBoVXF#@k? zRYoudEc?OQZ&b6xVIbn4{qp zXxY(;(Ln`YM0T(#z(s@;gH#>fOWK%8oeER?3b#dnV z?}}`#HFpbhgC+#GBh5y;2fJ;O#9R%Jp%97jFUM*0m`ca}PZd+?!1zwk8N=yt><1TN zsC4$meGmr|&XrxjOmYt_IylDbYT6a6%P!0%l`FEEr@LQ{c184s+&Pj?c4hQ88ixdM zV0ivr10EbOF+;nMnZH&MxF)cKl1>Htz|*5%*HoPyv+l2f?ri>I#0H-oW&uDsQKTs+ao|8>`%%WwTbOG6DA9gN(>Lq%xKEb&E=6 zGh%mK^Tyrz)LmC{w3u+3ONkGZ#h9C0L_j%xsg03LKa&6zx&2$0aoS5?q{RkirZ7b) zm;>hEegnn|xT?3rE(v2HF}A!PePo(XB!At@s6Y&oA)mR0V>uWKw0MUEMN3{S0|e zjIFj>8Y=G{WzInG#9>vvMauXCcoT$tm^fQ zGNp#9A*6`+-skOWskQdbjo1K*SALq}$oIXG*TQ#x+^rQo&}+}6nT}xXU-eXzo*fI# zcU8C^iA={L>HO^S^VT}@8|-#-*6GXQffrHYf!KJ7NK{Wf^GO}5-UZ4d2Kz2ps{UE7$^H*R-u2U~WD(f9bJBC8r;nWhoZKy{qv6>#) zd$vev4b?3tX+wX9%u0imho-iACXVy?{4vVsL}{H&p-E(+oNc+L=#w*$(kMTjX}6rX z{r0_CTIVxj=;neOYpylnr5@wtjRv9S@!n-l(VLB$l3q_Id1Eq1XzL;2a&->dhlDhC zmg~e`zUi=ji7T|lh?{YQ>%^CNJLsYeJJ@@T7LoKWNxB-9sxTRLJw2waJpyT9V(GJ~ zgAB)u%ikxgf8rMb4E}wZenCd>FmN@!6t;*i{S8l;&Yt(leicN9^3}!f9G2LP8P{_K zQOu>d#|cc)G+?nEOd0sYpD`?n`?%sw(#T(=`=W3_2yE~ZpGc9s9DV(J5y}^RVp#sr zxKqOyP4g}8lxRn;roX5MxuIM$KOEkw+NtWpB7e3{XkyP2o5)M8zu;0N1ZCQ9rxzwX z{7uFRsxZtNBt|uix0K;kPHJ&5b!%WLbDhDjuUGFSz0?FOwj|LadpaTi-Qr)keY1cj(Xr$ClIjb#v__#q z!B-vh5UU_q)I?xFLBQdVlN=vy|m&w1}sXyIOs6R)-m#`D_)!g17I-dejN?> zFw*Seoy=tY8c)X8I2|+7Ku4^AiXMdkKKZ6K!2y3QNTR{EMW8CcRo$Pr3T0>I2KnBB zN}};snnWh}3f7>E;%5%+;75qiJ}q4#*OL12A~PuZIh>L1X!i^~D6$PZ%RCXTk8WhFPHZ;oQ`C4GBDSnlj)wp)F%_a-_Ia&y7FoGJ9ekqgQ5EVM#*i+r&fvYQivw+&T`CH zc{gW){qA)hWihL?e+VTA&Ft7 znhsiuhWP~#l7XeZwF_(a`&V8Crbw0IS^*0pn$q2-W{a91`>0A4J2MJ&Xfqe9o3}Sw 
z1+>a;?qy;)5X;!I>-G0abwW(L1y*q+O1I5bR+kc`IbeE7W`M|jwOy)6(b=d!eP zSA686^eDM+*u1IO?^rp1-<(we^I9W>>QYhz0|=f@5jB(F<2|T~&g|d}GqDI+Bk3ZY zmwh0F9OdB!9R=i!h^36!>BN*rhq7v5{zL(^Ws&8>9NT(V`32_6Fg`aL{ef)Gq-^E3 z4fRa2WA_(GGAkNLRB8;zP^(r1^4Eu3aWo6^6Q$ZxY4Zn?OWrv)YLd%dGBlfw;;-EQ zTJ|e93gT09R@bE9H_y5KjM&-VED;cWkn-?Ej$(9^)y=}m2(*?)E`Uvc-NP+9_?w2n z-95vhM@64g5^ioU#2DB?X8>pJy>{N23x_my+Tkj2B@65{{vo|#MuHw$zu}s+bp*jj zMroIurq@PG*3o2MVLc*^;@v-PmtFYo&?g7L$a{0p5%sQB-^_Pn-V;ARBU1sq$w!eb ziZp`B;zRlJfyM8FUO#KTMI#0Eu^EVb5dwTCI+!#3YX&(tw$V`7*MnjpNjD+!FDmna zyh`HxyY)XnW27jZr1NN|UPJ@-Ru(30w{MEc9IzcueZKOPLE+=SDS-c6N_xD&1kZvL z1JacFdV~kxC5YUtKr{r7Fi5P|1|t&l47syRW#@q|2-*J9^_}qd9}bQ-gy4BlqQg1I z+cU}gv5bbs+7C^?R_{=2S5}nC;tbBkuhV?;p0m_J#260 zPDm$l$QI9IhlcIwYxjlWzK%4ELre5hv{JD*uX(r>jr6|vUQ{W!vYiyw>1U`(GR?># zB8S5wKoa#rNvDFaO*Zkb!rYE4gy%q-A+EEc3!==Cv}6fQ3o?X&$C@&z3UM$?f+u)kHDEgpsOo|H<~S8kfrOeejV5()D6Lx$1b)`~|& zP!xn(?Bb%Sio)!94f8@t@cCEmYH3D9Q4M3r;S&YGokaBLiKB`;o%7}uo3iNO|1i_s zBZ78}XVzS3({Go54PeHmpQAX>bkfB1EBUKTf}Uk|4vHD0psM=jldB|M28yj-l$fP` zyRuv8&6II@W;sW8N@W?@2tQ|48?s`hc_~*O%ni%Vxbig{v;`$;)qC_>7Lw$Pr(u6v zLTm#0Y5Z1}1Ox3xEu(U@oY-Z3rPw)CgA>uEoH(8QeG*mCp#9+yt)@)mv5%_+%Cx>v zb5evK13|>#_u(ab-k3RuAOvSR|DTDeIBGFp?vwr?LWE8TuwR~=E7%|mDH?V7XTX>U z2(3?anC_&BC5HDdH=w0vBiMkeB_ug04}pxB8_L}1-` zx7~U=R%0ycb%J`l>iT(F%x!@~!BTUz`6&ob1(lhp`hX%;g5=^Ap8~nyvCl^Z$hD5L zhf$kc+Jbs|e`iNru#VWNccs&f=eLbkEZ*@u0}$qG(1qALw0%b%?9NgU?MXw9NkVpBe2Ur@#yiy@jsJnpmFjg*|oe#j)igOI(G zmxkQ8EMT#2W@mooU{5P)!BS%VdBIw;I#CwT#5;cu+guhk{d;!ofI!qINQOC5Bqs37 zHNF+K1~GV=MyK8P5-Z;S?m|&b;R=mZIVdllMdA&T1?^uDkMjc{&yQb*$WqYAGusJ*-PIg#7x z&ASiot!g!X&24e{BK#hcuuUW$vtAstryCC(kcuxl0Kt9s*!q%)LcNftxOys?*m%Z9 z$vnQP6~s88JAR7t_G(3GhL>|08fULZCszk9HvC~j?3r)c8+b9zpb-+3sfjLV8n@Et zxE>}We6XDtESZ#O0LeXRiF{1lo%MwF=MXf-p$BJ@=A?VTC+ZD^H6zj+bmb?3`-zXM z(MV+{g-b*2s_bkECWp(D7@gLpnUmrgOwej zTGDIAcD9~Ch{}i1exIZhjgq8iFR?7lg`yt8QEnsb*qat3pLkf$d-8&oQ_OGp63>(k zb+lyHz*?y$i8N}dwKhuYjg>l6S-WG4z+L+uznicZ)of&)f|fb~WxhV$=%;hpX0% 
zSu7BBt#Jrtm42`xewg07z1ODT`yw2LwlTe%wx;oEtB>1Z@A+y;O$)L&!yh;u3W~iG znIA`_&Y>1;5_Gvb`$ZR)Op+FH723@ms_5R5)}cqRnvw+2JeNn6Ac95X02TL4!WAwMTMOG!vMcuW z^WJdUVz7(W1lwpR5%gmo#Gdwi?PsO;TSV>^I8G~^a;1RCz04ngBu^pR1wiPpt!mXv zv&Y0D+NAer8O-^~uY?O7rq^2!6Zf(03eY;-6u-1CuOP zA$b+$;bWIv_IV|}uXiaSB?$uklg4v1!}rPOvM&n1VRqhN-rG^ARs?5ah+o%xTFrpt zds@8#F>;u<^_RVMj0?7t~-^=e*Tu1nN#?QmwEyVqjf2`@x8N>{!7q^{qQpa?YR=rBTZ zs)Pz@?k)47;#S0v=C$NV&kZlkV#@GYaSk!rbwOvbI%*=&X+S+YpTnofPMh+_TAqUf zzA%;dk&(fG`GZI*>%8znBb4%9s>nEI8yAY&ir`U<(wllJYk(H00Q|(uUX?nUqqgC0 zA=BS_D?iSFKIF$RUX@_o<;!szD$cbW|JFLJEdcnn+EAjnPWckD}oiAQ~Kdt)2 z-$Bi8_5t~d07x( z*B@KhyW&r?GPdSpIlAVx1<&FW>1AM(@!YcJo?#T7RYz{>EohJ4?z0%Gm!Ik_4mN^r zUynZ3iuIe$yNWv{5&p8sAX_cSvPhkXwv?A?kmOxv5;Rz)7^NqM#iwiR<(U{l(~UTc z@~bAf=5GMwe_z9lv-~S~D*A8(Dc%>sbwpC@or0iXDvz)Q$#DN2HR11KkC;f+pU>ww zmHWs^wo6Ex@ebA0Lh7W!77*c5$ugs^OPDBkQ<1 z;LSR^*lbdKd>I0MMvi^dp^np#zs~D=01Ic}%bbsyVWP!_L&L2XJ6*^zi-?@Gbo|=mk%~>{ajqR_)h3YLF};k; z$+AHF6GkwX>0`oOgN~r=3~FyG#gt4h6nFEfqqe`j1_0$5E5#&bBO+m;Chs@l; zI9$Dh5n~5r$T)|91@iTnxJG2m&$te8;N}N_Gx6(4r9y5_r#oL+1nxKblZzd-3hB{X z7c7mHy#-z3?b~do6Vm&NJ-VZaSFDU>ea0DgT|T($7f<1qU*aXa09UffQROv*YAMjE z)>(0S1SWqg7~fEUO9l-YYGcKtgF%dT$qE|d7clTdyk48&=;1@N>~9YvsJPN*hdQTG zsS=Da6Ewgk!TVbh_+*5ScA*zEFxnS>Lm`cPy`*?XRcJZv40?ZfFfe+5zNnROCxLOT z+X!7cMoI+jAN+OSH69jEyht^I)y$t7?aW)HRDR-SYXG*d*sS2O_N;GAsMuGgL6qj{DHN zX|C8dsu}R;Efq<8vr*q7G7UYGT!Xd#-SOw--)Z8TCNj&f7%F-8IbEOj#k=a-BWC2E z`uwBz>P_}17Z>dy-P_2OkXfA$STGH92t9O3VOSwgIMjCVc(XHYe3Ya)!7rQ-G zY?8?v9+!l`q1v>e>$M=FzQ{S+7!23}Ik7c@``)pMui7}F+uk=6f2r%@yCg8nXZ%Aw zaN0eSt_{m}Lp6t@$bQnL+90dUQ)DmKG#yENrlbd~JQoV-=(+f9pj7$NpuskoNBp!Q z_Pf%Cf_FS9L|Gf_S8^Cc6_>28k=}1g(Dw*r18OdIK-mnVA_A&BZ6r|ci;{GKru>AQ zGCJS?ga9jZf~p%Mh_bPf$R^4ZSGzIG@Y*1=bz~%!?eJJumehA5G-}EKk#gW%GMakJ z@9Isx6k$y#3eoYPApnYa0E((ESwkbe0!mU{Uo+|8DdEu`x-{Ya(-4Sl<=KZdHYMvD zNnNu5?Z5wO!kY6U2K(cPs>$&qy;U0gu$Fon>lq% z~guD80X3G2!hYBlCxF0JH@`(Ty=g z3BbVYRkBjF_@Eht6#$7bQDX(bK|LKv7Lw~LLtfpqObf@0;<2Pd-((M9S1(S9a9qtV 
zkH%MA7>rQu4~x;sapqK>?HH7}imGpT!{Z}O%Gj_#q6^yuGH&4y+;E4}rXXDoM)|eM z*?rN;|G?Yc7(YCoTV5Xk@3r)4@|^H>mxK)nvUNM-viy?ReYvO4wzsR(>*9K@@T3^w z_K~3uiuBw?D@*Cd!@Pa46h*h}@_{@tk z25~?l=h_SOlVAl4+8=%*PF^k$3Pg@=_({0#cZXrwD8Mj_)&98@d7A_qPf* z2{0kGZ>&2MIEcp2SuCT%eX8j(zC-i|e8AhS6lw&1)J+(EX`}cC<-oo>e;t{<4!%tS zw|v?^miC@5EeOYQPEdgaSX!qoU(c+}NKas!TZOO=4tz2T6(Oiu9`dyt-tGT~P+9aZ0HL*i2vr3I zXY_7dt+%*;i&0$D34rwybkIn8mp>g~u7IO|7uh~Du(c0`qy=ZYQJ`I{>hZ>(gtG&r z0TDk!ngfE2u-3%5gE+JjNQ;u!wnBnJa1yqAH8OPvLHjlSrT{}idQ@HoNuyQPH>+jdZg>I_G8ZdT%+dBFaBm0x&#ySe;?Fgk`eovn+hK z1Zpgpkx80B)(kOx_Zf3}EOupv+8|z1Fh8aIROPdB!#Ymmup1^`CE<6AP2C1vZ14gx zz_j3l3qcY-WWKHGdBp zE1&Ivb%~*>Y`Oxo!wW3xGDA~NKlT;;Ds%9+S)-swU%&NiXGdbH5(Z4AbPHTGzB56UuD*i$KV>jXEjj*^;>?yvpS8V639py zt!2s-@a7MOs7;VvV3@Un|CZJCw=0ppBm(#rVk01GI_cTjVC?kO)>+CNXCPp3p04&X zDL$G-N`S%gm&<1^$8NN{B6u}udAfpPboPb;`^@W<)KCJ&TXtg_Vkn_zemh(G$o7=A zPkh02`ZjdnSxfBTmK^MP2HJ1;1ux^&oZII3Ky&)m zKZW(zb`cuuTw6)-7^)}}>ufA=(E}uGy*BYzJUM3`5=jksLTr4pymm?D3PMns^S>I| z)5&{)G%9%qXe1WcNG}f42>cD;^KE&~N+tF(0VTrd=TF6l8QStMMp6=~4L85#&|*X* z9`o<-lOlu;qNZ>942rdB6i-lo%XR8R%)yXbv|JoDV5biIJ$)T1S+_aMRNNTt9j06@ z&;YcuTWEOZ{L_C1i&XoL<(|coXi@}06k6Nmn-2pkp!ocEp~iJVEr#?>KH;mq+1=Bv zpb}WXt?l!dImV6-TW##HUg(@-Pq^v){ON1qd>{XL1#`OJ4)HrN73NH+De*Xk(T6h}dI7NLyo`}a?->Wz4P-DcWe!QvT*^iKQ*vXx zdqhY64yUWYn`%g(nf$V*ny=8MkSnn1C4QI-%vmw4Vj^W#tnpWuIWXUo3CgJC@Pa!; z`Ze~3h)#qsIHP~3jN;}*E7!%4;5i`sfjIK0z_SSu!kQoqng@TI)A*~FXjD@w-{cf= zfLa7@G*ZOJVEG7^V%s7a`#1FZrO-}Ouaj)lty=sMWeDU-8M36roYZ% zmHf0(UQxVYtOZ;wbV-wXg-)1OQh=$neCYctA_bn@f~(pjhAjF3_|kqUpC^TKhD^6O z0lfvZH7@|ycDX@HN-$5uSEL&xxMz%rY?3z>QCk=aw`k=LPyA*ya+U$~im8BPrTB|v zD>EO|>}ZGg$V1VW`U;{ZrPf+-2^A|^dYrjm#>uL!{N>$uG>YM@Wwtypc5_K8y0gc8 zZWegHOCl{)FlfU|T3$vooWTJwRX=>o=|V-YK(e(6p1M%zK>R5NKTgD5 zhoJq3u^9FENaXDo*Vbb&90}^zfuiHg5r^oLkk0;)%04!o(mkb-04~vC$`2qnanE%n z2Zl!T@!~P#%1y?YYYa*Ui3P&|d52`&qR}6RM|9Oa(i`s_ksmWLpd`;f;D(J0C-LMG zc#9C4{gy?A6jA~nK!7M+e#c1v2_^)QQa8t%p!#RD^0%f+o@tyk2!(d^Kaqfqblsi4 zlC7sI{(RuB4k=%B=X^z39n*FWZM+eH 
zSg@J{R2|F>&}kJ<(0t@3e?`n8kiXfJK1IQbbgM{qAkTkvEg1C9fXa49bKcp15d*Mr zvrO6uW@&|&{UzEd8a6&Ur~Q&g93^Y-F9*jxA~$FgasO~o2+1J04W z;U(iQk1s2nsz#(XIUJ;DqX@oeK1Oiz^Xa%n7e5Y**a1c;1Z!9g{;p2%OYrupHB!fh z#B$t+>S_gql!=@3bmpfjFhT`3-Xsiv0bvytOtdnJP`3s|#`U*ej1h*Ixh>IOsQR2Z z-!ar5A}bEn1SWT!w>>{dF-@${G6=hb-vDFWz8X=&DT#A8r}@&{XW(MYqPT(Pb2ITP zq78xEqGN5yS#!-=Iy8(bE38P7yc3iNIxB}>05Ls%EkuOWKa2u$zdajGR+W6E6t!*- zh>YzoeatY#^lb@20DW28uJ7q!tYh%DeEDvBzn4DkMHU3#r}EUPIxQCoM+Y*V9!Npt zr_Xu=)XVg<^w_z&lgjpg6q>Q}%Z#E;Oxx=DL)9oN>X}v_9&3HTd`|2c_|B1T)|8NF zW1?VEjHZwdGU2N>>-t}izry4Kw+=+j6~7|6Lt2$~8IbYoQ2qyW)Z6!x_f%c|Z+w^5}#f;R4p`QQvS*_Sp5GTmJI za8teUUnMGbDx1H_4}us0Jq=}%bw34@8z}|CT-nE+%G~F(mci+$uXs~uehLC&WMJWR zq7W2{DG;6QtbF1SSv-HyA=)jHg*Jg`0ze1hca6;8s2&PUB83)V2$c@ehxk)NC6Vq3 z#5ix_=pKe`Ll#A6)-r1z2s^*T^yN_oMywngbqS2+khCBLt|4|!x|nZqaPfXQ?bLjy z4OvWoJF9C%& z_azZ?)bTlVz5Udf!AOPEp`hUC8fF#MzCc<^t>*a0h?BSgm1*wz_?`TEQ;9cjwMV9E z*}3#^J-14FyTD{`TP{KQdq21$;;@4waQ0esY7jv$IJ}or0yY8cu~CC^y>)TlsG>9Q zb4fV0e?I$rv*;Ic!Ol%i;Vx?nM$r#xp{35qe*jb$h4dr}2W>YZIk9o#ra>t$=P3)c zo9_=^E6NNP2hWS67rcl!l`$n1Uj?&Ps8ezu0Ha16sEAvFK|q!AXvV{eH2~2Ya6!#8%%4z znAee`N%=`t`99K*6KKX#&$37NS*oD!j?UgO{?hGYzBVw#9YH%kXBAyv1RBCL(?W9U zh5h$yOwAAG;enk>Zh@>LDn0?Hbmsu)lMv(+zz}kWu!5M+!vQFz;O`vvKMp?+41Zda zLEb(vo;e##VueWvj$XhC;9GgOV2H`49>>Z}XZK8>z@Q{13Q#5IR|T^+s8Vtp0TK_` z$h;%to-|7J@$Eg=p$@VVMiX-=_J1@wk(s0;Ds=v>WyYcxZ{{SQFaxw4i$^4sj@VA< z+$So#p4#0T3?bGf8r@^vU^d3Jf@{8zP*`2Ok)^4kFb)j~>uF$tlFEX%g=)LTj)WA;NLN&E;ZmOm!K*v?KUPSWml z%Z9lc91EuaE*Mz@6!lQ`BF6rqrZqFe85@8NTdqzVhI>Pj0mgPE+L!ZPcKY)?{fC+> zP`%Y3IE%mtsWpNrrmR~-Cd+n*H1C;|whIZYQ`S+LtrLxrj~$ufOuqaY6Du`@?u+7x ztI-0?QK*frc++r>4Tzo3BJo@^%Uojz|3s=2hY;Rq!t3pygL?%=0JOaqr#~&L3*Jk< zleKj2P}Gi8w@<9nD(+<>&9p{zf>+OPUIPm&Wnjb;dNtC z7qU>lPTc$uYOU9_6Xctzxc>O7PVs7u2Pu7T|Cif_(-Z?YH+qNt9lrhXv2m2q(*)k+ zWNpwlT@p-=JnY~Y65`{Y{7{l#HB(wg8twFD*AA#^JyQ??dX)ADmqK)G_qCl}o8kGE zMVMg_57tz@sK#tXdhY+Sg)D;35!ZMCN`p=wrZ6^zZ%B1z!I(7+VR2K zEBSpI*mE;x-Ch(Nu+~x@u^8rOdA--+W?b0ts&g5{+t)A(=f>0R 
zyG=^4=Gc4Hq(KE8Y3h8kRUp${TB4_<-p{D7?DfB3o*XX`4zyWleu1CMA(G)9>VWqPI#7IyC$jQ9a*Utk};C_WX8c-46vdt7P^;|1}QEZNHEGbsVE-$o(KJ}c?H!P*5IKeSAd$ubX4U> zqoYv>fgdd|uwRZlql&N!xq!as@64kk^eU^)B1RX%b`IovMV*#VB>x|`!61kf0B)zV zV)};)b&p^N3@5t6;virfJ2aVO}_J2BeUV7<8SA@ENk;H z4EXTHnZSw@3HWMFg~39}ec1Kiw27pGP6uFQ5fMN#7-N@LH>i^}S4Jlo#v`d0DA9k~ zZPkBZpVW#4cyhCDW|6T?U-D+_gG%1JLA-L3@N@W5o&MmQz~6o&cwCE{k|{HWzgYHr zO`|&iaglNWmB9hvp%XMd=>NyVb9*$p>_2#L+Z|1k?Hok(798K>+{)1`=GX>qpn@eY zI@O=)@gQv^tSD2ac(+~BRHfF}nej$78!08=BH!M+xkWks|Csvb;7*%n?PO!ywv&x* z+qP}nwrzW3+jg?CZD*tXe&>Ae`#k5bsk^GDYI?e_?w+2Wz7xZc>GejqIhWeil*7M- z6}4NW)JQypYK%bjNe9zpbZW>+)kYtUs_CWFS1;){R}f00?2Mf7iI(!BO=taA4j?=m z!cI^VRPNz@Sv<;3s_c;MWws@p)hEI2}$)5qDo;NZIPXBl72p5 z$~)zG$z($mFxQx(EAT-H(_lum%wsiSN>Z-O$z+!1LS#EeJ8JQ#Xd_Ao_v`T16QV2V z367*$ppDTjwB_q-xevDJryi%D{0NSQU+rQkG42+=#LuReNmc#-g3a9s&&5XN%@a&_ z<#M~AXBs2%%mWQM;Y(JGIv}WXuvmk7BwP-o1Bg}*?gIZmqII?+xh@8X_F#GR{7s=; zjFy$8W+$7`ljLMZx!TWKWBHx`xDYu;#m;Shi$Do$r%*M9^HF7iWGnA~Ae{;FJ5x~d z0ILM6aA>*I4;6V+9#;rt7p?kl4hnZ9GD8$o?|8H3E7y>gIk;-%e`Ltnl*sfyGITT> zzCp>sYG65;mQY;IjIF}YJU2cr1xj3NS=o7}MqoM~{xlLa{(8E2p1CkjU2YnW<6Vo6 zM*QmV{Zr>H>7^IY9O`Z%yzlv;Qb_W@CMFe4C<9G^46q(UF#7@Ia59s9vCNz{bJB;# zfD*%_U$jW@Pz^sSL_-S6{sY1q15yb92&FalJ47NYN*UEMD8zE~p0$UHW)T0r2VUFr z`=;?R;8x-%Qw0i%G!Hfa`&VHi+06mOeX&u1e-C-CgQG~=88_ynKfR+YMpc;e9^$!0 z6nEH|5-w@P9pC|+LOM8)9H#aY)w;0Idef{?j{p;DcNEf{c$C%qnC z(}R#0E4magRs5$&Z7uD%)?>YoZNoYjdiOO|8XL$z)1WG3yRcfyfk z()dXU_2=-q91q|%rgfa%NgU1^dQwF_!yWj52N;4;CWP!Zq;E^IgZRr%9=p16bu}rf z3d}bV|H)MKTtGB`$%NFxA8{K18zVs^rdYXCThD6$2Jbtx_Y%dcxnMaICFh-1v=oMx z%T{yNj3ioqTCSJyGhU<>4=L-2NODkzcA|S;KA2XjNu~a**-(@MlI}m)H}+>1Ew@cM zx~IB|$IO}dt^jfk`7)>GZg>!10h|5MC|^q|tH8jw}+A>Q!S1x)dP@zcd~S|?U|ByWm}mDuUijmTT}I;S+!o5yZ2vD zEixC(n8>mxJ?4jW|BX=6#K2{!r>ys_0VNX$tCN0N-+0h=Uw`a-zwOmSkC6GS#zP|Q`)z^p`Tej40tUX&PF2{_8)5yCdDkoBo?oQ_%-`%J{Vd=};;ESlEe&6d4j%#w! 
zq_P*;P$y_1YZt3cwMd-Q=kJin7H8kfO<|(q{`a}Xog5C0b|`pW-uD)s0;H*Q@k?#% z_8TwpyUQ{x^R}SJ58oA9v0=!vlC%i)@j9WHcUH!?Jj1bPU2rrjr6?M>`qbV7?e)HWus>{mMQGk?!#c~(C>d+(c`oUMOvD_?pL zcpnB17OuNj6pf*LmEwrh-Z4KJ)N2}g-?*o1JrR?RI^TUSqI9&lVD%7|SC8`Jx^iIq zwq%k&r`R^M)a{GwFw5&Pe<^;iwZImw>Jg9reEGE9+MRQkOcIfA<(cX|@5x}m9dJw5 zy4JI>{|eE`mUSviyEcoj_Z}0@IsZyOVJyLAUn^=RD~dZ>6@@<;pU)qmO{%w%t?uj_ zngZ$)ApZRi`<#5Kv9TLPUE)iE{7m-D?#*qs#p~9dvs+zYk}(yuK3>fc`ypyS@3g4h zFx5}Cnu9hZw7$cJVaM*2H_qdb4L^w@o~dEt_|O<~!7N8zzm51@!|QqA>NmmvA1>l> zO{;viDv}?S!{TL}`R&XHg5$-&;xUhWYIwE?l8M91a7Da$HffVhl(ez0gnr_>McKZa zP`L*@35PFi+NMfg_ZLz&tdpw8cpaE4N)MSn{Pk$sRn%wAhPf77N}IBF%FI}ZYRh@R zUjld!Dm|FH4X-vdhAdOt2{#QJ>s#C9slW%6daG1~gXR+;4_hzFU|!CYfiPjLE6qY! zHrz>rA;5qJgp;?g@VxpMTa!L*tyD)aTGelR zryG>x%fYImoU3G!{h{|T@Hwql?r}Yu>OnPG>V@O0i!1wXQg|V1O4ntfQ{;Nk?W48a zJSi~!!Lp0MwF`rndxmXDtMS@#pYTHc2O1|YS`B5F&-0(d=#}z#^_c~8zvf~$Ub$(S z*a=k6iwJF>$OoFg2EH-JtwZVhHThThT{2ucb-3WCZ4ccVRU3;!;N^d%*@Wm&vSdwC z)zaf_!lSF?v#+Qho|?~zVs*9oIr+8ADc{_VIAd)Z^Qz!tRKurqmFczDHpP#FXTOq8#})x!dFYXOQG7)wHDx|eXKih| zv%W0VNMtA z3jehkD&s!5h#$eyC4L=S#iJab>zm4%7%1rMHJ-rBX)+!r9CoEiB+Q1(WHJO8keQB5 zr(t~AiK(0ckD_5OQr*G16K}gJ$F4(f82R1YT8znY89{~qH{f2+utaAxA!#6%Ct%K} zkrLxKBVOhHlF+g+Hnvv)IqQ#1;msc)kRgI3nn!^&h?^L?r^!LfqoA1BE?=) zHRXB5GVPaj@tWyl*K)h~z}mOA<#sg}3}^a66!g>KkB8WRF_>hM(J)qch)_)=<6Oh- z0wD1ixWXx}CP4RyA}pvM+{vfSIT3+|f=ZPxMKMg-Ka$8fj9^33{u8~&LYpBOvmskN zJt+diq-L>G6RzGX8k!+uZRi(|!5oIx-ex~DJja!O-tu388jo8ZA#BGjbQR)0@c%Y@ z&0n2b`crPwepsyiz7K5Kg^7=ys8IcF!`2J2Lj5JzL006ME!2D|VG|T_jD0M1PRq~? 
zNS(h`y*t^}<_eh0hS4%k$*xE&RdB_d|8jEj+p^-iCeodv zRP!8GiEmZ5`cADyP-1r8&XHv9ptT$^T30OQ;;={?kxFI0qtwNN%m(*bb}PYslJL$_ zh-T1*6$<(m?Q!a$odK!g<;6!N<;rQ__Ym+_<1sMT5Z`j(*+cBCVV=`rFESJvTy}$m z8wwGroHH5C~Pl41SEjY1)}BYsraC9pTvg zWp`wQd3_gFj$;_Lp?2md)V04;vsrrUZxxbK1;IaQ6R7iCjl6fxKJe?klzYnZS5>D1 zs>{|F$C6#6cx7wiko4Nm7WIX3nd~;IlVi;?rML;a3YreGk-pnwI+@GE6io%!;;R&$ zi9U9$={RoM1AF^pl*w_%dl`lU2u5GEO}m=y&5eli)YCQFbeCA$O)7tqS5>xaOb3&)WwZ8oaDDX|iz^DHX3yE(6m(Vb05SMFpIq3~4rip@+kqz$Z91$PL` z3U5fu=0wB(BvC}fG&1}`q*uu3PcTQ_^b<||GAhK$>wcud|8C}4Oy>--5FTmS-T87X zW{%``#Ixc>9u~IMvTD8*BRdMN>%sk@=jga3_>N`h9?t5u-fM)DN5Q=du{ia&ierl} zZHD5)Dxlv>MgNnXRLxm;Ve?LJ%-()c)o~p7Zi_d#jg3qa1XS%wFHWuskRS>5#iPei z#ObF$8Qpk()ydPlplx%$yQp#xrWZ0Fk8E#Rbw<^eYUtJ~C-iyz$1cXcF7=YX|JI`0 z%<~=QkKgha@Pp#JMoTWPIwf)p%MG%|U$xi@#tUCY_`5DA6df#FHZ{IPQEs(wv9}}2 zZv6I-?rbzr&(D*r+I^N%5^kCg6rBAuL-Pi~Ba-p3Y{?{PcpOISnP?4H{YX>rxD8i? zNK>9t#r=}X2W6SvmmCvNFzCSdp2M0#D0v-me!l`q(gZF3lVDgkFh*~<;&C5lGIKaF z2o{Blhht+VNrSr_U4_yJXV2MUoJ}-~Te{Gre=_{k@($Rz_LPXTFnJ2MQeS;PGSsjh z7SZILaop|F|459)mZ-kRzbt}taRs3P{tPV}{Vorb%uv}^Bo5ii(9tk1|j ztQO|i_2DUdAMA&4UAtTlu^%0^A5q?3sD&v?e7Tk(1A4x`rnOomL#~*6EdurFjfT9btKvi6ZGpfZM4StSwPG354y6bbB!*Vet0e?Qctr8{*c-6T)8lik`5g>d>a1X=NbWwIKkEKi<+QFh7>M8Khkw9xh02S+(7BY_#%I&QN) z1S(N@C{%8*@Iz<+qNg%d1_YbnM?CZwGhuiOe8tQ!KT4j3 z$AGex)}@<7Q!Yib14w}W39Pe6GEMOv^0*&?02)R+OZ%?RADx})+5gK<^0fl9_QEMm8 z&x6;#wvx>mVtg;(2PIJ3bt-*0$7t)59;{qI#~4QF^6%iSRjS|BXMTVYrlTm|+P!-s-?1y6MPph%UA3 zQZ@8-Ww~rKzAIlW)0cXRi?VRThMe`=n3^ZPf(@1v^?oDFdC{Us?hx)n`5CjAi5m#u z^9{hK4@6u)fKMNY*#0?61dw=>yaID8PVQrr-W!L;~!^=N(BAlB4fOcjp$w`rJE{*NpjEDX?xALqg@v8OG|$lAJ>*|F zIM9I~i9u0ezo?dNF+p#yJ&lT)8sOXDAalATj#4YCR`TS(6G8o98&g9_HvYilXx+_3 z+q~^>_=3mXyftX}qIWH#g^D-~VJo!TOP-fjUaV+E;YJ-w@lyyg{`l9_7MP%K-txHH z@S7pVDf-5yU57WHnXYGqDl<8MwFf_gBc=qWav!6nRU$zU@6jh7Fk(nIuu2w$wz?!N zRIQgGHa!~Alr3I9OY(c{x>QC5c`EATCF9(@#uC;dIr>EGe%&Uke3t&G)w!$x>N-3m=fb4}b(@5$d*KQ=7?p$<-3 zo421))yg|=EnK;-Hp_%^K7an6&_cAb4Xe5G1YDs8< ztY%?x#=1d>Xj_cCv*TE!TLF3j$=a&E;zc6=%xno!={GN$6 
zw28I4fPg#19m0Z>qBwcAH5YNZkyk))lbApr)6P!E`AD5VJ*ndBe>q!WV0S^8vYhilm)(gSlOK+wzTYfLb^$m-&`ybQ0k zYQ;3ghBIx+^c2gx+E=kYt(IT9HwkD~W6GMXq-nfOo%}aVo)k>gSAiUz3%rJncWnz} zY0i<<%7z49jx%KT0`x>lLR?@SGG{`tb_hFMhK;78g}KI^p^+jGK}|G`<}1Qep>pNub2a)+5fq}^i)1gWGixoS)g3`f6OTAhdJu-v*jy*RU^_VDM(5;!dTAL!EG0i zF;*cE9XpbRxx!iDBc^iE7T2*>5!E3qBdj4U)dD2ZNhb!$mqg28OhT5^*T(y&TWy<~T)!58B z(6>E{+G2%;IfC&fbl;AKR zSG&q7gKA*TLzYs`2V9?$bxfB`B@aJm`qiEd?*DTNIg6>79t7S#g@+i1jYCFLS`DZ$ z3;QhG24+OVRx5u=No}e+AM4#5P4iyP1$2=~Gsknw%n55wM&QLGN_9WEX7Zp zUCPBJIUHnUx~aj$!iY<@$-fnkIO^~&Zq3{P zH2?ZrTQk69=dp1EaPdkwDr*7Th*0@%8IR&}Hd?1+Ky89Ur&7&RHk(UPDpuRz zcB`}GX2;Q?oxY1Q)QBwCF>rG1 zMW?=VL0wCp>PvE^iqcav0p$fvz}O4lW`|6yqn*TWvL&f?vq2E0HhHRMedxfunOz?$`$nlM?@KOmh3(j#ix0jr}%;Z-@^9?G07kB)qZh zPKe-{T?4=QXyfjh9#NSYJk|b(*M4a2&ugyCBdzk+E5pz6Ea7zWx<-PTCMDr;l}|zD z(@1rh&SVfB9gcp$UhN$W0@Ksu?i~;V({Ih_^g>b<%I%?KErgJs50dL8oy6feP6ntH z0Vsa_lk~ROr0pN^y#d0Q-lMc7F@>|h=^94L<}ls{USL&%FSwk`vAvMgi48@{^=Rub z{Q6vN@Ny_0=R|V%WXc;Io*6k>Q>&?iw9dOuxi8gReH~sB-7Z62up?)|$@}UF8r@s( z9Xx^qEdde4&cRjMA0$G%sY!swfUk7e2Mkb^65T&xiRZ}lPB=oq4Jqw6bQ6YOmH8#w zF+AT@-so|afd5_SJZ;IK?@a#0 zWkL2Eg<7i-5h=eCU=BE1#8h4?oFrJavQcQ*Gas_03*H5N$C8Ya{)o1`wtE^@f5=Zh z5fU7WoQ}~U0xk#6O%q5dAS~J)0>Zdy1cpLESadi9hD3j`1TDLMZOKZUaXcVbCM5ry zu{rnzwn{ZF=0|f1yMNzB4h;XPf|hGon(#;P5L zrvX{MrPq#YQx*~?m#}$SM@Z)mVVyB~r?Gn_@U7kRK_uq?CZ;ULtCwkw!uZ^WVa*(3 z)EgQ{yQA2PR&yh}2f9Eqmatm7wJWH-9IIo-hqA_i@hl}#nEjYsVIBWatEChnr*`hS zP;S|ax|iKOx zNXg6o78d#lad8ru{xu5Bu%HRdm}>~f;F=JY9+q(Olg!zd!ZhX=X#}L~mBjR`hL8}q zQ!dNo66Mk(awv$=ziP&i2{t@`3Lh~58~1>W4sJLt{dizBFBkY5ipqTnw-~-;b8JFq zOv}rP={$4CN3Lq*c;p06+QRw@?t{2UMXaF?t-&L4)9fA{e$Mq>Jh+L<#% z4Zzt)f_7yLWk{Hf))w^qV1&}D-{_*o!A}-!vubgYxvZf;`i!e=v^um|d&p6yuME>Q zW%YG6-F81$#l{lHXmod<7FaWN=CW+k|K0j*)^)m4M{Sk53O}quPQ6(7Jj=4p)I+lw zyp(;e-Z($8PmT)DUf47!ONnbIwC{it6_U--dmTdiOR{&|R!BK*(nmh$$nE5Q-j&1k zsfrUiJo{hgYs3V@UO0zm_dg&dzgkSzBX{8?nu%c(^foqmg{G;FXYDxF7B7?VRBEND zsfu@U?!LJ>OnQ#QK6)kxJfayx5!CGoNR!2nsUp86a36z&v((&3G_SNWuUn_LA+^Wp 
zxI0{@f|SqGznHLmKPGl@A_Wg6VLYpmfQ1$}Qs6)iCQii6d9S@30&=|1 z+pk7HC1u!ihZ+K|yQY!=@7`ONFDK!0+??@=u7_diI?qxH`Vy+fo2uISb=lntwhHEM z+pgTDTZ?tV7SWxf=G}<(^b~Sww#n?8hgvr^KF#EA0R_$E#;@((9)*UQ-sPE*aVFqh zyBYksDzwzxlv(>mZ&uzeI_XTK$LC-Rls@#@gEWsEhM)^S{jVymUx}cJ_q;T#h{v+9 zh6TyOn3TAK0_LGV6*xiy2Z>-&p$rYMRjgaV^1VbZpFPI&a zI6{E`iQeyXH6cNKZxF$!_ckBq!}Knw5TXMRjlHPF-{q}ax1q}yAMvrpfo+2iiD2(+ zra58+8>cP7OHNp4M8xL|G_t)cM~`{2m{JV3^;~E`h?j9bH+l!s>a+^ex=n=?(<=1- zmTB_xKzFykue1m;Q0=9nG})JWWxQiZ!_u}St+8RWq&qE5zAGOCU-RCi2AN7>2_DC* z%U<@~i4PcD_$Yc96;|Pwklau?nL09#(H*gAts)k&{XSrtA55W3?1fM!o1Z9zM}>DS zXcEGs#Jv#MSAd8L;R;zsP@Xd;h3rmI$afy>CMD&Y8cbMB>5AmjMGFw2n((fw2taxhg*kSu#cLfgSR46WyR^Xj5M5NlQL5 zT^aP%G;W(aD|b7yvNy)>Om!#@Rlv}i%JFf^S8yPy4#(QcMvQn#`f~$be0W_jla{Yx z&i{+r`Zj)C+fm#0Ygx1V>*?eEw_w6f>t{zk&^IP!_Kmh-1nEj}%nfg}=SO7^WmhZP zBEymL=i5n_hUZjt)&)U*4Z-GR|6kN5?Sa1!4D6pY`ctxsfBb#&_5N--d|N(gZ~JhO zm+`l7Di?OHSmMp|4$M*4726p%7h*Wz7N%Ie;b8Ei{k;LtVhfairS81ERxye4L(TA7 z2hYWw65Q8-=b}jq9&ErxjXN%opoKVAlpv9p$=X(t$`|H26(>!5Ix{mxs!(!b;GeIj%>{hTjT35+LmMT`7B(dtW>jMK6DC5Q$i5rwc z{jt_}r}4{_1MkNpFHUxEsmo{(;bH&KA+GyY^QbINx#bgjM%giBzV?)$t3(eNCE7@H zTfZqQ`?%1@Bi5<|8D_n(TX!dHmRgcDdF_`Z}dNmHQd4xh;%gW;W^88|}~WXjW~x?Ui&r?#R~jq0&Gl$CX;S(cR< z!}Zu6W413A8OWDq!|rV@E`hf<4Jgcv45*f7Qy5_+@QEkHe}b-mhqAQ$7+QF7nI)!M z=Dh3VB{+K;fY;forRI2=>VcU8oBAQ5L(}UE$kP00yF*x(j$rnkr!XqusY(hV|1Kqj zorQ{ETdB_CWlVqxEP$W=$&v+EY38Pn*PsR^|H}CyzQX{!@?qaV4E|>0@T>GAe1YugD#Gnq2JxNKW|@_e96f>7GoSr5IcIYE`9QAiM}0;{BE zJ23cK#K+3*IsHBTm#K=z;7#jyuyJGU22F0mNF0Hkcbyu;@VQvapZ7qARzCxdGsNHY ziwM8tbo;|DA;QShVN%~7U^5zi!hoQQNe+7SGn03ls*VU^s`hf5>PK8cC@ev<*E%kZ zT4MjuW|8GbMYd8qVGxw+9xRsEw+RLbdg6bYww5I z^UxBFppd*E)1j}`(B(cr{_W+cd>KW+)v4+L=T`=TcA0F8_Aq1{`yLG3H_D4%A_g|X zpFXBPrO!t7zG0`51+?I5A~$2@MICoG{lge$Un^LWXU~nMaz$L&VZkPI*kK&_Qw(E* z)MgC+t%V%o6JB-}#U_KI$V5*u4X7{3v5!(SG0hN5)N?=7?k(0K6Vys;zl_yxgF}|& zEtfnwB2Swf0I30n(#8z%J`o1gu1uZO%a(qCszy!vIKcdGp%-%f zj2-EF>oD1cN7pkn%(}S_QV3RFEweTq9_x^dlVFh3c&rH>0e+=T@a@f(kfgKqipVo* 
zJ|gW$B%KluNc&0gkm)`mAx9+A-9?a|<4*NKE@XLgjink)@#&g5^h;J9v|9xc(tQ6) zHt>LDLi}kf386|D8kK5foJFBq;X$wt`Xm$!sGEH$qE!#ozMT2qR_|suIv5qe?u7B~b7i4N?~FhJmme0gb0Oj6`tx(mS~L((8UIr#+-W|G};42 zMN_{-mB4I6l>H0D<>o#b(TEHO+rSv+LkHm;D1gu$OuI!tgw6K3^8)W<<`yfsUGJpO{W5w<-;!%3EbD90 z*FD7QQxw5~^Gl_WQ^lX2LEhxMx=MEn-?4Yc`pboL)?cr`bj<`DZf}Nf1lQb{nlotd zOjzo61@n5RhwB1di{&<6rP6*prpUu}qM_s~1D4Vp46h&HA}ruT@nUy%`;FbHOOW6c@2#t==Zq)E;( zjtilSt~1F7Pe+3ta2_;b{JReo+_Eo#eYgs}ND$JM5@3RJWk~5usCI(4iEO=G(wh)i zjmMto|a|{w2J&omM5OyGi&YPu7=*^O^9#q<=X|}HWgYT^}S4D;Jc7sKJ<8~85PTc z6yhQ~{neN1frh;uDLxhg#ynbwSmy{?m((fJAyGO6@FjFa%ro~m)omg~og(wJkAz$$3OAb~bSm^D@{=s&_16&bK7nyg6w_x@ zdb2X4;S*h1eMY`FUleW?j~N*!J7lK%SHKw>Xd(-hH?vn%GcTV_Mn{ryU4t;}y(JG_ zX=KlmgLhWC8W~d`_Bvh;Abz&lg z?ip%@DAahah_BF#sHZvenXSStxKS8{V%P#=x&aLo-R`K!1Y{dn9c>M$FzkBCK|f41 ztPcGlX98zoj)tc~fu**cla=A=id}mKao;NJjF?q8q#BD@X9f|;DvTJAT#*BPOvy6D z8li=8j*p~`@xU~-OlW^>5NXc>X03Ht!e+P4DMPA~QDzpIt2Ha&Dp5GrT!vL)Ag!8r z0{^@cZw@t9|4U1u3t@2h(!|q42ki;URUtj0-@?A{w}^0L;Xf&yMV&;#TNJKUq|u8a zQJ3oG!OajVebYfpJy57qkJOs!ZwWmOG*V@2`0iaiTfO(gcl|f6k}QnXOB8C9Y}PQ8 zZYoJl3U-hK^D+E_O^0yE6kbvE5j+yTdxS%Wu*d}7U z($*_eNw*z<_FoG{w8hdP{Iul+0kBZ}lsDgY)u`!QQ=7MtWY=L=;lu5jK@g3(bt13W78`iQJ)3)G)=s-ai?@>1Mo=463TH3Y0T9SuS2b z?a^{BP%>Xf&I<-FFKW~Y{><{odN*x)IewuW+}uz4!ROUQFJ@Du81uGLMoy&3t~arL zve#K&hVdC?&Nc{{N&gHBhF`cPh6)2j4u0*R#uiQm`gxu_kWy)MFtbAY7%}CQV?icZ z>XHq#P9+htA<{qp<*aa*1xoB`3mF!`*%u|$sLE59LWp3C|10}&a+YiD4-S8yua&L3 zto95Xtjd;E3zF|NacM}>^(37UwRXZ0xDb?P%wRuN+0imSJm>|S4TlKeP&Ax2Y33TD zg%b6JQ|b1Rn$9k{b7bn#+t{R@RRx!t>$d8H0%*_k=-JUx+w2 z35zcJJZ|S(n>JNZHgyb1$Jp>u>Di6_cVWSumhrY7gyV9|KHQ%!zD@Y*D2>OgPRTra zf2HMZ?_#q`z{hb6dez9XYE`k|xqLu$N>m&0x^{rt)l3257rDi4`<$>^>Q=B82HMml zu`yvUO%m}$H*&}JNDK8pc!S#ox@W1C`rOh&s}eqd6JX7M2QPRp+yOf3B>ZMrnI#QY z`_?MV1B36TfT_Gd7W#`NtN7E}!W9*cvqj z!u3zFm8y5EMX{8Z#So$$P;nj}ch6W;DgF==#2K1C>GLl;)2k+j20#$TLV?FrxKD_(?ovX`%*O zK}@64_vBayM5h66ju6~xGUrGQ2FFfeCQUv7=zzjrX<q!|)e=WKqDlHBMv;!H zk}}p2M?#@VCO|M!ifIf+=Y$f=V9gD9(@v6B`y`S}UWNVC5e>>xYqyNeW|Lcj94xDp 
zI5<^HRKQb06l3{I_;S#%d*6%GNOw-Lh$gl*F4}x~Z~SudU3S~aG8CbiZm;~oY^Qn| zPSv#XpyzP;B%xb!TgAVlY{{@CdQPt1^XdCVTTH#7ekH(OsPy+Xe)3RNx$h7G;cM6* zaZI>B!UKG(FsrsM!qHXKC$W=wbOnvEt}X(~RrD-+ynZm`k6vcOygW?1*Q_SipFBw6 z8}qGP6Mg{IKWK`bx5(-w_Oo*Z19&enk;f(rk#lUwRmKiF?TSnj887jUok$uqbg5FE)@qUK3T!k;ijcCl(zE8%hKHjs=D2yI2Zym#SUV{6Dw zy&$(IRklsrn-+f;(0Lj&-gS@J&kAwdH7^7kSb&#+f)7lZA)p=)wX1ZZE>Z z4?T_^RZ!uY0?N8l&V^pCr{?dg3W4X++)$+|Qh=gwC$7SA%%H%?16_cI;WB5{bn~AW zanQlt6(JYR*Va_zuWD_{J@RZXYgoR8jQAl?GLP&1a^mbW^G{V=qP~?6I@0Lfs$hI@ zxnY?F<4v1D;TRa)gJ@8AMtX+`$3S5jNZdtJ)D%nddrBJM%!dHejytT^_IwqnIgt~3 zKfJ>q5dY$QoJDpIk-x1!@Zyf7+j#r8gY2A{NRR^v>H-v$g2)GYfl3f@w6YUKXJV9+ z&Dk#)e)@o9ZOSCXT52~$b`({s9` zs$JS6gKZ72*=4YJJ$P~k{?(D(o$q{gEhfc0=mkce7@odFzvXK>9WI+!v$Ehtaru6^ zj#PPI`EA)P0g3}PX6^!u#hK@T9mBUB@!k)ZZw8*ki<@+P^pR~hhyei&lZrOb$R^Z6 zu--7fU^5BUhT}w=!GPdd?qW38R$YDA8PPWyBESY`Wy$sJ;&L|3Q*}xuoF1X(LO>N=>O`~z|R?@v1UtZ zh`Iu0u83X z(z7zKVAT&nnnO2)g}^IX5haG*Y=EhCKpLHYa+w}}JhZ?%fo--(Sfw}c$)wlZqwqr~ z$C6msvIvd-zfs8w3zFF97BOtq(4&Ruj2W^PQm%ppYbp3BR&$XGY1-7hnXPpulNp3Dyf*^YcjprskD zp{2=oJAv$ast9vyXh7@)d`&DHc>Np9qP@%j;P%UIKN#gj`-{jBG{>U@N@skLz};aQJ1RnNO+cR@HUt^r-dwll|A6+Ju2|uNThdlTdz-GYo*Khna8U8+M(; znUy*9P3#KUJ8jT_So?CpS7CWcvtE{!Gh38G02Zw_pY7GpERZ&xh5^`LAWf&l?tZr` zASP=kp!NBqf~ZhQO_BSgKUDG>XR2tyq|(#TlZ*9frliR3jBB9j82_&QN2BFK&{4-R zm`eC*U`*BwDIp0LCxS_H%^q!p;zb1da5Mk%f>sx%dOiUckMR!v+YV5)()C(#0j82T zL>>K_J%4+ns9%BE6`y|ZmzupaFJ7vJz}y&i!fRp8}kR5q8 zJ5R!2KlQCULJ206xKzqV^F2dk+MoB++E|eYJeGXw5y&b$TOl6VSKTjf=0 zONG{c4HGqQGR;EhzDk1bw%P>?`~Bf{|96>!&Z50~hK@PGIIFk{oPL*u9LoHZ66Aj5 zXm4w!ZBN*0D0LF>zvAmE{dDnDNX*xTiledC<%DM~-Q8>{A_f(38jqtxVhwt!Z_1Bt zi8Z$|gao((aXehPN(Pf`rl^Ifo}PwVbAu@GC(*voZz=vvYMC`Zlz!Gu zY_-2Y@CmbdRg*O&!LQ9EPAbpIX~}2KKq^3PW2t4=PYN4CAhzMIrP;B4pS6PUAH^46 z4o-?I0G;k!mJch}Zv4nloX>$Xq2Op5-~KEGb8;_l0}qH5va>P6 z=MbX1$Nw>`Mm|UFdRKw>NfhfP$EAp`mCFRj>qtF(jo8Vo^lPUHvRWZ1-#AD zBJ;3ig$1x)0^$=CWmmU2joFXkC{_0XC4S&{6;;%9?N8hO$8Obde3jTI6prJepO}!x zHwK2XEM;zDKfm33LN{bvN0V@HDsSyQbQr^tuI=$bm5GncyisdOeW!n!tR<0hz*BTejH4WI6@jWF 
zk%Gialt?O}CK-sT2x>NB6kwavP<`8Bl2=9ot;DHt#6$WwR4&LXBazC}78h~#z^{-b zQ^=Ox$i)x33AhuhbfWBwI!q|*<2;si{LN=T8u|K!e0ZF!?Y=x7<0iyiLdV;?Ba9Yk z2VMo8;!NOIaB8^z77Tw4ONf#Iz4>~%`d7g6m?k(OE3}j;FOwiul+_eNJJq`JOQTjP z4=2foo$GixUf1L`+WwOY^39orhM~o;J)T?pEM-rq{D`5-_(TR1RQX3X_*973U=*Q)a!| zT)xtp~jK5vt#d#wtDKXNU3NTW>7(d&bgBqhZv5mF)`9Dz!E3^K)suKGo_N7oS4$?rCQ` zZgKm1>gy@@{*(L{rQlTl`N9?231%OR)8==MmbM3j97gA)}x=NaFKOU=n6r<-GEpxL{Ux=J+5Q$2k(fTH@88^-|Kj@*5perRzL!x1eHZk4cczJJ%%m5 zMW-+}N*TeQqiNbCXp%Qd*>q|7f<{6%K*J_%R~|#P;k_h^V1J%+^6QKc@m60-3c#xA zPmpxbzsfuO&MsqfjKXjTRGp;3wGysvW~mXI=* z08F-?cAL_YhXzOge9@}&kP_vYjFi4BjIf^^ITC|2?50F>wDzr@v_{k5* zIiWG`kq1_v1e~tG*%3(PUBEgxdLpX9@?y8ehX=R-J2nP^iDg06kM+t|EG}peUkB== zZ9Gs~-8EIGqvMte+aS~ux!1$metsGySYt^X9ls86^5!%X3dMI(dfeSW5v}1I)jeyF z^MiVxr`_qlctYznsE4!#)q6S^qluTpwI2USp#*&$Xfumbwr$>}JCJgbhJE|J=MpE5 z!Wd(?Em8$+D%qrHghc%tN_hfeh`&zI3+8h1L~IEE#O(+{8YfcB4@QQqL*n#InO}>| z!#m)r1X@d``>B9u^*`;{yH%Kytyp#E6OOH7Ytwtqi}~MwzB0q5Nr7LnhyJn#>V3N7 z%&&z=6Y?8itM!yu)c2=ouiKBM#xb;qB&g6SN_OhksSvMb0S7B51GNj*%W4?;s38gb zPBcq8DD-3Izue(?c!O!m?R55ZSir1vALQrbe?IKpL$63T=QW6F$;Kv#X8oLdQ4~9Uw&5 z}FmBqu2ou;lZEcIodlp6@I zRU&|!N67=^ET8+EencIY(dzfPgX#KCRAEb~Qfz~PZw^dPJaVX>1?KaJpRIvlUALvL4h(xRLNEm#Zy?lM%YjFCoNOE$*Pj6S7-FVPKVrgNr>WF@>m;0Sw zmLYBXX5bp-$=r7rLtUN$I%WnK0cyKJobcQFL*2tWbYrie>JF82w2FLEOHD*xqbJ(m zGbaj|0pw4VW#n?b3jWS_C1Xl9k=47cHRjAvN;%%86(35^MaK7;^>|5z4@ldd*NP0s zEd`$BDufCdpeWBE3e|q)gSiMNV8m!Vj<~Bm_Hrk5?4?Z$vw)`_{w#8~{$R#vU0%W8 zv83ts95VCo z+Q*6dE9Ji8Lc8NW`|T3CIbPTqQ9o~*Gw7v@!jz9+qx;OMbv!G5r=$GxJZD$KI-{xz0z z!Ijx1n#xX)=nd}rp>sPP$UAZY<>L31NPJNH7$)sZ_F-&e}^sw?En%hEd*C|{Nei#Y3 zt17%-K)Wr+n&B}q%le*lKIG994cQRD?^D>D?0cd6rv50jYN9XP*xjH-4QvXtru%j0 zq|#X!{{es38l;QLER9eVcS%^-vJ*0c4*R< zMg_R$1#>c$%!lTb-fWoe1TY@_(f6ZohkH+WzDX$7KPKXA<_ahXc6W*jCiu6zZlGDMt*nhfK zNn$Fhie)hzCd9pzo9Mqx8{L#(56tLUUt|0sSs8wo&I>lWQXpNTO`ExWNt3fAL>zdO zU3D7tR1%%DRi=J4=YQ|M)XJJ8)=(Oe>z_aED*y7@p!to{>_z?5IBLGbk)G0L!n3R+ ztY=^L^jAfi2Q8e=gYO$dhX|gG*rt~nN>-UbBOj=L z5o=hL^r8;)IXb~tFL&d?pu@8FbEU5M7^HB#T#wW*Aa 
ziXZl-5j8n+93EP@Yuw$7-&6|j`cv;F6)+&(dWznY<(SZMxfRk;w)J!UBg$Fl;N7sdgzA)98=GKz{l&y z5f<8Hq*;$<=YvneG1Sx6O`hrfM)7H|OWX}xwN0J?_QoL{Or~)yKPHOZ$axnx)0PFu z3s6Ku6p3Dx*PkJh#-7wDQC1muO(ok%m0R{r%!>}qH7Twa7moiFZ8K*(H%`d1S{4a1Js>Q%%SsmdpwJzcbI9|Y(n4!{G~fP6>%^ngd$1DD!>N_H-v zOyWq8hBDl9VahL&>6P*d2Q*uIMVb!I%Yhdi%GZ~a_x;1_d?5UtJ<5Pk5x@boF9UgI zJL(Y50SiwZd6+cVuN0{G;&heE)ivu|V9}5F%yB2Tn|3ITa#3Zmq?ISCj6O70#O>5t z8S1KYX0@T>qO`&8ZB*w;T2%Rp)vc=dPxR3&sn2KG7coo69T>omJnW(m1AMzu=VXu^vLL!npZp&r{eVg1C@ri6dfKJfH~C(7f)UnA`4F78x&l)7IO~-}NvT z+b5qxn}!u|(Q@f^@!sS%resFFe1bK2UPd7Z3|schxNe|%XYluTJ8ISG()8IJo8zDL zD0|&U@k&wUz#uX%IRPP|uC7QO(?Ipih{k3s6T4M2S8cU^(=JlNeY#t+j670=FA>b? zn4Xb_0UBB$y>R{Ybsjlnv=aClnn9j4^i|aHpU#01vo{&{c$U&H*$^V1mGV#nPf?zP zK|8$n=0il1Uy41Fo52r&&4oj#$Bw4q?Vyl6p&i-J;1wG4PH!-Ia-s35F)R%3Ao@jP zx|TMM!S#E@yW-KrsEjFw%pgS%OU@o@kw&|94{ze-;P%fsKj+2Utm$72TyNR(2ygNJ`ipQ7gDQp>?xRJx6TxG zRFIH}r(_A=-|M#+hgv`DzoK8G)m!w7bo<_J7_wx6VY^Nh)#w}DK^{yax0X{VJe~Z% zV667XYE$r$(lx99|m%mI8{Vv2hAGd*WMCDLI%CBNA;y(nz~p5r#wgz3?4+BspB zmeK(@c<~B`uF`N+DK=pv5SykQe&@Pr2sO%2pZ3pzK(Os%bB@*3&>Xcy1^T{s`La(4 zQy!D0nst62MVnf*vTKJj9&?LH6d)&zAe_Vd{FF4S=xh;eZGPAL{2wLtG0RpHk0b>X zSE3tJkJJcN5;L+eB0@w#p5wNEVPF;c7nBFNHshbaWDhS>gyeFc!ix(re5K z*v{fIEz$GbX(>ap7Ux&yTiCi%hK{mY{M!896voyAMN52SRS=M1qXRc|X3?jaMk7o3 zJsr(v^Rrz`hS1rEBHj5eqcqoY&a_^**lCoGlIq(0U^ONFcfH^Usl$@`pnl(?=HGLl zieGi^5P3iiQs9hanrlQ8R%2ykvc5f$?Lx0vbaCRZiUMIy>q%;GN{SC z4WzN4JJ)r~EJ8Jx3O;in=dY0FKsq+wbV{Mfi+4uS!CUtIjEfCBy4fquawX7vH>CBc zz-P1~6q72${H;lGeTAd{j*&=Nd{a{KGhQZwwof*!Cy9U#un$fdGifJ{+RQXteBha} zszd$tD-tvk>Ph?RjPRG*oYppAudqzQ!hlCi_^~$r#qsr@@U9bGaqM5mjH_4Yav4?^ z&vdwtU0Po5_8vb!+y5lL%gg8*T$-LnNQgJWmXKo6R8QWTp8g#ff6X);N(`GQE=>Jx zI!q0B7c7h{-6e#|4z)Svn_*)u#$T^MR5m8wXo8+T@1H=SRa#y0djZombZ#DpC|cU9 z(cpp~73XE%N;T6b{fIDW>>}kWrGW3mB|O3XaolGRZ*4SsE&0JK!>yleXrkAQg=mdy zc9i%Lt!bUgy%gdJ(v?uPxCPJlhSqghjrIiu{0o@9fUo8v?~|M&@U|S1Jo2YJca4(B z-}}`~^6-W4l1Aq*-y|^b2Qfo^sQ9DllUNT&m22G=b}0w=_g=U=eN2` 
zgkWAx%vNZuHQVe*6^m~v%=BeGL~}H-`&y&Ic}Iwn;Mkxd9~8mBGVC56#-@|LNxdQsRy`Jxk3UGlhAJ0d!Ct9Cud!|V zYWDwYB;BW`c4Mbad&wX}5xf-RX8-d(z-}z0CnMwnji7bLr~Ac9e!Plv-$RY)p%_>9 zXK2#RK10QpX6dy~*NPB3%S82K4c}|r!ktb&oA0eUQF7nFh7#|OH}$Q|h^2(-JYE`w z;B2XwZ~mXJAuiF-ucS_uupRD0Yvr$|rdH+34fu64mq@)<5ulxRNUAbTxTY-X&%gCJ zMl6Xm4)aqoKfnOY|f3JjV(gmGf zS@Ki0m#I(AgT+5yN_n(6!y`118Pu2;wOHly@{bT@sY!iQed)p(wcx;u!?%9a*yOgY z?~~IQH$meqIrDy4 zfpr08kp8Xt>)2-{ovr4BDjoWD0;KPk4HZ5FPjc3CBYlXMvw-{GJ=_}FNn6*$r=%{1 zfg`jmn%YUI*Tb_?(G(SSD*lnn0DrI@ZQL3v`Zrcd;V+cwc-yuv6o2&=obj~+q&IB| zkls-EL3-QH{-ESu~{*wQ?y&ZRqs^K_ell!=T|a z%u%Uo-vIgeDor{mEJN7Fwg4FS-lM)c|9{gxe^6|bxA$G_CvnEf%)^^ixlnEEp zW2hl!BV`4D>E<|!5#e14D#Sd+FEjX1kY;XQ$O6nI$sr_$Q;fHM|S$Kd6 zK+m5Yq7owfXSmodHftSQE-E^Fo9z5!A4^ybK`e zZ~fdriNKMqzoi$FbyiNz`&By*5S;Cb!4#C)`dCgYUJVw*v^|NI0C9u2MLDx0koE$@ z%n2>8&|E$9Zl-9pBd!yO$=P+;nzH_sCoI6%HxJ6!D;(;YT^E5FhYO6c7wls5XI%Gr zNl>2agpK`pOK{ekkq{SmFLb&)Q(+B;>5QFGikL;M+g)s>y}rtxO6ykFOv1NfJePff z7YmW?ZAq!{9yX%Q1l5|W&PkzSL4K`cBeg?rE|K0<+DCX_v z$HapC@E{3S)2DFUg|ik!=8nDV#YYbfnrtJ=k67rbwqgs)jOVcy#|y;`nPSGOppk@o z`>#ySk>`nsUP{$97n+{WHp@u|HI5?XSYlwQWgbJ}-yz~rQKTRGa#rNY60o5e=Nzz{ z|9n34OZYwpQBl8BusN5U?z=F!YcuQ4Pc6l0;K?viptt1~`G@!Cmx!K5I6u~%5cpOQ z=KZq!uY05&!zyt6a{^vlI0(a8Yx*_N!n2%)iI*)^Y9nP$ywMz;FqijAu)T;KO*uTs zGE3=pn>dYd&?0ex5=M!@S=lm-t*~JB?c=Qf+w~K)DO~Mz|5s=tBguu0Ru9d~nNJJk zyFM2j9JtzbeEC}19zE^OPbd35w4IggkysCMA8&==0pPQ-(*_<4DU|YIq#HQjC}0S@ zbUy6z=3bhwTN#XWh)#s$S7j0`yZd9tWj}vG$Bk3a)3At$C)B+L5Mnj0l3stb$9EVh z6Cj<(KVwR*h`qxxCd{-U@f4dByVfO6Q`GObl;Ey4cD9z`PSb{z)=FcYyT})kd91ZH z>GC{1UQ=%@KsRbUpOHtLai=wSULL0$Hbr;*vESqe*0AC_z`Q4z#Dh}jn-OO5qWJ|s zRYVdgJmsr1sqzkv_b^AI4LkKwLpYG_AYK$0GMzZUIm-E?7mc2ddlI|(y%yH3#%HEs|li~zkXdudC@byzr~C_HQ=uG6ogGNWRtZ6(R&C3DLR@-n1<0_r zqhg-Yy}G6zcX_a8Y-!PUpz6--Vs1RRTOL4hJz1Qi5j?LnOtd*0uYw+v#ty<57OKZgIwBCUIO`WgEkH}|+AIcW7MrR-T=##jia__->-2_>-D zQ#}U08)goG)+;e8GPup*ce_Qsx^WqOHTm!+;4FB|In%Zrp7xL6|3RMpWfa~DBX}A8 zQ9+=)UlKQX)lV)kIsNZhm7l0N6sWuIuxlRQjLODaZB*+CwVdjvQtd(v#06rC$sQa& 
z*_;1Fw@!4J2L$5nFRF;C#Gv4*^T6U3&dJkEi`1=2TzbS@m>pr(FL2>{%7~0v=6p#7 zSUbTT<){>-p}8JQrqumODrT*eBk5L&^71{~R|_1!tp9dLMRz7{sIicnb79FLNbv49 zVsOkR;MBI9(=5iFswUBuLf=d302{&?f*nLyhu0Fqh&yzYyF3PIrIcwPWAB59Nmch1 z+XfvxZxFe4b|;Bvj56yrLmb>mPML0tlzN+4yt{KqyMciFAIbkCtZb%}%PA1KX>Wez z%JqKv&s%aW4xoo-5GGw&pFMVlshSqFxG}3*daa&JxYBC=ji-y@x!0!yo+>A9m_5T#WAK2V|hb>Dt;64m)FG&p3ja2G2rz*NkMfN(!AU? z`ZT0^ypCGiTjUeSmrx@_a}c}6C}kxdWVXf+VSbMUTk>H|%>`4DJ?sM%%?0&87g8YR zc>hQv;r>7ktM=v+1g{1YwH;-SdMYh^Wh!rF3U6e=%RF0r+81yH{1?1=IQC8A;h#%v zjgnlf)^wl%24%n&KDDcGOt7S~?H!*-c2r?W#gs>W`@XBT51u=;f|$!S{CV zDK#q3%9%AYDWfd%{mkV7?zK@3Sqo>cnD$F9cnb}n#2;YNQ6hMXED{tqI!lsMUAM>j zdXAM1Ce~5Hc9qKnsg!R%(3s#{RNR3GLn071mtZw^&tEK1jYn`0r>J;lt<eTn-&#`HP!ykvUpQNa*K}IlDjnu0IjAi?KWcn7@L8iP%Mt7g_Kw+xm5z!) zuysln&!@XJS_q!yX{`rZIac*~lG}Dqb!4T95w`QX*;A(|zu_5}0u68T zT})3je+5ivlZ2mGc*L1;p{L1v#C;zVF;>!Put}S&} zQNFS}Vl2@eN_+lCL!b}-4_hX5P#ZKpL6;5E(Bu;-D&|t^Eg+yJ>3T0@xb;V-|}urJG~ra<%smciGlSxOJDU;|AV5aujm*uc`gz^uaYa z^UGLkupaK@9cHEijFjNo31hat4^EsG7i9}xRx;tmd5#4B3>-zM%iYP-Z1taxe{OM+ zRB$#lgI^j5n5#->70yPECokQh5+FV|gfgLX3LhCNVi|}CDns6bFh5=XXwcl;_e#=% zs^JgxdZi##V|aTu3)@{M^};={@hmU4U_C@RV3d!mBWST9RF3;24Hy`u2oAjdsIoh< z#Zsvnu#2#de`=Mk&KxZsPWrj>>$KNJNjdPp^i3PSldV@4sewVHiN~&mTMJP`gEdut zug@2UUvzN*wJhv^0LPo2kIy0p)YQ6ZV4{}Fj_lq5_xf@k_n%YZBBFYYBz_NYHq~O1 zo*N5yCz7gcxQOTh2n&cP_|oBv+n<=q&T*6{b5|YxtL;`W&fxnnVqG2{>gBB&Ib-s@ zUP54O+-l~oP+(LCeR|nVdFt+#Gtt}qSj*4Ui@lb)=S27Nv|d|OKs;seykf!Mom&=L zNuYy+B)^sPeJtRIlJk7Brj0nvL?gB^DGXY?QHZYICMKQKaAKYaq5Z}|KmrM>hLUsO zzmFvfQkx-k(7Jue2nhMvO){stMvn+b$OU%g%h^hXHxtWT4EFo$#8p9aPTfYXJ{2Z0ki^G3!E?ZA$dSAB6l@;}>tPfOMw~$`}@g$jC zu|t+YKBI2!S7;_A86^Ix8#I2&P4E(5b-JVh=fux++ag$0;3+qWPkp~m!A1Y(qdFH` zDz4KtnnXbWB%FfSpUIzoCmb#e_Olti+|Ljh+gDDTmt6Sga^HcP!-n?c$Z}rqA{|P= z%pgYhny}j?8coG#DX52}`A1z(A(cz*f(f=FurAjY+8S7pv3>;nq8nXG zL67&H8wnv@rR1yiW!mj+E)BY28TA7?xfj$(6|84JZ;SqLFlev0t_%W_pKI|r5}Y!e z^Kyo+gOLo;`bn0x0gi?{6FD3<{P~tF-vq7&E!Qm89jV*K7=>OIb?&$KKNo+JzrL7#Z@2b0ZzEp;U0xkB$M-)UXy{*H`Y?t%@w 
zz@yo?zt#Oc0;Qb3g!!_@u)CU-(fc@_SsM#=XQXj61Upc0*Qm**(FXBv2-x|;>+NOb zh C;$0xjhYsfXj=vuDr(k#CEBCjjI{qPNLL%&sJ7h-b_qYYIO^%Xfy8KUY zIMZJAwb;v29v(__^6f<^;$&b%`(#-Sz1x&aYsxP(Z)Yb5eIwS_UU#$*E9y-4y+aBaftK7*iabwn=OP?k^=Ez#s|Kccy~QQfV-OSriA4ZHw@FcE{$KudO)Kr zi5uTSglW2;dW6n&2qWHmBI;Fn8TlatepIxm79feg%c!J3)myQLpZEt6j;H)?Oj@r+ z%1;J_gtt?GV=9qV)=-!WUjR}XLIo&8^vz^BuyO4=;3x1VPYb4)crI6a3U3=qVsbOmBN+2h*yr-1 zx$j}J>By(qe*0*33rqWnYg$|>x2m6CtS)AyZ)bk^S8BnY1h>7s=utM@WF@?c2z`}S zMlKJzb)9^tIkNNq6uqjgt0C%95nJm@Env)L?(2$NsPW7D>*LKk_r{5X+S-bcFEz?t z-G&O7*AuxJ!her}H|sgrk-d4$Kc|^mndHDC?NF-UQ>+5=bEYu2V`ohRp|^Hs ze^qaP12Xb7f$vD@LxEOH``Gs0*a~vRstK22<92yDqJ10C>b;$z?_3gd!+QljhGQ8G z2T{Sa_Q?76lh8FbQ**;SUn(EYg_3(EEqGz^pW^msFQp>5+l{TPie+0ch^IHCz?0tm zdYa(zA@EvJg6dtfwtGw>vO5_Djm&WlSG6&hL%N%AkI4py9;h9P} zHNpW*+MR5=y$KvM=uo46@`}&&inN% zDPCGY*X|kJfF>;!fdU zMwz-QavWcm8NzJ-U=lSJ271i3hAny8YD$R|7`NnDnrg(UxlPA6|qCk$EKNH5O%$tG#Y<5cQry{AOVy!k6 zwZZ_F=iOyYT(<4uGuhQpHm8lG5>x$0ei3M@VRZVFx3HaUtWJT12zDf@(aeLu@HYUI zKkaTV2V#nwFN$2?2ZhHp9+^PaHSapKOu>)k`dNww7@60wfb&Vk_ z2w#We81=jV*J(GErYH+5r+&mp_NX6^e%7GJV+KV`X5SahtjCZ9xQ(Y&9g6|k-`$3+ zh5se7<+w8AUNjl9f)KdhLeUsea2!Lt12tiFfBbU2p9tiedGf?_*{4C$NMqhWH10*& zNBVM=Q|@#p@g(Ca#qGaw)>h85;d8S8`MW+EKwxaOk858a{Wt3yWrx|;SStIT&O2H} zn6*GXtF7#aaBQS%#wO{L!FbMfk~ZVJKg((7%?Z4VYl!HmkURGo@s*g>WEs83!WF_@ z6%L`K%lNDI;m=1aTD{woy8&9x9KXel;#7}I;ksh4$`h5^a@NcU#@abn=~jEU*(qcc zgr#ixz@Zvya?Q5HxRr@f?;>)*$KtvlHv^7z;E^+}d8R$&%t48d97e7@0T99kyU534 zfI(?sPT)t(jw{byH?a(47@YVA@bTM@8X;50fxNbgNUGuB9Y^_Rp?`C0!N;Be#9jUd z+~DI&x?;sYuu2`er%tzv5DdHAF1_|pZ5uIfIEM@kufG_(oHR`6CyQb;D@&}ct6s>n zb#k*~+d{2hfC&@(a_#77a$t>dHZ?NvhG}v!A|J%RR(Ipp*=$* z?a`RT0JUZV62=6&hnQH{En~s0JrR^AS)OZKRHVO!1D@j$o7V%Zt$%n|WX0WxK4J;M z)`k5i8SC0Jx~wuzGqeXK?wCz;K7sntqCMhaKibgKJ|DcV`gtWXpWdsy0JxF>Zu94) zrs_^)6Fc78YhCUyGS9P-R%7cGR7JPi-T9Mxyu4FbrOiVf+OH~7*3noL)BEoHPjc8Lo^)Y(RZJT$}uN7n~GH` zqT2B>9Rr}*iX=v}7Z3NORGWZCBDzt~Q{WBg5*`;gltUS1#aFh1pFiB1a!kOVwl=h^Szy9qqYnGb~$h{~~28FBbf7$BN)J#kt3cvSJXa 
zB4RPt*GJ$~YL->$=ks;YvEEw8sj2-FtC-8DxmBEgz(C7$ayOo1+jI@#?k3$O{dOYVfQ{Z68BR=eslTi z+)SrX|2qq%O_;e~1fOXlf&)2>;z7}Am>4AWmm$(!n@-&CWhICJ@=>L8ijQjL1@>SV z_?kQS_M7DcUbaPy+IChuN9&C(vzVeu3+5MWo|;C4ofH#&hn+p^I`p2$uhMaQw|#_+fv=WU{`{hkOfAwvUJAGtYh(555S(_3 zUfDqqoxr+(Y^)sU5MSKc=_Vw?zJK(uq`cW?9*>UB^G%?`$eXBcrOU&^1rjp84o@rufYn&HwVcu~zdP|w|3j_ZLOD9WQ!!ahHv;Sx%puWe$5&@A47 zvnW5W0a_6d?RVZ@msKMXG)?>uQoZm9czbuv#2xf*e3#DKc+Vz-rD))?-sl^Tp6M4Q z(m^!TX4pu+@)5y*4VJ$MuU7cSYBPTE5BrwWz-);a`6JC$RpHtKG+03DOOhhfl#eXW zXBVTT9p96$r%$5b> z+EV0W0(_I$0-UA*7D!2hWz)j0oX}aMuWyh@*Eo$VM=fP+!pc&SmnvRCM;n$znSuEw z^o=HcYbx%3jmcYRzXIGI&&~vK&YSd`Y8Bt^cIrf>`WXH7IU~14J8c0J^eY&e1Pwan z>?uGtsbryFa|(Peu-JGjuLh)0L>+WWQ$$DyBl&oT&nFi!j#28Kw}JZgJbeRu)bAqK z7(@vLkBvNil)KdO(Sa_SHdwIY)-l+aQa4lvB3J?PU!Bo<2PIGw3jXJc&ZqPAd0Dx@ zfq0P?X{<>)ee#4&-*$qiV-%Km)LkqZzOwIR#xIPyUfFPYpO#I%JWufrII9zrDTTIO=r{bBG-^-n z$)G>DwB-!)ic0Mn*u&>zIJku66oW}UWDQP2k?8McW>8i6oC;+-n8UNhi9KkGl3@RL zvf!!dsXbm+oY0`jb|$fY!L5JvP zY(q;Ggf?eu#VV=g_uN-aL>y+~;dp}7<^^5tDC(DnAtIaE@q7kj0KfLi0~?&Jm~z^E zd70xFk`OZY{J7nz4`zfW@7M-$+~)3(`fv?4gc?4DY@!`G#&q{*Z1H zm(%0^rANb1h?ATi{$)Uqw3=Mc5Xqr2wg5qVgbvnkSgMg(=g%_Wz36ZCA%kzJE*hVqg=4RehCX@N92tI)1NPS}jEQrX%Am|Ne5fz1EY~ z2)rwj5@D$NqP9{E1`OM98h|iv4(}>d-R5wCq*TvcuejS3(-aZiTkjcdx09 zt0ffEepgL2M{+X0gQq8!(cWQvoci396bYOK@|z)wibLz(0fN|_<~mXXg1*D1Z*An; z44K~{D>p#EScr*HOfUGUlVeSgucpwIyW46k5Q{=|NI%=tq>P$#M=9o%93gIdaC>@B z=2$RdS;yl0*8vFzNHmbml5KwcR)jUYAlemd^Dzh&+7O$}#b7s3sPkkJLxuW|%VfJI zY!hWg+UbZ6R-OU_v*u5=vnn;53i^X?71M8z_!mtkR8jfPJun`a)dn<>$Y0_*WFqgH z@a1YVEXdA!OVp;pBnmTvnuELfvV@c7br#l<9PNkn?69@A6Q@U05?dGE=jW41TcC4`S8M-NwgmBzI?!xj6a7 zl$?#eb#Hqop#smucoz5bQ+V;`tkixGG&=hVdL%~w#5>c^^1*ucqYN<3z9s;p&(R3k zV&sNwalplY{Aj451SQ&X;AMT0_p;jll6>YBd$O#M?2i85sXu0aI6L2Wq#!k0^H;;>}ea0oJ79qTK{;E;IbR^d=@~wXy1K0ll^T#q$NLd zh23H4vhsC#c}yn@C6@6Ef1*eEz97Tx zm6C(gx2#2MWU*c55SnlP`X?6j(%$BJzG1aYVC4a@HuTa0CVIm((vlsci5dBX@b(qD zE=sP_!XythUrN$Jp-3#_fVJt9 zu!-6x@5H18E9ZcP0aZGcY%3Aa_g{o6nT90e_vE{LIW80A69?4J85l7)L(%_QaF}_; 
zRLF@k4v-@rrYpQs10z}+kdu$s#xR#4M{paBPG!O25U?T48E*OKhlUjosp#vo@YaHM zLol3zN>8C{ZnHY%2r_?>Kk(W22^JygR4H=O=w(tK*Kt@xInx`jZbSZA>-ysr>P}3V z^g}d#(5bD|Pd)F^kkLx1iMK?W_1yqP3@ZvCX0pkZPj)C$3Ulr;hE)OC=uFWl-io%l z9rp>l0@B~v@F*m)K#zK@tXf|WCzfuEd6L{MBq4qp6+H^C#pVj`ud8u-90K$`z^eGi z)nLdzQ#);zt75iYSMfrS_>gBJE6DB~wUUGp{a$(Yffn(cpMziJe%y9gozyt>8|PZ| z=RB30Af?pQBP3@k@&L!e!7d|9o8ACiVs zzR@n~YYGB^?k=kh=PB{vC{y?%lBdrPp0jta#7Y$A9Qfd59 z^ndy0i9}b+IZsoD?Icq8U}J1ChsL0gP;Kk~PY=V!dGr?0^ZM(b%`pdUPUEkvZo}=? ziOer`(KN&xMprSOp*;IE)uI{EQzO95&rJHU=G80l9BX34bixm=Qztg7A*6p0s1_sB zT~!tKY^H;B2Yn&}z}$d&^I9#;7#1NOhV;0FaE9nalkmox9rw(6jxrTklyM4i7ev^7 z_ry_EoZWkWzJ6z99A zrVvo3msMXaikuEXxZ95ZUiB2(C0dy025pxM64>_FwS`=$EO3R*(6|$FbVkxFsz2zA zGm}~ylTCea8E2mhaVRYbrl%aO%;9ysWeUzKXyy0)gl z*+-g3RkYiPyrp#V^@q#kk~dbeqMbW2y(>z5c(t{q&6J)&y`G`cCU+=W75bqSRr6We zmEKFDbJ5TElr9C(VeU(w+I#2Qm@ylz@VLFAV%md=UQ6cXH0$CBU#h8)SeFX?7@8%E zt*1La=>u?Km(rM20ErSg@)8}o);#d5*Go5`j!opUM@l(tA0l(El4L9sgL@O-JhabhQ0xG48}dE8rA__%q( zP8%IH8o(i+JLvRSjbjrx75jX=SwxTd0jf!8Q!|!-JaxB9VqG*#B_UmH{@Awm#+Smc z&Vz)c@}iTOTy>_kp4GN#NZ?_zRjvcz2k^YoS_9ifj_Xz0{3r7%T^lO8>LC_ZAJ4hH zEHM1j1*jn9*82F;L+6$4EXzCh7NduJHXv`NffC26Q{$OVVo(*FPn_C=b$n;=GQemU zuQ{K$OAjStLG@#Ee)~R*@p$BbMt7=KaXyUg>nxN6WDYzp2?g(`!}F z)3`MFeaH7>zK^XHHF}cw-jR`H5p5|S_URqhaKxvuVi?jrSYQpE;bILj%l4tkiv~4% zLjGIRoRU2|5)+cF{^n7D#*51B2=3w8E!!r?nPjLmqg6R1J-Cd^M}beTB>IjZ zxGc2x!g>xC*B7ko-N?hxjOrE%2_H+*b;(jw-Ai>t#;iPnL5z0&@B`w?22`Y4XQj!W zr6n{fkta?eB%AmE@jKR1JlW!i(#9ywlUt5#X}p3JpMLlb>tLh?DR0#jkHQo4JkpKb z_$!A5_i&)=sWoDXlF06f{hNEKJ#tfekECH|@|Z#AMNRPpUvTNp?}(fL)Oj&RbPlB8 z!s&hFi!e9mZg&w}61(~Vn~rV4w7Tor(vqJGX$ox$mD{ae`_&pjVVq9k6;R%(yEmw*0VhPVPlOGh|*|n|f2F!A(p| zGj@wqPF{Mf`pw?1ME;4<^W(CjZ$E*t)|I;#XN(`9F8v^zK2{<6pB+3mNYx?Oem#!d z1O|CVs%$a;Z1*%5opczoID`&U zjsEL8py{>h{w+-!!It4M@8{b1dyJuIv((tpI{EZ^XbCeB; z1b6cQ7ZPPvIOUm1Hl@B8ATv;QaSB@@0yGN(83bEPPGWc4GNes&w@=Ukbo`+!Vs%SP=UAC;LHb;ScsM&1@6zMDt5CBReDquyfO%G@fo*qnbGtKDUjUw=tqKD~7bGJM z7Q>H>z4VMqa;j``NO?46t3QgtH>Q6XU}uYj8EmP&1!=WE{~uFd8CF&IysaYLjdXW+ 
zBQ4$C-Q6vnf=IV?cXvs5=K+y!X%6`w@c-j^zs|*Buf6ufJ@?F-1=43wT4TFm@bOawc_DA)Uu#}cw)p`j5_A6PFsy%>&9+d}I6;ESh1P_@2j0OWoLCJXQ z+SS!aW13qf#=3TFDq=1WuJKOW){HZ4CH$Yw?{PNHq-x`2{B{k2)^nuaD&?9RZy2Z{ zy+|Gms6r$DLL9_N@Ml%_ZI425_zoO+awS&BscP$3J;!3y9%DzD;X=gYi{ldf+ONPU7?$Ro= zGk;c@1wG~O)f%YXMA46pwA$xgF)&$VeTr3#s7z9u%qGEEA3fADIzsap!t8B7{Ripf z_Z&uYB#MhE{6EYooz7p2aW((WYC#SlZu9YWIyMBXeW&Z>g^D{{goj~mjKa=_tt?Jx zMPBb19HVwS4Lv^FRjP1AB0vmS7w!%AL>Y_RPH5s2%tS%wCeRmG;NglS5R3bCVrH1R zdwpRIf&EYI1UBL7pv-=XegvbN5Eh6|1i#45Gd752&^WkH_we5Zx5$iW(rme58UHN& zpR>yHf~yPr&HMAatNXypV%UGaPwmChWqE1P#pp^f>1|^1N0lvMt(*RQpn>L&|do2XB0BU z>AGVSd|r{|y^;L|ZTeq)b2W_7$3Xs=3(bSP3H$H4jug`uuBRdq5ESi8r@xElRgyOR zZEjX_$0s$19-&hparP0{p^H-N#@> zPVbiBSe)5GpZ%m_;FBrxIAbJb$daPRIGGlGv-h)S3a_!6Z(j-VS?Q`2A2Ly>b-KZS zqaw@~Zm>*|yV+B#4w=p;*=$>g2FTp_`0Q>f3O~6_cyI()bWLnY|2<|;+YSC_ing2+ zG(8@=$lVt(?g{7G_?k)KgWFQuEy?yNIl9_%HiE9>KSwAr9k1y(a6QY3`Td*lJRK2+h1s zSVcSU+g?i$ar*f=P*vipigWlPkBTq1WT8h@rJ6vCB0Kh(lF-P8fv8DBxR^QH-^lZa z7q+AKEMJ33jL}j;zo93mS!x~P?T;sE{@Lcw)7FU?|MVAfleQen%tG{|6paRkZhZcy zxM(Zd^|D~^TKbW%K!ePW67gnFC`;X(Qn3F;5rmWKI^uu>76VA5whXIPXW?k6V|~wM zGdIR5T-T}+?_a(%tvBW2NP@0`p`pU?DnGWQoSU*+154L{1a=sm8Gvt`V3DbWiQmXl zWjci@Ug3yny03{$MfsP>%0K!kCJG<6h55#NeqO3)CVY}A$vL0S&!RB+vlhYm2=m`M zRF9@Ai31{73}_5TQ~#~QM$~ipgzrmTAYYMQY-d-(t`0muZQCvcj#6ZVGX&xnnq||L zd-uR&?sPa&8R#1Wv$*WZC2vp*@Jh6~5B)c^P!qpetEBcZiYqZ1f%=&4la+ciYOh1p zCZ{4F+pOvODd;VoB@-j44bmeiC8sT^B8Jrj%x+YwOfRXW=d3F*s8eOy(-T^e1x{pi}Ma%DLS ztNMI$Y2gY7e=-(b(Lb@ZH3_|n7HBNP!qIxXcotnxJ}{4yii@_(d?l)_N?Tzl z*V3B6u-?#P=8t)sp9S6wr9JV|RJiQyh^@X!bKbF|hROFn8Eu6x*uJFjmJzUj)>B z&aVuW1_h`(dRHK*Q-}HBK{q+B-1TPj^X+-R3j`A1W0|okOaz>6E_svxvkHE4%`7jA z($02|-vg~XGHDf2OMgGKcD4)D^goQQajs7@$)-d=4=W=LC)E%Hcg0d`VBH0r@$R1g z#3j>3GvS?BrP#zOl>V`*DZhxYfT@31R>BCcgVhid|{A2wLpJk)VV9oE4)?3NLm4?_N_^wb;;bK5g zpB)!KG^KOIFzN?9425L7#z<_ z8H|`?xxA38G!647KO;))ZoWso8-Wh0IGEUq%Yb$ns7=w_^XAu>(QYEtl)L(Lsp>+7cca)3jZIG_B6#0d}gW^Bkpm*)Cs zeXLbjh5p$uigN+Ql#g=1;MqurKQ{FTP8-Q*i6ofhi!Z!3trFnAoc}?f>!(&WII{e? 
z(1&jorKJ}?DBn#HeO=?@aCPq*(wZ%E=rmyWfc>|@A4LxLeZjWe4FI2VV0%A@>)oql zKtiU|VW3)9QzBV3NOPh3YF07A!zO}zjGmL~6nLnH7k%z}Zx;FAhJFae*P`u6ro-5@ zX8O0GxTcDIMXnf7mo6@S+3tO}UmR=~0#_J4b~kyMEmLpDv&Kk-|3PW*oU6->$`2pU zkLdMAs;=P!`^;|8#T&TB6(gY&QybxGnYAIJ%zV3gh@mtv5~UinJ*gNBGoiQW`T8|1 z|3CZkh{?y$8&!;SNW``TMIye=u|oOT@wV&m9W&i~J;W8em5e6z?LWB=-1qN$lJo?8 zeZg^_o=r}5+*ieFyeBGq`oNd3MMI>#<5s?`x@f3mgp^p)Ru^FNIGI5TGA9?)=f{_Z z9$T}Xn5~Bq3KOTC?Z!&D-SinU23C|j(BS7e%eMJCM9XhnY}0tzKT%&FXrfn69q*)n zJ|-L{INR9cO@Z-e>H3R(g(gfBFm;Q4G|}?~biJm+ou}JR#1GrI6XTT)ZL~=Aku1M) z8L2Umi_&pK3>5E(VB;j|k^U?iS)@{oI_WIX&@fC*N$& zOpR%vj3DV$12EWSgpbdS@GElW?6wiE#NX0a;+?(WSesMu-`zb@y#SCT(L6zD%(3_{ z$Hmv{yEfY5W>0^&9G=VL;HyZ3HE5MQ70cXk`c275CeAnYJr_%6sQZaFigjKADZkPU zEvc`k*QrCVvF+FHRl}+e{~kcR8Zz?(i3hU(Rtoxir3+|`!B5~)+fe~PM; zA|JTe`Omsv(=bvgDhD1B7(Xy&#LipToL}TcuAzM33b(reS081f5UM1>*$V?NG`3#b z6a{P7n^0H?Qk@Y6vSou{d4fgO(vSiQyVmF8hk%Eac^X7{A#;Gar+KM1L*Lm(}u>b1hRtqg=1;_T^(MO?U5ADc8l}*x>Xk^Bx_tk1= z7!89IEGfBlziOs`hyhHAX$^PF9HpgM8V#)Nwko+oYADB+Jc3aGd3W6ziBpBt) zuNWTmTUw8_IkQegiKtkIed1|dx38~ZRM5x^=RfYFP$?5!=N~yc_AY8(Lhn4471#fc z#gWGy*+?k18B)aoOY)6v0J>?TQQJv>vWlkt$RPD2FZ4`6Up2#4YHqw00>=*)Xnb)O z2)zXaY%wg>plK8-8d?+8Vyim`Sk@?tzz_g7cL8EP*V4()eWhTlw5rfwd6)U>(am z=iLwxXYQ7QKbW`!%!0M zEVmV!h(;b4O)`^$Y~{g4HI^PlqxQd0(pA^>D4HgCKIMpt_s8uIV#PX~R3gNtYB zsUrE-5$%4Ynu28p?YA1EH}YS8?voa@iWzTmm> z@|uPg!TF=qR}Ye~`B4Nm8RB(9P zt{2`%brUHf+Ip~uXXa!ZT}7uqXH#uP{Y zdy|1DKjfzt zNVqOABFPb&A@Pn%Z=%_)3*LY>&Xd5NhZG;)q-X8L`#^8}^#Co^C?G9rgxQf~!fZ9> z1IAzHenka)@&J)76Urpq>PI2fsAh>bO~TLVlj)CZ9>Q{plTVF1Mv#LK>$w2Z&)|32 z-iYjbTK+t+_qBlVv&bjl=a#z%RC7U3YAlX!M-(d2?-n1Rw$UbFA}vR+0F^l4SpXmnL_Eu)#Xp3e0p18%l`WvVxxdaXO)BSqQB^5V+m)wwD5*5 z-NX_e%&=|D)mhH{$&qgsY4$)z&zw0b`YKDePJ%gf5$(K+@3MVTHmKjQ4?i#w+nv8< z$mr@-Ek{BlY%hg8!HHAR$ns`4;SaZIUg_jU+K<~vYa!v`sbj?&llZ3|*A8v%SaDHI zg3K^-q}t=FDFprWusw_>2Q4HsgiZ;0Chu#Q`jd_STSYS652j3M=2scWRk^H_P1@I5(; zix9|b-v`>2*No};DJW#yj)||?Zu?>H8$CYi{ZeHa`%wZMT*q}mu(vIKI+Qc?^7EGO z+YUIqZJ`5jR(5z@?W_ZyIXl0)n%QQk-8HH{&oY;{wbW%Vs&F9#@J;3_>ENFXoE|pI 
zH~Z|2V;#$CJ)seng#hvtu*N^umcPLgQw`#AXuPs%3wwFH;QAM1uJ?bfRJ< z-;_PGI#{_sE_T=!US}dKR zrg4|`(&gJ7aacr4Q=Fg34ACgRqMd;`9!siE(4z*HMVUCcq@K^OsdR(+1)dw~U)I9v z)jLuw_c*^(3q6EZ9wG_pB8eqdKhr1YXlPe;(ZTeajTM_ICK@Cw7XwE0r%@!OXv?eO zHS#l)EMgPSjHj8!+}FHl$A(DP@gH6ExMi?cS zNz~alISp960F5Hi*w}IWp%9NOwMuO)cv3ux)Fa0Qx;Va$EIv_P(}1d0Qs+WWv(AJ$ zrQv9PlF5$}w5Vc$bV-}Z$j5Q^qLx%X)Nf3DC0RFT{&pGq>`vTJB0j!TQI8xu&I;R? zR1>kp_y@FJz>7G;dX<>b(VnF;0u_|;g$?U#vC|sLXM-={$NNl4hur%r2PRqOVK9B_ z+m52@zKSe<36XmiC2$~GwC|?;^ zp^3!rYdP;xex-3yZORHX-%0d~gDoEr@6dZzNzM|5KV0X&%c@*2QdT-dDQn;so#h^Z z?$PkeU~3!A(e0Q16`TZx4j_(DM=D{|@Z~pBK@t@_Nwh#(tc@a1CJ6o?qS$?}^pp^iOgAmX zTp$qvOX~JNeTnJz@In2M^$RbM$Be1yeItFQNUA^ ziv%Shc9HXnxvtnackP9c(w--Q(q7`Nz(2F}j#g3+0>>t48H>WK7o-uB;GKAqELEp*7pSHauc+&Rh(y0~b)fmA38{%u>y zEL8&k+osyjmpc;=zj9X@=ZW@O`iVZ{+bt=3hR^mj`h!}i=ijvj!9d?}-&;Y7>;z$^ z&h-oN-M>GD-tCo5$|yx-#PJp7y?;j$?xA|{4NhiA47I#U0E9GM;*!l}7^hN^M69Sx zO_KZhX@-C53+^{lQ|R_+3seXpqYEl5HTt7S*9lpK=c6Ywm(E_ir^{hWk**_8HV=M9 zzK}@4$45~BWF(cxqTHag5!$ON3+u-!pM1NWg=(hs187;)u{5WRVGp?zMJpOG5yA`u+8dZ9V*VJxtKRS zkg)r!wa~kooJ%v?Ptb|KGW7*1pDDg+C!vcb4|<4wZ_R%EqaE;G<89A7^1uhlDz3T)FGOa~JwX|S1|FMkoTtk?+#YZrHw3x1cZJiQvvztn>qjuCY2p)- zBG6^{U^U8qXOiZu_^@6e_^Y0lg)8PfJl6aXwFz4AcS*0I3twXKeKqahyeSG@4JJH_ zDhYA@MsMlgZ`)P-fZ?AeO>U3+B9m?4u?9L99*fDvE8XK~tk7|b{FD`)R&UqLVOP_+ z_V!x;h`=Fy=UIAUOVhMEaF-kNK=~LtOzgwZ!TG#U`n+4u zbD#BmalF2|829Xc{N(j(`uR5P=9J|M@p;|s#IJ42vBa1|a_hOn zleoiMZ~L2qh7oT98~K;W?`KtilVx#d@}jG}oTN>K-&AUcj+rM#+LR)BGz6qlNq-P4 z_iiR#*%ew+M)qfJp5Q7pV0{xaMF!VZnw6eaj)EO`Euq!)1a$2(GvL?PI~ULRo#&&+ z-E4z!`Nf)wPd1AI<{>!OrUrS{C%%q(3lb;3Xyi}Nes1eF4`#l%k8rVW{GLw!gLF@A zIuD390|MN(#(0uO@MU(yCFmpvtTlG(`uMU|C5lj9OiGg;;|i`T<~_-8|>$2<~~#tO5wH zxoeC_0{;1z0Y1G_Yo??&l9f&0!V1_qwWZ->f3~y^?h7D90WMRF*_n*akfTe!gigPA zf;s75*sOd9`5Fxxmy|hCz28mK{O!v9X;l^(=HWFs8rBG-6Qm!>2eY8pq&5Bk zcLB3IK$rGm5N%1jT3hm2v!oH25L2DT0Suv>6E!ULws3bSe4VmTN)l;vcW4H&Go+CieI^=4s zimcYJ(2C`~A?qb;*jQN#l4&ZC3=|*ptrID2t>=Sg9*)gguTbV5s^%K0ZY84O4{r7J 
z?AVJ%8Nga22I&OO2V-QcpU8WWlitPPJ@Zhz2Uz50&P8It#}wIW7QzbS+h0i7~eMig}+mdcCiySZ}-p*>|19P}!3?xCV^7nCh%%o-NA?>t&P8TJKbkXRy{aJlx1rx?aotpc5U?BP#Be&QA58`Wii*_v zFN9UcoAiQenZvuO>?4Ns-vR^q0&(EXknyVw1o1*;qA6F|oBeC`OHz|U3J1oy4`MGe zFpJsh`47Om^?qNh$J!vKte7)nzCLdUL*I!6YUvqfKs0!BTA+Ielan1^?K0u4smP8F zg;!1#znb&h5rZ^aKm0eelkj*i^KNb1$9wo>tN)Y-T1(rBJH<+tX#wtqsi~sKYcjoB z0XD6aMedGd?tQ!1^ljuDcjLiZt+>i!`!F14Uall`Bgeb^)Q!U^( z4D<}yf*d7jQQ?Oy!$umU~$#gx8h~o54Mxk@4KFmk)T>*G}`~vzKya zErsWK33j^|-_(yQ-S|1%93=(Yns?8>k4QwyFTtQF)Ue)|N#9CrsOhFQW%5yaMiA+~ zed6&#@UwzAqBS((w%6FtlO^$yK|>RWr6KB6FPYKGO|5YL^z%gNq+{>)r|0}s`Z$6d zkF6#JbxacctSNpE>$~X~@{$QJw;Q2GpYg{EZxtV1lIKGW02c>pj!j0ZPKCVdG6%j} z%hzV&4-aq!LB(o8Zf4?2J+Eleh4ooklJi@2Bayw*M9hPbazL{Kb6B5UVaCy%qbF9c}TQq+%F5F91rA^pZ;OqAqfks!5Y0$h#Gh$MYhg{`9~GsH4RKnDiOZ-=dn4xqtD#F(aF3)y8XH zMuqSg;k)wqUg0EHBKZ2JkiqdNwC(-Z{-uoQtMp!4R_WwVz6Dc=GMV-im@0V5%AAE1 zKrq#~Aa8~y*>+`K%Jj$b3kEF;R5|hNKp?OdXCTcZJGDdkp^i&;*$PEqAzWL4VT2%C$8JF}au{V7%nwZ4u!wI`!PcX+=@das}R0snOHCj4>QyaoL=w);}`d2L|v zA4@WEtdg6rw9OKt_QLCGhCsw6jog+R?)ovCxwCsw>wc58si28JRI1i5}#Vf$;M-@rs*z8 zBem=!e{K5q@vg_Qgw_0^l`x9w)BYH~iz#uSHDMs#htc@;jq9gtqHAPKxIdbkbb-WK`XI5EB~OwlE63?3`yApo6e!U(^G z1zFwbOG-pJI|7%&|K;@Gyy$SUhQqHd_m(-gL_j(HBABs9{P>xd?t`yq4bB7lnM-R5 z4&s=8r|;JN?!4+YuteOby@mzy%Hm`;C|F3$2@va)EjOL@J~H@-V#&xmq9ii9PUDLo zwnf>PY=MBm@Q=Hv(4tOWA2!ISXQU6u5*X`91;GUO0e#%`;W!?&+rD`hRRcNlweM&? zT2eRMK|uNcAA9Q^xPA_=L^P=jue1J+NWMnLkinnUPbE+CZa?jN{oUwAI#l^4VZ>Dj zXR$VkV~*dGh|}pIif#oz+vAg*qoY0V$wG59RV95GAKpR?c>!+(mxSxZb0VMekkn;D zeN^#Mb&J|LsikM2mE-D)U4b|jVOQlgMSnT9|u<5>ThMnMm6CDcp=6l>!fsIpW32! 
zW0jP}bQWf6$UnxBetdcX793|f6f-X4h*vFSNl%*>Ey`+lDsA^8fhn~H?Nl(hgd$!; zwuoFI)#eN*FNG|;-mRalGkCrAP-kl5mdu^uY6ZrT2R3zjE;`R69#{Jo_rt{`{pte5 zX;#lWx*5niz*6h3KkTUw_r)8L`45MhM|#8Ode>Op>7;!H$1HB5isKkCifSvhGknlh_9N{J5Ic@eK27(i|BsPh zby{?sP_oznebXB_3xgWK4Ud(RfVRqC%K>kl&&Fdd&eJsM4czdVlo~@ZxH4LE{xdDI z!;K3-mjr=MPAi>bJ=xIQ^N`S;X-A?~L|(Qn|DoM3FF7L%{nZx-dbf{s%7-j}qNd$# z&SP~EoV@}ykiiYN+Ns)6_9y0W>>_QM3YH5JGye{}tt3}bo4?Ro_mQezeyQ!QBu{xO zu%CrtG_cD^g;cRwtb#bP)wVB!H7aoSo2jkx(j!t{O!fZ?O2F)*?a+ehfp+W`U#RH; z<-3v*P^>K$?5xci_r3cO{r3R~ns&K;1?)_X4{}|Q z@jg=_{4*QLi5g5WOl3@pg{U19Y_i{9L9lINEHi3C-Oyq?XlwMZ%A)PI>IhI;ItG2y z1^6YK8Xd>nIGAkjj8k&U6b@j*l?+3{L#=lEpq~DKQ(7K3Ji$_vzJe=&!M@>p7WqAU zT>ycU{N`&V1t3daR9N}D629R0smKB$u`_;+1?l<-NQi#ENp5W?*&z8Tm z1vaM7JRQ;Xn!!1TqGw)lt*J49{rzD4W!lKo+?MRgN*7-C@RA`X;qVKSa07w zT(hNllKZTW-s&$T7eJW^lHhjU!E8M1oWf^SS#m(#oO3M0XLsCG8rD-&JBvf3Chz?z z9Fgn!`;fK^^(efXmmF%%gSnp{z$2X4PNAVXn+e6YA$9s2101%8)Qk$zaVMmL=0jE} zbR&cYJGxdonDNs8RngXnY&=4XX}u~#D%`%(@+{HsxB2cs9v zYpuIPTjp=4-I@Y*J^2%GCB=;wK5a7;qfA6^yR<|7&bsx?O^51Q-nefeY32P5u{x#C z^8#r}0Pj>hCH0M((+$TsOx)h>6nA*+6<*{_G*m9=O+OZ>`t(wuC8_|@=Kn-KU-fZ) ztS-vQlngkP#1KY|qoghkLRZOI^vSH@#l(*kQfLxP&$G4MbcaYJM-%M6Jyu)z9atl9plzOx0|9KHO~;ME}y{E zO2k$f8F*)Q8HW4P3?1~iHbI4tkY~T<%DwjaJ&O+;T5S#)jxX7+=B=75sJT>52(mxL zT+9RQ%TCV@7fE3{P}ura+*DmFn~{IVw~F&I&F_umIk8oEwKF)cr8HSA<@-Gj-=!Ur6AW%T?h)4>B3JO=Vz>kS_`jS&EPg_Q zayyxDP8KPsSgz{2a!kC9olp*9LH{icsH^4yi?VLLrhkc`A~Qh3II=48^t0oH`&rq4DtL6~bMtsxCGC_%v@Cunt4kQTP|uLtT%FtM0;C?|mTeO;<*tFtJGo zCJY8?^~5=~gnELzEg`jBP=3ao6O$?Y+g7R7FdT7t@42;ExXK@ua z9t`a2ddr`B4!f)z|FuJhkt_wfOcs#cB<-@S zF~7FDr`KP3fH{{*tMQ{;hksFexr}RuTVO!V)bi%uQ)|su#AVjtYx)AsAeq^G@snV1z1EH;}2ROTza^>u-Lb;{ZG2B^Cvi`qa*fo2i?9~ zX@NUZ^P$HUwV!S;aTsGs!tLEKFhqMeG1I|?nrNvE$KCgbpmj$}16EGeTa%$e|Hou< ze69<#cVk9AAs)TqO9XkDt#@ZCB27#5b%-b;Dyk!zzG740ZF+L1%R76@uOj)kgUf4f}b zFFbRZ*YOCrp?9}xq)wGfup(@D5BoRLHUo23z2XzO8`@U|c~4yR&3lo!uQJaj*|7y* zedp061Xy+!*~-WG&%Gmz4j$OQXeFBm0yxh!u-yalO}51qetQWTbjIu$vcA#76@F)$ 
z=1m-*;7{i#&lp~42*syhYCiyWY}q#M*|W3V|Q8?rIaXLqM&Z!{gqu0!>U#ZvF0;z;2NNbT)v)ZPx3S+L) z%bvW{VCazbc6vw z?y}8tT73QeGEaJV;j+}b%CAJ$2TUPtJ?2n2uR%}O;6u=3dD{oE>elIzHI<%CTl_oP zlJg(nqG+|e(wtH~%!#n^DcUKE4pNA@i*FX&CIs7eO`f}mFIN3p;A{V&@H89_HsrFv zF`%oBZA0dzg8BiST;uVi^JKE7`8|VG!UWatB{J_wH{<6G?RC&lzJFvS+rx!~HDcT% zzM!GFLaLYTpa#*0EO6hWn!E_=1S_hrQpzu834FZ)p%T__L`+4tsG(Qf>(5?38Hzos z3T|997|*J5{^^+Y&kQdKGqncZoQ*r&{4B!YTsbsgxa`)T2_!7ZYXHvUiwz%$Z5o% zI)On6hy|HP>oPGj`(c%7;6{d|w4@TlK_S4bb@$UZiQe&-PN0k5$qV?PTP{B6$+{z- zDUT-85RV7^V$i@(3;^nG6cl5U+8R$3?-_W1dLymG%{NBYjJ=n7Z<$|F$_;bn-X(}f z^<*#uq^06 z=?Z31D)p$Y@S&?)yLfh7CpEW_Y9aM$Jy{{MIG*!P`Gu^U-t5DU??huE{Q3f)#=;p8 zKbX^XnxGhU-YGy0HGtU96;$=Pxe|5ef-MoC^-_1iuPm;MHgxdi=Zf_#D`c0^j|7NS zansC@wLd64p}X@-|5el*n(VP;?fzGaT<74jzaU)?B{GQl8YGOrMg4(NiRiP6vi!I^ zX!zE^r4rHOa0=gg4CoKuEUcpv9NH_6XahubzWfkGb*_uMrJg&8z$cZ@z}{T`x)~^6 z>W~!en1v3Aq)%VN5vZ6!$@@&!YMCjboU3ZUO{-f=RiozR zKiqQ2Ha$X?{2)z*_DjX@Ns#PFVbukXaQ9DWp57vQ>$f4(=S{~aDV8zDi=vj|i}H&| zIYs{A*oi`F;Q8u7RMSE%oo8t`;+W-RF#{dm+|b{Ak5-fwL$`=d0E7lqtK3&Z6 z-4bFzZ&nag4Q@K51c_q5qg?Bqr2b!KqZ6~!_*2D?xo){UdvogNO9$4axtepTy{R&M zB3*tAjIRJ6wceBn`>si|ZF2p^L(z{&Q4KhE*jphG>=3luh}n@fc;OWG=|KFYok5;o zbR*-E_9fuw4(#LbR?sXM+DRFljzTrHj1t!&v{d4*cYmH+a=6gwAHuM5{+@x^x25nA zOy#IP4$YRtsQ14nSqS$~Ei>^kgqBUTsh*jC79i_Q^2|`v#_n{@3jJ0S?xII{g0uIE zhqbM!UsQ*7Q9MOWQ;>oywZXk;0 z#jo`82c58P3!691oe1-f3YeM|G7YQf8zvl}xuWNW|9f%^3}P$H2h7L&78vx52j}m4 z6F`LCl>top+>DfX`%k}mw=B45XcA)EX~8hiOnQEZ#M4S^b2yqcCwX1BYZBB}zWE1j zu}GgQirPwkQ@vOJ;QC3~0CjAmQK0jFyB`R;lgx@N~0`rUVB^5&ZQnwX2h9( z;&J|6Ws8q5Z^`HpKphFfk;^Vr`ww0zq267Itd81*1r?%64qE1lhnXVTJAvR>%>$3> zENuAMe;toD$wkJ}d#(wEO!FXmpW)j3F**@LvjP>;i{OvtZ+h1FNT&hE8)aQOA&Wd^} z^03BR-$1F(`9YQzhJIanSt4D0C*|`n>&?XIygYE%FtTxub{Oc$)wpZT1!<8uFduf6 zbq$lcRaE(OF_-3-^*De77~po8p;*e@JlTln;IO(3a|Mp6`zap3uRNKQiG#e_Mg$Gt zJ?Ah1T4y{J;*rYm{h;&%?BD!U)Lh^*56E-rsCN|@%aVzi+brqs&;fXKDumuvsXDh- zlq}p)km6@WPq=*Kdc>E!kvRl<5wQ6A&76b*IaI2EL-lv2S!sI{fVC3cd4J*2-NVlI zTPi(G5>xV^`#-+vANOfZE&h~}N>q<CCSWfQ1|Q<{c9_GHEwc)xi-mN<;4Q@M~c 
zAGpoeSi3r$9pOeI11~2URkZ7Z&9M(ILL2Up*m*YC+p{p5eF^mI)et% z1PVq_<|PJ;E+dBLB-lFd36UW3%} z%-c5#S6a#L8&jd`02Rb0NI0k%IMQ8Mh+JA#V zERPrkr*i$E$vYq!sK(gl-~eBscd87h^?+W*@78fa%*BQ=cNd92=Q5g^2~6{71Jp6G z%elNe#g6LVdG$$FbI5CKx30(?p>FU6*2vC(xVVoKQeye%1p*=$Ekly>bDUFS($(0G z0|dg4AI}8Q7fP2JNEgc1huBK*2`HQLY(n3aWmwCsaqC_t0F8@JK@oz|Ua9+hPzhLb z)xOkn6KC3t7biJiDx71ycXB4#*iG>sau*1DvE^N=G>x|T*ixF zowBX)tX=vGY5^0$VVcBH(P5P4ACv)%XucMR@3)M0-g2VM$NFR^KW3*B66)L6$eQ;! z_1KVx7hI~BJ9Wj6H>x)5? z)o)JhQhb#^<~8&9)vt}>vHyo2E3zTz;<=Nf6y2=$u&7`Be0;Xz_C##+_r4!^iwjd- zEEY231Ar&W1$D%Sycn&yB`unzpHE@So^jXZkY;D$cCuHG%48|YemkGDJCZ6{a1Y(L z0t9Sl`w-$hKsYSBBf8*lwmEv1Ea5SF#4e{Ju2n;zB8Fr9?l$x}(cShz{8(a^O?&L~ z9zuP~eUanOlAoK0;`>BfN=xlv4=pEq3*Xv>8L_WkUoX#%5nZb-FqU>Ln?_?C>|v1( zRt{k^dqe}tNl&&2@Kw}sXUAeFkh4xM7Yt6}&8#jE=)$;@;S?aTa$d8GON2Ns%aRbx z6pJHF2HVm4NIkz{W!$VnqC4b{?>sd;_I`|5@RI-Xs5?eVyr#uFsE0+w9Ma@%XeToT zLW-%_?-#qQhJq)<1noFpCgySvpY$KF{SM`54^_hKfUt}-6qjz7tHOw#{o}96; zGQ+uNxvy&nGlZhcZyd2I)GDki0OVxQb69S#@mNyoQ8da zb8uQ;>=-}&lYv~DMTm3fae;Wem)oQP#`r$N?4)bBn%gF?&27U_xmMT}h0I9upi&a* zg`1q5so?|hRtA8Y$w}(U-Q1NswI%pf#|#V)*#A}=ponOZmQZ6TbmzejFBR+c(_;Ge zO@sITq4|Q_unI7Vj?E}=rV>4ha!*>Bg}hNc z8k!DX_6zSe4c>qQTt#pwc-&dli|i$db;nWxU4kl-f)}iBv+b&w=qt@hbo z$5vxBfDules*s+xs3iT25S^Ab=NIO*aU2TVkL1IE|2agnTDl6F%@x}un)18<6LrGy9_;odB|M_Tmn}|_9u%* zdKcV|V}o)z50^bYA49KU4sLW|A80&xv?wWs81A|%{BKhK4g(e<;)U@y zDTexKkQV@zBr*CyK&4UeBCHtcXFiT<_Mv~@yZ)NDrF+C|-t(ghhKRHj#7V_4JU1;}g2oBGlM8E)8H=I#%J|d}yBI6<9=g2ReAsL6`|H_`@-A z6wOP|n#%e^qMwZql0R}Mn5G;lczS-Bq*!T2CW|RGkxSsqD#kZK9v6J zyLiAI2-9yH=G=%ckvBFFTIG&_IXStob`+=eM=%%~lbpz>s?{uLE<0(ML{;5kl!XyK zfpb`eC4{5rK4ohsnQ6+Pr;PPW#AJt zd~J|EL@9%U55d8gZqyJx@k?HwVsX6MX&MkSni;w3Sr^5~S!E|!8Z|v8oDEpJ&+TF> z86~;XYB$y~iaubrPs}P1|JV5>E@tizmUxFIG3hw8lV@9I8Ip`MPG z;$hjYg?3-%pcEjLGuv7+;o4|nRrhkRtDvuNFX+K>sAa$P&@eYRwsHXT6L4S$aA_{d zdJk~3xoEW1e7YIJn<@f4^0tK>YXZObr71?*Wuw+Ts_JO-Tx0)S4AFp4W4Ir-zZ-dQ zeFcP7{^jwQwGzo{E^mxDd=3cBpq`z_<~2CmxwbdJ^tGgDWrG}lV!4j|Q*J#=C2*Wa 
zB+3~($O~41ZPODvQpmYweYH-^SrJi<(f*eAWtpgbcle9m6G!JA)@%7I@=s>|SP=Kw zFHyOS87ym0w}i0K!!Sl+&ZPO>FmCeCNn!VSDp{^K4Jl~#v1b>?T@lb!4jNc=am@JL zGxI+I@|)M14yt!q;DmJGH3cMJ7Vt?NN^cB8Vs#@Z`hq^|SyC0TJ#<*|Q^ z9FY0N4M{TCCKL*rY_9X1zfVFrPD{!?-ySnz7@D=AZRD9h+xZ=kHYW_(nokmEIf=8%W2c&-HN58 zTK>I%aY70^kzJYA1!+K^K9p5B{}pa|j=r1+dF=k#%^VnyiXg!*nBb z`FAtoV0a^M+3kprJY#~CGq5jl=%J?K*a2FarxfPs=W&BA2H=Rd2Zwbkttb*>ADi*| zIp;3I)b%6yLO}q=Ib2qx{l5yQ|G-}<0xI3)ZX%;kzfdqz5TI;Zi+y+da!m(f=&FdD`?Mr_)WC4*dad8D{Jsn;j}t1oxOQb^Q9hg_It>Ss3|w;zXTF1=2oG-l zUvl{%Xo63njDXdqv%~oTZ5Q+XBnszs`NQyxP;MRlVJ{CkD@FgydlvBp2-2&Qt?NN5 z)EH-x6ul{?f-aaVLNE@J?u(H}Tl9LXfgf!#rdjD?%EyZDDWbY>$a%yr+9ePJZgoDq zMJxz2jq!*Qt?`H(AyBW5Oq@slh8;Aztw#!Zi2{F#tITL)L!bNaq0ggc1hQML;d8U*PDc=N6E~2?VZ#@Z2E-k=yVXq17l?|?pqfe0I6GBCP zlDx=U-Z2lCSvjQLp^NF95_$iw=SQpujzBVMyQ39wH1Q52mr*LmpljozYiv1PEA5=(g<%;E=4W1SWlViLu0rjMwN+#or&S z`*Zg0C4Kn!*cedUGu>bwz|hM8V@o>mBI=G?5yOKNgC^4#s)05rlk{4BHMNJV8;s}e zENv{19@q7}dH4};U)wqZ>ZnTzZUg3}GQnd7&asd81)%#y7v`NI_)bJcE?SHyXs_tT z?W#D)`&{>t#*M=Nx);{*)v|p#4tRBd&D{y>J=Ff7Uns4@f0ETC!_TB1KwkX*gJau! 
zaOXyz?N`BbpT1J#S42u{pTJMrGL?+5CB#p;yg@6bg$lC^-dHe zxbyeS>eFxKnz*3z5wgjV@k3q?yGL%#2L9Zx5!1I#5yxjgdpV3$wZLu@prE7kSI#e|fq|-_ z27Vo1j+7hzW-k*gL)gQKW&1!hplB2IDP(fe)kdvV1TkkyQeAMZq9Y7q13a3xyjShR z&Z?)qW^*D%nr01u6A%2LUU2ce7mOqIiqtueKe+iF8Ez2qZ^$Y;o-3TwEE}vG!=(aS z*l*}uj%uO-kAeH*!;Z5t8%%Ti1@r?LYiIk{H*O*{e;@K!Pm2yj1IEkQk;vOeEV+m1 zE}xoisde%0q=inUu`CS`)Rz;Y0QKe>$A62rd6KWBj|KoXy};4;;tO$`wYi}AjNaV{ zEkd}~YL3c0K4$hr;eSJeVH;}|NWI{MAFwEWVm?XKuiX3LJ$qeLJOqQsTeFNM(hIZln#y@5?Jph4drxr*c4b(DJD{`}Fkt4@_ z;WK(Q*r6o+o5q>!njefXI&aLN0OR9q>>x8U)GR!oh<6i@pr{96Q0 zP#aipM33|tL<5c5Op+9y$}3wHh`1x4=M9~V980UG*hnGqbw4$(C5=?En-|WoKjy%5 z&qK3O)K2I*sQOJV$M=7=gTt!@Y^sDeryYQiBxcF5m^DC$7N8uJBK?2>Ii`$rjzS-8 z{~=dsVCOIgm!BciDk)_P%WdI`s;}zvVp#og>o?o&5^@_^SGyTpBynHk~Nj@S~)`#DuELUmE>`BdLI;DLx|T8}ZBDfvv;pxw5qJ zjIjv46dr6jlY^^u?e;Gb_mG0C+)gn&ncj9s4in(GcM9;cU$n{~rn^eHlVb5aO1m5} zH|2#&g_Ql&_DZMAT}bUEe~tHaqhB%d&2T2pdB5sXCS9GOpUkGjfmCA`+k@Z8l#ZR* zjf0aJ0vO^31=G#t{vi8k2?19!X6wqOc&AnlT!)An_j+l$x}Z`BO0)}A zxxTYYN5+;jkKKq6>0>Q4+`NXy~{^L8q>udf_Mx;os0YCj62MGFNw{&j?4P$vPh6J_U?x zk^moKTGK`D>ie_hkPao)ie-!SqGm#uaO<+}EGJ@60zfdaq+m{`R z@-MPS(jh17m6H*Z5^e|_QUWuXyVODF*Y9*x9#+EG5kPAw_*swR7)Tcj_U02ns>;c5 zCWr)sXrL({BxFAhL8TLheOk&{glxHwS9IZD;KuA5O@7%k)V3;q1hDgv4VSM-%JgxO zzZ^HRn%}l+gw6zTCc2sUIci_2-D%99E12uN*KI9KB32=s@38-K)WW@YJ10Zc zBe(?EBDaGp>Ch~6DR7rze3m}#>r&nAV`n;zG{xOQ*4^nUyGNc z(yIP4eJg*3PqZ30bL7Ku-h?qn7%22ncf1|cW6VQGi>|9hN$g42CKCNkf^Wyqq;D+R z6ahDuE@_*Se1i3}@t1`s67b$Psk<9Pr$v_p@6~|~ea(y=@)STi=+5Bsr||6GA`K## zOGY%zQFJ#}p&Ork(-v*z%U>L0m*UhN0mI0mMh|UKln@Q#0x5DjHP|3+SXl$Y~vxXKJR}#rg=PvBW2-7SxT3&nb$gv##mEAmzX)lIq2$UI> z9Ko8ODjm;HxdVL~J!67dA^o+WZ(~kK0oRacbiFfg$29K-qZ&e@YYL))>b12l!CY7j zg(!A~Z0-ibt9J!KC8w56C9JFC7A^q>%jt7+^0L5|;LvWgrYDU)liNftf#C*eH#}?T zEMb;^Z7QF{8hhexL!c(8B&^45+#D#o(vDGv=#>4=yA_Yf8# zwjm_Z79iT|Lo8eJHcH3BegTxS8izEwuDRLJmk+&UuAe6Aa?m`brOG+WH%aTbhaGJG zmJTPL(*j}fn8w6wh0t}NqkyS)_^mNS(km|KLN8V7a9)B@Oje&#jBQGz&4nSOn7zq! 
zXr(}TPc&3529O4lXDlM=TlTDP{?G0UC$@=OH4?5j)zV<~3%e#^(bjZN2LQ?& zG+OoHYH3M&y~eBr=GRwFq&8U48LsXDoBXrGyCqnf{J3LPN{^67xi0W+xASYn^0=hT zs(T}@ZZ6!LuHCPVuXUuKoGHmLZHzb0S|I9#m+GN11QTELyw>(w&JHRB?CAx6S`D3*VX!^@!8YapM|B1 z;vCCvTE;_%CY+pnpwzDQHvhUVqLVF+& z=Uv4em1~|m4DnRey@LWx?3ALOX0k428E_C+WooM$2yii`g#YLZ{OXaGF-2a^GJ!TF z!rLqHnP@wm=~2=M_RsvA@e1Jgaw-xl?cW~bWA`&~TRE4u7vh(@>x#=;epYHqWw>2o zw1Q71pZ>$LceIMeuJ>qIarZ6R@D9M;Y!~C8%EO%+em{ObKBa({#+Eis&9S(T($=y@ ze;=LpX?MiI$M$A2~4(Tr#nC>(WYA z_6EPCcno|&ol~=S+d2=ZM;isKy1Qo?Fx}(2xbiTezj95YPdAJ~VfbWR($M|cq40PYE1 z1V1{?g%Wz)bgYJbv3Bc+9T%%^Z~6gcjo}|NI<2lnLn5?JP;VwjzovgkkKQQ(|JT39 zm6)N-rm&RB>GjR$E8#Nl0}6N-v<*RNRiSO!;}juj&eJ1c&32c>L&H+kPpDvjND^?g zA7Z9{@^>%MvqSe?G*D_gA_QswMG2?;#?F6jCsx6VmhYcAYI2{d(bHZ6lAUlZl762@ zT!&)p6qsF05H*)#5&_3Mwkq&NkpKKS3$4K*;@C>i>PLCwzLq-tF+KW!G+=FLaHUMd z3GOh3^a1Y3&4C?vCa3!wKZb;te0pg{y_M#la&|d>R7iq`_t zKnJ`=${o(gn&}+}-p8Wj!Kpc6b=*_CpOMH}M?*J*2L>J($#WhF4*QGo90Jrsp!Bi3 zU(-9X&G-BB@RvUY84;hL=Ood}%XAD1ek+@7Rbk-^KEGK6Of8r@QDQ<5C?E|eT{*D7 zb=H4=%uapaHA|Y_b7=@|DMMJ`Hsc8@fseTYq<$t(iIA|JSrM8gzAGiQCxL?twD^F! 
z>*XO6-!6!HFEX+(3>TltxhpPvP4$pjG-DWQoo=3!&?<$P_|j6{pM*YUJn#9j-I3r< z1OmI=s2TCqzQVuT^n>b!LHR&a%)kFxTZs<0fVN5)n|^dC>W*{QJys#-)C;ueKdrz8 zG2RIiJ>aPAef9%XBm(|h@$#YfPUFk|{=o6O{PWKcQb`W#alvv0mJ7*|4{9&!Bx~%f zWiQ!Mz8bMZ* z=`)7akYl9#?f8efG(fjgfK9om&2D&|%znzrPJe_0`3K@K%t%kQec7`MP;&ySz)Z1Z5Fvfh|ih9#joHPlcyF`J>&LG^0 z<8pb~_b08X{tcyq`Uc?Y<&`vX1x|deb0fcvO7QLg(-~*v%fwhQ+iO!2f=CQk;qg%I z#!@K;)p0hT&aR)2!Y*j6JIB8oS}a&qtX6-R*R*y&Kn)`PvL@RSwZ~q{KB=zMr)8~GaKeoWki_XL)D>5K8z1 zb&B*xFHwjqjm)}}ysbu)P^T~Me@vhr5mO7p<(5e+K^|5^viaVC|8%ZwX!-x#(tY&KKN5m-G9Vf-w=sXo1i9Gmoks3aYfw8~ zKr-CfI+A-J`n}m}Dn9XUC_;py#p=;*K+dz$Q1-BVG5K@}4+MCW#;3scMc?N&rsip{}hx_h#BU@atdG5AvQ}Hclbj51Eix+g}gp1>j_wQ$u zgCv%|tjl*-)L!=|!Itps*Lx~1u`>BCgdaDV{1@|Cz$`biv;H#wYx(<&q%K80qP zX*|0r-bjo*-x*9+&!{|peDREAJ$Qm0!4@R6`scJEvQB6OXVk=a&TNp!6B#q=3Tz2b zLIx+FB_z@E1cqdXPAW?;U?!sSnZ7+7CqImeC<&h_ng2h3e~GC%b8>=-(!GkqyU41> z&(Yp}GQbS@wLLi=R&!ej=|h2!B?BH5u~0)+U*fTQXYy0m2%H$J!CwPbeJR*k#$1<=bZ#>6Pk6!&p!hhzK1`36K0jub+$Ixme zYKrVWcNLb-OjFj8s$CTsf~MEo*iqN@yNe%ZtMqoIPQ#K7iV*8}CIdFzOZ?~A{{+w< zE+l$g>Fk6#7iYY;VY~o;H8Kx9!>S^l=ESWH!S3BTwLGjIra$sYOV_Wjr$4drr181V zLZLh#SdxElg8n5nBZN}cc<)fgPKUxX{E|!kDIZ@n<<})PVtCB2KEl10|teA?90(TQ>b{Ff;l>r9NGix7Mwhge=td}tiJU!l^lrD`Td57w~{{ofoyUBUq6^vgl zqkm6T!NS303IBYJec)l@eZ}aY5|F=T$JwOt1Qm!viK&ZfsdW=g-aJj)z0eOFp@$0p z52qD<=_|qHz&E{MAPv+=L3LXw*U@X6bZcf0L!3orQnYEkw;5cpP{vcjvZ3K;91Wf) zNWmp6i%-adgJ=Ih{1VXmOmZFJN>L(DsJPI%9q3q3$55B3NZS3JPoICP8)mYgoq<=~?E1@!Dp5QuYE)tySZseMqk3&=)_mUppaZ zH5uv7JvC@)cRSc(@)2{Ad1~;(DLP^EcvurMjZk-WGWsgf6t(XWkz4CH&XN3wZ5bh< zURjo*2R}Q~%s|BRw=^bz^1GP2qz-SQKc%qY`^h+)>E)%bbr9g9bddk^$Hi3f_1H0e z#gN#qL9;f?+6*}y<}9-0sOxO&EURB!mBRyjzf6ZJ!sk9A$%TjX5hQiJf5`_n*)17O zy_Whbm;iI#;o5N?h|EDtS%p@ch$C&e; z-4aKxOpF$>L8DZB%tGkTN1v_CBt3Wrm5Ug|(`FV|&1-+o-0-DXmaCjh2iE@;G}Jj` zIzt~G$W$x;BiU3FOxrqJrLP|o*EUUt$dgb7g%WvNSx}&-KYLH8K-g<}74C{?*4?;A zO4tjsCdo)?6z;~|hWj~4z$ruXFYXZqiytU|xs`sEhswp!@H;)HuUpw+KvNCH5d9DR z5vhraFm>?y%4F{go!&#geLz_J*Of*VNbtA{J^hyjwN-|Su7rV-yRWT&R|`j&$8ot% zlem@uBD0oMI|&GsIfs_mi?xmQI} 
zH(C{Vx#Z&WqN8$Z6+jaH@sHhg;#LezUoIrT3Vbthg)M*NCG|hL06ncQm0rMBZ-pnO z1pk2RKfn(<5!W5-%Qi6AZ8kPwm)S>;xKFb|dENsG92)XcBq9K`HRoXmNesKPi1!9~ z?l}%yRj|sZO2G)P{@kNKhL!P zYZ9x{YSZtKC2Iu^zr*;W;sIT&Pm?LQv`k&1He_RK+c@ZLjIddQ@+1XTi+q5aKTGb`HTC49nP(lCm;ogU&SoMC}f9uB;Dg^ zQ+qy}8lo_jxbq=V1qx76iRywjoy%(q1VJ`?qKvE#SZT)fs+?CVjs9Q#M?f&&z|w*P9kL2GMmHYebGJp;H>81)N%}qS%5yB zdYPp|v-R~mvq>9fXxkFUc@O+uRK*tFD;$Lz)VG(>sF66ttu!_ubhA(5Cu`#o$1l5L z0plj#LJOdu%iquyqRO{LbE774 zoz4%a${MjNfA-5pE@M~rS8$@ez8e+txt!sEK_r+YT7FXT0dCPkrVcLwa_=^K{J!6> zuJJ|CAKox9DCsSfx8zbm`+X&l1nn0&>l>RCB9cF_k7m3!0G)(FB%5;q^crHr_p>gn z9L6!D+>d*Wr5TRlHQ+*#KS=4djgO$I|H>Br@i_2PR~&gm61aO5*fXQ-ugV|MAH#?t z$gi^0@EBUYTigmY0sjT{CdIzD)eimZ%SB_wFTgq>KudWc5-|s2q%6ZcF!aY`NezDck(px5| z+YG&*XfSS^kRIHnQLl|)b9IWse*A>~e{A(E3z#Tt5Zxyx(sy7Yo%~5e z9HB-4(cT_`;Sk~-8<}q)tl?{=wc2S#*ZjZYLA}ap6bGh;HHZcZv8>$Cn)Uptnp)Hq zW5XHDWZcb8Qo1hINpWd{ZtgoIImle5jt`s;<#e-fdA!_o5Q7fMS0=24e187RT}Z)x zZNT8SCPO3>bJYxtKcgpCLX2%~+#;Wi&_=rW`kA-g%TEUp>MeudSNr{&1AX8Yhz7D- zFgd@I!u>Xu6$(>tnvN9I$yl_XMg;CY^Y%DEQxz8Qxz!z!pCiVT5{LEo;nM#7n~n4u zS&E}Z3sMt@sd+OZYv*`B%MHus;qhV-}x8acuNAf z1VjV*otd-01wZ}~M#W>#E-s6mB@jxje_Y*Y2*;a2yx*0L&U*X?Iq0`Kgfm}9z<@1| z^RIakmdv3ECm- z)+Dk*AQ~vK&D>?`Z4DPsApHor_UGc|5@p);_@CqeY6t}hz3e# zs}jg7jUwN*cs3mMLnpdnrEp|n-W9ToUu2ZtCyT?+VftI<=bp8W7+r$DW<(YI|6+a4 zVxjh0*<#R)@rvvJl;OQ-7^#NWYki*J%Nw(0EG^f{^e(4h&O{%h#p~Zk8I+Y_TC7Nb zs{}1y->;Uwkk(kA|5I2j8gaG?No%C=<^n@K`(Gboh3zkYyXhL`G6)B8O{s;n9=b{4 zr;W|hvUssy!>k1oa4R*~je4-aO@FdoKQ(0HNX?4xIGW!yq$}o&PoskK=+dB?fGh~{ z#!YUu-?4$*vyB``A*MUG5&ciwU$6fmk5rw^Tl(SUBs_mow zmCX{1up&a<1}~9~*?QrqsSVEK-)v_#oa}Axv##|E3r*aWCEHEx>AzUNiFDlqoLS8V zvhHwRpHYQ=$3boQq#mqob2N%RIfrbsRJ9Tx^2eVza+gNHnN+s+nsa*;UE9Yu^B<-9 z7|xNfx<4~sqc?mab%Z>iGH|}b9q^Crd}Isx47{+!Obk=bz$ktY z^?hvNuD&^ZJ7x!(kKP4A&fv^-U72Q|5B?Se3v%*u&Hg~t2I8>`d(PM*22B}(!Nl)+29@`}bPD zNlzyjFUDV1t_Cg_f?tg&zJEd!Osw}1Ske?1Ow=+(FJY`{>-;H8F@H}1ZXEoB28wIY z5M>zpDeXs4^?7VO5%2f+Xg--A0G6SQAc=+*ZIJ(RsmPT*(1K}fjdX4uki(`*v#4qH z6Sav|3%cI)9#vjdLDDzz!O|{ZN<9?kTG|{VNO4rMFvhlHM`xgs^q_xF22OdwNk+1% 
zt1fQg0b(BGsd*Y_+`i~)=6PXO()mO63ZOOPI4VD>P&7|sZ3i5?&Z!@r1hne{JD z1mrelrqP#*@#RRGABqje@^_7cB+-#fKI;}r!gU+u0kKW=GQeG=b5&c_L!c;i`IIOQNY1^%1~@g%`S=9k+EVJ zo15F&Y+G}19&^t@f&tE{)6Jy{P>5ImQZ4W4EYYhtt5zlkr<1 zowQtV1Kb_CXq>z3l$H#X)S;)`Rxs9D$0gfY77KQYNA;OVE{Ur-wXs&p9C}>pievj^ z&OELmU|uUq3wLhZWPzEcxkofi;}bAj?dvGBowZaNA-RLO>^;VKp4NKYe<67}G!pX= zRY|z_wZM|~_=-Q!hwbe7FFs3maeFR$~x}#bX`5fLj&?sq^Rxzf(X1T-lFhn> z0bZOD@6YvQoTU@cJ6X=2J2R05jL(sTXAxpg`hwi3H?{FWcI|85u=+8 zMzZe!ye>6`5Z4C&r;)@Em}D3G&B)|#ivrNCO84Bq86!aLL%=na2JFh7GNvDE%H>8YA;qbPqFF^RlSAg z259ljMlxe_7vQ>FasBT&!FOQfwu|snf(o&ggiT7Wh;=mM3S&W>sq!<>#4i4atGrQ689%)kQzAaq+u8i*d#aWp%$ z{E@gzRSruAAph;?3`6LOD|pKZz8+l)MAqPSDT35N;&&z$%?b6x>XS~_LGzu!Wm)Nh z!~-Ui2g_qrbG+)DA=4ZfI(M~w5kzciHD**@n~qj=Qk%~IBp9JrJ{IprlWfxUs>Qc$ z9`x)a4zG61P^uUgHqd(PYCn(a-Zsgrpb6KI`vPQ^=8Y5}3kpSUdF2J@CkhQm45rY{ zm_F~Eq{nEJ)rowxxw_>zF?b&Bdc=v@F>5JqxV2v#>6uwv+p&#I;NO*gS(yAI<^rp? zm$1S%r6{i^;P)rs+)BIx+-NL5H^z^i42sOqwxHb>xyn|}$79*8Cdry!1Of}hrn%ju zDFM>#5xo1*tFomrrI5(8B(lz5g%v~`t;kxw*(rKK2y%u_yxnnpWx#|JOP1{{ky;XR zmaSS#G1;Aco2~nV&$N>z3&{m1&WD@%+Q)DEYMCYjwa!(&k2yp;mj@Eu7$WvnrXT7x zCSuTX$viFnPWDsHcjrkos4gZSBng<0{C{)fz5%kJQ-CAG@uaoIa7sZNdtHDJ6 zX^qLa-01!o!YKx97x{l1Ggm1T>coPgi~GUsxE#c7=4@1Vcn@k0>Dp{#`9aXXvaO_E zoHXz*^Hdl-&h|pDLoAzNMj2@-dTLN4)kvac%9%nG5={ifL~5c&LSe~>bhiugFZt8^ z_>hYA@bxy(zFsbwD8#t0kF~{jC7fX%)h0%| z97m0=Ne_(dS3I9z?-M^d-FGMheeYLe;7rKJ_Hd^CQQh;MV>XOE?$=WmLDJ&`W$h@zv_+XfYXMn}7;tJQ1h ziOCaFpz0qBsfV_Ir?0Yiw{1o=h+i5kClFht(*#9F3-XWt8H-L_+Rati;aiM&FOacd zB3M11@wLC88`Jc!J#iIia9OD3GR*qa>gQ66HfJ3@fH9W{G)y(v#Ja9xy|=KKS((|z z28F2B^2nI7L_f+l6~0PjCKSuC6&(&NEqa&y>C%IZ`L|O8F6QPca7}#Z>rORGRTHaW zO5q_QL}|9$=ii<3N#)I4mQJf5Wb%3e%2H*A!#!I^$Cq>Z?KV4x(dDA{TSdze7;5W@ zfy~@MSOI9WVUP+zlBM9zRdDrJAtRS0mR1T@-U#@bKI|xfL|i=^)hL4y@hNa-UDxE( zoBj>wGU;hcP&uQk`2fw`B*SPHPcLeVW)CJQFsZ{1$2DPwOg)=>IHa#_=?iG@^KSwD(ww)y7@BRinK7;G{G4%}MPWdoF0Lt``ctu$ zWKbFD6FHTkzR@nT8*J0}|K!NA0;1`brHh)|U;R~SxAbpIH$m%h8Vv5D*)n}>QA=P? 
zT3oq#geUFQngb8Tu%w6lxCqi5y-yHDAwxh9Mw*YFX%)0hI__Rw zSMUh3%|XTW;IHC23xz=^A=xpJzltj38#FT25WjWwIl{haZh05SP!9%N8}-f_c{<## z=^>TaEm7@=Xdfe7h9MZ6nBfHa&!T1AZDhnju>3N)JdP$?OJC#d`w6ze zSQF0%6Y=`w1$SjU`$g)%6tS8R>CJjVvoKp_CRIp)BVjIVSban0;`_-f=BW2IJ2E!h znyfxfPXdg)WrJWI<;@u`*Kq4@MFWtCk3?!fkCq#p@H^0>)x`iKJ^QGf+bXmu9bJ}@pY(t6DIjnwOf5g@*GsE%02#l5D}6^5&? z6brYDPHwPXNgyp}oLs5l71)bN=_$q;vmyUIR@y0TYV$*`4669pvdQ1L<=w2>91K|W zU!q&nN~4^hmhY6xLMeq-YTVBcCaH&jKy5FFR8vj}N0Cu>CQV z`c3^`e&DhttH)G_rfmdfOH@xBY1%m-ixa>VA>)l*ADK=9oN6ae4(k{MA_E>2a8SjC zWYj-;>gRb&bm)ykJtt8E?^2&`4^?ZNOzV4|yv*HxuuMyz6+eulVs;K7_;;nJlZd}I z(i~L?F9~pJ;hz~Ey8fQGW-w0Ho{j=C!<&EHxVJBp)h5)ePQshul=DZ^oencyVyh|Z z{9WrF;vWXbs8`syk4KY$9b%<`T6yQ~Q>$IMM&0?AY^n2mUJ+UQ#$(h2wOOBnr^O+a zObyl;b5HOC+5F<=!p{!(Hq8$$Z)HqeeSRytigqdOv*klfId($4?!; zmxJM#d!83VbwaeOxQG*;$8Di;La~SdR59YAwK9;JzJ`pagrQYNr`1ac?i3+1A%2us z2~4LXj}#0d$^40)bD60XyKqDJQS8tE?jDk>lCnMlvJo>2v1?(A;!Qs8Z@dy6~(dFuxs!o&~ zK*Lu^St4W>Qc``V8tBdMu|)A1T03tMKswI>okPdSu)1dg$LsYxWMO%69N#r8SlX{9 zLI#cQ|Kf%Z$2n9Vy%3>th^2E}trr)MsXQ)UG)qhf%-M*uGn91@-6)tpEzYBgDX6sG zIT$)|fd&(gO|TnqZ(%{=C#8PhW0~WM+Lw!2y>L$scz1zn6xA5SOQG_yu7FCcqZ?<& z+&!w1L-k}-NJuhpd}na#mvV=mH{$aFm5Q;+m^W1CI~3pde25cZLXwsrGV)j=Auk^V ze+qj{FkrL97K(^I6#Vpr`thI4_@w3tA%e32mk>i{0KGJv6XjdMh|yp1eY=3HAWo_N z%|_Q5#vT6;fOH-XE~neO&4Aham)+j6%Sn&?%;PYPU569n8(((+Lh6u8^MvI%cEsX& zak>_{7M@Hal3X)uEv5&;W!JnT->F)9%<2Qx{J7Siia9BZmmG4Qr7Lu<=sA;-Nm=_k z_AUYhhgf<=R84W;5ijXwH~l|FTM6Hq)&nhB3v4gZ$52slSZYj#s`N_{&20aU30cg@ zy@JqRS7N=>D42;Xumv23#1}2p75erdB%O zE~zr52&r$~3&+il_0MMa?bAEU1|Dt(SzjKF*`YpUd5^rGF<9^^;YxV&eYpnt%I3rF zwNWDrun)>P6EG+==oT_gU-QYiSmJw9Ava0o$%ADSy*Jf|-QSK$sj1H$oTV!5y$;~j zN5`pSj{Ei3+RJ!q$4vJU-x+OSquA{-J9*@|qxil1^1kq`f<@~-5ITU2R{rs_WC&sD zgW|Lbx0yp9%67F}Ui5Q?cC*WoqcOeKMCIB~D#m>ZRKL}6oDPSP%%v7$W53Ls@(e~L z65#YrsrRJ=UB_qR&T;(R`?4ede)-OkKR+!sKMI`PPGnynwdFFG-97b1;0-r9JJr;v zzUZ|@lCakUL5vR2_EK_5=3$9#vQ9rc0@dsT$#7V0REdX9y>zAo@+utvzKnk>E4<%j z461KRHA&y~Gn5VJQ)RDVXz4>jA4C>|z*B1Uyd0oq5 
zte9ecZ2`bbm>a47q}rIEP-)9B8@1i9+@o;_;diXv>22-(Ei*qj7XLPzE4WX10-NiPAqE`NC~;^`TDNAZT^_bfTWPlCe#(^)kGQzFPj5BhnCHOC zomw5s({Y#qUoMPhi!-nNLDN6K{i}Or^7Kw9EXyH1(_UWoI5oKTVoqJ=Jb`8b2QEqW zpw?6Of*A{T#FoJ$&5&n&MdaiDWvl&P#9c^D6Z&!9wOhn#s}!NTthll^ZA_L`r}+k)F~D5QO@@Qvd9n3W%Y zEclT4#TSCU?Evyg822ol<;)!!`a>S%a zTa0>S?_l3?X*^itdRF@roKko}6p? zuiw#j#)=?wVfrdYG*TD7;|X`OSrem8diDcT<4+^UwIRCbfm{O*J3GGfYe&;Mb~1(< z_Ix~}&kHevv5F>=vh4;dIjejZg@6XNlw)PdcO!94o;^oMb2+nIcq8D7EuW59X;#L) z6i=|tHD98x!p9QHX=u8O{QxMg_d0AX2Fsm7E!T2aZ9iUiwr*a$AsXDI%FHrGPUba{ zY2=L3Lp#iP_)8sMEnQnAkR2{x_mUCFx^obzEdt&%bW$9aJ?rIuP7bIE z`e^TJydNN@^U&zC?|wU&;NXCj2#wI9GaUGRvWH#z$8>6aLQ6C8HO7^sxtYK7)%=!q zTk^5bKEZ{~TB<8+f`@_{F)W^VU#|+R$uxrT{PsSUoV?nX zA=07?zB7E&fX}&oJOL~hV+1>C|16FrD|4-S=(Fp%LF&m~#6o)8qYnZ@FPi$QS#Dh= zv4+xTo?mS(W7;B5zviS3Xoa|cCWc?)x7L1UXA(;OSDZ>20moorwdz(@CLG z16Zb7{K~+Vt8z_e$ghvIEBM4nKu|sZ>FLm4Nnir-%6mQUzy@@r4yxp!vhO3%Xji`nJ({%lnHOY#tA7DR`+f+u9CGB@$(qKLAW6`Qc@NxJRGo^83x~gCkxp zs4TH^4;zg`geI<@HmN?vli9_Hq|Lm0>%KPbfvh^XK{z_gJ9cBWhNG4LbjP;{-#i z9>S+VhIpL~b!&#DMGoZLz$W{PHFo61Q8O=%K?@c?(E<;5Z1?MQmw=BYn!`BX_}2E) z67#Nn8XK3dwJ%1#40gD(vRojrqc7r$4|-phu+to0MBGJ8WlYb~?MKC=>Lxf3OAb>! z-q%y(CB>r(<&C%T2z~w5qzbnq$XCUyM=a=Pk}I-YVEUVP#jr!Me#Sb3iN9bzK# zCZBJco_FsTS0w_f?xWSeU6@0Xq_d)Xe^3s@Pl?S8>=Z$i9M^cRbcl>k1_4R@)3aY) zwrm|4*xb}R?LG$$7?-Y`QAfGdb1m>ySk7CvtjOiCsXMddNt!P~+MM$h)ikYEEv;D5 zZ!=5N=VLuA$p5{Tl{>hq2Iz+os*g?^l^HlF@f45TDb`uL9F{s57e#JfBA3b7$~Fry z-RyR`D>|ggjYO0syOxQdD2JTyCq9o%X>%{j^STkNiycI`*>L%=^RkCm&cHWz7R=eR zVlMi(If66=nvPjhtQmjpXp{qJfxPl0?}(cR42(I3Kh0-aM_? 
z{_^bp!TrW=-vSW+!E?GLTrK6YnffO-*8qF^NJc@0W7mKf)8ml}Fm4$A$S_@U`LYUK z^<0uz_abMR)Xnb1k=a=>y zyF#3?9c>vP+|@hf13|=*+fqZ+Md)sbO_4&6v_|>^<0%7&Qf#XyzGFEv z5rG!^MW%h2yX@Jx#?|5ru~b|;NeA}l{0DM&Sq^suEVi_|YGrpey(UEdodeU{*5c_| z^vl1JfPCONdxfMKOzmY*iC%&f zF#QR4;lGJwdrR%jDk6}P`E&fKj@iDU#v_RK-GA?3Jl=Ns?sU)K9cSk|AT$Ut*nS#f zU?`j724tC1GJZuN&L zHVg0NP>5JKc+~TDJfvZokP~wtg+rP;=3o*Vy$?#YxcGt?(g6HyFXR@TpIr&ncB@2j zX23zNZ&(yW;viZR!^ksyqu~Mkp9Okb7tCJ*g@f$Ct3JzjS%ClQ4G21>O=y` z`AFi4aE8sRysFJn6MRxPV<^0A5&&mOfW)E*@ms_~;iKUxL0x4T;b^|fY}HTa_H@aC zqmL5X*h&^gHV=C|2&Ra4jLBLd``>waB59WTi5E_$TKbpWaps!d?cXkV47XW;6Y~Jp z5{9(m1z&1^jvw;oG#caVG#8wbwvpc*p5@=n_tf1VE+4erU6CIwv|X<4dEeY^S)Y-A z^K!pFL>kGIjoKuUThCp#g*+GydQf5{D+?*0*-3^JCF_Og(txsL4Jy2;t9eJ?94{_d z=Fyxv(evx^G$uVfjt(7wrFRvRPwWxGQ&-eQ?C{cW9d74eRTw`A{YluEy_~ z5wT&D@Ae1x_Qq}jltS7F_sRTO4V<7tR1b6t(aVAt&?#II9rt3bM^gn#*ofR9&zfTi zfj+ru#;N>d2EEjn**61IJx<}Gp@&L>3-&k+1)Q@lnm2t*+DJyu)&C9DO#<~g-C5Ti z9ZP?t0_hmxm0r!~yRZaRm$QaKi+h-Z4=q@PH{q8MBhmp^15 zd*JQ-QI>+KzNGv}_w_wTL0zOXiO2t$n#IBOau50|>woCZXWSj$&WZggiQzM7+rHWb z`+RoHlo#&?8`Bl$Iul(={H%u@^Jn?DP7l}8SC+dDC1P)K!q!^K@~3tnI@e)t9jn=Vj9n1Df=N*~mFdlJ_Iua+n8y@dtiaLa{ON6!r z_u2qss#z1X7tr*Z6la)W_xE@!eB)0Il}9JRd5l^ilKTuKEo$l=D0{E!#PzV0^36iUn2jj~@!x zX=C`3aorWR|76sz)$Jz{bP4qhuNYEANi_9A%kIqPxQ!}5v8f}@Rc%s-^<|v2#xm13 zCA8XFMXPz~Nb#&PpLl0gVoTxW3+Dw8h`LeBywB<<6fu5W4B8zbjLsrz02M%TE*IJ)od)mQ27-Hp3cx_8|b?P#qj?zNtFwS)@d zASmA@&BT#tJ=O?J*M;^C_ewRUfEq8J_`?^ywih9EA{5ygU2LkV8q)`jogjt(V&fck zno$a&wy;q`4`RE|w!XZZ&*jRJHj0i{7JTiNniZ3pubUgptD@ci6v$lr5j!L1*NOSm zuCGVmxj*rYZoonp|6D@Fs3lt;G`q4%o${SE564)R4#-Mc2<(rNp@~b}X2{yX&-x>x z5U1QvDgT^HZWp2-4j_G$O#M^Vvg6E*V0~GX) z-GM(lm?@=Z=B3s3sd}^fElP}c#w+dFC|u*6pyYzZl5dkHquFed&G=}AVL$DD5PTZ; zdde4)3hw?f$;{IS6hmw6B=iU&`jd-l=0(_ObVONb4w%S=pxn3Uw6|C{}{x3QcqyRv=+~BP(a*FWwxW&I2HO}y4YZ3@jV}ZK3T4w&&qW^N z&LW&CRE!QES0$k#>op-YhQR;lN&L{~hfuc?afJYE9ukQMNY1Ykq-{#ibr&m#qoN$a z9S6x)5>0*~ohIZ9v$tNcwFP=Tq`&e6EG)l!{kl^*^(~9TkOJ31-?aP6)9@pbj zRZmtYR~0<~sPwQNw=GSf)^)T3!?bAD-)?^;`F4bN#ggMXliQ>2+^VA@nvR_w 
zro|#MKtdq^KWuiiP(~wH+FOk{v8_-8{6NaWBE{Z`C=+E|`-W#!^gzY`SW@UZv&M=m zDMWElJ)#>*gj=RJluIJ#ur@Z7@omA|cI>d??DIsZQ!7_uruwX|l0%UdK@57;OeyP* zj{cc_V~g%3^?-!#IV)$=ZKiO-H-xT$hHarYa@BKWRjd$g!a15`*^VD)50c~|+ff}e zc!7qVz0u$QTrFKMtPGocWrQGImVc{HL$#0;F9Lx6n7cE$Aw$PmlDS15DiY+)O4@jBza#bS?_Qp2OgI(JXx{Q`$$EEY1^meED%t-Is~k`T0N!34N!>1 zBw*2x&yl-4ivoW(7fu14pb~s*8<8tJ_w%lv54l2U8+AX^ZZC9ZOB#oYlv7MsilW=1 z6uzyV48HHHqp%D{V=T$W=kd7FlAijZ{qa>35hl0@XIPx=sThx#fy+Hr-hn+o)<7Q0 z?yOxH9n{}n-f;v0OoEuU=12V{G;JsRYPBR*CVpdx!DVnu6CdXT6^a(w`b}{JqTU$r=1(mI+W4kI{Nlb*-iu#A{ew=#_dnxTg`gSp)RG?U^p{`v8-$#)msuDy2dc#h?>;5+*Z}GJ2 z@bD(8+W3u+o?~P=VO_r~o)5BeaJc*lay_tYni~v`rYPH+4v+PrfKnLfX28KdnecET zC~#=;K6?3AScbx0)V_=^VvP>Q(c83_KnW*7mA6IE|umFMIA2nz^ad@8=EP5ambv&s9K2(bm3ubm&AUQmk2jW zWe4_{I0I@Zw;YNwiRb;P?G+Z2u*$lk(P%YT-nviKRA)BMFbR1}lPMT2Vl<-*Rd8yS z&YJD&b$r5}0#^uGvSq--EaMz&Mx4QW2E!-0{pVwVxJv?vtmrt&`r0m>Us% zR;?D$E81`@-p2ypyN`mlBs!Y81g~G;pOahYeWY!2fWr>~Nvyo&S+DLB#fEYZVy)ym z>Xm%$v;8|Fiu#{FW5Fv5K0O(cIbj1Nlp)WvF^9fKVB)IaMPC*F?}#JH?<|Y=4L*#b zf+3Z(Gw=x4sr`Dd@*&X{MeYYiMuVz5x~}-E{dMCsq!O7Raisi|w35i7Fogqe?z>Hr zp}E(uM_iVkjN1rmn zr!~Yf=3-?ZyqCa`N8QUjZ5$GlqL~HNy|05cDa#h@pC3ikYDa#S$8@o^h`hi=ZJ5rp z(Q2RH8n+tx& z+%AS#?e4GW332gcF88Lcjg$8AP*kMr6baI6=Ox)Ee+}g*g%pi5^>bQ58U#2Ityjo* z)*!94D`B>BGzmAfEX0Mk0;1bjLH)nIuhvOY*1x=C%yX{i`V!RBSAqdstJ>}od8Qew z!L{yV6V>`$7RKQz_6f-{(UpMQuR<9RdUSPF(>AmO1GNWEJ4}vhO2^5HV;8{NI*E3s zmJfR;VLiyt7dlaaIWCon!k9Z>JM(Lcn!%)JDb=p!wTqc??`&maa5(AVUE1|&4;G0` z+Iy~+nk($qLH9FWA^p7Accc&cM$-c&_dLzyaIMBfXvwtDx6)257d2F#EP#^XHlBX| zJ%i?j()OHsB*VJX z-(1eW#%sb`ZeRY94LtwFtf7wk^s@eY)!WwA-_~))vdlMJ^&9$B=>qw&Tcj|L=q7wC z4R@TELFC|5;ZZyz|1vE+8g&J3A9G~DNhmA&&#V}qv;`?Z%cF^0+8}F*U64J<0WH8d zA&_B@Y<-@DCNo)Kv9f7bIo}TB6z1~8)pFCPC*+HF(Jgs%X4cYes|~MG>N2r*%R0Vd zOcep9iEig=5uK3UV9Pa5|$iA1~xgrE4yx*j|3$wxAuZa>BiY$x^)I?oDJ%iQHcy(#D51$ zEj@>}?ZJX~`orzG<*`l1=BT!PnoHQ~^IzcB z&J?p%$~Mqe8Ex@B%rTLM`qM!%+CTv+A=Rq3B?SwfUE7<5&X7GiE$rvh=_kNi zx-KhBSdG>u*|5_|C2dhz3|%2X+S;;q+I$fY`8HpLw!M}h 
z!$ueIHYw7&6K?O8=hxLm!@Yen{LUmV^zJ%ukG1BDn6}G3={()lY>HW?nwX726cC}Y z2!!k2`TW=ZQXlvQlqMK!h0zUG3{A?6GYpJTY)Ie9&nlqrb_6(zRgQT}i`0ZpF#m}+ zi^@qi0wVvX2Y$5k1L<3mh@=7Rf9;9irMM*$i@?m_0KY6(7H`<;?znCyr_{=IzuD>D zCzO~5#kgFxrh!Xou|3zGRV_@AOR*t$uq9pftO+MFClKm=7aMZYcUdX+mkW(yeqeFI z$)sFUN~Pepa#LcaEcB(9){Un&_<&y}^r$`6b}EFn2CYV%QKr;7tX`-e)c*nn_4G)s zFE^!Sc3}=O$2(we1^`v_rzqGCnz>MnQgBPX9cpHVtY24Y)@TZTrIQP>J#O=}f59#R z;UZ1}%L60-DsnntBvg?r1inKxO+rlHK+$i&mF!Hj@V;V?u4hAsaNCLeRsfUy7Y2BF zQPo3|%f&9ikR<^-eS;^qmTAr;8cs%D%=-<7Ud#>o&YOmEksKce-VLf@7V+3JNhOw~ zPi)z%J2QCdnb}<_%ugR zpaAGN8O}%UlHzQ^v}aaZoq6t+u!Fv)!@qZOZ%tqRbqq&_v32NR6=d19zAIW7du;70 zFhRyYIp|O;JtIVZGqgXWMtPouMAv{>2i>v7CQO+F-YxfYbm{@q5^5A+Uq3+w!4BXJ zJx;WE0InX}G31r3naztC$P~VnJ$b@^l<{jw`n3&$CnAkb6Q-{Kl*)ab9?QEUmp(Ii zM#pAmvB4cR=AXymkw(@7MSWhMobHaBdHZNxp2+bwDI^Rst9hRYwK>M>7dx!)Wb=*H z^vT9oTV9v8^eaq!oe%yxYS{Lab45iM>0yeTRKmjfu~ygm!(SUo5Kff$U@ zjcx#tziD-hg+@-a^J4Dn>5rn4n+AVb^x`LO;?40RL~(Z3&_9-+MoN^r%UA8;o22h( zms7y?s^$CX*jjdklE^L z4;`Y}6Zap%cw9KF+jK1302k=O5n~DSTD7ENy|db2dm3=fZbdQaqg0Ed@R_x<7_d%- zP*->|E!o7$aZ|W1>sNGNGO=J+rEM)$I_mF|opT45W&tX9IW>?WpDp@6~x}^pzfkP;*%+I`F<4rTEqUhMImbmnle|~E6>okD5 zNCUSEe5z(I6cq3<0ts4>`xo5?8V(26vGMw0msukxk=E*2b(rz>&U_W~(lXe{kTo%J z)I1X9)~&jiijF>a3)a5>@Qbq)r$g^ks@aJB#U7;UH9V64dP4}OABP;>j1{6qGIR#v znHIChE<$txv%m_boY1&Gz)WIyC0V2ZmlUC7#K%_ym4<3Pn7A`9 z<_+xI8=l9!fkxm6L>j9lc72B~PyEM@MOSu~!3q$~%}aKk^{OW56VOWNzv8+d>b~C? z?*tXsy*HAL<)>^RN9p4>P3`H4hGAtpbwc7SN*$-<^x@h#34Y9<;uQA2OtEGF>n1NZ zY>M?rN|D?zpfRt~4&LMshxm{O*Y5`5FhRcZGOS&@h|*zx`cyP-=$TMmntz-Z%_ep? 
zIG>l$=d@8wyZo2_3)}X;?3$bSlN)EI1vdKSS?C`PcSy-w(nIQW%Cr?p7@HPBS;Qgfph0Txoz;_<+#q|J!Czig z*T6}`wtccxF71ZPJY5&31-^nk4YUF?48uR9^T+zwn1=f%7x1t!W}D$fXV;&Qfgf}} zMPr&Y@n_meBQsjB#wZy@Q|nDB)EOC{BCH!-{EOb%@?Uhe5DC}=JYZ!28(iy$#q74B z_#TJz3Y9k=3v(^!d>py1ce;E1jyTtSoszp=yPrfB}4qqtQqKyxbh>s-<=Ur zhNMK}5*VVmKA5q{vhDhy*M7?y@Xu@cv=%Ge8P??89p$u(Z!fHyenkM7{>U_MEOrD_ z&>7RiKr0cpF@32CJGEaX{aS7XG;Vw(q5z*8=jQb?Kg(`BCq`@~ua#899uW9glwi@;Q@)yW|^~iqr+@ZpJ`=;Fq5KQ@O9JSnx8`VHkfrM03_0;|Xq`xQ7k%}@^ z5BMgxF8dce5UtDVfRpOc%#`zrm7|;j=vPegkXp@Ylyf(7i?bwE@rG_#gJHuSLj%KZ zsUhy{W-CTR@UYOpH~Wm<&2H55h_wm~R3-A>(bv4EVm3q0Jit9=;-%YXm(u0 z0NM>%ai%K2J|nb;o= zS4FqJNnbq@vTY}GL7p}7J|3QB(_iN2#Cb~fh{kPlKqXif;g}exqyx^X zM++MRj!b%G@6Lv#Ais-cSBlHz{oung4{!C!2>)O0i7h{VS4)zZJs=DgGOk~w^`(b6 z`q95|Js=ngF5Pa*T@dP9wYgro$iDT(^bkC^ z`p`ogAKQQnbLW}^8*m968Qyf{ZoV_#>K0-yVha~#4Xd6q;u;wrC@+EVm?h6!f@B^Y zhCfwy_^0m-$|GuCm$&fKIsJ~Ei~ZXX-$ z<)hr9&+F$@PKQks-z|82;ussf`}uXd;<#fm&D)dvR-5fQ%;qE!X`{t$mb6vZ3mB+) zrOkI8Mhfw_y-vT)ny!oW!H0$VJi>eu)G99%o@!-LqQs#xRiLg&!|TO|QcInnj=U}| zcTgpiT+&9X{?FTNJS&}o(`rufNq~k-Jf1_N`z)*4`-dBs2~4@~Zg*rqHcQs+NE@41 zmCl3*a!|aTESmbFJMu%=`b0abqm5e`^Lvz~<2wZxp+TOxDGQ^ImfE@~i);MXZ!?%$ z`ee}_A`{GI{tsEx`XjBY)(Q*UynY3$XfST>;G{?q^9Ox@B|>%f?;54Mna*>**3d`) zN71n}jS4xm0UGgvJ0Co~frg_7Su~E{$G$ZjaP$$rvo^)29hVtbH%^YnJq_v(B3PQq zQMOE>Ci7iXRl{1#a}Cg2kUcq*0$?HGK{HUmA?x#10JAJEZWZGx9L4SXVJ%}8>;UM^ z)?#8BS7TAWxEE+utd9psV5fq0VURgINR#m40KNNWpOi3bXR?}2{-Iyj@-^#$)#wn9 zJ+#()@Du%<#m8}E)S*gVTZKduGuyU;y{$VP!VbM!%{`mWKhLLbqW50fvfVs`8Ao!! z&5Gegm+?{}WlTVc2mfpzBd(8r0;OC$QxSD&)->iSTea=fCql1(B5aK5b!Zc)&j&98 zF??8x%fmnp>D`V4HTm3$)_Kd!UW^Eww%_hJ&!mRw=VUy*ofk;cSd!Q@_tRvmEdIF5 z5f_x6r0`%Nt~Oh`*lla?>^Zk}uiSU-OM%<$77^y9&uKeY$^lTIMugqL@}Okl+H#ag z;xdawvGLu$pnb6JojyOM-@+?9S)q(e1h1uZgBGj|6kl!&wA{Cs+<9H!W?$;W1{z+Bx};6t#b3NM^-}XH!z5*(VIW}z zaCCSg@Oh?%gJBkST|ONAi7@Gq&_q1XCKD3RvWXEu_Qv!T>h}^bO=uRqbfd7LE1fv- z@xVc5M1ajH(L|V3><%@&#J1PM0{bz51KA9Atg9YWTj}_(>AJFILEb5(k?? 
z2#15N67553DimXXkF(>;zbdRjw=dzY><=Rlp{ieR2uPyu_!c=*CuRxtqsLUn$Lsk~ z63n72YCrMDbt6$%VqXvQqXLyU-Z}V`>C&?9LG_`znvl&g8a0cfM5V^P*SZ}UyAs#) zHdF<6x-Wj&^jGuZ!*N3Dh#hxLI{$`HdW<@|JAxy6UU9w_ry8p~68)MJKwnhw!sdW` zY+oaM`oClTlDjr&`V$uwCz-g_1L#>J8Q>cNzBG}!c=L`ZMIzwt=%SRnqBO{ojB(jD#PfjX#R`g?pNkMjGBM&lZ73mbceRuG#`dmZg(` zQ|porOA|Xy9ZrPG_stfC^I?R`hWbB(3Ft)lVAlULmIz;|$uT9|VUFJBhZ91jJ{1M0 z+j{IuG!LaXCCvua)cy&wuD*^Jn2%BuH2J!ivgn@dP> zJk94Tkl;S;X^b?Vrv~gGZ1HbN6@PB#YPfa3EtGko*F+2eb$EsWxa9vA4|b%2#e>BW z2M>MC@i!ZazxIVziYk^6;n8I=Q*K?0tx368=0FoD#DHWtSOTTdC3{iC@g`+76{=Yw z(5|^q%__ccKcH*y#t>WmHx1;2Zg5Cz(_2}l^3ATn!DtC~d>2HInaD82>FkL{YptJe z{QQ4q|7lq`WGoo>bisrb+&6?QE8D83>-LmRa5fMw;` z1BVO3iGS+D9CPB(7SY)QZ5tLcb4&Ddzeq|vX)wx@(<5G#Z)Qi+pW&Z_0IucMU16xF zihSMG1AK6S)+S=v!+Mgd5g($^&Q^UK^Ao3~CfhUkbuVeH>hU8rt=WwKF48Yn<5lDC zZZpD^Ush|%)M!GuUyvb;xMC~rSy@asPJV*+I8D%J9$#-zLuL%!jOhzd1?=@Tv!cC$ z?nCt@t!d^C;vDj`wmD?a8BG1Nw_~s8w`ZN^gD=OT^<7TwSCVW5`d2ro2F1P&tx??` zc)9YGg`tCdjZOkB-~FDu>03gF7tALSl zlY4QWA8p}L<$U^%v~a=Y$0dLWZPx>>XK(4Lb2kAQlhMM(RFF+Xz8Jj%8j)V~%?zAo zB1&!v2d2lVDZ5vFd_CQuYTZ_X+4P#v;>*E$y7j^|As12NU&q6YF!2!ZW|h5OHmnnw zCwvOpY7)0lC0Eiz@HCkN$K{)$&cCR&8NUv+I``puSat4BRfv#9{YI}*dhOuHTy>{8 zoGw`FtZme`u+Bt}wH&v#`Ai7n~aIsZCWBC8+k7F0^Vr`pqX@hE82yUwm*j+Nksg39{tVFENa=p|DJzoe#`-{_alMNE3%3TCmM+{XK88VM@^RmXsi5uLXgMSDRiiEna|?ikt3smnqIGh>ceG%74<;$Z0(y zV(*)x^q^g3VYt;yYyZ-0t#=94;%I!LmKbufxq)dtS>X1WC&tBkF}#X~ZzbsaPP+A0 z@TqT~Kl($qlX=qb0h($YXjSe$eTyqc>Lf^Sj#&^Bz-oV<0$NtvK>(FMD$;VjsB#n= zTB~QWP_qh!VOmkP=k+`3iFp0njm0vm4%bJ*5Dp0vTo%<~&AL|(R35L-t*W}2Ig_&f z%B~S83x!n-hZR>&sq-*=WpBJ93t3H!BBw~$Po_yvX9`5su<`x)X=UOqce2K;epZ6yUZz znl5z8Tp#`Cl=E;cA;J_g?eSX}$h*Wie*1LY@>%3}3;At?G=MTNNjXQg$iKl#)-?id z*h>cR!{gsH4%|GT)6mCx1zv%fQN%x9;#GT*#_89Z-{+Ir+hyEPd0tP1{p19vl)O_4 zE%3e!K6aY)V#XyfC2x&!ueBc0jzuAw20=qn%>gLTGOy2J6eh_{ILg$;KX8Qb=;GA# zChjc`D7Og>W 
z@_K)#tOA>v(=1^kt~?`N3lq*6>BtkDw~zRLau@4u`=F@Ymynk*{BJ1_|FM3M6voPFr88;F3dz-0G=^+n90@t(!h#XW7YBQ{R-&Nl%X1VAz><_2MP+MK)|b>7AF;AN+s-rN+tcAr}|~UBp_Tadf6gLK?-xWoB-M^gwLt}SK1HpMr5q~;ueNz5kn3(?n6Z^TYbB}?CeKtz#%dUHD!=L$fPBR?y!fM<~=G16U z$JGShR?IEjMMoc#xdxpIS{{3SVMrWhyq=^EU+h)j5V@)p>2l{mff zfCqM7JU{2pAfl`K>-r>NRXw;qR2{AK-L$C!hJah)gB|}zrJ_3KHk!*2Ogcgq)Ge?bBETV=28(QgmJ3dLr+-(J*H=m* zHzy)#QPeW93Xn|BIh5Y&MU|4`s$+r^Hx(CkyQbn#+7joRK)%bZR44l;@PGI5zz7~n zT3lGm8s(6J(6=HCer7P5E0Pt(#ERNo=t6!xGL{E{{P48RL_W}k>u-A4Mz)1DGV*!F zHL~>L_`5z+jAA)4A;#+Ed|@v(NHT z`tD!$3~)bd&ylotkR5%u4!o_-V>ms#QJGM$DoB~On&_T!J{V4C#k(7aRDDPK%$EwD zg>CeTJq(`qJiybrK=2EvV|{pB6nPd$rcvYJz4Q0N;MxB)_{&etJ+uB?Rh$$+YnV&I zH^en(W4r&Z(mYmol)GMgQjc8XBkyg(ebYt3-kl=3WU~9$vCPddH{o0RQjDL@WGC7B zxq4dP+?R_moI;P*J9xJVBI#&~YpZ#1f3=&t7#m3jT^o&n9{iOD{SzL7lJ)|JheBkt zdXy8M)G|~?u|AS0D%X~ami8YJA$*3)>1PV;$%jSss?Q;-;XO|BACjRHB?8}{smrM`9?f)Bt>=htHtfp8mi1eS?Sc2g-3~TC>1`qGCMR^A3Dqo+*c{l9 zUZd{|YioY1o+I!RfN+r-?*8m6!GtkxFuF?=f;GQ=HT2Y4e?PL7Po~8%%oq^WzBBS!&4avW@KWVBQw6Fgizoco5j{G*M2yfDL(n*L4Iv{cKn0ggQE7k^nI{GBX;(KRJ*OI` zVO>wrbAZYt`)g^IOa*rV4KIL@5qd{^X`=I2Hewpc&In{YsZ5|4%*UiGf?3cUD ztlJDPtJPwsuSbdkWeP=nqhGGGX4JB{V~|1_QFeopsLHmC&r-rk+hGh#!En+5LSEE& zyXI?wVugJC(u^(dha~kU*AX0Km z>mUJf92{azQm}S@-tRJ1P3&m`;Hr3$=)P?+hcB*GiBnNYwPHFj)|Y{~vK%D~cc0 z78oTACVL=m5A2OP6sF9UJQ=Z*ImpQ@yIHT*iuW%x;7`9&{BhZqm$s` z#3r@NaF-5_zTK+oxZ*11mit?-stBqr|k}vk$&mQvaOc7xxBZ`2HEY8XBejB5L3a zDqXDPLuVsjDU^lryGgBK9%h95eu3LhJbO{zp0{qxN0Wva*ZVtfUvXx+a-Q0qN-7xwUGCv@XpHkXj1g-72 zXN!&J>@V)agw*|;$tp~ESN(#HeG3VmI`0AmvD^2;q zUUo*J$8>+hS77qQ>60G^pq$18W=m7)ne;d&z%jHmWtd46OSHA%L+!wr%!limgBP(6 zx2XRu?7t;Dl`Pr>#ys@>YJ)LzOXC|h1U)a%6&4$U7E50a$VeoPckPb9$zQ&;xE+xl z)90zY65ML6(|pr*f8olnbdk@N&x^#vKI>6sEDODC5K6XBa+ipeqJ0n$&GiKs4L3?x z20tpkkO{7BjLL$BfkmCcM3`V@MYB3o2HNZEHc;MQiuUpJM4d|JL8rvJT_P|KVv8p%~!7Y)|ms*=JIR{m=cN-uRdw|t3wt(nfyM`EhU@K4!3@PaQt%kd8EtY^fz1X|2! 
zI+I`zYL&7s4ZN9^=3nIJFOxgNnei%*q0`jA*urW*a*A2YCUTuZ;#aekjnsBSlywDE zb$U(#kQ9Ik(D+a(hke={z7_ks?qq2C^MV+0Ookz*nX*UP585nmSI)D%evk|9^$2Z?j8P#=$iv@Q8$9{bL zF?2h+MzI?Sd0lEddRg6z`}*NL_KODKwpb;)zprG;%cPVQ5ko^?lMqTCqNG8U3US1t z5yQI5rC*h9P^HXe-koxWKJob37j+UMVqD{jSb3SS&%Sk+Szy~=wh21_#8VJ^ccmJ3 zq!$zjAa0VV8LiT}jXrR6(K8w#PkSCV?LU2+wXwvj-FT({$Gyoc1q0J7t1k{08i$F` zOUCt6!9pygM9e`o=0a1(kxFNKt%|ZImK)D$v3wnHgsSd~0zfSM2k>X%3bRs#ije(O z9zabcZ5rq#+I9V0CEl5etIlF6x_)^8Y;w_N%jKI&=#p3P`kvRgcBPmel2?>HmcpLy_Pzh&WSf5T zQ0GeowXB%^>mFd5tXMm&$)qNZl^Pn8uFT?8QlPz-STxz&4|~(ET-1fdbE#jxlj|r? zMxX)B8fpAHv?cr+&_k;h`r>~rdo3pg@j6hF;~Cbx{WQrLFtySK%H>U`OMpK7fWgih zyg5ghGHr*pSpU%1f))Xm4&`JP-b=VJTdv2ziBW=}^Wfqi=x*PQR`1uL2`uJ1Gh zgK5gS_S*z*CCsNInwx^TWsLs$(p-wt;*8ackPtxZKXD%n_HK8ud<_351O~d72|CfRa@_Ao(0H$v7IC^a-JPpP!Z%_%RlWDn?wmsDKg2u zCGCzh3McJCbHS}=;(t;kje8h6w%6^Jq=~N#&n9V>i5f;(F|2MJPWmYJpt2y+E-qsU zKsU4#IW+Vq$A!hal5Q!xanCT`a_5#o5m!Z)7g(ld#r)IrtPPOW0BZ3Uc%fvo`Q^K#H$tGys z>mKVij`0K?Q1RQVf_}R-JmDdaeoxNhQ%Xe|%Cz{qekL>Qz0pp>(|@rbUCh%ETX9dL za40&5;;h+7884T_Kp4xxSWDO2sF`5i+1m4zSEuXu^@Vf{E&>Wnq$yUP{9KZH%+hTSHmLx$Ai zma~G5qou9A6dH@`i-gy5UEH|3%U?VOndaQf6+PIQag8;Q9}-rRd*I_$8#A)IddJAc z+O<`~y4)SZz;%o8Nd)Yj)UwHZ31>U{T`%i?5$luV)*@2veR}HUKFGV<{Vm;FlQYhH z4Wy&DA?8CpJ$JEr^v=}@2IubrL+cL&){pxXv7pWlwBngWL<|rZYJ|baI8HB#jrv1B z&rJpMS#(*JD6d}B=|@#uRYS}QT;qa&?9>hZ0{T`W#?S}654FBK#~bg($T4HG4mgFr z?aY#P|7L~@g)Q>tx$xDaBmY?D{bo5(((X=p>%AV4Oeu`s|7 zg(g$E@GM;etDS(_jZL>;1dmbKC(f%`3*pQidNr;8quR8Z>hNDlfsKNx&06F1HVnvh zEVJOZbC*Q`!mp_0>=@Z!1nMU4n(H>_<+|S{^;LK+yd+k4nAi=H!&oFPO^n?38FBOq zM@+XWD#-%VLVXKLo18d$N+IOruK8E%&&5boX_dj={9~`}8>5WtIJzV1zXz)K#M)E+ zJ$%qV7=;seq1oUP^rwBcr~FwzacoM|K$#iGDfLoXwM2!;_oM^R9q~A6wE2#Rl@$AI zXj~LM!k(&3Z*m0M#`n%NeTOsG>+T|uq(nR8q<{LdJbE#7e&6wcaV|A)RB%8!1v1&K z|7WVrECs;nA-^5~Gxfi$K?G3J>Kvh-Bz_@E>T7z3+Vq-6G16cm%+$=#eof6U26TY+ zfXA0ZCRYQXHME(8LNqYiL#0g$Atcy6QoPlBUv{iuySbDeVcV-k{RB|8Hetg-BwNrv z_j<0&<=l`k*b<*?i?-wa-zKE|XmHRrw(e+XIX{z7ykDPaMGL>7ru{8UX|g*w+g#vs zU`Y5VAvNbQWN2{^G&tQvyET4TxbA>Idp?_8ZT<5`RQ{lTl)Gk8+wDMW-_0#cH^}jH 
z?Y!k3mNjinXJcF60xw-|ejyO9$He7I?0!S1*#@!eilSd@6kgS?WZ$1UlPw)>y>{`E0PU%!3nrrh@kIeuJRmtu8)To{9S zGWR$LYy@m!YThi`q-v(R*EfBuR9xKNU1_nfOasN0xqO6kA|SPuMnT+o(2aY_(rG{gYL|xoj}=Xg!g=Ebfpm_==C-phG4d9j4{|X_#K2DlUGfuLQ2S$; zVUxiPP0fMbFWvz0`Geu8%{NHjxDGb6(}=QG=}4S-Znen;ZB%|5CtTu^GPqxyKEsu0 z^8L7I?ixPwWfO@?ODPj?wH2+iEbaRWq4zA#1D^M-eomZu_PQzC@QH&x_vB{_w>{P- zeaE-zP6X~foQj(3*8n)<<=RHwz$?R$bb)CiG>jONN@-)M39MWPbz}Scvy|w*97(mn zEZMXwSGx*9aFUB>Jf?DJ?-U)CN(NEOOCs0Stuh(b_-$p0ZgrH86cr&wC#sGv0^0V! z|3uBrAUSuGJJMWbb6M-n<{^Br{m~Gj`#BpmG05%v{%OjtL4c8lJ6PL7i}SWQ?RL$u z1*?Vj)zPukRR?g9bh@qwlglq=gDy@F1GV@3FvC?R{2VT^V4&4z;eGyaDP%}MwZ+@z zKy_%O|7uRY^yQjm@8@j8Mq}P!5)~EK%a*;!?U|+M^Q_LsysWQQ+u|Ss%xgj7W6YUp zA*2^Pu8n)?^9shC=TcHQw;V$wH0l5+6zD(PB8e~1bP4T;pT`EP3T>CaLe=RWs5J4V zgG8-n;Yu2m!JBO=T7<|j>GYS3^(vebHvaw?_@#PxAiko@ zasHr;Dl^4aIZqek%?o|BW>kNSda5tl5$FrOZlW|B{tX=Jtd+L32{&e~h#gJvwI5ol z-?_jorZ|ob5hWujZz^8PGJZYVLdH=;E@+A!Z_eKR_2Y1UsP#!awV6lIc&m*3O$OgV z2_LDGZz!o?KgGv!U52(K>q&jQQ|gQ5i$8U-sWyz?^Xqz4xT#+y$S$$*gPjP*Fm+9; zP7f!_ItN-0CZE#y3nYE)kaS8MdCotY&_*(o<6spr@=YztQO}yQCASjeX3SI9%@Zv; zc~%KwVgF?}C8EW&KE=vg!1IfooDe-6iC3}3FM8o6Ug41V$kM~JIUGX8FXVkl4qIDoHQF`jE&d^p?(b{)5jQ-Kiu-*T*EUIiGx*m{N1v@qZVASls3#7 z%VyXfU?d7KSY!cKE{q)TT0u(}M!u_IC_XHRUU9t9v$R19lRQ*(v$;`?<6R6_%>l@8u*6rmAg2c$aMNZg&P&8 z%XPbtn93FO+t2*qLi$wSXBAEZ1-ZX+$EDY8(FRl#Z~-F;q^=8nQx9LQfE7ITy5bMI z)A?r&eBnY0sylP>-k7RcmS>XqF=xHjRaocKt-2fX)PA8 zMbz7E+)4f1m$v=4szP>(jp`pVM4ooUd)u>Q+t$PUz+X*VEHhISZUyUWejg{W{*S4v zj;rc<+H{w6Nw;)fTDqh`8bnIEJEa@x1_9~rZjkQo?(T;7g1@i6|K5A{vuAfFo_S{W z%t%hYQP~x-QBG;Ywf55RDD=2-p^}xt{@R!8WecaaIVDHSks8#!8sd2={}m>q-yY2A zF|1=ltA_?Q7_P=NHT5_t&G?dWss6sXeptD*bYL*8abmP|soo;NxUiXvH}5!nD&zky zVApV*z%@~ONE^u%yAJ170Te9!X*|b<WKYQDp31n zmJ-`v@Gu)A53K4ii>|o|4u(kelY8O@ttfKPC`S6D&9XJVb+$+#F2tNOxDabsT@@xP zKsV#KcmX1pN{(fETkW~o$}EW+BxGxDRrZR1C4^iYn;j(3-;-QAUP(wyxV=-~>kvnC zkIbK44++&j6A|jGIoP}SN&B_lE&?2rY&C=@qHpd_c!N%uBQqo|co1;>4ZnN}U4hpx2>I_^kGlA;v zrl}DFj|8UK#lA8XggZGc2n=v+?!%!gr{lU6dr4jmFzJ5tl1n4eb 
zNAC$%1p6REqy4!fL`@Tplk?MK3VGA1+U^zzMz`+aEM)+7I7ZgrEfYG{?cSSGwGP(n ze%rG5%<|gOu6#4&<$PDy$}2`T{dtL`lX_?v3p_P|Zw}&F9^)?<>pvNSeeT-lWk^G$ z=~7`+SPKt80)OnbrAb#ul!xbI3i<;r=-#8;a=DM1;n-y z*tGSs`ktY+x&C{P5@BiUcM7dU7bica>hyR|v{*Z;o@=siJblVyJJ4qZ-$hEVI3H{$ z*FRa|I2Dc`YgbwBT^Z*#?SA)Ed;*EPEQ^&vUCvwnVH&?{sP8_pykvP{A~1bDaXd@D z!Q32+=%#5+UyfEjwso~Ah#DAm&@m-R?=-FO%cwYU5{)6eljPQ)x zv#l+Qhq>#mM5ze(X7xt8F8Znwb-zY4F~|T6n?llM^S1nyHn^MT&Ia3itNUBl2e?C^ zn`D+dX=y7}Y9ZgH;QlCHu1kIO;q!ZX5y-qkE)26Y{b&tx5>nW04B$zvi+d{`?UhV{zh1+XbDB)&tfhS1##=GEtyqocF|>h=ZEUZzis zPFh7?zIzBQ4YhIXo_hqpw@qR2`8M;>;8hs;L39+IiGAo~KHsPPkO{!DSvI+010Y36 zN@=REDHz6zw&VnK=BjL*QipeDji;E!U$WV?9v%Bpal|XuxPGzk%9@>YHQzA}H2Nj; zLU?DWWrF8h%x&MZHF)AR!%2vnN5}{6qKH@ddpg!~wh&)>TK=$#}k@*4{a)a;z3#6sgjvaOU7@4Yu48|Enx);1XgddPjBHC>AWd0;R5|6YN0r z&(kNK{*5kzV(xBY2PO6OakzNqLe`2Cg03`e#PVD~S2(cwnbvsAp2xybGS!Vwf-)rr z4t8e36RZ?UJ=lHDG|l!kwwXriG+x~|X6&$J!SKuO&ZDA6vI}FC_nWwzRy5)L&$?>o zpdD%U&IT@G(GGe&Lf)Ce`!RV^0-i6 zd3^)PvtzCcdF^hO{|pZ8sEEHP4Qs_g^OP`u8o69+yA}DHZK{V85fpdnvvBOA2w&6d?@Ak z1`?hU?gNo1uu7mIkXa{tZLbXTo~IV_MoO>mONzNK6=OI1XjxH??}kwp{sIdghn?X< zbwkl@7{4)Qo=PNFH@h)!n%$4&t7EDc+0@xK`Izzt?U(stNqPLP@;d^tae^Sb0R6z5 zw(my!VcO>e(ciyS@xzl!Ul9OM%*m2(etPZJ^+yM~e#(P~BtTZB$$hlKPIXz_us|hR z28Yi4Yc_gaFTHjzO^CR9XO=z|cqb6B}gcx@;HZ^8Rr~=;K5|oY(DId!opn^;D zt*=bHzjL6k_v-^;nFn@Q&1rzd|H2+MM27-my9p(~j*%kL5osFGA7DosJ_1*tm-ow5 zoD+4Nq#M-muRdA9N7_OqthJWf!e`;$TY$y`58PLSXrM3^MB^O%Zboq#J>ZH!%K8rN zNr9kCW(kim2*GKj<*IL$vjp5y><;gC5V0;&5I=mJ0uJLClvb_uaU_VNIszoYK=DFB z$M|z~!TqYFt+ms9r!U3Iq_b->&hy2go1`wELVEa*9b5{+ewF@+8JiZHlvG@ilYCge z`5~Splgn(FZcM^?P2_^)QSSz~Zs=z-0LHkS-GpmjKmR_zqeMBK`n^ro6Msfmp zufjDA*f>=n%Z!e`*owMRlGNwg1(?wyi#Y5 zU^v1mQX`rdeE|%)%@!C;hk7of^!qwv*d0t1U^C*zYl{2NvZ15jh;+`0BT-Tc7KKek z??g$Zs|{l;4}n!_Xl{CuDm-B}0e%GdlEHaj^ZUQ81p;D)Y!Au&mXhRK-o^hHgA~o3 zs9jXMZRGi9uw}WC0u9;_L+HBeo?KMXrp}19GhOBSkV_-qzI&j@7tK0*mW8REpA!2y zdX30)IbWi)Yh5fDX3#S>2CvJO?qGhA9Gc{DbC?W$#boTPmTIH`t-?h$!e0n%HmrH} z&dieHF00_gH*r5RDsF5oO*UN8W;Wp+cqSs465j0Q6>&pJl1+V-lp|!t$m`;+WE@u_ 
z^z{clCQC*psS}G7)>Uty5Ag%vo6P2r^#1il1RcsE@q(wr4W*xV{VyIvhI8TDRX?^? z>Kuj6SOl(T&u7=8wGH}REW&&ELnidxP62u(cG;bjT^sVTJIv}2JUokr#^GWgwG+v?BFX*dh^0>-*QCyiGc3N+BnCOY8fFWy zFwjK_b`F8nXaQBHA7<~jDPrgOzoc-3+7|o@^d@0|qbzHLMNjX_CjZ~*bG*A=?5e)q z1nzk9$1@3_?~@*VvRLYhh!{6Hk>RZ1kes}5ZW_1LtDwPz3;&{fqGUuV*YmRs%J_!m ziWiEl1zfF|or1&Wu{Cv$=1A<0w=q}qW0j@q3`lnI4$4<(yi}STOV`AHg{+3b#)%mx zY0x?|fa+u~oJO%H=baPR;bg8+gel*{=|yhxoKc{9GH+nmJogy5;amT*bOTV5rQ$?MkPyu{FCZLidCgcDRS&l zW;;=w(%GbEZ{8(Ej;kWtY+HCV(jyAJhG0;jSi>9^m$h3rYpZZ`+E9lzk5@W3)n_q8uk$1=Sq8(!;zZF?7bMr#*jMj1Wv~ zV6s8*S8)F~t(Eb}YDxCJC>z4-*j@)u77gwi!t)6Ivvj1ZV?gOar@^m?qFmlJ|GG3t z;g#87aF%$GmdBKk7A+ld zc6hodus zkRhqqGR;q3*0<^65W2ejRi|hTx5cZMN z1?|e4`vG(9KAQ)jVi}AX@}J@wcQ{1J%ZV_bOve`4b!2O~f1+<`9$pn9ASvHvJRW4- z>>FN7K7*~bE+Z7~n^f@3ly2JkWe`#jM_`Zmb!w`_gsLnWgkw21S@HH*7xk9q&u;tv zW5r;vRJm?U;)c7`-dHhh2SMSrbW`o;HV!KUySmkoK=q;)@$6DdPh%Pf11z|Yvg|+i zfDLB(&cs&w-_K=BJsUH>_+JCvU;Z=f&Wa|O%>z9$n5MmjHs?O~ax>pF&C8CSpls#KYS@v3X&j!oRH@t`+V zjAW9_qtcR7j=6KVVqEJ3ZW-RBdZLjr598)M2hfAAj+JmCNJPKtDD@zI~~n7Emi(ZP}z z@96ZMr>UcUIs?w0J~rafs{sqUJi%K!;f^DO7%@!eX>z?e?+&;Xa<+N$xmD^n=qa}d zx5~J%w|p9lyS=>YT!q?e<$keV(8N*Xd=lsyyMd-TBn|5XS1pN)Va^yGekKEm6QpF&*?d0iT&3r}sm>8FQmy;Kdm?mgjkUZvK#^=1Zswq4NM6vw?xFtpyd! 
z=cT6zj;oRvwwkSnfvK6e{%2#`$9P8;29SuarUy&3a6h@TFXs-HLNH5wMPiiSaVev+ z=%hlp3bZTm4<}M}_Dhqz!?O5BcxTmt_Lu4tZ6R3O)0TE>0IUVQww@j!C6upwf9LV^ z)J$+^VaR_R4!sQgnw6GH!E-(C(R?;dMKOhEjH?IWcoRVRFg7^p!BJ$BP5pcZVY+%n zuOjbs(&Bda$fcOr;egv@a*rjx)m0ZmXvFxGT8(5n?LsSJXD^<6*&&TL`XIp5?ES%L zpN@p7a(716Vut&!y7r@q){vJVH*4^_2fgBnnicrFz#kLh*AO1GTt} z!FNNzT!V^U4So1rCNTKEsVJp@8`-gU&?Ws&^;C*-<_cv$=wYsvX;*GCHYQ)>x+lP< z2(K&2mu_>nfp<&~;WA>A31_f^%vwsEX01wfPX&BR|YTtgyyi ze}FNqdH~#2tj;;T|Lv-FQ4c|*N@WlIFu@;6s=NXqxdL%MZ9Mf}K zJea3HDp@g^HiD>p79D*fAOx+fbMXIaa+7cbwPUGazZL@evzOGXDr>L1c643KhQJyL zG>2T6Z>QDDogvX(;O?%Gx?PoR=-4J0kCfJAvf*bTZB6&XUrV7&mt$B!T|jAW-;>^69$N;I z5M!tL<1eb691#XgkFR?rf`gvDvppz*8V~8AS*|4PX9udh7cvUl(dI$C(0OP5H%w-J zBmlN>9*S_q_IP}Yk+F8L79hio5| zFOO&s?6_R;A0C54Pvqxzdy_gx=i61Wypa&Xd+|mU2PB&n?B5MIXZ_`yAl8LWPfLaR zn4NpKB!$UfHw0inNe6ydj})q+Lm0$j>8=yYC-9_ji2aQt2*)>unhTw6k#~mVjb&KHClA1W)Jm=V{1LwwDzjv-apxfQ(Y>QT8+oH>!D{db z#&M!P)FJkQM2D2OkJl;2XSUx@=3w%2G{5##rXrwGFF7XQ)Vj9`a%VpO#!k0yU3z=| zkM`f7Wb1I*a_)>CwrWBxl$`b_K4Ws#`T~eke%-)C0l$$+fE7E?0YFeiaUvgZPOBu_ zk;iu>p>=!M3lE6C{EGlKeO<_!9oZyK*2s8YQ6U32aqzE~;UlGjmg@vD&R7fA4GGSl z%i%$G+@*X6b(ZHwcamG30tkdgTlpoc@Ns>=c;=IVj7btNLCsWhR|P57+T>G)f(PV^ z@Uks};UHtOyt}%lr%&s7u@kh)y2U)d8_i1b0N&He+{^^Gt--M&1^2DJcw8;N+!MB47sW2)SvAm4PPvl{_CfBeEb$vV z+|u^Q7}Ab6^5+femcDM}HU?BHyE;=DQ>N~AQ@yC`)!F;WiMA|y&&ee)H3)ggz13dr89+D2~m-qy!W-pNA5||ja zO`O#HZ zN$}9$^V2pAxp2V$yckP2_>>DE>)>6e1r?2P=sTnE4HeqnC0}x7Vk`lHLU*7zlA5vO@ASBB4W|D!a2qgeq+|I-zoy+E-}=g_JR z-ecnp`BG?u+r{C#VuVb$yqT=)l_AYAH^hCsk{SIzfrWT^;r*L~P2w9gan58FPWbhv zFZCL~i)d-&?;=M?X9%dLJNv%<-BDa_7yT+nHk_k1eb!eM?VIpySlOHvP>Ku+^M*NS zzz-#~S<^nw9wNMgEH#oUoP(}ZPEVi4vo9>9^PtZY2ffmsf@F$rFR#4-r{3-+uwgs= zvH^`_ZMB)?(je7%5*=y!7C^kWJMA4=_97%0hJ>vGAY{$LqP7cD6$89z3yt6T(;|!D z_-3o1hrh?Yw5r1X>;Dex12A1xvbupu>+8_0Zl%Ue%^$}c#v=?M!6zPWz;D?@9jzHg z_$cypo>Mm-NyFj6+(D$jPiFX93K08rMUYA?;~zLS{K{*qqAjYzhTfcT+9&a_xN#@o zhFc0E)Hl6Jn3{OOe0=*-{F$;cu3&{u=yDZeH}ByQ|FwldtkZ&Bow*VXw}+ba!br z=d-2qw-$*j>cI`f0vTp3L9FUeg;v;e9~*_LJy+qs*{f3$(j9 
zv$F$x(Wa}RQIGUQy5f}wl8;1UIQ^qLgTzf_odsaA26WO7pjzH^SM!NBRL7YGt z9#goDqO6~+7lqH_n^>51ICmuAgQF_8Lt8s@gh6&-_K>WxTrPCLdSt@P9`CiXJHlti# z&4+|3JODOxTrz*^z&;>TBd@yoLsC9II2a~?l5=3wN?xzhS+EFer#v6JffYiQqT&yv z@USLXxUqg9r&6C;6-(*KY*f(uh?y(-tA7?bdyb zW|a`PPt2Dh<8S_Un(bPr%XKpQQJ=h99@hqSf*neNT%d+1Ca(&V*MuGsC2 zGdJ`u!0<1s?!|W)xb(+|84txB&eGs&017^Z}WuY zPalWX!&FzGgbq;y4D*-Q95@q`MBY4qV^_W!f5%Z2+!XH4;+1zwy|!jW+W=|YeOk{W z8FlC4z(r;S_$NLjvVTj~y7m%&F(Df3`7ZpnIiZbXRWH^)aCl^TRhjbK$TEzfJ$4n@NbU2f-bT1wkQ=A~v2y zK5y1nVsN|-QLRgh(lLb@PUzuXZG@ixKT*u)9UN`NWx=0jtWv;d`8D5cmOaDbuY?g3 zyM3O!B!#A1q_98}h+AN6u9VT!FXs$PW0(R^7Qe#c817Rge%o$b%5V(aKEo7<<83G= z$0z151UEF8WZG>`R4=)3(Tsya46@+*CLtRZ|7K0$T^wq~b-ZAr-G3`oV!)$ZG9Cx$ zfHdqKeilm@Qb)9N!>5T)-e$;k&tF9^$$}Ir$sbaDm{HhDTGxRT9%JewR2t5mSR-=y z@&15_a)4$?O7WBzRSDd^-f^>2YrZQrwC9c3ETG$PN{KY9`BbKFpowV^nL9{5p+v8^ z<++uz6N+Vx&7FyE9c;F~PK)zb2j*=?_4>RE)hcum!8Kk}(#Iki9s;@48aV|{I&qcY zAGMON9Ey=;_u(}f3fsk|nrioCbbs}gNZsjJ)iEmyScP+a3b+R+dX^I>|6#7!xNAp$ zlnU~ZoQUp70O@Ev!K8bTU`C_s_gK7#7~dr%9x_F=;af!bZ6oJvNElw<*A1aP=VWJG z=kRpjK|0BHFphlH{eBEaS+HYa<8|fUD2_H*s=sie;*0{yQ_s=E{(bFW=tvB(5OJrA*X-3_g!>ba!-Q)<0xU34 z>Xel*J(PS2Y&AK@kP9Tslum=4Tc|XVnQLMl7HQh7Km1*u4KeQ`O&xA6oYf-So3Ye_ zSu$>1A?kNms5PGAaaZx-Jx0_S3!lBmSD8O+&O1SNdja_Z%=~7ufQb7kn+En5-qJKH zvQxDdI(|~2n}^4OzD%RPhdSvEXg_{}jP9d(!=lxnQ;OiMDrks$Y4|1Tbhx}Zc}~?< z#h9d07xg^UTr>j(eLDzNXxsW|{=QkoG=Um$<3B?J)c$Pzv^P};N zJ+uV7_RB(RbE3q-1cZO^qD{?Ei@YOs{?P}J_aDp|r)m*zmQae-arMpUZjWOn#}STd z-=(0~_NdYBV`$>0Q&y_J$%V-oAOvHT_VdRw)$q;`<~8b&aX^gX4TS@-mw%?P>V@tRg-XsZYDMsQC)@y&Y9lZha8fcDD(TSW@96(yY zJ_^8swK}NzkoD+oJr<9Vz`jakdV{kUqb=z0V8-8cr}cG0{i=x} zeOn^u9~UGOoJe{YNyXQp!o>2>XkD~x+CbVEys)XSjdU~wB*V>7cecP%;^ASm!=Vil zg|kOG3f67fKEcI_MRo=Y0?Ku`Bm#?Rt+bK;LTs~&o&iXe3meekfsFB2T2orVd8pN> z%}ve2R%0DLxx9r39O~ZYxR-A&4v-im^k&iEoAuJzvm6+qBjT zKjcR%nV5SE`n$-!6sosr?%$=Lu|*9Hf6)mD4G(-G<`2QvhZnQGGd9$Kp8T_ULm5AhYnyH&3v}{VzZLw!rK)j`&ZzA z`hA9@E$!wHIQzrtPfMaxh`LuCwUR!5FM)h^R3O^Du@Y+uf%mZkB#sL|yvF{OJ=8-e zxvWCoM&Ps&@p-q#t0ZtCcq;P|Z~ 
z&5H*uI;;Um)!cb-Xi~G=4WgfPhP%nQQXWAqvD_6p@u61C8h>UM4XlhM9{%hPp`k|p z{Xlq8FHIa0o=2OJvo=U|588q(STZKVl0z`1_}|2&hvl(rQ)ULhk#CG;=;^(zz%oB#o_=8$_LR4U(dqd0YmH`k+Fs%a7l7j=c!gsdI zb#5~P22HH>k^d8ju*1@TLq8Q#SK{!)SB;9V;E%dpkT89Rhx*Y;Kx7NvpS!F-oHaFZ z`WvEC;-ZoM+Fw2=ZeA^EqDc(gM9X+zsTlJO}MiHxSE`{6x`?oxH5LNlx z6aP%ayX(=WQxjH(t}&ih6QLj~9_9WUMu!=HJT~^$>PG82K*&jnl74PQ9|8Hz?HwWa zoC@N1!owmkz;@6S{hG@5qnz=S$7dvPC5DHO{3V0R)nR*h9iRuyDgIZ>?a7P4(1hCw zZ;gQbYQJNiv&iP!oif2NVf+qv(+<}i=ywh>Np zeHY@ZSn&}ZR;r`TAbbZayt9ybFtQUjrCac?x=tLItFBGaPM7&-7;n&GPSG38qsy=b zW0-PSWuneD`|Z3ejwe1rB=yacXGofBR{|Xn`DwWwWI${d`63ofaQeZYEU3^A**ORN( z>_c2d)%ASKGw_2;t{P!>h(RAm&f41)UVuXOmyV@H84n7?!9bhO*C z(g>xv5dVYkLV);=4!7@X$Sc0H-iwa~ADD`Hp#8Byv*GuctK( zquZ!qOY9VQb5;u-oGCCnRwUk?X9Fo>87ZO^9&-I>QtCK2@WW1B^(ytcs5{qQChvyV ze*Sg5=2w7}T@xhA4o>_(fe>B8gu?V+`8ya^NyxH&;q2~e*} z)n&K?-(X%#o{4{GSp!i_Dl!_}`WPt{+5e!l1b_kBT8y-?9J@0?wlyl`;1KvnY3J_AV~Krq zkr*5L{!x$i4;|Ea{|x^ifdQJ9^qerjz~>FQ3*iG#R;`5=X4<*a<}<;q3pBLfmV_3< zoMqkQC91hrAQE!?cHN8s%zZY8eHPhSfSa?N+lQL^mWnx@lcNI{Jr0$Wo(uxW^az<8 z>py@_)f$(w!#E}Ir*%O;vU^?Fp1<-i7(Hs-XOUhfR2zPpr@)8nOVxKW8~+ZX{Q4X4 zAYO;P9fU#_)slH*J?a);+Ywxy`568d2sIKkHprIhe0W9}>og^&MgK6Hm1yg;VvGxl z-$86Z^(;mWWS`ih^kSq|hlR3eG!FhBjLntO9%KbYNrIh15(Hjr1LEoP9+Ts23yd*d zbT_vnNRMCErfc5{3i_{IFDmI-6;@#Zyc=Hq`HGazQ6wDaEo_xqdTo|UKpF=^y*lxQ zE918r43WL#t!mX$*Uk*-ijU;dCs(1{AJU_oVEuD^zW~x`Ypl}3qpZrPTm~r0MQ{TNko9<#JmPS_H@YIX@c;x4 zlU@`5Pnv%5CQ&pb<=_CTa1~N=GUlIXk@m4H2~9oRBwG8T`7?u&>4;eX{n4cQ&HN>` zC?dD7X-k#|igSy;x!O6sW+O31eNGhvlgGt$!u=e!m!YJcgRo0ctG#l*CH}!@2X!nR z=_L#uOOweYYrX)N8mVcX#1VlvyKDOU4xeAaKs2u; zMN3jtkhSES8HhJOCwIp6TGXYkz zjty&M{$3oW61kC0uPp%xp<{F;GxXLGeji6r>?#J@vwm?t$~FO*2erZoR!Z)Hm1D}^uu zg7Oi!{L5{6l()ZcSE*EfzMaq!PMaEkzJx+HBW=E#oXT&=|NT2U z@{i833F7w!S(8yx{74BF6Cj8ozv%4H`;OKXily7`T~>5X)0fIz3tbatP4-XgLdya+ zyHrRynZh?;wa(Fg8MJ(1O==up8=E0${YyZyi{l9U7aQm^RV*%ebvo$AWVQA!?lHOA z`w(V+?Z=}kb{?n7<=%JpddDJZmb9MUfevM*7Z+Uor{K)_-QNidcH*H1`r45HfIVuY z$1cDr8d{rdn(MfrUVvXmnA#6fi~$kY0~rEz31TCb@4R!#|6!iy7p1Ck&0lyM{lxbd}%8!$^QEe-Fr98<-@V0i6 
z^C3+ukmz=jx6Fz?2tXBmmJQXo8o@lsNViycaN#BbhmoLkoITKBnd z>9-YbpvhxYnDqAd(YG?e-&O=vzny<3tbTV}3&|@sEM2|T1A*%ziaP&&S z)h-Qt=lj2Tf4lI=xv?RmZ}6bJ<(dQ>NKk}h8+~?dmoSTiyPG^rqG{TwZe83zSXdI# zM&Q4nI?eI#r8k~L{B_s75}1q=>gBBE$rh=V%;6B-B|%(Jy1Q=2OzrFNTIqQm7%j*o z1J?~fjec)TLc%#f$4fZ=0X9C{%wLOsSS|+Ft@1YP4XIa& zHLP${u6UL&kjY=?x{w;xRM;iU;?;atdPaTjoxuY~oJ@L-OrH-FD^F}*ChYo*q~>)d za9p)fiyN+2bMHt4Es?6U2K6joQYe|{G~h$?QsfB6qJdACNw706&V@tx2d55npJib8 z1bhV}3{D{uS4b-Z_Qt{N3i@KK0HED2Pj@9icKU|=8*Sqj3k}pACTy zt0y4OL1G{qSd^-sx!B}y2LYYo=+ON_t`fK-tql{a{O#IdiIuWaX|ne7e&=fYNNhSbOzy@@Kg)n-!nxGK~e8gZcC^^rQ9KPC56JLZ)xMQ%nb4J zpTiOR@>0o$3jIHM_u<_I%KLo~Q_JR`d!2YGFi&z@lV)*PR)HOtFWjUsMbb3-9CY{( z8S_p0>e1zYreXvB0Gz4{=8#h6f>Bzsy@2FXwy`thfKR4=S~9ow`mH?1JOgtN;QFr# z^3RFAEKA=sIW&3&yKlLu#A*0@_q|D98l>-o3%8LMbDCLv+lDH(n+wei65}D~v+Aky zAKC7F4%q`+Vz?_*u*?_}L+^gRm6akU1=F#ABMU)9A|F6!K|U|Il!D^UD*K>bCj88R zCW2nC-Jz>DY2pJLe)kW6AYL;9-(Zlkor&;OSEASfOaw^ENa3^#YFo5EOLEwY+aDU) z))1>Hy>h1gap(Jb?`!Wc&bz3?Thw~+UhuvjsXu)_Xl z<%;s5H^@|g1CW5&2Z$|5LWQtC>y04iLQ&e}akUj)hKXD6eua1Q`w^NH;Ddl-+BH~!E zW^uj!N$&~b0D~atlF)n;iGUb6Qz;lh?qD%0=g7@O%9iFZ z(>m2V3%NQA?77-<)Rgdl(P8OqR#sHuULHhl)*ol|A<9o@6@y_$*YOj7hruLRhj06c z#fSG%)*f1Uj(cG(b~hFtpKmM%D+jeb?>Jqv4C$7XRU0SB(oTe$m(m;zZHF}dx0aM= z3AFQv!yPMk2r%fW@^-+D0M|8sZY_K1sDJ}KJ`EL=U&a?NruL0($0TfS46KZ`84 zm$@3!ou8;IjC4%q2%plDH*~e|l~Iywz%|;x8yOE1--aB^_}g4x8!0W;`p=+0eC2Y? zFv1tS8_0RkIUGr(Ls)!&=ckpVAR{_0cc6}KTu@6P*}AAvSSrmpe8o2E-=1u+5KLNv z1HFz476=coa>_WUhGM;!sQj)zaV2;W=dDq|1xJmBZRfqAoOQF{>}`E;a* zm*RFmm~YV*`c_p#Ve=F`R*B_l+B;YJ>(?;SO{10jh~7doXe^b=_XshP>l7MSoliA? z-*;etP`P4j_T&#J`XIL@;b7s&N}BkcxysRh1)(WIo3h;a(k_WH@e^9+b~TXvTKN={ z<9?AwNSIXnD7%#~vZ8JtNA^jPv8VdmEH6kpH_-}8Kp1!^EGQ#|bEHZ}iU1Y~9O$+< zw&P=Pwlx?IY&3JQnMM^b$y|(t2aPTN=YAmPAwgS$CL$vRpe^t%N&1kq7I@q<{C08#KD|T&?qSxzmZQ(%4+PQZizXeet<+$?+Rr17Y4-yRxgW+o zD``Yq-O?itI?u?`%?3iC=e}cZeI7gNKQ_Q?{V9s1ReBitSn*}v(!xBpn$f3V*zuX@ zsTH4kkScdXuqBxCu2G(0-}v*ujAz20NMnn|cpC`CJ#x-C(#Ke7Zo}9I7esY6K_oOZ z;?fs&kMB%R1k0k9-zp>CO&HJWGb4tmUjmuw9+=F_ft?e>m@ntKFLlc>cchG+KCnV? 
z3yi(1UeUF%0?WT8ltg7>EAqsNIq8J`kvgL|1=hAa)PG6DEI>o2G>QBt=vnOe6O}3ZAkVgD{4`VpGb(?!+cs)rp1(vXJ@dKBintrR-8Yx|#!g1hTE#zc-?b(yt+;*K{-OEW#v_oUl zN%cvRqJvRaAoia2$~$H&=%k@UW!u2aNCFk#M)be+lg`Zeq(m1I??42k{3*}6iu4<4 zIgWR!jpHk`clp6RbbOE}9>kS!n$w~ZjhUct|B!aDl=UtA;K8B1$YSin$XHErN+)Oy z*9ae|4QyevbUloYyWFdK$qnfbZS$Fu&t z(YAX-5-yYTzTUCV2)@Z`95_os8@2bR%Di2YPq&r}YbS`**e&Zl1n|cTZ0O zi-paRHbW&$3qHHBs zV1MadN#612rzkau;5c93lE4oC{9D-)sdvP*+c$-94`dkix^e6ZmIlIOX?c=__cdeE zw=QMpFGdcQR2pr`3!c7wesqD>EiF8lj!asZ`2DhIoBw{$KC5Z-Ic8w$Vvb{v*+i&b zOSKcyxN)Fqu_wL*!W;!qr~fsKp?&u;QUdO9zs z%8mIaB3av%Ja%2Pv|Hx@eR%+Rw3I6w8o`fu`>4*^QZw_@)*oD_vZ(Bk{i3lBjY{?PV1eOt~1C{g{6dK*gMZ}wX*R`3~INKJr=_6 zQ%k2L+}oS;v^3n*7P$*lG?9d@vJj{-06GPnR{n)ec$QNF$9Ia zRiG9UQ)*||$FaJ3o9*{-Ie^o*Ie@dvVEYO%!l|CdCAM&oSw0}uG_MdOs(m7EL2P|t zib-=UTGibWj)l)SaKnT-27Uz+@y^4HSR8qFF!?G?mrL$L;e=T z*XRu0_1W7)Lkm}#9u05o-n;Yuc@6MT-x7}m8m>%)8qjxX8xCEVBg^@Ty}jWj$nxfe zdBEd&=!^L2MO7oy<TinGS;Jo+jd9vGW0*z&_yIUlc%SQc!hJR*?V!xQ3P^i$^ON!EP- zEFQcX#pek#WcwcB$cW>mUj#NU$0JI}1>)}=G`eolFjo|5I{Pd!w; zQ^GWQ?zp12BtyL-XA6Vs9t9GD&pRnjh#2rTrX7n_&TBU!YMJbRMnda4@AA@whPON4 z?iKH&;*jf%nm2NyZh2s$pk6Jf{2uP!uyn0Hy0CU{;@;Z7hG(46paMLc?i~fx`*Z&v zQ&$;QRnxUqO1e9wyHiR+y1ToSmX=mJrMtVkIdn-Y9fw1AcM5z5d>{ONd0odn?AbFb z?scyVV~#HUURd!O?ZgcQ@PzE)OF<&uM4e1B>* z6HZ|6UZjHo-PEnAx5)xu5FE5XA0rM2)7 z5I5YJ`4#c?=JoNUr;NDv;*jb-Q4oSB0Yt!zo-EL|aesdV;W8k?+HJ??=Z&jrG@mX^u1PcQ^9=A9g%RZld1mPnm4|uL!dkREo+WBADg+jdK0jIOD{Pq^9PHF!VC$ z0_DYtp|f5U^u3ZQFP~tK&yU8@nk*t~hlcsQ*}%*@Pqw@7*!uGB3!VzF*(2F%$Xm^v zI6V!*wJfv0gH1{K8)W&E)pawe$P}TZp4Sl&@q&@t z9du;zfUIuenKea>TuIEikJSb5n}T0*4dvP5Hu>r?DKv66PY@%)5mVi-AaC%En|W81 zg!Jvq$VrFOZ%tFpah@UNtXZr{WQET~qp;TlGNdN_40R^+Bh@!e2TfMm93xyQngE38 zjFI%@oLO4cGeL(;0-(3l-nS{3B|?BSPegUr^t(UfdT*i^zfckX$b@Uu7V^U!SuNPH zzV!xzAWy6sQxXxlv)gl?ItRe=VcCQ@1krSoP|9t`Ns?-mVv$zq_~tfku@Ie72N0)a z*9NLd*&+RF`?Meu@lmE?6D5!X0R%ZpqI3{#<8#P$NEuXpVDKRA?sRD7(oyQP8PfbV z+nL`BnaS6s$|dEnE8SW8z^%it1KPoMh78VwQ69zt58B3PDZS#v9Z5Qb^COLAQ^KVq zViFljYhSoGt6ks&57r-3;r9Jn`2K@74yG7} 
zq*(GQ2Ehxnf$JUNBVCcdtb{;)`*g%bcl??LWpu$}f@>~bV6FUHp}8KuhUy8Kevfkn zy|Vjv5W2=zYx-rw3H7&F;5(p))fWgWW$h)9c(wKC(g1p^GN$ESF7HW2!b!xKz}qh- z;&!vn*qN4%bHx`b0-P{bj>ygnInPHVNBQ(V^T|=cY5bhiQW+8VmHur zC9g^%F3RCe{u~Gu^243vdPutOEfL*E?RNww7iIQa@0VvU9?FB;iH5uOT#kNoe8qK( z2HoiIF#H_P`^ZVW7KcNE@GM_n5qN_MG<Wz%bLs--Me$uF+nk2&P)xm*W{B%PDxAeD$=k^wpo9vH`8w{&z7pH^ zhLqFaM_Pv>$pYxYO59Aim3*q}PBkjyhP_B?&VZ6w%6sE&H=l4EtYmnd_%4w^KnpW% z8%E*bmjt-i(cq&~^a!%Tz=CV4pQ#Ei{;o0p5g&Yr9fJB%yk7eDb@LKW`NZ8Ymef5}^&3KyUywwr_k;?*e|Fg8 z+^9Ma9X^bY6f#6GzH&^cl@~9XM#pL;V6Lp-Cg8@uT_#w+aA0yevw}bO;PE(HC|XDi zmDwW`$yeX8%dl$LIO;Fxt`}433}%Ed#R+GhGR;IVrkc}%?qn9@zJmMdkk=rw@!0tK zlQ|7GxDmQ8g6}DbIS__jPA7qNIzmpKt{~52c)z@BhDUj)ucV8q*vea5o?i!% z_muc8Y*>HzJo+UH?}3WcPFMr%QVq{kbt@UK^}IbT9m`lzM^vDwn(;A4*vC~|e6y3l z7n*ZHChwe3Gr=8J@s&ctH`3u${E3b;*MOEp#g??#=mZ~QetPhKt@9RSe>-r^WGCg| z1sp<)vVqUwyRe0ikPmgPF8i{_z3JPFYd#tJ<>0?{g?6sg*8_W$7J+3=;VdqEz8Y9? zc|1KIcjjqKLPayEYn48KmQt>p+s<{1BM!yIndJnXf*YACrJswHr&&Sr;M1jZK#)kw zHKv<+T?n?Y@EGq7$Ws8s$73yFXA5@xYQ3&-uyzFTa9k$A$52-jlXQH0o#Eh3VN~$I z_}``g-nt*IYI!(MeTC6Uuu{Me zCOJosw47>;@nee9W_HQr|x`8IC@1dAILJzI6M`wVZ+IY8Z__#KU4@M;#M~%7q=}Yn0O? 
z+yv)LtNl}&Ax+5nEpiP_H}p{_LGhXoD~eXKJDkb)4aH|A0T3ot`Udwr}h!_ZP)mSUVC#6?vN%C}5mKSoGu zD2pJ?Q7}~K|IoRLbZM1jem7fpe!HYLm*PM?ae=j|K*^j`HuK=;jsxl63IQ-N_qO$Iv}f=HUZG=oZk=?)Xg zG+}Oq<+(p7BHPTHRQ>{$Xz!`wRhO?r(Y5?f=^wJwLW_A9COVJl4Kcy$mNW53m{ka> zKzdbCs%D|sO^$IDuAuQ2u%h`wj#$=*XlSl8!WTE1m=olMg)&RoA5xhbAUYb-);~Sm z`#%E+9g~jV62D0ZZlmK%Jp%4j(=3$DcK}WXsL6>EPXcwUdQj^{GBc)HJW?uNFVaaoyM5_8_=uepsip?p2< zbd-VtShN)*lz=9ScjkApwbODa$bR^JC3a-xz=ZGfHhVfTNlJ|cZnMH9Y|tr5&G+j< z8X73`g?r9alH!pL(H|WayK9hS79j*`?WI5iThd)`U5oxJSm#1BHJHIVC)x%9Uk^UJ z<#QQO9TKi>vFFbnfV;WWAa<9frtY~h+;K>@jgs1YotZTa!~V&4rmDt%tZ&PTaCWnZ zL9uH^<#E1BDr-TCC$2i(o&B~xiZt0hWptdSbWe$5OVhSYG3uyaT&T5Mg%kVn=BYZB zH`B@nd`BHb=VtP~DRhbm{g>=WyNsXoK2|-7yIn+4An*f>jQ=$jbAxI4x!J5<(*zDh z7oWqOSeMMfn8okKuTGF|@<$JTd@DYN(HuX7xGv9-g4X&Cpj5JOSbVeGzIL~n6;OtU z(qOhE(G*g`++87h8b3OxRJw>*_Tl^lGOf&VTg4<&L z9G@A=z&9xWy-M~$<;?)Eq+HeLcz@4~zTRM+f6$zWpLC`*x!=i-^lvAzv#+pGB^7^w zo-m4S7lgjQU+d<^REdwJfHHwcmq`FNYakZv62}ErWCpGPk*W1y z8iAi3B?wZKBNwTAV{MNi`7&3EyJ!)1rm2r}#Wm&iSm|#RY__y3C#tiy?O$KOdaMV% z<*A!`pP&#^{LD0Pi`qe2G#UBE%?}YLZ_?#f5*o2f8I5# zpS3ZL-aX^_1fKy1HbIv{eA9R;_pQvt+F!OAfE%F8iuR-&Ul`r0^rl z`Hm*NuI0$6xSr+z9jagmx-5Y{Dp|S*@WeCw`Svm*VF4gD_AyOSZbU~3(;3G~{ z)=MS$iLNPJq-~aT?CdK49c%MYMy7YJfDY9qpnvW%x04cd+RZzYkcxpxQRkqPQ4fr1 zleBi$;K8{#dS`NG7K5c z#<DQ7{$-!rqtyI;5X6#G1PC?N!e@4obI1Q;59PQ1_t%9;rvu0Z zZ_qMHZR|-m4&?G%6nUSrIVn9fw%7$Nx<03z6GG4rN{q&!Z+YX!)fzm*!ne|25}dh$ zl^0)Fs&z{D*amlwjf2%#uBWWHB$p%<(3(FN#Es_vnrN4oghSfLv2$s?Hg`4^BWgms z?t{4RkBUUN$~V%N|PC`UDOTe;8OL&{nH z<3uvH$L0^GYU@KM=AUbI?|Y;_ALx5~+g_oItTZ8Momi&aPwODTpnNVfwr-DC-9uQ` zdFXPXSoWtRM;ewbzPR7{vN-YG9ek1Wy0fhiKRP)+r- z#Mnd{1(E{TO0se_J?kFhI(8NL<6nas@*@{od^@Bj z-*>$yvtmqKc^Hzf{7nMqoefZFnj7*R9#3VJQ&f+(u@Epk9>nnb%U+=i33eT6ck(f< zu22TBszFiRauFOlSNH&Q!T;Db0x6ac$z4F?1DSDr{ zUF(+<==yOq|Z;zcexPU6U!&-W!pyi97&WyW# zl0H`CBpICMKDVBpst^uT6NuPu0qcb?M5qn~Hmk4IGeV1cbv*Nhk>K{D(30Q|zgBZJ zp~`zEy_o}f96I93tq%ovYwe9}9Nv!}g$F|PV+HMG?sn$qDKZt=&m>sY%6V~=RiD`J z61k+?*H_7Vgo=C94 
z*}_xotI5JH5XyCE7sI?&rMDt+;Z%7coD=^hYYMa!pkG`*xnc1mrftbXFOVtVar&eMP+Ls0^fBmzq&uToSHOV+vN6|NC7X8^`~(6oc`CBK zqm_cisq3P^wSs50Da%;pWYQ8){MrV6NF$I$=HBYgAPbY<;(SJBF?{L4b*I1uY~Hb{ z#;w^Wtaq|2TB+Z=Y#OT6K6K2TNC|Vy);|E}(HOABdH4x-&fn&;nZw#a^MWD^`aYR6 z^2Gx>zV=z<0BxGykN@Mb;(;G|T1%qjki~hPB~|ON7UR&Q=~A!#jT0V+hppLCk6E{r zA}*E^l{IzxD|9q`6Y|F&&O|Hp50ePR0dGlC@}-%xjC@nCH_a|PJ+|K#RTN*m&eoJ~^p>XAlRjBqWb4o<}_wTu?qnv!A*-rh?m( zcx4A%)(649GEox4-R!a17D;QbO=vCsDrYW?S)awUi!L*j0*p^E54^oW-h5TYqHSok zz@?1&PTiR|g=}!7Mr}SF)@jt%rl<&L`-(`a!IAC#N&AjFy(eyYLw3KH7t_0S>9QaR zO`v*zn4!IEF)ZqG%ojdyq)(7AcCWBH;tc?npLfgvi2W<@J~clN30ofjNSb2n+j7vD zyW;9@OUC^X#(J+T1|=Yv86EQ`Qso$JPu*F=mh&x@-~$%pa2BO;LSZihcvZ4iXY&G$ z6NtX+o)TjT?ZCxv*$uvFm(tXuUEsQwac-8=~r{{{&_)?zXqa zIe-(??6$q{?!v7?2AB+VnSG~N(-a=Ad%(@xZfK;bymrz@H#go|j3bZNO28*Hwdq%P zlo<6vG{WO-=Ao;`4Jn(<2Pwz=`}_^J$y^r>j-8cB^5@TIx{97{#6Fx-*buOUVZJN1 z`L4hiUMQnW^4*kT*w4}GRa$UC>robY42|las%b-O+3j55TtQm;Y{!<33`wDsEA!6P zS9fjE%ZbJ|=hf-HGG+F!dqJlKxPH_8$vbOHavdr~))Y?kz~xHdwrGD=m3BuI3Y zi8!y6Eqr$HJvevd^SHJ*@9ZfXJe?=RKD;-vv~pYr=T%eqYoUl0V(6J|5X@Y-m&=SO z`LAEwWloUD+p?|)KO8<0go452wGg1QwU1|N6>Ou2N?x`y`VS%=lyZ@7kV1ox`iqNg z19te*SAS^3nyMz8MY8GJV%S(%6y@gPked1^20$*K9w8)|m9?cL$)r?AAI`C1$jL+e z#l=Oftwh9uqvDW)rXOHz1qjHC-*)q$#z>YH%&QUw@%5ucQQD>E3dLQ&*3j*Sq>0_s z&@wRJiG^mV5s!p+LC<|nDUro)x@T&<$pE=y4I!MLE6!GvJymh2Qya_}u!2<*o=H!| zNtA}tcNY1J(Ac(|b&BMu3|o&He9v?zGT`-mgTtxK`i$XDL81fR6#tPq_aVDgZqw=5 zI($C)8js%r#eCSE;mOseI9swG_!h)JP}otwNzCmz;=4ZfNnIn&WMb7`;L12@c# zJI@(EXAgPw&KPZcHo$mj{Z-1&sm3b5^kJ60H4kk=@v*ZFPSTs%sC_CVv;9rgOgjt; zCrct8vw;Pse^bVQOe|&;uWQ!N=3pX=eA6f>MFNU8FeB?*q>yZE{yi^G8P9KoC=qV~ zF&`R7#(zAv>XEA2j`49CM1&b*bzi{T)DRjYBKY_6#UmC1<;gqwcF%pa zYOlHNwwZ$u`H|x8tm_|L-dc;pTwXa>r0pITF4c=W;M=y|$}pZwiN=)!KiWHDhyY{b z3wMH!I~O(A6^`upKZWb z%FPD$RU-GE)4fPV{NY$dC+OVrTjroRz3iM@`_FL#sb)~=dCxLjmV@@<+)O=zgV66C zwJw2LbDEQ2?ukujf&hc2kg7E?vdT&hHo9;p0x^TKb$fz@4pmh{j6kJARz$!0jP(72 zaqOz}tpwB3Y{}&huh0x2v7{X687gZXr4oL?yT7&i%Js%wv&(-i6D*DQNI&gFF9@%e 
zTQlz0I<<*H^A{@S`L^Y-?fpL_OU6*mSS;le&08Ut+>X%GC5NXR$`KBACHkQ_7Km`o za3-w(#?WwyIB+usI7;4pmjYNxpl@B4hhMIib863Z7b)-~s^OpU?@(8=)}<{C-IXrN z5UESf>0OmXQ|=YJ&Xt!azuq+1JgNH}gHm+w1+YCQXjU0qFx-_N)*J1k7v$-N{evh_ zwM2|SwemS1tKQ5kFKVR+YyT~kn!R6)^bU|GM#p7}L>EczCYUG~hMh;=f+Z@3_|#NY zbucZDv`2>FWxZE&e@+Itu+@>6Sv+asefpO!mOLF8FXPudpMNJ$S7qsrFJ7QuE@(XF z2kd_SV1MzTbbY{A#n7cjfH=@KJzUB@9fA{$$U=^9A6XhUUR!$pmS?aQ^FABHRq=K{ zgjP}oMO_gSP!>d@`67I!v%V(X0FpVBkJSpv)fZk7m`T}R=~$tx;O$d(dHQWufuK-x zw1cE|xmZ{KmU+Ify55$NT2jMPpk9$|!l;H4%>wgkV9EBL`|1*Ig;HS7joNH_Qe0m% z<{7wkr}oDH+qf(hQw1?$C`Ib*+{7S087b>UjT`fHnOOTZ4e%3L>_5lfNJ|&6f3b|P zMLYrz8Ez0ZADq79x7n~ap6{h^P;HXQB#f_({*_|wK-@6ihqBRT^&=M3Tr}+y7pB+y zf{*5%0}jxXyyw_L>e0A4(H{!nGDVz8aOd0YSgWenH*hg-2=@4 ziJ&)oz_k@upzccRM4YnHinF(rw=WM8LF)9~H*YTaeRZGl7XO?onb}0}xAeUZGY!BQ zLcpc3VJzmM9TKF@^A%Fb3+^BMjjf6@;)$yIXHB%YK-I!%FtGo5> z`QF^%O2btTCn0jBxN_LDKGo5V_Tw1UGq2AIYX+jL`jhtOsED|#1r5uyk@&L4$0imA zku|8YXur+lj>po_;>r82>TYHDl}j5u2t`V{e$g~Rdfs|eyF<8TriWjS=>D^&Z#}_k z{++w9*~E^q3)*@E(im&Wv{bURPoaD|4fBAg{t!BleZO;zn80deSjw0`sD>~gQ57Cn zjR9^=l4Ae@BoNRHKsaw7U`GjUZVwBcKM)!&7Bc^l2NfSLXTID?RD!iQQVhOw z)%STZnx!8w7t~DB?>0hp-T~RYu`#CQt0zx{;;F{l0d+&yN^TikzzX~$SHScryN+58 z5=gg~2^4Z-QN!z;qj&qu9>dzZ3VGS79?q6{6Z93L3h6q>G7vwd<}(c|-5u+@^J zv2qLI;UQx-;iuU0~(qMd_Rv-t5kA&sbcTxz;K z)q07M-ZH}5{w(?6>#Q}OjF#PzPdHa{txs8!rg`ZJvpJ^GIIW393HeYpAChramtcfr z4IifHHa4kb2|0sGD%JNp$`h2Bf3L@>5ZCf|iBU_S(7{8FQPXK%nix8*SiU4aTM+it zEUGy0Pbo;jYp%;%8b;NrDIl}-ueWA?(>oR3%8B>=?^|b>-Wg=bS?2nqL}?S-hgKq)-7fut2t7$J+#w`#Sb;$nSGe6=u{%WQ6o zu@mvxoqulQef%hD?XU=d;jH4+>FTIJRTB?(B8pDx%OvBYLYF1mWnPX^i6;PMzn<2t zps}Gtjc`Qn@A?-frd3A|6(jI&+_@%-2G?7p$CJ`_>6jFs);ahN{)$e{gaHdLFZepN zzrrhBBF67b+nkctOuy1q{A8c()mpPaawYb^?x*!cEzfKaJa3#=19;D~H1A`aC6l}L zBx^FN{RO9C{&@0L9W+;);)R=q8@Pl0vblhEWw)1_{p^vFy$lR*x&+D&akh#)OepD~ z$SSs}M(l_0NOE_gi5x!T1k&)}Yk|f)y!fZ7n^QPKm@OgmXtbFu1sDzW0LCY0itfIx zf$4Pn37eH}c^{O^C=Qa7t(c{_%K3wJiXaZ;Z2I$3lw687gGijh{P|*;3f3mV-4;te z&80Ey^UQ+0>hkEjI9S#PL z%wwsxJ-hhug-L_j9sjI?e|r#9*Z5uS&E^>_6rwz`;Nn(t2Kl}vZZEqR8-ztA+ 
zgM3r}`-?Y~W0niWNN>NF z=_m~T?;M7P_V|mf8wc;DQl$GbT^ECn-#!@9;$IxYazdtt;b~RysytDe!g=@;vjn^<*h!!oQZF`&1`h| zi?>S45&7=&^C8Gez<||n4<$=_5BoCia4b7xkFzc&3=3)E4DKGjbO9iJ%yr)5r99II zn=?oE?9QMehxJ4gTSIUzX_IAGi^ipLLntw#kPuy!OtT9Id47Z{QM9GBhA_Lo$gYs! zc9r@VXkXQDj*c1(p60$WqcyIk?~UIl*N8Vm)M|^FfX;p)Rp0y>y{n}aa7pq9^wz2^ z3`tq+cLvz?bj+MOhF_mx86+ zHYjvm#8^*qP-=VQ4DcL^k~@`7X)RSG$L+qHIG$bqP+Q4}^fR3Qqs(?-l65=v!4ZEN zA$d#lBa5)0+5xNnl)o=%s^QPK_718`(ejI$oGgat<+{cEsEry>PYOM+m`TpXr+M=R=rlp`Mg2!63~2VYe55p&Nu* zR{$ty{Ba6|XKR*bUHH&li=ocNBY_egkY`~0gt%D|q(yP!LvS=`)eQB1M#*cwk;Q6P z>1UP|QB)I6>_gXlWk%LjiSZ&+lzW{@W1vbEKSP?QozaY8`Lz^_7D%_=fL>gs?nvDZ zBJ)zT_x#GDFU1u?XfnKmwziGcNElQ_Q!eyXhX*g^uVsZ|;lwnwqBW{4GD6#olc7cZ ziJ3*9$;hgS*_Dy2N&sC|ihlL*#jlFy1#HpJcIRgUs*1o!pW*4R=}r5PY0?}v>2q!} z`eWbpmZGWddLxXS2>d+AYMqFRchaI`Ja3yh1 zs0)M&Dybz=)ib!(I0;byf*;x1Gu08oP`ktktWUa!9rb1{&}rEFRpNW)p`*GLRt6vh z$s7w?3Q_Xb$toB>_=^=x7s;jwj#{fA$lHyynN5yeV?56(JmiFit|@GASvl5@cDRmT zdFSVRp=x$G9-R8p(if z=Nz0KYL2wM;s)N`ZFC)o)uV295rXcWlE#7f#PcQXj#SP1NuloZCcA-U1@ovj?)vfq zW3G2PlDz4c;&ja|B`j2q!&@`!7E;~wtI>`EiHs%QsiUtjy)AF8i`2rcWb~%%kGWDl z6q_qcStC2L9>p4iTG8RWrRDdr9T}*@DD$7a6+Q+t3#PFVtyxf!ipzjge4q~w>^v-@ zDAv^X@8r?U=de*3e37_mVa@8yfPo0a;4JAq` zt6gXnhD4{;PdXg+{VEgRLPP47Ph;yya>KhRzCB>hi?x;pgkjqh7~cln5&gE2<-_Cm z34cOYV=QhM#^=;#zjOF9uCv1EP~&OQ6!FFmB{%LzR3$$v8RU|H&O5PHP}h zuSHo#$6>5W zKL3Z@z%_x#t9NV-d(7ND9B@|^IRhlK$>3079x3J{3uT~D071yE)UB#wXl3#FI#)TV zHJ}zl^H4pH=na+X{s&EH@Ya4s&zIBu*Q#@n+lh4ERKG?Mpm~(S> zm8U5^?rnHi&1T>}u^N#1VfS!fIQGUaf$JcPi{Jx(LUhUaobJiPwM3eVL*$Iscs0YN?nG2m?y&3T-8WC)-*u)nO_fN$+2CY{PH4pL4Iq+b{EHcXC+dW-G-0rC|&(@C5CG+MZ=U?E&O7P&O({+qRq^X5jr79lnF*Mj8EF^4*E^zz-RX> zO_E~bS9)Lza(cb9@sEil;90Sa`eo)|!br#u@ZtIbRj2fHXZVTDH9#Hx#XCzEmecye z2w8Kpx>)0!k?Hz58$TrIsVW8y>$cKMpsYKqLV_U@h@EL%N5}+@6WCGQ3QBr#YUjtY zY_>D8^s41ObOAy`y&jgc(;utj*d9CoYaP2^m~kYCcla{6f-3! 
zhMjp!TclcX--Xu@zWNJS{^E!^RZP!P9{?ZbsX2hjh_g=@4yV7ND8og$j=`v;SO_lW zriq~?U)OA|;0tD9=&aKl} znS5&prTIZjaLo^eXqrju^VzIH(L4w>3$2fF25^WkCdK8Fx^~?Lj-e9+?`bOP?nn4| z2bW|CH6^;fM;EQSUW0Yx-5WL(nZ|(mRQ`hW8xOASz?}jp#GVYVyYq*82-79rjRNZm zMlH`Qg5%gM=XPBe7aYt<^q3aK+DfXcO^EQc(<^L9`FnRJ*_kF~XJ4~p?2{fZs@aPi z7Pe=ZXeKf?gY6qegJz2{$4dxS@_CPa;HC+iBpOAnssSmQh`PDz%-=WsqPAZ=k=djV z!2`mQ{;KT-87>?;JBS3WS#$aN+Sf`K>p2+zdP%F*n5H z*=usE`@k?5UP|WTf?CKDYuu;KE3_1n#L(~m?Dp9H;xkO z!dX_+oe?N<@>yGnyhv?ts;1oV9y>3A zGj0x{u+SjkqJnM1B7}9Ncu~=yP~du^q3=u7xXvHI(3D~*&D;$Q1~W%aF%c%Sjaz0? z2Q7=)Zd)Yov%b;0s=J|Dwk~Gd*5w*IYLkfV2lrK)?MVyC^BH?9gAW!HOesVkoTYv3 zYd|fnyWS;QJsvr&rM^FRSk&{d=^i=;6OGo|U>C9?`eqF*&8P-UO@<385*4L!#AGEo zPE@l+u%PDK>=Z)z5Iqz(gw$?pd9fkLjK%)R2iX-)-MWn!Luc5te9VONMJukQ??rFm zX5NJoQN?_mG0EPnwRaLKNFQI1tNksT@uA5p@6))qQvr3+g!Pbl%-$WIPnI! zcq!lgH{Y~y(HvrEa-w;j^qtzbX|xmQz80z}?my)3ZVK8KtlbdC?3U*1 z9^Bc*V1R7Al8iuOF~-g?oi1kkwh%Jhb*1$BbU>so>ZL0 ztzWLK+8x^7rSP=(I-C=y@>!Zz#NsN95u}GE(^Yb)$v8@87lo z#}kXz^d6J*#Fd>Y`D>Oxk@(RysywTMxGGJLXlt~#b`*)jZ3MRJ{4RDr)iG-NvfX~ zNmMgG@3cfkYDdm3$v_I}#dIKFQ8%sINHKQC5Ncy%VbC*fU>P_`Qhcd+R+7^Q#OFz=gZ}!|`XU@-dBsSg={G`( zqLLa|nRh*nIRDvp=(hb8qXAH(hEHVrUuSg}{WPP9N2NfRBXy9pXPo7X;E8&Ds{XvO zzTT&%seIyvZnMv}k871PYwG+z_bIau5NbvFtU;UK+vTyXuPhEtKg%mWiVm=E%$uOQ zAO84`yXE@eUOnY?GvG^;*8(<$`1^z$s@*W5r?l){WP zjlVI3i%(%LcyX%I#`*kmbgd~9Pi$G@GY03_L=1Pvi*i3iFm&?7XJ8-m9-2UspFvK4 z|HDh)^~1Snea>23>`(=-P7zFlr9*EBACX?YdkvT4ht(-F5{pOA26g>HM8^uUGS+sR z_Czu65xDkMs!QuE&51D+Y^#xda_(Wcya=iR!)b7)qmR-_OKwm&M60(MJ3LxKUbsX8 zoRjvQr1I%*jf^$2`o})hTvnEy+gQ={&OWmb5x~vm`zqdT#;uHP@)M?p+QkE{O>Q2q zCd({IqsGfYVr9xEvx)r3X|>6<&8-~nu!|O;C7?N8L16i4IoP^4&VSC4oec^I#`t;ZsKaob4lS4T|dI(O()#)arDREl!_^gi1p-ZvBf(|iEZ!HarY^42f z#eDJx^#XxT3DvxZ2ERnp#)cv``<U1pqM!$nvIdo#@fqKH`vtPdL6k|-N(tK3Ec_61YO?sQncK$_^BD+6Zu<(6h z4*N0e=$AkU8TA)vj)LUosOrY08%Jufi7E}I`1e)}$aQ=9XHpt$%*$LRetZsObatIy z0FYWp4t4teau5?;vqYyKwaO#x+*=V$q3=Dgl~J*?^)BmvH=+Xec;GbB3Jw5F)UF^n zn~u>65eE=seC%&gA{{=fE+6-KkI>M~;`}0Y-@Dys!LN6YGunTOJQw$nwgfX5cRn>t 
zaX)}B$FMtEx91&i<9jTREctD_kSdJPFJqg$na8P~y_ z-0X7zHgz+@c*^QD`Q=Ih&DADx#A+XZm9ByBoyZDW&IX3{m#q4!YmN2xWLmmla+K*2bZ|K@9|O|GdqY#Rw8Oj9W%bjZ zdKe~{h`wa7$yCGJ6A0tb9M}+mwoHahlDTij8Z02I_tFU_Ev3p1QB8(cT`xhoMmCmx z;Q+2H0y*+rjAd!Mw4d3q)(_S#P?pWrEROefE^aAFZZ$&<0;LU(ffF0qM-j2rA&jbS zo_SVol(y-Yq@V^7vwfuLI;M-!v&9*9Eo;?XPJxmJBoZ4s*KJ)1!^NIE>*Aq_-jetu zE@rWrOiur4->VB#(a;I&E2}e;BomL@cNIU?A>_)Zcjt&>Q^ptY7xTBG@S7V3l}L^j zB)={nodw^=Eibbqm;B|=k2|*G;&eKFg(^JS>DOw5{KDYyKHQ-ziWoAk%9xp=n7E=g zFPX?BSoe|rkvEsh(r#`dRKfvXP+V+R#GVF#tzVRAubf9Ym}m}4NK5rldX!D(`#+@^ zC4!0v$$mFYeDj>Si3m><@Py7?qsz5_i7x0k2%4f1_QTsbpPt%*qbRq;KSEenx;dW zlxkiB>XTiLKW5-eX%8pSh}K`$r7y8=kl8YhrBoFIBPKUDRn0s-l)3;&70rVd>ox5& zV}oxz{V#2Zf2C2fZ!=BXU5fda!Qx}>#nj*VZiCwZs|Sn`b$;uypz8d#B?iV?U0SkK zy;tv09R#Idja7Uo<-mhb1rqFn^%9V`Qm(=kKa+h1X&hu?nXF-grU-B1%r?lQ%&ARK zep9Tw(%Z*LM5&sR`vxD{4*j+k3ln_VD}z3wH*uhFK~tRX&jyV5GP*I_MoO?3%f7j6 zWz~WUgkOI+Q9ik;dZ!+vwmVxGcxH-hR(IW4ETdI)*@X>qYM^?JnDw?aB$%?iZnikb zmGU`|)xso`#}!Lwg?7zWtT@7M`)#Z@f2k^E;xxIWLMZ)Y1ZPp68?1$WIA&4R6UY{Zg%#!AMGbDoNoZG;ity$t>sNnC1l_RgH^ zd)~0U8P?t<#b#EcnH~vZ&6vbr<|r*Vst|!p5!Y8l)ld`4OA(%wO(eEZ149xuSXk8% zQ(pKD+rns%#J?=Z=stpWEYZ$I{Xb z%0uehuFa;@uI{pPTd-nzFGL55fmwNuVeYDgG#5M|r+fjSMNSy#;Utkk&^!YNjkQa0 z9N&IDGjws|Rj2OW=WMuV${4y&L^U9|IE>pC^ncC-;C{MY~+?TrNd(71jR}Tb_>4o?KjAYF0Y#qwzh(^r* zqM3oj5ipt=Ku9sYp%Y5=4_d87X$pf|5r4=H=}KjWZ-`+@`R93K+^y7{xl-atME;^F z{IubQMQh!71m4d}ZG-IyW0RD@7Pe?toIhuTf9ca;vm$!o?|$Q@n=cVsnhR*)cQk%5 z-7BhJ(oG75nX!MA!PvOG{xeQ=l_UK_efU267~a!Je<#^nd`fUl4ttj4rzD}CLVm~~Wt?^Fh z*nEX52yWWK+8vVeWqQgzNOy<4!BrJ zP%tzy1S*o1FIvXqBjW$v8+#niK^Ci6wn{}Da!FLks{YSR?9pDNrRVI9Aa{sO9#q~7k?Gx$+QpR%C zE?P@6!p5dA5Dt7jKtr~!ES=s|kZVXGZIM5Eyz{-vJNa;bj2KBP+2DL<3u}k4l z8#wTPmz}30DiY;tVZeHFYi1(3_pnDBR&?`&aYXCw0*< z4i~YKs()Gv93PA46O~Irgy)VVdGtd$M90Yh27RsKmClkG@q4D*Pmj0l(eIJEy2KR@Oq7@;WDachz;xxK& zJ0PI^Tc~v+!Pq54lnor>zY7({$NCBFYN05QL+@b2js>1)zToFYmW%$>4d;MOQk+ea zrz#Ans<|~Nilp3hrsX{z?sIG*ZqG{X$tTH}!@{Q!DQ=#Q*%mY*bCvi#10I(mPeGJG z)Nnu04#`bs7~H+GC@<_r-=UrG4Jh@uDQrStUn+|F(G^aLH&jDa(w5tm-T8sD!p4x9=y8T5 
z&aD)F`~lzP{{DQbc~$1CZ6TJO?z;VCZ1I>6e@z)Fr6<^wk$${|)YRI@qlF@YAT2(J zm}NWS(3e754!x?^Mp%xS*pP_we!2P1)pdtnwwkC z6vD)|m0iGQ(bzfSvy}4t@8Hul@%8@Zimyb4d=*4pmK$lxAes(29&r|Q`3OqyI!FBP z!x;JEWJk{t@9#X*@nU~pVLa6{HC)*?wD=4eE;t-Qe#+4Lv*`#cmSPyh$jzDdZe_a` zPa6IMwyuu*tlwL$T{wKx^vv}u#*9^_!(dPCedV)l>WtN=@OZSKz^DCUNAh;M0AgTe zqWJh;g@RNz_tHF#e7=AcEh)s5XhsO75q$>eL-?Whg%~dI`c-gs%I%BB=m~d2P`{YM zNnvZ=3e2`TND%|rf$La+zWd6rs6KZbFuh%?RLxG4I9rx*5yJQ>WekE+OpRH$$M#)S zv9tbR70jAjs-r4~{eNV=bzGF+^FFKsf`EjybVzqM(hbre-Q6W2NK1osOLuoHNGsjF zbi*#)^;_^G@9*n*{$=l*bDx+w*UVfq)3$S!E_q#eOTu7a%3y}z(u9!3`9DTC7~UP+ zgw>4`YqvxHeYN7uOP=93F&o6Yf4L0s)^ftRA!u2uue#PKGoOEX;8(FRMjIt{98yME zK3f)P&0wZ#RIqA;f2KizPIs9obGo@UVOq9hzDpoo=%ML|93Uy~Ah$FRF5%7Ar@If# znAz0bqwi(rZFnRkv9TI`ftb4^h@CNN7K+^})Ix0`l!H2y4oeK8oB5)2ds$(gTh6_8 zdij~eoqm5Af_mE(rrRDk>4I+(0s|3|AzpLFn*_}{kPFqx!a<1KCw`iPX@MmV`8j!k z@gmx*L;IT+^AqE_e$oX@zkMXl3%1bkTvxkCnwKS$#6c=qLN~TM#bLjlB1~n$9!V~0 zA-ZT8*@qrgV{9YmWUdQL>vp+NL3h~y@w^Nah7B&pcpw`?_j(7vPG`!%vzf3Z<4gq9 z;HVky*7|kg#`bgk)x;RLjkw@`VCiadc8>wa(`22|yKEqnRq!++;JY1QS)mXm%3^&J zpj`XT=1Za&!U(p0Km#;xj9 z>!4x|Z}9R{By4`M7<(+fSEiH{^5N#);mMlQ5$Q%UtD{hV_vrC}=+xl(Fv$1mF!(KH9y zIKl%|p7wQ*9IhC$uPNB-#y{ej%kGpX_<`o7LQ)B->mL@FU=wpjG zqZqdyv_K7D?ms?X@t4v+5O*=)%FfU^vaR!Wp`&@dzWTZLj4`@Ks9dOa_qEwsi!tI<= zsS#!p=uZ{@qpmoa)3m|n^eHzl{I#q7C}_r0Gz ztU=b1uuG!kKY~aAxvp$t9`#g+v-dM3vWre>(}} z-lViTU#Ph(3Gi?NpGljt+W6J;OpjK2c^Y$S6DbE($vZTXZ)pWcvep3~KbY z>(G=^ABH>@Xgv5`vs>ppG62hI7xrf@6g#U~h_=q3%EPf*PcVDKr(+$)zbG73gRBk? 
z>y+Y(=J5}}rd8$>nMbQ9K^GQ4`l^-^m+*wtfUUDS^Y!~uY3cOVlSPifUAMJ3OYM;J zVm?}#VAeT<>J!tt6u7FtxmT2A0$Ahauh^EvtrKU>=D)Q?-1FXPLCLqPjm^4{07Dw6mi+)Bmx!hWH&}UCc*qv-EU|-d zI?AS9n%|)@Xwi%wM+&@m^?9PnP%(j54Hvpi?Gkd}$wgCRN#rO64N|X2`a?e(spPFP z5B(rTU%>XCkCSz}LSFtf#-4X}OhFwQl*O}E*RgP^v@<`_<{ z{lw0)q?c*BOmsTJ8Ow#E$uPrea)GFIW5rM{*>}<1MZ3)RzB-68^v|YlVzGGBrE3g5 zKRIMoAsp60wjWL_>3ai{8z;Fs`jA|F$)#eX3{NyX6=7VU~j~3=P9%%zLv}Q-W+7U65)JgfuK4+4x&0Y_A{&~Bl z9bx$3$Qy8d8zJEVY3NB_I6|%Zd58y{Z{<|0D70zUcGlcM!#&8xAGY6_{#V` z;OSWB)LXS9*=qb*DTRcgxIy5WpVn-s-J*H48#!441j^%N1&!bW(*i206D{W~xM zvxbj6izM%aCm7u=^~y_UqK0Ra9jiy^Kao*GMtB465qcFC@KpB)}PaWxypVTB59Tx#G{> zzVNz}7VaOkef@f`lBgX>EAdSO<%z-S7cK*79|{yt+w--awIb>uVkL7;vPV~oWynH0p&w3(P^7D{R%(J z-)wE+uX&z?Wsd{V1sZ!F4!fcgOocFqi>83xCDccRVxKe-olI84wt0^Gn&-c0#E!lVFJFqFA)vT?r*F~fgkeUYng1tSK zw<0Zbvu2%t`Lv+r`gNqgti*p+;Jbusj07g77X;+~zH36?+{ecUC`p3P-<$lOQ9nn5 z;J_w4uLk~(>K^Wv-aL^+w_H;+vkAA`H|}k3P#@nUp4}|evMHK;Iz*l{!f{(U@0<8S zKgC~_SbUAJf(dfToDud2ybAM%M!eU*$btc7k1|cmtXCz%IZ8z$?O-(CoPPOsg#3I4 zZ>Kv2e4CFVU#t;6oxywDU~jwOG%M5VO5J2A;_J2@uY)U?^?pBwt1h)bM7H<0-=1`M zCgUZl-XW>pFXZMeTC;<&AB>kms?4aHvG4H}ixIZEc^|PgX z=9GwDc4t+AtMeds^b@?aFeV)f%HHGFtj^59n=carTDBQ{8np>%4TAx0$Ylm*Wuq0a zRs#@NG8mwbOw%~f{foe5SYu=}>H81ncg*q#`VqOKg*6gQ`rR)&3I30|gY|%R?Id_< z0RI$Jf#|z;=gaA&j(2sLEGCewhlZ2La@<;q$VQO=8{{%-v;5I7e}@72A0g2+?ssWd zja#!I%+aGMMCAyPUoQ>#Fmuaenzqi%VIO?^ho*DWItUg~7sFj46Vs=76ay|E;D}9r zTEmu{p8(G?3&JI4raN{CCp+>|+4qK^?}x=-R#Tv@up-C>o_OQtJdlhK7f413Sn;|} zuK6XM8Jg^cfhcuI$%GOkx2#yupIC=-H~+-j=OKT&@Ew!3q};+WUA=s|DVn3#VJ{Y7 zYZb`l;c_p`-aC?10|NU%Y0Hdd}bDTXfsFJRRjCzO)tq58zWe7%s8KS7Y#k>@KBwT z?wwX^%twcsZ_?(-N#%xL$NF|~(>3KWsFSUM{G@m15UL4?P56WY&ni3yeA#Xd->bn)@q@^Qxir74`O-;*Mv^!fMstAD;_Mm2^Ukx4@l z$AXf6*`0Gd6aN2XTr2Vl?!bg!Xu$KYK8bL{zg05gb6gZs&_-oCeVr-G0f&d zeoDY|M|310-sBYuJgKher(MKvoq}W%lDuu3}RT-2_w* zrK||CUrAXX_YlQTmQEtrXKi1$=YzKbBohBFi1eiGr^BJS8n*Jtn{nF}y3a?n>+2Td zAw8(R?PF;7h+Vu&WjLBlu3M9vo9r^r(aXRV`xuVSS+qOFFcUilj^NRU$_8?a< zN=PsP*mmzT9RAz0r@NKi-=LsZstl#?BVP@E(J?iqJzKC7+y`jh3r7X1HaKd5L&F{Z 
zVqAj)*nbl5hcf5q-qDoue~yNsA}IjO%O!5F>^7R@ zkA6aaI!7S?OoB&c`H@c&&&WP%-F*|ZhbpN&K~gUCfm{O}##~WU6o&j2_O8!=8Z(Pv z0uA`~?EkMZhhVAZ=u6Xl9t7sY!M&}m1psd6o~Dxoo^gANaW3F%-G^Z7*Da{T?`4mF zO+j2>W0nwJ>U7Ea;au+eH^5yEt)))aFBgZ4yI^u7R#*A0IE8*vuhBI&l6xmR=>nJQ{HDTqF_n zIM(zgg~Ls#+vVNbtAhbMWO=plq{Ld59`PmuOVL=t6kT8PymF)Va}tgEew&g^U6esm zR}W(_3lojmZaIWjT2sigdlo-){ucB`R$&Gg9$!m4{-o4FX0{<7{81`sTa^e7^>o2@{BKGiaspk*P z&8=5^H{1=X$Ybe^^_>W84_}l55MpR2tj%_YsXS}1+dKygPQ9PDVefb@ zqcLl!XlSglN21p3qH@iZvSre$02!MzBhovB5BaxS-ZmH4-c?t_y-VKN-!F=aZGJWQ zUs>3N& z8aDnjAC*YwY@~AA#)-CL8~Z8xy@t^nesmNKg)cEq`JK$fosnUz6DusbM7FzSQSE>2R^3X@4PfMHO^ii|t}J=Y&Xuoyz{NUTT} zYZCP-HPbSAp%9iu^qn-j&`IZ)<_< zJ9$YfJ!(dVe9!k-IYUdIjG;q9r;ErfCM&s11qV(=tukEPi~BpE4t24 zgrQG{{H&MkCWVi)nxk9bNZlR*st&Rm-tfiAP4CI=PWz3q<4p5mwC?PW0Z?fgf_L#X zR+WW^EgaR)+&7=Q7pC$-SMoQLd0HSc&Jz#mw5hA&P;T67MRdSS{+j#Uc)sDu>S*)l zF2JI#F2Di6tZ(W%x9zGMI>ZJQDJNF_?eIV!B0Mg=w0iy;zrO3gtmcL`%f_^ie|hb)l4T-bafoxax1u*Z&Nl_m!Ay^*2hHlPG0;A|77>PdOMO$2I^4mBo~P)MZ^v?pX+v!W6>doHKt;R#LI{Fe`J~ zT{e#$Yq5&l3n7?%R0~x<~W@Ru){$r&z^4l0gK4;a|t_ zdFaoj5a8hWq?npg6kBLln2GeHqKhxwKQ5#6&fj<=eYP4H>%4K0=PSE-%Dx79&z8Bi zY3~hbG$-N}m?A-v<{6w{WKIrMcfSGbl@#0@m8p53xC}`6m;=q*dU2!?6K3k#rWLC- z3@xpv^$4*R-FPd3g?F_IP~&8HWMYnA4$I9TD=+xU@r$Yh%$vYYglgsP+#-KMvJaqI zf07ty+7LZOa<}w9WDfbhVT?hr|J*f#QQP)kMuB)b{>$ZmX|k}v(I^Cvu%uH8XcOe@ zVby{k5NPS=iz^+A_2IsTl&8ZWW5%F-a7J9o^RS)`Vg$1ogbYj3vp5tsb};szDDMn4 zP4KyV&J~JxCNX*^u{2ED_h*@%H1F~sl5{ffX%Ii^c2)9(cs>$QAGK7mNlWJFbdx#Q ze(xt>&N>Anw*^hM(4%U1VP`k9az0IK7F6KQ$WTyMlz9Sk-k>u-oXq7bh}8ngW8d;R zPea1A)yAc5DNhkY2%fOGg9b&jf)aIY7VF%99Gw|k#^3BCv=r36Fr{2xe0kn?WY&dp zp9{GTnNenZ@qKV`UJ=`Q8NYL`3=OLltcrobI(C9=eoDZL?YglfiRs z20@~2;=m)|cl|I_;YVOs4*P0zMfW>`J2$4R_wBuT+cgRD6XltQmocD@;(q@}o5qKj zMSbrH#}%pJoVJp4%{6UT&xX=N+d8sl&Y!T;0qz>3>I^HJ>2K4MPHVk_s_VmF#iKN)th~tw(cg+Po7om}_ITZbIoVBS3 z4H$UL>SK~Z?q^Em0X0Bz(uee-YF4PTiKQv?sa0xjt_m(R`N;V}b5fhA?>%y@Koi1@ zPjm#bY#jng5Rp0GNwf%Kn#5*NHl(D8)>X@dbI3|NEd^(d1*X<^b=u2%~#!iLAV+3nU{`n8YcL$U$WU-m#J)#u6cC;OrJ 
zEo*WYzqVch#PA2M(`N0*@h_H!#^G6b&F`n^pzlE!rDZesGTvGb^#r^9XDQ}tuGh87 zr&X5aicP13Zn~M4bsG5|)@>wr8UA#o$uAQp{+L8nE|tmOplJK9SbL1V>n;LV47~MS z+#M-!1}*NHdh4tC_M64NyFVL*DC7pcSmqu|f#jOwf+Xu_5b{^E}bIqG*FQdlnw%O>Z{JQIh-6C(>qWl*Z zwme&w85#sMt%gk8eHIXlY7H3TiW?J9^D6Z*$n_yRm;j_tA5A z>PGCu>#|0ze2)E;>%s@I>?Md=lw;u_?lpBwmCx@I^a;dBXkI11Rt}Cb)(V|LJ|>DdE_sdnoyp|Iv!ZAG68SRhz~qJDz>CM4Hy*&{ zflgCDd6iNM&`=I%TUEDHF+v?8i@Y~4VQChI&vEk2&WUb>Wm9bzp0`M_{p>Uoh8AnK zYlrkh!gWSA`_-J*cY`fdIwCVHN^8xw*~Es@aCs|Sg}}uxtVnPVUm!3L7nczU+Ypa& z)9#~2fcXb$)BsV*>20cL6?aaC6O!*gB+-qD%=N?UKR$b@41|$k!w!00GDtUsy~T!I z-vtohUWzsQy$qVJe|!*V|?u~5g|R2|&nGf%Q8&*K=N z1jUh^z0-q)@+2vb$z*o6iPLzUJTS*0NaTO1>|g4{x4K=&-I#ov{*rgWv(Zij7kF=n zBYEs+;HyySVhLr2hG1>!IEKX?Kv2Y-LDr4h^}P?f08bTGmDgUanPTrF_L8>~GhBoW z742;-c}S*_z_r3^_a&B|ANHE&P8rS68JWka5uw7w9+opY_Q@Kp!W#K$8m$KGzMk7v z5Y4HIRD#_Rbdg8;`;ehDdZFi=tRWBlTRZJJ&K>)&e}Gy`5V96~AjA^6C6_Dd$qR1)PHeBC)EY0Q_pXW@z?)5ed^i|Q^4olD)f?o?9-dHGoLy}y@(di?ppUo&{S3S@<8LKZ$S0(=^Q2 zbG~_8Z`jSSJ)DorTYk7maVE7$&4LchoJ*M+-uZ(sb+JLm;nMpx%Sm^>ol7?1#QoY$Ud;!4w<9XpzTev zu=V=us-^J8bOJqHwa=5wtkvF=1H!M1EWzHBZ49yv({bFEJ4I&hZI%7`vKb$*Y!-*w zV$?JW(PHbg)d1A8M)_8!ltz*Akx60X;+g%AGFY3GZyO0=HzYG6}0_{Tu9ETYsgn7-Yt>LepgHlEv)QWf1zY~Y+E>RG$rdf zVLTaV#K~^zuz#9#;;cJ@z9#H(u3&I~J{)| z`=LmZ^c`^ATjLDqBV50pH&E|y^qC6R$WRql_Ab-Jov74PLuqB=q)w;>%`wmr-wXe{ z3sBlTe%d>5n5F8CU_Y(pQHpd1_f4-~{e(BcwftK9O>gf3{PY5r5R+s5WM!dxageQ0 zM>kkAbo{NuWlIv8;1;KTV2a<%Djbg8pAR29CwoMqAQe62##7D*DNB+`Hs)^huXK>H zQpN!vfj*s!;$FPE_+R9fB}}o{BltvIu^jJG>|L1%+hp~ehAu3KH_n@guI1`(CIxPA z-nj!uuR1|k^Y~Cn=ZmB1JG;5OS^c>()P3Xg4~De@cxP%S3h@jyO{*(G-kw%oo`+t1 zHc}_J6OnrYG3~uAx!}I-^f=*q#(DBk9$i7_zWGgw*>(4|&U1|<5}9c`_oRNLbzbXe zlh~0OtIKYhl&v7|K<#7hyW`VU6KhidUkBKP7dAa?^OwF|qK3JZYbWp5n}J_0oI<#} z{T8LC<&)>EwyUW~aHlMZT=LkPys`T4`Ww&-X%SEhDbcEa$~YRwZ94y~Vug|BO5_Uq z2ibmR>@aQp0S>tNCOJOc_!le-DqHL;=*>Sn(M2rhujR|RzT~&nxL9ZMEeoDC2s2-l zDw-OLEd`PbAQuttk4zMwk*>PQ&(BWoXi0ixXxD>}>hrLo+I9-~&%}1~u|0IqI4bv2 zYeUNXEs@vvswino+2g!cLP$V6zokMeid}~fWG-BDYJLvifb1`pYo}pawtY3R&b=LU 
zl*R=3V!?OJU|hc&<3DEf`1j635X?5hB)>$k4WWzFmW4P3luGII)H;^%w1Ch*SN1@A zcAy+;VCNf`^bSiF8ET``;9IVdpaqvy(S}H2VEXV3=)WR(Hmw<_Nta`q-&{hY9sV_~ z9r2c}he2m@Q;bIugRd5H=Pc!0M=!T)jGE^>Goc)Yx2kKjKkX#z|FG!;wiE4_hs1l% z-+5?%USsP$4%l4X(#!I`{s@)XxjU)zNsnJLa=_?LBl*E8XgbB=ZH6CEH1}Gx?@U2_ zMv0sbe{F8cbEhYsg7qPb>Y$~&z7(`L6Ei&Qab~5eC9SxB8fsqwyfj9xf=a_01;5jaXMB6RkIyXu=68x( z7KVLVlE{pKPC$3i0cXnZxN9@D*K_7uHc?7BvbIKmN`*}6@G}eAzHzKT^>FSJQ~c)kT;TcA>2zhPTmR&Y;U}IWf#6#SYzbPa zCrcNaI=~fN*Mf8M<7iGSuUnTXTZG~>5TyDh;tu8N3wyP!26LLzs$JKB?e(5En?+NE zi(@!H0F9R&6?10p{P&(>%-5c;S^FPRFWt%MgYLMaCnlNxkZ;!}y*thu6-ix@IAs!= zeyuK**f`1PP5y>=?Cqw4|14P6@6CW}qCY@W!FQgR&`+AjKEali=aX>=C(JBeS{-v` zH|=iLm7T4}60ImZk4o8Ys9oMbV>n=e$S&0!ZKf|<<)gObSMJxgYDjN*NNEkQ{aUUY zY=@(5o9navvHS^c&v&GqX6NqZoASotj*jYgI&N0%=~7H&LxM*Pn!d(;*0PGM**#p_ z`AmooOw?_!-Dbb`e{&m?3K4WC!}L~XY`47M`#C}_{A~pOY2-dX1CcAq28c1a6eMvz zRQ`6r*!%M(FDOp`b1>s{r^M2QU(pK>%}W%7XPZ&5)b;y^#v7D=2*FhFEuq26?gn@f zQpF9d*Td`D%6>n5u_(k=eD>M8kK;fR+23o?1~^Nz?7?4ortJvc7AAY*L^#v)n;Lvb zC{1)ECpLEbq)+16HgJkZM@Na^L@dRpU7W>u!4kDW+`c9Ays{N42dR<{7hEyWX+%%_ z(u7)!6Hf-3$ulM>rJ>rr^|OkH^XB!WkOe58_=3vVi{JJz-8tm3tfjE9TEUF-CjwrHXX6zhO-`y(a`jE@44pIQnp^slohOYX?ZyTdyAPq zGo`ijFh1J*@hL)Y&J78KI;lD&J_bUE^c1@!aVUgTE5Q$j0$3VpFeGo+Ahe(?IOZku zCiINH|DvHz041CqU_P@Vbbx@tBMU4Ud>%Uv!bp%-lbX_J^GZbmo}wC0l<7oqre z`lUGsLsa?=fZ?s%b@02MJ?}ZCH=O2lYBWGf6+E>)zY*=j>ba1AnTSn-OVQ z>8}lQiKOr7m?ogC8RkUxULEs(x?E}DI{kRXFeiJBTqC&zVL3Ij;5za#>cbQd+Iv_{ z+1|+k`hNlD%XM}vRzsn%Yu*dy=h6FP0zTtgeU>Q{XLmQTif7nf_tU8UI{C1K+wK(L z+S1=bpRCwoj`wmonQMfwrY@_%)1bl}0TB1<-XK5X=>u^^g&$ zna5YeZLd3gt~vxdvh%&Fo1?5rb`V6-@jL*xBVF{qfaTfQ_QM-Vgy_cbW=`pbI4%1G z9t(x*%G3T}i8nOgk3S=OkXNA_Yjm3v=_krM7EHyA4~?FcVOe%GKrg+Rtijtt>oJp!H{ zh24IdA!K=aqgEXepO&XR+Loi9pc{ip1qAf2S+*>L=5HRuKNy+kuT;@ynKt``_r!SG z?0D0uglLzGRa3tzO*>u3g}^eyH;MrnCq;0k)@{Ii*vSPW~M@7g&} z6(5f#gb;4MSMOoh}+SF zJ3u4HkUu7mc*-8J;Y0bwaMi8nLZk4DlNL7(KYx7JO@8b5Ca%4eX8!IuVQG6D$y+gT zJj{tbOKck(E#x%%ecOcRNqi~SBI`>?*m|%D61Lv|@D%N|4stZi zPYja5Az%*P)w*s(caBOR>06UpS4jHKJb2d<8^cXySPx=Ees-AofZTbF+&Pew3<%ym 
zDn~0Gq@0@k6%XKI9K_D6l-S|3t&ao4Oq)diDH~xe_Ty$Cn?2dBX&OIEsFA1}UE2h2 z|5TgXXu8KSsaG3Kxag|8PF53-@qfCH&Zvh}(hLR|j2YX=IA)7JfW&u?%rx?ZsN3F| z{~)7E>kZ9X0I7ssJ?DcgPZDeLcq zJDA=Ab;QGUaI{}#NtI2RtTe*Jwn}Md@x65TNmp-jCU4PlXhkq+VOe18=5@LP;R&64 z-X}$nlux$yml*vZ*-n-bA}DUaKSdaj9l1G2?P^l*vNclB_Ib)^! zR!;EZR-qw#jW&QeNnG}55&3HUftexi{)hj?{iR&nZ>sj*o%x?Elqs8@KW$Yqj>ETy zAG{l~>@?(0+T`f4DYK|Az((Ij@a1m_uj2H0-y;P)W?oq_nxt=f)8t0H1_)DSsh3XI zAPEZCdNId{CJU+hdLe*H&&rS>=mcN8J;O&KhLzet#h4^sqXgE1`*KTP9S#E$2QrT) zue{0fMei(l7Fy^Bg0SSpx7m5$S3MqcOR!+Q={2vrKb9uA4FS;@bJJpc!4V#gQ^_4) z5^M(#;qftx)&`KdN33FtzQ5TS!b`D?2+n7`^h3gr!yoVoM!)WWcpG&>VYA=JJ`rqs zpf=5Mkz2j)uH`Psf($cdXfLUeH~PK3t|AA=Z`=AG?iqPn8{-`W(%*xbx%}KVy)tjP z2SoCAqkhE3kHR&T9X$>AS`T4Kvleu?MZ_AzYgS``cb%(P=ykn|rWxF|(g z&p5aw(YWu*keqoL>J>G&DC5@C&_2ND7=03qe;?_0IYO#f-5flDIBNYwS6IFL^#S{# zOz?%$`$VKUw;=GMxt84mw)@Wdtu+=rB{XkM^LxD0$xbcy%wusEN|lS4gYtVS zrG51drPtmMATyCvG{@$x_lFmUU0!L^Bm-td@18Ux>Sn~iRJ}+d<}HSM1hr}k)?Enf ziwAFBKsL>Q-HW{PEQ#wziB+wjB*w^ql49i?!FVhU>|Q2L>mT|ro|n~+aU6=Vy7}b* zBGgk|lvTz~j>NI-CcnN!|1rV`WDnb=b@qtdD=&;58>jgQ*_l-yE_@7pjY8^t@iOYr zlCs5FTn?LWWQm1Txj9pz+Ow5}UiKe-v&`^PSy=(zz~Er|dHHwW65S84JGov+6!W1k zdg|b>cV%X`@ff;Vt=kH?-As0_DI9Dh4n_dNJ&uKE2f&DznIH|bKa=~M%Lyyrbj4nH z4Gv_$u$AK=p40y56JT1S|Md6(#*{~Yf$M^OzRB{J?CjPKVJ<^t?X=>gG1boJ0LvTr|HW7v4DE`}Gy&j`3L5sWTtU2fKcOj$BzCN1}V zr4mb>;SPzFo71q+0yC?4iSw0Gb$ajWxu(d(Yb2S65id(5 z_X9mfgYx@aNmzDY%Iad`KExnONVl7*P*=S!Kf?N!t5%-N+Ef+PT%v>-mA*i)2Zgkb zeYxI~V51=$)t1iD5SWYk5zWlv+V!#MM} zUW0hJ&E6O8Fuv8i!%(WQ;SwT@(yP?0uE?Cak8OIW?Fw0?V!--cY9?wYaX3S2kal(@ zSO)|;9cl(KI8|eV`t!yg&#&b&eFB6b9odkCiGFj|`>r690s1fR*F4hRB61b3wdm9~3J1Kfcp*5dG__?vXgyms* zwJ)YqLEltB+G?np2n(=k;^20PHSI*25J4IysT&*OYTMJlQui4XBz02 z2I*w9*L`>I3wsu5tgt#o5pp%JFn5;0z3G@a_#g;1^)Lm~Fv?ML6S_=2JFa?xVew%k zpkY?B-Ws>TWT%r$Y@4s2;S%MZVDr?D3ts5-XmHf;ZIw@m4>8_5O~LjIn};<%tqo!>24QVn`@G`^ehMIGvtWidu&j&@@J{8t?);@D87<~GM7lB#aho1^6;))lFv zQ{b%e4ydDTXwdq;a48yy@6h0ew8m2Ok1%Dm@vYn(@Cu>j+R(V}O4fm^RJ6dc={;o2<^p!T 
z>Ou#$y)aAQl=2km0DJ5MnZ$Q>t$HZiYx+>~c=vPK+P5|mnih>|KKJnle-bSBlv7`R z{Cn)FzkC;?OX9}x1&(XZBeFNBlbO6JzU4F|LE#-Zd2wDpkOn^lepX_}`9C6O0Jjz{ z2UY%|axjnkW0rsH`#L*Rb5{dy?0jB+@nOVcGF?lLKwohom%wX~ICA#ku;YP}zu=d- zC$d@q!09}HB`B;;c&U?bmMj$HV0w-8xM2}><1n~Z`5*j1^dF$!P21wIq?0?iFNjs7 z?IXk+>kr`)v;!%#K@NDq!v8c!Fi1>7%Zu$@!kPpgq`i>4{ru?L9&2$`_h{;%euus) zgl*RnLVy@=J7w#ZHaGMPm(8>m6tzj`3gi1p?39&Meb%QXc#jl0l(1%}F852{S)0u* z85R*UkM@VOQqRU%tbHT1^+pH!R4(K#J8Ve%^TJ=bW0bOp9KM~$#VZwfL7kr-RTeJz zgWU`$iCgJBn?#>CyTH(7&%%%;C&bp_t8t7Eye_-ML4aF(81 zOu26pf?i-z4tb{fwdQ+Nb+c=78ycEA-ciT9<=s=a<=VbGy0bSWN3A3G6iNj(%H(J%r;ZG+#aPqj*IpQTethN{LHOW&@fD zLo^POC{s;j&4Q`I6_yvLXNOT@Zc04-isd+Itqc8mIa+u~@{Wsx3-KuOo|ePoLNl1k zQ%stD#Xw9GoWry{QoTlU>HapM)}3Rof6W%)ID^DROGs>gVFCv(g*7@kBEPN!|H+&4 z1P{>sm8UJv^4PT&MY%&MXSBk-gpwkb#$P4+dKeCyDL1_ExLkW1ub3!?Xr2#dS1PFv zRa>%JpS{kTC#}H+(Hf-^yccWcO0G=lNosHnlp3}iDfC^wZZYV0P8UYT>?~Zu;!ms1 zHaT=vJcmFMA zTBT8Z-&v{dG~)3dlYrD}iFp<$+9uBo*Z=*fga6M*E#X6rDh!9;dBOT*28N7>;c8{vr0~!DW|*3WQ;R37L8Uh z>RMmN*a2gI_!TCbN~c4+=9OA>jRtxMcB4ns8tuF1y&2#!h(0dX$iXv>e%hOq3*3&` zByAaVyOmY?vNubF$TFrQ?kcJ5+Nud@sgnIgI&RhvaInjl))}Ue0!vQOId!rL^d>jP z)$!w=5*n~q=6de*38N2MpcWSx$3xwll(!sf5}!DJ2?@fVPHy^&Yw^9zpRx5RY`kkb z8E$D?&7F7r=FeYzUD*utk}tY%wb=*rtgvdSqxZ*NL=c))-CN1v$a&E9h<(gpA-I0A zDH0)N$zZH!P3O0__j+6B55tKl`vHEVt8Z(X6AXP*FS*w=pEeEjqFnBwI3@+T-b5qA zD!p)q$sqF7l@l)>%}zb`^~)|Vy^1>uEDG5HW;`NEZFJ+E(m?suD{|x#jARlOKCYHc!;_%N@MTk9@l>w+?n?1 zw2fWA{$8DY{@sh@#VAuqq>naa{F|}hWEFczOhGc68+MXk;|Axq|0Hxi;ziA^#S6OL zFBv>qPa>L&YgI>ghSwFdk6e8A<}=5A#+p?`;6wJ@mWQGO2K9O|3koYUC9S(}U{q_Pn7P@Sw%ZmEEK z^<$FoiV)a2(G&h59i%gHBmgEw3M6g*6FLRyUN^oJ$ISjG$kk18;0KHQ`zvd<+ATs* zw8I&h&RwnM!h>*f1;PUD^we;3+#J^F<%;W-ge{-McbfZ8{Z3%u-Gx5w0SOno=JyV| zuO43(Cl*~OuF+c<7lf>Vz#gw#{?bT}^e;DuQ+uC}i%YgaS|wK}mfq|sfTO05bBcv3 z=k@gm-A9=4UU%?$bq*#s6+r$Hl`mszwtC*L63?Ohy<$M#s!C7=yLT5~!CJGqC41w^ zdy(q)-*M|f*~7o+rG~pWc1wSmLK|Oxr;e|`4Wc-zQQ3)7;T{;qcXQomuxdTKNAg}_ z^EX!){uTt3`+e4TwWU0J$lZM}nL8SL@>V{#(0^~aN}GB-;x-7R1GwOSI4C%>^^QIv 
zI})dJ;Z|%2;m#DA|MRemg61(g+?718LyX$lwO4vUc!ykYo4UmiV1X<0S)hov6L=s~ z=iHn?uyes8-u>(TPjwy&@^N<2Cze-2O1Hw!+gQB~i+f_8@#PmM7Hy!HcO0GCez3C_ z8Pv6$3JLh?h37U%2Z3|ybe1y*GiB1K!`!KTyof)eNX^ma8JFR?Rv(QiXY7x}y@Jed zp`h0j>opc9%)4I<>M5vSg~6KlS5aeeOO(4oo)Fjihn*0i+Rd;VFdb53?YJKQmj(kr zVhgmxt-|{q&LyE97|T4_Dpr+G)d5}Ji{<%zb{N`Q)88=}X%6gf$kddOSB0lFBdWdj z{C7s;3T2b$fnc!>_D^E>%?0;gHSvkkTK1v9HxA1AwE{cV#&ImJ3=yB$E_^lC0rzeQ z6R<``U$T{cde3?J;$%xD-&1my0Grl3gYGp(iN=Lu%gC0(N(Jn4X^x&`jqs<_22s*A zlyBL@PguWk{YJY`#rO}^v6EifojZ(pNGUf^v1MKV0F9(KO2oCF8_Lqn`^V`UaBc z+0h3Owcy;Zf1R^^_|mE{-jo+DP^D(vKO3;iW+Xr?&}qEWZnX)xH$KYizapV9`9zHV zqPJMy6DTXbF;S6n%a-Am@JnQHL63Z*dwK+?agt1;8`kTa)u#3_8dsb0)@MdoA$Md* z(`((_(hECL(Z4hG_=$S-`p<+1if4Y07&e}KHDx(-{MCIJjO-+tZ@nG2HJI;HE84Tf z0>oK&`N}qUC_ZSN6HqQmPK90&IQb1~cT1ZOA$6(({X$xhLxb7KJ}Oo=>c_HcBIL6C zDYBk&$YpsN&Vnv>2#+kLw!qARbno)Wr^Z#f3dz*aW#Q) z+w}ya5NDLJb47cCvu!0dWioScU$*^^Dn<_q7Xmo2YQ^v~?c z|MNS4S}`sLQfDMYF%IG%kOvm@VJUyH&lJoRTD$3?>A&jkUXTaYVGQUz)bWF_j2s87 zc+lI(QjDw9XuN{!A5F*k%*xrB36SUDR>po&E{j9(cA^bqazu(J_5e)=fJ!GsC}{8g7DRI!B!qQ62)3uRP{`?=NroxcpIh?aQZ z<8>nu3w*q8uHFW#50-gqyzI2Qwgqlo5Yz+JVK+S}(r#KQH(scRcKRHIUj!XSddstS zY_h8vAU)o8Wj4aWje^XL;UPtsuiaudaf&?!3>C=LqIe-S%q$eT70|m|4+kL+asAVL zkTz!mB%8Oz!Htljn+uN(m31Z{WnU^rjk+8+Pl+AbCYTN!37ds-8Gv=2t4F+e@ZSS7 zCe*&xgV_} zt|oOXE4#{gMEcfPL{8BWe}(_Y)Kv#W**#rAkS^&i2@w#amX;Rj4w07b?(Pne?q=!k zT)L#YrMnxx1%I!8|L#5y?7jEQnKN_e&c*yqS0v97f?VOd@h(CY+~bKgL}=nxKe?l) z;9pc*=O{FJqbzU7D>a$%9Mn3TJO{PzbLL7t#o?CPqO`ql6bm~k3WR>Dv}=h$-KZ)*CXfd@JS*8sylbRR zxta6M!7F(XIu5?$;3Y+3PdqC7IBEMM0{qEyisazl8`gr`np^_wtdj(-s7|~j<8#)b zM&HJHU1QuB3-B=5?8@gGaWmHDr)1I0L_M2y<_O=Hqz&vEcXY(rXWlM~E^?%CIs?nc zzD!Or)mS}N6O2^og{#%;@qO?+0{?M+&?`~yXb;wi-|O6OUV>NH78?P< z-EzqtWaU8ccyFmkv9(@*X7i#_|72zD`eM!Kwf;=}p;z+~)`B=jAc<8+fN}Ov#IP^w zT&mws^@l(VUS6r|Yv|Q1*;lW(lC8ayl;});d$St39fGez?n&0?Tk}Qz8y(yO$X)M& z@FXPEt}oHS-DuQtM(Woubv`ASME>yl@#-vD@kS<@S^b^i(afrwWhF#B zSA7MKo!}PnX2G5TC<=fpR6Vo#*?kX`r%zvquwO(}G-rc`bE;Y3=g#<`gYGt%*k`RxPkEG2@~};>M^c=h}|6^_QDoRL(}- 
zo2FGREXI=^Bbb|%)zpQ((?bi332v-4+)oYNha${Z_K}w&ap~qluVhjABWida+*SAK zi-&X{ktrD>!oa><;!XIqISy{e6_Ltx3s?_+P{Cjepfv(pBGi6w0p}m7-M(z zE8nG7aG3DMA-2&j`7#zL$Ck8Z5(-z-;y)v_IC|2 zC_(BaMPPzzZD+|mO$=_tIw(OMoj9T`JAQJ!NB}vTcqkd35j`*Nv9T0~LuO2bh@V1`}X-uF^3KV+{v31H)7Q(Y7ab$h@ zgCIO`U}w$<;?Eb~*<&-3@NQpyA0mg&%z&Q;Bepo$;n_J0oCN{k{QetV92JTPse&ad z9Jo=hU(ibeI}yC2@Fw-sf&`Xz6g>XsKvBeCR_McoVn)0hmRsH%&)aT~v2rIi<9?v$ zV=>Oqqn<72t@Yu~NFW!FWp~2M=(lZmcRUitFQ`8P9^`HtBoouMEPDqs8HaGCH_|3} zlI1DbCO@R2b74012(QC@=Z1!%n9^3^TZIb^)q6@wI zwaS>wu4ChwuCn_UzGgrVmNZp+s3;4X{0HBy(qZ50Il9A8z@JRS8fbjk@Pt>V*0oYX zseUV9{ZXM)n|RG8IkVwMi+TJe3oaq?06I|zqbw*7i6Z&DEOFL(6r935SF410cr>A5I{vlBir@|kUxboUw&GvPr9iEe<2KCGDn4cYpmyi=l1nVuhMMOR;1_! zzs6F8jqcDtbQZ<$c23)ky)qv4B-l4u5Mx~ zxYi?(LbG6j-q_7iXpJX5?J?EV-z?IGD)`U1*|?WvJ(>9++wb+n4r>Xe0J?TjR3mt( znLnyC%}n*oJ!9|?q~B7F$^2rpDWUR)gU zq6T?mz4k;+rt0CVoVH{LEF>hEN-iL+Vg+wnaU$n=SLs>f3&V8LC$lKfNjf6q^|~re zYWM#(q^h7R5t7T%&s$YM`|IzM*)qMofd%Ohf>JL$`SsH2?GUdEJf3ai_0T@k+N%3e zrJ%WVz&f^fvg^6=4ts3gHJlg5rNFmsr6L)=1oc3JBlg(Kwe-w;9uuuvE=r%| ` zyEmERC<4{-rYFQ67FT+ERxzB+!Y@m~`i}VVvp7|Z9Q>;@ngm73u6x{Y+C)w*Zt<_1 zAw`#N8bhaqvkYAYB>!QvfyD@r>D~b>NCQh;iQs2B02I^wwM}poFl1$+=JoWM7ktEy zM&$fyzAw23-Cz42p$mS|MK^LIf4`@oV0mK9pxi5hm z>+}xwoNeFLQP1nCLS()r8oI<4q97#c%ez5pDb=Q(M7*cM506BVY~)pb9xzdJB*_2%Q- zugy!r-{0k3gO5Kr+bt_pGHF}B75afTd89xx1mr*GS%{IWm>o_C=6{J&4=ib^Kn3xU z={j=~AR`4tY&~X<$-%u)MN1pzK5v#%{RGY0O$k~usjh#L$)19iswpuT-ir41GlhYM z2M`m@*oaREksO!LZXIHUB?4%?)_pI&NO86YSR*^mvAEj!isdQW@gb%v5U?7?EU$l9 zPc@Alav4@YdQq&+0rE`Xf8mRX6{9DHHll;g!VxE^fzJ;`p{d3s0h|pDkTq_}z*ERA+*pK_cH8i~| zt_bW?&EM1=WCNYx6iTuYaISy&c(i%4>Q>M~{ zo*9Xzm3hn%J}+(td;z&c;44Nl$TkJ<5SHPM#4@97o=#G2#rIFtU*_q|I%vXa&${x_ zV72}sWdt1pLj$?Z7Xa~sl(E$C0#N?eX1}#1x(@yIYJLYCzad%m)5niQPlL*PEnZ7} z8`2k}OzdTTw9|2nDqnCq8p_YIXCnaEf~*spq6UnwU)+p4s68GHRu|kID@q*HEgc=m zYCM(5jt)!&I~?xy;`=8Cx`l^KMyF?s+M* zac{}S()5d!ysQw zjB#km*uc>5R`jA=pM5*l)Ag-cBpfGR7bIgOK0lOS1^OSA&jtp;m+I?)?;<+K8wSZ- zMDtRldd!|i(&*KFDBu0*|E=U&Dclk14I$FqN00Zs_F|Zh4>L9kWnS`#7nR2!A_XCX 
zT>VD{GKs7M&3rh1ufwFf0)=Aiy4Lc8C2r`9Xut+Z=Y$5FQs)y zL|$&B)iC)j;_SiH2<^efNgZ*?=#|grHK~=2b7A(Y4IRrB;}y6k(%+~F8La1%3o*qN zq2W=?{4dxPrIwSP&om&sa)rU^UE(oI8doD+I^YZqI$7Lpt0B1luqVgcPL;^v>Hnzr zx>fUwX6+E_ePMBDay56c3d;b7(uQ`IBNlbF=4566HJisMOwxV$U*xn#08+M%rKmeN zi2fiaZ{Dm1K=fXedCj`MKyaze3Vy%GIZ|qMYz2s%omTptBt1IK6K+*Az>Msy9{yJU zun&7~|4?E-{iRsv5KxY>3X&2+<5I+`)lOERGj$xu#H8x1N23#$OT9tct7nq-r%0ap z$NK1^ASqkc=eJ&1UyOoNfNR3$p?jad=<8)2Pg~8%E56_l_o^IbrJWt@U#(`EqR+Gg z6}#>_(MvTfPz5_2n_Xc_CY#uVmq&PJrILtJ#E4%6>>N6^6M6FQAh>Aikl!6Yl(9l= z>bf-FxwDF^(onaHMT?424c;63#&G|IbNPDU@1PQ@=ePKul}WYcxwn1N!8O#6Euf${ z0CESOgOLdRmhfTXO7DOzhJ%9Zh1po~!uN#$6&UEf;mg5A1)1?D327B@5R*mW_}Iey zXa?Gg)=bPvNTT-tp~Oh10=)v`TiEkkf0#q>32P8Vu{S^x$KC%zFj4(1@FJ{Vif0Mv zCx|v`u*#*mx}Cae!gEQ~^o2-PVAtnFESKe2Exa%ZzYpHO1>{ok01kft7n)zt4POZX zmNC#>BQ(DwXT#{iXBUN$le#$)m&?H2n6ku#v%P{w|Nqf>B}EH$L*h}8<)7$0+u&Wx z)_6eLxjnserw{FK7Y>*QsA+ooyLg=n7}boMJoInft3^z~>z;(MYWip0O*kqz zCT!LlLEkx85WHwHHIyC;a>CXixclz3YO9}v zP*cNm$-xf%R-jP!V!8-p5y6Cj|dVokSIL-(?}?b$0ad<@9G6zFI=~m^*D!Ok+fj z`3=tMHS#}S&ema(2|P)H>tuaVq$XGRFw6N~7I0WF?%O>)15!w``bTZNvVu5Kui2z; z#X+SW49l%vk~moX=az-PQ7@AiVc{t4_DQWL$)(w{&6KNuEccb4iG?NgDqz9dvKQt=jh&qmF~jQV5UIYq6yq6#h||Xu5Rw$oP}P|++wZ;SJk$1zT_6L za$xL+d1rG>VD`n%yHvjd=u;czzr9&X7)E1r*uzZj7GvKvYZq-TiHpb^2-D=kRu|C6Oq&)dlbktJo!(C04YkSS`vXlRwXZ5 z%)XRUfOW#=Y?8l=>%q2gYE0j`#u-T7kbvxW#-#9ln^$sQq9?uhxp+|uK!mYwDQP$H8bzeERsG}J&<2+WT}*1*uBHzYh5a}?$4}D7G#pQ%!E%NfayvMpN=}ZE`jQa@J@iyoSkM?RkT!!gmgvj{2ZD2Ds-_N1G zVOQiAZJH8##>zB24T9E`4^UOFwv;>juVmh#S97^`1JsV47|~CxsEEo{IN}6t7VINo{R3P0rz=OBnjkCv1pl zNw~7&K8NVff39%aoTFh>e*l~t`1-yS0diG5XRo0T*#EwPv&0km!u{sX>_)73+!mu* zvzBWlt^L8RJtDw{O%`kH^-{_ejEsCB+a#sF4>O`$NrXOx2$&0QI7~I{UYq=3aYe$S z(da%Pvddw=Gt9B*(yeRo&lipm!dFA!`l+CjmxOIRYG25 z=3Mg^_PKqF zG%tqcuV4ewknBd-113+3^H9%f^RoKer#5uwO`!=l&mNc;;CRjV4jSf13X~f~dkwOJ zm(5TEVqIq>M$fwvU5Gd$J?f4wl;Xnlj0k4?3nPQZ4Y(itG~@u8 zl2r;T87TivwzvufSRxMURhBN8Wr3i2oDBi|&ZbhhrD?Xh$AwR)*CYYXP_NUjf6< zn)+HT$Xcu{#+m`WcqJ%rVS=FiSI72+2p2N&4HI^#hF4Jj#Lj^}T<|D|Z=vgAHhD`E 
zi*$?-)^p(8>U!dtmx621jnEW31_P)8b^pNfA-pZ+x3ML4d;5#9o@>4)H{G(Yb$N0) z9ZaJ|480LnaCQ-uG@GB)a9!Q2zEZ<}>;|64>cm4Whr1uTd8|4*?~LwC5_V< zlcK!DXemKH0C<$Ox6pwY(3PBpP94$E$CE4tDp(3kFV+g6s4mKqzxOktv?>c@S>{n-bq1d+vLm3x0ZBEGxzjJ*QNAgb4(exF zl3`U}tX3H-B>#qN=E~D4#`1M2Q7iE#NxOb@;Gim|ZJ`AztO~ zn*>OEuX8_Bd39r=v*T~$TWoB_IjxgJ7Tf9N?l+xgbe0ZVt_xa6eZ~x5w!4p&iXBL9 z+Siv#8XZnoG4$9X&-Tp?jO~tjO~b({9MKw_CU;-6;@ZxzavOq;{ZEgV+O=vQ;<`v0 z575y0l^Yj7SsJQnrByc`j33$(N*_+nee1G5np$8#)szY#qoiu0RCI3TFVQ)?7&;;_ zIrLV4^_p_H4&xU2n_*w|s}8F?=$@1}P!7gf=~3eWKQ@p-BkM-Jj%b$HXK%6IjR;{R zRB}@T4*zYIwc_cYo};cl$-Ex@X1xzJjRh=T1`1gk}}*!A1U$sXUhV>{-F3$lG57uq?H z_W4&v2Z2L?%37#T#_~8g1<*)F2rF($NJnN_W=Yjig#v?kia9)4=-JmLG^BOKI|Kxb z;Gb43 z0n>Y|a=r$Yn8_-qzLl)-EzLs=HaBzZFFlnE0Ld-`Y^=>z*#28e6sHe6j zk(<%F0G_<&kQgJik4|x<<7=w8qDJ(vJ2Y5hZDJi2r0YmD@l&OKX)J*bRv(f7;(m!J z%BXKrPtE&8!lCXN_%3nI@#hR!%LUYGEqzUwADj77r=IL*PSjklmhG)iK3t}Cd2k*1 z6Y3E$E_G-KWEm^(g_rKankEm_vsVdH#z%Xg-*tw)=^`OykZ}Sk72|dX;7jLq$}&I? zpLr}&s(<2vwYWHc8^#bvyrr?;jbTBuWMAEh`6)%yI`F}H+-!M**4VKb#!}iWUm%en zp4@RWwL7IjJh_1D99RcFb0X~{@1XYaf(6ES8nvCO-2Q) zNEBL|-;Sx4k9ZNav~WtbVruZ^91f7{hr)b?!;+-PXN;4-6fG_;WY5%nZZWrM$?Wv6 zetqZ#tNO=j7=rs!N}s1^RUaxqY`|Tril$eeY~&jjJlUD3ngX)=0d1zmdHg7hV|vQ> zmm2T+!1vk!XPYq%u3o6|itmDvbvzxR%>Z9PTI<90Q<^zaN|?)K(*&NNP;12V;T3j( zfBYJ*&KIq~47e=7Z!%!zTi=jn^mWBImFZ%}eCE1*y+cu0a)g5aj@>vgcc6^}nLwC5 zXfJWik$HYV-=RNEdYZ#_r>I49u?OELlysZ}X1N@XxsZ`>OMZQ!5DP74t8FV4i3EUz zSgFzrvYwq^W@0tK=KW8XYhqF?KNvAz(JK+PD?Ow?I#gZ+U9O!W8Em3I=!5G{ja`$S zB&;@>DC2togUnGZ-mLtQ75QHAb^NTlVno-HiCY}fgZxGE$xeTNW6+7{psq9PS^U}{ z#Y^tJJCC>p;8NF1C6eYV=Z9Je#ets|Ug*h-#nlX{TYUU@hmk&)k%!#g(>w$s54>i#_JcASy9-YZc->wX}7v-rvgx!z$_ zqBbq6i8JmFVVG0OIPYBScxYANE@YqBFX9sX~qZYWTGWF!y1>ln~oZ8PPVNgUr%M+4G!uzrqWubX~ zoD$(jE?rPkW_l{R9>lN=*mK0D()^yR5h&trp#FiowN{W=@?1I}NoIHaC6e**pI6r9OSz zx;XuYmPGs=4YY6{0{7pGegoK-))4dCAM`uCjjB0`5qpqhznRYJ3 ztjy5<9fNZ;dJT9C#kqi*KVy(SMV=|Fr_SKDb9hkwAgvIv*3A1A|8aFll7w1_1FJ?U z$!sL7Pqk0X`Bv<4ASRKjspanGGLK{_KPcQNSm)3~W9+k}{wLt|_v$5+&k?n&(raN~ 
zE^h7Ev(}U0?9PyQy>(xLwT=`qG!`%J@mVXq(B6f)v{q2#z~eBg{L z_K&sre?#L;M$ZKgtsobW`)6nYf;cGNvL2$KQ8eFjpu*aPo{`!_Mhz%T8um zK8N5miP)Zn(4w%c7fe7s2HCh%NAk`>UqLUDx+rbTH$2j_id)`G1of{6YI!w&lMBCP ziyYkQa>DL$pY}0iN>N$`9b^WiC(PEJP3lVooS__)SnTwLM?VaJ6^NwvFm-AM!0lJtlkml{`3yd<13%|2s|;|o|aMgkUF4RxLCmsRGZG(rP> zz+?2?37nlY6!u?c`vqTjuk;X)A(!#cgLA0%+PJN`Q z`vOsZ+oTo(dmZgWaxJ|iwV$RG@Twx=F4aB8c%RqvL*qu9`@C7QwOyU{_y&!_U3S*1 zuh#}G94J?%~L0C(+5{nWC*)V0}O#&ig5#lCwW^@1O(`dp?!T zZaPAVdImzav1Z-#q~`zCUtqTXeJ zaCi+ql`^g4womY!xaJ!rWuA>XccE)OyZgOc9Ptlsrd_6jfc;9vy&S|Kb z_61+b5UtwgPReYhYK^A#eHgi`!^mQL<+f%p=h&2oB6FRh1JxzXa`5hQs?^>(!gfo_ zO#jouCp%4|?z45P)S0;SHSMC2-pKZ}j=C52-pPfzQC+0)-wh5XycdzI{uQm8R)ENMo}l*eJRxpu+RivW z0`j_(Jc^~r*xNHla$S_4_0?g|jDbEtIrKjxiQ%;YVHqgfbm0wSWxYsugEy#}XuO|c zgD;bXW@F&!7DIQbQ^MSVF3H9FX|*O6wVO%kzdWvgcG?tD8as$De|)TS+m5KObqfVu z&bq+x%mN9nk818v`C8S%i3Oa$Z>9V zbO(D4XTejK$iw}Pi;&}eEYBA6g5!27=LbP;E|Vv`U!PHAQ?I2&Rf#usjo-jwwpW@) zH3a0$X{ClO#gHsl)W>r83~yiAfU$iD3!B1BXgdt|OO@Fj>6i$c)ehvyh(YJs`yS1) zt28nQ6@@eFzskbwJ3O!9*~xSpf1lx(*wKMc!E)Lvz-QP}qn}jMlW7rUM7i0sUNj@o zh{442hTrb38$)LK)+EZWxE{ra{MyX)+Q|MwClfmP*qk**_i7@Tuh&T#TykH<77smY zi`>u%;;Vvu9x}{Z!yL>!jV6964QZ9$Jn|oWJu%-kxYa^%a(A!R80d%i`Pgw~`RHk@ za@d#0Y@mhrAo2n1?X*|hto>gN;6c)v{D_2nq}UQqP%o&in3ikT?P!3!?O6an@bN!0 zmEhDm`7*^C?2uz(QLjk3(%E*E;R_z~9)Ov^D@A3XZ zsJRuIP(=A8<_6i@@9!9U&0EIY9*VC8M)M;wbv$#j)-as6>Z?$sz_-}KkD-dP z@s)seRpe1~+P9D2{V@jr=2&-@MWAi$S=*CWp_yNF_`^Iq`e2q~czqm&_>nV=056tMKzMG_J%X-HLueW?+S3*#t7Q4kVsQbL=YCZm0^|3&PE;Gh&0VYLfPeb z+mr(KqgpIytsuhS?&{Q!rav7gJSdg8OdJfX1KnZsbdhcqBX8qnm`zbiA&h-J8!9+& z3^Fc*Cj4vwGRq`h&FTf~?*Zch<}xR0Yp!Rm4f`&851}3kT>{0Ec5kY6AF_F8Y7S6m z(rXV!y*`{GTJIm(+8#SzEbtV#sMCzDr`;GAS8Ar&@6jv2lTqr;Vc2E&bMP4sW#5f? 
z&N}cXpA1`eb5Yuc&WUleMPrCdksiQBOI@RpeU%NFCh)yH~f@p2j4i2P&OXzuH|m`}mYx zW?^i#{bB4gLT-g>Hd2{w!`x+`4F}ee;j4JAyXQ(p7RzxGcdyDpr)|Eu&d(cieRNdo zRCe+~8)i`asyf?W1Hbh`k4yPB^xXhA(D|iw)P-*)em~Xuu&F7Ar)@){gw4!j=rlQG z`#XEVlDwVnHER`wh)4aSY8rn1n>Clmx8a}Y-n*hDKPo0^JywxKQyzGw?);1^tBXOL z_ORy|y|m7NHUiz$OLG`7wrd;g($6^~7%bpD(9(msNPeZR@}~q3j2Bm}q#BGW#TL9a z-CY0xUIkl$9^*7Zmer(!@nZn=kmbT(b7yb~cJ<}jQeGbhmlU64zA)@1=I_o4R?AEX z^6XG&657nrL_hKQ_Ta?j z?tV>RB3gcI*UfNU;mI)$>-TM`Fb8WnsDr~XSbml^ZN*FnlZHKX>*fr@b%rVE$ad?T z8jk#(7&ZNNw&-wWCReQoHva)_>)RZZ60ANrKHb!8nY6q0%aHQrzLY5K^N@Pnx1H6D z3SdEql+vH02lyUdLHk*tJvvuRg(bx8=ZVbYyOFu<0!Iw}&6zhG!>|6i5_!CnwwpEuD%wBPsg@majZ8{M-QjkpWU-8_vrdyyKPuf^KtnaVLtp#nw>3?`)@Nlk+ zv2N*oJ@iZU-B5GV`?zE-o4$NuFn*JjHUM$S>+050mVHe@oefeZRQIo=KUohug1bjX zWF{-m(xDL8V9yb5MgNOrUWM2FzBgvz=&9FxpFi&C%mw^NkU`t8BMBM}7V(Q;hY@ejzUfSCy-n=Hc>n9Q>=BW;Bq2(|lmZP-(8EO>&3u%l?yT$*TVlcDB~+$h;yu zQ)E{B9N_%W{awEoBQw{*cgcxM9$Vp-mU#u?YH+EcPWf>gv0z5Dl~Z;`ew@>OX4}wprJ~oE~RfMd^bEe>7?YC8UOb-V? zaeyQ*upUn3n*mz%PvD~86Nh}NDHPO#hL4?#1|Iqmm-n)Kpdp4EI2oqc{@{Of~srs9?+km`|<2KmyT`@NAFf67S$5JA2ss^Ox-U(uzIbZNjWaN zZ8bZqP2SP#xw_8RZhm{xT+CPQWNze<(YDN4d2-5;8|s|xqrPA;pZw~0@gxw{^B~r= zGgj;7_I>+T7Uix}z1)m>Y8q+(()KrU8w=%l76*T^QHv9Bf+PhKC1w*Kk%+-)^ak9V z$f~=L+n3HIR_^OIfWeXjbeI(Hiek@vROqMONx% z%di1Wl%rbDn#{|3N|B1T_g%Ns8;CYMW;l+H-^on_xR^q{uiu7S|LcU~NAZKX6@O!p zsrT?D9gvOKO4eU8>n8;1gSgze^!P-J$#G2l2o&XU6M3R>%Lwc}eC^leGP74l{nf{1 z1TS3Z>vL0&D@%Z!IMorlWp;d*BBeLpfcA07oPQ;^q&$_uk?i`NSYnrcC}+>==l?*| zaGc7Ql(O^rB5rSionFV3FN7@*NQHErS(6kh%4?XK_XNjmQE!h6L%Z+QtJHuZMQkC0 zR}V^kn6Pkvni=TcsolU@98W{j#S{fS*%W|*Uz#5qC2b*?sLsRjaN(3pKz zmgM?j&b1~(Tex-8bU@tz@tlKsI>EyVDuUL@7bA9yk_tVFO#wW%1{7eu`a3r97;K+SQwB^uE)x-( zC`iij{0)dQ#bOraC6M(YM~Dj1luOHEZC9avU4!TBQ1%F`jMXFF&5}Sq$Vep=VT?6Qi}-9I*n*m#OFm z1yB;k@qbR2YsHfI#ip?+vM?`25qx1wdXv*er=~snrIL;HI}6)JHO)*_V9+~R+|ZKS zaivchZe2ZyMBD{D z8T$atTMiSE9`qU1qQ%69Sf6F2j#x^x5+tfb?WAee$aw2i@Jk!+baP{wSlGoZCh|R9 zx;@{-pCm%!!Jm6<7kc1TFp>J(=z4C$wp-e?$QzME$9e1wqul{G!_JqS8-4b~1D9ov z14{6(lHOnG8ja}uN`COq%p6s1MMPjB 
zgG8D1;J?QAKWN?3YgXobt4Q0QQxJXGja`6z7~`tM#$|ea?BdoIP&iQj zG>_py*p<7ZvVkRZd^_yocKvXES@*_8b%wgdSfe?LZ@TxxzOg(>v!V_2ec5Wvy+keB zMI&7LVA^E!gAK8w#KxuXM5=1|EXhXHzuCIW)4kIar<4qdpCQ?Z-Yzt{!+=@n!yVLd+%6Yi6xk6F? z-r~>nalvBNbC`5T#e13?^YvEH7O8fu{}8tOTFD(ujx8wFUj|P`MyVtGqoLeTJVZ&Q zYOF}II6kb{k=})wUI+YnO9n8v_%o)Zi}FnJXYPj#p5>~j_Y!bI6*#D;^!sTR{-g_w ztzub+T^w=@**KhqA9gVUeu<4W3Ho;(_AupTenweT9{?O8Y^dN@;j$P2Gu4Mxnbl%R zZ8|t5JGkLh`^jwOet|;o%GFDT@43S}>9F)UwPIt0at0 z)L@Kzjuz3fB96A@09%} z#-(|q$j^nQo7sf2DC7!f2V+lnpbB2*53>4OU>XtgV;O*g87ePIwZgXAks$`1N;`3X zvI+bkYub}ZPyfe=PICA}9PalJ{VTbMosvv^a>7b$V{8Inodm4 zGu%KE%C*RkZg9bxXM4{eKlEPNKIDV%sz3o(1nT@!KgbPXo0T-7YW!xbsZ7ACJ+7qA zfOkf!Ba3|-O0C*Cmz%Ny=6g$)ONq zdhB^5wVD3HpcwRe;TB{zuHJ)D%)>$@7#zUgaMZ9Zbg@#VYOjqfvuLFZGCPtD$!uiI zjQ&S#7(II79y|%_Uwa7^lExLkCT|D-mO*s~q={QwFz~kCVaXi3qsk_n8gQ(+&6!VY zIQ?*URVJ?G0y$zE2N=KReXM^eU&L(O}x$-G;@K1WUX;S2okFu(&Yis0;gUeqKp|P$*`{FF zvDiGgR6ljtL-w^9Vcj=LueRsXoJ*H_S(|E`e!4WUPL=;kndMJ<2BETAJW<+;^oEu$|Cy|lrqThuY6M(=9JcYQ4)6UviTvc^HNSmOYneP*W zWP`2M5?2@~dI;yL_hmC;G8}#g_ftQG=iCW)7rn%JddIoG$8~;mH9vl+-ltezT(r@{67TIn8{SNp^0jC zgKda7xoJBor2ISBR2FrKEeuxEzIw8FI7GA=$u(_dSuyefE17_uR-8hBCX3`L)f~3v zwbfQFxE${FQ2liI@z)l=d8=u zJ|(+Mv?K7c>`$tZ41DF+5fJ%nb-`~^Md^};K4M!%RnTIg12b7lqB((y{qYVKV9~&b z_{s0j0#117diJ*xr=QY8U_Ijw{%I6hv`ADDQQ2ICN16&^QHfiC!k ze008W_N{g8<0fToQ-DhYKlpey?hCx5^ROnI14 z>lnsG3$=VFLg|1%m;OnbZwLdjMtLrC5E z+viz7NOk4!9J0?QCX594^P;>mYMq+^5^0k7<7z+9IKC2FzFIqmGfKT%Ifo5gt)1(r zLDCEHC_cq_SO;B+_U3wrCT*KEuZl6 zXKP!%c52_HGf*8@7);BNOs3+%f&b`)Ojm|k_@5KF*v9>dP!f;>g-GZ3>;gKnO3*{{ zVSB8I9LMvuPxEYOc@NaBijrin%|I^LpMs48%zTj+Am3Gqh49l>J*9V5WPerc%(>@dXC@J>{;1 z5IMpOT_`#B&19&eD!6D8RUm4^YRng|7)?dxox)eOs*cQ9eKX@WruSItBVS;!l@Okd z+ZR&v%{;ie3i9L%4d;#U!Z%K7oZJO_cEUu8+{#}v3e8hqBPsrWENofTFrT#QI=o*e zE`;0sYi#7a0s58v&q=ERR}XA`r=c_2HdliT-+y>N>i!{P$wP^$LPPfKQZQPw2+YO0 zCHYXPeL3;IrolVsm(g#G}{zg|{J}!pCLhU@FExTmN)OY9cc|B~S79 z+xq8UQ@Z1~;7higpb$rVo>w+=Je|P&h$V1~&oq23Ll8;2M|7LzmY~E~_v+IAu=%jt 
zaz+#1Iqs3{#%5+X%I`QMQI80;NJjFq(uaa{k;a88W`>RdeT8%VZjUSKx~*XB|5em@b%AP_^45^J`RG;2eZ4bOJY+S#*$uj=v9J>`q-xr8`DPZOwSsdMReXg-eqS>%sSUOaGN=BNOL0;oV{2>HxBcICkPd)-LbD+^kw`fOi-Y(oL_~e(3(9gHVypb-zd-mi4ta7P%KVZ zBH6$zI=>Kp3tc)QIpF96#`iXImz9Wy80Fr%7R^b~cuGMmgt6F|V%Tf7aP!yX=2c~4 z3c7SAW)5udX1|^(*HAmAO8=a^i%QrGH^6A`+;$#`_qlTMVv?sCJa;F zIC(95ykI*R-Z(q;hC2nqIt0^#&(0HC`Fy5IEE&+1k#iOQWAaQ3s>FIzCwei)SN^H5 z>=U?<_=hRC8Am{Aq&!>o;FdM9cGdng0`Y&}&(BSYE5C6WG-ZOFGA`L5V9>CV#%|th z;#H9KSfgxKvtUDHg?rpWO7sTRw!>S;8e=%2+El~0kR_}$(6g0{7d7Mr3TN>-5r3yb zXkD8#t3c5H%=bxK#(-_^9qkPTHtgvTd!*IGdg5IRUQ6*91q}&Qzkg_BgoQSebD7cb*2PI{7-#`n5~R%`c`-Mt1s)F1kFJyU zV&#)ZY#)OrknISQ2izrgnJ$604@vdpwIe}c=|rvI?$@$K#&ghUHZtu84Rh$czs_%A z%Yl&Bd+1*>2_p#^cn@7aUm7eU(EWq7X_ybzex;~kj2$(52!@vIUpdD=_K1tADvC0d zOlAf^*ll+l{GVU~6lPk+5{?bcSC-6LZzF3;qCY2_Ekp%d^IJNS^W=$h^iPV5{ZkNg z(M%<09w^N9Dk=~Kp?}?rW;?6NtQof8UoHG{FiKiV@hHShr}dqxlznNmlqzucLWZO8iX?}A?ob=xpD#wK9 zpLuLD)?>*)zVNj>oxP+mrjVrFpy!()c7WZT*Lu|Y(I?iJzAV-c5~!AvuLfFuoXw&q z=~)rR7QzW;8KYR0Xm!ZD6uq;Hu~8Fv;!yj*cV>MZCc=DRwESW|TOhD0i8>Pam#;GU zP2GDBb+aaW&vTv;q#z-IZ`Zce@pK<;hRG_4&!x}W;r+C6GGN)bD(%yU8S7Pr^S(rI zo7TB2Sh9b%WOc8txmeG*Ax~%~5F&E5>P3Zf;SZ3JONuMgqvoK^^fg{ZHb1D7zsk5( z{28K%u6iAR(+hs$AAf6+N(gUUswkWLdq9M?Uc614b*21k;Zud;ah6{S7mssBZ`{9K z732gg6&ZI~*(8=&JaWd|1Ho+(Ps*jQkBo^0BtH@DmM>gO+3U`@0151?;L-9HWAl-6 zg$RP4HN*I7!+S9*|Hp?p8LGw*N}t!{u1&jZCQlV^Ti@Mh_(U9I-Y%bCZUCB+!{=b) zC!1wSk|Rn2;(|E0<2i+Uqtzj zt_}cBZ(p>xH7Twc#T8==cn%FtpLuVs_<7j$y94G%b-AAjawyYClw$bsS5-Zw?N2 z%UgU;{J7%IP%j2nH@tblu2YLog&R-J2DV*cAh(A#r_7?xizae!<>57D+fNO5uAmA& zsL~0o-}M_7bUIms(2)*rKD-{KCg5|=n$=9bH}-R)B``$&8ycKwf27VuRPHu_h2W7a zB<)>`^%U!~ZC~5ww>%Lp8Jvjp4VGU8J#3h^Qn@O9)XgeGhjR;zcFeR#T0jvs8WLWi zU+N}r>C=O-)?)Tvo+2oGRsr_D@XEPCY*LFl5Kcmq=c6j~yW|NkBa9=>UqJpCceOMS zk?uO{UoSow(Xw*C~h>si8*hmYV>f-$KHjHn@3omi)#ir`~{ z8c;JUhO!bTQuze_&j%}UjSfq%>_(m*p!DYs$5Y?f8+w4CUMbN|MXQD-uzC?)LVs0q z+3ow|f8Pm2Sk76M=)21WzxK6{b0=#gp-fX$vy2M>K_yf6q}U94-7o)5ZJW~#JT*fp zf-?xgY~z98tz|Oa)_~i5j-QNA4FJo$$q!>y0U(*tcM->5?3k8KH;+P=>sL?~lVxvi 
zjz$5|Fe)m*R7E?t_+_7(Z10z-DF{D?MhW&DO?f|1?|k?@SSFv7rrT6pyJ+u@;d+_o z^V1^KdECbn;jTq_#W!uG8GL`ot|`woRGOpwr=gfmfY7SA*AUxoooFgjCl& z0ZuXG^Gk6(+;_Yc(GuU|=o99qKYhvhu43K8H^x@q(e2`pF^-r0qL_lu*NHg&xO+KZ zHFV0$@_rt3Gy99{L#I3c8~!$+giXkm^RJ`BsiNQp?HfwyknVB*$Z#m`Y#|BscUOx? zP!e`#U)INI`!c^JmAy6^>{T?O{Dcor9Y0_IQoFU-*fsPwFrq|0LHnr{)JR`%^^T14hFDlIEsgiyLNfus&jd6$+$dD zq1&qy+T$drtK|6VX5jXhk7K=54CrW+NeXiYh6>?Pb&aQKZnl_SIF^{Qeyutm%Gs%N z?|9a|!JVMPu*-f_uiee!^i4X>Z1hI-WqDw9CZAGA;9`Y|&`1B-!dDD@r`L6hR>vFl zjrPsEh2JgA$agZ`f12jl>vQDX3xZtU59I9466Q3-{q zl(DoKvP$Nfz&sNr;cjUyf!#3zsSTw>yWa(}O$2v_O&9fA3k3#IO~0?{Ps?LGxygo> ze;mGTr#dJA1CT5Zc~u3cJ$Ku!FUM|$BO;i`eqO=g6JsKpI&R#S=wNG9JJNzh9Gq>~ zU$nuV$MGf30Ykp5qpLonttxa>kzxRU^nKX}SEi+(-x;)>Fg{<)8I2kkS}UzTW`7oP zFU_n_6ybI1^f&sjk@_B6z%pEQ+6#O!r}=_qU1lOBHk}x?e28SCe_BN|7eS{{FMO8; z6%Mx%w#iI%u>&nt39YQ8h934}`edzz^-+NYj;f(DwS0i2WCQ#f5BKME&k-tZJ1_TO z1MQNoqa(FXb)UldU-+XtL~mwpczwodFar+*ipoJSQMe&??K95M?j+QvW{#8`>TlNB zv@q(IBLbXoyfUD30F=;93j7<%Ou|XYFm~KPi}RctCUYx&Ck4rEsk9VX-NQ*;%5(W> zOJL0gWsj^aSitk}g$oOw_oL7%)bjOConwjcvvYgG3C&p~bPiTKa$%mo_WS8X{9-Mk zDF3bVet5NP*`%@>Us!dtKtQHM1AcA=GAm$qpp);@?)K$TMnBe9J#oD=MIfx|s!RW| zq3B4df$~U`*<|Cu!YIG`6GneV8peNYpobH}T}0<8qZyj7?|$y8 z8)m!yVqbT2ks4G$>k)I_S}P7LD;v|02T*{|*$nChU1e=}iK0KRg(IlC++!G1$a)x) zy#e`a;ZUFGfsQQul-+~^6HX=qH5v?!o5cbBMmpETWf=58>3Z7*=4TPo!Vu~YNGPU5J$n!uC;O?b{7!K zo58i+L}QLlvL9+HV^?6Vf&9QssIW^(_ z3yA=pzeX8g6QCXIJ(R19qXctM51%6YVte-)$?mSv8kN%b#7CdHV7eb8w6s6_#lEm~Uq~w_nFYt}1o{Dt3Iz=X|T_B%k+m0-P7JC({mK4o- zvaocB&BzvhOdyUxOd^zr^qHR5AS*?RkvDJW5h=G6GSh ziL$^+e8Fqy69kh|>YzPLWI^n|aVj*2DwD`inIQx&Gwd^Jrv*J6XW?=0z~Ew340(%C zaB5i*Py=Jy@}@FnF=pD;yQ{+xy1G-(B)#fB(0BGl^EsjP`xb<}8c8+nywl?tUk3*$ z-fUwD#pj@TBgJ7w)mI8qez;5Xl?#q}NipSiS9<$~i;X&0z9J~1j2Zb0S1h#^eyZQ? 
z-#}*n@S@jiJrbVs`RkS zS>6~s&%Ku|TdY(FTEG_JnH;c}V<^Bi5pr3rzS-D(zipQfO7J*X~AW#49!{J*vi+{{cGZe>zR>go0Mm&UCam7-njKF`&-oN8TA_s}> z+lV@rMdRYzu|c)(JE`RD`u&!<@plt&ZC8|JNt>Y0Ltyo^c448K?~i+rD-oioAbx!B zlS8HKgRvynDQhq^Po`z4;clE4$mDY(VFauAiC zqs-1jXncn7>h17uYNePu_q^g3PJbG$^@Y>vpo)Aj;1i>9P{cjqrI3+)Rw`DmGIHKl3$riKm5{^iy+lNLni$PfVL$p8MLZFYzZ`tHoAH+ z`nGHo_P^zgFOtUzR1W?8^czJTkl@_%fPlCn?e2p`NV_Lq>Fn^~O*Wh4^D0|0(C+mr z^`RLxnZd<^6jovipVq2K-vTzy*BXdnTxBqP`Db=P==#{+b)iS*zQp6xZ}wM^9g3XY zJrr+4C&ZsRZO2X1t1v%XVeodcKRJ{ccUfQWCxHe46FbxN*h}}{4o6H7K-F)AI}cC- zZmwUPEJ$WK^V^ya>f65I>#DuVCX6+gzQt8u_{zmH{9=|&X~)wvkB{Saf4{i%=B|kI zYV%bCg+Y5p@kHlpI$+nfw&G;0$P2W{i93Blk}o%gN+POdPTzHx(#5~ljWf!p?!7nh zFu^rZHj>M&SJwGL2yrlk%RMH>`9yp`?!=AYjX104o z4REZQ2KAw$WuIU)2W-*ko*k;S4bls>-ztJ)6g($oI<}T1TV~Bg<{}pBjv88oMYS(A zFefdZrePnHG0&dz$^GsZq=Tc*X98#ZZCDBvM$vMksIlGTa=er9e1f)dBapUV{Po>y zD2Z*sR`QmZ=YN7lp8_UFO4AO?YE0F@LCnOPy{(SSg7R~2Qeo!Ifp|S)9K5WoXiwi(Tkg--w;}*Uae{@(Cg;JW z2=-bjpsp3fpItNqzQuU;Y7(alM3n0kw&EF+yNPRwQERBcQ!BoHb8Ui$hwrc|LTzsP zZ+2x8=>n};rZGtA#Lve0THZtqP4Sqy80L&cvl0?9)O=&Obw+Wfoqa~Egf>5SR@qP6E6 z9r68I$*k*aj4~^r?9&yTajFprn?82nND*C*lgezn{ONUh;66%IEMMc`Ojmg*NUN*U zKXbzoaMtN~P`M*tp0NKJ+m&8c<0|)TY3nNaac5=-T{DJX2#nJsY8~EE zN#IA;vy4eaY7%+_6Ms}!Vp$1nc|BB}%i2}}6a*HUW z0&EC4w8s^*hw!(B=8f;B=xa!BHtc75e16`;F#+H21rBoE8UlRSiR;6btm?$Z)Rt^4lttY$bs9Rr~pn zalX{yWEYGhQmJ}A3#C`cShdsi1_{tq1{1GP~;u@G>U9u0?c)kwB#M;te z$lAqa5I4h)hf@9-5gHi@JR%ubA`bIMfO=ykNn1qh5bQqYe(6ofrRZxYFy>FvK79^n zus8+8f5MqG1`(!Q-Hpf85m-ATLSpHzA3KNl;&pR?-KtxcW?N>O_Q3=%eDB_i_swT> z?ykI<>zg^%pVs&4)_&9H_z+IWOsG76@Z4!@S@A>VbkW0!8bBxWa#)8cDUv_Rc$HB- z*MVCSJ&;Sz`Af24lpP#r&vnjX#N=#HvZCe3E|PQM-3TNO8^}u2RWW%=6hp$g$ zwlwPruy|4j5!)ax;>Q(8;xl-1qoWBX?cc?iwSD<$7&jL1kpd*ms7TRLn%`2 zuEj7o^OITcjN1CNf_yu9!>O-X?BftSQIen@Wo45-$A`L8wlm8{Yb+_=8T?Z2IWlza_-;IFog|-^>~zlPLb2q>Y{R0I1MZ2XV_BZMo)GA`qjwMlaqfM^_Nz9gl!h%PHM*j@!h-OpEvt{6tA3 zb^WVclj+6zwa{i&FJT)z+-B_O#L4#XJ3*Ic{Ex6e-*3Vd92G%7STY!0V}u&stj_JV z$9D%e^V$;vlu>gbF)|XnUPWP2oKpf-s`f&InkE+{iHzKmu8t39r$mR++l!iXO2sBU 
zDgJM`Zz1(6Uc#(Sy5EMrA-xN;Og~oJof6mY$&%(j8H-)8DdItX0X4P+jZyDDxmhyS zqy(6_W72%F=?jO`pB8Yx=0*Dl1E5&Z072`iCnDMsByfE=m;E(sVH^s9_0$xhSUN#% z6p)b#dt8`4j`APSd?jeXKtqn;?A=bDeAWg}2ElOlg`Ny>L?vSiQ#aIZx%&u_YZ(t- zesp)rVQbj5SaX6Wu0T0Th|gUK1;8ED`%a0BIL!iUzq%Ui0Qk!0Q@c)-2u%q-D0A|p z^tC_STZ^PQ2o?)8Y4^3qQe*USoWI=IRYPU!lPzdrk-~Y4KSCQz?R2Lwsr=U@jI*>7 zcT6o=KCNFjxn^^oll#b5`tCk=54|tg#=Wn2#4aT*~4MF@RQ94L_3k_m~Esa=nV& z28s#7_Aq9Wg2eW=n|L+2qu@Uzybb-T;UN4n3F|AktKp_dmpyYt-X6XV_hC3Efg^MB z>NlqMevwPdVY$}@VaHFfsPMR7(ds$ZDEgV(Jou0VRlq-j?3;-xoBNyyHFn|nY4nP! zJUzrqg6!(UFH@l`vzg&<%+x(+?_UUyUiC6*3cGC3TMI2 zsaijQN5C?d;mSt&laCTfs2G2TmwWXBmm^Wrm0z~o!Jin{+-TdbG>q_Gm9(%mA`kDk zXh7{h$0g@4`1<9LsXQp>E5valiy6~S>C_gwao~fefb2RVQZ9f^~HmK)(*kc zV~xCDDkFaV>wIx;hP{YcFoXriW$m<(dvxj0%ziPY!R0bbGJ6}zHp@uv_v5$hA{HU4 zIoy zc4>ZnRX{axy`>7QnX?`D&AME``C@w3xe)J7s}8(xqG$zT8vFv}=Vx(ox)6J>@t>BT zSO&u4%IxBPA{JSpIGFy9hO;r0TM8WTs`a0@Urip@Dxb3JP6C;Kh!c82(FNe`U;^Gm3h zA&X_wp*hoca3I4}NahTS$~KGA#RiJHsp`O$4K+m487U$i{9EP0G%Dw0edSC#IOjjB zJkIgU_wjNi8u+nd*!CxZk}%n#p2p&yUl2i&+SX6yTbt1%@>;vp+w8Oty@)RE>njv% zPsbJ3?Ie_>ZTDKMpqq-1ubXW6kB@d;yHf4@pqJETj8@5P8TQ+NasK{)aJ{9wXaY{=U-7TQekh)9 z&hZm+Pdr2^Tn@DG5Nn??c?yV{*c}Y98CmmT0;Z>1Xj26#u3NiX#b8*s&?vPAcI!<3 zY_zz*=_O-X>GoEexHCGR9O^fV>Aq-E_m@?FLtvQaZLmZB)sV_YrrP8m861aL={gAO zxqx~47^yMJGTphY#R@#85b!>Lyz2Ds5vZT75t&?y=)GJHlL?JWNj%54Fg9lP{ZDCe z4JrBSG(9NV_3IS^jwGH8BTV88@A-_Fl4A$#k^!QaL>U7T*uh7`u6}%xDQ+-p+VYXxW2X z8QmEC0rsZY-Wy)4XplU`J7Ikc93uFLugdg@2&&6Idf^g8!)iw4oV_JOgl0LQ?3An4 z{`+$c?rR^CLdB(% z7|t2h#ET2HEb!#jeHSU1him;z}kf?AVmI2Xi{aTDruohYecZ)QNASHGi-*{ z2`~8_?ILQ>*D3Lm_C#uVZ(O`{@mp+%eLHzk#lIHde}R@;bm39LM3+PVER=vh{F*X# z@_xy$Eskmd-YmX$NJ)#!We>TWFIHET&7cgUABVa)lMk(m)5~eC3B7^6&Q=MtNlc z-r@KNC#G8nXOhH~s9BhpvXew$L7e_WP+z<}Ks;jRE$XjdKKsUq3F`l!=d<_ex8lyf{Nm*h}nOaC0O45~A+Dq)AS{yC~@pwWLDyQ@mv8*;N3 zJmXEWZ5$ZszIWO3`i+$_>;Mad-@0Py@b9b@S~c}5TsY-@|a<6!;mbCIim6mu6lWm&PYc-gHf6?_s5UzCUQ0)0N$V}P}HEHp+@0i}o zMQZpTW*&shKWMlAg9+W3@QfuGHY|&0af!NG{gqQ?Ot~_!Ovk6uik3v9i z1vPd{cp4JoPFG@tgQ^y%{^!J2!YbBQ9J 
z$S~7{7=qo!SyQX^o2jwnyh6ha$lVd#XxHCwz3@LzfVXMy zX?wH_;f#{Fyfm>}4K?V48S|*|ry|AU3*;jiF`RyBY5pqIS(7~jd+>kCiXqfX(?i(E z8BC@O$ej_E>DO|rF2f9IQ+*ol`8^hnvUbqLu162RN)e1Z+06&+JHZn-Pdn|5Si?Uu z`z6kvX0c)`b)X@>8e$D0T;BPYlJ5%TPHE{iWhsb0_!fi)71Wd9t^faa2_qyfm^;Wj z?sAyT*f<#{8G;SgSs^Jej{>?;-W9RoPwZw(SGi=)NGe>Pz{kUYw!AE8O4?ax!rvAU0c#1;Y~tum_{+TJ=p4fXz;Z_ z16AJR&qrz^gosZ23S?o>6Li&@deL-RD7eEud3kT?rytk}X^tKSE|c2ZP^%>N;#(S@ zg!5cDLVp)H=fO<)bgpp|+PSljBnf3&0@+P(ixSNef*M_?(3Z|o#V5o@ngfe=eK?Qs ztRU}%2K6YdJXeDgl08vF&zgOgV_jNf6n~kP*>+&Td^c(;hNW!}tyVpaL-3_E90vOWZ*(>Mt{|<_ zg!7_RX#akTA;3u%K^}EVoL)6|W4uUSmhXHlsuL|ZW!qgR$^J$1bh(wm*fd7Cghlh8 zJ_VtIH%>$4x%H~}G@<>uJdGBsRB0%+KVvJn8!N;4Y1PNtCN7Jde5O4xL3_X9I!plH z^2v@?=N~W3)e({p3fAEeze4d>t%82Yzyq`2Pgr|2%6_2^-W|$l{$fcMd)zn8w5EEvFndtXcSQcSMcacIT5a49`OMO6k+>hMrrSrj@X_v7`t^*m0EeDJp`(jlBz($;4w)Cfb10(P z{H{BLe>G=!HA(CkccJzVUI-*nglU88$#NbCR(WWA&mlq>pJCX;dP6l;Z{sMps9O9wEy#RNIfn-)sGINrS zG%{u*_Epl;mW)Bcs1E}&S0?crA9xu<0MC_{4H(349@bp?9635T1;%+_#BZ?mi_;N1 zRosap^O&iLhlfzbgM&~>@%sK&B{rx@Ln6z?YE<#_?fe75hPCWisfQxKVKZI58zQg@ zkZ5c|+G_(nBCXVo5jotcVPcxUo0!?zeMHJRh)%lNLp5SWlh4lggD(!Y zwI#GpulW|*^u~(PI?o;I=+iM~zwLU=)7v;IbKZwPCZR$KT?3m0&i>jUIUK_)DU4Fi zn`)~bPrkL~Y?*o31Ygr9o$~o1yZ_3x_DB&SRC}LqtTnzd!fl+9Eb&kT7{YXU`{bnLgwfj!qIw$9~$p4;aA+UdSrw+)QPra@gHFdmQ7 zP*zteOXW~p;djObvaaJ&rkf47>iNbUt3u-?R-J$B01oCy$uU}A18jU;TP+4DG2b0i z{;Cp0r-nZ}A$z$*3k=Tx5~^rJX4sQ_Uqd3ygVmmC(r)kLFWGYpohs0WM*D6ZiSoX4 z$ea@Z(+}C?HTPHd>)<73B|@n#dtFF_AISqH-Z|AG`*s4?SR=8<$h~j|ABWWr1?w;C z$wYo4Vy!HKlF^LHgI9vC1*^+|CNg9^1u@asEQ~t0$?R)#pC2P1X&gzfJ}%K`+VGx+ zLNKlr3iRpV-FHGe)z*}<+IcE0IbY^C*u0}o5u?)}hL_VH>W!{ud$9}pyP!4Gg%ZVW z>DMHhoDPB+*B=2pnK7k)9r0U*uM{puT|ChAM-+XV424?RMqO9=PZhIozT0 zAxhZWZS1I3RZiL}nY3zquH%V(9=N&^Uv01Sm1xr-<=xJXK0jG#rm~p=M*vU07?P{S z0#|Mp1Jc&oGgxg&8!VK4I)B-X%}m-T8Y6tE?SbjEJTS3!keKcNk5A5RY=@@Y=jxnN zH1$3BAa#~gAOGWNr7`@`3*^c=73*X~I}4&8yyM<&6%&QPK>JSi&%@OeVa1(WOGO#u z0L=VcdawwroOae!7BDDQ6j%W#7`n>4TugnEaPJ6v(cVROwY0pHf8#o$hM1&BX;3E9 zZT?S+?1ylqy9!6`U~{~99^Abckd_tAdXw2vUF|Bkf?Ha4s(3G8;@F`nQ2;tUFn+Q% 
zg;~yYSg`$xv5)qH&~XqD3S+VAMG0wTsmuHVHT4=s7Dz+clcq+4gMd(4pw<&NC`J}5&w$lTb zHz16xUrqsl}ro5u=g1cD7D$b$IYUyo>NNwKJdF&ICK%kig3 zS%rg?AVaA@9?0=sr$ydk+L(TwRa-fRwbM`*-O9 zpT38)uyKK8j`X($;C>hD#d&3D2wOSPEdw;Vy&~}OyGD0*@aE^65?+onG7n0pM7z=4 z$J)bK`qI3TiMDBy-ITtM0N16_x9}I$`BglheizDQyXxu4)!tS@3%u@OPD~q5hq-6{ z@`}Q@#`Qrx{^RzoKF;T7n!A71L+89$V8pHe#YuBLG?;y}_osN#3niMAaK;DzArsvj z!4ujO7bA zLGw!}_@$4pc?12*E{eI2zAiSbMVhP3B)I4KP#XRqvt`=P1ujtkDcq?9upZRQVVcb6 zy-xALYYje=0I*ZKN^RcDyZP_J%Vq7AIACMa&4c%O{+9`D=RU@!SgvXwVqs60cs zPWTknD%(Z1a=mUWmEuqt(Ce|7-9ZxAnIp8S;H7^w5gG?ch~|Xa%8J|TriR(vCl8xrhbO{s(>dP}+E3VYzKwTF6$BJK?rjRA{o z?<6SjW*wx1;_4@r&bARI!7ZFl&~wG#hG`GJh=%R%L*-ssVNUS^Qzu4HXEu19K9db) z$KpW(VWTIGY`ik1lt>`nw<*N;RCuK>xLa8@1T6sRUT%p6%F=qm)@eRzFwwU$_~ZRY z^jQ)GLtW%d=g0++O-CFlrB4B{lGt?jd4!Q&xj7B zws)qYPAd{m&cb76^EQ6ui*~3|(1>xTfJXdR;5a4e6??q2i&O3vgA_PAVw=c*cM|H; zn5(0POEd*IPLDHWKDuO^{&r?|OzZG$TeTTO4NVNpzFgXQ>RE3Dy|0Rqx%rf;vN7!r z>+_ZK4Lv3Gi9gbtEKKY_h@rs6idPnu6oJLY4_2#X_EJr1*_Sd|kEEUWsQOLti)xuk zc;-tWa@hZ4soz-C=T)I$&n(3WjSXfgpV6hqpZmxyg1Ld-@)$^20`g?$(9}aO=Zi^r zD0uitW@NlyH>}3oF#99eCu4UCQlN=L+S`oix^t8O7n%rY=jHNA%;Az72w8C!SYhoE zZ#M|0E(X*>OH-)9hy#E6e%s}q`@JNrUFQjQ+_ zZp*P!chs|I zbmUOHln+B=W;WlokpCx)&G_NF&&-wx3u6nmTX)uiG!y9OT@wtg2-#KcXh2<&D$ zckNazQ1fOAF6$Mg8-uWC8=z83J`;5;X>IuPwHbgG9)V1!=igr^X;E zNq-A}JnWQvrRcS?hhQ^$INebeX81_{?76_tn9PDiuG8c9nam{e_Ej2kce21hf8hAi3M zkRFNm8260eZ;wetUJuqP_~>&Jm}8^zAn40u)Xs{@)8D5*sJCE_@xIf*h3-BKb>A4< z{xvvu^3WEI>$`L`d^hqt8Z^7flz-RO*d7kP+;Ju_1Zr+z+@s1h@0JdLo#?*c0$7rs zY+dCw#-rAm-cd}rv~RO!3-;hJgym*hT79pKfhxO4u^r<}ry+{6v-JU@H%Q`|Hw{GZ z>IGJ^9Z5ou)(WhgXnvUx1G@J*%yXo{kt(ns1}Xxvrg) zztGi3yq4*9w&j@Th~M1iA*@fYoxMCJd({|%LM<=kHht%0^;!4nd}FP;NGbN77x%(c z+iHTNsLZ-KScnZH^v;fF!?fJGy^e2uKU#5Ho$q>zwG+hT*m$72B(S!>s_ z^==f)8W9^s4iNf?e0t+581#zDARGg4oEwWmsNn7xUKg@uuzqBxR0oJBO2+FR;}Kq1Q`ZBoxng#^!)Zg}u4A?c{#E|lh1OSiPdnQ@yF4;dtk7`Y ziOx^Ozk}>Ox%K!nf6lgqo-W;QWY50Min5?q^t|n>r&26{mWV>O%{X0xU2FVC4@+6^ z`EkzcDAeGXqyIa_(tVN3@X6_XkCf+r|BnS5pXsw&Rz)ONOBb2ZOc#^Gla-0njL{Gl 
zGmyqH2_iu;egVfQUt3XOt3&M=vWq9c&jL+Q^^^jjs|jd0^KoSSW=N(K zi}6+6%U`0xpjE9+gm>PxHlK=x7DtEXdaIkTHt<%526AF3)-`pL{T=LL`84QvMWZgf zq${I*cTsMdIe0igCx>K_fYp!T2yk;q;$4( z^_qA3h$83U)WZL&n5|2!QnX4LW>}a~NdFc^RSSva{=$pv?Q8mB^i#}CsAi~en<`)% zpN)q-^WH#6UuYe1<)wBsi~u@ASSzJq43!MYW_rabn~Ez1uj*wiy)h~2+geuMS2p$g zC#ruc%MVH3vBuK)qnjqmLx+ZETMgc}o~VYpFlhYdUN6LWOYMM_m^=3rZWp zS5hWsWj6Cg78+PTmbt?}iK50+%2u~8lh7js0d)-_QV_#m!JZk8ms5eyS7Ic-{S_{n z{YC61(1&40l_vq0bT;%74sN*FK4I2 zU%OZ}=rpbMQzQ4#ImQO8I%AIxet~oq3dLdRIEcRg4jo9B;zQnih3B{1V@OKs82!QM zM($*HDpC!f2J*naaGn&Z<6tM8Op2w$1h`c^r2mgr4 z%DaW}(Uno6w#?Z5HGH&T+oM{nS{(Sd^2#qYBW(vY7nl}nGV{eke=5v(7wnpn@-cwM z;>$2l@!)PoJE$F2Ur~5VLn>T4VmTAg{vwEIcSj*fyDjtzH@T=SVa_ZLM()(HA4<ha)3h5dUSU!3e55QvFyFBQ4Gde7L*OS7U=HMKB~UZ)hX*U!9iQgtw7h0lHyj zOuN>gHs&juuG?;Cl=cQHWB4&mm7eT;n)g*?x9ZdzE-eU_?7L-BqcbS1dY?${H&W68 zpRjItu1jtv--`%GKlhL?oQ&f=m6;@Oc2*jH`SFR}{A?~+oQF#5c+3j+QF7DAD6FS; z;dcc)%WZWjc`)&?^|}%*w66T9UfMhI$Nl{zg%IkHBep=wi*sgz_-sZhDtFC;Z-tEI zy-^*X9U5#d4Nq3rrZLUT9238SC#8$f5-J<)r;> zuvOiTlStP!ROU9)vL_aR$ZY8t!ui!v=b|k{?S~Xk*{2$vYm)gDC$rZi?(o*_Hn7Ml z@KPP+3MB$PCwoZMDAzLD0-{oHrau(}ybe_aO+p5ipug=!6JAo4%uT95A zAeI&?uBAz>w&pBVGMt0tKrD%pMkEJg{?GR~O^|p-4*gBTHwqzr4?7=GJc+ArGo42m z-(W{F>PvMm>gT*t+_|wS#d9&svgTMi2C|vA6XUZVg^bs@oLn}d^MS(5uD|qpOoAg=l@j_XSWn7fjRg% zN3snGgBJPX-!X>4Rw@tHDw!%ee?tiG#5ya$^I-HRoz#6`d+Ex)5S(5i#WFo&4tje1AWQHz+_@dC6CRt7Al`Q*;G2T>lm%C*w@vRipqhxfPmg1B5gDYHEC>IT#QX_{8TpayFHay&Qa!O%?XJ=F zbp2u69MUHxM3th8Yu3sYsUmVo3KfA4#Q6lq?IJekE$I7o>C{ZSX9p=2 z{)o!&LtOIbxRuI#q5d}V>E|8NOOwnAqo~IBc300ENVs@Zqwiv`IXp;Ds22k{uoy^Y z*U#6F6%(YtKh!HyzTn+U-5~ahi!)gNfa7DI*u2|#-15G9V7z7oy&%9p2tJc)FoD@e zh?f{IR|U4S2@y4X&_7UAc8CVa?!+6H%2wnl8d8d&I-OYWs!D&PHlE~tVDD-3{oTd) z#QmfF_Tp6j!Q1xH*DUN-*)rnx2^i%+5O7Ko_(-SI&ccPO(7K&^A-~T!7krja^u>tj zqdj(EZ-PzM9yJpz#R7E_TtduW!9)X$lS`T7-v9D`3UVx1#uS6fm$;%w6Zn>pja3O5 zdiWv6RmLRL#ul^n>&6{L@n^e8-V0vG{m5nZoqR7n!mdl~A3>YD-2;HDx{%eqt|?=Z zu|a?_yYYeM;JzE?Y-ht@Eqhcw_KSh>l_+%7YB+=Oj#t#(NXTh;btnn zdvxF!IT6_^nv!Lq@pJqRwObbUx^!Aa(jE^r4WMe8#mF?pgVsyQs2Q|!#)Q01`WKah 
zwN!R&Rfyws&>4UH(L@1$G$V~^CG(pP_4pBGjc_^o|55eL(Q$p>+p(I)w(X>`Z8wc= z+qSL7w$a#58r!z**xEfHGj;SJG17Tdp4iF_j6-PQlI%BoK*+>bT-$ZXSDey zBY)pD0}!mb{1V;4`qHKlB=r@&G$ofKQNxXSmpPY%5u3SZ@Ki5T;bQS}-=-yraE?aM zF?V;%-8-hBxC)bnhvnRsXf?092D~{2c%cq-FXAUWJ(eOC4=#!rWOK&zHhhddw`SDm zF~-D`ziF{?kREsrO}uI%fAm2V5=_#sIG>Sc12w?0E5@M1gION!i>?qIc>b5*umst6 zv}T+ofviUTL6o>H+x^epCvWoBOQ`j)xnX`1(x<@i>#Gxm1EqenL7nSujUcV>B!~niY8K3}Np3h3MyVf6xPJ z6SPyBzug!vSy}Bc)JWx|I7yv?t1YeuI;B!?TS+<69fzSFa;D__(v(7^0a_`TbnYk3 zb__RHYH;iPdZBEdl){qOc&ifhPxm4N{KSC>sT5v1=5?&au;QYB(?cSYy2yfMK(sC( z%PX}H_AsEx9gy>s>&q#Mwkv*oh4)`j$LHiM$*<`pxm6P?H$faJW-WEimlW`(g<|#7 z)YDgTWFRu{aqR`*)H4#&kc8>mW7Y^v-lGi~Pc#G{mfnUWK0)t`9rUOB!^VI6Z3n&a znB&s0r&nF-)SZZGLGh--=fhfMT`U#et4P+S>`EZ%%R5N%k-cTXd8+g=T;xl3pF^xwx-wu#j6oI2VP*_mCW@w+x}AOA!zr_2Lvng zaQ-ykjWr;6pS?_9-ap9E3B-+2hVQ{o@ySTzKHwdRrNc1X&L6^fTN^$3cPkJ4{X+Pq zyowo^Q0PwqqWVQbDd3iA;9_Vx;J8FK7yqqZD9hUU0>AZbqsIU_3H}o?GzZzDKuf!M zJM6C>ys{VEqA(q|@|0^q^oL4CMAjWK0I;pWUB}Lpw$a>hT1~TI6)>06FBFKeDzG(K zRVSKeZ^tnNuiZQ`5x7$!p)Xu(U~zhRLR4geGTe?b53QPi^}ifaBx=s~TIP6**qWqH z^CAHLBN2AFYCmpgsxPEdp{SCUKqd?eSmjhfx+Cf#shTeYHNRI$R=%>b#HEW93ZzD} zzIy*NP{1P>Hv-PDhe2=x16GiKmsaXW^=5q#|$|-iVvp%A2*`EZoaoutUysz?~9_P{W z{!~-xcOxvm2N4*PW~0n-&fhBj1oM{3`>GF?s!-$#^OBGHR9mbu?NlFawlPc>_%g#U*-PHxpM@o^F5WGiT`YP^*vdBa|ru* zdD5alB7)f9GW2@vK3D8FSCDC#fRR;%`iCkI4>yv1nIAFuDJYtZ7wq<*DIp2$^>F60 z!A0oh`ov1;x|Snzi_JIBX7rr)*REXz8d|QiJcH7h#?D@%fdOERqVXyll+1HBV(4ibc4rUYvTl#>z^vTPe-AP-)-U^- zEgsdO`*uy<4lm9}=UM?T#+>6uSwBaNx~&sASVgM;{4tg8TRCnmr5*RnO3TY+0nmdr zEww3Gsw;Qcc6x1kR#;_wq$SO1?r?&d-_ab^*2K1)g$WOs0V}G zAxP7`PWG26F1<3KCyBOgFUsC%%QrEg&)hSz-)m3I*K063l2rzdVIOjeERmf?8#+mt z-!+6ZcE%|nRZ0HIgbXFdEHqV$g6 z^np<$X@>6i<~Gmd`wLQW5!gU`Wd@}q-%IEHcKCaWsZ8-viXh%H-S`BvQpVr^CJI@x zy}pQizk;w9EAnY<2URcxaQJzO1!Ge$)2O;R=X}Bu1M+ZTAZz}Mv<8Cl7jZOYeg%On zMt)j<;Z}e1b6YqP&}0q?WY@*|*H) zcw22C>SO3K&gbrpSbvdu7NXW9?IwZ1T^NZDc^$=II{7N&IMEoQ1e9uA@S13`_}n## zs+E5?V!$wC|5XdAJgP@&e5#GHz^-2j; zfMPRT$;EHU>}Z!m^2!Tes1O{G$?$*LpF0q33{y#(BH;UxeSA!N<8nDKKU$C!z?{7Z 
z+A(!&s(=>qYG1TJpvb$!1RZbNgIh>GHoW38?_C#wpgfY_cWb-~Ef4WI zS@Ag$^gwe<{)C!}@9xV^6z)fGz)l5=ALWLcyqM3N2rvYK-&;d#n&8Am_?u5>-NO3% zzlUcD!FAyafE>#UyI}MZ+yYVO9TO8!6KE0fVHB-=)x`!AogfI-{!i!X0tKy|x!~PZ z`pAso1?lFQaO;wxG!uz@N)0Bd!1iwsJ*#xM_<)v_y~|8zBCf*itB*@Z=N_~@a-tkX zMBSi$E;K!GJXdg9+BiXcdU1hx_i)m~d9LC0KN0gt9!UCq{DXA~3teyuC_?NJ*+!v+ zFX$;`(T$b_D-$vlyKX`l+JN3!UjK4V8vwMaj?LQ}t6;$Nzm5zTKmpLhGl9~>CKBi6 z%~^iAT8QrM?G7*t5G*jKwC@IB}JUp$^0jQG`L{lInUz9w`e*zb?{GjCZVUxe@| zBaU&joLBQCXX?ilm8&3BZ|05+US>HK{G1x95o+n;@+c2OcY1L!^W2SoxN4xG{s?ha zhv?6&&6$7l=-&yxX}`$vbkrL-PpdhZSy$kHN2FR*y4?iiSNED>nlHFI8E_Ky=YRj8 z#QxGfZ&wAVg(9Fa-477u9JoVce43No17x%tq%LPGcG=6v>?YF37re*;dH1_^nrMWL>wISV z<}ac0hdFRI=o0vG4DiDV6`}}-LQBxkQy@+Cj0BxV|EY>-(1x8o*8>*(2IHrD;(dxG zI!P)OKS)PZ*YFU(+Z4Qd%)3~WMhBVGQ9pG~4GVjIT7SeOEd~D~{L1bK%gaq1?zaFv zzzY_#&CdJ0WgC|2NamcJ(hZ|m9-|pG=fbZoW;r^g6lLI&QC_Af?wy8$m84|w&JRXPiM^hK>lssf+Wf!)5EzD zhKHZ-5j)A)xlr*7*6iBak>vreItn1;BN^^(f9z!ZOoj*A0kjgLAm&(gmGxwhJxzdu z$)-31S9W6t6Otf!2D$RTrwNkRP~gIs(f{Q-^}ZuP^~FNrO9 zeYO;tHsupp?kSiAt=-gI9OZ-J=wgP?HdrL|49RQ-VIy**yaq6NsiQ@%$uIB@%J zML>kI=#s6?z)Dn#Lv6Z#$ID}Qb)!I}jvuD{;gUc>NW|kHDBJq)E-pL=B3apU^$WY=1g0j9$&fjAg9B-8uQD# z{BlRs`S&AgEN}U_bbOiT>V=v8!rtitS2s%rfIIbZ9Hn2UiUn$lzDUT9sg?_PJKYCw z9u3Oj!o(k=4<}hE(?2ev7o*PE4{Ugm0dJ=@*+Hi(Ez{SyPv>x2T;K12)3m+)G@q}B zDyY!AGW?g2=@LxO3w>{t{E)rco?F>wTJH943n&-|7nnqjf@mSbtU>mFziLb_Pv<@+ zGk*5m2eAOzMMC^$)1}*Ap!_mVEspOu!{Ya)(?k9z)H?NwtVjT+w%QxK58Hom#07J2 zTJACZesE{npNw3}pC!`j?dYOk@!`z4JJNv*uxsEq$%baEA(UOy*k#Ek=y;Ha$4n)- zzD^wGz#Ktfi~izOrOfd+!ubY?Bah+my9zl><0ps)wk}D%Yk(0Z3+AjsV<-RH3@tBH zl#NWF-%dFpxGb;iQ5FX#^l#rgGQ8%~DK*StNZw|H2Ik?YM-lm|Ew3xX;w{Mh4vb}X zmal8pfZ1;dAS};leZdPJ0a!kF3SJNlAqm2VO%LLb(rbh4?{m>JgD6khB(ybe5A+@&*9m)bi2k!*C-3Bk1?vd z^v5A=?b=lz*Yu#~88u9ql;ZJ?XyS+WEVjm-hQ-YT7@cnKyk}@OhJf~Zjx~ARY+dg5 z@Xwf@=GkatWHdlTMxt)@85uScN16nhg@1SAi5C)XWupk+0 zNP0?4xNT_>1fjW8MppcP&Qlvret7aW{>lJ3x06?PSbbVjdqccqM-kCJbAphA(-3os!L4o%)I2tWcm8Bv<%-{3KSlYm&dJ|j7v)%9|oD29a@li(~P zHoUPyx9rfImfaIstC&WC&dH>uYoi!LtgRtdBzDnnos%?7D!~j9(|Dm*IlVCc!XQ`? 
z|01gGF}TRcilAJ=aQC*)9w$U6O;O=#o1o$ykNG|}mAmXOXg@=slT1WXM~pVd&eE5- zGno4(n*zKi)pso3ryq?A;OV%UZQ3npcl}oP_Z)-w+$gVWxv{gXoxsn_TP+e*Q}R=t z!WLCZ#k*nqeUH|0aoFr>^(kW2O~*6IE(G!gc$j#ydAq}j5h!Nb zFWPvK*~je0MTBAKyAb~^b6b>QCuIBBWeY8r{BNo%7@O4D>rA90{yr~+;G3`;PC_{3 zu8Q)_4twOE$k_MY#gYP|+^ z{&aS;u9h@$sZEE70Pcd^h!7oqZ@cg_MC1DPz<4?BwYK2vEv*N}UjD)qN~i%j?++nL zs{obooPn&OPHtfa+Inv;v;N?8wdhs z!(e5e3j`T*@>b<1e&J#ylkdd*hmGM9kSw!(q7#I{%KybOH-UoY?p*Mgh=Npq9NN#U z`>mN4=Lx-%hs-P|j|swP?X%lBJ}Yj7@RUF8wYhvikdcr?tcKAWMWR;(m3dW3&4Ytd zLK$Q~K-eReIW(ffFm!<+|0}#~8U=$4%oBFe`+$6cosc}VLq}mUbF5$wy0LTPzqwmE zFgwn=C#SK#+V1fU%WnTn6(H9xxHDd?xxQ57QKxz8bh7x3F?*?#EnULH?BB%L)nPj> z*nI5{@*$NUvnH!QdA0R`d?L_6P%5;bMv4$9B7P%LM8wl%&YwgAva!snSLQS`yHR5o&idRbjbj;x06E9X3jkx^0{eE;fpl- zF1vo{@nT(cRKA1Iym(M`U!`Cs*#wBGtlwXd2LgIq!#CLeS>NiUuP$Q`t{IFZ&eDGz z1*2wvf+r+**Y_zSfP+U+<=c}9D#p7v^Vtg2Q|Y9Y`2htx(AOuAI}OHo&jZhFcA0N5N)@f+YXKC&yF#7<4TeeN82LTMOU8ofJd$=Kw*Ht!YUU z>;4hBGAXy2D81#>IF`&anOCW?(boWl1Ckw7_6$6k$x9qp{og+zYhoFbZ)P9$iT}2& zn({wT@X>3Uj;GGbr}CBKhVTbX+4r~*U2zTzX_C|a9?1)>#u}&RqyLvK>1kohhhN?z z>4nRg{+&T~za7s)YZ6a!o9$pb=&IOi=x}!zmjryJ<&9W{l0TjSf6d$<%~sKNUB6wT zI}dm_$3LnV@VI@`xO1&anWgPs1k>4re%5wn!6W!dfeBrM%f=~{D06SUS0-jLDIJrp zb;iQ1=fQ|Umtejb``zrJqX|qaC}M7;OanwW>)t{d zv?VP7Th9|=8mgHRa^^ShfNwx^J8wn$%BiqsIe*3i9F+;RN2ODt&7jNB3yRO1tZ|5> z)bUG!9C@Y8zjze$BMV!?>n&%2l>OK1(XGnh|1IuVXY_;1tmm^Q|FEh*kt7ID{cwn_ z71DTGI*@x8dmUj{f5^QX;g59NrI&qBSPrpU3=h%N7n8T9qR0^mZS<*%%1Fc<@rIJo zD9nc`B77fY<-uqDAND1Efk^tM3_VGR$WQjA@VK^UJ)!{^bz%j*pc8YBt#jm)Czyt+ zluF)#hZ(tFi{`@xQFYi`llG;1VOD7!-HP}PBS_9kh-gi znP+iHr2TK2v`KBh^5qF(^zRF2MW~qxNGfTCW~!0?2}kswki*yt zATTy%^h!b?ApXe_a8trA3&ume29m63PC>?>lrh2G-5<&AD-2gN*k?OZlYnAQ3k#?B zd6=AB_`_0l^m8y@eVo5LwesZ^js-D%1~tnH?}}u#9fX2dQsMJC-0t!%qqukT*Gi#< zI{@7{Z>T*p0H|6S{jmtXeUfM>h!r4G>bMAf0>e-;{dC;o0WiRf))Y{zXgrW$H*C9hu$4h0~<0K&3L&w`VF1{8DQ85NH03z8kAN&4lf!GlE zdmZ`Qcu=7^tKUyGlS+WP21Hm&-GJfP#xy$NmGB)7!kB*eaP_44F9ji% ziB{o@iu~sS%>(oFY`G4T;qnOoxWGm2p42r%Fn7LAouj9Up$}|y|0!=n{-+;tW~v90 zL)F8jK^0orDQo2oCL*PD!GU9R&C7hI?4 
z6+hy4pnPAt+sQanNFSAd7Ia&gp_eM|n11BrH=hoyA7Ra&$eIq+i@r8BAp*lXryECA z*(>Q)_uT+hxWzzega5bx{kYl)WQ}S zppEUgui=j59%9-jRUS4EgfAmL#F#%m>lbRugy)24K5Z~ygJdY=5=D^weXw>%;B>=h%Uo2^0kG*S-VgIq?Lnb zheRpaXZUoWgPC)PF_&W)bc8YT4eL(#PB!IADmaRPCf63pOOOWS8UG z#N+ISICEB69ecVC7(i;Sj80ZMta1U=Ma3$eb{z}W;%tx;kJtGM>pNg%sSM~|EeOr9 zip;}_yE4)z_~emD?%6lI-_u`V)PM-qc%gg(Ykhzz?azX~*+4g2<&|EkmV`$(_koW7 zpqXmNbg72OAwrP#O_Ua=Y|Jt4Zb+${+*JR}nsq2Z`k4 zn{?jC{K*F)vee{BzO;eRV@73#)}8qtxX0Le+>?Ic*E@D#R_)hf?m9J3)R4~9oejtI zEvT7emJ*QQYo}T@8};Uh{p2M%z9Mx)46$wpI}<+!;~fe~r1d zUg-OFZGsal3wkjc-FH)3QBGQ<=vsbJ8S)s{Y9!D2;j9t_Q57FS3LwdU8x@YB!1gWv zpz1jKs0hYD{W0h#`O&mhulMZj7 z!ru zRk*ODj^Yt-=TuRZS?+1F5xa68h<4b&T*9vpu1cyB+*~1?xb-t3#ie5HzuPJ?S2n{} zR;#E9thX@YM*Pvky;?M*&T!ua-QQ4PaecU@)&Wb$GTMBE7{GyMv~WAUJydi3$@XQ< zTe-&mG2?w%;T@&fb2KLQS`f4l+Lly7?PNaE)n{#iE@Bbo(7V0fWBFxz+;6$k25h!1fbU6oOs4$A_}ubk zoQe4o3ZTDJyfOrPFuKV4JiRZtEt53Z=u6#H(m8IYIrgEbyL&B$w6T3M7(+^eHkQhmyQlA-|%FXY0`(&G*UGSB%EX#Gx%8TkC8PSH_vM|w3(j46=2RJ zhH`FsBa52sQk|uyfoQ&ZSGcVF@;!E`1ho7U(TXwq7XQBQ60d#ocVU;idB^gYH2NwUsfbp^~tct z)KuO|pBr=rU!sp?4(cJVkOo|SRrT&Qy*o7pFIFFYA;i}?{`DGHTo5&ZpIRxYQ;WxU z+4xc$^>j8*FcF3WO*Nq~pPN$^rOSSW4Aq3{fn*>wOAj~v)4$U7lKzs7SXQxfZ0;(T>%`NS!-SHSV> zO#2Kl%eQpAhuNB>7ePh2-Ahi$d!v!|dN_iZa3a~`7Ec6Ha!7{7`H|J@ACHj1q8m7u)X>UzHO_hSk=$bk)#+GuW z&Ir7PgKY1^nA2Y);=Pq_z~+0$jr{bLi@&0_y6(*^MSjTmJ-Xk;Cfn3`duh~Kh!x8O zz2(5(w0AHsGQA;BtnceXP2E-B0>4<+n-KndgNJyB@6^pOfurW#>@g#)^6K0NGN&P~ zYU*`}iDn3)B!JLBf(6$7xUBO(CL#!o{^n~I-3$FR9?n-AZMaJ_mNPXD=p2Q&WZSbm zc>4(3lv#s|$DIcTZsOC#$dBiW^)dQ4&QfcS>H3Y}SxKFFb=vN$%Ff`AFO5onL+jMdjIH7J zW)C^h0q`h6FsQY~P9l^+NARG9RM{i8oF~FsNJIc@kpwI0q_uvU zIU@V*l#AI0qRoJV74U_I&a-elXH2JyrY&}o!X{RsusuWi$7+uP3;lTh3X`?n<&2y7 zQtB~ZH-n9%zs*+ARMHx0(Y|VVRtiwN0&UA^D7TB5L#>WJR6i69?+3N#hP&%hdAC<_ z!x?#XO70MZ?n}(t{X9u3VNfHp$jTI__c}0^uFL?8l5IX6)|Rme0v1Ah)J5B#_^bW} z@>?nVZE08L@viWT$eX9&t7q@aYlXNt^AA28p+XZz9vDXZsRFjnu@F-NNnNsm(4IOx 
zp&2G3mJ|p==C9x!+yCp6OtMX;4gJ!i0$FQJSQi#u%nGG2AsvOU{m0W|U!KMGeNQcy7-D2w~mChz0YlFRY9fH{cVT}SlKdA8(EfoX9k5YD`?#Za<%M*L1fa`t-7xlb!5u3UJpLSja%86a0EP-=8(kO~k=Y!Y*fj!J}lumJ=>TZKtNwhWESr z?9693Shnxa*=s?;3QDdbXNp{~^y2E{d(KEVegK~vB5E~frVR!sQ0%o@ z8eYIla94bfm|BZs3^_xJ|8SWiYjbOH*Xb|H-|ShL2U<4)P;s*R+Sj4$P;fCW4|cyd{A}=0JmP6 zIVGBfP0vS;e%DPYT?9DK#gF`r40GYQwzM=iL`~fZO7J?SL|i;0p^s0l%sH_BslDqf#u`K=w!m_iOFf^K+0R zZG>U5n2XZsYmF-kqv|AS;H_x4S53niTg_7b(1qz=^;ynGm+T(DGD=0(hw9kE@ zL|%UE1HIE`aJh6KZ3_xb>|AIT5=kfir7AzT)3l1AnV?%zQiiKBW3c6mnBcZ zfwBim>7r013r3CGcV2j&!x*Yi-WbPO|A?x{S8(JT%MP!NF}Xlb;Y;~*dbyzy!vm&Q z-k%80aK947OTlx{^C=FVzD|F0CU~I~UorWlZHxpjOZvx$4?uISNL+5@|K^jt8H~zZLrfd8Kmu5=#@xGmT zQFcSU=e0i0^$y3>yp05F2ldlaQPBN;O3KH)v+P!weqZeU0{jFRS-uKK}r z&x}Mup@fyA%;u-DE7()WL>Mzg8acKHJKSf68}L#DHB&r;wn+@OVJx-1}{tLyGvU)^?CyG$$|RJ z;*Z9`gaW>~@#zhYRu_?g`u4pL`vlCr^uLdBXHB)jj_gekm|To%)vNsuK%cuxUZoY| zuKc=R6R*ZWr;;*p64w)#+Yb8ro!rk?G5Qs|;zbT%no1r414C=WLP++uFE(*}SY&nz zpOr1%k=7rYtr{3=L8|zEjscls_ggHLkY4IsU;rsY^X$SiM&}$JBNxYMp~^VVhKBuk zZ(n*XSDSnH?08;A=Gp84PV?mGecJRk*q70+_l(0IdH4({e|ZM<<#%m%iOgrLCng$* zr{)j{;V2PRqWPIa6JX(l|Ie`uB7l-`vL?gAa${{xAY{*5t~5BR z63he4Z9x>;YgvBVC~7qvFPF0d&dSi}mB>f;whRa7>{;Rbw$Uq!;^ouNCHvm4F6zv5 zoY*4ngZrd&GS*5wr5ySFj&2m@gzIva%VSv#33wV0>!LHxKO2 zlLZD%;93N*dAsuEIlZ~?$GMPp0pcST9>^)X91qQK8c~&H&jGHlo&-DR$Z9@dDS5+% zFo8NSGeSEaMFyVV1hq^vl@)bI*ldPW?|6Gsj-7d;z=~n*oAl5+OUd>$eXn5p-C*q0 z*|0K?KVKmZpg#L0Z$n~na1KRrTn+vTgb=MR@@BiOF@M)G7e^@UI0r>1z?~m zR_;Y|8D)A1R0d+HAo$}vqkdQE07iU$G#0#gkpMNvl=c> zk4bvbHwAdEb)%D=hQ!B`>zv}SRuY}w#u2T4?rfpKhs}1HFfyrFqu%F%6kT5?U}!=X zVFfxB4oyg84zlRBHFM9$)n5X-xt%cNu1r3999ZJ(p07`jrhsOxaj!JLX;3>Ru%D$f zTdlI8C(#EblEH!3L6U^Tj^*o#^vxD7q?v&|%v{8eJ?Y^a9yCM8BT(rui0g>*( z07#BksOh>=m-~3*eG1d$9-XFEaH~~bW?bC0H^^sD=XiVDPw=99v|=j&5p&Z@xPd^_ zLMOx*H=tx0++TZmv%vR6(+!D%Z6iompZRuLF-_sdd$?<-%#9Fu8LN7Ix$BRSQTM$h z1|mFBahajGr(sF$YZI|=conyzx#;S;cil|p(y!*XY3RKK8v78~O^XAO*B>&e{qw%N zzdZxH7ioTJ-nn4;ZbfQ%z{+2M$2)?Zxwcj!VLq7{;-UO|)|9;446c6tN(7}-46JIP 
z@GBxn9ItgpnK$p1z0JJZ$hk#55n@c>dHw;G#MO@+NLWO-W1L@}$cP@0o*xY=iD>e@ z8QRm66FHGDH3WP=?cBPzV&kP&qw8+`%7U+Iw2N0WlA~JzfK?-^Nt4T_GqimN?sgK> zn{P2kAU0fKsL`~AMi_|OGt3|^D$egm&iIrh>1z)S1`=}3z0^&G0%QPj2AG9eB&&1p zytD?*W6(+i)}&+QgIG@!%?USWgaLYmG+Ho~RyEE&~L z%MFe>YKL?9?VGtPUnT4m2mv=*q5Xpits!W3Suu}oD8ZR1r#&6GR45GMoOMEXJ;}XDFs3Tlh}xqQ_Vsr{roJ%~FMY{Ep+oF#l#;S#lk1)x z?buXYHS*Q)oh?sN*lZ81V1>0N_K$M9qwQL@*R5?y*qpPGS68_+uDCHCZS7%7I$Mr4Uh|qr3ij?%OIA1K zfCjze5gZYAN*-+COA3v(mWXq86KlYYw@xp5&E?P3MdQwB)4omS3+ieOsUdLL_wx3U z>|@$A@s}=AqfhA-qh5%rS0N&G$h#dy+cm>S(TZ}=dAIn4E{HSk5;}4Tj7y3M9ukmJ zozlTw^uorJ6vtCa%Tj%Yx_14to7}53sCZ>YQsnspV7jnA=@r+S7t8jjuQ0jwlKw1- zQtPDP?Zhu1V8Bt*)wmIZ+GXRGTb8xjUFI{fvx7U;9Hc}xzQECzM#p~!md zNoD&f3yd(Rrf!UsvI}V{)hexNa2%Kl5@rD$yqDGZlF$ZFlznucX}$6bLrgF z4wwf=MD?}kzNP+O5UjCu^j3^_U8^mhN99jr)Q=kk?Z^%^uHIj7_s-sd%TY-LzoSp# zjtso&S=lK5yf*AWybmD7Ye@{g&Q|3GZ{w~Ha9v2+KqGB;>S)~`P<{It_eUT(O|X^Z-a5| zr!PC3m+jdVOO@lGvRv*9*$8O_U@5EOrUZ{_S0FDtIsP1bZn4%f9?Gtc$ilbn0@?zI ze0WKJ)N7&-R7D)I3eQ8GLqLdf!wDB6@lpn=!I&&svjV3&uLf{hb`I)w*QDK`HWE*^ zl$XXk%M+4)#uL=+b$|~*4U%=R-kvN)C&mga={wBcz&avDeF3j%Zk$iSnyYizU6a@W zm{x9i#`)kY>0=@z4VRPA`eA+BsKT7tA&Anzfj-W7ytpjl68{N!NI#dhqLCB|$bw2# zeKvkaWeZW;3EcL+Srp6hgFDrqaRRHT%&u6~GPFz{3Gk|1V-9Kz`mH+@wX|l7`asdvFJdGdc=VpjxY_p*E;0=+MEVzD4256!<+XR5aC%xDwIqTLe|Hu zG0+1)H9FiHj0iZvfkt2QBKmX`ft@$=NoSE%{3wxj9Vg&Rdu>)R+7YmB*v~ZatZ~ZigD@jwkSNT|KAdy{K(g zr>5f?H|Ha>!)6Dzp!i_Uk{6G-Y9S%2ne9Bbw1Vh`S?IFa@JFn$qZuG6N zxr(i1f+Q5En+i0Grc{Cjc(R7YjEekrjp#y7C-Wp(z9jgCXbJ;KK7LZneAAY?L+y5u zFaXwd^wqC)-G^KWw#Vx%os+XeS=>Bs@rQuOL*w2#4IF5SuQ+djFxdpBqOZhD_!fG| zDN`o|As5}r>Tz1=S};foAy6*L<&kKBsh;%r_U zE>}3QQ1_RHz!;ee()of5h-v^|Gzq7Ec_E*~LjEpesvz$cU(FJ-<_PYi zDhXVGWRt^B$fS+a+(qp9rm4q2=O6|6YgD_kd|Mhs`emYqdV5Uyqb{aVyxg>y&;`Qh z&&Uf`R3?Bt#yd|!YS{SdyE~wSO2wr|7Liy0f~X>pd|+ATk10w`C>7) z_)$vMPi!a=Fb3vx0kzjI8QXQ4b1R@X4SLbvra>}k%OG{P59oCHslGaY&UKX&+E3yI zSBcGb4G=OF7u%E&t{=}P0d+#>7tw^M91Byesgb@fP7Zn&xZ+$zdeK5q;vCO3a^7i! 
zr4<}D*e|k@)f&$(mi{J4V-F&&TFqq~=V}uJhMSF>o2eE}39qu#uGJSxICJGQ zB2QjuvRKM|S4h$DPzjInRw^*~Goz2Es8D+1p=FfiV1}%LQdX4e+r z)<{QFQm|q021j0a0r-2ddBgo+O7)Zp!V1ENQMd?R$%XWDYj;{wk|7U>O#ADCsj{fL?>zP8Tn8 z#*(yVq!NCk)AR-`XJ>v;DR7&mJ-f}bhr6Zpoc&l?V(&XiJO~jJ{wIH&4M;7?>)9jsBE-yEa5>GJ63xH|u86cy%;A4QbyvMK9${17~KZV3&L=%T= z|Jb3;j%w!m$(~@)-08@zFnxT!cgOa)?BgHTqSO zK@zY95q{#u8iNIcBsjQXD~Tgel0hNALa_5(5Ek`2y)-EEIVO~b`cUs-wkzQY(Lt5d z03Mmo`QiRpTX}i0(K-BmHFst0OoNMzp8fSYiUvW5k90FQgo*aSdE3q|Q?%Fm73ZYy{_?mt?4Ln#i-D$2+ozY~WVXzZdr(XnW zwSw*XdbMqe?4%10s}G*MCSEdP9H)LAtZnqH=mEZkx77MU7)pq>AIAc6ggr zn>;M7!_W7jOsAXxkrFGTX}9KteqyAyQ$ieOo=OP0H{S1%)>!twSu-#x3Wx{NQd`Nm zNnv%vkTXktVk$K=v?tA`-8MPs)>w*j*`-AbfC)YZz&&6OnMZjLC61yl#F--BfL(3c z9(MUrdZ|1we_bFBL&@_o<=8y5MPCUk(g$UY<50NtpV;GcXceA$2(A%WQmN~ygl7fA z+_ce0r21BWtj>6aGdx1VU3aoRaOPl$KsRuF6+uorqNJJxE*I!qm?%!IH*cKrD$`np zAxRZU3Sb$Z!KyR?)DSu!hVQzg5GCNYxpakR^+6E3*#z(zJPZ|~ZDIUAS9M{@5=#*q z;CZzl&(oBpByd$wZDYtZKEotuaJa-u1bt~1AZ2zvbOELXZ%e4#=CZ*uAn`l$v62@K z;b?|nLJ0b{01{v-PFo?I_jEL?E+}~o6{<7F>efO91W71KicikRIzqKUr#3Y4Nx&rS zFVr|;=zY3y{ell-6;Ew&(EgQQ|(RlXz}i~vM3w6w$9+*L+m zx;{GqNeZ~PO~||13DLq0h)Y6}iEIp~SZDqfqI`k6M-Nj(oPVE`duw1+{Se5oAfq=! z5fu}O(9Ga4;uH&0y{qB^9Dlz4>pS4|1~3yI*TEfQUBirEI4y4+P4wM>FUiV5wfjc! 
zSN!|-e$*8Bkk{iZs78I{0Kx>@hh`5*^v2a#E6*J4Li=s+!SZ9g{P`aYxS+dy%3P>v zQ~EKmKh9b*kk!v3npuG|1VIsZ9T%tNk1%=Jbp#qpf=c_49l+_U*86qA3IuF(T%xg( z9y$WidEwbi|oe3%4 zE9Atj(ZrF&A9b46-Y?GXWi2O$LrEu4ikFkF4DxAw83wJ)z5`Ob=yQm{UD-B0qI9f$ zPko0|EaP};Jmf_807<`s$L7Pun1@&FEhoI>)DQnaY4jyCb6m3~*3=I`a$i6j88~Nm zUFgB><#l=Tgm4P;qk(XFA2CcE(Ci6Q`3OnPkzOAdt_HFH|&C217bf&dL?NC=AR!kvUa&cd&ynUOccw_gBTLX@^ zU_%lMCc0FCb^DgnsK8765z5S_1G+ZVudt2Bat?)t6Nw>2qp{m28uZ^+6Bts##8QQx z63OkMuc5H^`nrM%D;nC$eVyY`0rt`&x7v8HJ{i2wN z6b@_H7?_ zrhB92c-D-dk?jsQ$=pir0Hob3s+~d(LkvUCSRL{yD059#6F8JQaHtwhU^;{>TL``I z*$bK17T$Od2^xJsYS>rcAuD+HR2fe0eI&ryEbv<7eWw$U;F90g%*lk-B;JO(Ks8%g zUrS?&3Ignbpy)6lCqoQ;Vb5nn#NUkktrTfts;a2vPPOc$ar7)c6-~_I1!5Jl;hyt* zOx0hSi-Cqs_|anc%YojVA({<#uyP+RZxBE+E~%B$pYo&F6?;B`+xi@pwK{hirmCoM zwk1G%!+E)Uja~GWhzEi)b=9TI>ka>hNVknWl$&ppZ9B|_X|MY2AoBx3t630SN4gXX zR?>l!7V`Hq$ecSHogf?-Y&XJ8)gSY*(kn_s8zt7~}q zOL`rb=IAM3ae>Wta@4^o34;AO9}W{`G98h6s@R?dhg{CS4pL_Nmm>?QZp>t-|IK-e zVR`wllDL9cO%?LUrU0;d0vk~O?snhj*X?UYtTmhrR37nA@wGzF5q$>7B}~Y`8!RKQ zM;xupHC!>N6D;?=?uJkbJiV2Q;{o4AaiGmzcOVotSIA4JX%kVKq+cbGCz|XKM^NMe~AREaG z++fU^?r~PHQ;K{s$*B@R+72$YJ45zt`f80 zq2e8>H3GTMftc;ZWaf%W7Sx&?@L!;b8V*!BVSSa8(N8$es z2$3+uzhJF_fWqiP>*hoC*_GIbT+ytXREQ3xS?|3 zi&*NZ4=Y^8jPgILqj}ez4o`EFu{I(Bvq`RMc9yrb7)uz6cXPus9Qo-XC?!Uoy}1N0 z*6i}sj1JAZan8X0?5F9XK{Xx#YElqsAm zDQ~($-7ZjT>LS8KK?AzwCU7(x@A=rsLh`q zRpeFO1>LF*x;`>c=(-eY7BdE zzN2V{|fzziFl7#jeakz?9r#N6Vzal^I#<4^|CVtsjN-o0qIIG^r35#lH zr^`u~bB_ErgVa#eX?#mY?UD6zieAKtnw4BGmYQ)A4}y_@7nGe<_<&5&PE&(yK8ll0 zT9R!mVf|wVJa`c$<{}fc!uX6c(DeKYZK&VBXJMyqcBsL`Zi+YsC$$HyA^AvY>r}w0 z%fwwn_Iv**?3G)6*ZQ4*R(H1w6$~S$`gt6qDbCG*T2tl>y(MtB)D+-0CDd$ar?6#B zgJo*Nd2`8rmXd)1%?gf_5paeo5D%>;k93Ba$53E%it(%9pCGvQ&+2liq$U2yLmCn` z2CxOLnwSfam(go$3v=W}>~#^~vAd<|=zFc+_=~6_q2az6bXzFwIMk1eE&r|Ert#eq z7;LQ**=f}7v?-(bsyXIQlQZ#(l;)17T_pEg$xH>%6`ITZL{9Gx@UN%5N2GX~W{;VX z8Hs9)n@oDaFcl?*!ERz91Hm_q5zb@g*?y53RPhCf=WX zN6oL`GpTn_3{+LCYr`^%)`wyTK(zSjxUh{ciuB6zx35{a9Y7 
zZK(qQ)I_l_ZnshekHe}n^(|_%(?FOyF8pV*Enj--wCLHPoBpCzIpJUOI9&$-q%Bj>2dQev`Qw#JSRtID{{SYH3X4cfLHXi zaewonLgx{{U#W&&dis0OGbDrI&i|f2bVlY!7@$g19xT5qwup$5OU@Y8)G^^mX(^>) zXqBaD?>vT%ljd?BuG#D2h(EL(^5^(mbMn@-uTa-yPC4&!ngcs6%p^ZGT!w^SDGDcp zn9I5+qf7I3)MvtX`)!0f_^%-eKaQLCe$-E`OXa!sqXC@=K9OOFJx*t*&)$~q;E}4V zTtkJ^M6J%@xji3#5)Xo;6j3*tP=iBRvw_l3F*QvNE!jdMIT(R-MPZo}w7nBg;9ik_e-9|TloR{*(jf*4u8P(Miv?q zO6Z2Rk3H^t*X&*SQz>Xzgx^mB!F3O`--$FU+u7U{#HPX(2+pskIF>~=xv8WTq)Uq>l6I<~m0PvU#*?fciP z0Flg>GXvpod3`5Hk)=0`5DR9=f!yIjqD3RHbKZ;qnGZS(dG?8qCy%}H$9zy&Q*P(* zL30WRO-yqo*-B0YDcwH_ihZ>adFX+0=9{ZMk;IY~hA_a|SZCg7Q)E;HRSDdWx_39d z$uCIFGrB~TPHs?ysXq#+|FyH}9sJFX%e|m&vKw1Q@uI}Bc`}%p z!vXxlES35yj3~?p2_6p@Z(^5f47x$J(ni&Gv6;Lcl;tub_G1Ba!gZx`qk2 zMNzjD1Mg&v3}`$crjV@gwbp$`#TMBABT_^i4KC-TkWGe|3CfYV3d)q?gD4ABK+x5p|ZbPc~IUij5O_5F_B!!B)MY zdTD&%W~cxJK9^kp3J%%|GT}v^f@0aUSa%M=>_hQ3byxPxdndFcak?EVSL@U-89s%c2!^wezEu!L#=b`MJ(1b_{# z$0#PgtLp7;j(>2Z25H~_dzVMs?Hjz+Gis?nzp2oq2?9*(LorFLxZF5@H;{qZ71EKe zt29IE%~m{#060H58n*=90XTZ4JB{$z_%IN<=7c@(_lvHxDQ|(X zuAdhDrZ1&4p02a?4{_^+YR7dxTWqo9$1~?5Vp>(>5aa2orLN%?V;FKy{qh!?egBg$oXB6QxeW&5jQ}}F_`&vKCD{v#8L8}BQZFsXRcWFr5KYX~NIl%? 
zBcGq7TtJ7|JRluot)Q3Rs0e_<9}-)1a#-}U&=CwoBucih8^qI+w3RbK4yZdne|@mk z=ieshZ%`1)tHq^A2T{EAG{2EmfXyloNhKB}gB2~4#3P5C_*YK^)&bdH!`9R`F*S|g z{gZSkZjxL5BilT&y#6V!p1)%5!pLh(Do9}s32E{(T%6i3ZN@uTe84g!jkUYwKF*gv(8Ph zVb0`RbodtT0}<^T4=wT=pm(3+9ckqNGA|N-2D=j#{TTe$JL&e2UCWSl)z0md&7o$E$VlE(Vjo5o)W++cN&{jGjDb4&8JwFe~Smi;ZPm9LSsNVK&X zuDJ=Q(lybAl5o3;pezGm>j?EAz#CbfR&%d>0UC#I4C-}*Mz(48ov;<-;pqCzxk{pn*wDk}b&Yvy9 zy84nw7Uf!1J%iE=I=s|`x6$(la{3EGna;s?2;{};!S7P2tTax<&(2BK!6;5j<`mB($BZNj zV``a;>Z7in<)tHvVbZqws4iJVnoAb;7dZ!c?p+Q{Kzc<(&z_Y^a9Fp~U-hUIWWeTcSQIlcHT{b7X zTe>kdszWfulakd~Oe_|gL)(do7ullI{ zWw%Gx4C7wIcQxS=rCx9}>-y0U&8(CgS575=(yLurixv^5?a0yzjkK|hjIlahCg=tM zsu1hBdx7L%e>d@F5D5c?xM;*t8<7y!nSzr^Qq9`-K;X)p2>^tMzKrdodHMrR5_ zi`|D?pCWJd2))M{-&Ae`q|X$B`Z+tSI3g&FEM^5jtA(!QO*^;+QGAqETO?0DY!|fC}d2c||;w0Bp@g>ID-Nlr$}( zk^w?#_J#dxyTSEYX3KjVEsmYrfvA2}$Iw$Bb;x^pLe?)rjG6-$3!#KNvFmiQ+9{m3 zrZ+O$s^S8lW30d)TMiBYc?aaqzV1%O)z)!rERUP#;irz?6mAY;&fuxc=F!ilh0KEB z^TXA&2@jfQ%vY!Cz&2qOl5=rTTsT8dNS410Jx+a#iR2@Sud)vb_~vV68=#=KAiG$I zoncLTw@jIl)p~Wg3D8_Hf)j=;mKp6u!wCJpj3b`vKIIZv#n_$SQH7RhS!pCpOG>wa z{?}fQIsC3WWi4g$*XDgoT}Er^xgd@r#kIP%YVS8E^%{)+`G2kS1|&CIZL8e=xkNZK zRR*wS7Xon4|7~ThnKA1)@@v8Xv+np=aQKelx$?2JVz*+|3x!Jk&j}#fd1S_3{ezZS+IiLgamvwY?~mP ziU=9m9@*Tel&KhqC)rN(ZlwYtG&({*USo#z-r5hUe1CmK#2iX#5rH~d=|*0A$!v9M z>JK6cH8lva)L$y97;aN0L5)r_(8y)SLRvEB+61;+4QbF0me-BED}EGp{acQ;}HNScQXizkM3h*sFXg9d{#>kUlAfbn znN|HLl&{V@Gf;ntVlbgQWP{2!2Ve#FAD_SKSK)U*rKs%Gt0@cc<{M%`{y0H(C(Zf& z0cgD?g`sFnKQ@>dvZqV z0$M3Mt%H!<&8vTFxZ@ae{`X>pVWV>_%+J4?q(K~C0PS#))JQ`?U7HBedD~U=wZDq2k$t{?;0wHeFRh0SHQPvA-~z9)pcxzU_?>lyOrqNk`_TCX{wFQ*$polk z*`|#9A(ko`o<%YH!fq${qsa=xj4NHpp;7!Q!;Eg7fh&B67!Tq?lZ@_*s-LQ=&U!#v zZ#PHKo2Z+U|FAzMKS>3=gp2TB5~jGe zMw+l~6e9sqEXc|yr~-Av+92;R*=Ok($r1UWvT__-4k26=$XOQwCs#CNBmn3&h2BT_ z6E!fo?w2eT(SZi+sv;`bNeWV{3>8138sgpTV|IA6Q=~!+Djz)Ox0n)%ZEhn|iSFwUDO7<|`%Tf%%9+rKd%VWxbh+1ywl_^~ z{y}c-3!hV&?&ZVe*ff+k1Yzkf%=Bl{hpFaEe=#1%k+2&&(9ea_($XBLuNV{bPm=qI zZ%Eo_Qb6Nz89%XK&OXL@Qz)b6RIo_}Q^d2PE}ID-luk&2=3j-ZC}E^JrYLtM>t$!*T0?R6O^X3kP}D>* 
z#t*-Tp&;9qq_poA7W9Azm+3uL%~h#;GrP}UXyOaKCyH&rcfTCJ;i?MnY(rzegQz$jJZ9aj@Lzx9A?WU*4kr zEn>>kEop#4KNHo7nG?NQg{FS1%Wx4lm_Sa>UQSfNfm#|=+DhQ1g-<$?0}b5Detjx- zHVT@I!p>(=b*oLSR|3T+GXu~vW2>5HA!b<#cBHvbh`Bhhqs@ZA0741jwhA_f1-Z>f z$f#86@i=rPmz;fk0}hO1M}~VTr$?N8HRsl^tDq&nL3&I6J@I_O%;Sj*)plUr@)Yf= z%CNndI$}gKErU)>9{0ObaD&t7(|3QL+D|l12y)P<$VoFfAp`CWb7MVo{{_i;5xn}TIW?t##@bz-GE)aL zk^AYLB7Rim$2En)LeZHAfGVwbm`{Y2;FzRQ1cTZ&8L`S_WY}BOJobd2V0Y~LX~E4` z(ukCY{I=>t)E9dG0$*w7v%n|1U5QO1PCOm?chBa)+A^!S9l6Zic_R2 z35Jo~`m+GD(e{F|Pguc5LCB2(&&zy*((tB<9e~Zqi#8*!5Lw$LVe#g|1#%#TKCK(h z3Zg0F%O%Lgj|Pg?k^s%*^ZIsU0=il9uXq7SVodR^m)*ikfB40kKS2-;1}D{%msHIb z;&5n{8q)z6K#vlei&(}!dL|ckv2Jc6dx4hvT^Xym`%lWnBY$wUeWS6Hy{nuSXpO4S zYHjmqUd!tK4{l+&?WgN==@+cO;ja4%o%8PxO)jiAa#{;-n>7lL&i05yw}ZtBKmDd{ zbC5fM`=3$cna`8{5)<{}hs%tlBSP!`9tqcgvc|SRgJ`TyMmF;&W|-VPdNO;om@0`X zvM{r>gtXA);5G`IlNV?dq4kbgu?;B6jvlS+_1I9dSN=HNs?v)C1xjMF`QL9a5Yk)_ zQlc8-e^t-idbh*W0v7(|;_vm;8ryX0wJHWOIu3&A-(4Mz@B#d24jASxDkxDs)v;WB zc13QaaS5*1)!ykn#C!y=5BdDNMd}pNo}#5Gi&-YVAOuBMg4!OhKAGNK_~i&_SO)oL ziY9<{d{$(uwPFZ4Ofw<%glsd!NG(Cw*pI0CkkT#h$PbccG$#xS%*KqsP*Jl}ZBiYq zcIFjJ7R*2Yc`4{#_YYYO!M4_xbqaJe82X94tVpHSeaMW;Xcf3h>)(7Er}?`=WxZas z6~6g~ufH$6CTsg~J>OE<@fq_jYwUlvcAJJPjY}(>$xg@7+K6tg}?V{8$MF z#u#1f@dooiex4e6=q%dIJxgU#fT++(GN-+;GKH)7AF_O-g<-YjwTf^!G*|6u!JNWI zXE|(O1flX1+toTN_O29x91QP=M8|#4zKqClK}U`zlH87(@LO<2X2kt^DXdcO`P#fO z!OtafzqI>6WdIkKAT!KNatN=|)@1Sn;JJ%te^v7TP9=6gO?x*bs7HR;a9@AUD#=VotyK4a#-+**AM`U&wueWp3HQ za4K9BNt(=v69q{P?r#ugj(vVV+r(&>Lcaa-=xn z@Tc(%6KrncyOqYJR zuYnawi=ajASGuXqMxbNmN2>khV#*H(DxOOO+))kA2ZvkDJDGLaW5@Bi(ZPA_;nT&o zy%x$&c(emDH+&|zH=0;{1O7ZzsJ2!D27oJK$V6MGYdD-2wl;xIac?!8Igh<|OpSWKC(&M%&= z?7RNd)qF7K9K{cpexTfL7KCbq*r^XML(=qtoGT;)q%b-1lXoUn zZ-XEA9zg?quS^~Cul#6GbF_+LqnKg6Dx zzPOxt4CL>G83j^+fFY3nP$eaM0-Jft;iYd|LvjWd;ZF+?S|Ej_G$wCVCLeDy06;#C zo0Psa5m8kY_=+z@yQ1G63f2+2*EY6qw`#|H#6$ZlG3(tyfEO zPB&S$v)%pRm&mQ&2G-IBDwf=>L+K&mJ)B3vDYWvrKF+IaI^3BTINjB6Id7Il z=um*@yTgT&IdBoa$~vj zlfj#-G6D_cR&A)O6LLPQZ-+ge?3gxSoOn{GP?`oG65 
z@91=b69(9EY?_t1A7i-#A5swn8F|6gN;PA-m5P{MhyG?x@$#SGkGMZ&w<2h2BoR|q zK@Eo`HABY?G4s?+uYN+?{fh-naYUT~>M3kyal!m0`^PqKMPGHYqNkPXhf=*&$3H*% zpj2@a(QUKXZxs#Y$*{qeHqEVa-8n0JonFYV&VwqX(mUi&O~#(foU!z>3*=`jV(Z?R zntES(J)6d=%M}*#;6c|2Ora);dTifyG1!??Ou||Ku!c<_08>O_ABt?gaL+Yjv1Cq@ zcfd<8VKF!tMPk{QSuB;9+|J;mJgn6JZ1?wHsh_gMk~TRCBt;ZWMqr^Z&?j-d$*R-m z#pE>33{cUJ9f3L&Jjjh@4aaRg6JzBZq!9eg{V8i$`R3=Mcm*z{xJ(2Z)s$zLkWR1) z<%(Y`#Cia1Q$d~~fYfb3=Swm)^wlc=3RKwC1DnUL$7ew%VHy2n!vB#=ahK$Zum}Eu zls&cMs@9NtQBPxsrn|UOyeJNHB3KV@{l(w(m>dDDg5QgyZbT!$7Qxe&pBk-4$|CvW ze8qrEm6yMAqa zK;~=AFyf;WHV0y)CJv?%L0L;rtQ>kqe~Tg1FT~Uw8#X*UM?euXcCC3M ztVVv!?LAiLrE0RvG}v12+Lz0NAfW?F9R7|%;s)feIIX_={Gp|}@o-!=^0hE9Pf5g{ zuLT+$xOOPJ2B$KH85FNOHMLbjG7}B>q-9!JDBl-W#(0GxloMR4FQhJL-cO#dqHk(j z-a?0rkG{pRncWpL_sYYE*u&n4N-bigh%MactroJHlzH;yJ*$SIP5gZ?S|=42y#D7- zBzkmVi8iryU<;Fs6Tuctk28S6b^ZwBE|`LZ`8Z1yaQY!AH#J%&ByzblDU1n8u|<^u z${}nv#vmoT(?VwVES7e}>Bam5gyrY>+c1%BenmAhVx?K8Nu=9of95@wOYp*_(sIi931NtiYt0EEK< zMlA5{rj3I`;(hg*eAld8lq@>;n6Q@JXIPR%BuOJtB6zV1-0i?l11##}?*-Z(GU!M5 z`b|h#KjYcxR65_>gLX5?wTQp%r(K8LY9(?iUX+7`j251mJZkCFT71}J(jd9`*#~bq zhSw=wIqhzpHL3(;Gi5k}JphX=Wao&k=3_iD3{JLOjS1X3bTV$)Q+B81U+X&wx5J2H z?6RkAf{mYH@?~OxIDyL{AFoqSLPq4L+oIdmprFS1q!u$Av&ne$b03n#7^yFcP-D@` zuJXHAi^1Q1rNc68KV#LF!C=_4y|dR%32bHD=D+NT(yr@-TqChzw;R#?!q4hhL|b&P zO5t+{i;x*8U*bfiB8MA3XQLNerV*7?N}2%P!mNi5K1s(&zy@~}G_~I;$y_6aGzlt& zn4oc5I$8XE0Fz&7G>$s7-`-k*9Ev&UIU%MHPUQ=pu@rt?EhV zBOxrPNwlJNec!Bsu^?v-3Vs4eoq5XqF4d7-@nEWbUR$vxXOr(tglZ&U8*WE-kw_F0 zitP@6UCbl4Gx^1Ve-SU?jcxFK}k`ZG@ct5Xl|>#v+#aOV-f zgB}KKMl#C!UR4QG8v~qy9yJbU4U$-K})MV0j4Pm*#hO8 zhG(x@Y{T)O|JNg5`s4eRfw-`EP-BUebYlkIN!|BqbJ0}kSKF5w&72O`XHixrgKD9ry{je4q%BPu%PVg?9mDCez(n zVb3SM0OkeIrR1VAZZy>NL&Vge{M0v}tLBICLRpz4%C9Wxf5rXMhQAGOwGO=2tI-Y+ zIH9IL+cX1k$}aD?tCL9InXlWYe`bdL)a?6sL&EHHW-d}N)tN3&@MaGGm(LIEtFnZj ze8n7Y#n?T7MbFt4aSgJcqE<#OUJ0KPQQWh_5Iv=ZLz_%u+86kR9z2zSnpvL^A|y(i zmTHEw!BIF50TIdyB2<3mf#DJxP)_tV?}p*xzAmbY;ydl130K%@s4_6&OBH(d4TUc~ zw^RT{fwDk&r39}|;V5U5bWAPE5)_55B`SrMT5=;Hr^cB9CW6+5I@@2H-+1^q#tv2} 
za3-?(I2NVUa2_9AU}<@3ezB0qkWoXluM@P1i&IwvnV@C{hvNEMSRe#0cC7&jJnJ5O z7xG}vYN{4%P2wClZwCQ|*ydRfURqPh{B&Q{2()pl#0p?PU@SlcfTxOc3OrR#;HlzR zIMlp+add5H@z6P8{Mq`QZ&mpIV>eKm{}SIt2P65HRprSw?aie3Tr2tE<+b(Q>(e7+ zUN=_GOIX70cv!g4+`HMpnD1%Lx^I^bO$sJBPLA2L$NsW6lyvWwD}l=E$k0QO<)E$8 z^BE=PSncv~4OU#ysAhs}I3vHn(078j37Q?`by)lL$mt>y#06ME z;^CX4MyjZGie0RE8jL7LS*EETRmoH2@{{rKn7ng zk^U9#r~Z`|e*9q6*`fS=cc|8lVtHKQ=oIf#G3i(BIW*KGxor5!yscSt+{_;-zo4KX zQ}O#&^hk+p@O>@cwcEgyY=Qr#RV)MrEr?`LaK}0!%D`y{J^SGvX4#^fXrz6TRvjTj zCNZcERy$FokF+Ua^oy}W%4~<{SmhGoUN~?bxlt-(CTEZ? z7%o=xmQ@hzzfJ`$DJ|un#iepW2Xu&%O61g5QA~_M-M6nD{k?l~<072k_W_e}2Dghu z$S)$BSRbn6;50C_kMp!BV&y#s`Ci6!H-v7!@kkTjzHlU<%emV~mEv8{Ob2Vixj}}& z22i>qPhOg{9Ifg0WR%ikW2tF+_uom4vNFm)*(4{q9ax}|l`KiX2C*YRfU6YF4TJe_ zl?i1eV7FuFE~^4|zX1$iua~C<%CNFOK_DK8<>_6w`B8g!6)-(kZxtZ-7sTI2x-LgT z9rLf|1`fjZ@FKOLZ*X2s|u-$P2(YmWD@rJ%=<~ z-R+~GX42kUqpI;R-t(fkzvc4*PBgrsMo@LU2dv2RI%S?`ahkD`Ew(_9iqx^+Sh=2x z!b%;>FX0cb-Ibq;>B;B97;Y1o#p!1bDG}{2?Va7H+9!+%{*%aS^9C%&k1*kwEd<`l zx&V57+bWu`suC@XpXhI|_l&&{e(5P#;VWOLSInFy&9y!3?|&O4h!#zfcAl0#y^RSy z87-UZz5d8inR=J>z+JY!w-90B#t{`>l;{OVC~Xm&OSIUDD=`dzV2~bs(hX!5G^1;B>-c@&wSV*78}Ww z)&9}k{zPgSDcvR-DoZViX#&y+*>Pbu@Wy~iKfFo=h_-go7S0Q7{dIy-VsDegPqN=x z3h=$Ha{-kGA6xfk?`)N1;P|oBf?V$dr)akQO;Q{EdTFIdn>SA@Pw;Ci4=z+9Y{--U zkysqoRZx=RvRK78uKDz;HoB`a5K0(CQyNj4=8yNLBEXCnA)0SG2*EBfRRtg&p}ZZ0 zG*R#5Ix0aR>@@_@22f@MnerQxF;ILn0B{i#+!*uny3E3-ia)|;wY_;FwEN@6D8b(x z39m$h<~mLX(4pxMOApANfRX{eHpG4)2g#j_!&%~T7{%}!x-VpagBi4cd6pD3XlW$FU=*M9rBe9zkwAMcrYhRg2+HXP zS%PO1Ye$Gc)F>UX6@`6kD_s+pq;$;!RNJa5Vd*2x1>qIfCn}@(r(x7aOmix&A@O3A z)J#Ec#ttv~+;O!VzV8fvew>EOe)zxk@eB4aqOWI?2H(&k^tKr=n&t3)P_I=!Z5F66 z{OUBzB3kGkz=O%m|8e|GaQO8U6tB@L!0_I9Br~vhPW=@vQ{R7t?>ZAwiiC7_eXLiF<~Xu{mOb?s!<2U|j2fu!bCx19~e%=fpfR$joY*3MxJxuqTTGVWw6oP2TjvkyXz+)_UpGIgxq~&Nt1^G|v z&cYBjEwx|IZFe1~xPm-45r3$tg|XZ?SOBOC2q6$OJX-V%;n)Rf8PzKE*AN7xs;Iai z8#;b~HyBPHP_r)Yo)?-g)Ico!Q2;)_&dp|$FGsdk#Z-=@J#A|?|KsfiQwpRhUTm8= zN6(H;!cik{^y4uVfMZ}8(fFasN~1ySRVKKvDX3Go94 
z9uik^rT{k!z}|D3v!u8sGbt>9$bwqpDQ&zlTs$5Xz~%`cZ!YzzauL;(-I8Gge-4_I zS66v35-+EwxKvf4#SvHTz~B1*^WIq^*HnFElS?z^ZGzp3+;CP~8}(@=aTEGXS-zX^ zbb-Z4&uY%W+b-%z}VRYo1Y$|J63`zzA*zM|MQZA zpcW;}rTq(Q%?6_G>FyU?kCeV3AKS;}pRS)Uu6xPRL-G8+219Kx_5K#if77a<+_ba7 z#DOi)8L^&nk-(VFV~6Hp+XPe8vwtp7aYF1MKv@|=OLnk1qNsGDAYsZH+!zfBZ7yIa zzcCCkVEMh_n6?4(>3y*>KJMSYsw|a6}@ea3;hXIII=XemDhRgVnMD}i&jkx3-%nF?3aI8GM%+ek#9v>S8~Yz%uMw&~>AH$!!R}xD>^MaJ8q8#B(dg*i ztReCjR-HqFSN6NEnAPJ0uQZkZ8s=-k=;Qf*I61A?SdhUk#0C)=)u$9@-j)y8U2$3D zYX+IL*Vu`^1d>%=&cNh*dETH|S#yJQwI*Dpk=9~UV{F$K+ptsSmIdbi!6-69*9sv6 zj>EP8p7BO#%h0?5@EfQ}!_45Mp)qibv`-3L=6NLiB!|KXwMi{&u@^%K4T{)^)j;(s z7o)-o_|(y}sB%1@q@h#!G^DldOFXhDDc+T-$t1Np7zA{^&jScM{b3 zR<3*RKG;(|45Zz>&X_4C0;1ia@J@lr3uko^-BB-ItflxtvAyIv8#QbYov{|$C}dOF zt})s^>YQMEe&Z>F{xj$JLC#kE$kWCsfr(IdA?a50yqI2gw`v_JGxF%{{FveN*Lh`L zRkf6f0F?(zx;{PBV$Qq+P<1`=+B6m4f9I>4kNv1=<-%(f)xdkDY1`6@_@GoEEg(RT zZ-U@zh=(yHA%rOMUbd?2_N?Eqa%Jg9@y8F){(NNm-2#37cTp#E7vFcYZERVM zR@cr8HMmN@AHJZveF{Q@j^$NoTyBY1^YI_ak-XmLJ)53cpYj;%QqtBvuKyNQ=)H!X z8q>G5YRWeZ^M>ua%yzXok0zposH!yuU@0|9QJx>2o zxC-3q_&-H-v6KI=i0<8>YCEWYfL)IPG>c`o_~7y<)$*w88e|fR2z`@-zNgBE%Tg#Y zB`XBQ3^)oE?nK?hXJObd^aFh#gD|BReTpCBL>C}F@HETh+*Gg@>bLd^4Mrh^O1T)Yq$SM+-hDqn@0W)A3T=W5MqFu8AWLG=$G@03TuNRGKF}+2 zQD5-UKhZNmQocF-=6@e0Kz zyR`ZTN!#p6!9{ZB4b-hV%05Hu@ZkXbQD1S<7UVgZ-&eU`;P7UA_`?NkVLfszJu84X-69WlR#4gdIVm z`Xs9o6o1G>UYe` zkLdL-^ukIMRdpM6m5t&xB4hKyT6f(FVJ2ralm+?-?znGBB>XXm9BzAZ){E^>omOzd zTX#^`{v|wIIJUP`-XeHLUC%2%p#+>Qm7**QxNTgmo8^tXvj$NXZr_x)6X+Gb3MGww{BHa06MLzq`~G4Tl(>S7;%)GkWy~3j)Naz;o~5q2af!= zmn|1&O0$Qr6nyEriew_tEoAZ`hlcKO1t;N9l}i=mQ`kGzqQcfhmRBfc{108<6dY-| ztsUF8Cbn(cwrwX9+Y{T##I|kQwly*T-e=c;aW2kHS6A0p^{rld*Sqkn-<{IwlvSn> zFt7kSBb#&5r4EGlBajb?kdF~DiY@aOkwCGe_B&WkS%7TL(Q!Ih*-Ys(e5`!aGNZ^x z!quenhe;$ZB9%8C)ZPo!Yu;_XS7Xi(8_{@^(q+$32j&!&nz0}Or1;Cmcx{tqbRGO& zwydvY>Q^H@dJj;6d9q%EX@_bTB4e*t@u%Js30*vNMr!girk0;LC|O7emu8+*a#X{0 zCPj-YLc#tQ=(q4dO+7gQbw*$~z$BM7UGdUJjDzI2im#gsM6a-l{ku8UNbW|Sp?jkxuZ%49}IoV&q4j_uCW`;UZZgOO;6S#VC+@_0+u#A7jkO4465K|@$&XIXa 
zKjep6yX)3s?=EzevE16C*YzHMK=W46J^U`2Ppk z)unAao~vTWfzl1{tAVAwzHlJ+eQ8107yvN5w>JKZ;XN%^ZeynL9}I7I{*!Q~Fy^g; z-b}fo(!=INFE~j6WKrSrXL<+umxpAjp8zwb_-T0QeEB#!IAvfmra(Oe)60~WC`>TO zQq3KCK5YgtrHI+AnkRtC0}9~D>pR|P@7VZ)LXv0Q0l^^L4M+Bk6)v?xI-&N^5LX|$ zNCCB!e#LBSplo!lAjt@@Qhz%M3z+@hp!`7fZUb<1z^nM~pp!Lf<%cKPTK)QBje?a9 zdjsWsOMgu#dP%YXW=Ah3H7+mC6~u==k;dudCwzTp-MMYx)5t|M=d7d~NJ5ra%Ppb) z%EObf=95`zDp5#XkE)s0F3QLrX)%L(g#nJSi8apW#)oOs@zv)S0#vVoA){LGoe#RV z>qDe}_|9X~NTv`;yL8|B;<25>Jx;q*G! zIB%Mxr8;J_)PYtaOiFMA+#EYtR%^?G4q>ycs|1Q@{Pt8zr@Ysd026%6g*XGXziLaB zDaL~GK>h##3##6{?kE9M7mTJ9vs)H7gln>|*sFcqk&>z+V-yuGi54-5tS}R_l~w}^ zU+(ybEtqw48i!Y&CN0M$mZj>z@IlF?}*s@cZueW)xrjeiWG7It5h0yM@18X zS1LD(3fMLVkKVtZF2KYG2s;m(&YhT3i#{s%JJm+AZuUN4+HY!KKaDRf(@sYd8D|FN zHsO5AV8qKGfQ$InUi{J|L9952n|OWC@4-M2MN_Tmnw=VZYfrx~F_1EA*GAN{nuD6J zeeSDzNp}#nvnf%Kx1%KHkz(quCL?KQJgzO!I`XpYanAx4{^26kZu{z5Ct!(!+qeQ4 zb;;g3tV=uat}tQRKmlBHCVNNaF5?j$3owimct>&4#SY>}yd zmkbvkdeXTU9>soi^Myr4#Yyh#VQ^cvELcnE1acF(g%(bOb8fu6#uQ_7)EQZm@PZ$% zv!GV$bborM=4_=FF(MrD!bv*P{Q_^EoVZ?HTeRmNqMY*(I+Ro$a6o?RGB-Y(qK$#w zyZj}GQ_{DqmcT8=DMg(-iXFQ^?V+&?zNnK98FXg|nxJQ7G z!64gSYJ7Nxmm!^^w#_VWi z`9Wa;F`dmH0?Wujf>NoSw%w290UXuu94?<&ug^d;Bg4DGLx>WVunIT%8bgSh2Ibg%TU0YUErdWO4&IyY#Zh}5n@G?}aarYLTl#eRgw{j1>4Z;d(@ zM4yWPHu>9}BO(hzR5olxZ1$&;NNJA9F+7J9%Z*7*H^v_sp|NK}V|;AI#d1to?8Pds zyKK*}K9tym7c*4vdta;ACn>)DD7Q+TsT`aUs~&;DW``3zMCPSgER~xSc8ElVw`gqs z=<5PWeD2pkZ=@ky`kK22RAVw!hG~#dIFXn(>6a20sL>w1rL3wYT4emuVr&%>e}juh zrsfeG=yj{KpWi;m=mQP=ylR* zHx?0U%TG@kenl`$B<%71cu;R1x@H?LmAiV&wI5P=N8=rN*Pj?59fz#DhrK(kccOH> ziYB}I)^vb+q{_)Ub)8e-M|?a)6{wZQsQ3f7%8AV=*bE;`A=jCD*`rAWMdV7H9|G>3 zgls8aGG3G)5?W?26;`uqm&6W2nHLBoY*xBK%D(e-sxyRE+91(hq72sM34)CNRrb;o zJg{W&E*J+b%QQ%s+NZqs>_|o`qR|1C9{}wz+DW=*kRmguy9ID6 z5U4W_re}8zocH1BXkWC4Sau!+vdxI!H(9{l5!%*%$bV;$VcG_mrrt;8pSyJ^!tDke zec|@lF@7s2e48dLdU9EFVuD63bi)zEdzq3J2&0+;O#!7}z*oJQ;C`_1=lt#F`AEsH zoChySioDkt+ZAWgq#n8PJBruTrKb>xGU6FHowzV{UT7Qf!j9w_*>+;`6#^C%}2#9=p znCZgkOEo_0mCgr+k{aYCQ3J_NYmzDmKtl1c|7h+ve1l`eqUKrlo4>KA|Hug=?R4sW 
z7rT4=BQxa8RR1Sy-_S_g`Ye9!5j^l;Af5|r$KY>Hu_`iujwQsee*)rOub93(;hJl2 z(|30cQw|3I9QFC{`+JVCOG;_X)Z?3PcSpof#FQeipr82_brJN+p_=}ZP=)^T?pFa> zJ_gOm*_57oj+dnLM- zlgRy*c5oWHmAm56p%=G~ET>qEP@@dttS&=50d!G46=Puo|DHR+xqcot!ar?0|*b7XZ-^t%$Dsc0LLT}@TyeSp-k0F1a7?Eptc}4NO}*mWPSKQq{Sx>w=`l_xp?~ zZN8d!Jk77QSB&?38~#@(EU_4Hu-n~zX1UB~hNAU~wr$zYf55;Xwr zpl%uEKt;WefxK5P;Mi+U)`AgKCXmO*&(dMj?VoeUME0P1u4$WnDNC2^QC_qf{P!+J zu7*^&8TRZQ-PBeAUP8yuec^eNnUVDJV_>yKz?L}Y0_crLB+`Gz0ny1 zRD+WA9si@M5e{ig-Iqup-^%9sf> zC}KkXNqWtbuop~GG_H;85kC7BWHs7GA>@=*X`NwH+x|Y#M_+D~2MJ7QR4!OF#0{S~ z_~f}?dfX`0&F`P^=jQ$9GOuoq!Y6I#0SHE76OAyJ0cf0)S1F|(MW6RP855Ww8Spbu zB8a~rG$7lS0iV1sNU+yJg=?TO)wc?8j&?A(vvw*fOzt%rgjF!$YXt+HC00?B7*kNP zvX`LQ?X|rScfdKAgh4i99A2(9h;i+B5N!D58dJgJZ$q=CQTWfLzCL(C)j|eacUG!k zlt)q%oMdJRpr__28>ibR~(i zrpERG%Pa0>W=URR0!1Qx>1Cj*OPhYJ9zm8m@yAfN&K&Gq#NB=3yweZWhm9#X(Y-(Bqwe1;J|) z6q>BqlH*ri`~RbC)`e@H1gK&L{dR@+W2vPNpeg+7^T4$~dP~2T35uY1ML=)1!OH>- z330`N1>XZEenNM8jkhZY<^}RbNbeQ6BI)T92rq7dqpauy0(CLscl-RTZmR#t7S#UU zSE}9g`}>>6GA-Z1mE+|)6IIgix`V(3_XTYVvqs4;I4}I|ArcV+@qR5rdLRFCcjx6klrwyA|^mV`;^*}H~Z!_9C10xTMQ1s*JRBe7FLc|x^7alE)gmb zB}SW`&9R6Bh?}-W&Q}yG|6UNXS}y{rURBhX)S;;f+C5t}+UaaIUo^I)S@c&q!JuM& zKYdg?5eQFF_XCL5{Z*$k}$+}cOpI|mEK*t)s?R?g^ z_vdrV^L+`qW_wRbp;C9s+;$%zS=j=~i%Z7c-3x$NA+CLz;fI3xg3^D6m=?R?5gTS!4y@MD!p;EfiTG5SU?!>IRq;!>JH^7$%YBOvyNE_F z8HB)Q{+m-@eg{9~TBOlzNGX5v$Qi9I)eB#Y3laPT^`~~9a_(uIQX?k^s>z+i3R|o= zDk(xxqY1e6#vP3vsVW;7OvJ2|8^)IRPf@z;@QJq<11~=M_s{-01A>CY>c+WIiAno} zmnMDQ>!hlyIPvd{5Hk)a(Zwvr*^#wRxC_<_M?}P26-20;Gl@>3zFADnp}bANy3QM{;=A)BNItB zT^XG8Zan)oqo%yKJ*RN8-RbXZLr!$Fa=cROS113Yak$?zZJG~}1jEKvuG8xUw73)AVVP`CD(r|2A9{mnOH@)4$z`_wuV0Koe0ooDfpqk85y5YL~sO~ltC-j z9c{2vI9Wc0*Kajbk64jOD}c>OCxTP~YsDtOY8OdnNKV90Q`os{vjb-UQh1ks)EdIC zVia2gslhM&Mw*J97h$X|TXNX*awpX+@h@450PkZd?$<_VWq!w=T2m|)G0~zttM~Fi zh_?Qt-<>Agp|Jq^jPj5S&hbM zEhOOyLboraEx|;U6@;9>ghK>l-`TY9e+>6Z2rw^try1^AJ^7+em+r4`d>G?gPmOuL ze@mO2`jDGD+{%5T{ftS}Nw^3k@9Ia|1Xb9Nd%+|xdzJCl&2aj9yMDg#XsmNy3bspB z$II|*T%VWQg+;ird_L6)k~YK&x5lPzhk`-`R#P4 
zW_%5IOkn;I)HwV7Fd;6Sp}s7x@Ncdg%}46HE=%d>8ZA?rgl>Zc{OS-?+(WEBgno>p zu*wuIp3suY9}t+n&^|IccE@G!tIq~@6g4aDfbSYES+$eBoH_UYZGa9-{UI>L2ZHs< ze_!Q?wwQUle0=?}+JW%=>{|yRws3_VwQo=9j~gl*Z)we`R+_8_d`qR{Pjq@Yy#-kn zXl?9fJkJ&oc4VE7+xS6MCZ=og=`MiSe1@7Q>B$m+7Cua39XcC}tXNjK-%9Kl4l|M) z&y0>NH9?nuW}~ zc}j5W#Ieh6J#So>@)3=&nX1mp!=Gfiss+1?B$X2tt0<&I7i9YL z0J0Zp@6u!xc?_pX0+2hNlTX1a9tFp$D;7vf^1`NfaB^7 zZ;>5xei)F7PY{oI3G`dD#AuZR3>ebS^XD@MBFGu4Ku)-M1pbk}WSHo*fH3}qvSZ=e z`(G~MO^CX7C#~_eD)S;yS|pu(;7=O5x+zJV6nIx2nurPkw&}`k49i1^N$fTuz%38_ z07$SFT)rg41wc!nJ$u`1uYcp(o}t9z8OWju_{#FkZdTHrecqN>l@NnK3%1CXp1vYz zysAv;-YP-_x@rIqIWRDI7ZR={W>si~4SF>M)m4~cfQW?wErc_n^i%4LeBpQQfQ9fOW9P-LF&ydV|RP;r(+X%x;Wg!YLyHd>>sSnoA8WBzC zx#zgySp7Q5VWNlmvz0FR81Vi{urYMY_PO=MNSMBF5Xg6_a?{wRsZ=8#>Yn zw=UTZ@+G;f-y<=h3@g50W+!~-rz5iCw>Tjv_@uiU$QIA@!UqH_Zk!Q}hXa*$8noC+ zf006ea=FGRJqj&?O~M=5?zUPmIF=+J3$)&g9;)LryWi(O9Og`PFk{JGRi6!M^BDQF z>L^ZG!8EI>m3$%0Pqy#^r99k~d@r7$DwV4)b%?-7jk~NlEyz~bfSQB+O{;Ga66FmF zw+fQ&%=Bl%-!_KtX1AT@=dN7O{s-=+MR9BOoY{g=_uAZaul60CrWFVfL-A?SVO<5U zSzdH-TwgHxHX2p>YuHhAVzGo6l@rX{L`&w@4-ZO04)GYHl7ASo3I_{@$^^}Tk zlrbv^9m7g?`W!rYts0*d78}V{GEYO#7Rss!tL$}~@j{DuA;gPc^k7uliW;$jDgkZ) zY|4*XpW;!`9XEY?4!2R5itPo_N2`BYIUF2n?5}m#hudTjHa#{8=i0K2f$Cbkf%yoZ z9fK!&!qu5!GO9X7()re`;f)X=2WMc1j(+=EE;;Bw)xu|)m1ZGcK<94vTsB(YUHk*M z0ZeY_+DJ-5f|f}mkz2U&=4?~ANLN@H5#v%R`n1kHa3?~Qy5KgFcljr+BzJZY(y%xK7FocS5kpL<;Q{m{6ZwXG7+ zwhC;Zn%TIFEb{2Yu9J{P2v?RGbP>1&CjG>SFb=Debs<|tRW?wx(23l?S!+c6+e2J~ zird-ikZ37{O)j<2XPQV2mk{1Yjwinoh2&$-siQiay%x^rN~|H8&Kph4#c}Bmq&sHf z*&j>?IH_PU66+!>qfVtzqZX>G*;UIjfzbiwfdzG2q`Ve+GANhs`cf@+YU?F6V2f(` zX7Vk??Ym*N|z#B=&b}?m|R84R^7=cdXA*2XZW^ zcla&c?fq()`HbutH}3DE%)p=5tMrT%CuIz1GABALDJ@y4oHVKeWK=SAGs;2W)}9Tl zXlsZOkQ6={gL)yKckX85{L5H|piTcT)`nqXoak{Kf)(96eui_#@om6w#fb-u6HK8w z!m}YTIr()g`6vMDN7XWyxEQ2{lAxlfX@uJ;C6%JO;#>&S+E1ev#EDf|6rswlv|ys) z4^%X7kJ1OYr4qUjFmCf+Wc6CJZiE6~pYrFP-iv>&pveLQ(!Yf>eP}-JQ@UyOV~ush zUI{LV;(fzff3sO>rLd-z`$;_Z9n2^$E3wDDRiA0ah9T~$DmE{V^L?dH?NQD32F>Kas4>b^Y#zt?`B8GIoV7kiu~$K|^j7k)O1uu8#VxQyh> 
z5Rp0zBqtM3N)m`HCPXaoK3^TUqqJuxh>DwynvOH|(}d?M^md^Zu49kdkidkY%n3G_ z)n)^wXF|YXoSc;)wd4y^aCTs4OanCVl6tl3@a+kYfslv?E`xt%5Bn%-@dN?9JXLe>dJMTeptS~$RKD3K2jEyJ zpU8be$_(=ZzCH-y(g(u&DXN8wjUM{XA6=(PsOVPXe+PlE<+)}HgMykyzp z%A8@DX5H*e zbT4iLA!Tx$Dux&8{caA?lZY4%oy?loxx>;dSkY}A@7EYApU|cdZSfq>!(#v1%CqXI zq%fSYKh#M`R4=H?FJm~s<&(V zR=qTbeGA=xL;VC3>id4b9v_~*)H3;I#ZM1}$~!hS!aQ{!loiDmGFBaYUc(zhtl^Sr zA**L&6dQq4lv{>01#ptqmle{|U67RXn#XULGxEuVO?pooYMWn$Kr6ANXX6ZtAv!^P znNM!YkL)qyNF3fks~xq?K~M0}e1y*GMpo3QsG}&6m8%Xkk+Vu;jb{a+(^84$aChdG z7@5=TKVD%12p_P*t_2XDGIyUDapQHeLABeR58D^hZ~SDg5-#xhks{}DciY=MsqPP< zG6#K54_Ffco|AGjU|~<9J=`=SnG%XFby-DZw!>PCK!qtquuQ-{!a8LKo|AjyJchHj zEq15>^re`PF`~eq-m@BUV*Kl7L`c;`84~SulgAjUNhaE!0jybhca!Ya@8Z>PZ0ZIp zi@`Q?2v%jfI71WNeP=}I8S_^oaWNSY-+e2(24AZCF^()y;21r&Ei)!krKPr*7_~3Z zUxXHGJT9S5)9C6#3qs_ij(QMlSyW{w06RulE3MaQ{Den~oP>5S)P8j?`@>E^^N<^l zuh~eDIpD02lFG}7o9e0}XJW=U_Dd%yM!fT->aL~o@*$qZ=h%*~Md-`qE>RA@Jx8Dy zc?k})R!ky}#^hJH;Mg9%Y;FpMc9`6we0tFpzXM%UG5(XZA{U@Rgp0Od{|oo6f8n$E z4J}YE4QQdGv?L@bhAt;Cx2@X^Ox2qQ(?-`wcaoPBI1r}5I;~1HuYEPlE}?bfwT(F5 z45u*m`*o z$C^BvSmmB&X_a;M2v;WJ-Vka0%UjM>xf1nsvl5qhNS>+QgGYUL+icFh@yHHQ_4kIi zN1B-VWznY)M9i0XsUnrhwtGAFv{#d-%6c1zSRcB@{T^(GdRZ)NU zDZFK~9M$rGRR0GbabgZ7GH9uW!kGinxp;4SXzERp($h%%h9o)^+C4c%H!Z;G@KC3FpRZ;J44CGqI&u!WxV zy@w_$Q4#7)aa>u8st@D7q}%C-vJlARyNhEhgyHl zYfrW<=Wr7q`@l0p4w)7|ZM!hlJ-?Lr9gTN<_-~BD<$D*Iiiqb>Y!G3E{+qOl_j@_V z@xSm?*~`K;O;*J+qx2%F`|gLtm@Q)tg8RLNQK*6mPPt-}s!pH)rVdFMw@|1U{A-A0T_nClRLI`!Sksbub>yiBMfLTe_H2zraDx ziN8-Af(+zTyBqD<3Yb>%{XiCEJM?T_?`B?ff?T`oa+_!`+X}zyz4{=m^{cTgQs z?Y;rA$r0v6WRC0O{C!M?gOIWpm-{|$Y3C-!oilm<=nDOWhPF|==8M&_de854P4Kng ztM!ldt?zs3qxDJhHN@(G&Bv!?S%POe2FB{qee*kt(?3WGN5~k@vN{7Rp^+6QQhG`8 zz?7tcF@MTTK=OYRQ_3|=Xptp~vs0300>kv1QEVofh=$X><$~6e$=dcNQH1Op_;+_P z@4sBPgvo=@Tvh%)#nMzc$DgzFegC?s#n@b0tzVyp@oamq?)b54VQ1@RR@#W@q;st= z^iak;mS~mf*xvHEe7Vwn8y5UPwBT8Fr5m7`!Y^8rBSdf&|6?M@htvbu!`n#^5c^<9~j-F?ok5k;W zEnKRaBD>a}n^TJ)8X>V+0LSyxBM~V^}U!~QwJZwN-{(UyKv|$ccTQJ1oRgR|*g+il>V%owi{ 
zz%|4GtNPS5v>fmFtYr!DZucTOOMj&oYQf`n9ayk>bDv!_1?$ImDtXK{0jjE^1I9aO zR8ob!zaGG3psU3s1GxARXmZsHI)TU=_SNR$JkbH1a>oC~P3wWvGVye=!nV?ENhGS@ zNsEbl&V$w&XKLU196p$Ct%JuyiQ~-ytL;`FJs)VeBA6eyB_N{&{y< zR#Mpop_`R~*af|FPToX4q+a;PIS~Qt7GX(6H147qI#THlc1ae{*1 z6L^dbi@Rrfv4CT2r>0fr4l*ifq38S8cH$W2#Wkg18z8yNXu#{W7bGdiN&TU6__(u@ zT(v{4hBoRI=?P~GZKaJSmN8+MD>AODpIm(4Bx0G`NL$KFr{W>b-C(3U4+lsE@~oQx zbip&m3X5KKYU5JD33H8cm07SyWsF*79(WDfWn}rI7G~l{-EtG0^_9`+VyvtLndlF9=M%oJ8~ zCc+{!lId#m@yX7cd9m|R=7voGGk-qCnm6)a1k$e2@L0zsH-CU5KW@as9bZ*|*>bW_ z#CL?+*=n_sS9k69YS>GR8ra55k^6O0AZ+ueT@7NdHLq5m=6Bb(=bQdFWpCAs|Htb) z$?N-#G)0MhuTPKHPv`qoxWjJG776)pc5#>#&VFMHx7fR=50#-o<=*DsWj)(uvtt3a z-x41lvC`O7nB~1nLxxIF8Yt>9O!5tdiJj)Tt0Bx*&GEzp%#!xO&BOq{LH&nsh5*fg zbI0+Ue7c|y7Q5HshKKc#JG8ez(BXY0&SmYtvfifG>MVri38h7ku=0!m(Ji-!H9oT5 zAruwsI*Ez3&p}NWb1XoWbt0gj1eA|8Z?LAOIE<(oxUBihKk^A6j{I`p@VBFolxRkMmM(ne_NA^j8ubWXLN{%LRR*Fm}p z^OA^(eTt*c1`ECo{kX)!=%o>V2=Ae!7lUY*iMffocFxj<@)!aNQi5fk5J)fpYgA1N zP~15cjG2HA8Hj~J{aAqqY)aIVQ^T7pTIb2wC`9X8BO)=J4NjedA+=h4>SqYg`_n|V z&OfT#wO&An=pB4P^s;w|DYQ!^xir|a3J&R7P?J{hs$hG=vjZ9Z9FApW0EFlE`$MQ3 z^aQwW*~v5Dysp%f;A)(Lzy6e=35)sLFc((PNs+Dcf%N!6G84q9uncNCF+PG>P6hec zdDYAw)9^6=0GpFi*S!HYJ;1Ufm)!jji3hPF5W$6w2yY2Iz5@Sn@bBy%t$x35Eg%CD zSmy^>c%!k6xZPsw1CdhYd!@~$Jh@zN&DoyVtVt=Y6uc!^_2?6TPVF3&G6SmlHdMNW zcWpv3<=0(9#j_|}FNUqm1!nIcrJYPgr9yzb4aRA|_poADz}`Wf8(1@7Mxk>Cmc8`E zT95nEX#ke@)7AymQ-$8STk8G>%A|lMwd`R?*Z<`3Q}UwAmD|+s_L5%{yHX*t23VHL zioXH1jHB84PJCWL2ta-x+ z=YS%4pmyCCwh#4HsM!~#Lay%V@|({8^}`dImX9z&;Aa2 zAl1BPb^+H&3VNG+F%R|CU6jGoAg~h9M}TT8vfS3nqNmg7H=|Lm$$B3RQDk_4y6i< zI%zMGl68&CB$@{$WsYlV?56^^WG`iG(%L1f@PZzPOvKMRL5=DLmjVP<<0zGBicU4zMgoHh7r)mvwq0T|n0$cENCwcXb2%V9Jq1)i z%SdODKRG?eP}Qin`0Z0F-khijXQfhzG3YAiAp>1W8PkUrXqxOUVp&lEddqgngP#te zdsEnm4P9sW2H0Yf%3%~bj8=|u^*v&zQC3`9M=qgXd;?_OIVh!S{O>rV&YP|e3$sSZ z{$EYr8Lu~T8k^emOKmXetz3j(AyL_T_9q2-fZ%EQ`itu2>E6~B1E1e9SEe7Mh}IIl zl$OkC#5hr0O~i651dwm}#M!vnBw6u>rjDpVw?|4P;m*{9bh+!IaqO0Sim zI*2uys-ky!L+NYrr6bII*_2Gx^;n!E`Rme2xVNHCpcUas4+WR-ewme 
zu0FngNLUDWwVy&PKqtn3>$I%sw`bgKAp(8%+s^p7U(lvEna07>oQrXRcEdA7McoRW z2}g<}!O@FI!GxR-jDbZN6kb71O$*)Id4zq7Iv2PVU~Zj}(0%3q)rMA{`oc(h*>4?- zi7<$zCBMAO1hNHLrX8z45<@v$jUP3a!-}R1+HNZ){T-J9uFl;FWb zxK>}FggXc}e2$)FOo-vaf9}>cJCKOW=AbbI5VMa_^E~Gm)%hB>XcSq7fcG|jU+Mbi z9-G*xvsFnqc90lh4CZjzNn(c^etThXki_7gw6nB2=`cY^Gsz;*h#fF+#PQGhEJdIS zhS#@bU)C36)c?jqetP|YnY1<$HVA!W>WD-!ehp9T*O{zPFi1mB#uWPfo|mJ>R^_59 z+-#8g!Rt6JeHm;nuV*3;q>L!~0o6Q;V_ZJw_eeZYL7F=8O9J|ve#QCq=2RKDP%XDZ z-&V}A6~fx5QoDWE4G-Rr?>(|*6|u4Pbl1MvMjd=+fo)4L{g(lJ$pWkkF%4e&+y}rBl{9}iI$mfRWuSR+9b zM31}4BYR)3SEKi~J9O-8c-CTjtyq{sI7c~7Sk#fJBZ&ykW8+pq);N~hu`){>FtgM< z{6H@jQmb#qUk3a&7xobh@yxgF;5*~Ijsk~HtG%;;^dZ-+=TAM>A*hd9V@)CCuNqBG zO3dAGl*KEWk_)J(_x(BoM}o}IESRRF$9$zy*Cc5l?`N9eZL#v~+5&j`|1P&9*28xl zC(p9aVfJ!ASKZ>F5T;=qNzpus-T8bOew0HBAO^(fd;HRcMG$l=+gik356%Z_4e)ff zkcvW@xpQOLt89$x0~(J{Q2*&#HbT_UaSq0TqNcb~i(r#0$P^BhuPeb$ul%1paUn@5 zczGftiPbM_>^Cvwap#ffwn$IvY~TIGAqX}yEapR5n}M)vEqJS4t~L z|Fb$ED0M5m^2d9rK-Drs}UD1IJudmMG3u2fbxx|BLN6XjAV z5z5)5216=Xmp?MCPCSuGIA^Y8Lt#$rP(992-|Pf;NKb=cUl*qtC{AYt<-hoK#SWuy zYI=dHE;`IivIkTN_KT>1QTvat|9&_5(om)7B$*%z3j~SdkOjy<#4*Q*7CCIYS*~J! z_Um~I;O8Vw37-BZg=%U9D5{ZqrJIt*PK2mpPfKQ?d&y!?4i5No<*h-bgH4|0mA|Yp z>UT>hQ9Ad!f9Q2tq$u1YlD&M=$CV^lOr^k3c)!`!(IP>dfh#xn_Wv#q7dWri65xbz zzu0xXl47o~8p2Zz2n07}2-&mS&8UG(3Ti?rd)jw@gi&-6Z>G!%M zvPomyR4<2M`IxoGQ`Qvt*k2%h3>||h z(a?wH`laKv(9y4|h*;hUu?l9FN zHh6yhUs16r!Jg=wT*N4s#?1M*(e_>v7=1~-7=Q2=@y$C3LF!zSw{e;Eo^a7iluI_b zt>U)biPOyQAK~mc{Lu3@yygDv*!wy1rmOUpo^~Z+bKU+Y>&z|BtR6y&swA{P?I20l z#ygn8YDRV_OmMjMZf6mXN~`Bq<7aZ1U9`J~m6o>JUwe;UxRai2(9I;3=3V5qgl}nj zRZlc)D6>HCMp$HCKuvfIng0|7M@_^CA*@A=-iba3dTs~@rHW?tp+ADDX*bqKxK8+mq*FrLY7J;VOk%Ec^54Sw@a$(-!U_vfkV+S8r?A!Gi3=<3#XyzD0R0R^9}iHTH~mak(niP+iaI6 zY+MsVHb(p$`h+&Tl$T33^0!e3%s`n|Ca%F&z}K)H0{Qd+p3T{RZa7BN0)P9e`e{O| zcKIn$pw5Qg8$n4ogICb{+B4A1V82Ll)h^n&61j(#{H0G2(YgCUPRzdNGX62jO-7{_ zOPL@HF9fNQ!Ac257sr`oE>t<{1mwKQ)NjqSV+6#y#DN={WLpC#Ee4bo%X~0p*eo+! 
z(Yd~hei}G~dt{)2A1#B%>VqvL9p=-mw)_fSY_hUe0)+z#TMND)bLR9DtT`ZSm?C5$LwpUoL)s_ z7G@~(&%I2J?ecoo67rsLJR1GgG90PN_!XkS63z1X{u2!F(j*EBI3@oQ!_KC>a#r9K zILB2Nw7GSZCw@@+A9$l=U^p=B#afcWs8T<;G!nkFM0!aM-#Ql2y_~7%`FIM)(&4tO zvmAx^>xBLghRXRm#vCk7ou3c5>USXJc(qadl0tPdq^FcZk4_#U883>cud3p+;O5aw zKS&wfApY#QR#21opO~x7Uc>4I(VIzQyQ*kYmzM{0kO`vW4QC@zMV@EKinD!PWK1QLaitq(8R3d%o{!qL3d6?I4j7PqY~{#5$C z-Yv#Gg71j=LAoK)K*P*M3q|f5mh*eNd;CD}CYN9O{eR$Vs`c?Y!~Jg4 zg@F_OTcW{ri5*%l|F#S7fO1r(cK0j$g|_xW$h;H1qnmXy2kCir8|!bd5qucm@Z0~q zx9ab@_vt}kmAlqc%Eq|IxbstIyi2>)pOREGJ4l-p=Vf@5cgyf$nDLpF1Xokf1uT7TTGTG z0Jt@3jX$%;K5WMyvwyVUyRjASbAN5i@g$&P7lFt~p$OT)qmN)g%R{vPXCtcGv-4b? z4!24}>nv-Y=~1Ai0t_T@Ghg9m%enMaWzp+R)%ApS-)uPQ%kDKyxEH_4XE9;CpmC`Q{tURj!eA4>rIL1f3pd&1V#mQ)%Ilhom~mDr1x`1Zjy3 zkW*7lR!XzpaSTHN)r1DIqcM^vBa%fVe^?iag6O(x$IuFzT7)Et*uuZSWVb!_s9m9xcV;L+E*tw z+FhsbApjJz0sg`~rl(0<1HwYZEwfmZbrV~}uFfdi+&TgDPPNxjKM`tt=^We0Q2AYE zp%K~@RVK6XxX*&KmqcaQ6sf89AW`2t){hBjnr5nz4Bv&(2M04g96+$`7=*hB+yNu( z$lGgj?;@(0=Dho8%3Qs=8&~_2rmpsx6+GsI8R92Ej~N2!STCEZ`(VJ2EpK`(_T zW;B(>i8p_au{zBnT!76*P_WVA%SUzgv8}fbxL=p5`MxhV-r) zYB@1*;Z~r-zP(MP0rDD@$bH%_pPrPvgMvsqmM>uNQ~?sh^j`q@*_2%7u~m*U z$T@Q&hL)IR!X#b(o)f__vgza&w;d=fb9UpGZH^zXEim_p6gMBX>Yfg`ZmE*)h@%bu zR%G1OcF6gmMJ?5dTs0!&g3vJX?j?-SE#+Nyx(+9N-u}rB3hYd202<&D)#O7U37q3K z_JT5omY_O>U9PE$1lTTFoGe^8R(;GaN&K5D9)x>|OPe3EH~{9Oc?(gQlZ+(<;a|Oy z2B{2jFow#$>K9Xuh& zA!lJu@zIzj^IRm7Q`EJFML~6YMBD3t?sz;rS@L`PR?eejjcjX0P#nta$3||7i@js- zA;7DPWfpRjH_q_4w;yj-8li**0kb98O`BAvqYyPcN_mHpmbewL#+LnZ^S{IO$>Y)a zf*B<}+n6L(4`<`8R+zSnLbA!h<>wmt>t2~to9%2k*w2gJANLRM{PwGt%#pEPurvdH zl8qR-SPYj!6bj0JU8+m~enb;H{*zlkxl752sqxYml~PM{yuVgG*^);;Wk{n2cqNex zfLBs7S6!=|0@z{-HaeK>d)6$+ZqTew{&&KDKVlBkb(K0qSo9~CFi5hV8dwt+VB7#p z%?uEfO}up_{{p-ukJu4ZexZa`imV}>)e3nu`_vKmM%|3(IK5YQ0vZ1TPc1jeSv2&k zf|u<$0_NsmKahMFsm0zDXr4wGH57i13)hW3WYVe)Cy?+6@@X0BlX2)*gtEf8RG~1% z*;7|GDc~JVzymi?#csn=DXPhJs%W$fT)MiQPa88*Ck$yxu5h6(UhU2idZ2<=lWUAf z^T$@ci@vq7G!4;#=~Qv3_2eBk%!qyw6reULWDhVO-Sc)Ce+z5#9`lmLaY<*H%)I|7 
z{Klhw#Oq?wO~qo5-pTE;dCt9(Go-g7GAhQR@5qz!OoBxRE&tQvJLdr8;SdI_OyahT zkcZ{fd1clHb#X1;eiR7Pi zefWsad?y)vy5^OAbRkP~DcO31t;F%NqPYaD@mTynj;=XA@}`GhZC&lFZQFLcwXU{p z+ve7`jjQi!TUXo0_1)+FcV|AENhX=eVxPT3=NJ-XO9?F{WmE zYcsYp4(qoeGQ%#;`02Oa3z!1;4C`h`V%fTKfuT4t`L*i|Meiu8A#YbS-_OUpvxbS; zOzc4cD&7&3733>%w{^ByeNJI)TAXxnja}}?6CdA?{k&Jc*jj>+GGO7@)&SJU-#ZN! z&dQy;-D+R)&-wOefVcDK$cOr<{5RWeIv;{_d<9h_g5_TYn%4SIa*&ujzu}9}_An^n04Ianf0(X3BI&w1uXoNk zBbT4&k#5=NT09&%OgZF6ddS;Q&8E&MQwB)T9btw%hfu?XXM@>av?WP^#3y|J&+3K-k>q~hW&m?CYDRadFO!-?Rh)N$nd6k zDQs3^g=}`&z^L5X*sPBEmp^8FF-VPf4Pj)q{^BK15E-V=pda^zje}Yrvc5#K2WQPR zkPFyK_xipiWpJI{5$y6Iw)H~U!|03sS5~P*@2n07 zzLO2Q^9})5;(|lHw&qY4xp!Y7K~?O~#(E~gj7VO+(?+1qmvm{Og}C$ZRe7UI7`xjW zXk;@7i{KTTZe5gq^5@Ho>`GE(GhAxAn89Epc29*Myi9l|Gf&2VK#l=P$@lKm0OZ3 zmym0gE4-4+TdAdflsDmsPnXtDpfS#pxcw66*>Ez)YnqC;*Z zr<)5;)ZNJXs>J2I)=f$urR|2B77UYT;C50t#P2R9|H^YXzd9^8X0gQqmqpj4|6U-c zJWco-q4C+_jyeRMmb9sc+)9n2Bzi$MFDr#Q+Sp*iqr=?LY_wJtSYX6C=zlqg#AEOsXbzM3VZEYwL zxvLm@KR_Tz{G1?!j{|I>$DiE+k$$9i-4CX`4Vq;N7%@dbGd&L})l!S{=hXN^V8CqZbdvU1J)Ku9^m$<-6*G$gzk zgWr0iI=#T=H5P=4yfAq7d%e2=RvLQ~zX4IKu-!a`j?VIg5;4MTgZXi)wCtIbs&!@; zXKmJF!Qy0VbM4FPAl%l6hHYVNdVFTF6eEF~>fZ#dEsbw-x@c@=JLcaB*AZJzsQO>N z8X-v9z%ens3|M66RZH%KwaiQ6_cO_z`)SU3qtQ{UIoegKUndGRKo`v?est->YdhTi z*2@l#l0*TLGqgq7MpX!AwH(LChp8DdW{gq)_Zqt=y$EH@KASFnOlWa`uN9K%VG|h|?7I zk>xn3DAZ~>)C(PqK~hvz1YNW`GbuAhbXX;?aoDflaFzP+;FO5#>tV55$i6Lgbo_(A zycxkWQN=FDCWR{sQRxKWWDdE@2rg8Q3(9&RCy*0lBC6vM4II6K~cqhc!~B}VpF8*cP=xv zCgy5tkChK>PWFypMAyEbBa(M#Oq8B&|K1w^ME)y^aV+{*lq=qK1Z&xGpiJqo6}^>| z2mSv-9c8_q?=v1b{g9&7e9p|0$4*r@t{9FiC{VG}1j{4{G5ll-5c=)OJ*4VdF1Yl##kK|#Op8HP0`_0Yx+2F|D(32}Tc8ayE-sA>p7#wUcVn`v>qu~)bz zf?mW`hfQtO%F1z<_{l}v$&cGMvCNEZr8CheMwkgvbfA`v2C5B0{mOqu>S~_d$X-1J z32Wh!JR0}IEp?^D7N^=p2cUk^7fNH>VHFhAHLdAvOJ1K`{EgqMWP2B>43tM?&?;%D zTg6c{Y`H-hhZq6DxB0VbvTgA%%;y922CTOi*k?Y>Xu2U$O*{VGd_Ux`_}^Gv>q9oH z#CkEu^Jk|gBgRDgsJv`);}s?9lFp~yK}mEJW`A(e%(RxQrfHrFOyKdww7BP7EUY*< zlQpYVFw&^#g5ka0@cgU}tEPG)o%ikH7X_9cJ;P8K1~_+9(~7YIXt~3>UWt|VUqEOX 
zw!c~8pjs7fKq<=5X?X;qbSr5%I&E4MpHlt{rvYh7r638KGj@5p_OA7xb>Lwvz}mW1 zX#+QjMhZc<$7XDjv*^ADxU*<3Hq|q4tDp!$MxRRUGO47!-Xmi%-9SV;fL0F={Ljx_ z9rO$bV0=5xkrQ|!TZR`V2L?4c>yL}r>gZW+25B;!df7Zvy$&bFus9c*hMuR_@#we% zb&XWuXnBqQcT#cfxeP%OZI-p_#*ZMzVLVS5x9MjQ-t}Lk--7AHZQq56GlD>1_kw#Z z@7b*8n!ipeD=QN6Dzo?pWTv)Y z_0SCJF(*8&<1T}GWuVVv*AoPkAH-llGnfUXFlnc^1_i|J6nZcF-cCoKj!!(o8zs}On8ty5YvWevVZ zq~7|U?z@p>j}vLN2OPqSiO3@6jccbc$-^!9xcYFVLX|&sYGfVYO>b@pUwyhB8)-)G za|JfDdt+@5NJ#~iy@}s_Cpe|~jjRGQ2s z_Qb|iAx}hdT>UdG1y0f#(q~1)A1vupwI@)$2f@F``@O^zuMAhfa{o1?c_&HlAHsF7RdLk3C+x8EcM^Q)JsZa z53QIPQ;LwqvP+2Y^5+$I)0onKiAmj6)iwhomF&tXFK@7g7_MW-Ly!YBBvt}uM>JBZ zE6MVTw9eB9ieFoKvCmQnzu}Nn;LLkOLM#251|1!iH$4{wye^rGD!I3@i(cvzf!vkS z`s}Q9xAXi2Wi(jU>#r;{6`V!IL z)fkuGmAw9_*iY2l`riQ-C{5IIN-B*grCVbiQHx8T9}ef~Qk6|{_06~B(7l*$Y=a_I zEI1|u9+{<0!$W+joLLSOjHr0)xgh3kMlAPAJ*N3fD_`j;Yi&STGA_FQ`%7VH5h;!C z^1|@dcufdIs;c->%)ILDU>ZbvKaYf+YsI+srJ3Cc-f>vCU!KFZL1We` zRG)|tx4%P7LQ(mz7mtW52zS;qEg>@=D?>~ua{Y(iT>R}Ow=9mIf|3Zc%_aCS<`8o3 zzgqyVFQray#Za!dS9KCi+8vc}u)g-{p+IQYeW^77*U`bzaLlZykXH@;QE`am*1=Gy z^4a9=lidn$M-(megZ={=HnCw)+ILRh-^-h*F*id>+(HpODZ(u+xhR}8FLd;m{W9v@ zqS5$$sH~48T`N$E-jF^aGX6l_TK*cG>GP^Er{;m~c#A9IRo zGBombS=9-?PQVza$Df2rR%y&GSytt`jI*j@1Sho=g77WmK`*_QgY?K|;@6zGe4ko< zTA+fpe{5JS;jigaI^AOrdi|Y_iJx&lhz@gnSC^%Y2zXPs*kpO%B|KnMdaUzJxc;fR z(e+A@mL4Je6gA0;{9|-qL_bh54EMyz#1l2GH>#4UsV*j)CmT1dB|lDCC9M%jAD0Xm zy|_A3Dh1|(*yo7?*{GfTjqjGA5xIEh)~U>wWbk;sMhw-GwrR6=Y?xN9XZnJ+J+XBK ztev~eOWIM^WjZVX($HxInN>hRdz#MaAu7K$1jiK37E9nX-J0q)UAp+1XhdbJp@bBP z!8$oyUGa>z60Wv6SAqlKe29amp>kX?Rf8#=T0-h>4TILRO##R{@02r`0j9uKNQzaV zOl0%7aLP+~OG8v{5`rvPG3&-Md>!mx#|bsDgL@)^kM95>Wf=UcLREGKjf6$rd5ug{ z4<%eVk_-Yj8$dLXmB|t}%t+tmIjgXVt#m2IOctbE@NsZ?^|Ms5q0|qrUTT2hO_e9( zxy1Ln2phZt%r}|*)X_Q^aLNK#$mva=H`vF7H+aFH2tO8>hb@P!aFI!WtKb;AXXq%+ zlxW9#x=G)Gx%& zGSf=KOIIhC=9X9ySeOms(QXnh(elaZ^lGJJ5dNtKdUC3TRY2gw6cwbn6uwmFW5pHU z5odIjrQ-b(gHaOq4<#1*kgx&66ME+e18wdC1_uuMx9kEB&tP}T|Iv}|O+r)}uGXG88V>~7p zAR#Z4cBsHONI5O0RPz%w2YUigM273!x~toMhP4G$%$zWJ{eIR>q|(Ic%Aau3Dz+G) 
z>_Wx3Q`>!b)CEDLpJC%>#`M@#6$Fk0S3nW>_UA16dx`?cZFtpeKe!-kIkEWxq&lyT*5VEECd@~M4SJ8cjON>mt$nwItL^?d!) z{e0BPq*3m%ipFS(q9>%?E}80W5hZ=OI$%C=ZdhMUZS8dUYy>n(T5ZW+bZhTFY~>2? zg`z7}ig9rW?h&o9*!D0uZbZnL}$(o!MXP4v>q6|xY8ij?!< z&ub!i6slr*o#eD})~a4rt@wOPm=L;xnpano=3QTUu@d_0&EcLgxOt;2Z~K3 z^|)A)bbo5u=am19;GE@PH|)wc_VWQHzxc4YqL9j4QI#Bm(7}uD8al}NJgJOn*xJ&j zxtr1nVZBx7jNZc#=6cQ%rOHOX zOyoimCd?JgxO>d-mx2qZYWDZ0e(l$190qo(i0S=(@oYV5jni zFw#T*_<}a$-W|jiZ6%SAHx^|?#pWF#H$Mcw&C*sicZ0A>s!IBz8P82cV`hOhSfQDS zCVzy)jk5dBl!h=Ym2LXn67!ITk|pVIu@T20McB}w%DKElv_P`SCRk{l=t{_*OLyCy zb$M@8>l<|6MTDSITpd>M;W6Ktv3MgD`6q~T3?GeolzbiwxHyEFL{@cY_t1M4(36gb<&ogGD(q0#*moM3fGd>Nwk4?o*EAL^ZpU=LhR3vTB zGjGf512Ccz|56=mmZWTewHSyk=tYRW{1jZULdU3BRTX)hxZ4(4Q~ijWq@We7ci zY(_e#xmFQ51b7A0i=ezaK2Y8r5-_cA$Rgg#;D%a38bfpd1L1JlfSl#eL_>`;?r+X3 zdvtBBRlGOVQ$AnvgmB(F^UQF?@mU^=L3Rvumg73ZKKP#nNwU`7;ox8a)o(4)yU*7d z?S_l+$TLvbp&}Tftx*Lz{!-ob)|Q3Xx;N;FILgF=ZM+0(WR?kVA1uHs0iL09@#6|k z&gRXR1#%nKHJrRzn*@jhK~^BZNSw>t#r*1QMExK?|30cNeyed;pc%K7m8b zd3}r5KpCbnTxy=bro`qG=D>2OKAsHeRB! 
zY&xl=4rlXg#S}3Y?D_{X3$+?1N)F{j#a69!z)tQ_WRJtdkb3ft7VAaSv^<@LW6#^A zv!^5y*;u8O6X-o=b_yR|_14&h|nNZ{DkAM6)e29!r z!J;#AGlgs`GW4XfV1IBa$iv`MnrtDX5G41TqO;kbLZ{um8ShGt71b?UWT%Q}>#ADR zFubiL^7cp4L{R{7k;W#2(a+NuvO_*Q_6Gr{+0|92{}gU64St<|_s8+J828NHt~76q zu`iwpi5QNT*5>$!Gwo>NP05s<@kh)8%L*t?Urvq%_we1CR23fA4?thYUhJeYIvt!$ z-^AvXM3v%EC0o2%M3m;PUJopqS37?rV7j`S%bYC_QeO8r4ZFpCp$m7my4mR7IMP&B zVSq^XXAd32L48Sxnt$KtpuAES!|?LH1Cjd>vnUITl$id3Pss60Hsia_IN47uDgGL5 z)v+t0F>O<-FH)tuYk)-FBLB@e$%&O_B*L5eDqCrEzLWlFiAQFXj|g^-50Gx4D3r$Q zKZP;N%{Ugbh~Fbcr>T`z5u@Zaf-A(_Cr2lx_0m?yb+afUL*o*os+Oda0 zZ?$c&EPmG`@?!O2Rz=lu7u@fFRz$eL@P?LMHwtGWxS7VO=>v&8`R&T_7^Hm!I6Z-T zML0NSul~IvrYq-SYOmuH$^7~a?`P_A;K=k9S!7IZLD{{t`^h9J6D|rASqm8NU3P|e zcr_BuIDbh`5lOuOejl(ohM%WfZ3zQ^w7jftah}FH`p^5)qDWm-H4WuMyx{N7ldjKh zMo;9cLu-hJB8c$T!)@O2U+P=nOpm?wl?VOXbsRJgvrOOSj4t4A-a}6-J1h-ok%65@ zEDZOtNe%L>$z>`sXS{TOaWo|E9@LkjQtUWmE&+NMG9$o>!4qa8Ovyt%Ds5(p zja!*Df!|y9*eErJOWl7S@a~4pHXNxe>$w(I0Aq+my96eyi-BGQJ6_rxuI3uwEa(!X zVLMw|{(ke8HXa=0RgxGHP4Bc3GU2Pn@@cXzKf5mJY6aCMxOV@B`CwCLA^Ut8sO0VN z2h^GqkL_b1z#%ZNhP5nY7-WnA}gMH6MX1KGG10Roj0g$ zYcaW(@h7uz$a4v!cKojL^gu7mK{g@VyX3i&dI~rI|3=OazjRk+6K;#E*F7HaR7>m2 zHwhh(O6u{P=-dDUIf-Aks|LRbf>vPo8bBifvoQJ5wAIk?)Kv!x?WEyw_ad8lWA{|W z8}Ti1H*i~C%vdc?m<^z$QiKJe@^ks_6;4$gHSaDeg0Gq^9UBW2o!R8URO~M*XPXIV zor2A0g zIm9=%Ry}BL_7f{I`Ms?6M0c!-G50NoC3WJ^o8Bj~{gWGQ+`})77$~a@5Kc>D&Du@1 zbqTzy$o9|)I?tTz{_@cr2AE zcw#D8k{#g)Ib2Mnxm9X;QnxBa8)(vmDg2xfe|mHj(7bYC9O_ncTe}L~C<6H#=Tpu= zG+yX=%IP75ul&snsFvrw81ouor$G@qP#fAY zm@+jbb0oK0Qhu_TaT zvLXTW(b5_ixG_*uP3tn2*(2`B?EYEgG`z7=w<=FFDHs7dYajyVUmaV^**ge40lhA< zw~f~Yq4X#DZ*iW?gyLq4P_4|Y$-%NLUW$!2zfo<3cP^QS?VHSlyK6{7E4ewLEVGUwd>rQWa@c|&q{7j3BDjU0Iu%q zFyNn(02$(=(vJW8ol-qZcee0-G^oCY<~{2Q=meeVpq7wME~`4ktvV_hpU6Dmsl|=E zZ>ijDCyWAiDjHC_#3Apu(E)7v$$za>y{ZJ^Vs%9mwKvkBIPQD^te}e6j8u#mnJ2(QiG(CyT=lC!sgmu)BbDUoR3$W5;TezlEE+>^u!UPT(D_KFx%zPxNBKZC|O;BF4f; zh84>lHaP-*JN*6A6D!2)f~g)G?k2AVDL$=Daqx$+Rwj+S=T9_%`DmL5oo_!ua61c2 zur?YClW%9RJZ)*OJ|H;Er%R8vOc~F1dE?*iKh#FE8BbwF_;iy1Ds$uoRWBpXDKa$! 
zOS-XT$mw_k{s9JX*8m$H~eB2mZ<$NcUL*Hb3Ko}Ve!jE_NZd%HBy_sW(A zjV5|rGatf*k9zHw5SDSFxU~pq!I>AXiDIlM2Z7@Q2J{|#slS0*c`}C@^3-7gf2O#r zDt0kl3~ebnf0KCOCPIMB#gwJ-Ucp_5f#u&DRVFx&D*65iAWjPAKodAdKq)2mgqjp#o+4%d>(5gH#A`_KR*xL2$<9x+$xFqjMNnYmO=7IZ*^Lv7vyt^Dz(&0`_Pxl2r8Er$Q z^Y^iloa1CP7{6@b##t6zm!`ba*ig`z{-*JtmB}c`OmS1l085MFB?#Z- z7e;GA)OAH7ZZj!m9emrY6g>m+SI!On1g6+kc+WtIjH15Mhs4VQRn3vw#zWT4iy^Hj z&L#dG=y*=MnnNXb_}w<|Q*WoFS_2CwaTq?Rla|w0I59D~KiThpu$)Zx6gg>(LPg0E zrKGxa=7&khH<8wd{=TOzx+0J<7Bf!H2pTRJ@{EP9UAnr$2>Z4gi}J)_c7-3Y3U)MM z$M&-M^U|GXO{3~41Qrw-f`>Z9ht81e@=X3q(NATaKxRv2d_t7sF~n9yro{#SSzd`vBcx6MG<-`phIjM3TLi|#y`45q8hbHyB!~b>4g9sW9h|9|6$RWOKFHIziu4wJ0Na3g) z=2FF9+BFe@jvtcRg9r@=T6ABZ`xBk7ozhP4eNY) zIW)dOJ-gHDf)ie(!&$nL?Nr(Ln3GsQapu!A^O%yXhznrw5AtE*z>}XIfd|Jx$NcTa z98*JvG;nqLeGvW8nU80C;SwYPG@3pO7PQ4qa;NaNdrZAM< z&!6CFPcMklxlJ%vv-uy^c#9$B9o)v#^JjT(|H6;JA)4mpJKDl=J64e3h>7dw-Gr2Z z{t#@$<9iQiVixnYp*UDAxjVk!R_OZIribDR*&-xr?7v|3zC z5MukC;X;f(n=!zEqKQ<0SbBe>cQWaQQ4P)oj%ojkBUNTX4l?MBka`i7F zS{@lm!`@>PzJr;McIV3>e9SRmD}|J>6JA0hKQAsksjP10Ig~^eeg+Kp2Dof=By+y0 zYrQYq=hBj)1*CMlUDd`OW|b(iro^$a>Aufk!3J`2HC14in);qCe_k-*eWUrU0fABZ zyj|OzHLL+a{^;5~r}V`wgn%FwY&dshW>m-*pA0D>cWzfbSd4$?!PtHCW}6{*%K%8vmVr!J@LOgCNIwef1Rz5cQ4e zxjW!J$M>MVl)xd7J`q`Rs2;{hJZSFp&Zwg51vd3IiM;l^s%jqU&xW_iPTinO_L>7$ zE3Fe&A}C2Ut5KSpmQ6aqPP@*B?L6PEAGf-fn>2N}{tqTa`q?L#A`p&mM-?1}J31 z>PO8F;ERH1RA-H!o|da2mGl?EvPHEa7#SpmsuXJ3WNqF-ntRNj6Rz{B*fBWy_xCN1 zj;{(cvHZ14@xa!kPH?*W_I_X!OMR-8Ges{E(Z{930G(B}!N5>kfFpzE*4HDg=jXaZ z6p?$k!gG%AX2AP~eK+>;`i~32z{HU665t%ses&5qr6SNH;h9nX8j;TLw5$OV|z?3jy;k5Sw?pY99R5KtRE z{^*-_kZNfk%$lNWsI3ui4-HVO_`543hWIID@ZqC~eEyxFtk~%p$04T!F0Oml%~@dK zEI2I@Tq=JRFM?_+0JWm!q`7m;+S;OnBIA#vSjKGyO|}}lqC)v$+u!Glc}4k?bAN;g zwV!3gL3n#b>(#bs;#9X@Ok;ae<9#VPmey4&;&?mfMAf|pqG)0;2P(}A7u-FUFv;bb z=ZOg9;H>iNbvEy$8yC^hFn_^`fw6ua8U^%+50EKHu;L%10Y5=G=~- zl9-%Tr=O4r(KN{_RL~N{n?H50eMDYXW@}b5f5iT82ZtkynL@s2dNwdcgfiXqlJDA* zKdO5jSdKN+_`Dc92@*-RFfD@LYtQ)W4tOHL>mThU5dHj*Kumoe4{l@$R~W*74suydY2e 
zO36%jYBZ(<9H*@t|MKE)ojg^?Wy8bJ)j)0qpR2U`+-S6^ZomlIkpU43{Sh3vJJUEZ z2mE`lpYB}JJPUU43&!KyRkAM44P0)dnzsfbe6(C^d(bWk)b}t}w(jpEdURqW+5HIW zP_+Ha*Z6_zp;;+3e|)*OKaWfeSc$t_X8h5Aoc(n4k}kld2(nN0%MfViX-s)do*=(3 zoba6d(_`94)4k0*9H0CeZ#{_$^|jWz+Wfs4OERT@7IE16XUsGcGh4>(mY!t2$JtgK z!>mKcxxqmRk~WREe5m5zfXCxYB@g1h?SCuBJ3{^+^(gtOtju`9S)5D@NP&9VlF7&)78)+X1tDknu?e^PuftjVG5bCZGSIiEC_k+4 z+>|T#)m7cX(Yj@}zUN(bD><7_K9*G6yW`Z-Y=&<8qu)hKfismz#AD zte|05dnA#Of2;K+aF_4f0eI^)c^WA+-8)@ZTZNPriKplH`b3`{)^kvh3sy+CwR0XH zJoeKrTG||MK>+l9aR2r^jpFy17G3-Cf%Ls@U&L8N%S_EkOIUAhMkJB254_~*i2+fM ztDGCuNF?+~a9}g>7O2~sde=&Ck zFdUT9?z@)GqVsow7n7BryPRORf0GHQ37{Qv^-2Pn0NXtEN6T(Qy7FeTwac_pe;c=SB$~@c z>rat+ZmO!R^jiTrevz|7l`=#u^4ECcezR?wMfL^Z&ue9O9W7}@1ip3+#f!vc-2}wm z06W}Msr^UIzt#))+fHc6z^u%;$7(Tl23551!iO^2yp)n61XXc2#VS@bH%cs-$*rK# z#c3&7fmdn4S(813+2TJuWFiTF0J#m;KMX_G`PNi7-E8QGl{pXLvn;N|9QA zwf3a|F)h0#eoj7gVa=Z~D;5EF3@_V_DGLKxdHyNWHYuT3@>aR&Dn!YmrorTMq!du% zV}%D~LE%hAj$A>~mn~_FDQ$Zpw3Jt2w3II~-)5k#!b4@fYFWK=Hk|Bk=AgE7G~f-r zb=N%lS`k6D3v@7@hic3S9fM<&r<*UC;_dncVb245{5m_cBTZSQkafRoZmfP<>Gr>vG4+<^?1yG%7+3jaS>FYoY`m^f{nv**C&MrJYBJ1sfiiGZJgHP$UkcarS*=3LV=s!CQ3m?|b zSEa_t8~GXePBj%*v>iUrUiX1rk_WND^m6X>SP%47i0=PfkUT@De^L5c=~j2CKYFDt zf&~RhmQGgD7eyTu%CIjXelyi+bXtX%9JOZvO4JGBS?`(EMTpcy#1-(cK+9%MOEwPm8sD4;Z zK|B?C<1fS{i9v06G}Th7bid94Q9`OfMM`9mc_|~I;`QBr0>eQ}6tOY>$68J2_(JN~ zLqej~rs3nWk>FG-V3_1n)L@iri{Vc^y08+Yc+NC2c{s>A%DvVwPNu!`uw_!2lf$)< zKO-}JGv<;@)U#9!D%KI&dDqr3Dyeb?%M~*_G=a<_?YxDA0lsIU+muy`9ii$S$bE|_ zT^z+7>g8@xry0UmJGOxuasE(iqpAer#|;xNRguc8-W|{`>fQ%QSMpnQz}A_Z-8w&v z0W$g8ONj!ma8>5lkgBxV<+a4NRgrt0QqRa}pimPcCT^keJuBiY&_urr@Owc^;_z=x zg;9~1?6?Gu1x*4%Qddfv8sE^5M^l^^03!Nx6%OTz28;YSpCfL+5@1Yubc0c3#Y6>} z3F&jyRf+*JY_$s+L-BZS!Hb`_i!I|gH5Zd2=#`Wl?mQM?g^`>Z%`Q)iN0m38zIZgJ zhLUh4MnZWdK|=Ym@sw9LRe}Q<&HZ|XU|Pt<$Eh4R{dZnPJ`u>t*XF%;u(>f$OxfdtAk#5m385QbufHqlnCHr zLh0JR4#My^cK>2sO8MnC4Y;;lQ&*|2=TeTHz9soknxLw8tC(f#m<*Ai1=>)9usJn9 zOxl5AZt-5Krza>}vHT>KPb!pb_gW244%4VCh-oU9U$}$d*W7^a>Kl=6b%~UE*B*tr 
zN!t302T-qYSxBL`ZKW-uJCz*&zSl-Ol~1it->F0_51sqD<74>pVp0FYnWIC50={Q> z#obaG6p5N27?L5%ugeE_rEu5s?ROim;8|3Lzsf)QNOU6aio3f~19UXL^(@aP5uN_OYU$Tv{vwVM?5fhqc%UEdmmJ_Ni63&35b9H7MCwHODDEt3hE)w zJhOi_2lP3P|CUcf*w0K3g}CsWt_!x97lwBM$vmff=E&)}q620!a~1nMFjIQW`-8fkbq4x((r?x_lFY^j^(D}CIbX9LF7 zRWwMykm16jGYi?Xo1kMS`~m;6rIILHp;hR`Jfa!^%1r5KdXA@a@zz{O!EEyS1Aj8@ zL@%!BB^fv#w6@Da^P^p;yym-%Dp<<1d4y;WT*sQZK7vDp5P>ttB6|SnM1A{nQ<@##W_`n0#y>HCa8r+ z1ZY_b(MFuJS8K&=OJoahq3@!`Lq-=82S2sXp~F7*?RLOFy}S=A#hRIxzJH~M$D_ma zvWvAy_1P^>9C~q5ZzaX6%-*Wi=bno}Fr?{vKfk8+gsuN$Mx=+zK*w80{LJ(S7Ib&$ zWL7iD4xo-+PV)J;?R2bI3(Sj7oRX6e_PBag0Y^-5MN5gE(O;!B@S|n&TYD6Qt6;v1kiccPNRLi2867 zlM36)!irgfrs0C`k#^UktS@%84OG=*=Zy0TO&ONIWTJkiie+ zm7XH9nLS8^g+HWGSiIY}*LV=tdUBxvAId@d#JcWm)`a4i<>oBAT*%gzb=WH6@~+hA zCl{OiK+b|Y<-!x_ON1~+1e&vD*@)X^!jmZPT9U;4`O~PXjMJHT+PclP489lm2X|rhWe3<2rQ#Rm3VTkkfj8E zZDsHMarZ2vse08dXG8OSwK01as8xf;xX+47$+aXveO6%|V5xeh;E)j7P1 z94u*8I(Ag+y7VjQ=Yryc$0nzs9&`nKkm@udVom{6N-5qRi)=2d;40(~qPNc&w0oMx zz6LsAT`q$~(Nx;z)Ag@sPJV)%OARnAO#do8i@@?3}j?05AU&9@vYnaCMU)7eS{iz`qT2b~= z;Y38z=}Dld=hquSJvG2G)P8EhS=eLR3iptnv2Xq^w@7f98Wz_3~5^jkhXVQef}AWFRYEIxECiZVSJoKNQWc z$^43w|eRwFPuajd_dD8 zK+6t3ac}A4YQbDHU&Bf|MN1LYQax)I_`RWqramQCis*Wz?DF0VG|`_iea_8SD{tNH zTfdV~ItV=LTDt@bm$FcwGG5Rtm7ptd__7A`H?(0HouZ(36=IT!C=yL62kT?4Gf)8N zJ9C_LeKKtZz%asO9aM896wgM*OT(3sL(8yIx$kkzxIgB6&6^?HQMq*qimTg);G{f( zYAc@Hfw7f;cqR!p;Y0Ha2`E!4a3}dFKEK-TCW=95UZ_0wC3=j#(o3z0U0|oc&B(J? 
zT?$UMN>8*ND1`CO#pr}-=6uYZDb54^D@#n>{?Nr@m*>amXQo8d&)uKu!l8A;8c1hz zxaW^4F)`rsf3k6XtGXVR+IH!~>rgXV{o{LGNCROkFP5mZ;3@cbS@Dp|Z^i zqE@W~mLXH_``cyy_n={re6FZkZVh>ddn)o3KZ=TAW!U_6 z4k?fs$RhQlK>f*hSwye^bGMD)kTbCfw~bdZedFC}Ve#j{=)V~>vey`$AH~|W-~tPZ zn5u-7+nMwdYHCGlI12gyruuX^=wH6Aw_romGF|v!l(Cawv2QfXU^wOdlsLS9EBmQNl421{D)Pf%W}wCY*`b;C^iQF&RcKvHsOTN z^72E-6`i|}PQYQDdY$eK<*5Q);z972rDYJ;`{h|$myKK9Ji|-j^XfRe>%d7T4L=t$ zVZY+^ekW*c8d;Fh{UwT{Xf#DyiOh^xG3?QWPZO0XVN)*H_n!8E&GM9m|D=_#SQH%K z`>%E8>=Oa+#LZA=Npn6M(M88%4l{20tdd6a7nP7tdk>KT3c2GK5 z&8x-)m#V6txaGNcQsAby;q}Ith&VplXUQ&kcb?>Ax^V0o-3P4bdq6PLb2A{37=WV5 z+ps#z+05i_wYxan%4an#WKd#)7ok6XTFvY?LhJNlAlO2x1~Z|Ce9}5Ux8LVKwB%Qs z-4{T&^7c6~rWqlNEB<%dVK1S0u-^Wj+S&EEuPs@)6<6j=8a4ZP{xbAm!0bOJr7fP} zFoh&+&;-C{wf+CqD4`3u)lHn%QMg`=*TDGqS)0eYt6ZLgTwf;l92O!1uci+}VL)Si zl}sGTBE%Bkor1RiJaP1q9g!AR+2Yg3GOf*U?((b>C73`o`4fYU95NVG zPXm0Q-?krXs`vr4Q_k|>ONQh!SWuOF{G?SQ#I7$f(d)GmoTY}7#Sbb@^;inu^>`r# zbPj&rpfQM2$Xolsh(JHxnYmi#mn~p&*{yIa{Q*xhB-nW9oen!~VmHMI*qV1M7sVhx zP4T69;v&-X`}BPFj$DdxAQeYwAS7f;IbHiU(qsD#B#gc!VHPYI_@v|}MqCwzg#rt_ zT7D*UKKz2r3?z`-w)FG=`=S!Ua`2V8kG9_W%k^alFo-<;+|hRDlJlsH=GBi}XMJDf zU0np>@NRF=<=;YNFrE#0WsIZ4?*o{J>(fl%Nt5NcjkmL6$5S|!3u*E_d2 z@A@OWGmmOeest!8>xV7<8@yNfL!Vv1r7$z26Xd#J^L@9}l1xs{NYqY8T{=O3^9^t9 zwi7n8V8pm*#a6yGpr{Km+gu|y`?{(MB`s%FX=>71$US6}Wo(T+u7S3jmVvC`A_(MU zFzA-*<6MwEGJ{nUl45R?p~wqg3E~z-3x;Qr8K2?mRk_j&pSCPnoO&hn5<-$n%ND@5T%ydbL@{Pxj!BG2(Z*=)Q@q%%&a( z84`%VKXQ@GU%t^0ph9@1yp3Ghdi?IbAkp>6nUTYMNV9Y?my!=flLX_AS>TIIn`RxrknfSMrX}4T@7ZrgY;~x6FFp-UJ_}l0 zIC(I|QPBD98~`KRDFHATtjf3!U`+nF=b zxbz{W2ioTAG@CXNzqgLK6IvtWHRSO>vx04%FE{mk2jJ2qC_{kj{Fpz>NHO@o|3!vF)uZ}}F2YiC>ky5>Yc7#X3sngZ>8 z@!xIe;+dI|F!}Udh!#O3K&>=h#Y-fbzd`bYoY7|0>x1zGjzl}?>g#UEZq`#Sb9veK zSIy4ZS)`{2Re{DyV<+%stTaZhJr%B4fd)r(Xb*rt6aS?P)esz->MSyqQ>dyuGE?<<`WUF<39qhf) zjnn6**~j6ICi*E*{EP|rTj^r?)r{M%uq%^A*H5_Io{Jenm>y1-G1<_{LA*X{@-v|2 zer8Hu7Vrk1KqhxV$N-WLBxTNCksUrg6Z)(DIO=s~NZo*D`^H(V{()AnvwG#VE?*ch z3%m-kku<@~+fIjIlaWej7)j-boEC_X#_`3@iM#)#fb(2Ju~3msU^5Fk4ki)`esT!} 
z9)f(}XfFR9f}9lrpNRi72|6yTEJ}?uK$+Ljdfvt&MeF}uF6;v<=(XD<0Gj>?A=RYS zoaF9vMvT@AEbDm*L*(z)^jSSl+WhX?^DgQ`+&al9yjt_@!%@Ng{!c}5zB~JzE!&9U zgn8<8#$oJFNhU;xU4mGSqZBnFH-rNBoO&F3x)+VQCF|4?UkEmOZjHhs&EEfM*>#G~ zXI4JmtF-bCjj20n0>T zGE9iHu}3%w*N;O~cg7^_Klkxa9ky#9@Sl9jAMM&9vZ7mGM24)iXZe1lv}aj_&HDd9 zmGx<%7u7N|0_(771ZLCIp0^#96&w^!q9y@Z%pK15g3wHuWaSkqJoMp2b1BXC-n%0$ z)7Yt05C2?VZh)mj0y81|d-^ehi8c+$@wpQ1?eMHWAS@Yj-=FiL8XOC>&Xt#|92^Sy z9(w)6`l4sxF;S2l2tEMhUjb^q2f0KJSt75%?b_vvy%%>+vG>4;q#`f)MRzD1Cm9EW zoyY?$NVP|zr#6EYVq>J-a~u2DVF(i&QPMja*f9B=0ghNjv2HuuW& zG_Lvqt4QAGJl3=HLUEhdP52Aj{wFZorag4bM{JgO$b@R?q6E zrge8S7{`c*|HU~9GfM#Tsd;bQYO)te|GF4`|2x$HX>32SA(WAzpO)clkXHM4-K~?D zA5@q@8+D!Z<(bjqQb@C3v#ucf?qIdktlR!YFArsK$e@A?5CrNnn`bBg`W;zGU2HH|BX4x) zvlhEhis%;O$V}6aa4?~z0b0jZ5tB@AW~ku!gA+gKPXIKnpi_A%L zu2z^7PtD0=0Sw;$f34>TJskQah1=H>I)V#}ykl(0_h7%9!7;-)vL8OnlpS=bfqWvl zo0Y*Dmqjmi8W3nwU=K!imHfl{Wp7<_k~5^ehsl+@$!atTPmDXHR86`R?MHQYr451E z$7qO{nM@9uGC@y#7cWb&BD)Ia$h?xw=wA=k{E(&_c1uBPMrGmm-yNmwUTZDZ>{!c} zn+7MDyR)HYMuA9Z*`NI zyP~$A&K@;ZeHVz!B*+A!;`zNGMTxkBo$BL85tB+UKU=$y@jBU-sqL2C3jA)pESoex z1?AppEHe-=Z5a^j9TF{_$azKwjCf12qYIkGq_UIl!&1oSqLZ9SEQAmE%yrdfHWO{) z*Dz+}6BQdA))E9@LlN*^w7GN_%=hLtdU;)w1$oJO2s}VN6^VP;@x}wRbN;INVO0=AqXy^=E`%-W$hNKtzRVf*@JtztCKpO)g;vZI`z^q?WM63Luk;%?Xw!5jc^lz^ z2pWkvvX|w`z;MuQz!vSYgTgjd(jhGFL2`RSJ`JS37IF=Op7Rk5mWT(}*GxP*;D6oq zkbdn=Zs7R<(z?^LF!IDs)^Kf3NMI{zDzKnYX{1D0Pv53t2V`+nXA0_&X5I#D;@6)? 
zvN4#(w+&_AF5!8mx2)|Qq;tC+7319B)q5_M;i0Rl{3<%LMSk|hV}ibcbcapzYFH(r z1Q3coM`iq|ZZL(w6NKAj9#SazPCmsODtPqEQjerlfUZ0=;zhPpDD%!u;F6(2{b6Es z2oN>nFb0N5WJAWXZ%B~}EH5M&sgK0Z?Z0nV0?2s2_5Sv469gVt`3FX40g@(3 z|I0}?Hi`%q^@SAH=O<^{O|bMwRX{{E&-Yrm0*^vNN{@e&h0gF;z)fCvnw`Vw(i)C% z%onQend8Vk+KcCsGFm6c5fVNpmRe&%Cx>AMs1N();D`5|6<1 z_A#{sJSAmCL4!FrZDQm&P<;AfHw9Sj2C7hqWC)3*z9y$0L$W};eX8*au4fBNBkOWr zb;E=dp!7{>w$lO%vdoUXDFw42%PMkUfgA;4v&j;?i8X`}o zc%LV~F12$AiBt`;=XzQzZ3>kdr^!hUj$~&DlEZ$~F zV>^qF>{=~qD5Cpu>8iQBQ|YJdtyv{)<{M1hfzEmBZw)eiVesp0%?L{+1urk!p ztH0woQHTh2QFR85Dwem|ks0^eV%+2HaWzuNnnihZ6qahr+8Tfi#?2Zji_(Rl>uYG$ zOU#at=(pL*yf`r2^?MaM;6w%4`-7<4P^PqmDpiBje7M2>B;!QDMGQ z?eh3O^D;2EA%Yg`f#CxrM!bPkb0mY)VOm6UsH7Ix>XR<&3{e2Q9=Q0`C3Typ#Wi7H z;=lV>PFG5Up0DS(4#qJ^?PApwp{*8@wCR(hSuy%2NAvySS-lEtJ-^qAK-7tG-X?w$ zH^XHwk?xfhm9!J*W&>K%reeV*S2iY>J>_*Qj})E(!x`02+OuYy^bO}#p|7%z=4?wY zLwTOpqe(r7r$~$9iQCT%S@6}t)2GZ`{QJ*7)a}bv!{UrLB^yr`65FXl-Kopk_UEH} zQjhM@*y@{?;vKBxr+H^X5UKth3wg*=^=^wG?B1oF3LdP17k4O;N!Oy!P5vJ{M6^Qi zFiC=6F#nPip&1fwiXlJbWcD=m>eAbbE|^@L?f#J)hbbGr!8>v>D#C4XQ&ZDpn2K@H z2JxY$WTB}iC$>efWGv8OCOh}ZV5|d-^E)ZW$V9#WR580mBR>ADA52so-i+;=$3;y2 zaF*rlSMmO~Ep)bhgxe(!&zfM3`=AbLWd~opU#xD%U!^eh3gEV={7(6je$hS3NtVI0 zxQ2gRy-vS2UtOWbJSlf?Y5}9W>VG+}csqf2{8gAv!PZFnSaaCjN*I7x| z)VMV;Y2KMHn^TCkhSR1ZH{;<&3@AdgIM3mGzuAMBT=%koFY_WRo1i?+66&?2FMFPb zY2b?0hsIBw{lnh{9kRKIc;QLAHFlMAm9*e*4j?t~py|m=)nIGV!w<)J4h>>K}f_Y~13o4M#D`y6RKNR1jr*FU3x4E0+AEoqUwCX#4!WbgoIl z_n$k28JT2TA4!`F;KsagNEhfE>_^ycUFr#I;rL?RoH(OEvJ)acHuGFj;bOFg-r|-m zB#F)=_G~CSB#c9zF%iZPPY?r)Bu4OF&@|4?Xv5qsWwJJV8`q%FaB56an$zVc%;=J< zO%x1xnj<1;@CWn%CK6n=QD=m^+u5b;r>a|rBtjG>3JW-8T`%-Vx?WPSdpU`b$tSp-i6Ch0=S&X|~YYsAf|eyWm1V@`c>4 zq8yv((FmBIQwcUrc%o?9(B5Zrz8+*$L&&M)AL|>fjvdp5@sFeQx&mZ^A5lsc9g^gv zwL;PA{*NeQOSYj&UM^b~hA&NL)_*wei&rNJ)nBqU^=26p8OJ5pL2ADXbYFgq67PgM z9eu_0132uD_MFtpPMB1!Ug~UL?s5ITc5#SO{N^a-dEu6|^J~bsP*k zjW|C`mV$!seuh+ig2U4@YH26v|Map~IQ0sIjbz!AX_uhi1e8m?Jf3;$S-Qbq z*A%162^Web*?v?IG3}vOt^X7>Ai~5FD}t=VNSME`nYCA>iE>J8cg8+8u!b42EfIB4 zUy1+}Q|H;;BD-{vK)+6%ylC 
z2KVhPcm6`BVMJ=V6Z?rQ^>|vBdZWhgqG|L^ueo+z`BKR>+^P`$_uR`7e6@jofC`_hH!%7mN^MeJ+Q|$*$R}*U{ zQHO%9?lVU4dS+B@{5=uUs;RCIIv4X1qp;{*vdV!hvMw5__!8*x0-gd9vU}vVMKBUx zL0S==Pq{{xQ&00>*e>wAdq-sIy)IB*)#I?z8yR_%zCRa1*8du03EaW63MK7laiE`O zgb_$DtD*T~>i(f_Yk}c;;xe>qR$Xw-uI6#a!8J)94?u)HN65L&-1T_}Z<4|^6rzKE z>xjHzjHzEv%y$sdLi~He$e@Nz6J~~w=>YfjPLHNOj`%dwd>`#vcxl%C_oAuVtv9eY zLq}uJEb)LmckpKhj36w+hBzhCtCc(A{c9x%E1gT(SpfU48Z#fw)1R3piV!mHvGnSp z>rkYN)Z7)!kVle{UbWP8Am`AGA|ur&=vudtBxaI}SRCDyEZjqaO4d3dL>aqSS}QE7 zb2=*92Q6POgCZjxwum6#I*Nrgu`v#49qHJ=|1Kh|s4VXWvb2ow=clxqMuQ3#T|NPh z>=lob!5s_zKL3hA$N0qx`O4(ds#!oBo;i3?+Y%nq;Bzl?J7#C;g5j zqn4S?Tvk{P-z?{GS40xPG`aKrLx%4XolEuJvO~m`n^o%k=U@q#Y2#&ijlE=jI7|$k6+-+U%P$82WH4jrN zO?Y(4Yv5jWipy0!J&*&&48%WMwDQwsXWuANb1R z6yWSxAjekQi`e0;9Kl9kksyT&BO3n@q-KPb5T?mjYk@B@kbR2v_mw)n6MrgwcL;+Q zGHVTo(lW4Ev=4FWBtf!IEQQ~e*snv&w|+tSZM4Ob!?-vB4_PiJSN2atl+a<9E{w}b zg`8M+_z!6(0%>PyQjy3q65<2w*mJgWJ_wuNCn{ps2u$WAC_0yTV#d~aVOd#ncOv&t z@oNo2O(JhfestSfZK_-9H?AEW3cg^RD+m}BL!=NnHB~4OIg1bA1%OvjAazY6BF&5( zT3lHww-H2cn}vfnB|?8; zCP?NDr+hvLS1mIUGo??!c5lpGwF(u8fZUbfbZMC!WSXR+_wjf@oceUT>w+Mxo!L0C z#mY;#&rny2k=R<3tDL2<gkw*q*pRIWqCuc`LJ^*I<>#PjP0)IUza{ zr4N8p&ACSFYfU&uE7-3!UBL`)2XRvaKYstF4}#{iANWkuk;tVhNdo)P?#FV-qQcrD zD%#2-_*^;PV{H_;?&Bg)`ftF3m^yx*2P#l_82}w70=XBj9!SvyWj-jpcdX~Xzmv|$ zV8hfy#6Uzp;vr1b#T=)BCty9^33;GyDk(7`Jm?U*_SbM^RoLd<^cn?%2_nE118shI z#-F5PgiAIo!t2kg$ih#G4muE3#baf8Fo8hopu_p6Irv>RocSMm7Gl947Evd6vZpiH z)mYIMB1C1-q0X-|$8zh^IcRhy+(T?z7EQ0@kM|V$cVLGo9U+tPz`tM(y|PP2u+jY3 z6`OoL1hr@cvqu@o?u)d8P{-HefAYD($K~ng&8ChxVHPjbCA6VLdQ6hcFCbx?X^-%X zV1gq)KKofajW(S6J7R8l29&X7L`sz>oz;^V@LNV1V^rYM<_Gc?_-_3f!6EUdrH3zJ z<`XAeswxx-&YGP#kfR#npt_R;p<^EYS;XpqUtW>qD4Gw;Do!uJ=vi3N=B{hjUylBM+w$ zwYY@gyP(WN${`UBMNj?$#8wQw>ws%3m zzP+8g%WaQ+DckJ1bJnW=iJFi>3MEnR+XHen0XK;Eyem8D3dg)^1r<2X%Ng+Fjl%Y* zv7rAUDQ*OoA=gZM3%H)DMNn^Wzb4;o{h42RoRw*Gj}r<{SzNz zorP-yZXN1S3IemmNvP2BaBlv^U!~-gMB%m<4UqNYtOJ%Z*+)Ff+=_82MU-G5)S+dBn)t z+uU8{eOt%}P}|WyssUFe*t8LF@j#7CbtzZhB;Syavu=x%v5bPC`7!c3`0vT<=Uoxt>oOespFOp 
zUMSLG3x`SA<_zh<%0Dt~kWqqt?!wveeI3U#v|4Qw!85L3x6RkT%M;j;P3Ku5H6UXq zeM6%FU+pK!@=iYCNlzd&S;tX;UAbYFJKUtIm56da@~@oH{e0fkNVcg8F3Kbg;-X^} zl@fHU7bTJ`5neaWXp{{){ip=l6C>>G@ZFJni27pDsYp|~IoGhE-)Jv32oXwqblJNK zk5}|Z;YzFCX_8!7bT5N(Yl=QhByE<2#ZF9T(vZ2Q&zWoG*J4;PrE`CP;1S+zA^3du zMbZgVT+U%+5s|c>sC7_80?%)@)MqY68ctmN4Hv^G7S)qI4;)H&RxKxPt^4Po!+6V) z)aAw)!Z+h0L2|3{&ab~xjkdPlr)2Z)-l1PV2OT_@i?xgiRG2jAkIG1+^`Zvja};n# z9xOy%PE-!%91tw6V9z9!l#w$unYDtN$0m|SO!q0QP%=5>l-|zi#tJ4qhaIgRD|l--G!oO2R<}dN6$){>_3@U=!U&hg`QDJXw2~~*7TCyp`J3Bur`s@;RtXkR&Xy%|!C(4!NGLkZ0D(F^K*unEdBznQ`dU zaCikhPO3MM@<}t*WXCRl2CVhowoH7JZK-6t@B4Gv%ON$%pr%P?kFd+Raxf)HS$2>r znVxA!1wERj>LnK4rKY-itjJO}vj5W?3Ap)hHm{CkFjRBzkB$AL$ zxo3+-(N;cZ5RtY4V`+y24QDujd}kX!`aQmZnjmQ?d4YB0h=P#ObQQ4e4hrc*`u$sp zr(#0dy<5hndhu**jquB~?eflLf;nB1yMR~HHGAS4R$7Z}p>-Ssn_3kBQ+;0XTO8dS za9lsiag?ST;v|;Z9#~GyB>?n7rQusSNW3Bx+OuVG(0T8Q^|pbv8{ODN#gdNF{=W7a z`}%82!4ztSfHPDiP7_d1f%&kADE||_0_3gsu>An~{Q$Irh%gsC5*0N*byfOb>14>T z{CCKi7C=q10gZl_TiAwM{&I!*7)p-!H$so_&dBL)ieC|KvV0NWZ%fr^NA@#9&N=z8 zO3)jd<`bW+AwFBIG_tStKcyg>vNzN(Cirq(;-OKIdBEzO zmTs~|sDTJ&9apT1n0t&?+K6~^oEi@jS$RZ~TKFSN0#}8Y-Y_7!jWr!5Qw1nKHBkII zuK$Vu9JGdvF~86&%JmLNSSVzRqVYONqZIsQ!a9o*#in#rp?LTm(M-bfi6DhBCx2}1yeB?L5a@cj&go$nfi|{XeVXQ!UsA-a)^-(Mp z7I+lJUiwPLs?p=7WfCsfh&}(ey*xuHz1zh4&=ig)0HQcU!dncSBuMKwDi2W8=lFA5F%9-*)dIPH#Ka|t00iLS*LaLn zwG%%m#o@ApEyxa)nNZ1M?mI9d#SWLImy0;S)Ad9Ch^0D`0wUIc)PyT&<_(oX>#xm$ zrBq@mcvbkL)|r5JpFvB(yW_sCI!Xwie~E4$FlBLserJ3&NL$>oZM%*m(3AUVWFjQ> z`_fYP4Moc1mRV?awd~F91CK1a#2s+Ii6MJ!-KGnapBX9qswr^vD4M~)QS|0=W^hX$Jb>|}zVw0iN>q|MRd$d#J}QkoJ(>G&HVkon z*4D(h^)4e%>}@1HGrFdeF-HD-sHR!8*T2NZB-o;iW(@e6FyI|T8F{|s@$v}$;lzUm zu>mOvp%pW>ZW`i3&bm{RhwAxrZs>j_eK`vI#Sc<^E+-_>CfcLq(uF*M#3b1HMp* zSttebDNxERbYa2a);Qretv?a}1;4e9yb@@KN7e)~bK{=5aAs$OfrJx@31H1z$6kk4 zo$#JU;JCti;#v%VY)88c8JWn5mo#091xrwk^W7tErK4N^dLSd_t`t2zCEo$3Zu&iz zz;*jx>yOQw~3^ zn3F6bcFCA;nF#$Ex`;_S9)$sC!TT?v_ z2cEh-{#Xm(vA*ak;if0AC?3pNiWKu?U1+DiP~kbZB$yDbz+LB$nl)wi?!G4>xIB8GVa|2~9gyhD&9oS_p*`LM`BF^^|D?-mi6B$nN 
zH@2T^*g_ivhUG7$9I+qLYa}G1+2PI4@e! zMIAqvH>*pZpm_x1rp1fD&&%S2IDfhPEAZ1ntn+Zv392R#67XhH-O_e035jxl%90eU z-~0la3ZGQw)RBKvM`l`_B~U z0}R*I_re(7g~=Z(jn=Z8CIbXXQEQ)EZ0h#rco97VrOISV+u9)uzpHHUODfOZL$d4O zMFTuV5=F!r;j&G6#8KsuN6dDOp9Hbv9V^(16N@ITtzX)e`cctp$sdx@Rt`iSsUi;C;tTD`gtBLj;l`D zvt#3qaFY(BAAZ&FjGXhle$>e0gUKJ5oSQyr71r$|_&ZGYo-{DIJz8KCPs0>jE9O2! zRq3o;OeSL?mymT76hT61^vf(N^)CrEUnxXpEpS@R|E2}|f2Re-Gzw?ng=kE^@r_#5 z%~eDJa&79 zzgpP8pXW&9D0FSn8ab!QPcjiBfHA6L%43i*eIPrZ{X>57cl~Y=L%yGn40X8^03kM! zN~WR%?uX(gjp;*ix|hU$wUx?)uR*&0bC`%cZME32;fL%kU;_+cZYhmA6PTO5R6W7V z@5=D~ml!h2a)&D}t>m(w^X_+tq`z;OF;s`@q79fOe2e0nX3rjR@9suUPTXT>RlpP)&~T0vjJAnDTv=GTB!Qu*m77A-ZKtnzdX z`pAe^xoNFNMtkzHT~k@`f5(I`v4P@egYJ3v2CXhziq8tyn2G*x#zpyRQyr?)i~l=l?sCu0&u#J6d5-omt|za0D$m6vwT{6nlsWa z=$@7Zjnm8&^YswvI>K{e`58lZ+hw#Du|yX8(i-Vl;`wE>bB_&!%!7e4z8@cPyc>wG z2iYv8PK$}1Y4ki7ojfTT9PZULM=WGlr-EKY%y6N-omc z-9iKJE_F2rq#zZAB`Fv%#5lecG}b?B{4c7d&{JRJ(sHaKmpluD3^}?wqUrhP1W) zA^iXu16&c#1KzU2@MpS~YOw}y@)obxwq#U_>3A2XmHSaq85ZLo@lT36{XH)=IdddT zgAVlY0}@-_b;-Bty}SLGfaEv*8#OdVKX$)V0@R=k`4|G#t?|cu@6#d9D!S;Sz>g-a zk3VicJh=`1*%a=c)c*a?QvU|84Zbu}N*q7z@qY=Oes>-R5PEW48k)Q+wug2&ZE=8Z z3S5PNoRL-^&x1pzjiVa$-YWodrmyGPF6UhLpEm|S+`}l+RU8d?{qI}&(g??jgV(aU7UEnd;fkX zT-h!2HP0ACDgO^t)`fyfKI8xz%&q%T- zv%PGV8CAA=7wSdiw|lzsr&pC-PBxxV(48fTl1Je)-&1i)*E+JlGOA$Ay)EB{?k z@vnW#t}(Q41T&tGH+Nbu@Z;&Zl2{Y9L}X?$lS5|@`<6 zs13gIYx!H%9jp__P5hg6FMeS$t^GZ-n5(CL>ecvxnWVe5R&T05ydCyW6Y-pgoHZoi zm2R;*FVtGPKs{dw6p{`}_WtweZEd~zefr7{2j$HYLQsWfwo*@tw8$lEIRQ0gMj0*z zBceV^H}cRB0}*BBp6SYqP47HAL}0m6`cy15Op*R%xkaPId~j#=vWiLOFg@$L{UV>O zO{_we6dQykVk7?KbZQQ_o^#-Okj@q;h(i~`$TVZ9u*?U>~jt4s^MbO;z`FHOi6Nywew zBnr+cGL+1d#lg}l#PGkg(a8$Cs1kz0+ni3UPuwVsu5+9OX4>*1+oEAB_k@O?K%dZ2m(0NKa-;GTZH=r8ANGq|3;cIcAO6YcEmuD4jkoKq|lBP8Uk^c?`OKwKK1zR2laF|_?bk<`U?m!J1dY%Gt$0kgIo@RmSP?pE z$kl$`#?1j_27UW$ZSnYZ_FIiexhU19?b0LQkOoZC3^h zBhcGsP|+cD<&vi6DcwmZl9snl9r^s>R7AuCt0WGdvvGG@8_{5o{`)f>{m^LJ%w5M- zXz_&ipqSsQCv?(=h_WtN#3YQPg$5*y;AqZ%$8xabWbByL37Dul{N2klk*`Qpj9!Q= 
zAGXUz23;C}7L`nPB;DUY!zg-f=bN?B-oc&n?vWxrh;f(3#&)o1zCZ!oeWZuKj9rUy z^#)fsBRKx|6>B(dat&!>K<+FJ9m2DSW}ofZo4#QWiW583AJBfRcJD2lVMIW1Ck!k*@-eA|N8Qa5cT&tRR79Z1-+ zEMPTPMT37SmJb~ z>(LkpIv+|?{SS05^2-6Tuw2E{T$TYSsYZKeX_*^m!`wWt2Y3!|I!Lem;njD!yZ%1N z-iUhq@ma=dYlsSuU-mu!x?SWvgid+A+=w^B?;(zi+H>n&Z(HIuF&l=@G*iub-Va3p z90nKVI-^tVJW-+)iVpAFp1lY`JYDAM^0J*<(l1)^sJX5C%2wm9bxG@Bx|o`U5Z7|B z7rQ`K-Nh?Tzu=)BN`3*==H^-EZmCYo$2lDRD%!4e7z&0rHQqNtjkB&qel}l#@Ij*Ia(k zYt(F}b>R_j+gpEw(&fZLxfolP72qLzq(cpFB%+BN&!?cJ{aYO!knworwr=Aa-lXLc z@0=G|eHUrb%}6e{607_8d?V47#I!f-14^d*-f%|sTW&Jb5b5$Nu_OI=!Gcz3J(N$%ild_+ ztaRz%#>F`jc8>;p724|)Y@9)MIzdCAC|XcFulOqag-_>=hT?Ok#0i1WuPbC87XtFh zfqaDf$yncfROpOsfe8^lSQ*K1o*yD96%jQ26N1&N6!tpE8XdmWwBk-&yxEwh$|eQFSgm0&2SkY2O|J6uSW8gIC4+Fbn%+t@XSd{#?ojl zlP`(DbO6ttRS53yYoQ+y!!WbaXJvFTpBYFBu@QF4J4|Rux!M0=8pND)Y?@_`{?PU3 zYH9TYrM&i(;?x(+S72rK8t`QziK zOd;|9DCC9j_7o=T6<#Q*@_LxeW#xMCC2w|Dc-9*C!w}+IOB-T-Sy_hlt`kkOPK1M5SneU}` zaUbwFN6NNjJ0Dl9X7_tqPkMfa+aF#ScWf#18xC4lYGbixYHW&__dbNTOce%0-qr%lCd$+2Fs{!a0I@=gnX;>e2Zva{j|20drB?Er`=;d0Tg9@6jLxD?%RC znT4QTAm^PcVstqsS_c|mN68FUs-!;h8fd1Z2Py-kD%0ZV z(2&td6c*Du94%OHgERl+28h~-BO?3{-6Oy&XuTRF=23u#iQ5(?KT`Tj^Sxep1O8nV zUs^>Nms#Pho`c@{;z?2y-(JxY;7j@vcNIYF2%{4V6D>qSp`FY(!wqDZ(7sBJa8Y~c zPk<|$hTtJb@;%b097ZI^*`0cg#lF;o|b2e?AQH{Xbf`*>K6@h&>c|# zPfs>v5GO;UH<-U~NmbysG5BC<3PeYLGS9OeixWqv5KKHokOAms`H|(Jr=8*#Rc@P{ zV$-N>^xGUB22`2Cs!#iO|A)*43MWZvpj+sZ8SmdTC#$;ti>1dzTDr6zm21MCC~*d(0zYcI2&l!z#QRy$Bn2ux!Gm=q>RA#&$}*K*RRawUjl{w7=NNV> z?l9MN==^P&{}aL?bfNFS;RHp{%F>YvEosHRdr=bU2w|J>mr@?2wslL;Ia*+!gA6G? z5E+MKR@O#0!j_CmYUYb2(;bLA9u64N%8sb2sH|{-oPfiIwMg?%tB5fTQH6wAu**=Twp`I5XWaZzxbiDmZh+F>{24Myt)Ve=lp-l z0#{Fh#DP>#f?E(ET_Qdwi0p6CgXY&9UDBWpo##0^ZLy_+oOfw)I1! 
zerV9Y)y_$QMc{9Hh*Be`4>m7=yl8F!P&;Y!p0=5cpLX z(1YTsHpl4ziQe@In=sBx#T7syo9l-kVr~F=%<&cUd~IBLd29J`P-zWrV-E&kal)l7 zu%ya!ljn#t-+->9gX=+Ih4!*Yf1iK}$=D%gc6;n_VDIZytp!MkizkP|;+zDj(~*sn z$V>OP^G&BZN<>ynXkBs47Eiw?VV?NRp?7nQux|&N$jwEXBn@#7+~us7yC-q2c{d*i<=O3#B#1yT)k1UC)G$`h{_N2NIQo~M%l2lCa zh<&U3#EMf%3W{QiDs?dzI?V6eFpHVPEwJaqjssHd?0TEhOYirmP&*1VX_XX)OVQKv zG->%#twg`2xRLm8>r_mh`dUt%mxcDT#9*#kI)j9~VakIAMFoeL=Xs#hANw)MWY5#c zhDpfLCsj}uX_CL*NTOI`_gbZ^@Ar!^ItnoNEo{pebR}-D7%jzbuMV5HeflrCDM~zj zY?Is7TwOMDhRL{}2^lq^m)haY~reecKjKj%SIX-XqpaGLmSdyZdFH`Gb~m zCLo{oi>1j`Jnw?EDWFoo{u)iP39lXu%(&^dt6Cg5daC)Sw?I(&!~z&US8 z7-?Cr@J99=aT{OYNlP2PZ--NS(w&Q?f7^bjY-HE8R#LJPW5XVpjtLeZG> z+5y-1$6lfa3`7GJYM7`S4|ixpgBY-m!p|h#toWc4V(JSfO4Al35xR;7nXUBoV)>b5 zOv)3WnZ!Na+4znrn4I65?}F3HP_0l%?Xiw$i&1%Bk6kE@!?XQU(1c&zfFw-uNj@Y7 zJ=wL)#Kza&yqp>B`T)*XcZZY@Mt~B zCW7quQ^2+#LNI`|N@U#@KTC=|Fh~a&9W=*^VGFz9hNkDtKou1Hz+_KcNf#qd4eg1O zEYe*4c+@9uku_wwD9FN9RCkI(r*;ahl;jAf;Cx4zEa zqJl>b0VxRf%j%Td$3nyWG()19>%tVtMWGy16zGysQI8zeRsdRY5yB<5%8nwcVaiNr zh?LSk_xrzzfwr03vraE4P^#{?H`^B~2Wbz*53Ox_SHy2A_w=o?d86q9 zOAnXFoP~{)N0AMo`O_EJ8wljH(ctFmpqbwTq@ThKU%^J9_C-WocBYUlT!y4Vx2LI4 zq@#@+UK*#NsRAW_DZg=9y{8UK@ZYFueR%C@KLrC9M&=i~g7M-V97v{B8BBztE*8$g zoIf;@9{YD4Wf2^p1*OIflz#|Slm5ucWwi48iRqwFyr7>lKf(azEn!r=OK4bpk;Ft@ zEkvwNDQDPXOgi2?VCh~gB`C>}B5T{U2g){2KVxA~^AT)WGZ|eseY*`yfil^Zn*elR zWe;V+V|zg7P0@m5`31TrGr1|+sw4^>gNeH%PVo!9e*>Ze4io1OmmFF~{2}_m{bO$F zLUoZ6j1GNR9^a%`+Wi_oGPi*k$3BC6>K?5p@=0a;J&B#le98ebm5Nd0>(T7RuK6Mg z#vh`Vq1?dw!K#fpj10~=9I~C${aX2rzl#Dcte2dhVnSRm)@ZQ&)vBJ^xY^`t{7;Qx zRRjXP7C-mbKPq}r$9ltB`PSy>)j~2Sxv#KxIZx|a5&>+wNfJq##F5ak#%CD6n<&JS zSVR)Vg!-zEH`9NoGaBQ*rykGWqIa*oECT@bg5^q6cTh^!kupLb>gojN^_USV{smd) z^Q&fh{+OufN#XwwN5>dY_ty@~ zwtX{~R$DE%d$VnGVXeB^=FPTk*IKrhUCVZ@dhh@JP@jJHJUZt*&v_W6PP3ga1BCnM z(7Tgf%Y_r50qv4cnZsY#>uJq^VK{?kAd>JG_5whQK}3d2=7_)hrTo$&=ewU#>-t5u z|DzP)>QN1B^x#+cdel!$itQoQ6zj#t@*SbZRIINpe(l^;s-BuDmU>j!SqU-u8C?1KOo zM}MqnSF8fDkUGBW>o3B@G_BA7&ZidJd5Y7YysqO7AL^EE1y0gpzb6G=y;(ed3Rp&o 
zBIMwOYe=;kH?3oWq(W;TKoHR_R~&H}ZHnM&(a-pkg7QzaEgwCtrO^y$BDF;deqvSc ztcrX!&dut#63q6m&&m%uS}C!t-L1FCUiS#%hExL~}Y)DwKofe%YK z?ZE5q=63U}J#A;wXeWLksb}@U_2UerE`mrKl+RW$i()ZLHJp&HM4J3xi$FPH#@641 z=S858UQ(Q{uZ5{t9SOjXLp)2|DM(S_6c%LNFU|$O+)8jslN3=&V&SZign3`l^(ZI2 z`I)a&a47#&39<6C&|O>2%|!wY$xY}LXM1x!e*KooR1p2;FpcswB1FcK4q&qkcKIlS z$Wv-#-7uz=Zp$*uRA!ZV*^fudVLxn`ZV8pB_{LPj6SYXV<&Ut}mv2OS!tw;ZkAXkq z@~6*eP#4j&ya&?lb6jMlx-}W4%g`j{$2)cSri(n~=YRN-IBlNB2CmX@3O=@XdcQKX zKKneJFBTYH%&#%8Kj~sj_T|Q`FAd$#yS??&e1tnVG+R{*QYKC*+?lQ@)Cnpq-QOHl zn@`gM)P-ffI$ux!J^dZ|!xd@Utc4vPj%;&Y zND)(?X{H9y)(C+*Rba!W84iC(;<+3~7^pp?e5PV4`RMY<^9!Am<;t#@nb#I#z$G%S zzu_QY_Q~Z1qwp^K2=#$u0EJP!GTl?OTIcHi+^xShpXmIWMkx=6Y4AX+o;y50te-Xr zF5i(xnVb`dGs}%~1CaA(Y6kUO?i5l%ulfO>-YuJk{4Y!kLyl2Z+b5Lg?$}I;L;N;{ zWS2=T7{4^TmQuD@?GQF=7KRasL++-p^XxYkQrxJLCEO?pW`Bu-zY;+MzRwk?WrlTl-%c18z`HJZ zxXw_0rFsf?(kym_O*6gPaPr5TS16fOQZ`8Z35dwt1H zB+6$66O~Lt4U*D3v}fg$9EC7HLT}7NRx0zgQxgh#APl0LZaHF)1nlLyFE2~4C04J# zHJ2`UaODUrcKNOYOoHtr&kGU$5Q}T-+}0lQRgCfahk_>BF457gS_z&_snzJNc%hR# z^{gzefmx7r+P}b$r28NYe}hjp_TucF0(np)ORCCnI#%c1Nc=<70ugIx z>-V=3-K4!-rGGF|CVD#h0?B2@3Jj=-WPN%_Ni22Ak9-aKngPyyGYToBwmg_r0apzt z$#hc5k4>NBg|aLpq&z>vks}^$)k7!9$tMQ=9Gnx7qwzVBu9t6s(!30%8F-KO93NHX zMCTM>v_!uH$Ei@8#sPSkt(KW%g?)A}tvsz@uwx`-Bn*2J)Qi;5898j9GWfRjIanKN zr2HblJ1hGD=cIMS5%e*SU<#zp{=0ON6}hi{+lI$>dmxR^MT%4JHNdAezsOKPPoI{f zb;nCju`;b}o#lrc(xQV2%ru=DoxH^jR^E1{F0jDV0bA09$Ztr$q`{!nit36H+b_v+ zTtZxm0oVxa6B>06>uKM%YB1Oy(B_0LO%7dJKw-D*vcxX{CxMu@=CYhWxTUyasQF33 zEx^m}&!$VNAzdv(&w|%q&56y8G%-bFOh)_!XqilISopoM51g{v6MrnNO8>0%pj0cc zz#UdhjS-(NBQ=6UK`xK=Iafe@8coUt!_ZT0DDc;Gn2gpd_@x;xG@Iv|Q%TKM#$|rX z?0G3eB>^GVGVQHEKa$m~8o680r~I4LKO;#ga8fX~I=yyVT*1NS-B*@&0jl8YLxcju=`moQZR;8B8~*7nd*c)Zhl5IMCRnFcvCR69$k(T1yy-Lj z5L{?~BY8Pq=5nS;cWGj1DN7-45&q|o$-%>|B%!;5#S`38M3!k#kuH(6BIq;qJePuB) zE2SyoeBa$%u_RV$Ccl*Eqr5;kaZ1f8o5i)6{znxvDYfE86Z6B5k^J8H`k7zFp?bps z-Fq*PvN?pv!?e7Gd=LlEuzY)HRPo=^Xy8qHbvA&sV{5%jtD_wKTSh-~lR7kJr)QEM zzO^5q3NE(b!WT3~VXmm81>@95{Gm0a)ZwW|$v@orfCIfKQ%sR*sW?h-CC?9xf>&w+ 
z|6gk(z;$dKQyKQfVR-|exE%7mVyjlA1N|eIxOUAKrS(D(Zcvq&4(hImQXVX20z>{L zCMsk05sqah3ZakCnj~5#MsVGBF53?>wF{UARUZa_WN@Dwt!WYaubW$JML0L(H^K$| z$p8*Gg^~yA{*W&XtX8WYuCQo64jhdNmcdHOuy|KSl$4=hca(y}Uy?%k(mQEj^Y4u- zl}av78p!%Hks6uVSGhlRCJ1~^=tLt%S-4frH^tu39D(dW@pwL<3+%q$(5ilzbeur& zrC6{uH4dIR7e1Esjye}EXLv(;qImb)f|?Ld%y_h9#$`B%!ecJ0M|>C$CnZ3kBKNlg zh42SsT;Ev*qTs_^`aN*Og-g?-ybeujHRERrrmU(~O?h|#Aq{$L&rI93?NufHZ8~{q z(NQNB%V_Q@i(F6O;L0@bSHMC(W;m&zC8A)Pvh~f^nE@~r^dPc0u?z%`TAN|{oG`Im z(O8QY%sTFPKU8!NI5;j?GaO7ep4m^oBdes}b2-U1wR%z1Cgrx9Ja0A7h6#B-5_53F z#arn^j&?Y3P$)JcYpGqth$N#i@IZ2XzrDR;?VlOD1zrQI4xS=7&?~n&n`@{tZPjqIoKq9XESim&=u=&^S|J^5g}Dp zPQ@Yp3sMk}<$P@%a21q;x8^YpV|fC!gM%- zps1Lu1Dy>Bl+zisnbt~Dmn=MXB6)(+m+ z?166B3|CpfqwySnB|3JV4_pra)_gr>i(Dm7^|t;g@=p10?Dc#zVnAe!_0@;U3pe)c z{^*j&+-uwLX(tEAhN24#skB5@veZh0ARL>S@h9X5M6&bW=6F~1k2L`Z<8uwy{f>PH z-G`1x`N_e-VD@Eu!`1IKXZNRTU6Cl*F!a?Ywh`*i70?lha(--yg&(vFHwOF9?zB|Q z;mph#aG%DoH1LD(MI>lcNy>S*;l9_K^`m|yp8#arAVl;9w^dc zKSQ+yR5xw~W1THCr@Db{DzdNo`$zA1j>M&_My`w(V-lWOTB7%*Q&gA&Zur8s5%VqAf(-B|e zDN2F$_e2KSgv0G^Ur!S=9*u9d0$L(C^G=6-^bF$_7|O6A?mkU8Pyo0if?A-aIP**{ zO2!qs;esf27S6QsaJo&ZxgU^@<=AQcDvJ%_8%@s$RGA3LT1 z6W-S)u_C{CM~G;Ba}CCtmk;5Cu6cD}W+ilCChBwu;-piNv;I z#Jv1MNxZgRjV3`V**u+%=;)XI=s?U4<4_DRCQ#*z-~P19m!^IzE2*5~)alm|OnQus<&0!d_Jy;=S<8(G z%1BYO48u?YK3#t@Eqj9yP8p;U$ZBslrxID^irY94T^{!hoOA#`_y-|=hY=|r3fx2% z$D`=NhGp9pi$M=8fJUJqma_PDC~FY|24<-H(lbLACTAnEsJ z_yxl=>RG6DpXa?5Yr0v`Kb68xbXI~t9|Px^>|MdX%Ynf0=<;$IQHw-FAN@lpLl6IB zXb=8&?mq=uuQN~g*%cLh4Vf=<<@yW4iM8w*HbZXFS=#7lH?_o=84vlqwrTzE108DX zR<^#G8j4}ti5nh(8DuelrIxm2IDylL;PiMCbHWh0|D2%i7$1FlsN1bn|Ls}fjW{V` zGyfJ7%anXvk#M&G%1`3aq`_m{vvIetHy-{jZKfKs`H}hD&)`0_6e%ZO^Rx1OX`Zq9 z0esos8&TLTm}bv{a<;q}r;IRh-<&Z4f&DRotnn>7NKTPilQvv>m{)4WSfvsl7f~ab zpyHN2DpF@;jcx=z zT^Hu!T|cZ7R!p@U#$}D=CWAvaF>#`bdMIPb6D0eb2p?4zf?Pf@mo7oY|cU`we9ILk1H(;y&WW=&+^Ike)rkLISe{fLrv2(F)iJp z*C@v>Tu}h_0^Sf@Mh0+MR+vCaRHWqQpd^DC(+wo$4bs_<&<9~e>VvKq@EK+9|LZ+m z7J8}RU;Hrv$62D3Hb)=F4!V%kWzl7YV0)gSQMc{#{QLfO-#gyHd(%%*twcf(U=1yD 
zmF)NsMZ|X-6u`oiL?ow161yuS?Uj3Eup_QFk^uc?NK82^NKId!-s^1j7}R`gR3HqQ zs*{@>Kx}9 zW7-@n7X-g^fj3&PLJCKMB!X}>KO%Lv3NuxM2u3!W9EMJ?yS>w+a&D(6HmJSd5FCd1 zA~riEgfBo1owJ;N`Rk+KLNFo&QtdE8m&zxKU$mgA6K0ac#Rfo1<`tkib=Lz^526Rd z3U-Ex+&hf_9I+?Hsvr)-{A>(+JDz>b3!op_FtOioCeic$N?9vbG{0icAEEjuHjnkR zD71~G*&k11ThmcLz|{=Mo@DjQgt9r~?j8MYDrJhw;2&qxqAY8-$5qe5_a5+-d~Z*V zi0_*(3QD#LwiIr3oKXa?x;6qmBf5YcKw5?FY}ud@GdV;h3+7L|hTxSbA(yuvj<7o@+i#SogloV(NXn6bG^EI~yMS zTSzFwfnjvZpuT{AgrK`|iXMQKroMs@rx#gsN?Au_)zoe8n$g6V z&5K|QJ;q_Q+GOTe0K{GoZ+Av!);8SAu)Eix=D_O+lVcP4qXbiVz&9Oy5F|byIExiQ z`}%003>Xo`r(-wxS@k-8M;Vc9{M%vryI>=F)%;s%{ZMNaZI@`M>T7SFcfVnP;}!Y) zW+aycCm&nEfw6{5&+)ItUDV`>U2)m-gyw9(NbNABaNRspY$==m`MzIfL^fo7B&hq# zQAL8GnZ6dYx3gCG-XV^5gjwaV%55L5Y`z5JT%od`h>zz{f=R@jA(^+o^D;sY+ovS{ z@*IN2&}RE;yOXDJ?4PN&KC~OF`VDZZkrRp@eJ_uiW-lq}sj87PZ~RL~!88#1Pqtha zUorv42UJKaS{J<;zs%U|hGYR)kf}qSRp=EO6IM;UrIP>*1999guU4eY+ZSvK}NqtA61Rx!CaJS!g5p1wI zNMAjQHI3Wu(R8)uaeo@29Ex8#6hA=#NP2ABY(ByVR&5j&bcK0Y;&UFxBRHkdgHp?h z9kbMg!|~z~TfbIs$lgvMe=b6K z&EZgwz{*_Y;7a-`$R*`W&KV0(;M1WjN!I^w;cpQEkfHM!7rPMDPmexq{myjVrf!75 z(80@8KiwG*tWRL$bDihNOMx85csOxLnfx3?h+>`=WIs7Co^yj1Hv1Qj1wr=jo*ahW zgT4~0x3f~@o`3;lMEK5eCaLCqJt=e`mnlczUrMD@(A7lwS}lD7YXx45@5G|W{C4ly zlvX!@lRz(3E|OK8b}IW^QY9)5i2Hj~*3Nx2cb8fA79q^Z8$MvLi=eS!{=BTmkMAc< z^<}C`C5Gju?_lM<>fc2I9<~ zH;1;!RUnzTs$UM46`0n`irV+XRI>zN-Gh(Qk(al=y274sn)xZEJdJ@An$KMGsJ^t` zH|ctvEDJGj0tRZm5(@cyq_|7H77XmmiDT)`2*_`A|Bb+>q4}CCV*19D4~>0lD=`q| zpvVo2yDTfxxIISRd3%nIvx_*@Kj=jKgmkv=nvi=3jul2&^fDhaGJL-x`EYO1VEe|) z{i45~7g)h*@jNDBmeS$|`?<|qGmit}N3}uex+-5`K&~SbQf5EPEkw~x3sMJ2ri}&> zz|m@fN$O=T5h{4%Ev%KxdGEf}auaorW|Mc*3dW=uJ1ZUxU(U0zK`wFBQj)DUZ_5l9 z^c^E#*{5aw!Za!xQJU>*DC136|9OmUe_nALpVh2wvT6(=rrV(F{riC$DQAcFybpU; zK^TtxY>tK<(s)vW63np`FDhlnj{3K7>2avhjH56~Sg`QFeR#H)JsE#r7OZ!BTu3Hv zs@wE7G1E0|f-J?RBUu&y$G{n0KCJd_6pQjOvaIoW?Aj;u&QD@pTQrG7>z ziJLYp`rM3>Lpk8&HY=U`JuA`?r%sJH&(Ggji<>11H5r=%@*i1&&Gw{`0h<@^yn2;I zm%AzNW`<44dKrEn|K481unaWS+%zeFAw*nEzeQSH3<^}GZVRkkhmP&h$qcV*J#9^E 
z@1S^#j$&L~d^bv)KiU@j;h=eI(<>m^Fya3lZ5v^B{wSbdH0 z2whKHzm(I{xil7fSeHhGqj6oGU&V|WzxgVkog$}|JVqrvS$NZ4d%o$fUzl00@{>x` zkbHm6&QB`e7T?MwW>2<6jx|#(v!Dx?2J%a-^fIH>r3wpL z0ij}E-piH-@wdI@n&m_jL-1=wDrMa~f;gIFopv1Esz0L}a2M=)e%l*cSfGDgIaHUB zt`#%zaP{A^H8Q3rhVat3nQm69U84VzJ~=&k;at;)uM-kYzQ4khZM2}J8fM*}gO!46 z11n<5F>Sbo3<5QW&m@v><-6ku_zjFm_|TfNA}?a4TaX|WgTx#R1_=IZ6gjf%nvL?H z2H%;)^5O;W2B;ObJz7+uedju>b%sc~E|haGtqUlQ@QQhS#O#zcyB`lArKtw2XoXtS zs})w&&UW(|G7Zk<8-dd#!=s?tl8CfS94kw=ggG4`jcW4!)bj$g2F<`E|#!blc+#nv9Fh==kuc^=bwMUJcK)*y0pS>+W{)9*4rh9Bk_GV`%jO1`HH z?L}E+&ib*4@aR>8w~!=Oh_wXx8MANh*Etn?pra zZjc&BOO{j~Cwy_OVa+3UK;-R5wN|L)B#Y7F75|4fuu+A6~L(T!&6-w2H&WH$~Q;icq2rv;mVemlat73Hsb zr#UZrCjh7ikXn~NAcM2?%zz?-%r)@rA3xIETTz_#qsJ%@%&xNG~(pQWKWSj&O~|RIplc&L4)2Xe6)LK=aj{D*QkFl>H=g$JYbum5o*TvoswMm9(Qlw^D>$n_o6Q9hlx0Db_^u7PTylMgQRgsk2KFr(il=pi zS-$OsF^)I|H6~<`B;SuziGfBNioA`|DP&&A>{~>xUNL}8D0N0R4ww3r1aGEzMU2ya z%uGxmUUB#cFsW!2I$q|OR53C7cyN&JWH~RP+@4Bs{Z^*t+lPTQ1mzn>BxO*{^QH~w zcWV7Vd)nAG&_Y2i3+&A%iXC*UB~6%r(tbtY$> zniJE8xM*d6d-zIUn8Ef$&b+=L?a9md7HQ?W12bJ^jT&6{?FWjqlL(6P206=4h|KqK zx|=zgB@@ICFEb6!X@85xx$XO8*&jiaf1)e{B#Py=i_7!?zb|U=Ii9tJ1fM}rC^vJ; zN>C_&ziEcxaw{sFWN_Ymn&w`(MdYvYuPRXlJw0(TL;aegmcI(AgjpjC6U|{UyiG{z z0Wm6rVB)&MQ8ij3?f8w&8Eiwaj}3x;iwK?zbd!cG-Lmopx)jrPwF(CO0Zw-3`Pg48hh;<(-#$ zYbx8|>(Rc8)VxC~ERUmg)toWW;m5uEGAyP*q8I^HJI<$Mv`b2(zo^MMVn1AVr3!ND ze#=mC5ymY9Ff5ljS2PN}TNUze^YLRG=S-@-*1#{ElO+g&E9JWX-F9f8*k1RnXHLT=gc8#hi9Ws@b3YTnf2)|3|bTtSmnKs7&_KT03EhCkVW zJlK0kN6oC73^Mqu(k~=~$Wg&Ds54Ex&-tRlJLJ}sdq+kk+lA%%z89~EMq7w~ zdEuvXZNlHl$(W-UgWdTP2@{7*kIHBtud|lyCgFTx9O>7ExJev)n|-#Ld;xanW? 
z_j+Cvy%T{7aBo6Bwn}(E=L!d^?)2e4?+oSl!Ov_fP(YHN+=Q|!Du=9~>4y%1w0?xg z5_zp5WI4;Ark{i3h={o2SK@=KjobE3p#9}&p41u*+Op2Yfq*{FRWICjq@2*c3gd+>a4vS*i zLmJ<7)_OLmVGxqLe>PgoiDER$!wwp7$_8J#sv=kYEL~nsw|&*U8)^o-K&Eu32)l5< zQhaCs+gr6a3d+Vc4NLN3%HDWSJhzpt6>qz|7q?mt&*v0Q#yk3;NtbjO(Bwdgz zrMOHrd2)RKVIEr)H+y4b;cSe+Z3~lWHxnT!5exr@fJ0noI(LURkK&x+3tQuD_MX`F zUBNn_y3<8sN2Z`XyATF~IyX?ez=(YK`pMd$u(|(JMl{84m}%nYLMpvDzOM`xyDRuN zNWj^fm{=)=yfG$2gI_?P5Z&8arJ}ofXcvgT;fneIaA+bzcA1XtIZ)FsIKyLvRCZ3? z?0vx{zEF(c4aHQ=o>Ek{I&;rlIoP^4g5?hp{G_S|s(KwS2*MksN-5=oRq6t}0_i9D zWEj{II!d+;2shNH`*nz>AuT9lw&deuZD5Baq=TSE+Jd;_>q;n!$P+PV92aK+wmm1hHJ`HUH8kYU{CS z>6?-8j>JW!sQ)fkDpRv*&%X|=E<$Th2IvS#OCO~{d`RwS{7ubVxLcq7t|g^MhMZ8f zMO>OpDz$AzJ_JUr%j4@iA$UjLS}su8FsA?6Yq?d!{e44r4g&fh>;n~@_~Tx|Gde$1_mKR} ztJ@oO(y_EIy(o?3lF`aP&Lp6n&`u^~;i#7?LqrvmA&O=P5j#b3PxsNkj&8xD4>9$b z&ELW9hjT00#l9K_$g%_%g6ddMi-XgKLg#90l@p<;Lqz@ z(mkSF!5x1|$zWaLJ0}@b5ih;a6QJ(RpEq1`&gPUMGG8Qhj>`d-pyCO`5%6SgH?4A; z%&fn*N>QY7GCn@9%<Re{<8q@7!unQ05*FpI24SZ`WbaQQRGMemf$=?YPMk zgO~*^O#~v2B%P>e1Xr>WhM2=;nLEuFm^sm!5AwV&4r5^?bMR_Ck8%30mfwxJ`79S~ z3!K`_{Yu*2{~``^wDL=MadCUWRZ#;qq0##?urJOjFIiTK5JSYsnKpDD)q!8YXWJ~H z_s;)fPa)FCHvaO@%dLa(KVdjQifPsZSdYEYPGAM?E`&fzMFK}`e3U8n?yPipE+SNl z0yDFlBUkfzjAaOU4^Pw`5c{x_f@*L@Z-}PDh4hI_nrr0Y@@PFYa_df~!!s6X6gav8 zK9w2m+8pJyGP9DK z$%uMzME$I#-w?OfswJwf&L391jM3unFbEtjSu?{&*tJdT!mN4 zi}VpS-(*VQo%V&OWAwB;(3~KHnauIu9j&qRkj2%OL|W#meoXdPg;$TNRZo#(dJzjPscNieZWhe)dB@#vz%_0sivu}__8r3k?>qryN0b7dmK$z1x3#A z_|5Vbfzr`QuHT4FdDk+V`4r3&B@fKP_m<@*|5*o3<6AbpU#^0!4@k5vv0h@7cNv(> z$v4ze&ij?~L;hbGQz10{adelN_37-7v@+rxMQU%8O+{$T$#3~%ACDhCP}7c>Ud9pY zc}1aORw|UP!X#-lUM$UHz~EXIJKFk7EjM-qQmj#9J>nRvTBBSE_ryS;+r9h7=(F>F z03(N{Wa(({$>+#vE?nQc>Fp)mdxp^+W$nLsyE`}rBhFs$#X=ju*T^TRV0 zfz#BF>1jlHUZy?ZXZ_)$B=C4rnB;G@#KR0b4R$ROOYt$U@?YC3HJ{EXgUJ1afpv~Hc$Ggc#-lG* zP*?m_yMCB-qjcdM@a+({c(lw!HTF4Q>s#w$b>nMP^VwGM{8|VKkV8EATidg-w0v9K za)W>##zm*p_W}DnowaCfpg4*MpCF*&8p2PE-A-cB@sT(qY)-x#w~NwUJi*G z+8~pz3)8#1TC|Q)&e<+Y>pPa%NjUKsT75k?Vqiue*QTsX`B=UuhIK@cE4{t(UGSDC 
z@vw8r`ZiaCk@F9OivD4sX!-t8rz6{yHit1P&!@{)PWA8&k|Wp|09~Oc;To`p{N}U4 z;TPUW85o~YI1iaUgxz=`7=of+v?2M&1gB&6tY(UwZXG|=@cC%rQOa9+r`B_=-|+d~ z33rq(D4h+ZXwmD8rl2o_7X$e4aRFZNLy6}nCxwDTZud~0ga^0p2cHCBeAHuKE^bFD zkFwBpX^+T{iZm2pu#1u7aL$qEf=8DoVBw(=#svUKx1`${x%3 zUif&mFC0@iJN0)aXavXtnVk7xvoA^iQ>zdqGD5E&KmfVo8coHH6xjQz6WrvMDOCs5 zmrsQn66BLtDnKAkr`cKT4voTL|GZNs7PBJ0zY*ELI-R$ob?3adSHs)~_%*Hf{Za~s z^L+JfJl<#jjYp+uuZC6fYKLa7FUVau;$No_HLM{x*MewTMVgZl`Al;H<}5LdIm(HG z6+5*i+8jKo>}nSAEh5Hs!+KAdXqB_%(%LpyEN!73D?|pY*UwKM!j2^v7{z5o$U5Vy zS!O0t>stog9BcX~TIT<5dT4nDIdM0J7ybx}*CD~4$X9`wtCt2Vt0A!B+JAwaJ%yp~ z;rd(6H5trrjd?&U8!@z4kQT3mx#~_HUe?D+rII~Nr_FX0rS^jYWr#bw9gDz$z0&kI zxOiKfC>aI`pv7l<*lx=4WBL_AKc-jO=9WPiB20oQH7f{_uObgI*8`*_pK=pTM;4j| zL-Gi3fgw^F@Ep4-r@xa<+Z>rDw#i3|-8&br;qE}qzgO^zQ$Is^(WIfrQJa%IJe|%*!Dt@K z6Syw7(Dq47_vKX0UQ^39HvbyZt}znNe=c0n`7SCHl6~>j^ByJ=_f&%hCa;5Trd6Hy z8zDmByJ7Tv_#p(w!=nP2+BoV$7&pA5GQNI7E;DnE{2nsS0^h*Ml#=+nR+lKj`OUnQ zO4%$j>1Q20{f!ve-p|h+UwTJL3W`eXoM5@ zdkgCnf1$FwU-r&rEuUZ0vk=Mcr1GhGn3w;!uSGDGw*bJ&0~iKfkV9j(rL#hSBt1cG zHq>h85oZKUL#VfT+^m;{`4}HD*D{X^grN`M%Zx6Ba!i@tS(+*2wtu1+toB$VRM=;; zDgTR85a4$s0cSbQIn0Ok4cV)G98fDb-XNh zL&Ac4C-kzvdnRa&nvjH7X>_tui^w=Y2^(7J-<)v?3S-nxl%cnX$EP#T zsoAmJ;y#t|tb=$J2(nRCHmiPCO7Pe%W}h;Yyf?<{Q$mtqAEOX3GY=y^6^H=sd$b{yi+agop3? 
z)y$c;;C7CN)S*5@&hB^n{={eZ$nfQi{RaywJu1>=#;@WR+(5hF3i3w1^`Ghv_a9dc zQgv0Isn>i+_YXG_PDefU7RKry{A)`VzUDs;Uz_!=+c}SCj&=J*d!n%~ zbx-Bih%k{#@%zlkjL;`r$zPhxz0tPjx1Y*`=+mTOY(tg6W9030wipQ*+s@AfZOE3q z&?l`R`XN3DNrF}}D`+Sw%#5p45{pTnD#YYPz-ZnQzZsR5#XJ70Te*YZ%7H($h<758 zhB_L9$wBTBlk&z1L{Amf4G#hIIg?Jn}5;rkz#Uo0@v?V{^-5F5doG6{7xvqZM(m4{2e)&EP855z+Nr z+my;ZpFOrsdTt*2~vPM021`lU@S87mBg6{pX`4JDLurnuh;u` zk*vhF#W5K}BB_#6XUJX8s}4Q5+#X-szd@p~XTgV*ZO$sPl%wSqb%`ssist#jyhN2u z63mS^@gws&mBej_2E1hJbb^_Th4?8oUoihL381pl6wcYuA03obX90qvZ@szob@}ep*jrx&?-r8}P=1yd760rBZVhp4etYHovt!%qTfDGi$s>30 ziUiZ5`HXndG<&e90|C(S8d2f{t22}Jima9ExI<7I3fZ*Ee#ZsJSDG1INfAHUveOZv zMp;Ps143_j{nkSLGL?ais~7x|@gyK2>Q_M6ze?r?dP?6b@ifcCDq@|#x0663Z}36 zAw$28noS(gG&R%l#o54d>6)?SUujg#Pz++YGT=zvLC zj_E#f6s?D^J3K_YfFpy>vkdQLAW_qu;8xBy=WMk+mIVCIzDc=Y!3wp>v~fuW)8Vx3 zx9@K8kuTB>PKJ;^aQXqoK$$lf8}5buHQNDpiC@HaE)N((l2|RkZvCO zf`PEHaFU7ifH{bhdu3Y>h&n0S8Kuq?@;+1jtvj zIdiZi9hz3Dlyx(qjEvUDq_SKKu|g`bkNncx;#_#iAPj<0pc?A%cOr$#>EzpvmQ`4g zuY%72JOg7kP2KO^rG9AN#~k9bTs|A-i8hxi3T|TKj*yJWD=#i7hLSD{rqrF&>Tcc< zWRz?qxcec-P~7WI%I}_Z$0o(p=E1VjVhY;Mx2tWUzQhMP~5se0Rjt zD&w%}?eTOCCo}zmNL{>I0CqRdr)WMiMUbX^>(p?3IQa5UbamZfEmh3dMWCtqo2O## z)E=E@qWR~0@`=9ektA?-39V`bY->qUun%sJ6afupb8;m z%r>F0KoOnTEG!wf)q9;p8?0vx{O%JB7X8bD-UXe_8=6YUAhMK6i>#uq^llu`vtG0Z z5L2o^BJO5sg`#Jdq>@(yZxYULm%$O+F$^`mCy4#ny6?r zwkHae(xyDebgtPs-7M)(Ar^AUGdDZ+_z?)92>|^vJkzsC~Ogw)tdZ(9X znA3@D{Zp2GS|_ClXOS56g4l_BEsV4Mc1WYH$1a}4tO1BmKISdgPWwiaV6GO1{k!|f z&#MFbrw~~_1N5HWbRjY-dzJ=dSTKojm{Pxqo0!2>!H=l8sATDhhXiJN-0oVv<^h*8jO3jvI zoOJPVB2}BdzO2sLJGT6mKW7@Qet609fHB~ZO1Lmj29Gi+Gf8EDjrooMwpN6YKqb*B zy;ysXB37fH1C?@0x)*v$9>HRmxEbyxHJKWICh<5Rsdm{nKT^kVzCNl*Ng?Vr5)ChW zk6;EVTu@Z8dwQ$Qhf+jT5z4>_MWwgSuCmO1eq*X1lIg3iN`fV93WRswcooFdgPOO^H}=IcPLf=HDLmDMW%6Sx}eW_jyblB|*{ zR(!)INuV_LS;s8_$Gl5-etZR}Zp9d8=+WOH<$fx@NSiJi`8*i(Pf=o!DlUs0!{w}M zNw20CqxaW-mtCjsT201}(C^dAzec=MRka?Sg@HS;;S47~M)a^eGPIr-%spL* z#x-PHlDTz{fyg5H-%T3Sv91NE19wZBU+x@p{}~QH|;qQkdOmmII< 
zq2?ZxowC*B`#%km%FT?6#FOXawDOKqlcb2%xkpTtF^KJnHli*2I-vU9Ed9gd;K(hn zTngZ&IHe1D!;0)Fkdx{Q%Z7WHVaDnFuL#?QY8Z!O9r`q?`!ASuIqiMJF+78A8&we> zdJMh!EhtvQ(%=F`ax((Dlf?Benh-vKq4{pgK~7&CD_mgb-1&{5Z&^jh5tP#VjI$3*?o>gKDsqVZi%6*uq1dIv_C@w_ z->;Khe;Ko9%kG5#W(9DGf9IVqciXk$$JPpx4DNfgXy^lOe;k`n{F?6TR=}JG<_^-* zaIrmT$qu~=yOjKOR}jiu@uLo#z_LlE=}i81Jx(^QmRHj}G1LzZV+~oqpEo-?6++JO z>CAv<$+qB%kzl3ccG`DLqJJpaupw$wWF2ll$I01C#kV0BOC zMWpf9&W-a%Q4vA~_Y>`YvcS|BoxvL=S?B#u1={!%PkjSqzen(gbt`cVj!`aE5>B)2 zslSSP^W16CI?$(beH$Q!lVSe|+FuoFWHg@xj9p*7fDN)eh^gskN2QXuI+s+tq_2O! z7`F1!vo5R`Af^;NRMvPY4Se^LB@5Us3GAP))~y(~7uQPh1CLW5GDN4j$cf%@!jXUc zBR}?r@i#%gwJ#XUc4#SM&fgC_d{9y)0OGDx9qBwaaNg(AlMINAg4HX0B~CgzF~|Lw zB>fZejV4#hC(BuR+KeCdKiQNF^LKW2=XLL zFcTdB)$hCORwAZj|H0o< z5cT_uF!&0p218Y#Xn^( zAPyEbFDM?E7w6hxL*1c` z3)%rimhngWy!F+@_nNJ-EmZmMskh}t3dL@at&j|~jk8iSR^%lL_2~z(>@t( zUX2$z-9ZL9C)8mn#vwsV+xUoMkwfmPl1??AUssr7?;pf%eB?xw)e@Yxw}7$V zy+}8x**ZU$bDk}h51-Wqsar$~%w-?@DbgMWWs1R5$A0!E>UaX{Dv&QS%TSz#22|?l zs1N0?LgWh=b}zir zsH#IDrVdnHddfQ(SMO}v0>#ryNE7o4yfAo`tJM^UV^emuiVG|$VVb5AIc9Eu!sspU zYNq!DHGNfI%WqGIF8sdw_ZHB_+NKJ_xQ3WvwG7WEpPQvzK(9G;@AL_%7=TlT&n#*m zrU3U<4pD?FhKsK$cr_1q;-|Ly99_9o>_1y7AM3PI1-?BDvZ;!YyT4%S)H=0vzhzRf zI#Co=l2sW#rB8!u#%ykZ&tW@bZ%9rR1nhEYw}OHDXLXNM(;yDxRds^o^#-(Sei_rwWVS@aLL(`C3c8&sg$#%pNB ze(>pvp7zjg`W4WvpapU#;B6FRFt(ZMJiyeqswJaULLIvtYXFF_??I@_EBkRBO?~U+ z2ciHvHnhCiK`+o~H2&TP(||i?eNb2>mWmot|gfU$GBiMRa%Dwq;I^h`_Vy zSfHQf^mJK_1w;JNynD%d9FB{n6eUbTz%TGF2@|DM z$~w+_6wkcTj2Au5#7XL2a_7VlCJ~5J@x?zHClQ+20@d;7!M$7}$Zf5Cca~zq>^S1v zgP>HHOL$C{n##Y2;k8`Y!U0{+6}J~Mi|y}L_9XB8q6`Y$)MFPSE1Bv^)2ct6O0r_6 z(}`j*Ij;*5swg1i6IO~Ce$X_oiW@GRRx(c96DCPImEb12VBZcH0Q7k+0Ex5xIK>QC zF;2U$i+@#ATYr;q9@h)`F`>&w<#&bkW#f+XovuD{?H%>PS1g=Xopm!#rT=rDe)oqD zDz`eS?Y6d|a@-i>g+2ewF6zfwgbgop0x-e-$0`A~)M#oVk&?2}Wa2zT$UTmcf0XGT zBU#q8xXFKRfdG#xrdgl6m~8lu$sVfeEs7}6x|gLUFOO@(zalH#112hNjFD@_fmsg8 zzRH|j7aih|5F=_L+gh$DXvHZ!CF_ro>eBG!A5gU;h^Id_gW*O@= z94#8rk47=^zOj!P~&^potezrgSxfF==6K zIqt49!QkqN_s7{YC`ez7h)M@~#JkhgJmo>R=3Q)74r;oK93Z?Aydc=PYr 
zf^+4jcdVdegO-+c?J)3*eW6hiVtQFYSTq7zu1Fbtvv8yDoJ44gOo$&EPt=0s%meUj z=>=I~U6yoJ6t#4c0;K;=R?>l?l|eruJelfE(rN?;#?(W@DoOzi+0e3N$1afc38rU8 zJfK{SrI3t=wq<(oB%QLG-Y!7j0_}z=uCNy(((xafV%#CxND8(4VONzja#?P^eP>dJakF zsxZj*hsy4wfl&4Q>o~RJ#owajiN^Gg+!lqcLr6mTtn+^FI~)cTMBeAf0A_q`o^A)di!4Lrq+L58Ki zPANp$I*sVn<;9j1KisMS_1Z*;&LQeSliNlT%JBlWX`ct4wKwsJSO&7Fs?JZK7)lZe z-stxo7{R;XB?tTWc)nhP)Qz86j?2$0tSQwUpnkky%h-n7<6CMOG+M=h3i+ZDlz?Uk z33i8jU1-kJH!c`XxDeR@0zQr3VS zZF!MHDb!;N87ltJm_kBSp%a-^M$?V`Rq5Q70tP}_m-sWLbTC-6VuXSITfAoCNJ{&s ztxUw}Z9lo_BPjYx{X7#iA6l3Hw-B&TT*Y4aCzO_M!ICa#6PmkGS@xylEgSR3A+}G0 zd^hYKc2d^u*bgaohL*LToe4T^(vb|6qLXx}L7U}pWGlGJp$z|J(1m;Sv)eq3Iq~f& zc%mPpx*i=W{Xno2fir-tfim>pEKj7UF|0+GtZdsCVyMw%WC^sOan6K0Ar0DL>{a`Wg-{6!>5Hwdz3ziO=`ju8WbwZ97npxgJx{5>Ch`x8~MR;d&sCBFrlRH#DVJ;Io|S~5g9>ogbB z8(=o26A|nNsJ(fJ5i(^A^75Shp6z*G`A#UZB>2WB{Zx*m0HS>70m!^SNha0Ct76sD zAd~z4mcg#9EDt&Q$@m}g%<(Xe%bd|AeJTtIsA?qvL&h3!d4G!UL6guoc65l*K01=geiY6cgF-A zvDXszDM4VR{4Kt^;rS03Vos)(QW?gqs4opb_|Cp#N7RJjDJ(BtAbUD_GiU5hn;L%k zZzllF5pJ5#Uy8=BK*#GbiA`!l!t~x{*1jPqzUHnZZeQP+Q#V{z;n@w23|RGmvg#Q@ z(B`DltH4ExV}S9dS3-Ccv_e_YPXQ4PMgrH<+a96AiJt(BU8meiIb|%FnZ(nR_P&hC zL!|G&;?hxI>gV91WCf)IYw`!3h>XOmHw%mq6kt*h6WJK8rpFof4YjC1g#QiAi%r(A zMc|I@5%5Xhd2BtARHP(gV#m4u?Z#^eXIWkhPgSJf4OOdd=^ZcqtuIZ-d7T=DA4o^|F))#3YS>xAkC*(mm38U;#v z#jY4);D|Y_*uN&s4lF6c>sa(6zW_*C{KS=ibDBObK)uMogpyX<6wEG=NahZ(Lu_*O zJAk45_({)F+_rjI>&X@qvM?}JO~DEEt8OE5C`>iel(!h$>py0%HjB}R4qyhy@!F!`A zGG$n-DLhdk8G=P_ljF=7l`s$G$F7u#vpX&V?uM<|mC5gMFMZ*~*26bT5XA5n?htL7 zx{CKL$RTtJvfaKg-9K~fy^jjs{<@`aNWyoUFJQ;r+{c8Uqd|qjvP~Hvdz!q1cx?r) zeucbRY}tW14)p0*&#`>^$Kqy~HPStnZB{W8fME+n7}&VadZ^luA65mL<@e|c6@vXS zd&izJ`(6)~%Qw~nn8riL`RikAow$_?Fr>MUtcCo`cGnig?||l)*Y+b?EeNme9fv_3 z)&hHyFs@ZK51|U_p4vE|wuigyL(>m=SGye}-Z>jXA=w-tGSff%KJc;!+-l~pMR}Sn zO{u@`)xSUQ;p`0d>{!hx_S~W`hXnEvi%?35r>A-1(6u>fM72T%=+jouXr`Q5yOGMA zLIuL~jKlde3%Ii^W>*ps*z5T)h-YC({@&?~r_2aG9%`_R^St9Y(k)vub6;5@8x^FV z{Q_~lCJ0bIS{|{!Vn_c&=sKTy-dQJaDRm%Zdvq~%S{3jt;%m_m1bey6(Ela>IHlK= 
z|08t4ee7?pNYuaXV6^CZd_8=)2di7=T31dAFmlih`_-e89dHcphC{d+-+#elADAe# z*LEQ@-tO2Cbbt@~!c%@|+`t_S8VuHeeHBGcr7m3h!m*I~!?J-c+jKfCfXV!HLyrIUZSegz^ zjb(2;1fPx8bt4+Ujre=00RpMA$rMSUt9YmM8AgyYg8FF{&wU4OFZjmp2*p$wKUkJaN?Ax)kf3 z6}1>gWlpXfvL&_H+c57pO?asfHjd8fxw6d0_pWj$vxQN8@3W9rL|Sp+*~@ZS_yGB7 zDwmA52t@ebyVxs3aSQfW#>;#CZk;__pV#0W9$PiirQnw>xf{a!Dc%6ZrP)XNRh3z| zChODd-2Kx98^6;Xt(oK3v4(!bt8GR)O72c%{r|IRaug>Nvy{QVRpqeTA3+}63 zr8|ay$#~D5>zn0y9ek6z=B@IVAp$_ZkY)2np$@v){s*fQFtwMFo@ORojWDo^R;EOC zK@nzinRq8jd}2rhR9Xen*8XXSn{sSpV@juYX8k}JWsqceOhNEidCbcGn;4P6fsYh2 zXLw|>vk|KeePf7!GfpP__2QiXF*+vDSp4`g5+m>kZi)uY2iV}?V)&=R5RHeb7QDXW z-NkgEWZ;$do18uVxykxDa*M_f-Z22lw(k}gZJ@*!$2@|#*z-)febbQ4> zj4P1yCh8p0qdBK|oh!Y(vb*BiXjQ6(nKKuh`Pp$CQD=7h8K`iH?t z&HPSyr=f`mTiUcTSu-V)ChE_6o<>>+t}M?Qv`;6|yGHb~u|B{_D~`6@kpJ1nE1GCw zV~a!El!{k4&fi;IY=>w|X`ytJ5ydBPlRAmj3awc6_Ik*Eq?fqBWP2&_8E#{-#ytlHyO$x}0m-Fg{3}1oH36~1Blz8cKr!1Y*(ckg$ zNSUjDPStUvDnjMb1sXID3={X<(L=qcXJ$%ACZt~;OZRm+Raz%p5UuwLh!v^k3$a#+ zoIZbFOFu1lp*Pac?GfM+ZlPfIk^M?ld1phO%xq)Fi=Gsxc1oS2wLa{3E#2geTR<A5X~{D~4A<+jLr=BRzTm%{hZEHU-?g<%P8N~Wkfwclp@4bl`#`KtG}UW0+Z zm=Nj;o9m=EaH05UtMMz>?o;YB>`=Ia^>cR5;xz)I+TwlCp{=FTg)%4xy2bIFpZnqUr`-$Ttd>|A!9;RBxkV}PeRHvs^ zOH^myvrd9i$D#YaQ8#t7r;&|k$dak5U}B3M-()Jbo_P&@xbQPY&EZJ^HQVN)3;#|r z^u9jD8NQ952gBP1DNzK1xzz1NMgIKC@y&3YFBDB8VT7LsS26njO!2R50gxOv5BL@P zpI){I+shQs)a09!Phsxv4tJcyq{(iB>cFPbHQVGgRa|k(1`d24?B^1o?j$mg3+!fL z!&3PO?q{_PvmD~HL2>#!KCndIc0M*MzXG0WgKIq@M=S&W5z#^d0EWN=FW7xRJ049L zU_Vk-4P%JHlqJ`&kkA){L>D95Zyhi1ygfOQ3$46-i^w_GJ z6)F@AS`@Pr)UcXk6A?pX^7o=)dt`XrTw5RYMt*)7X+suGWZs_(R$|B&I7;;PPPk=2 zkQ{zkN>yGs5rNBtv*Es)41?Z!dp8QT|EIG4c_}?>8_jX~h0N_S5(Xqv*ly7T1_s1p z1z*d}4Yb4}U=zyCYk(&>ya_*fUJoLrRm$J>(UOC|p*%fJQ>=PYY`9G;1YuS)l|o4$ zl5%o7!BA6N3Us$pziM-`+{n)?<^MMHU}e$tM>1?_JWCBYS!7+`0PT^OmqF=Al=8GmNt&p{p;7wE0kx`E68q{<8I0D zD;aP&TcQK`%-^*9c9MTk!;JJ2vD=)|3i?1Umh7scH8Zd{l01nhi)cX4pYY+h#wybD z4v$P())nG2I2sG`CBqOyxdtwd(nhd+4oEu|u}7_w>`53F%ZogIOHHh-@ZoHMdZPKF zQ|*wNAJn0I+wA_mZtPliinX2K)CH&U&DqMz0AY^QszS`>)gAI}lPjTa!c|+yY-K&I 
z`-;2?GQU;*+*)CH+H?2ug7b*W*H{z0!g>V8lb3VBB)<8WF38fB^Lx^7Dl3@a z;4v?cSv)bCndbp*cr>MB5*4bJT?WgvZ=5%3jclw?vJ64NvS-W@eK_(J)>sd#P!1{M zP9%#U(q#3}!%bELpSP!SBI$bZkT`tmx)#ok%Nstq4-^lYX8p|=pEgGk;Z1p#@xZF# zOKJza(Xw4HYX_86Z@flsdD%rq_-Zq>;3_u@i;3E(VMC})Jp7xWWg{bCndmz%9DMt& zTV89anA!pJ0j(9dvqK~(=B6*?v`SfSb5>Qz=oyIQ^%^TXFm)C{-~{l&mMhBsEEjL# z#8cvkMDy`Kp<~|16LjpKxG9*)JRgse=YO!@%@~+_PFJ@-CtTLZ{7SE>{`Kn$`_!2B zA4u#i_G9on+x1RUu!902iV1EX7i>$&(~}s8v90%Q2^%`hj~4AK&3rBV9k1A2<(iWg zd7|sI06iCPOF7xz#<b0;<0>vCp$cK5 z%dC{=fbA+d&(}NE%%6Pjlp4d_RMWyacXvKHGQP+Q>g~GUnl->Wv{Y#Bd|Jg|8aWWO zMSX1A4)Jp&+m&MKM&MDb|0g6oC_yfnL^@Md&C_oTOWOONP}v*yE1MzBMt;Isz$e+k zIT=!Gm*l+eBZCBL=K{|XZTq4zhqa)`S@A^MO|8%EiZ&H=@Z+^}|o-7}*8`j>f0nUhI+ zp4RS?u0hfq69TsK>=I@`deUUIdC=!>z5!{(*XdSW4FVdIs;?GGWFJzMdCS!CETdsn zQ9m5h<^{{ZlZ)8GVV`bGJN%bQhulegMw~#!RVyOHPFPP10I;$hXdNxTgVZjGy}j~! zxrHy8!CnnWu;adlwWY+qt9$AhTUL%TmA8xXOmg z)x)!Emda1%`H|#VePTh6nTE}Y>H&^QIw;g}Bl3;VhhtF@j9mG>__?k&lL&UdOin_? zWa5>o%fd7ftJ5}dVHl5}Z?CR87RjJi$$$-c2qkD0u#%i&m#WJHm;la1-!oaoD}WRZn^V;c(qVw@spRU{Xl6LQ-wcXn2BwXY8nj8wz;D-SkG}J! 
zO`DTnb2jiAP2rjeTOf&Xm+~0jADt3_BoZu*db%`itTFtn)~`Ol-*e}luW75XNM=na z3v3?01b*&fV85Zk=GFJwH^pe#yX4Hf(z1hFOu|KOp15=wMP4Y;%+cG#<|n9tkj>Rj z8xE(V@`ywX3EdDKOUS4uyP-GzKM_W~-wzh~F;-`06)6u5OPvhj^sCJ1!hKZk9uGgx z6d4kwuMAu7r09yzT+GA?$!DQWXWazqK8>-7>z_gDS?+HCG)DVu`V;*iM@N=Ijt3fk zvxoYX(G*j)h{pL6bro@1nSEBnpY&}4BY!#>#L!ez0Nr}+Yt}~}mmEMh#tQg$6dJ}5 z=Y3?n7NZFcOd0Fbm%GFWbl{8TD5XtDtG*vfCtouxfeE&hjI<2#YMoJqW6R8Xh9IaN zRW!C-GnNW8+WU|bDVD#ic4k^U0JbThb{a=uBULeT+F;sABuXI-55i4(jRU99_v!1U zFiH4PPz6LmB9OS$sLgKbpCg7aP0C7e;RnsL-~ayhWRF=Vy8@G+xuiQWbxWW(cbqgG z#I8hOn@(g{FjrP|royHhhcEiWN)#dAnxT92G06zzBJw{j8pjAbfm~q3{Bc^q66~@8 zkMqtD#Yq<(BBRGTrG7h6{QH2ODw&9y$TL-t;utaeP_e6C%ksTTLS7VxbAC3{N zH05~UL~>TG%JeUd`+A%zsR3CSIlSBhahgPPu{g2>6$Ljxjoi_H6V?&R-z&xa4ujXV zNY#3}dQfTh`ubm9Pv`w0Hd@169oF4;Un(OzD&c0di1qHP(h>8PnmZfUpS|((!u3Zh zfHIF+<@KjOYbYvYHd?KHZUuA-I-^;Z4eqC_y^=} z-+#YP2Ts?n`H7IJ7=OM$7ksY8dY`^6_`Dk|crq^`j>=-gpAxDXvKr1{jAI1hcUQ^* zy`YEz(DNIFcdZ>#cr;cgCr!bq9zJ6bA223qPoY{0yoUvxy3Bn=^a5GOIldtyTDP zOmu^#yrZn{{4&LhM=Vc>2y`ZV4MP_cV~rJ9D#V5H zUz@X%yG}%h`?P1kJwIGCEfgpdT;A&VC9nCK@7$Tx@L?hwk5SBZ>aVKXma5~Oop$OD z-hJ*$E%SE-)A)Nq-WQ7tq;ccMBZ?d|K%QY|OLo{psx8xV+7HZG*4Y(geTof@mSf#V zh!zAD*8=WkNEek1qq24j%Q)%|kZPIs>tqi3dvaMJ4)HyGa{LnEk>YGv^dD;%@x~ut zH?ezMz{~9L?Ya~4ddUsA@Y%YJ3VUvs;6xy~e5mINxw_75pKL{B0mUsc!>tyHsL}%T zw&8kh6SxKeiS-n}l+#)BYAdDp$)=1zq&~+n+r~NgY)58{8l4nnea6MiXCnq;%a8h$stBy#cLx%B#*ICHH7Dtp&6XaO{0ZP@tKV2q>)HVZ($TFz!V6pHfD} zG%4jEz{p*XL^I@88ALR*_63`Y{jYC$I~Nbf;94$uz(S_C2C>#EL~6f{pd&t#vOyD6 z^?C5uClLwVf?F&+jt!Q1U|*xX2akyt zuB)hSjQSpihNUN~8Q!`4Si|$a4i#7^W+oYvK~2T5b-9`PzYJDLG&MU)gVjapIiBpj z``cH)Ytc=RrsWCUg;wDs-ENtm&4{|Xm-N>*M4oW&@R92l$c%=*CoEGb9m@B=!g&!z zg0Evdq25q?LF@3B*Ky! 
z1D$!^h#qXhZBVX((ui)r%~ewh<}|jtPH{g7DawD3FGzg^4_7da6VU>6l27*X)W{Pb zT@|9Abu^S}FUfKZ3K(rUUO$e`-S-^4&HJL94(^H(!0Gf&&Gy{lf)+lRVM_1K5M@dx zMJxQn)l|O;9~+_n$qVw9Tg`O-hSX?{3*oU^ew^&4JhN%~hZ$sC6HT23*t1(Rbp;dT zC?M&*iO;pk+pT*AB+7C93YUYsbW0h%yAz+fG3)ZkGb{DH@Qgp2{8`>q1)9)5ighhNB)f5Ru z)Ozldg6`swpcK^<=9EQ4R4T=U2~Y_tcf`d@(HEXSQwn(H-3+vb&7Z^W}Cu(|#7w#B5TGkk(*b~>MS4KQtNvJj2 z{ATHkKYu!yU1OgUKg;c;9DJ$5c4hiSHhF?p4ylpma*CiZijmtfYx{6W&_C+GjWl^R z5?ocC^zmbvI>nMEPS??ZA0GUGgGyqn_L-5 zZn2P{7QI4dET(zOEU!v%vaNS|^vB_9>{52*KOw=c-C2k57dRtA6A;aG!#WEq`Ung| z#l^g;xV!9Fkm?5|W}qA`g{LtQc?gE|;b`2tpUCjoVppY5Vl6Zuiyck-}}mZY{wpd zT?C5ixmBDv0D!=40FceTXa(@@hPWwroF*m_W%qraUc~7;kV)QlDsPOmQ=;o5rEswr#?C`Ic@@X| z%Nb;HF*_MQaHR{fI&r3d={+{!n9@sPk=sB@@tM&3ymQ*d5p!WtXd2Fh6H)!I(SpteI6amoEGP`@5KTzl^ze@xkoW~zy&z*}B*(9_#P zd0i#n>c=!7z&&+X3owN z1sZ>OFm2J6G5sy@XyOe(Y(VeP%5xJh6LjpYwkn2ybelKdWy6U zuVCNU%+Fs}V;ba1uulf`RIp_mD7g!Ei4S9`Bp{`2jJ7NG&R|);A9d#vj=%#01`_ol zHXnC}F~ol>bJbOeIs3+-^G!bH4?hn35PfXpSv%dkKT?t~Sen-_LPtxkW+AfMYVBEA zwQ}DYj19fK;{$-%$I6cDz}Z8>UowqOR0bEFI3Bn;S%z+Zy6V*&J_X)+Bfb`r75M;B zz;+OZ^JXTBKoJ4>;yrt|e=}PxdMQ!RN$*FisuEcDh#Xf+Uc?`nHY-T~D6hXC`60sP z$(Ehhd1lTsU7CuC(mH3P5ijDfMMWODhv2AnqX$K zbdK=pH03rk+A>&MV@WlviJSb}uGAdl1^H)|OF2O@RU-bB@ZuZe?2nmh_h=g(W)0d6 z`yQ*y0@uLnS(YExfz43#qgc3(APL zGio&>TXgn`L3V?EmZVE3GgXq+_Q+sv8TK{za+c>$-`;LoueE!hz3$whdE|sfj$pMq zIr$Gj7QNm{ut0kMz&7_w4#%3?KBG#~pqZ?o#XUK&P%k{uQHAk7QK%hO=KhaSiX@M= zNzjR5qG0pyo!+*#;=KkKnjyPRb|GUe5oXRs@)J_*3w#wPB`-AZ<$w26Wj9s=A zW27OIs+^H}&hL0>3(IRC`pcFuHVcs1vpQ>Y)p3jL4TAV$97DF_qB5j}JbSk6mj%|+ zk1fK7In6W_VO;og{=ck|^?ydwqp>j?=`boM>4)Z75huiS2gO(&oSl@_2VTo6fMSdu zie6Mrbeq-4&S{gjUwG1pwZ8&p@@yLQokOuPTQf9#+r2P-0y$A$qQ&!nrE|zC!B1K` z7Z7F(B$-4Vqn>j`YT}1(fGys=Kxbxt!9# z3tsi(zvbkn<4w!R5|R=7a8~?e7^eM-)=^1x`-kV^#!A;UQxuZ|cU53qzGxS$nulX| z#c?=v23z$HE=6t)$Em?i4JU6=V({8vxJ@Rw$Hm8Se@#yt#&lL+Z^Z!j4b$LKp+Vr( zym%5cBT!4E0-^OF-)w7bHV z5t4PN)`M+qYTWS;jGf+%Vmcw{(X3!ASJO7wD~*rA_Z=z149?A|Ca7SXVqCyF)%4%U1iO zy*M3~Uv1y$Gr=AK02{!@^aXDZ^>X2(;i|;MJiEwB$hJMFK8j1wq_aPP0uhtHQITR_vE9)1(wI3L)!F!Z 
zNa`w-+S$h^|KdT2e~ZG}4ig~MzsKk0B~72EXYZp^4VdyiOXo;V)zhS7R3W3ok{*?i z5*;27jnMqjFIrX}*)YFz!|1Xg15{o`z*~=zKKV$Xv|H9z)GfF0!(FnRD@*tG>D={p zy}5>W+8rxvOTK9%238QJX~Q}raP@mm#yx804XoXscoPl{X8LF-R$6Nhz!rz|7oUbPsIEE73vEP2yZxeqrvnzPYFQ@Go1e<92L{2<$9Zz zr#Q=bN@PY4>?+!wGxD;r=B%Khs%{$(Ef`*;n4ycfDU~K$Xrw5bR3+6YXhh(w!e}E_ z&zy;)M?_{Bm&_LtWu#MROOJt>dL{Fuyr_A9vg8Yt_QRXq{+OMA3U76~AZ!WetOOr@ zuc}r3c6h4SYu(d19`jv^S;LEeuL2fo`gcoq<1p zCi>Z+_wKCP_v&auKI0a&y6IPU`0q^b2AKZa#_tyus1NbI%O}3~;Uj;k`?TZCyP2%7 zkaGJxzlT4BdF#<+P?PREfln8@e&WS-K@PJ;H;$d$caLX@J=hHf0Jne)RpySA#HzHIstTvT za}0I?0gPon8l&9qUKWRnJP@aiI0YzZX`rC($_`YS2V@A7q8OhVz?Bq#GoiTeqW_H( zW??wr?zwX7GSrt)W8mzzmj^}6I-)jrs4+D=nP3_srGrR|cg&=G;~u`LL}TI|ts^?F4K{0tE9@cSPW?=?JLfg~ zOqwsx(X1P`4;8MGUho{7qu!uz35(6>qZ!vJrSRz@l)r zsy`7m`bz1!1rY7osOF0DZgX@if@cUNR;#)W;?9Y(I|1vdHAj1|dU0h(x+$VBJ77f3 zkFackx0}53qrJ))wfl76wMCwCZy)y5#h_N%{b#+k<=E)zu2&k91-Kmks`Q3FIK;z6&O9|^BZ_;b)Dm_PotJrLg{ZC zEbTO-6F?rD-86*P{VmldPAsB};wxkER+6{LI&$&9*=z(hr4w~dF)?wRGR@Dwj#DB( zu>vEY`p1<}%P=WT6Qoim@WAl;Is1|4Cr_X)|6_`L_H=}W)5s}sZgvuR3Jf(XAUq5y z28{1+Fe^0peBrRgQS3{>_qzRN_VHl*4pbZ&7pL}k`|In@*?-LRL*+x_i&zhTFk86 zLCyDCLizZikaj>MTD!m^c|RR9@*J5H6;|&3kFx}z+3lA{E#TuS4#qk#W~nZ7Otr_I zKz^&&qrLW``f*Vqbl6V%BK%9*-~OfaOPW}-(SkWoXHBSmd*##af*_pZ=d=+`=Gw~i z>CH>5tl`Sb!Kj=c2eLM{*)Ak80TXijA_$D67vCfJBSuG~2JEXYJhyb^`%9ZMKcH*& zXRCYbMRroSfb=`}ZXNw8^O4Y15=33~M=Rlj9}x8;ptM&WkUJZ!L4SF)57GO`Jm#a9 zZX)}kZ%|olUJ|+(bi^}OHU?9uDqc=jLQ%y^tD#n38G%C&U}ViB#>OQw%B~Zpca3FH zQ#K|SL6?X|cyqVZK5Naog7hyc_^96ano?V@-a0ePF zdM>||DUs#QhfhQYi1@7h4oM01Yj^mMi{&COjuDtsKKd};Q*L$Bk>;~L^h)XnQ{@&f`8A^4eIdI=OIBe^^a7+?T z(1nllK6ni+ts@Ahi#V+$?3-?%H_uws5!q<@I~Jt-aI-Gz8)RSeGaSoTtF`iicXxA- zFfyE3j8(1Vl+@W`6xjk_^5ta{%X@<~BrBomD}-2?XlCMva_`~6yaGibeS&psgxGYn z#_f`7(WI=%WK&JlVJC5wgtbCh)y2+)Ao{+6;z8t5;0-tV?}kgy;$<4kj;(d|4v+~@emUzicl z4!Nve2fyCESoHz5CC`}nuD0Ra_ooG8nlhm}Qmld9zb(^P*B2X*Ffr{>cNs);gRM(i z+n3=n*hYf2w<)mOItUZRT$61s`w{Jw8;ncoJEDHCdtDh9hB+#fr+Hp(WVwW*bv!#2 zu_T(RgPNgknOi6PSCe}+@vSe_#jn=XBSH}hgwQA&wD$@6hE;e$fK!y;7Di#s+&0W> 
z9U;HHqrv}=wxqL58gS5Nt3Qr#`JQ(t1U}>^Vvmdeo5u&bj@C1RP1>s8J?JiSte z@4gYF$3D*jOH(*$JVg;(2VGQBC;8S&>x{I@1XhB4p-%(xk1K-wd&ir^!LWUDb@$@0 zcAf0aFnvgnJSZPW=ejqN-XbQZdyJm8?IN zd^6wf+}O8oUS-*bMRxZs28UbqY&rs7e-%SH`@^ZNfWC5*%*pTP0Z6?yYMCk0?b95c zA$?w{&d@=hI~G1RvU)wZ)k7nrLC!kUIaL}|Xv4K}`$K3e$1t*0l8>>fU6q$y#VxVA zeTw{K@rU}Qse;+JCwY*RY@+K(atMyXr1wdN=&9XOKXE!hBYa(5eXa6$z`#v=DAaYY z4AQ8eC>ze(w>CuNzhrJa1!y7G>nLGADFcsPw7nbGsV3hm3-!<}MhoQ{p6cm!@|w3e zX=91E(-}uxyjwKv(fvLKuIjh!bbT_{G)#|}W+fo45|(5vaux}UgxmF`nQdG@WUY}M zpQhi*>rE6r!rW5N6pdWOlUKt7%zk*LrdZ0iTHqMQ7>P=k!)~^7veSDKO0DPn#bXWa z|DG>?r-N zk?iIQ$c*#JQEzji7*(Sjn3H#KHjd1NcS4^kjC|;wP0qY})TA)O!;$1TNzo9*f1Lbx z-bRkUH2v1y`l4YGR*$f0B>Rr7z|Psgf(0Ph zopVaccR6TVF+wnVUEr7Er8ku6AvVid3AiObYY8HU-DE?(I=^iR&R21!+nPsHC!Vo{ zo(~hv0g?i|IYtBBb_F2!dxT?#h;OK*B3-j0V}|MsE`;1>J+Qtkq+G^c7BD%ec=x3F zZRM^xnDtbyTI&sgEYFvjbIGIS<)Vsk%J&gjd(dVI$y#}ED<0{h1l1Ow<=i?fbKE+4 z(gH#BoHocS^zZ%yN5{y5grU>4q)4T+FfP+Dj{i_*bztqr8B+c();ChC3!3+FjHMTI zple0cBNZ;hvE<`?bK~aR?Mpbi{7FgMKg}j^xD7recQG1xK6RO5avyV=OMffS%XEwo z-SLGkO#(Yimm5u#aG-rB*d;TozYjbz^uavx>x$$%q{F;K<`9 zn^O{Y6gB$eC@PTR6C&AZ5ieq*{{(t@M8hBt1lPdD^zL_}ag-j{FN@D*qPK=pRhF?u ziIKx{>6}W#w}v1YCA?PB4nz&e4v_Kg;%bPFL>QxD#u%ZdAn1bU3-gP2UBK6X-oZ5P z@5q2ul`0Ta+2~=SsXPdVqqN3SRW=HgnDoaB1EviUvQX~j z)}mf;14zE5q7y!k^_{ltS#e6U0JXw93Ry{#yA6?NxD`<=GMIZ+h^eVG9V4Fm8k~ET z!xEnO-(TBxCsa4Hpff@g(%VC*JQ*$TLiea-35LJ)--uR^02@;)!%wWj%)h6wy7+`C z#X+2i6oJI9p9+Y>AWaJBF3ilHCkOtrmecIDvm;36l^V~;Ef#?1f=ecsMu9uAO1uCi zAZRooz>*+xxWtXl6B;TEoQ&&41RrWe#CQU$W4#XU(YFV}_?xDj0lhp>dy1LN7b}vV z3qBOd1BtATg@9~lLiuakRgfWexFj)dHUjY-BF4_?=F+^EJ64$D?OG%vTb{DcQw6Qu zvsHxJ!P%0_mOFCAQVPyEWZVJ{JIzq^O$E){jt-XamO#|VSQLdPgX8T#9_tLlgQv)E zT|rY6lJSH~0T~;RqWXfZCTVy90nXBKguqe5+$RZu(&N41?B1aw{sR-*grd~HD&i4A z)~ziF!3)&>tIkP)(}0rzHp#Eu-E7&950Y1yY}Eaeb48Oep-)Z9 zPoT#nK*W;lJAw$8t8{F!eXnxdm#6d@JM4%VT`uPA{JqZYh4n>XvKQ8fIODE_IFMgX zAQ(BT8lWis7fzv(uyUcL11vY?`ul}Q)E!2GSkP|`x0g<1yMx?^3;SH6-n?3ga zKbF2KEUu>MHW1w1-7UBWXK))}fIyJoPH=bE;O_1OcXxMpcb^0eaOVB~bFr_cp4Gdn 
ztE={Ot*REf5~*{nqq-<2k#D!_kU5+G;^%&V@M}i75zqX zDb9j0Nbw|2H;XRiPCGU&!lPV;W;NV4l4ZA+Rz*-{opo{I$^ayBLqhlPOG3J(*sc3C z(JRris!aO@5|j){W9+v2PlqaZn}_Ivy8`|w38La+%E!LGao#YpHs3xSZs5Y$H)pbv zJwM(sH$dr9VE__)fC$RwUXdO)=n%USqqi?bwB3-WYI{qKS`Pj(Re(f~h9|P2F2uJH z1hG??AR85oz{If}avE}R3{%t47?0KHj)D+jWRJVU&F-$JyR=}NomOd_iUp56BQkWz z?Cq8jbzOC=%jF9y*4vXX$`J!HhJ(>1LS{bW&P;v&ZwG0ZL@#jX4cz!`C}=SviQk&I zo($ws1-5Fu=%y?4*nw#ObNO`U)eVp+T=91;-A`jy?QS1P=dlr<`EzrW8- zsi;0wd&VU($i4x+^!PWOK#@o zCE|H$P(ObtOUPzV}i`M0QGwKjBvU`+St%4aa-_h5hD{ktb%6|9KFr zIL7nw6sou^MZEk3{qn^HKKU{eKkbi$Oy}6Wtc9YBEw3`YNU_ID6e^GrjNM7REaYv; za(aCj43itpi|4Q3S(h8w_%Vj7Rj6=hl&By|2-={Cz!|(UAwx`#KH!z$^x>Td?X~;V zwsBzZ>8ha(fl)qjkb}U;=kzAi8zvAHoC{I2jyL=kz!)x{p@pcD_CJ&bid3AzGZVr8 zP`DE`oo&0{x_?Pv6T^fZJJXe?jnL$0ghja~vE1Oe|EGP$xg|)cNs12t`2$#i!h)XH8rtlT&uI z-PyS%_L^Y4Oba){=phM-V1Vhu5a1MWob#uNI8u1NvD$`Gb}_D{VtQ)Q5=)A?_ERG; zK<{5HfQHEzjq2{#0S7?YEZ{bxFm8}$n^%(1V{56m`Q}nZtJd>E$KlKO@|Lko*N)d! z9^Xr*IF{W4XN&HRot)sgOn;rtNM-Z*NDmgQ3hjzOJnaF*>M|EVA1$tnq1$t`YO+K1 zH>RMpBax^<4!a*DW)62;>``b~Lo7^$wjY5iBm*o=P-cIA@~xzf6%Yz?xFxSgY_nW` zkOz1XC7<>(FsVlHGd&A2Augfth`Vgz0E(I@qw&|Tujr_8kf52ST1N+9zCM=I{8IW! z!=!rW1dQO6Q3WYqnMKbK!4{-=&f8PhU(t@0( zE61fqB{PB6jQQU+DLMC9@0FH%g?$MUMOp^u+T9M=BO-HybWpc{?t@;hL1Rayk8C}iaFY*9R=QE?*RbU0Y1HA_^XGWDL{RG=oL(I-(PZT6_ z9<`7D?-{!>vfn?_b?7QHvvox8aV~!)SGQyM3dmyPVa53qx^UmL9~h4ro;C6%KZEgi zvI`fo+WHlFe~KejlB=rXv%Moa_54W+zcflTfJO&}HE!b0&sWU4CDu>rI2!yp~MZyTKdz<`W`=tS)}-hH2#?CzL1; zB-5~oIcd~sy|Sj!1Bep|$%e$)A3kJXL#$lm-K7S?)lgVr$|xirpwuA6|FTf1##`p4 z?r}*G#-!M>hQf;z4k*j?4Zx?*g&1hbt>Ds(f8RR-4>7d3-urmUwysw$TpOISugScS zS}ZonD%cPf&zx~`#bvtCEkxWU$3C{){`zy)_PoC&8i0LT3C}v;Q+*72J=?;*xW6Xi z^7vh$EW+8`RAVz~br>WLxh_F&xjVWa^8B2AqZ0s9i$g`(+YvYrzXiwL-9K;91_YM5miN69t#eW+u>3h3h0dHVydxA^ zfAv2$*9DFJ9*eqKd1G^Bw7vX6ekAeXe67=0qHUI88tRx(?BX|!8&{QB$FdY1S%4MK zRipBFM=^nGz?|l8Q~krycxBu~2R-@ng=>!)F45_cHR{T2r^(!>X{Dv)!tt87%%w7S zxoNRPy9#f$?o~+)-xr@N`}F|aDhhJSKGJ|~GuFkUHFQzO?jxX&?y`a$ zrE9omF=PK8?&kl=;KuF|&?3s{&nT84sg6m~PmKzr(xJQJX94faZ%Ep{7KwE~wW#F! 
zU8|AlRrxd+NHY>DDt)S4NS6?aWd!h8Glooh$Xg*%S}PU-icRGrOQth)H7%?A@9>Ie za8kf&5+I>K4bZjv2)3~*(u(*Tg5sU|kbi`{?!bdxf<_0`l<(0v{KS!%W5?KrlZ_92 zD*N)pwmwa6_rIJ@f@OnySRJO1ns=y>u%7hX4ryfaHx+Lie7wt%Sc;hGS;YM~X{r4< z)|0vDGBXWxMG1BK&nVOv8G>W1)hqVWZSn&x2gNE}DPRj}5J{HI?@(Ci%Q$Z6Q!Xhx zDk><+sBwW~v!iK#VzK&_Q1GY2-(IG=H!7zbwYtqND{E#Oe%b2?CZqU}!4Z%I|eFq~j};tD#bsZR3E&X%T_MjLdoswF}>0U`zyJ{Q*NG`8+f+ zd4Cn-Gs9&Osws0EzAId0ofH|4ota4R%$u{8 zT@q+EB_86;+fF*?i{_LnCOQp;&|j;IRhS`Dkpg*>;7HCR;LPB(MT7_Eg^#^?m}`#g zHVX%v^tMH?gz}!vVlQod?rpnliS<*-oAdWc)OuUO3Y=ynw1EUC|7l}F)v1TW!KlfX z@^K<5Yi8zDgv~g?qlEGT#hA!Xi{^wA9xT*MB4~M(mN0qdk(&U3#HXRdZL)zC8bEQ+ zKWLY>mnbFpRrF<9XyhNUns}9LS5U}uN-{3HbWVc!-=+_sRj1mRoYFNTi&zv8D|zUt zaFfKS;#kh<*p!~En*Ox)I+EdsM|u^{@7iFT0(@`@jw*V5MG(&}{C~89U7qqgsvKeq^emAz;F735>?`2Ce_p{n`z5vtqe6lw6z%8>&AQ45JTz@e^W7v*d!!R!mpnPR##8d!E zS!k>>oeN%jou@~e@ED|I^4*Rcl8&hPrpR7zG((5}IkHOT!0|3tX3%!tCeQRN`@*?> zW3|hqD~WkQZ>G=V_UNIH>V8|`aBSU<+o*5)0HS0ryed5l`?Jr?W(e?4 zwhPxQ_{<(ZSvNagc>w#OWc`T3WbmQ()oZ@VnK9l^Hwq2yTU%ZB)F08`qJtFgMYpcs zA$|A=wFg#Tca=0jp+v1Kn69WR0;(n4G&An1>KAz9bhW*nw&^)pe#7Fxy-)Lq6IYa!*c?=+v@2}_>Yp_r^Ir@bmKL?GOSI;tZCyEu)89t zfyHzgw2X{{6zHg}jit)t+ECsQoocFjLg!d~08Tp+BE!ZNMbBAfP<1cBWf{258a6F3 zx|Y6&Ct7F=Myn%L^>Ap-ZnVPiS01whKw^=U08!h-$(9i6IU#ZKP_FJ&N(4%Oq)C%pzJ(G3VZY%?1+rR3qZ~ayzGS z;zG(NloK98kX?tdj11pB48npQB{sCBOJdwlKGsdaT``<5x%U{gB14C0AwqOIT@DOMMh$(OFngmS_Oj~3ao5DdSqk9 zsfjyh{!ikc(5z8musCrXQUIRMKD)(d5)=H?e{H`(w+;>8mZF+;T~FxT95x9TkgZ)a zW7f9CYg(I2+@Q#Hz7sUrqc-V^(6FUM{ib_;)a_TnW|W;8XytMZ_KLNxHQBcBpVRg<5v!{VbOo~J7o z*V8v2!}?v}y)*Tyu^TG*&;!gqmnGyiWh*OdLW&RzGL*_qfsS-TB}P#sh4f% zW)c{W40X1)#HAX6iIA-&jJ;%YKF&Vin4mU{FaeSW4Ixw2XJsH+;V-ZU={{eo^Thf{ z49!Sd_ydqAoQeJhM?OD-#H;po*QmYG4g?hSNk`RSGSqeI@+GKe1!BD=cvkwu3oKFg zh+bgEt7tUzxM?QTygDn2fgUi~BF~^H>RjMm%e2j9I~iT7-rm+@d_v7!A4Zb0aUQTP zbIFcc@)X4ZC@h)lY=+G$gB^awttJ`rNKUE)Q+ZN4mQO_;Cm0myNk02;(oj|(N0QCM zJ;sN9fbFlNp~35S)R*QcCvfE)Jcr#Fm6xFYumsbp?3?pg{(|n+q%FQdW6Oxd*CP?+Aw5f7eSLbi_G;+q=&+_W

Y z(muu_Vu}=)v zy1z4su`d$D!Ua;bNY9tJGo?G`2re^A=c8l0s`+tW5zJyQ$D|`RnK7rth*Mc%e_^)A z6>LN%86K%3VPnG%Q@3Ct0lHkMoT!YViTv(dAL|<7+VFIes02MMLlJ323p00yQjj)6 zQIHW+p1$j$WL44l*O*fZq|HlnQo^pQ+7WC?P#_Y-aLf^2_Cymt3@1q;7$XfBl9u33 zDs>>r{V?D-#DAK5jQz zzgPJ+tc>OQ)WsC~|E1cR7|se}yrg2{hVBQiN`V@tl`4?+u*&A8@|5v0wXIMcRGH|~ z1F7^35neALQ)4aIPoy9rMhUp(PQk>Dk|4nL-g->&uP3pm+mzK3qSkJ1iCS9j!}tFF zXpB>>Zk1aAv0cGfaR3kB@-VM%5smsHS@*meHX`9cXL%7zB}kp{4%-_}bJPMDoNf$UqJUA4vFNhnkJj&it*$w@ zTTZrDHvvX`%b%QU-Aysg;A6 z)xOJOE!Sp*SI8sUTC5|aTNn06ciuijaBm>E`P{q&f%BG~^h|hCmi{+F0cx#vwZ|%K zFM>vIA-ZvCG8(&L*~&hV9*gu9ZD#F_r-wy26_i!8jPaabWNj--SR3X|qz028%2haG zUm$o;E<}GLBBlHVlV1j5R9bd?*GFtm_uzg$td3j}4EnvkgOAF2w|+u%4ex!;M#lxK z-2*yV*16I+U<&}q8_T5axGIQr-bDHOeDL zg^ZJrS(b_s#CTN}sPRvH)6mxZpWquldnI^Vu2c(GyUjLvos4S?00Il354r*~WUSpt z?c0|YUBvj+w7CD^>7Ii<-!^g?LO;)km7PuOZ0qaMv@2=i@os#zNTAf(YF*Z-9Vxxq zUC(j0`pjg18`_45B;sP!II%T!Hlh2^rTT!IRYs5|0O3BwiuT>Q7PTdz_ zBy4Bf_i5+Kz>cq0nDk!jpI}j@FN0;6l@>knJ{(4_uAOg6hZLpeo`gt~^#)10JDh(Tf;)7*W-MxrG!7E4Tp}@RDSn?t3Ti z{kf8^aD%0+-Zq`8$mH0+{*0q`!8-35WBu-G=)EJ^z4UkCOP%$@N^yVmj6>rJ*bC}d z1VuJrXE!JqW+>2F>oJL+bF*Et(sIX#Ov~w8)SL&Z=2Nrc{p}MB+eZmkfn{F*>WK1< zp4T5mR>baim?VB8xhJJ~ljaw`2me3U8ut=*iLPCCEqF~G%WryPR|U%J$pUitusARe z+2xC7^n&I)ecYnp?uLfZ7dzhf;fC`ce1ngyUB7R@D{nKJSGP)8_?N`)473Vg6imZ0 zfY;(C4@t_*(nwzb+RRLxMB_~@)LeeT(|gvR_tjUZ*9Dv=J+mY>;RfGp(J^&`=l;!J zlj{4pd)@u%^krfD@c6A6H;sZ1lswb9+;kENBYp|ppKwGABc9DViQ&WrRcNp@g}E+Z z#G9pWsV0q^sNy7q>71;^Ba`WhYHzm)uCmTWAq+ZwR`}S{I4MUQ|8JYuCD(;Xxry7?FD|@a z7ov9Gy-WE2bPYR*(l>DDwUzMTHkBc0jpH6n$Y~&WZO^0;IsO}HJrTJ+sjY^(D{qw{ zX40oB%U%7-N%1@~f=(F+DrwrI9@uYew#&e9C;nfLYd#Ba+Rx^u_-CAXT+ye@f7 z0Eu@~<4Q@)17kqFZB^MBEp%>kLB6CBleS#GPuGE)s{oZqn&4j>!54&_d|QQ=tUi86F;& zDZ9d)HDa<6B~aNhKdBs9e4P_8hgJmp>9$TMHuT;WdVOf7GPC$TFn;=Sm%%HhG<6SUIk_UdUv_>+?c6f!74y%X1pT<~3z0tP##DO2i97Cu@z*ur3*tb|DIZznp(1=AXu@Rj!K@ge9J0yxfM-b_`hctl}5bXZ}3 z(}xTt7rwgWbaDM%k+Fb{ZZ~oqL$)Q-YKbaY)pWGG7@tkWgufuU7sy-7F-9(N6i-?V zWoM#QO)r;KVpc~U7hsdT!}7>@K6K)Z^_Cu@55y%!hi7KOf|TXx zOMAkv310+5NCyA`h8a4SxI?a 
zFZI-lFZ~_cjy`_lutS?Q5kHDt^I@ik=Haif=l7qYI*2V2yBegdHSHeyG*?K{Zd^fl z1;ZA6q^6Q+17rjjpGy4`(+ufqp8)dAjm=0f#8H`9L;kwG5HbPi%%h0E58+H&{0l0WfO6USd-0ARx&&3q#USCd@b zndA5i$UyAI2XEcHdP5k&#Nx2jUf{JVL8iOL<-D(`;yvoEKBsn!7~gW%*17*IACzT{ z6clDesquJd@&;eDQ&rXbS8*mL)-%aln}qQ6=DXrUaHVFB>rNrKAfp2*)d)oCSiUD> zv499V?%b-?cZc68QAE+#_Sde-5h^EaFw!I9g4t{{$3@Wa++0%01@`5GNXTktSEcNN z)KYppQu+}|_w3^F&x?+{u{zR2rGYr6VX?&2foh7J*J!)RVH`meB)`T7iadVLzljMH|k|ah4k+8`}2MBF* z{v9|>JE`CujAZC$^1tJwPe2fw%c>-gFUlu)Lfz$I_JB_2cu8V{VC_|b)TLp!>3A$uW z75-A4O6HJo40i+W>h)>_m3c^i8&gUt<~*<*ynR`Oj3fvdiOO9<{`xO>UFPiNM=Q!! znvv0Oe1%pjcN@jmd*cu9w-bf0EV`4ZK7#FL-(%Aby}}(g#lw_f22T=4o+O7Ug&?oX z^D!}M?AOy!k#}OhvLy4Ej(CDKc1o>k|5Q9GYiT8wW;h!`#BijO+CHXKY_viv5}!3i zouGPGUg;?De)qqz2MUon$0;XFwnzbNqTNc0{tcGj98ZB+zo%&LGNBt-h(MH6KUD>LfWXMcR>`&vIUYz|&^ z2YFZ6rp0ag2rFIE{kbi(?WO76AR$6Tw->pbKCvA?S-5>_!D#v96e$bOJyZKB`&6Lv z>Q6a7xT=xsha-**0p++YNQ-(J+Nah+_42!M~|My3tP&8|!+XJ`K_ z140D5S^A4)7&6+%*Ml8>=c^O0w2McmsgJe?QJ8II+i|+EK-RX}4@1+bh(&3vG2&B~ za@>=>uZ5c@f59G|B1|GKS1M(D|C`&x?OjuB#122sH@=T=Y|nR|zOp(i&R;y{svlC7 zDf@Q|t!`0CKXmq^JoVc?fxta^%rID$SNc!s+gvXMvj?>`0OdwaZLJDWk}igYBZJi# z(?CD{#U?sn^aPeFZ(m(&C)hpk!qSMZE-dzUH&Dar=N_peU1*H+iq5}fjC?q;ZCe@v zz``!r2OCK6Eo{LU@7{w0x$L-t-6Lm1(!iDp7Qa~llQ9XNIU|}+Ta}RL{HwLh!~d6h z0)0|p0Qvs6MidVxM;93Ok{<7zb^X6kUhR^!%JzqLb|h*UHwkR(eD?qS@%{HUawov1 z3$?@&P+#q&q-g25JA`E9rxCBltC+%R&4l@@XZp=P#9O}=nn?sV7dv6?cWJ~H%wWy$ zjhVSWhM;v!W7ptAFfg_s`N$`MH=4plei7 z$2uv>VuwaK(__2-_5w}hq+6A5-~0Q$?O?ge6{!4!!O`UCrUw(e(jJA{LjEXy30=8! zZs7Js_sefPgI1M)_fzl9m8!Q7FDD}-bWT0n!kq*#d$AuD`B=jDRo!eWH;rsPE(E83 z-haZE!Gd>5TjgguE%v|G`>?FEwv%F2{LX_!4V)8w{$#uu2zv^Q>|~2(Mv?EBh;FhW zzkz2WT#mw2gdDhKn8cK`=tW;Hevhfx7yUb1l)k0(*UE1+F&&dzIz(|?;=1Tefh~8U zj*{SDmEy-?c`P)!_fX}8`1K9J{N4Wlzk45?ZF=lJ`RfWhH=SLsyyG9o=8!@K_1w22 zW~*C><~@rlo%&_Weu!oOQGR!t=|-TOdlk_dR@GmZA7{;070{(>WP|Nlt*>Qlj=)sS zz`JrfXNkh#{|qNTOh(Bf4|1DS|CprbRM*;e+d|Uf4h4fI{g%$f2g(xWLuJ1EiBH+? 
zpG^OkybVENGv-|Uh7c>>0w$zvPUt44% zI4#O9h1wtV%>4Q)OK#X0-a9pT9lW45bX?(Poj7*O(dJ7v{OS-zs}5(pS;v!Yv2UZi z9(6p&s}3R_)*OCbEyOPmf0H5C(Dl|JOrx(#NJ;OyDa(ZVo9Xiw<47k;%thCRY69j% zu~bdl#tBPZu$4Q;-cC!r^_{Vq$cEVH+?Q_j=^IRHO07B(5keJK!%EJP;B5XQpz}?H z<=^GJH?K-KyplU0esZHk?OXp*CbHR(O*W7;Q|TFCRnlkzo1C=B1J7*zK~2LZn=>JZ zT_WEW?vCV}r6j^O4Tl?BfP)=f;G8g=Ih$B;JNTW8BqMd~t%jDz1|_BvDejvAaDQ*@ zG>#v-bY%7rEU%rHQJ!R~bBj}>rXco1Dha~W?@U1b0@4@Fp2LPw6O|91j=~ZjGDZNv z8Y5(t+|m6hB7jzn;JYW@JbT2$QdW{Q4SRcWrFJn8J-vvpsRynFa#@|UTI2`9E_%4% z-FUUt9XmeT?^RViE3BLIi5h&Ot-YxXMr9|Lwu|0e`+3aWdq-H9^N9&dhCf^D;M0;# zz5HSb27s@et}2ceQ|J50GVo$jQ$u=ByJvnlK@=uz6jyr~ajy{Hdddp5kVa7;% z#eGNt*V(M?*_Kh$N2Nm5mEkF;snxE|mwCO2*qRUMtc6`C6NjJZdIP1HwK?Qa0T5E= zMJEwl8OhJ_j3s|{^=~c74x_4*gp7FvGU;>j8hgFp&%@AWJ@P-7x#Lu&{lKY8 z!GUESUzC}uGte!ZK!*Lb;^nR>ehxStdGk$YNh`(*{h3x7)f+K$?Qe>tbgvTA2of@1e}sCjY%<;yk}95BUDY0 zcaYqr%PWd8qKzT=mb+2_cK-s=okbQ)B!wqaLx?D2q=h21-Dj(g#FocwT49RYE2scO zj3)$?nM-`KID&wFk0Ti1)JMP(%q8*L;fMsy$ABw6Uq^N2+3mt><%h2w6x1I|`3ehG zWI2E9pm+PwG6~fLp2iAG$p9;4HriaHLNEg_NT@xjM9pU5f3~J4pBB7QzDV|mx1`ea zl9pGDfj`a5E$E-0Znqyi6iU>vjawSNaIxSg$boOjl<_if>hp-g?n`QIdu>jXomv61 zwpul1h%mHru67|fjRz!zG+jQq&iy}?_C?5f*Ol0~$(p)ER3aQt)6D}TF#R)Sit;ny znF4xoYh02qk{Ha8yc`dz<^_U?Hz{`0REp|607Oh=pGlYqK5zaHXXsOy{J*I*m;0`f z4F@)*Wk;vW#d1 z}pKwJ!UJHapr9$wUSsYODmnYj&8Y@AjYi55=%Q_y_)*ukvKY}%QQc{pN> zS&jh53Nt}1{A0hdtU=;fo4`Zl|0LXTJow2&Ttu=9*^`o6|YH;nQ{++*U8XAv*?T-Gz}HXBI; zfF7PyA2{^z0c07Q8e&~gEvLb$T`%uI2Hx>8ikqT_Q@uM)01ykh<*;VNb0{4s=^9(u zN(0DY%gM3WH~a1Z(8I{L2YNe|*&F(hoYbsgN0XzQSuCw_o>Q+JKFDN{DMyC7AVUBr z8>^m1DfxSgjz;Kcg>por{;x^oF#sl-letLD=rQE9)g7nP!b%IJQ{8efZ5YFS&bx!u zJL1QD)tIgb%9b3uxiEihPRJgcnWY_Hy@y9bl6~|)o5Pasfm?5pi15hhUN8#Q9ps~} z$5+ehriGPOpq>zwJhKHpf3rL(xh9=Ppl~zi7cOmJRDwy!_&Al;a9a5HQ>RiJGPlS` znN$ZF8FYhT^|pny;aSdK;dEN$AJ-HPKd(2YB$gGZ`uz0ekcv~ zCG|@?e4MHM>Dx47+u(-M;Sz<%yjbv#M{s{Nu@hEXX}CDV8$SYbo$nuFJ+R?78MUxZ z*8&6?L&{j(zIHT7>Q<403#@y;x4afBr_6$p?{PFQP`P=x+a{$=uMb;bJIOC<|BN9n z!v@f{8=%J;i^BHImgvj3Ml@X@E4(xl0ND;e7APea}IVHq7+U(iGkz_@sB*NG)=BL 
z9BpUeUvoAI+ZsokMz7~5_2iYgbm`kr!hu_#y$c{!i}ZR?9!1O*ZH>pvX$gse$Wm!6 zu<=rs;k@mb>GI%CwAafJm3BO^tQN#0gA{LpBglPcivXE_;;QcZf3AVw;1IqcAUe~_ zt%&_2;6}K9akaIYw9CoufLQRS10gcJr7EQ3bt8<^D8oJmMocO;InDIV)kGQ+nt>mG zJXRrW*{DdFzHr3hUjF3hA#xm8YB~qw9`4#-@LbO~udei7c$(Y9D|DX+D0nSqX_QML zZ`;TW;p|pW*lW^E=HNv%mP$bvw_1B?1{WF;gos?}Ocv^?-Z3B*Cfj4;C?Dyo_W6Fe z=;1WyqmmHsnjIxrwO@yA{}{`bD$#Cw-RM9ot?iRE*7^Kq)iEC4dfIfG|4a;tEkz>AyF@z(?)qz(J+xo*)-lV1g@4B(Y)s| z0Pdp44YB=Np3F4u0f9;+XgA1@3!V#13u~%gMCaf>y;OFXv=gphkW~JUX=4)ADO77` zB*w;K5UgS6Sopp!7IkBMAiknB(Jqe2!M90>#2o`Wy_<|Qt*9$ufGqc}(y6wpO=vsy zz?;U-!D#WMAaew%ZOP&^gn{AzlT0|=>OFNf=t0ld^`@TwWBTeXd|JP#X)lDgh?9`E z3X>;Zo~vKVPAjg$bb0``7diKc`MA!z%-#7c?=87d0X{LBExW;qMm2&tmAviAJh$kz zRS|ymJ|ABf>z-p;IT^wfXDRV0PbfR~n=)EQOR+q+>Mt>vtD3Ilr02nR%CG%3b0;~b)KXB_u(Do@~Bbr{Xm`OSY zr2Dh+OWYyhkcqIAc>o~9k9bb(3J$<&f4emBKzlv|Gd@DcjA=!i=D71VV$_HX6XK3A zBjy8D0Y(W9fShdN2ziozuY7|?BE>l~C|bKLxgDJjzrC_py$w2rwl-jrX>m(%#O z#@>iKadVPj?yrYZ1rMw)r}+y`7Wr^dD&p?n>g!GteE33nw+#$Q`-|-O9ARBnX3?xq zjp3&07t%+J$iU%NtVLsvB{cbpe8IRH;-G44FA>!YrsQRvkl&uIGeY+slhjOP--FA3 zIAazh%t?idGB+crMzkn7qVMcnPuKKQDJ}TMjK0fzbAYNg$;jb*+dXwK5b)}jk=@l@ zlL3q*&Jtw?q4I;6lP8!lWo9}WmR6VXIvF?_y5m{l(rXQYj3(nseePt_ZpR{XqyNdc z;P`pB;jMHEGwdytOYxqC ztT2~YA|sbA2M|@5FPzk0*%;fX+8Oirb7i@3(JppHnnq7lqae^379)!c+#F;4+%snQ zs)!7Q%{E_1_+FQgeypL*Am=MA8+n@DTd3&uH4VO>`_>`#{kc3;fw18ePvU<;_&Bm$ zHI?gRsMd2XbydOK!KsVfmJ8hJ;opF{&WB)G8HgiNZ)CH=DM>RSDKQ8CDhtl_{b!8`~tLGihat(;I8IGjwKbjz*rW>oqaoA6_5!C%5`Xr5;}0kc+zAX>R?UtgYFCbBcbsW~KAO zKPS`it@+;Nv$liXmpx^~cll$(&g4U4q)CgYC~SV4Jy89M)$$U_9$#Q=>wVe%*>9bD zUcU8)aC{17%ANvl%jRaCRudY^hY^aHJ6rr1Oke_XN?Z;#laj1w3ESVzN*wpiLRda@ zk)&O)KLJhU=z^1xrh)|kSs`c1(N{eoUAdBaZ3tI9qv*yZoz zk=;-J%z%YVf4WW4Ol3~6M~IE;6lk$(zbPOx6xHw{%}@osokF`9GE@CjhKP9Z|C-q_mx@o-H=2&MK%*vA@Q@Y!mTNb$-Q9FTw!zSVzeMH5eyEgK#KVNdtE>z~tAXmkJ9y_%Yq znP>5=(JVzPA&Jnq5xAZcKpplYm;4C)qzW-N<0Nv_es@kjq6K`3+wj4um1*qvP4jtO z67=DLToJp;E-6Ba7uu{a(N5Q#(4V;h>jH1x+c0#PfE#Dl;*jYgn7Lv6YJV4&H3)?+qxy$H8A+0sDkoPd@bBe#9VWp5f3oo2zngT`8KxDpp29 
zPy|xUHwkbW5ac8!r8-tYClDqv6?qJ(D4=mschY3fnUjD^1)g!`o2DT)(N(`^bhddC z>&l)|JbAVv$@+A9tx9ZPotXwl4W-NlTXv&$QF`H#yyT#qUO9N2%tz@ZJ9tf2xdE;( zqdLJNPy67bRD}yMJ>PCwk$-n&7tWzf=mB`RkwMK_GQI^FQtBpwh~kk*Xkm;havD6L zi)wX&noTY`{mDT2+GowE9C@LRtzg$g|No)S8GuA84@=DaTCf1ii- zr8HL_Nfw~2F0u}qSoXk|VctzW6K@=bIA$0~e5oGdTg)+1M<{R;#MPNDlu(^g(#B;n zPC9gfTS658@g*f#*fP;-qbim4pZ+bM=i~MsYtgpxmF}VZBHm-o?do>U0e{W;iMs3i;@wi!9CI( zrQu}e)c*tRz8}Q^zNkjzW3H_l10I#2nVsa<`*()q<&*bI6|BCW(A4ls zXU;X%StCvP8L%obSmSY3a>V@^f(;v@Q?lxO+FJ;c>4=anJU%tmC{DK2eeNO-uDA&j zef;TGne6{5umu%F9i;A4|2+*AME_lE#!(iR_obk)=<#vClDwpiiP5!rRv5&t~hcAEq*u2y`a7ul2u@Kx({^@VP z+{VK`d)Lj&f3YKd>J~~;;U%d#IZbrEw3h)*gu20H2)O_O@X%E2fs*L28yt2uy=m}m z?&_MtJFS|H&=X*?WEkt;v9k~{;7H~WZiOdU=&Eh022{?UORC!lW{s#K)-EcacOg;2-{5ad_U6jgS6j2!dOU z3XK-9g3k8XX`=%^2;pXp(~gM>YRFc?=+)KO*&7Xd@hR=>+H2v0y7xu*5sl{p;oQz~ z6h*-D|DH11T=t0-C`PY}2E2ejuxot4MEp&IT^D>H&p7V!b>q@k+u!+mBjF10xZ; z#XA)8sZ=Y&M46;h_GbP*ARUcE3lR$HV+1aE)LW6MK#o1sb5?X@jra_tzNxEH(Q?<9 zX~<^=t`H(~wIt6ZYRvQ{<_7^N!3^oQcMnsWyw3&6K5=+Z>I{ua~b$nZi2_E_x;&M<1dK~uAnTAWZI8Ul8JEfQkIUz+2R+ydGHXm3 z7Xzo#VGYMF0@JcmgAvo?<%=2jJTi*M$yn=|>W5ycKz~W9a3F(ZT5uBoni`v2L{EsV zCG-eBoZ9(KUZ-s6c5MTVxIzxUE(DFZGzn!2yikXV8sz52Sz)AYU&Ql>E)I$OG({g* zaY7LXso)ZmYM|{^tX-36KUIt{uTB*#lz1ktbeytDF^QcIuV@vZ6e#eU);*iDFU4Mb2SG0;a>1FFjuOnmX1%KB&p zFVli0wt)UCNbN5P2nzx~2!S6=Jfi_|q8KTjFZ_K~_-L>5A<1q*5`M{?Ej)m~ilCVY z^Jh@8oN`Hzhi;!~K#|8>V4+W*sZ#Ff-iKYjhR(d3~mUuI?)yHFk< z$`F3~Lqi`c9X~K>lR%mH3p432AeKlQRZftuID7;pChlN-c%(P)U$XKg4{VIrgEvdB zP^8w=BGGL>*RNj)ny<1+D!BBU9xvW%nDt+_^n#e%C9@O$ji%ca zve+D3#Q#kDfd|@ydd}aHoWC@7u^;&a&-3_Qws!psg}Ky?p57k1*0Of@*0)lRSLDDG zMiZ=esgb+r2qGyDb#9bTx>$7J43LzhTuFU<)dUms1wxJwudEO}aWJI*l1siR&pl^7 z7!4PtSV1aSx3?ji>2jJls$r@-lygzf`_G=l65(_9U-jA`oC?@S-8()q7rwzxZw8Q4 zG0Rg`IjztXbCiN~gpH%pJX30UQFH{iw*swqsGJb|Krq_=m7^Uzn#*Y?QnXV@iefjK ztW&see4&Wmo4?lHEv2c|r0} zO~OUCcwZdvB1OeUHI->fL|_0>ld@wt^z#1IML-NJBLRNX3^U8}OVuyYa=F@AGkq-i zL0M69Hd*X+rMy)GrKE#2FT> zw`(kSBsO@0qiws=3$cN_IqMr}xvm(SX-Q3WKoL`~#=0}5vD_Q 
zy&gR$ueL;l(9*c?kRm9Y8R{0`RE+}5JDloJMp-C+5r)zkUBn4R z%dGgc6bG*|!BFBk-F9#ZDZt?=hBTL>Ex5fwMiHH!rxl~sI!t*|#dAPca;}w`e|w4b z{%FD1au}X;R|Tj4$vH!DvTzJIg*p+{SdMF%5eThB7hb?f-MGtmP&G$|CBWvLp(q5e z6pH4^I;^^^X!pm>gOmJOkOB`@K=6iQ^fMs)nU1uoGeHjSjg@!^tLe%(v(LWu)*792Dv3E1#%`FLEj-SxKsYIpm`+Cu%Z z?Us;pM42o2CTrtxp;Dx5N!Y%@@+MJ~?KcKZq0de&ggYYs@sRh;`JF?5Yan?BkT6Gy_|A>MK|># zOQmzYx_GqaXQ1u5qBIAet422oTdm1FI;xOTZMivMB|a&#E5dbG5zslPT0*TJHqyC_ zGxZZ$>J3$ZibkWYa2lkOW!Tf7)4buDk;scWVB9(${~9rGwcL*_e)$FuQ*7=azXBD& zfH9ERUAx;V%PN{X4TzNM@bYuF?fsVBIdFbmv2D=(;(fe@Q$y61*)LV_y%RgTd*~oT z{ld0>5;&iRGq1!X$Hefc?3Aslx1y~BZ;W2g{b=~_|FQH<(Uo*vyRmJnV>=z&wr$(C zZQHhO+ji1n$LyT_e*d|ui@nFFHT}$06L6&Hd=e(n0f7KH+lCCPJ?B$@m6q){J z^2%{LO89)ySPZnkAU@mn-WmPdY3fUluJfI>j7Q5C0IEq&&UR2#V=HA9m267ESSyra zQIgb36vOrgTcTo9WjvdTdbjX~_ybKy8r251&I)6z+??x|;seIXT5dKbM569ibF zX1UY*Z{ei^R@?FKsxHN{00BiEM?ll0rktEhoa6{AN9PH1Fzwu!!w}Z8h-9rqE#;}J zsgx?1Jg?@IPXZq(W+);GxMheB4){`}%1V4tJR?pfcBf1DU4MP+2*N%>g+IMo*Z1D8 zB|+S^cS4X*dGy&udLF%Vlsu_}#yBA5cEgwsu}-TgQDF_c?`dmGolK!rRTN@7E}QhA ze;|k39tyuw zsEkX@GE)-=F!ECefuD5!%oJ-h@=W>kj`u!t!A2c_;MXAFpe`8i!Pa%m^c6NrN)8o{ zzf9#!)D(;cvsHySSW^efY&5k#7=0lgAPGrflx6PmGUQ~lJ`^7kfk(qaVP~^f+egcE zJG~34xt0CdkS#b$cDGKM*Xpo$8}(_mx~N;bNHy!yu>B_R9~fi( z`^;{(*SdvF?kU!H>uxP}gXGaSZisn*{kqeqPeI@2^Y^+heQf%(XV1Btb;tqJ54)@D z?VccKT=NE;4~2eVtkUMeuFp`a$fri7tU>tPDSY3hf;+NuU`r2sl*V6+IUSLQj!`m&mqb&h*$>hlEx1sCbx!dxlC(ITeZQCFnTntyLac67cPs@*$`3LL!GDpoFsQ30RTll$$w*s*F>& zA2f*zy$|&@{8AV!*5n;$0 zqyKf)_3EmRbdWEfbEt2z0#{tb$}nA20avK0h?J&=u84G|q!wz>YScP8l;?8BqQB|P zsDDA!C`*Wr7rR~AvW^(^FDyRJi?Myl6Z2!o>dh!XV#Uj1c~Ij>_nKd1vpjbw55W-Lh|%GIu5E61iw50w1d z!!!6;q_!UYyVoIKR*}DBTYYpV1BdT)rztU`mb8a|{mTCO?AyJ*D^G5@-~oMc;@VD~ zHSSiJ{Z&9fE0Jf)x1Guhxg81+2bZ3QJ?RRCvMylC)mC4l;ZIL9MG?Id%tKy5!}mV} zUWTrJ$-WJjMjUuo>)E5dJ3Kwt#W2CR76sqa1NFL*te z06<>sAzYD&m8*rvSi)rz_e%--NdO#-VS8KHc*Xk@ZXv1U(uh=_wk43eEI+r9z)EGJ z_LKYTr%-tnBX=r$Kn27iPcGi{@q$UExrWZHx{4IuK7*G*Qc6Wt(MYLmI)%+rOciUE 
zj~Ad*ya2f1H$cO+g7tnC;PV88?iVI-ZGDX%bj&D&Q%mCTO{ICqp}+{mGO8TG0+UsLPVH%z7MJCRSx&rJwdbqWOY10*Lbk_p7P`aCD7qlFPHu zjpBR2>}S=Zx4Ksu+k`=|H8ckwN+1s(VwL|*_Fc<8zVEH(caf16CE^Tq16-gAI1${0 zSjkl$iWXZZIjcvIC5ue%AZePA71OFVO$;YIS(aaOT2QzoK#|VZ@&Eq6S0spx`}|CS zZXtHy#rII*p#bhVJe#QzjT-}ZDYAG$H`7Hg4K(0z6uQtG^PgbU0;0?3iWlCMe?Uud>DR&<94kr^&i&z>p71MCj^y_vkY;YCUi<&#OLu?|&i5 zbEdk(@CS*H!V1{9aDwDgOreR9FCkv8p00^t9bPIAQ*5l^OBZI3wu`OrI)EnHYw9Nf zm8&vc1YPP|-Dm>SEVqkLgmAx(gs!ir&qIi37dlBFgttk2K*QjrCisuTY!~YcR|+;& zCpfdR7P2Z@)JmB7kP36DY)00UuN5_-va&I8Y%DYMQsW?!#PN(G(o%*7)Jz6k0%&^r zy06AEz6_>T2nc7ZBhLU}qtu(iXo8pDA9QMFkjh7;dWBh2RhTpu*$!()RYzHos)GC| z%2Z_4#7GBP$y-zn&x`?_Xce0jNeMt}9}&7~$&ke8h>*mnNsqKYP))d+yW4)o=S#L^ z-)(B*hhL);)UA+Yj}Hi3ud-7E0P()%j!PA0mDoxRN!$lvnI*y@5=2XdIf z@=Ciy#~|8`wvR6DxCv55+rlyhhN~TkAL9kSysKaUsM>g}pjBb1wh)chN{FHn)u3lq z65L3cVOGNkiz$2j3jO%1QCX&e|6%LKdLFo0@MOrwIcNr8(7!A-sngl}uRlPuuI z3TC(-@EYm4TF`F4qR;t2%3fdy?fVkIT2*%H15nnHCvH`krL4K$ib00la7tsHW9L6@qOs5w8Im*v% zQ2+8eMbc{P_4@XyyZwp?6mM)8+rFcDZ`V~+cc0caM(}>He`{-KkSF8_Xe1usi9Zrz zy9&B&ssoz@Z^@rqTFQI0uyk76^Z(?1NZ&@t4DS`7Ps*4YebVYm**ATP0?fnS)xGCnj}?aP zHQD3yxkw-Ew!V(j#y8RRIjQ+>A3ck}<$<8su|PIPA1vJIdB;q;S+BEle4i+{%Bb#O za((Q&n9>?JuDMk!BJ4GE=$I(#Vz)aC#Ck+yK`?gB;r!~>vqA4Qq;G~+V(&&;2Pq0%y{Rp`` zo)mGEg*h=!_Py=Y)}ZQSPeXuHgc@UFYFF>sYpLFKjYd-&3ys$f#3c?S<{F2vVMT)u zmCQU9ZrZCpHS#`(`z}Ubc5l&sLiA0{xY=5PO^2|F{rdLn)J}-)3}rh~4H@7e!;1oz zhyJlTrZFHejhtdiD@$c111<^&S~ZsCsh2Emv5FD`o=4RK<};Pd4{Z_=&+GzGSYz%1 zDQirt*Z}^*oQqHAeza@+h^hf|nUY;EZoFCpLkhn~5a`xMkjI=1-3D39?W(Kq)P?${ z`7~sLCrFx}9jUWls02^s&)qC}%#c-i9MD4{imSPq$5!Mye-W?qtOC0iGd%g6A@{{F zL&Z0xeo%B`iTScTF?+*zX_ci$L{9 zY^>Spoo2qxdtZ1&^D6w;B5OAbGgK2x5GC&&9un4f`wPpj*^i5>&MT;l_W zhFpfy=g4gpXMx=$0$@mL)`B4gWQSF20$@OhNMn8S8%yTIHj9d7MufQbXfNeV?Qhu~ zAFN}pLnHCw5rz+UUj7yBe}f$f^`!l6I_|oy+?sq3HeQB=AguH{A{yK-$`;*HTZoU( zF@A?a+JMVgTw}aB9a|d^v`1SJc+i7<1@iK(peJ@Nh?rVd!e)W`BI$whwM*xRZi|X@ zmMMG6${_8?Pr3HwQG1{w!L^bMmD;s&Z{~)S?%!DTTJEaKpSQR`8nx=vx;vD6*WqXFeGDf7l&inE}=Vgc$zwDUjufOQ3( 
zjyjTsw%t`Ua<7+Ns;j=Yb7Ou$k_%@kq*fx6cKI8G{S#mU zLQNerZm6_LgXl!@_g7$LFz(!Nz+6zUvNt>x4L%bUd8H@Pf5i&&C}-S z1bcJnJ=`Q6m>^{OF(kIikvcS0zkK6GqsgMo^z8{xcAx(ZcB9Al*L%NPTR`eVr!Mrq zKP}JREMyAbKKiNi3Q*miyU`iU{VR{ZQJZv)r(3|5{PBAusG#Gc0F{BsZJ1=321;fD zY&Z&D;E#@GH1{NCCLbb#f1nJV==V^ z^83FRmUI36L$Zx0jX$bbD&m54YPeQc%JV{IT@sO~FW;t}MownQvqlMU3UoKojCLAG z=Yk0$$R{8>p8!^f*C)}Ci*uUq&l>^v=F)haBe^8eB`6)#`@fI>Fn&Q%i&*ZUquK-e zWW5Wt9+1j~=Y;N6Jtj9Tno4RqofXVj<*CQAE>^NGl1OM^uR|ZRF*J2WiC}fw=QQS~ z#Ojk#Nyj;jsgaF4pnC4jr2!akiEHVkv5|aLH&zhIc$0t$nDncqF1lN0*tus5tWYUo zjfNyX2%R&C>|~eDF9;)RzxLL&L(S=|m1dZtg8hh!-0+)DNlhv}ijC*oF;%^_VyAF$ zW3G0rK1rJlKu5EZv5ftiXOg=(=_@-8+jZ{OQULv=jbOpgmeYw8`-H0%;@qTNk`Tr9 z;B-^=$&4z_hw6#?10&|ck(ya-Pe)|Vswg&F5zMeohci!O?rw}eS+``I(;Pv`SjJxP zBk5h7#O;lsl?FWBI-I;i;-{9NvdJn!miiJ2%vC#5OmO}Q?f^fqoci^;lmKElK@(TN zDSmDBDwPX#x2X+`l-$l{{X&V<>LElamfUuMGtMTmqYt=WhGvlCB5Ntc9;l3NR)p}k|1YnKZjVYCc(^&`Y z1G5BB9r(y%4n=?mgJ#mXC$b1oQ2xFBHJZs6HQ+BP&Tcn6N=w_DN$v=e<{)7yAHt#s z1J#0S5&tx|woAvVg&nYIn|GKY@+15Zbdc_VO+nP~x<5SdP!oT=Xuq4#6dbF{1o#fz zMqOM+W{VRZ^ zOf@ti)FnSSK)XLae+pji-zPT{HAgY+R{m@BQ>9!Dw+_%V1$a2UZ<$nnC#?%7D-rf%oUK? 
zsbzQTV)jdQAp@MvN?0vUu4%`ovGyv;&P_fn;>oYP%K=#rJ{nB zCByXWzBKdkt8N9WYZ*FhAgzVxDYgHZiqo_%M-M-9k%fJ`_fY=+;V6*g~hb z{C4HUn=0UE%Jb_>PhQ~vuV2pQI-KGYcQqWg?UwCy2VWm@opeqVY6~h2)+%F=R+Z!T z#XH5*b^B8KWux5GaG;#|qabjst&a0^Qb{Nj*IUy~NhdR&3gCulC$tBaw7Y4vW}YCk z$JxwhBvnIQj@*oqxv4UGWHbO5FjfcfVgu^-=aIXzyzQ`mWu^R(U%5~4ndLm2wJkNO zhkk&cMfZ)X*G6yiS_2}zyexpxN_%3+xX?GQp(gZP_%4A2{n*Ge6c}XEIcx~6+5A`} zoYiIWd@z)VB_b_DCFrMpl32zS6UtOonySzi%sWH8p!yA5XTG(#o;1_Cg&!hw-vMWN z1e_&KXoeEHH;i8q~}Z67NVnD)YbuXZp0RsZ)9 z1ZGvsMuLVHlUt0%i{a02kC1{wH(kb^xJnI}a-q7lQh0{J= zM~(QYH1yc8r9&n}k={jBJB=eEa|LAe$O5GRo_DWoEMsH4xw*Wgge5?(zoCm=vf#Ol zMm37i_P5tsK%3I>?JjHTNb4)^4?RA*NdHi|tP}dd(E`~WOH2iB$U_&tpX<#a{J~Y4 zecMAH*PJ$NCF8VO@=0yC+MdGcdPPpDunLz#;VWavSJNan&3Bv59~OScEScIg}8<~)x6;{S*YAbTDqy&WM*{-RCE=b2DYFIFAVCK zD3VYdWt24`jOWh#*T`H9d3_T0fALH^$rpWh+sREUC8dXRFXAXz7|h0c_a!^Gh=khx zxi_vDHd(9*OG121EVM%u6t;G(^fk889b609U$Cqaf-8rtseaAud>ff=N{@-Q} zc9ZXuBPUHJB%IE_JQUJpNB(q4Xy}Y{9xF`ifwevnXUTAN+TDJS$dLoMDnkn3s&o=3 z7d}V_`oekGMr!k8B!EUYGR|u`4nHi*2iH&Yx6m)%tr;4TmMWO+Rkvk2hiDjecNQlx z910;oco1ihMo3~w7bW>p0i&G^eKH1*$6^?Y3T>4Ty(pK&md%jm=FI4ka!LRg5U*6M z;}St`E+HuydLSJ%7V#+`zU2c^ZAGs;F)Gv;TF~50l^x+W4$#qeoeuG0htNO#T@6BA zhCe@$3g|-4=T9@Fp>hkm(@G^LGn!M`8Rg)xA_%OS;4ap&%4ubpP({@D$t$@evNvd! 
zAJkMzPAM!d>3G3laXVZgMnU~cj zER%|Jo82o|?LO1IGT11e=_omS{dHiaIyF3Q6+7fqAC-+xS!F1FH{py^sgbn~uCRlr zo_HVQFJ3=W$yJLK^Zj1_1{)4yyS-^W?;n%hyFfJ3^{SG-P>Oc}Y(xyGC%?GR&HS2J zducVL=4OVcAUoh_zKFt1EN7#nNNJ<5s;I9>Xvm?+l(;ps`lOovv%pYdYo2nnu_f6U+0H!$4Xb34?I+5;&+)q2 z-uYiXf91jTN!>njR;U1mBG*srDm9mrraC&zZ06vfwtm)R7}_J)ETUIHb3y*Ae*QMs zu3T$$($O*tWxf9)`ju>iOMiB~&W*_YTaE><&S5XP zzC=5o7M7&X6%&TW7CW*NYfRWcT-+({b!9OAlWS6s(3IbX>3V5}q~>wMlri87t>CFU zrG{vX1ovo(Q2HMf_r&7DfeUs!gLzQ zbK4$v8 zt3JgqLQM#*qTQYOZKz8fS)AW+H!yxd=we*Jvh;GV_Ku?m;=Ff1v6cJ8>q3K^%4sO9 zm)2c!&PJgDE+BLXsT@1m&S?TCuS7M;X#l;8qb9c-@J4sZIOaw}szzn@>mG!Hr$;+# z@sp)iB^yY=o;t^1M4oXc5^^=2uC-Ql%96J0chf8YMAd$2sv+ZS4(wzefR)14c1k<< zo2BNb3aXj}qQBT{a$95eO$Gd6Y9y_6r0hd)HuLT_Vk0lGbnFXA7cLSX8`1k=3U#|` z3^toJXTX%Xt)4o+^nBaF(^6T5lFr3@1FFIrsd{ULb%0(iSVOm|hS|68Ps8|45I+qo z%$zA4N9*}KeIqHE+{Qz?spw=T{6{MA7$VBEM)8a$)XvLNC`3fQ_w=^r;*)Aq(FrB0 zb{@*-&T~RJ(aUGgS^iUUkZ&J4{B>XKv{JWMz`r%2>$+qu1F@ms+p}2n3w#Yeh4FM0 zHm#!G{8dX>sEWUxx&tv<7td4l{)0`=(@oU?8CFdJ{hl}~q7GCpH3N3qfFwSE*!A9> zt1GKd(j^nm+_*wuvapc3e)jAYyrfX=o5-)Tm7Db2fONg0%!#wewhQeD47{lFRoQhHYwDf`aJt=bXx?-kDtYil8xmt;vp3~Q=4{0ZqcC|#KJAacnn|JY% zn{^3ZGhozy+dUBXIoh&UcbUS_Gh||jVf;aD$XLd*@3E@tm@Z4!mbf*mhHnAF>YxE! z1}(LQOBP=8=IEyNlbW+@Xh3ubV?--7G{J$UiBgrE;s)S%y*A|b&*+i)|EEadlV@4C zygcZJnDOZElVp%9g4D=fBhQo7c}AN+N`#VanyFPL1k@sI6Xy_E<$3xH3<@P zHVq7kP3Ux!G*oJ4f};!@c~`a|Gr1*_Ha$lGltciei0iJGdz!O(i)S=uNX|~fsXfXD zUR#F^F@E6K9?%w;(QCuj{mQhD$MN1=ew#pv2-gk+VWyR+fcx$fqy@nKwmzCk2|1f3 z8dxHgr+Rg`Y9opR4I%{8C&^2(gp=2#hA-5TLQW}>wmb|hzs=jY*NcS+Tk6#aKaAQW20_a`@5iSQ(t-v$*d$O2JcJ=G)(YcJM;fbURKAavb)y z3pkJ5=Id%o@-u9>SAvYJm9r#$fCGQUBiho);(!!t#nIkln%_tKvD~?6> zsNQFwtD-dnVq-!$&%`mbX!CMoCO1BJsYS|DN|B;dIrY|clj7^6-&%`Z%bMa*JNGrS zHA3>B=~C_3scwfQ$5G^TvpK_-vD>#>^w)V6l_(XPMxMe0T=$DWuK3O9aCL}p@Dm-} zRb-kjoj~O^cuujvFtkU%^kQNw?&HW6+j%ydh9LWFrP|Hb z`lsjs?pckCzt7Q~hdFNP?yc~nd5jM4_YHZLDk*g#^!mod+I8}2G;c9R7GQG>*Fr>? 
zY$!Kgxq-pdrq$i$=xc(5;wu%u_ol+MX}eHZRlV}>k1Ix783`}lw68U-Kwuw^@!6X< zpP_~agyFKY?PeL(-yEiO`|+`Y9Wxn0gI?bA3^(}wT&LZxo{z{C`U&RFoNGcxO>ELw zOc~BhCL{|{uSZR>ot(~uB&rYAiKB)1O&wK7YGPRE>B93PQy^83x)+HubBX77upg+r z1<%yWuffSYDtj|@!)5xRW^(<>{tQYq%3nx($@{dn8le*OpChdWgKAO}JqSwP=sS7R zx9`@4%WZ-1Tlgs61nI#;wyym0bToMrbj{YeW3OtMmRW*AFu)NRy5-(Uu~U#ggbJRS zPclz8ot(@Z?)rON0;h4xp~TX}WdzP3rG}=Oj3JtMhH99wGnaIJOZy&TmawFpB?zNe zfql}EoF&)~Rc@AG)P~*O)--!mTNjG;r;cfQxDh>)2X-5Qy9m7x^4ijYI3;}bQImsJ z+n0O}?g4v(h?9z`7USJC(%tE-%Eluxt*<9}G{Hlj_;0dm&5Nko#4yRDv%9N?9mSrr z`;o5{-9&h{60Fp{Qfr2;h)jP3lf|tPqSP0ngu2jCIp5j6#?0RO@qVd3Wh;a>+@CJo zlc5zu_{$v2%TlN9lJ1PRzV@(-Nct#+P>U&iw!X_g?W)~b>$`6^nlx)0YqmI_s0yAl zBClm*3zty2E3@Uv=|c**)S(C2(u%4yVRT*lkzWL{6!j@eXU*6Jl98w>@63!KoXr!< zB^AK|rbCE@E6e7dIqDB>86$$a56rnrX1Fm4-GfldQ!;4)56S|NAM-rDLz(`F<&;e1 zoi*joFtzA&s|P{g&5|Tu3YvYKL-sbvh*OWE;UoRPp~NoMUC6y1k%lF!VEbPXRmQ1> zYHn@L9m;Lh+BZ84{|0)ALJY2P&{? zUfP@>ze*OMtGuwWLUK0kgGgh)lSBi79t0Abcn-0vg*|_V!M{dt>2f7(8zk(&Lo5P| z+(o;{jU>B+-Z*03D3b5x;|F&-%B5tyt~>p$|ISiB+W!%?Q=6cT_J7~+-6td-rH#X0 z-}bcbaE`3x5U@BmA?C_quy@f}K-&jdg@oD&VY82uxnF#KCi2bV%#uM`reCkb*sW_L zPo4T{ILW>nm<-UAumrgX{~Tp%S2jEw7JHaB_;oVlie=ggWrUHcP^T9POv5s#saWRt zXWUWG!JW#~ZdlBT!{$ULG*i7*F6vv?CQ#`5_xa*Y&-<;85qbZ;rs2Dvt@=K+tRvdi zb_zTM8YLo=jduY;U9Y>e#gyg#v5JD=(H{RyKySVpQAq}8_Ch0{znX+k-ndwzp*K-yaZB`@Fl|RZc!W5 z(TUrwTLnF?jYwVUH@s5k!zzf) z<9v`!RY^58On{?CB!s zbOVH@_NkIUiXL#$3?{blZ5)McDIyQ!Wyt2+Ll1B((a01op1b{Oox_0&{aDrCOtKxi)KO%cUhpaIids7g4iiD!m$8f4!- zND9o7w-B10htz#ocy1-clLw|`1Ae1ji^*fri!ok45X1QoFq!N23kzBx){V!Tc?ZLb zlgn@DgE`gXo(rYE4D2PafFLy@rf4UyUq$|ZPqpYfZ1q}Jhkb$?@OX;#Fy29TP`6K& zs^XsL#Nm4$MxMW0vwVN1yOl6?z~#W3K18Gc;$G&wWL%N9xFHOJQn>`J=|SiMgp*Yu zCz98wK)RqpA{9v1Y$T~S#zP-WdcP~DZz!w|!{KtuQ%eTvY)wbycJ$6>zQvuMA#E>7 z_3(xBeA;olbcH3(g(b0{=QR?$DV`}xJBK?l)j}<%46=S*pxL&DqZs4&kQ&Rrtc=Jh za`c;YUA{ZCWTHh2JzY?LBJ((cf|G$7Bg~T+ak#?l0V1_=tA2?za=9V10EofnLi!Le zE4Whav4TRPF&SZ)GkLFbBu7dVHP}!E|O7cf3z98uznE&iIgEG-qmh(h@~c z^ zYmt^~Hn4%%80usym)yYnTj~+>7YwH}3VNr6_23`I84aCvV49&Nb4zpxS2Z+n`Q5kF 
zp|N^2yRWHCE7th0U^MSSG4%{dC9`COO3xUgmJJ0pll8mY1U4dZyg5csx9heFuQ=S} zCq{dWBRwk&R$^~Z$mwj`ZZtTQyMQYpu4}tzF?5)=EF(w?JX9cugh5R=uxd-{pt`WJ z0FNLN0o3Tg7uC0|&lp`KqQ^q{IgaBFd!mBK-)#0&Z&mxB+x=8FGqBYLdHFc)P?7A*d4(X zfYwF~M~`SRYbIzcg*-3>^O)$#CDdSW)s=h5>%#DChC&iFVxThya{lwEbH6gqoE5=x z`h7lM-mg;E^`fnB)5HFcyoLm(kj9nA^lb0M0oibyp~Y$T!#ri7NBKAwiqW61K_wO^NlMBW6n1cSf#{k}g? z`L6p1Ydh{-VjEV-pcHtE%p3MH!yq`?{lj(qniDBlQz=UkmL46sp3<_`wx=DqPG%B% z=bbO3IndFJOdnY3ieWaUrpTwiDA6ZH64u8q0aPpls94a(ac3@Ue{|q#$xybZs?;yc zn7Sf-GZRSjTsX$6Ht%iM-}m>WXuo%F9CDVabS=$tsSqN)lt$^2aK0PZM~P2UZ<4<62Vzxf)z=D5L6}G6p`;68k+_1F8e>;5lY#l{hI+@OfZ6UP)f&8 z6#k0JF$WFg@leTsvuD5IDWs7*!U@pZt531-xKxn|Hx_xG>fU!z`0Ch)1@VJl!JxJ> zvZ5LzKvc8#w6^@1gH%ue)(2YXw4`v4oGaQeSQdT1Q~Q_py8mg7C~v8=B~9<=ik08KZEJWbQIS;&> z+gud$r$wfzs*-$&fxV#ILskHhb0Z`wDTm5g#f6|R9D`ewlj_hvrZsdaJXj^zg6JZu z5;`JruUeloJ;q4F}L?}xGCO?6S@9s5s_I|ltlue*s`L`KCBoM@NF&>#<2S`~`O zzy9C@N(^lc>b-i=&`+O^zM*7~6XuiG?u%PNPPX~tBFWKyDM*dD81$bTH3VH(Yf;bT zYqhW|%xwwdg9-Xe6nLlu8g@q#UTSPyu6)pNG|oeTemDt{Ik<{20k9mwe<^|xspzVC zO%)QyJu;{g`CT=l7uo_OZ{yXPuwIPitp%fI8qu2np+anHrkA6EEz>2p1!4TiY67!g zE|vWVxkt#bd3Ai4`$K^4Ws^IFO<9JfWA;#;HOK6S=ZT@7cKa4(_#dxFInjUuj~(rn z?b;`*2D6dsH?NB|hnw%?LU5T;g{dBuJ4IC%eqI;;L-0=I?LWXfuAbj|{M9zG3-zFn z0%!Rb+7@S=2C8Dqfj39MU5yyKI9&_v+v(V}eYfA^c*0<<@_5@1 z5cPBh{kZ?}_xXf~58y!DUB>m@%C?&uFP_O*L%&aGP#jpZfg7!T#aOl+r>mbW+J;$u zeEQh^3k&ugg8-ffKPK~4F4mWD8Czz!V27Tix13xjtf z1Vq`W`72U0gEoAlU}d7#+`4VLoM@XX_BHXCyNj7Ce#6-H#~;)k>F;{iDyeW3>xai_ z`Fh0ImGq6nSp!JThE3n`)LI=;Z@_ad8_Hrx<7*yJ-tR{50ZHH~N!PiH86+vb%+r*`Xn%l^4J6Y=TxA%9Wj3U z>36-L@E!L7w*_l@D^LX}hUFNt_}BOu<^~VdnVz!B}Io< zVHSpz$Zp#E;nNgoj|LhO3>XM{PU9-s&ooYrj&bsIycY z=c{9dyZBz?LkzIr3)IZJHVcp`kIwEn)G`w;VOUXm20{~W=2!#cL{al^1Ru3A#lfVU zb96NDbUVF_g?XFhzfo_DUJcOyJsbY#*>ZimOU1VW)+0m;5EYggclK3Kp>Al_t_!OL z2%)48hKg#z_8BJ_w$qg;!-q83cSx+|jB|Kru;1LBy7VY$2*N)qmaYkmp}|DMfj4(BM`qvFK+BxBhf6ua;q-!Q5{-C69Ua!+_ll+^9O@n)5@J%q{QVJ!a3 z)E@A6ko!Ox%E%-o*P(5YQD^>?jS%mNkNVC*2d7w|whp}zY5woVorzmz8}(qJ-(~ru zo^%57Un0=m%Jrg}*j;|OeoPW6zn 
zIIQ8_=^K?*<^)$u>%o;aUyK#Sq+Os#COCX>&^~|h(u9TwcOJ?l`#l;_*dJN<9ZGxt z>^;G_fJi+Xu^ph>Kv18+lSZ$Gg3*KHvo2Jqy8P*PTUf}8|HF+^y>!9yG0U0i#QqOX zltEF->a1*Tin0Fm5|c~`J(<0Q5;wj!VvarJH_ZEDj$^*Aj+jt z0UJpK|Ek0pfOefb4ziub4;5#I%lsN# z>XOsErU0JyB=x6$Ag`6y6Yp&PVuZ7yRlCp9panp^)shjj$}=7x3@SIL+Hm7D#C^V> z>MH-=9XY+4F6jCOBrWPYs`s0L_=JBqq1KtRHT0o~S;<6fs|xPtBrO2bTvCHa4+Ylm zNi14mx8@IoWYA`{$~#&66?yRN-M-@(_K0#jfK#8#$Z=SP*7xR(fw2(2UlBb%|2e%r zXRGOo#27VCEcT9x)ID?6_3{_6dUtCRKdzy_?LVMT(KN2?FCZ4v%zI^flp%@`Ys7+F zI5!uj4b$To`5KGY1DkLQ?Hgj3QGpoZ&5cJUk}RM5Ibh4hfAHGCReziF;XZ2ie4J0!Fypr|yIL0Bk}1yfdUMOCedk{Uc(n1GSM41Rh_2u+YGh&*d! zh#iI6LzWbcb7KU9oS5wP;Y;(sq$O@7G*VW&uWh_ewH%{GBKUW>`{QSNJ?K=x?@@9! zlQyq<2ygG^L=M@P&$8b1xN}VB;Lnc%V%$eL=bMRR@TgbWY+F|(ES=+I%EPxmY_C=7 z?eJpe?O`^cZ=c-5$P_IWkRkC_&=WvGh*G8!AHueuRzFgq^U|E3YlmR7i;zk?K{ zB#z+rmJ%=0ZvojpEhdw5-sDD5X85dpIknx6yf7sAahld4Sy6Sa`%p zhJ?o^Ox4~x9EdB5b`k1YH<*W#43DDv-;QgtIidwu*EyvZPRqda+7^V2zoi|YuaY70 zBmO&1)}XEHtv@DmgOwBxXx2l#uts=B(Y`0ol%xga`KYz)d`6%_N=O!uGxt5(>TV=2 zJEP3!T`bDBC(C$d!-m5X=~hpBl5fR=2r?zQoY$JGY2xa!|77aj#odOFft!ztR3i$d zL(?dXY+5U=7N}Wwt@U!P6j{~y-CAyx1$7MtTj$7W3Wjd?2^bL z?s}-M6H-(4kTWWn(#T`WtoE)tiJJ(~m|e~SXCtA0pOrulu%qcSAn9ED%`?MZ3#M|@ z;u5jxFu|kzEi(mcZAcqNXia_rxud77^Wf&7=>bhZwVUp^BsmNOwgSev>D&X+y{5)r zYIGd|kd3poTB+h2%&s(R{)?V%)fhcTlgFAyT zWFkxU2#-S}IBi`t63=83xN2@lpafC!#a=f%7o~@+3lcyV_k3kt7XHskL2Drmp-#e} zo~`Ke)16f?okSAEydP*d)@3SR^&$X;o1B@@8#e`SJ4AkU99}`*-PS(~-LA#Hx}7w< z`?DT7e)eGO_5XCgnpt-B>0Y^hmHgPJJ(?wG+5=$&T}=F3!MhCxWn7y3!2Z$pd-NYp z*q)W^Q9ij~U>fP2^Q=m%^;xaWOCK0F>=m6t%8B147L{WJO*eF($XqTtAdz%Z!$5W@ z83#X(gwj9?an&>@dktQ&g|NAnyU*IdcWT%lAF?jT+5bKEX5*92fBGHGHz>hO(`a!S z1`en`eI*uS(YH*+fs!H|296Bx3NCRpf_;~qB@M-ALHjq>x}lG^%+>bbBO~L0O%Aw% zq;^&W;p8~Cgp$Yz5p<*@ZvB95;#k<|3p=(Sg7uHplp1 zA%`Zg8i$?LToi4x`~L5kDGMWk3jzsZ{Hv*=CUorA9Qeb`h_VBD6Rq8LC?yL|dD5AbS(`leY!oUBh7p;TaprCvQYd^757+ zW6_z0W`xI0F|=FImE86JPLuo?WomOSpOaq+Pbd2`nRzuO57Td@k+l*u+WF)R+h3uf zx+bX>VyUHuim@)Y5?-HKK>^8aUe1+mkUQD?`K)i} z_a={Ex|O=4V40~?V(utrM0|DV0!j%{>k&lVmenOzWmjSx1h|k?1dzm&F%&5x6 
zx);6VKT6Aj{1Y&+U1Lv0vYl?U%9Qy>KPuq*RR+~wKv2Lns(?MQuA zklhw2Rey%&vIr}<+Fvi4Xwh{GiRYOUsi9}$tzmcbXBUF*Rs&3)lnztKl z6?jj!y`$fuQ{U(3X!#&Kno2s#w7x+8C+by5P#&fe8zjDQ_i!DpX}PU8g%tNLQz=G$;^Ymn*(_?px^-J?<930H@+H_)&{R zr-uSUnwyb+$u8$)K6WL%47)>%3CA)uxKO}(1fVbxwi0V8r!W=gy+)MVDTHMB4J%fXwV8{0T|%epJk&O4KK0$_496nmH@E9SZfQs z71*djwZQg%hk`js0vY#Y>LFS^u{AOl|E-20%>eT4EOtxNKWfkRsdnE7Zvbj2ba9?W z2qEO#{)qP=_+z^O&uuMM^}t_mf*@B4>5R?eb&N;ZNZ@=|*D`<=;qd@S@khScsq3X` ziKB`M;SnFOMA&o~SIg6H;#v1e*ALg>>*Mt!Ogb)D?nB+79cwxj&u?uu0HXE`ciOcH zwM(~Cx}zAi8gIV!o`N*3G^nP1En=!9(~#Yo#o zNq}=WIMM5g)(QA6+d+}rym#_l!;6PM3pMVm3Py&^tU%{Rr! z^PmIr2O}t7R7ejG(+$}CR{o=1u6eaJ*4y^Rp%uV}GF~Lej5J>J!Cv8IU@vm!A}WHW zPJ9+biGW^Tf)zf`SQYRvYVy3Qf{CP=4fYBrz+Q8W7d7my^dBHCPZ%z8HRg2u26bZF z>6Gp~8YEf_;#OwuSKb}yz%RS`rPyZTSP2A!|N5q2x2hmf8XRJ6$(;F<%hbJY($0LB$;)x$so5TR3mFP^VQ7Y{oF zU|-M@1Au(N6lLK;Y_@2kk3f{mg~n8~M*i(QjMb zdrd_NmhxVyNoKcV-49T|!Q89$Q-(%}f~C3)=10yPizKYGs9{MB2*uIteDh*V%Y0>Q< zEEPGFjIuZ@i~s$F>)i&c8nC6wqwy{Fi&#kx@qz(&I?wEx@2)Bq#dhk&hk{`VGx!f=k8`n zkqz@Cmv^BZqlTTZV^d-$*|B*fTC~`{9dkA|BnOeNYmH2eqcbC~RO=21-=K}5j;1Zw zTWszL*9rNXY10H=1Cc7Eciz;f(h(cHtQUS%i>9W=8xAn@X)g&ao)r{(;G1Q$TYyI; zW0-}!dV=L87l)nVNE5kWYSJ>U$~hrBO6E?O#o@<+5!>| z>$U}y*q?ium-j%6+S3K36bC?V=$ytjY8e}|QlL)Vp!iK^;A52rk- zk0*YW2Pv#^ZWRjBC_)wPHn+0Jwr{mSyOJucTAP|Z(L=Yw>w|}~2R2s~>k6c9Bp6wd z`ub>fPHp>sr*Cs&^?>dQPB$F?=9AI`QKhsH6*65Nbr)wy4O#&tloPARcGInJNved^ zzz4uY11PGk0A>j6MjLq_RJSqU(0|lR04q7HbKUje&{39#`YIfjWs9J%czbBaRJcXB$2ZrWVNk++oKKoYikx6R zE`u$TGgo<)G(ixuKqNkkn=E5Rn8qv*ilmIIIt{qH;wQ3U%h8X4EtA7K307`g>rs?n zcLrlm7>;=`W?GEOa*-190&g<8(587vdVK!$NhLlMk)V~{LKgu5`BtLn$}4wU??xq^ z#&@RDK-!XMX6+JiIt%5}TfM0;eNuNrO~m2*Q)w4`EdqYK;ExpR;>q91(J|qI!XaF1 zms?BHMJ`yO=cwy%TqRO^&s}y#=QU9N&QsUp;MMQHU^NdPTC^- zRm&wHn+ATR-BRe~>%T(t+XZ0B#9vzj4pq!@%CW)K!X!fgN&(Cjo!UuhNE2nQ(BLXZ z3!F2+EFc9Xl1k&QlG-WvLN{F+WMtnN>9_mBI7c$EX)0;sF0R?TRkAPTVs>v zDPRL-UFX2WNud+$>t!%;a^^ItGvEqhfzN?gy@*+vW)UlzCd&PyD#9#t+gBSV9{m`Y zI63U3eWhvK4r~o!VCUh+X|X-rIN7R`l>as&rzl%{2qyq|(U7b`zd>(o%X+Gst5e>| 
zN5|s+0e0r4gLP%PeQ6YR|18xU_|9#shG21xIxy|K%4fZ>Z@Pkn$zgRtoE&P?K|~j8 z!4``_U#&r*l~KjP(R#L=E(I7cg=b>}7Y$=VV>!~^T1!-gY`2}Vin?(TjEolLUak=< z=`4xC);}wQ^X>M|q~7$WMs)pJ?g$`zSEY1^CLCAXtJwb@uAuE#Z?*~;p`ux%X+9p+ z*8u#(aK7pNw(^!jKF{+{YX2NLP4xa#IJ$A$4HLY#t#a?Zz5V%p|4yZf(OJj6DSr=a zH_&aP!jC;YbgHY(axFJ)ryv#5Pqk4U;3MqeHE@Hgu@Altjm$M2-PPFogc#g;%Cesg z+$SYYFzc5A_sN+nKdM9!rA$P1!eS9*tZc%BiMo)NZV~5x?M7EbHgG@sF~EIt*h#Za z38JNd%cfLa1Yb=W_<7iUTI}S)AjiX_qB|bNdn+x;J1~9U#oCZ}AKPFbozp1dxY8>B zvFB8XtHU`Jdg=hcJA}ueaZW#!D#5k|kQYb;cylp;w=};Mn7R?iaNy%wEWa93RSyS> zyrOqiYu7^_FEv!_d84V6-&_q1+11?x{c#1dB2c=eL$6MNY5}mjUp}nX5F2 zc@;~mAj(F%eNZRp^MJ*X@T;^;gzvjs%SJW;Kl(8Md~(=H`#=evZy)Ai>}fGgVnEmg zSI5_51@7`3z4`5L`wf#l-IZF-^3LSj@kZ3Hphyn&F=&+bbLD9{m`oJ2~v6y`luwzJ;*GuLx;$Se;wPFcZe= zY|y*oL8Tta9f|nn-O~H^>sQz?y}sgM#}9dIj~sy%jGcZX4`M)1Q*TGA^sisv4HNfb zs}NKW)9UvD+?t9+DVq_H#t0TJSKF%F(%|6iFkkQqiU|!2UyTAzgwo9;Pd;2^;RBi` z1$tpGbW0iUbN3`RU!`xgxH7nU{g<0xKT(=}KIJDVa)Mr8h5{#N&axyfQ$Jxz*3>L6 ztCHnm5V0hzqN2`49!}}CjRKE;3<{ha*6>mjTJ2uVd)4smR$6?x15-LZ4*^b#fdk^8 zuqFkE15K~~7JJ9S^XrNQ4V_sjPr>TJv6pQl)Sa63kKyz^d|lGP(F=KZbR`0wae;Ay zBmM7G@h?J__GL{44BSiPPeUD<@=UsFhwci8IDaJ+B$ZOoIZbg%p%YZ}GWat&b5)di znaW#2C@%(3s8O>r_I*~1g2xe0;-Yp(h+`Z69RC>jGdZkVMJHBsnu?NxxK)%E0~OWq zAg8X9BitzV9&WsEOKI;n-EOU-oZF{PXXXYfbz^BYHIW(%q->W!ZUH>G#Xn@=- z#j;c<{ZAOB9EQ2}UcMtW{s?FU6Sp7C9A3}C%eXdQ*Wr8C^FOrfA<(efe-o8+ zfQghzAz!b{q>w_>CMCWMiA>HM7J2B0(vc790KEAuXIvCMYnqsgk|%yV(FrZKk;w6n zK_ZjGPM8$;YECpM^N`52*u<$%3jPM}tSPhJsXF^L@B622Qx9d`FAiTTibfpxV-0Utu$AbraSnyfh?NBNtIE>XC{Fu{OJvrV2s(r+W_$hNmCK zy+V2H4z9eK<#M+g9uN%49$%ua8?zqT%xLex5wT1t_Z*I1Qs@Nbz6@GS&RjPU_X{DI zAC=Ny2#TELX_PUk>H)8sqzQ9(xm0XJi{l>yEhdMZP;Qd3*5uQMjYuf=JWw(H7Jv^` zH|xgG;>{PgqLTyR)<0SYbf{(6Sla7$+fq6W^>_lS{2HO}_Vco*+<+k4104*L04T;E?GhVkAF=>Q1kVKQJK;!)%m9UxYIUm*Yovn8r>YP=NK z#zWU1++)MP8e4v=2{+wBC|k+YD`F*3|-PR~yxng^~aIul~OIWzFVtZ%XFEsnwdvul-=0(hP1_s4uk z8J;e@2_gXSmm@4NX4_# z$So|mLW3k78a>EXHGw~z!lqos1SWE};%c6FKUP>?dmq)0iopF~5y;I5^--+?d~0YP zkT$L!p?s^iP}2Bs9PNh?e^ULd8M4@CwT%OOVMWgqJcJLtLLDgNud*L^<^k%a%NxTNfhP2 
z^b<=CX(;KihfU3rDvOGs$`disS0=Vm(D9E!L6gHeZ8g~r`XpOD5C2Sy?c<-}b$sp? zZFOv%4~}s@HT&Ch=%m>8N_$D$eKi7UhhkCPhg1f&+2W|P3||7Ei;w%O49b!fVT zuHvWVa;Grs=GO*D^U9X`+sMtgOs^yMaW~E3bjr2rA-<@#Kv!i>R)L< z@e|LcLV@52j#Z7(u}QAS7qTuoQMRlvAMY?U_g@ z9I*`K(Z`2-He>re=4qJ3;Y29XMqI}~260Ue>okyO3*9<|CamMx zBrNA-6FiN@C=6dqL$klCTO*r~)mN?5mmTTy6V3cyS@j z3`wDmjRUmTgjdDqwemB}uvePin{Qqg;)7MuE3^C(lTKZ9y-`!$u@Od*)^j0-`_SM8 zF@_ualib*h=`viazuedzVBnX*9st;`uKll_p!q33 z!!@DO{cqK^WOPQPIjMkI8{CF|2SAFg9qyJ_wuND$lJ-l;TZsJsxYVT(Thku}Fy&*{ z6uT4U*ttYUcSbfk7*ONg-)gdvD|5}mJ5a5n?HHm$@CQ;`0++A6Y6;aQY6V5?x@gwE z820A!yX4QhCklKW;2wF8U?^2E(0o;i zhV81v@>sM&+1xn*cv9#Dn|m1mo}4-M^H4-V&7!1{HkZc*%M(9ibrfV_RTYuXQ>V>M zYyf=nV*v2vuuhvxFUDzeNinz0rNxZ79Z~P5Gl9mnA-=?2P*0A2swD;$LT3VM%Hi6v zR(gx1MuWf7i-j^W5ZdTlG#j8Z$1OFrDDSW3;$QnUuf)Iqi)oSaFHZA~tJ7g`u-99G z{-XE`Itu_2ecv+67bm}Y?>)4glb)9}e%EA-%r>*^v zO6!NN<<^_o>+GPCkVl^603!Kp@%pOdhF(7oyj6WT0a4p-?eMy^09`#`;t*`Nhr-)- zhqppg**~0U<1-B{07vVm9@{JiOe14=hL3CbGNgGN83_%u6y%W9VZ+$9cibjA)RaKg zkrLAeF}V!BPtIJFX}pgt zjPf5a)~TLRwW{{to5EmxIZ&J&8f(kE@_xT!;NS?rFXQcjktc2Z)o9@v10xV$q` z=mcYQS-Al@b5qq(ocTG+Gl;8;red5oDN8aQXHAx-aqLb!CU&_&@?**k$YI^ahy=}l zy8G>?ufM-P)*}7ZCFizAPUdnaUpXmyzVC%SdNu4pdtI6=+~xu4J=Z(<=vdJQoneHa zGtO$&^T687Y~#25$+8V#0hMa~HdZOVg|#RivO(zgP4ytq2LZA78kL|&_+p}dZ{Y#n zU3>Oxf_o{v2~9(ek+he$GqqsgD%NG2hb^TJuF=qYU0wts+IO${5HQScI51T|2*pBN z?B1*n>gY%v!x#FoJNSy^?oafsW~rQ*f}b zk>8)wJk75_NG_{DAZKohR0LrrSdnBQR8MnOMq$F5CNH=snzW4F9n=%M0wMV^6$s?8 zZu3M|1WcHxc?Afx*tB_~M9=YrG~eQJ+cag3s0I9g&>CHh)I$Tr3f-G6+=zAmb=|hE zHa+V4|7F9D*swX345ZKrHte!W26E;&Nc^a5a+XDi?FxLxo1$S!lQoqnlQ>D;eTEae zk|Fsql?>#tZW~5c6-?N$c|{Dg7zVlA?Knx{L(M~SvAxWq+WMeH6@Zvv_wrI~FnTfs zM(&4PB6W|OdT8%=69VyWz(j7qq};sowt_DWHlotJ3y=Y*5X*j$1br+2`&@S2cU-1w z2{(MCe|IcNx@`47tmNhRuw(lvg#l1{JGQ4XZ8|9+0QuNXHJ%T0Pc8$wlQRc}sIsca zSe2v^aKhFs4;!B)ah-}P2t}4mxFR;lJ^3*pcXHUji!EGlX-%f7z7;3YBZ<@`MJJTm ziE{tEX&>d5{Iy+uC)Ak|*WGnL?@GCYy+^1wRAWhhq|!;R;fcm-LyVg)O#BuJvez5z zCIUD{L#Yq%aM5uBl|-&-=q+i~_kaP#8|YPRezSw_a3dqQW^TcR76y6Lvx-%{?pkmW 
z9#l_UY#OyNNC;j%sK%CtoKlOe)Ygz&OZ{8DrgsNTDOJ;ey>~YtE}M2Eo*{8#s1>oz1Rta z+z3O%bfV5;?p6!zkYHs`H6ys@<@I439um+&?o^uojy5gRCiybdJUMe%rFE2~oCR49L^w&w zcpO$tn&UjHtGp^E=P>VPAR9b|HVGTe;Olvkv2y5N3gfkVC1n?m=SwlwP-+(~b`0$?*Z;AGS)5 z0Vo@C{o)gc4Yx6%qq%ns-e~CWJ@}==y5N5H-5?JJ965raMw%}>udiD^>9?t9f9y6O zXy9@_(0hd>g788i}~2^y~7RNrc0m*At z)V0rov`QjB6t$nb;i8F+{Z4)i_M04b(x^~^zZ-6<8%4B47?ycBaQZEL{`8xHD@{al zs3EZSA3SpCSApd41I^Z#yRY9oIR#eA^?T5t;cO=C#N^jDS{(4$x%A4P`CA%)!rWok}{<5+M>G&6t72e}%~vg6i<9QRY>47+QhnSoAbFYP^c z`#6k=8Xx4(cC&@NmVVXd*JiC(mRjnMj9>6aq!u5V4G~`7@2-@F z$iv&%@g+kn8hoCy*k%s~?k#sc_AOH3<61?{bpS{g0m4f%=1#00+fBDpRn_CY^Y33j z{`CIq$1CrT+b>sx!Mw781sE*WI5NVlknh4}R%rE@G%M+4z-w~mFixvFk3!ZY&%#NMV+A~0e(o-wJh%T>dMf3DxQDb=L$|TjKkugz{AvRlRRIu&RlGK}2{>1G_H^)zWRgExg&9#es1&-$%1!L;Mz zFAcR0O1bBx3<~w0>F5xx7SrbBGUzlpbHx4J&xK%uXPm_uFIibvf)%09Qw}~#9=Oek z4V_MZ40M_tcG8?sf+v}ic@Sz^>>P7Ka?_t>PE@yTd4Qt+A+BeKn28N?_h7>k!q7~7D~I07Te%K}Nqj%HNqF(0_wXT&zgt0UTKf*FsskJn z%X4^{Zbsmrj&4w$sN^0Tvi?IJetdTI%#_y8!6egfYFh6v!z7b4OE1As0Fx~8DrRvU z%G-%A8WuEuU2#7QYW0?G9Rw6?eHb$*<7NM_3B08csBMJmldF6=;9H#L)1cIC5B2!=MdQFP zP`PWx#5e?#)!MIZ)1l%P+pb&mW5X9yp$nx}h-yJF$>9w4r#9kVCCMQAYGO%Sop^?P z(g{&Ggi4+p&XR+1Yof%e8ijSGAjJ*KYASv?nINP4Eo+2RkV~cE8oQ zADG&?S*{L`gyD-fI|%5VUhWFGEa|GY5GPMxu!sm!1@h6A`gIYXr-hIEkAysf)~w>q%|Iboyfu)8w#|7M2p+ zyRHxhb{=q=7JC8gaoAUC5OA!>o7U)24e6OfY~V3n!MN>kRXG|$p?oX%*L^U^%f+Y~ z6={>e`bmSkQ;oA#D*lP9<&Ku*2+rn3`>HW6jNAwiJO}8G4s?AHdIWGN7|=F3?4%{31W&Of^HAHg*kopk z6g|;?*bxYY$1{zezRTOrO5Q(o)0n!pn$|fnK;)9X9arDML)3|UFbQzG!i7A)y!|QF z(*R}9|c(8BVcq@#n5poJXQUb=RWDCM3*n@w-i zY4yGg08Gxzvq(f?4Mm~AEmWjFD-%(%u!%zskiaII2*KC@;Pl4;fXQJe)teGLMZM=C zfN8O5^(JAqr>M807gdSjg$ho(^bc=nSLmvne5od@=oCf}qOAHi5SM_D6DELK_CKuC zbPRhQnNf~^aB~Fq3!$8S)#Y9*_<94yRM-#i0gmB*%>G~<7V>BBvCwMvY$yl8VX$r0 z!NVO)j#Zlb46WXK$R5Gck)!U(RHGnJcnL6_G3ks?ihmfcdD{Q5n0s|87>uFlvW;If z;smhK@9-EvJ@?qwcwM4w(%CR%TCt`L(q%AYa%SO6iv#TaQBvhBE*t4@5qT;5&6 zkflK##nPZ;N#LgDNp19T`eV??JA!!xXq8^0{s^l4;h`ApRuw#HUisEnxkZw0}p%{!g$g$C>ChE;O 
z48VM3ZF(89mYms7vbqkT0eBXsEap6wx0}LeL6Zk{C?Y=&CvG=3vNruO$XasP&tnGy zQkQQW^1pV~_p|Cw-e%6cGBt|IKbM!O9rU_+=sLx}tRjHQ3>=wU6D^la_n!g&&sw=iFS8OOQg$S& z@1O-DGTuY-WvOhFVZK+*F^(XPkG{BZc_y%7dLZe{a|2|oF9@19isJZSf4Da5cSI55ap}X3P2UV=GkGjHP|FLvz>4FC$ zY$L63)IDoHLO8t)AxzF3Wo0T#zhOxd)hy2QhUGlxtSXDLDY8iZ!X4MmY=m(3V-UjR zuqT>ET7InTJ8m9HNw;~V#VGSgO4y`2s=|;fva0rerCT;ah+?^0dOB{?nEksF@IR@1 z>hwoad7+wZw;S(2yV7e+MbmL>NiGVmN$U*|=d2faGg$}@R|)fVsCHq!y=s*ch7gAe zmUKGCil4_%uFxWwGKsylZh8M*+Ld1p8uE;^{zy84fIu}HTn4p~R&kkqP_POTftgsL z(>GG{m^LJPLl0~l^`=`}A)dXej3K4$eS;1MdkuoRrxkv4tJ<@cKNKrSBi=4CHl>0; z{IP4HjoKqJA^ip4A{3U5b*O|zBEK(JG@2BeHcHuL_+oPAq!CG&2Mufdrcm8Qc$$YS zFL@K>Wt~TXo7g$C@x|GX!55Rmo@$gx`AMTR4`WP=4b1k0Z90X(xt6a?8icI^%bDa1 zCSOa-UX3V~O1dnHWv^F7mT1QK;suSmGG;H`0m5dHAZW$+4m$p}?BslZ^hPJYe*Sy^ z&SIMg44^2)td0rt5II3W39OXbz~} zw!7#w;)CxGg3)giMVBW5_SB7xuzHmIjq3hM*g8t;&)>YS6^F*k z;%EWUt#ieTR<#|Z3?4lzVd!Z3XuOz?O`XkQue*<_WRXrr)!yDyL1;$5S;AtGfOUF0 zJB7bnJqW(oK0FT}8whchYtR#9H^iN5TDd{Ux4u#?kcKgHWL5>E^I|ZtJEr|okIyAP zN~s*pFixr5d|+~R88DfgITJxt1%ATPEU8!=h=LVK8MCCwqpWE%F0u)gvw_JOh0Z%w z2`&xoE0y0=aBD zGE0h_plO!@RLPm+ItR*wSi1IU%Hpt2SsBPVfiF_c`1R}UIP0yPRY5PL>!^8r$O&3@8F-VNIro#W&U3-Cq7I}VS!S##LwTuA zc$$ff=c0Bq?q)W4GouM(Pt!7*A=jm4l+=k@MlX6w%gBi-Eu#eVfnrjQP zhPgqrgL8_N6yW4xkIH_ic~JVSojGo*L;!=W)`g+(dbiPULr1GrD>l;>vPWfRDkBQ5 zBZ1M4I-$;|MkPf~(4EVWk>t!}6o@FVBGy0xF%H6#yd+Vt~>lN?gN@Ol0AkSgvt<>&^<#u*L5O_GS!3 zAVL^#af;@5(e(uSh@2Isk;~pZYgJN(SKG0}Y5&k|wrndl%Yl%l1A43#gUn#tLsto< zW~RUW8oT?oh{5ci_}cs|2ZO+hW@-eso4UM4*r-lF?u`a&e6ThMSuY@r1YK?6GxB+R z&~A{oL*KgnuAETbS|KF2UUbjknNnI!y&Y$ac|O1}y9{7R&Mf>oDYB?ybzBJ+M`6YC zJP(+>;H6Dg#g#vGCfWeQjKUtBs@F6xsY|aZsT1{@Ui6e+lVHN3VfD=yhh9_SznaRX z_mA>yF$d9qbSn+V#d{SvknKvJUnZ@LF+;u?a>NuA$nm1tqQj=nI7y}6`;}4TD~qN} zVFFOA#*#x0X>ClZb9?Ro?0{Utgk4nEXw{r=gOv?P_a~o5H-k77CC^ssF`QaBADWk4 z2F)X97D*5%abB}9jx!dEDrH3w<*dv@-*19S1gV?zF0-L|nFC*Tk`_|(ZY`vwPSiqr z(NkJTPE6??CGY`}5ceY=z6Prp5XTX9R0oAtMkwdDKSD%vKRT9x9dON!Olq1@^B3b{ z=K=-t#m{th>9g*W4$Qsl8c8ZUIP6F@nnN8)3Z0-vmjT?!nG>GnNu4%K6ln$JJ6viI 
zF!@(aR04rYmAldMnGJBuXsFg{YDCGq)rgWhQH|(DPpJ_(@o(}R`+BVN(g%msdraPM zb}JoLw}L08=?UyvuJ2OE56O?N3HD)JLqf3A1lY~s%k5S*UsYpR(xwQoB9L!is`u54 z=*gJSxO%CR16r$@wUGIdfX_u=2w|DqA7{6U3Yq zwe%)MlErmZm35I7PL0cL+*D2>Ax_jdQr@X?q||8|=UDWF#*vcm|NIJGqeJaT(GNoy z9eZo3rnLyZ&^CN!z$hmAN|qV#pva5OdjyKSRwvO4?^f7HUH1gI`eRJ5m&0Qn7qLWc}$|lEuMAsbeNG? zsV=J59L}n|V(&61Jy~64FKXjzQz~~hYK4?ILE|n%t&lU9byk*s5V9sK3t*n{Ss{Xi zmC$Wrd!;cQTS501|D(J|N0&!Z-w_CkEt0Fj@~3RL7&tqMCG;GuT$J(q(Rioqas;e_lr(q62y}>l{Fr{>J4)q=>bb@+bhHxQg z7O4pRG$~ocGpL9Hil|gNvLY{{g4aAwQ#Zmkw-GM+g$Nf?-mRXOAzU1bo>EV8V(LJo z1pZJk5_!3LkheA1e|IVzugZAWpeOn|XT|IZl_a_U4hL`hkxlzIvE>-aH1tiVw8Q1H zwYz+m-41$hYog90Nd#Cb0b=o_VbHu)n9e^~)2PtM+@jB3^9s;9>|s=2zLYD4A8!At zntb=0-Fk3%+a*4bR{yf8GpBV_##zEyQUS$oRSH%V zWywSu*L7a_p~y40zS}sP{6d@!DG#6yLfJ`piB7b=*Tocsvd;$DOifH^Jc%TF=sKOX zTtdmA-5*zH6o#;kZk=XTKk8>4m}52eZM?J+ron~#fp`xyvu=ku-u}mzukQ>~fL!1b zj&FTDW3F?k>)UhEkyvd{!|=vwHT+RN@^~XfUPh_r(xcujIAmVr*C^*2LedJ$u8|0+ z(i)7Q{w!?`kR|k6Y@`I2_K%`t|0JI3BRtmC$Rt&wjgr449u+-~dpY2XCHK;ckb@5& z{XZ!CF{f=eDRhDfxeP=^&TQ_?h$z1hL`2Fv zObE%icA5#9jUbwum@pwE+(&Z)+zPCa!-iTG?FX+^JA0`Y*tg!apReKLy3g5RyBxx7 zkSoAy9u?j`ScL+K?+@=ih{d`eutek;tm=NPV;r4zfOW`Ej7NGu%ri8Q9t*cAC8QpO zKE&rkk@Cx+NaW0UBEm3;Y6h2U7R&23%jNZ&74mkS%F8v}t=$@ELy__ep-7~>Ljxz^ zKvNnx8;3MCF`mX|p2BMIN9dQMFSQcfn?mc4MQo;65lexZIH>*N zSxX>0fnDRFy0EK1p}gUsR^VC$Pg!9qsZ?!OtGcx%MG-_k1g%-~!9e+CU?6g46Om$Y zFJ`g488a?##w?W=W4IT?wb-p$HW(>WT z+QamtW2m2{%yIoeh6qEWhhwW-qWlx|nA7|pE57a@I>XSnH1}l10X&|uYH$S5LG0*h z)55?0XDA*Cq9PS`a4F5yUY+_9eO0ML+H1JuGmIVuvNM1{uyr`>*d#R28$uGqJ zkn$f@BUVE9$S%5AE<|YDY}C*B(|vFV-Pw$Ny1r?sV?0zt6-P09*uIe=zRj5*b+e|q zW*&l3L)zuoU68N(Zux}V7~8EJ4RvrMj0O%TB2I+)8qJP3M1xVYttj$1qTD!}=e22$ zU>s>mFXv#2NTCx{^D;~kIdd7urHJHJkB3>q;#_KFSp+2$fiLfRjUVxep53{PDatRz z6p`|7)ug1HsyQ1;bpCW7973OjXNNsC)JP#q`@H@hKUj2au% zIa@j**sjYiMK~dKOytyEB-!a>y6jY7sOauG9LshWu@=4m2%B)R+eSlN`NY9?g~$~yrKrCfk^G}QxWC^_=n zUC4&gdt|@6yW4e9DZ@s6r1*RzDr@fvIt;?H*E$oU)m{ATR>J_-5W8DT%IMF>3zL4~ zI}UT$(hlZ7x6)1`N97#1-9_w@|L78(jOn=RhyLIma$OXR*4FudX)|mdn0!FQJg!y$ 
z2z1fC8JF*eJ7vAV6Uf)Ae$U+J2k$PNTHYukjmZACsOy1loj{vK)KnefEQO#pdLCdiaWf`Rf3-hp`O}b#5hl=GalSS@@Oj9FL~!xMDWEWK#6?Ru$*n;G0Gp-=FO_D&;o@5vql;Kp}bD(xQjjNhR!d5ktum$Da$cD@pb6eC60f6txd@U%6kqyg; zYLxVR|8?8;?cIZ-K43KVpPKZ10Lt!qnrn*9YY+77>(kw+_05Lg-}c#ETH-~ToS#E_ z;@Zk0^Psth!9PDu2Bzpus}2nh$(^wsAoxgGV^>rj^lTz6vI6DZJw{m}W`(uqk4P8n>zh&roK~KQtIw!~UW*Tb5VY8>}aU2c0nRw)@I>U@G0Gu#vPD5`NBffMx;IqmKK5>AbdT z9ZoEO;M|o_=b+U^yHlwy(FL%R%Ss#}Fvo9&oM?dPi-Lp4XMeW>PTU&nylbW~O%sP)p`41~Fh?T`EZgcOG?5Btl8_GwqCSI`*U zwu6gtV`>YSS#3Xy=#7!d8AwI(Iv&uzbkx4+fz?&RMx-mg!*4dKdx;m4R>7zs~?E`xIPo9*YqHLZ8U>bWgNf3k7Ka0&H2|~+N zp^`}C1(SIx^emQhR>eGGQI%F%F7v98?sV*xO%kkTk_4f=dlo}dS0Asz#5I{A=(2Sg ze9&hZy@9#x;;6rL(@&R^7ENfd!su{8(oYl0$}Q3*TIkjHId3=S%eocA-@)Vs8IC^= zoevMR?}JG9)w35vHSInb3T1TYI>5lWD|T>n>#{GG+jEBwvg=BXN3oy1>EK8;qD)Pd zt=d-&H51QxhdG>cdS%+m;QeUF!{u<%(oeu$r7ZtxW|%d9zU&<%_0U!abvK?Prn42R zd2B^!d0-?mVmUG5IWb<>f|XpvRi$boIl1Quo2^*QWGg~>_Z)$w@EkFjs_3%SXYa%p zrhdjEVf^*sRM4%Q^Z^yf;wB%GUID+s@EB<3%R11Hr;$TS#yn~r-u9lu(fwiPf+F)H zU%(;_cAm~<*FNGN_B*g1RHu_3MzDc`zJ1{cS8q_m#{~ZQg^Ie~l%5vI{X*xb$pXiHuG;0#$#y_#lV@*QK12d8l z3yP&>l(H(!Lsp1L2p%dTLAfTDB(zwQ^vj%y1N%zuC6!o84yHwzX|`8#mjwt<7$;ZEkJ0UGII~FMYb5Iiqvt%>4c{BA|t% zk$kR8g|4Cwrg`vzw|6rt$DtP+Md>kVM7N&8O9V=49QHqJ){Lk&7Sz7aD3#V<^Rd8@ zeeXHH)PDUCN7*!_({6X7Aks>SCHps!j+PV4YUdSxZ-VL4r<$_py%meFoa|OoSza0s z!97e)V0H%^s=XbeHFf>V|2QJZ$e zLuljCQ#;)-jL_rk2yx5B)59NeY<%K56riq$&Du_eJ(! z+H7ymy%s0?WXK-ezYq;@HnV(J86D#EMA_kkTfR$X$Xjs~x>#aT(uit=w*OvMRHIwDe^EwX;8_sopiOjIVM?Fh&CsgJ#FXK=g$fvBVViFq^Uyl9 z&5_`Z*m#`mNB|IVB7?*5n-5}&7>%mcnY-5t{#joQF6vn%#U0Kj$f$`Zy^##H{4?05 zWl|_TU`&zad^@f^Jyo)_{#aojj(ZC33u_fbM`E=?(# zdXp#z#fz~+AFXw~< z>v3;7_tJJcN-a9%_YoqM+9ztfN6{-X!;!Rd42D|CLVYoBi^CuM-jt~x`@}NcWf*_! 
zwj!>N4?wfE#svR$P9kf9O%@z0w}#C+)jVw_7G91=_FFJNf3n}ePl{rm~1Mj*V7oAi(4I-ys%)k4&<8H$bwsr^L z`V|2?>WxJk=ODwF{VzujSsMP4r znr_hu+7a@CPm%liVdOZU;Qbxu2gzuBe)pke4z@zkrM3?pQBwi(L*y$%n@1k4X2$Y} zRezM`MzNvI6NhZ#F`iVZ^{h60cQ4??S<1r+;r`ArPjjJm=#QsxjKY8c?(0gETUl9> zLnVdIBlpwrvbOkd8e;xy9Na=0Z|*cRqW-+b%gm_YkM1uc1C_J^54_E~m5IPxuWM*P zP9Nvbxos0R*7@-1j2>f&nI2N~B77zwmdWIJQ>8X$34c;VK04Fo2}5gHo!6i=@G7^* zak&|zw5}pqx^?a2en}0nj}Y1>#g?}?Z1Z?%)x2Q4cF5byE1oKiP0*p|#^R`#BCdV= zJQIPFec<>9$HgAq;B^bp&y(ggft@ormFBIf;t0pmwIjzHzl|F(!35ZK@BGKF?GqwZ zv&ThnvyZapBZ#VBRoA=ojXDdyBLjW2-BD)u+V0zYA}YqVyIk=ffeS1FzW-c{w#Ljb zUU)-mNj84N#;x8edq=1Y;l%vt*U_;;QsY;3OOmF4-Wzr|G4mn*3-a^^q>`Q<;qY8p zXIFfP=a4nHZ}x5tmoc<;?;9;B``v6wa|RK_0K`w>Y6??0ZvA9t;65U{&Qsv zXul|em=3;|Y&h+WiVDJSw|J{yK37Y9xZOc_zoUvcPx!AYcetXYW3zUvVlq+@ejsa{iY9ro`j#flO!HDzqG#Q>E%sme(^Zo>bPwp zUqYYM#@oKGR-nsA7B-MWi#`Ou2gjP6jXVH{Nm}%WB$CzL#`b98b?_%Lm)iHLBgj*@ zEi%g|T@X~(+Hyyp2X5{42j+|X^p#3Jd1Jt(Dd5Nl_^X?)TYKa5&Wl*s(l5y)t9Qv5 zIy@0Uv3@5)yGb|%OVOi1^$(FBYA6eZ%4g8hnZ{>t8zeuJ?n^8gSGa{j44$~be|Dj) z;utpJx=^D;U=zu_hEf?1(Gb-xnDsPbcRrH5!gQ=HW<#}Z2CZNrBGtke%}Tpp7;aDK zQGIHkLhU}k15&6@pHZ^7* z-Y)@jq3W=GM_uANG&~lBGkR_4<1sVkwQMH|+dF|{l1EOMe}+4iVME?&qYoRN@((IU zvnUUtq@cc5f%rA}c=4-{ny-{1WP(BVu6N)o{X5=pXr_fJ9 z9m!)sKg~v6sM@H0&2#95funFte8bfV6#bX#KN=nu!gmuMMots=Ja*5%iSvdQN1;~l z>Ho;jwKt-R_--!`Y74agOn`e#YudgI7KVE%_9n<}yng!!)0~hvCUq#UP!^C`>e!Y) z3um1<@;4~;J64(nF&8kwX~30uW`jnbizPw|w}MLP7bT zIfnwZ*WaFJZ(#m;v)JB(B&Y4b*@2_Ld=2@s;h3^eZLJ}?=WC8iomitI z=mheXJ$Mur7jix;83G|T9~l0fwc@NZ{l4Tr8HJMMfan@*szr#gO^VcOK#`D)078s{ zOXMcpsHG?borf?)WHw^V7?5@o2Nhp>FNJsSi9t+DdEF84=u?!3K_0EM5c@bq5Z3JB zOHMs!aHvKvRnS2R_0>$V>ZnF)(v2sw)~mJ0RHH>5BAoW!)RohJc()hN~AF|k3logRK z9rwqo8qa);A@9GBfFJ>pZ`@sGVy3RjcpVN6TV*mtYH;b_Br$RqG86TFMu+&$o&k(U zuP0*narFH^Xa7E5O!z~@r^nMFBIE!fyn=D9+hro@6`U(ju5|_}SFD~`Y;CC}Dn+qM z*_g8>+7d^p2gO;eR)oOOK^j130VO)((-uCW_b@OG<4J%2q2AU{Lu?@rm-$%S19z7$FSxdiz*E_ zA48w}=S?)1UqRljCTE^AS`8Z#o(*@GG-{bCeo3jtE&?G(X*w&MI1-VcAukOg4UL4( 
zo{zV%Kxp1~`D9bsxqRUvw-13l(AEt}8;Hbdvf~{mah}HL@I~rv?YP3udA0JRvkwNR zcrhaOq&Ui&_yk;6lRmnAF+F^|(bz4=Q8TSVux(H#$&$ZXeP1L@p(A{A2*Romf(?v? zk96p-xU2l3`EIUb5ky2cAqLeN)P=v|chjZsVAcUhdLPGXLy6zSX-yr7+npgC)Bk7$ zh|=_#5NmRNNWt!qosk$*kj~tlprJrxyCpz^QMeAc~%u_d(`bzFhsRU_+Nkv zTn=p5m^$<(hCPoktJ-RA_y<8x;bM8`l4xEfl2u?L)Srge;euq%{MEfZ6jlgorl9nI zjVsx;IjD;gC$&l;-tKmPxWem)Jpwhh$z9)Djs#O{xe;w7!0+Bi}$#hllQQ3*3$gZi1eUaLwS+0 zfpp_v^>IcQM7RQG*R`;Fk)fTZOAuOqSI1aAI^MKb6RnPYa z6y8q5M3~X*%VFh@PJ{22II{4UYul$nJDaiRIb`x-aoN_68_*<+P^z^5U~Kr~2mp*L zHtUP+=+*Y(gXo6z)O4qk*Ok_PDkII$<+m~hxwuIMX}AIO{x&hV08Q=Ax(Rfz23?pP zKmVJAO`rY^|K)|(uQoq;$0&7QRf3M35)lZ;D9T>^iEBfGaiTuyx`4XRcYf$LcJD+O zlM_JWbxuw6uvq=2*u8=PSPaFIYRk2RPiI_5Grp;J(}tmLwoyO@-8lrUD|qQ)14_OH zF+#V4ohddpl2t@v;*h9V_1sYn-$Z7|_-63qswK(bkvWO*0gbV(_ag!A>By|jngdHJ z|4gTq9dbrhz#9yGVM)@kKTe{l>pI6A!mp6Be&;Q#1|mdoY54+F;Q|a&);LiBBX_%` zaPmm?A)b|uzD(-b9rkz60g7#N1+8{;sX|aCwVo&`g)x4rjrkPbsG!R#4Ag=NuUXMPG1F&|x zj(LX45r~98J@ltA4^%BRNS0; zt0fnAVAdI;s35-p$x#HLd)O6Qq)(@*Ss~aco?#j(H!WUJNFBRSoSHzu$Rz^Ovj~7* z2#its9asgNC>;JTPu&k;G50&j?=sxC?V9X<}e zkuTR?KmM6I6hU+_dv=l1s_mB&wS=aIu)DFxAD1Ix-!OgL%v#P$;iqnHkR^6b zxh=Y!27bqm>~>5jD`ij_y<>F|JH#O}?&`vMTX`e)-9?eB zJTDcKNv4o3!&%gOcTqwnXUk*oMet@CyTgJBg<^zbTl&_Lr@+ zenJOVBjJ+q=V(<9PW(FW48>%k#0vP)aXe(7CLzK?pmym-8oOD$!FYQv;-c6l|Kvk+ z_r5*ryq#PrOB>~+D^*=fF}9beiJ!3)VHn_<(N58dzHyb4y>Nw;k_W({e8p{(cMlL7 zgK-3-+bC#TBbjq{ENhd|G>0cl(7U=@q8UGydutxx1UH5mIe(G}-mqtQ{Fw)(p5^K1 z`|;@6p5Wl21nk|}CEnzQ$hJ2AmYtt@$)t4HK2dOxStdivUTGJ9no>3iDd+quQzvht zT~&#lL7?8!$^_FDU=q<-V;?DMm7N6vb2X>@(-^U(ou@>uGTTMF zMyyQ!jW?Fp&Mn(=MRfgR#x*r^Py36>kCD+F2cjBBa`TQT{){7XkWW?ue^=URPgaE< zaC(WHa#-2ul&Vmx=L`}DuQJ{K%Vu&0xnwY@N_6~KuG1!reQ+Nl7)?S|{=rT||Y@aDOpq~gCS0D1s7^zlqn)1Y!9o}z?Oaj)S z?>tVr=g}Ow=7}B9>_T=FkttGlPCAjaIe`xz&Q=?%P0Rfbvdmdczm!or^qMcQz|z#g zJU~MDPN%JFkwMVDkueH1(NJa`B!AnM8e{I2~bdHWYv~$>3Od9s_F6 zo>oPcDaK(SUJemsP>C^+PY78yHc=+jb6C(cwCDR5-2J*9@5cFGY82-V}01 zF{X57(Z*tQy6?rKI)0)p_rG?Sg3O_0fB0_}sejFeVxTT`UySiP zd~3>FqM!N*zA;hVZ2IB9%2463wUn=!a` 
zfCk{v8kgT2fUY>OWsWo~_!Gjpjgk0KdKgV~#^34Bjd!FR5qu8I=281%fknz7KbBWN zI-MwWA*DsatkpR%)rLu8>TFWrtE@#1)Jj;6h~D3-_IOTtCv|al`s9m zMyEClOI`fBt5-DxK?nflQIr7J+$%y|d)owTg{^vBb>8ouDJ)d%0v}P8nqK7Q)SJMK z#mAhoqx&4O17biQS34jem>=M1ncx8i5Y$`PY3pf&|CcF?Y=CT`QLDf-oJ+8L5ajR# zH52MhW32|s=*RI?_2HXXLFfChxA1WAcjvQ|t9iW|ji$g(iK=bq=z>efXn`{dk8zg%uCOSvBM-)OXW!q*S+1gm zf6hj-ekA&c`p8XeeUj(*Z23O2=Lj!zvI~Z>nD^7oFppo#buOby9xi2fo13$Zvjp$S zvHkRiph}-4R#nIRo4+qM?LuQTKbcp>#i8QN$zkZYfEaPh80SCVS__tcL^^-B#I~`b zJ{(60=F#!5>Y><2-Y`)(F!@ZnX6}T=CcNlRE2kl=XxpV!up=c@Q-QT7@zssAN}Hd} zi;uz}xe1FMK{ZUZhFTWmW;F+x%oKBm6NCGiRkLLdjCos>iAD0$YPe1Y7Ev zQ7{Wf;h&p^r>ppYmM`lyiJm|SgjegAO(_PZ>fdH+iDKq1G+tPM#ApE$BLzu>m*gj8 zgBEfFhE$K-CMF`+eb}csV3_}Y*rP!TnkhB)gIAm4R8b||7AHmlQk0ze!SzqpmMH!- zbkHE?5gRDPN59LSn02lZ>7&pEM>lMstWni8Pmq+>mByPOpD8(lUUFwDJ91?Lu_oPz zYQatUf8KIn;f{sN-ZPksiK{K8&!z->!KVMIx!&W{bFplXDV3V4f9En*pKC1{75MPu z;x>rcHasj`o_+nb1@!W{2Y;$5f>U&re_}4Xdj}D(m@kZX8W?Ah*CDqUtrR~5{)-&n z5qI14oHcn%TX1ZDT(tXJH>HrSoslAay@fOFt40 z?W0L|;p?&ApfJ)Ejt4%9cbWuVQSA9BZSCVWB)ujpsbwO`lj!dpt=Kn& za&s1hkW+ki!3RtGEi!iqpQ2Ext}`yyb5uEB&DK&byVe+AB=Z!x&MvfdG6^6J5Nii= z-M)W5-n{PQLW|}-RiM1gA=Glmy1$oln;%}B#AMpU2D`eH55Q%d7~a|Ct`O=nse^i* zC?~X#Tgs9IYNH)xAB0q6F@H}9y$lw}xZs?bKH&@-e|kd!;8XJSIP6MiQ$LR{p%DCy zh#D$1s%wt#Uh6pa);NRw6fgg7#CkJyls25>x%FnqaT=~r1?$SKE@gqG91?qwIl;Ah zuF0^zbmHOm9`bmObEjjZ?o{2>md|k>CK<<25EPA%B1GG~r#y{M7mDy#|2q#gq$A4JzO-I@C+wE@`zS{z4X844BoRB0)qnFpe z3*POhLf#yY1XKVS5C3ff2|yr|ZJ#5n@E&B>L#5%>2N#Ob0&ytJ6a1TfZ&Qnpr3zu% zSA#i)@EoQ$0OWiUcgJ9}&X^~hRkY}(iHX=v^rkBKDc%|kccD1hsE3jX3Miw~GAIG# z-L#@XhL{TIKMzh}FxjD~1W~xnCYqlieoV)+7{J~SiIsF1)%q*bxP5*sD+i2pLgRmB zL8xstE-z)QlmW#^N}bgVbO?24Qe-J&O=16I7@FVGN)6dBM;ZNCEe4>el;sKHHw!iBI`@>oN7& z0G2r3lJ(xlv2%e1&YhtM?ig=<3;$GhK7mg0OsldFfu#?l^ zQw*pB)8a0q%5DQ@DssC&!#$VrvL#12g$oy58f`mLEHF6CLLUOpM_CtNv;+S0N^cj` z&-s_MTz2mp+@?YE4ie8w$Lq%MCSdS6fO@ZBC~KV|);J4|ISuXuRYphzgzb9$QqkoE z`Gv&`g(%r8-?Bp!ELBDY5r0mX5(!A9Age4?ya$uUj2yC2oRCYXFRT_X zI+fJO_%;k|rGtIprGr&&MgR497OP#1@(ukv4%Un)8aS!txF?%zB4mv!Y-DBL(Dhg0B3r-{*`&+ 
zSdyhwcgfznnl=G^q^I?Q(*r?-ZG$q-_}CGzebprc!|1)5lo!3(Honit%SZX(5JLtB zd$b2kk1zy=g?5-1{!6eXLe;=j*^p{f?<6fNi-E+#RA7pi!IFwW1i72p&>``^qkqI8 z@l=!cKb>Wfwa&pbZvi27$4Z@1e<~0!vwZB|2)D0j!?XcNR9~>1K11*p&qL zC`7Pbkb!^UPXuq;RPRaYBw~U@vKYTR zrko|KdCj@z#O;*{aFr5ao<6I*a!QM_t52AkXPEuk1ymHT~9AcVb3RYKFB*08NOfKNsMr z@RxkI^&Dn}p9#E)5TW+TKx432-dS_dY3P)nSqC>nhACJY6eyrMXGO*5B}IX5ntrIQ z6-7q{DvIZI-oX;xeWKmbB3f&%v(Ar<;nw5{9 z$aw9~;*d#n0v%ygtbkfL{IkLv7*||5fKf|>P*Wwdp5G2Ls*>7VCzrCi`gd3OUSWCr zH*Ega2>2J?2zZds8_#}SK(4Bn2G!-%mW)y0N2fQgM0>@HQZq{1Ox9my=DWNsn3g={ z3tF9FPJ{bd`IS%Z13`i;X=G!DoPf_@>Hg%Xt|-c+QW%Y*ol#qA& zRSpcg6xULo48t-KBhnTr?2{9t6Awjg`I{NDDUQ7sa5;!wwccidg9)XW5*t?p-SRde z$;|dEYiWJ@!!=#EAiQh+pZdKq{1fO_S00V4FeMHI(^d3R3$Lb2r`yzGSYt7a45d=h zO;brQ*SHkq$Knbs;Gqcwqkl5B6%`F;2usIN%MI;dc^DN(rJhK>NELAmD2^l z4H`zB62@;*_&12tq?C--YZ|@ePh2g#?I`s)S$i$2U4Ty|yjbYp4b|Q#SG{kAB~)YuF>b$bF<5025YLt4n4n z;fDJqMs#S|{)tS=8p0G{R7rwG+aN>6;sQVr2Q12D2cN<$}shcCsuuc1y2BXLKb_+Oiv$}2qMbb;CJ z+?R$^o_!>tpMbg*vo$B#Zx5$0S0Y=TKE&0O2%R>bbQym*`W&|7vb^LWta)oa$JF4N zurQI+C|^g>j@q}qHFPkjGi3SCXZ~2?V;-5~gHGB_(*6ZU_7uy2jkgDh-ZSqTJQLV? 
z$j^7epGI~L5Ai7f)p>}^@@%dkb|I=*U9m7|Dfaye<}TPeMiR*(t7`R?`hva}X#V`I z4ddh}q9fHjE`-Wcsto7o@zT#4CktS#(xv{lV6IP@SmKmYPmfSiA#Ye}GyHq?;sR(# zFXE&~4+gR+7<7IlLNz+5HulXnPfV>{V@QbLeD`<1D$S4ad4^*Iy67Q6t$*)Ouhma{Y zkdw24f~K}#Sjewgnt(Q&16)UvJ_Eu;PdBli*ImCFZdsi2b@t@Xj@__(#j{lxo8>~K zCTs)f(jZgE-l_-U%Pks~?J}N^8-lyICoe^R>x?oJG+8Dca*cuU@??1pg?`(V(t>DF z4e6Phw2OP@>681g@$P-1R07AiC!1z8N0Rh|gU`>YtF*wiu4rR=6#zTC!(QSQPEO3E841eB16medFuM9F4&zrpTi zJXyp3uh%05jaCUgcPPw`pLS=>?^^YGzhZtqe629z*)X66P@}S$+3X43*>c0UGailYl8u|*@FPk?bB*A7(i!Q2O60xz4Q?zAtTyzTGocR zUDy7e!b~@}u-o6>p=;!m#%_MkqrcNE`CV%~(pmF6;twDD!;XTfwM3@0PN?gxvH&?5 zMy-op@;$Jh#|V4&S1XN|UL#>A#60CAG@q}5KLzz}INF}8FPC=~d++~N4nGtZyl>9q zG<9Zbo({q9aQ3)0O~Eals0TR{rvP-PU6Lkf774~WOjT5!s3BjJEhwv!tEgkPwhQJ< z(UXsg(Lt_KPA-C?P6NsUJ%I5Eh`^1*&OlU1C9}xQee}$08sUcLc3yN|?JY#@^urX_v!NqUIZx*Y1IG)dzhsGf)mGL3!(Q3{^|pEt=vC1XlP06=om5gw?+WO zT*c`fPWrTv_#l8_d;t7SB)K~ zPXea#Tb4}TDRVVPI(vX6&QlX5A5jtsAM|FNG%6`>2ztDJGwQ%!EAd!<`}*D=ci7zK zEbYHe^Ap z=0s$j*v0kWa{wrRQ9Co!2Gz9iwO-S@`7`B@ir!nph&V!AzTN7Pn+r;baBf+OvWjAOt!34-|QXi`9U@rST@qOW~< zAX<}>E&Mg?11>+4W?Vo~(%WvxzNuTlFyoil*E~(fDF);+$COiKf-_o%L1 zodx_fonZ9-z++Iy0#-=E$fteuq zr~Nl?D%V9JKg|U=XosjKpdFG|m+nFp{)z(&fQ=xrjCUZ05SHqWs4b^7u>H9}3+e~c z{DGJH3Uxt;YnHRbl;vntmf|pY5tMCq-^jeaCEyidlgWZZ4=ba#iVGr7Ib~)hJmFQr z9r=1a+(-`8M%Un603=pN7Kz?AM*bdGNUpKtl5|t#f>!^Oru-|J8$?NaA%Wf!6%R?p zN4a$)gyYfKx$qbA!JtC&t7IarZUogr*yc^)#D$LrITbOfu!`LhzOiztb;z>&)S3U$ z`ZS8T-*&hjjp?5-nUHg(R~Njs4rN1m70{$|Qfzt9WW2I^R~|EEvWO@8Zj;DgWvwgn zG`kDF{Jmi`FoqwFw?6t84)4Mp3#p1nWCsNToNzKX(XX5Zlizyo?S7%I!eKDK!@kMF zGm_vpo#{{Bw}vvOevH*9-A`Rbke7I5c_Ve_mJz=u8`t*x?Z$F(75+cb#jnf9>ouq$_${wd-v@IlTNv()rI-EDs`D zo=kDKb$?`(e-E-rUxnXzoIvw7{WlM@spfTuvDFgU zTrFe~AxUC|g1(mWNuu^@>s3F_=&;?hHyjc$38GV0?x1ChEx$3|YKGc^g&Ux*+rrjs zM!=t&@x2MrAKDz(cFahd-qmOo?s#3#_p$cy8;mJ3r_H{{yt4OreJhyG(0;%Deu7#G z2v0~9XO_ZKO|$`ValGZyM{LGTYgb4!!hyD%gT>?2R_aHTR>B8)*MI+($k`RG_K*t% zV4{Ckry>|Kr_REdDeCrVZoiSF!rQ z`Hh75`H^-kk;)%@qQo-<~Jx}o}xe$Vq|JaVaRwu|Di#wic3xN`qq+o>G#P+ 
z#U)BTa-vPfmS9W(npQ2eDt~+=AM~$wBji&me_VV%a8r1x|MFkqUW8EA?UCOrTE%$f z7Q!pt(;@_2t|LP-lD!Pa$Wa6W>UrUpczHq3HW*apb4+1U6CqMUI$Qv0eN7fw#O2>v zZYYJ$tP%&uI!KZ)1?Gwws9<_4tu8lO=h){H$UxiwKqavg#jsiYCJE(o*j3`p&?a*% z2^K1bM;fVI_NF!#7?71N=#cr&GvQ&TWzn9L=Oj1Ce0?(JJYgq-2XDSwT7C;Dyi2h8 zKhV6E{vL-Jm>>_%{HR^On-XKcxbuy8wHk4HTQ(Vhi#|bqv&|hK)~$6``KO^#Px+6x z>WtpfL|(#gzEn1|dJLX~#V*X(O)*SB{SpisBtTs0RTM<4j$pNbK+LWqqOf!3y|Pt7 z=K$!is_o*OQu*057|3ZsnYkE4V=jiCLi7O-? zg?jk|&Z?A1?d@c|sC~%_p19!g9O5UACjQI&iM9NIly3#QsCQyu2ygkj$ME$G&TFSu zX9V3&y(pURitTlv8EMR|l}Rga^y^>#eqx`nABysXU|VDrLUFwTt;jX8tZ^Y-X4~P4 zBzLQgh(&C+_o?NDzA7~+f2zmShfk|3PD^*`HKtF5kSKg6^X9Z-Q+$T`F~3<%QkZPX{D~Mj!>TcT_Yuqrlb=JVBy@3>20y_k@WPDIjPh;u8QL#$*nF zEWXWJUQ=^9Bau2iamNA=LJ*bd+@hsdf=|C(4aY!D`WTmVMJA0uP)?RmQ%OAn(rXh| zgmTJAYH$_CPjJYpdMIpi$o~+|o~w&a@d2<7)SaU~DsvJVfN4R6i93F@_QK$FTWNFa z)|9i&-_TlAA0J$JD>Oyc$@tlPeu#gK?OmoZi#X1GJf-a-grw#d2=#A8hbZE{{@$Eg zbxt`ftiH|W)WAJscTTNul7Yt#wa_hZtY-U*_nIMaKXYt93@YUMhjy-!ofEyrF(L*~ z3C0Tkn$}pB5ac~Zbs!w4H5u+XJm1?N_bTLfpwF?2lnx+pzKNj zH|MDk#WcA;1UEgXx2Nk>-YVhB7Vd_zmJ^Q^5Y4P=X@ltg)!eC=Za!kBT3ikB5jE(lHHBS*cKEqSKNhtd|*|~wj z<^!Ns2tuB}lDJQ<_N!5tD#elD^}KOIuZJ_g?V!}Lqrid|-kq%rG0Cj34p~?kua_4{ z@LI*~O^QmQ32|;a=j@CKotKio@G8>8FFXec!wte8OZ+C>1Zl)MA+^g=zcQK%iCJ4M zw7}3bQL>_g{tvlpQF)V!t0WA!=B3CSBIrLJ^JYj0u41Vk?;p4OEq!)_zLz{%eHX#{ z8b#B}f(xhw`!x18*R5Yw3MAxX@dDY_?h7jcrs0+{<4FeR~~= z%hfS-wBxm<&sb(NQ%}m!aFUV9keE^@l6qzDMyIo?Smmg;yU(6O0QvVU`v5|0$j7ml zT|8ehk6`o@*+0z&z<}$LkQE?>S!U z{fc2Z%Gkwq$&7rfuEBzJ8%dOpKlC+ce{(Fz)mMNkd@b^ZiJ79S3h`fx`#13L9eVB<%>oiU8_K6RJbIh+&s!%2mFCC2HiVz}*q*iuD zlnZ++Ncy#U^d1o(h9ccGtd^c#0haYSzM{o>57C?jv^NQjLN8*V?+~N+OJ#OCs57K1 z-8Ps`i^!%Oh^8FD;NV{ZF{kcU#3m$YGj(PAiv<}Q=;`G&F$>KTb~&|TY;PAYqN45m zeO(p(|2x&u?+xDqI4Udy#LmCGuiAJ6OoKBh2JrJCgsOFdA8WC-KQjJ&RO|aDlFI=n zM-51JdrS=y3lH{Cssf$oK27{{6jfgPe=%#-`)(a}{)m{A=sb~bX8YPk~PE4w10f7(Tg z@VeomyXhU+7KuTgVGB(@mMGA}fW@YcDM2R)AD&f> z?!A?aRg2Zk>wSaIx*8~;+w-NO#ak7GOPA;l(_xE2>r?{FmR=)(o)p4aBg_G*a(K6m zW8|9S;v@s~WEtTEL#ip}Dw~TohCJ-gB?(i^;nQQx0pkL~zj$B1imT(3ZHuFX!5y>I 
zzxB;wI9foUkFR(yP4g=y@O9xP$wuAJ`K ziNI=8?xO@7wr2$!CVKonJOEX6KqwFbtNO43GykB8?u@5cgW(Wu3zjRI`;c%riEp}O z*W@HLWl9ya4OP%K>i?Mh-MQDaa2gc4WNKK_{IWS&=LXjaW=fJQKid|06A293 zech@;fimfaeBP-;@y`f0v_d&*iCYBCpa@O!8!&3 zfU#3b<1}rPqS=knArIvXz|n+{$ZU;tZ5j-^RAumQvo$Py3!pRqPni6N30V0DAaDqc z%@{f!J@sverHb}Y^qu->_))uS+L|;)RyAr)QZ*pO!xoGuepcE2U{&UIoa{(s#BBe- z*Wht;9gnk(Z;_y`u;FuZsOqR!sC!eZ}HpgfGPa z6c>ayM*Q>&2D9c(v``t!FeZ=wuF0XwnmhbzUQii5!8YY}j`z-G0-|REqKE8vEaqNj zJs4zI3AluW1yGtmAIb`@?0>%A!LW2CT${iNId7wET6U=Q%)&pVyxcEaiClrkSaoZt zGJHTSU#03Y{B`eDICIYCdPOYSv5j(j#XEc4Q#sSvaqQK;3)0GM$31tzJ zdR__;6t^~afA``9Alsr%!Aa}C%oTQ1?hjus?N_@MX>JY6Lq4~$opWmIqjBwr>ix#7 zzvmU}Yu&Edpv)HaU{4RskiX52C`ARztD$Mo*EY^h#Yg-Y@%yPbA_!^)fpCBEy35AN z+g*e~s_)q5-?;@G6#VEU^LRMfRdDYRJf43R(M@kc)AL*zf}Z`3Co2JYM#k&DF{F;H zxgLw!ZKdRJuQj4JCUOA-8V@V1#{cmA;}wi!Mh%4#N7XR_3+sFEcB(}odUZr*kcJy( ziN?Ypxzp9C>4qAJdo`4lZ(tm(4gA>m5XW;jFUorZ9W-XOSFQMb>fYZEY@Z0iYO9)k z^)`^McL!egdxO9Phs0uiHiY_)yhaNw=87|5&ms@VYaX~ND|9lVKs`B%8aXB@RN59W zhFZe-1oTy53pF=r$85iy?{$8FBfOfW+v)6n`1Jq%%-;5V zktrFYg9|Q@A|x>U{R|6%qUeke)dP?90o<#=H&3OWWD}Q4xR)As5GE)S?lZ99p zmdj`p4Mke0=rmMD@*udZnLA;RYqxEAHC)Wa&YaAJj_0rli^he5ssH=cUj%VoFvvM1 zbQ^=XeuW?lZ&H5my=nI?EbzTy&jW$g4_-KMVfaa9kVwnFeKV_|b@@AtWBT4!=zkxV z2xOVq&9Zkn1q+O7e9zn((3w*gpO`)k8 zOaB^46~koJN==#4=`$lMDC06!lXd1iTO?Z+_yo%q@aa8*0B{2Mkje=T3Z8bQ9>5#T zI+#)zl)|RIXMgn$&xMEni+q1Gl63_IE*EP-L}d2Az*n-|Ga`Jz80HEm2r@%?r@u1m zEUqQ5dI%hE6U4rwG|@lFE2O3SO)t+@z|Sq;at5Mw_8+A|H6&tEa2YQ&C)pb>0MfH3 zrv1&!=`Xm6V=mUW5A>qK)_!d$oE*~pB2S|)??pK1cT5=0mNSy;JHo|T=j6MN=!ZE{ zCTp?eiQoeh{NJ?6<&&%F1D!t@TXut3MnDf>>%JkAJs}r=-E)D#P$+7j^ack^y$FLCQZQPf6E<2vCW(@JO z3}yrQ4_WN_hxk#i(fQ0M@;FhfBl}AU({D*8cb{bY{*ml>@a-c)z?MsbFJhP48x(g!TAXdXwxsz z6c4?E3kd7z6e{AQN4y438)bEh8bR%iGH5gsN_0+;=@jhZ9Gw;8Sky1Y!4Ui03jx@C zPX&Eu_Tg*)1KB_(zqaEV(B25@y6UnDn0RZgvkO50mqSp=n88N{CV|1BGIRI(^}~~v zvKV~)?Mq+v;Fw*?N7|J<=zpc#T4nww{^$xu4TYeee17rnibcWeFJD;n#7dCRq5RA3 zVinkxqXG1$_^P4M3DBG8tA>_~JT7IL>b+MTg{;a8Dlno1YtpcgRTWB=x-VoC+gF{O 
z(^n0ZJD~^tzE0>(bxixrJqmg-4Bg@s^?^W}_5Ef+`zC#4*(%+wCZhWgB7M3Z08wP@ z3&xyQ*ebJN^^m&wu-I(YL{)s+!RxZa)Nl2F(&^^fwsvp47dM!*K?=Meu#ryC zP4|o^^E~6wa#A#^NwSg^yslW9@QP(=ELa@pMN(y19EP6t&i0Ha=k$z2Zl`WezCL^$sa|h}>Q=+pgII#RRUd&I zAUs$oS4v4h7le&)f@QkjJelV=hn7{XY8izUtC~tOS!Rkwb=)wSgmD0zJo0ut0CS4=f&Yt|O8w>->w4ug!jqc(oe}vuI)S-?(0bRwMYT%emcM z3wIey#vyO&q#S!$mjDM-T<1{e1RTtBokPn}t;#s6Wmmx=j&jZtl}HxzjElUg^3qfE zFtJ_d335JC!TVn~de_|QmHOL4efJJ}zo)tjT0ps-UpjRBN^x+XHe75M#}m6>IfT7o z8b3(}&#lpp)taNZo|mbw>aMTezIcB1nWpO>^?LmW7>Ur)zPPys<8ZonI+^F4hL-az zF0(k-`<65m`kz{{N+ybhWtzrCPT6^ddmP%{=>+)%A3qNL{$c+(L^^)u;*Z@u7=KfX zkWVo8+A9?N-?T~ioq`X{c6*2)>K3rYN-TG#Chd#Q`;$T!DRFIbrUlnxeSZ{cZymOs zbLn)4b28823@w+H%(7DNy^}&FEUk)^)ln3&Sk|)OyoqAvxpuW3&Ixk!J$?-PUB3P? zjC451@Z_xPQ1Zpg&zFI7AVW7bc^rZdYRjnugBMidyS1)Ft!Z~0=WQQ=^LFt~1+RuZ z23&PNU9DGp&M zbiz=c=MaXLi@Z`vrFR#hDoU2dC1<=!a+YU>43j!+QjbF{wH?AK^1D5HC__z;7|KwG zYbZk@?@)fcxz}Ey?h3-BE;cuNQmK2hd1!CDOcP?cUZLFs)a@FhP{=<<(|Jx?XgRGT zS*58ye`S>(qe-DyT~w0gB9{qI@|0)p)IzE4v`t|(=|_)IzuVM5Mv)HZ7@b^v8%mD1 z5zfKtZmcy}$0R|$-r(~K_U1Flr-I+e`umE48O`)uFV}THTkD5klVo+B4pE-1Hss^{!lW+_XBEErd@Vr5?BWs(&l z%iJ50)OO^i(D(RgWcXdFeq zhVpc$VLH!g2rcudZlW+LS=EFIOL;0;DOAexMAmgJ%DnW{bx&=lVT#->j~~i@x1E0| zLtmAH27Bd@^ABMp>6~6&X_~Dw+}LW9kO~CL`ky(t*KMJ_gWkO?*Ec3^*0Qout)9;5 z>Vxo8cQbsSOsl64(@Aoz|JLQRvShyx_a*=_Q+$U|=mgBn^BqFV8LveZ^OPycBbG|8 zw<1F5)j*_$$m^nvg!`^KwS9*va?Ly*Gk))#A2ZOe<-rV+^JC_rr0p(&Y9C;;1_>-)8yZhn|^yx|1EDrsJ)nf~mvq6X<|XVO^U?^@+3?AG`quV| zEi|MRd8X$Gxf9(NH&oSW-3061RvT&q!Hw6u{t;-?JE9s}3N~s**+Kz&rUbv@vET>L zJoh5B+=L;|E2&r!7CB3cB&9k|dYhxtEQSMe{p{p;Crqo^Nm4=cclbVpiQ$HuV21+U zb|)c8ZO3QojBJ7N23e2Q4ixcdRqO?5xAzMhjtl!^E+6SkW5b)91;%pM`EjA z`zHv##liL8K#3%%-3goNZq9UuoAbS2{7kU<;CSZ!QR{zG?Kq-v{s$Qf zGI;X)i`Vqi(?eCGCNL48C(5!UD>I%mUaOErk&=uz`ivCDY0O0whhgZh9+KKFbLydAAWDC^*y@q?U2QG~gg!O;+P=%59Lo^? 
z(a}b#mDtox#zL-Qy$she(`&EZ^JYnsB}$(WBllfiW_!6aci8hJ^g*2y(FgUNfIcYe zMxWE98+}l8kG{mtTb(k*+w7w^kC6b{>5&!q_Xn_;US;E zUnVpCprS<^VAw7fM)9lkVlLOc_);cS!O}d_hrF_kSyqcO%j-flrJKu~ z*&g)F9riqJ{Cl!sKYIMbHu|=qP|`E{9R}b0ei?k#4*~{1k~GZHBb(2bcAxF-dbgCs z+waQdDoMMTc2}>c4zIZ{(ZIOhsAlmerM~_zy4}#L)RJ#*)P_Q0R>AW)1>=5-e;mI; z|G1ywAAj!`Ki>`(KJ)Qa@t0pt-@guF80L+>lX~a6UAJ2b_PemQu)V~)PX~Uv_TR(* zcxG>Ojgn^z`CvD@*Z#kQ|6J29_z~^?w%Ba-pc+!IKUmHCk@(9`tsu>J-$VIzdtWG-nKrF~cWMNYlEGff~rEw})l@v8oGHaqTSA~c& z_v&M_R5EwEfoZFcCx!f@S0C6$@9HzHcD&0Vtv(;WzUY>q%iz^&yWy9CKHgpi*SoqE zo5el4{D1Axd}WrM;OAbqu1NIYqKb1Xz2N8;wEGh88d86n3h#?mz1I7*;O&<$pDwPS z4u!IeN3Or?G^tv<`%Xq%yP%(V#?lh>PRxSW2WPiqz~_%A8`T%eJ|5)!#?^K5Zn4tC zzjqF=8@+oZpMo;2r)&qhaW_gooNf!XL3gQ%A=OX35IeolQc$T_u3K7f*LDrb&R0!K zu>Si#-M^m6%-4SCWqr9ey)2x|x* zYQ9_C+-_-G@!Q|@ycI0A^bmtzrv4Go3!pRbQm+h(-=U53lynUkh5il13_jC)zxerX zj^Q)wLu#JKGG{W%8m1@Lm~q;-S7npSM#V`X-7)K#&7{iQi6W*=nvkpgoLiEH3-RtB3D9Z3f-yym(~o6G|HNz!(NLbb!uMw!Bat^ncSQH5ReG_adqO(G=wEc#AmB{lT;Z4C2hI%6)qB7A8PB-rnbFPf|LgJ6 zy!rW*dvIK_k4pQKSO4nO!9ln4ZF|3_`(rg$82INKbM$%a=?3*elw@_2a>1HP>X{>t z8dev1&0?i0m4tN^i_krD*qpb_oiAhB%mHaz6K4+CM(@lqnG1()QrN4*)e8lO^UJZ# zau)&n;u~Kq`&I@2500~fCY&?LbS_;sgG=|`FMh_E1U>WlXA-l8>ShbR+3+9#YiTYz zhQHIC5JZoi642v>c_{KKPgxe%8B0q&FYu4eM&gyEis^$H#=MQd{ z>zXgk-Ny54>t>?8*C+qG-EzCQUk*k#>V_^o&}L-{+YrBG{}eNWZTQ|Ve(qg9dT>=# zGAinVC3PILlxLh(g(?^?l}zg-R7vUPr)M_VF*^g<5$c=@%;{uDDC&WxvscFKaNWJ+ zNeD#>f4@~j9asyZ)Gx;tbq&-5a9XJBh{Ol5)+h13&S$~+dV1dZUD*@Tl#E zH;q2luUE?-Y$pmZeYp+}K7Bo-}b)MzP*_CwanBq4YjHDk@fI zRV7s@v&vHiG_$Fe*%_#oQ0G)^BYj``LD+?~pp|!W3L2kXZ1%N7nAY0|4YwE9el2~l zh!U9BV!hO7eG_tJ?$kSEBeWs=I5-i%H$T?qQ8Rtw=f)a(a3ND6p7G=rl4Tw)pj`_u>JBA;EVIt#g~UTbwAB zsXplnqDE<)4WR?}1+-omZ#jim_T#Fv8oawYcqgC8mlxDZFUCU4ETp3P6`Ycs1$=3= znpom7C&bs@e|M$YKep@p;6gvqQ&6KCJ`4;}!*AY?))^GZ_kM9dTJP3!w^Z$OG2D1E z{+Ibz9vric_Y`3kmVT-A4p)^W4fUB-#wy zK6Jg0HRQ>D>c1Qz+Hags!nQ{44I!ASFl|*oiF9j9ccZe?EnIC))SP!t0qZjC2G=ea zj~Fl3^BGjj_kQtHSLVf#@Yn`;%f@J}t~1AJ0DvC$Ll_B8Wx-iiP=c5=maOJ=&B~hR 
zMG>n^B<{=U+$MhJXCQt;ol`-N^!aY0pr8lx&OUj}O%&AB-&7kMkB8K*T8DM+)kuHx zi5My?dI3*NnH+>QWC`zq@oVxUZ3emXgTwNp0uKz;Tk3xLu4)Tu!(2L?`)v|q*UcaK zo%)4B5H9;aypz8yZWO$yk1qqY;`LI=>#d$F?JxHl z)t1sow9o9XU7DBa_%eNLxQIO!(X_-O6CSkV7xU?}g+yQY#Pz!JOGh?5{G=lt+6>1v zl_=9)qK^`~NB@_(TfgXT*jp{3E{>?a48qHRB~M3fdoJfMqsD`9kc)#(`{l{2?$;;X zh5m)GMvW(`busdtHqGDVGYkZ@;Y<#wS!SOfjOauOD7Bm@C5vSN&+}e0-WN z{F3}r=e#ss&~li^GAk2(43LQ)*`YoL)D2Hr7?)9`>MF@S6|ZxfT$Z1KTn2Sc9oa~q zcVtiFmbvXYHUTbz*~kTz>pQO3dlS2=d-W$b74?bPF040;o5kvx-sZP=d@FAC_WX9; zZjEGX3O|?(7(@ZxE>%$PZs7j>@kzb#JM<6yc}cyXxb?Y0@$FVUDy#OG|lhtN3zz zOWTE-a>9`NXKOZoi~dfF$jRN1H&n_a$ml=4*{pZ>Xr!ZNz$+*G&in&?1}p4?!?KX8 zlSmc%d(ZnlSNpu{9Md<$FE+KJ8D5`>v?11b7ivQxIC@97SV{Hgx-q{#InbrIV|y*# z2XE+u)AjT!OpKDoj^2W=D5&6K_G3Od+A!Mm>!z9cb^QF6w{Oh={6yoA!g`MJ)Nc1* z8Mf!T>3RnE?@Of{^5E%z3I6+r2>0D?yxra1@y+6|;kM_u?%A~|lgswvsUhIo8ZHmW z`}Di@k}e-K`SPbnJj$BU4|Vat{x3n)u^SHb9d6yVGc6@Apzl5e1VR969NyYY z=aA(yIAk9jmj97!{^Tvq^MgIjL(=Ktp5Wh~9N82+`Hz2pVurwH^l_`L6@I_K?ikCoqLeJ6EdklS^omc?LW=;zkKVd!r2Ei|_rs3N3?kL0Yw=d21IHF}DvD7<@vdpWr z%4OjW($8)BTz&@n9Mm}#*hrsuQ{k@~2SAMkU#{D&cA2J0`|m56!0h zw{$y5{r50auG|?0&yoDNaJ&6@rX7C8e*Dj1+I?_Xp0wNO5*l~6w3D|Rhe{r^-PkT$ zdy`U`c*nW*$EB#Ss2Osgn}Y=be=Nwg14Rgal9GEWp}@s?mS3b0S*D79uf-gF30a zHDz+11-}k;Na)u~le3My6nBJP#oNVFccfh3Z~s5`-oMF>8_Dy2D|}{m)^a?8R0W_= zfcNGmWXZC8BagL~#}j-1T+|P+n`buJL$W3Hy!r=;DzYnOeoh}J?B|f>7ts8+?cu0y3xYT zl@YaRi?G$I!iyrE3%49bHI-i=stL9^)gq=wH9^4dF(+Rl8l){D!a%4j{4aPmgdaFN<)3Jxg0V@2wQIY)TRIy%Kff ztT3%N^TJh`E7Igp4kMh(FA(7b+nlQ9QzM+9;E0wZv6HkM3IB4p!aDwtW}PO8j@u4r z81rgLiTT#sMZ9a&`hL$3wfy{WCj5nsYx!m2Ot5F^GTGXu5qV7xbL|SMD$oiebyb(y zysX=F_3m;Q&QyMZa3t>#I ze3!$}kn#(JhQKzbs{7Q?5GXjJ?nvw;4M)NwTbHm}&#SxT?r@&7eKz~$+W-F7{jwhC zu3l0~hGuuVZYp?n-z$)s0 z)zV*~&ZFTZbbflMM|oLsLfCVz%PLo`7P69oRjt&bD#Cx}g)NG@khRkz`nZaNpZ_Wzpbxpqco$`>S}$~N=fdTI zE-I_5%s4COV>mJNE|*`xyA0c$YC2QB%TRE{bT08NBjMSno8>p#+p6(@`orzUZ~f+j z|3jaE{W|P!;u|2S^Rhh}a^Ags4(1eCgSJG2-#o|%%Zm3$qq#*B@>jtCZ|I}F@jRV< zyk5|2YqwZNU-O4WG`7Kxt|E_gcnkVZyN$o`!6M@*yDJvkuC7Ex|31>atH7`h3i9#V 
zFMIDE&)4*91}t-mD;q1>xMg1E%7#6gwo#@jq{ss93q7BE;e0h0Qu!vAl$gCuyRz-j zm2JO(D;u^s(K2CsW0na8)0Ua;4;v+v>&v;*mTk2rWxw4!-TJpo=YCzGJVb!)qn>#0rfx z)#|HQ<%jz3Z-yf)n&S7yIx%iYm-)S6&skPAt*x9et}McCPtS$bE*G-)MrF=ARi`U_ z*rDIsegVHXY;&q1O|C))B}Xi2qzYM3USLHhJH3yk-%XsNU3Q2DhlLN(@OL<__!qds ze@ygzVKMdbgh|5^h==P8eJpyss4)D;`>xvKuzX|uZv3tr)u4_4HEiR5eb&aaP4@!@ zCLf86rdp3rSi|9Q56SNS*SG6kpZuk7@AEqE!wGTCZ0_o;n3v5wor%Q`;}q-{h*N-VPF1(A#<*Qm~r{+evyw)RO z3w9W`V81}v0&H`t(oZh71tmw6KG9)X&ynC~kvT|xA1_1)jwGS$(_X>;-`dKPGzqKY2L+Pae+4$ioR0tggZ)S>>gW%9TR5nlf^> zxyah4$xUm^(xzj1?J)Aieu2mr*yhwF6pnFp37r=DlIk$MYC^%Ze-msU{%bip;lm}5 zzNUxK*vrCbV9#33D_^)m*h)#ErE{V(&WmiWWTOim>}Uishha4K3xv_YHm4d;s_a$T zfTqRKq&iF+5D=W?N5Pt z%ffrQ-Z)R&=P-uHet{Ss*ydFGgkv1F&uKwCzY`l)o`!AyS9EHkv0|s@^vD}~S>z4u z**T}m+&VFz)2&=5D^a_q61i=yr2nr~x_*=$M&8&j5P1XJoT~7t`cY|xpB8$P>M;F6 zg8e;OdrO&VK9yR0>Lz}&8db0$2e*zNOCNpP^!zc zsX)QDowbYVYPAmB(U8{1<2F+6ZS{d=8A1jWrVQ<shJ9x`?EOa zlv<|6otDiy#wsIt}^dxX@v1v zE3|K{u!YV=CRLMVRe;tyeI)9JPHy)FoZPU@sU|bo$qgk(O(r=lgKR#)a8k8B$SmIV z;VZ+W`tgj%UscT!%RxFl#qW&2o^hSN%P9sAyq$Yp zwoNng8W{SW-52mX!#1bt^kly?lpHyiL}I_b`|H!$cb~|0y#0B7N1-?Ud*RpcY(T$Z z@`-q!A5@?#2r-DKAnmTJ=C@dgX1nfOy5X1iT|qu7Uw*s$ea7182{`g@+1}MFzk3>8 z+Wu2T#nC(0!C&8h4?%Z|7Z`u>3YF}GpN-?)hEp*ei!s!6Ia_&r7Q}Q1> zayU8k0=qBZ1%_=-wU()w9H8Kcu_XITZ2e)v13FsY(tHl`DfhJ~y^e>(hmU+|cFgzJSXY zwmDV1C%b&1NE^5eqYiK| zGoJBrHNDK03VW`MnP>CX3fWXzXeqt0?OX||id@@VmQ9r`5L{#fS1SGEvDFl}IZaIy zV;oUaESXeOEQa>oSYn{NcQG>V@4jZU`nr!RKd!U5VW_i-=^xYCC^}tdanGu)D^r9$ zgH<}9qYm0zsiqQ@sVX_o3tQI76aht+4|VqOy_&eqsX9B=tBEB?boO(x!P1J`{JGCP z&(qlhRh;03Ow8-JGG63`#64$0-{wtiL{>L+^k>VUmU1qdrfd`ySeNa{0xE~f`1oE( z+~!neoO;b3OOBjl{9cf$BWjgSDf&y@VqYq(S+9Si1B;-Xy{_`mMp{>?&geFt(DfUF zE!B?hb_0>rZa3?OK5=x$-y}wq)a}Wx$S8V=Zlj*-+PIQRUgou?@R4dRBCxrvX^g8X z-xkR@-6B&%-F|#mByMx6ZclYZV#$$(_H!|&*&}zbAC4Jj?WS6+=p?$mi*bmz%PRb> z+rusze~6k28hzVcR~kw$*W36f|0z~hyqewko4N~LA8v?m*Xt$F__Ob6C%(FIeZR;% ziF=;URiP*@Juj#fd*!Wg^QI7$Eh=SNWh#|SIb39VsPB*Ooy2WU)%U6Qw6WyqTK>5p z(|FYCON!g0I6f-HH}jhfEyJ-;V_eC%LEpnO(>13p`B4`C^li74Q=s`~;g8q7ev{}C 
z#g`|(gK@>Z$p46YZfvRZc}5;}qPX0uuoU^A90&g6?dxt z5lfCN)SrtnwS}4B+eN<{K16WGVxxY08w|u#ZSpWrl1d}ZT$ev#7<_dK^n)@m~s^P(+)Ai< z7R_(_w&&GixyA-E!2_B2uE!1JA`c|)IV>lQ%EOLbSJ^z!Xx<20%yW@fs+3Kp+j%=; zAmz|N9^V6r+nj13Q$3Jaa@;^Zmt^mPWRmzzwc5tQePO>6^q3OH%(@!tm?kIq`x4VU zuA3M6`*6?FQT_rq58G+V4AZDWSZQ-1T~?H3p={}r@!CaZhr0Rr{yyC1RNb6<>k~_k zY*G@pK5?55%kzHGt*dR=KZmKirt;`vvF@sJ&nVwW+^gK&Eq9CPtPV@|Ag>Ae0x9P} zXk>Xfd;w}b!O@rahQ`(UB1a$YS(e5++vK8}7hY&fm(jfSBGax3+mgJhT{2#~$lOq^ zAK%f3+nlP_QyqO+azw3>*mtY2pn}Z^l6mP#hzN1^{{7q8ps4$-J0!e`7sb|8NtM!g z^-jWlz+USQ|D^2%ZQ%Duhum)%b{v~yTKpz4wxsG$b{PMQuc3DX(4W z+pxAbb5Z0*g`K*x*@*KnA36{7FW@|cZBA5uJjOBAhmvX4Pj&eH-;b+4l%XBSu_z>3 z(N|T>Qn&5v3e&It?(6sKpwb;*62(53F+g?Qte3}5citrWhQ}%RD;m}7{4xh4?0H@p zUF)_Ls%WIpnJz`u6pheDJFn-q&e}SeKc>is4#pe}?_GGgUTysQ|9Ct5*?(C0kF%H8 zzWHsr*dB{l`!>xue0?r0m=SJcKy`ig|d^)=<{gUvp?-+y@#=4iVhA4hXP zd$+9a>-GA#LH@VlbOJ4%aKjJ_ouH+cdH7(@Rqb-8WJ3<=prvh2W!r2nR5>raX|kqv z>6o{C=;6!L9=<7BI)1BfTub4ox|izVoeK06iI3}P%C`rbC7SwY7)?AVShZ9m;dXKB z>0@*uYM&LYyCSmZs^9MqfZm>+DjAEMptYCz>tN5m$W)=rMzlIGl=fB%mn%z`W3z0Y zH&rvX2N?S6^0dEhiq?)_tQ*%_)W$3S;iuc}?1$CPUv-TEy+sX->n)P}wrYO6y9HYU zAcPZe_7AdK&$@QI+e|jp~b_~A5UtDA0oLzPj|iL zm$}|x&(6>D)_5zF^o7vUtDx)Tf6Hy1S6STzwoB{!(Djz5U2ju#{gEASW9r$4z_sh9>6F|eaLvx<}e7B-(%Cld8j0=9XT8B?>`h_2< z`xI{;p6hXSzs#Eld-hsYIh7Y{S{XJZu9=IvtaDMewUtFt7&#v~`yG1o^0YT^in>3t zFK?_ppzcU&T-}i*yv~Y6kZzM>?{5E(cw4V8Td=?Bx((BNQ0Qkfx_)v^37W#I;3j6- zn>Fj(dkPbc(!U1r-x~t3gDLJm{3VRr!Da40*mLE*E{v+gytP!X(uHN;)>0VRnzkwC zMJ|)|$OCTs3#qY^|wW1)0XaNZ~#LGl0FaS8pd7r1_ zFaG{Rb+_CN_a$B0;`eV~kRBgC5L7&D>ivc;tG1nbR}UC+r2p^J{dbpPU%j5aJ1_!u z8~U658apJ@Y}b^_b#G$rI(#$tyX(G~z=Pc$gq{uL7u#Tt`)dySux}dsLpC0|qDu*5 zgC>PXUF`P7i-3iqr@^kA=`PCrG8ZN6Sr*#axoJgRwZS~gwi12JrBpHzn@!RWg{I_cNFHn zubUKJJ0BL?MSsRs-**L(=p{B7$o;v)c#{}L!g{7Va^+=?T-bAa>`YA3nOJ_>nV1|p za%K9$=w$1eP!RcLLhLl_nN)>2F$FJw4pxIUi@3MNRTt{@E9u8Q-IMF)us`Ms%YBFc zPl6IvVMag5uYuj5E`B)_26))NJqaWIns#w_+b)m!c1IdU!IW3=X5VlAzI#1Uin-d) z?skjro>P7Q=lz)ee5gBc7-eX7cDua03S9Q2qCUlMAHI(5@1OI-XV1BRyV2jeS6f9f 
zasfNG&t?xpKcZVt!jyka^+DDjw{b&DugBf4YT}r-KK2>w!*2TxdHD68tAGA^y$SzU zZU6l8?GLn$+)#dY^bS4WI}SxoSOqTgj>Dc?r3>j)BTA#fJJhIBR7H`Crf4$lb(Xs# zePc@wz2h={wRZ9}M=mR@L7?3{$yBtzeeG z`p^DSs=Ls1u-YbuiS&V|+k`oG>j4>BTr6Tj%GS?mJ$c$&DQJ_Hh{L0i<;QDe^te>h zd7sv@$4D`F*6kqc<-=?YKk<+Ulbl}5E}pg@)i9d2n^2bha`4x9KLRZQQ$i1*&@E*6BDyISf6J>Cl78i@=0}%r6sSKTx3? z>Xh{PMMH@c;@CDv@0P!sHh}LEVn2WT;$_@TKbTIp+tY7ewYmN zeSZ$~ZnIc5i`(jG*zETsz3pvl!Fr1YPCY%xySwG``MbOA^^6`Z<{;emc?b9RLkBlB zfJvQQd>V_KU{IGuNx+`%T+6n!UX-qFM6e$vT-{1h<&`XbSy}Ir2{;QmjFOP)D2d4i zHQ@sC%Y@kZ1~u&lG!#40pkNl}{-}n^YAxw~bxqIHhp5NPMi19AD6NI>H5^zH>V`J1 zT^BFfo5hO0uqwPX50!$#&b#eKLObfi3oBl&?ow`1Nxa(c>-#>Nk!|`#d?Wv|{>`t* zpF(pXy6aQD9p3oe^}0Qz$OYziez*q|Il=rc3-^FM*FN*ghW&zB7Z@9EN+ybhyW4^P5mH_+>)ueDj-BvKWhJ#qx&8O< zU;7tIc#`nS3D!cI9(J6o+0~|6#fyRiQ=;1=y~>BT(_%j>w_|TU7(TN<9X@KUG}%=* z^1&G60q?%Q?u6;(&$Ea3<2sd_14M!cMPIE~_c!ai?d+Be zG5L}kYpY^yJ-;R8hYh|-G?*l+=}{^2vZxf;vscPGSNibsX-abU(ao*75tWfuo;&S| zvBTA2REkVTrA$`+375NHCdAHH{b{$$@pO!-J`&uk>&D-%w+o7D5Zfj!((S{WB&hj;>La6!TV6LLN#VY|BjK zRUV{j@7wvvt7aJeBGb_?lkIK7t@D=&vGeV1+O>Bm_HMKIQ0@HN#p<_UcjTacb60Oq z*aM;lU-{eR`hI`V*k5PgZSG>kqhEbkY}P9f0sZ}Wv%hmJ^adBUX0^Xw&`xgFKN4m5 zxm_=UQPSxkg_0eHv4U}SZxTaDSkuH{mA@uLYgPM3wOY)Trf8EU7fw;|Nm0yYS(Ul> zY0tPCMw_TF6Kw*UO`8K0JKG$l4B)%5=@@v)lQsZb;n64*-cD|9N*uU<4-ilAx5{yQ zfL;6)>m+oI?N7hS3Jx9ZJ$v+G`F(Hk#G&mS~`I?Z@?swob=$V7!{v_jd`gzP}SpZ6s{up#pAM6v*0N8|Ys^@!huH(Shc_Pd;SlHS1Yze=r~O zTHl5LZ9ea?KZV~Xe&o*UrT^fUvmf4tM}Iq;$I4#x=U9&M37zTx_5Js=LonKYroN_M z?cLm8?KcPSy6*R1Vz=9&#p8aySt*mKiL>*y5TP?}=h)>PoM z(1I?;#Y;nlN?#08!{83}Wr90kvm=HwmWF=BP^Lw6;5j(WP*O1#L}G9z|ME9>iGRzq zc=qJo#@__Zq|bpsP}p@xg#GSs&<^M-b%YQ5NZQTx7!Gw=3HYL>m$6c_UB^~ka@5A+x9Q!kt z{V0ETLV4Qg-Xul`FUesY7&p1g;x=Ht7*M|mzoQ7nFmVrhv`9~7gWlp{hiVR^BHMxf4oi= z?7O$z$7(z1CB{EBT`{2}RuKa-Hf?|4^2&b*^Fet(ZudE*&>6;*tRGNl{Ky`PYF*?$ zucV-e{P4PQN>rs$!WmUkL_P)Nr*(fAETO(kumo&&ME7CJjPrDVTBHP?3#j|4)cJR} zVz(Bglyrc$qYVAqr?X|Xy1FCnfBKM_HtOtrQ{8xary{#Zrs=0xK}u{B)oR-%HlOb| zWx)~#BM9AIg}!dc1dfg7>1V@127$(dJy=lW1am;5`@1KCf{27J!mFUp!#=EOb0w>J 
zK`}&Wa~K9tD4cRWOzlry`H${QbtH`eZfWVO)zMr>FB4LoIrb;nGcog2XeaCs;eoHA zF!%l0W(QkJnjMmYdC6Xl3>w%|O62J*l?4roHZ&nImH*xC;W~eRq)o4dm=t7rA4@F; zv*`Ubbc{Tw12A9>Qxg6|p%bj(vTPc#XI;1~SEdM?B^%xjTFpgOH??T3vC^3E^GL#f zJ&bSA$fbL>n&OsHY6_)Z`K8~5^>EW%FFt^5lgYs!SJ!hzUXKouD7PPFP|Rw(T{nxk zYwvk?JA2YDw!eiv$ZFAq|1NInw%vx7_U+8?nq$XRZxX$x)D;SitE;{&GywK&^xRds ztHfNoz_qSuh0{&g%#<#7O_j|}lfGoDhoJ!)4exw)g)Jr36{e;*MO{;a2kLsJ$m^uY zYP+CQn(b=6{%4n$XuDhA&UU`JUM>D{=Vwp$e|kt>G^gZapTatOA9Oc^mNvC z58Zn5wa2VT-QUzFq|{Tq=1}MarM}E-4tq9*Yn3akn73safYmxtSyhOlFzsB{b4o{+ zR_dYGTw@pSxk?RNN-8zX7;%bHrv?v{IwkUS_CD-<1HYyB4kKgci*h_?+{bl<^>|Ik zkFjy0*Y#DW*)iXBf43$4CM?a*o;^c~JjIg?g-%f9%RI@jXH{pdRk{*NTT*0-lQdzS zHg(a+N*e8SomS+bCs`vu-1&+OTS_W2be*1}$f>~tMNWzQPLZF^Uc3i~E{TTvHM^Q! zt=Ic9g%9;-w~HM`?lItgfeS3iKPsN>ptTXs&5WQTen@wkOlPxpF`xSl`JKW7AB6T3^Dq@6CVzbR+{2W`8gri=>GXzly9rh}Xrt+BqPNvz zc|U8a&fuz#RcMi7FJk3fs+zl9{F4SRX0t92B_)>JQdO@9(WfzOYoCZC<}#qRyGNc? zOTXE5VaG8dGW4{dZ@CJr+&=ZIm|6CaiKJR?dvX6D9D}X8TQdQbqak(;Zr3-Ss`*lw zB`qJ<)i!*{ulCK)p1ACfU3u(J)y?hFfBh^xNV8v>4ztl!R(+_Jy_nB#*J0TqAElT* z;@KDPXZtUQ5q$O+(KZ{90vf7sa&epPsn-{H>ferwk56tB%u+nu;urN|xug>_`u+C# zLz-1VliA$>JGNN-H8BgO)OF!oD~ie%l#aR-PN`aW8FN3>r76-bOg)Sm(8yDI{z3~| zN-nfWs=MU?7Shz9!9to68Ehg3H!Q%aio*oDgY{~5d$)-J)3hYsb}0bkCGI{y5#>`0 zM!WL94U03++8j@*bPt72u&oPR@^8n*_qO%%cr=&SKA$Tqte=OSiPMd+b*qI@O&#`c zWnuG?oypMWuW{-3a}5Tzlr$Ka9N~`Aa@<~5D~4gT(8O9oqCZF=XzLFku42*Su(`cK zJC@YL0z*4fi#u$2q)9lRYE zzw|w{yQ4cC)lyW=O~1Di^<8`Acj#q=rlN3l?eaC+7@*GU*GN8^~crV5Dpkj>Is0soGJ49gmHGhn?u^ngL4O1$CQ)^ zQ0N5fxF99M+i~&f*72}Edmd5dpI+Rp{HNQnA@;3kuB*-Q;G@4Lro+vB(P*QEb>W?( z3nFA$HWYQB+bqvyQ>DWU^f1goKU$apZYgOYNQ%y^Z+$y3kd}(Yd^793jL|m(Oy>OP zf~3fi6CqSL2e%Uk-DgPm-RNUZgpH5MCHH$b+QzMS-}G6`+nf?z0EJGl&C8+-#>6jub9H|Z4_j$qjWCNtRrxIUMpRa} zLi?hnyj`uxTPLl}tGsSU{A9!E1N~^x2e_rAH6p3c&)H|o#oRad4c%)=an<>O2}zN& zxC%4`POJ9EB7v9)wR-Qv!NAtN#gU~w?Lr#51g`OY7|&= zORv6t{^Is_M&5v<8u>CQJ6jLN0QC9%@QrgtUMED}EvwE8(bjCR4`FeOE`#`bJ|oiV zJq}%x@#SX`Nu<|{8%nAbPyVC6hgA+7=)o~1b$WW(MsZo#2JCt7(H7(q6uPB^|5aNE 
z)ikB0QdGvI!#0Xx*hcYaVH>a|(&=~a(mD-OE(Bw^S%;m-Dy`M$$8Ve~@;V{%V?V;Z zs#ave>yOo@jiuD$+k3CI(S1*K3urSFOG9;4+Jcy$&nfG7Q2pgT^+?~?wyBn$-;n95 zDz0L-fI*EmiXV+_t#*shL7?phT#v?2ld^~D(I3TS(I2qqz4u#?=SJwlx1uU4D+4) zkPIS{Gm@bZ6%-I8NQNeeC^_eh5k$RrTicSn7BqJ}=?=qdX~ zm-v!0O9v?gANz49rOm31%({3CX6x0kNK5xF=!cJ93a@Y3CFiDN%P{oR*4$(gVO6j8 zTErAzG*dSq@C@B`4SK>vn3Pf;V^AL`wdn)*Po$Blmb56aPihB`34SU3)%;*}y+7Pg zGM<^CY}c+h^qYLZxArieLSFI@H5TA|5el*ah94x)_fM6WN`(tuR;-)VOfZN^aCZCJ zI2`8XsJgJZFV^_$(*FG)M4EIY*4R2bJBn_I z%IH1}>|OmikT_b9Q5;1vb4`_F8LP7V`N6XxobREChp-=v`JM&_Hs*oOjT)gkxr@v^uI|X~cef_i!jcRQUAsv1}7J2A$ zG{YKPhF+B?o1j*Z-ncCBHQ{IETNzf1T{HG|kTdG{DNig?YkA&00WX{xP*!E#Y@1@0 zHMiKd=v4!O(Owo@3$xtCs`P^^&oq2Nk7%c8cXF(Jnc2${>egB)jTLZi6~?4iD>C!xfw&OEC%SK>(&ottC!!1NbFqFrQ= z-7N!6iciofRUJ51$*f&?vGh!@ z+wU?N5sdn`C?2Y|xg}+P4$E7MBs%Al^z+wi8P=s$GZokvdgjK>rMtQo3Bo4q$zEip zlk6q6Y(wQFJ^dZ#j6EF$AfrYgqfJWu`SOhCzOG{JU|fR+lC2omnOkonCq$<;&3T-M z8Mdkl<&RE~sq_hledCkWPVx}aW&q=NU5SMCHr*J{N0Q{tf;-w^ zGV&`>6aI6A)M;dPKP+bbo6F90QCi72)n@4tw{ior4j-ZZtg3B;S2ga#Ux;WXHWAh2 z72~#)y4utGReCPfPF?7ux|LtH2i6ojbkFggNWKCW6J13&Ip~)=kIpmPCrTR4b+Fx7 zcv!OfgeAk)c>=)mv^e=RQw4-YC@Aq#zk723ge>m#|(|~z} zqT=dyKRXzT?9fmQi)_9&uz)`CM+McWyrWl%Oh0FTY*)O+lx0RuyneFYd{Z@f9c=wI zzITsYy8SJ8sMZ%Lkk150I02c9Ay>&aBJ~c%Ae#9pl%%5dYX2(ekX5Kd^wgR2MNhAk z2AAx4w;4VD#r|~`OWVbO`E)E}LZf+a=9Y+c)rF*aitL6o&K(z3vDU%X3;nCxY!@wpn-I@W=WV*HupA z|4gTcSI3U6R_QXR-rTu8VENb}^Ju-Z>)5rxTneK(Gvb^&F@pcy`lZ@v5!uM1?GqHb zh9kbN$<$*{pm*q@ZxC(~GyAJ0q25PnzK(w;M`>Q3b7Yn}JG#^K?9g=V(&;g> zx?G)e=B!OGWde1yA91t0920feQrKIN+G9XX{X;HrF#1#S+Cp<=(np2)=4Zv#+0j40 zSmnv0CsDNr=+z_7VvCmPk>H8^WA8$8lN?_;>obI??`bBV5#1U8*a!i9R)6+H{==zK zu_1oT%zG=A<4k-_&iboNcK5wa-|_H1o!zP%*lNAvgShF`^x~s#Bz_a4cT}*r*8|1n z!Hmwds|u$~Zu96aQx(Lf!Y7vGSFP63CmF>|QU*7@u1(bG+HaWKFAyKd-XG}-WFGM< zaeCw!ER#yE71}kGR)A{Kgk6yZ4;<+Qbrv;wu*>C5RB^9LbS+BOIuTE&fj*HlQDV)Z zcetW{&6nhG_xAN?$Agy6haz@1uCC6RqG72*UJq?tgmS$XPKBKv}uS(~?wQ{-= zw!?DrbT+^IB+MYZuaQ^AXkH2D;lr6*w}mVnhZw5C7No(LvrcuBd24V@ij3%>c9S@( 
z9J8K%P4^@9?2?wt0Fo~53LJh)f7QpQ-0I_0c6cLRu_6lP>*#fKDvL)<7#*;2uEp-P z@cupHsCzeSzP<3kDtMmRNo81UY)oV7N)Aj?zCQ780Jkl<+HL}3uRO&kJul7Pbk$~P zu&Zd;X5cTzU@EP4Y(CRI5Z}d(2}9xqa3`gF?f0RtQ*jW-4!4iJO8#PR*`$1fO3!xG zVE%_r{nC&!X1u0Khl~1%;~Cm)EO{?OlwBx9fGK~ZIN>FDl|pzZP3#>`IW@h^W1q}w z`>w7*`mpzikBF0oh}TSVvFp_bvSX;3&snjj!rQxM1HWdLWqwpSJeSG%iZWyI9*@-; zuHwonA*!UW`q-u5e4{y9g)jBVeZ(f`wG^|R;r1b%bj4W?pKbKf8?zhZ^)Dald8sz_ zc}*UgAe#0P#(7Ih3Ewb~mwXqZn5>8)>>f{ec0SrY=6xQTcZ3@&?6foaZQMt#CeOm! zJ)__2MRkR)`hK2O>8j7@$@2jcwq*RkfZ5uEzD;wDQ?h9B0Me+Eq2-Nbuq`dLR>_|I zWq;y*)xHbwXIu7uWkUO|qLPWRGMd8hRIe&;A&ijC@_9OOx!qfI;j*{Z#(LS&?n>EoRPG+Y~7L0h%V;bFZ$J)WyU zZ;2AFmzjA!_9AU0)GfU;!p^FPSVAT}Gly>q?bp zQEJ;6K+pV;yHr-R*hffI(8f|;~%dgUx8V+Bbo8@9oYbg_rWO z_V>O@xQ(EF6&$R5D%Pc=6;y}Lj!ovJPuWjdynoGRB}~G@SXZab*?lW@Rr)S75~aOo z0Z({tt`5F2^o&WN9*#EtbgK-$(G+=lUsK$^$$moPgR+?0L+8W|?eZAxFz}Q#HbvGe z)#t_iBx)`9WzNOK&w@uK;v^?4z|$4rX*bz>0cUzk)Np$R)1C*B;*&|dVim~?KlENQ-v5GgMhs|@mK^=j9zNVckmGJIXbjvA!4 z%T`H9NJ`2i^J|#3_Zkp?cdGp`TDHTrWTX8oD`5^NOZ3O>^%$+>G>UIHcbT?+B&lfi z?Aa9JvA%Qv%zhcMpx2UOYg4pJ zzr!tww0RWx`smF}o5+-MbjrrjVQs=VpQ58{dB*BFic-EGTTh29OGyll8U$Wl*q_XL zx)l@DeV!THHM@ULw$RhQet5;|9K9!wqIAn0B2aKW?5ZgSGp3^l{n*O>($TamYu*q$ zy;WpHXy1^c^lmS(+}jlG%Xo!B%`;ZU?UszNxM#|~<=I-rM5bg1F+tY2YBox`2j%r4 z11-lExi zlf*c1Z?3KDj=SVFbM*2&LnKjBN1}hV02wcNzk&bbu*5qgNpbrFiE+?SmUsylj=q6w zf@^x*VF_Qf>J^z2K}Q3wr_ppn**#=u?mOfgpQCBY!iIOnVT zHEzQfCD=11n&w%hFgFdEQ}oWuCDa9)1@=BXvgmyX-ALjUza>2Wf%XZ17+!FCx+vAJ zaf=%L;dIeQUu!{4l+=pWt+!{#t~x!TcsdW;(PQkU9Bf^kq#knojJyw1_Ihf-!1?+Z z5eeJ3-l5uveS!R2Yn2_VHI_u|PDU1~oXhtYb$O$***dW;MWbj ztBkNyOzOiZBy;W@MiHQMPA~ClYT|R>5dJbHeDvK=bd_dmjCDuMMxg3R=&(U)NPGx2 zl08`oETwN7AuGX5%pJW^YJ=2pD&GBXA3sDfLZ!qt8KvfPdj8flLMv_=Zz zUe@Kk(H_BI&kx?w72SPMr2w`}!0=VLCGjN;<#iKU4N-{u`qLE5l0m*;!d{IXd;1WCCsPuRE!; zNjxdev+dk1d_#A5G?k7$GFD<`yVL7AdF)y;v6&qnj;E}82V-oXPo5_Im_ge~tSzy$ zd=-D)ra5{JdaUfdd#a%K9C{DzY>sACv*U`?R@6u3sbbbDi6p(Cs_>VqJwFAXq+WCq z2%2xaBS5(8r#osm?7{L}yj*59l&x^z-$|w%{YX>m3-jqz|End&o>yRn(a2^jtnB0$ 
zD1LO=y*4tPAi(iZPR;v!xWyX=$C~=f6Ydw!Cunz>DSsn7Ae$;4zZc{>hRbPBl|7Ro zCjIfY18r0ItqZ1`nR+swMgVy(-l9KU^g z;OXGIFGp9W&8Vf?zCV$tfMbr!CJgM4u6M26NE-DVqI;V{xKbP~O z6{lRX`QxQ%0eP$yAv2JvAQiMpC=bW8p&l^ zYx6C%>qR-G%TJZ($CRJ$24&dWH>$uZi0D|W+@@A+rLL&SP=qu(8ioZugFl$5&78nDbNTYT^Y!Qto@CLf?@f~$k8COT z(-Y*ni;C-YkNUf}n$~4mQtnk%B)p8$|Lz^?GUKCXTUE21y*{lRgM6dnWv<$;?0lt~ zWIFJya=O~lu2xCISLK8Xo|mJ{gYE9FN`UKXMozhn|D?ufK-l7JttwXT|<;3qOO+|F=3rB9QEgJU9& zdLle9fL@5bM`XN#Q{~K^zNeM@gOv!CvbC${mV)q+4OE_`7Ay~bY#4E839FzsBjz!Wnm$>-nSAfO;vx6DT@E^`<)kx;?Tq-^rVAnj8}KvmZ@ay4I%Q#em|Y4J-$$)}~FuoT zrlsZtD|L>#d#yGnqvxFqZR1tyE5{$R&Y#F5Nb|=TxNj6jEK43gt9_4F@rbZQGF>=Z z%iJ>DM|?G2frShB_#`w4-m34TsoXwEsIQ&8e>O2McV@GXI3aj8{DUClooPCU`W+60 z?#tP6e>*Pxn=7OS7kaK}&%ha96r!UncbFV+Jl_Z&j~szt96B;7)WNttsfXzo*AiMI z4H(?M@Du9RggvVE@m*3DigG;DnzB1qetJ%hn#s)t`(5kfQ&?gD(#|!xOkP9A{ycv;@0_R9 zjR|J{g#}NaffJi4^vnrYdjj=t)i>~LftJPxm)_CK;^;w7?m*9zr`xm@VDduSdM#vm zZ=9dbGCZ?*)Wm1HRyV)7b+@{}ZMwEHJ8b=-AuDZ=a!Km@t*a-CcCsYM4coCpaeT+_ zyirkHRNgUZeee@P`^jmZnYRXgcT7FN5;)3ta@rnSoqyI=HB+Z+(?Kz_yY8}xv$2oL z=TBH|-Tb<0bz4x%YiIN&*KLYq)T+*zig&rMg5IXES%2j|WuvJJqQ8r;^Kk#*lvdh( z@Z;^ki2DOd#FzGJFz!T7%lJ+|G74^U%0-G^uH0=;j}f^gEcCf8XuAR2xF7H#jk`bg zhHgIyUMs#zN=*2a%*xC{PC9?nRlTeH-h!Kt{E^itr`6Qn0577aZZ)qjqIPQf!s4uH z%TTjwv0K7k=252O>#4GN=7cfVu}nE5NCVIM1UM@p!=4ah+#t_3g`O@?YpwAJ&e zhPmEQ>4)zNu4Fw8wJT4l7O9`KUk~Guu3i;;PL@(Yeom{PAH2IUkn0S({5^NO5{r;# zTW)*})%MQi>Dq741%5U^Z&5R0;{1tM?&9Bca{yClb7|4*yp@-0d)qivZifd?R7nv# zx$3RE`VN^FtmO~TuUtPxo~+|N`iQ1wTX~amh0Dc1&CsQh9#eyfBHX!giJRMuQcM1O zwXjR6d}icmLN_txUg1rC2QWe6xZ3iHEMGo=q{PLOUS83a$%(ePY@v>Yr|5I8I(&19 zhPyF`{3a1_I^JV|(s9apS#u_~h_Y40S&_)*P414q*gD}5t#+Am(W$~%G^sGU@EE)m zPcB6M{);f$X46;q`6Izp8*NqZ!js&t(DC~H1xp?S(~!&omj9SnWvca-P0fn*MB*Vvr-WcG<5Bm3ChL3Ife1IE0g)6!jD8+b*-udzP%5F?n>v)&BNr+8kXCZhL+gDN zSMA5v)v~V|>j}SdaUv^IM_|ze44{8TZVr@;B(F=W28UR3gOA!6mPLk?f8RX!Oe$%5 zYwFoR{>$2#L(OslOmBYH2TaeV-M70-R(dZBM)aSAuGv1Vb0a0==qb&&JNiuIvYaDL zqaPj?5iiLo<{y}(an!M~2VO{=NKd9)&(ONm zqN@?fXUAQt1{3yY4pDX0GdY`idEagscc+T#(W`m}wM9I(0Gm1eSThpUF=ytJ8up3D 
zu{Fa{X9k2ZW~Eab^KJu>gO>m5nTkc>?imjtU2HleG^nye2<8Q69o?63WhATgVT zmj%EDR~3s5^Q-ZrHTFIFF`IDTvyWXAOG^|e7O;1s!0T+-l&r^+#FIq%5m?(3`5p{nO;gdU!}`qg+7e_ZMjw#igrfcoI{Sh{Ac^A^-ma` zM{-bswmZ$VYs=A|Q(W-o{3mOw!OarB3e;*at@4sa<1Y6D?*k2{bAmQr7eb7K7RU&b zjL*l2Gn(|Nlqp&-zp+x3MY+gV6mi@S7nMu0WNP4Nh>IX)2m`?}g5YRyulm62v+T;- zFZN<2Zp$V2`s(LXRg))TD&n4AG1i(b)vi;j>7S0IyZ_lm81Dtez0yhQhbuz{uIg|T zrn=Z!a@$j6{%BXU%CY~Rn$6RxMD1+hVUBGBXNqapgQ0*NLNT2A*vJ*>Y1~*NB+eTt zYTfZc>JMACJa0vmIddXD#Zs3hinfX;@LaLnNyX!X3lUrg^@qJcGuOx!cpWJpyTCrl z-J)5avX=?qnx&#@mNB0K@Cbk(?VT1pXlG=sOVSTKSmmCfxOzUx z^a*n2@sC!KXLcOS*^-&2YbC8DQhwNU4;&D-1=lXlZQ*@yjM3v;R1G*2@m~pRCUas= z{HG|d+rEb3ucZqupKXJeFG%2do95-3ZK2IdBFzp&61+P7luTi}Zb7D3z|LZQjQ9m; zQ!_XPZ>3wtv_eldtK788hqE=(nT8!koTIQ(NtLD0y3;ODS)<@7+4A8JJ3mwJ zz$A@Su0OmqMb=tfIEzX-S+kByD(PwFp8Jw~H&f3Curj+BmP*I}tqoO82CYG_F1t2} zx^+$8>}MREt2iw4t$WH{#o27KdXzfBHR3keJNholC5Rjf=W~oWE(j;)eG1--)KY=8 z&QDjr0`$(!dTf3KGf+^3D&1iTDxpzOYCI2_-u zIo;H9kwSGG#lVjwHf}6c@n~{yMsD@mee0j9d+Yuxyh)XvprwkGab~AY2$UcR>wdsy%*|TL$uj)ymmNwYQ^ zO(6p$D0u$rx+n#Sa%G;VLEMPD+F%SSmwJ20xTa!=PKVCEhhb&tE&K_i!dcWxtM^kE z)a`+?H({dw>_kY{+L~aa-a0CUVx8}@v4J;7+OK4a@q=PYfcq zuf7d(s|yrlk5H3bnz|L%n=jqU?c-H)0du)$u2s~9nfB8hcrW_Kx0oS=gq?GvNbs-| zZ#hM?`OHzs`J@~ogF_jOx}LW}$_eZ`1C5>&Hv?2Ou@)+tV9-*%x}PeSxT&ffM6Ca? 
zU+AM`_JWEY(?I5fcUn$ErF7{f&uHIFJaJLnZu5zFqd8Uk{Yu{6BXjuq7lJL<2;Zvk zB?Mpf3=4waE56rPgAu+YF+;8UNlU}*fL%W8NlMkX!BLi9{g=T8)ny`3O|bdMCX|4d zDtH+Fru0^k$7a@6wQ_x+P9f32d19Zm2cDB9zNHx&Oxt2n7LrdR>sh16P{cCoh6QJz zYad~fJBeyCK`EoJBqs0&;mzI3Z)Mdz2C@WQ?H2v7H>VB!y$RWfovO ze52|S_W8B5>RDLuWsjwhBk<5(FyD}&%FF9WDL)qAh{h{N)eO37NSvj2V3DstM zvxwu>^8MN9YWP`s_H_N(YWc?M*}nH#4ByDu(!&p3vJ3bY$E0wviG6gss@Trl?4*62 z^#0rjBOdrzkt4qD>SKc3X3Wx=qc%4w^QYJ0r}KN$PK-}Rk4;=I_|67*I`CSJb@eOW zei?;06^oG!`#$|^%_F%!_D5aQx_R?HylO8yo#D~r1Vp#!W)Dh2*6zqYyT`#jzP10% zx2)C>e*9@lak@Vq8~Bpfqxk7d5s3rMy>FtEixOiynhaWpqw=*H8ja$|ryjE_msDjC zYf7>AGw(^BU-^PKvpjQ=9<#T2bvq1Bvy&nx5F^M)iA_1^VUz= zj3mtSni_AFcUkS}>GM@(rir4P%OlP((kFBw(i zYX8dZob>w3@C~iH`Z4Klky$Q(MjKxXw3s;p-gFsuBh1(ToIfd(dYg0vDJ(4vexC&P znEvb?t@n3uWc21vFP6nk%fY__?RI zck-}9^5V9KR+gmDTlSkZ4)S{^(cH^BdD0vinIoj-zHL2CfQmAuwlEbAwbXhCp=g|4>*?_VidlUK1Nm2yOf5hRfbzgHs;z&BnCyU?hODr@enG-bMjl(PolNLO;EqMehS40=9TTsvg`BWQe@8U%L3h06mUn z?>ixa2l0ZpdvK$WA&Sm^8R83r^nRAT?Lq_=@iE6CRNYePL-cc&y$3=Be({1bJ-BJe z5OrsqZ{q1c=#8y<#e@k`;sqb~;ASC1G@Ws>#nXrB=d60&g$Wws^?YSWkjebkBq_q? zKjQIhdajitarB+#^Th9tCKg(g%n6(C#^ZVST&qXo7(2@sh~FJc3*H3%mE7m|6YxHNBDQpHD2d>=B}vf| z_}YUztSDb9-k{r2AVQ$ed2Lj&p)|rV_x!(y{B_YxpEH~@$}#s%ubK#^ouRWr>t-O^ zg6@0$v=D0+ryzm6Pwm{DCu!~col@!T!iRD86x~vo&~tg8rlbigw46xU=X5)KKKog- zU?L!fipC-L=Rkv>HDwsV1^sOI`+Oh-Q-9o14n|7i3N8LTO(0s(#s6RO zujN7bcXkA!ME&dJ@NdB73N69BKayy=tiQnhGr)f(x#Z8ep!*@OLLhH=DdIO-3COK9 z&IB));ZKga@-YV2My*_?Kh3(yQ5#}EXuB+an)Sff&&K9zHdNwNcuJQkDf>yo$2t`qnt3(IM8C|0)># zFW=t}{x@m~NnGeeP`4>>u8;C*H$zq`{IwuIa2w*`MUF?Rs=+!ll^}h`s z>x9615ZIIxuVUndx7NKZ%U&%%Yi@Heild9coTFo>?}VaVt7FObhaG$5bjp#asNK*0~PgW%;QK=9TF-mfY}z3UpL1W64c(Vrhx zIH4R_LOGIj|I;xxAJUKhos&99KV!|Gj>k`dt(wP|K^yB~kk=Yrh+O?mKKsoDS7j+e zGZ)wSOlO*w4^!jxn>(7)Bo)G>q)`>PZTdb4!{^JTj%92OW8s)zcJc}s3L&-h{~8!uQh{eq|nUR%7jHv{tMMe(V_)m_PCSC+dZ3W zi4sryqX)jdrnJ45ETJ(dV(Pu3raT#fn2N zlW11-(Bw&I{1h>*SyB4{Y-G#I0YMIlW@Qgek%R_P#I$=wEeY7jmVFBZxg?rZJv3z! 
z8Y?2EQ!8q@z(%%g3lQXyXjb>oR7q%Th?uUesMP`+*|PZdg7Wz!nl(K%brKpoBBsYH zYCXV4j;tII6p(1v_Rus*XzYua60fRFPo8DwdFfQ*b&zl!bI8H&YOm?(r*tu^di`Q; zZ*|ff+;|+pV!ActR<$UQ^Lpfw|6O=;?dd(=J0#!FJwr%&SEr1b^Um_{?T-(Y6NUQh z@2{VGj*#-LzCLcAKg*-GKaMUZiuTz*T|f5%A>~({GH%X0$K$X+PF_Kj?6ZGim!!%z5W|3iijJR1oF)>{D%=vq4A&R9~Mo z&!6YfABTC7xZP{$n`t(2pp6$d&}a~-dlO}$;6G*?~ViN%gjRuEbE?u%{s$0KS(s~eE!eG5Dl z*zuzZA_w37yBq$Ah}w_Ucfn^He({W9QeOwZ84 zcwza$KHo!y!a#M2AgS&_^~7Qmi6CbYWd+CH*5$8Z;(B2}6EFV&?Dr7+v4V5&ixrDg z7+qGnxcQTpLMWS@P-J4y@IYd5qr{o*RAd_;-dtw4hVl{Bie`qnNZTVDYKdFuD}%`wE(_ubyCNGu+> z!vjb3%s7rWZ!yG3J(>l?0U){|0*4WB=C;S0FEWNnbwk7zKs=fU1P#Q2i0csNCm`4$ z&dJ2&kd-|9=GKlb*%*tu~h;(T7`E z*cw=k6^z$YxCbSd{{<)?7D7OAu|x*P!s^pAiyjDoFqVj{%3&P5sAQ5BrxUT1pHA^0seFVe?)q0LuU%mGlQKGmw@9NXrn2${vbJ8H#GO?fA1oei-&) z*cTAi3>13;6#M^;S_ZL;Lb3l9P|pzrfSf^|KpG%thJZ7hq^b#hN6kZ^VP+T5?h*%N zJdn%`X75?mjZ#*P!PYD<3m`j3~TUNp8JWd>t9toa9kM1Z*&$lN4kE&-Uchs@bR=6Zln<&aPR zVW175X?hx%s|My=+<>_aJ2bYtEisqiU$XnBffrTPzza9Xi@)6VzYL@be41%X%xL?P zIq6-uyextMmqHIJAsGbppU*noD#3cg-6tSV_<<*$-M|w@$dk5z6bmzL3Y&Go#P*3! 
zOCiz9ZedvOq2H{X*gni@EMjkr30=(S0?tH}BmsaG0(3xa{#`5s5hNPTZ;r-d6N`7n zm=L4hzA#um_SoCo5RIKTH10+PdcERDFm2$sdiz#T)BH^)B5YRrZ-V}y&YejbiEch= zjO`=E5SYU1r!3xIYeFBd0l30q^1wx@Gzx}phBX8${a0XJN54S(8dY%D zP+|o)i;O=hh6FAfutakhoT*n3QBR7B>zfTkcca2E-+{ng72J9M1qn^5;7o?X2Ay8@6VF!}b z(>~u(l}j7Uus%6ACh#0f)zP~?=Yi?}FldX{7^E8k={`J$bfX~MFlpe%E*5g54|2oD z7jgsrZ-8<_T8(~d4T7|4Lt5*9Yo&y==Kt2(0%`pp39UMU!kUJ{O0I*#+J(Z(gu;^Y z0by;l9p?}vc|!qCKmq0(f?Rm+L5;GZMkKXA(Zp5TL4ATtjX?gC38C%z{qUe>ka?sH z^@;HwDZpQla&JLhbD0rF5Y)cxLEW=AKzsD-je0X~Z+qk_fZvkU->hG4`Z@m(V0YwS zwE6p4ZGq+8sO@=fw1>BQmp3ERi~!=_%Ieqa^Jd%~5d@C!bpywxAjki+SzEB(xW3ms zUPyFGS29-8o#_y`QV+Re54kc4ygS+dC)OXZy#PDsvjha2vIwl?QmZ+PbS4l6TEsvt z7JW2i*K(LdHj_Y&w>DKYQwJ8poEKiujRIB#m`Xcjuz_Qr-|6*Yh`@EBD z>b;TZ5NP>6V+0fo4gucot{{R{>I7QkOaC`#F(r#2P=T2}s7tEwGuXMGNj^O-{mO(ON-k#H+QsC{ogC1EVu*7wC}@cOMFL#_ zM5I9UcM(MZ%nO149-~-Svy-j=3Lz3`!ZorZFK{9@tX~*XfUY$6$t8I*nUt&V}hz^vY?9QeFzHQ>C#AZDX5%A z3RSRD|1ugq{~V3=79015F{yxBM3O#)gi0|^pwgnk1L*~o7KutwX<>~4Dfk7-G5@8Y zQ*Pi>JyiVxGY8qT=-)+$T!Irl;5ZyA5!uJ}i9%<}kZcGb!RKcG!K{;*zO#c_g0p?n zGxR9p?06A=ay*HEV^?QSxAKin7bg+Ex@Qa0nY&$xvmFfh*OkN7v$LU1=|wpFWPg42 z?BrwAQav6nuXA4R~=@((hNP8Yg>#3uxfJ^2CmJ~&$i#W`H>u$sAX76O} zY++{R;>>I0WM<>c`}>5S$KBS32RfgswRT=;|HOT$P5;8Z&Mfu*!;GvunRar@lXZe* z`-NeXf}+prTyDL(^`6S_J~OUjjuCvnmw?gRf|W(n#QNqM&sFbtoPyz%`_}7cd!(A} zBBP(ik)_yaQymQ?db8YC?@apPv%y@B43A7}%|=e^>8PT&nLW3^nR)Vxa_H2-&u&<@ z&Tb!_Vc;L?(Qao`qZ~-OJ9bR}v#1{V(hcj&-u9`_ zpVV@qO9tfgC*8jBkZZp0y|tq^`t@^vf+S^8fIYuQDSMQKCQG)~Qj(QxrRSBc_qrk+ z-g`zbFVr8ZhUHpu=o|xe;XbE6Xr}SuO?Zq$Tc+;7@Xv(2C<~1d&A6Pw+K+eQsGUAh zdsLV6#`EUt$Mt>rv=w?=Ph+K!@{1D3;5XanhK;s}D2Y`k-IurY2Y zGn6@JQ;D3F;ZEtw+ubPtJ)Lz(zQlj2kyg* zau>?Erdq#c=~cWG-7`FDKsmEw0MIu6;stGcFhx27x40=*UbVQ{1~rDDQ~ zC$9__FI8{+#(`C1zMlBb#~*K}@=NLhrKxtuhtGZ~BpO!T!aBy{k|omL4&+Y>@@nz( z_)NVoF9`lJ@p#Zww3?&DY|$gks_XpISN64%8+tSjVi!T7)DqIyV2L1@j%in$&E~kGYd}b(Q=(!ek8Q5(IQR9PA$rxHSL&Y%^Ih4! 
z(G)h2SgWV`1X*x#u8Y^G#(9AL;H5F0Z8z@YFtRdDe5&hPs_BDy_XMx!^9pH_6Q81$FYsB5h3UHJ=7r-Q zWyUN#SIX$^=CIRvA1s8LjrvNLl*Y`&OH@##G|)6#<4rRb!6iK{1ry7ctW_M$9r?oK zpGjg>*%5sD;fLB5`Z_k%A+K-lY|mUnY<7-UAGYf3SY%pfX@2q4a0uJ>j6iLh{p~B^ zYO9G`kuO%Mw~K94=zMuTFR#BZ<8msv^0aiV)2N1Kom+44*MPrSzn^l#TsiR_-kj0A zR`xcV1`Q9=`L6Xqy%A#Ts-|$8i@$!b<4Wb*tm#NSF09ZiE6MJ)e# z6hD%Ck=D2g^~Ta{D9fgTLteX&%L#81o&_`2D0^eHv=BwqHymi+Boy_*qFnKFH1X%? zULor-*tY@GuEBr-v^Tj(3%D(7qu8vHHeIY?82i`v9t86+H@_;kF|cYgHMa3af0J_L z?Qj{>E7RYk;Y+mBnMvONtbDI|#{OAaeYwrUIsU^W8>dQ+rE6`kRm<2v;h(HI1{EseNWT07pVQ=$wu}-gXQ`^>v-a&k>vVAHp$FEA=EKffC>^boZ7cWzR z=ggu@hz(#%gz+!}nB8&La7Vt#W5hjh*SghfZy z%|>VLQVLC?7ulF-!{qZJq;*_bx`OJjWD?Hml{wzW2eaptSGNPL)9QDd4AvLu=B)6% z@1*j|9bZ_QuxP5*3{S{qTU60h?U8tUcv);t9<3k4n`BnDYjby*Q&PD|CcD~BE&P^G zfb$+Rs|1z6^qg#wrVpdlw`_XBzU<5R0pvXrIHtd7Ge4Kp9I>bKIX+V%h%Kneg1_F< zR{qtra6gI!Wz|j`cE0)jMGw9$(zynOtfu~iCEkOOmoa<~ZY(G`4$8QJk9G?9YU#U7XPZMzab~?!FD~Y6R+-BxRH8L!(ywP|_c#E}6=G7YW?9AH$ z56P{H=(0n$i|W5DpWirURrwXrWVf$bW$Rb&<7_r6Q}ui=oj>)i^D}9RB@(5s^#RZ8 zXYY?3vtC9netPoJCF2c+s|xY^rqIgiXS%LD&rQfuHEzCt$#ZUxtCG?~#g1h-!Kj-@ zINXU7aS+ZKhbg~3IIoC&{cSu(dgKGoDivGn1snUf0prw&;*0qWd0Nplx7nYUF7r*Z z%iZ}u0GL2$zYa_83e`qzbXV^gvajP|aoQ4b(rF~(xoFpD`AfKk<*x}&)&?fmsSzx^ zD1oit2rmIr0A*y{Wbz|jX-La(Dv#*KLYl&QTVXSd^Gz2?^F_Pm1eYt^;|p*PSL}Vy@P%@g_rNSbI~i9uPxR= zbQPQxhZ>BxXJ!m@7ZO=jKs!>aDWWRX!0QuBO0WBpvtF1WSxHeR*B`DwEHROm7?ZhZ z*ms;}ejLj<^)vVT{d~ir;~w}E$ouT9Z46KCzZYX?C_R5D3h&_~JM7RZmPHW*Y%ad^ z{nqJh((Wf9tqp1eKL*7JAoXjkz_taN74W|*tx2LYo0j``oT9l%&3A+}7pFN3$r&6; zP_bK+1_ndTbaa1U$27cajQj6MReUi~8OPE|`)(2^KX;JZyDQbA2DSq`k>mAhrp{V& zRZz9_7m#2%1=LR8YhKx4ql-*cA}?d6kRKO$1yrm=%ul1L8--5S9GRDw@JE&`i-imM zBBS;>&entJav@2trqf*-9p90{wK zhXe5Szy3(V;ZIyb6SJ$UAw+{ce(61PHbu`^`v-ZbY+G1bn%`*+jvkQ4d%PEi_#mqm{{xqKN)f?s&6!r9n+Y@Mb7iJ6}x#kr-iPdBO#h9pcM&9Z;V zy~A`XlQy|4BM5cw1sL+JS)7i-Pv1li4JU6*Y{E#mOAeqfY-6a*^9&j~zg(Hu*vXyi z*nZ!lQSL<{k3L3@4x?HejDmGu#EcQf%suM8r3QRjJmNfyp#gg)QXE z!ZoYf;*0(%gbdZj4<{`e3McyY!aMI!q3q!0ryEZnzxjDB=lS!y4z_Ar9bUm03qO`5 
zuDLke$!y)jv!?gk7^94_e}x3Z-U&4bhBsM_8CLL>ZA4slHkI&GQ?)5Hn1Uj&){Qi6 z)4994pTIA*YhY+TAD|~eGU7*P60NYNt}k|mH400k z$Cph4ubMmy7qOXhP;W5w$mIhMjL>YN_448?0L{tzzDEV3BMNQ z08R!*No4%!&WWv5n^cax(e!P_pU>E~eBv-_=iS33KK@kZNqm^zw~#ipWsteTeu_tB zQNZ4+;2(6~!Qt_+MRi=Xs2i-st4D1Jsb<4h3>Bb{GCt(yD32jH{>UZHP~!RM#>rNKA zTa|oLt(TQe^S5s!UwRtGD=hTYBn|J=$Va3A7>@se74Xl z-)w1j>THV57swyTO$GNBHa08tM)YmYNNDV0RZn^220ipqKALbwF^QCYjLMh2hF~Kw z@`hfUvk5l8EZFEhsY8|$nc2Wlp!t#$!6Owg(KZL!9tWPT=er2^>TDX$KYXIu@tSqs zs0T2cur+8q$}YOp88DlObNm*By&Afv5JhfCE18up^U#gq`onGC#~{gISyma?x1oz$ zqAS}9w4cL?HGu>TewS+|qT!pcxn+?(UQT0nY8)YCYy0z$AXiOCi);5wKUpg`KTRG|5jNc zwQD+h0QiQf`dVw4+Is+>Hhaf*BUAC0vk4+Ud!e7HfE(${wlJsYKrduhrSz@Ni6@0T zL2NOGoAAR}6~%^|8ym8t*DQbkj!7G(Dv`>%wSEFegJ`GmayEtJXRle^Zjt$fi!J;e zyHYPn8(hvNg8ZU=_(82kQyaf8aiUA#8|-X)$QL-j#_O5H^Y+-2leIp<67V*)o+J`9 zCz=!mI@LvihNtYZyhX<}xdrhTPi|H+B~iRN&J#$$z+Fdr2q=HukTJXEY?8_sD@&GZ zNrK@-Z~6n_n`*RUpFTD|tw0lUNADv1xs9**ul|Z4x{Lvk_&8CVP`(X;xd&#mlu{rx>e-8s5wnSD z(X|-K=NkAuBtCu=rx{vIj~|QBH7;x`z{kxv88R*MXE&K&&L;W%ea69idnR3{(mnQS za9w>T9~P>DgGg5q^=eCoTGB5Wr%CIoqfTn}P(IP@nH(feER5|Sabj)2Lpw7u_}5+K zHqoSiBy6qVqGxt`jnxhjM7N*;T%80tO&KN%ee zSe@2TngUB!D%ejg@eJsZD*?p?y^zI&++&{~5+J8MrKbP}&-qle_J|+2265rdGEH?C zk@><(-P(;p+rYtv$@QhiNm#8`t9i4dRqB*`o`y|-Y#bovHrfN6el7^ z6jI@=?GreoGRzZ4Lk;81>5+!E?H81oFK1Klz5qMi z5?PL4Dhq#?#NQp9$mJP$Q(eFi)WL*5vDL7;aaGf6m=o_i1GH}PU0$foSOah*VqWKE zAMByeJx+|!@m%<>Mh=qXhl+r)OLjKR?n^dwg}cjG+@fE$(rW|Q)ajsD?%qZs=f~!# zqYPFqd=*A$+{Q#g!{Cr(!H+d%nKq*`tHbBfWmgP!zoSH3 zvhrI}?SL|oWfBZUztv+67!0uZcKQSvAQ(2OR*zr^9rb`&z-zur3)XdIa(D}T443i> zRy9_VPQDHAd0%%>lg<@}TH+3c?|%4Om#6nmQ*=nq8^2?S2RgH8`r;LZpRuHP=$?1* z+*lD+%&N_MTTs+WAwe6ZgrTV{#ST7Xt!y|V*Y=)jeaw^`7=}D;%rkqDy#CM&7ovB; z*%ZgWYolBnm^ibPLV#g$`tOK?_v4C+YAv;7sAv9Whms!+C3YkcQXbtVL;~c;F{z`u zlqpz)Brtx25g35jz!C8v_X(!BPxz^BO*x;Z({lBy z1w!9qstvtL`BA3BRf_2jXn46mCvASsCbfPZ(n=cZbn^ekuT6fm=nx88)L;j|(j>v~ zBS9#=GyCL{no`;{aZ+Y4E;1CfTPC(YrKlR zFY+Q)tF9T!sh{6(RO2$n+{Qyf<40{K*)pU4PQmsVwKbZI!l?L+ME#b?&yb@kO4T;l 
zZZ4`#*)>B&^$E(Yeh@Y{DCEA3GCblkZm(IXr=Ni6>U?nO&;xv2arpq&+BCz-J63(% za$yTa*0$Ab*pnw`Y49+U1ND|D)6+R)6x7*t*DpVZJU1L&F{(xD%^EM=iiFCXAx)S6 zQDyb<@?ZF*Xa7&U3fMJ6q4t*z1qqlR-8z3quhx`C_BBKO_E+7?N&Nhn*jf5)_h;Cu zy4q8bbM`G3(U8EIld(f+lk+!7CXgWcaj}5wL003(adrbk9rr%Q6d7H*o=u>g#?Ys9 z+IDXH*nrtJL!I^`NM0r<^z$03s%6vCI_=l9>9j|zy!CGx#yX4EWvquCqv>dY*6Z1H z*&}e-)T^!(Yb9f%U)Qs#vOfdMB1i2XJlpN_$jRbIR-Oh(0%FKMs3fZ{i%ufDo=tu| zX4eQiWZ#%0i|N~R%}R3p%w}Kan?}0aYZG5ChIxM|a=L+)NwX-1(&v-llkcq{ zOsXo`n)Sc5{B~J;|1VO=~x27P-%M%CU}b1jV{HuTM1L^ zdljo_cg;{6dyH}_z>O8{A7ZFt{nR?P?Voek|G7UhVA&#YFE0YS zlLQ`-bvDqCFW3T#2rA4_=z4=Ru);JZpKlVKLc>bM`lVnP3Rk}X3_t4f0x+DYOE3_V z73}QWQUXR^Q|WGR-m&$zCNJ&GbUfI5rzVKNk^e!)EQ<1^>M1ogv} zOa**#nH$>~-AazySK<;H7|Kq+U;;Vul)TD1(^@rucp2_6^jE?6F0UWtPA$D#s#oaqG$h^G}Yi`lDB^d&uudgK$o9toNgZ|SFgJiC4tQ7LT=4|V)} za$+%;L0gQMakv=Pa}L&KF0qn^JZ2bbMNcJ>(Ont3ZCTf)OC!d=NMhqhg-&6^O{q~W zc3;tz3-#`lYoF@G|HRcFmOuH2%LO{7M{h?B9{UlzpYhHoM}-roIy#q130NxC7l+!f zjy|RsN;W^ctzOS01^iey4lw`l#dVS6P%XMTL%-SRjnl4- zJO|Im1?15;5GS5@L7c$Vq}i01WCYu_dxA%9JGH`Ce~qg!XQ&K4Jv>|ip8qF)f;q7{ z53BE*>XiW!*UbTL*1E=;Xc7}A8t2uFTifP5K_4RE3SG}bF+XiRGE`_jwjP5@bF%3$ zPB%HTNr3#w+4nnrMq3i5RZIp-WKF&%xhzA0=c!`%(u!7-|G z^;$R_{g=Zafn`=HGAz$fLi%3q#SZmdlZ~oiBa1JoW+)+j9*k(Wjc(f_LY#r2c=R!@ zi#lFjGgOU!DI|t+(JzL?j~=}k56xvp@a<9FKZ%bMB`H;zIL}bIX%gRx zBB&;HMkRf@;LxUm1jvt|^mm?ftt2D_er)8mBGfmmRG3d5c(yxtEisvSALHb?VJNZO zC+@A$`EG013X`M&R+q4m6gs_M>Bm?f-wi`~<+I_2-@4pJ$5LFdb}rYX(%KC}apeGT zRp^yZnHcrz=`;5Z>U``Ov63cF#lc6&A>c=8i0H&LoDKWYP8GVgK?&QRPi^*Me6h&a zD&41rTKM>z%EYS6i;TR(8R{&%4LOzYhl6N#4tKbH?$yR84Gzfo+YKv)WmUoX9|QGJ zU3dY1#^k1rC`GwpC8Yd(#9{A~X{tL|=lF?BMu8t;idftmrO{XmVGI%^KT4JB7OQE( zzhWyz)+{DU*?0%jn-eES^%S%rVC1tkQSTqn;#o$5ZpoCL&)D@_iLv8LCVevT;V)vE*eXmB!ZhIFRQ95pPgB$+3}G9VsYeOrw1 zW9e!kBcO35N6pX*sIMy@!6k9Ar9h)88`YA#PU2##WYKN~{5JY#Wu?%37NTo==u&V< zM4ZUX+3n{IkqB~mMu+ncP=JTj`#=<|a;K6`xZ3WPyDx1#Nw>QhNSQyDVEuG)*A~t}`*QVqKuD zG@dWOhjW?9CKIhPWL)!xp$PPNiH@0TA9)}8mecS!v7PS#j}y~5hBtISG^P-#YTA5l zw^I@qC%*Gq76nH|=rJgl)(>dR9vDp7pMui*9M^ea9gfP-Kshm&CuUD}?G_W6eO@#^ 
z)lL2_%Du=?6?%-(N7OG$O}b&I41EIAsHJM7GMqnIm<94~ls|Bhu<6W_xH&PIC)TSo zF*1=`)a`y;KmCX0Px!4AREDb2rwQO%GVsa5c-b`o!I5huo%m*cTu}gWBbDW_r^qFbI%V8R=`umZfJ&Bb! z9eS-9$ z=OjMfgl0tbY(n2+xZn#b`chmHDL;O5B7=K!X*|2IzcxDSqH^{aDnVzNHlwV=!{^cd zR)%`e7nmlpniwIyIJ+MRFj`^_5r&G;r<04}&s!feU1EI0Py%`qxiq@y>|zDWQi2iE zfN2HB7G{_Nc3ls`m?To(M5wn(YSd2>aHlpMSY9QKYcA@u0Y2KTEF3FsZ%FuuXu*pf1$WV#;><9$Ez0W*=8yemq9=6CWwhC+=CoPW2iVnOz ziL3C$_OT+zgCCR_$DYokwyvjdzVLZMnp+J=j&8ENlC7(fj!6e(r~rK)Jm$`euD0|T zz2X{E%nJ)CrZ2$FY(mgSK8>}N$2R~AH3;fL?pIph8(RwQ+#9u&SnA#NW#9dq#MeLm z`Ip_*yG*B#Bw~KdY2t@dkFvD)s_*`pz+x`;*wsF%^V;@*FvltOBx-(i%I;8W={z33 z%PTsR8%=3y-Y`^x{sD8yP%HXJpyo%ij`h!uP+5(78BvJNQ1IE_nCh`E;4o>DdkpoA z+b)NffjVMDsLiWRcSejZlbHFDsww8Rwv9|1mtB~et!zjS3qwihDX3Lv@D4P>Pny+c z!lssR$NJdM!awf`V_s#d#*i&G(kMDy;v}VDDF1x%dy{ z{m49BxoimdQL^a}WNN4B>^Fu&)z5;#olQl;;K!d{sB?VtCe)~(Z@Rn*W$N?r7Jdhe zmeXP-Tm1~YLAfZng(F?y4Areq+?ZBF#Mx`U{He$nUaj?_eu*~>Wv-9$T2ZP@6$%J@ zWOnH-LqY3T0>+Pz#IDdHFY`8PUEZ=1vHpH2`LUU}MY^av_`-PY*;|H!*X7>)RwU~} zJ?1MPE(HD-eH-$lJ5K{Tj`-WsuiUp=cBkaU+LX5prLl=|aBWq$`&E-?LO0I;=Q}7^ zmNZ0`U7Dt?kh8DAV8v6YTZWq2PiFNLn8MSBk}+4w67Z4aHcrNo5iG3JEh{bTIjZ4qS!rj_Uk!K5N=^HFSHs=1Qqle%)o{10w6woNHQX&LE$#1D4R^~* zQ2QBY^5I^l);a7`cBjU7PMsJMQ*<&a%zn#CggavHVPC?^8~aZ|&NxHy?WZ><_&CC| zUt@c8HF4n{hBDk|fvUr@h zj6|@|d}z=Pfofw_C2tuDjK5?wWR?l*0JfV3tvq$hP-y(6t3kT4!>u`-c6;qjDq|N|irF zDey>$PkLggS3WaeVyJZf&FthDkB*%&R6V~OMU2w+!XlUu3tu za5UZ$yE|G6uM(P5O_WtOZ6D)y6^I)?PLKnRwY4pNLZ9_-otmZ)0F9q3er)O# zuEV^--uZ)>g^N;WE~5eeFrJo3wY~p`8~}cdiLSS>QSVs42Se@klL(zLsG5dOA!I0@ ze)?{FfYZSzDPS5En0umYNb1H~FMUKp5$38BNcG&1S?BiHa%`1g|1fT1AM-?|)C2_*a? zIJxf?&6pVqpdZ#qh}AMpLUV9;u36(QN5$0``K4P{Lg#J@C*ra}8oITKg&mkZC@`fO zREt(V43C0m_>N2!xs|^04Y5enhyrXP%cUD^DjWkO<}i`mSHc`o)dCuUC6=-?Li zWjvwzLejUf_4n=x@L7`=G_&Bun0^puh8pO>1GnmoD3vjCgZ;!0d!>#9L+%yni)1Kz zei|lBdS#FZi$d;Eh{8K4Md(9a=2c#HWr#eI!1-~l)4<19VI?n6BV3_qknN~0yLJof z-K*sUDn^3m#KB_0hgIFTa`syQ36>M-dI~JgB|=KQ&OtDf7Ea%6)#XKNWsr2Cj62Tk z3!`r%$AX`G>GW85Haf;8dOk{`@uE(`! 
zBkG+i+7ZA?-~7xdoRT;{FMRu@)#>LyEdOl32L5dZ{Tg@%FTVTL=;~i&S^w+mi8rnq zC9|~Y%GKyo0HqgIgxAa2rT*!>DCWHgLIRsKoAMW&J;XPIo0X zcZAiNby11-4As~Vrq7^y_q`D1`S{MghHoM0O`Sh0~HhC1t!$QG?C!5Ef}J&s7f zGec$d(UF%NlZyB$`z*Ha?gxf?=tuMQkXM<0F!rY)&CG<_ zDO!T*14C(a>=g`0SOQl{U4^G3qmsnLkANItDs*~}9$DR?R)KOoW=UB5*hhect&q*6 z`2gC#VE14!+zK?1;P^3)^WgAGEG~Y0?;)-Op)L?5f|UZqE#E0>zwoz2;Na1vf+-Kg+zA5{lHPU ze41MoGK$8RO_G)0l4>W#R+0$k;y0VT-F7Pr?5oQgwv5x|ilzIyko%R^_r@MC3Fagu zwKN!}>%zS%`ZtN6v?;auC@g2-0M(Ry8&LeguMAN_d>lJ7ku z;0Og0L8Ifxf1X0uXHvVg{u@B6(3MxVzka+ zjyx`p>5_QK2Zo~IlY0&Wzq&Iog2>M;Bl96?691~q6K`sOalD6Jru4ZSDwM3tEX(na z0xLIit$>%}Dqg9r+~r_e7h==NCTk)TZ9dGV6n;qK#Lr+rVHEf4e~AAts(kyyY#QJ| zm$zvAbrqau2XorqCTnThwt+P|q=vbv7H)bmJPT)HYs4tkA1>P#dp3(SLuwAzsHl^h z_sb6-QJIDq3w|``#JY9|&8Wg*;j>$0p&Ht!%1|pj1|$WGq1^YYz?zHl5Vt4h6Jc`= zpUjEX3YgKEVM_`4W2&i}+#vOqSx6@F_pQ-IXB}PkPIWKII(Ikf^{4lDw$_~(mAR*m_L0+hva75B#I}^pJ(X+vVK&|CXP7LyZu2t#W{s0E zT4~d)v6SBHAiJy&Y9N@()L7ZUZ`@g~*CwA|} z8Fqz-+YVTPus$U~Azi;;65m_mLQ$1JBw~K7Xqs{oOW9}Bs6Jkr1$<08Q!GqT z56RCygW@lioqydl%C-$M;^)77wd?h7F8Jc#XTB7&+I+quQFDr()t#NG@Gtq>-vq(& zHyf(zSV3HyBjaRM3-az_C<*O%P4~~BQ4oEbG2}mICk@Nc1s?pp7y)jTaFs;KkKcru zO4gXIgI_HR<1)5@yf*vV9^@DGF8IJuqd8M+Rb`k!2YX^#=q@{P>7u~qY*NjXx7{ft z_*`@AZMW`NG%E{@oxW95q6Rsf<>=6@4>jh2qyLG8Ok_+hi!H?Vdtn@b8J4k`*UI{hLqpF z_jupM8vR1}jYjM$1&cX^!LF{aG0TD&let*Y6DF1gUlb*LaMNLiaHX+63pc8w90dzp z_|FGmaJ9oXm>9c@qY(6~1XU=OxWXh;~brX@{bu(H$*VsTyn~I!^G)ie_*8*U8oJ*QK{Yl*+Es^<3MEw)ZI3- zLdOA#jUh837%4zAty$O#1%qnfF7S-NAHxNkC5?@0GZ7cColP|QM`TURrVjnmNhX2u zW+zWaCOdTYS+zd2Fq`P+@gG=;K%erqUl3bnDei2s?5tS1@R0J#?k@Q^O;bgQ@grOtP{g~OxKn?{zU^(;&DHE&#!mUSiqnFosDL~ELL418?ja@!$cl30x+B4G~4{&*~F)hQ)RXF z`RCWcSuL|?ty~4mVo}n zk#@pJ_iB9EX{Y0lB!`1HAN#G6rMy>7FI;94^=R7_-B8M(U7L56YVDz3!SiD1e;Bs%kayKb$^hIRK5P2)RdN70 zIoHCEzIN)6Yl2$paQpcz^S~T;EHP>9!(!-`=s3neJz!-@q@+j=f{0 zDIL%RPs%}VPO6K-B|&f`0%s;BCL|_~6yn^WTfq60uj7*J?pP^32V@2d72AA=u8l&jRAI#0HmRuEVh_jf zy~>1bSrNl5SZO;S&Yi2<+tR%c?`9Klj)4&r@<%I9IgxfvrVc*jab`S1n_J-^)^tRE`XEc#Cf|8DoLeP|{@ 
zu0vKz%7=)JD%O2tXp7nx#yOBAHjY%`cs65_gzs2MCy%?nj*{`lkHt!pelAv8$zx3L z+xvJ2KDP3mu#1GbbE^5W@O^1WoSaBR<)uS5_zhk2?tXXgAo01a; zal=q+({37Nek+o7p&s*9;Q||~iB&qhVB zQJjcKPuDvZ?g`%rgxs1L$}0~|+z^myo4u2`K$Z%Yx9u<(v2o3&uzV4+<4fKN6vq-~ z6HI<7$i8zHSR9o*qksjPEeV(tEjkOhN9QsP;H6M7ey{fQJ;{kKU9@s16{q6DBKbRp z!pc7eHz$g932qeq@YU~b(@Kk+1j~;?od7E4ftmS#hXct5sVp8XC%6WWmp-$9xfRUx*P*MiSIpWmQ3{XZ-DFLB3U1<=3ZC zmT#wwhW)p0F>2R3)jt0k%Y?1nR0jaq}1n-WaV6(O5 z#I{>m**AZ-p5n|THhvUpgsp94Wo(*lA@}Ie4-yOm=rXVJvMU80e+All!n8~5w$Eps7!c!-8WEeOm1%FN%(%;Nbr1_~C_cgGo zE$htk#@2%Gz0f+E`xrBI2E?Sj(H!NqSi{OxG11o9WSw8PrtRyW{ynms?T(@B^XX}<8&&3TmiCc?<5u;qN8R|! zH(k+Z4MR=n356yUGhU6@yf8K<{hm5@!nuC1E(x=r^s~DHguguF`Fv zPVPKCDV+#6o4oY*UNUOvyL+@$E>g<5V<=Y28M zuRc59e)mk_k2RRPXa#p-CygP8JaCLzze--Hv3GEEh$MAh4$fihxO~gXCKs!!m_N~fTiJ`regeIA;j}Y6hnpXqZN^9 z^kj`xdLs8YhBDm~`>}TmPnvL;e)1EUWkx8#Rb_ql$UI9_^#hN5owr z;qfDKNAPT1<1%UgJBBLT4{9~;^CH#&@Ie+uBG;Ko9^@J}GmWks4V%#v?ZQ}5T)ikl*!yO%POb_X5P)FYW>2#ct*8dEqn}c*i*3sQ-i%R z-Hv0^H2&&dCP#uF37Xie2b};1&=j!Qq^zS(|Io$O5&9C09)LvNlC$YrUvf*Y2UqZ`;~S&t}g*5qq)8)K+!jn2Zp@O}C$n)=NqUmdw8 zjn_a(gG;=!HJYKZ@`MbvtR0E~CbfaA_<7?;gT_9TDSTw5H|2rF&bGr68<2pjc{T(Q%qLNyJXLtEHEZH884vEN5l zYTGAqqFBAk@i(jzX)EdIZ_SQR_q9WTbxOM^>ucCkMj=gAHke z&&la!rP+NFQ3+>#8%k77SEHkkM8%IVJ$-X-^#iO-T&)ui@1mzm=-wq!b7VO*YRpWD z)WQA8O3wQQ6HDUc#DhZdJeWFFx-DgM-}_38?Llb{QTOHc;T>OEoqqnq^3V2j`0wQX zaN%EMS^w+m>G!PAwn&?Tdeh*|c^<$N7JJ@kX^icA}vfJWls$+71jO7N|c@V!PV!uNSi+# zqCB#W9cuRcvr$%iEk-ZzBP*5o_`4pHm7;ZPKC+UHj{#{UHg*=h3U|A0blVnm#>Yoi z%JCNvsIJvEDn#OYn=}dz=3QA!VotnCYRH%fH3WIps!de-;73+M z_Pj?qjBfuot(zk@!oW&7pZ7p}KSaD5^hZ|m{JaPEB{I_=8FmIZq+NZ&xW9Vosl$&w zpUs>ysj6g?YvXFQ;Sb@jISTOl>!ViYmS?-ZaL*HU`pB?jzyWM9pzugEZI|U*q=2Ju zXhVTx*cIRaoSQqlwBeyDbnS8#R9P1>`GE{u1jLw6WoK#5I1|zfu;($U3k-V(JQFpE zloNM8ourYsIT|}cKS)#CmE3MIdPHO6#8}UrL4!zobjJKghT{KG%hMgRb)$h}=)#CJ zueY?i?MGJq0C;n@yc8eNgVHv6+S)Wx^;m0zELpEH=xUW{u=$O36~Tpw+lUjD<30Qb zJpm$eAXzm$;61poL4F8+(Q}!$n>(6_%YRkd3HXUzUNT@ z7%PDIakkzJG(v330QV?LVP&dNu!!+WG>v1}gMmQiy6BO(_|enzxQ0$+(bL9>j>f}_ 
zoI6fr@8o`BWq|zl*zc+&EKW4*)STrd81L5I8aBx2<;aQBJbBXl6kbPWl(3D|)^ueI z!!`;B_ggs9Y$0w?H?3qzE=z{}5zfq=k@4;chCL4sIZ5B)%x03ug)|tpCy1D=Lxaq} z2dykzyki4vT5c{Lwl)<3EBfFI$Wd&lZi{!+W1V~3D=w{- zVatHS(U9gDusG49vo|l;kXGdbE)RW1BLU7uk_KqL)nBd?8)CHkkE%9+$hIi#+xXeu z$9dIZKl)L64o32jISCDa(0OjBx!Gx6+c82RrQq7dSa3p(4aW`xrxl@khnWvWhdUqd zcoHQis`bPYFO&^-`PDr>r4AeJl88Ccupfh%6GJ$Vm(Drp;=vTnQRk=VHtucxu!SNfq60Jw8{;^UH5tExVZ0Fz_EiHkk4 zzEMseKy9!obZ~p)Ese*VNOfaGSQ9oWV-R5)!X0r*>Nfb}%^W56-Z0 zSVfy}4Eq(F!GtTLPZD4YpvnHTsb5RSOVo0HpW^Qy5!yrD*rkn5Mun6mG zm@6AAwQ*&UnjHHB?FL6&6V(Uy6GPd2$H{Fg%%Sv$+7v!<6w3E|+kI(-YSS#d>3;g`xQrHzuTz2v&j>`CcX&#h* z(fd131`%M;%Cnz1D%N9fXINAXMqaHsXWKeQ<#&GKs8`?5h!2o9D@l3gK5De3VpSKw~w>01_^ddP`Rhk^J5-| z=<$Sx5y*1+tbGwjgFD7EMNwQmn zqqN`?-N43yD=-lnShI<3Q=M4vXi*6Dm>X+7P%t^lu*2lyyC#+VsBuc`5r1N+wSJ(j znDk8qVKMq^m;e`R&#{tTA0}+td=FjpnQTZ~fup#2*jg~!fU4MNayz%_LS}Fh3>W-4 zA-XF6t&8lu_lcnb`dBD&@+5vy@+3OvYzu$ek*IhQn1Ql6ijr12iG(LNc@7euWW*Xl z$RLXqiGZztcT%)|E7T(4mv8fzx2YKsIg^IRxW+WHeK zY3mWE#V!FtS^ElWc$)Afp}GB>59Z{p4pt;i#7Ua^r!cLh>u1;zt<{{VQ3fjV-iPsXLw`ZCH+y$H5Z@ za2`n(!BN*3GajA0xm0E=IXH}8TJXV6hBNjXA)(pEsR2CX5`Q6d2yV)|tuuDZ5>42=+Ua|G>Ufd`y9RMquxLl-&7!}MHIh!mV5mHcsMhi~@|QE@ z47jL#8b$D=L>)e}3CRwJ3dWr?orb6~e1nok!SaIF$dEEWtyp9*ux(-5>^9AT+sL}b z=rYi?{1J99ZK7QWtQ2Ft>EmT$5?`h}q|YW^7Jqcbvjv-944-m6s9mvgsPgrGqUHO4 zU;bhFQ@DEd-d-WchbPPM)IBDThoP=)zqQ+_v#Dflwwkn~7^=ux5?kwb2vU$BxUvNw zqljrX{E4ANY`jGq>px+o^!nXEGUOQ(kfW{s1WXBF_TT9B%Fr+Iybv`*Vb-IjAa$e4 zyeoU{BKS`GGw34cPpkx5Uz!Xyn;0t*I=eT6T-{d5qTNzRI7+9!f{eu{R${5IiHjl0 zaCJQ|X?jnho{N>7urpg}CL4UMv%zW^T`%&TsxTan(r>waWWCd!jghP(tW$=fsh1N< zhU%vlgzI!+$^Atx4^|4M&z_XIxW=l`n|HR3wrwaXN|slcoL4^It@FBF!xqZa)V#E2%DjQ4SlJclP6J^t;^MAby;1u?JnE4ZQJIrY}>YNqsz8!O}!Hnac@k-{dE6= z%#4$H_R4+MdiLyR5QZy+Ajz!#>lyTt&n7S)%Af)H3g*1dhI?k&WC#{h-BO5-C9E<> z&Si^9>9D(zr7_11>|DR=oZ>(N`HsSQL~~rf0fGFD5%e*6$HI$)COcF#nK`>iFbAp6JOivyZbh-_@a^!o`XFd~|`4*9VW7gxN^ii;-_2=UzKOkkcBo636TIx-O@ z1Cxlyb>}fm)+ZOVvI5KugkA#L(9oCNf%@C|QaJQ7|UDY8G zjz~_s%e08)Z4nFq1En<|z247o@K^j0uz*a^F-4H~y0KdTW7eISe~EDSP1OPXT7{e| 
zJ1ppb;1zj8i!zHI6f7bgZ*E+JfnxB{ zu>uuW)<)8%1-~;4JJxFU5fyZm&XA_$gt4gUfj-<8%z$KYNMxB4Ijjg-ITx~R{;+!Q zJEn*B{dF*~sc~?#Cp4>R$*?ChlwF|rrG9+Xa1+JBQ=4(F>-%e$uSJI+#-wSi!|@t< z8ai}h^9M2_Z~j~o;;aMF4TD5RDE6A%elL7WlHh#s5f|}B4ny0?hAP@g9f;fqj3K`Z zVXyhpyLZq0mMplvX@hNjYEecMkvxR4389=^=(<=nZRo5c7nCB|&SPBVsnTc=@?6}0=p3sih@UTu~6({jh$wxRp(&@6JRfbKy zqJaG?=w_U@Ndd0v4GOdu@MEy(S{bW0ONb6=5Jekn@bm-uNpjjC^9ud3VOUQ%G@+s@ zU*2BwjG1ppMpG&m4usZh$v{a7Vb*L?EF8z$IS@@PUZ1}0A5?F25;g# z{86|^J8ei#;S9N+>lep~p+ogK1FI#F0r*Jiv}R7$>-#2%lc`4a!j(ooLMNV^4IAR} z&6Lrgq#xoEhI=ES#i@4HF=N@FuX_K=Zg!!hs`KaWi1>b2Ig16NYf7CD`2kfssjhl9 zI}qw1O{C%rrsr~&hObLto8Usr_OuG*%(!u-+%VOTMn~j9T+7d2x}BN-b*w824Gjfl z*V8G79+0UPfhwVRU3Ki~`SXmT%Rn+)z7>}9eYd2+=3B9Io^*4~q^sA@mQ!Q4l3A)a z$ZhaX#%hTY45_z>NXKK*Hb`iO<2As+QTT%|U4tH8KpqlFts|eIB3QBg8t@Djdt_JjGQ4IOomz zYMaqd?T7?sjW&!%Su3rvFnmG8)Q?uD*(49dz<8eH!JsgP`wE~Hm&g$i z(b`H`+D>#Y(6bh-2`yRab{&%!e-Q278%l}ZL<_w_XOO_sGZ+;SLpwFsQn9%Qab*_l z-JJ(!MvCUWMYu!uto3Vl_q0oHZIh@lipSu_aB>ZbBvJ0i|hWBD;DyvK?_y%0t zZ2KY;4ZVeNtH$I{rA%Ly!aY8~oyae()P>M^Y68~Ym?I`6;6rXrF}spOY`~ zcPq6qG11LNmp0BGnH>d!amthO zJ8xbV+XE_~S*PkS(J?u$=PYx#1v)a9w7>R*LqF6`H3o2(3`Qip{JMTII%$BBwT?j0 z`Kq(n>AzzZOB6E{^9rh;`?TLZY`rerQ3^wbEYmy;y)ZYnVJuK=pPhRuW1ea0BJW}0 zBh}wsa+=M4jL!WK+O&BP2`XvTcMYP=FI*q93uvFpqHNO)0C4&hruJ3ClW2n07m~>* zVXb;MOD!m2WnFsY+1~t%EWDGv8Cp+eG|e`5zfl%;BDHgJvdnH53*~PLsKK9#SI(wO zUnGP=Kvt?l^=lUK29NvH;%SPFtbg!RJzLM*53~X~EssBr`;qIvKW1>+5jiPO4?(p0 z#F!aW;SG8AjK-&hSb+sp&$m}Up%Z2nin=1;J0kW44p4~d9aGh2_m#EX0{L4*`UG(S zU}TgicP|{e7`Mmlyjqu&&M!Z%nDdMsl#_R3%&y4E;zpjkKA)yipRYI9sH_#TJ=67z z{;{@i)5sC`YB><`vcg37q!0Xy(B&)NwerO3Ouf?XPfqYY*rHYhY)Q}Ckxn69LQ3}s z<1J=RADrRb=MIHnS)miufPGswpCE_@-(eTvNg4mlg<^0LJ^o6$7)b*kLMv8xtq4NF zIh%a;MPy50Ut#6bulhC45RI*xc)*xk)BDIud&8L9fbERtfi{T+(aFUo^WKj+MOF2B zmgHVWHLYLdUv+@E?P&GP41b-qqRUhBIhtd_Q(QM$oO{3#q8%?g(aM4D%CGcvcy@?-dNes6<{|{ zp^1u5t=jQzw4VH1yFF!5fy{loFh1{oSl&@ecN=gnD&ZT))5Gp`E;lthwf=HAL%kVm z^t|rg)GmV}93MhKgCMu{s-Ut*o=GmLR*atLkk^oYL)zVusvC0@GEYIxXH$3~nhCjD 
z>VBJ6gCZ;+C&SQ6qm10j@eOiE#75WG3>%?ht&23*PgKFGTl_Y>m$?S^(}o{Ib;gX| zw!WJ`#5f>C*!s%bKHMW#*q)pXubQulh1X-bA!xV;13FsvG}@!G&Yv2qur^dLpM0g@ zCc{dX*|J7R!cnI#{tv>r5li#X`%tWy8s07OV?-YOtGk(Hs`AGS_znAf%W@h=h{w*k zh^lq5^FAJwmmBaOAL5Hq(jdrvMr6-ck3FR212{Pc1I-fsapvHJ#=2;?5JOWr&<6bw z5o1m9oH|(Lww!q0225419m(5?WPDA|%o#n{kb1+EPusvucdE)^ayUoYYNhgSuey0P z$5t<2XU|CRq(!no+^`{RE5>voyAYwT*iqr-NP9phj%N4n61REp#mV!LS6bfw=xD&gyUVA=dSVX- znjP(|p?uKyOA6tau7*AD#pQn2Czfj@UpERz@6ka#Ll5dFI?xr+1aV%xQZ8DyYZt1= z5}Oq))<<>iM@zpBkPFoDbST{@B_Dvc|2wW+4s-x8gf$y7E;2M)RA zgUBlyXd-9v9mPCT)A2q0rR!_2uD+KuE@b8B7)Mkiuzl@c?%<5Ace{GRo7q(ab$vFq z0j45c*HYFA!pic(ZDY?o-u7z=Mp27Yokr(G`+)@&4i;o%Ek}TKVsnbdTX3d0+Iuj> zcDqMcCt=)7wZU9hk;f&D8SN!a9<%yT!#`SUP{?GVoi{zDLKdHQQy(n(ZRkUbI&PI% z#pomh2L~lkh$K24pZ^W1l;gI*H1BFmzw*}>s-XDAH6TrQ^fVr}u5TgCMc#OfP!- z+4d${wE$!r*0~aJ48N^+Pq6l~wm}sl@ej^oYv&&n7Xa0>Uf{y6X;}^qy;p6ncm1>~ zDX;huVN1hwq1}hDMXO3V$z58Q3umk*t52`O>|P;wEGOho2|gAUMF9^fk%30TnEt&w z)JN%3nxG527WkD5$sfvIWZO-NFciXe1Cjt98({ZNe_6#>Goz1{pXd)ECYOf;e`7)( z;?rw^`O;zVX8R2dbMvZFHDJ)6FOU7^Zaka{PqU;8CQ8Yn&45JvGE-PIZ3rz7xno|6 zG0amZuNM2W!7)tzRO5MO@G*2fn-i{t_M_z=$4A+2v}g^-c2@{pZ(1-MMG04`7+xn& zso^D3+;NOeTuQIK^9gdHmZcyL0X^MP{Kgo$| z0`suBl~H)Mzm$PmIXqb*#hR9irUVS^q^%CoHWOw%2_WE6W^Q)QLKN98Gkt@_Jk!N5 zdWtE@hG0h5^l)=y_X9m5fd*5>PB{cDBz|19ZR^Iqhu8eDL^gnke7+`BEjK@^0%}zI zduF`+p|-t9Gk$LLcbks`o|vFzV{>alPD&C#>6`PlAS48KRR&HG>N^I$kz)W}L{1Y${91Xv(K{-Sv-ER+9K zmCc0*Zto+i5W@8mt~mfQetz9;fk zM%lzihC@|n*1|gUKG6#z-D3`$ry4?$-RGy?lcnlV^WfPbS36}?9{2NU$7%$m3(%sG zfoO(ZL%6-Kt=5OzZ`|h?+6?{DbnnFhw@u}=K|TVQ1x4~X%QwuDye-$7ZlUj=H|z-^ zcm}|Lgj@L^xmpf1$Xe2EK%Vu9`*(V%AV$I9nx5pz;#6R_8Z&z{wGyXFvA8L;lI9U6 zJTT^que-zhTU;tW$9(6*OCEjZ%HYI@!5h>=iRB3*FVsJ0;p|kuw#5G8PKPmZ$w$N8 zoI&OJxt^51>4g=GI#9M@q9%S`Lr`WLSe3Mw5~hy!LGTX1=l!{_ z`~6T&?9D2v0GGpv63RBm3HR9N^+sty`=hFPK!yY_djBEyhr$zG#S>p zR+m(|-H6=Fn{i*WxL5!%U&{YG`Vx*Iefff*-H0yz(`b=}bFw>An&*8HO_R+%BHUcX z6-l%E+DdafEGrS;m_pBIt?DW&qFP9cF>&>(2{+3I@e7C=3(^pZgigO+OUI@4s_Bok z9nxE8)enA_(+4sFXvC4@iEuNRx@g}~7|HcFqtYqfGVJ=oHOXPWWK8~M!vE+^(&wMC 
zuEtoXd=N}~}N0So}Z(Ck_Ej~{0;s2W$r2>mISz`t8J`L<(J%j?KkVEnrz!ENxn zQJF%Wqt2)__LCC4Z(>!cHmCKrUfag5#_4-ag|Q0FJ-l0JaWm3}p*{0wj|(>!yml>u z&Iv4Xta^*vfE*-ujN5;7WiJS7mZ=OjopTH+{Qv05 zH+Z<9WLWTq2C0l#;-Hw@z~ft|fV|&NBwS9u4`&(!c+JmPhJpf6JV3CoiwL+tA<*l; z=k6@{ZYwhLs-F};B8CUTRdK_0V+IJm9-x?B{!|>7>(F9GSc*0&AylwN`SY}B2fZO1 zCg;^Z5&u7>Bb#|f809+lT05WP9}D%60AmIhP^!6$0&FfLl65d+teuy5FzIJ)iqE;vNZ`MXs*P4&Fqzi`LBw6-%M(8Gu#Drb(NBY~k(Q?d{{q zcCSxYXP-+`CF>Q><`IXEZ1^hY=S|k6-{9alFpuiWdwjmdkU?}+?D$Vlw_85Z9Yb`L zLshKqU|c37*492$Z*)K#z{%nQBxQeTxUW5^9wcyFW}Sl%dr+T1Y9-lSd0U$m3nFiP zD;54ggybPNvw7*o#;Ar&@Jn>ECX9b5*zH_G?m9A?K@>gBh~0m*zuRh4+@hx>k$jcG zb^%WpCtNC@yz|H@SKEM6^I~s?HncGBYImh&^p=x9u_meZ7DMEW(8P#vpyzq$M@$e` z48e3ob{B)ZH>}wN@+KT!9kK3(WJh}A*6pr8Ut3=xJqB{bQ7wbm|A_|oF;NP!Y*W!A zLT89uZL9_y9iA+8#|+N%+oZ z9gc=VOYow1mZnwC zCH^Y;k!-amAyNnpN`QH8fZVx(<`mz}jsAp2ffs}rT^T`-n?X{ z0)sxCrKJDYLfJ_|Z+XO`5Y>_Y<f=A{bhl6Dl6^75W6?a3B8~kK zgP^#OApl2~T1Wms!|>C_(0TQUM&rgDi{RxM!zgu1h6Hx*-JE;>@=tbnB(_sv`j3;| zs)Ds*^T+#!d=NMXLcG(27E@w6um5ssbA|N;MTMtm!QP1PaH)ZI;Bw_);jSiD+QZuy z{~0d@oJxCfk2A*;WWr6P-uRXBB=8Ji7{_8ea*6SAPnz&jszUPkX3~0hT}BiKypp(h zlUPQ^mA!k{OK=>774k^M|MvEmZiEAYg}!4|WpwoQ=ni`$MJR7u7Q{^Wnv|*?W7tR7 zf1GT=wz?G%`Y?*4b$-y%jRM7uzEJl&0P34nW2$uXtOx3ioxKu6WH47U+u)3 za6h;t`59;r+Ic1_GnvMd9oA{);%_((2k-RK9$(qqne@&-pZ}ICl`4HPPTEQrie6pwZ9HeJ0L*iFw_`Bub?*8p8<4R!Rh< z=IuRkFd(TCn+>OqTn!0Fye$gLsM2W76c2pHpW;r)djy+)fb&AaN`6$~E3l@~uXd@; z7xac_Yx6#O`=N_r)4t@(F@%r`VqW9d?z}QI;sd4QbG(1$Vp{lr1I>Q?T0;Pu0z`ZQ z&DsX1!Xc3!KZ?YmWejEM6aM+>2GejwqfkeVuV76GTmc*9Wd6V$q*Dj7Roz#U)aa}X z_EsCl!h3=;{I%=oHCJK9ol8k-u(y+I5!`1_UhV6D4Ghp-*wL`Bnl*m3u9!C#OaobH znRnbMKO{_!8M;@IFQn&nzMS@*B*cl-Jo)2ek@BgyV3}+laAn$jH2Wn9jmQyXcKbS3 z2(6W;y5KIuKK2=B0p0*O+^FT|wJgY~!z<=wK2#BW)%G~-bM!od+kG|2SiKTu>m5X$iGZJP z=P!?U;E!>RdYV6BIEOB>8y5Ng(|qM4RT0)|5^Itw@KWQ4t-3Ecldge9PDZ=9j9clq zVLk3=hzTaOsCp#K=A*nkfguqE= zGVD3KIXf;Tr5OSY*R1Z9#saK`Qyr^Z3QA(?m&fkDh(|gmv%L&EG-{YzME_akFy4T4 zKa$OupPg1-|BL+Mb!+Uk92*vvM?NC9!A0dj(tcq}FOv*67e2D%RmQMspLQ9^Oi?9K5E3Jcd(qdx{YO_hAfO 
zo)I~u?0NjF8@ko3it!4Kwm0^M>ja9L1?$LSnXhShhZQw%-fiX|w{aOjq8z6%sKTCP^Sz)-BD9x! z`d6er>+N?+nu4+E>9m^Z98B4fJQNNr*Dr1qR=6aTNZzc9_?EUygDU*OvP%P-7L1>> z$&v7mY_5n9tF0H2?qyg{AfYNb*9`*%&#ZhA=k(?E)OK-|x9`qXO`Qn9iM)9Rw{@K+ zpf;-~j{clwILjKDg%VVK8%ZmyH9^f8e~0Ibz-dnwItV_S=mVlZ`*azQ7|^Q9BktO^JhfIB@>HBje3(q>YI?~XqQNabHv)< zxxldAzL4?AipZlyuk$R8DHVS{6{y;yEjyceUSq+v*imp-P}OV!gM&etDFdg&z5||_ zSZ3?#Dv#NL=&t~g(vXcN0w*Rszc~rg-G;Nqzmq3%0aHJ0o|8b3oa%^QE17N=ZQ5oJ zFZo$v$_v3`nQKMuSLKU7+VN$R=_6@8Txj)fv7SozB}fj07Te}ESyi6`8`KaKjz&Bv z`c-D@Y5H^_9Nf2ijn`qzOdxgyYHT@CXO{HICG?jH0l%yu%FN8u!%J6s!pj$r=p>Xb z_p^E-579Psgr?!%m zKSoP>yA(kNRfW#gbe-c0VL3ysQ?_bN3T_UBw+^Xd>-)AROPA?u!hVO+Q99N#?utca zk4@thu!tGLvmyf!wmRrEAe6QaLVufdMGOz5Bj5!+ycdA98dC2BKo6v?MJi{W7<6FK zy+U<&GmM3Pau~&q`P$D1^KL$lRuLJ_<{MDsfDfZIR@OjK^~=2^=Bte>+?9t5FSaNDh4uDxz@G8`3x+7o5UBB6JwmP2(*w!k za<>ruj#9hyW^lbD(R$wi#7M_E(G4hbmfeQvs|M_sh47J9d|=n>{od*oar-I~{#Ix$ zi*}TMz#6?;Z|2wlb&C}pRlh}?R%?%?A(29KW+S*Y;S9|;)v7dmDi z(wLg9Q&8=Wpm%)^N#tUT5iX&M)NaQH+kx?can)a&01V!#$`*7@>xgpPY_Kx6Gw7pQ z)o7i0aE$0FUE)p?8H^5;I6|im@c+)WF8((Rm9s&AVMqTQ*2&ZS-08V1J=-au^11km z6_e_4jvWFA8#5OyaR>L2rqlSVqUHh>YhP2(7LO=%h#XFJs7g8{3ubyIyT(VB3?n#a zdLoI>mYtQQ76a+(ga94_?nqj$oT+0nf6HJw;9Tb}5BiDOJId}to_-2-m}i)n-0as$ z1W%>jehVQLTGm;9t&BMqC7%lFiQj|)z85cV1#WSh`G6Sv2x9ad4L!;GRv)rL(v)vt zG=<8)?-0ZD0DQ-RyL~}Z?{pu!tt(aO>{oe?i%!^m@K8C{q`eZ+U7DL>L^f>C_hHB? 
z+!o?(!Z#ejTTad)Q{61SNPAjb9OQFUu065;uBQIH~D!C#IiG5J-e`$ z#*>NDLk)O%c<^$jZ+VoBgH8~hpxp_@J|FR>IktQo1|Qi1{YmWFyn&|g@;Wr0JSZOA zFLf2acIkbYcL@%}#LzOI!hf8SIFok3pNmO%r(Ly{HTM$HQA1-B`AU~63yF#PlKyaS zXH?YH51V}_y+jqHAfn_FX*Txd0`rldXT+RIp?Ma3P*(@a+bO{ild&3)yfWnxcNZ!qQPLUSxJh{9^0VJo zgCjGINhIXZ%tl-gh$KWNZ6ThlU*5A-2>4XhsO6G2KUpk!*n={5@<{M`L z@A}sYC>wTnR%l3q(-xhPJMfOM2+m|Ufaq^r6&zo%(%nFGu(${q(b02HD#JRD_e(Dn z4lOr9V&momad{OB>TsK%TtUwtIf!Re^6YU#G>iRs!GLqn+n5H+`eL%b{^|Y#>UcbX zXoaQ$wc0UW6`EuT&1<^QIrtqNK)iCvus+&{r&60yyr#zcPTDvdkmaJpSL zk$(b(7gvI!n3r&C1wICa2YLZ4!j;$2^XO^K4X07Iy%^UjXd9|9HkbQ+D^p~f%l|!Q zjcu%amWtl`p0ccHFosWCt{eR`!w(OLjMn#bf!Ozd=B(|TD(kC31)Wwvpg>xTeiruK z6mW%NAh-N2c-B>k*sB2x$B$!pm-wghMX1NvgBs&(Fn6Wm3c(ee3)bz-lbN z2@fYzKjaW&jXNygmI&yyayTlXcCD$Or1T<8QvS~C{(W4EG09wr{B8%iaF^qCt@Vto zqd(=&S5rv-th=4=8ez0g>~#zx4>&Oi+9Kuo7cJ%3Sviy%KSg;8e$&)(=i+G+LGU>( zltdbzCj4uBu9^Fb(7D5@TzA)`0-hbUhqzqFN2`2>7`K!WxRYCNDao{h%bd-*peF(H zA_ZUV^@zgK2#WGq{Nb0eirrG`yjuBKpu#9EMMMgIACMAH*zpu2Cfc-}xcqu2paZv= z^oa7$^jUnq#p~^sU%K(Bz+lEo&9&QquEIVj@=20wd1{}3qrOJzq8@(S3-y+bsd!Dl zTZ*wUG3PW1*fNx_nNW@jm0jWk!_4p1jSDF}(p5;L_9dA?6sEXCXKSR00QCIWP~=Rs za_f0DSsa@b2gH=D{g*s9vt7j_@{cP)z_BS4V1Xrao(ZJUBou~ulXtnRpP!T5U5h)R*Z)Njntz=8)oXPbqPn;eG`!tsL7 z_|F~{H0r@&W#oh1Bt;iseOI*tJ7#?0rRiFUOMiFw5KTxNP+XMZrG=A`OKKti#=ws) z>l|!Xa>j~f_7#_7^78dHF!C`dLh4t#q=SkGx*lmpoL)l4YY~&j_L6H=h|K7H;uTu^ zU0m<%c@&KlEe7@JH$wQAE3)eAd4F?zb(60fqzk>jvQ}H#mJiM2z*rOm!P3zp?zoiB zwxmXiLD%TG97^!fuw=w$3!aMyE6BO?-41Q`7XtSLVYislLod1-2Zm|cpp#-1A$H}P zx47J+W&uCF=H8=Xcd~f^32l1uM99oHYjN zI`%{RqTy~fHPxzHQ#viwSron%B1!FU7)^;ZSghc1LJDInxr>MR+^ClVMIb%+I*7l8 zBmL0uT@Vm&pxY-SS#J`GGjm_qr5W!?^Y>glYvI#lDy9)b`Q;12F5TcxBs?-9MNex& z6T3{sfvtv87lH%MS%%da_(VKcEQ4kneyR4A_$!@8nu?>f2z+85#FoDtRzmyG@cD!7 z5>!@ARL^)N?>oz+;m8-^UA@hYit4u4A!@G#jcp!VfOuq@YQTl+`iYK$cDwYpOhA(Q z^)KQ6iUAnmkTlA=L3zTEiziPPgQ&!Q7W|iNk&Ak3kJXU6f^^Of4RI+DPncRA# zOkPIc4sh$roKNCI*sM>Yi0q0|W$3Yw-owj`r4v5ST?0M|VSmvmAPjG5*SteZ-~)o>z2RUB2p@ydZ&|Hk^8 z;=SBiM9JwH{fW%5)Xn$9%wP*oISX91sakgd*FY2AlCza2;FQw$tbM19!($%!j~edq 
z*|ApUbhQm_*BeI)*iy$cto6WqK70!)q*#0{a=C9Oa^g8W|LKS@;Jg#Iy3Q>|_NAP9 z&fT=FExDurB>}9<6~xjwQMo*}>dt5Y!g2Xjem&3tWlo{kq&|B)TgS5f$}+hwY_89E zIsaT=wymZ7iG+XZQZ(dJr7#H}m*;CAy62RumRm!8tg~{JFabfP)_Tk6nX?5D&N745 zIC*oJGnb<`E^veiuZ~7919ex#AL}@NXXR!-ouoqIc&|JO7OC2q4R69=C=2^eTH3UU ze@m_yGIAV(5mGXOlsLo79ml|q{AOWsY9BIhT&bg6uUrl*u zVz)oG13_=m%~pTZe1di%Fdfy_ou2o4X^HGXTQEZX@b@xjPN`YfrgVN^fNltEr=;+o z=ecdjcX!Z9sY&isKnQlE4qyW_p}d5GvMv9~&B7__@my!LK-}pXtr_w+NC(E)x9#i% zDchvj?Os5ag&!XMr6~x87U<)QT|mHQ=)04ya9V+K7@cUsAv}*7%+Ym0ndx=RG%RoB zU+`V>xVng&V^Lk}(}V9>rB54ms4Dl|mF4f&1;Hmim@c8!_r)1Zx@2GO`+;JoC>7TB znho7=fG@hzhzxsF{+zx~@ey$`6}0c?zGQ^MipeFj?}`k#Iv;U>)QMh;J}s^w#H@)D z1a#U@p>5x)F)|+KY;qoH399~NKb21tqOP4ZE>abtx$ZhfK3~AVAFr4Ls~UioTiHRp z3|+R-U}j z<2kAZ6ln0(zvsr3h}v^vveHp><&%4S-bG$6nQ1KZFErT7q;qi6<7!{oVuNlCBNx<+ z2K}pqi2`;EH8MRuF7-LEOsspEBSK3N$uZ{Wv|rT=z7zm)>C!NEzsBjygkKxL#JRbF zq8xiLJ*E8gk3wejO?66+*xcq67uT+&?}!g4 z1StK&7A-ODFdT*DRXajU$=Zs7M7slLXk{WuG2Djc-FY!7?lD;vj!WEsRrX?55O53kimq$ zET>pAb~B`$oMR^Z-laWhJ!_}XV-CtX(UDJ_^r@STpo*|q<=?yz70D>!_HkIvg^^pL z_nOt0Q3X4!p-F8@hSo<@)Hop_{nUOyjY#dHI9Yj($fb1= zgQdJExROmithI*6A(Vv`{aMg7Z@W8#R-Fi5{7Ej`K$JA(xYc%rY1-=Q+sgH2kVJO1-pV>!pTMRZ zRHF+*=}mg4kwM1-*M5}%k9lejbew9QN4pK!48zjD*P?H`?mUIipTj1UQusQ5s{H zoF|Y*!kyjvxzMaxfN;WX1Wk|_{nm&tD}A~i+p61c#hg*ME0JXpFPzwYcK2CL&Nc7n z-7B%|2Rr#KcV$l20nWGSS@#^UvwMt@jH-N2hBhQVHoxd1x#%+hfr$UjWDf!8nzQN* zVx?`fMEL>eL7P{vsF7B_6y2=N`A_3C+}!n(;mfQ!t%JICY8DKk9>%O={v~r1%AB)2 zb{9l?|6T|~i9}?_N`wrk_MncTfqYjZqrcx*NZ!baj@3ouVSKX)z*^6D9g*0{Xf5Oq zc;P&20Yy?zXfweH8Sw(^LuRf(U391XS<4OdXvS)qg zlEFU>A^puwHqJ*lK7AZ%%xtZ|tL`2@5k-{>x0?XuFCx7N#>cM^+}_3h$$vEZ2*zve znghe{=-DaX)d;qeoA$|X*eAYtxRCd*<)J(B;6ydQD7PUS6M@rNJRsoLO-q#9Zw_==Cj!iY-Zi`sZTiJ@CL*ERs_GN zK4Mf@{<>F*&)Azw7}sX-t?yjxSTeZdf2}Ts~osyEt7!d=(DaK zD02IQTGHC`YYghRv6t*5JuP#}b;l-4dtUF39&qxw)j%p?Tc3wPbjaz4*O0tZy?(K7 zwl$T2^^XuTipOuirg}8@w8{09;x0##cZD8xJv}GOz#f|6y@JxjTGv~xd}-Cx7~2FJ z*er#vzeJPjXY)=fWu^2$)=W(-X^riXyjGZKi;t|MW=r6stiMPi+;_a-1C7oiN-%_) zV?xw7za`EaDwk 
z6|4g3Lf)gcjEyq+#kPi;TSVjy3a)P)Y!l3EA-HJ>Qj$IDOaQoNIm4+cP;x%FDy+(b z>)EdL9b2DT#no=zqY!RQo02}!w-F1XO>Ca@`Y!=at|phCfu^O}Z~Ba%P=uK(4l+xN z=P=f=S5pr7V$$-BJ$7Z~j@bx%rRE4J-cs9kSvsGV@t$i4G*0391BU9dLM2%pu(mhBy2Hb^oVks8K*5-vMpN$8%6oeN4 za_7);9MC)0K-|FCg#x`@uKO#mI;8VTnK^`(y_53as4=lCJpjeZEW1{kSsZgJ(bapL z1!%6Rdh3Y9JANe#5=K6IA~pNnIMzBw(Lf;8=RK4o2oli^_$McGIJwIl)sE=7b=bB3 zm@Xb8Un>xq{Hp>6O+vk`SuSP~T6wmUq@i>zZNZD?fMkv=4TH#cu~6O+gkSaw3e-zC zVZkX!0x3e=zq0}!bJz#golb@Lyd;$Fa(g(F(>_;z0ZVl8{Fam~*yxMyIu1AW{$0Vv z&4`FRN7rQq`E|wl8ntQI7=UP7A8^)kNt;tWO070uiiGHJz@)JX1=2x1^oAT-$3~C$ zq;$nSkISm@7>;h3zR7XJJKfe{q$jqml+p`Lnqd5Dgi_o^mfJnz^9Y#}cqa_4Hua)xUR> zW$@@P^H6{rxsk*ehziN#y>fbadFbV0-_D+vm5Q&k4@HB9!b2fcm2wA?9Z2%0UJ3GO zz-e=`sMA$?0a^j19quiBtsdzMEmvrLqlUNrWE{1u9(~4-KU|3i6oLeh5vY&4dG)%N z-5~T&_^$?ZnFp%1Zx~|&wl|1JVLe4z{cre~1d28I$s~0XG*`On^EqgFZeVoPla8_Z z;4n7(qo#@)@uZ|1{f1rPuhbSx1rp-y&Ux(wN|N2vEMwB7J%U_v2M|c;f+o4GNk9N0 z3H#4@J>m(32ts~#AZS?59Z?(1AMVPSJTWm^qPBbpv%&I$?$7R94T~WjQT-K75}nW$DoC>YoyZzk1xG5CIfWK~tYnd$ zPKHX~YEled<-#o1x&v1`rnEV4bRuKl2o#H9C5&K>J(+8*{W$~Y5n>30>QopG|}T zj~mLxw?Lx_O*<%8C$%#n_EjKU7o#wn(i!AXb%JupfQ?~hP)C>|$hQ;Jy0IPvK!>+- zjss(1wL0XUuv8|K4O<%lg$DcA3KR(!SL9SwAUyOT`9&ert(;m9xKN1oV;|O6dfo__ zIw$wSXM#d2`PO8Hr1>{;cH^$APcF0h@Re1)L0~P~RzsF*nuP=`$^Af)sOa!Ii3rMp zuYh4|FN0ud@VL*i@}L?Sqdo?x0=riqLN*@Ld@;xq1E`1g2{e-r#)BC`zglwi=8~Wy zYz@@e={bCvyK=!_*|H|~iP*su%K+pT9u~BH@so&VwQneqY!|dxd?NX$0GLAvwEj%+ zCsb*8M`ri{>*6P+*gf2`ssIcy~$Hyx|+lVo*{Q?3*YCLa=zwau<@Ve9eNlA)1In zQlingfDo!1eWc}BJpr*xHwvCE`l{k|ViD!bHrRHn!tDs4&CCk@i@0c^fsQpdQ!EtD zr|`E(e)bbNZ^0rj+?Ak`~o;;#0J<%PVjuq_%=rKqk|} zs_~u7MOzzb|9i0QU9Wq7z>G4yWd##@E>*YHQwq(FiXlzHfyZyLFbg0anqkp?cj_#l zAb39w6OVHp)lQVX`AbS}?iFTsN_$w!JTkfKV~|WJk3Taeg2vPQWKLPoT|I5j_wyo8r`eBUF~KKl7bH-&3nsC%?vfTiRZrZ#7PpaG@0Bj>B;Ho zW5o;={DcUSjqk(DFJJnwm1r3}GaanKz?%}CgC3jor%73qC?#zh=E5;WjrL4}i9{Y8 zhf7Y0K>A-9NbD1xCSk#VnDy?nLkubXSzaU0kh2nc1mre!7NXUD2&b}*7)4k&ol$~etjXBaE^0~x1fZg z)5+*0N2*S6FB5!RiS+c-BIn(H!JuR|HkYfQgjJ(!GX!isO-u(ecZI4CIrG?HgR-}c 
zn0ahBIemcBK%sD3o~g08^Y5V`d;X4x{Mss(J?8}=QLrAgd%Sq54yJ8*rxQ$-UczkplHN(!mPbO zjp)Y$#N{qluo^qSqlotJFy&>q5WWbh6^Zhw9nmO%_QgCYIb*w_XWs980~RlpzsIwM zuHn(hD}d|Rk+sbnGh<@M%*+&H%xuTZ z%G$4!yZiRm`%l$KHB+a*8cE%)?omrENl5(YEF@ud+b{M| zr)d>e4vUXZY%e6y$WkUT$@k~--b4ZzgzP5%xwc0w#l2UpiZdgvC;m+$eb z%U0R|ml2#d6&Mx>m(K1-Zbq?H8MYJ>CERdM@>TmswOZW>K)ZSBNK zmli6QOZmBKHyaP&SJJwunU^mL&6@&?rp=XFZoJ?3ncvzQPFB|S?k-DVpBb|x)Y;4c z&JPwuFkYoLLDQ<7JEOmNpY2P;V{~u8jmb7ZY^ae}xYjZl zP@{jjANL0-l&QVixi7`U40T&MyKtmsg@6BA6I~z0eqTn`!l`qP4o(fn&{wB#6RZCL z)Bu=Kaa`LPo|9$HUusvMY*5yx+YYS84$an`;5Nmn!BU&!&XZ_Rhj8TCY#ma z3pz}5cHt7hlt7Wv926qKq3v7#x_Pjuh7r~B(eOQn)^3NQQ0Tr{`p?xEVi%P4-GL|q z%5xa#mv#d1_)TkMwX@6n+}B94P&I-i)o^sQ)w6mJLe0XHpg3I1mxy#7E$5xwazXHq z1g5~sV{1#D9g%b}J2UiHNW6yMohTIYwdqGw2}Os}0Tn;cHQ3rDoaq*e0Q8Q2CDo78 zm-iwB<-0=e$Sb%fM)8<->er_SOj;xAZ!xOVN$qy~6KTX0v@2U{GLSp47GPf^`wtkJ zxANZZaOD#-RC|Iq*+sC(O|VeH9=0x7G`KxP5b+XKe71gOV3L<|J(!F~kqP4=+_vdJ zgD7t9+A!!zH{-09+>Y;5K=~1d&k=wF7F&aw^pqdkS@j~_fZK4my!uvZYZ#h?xrq{RH=Zdn4+JavM4N)x?xM> z(!I&q_awawpMvlPc3F|&cHBXdW>K=iV3U4l zTp=KY1}l(?vpoJ)syZ=`H6x?zLfs=oKKMd@W7^U^aiWK&=c9GHx%`#LGl+nrl=2Te zQ8$0o^m)g(qR%LjnB~1+_RueLqa(>auP*+fpJN2B-mIU9p=u1+u8zO`*JWR3v|}muG^@YS4aB z`jY9wXQTN|H6()BTTNL#l`DlIuQGq6!!uK^KNEz_7G+vl7Bw3Cq$OD$?F78>cooF1G6? 
zDMRMS+eg0L%VDU;n8l=Or1s5vCBnSiwE1$muHIh_nn@`hRv9sUKxy(k*UjyWz+m8Z zMkGw%_n|p4Y281!6BY~CY(wePOKi{Q22KexKyu8FGur*CugEm$MdgysOprhhPE?vX#8^$nO0$ zzyG}cqWv@v_Bv0ezM*Nm+CMB3KrM4X@;DIQr}pb{H|D`Bw!g7~w{wYPdwyn8I>0*L z@mp{elB2x&bL2(|22J&P0ikpOU;?U(8Ydlm^NxK7g1&m)uVkyXbBST3D&K>p{kYJ+ zIpa?_CvI?P4iuzcQq&U&AJHn*h0p#Gc!m+2#>3VO!HxY_W59cz)`3|9op4*|8(2{z z`dp=SmM+FaKydDbH15U;FCJC_m{2@e?U1$DOgAE7exa6O8O64_qInSUF$XMu>@B{Y z6*992)(lspMxuHp{Y)FP+4k4UZd2k#v8V;y(;+ya#HTl0Aq^_sUs5K3@85(H2-kk# zbVJaBN?9!?hzaiuec3AhvfFJDbj*PEl#@RNJ_N=Ky@=X=3n?)u@~mb)Gt)3RaTk3K z@J{j58mb+|#kwa1Rf9i6>1$n)pBYegym)9p5xhEENV&|VbnG;Wo1_&CJ$J9xvq1lh z?FI9>qQR8`@RI?g%&-)HQ(4d4N^Ro^)qWLzxlYIueqeko;6gjY2J#A`T;zh#yQXZB zE+%aHt53P{TLW&*Cw6DGkw|RxOX-Y`W`kV6ugd%HAE^`V?Brsi8u zc}rD$d~@Qf_z}wIK~q80%{1zkQLQbfyFQ?jK!mfn=%JbXCD7z3P??={Kdm)}^Yi#{ zx&yu_BeYrE+oWj~+13*B`5z82{%C8~KVf~5zUAQO;+Dy{l6p|*lfRt#8*9RRF4rzj z=;@~aBv`k*<&cBv=vv2<-sg6e7raAh6mPI7CBovZU_Py9nMhSH6s#xD&L;Vt0r!|q zyJ3Fa!ZO;j9jFe`RB~kIX*0puSf8vA96G8uU+s4QN)k(0%sJ^E7K}C6kze@K-Yb&= zAf=}9C`wn_$L)hgPR<=VE9$mqEZw19}#L*OJ6w)D4Pf3Jb z`Rr#4TQHz;Z5th@^cmsbw`dOzXh701@Vz}2)#6Fdts++)(YM^_>w+j#&Bd|*RBz-i zQYnFvYil9R$A3TUa+%EHk7sRpwnjzJ-u#tF>dOaxl`Bru$5`_2!F zMVjMi3+69f%zU$1V=C(-gc2o^$YrUr%O5|f8mbi_Tn!=qLw25N2M+;dPRz?}YDkpG z6z+tsi`jlx4q+#9wAounssPna{aEzJgBl)o7upf+j=Q96phwbGO_7gc_M?Q(z6=q6 z(-N?D9Vr&|2w)gzLKZfUc=>K@ME}i^cH<~mDm1zs#ZW@??5klT%90j!fYHWl))^)b7Pg6HoF*qbgdHZpb z*`ggMrPHlg5C>r(IMw1dmp6xu#p;K=J0!({JS;e<3Ut-tqyO$!m ztnvxpG@_9bVjIq~kz#`m6Z+2s<559xn?hp?x@@UB8O0>B-{j>cV8FiT=e-L@&(M{Y zN+;H3+k3t4;%vOvP8UikNO;hFm)mnMSUYevVplifs$3ks!Xp>+Yjj`njq7+0uLC!J zED>E0(_zD@tb+r2HBN#l(0gs=5=3#9obEJ<5h6OWL8v=7_X!CF^-d6rQ_bN?RN$$Dtli*;@d*tLZ%ZyQ}miZKNq*+7cjIC?7jITVLVPrf>l;|K1VS+I{VBJC?Oq)u)3q` z6g_6|6hRV~W%_o4#_OklFAGZ0hWtCeo@ldP0fj4U09Lp(a|~yYXbS0fFTMCE)&(y2 z^B-$RIF-R+y|H3uTF4^5{k~RRuN5(E9!`CMHuz(#28AAAk>j?w1`X_kiUvMKU(z>< z@Q>Mn$y|cotIJiSaLV2Rd9WDQXk~qjfQFz*=ZA;5;MZ~ypy)YzsD0Gbr-2(Z2d5#t zr5H#UilBke!u)lD>j`9JTf%V3v6Wy&t~gz9$EtqH@EKTA3_76_h!Ps1s*qWAAgxkZ zb<`v5-kSH 
zjYabS7{r?El=SpXkvMtq2ckCN&(KGraC=gsh*f#ZI5JGvZIxayO20gNvDjOFdkgXD zXNn1O!Q%JCZjt!I=3`vlEuQUVmASsd1J*sR8eWM6t0qE&O$h_-$UC1`fxWN-qhZGX02LfVxOwtiTRiEj&d+YG| ze*p6K+(|4ds@@4tXQcRNh~osD!P(dV5Qc?=gww<^NLKQ{5V&>1kr%K9BVP`T{lO^! zO1qG=7NA(XgxC5hy*^Qd53aD3mLQ@)x6@i(;cBMhc+a#J>_(z*y!U!2$3Eiec1%i2 z`VA#1pYKOlQ+dO+W~#;B+wD&CAs{x@05Jedo&4~U8b}y9^<+w6V`?wO6)G?ryd<1V z+aG4^j|RVcsW1!Qo|)TIe$!Ma;*W1CHqx`fb_+B472v8X-;DKIbU2j-?dya@0OqR< zvQQLw)F#aUHw`x6TT)6!V;_)p?%CP+T;KP+H#lbBv=%k}*09XJ}nI5-r!Lc24-FD!ghF7ppMAzDDU4H)&S_X3;|x0^I9t#v=G&lw~y` z7V{Efh2xS}r4X`ys!JWmCsAaChcXV6X-YFtdD=e!EARJx^2`O;F!ylsi8eHW@14^$ zsU9^_PS>SIC9#!N{B;xW3{N+M-skJL!NUtW-pNA}51a^~$;HE(Qa<2h{4c&y{Xsn~ zPKm9lCB_x}(1p+0_YbBD*U*ee1{ja()$`c&jMo*YzI?q?-*-1ameumeE%TOnkd0Y* zYbq2P_zvX|5_L~7ZiEQJAqWDFIm@e4zWWmg$ivpH50S)Qjzf%%BU9gu^>2N2NMM`? zzPV>ytpY*#=lJu z=~KTW>@Dz-4tD_Ny#BnDblRCS%=e^7)~)SVpE+2H=B+X9ApM0*x)mK^6;(14 z1zx1Dbc^L0yx<@iVAR#eD-WI~CZZXO8oOaI$W0g8qodhvQFUzON>&53?crKn-0_%C zCx2Y=$*4R&`z+Bcs7o22*YoVC;c=Ci!E~n_6bY`kunWaL!q7%;wy&ESQ)yCdOc()Jl%oNUuM0Dd4H} zz=euv+^(n%KMj|RgR77L+J^NHDPkepf14UX(AC^7PTj9p=O$M{R45U~Pzp(Scy{Vp z*7QdGKYrnrupJa|oT62K|1CI!5MO5F#bx z<=dKHGegN40za`|-oCuBA_3N?J9MgPFRDpBf;t&#Go}v}1NELM2J|>pvNqM=J|go< z)JBgt^9q>75b-=;fP9^Q-5mlI57j*Vg--RWv5<#ncn0hZuVK}ns|AX2Gye~HS4Vi+ zR)Y#D_Be4JA)F5}mSbJthBh_fKyMjLe%-sYP=xHeV{76qN*v{G9q1qQDSJ2G;RcK%wBd_@nOvBOwb{sGFLI z51^e@U{1JfZR*_sa0Qh^(O7@U9$}G?t#< zLh>5w!Lp0s&+ljrn;UOFhf|qvxpQ!YJhV}Fr(^l~-WU?P2#LmER}vDWWE?UM8PaKQ ze7-ixy3Qkcg>ieqKgNIE9Kxg_(ixg%JY#rHh@vI&g)sj7{)c~fc~a3Gx2u8f#Wykq z_QNI?iOj>bi_OWt?jsQ>Au(#6^&*5m#qTxcaa^hMG5kKxr`L5PM!q$dDrW&e zrdp0Q>V4C?I70v@0haIqMCCkNXzTV6cO5O8c&VLNT8I|i?G|;T<9DcR9Vp?yubn2% zT+~j@7U|4O&}?a36;@}EQK72l#&OlF%HQII-#uyst{!28s<>GMvCNu2E#Nu;!tyun zuJ-lkKVVgF2?W*{wlPR=$t7 zGyCDrxJ$Nd$8L^(rixfd;-dmPjfmsA#S2dSsq1tKU0>aY;`84 zk>5I){jSH|!mg`%(cT2a{SnUSYq%Eb>f3|~-I5nqWR|N7x zH%hAzQ=h* z^N5k{=jpx$gl7rdc;TeYpKF9Z^7+FSr<+!=fs7j7di2zk+8#rRl1Gt^dz5{MVyTYR zWIXI|_dboy9R=e#J3Bax(^>PaS0mNZADlk#SULlqj_yxq<_Z}u#!S`6S~43&L1@^j 
z6DF`&Woyg#hL8d?f(KB*s0Ve~y!fN5lg2vuP#~k@2HgwB%od;@`Nw3&OoO0xX!m@B z&%C{>^Zgicc;B>Mw=Rfo@9?mL&`hMrvS zGdC8Q3>8)3WYM;jDBAOA9oq}ljjPfEtMvR7CP?r_J3cdLZ&XROBzg2%nO(DM&p|Tu zPgE=6ZAN&ZzV72rc%xo|`?exc2Ok-*8+o9k$@k5Px-9K#TgLJC`!?C%jC;%g@HMea z%YFsV17kI9zuW>TPcdnwJM|;WFaQW(vNDvRtTt|Zo6cosa(bW)qpftPj;mZ(sRaSr z=&n#vIGoyPHgq$mIs_Qbir;E3+p4C%CxH*QjMPbRVW(-w**>MtnKm zh6ZxT>O)kUw%H+HcWFcJ^23cKX%P*-t{v$k=@t?;?9GJjr^QcMI=k7qJ7M-gOQRsk zQ@Tb_wOkG!9TGFwmBS-_@s#ss2orU9>ZK(3CHsZvc~p<|gI;ZXi*eyv%o{S?v%kYH zvS~U+9170T=Kai4^X;(RIC~z|c=FZd<8DqlPeILbajj$AU_kHebi8Hd$_!y(X^=j1 zqJoZo@oW&-c)ER4h;({x?mT>{`2uiue|fsTW*gPTS9Ji`+`K;R@aMu;#j0K*DWYLo zbishX_Kx+R9^W5>f9@H74b)2WZT5J%dQS6f>VVq5-n%}&y=FpwERq)mf^;s!zdj%L z4$2lLHlCipocrQ|)!xGUh2Xfa-N5s~IipZcWGoi}`$rWLxxaWlS* z1Ag~rqtX!){hukvY$T+WJJnnZTTgr3atxcfL$ylhc!K^$lgtS|ua@VY@rjFy+eITH zzH#Hz*PH$^%CbdO9qWo)3TyTiorp@CJs4=L{yPhb9aYj$*4p!(Lxeu~XfpZRw^2J|kvsj@N&8XNy##VoKh zvv9%jym+(MvCd_?3L6@}CHb5YR3c9?Fru^-xEEYTagq{0j*z; zW~i9CKbh&b*x4PvT#WZ+F5sshnk9r0uY<%cXQ}-T+fPmt#wK_5Ng^n+Ze;ZLk;2-R4j4J3jwS%Q=Dme)od`MrG z$n!zXv7rpkwv>^-lnx_3`ms<_{%e5_p&U{98e6ngMwy+i=ce>z#e#?Nnsr3Yx`3Qz z#QI7w-GU?`bzEoJ0z0+|SdvldNUK@9s;RjRxBt0=CQYuWV^(jn9CXHGDU5zhhD3W| zkWRPk9M`krYgZ5w@pvw*5Onj5WEAOKbqs3hQY9Xg zsu(wvZhka&alKxSctisy0`?+Ysk2R8)Lr<@&52}Zy|f%nOQQmr{#ac%O1=oOR~3g* zH9uuW7LOy+3`65Mz}7ja8Ee;cda_-*T?i6Qp?Q(?LzXDqh2Z_Dy?PCM-xHVn$T&E8RX6<4OD!cMP{ot$aCbxV*WMuP+Gb_uVm(oJU>Y*5? 
zOt8rPbS2W)1~0NG*uC^~&29{=M59{c2YwZk>D)U|>grC&qkf$`g~Jt89lAxIauYA{ z+aHT}WLyV0xB+vQzg)SdQ{ff(krKoA2^C23vp{cBvYPHPRgCU1 zL)rjm8A9OBC4Orq(!Rz|8H$ zZu?uX@eP}f>G==3qPTMfE_o^uH}AlW^Wu?wR<95srs&X@KB?gyJH`8cl)UNrJR+;- zPEaGE(kLZs!6pN9nOxoO6_Sp51|Pg$dMj84h{tO_U?B=`Oq4Lb1i;oM9+p|G&JG7kJjueiz&vwH9 zu2%DD= YWpAE^$a*6z-=$PTL70zWN~VS9%bH}^tyzD%vSsA9UO0EU$DuycEFj>jPz!*Mb~d5J zL3sN*Cylgt|1Jn;e@yiwly;X<`RT<^547P}!Z?&K83<6_TXAX@& zrRsU+*|{n`II}depy>TKMPcuV%HAmOjW?zxeQCvNA;j%5hv?Zo$6*AfYF|x$V&Es# zGJ_3W*?Z30i)O453+p|WAP`gH_qEYC3{6v2E5|*`j`IfE{vTA6V=z>;{0m<0!}D%B zqt*wj<>D+d0UKVJ4scr9w|Nk|I$a@d)(&mt8I8=?+WW}CSsZT$R=UMj3`gz`lmLF7 zQe99_l{&CoQ3%QJ1yu%E-G_r>z(pr9cDDEKz4R2W+>mi9|7sCM)03G_Yc!?e4J`Xo zCFj0H53xL2d~{yAhRWR4t3#A_5uoZBcmsj&;j;aiR2sZiky+By^tZRDMR*>^V7F7Ji)AsQ&OI68noth~g>z6IBL|-R3dP5sBh%#U(+?%sSW0qi7Ze7vAa=`0W9P`N8-i ztX!+*qqF#PYym%J2(+-jfTZJY;nJK#g5xRv*&^bdezP=YVSFNoWw4{|QaV-CeMT+m zV#%f8-Ke~x@w(K!pq;-2a=gAvrw>q3%_tZyzO`;MdoA8_L?>ve+r}~*#Ut9PslNN| zeL4*XV&@`$5J$ASGX^rPcM{H!**}!aOmdH^`E!2x)uc{pVK6I`=!G3WrEF;{s^~}3 z-TD+oPoXaW{Tkeh%liq56*);LDhY#X$|Z`FP4=ZzNXsl||9pO;b6@sv3T(`!47kf` z`zki0<$b?NFe_s&*or#pwRtN(jR#sN7Te=rA3Fkd zpH4PX7Z095L6U`YCUs z->(3x+l^q6&UaB+xv7oXsRPErGLW@sv+9Iz6%2mF9|6IAALM_;STK2W+WL^e9ou12 zuh0pv#j5gr3Qw$%kZM+P{0YM{T6!Yw2? 
zrG*n~@8R#qgC-4{k2m!wJzG;}Tℑ8?Rc7>1!uobjhrS#<|qY3ypKu{y_6v7|brJuKDJyg-Ajm*1c;-$(#^Gg9}_K-&g zPfEhax9!F)mxtSaZr09C+&lvL$2tyWeLI66LECPvqVPcpXPNk(q=&b4T(#f1d0;&{ z-BUZ=HVCY^hLW^6;rI!>(CoXeH)kbuo%cH(pG=uq%2LXF>*Q$~N9Q^iRof+Yz%>1`3b1X*{@)Rww z8-L%6()C4HyQdOykv5oQ8Q9cts^+Bku+Fti{5(6%sC7|L$ywv-% z>exb!D5yhYAaaqbrEPA`8xi<0di?5V)?%nexP!|?qv5EU$;W<7FwP-LSY6T1Wg64S zCaj#eNz;V|+Za#)GwDM8nP5W0#+yhWrMHA$&!`3a6Yf&xbnP8BKfi>e*+*khDYQWJV;i zY=4IRdX^A7y85PLbZYj#c{BBg>=0_%oJExscd(xd!y*8BVT5Lnf~MO_-%7tpGp5d5 z5@CP*Pej5HQZiqwL;YY{E>#*Va+%Ym-zLm-lUIltDJFxg??TnP(VWad2zjVJm{0d2 zYx(BjD`C;v7FCRw$1Tj7uhjOa7}!2LQvfo-iikTkftr#?e#oG;Xz>@xIxXnpPP zm6`FRIafZdL!He}%Lwy4LoC%H$F#Wg0D)C>tl~WQCvfWyu_TpA(0rPNrkjnT`!_h< z&ONAwS%~?I+eHY4+SXN??imOk^0s&$tr*cA7h~*|r@McAGz=Fqxf=B*jvz5a{(Cx1 z3ndldmDJ{v(MMLz+|LVgzGArzdO@R)Ej|lm3vM`8?)tG5*y%f*$`lj};n-b%i zBuQ;jFOCa;1m4Ia6!bGBI1woDI?80}s0%hYG;I*zC{;;3tv77Mx35Kaovb*CmrIi~ z9d!JMJ z;pMN#9^opLE?vE2AQ<@v{+OEw5? zM+f@9DkeHtE6Yd~Er%60ON-=d|(w2Lgmf~5#e8x7fqF7-C zcQX*0l_@=9u(odN2Wfb-_d}vyGufW^r0x9NDyy)U~lT+UD=^=X7yNu9KJf z{B}XTxZTHePASMOE*!0|d(X6b-ZI$sPw-Eu4t1Gaiu~hl^(JMr22{dGFl#21S0O|i8FF}DV))0uiMI{Pz zJT#Drgy&7@>+S!;QQGum;%)weu={PPBco}7AoU=-K%z&S`y!m*jS?AmpnR_RYb^W$ z7vgyUO^DscrWj2UBBqqVa31@&H^s^iPYB1EpMQ995MEXmr7GDrY+m_1*JGFi;W=wU zXJpM(oCofZ-fAil(7M$^$3F6a*iO~#=5BUM%_DB${M>py+w?iXuzRdp-{8*Y980p& zew6>@%uksvQ@1fR_DoaWTQxT%O}#8m>G%gT0${!U6F{n zVO2J2Y5Kx+xQeVyp`*fBvrwo+|CP7Ny(xT|-I^+!CRPr0#8r67{5c$GlWXl6uBmQO zVma2KI>U+@aUw4huf8++>_pY-kw9x7;l!&K;l$#Av04>ven1iF8BTM9)zd}S{l5N+Q76!?+oTH0P^Y2| z=g%p^5DTROE+({dx-~!7YK*Umd&WU(2Q$n$76mY}VLo~U=(j==r*Z;4t=#XL6d19^ zlYH%`@Vh>^=K9Gh)vnEm(3;jgE3>kD&|etLku#?6X3sKDcF%%I-Wj)rU4!*W@~JE? 
z`g;!^ex&0>J9~;*N0R^hl)Bp`NS3kwA`hd-1}Z(jz<4gjBM_{H9{M*CPr0!f;Z~aj zjmCy@WH35?(&WVOXS9%7%Fnd8Y8Fgc6xc*F)RNJa;`-UW0sFk#_*LxjRJ#ZL@J4-# z<#V5LrI<*JLS|OinXuPnsuI@8scTor zO`T=R#((@kEqUm?(!PZTb#EFCwyoXB6yEo`B@se z)pCrj_>Kkt5^e01uaVNH>6A_bau5b_^IFC4@8XG}Swz7IXt@t^k~qlkSLaxK?CISH zv6tD;8(+ewyW@A%UgE4_#Rz-L?PH#}v?ZeJi20x#KfjUPQyJVp_O<5y zSqmgR7>6}xW$WsejT+nH4JLgqA~+}g&hLunW$*fuWOv@F?tChK-r?QmH}j5pjl*$v z!JX+l^KN`sou=vNm`%Vl^J8T<#LK>IqHm=dg~z461Tn9qmcor`j!U7`oYn4vVY)K} z&usZ|nn?rgkGO(&;L^gQXX;kk@7+u&TOmr0lG{M$3X^r?mo>WP0&YUl)MtdT1*4~- zDQi!Cch__8*HM*aPNOm>G7tas-V@)INa?~@?%PXyS*ce8gb{X`-Qu z@^1yoh^lo!SLsP1aG(Z7K+7jQan%k1A%Y_a@Bsm-4nX9f&=rP7 z1xbKm6&SJW)0DvI?&VoqfGxTX${7R zAW(^Fq$5?_2gX>oSS1t!-xPX~o7@*;(06+ux!Cp96h-nQBZIaQi6zS!-(e-+a)6;v zb4i7@9HhpAQa8gcM~#YAQh+v_C3^C15t(NHhIELw*LuED%Hj3rEnLh=i$k4}3mp0# z=wn513WIB?uN_u74>1!eDWx?pp-PhS9sEQnaVG$?@2-TWq`(e@6H(x7w=3VD;;sZ|)Dqbom;lNU+2^{xo$!h@XaQFi09(U+s1DTMw z*V1W;67?=CgcNIXtCsx(K&jS7ts5%pkE&{een?X3VJO4R(nAP;@0H=HKRiOpBU&dUSfl$C+|NYR?B3O$_tnlJ7Mi55RL9d5 zGQ3LgfD$o`%}x3dL2uuOt42o-rHNbSa&DjrkKc)h(l1AO5glG!m4nph z{%JLD+z~fFpil!rX1M7q$MLkFPcQGxC#rasN4}|775QnB@N&+P|2&|F<-pKLfI8 zC8|A$nAK5EQK|JRCOxv_Yjp~MSPt&M%nA{M6d8Y!DZsxKliRMwE1o@8z!74=Op33|EP0Xi+`-z8`AGy_D8!7(r--wOR)o!6AAlG^fn@#_)+UiZQ7R7i*eLJ85H`U=oWU|(P`fYmu{Y|K zv9Ybv+2`b{IpP%K(|a+(_up;J-@;QP`eb0;PrC)}v#lCJHr9?t){Z(#Znj1aTK{0; zex(taUIygX_@MCG~?Ty=o_azCaE`mhY+J8^iiXkIpir8o! 
zhJs274?|eXLyl3Dv~68yOz7YSNGo$5>ES9-2}lIZ043bnySUa-xIM;_;t7Ire!We_sFk z`F!>=2#BGLftp8L|M=%8@1gvQ^t1K>?fu`>1~&Fa{}*{U zvYBKG)F<_~e-7ur5PU%2K0!aVlcTATmC-*-#{Uc8qL#={Lqm@i-)FS{kUCOA|L^(j?}UG!A^tD$;9?q9DD4)QAX3uc5=|v2g?eF(}fdOK1W@Xh{^L zNQ(lYg%Elm7y^U@l91#Dz3<-lzwcWsYmvP+d(Yl8^PAsH=1UypAr0~X7RCquIE}_YBG^9G;md zR?K@_Co!)LEf0C#c+LMAgG~Ah6c82FBU~u|@{&a3`#T%*3;s$sx=;KwdYPfy*ISTS zun<$Ni2L_dtq@iu)@Pb(wx`d$$9yIT=;nwAnBbN7@rYbC`i zrbLdOBt&1;P2xA!$dEb6NwV%cYn`{$8@T)MAnH(y;Qu^>F0iY8jE5`y{(bvS{eREk z9vI@WcZla{VBe?L&vc>^cd7xyk?_-%eAw}h_t)Qls)fIvYP>;7xY9wxDnLfmmyA*%ssSD~)#I8t@PZ}O+d8l)5g)Mt77tn|b!sQ6P zxG1`*C@67hxhN`1IKfCl8j?|zT{{jdw;rP7??g=#YnG^F9QUg=@5~LNf58+7D zL`pM@CXb&6C}kj3P#~(8l5IhP&Dp#i$Y(O+f$f5x2*4)-N5_Ed zsiD)kz&(ZGXcVV;dZD#$`V~WXK%eOH9mCnRqGQZhwCxws`hXTWXJcS2w?;gQg(sP@ z$15wNvsQQS(U~|fd~pTJD8l#m`anTzW?*0m0%G>DL!Dhl`{LbIfYNbt$^a)fPM5>D z#fsmE)FzSTQ)|Wm##Tvu9uc+HxJ}>;0RDn3Vr>gsKcecn$Li>^{#Kv<)~voZC3&$w zxl;-ILjikT9((--_IkhCu~7C@z~}7i3fb2avMpqkgZW22_(!3pO@TR`Q%X4-{^J?` z;~oC$v}O0)K6lYsa(2sNll8kHgx|Ngy0n$qb$RT1-ZLObdD*Gv-mJwhML9f)3aqGK2Lx1NX}xx_OKBjDwp{M4~5qMNe5Pw)OSBm9~37sypr1*pr;Fc|-w zy`*7xj38}CsJEg>pZmLJ`aMQRDb(mN3WyvB{FB-=?El7?<;w7ZJu8Sd`L^(F@sclj za9>>q!JVjmAU-r`EWh%dVZ}k=#C&!e{6Db$H=p>8?=qW*cA5b;efXaaH1PQmdY12- zIWUb4ZN-KP(?sIeu%8I)l*5hu9q0@~{wnR{G=Jq`t0yLpr-|wr2QsOiJ^>%~d|QDJ zW|RZMA@hiqM|p8I)g>ik910(6y{XiIfdhJ-iO* zM?SA~*XAjC4N!<%yIzqVd)=D`0AiQ|tH`bVZZQ^_ynoiMkJ1qqJ)Quw==Pocmuw)m zOzxyme14HJkaz1%VZVa0t%o-Lo#;6*PiFEF7h7U9PE7{pHG2l5f%`nbOo&}J>oYJ; zrir8aH<=+zWHNcxYD18Ikkiql3TXc#o7dk*f$q|EH)kTUCo)*`zkrQcOdHiYSf8lO_=Z3;j#&O4vU(~E{IxRu~uP{>eyAofi>dF)=|!5^MRf~ zd2jdJZc+kigD?@VWNnLL=yf}!RhXvNQw1SBQJnYWXkm4mZ44n+QZy+VO=5i3-7Lo2 zFVZYETUg6hQ#7EAk@+zWX0$SXE9P{50a98J?gY0^!6V~ZD>ge=*{%M;|Q<58j!+C6I0eZ8TL4GQ;g1m3wWl-SD^KQ#`lA0vc5Nx#7V zA!B|zU1U4p_55Y5O-4`sW{9_}2fe4Go@fDI_M~Gxv;6Eb&S^Eo5Ji-kOtx!DA){d; zx@IUg27vJr7pnX>3zzU`nH?SEY=RYQQnCS4q={7nsM~?Xx2aN=2DEH`OpIIMP~Nv` zUw)uroFr~6r+~KCnOu5}x23Mm_~Uq4o3y%qM?`;MAF+uQS+kgUMtnOpp>T+nkeX3k 
zrEvQ**QMt>Hq^}H3;oF|kdv4!6wD>it}m%@(l%lDO5V|F#N0JiPz>{RzOE=A*9rfp|1&a>T9M% zhKXFfd*lXBbaz@yt4jQZa$q$-{>pjmqd2LTBj0C2<;4uU#Kfk>S1CZ;&kwFh;uKh% zr&?yGuh9#&T+auvBUT>$;P8(nJgo%{c0cXheSYY#smz^AHR@NK%X+#gb#1r`AeZjp z6gL|GvqU6rKs?U$O=I7>vawT?<74EBJ+D{?*yhuCiP7 zSox~2Om=t;|Jkc|zF%1(5Fc1o%Lk-YTo!g&qlD1(s(Ckw(q{dmX(#@ha0EZ8xIstu z^LgYJ4H$x1y|W?ycxJ_riu(@^P>(n+Hc{Yp{D;AxumvBPa}M;eWrR`V{nEh zO$3IUwlivKU|7W2)5#Afj_UB$->4jjcK4>V4PlN1SNRfUKUUYvb$ogSbIv$cF1Uq6 z;am&Tils8Iux<}aUd@V6x-C4h99fv`H{)9<`Zrz4SGviFw9xAJE~BJn8qk6rBWa3e zCpA8WCD}^Dd>9d_+gi^}8^vHKod7hdkT@I8Z$RH{L4_j1L?%dHLzaNI=Fs3b!DdTM zF$DuWFW={vWKz5eIxF1xzW3yfvLCk zkdnmt1RUGg7Pc7?9_x&^FEbu9UR>)anDhf|%PXv`7mGE$);2r3i5~{b=&WB=0g2__ z_kB`+Z77u+29_n4N{~!q(}2x}fLavZ52PzL2*OQQWbH%(n%V-A)W>)cIAE_rE-m*! z8_Sih$b|p09qag8?614;s(v8fWw&PqIvXfWHN%`B^*^*b9DHrP{ROIB%G)ug`S$Nk zvr0F4!@l_?C+y_)z~GbTCYHx<-d~u#3B}cyku|}XO6e-`&5jkFJtn;wzmbfN_n9OTeQO`=FC}acrJr-19hGW+tmnCx`g7i{)WU?0l3W zLk(1ADM3zZU^t9Tr-s0R3R|6fy4X}Xt0*`E54)`eg0u8pOh!cKU{Ob%Ap5Lic51EA z79R$e^x=&l61H(#TflqKY%sHsx1cqy z{`Npo3f;w4Tpxv$d@qh2KxEP}h{CS==hX}q_?fMT(4v$gz!8n=6j%vj9 zH*jjof9&7V}Wyye2=Y81X`N4RHX8>!`3 z#hTZnaMNxXSN2RuJiN*7Q+t9OpCKf z=%cjq5f5tiiH#AdLkhtAkyA4asgW4$EnPFm$Q6~k4)lTsqDP;S6E1=50W9-SbE(Io z*wpmvO_NY4uKl5;L*o;&qWqF;!}vMJ*+}1kDOr;NOrKHxm|ekYSGz2s`u#5f2`$6K zH-X)z@1#X@9IoiCctwvc5DZmB`S%CDIdc_SoR1$Y-VF~( z!(SE_?E}bZ32>G4uqsznP)a?yh7nlLdB%47!O=qGh)q283Ym=ZHXG);d(<5>ahpVE zyZI_@4HW~5wn55%J?Jk)8#g~xUX>?$;% z3&6tpNM{+p<^xcJ5vG0fq=bqWof{YJOSb3NKF5tW01Fmzl`$7LGerz&U3uS>95_P- zI#ZdE8^l_~m@|~CITSlfq>OFxE-9@U)w|LAygppny=pZp)2Vq$<89GmfGv>a>+X6! 
z;NlX9mtF81Go%5^X%=5yyP{Ed#b~Qger6ePl zbp;V~C#O7nJIc_e2tC(2ho)y}dBZUJ5MSKTm;Csoe^Ir`>@dU6+onp+ZBNc&Z^s=} z9Pg(twl5Oz2RT@v9&A%3|M6lDm(l!(D7Cly14X;{cZVz30jsheaQ0BaKT~h-0aS|_ znd;-Nlx}eDl&0C?LRo6sk*|fyNmk&>hUQgy<>4UJEc=P)Mif(To6)JyCI&_UqLP1E z{?=-UdDh91K*fvdjX!H;p4N7wup?eu9UHMi$QoFPoq3vgcE|_T@h^~h7nl99y{Yxv zq$FQ~Q8F+$Fntg~iL*mFXgb*w>xwK=C*ENSrZ+8h2o6Z!#%Le;{j`k2S&)3->%TD@ zgkiQDt(DBVyu;!M@bRn1sMDM?Vy;!hFFZ~by&AM`0Z?aV>3J6&%XxV_y@5xQj~yuj zVKo=WcNf(1Y55J3AWT*a{J(@W`(HTv^$@rMARd9K6<&V?N`9STzOASGe&)=T-nz4G zR`)6%6o$CSsmYluRSXSii@d4!fPpn_>McJp{i?7{f30S{& z7Z%ld|4N%(#vme@>3G&W&M}v^o$U~lXnm(+wwPCikNC*~g@GgN70O$rn#Bq%sJ8*7 zJ5d^1tOBja&PU%H8i+xh>G#CJyqMe;KcvXqU>U-*WYeG_VY_U}I=IL{o9=VaOTOFg zWyL90iBd+BQZ1X9*_SQ$(zP~XOi+1%5SNX<>(Xtys{1jVHz?xu8$LsI+RHk>gIf7X zmm(4eZqO9qZKn-88*K_eOK3ealL8by-z%b5(g? z((@%bXD1n%VT_Es628Cl)Fn|#wLcaqW}Y?0Jx4S59BJBO!rr?cC^^jYFSwRwa94@v zx$rAl@k=v69Ipo9(XzY<_Edj!#vo_5`WvHyz*!&Vi9+N!!gD4Ucf#mf8#k?wMZHaV zz{q?bul_ZmZp1)hXQ|QEvARH>XslO)cXk=6QEM(AfJD@O9L;mHpA-I1(`@|@o@`|+ ze=Wm5c*2Fd%PVSbk883Ca@$mrw%0ZlsDJ`EsG7hk&flzw*+HA9v6EZwgQgeD=AbP< z*q=dpSq7uqyG=IvC=%a#~&QuN!j_q?4>D1dJWu#(DZI(b$B-gCJPo^0h!nz~vUQ)|@Bg)JnTJbLU zjoqs@x36iVR2JcZ`piV?Y%K8cisv44g~D!#R&eZB6b8^9y*bTD)WQ_~Byx7hh;8 z*i;9MX022n^G8UDR>`Vjx;`aOxmI>Q>zvR`{~gdiK|NQuocc$T{ll)f8HmLpNn5|> zB^qJ4q0a2h^M3Qh21HQ`jOH!>1{xck<<0ss}q%HmrtL+ zf^m39>NmA#c^EH#EU#!Ek&!iaa`9e08mTDM?WD4A#lgQ*4n^=$V=@R@INLJl8$Rm% zD%#q4>2v49j+Oda+&Ag1l6tQu87}Tj)H8QS;x>!f{7TzxJnLt3F-G5FRk zPg+Mt--SCYG)P%38x~U=LG|yi*logbxPAVrp#MOvZ0r?9v zdV(&vsHl1Uevh1Jp%}Bsxww^n{xu`Nw&c}pQZL|$`Q5I_)9JeB@SJk3a+a2?II>$AzWFpc(yLeRrEFOcrHsqpY z8ix1Z2~4$(JHh%Wpit8-2(=Yg*gud4eIb5vKiUpjE-rp7!lWrW-kR^UT7EoqSUeiw zi$Y+jxVTmR2Tn&CB9638ow)vS(kTHm-(pX$QMPZyg1xe1?eUvIz?5pfvNRT-aJ!Q$ zUfHvkjG>E{f7{dRpT0&T!}GTPN|)Y95o|Cwyz3#N;B(M=B73#O>CEHgR6VKG+#O$XFw=biSqfe6^FK zZyZ8ib*}iyzoB=et{F)ff~+M6&Yp+Aml47)-z`nij$W{WvqpESCt_lim@C%Qt?rD_ zN0e8itqfgp;+C<(svBqY(Jbrt;kPU9m~g1Qd>_It0j;`5j1 z1(fvng3DBzL8`}^BVw*5pb+ax)Bt?7Q#GA88_&!7y@4a^rt>ej1;ZZs1uD9MHSP9p 
zN3HGV*upbg<4D%?xBfBV1CZB^tcOG6iZZJMe40zx=&les zU;h?DE9j zSV;sUe7990Bmdn1X@`=(YMv!P5)I47&Vj^uiB~_enIGg^vt!)FlXeT<@QX-hcI5$+ zN>#HNgEwXezjal3Wx7J=NC^S*_)pk{a7^5AbuWw2wpAlIrfoOtx)l z+p=LCM?!OS`*U{<3anDZd`*1*?ir)KG}1UUbm(q+R8rbUE=cAtxu>#`vR+h#vzI9q zqg+Nqhe0_*Ow1CIK8_$2)kOhLFb)hqkf|bm7nBQ1n%?~&cC=c2Bo_N)add)!^#GUt zx9a_hq4kQF_~4(CNn~c6wm*4cOD#Cu=hwARMz%t39v7hogr^_*YO^SHBUxJ1#*5I? zNL13;k-)jOv%NzinQ+ILMqM>$W2ZA7C7H(}ilUC$+7PNU(f(+R8W3{UpF8ch=;k|y z6uTw4rK&Df%{S|4P&927w}ze9bG5<8QGzTapLQr<)G}%scZ%~|L)UB#n`AoqR&val zxSRjH9j9V8G3H2JS5dyK)K;}aFC{iAQi&>&_8j8XMb35RuD28TdQM}jC!3hzANpSt z?BHg!k+BN^*r4)wi3}T2gDiwLKAjNBw);>D4x{`1pff{>!FY5&4CfJ93^+BZDQ!eP znRjvDh+K-?9NLhd${gQS5GBJDBtxoF9*=f9Sl2)+p1z7S{fS?lzW6r*xksXe#y#A| zpO^Sjo=czWA1EDaGtyDOeN24r3Z&{^8;qmE0j$=ynJGc8!*Nb3d9U@gbxw_q>l^SY zUQUgNuOQ2}(RSB3wUdDM0$)Dy$ZOgQEFp#>ZCTUL5QrJ*A8R%r zi`hj)lk(JDFxw**_WXw!ZD1fFrdfya95yHUsz1XlW;XBJQbifU6*>;iXhkHwcn@@` zpB&XyxR@M#p?@Ub+`R)5T9jiysjYTmK-tfLvgGTc)N954-Q{DYQJa$~(27v*`uF-? zW-eqdbXX}+@uVu3F)NEjZ5?{+gdNBz6^d-*(2>aVG%}k40zlTykzyCUb)RvlC84=< zIQafv$Tzx~I^xOA7PI9+(f}AB#--Y&;W>@;!ZrpO9MFGJ5|r{fS?-IHBrPN5HPg{v~@sICw2w71NT|VRtHoY zu_OIzU`^mf>*;JYR%u_0F$dz%`Rv;%WqyMn7VnnE4^MVgO+BA9lRsp_&)pQpF5kPAqP<)4R3;scHu9+#`xZ19Zk>QZg%oJ^PO zWpHDqgjxDttW*jex}6!7^sa1#yM9R}lb>0_s$_8CuN1I#1RRmH>h4YFsOC0bgo1Gs~>ZAn1S2R-qnfU1T zZ^769FsnFd*VlfhS5LXjM3&hl#@@{y3~JvEq^>EMWhCotdu16Zr-s;y<|@3E>#&b>3R)kmU_v3Oe4h5}`UL+zyGSS++cZ2mROI ze(^?niOP-JOHp~Vvd-pMKVr=D$mr@S#HBHTfE6N@0~VeWly_9W{esIN-fZzl4xP+| zBwgGygsba49h^+^iTOn~YTa~>O(89ElFCq(8D;?2mqt&Np>&b9Nh6hM;qfJ#k~bMZ z>rdlw5yCBQp)&MBX@)}Og8~Oe*NBPxtoO8Y31T+dZpFbiE$~|ig8NfJ-Mso9Qh_EU zlS3Wg=LlSCaIen1DRm5*`ef$qF0klzi-9iA=u%*->aCX4yK-v|kPe3$Nv}=8*uRQV z0AjaGLm|DS1eA{tuU+poWvP?_w8D>swxe(Hl;@gN3Zv7LQiK+H)ebHtTvQv3+B0)X z%ur4SBuS%&d%DH#@s7R_y8ue+c8slxV11*dlh=YGrz9fKtT&o!Gt(|qR?|fzX1
@>6?H%f+RsEZ-Eb$*jz= z?eAOCPEKfQCorjav}0(o&y726uSmy;()3>MZRwoBa7&728JGDu77*|c`qauNv#A>J zCaWM`fry;^9+gP3b!Tpx8-sq9$V}ty(-XQ!zDTz zGAY^&>4|6c)1Wu*>ijB=$IuJo#$|=v%b}K{Wdg$hhnxqmFeK{Xvl-Q=!zl07WqsE{a%BEk};51IFicTewzSnLuK(D@ z^2M+YdRZ+lQUbuaYI2_KX)PCMIj*X!w)1dyhQD`6=zQ#?Y!2-D67kkZ*a)QDNK_6z z_S{ZZb+PnDZk^OZ{bgR=Kl_Eijzgm*6u_Dxdji&oX)ruu)OD7$Ag--Ij4X_~`w3UEI&#aQJTBVrO(W|=%KP`~ zcF*cQcddDN*!hk%iu%tB_zuYST2cCYN4Ju_v{o4c>D9aXf2W-NEjr@cXUW^iXD8t2 z_DDXZVQ#z#KNcu1wpxLyAaj~yHDW2F4+1ssu9b~Sb~0jAJAc&$8$AjeyWaXMgZC&G zPH3PFVWvEo1htm?ho=^rE+@DDF9fth?jlb!bWzS6sKK;E{M?=|se4_2@Q_m%Ti&zJ zxZ9B%B$(mua_G`ygT)_Y{aN%d#a>8&6H$6lrQa&|q0QWaewuG{E`j0c);#Fgwr#;> z9bsQH&+M^|7LzQ)+CW9<4Xy!&osZf9%Y#EkIYyd_DnacJe+6oXTGED&@N=nIJoVX2 zAWYgDb!@Gf^1YRvkBkQ4?^qr8MHZ~C~p#gn?v27eok`eH+!u_FS$^?9g%HOJx3 z^`$#*F;T8>-|cuy2_G{0<5=xxLQ>p&vDmwpXQEL%i)OlDEbyd$^K~G36^`zu2zKfG z3h^L3F*=LGU1=~HNuc;2sTN0I#f4$m0mYw9o5|OVHUwrBMnO-aUgim}@A=mh;&P$R# zy5zr=aP|kw`Zo`}6FRO+8OJRppAeGbpK zvwr8dNfIYA#^LAW_tYzp9GB|Uj7W#zB)5qOO`GmRkSLo0UE3&!{Hm-7#OA!+BHE2J zp3_6bW2a@Bw6;xP;3V^bZNVB0r4mLF4k8FYQAWieBhQBN67F<`b22M18G}I54A)00 z2zM4>8x*&gme`sdkLHH%r(ufg)u=-VYZ0@TA7n{s*V2-G2aJcO9|>24DTgA0J~ylg zIIcB?zHMA`PFT|APWoMyTgXwq`T+mH=ph$pzH4j-aYA@TVywAEbsAq8DOa;#KzEI{ z8mq>1u4+BKsi|eoJOq$z%KUT;$8(q?nKg#@Ae+pNt3M;Ku?TJn>K*_K*=|f@8e1_5`kdN$R}F-*cvfyIzwOz)3j9YBDNc?Dx6?p@s8GWGEwu< znXX%BlRb6uk33o5b;c%TKi>&Zk5*LcGrcA$&0FwCV&HbJ@-wc;hdsC=ztmi0PVmwZ zn%-i>)XsRz@^E(bhV$8^gDT!Zx(|Pmb)dQmxqM%9_mrA2VqB1$QK-4ap~ec#!t*E8 z75AJ$LO-kqxtIgDyy_e$-qZd`**-!rYi&TTyY~3l#y9lT-n8G5x~?ZvS#fR(c<_LG zS(hD@Y3ns*t+XqRgQ+kd>#=wFv~KG-@#YY~KJ^lQY~Tmu&DL6Q#H1?p9`Q^h1Y*mV zH3ENaEj$4^aqrq8(VR=?u}*_G2_@E7xO|2}ymoqJsNO|~bPxPkH{&G>1?0ZuHGBJc zbBlQ}C$0Q6uGR%DC*X*zl^y`XRJ zuX1B;-?y{`Cd^YySqD0iz}J_lX_h~zL-C=G?ov#|0LOU!Elh z@XPGU*K-6Omsa{_6*?0)J(aM#v-86_eiX#;ZD4=0&kSE{8)4XY#%cR(LrUhwHxFwCX;$$`^~7LCuse0i!T3LRj&Y zf%g!iT+N%&S&;Th+#)u8-__eMEgmFDC`}h!;T`n*AS;>$jZCfk!;>y%D??^~v~Ghw z>`3t#{dc+ z_%IQ885*4*USL&W`y$1+F z+xD5*!J#O+@y?ibo 
z@bzj=JCU@lz&OyQ1bk^@9{}mDg=doj?B6Odv=~Z2H&G{z>4KlGv{?E z&s=G+pVYvo6!<+|R7Mgo1(x`WUpGf2N1P@qge@oSyCLT)#4fr zfbFoF><;0?{X5i%*RosekbaPMrEX=_a9KFS^CB~oQ2J;Ro9|ae{p(nV+b3#LRv_RZ06E)PSfahz`d7!@m>bqid>KoR z0wzwiPUo93TWR2YSX(786*a<-`?X!RCLV|uW?STniF-c{5DyD_&g0UB|9@xs|N9U7_C5ah%i;gkXMXDU+PIrO!9@r5?K^vH zAGZbl|2&WX-GJtMNd8&7*F#9V*KyyzNI!+puqZ!|(7hIa3uB)BXAbdJ6G$K^;8B{(Oz`6xyHh0BZ3-MCSiqu4GpDo;ddv cgZqE&+sFUE7vr9Q=P7jBQ{wO8hkJwn4?>i@@&Et; delta 12491 zcmZ8|2UwC__;-6*+SJO`Qp?3#&Q#=0-?HH|2>x=oa;R2`JHpG-+j&vwRiuA-u;07lY@uO@7uTU*givh zxbXwiA17aPzm;-dr@1d1xV63q+|3j8!p%+A&&63MQirGUuhai<9xqP0LRYWczA}{c zvm@Z4lHw;DO`nk6K!YDqc(v)jKGt67G;Y4`tMINF8GNQgYhM-5gC@74JRUtF0z7eQ`s?&t&WAON_<5~kjcb`Q;MmJ2PE~A(XX{uw zfXRcDB}>9(JcI%dB9eeKfwC2ehq?DKL1!RX*a4_{>-J*?uVE%yN^8Q-VN zfE;~buPYLygnaj+{hd{J%Y*aSYFvr6|B!=d4gV*_%JbUFKY!E^JNzC_j6F}eO!!5w zU~BD5Y8I1Dm3AHor#+v9IExO7OWeKx_G|sbzy&GE=O{>TQOoXyypKyhQ$X|C=mY%^ zyG<(X#L!nQ_vr|OMm;yP)!(7lS6c5+79%MJU;APn zUop6~LBcVcaBX@}?_?IDx(*V&)q@;doWWPaqgs$;SqNqvVz~8Kk=bMs{EVX(7#I+! zZ0J9(_RDqac?OPJ?aSC?r(k!{3=^Nk3(PXp1>a#`LSP;Ml<8LhYSgN&xW>7;DU0Ck zbi2?Xi$>2m@D#@AtNbJvvu=9~`zQ8i3i z!7wa2igH8*Es^NUb}`=&yJ=mnQb$Y0y(FJ6IGkcP-#jNAI zj{ywoD7__YbU_AfdAA9XG{R)z=;DMpy4?`rrQ)-d$0#-_p|iw?T#Z#4lH0-2dM^Y{=fCnNAyAb2>A|mcQ zbE=eqEys~yusi}tBnruzT3Dk4rWu$aoB?ZeYLmT-Wt33A!obf*3BOR4-<+o|PrVNw zf3H6I-X2q$iZ1oD6Wp;CY~}vB3BF_4z39!rNBEp0+MXl2opTHkcWtb7ZbXzF--;+t z40tDpImIkH6;N}kO(dwu)4%BYZjeE>kZgKT=e;;`KV*v~1u2_w>MN7o?ps84RtE7^36 z1}8er0hS#uQS$Bh4+q$baDjiGuUvByTxQ&@2a9?oA2j)tv5wtkeB-F8%17n%>DID{ z6a#XkF?q~n2)og+Qw+@cLx-cPx9G=bn-;(L6)GZjy0!p7%}|bG0Nt&}i|7Ht0ndQa z-0Buv9>_+O8xX9kur1*B?zH)LVU35Y*YDlXeCnTmx+AOg_$mA zXd1bkyvfcwKSuNEk)Rxa@ckssFi1Nw!*?7i|J7U@%-G^zqkJ�jc}nXYYe-;UK`} zm)ndee(K%bSKEuYfB;wD0N1AUCR~u=3lt^R1>kIcDe>&c0CQS0U zQa-KSbISXr3m`D$5d5#EYrT;`Px;DlWyQu0z|IsE8QpluVQBei4UTUbP92ZpO9uk= zg~OXRGaoHLmQpx9zQFmabCGIq9t$6;LV_Bv1491uw;*7Vkhc5Rae)Bx@zF);vr)|s zCA=^2%pOa>Uv(tWoxyu8#_Ek?BrREOzn5O^qUt?t0GFj=cp{2T8O!3(Ev~3J`v)iL z@-g)5R4f_+gI8KZTWw9Lim$r`HB4~;1y2>%j 
zfK&i1QrKlsz&l|PTtcRJY!0qB73J|Fsk!Q^Mq1u7emnB28Rb}ZKSY5~J*dDA3md_D z@381^>?EToh~1tgIFw0)8-*jM+(D z$+mvFg0{#Q(MsQ77EG!?)~Xh@_`vlvhLCfWdeB?KW-s+-<%WzFW_>6=ooigT<_it3 z0X(Z^c$ss-o(O}bm1!bf13NXuV^QE8T=(3m5G+J?)p#llAmg?13Op!_5o7!k-^5=Z zCcF>jXd1%#N_@a*HKc@q79eJ9`Cs~yojT5?q)6U=c`SMHVs88>rwyeIbPa^pZxn=h zxh=YE?gZ+7I%{)a!(%e#^W5|)k3gFg@>&1qma-8!(xU!;&xOhSQ_|Q8?U)|&S!<+^ zUfLTwfIuiTG{h>Jtw59ED|*BC(&{U9EQfYOtpLAmYnpihjG0}9Ftle9OW11>v3Vk5 zfD7=Izm8>{zp%h4(83F?*A)Z{*B9e6VbhlJCWQ$M7Zc%X(UnT` z=-D~;n!e!#dv)z|1wG{b=Gr$PP?^2lp;tj|$mRWNN;9gY^f>xIHLN3l%4jzDQD>yq zLbQjAt`8#T@YbFezAV5B6^ny(8sbnkYATVZr5i|5*PZO20`o+x;!9}NQEgxAmuQRF zWR$>y-OSyVuVW9}&O}9CKXmJ!_}?qa&wQ&}`EJnRETY!u(uk4J&kxg1s*`4;ZI)(c zSf%QmQGrwBg~DDI{mjqW*I4I(&2V+*>L?Hwd4vUV4^qC!oC{Pl?uPmO{XH!VwEjV} z(fdQ78mJ5308Avos)p^U0v4V9qr3g1Hyr9t>Xlc-ArJdWRg}cr8l&RyrWh1)!YWht z!MYBnk64>eYSGBRkp?c;ufVrdo<4mRtNl3`B`dx_p5;fYl=UyDgX|&m0&jKF)LlW`XhHIQa6T6gk(oI8?cfVaz|JI1mE>DS{Nbz#@)8N>D11j#Zxg8MzFm?)Rr_8SQKa4N#qx~h-G*P4!uZWYfNIN}Ro7?-Etb)ID zvMaCC8~q7!Z-t4cid}y6;q#*bJ^7$#Ul*$%RzyccN=&pL!H7@1_yj4>eO)-Di|MlS zHz}Y14Oz8)sKHY7OVzwu+gKWs zW8oo&JT{|YSm(CFDeazUaIm<-BDJD_D0@%vf-nj{li9O5H#f68NNp$xivo~M*6z>v zwx`^gzEGNLvgv01kX16qs?E|H?ELfIe>USMs7~lxMT}N&`KGkOTBs6Fk6dcy^SBYa znTa?_bD6a(|8l$CxZiPOQS?yvqoez2{6}AL*IW3|0}&DVad5y6iU#c|7}&WANnM6o zmawVJxuQkwQGs^8P*w>HAa{|dEJR7~Sot3ICg^&gQL*~tP&8`h&fVkI{ap#oHceW&KJ)teq2HG#KVVL{+YUp zN=ANz9{sB_R8)$7a+r5mb$x}vG3Mk2PvB>t3J=-g=ZeOtQ2@Qvg|KW@ZQL`X%i6^R zgtGO@t!YlMp{rii@c2Ccq1)I(a?`KTtwS{HI<%4;w$_MQgJ(AsKgxb@PKB|gT84S@ zunToNhfPHr2eG|XDcpbs3ENEjNKY^k4yoN4hn5?}5gthiMiwv0h1wvr95y~V&t4r5 zq+VrsRxSg=tBT~;>z){VLl2~YvlYl%{{UeZG@-&mEk4^y84IJG@FP#mqy$DD$Q6g6 z7U+i)Nv=yC28-_uKCC!wR^wHdKL1vsCX~YBH>auDZ>nYerA^CR9fArY)=f??K`IQu z^ruzmuM-)va%FsEH~-+RdkufvkI$JlSndFaV^j{9i-sWJX6=B~?k215wr5jz(SHZ0gW;-r+2d^EzuVRJ&# zYsxrrVe&%ERHKc=qo;Qs?R2>6J@#Spcc^ng*@*hr0BEAoEso!WD3AARBa;bp3NTOq z@@sQ>%{88oFO_Ey|oboG}uoZnU+A5r)mdA z8_jRr%W1b&m@c?>A8M;}!W(^Zsv`JMrmW9crA@t7+4L1H$SSmUZ!=7ECSP;kH_VYZ)ExHt?lK 
zYB6+>@I+Hum_UgLKA=Z|A;sRNlytb0`E1b_lbD4hd5C7GZ(fqE(GhWB&Q+n2oBl?0*lD=WS*vXb%&O6j_Ys@n&* zrA3J6lHa1x)n)B^Kl+UqCd*O4#OQSUDgh^|7L31&1y+B)$_l>O)zbbgqqHCFn^`Co z*rX_5o;P%u)3{bqx!`ZB0FuE)6YjP+Kw{5}#bo=g_DP)DU97&iEr|c6m+(&jLB6R) z>V2uskkRQkJ?1c3a}@89gu`?x9~f}Js|ph2NDv2$K55<^ahG;;-m(HJd!PAGK*A@Q zEyCzVe1|c!oj(##UE{Rap7WE~%07ON#eeR#wV-g_or?jxbvi*0AVN6g46{Jeo_?NDdh6%}ZlAf* z^sv}> z%%-j%anKhA)TyF&z&4xk8p4LJ{q?Fm)EeiFPADU5@s5o>J#dtdI|q^Ul}lga$UpT{ zH$!tzSS>-I-&4j%JoctPgh z9M`?~Rod)_R7jMI@;%ef|BJrJ;oGdx_Hb#jp*SVS97@^rs5f#f{&gY1H|XAA;B+%I~h+V5~WiU8=|8 zx6ZH@48qXvZvN^@xzMwg?PMD05D7L4I_=%e2zritI5i4NA>f9_i$8mcgx+oQIV2UE z5a}_CYThZ-x{KBrk8P{Yphb*yXF1W4pDSsf9oxuW&$R6Cb_E1@fgOwIV#W5<3n=TB zn(_jV4vw@=jtu2|*P!vEisRxI$#JDgaN=xDRHQ-t&0CMfA3;dsIws`m#4;iLuZO)6 z5u)reLOeM;sM>Ye#T|_i_2EmNp8E+tewXy}Z&@MynQnAKFL`DUjXizUn(g0^YFeE- zk>i43WUt;c;PH=(wAx8Z3{IRtZy|4Nk5`90pgrFkRi zFN|hWf>dYR0bQR&4PDy2bYi(af`zeNWMo#rIq2S)1fsX|+! z)HW(h(AzzzzDut~!u#p21E8i5RkVV02QXS%V2^+aXgPgO3#gH7O{yzpwK@kaHVZF5 zF2W*am&a2)Pris3ECO0~RhiOodk`R4OZm?s>I|N7kM@GOff`MU~H$*Q0o= z+5(HuQVf8&72OQ-2%{E5&}CIwOsSTTUu@=T8by_6z~p=WF8VYm;Nr@Em2^{gFoG(k z&}XUgI5glar9>pB>AVc?NpV_&sVb=QIjC|(n*OvKs;43H36IpB3=lh8;rw`hkLsHk@O3Ro*#?V ziEp?b?O|i2+D>5jukkh(W=V`%R0|T_#4`u|6ImT%t_^sS>&T9Kos;+&h>x@LohVcB z6>|l{?N}~ zZ9Z?5dk-8+4GuqEQyLLzLwS3=MtN8LVmfSrIi7}aS@O}%>F6w^EtRs>f?0J<^ReY; zjuKio({yV=X^19p7#%-dqze=WLHHInn)b`b=BVHKFCO$UA`5=fTgNG1F4rj~*&Z5C zG^Rw%IFC>qWv2af+qnJq+;JZN_FNs!IIU7j962FX=+DHL?oO(k@d&&IQ~RrAqJZJey| zn!&OPuk#=4s4LOCJa)(R_BVy9eiF{xItnF66|H;Y5hmYMR z3xYUFwYaxAS%S&v+nzn1!*O|(U$vPjah*mEKc)qh?L&SG#?xaUHO@W!ZXs7N^YiUl zZyd9NJ%XYt3wb(rB08qio{{h7@2GyB?hXdFJuV^gI1D7QRo@%5iNY-S#fes{(&x#7 zk-dg&1>|FID8dnro>W_j^5!Ukx~O8s*vKFeYH8P_B_yz8L zaWp@Sh<;_pvEwKzp&zd`_-Vb$4${zYoEtKb+AtJA87-t2JH4|HpjWzh#-%s`&n;^` ztNX$uZYjRr!BcY-b-|fj%`ylW7>aQZ&qs16kiFTSMHwtEI8-@^ag~y{H&^aZ)ExRi z2_L7tLK4gQdNMP|TncmdSF8+Y(PM-H|NdI23W86*M}Iu`*cx|SuO5`9*Ju$IVT6+a z2h6fAC+$p1Rk|=$-KMHsd;!z;=R(IEL((HHFVOik1?I1 zR}TQt7^u2plOn=mG5D|;~Ayvksw4=H9 
z!_{<qki}CvB4}fbMOA_uOb*{rE2ovvObikTxKs8tx z7-bhlzTH$fYn40u>C-Dsjhj!bZ63ayDWZkAqAEj{W0UhsTzcfZEac3qD@Jw@7S7G3 z2M>n6{S6BU&egqqmW%7g9xiQR|BZHUC#E;mg0#79w>gL;FGhh#eZ)(}zVuUyL*d(~ z4wUgyNnJFC+{p#vq z7uYweq_W_pYto!bvc0TyPp<%t9%wlcFNOia9Dja4{f8Y-K02t`Ds$xBUK~MRj}qyc ztVFcHrW&exhCJCLe(7d4^Dc5?V>jTIBPWiBU)Qh>2tUpoxO9~Zp=KtnR9vFSw2=bu zbQ&@3HraK3auE4ZKfbj+w!hJ9J>+R}aymt@$IIKGONI_8#ygofJ%I(}1_Blz4Icc7 z4fYZ`mo8N&-nqQT0(39lRw4Ld+0P8`!b4Z03%*veI_5OTKR%o%nT-u^{U8LPcPpHi z-(+yihea>I;THJGDE6A0KIk5uaMXKzYBF}mc%E;)P3x4HG!@>gjnz(;> z;Dj3?y>oI1|5_yPIpZo1&-_51RG^`$=$!|suY0|Ir-;WP4t|~WEvrLg546s*0frVX zxB(v&5ZE40u7iv4l5O0!b9RX9X=gKr2Az5vB#-;%Y=@=L9I&d#^3K*_OffqhqiuzA z_h{pE;+6gz!StsMM^?zNhV0!8y9|g6h3DO%&*(`5R+$U$8KcU-Eu+lyDN*Fn!Fv`N z1#=I}6G(M4LO594;6}Kt=*C?DaMuCXF&PGxb=t2tR@yf0#6|Sno;yj4;Dq!nRSH8? z&!up3%1!AD|DcA?^wlamk-a^xnT4Uzd?^1 zCL86Gas;8JeH75Qn=MySY@dM8i$b#+dmA}c;-}n`sxQuRwXFTB-8|60qBvzVKfOX3 z3VMlDk+t8UG20~Do=&%ZS&1N8nhtFvzE!Kf_=VbnL1-308miP}pF;AmHRB*<8d7s{ZXsiKaKR3?n%8vXTf z^!OCIf$^jP^i6V|Nl+r_8*x}&7K-!pZT{a%5Bm{;X7+&pUz15=yQJxtj@vWSo<%8^ zKg32R2pm*pG(X=FWqG^VzQiz1YhrufSYWz9PD(&B^=`bRV0Q#Dd0Jy|G|r_PJSsOb ztMoKUS^nMc7|nMi=3Q&I*~thlg_%!rY!zW=hk~X)v6JlBP6&p0@8<}r0)4$Fq4)C) zfNCb{U|*EE4geO=+oJBN-OcWIVsq{)>Q=c+`DXfz6+2gBZpRg)DJ>5?iGpx&wW4n6 z8MwCXtn#HlUaRfVoDET?wS&7t@ln_LfW^rZIaIlW(kzR`90E^hXLkZ`95-1Yo(k=B zRrvn7LQkt*Tj-`!NP3>xf~x`m((w*1GPFaT((Eb>EKW)bXQq5w2pn8Kvu&tgK`= zJ9)8lKqyJDtEbG1I?z|tBW{FzT-`TP1s?tIHCeUbySGe@R}1=fEbyE1eTpG+*QC zk<*b2RYnf9h)jW8+X9>TE}hgPn!jC(iJHUZ?)nz_v9SkjW!sEU>@OGV+I1F(#?i;Vj)Aw}kKPd1P279Z@p3dekLbVX*o(;I6|S;( zWCT+4I0lQ)p^Le42_N2W?e*Ks)*3WJ6&xD7Yg^uqa~&D4ur(hCzUA{RB+J@b@9;El zm8FW(yMVK1N-Vp70=KGraq5qaR{3>5nke6XS61;ryj2Y+ml{HG08(^<68Q9Rm6b;G z6OA$!4Q!5+=B}wGk3{Pq+HgQG`C_^2?c0h~{iTOQ{I}tZ2Y*>EbIuXYEJFyEY^>i< z7h*9_U|HLF%58`;XIA;J=duIIND^4e!U{Inw2jNe+Da*Jyg)D-CHa$c;M^RYKb_bE zoe)IX$E8Do3ycTSqkH@Ms=cmz^e`r9U@6`^e7u+|Co$$*RW~qW@~CA8$0>Hb)!b zusgeQvcghjjO!T9l!TTL9^$|c5;y#ecEN?n8YZSYG=_@+Ps!vEOxzLl0g+dz&j7>n 
z26wEe#StDTij`bFcFHn%PG4Xz@y1F3r@T$7FOs?5&^R~>TrX|EpvdvV8bLj8I|){L zKMO}R20Ii*#cZeznb^Ra|7rO-+V@EoR0HRyQ{ zk!|BXSn;&w>&K6@D-X9S2zaWFDm1K1_6*T93{)MRa$d+T6^t3?*uHmoKL;583I3-f zA`G}dkX#_N@;K`#_R%u8)fpaLb)nCf@k#cdS8}YMadp$X>2|(@=z9cI5mWBg-Pw3s zDmF*qj-4$()U~%5P4vqxPVx^5eNs|ZNjHZT31|H!ZGjPL<@Wk*X2_VCPR6D2Qkq#i&S4@&VVv)v zbemnxB*8e!&GZZIUMFnFPxvHz;T3rTP)WMBso13v3(!cinQ6SWnU8JV>@UMTYTeX- z>o>L5xtvz!dRv8?Jw=z#wr7=m)={Rgt^;@9$vw5MTh)$i@RB^?D_-TQd_my_k#qP_ z=-ktrPn>MjIu(i|D)X^MwS7?Gm#Vq(sPuS2c5O)-EBh&InrA#(Nr<%kBe|0FR1Mg!!U=wW*CJE8xIeSd zf1%jhth~@aKM6YHh_aQfK)ar&p;Z)3oES2KLbZRm!(Fh$ug=<*zG1F`dmtK(Hij>y z4A1%D$$qSt0qv=`Kt!dXbc(IS~O-Y60b;&uI?P90kn+o$dJT0((;o|h!=u-Z}E@^g^;ygLp{vZg(% z$&x@X;ft@rJ!4Y83MkkWgI=$J;P~=IgYN>>UY6(MR7hZk>t|wv{>-6(Ky!i-5~4se z7%pK*qGPrW5mPmtMI$H|)rnS_kz|wD9AZ*j@uDEkXN1lYw_rq^ z6q5Q49TDcBcUh_oe)~C>*OQ!DO0}>h1a-9$qe3IXq$k64i&)$;?e%H$ie9na2fC8Y zhjH7v*uGz=7e3=4;q#4YVN}9u-KH$8Gp0`F@BL0OyD~BdX6j?4WUubO6{91o2M`Lq zSH7;aJ+ZxN&%;~wk!8^xpAcF36V<#)Z8c5T5lDS>&tzhUwrCYgnXDRuraC3&sC48t zcSKwp^-#spdm25`D*duDxlwNMwcM?}DCdhv52vMI-B&Exa3vO;$U|nz_%KNgFUnyeMC2NqN@>Yoh`JDg>II*e>r695Op%P zXtat{QVh0A2;1#*yGduFDr2?z$XTU0>}A z3cyqWhwT@x5~fGt8F5iP5)vXl=rYfHIUkl?Kbwk?n;2DxMx&;wQKz6-*Qg$3!E!+z zoe>i;Iy~MK3~I;{-0-bVXuqy^s6+v#68^gGEWRZDe)K>Mhu4G_l8>9J`hq>zpw{yA zJU4WVZ4oZUKLs4!U$~4UCmErLE+?LJSx5m&O9S6LHFrCcxf1mMkacrUf@*2KW!(+SKBVF8|G1p&mWK-?Zy@d#i$LQGSVeGAw<1E>G`m3(M;hMId>`uK4ST4d z`R|-f=NRt~dp>GHWX{j@=FP&kXU$%!KyRMOqtddb@w2fx;5%l|Y9i5N-2lY|RePq) z?G$vV82apzrGl@JH5IiW-N^0r+t=QYv3s&))*b(mOKHMeG3CXRmIbxTZvyC+!Uc10 zYE=sCG79R8AcOe&MeeSQB*4pTBdR^;OmABLm_pk=W0?jzV*LDy)9s;Y1VEL*m(7@> zRTd_CD$CxfV&cq!B8->$A+G7dz_Ql_A~N{!g9|)AKwZUPk?inSzAW&sv{|=@zr`Hp zZ0=;4y!ilcoRgJA3CSwfsqXV=ODn8UAgOF@x<5Sh=a7Sxef12JU-KIGkmE^jbSN`{ z=gV|}6?v(OyN|pwblhdry&6WU8z(tVK|hU-1O5{bZoXhkxz|XXMD_;iG#11VGGxOr zcp`%a>#y=fo8<@W2FIi3=~?Fb!Hvhv+R$4MPO z|D(jJ-2KR5u3mP3$$RtQg|uPMOCl}8ZbWp_v$#jYZ2n!AfM@w+tjE{clP4a30QQoD zp+|BzH)ZVf_o#240VbUKiBK3r%w!ub3B)LBG+47KX|>?h~VCf&pV64oU(agoLpGPqq9YfpEG_( 
z@tf6J-s`qU^bjWVfcE8!?yk50;u>(Y^yPr<(LoC?+ahT}EAySY^q6z`mc3-gptoH=YdRom^=3? z=yAVh0yXEm<{vQ~UX_vACfGdk*W4icEXc>NC|SN|Cl0fOmvR=`QIME;P};*EX<=z8 z+S%s;9s4JRM-9l7Fmvg{OrSO)TKU`SGUt%=_m%l4@uv9Xg^?|3--2gpV&M^XGR~UN zuy?8nN1t=|0c~&a7JcCoJvono?;kwFU&Za=n}1t}d8pYzf3&I&chw9I416gIp@^~q zD%szRl6;oyhgfOV2wG-ZP^rMml7O=OL-Dhb)XN*-w1mhCuBG-CYMEwxog>^T8fmj* zH4iljmQ~crW{dE~l*(VT=`G+MX+7f$h3RvTt@D)}wp%j8K8orG#_kjQCrsZe^oZPa z<_+FR=P%O2mt*{*%KpUOt10qcGkqyrkT2Ue_dkArHnW+xL4m_7=Dw;E5Syb3kHu=4 z{9zuSbP)I$B?Z;}_;OE${rmU3lzS`wBYZFcLW-$3kODGDFfZ&WT!zQ=F4f(rM;9hi zu!6}C<`#IgWg)ti%0rucfU$H;;8w&59|nbJ!I)B_-*FwP67glg*sCBy9mmsm2gaez zEds2rt!YutZdDuv3x<0Qv`)Fs@r-RN5#Hm2rPQ&dNS9$8KJ7jkn4{T8w)vK_WySsX z14XV9z*hBY8)t1mp-h+(oD=2<{cp&yMYD~w= z%)5u!i7xm+D4CtoZ!f!hn3jb7*IbtqGK^n=Z5;h*&;HM!bu>6|lB$TGLP^3ld^hab zk;4Jkn1f3RbwwLV}kD27?5!{g#oeBw(Tp#C{Yb2L%I4 z$LiU74c`NiveM_gU!g0=-ibTczVU-F`%)_y3@1w)kZGu~gcL;0Y$w` z6X)P@n23LMLu{)Nq!VZ`MAtO{lEDzv@VzZ9{AvWEGZz&HGD}<4CKC(+-$J(0xcl=Z z(G@+?-y4fN*&~5AT2wc;F~}h%Zi}w21o89bRv{ruUUO@HYenCMHnH7UO@Yv z>HferdePzR?gD53|5uF7c|Lsb&|Wci`Isr+;oqNPD6oY;O+)|o?Ell0WA*D#Q?#}2 z{!{;}E%aZqV$^J}{2Az9+spfZ#RS-1`+dv* zt^og^8}{w{?^R(;y{*KRy|vn1`*iCrEbhUH{4c1LqI^zh4~0 zWOB!`j;Xg3`7`V^_p5vi!|v8^$T>5D#-iL={(ETOzH|R~P%h;CS7Pqjiyv{b*=zhi DH(_jP 
diff --git a/spreadsheet/macrofree/network_appdelivery_checklist.es.xlsx b/spreadsheet/macrofree/network_appdelivery_checklist.es.xlsx index 8db059259bdfc1d57241d45394a2d94107bd62bf..af69ef0923ef5b263e8bb8947a67bfa5144dfccf 100644 GIT binary patch literal 27209 zcmdSAc{r5s8$Mk5luD=+%2r8a8?t4u6xp-yBq8hA#?G`Mvb0!YEZL1QmKgg|gffQ0 z*q7`K#yS}5`wT7g`5wpjeZRl=kN5qfr{k%6&ilO1>%6Y}dY<8)BH2G@4jede^nj(z zQ9apu<+~BU9R~Pw68Q5FYU;nlhq{Ibv*XtKXJWrs3>=`jaSwZ(j0lq?Sq)wm6{=4L9sk`7DO-O@ss18 zY*H_26h))B4sXBIK%do!A8P<_JUm=QUP^awUkE8@Qa30L0^AQBIB;rj2xed>b5aa` zuT5;8@tvuy3R=yUFK|7bMcva`^N#ObZeG!=-ok5(0heo*dq9wOZ87>0w(;2YvK1#T zdyWoTW2EqXA97x?FUFz`m@EBWV2)d%vp26r`9D8Crfu-md$pVCS}-(^>HUdep*KIG z@5d+7@bL@q$G>{oe0R}q{nUl)Pnj=s%$}4#R{BsDhe}V!I#D#*7)aZYtI?!smEO|v6hdvEy>UD77(tEqi2 zEX~_df|9fIm|i2_uiPiPla+6d95_&S;lKeJKsk3?kjo=;JM-NuKS{e8Jq)-<_)Hab z=k|pOyh0%x^dHD^gTnO)!JEUb6R#t!Uh=b@zZ~(I zVtDnajc=Av>K9{mG%)F45_dJFbC92h-TGp4b`sCIA14_uumtk7@sV9+H;82Ork5Q$ z4*PL5p7I>^>*u^IdSs!YH^Fz2Z|rokPQLykc zrf+;ywQN*K>HJjuZsP@fjzc8$q}@Bd=EqDcbAf`CLC>F)Q?{x|r=fhX`p4CxSz)iI z(h^E~4e#^uraF1InH(1jozjd^+)Rz$QZ`KQhP!Yo`dmFgl*%f|_^!v}(ZmQlh>1Dh zH)CC9s5y6TbClA%Re9@-w}+pb@LXSZ(FfBbf;OcL?nPQ)l-4HxxJlPXof(TBIOpn_ zGxtu1h3im0+f8$1luX;dpS!f96de3OyIMA!@}%;OMUAV3lN8sI9wKU4K%Fou-Qq z{6t%T%!4>oJ2^a_9tM^6Sr}QG&si)H8MS}^C_KVzvsGk!V=i@m1uR|ZyM|;2eOT40 z@+RQIqz6)rISVSimT|=Vr~&9^N3*KX+!eV^?sB z0Uen9+SiHM($VddSPNzbDOyaUdSN6`C6(^J-vy!P$2#5*Sw{^D0ZCQqd`PMpX+DHbg$r8Uv-eJX&Se1g*sxod*n6)6Vg59`7%}A8K&feb#)amF$ox-K%_56`!B}K<@t8X?0qq<8fUO;=9!YGdJohtEB1 z#mP?xo{W>9@_ihhtFU&9B}aof&MoXo zyg_GsvRZagP%b05SOn`X!^{1PUukb1J$C+Lp%ap5r$9FLGZ8Sohr((z< ziqayvc4#Q|%FzoY=L1@7_^JG2Vnehu5k+o_1S|065C8OPPIk#ZyrLl=E_69_H2*b6 zH(hN~wy7FdWuRZg{BcH=BMSWiWlh1So-;gOx-j3WMla^`MQ7fXKJIGw14a#~XMv=D(+yQVk|tdE`&? zjs1<1-vo#CyUJLGHKS|j=M-JCm)?D9k;^9p+C(reM|N7$%wb-V{WJD8<4a#WK=I+DcVpSZT@Ga zA;@OZy7FuUIuc8J$K~{UV&EI)F#-2(ktmdVaoQjs!TNz%b((yfh?Qbla4yt1? 
z4_NT8nsYg)^h&x7b#l7EQf&R(H@@6MOu{1wZ3|7I6x>IzwQ4y{Yc~+ayyA~cso9w0 z8VZUW5ty}rlSI1=Z8Of=>Cw((;RF3cQcjV_TE5?L6@4w+C|~3Ks7$$@tHk(Ic1he* z4cF;g7`sRcq4nqn-%$j3`*&(^h-zaY#-JX91Tns?W~L9@+2n@VwmBPOC`C z^cMJ8&O6Oq*UyS4njq*hRp4zdnHc?gE2)^C^V*fGM(;#MQJbLsN7%iwY&+Dw0|$nl z96CV1dxW`xoot*RnVY*fgLeMfJ;(Z>Z-+V~ery(1YpW`Co=WEZ21fPuPeit!tV?eU3W5Z(bI&&qg#2Uf5biZ_RZK zr+<)8-rCCTW2%BKPP%w*;AeV%|ELDBdk>YGqn}Zjn;ZSC&N=Yf^hVl%SrCc9` zYWi|dfOo#vV!Cv@G@9xywvvO6C_~(YQDaptf|ga&XDoC$C8Q)JMgl<6kv*HBfvV^V zE8n?sOucIQ8aa4-slI;0jF>2~S)c6rcx}7~{RO&amgm9YR*&%&5e=W39oTpejXI}M z;j6SMzFl$^Dr&sBGO}v5t?1Hu#+fjU8&w`qQXwwLl@kh0YU;|DR-F}LR9Yk#^V*_YGoVT% zvc^fSQ!t#09Ru0A$~+_pe<&P`H>v4aOw#~Ayy@Ejq^)Kv>T9B}5=wM(xyZysz03?= z;jFdULX9g59oN&6?w`)2`5e%Cb6%FxbFG!SN{Xo=a2sy82`Lke-&$QxiO)+aLZFXI zyUKRPnP?o|IvgwY51qsM$l(1bc5NKlgITJeHWik>r=e)hKIR3;xVf*3t z*EKYso1y)pPGyo#455s^_#TImxy7S(frI0Vi_MTS>e*wo|6IL!<%XqeELzsWN8Hse z1Br^hm%jCc(q_1#^illA`|Q-zs_iJ2wLvTSuq6}Uhh;Do;q--@?%s0?!_O9q#cY|U zQa8$cHmiusE7jKrKXP$kujGpQoMI-neq>c8PEK-2@Sb-cT_=wayKDK{{ep@Y%FoVq zs$%Y&8%TNyM1I!HBS5h!EH--X+r%qr-Wr*m(zvQhI&nCgkqmsOEiNc<$qB0REYnO%Bjy zQx9ZeMT{JDB5z+%< zNeiw88b(q)Kw%%B`lUNc(0oBfFFnsYRwzJsDXoLp;L z`yQwtsh?4mNwb}|6=!`B?2Cc&vWF2b&Pt^jk6}Su_9*EL6w>K&GjV(BI7J zCgkc@>PPgbAGU(Na`n?G|GZ`iW?5`aAMP>pd7U_F^7a<8__7~3m4Yp7nel1K%0hg; ziv^-LmPd%yEj?y3o06wU$1iOP@j!Ah7Hf-&TxKM#3%@|~K7U-ZHh)k#eGTa~EhaM@ zpCg+&-_R$lQ&#t4)ACUxOQ<>IefttMj=Ge29;|BaGm})9LcP7kf>q6)I{LcX&G&1S zlGId-|979lDJHXt>kjC5%HTeMx%)#e%O7+U8{c7R)>v@Op&DOI+qgqBKGtUwza%tO z9PK|&QSy46?Xm2HE)P1_kgEvgt*3(OQZnipnet9khG;bF2>6J_DLBtnisK3Tvhr%z zW!q%eA_<~sSI?C`9}_v2#Qwcr@34UHAE*3omlRF&!z$+e!JkF3LZJn7us1-(mF3Mv( zItMfaOFm0`>1+8ZPbLd1-Ko*;mNXAI!WpOD(H5v_)NbH!dd@tL+oC0*Z5>}6=Xdu_ z(!)0{bV*Xy7jbU-FUW>NO{hrKJ`;I@#u+IH#HOLqqM3j&D;qqA&N=+6C+P*2U4Td@L3*5~L2kYIu?bdp7U9 zr=AM#yj8^NXn+|ZDeix`-}5e2Qm|8*{O+9p5Jv4t4RAG zH1^}Dm_tFi;p9xs;HUyQjmZd$w-wUD9%(VQ zrEas4veQ;Iho0n*5lB z>&YQE37S<=-Aq4-#RDp1ScdCZB`~%TV*L6{`*MV>UwZNLJfc^egcMxhX^dkBT5qup z*bj`cV7I+QXFO})R#|(AIC`;1i#(N&D=V<8$VEM{Knk_SOzImOZFu0jdD~OF$tmVB 
zLx9a^;x6C$dU?`*wmoB}ue5bpiVv^cv;OhjwqtkOY`ervlb7AeY3YoL4K+5J@nB^C z4IPuHiqbELm4((y&$n84|6ysK9Qq)ZJ?ydgYG8PhsiIuQz&-H#T(x_``>OAQK2NEx zRDOZBO3eqc(=7)Y^(c3gaYl$xP>4{x@nBt5!Q0{@@==LMMld{jDjHtmsb;<0qCZ*6 zFYpr1Wlu|MPrK`h{9HLZ+T}Rmmn2VcAE{dci7M(r?uXZFRU-9;7T5{Z%{oFjCrcBP zms&kv6^xp&I!CCZRvwB_6H82!In^?3K6}dCqYGMSC~_R7W@O9pw$46pOmyL!zq9q} zYvP;$GG@%Wp=U)GHWVGpP&rg=44J<_?0e%H_<1PALKlsS&M83YWNdznN1{^AKtdJV z6)o?0E!V6$@#MmI@?DbB4ze@kO>xW5NF=F`)Y&@M3~JsoA}{DTP&>9-JYbjEkh1aM zDW1lScKhSS`5`xZ;|&r6m1vP$ z^nj#N<&xl>?Ld`k-T^{p16E*f(um$S~*T8 zY$ME!m~}H>>RE>l0TQMKd8ftnzH+*%z=f&p=D10G=8ExRTAkB`wn=7nQxEmqu%68i zyvKCd0==VI+RQ(VIQwR(Y+I+KU7Yqlxe#$c_yJYL_5Ks~_O+j%1zP6V*Lf>b%>}VT zeW)H+#BwZl-4L;ybgymH6N|}fgJ2qwhKsQ+-<^uM8&mmtDBalXDLR`1ciL)^-*1}h z3^8H>{%fWNSV!uPvd?t$x1so6??NF7uBP~+0B6wZVuh>`ueVPcm|fa_#d`f!4mXZH zE9P?)tY*aJI{T$5&Qoy3kXl01m03_HjhNuo@~Yn6vq9uE&BlFn`Wc3b;vLSJ=cc#U zM=8fxdOi>tMCfgMZ$~#D(H99p;Y$RJ%uo5-JsQi@l&@`^FGwBrxFgEL-TZnWu&!S@ z{0!UMl>AQ<$=xCZaTJ&;WW5G!DUFkQJ4Il(6ObX(j$$2kT^K5^pm^Psy)bPpvpJjH z@3)Nb!M;gy3Tw4+>+TT8cu=1fIn2}}MLzz}>-5S$n`7Ck5|O%4NXIx=wy5#qNKXH0 z7u$n(qNm7s-Xp3F&#u|Rm5toeqW$yR%Ug`$7*iwqR3Rar*4KsqFd5uXQx8{qgOB9P zJgixzK{4^IxN0!Q>`?|atn}sd$}?gV`bZ*S2nlEWukWb-8MIvRir3#DDU$c!a%Wk1^K;+&S_o7=u;c6 zXk8rDxW+!<-MyV8xenJJkiOe%Y3%4S?lWd;A_0GUtH-(3`ym@Bo+Y5X=Y9fLL;0!l z1A3VfX)Z=QB0Q=B=;{_HBNLlKE83~i1}6f%O^8q_Zf{xiNlJ$lyuCnXvsRTx!W0m^ zdC@s~PVwlW-4K-HAA)lO-zND$*=E#tNs^yx;^c zLHD{cRupLaukxz6^)~qiAgf46`lh|+RE}?Y`#_>&$v5$(F9<0q6rtd3l#1g@W^wW| zH>5qwtx}{bal;Vb?K6QPMj=ip&S=kAbZ)=OY2dzswXB`07`cgD%rvAo83}Yj6eu=i~Z$zPz1dS>L z+gk~m)5Mm%R5~`&al^Z+##6Btr|%h1=VSVbTH@M9IUM|PKDSph>fm_eC@8=ixfRJi zJJsyeA=KLslU{h5O!d`ag2UlcUoSFnhgkdP9@CM871%9tRST`e>v7}r3s;HHB4>jT zD2{ANnhxe=gQP~n6JInONf&98QJ%!t)(y)ne^An-Y?oPm?*|R2P{2a(lxBp`3id0Z%PZTYDFG2ZO%2O5^0}td zF)=RJE?S?yIiIqHG;WoR3q)|=*etg%>5l_@Bsawd$ZQ6}hFh)j{d^nnPuyr1J}OrG zc{_`}=&iB?k&nsARn=F={QJY8++A zV@n7N3rMeD^IThK9r76VD}R`G%4y<#-g9?nmdiV=sZU4Q=82A>?chF~i!+lN5wZxA zZ@xs$cDDpI@p%2R9*{ovw1+Vg>tnTGv>3K#EHree(D9%d4QqoT%cBReyvSaMbS{)@ 
zha$!$lFLq%ixH`dM59a@N+b<}DClAIyFKm@Gxl@F06fs~Q7;|s+(*`_^@5IQxR{Ob z>~I3G1)0(@PH&C2rpimoIyJ2Q3CD0yPDcm-ipQ=)qZD$>?r5|I))8U_Q%!^KShuviY z*6kb!PZ_bgz}9&Vk9xlsMV&i8VY5Cz6i{Ud)xE#2dG;B|?S(`*OLKb7SN@!)Y%CPB zg1fvvJetNnerNsOR=M;D!N{bUMWs}X4tj6+CE^rp+nqnbly!m_jnK5oXQYK(L+@PnrYu4{J` zt=E63WJjzugFyZ7OE{un%aUVb_(n|nf$T6@39s{=Q6ftZtSZintc(ukeXc{SFBnUB z35%FW*@el7+*dha8!i*gKo;Ue?9SJY*H8CLW{4>fcE&hkN0Cz#rHQaq{gxJ!1urs& z(R(}cePF_JSoXrz>`9rM`N;arsiF(p0h>{NE~b15yIyh>GZ&D7O6|k666zsy^za z6{di?pAbs0u2_JU^|mHgzReZODJIFK-o zlnQ}HPe)-Tm8hEWJg?|rrB>!#AfM?}h8R92n-Cama_;_vVJya_YSM1NH!o|ghoc!a zg%c?&if+LA=F!a-ycPuA?PSlbMV|763v_TfH@6Gbp z)n$4{(?X+iT(7Gv;Cpo9sJoRG>=sobi^KCwZ6|~V^)|+Q`6VJd-62(-FD>WQja(9z z$G5wJHqZBw6=&ZQA?L}`w*6-P+&I+ue5-dfNC@p>h=~>D!o=|)L_#e+Oe1TvxIg>1 z0goNnAWD7Gv4$1PyooN>c-H={7?joiM9#QhKs(@juPQq=RLoBTU3@@q@cbcY~1&X;H0c5S+4($z}L+dinY=)?CuOQzt5%3+6=b0KT+@i zljdQsk8`?j(PM)V)JYpdQW_X^`=w?NJ3}~WXW_Q@xo8!F09}o`llAk0#ZeC^L)NQX znB5=tmP4}IMGRx120r)^%`L;eN2=Bv+3l7DIB`L}xj~gU5dZ#b%}0A=B3W(z6sAw# zojcF5${y*YQ)OyM@W`;a??^NiiG0$h%i(PHo!H_Hjhp`qU(-T z4i6~7Gcp!rCi0VoZ*nQX0%AsDvA|$$w5C@P9z{DqbkgA|Uq&BNA&0OnEpFL7H6pkg z9x1jC;cZaa>h_qLKoc>;VX&Ifie3$`sB)aZW#Y0f)TrB0gAOy|7u=`+3=~bfuuF0t zXOHZ-T%MkeaM3Zub*5v>FPp;660}*1+bZD3#fS)D1MLdtG)pZLR`o}P_G5~crLK{F zJiL(U)>}I-c@%v#6CxecrI3k^Cb~GXFx%z=El2L0t-B31#JNx`+w|zNb6CgA!fbUo zySJ^q=mz21YRf_d9dT5^&_r7JX1b%}IWzK(Z|G0v-p=H7%!;<y>AyfmQuz`c35U9>Z)BDtPyJ_uB_ACw-CpeG<9Rkwo-S?#HOk|i&#ArQE@t6wM zGRT!+8C*>3i_c+ZG=qwQby!5Uuj#eBCBmgVd@EP8kKrHkRk~nr3DuGsdQI%~CT0ZMnJHAUe zTUfbD!FbbKs|&g3L#)Vp3U`~80t>d#yccd~12ik`wU4YhG!}zQmj?@h!8UkYm?wPe2V3OxCNQM}mSn2vV_CSFV;6}pnlP*H#lH-^4_gsL9J zh78cy-lwK-=%t@H2#Z#c5;(5W>g*72=`U67~B<#@|4!XILpR=Ck7M8kXgj`;1(1!Y`M&%S1U+x~F#}Ru5dbLN+gBo|$+@g8|sZff?Yvs;`H)QJ_ZH7pR{&D}AT2u%Nu*xvG+?6Fb#w zvK&*9L{w@YU9X!`PO`0XGwcUR^n!AgDb0b}g`ZW)|z*SRb#=usT@PGqHG@YClprdc_W^01LRiCDL9*{l`7 zw=b@t_>0D~j8|M65*sm3R7z4Ur!;C%1znjOLe68^LST!`sEHV2+p?h#kIo6D>2R5y zvJ$V)P!U~JiF1+}uFQ2V-}v%%fTeJNiDgj>_=2$>x2{N?fEFQ)2IxOirAFg=N*89V 
zwh8OcipHPm0N?Iit0-mk;DpVx`{ccIV4iJZUxd8dqSex3XlN!-PPY+0d-Qa5&~e83 zJTNdGn=kO_-0mT^vL&ERV6%cY_Ok`ax9?VboMO<8gFzRDoIEtDCe{}1qtq=I?X1>^ zzTqMDo9Y#7IHuP!g#Noe8nUP#O>X9mRdFxY&n!<+9*$mt!@QP&<8HAEC6`m${}rWb z?EyzK6D)~VRXhc#wTc{Al>7HqNnBIAAI1w9eIHRxKQQm)QtU_*h&UfT1%Z2{dK#6g zWm|X>{3QH3%R7L{7h<}|OnQSjbsk%8*$?*s0|io;{Y1{UQ?tm6BTUP{$IT`q`%HJ( zi^8IB+q!sZ-%TWLD+(~^vOc(wov_lg9x}#?jG{;wXMrGsxQU|`Zx>bx_cH{l)}M+g zLVu*TjCVJ}yw-r~S;R{E;Y3g`0`ME9MSjMxpegiXD`c$0l;-bJ}1q zTzV8O;wr`C6(=nRc|@qK8FAYl-`=QfaKsU^Xl=o@3C+`+T84zKdu@s=re?=T%xsnRY=3C=-PF?1i59KUuzpaJ7)Tj#MVK*$j546rs*D}luvb#>CDD?Z@N-BDx1+I2O0%)I6G&&bexIAD>3C7 zblXEzMGc&z@=;?-9sN$$$T+Nid3r2q+0LtCV6R$WFJ&9g`;FW2Y3x=rFBQ+h z=mUU8HwuH%&jYCnRSsUk`6|Rjv1U2h-nV^joMA9#FUq3?spQ3SnwyJc9AN`qPsvBY2i93 z7Ru$T`Q>xn&kWs_6Jm~Wvz8!jb4RSL)Xj|MP|BC>{IXNI2b~_#mdLs}lV1kx(NAFT z5RW?o@=-H>@PLA~p_lQIsbC1iSU*0sq$JTM4ez0E@0BWS#IV*-poB8|^7VQlU((JO z5IzqyDFE4MNwRgb8#6Bwc*srMo;YF)x2p(0K3p|LjDAZv2v!g&(jOvqL<1fxjkUCO zvxxpthWSv|z`(w@fDhh#IaxO~SQ!_`9&h$$tcP$1Q>Io=ygRzZUT>2?M7AMbmGS|Bl_-Kh2`aL zey?7Z3ojA+wl(1qKiFufYLJ64IPT$@%~PS3jp?n%BDSjpKZDy)xtphUUs`Oc&4jhb zb+ZK2Rai|@2NMUrK`t0qY)E(bev2z^qII?*ONKa;u>#8Vq_n=H>vnG6DRcWt5ctxv_1M`d9J+9(E7RJ|5U%`COoNU+Keb3O2%i0N_Nhz# zjP0dP{0q{>oJx6w#(SMtzxz7d4>j5tLZ1?Ox6;^I+Jp+v>s01JSB{EJdHm>fmmKK5v=gh{Deq-U*RmwzXzWwF zdUf=wMA(oXZP`J!v5@-*Rg3JL%~ge3uZAqT6_=sA)SW5NPPS-XJDuqx)1f_j5uKDI z*^MHSOAi9>B?DeCSL?a{c%9tdPcT}M1Bp(zGl*R_b`mL?0w#xcrXGTLD@gt*Ba!SR=OJ=y= z#e$K3QN)Kj%*B6$Wy?>3*7Xb(h7o*8r05J#itS7W#}nd;z*}2P6tH7zW9|0^1`C!V zOOaip1>YK-My<2Wn+o9eS!o(5GJQqjjEL=(+rNepi(6AFnCHM21n+G|S%;~t>isP=Rw?nXv8kU<4R#^g!bcJ)Zz z2HcZHCPbmN;ltsQGGw9FwSq<~8waCc#=hJ|91LV*K1Q zbu96?sU#>b3v&@p(6~Z+YkqFYy)s5R(%M{v32J@9|Er!~cw71e8%ps8UMrDMidxe8QO31VQW+w9rqwx%-C1~MWC1ktHBJ)woJI*J&> zvwmaIsmMv2X4gn8@~II~nH5+?l26R0iy2#OF#z|odt|8cEP$C*hTeJGEZ~ViV`Cxm|nrDGC z&>t%pZIhm&t~j0Ev87RH!oukMx-~|tq7j#L$3S`prHBY=f#pmlHwb=^)`R;IdluKJpng%~~DJ#YyjxJ&u7ZFhu$!`-qak^h+!e4!Py zc45gi9@aBe75yM5(#}UpD_z4Q+Oz}v?cz7f)@c|l8<>~YvC2Bt;~xi@!+Pj)lwrfC 
zw9mMz3q55yjG7_17!}7)@NNnJNmR_IKZn>ELI zpbMe|`Nk4J11_Eu-d>r-7P(WF6QZk}vt!vT67M>FAst~ZTUM1BOQ~ipq!JX7Xm+dIW$D zuV{V0G0ncDdv?1NUU{h8y>mLVh;1szAX9-cY||2nV8`4#BXvL%I`7~y?cFgs4_8=2 zs4_{|hElIDbAH&2udA=|)nWz>gmGs-vORU)Gq5}fY=5d6aDz_KQF*Sl)-5{a^5Ji! zpJo)HUQd#07xP2(cV%@$Kq5@1qofKCc6A(8G##yxnHdjU&%GXAwlVJ6IdyHKwZymdtQVpA zrS7KlLNUf|)T1UN(s?s*1ShV}9yUIES^5liJhVG6N6N@BJ>2@cG&e%(sCj)WvF<3A z0S1voRSy41b>PBNbXp58t$;TIx{4G zXr;jiVeaI$S96W}ARz&e5yl{go5u~=n@dsCL^)58yioh(yf$F$Q43$xgCa5q@>k;+tD zK;X+Wu($qHky2we1HG{4^{0Ds@XDv@CW$m|gnwS1;})h*Y@B&=BspU0T|S`zH;c%; zDbR86>y$drof@w6P&4kn)bi!rPe*@!{Xi+Z9Ctq09~drXD1*<@!qCK}wP(2y;q_E0 zx=d6A2yFr~(abddI-ge>jBd7ZM8Bp6~R^Lm-$Rid~o2#*MFasD?0w6=14+tM)@ z`wD3ZLm_%i@Qe6a8t=;OZ$vc=s<_x8@8YA0hy|?`4CPIr_ip0+FNlV1jlQpjNagve z(_OcQwZ>Da!+wKLm{Ga6T(z2`&lwde0Fv>eLx$;;-JW)`L%HT}@zt*zfjae3Rjl2%&y>e}cz7KEa+ z(2tr{LIoPv@4xouhxdh{{>R9>GWnmqYB0#VI}vH8q7JQjJUn?~XTD}#F*d2K` z5aemxJ30{Grf$UCWI4JlTR~9vVu5)r<3p`6aVaZj4>2(K`G-EH>&ArK+Sy((@8`fHiW{@lP!&6>oI`TZ@L87l*R@ zs$lEdFYZpX{jq9DnWi}X0KgFD6_g=F!bp#FE$?FTnsfHrfe3H)V>1s;HaqOMb0ykT zjiwPFRz_Ko30QbRraPfOR&u}~zcSBvD~ppCX+Ule;%|H`+hBZ5n-yqU9uUN9m-&sk z0!cgOqEy!`-b54qioWqG;|i)mW}$@*FWcBB?W}!yM$JZ;0&lyBm`UxT*sFc&u$X=Y zBgy84RCZrZ?5B3t-Deh0ITW*~o3$jVS7OEa(oBk`jAJHp`U7xF^$3AalM8abvEHkE z(jZ+zQoJ^-hG+naSyyVWGKO3`i`8<5kY%BP-&d*v-g-ludc<7QQ{@dYo!-fLbvebY?U%K+oY^iFW-j~k#=fF>A7{5UAQugR~$Bb&5*bIjI ziCxTTj}gkJj9_NKYvSE;z>q~+NgA@gB#XtzibEtQL%dpVF_*iwF?)`IqUT1Ft#BZ` zn&aC#{K6V75d*u0CGP;f!Y3qbYw=1?V@oCAbcPWP{R)nhjMmD>1E}6vH#TAH)PdKx zi#Xw{RvtmKlu>9iNt+?{T5&<40A6k_+YG0rs3@FR5hhjdOpGbg1rr++8kv(7VWD5^ zS>hVi`rvARcPa3VHvECiS<(v&c&K%TQwD5Y?hFgtjbmz;!aEbw;@vm`pUp^dI0xw4 z_9t`ic+>uitkCrJw(NP^LpL3j2n7$`aCm#O!lQ3m?i45}8tQzgku_E#?`8*G! 
zC)eg4#Fg&@iI*{tZhhfaGM_M-S>d4A$sofAwb|F=OLe#~4k?Alr;~1TIC~^J<5}PqN(#Wb%}oVNw|S;bj+c6cOA%;2HMe z#?Cx=k%3?zEdzGhcrldx564A?=cmP&D(gv1-EQ9-qpF~oXEuMbbF#|_<0L5q6vm{J zRyhtTyf~fsnJS_QU`j=cRU4x^`(fZ`>?&V+)yy5EGE@I7S=7|Rzi$}&P7V!^A112c02Ii13EMdN8rm*>hKcMWp`mnSH?mB zaQi!zwF~45Ll1~#=6KTOSJ0UogTQUA+_8JN!jH1K=50LLA;=mna_RXA0G9NA1IS_n z3-5o~kMe)suUL2MMsyi)`JG-)DCysRCD(`>`u;L$`!UjG*I4Wi`+@KR_JmhM3eS`j z9_g|tJmB_Mc+0sz!>d`4Bk2#^k$$)m(0^m_KQ3!OrOKgbc*`G9mGmPxfJZSb%-Vm1 zr$zw62Veo=Ntd4)>dL?c0Jpz|ufdU+5lGB{%kM4M27%i@%+_{=ufgpw1MYq@`}Z<; z-OU@(UclwIUYWk6fBU7EWR~yy%OsX#q|5I@%=~|c`7L2sC?~Y7>I!+tSIgt?Zl%4r zYJc}AlST{Gs)W1JVq|7d4!GyJubffql2xGVnt z4Dfq<1(*F!DzYkF)wrS#dY;_CO2|<=ns=l6447vHxGa{Gk0u}l0E=HzYcRY6Fs(Hh0T&_?cBZN7kxF;*{(h}e0ozM`r2#Hi;Ox?qk&KT@xzIWQTHu?|BflT?Dq!>~|M125)YCIZKlgew7AJSM7NA?K$AHKLvdgnR4G@#;guSopM-% zghS~smA#zkJVW+pFMZX!fG1DhO7Tzxbf^89>|tvbu@0$UI79xQPde$PkmQWIa~{~w z{M4`g%umIkFa4qQ;AjbV%Lxv@SK=BjiJIS^zXJaAr=ks)#G>x(N4!1$;V4Op=Z3Vu z(?k2cg!}2ARQm%6q|X6rTpamubVm(}!Qu}un#@oA$u|FULw>6x;eZft0S`IV{ zAV0OY$AgZ&Y5wh4_Fct>KL1iI-SI3<++JZH#1=nzDhQSjBIQ6mO)14VwoXgQ1^C<_ zGdK?I@>co98%W__yz2r1&>f5ZBvbd5UWcC_!2T0k?bjbWI2Tp!Ql#zVFWu4n)U$nh z#uhI>*U#;B$M) zOr6>#BYEf-8OiD&p8xD61Ay+3AsqchhH&&5@VVaw0OV;u8T;5qN5av!d)KJPD(&E$ z9(rDI|Ccmjd?o*#&B%Xevu~$=u>o9zWhL#t*ERo1n*Se>sr!0fCoFegE^EII?F6;g z!i1wQ_a@;#OT+!&rP;qzUEqIm4Y2!vbIt#c$k@kD0~UtuRZl(EHd{{ca<9&}F+k|2 zf9eIe{cn-)1NzTt0Kos7Lv#OcIQ0LkWLn;wIl(K|Y3Ooecb4e8e|Xw>xa*9b#De9a+Bz+rEiVxNcr*#x54IcxtXfU?*ptUT{_ z4r0DK^Bq1vPb6UW=excW)6cQ>elU86&)y^*!2_b~CaLt(900%!1oRu=79TL?9Q*Xs zs}&>wNg$wo0R68>alZb|U>^X9!3u||?;j^dJ@EnruQFcp-oqo+l^N8_w4C9F_KS%$R z)bUUEV~Um}=#_q9sGW1)v^jI4@#7!6KRM?P|L?7{_qe}ME#}l!;&kv-c ze)pv4@?kOohuz66`2RB?C&sPo_%RlLYS)6XbviQTT)iM{=XAgndkGD{Qxy1`+@=piBTpuqIP>>rC*e##_UN=ceo9xAzDc>)dp1JocyeM22-l$AkY50K|va zw3^_~O@V(zXuJ;0#-?>Y-3zYEaZ-ud zqU=A90?g{)A^=X<32L`INivg`?=ylk331mbc)%#4>7Vv4;2Q=WAD*9+`{k6X22n~N zqCI{dkIlab_+|X|PI(IenLht7iZ`zg{W@$&Dz*OjTO|_a9+jT`ohU)TJpX4DfT;GU zWaY5eDkPPT>@(wj5dfp_1of+&0H=_a?{f+X@#kqHU~fDcdu8u}f0Z=nxZvMTYVuD3 
z3W8?0uK{sdQUaOE)iuvuO zoqF0Q0;!%zLG3X!Y59IL1BgG<)KmF>rU{4a`sHO7L!?W_V|?oHI#--)u@U-JJ0 zh5e1Od#_b?RKo06X`curl}JJDX^g<~{f&`?_^UCB1C6m}?}Go(7@7Wd(%+3y>|YdR z{%VYaf2%~o+*9%ae<#Xie`EX~C;(CI@zUhK8Y9(ymG+51DtS^+dm1BY`M$yQmJ&m zO8Z10l{_h^J&lpHe1BsE5PvsDw+Ls?y$k+RV;uh5Nq;xS`oAf9{?!;I|D_Uuxu-EM z{i`vC?JxQNfx>>3nD<&`N2UFZ(KE_h{@vVo3&R-a>jeqMu@V=5{xp;PXSk|S)60{T z0%hkd{A(nl`uWzdd}36KhD|l)lD?d1jaLZ^(wqEHu^DK$t?H<$6Gw;jjqx(K{7mYi z^OjXy!s!^_C@{2}g?Rz^)!6mxqFXZ?FY#`JM2)5?X=yw3*GaS)@JkE}vta=X?wVm9 z0v-~!%K?~4^a@xr_hnViz}bN+c$y=!&a-AqG2+-z=zff$=4po-La*Br-}}r#2~H5!zT@YVVMO4cV;V7rKqc%O;#|(My%$(6@hp2Z(Dp zqm_0Yuy;tg;_x=BiO<}$s;`!P(QIg3l`IM|%Yv5i?M8%TZ1iYUZl1riiQ^bZ2^+;@ zesIynfAStY7d&ODTfRA%#?EK#erR#+nD75p*HuPEwYJd#1f*mL>5}g5mX<+68i652 zNr@q)L`1p-Bm{J;|RQgIjhq>oq@~y zsuBmnSGCWwE)p-}o*bJK)r|A4r(b#mxFOD-ZKifMtw3H!Q*X%}A+uD#j~k9#VY{oL zb1RdKZirrPRWl2pIa_OtFKoy_`T4`Zb^@=JNnu!^b6|?hqb?;YGeuYWo*89FTJWzDK(i*<;!%2}4mJ(VQS67y6f;QQA>r&6 zU6$sKK5#GA_N;yP`2>AM;5(Q4GjPE4G8{2BHFqlFB-ZtH9MFGx;4eenb#=%mcNuy4 z9wp~VorPS&43L4@$%$XC#m259XIH|mt+sMtOC~J^YxVZQw4(HKB3J&Ca${Hd11-H5 zYqfz-FAt0RBKNc}KrMrZ0fF{cKaQk#!}bmi#C2S`y$Vq{*A{^dav66{m-84iN*$sJ z)4{!xf#-Pv8{;jgI;Y(RoxqJIJ71VCf?8X7J>}wCCFJ3v*3}K4W6@$~uTK~NfF>T` z->eP=e_HlN8|=7GiUThUgy<_B7d`qpnX6oJ6+D+j zaOZ0x16V$xP7AK3rIqGb>r*Si7`~#AdF)G!9VtKvz%F(-q>hi%E6KWx8USdSiwSALnuvGjFSk@-p!XR%-pZ_;HAs!eKIS&560vB3v>b)mQP9&61n zD9xka9-llJYnCMP4Wp#uCLt~R{9We(h+t{q+jb=OHtN>2K3w7@Gsi*4T*jL#?8N2~ z^-31ho0AQt6LR)(5r-*q_=~$|+4Mi=UMe` z>q`cDCvfD+et5l`;cf!c#7M8H%WF0tB_qfsO7=)zWz4)PBk07+noymExWS_RJF)$< zDilj)cXhI9ln;uFYVSc$ihdBS4Nh3vGm1(LTlI_XEN?IKJ4Gk1YXm*5@eSX{5q{fV z$Kp{NZ|Q=;>M;UmS1!g}Ne*eVvtZlb8F0Ey(#vE;>*V5W{kKF~J-!_yj(cF{%-F(_|2)VpK`Sn@W)MMPVfB>8Vs^r+>?3t{w9dSLpUp z?e<|fCvNqllyIRq6|$Lu=y0sfz-^!AJGc}}i8Rv~$U2n8XHar`_gHvXO3^vJQQLT@ zhx?*Abl7J^)th?D2Tnt~6zqgmZeb^n*U44B#O@s`KyFlkt(Pqn`j&RNylC)gS34cm ztt@M3!=n&6`)B#qAz)4s_MJLcY7n1vf6n)<$B$!6MS+)GZ;t7119|m{i>W!*<0o^OwhY#}a5Sw(EpP`! 
zB@nHx&wE)FD{R(0Nw#>srT6`X=)hG-odM5VGL=MDlcKB-WXHy%^5v*iT8(nW`w)Yq zET+|Y#x#Nf>E%(<{n`{u3LLDjZPO}L+o zQ1@QqSDAEB>qH4NduLkeOGODFi`_uU-0aZQPI20fLtC9oMSTj=`j-xtT%9=mHpNg2 zXEdQ$sMCm9Oyb@9GYfN@n?fc!c^5wp?Q2Oq>+DDuC0K?e04_Oev+^&@CmQ-Aj|v)q zizS|o>;dD#gP&R@&KLs7joYdya03Jp;`f0kF)Qyfg=$SVCeMw^+PPPlj4-N8wP*2d zVXVv#-PAvxw^hv0sitEOd-04zuDuAtE-#3e8i-EWRt^R3jSkYSmRJa?D|Tup_nkyP zO2`kZUO?HVxCI&*H&7cXUc4ZnaB1vi-!-A zDO=A#wxge?K+DT8o#P8u{QQK z7N#VswNa33FRg2~5Ka<*D?k-ldOM6O?N!N2lD*%$Tff*C(xd`O*5B+`-C-y|3ISyc z>D$h$tZtH!a$Ra3C)fb~(f2O;@vG#VJGcGhqdkmmh{YGMI?9$IW#*cNM1hO^50NtNH!!KQ_R0 zfNzS-9T$3o0AaLMHNO4Z1N|E#q+v4oC%gF4%0&WikhJ(#1pAux%QMdXezfnr;P2(n z2f7kr+g0;-wLK-#LN2`~lObKBq}W~s6V((x@)W(Dtxr{cpj3^eCDf$%qvE{c$!No- z*RGgn6E$QX)I_G9&xR;04t4F2s3IXK&AplBB0L@DA_QM1BGy%$IZsuST3xf&l`U!l zBn-zq*m9pvO<)ses(!5V4Z)v&i7OUmAY|Nlst3ztFTQ2AV82cVZ{^mOT*|H{4b-;b-ex{=%pnTp zMf&Zbqkdg$BwIm_f&WFi_#p4BQo;)fBiFZbJkF<|hbR>K7MMh4BSzpHLAOU9DabRw zVjxq)7u&kD_?nI1c+_rAqc1>Wm=Z=dy` zPSPmoMg)Bu!)NW)AS3jx;m`HV@}S9#&jeLTkH2DhG_ok)PkGG9rzDRbstE+(0IYCm zt906;h?xQ0@%BN6Ox*{(c?Hb2oXS@7 zm>?rkQv{+Z!+ci;yoItTm!$1RuBiD>Z*)WTsv8k)*HTD!o%(Ry5COn$wvO(6yg!fc z6F|=B0{HTk#I|6K;tq6yvWY6iH+T)DjYX>I058d-e>vD)9yT0ui<|F-~cy%qshJ2 z)(e;P5bdO*J&j3S(FExlBm}zZpZr`Z1cQOWVfJi|BxXrM^*Vb_d$G~Mx^K4 zO4-br*1Y|EYpYuCxz(%v!6H(bQ^b4z{P5v%WgJ$Qs#DCrYd^Ujwp-qHyan5J>qq#f z_WyLawsLWC_|@$txHwGl13M8BZ0P=Vl0RUc1bA(B zNT9X56Z(hYushqu_IA9%d&t@Fq`%u>&q;o7Dzkm^v+Kno?F=*(gwr@F+0UU?4{|cI z#`J>Oi%_W7oSt(+vc;hy=2nYH`7`=t7n|%*8 zj^0^3FezJj5;Ay-AkWdr9I_6_U1PDkFh>IkQ;nS9GTON(dq0EwZS0OxEv!S`42m;& zUUy*8SRS&T1F8ML=kG9u@laX9Gg`nlXeVyGaC0Y}xISY~p)2o*8H{aa%#Okh?>O&M zskD?DLY=Wy>BCTzsE_gqK6E+Tq#CS4)F7p~+mD3Zui1d(IOmZ_`D%5E2(RPj*+Y2)+fHF&&&epP{T3<*; zcY(GsG?6EFtXt-TmF~553`9nLRU+Sc0)8^yi}Zyxpqka$4i+>*d(aF&f$t_W{o$O{ zM6g$Q>f9*aC~;Y|K=}6oEj4%Jt-T(|=a>i5nqHEGlho>YL*qRmihuR=N1eQ z9T0ERUPydU`%bUy-=8)A8?_Prb@5tUH!nXEMjk7=ID6PSdw}(Pp4+;c{Vd>5dcB(M z{J`_1&*Pk)Yrz=yzED#rc0e0*dS?W9&l!X|b|f~z(K9Jwa1Fn^v)Sj}wYPT&M5`Gv 
zjtzbKW+CK}k?6c|5AcI~{+;e;3v;#lIw|F|FHQPZj!W<}+jKQ$!i;#vwKv}9Zx$~) z34b7G3|5YpiD@%01xl(os6R9{^aK0rcFWym_PRsisL?@*p;R!Sj-O9|Hzu0TPpw-o z&dDRkZi}KovNY}vnYQ_|_@dxQ9S0P5X}~qIbHjj)oOmZUcVsy?Kp1o9*JJNpno6OUG~SE zz0Hp-m05+SSE!H2r5=+fiD)9y+@;sGgN9Cu@$Z2>*Dv+g7W6X#=l|k+ZlZ5y<@|{S z0D{ok{}=t=Si!sZ_cm;cfP}ONSaf&876g<=x&;KJbBKWfB}GcQOM2*TP*NE}V(1VMkj|lo z`0fD%-OurR-{bkd_dDJ{9Pyqt*LALQo$FlJeGhxfOI^N#f8oLfv`f@ClnS#TboNG^<9DzD#Vz1yGq^|Q+pZmxGP zL>;^jT@^nDj|xn%1XL5Wt2IAx0wuu_~KV8oLc*Dlc z4+}}#E{ z7A+Y!K1W!dOyoL@w_l;K>#CX*oQmwVHMvvEXYf()vJl_*@-3|qP_0C1{4?g=WN$f< z_ZV{nJd7*?<3Sqt8k(_QMrKGsFM8ji`F`Wc^5X!Bv{1ZWw;G2FG*45m-XsIJ-x6n5 zzmj>BblH=g61zU;8Dx?gBJ@q3ms$vOfybbiqcNd6 z3$vBSsuu{nDenXm4r~lNcT|+4fQUYEQX9AX6%;ed%)1SYzZ$%?Ha6nPCG3E>{3mfAiE!#euU)v%diTNwJb*YS zb7uROh8BirudFEQR@6JKM!E1Cu!m0WeqWU=r*yvpLf0%uMsPfuarhn*Y2wdHdHZ2R zGYvZCib>SP%hh^O7i(5nFzE{~(K`%N;3c;V9O1fzHaw0q4dY_uW59YI*1slryf-m3 z6fNj{Eo? zBXv{n_J+Pw(sizQZ(?~DJbC-#L+0TJIpYq=w4slc(T8uc*J-$ea4e!(x?hp)uKRJ^ zeCy?P{brx6a7Gyfu7R!)^B^u{DI=+BOzSxdQ@X8dzb-mo(2`QD)KPlOv5Z#cNVYwl z6omG|zEEyyR*yQPbJv}?i=DBz$5%{iw3OCKj%IJV_Q@RMyE=P2a;=Z&R}|}A<1nix zb*fOdDpNjMMb{nvpt@o-noYNdk1u~Kko!xyCasGq2YTo zDvHmwY8XBDX0$J)b%}*O_KBBW$Ju|ig+mFE4IpDfzq?LFqkqX~C3L(Dww`dvYeJ8p z8EK?>AV|8|(kkEBh9g9cH_T%7T7~_x^Zs1e zLjeEYP$f)6E!pVO*!+Ch_p5JcZqZywyEYW^`cf^sn3AuV9^7k}_XRrHI@mSKS`f{N z!S9+AKN`VTCWF$JN(bJGu&QF1UuuY(ExECcBQ9TW=Sm)LC7#^fZ+^1rM9;nFgsxhp z;szCRgc_R%6p1fiy!Tey(XTt^xu}W2U2zQDyrM#p!|LL9yrK_TVu z6F!)!j!32iAG%N}wt;(&I0ou3;sWa~c;hh|-@2;4EW_%9Bi1Surg2Mp{N7WF!&mRM z94D#O60I~RJu%a;-+g=90n)t04ic7Kz|l+Cq{5C^9{Ki|lq}CF&1(m%6`w5iVry$% z9G^fOi{OIh#TOBzYQ}MzPXgg-6nYm8pFJCVc}L3YR`GSGX4}1G*}+@g_+s~_onzMm z;O`bb&}Pb{yYy4gXNRx9=v#cc?1z)^bjj^ic%kHh2t|P+d4gl`>y9b@Phag||L6;s zSb*Q?Lq2Td;1gHdW85#&c{nVat(F@>3XOA^y=Im-apURsz_fARvW>9p@YYB4M1N+` z=CgM2>o8v=b|j|-z66q3HWUV(D~9e1t8hBI>=#E?BQ!D*)Gv)NA|hMxV6X)Huej zeIhH|Fp2|~!%sA4;{BLvOzBn(3+C5#HH!M@x`Rt#)u>VqXc_jDnHf9xmnSPEZH4pg zOj#Q}X?j>wNmMU=@V-!oN_&5&F^#T|Cq2++gLz>Li{Fp_*eg+j@O`XrDSt~O*LeJ& 
zRDufqY*Y8@Z;Lyb#=K_ZpPhJ`>pMu)K~uxheme^;9${GiueTqu@NgY)%sJu`x91V! zUB-IzPRa}mt^3Mu`&+XG(|UpkSR|ZK%>GvLzF(-!9J|wqPVeX32Zq)4bW+BR$5}48 znX9AT1EEG;7oT-@>Qk(~>n@~QQm-1(QY{#^5~7?q`R9{-&O&wsqJOh12!jEQtxwr@ zS*0B@=aP7BNx{r;vAwjyCa3ej7iZrhOT~b$WqEe!M)>5!w2*D&jouzH2i_3zj;Bqo zFKcAl=&N)-=2s%1tyUt7t zX@!rdx)N$IP@zhl^M{Y8&-nX7*+i(1~@^^APZ-=;jbXWwZP3p`99SCPJ~Jw^i!*w4=Fa%Z`}; z9AU+qLT_KlU%0^Z`qBmBvk~TKWou^l($LV}j`{SjvpF{I9yTo=`TeM((Zb5S<8eUs zqlVccNGjv!_naKP?1D9dG-LlANiuaV)jBx z&*5D?k6d@1D^6zDi)eyUb=SB@n|2F?$b+#b>z(b?+!$6%nwG{ziV5A57` z=hh3Ei)+C>M{|KfnqqZLK^N zQgm<(*E|~SCtiY^LFW(WtM^p)x?|jl#(Z1wqKt0frhbH=Wsok#R&3jGJyL+N>&UR7 z99p5i%H_N0E|DZBmy|WnOo81tezcD;)TL+$M`j;`8YU8ta2jB|aZdVIl1A|Rz(u1m-Gh;qI7ELU=avd9XaSGgeiE%77GFjxehrB?Rjo@A{ z_c9(ip>^I2&1NuTXQs*KDwA7 zaO8EI7?>@b7Dk;^c+peQy^%^aAa^1l*P=2L;$){`5A|mF6f}%Ix#E~4fn4OAolYAq zXjpw#qMu!6r!KUR2OgN}&sm&8lneah%CkyPpq$!9F>$<8$t-@{roRs}g7CQQ&Sgy$ zrE$aTFoerBh7xzOubg1Y5_zy!YNOq7yZ`2jQ|eB`!j;rvg;a3H@e4DzhwC>-+&q%H zWCD}S=k^J>EHa#L=lI#Ns$`}F5htVH)fL~G zRwGv)9OXB8F1HdZcW{*)`|HN~cI9zeh4doh%a;e+8!FUpE4Vq}=`gu(!RwXo;KPM~ znr4L6OJ~=w^<@TEl#f}KkNGhAwn0eC?~n&4C(sHA@eAgUYCFlXP(ML?c2T2lCZ33G z3Gt;WC32uzG-2@~>0GM|s8;}-)0LjyeX_-Tv|gF4deGfatS%$5WMIQwE97*Hcx0ot zI*1KdI_}Fquqxj#`64@1a@||w%0L@)Bfa~g^DHaB5V_Z&n4n92jcSUgJ$}qiK%Xq5 z-qMOGb?x>zuxgu5U{P&jOQx!FWYtVdKtfg_3P4cj`t3=D&iq5<kuY+baf-gRjg!cHuq%fg-{C=bs5#PA z;%|8w7T8}amw1cM6xsW=A9*Hq<>fDz#B-TUr`7BLZ4g}Ow(HQM{o zvf`uT4ZUo_chf8yMyB*z%cYcyGCM5}yR@2IYj#N%6eTkAD`{ePUn1IOWB!qosAJwN z<7jfXow~ZEJxnk!6B7AgBy{0MJDzjV6x(IHy`9cDnUIx=g0(@|(Q2V4nJ%;Au2r$E z(nM~%!e@ALtvbGM>P{gu9u91JJ@EE@i!d_S^&Gtsi!!)nL4pvhMMrTwdYqtY!2UfL zS_&;IU)S%O*%A`uO*$a`xQtm^lC!~6Qdj#WzR18V!ysBiHRTb3|vbC6mFBd3|@Nk2gqm;3BP2mBHvk9A%wBH&k;zlp;q(V?Gf z6z~w-ps&J8-L%x32Nlcn`t}{=ZR6kXjT*10s)W_K9wbH9)WuHG-P#K$JI>{sa^t3R z%PSfR;>si+AskN9l`0uc9Ud=n;i;)JGv>DV-0!lmtYhgAT$M3V&R5f`f?Terd63R+ zID&x1$&`1(X}vS9B|C)?`69+uVED8`%jCN-k-47B6d;?RB@k=krrA>+@|mlGy)bD01%^ z#+UhJ*!M6dM&cF68ZFj?^2<>HpZ7*MFLN7#BZ+cvN0oeE?WeSIFtroP^Y4xw;$G9) 
z%wUdb191x^d@2*@yxK1^YO3xts}YlD=&zqEL$&yjTGJ5EA~z0P9{+u2Lv7J>cg2Bu zo=wstRI)d*E9_C9vu*0aSf3>T24Pf3W8eV+QesJn4|8!yLex#boZtQNu7dr3S*ac&#_dFaXC+( z=9;VXj*e9x%f=I0WkEt#BtC}t`}dQcP^19RH1UET zK6*-NA}0X((%fgou>l?-6WRdZ4yD#{u1_pbe&QxX;T{$FOe{pBD37aFa80~T-z6$y zaA-?{Q?vpG0=;AI-j{H17him6>zJjX;!@D{PjFP=k&5A!mXh6_fr<>vZnuqoctK)y zDQjQJ*vmz7rSLRDL6GY~cpmq#$j!qIDbNU`&-6;5Nv9E+G5hCS!V%7H4tvd{7qMne zK}I8y=xy4ngSjoeWy{`*xmu#}oqSzJp;ss)(gfoIAC(MO_L#4l>_SVX6S=(ECp`IP zm1UUUDn#65d{ATVPBUq5@1&Jw!MtU+qY^Y8K-CY$ zxmy-YzuK=1Yb55|rxdzZ_oCRnp2VM%sF^)6l0>d;rA+L`vq}*qf$*@xTAEafu7frj z!v{x2B;6WZKKs;tKOFhs{rZIphJ{(ZhQ>_9(n}wHm6T#jCeChaLX8m396vK6I+gNf z?~g#(DdWtTbIINxYkL~M^sOpmh|0ySEmr9UB684Jkq8G%4kJo)@&F$z}LQIzG3D{KsAlN<4{a}5bPB%Jx*UA_zN4$H@)-8<> z^3oVHCqJ)CPD4|*{$vm*#dX)frb5M-h=0HKeP*!Ha0?=6cDBXewqZcor??|3M^M#& zUb~2K$22wP=%}DVI3hS(mM1?dn3N!wW0cdB$sw!hfQ^6cMI8kqF1)7K{*$ikAh!cN z6??HsKAc*9RDpnKya0PQMx#0hBX{LmVmT7bL0_;KuHB%ZJv>6YfVZAL5f->kIB#Pi zG=&|!_%%i7f+6L+P68LSds$E0;&GpUsst!pA?$@xmg3-b8@0xIy{XhI+VxAqlF?4# zEV|(EJuLWAlgZuZLIIH?E$m_6O)TO=KVn1-WV_q9ApizO6+7g z9NO!o$~rl~7u2h=7~mv2Wq7;u^rcJ4Wu-QSIre@NgEEFJI|=8xQJyWA@=#+TxE7+@ zbtHO0{rKyXXHL@eHC4--b8pQOOu{aICNdxNm!&Y*!bW*Uxh$qx5nD-m`KE0d`A}Fy zx%IMl29dWa@l4BO-Jll4hgQU^Q;Y@IyOI$fs(QdE{VqL{i<7xKOd*|B@_J7Ct}X?+ z!zd`GRSEe}*6ljAdpFg_H^=;6ZO*2Wh?*~2sVqd`RSlm7zp&AdpJhUm(?UzBcatT% zKL<(*B1dL5y6aUVasR2XEaCG|o!?RJQBLT~l0EK@&~YhS8IEe(lr(qfD$DxP5b=)I zPS8pyV3n&zEP{hB?AGx8(VRYyo=kIH@?&KwP{NSOgKz8?bGw&Ed37-J^S?9)#>nbu zrS69kf4ypTyh(gPNzfM#aUUx*U`<-$89;q zM;V)=CdF?EYA0VlK03U#)kbK2+;#ODj0c5PMAjhPW%aSDf|nj?Y!!o&Jgbd>g`TsH zPJkWE?i*}C?X%x0p@hT`dDcv~RQ;}che;h*$~34*RlIvITi@VwXTE3V;@#z=ytpQL zbaGu>{qAx^o(@v*%ZBZn)>>A`oW441` zE2@ca1*VVoqa*ko)#k;j5(6d%lbRK(@`k@_f8i^5lCv}b-<57>Fe=X;q3@Oz2emA? 
zCl)ANZ<&gkS=HOltT-V#+;{hfp{XS9tQ-apcW<)Uf~IIKVM^{cQws|YTq6sQEh`Gx zqBWE+erY#U33lDG*;RMh%u*Rwd7@>kQwYig&ACMhLp?Y&*I6j)@Ed9lwt)l{H7Pfl%W3JgMHDINBkIR3&B{K~sf8agk{E%tQSJrm}cg zmq*d#tyPI6r^^ARfWKB~i{)y7!yR9V^vyeRM^4AZ2Rg9w{T40!`9wcEY$-BSA7sxA z4cNgr`)@!jv#PjNsJH!Se2d(4Aizaps<@Mr z6%uNqKs_}*DiG71mh4Yi9n`DsmnXvf6LiIW+j=Y;>gn6jO+dY_V0BQ&iH#!$G3A5$X5=a?bgrLUmm51Z&4*;JVc4vE_97Je$JM65KiHUZ1Y{b;#eWPqPDLbSa9`v zU7K#M$nvN|$E3El*PBzr@p{9~txHkdlJP}|aCmO72-6CVSK3YCzbMXPI;E)Sv?WHr zgewH&1Yp2hORpch5W`@Hz;jLqm>0jL3Iui>n>M5eCn$cOOiT(keSBa5=?}M};A` zW#02O?7V0UIy5defk6}|s5~ZD522G!!$7IXBE@jHYsenX zuW4EwSN+zfF5S=sBj=M0{a_TVNbPZ&fyKQuUGI3BVjxK2geYB?QpjuWZNJmjam1dy zHcj?mNk5V5#$@%Xt}I+-XHl`PWccf_Uzrz#-?MEiN9u-+X2yYq)ovD*p^H&F-mRPi zd0=B@T`pFYpnA4`_0n{#)_e=oL}j&D14b2}5)Fp8-cC#6WI)_4l$m+mQG#bqWi`Etq{bTUk3?5oV%Ca0eUe$&`6JW{OUIe-|M!KwSahl^H@#&yNe`tTuuVRKB#> z?0K4M#`~#(1}lb%@pQHAeNU@wU(p%VIS6idA0*(MTqY0pAD=0gwzTL@!q}J?C<=mG z(XiKL9(3BVK_cSHjpF=^xIU}Klv{6Wk&$Z;?nrlck!?(1@~JeWJfz8fxRNAFtaM~F zmUWOZwFR%NzKd01Xj)r&cXjxIF@*iw%-k18(QiW^&^g0ndK6P4^90Nm zvYli3t5ag=+4}@k6Gp0o@=2@JvuGJ1p_8O)DL$veICCW#opVN6grlX`BcW_(G3WGSNM-mDiyK&b@Lcw$?hAPy4M1!-BV z-Y(`lGN_t}XWERsYC76B-4~{rYt_zpScU1vj5VVxUL)p=e0LO9uw%SmP4{s4lOl!x z&;cK&sK(499oJZN_Qo__`6Ot#B94Y$n6!l!qAgScVb7AzBjVqnBC@FyZRC4hW?1$m zUskK&lYr(RX7^6}*79Nie_t+xW83O8-F#`*Nw{T2ne1~55=pwJE(yd+ngGw`xdr3K zz|#!XNZ;MfH#&qM3s_A=6hdwBLk+zZ=pn_>Qq+@(7yGnG$Z@uJ6OEZ}y(y&0Fx+C% zUwvAs^?rUmq%n05&Zz~=fteOgt#0xb3{Wp*EaA8WcZqX^)H)_1pIak3PmMzvVAMF5;K+fBlFzHKnDU&4`|qi=_LHz#K$Akt_4xDX9Y#T1zRR0b#E!wrG8v}s5LI%! 
zo1l))oPyNSwS9W_U%IkWi?MzH3+6&9P6EqhEgcN=C zH&ohy&@=sJ3ufWNDivr|bZfe$R}xiamvY)n-I_k{FBNATs2yre%&dM+*xT%*b=U_X zrfac>S&{P(`kjf@^57LIPWE-x8W@0T$MQ9DhE$0BVb8EZSPZhlxvgx4w=oQjwv`MP zRvYQjRR;+VdVBgGca*mD+HvwTFGtK88gz%w80NN$oZeUUS;=!o+N7H1qKw@Q0+$lb z(RQ}nOptYiH|N+6Wio@I>?ui(L^1hvC$8qJ?5b`j_ebwQb?@@$=F~D!J!uo`DfOOfgJA=9Q!0_h^J~J8Bd$wiek~>eSJfajo_%|Zml(z(fo`~zYuw<= zICe8XehB$q0FT!cp4Y;?ghXtt%Nz~qN4fXNHhCL2s(Bbbzd_jE@tyW#ERVnW`#21X z_xx2xix`?)nA(GwgPnQa^=b^N`iwrWDb;9hpc=y#o9-i9jWtm6&6U zzHBM3hJ-D>Oyn)%;ExL+nz6CejC6twe`xAU7Hq?$fx}$m^m%@*pu22i7$f&+b63mKnysQ?v%bD$VXZnu0 ze`l7=%fu>1_i%k}-I{#Gp-j>i)xlU;fuvyM?i)s;RA2L&QRCg=eT1@zOx=CtO-sJ# z&m+`yg>5{Li)^f?&B|63#Xy9p$mtTE(aysY+p?S344s+^eGNB4VIE;{+%&A$avI^; z6(AVOac3-+URm!giZ9|bwin>V2m+!|Wj6cFa$Pwth8xPYWEK?_P_J5Fr?^#q_%xdB zvAJ=DFhSgS@krrv4CX$A%W>I!7;=@faFN^ixpSX`id(d|HX(6)lvoxQe8Hh%57wHDFtWl2vib z$I)&{SFBiI5Q>yj6|I|?c)BF+g2y~~6Av~nZ)7A_HQHE$D4Nn3c@aYt%WI<=%gqXB zsy5;(7gW{#%zGIXbvo0lS+mAEYZaRu(FiG5 zxGNgtWrB=V6EaE%{A6ra+hz{jcBA?RMTH0&65K?WmLOr}_}8+@YHN@BvOO}@v!Dt2 z^@R?y4vB-+zS{Lxgf&f;DLeJGxkb#()=Cu|N_eaGa!t#KCt8_>U-GTqIVV(Cf5GB5 zGCi&!9EmXIkJ(X>VFvZ43Pn;l#%XD0&qK6pn-vpxR4O8wazBX1z(pX>=cSr-G^)80 zvxYut<)L@d_q#2K7sY>{?H>N7e^mz7yPq~4uokztH1fD55c?|vsmHR5`yKNOj_`JT zDTjLSvpe;cm=S{&j#-=t7l(-YXd@l%XyEw6sjC&e8yZvK^AEjm>d;`tYutI>fmJw? 
zvcoQSoE#+DYCl##~u)arXn^llgALcZ!|HoO=B1$M!GQ zx~7Z2u2uD>^yMYSihVVEWoNp&d1Y!dJdI&ZaJ*7vk3g_YDI9(>TwcG_p)sN6O!Cp= zLw({m_BS~gmuw6&<{EaeEXJ9$RFh(umAk&#AYl%>&N)XraT#4~?A0o!`tW2wWlt)V zo3Vn*o-;P(9pfE+=G{d~V+Q#ggWFWG^)%)N%T^iJL8z&$n%QA@l7n7@;N3d`c9I9+Lj>=URZ>aFApm0v=6?K zD}}wB$f7DL7|)?{l#4qNM94MvM`f}NuvKv&?F=I@IK;2bBe&6s0bd71>j(z-XXb zquRMyU;IxM6^Xn0Vkzt?4$9vdj!A!?+tyluo*J%Eg0y@oK}!=UQ^nUywpwi9%cM$qq+xxf#}4&q9> z$ENSNz1rCwUm9z^)Lbvq%nJrxyl)BXKO7{yi&Z&T<>&1~MR*&vhe(rHhHPe_U+RL- z{7WOtNJqhL>Jc7YCTfROz94$HrnY7g(X)9hcb(vNEH@noa2pGC9#PG6l<9eG&vq!> zaBzX19C`50&Q>)_0C?EY8F%bvkyHG&Dk;KWCRhD&OpG9>e@0O|I;@0)o87*%Ur-Ka zUht)rUQ{`Viam{4^<10{e4lyjQ5EG9~u|Iv{?KGE>pf_g{j2Bsk*`gs17K=cuy60QUJW>KFfVNHzKyW9Ov6nDlhjG2`O2(M5$5J&j_nG% z8vBce+S;458-e3wu*8x$A_%gg1GvD*A#h`Z)2(xyl*9efQOnG)s$9RPx>_H&S2P_j z)ZbVQT+Bl*R~}|1WL$Dr$f+aAgI|%tQ2-u}n}jYH;+gUGFhC4VGgvn`ta1kknh?2T zCH*&MB&7pOM=kQG)I8n*UsdVIT#LA?!A3Ja_swSPPLxMo{clU}Bx zg}hum0Ot$>2Fj8TXOLW%ME>5QiVIT1A8mm9eFwwQzF4!4Y^|&EF;|(OdL$xHs_abw z_2Rb|#p{IPLIa=;z9)bO-SY8k`DP2`P$77v zJ-{4qN8=bgEW~UDZ{QcB^QFTfDb9MMcpG*T$(5A34WIQng)!?Rmtnsz2!*aW8dh*e zNw$;XlNZbB7TAz;AQbRQ&d|W$R&GH9F2IbVENtn#=aFkar7E;t~a$s*fOyUIj`(b>reD`KoE z)Gk^q0G=?a=));c2Tm0%=s}645@HZIa7qj(s$#{uMD4ay2+S7h6j+5hwQFk^`jWDj zS*jIse>LM&?RbpbyH)dso}tugmK(ufgbkhEr?@=M$Fo#uAI zvu3}3U3pcV8#=ZGi0FZVTwKG_pk3O7ZztQ$Ogc!ILgkhC38mk>(*U1o>Kc_MGm~^StRzQV5x$GTtgC67A6Ac~SYw%kd+)zrC zP9sv+d|z}AcE*`b&Skmn8$@(7G0a*;#rP3`A)2l1TZ`y|z)=p=hhArAvSyd= zOc*(r0!X5_7T!!7*{YU66Bop1rBWgdD{gtFDXX#%Wl3{^ebZ4HnDVV<(@SYMqh(eP%}W@fnTjhxL(`;S(ppI9_E6%9GKw?b=& zPefK;fRf$8Z&W3gH+>V_nN}&d7T2|Ph#E$Ph2p!WvAtu5iO4AB3>nOpMs*Y0RinzL zT7etws50QoKv<6DVpbKzPK|KXykR2SZY8}~3%RG(xpg3AJFV5)3p`waJ0=O2s8yD) zyrg%m`qE*TXqKox6kES(ZmckYI~2i8sJC$Y)a+wnJITGANbz(tK-znwyX_Ue(7C4D zCuI!jjNB+UOTmF<1~lw7nGPMF z16?_pX0({uITXow%FMHmIaDGI0_~dGF*Y*c7P(}ir+1QeR`M&+kkpYPz!P|bcFIWb zF$f~^Rb5ivZz=WZK#VpMVoTvYN@UWrCO%~0=-3*eWcGUBS^kHDHb0UhlHXc0Gpd{=8!s=~nc(RGp8ZrGJPrEXE% z>uNrSvyL}c2Yr#+c7(%+8PiQ}6%1JOlWc^>9E8^pEBCv<=U{kR8)WSGV|b>K906a7 
z;H^=Yj-J@=0bhrxj%s*Y&muaCpX|Cy-LqLV*a!}65k|>j&$y^iu&qqSqL>Bte#|^w z*@VcdR%=8jlAwyxP3%kSG{sp_5Z4J#hPdgD7l5KX4~OJK*DyTmdM@0-1btA^|v`pivj<4q%L4;vNwT2q za(4=1E?#z7GMr{;d7oCFmtL?tqB{5xxOrY78hq$ivb`-+1NCenCdBYZ=|Hci7u50D zRBHecv7hW`mbDH_nR`D)V9>@&xGIw9s;1_3=3$e`jrWn_-eM>j?1M)zw-Ebp!24H+ z=n{{fkzvBe+6h~%5Nolk{!OCJ_oEW#rX}kT8GPl?8H1v6Ve;ZEb|W)7bl9$g6CMK}31IH19QM20%UY{U3Q8j)_<=7Gct#rSqcr9!4LG+t zi?CGX3lFcKJ$qk!G%LIl*zSHXQfKP6Te^@W_gSN?2Hrm|cxP}|nXr-{lr)wxZ&yS- zZsCAIz^sa=l#npL7Nyd2qMItyJ5cj?10I&{t74;VsV6v(!cVhH6cD zXR9y3ul#O`k`*OQ9;XP%sLD0C*VcNgD}R?ypolM*)S@Y5$}WI8rBqfk-2e^&4V6p_ zOWtt*&1qvri@mT+t^t~qj^)JLlx32Pfqri*I?Zc)J2vAA^UGpihILqP&kl8{R@JgS z54?41$2ug};52~YD4+}{B4xKtzFYAmDcJNr(@v(Sy)uc6O} zR%l8+<5xci5FE#{15hdai&4~UtcFGLO7T#|3D~WEYR!8@O~Q+<#AWe~eL<~DX2mlb z3+JuzbUl;&RauU4Qq3R(lKdGzU6rz;Ahc6PJGqVJ$wKT>`A|+2V+FBr6TIaZT;ac* zEYxMFkQ^FJS53Ck?r!0@>kmN;?B{oQBsB~kJS8)QT~V9YSXsb|gKKY>P(QUbnc!1% z?ysQcu}a9H4+adO%bz|tjeP;x)@gH8NLwoEEOa!sY|(Hsy9_G4l^vPcpfj_rbblde z1-xqe-jF`$i*!Zpn)DRm$k2A=q7pciQD7q{8%yQ>*>lce{;XS{s}v}op>BpIfNp|1 zR8(`N&kYX3p5^H~gC6oE3V-wM@x?Cb^HO%%sMK1M6Sh&9G%p5&)rZ2PQf!@xa~TAc(Vzk{9j_b1Z!IR_7`ta16s8UyOlXxPh-WeuEG~FPpkiUJ^yGR zFD8IMo~A_Or9`f>-q1kf07JzgE=J}jIIeS5Z?2z3*7ITOHruO8z`<6!6`clkb1hA- zba8ep>k{xhImgI$jV#SU{*il-f48o@Vp8Sx7EpL~CscDb$`E0wk$ZSBVp&Chvaj1R z-DJ5hWut`Drs|q_GIN_p35vgC!D1MnkORxG)&vNJWuz_8>d-S0`a%brv)}HTK)JP} zp=!@(zjw>Qm5t&s*ta>JlgZ}BykpYj$}9dLiVp>Qc2hf*Yl&tCnAOj4_Y3NyyL z2vhr;+wV2MhgOM3shA>tAQ?d*5-Vn&aU2qF=mKeDe#A-b|-np}8mN#RmF* zFv1@`^pW1G46P&}-=R(-CiV1NoO`79D;+8HWWw+FXf8^=xs@VKR=vJ~Md`2}iq_td z0>fETm^(Xqf4ZjKZ%t!-{NQcytz<76-1h#Iv3=BNs!J^F9#Ph+lGb%$9^-*U&n`JLNi*=aN zpSt}bsXF|gv+u2%@O%53jB;|qTJ5T}zcR`xp%^fmuVQW5zWxhp%l382W&MN8hI6Qw zGwR#SE6@KQgYxdh1zb-ThGu^DZ2iW5Rr;P{Ge_Q2V!n(@ll6tK ztev;Pe6G@V8D6vm+3a4Pz4zdKFVR@8N%zGz-)k;?+Lz4X70qMv1c*;yp_I;kl5p=%xKMVYxagZ3_!+Ng zU%ZXZ;PexHV-lY6$OMfwr1u>VFR3RP{Vaq}l!qqanP8v~4j!HKMa56}tTJY|d~y2d zWITIu^!3y40r6#x;VkL*K|a><;B@e90KQuErHps9`mqBKvF>H4$6ian*Zf#Y6o`j< 
z)9OizEn-e3+e;xh063K_KUumXB3;9AQ&RMeUzAVUz2<%l#m4Zr{UnW#7NQnS064Go z(4$2%-k4~F@pwi1nA{Er5V78TD*7gy_!pt9XM{GLC$#UBP@_{q*-r^|L8EReX2mq}fd4V?H~@m#Ie^eIxVvJJ(+{ zDh4XDfBUOzetZ5YxHZMjeoHs8*lswSSk>2Uj1w-o|~`|X`XJ6b4yXnX58(( z9op&_Mtg=T-iK0=Dqi{=svtaL>32pqpUyOs;H8}^Rkn$Z3a=~rH(R%`wc}Z1tXr=D zY;kzSvp)JE6b1vfsel`y-KX>`j=kd`jz>mYuU)(K4<(}B| zB?F9?_;}rW9LxSQx4*&w3jF&4ZG18biA}rrtrYEy`$jzz+=RaSPlSGp{afjiaX{=^ zG4C<5--6M289jbTQ%&RXd@0%wY^S}(%lO_-<3|dFzfw58c#c)Cc)}iFl{51Ff02KB z@pm3~M7p9+0g{BF00!Ln36KOYft~6cK%41+8@;*rOyYSA&XBd5sI@+x|HT>#8R|XM ze$)Wxr-aztj%4lOHTbiT{%3^*(m$0~yidBAy{!MaBDMJeJD+Ox2OM&01GU!XujltN ziN^#!(|P+=>y5J_fdD)j&0qguDxPQe^%)+>FFZ&V;NrRbsb#It@ZjC~iHDL06S(-R z#em)^AwI*yaP4RBsAGBp7k}5!W?Jd$89mCcPYVaYfi`|sx_Yi~@jMhi;7I&}6U+i! zJP)T!;tb9f?oT+g4={m?=ivbFozmlaJ^!dF)TR(q0T}Utf-Q1a{$NT&h1JLuI@Pz$u-~rbDAMhjq>Ir7y{a@4b2ju_j z;gD0CsR=bspHJN+p5e6Ye~9_77@)cSgL(@8H`Ie#`+ub#|No6@{Q>#^b~r0G#ekU2 z&!-NEdCv8*Oe5r~1&ZyM)2RiF8i}F!;D3G(w;;Uv2WMksAMNKD*~H}nF8-dBGtIzz z>Y}|oHbR$9&jkT}g|1$m`)Ci7ejRjB@1e$wEU^0Nn3>^VpwP1ux^&K?QSY5iz6ZZ1 z-~YvM-jar1^9;k{q9*&{1}-e|dQY$WhGG4*9vjid=O|ac_G5H{t{JEqeVppJ^rO$u zW~)%v)7zM`6lW&*kvLMwng{aghY8|yKfHNu9_B^;qt^k_*tV<6nGc0 zs4xBWBo-gaOLt_i{8V|%&8MCpd+M8dgnHx8PHnA)FDIv7Qv6_^*7C`1OsoYnAQ@5c zS&508M8LkH;GgBIyl29~W9i6aDe+^new?(ngy=_Bv&9lnlDeZ6yj zhoBE+K_5bX*d~jQ*jFrxufKWfeQtea)%r>hhcQYVBc4-O{vWh~_#Yyh_VN0Nk_P6r z-#eg<&7%Fa11g6H)<1K&Zyoi(`i~qgInq9N>pt6q&y$tmk|XaWi62@&G3y5`R72fqsO7sj-YU(sr*0In`coJ#!v%nqoue++p*PFGfKuLPYJ zi^NwZfY`H>uORV6A==o?d76kZflfuK@~q*XWBPv(JkRrg%3&8s=ueh{FU{@#ya6I^ zx^Er)H_@n%{1(e=7l5_%V!^F!!{s?&%0DpP#ti!KcPanB-vO2OIXRO5OO7@_<*4DA z5`10kE4=U9$LGIz0P_(`m-r-NUF-YVRmo_zz+KZd@vmohBdD%;jq4=Z`~3Np(}Oe6 z{qk3I1Ou;Keqeoemoe>=_VEK+Ezn*pmrjKbh?3?~L83VDL7ub2u+8b`CxA0J@$0i= z^+#g-*Q#=kHY{w%rctLN^^*Ol&(C6Df z#j(BD5@Oew!u-1l`)BSP3_L{e_|~7E2s7Id{^av}gukt3(I&`>8b7Gs_=o<;xtYN6 zo@&31AiItCO@cL!{|_G!wA9(=k%0d8qG!Q&X?#;p2!1pfc&z%n4VJ`jh-u{W)}>Uy zDtE+A+g#96cblgz{*MJZc&DQAelBo$e=gp-!|yziZSisiV0yO{! 
z(TelYc)v;bZUeNrNbnDP6T{I?K*tj^Kc&pY?{oZR9KWD^Wz zfB5yn#@{3WN;pmGtjkd}qr(3X!W?SFGoh>iLeZD?JRgwK7GiYshTxB>#3$&6Yj+#S z=$xLrSdC=>y>$4U-sOOSN^|i14bfAi`KMW)vh?w9mQZV+W9i!8g)#xe^HZ$ic?LDkzq2{vpOcNdSa?n$*vB0+fOZ|3fLL70=34<}z0MhF9i%fY;wGE!JUT`?r!f zp9%u%IlX~H6|(Q!-w{xWmE-&+1w63Q3> zUQiByDtG_CA(qlScKvw(LdjXn-zlKwVEi+@4P_|q6o{$-4) zHP0Di=ih}I`LpH!3kX0~=d@J%FD=FW$bOemi_k6&A zFh;(=mGrkU+MieRX(4_8GRCIASwgLO&KR-&F4V%G#`xbr_>(1IX#c4tvOih+g9KE| zqmnu&W>ol}#`x0d1UX^ho>7b+9>N6Y^= z5dLH->bz7=S^A}=Q)B#tgwvJ>k~$}5`+tcUSn-!JuHB#8J};&JWQ=WpE9q}z4E`J9 z_Fu*b{ufKYn&*sh;a|o`{%6bo7ZCo`lHhr%oU%0Y2TR*s8=+sOUC?4)J2ChqH=nE2g|G_iiR_5eAPK}^;l zfIrzl=LQ)f^7RCF=JYhV)r}Se>(;xcU*kUkA(&2%m4^fA;R7>N$SJv#oq?m>&W(Z- zH^;-JhC0OY;dq=zy^Ecxz5I-2-`%)%qt945{HM^~YA&%Kc!nSLk)D-)MMZ>lHr9y$G%9Dclz;6vJVkm5M zx0!E&-fa8lxkd=!kE+(WFx7hQckmNOt+BXo?LfI%5}hw^ZQgVPkD041b!L1j08<>r z>=tS87xM=R5g-w!kXe2iw>EOY64Al`r>?7vifU`a0|*F$3@OqjDbfgnq%_jq0wYpG zcZVV=A)p9D4mAi!BdNsDB{d8oARSVJLw~62yMCAN-gDMEYn>m@bN1Q$-S2+)I%hpk zfSvmp^6LRt%AnKIH=?PY=GvoFkCSia2hwTNzVfPO5=CXltEb-rPreK>$9nYc6Hwop zGA^l_=xdvyvSyQAw)PBRh9A4D8iTv4`OflFt{G*sr|ug`qr zTUAzLyRfjc zZN|xf*%YM7!yWL+j<@!@-?4uCt%YkcZzw+KA>J7JB(*ZharOD-iBb-ui;BPP4cawSgbc z!DnPqJRX~-n{n`&fU^lWQ*U&@QR>w27}(3<+}q6#E$ia%Pg&%0w+6mW*b;;)N7Da5 z92d%qXs=MwkGGKPo}x7$Zq#P@PO*9$zy?2VzlCh+=wtOH95*5_w3Y+|(Jg;hCX_5C z@@T;V01R#b{!N*X|EI!kte&YGQW$v3Md_KZ{=SGvMafD@pn^s}GD#I)id-S}VIdB? 
zhDE~-YiY*S$`RsbIFiGZnqB~ZFtDf@TkfWK$zrCgi}29_j?phnvSO!L@VLj42X$9* zgw)yZO^)L*I)*8ezrqQ#H3==r=_sK+X?yvo08OZzu0RB~ZqIa=Ro3gGchpX?@SG?- z@T4QmZEJ1nyZn`Pp`+vl4ShVF{mrl7Mg_AzEkjEXv^4ya108n+{dT_NBe6xENMpZI ziqgi|arM%Djtm8?)H|H2UDAMyhl}{hmU+ZBd%0M&a%IsUyA}^I&TBy7Uy#8a$$CM( zucLepBuF@(4zYinKniW!r&R?<>eZZ)Bf)#lz(_))kIAOIDw$8a5ZdkJgBmO1*dE#X`u5H_moGl14g_%y+?Q zu>B%ZNz)eU7Ae6LC`o#bUEKJ@@x*e%$ue^ZM9OT>W&1<~FNOWb4u&v1^1d9qWuw#cTMFqF)|7+vFuAen)GYP}$#5e@c@UUJH{-oY|^Zr@3wR9NND9GmSMiZ6YdivC7*`02crV5;|M)`_FV0@jSow0a4L>BpArjVSoLdGhF`p_ zic^BN!j0K8*aAXpyF+R>x|QfAormyi@T)8uM~u`%Q*XP4==wgwe&DBwa1A6DqT2En zkqY}t%1x$kx1+%P-rZs69Ta1!NorfB_fl4F)7Jd3N?=O5aNBzg=0TN@XTXE!FwKqC zxs{>_mD4}kQU1=gJ4PIO>NI9byE|;v)kNJA+6@9d{~V)cy|>tX=~E z*m(f}!ryYFZtgw~Ah%yy+Q!DOV8Xz2u9rXPt^@Dsk`z&MtS3z6GH>avbK$93j#=Oj z2#dBfH#_&T%9dKMd6I73^A_I^5TG+JM`#XsUVB(ZY&j*&sw6Q!5d)Q^mTxx573pgk zBD-T!k!MK5ANcNljCj8W<&q2s>kCj?DRG3zFk7xQ>7Zqb{f&=GlLq%a`rpK)2o^=- z#FZ+0FY(Gx*(-J)3$l1ap6H6j@F9v^RZ{M0QjG|y#qDamR>?VoUU;`Lh> zWm|wT1YTu3j+(|LkxS1k%x!K87-{C6?V{|eNIk1<$QDKK42uGsa@J<0{LLoo`lAo? 
z>wt^Jp7rd36M{n>&7vm^fwv4>%PH{#`CCM!f#|rEHxPj;lZ~lUgOawpE6fI16)=ri z0#FSr%VSsN&!?@WGjs~?a7VnjCp;d0sf;*3BU!2=K4M!z@iC4K(XAF+@GHx9YNYg` zW3>{Y5fux^pj6i&J;OR`1KBfwLOM2vwM3il!(Xig5Rb4ee}*P zXpgFkRjW}LtcuD&Pa8&Q{cbdwnUMZ&O9vile$s+|4@6kpGqUl*PxkgPB>T>6&&k%F zpcAz)eLe@`OlF5OGQngu^OeZ$=TJyZ{_XQm!|mzJBpMTDnw>i`)B7gF)j<`!0n)~L z*!B&ZLUTU~yj1`ZwB?n){o4cm8>3_q525HC0&%%QzLyAE0!zYuwc6zwaK9hz8?S~8 zsnY>?Qq6YxS8@%{2N+@JUQ;O^@G&x6ul&ghN*^i8-p=M{^1H_hhT@`%;`=f2UI`Sm z5z}iIEVD_f5=xcPZ%=2#WEO|v-$@k^9>;2XGs}hi*e5enspSN-8yvem8qM%rhwg6n z8V0I&oPNffx<#yq$?)U*E(VHJT%V6{NM9uR2B7s8CrqRGLz7z8<-wds3dzkbnd@>E zm4TxAyLD5AnYYrwJqd#Fb3p`ya-{mS_0QG z;q(Nj*^Vb6YZpZ9;;iGD+{eR42d)Z|GxbSgxCP9pZ20^zV%O?bWy}^WY}#UFCw$A( zsuFQ0N~7$;MxB-0SbiNv9e!@jQ|uc&-Kn-~lZ0 zXv;NQV@Oy4cN6S_Qyil`ac+msG|G`(%Ti?Fh;J&rf!#xHp4HT%UtSuXqXMqT7e?%VbRtM-G#*vVFgXT&NO5D0e}kzkf5 zjT;i`(8=3wg3uFs52&!`uzbR^@X1gZ=+d?{W@T9;giEl1%0>V5ApU4tMp?<`X@SsAe&0TdAwEYz&iU>^LY`{0 z=j$>F$V_wIKGe#x%6o40Vt=TR?BP*M1}`*nWI_&))v5gGiVejr9bDJEOB)Kd%c76y zckcfwMQ!QiWdEzqOLVeF@&Y?sqS!D4svqpucoKeiQsqDx<5+UX$IyC%hIW{qIb)+L zGcb|X=H~Mc`Xg>^XWQEedKn%kBU1scLp^9{?^_nT6x++iBJD&48H`sy^`M_au~x;= z)C$|H#!iS*x$@|g(<4hHTgc3E5g~O#pW;O0JbwpZE0iUu&=xf|iQq}q(Q73tWwd!k za(4K}LdmFP;c3{=QOm6yRmiYaB>vhRn=>;E6+x;|G(MA!TZ*@BgWtx^7}dghwyR!I zI`@lq9GWL6)>9yLz&Gf3<_K=8Ck^RM=GGW!*Lw|Sj+*g(hMoc!-cd7H+br1a1smS+ z-bZ3-sg*>UUnE;ZUo+CWH_+Q@2Kv0>T?GAyV-V9Y0LSuxH2 z4`Sge+gNG{^i8X#uOW{ZTiXYsqrW`5_5G>&(}`Y$Z%y5CqcYpUg6i`g4E+vs@)YI| z;N*{ldj&_}dXak3^TGw9zeg_2%=KQ?MlRLw0sS4k|2wR|0=XmcF@6{?P`-@B z6`s%p{}BmwLapnz!!M zG#5}LK-phA#cSi`&URkwCB_yojA~Sd4#E`i(Y2cXyitRKOc245{K{q7i>1Cm$lQWn zOS^}+Nv}sjaNGA@iNC)qbe`IP{xWziE{m6+Rv^Z*PGENs*xg*m#~I{i`ZIt#bb8g= zc!8(MT@#$1Yav*6zS$<(xPh%K?>eK*_rNO0KO9Jm@N|rd8C)XCzi;+=!}s=3K#a-( z!&lFry<7;>G7$bM*aQ6J2EEyByD(R!tC{+KHq@wZ(zaUm9?UZhs@CKM9DhbY;mfO<<+tkC|)e#=%L8 zjv|=J114yzI5*7lr8JAZQoR=0mn;imdF!`_m#y9yx?Z~=KK~OjX$8z+)ZM4 z&dz!_Q+`(F*~RhaA29bRbP|S;_+8j#>|kJ$Vg0*{&Sj_mI)Z;X)%>5Q&Qy7>Hos#*SRDY^>0n#}(I?_2%V^8cpxtKh4N 
u;}7^c=ok23(#TbwtCR8%&%q_nKTJ^#73@np9{>RV@(jPsT90gg-u(w6av~}K 
diff --git a/spreadsheet/macrofree/network_appdelivery_checklist.ja.xlsx b/spreadsheet/macrofree/network_appdelivery_checklist.ja.xlsx index c9f818b427d0b10761218a4cd3f6cdcdf88d3e6f..8861563231af6c6608c06c8f4e81831ca44f6709 100644 GIT binary patch literal 28696 zcmcG!Wn5HU_%3Wwf^>I-fRspwB9a0k(j7{7=P2C>2&j~FcgN5r2#7SpfOHHEGr$Z3 zXMiWq`M>8pU)~QeznQ)ETGxGDckQ+IE2X>lh;QAxg?Y>3Ii`+mpR#-+>e~?N46;$HdW*+tbcgc|;kzlNSg5ciU_C`Y#c*Ik++s5$P=>+-|{j5AA~Bdpq}} z?7h7Dsj|4k8CmN-zc}Dtv3tzl_u%Oy6I^m|ATuI!#ixu9{2{865-*32_HI{}-PHSF zJ{;j6OZ63-31$w?Z?9|!jx(|eyRf3A(?gsrTLYbe4uc3Q$S&4QKgD{O>Qu>6t{le2@9kKL(7*AK4)Y z=!FAlnc4U76|kDjCA2p$xX9B)yd1%)lpzc>hkRtLj2qcrUR0r~qO0QS)Jsi-sm|Cx zZ1kjTFw}_hG@7Kfyr0xwl022k#DdD*O*!3eS;vdrQP;N+X2N1s(5x|6J_;xs7$LGz z1Kd`8)MR%;=al%HzlAhepgB9IfieBI8wvN+P6;xepMzAGn5_0e*icMsYW{M8CGJnMEASLXwl zh+r=}#L-Au)+37F_*C?C;g807?>=PHOJeaQmtDG_@*6Y#0R>)M5I3F9-I$nX4)Ue( zc3LI)as2{}!~wIw#gC`c8!Q|{JHdyz!R7K1=I#0C?Wz_(6mzCK8a|(g74EYO#o*h0 z<{f!YbFv>U@E{^62;;$+id0^$--PacwJ%I5age->#yNdsUhZ6H-*Kb+qA`#+UzL!# zUoMpO^JfcPIh6b!-a3;ksVNxMdE_-ropO8VD^6tJ_U01f$x~|1+lMJu!rD2 zxU9a)1YN+UiOREH!=Y9KxqIJerd@029jK7wl$iJxVYJZCI=zQJkrUhu&t)Af7u}{d zHI-aW@4tPUWy4DMy+s>)lwsN6R?hH?c$tt?m3{oP_ec0FekxHk{P*eiS=mkRgzUtF zYX|q!&PA*^q3pAr>`W3=hdsToI{WY?*@$L%9X@D2zUy_i)U&y~o*xU4@;h8PJ}5tG z6k4_aX89@62RSBmdA^@}aN;1<>JKla<*7Q=YV(C|#Y!#Y7;@CK`oOl%s*@K0$f*(4 zC;O~&NUjz+X|5=-)9HpmY3*!X5Qw+1jjEL0zReI};1NFZ#rV0EIK3=3L8*dw4i8jXNFLMw%NAxp zF$rjUUPw1;YrOs-E+WY8LxBoQUIayXwszL5LGoaM$hl|yKjXwdI~(yeeEhvhkoRK) zrvhK}i-e@c#(W4)wg-YcErcUpiGPy81K&)?JS7@Z$9t&*R=?;1efjBvMA6FE9xar+_>?WnMiEom2$cmS^J-Z@9MN{gT69mKU zC8o)~-P;RH5fxA2mDtp~ZJtP_ZIPlUA3c#nXL9@P>(^73)Jj2wRT!S#&ZpZdQ-mYL zFBq1*zV1a$eB5k*n6I4cGfu}@_-WsKY)fG~96wC~;{X0rg(6&syu(cW+K=&x$(vlU87mE$XH*KcOA@JyQruV3ZA#~{6pkmCEK0YXq*P{( zI_{@O^0*zo9`OE<5Q@M{dSXW`hagvpA1qp{Dms(WeB$MER+ZFP@|N4?ORVN#$p9HA zB8hE+aIN)_f>04}<eif{y7A z#$Ng_g0W9r)A=UeCJPJ}i;=Ba1zrL3+y=`jc zP_pQ}DDWZ3-vtFv#=jfB{d#D~ly3LqNCgK(r*T$at9-^ml4bt#Y5%L@&B8?J_~CF2 
zHWw!Un1=JV<^XifCmkK4X7hGypr+obcnBVfe`Z&pX~xmBy*iEcX<>dz(m4t1*XRp( zkvQ2O3SGXI&B}e8jfNd%jcEbu?%UEsc1hUEQ;*2R>__eE6=U1k`7tARZFjlPt5x%l zln}1I%S)2_pJuguNp-nO154is0~>gf4taJT+)47%e&_~S^)7y0kemVz7_*>%wMd?Sm#}&RlIIH=w{BVQ-nm77Q^GtPoNZhz-@bKq;ko{}sbfI91WuofK~u(T(LHo2k04DLM!Qqy@NG-mJC;)Xv*|eT%F-8!PtcQ%xn^ zk)*RPb4Veb_q#Z)oWF#ryHq2fs^zI#TY;Ai{+El6@ZZpk%hN*tg%%s!%dZ^$Dz zk2R@FCl_R8Bd~cMY`BxMlVOP5@Hg_R^ATM;PP=Tf_Xk3dCllaMaCy&#ceQ2t{Cqlc zYwK0{{1c%e_)lAvWCX(gk*KHPY!~8V>MI4X)Dv8 znvm-Gayd+%Y~visSGaA{8~|~%`fl}z{mlYZZ@*DX;uIP zKN?!RsFnf1=$efzlr75ln}550f$pyD9=B<=rMKY=$UpuGRp>mOI4KbT@ak_Dt<4-~lcU_A*X} zG~k&!m(Vr%?tb4?C@ezm*c+U-nBPHRKXT%F&k7@puU`~D_L<6Wi#x%$4C_zIqknHw zK~)x9>1x*4?i9-Hub)HcuTbE6b()8sL|b^_j1Q;S2dO z7b8Mn9H*CjKP!a-Z6@tnNO66|oQ#`@5bLYs&=^rA;j&cGUHCHFLA&)*`%G+CAbK0L z0fO1JM@v!Ny^byH_~8;M)(0ip3mt2#gbPU`sTxMlj20vTwBAzs4_b}cz+{0(WQ-@r z<;m2SZh?|Oiv-re4;ml(8!IKtvvE7^o&e_e?D4c_ z?CaY^7i2x6zlnK_&#-OTgDPwN%HVYDf!1Aa?jnMRTRf2-JITOyvD&!@G(zG?NH91V zm{4iUBWws(j?Z~)?FtJ497aIU4-OEeb~JB~U5e*mjOD{@;zsSTIXXi(A=mSjI3>2s z>D_jP5ZOLf_mL0Fcwe_!VcAm>^~J!K8)^36YXcwSN&8`}@42meAX^`9{~lKnI!w4Y zi@}Q&bJgE~&h7;-o{3fx$^Cks@PPK~1-sqh2RA#Ah~c1^;r8)%bNZ?A1@)1L^yRU* zm%C{w8{*7_F)jO>`|$8@_Kt2FY8MNSg*Jb`v2g@wPtvgbq`4Uk+Xs7}9Ju+Nzi64K z1rVgbFb=#Y=4eV(5oTMK;5p>(k%1X_JajqKuFvzOqYel>FDjS$&cUz50dg|bt1E=) zg2IG9+viB`4}A*;=8ZJ_c=Hloc-)D^{W)ZB*NmH>Z1%#PSa*kMQ4e|m=ErI~-~w)#4IT0iaeM$)my!mOE1v zP!fZC4`ee!{VhV+X{XoE(WYX$Rzm$lf2WI5K^w_t@*8G!bDO`B&3ni$`?SE3-u0Kq zp~dMs;L~%2|B{z`e#*sjo~nAa^>O7of-w*DxL0+sp98@D-CC(|CI_*S&3^6|!$FMe zIiMd*7Kb=-39}+f+|j9!6!3bqhQsjJuGw8k><}MdA1+LB0D`2z-N$fiO567AQ>IeZ zcHziUjrxKfkLD4Co7oO*ubJKZ)9pzFioX2j1&Pz{rq)_qI!cJEMlnFQ*swe$<((0o zyU)X8L&wPc5ko)`9^J0tLR#-{O}~uCm4XJtE44XHg!i}ak$zwP;71|?nf1_2((0>Q z?b916>VozjH8 z-SSA;MN9D_bi^~E3+yHzEd9#Z&(=0lBU&{~pNt?2W&Td(^GF21@C%NM#FIIk&Uwe< z{Gh1jey6<)mT7$lApaf&FUA1$tiPG>#?cjGXaKZCp!zXpC!aLuZ<|kv`)^nFm4OfmN+wQx2 z&ing5f6Z9P%#Y&~qZa03C>{3LGH3Yt#?SF!E|$zbvyojPzs8&IjY5(iAJ)+ft99(C z9|m5c@IA|6xW*SHP^OmSWF(!#XSq@>_ch!G*Yt--sYs&FPC!3$U6H#_N*`EQ27fNy 
zb0@JA^4i6)-~t`X|JSbJw);bImLA}@jQcHI?+uXYx{hBcI**>?3+L-$>gzo@I6e!M zv7cHIu4pEwk(D}M^bYo;32%-w6i z$P%x}*wp}`=rP!1={87^_2*=C&ngWF1Bw+*R~ziE2Q@wQ1&CeXAq(>2vu4?>%W}xR zl^Zr+Oz^!+9Sc#3cddM#Poc43=23S?4icWq&E&IC;G9WuR*A`vtJUC9u*Rq~3Y3 zd$d&-$2z*8|EnT$ygsz@3rZnt$h&6TZ98fmLt9YN9^8iWAS-dgHlUO!RJq3e4xgY8 zc}n;vd5&-#vuX$86l5}fiZbO{Y4^LpI!O@MC!Yx7or4&{TWjf*!=`C#5!BE#r`>gH zSaRE&Hh@R!OG=+2p)|>uUzv|94n>NT6hg~B*q3CVO>`wD0dcnJL;9?{%k6z!eFiKP z9G>(Zw)t-lRTNS*FMm%}QxAA1wD=t?j@)&ruUAxPG9=^FdpJ!)=e9!~ zTP%yMJASa`8(V*LT2p*UZG#>~;Ys%%2{zDJrcd$DRDw(KBetIfDqNh< z(XY>)dkUEEFb2fbd5cUqmc~sX`A6Dp7u9IcL`3fVta>yRu4)iZ#@6KLzjrFAn?XdM z?zg2f47QMRmJqz>&n&$%MzDl+*HE|jH0O4C>|MjlU$^(lhpc&1=M48i>+rQTH)Jca ztxvs@O#eLVS!rybE+h5}-chRZ&Y$3*$zH5FO;B>9rr!@y<^#bw+Z5QBnXpLf&~+Ld z>l;NeYCnvA6ZFIi)V=c4z}fP-Nf*kcv#EDIU9=sV8F*7cTZ?97^?P#eCla5WelRDnvB=UXng>DvlhLeMs4ehgE^cQ1$9w@|dXmFJZkAUAgZAhxIWIJ-d08of;MH z1|tVT?p!d2+b{+hMdn1A5I=d#@z5ZiOguiTmHJz)2AofX;^QG z(iCn{&E9s-0r6w{FFQwftlK+I5*xe&O+-F~2Rb|gC1PU2&mfvX-RtTibrIRBQN;|s z6AE`F8OmNaP9-dHJaL^gwE($!eXjtCWZF|9mL3}Kd~5q%0X+FjQRKvd0~fe!)UgVI==dcG%o!0I=?D4?^*`^gmMwJ&Jc^1W zdq7rSDEj1UEh@?ntYIdyKu^!OJSC%$c#!^?n3Bks$}B+~DlUkdWbd^ul^lD;wQXQQ*Es`TC{5 zuj82~j=%IrqJYn5{+OM;xFeIv;%|4~C?7#AOj@S7cgtoToV)cg9_uapyv~2cNqKyp z=dIEV`l`K`AFFPLJlet2jPzBb3t;IO!-EmQKd!Ui@68)djT{URN&%-qt=hy=>zAl6 zk)CXaEhNpV+cFjQWLKc)pmp|yV!H#PlE9=k`?|@2a6%gr=I?oxLeB`lV`o&lk|~7e z#P@$Aa*8hU04Ki!+Kl(J$>3z$Iow(I|I7&$RgZ=bw$9s^PiZ-**6tzLNE&FEa(B(g zJKxqWcQPq~K7GQPfR|rHEj*6i&-Vd_QVEDZ*>2K)E{SheqI}x!CtqgyB zvNXGh9kQLQf4*c1F=gP34;E9CZ<#-ZL_W~fwS;-Rie(PwfDIn$M@!T@-XSZ5<`xknrjFw0T{M~D3*r>-wj zG zj{UO8R_(QQ-aAL=XOnq5k0wLG7XnmX)VY^-!aQE^6%RW1HeEc)S`{7+d_*F)uE(yH z)Dh3eRfiLGVX&Cv)6x!^K2iBcjn!gMpQmcwsiDjQjH zB+_Y}$EJXvDid$BE4s2SHy290B!~QBvH-SQKY$Gzm&LGgvYN8;TdFBi8FkwbgY#kQ z3wKLcJ#@$_qqSKK96o3uxGVM^MZ<8J7(`Upfrc~e&cdPJNrOqJ_1m6e(J01xtjY9- z0!viWl^l)0rAKvz+f~sp8b_nf*1N3HEw1iBV~Ihn4LjqKLc8DZ^O>i5lyM(xo|shau}*~=wrLo_ zLE!0!FFTKL0P*Z*h%Uq!kn%XMVF9uaKfE)|BQLkqi#;awAkcNi#kS$Sa%v-)Lqq#! 
z|IXSjv>ZAqYS&;#<1tq!xih3w^O|wqv-SexcXS%ILFW5%D?`l^s}a?s9OTMG@an{v&(*ko0UE(iCAA z9`3*%10=-AeTu3WxwLgmNe*#@dDr7X=ZhSKfS4?@%ydkIq*aV4bipO=8}`b$)VKKq{5V7AZ$0Ok1TgBb zOV?8ifCSq^YTtt9Cl9q$YrJWmKk8Qy(YOI%t!aNnJw(cMQJqFWk~f#BD)1~}d-da2nd z%d>&(LMkeALT(=?q7(M##DtgMT&hEPN#CpZfQ-|jBKM`PGf1auR747-+1qVQo9-)o zZGZ7|fnA$15}qjn+%{jhIN61*2|={)dgF%mO??}$--;b8R_i9GFpcUiQf9{X$g&2^+JagqvEt{!*9wuQ*@CaD&5yw{pyc2TX|Ev z%EU)V=x#*%v5B~_1yWPB5m@BumJAl#k3SV}Tcxzc$}8cwomQ_`d_0q%8*P{G*Qme8 zwF8_M+w-@CJOUlZcySPM@)XiVJBl__CQFgyEU%dmlGR0zK* z+){Izdy^cNg8mgwQ#N{BiO!W_B-fRzf{d5L)Xhkmp!g~<&{~h9tF)@m``A%M-Hz z2PF!|Xn_J#1_JG|`jqc!z!wZimqv`5!wxmBBwfsCOWlX{O%|V5T?I)R3#vkesjHi5 zI_tN9=LbBh<+^?z;?_SM=bDO|9r<;&_@-rbjWmF#& z*4c}?S%>E$BRL!(f%8IJrwc_T>!^K&(23on9VbNy45n>zHV9o5;+r*bW4fxc;LkF( z&EV5a5;!NwSr9a<`(ihb=Df%0bIr&xE1?n1Z&TE`D>I(e97PpT0h3>WEr0bZ_4%n! zwL2|%kwZOmR}Pl606Nq*BohM~Lar)m5N+ziRkTgE+&z}Sz2e#4#UJCIA>p9W7c&)u zjUjbxd#T`u4r0RK6|e8wQl9fXf<#lVf)}j-?Fha_^}Ybwq^BxUJYyZBJ~4#ywo5;n z8}1#BR{r)f1(?y;@0QdFN$NYqDkZECWQINomnWTD0Vxu6b0PUuu4~64`LiEma(Bb zamlCpe;XQ0n|C2*HC4Bm?+Ff9)qN_Ou5MGe1062Lj9H*=-7K~jd!N>@bEyyhh<{qC z|B9eVgH7eDD3(F-j!A+U$L~+X1*PBSyWLydr}T_cDXG#uu7=@Xbws~~ILM9-r5nGY zJRkR*Xv)*ok!z^kHL0PTt6ikre)>GOYZ+mZKe?U#`U3`$6!1YZZ3%#ev{1rRBF3La zV*@waol1l5vqeSa7*jD9YuQY>Y)ikksb{Zs&1T=QaTJnT!*aU&i-!}*Y_{3JV|~JrR$dk(+$eE5=lP#)%^hF@!RBbcDL$W2~ zv?#>hmD|`?h&P^aAPx1wi1Qt4W3N3CfWjj>ISFKI|;dojhFRU#=g+I>F`JA3oHkH zuwLk)8V=!EDiS-1{)!D_>Y~o^d@f^&%bn;3sdGe2`Xl*ab?0X}q&QJ^Y(P&c%sCQR z_~--9jy$j>ucKd#A}`AC5#EW$LpxT;ol5@2DR0gYzLMj^ieK2@J5vgdotHI!2~^sY z&bgV_-Y%`vgfQ22DihfU=F}xTRUtOZCA-NyNT0&%!a+UE*8?{cO;b&%doo(--~v0K_0*zPsE@z*7avYO|3x0 zahP!Lokw`sH6OWJ!tXp{)1BBEtEi$Dn$>P?zF*qyVlWuFtX$!&RSebC|GH=Lf%Jyr zhQ}N~QJ6m@UHPqt>Z6~p7gd5O#3aF=@@2OC){d~oPLg}GkGy2{bc^hY=A2aGsZO;K zA=y(1WlZsU5ZBW_FP#az$kbho^ku~$M6#WF+$7O5KdF?mlo7hqnMg!>Mfl^rrL24< z^whM9h3n(Gj#+^HWrIz(b%9V<5^ezBqymGECz0E0|JQ5>lLk6N@MFb7;VQxftda`% z?L<3=PI~;QL2qrg;F|&;6}^?ylKhJ8Evmo=9;icdcKgyRjnhIY+5n!fk|^Dw+Q&4q 
zGlES;YNfip^z()8`E+NQqbK=Ul}@fbONE;lz4T3zatFkMPHTQWQ|A9R#tN7o9(}jk z8%G6c$4MtVYJ{&BV07gTw?slZxWj*2OO>UVQOJ-rr36Bis@ueNXCKKP+{+eDO1xt9 z?b{T~>iH6_@V5@}-G@k6o2DCheqYqOPi81DoX|^}ZgAkH1HsNw z^2-k7hov9Md7oy5EN@IoKA;6^^QdnX7146-XW(?aTc^t(Pn5@ori4bvB$*ncq-WorAc(3`OP|50UdHU~2j2-W#;e`Y-rj4Uwtxido zi0;0k`pv$X7S8>QZ1{r|(WAB{>|6QG0p8V>Fgqbf6*D8$IbpzMML6>Jo*9rjK3GbP zr(Ushc~btvYKc(vs@TD#B6S zijyJhe#(I^fQimm#dy7?CT;dZwG(-bMw0$Qb_gx+^=Ts1(ochr{Z4Ya^nfc}5!q^Er_yV$TaHr9IBq4hcg& zMb6OAl>i-S8j`@?gNOB?Ud6AlR{e4vv7OJ3W47J=-HTor$cIS`S7!^`s?h`Z$mCZc zsKzG}p&n@Sa$9QCdtG@ZeuH=^G5u#oeaIVwaYvJ*w@r)Wl_Q005+~yGJg@ieILv9=Br0J6oS;iA zCar!ovwI8FUxD5_VdUeL?P}m;eALIN2OZv)A@$UJuRT{YOk&UhgHF@5Tz?Q`JJ)12 zsr)l+?;$0srlLj?T-DT9LL83AM$#X$uX59t>LW+$(z5g@Ya_zwvX{?`{WFT@WgN)A zZjh|uX>N2IP!0n3(98TU0hfCReoOF;r!3HM&xU3wMp^_h{lc3-t-VdZj~Y75`@n*q zs@8>P`#{$02T$`5m95N-SVD%ky2MDcnh_a_-l7`CV=X83$^z0Hsly6>E zI&@Px9Gn;G7&!pMl&5@Kk&vC;DLu#@px)kn-6focVA2q-?XzjNlPjg>V+DeG6HSGa zu&No?s`gGsfYzs+wUnp7N~pAGaJkE9``kROOcPK{7{YlnVZRFE$dYK$)4$G;D|;8m zylhi{lPKEc9Qy7}*V!^M_PN6wcsa}K%Wam|l1b4jQXj^Ya?aP;sd`w4&m#wA={RwO z%lzOq3pAe5ZLx{jlA1A$I;ZN1*`S8-w7L!_qTW7_dm)-F&UKpR4he}gw%JfkU%79n zkvC=k*>r*PH~=d#TQ>S!GhkmvPdQ-!67=Ntb8KAc#mB?|_=wthxN_>5QRV58&4m2W z#15t!A+{7rCRKEbsQq^I0`996LB%rhk)jmux3wMSRCTfY1IgG@s10oy1+Me!?N*lP z`%)+`Jhd7}ZMQ0ZB`%a~R59Y#1=N`Oi&DGXzBGG2>0}4=dH{6#-2M8O)iPz!_jPub zD+9}Q72)IYo^&=cekBAis`lBeWo!V|;a$-dXdpXq4Bc{V?fvH<-Eu0iLqT`y_hEgM zYRuPXJ^hw%n6}!2DAlr2d+2daMU!tZH8|iDcnqpv*0l12`PaYHjnTr(%knx`&-N_M z3lLQBEa8ycvexQV2>*qTI~Z`qC77 ztda(p{-8%fcTrbP<#y?M8R&ErhUXkltn@tYdOJl7J^RI z+hoGed@gkhBu~$cuqOZwmYJfY=PG^4Y_26EYWt`sSCq29lSL;N9!Sj#gu-=wMY`tt zC=Hph0a+nau(aMXp-Pg{)Vk&eL<>bb8sitL%jn8ul7@Ak&b%RJ4|r}Kuso>9C-%{K zGDD^c;uhpRY<^7w9vQV6i636V523e|{PHt$Hdi4XE}u?Ki7Yy_xDNbyYaQEkk>tmr zuLg$EwCAXdop|D3@T$#$Br6P8y2ES1v_?M?8ft45Cu>)`Q>G;@E(aoW3>n&&3~%%` z>?mju^2F)^Ub(F|S~lb2X5lE{QPAa-^l5AT=m_-NiFdCq=(mWqU1eeQZ_dft zRsi^-PI597iUFav^^$5dd5n%EAss>OngqCM`o9+In613y0nuw+XVx^Wmq;dK>tMzD 
z>INjSNC;V{Io8q^k3?-NSG4hSq(3l}J}6ORYD>JZZgM@W^xLF0a6T)4uw}S`?$#A* ziogAU!!9}y>GEa{^^nw|Rnp)`uhVKQ)ntM|2j0>IG3wmgT?RgFaE~8yC(?G?D2bh@ zgVd2#q-nMZ7n`rzZNp4ReQuZ3-RwkdqeT_j1t!0;L+xWb+fQ0su$mbd(k8eXWKYU)6o?Z10i0OQo_wnmR$kER#f5)H4<{q*aY23eR~3iF*0`= z+Gf|9`~l6)Hc~$ab7FXYwG;yyjqZ9|fVaCR)Q@gO3dV5-gl7%efjnkSc699%1d{e9 zZHnzIE$ze?uu`CPGxyTTM=C6dZYpj%1&JL>e9N(%xa3`0Uccyag3#`v#J1O`9TDA| zdI0HDub2TD+byosh{W)B2nj>t*!g?fGvvl^nXWXS*(gt$t-lM3Ae5>(ho3T@-l`(ggBJg{t-xTWD}!1lnQLG0*U{ysijH{Q$x#PB6fGnzy)+6`88#JK-DUD zk*JGYlSl=0fn~BSQgr`H_+m|x7>^E1d!hXIu2Jf6eY;~(A3174liLjO!HmLQt09?f zxORiFlp}|M-6BakX_!BVl#4q`fMbO zM%z@#u86HWW}Uqj)tUvAYg=1X7!oV&Y9N8uuGP`5Y~wL*uk@tbF^%+tr1gf zUD3FD-q(=9@#@@1goRiicRg!UjRl(R=R%FWmXCQ>u>AU6K8akrD3^;b@5P(|2x8b# zS33{3FJA!6XW*6W&Eg6Ea!)zBg-wleitl&iniVwdErX+hsEvFYJ*VGdNju&)AbYWP zV-}vw&O359;Th9a(9Y+Hg%)!ao}w|ErjIYFvp`0fy5}?KId!0q-VY4SzfCG%tZOv&0oqI$i?s{z2lj-0h zQz`2g&QuX4O@^hVwbfu-Dyi9$sl$(?oZB~jEmMM8u)#hd$95FzSX_pcDKO-DV2pMA zZY|O{kY@cH=%a&N9h_v-bWc~p*6cW*7t(J9+Z-DeaE88H%;K27m zy_#T+AAz9+?HhUNfOT0h|6??gR&~b_6jqM@`@nem%r=s)(%%Li?kU~k9|M1c!rjo| z4@rg~7hU|uV(1)<7D`h<-T+|r?pL=#!O75(eB(0rS44LOCoNGnsqg6=r)W@z#MMSm zaSj?e2x=|~Wv<#M@aobSY0wTrbSq@Buj7o~I8^qD?xIq`D8JQ8F4oYdO-%&9+KUte z{8yYMdUj{~rHvdVc)CQ<(#so1>qYGRIA%KwyY#-%8ZJWB5@ENE2#2LhWWLrldkJG_ zWHVx=h+^}U$&0RP#cobaH6x)22*`!KS@IkPz=dw@s`eSXdrTevz{rXem`-wNA(Na@7nbNYF0tsb+9N2J} zcVk^310Pxu@OCzJOfM^VM6EGEIW?F}s|>SwuC=wf+3Sr-F$^>A!Jry(M>J)Zqm6@5 zVs@SA}W_%`cceB$r~$UNFpbL@oXUYGtEx=H*e|5Gb)cX(qyx z{7A4^6i4?vh0jGE%{SCW25hocBh+ojK8-#`a|twvDi=X~CHYUU4x4+UwjOpSzfv{1 z>VBe>Yuv70!)TgDY@JRuj}Au}G*940DK-|J%{gua`HvH1qiagM)PrJ0?1>c7Ruoq6 zFBM@};nX+?+TrNX(NbXoDGZz1Ooh8=(XYg)>#*pD;wM$wkf3PM!oR5!J`!=&OloC{?|lSRuZeO~qp zyjwmslmIJwMfDR+MZ79e0`60@k7j%J1Hm9-&GeLKOV*4?SGzPAXIQMu-G-5_M4XUS zhjmFHDfFce63YoLGVuHw^CA926~Hvo8Y@GuZ5IXrBEWs%HE&SnSW&+jpZ!S{Dc?6U zEcq}NdU?`C8LWP5RJTkGPpUqQ?Wso{G7af4!@Ox&-N3eYoR}K%m7d-N_1z{lEcsJH z#iv(6eed{top*;aTND9hxswt9b5}zI@|om>C$|@ z$`cJtp3d&C#Wp)Qv6_Jom&P7|$<_)>pEXmBv-t`XKYaNtbiI_u)S<;&p5|l~u@fe7 
zOLLN3oOKL-A;Mu@5snffg7V=ZUNQ&m$iYT4Wk@u6kULkwGt}!6WH@#px^<`6S8UT| zTy6HIoHJ#2i(>+3v4sq^eLj%SR(?aj5ut{PWE>^Jx85reEQL_7qREJzRFB3C$QMm4 zb@haOcvOxyWp+6Bxvn0U@cBW%lXX;)&=3VMnBnz$Li4xpe610mI95E?M^Bbxc74S4 z0O@Ea31ceu>1IB7^?5{0oRc)lK33kBL;E6I(btf@nfR*Gg*a?r2(aPHRMS!X_!q)z z0yQyA3p2BQOI^$7u|z(aG-b1=n=H{ZFXlN6zuzW`4EclZJhjnRr-Tt9*L42~uX7I{ z3q`OMX}!$g*%tXw6s1=Cd={QeJ8;EhRA^%IKLZ9cM;&AhayfV$%J zHMe??X6jCg%zst~nj*x1dITQ5Z=qT6z#HUUUOcllQ%O|w+7c$=bj+ixXEWzW&%T3k zotxU@9uKtbmg5b1<-juwg@!JM;VsDn{0lgGyyPXO;0ITxcvMH<^;r(pv!SwO95fP% zt36z<)sU+M%f4N3H_;%N1m8q{uVHpm%0A0D_&V}|M0PagdE#>Mp-@3`5#$F2I+;#0 zXmGRhZx}E2*cP&|qfFB9K^4?5Dv3lmdpDbEn`7C_+sbl% zaIE@Q-Ry3}p~*tmCk)R=Gue@A44f6_XpU^t1UU5t;4~CJ?2a@JWv&L}nR!)0lw#*zCe>Wq; zHJCt0VhR$h7d)Br{Z|hI!e6b6T@1fInI<~7(gM=yY_$_l=L@oE%2CJcHf?b` z8t7{3K=y+cj)@OK%dpUT!%NntqXoKh!yoyx>xGL&{(y1Ex?xxC;n}5w0&0`DW5;)` zXcM#73v4^{hO;6$Q*uhW`$mL9A*w>rZXQ3B#Ys~_r}p~RFgeqR4`{pBEVF)nkJddP zET<`+M~`;%1tlj6IGN4(SH+lu3bn!;B;Exjs@&A9%9(;+552JxRj!ycJ(AH|Ky7fG z+>Q=2(yf*zvt-1m1 z#MdvJvs$WbjqcqbhM18E%u7OVyP%$k;$38@J$3i$_s|0@)F!EQ1u9)`6ptI1o(vt( zD~*g#i&5fm z#;!?fsI|CfxTemt@=)Nq(BY^~th6b*Zy{B4n1ecaNg^Ba=z=zLF-Kj9olJ-u)l!-ns-k2T{#S<%pFw4EB|MKFE)e-u4@lHx==E$%u!+Ay>#_MX` z^rIkxHERMU#h?&pF7M2Y7Ox{?v$;V3MXq6h_B&%%;*LWc*G+S7@UBKhGV5*CzlNHl zh89<2abv$aAB&i%mruG;nESErCFLl*IpbrFJU_EY{GIPy_ebB#tPzwgJg*9~9GcT( zR=RfN=gAbM?U9yFBdYSRnJMC_6+W1gjxMDO$*&P`Bh+M06GvaC{Bza@qS2Pqe~uM6 zqhdb7WcwM%#rUKni?VkS= zz}@5?*|8wLA)fOf<`?k{-{Xko-|-FcwmjpHb=tlCoiWe%^3S0ttV6WjpS;hp6e5_P z$1^?r_``JIY3nn7Eej(3kVb_U_mWNA39gIK&$qHOJ)eIu|AVWS6!9pl_}-l`~ls}da`N5pP41V`J;my1jvYWBwV|0I$b#+a= z7j@r@s7<`TNzIiqeF>odOVg`sE^dMyZ)Hd$FuAXmxjM7W9E|!!$CoGdw@6nLd0h>T zyjtWhF%<#bC^Uajd39~=>OQWkMgH<6cH|Y(zqvtO`_hNHuPW@yiob+8mb+TuVLXmP zOwLpO$g69#S5`1yEzWWc?86{o_OV>RKZYssqK2g#Uk&T{YuGh@tbgLay4EO~@|*u9 zfSs`c2Zi(c#X9cCiU8(+T5#{mf-T#CLB~yb#vB&WWD^wdtJm33!bM6E{_y{sx_}ux z=A(Pnbn>KF?@$*184I6~^1O%-f4R)nwI4*N`*fH;BcE2?JWacPQG+pcZ2zq(3+md9 zx6I&Oc?;~XMQ38KmiRLSl8j*}Rj=-Rakczkq4M_sXK1P@lg#6;7Qb<~_O~&1pDu*` 
zl-((_KdJSyTfE`@`jELHW>i08Kl6zEk%0Gxq^y!GOSYm66B%Xha}^^dGE?cGzeYCU zk1@i7;<5Sovf@^xUq$ zljRmr%t&pOsx-Z7x9bM55ppprN~ZI>#)rGxFP+rd4oui zySqD57R3Ryv%vgKxaEp;_VM7R4GMod?*RE~)P32@Uo;`PG{$^W9% z?1s{ie^SbSLuvLEr9(HAHvQxq92QPZd-jR{&pDaN7{5Y@?sLo3{FHZO$YS}!qM@qC zxE2=pxqmaSni}v7HRg~g-x&YemUHu@04HIzK=!wPaW3^lrK8}=l-D#Ud7ST~{~^!2 zhvcE^ykW2ZVY5ny@XdtI41Z3jZ~1>r$h|@w)%B2E2K)ap9oujAPy`%V*aLA13JV_bi&<&-&YE;o*;2!$>I={FkDzvaYqw z_`%PLYw_|QOjJUaqQbik>?fRxcv@qAy_#!?O%lRU zGtfCxXSZv04&xuNnm&#(ZlMB1(P?4?me}EzrC*Ciogx!buIioB(F&Zf>TLvOhwJ9+r3(Y`M=G{o&N&=5z3WNcgfsD z=hxg9`l$I8DgJhOk?TdSnESs^_n7q>qS+P1;m?0TG+S~;ar8GtWcLkqQcizTr}~b9 zDES}Mp+bTUHNmx>sGtAT^K(Ng-@oJs98`wnD zf5KLB^i2Kz^zV2>xgqJ@8`wQh|8zsru4OLte`o^_S0}k~!#8Muy5VaQ+I)_GxZ$X3 zYV6bNfLv$#DHK0?%DMYj7O`O#zDl7T6n}d4Fz+CjOsdXb!RQjrY~cuh%J9DmyAE)wzyEKGWba*+ zgfcTjWQ2^AtdP+yGh4P4Ss6tV*Cr!GD7&r^nVHv4MK;M^|If$%+}rp6%k$K8pXYsE z@7H^r*Ey%>I;Wm4R&sYL+WG0Mv5x%3Jc1$WYmY;Ab*(sfZ)yM_WLIL@pdhDMN3LM( z?}`K($uY?|unwlGK3hFq_7a=c`XLX^b+RmvgLu0Y?eLUcpRmL7QWSQy-p=n;N~rcX zw*B=L3|6~XA-j)kPYh%4r1i0NO&>@PxQ(D5BMY+M?n^{X`KeK6TkuWc!M= z6J`}vMC>O*#@(e4^l=x>$8#gkulMSAml+}fT;>8Sg?)7d3zCNws^i1<|M~!F9aKYe zn2+lLB$Zqbz*J%#q;dxklFA+4hp9w~^Cywk4(8tEghg}CMN^5Oq_Pp3O7t*+untmb zoK{8gzf#HZKT~-JHI?u%Xe!}A(9l$>X+u(p?gONCB$WjJE0rK1G?gIckyJwC1XBrO z9!ce6v{ZhErV>3&AgsMqKJc?(;GApkHihvXvLK23bT6?@7RGzfG>Sg)74pr}xXpVz zUZIFsA40G{-&E~xCSvcTRH+%V!4j}wFLq9XVE;?wg45{6@a_`W%zJ$pIIRh&`v~kF zg23iXzyjy$xd*!^Di|%ulD3UE9FQFjlgyDWAH z#qP}#dBP3g012Y*p7nNF>=0_+ohHF=V74!i!H0(iQ{W^0RceJ-O*;mr^B-Wg9p4}Z z9p69$o_&K9m@Q=^#DKC9H2BoGgK*EbuA=w@B9r!Dqb5Yo{S4U38QJa^FKF3S)j##Z zk$IpKo0=;VQKPeVYG<#f(?6{fyT}7ESbQsM_m?Mm@4Q%34zJOvK6O|+U~shs+5kmp-5Yv9ADd4~ZeAGeP9!k+(EL-$|;$Zs@-u_zEt(Y%jq3SQhv8VotH3I;G z&QXL%HDo-3U^aI}&vYKu0LX&ql3RfM(!a(~>@OfAmzu`&N3R^wo1lW7 z!1rdMPFcF>ZM0H=r1r!hXju@%Ln#Fi_g*z@KPF#D!43;7ktrP&Mqon}wprrsw?FFgZ4-K2+$6x-BKjhAmF1!kYfHrCZPuZkVyg4qqW${6N*ftL-;{ioDo zS~cZSWD*^M49c<^jivDcOHd}!U7*OM0ALTDn{-f_lt=4&kkp|}Ha|rx1wiVEOoDh& znFLAg%cR82{pM&00=i7182m#fO(3-ZQ_TmJNpuKUBa|hYOa?<62HgdUOoH~1U6y?< 
zwCnlMx*iPtP$mWLqLl(FlOP^cCP7mBGN}g0B(SMEEatyt5@PT#nS2bX1t^m;C^Cr# z@d_%FXV6$u9I)JxNi-LzG6~v4Ws(5e^`FtY9=e-U5i4h>-8e}Xm&TD2fupt%Mx^=! zxjZqvGW6#@JHJ>+yLgCi`a?zebX&J{+j&8f`c*;Tib%nxlUXFd<&N53l2e`)6{3Rc zSsn#eYP25PwW2wQOK_NT=|@TZS?kHy@y_d^i{Br3tZz-scr_aaSGKg=Z0_4$ac|dW z@?7uO7{9qtthPQnlXGdbvon2j(b@~RR}uILKg$hV8bW>? zbtws`bLOkZJLbUVwal{GvOTG6H7sxXc$iD)vV*S~sW`#chkuO1jN`0q!1qE$r-@{w`#qRIRB( za;jIlW1|JQu4horIyW-6L9J;zt6rQYXIRP(H`nXQuSu55-&lieG;`}TE2|4lO-pN| zX-M}r$9{zz3Ldujs0O+q`4#}RX4P4+1rj|Xdg>voUlo6y9E33PHv;Hj+$U#rJGKVa(?+H zX(4v@&-I3m`TlxI-yZ{BzcCiBiRZ-@V>ik@c<(z7T%ctrfgvbX?olthBfa2STc7w8>ea5)6+f|=U{;rt zzP>RrgP7^w&a{yf9&^emuAC}ilQMAr_F-9Lvsm@l;FRwCx@RZeK)mdQ#b;TT&vZYE zXMKuetV9|tmuwcBIp3Nb80$kI$z(fbJ5*1LTlp4j&S(~`FD~_rw&UAaOL<6^S;eVW z+Whrj^{nh$mdduVcBY%Yq}*y=cChzw{@@(8FeVk3ZM$5#HJ$EdUum<=(XnM) z!cb<@=SwoPwNa-w-8tB`zT7>1Z9uSZ2|hL3%hI#8wu!$uiaVYI$`pc5r!r|G?DCt#VzS+~ytV*-do&|id=8mBui!Mp`wDymI#i7^F zJvUlCCud8SEQFEilS?|z6jB7q?Uq$-n&4L!FZ~kS+Sta1UJCn~*_7QJ2Loe^7~{V# zh2;k?H-CGp&-%wj(oHIv<5PNUzYBSDxFyg#3e3!IDEwC^n9ANkEXJvk1OF8}~9)hDSGyjdKyJc^t@t^64m&U@& zGP!QHhS|amWpgwIJbDZGIn2ew7@9*TFWmi_G~%fFl>TZ(j2q4Om!&-}v_VpY6&6eI z@WH|7q%E$097UJ0m`-1Km?Mbe`~8XGd_E34QTT?{<#)>!ZLZo!Dh>^c%s!Z}sDP^6J$r^uTd=sI(m zmjnYiImG-=K&ehVpb2*ZQn{@cRydH!Na_A{N)qZ*Q6JH3qD6`LfbY~$lKz2l|Axzj$aj;WnIqv0+YmC#d5 zsVXxZ?MMFzM~8HhFUj^Io}&$Y9ej1+8}aNb^n%OI;j|Hf90)Z3pGKQFXq zdHz;TsfoZf%YTUoPw=%upxzMP$~Ke3`}~@{wOAjxNG5pvduJtA$E2 zHCJ_5$i#q6_A%mmnTXbRuf%kwV&&V^bD~AWv+z!2#HDwn;1G+)E?YA6oNf*c&a@Y% zV#_6=#27#Btpc+leJtjX)P0fQ(N$jEW7U*0Vz-qzolL`etnlodgXhNYRrt@{Q*@^! 
zs?hYOd6J`|DDpli4-pa<#}(gm>?OHgyRG@0Eos_c1oLfukxQrM&eAw*>TlE#A5(U_ zGmd%ZsyB(#MRS~{G~5t@m>6bqJck=!#ycyE?HlLR56DpJ#7PL>MBaq*6_<`F7MW(e=J; z1y?ewu1^hjJ^H8b=Pkn-V8WlT$&+;U4^ZOkIZBs(pt(@wA8u4~mrd!!^A~ugv>N<5 zN)m4yaFk1M$ZrWCzWt7w%;S{Btd3gbMkHs(#jI(*^OWe#EbMWY1luH+Aj-jpEmX5ji0bb^zSq?z$$h75f?#OLbEQCZgD+bW`N%8H5yU(d+qn2tM9OrLj=Snv>FHq1k6G&|v3 z$|W=Iy?ExTWLI}^suY8Kg?6$?V`VGlY5n{Z9Y%i7*KdO*n$&53$#9DDJa~ zuWCh@su#^Pwq$S8QWih5xWiRT&}5pCXk?8k5SnP!ar@bGs>=f-LsL@%x*92)^NZ&1 zDVz#nls`mIw~1odB#jSByBqX;XbM_N`#}05)9K?`&u+oinhMc%R! z*3KJvXY`ut)>J&xG|kcz-3o3#_qs90$u1JmN-bwH;5ZX^*Qp4R>znnSURz5ui`MjYMDJ(hrw1F>r~d$7>b=O4#);gNnL8H{uKzneRD|wH zD!eF-ZtGK9bu1gXdbfc_?VL>if___}S3a-DWj!rii_$5fq2+WJWek6&yaLyzndYX+ z4od$^sVj3t5^`_&o+6ouj88167LN{CH@PuIJD0{uZ#36EFPh04rc!qj!}Q&9?u~M+ z>!ieYPV331eJD-)wYK7({QR1Nj)bV9#6obGb2v4VfB*P4``~jG$*ToHuQmpKWq!2P z%~B{J9oJO<42-_v$6X)jeVIozILSHRpk7gzY*}A_wuqJf^*J}ab2l^2EJfC>3EOHb z(sO-Y#iQ_h?&`6k^`rZCApfK1l@s#T=T;RWD{SK@%k|7D|{|= z^(E?mL?|4rC7|~{B*X(#JcZo$a#~{g5YVUtbU`hxyRE^CI!g9#LP~grjkn^j%9yf zy(y(FycK&*l4)~R^ql8H;icnaIMY%u=TsRJ%|4u*N+o}`xVGj@`Td&Z&BBTxj*`?M7WD;+rE(Ev0nYsMk~`e!X`8r*ip*qeXQfUj5PaWR%%7;j_a37GOUs)EVcF}TCc zy`!vxobc!#4V1}I;v^`tbB2}Y9LH^-GE6A1QZ?mZ7B%Moc zW~h=;jm4MUlPCN1_=kY8D3#Y&EAgsHJRqQve{v`~bEU|xY=1fSrh`Ex3 zh+$Kb)kWHR3n*_l^|ugq#Kh%hPi>?N&80OiEV70rDabwG{u`d666EwER}wx@k+P6# zV*K7^==b(Q>l?~TtCexQsR7@*+ zl?qlj&N(KCBnlZA|3FHwvqaf2KKOnbCXrrsT z*&}y-TURS-l2qVrCIN)wr(v50n973m9V>*VVD?ci_eN?@HrA?~VHC&X9oQB0m$E~91} zLuwFoho3MzK+QVfxeQui*0>8A-KX_ETm3( z23r-mLTpk#>~rO0RdsVvQ2P~{*}H~!yT2k`i$1KCDRKNAQF+pUd8@{dDvIr$b!5qj zKk2L1A4NWjZoL^Hffh8&!0!BeppYRz=hE*MbhmkrmUX9*Ya*@@`tp*>=aSoDC|Hdr zy~(ofr@lbyu<@z-apQ}LX|59W#31XGthsAn)|pizILvF}nBGh?2DJV5xsK#76~~C= zp_lV<6loMLT$G<@^uSh)EH@_|;VttS5-^RLdX*H-xFz%6aUgOf@7LGiD#NO|qKb6t z@YJ&}Y{E1Nk_T&XzLMbz=meH2rM6@#60Q_$xbp_K2%drqeoHGDmEHc;=m{Sh(WhS75nSjK*K-Q%4^G($3EmYbo6X1x>@yE8GZrAjp&_La0|C8AUos%Ie=+!X6? 
zgjqQx!KP``#InMOsnrceMSk#i6mljK{%W=js*aYv)q@dMV8`zyCU1c_>8k0y#oB)%_)^`4}-f#COOG_;qT zA2K(ckCz{mxwpOcc{$6WcjY;zkOX%Y&^wq|l-U3M{u+?foj=~-gJx*2v7wGeefn&7 zECz-*CgSMm{fE#{hoip#bvS$zaQ~0jz)%5DUtc)@@Toes1MttcSWr<=kL!mhod*9z z**UzUqM&Z74^S{2O?FTYx7esdQ5T=Xp-=BYmLk-FsA7IN(DwcT^L=SY9gHd*hl6D- ob_V~4jG*G6PRc`^^OpadqUy@Hz@u*%7=*yjV?eb$t-w$J2R+J*1ONa4 literal 28495 zcmcG!bzGEN)HbXLh#;+Wr$`JX9f~vpBGM(@-7O^`4Fb{%2-4jQNK1osj&u$~$P6&R zd;^^0@x1Tzeb4#l`vc~8&%N)puXSB(t-bc1`=!Di)Cae2-NLw~YHqJ7t=)D%5P4OB z{KG^3nb;e@bh3AF1{gXxaCq3-C`Kz{wR7T0BILIg?9}#YxM;?6e)f9H^7F--Ja-E@ z_fc(&nG;#$jBI?^r`bvG{^VU}z8`+C%&l51>5k`P1*9^JWR{v#Plr4s2xrVY8Oq6f z?!0;Uf@di0oN~8DXoI5p$ui4UQC-N#beCi+u16=y)<@AHQ_a-1_NRtutqEsnFaL#? z1GUQz^EMJF%B@@Yf8sT^cQU;K91^FZ(82j21PRzXHBYbSz8>{!A3UtUJ6(0L^R``i z_j(iU5R1ib3w@~6&O;3#(WRsxPL>qSLdI=|cf^D?YmaniU7Ka9(_aB#pF)%+va!}D z1=u-77NWIjTRU+qlJXP^Z-)>(+Po*bD;X)18&CMdugUG!Be~CL*pyy<1kwO4)clLA zJ3%~*xGgEKd_l~k8pn=pNgMNV;0grNrxRt<_&@ z+i1-s<;S3)FpO|6r9#&^0 zF>5AB4}bV=;r(RmkRGoGdof3l`Pm>oakt|;|0b@D7_TKB{no8+np?LBk;Hk}09-6g zZB1|fb6rsf)*7^*<9pDGJB^^(+>@_m^hb5Y)TxCh@;+N}+l))HjNoD=qC zvQhK{Xoe~sZ2A?7cVxuKV=cxxA;*m&sg@Yw*|)RV+OeJAhj`k;kA_RL*-3xmk<(Cz zvyXG$VPV!uV)P-AUdBxOiIIs-iW?WqL9KNsI{KNtY)QPWMloL8cV4;&fwRD+*pul^ z#>a!;kVBl1GTHYg-}2ADDVq<-=T5iPe>@K>*nh+yjc5CjbNDSKY(JbA`+acmUF z@w^(}32jW36#BHdoxH4udEGah9ABJ##tkrqqIX`WDqMU?xm486pDl2Ctl-OX>r||` z`s=6`yXO!^+U>zqvIVeJlkV$%(u*~0pE1SD2R@!5?tJ?TrFE5t=)BgAf#Vly`u8)=1ua>RAI-Kuq8BAU z?CO5m-h(H`OgO`7AE3^2$MbZ#YingAKgM6&_i**sLD^9Q|C-$=iw}w37i0X0^ZhRe zFnjS9zq1l5K;?->tIzRvj5sJ)|8aGTH+1{7DjDQ|F*U6GWS>dqf~{Fbf-O?`WV*gz zLi3Xu%KXMg!X{eSBZ5b_a?z*b0#KTHq+W+w8%_kn1Whn0_q}|+I*4L;u!W<02xC0_ z$zfdGRqrNPm(WnzAD$EE=R{@h=#DS+V-Q>-SWl=-vl_1Sh4@X#x)_>$4t{hwZ@jrp zWQFwZZQA#G?%~5JZ=PF<&`4w9m&keL0*)p4Wik9xwlM;W9?tD9@@q$KkJlZG3nKS>C0#QZbvkvNf$P6k}{u|K!)^9DBWm*WYgh>EFgF21{;;|}M@ zc=tG7fqRnH9nVaG3f;Pd61zI`k^S9Z$?jUB(OnV(r z(EVK8*j2d!R~-}{S8=5+Jj0AbCfvl`*;Pq$$`X&zQ4_h;hPO>$y_&M1PzWZdyz9~Fbh4{7MKJt8igwvE6%siSyY-DFU-66g 
zI5lg*hkcW=ZMofWybQS=zqcRC<ypKLa=#{*%}aJ2#g%4`+AuRC0Ir9x`n&=XLgBbc zPi!B^z)6(i`wQ1A3s1$>pLlwoRwgwRn{rsE#HjZd_Yt$glb9z6)>{rq3FL8CKP*$m z5s9HdFF#=gSu#J=ZZS+n9Z6Tt|0zxJ#WslN6fLgp*;^(~MXn4(hV??3_K%#mza*p- z39|#29g?xla=Mn6zc69YG?0b{3G&)|T*)!~;wUC3N}4(59hC{9y9nUo;0}FZ`AkuwX8kTob0ry!}PO z#OszJl1%fj2~s%k|J>K4Zh2!cwd19cT+LfpgS%vH&BH$;3nuL;-{|A`dN7)6h_jT% zWbux0ggO32$mS!fk1grsXL{WI!B{iWbRXM($W$GNN*dX{B#lvp2-x=?^J3dKY2@&BPoUm90YaEPW zR9N48>n*F6hl%}36GT!j1fNdB;}zF=JZANO^cK^bHnu!gFmJ#7>W!bjHy1J)Z#H!M z)!?8J^V4U=TT!)WElVT5RgMM3S zLq?#g+pff*Z4#E^6g#o7-Kbrie9X5;+!zsiHhUcBRm%BC3UC*nm1QyA53?FRMA~d6 zK_#yRfc1c+L%<$3N|L80i|fvsSJA7l$!QCLV|Ejmu4O+SSF`HZEZBP6l`Q(2kjb!2 zTPBI-|0sC)SZbJ6;GytmgCgQWrGjyn!a?mGOR>~BGWC`dy^s8BH5Y(?max~zUWJ}z zr$SKe)~)?*lv^Y>OPIU8leM#jsi})I;QHfc9m}vznEM`Aijb%FH14>3i@%plI>&5w z>;5ASsh`EoP52w+vVpHcbrjjtQV&k1sP|t@-1?}T^Qg9Yn=pF1Chs)%4ISY?A-{^& z$x2xo*nnD$cW`gro*J@8efevh^ zY6~<%aebS;!Lx2BXU4wXi0xs2k!E#U`=m5Ao-%Phf3IUZ#QU-A!HtClu0-p~EahedERSy!gD` zo_+1$nR1z*OKX|PoT$(GekP*X*3WnI95&byI#|{Pb$epn3KSKEPYjmoH(T$eu9a$0 zw(LRD27BE5&q|;0*9!X&!8Ux{eHqFti}KI)UfW<&W211j6f&PO^Zq!BrAsZXmoYT6mZJM6 zvhiug5$i7k<8i6&bUj1#HWiJJM`&@bt|rd`VwoK~#y`WjXU=K6eh7{aJ|~;{XF%sCGHQxuy-`V0Uj7mDB^^VQ1=@}{lTcpSzp~f^1aOll~G^C z>@x2kZM}r1q~t3Ho8E_`7QmHak%?N)Q_+cY zAiMQJJMqHB#nxmLZ;?{}bz%?EpsAykoxPMgpF<)F3#Uu3;qVx$dpPzYO?3W&Q)4ST z8v*a8{BgcJodout?uhn3xAnwG>e#Wo`iDkgj#4%pUDmXO*UZSt{F2}+>d29ji@Zsj zdtPf4U(MrC=}=;c6WeB6=0Se(T4&3xGyk(3h!|iqVQVaFeCF4>+mz1(u`JPx(_&9e zJ9}|TzrI!w#bpWPl7@nrS}-V25v8sP6s&wHa@eZ}grC#+l#&P@4fd!D$>w}FVNgor z3t3n!<8PM%iCm1f+RTykliGQm=dN_fMA%+zbqpd-=kw&3#t?kaErdtHJ?b<{@%0}) zi%<*|G84)Y>zsK4>Cz0V21L(WQTi?5F;g@dpl5FpS()e!0rG(nV+Q#5P{1+*gO za5H}1WpO9@NHVPiDMA_EN?GoaQ9b{b)Ivvj`hKMxapdOQ+SJRJ1|B@%RRZCsM^k1f zi3?@a8e7BWT?}4cj{6Cpn%b`p8kj+5`Mm?&%jdBv`9;omLh|{&@0!o(mm}Qx<>C`m zbBsC9pTE@Q4}(GMeRm$^QjPs zJCEPm&AWb~q!=2DI?uHpzBF=%2WU(omd=5kBD18zC6qtDk2h^LCNz&?E!NnYBlH$8 z`*Akby_Q2RoCkU^E;^1kXTm9|&LN@UE|Gz|=@f1HZQ-B_08rEiadxbyY7c3Jdo<14 zQSt38xc3kCOdVemAA122QYEw0<2zDEH5d 
z^RY9vO5@+XsOT5FDBq<+VPkmNLQzWBV$&}39hYa>=nmEiQR zP^A_-=QhKA>!VM7_Cn%Br{QDOS<2)o@h^-+Sk><5z#h6X+r4hUbChB{E_@dImMi8vqJs$=J(Bm$%lnt&C# zY1>`+I)j?^pWxO(ASI1b?0(ZeiyY+ERlff6sotY+fFL_Df3K5;8P-WKum(P&8ERkC z7+SNvR@q=(du&&g$PIp&@8JPH&i8^XEgg3lcH2$FJS4JqEi7+NdMzX2nf{H?r(xgM4w@HV-N$XXQq-=et_^?Pdw4x+_dI9fx z@#HY0$Ew>#wam`1aE`0xp$fmeIH-B9Cddz{=PMlE-`4qLdk%|WitsL%vaZQBK3#X) z`rcP8~OWNQM1rNIdHqi8| zw2LVUz9VY==k@()U(ppX{1^t5s`xn?JoV!$KbSe{|L&e?o-}&6%i=E5Qi^JR-Z7ZA zohOX@noU6M^!4!|)&z*g2zPrbVnLPR!^h+CbI5YDD~FN2pE8l|#=CtFeAJ<(2PjkO zOjP>fMaP*hqVK>zq;_nEiiE-*m~i$s3XNhW!tl5LkhfmR9kVTn+*9;+tX3XQJhpb)gP zddFy%@!AjNrc9ODWBsSIPbv;{@Js1y106&g*ADVVS+K=3qY%&e^9!=Gqr(n;m_TWf z$hVl_Y1a3f}ri2eXpw-dXF@00E^8L_guGVMDKs%h6z1ZwwafX0R_7}pil$nl! z7rBzJrDs9xnJDe3z{y^Skqmd$g@8cs#@O9yjaj-8<2k>> z;vr}MqiwUp`ApNsqNj=Q|*9`3grPthB(vY{?zI=DaI7y~l=dDJ|1?Ec6x8zpO`l-&6jeYI2(c*CugEPJ@9wO+v1Rn_5IrL8l^!!rR+QsQFe91Fa!&o&*6 zyc0~*-1!Y$!1svBQpZ9SLe7D6n3*%bSsvmDfN@P@%&4el#f^f2bY=&4q>8uvodwNtYulR=e ziyF796Wy?`FOh!L_Hff+M`gH!B^on?G?6>)S^b(aabQRQEWUmK@V8KwWU@+$G=YUyiVEv;AA)0E@h zbN%>MZ$p4sBcVH|%mee%6n5BIOk$``5!HvL#pM-UESsmKwEDid-Zo*t(zSgjrVdhP zy9$+)HGi(T;?)JyPdug@@RBq`mU%Y|KnKIGl5cvbNz`=(W%@l>tWYxlrPAeZM}%BE zQXh}QKFB@}|5cT#;$3=#a^|dP(_H(^eOLI?^Ey>yKM@@@g*^=$#i<6W2#C|A@Iv>N zB8p6^sp}c}Hnd#$)F)jslYMqr!D`A++(-8 zXaf%7+?9<@dnr}sp$W>;DGLN^%efag2D?($Y)Cf3hLDk!Sz9ux&OxugENE6fo2hcU zUh5QV*sj@wg~@C;PU@ym4oLe}4q;h*cv5+QC2ZOg&HiOMKmUVrzW&iX(;CMS5I$r8B--uOhObyS^Rt3h-YWZzpx>$pNw? 
z(!xJchgMeA$y~Z4&-!ci%j}c+?Qwm#hxcSc1K(5F!4+CNzihSoRUsv$mmbhrl61HOi)WKevpIU z(i?|qg&+ibG|qI0sGo0*ahdjlY)*%>i$P8}A#8hZXC?Y%vXJsYQqv&RA;(di7@>nm zT3Jd2`A(l(WdN-xGhfi)P-|$qQ;3P#sb@h_?=E=fKp_Ph8*bl&FlqzoQ&<9dpdqdM zsRFfD;<9Y5T4?IvMr+nz7ZY9;_m}xh!>>oN#Jwii!ljcg`MHN>fyQ5Xpl~~53R^u}*R3#l|EWZ1E7Ka&9ofai+Le+s<}5-zp!mv?3U z$@`cR>MKI_37Qfq#5@8JzEF;mNM1PJoSziHrqDB(CsAZn(&I94f4t8i+8qx9eKl{gD@e3%QsK_=bp^L&-Th!7CVBd`q$#f-3gy^ ztD@R}67Cn$E~R7*LjfK7y0>Dt8yR**2u0G>-Al@>xB2QnzxX|>=^hQTwW4l_awBvw z_-2Q~#Ha6l$9GqFXwSPdc>z}MSwo!=qjglTc34F2`H5tg@oa!SjH7lv#(U;dih!g%blNVtj?!xn`?lzT|;!lO>1%2Rf;D@rLGx{(zu4KQbI?O zK0OuabcuU0{84L(qMeCD7Veh zz-a|G|FxR%9=EAUBRzQ1LZLvu7K8qDm^HedjiuyGDv3z5MAdga3Oyg}&k-e>!<$|t-Bi$M{m7P92 z`jZ?g(Gr-o@=<-V?y?jRRs@gT7F#>;7MVNR&ABMV90Sy3B?Z($gyzZpbkY4xJ3J?G ztpF?0`mfMQVS--wMmxj3T>(o8$^!y6MX&vBOd)0nRGl3^1Sk}|eEh*a%fo-pXHh#1 z42I8na~+|7^sJ!8>qU0nYoE00PM;LB&p{`XS{;m7^#M9vTV+PA8MiqWLh9)qkzK(+ z1a`pHYQa;c^86DVg$(6dhiISBSWm$fvC`O00NFhkX`IZVX*f=6TPfvZmhD6v`X-ZK ze33K#bH=Znb(@ms-_b!w$Mp{YO6@D3e%@zoPkyhri%Jnw*{0X9v3X09ka=%{^6kg_ z8g;nG%cT`!yvGZB9W9wtEp2DV&z(IQyJ{~WgBJ_-lP#qCAMe73fnOmL)S>2vVFg^B z<6&TLS+hM^cqS0T3Q(JDtF8-R6GxubhE%;To^VQp9$q4yKR^f|#v$=UfRs(4O zeDWRc>@HGW(VWW=VG*^vpLiciCAL_6Qt9K;*vbGAC>HUWRHSsbcdSA0>S>}WZBu&L z$Lia`u|V5zk`>KYLs@I=1kA~_UvQZ}ADR?)-NGIje=p^kc>G2^BD!TLrjT*oSwfBS zBC91Lc<{qYYaG@dou~{CW2z9ce&==GUjN)+og}<-VOF(`&8_a-dRE;41j%)c7ep*X zU-?sKj29dS?g8`P1&{n}a}t6=3kp`L%RwdxB~lo# z*pnX{af>ewsbQ>lOEa^{*f9ilSPzc1^paPV=V;#bd_jp}O@+%H{P26IpX|6)Os+%T zQ-&R+1#_v#djBxkC-KPIV7(Z7A)%?9htq^s%6&^rIeMCy7*7`iXUkf z11*4>yjTaf(>dIT>8|T3vqa9G1PslEICc7DK8A`EuC(=8x+3;P^Ec52u1fDg8>=ti z6-oxRED;fkt&i>-;+Jd7P^m<25LkRZqxXu9x=E9zfdfO!+m=e0CmD!y~nD= zO$)ID^Ko`{4228FeYhnf2GdDZ+EbHsP8#3=j_8iui-Tf1$0?7iao2^$DaCvoybgS8 z$4^LJmN6dX+mnEsg6JEL_Lr}zdkj+Wf@lEkF1%GbyybInU8sHE!kxw5UMMhmQPp-v z830xqM!lnx1b7{n^%e+VtCGs10lw}qPUr(@L8z#etl6S$j5bgy(DcW8r`oDlQY+M& zHCzXcLZ)=5!EY>YIPn9W=&s81o4OJwEo!xhwW-2`tSb)$4=K%AUX{EQG5t_g^3XK{ zKp`MkCh-9NwK*qv0VD~56uxy;6c96?f96}}&wt59|G4S3ucHU<3-`M+K`43JG5(hy 
z(LAZ?zy*s{*domDqhUv)5JxJXW*Zd8`+{qiZY{ozU0)_0nF^b7TKPk*md3E}Rim|P z^MBHC(EHe55ny}X&R1sPH9Y$LU7k{N5%~;V~*s*rNqbWnCFjbeVDbiE2^de>8{&} zpyG5hM!pj$67aWarr;~UcgSn*Apt9XM*`;ApYD)29U3#Ze3ikN+ED}v)}3UxDExAJ zJC3YnvkTDQQ@WBxw7Ko}6YJ>c(i_)<-I1AID4mo*=_aThc)$__*;6z`gw>s1V)N z#Y(G%7htS0aU$i}wtFgw+^vm=ySutijMcTw#y|*vEpfsX*KvXQ;Bn0t6Vn=Nh6agr zi=Ks4TSZR0jnE*szP;e3*~5!3_KenmYNDmbvh!*SO3Bt-YQ_c+C7rEZUy%co^FAVX)Ek&Oa;YLIqOzgO6)v*K3aZK#|`V5MMO_S|< z(&}l$R@N0Sj97J_ED6b43Ex|d2k=?aUe^nAt{f(I2pX?t%Cv_o5zi@(fPuE2L!pY; zD7F=r@0W{Tn`k{QV|f+dO|oY$-C`EithvFQTWSJj`flT}*8oM)=NkzyiVS5Wn5M>~ zt<=7?J?DJnK?wJ*=c{}MhN}-$LM@}FB9DgZ^e#Ww)+|(YV5x@s=Gie_<=tZ(>CE;ZzMwk|BgOyNDNw&>Wg|FMn^ z=73Uo=cv&#>tjs$sm1&P`st=%YRpI{Qmv!W1oCdo7}`1WueL{^ELh6c5)=~U>JC3} zgY63+&l**o4K@P(PksekbVBKI=VGoXgVHl=kAo-5%PIJ^wOX1mN;;kO`Xg4<${mO! z*0goC_6*_pHv%ScTZtnDgvTKTG%rw?i$Qmvel9GQ{vp3}&eC^n#!G(d-LK>2gcd}* z@JbJ^o3{`(`GzQL{AcM{S+N+|ge(x|l%3DYG3KR~ z`vb|ngKl&lD^jtKMd}=Mr86*E{Jy*>dvjI0h+p<0tVTn_udP%$dDzO*(%1fO0)vPx zY*o;1!x?VW7T{eAvaNR~gzQ%v^1r{>yXOhF>RghL?L>EZqG%5mwEMVj!p>kPX6`CY(g^JhnO5W?0S`|thXP3xYqi%^bvBE8eBF8 z9Y{WtVE-%#3cq|ACNMw=)C80WK0(W1e?hI-X4XSJPT2B>a5^1N_hWCB+?gR&l>0d~M(o*NYwXoyggibK()GsnN=W@i$jn zgXGoCo|>JQhQ_ja@2ctYIlr}8tFbA7O|B@M%D72p_w&U)U!YVr@{p7!S!~IjjX&#r zv@d+c49hDGytH0*wv@bJ#3e3Eeq>#+*a9I5JYPG8aFo#(T$Nzgv_ z1ImGyd>vh0^W-bK3K<{Lj*5%jmIXc7TBw|Wz))O|vh8u7^xVTuX>efcT(3LGf}t5N zIrFxDE+9nsSD)IJMO*DWPixnStG1;Qv)NOhZ1e@K++vZ>ZJ7Wr;WsVEB2Q1LgNwcp zbKIG#oU_on^jgrA8_P`Id7_Y?Ayk^0IQ?)++|J&kvsB=!jqAu!(MU(2G%h1U)60YR zBsvZoUk_4`t+@ku68~#z+3$eoXN)qsE#ZEJU9Nq9w1~%HJEi;ZF7@meOw*Rxz4h#k zRBSM{7_@39I!w5X-DjD?c5M;0U-sZ20Nq^XH#1-K<{u97>pfUwVC-w=JrqYCl{wyL*P~ z`Z{NDD|l!Y8XRhqZeQzmK4(K1aWGoG!}-H~!^^n1+g#}EJ~dVL*#MAcZ^r$=BE&Xi zrL_agrPsOoVK!1JYWPU)l2T_@>Kgd0t|KFD80HTIoqO3|TtFrl);-u9F*+8XQ+wn3 z?u!1B@xrxj(l1>Ws%U4xEQa=J>Nt8|Xzyj;)2ZtTuM6vI~S zHsfKsqxZ8QjUosRvcec2ex+XGS1R&=?3nZNBr&79IBBoU14(54q9P~ zgbi0=m3S-_mweY}#uC<)>908v5vJB*yup)Ds#27TK+$H5vN>0e-wP{YlAFpk-3p&C zSWgH#-CQ|8d})tZ*Umi4+%f%TZqfEDD+i4bIkiCr+L3jQh~mT+Mlb#x;NfS&s5BwF 
z-9*sP^E5s|4w2!)G%v#%K@-Z_+>Pgl)tr{)8<>6MF#gQ_71$H=~5Y%Dl09kDZew2V*Ed$(mit-u((G*+=>Y(lGopJx$l%J&e{8(2y!b(KM(v>}0Ef~+lH9jGn(asPXtRofT z?jkC>oKMAM{5evE4qA=;Ik00}cUqgR+>T4?;fV2`B%Le5*CwGE-K828582b*rtcGi z3c*t2m&z;Xier~-HU-hglUL)eJOmo@a9TBB>p$%;iHib#FSj(>5uf^kaMn8$L)@K? z683u-Ri=QOnS({Fn2u^tfd$*8YFpv{<=X;zUNA)T24Va5qE6PVO%`G6-Bz0_q*Q#2 z{52=Jv!q0-vY4G&ziaOjL9EY!jd2?ay4g13Vn|=qwP9_xA`f_VNbw@iJhDow1n&US z@=Ma7$)t zLM}=0yjfFWjA^AJvvjG-eRVf)u85#pd=r1sfg-I~(}rbHcs(_$wCynpKx{4Pxso+P zY&EHeDiSVYJ5hkj*8||Ys5?+-vrZ-dW%$Om_G{3&=OS=CWj* zr?jS7*cqBRBMi-d)-7mr4^X3&u%cFJRB8M+%m4|-65fL{1H6(R@UtO zPi%Jn`xmAbI)39GNz@EOEvjCIT}3ou?KC#C3eN|mrtgQ{{FE6HnR+{jc;vnXvLi{z z1NafGASAcHK^q)3^kRiFbE0q*GmxPlHS~rs9q^rTS~(Qy+OM%LzjB;OTXeakQsYy@ zRUOw=boFwZ<<96kO^&u)$#29dZ+c=5uI+p*{ios?$n@%K?%wQ;Ko6neuf*N6W3Op? zWn;hm4cutFS3q`l>E_^H!M4ErY2`=}kD)H6o+VcQL6kOjtBE9TAaImJx=D`6&LSiVSb1(n zs^j=mI0@{fFlTqS{S9qdX*-AXO`*Eo`89&eqPdN~c5ewPaNT{B*^NkK zxDX`7iFdS!CxXU5D6^jTbk<~PQi5QQN?UzI;mLNUZ1Z#hf{pTxR-SZv&kwaPE^8c* z;HOQ?yhj?Rv+&PN?JimB-axY#H7Lw0I-bPU-6 z2NroZ`ZX->gvdMK5Nz5nEIahd|$It;N>zf1`)+;aYDaJwrX`6 zl4$LCG?bsOS(!5W5o+%V-OK5^)LN-%?nHyv-neq;YB65-u;pzFJF>kmv5NMWVPz(q z=<)2kZB^jP$~H{xQ&j0SoN5tEdbdnmCp1Zm$Qt3+Di6i1ptqbKUY}w0i5_A=lBvIt z;_|3)&$_UTe{K#|2kRMdMZT@z583YO$bvTP7>ZBn@=cx{T^MFbJ3dng8ot1ngs`%59MKfhgEja|F}x>Q{5{Y3ZEi zffZP*#GF#xuI!yD`28t%lgbUCqcr3@C?_b5DpwJ3I2Trem|(Ljt*HZX6fi*FK+0u; z;Lm;#%x>-tYseZ+r*Ki31u;M=C`m1r8P2^ZNtMmGZ1SISV=d%YeXP?SHyr63m_E_~ zvy}{**VGl42o+nqgHau;@v>AV#q9tQhQer9y#SlpxDtNLTQ|(BUVx3yXlE7RU+|h> z1_5izc^=p@YNa8?s5Y@M7ZB7$DlK)*gzpHzqLm2q}l@h{13whDUPWakTqXq*-LK)k4j#HCPr0hT%t;Rk1OiDxHJ2%xt zpUcV|!{DiK5VD%c>vL5c2STP1YY3)i^6$3qkFy<>RvFd$Eq}ISy>gIkgwJ?czQCxgebb&m5s=dpzE`} zAeKK!L#M2yLo}>YpQ9tUG);}hj)>Su=k5*oc0Q{eBzT?BEAZ`9H4|9TMUZAFap@#I z)Eg?Ak@fC$&t#m4I}a;mr89Hx|gG~Qm4nUfL|H+r2W(pk^uhT_byFB*O@4I=c~=29KyE?l0ap={}a z&Y=1N(!xcYp3x1D)oqVMj9=s9E#6{hX9AQmSuw%_kflM`%D|j5j&P%AG&sXvg_%ix zmys;y#|dBBlJhUT&*8|hp`zoepyH>ouALiHXA3u?$BWkz_<>O!Ne|MRgZs5#L{TzB 
zi-mNnx5gC6gx@zyHOC$?@}b-uxos%qNPj}YMIlAPUG2x$QIq>M+HzU!SpN{XO-Z_k zS>P-DojqWi>_-LJYUvn`?w%oZw<}<=k;-Z3%W$U3u#sn_)u=B~RAbUvf-&M3i8V0S zxjrM`>jhNhVSSq;bn$(_Sj|K$Ddf~jSQ%(K7m}d83nXn70(`X+k%3?%`+~APU|dmu ztDU|3prbbYbAiSnwC$`pk&FlQi+yv@reX!XmyKepUaKbnc-T=>gQFg|21x&|eRA-l zFlXA%x!%61yc0v%?k4SdYE*g@Pf&#HuF{_SIIN^2@k5WK)1qZi_!y+&7aP9SF$Cd| zV-GWU+3~RM1Fu3FrFj8M8O}Rx73%xNuZO-YcYjaUqJBC!ah!rZNhuKI_@x!=&@w^^ z@InbomYP@%+lwEpin#pwd6mhKbeCtrKS!Sgzw_|+*&SQ!x7;sX^(p(edz_kxsk4sY zCpI6)Hk7pVpQPz?zBEjmIEgt54A>T&Egl({^Kea@Sm~P@>PAssyo_`-X-{HhsB*|% zE2LyhhI_wCGMKaO2idEU-nH&=vI00I*S2bxt;XHcDZTMihAAhhXdkUw_e!_O7fiJ{ zGVggPV=?%4b%wl!Vee{vPfBXbs39m!`E*VME@Pu(JFT6(!QkgB=I+nPyrQAB*Gqz! zOI?A+WOhptBzdqFF*P>xsLduATk5LdJdaD;rOr)5*1ARU$39zV>bu?1YfNrMMJRx1 z0!RB^Jo5K9P%2eS#$P@FzI{iBta@=ayk|b9kJxW!8Kj zlM`$&{d$1)Lxe?Uc=RE1nawV0%Fdplgn-YGld_=1K#T)1W|E0ZC2R$=%F^a(3%^!e69+m6hTp4qpv zGIBN*8}Eu#OHNKM2sG^cwSQzyO?nHP2tpmd=CXbMw@w&IoBrsdV= zZ))_5S3-c=3`WRNfSV@ph57i(Llyf$W!YB@r12DT0VV`05rgCmV;E`nu>*8g9-a{< z(bw%YHFpj)B`j$P5zHVJPum;!K$Z!gz0yC(gly^1o1rQ!skv2(Tju&~5I1EMpo-ajNz4OzvGw|wz1-d}aq=L}yJxcraZ*T?iH9A1yj zG%uh2W{jktS~ia>Nj!GIh|QnoFJ^lNzMkV7pWcys&+t5+o+b9h^}TN7bKDUX=K=r7 zdMFdQhReVbe_t*-_bGSy)x9gBB9ZU-B2ivG{Yz7oQ~K`1yYUa?-Z99$qDkqzG8A<+ zm^D1L?Jw~$x&#;%?-yY}L5!Czm7 zAt(49Z&&wT7+-nVbv5}-uwiK#y}pz!|6|y_t6_v!!x;Y=hGhAazU>eE3|IHmWC$hR zt>H=`H9-<}{SNh&2dIB|5dQ}0!D~uI3{nnCx!}r9mOm&NU5-I5`p4P$H^)e4+qRL; z22T9pteQAMvEM(=UfmnJdd}>gI#ROV&R)otpZ(+P)xDc&Ievbn!^LkMj_I$a_*(}C zBrnEi6~WbgK1^C7NfOgYCuy{ta0w%f3bt(AMwkRq7HO_LI}T~1g!3_}8XZ~i$k%2k4{{`awn%Pi!JNQRNm{O8O|#LvA0)y; zh@x`wj0!?jdcP8k(gaJdC3Va_3f6Qm{F|q6+Rn-du}?^I%@zzHcnW|>dFjM3bXwlW ztrUyWw4EsTb0SrSzP{mAk-blwWccg$7d#_cX?i3F?+t%bx_(Wm$-gMgxu%ron$r8% zl=@*%R&7UiOpr>l{I-cnn_VFG2~R?jCn^|^E|upmkBWs>99+>=`hGLN(#c4I9Fr^H zcn|%?7bP=Bl28TCuvfo1KT%yFh!jG)Vl#0iPx2eQzvNL5bgV}W`X@HRX;%p%J8lf( zIsI)g`2R9UBEiunpd0v%ckKV$oa3?(R(6W?tMvMzz#E;JtArvtT#5d0G?I{56>pF? 
zez~*jf#kKq0x1twDLC?Ip)k0|KAGGIm~ z=eUgg`a1a12e$F4rs)5zY|LL2(O*+^yt0}$LGOcv@K1)lO24{BLh8IXn*I;$tp5P} zkBbANWZ=m|OvPiqv0ZH{+S+C$>qyqm`(nvz2-RlB_{Q9o~^MAT; zlwMDDqb!nzzY7f2k~31mKTGZZr0oAf(U~JAQjy#La*ajl>UxluU^&=g=WWZ1it+FqX>a{b)hEaati+9KVt$+8siCfzmHE54sz&9$DbLkFf>H4L z8;0Cj7^CR#%6jFjt9NH3<=@4S#H>-&Xd(LV0KIA>-Z)ZK2*~{1Kfg;6h|x@^|GT0V zNWbFL43H`QhJV8rcA#P2H+uD-zZZeRxCi&uf8w(`{O&_K%`ipG(Ega>UfWfcV4(lK z`f(0C@EE|P_?MfQy0k1L$XTu%x~n<T4`tVD$DvS;=+?)SbVclf@Kb2#rg|L6DrJ^%50pXZ!=pT``> zhakylN$BYA>a|AT+Mpodb59+?gq)d=qnG%fK0sRgp(J93;bVpp9}Fdcx+AWpalAW# zdrK8Cl=L9){ZL}f6A0xF=6)#g!}a~KLW#f(u8}8d`MbFR+Ss4;COa=2H0^mkumQoVkw1;ScZ_7<2ls9QY#w!Vvml zr_ckTA9k9dlb&y(DrL|YPtttN&CTg^aG?tdPn654My2Vqcb zo+uc-xJS`bWe0C>r=r8&Fp?+9(wX#RSJIHI9sq(RIsyr+3ZR=nGhri6%I^LG+Ui!fiL5KK}@{IVEF-_Q<54BpOq z)3YK&613mjwZD!8`SAmx+ueQ=gnNi&Hzv@cslRl~&cy$A;ow5ps4Gq?KvI9-K+^qf zJ9zur|3|`hXWqM$gd-}$Mwj%^lL;212#xffVu3C&4M6^2IRL=}cON^UHb>6|80v}0 zi}&~5<_AOE!(_>dQ!wF}1%u-PJDZ?AW;PKCw0~8zdW5BU;@#-Q{nY?RIBaKLf7cUW zDr9g{0g^&X1%QW@3V_sZDstwWsxlzun@8f#AsuY>I0}&|F{{fW3>=SOgfk07H#;scv5-=dgVM5Z2WgERO+- zgvpW&=oGY6;JU!dCTNeLqb`Rqs~!)#>UZX~FF?Yk*r@T!>?sGWi&XrQ$!9piJVrz|JOUk13NUF{;$g_-4yiqv%m^C|#YpA>GKpz$fJ_RTq2~e&^)W1&#D!4CWJ!&~ z@(GX~w1UBLfhChIpgo36TGwG#J&sI*q|mCK9VZnasePFQ@i1i)ocEqgE|g|Snqwdw zAd{E|2gqb7PB!bYWD*xb5R+vS4oj;&mbbw-7Oo2{nG^=>F=g@?rcBo3R6R&)UnX1P za8dz~LX$}l4^x0ZQvYOf;&#hJ41@z@64T%SnWV+Y1sG})ESbcCu>Od_G9E`JH82YX z*9DeLg7%m)$%R?bdm~mS`ZlfYFDwCnh)0Ka()iT&!P0918axneG~z z4TqJP^vybmuP*nsf`>Milvn!tF3t}i#Onvf5d34yRlaar2lpy(o9(67>%H0bi}PQ7 zM!z>_&&*gsfsYGbdD~<9cDvXIhHTHRWa^rECp!R~__tNH$%vZjn+^2!uG$zf@zL0x zM|1^mE-WvkDHDe;*RV*e<=z;6XA&|d?%q?gT``jQV#~vMT9Q@V33ZmM8_!?tj|VCR zwOIx4Aa=N@c^DqW5H+`G{@dkeDd81aFEZcTz7u6qVkyu+*IQ)5;O8_6K9;&|1O`&0>%Wkq}MmE57#2EKPURgR!4V>x3I zlbWz`Bg2~iegLXY+_TRyu4;QB1YQjtKC(H>u(`QD>);Lb=*okSLw|C^xyO?~TX`(1 z!zzsie1^m&8Isy)xtA<&Je~4MWl1$#FN|ps)|XrnMG2Hhq0){ttoKwM9z(J%GZ>wh zLkyto&VM5`aY>;zd$D!gYsGq`Olh-d>?ld{T35Uw-NNd1sv_FFUmIUU=A}Q&Dh~Gf 
zjuS3kmU@>|OxvViuo^I-L?vM&jVE%x!n;{%Mad_wusu&ag=Ija7nKt_W{79|)H>dg z=&U&W%l)YVjdOS?TVqJSob)Daeq(YPQDwt9b!EBOy4z=5veIX9{?_7@Z>L9UVn#CX z5%t7&Zn^%Hmri4uNJs7%Xvv*Va~n#DuD%qN9ldYgciaAM*CubVK((wu9eaHZSMI`o z-iHsc5VWcEU6}d$zWsQTy?E;T=C`ZRM9Om&WvC^u)nammEqL3x(O%$uXYY6L^4?8k zyOB4lOA#rR0-U>8J1Z#Pl8SPjudhWRV^g<3ZNaxvwGar&vPhZ>*1+Aj!;9# zfq`Ofx30Wim-kh+zNWw@RoOaxf$wuupuUGyhBP~rtmkYazjowWm7{WH+LoumQ=WfaDfukU0JsZA|s^Vl@fztx9wbyfJsKhhCx|9ZVK$LLJUXlG9TDQ1Mej&R#U zSP;vG5m9E+;(%Ur_E6=q8UaozqoBvN7QNp^uf2_}h)TTkX%y4^~vmRB@H6|wNyK|96n`*kgL1o65Yfq7l-mm$fHqg*) zJ=^-spc?qL(-ygygJ5v&U}OnWxilcwDA#f(GR-8!>i7d;QRurjPG9`>81mz-U_nud z^6|eR_OkpMs_B$dc-KX^rdJJW3L%Oz)ie}oQ{58L=X6g+&&oUbe z&e#W(M8mP{qXT-dY588o;?yg_vY&JLV)U5sDAVuDEJNPbDCkK0Sr|Ww#Y^j@4Ieh` zaafRxJN&ZjJ9q!23)%b#u>y=k7PW?VE6Qq25&u&Qw+N{}jPTfDnsy0c`veQu!;>~Y z$sf|Hp6hb9iTZM0!J34!(x2JTi6BDC`eFC8M}1)gbzFvK(FAo-jBIB;gE*gs z(I&LLEGQ!S)Nmqlq}AnY>3WVySJxiv@xs_Fv_QwLB zZPi=MEt~Hc$uDLu$T`g@WdZ+vlss$Qd;M4 z5GncgQ0C5+;Ygtg6tj`;$}jT-eG@@0L+9XR*dXKTg{<4wzEpwq8HVC?OYem9m;KYM zd(*6EPg93y>n8k=JDkKJD9Jn7?b)I7!t`Y#^wpgDhghV~4B?O!|LbQID6izx-GU|q zCYOztUL+F-dL?ds>9{IlueCswR%h+S$g|q{ZonXahCyqIXUIltwUWMqxlBkV=hYG3 z<>JMa@u^OK9ejR~rk_sP>18fFT!m1S9a|m@1;G>~-H36WaX^rG1RxOd-SeMaT)pfp zU3M-nFf@&KPXGk>7zMGP^h)Gt#;ddLk6!R@6 z+-Ya{J*5}Dg;`Asy0u%}31!|=oArosU6SqW3eA*bQikhgNHkS_rQ^K${-r*%kWb>9 zQ0ZnZ#@`COT#qdi@~HzQ+PE_;Xj{#m+aCFF>4%=UTXS6KbCFjehr;sJJbw!)_t>h| zBSknoQ*K?C3Ki^r<*fevEKhoTy#!0$vZeO6;&n#4k_Wc8&eW4MTf9m)b-)u2Pq*(d z3X7({&^J6VJuPgY4IId^Y*R?&U2Zb%u)ystn%||=>)d0@f+xR!WgUNQDx{`Zul2lX?djF1%)s}< zNXuAfUtRrDCOyTi`{b;rnMuBW*Ez&x*o;7G_+(wP%ua{Gu1EXojPY_v1bscKWZvgC z`_wAo%4h+!u#(Ojq9tt2mjX)>r($cRoL14EXC<;QqToQyJBViMKYah%T>qZF$T8|d z3kA8_+@cCokr;_*g2zL04+ow}c=&oO#s)g++$`SNZIIu6w7CNMzV3z~ott`^@O2Bz zPZJvC#zm)mvw~lfOBmdoKfzCRvi0L|YUAlBv66Bl8=H8fXcP(WV0Zlav`FlTVJBxhTlI;AHY4jy=juDb6~!UDH;V#7?8tWvpF4ukds6W?PZ(djanYhPp(y z<4>4W?gjI3Sm+E(?oZRP`G+&^ z=CJN13Rd@;>5Ou(vAog~*X8uYx05c*vTV&sp7vQRk~uO)I3pK3ugRQlS$c9hlO}8# ziS(cwx@>p72p+?zpNT 
z&++iYQB{JDtM^WHsw_1IZe3M~NcX+@tJXj^FLNm@IP1?5GdzO|He$cV3#PsKM;@1W zdQJM((}ku_1+!J3_^dVVr-wiD?Q;o-yn0X4XYzs=!}de2Wt>VEVhvB7yC_fgNRtXe z0x=_DDbTJCrQv{_jkNK5ZXe=)=-7k43MD$iG*u4Xh|2sUL|^Dl(kiPpEqX6No;;*V zyVaYf>iXj-wW=Z&o>K9>u@+C^)MLM;tvgUm0_zNzl31cL6)W}2H7dJc@E7Qg1u$*fl;3uFd;>rx`&ax7R!yY~k?`=3FF z*!d-J?+-Tt1VXv1{ovXEW{!@wp!z?JaF4}PZWza#iMsOzPWI3&CW*ZCcABX>+yE}`eiM%F`mQb`5oY8k+7lO z>qk=7bH15ZwM5gZNe=AX0OfX z3!^-P`v_(^i0ZPZJR>~Ur4nLcl-ix+(#wyKVqQvXWa*=62JcO@sY|6a=bO8WFTkeC zNgQ6%O5MAH5EZQSE}?l{sc^+9fyy}KmJn%P&=rTElS7?mX__QV`3CdRQ{8g;){586 zx$$j8P7JH3t;>e!=`7GGiN?%rH44Y%$>jdd4p9W zireN>GE2@3b5Ps3|J81xaw$j*-*F{>H;E?kqGja;W^V$`m`WR}VSx(&0bz^h)A29j zn70)Q-TGqI3Vt^ZR-07M7sIoUMrQInbBwq~lF?sJ*hozztRGyVmf4!CO1f5}eP1BB zRpeBP$hR!ms3PijlTXUPux?eIo9E3&w@AO*xkg#cF3lWb(qjXP*A!U1fOjt$Dmps2 zS~|Fz=y=_=bTI-8_>)efW~~6#X3XcV)9w@g1UC25Z>AIbRC6TO2b=tHP)DxX(HM~E z7`#5=6huEa-Qa^)*eIKs~-Lt*PY9=~pB6A~g)B{FNeQ!m5pPsm?3gs$IT$18U-ZtwD~S!-Im+ zPNVJ^!Nsf=HL^@L`mm?xpsEcz5%#VxtY;Xr&gVu@9Mv)&l^7A~DB?{g{oUdeQWqzG z;|C-H=FE|76v@RZ6gp7eaOhA%NHAI7ORC6g>UYcg1)syE!Ziqknqm}FIO3syNYbxV zJeVvQmL6J-=s8KNQ!C`%Wa1*bFkoY`kgD9Ta2tjExSH$QvlfjfDt$H=s2x0fI)eXx zZ5a^MogY8&YA~Ej%&aZ?hm+F3mxE~i%k9j z_~#wo0XXnl6KoXh{rNr$lktHlJG*sk6zoOyKNP$?vmKQEB{ud@?3d5}&?;+;R}uC= zY%$*-m~;Cd^F3+D9*iv<`-8n~b_V|!8NtTEZpwWeOWOlmR7;%*xIYa7Aq9RP0;*MH H2R{7=woy!C 
diff --git a/spreadsheet/macrofree/network_appdelivery_checklist.ko.xlsx b/spreadsheet/macrofree/network_appdelivery_checklist.ko.xlsx index 103f60061acc585ff350e605f317c4c0db2c729d..5cc563c93a78bcfc578fd6f01ae00b5263e5ca83 100644 GIT binary patch literal 28185 zcmeFXRalg5_%Es`(%m49sC1`*k|I({cXxLq(%oGGN;Bk8LkLKhNXih>Idl)PXTZA^yF4_mJg2@ z4_PitC=GpWio`z4vNb11H^$2e+6&?SzMQa}WlsS6tY1VWDb{C7iU%FJ){`Fs+0pq1 z7V9cD##kgxorjY|U8@8X={pwHxCAPnQkKj-M#Wz9cp@B*C&Qo2hU`-&quC;)X;MYGrIY?_=S!nczA6Z#T&+^uIv?I}@->a;~LI*Nd=BHUOop-M250{)=225q3-5qkH$d zsP5gvgCXZ;#p+~cY;An^$qvU3qCRK~=D}~pn!2G{-+5E}#P^{ys%9-Tk?Ylx%X(~* zc{uwMQo6)%&rs1J=E?UTH0mec2SM1-87mMNU4ByHed?UJ!tso26;HQ_=V2CL!qkf& z+ZDP#n_F56cRQYzejQ0WfT*w7!K70u`#?&VEXHh%ZTGk_FwGn}H1~ckQ#*!ZSfIN# z^l%uE%S`eMn~aJwlzEKp!Skn@Nl(0pB^OcCe<5dKkYL3Iuu!T$h>Ch;`?@U7TD25A zwug%b|KoJ?Ld@CJ`V)phNZb0y^ z!E})mgN*m{d*{NXHH9PU% zjg50H=_z}g)X+w#m$dJF9+HR?56Y0+!#@9Ti2cM{E`po`m1>XvnE^r&ByJYizn6K* zZ_ar9Y`Xm!tq|EkXO}{IH@5Ioyq|2gekz;~+|L&~HW>GU@*AO&?|FC? z+6f`MF@-*I6GSHX#bQ{~S?|JM7vE6TADS2I<3M3*?}{VvV-QltUymnGwHzwUhmn-$spTs469;mI&%EOJ9{VE2L6^Ng=GO*J{=hnV1-3w{ zkg)RlTo8JmE0iTOh#^jfV}jZh+fdyoJ+k>;ARe92JYKgYH7;L z54l>d^H0^XY&GZo(LZCwEK3hKYa(zui^y$Y>t`O&V3rm$`ioIKk|~C(paz z)zzFX@FJZ}XhZY9Q6ia|X}ad?$nnpV`uC0By_+<9EE9lRh2-|l;cQ!O5_cG1f_l+C zZ8u^(X5;Jg0@*K~W0Z_V342DPo6_5%*qPE>J|7Y)-du=MmcOUSbdB~KSP<;_<=Fqy zK&0B*BgDY_>k&3SaibF&O{EUqPq`ws(nPZ2beEM!mSuA&(nk}Ere)jqB62?u+fcK@ zS)C8w^?CTk2Sc%vxUKP}pu}=<{l%+Q#pfa_-0q&|RY?t{#w?bp(JK9=eMF4Vq^IM! 
zt1Sm4xNoqQ6Bfy1355|(u0Nsqn?EJcXwgr5_&r0u;Fsj%FV_B?=ZLXwuRhST$+Bna z)2$XuwWqM%{}P{CBFNmlXqSv(lGnMo_=O&ss)024hb22^U|L3`N^wb@tIV;vEnU^a z8KsS%(nj>}r4zX6idU**pG^~W<^uE;8CyaF6ZcUc%RPEC7YrJTzzHA=IHKAgee1I@ zi+1Xi#XfGF%++5aNVIAmC{914gqzBS{%cQ-vPDmKa?3+CxrVD4h_zs8$;tcuHH4(Q zVy%y*aDU{pKITF;y;%_6_os1h1J|Efq_kv^U1)Rk2cZ3wq)BP}Ays`GEN)<G)^etg!}0{G){Jv(`{PkM{g;uabpXEjA{FI zp(jqk4mfZk&SdERyTL&N%AJ_u3WhE9hG{L;@}IWCPv&l3_9&EW6eS*y9SlXGF(Gq| zDm!ee^c}ByW<}&}joSWPW__vMoAjorESk$xI|@Gh$QsCi?3$4&?A1s~wihYWadg8K{%j z(xR|d!nCRvp$1c#f0+_rb3JR)0qYJ1LXx}MbLXuUkCJzV$?3BnM{UMYoy&hP)G+D* zXRSSL%I3U{NTr@nnI{Pq{3s$|kQipqFD;jeu9@OYI7fu6{sZ~xu(v1aRda8E4YO7&vE$_x_X zk29y+MUkCypY4-b*w^ZV9m#Fpn1^35>(VrMxR>_JMX2uM-)AeAl%730acsu{QE;cE=!;(ILYeRFZ#aUphG>2+pvTGUwH>r!{4 zMzJY!x~nVVHLbd`dXy9GT5dghr0dIMyW4s`N-1AX08Kx(dC%M*J&rZsB-mmwZgzTZ z=jy3DzPE7L9ldg0mt72+Ef?`J^d4>Av#r||c`V1;bUjKblDJ#qI=(P3GEP}|<24&~ zSs-F#BcgJORR@Bmdjqc)(kUUkXx%mP+5F9GA~q$ulpZ%N?q?NHZt%Pf;ql1UC}(Q} ze*%n$Hc(h8eRScv1?=rr$FjS*5oEGEyt1FMn?@9Eq5*O76~a6>aeSOF++`lKq||pI z(yCb_hISH@%~B6 zx$Sw~(0cRm^ogs>x_XwaXT1LugzCgCrsrx1?QOS*5ju#x!@S$B%aCu!HOW$#C(;JF zj=Y^5OHuQ+BXT);JBXO(lBHsx2PMCI56phKPwXdh{`1q771iT;U^CSiyYUnzt`2(c zZd4&TZKK`BvJ`VQD1Tr-Sle1kZL__po`d-i^!-pvWNa^RTsv)|6R3{G>F!se-&iu* zSpOoAHRY|VpGLCkdh*+R(Ce~r#hmb+j&8FLGv8Cm^ogApi0rtw z&TYe-@#rb|X2VxQ@~uNvNxQL7fdbcQ zqU!U|m)qYjQ7&gNjdk8uUj@jII+5wBzZzB@EdQ~=KrFb+mr^h^FmAsPoh>{&3+NxU zHGVfc-kJ!Vw@DgbI4kk+ywP#6;ski=6S)cbO^&WQL)$f2)X^TLX}1WoE&imL+lVAm zU6$YTm}&CaFmt;yjW)qVN`W1wG?bg{bPOyUPX(uTY>`B8`cD!KZqFm zAH5W>#%};BcM4Jro*4Snwt-05LT0-qaX1)#tfA3(O?k5p8fLsOx;%TT%+=f=q(m7w z{50BExQJo`3YIS@KiG9CxJhztCF+uXI`pa7|0`sHcOhOx-s?btLRbVjyPtl@>$EZn z^GA7)Rl7V$AYgXR*0o(~{>Al3>$W9jKaS0u*AItVrP_5uM3!}bS7e}qF z(gD%TY0*EADqY7LqbA#t=H>WH^TvEzAZtK@J5rV-haXwm9Hq^5m7D7e{(h?gz4N5J zApVx07_*}VwB0rsYT3v8qb<%J{zPiC`*LeatvM7MtGZjh<1`ya70*hsF3a5#;$z9S zCWF}1c~g=wf}Jx~D}1Id>s%&X3tTS-H_r1t1$2c|EQ6BLCO0Ar{CNPozCVtwtKHi$ z((-~#4nLA`Co5Z1){&1|vxH5T#!1EdNkPMNH!S&_KCY%6i^-Eh*J8@Kc#rZ#GUSU+ 
zG%SCe9GnbX^qJ2oWS8Lgm@ig8di*5DZO?FLa{)S8zFX|zdo$Y&KK41S08_MR?h3cC zL{IK+LG~|Z$C7uql#lJ$gdx#I>CVS{khS2xdPb~nqAkjN!;igFJ13HOh{etOl})Vk zs$_=R5Ue`zl0j{pkN+IH$yEA9lTbl;;(9g;lg7)ZAnw5*(L9MbDSozNs^OLi-8cJ; zlZV^R4WSG&Vaxvd(D0`S{C=YM{6COxJRDn>cr@0lKCW81#XYYC#!P2_U|*`XgbtxU z3e>^#4?4V@^{Bf!f-blR3|_8a%{YxhXZI;zaSDl8wEQS2Uoo$tLI$&%;i1UyU#{Xi zZu1b6iw$bKw-!yZ@%qlss`9S&>IC>2$9kms&36G5&8!hjgerFJ%@PgN#Vf6*>*Fh# z8cmq;LWgq;x~h(6cMiLr@eVS~OzptBhoWMuaQ>RF=WOF3UnAr=-=p5!*EWH>c)w%k z&_|mDbOq%BkP~%vL9ccW3xaJ~b=YloBRhio_{hiCu`Cm|oSju6{T()}h#gNe7B_&C z*?k?s!IM}8%0-G<)yQ4>gEUP^Dib(?8VKR*`wAe`Qs)f~#*XJ=qjnu-h6&dmhEpdV z)xcam>$19cg^|z3aC=bj5r_k(4QrhRCMf2Q5&R)XHA9u1KqX>Mq{9fS_suL43q}4% z@k;7fhu4JwdTXb|Tvk_d*coTNy9lgU{} z!?4Cdz`ZFfJpJ=*lT(I_4lIhOoRGU#$x-ARHe)SS!-@Nsuz+C z#cw;RHpk5yn3+3jv_V>vRb5<9$ePHbz*sV`9q0nZgJOGsguR{Uk9a#eY7za;HEyH8yg>nt@&9E&m$Fc9U-ejW2fk~8{EZ&Kzobnh*A5^ zSlwXLkoR1t>M~i_1v?g4u-fk5(Hg;`6WV5Bx7?DlZNeCUM-v|P-Mv0>$y!x&n61AL zK*Y}oE>z_KHofp^%dn`PR(scS4zZhg#YY`S`<#vg{b{WVU!|@IUuxC_UVHDiU;Zy0 zF7kQR8*G-la0k!pcib^;!{{kjelmca`h@v2576@@F(>BRd{&FEB?Yfu9vI`Sy8ig? z!MQU$bWB>1s!yu{=6fa)B*}*rAJ&@uAT!d>X1ZYuMQyvUkhc7Qr?Fs`88_Fl2 zwIMQ z1Pl2_rt3M6{@md@rN?)7AyODHLCL3i>zYS*bfTS-u27RH%1K9AknP5j*Jcsx z%~E&E_twj@@7LxjEhiSVJawt1CU*TiWhVtzZqSPwQIY0KlnVeQzty)k*Du1Lc+2Lc z(3#7%Xp!tL+oatkgpXN+8w^gFa$e}ZS+eEq`CHto#;S38Qi?a4%DQDE=bP3|B|hEY z{@UxfjO#6lK|1eAiy?Lk%p49bh_dI4@YT=qfe5CcV$c;}tEPC^s#D7KNW(^ATV-P? 
z`$f_P#hb}&hwk2s&FOc#9n&t>-eR8ffCn~Hncejq9S50hX=_Sd-!t7E?KQEVbaB&0 zt9ob1)sytqK5!(ai>f1o_5z++J?1!HdChIGdbAl*9Ft}0yu7&C*2 zyD+&L1{u6KX3N6ujm5_$>3Xlrn03L*nI#8PZE@r1mC}1%6^q^{duJ;8f3Ng7oi46#ue2E+3ZQDduRaCuVy>dNiV2B zK(^ezlkOgOgHNH;wcTzx2t-OzLJRfss0#NVJ%d+Lt*tF@h*XQE+eshiOhweY6&@{; zoc9fko_G_w>#xyo$@t?$X*%wG8ILh;9*8R4Fqf?}l8xNY7PyK^lw2!*#bC|pVuSMOxaXxfr;_QX@Mo@J4YFNRF5?E}s5${CJMw_dmD=5wt~xE|u9M&GMwx1fa3QDFc72htkXGKk_S`)z9YUxwn zaBChA($c7pt641*+0B*PSD!gy04w^`)L@{IzU+}BzosB6Ge~7QYL|GYu^6$DK)kCj zJXhA(rs-Ks|5Zf}nsn6Xm>w!Uu!fNKN&ognT2|6yvCo>YE7xrNo&wB+WbcOAIe_h4 zmIrC8UZ*GKl=hELka{6gR?kF?Yf29ur-A&p%e^xC&D<3>0;65@9GPf^E|H`K06d=Pc7xib1y-PD}(8=-W>IsmLQ##;Vq1k+H-#wfMk zMh8?-l;kkaa<*=kca^?bWV=6|x0gtMH&&qKq~KTg&1;{@&z#pwF1}}4bF*~g9lBT` z`PN-TPiM|+rJS?Ps(W(Q-gs)W9CIS7eytWz`Ri!nluApvHPl-2!~L&b;{g5)=zx#I zq*iqipt5Lb|Dpn%ZNovXTIx$SXCu&j012Kg@9He+GIum&cM#EckzKy72Ya=YP$&($ z)d`6dmFC2WU4i7NCmdIW_m#l|-5*)HZW(?#`NkG$x5EH^TPGG|ys| zU!#ViFV(4_WnXbWQjq)Qt0bk=M)e`Z1AtZ$T+JUgRkDQ%YPY5O-dG%p_G-=29H$U;Nm< z5q#z)QYzLxrLAvIRs?SD57^mRkTh~O!=i**?=&D*ZHt)X8)Am$!^+|pTjemBw{ScB$5X`IL5rzQ}Pv5f3vS&DX+>%tCi@3J(XDJ@+~)fq27O9*lIx>R@l$L1>^1J ztpkKZu-u;?%^+P8DH*3?ymTz-hT@nqoNM)u)#4d8K|3XEO`z@1B~Rz42$G7li9qw> z;|QbI9$CCrRx;nW>D97ni^nGz)yM9g*RsbPr@3ly-b{OwoJzX4Zb)FUYt$1nS3E)OZO<|b z<$(3jKslp&vVthW{AO+y@DJ{{f;FWU1pGcvlA?Z2;RfEN7;}wAE-b}xxrLY`&Dhzy z_$bg#r!D3*EM7(VU8s#u(D&q=PL8=~~em&P$F!_?a_7KxEa_qor zU`QQuNrsjoUpmWtInyy$wlh%J8yk=`>Al!1VJfzUkz3eBAV?xnJ}nb?8#iA(oKAN} zyB@D}YY6W~MdxwuMBfNQ!b>J}y7ex=JBM>q5Zn3rx$u#(4zn-}#n*)7Iqy%3t;spB zez3`!TGlf%a|h?4<2 zbsDDsx~zy3UshgjF}_XWka9!a$>VYI+J4lJ_VSnJps2i8vw(RYHNYnx%Cvz1oq)+4 zAEDGa>+0A+x|WxU2GNN_om}p_Tg5^ue5a{b%M^_0PU+xa2WM3h%Ho5ay@iy+l6k$$ ziyQ&#k>>K7W>711kgrygn|-I=-PL{m%6|I0Cc39^kdRdjtdBe;{XCGUDv;9vpq+Cu zu5YujE-jVSvzh=~Y@Nw%Xfm>I>-*#1HIk`OiA<`no; z*V1*di__vMw+{;6sm;z}CK4&J4_ZelV+jGn`-tY!+vsnWATg^ySqF!hiw}=7GMc8Y z9h`z!+NpHC=By`6Orb7x6pQ>ei+Y}^UAzVt^h3(v{@W0P7!!li*AU5eT|t9XK4jxp ztD`$7*Hlj)tnr-q!prxSZq^!7KG}rS$!4KuFz$TFM3!l3lf{w;nP)RkXAmM8wDord 
zD_6NmzT$wk<`;ay@oim9)p|w77~HH|ebl||o*X!caqvoXzv;;y5z?q4cj9z&Npm0o z|7tli+flh~V^Z>IlzwpXP$GB3qh^a>q9Jb+-BU$%=S$K@?EEhJ)dX>YLL*kn8bdr4 zb#lxJ%^vsFx5#M^7>1Eya}P>wi82tE($m-wMt9qiw|`jF!jP;^?5b(;Nk1rRn`idD z?AJ>*N?mhS!uy%VGs%)vw0pg$1L<^GJFY7#TgFOfM(E6>mKUAf#*NhRWdlGn@Cm~_HKleFaP+*tqTidvJaY9PwDW?MMj?e5~$ zUat}ybI2hWkYB*vESg3twp;XN7#i~~Aq8TRT9ElljvlRXdM{S=ak8X=`uunn>qX6z zME_<Erls5P0ydfkOoIsnWI;hq}VsC|lik}|{H@8)HN+eHPo;i)pF;Dd)@kF0`xa9r% zjH>+nq|yK|OFm7x+@Yig^!A)0;I`=Bo!vcV&KbGd+BwA3<`0PSECkx#j z!RF)redU@$0&-B<$e{F}sn)`Bsa|a5`fc+gQ#YQQTr4({x>m;`R+JyRslCQS!(QR0 zOE|Ig^mZ;Qr%S*RXsvgUCYpu5M1z;oWzcu$8_m+f!wXk0kTjYfHi%O|w7^g`N*&Ob zsMsI=z0fy#Qqrs}3h1xWU|$lcZ2fKM8%)iYA+scKH6P@txCR|^fH>i5A{S(3a}yv( zlbIIoUhPM_UN!lg5@XG8G=32z2hSp(r4@fYEZ##yF!l|Tow3Z)FcefgtpQYi+_4sA zYSKSgW}#FZwazLC!vGr6xEPperH`U@m$(@GnlT-U7i6bsHC6PzB*vHTc zBFg^404vB}h?u;=E1{Zm#9u$vc*En^0!S#N+2K41z_BKuS34&wPg*u^eutmkys3xv z=q}aV#x~pRbWE_i;6*D>1*=QJbE{{eoT&)3aeZ8@s*^|Ye2i<4C$fLZ?RazMVAV~h zj#=@LEo5~Azno6lvHx7Uue7L0m(`Dx|T$IIH=?#9Iol{g+wv*{ndQsRD(*L z!E(C~HWKtz3{ys^54NC|gfhW&SDy}&BzeahLtvC>$Gp<@MED!dgXL1{6Mw4PZAX%& z%m;hT_{9IMybP^_Y<5~nmdhsp(hr`)cN$Tm;1z$uppwi(xeeJ*?@k?qyCH!DO&C8Q zPe#I{lGAyPczcOqy=~~TdUaqVmRxFk=$`j}LMUs9=Poo0EB zXJOPRo~%w8A|!EuX-~h~q;Ga}5_`SC&)ZD}EWd^xvh!t9;Cj14_fPirtWT#c>dpsY zlg!ys$kewTG$ar!9K{_pMzzEw2mrkwlPAcs+$*nT#;OCQBeJeawd7c(^xC-sif~sE z6wIAkuKZGk|jJNbapJd=u%gs zy}R8u=bo{9It@9AfEb#$Qdt>*{fEBrk?@pHpL~F8ZR6?I_Xa=!Ot;YVX%Qrb4j)ru zB~D@OoA8akD*YyhLWgFW`@TK0@7c^WW1dDf1qAz%N}dMqA+{ zHhBCEfCg7=tKGr>hXW5lKlxQYU7Vi;by)=nI3U^IC7f>=DxY#nlk^q~{rDluRm!YU@AnaL{`vnAs zWO_qTi{n7ZC%N;HsbY2$P{J5S(TbFno$Mx@+TAf^_&+I4zju#QB0gFZb}T=u z&)jg+w&Cg8FmEnE--29uJ{QF*n2P?+!ZS#vUXLfsSyFh-!=GcSwk2y^uTsxV(_bdf z?j$oBE$Yd*_D?bV$lzH7*G?(|!wrNSH$;NumM-s;^1yJ{tjVI7^{{2XDGbRK1MA5}#in zfv+dVn#X~tjn+cOMEk?w+@hpT0HEsJdlR_mrto`KYIBD4&Pu;9!d`(EkSCVfn zhomPoL?eV|++dSmr>VS&kL938o(sU?mZKK4$xr=1kv*e=Ow%m*k~M$$%ae}la+yhrZ--X+F^I>um|Yinpdin2=#iWLZsoj4b+{= z`mFBjizzb-4dnOekueuz^Qr-2s?@M1dh|&$EKg{5gtvSwK~#-Hr;P6*rr~>h)8` 
zU-k*obv$)}{iv`=yr~=pk=TAbFVdK|@fBQ|6`8+*{Q|btynotC<_a=l+Ap}LS*c~! z=}<|~pJ~>~G3d~Y(%)0Kl5bj{1mYIutwQ%y9#3}k{>fjWaQXbJ3e#Qn&qgRyVLCOg zHIS8;5fZB|8rW57xpJ4(CIu6<-rpa4l{O!Co!8X}nYmUcJ4l$uCemzl0(2EkW1ki? zYr_^4=yDREdowIrf-?IA^dK1-G&R0rph^@MC^$Y2#3=b*{PeMkkDFItv~2*RrRBp_ z9*xvF9yQy}g3J1;@!wnFLtta$O!CihZlSU@v@c6SvJ{nbui8udLiNSQ=swX1B>N}0S~CCV^Cxq)L-#&T=2)t*t+rX3c2 z$XZhYw`-c6Ik$cTYc-0chsH2YJr`y!c-h@PZxu~Yn-U}L0Y=$4<@CTO484|lo;D8% zz^gkt>oKpDeoR(607PC8o~a|CI%PBfvM7M92CF*2(JdKIS#7HYhsr>--u6th1%}x{ z`Xk<`1?xKFW?{6+uD(-Q!)Cz1*Pmmp*;MafRCk?hz#M1?(<1Ozi&c8e+vfR7sNgJ&qmH_1-%Y|L)JdTwrF+?R2x?$3} z@@;S<0E4(%*hhJV0n>A^ExAF}YS-h&Lm{O&%Yb@QXM0$*%I@h!wU()-iq0~L{>D_0 zrBtlqg`#naX1C5{YreBn5}wOc_HXwk0WYdy?#sS)Uw<^^a;50Fl#TIawZU;VLCHIs zWd?$hsiOS-=B(@edW!;5IE0n&BYj@9khe4yVXlS?p!|28|0YnuDVSIQcLpfTz%1T zj?vD35<#u*cCxfErK>q&0@{!GQ8&?@Rq0F~C0nACr&(gQV)YhGXvr3|gn3H~|4Ff1 zL&$Khf14ydYr-+WFtUrQRo&hNOQz-7OYdb0Q(tFck{(tHpo3gbt-3{j1mD~6N@P$9 zSB5ZoIAFRHwgbXcFlY>s=#Dhysat_UXT`2Q7I*OpzunBaT+t#v(VKyMqls(?&V2Kl za8A772al6we^RZ!s-khdO9Rhl=tWnTJ#(vuZAs)>$bDqN#JgC25TjBMcgi7{2wP5P zYl=C$s=Jc=$t?jmDiwoL9f_m*E5+8ruyW+u$wS$U0m#BPopYO_U)E2@jtk@+pr zs`cqry}Rn{WU_E_A?0*e*cP^1JSezyy|qN^7d^5>tTd+P zTxfnt3(&5RM}l8PYIXoxpIgpz&3tl*(6HC+e$r)hV0_+rfJLyanJp z7;UghcGM{c)CsnORl1xv20yvVTfEOxYgTV0K%oV!L|hX-1WZlkR=(;`eTckm_o`}- zUO-E966^sMU=p_kb7+a!MRHUKb!e*U8wF*l|I8<*s^~zxt35Bxoa^0Kt2>Ng6|l1A zyGPiFVFP5u|H&}cxw+*7FiXnZtk9D*`pp5>;1mx9TWlxe<*3QkyjJ030D{hU$*<4& zW{a$|CC@jM<6)~5&%WSCWjbxGa;blUksuxZ(%@&sM zg<883xMo0JTU1-uoFr=444R*7xoNT$Rudj$wffB5y-LAzOr`D?FDqn1P-Zp1$LMHS zKQ6!}It)Y~b(zRlzcF)TZ0LEI?r|3g{$(ofqfa@~J>dD!=5jIfpx=Ui#)*pe3zk7C zL>ayAl)4}d@p$J+7!IPK9G9HAK&}>W=^-4sY5N~1kAx>I7WGR|;89^w1^j3MNdf9P z`fId~kF-7OAD>p!1P|6a_z!w8mk(5oKfHrZ%?y|ZgKpdi-aMGNFnw%!0Uc))7@-If78m*o3;RppmD&O^B!Q>O1C&@DJWu zGz4IGV}7`T_sf#nD4Eq7G3pa}Gp*9moW0^JJXi>yE?HjuB0yF<03Bm!k;b0)<*R`w#O|Lic{aRFG_Y! 
zZ?cM^syN#-&%cjxxtn~qs?zf)<3G*|ijKTTYLgj3daX=$9~SgCy^;3{#3$K@k3H&I zy?s6B#UsESwl`}E016+zt_VXs6nk-GZ&W{we_)|9JESTX-qodp&1i7ncve`72A{TmNs!jSu zH|b>Jpk42Y@U{Wp4wZ@C0tfsz$&?)B`t8<%_LU8DA*q2BzMgGX-{(p`t7qMyIqfQd zG~n966@wsYG$a0UT*ixuZo;m;=3Bi5H9IWlL>gk$G|;w7WUr2OC@D0tn@A`cbxYR_ z8`$CkMHE@ACg!&x9xG(47T!&H6px(mRn&EPke8CPYJg89br|$uWblj3g-M+fttsEs zmG;q5kErsiqXx^!S*Q1bYf(Sr6}MgHxh5~#G4Qr+=67w_b9Y`ulUA_=RSi^FQ@DT! z!pJgDWw%yLL7A>fH?VsG{m;2WzuQJu)b5up&TjUZP6 zqn!oVB-2K!>g$gIHSG-Zu{i=uS7A4+VQ$E?2<`=eKJ)lay{dldb|b?3NtQm z>_MS#>EJ^mi|XdsT`WRbow3e@Pb7y*(oUm-J?1xsc|x*a(&_RN6F%v0`3%*{AbmD9 z?#P5=_6}E%SIz5{8MOh$y;qs};K^;9Nun2C6*+Qx9n*G^C3YGFxz4;1UfXES&5>7MwC;BIzyIptJY-K{D68wI>%v;(XyKYCKxAnqrBRwX zS^ukm7NTsqdg~kR!?n0_o#dswQ+-kNGBuHCSh$Z3PwM+X#*&Jk02;VwmR1#W>VW7a zrP@_Ivx6?Mv7t2kw@qal$A>VRvTtpg*zkAaC88<+8LhEG1o;#hlw+ECYHzM zsLarHpNV*KZ^-F!y+zwy#OhtzsM>{WqUQ=+LV@Ej}YY?PfwYpMMd>BGHgG0xysoL`A<5}B5|*0 zIX{W@TejJ8%DJcV5ib}-7K7|iD^zqkg5&RV)?1Xl81g23(V(IeS4atai`+(JR=KM~ zu~3+hC%Ahzc<`R(n&6^Vz@T2P%N(HjaiC@YvpOB)v1COfab-1jAljryug>3ugk}3~rnl?kZOtJxOic-2~R*HfpIL z4TZ@x@?TgKtK8sI51t5@Sg0ht*$bZ7ZC%QbkB~(tpF3FJDR+@>+@~kd-KSg6sYHsE z&kNM&IM4=WP_7B10p1O@&Z%~Hvyzuwh(Jz)-wpI(UaKvsHXVJKUp0j0xxnNcu42N7RNSq z*OtzF*&Xbln`uHqr#|E;ey_)wdoxg*5of0Ht$7>kbjpn(1fY%l^U)7|8}G^2d;ua*YD^^;?!SCEZD{j zJYXV{szNRlhcd@KxotK%{WYj94;a+0P^2U1Ud7S$#ta}ZNO}7kQRw9`#7VsD%(0DS zioJbXK|5dBf>gm7EdSbo4kZp>I>?An!5mCRcWA@aW=zqi#=zwnZWMZ3|JOOns(>FD zJbgrQX{BR6zviH;{wkG>lZvE95@3X*z&)f%Cv)q3v1Ie{lZQ&xdw6lg(jVz0;;2&* zVc#D0zW8bp6oov`QB39b7gLXb4>ms60d$gaRMN3VuTAdHqQO=DrTvaB{KL-M7KtkH z+aba!b;5h-!_NDwze&qI;G~&Ma8ioqe@N}r3!PaRKEFNx%dB^RON==85OpWI@EDHC zzW_)?!g}6$`me5m2^*gNMstz$_2`Zt$Z@oS)L;B#mhrymoA}Frqy5+qKZ0i}EF6!d;2hZF9!iJNiE)I(PVU?$BSk~a zJkkh9{`S>amQjZ55H{$)(BYWCSkeyoP^pWjT>S;f32poKzmQ14&N!lB&l%z9pZo>M z&uHZ8zaW91HId2Mk(h`G(A1;Dj(!X6^MP~!lPvIuR^gJFXyB56hsj$;D4hGBM1`NF zO2M^)Yy5BOZA%6G{M%O883kN24P4_tXfW%f8YS+Gz?FQS7co*Q_Hm1NaQs8^kYSC&`Va4jqzDJezz|86u{XgPbCN9I z0+90p6#JeTa&5(|i@psny#IvAz(Ab3H!y`%KY^1$oXa6c#bf!1$AOyuHSv>(cakJ| 
z>cQef25I6L&l<4to}fyzd{aWn%TT1wjYR|gcv4Uoi^i_s{!BlCqmOt{fUXgHl-}Yc zj2)liYX|ClIpUQFRGdhy!bD;I=18p&6nsgPyadHAvkB^vz!XWv2X9!uiHC{Cp|K~n zKQmPdF6CE zL)xIgIP2g+2GgJA4^Fvg z?2z0?30fhcM1gcf2AhG3LxtEQJ%Jh<$)n(&z?2XA32bjjj3Z3QakWFtiMc<)*nN9O z*MR+={STzwcaWn04Qc-!q>^w*)9xU3%K4I`R#L=HZ|B|_?-U&xr`st`J7lB4Q8?f>Z9K#dpsu&hdpHQmuoUUR`MbG!<1VV zm20E=4I(R|Axs;^fj`c^2t8y9Aw-q-S$u((dm9qjM+Z!VYwFnl#$#?aU+PCVqo;ED zcZ|-ZSyK({IS~KDh?D+~Q3T3Aj5z2CP2c{-Xi=WX^exj+3Y7-jNErQZBl}a-GT8qZ z=@>|7YPZv|ID?e?Bw7@OZ5RNi+GK~Ydh-Sgt2JH4wO7= z!hea(MdN4w0gL;XQ5y0%tsZk6@w>p={32l`7yh@Kh#WLN!#$vyKP6h6>quQ7f&Dx1 zlL;&NnLqyPd0cH6pY%~0xVbFLHOP17q80y2(fU&MWRu7`iQ z{k(SpW=o*x$82n7l3TnkKPMB~^Zf^}t8Xyh!2(vqe&@kmz{-0xURyrz;dMAC z%Dei&FUIPPZFh0+PoW`*%V^{O_<`<9Q}XxhW4gYAj4*`rC-56Y<2d{o_s& zkI)Yv@b3R9vT#*Zp!Z9>{~4c5*Nd(`j0^uMd5m=Y{!hGv=}ap=OWh`pLr~UdEVUoB z|0EY&hFTp`DH!K>`^m^D06&<3{6_@g+Wm0He?^2Ie(2=?j|c*{uc(jzRTA}u9%9tL zU`Y?@AyQNzNd1Acu;8nh%CEmf{DOC-ho)4&i!#5MykBtXSDb(9Ega3#uYxdJ2>9+Q zGUpM#TMz2v|A2}5g0Af{>2EEJ{)ZM-f3$!Bfq7alji?k1O^@9%%%z(oF2w^d&|JYw7nd3g9&Tt43m`5#(* z`=dn<90-H|fi+C(Z;!*V{;!s>p!0Ku3$nYb`KIgtM?^@$g6J=I(*7st;1IwKzstS{ zrc?Pz2qMk0E|2p5!0ohwE{PV%lG*kLO=d(N4>JA-1bn|IX*gO8b}&#sA(;M7FgTaU z3_sM2-`feyX%7hMVR@$D$9X$*@Qca#WzR_ty+j=Py+^=mfgdV7$_u~V4S^XsU%txQ z(%y2t-N9B-rD62&d{_E)w|otKfAQpr0{Hq+mzB1COKQ`vMBk1ga5ydg&ncsYo=AU{n1Ntg zPs+IyB?oocZ`B?8cW&5hK;}!0+|XlmGs&0uCj)sW`_pKgv`#FvVsR&}a1pM5Hj!rE zpL%E^bUVD8SNwY!l~zvlr-`B|6p0_dcW6H80(}6=MGvVOja_%>&vNiHNMp<(N7*TU zfvm}va2`xMQJih=5B~J}_bwH_E1cbp#o-P*2P_vJs>hT4Yq9_T6h_fWVog&k6`dq1 zA`FrxCrI}9r;+}NB>I5gkbHo3yRTu8WW*wQEP8@uBNj}v8JgN zf=&_@5jx4mq7x*?`qTLTL=t_#??_@LOce%6Gc1zFq9;gpVv)2(CyC_(ljMI_s6r=+ zHBGG~bdsouFh~}kAUV{Z#`GtW=mUO3avLireK1H$W05=-JwdV+i=;IgNo*IGB>%gD z4?0P#X=+8GlSD;?LGomsM15XU=1(Ni2mFpCR>JIKkOX6qJQh7c@)H(GR3SdGUuBQpf_0B(@6-lK&3{d~}l7(+or-c^nZsN!k;2(rdUsjrC6?(FgpFBv!&a z!62!CMeui)$tEn4=ud;#E-*>{cLim1lDc_Gr-Oj8eOIJesg=aLIB1DylkME^ z9acz1C@MD^)mrj0%*RGNdFR_WjQXp?6K}+NMlPwEH}}zY>*ki_?$+u=#^}^ap0l*Y 
zI)Z-LD8!e+&a?i#^f(OGS)J~A5H&Y_&-Vy9KV6?H_GBviM$*=gDVZq)v5+Yl16e;k z#A<(?kJlU7t?uq@#40GjcW*Vs#nH|MSq?6NPp7`7t=KV2U+a)Xz<~b5zzIg=`VwNA z>}b<^`#`o1*2WAJ3vwi3%KgB1;V{*u=^Ze9LCk%0a-*g(H6OW_zbFBL%xoBI7UM{X zw7VSfA>aYvwlo70=L?5#*sMwNI%bt+S=+oQJ_1+LCmaI(76#t zkblmPim|amsn{JnyX`hY@PvW&*c4Z{9xrn`bVsu!?OK;?*UF&mclqK1L}U>J2}R~= zEG(=aq`L<=)HoFg`4N{6JuQ)SD&+f!`nh;*V>zF%c>Unx*(E%~ZE(i27cvHn-#T{G zi#MO@V<}O1KKbmLJ;6kHLrI+v&Kr>$czpOu-pZA{Bx4r_p_=DIN8F`Dx0#$G?TlT# zdBqBfC-+NW9AC}1PTfOJ!+?8J=g$L?H~5SLcy@!HGY0sK4!JPNtoS3MHeqgGy4-3J zwnP4#v(A?zeFYK%oD5(S1vK?*x7>RXBc4_ZMz(GP9jkBX>|Fiqz~f{4^&-BN#%nTD z%ycTmx<@Lj1I2pU;v;J^9M!gR%Wg z80rJKTJxSe=kEp_AQg7k8e#p5z#W%0M^Et;8IJ()n~oc0vPgsU?;aJBZ)DBIaO?9( z(`6?H{PSUC*|^B{?(7LmEW z?q5pd>}|XDH5e-9)CX#$^_=<|I^-8q=*f2kK|?0%@AY!?k}bMsQaU+Po=uFe(Iq(Y z`_GmoE0TFUX^36YJ(qcEmjU%=Y{mb&VrmL95Qxg5167r)Y%D#Up%$~sd63?{%$B=r z#ae2w{*Z;OGh4m9MfVxgTK#SV!tXR}lz@QNfv4|vfSckGnQj4{K@OA(ta#|Eh>&zi zWc=ol4qH`QQSd2)COV}yfVro%q#G`qw5hXj&jxX zz9FBtrE=8zqWa&MNa#%Lh_?-2_fmqWt39g;MxQy2J3bWOG_PIU`Jy0BE?PCbp>|Gt zo10_6PV1wGWy|e(l@Li!Rw6F^o~I$a_VcVG7B?q@52?DZOJ^SVs5Zh4Gv9v_Ftn-N ziLUbD{-`LI@{V=ErExHb-A?>dTL?RU7+*F-W3P&*DMI{*P{-$SYDIIK1%hFZg@s{K zi9<1Fi&WT17VeiDH>HNbZ>)W(l3Xwh2V{gI+9 zUSi_(foO5wLq29eO0=hqo^l0!Y{j5UXeW!~v-X-{d6-Fp`@pEWO8yXj)0i6qX3y-L z=K6jj_*s=G?za+Yc-K_DS0FgRud*%fQ256PV3;8HWrNf;4jJBO&l~B~&S*&~6i^14 z)ybND+UGtC-`&to%jT8Ya{>Xc*1Oim-w5Y<2cYsxR8c*+^^l&v%!BP|r{;%dwia89PTRs z0IKL5AH47O!27PP+s`BSZ{Lo}6GfGor@KsN$oUN@bLcNE#f-jYTQyv|OsHk`#e%3u zRHDAF?p`OSLV?Yq$GKI0FR3lC5EHOyM7PJ|v~(eb)u1>tSu#uR1cXC9ca85Y> zvjTOmxhu+}PO2^Y!t7oUO9RP>t0OtC8i~Bz8P8k98Jl)&b&(1N7pN*8IaywAA?&uv z$*=(72t{Q$512iRqn4YPnOa#9GSSUMZ0tCep7SWPqnefA=#v1ryjq;R?q@z+*&Y5P ztCD;+*W*36|B!HRbDhKii~o7!hN25Z{(|-5a^!o@7Lp-CrKZcHher90ybEkbxW#!o zlf<^=oa{GT)ju9K6ihIwq!N7gJA}Hr7Dd1cSJ6Bo1^fGnO2Fc9{B(Z}b!-QBvc>7S)%o1NiXVh|Ugzi^3N zJhYca$$G*a7I`N{d%noGw3Z4C&=IoZgOotT$eBNpt*Gd(GvV2ok+L7HgG9289~b9Z z8~Ydw(^8b$$jdh7mDN}XCy2*ir3=qH6LLA_aqdEbqwkVyx7gr_Nx=wBca3jx)2*vi 
z?iw$J3~X$h7d1)D%Pt0Fh2@fno0zV%@RPHC`Z$x`$rCGDQElev_g8RqNgYUFBVp#PZzepK6*qIM10pKr5n6NPt3bOC$>5mm zI9S~jcA*z#&bl;$kYDEsjWPY69wkm2426_u(IP+eHKnmp>I|9dwyevKZ<+R$1r%Qa z%iT7_bE;kuncB_v(g1`o7M1vP!+N@x2dF}%p?mAZQc7>GJ{@5swj$Zms+gYub^9_V zdse@=e%R9*R}L%sO0DB@4JQccIhyF+`h|+XGi$i`g7@_coh^0t${YJC#!?chQd<$x zo-s6xA>)fj?2~btGHNB^&krYq$UyZFaae*;RO{c;F*K5j)lH3v?QQjRA{ z9^*}+GpAaai4QZJ4<0Tak#S3L4yN<%_nBn{fkCP2^Void_f2&OT?850)*`#$Xh78+E z))gq_vz`5YPpat~cMZzw!nv|u8G;e1;=TNnim`qYM)%`o`9Sctz69v#_kqvsO4JHOvHoopKgq z1!tdBczG`cwopZ6EQc{Su(auX4>UTp`nj!w{kq0zS{q4G!tH+i2k$wQyY-Q-e>*q}|)=k?#B8MAT>?t&k zAP~MnGU1mV3~po4yDe9mOh*hw-U5o9E?GeCzcS(x(YVf+AspSiGfd7qzs1qU*9aP{ z&~!Ug+a`)xu5v52^(3O&!PzTlOkq=3Fd4ZYD5P=JJ^qPkAmv42{>ovt$a+@S)(%Vb zD;1@CyxTFEn&BStg))$dy38%8wNA3nw#=1C-T_JC&592xoF1xl-?m_a-vh*%VgmXTJ zx3SGK17jaE+l%GWbpKdJJJR5Hw?4aZAz-i=!x!!cpGU#2y&Zed&gbloi4LgEBIQ71 zERgX1=(X-ksudc}X4ZI~<&Gj3)Jx!pJnk>WGepd-W=F0cFekb&+?(bAIEcIyR%s0T zGCU%Xq;J?jR={c(MTz*4Y@ue7KXWIj7hZqs8e0e-on>`eEzkyM&y~O0+*voe%h*Hc z$SZ6D7sig)l)dZ~?FE-iNh%@J9sDk}6TC0#t+Yp+G5^w}7^q88DXF#IJyI@LvRq9F z$~-6OqunZUwH91KnOiHbeLscVJls-{C_hvi6v{e1X!TNykiNiVJ#KkKw!lt7&zkF$ zqcF>i1|*N|VDV){o!_;{Rt*@g*2o^Ib?w)OimVMyJ>lW~is#qv0PhTSj`);U?$@Yu zZO>>1ci`M=22v-oy#pmwk!)teLGQ)iOCaCOkfGnuJabq6Qq+x%L}f1BUpMrx0^|=4KQuk=ieFm2T&0r{4$911ztMKUq#4WQ z*!+U=%_>7^-}i?%M+B=S0SSC`N)O$|yTr-^dPY*;U^%chBea>u(w>k+=5Y&qRYfhS}fR-+F6l&4CxSE1{7CG3;% zMTqd{tdewQg?ikmHo}7)J%$Kb;A>X(akpxP$zI8k-KsV{_Z&m+I4?4*9f^p-CWtk*6}&F)Eh;jU&A zEv{l#k2*1wnfh6zfUj!1ezfz0S9YrxvaaPtlhWvz&x_9r4wPNWAe!sBAKsLF{njub zy2O?Jg;@+IlVHSDbvr(ON_ZIYL?(HRp2ofE$*YNVl2MwcL%R|bAneb5HwiPeYaT6C z%t%e|Mvt!$^X)jM3g$!gzbZH$mKcxNn5LMU&o9%^J7`-GrXglA z|7GZE_iyC?ly*#G%);@@Si#|^@&70zm^zq?@|TW)<8PO!js_m8>lXk(g!+Drs#*a~ H$5;Oc-C>Rp literal 28135 zcmeFYXH-;O(>ACesAME(1A=6boE0UhfQU3X=g@%Uj7ZKIl&B!IE~D9u z_Xc%Uiuyx@`eSTs^xWRo&VkFo&W_U+Xsr;bfZM`N^!V%v9A=}sd6Vbnx2*479&&;L z(Z-LQ15P|unxmj%Q{3ToWZmj*cU<@b+d$sLU9y*|aAjH_L2{{N?^0W+(?95U3nLjf zYhx^->BQ70d&b+JazeLSDY8gg&p*oo&#w-6o9dWk$#d^8$!aGuV6>j0%J#?rt10dn 
z>-j%;tJ*(WUcZb2igD=@@!xojZ0$|ZfCFNlTD5W$`JaVu=_Jm}UTfL!b;%kZquI+&%--jaaPYjH{((c3A0!C||mz5RKMDtPtTGv<$^yhGl#-dE&&KU~EUaec-c zT0DM9@ksKjjF}?6mmnz6;7g!kZ@Ua>Q}sZxk=r*5h8pr{flAV6Lf@Nf7P?&JCdL3M z)YD6Q6{oV7-nHFjPi40r3flopN?J2On3#p7{WI$)hRE1h0Y#Gi1??wfpTbw2VLoj) zVlW2fdNnFd@7CVZy`(_LHR`}HAzvfP(X<1lul!M(V*4*|%@jn9vDlX`b=P8*rvxRmT>|cBJ2eEao;w?PY4T#toD9YrZ z`c6c1lOcrT8#g8kvsU6=PfD3toRsg^(($PXWBfT8G%zD0AKJhPl9td?+Hc{0pD^Dyrw(Y4B^8M z_4mJu4^foNsq`Aw#8G~CCnaVjC!=;!Tc4XV+urk=9*#)l%FE=Z$n1Bg3fiEFTu0WY zUM!c6Bnm1%4Qg<>_0y(Y?n|bItyzM#Uv5$%f8cvU6i!J!-2z+$Hep58Wd_)MR&_M4 z)vC6Ys>pR5z46a#Yo^d#)F(p)++@0Eh!MCJ3#;teOgj;_VB5Pl z(Q@yOIL&r@$Mcp>A_-=aac)~*057K7(QG?>ZV?paBk8q0zq?huQ!Dtx=Dm4*f(H^J zcy_Xxy>(zK+30;-NY7PvsMh4Uw;Uxo{ZW^-qS0f2`KUZ;+6Os0pv1q)B#UIPmz81< z7d;%S>5)=@Z;COwxEQyD6@2f;y-Odl$6|aj>UpJK23Z*l`yU7!ZCOu9R*bhjz1b@lVv(V~wL;+<5~Z8-A&S`)`T+|PShiWj zktKYwX4c`QGOL$wh3dG347}5SWFdA_2A8-{-u)xjo|K^6HSc%J*WTolL06{)HN%&` zRd2vziA9vmR}7aN|RslejQ)(fhn@$9lI1}6 zU_-CZyF{dvb&j~VOLZB?6?4@K5@_;LoPS_j6;553-yNAXD_nggsW`sVjFTS5<+S~x z+ub)V2tk<04Vp8n>x# zJRzKqpQVc-m%!LReUIyB!Az#vXpns6YpN3Hy9{kM(2w^BE2jD3YbI_5o-_l-g*@4o zx7?Sr35xd2A_HZ%#*l!7EgV`!>?cz};Qnx8e;WVYn_G})-ZL=V1IKip zVUr}jo_tY?1&e^kOp`BfyyM3EzNya8sIND=;;xod!IxJ_IAdkSEBIAzjjFR`v77VL z*5F42f|(2^^FWfX%(2e`mhM@;ZA_&(*16x~k2@}N`)%`(Z24Z$V?&$gH>3*8U=Om$ zstt23ed^|y_d#aDRkz^ zXuwFUY5(OHeSL-u>(K)xtScI|6WVIU_zj=iF6WwP8|QT-~v?>LC)2>1zL#M-|4W9)kT^wg|`ed6_@L1|~<7@1!AR!?)V zLML0TZgWv>+8Y(;RjEE;BCf(H2ZgB3piT9YsL%KAUkh8eUgtb1R|4%kML2rS%}Qv; zPpEm4YqA&m6}}W|sNqW7=32+cNOV(Yaa#G|p8w)gQVQ%1#AX=Bsd$LBf=#y)2K2Bg zobocJmSq{UNE8PR<&v>V53mW5iGI+_r^r*x{pOh0r`c&Ckqo585VpW$p|ad06V2hv9AKPD=^n(&+0< z%Sm6@PY&ID4xzB1GBI5wa;|R;rZnv-L@$ZlJl=yXJUS|^L3p3#))#)U@i|nd&6gzH z(3|!WiEpnu{o0u_I%2)haH_67?Y#qHSQ*`J9X4&^P;2kp2H8%f>GH5uG)YcrPbZSq zgU=32g-%YNx|N@uKm->AVYp|nkf*Js-ZOg{-X|~Xxuz33&rV)?y+7V@65Y=5p49bW zx7{c@s8$QIKY$2IYDv!T_vT5eG%Xg7{#XQ0H5IQ*tV)7{R@Tan_m?+Kr?u(A_Q2aY zle9fRq|@2hhGZj@RB+hQPh(?X82;8anL^1_bK}5A6#vN7gF5Fp(mfjTGIUw8DM8sy 
zr2%0E7RfxbVKVdC;XZ;eBhJ>Dj;w&=%iN>wI#g@6rz`FrC(pg$f@)BEwaIB(23_1? ztFzKGF)l3+w`uU+sP(>}%ifu;m(7$7U}Ji6n(lxBI*?)Qb%JzE9d44)ofbIbIGv(u zIMC=hp2E?F?6JGp6XnyjQ4`(}nFgQs3NTQ$T6UH|c~-Y5t9BaTz4R$Eg8mSKned=b z>>q{wp#(GO_{5$YDdk`HL7kfuJoQ_Yjev0*-s*edz)^*-xtJQ-v|*A+*D;?)k#8Bo zSj;_$)0ya(ZFz=^3%fZP`7SViK%s79qqxq^DLO*3#v*L-Q~09KBtv)p(xciVXx|=e zt8=t-nMP@8FNba>srg!UA5YqYZx}v!v*cHdqKOU@96UT_tT9IUb*+kC%Si)v%g9nt}c=df)dx zxgjS9H;;=s`)C{Wy-$zz7t)h!ukr?s-XSz4CUJDtS8Sa$t3AynD#3%GXdQk;o7*&>7_; z!MPz2w4$`9bOiQ7PR}k7wg`2#5yz_%)kvIjdTx(~DA9+_A=5T%9cRBBFtEXI>PRn; zcu%O^T0M5IrjR&Z*or#+@%%_V(k^TvE(eoAfv_D!sCKsDMaCMSbmq1UIXhw^m#DIq zFdgiiN=RYV#bxjm-D)=H(#=p)nRXe{Xjv@F9nkSPVf5zCIQ)LHI1_~3wD-P&$bDL} z%=CIP7xxUVuGdOU70JogaCH%#NI$%({AR^+6L1tUHw;oGUP+U)|@?=cp0K`*NtAH8cu6J@f53ntXIUzN))yVM8&@Rk<+&O40;rxorAq~$5Wep z$iZG+y(o1C0VuvNryj9?TEu4)ItOoGe&hIroeGR>HupyUXg*Y*B;V*MEM+0=T!C2- zYdslF7xbgr&uKJ|f?H!9n_={je{EhjEpNfC&Yl_Y9Qf2v-g!^)Y%U>kMKi^aCNYP! z`D*Jvg~FBl7`2zMefhp!|2Pwd^D(YGw_mpt==~v)jL+z(ky05H)oa`O+Dz@yH=_xl zxkI4{WqRirxsWf^KY!+ySM@l91k%9uOEdd-LTxA6T^O9f+u^b9*vavVo}GB|#?>|3 z+Uv=C70d7|0GjILPak_#6h0qJToMQ^R`^yRFG1TvT7pXLmMp zF9RLQo2IGTt2ExwfFEs@igm$9L6avN#kQePVC6dBX=xLOo^20!<)B(d`2)`M+6H0D z&=|v1b@N&UtH2b){z1liqqs+VO(TCK!;`F2K$c{IvbDeu1-E;V2tQKd47=bxt71vA zPC}RBjpe(!%3>dh!htDLt{fcsk3y@jB+krjIj^OpwD61u>RjP%z3yD4?3z+&ppmlH zkB5w?9hct{_~`od=ACF+!6R|5BE{r&>9HDEtn-T7XxC=-Sjm%cQpIC*xp@a z?@LV`s3b*`9@12&0kPw=%r3X$WLqAJYib!V5k-_mw2j4ME41VN6|y;J{EgQv3C~05 z!0l-|(c!W0cdxn9Q3NaXiL;KkfOq*vx!rg!uP67Gd+q4MMC{Xdmap{7|+f<)>f!)crV z5mW5ZCmMIIuk0mLhA?5b=?wUsHUzuA{GJ7d0*e^YCGfucEAsJ zzo^bo&64zaO~o>|fl|8tI_mbmZ*paYsTf96dphVnbS@`rxfWw0yCjr4JIXkL@G@+ByFRZ$e%AnPn|T31p*6&btced(y|%XS)H z#Z)+=++ngqqx?Pb0PrO4w$vT3AgVUWFPHmUE(xxEhhH+&;rl!|xyVub{54np4l!IK`WQTU&KQH<@=C*WWSQaAykq*KUIot(_JwZ|egbV8InzDnPF5g+ zxAj%2L3*|%Sw$jo!z#A7qph4?8IKgyywr!=m|oE(k!QPu@N3gZq0bLr*JSktq=5Fi zDcGB>!=FRUIvxEplOq>Hp7Wv0LgTj0el@E04}unkSD>&DHKO$Ef}P8l(^EQUS$z9o zkwGVyrbdozk9W4|_e+_(K44v6~tBS2YQA7lL^)i+2Tc 
z*gB-p%g$qAcdRh{uv2C@gNo%2xgx{PxI*C8ll%}jCp>EquL)D5_$wU8O4vlZ7PGi& zYVPef5Itdm(nm01*S)0(^>XA3uBB-{@gqiawO7rpFPu-4n&zh)5UuZu-SxIgI`~?T zEs3ywA!_~0fO49ut3t^yDYhqE(no9e%0fUc9_8;Pi&lCI8ncyla&sDwR|dRve7p<4 zHu62o@Jk?0K|C_$t+D9q-G3oaFRhcoxkr=oe#7-cpA78@ATKLlXC<9re!0o}w35C_ zqcSS&in{=){A;ObA5Xp5z+}hUNN8$;&bTjGAW~1wsVb1r%yv%4iOyCDy4?BVY!p95 z-aT@h)@aN#;K`Q?vo-j=WWS=Y%k-;x>r0}Mu+RpLeBnCV;+KFgHVHQ4T}HXn9~@6v zT)vH{EhZjQ0jjL5C?}xybarpng*t{Qa?A)v#GG=aT;}__fKu_4qXA;N5pb@&mIj#Wx^%X1{4e?k9|m8EcYL#UmyzG8+QPmITj*=2dn3@p~Ijpl-^TF2i-601XpHb>Sw%B&&d{TMuv zb(FFp=fX7i2}CB_kVGcS4BDZ6<#_z`rBmSw9+o;~1#1Uz+h}jPL9^Jo)?%1#HC=eZ z30e{ixH~>kdBAd5)!lagDsiC}mfG^{(>uvQ#K4I?2yw*mrF7;@bep>^#J}52R-R-y za7me!A@il{UPG=`5g}No#7uORG`ZX<7lYYFr5yNyE)5Q$5v91*s;N7@X{GxOl?DkW z>J#Oa7C=+O)E(}A;;!iV8&n;_dTjkiTx|Ucii^Utle;|C8kZ90a_4$97M^h|J-0b1 z6EGy&=DDUY@Ji&`5e2@~dB+m@6AatdHJBY9&+Q=|nG8W}b+H&et-H4zNU(f4q%=N< zP}mQPpm2|z(X<-1d&4?J3f2c+afTNZ0-q!AJ>ofEcFvVwH~J|H`FBR4CaTQI>r$~i42Z3~mx;qG62N6$XpU4fJIJx?>}zpY9qn8H{5 zqe7a*FS&#%U_(fpCWAWr4O7bLaaufxK|pG^%+0L!Ofzf5wj`CAX~U2NoWj>%4gc;o zc*>NDnDn#{f~fGpNg7Y!$)q$NquKjH$a9AXt8<$6@jZYVfhsit#K+mTqz`MIM)nIT z{30l2N@a260~wRPaEDv&$-m>uSGIH)(fi86&p-Ca+VkzllI0=7RN6j&{k^4z5Lpq! 
zANijt1e3P~zvcGsuUoia4rcHR8qf+}3z{BzvQ>mtDavVU>a_Sq(nNLCdc#?yC_lfV z)Z*!!e|jW@0tjuX9q3~gv;kHlMCTv|KGypLG-pWH_ufs@;I{&Wp>-d)lI9H@$YRk-`0#yI#c_T?(y$)CIGwPw+=0c4 zb{gqtP~$vTkYP1=O1q&DfzzZPfFSxL`eAy%JWq=UxsACIB@P`g&qN@Mgp>rpw`6+9+9T0vs-sq>B84hQm>Kt(UU<-$g#RERaU`N2NuvWE3fRWR7Orc zYb`~l5hqUNgoc9)b?VBO#Wu5D%?(^A&Vd<-eOq2H(*?MU?m9N=&*Z(bo;w_YZ7kK1 z`$wJ@vluNGW946NS-@|F@=8T)Wm!S1VO&30YsKk9^98pklr~~+gGVqV&-hP^H;L*KIqIAj#b~^>s$NNra6e#fmB(1Ba%(`J6R<6EDM{iKoL2x6ZWiddIqQ z9I&|p3euF3 zr&Zv+9Fccsk(5oPg#;IM;nBM|h`~Rj)-6 zmNq>QpMKW9!|*1##!$7r1_*c1Pw6YnD+1K4B-6k`B_n>g61sG|$3PC0cn(@h&v0){ zJ{&WRGs`&)*?*Hqt2|BR*@(OHl?R}<2bEcJ-r@cLajzj!CmZtXEb0@lejuRp3A{HE z*HV>ot1@n}72<7|>k*hPvyv$uA#_l?H=o`Srn{WZ4Q`antrjbAS%7;Tr752x)#+`* zQrtz;!JXf55*OeO925@0#taSG>?WJ} z38AbpCJXo5><>&JT@#}C~Zy4Iu#Mp_~hop+$@j9G!;#nn;L7| zTN-8Q4irpZa84WqJ7j1nt$WNr>$dSYICd!IT?P_GKqP`YKwf)|(-Gip*ZM{;F4>~y z@Z+^{@+!vL8k!^=A<`DY4=MdSCeqzxD!m0FzT$})X^Hr%PJqX4n8@d~#$tmRAH_a3 zrj)JFyn#X$D-Lz$-$~#+mr0fqH`fjnG7BQVpMu(L5i5nt4X<=;Ujk`q&MLJq>BDE8p<&d9@pjx#^q~Z? 
z+5Cf5yr?aYW-I|UgQ>>9Rh@NjV52oM#mdnrdIV)_$6>*RI$un?S^fZMrF{3x4$2H=|q|Q$!xwAbeLHGgWcf3vM%@^YHVdQjcnezN4`;ZYz*k zE*9~I?3|d~#sulwE51Zmq0i2vmcwR+WnX;96Q`#2uj ztJmntwAS<9!pSr6(3cqf}s+-AX3#TTWUw@r;gRIU^2A*G zxL5M@8{f7&iDMvRA5OvoDRl719b#aG03V1j56*LBgjHRhL5Bc+&HWizyb-#mVBvW$ zEM+c8r90oGwF+CuS5Tz##$Ap;QNmWb{mq-Gsu33} zuhbfAwpNj@gH70->~*N8XibmVIREJ1Uv1$XHLPi+r)Q*!)xO5VZJBpxO`DjDq?R}9ah!8OA^nw=x?gwS|?zj44>V)bM$iQ8*qHd9CCyeW%V!pHk| zEFumNNN1wzh;3(tg^!m{-89m&h-Rlr~s&aHG}8|_hb@Q;yK z)gz|7Br97S)>cyI2bOTKCQxCd$I>b}JyK>88EW?62pCRV#n%^?F}J9LEpXs>HKa92 z$D&CnI5IToo8pT#IwPli@4UQ57m|j??xi*^YwaQ7ET+*^3ZOP>(<n^ZpXo^1`=~=!t z^tOL=BU+sQ5Ij8KL&YA}JKkEC8)B|7YD&@i%~n@Dq>vLL47C6slT`*RKP*>Bs}VKe z_+qBx{&lTbCxtw1AJAoy*pRdR(3P|mcOSYWNHq@Bx^vu~Zz=(EVaPISJ=84Ia66g$(MImu0R+*r_}Dd>h&?8<29SAk zw2y*RttdRae?StS3sikwN`0fk)8A;0i{I~MBUu};FnIUn!Ihr5KG-)Eb_#+0iklh} zB;p+HoQ{G9WYDTc6Po^hmT>M*#`@p208Wufs+5yYKJ<5_lV4QfbI>rvu&E$D5nY9K zAw2!-JbVECNw3r!9(0qsvOFlo_Gp6LcY9vFT5EW7`D=FVr>7(fHi zF4A{igNo!RYQ625dnm{{A~rnZ!OMtbXcfqXfPwM(OCBdK8&dERfn0F*nBEYv$V=X9 zJ-2t+vyRsSn3XkqAT4%bKyF-t5!1zBLGHjg0z;Plq?@R-ba=KV^6q}mGS@p)X|ktL zJ~A42P4ukxEBa7)R-a=@b>x&U4Yl$4Fk{D1sgYu>Jul?7`ru*w)oPC+)$2npzND4TMpg^gT})7!LY;Y}#(m%v?Eku>;HFUM5Px z7m*4wO4u(@r?AS3CGl0(i4v62FH+)vZCdKoU8rHxjtxegNG=8UVWZzgV7>>G`y$Jd z@zLsh2}D20M|MdGArZ{gxU#qgmX&dJ9zB7=M>q%1+Eu-EXbaT*^oZ_3zrIu|4e{tB zdBHBanvTa0=xz0~WhPuW*&Q$?1)3b!-!=$L@kCCqc? 
zk$pI%RHE@uflFjqjnU)jnB0MYdw`N@zqY_Q@H}QH;N5Ex9sE7 zKn0`O*FyI3+0=tfsMI?qCJtrD>Trx2u4A@B6Q}y|!!(wsO#xK7(#uJw-V21)BoZ^S2SD(McIosp$Y zvx=C`50-?y?tj&;z{FUTsLq(YycPd!VyiJpmgEufzJy~CqyOzyucd2&nRcc?zrGIc zQBbHpvtxvznl=7_eQ2d5^k}7!IS{qxCmdoFCj)#Q~Qpn%H_&xZlQKY#RIe>Rx}7woeH(f=OFSoml}OrvYsk7!=IlXAX)AW z6P`5Gp1OL~BdR=r4b!JK+S5~B?vE!8s^3JwaO4vAA6LJD7vn;PadisMOe8pFOyjk&g_0w=kO48as1-0i#T|6^Sx~Ce z5x*^?N4yIPYseVVzb2uv-L&14JNcYOK_~rgnWNc252D%`th}0 z)-+eX#z?a}v)sHm^-30UVj)bNSe_}#-Z@o>`aoYa&UTta9-*hxpW{V{I4@q^Vz zDyfR;Z9<&|AE{y{%vEExnpPiKsA1FcLEQjnORJLJb&Gbgi$U!M2iji^7-RsPzfWxbWmPXw-W;M0Q1MDKgkHtj|D=Q8hSzGChK z6ynOaGIAGz3_4rl9nrV7(uEZTH0s`}^8I0uk=yv1?%RO`wF-ZSby8#<7IR*XkoDwN zNvnezJ+G(k37hIG7>AeegJj+B2h79M;6f- zGy=O4lgD!>8R3wAX)PI)bS}P8(s>sNX?M2zMrc;Z`)Ra#Bm0Y3s-fh4(J|vU#_(r+ z?+RL%M~$x*8Q4^1&%AB!zoq~ZY5UA#s!ORZDy+7wA9wwtNQ_4;@4wOo#C4&H- zkv974ETKzAsKOCMFoR%N^=wn?2%qUH)1&3q9PWsZYan){z~ETBtqajulYXffy@#P@ zl#hpK!#ebhGvVPY8M2HqC-Pe!Q1*i==k>xI)e_*r%hlV+)_wiF%Hn(_>!PO(BV?ny z2sN@P_vc>kHn4S+D(>jY)P;?=niy+84-q|;tG#_xmA0T#U(|++vp;5jVh!TDN3m9l z8tv202I*5EElu1KFJF~to~cQm5h79wOY^4=>=KC8&RR7Hi+IL7{ZNOXGT&<0*i=Vl z_%gdao>?_pL`gwpPgzfdhWrAsmMp~Gn0-i}cpyjSPN(t#+R)h*WXepF~PP(}ijH7VbEe1N$KBM*WUbKSH-us=Qss~QzP zvo|1F*B=3LLuE#pZnEKjY}oYawx>^VbyQr+Rd7rV6WBsEQGZ;DYx)hZ=_JH5Qm}LT z>)I(thvw=IJo0I9<=En!dQ_*T=rtS^h=6@H({K5Zbac%KNk~Tp}hWwnMU;|~7xg<%y*ZPS=#ueTvfo+xA z+9{;2+3bexnKSsz)9Pf7p`)*n>S?`zJ|xahL5V;>T$n^bsa&IU99!D_<(qH(w2*Ns zUy|g&O3wV9dJ%>-r<=MoCGhL#$MemJ_rtsM^#wT~IQ&x(yMPlC_M%3zspP4($Lu=> z1uuDrt;3_46IGfI;-w<fd}Bl;=@;W2>#R4Y{~ti8F< zoqzpmHbrW>`y5sC#3a?JHARuxdjIrl8)!-hwd`U;*shq!Nlh9S;1^F@yyixtcb{zg zw0OmmlG>OkA^k&hcdfY}8Hy{OPwPTdQc{b9{xa}+$g;>@7vM0wi+Y=`Z{ZnYb7yH&rZ4M* z%}swGWGEWafH!|vREo~Jbx2s833EgmT7s5~OrW~n#HD3@p9DXos$63KV;|KS>uTTX zN_>}UwmfOo5}uKCL0*9r`voX;dG@Nv4MhIMh+-5E@JZMyJI>ERy-Ve>oPFB3(A6QO zJ^S3bR+d(Dto`HMQkS{IASe1|-qE5nkA>LmShLODtKfua_OuY2Y$s*75Og;JavNq> z)ekr5)PlSP3erHJ*u%Lj>)tc^)i*9=sBLf=fQqYn2p!j~c_r`6#DZQz&Y7TEvf)NT z2bamQZkx16@wxOhsBP#G=E)6bQ9X_c?NdRAvlDN$5jupgbLXCQk6i&b9}X9L#CU&| 
zz_4mXXtzB8KLzx2;wlB~#P5_PgV5p39By&B73A&4fN{@QxsYmZ@bMRC!;<;+q=;@l z@9z+`n6Ui>)DgBH3(>vAy1lmf1L($H)Xou3K~NQXOGAXD&~R8ouRj#1e`r-+SLOP_ zh_t*?52<8PYhs})$-{!RJ<<%|x!5kO!t#e%7a9uyrEs`dYo+wu+cQ;#?8DgpYJ8WDg zI3+4@jOc7|TJfrUosQ2c*Pbemp_iSXgzps$lcStfm7tu-lBOTtfThTvu?iv8n&A$l zsRRR^&17>_bxo6D&OWI4*0I1%Q%yyj#0+6`3x0!F1g1pHgd& zUGL!2wpyf&1P00oCaQye&pCPSsPnG!kBHSlyLEzbOi=6ls`D z8it>@Tr2gOv2OY9YWj6gfZ*{LSpVsLuluiE?wThgG|W(sTJDVWwN5n|w+C^^Q1_=t zKBNHhoTI3sOlyA+@#cZ9%p%uLi`*X$8>Ob_I;x%QKfmE@Ho4kipVCS7rfSCe<_rZ1W3xpE`{t~>XB}-vHXn8J zrq1pX^_1*}@AcjvZEPsjc?w7$>+`!19Jh)(H&pa}yePp@-xe!Pxr)&PU3Yo4S5#l9 zIJ2F@obS&6tjMOInVtq8q|lihwm*j2fYzlwtULO?f|#e%Gdoz`ek#o)f*i_f=j)5& z$C}7)N(8DRr39vW?M{XSSWSTG$7drlB~JN}&wEd}h@cjzjq^5k73BPANU6ETx87q3 zLLCh|G=Hq5tL_ejVvf~i&V<5+>;^~3P@>SFzY^NPd0mf~vLpzrYbb5W;5x0#;(DGP zkqtYB2EVEWLgya}e$)FjErz`mYGQ8k3Ek4u4iFUSt-s!G$KD&iQ}>>eMn>sHXe zQe;HU+cVW`I^5o()1%5bR`oMc#+4J!s6a=7$fF#Fn8v2TlW05u*LgdO9W}|w z!ZX!v!y{^;>rXnTZ3MQT;GvdXeAw{^@P;7DlI77#_t0?m=|}#t{Hm%0M?M|SiT%Jn z3%@MHx~dipqIGy#$DN$^bTiLJ!~E$-Pqt`s4Kr}bm7I-gy&qyj6O#yjwVaJ(MvT47 zg{(rHHjqe*v6=U;Mie?L!kmTBkXEm-3UvutaU&f+o(*D2d#KzGYgVIsTtN+ zUXKD1x3T$G4Ih*_g6Li6;#WTJcp6byj|7&F+eCb25pSIcNNXeDEp3^3eeWzi?~7W@%7?%v zmizW*jnMUhp=4!AO;`2I;+g&~^BJ9r#|(=S2kF|GdS*F_A-SW7);+`ul<9>wgU{J? zr=iyYgawd#OvlD!vbt`&(vZ<6xvnOZjmvA6KPDf-u}p(Onz_vpAD=H_H)*Bvbb)m>cbS{%Ua9 z2-U4%?Y*t6QjDiTG3??iTj~b3qXCP67RHh^U}gWOOc?`PoUF~zmWg*Z-;3LW9;1Y~ z4Tqgh1}(&F6;Fa1l2k>+P!%3bhMIlOdi3m_;udy0!BbuZMS6wD4_ylJa$v@y^BLN! 
z1}w#aTcFA|>8Eb5)*Uvwvg?N`&z{@lXY4H;j$wT7+ssFpIM9=?-bQ5s3tYZT(Eu$F zH>#RSU3a?bz1Ldp++jLrYb`jbJ_69C)^FxK=U`?)CtrWmLjwzp-hMI=yF6AAuw5=J zLWTTFo&x8M`<*8(4LAihS*tc%AJ(r&X}<3dyl?gp+O$%UOTz3q1};c)U2|?$=BTiQ z`o(Cv*F2SkMOpXNIgbJW7F^aP*czyRhx2MPlm82dE6xPw#iQ(hE0ou2c9dl@I-KmlB)2$*V$6->Km!s={o< zw|$F&p2yBKJYNkNd%N66U-b*s8u-xv>UBInzQq*nPIwh#IXE_}>f!LZGuDnmU--B2 zn7}n)ku$`%b6*@1*{GgS=n$&Z-5mxnIj_F_vg{>Mc7$-m){;$Qt2|x{8@b6H)UN_I z4mYevC4gHdb>PYwQWJfDaD)}9uh!Vq$UY8~tQEcL{8S&PR+wqMVM1o2gp%u)m0cc4 zsBO*O6E8XMYT>5{Bl~AuOG;KJcyAV*HAuQ9fYo(VC+j3If)JRFI~mjh;OBgHj0FaR z)Vy*jBT59c7sKC9VDx~^fkG%T7Oxf14wvaWz58RPL^4>IlYJ9SDo(wi@5Wp3crJV{ zo=^}IdavGz%we@8^{BCdV8lMU8N>Es7`mCI`hBgT0Am9^3`M^?j8)OhPhT6~NvWGN zFP|Syn67}fyl0yE5m-K>sHixam}gngnW7B`p1>wcB;!D9gk74QLP{Q=l-dF5292??fLE(7Vj% ze;bp%`)6f@Yf6t#^{{rISB6Xkj;UT{yOSuVsN%+$qCsv12Jp^lZ)KgCjlfXFRQ@_x z=arYk6XUZF3>+&NoB6u#gtBUa>=r)O5%)e-Wm>vCE{qFP6UVYWg6TqStdzCfjV)|z zQQs=~Xr2@5to9$fAJ>b@dC7yrAdf5pK7PF#VAyK!%F|*vUKa^rzOyRbGjiUxCM$%} zS`8g7vbH5xC|{KN({&A{+%qU{L39+ct6GeY_uDBVc(B&{`Fb<$yG$3XU9^Nh8eSK@ zP%OD&R)Ygwz;y&#u|6vL$h(Z*bW9OXA83gpsaa?xXIaBt)9p{ZDS5V2R4+mw3I!`6 zTDO*S4jaU@VXI+l!*w+*HiD=(AMMwCrN2{qr$iD_aA0)S4m2=R_-3%1@g=emwl>id zlHS6`VaJt4RZMqF;pXn=JUcVeW_Xty4U`{)jT@g$Ogy=>5>t}2T5-FCo%USMZ$3ZN zG?_W=Va3fz@8`XOlV$`^I^M)Ua(Ue4OZ&E5uFIE;$kS6j8;;;GT?Ys1s@6|U^$B@M z4Yzi8WQZG&7ts^E*Sr~NkAyi$U_gM)cAZakk@$co$|=2^#RLe13IP}=#^uMprH{v+ zfsadl9=RG6**S~)jd|6fy6##Y>i6u^w8fIJc(sh4JyoR)SenF3ZJ4Ux%jgs-Lx!G3 zensCdp%uLfPkL0HWoS!qS-|?oI$-i!66C<3>FKB{iA0D?n?zXE>0{xBA07`Wt)FF$ z)n+TF1$-b*d}z^|YNrySQ?4E~>#U4gdC|Z!T7~xRXC?^{bOUFuwI$ViRM)#7X1@#? z94;M)Ex;QzlN#Tsx>&*lVAFR`MYvx$WkGX`bMg*WK8sjw^yYcXigc!Lf1j8Tpq4SU<5US`YoF7`o1Yb(F+_@9b5=i#LVv>? 
zvlu=@aOI!+p!QzkRi?)IrtUp3a>4e;mccqm>t->B0TM(om5$Fq?{aDCBdX!Oe!Ui_5gLr+DhvR9rT0!!YXQ6~1Ld`zzw>l+V0 z>9UKq%qa=oa4U;*q*waz5fU6&g=W0D5G_QSCS0Yi|@SY z;r0kRKO~{TTGe@A5&Or#*n7M#8pg2K_ZfZGzZ`AfdGFb-#mIKPSv*Q|8YevPIOEAM zIL7?VE#@Hq$ZMRfs4Mi3gHRd$pVp!6_gsQ7{2}v+4;sj?4DF!rk)!RipM$)0 zz8BX$V?&~W{GSAH|9>R_-ySK{vf#hto-E-#Bmm9VhzUd7RID93R_Jp>Ca@ zOLTG)POqUXFiPFHBOm=yZUOz!McUwU_ded$OhPk{{(;w56U}ypTc&?e*S3l>89a`n zgsA*4O1i!M-y;7|g1$$NevbW7ulG%j-;^MT4fp?0a(>S->pExas;n%kW>B|&IvtNf zTlm#1^r(lrZlgV$pgsR86AKebDU|hJjp~NJ7lwW=5$*YR>m?ws@gV++6^#o0oJJrD z@t?Nezk_ygO+K9QVeIX9LFjwv=ZvY)&M$uM_Ss|sl~v^?1!wB4VCCL>2J!ckUF7WO zvI3|#C*8smanit1gQ3bD_b3Lx1ZcvekAd@2&w{x_sqTiqkl7&!;cTl2rhaaJi%Etw zRy#PCScWP~`|%wL%WT=@>KI&}hb{L^sfD=Tke_gZA33gJxlp?`7VXw?BiRg^&$rGJl)cK_8$PpAH8X6 ziAe5+8_HbIiXW_hl!?m|k%=9z9UMX$z(`@p8t@xv{5jB1{{Rg=2MRa`O7_{0zkz};fJ&o*y8i*1eGZiSZ=m>D=RhgXfd>8t`t}^?mw$kU zp93{L2TFAg^btj}`#4oxIdAZ78J;YEy$XCv7a0kI&O13D4Glrr3Nll(Ieih73!VTTojDHAue>&3S&LR4lGA zmft<2_%QQ%sRq*UF4SYhf5oiW{5JK?!-|)vETRnm%wp0T9`r+oq`Xfkv%?qYZs>er zp^Q`EMuC&(oF~Q03|HpNjKSS|!OetvNcs;k8A1bZ%yXmXnfuFcc2oYiO?@QKHDG9; zj-}l8yL662;#kmzyl0JZE(~St#!G(>)p1e77owpkR$zw7ot3_X$@cc&sr;br=}36um-v2c*x zIPo`czu=3xp(42NU%r@8xzl82JPL7O2)-{<8!Y2J)Z;alig-ZE^IOThXRlmEB{Mcd zsM+_Ip({as*9rb6p1I%f!caNoZ$pM-sqOz7dWm&mNcFd&mjQjbIR6@wy)d*x{M(T1 zSZdV2hCHua7-INs$kV^?=-U4yh626qcejZN7VrF3DX|%}{pYw3um9QbVYzmjZ{-qG)IP(49cOM3! 
zEFE9E&<84aIA#Xq>TjX>5Iv9APkhJ-pT4ijb3Qo;KjM=8?htwDSK)Jz#-=uhT*@H1 z{41UPU!Pt%OuhD7WYJJdCJr>#?))~Pw1z0yC;l~{NZsn9Vuy>O27b`$*?Rym!^WW(#I1l_H%E10>d!(*k{*K~CDq2my<2`1(I3buVv1~@8 zqW(FToDYX&uBgI9CE#Lw3{1x$)bPFYOSc20VtLhlgBaibRhLS>LH~u~(Z3nL^j0Q}0b9j7cVRappjY zg*`T_9ja5`W0?J9JQ1UKTBiR2R{y>8(m_duC07wWc_`FTD+JoGTIP5RQKwVmu1xx=tSC-X4%7xfe|8c>l z8kfNOt3=yj>FpYkxBuz_)TJ|ujvnQU<3yN;cv$(u8#Mfs!Hb`;F>K0|}#_%D#;@@;>J+^|p#<7fU$FEmp5(O!RP^Q?HEMd^R?P@(=0 z5C83g4vmE5qC@_#Ss?$H$$xk_XVUN=CeeugWm5BRCJ*@jkIv2msHtrW!xRNUnus7s zmEM%zq)C^KbfgN1(tC%9s7RBdpn_7wfYL--=n2w0NDTrJxYPjB2?^zed*|It65lxY zB{RunX0Lzm{hdGSoMe)<@_K$p5@W!xNV?&Wl)xgHjzbbHdYUATqslQIg*yc{$$zgP zfk_f)n}hc-NupPTNpk!Y$+c~UJ;gCd&o+7zag6&CPOi$uY zfkpEFP@uphiL=c?I}DO1E5alxbDHF?SYFrfNMa256-g@`lGm_EzQQ4i7ClX}6o(|H zCvm61Ci(9bu3?hI+2)`lCP^Gm)|@7Z&XaAwBZ)EKS0v?dNHSxQOu!+D7ClW8Cr@r; zdJ=aEY?A+8ffnD@aY&*?Pm{#S za@&}m#GL}0v}tF#`(8#Prn2=nMrj^KX@7xwwEoC;N>N7v~BMNm^cm&^AVs#SNSs~Up!uKl^veW zXobSuKPQZ$zR%2$9!}eP$y&o2z%{6!^YM+8w+83xPzk8?&1D2C4_#%j6AX}f84xh+ z)KHD|t(rprqz8Pwtuwc>3JdV4R0#7CnJs33ALSwj1CDon)|clIZKgjH00*GVCWQk; z4ZA{vJJB$MtbSy=5JD36%pOde;IUjXIp{@f`d|kZH0UEM*D_f4+JUgjIT?1Oz6n1@ zT3j)cr*EuJy!4eNnQKd0u9}KcKGYK|i5j<;bP8OVR(&qF4$%01{_FONF6G4t9~eLi z$%+`y0kO!k^dtI$wl|=>U|tXRsR{DlR=)h73Mo-DRi6nA_F;Q1J(016Qv%=)`4kXL zo4I510v>&YZ_YaL(h&O81HULM*PM@*Ye z^2djC_&tq^*roQ`HC?Sx^<1h@)gTUkQ=!UmkXRdD0U-sn`!V&=L7hD7cJ!=l8$Qvd z#yUq-`|A1k%aK@a70^AjXzI)GP7X_9njaQ{$IG2BrX5!BUfoIUvY0g=xpS>6KDH2a zR2V`k^-30h1yF-}HAT4(O#s}vHDVLfWP2}9OAmz{o{TzN0MknDIg0l6tbxK%9SNgF zVr%tA2ld9)k|@oC1{>3xd!~KQR}52nZt;V1oEbZo-VN_rn;sX9O%C4!076_Dg;fq? 
zEhbA1b)?YMAzM&=pgif(>vh$KzJSm>(%FGF`E)Ou>;Q{kvx$ing=25SiK8M4K#%aG zC5(xM(cx$*Z=50E7!C{HmxM1722yAL!S^Sy0Pvk{fyOWlN9}_x1tO9nxW#iT(xS zuynk_Apo;dXxg{9m(pkO@aDmhx*_| z`gdLK2jflx_UUTW*Oa`z*}%@aw%vNNQfEf+#p#ugKb`0l&*4zU97TeY7iT_c;yIPg1Y*vC zbVHXQL_;LlD^4*`bSj45_>gnqo_KW3xt^9s0V&m{>36k*)L5Oojvx<&09*{8PO)3%A6|F8uKZOEXP7GC01mMCvYa z&UD!sWzjIIJ|(R!ndjsXXm!;@nl-bi_=K-p!u0TkCVuzk+e`A9qw3l}Ta@k(yd=1( zma3QH8lS@`HwE|^f!aSeQ9(yc|A2469^lh_L}^gWVEhS46Q*+D-F$GvBbDh7|IF3Z zTPw=J6~I)NbVwKvOm`B(Z_%#F$}|5YbP2!ah8I6`?keqZWHg)j-u|uKeR_g}4dS$c zLMc#RXmc-$`X%CZGOLQ(c?p7N0*!GNJgK(Jt#Pyq=d3-SzOhmC%uFcAM%;Fu?fQ1X zFRSYE1xa1ed5GbB9r{}!*ZPHyXH3C)s!E0|L|sL^z%z7Vc9v0JOUP@UP!#RYyYlwr zr~4K41D)gUcbk7&M$Eu;W6ffn?wcyC7UcR_$;e;cOVMkGvm3oNC!q-|8r8gFbW>HC zb8R3i$*)yWPn=Y6TI`Dp$R%sC>S+<}Gj^8YbSoRC$7f6O@3yh)$TsG@)Xx+q`Q8x= zic6p{UHd@7eWv$Wl)(LYHmI%0)RP&S9z~`PC>f2WAd?T(ef%a4^?r#pGCW^ZZU%qJ z{^8Ly70KZw)z=>NhhU6gUWQg+&2m$m)UIgfw~0$i)(#8AWBzjsV-#l(Bw1|J*PywC z#yYoU$NWCphtQ~9jwqUB>bUr=%YO_-!pr3R;5D$huU6Po+n*2d61G$^%B#l{mPcpT z9F`@;nMp%c2hfF35$icCLR`6jIQpxck-8E3xka^;f}PAC`CXv!Bd{CFH3mwuB6r;{ z`2gll7a9Ldk&}TU8}f;pZ=nqyEp>&AILX|tZ%_>A+piU@IonY?JGVIPPdC0fPWBA4 zdsPT1+VUUS#%Yw5z2$3L1y|KJlDTSX1-7ABPHhq4?u z2X)Rwg6DT>xA;f3pyeN_&nq@M1wAeYU#beo8CfIueZwoI2%o%vHb5YI^&A6CiMNcU z&MKis{IBb~+(P$B!Zg_<7@X#6Oq_)0~Z;-2_ z&!1KG@7zf!kf1u^f40Ybj_R5*^`|Sm%Sq!o?5ifr{3N<}hiyrFC8WU(4W3z4e;XdF=CidutNj#M|epN7-2^n*F0NO*ct zoNSN&wJlStrrI?y`91V_?jW5%H9=X`@x03WYe9E?U#}`e=b{n#K z{^HWj$r;$nil~Lbhr^8>=kkmG6;3p>(wqa*cpmSUrW8Z1$Etc_cXO+#X7l~4dBR7< z`db>LQLN!~=8%%hq~Ri9shd=Y=L@ehM9VGV;|FGiO#%z-W`v~$`cq_%m0TP;-kM(z zAjOl+>gmMa0t83>CKmfl-JXQ;pvMy31*aKNK&!%QLd;PtTUf=u%h5NUUwJIGk;u~Z*LxKE=GT$+(Aj9 zsi30HRxCy8r7%Nm!MP~@w8!}iDb69w-aV2dP>W(HZBJcDX|t&?jh|MQsIh}%%aS&^ zb;VUcZcIM8l!fIw>oqF2zOOTxU3|$BpjsOuvFmiePHiuHh(%;U zIfI#rVZmjG^q~}Xauxw_3(3XY7c-`v84|Mo(RIfm%Jj&LY|g1p)as^~#}x^dTwds* z(mG#slI3D%f)xD|U`Ayw{ZZpU^ILXm{ZVU!)^(+cEz5xlK&epJ%{wM%U20dvVS9Oj zT6j@RC1t@qYrQ@2A(|*TAYz?NR`sLsGbj_;UGgnm(EOx(PYBcNfZBJ82fb}CD%VPW 
zT+;WK!H+x&7*F+U8>S%+$Q>)a9He-;tF__2+6GeHTvl2`b}KG1Ac>YKYGUb_W9o&r z{H?OsHwROZO0xrPKQF37{gAqwlk*=%&Y~vAUzLze!Fe}2^&8r9Tst~=Dp?uQ`9kjS z8Gqv1O=&|)dYNf3@PFMWy7=@(a2Ud5cGN0HJzIsZ7SLU*+ZCSXq>4-0P z&i(IW#MBw;Un_zm$tE6=O2(Opnpf`|Rc7!M5`w^&IPrT`KLwB%Fx?hCN6^MXc989c zidZ_PTh2L-KJpn zZ(PZ#4O%FyVl`GUlRSE>BhPgBQ<^V)t3vMl!kJZtSL?cr*^X6gD?sY!J4j>z&9siI zaYaKcckX+Wu)}nz{%cbz$)VC_UN02{-S^uEE-Q75%uk^sKeVziP-?lKbkD$3xV6uV{$jo-^I76Vr`pZWNC2lCe|09Kihf9CaWHz>+t<1-m}M4S$5yEG_eXd_Sd3=|w zrudoK(MJ1IGl6j7Sc&qp^HtFcId7Vi?3=fD z29VP1;3JBg(%3bXEudZxMYWE5Ci+N+(%yY8Tsg=SU(fB{+F?z6udeDTu$}ZlJJ$c@ zXZeiDh7Vgn`@7|Vu*Ku8{*N?r``~v%!02zIsw7+g{WG=G28@U6*3!@{^Vcm%3aCh+zL5^%pKs2OamdGe)HizTw6;rdFO}vHXi2P--!Trz2R_9eSkh$q@lFFKP0Ihm+9fv0BN~d z*`E!lbQZs?S+;+`=a(gwEpB~x7OIG1N%dg#oaV%PAf6?r-V`%D2EG2u$OJ-J%;uCp zeYpGD_LfEA%)Q9|eK6g7?Ti8YXwoH4r$cLeEir~61nE^LpVYtywIT5JVTPIIY;TiK zZv~$=6EWKDa2-%x3Ht;1lRZk1!LIggy^RAt!uwjSwVOd=x4FOQabV0O;Tp%;<~(>{ zV&MLbv{z-61|y5IJ5P`jL8=I{?D;H3OA5S;yLmkQPSkxks~2kKE1DCAm^;vHk)MRVa2+Hnis^a28{o(aI=bM=fQ= zHH6BOv6|_Vqs^RM;TRy|J-_Ds(^Z+1wlLf(BPsA?q}`w`a7UbmE(~*j!3w z|KgrfL%x}}?_MocEq(NHh7!}c1=ilz%Fzch9_?I)zYgeM<~@B_|1@$-vJPpa5S7|z zYHvJsx25+V3*0AYuT%LRG&Vo(e!0BLU!$KL>;9o&U8fzztewp5-13g;<0@nHz+%L0 zs7UP%yc9tO)d)YSZpn%rwGGBFLfw>lXQ~;Yx(Jx4L+Z+#_pcd`l*;`kQxGL{T|Xc; zkoC%jJlZ56&r6R)Lz0}S)-zof&Wf7H)M*0y3N%O&AcIh$m_D(q8DigZ%jT7j=eol) zU^6D*X1_qoF2AIQO+UNjG4~3bzGB9LHm@!E;^m|%&>dwDcV9<$UmK$!Pe&iC69cyx zb?KtpDIKJ=kMj91MG!g%XIo|yheJ5hTVrfC-L;T=uGAJJMi%+3UeT9+u5<^sZEo&R z;g|KACp@|TY$o!ynZysVPO3&9AVtT68Cbco!K=GTg*V|a;W-W>0&lDL>f;$XEM zL_}$^F=Ue;sFDn|JZq z#z%ew=IpSMsWzo_{}}moufTU4@d965R-gdw9ee^B!vEb)3k~(p+ryKVRXEMHu%oe? 
zTm2P_hxZV_A9Hfvtl5>H8m* zVas2t{P|fNTLt@~`fn9{6+5g;Z0u0%lg~e)ruQ&TMc9GZ$^4%{MW?@4{@>J&9gLkg v{t3SD;LqUykw&m}u-}yb=p3STe(@I7*E)-C?1hI%ioQQaXDuC1$`I#DEsE3c+H3VYqGyR_HeIWtm=1Lm2R~7WQf<*yYVY`Zo;Ep9V41s{|Mb07rFTss1V6H zKCAftSL)-e+|$=@$lu8N_n-cU6p!tb=WqQZdimSaP_)bgWV1roh~qIxC;qZtY-7wzL$HHs44*)@geoT$U0hI{t>6Os7s$a%mcamGAl ze!INALc+1(l9gGG(-;}_ME8rS>#>CZf7-oXweWlVn9I-hTf(+BoOI9g86yE5rGoxU zA?2q99&>VIubX|mTx9rX62MEm>{~GD9?WkPioCpq77#NiEG(aF(LjPy66kAaR`J9& z%N5=Px;AredYZhpU`V{r1aeSh>oC>oDG)IoF90y?nUzb|Ey=My@4zWjp=-H}ACCrE z^eX(4P9$m$h1yxg1QG(+9m;mSEzYo2IJyI6!i=Z|7_%lUL)cXVAjFv0kWJsbxt`6k za2M^tdsj~B@emm4axK`_?zhFZ-~v`=t5>&JJcJEWflaW16Cz5THX4n=K^Qsl!ccnd zL<+*ha>#&2fw8xqBzs|}8!!mAjcIvM2!n0g+Y`G3SGrsDrYyVd|z2iHIwsA71IS;nf-d+jH0ZKSZyODWsbZ+>2KO} z0>;=U063ifWy*qzDc!``Gg}kI`dUFIt*ybJtjz>C3gR2aC=SjfO^GTuQot0kbnVvQ zQe^8O)Xj0MLGjjW*tvTvyfdj@(oU|uw&yfk-#)SFy3VjaOH5By2_s)myU^Qn!Vx&4 zsCg;+v#h3tT-5WaTb0F5w>s=c;Ww68XX7=1EsMEz3#}J0lUm`xUegBnoe6=6x4hAT z=Q=`8{%nixD?m>TRk0uY`ki+qixFd6d&f57+$;;o@vl2e>6nb>Eu3k`aaMS3hXRmU zDF9?m%H8@vH&g_e z0Nx5yC$|oXfZJ&B+yXfs%KDLXfCr-g}pHN zeE#9ln|oC&XKj>jE}}=Pb8Chj?`AR%E0xC4NFRgN%NkNrSS&kWK6>to#!rCxj_j#A zmeH*>z1Fsvz}r1b`W#dOUtigzf+^&cNbmM=h+&D|V_$~$i{G^U3F?HxxxCdn=U>Sy zVrHcCnfGVHZ;`S5HDjV>w06y@X4XKfsOejRh^z|O$FW^APm{Ibz0OugB+`$|0&Ci# zkCj%xZsC?ARNe5+8Ar&<>yA zV0k|7bq8({5-(<#@{)Kh1lz>UPHU>rtL&KD@P;QajUW(F^1d8zA=)Z4DVFKIK0=TF zp;>&$&V$5;8Q0UFRpU+j3v4@q*=Jyt?C-7MrNBb%&r@QooTzIO^m}D9d4iC@mPvyc zCiQb7+fZo2sF`S{*b6kJ?&M2n0ex7DXtZ~AInh4v*Yg*!5+3)>YK9$#(V(txUa$J? 
zVtK+P$o{3x?Db6u$tk!uu%BKdIK%LN*l6kW6e)N7kmFJq^;OqM=L2BezBO>#D3-Vf zfhLEV{(Nx%Fkg0V!#9EGa#wj2hv4uj^d~f;ccto5!Zvjw?${u%>DU0ypD*Wb=N$Qq zdRA4TrdgUrGD^;@s>%aa0<(yGS|@a=5RMVdm1hC_IhLm4J_I z%;+rkAE0mz#6k^#!g?}aKJk%=wY*5j&^ifN`dK9n)hmPaeabA6U!r#Iy`%H*(Sfn+ zO*e$10;9R@ANM{FR88UyQoIYRUuRvGZjLI^Gp{F)r2zW;F-55fb8-7Ux(@A;5(@q$=ugJd3Khgs+KO$a%Ul ztk^WZoXw@D;SuJaU&c$fw{+0)LVQ^?@T#RF4dG|f(rD{tX%uvaeh=R@&~i2}!Wbte zD!W+U@M}<%XM3)27A^<-=n*i!U|)>wFM;wR2ne%!8MBA1hH8SQ%WLuHGLOptfxIU)QI%^|E5&x*8=RW>>Ps8m?ex)f67RY3rRf}}txO;)D z+qyppQ_xU6he!ow>gTJxm=d7{L-RgeO}&iI*AS|%a-vy`?~j1N5tufeOwY||fN@a` ztp2(>D%Tq})@`23M1JS(q#v8H0Ex-DphB|+5_@ileCyd+4)-&sf4#s{>JvOVYNr23 zL9-UK%8xQ~l|PwsWtQX_;}vxZRWa1Js{QHZROP$n9n#!x%{JEK3UdDb@laBlYDEbm zxaYcbo^(p*qcl1V@2wX54!C^($K?gt2Vp}`hgK@i9zG<}eD-kHf^-*YJPcBl!OpNi zutVWyc_T+Z6*wF7?Q7uj@=-0HLXq;-Igaw^s2${f1nHfb=yf_2WCZy@dWXe?+O8Tz z`&6r>WJ=r`P8by?xUrUF7o_LI;VPeVs6qk?B9PE`YBKY)4qij+fC1exT}~N?UMOTd zg+9VG9>!SCsv^DL2VL6usg4=&2upE8POGH3SWB7(LZOu@QX^mB`t@^kOsBAA<55%-L}g-V|s?aI;cJWwZA82^09EE`$FAJ z>`oU1N8+_F6JLJLT5v3UzcstC+N4^1I5cQtr}X`Xe`Y8mXe!xwVFxdBH~_;}A1-v@ zN7G5w;it`C3fx8pj|Y~V^1$1;WKBy~fB8HtKO$>Z;PFQ26~K|xj(M;B6Mw$fNa$5i z0{2r63ZZXbZ?E(%+Cul<7KAEv!m6P~_glBNYpI}*$R7~G17@7r$PzXE0QNou^Mq}$ zahrMD@B_?8~ghq$03m&Jt5pE{k6~I?%idA zl=ljzZcspDu{hLl z=^av5cSo_Q69c8KnAPwsSUSP=?aqsdC7)`y-vBkQTq{(5ZLuEj2{S)@cd%5{L}U{w zZ$8NG2^|-32(x;~wtKE$0ytaQApgui&#xZX z->A_XrW{bK>|Lwug(m}7;hD{T%_>DMQ=U^qUJ~2Zpvm*adU}B0=|De@d3_kJ*ToG3 zT-H*K!&dTTsYn9WKYI>IehMW;U0U{CX`BrR@OyveO5&%+JnOswzeQ0s#@C$Lz>V;5 zRsp|z_02`H;*m|U5)Rk=rlESG0wnF+eM#-e$*%_6u5tpEZG{wLyAu0|z+hFij3z$o z7aF%#OAZAbVKfRiY7TgJ3ea1tG$(-7-|ajVZq`e|@SJs}C(}xIZh9S<`j)BJ>{Fvu zl{_n>=&K>G2$9o4+geFMnZ>D{LwvPIxoVI8)l6?Rujc5sDDE3av)VV|;XArI#?X^h z*&n|nX#25}Fmt)B&5 zU!UJ9d-6C(SAPqz5?s4QFDEXExyKu9;|nD3n3vzSS>r)&g=?O(SnG?E%G%X~TZ)y# zKaelGz3EMPZb-3^`5chnv5iz#U(u5qZ{yRu>Gdk!-_-z8K7=*28;LVm+%L*;Fh`F5(Gk#EdQ8;J=%StIIzD3j0w}Zm zJP(%oH8*s$ijY(A>9U>3<5=Q=uE?mAr~A)uvoTJ}wJwwIFHWrft}Q$=N_cZKn|mWD 
zB_0CwX5{Cc(}j-oPIN2wUlWlD>}j_V#Qb~?nL&ofWnI0dBd#4dau&O!(x_ECH;^-n z(};e+2mqFOrtG{#Y$QQ}!SSPVefXJXW}&REEf|yjBM{d-Zltuo-=aE64ok`4nd5eX zf|evuOnW@i*6+a?W#J_Wk+iIE?zygbV?Z7GBEZ+c#b_zPN+gGIdXdS7g`wykI1OMr zK0+`1DrM|8uCQWQBd`Er+VPniZIdiX`Jj?jQ>9*hwJ?&Pvd*y;+MD+upS|}B5Dqh4 zEQBQt_vhZp+YAeDxI!q0a2bsUL`A9DRW{vpUb#pJjyPFZl#f_4 z;H2w8YLG`OWKbsa0vx=l@H4tW zkxbv3_~*M_Xu|fJ9qmML5&5#)WLgW%t1+XAt3>w|4Q)sG zq`KkiHfCDsJ#mJR8(eF`EL&bY=G;>Dpj0$dd8HS&O?$lF2(W#K=j_C~cbd!yJ)zs) zVEQ&4O`fVf*U#n;6m&NiNy}VWM<=YC``TwqiW+l}6$ZDc0rBQVB98v!VkFffb7dYs z$&XZnmYq8Goscz?vKHNUbprV3esj(9-gfFF%bJO?NFz zdJFxaGRiUr@;&W8eV}%3H7@*%gl->d@eqvKqUPzO)m~t^>nGzCN?goawJ=KqIjxVi z1kYYmD-;GgDgEh^H^wuk_`;-l=K|i9JT>uph(2cujZC8UliX4~?Rw3?kMO=D3K0s{ z24kP>TAe8*sBrTr7~54W8y$~M36jQU2Vu{>2WJlrW`IkjR`S*(Pt_24^azXeM3}vs ztSE#7HZ5dCV<{@Hu_dbneA*6ZSt0#M7^lkvDfAka;ndowr`Nh;6u#{$<-uoZb!$SO zs|H3IbyE>Dgs34BjD6wtmLXKW2*J+cYEMuX6En z57scv()9~Zn21oC_QaTG54*?{92j+<{>ji+nV<9T4TQ0soi*OHs2{o>~t9eY(bSs#0;;geHM zLwX~=8Xhi>JoKRby$W8$aVw)V0BI|@xDYHE5VJ749s9>>;q0PGJEmxJD+iP%Yrp2J zY^6EtAZbpK0M}H0#(JFR@j~Y1APwUVhg*J+>qNcW_jX>2p{85kUK1Ch7cvV5`YLU( z@e&X1ZaDD~5Xsz1Rt=4%8<-(ygR&MaM2i47L)Fv&4*g zzuAR>$y1f3hWOd+!qDSAeliK=D`gl)ZX62(N(2kUK)~pyvO}hCHan(6znfL&t5RVT zV4!4bwn!?|jC;MQ7ZKA&nf*Pzx??)BkCeR(QidGQ%B$e=oyR`Mu5}%Hr2dIx4tq}v z1XLJRjHQgDZcb%^%zxA~4w9o29Kw_{A{aEL=XRnw^=a0KpMQ2n=*W&%*ov@sDh{aY ztq3{gfaLWv(1)9Q)?t#ZrWf-aReO?aGWg=nONR;LpW`O7WI7$<@ri%EL23diYiMOq zLq%c!g9GULy)dDm8`)dwrsySi`KS*4I4=|MCq^8@yoKo)9hzeszy zBuBdNFLq&0M2nv4=~8%)&$Y=(V-!d3PZVdNRjomyIfrok{!*BCR2Lmr zL1_b`J8OaFl9w7KtrOW2o%MP2=di++57{P*A6ah$=R{TJ?r&Lmf|q&yO`chX)k%1P zq;Al29tezF-n`5sq9Kk~4!HEkfbp*zcZOhBOBl2Q+FspQgX(vFPx2>-LnH0vu5st*d% zoVhsaep~Q$eofk-lbVYO6ap5Xzj!WnDO;y{a3rv>yk}ICmLaP{T}RZmh18~d8cd8F zzLI6my(A_ajIMeWC$xQd?e)`HBC8G3UxG$|GQiCaaOa=iFT^k;cHIUv?OHZVlM7Qk zr{|*_k!Tx=jlcGiYJ=yzW3hSAg|cV6a(}Wc9Z~Fn(?njbm-E04si4QNb8Ngy8si_0 zhg_hZ8lj*PUae#6w>|w^l65MAMq5*N%IXb%V-48P!y@WQtShePOtYVqu6+Aq9t(u9 z?%f6zn{ULbVOM}aHq$0-vpy@IF@)TFLnu~_Zf&x^YwO;Z{-$Z8f-~BC+y3Y{p+?4P 
z9R~!m#crd(uk`?g>5??p5JXMKH#!hpF{80SjW*?iwfX&YtR^6g{2`+QTxF#VGulMAv^{H8}(Xe!E9G;7++J*eYSOkBG4 zq^(8=oFvGs0<-ODhC3Riu8U4be+8LSfQ@`&QlG9-=hR`ey7Dg@S)PWELH zfJjUJ$}cB`969L*|BcNLxtuskV68}0epXb&an}KS<7fr>r24W%cb$U1FDurlB8MSO zfqtdwkB~K9`&0`eh~o_;eCZ5h$QJ+pcdn|ogB|}(Dc3j{BCPS4{$s|O38EiW=OMsfvBy_R`6N!O$v6*%7!s&=lB?~ zyd<}>>3MtujxGrDv?579b;P-$6(9w~GHz?@@yL9imo}MgokEX*lN| zX8?}wjQyJ5&^Y`HBX$AF1)R*r%NarBX8kN{ve!Eb+->z>-E4qva~B!MbksZ?<1{0* zjb7!LDvaq!K*A&%T}_POgEPk8U^n+~|JXHFaO$#b^A|sVkK%G+J(+GBYot1)GWMsf zwJnG$t+LVuyZLvgpV6Wwo}W$|J)t+s<2Q#wVP$&X z`hIKzgwqWF(=V6}`h=1Y9deVN8M-5v^#0Zcth!m;ZVpFEDKXfdEnwxmX{xK(>#>@T znQ5um%bjpl$jjYkJ=6`s~Y>_`sjuRf-#wV zx6)tUP8CyKDedk}w_iN>*SE6rtoq*qAyrx29Ir&@J?`x<4l)({46-emL>031ZX*b= zqTnC%!SvanBGT-WMgcLw>C?@11r>DndFrpUmI~VOT{V_9LZ}_ocD+3aGuTxGA~Vr^ zN*LA{G?5W+rv$cMj?J!8eHDt1!#f=c$j=5s?yOs<4HA8I|P&H{`O_EMvLg$mZQRMsOlf32n zbA>xb=&$Rcv7*!!IM;?`DlpkrEG*O+Wh*SZEoA*|cS(u-71sI$xGw#p&0Ie&G2n$c z+grMGvLX<`Um}rNVaEpj?*iRc>ufvh(C`WF+J|2&cV~zgQRd8CF$J0!JpM0m z!H>P?up%x>;8tgslPK5h+MuC)N*UuzBBgP`zpGUSY-R^rw^#vg_+#{#YpWD)3DOMS zJ}9Vt$LGNMWVnZyro5t|Q)>mCdv}9+!Wtb8yMU4c=;E~C#j7|kKX~9t-oTSfxw{jm z;TLIA8iW0bDTthNDJW)nq|T8JmJ9c!mP8U>_}mZ;ng2uKeX>vENxAYXgPO_;^RJ=L zoL_tO187OCxv|81Iq(giZlG6!?zY{9NO1RgsY-F4Oh>d96}#Spq_(-56p0bxhccMH zc>h|pz<~^4(-3=hQA=^^`g3*2#d5|(zt{_F4Y479s;OunHded$_JJO$(uCa8|f{qnIpN?H$8sJ7X7n*@b@23S5j&7Q@fj7cAaq|QB17XP9%HX zjE)vCIP9OM5-QnR7dkQ!G_wlu9#$sV0 zIy;P7+(hc25-J!kz9L)mOw|l2^`m_PXVsIoqlp5D5O_AQ;?y$fZh*}i#1`-_GrL7N4 zywsXF{TW;l1Z~fH$$V45Vq`t8^YlD}F-|8I-`Mlqc~WJcHm@db_HG~D@#fh zC=0}f8<|h_o4Ut1x-oW+{VqG0E)p&7_e=6O(B-J5jvU6+Io3UxupwQEezG2_$C5tPWee6Z&7IarzH^}>c^>k^(>M`8W(7xd`d1y#aadm*X z+nRXTuGpW$1+02W@y{kL69T711fhJr&0e1@2{)6IeYTV(9PD5Buh&x6w@Wc-wE%-j z1V+-uHvV&0h3}V>!9cEOY9pcQIyR`m)GgHItd%WM7rpVe+T%rK{{UV9=mS>RAvuV|~b0q0yBv6&_VNi`N$xwZ8!(XOO92Kwq z*N3-j`9Dgd&41v8zdOgoXdWod+IF}A3qkt^hg{vf%_DLZIUp2res}8ZaQjteY^ma# zs%fK(uWu?J4i<)ubi;;UOexL}@Er;SA}-a>Be6+ay!V)Q4dl>|hv zi_VjIBi_yfYY4w0l~uUXjpL5r*%8))pF4e=`43C_DJxmccy|(^trzPt$kp*cK5_8? 
z9nRu}>uX~y=JE-aY3V`@j-;$YLJhsK+!UGUH$S!pnb|>hc4B9S)SFT`1yf zjN7eG650or*Vuv58G*n>_fg>(`d58F`wsD4eyn(s81PZ95o}I}wwzpf|Ng^h#G746 z*9(cI8N^70N>A!|wtN53`od2mwh77Hl2jm{eCi`jeDm=iOUPvY5X45f;PVdqIu8tP zV+L-s?H2ET{#@(hEdH6Rt)Zgq6z{c~WyX~sqke{ETY#)iP+TN;GQX1P$KJB=D4l-F zaVKK%crX+%`UB(Zu~6pYLF7l;GTA>*v`&wj6f4LM2ZmJFwq+o*Km zIJ9%ez(spr|EW`UeesQ-4HY*|B}mmQkDjHknxn_;VOC*7eQy7N<%c!i_SO888NXZW z0T4en)>Es~TvA$;6fqxy(v;1F-cARbPg|1KePmK}8)gG)_?G;34bW36PgSHW#7~uz z#lx)6dGGHO0;wo{Z2rYYXJ1tXUo32E@MUr(Nd91`W!KN69d!}jvk*v(GRfs7@#;(Nsp~&u+M@4tb2Ka{$ zsXYOM|_^Ozc5um?MIxy(Nvk$(=;vi9_vR=4cuTR(!y*;?>7brY>|( z2+ph7G!ori=Nby&w#BKzEkB3C$E}`xkZ-gp>uJCF&FpPh^xyD@FM*`Snft(794{_D zmwRFPGfWFV{iFR*d+sGsiwfnMlN@^;7Qr1sg)OZYT-oVsSGvcAJ7Gi|zAf~zUeeds zRZkHm?}6?`s7V7M`DHSN4EKezQXM}DZei}4e>3&i5L2O#{s~IoIGIuQ$HRw?1!gM| zW5Q;Y?{hv{v3GJlWvyTri+#Vqc3+zS-ZlFP{cACS;wAhnVl*{$2>%=!DM;z{R%hSY}~FN6Ro> zy*Ex<;3CS#6JwSI2;_kUOjkb2f$j}Z|Izc(Ecbp)o*dnXLh)HED>sLY3zr1qhO~WX zn{~#Cp`%OKgH#>M+^|rjKmes!)qCx!y%5K^8|rf`Wudr$s_I57S7OOkg??!dJ-d(^ zpt5w?c&U5k)DwH5KWk&zv{}@pv@IIv!HKEA2S!J2g)k*7Wxm-nkEYGig(v}Yv^043 z$TQ#xgu4J`LOs2`Na_jIf~0u3s|u+OkHE9T?B~vLn3Nr5S8k17b_}!)PRAIqx0B=& zrc7hYNde{~RpX2x2w-j&nvUZ5|C>qm8Uv4rXC72!nFp1@h0==k)2v#I*)F9rs5Jg4 zv!og25!~pb|3v)LMUFSOMbXbV+JT~ZxHo7@i_+Z&q&>Xpg(i3?^~-dnOL#fkJ%%~G zqi^U7OBN6fc)~3r5axq!sbC*VxLV`2+)|4MKc+&&hd!uOz8%uSs zJ>7NMFU63z6|Xcm#C*;>;^4VhUVbspf>@I;dm7pyJ*2HuRybinu=1R%Z^^PmR-W;y z8y2ap+?Cxu;f#6Ue`bs}e-+prPg3ygyj*r`A$5Q)ZsFbec%^?pp4(;xKe`=(;=?J^ zSPvz#iPq+JYWtfPK~(?KFXKc&SA9crI-E-Q`+}>hsuz6BnmeXdUBedKJgR-nqX=bw z&Hwi6jZR1WsS!Z1MLc5Lq9P#99NL-f-*3j(gN3mZ^q6fqfF{-GH_2Yj-*R?cz|YnR z61(D1me2a~dwq+Je@&96?bIKnt+x>9_A%)ES$d&CG*d@oedkL5jA~bWPVR`(=XkHB zBki*>vm?YOW1WF5)LIWJ%t*{Fv)ydP&OELGjyw5=OSBQ@zQnkbirWtb z_vDjRkRE_*Wxk~%k?2;2{Q3fe?cQ8(l9pbpe5Dk?%=r^%9R!ywqFS^@`Z>E=VCU;? 
zczS}F7%ugUYcpg@%rtI%2-Lq=%UB*J#XWEymg|q*T2IZ?_P><0-nvNK3Dz4CdxFgR zRUE7}+c{5NQBO(eq0GfAqcC*P(a4WXSO}157$dYVfRDR5py^CYMfQ0zT-EnT5~$LSE!BlU^vRbG+QXkl2bD#<|Bd@lk*A4WTAj3qxBbHgVvl{ zmlZ1D;_l&(l^9n4*;HPpGlv`8!XBSzf4(MRFo#*~a13lgI0fArQs!1M_X1dUAY)(K zYOrTYx@MTH9AMh|Sw*63?xGv}6^!}9``y!(!GSxoTA^eiT>R?4Pq&FRm%Nj+z|SCP z+MQlVMIguWcsF>;Y)~0xg=Ru_X4KUBC>=AntBjzniodY^f-Ipkx>@tDA6ttfiF{cZ zR8!!@5S_}`4K3WafR4}ptde+DJKJ%el5|c8q(t4S0%xsL(n`}|q{Ic7F?BUVE>Xga zYd{-%Yi>>`8cB;rvE)s?fMFUJXezSE^`L8cQ|G~05wND5->;k7UGZWZC)`p$tECSI zZWVpa>@N}1rH=UBa_v7{yuAXY9Z{7qU!v?9K^Vvl7)j$VXdWImpLQnt5S?`~P?!2y zeQb$xp=#5Uf5Je2757LWQ7Tpj=j1txS8H7V7pUKZ;K#;pPGE>enfxJAHNasxe@h!I zAXc;O&{8JgWF*>yD)gbPH8m}|H8HH1J0&#y>E~Fuh26E4zRU;N-Q?d}Hks9kS-_CZ zw#WiA8v2xRCF>YKbw?^%^H^Ke(X z%K?CX;L2-tPCi*Zo$gnbiq*1)x@lk>>!;@t#g?U9L3sPhlYjjmEiWx@DMUetQ+a~n zd0`c<%}A_jcOU`*Sl=nu@Dh~>3VDcP91m?tCerm^G?Fw+C*t^Tjoww*Ft)X;?u(PT#|cDyeYxKG z#qDf0X?SGS?x->r@X-zh8q;z-CW#Kti#?# zn(&kSnylQ0dzDQ2-Rn&1gNiw!)2`%h=yV~$)z)WuuxWQwMXJBhDq?I%0WIW=)nTz4 zCO@3~E7ZoI+SH0l&H;QK!*u&eD?=;DSni7?tT}l`;1)1sa)w7l+&nH*2$#Xx-*ZGI z2^Yl}ueFpOdySx(?r+x8iqW#AkKAATY>YsNsQ@1PZ8go+8MDcw~rcKOd8FN&j`HwCZbvOs&6#Ielkyb zH--V;dwzf5kGnPGza|osa4P53)ss3)h6bH#N#EK$xsvKNMR-<>`2XxeBN=0Z$yH#mqc`CeyKUf9YMUEtPW22 za{JF|)&(J|=m*Uem(b{$yaQJ+=)5|mw!x3uRaF^mNaSgrUKMo+|6}f&N+dE@G--A! 
zckAk2o!6&wzwuyya8%_nA21^Fn3YZaMgLyk`ul{D;&XUR-v3I1uh_ZZA z|0BtnreqMb1ceUUEopWeG>L}|PTZuutR8A3aD;y@@ z@f%+f6-NPCz#vmn9q0~X!sk3xRG1s4Fv@-UEGAc76bsn5d{7rr+U_83V3h5O9t(hx zQ+!jQMtZYWanvR>d!rH99%j(ugm8b6|zPj?R_q4v6Vwc;g9d6J}e2jPDZz^y1CHQXr zQV(4NCg)ah7`yFpCzDX}B-FNXF_aIgf22bT5|(;ohpd)u*SyFYhj@j?H|fr@Q_4Xv z)+AabYjJ_7KD)eeEX{y$0Zhg|FlA9xreHkpVE##Vp9~1gv274p^$2>m{MnKI&o8#g z<-z-AlO?W~XaCxsBL_5(dG^deG!j_dl#3Rb0$;#-pyX(DFhwfcWs}QxP)crogo&MJ zK-%cm(stlPTZqWs^2AVx*pc#^Jw^f+laRzbh?zoiv&BxNj%8~PZ{{V0z6LzoAYP0H z-qDx>!RKae%D`l~gwP2a<5`3l0c`taf^2)Gl{Zn^LKJ9H%iKShznEynd?(`nwe1P} z%n~qahO%M*!Y?n-H*61H0IuT1qM|!k&zT*ejd=DdUTKP%H_7TNcWG3~0v&eVEc7Cc z-C~sk+sjiM__*I6-k@(Q^9Dwt|DV<>Q9al>%93JX4{%P^^?PZ*QTF1VQJ%~`#Q;~o;d|_ zkxDU_QVSk=*uR{c)c)b8aQ2Z&=lx7+N7yprNowCT7v#FZ@+o@;NV$za-~aZ)j+p>*kpAL851RJHcdS8nPqv z*val~s;*ZaH9{WroAT_}#{);tsUFb>tSusvUMYNh*bq5>m%JoU<_%kE_~U2KY#gs_={nyA=iX^HK(ZR zxsT5P8*JGko^R35f4q}(e6aGtyXWXQcS^kR7Z;7(nDIeabQFlo=UbfeDAe zTgMOT9NDtVUS)HADH%3~@4I_%$Ge?*y1XZ)N@Tq`h;RF{T>81eTYIAoS)m^L3`$R& zI?LyKL3ICZF}qZq!}hot;QBS~%8|LE5vSwNuNg((Qz6ZqeK66|M0ZdK4#`bT^uKU3 zE81|_2;?`LkSK5b0SR>)jR7*|Zr?LW_@Q~R{%v?Y(WN*h;iyVdZ<( zX6r^f%?!F@30Ie;0JhTZVP3^qr1U!L!2G?gj@XWRLq`=SYMXS`<0c|dwYNX$VPJ(! 
z4(MXJw_LgRH)dt5Yv{Y!fdWK@z*yr41?2}HPKZ>XJ#A_dxrQahPb6V}_Lo{9%YT$=?Tic3EnAN$WZ=oB7OhW)E0DmAj`S{rXVCzcKY2ziT7JSVyZMR}2s|Ex^X6biuN{@u@!1o5yXzJd~ z@#o=q91?gd$J+njd%f~Hl=t9)-QKxG&8LJvZz`qj(R=@1Vm_PyduhQze=qlcHCra$ zbGjk6d*%OcUE~nPpTC!TI}($e&i|2V6FAZG{?ML1UFY}gIsKpScmKWI%S^;LUHl{S zzrB0={;!#p;-F(X-k;_3i(bMJl-$7w6g8MEzCZ@SuIppWGEBSu_ D5Hd^X delta 14953 zcmZ8|3p~@`|9_?1CrK)o-1g~y5z009N>Su~S?-lj?z3Fx&N~%~*r!|;LK0(Rqqz>7 zLUI>ob6vvN7_mkhv;Wlp|NDKv|M%muw|Vb%&Uw9G=kEglbd=vV( zzuk|&Fa14O@U1=arl!Wf{}_hEZA968gpcY@Tzr8S@3_-)B2+!T1sNmOZoI8p*r?fX zpya6WDQWLJ@>hDolMWAiwwx@#F4HD-SNyhWPxgk~LY4NcY=ipub98h~-0L^N2%k%5 ze<6HXDRJZmP&JfuZx=C@yX(IdR@&L>zwhOcJYZ$oeDO$}K(ENGBA2%PE+E^egTjx6 zT5J9tgR~a?)t>IppC}C(@7M_n>ZzmZO=k25ddoIwyMMeVq^~_!&2k=rH5gaEu~uGt z8)tFtoiJ_avf@SE@f62n#FhhI8AYb3?Qw_B&i!?B;ra{X_pc83$JB>xJ9{gCmxx?M z#~~v?*j`ZCR%^`+6f~A2BIck*IOI@F7+U|@RhUnK`&>vpYC;- z*J$P|SNcrtCU~28+$mYO#L)6^crQp^(;^_f@aTziCmbs7ndVAHRd97HJXn%%HBiGE zd@;$B-G2$UypUALrMigqK0@tB_{OzG99e`*v6jY0o@f|^u!a8HKsezY#NCIs`c|U% zAl=w<+culWJGMz}OLg^<2AJbO>UT=|H(t%B5Q{E~n7#O14Ssy0_|>3w`;mUUpGC{& znSYD#XFXN>mt^3|bN%c6wGNh9yV=xu`1j|p143ud)IEz_aiz;1_zpK%6g7}FNT2au z8E6g(-B?6hAP1&2v2Gx6UPr>lFCYG$#kA73goKUvo2(zp?B!)k8gPU6Hi79ItzG42 zFr7UP2Dt7#+`>f%W>VlwgEVS1JD=Nr`|BpXa(uxgt_>+D`-3$aSkGUs$9lM_8~o~| zO(AV~Psjjw%6+q9!!mbswOIb`CX4-G+JIL<(M_wL@*rl*cCbU;8ov_TUzE5S6m8}Z zp&cMNn6IxD1B~#ct+hW5b zH}9#Nb@Db7e7=OsD~Wj(@! 
z)aguX>!(8bK{jvnOV03otkdQs7di0GZTHvpCt);&&P-{X zKUAkXB$i7ZRBV$|O<#O)aBcYSspd(S&p&eGf`8=Wyjhy+OaqFn+%t#u1kQqT zkVf>3V}^JAiTjs)H`P3QH#JBXp8(&O7rWhN7l!kYYZkJ%S$ni2Hzm2ff^Wv!k*ks# z$1iugQ5L}0?V%@pWfnQ=4f;@Rwvog%fZVVEbQgd(vWzy{>{NducjeWHoGCL0%|J{P zQ?+wF?Ra50wE01h`JPr8^*Oo)G$vd-?J(b_j(e|OD|ho3_kC`~J2JX+FI4BmLJziN z2Y-h-=&^8Z^xnS+XP)g0D{}>O{xVv>mdw>;dm6Jcnl$Hr{Y4<|SC0;PjW7l%!LMmr z_Nuez?Pqb;JaC_=tNLpaK_%$+UaGFXzb3jtAG~|UK1V^+z(QiCL>uiN0xE3EZBx(d z7T(Z(l$S7@H{a{g`F{9u?DtuNrQ6>TM=Ka^QLB<1iI~MaU{km62Wv@DJ233=FHWzH zv44%RfAh=c-e{Q=*%dVf#u9TqRFQs62a{P#6_Fpgt zh*GXGfli{e%fJ*Bc|77qpQwdt#C!hAiP7=k4_fJ>pQfH5K%lfX(mmE4dPHl*!O)QjzW$>z^wRM@mVz>L{QyKo0Oa>H_H-+KfkqpV!PQtT<1-S`n(Q&WifbO9~A(b9gSuuV&ii*5=OqI_#Ch&UF0wOtROywaUTR( zK9SRCv*XRfImf`+R<3fx3r=ie5gQWzrZf=t;)W~eCdP=uGypj1+!FbfaT@|tub}eW z&Ya9Tf{N7Z4{M~u(o_i$*ktK%nBAjRm zs zb@-WxJ!airn-v!-L-a{l6B*apz1RbKbqz(H2uI-bYqv+P3lZAg00eth-IGDdqDvKJ zfcfr-q6c&zpT@w`5WAdvSnPql){k#L>PeYQ9=_C|vmhnp9$!C@zi|it+D)m^AgQw% zBt3TqW^~z3xbaAWEx#lNGxWi+lvr#U>&`^3yv_J!#naOpG;Lr#OCAw9pu<)sIx$7z zL@>5`qlD8=(0>F_iLWF+7z>AgJJrzeZ{w(hik$7jIR0PoD9X@QUnRkkx(_hRxfVLh5>AOn6V8aE`x(j*oa5sbX=hegB zNQ**y19XU9X$IDQrdoFz$-6r8mw(uEcCV`e4QbIv2HLn;hMmOeXO02wVs55nGkK=! 
z&Y-24Xb*aqeVvw*kI|yJ`hbg!qd#_^85!IfLDNDH`zSJ1x8%-UJ$=P9uf)f@S;ma* zMC6#Os(HP)Ux#yg$D^-~c*pPNMmF|sF58-?kiiO!r*?`r&; zXNLIr?Pk`g@h_~AD<^_WGalT*q>nlhE+9wziZFgFF#Ulde90_2Q$NSNP%Dfow-#Yn z@cwM($?-TnnW}QnwL27{CxmWN``towKx5rdy)+M`pU95S5BQ9kZ*V2U!vnk|ETZWT zFXW}9qTSEInO_I9o0J1TNe7FfakM=L!tQntG=Ii~Yh!*L*DU2Q^_44U!Z8QN`Tbc{ z%1RqOs%~zBn#Kwj%wC0`_^I91Up~}XRcOYt2G5QbVoFj=@m)3hn^ijQJ9NDVG6AYw z4NmQrb=vJ$i~WPfie@}{)1bS3Uj?@}J^i+1>I~+r=#18YJ)fh5Ho~f!n0$ESrw&QBByFlY%?+&h3iISGig7AqPvxf7RH~@FF@rG zn(Yl@5#G7pbJhBt>f|4?-Ia>z)%6&RLub10uqo2HKEAdA<~(uooXP21q2V$G88rd$ z8NG{hzf2jivHG^N=94O%VoWM&F3&C^=7MM{>NU#V--U~g`3Y1Gq7Z?lrhrccM$;fC z^htLc67{|Y$kLt8=Gr*zw7+*SX%7UVX}6bW85{OGI8YhKSPisuNG-$nHIL5>fyygJOgUU-+WOZ(|_)yQ)_!wn7Rg@Jcp{l}@j& z+-Pa?Ysj2#ZT6_KO2Vyq7_wiHI!Dq-^+)ZNHySJireu_N`ebafy4O;J%2<^SdJtB# zT?ES#k_or7c9*7ZR)!Z3WHhL@lhEgS29^^Tj9WPq7V8FY+`hSoTT0$k0MsMYbMX-o zXW>3CHp0dh0;>|H*#%hRDD~xetqK2_c66xId+l57XNqKC?@BGi=y_<< zmMVPt`ij0)bk5rQlpAud)p;SvTzBiuDR0&t6Bg(|H@^vEu{4)F&NdrkcRPjhK%Eaf zEnJ`nd|uUzk~zj~K-m*;)zsyf>C`{h(GmDq*Zf!^WInD;T-CQMbLcjCg~8|zB8OBc z!J5U^>et2tbaZrXCBC}VKR#S$rBe@s=S1J_Th>``x&qiFRXJv|V|RVrG^~mSXY)40 zhP%xlgu-pWp=_m?5wHyYwXl9JnPV;Yn)~qpb(!u5U9tC@1PUjcgk>lv=PZI2PG4;k zcbn$-pAKkF70zzKKpN&1Kj@3)V$WFty(%W(ghwF zQ5YoL?HwBFuRvtEX1IFaMyN)si?8jHS=;sM$f;D|eZBJKg4JEK^6Q_P-cGH>#l|Yt z9XoSS)U9W;mG-Na3PGuylnw2R#`i>kF8>?LUL32PpbJzOE1wYc;W+!?upkYPs1FS_ zL&5}w9bS!}ZS>aDsm;AbOYW;MXVN=X{cLbQ3kx$bj)R;L7axpOmTBWd#pa(a?1gU; zr-55mD!1_S;kHw=3-UR6hEGzwc(T&(I(Fr*L34fU*O{D+GV>*$bKqUELFYUH%eJ!q zn5v`=vQ555Y(oh~R{OzgR4I$wJUtacEJexMojUF&zv7a^$!^IZ$_Ae)9;)2!OOXjmO zo$6>>g#|PI4zEq!9isw~ku20rS@ob33>$81tt=2=Xj3=&; z(Q#)XT87Oz%J!~Om7%dfU}NJm@G+9xYD}SP4StbQ+Q~hSGI#9Bep#zHM^Vxa{spZ* zLw^8Zsg$#c#z*EgH4`TuvI9C(sSThxih807c@N$Q99MV#=dg7)e(|=dh-X=NVWYK9 zGybB9ua9HV3FaQ{kmPs2$6wxETXJy>9P>5*YMWd1{^Xzefd8#XZGH9d>ujT-ajgu{ z;HMr?C#^fdE?n21SJ02Vz4^8}wKUv<%PnIDt|%2NiA`t%>8Xr9blC%&?oR8<(lbzfCosrkC03ulnw5o<0|x!F$6TQ%_MjX{xW&L67D zmq}S{5YbymLPEm*B4JtZ=IK_})W4c17E*6yYCe`cW19XW4TGL3n(_8PE%%i;6ZPd{-Y{c3=G|nmOOIUfh 
zc%THO#&#Wiqf6R#(}7<~aHg+*a%MLTj)#~{8RO<{!B;HW8Y{I*6z8=iwV{4&n?Y|f zj%N)?W30?l{9d+M^B_xTRL{UIxlbH-{0iZmo76qfV&6vN8)drY>g4x;R&IB6Z748a z>wg(PKab=N{9t=>F}WMXIR@ZN=)CBP9GsbZdg(4@-wPG!&UqrvZn1PowL9>FjjCBA z$#$D<=2tl}24Fq>6 zkz%XWspvz!{svZOT6oh2A5h~EGT?oLBO31Bv zcXnO1eOeJ3@i_vYn+S2#*7)|v{cdQXwu6brLW_NG-6dw44o=Q?1Dql0&Tb5*oM5}+ zHTtknGjN)Hb3A3TFLpAbp@M%1es&1DNNkC8oz7d!zNXU~XlG}Mu=IsJL%>@>l~G`4 zMY{m+tXj2-Cx;$jM1w8OA&uqEhAs<|@s3$GunMB{Y>@_Oe7Mv(BHkr&3BjOTeg5j* zKd*ujwBiFMJb5`FO#pcgStlaSticdf_#UdkAjn2x6;fcsZk}B#%I(FhH`ClXKYTt| zilVVB114Gq!W?vai?`H)|EMb+`M4H`|A~bL1--tIr!P-xwvefv`|Q!44}R>+`K)p4 zw=vCDTGz>gd9T_*gQQ;s{8YKUI?9{feQ9I>QU$yRCJf{%&r4+I)D|f^4^ZZxsX(8) zez3!kI;w&o+Ui4Db#Lmj>Rn5O@8KSr!B$=9rpr&}1S7GpbfnxCcKb%yVhdv6u5E&t zE~UpFd%P01*izz~NHY7kXCBuPVj$mB_QDQapgj;XVi1j?-YM=(vSTkbpwP}d`aNJ} z`Nz*Yvm1y!3HRPFlpmLa7n~RCE68G^=LCj_wLEb4vprc|xLVRxgS4=FTpDwAec8r= z8b^D(8BHABEVYBcXT_bz^G;LM`Bqe%k@KL2l8>M5^~`ypr;chj zJ2+0?SdL#o4&+B&#`>@UcHk0rReM%^Xt4!~e#rR;M%fG6RWM8UKRxq+T>?ZF>)YjP zq~fm^ucm+B(E5ef!H--?nHlIib2@k-Pd2MCwqrDzmm20=5fj8exp)kim09uyt*yVq z!EH6qg^i&v-gF3g=l& zzlXnZ9>3mHyxW*3FOnkgrQtnBYL`2Z!By4Yf0%8nDfe@Hmh~zYfs{Y-%BS%0xID?)x&eCPN_i$Cqb|J+ATOyPpc0Zyf0AyA0^8iD`64CTRkVC?CCI z;+Px5>8AW(zaH^r2;odA3t|O0LGzdbUi_`YTW0;w_E|)L=d_Y zEDKTgb&l<`qpyx+!`H#7M0L$Oja)hivovZyE^=M*DZ?g~?P50M!-4j8uX5fy4vdd} z1m{Uj@W?i7tM3sLjG+3Fa~Vih@_p{w-(Qlt!*yOt8fXArB4z`f=gI@z$+Gfbzp*j( zHH*f9F>IwBAUjhh<;wF|)3>b~(OCTs^6zi>`(AyMYqil_VUIJmOV5eCzjqa-u*}WU zC6_ilL@t`Rm6=uC9TLoEUG6H&Y|RDhrAVC~V+9C^SKp=4)~18Aq17lHukb}WIB&3o ze+#(*D2u+78D`YuTnXpi)jgbRP#oeMH0KF}p=r-MWh1-dUFCD9pbJXPClZsh>pNX_ z+YpTNyh;PUyFy4xu;@2DV_def{8>c~S}Z~tyC?vx^$u-cP7q3 z0{7vdjCK7~h{UDppnL)PN-h_NC{4*Toecqjxm$z`-+klqmfaiqsF72R+76NgOD{0vkG_8P^A`INwcTdg{pZH ztKG%$6$;OEZ=>|>-2bKO zOJs!P+;QHy*%|n!uZLG1RlCzm!hM^EGD7Z^9QhlJgf7Q-?+$s9|2v6-8KB&|YK;XA zymcSqH609C->u>Dm5Abgw3q?d!h@vAysQV2uDS_k;RFbH6OKF-2=O~6qiwA#N~K(j z7kKNM?=gi?_9)42_BnumCP6-4{p={^c)Y-29b1A!>FI@NU(@IrFCRPFNZ?FemP^{| z$jVBIXM4D2^|L=ZR9!~h5a^KfTZiwK?j%4@&du>TqUJfOa$`ep*UWS<=h+>n8|cn4 
zWFWg?e|1j{NzMqg)@H`b+#eo(A58i7abTsPLIKzhKda%txUc?{sJ@=dgOA^Le2yun zo%%~yYW<`1$6X6%>`yLbmBSwxpi6pa?)_KSa4=Oj?SU%X1;2pp?gmmOzwx`Nfcx=9 zqGy|@r@z<>l>>n~J=r*hQ-@E6a=1ZG0!sf@)jU9WY(Dt?@#ozY zK)&P?VeaS6i@NV9wRHvyt)e-?Yc1%EU-_j<_U4Y!y+4_>dqLVU;~Rc;$}vNXU(4#M zAp&b1+p?B+i${-29-U^LO*hZa>vp3IA6?T7h=Ui^$+- zTMA~1?iX`YkJc!ho3c{`xZKY8T5HTJnwTiIX9n4Tcj2r=O-Zwt5cBirj{+kf!)0aa z<6UKy)@7XVKc3y6qGe#5dZrKx%kP|LEk;vA!mRlL7g}Ahq2ni*rLct^hM6)#E_aI% zk&BLQJ~JqSXZpNXt`<&BC(jHq;C;_2;}@nn*5&Tm-!w-V0B7t_UHrOBLv8MLmHx#R z(m9tf@+|@#W>uAv>*~yfVzR9nZvGN@E_|wvWvkaY5I>};@mQqsZ)d9JYV4#~>u0&8 ze>5Ya(cX=lBmF*^ou;zHXOt#$m9)A`eYZ4JbD}(s6cx>K9aUY%2Lnxcy(58&zTR}x z-Zbn;Me2Uw_k2oe*(&Fs&wASJ@w?@4Eqk)RaH*F!AF@TJe#EevzW1QltNdcZhmwz{ zko2LfV$)tnb~0$T=Hq+|;1q))Y@g0oY9R4c*a^kGnh!1;RAU6`KLQz-{f`W#LPO0) zNPR_SedtH6z;=Wxr;vYXC+;J#TG*PD4?H{&6fU{^Q1aud=9a#j_Lo~xcNFy?j$yeS zJQ7in<=pr!-CfJ3s!!HJ>Am~9%x`}izR_jHgwpgzr~-W}lJ<)%)5acHyPO@oHO)~y z&avQ}1iaCg`712=lR>zj5{K9Tw+F6TkyJ1r9+8T;89z7r&*1=6K{14jJSo#e?POv%Ps`xd(hqBQA)}su;quVE+@2! zXNNWvjQ@~-B^hT=EvY}S=CNiqqK;1pYxI3h@ezzadmNb=xn&k2Nc9pZq#R?K|;CBZsN*6dXyCN$`wj7ik7XGZ=LUa_G0_UIvD~)YWw991m z5pFI759F}X3X>if*}+?0!MWEPHUuA4;jh&5)0l8so;(VrxLkc?eR6*~r7e^j&KRC7;bv5T4+rFZS|sFuJFsA*8L~DR&`RTz76}Z;Gi3denL?%T zL6CsluI{sahSgABevFJ9%qbHd-Lw?25VDlkj&g7Y#?14)g9>@xnq|Vq2NyVZ|77R@ z`+y22R>$9S{!_KV76Ch?j$-yU7>`l~*jkN=J*MvrtgT=;IR476xS0x{X{K$jO80{1bzyc4U0m}ZL|)d8}a)}2-(GyBi%zkXT-la z39p_yU^dqT`;r{}T#(apu#I^xeB3X#+t*&$_>A{jvp;{ze0@f;j2rn*^S+s%t6D|) z*B081pts=x+TGx|Y#=g=sg==@+f_x&nz%iHD1_YBBdcb74;9IxH2g^~HM6a{lW2Nb zk_o%zcschCg!AwQu(1=4>tJ74bK<-aY zyIf2#X30mx1^JlUXCWb;Z#L4^b$R9d=ZP=*hx;bh^>8bzm?T7O82voH-+3E4(Mf&D7QSdQ9V65ykaJNoe5&lTd!VIG@lFF;+{s*O5f1p&|00DBX9hA2UqC*Rsi3I zVeh~wQceGmw|08f>^D)6)7>sj()1oLfC~ENYxY3j6+YGXba}a9pqEm4W)r?b>yYTV z>P0S$NYSw@<0zSUzlejpl&HS(uB$Az`erX{zb7qXB*JAp`OAP{9#R$vp-Es|dHnu^ zL^SzR_02Q^@%q00+zX$iN?`G;gqGUeFSC1h-`1}l+V9e`5lX)>XMW!^udbx|E54#x z46abUNSXY#T$P1O*r?>b&mr#w`q7b6IgnjW5>~Y2yFst$GpfGo0~ewpK1G*UYEYDh 
zR5QEu6K-%9&9O8kSim|dP(D1{Vx8=bsxCOLc{vDp%Z+N4?=f+JX4Hgl`NI|dDw2rD z4Gb&$b3eGue>OMP#Zd6>$SGV>s@w8C?BX&^KI`}sjYji84jmYaspyoRDl&QzLhBVkI!{=#OV6>_*366@i%5%dJ61YucCDCQ1qUu)a=IZA!D?%N9r*2La;cpw%T5b z)};iV|4_a^K+JvZ?>`x1O96gQS!A#%Aei#MvkUinMt#U3{J3->p!>eTx4uiFrNc7y zJC`S>B%f0Wjd z>r-SSJ&Q$#B5;K?iHsRahRXXT^mo_M(7SsBE_H-z z$q_fopF`)oc4ttNfwCw8Zo}H_31WGr9PxRvNUkMq=!!+2ucNPTnSFjuzuk(DPEm#q zzR&^P&o08KE3!*!$dWP=r1!jp36lUwyBq& zg)V#(%(=?yLw>kuN4xoqr{#u+QY$v4{(lm9dnhzz=%(^(oiA& z2s%9~{_~LDpU|8zs#)mD3?Gae z)^+1 zQwm$-=b=3ri^+fsbj$uhfM9<54E&&h?bx zc$J#?#l2n`rsQfl2osZ$Rd;@0x2mbr06CX=0X@2}ekJ?5K1;?(`aBh)oMd!U!kN>heY?Sv~Bk@n>35w15FIA9mm z+4h+rNd5Ktz_cSq6}k3DF$kHglAb(Af;Hc}RIx2fBHk|TJL2;w1^io2r(nc%F+pWr zKKg-Rq}9(kAo6ofWBo!$FQe%|cAL$(7rS8%=N*sb`z7)wH!zk#sB}qrjekVsB%?jL z2^HeP@UzuW|JFnL`!=~@V}!7(5m|V7Lpc#8w(%krxCjC^&;RMt1|v3jcx?_VE$Gq} zX{q9xhTIe%2R*&pn>gnXC1oP<{pFS8pOgyoJ=<;sy90;ht^BB11A437)9xE*gPeeH z@uRIOHHxtIIcbl4b88>Hna}6RfjYfxc2{6dVVH2$Vr|ZES-~~~J2h0@7lLun*S@#F z6!@!Pb&|7ksw82PT%M?~d;L*-uJ^ZyrO*0*3ow>YCwfzxqvjUC?LRu_vQ~l}-R`%r zdNp%YXk6c>>fsQ&u*?jBW;7lkTg{ug`J&TtDi@%I^KnuBpZr08-V9{~Tc@netsWJ; z8A@7e4oYhGs-p7COAJm17X$j~&e2bim;mR^r#-?P}%?PF)Bs&X`A?{rskeo!kmFkW3z^@eVad; zm**3rtw6px&34cS_Ga~nNRj6X@-mP7{I*>a=q_@lvyiEUf%xEnLI-s^&9_XcEo^|) zvAWW5;lgrioQB4>KRklC0cyLzQbK(KfCO(eU13662PaErT%)&Js(ab&(o?1)4Wn&R z-#D#xvQ!9Bk3Fr&cNK16@peR465BINl%XY$*3`(=yK1KveHN6FF!g@JJ4iPNnrT@a zu)5BK83E_~_fqbv{Tx|#{PlV0xFBUC)K%Ra*@s`!8FKU9?2op<@A>L5PjPrESmdCd zagfQdicSpkC_`jrA~3Wva7ISGy+0-H-fa9Yb;uU$EvJ)Yxy5=%+j_o?hWES^u-;g9 zZ0ts}k>aN|R`{jgt;ZJ&(>Y_z-ZA$e;*>e%CxN&~Djiztr%v!e>DV)A>bf$q<|{0QaB&8*KX zx#y^&x2ye5&gGPK)t}e)U~td{-p8p#W_Bbn{gl)8WZxL4l3QX6+(;-`4gObqI~4|h z8|2ZN0@^}=Wn4&^H*jyn7XlGa@lf(isa6|L&(K-4EsF?3H9MWAEI;{;ROHp-6wtc7 zoWWMAJt`!`K`4~_Sn2ta^dRzs-W4_X*Vle>YR8q)@M0S5SgkbjEPSTfy>8vMh7Ief zwllmR?b4vLCKatzlR9MsOT;*eoklFa<8~0Tva}-spmyw*R}Qq=j)@Ha+<8^kzhy>( zLV>8Moe>&sN**^7pl@_g%~!_}#iftA9$;&Mk0zJ{d-BqKhno@Y32ZMy*K@%-Xq1KS+Sy#WWe1?lF&=5>5>m!8$2 z^}9PD-my=3hKAUwnN#y)6azu%>u9ct-a@pAT8s|R0-Su>7{@toTD7DlaAm 
zEmFFPQc>+Va_ zvTM%jn>;%7?)upZL%qvOmWTG#2U*e%z*-uN9p3(CivLY!0N8-y?(d3;@I!B(o)t4$ zusqzVlh*QabzfSYp`yr=mBjDqmF7PM(kEpjbTfNwaD^5sItIYoYl*BwNKE5f@YW$bwwY0sbLW)&351a}p_efC* zEjH)LKZyMu6xV1esEB&NRxCQ{d%@1L$4s6cs<%BHo$#vmj^d5XdfWUc_=hXMUGkWW z-BNJL3j2R+EZMet;FPz~;cM}Q6-H10y%!+-8)4)9Yy&zARob17fKFZc%j$R_Jm)2O;gkp z#UQmKz!_bt|H|3lpC? zd9k-p^F@sMi$jTF zO`lyNSbtQCaU?1b)=^oXtEA_>v-$K;{_1Dm8k0T>@WZ&P)QK=6e`?-Huvc7nuK444 z$d9A@H%Z{{6l`j*y(}|(yR*%%z1xp#x9}ez|!0b;WLZqk6F{f^#Sh*< zNd1Ig&4Xoht}!qfUfLr(oOe2}v)QAOlisVge#Z5yu<{(4N1Eeme&je^aMMpkg5|bD zQ(M8Hy-<}-E6F<(nyCw5J0MlhX(P_Wfl5p0d1;5t?d(0%X0Z<9=R)&3SOJ)!yfuWe zzMoRbG6}wtr{u60f_+7Wn^w_dpfUt2*syKg%7Z~M?0c>myFrF+@u02UhhM3aBlNX! zKGl);QV!Pi@g84l0T{DubLM{=UtFgDblr7~f2Z1Dzi0w)lA8cN``B@~z? zSB}eCxb09|9|&dp$@1HXjXX`B4BH??CU1CVSBzG*r@`e-Ivmazo|sL5%dp>7&p0*~ z(G{u$`87N*3ou}U<^h}8iJ8sd5d$?oyQC{=#gd1J$e-tJ4sN#1vzkC10|QgnTPwzL z7-zQFU=!YC@E6T9;*-uUzEPA7>mkn68Nu$~1riqWq%E22MAjR?<#5LzowwdPvoffj zY`_Ek_n{dw`1;3Yp>5kTQlC2<10X>omk(|#NK?C_ecWAlFx8v(|2y4pI$C!ttG@S> ztGoKE857@|i)5bn~Fka58+W$gz!S8N}& zRq;aA26+08dFt9VG{_BOg zu5NZ#sx@zeD2&>*e9Sp;8u$FGlgC)dp7cg3gyw{%G1eLCrYdS;xy>qi`cVEs#xXj`!5St`;u}4S04gv=eC8y zb}W9-la1eTYUcvhf&#>qmR1h>Za;Q>Q}^EHbMSn8rQCuzU7*$=7M`hv`9mbk*IL5ygh@WGe%Hp73ys;X^Klh303b z!j7rrCRk=z=?636sfR0UZRQfvfFcF(F^%K1;WtkrE?orcD%x2z*LeEIKEU~0ka}!b z{NuvF`5Zo3>ZXWaaasfO2qb!!nOm1(e@b}t+tEj-%BKrZRaZ~btG_DJ`-;D)J+oc1 z#Hrgw)P&X~TxPY}O1{8ppq{wgEU1veTv%D$Id?stm&B{H^w9Do#W;F>3iGE`~tx5hS_v=wlb(lkj((0Pgo!FGaezkiWWojz^_R+o8 zQG4RSm_6O~MS8G&M^seebyw4uRUE%7Dj535e(Iz1nVr|;4?VxPxiMG${Jp)h<2f=c zhUTGo)8Wv*YxJB()7Rehmko?u*2OBS`fY7VG4|FL`#*Qj#Yi~1Yid>E%(^SZeja(a z7GZH1TqYt(2?=pg&|m-mVjLIlBD!nm*1@>c7x!m=f5E}rySM*&Wb|O}&m$EN^X(%4 zbu=&fr4hua0GBzJ7vCMNjv|E@>d%Tvca|Nc|ab}#Ae^i)}|;cnc(z8r$Sm8~Hx2H$WUGjCSB_NKtYLaA~`oP12c zXlpEMY;j4|`-w{SU4N?9eE^HYureRvPwJ(_0 zabOvZ$=_)%|dsls(w1g!CiYJXgd_+{@%tTvj#?w&eG3dnI=*j!vhQt;GSkP1Fo~{hb)jy7Y|d`^h&Q@R>(AmJ+0@g_%ccDkLmi*1?EZk!vQvYK%a* zapTLq8#i#F$T^#{*c%&K7+!p`!LS3Wbz1=*;x%E8p50sCkglZmy6u3XQF$E2`FP%O 
zIXv1Vh>e<Al399vtH$e(WyP3w=f^HY+ z>tb=d+gq5%L^Oj%a*sTKX^{06-2;tiYIj2MIh2GMq-1m=%y1uOal2KP2Ual-NEoJk_FEn4nSEQ?sy z-q)lDTLGNtfj&Nn=mT=XnH3&G>L}0SC=+5N3VCWs6FI@N!d~EZPC!`!TA9rCM&wO zl1_L{7(le+Ewq$^Bs=Y2p0#vf2|d6aW3_st%yG-*Xs&%_ekm)=OW0%Q=iYYFZVmT> zQPzDv=?NgSDtH& zMgqcEFCoGh%zrpq-6f*>@fF;}(o*Cy{5x74+8Y@Nqv3Dh>N&&|{mpcTd=7XGP)N62 z-LtI)k(?O=5S;mu@MoCy%iF6Rd8;C8O1lEm!#!=ujBK2+`F?Z*3wWz>NeP^3D}(@6>` z@{`wTnoiRXRFkbVroGWJFyH@_`tG0s$KfC>w}Pdcv_pd#wLbpy2?=R|bB518#uq%& z^qXJ4G$il|B(MsuXxuc2B2hI;(2xun${^RhX{ewuVtiM|2d5O#xy|-)U2X)Y7f+00 z&Lw^`cye&tnT6{+J&(_OSa^iB_Nezuw5i7Aa#Zu9NOBV#7ZA(}rjVufhUbh5)@_94#&(-g zl7m_#8l#A%fT`bK#5?1DNaXTuFuE{rKHj4{W?#lm0z;GP> zUc-#hOO(%=5x@J%!kgm=KD_zyYZ_Kr zwj^Du#axM&Sk{}LBIEM-nHuJ-W6)ovx6jReqCvV>L+t;w1E*eMo%v?rje| z^_-nVJ+Mz^8#0XH?8@UOSTyl{LNlR=6UT}+v!zPj_)=$N%~d6)oHMrqbJom^gS$@> zNYqih^o==tyFWu0V>X4x*blewLBvzvWm?nN#zYdZ7JHWu>X`Wb*ybM+Wg!12dX~>{ zMDmR$AEo10>E)Pu)&5-F&obgQoBZm`)7JQ%NX=n(>}kOMird>rjG#Ark6C#hf;ktR zunE5v+`+wt@$S8h83t1C?SpTDW-F$R_)%TaLwCgNaXuaeM9403IFD=p_?k~?SldW1 zW7Kk*?S`GT0q`A;c-3=Lp}Sj;eB*s@G5wla&A6sY(U_GG_0-v;&S!ZmIZ>d&ot{us zMkMwDCEIo7Z=glDWQ4WnW`?WZ%ByVhy21WfM;6)2`tHhjA76JL-%D-UW(04b?2sJ1iUMaM3QRbPj6^u6YXCF$t4z2P}tB9EyI> zmosQrOj@{E7EE~<5KGXFnnVj`{m8+m7wcu>%NexK?N;wF5sC*8D>oi$ z#d0rHKv=FWVGQ0~u|f(rZm4C!-5|VJ!knyZ&FqW~4ejk%&VOC3V+|H|0Lkb~h)TH< zE@>V4voFUoN>0Mh;XgjoH-_s~>@{!myd~AAT+Zl9TRSn-db`aQR!p5HMiN%_Au*etb@h65 z_9yO*HH`)M^~WdM`VQdv81UlZ0?V}8G>GK{06NB8TJ+`ig6w9kdO$QhP7mZ)Z>{!n zYjr_Ir(k^#Hz$w!2EHMGs6%BC{gqh9-MB@;GaD_h8WPCC(4_x-%({JpPF{N607p|D zp9)}lHNn-X@SuD4)J4Ga#6o2aGrNSP;Rr!hISy}jtAz1d4X__(QVe8his zxBKX{!q^!&9jc@3z^#3XscjcKxxH9;G@Zu+1TcY4CztAWxAhN>x>QrnsuQ!oMPVaV zz@{N#@MCh1;YzP!(cT?*fQEV7264$!$de6B?U#JRloq2}ByuBu99FG1Ud5WbC6;@# z)mpe4^~hWz@v_cZxKrLVE#z=r!HF+x(3{L!Q>w5JgHq6Idl6c;wE(ChNvUXc;w^|F z%l?$BANgwmAE~wy>^5@`uzMj1_JTx1R8=7=1Fl<>irtK!&Hk^z zR#~8#H6jl&BQQ%gXp02Qm9)~7G3;#>D{c+8iUs*}j*A+2JTUK_l})gZe-f>@v|8jP zMB1d86yK{E5eYoA_L3I;qEKV!$rJDOf*hr!$b*zl zQl}u0MexSS61R~<8>(yBn);#Pj}{9zIRY%Fd$Habw`T8V-1ek?k318?cczP#IQt}N 
zF=^j>>O|z8WA@o?PhdPdxqaEOkNl)PKvk`oRvB2Nu*(#SxcMWNJ25T~wVLE&I+W@&r0@(dXsiDz>1-{Z^#DkT2%N4FD3%IuL-EV7B{xNl^b>xA!v+#ZG z-7kpKojNn1Y7dC+$61h$;41Ikm!K_>R4*iTNoen`c9_R9Z+-G(egilp#%Z@Tu@=|Fn?RO62x@%H7hH zAyCaJt-FxR$*z<~6~C63Df7aar}=4t<*9$4T&*=ig*4pAlCY2bY3f(9(Y90OD69H)+Wt&@#c%w*P1fs zOXdQ zw9+V#x>IVns2{cQ6gzGUtOi{J@n?XMTmT{m}{KqWG$bo z7$!W;-**5wrZ47yFRpO~vYN9er9W|xyvfvCDL#SxGzz~kJ_FxR7#Nx*5A>3VA@DDW z^%}>J^*Y?6b$Tl2Yz!Jr?5x&`%8yU4)8%Ik!%$4w&6vP_zM)3;wS5A&;n7CwX+hf3 zV)A77_U=^nK9F;WCowk+Bxc)KGgx%yZ1-YvV`$?0;nH@cXIar^;q)|dlnBZ+sc?#8 zg^fVN=1!mCqH(=2sjye=@o6)|7f^xC=`)h<=OH#_;uU})Zcq*%xxB)T>leC*MGZ%a zNx~BiHD;L>;tnijAs!FPrX^qWzEhxl+VIQ8UQa=W;1~C57gL zwj1K>-E&Tz?G#mhZjOKm=AAUYA@uSt+x>VfjE1@USe|V7m8*z{60RG|9{qH7Wrc}q zbo^H(|8MM10Tp>k@vjpyIT1E9fuS$pBH*Ox!cCNm%S+#a0@ZYnR2zxwGnuAMe+K<9 z?QWkFFJP=$CgJ60teQkFMO2%!#Rf^sRiTR5A~QA}@!Jnl2gbFwd@pf^BaWL7$6PbQ zScUo6d6&Dx)XJQJE9}|05jdvb2#d|*X{bQ7h=-LgYGP;Y1A8({ptC=)nd5tI<&ga8 z@Wa8)dK?L90XMmZ=?$hFfg{WDjh}E26zX{HM%jBy*kJ97~sy|22^5NL_xG`-?_oKgiTab0U?0COVi?Xe(9KBb3j8EJY>R!YG%Z*y&TLjg5`Hg z_Q9lLb8VwbD|h%YKfi5yN};mXvBsEug(pc=OjbX!gGx6-orboq+Zv;J*Eqy}d+y#{ z*}275W3lIMc~2phGDDvvXiS2_?~W@cnKjxt_MP5$&Mlj_E7mM(=pG^1$r2ru7l_KV zI0N>U#C_I=^rm<;Wg zpjY*`svrOx;6ouxyx{o?Yj=(A-R|v?=N?fIn~7SD6uD(i{gG*D59@@(JmwT38O<-1 zM@kP9;yk?ix}?gb(~h4l^QN*cAKZKhIIf0Na2~Vw%Ih6!VKmU*Jrl%SwUd+fSW}Oi zkKN}9T^wXQSSm{`|TSfIxJw(KKy#?n$f1#*=xOhNP2V@7ZbmK$C>E?eJy(<{qyGpDx^okAF`8e ztSO#PV)(7ZAw`x&`HuxcIko({4{Mra9YTEQ$C;|LPa!{SiG%IS#B@!%EhD+bIm z{P6P*Q@K-78g&*pX1c8^->KXM!K|h8j}UU?mogXhXgKTM@URKzihFcW$?wn(4{UOb zu^V@ZA>bPNFwARbC>$^7{++B#zcf*>)A?9w%=^3wMqc=g1h4KMIalRbBFuN@OnEg< zs-)>00qww`e4_VZyuL8bt8{HwB36wP`5PD623nB@Tg+IY*A=FZvsFbmaI`1R>B~`^ zcbRUwH_CFz+H6^jWNXO0hBarN43&s#10&puKLvC%cRv;%D-p|lr@i^=!veNi4{fuI z0p3NcqkZ7;#__;p%DvvxO9A<(?M=+M+xgVJJR4=~;;)Ik&wUu+cJlmL=VxRk*ov++ zo{cd(jFdD!Iey${HzE0*@a8MDi>?uzT9NqKwH1Brv6~%uz{+nPR3p2+(#R~( ztK+>SYu0*fep{GPy{hZz6x@k#T=Gc-H+iXpD^J39J7*Lmc*)Zq&c0u0* z@)j=SVOB-7l-%0!=}^VI!~otB0l=zbrx_(T^N!FOz&gzMhZpY|Mo^~W(^`JCWP5+3 
z?KZ!Y^{P+#g|uGSaShb0ciWcN5!2)=9}k|Q!OPjj%!g+L=8@R9)W$06=y}{a_tv-7 z)2p6CC@FNwkuv^hI?QM&M$3IGN)12e-aR!9)F7-xZ&Kgrf{b)&PQSXmsEG2noujVL z%Zs`j2;fV#kW?t{op(3`B@Hu*w~#~03Te4o1HL~%i4x4_rXfk3$~klRQ%M7@7O z>IJ`>+lW_D(GS3GPOWQ#F<~Sbp(jGhn-S(gr}Sa}nK9Y^CWarF4BW38?*lLq4l3N5 z$UsYHl3y%Sg~Y(2G%0=Z_BC+6h1o;5=X6x`Dttlrk4V}Q*pkX7EijQDoE?mv^!8s zqELN$k{PFHrWF8zPKt(hucx&WURej44smSdEgQ+H!fINWr|rjMG1HkPQ%yX(_G8+4 zF;Np}9Vstds-tprvC7My)N$?RsA(ny0NkSN8r;8b$$Cw8dZ=2~yT%Ppq||*2EeI&q zDtX)VFnP(r!=(3B^EcaLYUPQS1Sk zi6e7$9f>FQ&y%nqPZ$PHPWf8+>lo3qImiLCwflw@KOD_`0N*g->h>K&orRspH>l3$ z)5u{k9O;<#hd}~^Jfp)Z+?^!SLwfAY#^kuIg4eA-__Gvo*Dw{2pG+@MF$BJ~!B|^A z6gk3Njl|qMtB%f^(zL3WIN4%I6(1n!o@a@xt?)=_&UiTElBCV*FN@2!R&C-CSHk4z z$Z%WH2%sa#VLnx))mLr<3IF00V1~?6vVl}rS(?(Y@y-m{A2ON1GSqDRFoK<#Uy3Lt zbk)O)&exv2?UZoZ4%>P`XjdKWOQWs0rl(PcnVwX3-5}er zJ?K=D>j5jyn;+79ArA;US{Mog_QDdHm72(l4*Xo_E611zp1s&;opl|tXtZa~1wd$T zz9Xm)A`lqg56=g}0~%KVZt}8k(VaH4QKuBa_HNmlt%^GxxmDrwBWdvM;sBxZ=CuM} zWC*Cz>91^ZXAD90tO?nFmHqNDk>!YA=!)Y&#Ip#4Ri~*9Ru9?{hjG<4BOVbKO@3V zc|3)PItD<;YZ`3SF0m1P31J44xO|31LfLKeDt;z>h^>?Asn}$W(gHQdeM&DPk{a;2 zHRCJ!rKFa-C7@e@_=xiQqkRU~-I%aX;Stft09q6_YKI(2t#7B!4tidjsXDlOFDncV zY7j%Qs2|tc(C<lDfroDN%(`D3R6+W_(kZi?H#lkBUViTPS*-)>t=Jvo)6smUatC{p#z@F9!U zRk1e-qTVgQd|OGYcdVUJrkq3|!PlMmb-R1`5L;Y%3xDbO@F*YvGv=;wn^jFB1V;v= zIEdkROa_DXW~KZijw$l6V<{ZYRRAPw9t2d&?f&_&5E<6bhi^M42d0wbQo7MQ)X=wx zm+uPbuMN44004DKbbO{3nz*meH)8Q^<-@l}i>hf}9;p&bJ#~`(Ob_9$aTO6U9YL3* zvwklVAA~^T^nhG3CCQQ-xd~t-H!*j6;DcuffeM^)Fja55wjTTqDD%Al5;wE=*t#if zS08Z*L2K>hmm89*H5Mhtbw@{5DqgNHr8>GD%biL>S~446$$#ov7_hJ$+!P&{Mqk~St}+bI zn;xH)Uv+^5Kd zr?pYqs;UT#jyHF_(``w#7GTNF6F{LqE_U*0b*jqL1!6{(pszQ?Yx|^vJ;hFiu&Uh3 z`jtY@@dD>RW>Try4J_PQ&}ZspsN(W+@zXN+ zW9Z0Kcx}C1t&!EIAAsi*lFXa(l9Fb|vm3}sx%lD^_(zqgjc@zKo^y@ove%oE$Itdm zk!qHt30OEq4EME!!1{54iCT4%O1U))xeR3iQ&qowoGZVr%Chm}o+|wVsB_iEd7yCHH*B0*&M6av+B(~ zNCm+5Jbfj%swoYSwx$d_)X#T)GQluEu}xe8l2rC^V18ml{Z#Tj+pn^%rb=jvzm3OJ z$sMl@s^e{X?Ux{1zX+H^Kk8q>A^J(PI(za2OiKLr^Xdq3RrV zPLk?W6!v6@J9*-%m@LaTW1SO!nf8{cp9Aj-bk7_>7?5^ii67w#$$Q)? 
zN|mGMS!LDz_^?(+2sT|hNTmgaud=rpuDkG%K^c* zKh-VLz~`!3=#J(Qh#>64%*UpbLt~jm`~oZP<2U4!2a=iibRK6L@fQM(_z9=b=cPwoGb_RQod>tu_0FY-8|XJ?g@tJr*e z<7VaVZ5{R+v?}jK+_cjG-Bf_(OzICA4F`*Eju^-Mq8IGTl|%2Sv!Y_G$Mi;&d&;yb zd*iI^^^A1Lb9=ds=J(VfHY!2;fU1FHIa_36yYT!Zc>O{WrRUDYRpJe1m9^-%C~cW~ zw-~x6;uoh51p0;MKe7>A;1^>|WS6AExyTH~FUGh$HB!b;Dd<3h<(oXbW+&TV&n;0c zFEh7fvsVlx8*uo6nn{(U#p0#ir!rMZNX4ofjSt zJ&WX>V$h4)6!CR)MZDP}D#~86P9YvodRB#?*^!I+t>vDLD@XCoYJK!nUh^P*vSUHP zNqA8h8T2Y$FV`E>nw^hSyKrewon@^E zE_Y0Eub;81DA99OaEBQQ#m$!dcr(UiV=Td2eq3Oso>EFuJ1<+}kDdpvh$8hWCX|+K zj;H#;Wcfp9{b$;ys{T5`itLQA@>E^q_mbgd7QD(mAi$)U}6|Fz!A=a@2 zZ8Q;4q55iCg*;a3(tNwJ*2KDYE-CZnw!I{RwXSUh<4Ingl9sz3HH%*hxp!{s9tVF= z`%&XX=3FNwpRzYt&q&zSse90rIytt;2XV>Us+8h1?Jb&qkgqW+luup;Xus2N)3`c} z+dPsKBu^Gg)$Kxk8lDj#XB@Km+4hG!@&issn}t(y2N9h`x2WyMT5G1`PPv;xcdhon zJZ{(&iVTcwG%0%Eg2(hja#%2xZR>!)W7?%sS6w=))?d`(Nd+GZAjc`%!zFt|yIfKp zko5C;xg;g@=C?at{f@~2KGP4_(wp98@jV5zZ_LdPZ6+QV=+Fd^_1bxsE-W}vnx^B; zCcpxp%#KK8*?HG)QowAa1kTM}elr!Ay|yGU&;#~zA^z;_H1Zf30NenW66enCzZ$%m zm*V9K)H^g`rOA=g&ofp>+idg+Bd)8oO#!BR$_2XVkPjVO^?-7wX`eqeHm=y{m63%0 zas+nZ#^d@$m2sQ3=4*CXlM1umw=*N@@w8HLXvk|&pMZ0K9_Lb1hlpVp>mmcC>UBlN z71~14;vxgZ5R|+H^4u}c)}y1IEYAcCe{}wPKs0`w?nGQo$fmAKg86HZcBZL8xnuyiymnzA|xnhnb=KRDXotmRVG4c0X7fnR`rgI@XP&B{mSbevIrhzu5K0 zYnFds++c|BhFSaxwHPFHwq{l)F0Aqfxrfr^rr-iG#eDe|PO>euNqcC?*L=~h(A*2H zTPB4Wsh|0X4*mSU%n+B?Lj!X?4{Y$` zEHydrr(|`$BNpMI9}sr?T(c*}HLp%^LLJUqQz+=bibgv}_gM8gb?U<1uj5+9iFG}x zxec8hE#FGeRXl(p-@;5=1$g#*K$=nIKi{IN_x#%SL`5%5c!+f!?UW?HFNg-*)qt9L zdBh?*bf$x*Wc(4z2}Yyt7}h@MhHHbHv+u?5i6?lcQAlNEF50ptDA}3H%&8gIs#e)T z`M3|MGWy%6)p!niJCf|P9E+kt3vO2G6>yK3yukVCU5Xi0F0eht;5r8d4^*R=-hEao z(-5uoO_aYuJhqQ{p}{AFtgdpWF*W4$vB%mJse_c}3tAI(O!Pf6;^pxC2KZYIU>d$R z_~Kt?t;ZtROBwV@fb^{>2dN%MX9c*DaowV~1TQW*Uk$MLxfL0I)DarSWl!*nQ}^WD zi!29v)#SyOc``W-an?pE9>LMLZc;zpgDz7C=(2m8)7f{AO87Q~2!T=Ed6ij{u~ZWF z?UZThkgY^Bf+Fn ze-K!B2qQi3>Sz&2#YR|3?@Xs^*o|)^viuWvczZbr=ZiBmZO49J4iPyT9xwuv_pKs& z`|!dHfMa1x99~9Z$E{Nw^wZ;7Pq+D_dY{V39_L$>JM3qI`*C-P;^!_hw;LBtH{~Yw 
z;slnt-e^GLwEI?KaWDKNN9K4zIru^2o`$t!qZ}890&cm{B7Yr&2YlnaaPosbfkKB3uPHSDg-0EMjpmFoC0DPvEnx+#dHi8qqkF{eh1|sjU3xr3yDFwmk$Y=5rd^H4_WMdhphi?HC$+R{GL48I z{{;JKXpyPl3^kT;S(uUV@N-o~EnuowUWCu_Hrf#2Cf2nN4WCs@)za?7xtai66GJZI z0V-@_FZ9f_8j7iIbm27o2vDETh<@=!rn;~sh+#9Kwvb%l^Qq&s=1EK$iHMiKXIvDVPSeweAp8yP~2@5GZ@jXpXpJ;7Ra!?3P^-H$N8sG&W*r-$X2Y4qs{HT*ntY$o(bX;zfOC|48tK9a*!Z_y(0dE*A1N zWZ}gwi^jGvmj}px@pE2+*!ywvKA^tJ0_^?;&O@Aii*rit0}(mm9thtU7M*_>QBh?) z@o>%9?AT8y!L7BxDHYqb&@i^Lj6*i6wV}X0k|YFhaqmzg-&GB4NV9Q+epTD)L0mcW zRo2qQLhQ@{+&nO^QID&s~(a&z7d?{FiLL9J-X?*(+2PH{lXwYQFPdtn;7{nG<(+D%m-c@ z7&cl>N7@GrMBpHU!)^40p`^gNf?ha*&j+BVGOhwS7T^MvA~yxwGpbhqsm3CW8AE=# zK4z@7xzfXOqbxzorN`^Zm~}@?Za<&*hyA4FL^1Pm;w5kJc}`eYy_0N#cM1X9pK4BK z)3pH;>a;vGk_yA5`G9x;5^^E#uemyf%rsP-w8ShW1RH zTL)ky+Mes!__f%%V-4{YXvL=t#4lk@b^tZx;qkc0NacKug@xX$SEOW~r!T>}{z=pH zcQ@I@M)q!zm^d9P$qJ`+0Fwvo;xu==p0`j>oyv>~K##I#V-MwZ$>X@4oVdfj`85i+ zID|}fC(j6BGD8nfBG!GoQ)IShdH>=dJEA@%dxqbT z(ADAE;?OWbqcu{d{-|Ln*Uu5Ym(}>8OZ6b!9cE=tUQ;wdoqQHu%eKOT6DuQ2_dQcF zqx%sRR>GbYe8(0GZl-*sd>h)(UD#Tstz*>lBPBy}Mi#WnImdswqmvi#Yl##sLv{dTL*8enG1#fPj<_fy=d6fWZ^F;~umT z2?N+@Aqw4$)PPSllzwU#NaF-A$V77T%-tc6SICrwo}UXaG9@2pj6QijoH%JRKVKv z@1o1%d;KBr41g@v*i{aCDcpIsE7W11VCPc& z%(PNMQX_@{<@RHSCw`u}oTG)dzs+wf_YQ-< zH(R90_M~B6CG@a!%cL%{&D&BE_U%i6L>Kx>QyPgaw0}to5M#)6tvkA|TYatoc|^VA zGqYoz8c>p@tnChXYpHU=to!6uLNQ|*U?LmfQ9CWzG-m0TNXs{((Bz;osFt0OC;Rk< zaqb|G%mja{7cvJmbb~4kcuGg}+Hum!gO5~Rulpuxxa9EZTS{93ghB^a7K9}k-#!%5 z^qs0zcBiy)#mI4s>Zl?!`zL>@AXM@UpEUfu3JUtY>UPs;D$37WO*uH$yM_kHPjv?m|*z>s13}PZtT7pFJtv zC%7Bv-^X!K=*5aLCB!;WfKRBwJwc>|6;CfylZoy`(VzP6;x;^}{BGbW10No2pQ{Od znIs^^dhre+`!{C|aM$$gJ=(Ncxi8*;5Nqh`qw&vNJ^^a-wI*~E8mr6ZpG9paln-zE zIH&BZ2kqSos# zTR{nlA*RrlQ(@7qZ(}YzF@nB?#e|a{MHP1Ejp%oI;}%#5Ph;s-HkhMCslC2?&uUkO zAvJg#sz%|C@()as@7sEc;L==d0zH4Q>w=4nTQs4Yz@13HU8_cgR;%v*#!c>+PxDRy zwO+DMy8OWPwg%(-+w5Y(X>vt(SO#LYDD?SgOIUSONy+pQ^sEqfu1FKb zhPGmB+VOrv3Gnhu#n}a-JNz9SBK+lO{Om&nqc6Vl;8fXe{RYvt0zn<4eFmR2u&VILv<09fTX=r(>Fns`URsmquCQ?mrwpSGUD@sk 
zpnSw(AWtSl#i`0FI{v2iNlTKUB4W|QiLKIEEz)5>@Z0qdI3>9jR2zp_ABk`-uB2>? z<0!mUI7OME8;t<{nllJo=PW(ZG@tPZZ5 zodJ1|Hx$YVm~+cEO&H(7Mc{kD<>$hyTkqqI19h=6z}wa-m*qG`C-_53XqFvyG-IZJ z@=p{_)%$7(K5}jRgQj0=_KS2d1?p{DjG$8fjO%$l^oF+fSYEZenmZPUydp#ku`QH5E)dJDX1z(g-^BvR(LaDb@Vi6Q-@IN_Sf~Yn% za77kVSt+MG_^C)Pt~=kG)JVdWBA#5bF37yk6d~})?Pi3-qpH1Wim{8=C;Xmv-NWi@ z7`|lwqg#Ph_|KbDzQ6$MsQ#p0C&`BwJ2Z-c+A!iiNap3S0QvK=u_C1y%dh$_IWVb? zvOLwwBB@7(9Dyh0XMo=)_^wKF=f{NO0bDN-ADTaN+^F?#p8%0YWpYLMOG?FZk=;@}YRoJr~*vBwMwD3QfQaVK{IeGIZ z_poO_J;PZoTJpjm)@ ztRdz7$pXbduICd~$Uj+tJ==kO3}Y)_&I06JG5DV>z@D9Fp%{8iKckQOLinNuo(SW6R%yad!R+FBWC0Xy>|gsnLS-M&BvB}$rT-{pzEFyMS!u$B z(yuV3EB`2sJXiYhiqdcAN;A%tD*RC@ccB#JveLW@rQgmy_5I^%)Vb2)D@wc0m6o3? zRsW;Z@DVVQwKp|OmjDWhD4DDdhLUCf1H(`FzSB1@3SI4eH#aa=ig~{ zKd^rzEO4dz5+K9+ZunNjTpKmv6Zmw6CuKY)Ueuvam4A;gZpzO^b)IM-@**aX+FI$7!;|^);_0)atV%LT$QI-1&CDb z0Sq+nP{cpIdu8(@FIH8P?J*w59~ug4X|k16>zym}fj;`}eS6znAo6cz-w>(bz0Jt) zj0j;}kYCnYcWp?>ywKwkVi{}5&xJT?eX#mnABiAg|EUs{^bbbQ)q`WFKoa>U{F0>|@!sXIMQ$p-_41O6B|hH+~d@ zd9kBc@w0)!1bUspW7B^7f+2FQ__zts8J8F$2c1(+_8#v+VeCb)?NUX0dUntmmq~fy z)?C|fx1gl_+bx(CD7*@Z(2QljR17pGejrh#H)nlCQ~TFhC^pa<;Gy_c15k5}bJka| z{SshCeo+Gzn7?aaNa*gBjJEOEyt#E@?(>^-b9Wvz!1=erV?6n%ITAi7)Punuh^xYO z0sCBrO1pJ+;N_Ihw|zpn;Isn#Z%#|&W5m#3eUI;SC&(}FFtuD37cIT&|@ z@`BTA*nc=J!J`@W=n|)G=Ad)Vb0P@$J0~C{f9Q-WISG4okrRnOIU$?1hR(R06X=}t zMgc-P2Wfz(#ubDVb43%K9P@=wZOHu>y@^ro+8{PLsEgOl+5X?nLHp7WrDmbTr7DBw zL=f&GCuDze;_A}{b?{0~Brb9S_3XUQKywmiT|;&?C(t?PeFlow?>>VKi{(n6`L~=b z{0}*){$Fx(70K%$efc_&C*gcWla$R)^|?o3WQxr+;wx%Iw6~d z;`@K2zQ14>`Gtac$=%)=|GyKeBjQd0hxtl0ezS#kegveNs%WaWRU6rukmE0;hz zUqpj2ga}CgETY)U_@r>me1FQ@{gDVOth?R5^}CZ0x<>iFWe*S}e`b5p8$hWPQLh*Q#Z^z`$(X5BNreRBlqcU?ahx<^N-iG);* z_1d`gqOGGfh&=l2d*gQt`2gLbAml+_4+*9HQ8DQG*_8ZuVJzH=c-tJ&D51cr`h)U( z`Gyyj|AEN3g8i#^oZH9;+!_Y{F4E?{0pQIw$15g+c3-#i{$rxe<@4O#D<)6`Uc!g| zaZ(VTtQbz>ccVXgo$<054pa3F<*!u^fpYN03+X<@XlhA)Mf+Ao5A9@+?m+)kza1y_21Jy4X4pZ$72eBn(f63xh)YPZZagi6Wr)Hx5&jbc9fR&zBrnoRrt%#716p3jWo%oBLkO zU|-1>3IfB{JE&iOScm7_b}buFtCuNJ@;46lo 
zrny*_34W?x76T#u58QjKgu%nNTnW*{e<#G4ZVP%uLQ|Z%*yEqqPxfc%zWWwF&#x*j z$8+9&h=M?GeR1?S?*)o8&`NxRlK6`_>L~RtBTls6LTl+GoY8r6NA-(_vziizO}RKR!HWG23XI3k-f;XXc9}QaR_U-Q7snP@ z(|H6B>nquxi7v8_9V~v=@ZmopQ-$z+TfZqq8Ook;?yPxRYyZ3S=vSA@8C!x$@SaKA zbD0Y(A~bhZpG->>#D4Vz5*sVdIYx=APK2I2k^akx4X6`b53V?2 zCKm*iT$IAtyD-kI_ITVYK5)S#e|(ULAJFR#xYU;@d(I`lYUSY^Ww%Mm;*%>*o=bi? zNowPk!D}&`c&Rb5&Ovv-IO4y%f_WR%#;d<=lu7(}SGM@%oI51j;fv*JcK82j8?a~P zQuiD6e?#%_BcOAB)lH8Z+(xVy6A|5m%X6dksvOl&C)$z?FF1v&tgTn4lB z8kkVYA26*lcm@9xO#S}?bMG26_x@t$zl^xbOxJ5*!X%f#yz1t^ff;rUOqk>nm>t)^ zgi0=hc`eWZsN^!3*Lvm(RPqN*uMA#~{{++MKf%1lyS=}dxp#fURc3;(feDjb0`sby z{|08tH85e4OJMe10~0E_4Cb{!2cVM6U|#E)E0=oa_R9?3TmJyFTJ7GySfC36op`^QxQw2Il)~V8SGq!0fyRCRB16%xi&i zKqZ&Kyw)>`F7?c9;|yNP{{-{e_UrGhQSdcp2LHv(e;IL=nc~;Lgh?)edDYE-1M}TA zFkzBQV76TY6Dqk3=IUMq>kQ`C{J8Me#975<;Pt~(m8t&ffpLX?ppI*As7sL_oQA<=t{NtEa# z%IGyDo)#@iBnHvK2%g?ah+ZNHqmA$ogCSus!X+U7WkJeToYWYkLa`SB9yWukT^DkKwHZ4dXb(xE{3R(3iRfB~uGqFNO(FLo+bhzkfyH}|+Bu=?jh2+7@ZcyLE6&5Bw* z23vyLj38v?b%PdOMc^im_Y4T%efL49CnbUr;S)E@rvl}qA!;kgFu?}=ZKclQi3729 zPCF+Q(yVnYusI>iSz>@}i8lA-6!{5Em^10?qH_VZc}Y``C%f8UZPB(dg4_$SNZGt# zbY|Q-S6I3)eKdD1n({$&KvryAR{*F9bSxf8i@} zg3wLN%3@CM^!?5)|4ddsbp?w$#QB9ag)gU8RLK=;>3?-avdx`JxaQeo18=;&j9UHl zz|M2#tp)C?6%rR;4T~@WZNT^3k5;N$I;9sIUpXITyL4*8@Ma+phVad1&0B(}o@>lj zM-Ch3+#WOGEm0J(2uCo_?g3n199bUcR4I_{z9UK30wx^`{!VTP589Il*9azc-_@&K zRCpMe0ViCmU$^0MPrCfVD@a7PV<2=B4DBREH=dBnRdJox6CAKh%gE~kI2~xt{?_-2 ziS}^l;g_RTQ2EO-=-k-CmqUlcf#m62X|8rte4$CRtQLPb(#z}LLXrd<|*vsdqHj^X`EAE{_s0_&e1ttji?Gn(oR{Kq|Q^Xzk5y=4)&Lmk^=zFG=P8eoRs|Got$BD z&v!+D5q~|={~?m?3Q*g_W9*N@4fMm-i90z5FZyRnQezSfU+qsHKIY(`(DcXI_w>mh zE_Sazc2;!YZb>qxQ4lE)vArG`^X1fo#LR zA;TRCpI=}GeAGJ}PCyvTmT%X&rkcTnd@{pY)<_u4PYR|gL-vwF0}p$Zjz+UqmEJAt zn862wsHsK@TMVJJy5vgO5FY*kxKVQGFrjVT(pR)#YLE&SCfFh&-f*srDRfY#LjInEYke$?J6d4_Cq~*PN7|O6 z|28QJ(WXS&Zgkzr%tnZu)k=A?#aGS8FJMnp{cw+=W$1x#%0#6(!^srG$xiufUCB-N zxAy8MKIEr*4Vzp(icj$;VwfxKErY1H21_hM(}xthiRLZl=jrzDf;4}tM6wR5PGI2N zF2>p;5}<+XJd+r1kl{PuP&OT1$)hwqb*eF`P?V5mCN|UCyyuM=UACZ=QLsqqb2S|n 
zhO2d&EP||Kd*WbpA1kv2dzQ(~Q19*h7VBn3EBD5Yonw8(V4Z$Fx=2zl_`tx+%x#MI zc}`w$;*RT)0HSS!0 zhLyzN3Dy-WX?oZGZl9beCr$0nwCB>jyVyvm{srzp0do4sOSa@ygC8?9+{85<`S-I7=OpKU+KJ1N$PV3qQRi;A4XT` zEprF!IBE@fwKFNdMCP0rN~we|JwlUlb_f1qo?**VPUGP z#)%2lV%@fh4blBkI}08646qGQ%3I5Y+M!L>yW~TM`yvA8L1MyR86Z?wo_5KPu0%~d zrW0Kq2b6l?51Ay$vpa&=anAcypDLkq1=epP&*d>v)pXZNhbq?6g7cT#qiphnHawS7 zt15QXf-G5AdPg^p+mKfsWajUE0%@(qb=p--LITU55k#2@q<_~9^OUcqUx~VLO&kEA z{nM+~*DuJ!$@izxx{XaT{3h`9`frC^=Ye8o7t7d%P^q(pyxZoe>s0#oQ}?MyZ_0Oe zbUYdo(5Q6W@V~Sz7O1orCdCD=Mi`CylPgy-*w5Y+xTErUI;Fth;tEPMR+e_P|UrQ36rsqmwCet>8tk9A^*4$>>zWjD@lBvHOGTy;LKPWd-*k zBvQ!*o|E^Ur8B85EF-tJq^ymK@ZT_Qb(j3>of%i;`N!n}UavP6RYUD&nnn^1N}7Nx z<^Ijr!l$J_e&~=t<_W)S)m6safao+-d7?J<6n}BGi2*CPj*+-B^^xmq`F%;E&8lJM@KKU+ zT5)X6GR`T>C&JvSiQQ5IA4Au^>_F*W55R>4-% ztPFLI>Y#3TecOHM47ukLYzgr5vDb5A%GWd8LQp;Ps}Uvf<+O6vw!1uHz$;_#m-B{%({47l-g9$%fs;w25_&4>J@7VR_j2)| zuD3&%bu_$=&C=Wi&f@rTGJ}_vTcq;?)uod3Ws5=BO(p-hHbRI7D-Kq`zc_fj{axCN z{U&#b5CX5hD;$?<`!z3Fj`c|~tf7SU^xb&RE8dHS({@I^yXy0Mw&V2?HR54vHse-;-v$jk`U*V;2Cg;m zu)P!xu@N>a6FA7|!^wJEYO`H`kEOWuG(9-%$b4n`UcBVv^iI@mh%il!aDgjC~H@rqrj=@%2x5kXBZqV zfbol-hgp3`f?&yO^Dz8NxsPItx6(r8Exn(EL?PJzaTfLAWnP)Z_{mnG$n%rN>Z*J( zJj~i;lg7b3pSAXfV)4f6DFqR>e{@@`R21(&i!b?p!JfprjhixZNbUYy<%Oq>fkCLq zUdF_N&3NuEo_@oxk(Q*}pZXj5RCQ)w_0v{o*i2CPHS=q#W!YT4aZ8ovi9QfO1+b^$ ztTyUOyvPR-Np*|N^i1%lV12yMrpZX2ugxcv(q4Jt+#nM;zr9P}aZU~JTMRJ&!Cbz! 
z-wZQ@wg!+yvmtnWG*Bv!bydlElE5yGJ(JzhsI?j2MU+BjVs^&`;u-AYq z*rQjx#};8O^A=F!E_5H}{n}DkMn_e&Ksx0kW(Fv-w#VNu+70>KsOx)jXP-KCv&Fa0 zDS(<0LvmEvox^)q!y4foDWyXgnIEH`%*m~)*g7ed*)18~!|O5!@JuCQwtQ7M*<@yS;Zk4C4O=R%J^&4&4W96Tx>dco(G=}H_da*lQ8BB`2Z6-I=#8+API zIh+e=pT8<$p5Sf4w$In6Vz0E`P2WU-DxEb<90W<-q=Qhz*%UtX#G~8}!fO{oiK&S;!yK^r)l7fw!wJ z`T(>%H(tMiL*|)p0R2wh^~4N6M{QqkF)T=c6v21(`j5GE(*)f<oK>#afFfSXSBNkm&MznkW!ABTQ6Q`bDXNzK^HQPs#k}Wy1-q# z4IQP-sm0fxd!?9A6)yIY4>6pRvWjoJTRaBWrao#k3KfqZlfDX*{!~)Cra@R84u>I^ z%{zObfwn`?)X46gA(g+sYw;I$OKxKE-X~68e&od1Xm~;VoFIN+)1XIAzW06<@CVZ& z{cdsKNk;#)u>VFBnOksyZ2@I?7vIa?c<^_K4(`z7qBWJNbvciB9MjI$a3In00Rtqd z9koh+;_};aw6W#QCFw!nJKtiu0oP?@otaVA+r`J$!|R9TG_WocedSn7(P_iY+~TdW z6;J7Rm#;=?rYb+{vV#*>1-swXv$Y5ThnWn3nD_$dSUhxlSjldcjNYXw=4N`9bR$H2 zz%<3v@3r$bONjzJg^tV*JE13A)nW#aQtQK)doNXhOEMAJIzT~@ zlMqj{Py|dh(RtLmD3RHrn5;`4H=LmX<9iYEovOf~?J=rxS?SAR%IuX(rrnZZ!(d;P zZ%8-CZ+W*D)m;d<_lI!5*`st486^=ov35vE8Oi=Vc8T~=e{PXKa*X~jgy}5$Y~stx1OQMI_ZXsTL0x}b{Rg;VD<}W} literal 27553 zcmc$`by!qw+dirw3Q9;xg9?a(bV(~HAz{-YARPk&Lxa*?Dj+E#prq0aAyU#H%`glh z&CoN%FtFEv0gvzR`=0&oeeC^*!?EVL*L|JWd7W3>Yu4d?Mch*qCr+HeKk?WEq%Nyj zOXvk$eFFZS2mU<+8Qy;mva#dVx3S@Jva(bTQ$F{V=lt#cyK^w>Co30uFZQO5HM`0S z3q?GW0sHQ{J*o|dijVSyR8Y34*E2f``qgK8kT%PmC^;uvC)4wRMvj%%Or7y&hjTFb zkV!pD0bLXBQ%WWNj`&@M#bVJJ`bxoxYjfG9zOf1RG3LBiw_+^T!+ZxSnMy$0`gk?3 zcJS^W!&}mjZccC#0E%NDIO>NY93$@EY1CCI_A7^Mpc4Y`Tm zm310O%h{PEOk9$LF=}y1ZZq1bd^^j5uf6tVl_p?ONr^3;g8#cmxyLE_mnmoPM4goQ zgYt(?sBBA}ku_0abQjL_)BomY(AFSJQB&HPZ|K}>##DA8La3NR>Bd-X*>tm${P3V^ zJS}_{S+pm2;%zZsEvPBdOTae^G+ z&B>D6-qgs-=8Gc~u$<*s#iR^-WovqO8oq4I8 zG-K!KE;0pj_VVCfW7CReb)%M@I2%8PpF~7M66wRmq=6e2b_*n*8)c=Ib3XE$z-0=r z;i~b7t-)DV_I8Bt8nJJ_e9*HmnY&-^nY7(aAFM5l-3|D#a#c9&yj3hu=L?3-l|TWa zARnJIL_I1}8O82>nr9!pWsZ+r$Ve_9(SFLq_5QhAuijbFu!YBQikSCr_ms6WhdD)mdf3iJ}7KSi~Xg^+|!Audk^(gOAxH}lI;%JIMGavL{lLCOL2;ifRJf}|>zZqDAJ-)rS&-?t!@!)XqTSY6BcoJ{ zD@@Im>gT#IP3oLT@3<3n+b=<7<^1-G_4BOmDj^JfXD_Z?xoUvphlqj|x2`1aikNXA zuMU5`$}B;**3fwWYtwm2Hu51J&`VW*T<7hHhPla^%y3UB_q87ztNH8Y!c*4oOkclo 
z#qk{C6JvTj=-sY>GTP%dq0&mSrP> z?{q!zw38S<v#T6qvR`1G9}n01*Y8> zsoIWkHuWTs7TlXKoh0IiLYspY4!?tx%G`PV#I-9VZx)At+@@p5bxQX^5jRpWq@8SR ztcn*EkLQt?(>nR=4V}74yq0`uUpkZiNu!4k2TbV|eaJqaajJj5wWu;c)=6>a(u8x| za!6mq+?Q*a%I{r!nK(YYUU}9tudo<+K2c%8rb%p)8%b#>vhEzVN=e(i&7!RI0ZIL@lps>+DVUoLOE2T2DUVAnv znA>6PVT;SlSN>>{XhACqIW)CORO`p-&mXs?R0W+~w?9Xh=NNHWybV`v&1s?HKu5Fn zkxf^x(U9FG`SE&!A@YJG4r=e+Id3yIO3iBhxKmvT_cF(1>EBy<^Kaut*4}z?g-4k; zQJ-b{quke6o|Eriz0DTmteUWiAu>*Dn3#Bf1^;3>t^aomUSi+4gizIw*`*v&M`QiBiXo)tglQJE$p7O-Zg8}-#~G#U=$LrQ_DIajY&#KA8&Zt>g@+7Xy` zB&BZ2y+Dpj91x*sL5$ydYO^KCV$Qsp@=a@W--SE&Wbd{Eqm-xlorZP4H|H=LRaCPp znta{MawW}Ng8KGH8F!p~*xqiyv=q@lKLnCw9o@hA?SA&$hd0RHwT`fJ z*YWv!o;+VvZ9z`ECY@e*U|}@hQdDZ2-M-_0e%mTb)sVemacYp@HGFhJ@_97D_wGAj zkx1D#g*rD=h;kE0xo&Mu&4PyWwB1^5F+BSuSzy7T(KT zS47*pO-@K^zaCa|yP$bJ*E{#|jjA&4=r!&oBAjSv^=l3bQ!d#Lvtr_5UOm=*XC3mt zvlnsb7Q?Jut#e1+pV7))8#IfS$o&3+lKoC6#|=uc6uoS!k18K}?LW3_HknDrL1|U1 zw{&8Kr;0J$$6FX5*^DXt!HE-0SvV)C4_lZc=(&ZRsgaSr9rwYX!#-AJVF#5j$v~?K zJP~6zmV6h2e$VBediLf?*`8A!d84kEr|IOqN>YuwwNhJkFbgE|C$62)438)=ZC6SN z8-(ag$Xp>S4`^_s8dcien6ug3L^~?mRqiyQ9vg7A&1K@`&yWS!M+p~K zmuX?OCYN|d=hcGNSQ-7GA*i%Yy+r`m5L!z-f z@{!s+Dp@M7tlSKa3GPYi_H;h#u%X1XqVvo5o8uBml@RE){kwX9rff4MJn389MKLo}f$$KCh0d(@fs#S=}? 
zddvABi06VQp||8tj+H0KKWS>aq;xOVM##P6K5ac`&&oE%?)ZD)7tCK+ZyjgbKIt z)Y=K*Dhu5M{5v5XgnIWER)sh0METtma^>JWp<{$_o`rLlEwaDus0=37Wpm9XkZU|- zS^%Q$xMlC)xYu?~WN2@bBr}~)HD0VVQyBBTdZC)G4>h#_?IEdOZh~CUD-C7bUu%_; z8WmJqg&3nZ;}_7A_wvIKr1xg~NYV9Fl(RxYT;t+#!TT+*QjVPJ%prtVO4cLr1|?v&Xm?qHm!g73M# zGCu91mF&s!YB~dxTZvvbhtc1w`8ZGtdjAECs0eSw)4ex_EOLc;2xxMJUJ!UK<>Ag3 zK*Btc2;Z8e+vccbbj+6`7O32dmy__v{SmI0yfLCCv6(Wn;<6~yIgTV8ZXQQI*{ncx z*3#iv;IO{Dd*W3$!Orbz_k35Yq7M$#U1PgmBm<4{;O}loMX{LZ>iv738=K*DJI{7E z*q#VgRY(dg`*yP3^OQ7ODs>!S>WEqMluFpo1?~BFsZ`jUR*pZF7w&mBdDm+ERnyMa zs_vF{iOsbCX0CmN$DK9b8w|q~V0VZVK9f6ULv9~D(5T*Fb7xbb)i>PO5$W%!w!hpY z^yF;v-op3H{Yi(*ZkB!SZ5iR1QA?;Br`t;V*E5seTj)w%(NP5xf@F>uNk`0{_g1a> zxc4@94~cRfvS9zxMvbRI2O0QG!Pp77`@*2=`Mtrt1+lP!JquSbMdChDM?N%qxx$1I zmG5f2k@gz*0*R4UhNt;g0>qc-xPX}W0_KHYI_T!&dQI3&qU%)IXnASU)NrOuQI%v3 zBi{5jsK>UQDSxkI2lEkAw_Y_i5-=G*BYY>)eGh7R5BV|v)GpYuOhT8{zYgXIFF7Mt zlOhpom^f-Gnk2aM)D&tA*BvaL+~C%dy6aykvAEI#S@ar*19?u zK2nVQWd<@=~fcf*n1rk-E~ckPE%!$lHDS;rwk z$42x{i3fBs#LCXGax~dEJoNR3-aVHa^Df=VJ!v1{dIUKxH`ySUmZ7^aj`l7O5}~_2VAGxXo-}P9 zk&}J%<0GFQK8^-iGcnjlt&^h={C=UD+efzeS0NsqF9R5wQ>GS}8^fO;m4cG5W11!83#2ib8d zdlfanud=#3oK1pUg<-PM>qYHZOwUR_Ef}FV%;sqxn6nfFC8>nQe;Mx2E9OlQ6(ABG z5tBuL9Q~|7j;K4ljNRm%4)+`Sm~g?GS?J^OqIv&FC^}3sk1Lmit-L2Sm zbZ7gjAAo3k3Ua{4YReX_JXQmFr3jx9f%m*l{8o+$mm^-wvj-{_`n-R`nnTq_*4nfN ztraVs(lXipZeF_HFd>_$Br?Y!B6hu0qLbKLobdX70;_apRf$T>F6FmslMU{-C{PsN z1=qYtzND=JkCt~_(-O|IEoCCTVup`O$%9l+Dev?7^^699v zq6gIsx%z1cgVE5MPobzYHBS_BKcW(hONTTbCa$#?!J6MFr{8|4@XW;ss;O3j@lr#r zeX8DV(Y1C38!a$cJhuBh@?~e$q3?~FXyA_qoqh4VQBv^00vRPg!Jvg#RH2kK$J(jmX3 z8iF|Y*?4aCtegfJRT}rac^Tsguyks z*Oo_-6o9`|0R>6eF`f1!kINVzUg{4>cxosh1_JqdkXv%zYkNp+eC;x8)ZNQH*Qd;l zu5IEK_D+1_ig+L0X%c1jI%xazkG@RC)&*m(48v`A_W8Tt!SN1x{rlUkb)26*1kk=I zq&nM#u*{98bWY*#c*cIcPMM=;eslo-O^hQZVbHp|Y6CNW zFIA$v>){z!dXv6#RIn}M;1^2V?_tVWcG?iiQ`1}ML5~;=lbpBsh&WN=`bA=4Jtmm? 
zUe1DvJe@gDyDrY{Flh2^Hjy0?-z0KL$`9bMu@LTzp;BiLvUz{ejZ~YB%|ew_OohWv z6EDK{l>fjzy_%;R#dV4o`{ZA@@)LcQck5TGYk2F29(miCY0SUP0M~;T7ly{it0AGN z{Uojz;*(>Yamr;k;xB%t#gA6|8oCS>gAZzqj@m$($kHSUlCO@SA?}7^wJHLOO3=i% zD**?|YeJsXZ~4`=cBmeR6i>XmWaHdKcQbwPrZ4)OCPo)klUd#4s{NHqqI6&OxrXuD zIrld#{)G-R-A>6F*I_dzHNCn6D)GTpzH34LWMOu`nGl64=5aJCba;TBEvx&ZQ$xc}qzLuJoL$>iK zUiA?YVZZeC44dw9S8&eC+{lEXb@z?Ula&c zP9fR}l6_}?ePL!}L1UejiJv&K?`Bqh^rRKax=Ik$o!5S&x>#7~Wex9QMj&m|h&rmD zfA2RSO5JsxN@>NamtCWIV;j&T|%k<(I1No9$y%<8gj_ssx!p(C`Y z<@?#ohLd-?^LQO~DZVW+Yfrs6D9KSzta5#cQRleq)g}9Pz1-}3de2&ZLa3)9wiD;x z8xqONbuKKci``1U0#0iaVM*0D8jR4s-bBN8!`W|BgkOwKO~v%~CrUnp?3$q%b>5dc ztq7C+Sf|F2C6P0p;H6Kt+oz)5R28@xKs+;9%L+%)A(F3_{tuE%mIo7p`*vdfd72EElKa&M$SD_gW!R4j?yzC2xzNK^w- zA#V22KvjcK-0{XzIg|Adu*iJQdpIH0mnSZ+mD%~aY_xuvO|q$@BNTp_fiapG-gVX? zk9XRmOLbmDdVBn&s;xz3gurO{4e)qr(!GWCKLj$rNP^ zEXpy9tjsVKpT<1pH_*xPB{#b<0ey7ShEVPH8xWj9k|tbNutQ8bNC8PxwGcIru3MT^ zw#z3>tBV?P*(_svZr*_8kXOa6HG^fmsaK|^Enc|e2VE3TD?wCs8^^*t3Xxw`MFT%j z4&-0F7709E%23Tka-h!T>1jyzQ>FJ$?TL9CW$RIrX^#Jh{vm?FpAiwhA6qS)-app8 zowSEIWuGlow>pzhFp#T%-o8f`0=@dK{ezDAlC^UO-bPxl7-f5mLTz0+Iuhnzw<{1%2Y`|ihwl3JTf;V(8qMJI?R%^% z9)|%`+0iRPuhVd%!4JHL6UI%eB8L@}XU#_J%(a?2*E_^{n=xl2F+x zdBZJ@a6N-L5-?|Ja@B@Ea?8VUfBsRGa7VlZO(rZUgv1}^?n%4ZzB<@qEb>XoML<`~ zbn+uT3x})z6BXE?HMMW#CtD@BX{JjwsYVKDF;3M>uw!&2J~h0*@rj81U6wbuGh)j7 zKhmS|)TXX8DNgd~E#))a!Eh(ca(dT|@~14}!W=`M`i(0vMJ4g|Y+#wab?e70{E zfV_YB5(Yyr!ZV|FHDDF_XB3;=^ux(FtOw`zB1`6y(90#XHrMTNYT`dSEj?tHHmPdd z^m^3IN{<{Y9`Pti+iO;4={y&_u$j9flE5fqFp{)~u7t(Mg(UEOPxcRYY#d+OK_GKu zqr{aIOoQcsR-X8IU=dnBIpAj|>RJa=Pa$0@&0Vo^Oo4VNm!M=vh|GqUSXfgy85LL~ z&F+5x+yLb^4c3#4mc6UFly7!ABOz+%aj$O6-ZTBDdf%9$CkeBe-|$xNk1)IX8aXJ+ z`#+wR>v#rj%7VsxA$Cb~7vs~3gb5{&qPk_%DjTVvpWG!o?YyXIEd{+8{=vY}T@PeU zJE`*sP7hBEVnon|+*^)Y9}RUxcrsao_5@UPx49G(zz#Vef2j^JiJ-u`ruvslU_dvu zFl+0|VS;w6czzUJ9g&chp&R7N6;p0vust7S)`6~Dx+APlMO&_mVk zN^UU2mXK2aI_s$2kZJJdxQ)B(>mYvL&_)+5eD!5#gkvKSl-bp)h+G~fU{J2+Gdu) z!Uo-qElfY%1nN?(aZzHj(D0m~Y}CxXn1XJs{1=u6;2Gg&#F3BAhz>{QEaJ(zT8W^) 
zjEdzdtqnKdn}x{!5KJO!gmR>Q?-Do zW8?&vzUeA>x?OqwK^xO7{Qy2ej5*ghbyMCHs*qu_6#0NtNfNU;_I($%vRWqMRw+Rl z1_IqftxEmKl%f>UEXCqp08{j$JZ5(MmaUcQh7lHq*OzM5-cdZeWO+PU)7d$u637m`jB~a7n0k)&fsUP?^Tg4?a-iwl0>}%b81J zOP}w;L~Dk-2zZ9wPj0DR+`e^B`7XV^mxbFko)0%-Y`g#_XNFW(*w|R>yuHGNHx)_F zvC|hBGi!*P>tA$Xa)xFpUx9o96FM&U%Tko=Tp=7zW`|l0R~Ei{9_-z3d5CKy)upd_uUe zRxh8{)b8yd>B(Z*oC~cy9jt_dgAF6jB`48^N_^{N4uzob0oVu8D!Yn&Ygk69ciDgz zZ$d;wf7b`weYlmQVqT*&|dNx*M+c#VIkN0Jj z`8gG(qeHo!O|fX)orzAHN5sQ!mo-wX)Fegy8TNDw{l`M8%lmTMf=JE(cn2$M4okwXI+BKXYF0NW-7oXU-SdXOX0kZ|- zW6H6Q704r_r3RdDc`mJe5+Lh-PUqgY1@g@9Wp&=pl5KlQ?Lqhqn~-Jj`BVJ`U-DhGt)HPdI663(rXgHXkwIOLb4b0XoO@W? z8VN54q^|;l0AOB%cVX{KQXhRAV9^G+)RqhVrE68E+j4rk6%tUcRc<< zcsUf6m$%WZgh<{eU<`LVcExet;W5-q0J=`u2s zBq7e$s>cygpUsrpK&%-YnUjEL@rl7YHG{y)&=7>1){a~JX-GC@e3{mB`A#v7^K-LMCY8D8NWmb2QMf;UGi@4pjtn%<9yh7*Iz^@1F@7^2C%HXkfoc{_~Kah zV{I=8kG6?QvqyrqE;l!SHla2 zkk_7!2<{_SUtjJBr-PJxc)C~agPpAG1~F#Z@KH}EX@Pga1GlKSquvybO%!`6!#Ws* zWzk}V{MxRQbdkX6gxpUIWC#+1R+;+Pbu|PZK5gMD(yr_{SK$;B{yvgRU|5}k$OKoh z=KPSI*U~oiT5gPf^;lf>GI;%z9$!|LmSCZColW+1(U{15kD?kWB7{2=oYVP;a`ts! z0BhzO#T(BKIP+h$o2IK;85BhCOtyEIp$GSD;Q{?a13gJ9&k5qpv9WxVOV{_HtW;RG zP+}QLds_B~X43dTbUAN(;<9sUal@@goKa-h#?IBv*C)zt`cVgH>|EWZGHfwfZ~R)? 
zjGgoDN2<5*_IB*rg+Fhzr2OhV$r`()kB^XwwCIw}Cbj4g1X_v#PzX7eWOEZOg!~Pc ztwca^&+m#nuOQ%sy(6V+ZqeYG(6qj<)zKliI6O*cZ3>Y^6z>;q4li#v779mla4-l= zTs|DN={TA5*1cp$fYzKI-zhNS;aHO8Fl@L;UVAMx!}W*0Eor6a%6F8UyZU(;{PAj{ zb&>IMJbX8iTXVkOC`|S)Lafi~oYTX{Fh-udz5&|{jBG#NDXN*|P%T$zf6WcnX-hPL zI3&Ny@GBk=W-HW5PL4}km9um793E6qdP17PE`YfV6z>eUP62eOB>o$Z z3hR4LbVX8`?Rf;3xBCg>JPuX&@J+VSj)Pv;2E;9A>hb%Y#<>pmjsWTGcwu04`|>Cs z;{2M*9{Lr60dr+6?BA&3-t9&EJ>HO4F8=TV@=|O)FRO|BjB(BN6uPM{MpX7(Wu5hG zn4`C9xCdiDKWeudCu8r!Mx7T62JbGH%S*vV4_=4zn3Yq&M6t=SL|m0nF%RpwAvHLw zeYK+6or5*ojH;=*QEiSA}Kvr=FcN23Yk*t{Nk?BR@O^Y zI`u#2iMy?L7OUR{J7MREyG?gSbn|Y2H1CS86Ipb8o!*el^h_ugc9~cY;4Tu|uN)3A zE_vIZ_Dnd|V#n(BjKa+Lry-c1sLXeZ86$J({FvPM-mn{U!gwWg1*{-2-vJs7&erqE z>vtQ1;RMwBq%Cz4tygM%c6;ocylnCjp_$}?d!=~;C(me;EYE1sU}+EJz?nS#vUoMG z{UpMEC9mAmv22J2jdCZUQB5FJag}J!H#Lz3rqLYQr7770O8J@mVmmcpVHRW z2PwG3sEUEQR0`u&oN#?_r7XU7ZN1K6hn#o(H;AF`S<)Kt8s{rXNOTd$o>R=D_pcGw zRP*4t;l|~@*)RP(QkW6ErJi?650e_Bn~T1{s(dzSAkmOcl%y0}UzHUx0u2JrV+C_5 zv4dTV5(zO8z#qi$JvJdWLJJcUAwLaB*tn?2)7#UHLJ6>rym(`%Q)pTKToFvcK*m)7 z`@pk4!zdiA*TsmP6Y4Yc+bLDQNU1{VPMKG?&$+#Ccvz8=S&BSo!F1LJ^L{Yt-TKP; zuzh5WZ0Fbwok>`S6zqH18D9zL2V_o!o*GHAsooqTl2mqY%Zx$MWZhJ+L4R1Jr(dyW zXuD`7kUk*8BJmrS3Yts5qLFKQsdZ^q9IiSmQ&=^+@62`5qY{HgjQ8ZOc6!nZ`{!}; z@}}}b@0gSXcUU^szO{-&f~oo=$K_rQu$w!Ae5{|*pfXmqE|JN0T%jOm7A-tX9rCnj zeyIB`6X2X_EF6x_*Q-h5yUfMtg*=>w{fC9Wh87Fs z*fCitftV~eCnS5h;u?OMkBZh9alci#wFW#sju0T6i&2!{pHWxJoRMgz>s(2K#H=I% zsMfF>D;M=^(~LP}p1fhr$Ir#t>w=JLB|~WX#HSs`eS$OFsl`3D!lxoQ`_^Zh5P~ zm&(&zacz+~BY3a2Gpvh)4e|UCw_lDgjr156fur@8O0-(xz6eT|JUfT(XJLmujJ-%{ zdg)wTTTHma%f~7D(o7n;)kS`5+%o;&i3E!(EN+{Y$GQ=;ih+3@Yf`5$i0r_jy9fe~ zk1QKG%o^qAk{kwx212QvW!1$>#!K{E(@<%RJey%v4icrx2G7UwBo+?c8d7X61l%&g zy7f)BwTap_zq)8_joZI}A3@A%KX2jY9bLG>5SC}9b_m(`kir%PT(~jmyXRb}R zTlljnuGnSe0rNH&D%#pcb31ESPTJyfg5iBL%X~9SVIEe3-NrlX5(kY>p#xdewmEt( zZaF3#xtow}8{)bBNq0DWDkWKuS$no=jca@oIFO90ZLCUtOqLkTS0S)E%Nn|v;tiKM zBNg?gbZiV%^D;MzfZ4D{3h{_$sQ6Q0NwK~!q)QUB-$;-iGLz!XbU3+9nu%;xQQ5C> 
zGcDlI+^cKgq%N+0%(36v(f9rQi(e^Cgj=8(J59hp_9EN5IHM{+cH&o|qO1Ms2RsL+3 zrvUS=m*8yAp7I)9#d>6pIC^e(8kB2V3U`)8XhC0zc|xa!d(1Qa`>zb&5G%xxQmkXw z9X$P5kB=6EyWVo#!%7|=9nM=bH!d&3YXU=m{MZ4XO%dN^*eJpt|^$QjF-E zTeJ#7AkYl3a;JdTHzZN1qy(D9+|AH%xc`bx2|`;fTF#V4?(o+He9dUvWjxNw)~1Rt z8~WSSlO~-yvom@gIH)3OyONOO(v0rhoM&B3!XraUpp z+y3t9O!|~zbACDDZxg*ILPxRBDJMQ7&`bToM8c-@b;!#LMc`+KK4P8c+&V$SAn#cG zuG!GT^u#X;867=GTLp}myn^c1lg<80CFDK@kY)sN=gX=utRY~F&?PRtuQ3HW2l^V$ z6O7LDs1*#|vtZ!>)p{~ijE+J})t(m>bJiho2eNRX{FPSZvIyZuOUp-<8Qq?Tc3hM# zw)3l~HuSJMmRf3UDyt87<)(Q|w5AuH>^?ndB2g4$aob*mQ}?TJ7*`cnqg#@HKiwS$cB^g80_8?}sxSY4h&xy2`FBZ@(4_3F& zQ~cbWpRa4{l1~iQ4n4{ezg^uYk^0F~z%Yhotajv{_NpnQe{OSv(vtux2R#LA>}RO?ouLz`-9*{y8#;p~B|h4%hIO*E|9)*A-qxM$e~`sp06#da>> zoEFwOs`a()Hl3?^3&}Mzb!S7yQy)lmj63(4x57G_PU=qiyJYoA891z2K89|Hfu8OU zPLJ~jg;)6`m)>s&C%n^|?Qb$$?e0-=9I3?>QLtWs7qS(S4!;)kf+U1;=|92-zR;@0 zQyb18)h~?jnLzbnO3HJW^GI?FhD$6>D$!0VPwG-#co|YCX#f=tpBb?dN?AVBC^=$H z=m>$*L_)Xxs={}l+PS#gy$bif!@+l0(L~pZbH44J(~OJ>FV+_8o&{wq?{?FBI>kZm zo`JoB`7dTwp-HCR0@@tzm&v-%iZRm;sgD{t)Ac|4c69QXX6v z4pv)4u66>w5wzqfsZ+R_d9A*L7sUkX6w?k6zT;lhcUfcmT*>g$nMKs}hwEg0Vci~7 z!_D<2n4TfmmnKW}paJ#oeG6&17Y?f6#(dxBz8!AUY#qt|bvAO^CTeyf%qRLz1UqHb z9dMR!iCQ^b&?_RbMVRKelic;S0V%%sC}9g|v+PEZv%L$~EBXR@LG9Qjy{`g6I;|L! 
zcv)YVwJr<}7r#d9w}(F?r^YUf%kYVV8qsHlYAruBMqDF_E|Ro2SpXEj@)1V?QQzi1G9) zV+!s9C!PHT4c6pJm+qN>XH(F7dQ~0PkI=eeRm2RA1ABK%2W%0R7HO!3;ZZGJYRh_^ zfJ}r+p6-SS_UFbbmtwcDy>mOjyA}>FvmLjoVO1f!z$1se>PNw@eL8{bC{j4l=Cymv zJ35v4-JV(9-cuSIth@d|Ve%~5zrVw3Wdw3nunxb6NvKX@bXmN%)@=lU;4ULT$8Q-`=?jLM#BqCv~;L&<{_m zIUl)7!a&9~897>Bq)fz~HP(54ikQ{<@>fIBXmA%SHDOtq$^}N^Hl_^HSBYwHH225h z2&#C0NgyRzd4yqrfT=@9NqE+~m!_e?-j0BY1<1f;g!k+3?T|V)87J75eHj{!DP1Ok zEVzevjQaO{5A-;r$jhBF&@GqG9QCGV%wfcG_bR^oK!MPb*@xS}&je2(-$tx4S$Xk^ zY)jN*X#=E(EtK2LnE^w!A<6}0r?c5MbzQZRZjEN|=f!3nuW=U;x1-tHzJlGmh)DtX zSx41e(E9gn_prI7PDD3f?k$;(?7Iw2#AtD0PM%YVHV-hCJqD#HRMDf_KJ+wZ`msfN z{AnxA1>sZpQ0oA*vsKZwdSua8Vpi0#F&|=7ye6T{c{)=lX=KuRI8b5lRxoQ+-_4c0 zscOu868QS3N=&28!WDs3Oh5m8S2ly^%vLe8q`W)OiTB?%9Q2^Q?$7Fg^gn3>YFi8U z3+>@UTX8|0>kGW);=^6`?RiGWN)mN8#JKS=g(r3@N#E*>es1%a$?(XwDt=PKpma9E zo6>wRlWX36cqaRv68`K+?+wL~*}57ZLvlzox)W>}M3ABtGCBfdSgL=BH_R28vx^6v z5+c;L03~VnW=f|~iURKf4Y!U4(iSEzSbq(5OH4zM{Yr(;IsiBb7F?cP==vwu^&)r& z$>U~&>dsh~cYX*Zaom?vo3b*?3ZSo1q@R-!;uSmo8VxpX_r-GeY!bUIXCimz(xzfF zM65fV)h(ts8oPiODx4*iq`J<3Ani1IV^1J+pbV>k*THvdLh$GqgzgF zG&OqnTzTGlzat`RZqX~awItIyQoc7j=nDB_Bdq$=a>T}>_m*jiMysGz*-)U6{LhD{ z=|-Ez+T$e3Dx8+$>{*th$Fq+L_Vg0t@ajx&B+0bIVDK}dB$NYk?KesV-d zU^=22vlV$Ft+SNx%EL`9Mi`6lA{j~}OIZuEWDWD8gl;tG@IA5mCS{^roc$vL;|IF} z6^YIrWi!4eU~7IGETX9MwLVa%4X8dhmSu@O6{&(=-xGFALSNZ_S1tECK233sHd z6Ebz56rgTJYPj1hX3rGVJ3c4Eq}9YPEmlM*#s}pt8n`keKcf0oZlC#}Q8f3_nQk+A zQ*B5A>9nnu-^jb8=LS6o!K5h_!egsFW#3IXs4W!KVtDMRb(#7jG`iE@@z&S^Mflqw zqg5%K^ih@GKsm2g32&mA{56)F3-24du4hDyk@YJs8Ze4OU9Qc&+GGNS4KM+}=itN$b6V?F!i9U`?`!bm9{hVZj2g)_c$JAw!y zcjcB0e!UFZHvI_n0F;~rLNs-+G`HcDSG97ezMjg(m=%x#)%sZWmT;+KyV>&QtI+kj z@g?=(H=%PWY~{F!L}2hrAzwu)i?xny`B5b$J*F0bfJHyU=#u(89t?APnzo=ifJY1? 
zFHtJkM-1gMt)n!R@2arD{Kk-6(>-I7Un?qAmzH>Y*JE(6N<^1P#)fOG`g5n}rpijK zJfG*|`U0?9?50z>1)w68?uird7Qxtyi ziVLwOs{4hwU(MyfNEZ2rEHqK#7qiDLSnj;Ia+@XlMTjRTBIl4~nG7Rl!f%;Kjwosc zFP1w|mzr^(>sQG>JT==X{rT)Sa^&e|+QTyZOp`eKMJ314Ehk$nSQ@(G&hwGr(GAIu zUeq}Jt<6uV^)*=pWK4~PH|mr^5Q|LInT=W4fPByi7=gU%NfDf*EA`HI>BIUYTojRm zQxUjv1ZrtIPKDg+5vMBDR%sPT$8-n*_m}7^Z+(_M=#2y#Sq@B>)8kf-?D~Oy7g%ag zMcvGvPK!8V|B0K-$FG3q#c_mo}(_I&93BOljU9E1Nscl8fg8Dt$=(uv(zeeWh2vqD6=JRgg5z!V9~9qdQ; z`Bo%YV!2e|z3Ht_K|s9^Wyv%{I4mhV5UBFrTK9BjJj6QK_{ zbMR`=GtH@Re1OAWq6r7~NT=2$m-g$Al)tLDag>lYCQ{WSgyJNm zuHr4a;zO9tgi9*z*GKY8)K8=?=XhNFou*hzm$4sDe1J8-rT_o&s#g&j8LHcpyFwzS zAqKJpX|EqNUS*0nFDmP6zGAyVolD_DFDYvw%bIrgcHw#RH!>ZdwDShHd>(wgYV?}7 zrCyXLBq0#|(WWV>MmcITf>-78c1}V2M z0qfcIAM<^@EpRSHwfx7f(Ai5Dl&D!l9?H_Bx!p9t|74j;`&v4{m)tk~yuqB$gXS!< z?(069Q?J&cSAEoP>c8f>OJfwWb~5l%JztRdecI1EA^$ zKvjPO)jb4y;V96;L!fuCK+XREojL%jeH7^8AyBFVpuWF>#vA~BaSUk40Z@Yjpwz#C z8Xf}mI|`KV0BGz1P~!uj$}*;NPfV`obzBUh`9;%1d{WAfw=VevsGcRbbi2s-C!e|w zjT7^PsjG_5bGTCcsArB-ku0EV3YwLPP zA+7x}ErLRttM(#0&6CSD6oN&{5Efz&x4k$hL5kZ;CWjxT^Nu&pG$*Pv$D7T zLZ75%p8FB*zaxFJ?h~B_Xn!b=e<@Wk?SNN&q&briaNi$Z0U9pQ08;*D6nRqN(vQ#h zhXKGxwpR65 zk@6K5B0$(rU)Zk*sVNq_+<$%Z<4=cPzPrj}UBt-2m$$TVCv;hmFnM*|9eO2!Dc} zenUk20v1vL`L7TpY_wb^KF+L)Hu~lPY#=hfV54oyP%n?c#yN8c`^(EiRj^gz_}AeP z|5C*PY&G6P*iQ(5!G6L^pJ#9!_T!fau(_Tb!fsH=e>`sU0q00yChL*-hnknb`K5Uz zzW)O0G0o@69cmu<`lsfz1 z&#>D8L5ACuGaipDuVY{|5Ps(`AwQDNa>s$)52_Mt;UxIY;Y5Eti#g9ep{{R~h z&i@KK{9i=Y>EA?l@?S*uxcj^+z`ln$dnm|*$gThpIF_^jDYE|yMLjpRU6A<6$6TXe z1Fmt&P?Q^hbdJ*9`7h{p`!{sk{R_H}W1?m|OtuDW`u@)Ut$#!J%)g*p@|fEG4|M;V zL^?vzLE{W2mZW0%-8e~SDH(9MM1NNi=}VWWvExeZ&0ph+pRUoRu@;cXJa^_?V$?tNN5Y?-{UksW-VV(alK+&?D%u>fm=>0qBj z4FPVBT>^GII_gk5$$M=RrTrXXcs3}UzMZ8%O65~L#?Lr%zXO(pL!$BWI1gWBRLB1C z@E=TUVVT7F&E$Wv0~XZ(=q47_5hnfrViN23p&WXi-UgU7_}`d3w%|W8N%|L)xBtOp z{a;LeI>ux;5dLF|`oesi$-hkelga=4J2(NLjxza|o7gRnFe&#JlUPuPOul+Lm=TR5 zRijLNI_>9ygB>_A63TM;GM@4NZAJ6!E^u->&2Dpe#>%=ckG%jA;2n<1&+NkP66*Ex 
zY{KEO1zQJRp4A4DEbGg`5Z>;U^8QOFC=Gkd;joEKpm#WG2U{JUrkEsxFuGM6fr+g5G=EYVdr1i_ zD;797DGUY3rIE_jwjC)3z-3N^z{J(q!!w862p^N|h{2PPKTCW_<$#t*ZTqXJkuqVP zYhHIhQZNK2uDhRM3B94HcR0n6mdY`A>|8jK%)n*;Wsx1fpP{j=PwWmT47l@art}4z zC=4i8ufP0L0HI}Kw6>}re+{NUk@toqAiRbn=foB|2 zN8}jF91+g`gkJ@NS@L_r1q+oUH7WFlg-Wm>+s~1HC?H%QvmuWBn2ER^gZ99mty*Y; zx!vs3^zCC#Oc$x!{c<9#OyYZj&@mGsH-MS&Yrrp^hi=K+4gUoaOC@mE!9YmLWTp}i zVEV1{DA@$TOl7jwUzPI!X8T_-jgP}D{0pYWZ7vwDpK&kv8f?Xqs^B33|bejdIL;@yA1-OtiV>L?r6qkq)I-?B7Q z@&6}NGcT}60uLrxY`o?Q{z-(r{N-x>BQWiO_#KBS3Iyl~OoqQ;5(B~d+3>O9`fot| z5e+sPSc^wuOILczf~~c@VDu2E_4b zU@aa`9>C~P-2xVm>lW+zQ9=BrTP$}!AJNE-(3z=(A2mTHOAj24_3MvHM&d7~aItC3 zb}(oj#H;BqBA5fW{!~jKy$t_?36!2AFgO0vt;=ti2kG_SfB=jhmBe4g4r}yR#RhbX zwRl{&SffV-!T6UTu-qN$b}j%7v-``m?mG2!Q_AXPna}73I2Zy;#f4W7LPY+tkEO7#acYxq_LhK(e3HK1cBx5P`4S( zj9~&M-;SEV7RvV#K+Qa&>`Q+!by9)31Go$O6M|*ETpa(izleys?N)ab=3m8*@OYE< z`wOPbZ!&*G9TddJPy6uSgOAr8eKXq$gpB6bCa!hsD zLP>$GnTL<|4wwQ)tmDcSxriMXE*~7au?Z~u7ZJ=+0U+ulFq!{?NqQV+z+W)yf5ZH* zK^%_;*5a`y-GMdwr<9rWF0krQ*Z5D&6F_Tu_T^SbLwz-F(w{{$8 zTBx&fUx#AiVh0P=(8h02EW5!TFM}?x1+v6Av28;hW zKJp0L0>hLlbB$>Z9uK!4VR$w73X-PYa3_z0S$i$yp5t1XQn#3f%Aki?WO8>onmD_MZ_Kpnf5azxJ@5w?~y*Mwf1~|_$kelb&VV{pVp?f51cl$RwNm8o($|sT7|dq zg7eMFIHejy#s~#f3lF$lBH>-Niiwx39gtWPbXf>a1_kJW!-D4t21=g}eBRsRtC1Au&f&0Y& z_wKD-lYlH-%S^$E?+=;d0LbydOi`pABtVgSa{;W(u^#1v#eRrV&ZPO@~iW~q4r33sgQ%K2Q z=Eeyou8=uF#*?cNZWyGDIu9?zF+fo44g`zE2s(}RYPQ{oOq`26HilKV5I04wp2i23N zsF!&!c8c1c* z9DX>s$SLWjpjr=uXbX2eRLLkB>W4bgH-Ky&FZgWhusc}i6;jC6CV~RK!|&&TMv!ne zD};Ch3#ha@?6BeHL;tHL106MSR4isnLq(Mc56@tn4C($3bzQLmhke3(ht`v$Q2a*4 zSkW{Ej};yT>|Ebdv$Av;9HN$cwY?H>j=0Cm7)TED%SG_1!hQ0X zZ9YM5e--ZyzpLBW& zOObk!fzLrZ-!l$+d`5POB950R+ka}ldMoQEu<}P+7P~%QY8DB7vH@6hSEIO}9ZBxC z0cEJ7nR}mizN3Nj3(eR|9z{J{#hvSmtsT28F2kJ@#Hb zX$I<%=7E#Telp(`{8G1zlk7T}9*+;=Squ6g+GaaG#>fBR89%GC#DO$0CId`J-6^O8 zj}Tg^9Ho2Ch&r(e!yhSOR!}ApF%h@W-(Cf*ZnoQKZm!&Mk)9;A`e{g*45U z>q7Oh2v}6)m~lu#Q{G1?b{nwGs|yRha!4*^g30v@W!s2F z5Pl}ARM&T2{MMMu?Y1LneqY2xV}%Hb(LxVk;BuZEtTT3wYgH_X9rVV$eac~?8K%*hM%%LBk!OOvXBRwH%Y 
z@V&e`#(tTf$@;Dyo1+%7dHX5iTN=}XOAZp<)LaNGQW$f6rq~+QIpD9^I zvB4yrLyaK+9S_~+o*VX+pA>Cti*U*;le@-Ciy?r%-yV>TGJGHlyapV+bJuMVyd z4^n#oqHw8Sm6_Vl_XPrAoaL4N-RnKwD}yXBrQCx}Iz_DliPxi?bhh+6`n4FeTXz8G zTc7$g)#IM__?q?d>GKBOH%VTc_>3ibwf|tD^vN5kVDnRD>uf_lzO{9vZKf!HTX82M z#wV7Q6E?9#;Gc}wQ`V`3zdN3Mp+48&zHv@_)ayup8;vQDq`;xalFI2OSA@5|86exU zpM3p#rG|$+MI_*Xh;gCdUPAkkth?!L_N&c@XU@Hf_YXP%%?(?IOFoZBE#GnzIn+)- zx~DH|*;GR1O@=&$vLBC+P%SA*)557a-};D)gZ* z=Da6GMcU3ycbw^pd$vSixS}XHlrDPIZ@%lHt%Cj-uRxj4hs|uC=^x#)i>{1V<1C)A zS=bC+^R}xT-95|Y{dqOJ-fy9#j>lNVRQ4qGjxr~HLtX^BQ>{e1K)$Auw5iXL=}^bJ zn#&x8Jv#DXnYr`CxEcu;%F6-;;Zx-Lu1{*l1b<&ZX(h|HC6?k1iNgT)Y2(zSt(T7FgFSZW7-dBTJ5XFNX&XsIPVxGbirO7~Kq z5kL*FrRFR*Y>Hs!2V9GF4oP%{d!M=Z9NnPBLY{G(UpS_*l$PS#dFzbECVl&HHNfjo z#*ByK8Mi%0Seb5XFp_B1_%HPMN~K?%S9BaCToOOL@XrZVt@cWI6Hy9Ti2)n5#JjbJ z!xMVJoRb$w;}zYudW7h3t2&v39MydyykeJdc@x1O!5~ zj6piXn*%bQ`=m|0)nXJR^Bz#)B5Z?j&oUK}0ji2-O2_nJM;NbRb_6;^Tik|f^&rPO zyEL&YpCDBZJ~S*?l7rHgWIkOD^HKK@DIlSHqL*ecIjyW@^*CQDCnKD+kbEB#_?nE%h(-{GPlT3!Rc1!q=kx{WEBTy4V zDX(KRGk))_jgEQA?4uWbho}o#dWe3zFq$O+N4ymYP?~-4fabCzB+=KYK44|@2m9=D zrU$4nRrFQs8IFfo!DGftK|gah_+X;!59?DKt?fw;Jg(PUxf;fFnR!bQe8bUX>--e0 z`76FLzK06QNtFzSLyL;omq$1Jv<~PpF&X9+)`m=V3i_Mfqcv)kEA`ZFIp-Ao@3zZG zGzQf&7d5Kibx&rrfWSgN+eW}!ZGk#@MrPNX5zMT-Mvoy~v5K+vB zTgr$)2HuQp2d3~?yTO+ZzLvP ztj{O%eQ-tB3!Z&b2g0gxcduJz1Iu1mHWduxj$h)h4B(V1~pyy4lDlzrmryR5eyC+byR=!Apv z`OfJk>!!^bWIk(b?v*#-nETY(lWpXkOcYXP;SIXEy~Vd_4r&bp#lw50FC(M}@+vVJ zg!wKgVrmwIYW4E9==6#WY1!yh{^z&m&RjC(CKj&^aq{vj&gFpy*v-?y&C}Y*@2LaC z@>c3GB!+lKl$9eYhk~L4$*X9UkPR^ zI&83#mb+Rw=PLdA!sTaLu}V=*R>j2qzb?9WEKCBdgYJJ-InVENmhFjN>qRonydGV; zT<-HxkzxV2zZ%83dS*GUvE|(?jycO}V1<#JlN_uT&ZL>|afi3QRW%s_#8i6lr&-1d za!E!^)qg#6CK(=1ht6S)y$^g^KPi!jREX9i59>g zoKcHpP?t4Cd27nqek=Xfr21pRQS*MW=h#6!iHzd4Vq)!(kg|~d?;s>%qy9cZeuWMF zzgVQx=+m)8e_;WD5R&r0qyI0Y=rsIvI?o^YBJuVAlGSsX;B+>^e+ixyQ~f6R*QA8g zET@dw=b=r{O($jE7)(?8`Oo?6F${Y4Fc6vRj-0Dy*gh7wha(&^XJe*j|d BWo-Ze 
diff --git a/spreadsheet/macrofree/waf_checklist.en.xlsx b/spreadsheet/macrofree/waf_checklist.en.xlsx index 03f8673f8a1c7bf63ae3c39720ef292b692d17d5..4b9d773dbb8fdf50d4646a54d3c474e0172c3707 100644 GIT binary patch literal 176673 zcmY&;1yq|`ux?9ncPTCIP>Ms*;_eCV?(SOL-Q6v?ySo=J?(Rj3^U`zg;k>)nAF{&Q z$?UOjzL~w{BtJl6zI*o$_MN#Ptg6VMv{(Z8(>VBr3Vs<_>&w|$+t`2AwXvahv9yq$ zlt$=bK!o1tRB&oc2_?u!7UBubY@4Ka3}~RX^nW-%h2*nxbsfUbr4J#YXh;^mq~Eb* zW*S8LK2Q34}&5o5>6L;>d- zPI-#nEfp5dYD&V=l~3@f`)=gCVHlF%l4zk`!xTrc6f^fmte*^^I$>IHWE z2=Bprhj{l6?f+Ln-`dXbuMPn*qh`GfsKVa;F4o7JWUM`xxnDHnKf<%tIZ)<{>zVOH z1Ja*7u@-F66{t+|+|ScfbZK-`7?8Cxsy75+co$2x+$l~tR|9nL1hh`R+hz^=NA3-9 z^b0<#4T3h+gB2TOafHrkdj2{vQa!OS2+^@8nVID4wDo) z$NfSdO!-~2fAnT0$O!!mW#M>bDbLCC~YQt5I>_6 zQ%|NQx(`&N4(qKIEmoPXE}a99uw&tkJ;z)`Qs?8vj(hGW`M826LH_xWJ{}a4TZIW! zti0ySOo3K(lNXG`Iu>2Rp;#>aKhF?6Al(#=+#?n16{VOF3^}0c7hpbo#Mt>(5k+Hj z$z7LK+Bor*;)v;PIDU*vkK%Sq@78iUK*M`y59eC~8pZ)?Z6VavpZh7^<|4YjDgeXJ zy7Vpm#r?@eN#eqWp~M}xeq(xeoP($~0U1P;L|=YX=(%}?PWGA3kmLE5IV;DK%6A(a zfxuSi4A!skd%w_4oXmf&mNGHd$YE6_Q2rZX?;~&tb$Bk4aC2zS~YQY zc;1B9UhP^)SE4L7y@QBnNR43oDWh_e*Kd{-{oXh!{6Ylx+HCDphrnWiSlY1h5r=Kk zR;$MKI}MJHw5i0bpX1&~@>BGL6TpT#9WeM1ecBF}JaFPJ+P}L<^Y+`SxS;2iv=Mik z#~O{ONXL(@&eor+tN5W*3h8=zvUn9Fo5lC^e4i&eN%+E<<*s;!J`rfxtjyC7GoB#h_}mrm%9aD}OmGVe^^IRSIuS4uN7Z!QV3Z(6=r?S*XPXfCx~mFyFe|8QXz zYu2SXp_+!UZC9~ppOC~n9Jn{!pC8^Da+za#W-{KrI*i+sl?o7nn=)C`*|6j$!;_~X z+$I%3)N`hqJ86;B?v4A0=HefOsSA+P!U!l@`uI%w|3ci zk!3DMU@8W#+3(v|QZ5fna*ogV-)88j^}mjy`BRCoH!;O-JRlD*Z@{EmI{vYgm|eC! zR*&`>dmkGms9T5&!|jjyApu!dfesHyJzF)xn?&n%~15VlveNfx%nanXNY--^PM z+^5VgB-z3q>bN?!k(mUJ#_W@ye#xwWQxxJoHgD@peIIkbYG^;(_=1Srki%v?bK&$c z9f4^{e5l7vs<=iHHE-fPKHPi{jkTnGn~d;ngFB+ZS%)8@t2v(7$za1cuTkG8hDTg@ zM8y`Um=IO6b(w%)eN^l}*-uB1Zq?f3rcWaJC)E})ywYp-{jj(xwT~<$sgI#1*jBu& z$__Wgo&37Q?bPPdl~`W~K}O43yyb>6<|#93dwFwArN8^>`7WvJ@(10Xn6txAOQ=b? 
zYN&k4c6_{0IKxD8bnbUd)4NVR%#heIo0>#@OTQLN+@f;_Qm^U-=A@SrNU-dok5HMH zp5-E@<+rx+9Xqb}_sXDlna!aX{>mi`Wn(=qpI4H-NjwUhmrI26518JLqmnL+yFel{ zd$|;Anh>ux!Bv@EU8t^-)bjCz-+a1v#T~=tKj3%yW6w9fgR{nCD{IYM*kLhQ)h1%2 zmpLyM-y=;a58n%k9D8$yaqF0;>r`)?FJI~ntG%4o>|^ML@VPtlN>C1C+jiz-7a>)X z^kBB^o+?7E?tGmdEBke;L1J|@$j^|;4@SuF_~lU;tJ2*_GIBz(v$G(K-i0eyi-<)tJzg9MFYa- zmT>3s=W}7cT%CePVCBLE{;65PW}{m|_DqHHNBMfqLqMKd(LzX%Ti%~8fgmUjlY4o& z(|KATdngV6+;EbDHNebgzus4^bPY)jWzPwQmaYOp5$Dt7E5iS+WV`{0jjx&z?}Q3a z-r@dFC3Cj6Gq*P}G<2~4`p?@x<*csVJ!zS(;q(#c@)+5^9j^P!<45J$+G_75sV+?< zl``kzpLE-ocj8qNlr+^11Wq8nXQ(dG5E`j3frc5iqD%9bUBYT{F3(jLf4+|2{#h-L zci)d{y)pW;aO(ZM>(tr#dVIXl`deu&WVLip%PL-peVMCT*?V=Z&FaVvIN~hr+7y@e zY`*T8x1ipP{RpgGT&*~B_BJ(7Q&>3jq7^n2Xi{$ku7=F*eSN)ay{B8}G*leU>d$zp z?9@1xh$<=Jt@wA}b)_G0np|-kmHV#wydilrQmb7yBMf(rv z$HVb)#h&+5yIKkUuae@7^0L?Cuhwmy^gQe42q|BmTVl1HM7^Dy8po5)8%vKU9bFy0 z&$QFqsVa8W65Ul(j-Oji&nhIVl`bjHrnJ51+1su7W@Xz=Qr8_5R0~Sw7Z?%_RQw;Z zCV!V}lv;O&%zb&5#n*gF8a!|u-sbzm@5KMTaI1FG>|j4RgHALNKvMkzEG`|Lc=f^3;~uzQzB|In=GC%vAa!bAr*SPHS%2O3`*rHQ z82Z~;lr?4|&6}`c+SQ$QbbX<8_2s`=GYxc9+Yk^8(AZ@yX|Fn0#}TprD?~*KjZQt8VJaXN#rZvS)w3+&z81d*Zo! z62w`L+aI=^WUk|pwQ|pFur`v_$K~1I%<;rY{R%B>_0i*{;+fmcZf4`^e0lO&erR2| zAq~Nj-T2YymZf28T)1~!cw?_?|D43ee&dSpI}hI7lm26~mt<5xR!r4*fk^)XVO*Y! zCU^3n%0kXDe1hUb=h7Ous$YwZO!7+0S6=m6VdVuE>bV#7D_%-|l^F#GT)797s%*|? 
zU5Y6_sRh1&grLrMDpo4a_zzJGcCvPz>bFC1GhurYq=rFFc*VhA(mmDFQ^`~#cHncZpC9f z6%4Yj+dNl#zN~V4;_R@;B$88?S;TCVkSKaDC?om|$z_Ur&1IFhCF5?pC6faqGYFwo zJGz_DbV#AWww;M(7rDOVj;h!(!85ZrmLkVT^&Chv2*o>cs!Q?J%WdLTR~;40!AG!- z^4&y@XuCB_t|rKla?W<0*!VmuQ%0@kY<8Uwjk8ENgj*mu5-1k9jiM3Wsoehmo)$&N1`e{sVd>t!8 z3PMDD#e>$Y@q7z%RPkksMjuCl0)OY^c;xbg(Xww==ol*44H%*`$PdQ`6u@o^VXy3# z%*pYxU@BnC4d>LT3*FlIz7mrNYy$N zd21xBgw3fbO{|4?-p*4u{MnX_7!!iDE%X$iWzEl!V^A#`t5bY;ius)jYX3A|s6;u8 zNS8Z4;fSD+8iO}V^~)%YG>E9oK(`*e$p1}!8IRbEyM=lT`OmtPG`I$oxhu;?ij`JN z-;kPt1PWf$pS!r`RKD#hAvH-YfV5` zMcGROlP*$dxJishDV~1}AV?NRMrQ!%Q~J9ipDsIA(9l$I02`iCmFlSln*_vMiht`^ z)M!98^j)agO2o#S_I6d@rlQi@PQsAlMiBTVekG+lNudG6kDgW$=S)tRuFV>|fAaCP z38o03meXO9XflryNj2AGW;_Cz*z8aME_&Ub528hW66-_$j62~-1W$e(pMs2-^Fi>S z>!R(0U%aT5Jk}V(jfMyCL5j?FoI52xlMCmP8#CMO-1VV|i5 zML+di6@1-=r;h<;g*U&5bDC zL_z#e4g)Io;)u9Xdptq?2c`A62-CRwyN6K6LV=85$*(Y!9pBF|=>~i?$0qkm$F|x^ zaMWSN-eJtH`5}RvP#}$mZ;l?n>8VNM2Z~G{Odd9r+jYph$)NI1N;BJ^9WgSJo9D1= zSMU@#Wnq2bw4lj3lU_HQ@=|V{81wE5UXQBewp*}}`S3y}?#!>y>y8YXQZ~26@n;f6Tz?qQ*@?xR@< zCS5vAuit)%XrC%t-;5|)M_`3D`u1G)(ijNGW1CfB<(CDUvu`alw{UoS|NW{>!|E8?2qU53Jjj(Eh3 z->h@HM#kCu+Ts8W{Jh(q;sV}O24lkB>Vm?_txT;v(t=Sv`_)I$2K20cv(^6nCw0$K z$7HiZr8I?zBM0>&k3v!N^5e2dzYA!rJ-os3es&#(l-Exly+L<@D3?fCUF@@6WxsQS zYe%lhWtoyXmcIpeEs?8j?1nN+uNqpA3L-tNys2f0adllG}f?bPe&Szy+@`RGlh z2W;paB-PfvmV6Tbh#4AAc&lk&C<|3GRZsDC==7H|l;3$M{Ak7h)**^a$k01&9LyY0 zo)mW+R?f)h&0aIqq9XFv%)*o$hgpuZzMj%?t4hC>Z`xLdqmgC!@<=mOw}ud6k#d(A zjMo}=kkE1WlfzpDy9-@~L__Ve@>U5{mJn9IaUrV#(#{&?g3|!Zluu7V=Oq7xImpZBn3-zbueT6dx74CZ>qN0c9p@xm81F zYF|Ew6<8L`JRaR5{DRFTovokzWkSyh;WzxWpH1pnkB!goU{I#g5?n6@@(q$|(i&?D z{2Ujn9B#jk5|>>T;84!ydjR`yly2uI#{G=hIL-xY>>n{?@*|?yZn02$w!0-!42g5+ zp6swH!4%F5ex)< z_p6BC8wf%S1wumN_v9@_loILG%+t%rqgE=GRSFLPjI`ya9HSxP{n- z<02}EbL1;C_-*BKLS~g-RYZ%FN)q?UtY}LJZXE*lhg|h{#qoYV9V*p}Pfw&j?nK{R zM*ZmG<8DNb8@f?Fou}RgeyU};g_7(oj?7noj4?k&f<}FPs|yw&@jKBA$4e9tryjOn zICM%VRS^vEG{fT;+Y$5{E9kgkiKG5reSxVyggcTeB8s>60bYO@z+v3tY+sG~*NQL* 
za75VX-|5JRs-iir74XQ+(i6x6?3B7xKMF&IJy8LlJH#kTR#j0E{?n~YTm`IKH7cmZ zo@;bSF1kF}ZgodzSt_M&6Z)gl0Qy8_>FG;$pd8<5duD}=))VOEx_nMF`XRf*dqC8_ z1mz#^J-`y(pnX3gB`S`p*~(c=#}h3Xb@_BO7GjmtyfOPFug*cARtxL<(TBHqjiQhz z>|Q9~Ek2rfFrm2OPdN6dJ1na?7C2}$?YO&tc(lH0^B+!a;=()%TjlPTF&HSBF(arCDKaNDK4p(y7__#v%63Hu~Kb(R&}iCNE4^-K|=Z zV(tNqo2ve+rkCVJy|iwNLoY{?!6l{4blFxpr;=~lY; zDDAjj)>7AXW7eLuJa|ITUOx6vefXuqX+q=~w9KoAU|ymm%WCJ;$j|8?`a67iZohxz02{Q6wnj7YKXx|O&q}8ZF|Hhdu*l6q5cz_6ug__Ly3L&Nq z8QlR3`;Z$tEd=1?YtJGJzfy37_F3vAnHTW^=xol}IV%v+Iq+@&GjrLr zJ%RPYc#ho~peJ3WFe;%b&N8j=_*LA3X4U>l+s(PiYIpvj@D#3LFemEd8~!5f9tr+G z9;g8`!)i()wt-MXcrvk`-1)FR)AAP#N;FCCj9LjL;qFlelgi=wER(Nwn&$6uoH^B0p!rd61F$y={#U1l(=|4p>Bxzy5L#0v*FWs@*H6 z){@Q2jph3ZUfpcJiOI?k4nb!R`k_P&~v&w>2ttQVTJ972!&@d!n$1B36L~wV8;Kw#c^|M zJD^~LN*^Qzjn#!mI$pq}!+__FoX}1D&jUx37wi)Ko8{+tv<`RKheVN*k5O~-DzMa^ z?A4Kj9QjOdg78hz6TpHJz=Gz*m}A1l7d%!lr^^ZXCIP5J*}mWOLCxR6+;w~MJrf7y zKhJxEJCab^D3~$(54&a4K+jf=3)T20@sB0)Kuf;OSV5xyFr|dzJ>JtX1Rgk#rCBkC zvPT@Ru-C(7_1F>AoJ*f2uKXsp8rc_`o5y(t_LKJ3E;ZU|)k2@oF1vW*1_cR)&ON3$ zawpPe2!7=6Uq0TLI3Q94slYhm7_V^P9RFik6&Ub8zz<~=@*L?7ze-RzLPhOfa4c5N zc{R;%ZY^xxgkSqC9DST``nKAl&x7@y|Eq5Vb2Tz3JqH z&&nJCy&Rop_h@4+<2uh*W!Y#^7)Ni_Z`8QdY4;#}v{%JWNmyS*WXY!RRUz!uZ!MtN zdchqyOu9PDYYlOT@|JjO=|bKYm6G1z#`I=S>cNl3xvkuga4R5AJ!j z`A#p(BN<2Tw;}cppo^T8+Ehe63V@68L$*C52CmdVmR|~(o>@RM##QSrqQ|-A7RUPb zS6l5HY#e$TQDfAX(c(R}MJp913y%Fq&&DZqDV~nOzXL8YY#2;ABc^GdF~WTEdYs8O zX0)BbH%qRU%V{XI>&i)wDe|$| zke-)@eyjg<#ZlvaWQTg&i&y>YX7-vSIk%nJQ(2TY^=v1ERaG3yXtfEW5-;&CZyh)#$hv!zeb z0mw`$^{0_(2fSQoaPLJ~Xcj?d7kmRwrL!8|hObu+4sIlWTh7z^&ZRqRP5KeU2p3GV zN_kfhw^T8Cd$TR$cb=^3*EC1aa&t<+?Q3It4vG8kKs^ za$Xc%UEj92=IOR({z}1cBtS9oSiJdgmjBDac!Xz3%c0rmCcc`t^Sk4wGRRaLYoL8K zL`630*md{GuGLNBCS__?y&Pqe_((OQ`bEP97CJ6q(kDm&79{|c03ObzxPph66z$mZ zH^Fv2or;<(0YY9)=<`x(QyqmJ3Nbh2TQz!!+sLs&=VqCDnB&10 zWF%jditAQg@GwD3sW?6tL9oGTU9n!b&YO9spfxLdQ~mRN50%IvPi1*J~Zh%YIz((#ZZ0{3keb__k9~a&fnji36~|7+k;mTYvx2y zQU1pQmqh(IcGNa4SbSO{TycQTSzu8CNR%Igd2nOp`Er|@bX+bmd}Kg-%Wzp}G> 
zm5m9Q?ygk!53K3%&j!IGeX7BlAotWEQ@#5%P3fO63oD)#P2@S9?4D^BtAciz(dJ`T zGYu$Gl8CLsW=-NhQn!Q_CwvP@wltv!|2VO%5H`}ITniC-0sryfEjJ4%mb9Ezy>z3l zYs+TzW3MHVuiYn0VI^7{9n!tcOL$h5D-~n@VT}8<`|PI^iLwkcq9Puj#`jad$DYqg4g_e)4Jgd?o1wgk|pgiXjENlve zAu#m%Mj{(_$zCYa`(B?OrpTB&t>$57NZR7eTx!4V|1`GwZXnjFrEV#XdCbwqe!iy3 z1+=FGpww{PSbb^y$_a0sOr}|HZ0Okb({F<37e&fp(_+NOea|z6V>L?{S0Wl2A!>hn zQzBf6d0JVID^fs(TmKdn#0{LsuqU3-*p);?8YPsZzj_tZwZ`y=P4b@5v>?=*x5{!- zEM6?j0e5qM73l{3TQCsvlQ1Ti)2vnfc_CZib2x3g(J%5$MsW!5q~9+F%-h?Wq?RKx z&lW1~J42*D{^-?HFTlhp3_M(PIL=2{QO}WA5fZZst?s56+0e5?`VE8kA_fa}6WSjG ziHR9x6`R;ms>Y^l9DAvs!6=P%70VC~E_vFf=WYU2u>Znb3~8RYoE!^W!Tn5RK8R;u zjESt3v_x;P?0&z|P9NR%BfgbEv$dwl3Ft)`Ij>uv4|(v}qn0uFfqzjoZf{(-cHL9o zex9RH-&lSsH<3OyY@$mJ%wdmci#5RWPVERR$#r>X0YIjK?O|!6Ok&BJ3RX1q3r?{d!#IZ0lh_b7(5K1`PJ#9fPuf{R)IuoaX}#AZC&kFXj%gFZWWKtw261^R z2`pC}TmsIs%SP1yBrAzwkhUlv4skWNPYsSE8ERpwQ+pY+n^!L{u0pD!(eyA|rH+Pz z8%)?u0zQFV8ebwYp&vxTYEZW15(9n$&!SmONdVgsA+?l ziu)eTcV1|05JxNsVMP-9xlxKw`<49|SK>4W*eRsxcszq2_uZy6%6aU;6={y%Qws>{ zYIcI#A^|v51+n8``{Wp)ZSnjyL8Xd^P&ARQ9C?V8f|9Fkx63C?x=Z09AjF3F6apT)4N^dWNo%sFsL_5~7cx(rf60a&^D90geetff8d*PJop_m=qHi@K~mX{M!gc#rRvc=r+Tb%YrS$PQ%$21 z>ezpiojP$H5f-?yyDJfQ5gKeJGMzfp6qReQ>swupWusL~+r@-&Pd+)$)EtvPv#A;M zc@9QO2>jE&@Q7+A^v3T6he`Y;o?sJ7VFfVJ-pkJd)mnk$s__8wZPQQHBv{ll?()-| zk?5Uuu}$Eces8P~+|&u7X+q~_gUBN>De@rbNkR=8Uc6Ltye6rLgPjd=!tMix2Q ztyb{g%<4X}7;;t71Uy9j;%Wr>nXuyQP#3%8H1GY!WB{Ls?(s{3`~Fw{9dO_OOF-2f zNQF_jh){TlFz4?|F4>lE6QFK#-E+hjtnp_1+jX)Xk`_ceexUmc(FZ0foleuA{f~TS zKv|nV;?}wILD?^B zu{msN1cHYiH=zX~eu%=ADs&v~;E>QqArk7)rm|D%PX_2PbdBi;Q;8d3>&<5cOa{kws=~GVOT^b%Bg4BAdukH{*zp@-o zY+LU%dTB(N*6)5dO`5Zk_Hh+2bLkH>yTE``k9h5ULMiUnXGS0A*%jJ3lb?oYl^@y* zI1PmH0_aeMi$x+U_C@FSm;+t@J4|4f>EYTM-S`Zs_s83RPXMT1caSiNTOF+GI@PO# z=G3C8#m%xx<#qLWDBN$cdc1L>*z;Om2}=|0j5JdiaDN@7+%Fu(DYkbaaJ}zOlU+D% z+i#q2XJ8Z(D0UZEU2vgC1@|I)u>Rk7X#&5CNxdW1#l&o*(H{^l6A2bat7d_PEal!T z)FR6bUd9&$FZ-8BfkT3btOF5M0O)QN8;1zj6h)PIn(k4$lwCi2Zv`{4O;vsX;)AP9 z3p1tUmk!k6!A@_uzPKxITRa2K+zF(p?GrL4zg(IHs#KxKG#o+) 
zE!765izdqT!?K48)-TbTA0nkMaYoS|6!G>C%o_K8#8Kyg7RRKqJE(5{1dm7_MjQkI z_K6)8V|Pxx2GY9^84&ESBmJG*^67^qeXBY42s?G;nS%-@tE~dX~?(s?lMmrJ^q1E^AdUJWjP^Pz>X2WbiF1 z4qP`GcMP)aumoi&C^%9$rjBn(biDv~AY*(eso4rMF-iGA(^e)u)^Ffd{~pn%d7x8b zXa~lDH){UdH60OnLdjFb92Ovbs^Wxpz+*YM47r26P0!e;Sxlvq$ARMvE=}MMf2FLD zQ`jWs$2yiQ3GBH8vt>VAsUFQkg{`U#0YZISl`7~0n-Jc3L8nxYCOAgv0rkeuOeoGd zq3xFTV~)jPIb%yXYg116yD2$oB`J*5PVP?Y?76EW?J`En!yVysGN_(8zT7kK#sjp$ zRRM7mr&yyO)hh(*>ud@{z%3Dj4r+uDNcePguJAL54H@BuM!l%^zScH>d-od(K z|7US>;q|%vOe&QCq_P}jiRzNm!>wP^JcNKqaf}sKKr}f`i!CY7EeX6&f258RE_-nB z%7wP7zEC+x(3Q6tHlK9c_>Sm`{l*OvQ~PTBk~USr(4=NYFfM>K(_G`PD8X}}R{8Sm zBCs$u!LnN=(7+{db0@JcrOBSV^zEzH^WFHFy0QB&i))*b_odEC&iv55PIMyhn;Kx2&d8IN~y$mCj0}rKu(fs0EF*jW-@P(^nNISAO zh6Wx-lZw;##>mZOvW{_w`qSJl|E$R_1Rrx9pPJ7}^iF~XDPNncoh;dZ?u5;FwnwaV zenhUH3ev%ybcCq~bJKsYfyU zoLBfI1tA4YVIc)5;v=cDEY4`7sIpg*CgKo?2_s}S=$(IrPKfi}7TljQKx#nKO z)BPg0fxZ;-I<``PM>o&ObA09ntVr!WyUF+{mdclcL5LRqtz$Sw(U{ODZp=^?oHyY3 zfM1N$s&+}xk$nOjX}t1Yp|{g#_W6=qePZ6k(H-f{MPC`oB#Y+xZzpr&C*pQ^w|{p5 z+^?ntFtS2={HbWR>ZZ$>*DlIAzB};pRDZsFCd|@0MiP2v9BUQKL0Ud%XncTCAO}bp zKQSlKf*}cRMd{|gq(QM5Us^)qpzl-k@|6q(T8#i^MchSGoQcL9;bL)=kIl$o;O;SN&4; z!{u@uLgj~_Q-$+{^LBYjuns}BJTMYZ^y%yi)}1`6G|9Ch(ceYQ6)$dCldpsu`=rO@_NAN{Xm>jz~T3H?rB|6L$D#f!$UWELjt8Xq9zjZch z`Y@>f=$!>Pp%kKq{^zi6aXBeBJgPuYBFC@zaQI&rvYB3_XE#kYt<&?&p54wZ?#&5v zx{7e^_j@vD)@f!OgWLT@?2E0$tFeMf@m zSOs7^oJ$jYv)Kg_M;J{GsfkX<2?*CPcMJTx?%yarWeL#`|0-A^H>co~3R5Z9FLQd$ zUpD{ntJgE{#kw4$L2T|)y)r&#jG7>Fk;ZHuD}UwK&%3ew)InRJlG!4^Zkvj_Prev8 zCueVqiXomZfCC;-p%9#x4;iUI4(A-lsZ&i@dK;1iCz&U}z-Q|j6;yI;dz^C%{?Z$= zc{Q9U8iTN$J&a`%w0e zgeV5dhc8H>ZLlB-N)lsEj*cr?4-R}40BLYOUALnq*H)YVnxQ)t`l&L)A=EU zGq=J~z!YK6LV7Pj03ra4H@%h3kno5UlEgk>=8B04~!mSC{EET(r=R>p?DH| zE}{z{yi)r*qxu;J4)cwoM5YO4=O+=%6`R2gj_b=6>&?$gU-Jl6vql#%u9i>GDU?9V z$VMEnNjV|B+wGOKziZ%UWgoGUnBkeM$2>xDd*8M5-dtVkxgg?c%OZ6oQ;sU&6TBm> zaX5RDAQ*0_!5rBxK>(SYoFm@rRNa|+?t8hELSlY_j@D zyd5z}0Qji%TvMKyHkd8fALvlS4!Tr0O{Vs(duH#6Fjx{SQGM80 zuOi9vJ6Op%6=1x8-X9?HKl>k*57A>L^+e%+IDBu 
z%P4#SZh5V4x!PT|K~wPtm$mXy;uw7SC2I zAi7-niK5ZIVOS4d@uust33_XcR^aO2$w3229)wJ)Q$ysM_3FO5hm>2{OLnb}V+nfQ zg40%obq^=!)R+h7s}Y}TS!vc@iDI0i2}BN`mu1xk_d1=7Lv^dBKh6+>q<4g zCH+vENh&y7FZI~@L&S|eZFiP{*;|o~iQ#reZ_w>q#q^Qb)RZLdXkwkSsLVQ!y3#+;Y(R@JA zkReC5SsVio_;*%knBjg-+i(Xji9oljqNY}WVJ+RmIJQ8)Rc>rRo#Q94Ml$l5_;K0p z*I=`I-)-x&u~EUDE3}^wG~UiPKk%8i4fi6^A|iBmIDZXZ_;+Tv)DTk1==$QHxe3Fzbb4w(U1;b-gYN-aRi4>@M1a6m8L6(Tlb{?(h15;1)a+B4>|r>l zimop7!4;+L0V)!-Kyp(|t;h=ycsd z(*`HbKja!wBY&%Yct5($tt$OImJUhT9l^t%*1;fb?1uas$IsyE6Bz^a@ZLAy?&xV* z{YhFCEPvkZ0#pzwUQyY_bUwQ9R)J4K_W^B#8?wT`s%54L>HSsBesTy-049K2G=Uj1 ze$g#gvEZnBF{anSh(l9vKNw_&6FG@DYefgE5#61^Jg>0>F&KvwJFXJlf=iZG4SSX= zb*xaY1x35n2aHe!)B-?}2AY^9WdiK5t`_XrkYC?4W1J^@=mBds;3o1Lg_FvFE_cOR zZ@~!0B&qTG?907s8OrH5W4B=yRY~JDyzH>@Hb&}C3B%WV%x8Q`Mh8JQ_i;l5fuz0z z7$o+ah@Yg{#MoN-dBNf1L<$?BK&U~1k#$)6{ieH(fOcg`zkn(a#M6X${h2t|rvNI^ zj_ynObjT`&?Z-WHoa$v}@LfJC19nh)3ygjvGRXraNn;ta0gh%MGJuwBfDy{=rgF?yqbogQKJ^!}%cY=v4Q(mTsvH4GSJaOsQ4Tun59RNiKV%MKkLron3G*e@sJ2eoIVLI_v|^ zprV`$1j7Ko?t)UHVSp9(2`%`{;#Bi?t?TvDv1SrLZ`;!o>$&XH236(LeLW7nC69ZH zqqIlS4u$&A`_A;&w#C;kwy)a-S9@0xSMqDD%Rz&aQrpF^*sZU+{U2q|j4Y;8nz^L9 zQz-hAgM%2+s5HUxnGZ>Ujs=&*RHib%9ctStp&CnOCbXXbRB>h6fk?*GCy`Urp&p!` zrpZWl_(-v(35$_)R3OEPfdRf87iQx}8gUsZ8@j-tv^;U>Rd6ZK6^cLIgJoAvVEgGM zh!oK4+RF4e(ic5#cH!b~Ao93#g5CE6&Jq8YZ|!>w+`qAjpx4#c`y)j39fc`oA(I$s zVv_=4U+G6l`NH=Ic?=aAoyF$v1hXA_rBIAI5dRBq-KIZ6oQb>qK}j_mQeFNu>t-)ihlv!QI_mg1fuB6C4(IcMa}@;1=B7T>=Ex;O_43@Ne>d5BaOM zYPRZbF*7~qbf50IGmxvcErdcvQs9uLJum<^4SIV?5aWoEgNi=QB!^KO@lZ-97W_6; zMHW@W4YbEvq)_FFOcr?e>K*2xz=`()C(g7cGZ09fG$Tj0NCCzJ~a3oDK|?(8ABLDy}L9e}vfA-W8KQ03_T)h5POI~~~Tf%?;=&YL=1jl`A4 zgJVxX6SQhYt=`&paqNoj-k3&Zc=^1=)AgQx z8V%1bjj*AzG22zA33a}%wVEfV)po-ZOb?|>S9=Q6F;wHHfu34F|gcod&N=aK4Z)k3wAcxBaCw@T}n5%H31fK?#r?A5n z;tVozUI+j-ZfcAG-wg8{}B&$`@`-C5g2Id+Mkrd`X z!>Os0UF*Qj?#Or5v;LDA7rQJzzgiJHg=VDP9m#(RC3re4qqye;y$+uUSL>**;GbK> z(@Wc8@bhh)h`xQ~ffS}_T1th0n0;Zm7Ft>1v>gl9)&C=I+QPDvbZgw>{B*sDjJtaL zpo$yUzyybof1r-!8Bb_n2_am|FkXN9FJ#Q8y|V28>O{N-cI*}h3*#0?%|4#CqPZSM 
z+mB;-lPdD`(0{w6wiUI7gB1h)5_$2wpbh(n1rZlnK)Hs#6-7228A$-nH40TKQo>ax zsLiN&>4#>lqNa;hNL+7%3RD|d2vYyawJq5#z%z_Jqe^@Hg^2^BO0$)61;R|G!w-wz zZGuv^T6i(NB0@VfF9U0geibt zrMVwe#GN~>n7Q5t_8E%iet*`cI@@vsJfQtpiyNf%;7aU?c{N!1!!dsEG>kLG9uG&F z=hq7(pb{b6)%6-_zX!eB{KbSWnZTqjkz{{hi6E7kB3t7TV?}kGh68;5&i&1w=F1Vj zM5jR|cgMTnOqAPQ=F`KO$38Cj8O_2jxKr~MSIXu0wSt&`0aI##Sde6;Mk0X8I}Ot# zP}L&yDdSYInTE>Cg=HFK6c60s9WvF6EQo!bh>*fF(zx`Z{XxrYv~yD2Xpc?%6Y>FL zI!@<|%R-_~V+yq!=zssTutC$We!B?yF4`5u3ILZX*_J(7^19&9=wQ3sK@@@>+IP=@ zX@R}GsRwD3eMkn!8fTL|^rFv%UOqS0Dj)O0UHHwx(F;566g<2?0mAW9G*Llo?gts4 zVWIK7{Vfie1F6K%D;;>JX`}oZZ{9BlTSo*tx;mQSt#fbEHg}^(dik$crRtThF)Q)O zj@hS&=~SkOM2sRvrhtwR78=(c$dn|(^)7G4c#2XFce@s^!;47oZGr$n zF5UY$lO3=Rf#Y-rj#HL1&N+LCH~O%`d5SgN)2v2dpK)o51nI7(ZG{C`<;7K9q`j(l zHWHfecJoEKsf2SM*dyV5$$1E z(mY(S0s6cDfMtU-xu6HFRk-;Mo+eqVuoL-nQPyKu|Ld5@onK=qS%;Zufd$ferbnRo5df#cChUr!_q8mG~~^FkoZUq5=nu(4^_ z{fh!J=?B2TgEPZEyH+62_}4Qjtq~fU2kVLrw@lMJxB#u@fk1F|2bCn%t;qBSQ5RYl zo;Z=Xr5hh-Ng0H&K_Demci_X=b-LU&xHC+sf#@4yL!a zdW;mL%%sQ4Hp&D3L(aPX&rUP*-l6WOhhla(>}g_OCxJ|JBq~t!7~B=|7dt2(}vQ6A&F{YMO?9Umqvf>+4YRo1LwLpXQ?7&Se8}Vj!b=`zYwHMF>-`7q>Oz@v; zx}3M}zd!WQPe=W@I-&?s6k_^7F+3w9o=YP%F|>cG?2D7kuZ5OkZM)v88CJ5s zqYBph*Zl#@J+S*{VE2zs@N6c7I{YvM4hU zMD03emfJ24xVl90I#45W+LW6?Sn(_K-?EI+VI?quGU=iD3(1OZ25I^QZP6|oQKbF~ zxyy>VC(OzSe<+Qhk!|<0@5)O$LH{2swOQdzpy>XxvLY1<$V#TDLMLW$Zx-mz6@B2 zG$UBB%+k*C;)i4xL;icHvD?EHnN9=R+|s=Z@9Q9zRk7;q-j1{?POJ-QnC@V7DP_ zL+S#>suydVPWDj7#SDY4B}-w>IOO-SH(YGTh6yS9RQ53&`bC~|Yu%dKe)}jAtfvS_ z^1otx6I7gFY({b1pi`Gttj(1%Y)>*Le z`Df5MT8ZwE9`gZO3GU^bwD@hxTOhgI>}4&({$LS>xrykb%-M=ZBWHdMcbMR~vJHfB zongbUcj@V3^JM6P7=74MR9Gzf;b|75DGDt^@}B}tuLuy)k&=kCc%O9`GcskO&V>d= z)=MjPNIqK^vVq9d{byztHu6ldx^oyLT9x)d#=$B-#$pEzem_SW1dF^q+-q>vnIG2F zjujJP%g&rbt8W*QPbUov6|XCrr>+nB;O>BOc{PTzlzCnblPq>4kFz~C;MF?_OHU>g zdIT;mFwp^c8sAzFj0E{`B!DH{0HbQc_zLhrz|U$UbDWnNnV#_4yy?$i_J`FusC1>d zOp)EB2?l0*RO^@${}jCclpm@O5g`xlD{%p9g9azb_D$zq9=UH5~)S}Sz z9gRh{1K+>sJBra6Xe^a&R!X$N8T}|`skPj%A|dZmUK)XGXzk(&Kn-dUHyd97zMt_Y 
zq2Of<=>~qF;Pd%GWeU9~bks8<%IHvBKy}4|zl8^T7nPoJTMG9<9H_vh`oYYITC&Wo zQ7Vt$nl~iH6%kOQF~?Lwv>{dK&5otovM@T+H`u#0n^&UYjTzqPNWY>1U;bIvGR^K?Bhm<_K4(QcL7>e| zYJVEfRAu0bZg@#$x$IyaYwAi|a(cE6tcL>|8*ncPh;zxvQ6SFaK-s1W^YuLrVtL8= zan_H&fV#*7tia#RCNI}xavxNMRkHegu`Sg~WeQ+c;WQjd7~|J-4#79)=GB}kGhmnz z_coUkW^xpdS~!`IyFG@l$M&qa4xN29TWntPX`MP%I37AV?67WlI+mOL?veyp4sMxZ z_QJ`OUG8!NI#Db%6n0z`_H;s<#~t5-BvRF_;+XAetlvfq6AQOtB++3w?+z`JE2?P& zgV?6XLo#FBbVI6lx;m}J{of> z`*bfI&oqwfZ_IG%&4cgHgQt+l@VUr5NRa7kXE6w(M0V-51K|cJLA+0&TaLu}K1c$u zME7?zvm#!}a(zvjq>P&r^@66exH!m|Pf-cqgwFiTZZ(SM%jt?1?<`BMRC{$*5LobG zx{{R>S_an5DP>gEsk-ZL_iU<6n<~#QXE)Drz=X!b@@>PPQ*c=w8wTK9}-UR zTw-?eIK8QL$d?Ri_p~r{PWsvKJC3to!$VvgI^5d5b#d6Cl3+5zMoywoX88~_yvrT) zI$MZ;uWg|W;cu+IVmRtyJnEsEExhf{iSMw$$;Spjt1}^yLq#Z`UJc#la(qN-Nxu0< zZuhA#1U^KwAtgypt1|N;)N`Zz7Hfl1;aSHx+`Mp}^W3hRF*7S06&VUEyr+yR&3`Wz_R|J2@~uy5R68k=gJQ@NMgnVn?k`BZkQf2P0ro^q>#f5 zVMCv`FLyBS|MhG%Hu(rum)fL+x7* z_Fam%%44l&+3bp)k_~J=;VJ88Zc9VSM{maIhjQTI3UyY=by?Ww|0U%q1pk+m?-u?^ z%99BysoNFY$Q-v6nCPZb$(B*dXojgHrwF5=J<)NZQwaV;X5T7oAtV1rP%=S@u7xEr z76t=_>X^(*9R-QE_OlhaSzvP`{OkcX-%VqN1>_uno~?%Sc)F`f4^uJvpX7$a3`9GcJ!_KP6~JgQbuwGO@;<-%*0Qh zMT7pQ2sXjZ$c&UTJq_BML}JIv*_o@a_lpPZFPE#s3Vxw=)rIBy%=QjT>K8U|-scF0 z3)`!;@D$VKO?8=e%r`eT>#z-rCeGm_0~(D)(H@rD;qcm;OI}tcXT!vjZ0gb*ITPJ! 
zRfPqOd&Db=_h8$GUvMF@5#&Z%qI-G6fFhAIl+l5&vZp@&y07xA6HsbhX>(CwKDZLa z_F%W){%lCk&OJ{C&nPMa7L3P-L*hSa)Xp-uA!5F`aR=~i_2fOS;%>N!J_u=B31vko zFl0$4_<~m}OZ1a1MYuDr#>9pYxzD>(A1vn6EdC>{6u<1rQi1RYo8Wu(?8e+m*^Q_n ztRx8=I?kS`6lJHTg}KGfXVe$pVYb-w_sPS`VZl*kr<2Hy?~R-}Gve$0aHq=n`r2=r zX{(#d@yDO==s}n?IYQi1{qUx>qJR7Zjknd`f|-VjQU=ovC<672lbR3#jw(~^ez|cq z&W!y*LQs{h8x*4!=zq16u-bxZ(T$*aVxY^=VBR1uNngFlX}(v)9-zxVJkMtOp>b|y z`zpHMLJ;8@x2x!U;H|ebR)W}|f)v;Fk>M9P7&~Dj^#i%H|+NNM9 zk=_)qdW6qca!Pya)hGKXc?7AeW!uWrAp`s&-<_(u97$+543daSd){YLWDynMk-#+U;!1^nL&j-yi_^3H`mAgj_J?4|&l)21l2l3LA!W@wEJ zBWYW#2eybBPKvg*>{)p;%tH8JeqT!a&IE25w9*K`&1SQi$Q*{(oxMN=U zH>+YZjEPR*6<`lEl@POEfATEILc9`vXVSerwjQc(D1FW$*$YP;ea;Zx(?x*AlS6gq zOowHm-Kc#@3xQ?*o?*e&o+qlI*fd`H)xOmTWMACPZ|xWWGF30BlEgO&!QQFqDALb? ze3`7V{%8gYHB1$G>SRKp-5m>Ly`;$Rc)-sPBM!nKjs*tLm@(4WB8Q&qBb&~Ir%N?k zUd!eMdjKl)QA?cVjJT?vy9eL4q3(6YmBgE~h9Q3`zEf>|8p@WW%Dx+|30pd7?x2Tx z1uJ9cv^1L~^0N|VX||q4P1aGIPl?DldVWHU2@+_~HH^I9Da~%udkRzyEMii%A$E$) zNNYNhcZnpVS;(GL9c8ZWlL}{!4ie~HBMG`Hxm573t^n=``@R)nRzsKyOE9FCCGC13 zI!d(zi)%lrF1}MJBB|0)m3+5nmr0>KN)A#Y?}k}skvtAl6dIxW&n>Xr>a#>Chtu^^ zDc&gIlWu*&&l{4x(Vr};I4L60s%Y2|WR|fOa;{zcJw}P89F1;lgAnB1Vv4&ukfO3Z zkuqt84kZROvyAC2npXOPG`eYYe&L)<4@Y^9M16E|4Mj|QYFH5}_O0v`Lz%YjB6kIn zSm66i?RQy3C|eMTfivZDBqtV0c!C~lo9VZ!FWjpS*>eU_UKf>tQ>+Hij}-*}@#CX6 z#AEWP2Ei1>m_NQ3s;2IXObG5U;@=aYbYEf76Ayl7ml8Vi_BjUbUm`K{DEx10RyV!x zTm%E)23$`1F(bDkhh3i56$^TTaphHZ%VyT$@7&FE$%3w2I%!a~J8m%u&7W<5?G~hM zV-Z+1mb4m8b|ogC5%mN&q|4rQnE@$dDGmEU6!SwkYSmNFQ!D3;1wfaukO{z#S z%E}iUMGT803Tj0fK255l&vo=^D?#1ta@<(Z>ce9T%?D*1gZY1sXiGjIDo3(vQhN&} zA(NdC4U35{34D*6)e z7N*bl?Wex_IC(6w46*ZXZFR#hRNYldB3)8kw(VmhUDRW&Ldj-<6Y|NSyp7}8)~>9< z3IEV>!}5hH74-9{Gppi*ySj2Lk-9R*%ofOs)~o89nJhs|dm|k|mIa{}^j*-S@e#=i z|C7sROv?m)kD@OZZ51a6@F?-_;hb&EU=g~>?*lCxnW36B<3_8c9dpIpRJKX!i}P{5 z8sAioo5&l)(vsO`Jpvmw>SGs#!L!Ux)|)%mr-yBuC*7~Ji*#T4o^#N5eC~$aVOK8c z--LJ{Y?quicFS}@w6H*>`|IL%Q-$`b=HW1to(u2q_|wWC`KzDymNJ=MezYnlHIOsC z2=Hk>C#J#~h+=k!{{Z{jFa)9@A*!LB1MAG+f5iq@!}6*H=MR&)wzJgPu0${d 
zg8dgY2emA)1JPvtt9Co`i{fQW*OXL@_Gv`{Uv_Rcd~6%AlerHZ5*lJ8Y(khtXJC3> zT~eP09T9a0^K&OlK40_-W+2c5k#?oA2yf}oq@>GOFuDGtsIcL>6nH9c$ZcD z3Rw16pY~#+O_ePWO_quHA^NvrNI^$3O4U-a`I5jF=ZtnJOh%HZvTT?@&|;%;*|e^2 z0vc!j?%mt+3S!NHM;Wb8rNfJ!pQXdYVcYXU9Ucb)Vlwua9CZhLW=y~j)OMq(PU33e zdKWvQ`F2v<$JKK!Pp?V7d6 z4_M{Vc1vho)BJ4$V;e#R7Ow@Xxm1}Wl-o@RFg{9044HPLba1vQ6;!M&W10uNN4w>z zZw+S1zuD%NMRxW^WkrKWWaE!0$mV2=$31zA`aEjSVn9mLIv@bpvrqN&17oHx>L?gf zAknu%w$$F|J96?)ha*Bd&>F0Ol0`RIggN%@U6zrh-KvUf1&NrX#~E?)PKxcJYZV`J zpQK$g#uqmIpb6p1(+oR`yGB`7Bj?6W=v`u`Nvl8`ufdDbbqz=zz3LNHKctpwBch4? z&jBLNlTK`AeY}Fimq$zio zl~s&isLhwm>JHA4W@+nZ@z~T~39lt5G>1#_V}_mCoJlq(AXvygWFzE{eMz{T$Uj7{ zZ_t)>p_2D;q|w)T!;HTSg}eKx9M;GBk>$W^Y_uB37leg2@!psOhVlL9E&D11-LNMy z0qv2u&F8IBmT1D2ecyX`kx9R095=tyR5B-igWFiXy z_Ts-t=mh99N7Uni+Dx+)%elNV$s-mvAsxDzT^M>YDMYd6tI{b>tval(SLM~$m(DqD zxbph_Qi2!&34>>npg8vDViYJO&KBNYmT^Mlpyj)9gQuVI+JXC>Lfiz8e-~=1fB6>W3hD zjqkm5SAlyWK19ZsbxuEDe1%R{dx*>L89OZ5(jHh!I5j;QY#-kpJa|prqe6%no_#rm+<^a3DMHcw3!t^4XG+u9$2EvJT zXIH*8mv%)6%p=~$mSyT-Z3!==NmukVe{Yr0EbGu63F*+I0^hglA4i$v;82FJ$bI9V z{x+DTkx<_l5b5p?sr7wIVslxjzHCxJefDQUHc%NN-genC{D%0hsJG-npthv_166kR zqWDor^M;%Q_3Dw?(@YAj8XRXwN26*IR#vxpk28AO$Htgc=4}zp=6*Ot;v*jMZg;}iK+=s(iSt>R7j0bwHmgw2C%zf9IQY6ux8n{FRK)NNyT ziC867#&Ta4m#V4#X2Q+a$nA7r(^?lslao!;>OT!&WbqfMrMjBW_d~G8qVss)Qep#1 zOb7IbdiuO=1IU`LU&;0Ve0t~9m)865Wq3e@zKt236gi}tBBi}$wl`Ya;EE$Vzd;+G za$2efZXmA>rW7?P>Qo$FoE)O7Rva|9da{uVAlJD|A=l?^TgY3buldA&5R7F}`X)K& z(?Z}p5Z>``BZc+T`!1wI7G(P#hr1{CfN3~?|Q zqmU`*BD1gvWbL}&;bOa9_&OM`5-nqS&vl&gc}FsH^;)0U%hpSsUqz~#UhPIi{EfX_ zhL$(3VnSHo(#lj7h*vJgJZl3Cu90)HzHIyAH>p-`m{lr%29aDYh7)0(HQfW*i@J!j zkIekMg7H+_WRt_(_0VF6u2+b9l>TvS4o);R;A3j5fgJN@vzO!g{h`~> z?yDTklqLHPcr;pjMgIsj&B+0*^!~XZ{_mB{RQxBf?lJa5y5xgo8f!FcwZ@b)Vhn+cksi|Ixp!lMry1sNZ4Jwoc7DGZ-H*pL zl{FSCE^Xxp!9S(G*pBZlE7sj?-&qEdvD8$1O@2mS!hz^~;O*Q3mr-XgD4oo@4z|KZ z^B^aXEjS8p#7(Y7HXp%6d-)y4V#0%JKGHOrPxhe>d3;aV*5WFZXV`i!I|zZNbT*O% zH{;(JnYOMbn)hj(PAOi&8d`fjJTo*-#+-PUI|a{t4clIo!5~!Cym7@KYGz=Or`&0l 
z8_=m$A$=ZG_@hr3o?Q5_LL33qk>pqA`))P~W`IDP4KK~WEA!Ye`P^m<_lQsibgo{Q zhwdZ~0|BK&5z!xLK9MO{V};o{WOPz?lTx3tQx@F4G@Z~hO;~DEf{tb8a7K@5tYA$t z>lPaem6`gbr)x{F;wzR+Xd2zkCq4HFeA9nsSp{STOQ|#Tze2maS*TWsI=v zrC}m8p*eR%XH07n9Z~Gjaw90G^Ql2!ndb>5FcG`H&e1C6 zI?hhiPPl+omK7$E_iyHjVf8vvwOe)i_NORCE~DNBX|Ws)hTj#rogJ2{y-WHXNYcmt z;pZ}CZ_+&$i7&3;aw^+=?szr?BGFsx>ZWbgdyME(mjS!|j71y4(n99}b20`4yV}aQ z3V37Q_2+)S2&*NbeV;u7S@y=)`Leg=W3#^17bt4W0OPmfo86bjvav<3y=fd!y{Ef= zSL+q@Zb^cB$1v!wnY(hD5Rg+LFVyI@I|aHr)hWE59ts~-xZ{v|r{6ug_p1#O@UMy* zp(@)O{OT2+lXHnab3f194a7f98cox8D|VWpADXs28g#C)`uaS%jGDE#uNF0WjDi?E zG&Xu|@|9^^p+ib3*(_R!1vWg4JqMYHbEFLf%r&M~KmX><8-q!m@BW644`&F#P?X_e zmwVV8fsw>KxBES8wS*wlj?udy^bcnAZunZ58Bl{6XJC8hf%KSBt1v%0bk9QhE(ur! znt9eY`D@`^1%?)i%f-+6^ekJfduIntixQld$J?JDA5Nnn**BO@)37u0eOdUHLM&=I ztyGN?YF=E6{Nz}Jyo}n4*sLDcCK7Fu-S`$bZ1+>-_MaX>4 zjau6kM7LTaWrbd}ts)a60oIohlj%FYB(e`m>O2tRUO&yQE9L`T`PA|+WmxrQotZG;u|_UY zsW`2hB33sdSUb;ISOZ9COYZ2^3Eg}tkZkTPZM-)?5}emh@hLM2NmJldZHG3Dt<%=BvaNMW!EBv+VJ?t({UUN84S9?|isim4jxQD1800T#t zIB{qM5YFb{^f+yK%X@wTEvP>$&zss0b{A`2$vemgfZJ_5<2Bn$e(i~TYATsj5COgZ zYX?o1ELg5lcFU}(L9MA3Y@YLYEBq|B#u|o;^p{g~qyyFPgv}vQIkZ*;BsLfnRwN(> zIQbgD>q|~YzkHaX(Gc11rj@`IGdKoQ#0MQ%rIMS^d3To0D_4+91CT#ErccJQE%boo zT4L3v_gbsiv?152Ej4Z66IeA;8!7_di5m#!U+jeJ`4JQi@E%*aQ=Myucr-1(sXpu- z@y=6_nwurNt5e5wn^T?M_ud}8h`jt_f~(}wi0vfLuaWMstLlyhI;9b( zK!@k`$8gKa+G^U4Fj{L%jBz{vImOb%arSb9R$0kly~l!1^SI#}NCMBi^9b56$wf}3 zQ$>C|*D<`#)H>40kE(%{+Yug0Xi-nUl#GzBR|8bL_ydLtGW-{zAy~$C5c z>Yt&N>jsjJM^!wM`0>J`$w?-WqD91OznM+V>_N;79iY5U`O?fqzCp$}`V#kliVv;q zzc?E3(+g4j1`$C_E{G1%o9hm`Gviou&P3t7MHB6>a&~0@jQvj^%w>k?iHiw6=6CqO zJG}T$?t8ayc+6kzbk>;II`dOEqb6bvAr>CIY@4@J_*)=dhl36o(s<@~3zx2Y40yxo zYp)th4}(vGN(DKRY7m4UffTCRIKGlQoOkLlHH<79 z&E3t-`r^-j9S?u9P&Zj;N)ui*a&C?@s9Md&>Hx*XNrQDpu;p|ztw#wCbfR#-ZDbpI8^EmDGjD%<*)w;bhw!pBUl` z2Ve9*N{x*5^plWmyeOHnL16g;DK$1?=ba{=bI2s1J$*uuxFk-wX6H+D_`4-oZ|OIz z{tK%W7JgJmOVS1s!q)AMm~%d|Z^yQU<*V?H!Nf(8rif@h57J^iges3v=?$kzL81F; zb1=!)#@S<+j*0q@1a2BcZ4I60d9t+2kS19Vs=f1O%cJ3|y`g;@`c#$WwYg*6W4UW+ 
zOF#7@_I_y0m^!*_4rALsGw-WvlQQQ8+!}~^R7B4T0D`tnvyF(z05($nop;k}m|Vzy z?jYjJd4VuHSLsCA!J#Ajr{IWJitf&XsSsU`UVce?qQJrNl!W4P4Rb4cAb9Vj_7N(eXO_7ISMWBHii)?cEl+==d1A9t~qBdih6GF z(&cweW-D2>pc~Vh&hcCWjLs_+Z;B!2R&$_0B{82>x)Lkt>D%-nD!4Y=>`9`hFrSi= zaHS1nl_~4fq7WYgD=OGr&e(EqLFm{h9|2+~YV`MeC9U3S5bZ80^IO^=?9B3LOTH3( zO@**>E%)7-zS3NFZ(K7d%Ts8kT+2yVSyEDBq~e1+yY7^}IAyG0c07(LHI~Vg)QVSI zO+e}1)ctJs{sW}pkU!xV8?ltOe;SIUo3aXCKlMKCx!~D@`V`Ij11DW%D);f+k3I!~& zAesq-OhwS}n(K*+Dm*`Gj_*m;Clfbceq|@B#+2M*Wq-ms{<1UXt`j0YQY<@88%D902y4sbWKruNEu)@^Lxhh- zRqsWZ_B8sVC;@46`20EnIK3{WLyU;5sxSh^B)7uh#C7g=lImW_Mh=M3!lrjl6$usi|rK@;R+Yxua~A zf4OxBnwK?^$;l-Nh&z^wDAOXzCxu=(h0TAX6WlUGT8ID}1c}iCAPLnX@e{HQqyGdb zf@W8)F^63^LH!$uG!MNFF<)u&g+`*;gi&2DMigkZNI*1QMd2(2z9;K;#7OsMY?*+= ze0!Np`~{`7kXKRZs6|q?yf_G#4Yp{J*3M_FEh5 z=)Bfh)!8qpSaKci*^_+`m1w0ovlPXa3_8f`7sky{DXA1klXr=6cihzuI^dm}UiatLE2b^~n=cTx-sCAP!2 z68b5XXnq^8r>xdla>-=@2xeC*Vr}UY{v$Hh4+!u+@YF+L=T2Htx-U3Y z8J@_N6PD=`dOURP2H4Y1!4C&Vo=26-+dd^FwkHMqSnT&4Ek7sb3j!=Ij1=JhT7s3W zjj#;)AabVg)$0Wq)HHf7))y4LrL<*!R`xnos|wL6dSnkHEl| zs~b=)iOc1itzgz{?JHN4e`u2Bi1; z;D4tH$4f1|CGI^&-Z8M7M8+U%GRsGcI=-aA7xOv}ncv~zG64?6#k>S%DeZ`lXX0gi zP@RGIgWqKRet+z2wzn+ZHZ@&_nE~Zl4$vFH?&xsEj&;MfMI7DNLAtS|D2|ihUwsnt z-bL)UFWxl0K@Yy9YkDsjp}U};5%b*&(^%oZFd1ljz%UmBh0CVCP8(5{VM@c?PJe7g zwvH^_Efuf}b;@>N7bnp9>cB24V6TUWK@+FoB@LeR)#=El;Q*T=aw9^!i(kvF1By{C z|NPGG|LQ&!V>#-*{XU^OqlOyfkRVh)~+-X z|BOptV{Kh%k^jZggtEo||H@$|z)Pfw`Ak+_&j`@AOh1Sji!Cw1?Q+2OmPCS38UaAR z#Le&cuG<=YV|^aC7!ECoYH#eQ1)fK)R`1tRqcP3V6kf8IvW=qb0^l-OL@7U@c`^J6 zJ=lsq`6vfvlUnJ3FASH6j$&iG7BM~J ze9X)T)ECNrdE>wynSi9gs7FbXs}n{wR?I1O3C*F&kT4Aaj}LM$wlw`n2JiS#mW;s` zcCQ)Tn<8B-pTXczw`VU^JqxcG5B49h7>==)G~x%E``8dP7!mr+tiZwIn9&xuvka^6 z#39B;2y}R)4Oo)1tFijR&J^Ux6wW7?sV7yGg`whs3&0BURY-WZiqJ6>L->QHLd?W~ zWZ2pK1M%qcw1!zNYCNF4I2#oDzxt8pG;@9Jezc?PXx50CMZr%@;Foo^9XCyc$cj4z zHSo_$q--LLNL$u&veL?oNM3&n9cl_Pc_;@~zx=}H<@T9l`bcF!zT_BxTS?vNH64k* zq>T11IT5WuwX_ENCGsD@)HZ*Vr>lnUYip%I`28_3+SZ2_w3PXhB+>PcQAWA>s+CnH 
zXB8f~LiUJTZs!N4)Uf_Bf5KKODs+GoafT$8KH^+qb;g4oTOtI{?+9i516t_s?gl^l zXa=kcf&_u{lFVj+{J(jn#Zy#pZ4djmOhXR`W-d`m>cwxkPVVwy-v-u9f~;#5W9#14 zXBTaD&E4)nk5Oxwt~6mpIG;ksS!$=%0!o8SZkGy3m<-5$n zWj4?K!>KyAKE0?kAGT=VL%Z&9aun?Ug-^7Nz~Cqp?1rxsS>HkrFg`-PPzK~&aE7JG zO5&RcV%HRf7B^%iDwWj}r%wp{Up@2lrKj3;DrT@`%4GO10FxYSDBSFgvSj69=_A(L zK!f#KYGS7!3dL)tY_mGz^b>x({V;vAuiw>rM>nt2?er1>yb)%IPxmW1GuHnG@v)@O5yYd)e3r3B{s+`IUH%Oi>I3u&2>dl@YoiSJud%KKTDxxHHStw-QP>IUei8 zmd?#UiExp2|9DSAziTyX{xI2~*kh@O6LzX zIVkSQO9Pxc+^2A|p3m$Q~bA$ez4ol@0SN ziAXh5g%4`3#{m@Ka9y@V1{$MPVTZ5@Ti~7K6K1X%x~ugKouw9^V3<#l z>qL&KJ7>uu*;13;%cpLO`bM9z+Wi5N8fZY1d3`s6beQv?h}^X8d7pF{f*8BT5?;@7oJ*+R5 zOozYIIa1?3?sR7WB|p%Q zdi-k|SfzIp>i**y9)Sz@MnY(q#&4=oDm@xf>>ql;3z?YqZD*|lI7ke~0Y>qF47kn6 z5rsTXsxSw3IzlQ+SdcFtmq^E~((VoRP2qDpGCe$Sda z&-hCA3_o%|x}^1pb=Lpx8ASttnww9lA z!q2zC=JmPrHK~oH=rL2zSN3%er?-OQ&KemQhb_~&9846&;pOl+Ih?mKi%8J#IV0x% zn?%!voV(L|1-HKuW|@m+bbSWAh@}T8i~ke&E-Sgw>2rC}GDC7pH`?0+c>*-R}-mgtoURsS1j?zM=ipXZQwJsTzubr zS#SSh`-`BY<=NDeTa1Vo+n#>v^FBwMAPodWb-D&&VnDzbcz6IOIO6Aqtw=hh5Tgb| zl<^oWy-iQ5FdcUK=LtiN;6ONz(4hAyv90Stn0S>+m?*hme#ey5%|z9NG|FgHDPeJP zB+R@hJjeb0s!phV!=57QR*q+6ZEnV6B^V|ZM^6%iI74a%N((x*JbB)e|i1otU;5OlURa}oezQ88E_KXwq4bnIr2=C2RAgN(M6u1Y!PoK9uJ zJbk?#YMb3*ub=vd(lx%M1Q;5_M<;NCm%-*B;s>|^FTVJA;f5$g8T7Vk5Q?Xq*q`DP zvG%i?>7527zLPye>2tk9z-4)gXqHKl{3*L6#Fa0bl7Z$pqCjbxsNz-dcFpQO{B|an zO!a(oMw1}7d$JOuXYls%xc$U-v;KYq*-7ZTVy$ za9`de*l-GpdcLIPfBjXh(P;&8T=8T+@w52`K|c3Z_{PS4A>y8an|jk#vdk1GhwR=+ z&H-+EfumjO7~_PKPY1Ac>L^KLhL7+1Ewmr6ch?|fG#4I{>v{~N@ZcXE(#2y69ChOg zn1OWQ+0Ahx2Qy7aC=u)N=$XPZ=3|pwJz+RNF zzw%YE*$G0)xH)@*p<~74*rATENK0$Nzjk3xUVRq6j}!#LiX*gI&WeegF5Rq*19gAI z{}UcAw38j>1f#%LcNsi>2O)rXvv3>F-qjtkQz!vAqoE+;l8P_-!Mei#m%~=yW(n-E zW(&mCO!aYLK(nl6$lCt4d?M>|Fd|IqdoNr>bpZ$Qnb<@8Lr;T)#R@g}l4yP}_2 zPtW%4KQl#9tpmc^$ig4^XQI13bi8eQPdvJ+J>V2F){zRXH_pp;zwvfizdhbq60gq8 z==UqX8UuHpIgG5|+`XgjlLxIQd-GA+VdapxYAJ;v3L){*iJf3kiTvPWEj>wVtqH0i zG8IA;Kjj5*?M!=Or4x(13#v;d-tY-`+3<V6B;8z zs0o0K+AgGD*%FRCLqZfz?eR}gnQ#2iqF9%8gnrybxytRp$D;oTWjZO0nlUGWDmx^{ 
z9nl<`Bl+{PO1>0?y^3}zLb%7}=nRqy@9zHQNB2CdoTgFGvP3yzjYS;w*4|WSiM;vC zE6$SZUg9RCDwWwH#+<)&x9s!D?l9Ofk5{?5qM!UBet@qDy*#;F^3~GWS!-5~HJirl zG4~zS^CDYy$DV4JYY~DrOLr9UE5PB6)BZrj_v=>t7)`no)$9WdZXs?s3sg`8i3<*t z6}wROO?sZsKGJ-EA1x$%{v$CRe6;ev-JM66#t`L}$}r{B_>60ezS!jFAW1<>+-c-< z;6xSEWk*IqJZ%rVD8AqE!hX{F))n7z&Zb|Wsx#M0zt zp^yb{nO=o2s9{miwJPvfWN_DA3DfAG_>*fXnm{3+SwzIexcenyNv`J4;H@>;BBD zf3cmuwi|l+TNVa+@M(N;pbapUwQfqoj7YjFw*E7<3KQH5&6W7Hh1sfH{Bu6@QEXHC zn=#-Ux6m!f>@bgHd=Ynso29cxpnxniYWINp$B|(TOL+Tu!IoWvZOqfpQ*fmxIZ5+# zV_g_d-Mr0OYB6W1orBHDbPv1IYr>YNB!I{fcGjYyO}a)0}YFrf$k)KI(9 zHy<6518Qh2>u&%rxg(w(yHd>iq=oz2+l)2yyn=?L$j?frw4YUD8hu{aFk14FP_B?@ zxA|_4#eTX(wApPQC8S6r%i}6sleV-M!`F5fSQQoR*nrBeaLu21w1Un>xEi3DxKS+k zVuIx`$t9Onx(h>5^Jyhh8=*JQfQ7E*)G;hRGB?rj#STM01p72p;ywA%UEXJMPX_IC-_nw8_B7(p5R6R`N2kN zf!UhiaXY5U#)paS-~`5$T$vM;9|j6ATtF%iyUg2Zr#iLCJ~6Y+1{?YkH(GMjR?ZCb zL5l`8hRcjEpctG zBij?Z8EKpxn8GAI{b_iqS@O_eYx}wPqIGiX=>lr2WP56C_CsYN$cVdFaH`n3=fNd> zF9{^dNaN$@Jb#)ZVHoCqFVb@0Cvr+-O^^1rPt~s4rEgg}q`{NCqDzZqDhm-q+m7s{ z%R18p;~Ro#n#N7NAs=kfmSb6ioGkNlYxtznDz>}M^U56(hUjf}))rEH@BidDedF<* zJ1m1q*owOTE_KBmR|ZbKMe*>W%t`BX#Vh3(rA5@QPJu5rgy)z9?&>x0e6^{B|sLWGHpI({lW zUgk{GYeMo~`ih8Qceu=X=)>6ucUSq~S-+u*=&7!3wUW5J+U3z^7XNezytULKoP)#9 zST|Xl!a=$Eq`!wsr>Rd0|CHKZQ6p9}&dG!4DfF*bv328qns%3Xng)B7&6Lo#WVELi z_1z=@**soy%RnTi2v#}&L-~_!{%rtsivMG&HSn(FG5M|p9IF~JV79SP-T@1A*xs-Gf=_MUq2~VBDSk>E zCZQQ922Ef*YV~#0^QVn!8lgTp^fuX-juLOw1zS1>%pk|c82N1yc|go`7^_7m{_?5G z4g8H6>;Sw=tVDk45Y=71+lo!4q2I{cxCr}mi3c}jlF;c{XQbOwN}BeFIWZ=SmSk<1asHxN0%Jl4dN zdikF*0&VNPDR_t9HVcfg6>?F?FP7D8*h%WZkK+YKBKJccwRmWg^ZuBU9LO{eek114%9j3E&LPw(g@ zPsv7r8u;@Lc5>kB;e(4lG;QJ&5pT3+_DD`eNWgi-;?}F8qr%u)wa}h=V;~PSjvLyO zFQUd~XK))UGpPy)#wo&l>@+=*Z_L@pk4#F8>g*o0`pW&wVU8df@>P9+U{CK;{z%ti z5FQB`ruEFJK}#UwYu?^w2yal>y=-2NJerD~IP+fGV4YA(X#`s3i?%vSaL{Zr0&Y`` z&gQyApr#py`5&~yW()*eM4{2s!g}=gMl0QFeyrY%dmj!mix&ofW&T~g|N4>u&B4Qt z-W9XXUNQsnmUtUdvN8i%dP&Qj)+`Up5LF`sS#I8%2K*sCPAr2HV#W@%0^E}nBP@%+ zivAfl#<+uxQ$o+irss!q!v0kr&lk{f*{SEtUF7yDVcXN@?JAE)%UBcCWK4!N+={-i 
zqw}P<+L<9krC3ET4MlV>&1WH;x-nVW4+#C>`#Hj-6`el}6c*c#s@AQohf%+|6SX~t z$`v!lO0e}_?o=0^$@N-9Kgze>^kw}1h;b4~D-2YkS4o2n6;{BzM?>T+UyeWC`*!E* zt_-J`k#g&d0X(0 zh^ncARS6(5qKE~o}Xy2WLLCKp&c7PC!VG8d`_c2)X` zJZEms;6^kxid!kO?N*Zi8-k;XXHuU#1E`+J4D ze5$KM77^wrH>7gW03r$ij>sB^e`78pxWH;*=XoC<9p z&@L2x$4457Kdd&w4-(RV+zmn{`DZ8a%u2d_u870J<4p&Frp)T%6Q z%CmHh#O-;#O|U%2qMt^9T@^`<_=@W9pMeR^p})w!`0DQ^?5PePe%e zEC)t1qHkT1`KA&e*n+=B5)p=-oA8!AFFP|mCJ-4;GN&Xm^10@ilQeBus5TEi zb^5yTo%!8+*Kly7w%TiNE95Tx2M9LJbkTwu3%3UcopahM!$L^UUW+qWK7D<8d>{{v&U zB!F|dP8h8Bj8=>=>3^4Hr8_fA=wpPZCWf@b zoFt~7FkFJ4|ESN@&rm!{p(Bpy6!Wj;!) z?;GV1N6cy}eUBcbR~qrdp=dz9YX3lA!Dk7Td|O44|J=$OZ*X+?VkSsI(&(bOUwj2j zIciGn*`n;>XzEUC29r{_pZyPAb$avV>GYQXzFvZof}+NB82)Jt;Cl|ik8r&$aMKZk z%Zf_W{NRx-Leg#a`QGtF=69AemuQ{z8I$J9X#&OyJ8;~4RaLdJIt5Q>%BIV=}?q*R!)6BTYP85wd{67 zw!ZqPgwfR6W;wWiUf6Ve+trpv)j;^`6SbtyX?6sig|=zkm8L!i$*zRq7MM!}j8+Lt zmHl%`3?N}cGs(W}9C63+@7CeTSWX&j2}(2Qj+BiA79KCck#c~r+5i0_0lJM_EcRDw z;S(Xv?%a!9OqX%zYVfajY0Ht0#n+_0AdUmvLNm-|jZY_**}NWk5;WhoXLJYVZj5)` z3A1VA+~3!=D1TpWB)Plp@Y$yvLt4oYZ-%#Gr?>UQIL|{f3sVnf7UlsXviZBRyxBIw zc;q221#3HgbjoWFi7! 
z$*6cs?p`A?IYb!oL6_v4&O8yD_f^(hgrIXbJkTXPAbn7M)T!`iC53e`CQSP^^2 zm#XK^x-`I86AB*ajoxhgl^buA7Y^i_M3n@&-D1oIRMH(A>xI*>g++5hy$2attRz*F zv$*Q(=6Ev4)LpOb-LWcJBYd(DnpSDgihgtxQnA~Gz#fYHg?=#A9^@abR734a^IFPw zSja;3+`pF|ndACGZ9fVc=Oz@nb%Si&ZL;b1NsV5z;Wwr>jF}U~B<;iFMBD`Ac@x~9 z+t?$%B@G3xd+DASjkk5ylCN0!5Cyk}_6BS)aG;^2n3Zf<~S<~VwMo29y&9X1Me zbwFI%?mkSuPLsIo|A!pL&7#i1hN~%tn{QBJRz)8BPqoS2Rh&6gZgv1wu|y6odx#m8 ziU7k0K%;q%e`wAM8~_3kMAHkOvuOC`5zfg9+x5hCO5&Y8Rtq~jMaMTjegeYl9`4PP z0zWpHzQxFzbC~T`YF}-=mXiq9uO8E!;({2Aa`S?oj46AY=GnZV5?3~?xS=5qA|YJbYgL}BQQ^?%gFcLqHKnLKhX4rXx zecmQlE^lbyl?}lJ$mPdsyTJRLSR;b3BR=d)KlN!v(*UHkX$z&NxqJkBEgwb%-e4V< zU;@PbHXcM1S(k;MLpwwgI4>jc-fB^*7=6UC2_km>yv+@jjLyA!pQ@jf8)-PLU6;?= z%)75V?$_&X+dSMR4fY}h;99KMjiR38i|w7&4llAyZ`2xftlEE@DDv1otr8|uq`Z&( z5(FyCI9&-5d4W4hVvaMPXk5>OUo4Cy4p_jy2}x_dw~*H6gVFs$1d_*^$oMSq0QkH= z>O8**|GKTwQK8TZAjZzv+g+)UE{U1V1cq^KKUv(xzBx zA7FbDHyoRk+^fP=Twtz(a zOuWhfWcXwL)ub^H!+)Sc&QqO`mqWb}vbg+XH`YAkiL*M|w6zvMRk@|0&_R($CGBF{ zs(pNE?Kjn!$;CR8zEi8%M!kemAD$3h;tgd~8;;?)KX@MrWm3?9i)pYF4>9kA2w~8k zRlKqzAwzf&C?25sqTd~D?Xug13Q2MiqF|;jk+9l9E{-tribpU1#FKv8&Xr39nR{(K zna1FKVQT~#LI$6KZE>?PRjOX)DnoY||6+Qq+(L;PjrFHa%2yRR6LQ0|EpFXKqsAb* zho~#goRInk*ER6hnNh(AW!;_p2{GXkE0vR5o<-9N--WD|*RduF_I^;rIH4;~yDQiBa+` z335FW(XlHdgQ{ZwO-+Ppb3l?0WuubG^68G)Rr8`T&^n8Z-a#T`);N8zfC{AiKs$*rOB1<{rF&HP4_--AoEWN{$8wl_XY-lBr{bXyGhE~_UmSc+5X=n7kLz!^fd0*J756qw6-ST%iH*MprVL2s=C5KGUhSIZ` z;)aTWb$Ioy+89+}Kvq2i#YBDeFU=2@j07SdDH4iZ)DA?XlfIZ9L+d3m-q;FZr1GMZr(zhV@9c9%DoWa zRk}TPu`m!dt#+=YZAaHo?|4nLmW0 zn>aDcv-LcW25O0m&FzZHbamW5{46$4y`P|`AW*B4nE%}sdYNRp%EE`y=gN6AGqH|b zT2hwXAmsYh37?B^i|6dqnv=`4jSfr`&oxPuGn&}in8qYV(-A)ja%9K)E$ZT+JuU;Z zyY^lG-5vRjmruXCxtCo<2Q@8gd&3;Wt}Y}bW^okbd%;iV7egddD)bwC+;9{|I{807 z``A^yoxzA)P!Dw3XwTm>NLtmP91}nbjctu%OShHeaLDa%5(d;ryJqeDUd?U(P)mIy zrVkhDI0@bCMPcY#GEHe8oa{QvYN_A$aoeyvFLdcCo(kj&ZD4&Xz5g;LWNQ>Mz`&O| z8Lp7kY^J&zicipp&$_$Mo%qElgLcNugGt-6Z4#$;6MGSwB{(5CF& zNDDOJ76+?dNvH%lQ^r{k^}I*Aqa~VRXx)&#odPK0XIJ*0Zzuq@fWM*T?>7imH7Lad 
zj3C=|)H%*J*61~SozQ~%l5PwO1{~En@1kAj95KFsmOkNB=^&8IASkx#IyR8mFj`}4 z|H*fbZ=6Q*(_~iM1#9_NNx0M14R1@Q5q**|ymdB9qEIz7U>s*n&`kS_D!Q?-mn;#% zpvJEUxP+khUrI6G=VsS=rW(J2W0kK2<2cPcwBh)>>CzTo78k`ta>h!IHuDbo=4C45P`^C|NBUn{ zOd^i~CnqXFh~$O^p;$A1uHdRKenvj_VE(QT8i zREfZ3W<0y)1{8X+a0Q3(EDs&2wospjgeNJ9-r8!~;yeq;rYtpBS9e=E8P-%|DvP47 zAT}Tq^XGF`qo_H@>mjYHa;63qevogJnZKs)rzh95iPDnA?9kIky<>~Yf}~cqy4$hI zK_japv0dNNt?w-%q!E0>GSj%jDe=W7-v3C92_KRuLs=zE3u}Z19N>UODIoD2 z;H{@v=rc=ULrAhnVnH=7T zV>LQ_R6(=;3ZY`R{3|W+#2~It$5oP`=<|@|spH6+NnO~?hs3BC%MbeRLNBrBc=}3i z2u5!(9-5Hr)aIX`IJZ3@f>`Iaa!n^8L+q!}wQPgT8=i%l;E6{&7omcj#p^F?j@bVs z-?U$go7V{MS5uO|;-`of#GhpIcdhBivi8zz z@1Xt+XlGc10C_<|LLd3n;{J{nFn3)?qRYV!#x~H`sqzvcm|_#S`Cn-XpzNTMW zyJpai8JN_xV1+iH`ohXq*pu_kndlb}YP?@#x!p%?8B29x5#slvLMdkmuU=o}hQC-x z(-Tx9SqXgEv;9)ezh9^-)va)SnBRWATv2lX|LsP!dxiF>nt28~`8kiJ&Q1j>PG_DY zkDR0CBw2hH48k(s7{^y^LX?4t)yoiPz%0Gp3e@PK03@tJ#H+_ zH3+)5{H)>@VrA|6ohEp&y*#*UEGB@`rurmAHo-W9+F)Cd2kGwbVK?Sw+)YQF5A>0j z{{0V8mtSH1J#<~iJ)Mgm;vzvGqNSHv#0%fuMji4fJDj6$^BSb&B$sJtPGWO&MCd(2 zrv74S>5)6pW+dkXmyhv>HuS;eW6pN=`M>FUD3^E|#V%9pp&j`e3_@^f^_Q^M`~=#I zzUwO}1jy8wx6Nh`qZ1heuayx4c1`;Tn#=?xob<-@Xa`6s>DiKjL2(VD-?!YS6|v)3 z=i60`Rt%@7x#hl@~J(5(4B}(-&BYUu57Vo5bENLl)PK|9*FVCz?7A z`v-w1Cz4To^toZ8rs7FOoozV(^C{qrQY=>#f?uf3o;bVNwh4()@mQ@!)jtpYfSn|947Zrm@*3H~G8hbfCYVhf{c zFDJV=@DwO}>3Jzdn9}6fFGl})T2S)zPab30y8aGJchami#wE_ikXaB@S(dlU?}k%D zl|*F2-La~0S$+*((%Rh~=5UPGltWj(0KnxNAiOmO95TCm7%B#v%|O-^7nT)GKy{g3 z%o_CQR)@G5r($Ju)3axP;}%ipBVtB$&N7lO4KFr~t*!*JWB~8@`Crms3G!wA0Biiehgz3N;%CIEMC zXYq_Tq^3oE=2U2CNsqemS2_~iE*Hv5F<#iSz;L}&bg^5IdBp`T;V{YmD(=Mf?CQRp zU9*!KeQbMgkopi`-2@((Q0-F`avzzIkOH-Fi8SkJba-9k;3S{T18jcsZpxy44d6Fi zA;@;iooO7^BaUpg%+S+7RJ-Zza%`iX_N&G6x>q=*x#C6m365h4!Q1vD?9s~ka zuXRMW(LfZN2`et1~~PJV|?Sj$W&G8yv4dB@WYWU!j=`Teha^r1y)o&M{aofo>+9yq(!5d+(K z3>MrxW@CCh?jix7W$&`0Dv#l@O>gfY`e~TRYs-aJ==)5eh5A7hM@ARRm@CV&_1)wX zf9)EriT~GqGxTYeD42LioPq`W~%PSFn)HCZ`&H70K^?oHp-nW z@1b)jJ5$2%HfDY`o}0zATl%v-XA*g;(^9BIw-#n4tK{pqWE?Tz`P3P2ge6bv7W`%> zjX9%v&_B&M 
z=-u4s#&Rc&b*fwhz@cuZM}Wq;=Ogh*zh}U!LRB0`w8vVTi}!)(k5@kpozx}rO=Ih( zWbxyyzs&%Jj{b74V!2gRkToC-k7P!p@4AWA&BXbn2whQUK?{QxoF7TF5YGbuHG%)W z(^yF+av@YRV}YrVd44)HAh(9f7ux;m>C=V|!Ne_WW6dAU4hvYxtx})`P+7vmf-Qo# zM%P`M3vaM}O&k%ZTZ1DJurT)5EDFZRg|Lw23*yA!hA@jVLS6d~fkkCnf}B@;0>i28 zf9wI1Frg^7ajMBM*O&f-==NXN*X><5u*Hbw^bZTKisJwSrP_+(mh9jLu(hm8uLGBm zd)eF>SDs>tBz8*vd6m3Cr%Un2-4bF*t2iS#UQKuUb( zXsB7ER`9EmkM{nZExCt|_OYmXZ3bnRC-NSHpnqv7^ce8-Sia3C#5x}KEmBhjQY+YF zG+oKqpWGc1SsV*leYL~-HrccM(SEW${QRQrTA=!6-&2jDXbC|kcxBy};#gzQu&hz* zTx4=MnzUp*ba{GOFR9AVI!f!a@K;!MJ~F_E)NCK&Yj-L**`U&kGZ~8Ct#q@81gthg zBOD_YElOW-iLS=su5xCa#<;W@BL=Sb{2bY)t}Jv!amV#hs5(Xe7-Iw*{Qspdcr2BS zriEXQkMjn+4P4<2azsCA!yxT)Rr(9Nz-yUA{aF~W3MdU;()TFF9;90qIN(Zo_Y6z< zx8a&Jocm-x#Or+9ED@DFG7V5E$2oWnQ-mDh@uu(MQcLiFp60KbwmZM`MJq25N9qbwRAR zjR-nM))`m%Fylhtgz(9*ac;{-B9chk4f}3Nq2^SwPB2&5aU0Zl;{sfDd7uTZQkFZf zw`8Jx>{{wa&&;iKwj1`G;g3?&x>Md>8A#jnB9UtGT-U*GZ-60amMQoHT@#r5pl7O< zuM$W7YalDADeNX4UDdxB;!6n(=IY7o_A9L0s>AEV=Wn!5;iI?KdMetYVd`7Z!5iX? zI6nAuBCKx5Ykrre#ms}X`@cV$fDCp@OWOJo2*!}|kwXG4Y!)b*<1H1osN#LIbYJW_ zsxc)3Ziw*~LJhyW<`oaW*o)jE4y!##t&2ylYW!A&*-}=GTIwQO#TfBICJ(jqiS|aV zUbdIH`_9)q6#&%))3foEC}`QIjJ5k6WAA6T5PYYmq%yRJ!%DJQhOE`Z^A zo|te3Ipipr2bq zv$~+_Vr#XQz3(z(#3VTZ7t3kn^2G0l`u?msWmWLJUHx}s{9-DvH3DrFRa=c=q`5`K z;iDNtBtGjHg%In91e!X+dR-IA=Qg}s4gDO}meFL`QsJ16>5nim)t(T9Oaqg}IKwj>8Hv7M4VaH73-WVT$e?c}(Lao2+&({QY;1!85f|YXTlCvL_9eT!tkOu&UqZ)V zFCPnmj^TYRBRngNrbWepO`g0(O();ZA zecwN%qaAQ&>HJ*CIQ5tAt?~7&zzXQVFX7Ygf$P zbzMK9uCE^N3w*=VCJ0GKr1bCX%gR78HG(=ng3=lWg+kdBCNyDR^3zFOzaYXSzQLzY zT8P>aBia6=m!5V-x!?nE-)8qScc2FMgGD*9Qk=Jbj)_V2COJlvE93JI16l`5K~17s zjYT2sSdN*dT2X&_5k1k2KeftUa}T+ud?1{n%CPTx%lvTcJd&My{YT!l=!qaHn#rIW z7Mjc-<^zPG6^@g#yNsZ&b<9o|#3>7OgOvx+jiOkUl}U|(m~Vl)C)Y*-_ri8(T{w$~ z)jdFbyr*j8@|Wp*;!65xmXj;SvT=QFH|NQ$m{h2+l+u?|)y)m-2k9#}KOPCD1L?@} zRDMlz1JZ%Y#JdJegYP)Kju8+ZfYdh)lRc(Qf>eSGA)kzGCW#`+2l2@s=nRv_=F6mP zK$bPSZVsxN>WySf&yBj08&G{+MbU8vDB6`6B|tfcy~##7knFy@$#s%fC>E}lpo<=; zYCdqDA0Ee=2C(3yf*#fg!)W^V|miq36bkpxJ&aB#1 
zYIJI5RFYbKP)EL{hbEVo5)OBgXMLJ`_@466;BrA6ddqQ@@t zd8floEms?%Kz}|rqL5C3z@i#1+@Gek>+voI%hquIkV-1z8wi!I#%XF!ZBG(IOH&Wz zo{GewLOaKonrgfXuJb&pt2SLX@;;*$3LFh4H1BrZyJq~AL#D(Dx`PpvrE6r3XWXeW z!d77$Bk`pqErZUt0-P0X1;WVLx}9wW%zs!?nDY)N>cu3w#5%*p{{n>ZqX^&>Z+_76 zD@S2SU-EjJV0mCa{Q2QmwnTaCw1MU)=*jJJv(Et&I7C>QMgbES)H+j3$XgS?ugvK7 zmf-@1JQ*W)rtrA2*G2wGf`&iQ<>71!x|@GFNE0fOm3QY6d2|%dCiX#7;JwWGB9YcN zlY%NamGiGWQ<7X{L8Mk>0b3zs@+4QmioHu^-i7wMk)jHlfdCPrFRv6du0;r+3!NGg zsoN*m*J5qkinS@V*!5Cr25#=yL+FK<_a&7ynCu?{+XAW1l2pSBKWKJho(dF|J9Cx?bCH#bO2 z0>$g7CPt*{IL%vI5lB`UsuS;^qxMWj54LHNLm}*vi<^&61!!XNmKh70$rp#t#jOYm zNy(AiyT!jAOSl9upN;R9u`R?J-i@~|-iQj)zI%Pm#-j=g+{Tx)r|W-s7I2tz%2YNm zKrE+X$ee^e#sBmpZ$>CoXQP0!%OBaTt#)lEbRYH7N!Iv%1; ze}|iqoW_YrSSQ_z`LIF+ie>ehM2q8^cLC7Ku5CODBstZTF5IvMvf45MUcyeMWY2$z zN!7)qpMZ;{j@oLk^Z%BO?Nz$ja&{Zb7Xk9+-z-P@!ucXeC@r!%44 zpfbr~!8D@hvaOi&MGkZd$=(e;ywFG^opZ5@k>T|)pt<%G{ly%a%) zTOdOyhQ|p=CxG;Q4%4;Xa) z{W)C$!D~pffDsOq;8tn!aQ1RutF*l2a*oYY)3&FTE2~r1V6zh_?okdd-_s8cx)4$@ zA%D%yp2c0maEEfU^}7^r!Pg5rAm8-OsNC!yqW)jS1LRyWi$$)Y2idPmjlmpbC)_F2 zcMP!S=3jq>8oG2R&v6-w8b(gle*D>vD-i*1yf(yp0aYdrHC53Ryx zJ<&K3J7aZzwk~7ua~l*d0qwO3Wv#@qHt+hKALV+PlN$a9b%gK7CH{>2?cp{|YUL^3 zx8CgihpV{L5$;#Z@$!wPM??0&O=;;1+u)62l2$)7%h&CQ2aU3m8;8qdYj~>9%AV?) z1uEBm_9N-O0Mb{+FWOb`-CE8!x_t+1pAhQi=cuI3+xqYPcI+|Gt2=@@vg| zW~E!%qgnaeW$h7-!K1=g_tiL3;tn<$2B-D#fp&0mDGwM5auNC0T|kC9VT!CEzdVAJ zn`JI3L)kRVtDSQKa(ZS-1OkSEd$1XZ>%wPn?`aEM`bIs4++G^E%%KQBS_({`-{=33 zkolI(rmE}4+}Nr`kAQazw=p5=@s9AXTIVHP+QzO&7AiO5xd`#F?6O^2dj)0i5`a{5 z?GlMM1aBi>WedinFXV?Bl?>$!7V(>O3ef_$02karihd9i$5cw714lQT=4+WQhdaRp z8`31}PnF`fdv%=B1;zTF{ ziL1J%FD9+dG5%ggOgcDEHFN!du!eRoeb3FX!g9^2G_tEEF@WNut{1l|4dff$*ZqC)4kNdC_`nj{qgIZ4n9>63 zkip7%#m8fvmR55ZJ3K|FQMS!8jg?)d#T7fNc9?EYipLvZ>xrxD`OfO`tFxTNqn4hl zyC=R&q09~4;j`8XxDSFr$f?XpajnDpqH;cAkx4ODIJ7TxNDEEo$C7cym-I~oQpc{? 
z@+G<>3T++3#|IO5AuF4I8OnJq`D`U={wtEnGoO>Cq|EYklJZ!(uGw^3E7N&3tU$0q z?5d}AZg~&Kx3|OR;z_uZgi@6&5~}CYa`pmk&90E-!)oz0pdq&#GsI|@rR2*<)F8>4 z26x>&KdF%3{g6$U#sZZT%GMTp!^5dBw8hK-nec`oLs|6vrj|58<4EW~L ztQ~>7vruL8TlvsJh79}vU$1KkFi^JRzb{=uDGMrj3k=udMv$)Dm` zwo&_tATv=aY|vr}g6&;kLKElxe^$~<1}n`G1gEA(f4OD?*;vqN8OJ1nwM4>mGMWER zOJu%&w(7i!Z(o#^Co+XKa!7wC;E>lIy@n{Op#RQqAR{eYCX1K-c$<7>X%8k^=;&$2}IM9?f zSfNQxKP<>6ZwTZdP2$`XqG)n}l2uoZm@tXP@Pw5ESEH&vg2BRkXp=U-J|iK7MQ zbCacU=lhC3t1{7Hq1wCxQ{r=VnOHc{U@+=pFTqAshSa_09Qh|39+W~>bjUoEf4sLEeTa&tD?q& zwlxpH{A&|-Be2%c4aIKQ|I->Gycv2Cu^AB_&L8%`*fwugM?;G*kR3e{VqlZ#>nQQm zKIfK8D8Fo1id{?}F*~%2b4TqLOEguukeyD6p-hOno|DUQ!lF1fcYBwQ*DJq({f|9% zz^bD9FlviMAqY)P`SuN)ljhVoBu|;>|q7F z^d4x^7E|Wxu~?@7d zihwjIg@Gx_Y!=(3m|bZ2+_-f8bC{!Zc%hxns3BoHBJGzD+I+WNmrpl!U%fYG!{C$u zu4~rH9~lp9%ztIR|7@nKyi$0~7u?(9Y3D}XR~Odlcg5BDe^u@8zjquItRYtDsz7tl z{rwe8kj-j5s)#MFuXAu^a;Ex}%BMz|yH>QrlBvR4qY76-{JW6~t&pQ+seEU#bwMTJ z)U(ay((`cneTX1#28PMDh* z)x6q%GMAkJX^y3hj=N%A$KoI|p_#A}9)|^}=%Dgmac{UtO3EhZk&2lh1t459DS1xl zY<^^W11baeiI#2<1?nY|rChPPdIB^)PHrDl2A-iTWBB~Jm|Kin^VlLT6zV~IS;NH0 zSf2COZ@7EEc}k7noFFwIbiB{@qh+pRTwNoiG&iY;fevoTZkgSeL&BEZ*BJ)yhLxM3 z5v_teXXSr7dscjKosQW`qMa!7H0-acZB^B~+*94ztkDnkRZj{}!fZ$Qxq2Ekp7q14 zarbdgr%hIYPTw>R2R0y|SOs$ySDlG@p0K->ihj&5r@t~k5L&X-3iXyg5;mcX}o)LgZ$ z=s!$J7rUz5YAdQUq(=|< zp0$$-A+(XIWZ?+hb^T=Yf5e$s_^ZjR$S1I~-mzS(bV$%->Q`99?R_GMF6g@}>K!DB z9JNo%vC1q!GYdx&k&yX6v80c#1%=OD(sD67Tl&v?h`omrj>h#*dB=*^?R&si2qJ}n z1x;;NWW0pq2&!D*k4x0M`d%@$LgS8YCNRTgHD2ah*f zQN(R;Y3LP{eC{2V{*rdhYuXp~D>Q4Td|rC|ljaE*?RM3rngN8dRx5IntUJ7tFE!Pj z)9KGf9QgZ#c@ooioG;P|Igf2s=E1!1SMW-bPXiq-Qg)7ctEa@*g}5|~Jd|jZ=bg+X zg=vALqp*tg-ajGL7FEG210$aSQ=uXMyPSbZ0P.Kl$B!kmK_jPN95i+}Z+S6#DJ zh(k0C)D#hzy9d_pRWwGJNrx(tV$>wuKFD_}Vj-?pS`mvBe$#iJUDRpt0&a48KrMDc z!!c&8RhRGYOIr9#<@x_pcAlbyqDfi|wzo<34!M5*qV9}LGPKKjz#i(=opc&AWz?{{ zD;ZC7<(wKW_aExv%tDUtF`;lzGBfUGy^HpreOqNI@C}=fDK=m7%kCNo@e(P2Nhll8 zW%`nhZrGcerv|ZXaQ!j4GPY;K4iJL*TalJPF6mng_E5IJ#gSQF{I1L|MtHN3L2UTkj-D|iRW_X 
zu`;nr*%DZpOaOV1Pd6`SF#G%*q?<)9$_({TQ&jN=WTtBpf_J|zR!I|-b8`Ti|CkVQV0HO( zm$44`OdCvvC!}=dGXd5U;v`OCvz1KOq;K(9b9DN-OQX^WKkye6hDOj>Sm(}NQP-Cx zg`wsAQ#5WR>vRuCK1f57=*PLgXx6a>u*hHhvNmnAeE2SXx=SCFt^a*CLE|H02?xYg zw=*@%()~CmUzZYJ=-jC8$@#^YO|X)4Y&Wu&m~hr+eFUi9ZmKq3HlzjtX}9SA9rSlM z^`?)3Hq&IoWH83{OIr}|39IEkufMe}8|sig%$dwVM)FfNrD~}07P5Mrjp_|Pz$cDlY7x#KebFsAnvx0`80zGk0D%HlyBy7+$-iPa#C z8?XTUYsAa1GK|p5Yv!Say|lBDLyQLRYKDt@`la_b*f-4akd* zf*r${XBOlS0uAbpc8dfuw6{Ye9!U_N=;hSJC`ITDlt3@%m=K@7_H^dN1j`>U*H;iW zYQ#l;Bq+KdTJZqDT#iVq>K1lP3{YtRS(DC2`js}*3ggR8GUYH)BYxAe31BSmmTyKR zm4d=l+xdD3d?qTBPQ`t!{*F^h# z4PEX%$^>ZDW@MD&UvTg!(>l9a&e7&-#Am>)bbHZX^C>lsl42nToKH!@I*<$d#b7nX zv~z6!_?RA?-s7^uG{QMj#51gtGAJJD=YPW2;*YG}rRk*m2UQF{UQyFzXXMjNk{ipP z7}NVkPOU%(*#t!Dvnb+erj_RryuFHf$ek3zQpL-acq-PO%t(=O_YaqMA12e~{r*3u zt^z8`t!sdalZ+P3YU z;YI%m^HpFNDdKB6sfn@ZE8Z8tX`KV+4mWo#WI%4QI`7ZKgU%yHyko(G4jhN9{*n?_ z2ou?l0vbL=MUix<+{oSv_+Hl}p8;s>-YKRf>ODTVbS#hTCu|X#2P;im!Fs+84K3UD z4qmF(3!GVzBUm)lH~I_Z<6?SEvw3vRvfvl``%Wz!%0OdY3rDrxsNg&kY7o1{V)=C(H^SE5kC$Dy>6|9l zi!8~3?0U_tkn_}LccHTD=T=UesO^M_F4yptqv<38;ybp*{aS*!>f%K{ULf{#iNE6T zkm5HZG}uW8K+1w-7IAltwx2~~z>iHg^5SZF&3x`unQ}Vyp7n@L(x?ThSog#~uAZ1O zLqadh{2h=e-S&=N0z{THjTmx0{;IbnpG+S)R~@mCO;5{Pdm1ij(Fqn^inLIfC%w!BjTuu(EqlOd_Y_Wi zqPk^e&6yO-zHDLHMv0=9%Ft}tbrWyY)aKFDN-s{z^`c#y63>1SJeRYdD7hX= zXtrkC(bO!I;)b$h;~asE1;|GoEfuwyHaxFg*J~>36WTTy$)>+{3UV?I11XhclXF9> zQUDO&*w~*~O&G3;97rcl2mTF}FSw=aIEzZicZy1ozEJ6E=~|B)eH}#m zg$+GOW>3@LVPQkE_T*P3mb3kXOTCH6q-DU}^$G8`NjL6jE-`HS2WkH*5+9?F^&X7Yj`PXIyQAp_q=3! 
z$~lGG=}MB~&HXwrB6iVbEl(4$Z=L_)i-p{a*NUwbSt(@`ny{OUl5Mw{JdC3*om?k?cT2HxoSW z?hOAx%bWx1J39E;^V*n>QOG@=bsQYYvedNTKh96vhgeSZ`pPWcL~9VN90m&j&xJDH zNL6uVIgMBPEIEelKi&Aa60#6P9gbkwwk6lG%6?%rt^@b%2p zWmYbNhncR3oYJt1qQTl{J-{N&UoUgJ*Jb@VY`#2Rzgdc03R|*Vf=EiMTvnMP-WPINQSULdMYP#Asq*}5&14kh3HIo35Hj+uHcDH$6%{yvn5Z4ut;N4wx0|33$LBc7EQ8 zTO>yvYACyhmE5N%j@>7e*hl4d)3RTf39Jn2v1%~uv8fkN%%(91O`J(4it&$cXsJ!1 zU*JG%31x)-?KGYcL>Z4QY3TNJWOaPgeP8((KII68V0{dpn$*+!iV}oszzYetcQD9A z`FPwi2s_^kS`{=Bs+4jO)+JS$Vm^n7d8at>t}jgJk3fk8{|kLaT6n*qPFBDYDbed) zGh^dyZtl;*#k@67ym*o)Bkh^`cp2?@sERJb*XagPsWuwGCD3q>iM+5cq>l!p+E|QW z|Ff8`JwBh%0hStcVwVpVZ*O~_E#WvgVK61iWkDy6#iAT!gGm9j5*8w(Wi zGH)*~1N_N~Ugp2^CWp*hdT)y(fb{p=gD)-7Hxkjk=7yPdSdkDw1|%qs_P))I^BT=B zWATW=;yMf1i=!?jlTeRv}KMM2|TyJn)lhR%uqc@w=6MJ$Uzz zl^L=*Zc^kJ>e{3jvEs(&2rBmWI*>4Tt!WFS@9_3H%$WfRHy|HquDK-MD2JFzQPr?h zQ74&b1qX`DgvLD&a?sQPWFjq6*>#B*&WW$kf#T1mo^LZ)on;=aZ z+R=7fJeRb@!se7HEb2>e?@+li!$Dab;t)=Q0=UA%;PY(So*@6mXQ-vEVimt z*#tX5BR97Hm>T)}e*kC-`op>&%7+}yeBMi`fQY8YA!d}q^;>~_-8X$--d)zrE)hf& zbo^ESCfs!k-mW9^nCwrgHnAXWu~_@*gwkQR;cT+Q>`xcWRu7(dgdZW-)BlrJj4bg8 zh24A>2`fybzHY;y$u8%xO7Be_`Sezfc6y#o!I_df+WT7-U_}JRVMM*d3+->t>;9x5Gh6GE1`4&cceE*zaYT9%dqg<-b%Dj`A`T2M4DOhoAgmG+XAFRke+azzp z><^Wjw8X`#YH!l*mb9453XftO;OkezzD!G!(ir8*(ijEegX1u8l|e#lXL`d&iygf4 zxgNg^Dzm`J&998__fzugSucgZO#-MyU|oAGI!ckBr7#JgT_?+&gjdV|UUcx0g}zjD zu;J(lxO1U5$xmDTDL+}|aj>5d#QY-bGuw<_X_Jj=if6Kh?V=& z8z)+&bVV&aLAPa+hL!&5-nP>V@!#;3WIIUVC3Q7@gH^m)VoTaZx+JP2U_UuPy8e{E z5MFR^&x^C=I&N}~%aDD9tP>A|`SCA2|Hj~e;;Fqs79Gw&j3(B zWNx}XDK6>mdMTZzuUrW-=Es+%X|s}uS67HfDA4P%HXPRERY^+9uaY^|wApOZ8e<|FB|%f;yq`4og66Co(Nz+Mr?yiI4@ z2t_0|cJNLd+gV2!A3@sF7kxW|Sldo5Wk9s_; zuEsVLQjY9D*09Uu&7^Z1^)I+ZccGu}PN#x9r1qjOJBVpL6t+QLlcDqLw)LkxnCs+I zpx>*;0PWX*0mPm(a*{C~!vK6k?(wC>FjFh%zE*D_jmESqKBfu9gm!-8rw42=X5^&* zq_PRkFwpi+Tew!nIkG~=QdH+@^wk~gZvjH*ih?W8$&y`EhXXvcg``YpvqFDfpw8Z< zKs=#`xZ{y+yV~L?hohT7^Ko8B$oF6N&2)II-#Y&84KA!KGjfVCwE08=O!Qs<7cJBA zj||Fu%2u`D2`MqLm^u@r`#>Sg7qIu3@|9x#^BY-+N?&_cbjuX(uMAyss`9*dVcF@^ 
zB_gg}onF&LuxO%hMyEivIxKlOGWKLW=Q{VS_r+^NyOeOXqb0Auy;HE9izC1=oEt;U zQEJC!;u7ZjS!-Yp;ClTxc3DcuL>U7K2jCrY89|@UTFksDka`yz^ywLSD8iU0#5WaR zt6i|jM7>A`v>reRkqnn`?NVXuL;BSatyPxh&;Mk!iAN8x=Y%Wr?ans(u1YR6NGcS`@!-p331x0(H8N4^r7OxVrK+x>qj_qqM+T9;7$+U8 zfmn4#Zy3Zl-}@*TC_a*u`|cfRdAl&0Q;@xo%|Lg!Ef3J~c-og8jQJ+=QGy_BVl_QcU zKKj#Ohr3PhLYdJm4Ei!Kblt=M>ycQlWp82*N=`pQa%=Fllutm@V|qr);bH8+T32u; zZo1^hg;YwFa0AS>j(nN9U8o#cSUzEjBd@P2+wCbG*~v6bWuekXqS2Js{F5!2Vr~{a zCmU260Iz@4L<~8TbHGgOHUEG|!j?uVsFby65sBP6Y3`CP{9I)WVUqdviDb~~i}Es* z0p)+k-IsJwLNHX>ryw!)n5Jc9GVc%7yQg)XTe<>i#D`Rq_d6>pcLoLY?4_l^%Txi% zE3eV=MH{dEnqxC`ZS_b*)H2tt4mZTV2=T|5b{BCb*T6bRdI0p3)M43yS|i07VI7?j zxKkZGL8Y+BohW>sNKhawKG#r97|NsebWGUVje_7C6k3(QLxGT zpmUa|IhzC`IorHBmrR>$a{k@uhRaXqP`??6ixo%=ePQBgo{K+^ow-s`k_l-aRFyPD z73ZZAwbV-^mDCUwnWxD~Z9t_|j;q(W6sj*~^2bWJcmo>t)XNtgCFb$3D16bA+81rm ztcuJO4Nq;`c?jn!{HuI!ob5SN(xzOy09BLzpHp*Yuuq}bJM|H;5$Y5H>d!9L@*{HM z1|Ho2LM7QzF4bAJ8EL3P@8wN&g5;n^;&o%cYD|1%rt&D0`stkroYBM*nZ=(K`q#j_?fy7ZfmFk}#=w2pH== z=9ZLHx+XRppJ5qVjAftd&^`vx|8GiWm_NxV1%tNl4xB@!Gu{WUm`-gDY; zyR<0E{B*ZlaCur$FhfzpbClo)z-3sT_Vu~$5)2N}1*doGqGDDSXlQOTj-UJB4CHlm zX2tO0z5DhzGS}h-i8~-iZa}jto#gg=#8gR%<<+TYsS~Jjg`;gWz%}2>a9t;(lm2z%wrb3+c9$|z+F54YVZUcE_`+uY5uzpY?{*^ zrZ=U?yQeXmqcdJ9zOb(`{mM2u#oPng;+5I4&hpri!!9}Lt0fH>OrmFfk?RzdhzgBL z`@kJQJq$$R!=h_EDwRs8rlD5i8=?s>#kQaCd%P#*qTqf}87>Q9r;RaE?u=Ek?DQng zT^N!->7uM(GRzuluO;kxiyvIH8{HPC+UaB@^5G&247%JwkLHB6J3-#8`?YGx;S984 zt;tLzb~tNJEgZ=wz0*Eg>2|KJ!EP~x=cH502A;5!q|bA^>aO_|Wf7D1LyQcP;Fn6x z42VMLv?V-EEs+}IwI-b`89iU4hMDO9+q?`+O)_5``ZHutjKh}h3`Y0?JNfKyrval~ zw$1!U2cc<>(`)t84?qSpc=gMl!*I?<2S4=J-iZG#8VUh#zQm3RL7$Su%eW^Z<~NZV zEXX00AR0(H^tbFY_vAoZ`x>mhc|j}w6x|Y!bZhJQsH6+-q5isWV^@T*j+oMN(Ftk= z7A9F1!Q+Vw;~*waz(|H64;^a3(eg$N)?(o99Dnn@W;Rc`Kr)*LSe2f85qLB;{H`s* zNq{}Jw@W+)>_AX*+Q!Av^x4(YsvYz2cWtYd=g!ssH^`lR{EGwG>b!;P%NtBwpAQ^S zfTqEnZtTX6#5?+<#8f6Fdp$8_85TEHahZB;_bCi|Fj>2DXZmZ+`ZW}j@{cYI zw0-R7rp2iTYGvlpOLz{ZoaGj?m=FwNBzz03sinHX!O75xRLi~c&9y-e4SgHWzoj&YP_o)(RW zhpdqseGFORU?)^@ryQ^W_BL)tz1WXrOf`8Oa> 
zZ!)xrfrU~!?3;O(_t7i_q60JD6ZiSoHcy_~n)&R=%@NDEn?HyHjLd8fb7p0a&BnZU zZ845dCsV}$cdz~b!Zw@XHY}hwHT+ecoyk};gMpNVucO9B>A?hWfNcM+ZWDrNCud)S z7+>aJ%4eVlnZJd5P;I7G-8TM=4`lvUm?(InO>KqtM`1*BGH+e%e3kB9GR9wU#W z@)jcAgBXZMJ5vzHJlXVL+1Bmp3DW>LMFOMX>N|cTKUdA*m^hX7zvO@TnXGbQk!w5{ z8-^S4*<@(2fhze^lgvqrvdz}YFGc|8n-{n5kNG9vO-($}%zG}GY4ef!(eamMa7 zMvNH1f~M%2q>EKd*eR!D8!)@f6pbM-9i9+2)>twr6L?bp#)SU@smoLJnR`HImAqZ5 zV|m6INf@`~2=fGg|w&FL2`W>XbE#*M>b2yi9?Cwb*q`L3FVuvkx>O8rnkXk-~{2f;hil zuUXWIKL%h+Ar7x8phfEt%B=nTTb^ygi{pf$ut)UkUJbjpPqt5thqQ?H$uR9>LFM5S z>K7UW*Xb)g!0vDVE0!C$wEBpQ_kl^!T zr4@L(*w{8OP)+^3xI4M9vCE1*7#u;n09*%79aG6{D4+!rVaseh&wv{dlM9Bz0nx92 zV5qvZn$?I#_QD)gia3*RKXfL%C00^RBY$5&gebG|Vvdee0sYjrq8kc_ExCGL^f4lA z0N&p3=EJ2CnmZoaF-0Q_BjdJeA-Y))@WUet*S!>oTc*#kST>+B`L!bpOvebGcD{82 z7c-U>rnAj}RJkX0*AOS^Pdn1#k(Z~ij0dDr+jfsA9DWB+SQ+3Kf2;DywU0_cWuWvP z+x&j!b??07hBw-pG5KmQsdLSsm5*q;!MwVSVB346YHmn@kq=L58LMLh<$o&b4k;zT zA)HY}mDFrBUg@hkMbumLNRb=a42brcET`JIw!<;G|9=fV%Wpt;7pWETIH_$wnHGFF zDU|TGG?>Au*Bf447&GH_S_%{>eKK%)6Eumw)z>WH6t@0wu$5GfD4(VTZAAB+0k?JH zg~xfdkpggnivghBQMarDZJQzK#6Fv(Ivwk)r3c7>7dV*IMnj1w?fx+$&@%XJT6*o| zHq7$(!)k*MfGA}F9@J%qLy$KCH9$gM!<~{|Q)a(VH~9c|aeb#IsA+$2q?57OBLqI2 z23PvIA3YFX@26{6J=mVE+qO5%K8*d5=<4_x&i=l(BXFK_Dl%0S1EhI&VbAn%@a4F` z5?N%s=p)ze%7Z_Yok#78|493g-A3oZRFZSgfeAqU&EF)^+yzqLJdisBJ}8|H!%DaX zCG+|4eV64{D+&Oy+U2m0@PK-b**rr#-n|%_Y35h9&B&kciisu;D)KA}VcTYPwjccG zd3eJzs?6bExq{q&!sy|bMP2y!ZVH;I3C*Pn61Hl!ENsKOce>9weB@y zQ3hf1px63PJoQYGRO{4B!&z|w9 zytzcuc2f76yuZ5cs>h7j-VJES)5Vh+)1K#aeAuerO0uJz0eROAXwRiaEpE0y*`B&; zJ&eT&Qar4VYWv827f95cD3c|)d+?EQuP}NSboIs~SK=Jp8vE!ShhfAw#o=6LhDPD3 z|F>YD9yO4G5ywX^bag^S6G%fw8;{@Xc=(4ViQLL$)=Xoui1!NeD~0EO2+UjfDxQPX zv(V*JK|9WN);l-X_C=y8GN#2!d_&$p7oZ$YuY22Z;M9d0@t9%Mn(n9C{X55w(5@V% zvq)l9q*N&>`Gzqh^^cxrxkq>{qoMD3=hRGF${4_C8nLu1 z)q%lmX2I7;Ists-Z2GmT;RBL|q8{#iEm_Vvk|g7-FP*6B#n_ z;YIbt)4mIBM)rRwCZdu5Yf1z$=D&lXO!z39+Bv~3Z-aUuuhqfsI6$A|oN7g<(}m=6 z03f7E(Axo_Xd9%(ezj*#Q1k9JqG&2N(pH1Pw1@%K#o1^Y$CyKLD;VPaS9i6i0LZz2 
z#0$0zW*xOMAT0iNi;QrPz*Wy{ZMaNZ#kIVcrn!D%pZMEoczt}T{RSK$Nl5d7_X9G8 z{j*0r43JF2h~p#|TB}jil#G#1oS!h((Wp}DPwY`70kIB0# zA@%*PCVdLHXXqmb9H3^3Q^t^yn?V@G9@9uJ5*@3ERk>C!Hnt(4v`}#&-G6AbmKy%g z>qDMAKyBCk*XzHs_LThOV}_0rp}+Xm7)?6K2qovz<@B>>)R+1{4g3s8a#j|UdWlW$ zUQ0ksIn#OL)@i<^p(cYT{obHazhDxPgq3f=zO2r+t)Kd&|IFtbu-`s*>>G59k<#zn zgex7AH5nd-t$eHiLkc)KL#gPZVKl2GVE=z{@Fzly@^VOj)&dDn%`67wzT)-ny&uGZ zd@^?Ujq4WsIOJP#w4eerewK2>QZ%GXeNDl|3*bN&Y4cX;zcSDO4nUr%0UZZ1vDaNY-(4dF-g?o1;$^d?%~UZd3YyU4AVGm^pWNOpT@3Dv>q1ED zQHIQB#pJrWsY{_*ZidoisnlMIT8^xbUu8CsWf`h0?;z=Vz=CF&Jk;KO|{=hTJ) zp&<8XJwpfJ0RLzv>ZJO{?FUqLruAPpW=ZQ?fQ?psDfKyPhb@XnaMO_8YUl4MT&JGj zs(|2sT=5r(EB*~36x}PG;c2@jdu!wkTmMQ0H^nEk$RD73XXIDSXI{T+=_Evbac}a3h}5oGcyuYTvtmjyh+FL% zvwP^vph0d^7=y>vD%L-Nd3Fu@cwR+-8zuDL(h0Sy47pqd9X$DW6Nw2n#b&`KG4-Uo zx6l_quwnIH+!em{>oygR*LsC6<;2y#l5c%n(NS6!L%KS04GFnLwK$dKk%FDV?Qoi0 zS+yKKvfetqYv(#VVF1gQ)T#_w+|$cyz2(j=x6M{Y5nXPy@VqF*wuVR=mAye9N$;aW$qd_|yQA#87J z@QTl)ev;0G-AEgOtO>oT62@`hZt7A>Ri=q3P=U^fRTVbTn6IW` zqh@qdt(NLx3dfuu%*IwsyTP1QfsB5^pF;>4N?>^TtcAv-q1kF`l{Z0=kC%7#$HN~S z3ehVb%tl$~xh*Cooc3u~=$H4<*TF8F43`ahsW2p|2Pa=D!%J_4562%2wC}ipHAND$ zdy|bDp0&%2SIv>!z9-{2wfJ!}H+*42czZ%s68@5S&xN&ULyY`RG8wV&05L85>FqGF zB{x<@Vb@gE&V`1!Myc$G`p2?6#5ll9p2N#cVo*#F15n|a<-65H4zm1>;9upvHu?R0 zMA-96Kbmd6SixaQkhl2Ar_0k_U8*kyXAkp4<5?x*b$8!c8(ZsN2k>g!bsSIKAv@e_%~mHJ^thO^4K^K@{?I+FKCRtHFf`eURgb-xK+4C2oq7- z0Jf_~TH+)=hG$_b+p@n8dC1}IiM}3!Rq9j~heZrp^uDc)ya3v?piCR5@|7j$)qo2XVdBT*eBdv~2W?f`b^zugl{=Li&4Jc43)>%!kQ zr8F7I)>{cx9vzyh@D%3^Nkyxgf$cSdfmI|gHl&uRFESkoVb7%RtNGGXiL#wMe!)64 z^=^3YG1SV8Uy-J_p?SCYfjztr+)Kt@uZBHgipi0{JmMO-z9%m<3$6H0ZINv^o!WSrrhtU1(bs} zR(rvp)Lh*2S}8Fyt}Qgx^tWLrrT;=k(SRb&h4>-imMeb7D{;Xh-6f z9fqyy6+J4sN3$dZ&HK3>j-)e-7alG|&P(uNpK5KF+q{ipJ<~DOP_YGPGG*SG#Z^1B zFGl1EYEHVob1xazOqyFnBV00eZxVMoilM|0$Y@ezEMxUNDM}wWhMu3-#WOY|gisg( zJedTK6QgFk(mZ2i(dpr&`wn?P1DcxjK;!I+%6l z-33%^+am^A%w5vm#Xj*3v`@OudBI*mZrA=pv}#b@%KGc~_XKWfJ@t!rgIznbfo8)sjAcWkG#p@#n?|c@`!Qc zU^d1Hqh>imTXJu6*_$PJ5bK;#dZ&%T4;c~{N6b&kp9s)N+ClH$G`tBsr 
zG$JqAdx?V2tH)rP-Q-40ki=8vGY?y4K+^)f%2xTQgbVmec1>Pzb_ZZ?X^chBqq_CL zt7<5XC0_fug?@H~P;^G{lW9X=de&3D$f{-Ikqy)6x$Sx5^<^`Dtola1OIaU^N!1tL zOO3NX_+IN@1Wl6$8_uhEac3s`9lM=#xK>2qXw; z*V)6zdG>9r`d=rBxZe!fSM-H?#IldB1yL`3*?#X_f7x7AV#{!Iht>|k#)b1TyULPZRWNvPF=oooFS-h|}tLA&44FUn-nQe$!idXVy(~9AK##Szy&x;6T zPbwvyK}c}Y(de~+Qq%dc@Bb1g45qsc>J7aA3gsZd32pu-WU`L%?0nNpTi&rbOo2k$2kzhmvauQI%ZG zS|6&i`}O$yf1NRd4xaq4%p36?wCT}i@M>Wy*IwJ|`<=qgW?ZrL+KLT91&kH1h=VnU4yiA<^saj1~rWdhrxf_@i0;NI$gw! zkXCG-^ngh5HScbiQdRZ=vN$D193#7_s!C7epcu9EaR=n=!`Mqi8);!(wOu2y=TPDK z>{*ipy;}da2aJrDu2bT*I3)tNo^Kkwisf=Qzo>`6lf1}B6DMH()w-7+YSJISKR?we z+^B#;+z?Ep>~47KQ`M)m>1N(@VsD2-k=rA2Iq&B@RNoZIA+lVN^@i7m(tGn)<1NR9 z5i(do@9hEfy8Z_2bMmqX91LYjz{FIMBb1P&Y)VTW@#WK0<+75_03?v}F~-gvJlwTL z77@N6ndJ-xuG7duLI{#s_MuOJR6CQ=j)pt8T<{b|4|iE|=na2*7|igSWfl;I1l3>B zpFl4*Le(7A1aF}EtQ%qkd)!)q9RT6anVY3f#C|v4Y$$?u9|_m+!8r?Pa!iyQTe_rp z-()<+#;4txsrb6j*B6HzbDGYVydHzOeV5A4 z=hjmf!!du{Qlc52_t-0RHHEq4;G}}V;4i6Sl*G|nlG-IR7hQNl?F2H2a6{L-D+h-{ zE5oq%>hJR#1;#=SJQnB6iSUR-xTjp5M|L{CLm(@^bVevm{G&^v7X!ryBDgic8!qL>4v;SeYX1-~ud7q@nzX0=ba&;-{ zDD+A=8rjL~mii&1+Y9w_W0n_xc>AXt#5~W*wj2$Ix4WS;*YODBE;X-9Rp&ucb$$ai zDnT#+s;?_?z_I_3^Z-I8=1Ry|)`I(^{RnR0hU*UK-LJ9pjzfOkVaw>XBU>4f85(6L zbD0e2&ss*q!wOkn$x^PG1l#qEDSTwtvK_nlr45QHC<@<6i~>Ld70q1ba3wbQRdfj^ z(@6>Q>(^R{%4{!kpkvFjTq96qQ{iE(nzF)A-DW#6re>jEN*}JY=j1YJD&gTg~KbpzX&vsCY(`)+UpW`w!Df%p@k(Kzx=}GGQwQo_Tf1>?mkrE9fQ1VHF z{97a$uB+bgFc!+pDVUhKET2(=Qgv@>;uAvsHSnLYsgZ#i1*9}8Q^~BT6h?aFnQ!PQ z$23Z2HOX(ttSlDuiMRv{59$9g?IPF=Ox6e>SEcjJ7MNC;n1sOIyK_J0^EZnP+p+T~ z-)uPSo@>Ra^r?`#y8#-TtrHmz8I*Io=d5^JS$St%!+RE&BkOtRU= zOnMyEUA%h+%hTSx({*9Cx6ocbWV1!vixVz+i3FK%FB+>O*C>#0H+iDD!i)sXn-QR4e1l!mkR`@hB zd6It$4@BxilB|+ZAIZ16 zX38kM37m_^2eyGQgpY38$LRx+mz$I7w*xv9pX+v2g1fW_DUg}8-i`I5G8i>Oj`6TN zX=6lS{UxZwaF4Pb*r&zuMm5K`wV2IsX^@^r^=M>T^pRtiFoTm4X=X(#$f$EKW`>$DC5+q0B=zJ>yL{9@v!H3%zlOCiUQWO=!^HSsv>-Hm;}C|kZik;D&q z)jUdIRC3i(ot`xY_kvmLLncG!`6*RXw1=r>I0(S!r5Y|$uP3nZFktt17mT*jrXge6 z*yPXav_8)8ZPpeu;#2`G^Z_6F^toMjiz&j35afpOdTmvbU^88^T3H2qJwfsz<2o&Q 
zDn6?D@(wcK#TndleRGQ?5aNYc$-^Jbkl?nv@%Sp|f%m~VA8c7YJmPIxZ>gddf^D09 zK(^P0?Zo?e$QJg!DUGlWD>ft|ar!|)h}g|^z#so~I`M<7F_7oUppBK|b>hQGO-LnW z5*BHU5(Z&tP5Q(zc8RN{9~ip6qrBAol4L)mZis(JnI1)|`=pBzyW*(wW}9~pSH7UR zv_o>iU?Bu@kq`)+hPpSR{LZCW%0p8+_0W{6 zFHkb2#ObqAlKdhJUIF-H0Cc-s>x`C|u+5b6y^TM;ZioE-Uu2KNWTk9GPZ6m-myvHv z9E2z=AbtZwB-j=5u871vf^F+7<4rfWb%2wb2d@Rv7u4;lUQ52X7Q1|4<^pe&071p> zk?WgGOUzfus-j;6LX(O2EXptAAh)YNi;0qHI!?cslBAGW;s^lB9CK5vDaB|pVT%4Z zFga+wea9DCMEnA8GSU?I1|kcIi_^_K&T8GzroW!%s`G{j&|$D_Kmy7*LtR0znmn{@ zxiZTJFOc8i0$5^vo$l!ec_-AIzyXfs&b!&Vx*73a{^XkpLN#Q*vkH^?f8!LERR;e282f03g4d>!lU>}vAP^L-$Ra6Jy|tPl{YDSqH9X! zhGmTm&*5LS-JQ_gg?5m%gKmU0JAUdiA`DnD7JoDSSf`vglF?I1eET_dc#4!!^F(u} z`VP}F772DJV|)Z~<@$OY<3B6#F&nh@9P3@$LR z2SHMp`k`bR6LO`jCbBEY|B2a^4gVO#hTyi=1ffOxK9pnTB_qP z@xbm!@&TA^(JIBxuU33Dy}0R8RvwS8-)>14Hg{q7vjQ3aaZr#il!lXXq4h{b@l`D* zs+62PrYP4FL$gEF4dsxx$}GiTn&^iABUn5B3SgA9>rVPhBpC9bw-ILhQWvued^{%` zCK~`+Xwws_p%%2p%=7+oEL)lFJ6diiQ|((xcpRw2F>H`tGBcP6Ks?vX#2!w0W(aem zf+(m>WtIHc6uIQj*=f{Mh7wQdSX8Hq)5I)N&eX0{Xa8(#Kt{auCAe%mQ*t>BWeZ(& z*BWN4DOBE!+S@JNKDznz*?!SOg@PMw{JdsfQaQJjJK4Enr@d;Z%q{B#mPF&S!LGYA z5O^5LUP-%ne=+tr^b}{Nk@5&y0RqLcGPY8f{4KDa&w3gez9a8pm6G~JMI9|Yzr`dS z#%aJiMyggzZx;BeL`Bpjp5k$&0c-LyR>ajeXHL7Ppsz1o+LZY!EdTO|=yTQoe%z-_p#6nBT+-B&imHHjGti zDI8=s)ll3krw^s2a9d`YHr3W6EYN^yVvhj6D1hTHXeLR!03c*1x`iq>Wgz^nH9SW*5WJ?0l(h6ccM$p> ztZQ2*>y_F2vUVkXz3(Q!%g-&$#ao^&qOVg<8R>$I0AHVVbYa`z6?xAqDXCXfk{#|! 
zdGuE2xvbk7NEFp{rd3>jat8TnS)K-Fu>K$WijW6NVS)hauVCyCtf(P^kz}|pijFF7 zUMWXmFa;s;18wRI!fuS`mos?2+|B$L>k>u4o@a}L!6binKonh~l3}5-@gJmOt0DDQ zZc~>^{3MT~&tYwbHp50Be;fA72gn$NmjD_k8xngVE{ZTcI?ck%h|pvsGpybqj!Gqj z((K2PK_L_<4}bf2vz;si`Bw#RB01j{r*9t?wUWK7xZVNO!P$Tw44oHLbI|}gnY8lLr?DdIAVKVU z)zm+C^ilI@FVUqgx$^zJ_yHUQg4~uR1#Dc8vP>l2w_rMqhec|9UtvUT9)Q)h@7F;iH6ZUk%y!QQLxFNY|uW_QBX6!RuV}g`Af9E+p_y%vy$d z*kI3OFy70tg(E>6HL73J^$OFdc+u{mt}_iDo9t-Wj|=@7!YUic1sKT%D5rhG9pa_` zIFsZd*uSX8te8BRQ>CHTKB?&8T3Jn9K*m05K1Q~_z2b&8c9>ab zW<`S0*?*j0SqjMTlW*H|0p@-+2t6j;BRYD0+zYE5l)=3-&|&JZXV3hxXvq0e!i zDa`yGEiip8FqCfLZLv1gcZogrd2ojAQ_NYp#?(p7xQ%L<0wg_5c2FgCLj%Gm?q8qtMKv6!255mtNMGPe%Hz!fpPq92Ao84zJZnP`!p%`1Pfan~k8*fx!A3hJiE-wo{BT ztoxWWJG6ZS31Teh z;0ao(Fxn$SD12(HUYUN=KgNMyrptAiI0BWOv$EQu{V1&uhn$l!-xrG1k{99bB?)h! zhc18Qz3-pPOj8?DMV1+FpL9`a8j!%QA8BF`g%ygV>wytI=AMY2{D|I8%D4Mmd8;I{Vt zbyIo|8c&>)Tl)>fkNAM;eX5XqmrbEo(ucW56u*S8rGkZsqH;J|N1Iyy1cC}1et@d= zxu4nOzck7XqCsgJ_A_}KLSOE5KPhgNhED)bX=F7Pabv}ZX45}>*1-O(Yi0r*{cl%F z5z=GOsRThhgvVEVU3=T(s^PBJ#di%F@4co=+9?-5K3pES-7k|e2#mG(EENjKv?*&D zsvkb+c0j{8XVNZ;X#j+v{<8JO;8 zxmY0uOoe=asa!us!+v{VWo9W~C!wd@7Z8P{VAf)G*joNu295f#o zVTilN&e+tVUq+nA^srE&j-NnH>rMfx-dU(Qv!gcw>byK^>jy&fcRpIKp2c?W2JZJB z{QijH?Uu^yMi#l}nmrx)`F66*R0xxDMCu&fIfP z?Cu=vjL{^C4%XRD;BJX{4;5&_-!24_s0qX#YAnzrlA@$v7nd%NLZv7J1jX|#%kZW* zY)^e$KXW9>X?wt}s$Cj8bk4qzS7*arz)ff7s`}eQ{ApgHP-c)p+{-Bs`^{AABoocqyU{t35+kKwuYcIWK(<+6RnbxVzS`F3{4 zOm@8cb=!)|V82!em(TnKoj5e(x>)vLH8hS;|~X- zd5vA&hj`fgY$89%*dZ{?q|HVx3Jm^yDvXY;4GIM`!-2 z(65>iFgELv>OhD#plIQw9{q5v!BFe}yYf_{pUYgc+$eS=!JIlp)X)s%?Z$`)#hB=I zxeii-hhCUWj8NMJedUv&o_acW)raEw4aLbcSv|oz|1X>;*1_YsuFcx;UtrxUk&>ws zb9{OUE@hS?6mFM;prL3qe(6G>BK^H0(*qV5?|DrE75a_#{M(4KS}2_{Z!9*deNnN2 zqK>Ji76uI{k9>;nf7$}(ws(QPLt*20<_i&)eI{AJQ^svPdx<57vQ=aaF1NKDyVu2m z-`A&?(`Ee#znNG7IpI7;fc62@ zlspgFiu~YYNP1F|%YHBLL~ZNjh8VQ$uD;BopgJOMBN2vtl?gUj%Cncmd`AQotTaYw@O@>M>upZm4~7k z3^|T*ycwqBWT5R(wrY8R1L6-T7ewbTTLd(TeNz;18jm^rPj?)>=}|I@vmambT9eHh 
zm+1KM>SLcD*PA>pc_1#}RFJCcpo6gun1IKHkNpjU@p|F7-m{Wf$A*?zY4&Y~{+8P* z4+kWaQZb6nUPw2MM53JKx_dC$nDvBFZR}5-G&)2!1b0NnkO?=iL zR(VgpL`x$gO|SD1Z`&*#eR*;>el~j!BRuXrYpm?yz8gLrPyt>_7`69NV${wp?(heo zwyFG@)>j3#BQZKyDvhhR&L~j)5mtVKD$fPM{x;oqGKw5=Z&-x@%dLAEl9-=4ww5r# zcr&KX^y#1$LoVO=PMovvn~=5H3tHJn@qPF`XFD4ZU8Eabr!yI_GK_))!Vec=NwGG4 ze*<@zy$lT^NhvkHs<$zH`|(nYgV(AavTU(hntk0mwV7Vws$hF0Fsfg~7{F7{mxdhY zL9Fw^kg>&TknP8@+|s6gpEo1_%b>XRY1GZ?d{QU4ZTSUz#EZk1$6c`_8M7PKyNWF@ zD+eBG3MJ)nu6>kQfN%}jL>1eN@jL9G?}qVu=~U3{>G&3~ge(`qXAwm^FHyXP~-pNYE6q*+x~%plHyK)=T#maq+VHX`X9$(W#Km@u5oA zD$FgwhcaGY9w9Arf10oNa9oKzvnA@tUf%u5v|j)5+@Ry{#VFPk+hN!vY=4U3+N9mQ zjq=F6pDG3n8roD7T6!kdD~T0W9-Zb)AOD?MWJOIQ>jeKO%;s@7Z(8W@M-_hW zt!+ziV+dzS_Riq^|92tdWr24gF}_313^~UuAm>B{HJyay29{+_&?EHzvLO;V>Ihgb zLx`{)Q&?5wxU0j>eR9iCzg3pkU%B`xkSi-mFc$dgc3L1=iRI3lLkxrq2t1{*lj$tR z#a)v3CWF7s(^tK|Dg^) zejr(T0?9I(fn1)kKxx68+#JBVR#gr|@$-YZHRY90on(EO0JM{zAJSVU&7by;xS!q^ z2?!p3m_Xr@!--!TA-~aN>hx_}ukz>N@*9XPB99$p@6Nod5N=?PNlST3>hHeiKaVdD z*D&;OG&l|WWcBI!cwa26N}*$shJHiksdSa=%>%?;vj7}?l2E@PbwB%!tuiUrDpL!C%USeJt@kFMYw{uHCUYHh~$ zbPekQRO{2Ogu>Y2(~(+o5%i!$xPd3wz@P2S4_JiMO#Dhnx1lsziUlO5ie^cO_bf)H z2{&{yFbhSB#VX)d0l$&oR^E`hM%qt*h74SJ1GK1Q$zf5$zRp+w++=ri$@`kqA3kob zY+MrqQ!n1D2BCp4pcTrP-AK@{PQrpoRLLN;fQSfXCNZ2gtD0)Ns7n>MreTa#tzQZ- zLNjW5uu90lB>E4@Y^b3HP2i$`kj&c!))c`e8@lA4d!(jPT zHhzjg$u&w5i3{nPD+?p?Tt?)QGDrM??Y&Num1$jJMLti5AVpPybHzY~lYLc@76d42 z{~RbqTU!q*5wo7#GbRpK*lEkS)=R|f&tIq2-s^5=2lfe(@jcwUKk$hsmqeF%t2Efl z5sS>czS}y=a{rsbU7!<{jS%;r8MqPc3+k%dMjzO870L~I7+?GzOVLI4e7Fwj=MWLF znB|x_4fsv+#8vI!mkUXg^BLci>E_*Qg5f^KhX(e`PJ8a5Mw(b+u=D%6=w1-Pp^I3l zhN8>BI*ECqq>0wo;DGu>K-^*}IrP>OD36Byu`p({ zvsUb>VLOHzj8HdEu zwvSh>qxxTRyF4M@B8+6&+sF+JPY57CC4-$~Pdl3xx$ZCqk5{*I4 z?v3HONN3}!*}Oq8V=YlQ3uI0i_x*Dg${F~avE_)+Z+6B%{xi?me#CLW)Le;z0vuKB z*A0!0X@cJ~cpdhC?5@jQoKcOvO+OEmWZ48U>AQ*CO4cj?v`n4p-usc={w2eN4-5C) znbB?gCp)VHk9qQ#dp|n7%w9B(&z~{n@`PJ|!X^S&{YRoX$-vGE|2xjJStu&T5)aOb zy(kN~O;EKj;3+Ks)Vx+9^?m0`DeUf_BK6YFfWzPZQKTNs7AsJZc&ysCU$o6;DX)!> 
z%g0Y_+W9mHQ@Ns_Xiag)bQKhJ>OL~Lz2>KuxUzZ)DQ#5H=XrDOa@p$05ld`8l{17{ z41c<9c~OfhinE|UcWZ|Y!@j|$AvFebn|=uPl?KQdfum^mWwhmj?G1G$YRHyq` zsTsBSw@k5r2Ae{EjnQVioW!Jv(DZG&^buY(1k!zq8#e`%huq8$pchNV7MtWXa0byg z#gOZ2%fLP_WnFMGY)alah9+Qv{73y3J8RHjN-H2Bxj4-yYl2XLEho!d<{R$*0goI{ zGKCL9E;<6drXpAv@1F(+ZXwa%^$3g@Jc7QSj2!ZbU7$ww4VeanO2;<@sR%_8pRfO^r zh0&aEDM~Mq3fy<*ZZfD>hBIb@Rx&~`lI&)t9< zD`$fK$8XH2Cd%YXJKfjXVn25$Ms{v`ZLz@0NSbD1cyZ+7w6Sk2Tk-ow@jcPI{CaA&V_ zV%6pdH-Er{4W@gw!}b8;2$sPWVxr(C#tjX$j6%2AJt?{A+6F5binx?ymfcvoNAyq` zIOaEgyO;noqOyI@tngJKY;%|>#w+x20(C3Occ5C<>J&W`@gb8V2wP)1~5C zRw<7sY*ZOprhns(2O3b>3Na~sjp=|6!~y~oE7FJ~?h^I!s&O@~zp6EUIo*qvT-#<< z<40_}^7m7HZ@|lT=jUx3TQiYek)Ekv=MOd1x#^46ofkX^Q%EY8b`p(nX2h>0zNcVK zD9Wc(nOax&-i@cF1y0P9W;C1TbV4&2tettk1fwK$~eJ=}cIvE@mJ+nahw92bn4EYVB z@Fyd>GaCuO#>FjuG#T9f<@2&5)4SKboBNioccJl~%dGEx(JJ;#eyEj4#L0e{Of(^h zhn8VUZPXo@lJ+;GhYTA@ZxiR*bwKJRy=8vW zrtU%axY+B+#kHncR9p1ZkyyHUiidUbG3A^-8i- z74Z&j>a2}pO;d-oJA;_M{WC>j)K7&i;NSk3qOjk080XA=)^z3{dk+nQ+k1xiMiqVMe8(eYO|5TH9XYHS&(kLifB0gkj zNn|RldvoI5h${i8C{@mHt?1`m(d4y}g8=ZF-?z(-yPoV^PF^wXcAIF&7$8LuqtWp5 zhQb549sjgi!4INN2p9a=L7@Esx2>gf(MQXRQQKm(uvcxvP;`3N-t4?UvalGSxo~J$ zwh&R;!t!;KGq%FVt+?kG+>~Gv;3KaFUC)H?iyC|h!q4!C+^C0OJ)OgVOLM5V37+7zc;=JGns?_*|)lv z>&o~T#FZYtW)-e?X`cs!p~`F8HmR)Ua9k}KUT_fi;Y2WN6UOnw8yN6DtXl!J?LMfG z7W9HB;vR6H{yNihCS*J^mNmY>W9*0pG~Q`XL0y($RpuIXpFkIVeiguSz>jDKkKWntWBV5V>c1|>(Kilj&|K9#y=6qD~ z;MJ--ABy%~?A+|i$<4#EnY*&1sM?FC^{3qSdtIv!A*UFf%T^B?Ir30vhxDOd>KJD3k?#75oksKTgOCjYV_l7G6wpxfLSAl|fE=xfj&#sJ7 z5JT*QGcR_+(si3w7azx;rL1^+rp;Hr6paljEL&&@^YEoWY8`40is70WIb{8M>6n%8 zR6n0CjYtMi-}1_pk9C=_Jn7$lsP`fBfkn#D00&h=hbRZAzyI@t22Mj2%^=Z5F<~2g z^S+`K@`~5k-#pRV3!{`KVQdqxT-vw`=D*_G!l5IGhHB%xav;#Dy@?FObZ@%hwvW}O zo0P6i^7{3xPN)0lpVO~?VBOf5L*BIZ4-}=QE}Csnoe}gCVW86zWPllKyq4Tfda%@j zn9IYvs$K72YHw_GZ8m2+PSw{}KASZ1$#r8$oh7l~n>2ate*!kkURWL;a_0gi>!ul? 
zQA94REhD@(7f2x@R%9zGf+;L-C!Ce}S=sqcIQgaTI0TwKE&F#MxDfcwuqnCBj4QAu zGRc}F7R*>fUU>1zS!=(k&hSJhtQ4>rWMKk_uH(k zB6fD+?qrKkoQ}$$jCaHx*r6sqVh@`kfe?hp2;1LKHf-`J4efuVj8W6dbdxUd_qzcV-;~W@L;t+2#+uI!Lsb8Lk(n3-vT~Ng+ zG+~m-zd6m=x2f3486fgH)DSP7Uw>^E|A4>xZbmHgD7eww zhK!>XpXPbi26A7!^&=T<9coeCw;@Z4$6B?`Mr`xEv^zR9O{Ana%C=e%$ReYNWjhN$ z87>C;il2Qp&qFrq1};O=lC8~#JSNSn2w^GD=R4}B5;gJqeWY~7-yU>-oXpKstzorK z=j`yU(JkOQHljN(&!3aGW%FK6i->x}JWD4#vLQ(yVGYj+Qq?%dSV544X4cZ>#f%2p z3nayS>@X@F6UGS2MR}x4FN|FVz7rq=t21J6VUb7y0V5940#YNQCX6!#zeqgl=eNRF z+24*c5r)2%#$1-`o~rouV9|Q!MsFk68nD?z7Wuq2$5V4!t?fgBD8L@a`ZYg-+a0>l zK62}TJYj%K@&h9>n;eZPg;AF+4Aw)pyRO;*|E3h3mk-6GYp|0z)z^Px>%mCqwSasT zQFE|i_Op3!Mwa(0#0-4&bMf+MO#Jl?qL0T@a%YEMp_AiwzRenSydxsoIRZmfV>)!d z-B5$!p+iefexd^0pk$?*Fmp!0r4L>&HX_4x{xx9ZnfsR|r_U7|S%{}G@z^`DojTDZ zVBh27a;kR|)MW(#&{T|TRWaoncBC9hgugh97wnSoTZ55A&>X%KTpQSo*+$UL>RGxR zC9^$mriARc+KCCeS<+>1UxxS+jpz}oK_s|+dL!2$pQ)tJTev@<%PRd;+cWPPS2v zQBvusq@SopRLGS4!Ul6qgyBz8V^p;q^hToR80i&J5WFSp&mP|ue=sW{&6xUxMxD4w9SEyW;SGVLjiFzko)>bZufce_RV~Y zF}&5BJH1xSmvK3)eI?&ijv&q%1h!IE zyF-xvZI5k;vsmG$7=ACD^exsf`&drkq|p5-lOx3#Qnn&>Jhv~el~B=h2&L(mC^79g7P@_8xmaEa>f0OwQ%%s!Dt)SXR)JvVd$U0D^i$W7D0 z%K|6zV*FS)VYFX^{-|3$JBMvnsP--}rv}W9 z$W(zjb?99~6KT2`>*}#?tIok0B}|LXHl5gVwF9zq+1+IB+E^FP>br+-T=`B%6)nhydp| zh_c?xmlEaEqY~`byYV|SH?0`gy0eXpm$Z6(C7su9o;#;{Srg&gPi8l_J!oLR3F&p@ zgWBeP-@0Lqw|VdR==BQ7ujJtzYps|HPb97V(YO!n%+@ENjP;@ z9FMqr+gRMVv$G`cP;#QG-0rzwnwsj?Z(`@O4jKavekjxVvhskS2G>#N>>v=|xmaET zCLfnl=-fp-8CFFBC)GD17*0jwO2dTQ9LZ( zD$V=M@VCyPSH{__>Q59Mi6O=Q#V9#Svlf9?+sA%XA53E^EkbH*?aC} zazgD~Y}&Gqy^D#rOk$c)W(TX7@4-{xuGSeV9S`5h2lHL+1>BEP|exNl%Ax!1|1=a5%sG^Ii z_fv|A3Iz6j`y~!O7>Lzg9G5IisT_Ab*Xc_YCBbc(+0i^(2ZM{5WCeIAG@tC{mko0E)+`MFxb?f0TQW%dLov71G-fp9E? 
zwBMSDwns!MNWGjYkF1SUy(%~2MS&g#NPjFfDJfF4I0y;5+R;(2nF-*u2$udEw*-*> z9P5Oz5LXp;`yR`lKhiz1w%guJcC%~N{<28Pj2)Rb*`D++hl=rF+T}^tx;prMmGO9c z6JOh+4P}O4zE;T6aH`|t&Zo$|Q!q-O ztiqx%bpGj~7_w{j8#4B~)7cM+3XK>mTXwb^bq!iv_C z!F(3hdK~DScX~7#Nf*Y%s`dDPogo#n8syGo(1e21_R$%e9!p3i&M?cP{P`!?M2x0{ z&7VJMK8~>)wLgBY)>9!*XvVW(1pG3Deri~#$2|r}+o&CH-gd~3dtwKqvgtl;G`l}N zdDnkVNS)B@;;|SiE&WyNB(`T8bB#6;bT_%tBisK$eqCq2^zxY1{8{#6-D8Rr_5{|A z=~y@$d`cw9@Mc#PVBYs~~%H5%`u$A3Giit>BBul=o;WQizN&Xz~ z58dx0kMDDz=nM^Q-SvK2rcF_1rUYApnWc55BEE7=zJ+W*#uV1DQJV7plDV2x2AC;Q z9a$E5bv$e`JoJPo0XX!p2XwK9N7>GlaO)zWw^)2Ck|<*h2MIwH+7w3uE`$bB;`sw@ zjb52Wyyy3jAWF=wZdKQn^!5Y$73(0rF9%!H#liLk4j|?XQqH`jabyOp#k`Aa>4$!DJp#&7RSE!TA z7r#zWc`osH^@ARwOsq#Z6vwahewQtoC|Wv1hp1|s3d6bd?=70V0ko-gb#u6a9$&|} z>QCnKKkv08We444-ecPY-4`d8xCvP7mTreO`c5Q)m~(@?;vlPcKlEKODM)x!iJ3Eb zTpD-(-+&2LG{d+Sk_pt5>%uUmR;5=16V^y-aY5>s_su3aH*uOdE zqB4H5d%AcQm6wDX*{OFJQ^ycJ#4v9jn)y3a9#rLfMTJBK2!}wb5{GO9ULVHGq$xoA z@qHM^7I%zS7TyZmbYr7^xrWLg7SOu_2w$CsYoQ*cdNdht*~#n zR9G!0tWY)wh_+=?%2f&UmOuD;zB`aNry=bsja<`I5%*QbelKSV29}77u1H6d#lkQ1 zdB7B`HnhKiDEEh>g+e7x0>~NP=(1%(9>w zLgl#Qi5C)vbv1f`hR`Uy<(jypB_vG{DnhElSGrLO;HoFp?|)fOBPv!E-GoHH=hFgZ z|M5#^R_Y3%dqETp?Q%5GJq!&XF0s!ThW^G3j2UnsDJdgOSP_Ke5@JKciC|I~xy*IC zgoV|>>Bef~)TNM%6Eid5?HoY5VV9hvbIP`UKA%GjgQxL8nY%c=oE}u9P(_TPA$yXbRn_&U0VwJe4SI7XMj68 z;+hDWFO)Y!-CIbIQYGSft&1f~`;z|gWb1X3aY&R>!Wm@H&~aqJkAta_8krE5AnFBi zVc#;CbH&R@Lcu0U9-2phZ~aq(Drp>98-$dws&Mm2ELrY|*J8IVn13zIec9mZc4_D3 z!D#&0RhiB((8ud{>O*TV+>!M+w24FpZ<4CC+UIj^l79O9r_O>C6&(mhdal1}+IW*G zS15Wpy<<9gkV7pf9{P=@+2B2*@jyI@iDm}*STu}4n7^>J1z}eRCsBa(e~Evt3D{8J z+&hyJ=@Nwvs3C=IS;(gkFCSlAPPV;Ty)Lg?&1N1~vavoLf*PA;p9XVMitrPx@*rj^ zV*d>w!SE8HMcOXNzoR-5`F8(OckW;@0N!nWf{ksRz2aaB9j#f9jvp~yXt_#ip%1<7D zmWzmx70Bs|g0dFI=!zqrXM&9gGC*wJ9J3#Z?u|5|q%ZobF`Mvs-fno^zG==Z|IuHFfIPa#Cv_`MFHhzhSyI}_8l($;-m`!Qcr7R-+G zoqD&0(5#a-?V+Nk)}@BlOdOowl+NSLe#dYau=W@Jk z$JY?zp1nU**@FY1YF1M?3iZH!N=%wjs^RmkZWU+DMmui&o{=VRS5hmX?OP~3F?3Nk zoIZw5u@ei;*$GJZD!^cb)0p5nRAWkEu?R$sC?o`B5NjR?XH>qy7IigxFYOG+2_EQ( 
zJS19zX^MHj$fh#=3e!2njax^gY$PG{n3~wK@VU4^++lIp&Xo6YyC^#_X&h=W4JGAJ zp`FAYO>Gfc`okSHb_W!FrRgy_Hq&R0Nvehe2hw)zJ~Aj2u3ehj5B725rV6kRmENJs z9B&#lDo1uk)eC3=YA|wJa#>-U|2RVK%04JCYWUKAB@>O-l-jhJe>sUC1$cE#!>i*; zHn;_7@cc33T)RZ(3=n_P#Y%*p<`kq|BVqptDHU5XQIMrGJYiA0$ zP}tb69RtLh8u8dRjCwxXF$2{YfVYnY_{Ho;BgkSWD99LCp7vn&g;)4pe2WdKOu=Ng zBKE=W+q4o^+JJ^XS#alCd1S1WH?c-4$;N%2Is`{MO=oC~sb&n5K%!qc4B@QMk$1Ny z_M4;lJsO$_UDZ7TbQIq9CZ;70r!!Tc_bDRg7n5GCsGu~YCxsoj7&Xuc0}Aqdb2XfG z%zvQ?GckZQY=-9ll{vx>4ucO1k+fTM02G3wK9MD}J1u0HiWB$E>g2xmNLayjLg0$1 z3S$LXff}I!em&Il4^^~AR}vOoVJ59mHx4 zmgoPCJVW)Zb$wzQZV^~nz|%FMX=oaf#K6pyUge)EhhfnWR$%Z)?^RHtqYIFxFodFo zQp2>*Ao>R)%&$-=-thi`fIx>>QX%0)9)wA68-gty3C%*j#3`ZY7a zN5;jd{pY=x@dvTt-_%+2JM_oeoB>;jv?MN%Fpf%dBX@w*#Y4>AE?X|Cljm7SR58ZU z$^bF^!EdZjk!5ta}Jao!A$8orqxy?1KNL$&G zXRwC&INeyff8sz&903C?AfyZ>i+^N+ZMXI+-U&E3P2YsfEiUSF+dYa7sZdD%LHVnmd?RjvSm}(-2Ud`O@6yd{eiJT#AKN2a7L0x-A+Re!WHw~8( zv5sKAO`{RK#oVzvk2ldO9sjVixD01h(wTWKIiAFy-|Rr>!vZfs^`J1$0cO0?q-qJO zr4-F#=otOw2@>Uj%t_+qPHZeA(Unvpss5zDsA@yIR+Akgh-3eg=^wnBpu`IbG z_>+T(P0;hEbMB|arx(#nMF%fsJhI}3;F|=Ut6w(*p=Z#hc_v(;U!&CafK76|K^acJ zWD`Z4q&jZ1-*l?VZ3<7xNcPP$iCx}jBu*7_lRZ08yAlV&d$LbfwNY;Q@z6aaB^>%&+3uDt`ZVn8VmIA` zq%Kc-159vgr<=&t2Paq64zP#C;}cHjy80Kc_UJS`2_L@93&G$2aPL-W7Gngse|ga6 zk`7cH)+#}{$MvPl-?_HuJfm!FbqOkPh_KTNy`Mf)*pr3L{UaWBw2f~Hfm6cBVzA@V z*!PO#o&vtwXB#Pn-E?NyRROgK;8kYVbbb*CMCWpIKgX$0s=3aN$EusL9#{mASw6%hjbpQF6a-S6}NAO?!{~qEEb*f z%QX9~lr9Movf(ijiu-W1Bp)~(6iFX}b*(UkUFo&mJt?2o;IhX*eS5qc@K|!WsW>p$ zuKY%67;cvqV!5Bn_cDaN_cxGfwacM|vHyacBCAG;EH9l+&Re?Hf-=L}UuqCG>4t@# zn5}wUpA9u=@-G6{C6%RUfuI0-;FeM3_}r1N4watY<8$PDf1IUnD#gT}SG1`M*x4<8 z)_8wE3dv`O_r;?6v(4`Os(hNm0o|803Wp+#@7I4SdvqB^VRmU0B%jiJFNosBdi;r0 z9b1_cC&EYK#H6~x86T&2uOoa(GX7tE#r*51v^^X)U<|iUCy^FR!!c}jdGfBL?QYV> zghA3iPtS=nslZ$n;Dfqydfbwo`t)c&)S5@B<72J<;BhCCkDB|K7yk6yHgBO6c_+kd z>3HS3G`69gweeVFsDL`Xs77q5}^;a4~Ly_WJYP}3fVhR zt6O1Gx;o^7h+kB@xZh8AWYf6hf;1ML3KDjo1z%aA}R951dESQ;+wSolyFZdcWal9cpd z>{>-Hf4BeLGrbv_M#4lfb|BBlV#GYMn8idh=AC#Jg(C6eH-w{79@31Fe*uwWbV)`i 
zn0D5u6WD{g^am2&JxE3G72Bf~3L2{1WxZTlg-)TNOqCJCD^#=Ghx&s-^=NL`)bl+% z7edK}7S*)nG|nOs_T3EjOey?Vf3Af}=}eL_9R{ToBC#-rxEZQy2-AGftL2wuZf1a`;=bL;Zc8`cFvm=6Raqc=%QV!RGB|M!o4-m1EPBAUOP5k#HSv?L>jsf04&T^0EM2@!PE=3kQj|kiA$$2Frk}{Jd$A0o z2Fi-{k{TdeYd$9w|vHRx~X%2)PePOs{#h>pv+{n%qD8*xWY{V?vq>H_-P|>!{{h}YUhHvLt!Fs7jit!Wg z1yS~?aqA60&3Tds-2g$%*1+gL&)46eU}VT#T@yzM^<)blIA*lCpNf5W2=F#O zFKb#Y-x^gv_=<zsR55$h_;Ery1A z1MZ>Lj(o_?r?7+KIC21GTc}B5tz!N`bBIwnyZBYxqHgl`gpQ7~&=Lp80z@qO9ci5dl?MxrQA^3Z@pu~kT7qD^7q{dG4GkWt@dbwV>^EF;G zl`BTY`(`gk#_GBdTp#W>zVuP(16m9_BDDe8f;J-^adg_ACL`}eaEk-j&XS|gc+7HM z|7JESF|97U{lOhD%2)#YURK^(m%&1XcLyEIILoHn%*?@(;Ot20%#Y4vgHKH7A3GKF z(?sP}1)7^oVg#mdS~Tj#Zro?4Ydz`I9Uf^Sk+^xB)9<{>^ogX+#n=q!5*7;n6XaOcKzA`p?I#c`|!s+=_W7W$D=<%>bPcf$l0N zn`^zi?(aE$2s|^5>*@zgiMf&+$BE8~J)FfXV8Qq)BL6dURAoO{i`w|wV;dFrWlv<8 zcZw;1&@AyFxbPq-7q#I5T4L^P;68a$CwdA;YQ7)xnA7GrsESAzsESst`iR5PM2!vn z@|{|xl}@_#`rM{zC;rclP4#+W7w2-StL+5gogE%@4IleeipOD^lbq{}0l0~uySAUd zC0^ZF7PTkpPfMN&@h5$Gm{i#Bq~4@aK1$JGy;I%2YBfc?kri<%*N?%a`H)ECQ@5Tf z8xnZ@iN4xzTWHVdvbHdFvy8g;_G6E1u6~Bf58+j#nw1Kx{p^+a>^)y(UiZunkS6R| zAD`Hm%(V*l9(o(8o$L%Uh9f)jSSk-g5p>(*MZLJp1a zDkGqq7)AmkH@+E=$f|}+)Fqg*K&23>i6x@-k0Dxmyz5!#{*Nlzpan^r7&=&VzDRjp zzY|641NnYubdBKE#9FOyKE(r>{!|HR*T&)Vd<V{gVY{_{qa@rjB*r<}smv<5_mU@e=&YonExMgb&lMM@7KwO}zZJQ_gzSQUAmc z!K)IzqRczP?I##0I9m&bNVp=%FG$z?L8vv7Oy38?u*RWlP#HailTBjwEYc;Rc5*$4df#ub5D8{*bYk0D*YwsyFyVXX-h_l?A67Q1b zk3MN)j_A6Mt+R8Cm0t+TVeyGz_jIr5y8s)Ht+8r9ubz*|1O((?qZ9 z00ohQ#~C(L@yDSg(XeMy>j|8cYLy%cp zZl}ya9kA#a+7wK4T@;LtqY?Q7w%tf&#oP||^<;<~@MK7a z5m|(?9J$Pk(yg@2Ec=;=#bi>8SrIC3tw(`!Xk(NM9a=OV?Kg zCiHt4D&~6@q!?45*3U><o#biP5?MHyqSQERf>fI=+v2;d z*RE-u%2#9WE>rJWgLgq(cS4y-aU^gkivOF-5c6)U`cDZ%3&AFuDw;}RFr_RpSDJm1 zEm^=vwRBJ~YsQy7J|gI`Abwl*@9&`)(v`BXzzA(wB+8-+SgxpB_*KNL1Np@+ri0=a z8HO4IXu(y)DLY9TtPkdBinV2vI{4!u&J99V48rTErWAV*X#e%q0=|(ZO_J z2WW*mZA4Ehxg92l^`NH=t|!AW=TqWOBZdN%tL~U(=y?9v$Grd0>9>elDX;k|87t>ge9gh!Z-Z^oCIiC5#4X;qOKVM~0K9_>?`d1kKlZCA0N&RA*S5-iL#)t7h-NIHxmW-et13L)RH+LdkEK$X 
zU<68N2o>+kzmzT@$}V|pq-m5K80)z!#?kfUh~iU19HX*^9#w zT2C9OKNWRc9OQ<+JGxXwtnosQ=J3+OZPJo>%C+n)SFb2B0mqDkZL;3QI49%4MYKu8 z2~RZgVwIE0KlSqe?3i{1JwE#jbo)a&_5S*ePbefaUJvu}zRk2o8}+Gs8@~S-!oaWl z+U$o0|LMA_HS3DLdl$qq^=0v-Gq9!#ubHc9-Fn85`ts*v1kASVZ}yFe2d7^^7!(LO zOfsg0Q06IN;MmmrP>A6PJj7`u+1bv;>LH>H{@zKg7Foq z2WJ71Ycn2^L)nuiitiIZ=G;3_zMzG3GR#AEitD_|(_Y|GHJOe1GXNGFV4d%%)n%`} zmlZwpiQD`3&@h8%!iK}7_mj)_-m=)xUr=7g`lY9Vd-CH}(>Yxp#IyP7-s>L(n^NJ> zTnCmOIUck;!j)yFcO4i!IhAGpk~|@2eZt1HlC*-1VM3xIo^+CmDqQk4I2~&4J!9-R ziY63xk&7jDe<}GJ;rzZ1)sn7~rT;@XOPI?9lCJ43eYRBaz4~7K+OCb`0eHOR_wn>k z*Nk|A&53I#xK+w}Is$-F;YN<)g*Emym7LQc7}#w&O!lh-#b&@1|2H}NjWBn}U7bBy z-rU!EOc3YqgpEFBX(ag=t46wb7=vyVH+d+E9x6lcK2}8&Z#1>iW#Bu3Z~G1mc*yem ziDAV+t7|>W^MHcJRC501;fOeE9P&uN8pa6X-nOIXeN*gR`y_Arjlb+OB!?7-JG9*R zgg_a|&Q6z0d%XVDH%(XDm;YnxD}(B4nr?APa0~A4K@T3>A-F>zxVs++4#6P=cXxMp zcXtTx!5!`i&-W&`iXW$_soHx_+v=WPJtq@Xw~{+WSc+G)HqMbpQ+{~ay(Ei_yeF=Y z)&imJ=i9~0YP#z&db57It+90HcU|eD#!RjJ!)1y?D%lUOY63&6cm;R8F3boj*%Qlk ztvUyuLF=vl*AN-GJOg^UORojZuC6nY0tJLRwOZFJ1}dj&T`j#rpDv1>2j;x4@_ICcc}wQClfM?7f`g-eo^MBW}fX&=6h zYIt489*8T?dKE{1>jpcFyS?3n{#`N|DO8U*#a!%CaU=jF&{!@_`iv|clx_ZnZ)-Bj zA=SN@n=8m4AMADIww^B1nZNZzoabkvGvR70*sI4KAA@$4bD-XSi2qA%wY)n+t_RQ+ zmu?ol4zKROX8J21lOggoAVGX_Tf4vo=JL(`;U3yCGxc`1`~bVG;vOwxp~2384+{zy z7m1poXJ9d_@>&w+L)!hDD@qm+`M4d#b+&*+9ps+10lO2PdRr!X@mp89#e8#!{%rmk zE5Vold*V^w*^&o)Yh&Cc|8ck~If>eRnS7(}EghK+M>1Y&r#8=pP1Rjw-ToRo0aUC2 z^7a0H^=k69CUECo^>kyh>%H-c$9X(fFzi6{%M_l0#@a4(i^Zn;PAUd-;#4y~_bS(q zI82tnZmv&;XOvx9LEeg_4M~OZ57rgYAMwe7Oz5YA~hwKSx z!Kc5b^zkMbQl@+aTo+_Y3nGF;3-K64Vb7JTXEo=<#jn-_!4%GZE>~a>FLy&8>!t|= z^eyYu0!gUbqnqt5p37dqmdUTBMT$&|hfON+HX!4 zuLwknUJn0|Lv%-?p2(j3&ZH~>7b%(g3$^k8_HbwG2}s)t0ZU{zep;DD=U7c zBsKHTkA0y}6OWbmo!aE3+@;~J$^=G)Mb;CqwfC84aLCONT5h{N>fbMeXC4720w#p0 zZ=${FE-#m{TVSI2B7izTEAjoCiWe@c?xSz6AVx)25iL%>Z+-|6lD}79;IDiu*WqrY z%Ml*`xJoaP&gxdI`w4V8-E|7`y13he>E>9-c(?W%NWZ~#)#lO!dg4Wffa!0bBBsVr zBFx*q7w0OjC<4-4Xn~I-Qa^dapMB#<@Vl-|d@&_SHBh8=MM>!m%}jnN;g1XdZ|~8i 
z!+*D24Y{s?0zZQ&2CoIpyJ3sS+p=KA^vg5rmUFY=&6xO$vXc$5#yq_bL1{>g8Gg$| z9M4wPS?TaUU7|LMlnB;O8>)5JBr9={+`71G^ubLKJ-|LwRBeVUSpc?P$DJi%SzXX;EMfW1X(}1nU?hDtXEf+D`hT-98Ey7ia(b4*Ls!YjmgI7n^{bp zC4s8)iqHa`wdF)X(?3;B6xqMAu6sVXI^d%r<#+eB>ZXg99n2dG?1s)0dF$-kZL1P~ zFm!QQcJ}swElhGc6)&&cy8u{ChO8F!rB!O}hULG7j!El3)S@uM%H=}CN-g3emLfE) zN6erZd+=f7YF|uVRDG=PIO&V<*9a#4|8fUwGH1|B@qk{+xfvCD+{x#|Pd-O)@2iJm zh|{Gu8wi0`RpY1gEvi}lxT+)n*{L%sd2aS7o{TsyNX`GyBnpzL5g;QD^&5yLha+G0 z1G6oiC9McPDHzJcjwUqNf$)B+9uE$-=HD|vk$s|TX36-IuRu2D#*uzsw1Icc=b_l; zLr8?Y;`6csCj2DeVT5nZPD^<{zuN9@(qRR9S5=XxVBV8*FdOq8JkA_#uC1lvV$WN( z3sZMDG8}eunaG(~zonjKyFHDi2zzxbzRN?twA;J`>gtr{%s4q8htW_g2bi)A`Y6hQ zkH%hs4qE>VX$-YKPA74>31moIh3}sT=MAPwTJf$YUd+!7^j3%XH^sdT<*80jZ3sB) zy}M`Ebp*Cp&GtMTrPsk<;Eov5cXXPIuC7zA@6w#E4S*V8%CN#~el^hP%k^t4DP@^! zGhD*l)9nB47`fcMAwVY<)ls&mn=M*l&~OJftly}2iW#LO;(G?;7QJ+|$TN=I{J(UA zMBGu<*{JDHx)DhJE{&aB;pSOwAY^H8biPK)TYbY3Wr>KRpeRq^b)mhYJ+P?r*q@a_ zId*JuFwyM4BY{-gJc{nbpJ4`?q&R_+Ngo%IzqW*-tM-@;9;)~F{01&0RWHMvX#NwD z99bSkGt0C+NJu;&#aIgQ+;^|HQWJKWTmPa^xb9GR7WP>4w76U&#Yos1zW?EK-=0ff z0vx>=hpoE=DNMHlXokuj!fx32|IV4d0BB=23naucNR9Q9J5Q5wKT$$U)3J|-TIk&g zVsz{#uYy+m%Ozm&GD#QX6rw?)4lhhdbPOkqdRZ@X&c^YG2cMnr!ZJWN*t< z!9#}7CTY@ezRaZK8$2wt^ys@=pg?^9>aRmoJ3P6B&!8le!=wx9&1$W?;bRe~WLSKe zKQ1pIaO`4Rj($`Kgr<8=jFKeP*Bd+KNMZh$N7RSI#U2m&4}#pusu%|E5yxTXv-Yu9 z`w}~zQ8Rk_L0UO&?5;W54RM`p^O-v}bS0Wx=;u)`(3Bm`{~oE@WfqN)FUsPJ z^>KL~;bt0pPk+RpD3HGFJ9W`BRNeG3XaVX!w>cGzHCQGSstt0RQWy;OV^SiE+K9hT zMNCdb@rrzThEDMsYB0vgTko!J>f_yK;7r;#v#MYG3x0Fhx&;&prZYo-#zkwZft>Nw zJi$vyDP*iT63+@ow;S+x=iE!#M@aln93dhH(&(S|MUZ2{BjO8?tY$l^D*0~x+{8K3 z(cwZD(M&3$^NqhL^j0mDU&-mRC1X}Zn%r_lRQyxPad9|lXCwa|kV^8qG=C1Kh0*wl zw5ZtGJL*nVzuf9B&TRZFuC+gmoa>I0qUf)7urs>3RGT%q$DyBKUZQ&d85+dHG}C^K z8Mw8K9N-Lyeb@kO%W!;fIK=806K%A*nks}f^C#xQ#6q%d3vl1t>+)e;_kF8o+x|YL zmo3`_%Qumu81|j0FdF}&rRel1*(U;ul(L~2VNgLjk{*DLgTKvPj%Y}~7NgUAUfYZT z4F&vK0OI#c-QXI>TX$Z7f&B~w8`ia)tjhBNla0P<(bTY@H%{jkh|}pT;u+Oe+b2?G z#dno_j=%vO$L`u8qE1PVGzE|mf%5R>ut@mMFxT-n1X{pLhln#@wFA1R|D`WRO~rd{V-bDl%+)N2vr 
z(eDV$HgYiBYUJ@RHc{syVlo3mCW6|k)yyar?54LA?)&!aSqM6FyPiQNrug1%P zA!;0NODSQeSCIq+*X;v~jSEjymFBo*B}jbM!(P6`1eaW+D3L9c_M3QDcwkZJ4eX{~ zmeAe%{`qLNakSi5r!>*Vq>wACEt=<-=TO%{t~t{afEG!RQ? z==ii~ioV*j7&e3naT$8Nl!(DNzi%exa{beKTg&`?8=pM69gaNcu@mt@UW5JtddN5&3sqqiby;y31~ z5tcO;zGcU^I@B=^GrPqe+KOW6@?cTJg|+#^l0gzSOYt*wz!u!H)s0giz>pacYG^UW zVj(dcs?xxj6XZf)Njn2IW;*HzgTk~vq|xl zA9r$VxJ6}@mV(`Jr5pz!U<2=sbq33AA0YC?QeEhlmrEB`*mKkM7$vO+-241 z;ob&P{*MGbqkipojZE zihKTabiQO*|KPMpX-yKQV%~_&v zLUnTZ-i#CAO&McU-#%iHmIsbrHKL3>$~An5eX5}PTvrmBMH^+Lj`7m@*PU>hka5OV zM8qbCXi9PlfE0&QuLJtpb*)@Wp?lP#eP1||8(enL{6c#lwR}t^67Vk9VPG%a;Rju+ z-R(#|H-M@5et(l?^$E6%Tc9|ak7gwQ?Ce+Df_ zuoHQQlfJE^jW0SY#dTO%TE+dnXdBcO5xCNRB-Kg-C@JXAZ|!e$TXxvT&~tm9jR4Jy ze^B=JHp*tnXdBg5$$K0_9bY?(29qmRvbl1hw%Sy$#JzbDhyA8gE!5OLeUqLL=Welo zHRH1DHZce4q%l=ds_ZQit5UyKuA&FSoJxn59Lma37S=$0q>p1UG{b_|n5hc$2awMYu>9RGeK>w6Qv@(Ia=v!%+2~C?nuL*&e~76v5bq_yB;jO zMTnf4ldlQK!uO-gj>pNn2Z7J1_%_tD%+0HIB9LA@_;vKlC#vg}H3~{v;DZWU z9ORc1FQ)VnNHu(L1{`X4E>#q6=C{7%vMnFM!m6;IjRl*Y#qgSSOs-S1u^CXxHwd3G z8MVHuac_v*k!$6H;ml3&oBLURrGN2Lti6q>b{qS>tVl!F9Qv*iyGUkBrw1#mMZ^z95`lB9C=uDX4N`;+`38-<8x9^@geWN=|9ZK*=U&-!b*m=UEjIv5^j>IfE zEe)NG4%N4lh1nDU@! 
ze@!;J>mPX4A-_X4p8Xcl{0Y?w*u4C{N>=@}WmwMUn2C3WBWX14Fx;Da)oFvN7N0!f zbngLh->Rxd!DsKT+ zO+Liqt=bLLj`?eUxC=x=z`f;yCR^M87SUf~)MG_@Ez7FV(-f ziTaN`@yjpaTgK$2jZg&itBF+u3*9=QBBA{t`tri?5Pr%o6Wh)&Kk|Muqf+>UFOb zrI_hg<=2yk9SUh?k@wdX4>`CAUZE=UNVg>J>jY`Ht8~afVe_ddyo1EHDT0_KAsb2fN0U+L2(`rU+x_TYiORAGwIae^_GCEMVC zCeD>4#nDG(Q6sr(``;wT$@b1g`Cj@L{Ks+?8VaVmg5MtD%i%?*aWqZf%hCRXxr84q z5?)yUn7Fm;YbG#>O8R!+ zy-nqS>yyf*QZohWtRZ6_E5sed@`0CQFBMf8Cf1jP9;BYG_)o>#gn?Da0p zfX9Se&RO7-)A$47i* zmSHk*qmBF~D`Lgo&Q(kd?V*r48sXLf9 z#mz7A#iDh)T0J$|U+&!uhD@7frjPYd>A#KJ=e7-3+ZSKv^%v)Hf7KRQx_Zfrw0hh+ zxUfDiaFjmmu-or<1-^_NKX;ESs+K?Kag9Jaj_0olwOS!FtF$wNt*_hBNzZ0OJe*EG zA{_sevnY9aqI;5>&4(H_)B@}{YD&F+ck-jtct0zBK+tfiz;~e=Dlz^ob5fwslswl1 zCZ+x+y;m#wyA>bgm{z*fPp5mCV8@@(CA3O|uF)#=4B!0&L{UN|dP3+?g3mv(!5-8 z^bSDKIoW|UmVGdl6Us+*2Y<%`MQALAqRKq>G$;T@#NR`zb3>>A*jHNWl%j+%DmCA( zLie>oy9I_0#tXr+C0Uze7$lSZ(d*4FF=hh#0`OB7h%dw=`0*##OsU|93(fT=jZVx9 zS8mZK%}3yY!rmRZARuLGg5Qpm7NDn;YsRx)KdX!QQ7?4esjkrrIy+stUOlf7jH(&Z z_xL888XYwKhx!N2)*`);5DX2SqHdr*>IX@4`AgIdL(ad3fbA~g40^??ZF9oG7pf%WW|4rsv z7vHx1L|lBincX_EJ>C;gcyTt1y}+^KF8aK(4I4U*7WA`^4YcO?Bmy{1=&jT!WK9gwwqY z>GPlrkc#uZ+)cd|{yk^ScgUy=2ruYwcE>TdojysrRue92bI3KQBYf@R+V#SNd@`8> zxRkd@5XEa^Qzamc=ST@Y;VXwoEfYOjNMJx(+3~7 zw!*ij5J+U5a}Ly-{L`9mZiVlKXnV&_yfJTzC8kXjvm4^CW$^VU42Tw>SA1IY!^^V0 zXG+%XBJl{au+h}0ZcW^aqf3qw}9A+x3aDivRoGo03Hv8+>*MR`W>{1QIh|}M|;Y5MwuDk zr3H$}1O|?&*dbE@+bL@f-YxRkx%6cw=X@^6tT!Hz z6E0FP41gH-^EcCkTo%=@W3+IyC^f##?p<9bb~tw`F(DDA29p_@`3W%0dM`S8nwBA9ymBB>kp3yVQT=Vx_)v<5; zRZBi52Ls^2K{+<$-Qpb;88RnS4x=hG)X*GLCyl9qgXn~=OZTmg{fFrWQ9-K_*3lX6 zWxmAF%4@_>zm!4qp4nF2db{q1WpUN;c5ukfpN!@lS0o4w!TShvwA@ z{_8kl#t&zW8T|rd1A}9!rhwAB8P3xXTu2k!|2mo4Iy*_o7CnW( z2}`PqXlP2R#-nO~MgLK~6f)Z+Fv8sea<*Kloce*nw>L1lV`p4`FNd ztIb4=j)SaRKcuz3a=ufz>n^uJ!c*MIjxPrdy*pYA_w^&0`8tNvi-Z5)@rA-~dRvk) zdw;0mPGKDA+Cu@~48^ZC#44+joAD*zA@szwp+L94wIJC2{5Mx2jKzRU=s|TnAA2W} zzCX9L5-)(7w>8Ghkxa>Zs^8Gt&p+;2kT`?yOVr$)QS*A2C_3;#jI{|bVu9EtC=k#g zSc^FtNWi^?_r|!t#*MJ?2ehH0-HB0j%lu#+jA4<$DIW?mQoyeyPktXcrt 
zeEvo~UA#>^5;vdS*p?d^&#kGsg;p^>Pl2Y7JGQf5mYer%`!;)Dn^vEj&szQCetRx2 zdDVkvhjBYa^U$GkSEIcd$u;Vjls|wD6|JNP)JVf9ROVhpY+M8@t*+3^iglj}_chI^ zdZDchun=C&9~!q?^ew`-TkzB8kVC-|*@uajZI8zZ$0FVo;-=-g$K~cxFV3u3WSp=d zNa<(x)gW@=&;2Jw49AP>gPgW~(_>KL!RYv#)o>9gQ~;rr4LEq;Y!sCQA^Q_*dg+D> z&8iwHX!I<&?4CVdbcuD)(tjFpfZB-~6K~HyI6Y1dV6+Nfofg@2DVkl*TS#uHdFVmH zh7e10Rzhd@^3B-+CL`^ohA)aGj~g#4*nD60#)CWdB2NR3MUJJ2gAN)us{xTHd%Qv^ zmvHc7WY^ghQq@Vh8qi+!LO(HCz63D&=E!}QA&o}~1nm72k{7-mA&FbSUhLDI%-A0x zJxgG=S&*oBdE<(M`aI4;wM!G)&?OHUWr#`xcH$oEV(4;?fL#uR#7rG+JcXLmWc~h4 zXGGiX^&g7y2I42$P4mSDi)8g|TI8d+V6kI}HjXRJxAIffB~!7r(m#W|_jT#&xCq^O zVm>P=+OJ@VJ9-iF9@J(q zM^l`UDA7@1AJX=BO-M=O>-tWOvwqulKIiKPNb>kL$ zvSaJi5fywnyQ#^s%1}J+JTSMOI7`N1wfu4VC8tVljYp*MewRjg_yIlWHg7ZB{a9)r z;Nak!v>GP-*&EG`E${W}67O2f%c_;9aj9Ubjqk@tZA#`bl_f{q7(W%ZSf`_9Vt5Ib36Lt>&tbF^RD82nkqg#Dn*pEAkrM|?^cL$h zN~54aBHxxq$m-{+?J{po)U1M9Mi=TpKWNBV;>{Nkf4gXG=e|GD{8}%Va7& zKrkALy(;e;EB{|z0+k)Y5pMB1A$=Hcy>_zjNH zr1EGu_IxNT43guE zvJv-3LYY;Wz-E&2#f>N3sd@CmVB+>7WSPjiK);Xu$}Yc~@RZ<+rUWGeSW@kCZSq5m zyVVa9a;@ot79a+>My+VNR=j{CYsS`2OOkd1z#76m{HeVVVWqzD6{!T;r1$ZTJp^l# zM0#hvYU~Y7M6G2u&HOD*W$x;-d^WAkc<8%IZ#sCo5-A8 zWm0{N7I?3eEv1*lS48wcM3(WertZy`&WDi1X$bEJ>RhbA8YV?JN*FbcP8w6y=%^wN z*FY0jNP$v0hP~;fiD0$;CuA6L1bnKDGOEB%6Bb*L<`cpUb}?J{2a{!?Z)xsjNey zz1lWKqdR`>?H-XA9U6M~DW>G})`U7DWNeiLB;ol&yu?%Yf!JRl9pX&}T3)i2&&h>( z8H|e+q!GinJ&9N$-W-Z%-x_C;N+^wkzZN2Cy5h#P*7AIHkSkYjA(W~sehB#uH*odn zo)QDi9HUzQ*=L05R1v;Z4MZ%sEBqRE4TACuZsvy1;mA|Muwt~|@g$rC(7v&}xx1d6tvxD%4v1#kJ zLf{Kl#}A`ThVZi&#qOB&*@T^9jvL#lvpBEW=I&x7IuF_$&xP+E@Tg{R&L?7Ji%|p( zt3RWrfF2`f%l&+CT+ghV!S1k}5x01dL90-%Y1#s8%g&|A0U{{)-nsly4yZji-`+AN z3n&t)WH|fcKER_8EYfp$dtisHOr>Qc7(j3s-d8n|H%3FX60m`}1se8nSsW%QfU1I% zTMec0`U@Z!`WHQ*ei50lhq!AYhTx4&YR!PYLHYE9by(+Da^tFPVuwD1csO|x(7X3G zxMul4BbJe8B^FGWxF9nSg&84|96x8O))Q25Ia|nfj!f2nZqtY_<_pt&P;r=rYFw?; zV$Y4GD}?-!wmb-PD##qdy!QNin97ENaFa=k)ygjcd^2Z8nvnXS$8I710cyM#!DQjX zo7g@=1_8N{9_=A+N}qBfj+noa%AoZrp;pjeSzt*j1XM-oQy&kCfmZw@tn7$aFj2Wq 
zyr+Ma>A3a9T40d>@rbDkj9ixAV)Kh!YI3JgedQ%Wra>U84M8U4s874fh73l1Hi*&{ z(w+|{EuGqX^j%+ZmVuBM>rV_L<@ZKiBlYW-opw+k{^wF0)gHoAdirKg^ojhyaA1`VBCaN8Jx@fz<_$Aw)c zYB8d8L37SVO%6Z=my&22Fxx9&&zivr;t><*$|TTeg8Y|@bcH$s;CX%<=24sJoI!*A z(BsVU#)dOdpR(W8DilimQWnGVXb1MS)!Hii@^>pJ?axpShfEbOnn!|u$7*(B>d}M> z#6IuF6~v#}KCeXcbPvCwSOQj*Tqe!J{oC}1Ve$l@>;=>agMOKVJeMzdYC?0ycD70A z8;+>r{K%k8K>>rAP#GE>HBwy}YqBJzP=Hbbqqo!SpL5D011&v+4ov^i9+ZR( zH~zbyAK_(+v4VVueajA~+H%)H^=D#wT=aMQTs~>A{`-FeUg6Ejyi(9V zA43bCB#zvHJ`$F_C?!dzuyOve91jz>Dbm)5OC-OR{*i$SsF|(9nmS#5M7DDGpa)zM zdQSTyaR=z>wXyN#T`7Mto~`9{Z#OOdBdOi<$Qx^8WtU7M+PY?%T{A@bA<>#!uI%VmIrA+RGGr#nIeHz7c$ub25%4L_0?t zY+i{EYe}%PCRRCX{WY*;__O?Rmg1r&l3d9YBjwdN_^)FLD75swtOB4hvtwP<6@Qk9 z{jUrW`-M%YmP>F^7bPq$#6)ib!h@MK-6GFFeJA@i16~w6@u-)8Po8eaIX?xwTmcf_ z=&016hjbPo5eG=A;E3%jua0UjG?G@|f z;(N_6E^Kj7)%@DOXOLZANnLC>@XmxGKgDY_@L3khQHLg{?Gshp;t6{R(n3pH?f&?7 zpmIs__*xdNmAXYVluDp0j@@wYn~x^R{WVJFL`GHhHhP{L(fNXxAz0U^<1w z)Ewq1hD1OoW+xZjbR!=2^FVJOND7C4dAbi@8x#zSWc{h^FzM#BEu)@Q`e&ZR{X9AS zxTU5E*HA%Sh;bVV6SeBDt@u&N*qhCYgtVbV9@w{NFlEUlRufep(T-nZPJn(>>2RTqlS za|UCUafNnGCu&4c&-Si>r8^ z>4ozn7V4P47!2jib@mSxA8B)}2Xch2q#ViUXzEhd1q_MAViS7O6!<@u!eD2X8)r;t z*5fZ`!kU>!7)Cf41J7RTk<1VU0iREq%WU4REsCoP-9us@92Fxj=;Ru%2xDD1Cwvq8Yc7j5jh?1N4 zAMJ{1OE=qDzK?Xdj zp1jmUMXLRS+I}|FOi8icvifRfS7)j!A&cF9g|AIoy5?0L=2l-)=;I3cN_>28xBR1? 
zs)9D5!>OLuJ7q~5ErSoh)~LeEhwno2g4ixHP{Pub(G5vN+%4i;c<$+FzhcuN)4RyG zM5Ty>`Gb&U?!@d~7N0n(`qSXSO@D~o3KBls#3LoXIy;}$3a7?a(Y~oY#o|NWUWdwf z5ZjKwL>NY_mUzgA_>GfnZR&^# zF-rfsJbFfT$tS?MM1lhU8p~MlhbB&}>44cgoMq zxGw{wx1_lSG$-d>Jl@4rkwF~rIZ(3Fy6nE>Sv*U+F zP^!h09`TStU!?O2^e%1}UfE9Qrb30p82|EWmO?;Y_>-aTusE-%<0$V6L$VRg@|3~yViJai?eDmfMW*11qDXI z`e2x26z(q{B3pN=YjFGJ);tS|>P97AjC5^Pi^ibf>jvH1_b(JJzxB965p(oUladi- zggA4lF=_H!HfB3Ngs`~>G|f2IWEbA>J;v_q8QtLOv&Cj#*e8|99e3M}z9euz0hgXb zEv_pM2y|Z`c&gU9o=+*|Ca!9;_lAqP0-gs&d_Tz<~K*}BcMpMo67HL zkCX$pVS1BM#Q3xX69u%2UXG7S5iK7K#)xLy4+j6cW<-jMiQh%l!LS0m4;vJ+{f)x$=KXe;%QJ zbZ0rY1PVB=3>p?n&GRLvmpfPejN3DZo8&>SF)lUBXGjJ~WZ>j$zOUaq7CbIbSsg=T zBYvrOK))g&qn&SL2yg4w= zH?QQi#RYx}u0aOOkvJtb8VHnad&s{>Oj(RT9C5~>G{Tt!FXZDS)!&XMMGYhD+*)7_oA|o}QfAe^K$Eiw$O4l* z(_+ReeOM@?vIHOD%_sA0|8eknsuiEAI@*aZ2(b}1#3sdgd5`J!qO#d_!+zHr4aZ6s zDK>BGGb)ik*>>Ju$Rn|ZKR$tM8MzkGj7tgEEY4Pgvt>uE65(#Y1`Z0R{>qcaL3CD` z{(bztWGCcH5{W)!ghlpW?|DhIxpcnRPzQ1;_gcS}@|QiCkJl zDMBRQ7jwKy3@r5-TG9@(v@z_y=nUnUNm?vkk1hz3F=sqWS$r!e)?xD+HBI)v+eT#pR zwg2-Kgkr~zo*X<@AYVa9zi6h^{K}qla7+dS`mZDQR68RPSJe@4WN`#(imaS2rH>L6 z{3`I5s6w6%ty`eO35u2Fv?HArvJ9un-WrTEw0JPt7*x*fXvd#>WDJ6p4FvrG0j+jh z3AUCU{ub*leDh9{JAqHDXHy9ik=Lq(3Qq$N}8HY)(iFi?p@^VgIV-DsGHKYYK* z*DjDi`>aCXla~T;td4irp^2nE#L_DB z4IfO+Y>B>8Xb`t|6wt)P2qurL?&S5NXS%89>DwkmTn-kwug*Mo8^e_ma_kprW!*Pk z{{CPQwRmyU=I8iKI#@B1K_~D0TRdy5;)ZJTv9d?CVKfKL6!z$vOqO_1z%;R5AraM0l5_lW8ulCkoX7)lA^9%YTt~JB77jXx4nF#g1&p}8FB>(lHELS8 zu>axsmA6q?Jh%Y^UyFl}a3xp$>+oCrZ2AGEN7d=GvH-PR6%_})T`f)g7?(ar&fr>t z@lzqXf>=heNS+L5>k}jB^vEnkny!?sdKWbcFCB3k1YtC*DWWXQZ#^RAGhj$Rzq7Mu z^?n?>7u9r{eP`_aK96Bq!u-Mmxy34dLdwPr@WBF?+uCeSoBqw-fByXSGw^GHlB9!s z!G#5GFGYyKJ82{{iK!Z6^7B|?`ffHxX6f#ae|iS~Q&3|wG6Z&hJYn|hFEwn^2(vSC z8k)!$vnTGWFDS6@XNO4fHx7ye_|=`1+2(t@`9}Gj_^!ySBuUHJQo7i}@j2Nn-l4x4 ztned|w0@D+++w3o7rhiNM%r+&);uaa4IMlKA0bV=zJl8fU2DeNGMAkGU$~>hBQJ(w zY|jy3cGzjS7m4jNHzs=`<61{vE^37EZG^-f_=s!Y9=6II7`}ZV|qygs& zo~I4%26bdm@@t>TDJi$AWGd$G(e?cnS;YIJjFEU^no4cf)D|#Ivx5#h;C*n3fgI6L 
zPjf=re2B_O53a39Kggt~+7mQiZ|^@i4dcGD#1SGTspxAP3JS3>eIa*j{b6Wy9LqKU zq1hnVmG$XJ4=u&`57+cRSp8xo!b)i}9R{+Wm);m-(8Y+o9s~+?j}40j;935Yq?c!^ zw8)7@qlG9K3a{r8JKSpylL~te<{lSL{+vo`ayU69ysf zITfLGA&g^XM0Ns&zQ{@yqXf2{gRBlGg>_H<;>_(3{U>@%@elt1RBpsX@3y7mBuHBo z874)Qnl%bf+xY7Sq`PD#a6)NU8DdGV2O}9(On;wF*IG9C+}byD1t1kdA{TXFyk1eM za(QQa>=Dp!+PKK(3x$42f4Mn@v{xnRloXw2NUu_`P(>w>2YF(=XNQmSZ6Ub_9mOxIH^?p3{Zv`+|L z-k-jQV=C)yoS$571tx@gX(Niw?$co#;`;1-qUJ|>F$FNFescPCgsc|K)0rtey(Oqd zh-R^m@}`j{7x-=#*W&AscZX(#P_P8(ko)_T8oRTSqQ9u6CDn}>2fI49Heu2+daRY9 zmAxBiIt9i5+QqJ*SjJa-j(t;*;})bB6j$OQPIT8&4GkiVF~zJTr-i=dXlq|*0T)8L z4&HnsvjqcIQV$f{A*Z(3H&9%2n?Bthc-qXv7O*i&>)M>NiEsSKoBEui93=k6$jzH=^b_?PE+s41xZMF^WakZp5;yA{Db12)>QU^kT-Bx z&jYzVGpSwwgel&(J~-qb#53iDd4I|`xVgD+Z19OQHlu`^PC7_V#qo}+iZeySFuY+=MC39ru!dqp#{^IERb3dP(Pne}fYHTV zc+C1ltj9HfVrukN9fx4Q{HqkHZF)yiq#`;^nxpE5wwMaf>WtMfQlnqvnSxVK|Heqc z!NDefUlO+HTbS*C;)1s#(tB_C!*pN&LG!CuCRD#HI;1tOTOwYbosj7-7PPq;3Q_fW z@-LO?_h#5?5|SOD75|Jv7>qpnN|mWk@JOJ1Jg)it{f z@NNqv;pED%F+!}5Hpd?~{ zlZgE3)r*+=LnHc==0XC-jC2SQ2B8s~pI8PWcGE3{GZEfzIJ<&G+j;0nn0vt}Kwn05P^&Ls$v9 zAyZu_FweQs^YIf4RdB}+y;o9bwO$Et-n74H*rriI6@!jmJD)Yj)M!o(p;osYENvJf z+N`tDG+{&|Z?iKn3O)md&ES1;7OAt^djeZ-t>gYMCb<5N+4k3)o0H?~m+Va@ecEx& z4q09A2F2icxDhbhta3x}OT^kfx>IKcB#rI(_ZbistrABqXIQT7NqC`Je#vOYxd z7}aQwaIAx_2|2Kc9xA(AZi;d7VBc$=F4ocCJ60R>lV^zz!qp@efffXWzGzO*JtE8o}CSZe5&&>O-YVpo zRzFpqnoz^MF7lOUD`E+iP!FKVw6*-Wm(EeRQiJi->=D z#|pE_H)cw&@M%YsfrCMmTT-fAw-~wAdSoj!-09|!p3sy;_Ri7ZG*h!WYTpSM-B^73 zwi}}?eR+t-lW@YvFeh!f*)g%(^^!1Nr5rEgaH4reV#EK9hOap`s%^4`DHsNh12k@)*`sisA>fmJAC-b&w7A@&$yS=;MMOj-cSmAg@CWJ+da43ucM?BDMCt= ze%No|eX|dotQbq7xr%UTN;;aaioMRg)9tKK9wHjs;!g!=e#o_beqzIvtytqR6rvly z`lWI9aQ+$WgGi^|Ys-v@`7X(+IzJrQlb0nKqQF}jVSeL>*?B_l47Vt@oBgRhnX;fI z`zMj6vJI_?CANs;JSZbZLs4|qpQMtwU8E^$F?6t0MZVcKE8iJd$+5nLkh%U7uzc}; z9T$!&Q=ov!YF)bII}|^u=2V{~yGI=LbQOr$<4|QaqnM&T5b(CZZpoyX`4z~_r-TUq zMv1p4&uPlbo(oHOrW=ajaB7blY2Bso8S2a=oE1T{Kij@>3&_Oq(0^j`UkZkcmiL$yBVN$Y`z22=xB>gj2o5&`yo zyvZ6@sW?JDp4<2WxnLG?AZrIlQEyuXMKHly~2m4jRhWsb7!T47fi 
zEX4Hq0)FDP_;%{IOoJT#@=kP#3+R>>%Jj3vj43Ts64FqlP=TQ^M*aOCe1Gq>-S1)* zzOdD&Z!-Yolg~70?sM2 zBM=db(H{fxYq_49y(y$UZbzq`BhYGXRW^}!y}EN?_(8qdpJwauCSaZ@;wbraKkiur z&GnCAAd)+#mNfN*GC(qC5>fetmeS+K5Zx2Eq>GEf_@hgiTvq0W9ak}J{&(@(A6MX( zlk|47I+zbQlasNSMb?_BG6=BQd`>ugaaQg9I1P0)v$s#DK+5F;KaB}R8vb5i5h_}G zl7=qJPExYUYnHs-u|o226uG>>Il5S%s=`7^(W5Xw$>ZqK zFat$Xj}&LK-An5HSr}G)hJT9|1NaP8Rd28W7acy1%D`F!ev~X`M;h9TJau#Pl9Iag ztl+7T05#e1IjSssNq8~z6jR3`$abSN$*jI0Y$yfeO|xd}&zqfbMvaZ37()HSpq)Hq zq%i%T5Y)PJsWyGk*>AG5rH&v5Y?3!VVg5B>tYs*P@#!PRI6wpTDdAH>QF`gpuS5d8 zFYj7jnt2Ix0@U#IG|jWJIok*x$Aqh6kFXnDNIESMUaFx1GegIs9`?^)e|}~uy$OQr zbVK4`oj2)r!fA}tn>$woz8891XJaQq*nLXrFuJ!SW;7emsJS|TOA{XKt*d<%;0o9m z6qR~$9T_4ho1Q9pGMw6IS6W}q<-y$bM$U@uJ9|jmgjV16F(mqWao7Qg4DGjNnqPh$ z2VT`XHvZ=0eE@hQY}{*@w2x)eUGZTRUeMV~swY->_p~T%2eM^K>Ch`N=AO>V2*1&1#r`lvef5!UX=!Nh@iWJ~RO&$K&+VrPOQS z^pU_e`$dl%k_@OL#{i00=0eSI=Ol(hV>SL6MH(?9RR@k_W8kM%)MGUA9UA8@Zv>mS zR+Z+>@T`UUBiniQ?hy~aQ7B*DkO6yEc^Y0IwSH|KbhDVM+k|YcBaX^f*|D5Q3S1G~ zw0I9^yk90@R2nzuBjkAGssf>a3G9BU#e1Sp#&Stm@N-lMf5qp0PHbk?iLWZrOhz7B zH;M>3{h3EWM_=HROUkx_%}1(tm*9#k(LM=l(>m}?IU~5Iu9QMBD=VaoW@(13?i~fo z(d>P1g8PG~ld4`9T5>M}ULpBtCPR&!9d_~^jhZMEq`U#DYUwqLrZVVMxvw!m`L9Ba zEKk7D42=d1%J9({{lanAY~_r^@meLpS*(2V!+IQmMm*i!x{%prtg=xVI;p^E3Y~zJ zZTYnhpKJyw8173U`6IM$8Sx}|Ux5MHrcYvvD+nuWoM#=!u1>0WVTN}|~q z9Gr*eshht z^R%ri~kIHzp1L9U>)t(Xx^#!H-?*p>X{6!blVV5Tf{7wC^+kk3WFi4db+(G}-ZSqzTg zDwrxC)!*Ad$ecmheE9ub=bzkLgEz|e_;iHN$u3L{pwc2kt5=tq@{1qUVrYi zA%i5o9K1e({8A*A9Jt3ooC3dSwM9%7doSbT84^|=xWc^9`B{gwWHdy|c`M?3=MGh5 zOxJzfcFLXFPXWe&pA1-};%zy17yt}o7rFZK3X|+V3&RMQO~5FmtbNVJzr&F;For^v zCiq2e0|@h@yOdNN|B!|#O}5*$z|QJfQM}>|YzvAhxD6#6#gm;ci1xuQE8bBV!6Ye)YG2IieWo;;|ITxi}ToeNAg& zSpl`$ncc>C3%sdXef|;wvrQdsD2Ivi?Svt+QtdT(fcN_vA&EtyP*@TVqK7QS$gYd$ zaO|{X^2Nc2lgnf;EZZ(5DunFeKE!Avz`g(fZ2!oxJA{X^sjqH6q0FvTut)Nu`|iZE z)I9h1X&=>>>(hto`$TnlrIK$I1*70EX9$nX?@seF_aVTi3e52xR##=zs7OGyPAsuY zOD0zMs`3M>jq`ar6w{4o^>E(&2-QemW2wpHbWl244fUzca!G86CweVWoGg?P2?b}X zbyiM2fBs140AJ(3=A!!;^$sSX!!y&=0SI$bR}7)Pv+@`=H52yqF-6W!2R1t?XzUF2 
zwb=<~YCQ%}FQ*LduZZN~Fs2eS~dEy%>Rzsdy6NC_m>pyXwpwGM%E zaxNhcO6}6_5HVZi99r9X|Kux3%l07?)c*EU@9h^iqj?K$wx29EZfp%P$MA0Z_gUUZ zlfvMclDOcE=9=1U6&7}r?LEm4;TVc!@k2H^Qq7MqhjV3RMG-X&AfiYA4FP`xed&ix z3!Mc{vH^srestbST_V=|A}ZHT-dd!Y4wbwsx-->b?rcDYC2`O)-$3)(di2PoFsAM9ZN#$OaHj~d21&=8hZ z2`xO6(--#POiCtCW5J~ak$(tce=2ORD|&zo>N+K14N(ijk(e3m-E^|JUoT88fPnvZ zQr+Ysje0&JV6hK!lk12kWke~P->d=H;E{WZ!^?xew5g+5i%xY#2oqV|k<4J@MXLY_W<0{lv;u#Q%g#XHvY-EnPft9!hTYEI6|MYU#V%YHzyXJHlSEv zy-y`TBUYCTNXnMr1|5X!R=&U$7%kRZZ5~FJpuSwA&Jy2VQ-~ zRKZxbg^b^9;r3qHJX?Q;)*o%}^Zd1cK7XuAuJk>-^Q1H?bk#O%KmEcvGla=CW;3Jcg7FOR%EdBvJfkA`mTo7zu54H?}rJV|E6v5 zMcBR~?`1po63SG=@LZ41m+4B(b2`fC5sVV7B-WMUMT~fj)P1$Am}8*LDKfa|`&JZ0 zl7*aMtLFrv7rMTY^E-nihGHc~b-@wKM)Fe^GI%V<6nEUu@1sg=cA4R(vt)bBA`)x< z%B(7Z#Rv?=>VE~3HOI+FY!B7CmoV&1gJ*kW{`5=JFKOKmxr}#kXEnAx-ul61y1r=R zS`GXks5PBKQlE2?pS1z;`(e}#Wg;-W9Jv+*97^@Mx-h-dFc1E;XRV^fh+^$!;MCjadRSu)x4H2< z5q5->!D_Z>D`q2Iuz&;mMz!elh-*%jOgZuXF7x?gBl!jKnp9FR`3TsHF2j{#c}Nb` zxK&e0M9nD-#o7P#O?;rAAYFPD$F-d%mv48{MZl<8j|k%o5wBxd`S@{%kYio>1xB*p za`6^vR!z_+Bvip1+YO#hX^q_zz9b}YBsip?dP0VNkx9WwK>KGkn`vCUQp^vooL^l~ zlBV)d=HUU!YBR?&Tr{YcYv`t5(}eNObH0)kv&S;LvZ4YI(ko>HkWg( zWT(=jwXUw(RhzUXr2|T%uGY&9n?qM8imrs$3#JBQi|*P?+)Lfwuwz=vHJ+ueRsju$ z(1SuM|FM)3IdV?rFO2uo-*esRY#G5q2_9EFw{-|(1C_p}x-#cQrQQb?F9)9i}A?-h`ufIXiO_#1H9`dHzV}2@D4b;qs%c_a6i%6E8nCYL@y65YXa8)N7uaJ6Ns= z{RBZ7x_to~Bm|?NO7?c?Yh1D=v5KM;=;I)`Xese(T zF4OW<_J{>v4ZXIS#t_k*2u~g0yR+uhG$>H;cab#Equ6Mr6(fpE4_6T7@c+5;b*!X_ zE!Dt!7o_)fhLZRxi|*X*lO&ls&5sSHsd6g1n2-q@9y$j#;OJ@rAbt)u25Bl?m%SA> zps~0Gudv+D^5f1IJ6l5^Z~0d5E;vg~*m7Lpyr4et^UsbYZy!L#*P6Bj&QRCBrXU6>%ej<9O*<3f4N+fdfE3Ov+8a|Syxq$#uUS=c>JRqvv|u|96J#yY6^ zd8O$H(3X}vIaR|6u$3Y+&-;*0kIh!!72xuL&+OmDn@WOmL3h%GN}%{tNQ%Xq-u(XQ zUwo?$_hb0#f^rU!WK&n=hl_A>y#O5%J%!5hZe=JQ?LcpOu)vP~>1F{&twZCOChBrekoV%Cm6<)$| zt9{HL*s`)iIh;F=lVu1Z?B8{DSDP@r1?}v)Oqmilt@*HI9iOzp$KuYVPwu-`38Vl# z!V#=r_;61)o^nmsDRWu_=z~RKd@9~aCWwXI=it`5Q2JcGl>z@rjt7U`OP*PJ0J)L_ z!Rni_`3~!htNlBu%<>0&Y{FF?Yx9JpW_u;y^BuM{usAiWdhdh_vpTat_2W{>ScUw6 zoshZU04o{n*!neg`Oi 
zq&gX4XrF>wk=S@0v)*07P&6LjP4;w~rFDeZjE%Ou8owHMh~M9dKAge5G?>+HzV=&3 zT(9Bdcz#QSq*#(>L;!P#s@4tc%ei8QLT5dMTZ~3V)b;a7i>52Ih>3W&c;Jo@Ven5F zby7 z*jg4~pZG{%n5fWsb$Q5>7C=e#Fn4E~{|x%dy_`Qvf_*+%Uv4UHp3*~3_v>|>Mplxo z*tEbA2A~uC*A(G*!jxZ+_R`AoC4D{<2SPw(nK{1xxpT@{c7@J(twYL68K#s)Br}!# zp*R})dlMuKxv;YfEbIH!2awb%>%biK=UiXt1e^25mEfGYIXB!P=#RC_h-bRDaMu+_8sQ{;lWQ0(G0&IVc`OI-BLv{%kT5czbDe zP%A0_;m<4&2C>|X=F5chr41h={QgR%hNYh!-rSzZ?U;*#+lH{f@Uks~vZ*jBk0l7W!cFT|Ab-$|~EA zuRlEhFJlP}-vz@Y7X;Tbv@eFYxPZBX^d9>ZO#w4Cqo#a37PkPqXDs=Mj~i2Uf;RPb zG<^6ji`wE9al)wl>i4?GMw!Pp0lVb=*@1yWV2k&})1$MJJ>`SDGDP-hX+ON>;}gwSx(fj=kP zAek!swWUQv=i>0io*cgBhaEpxFM?1$y9X2zKp-i!n2EQ#@t$(vZ-hS7w}6&sm!b42 z^wMs*YXM6uzBPgV>Y6k9x@&J;puoG2Zsjshk*om=KO z_pPLelIpDS36%Fs`q7r#zw|fjca+S7%n?%{o#6)(uK|P$xC`5NuH=NsFA{0ByJBK9 zg0y0DZuzT>NXoL}Jz2-;=EbA(MJpgHy;-aKHg1!4c$BNTt?c~4Z+2~kkCLA&uZpK( z@G>_suTehz2i|uH&W!{eQBYVKbvXFqxLnvAa>Qm*NgCVmr%zYLzPcB7Pso}z(pYG&lr9(rjCfRCR$xKbIoY^X=RBSHFmI!LyJ}e= z5J5qIxwN}PxL%OIKl|=7*|;glgK_bYWVro&etJqw5HnAUulgA9(QU77(t+|0*~>Qu z4=ZZI+jgy*@T)jeJ%Tq|CnuA%#Du9Xt_P6YUyr?EOxr!=seSgk$Uf7ydi?4#u$RpQ z^1O1;0&GN+((0w8Gl-k;$NWiWQ3L~ncFgd4r1T+4vl^0B!0t-wvxJhqjl|xWGe66C zd$ZNgm~EK;u}GZ5P?GjD5#Il1cEd}vOaMdR9JbqHX%FoyeR@A_W|inVC7b*kMPtLl zmNTc33HtFneW26kExwhy4rfm0?=T1LJ(LkOA=<89ewXk==bhb0cy!|H=C&;xx2yiV zZiRsHCKMJapS8CICzJC*?`X9Jyq^Yg5m%5|vP^Ped_o{JFdk8EI_YLJTd!@Gf4|W5 zC-9ZL3v+ih*82>EgtAjHcdRw36d1=NTT&P#s!LyD4HMMnh;*eQl2R)Mm7G2i#o~EK zF?KYYoo(r5m~9uV`poJ9b6Y?cH~&_G>5N&+e1_naQYK*+{;a}n01~HPfZnUGl4s3p zWd`F1TzP~7w2Mb)2>QIeIDp@@m#7w{ltl~BcJ-`UhdP|p}5u2 z>h~hHj|vi>ZNZ&!L1&>_r)~sgaM}|b9PQ?Jj~JoART32>wWhVSO-$@sBS`NIXDB-8 zFSK4BirVs(2)YMFC^?{sJGAD4uTnNY_!-64hIybRYa8iJ9y5w{3s?H`pdMkYlWl-+ zT0+oCIU-z}CR7Lq1*m+j4}3`h}uvj#K={k?vcmtb_R z#{#fq`LJ(a37J7!99e%p64jswvj*oceMlBrOOX_Lqn=D=vOXKidn12rOju!0hcSI` zi%9oS=r8p`fOaFwN59xHA-d+pplYV7rlE-JU0$Ls!?Z!OD zUH6(8v6#i}w&qIi45eU=Y(pv!EaWQ@L>MG~a1ixD%huT*_E?7_{khE$GpeV*f}1Ko zR`G~T`1RZ?qZXwSymro7@Ja7)(Pdfd!EQ8@PAk7xP}VRh^}7lYQ8qjY71}?+H--Ic 
zP?OUm)rDRy6UL`~4{EF>(NY$7E_e8bip~>9ogbIja|4w+p}q=o5|pA`VrN=;!5;2` zc5RYEz>xaYBOB{_p>8H15_tDSx*jT9QA=Fdlvnk@#eL7uS)MyrpQAC2hX{%|VC(qy zGnL(X^p$=O_d4+2aAiwa*s&8%rD`9YEnc}A+**KH+L@iddB8eyZ1bL=lLD8@VydA2 zb@X+i^H!uy?P?42Wqu74y>s1haV_0R=&EOq(A)g>=>oA_b3pYZDX6%+T9eaY2h+jE z!L1+c+Q`dn)jGNV2%4)l74`B~Kd>x+?P1zFtOra*R)%e0rF)#6{m+|`boYea8#f*$(9a!x+GjWs!&e>8b0HfJ)!ai+a zPy@9&Le8XOxG&F&r%@rTnp8?;X!8}B6tRKKDH9DB6ERhbyKh9~Ew^9cC$EPeR$=OO zt_T1lTkU7WEfqHBkgVwa8GLC)zLk9p?iRQOL$!u$7vSzDOFU zB&XVIeITK+Y8y?c)NV_ntv}$8F>eLuqL))YR`Mu57KsO#eZRZN-=aZ8xGOm zK!Eus2xb4-FH5^sjkUTJJ|j)(y5>pG=VmFfq@#O}wvyDE@->y4^P&9pxaU-N=b>~p z!&YIMP0`LCvj(S{eJkm+4d#1u^B<+jV}v}77-H}svW^E=`56UT8~66uKSs$BDkzOi zyo>801~+4(I(?)R{UH>q3v-)YV!QR_|4zvyhHRb{fOiYz$0gzM8i2Tjvi?|BDq4c=6N*Bij()keEc*K<6=xHc3! zS6Mp!Z5i1{WYfy_wDT8D0o1Z>;r<6qkVg{pkl>*KAzf(O?UJqNKK&8~girfre8)2+ zk*&l1`^{XRG-l9BvMp0@aM2h3YL)>?u-_LBak2GR4K{G(O&f-wCy&*d1b_ zgv1`Pu4FK1yRUvD^>QVcnx51cH0JHNQ2ENs#>Bkwd|eY9U?qYm2W$$4p{mvZ_iJb! z*mR(v?Ra7i5Eb`js`Fr)UybnEKC3xGeFf9<<%nbzCVMpT81)94HgDJ#Hd7?|3wpub8got-8FKcUS z9uKeW<*<|sL|+O7Qk%L~)|DPVVJ~&*e8Lj@a7&L83V3F8SKLzhwZ0?_dezWxZz4K_5OBi3E{57+5J;m3${alL?}nG&yi6jOjW=QkJXbv59(!UG7Lt8JPOW;=qL4a zf#=UOr{HrV+SQ4B(ATR-ebKVIThwQ!;bd=B1xL>r;Nq&Qk)C6u(Mk8-i2OFhw;3TM z(0~B^Bqk%x1S`#6zX>{0eS8=4tHF@z=@Iofh@Ujq2ZP}F!v9w#V(mu)ZEDyL%no^T zMbpxx4)Y?|ikdS>ZnW1!zM?uROnrkGx~kY0>&;8x`#uBFcrW)LBT#x z2U17@i)e0@{Xtr=IvW)J+R|Nru}`0Y1)k=|8`}^oG4I%GcnEV`*NDnNj@rDPgih>h z1KmmbooZnE1(?nc@oWT0BLjIYrYyHjhrH#_s4pFP&0C({sX!=mK5;fCmbf$GO14Kz zhZf0Vo$lQ--kgG&a?3ip4{EEkroXXs8bkN=xOe=72xD-w(jrq8)1GR_-r0De{RQ4GJ~j|G0jA(-K*@LZ5&xuf1S@l5XS&sH z(^h5h)ynD|t?rr!kG|$^Pugw;22k>i>eUkwA7#Ow)V+P|5w!HagON1y-~!3M4#e|L z3nA*9D5B;=?YT#w$T!%AN)Tc9B|9yRpE3^w4UQFUUmP&JN9H$@7*YLXh^D$rk}}p| z%TYC_GJmf_!v#ahVn>CTiXf=6n7(P~Xf1K5r(n#}v-cp}7o2!XcX~ZLYB6iVT=Kt+IJvlNMCzz@E42h<#s?6p(9~lR~RS8*_h-w6X?Y?mM z#~_kHYIzPAl&#*63RB_fELIlS=x@Mf%OfH!D>h2s4OK0@a#kGfFyGF>N>6MC3dGx9 zqEI;P97hBntuUd?9Q_CgUd8@tdU|Bi#JQ!(G>|#SQ%5caEFhh-9?qI^Y+MkQORMeO 
z^6NMZJj^DWJ2w=O4L@=lZ4P88j*=5WzXK3n3z!@_@c-Q5EbvhPGaI4ofLCW=CqXHp z+FW0BgAd~Dz>%NY;@Occ#gTvWOIilLVG4N;O1>7*srdoWadE#Z)Km-V-NgABr$n>S z!hso&si+vXEOli4pAb8UDSUR~KnDtO?oy?Qkn9O@^LO)Frg=L)%|@?J%~i-zEEXFE z-6RgT-XMnH#6-iBG5u-a*fQjrP>d}xOEZlDwxiiz! zAdcWlSrdt?PX6GHfsU|QahuvBH8W+6e^I93Q0X9%oBGDP<5@}~_cr(Ev2Q|Yo++;# zT%+Udwqid~Z$84JOHk+^I+I_4M}F`(v=0+I^R$WhC(*w$QTlK)Mr?s*C0z$t7<$dH zkCHd_dZ&@R$4iU03CKSf0_^ma+RFU-{`|Mir2P%IF$$$00e}Q$-iR3<2K;V#1mgG7 zJ|P#_!QJ*CD%gDdx}i@=Op(2SPp%En6is@ZY~!*a&!8^DMEi3<;f9M3lr(5Oxva%mkI` zd^2^R+bF(GoK>)qeE~;2<0jHWEMk#=?c{h7ahI2tASxNGIGHb50IYo}{xY<-+le$` zKR5V%rN1oqOyp!**9V{ab;h9lW|cKuOWzyN(t38B4l4>B9*8QJyO8RteBBZ1J9F8gKWIzm z6<$+S1)ta*443o=sGQh!5%uHRM@&0xrU3Gc~6rKFmJR78{R zqty;U7m=a=uWovb0QBd^0tm2f+OXoYM^rA4nU7$*JszdMB z(~JMECYyG zn3WSpj>YkY(YUeXe#+uVscvijFIo@YkGyh~{Oy;M7B$TfrlB+4GG(GIUmPlC-RW7< z0h!pZ7hlq_tjh&j{Ep2PP*YEON>6%tY{<@a&*tb?q~G7?b>BIZa-V+?!Dx%KFf{)( z1zEOmU|?^e8FruG3MJGwWwJt90rAF(`qV>2wxSsUMrT zl>7Pi{k!04!`rvcEzjqH7N^`Om>_lWx!mIb%59LXrv+a|m*KHz=7y2c*u&>YH;v$F z+bH3EbciYeE+OuXzOAQ-4*C+$dsQcy^Ud=k`{x>97or~jo^82|v{NOKVhge|$bw*5 z`TaPH%KYFzc^i7u@ovh=dTJ+iK4a3>6iP8JfDmsy8;oscO?dkz;6BzXm*h$!%0*`z zny@td=ovNw`ClolCyP)}S2c=(5>l^O1cj(&^Jz-LCbr@ac6=EyzQ^Vt?%+*^QWL&!59gGcmZIO&C=$0L#4_pO48)LQ ztlJ#-!0L7V{!#z0)R^B)z+gp;_WA>}1EnuO_fxZ_h(LM8OLt<$cIFaL=|x|dOtjCS zm%vmeOoc$Cpw}LBrXSo8Hv_#hBxZd$Wh*PQ!nTcOecO*aA^MxIJvlG?gD6u=7EJ>^8-!n{x91$0)z zZExPc-CsVQJbm?KI(Xj1KfF{>?@cSU`*DcRJyn{&Tj}h5fN!rzOfW-nrI5^lF@d!b z2}x>V6Nu=dGSDY558uu?R6qJ)qlX=z@YX^CnguK%r`lUz3CUU$_+)Wp!_U=k*o&}Z zBxuxf#r?~*D>}2AN|2pr5jTO4q&$r6`u+An&`R$a!`P^V6+j>7%$O}g+ z;@lL1FEhn>n2JLQ2@jCigU%1GD$Y~04423pm7+w@q_*-dFKPG=zE#S)G*!n=ykI%; zq$x$nqy_A5qmImoA%@#zf-@)o)X8Q1S7>%m#L~XnaTHh{c3?AT zWDn*$IIpBW+UbhdXCjU4o=-J!wcGBizRv_{BW}UYr0779E(bSZ6!?(_cJIqmo5*FX z%f58BQR3e4+(boHTj01f8m%R`&iAPsZ+*Supv=ZvFB~D~w@Y$_kb!|m_#sM5svZt` zc8scx)#~<6;#z44f9fk$+^8>AlLfXw@X7Kg6RkMm<9&n=R3IU94~$RqVeI z@s}40Eq?mQJ3LoF&Ddqo&=G-GR(f&U3w4`^gi^1E;wX;@krhQJV*0DZS|) 
zT$*pPQFV%Sh2auB{Mo(9oGZW)nP-3hPmZw%t*i7{?rqFhfkaQscvM@I5FE@y@C< z{Q>R8XMiNfrz7G6e1Go|*;uOZ7&?-V=+5M&*+*eW{fUwDF2F}HQWzrJMt@w$ zy@~e-dFKd3A2k`coW@)!l#{SAWoZTU@8n5|=yOC+Ctt-dfTVhqFF$i@HX%%!7HW2MUu z0*SQA5frqh=5wi|2I52Pcv6UjtQ!4!$&5sgHX{eO73!|OnB18<*5-g)1x+J_ysWL? z#4c`X;DG2H@od)V(@2x#-@6&rB|9eza)YL#6v~aLjf;lBIa&_Z6|nz*Ky=J>1phw+ zqM4X;x*T1n(jtvP-6r)P`Yux5YBP$_LGLxmkZ~Dv&H7=z$x1@(MuM-e3ec5ff2M;E zsh0{?gCyL>>4*8DE))~j<4>ffgGr_Z4N(6}XO*R=B=lCfSkQ|vg7)13hQ>69m}{og zNA=fMgRcxO)r+rIJcm2muZ7T3nZq~yM!ILeqyHW%fg^`|c0MeIje|9wZRtzV*k=C^ z$+T_^Sib(e41bKGAz~^s^s33Jf}J2+ZrHz)vM?MZ7c!O~3#7hS_M*zM)Zj(%y03KL zcGz^s;K5=KiUWKQiX6MWDH|9m6|%b0mDpG6PJ6KAGmQbgTqILT<3)0oBe1|zgg)>_ zcv`E!2CBtySNkf2zT$(5hR}%pe2jx|Orx=g0Z|CDOI&X&KX$0?E!5xflly{Ng2zm( zf#W;m5HW)R3zsi%I#jQ=+X;;Zl@t0Pjydh{^B7Q3(zz>wv&*5|t zylthwq{#v(SQtq}RX=RdGM2rId_W&KMBn-e_4nwiBT;^!WXf73xiBpTQvA?2cZ9?% zY1inWZ_a7D0X|Vmdh+R_4p{aMnnoM+A@l2$U^Pw;;FCUXH+4y6FYQ}3LQRVJCdMwr zqykFAiUVn=-Dabt4e(D`4q7E>djBC!(Gd+f#?3uGm2YQ*VCR}9Ms6X}Q2$jF7G{Lp z_rLs3U;Hezi-mnZV7aZJ<|JCaLr(a_0f|bb90>Hs8G}y+$lshVMW7sgggxDBo~R^> z2*6+38=6~N8{NL$;4ptm<77g(joZ+?f_n4AaZkynqE;$9EIH}pY8?NstS z37|?@Wx-3^b;ES_FCC3xg6TWi3Ssi%l3vpTPc|Ll8o^!b)|*Z`xQfI%*~iFY637(^v=ny(p?t5XEL8_`kusQ4Wza z!?}MCo=tJ2XU@5I(DZbn+>oj6O`n} zW3fS~5ogWBL>VCEB+~~za~6J-g3jPJG}EF$&MRX7A447&}Z2re%QeJ%(3%8JZOjz$YqqyJDhF1+Ibx& zr}2~B+WXC65Y0^g7>Kymo#(c^eP5#uRt!%P%umzf9RY;2>N=V;_8QRLNK-L>R#7Op zloUnk$yHvR*T}Xwfbrk$&EF^@vf5%SVB9g)-iU@s1)q9>%dp4EcgPfBhD`op0K(H< zWN#c4dSoFkV-S$DPke^`Iv{8aEm1q5mH1TchS=bt*WTH*{1v=7HS?U&*5)T;<`J8t z<1)S|{h1;coC=4u5ff2*=A5g~!Lux{_ra{ZlTUXFso)#_MN878l^-tgr(|vU5!4}Ox-g-h zg#yK8EvFH#xh=zAC$IvMgITwY->Ld04?HSRB51DWdgFH$oPqV`XHJx z0Ua2&inI%Eqo}3)AsVYci;mE~_GyJ2ZS^?i6mOV0!rA>-E~pllw9SWpyCy2UMD;Df zH+Y+}OIAI|s~&^+iSeo$UL!`%<|h^NcTp5sgTt>p3>xv#QI#o1Z16Bf&4ZiRlY0kK zIurm+zyC?m$gqnaCWUE^C@?INQbVC;WPWF*bb4Cn>Q62+<}`$5;z$?o;AP`^zZ?)^ zU|D(wX5gs0Y9&&Zr8cV4gAn_QB2|BJ(DEtqyD-j5H0S3)3RtH*&j1!{EgD6mU?J(V zi08KZr`wewXjX`iOz+a5+L$s8VXUjYA;S!piTMj6O1p?f`0_or)dyE0DDz|@F&v3z 
z)6oBPyW0w5W0RMXg48gZ^;F3A&=o$kYI*DsEbazTjJL;Ep)>A=(`!IAx5xSzBRJcV zO_!y}8RPrDLy+dLrtf-)5vzRVkoaAI_E?!)D0A{YZ=^TFNZC@NBmA;D^TEYxRJ<~P zVrnSfV$ojqz|LLVy?J%u^0OQ6IaZQyVUhIBp!15nM8u2mrwT`CIa?%qh<*K*#H$Q* z&7`UyDGxfe^h;9YSNH`es*oQmQiYolA{>)5Hj9kmEt=upETZRCsml8uB}lc-%xW8Y z`9Zt*bs2R7z0N}M&=g~g;Os#PeRU|mfMoHis`HTVm*1J{R)^MQ{voI<7P9wrT&b|E zKtUQ(2h-1YXhZ6~r)_d<_0kSqj(>ERYXW(>T0mF;IF`m#Bdo~pt{j^y3D?M)#;UXG z|B;Y`Z>qF$c!;^4!w{-g4~oWX^L)P$*ZQZ1F`?&B!RuA4N(+6miLGGQH9?wEO3z`_ z5)8v8i3hJKWzq0I{j13|;Q^bAsqSD0>gC96j3#SMENqJ@m$Lxf>Jzt=x!(v=PykbFY5$}b#~vn8r33b_@~E^oQ^w$ z5o~3t5QshIT2iAh0vB6H4--yc$am=-!{POuyq2i+1oNxVunuY8{p3~utbVr{F7tKo zc#&PWzY&7+NCxR#`IDaP>>ENovdPF1%Ki%AeK{luqXAjAb~(-1HMOB*WY%*o%4E*8 z#oBU}{Ll#qCP6Wg*&L?rr1Pp0d_Wk7=)3&=Jo=wfxl9~==Ya+F3}98YM{mpkYmL_F z;+gCmdMz$Z=Zppe4+&wnD0<-MtOvT1Z(cfl(m=Pz-zAF zMY!&sS@aq)cGbfb(;B0<*R0TllXzV46qyJlCv|p|@p!QB^;K3~DsqKo`2<}Z+|1xz zJYWsQRCIr5?{uu@N#=&^lHHs_wD3ZCi^(MFeSY@i9;nXl7vB$F2Du@B_l|FbY#m}p z*#%&U8Rwxw39JDHkm}0I9V9X;I^gDBru{CsVAub z3?}-+;|uTZM;=1=A~Xg_1`W?$SSfwcvbv*5yoO0=28^nIe=m;2ZhlMUq-0w!c2d<| z>Ng=3_v<@vGx917CjTQ+^Viin(t2bx#EEO3HVL?c8q+qNWU*~0`-RMA2Gp0m zjny99{6DmtCSKHhzwlCiv-=m1Q{(KR6@73IvF!z-@+Tn7cB*&cVk1_0Eg>m=?TKm% zL3u%&tbHblUK#R|$?ScJh#zYCI-$g)Q}2E}yMf zHn6`-!S)DH_bc4}U_JqIO1>6qY*GqJ3^IjFsw-qF)X@av8D}h_&7?SluqOOFjGy9R z#x5L&zjG^QS}Y0q4$rkJZ8!DairT4&AqcB*9EbUV*?I^1o=e9xRe4R%&q1Y_HBAqY z?|$LokKW0JXrCVp+*n)dyqoe&)qU=K9mt$#Y};dGOp`xb>qnS8+OaBXPu_}zmF(R7YXd2Pbjecb^Og+v?aG0sc85Dn{<_eG1omcbt{ zQ2?^Vx?OUpD3^pDoRfB_iu7a5g`+1vmS4iMAP8KR1ItY-C?);B42?B*bi%RPn`=A{ zzCxnZ5lks!eu3AsFl2A{-0fpp{B_2Phiw!yyH}WbW>k9s7%UF@hr4%?_rNX)Z1401 z1g+Zu{r{o{$BqyzK-mfd%GP2zMgM2>y9O0Ju+5q!BFBK~maV&Lr;Cs+1U_pB>q~^l zR|t7N{t5(7<=0u|bzWZb6di&NOO4@sbx7@DR1=~$n?}`&aK}J7!p3ZiN>|W=#)X&K zAKa!ZZid47+~4ub%U|E0g4%KbIzGF&)mK;UVom%m`nBg68(>Uu$AxsFi7}3*Rp)>h4yd zr->ra3VnLvqspuE#1CUzLAH9G)g%A2qpxXtMr|Gd(fEh&hHB%NX0?$@(M8@N%C1om zwa^m%BVoDvJ1C61vb1dhE1)eWTmND1&BLK=-~aJeQc5C{P}XG2lAU?9SVEqXY)NFv zzGi1CWep+gSXx9P`#zTJ#1KQ4u?vlDFm}d#?|bB_rs?=SpX2>G-oMX3HOJ|?ujO^V 
zUgve5*L}}DH-CD636A=BOoA%m{UsZbHOPLie*H3acVd_O=l)chK~ zY^!!xm6vcIeu|>yG~GrAFMOe3H}H!5Ggo=A_e0^{ZHe%v$=MKt#77(Vs_;1Ij9D8_ z>WTBs#MCpjm9-ta_}{DkwFgDPz8L<{$oPQkaB5fA+C<(b5)t z--+g33jWyMvSES8$;Z$~lhgO~Pct&BWI%VR?}Jj~1y5i$cfEbT$36h{GYDA=xs=%9#O5uxE zDQ2l$u1W9=-7_}dWa`&+ma3;-dxNJ_m9288-n*0+qcS+|iSL5c+dTc4`o!1rGt$r_ zP7Zirjb4h!LwxM=UEPOIPKaD`E55A&@lA4sr}%#jy=?MC;MTod%!^u67sN@26OY|BO^ z)5jceM&uhz4!4k8`qV+YuhMe0RVTsis406*Sk*hcwytT@iKPB0vwK4(`~!(}iJKK{5>xaMk7T-43y z4j;IW^sRl+)sgAm#gy2xOFz%&RNkij!i3wtq%YFaI){whCOnSrKO80(XOjDtrfQOh zCoZjRX#g9D+eN-MGS#^e_5NbN&Wmo@go`*u=fQ3-c(Rt6<1UNllq#T78{-1yIc$1251?|0mgI2+WX1*bNyexVKR%{ulLx8 z_+GyG_*~mWDUXqrv0JM;)X?P=S3`PpZ2k6Q=x^gH?R@1_?ad!~L~$hb`xpk> zO0`Xe9yuXjlYYOE%VTDcd(+naiw}&JGR6g~+oTvTH95B<{YLUVy!IYA-`A3TVx4j8 zp5e&g2y5md^wylb*o+y(a&$5KCd*UajT>#}#XQKfyPUcnCYsk|XQz?J`vpF_M3bqK zGThaZcRWsc{|4HH_EzAB0}rg1%x_1pKyc_g*&2J0k zJdT|D>*-6kNM<#+LlNw1!1r}&9?W*@!AHZnnem?oY^fM${}yG`3PmGgQ0RVxGMm-F zLT5qN;Md2*!x@`iTQIB3`IPIy`!7B&Zwv{`F4~iBSqZ@wr)xf7OiBY`W!cSO`P#0K4kVZ*v3m zQc{BvyO}hFE0;TN4?9wROgUW9d{XRa!Jy#jzhJZ1@`l+~Ia^YV05m%ukm==aErCVhHEM{>bynKgxx-j zcE6yC@A`d{6TuB7!o8m+3oFK{f_Jn zdzR{aO{dY5Gdl0jUR{#ul^MM>?sY9+Zsc%W)&-pSH3>0`x^2Hq_;jVW*fv}c{wqU- z4_DND@Yw1LHS^bdcG1h$H{O`sPkrby`<0Qyr|f^+tZK2^S8PHScS9$l;SD|^k~Ks_ z|M8csFpF z*4-lHpcgVui1D9dL{N60EnsfrCAY`+%x?$UY^e>>|e|RwP$qgRLd)KfGY* zIsmkfew}Z}5O|sK*;M0bJ7d%<#sl-FJiaKCrZ1`$TU`}tW3UhUSslE`CxZ_AUQ(^D zqMt}d|4opg>R|!1_~Dl(CVMWhiTPbTo6O)tL7_bv-hAlBMVi3}79r$Evt^?$`FO|v z*e*Ndf%ZcbA5;;aGut}ARi?(z)`2f*5o10aH9d$ogWofpm`i+uD>ELX*QM4hr|Yy} zcbr4N$u)IG)8sxG~O&@M+A8|E_ z2$2oP^yT-_Z>8gmsEsra6fwAQD3#^Sz0-XWngTf+IxNlcPk<1vrdEq#SQWDn7Fo0q zspbk%w(&`Ux50+%AE_OS$nR`ceeG|l7haLir1EtkwAfS9^0H(>`AESz-JVwUr8+-# z|71AC_}Q1++iwu7iyp4?+xu8u344ul@8nw%HsdkuoG_2Y4fdxBVeb`jX9El?zC=A} zu>I@kKmIszZ<2Yp+$siAeIf{V@>!eVZOMBgPToCCM%N+lpnjcn`%k3Fpp*6Yg~8kZ zZXb^HGR>jHiJjj19yWjTIyE9_1iTYx`sPwSm6hXj z=H72A?JCp^hu(<4Ov-2n5}P{xXtUw)?#z+*&n6qN`DSez^(Pr?|9O{~=wy&($6vbI zsCTdQ-vr6J-gaZW;27S8TYIhFQ`Vp%ctp}THVk;x?OpR~@?8nu>H=B2bd?U>l#*PB 
zxvoTC_w&jaD0hymraaE?)tuzWJDThv*J&SKF*q2o|C`g-yYk!`!82o%&WV2=X7x^f z;XY6wu8}ncMeCI3Bh}bI1)tVJ+Ol~M_%;;lk$Jytm7L1UW zcpBK5?oJsx&#j`9bk{W0RVuJs73+0D?TROAYuJ;vV-7;?P{jG z@G)n%?zGbK;iOxeYVxwTGUGd|Fs50KGglww>I5f69E<7vq?xAY)j-!cygD2~3-gS; zxdE3hZdw@|e?Gu(U8wB(_MOLMvW^z9La8!*vQdxlCgcI7U9Hu0dZiaPS4W=Xg+gOC$vobbf&`vTcJi z^fgK$>bjA8;j>tz=L?&vV&6ceN8|O3E0*T29F>BvS6L!F*!863pA5F%Mfc|KtM@yl zWWg;Y|AP7b>u%b>q~5WnQL(aWp`O{M#Z^^-!SOLe^|#9NMlS(i`6>ljx7VnA$cFC< z8Smo_o=<__JaaF#&Ge|*yw-Jw3DmQc398k^m8;3HFwc%F3>9~6A+d-reMXZgM7{*L1EWQq1RWndRst!;ExqZH&5|owYuc z#Xr1{GWi1MQ>8%K^rm**D4SRj|MaF6Rruw?ko2ZPYh2{9k*Ez{Us!8Bes7`ONs#N&+?Pp9)_HP8vHI zld5ekRx7LD&)M{$7`kDSuPRyymu_56yL5e~-7$Y3(}B3u%Dg&)pT<|w8MdYiIr+tK|Ft-n_4T`ILYq^oVJTY;7{uG_tC)Gy=-y=RxgA2^jtIQXMtl}smGy0EzjA2n|&p0iF4d=%cq}hja z_*xnG92R{lQNSN|rQk!3YJrmG{%)|@cY=2xPcPN0gqc{d!XK|7Rsck&53=ftWsZ;7 zuP{s>@lGLEz)SYOX&lgJFUnfUqt$QL8%$9i-&!=}50UEkbcL39x0fo%$YKk9ktzcw ziPEv?Re_KVZ*BAzBk;pVy-eaBZe@dNQTsnNooqRJ1uto-tuJ+Ho3F-)O#!|(NeW%M znS7=AlM^gSx{sNv0TawqQUXVW_s=WhW{dLDRF6bnh&xmD9d~0r*QRyVT***lT)FG3 zZ_B{{kqR}jGy&tvQ;4a;QPZW;6KZNs_@Q!In--Q-mgb5WerK#TX5K)@DFsu$EJ0OI zwQeSdVS%nm_U|<-IpF2iiC!x2<+^$*gt>q!L^oGV+)MC0-flpBnrb;wy1YD^Q7%?( z9W4OS)3rz-+gO+Ge}8v&iC?%M&V3{hGCb*tDgucSYrO&Qh73OT} ziZSb&efhO;+P?*wfLsYeqWq`Bht6t<=oF}xIK4PnkyzQDzrikkbxg6B>xz8p`)a#Z z2Y73kG>pILLx7PkuULH-PSUTcs*>oACu)?l22_H3*w#k zyfJ;ja3iUE*&~q_wJx&P4%;O17UPx=L!<;1e?dT#yo>*C?eBGkx`?abKYLM&v*0(x zobK!Injuo^A{-r8ph_Y+FYd_X>>F$b!rfbcg~%JyIWOepBb`uiRSj#K z5dBYq=eUoI>D^F`LiaI8cFtdNaD^WeNGKHGnN5Tp>=J?G++DN}| zAU16w1z!eH8=MQ_adTL|dbfh*w$}x5mIeIMxQ)QLPGS@``nAjnuj=Ib5Lb03*~B`b z6oDgZY9VS!&ytpv_SNOpO=(rr7}o~m>@W&BJc0f^guu{FE6)9`$$PAbt=R4Lq4F4j z98$-m+agB%Gem^i9%w}bnkObVF4)32YPX7%wU4Lisu)24wQen=)_O%5e(~1KnOL@-c2dkYk)y6s9s49A; zv6NQdG6Vyt0sk`JtsPL`(%#Umo!xC5cYx50ub zBwkME-i_!y#Y&x(x|Vh^gxi%b>rxX4LzKc7HzSMVUi%Yf(e??hf~HFL#ZOjeJ z$B?&fF0Rd;k2q-Vc9Nl6Zpf~rJ26(o9^EcgDe$gwsbX}`HSP%L#VhGq=5!39@dwcLW^5RiIUVsq36@DKS$_(uO& zEiLSF4PiM`YpV$7rTcSI+Rb5L1 
z968m_^Hi+}ILQjzzCWHaIIHc&u1t@M7`k57>Fv(V+^0Nvp(tvkvW%8$_HAfo+1MF` zGkS)VJ1Vdr-P7D@sLLK`9wC64jf7Pn^I-ev?f(1=7=vzPkw14~D4_n@aIn^I% zg>Sun2Oo;)d&8hsFS$I<6e6a7#22ehKcV5Zb~Ah}QUiZ#YC~OMH{shMh8fLlk@WGq8WB+t0D!%1aovCbZpz`z z+fy!+0-jwR`T;3hH>8)MUkymnhBaLquZ3y)w2cl|jGwVgBq_K|W2d8Z9 z_~L`RI@HY35Tj~=i+6x#&$Q`4t37k3WjI5WM<6VB5=6)EyueHHg^miLDiV%V3TgNS5vA#%@hur(ePp)8ALz!ox}jGE3vT@`fX(m_nA{ zVouH|&)?S%P}pd1xIZ}Q6gs1sb}1))+3W^yVN+7CiFS^*<)<-&Vr{17m%Bf{@!avk zKv`S4h-BnS^3qnzaC!Ig{W1knDQIc%gv6%n?lM`Fx^w*l@~(AQGIKw@FE%I}m`!_9RBXyTxt;4 z+79r?-NQZ191mht(^lhiJpka(1zUcRzLp)mSs$@ZgKp;G z%$dKMC%V{W9GQt87Q@=KP?*%Loarx!R9)f`Pp4; zlDDM1>eTA@Wu)hM*Q(RlMl;un$vp49JwIpE`z)mzT|7Px+tdB#HpHL2>#j%QW3Ksj zXVsA&`p9K&mt&Z)C)kID8&~q15ka!fzDehuyY%8Qsk#Gv&b702ObkOx(%XR(q&BuuDucyt{_nF?Ela_+xhkmPNKJDI>m*{C=Ky_ECd++VAEOM=+ z+Sgh$;nR+3gL^@x)i!nlHuFc=a?|T@H=EwQr49oE1v0&RFN+Gd zGL{z!EN{&lUQ_HAjFUav3V%B4J6#JAoY?zSM(%4+^o=S{DY4crag0;B`vYvTm)G<4 zMVsV_``z{U{&;?Ek&xx}0x`TH{=V!&+vD=}wl~ORP5%4RY|&*F^5?6CA2TFSH?s;q z4n)}JcSkulzB=cubUgw#s&nVKQZ~G)uxEMouwi}}y+{J}lkYj={u#spleV>TF}`ok z*C^@=6b?y>4vEV=okcHAtyxBOjrUB{#&V33In}Tr>!8hx9|mQ#>STm5jth9lMO(@A z0=4R#AY7@Iz^63`v?66~PA^_8(P48A7d%{D+=oYR70p7WA=f7a7OE;1Tw{?wn*8q4 zZBb*;xrP|^S zusJK7>p9;<24ImmDbsaB)Ei@#o^*$af@a^uwE?RDC#<3lmSJsTt7}wj;%g#4Sr+eR zbIl5mg4F8=D`21!2&Bv@ybfgRo@eoC)wa{TXI*XPlMNaJyCg!Uizf7Ak9%#3jtn#< z_Cq#(iv`!*Vvm;N*H$C@>BHAnaGO)hXfFuvy{=U0eJAL60ojVaKEg2z>du$z55MhF zxaRa}ikW#u-<_vqdNSrCW$Qi@Oe{t7oXTAv(>=KjDt8OG3*r5o$_0T^4uc_!&n;&c zJaaPXHVlDBGHykz8tvYw8X4Hry6+-k(;ujUQ8d5Cdf4>pmO7j}4{%7gbl4zzX&$;F zh3#1zT^xFd*eot{FG&pWaQYWZK<3D5w2Vg9{=0ya^RdPALXwHYg#k^Yyc%*5b#hIU1&?=O`o-tyhdYD_zaGG1_fLfN{$ zi6I{-q@fU%ubD{Yx@k`-dUPigYn_25H{L=brPE7edF-R}g4prUnNbz}it+s-y z9({h;27)`AiEU8Z9PV7(O_~aB%fMyaP20g@I_0n=K1bD z)2B1Mo{#0BBQ_359|ojz@_aS&AwvRLGb{3;@51x`$Uv(wo5->G)u9YU(Xn~=S_6%- zPLm4mPdP7Es9jDTZ9f@am2~CcGWCGS-DSAS-a37boRA{xljjS1pb0*+!GnbmmWq$C z3!f9NMaJ{*TQ&JIxyD%TEU!8saoMZG88YHXUAeYg;v0qNSj9V*I}eSGS|acPiRE!2 z=)#ap0kOAnTGOW4Z|6fYOV&wfTAJ>AA7CzGFtry9!cv>lM4aXDXu@#8Q>_ 
zTvMP~mSyp(JcIc#a9+}^q|wN$<{eH6x|ImoTBP4l&J+@Fp9MGuGp0 zCaHTMxp8uKHSvAzaDjBvA@zm^sr}NQDa?Whb)D3Ho0q~HdSsHLna6s#OVMPZjwwf7 zpJF?skcZn^=`X<8fVXCB7Gh7Pv!pbg2uVaOgoSL<7OvG&NeZARTyY7r8AUQGQsjjY zx7DS(fqmv1Q?(osCjPpy1%-v0(s~tk?)lGhWe@ zWW1@dY8V3i*wu8l=B~j0z7IF=bY;_TR`yNYyxk7V9FIJ=lH&e8Zq`@w!Vv*%f0%5a zG_>EteQWc+`4Mk@%L$>G{iUO!$UwEd$Yg5V7 zOl)zU0Ppl6UW$#!%IjOEy<`^z>Gim3`O8$_+v{?mSqC%U!!_~;8<`Y>P5IA!FJ1J9 z5VwIjHUo2H-FPh4KQZt4A*Ynbuk@palFxJKZ7Y&er|&_3g^Rw z89wOKw@h<{ooYvU zwk1xRn^UlZYn!6YvUQ9HHns##42(0=(qu!(q-BfUB1P(Rlh)uSN)FP>v7_4U(n89y zGs{SIy4jM;_0HI3{0juNh z$>3brgUv8mT^L((t5qi40+iZFEt@*PPSDXN_9K(rw>ZZ9Ok{rJ0zxcjr`wv?>%h?SzXc$WUb>XGf)r z$AK^JlK0P`@40(9ZyAoY$U=*Xp%j=c*FJ|ho7~zh&ha4ll*e>)dQ6;z-cj)xA*gGd zleCFhOXlLt=2f-Xh?c0C^{73b2Ti;xO7u~x>+#I{-AYtG!t0|Lk8e^rTw9+-ufiZ@ zv(0;DKi--B;aUZsDMK^&X=yNlVW54l4uhBv)gqR9F zB+Et+v%?QguFsVp_JVi{dCp5 z#Pi?nvt~|iERRY-^v@5q&8oEs1eB-fLEgdiW!}L?<@z`Eyh|jQI}r0Pt(h4*@*mh4 zPQFSK|B5ooZ;Wj0H`ir)?`Y9`#uYs(r}uq7(pn#QX}txfoCI@{MK%<^9)jl-SZ#1Z zpbaYRc6(k^Ksbuw~2WB5+(fnRM)_>*FEk|w`FS`fF#kdAke~M%$UVh z7fD0zZ1S)*fwq@9SpPtoVAYYTUev^R^)r3iNq(oX~5dYHKHwRGDi zc)|_qj940X$q=h|D04N+aL!jncA8r-OP6qmz3yWQL%bH>O1a{um}Z$sKQvzjgu18S zYaXTuu`XCW84CuH5+}j^=1yXB@MLL4Nh*ZJ3GY@!kC|Dzv}pXsJ)>cHLW~Vl#)>N0 zpn8B`MIrLoyrP|IaCUmuEG&2qjQgB-@f+yH1#0Nh^jQyx_gf3iBMD51`RV)2F-)o$ zr=I><7Zs?uh(H zkP+8iP``HwjWk|w`J1KU5)0%sf`gZ8e0Ryh{i}?nlVk1vn}2PFIxKl`c!&X`(jQ64 z%wy+^Yw#E|ao6P+gO3{688e$_fB0k+F%eVT*x7GhsEn14z&r^bUAwx&6!8HMV`g~D zaKxdB_`OltGw3RRs|_RmAxST1N8^{;S0Eih9#$69W9=0K9csQv!4wJF&Dz5%rqD75 z3}SfTj5ud0RKmlxybqyU5%bw!Qu)hVD>(0)4kS2nTlwR zWpqbgh2_?Th+$-e)^x|%SZmShw;-I$YMbtDnc)M2h`Z=d#zy*DTJn)kj2)G#o{ZYV z_zTih!`^msat8#(aA@&{cjlBJ0z4xll-J%AexwQBiLuX0De758-#Cp4xlJ_Ovve>msyMx6r}F7_=_S=Vj`!>={at{yV~DEbp{cJd=)0tRM-5TP z+T&%Yk-Q>vVQKf+M|hNT(_J!!_f>P4p9mBAq$q%mZc&MFj?|Nc|8 zP+32F6V4=tRyQ}2ZcJ7w(6gN9y{E<_Q%X9QlZU?7XkWs_f;4KF`Q68K+$LOZ0l-JH zq7u5=2NMzzk6nu@q^7<4Wljy`dCjT2y@4v`cx5DD9}#YJu2(w9?oYsSvpUG4JQBxy z48tvRrdPG|cram;wie8t?%kLbUxfMIPyTya*Z%r`PQN}s?h(-atUh9DBHkMUXlmWx 
z()|u(dG~E({K5zidC*(OdB_=U3C)nkk1ODf-LWCTm^~qlw4s7AW7g2_ak!8m7cy+b zI*M7d#UT8JZ%%LKa)d+_XXYts&b{B0cbH#HOyJ2}5V+_9;-u3}sEk(m34VXE7%iIK=}XCXd;cbJ{K}22%ug7sw&zFw3RLJTF>(h)Xcr zx-a|G#H7TLZTGN9*Iyr!2xb+kH&Bz{8b76eBdG~xq;bm`sl@3J+!$vV)x1ICC_j6?| z>6IPKmF~#8#P0phiO3K!#Pv-<o9e!(S-KZ^8KTIhOiyxdZp;rxQzeR}ziNuA(7MzH;k8H|^jk;~eo*@2z47W5X|woYWc0Cff<&mj<+|M?x4Z z{K_mH50~9bKU47G12unS6M8FXe0JCPu_zX*#Afw0ME_nd)Ui!QgXtd}1PQ}Y*V{0&9 zPsv|%N3Pv!d*@>HnHM?+KFsN8HJcV5PU42Rv!n-tSuIS>TjdEm1=jcJg z9U;9NF1HOH)gPw|wcGE067W<&^WJ`XAY>ai8fp$4_eHhGoePViW!BuG2*+3u4}hfI z)9xnus1B*RgB_)~brK_4ex+K; z?Q30Xyu29+S`W7$Td1NrbVxco%TI;3JNLc6#3RSe_7|A2b7d$Fu>YUoxZf_`|5(j z6760OVPN;~qD(N<8shf3ViZuBV657lnlxIem%s_bC95R!L^khNc1B&iBkU5ednY75 z6RXWyy_b9f*aY>2G0}#8Ru&oW?_VqAlHSa5?S)zFPBHLVU)7hD_A2R_Rx9j(-bKZ1 z=!d&o1O&&s4+$I3dL<3zA?Zp0&hy>5>HZQ?MzeC)*#X`%@J2?zP5JYvJYI09wH0~6wG}>!kNfzzl8v$r!fZC0!ECV2#aO@+nRJ1M!5}L|i^gH(EccNn zp`P^jLNWa3gt}<0+Q0_ei9`EXEO!~T&q4@;0RWvP5bRAYI7?=bqy1&vIpHuh-%)#4 z+=4OIi2t}4Rh-CRVDpU1ks-+7U<=Y$dQm~eCstAj>c#tYLTW$BN*cJ`SD#=B?n(Yt{_Ca?KfitL0TDxtN= z3lCGxuUfQfkbOLcdgFSUZ&m!<{OZMNzL%qg3zI$jx6x#mhW|a%^HfL(epd|$Wwh6C zq>En3(Pj=AOm2GCQaBy1c`QM1N9Pe=5&SQp&C?fwt$+v3lzS-Ks+9)~B#V0X5f6J2{ zolgDy)v3h6*seP!_HLAl=COF2TU-Kk(hqm=39M!O>+HRdU{AboM%`&VG>*7*U<=8(H8H9w%;fCs_43nV$81nB{id~B+^0nS=F#L} zd}5i7hZrspS$%668fq;+K!*8hUv_1Hz0^U^b?Nq=?KJ;Xg7Vq<+ZP#Pl#68g#+?JJ z&v1V-jG)!_x^0Wnh~dpGJ$I|nS)*iM{R0>N9iGy~iADWgmteRszJH}f>B-=-{Od#f z3+9khRAb5HSuz6%{fMxQ%oTwZWcA+ZdjSb4zGTt$3DGHEwz`JRobeuR1s^xFJ%NWc z8t1UMrYR4$TiAmsDR-DP$3()r&SDkcOhh5WPhF$>y5*Kz440a|lU&~zbH!Tp0^Vh1 zbhF()r`zmCcLyA!`uj!b?tuOo ze%*1Dr@cG8hwEvvnDK+Cehz22u~VU{CfXqTIlUP3%N^F#&K&;xMcYJB=>xk82cwa~ zve0iM!KFG@iGn%BsfagE!dTRl)7I?D`_tAKW*;ezoAHcazdUsGxSB@I0L2{*%@B?4 z(KUv%1CE7gya>$>@Ng*XwWO-Q*D+?`zS(e_FWl)c3W0Z3`H2K@M^2V9UmIb@>Vw8YeZ3j-4v+-ij-Zk5Y2i*IFijZ!CRy9_xTQM0TW zV83Il8DhDOXXS9{VdeJ6fzK?b3$%+71u!G^nUF+>K+o9poCVPyP545Va-d;xlo}+; z#b_rd18ACaT|W6phMq0vRF9t(i=J(pX+T_p`_}mnxd^e9j#;GK*ENdB))Wi5t&RCK 
zSHq86OH*F=5*}QT>HLDRZHDY>I^61BGr)SsT2sw^dnU!hW>m`U_JJzy!1u~=IXe8| zB8Y{gqNX$>-Sk_HdJ(Za7|knQJTfDWz;Q3XnDoqU@Nis@zwoWtO!l*9XKxqx0nuI8 zI(z0`6JG%ivuQlDP_LK%zFX>1nz`%Jz5}2vc{C${yTcmV$8L3kxA`?;)#XK~0gl47 zO;L%A6lraZPT9sB%W(bxgx>Ci=Ik1p(>pcc`%;SM#zwb>do`9?D4usOw`m+lZQ&;b zER?1Bj=86~^yta(?*WU>USr?-E0Hd@jTji{du*&R*4WMG)5y*bYv*~w&2zcK^sZ+t zqf~W_h9nTm()@eAhwr8qMtW^|GNueYr_d-ps8pQw+Br}0jyA-bG=9-?J6FE>war3? zlnSU|rUkPfcEKp&v`61uGV|64>twdN2}J)ea%$WRy1pO^twzbrj+sLE=btG}tA<^# zAM3owxt-G4xilO3*Q-Q^3Wf{mCY!ms-!_aWrm0(Y3b$MVw$CDzO>m+^tsVtgUZhL& zz8&qviJ9bF&OHRV`(E%uw2lf>GBa}M8~g>HMTLb)3BUI*5uIafHPuwl!6#>qz7pHa zx@=kv{dn`9`T6{4Nfnvo%23)fvJ4e9T%%`#B5MxJqa78&Cy@OKCvS{f@RPC|rEM0O)6wX(x-^88XXnZk`HMFd;>eWhnWr{BTpYDu@1+M8O}ao1e% zLA0BSHybxFDbQw?$1d-OV)zcXh3T!L_(#7I!wl$9|soov+ph+K)+!-a}mIg`{MWd%>={W!;;&H)CL5A5$ z?IqleqjsB7c?zuQS9drigU}Pfmr4Q_Er4O$9c(|<_+J|KCV)IK%EX{t@k7NN1iVTh zbo?X2)8GfnwpT`yRA2|&_tOBD#{Y}eqFJjZovclpp=8vCKjHjsB7o86c1D zmb=^XD5eK4{8hm~{{W}6;@rC->vqxE4Xs?UqqP|Z^sT^4FsaB_{wd+@d$t`{|RKm0)P->07Qgmz*-1TTN^(~ z?P^IPQsvPzNg=^c4geuI>A?4UE1-Xs00sPtav$MRVp?$%X$_800z3FY ztN+5V;Ui9D#379s6j~rI-T=Y_VP9|}3j?1iVO{JctnAnQ17IB(|G*BupPm6C`Zud> zIv|`G-$)cQfFQ-fL_vM=B%c!X_rq~8f`^lc%;2TO5m$&rL}MTk(R_Z7Xmw%Wn!yf! 
zY#jfEVL7XR52VDPfcP4bh-l!-eh%{h^%#IXw}^o1_e=|n-~VE@QPkrA%A>#Tf509t zD|w9diHHsmU4C+I{qIx;FD2&GS0bT-_}Y`;)G0tMBsm3k@LwHPB^clZQIbIn3ISgr zHV{(}T-mSj=ldp3fM)xtEKouJVzvBiyroXbAAdy|h)|x6?3WJ!<6b%NlXD;aPG!QS zM4K}=kR+r@ zPrhibH-@<3A2KRB661n4;!Wca39^7T;&4km>^}fjl=ur01Jmcps?6ej+J}abrlJ+ z|H$Ltw9}KIBLc07-Kwz>oHv#^_o0OgXGji zZeB~j&YF{keA&TTYL?Ne&9ro4x&AR#lXWq1+`Kk^+=e;@=aJ2=w4&lQ=7xu}BefLL zxkQ^eO%B51dTLY*qDEC(XbU82Xa)Inqs?Yb5ArY>UdZ;*Qch?4Lc?f6BmA_p#nLc2 ztIv+p^xzbeVL)^wUvu7^@KYwL>{zW!=^S6Er~D6tBW9S23aWQ6i-!w8^`sKKqS8cX zQUbJlOWbY&Y^Q|>+wDKP-A-pcri#u_OEvw>mt#|YOEo^=%os&r(cIJCag8xm@_x~* z$;O9-^?-Id#O-9jcD#OIyMUc`YcW*`#O?IKc9ze;b}irAeb`hnu)Cbj`Q@mE|AQJg z!)kD)e*w?-)80~S`Kn^ze_4eZnX^A8*(>Bl7&C>=PZLa1dF2_W`iT~J-$pZSZ|wH` zmfVwGEGmBf1?Q`71e?66eR7h*<77Xxo+=d_GdG9KvAkdK3){A}0d7Nwz9hI!y+Yxt zQpmm!zsxU5A&1lCd#7Kv-IhAY_7>>-7LA2pevPD|Ott}la67>!Dj6;e3?)Kv$K;A4 z*!M4V0p<(Zf`H`$L#YDGeHybabK|NT`~6>Nz_D$6BP;>*EVs?R-%+UnIsuUaP-y{? zAh7BW)6=E_W=0suVw+VRn9v(Q-#@V)a2Pr?-9P3#HWvtNF^XN2xgr1S{KAEvF58K6 ztKWYkEU13}M}I;j`U7o@@r^*I6tM(W0bYAX!fT+7*lTRRd#y1RoFv%kjwk_GLVqO- z0T#eU42v-duYopVuQ8DD8fYW-8WAc4fI%Cv*GNpyNVOSo7})6t{~hvuQv4J7Ky0?j z_uOoDMNxuiet<0MdjN$5wbZD*`l&w>Wc~!$tQ0@{dS2`Aw-z((w~F%n(_ZNy$9Mg;^Iv=Mua#Pq^0fC2_P zE#UkoWN`h7d>}U4>gMXnue!SWE$hh)M#{{6~MOr+@E{U?U1a=SZ*sv=Mvl zAPKJ#v`gr8Te~Je2-;6X77!NDMhuG_39o@RBCp+i{=3&e8?o1jQ2_x4ZNy$9HN7vO zfC-)c2=tHtL_PvG1oG{V;ooF7BU;CwLKPj6*TDJlk%0L>X-5dT?cmIR>>S`2#5;@* z3H<&qwcFkSK~Mb%F5sMh-k?F3Z3neOKgr|mAX@|x(0`H#I|+G!Hez{@2x{j@1huPw zln2=94|#BqkOycZmWL7vd4M)zc@X6-1SXT%p@~re=?B_~L|!Avg9Oa~NxN-%fHVI|9wgkWLjpg(|3mGzvcg#M|^a68M2OV!wg2ASz_GlPf}}KawkO zRm7D7Xd{k8M6@ErArdLE1_@X|8*v;WMg`0wKpSzGBr(11O2^!&AnXn5I>V0em+oe`Yr$2c0pVawa z?N6-U8zj^V+KAN)sDW6$|MnPSoAzL*KNYlp+&w_Nws)D+$YuPm&643xGnu(KkV-j8iZNy#!>(*by0j!^}c@R4Nk(K-hbv`#(`xE7UpGd@9 z&_?VvArf8#ZNy$9F}?2vE!gRgm`kG0-zFc3%{KWSt2k5;>foQn3&=vYh12*TFh7%n zKlMkV0=@CSTp$y+HbSRAwm^Fluz)sVSV+|QNuZ7RbcRHM%njOzy+$Hc`?tps+lNtL zr#~`wQg!||`M|@2ZSo26Z88%V+<+{AjRR0f8xVJY>Tf>@GJ`hat&OO#Bphq}%K~{j 
z^8-8mks+QVL1xfKOy+|myaw8cy+)!yP6BO2UL!^YJnj3p#}M0z?yvRiaS|b8n|vTP z+vIC-99~g8M6`}SgsMCe$0UTBo+!cjPugvVT)Kb63!V@YpBsSgC6w+&`2AmMw;hBC zrxyPNE5e+A*~x*UKEf#-;gn%V9ysPyqJsNR@&M}^;#d#bh~+_4SQ6y%FAL;td4Qe% zBo7i%|MD1OTOPmGvk`xk2Z+s%JkTqO%KuUxL|y~u zN2uwEtCrr(e zt8$2Pf9*9d&zDqt%Fg4g)i}foY96Q@wW!{c;Q8=Pzc@V3tU|%Ol9?jc^*P^TO9rE~ z)4Jq6<8g;gPfmyGWGPflufGTaKc7dD^;pO0wd4)5<=+i?(j(nKCs#n3qw)NMx1~di zkMQATMYSH=S3J&BLKmYL9lF10>AR1?uwLR*T zx@ZFMxyq8!2yW*jf%FRLcr0_w1bbR{Uyo43ExCdtIS2{H7Lo4lQJ1(GTY=981&4F~ zcjwLrbn4{!sSaF6w3WA|SPQ>tFNT1CC9_fBXHYsbcNt^CRdfK1?o39g)2N`_z?hbGnRZ@aSW&8+E6@47Esq;bokqpwwy6ki%*F+o z1oQxlZK2KWlKZjP*grr?uxF_CxB&Q54rq2=?Dy_5aiC39I^@XCj9HPb0i7sg0UW>+bK7Y!ICwICb#_ zf%}B3{tfnSp9th9tQl}1s1mdaQln5|eUUMi+mwjO%`b8>Ej@RW?_q6-lq)!x^WeEv3n50D9R#=sFkl`K z<1rHgjsn7-^TQh`RQ1TXEp|psjD>2WvmZCSJl``qgBrD+YSP0kcrIfG`~DwwUl|-% z)MO{J7%XN+i%QP1XMCdbiKH z-F@!N)O+*Z%x(Ph`wRPX^_L++d&Kazhl?EF$CHD;)U&_WM@(1uafBE4x%ltz4ll<~ z`gRu=9E3Rn-X86%0vq`6e(i6@m@nb0Lz#W=kIw7wz|AM#Zp`id{MtNkj-MzAy7>Gq z;vP6Q`SpF<{k`4&{a^NI8USR?l|VSKIur!iqjV z)}P$Z<##ffS_ByU9vFQ6cQ10EFFu~P@82#V_23B!yDqC+?$da>e8$_k_`mx5-z

T)w>ncSdjd@Zi0@xfxyUI_r8*6WH+e9d_4meR?`6c<}T0k?4B4xtjcu zvbx6aJ9jwy0jl41(&a7hx2Sh6_5r^3{(9;0vfX#pmH5Jvy^`JP_HiTd-mLR>%<&Mu z`M$rt-IVKpqu<3T(;Vv38cNe1dN3KjnFIT%GGFu9w%ZlA9B%Hv?C<0M=!C@TMg14) z>@VTU!3iI}c%#Rf0PVd%$Hy(W?|bk5Ti;OM-IaKkr@Qy_&h?e!$CCfm{=47D?8Sxs z#>eGRYUjqmOB+)7O-Dwj@7>eY<+gg)`&-rQ*sj2%?_e#0~c6RzA`7JOKCOm+ZkW#hqK0YYxY_IfLlMojaCm zj>kMXgXG1XdzNcX$J#lAY{i}XmTS((-g3J+%A3wO4_SMTyywf$IkU~?C!fyB3$7UN z#?AxQf5T}GY$f75$^MDht~sX)Fb?t^bON1OFQ4Oc??%VTmW$^`(JMsoX(w~sd^FKjpod>+F--6lpA3ELE19axQvsO_-%#JW3^{xw9m#V{EB3Tldl^a;+1=nc zpK5-H;bA@Z-9?NU+XaFbxb7D1_c1&jU`M!BQyyny6;mE5>azdi=pV!XWs+cjT`dS4 zQnPOSrnG3k<74xhrmSMfyIOdd0|Nic2pr0SBwwK+V_w58FoSkNdPlFZ4hjPjSWy=>4H zj7dgF59$(Y#5Tp0C3UNCK}V_!lCW&=HcWH|L_aDOTLdnpgB1#=9LPMGQ zZ2klcNM=YjDl|KrZnMY(*dz>mrf3c-5jzYYrGgELw_NuU*<)6BjpQvCs7cbLGuQ~l z)d57ZEZ7tbZKmiiR0DPxA<8Kmlwi5;WisgO?m9^{ZcvLPMi;Q@3{DrYnG8V}u-Oa= z7qGbu1sAaS3@tPbYb!;E%82i%%?thcFgn&o(+~i*8Vj(+3=P&mYgyWi?gk1B*)1*9 zD2o3$O};M3T2{V(MsqGoxpJx_$EJ{_)T_4HDe<^IlavUfd*%~PO2OCg!|EFxDPuVq}vNeFKBU%Am9g>CromR~H zxpoaebY}&KI@$t*G_wPP=wt$e06v2(eg?7r|3=gN%&ch&4fsPX;$W-xC(ydi3Q;Fh z)p=`$7L3Kg79$Y5nLVl-UMKUr0VLoL2_yKT8FD(11w9U&2VwRfq8ZTuqxovnG_#-J zYWFle?NkC^>CP5(oy@zl%B__OdxtMTJn9qA)ahx^+}wu+{CO5r2bQJ%SypBA1`}-~ zv)5$x(&(XXpAk*L1Hz}13+VK@sCJRRAOI3O{55P$ZxM}ZQl`Cs45$HB{3CBo3Q)z; zC{TrsDNsct^FKueiv2G^!}ydCmBqs9V4L6^1__{ZnwaWt_&$M+)7&`BB?7*Pk&p)@ z4F4!3=$;Mb9BilKoImkjpEzmu)=EC%F~lN3+$5y3Jl&D01U3(4Gd2A z8T|hT&1*p|&l}kqnEgisFnhmNcLPBE59s3afT{DZe+E?bfCF4Rpplvv?x=aUv=+xM zf$XZjPv=*lb08n6#Aq6*q{admOQRl$(gI`AV|*%!0xCKAl5c)U zXy1Q+F5M6q;I7D5=t1@+=zJjVe|TK4jDaOQ)&NU*)c}^@M++=L;BzqvKjZ&TTIJ{L z|5xM1r{!Ra4h;IwjH*D8b@?;0j`n=q)=HTl#G=|&L9liC<8)7h>g(aw3bmihC!M>w zF_I8pM|&U+5tv>a>OX~+h3N{+W%`+m8JO$)PhhTm8DK8OB49~Wv%r#)kANkO0!vD{ z$p@lFia@lc1c++P0a4mxAd2xBBnlYh_=`T!SM>-BsPq~Eo)zZDT7X*hCed}Y?}7k8 zwdyWk7S%d_)BMM^P5e{Qe|0`<{Wq$K{QkLo|8CKrwAFqf&Gu6p`=_?d&uFrr+9*D? 
zp?+$M_`lJL{P|%2JqpH`MfL`&PZm)Ae{D13ISmW2C0Y0v#!0U}$U3vR@&91nb;*It z38>W9ec5qY3b*g_YzBTS_Pu#LKYt51e`vBts>;!Sdnj)6c{qP5)+fA2%Jp|`zwqB6 zM0_F4^?P_b`;)mkB;UoO_UhIpkmYx?Gsf{gd$zsXSNFENe)iIL(8YT(e-jSusdlx0 ze)+oG_vfnkadut6PM;6hD`Ar`?s@3lW9e;Y`+Qbkf^)2nl%%s$!Ru=F{VIIY|KhOe z142O>90Cml1OytyS_E42DYU|vg&PEP>VE;9m3vV%IW>{xA~Uv#NS6-~MjJfM4Iam4?njoP$W)|R8Srt3*7rQz*%Rd$i> zgLKTMQ!%CfLZ-mV!`yU5%I(s)Z35@#=2*ih#>M8Q+1V|N-^;}Z``h^D>u!zWw_FP~ zn(Xq;%=Rjkb^NC-8}Qt@)Yi_AGy8Yq)rRBOA+5(XrIAKI^`mySg^E`9mQv=YN_$lb zTsmsaK6h8bwwD40TWhVF1Xs}9HjJ2Wu7H#n|E;Q`fQ$F=s%$H3&G&l_e|rA6#y4js zU{K}-s!A}6&~r#Z0aqtWfo;s6cWM!ZAs;0(aYE)08y9xIXjU|18@~94E5Z%^3bf5g z-vb(~{^Ix-72QYj(2Rg<3<(N&QcR^!hl^nSi*u+ z{{2T>l8q~6^K1Do?bqoyg7-FO0i8!oO}39#pXVIYa+8E6--ZyvE%41ZD_OoV)m2MD zS{}AH*jB_{-ztIuwR`dgO`pdLWO+PC0YL57+6#6E(pWyb(aPtU6E$?OK{2%2r2KED z2=4nWwR6UA3DcLkHTEMx`7#%qWYu_P1Oz3n*3V%kp{JJHC=zXDa468;O71Rz42(`B zo1lcV=L6IyWFv1JChrw@G{?M*8Qw@(H&=w!37mJ5FUfqEYama^PBgCH(pp0*vxNI2 zj;{EtE3BFV)aO7PqQngRHaSSrWOpR$inA(@SB4CRl?*tU#%?JIXbG#Q)+gT**M_(p zThO90Qr$}X%T)C5Q1o0f7hLeY%&30bC$ryW*R;^0|26T<+=D^ft8AQ*&l^S8smHJ0 zVf$JJCCQfycW+W=zfegVu&@~Fki^N;ENtkL$$J8Qk`6;O+?{mg2coCtLjBxi@(t_^ zZTmH^vGR)u^M1+RmjAWLjM;30le@-J@{JnD1{Y@Rs*-wZU0p}bt$JzRmgu4iotO9M zrq87hT;2EAW1AJo4(<~gAoi@W<}cTZhWU`4aWpB-V845-^QbVaUq^xa%8KMGKE!d^^<$XIbZVBdqn{XzLhB(k41D`6RZkrN2ChPGV~1N z-baxw9;5qXAlwW7%^rR~_Jo>17nsOOD`E(tjV=}~S5t#EhwqFmGc88|6hY$e;rnF< zZ`n4}Q;-Iqwkl}PE@|df=oR$gzZ0$LKiW&jpm;AJh@ldMHJ-rPiXt+KLOp8BJ~LHe zDIMtA`0cN?hNYFU#!Lz+pii(_;_5h(^dC_u&+~Y(L`-X9;*UyaCnk00kQ4_M1vnXv z57jZa6i;^}?+dLA((T#>Gm)U+Q090YUoLkO?6OGPls&l(L}2FBu)kfc)I*kpeybdI zty84qiu(97r}Q%e&<}N+?ov5n=)Xyo*U3Ie!p2S$U5}s`j3Jcwny3?OHcR5f{ z+&%?lnRThE1l(>yCAu{ORh{&W(0B~C_WdETxL*xrCz*R&7i^RhoY zlVT~U2b6=SJ&$sa_SJH`dfeX4a2zW+{pxyc2VWXjOX8DaAt6{MA-PoWdWKUIBP|14 zXbK@IcaZ8rkza)j5~ZwuDlxhhyVqQ7r#$h2cuG!PGq4j9kKgMzg!-~8`Npsq_(%`l}@GAoE-zO;_?n1E10J48yzr3t|qLfzVb%9 z;x(`hN?7J_mNrEU_w?U?VI)0iE8lts!MF@XsK}n^%6*Yf3yY-Ma3qmYmbjeXH9OYh z$rNk(>1;Ts(TUF7OO>A0th6)!=hEETYzsmvV8q?Zzq0)wZFK{%D 
zZ$PV_e5xCkUAbl9jvH5Uhp8`4@F|c`mpiuB+SInD|9kSaVuLXtzHFPvkSiD9IDXb?lr$Wst#AMWPsqG~2 zEs?8lk>*Cx1Q@*gY})3WN5KAI#c^4WivV^(7A%aijpK#6^D0gr;Kw*Zhp(X%PPG}l z$)VhnVhrl(2R0NMzZ}HzHy;DUdJSUmv1u^F>xRdd_Zx|CyMF}fWaZ6qeD?Y)UWo!? zwywhigwXh=e$(zfTp+=Po+^nR5sf*{OICDFYZ#;p^y2vH;5ggYnOdguZ`UNCEE^Dx znGHCg$~-^kx@E5V+Z|lMCixdC+!)I#A;HXGzpIvp=ZDE)Xu~kTjpLMNAdUH z&c*3q%YK8n2q@H7O;?1BduVl!>lJfLw_Hdb_2scrd2|Gj7VIb|){zcPZVP<}?L>pg zr1fh_Zh2+vE7j_o^NMKGRA_bfbhx4eiM;QW$&iw(IB}r1El}yio>)s)zR=+&X~*72 z?+ZY6OgZ|yhZ7N(RkFNo;Ztf#exb@^!nOoYgS0BQwz!|CGO%*8iAr^Fv3y-_2{UW3 z9=YCH2m=%K-D;U*JT&A6r|GrzWh6?|ms_6C@I8l4By(z_XGKt!dU1)kXD_|$Kx(3h zUA*vW*)=vtbl3kqhj5cStM;&Unl06?Cm7F}XS?mM3YE)yPEzv=jwNB`vKra$I~9%ORYO zB^L(Elbg=@-#5+EOv!irIm1Emz$S`dcS^M=oYi38&9|HfCTi(Ki)oL1f7T^G5T+d_ zw;;+&4^kl_#G$S}AzpGaWs7(iO9eLYtjLqm%lRBM(88uBKA|eaIG=*yyg&oDaFY{? zSRJ(~9P01oaO`^xzr66P&CI)1aVI&N!jWlF3_6#o*L^Pn$XR zu{Zm+MvHzISF!kZ3{MzvWjL@&2kfIsp65iuCXbKRW5{I^dyWP(2r4*PRBk+lzM@x- z;YZqEfT(0WlCUis(z<$kJ3swv21lHjtFNibrS8cqCXDsAqUcn(w?(8!d;iBNvHh(yIc#sRJgshIZ>%lD#=ow=4 zmEXLZG^-x%vq}fC8mf9kvs(;_z5%onO%QMC} z4#Z&nlAHqY@Ob4-9Vbi%uh)1^keSgO@$$B)SyU(Aw(R%3!KS0ftxU%7^?ZrB7t^h{ z(yQa4-D=g^)yMCs zE(x7iswqpIf+#l66)fgV2#*Nop}3vXGs?n|i`{$9(=swzKOZyq2^ZD7Y`C|61ZGbz zr+ilVoZHW9ZT5I>-=9ZJ8`Tpl*0S=v?%yrC>-_m?D;04imzfQXtxQFPk4s{mp6z*!$?||TQZL5flDa?+?mI6Prj}h~ zv&=2=YsMktndM2^`COx-`5sh|HRfvU6gqWq_8sTsC@C6!jc;3Gh)738cwzd%#Z;g4 zV;2T3wj9E4K*7;_66_iyTN)5!wm$VkWvR2L&)rO2mvqZsb;anGKm%5WKO&pw$_s~Q z;a~v_Nzo>uF$R>+s>OQC&qPpL)9@PBaQB`Yu(imrT}@ zej@rRhu~`zDF!V}3hEi@YmZ)IAp0iPXi#pqOG!xMIhzsL2#rY1MIF;bm^}7GNXi`f zhG?((_#90kx8_Gl6-o5^J z-0FN4aRIM+$=6N}wBTQtSFrUcxD5$1L3yH&$}9wE()U`UO3b6Xl!<*kaT>B=q*5Z$ zX^DkN2k@>vl*2j1>AC;cCl^O^r<<&`{KS=wl+T5?K< z%M8Wn+4skehTq(u>j(*Pcr6;r<&}vU1w}!k2niehNvEi5Q4>Quo71DrtDz7_wV*+t z4@h#>(XjL+r1=7Zb%`tp>K1?)so+>3oCN7f6q=U8+%)uJLaHafPZINRC;f6ij*Z}T zP$AkL9`s`g!`Pyk7sHxCLiF`f*3yJHwN_MJxa~#xI(S6tM`jq?uuir=w4O}*OFKEX zt+l`EV!7H1;LO?HBfr#0jUK|}#k5l5B`S~6eJUS6zN&lNE8g_y2-_=z@84@uwyMx* 
z!Xd6kr8pfC{U1GcgjlU>^EebjH^u^IFn`ve*|(>*#J%;*W9T&`jk~NQuY*$B?@r`! z1Q6>ktejoT87=kQA28ib!)ouL)I+WDq=gTLoc*v|{Q3`Wz4Xx8z2j-NE6@Y?r6e?E z=R-BBmHtr3Fto6>3Vw?&wB`$jQG7%Q%U752#1Rh?orpu`vvlFcprK)-14U`Z8EhE> zb>QRi@k8SRdrhAmLH@B4D&&hzaA;aV5*TQi;_9^xCaEHUD8d%R{a$T{P)gKgP}nRR z9e(kJeqj)e$2d{vsMCPFE4%ugBfY4OoGZ!?V>z^CJK*$ z+1+nNpMH+efB~$n~!!^s3S>JqpgRbFyK13okTig>+cQ?S$H) zs`_rNJ)B&C0TT!N;53M3+253sf5+g$ye>*rr3H;DMlMFITEEcD-#@lj*4%jpGY>gf z7_y_LL)}TJh?Z1Q)?AU&D%-%aZMa#FcK_y~1;4`(sX)!1Kc>;R&nDpsrpKaglD}lA zsS}I`6K%2X_tw&|(U);j8o95J-#d?)L{89Qob$=O?^R}7nkjP2z3_5K^x#y?2c!U$ z$iU4uUi3m`EeV1Vr%TiYgLcG2eiOLZu)LNlk#bC`&i2fHK%caup!0$_Rpui}V}uS0 zM9LcfmFhta{7WL;kf3c_opRb5PWMX|#!**h&Q~8p{1ps|T<-KhAnGG!f3hWA#k=?# z!3zJL%?9%Y?v6scXCLB(t&1?FR@j|Kpd+2<*J9>`+>3p;DW%iycr93Hacv=*tlOKP z;|u5!Jrf4}$ozJzSV0@hGPE~FEQe-U>O_H2;c5AEo`Z_Y1Z+l_5 z-Lk)|CCzS`R8;(p{+u6iCT?*u5hBsMM5CW0?g`1lEyz-;6?#H54%9MS=tf!PHP)U^ zM-DXk3mXs9OsbIs)P)$7!e}kaw7w|ornIFQ_3b`Zl!c-^iMiEfQ)(FK!#vnpqb(0r z9jiQ+fErTe^6Q>k;C@>qg;+Llf)2`Cc{&QmLe(`WG7CgWvnrR88DW3(n!WuE6`Z%m z6{D(7bzM~ymD>N5%Bj@f(!W;;A?3()b_0$)nXPMjIwl8ZFd7m2leXx{rLc=@*CbMn z+dirnb%;_dilO7^H-cEnS^l<@`-z;Ak?5mmZVvOXE(6JoLQ8u4Q+cJbAN*khba(%( zcxwfd0RM*CiY5uv%Lk#s`(KPdba zgHzgS>1$?>XLb6*wJZ8~JRj|LDdnV%J84}$ZYOsFR!uyiFQ@W_6^pt1WL9#-twruE z=pW==FPTJ~+lGB*U}?lB&)F}$V~KvPk6gjMfTIs=+-5QXGx(>;5y?IP9vITQEIdvvdU^I&EL6tXIyrjS?Ll|Mt!oi5yILwy|7? 
zMTEh>RZ3~;UJeXC-sj1d2jVu2XOPiw(FTc|?{wcgb2|R$$wcxVO=o4qy+5rnp&Nte z2}L`^H;8n_Uu?HkqSNkUL1yaf=JkRyQKT7tmrvI~^wCtK+F6%g^0fw^S{GAQOEL&V z`UnMq2e>^#WE#0U&T;rR{8}Dx8P9DQg_3KQrdYdbyN{h^JJB`({+t&++NJir!Qy8lKNI6Om4{njS^lLEk!%G)d#ulc^-0^f)?Kg!HA zR^MVo<@jzSk!B>Fv?R$1!{fX8)B8IEtsi|(Pb~cusyU87s3~Gosa!lwSpLrCoosNM zv+?PV=}ElPOYM5@$mw`UP&9s&(0BTXC?)%8R&c||7SskW1 z4EanG6fAqUYZsGRar0c7MIqoWWwO_ic{-1PCO*DKp8*9tUW4V<4OSAtnTA!}TMjl` z8|q%!Z$f`*!mhWzNfx5kJk(ZfHLqRy@iKJXM&|u`Jc7bhzGQuNuU_wox2KZnV67bp zcfU{+D-A&HnhlU_=?NaomfEAzjr3O}K*x999AdiRPpLKw(s$vo9VhJXv1jh;>=0RG zV*<%aSMMc7#d{(+u5TXF7LKhpl#8955YrbeY*jnB=Zc%kG_Vt~AZ2F8Luj^eJ^d|1 z;0`}OkPF6*MQmtT;)O7k4Y?~Hvyp*_7`ITNt*JUuM?1aPelMvt@l&U)-p~{Ew;dKn zvh{It1#D{xKGyKq>To=*4Nd&i0d<{ z-0~yZs<6%-;)6z&eWekMdZ$Mr6VP9DjOX83DPx-n4;mbZ6ZQ=s*&Pav4HgyjkW&c2 zva*wpem**JU?tiOe?#GMXP5nf5#}!C+k61M%3&d#wA&rG*KUF*XVG%Fa-ehmUYic> z7Qfp+iF}{vxU#;B*sq5-$vF;72^EpM8NE$($@bRD|xtKbEv4&Tu9P?#2`zSF7SyQrQWlvYN>w~L87Pj52YIU82Lf_-e%Mjism z&C5^D)eE0eg$(lApymd}eFxTsQ09}+pPM&#=V7sHX4-atHB27Zq1g+Wn%L5>@bPS- zq^n}tWEYu2*VSSG(Acd}<5@?*6zY`)+a#*FF(!i^-$!W+GdgLCw8L{4P(;U7sL0gg zWK*9bJ3+Z62XK~Y@4C3ue(#W;{ejczX$+rz+oLe(v9BbP@GcyON8UBYgpXiuCBJdA&fGE?TS$cy-2k4zE8SW0^L6KjhL$&&Cp zMkMo4h8XDyYJn-?MlpiECCyEg0HQf z)6l4-VJ6LJqaX-)eMMJwWY-Dl7|H;wj}2p2fUJ#-OvBITjO6b$)8yM@w{;|8J=KP@ zl+OYqZA)?}i?}cTkq)9JXj4a;rcfHa;4Ln0=3Z|U*7Kb4^7S$$RFlPW0 z)j$p^(vc?GCz&E#8H*ipcF_g$b$~T_HgMovOX?L?2LE8<$%@n-2@Fgb|ETvnu=$U~ z?Q8lFzZY*_4cIrgZyv}xon$8K8J*ZA5;k+`?U9~JiN>d+vLzwP{hI9b97AWqWjvWb zbY&!$iG47~6>VehMKT}&-J*h;P^Vq996xVjQwtUJ8(bH_VUj4@dfMDp2zp`9QJkEx z%P5B?su^|Z&jY+=BC?<`jGMzs%S-R^#Me#ItJnFRYT8g?!YBtEwWUw-!zr5FGh1W- zI<07FfI^;C2s&RjBmdVzVs03N(+)3LY~*FmaIZ3VroK(FI1U zFZ92`8Z(KLLZecyR^zex6;Q%&`H*Y&5A1nIM2lb80g~6DTUbq?>dT`f&y~m_gs4cP zY#k|&w2g~(D3cQwDDNW+ChThFF&M-A2XHj;_A97oe!4Rm>IMz;${eCUC!_@E5`Tk> zDfmjyFO?$~ULpn!(tRHW#y@A&W=7?4GET;-?#qsYu~)yx-L_AqhZ}eZo5cKVwl2lI z_?}TkRK8&ny z@s4-;fm#E2zi7Ymeg}i8jz=>0eLICGoFqj`%3 zP7|(z9;8gj?T)Xv4trna&1sheD}!N@~7l 
zhD-=9!Z+~eo;8_Kjd&VZqvLpl9d6YfmTpU;Ih5X+E=p}z$5VMQhbkwpTl+lGWrYkT zv1ZkawR_6v?;O-Ps9gr)ebCx?RKpH9ht^dwP?Y|}0&~YFV{W46QI&pVX_GZ%c4zaK zvEFq5qwp)qf?FrdOp&uxGtcJ@wEgdpXowI@1PBZgok-}UI(8rmeuZEK-BW<`9GLGu z^dmk9!3)YJ0S~DM&sXO^i zF;f7Fr4w%hnndjlFe4WH(Aw?}yiss%hY_28s^hs zV*a)($@ptRU-6<0C^EbGe@BB{U6Ng4rZ{)ROp21NC)92T()>>MbY#jS<3|zI3;U({ zm;@dS<|iRGug9w?s#U7nT$EB-I)H0*{JhUv7RI^xWRuwO%2*%Cs->W&9xMQt$cP3jMV7gIL+op<3%MT;XRkks@)2u{lRnAN2%=HR8oa+1aQ$_*a znOq{)gf?VxID`%U1Qto(n`PT7yWe};z~uH{qcFZY%BBLUoELQ7TofsB;Ad!c=PRvt zb{ult+tko|ZCorsr<>1Ulk%w@i+YDZ3q3F5wN<>E$1%5iRwDVeWce^P+Uo#yB3p_H z>v(?<_62IWXVdP%KgZ2QUTh>@BH^0?IY!<9uJCS;zHKk~NSrX==D2xD4z4nTPov3x zR9V6kGve zQH?X=7L@W$(I23(-qc@(HHt4sFF13rHoBghMiREfgWOK%bz50LWkK80b?j!22!~~f zZqc#$Kq7p|u&s9ar`=DWok>Bj3)m+S2V;?2dYtiAN&+;YL|8LV_Fc3SE-TkGC{P4be6noFOAZS!isv?XLw9WQyM4MSa$n5NiC-X)^4|05w&gJl9 zwKx{x8po0nAB=;;H$lmnUVqNWdp(znSkUWHyJo#2W$~WfLw!gXDhx-%I=HPYu8{8}hiMw{x{PsSZ!{Ym0f{o=g;n;$VC*b-1a}Z8HxMafx+w-GE7Z&v`xrF>{s`BXPWEwM_%itb^h*9qFjNu8;O7j z-_9%*lYvIuuMd1(I#)>P57Ff~|bNk~HBivy)Nz z!CPX^)i&wP6U*Qbh!D%pWz-IJvB3!-y`%u(<_#V!s&|!4U$Lkeas|FJFDaFu3g{n>^O?pfP-TRR2ygqyLfvjLqSW4RpVZ>diO3;j z;{oRz+)YL`M&ybl{^h#y^^(-0O+=xjl6Y3w4hvRR01ncfJq0=#)!(T>$rxJ_oG{d% zp}gY67%i94(R-^XZq>>3oqY;s1CdGy#)tpGMqU6bjbDvbZm;004O}X&OmImeBDdduLNLzjIx-E z5pfaUh5?g~gbXj0O>!@drfx!Z#bccqt||ZAr#CDafBQA+lsu~t8q6*E0$+HB%n=b! 
z7;LF89k~^jr^hjY0Z<)Zt`9#QNP|^q=CpG0w>225r~7)49*SojgJ|0gRbAVE%OQGb zx=EFyVCUYaF#n>*7g-76mtCn^sikQaUR{&SJPk(Hx5O6un~tx&1b`MVR&dLglSk9XhUQNx6nB5a_QmwZmp z%1d*)Ip7=08Ccd|u@qKZns9%8omh?FXC}6_3$>z)4iLo_)FtI9!ViM~UM0V@op4jk z`qFAh<<`Mb$!WQ2H4{UOjRQQpJfTB=hvx{dQ~8yaFEv#AwS$n+q`~}TCV;My5QgFmbp<)^C$)Atj(zqqXEFF1|Kd==}m3->)wu5RTB=6`4lBYol9@4i zE_dbKJ3~2#C5@_{n-m_HSg>jW>x2|2#g_p97i*pe3B(4v*7G^;%JZm#_&X%g$v8^< zUri{hjvO)WNX9BsBXqD#A#;`}qyjUy&sYotIn~iUoxu!eQ*;}X7qt)W%RbxS>kex9 zg3#xZow;!5s_za14~k5G_G=Y$uKa!7Z{Bxf@9`vAIm--kd7A3-lG2tsKy`~DHHO0Q zzW5=Q6^r*|_l{U+@~ApxLr`X((~4PSd39*7aMpO>hTa*~E+sJ|Le(g&t|c!8(!cz@ z*)+O>ToJHCZ!?7{DO0MDx`}^#1ODXuV^N^JTmlL~B*tbZ(A9dL$1!YfxCRp!9=sEt z%dJ#8BQO4*MT{8x4EL8tn}zL#*J&kLXM~kL|1~Vsl3IZk^-6#rql_+p5fX$zP#7qjSJtQUb6}#b^Y4rLx;`9f zC(iMs3}oaW)Gll$@*=~lR*N)+2EIq9cnCsK33cO!kt~VdG@062-x6diHVi00zhvEU zsdj;@rLEN;hUKB%V=K<@5j_vM)Wq2WWXqjpID(M|-7*c*U{Cc0FY;c0NWs+2+RE6g zI?)k}l%8Zyq*uOxeb)ywwXDwEoBB(uhxzV@n;l4uf8rjMi*(`eha)jOjId?d7fV`G zQhsNY`3QQiBm&__7=5V6aYQzSe;ax&8NXk>nfqXX3(e!g-4xcB4GN*FT{<4++aUgE z4*2io58BJIBbR*{GV6l$MM}OzKX1kkx(t2#--!H1wAT$@lz<EN_1UC{mWFj+P(1 z=IZT?yx)lZH9>$7Q9M@vc3@f}O&3+!*ew0*|NZOL6goG;yoz2n#86y|#;xOG8N4K< zu z&Dvp7(^c_?o?{A7&*JHgO_<67VO0PgGHrA#ob;V_JBhRGIH3Op3?j_)cJw%~$pKdT&HMd$1QN{6Z?&aVu?z>x@)~I7?U5lt8tq05VQ_{rI)`cd}6XRFbDlhWE6Qi zEM`)MoL7l)V$B$bT1q28dzY2uf`$1l;FP)gfdA^1Y7t2X;Z;I2Lq;=Cs==+JM`?v< zlNk*lx3UmUjl3xSSUj

(}&H&<6W4cyfud;rUR`cGopr_O$r7v@Nwc;JUFYHA$a% zD3;K1)s$^%XZrcpdr5%t4i#SEQLftjv42DKZCpEydAVv<3HWLl-CLT_q$|J5b92Z3 zK6BlVAtcsrC_0BV*7}gz8gt=&Em;gihGr5E;NVEsu4ZSEx_C%zlB2o#( zn#@#e9s7c+rD{Xw*~qLi?k80=POfAdNKRg*>4#_O&t7nc85QPB(iLTNEXRqjfbzEx zOQ|pntbfH|erxCLbx`uxSN(JzI?ssf>9YZ{s$3p?%-IsZd(3@toS9i6NrzXDzFE~Y zG9thJ?e8%AO%)J@UHXD2Ml&;)@vMD=TXXdOz&_Ca??*Qu@2`_xZ-0SXNIVkye^{sL zW4b@Buczqfj#;}Z)6P42dON@6HLFJLc)4bmmOuIE(QaM;S$}YGy_Hhy>J zNMGLQQ!%24*x=+HOTp*Re7|3(^O$ne3s_)2oiv= zDBJqf(pkPSqLyJQ!;k&@%2)O=ZAKSF3v}S2&mIM;ORkhMHT|1E(Wbe>&?SetAoh&7=b-AC zKRjNp5K$Q-7{({F6VoYoL<2iVrs0^5B@%xDe^EvVl7UL&g>e{&Oi?z!&YWESz7fCK z9Cml8Bq~zv){@14R}PC!u?KP)#rH)lm)M`twNd^uaJwN+Hc~q%&*%>LtU*PbLuA=f zeiBkLNTZRPV$|HgXA_A-gRn^=!ir@soj;4Ky{C}dWhAAc30}2G8?CfQwyv9fSdkbX zfJj|@1(r?;S;E~>+Nqg%tCdMD(5nJ`-WT=D=TMCFrJ)H+8a*4JlJ&g)b@!a1hXh0$ z*Ut$u{da*HW>T419pWQ$8EW{6M+xlOAvK6f(DwS1YdjgA%b3(Jua(d%hm#H2Nz%Zp zT?x|P__B*5NJrB$VI=d#lfO-?q?@d_=~(Nf6NZZ19^C(mAW4X>-njO6xChHJ_@r8ten&T}OnpW_VnmMW%WsF{?vPGjAh;K>W8 zry1JA9*r?x<9bAirWuRnHZ2jK9Lop;GYAv7UBvL*x71ZO>v+IG+aANSL z546dlxaf=c-gE@(`gjfMJzUSQy87el4x*~pnN>$d( zzuan}vXyrjcXtF&WVy`rD2zWBzJCvMTBvG~W=gK-huRpYn{ig70{-F~V*~wE&EuP$ zzMf{T-oUHJd;-+$L4RwB7~>BqJ~$MBAW3@>agX~*q@Y$_1;LkoZIPq{pJBW~W!2-<92-A~ zZ*ys(Mw!1HRF|E-e1YdR@|S2Q(k++=HJ3}xTiUB#J}3ttJ1t_~in-w6JPJ3GTFv6J z!FrTO{7xaTzeAQQibQlgtiNZA;|WW-(tGhes!fZ6cg1aTAjG#?{#zqg9TnBuy$4W` zp;M$mO1et~92z8*kWxx&s2NhiAp{1bI|U?!8A?(>a%cnu>28q{q!IXyy6*K}e&4s& zch)-Z`R6>(%z5|T@80js+0POO>|FlDVNrNSfV^2cIe+|8zrau=N&eYg^sMION?xxqkFyD?@Ji?h-w_4q05_mItlXTMvQvKF3r#kzTv# zH$69Rx3(S^%?Lm{xXoU(qN}q`ag9Le^)-0y@ot0#TX>O}O(=yqP)LD!DKgvK74Sul z=z{{$vpI(cG;)MxqR^4(E-Ih`Lz<+CuJ0OYdHOI@&fOT@^<4HqM}sV$^2+H;X$j6B zU258zmQ29Db(;e{_ePdNc_MdLtGIb_k|bhsn$I4B@jAZIQQCozf?g9(x!+bWG>qy{;wS{}pFs zm(iS+=w*`qP~PmsIa<@3ym~v3;rN=VQ2$)kw~mMOF8 zavkN_kZiNYQ5s2Liz==c00XL(dSI}X@+w%!OBuT*hDW|AE;4}KB=mZ-HWxgoC5~yc z4F(m;Bip0n%3C1B2(q)P@=Jx zncKYi6h5=yqGH=FuexMve%&f0K{V!Z=(k^g9*5{Eu}Eux7rf_}Q>*I&)nvy@m_+a_RN%1FmzA`nzaRN7|oL^bspTx9 
zz#2#rFdlq}x+w7=`Eo5+jueck_Z3w@T%@u8u`#kEhFawbEeyW+5*+@xxUm&JQW*3h zoy_+6nKuS||KW4=XzC79=nV-9=yVtvlXeDS`vvB@h_*kwJio;Hch9L8&W^$>EC8Sr z2mnz1zn;@y-KK&+yGJSBrN#xv_6H)w zw@Y^dz$0;Z?(|@Pl!P;3J>GDFXjC<}?BTSsRYk5MSSGjdqrFY-y&)csQysfu=iHJ) zohj=1mpCGVbWw_Nl?x!&iozF1ug%``&eJ$Cs%=lF3HT1tsb<5ZCrfN=9}nFBs+&m5 zK6SGur|46Yvh{GHzBA78AStYFJ=jZ>M;@yOSe)!HsMa4P!_7v&pyYG2?A=|5)n%S4 zKi7-_g~V6WocBSIkpaU?xV*AG+$m%c=PN2}_bem_H>+#*^=C;8XJd_O2lqla%KBqH zaJjOUGf+k!>VhNkg*21xZO>(l4g#Z;aE$`mxjx|y+zqdr;MZ;<;Z*C`UmmzvryPkp zW;KQ^R}_BYdN%Ex;~oLEzH_jC9|@9}+8G?QzAu|T(?Uk&zhN6Dzc!n9f-Na?O(8Oa z0Ki8G;1dVssoV7TVhtK`w7`1&wdGf%bPVI#hZCVNy3t^wJDGiW6px^k;pYrblBLD;UW9{OOy3K_(ps z&_~Xq9>>jR`0)Lgnn|xJ{B&QqWP64cFEmnCE4@oK%I|7sg_*|!S;=4BHj)cS9P3JeN%v3KL`T5f$G z8F-fo&wN_ugdR@=2T#MIJ6E6SyukFb{>GQ0xOi_ts>8AJ6jN~H+_A%H1CurICd87g z;Pnu4^VP=AsnruIwt#Zdv`g(Bfv;fu&p*JWkfiU}er~Nn?XMMx$a?JSWXY!y>yPeB zyflo1sNQ{z3(R6P=@rT72qw%lV-7HTJI`w#S5>RDZmA`?t2);ipTEZBA9t_gTXh2S znp#nhs{@VY;CrSbtwwHhOFqp)Q`tJ`k@Hw(>GUJeW43IT#7`tvi1pHYjS+PRJP_N$ z!gnH5rs_$`{3S{fx^@wAYdhzq_9>zPdOJs4YR28d#!p{RP;Zx1$oxBkt!@&a=C1(& zJa+&9g5MDgb@c*UL4Strmf_>5MRDQ_F6~(l$bHgMfGrK~mU8`@m^%H*Fj(jdYtkT^)_4Tc+8z43uBZxT_@D@gU5W48!_;cAkI@8ylpxX(xU_u8qI?qA$d zap`02WeLaZ2%qTb8pg*l-)|NH*6$}&m#BKh*T3J+pW+T7kR@^5+ID*su zErNPhJhbePez07cfFs3PzKW0;y~=5a_-N{T!`II*h~a<9^-jqw7t@d9vWU7Z-E`M}eo;fL9^ z#7jjk@4H@%;SaX^(g@%GA)NywDJTD7?nliS^uu3_|3k~5`?}6&(7~innV7Wafo;nVd2Yj8p+fVg4R4|Id*kU4 z*it~YN zO=jLiXCibB_t^+x^Mz*Q!NOK6sqbgpBhpv~AAFg+4ZcY6qd6WU4Hgd>8Pk^aZ#Pcx z(+LMM2AbEum7N-BV7Wrx&`A#~8m)!;K^g{Hry#_ebx#s-3k7eo3O$U7H++nMdxw-? 
zC`>C4PbMXv1ZycSe&y=R?%1g(w~j|$eumkrUZ~{prMpz^jZW=oc2mrBb4=?=2x}&- zaPm#Y`Xh(lTYa6Bzd_*ByB89xJT~XcN7y%Q{NeE3r~h$N*x;T7t~5P)!Kz7wFJMb(Ged-tjV}2 zi^iB#pK`9+e=2%@A;&TuUN3QrixydHmrSY9U!yq9ZK|`RmAl;!AbFb?1XI3opF0}+ zZQi~tlA-*G^fVvqwOgkJ3ew1xHbd2&TpP|gM#`-AF|BK^x0pIzOa?!+uWXY<-1#Cm zM)3l6KRSC5qx{-rUZxW+EU`?2jAovrCYWG+C6V}g{q&+26Q&P`D={V}07WV}p9Ldf zRR$O^e+KY$k}Tm1UMuhlzrm!%5C`O$sW;0=0h_G2YB*L!x$>naNX1B%I|=3!TaXckrW(C-g*$ z0q^YZJk4~;G2j$YljX@4jvhQ1C+1%L&f3M(<~UmO0Qy5^9~iSy2d%X70FobI9GA4E zqMLLKCtP4cYL_3U2Y{bbGfI)0KMF*?<@bF*V2sXDQgG(pkI8)y?jBz%ojKE(`#sOX zywY>-%jNgMx8(OunlkwF;6q~yxNJ^kC)fYI=0mx!W3XTZ?tx2+!Vac1!o#nxQl`h7$hpm2M@4E*?v4t8P7$U3nNyTP5hX1!04yx}~0~2CQBTi9Q7tS8G6lgIf=c#?S&`#fAjILtyF4 zbV;rBL2AD8UGP(Hyd)=D=LJ@Pt%#OwWH3dV_5@$jBfVy#5+>^-((~=S=Ge+{)YI_6 zlNSUeY*Amz{#lL--nd8_y@4hx#Hm|nnFS2pE>L?kuO zvrO4aZ!j?R(Q2t3a&cmMe8g>(m=d)){E#}YC|UmI$W@ALc*=t{Tasg+yaspONC2$p zZ@(C4WWiBuBv7VttJ=6~o_%YAYiokh?h$jAA{KMwvc&TRKXJ}Cd<+^JyRm1o1z?{L z7t?RDImAzM_7)c_Keg9SBuzl>o!v8X9K!W*32vR1)oYibi1a%jG0!Xx*eKS~XF3}8 zsWDE+r<2j$z4>pOB1|E?m1tW=pq-ccw@rWh?>{a3%a_|@)q#Qh#EPY)5P*`ydd^#f z<1{57vFnc(R8U|1*DbC(t?Y2eT*No^t~2@vvFvv38FX*AXyKo}`0Gpv*53sr@K7uG zyNUOSRUIhq()wa)Bz&+VUgU4^pA)i7+)T+yro8}Fy3HgUm#y^9H$Q3qR^3=Y8I#8m z?-czI_swj_wO*3zLXX25RPzQ9%E03qZ6E%y0b%A$;i3GBRk_QRKEKSlMZG4Jo2PNF zTMVpir&s#l&ziSDW59s+->2xhg$(_yMsiM$u2zn&Pab(WTR}~J`f&TBUX3<>;vWfJ zW1Q~m{#bU;vyHQH{F+(PI>MgpIjWr=fk_Q<9~l-gy1*%RHv2p~_x28mF)I2WN4>NO zT@2JQ5SJ30|&1u$h95Ml=03=U)sk zjB_+8TE@uL#>&C!_xMY@=<4T7zr?S(G{FSO=Mnwdh5k+8-+AMz4$>b5q^m4f^^^W) z!T9kE^M6rOx=MI;bNn}{(w)Bzrg=xUAoG1HOl|+tQKSbrpvpSc?k NFoJeP(NgpP_&*%L-XH(~ literal 176840 zcmY&<19Y5SxOLMswr!`eZQHiZ#sJoAl>=11o5dsQ)R1VqPbX&XGL!4C z-oLBC!c|K_P`-`}jd?2Bf3{5%baMb?Q1gsmP4MXAoKp0LV{Q(04 zy!X$aJ|X@85RC1eO#fgANszYgXFv@8h`ioN-4{m=-V@gLq+~_4viKz{ku@;yNm$D9 z^q{IU9ATL+J~8ggZS>WSatU3pg3Z7Of{trck8^Z_jnCblQYe-{fGI6B82V67d&Jv) zm6s{nuZ}klb`LFaJHsF+pP7M?nK36ma7yCV^aY8KBM_gI@)A)Js?Cg7O-~cVz^(&)sl$pDSwPx4(n`U(3~s!kuM+0}V&?=@Saja_%lzjI)rOmWnG*Ch^C=~dRJRxMD~ 
zr@pU5P*wdwjCNnd4-PdyOEANnw8r6R5CEp=fGvYA(`a-*^gGmI$*SmP1|C^pJIXH^`v!!=Js zZh7-0J^2aK<4E#2w-Nd8U8CQ&vmrWu`-d2uDM%>Ci1h%l+lQwazSd%zff^Nt>4xlG z&p~rKc8ue=4k0;Mgw#MmMDT@0rEd1Q?ugUHwgo$v(&|s!9HFZ1 z;NMy4p%0glEnKaqH%eW+)%(-#UT_}O(*0OFy89q-9`)$8R%*UvZiM1I)@)d~eS6!1 z*5Bw^%2uN&v3&fT%#azwHZ7-dUpQ!$77t>c7JVg#d1tkW+aoG$BA?{wZ^sy^X@zLW|mS50r)fF9|w1cGQBHCC? zRW?pyZJzN$LzTZ;`4^Atvz6O0`CR_jx2Hn!DS~&dTrcGdxDi033tt*?$?9zG{4s;u6wD%`;DYD`P`1j_tS1)UmO4CFMO2!50+A-ZDO(0vN?U9 z;ZWj1uU(N}pa7X)o5_&i?_#?VK;yT~*!eXL#V+6A=H&aCnYQ|#IVB4056ibnkV2?xy z*2s-=;jB&CxR;E8@>^H|8$c}SY!1{Ey-h^DdRGcgpk6>gAm>Aa9@9PAT1U;A9+0P~<`sl}!%Y)>W&^kkFPPA<%57i? z5t^i1av{qDl&=c91HwK|h#&te9rv{q1jv+It6(0C~HPi&;APQfPG*8OTKer-#- z2K7ifX)R={v3?AfnXT#ZRhr6KXUu6G7A`QA-we|6UsE;w81{T+&Wk=Tr6S?3qYNb7 z5Aa3ciW18=c-ptj?m73if@4Q*X%P=Br!SHEjm#5DwP6&RpIweG#d3%|N@-nwQ2?9u zqrHRw)MaC^UkA=Y!?NG{S{RFru4J;vA^tqENm#WwVhoLUy7CG1Rq+_ww|UVt?oo~ z!Ea= zM%nA3V_K^e-SqsVIz9pv3e?z@ZztxPzT;77ASMIK?P{}{7qTuruq(tXb;}r|7KgIz zeH}1}yFpVF1V0WMom+JgHbii4$L8&ca4az*$} zuTo!OeVTFF8H!R+jccAw&1 zit-m26uqccFJ0lBTNUjzd#2>gRjFeuHtPOTDby-nisw9Tu^B=8$4|9{!sO8Dye7~f1I+J`1rlS>%9wEx_+rP z7z$InS-n)@>D#YQkjrj6;rC&!77kG& zT3#7>ro?p3GS6a0ik9nWfdy~$ann}C3XDjr`{`xIY_Jpaw_5U{1L4q2@# ztEcWoW#?9s6N!iWDxKzo9n;I49nOu*3YXf1+=>xx?cu%b`@oGFPea|ndAzNxYxoSk47d_O0O_AFb zk;h!$&X!>&T!L-!b}aD>4QOy0O-Ux+N>9UP;?=R5QwGdaU_ZEUwckq4>ggABT3$qR z-bjCKSNAD)OB|h1{90a0xSS)zzOv;w8UB_1#wE%sc6(f=*e!o_27%q3$9O_@w+V4BCZzkK-)vU2pd=0j@XS5s@`yD#`9X?0Ri9ynXz^f-*55JxFJ z2=TP#XIjo%{ZY++p>KcF{c$g?Eb4U-H<7Yi8(Z~yy+4Yh=;wwq!*G>b$+~KRzDtnsR7Qc?lQ!<6k-PdhSB2uX@>6#}BjLHgAr6pFsmx-!6)# z$M_4k?6$Oj73In*zn^(*5$A3Z<#r46`E4~_p7|(kyxh55CY@{+UyQDJ;CNoPdRf|g zd*r+Qp8k2{HgVLuB21F|G3|ZvJM)!%nm4=Ji(@0D{YN>Ggk}#ed{r z-8>B+I$zED?3l}>8~1%iNyW~8aP3RI6IB{x}tDpTgvL+`pcJrU@=)ceH87qvT1u(;c9rz zH$NvUd^LxorHjEK3j4!f8yvH!v1F7Utb!t(e#?q>;hB`>{l_gzs1*OTYHy-ZQFBIf z=xqH>{rw(a?FIS+m%bt8292dgySSa|6Ey`TZ>n|`-4%2ITf{VnCS2TGBCU^b9zGG3dE@$L7^iIMS4JMuSOsmayEW2uJ zd#F~0tnl);#_KbBRkt=LWg4+zCsfuAECIXrW3sv?9d+sVP1L8E-c~ke7fGs@ 
z)J=N`Q%)q8C-QGeC4VJ-4=lV%Ek$ zF!<&`6-~Xc*UhbC)!EkR_ptiBYk58;cs@0)F#pc*m2nlwH_h_s27ZXfKjWzG&2)Uy zc508*nHa~j$$ubPF>#h~6!}nLX|eM>&bE{5r9YXoj7GtsMe9T z9;?^3)-7`~TSjjFBZP*oAwtInE22CHhOwlfIX^0QiCTKb@d1anu;A(W+2Q$jT>eFx zBLpus(+SuMhKV3sx5}N?k{ztf#{~01-%3_qw~AkeF+iJ1%sDImH|VqUwnJl4mircs z7_AEtom!!;%spYJe;&@7m*<_gpb1{-QUL2Cj z3$x2-|J>=SZgh&&;slHJ1;wcJHVuTXiYsCYTBjY-!U0W~O-3J1M7q_V<{@rkcnQ{^y61b)~7~(VPVA=n4$mWZuh6gKV!S@jZE{bWnNx# zk~d8OUp#mvLB3C89Pd1voO21m2o%V7(^zU470r|6uD6h&GkO-8#`$Lvp9}})1>?Hz z-ic}K?EE`F8|Tig_?%L#%Y*Jz_^y_kJ6Bm|3+vP9aIK^N%mutb^nhUG+o`y zcouk2{1wS~ur~46KLA+&0k8^+M;{i@fMsj6#2mXavyh!oc;;{D-n18+nig}Su>dK| z&nJyy1~XM$u!4mP(R_{^ny#B}B4IRzNmQYW@FX>&A?9((NPG0f1Y7lSg&5RS_zNH( z&PWRv)P!+)8sJFNpOw$bBK*sqM_f1nO_^K43p=VJPd0;7IS);>awtc^rU)oE(~`{S z;EHnT))2u;{3Hpdin|aVJ)iO06!X?*pN{jkq09bvUHL_rA@v;L{09}hm==s{igzZa zSCUHa{M?lm?I&w{Gq5AEvboXC1+$o(i??aYR-J>CM_YUE(cmU`x#R|vbFXNALdgb& z53qcLls}6eL~=%sJAs`PbwvLsXbwRR=t}}BuxuQ{ylL#yVa-C;_JG-s(l=)eFm)N( zfrqJ$+GFU|^bBq=T}Q=lgQ7ENOa4{C^Kft3Po#&gq&Bqsq_ung97aEmMLFHPwc9`K z799UW(A+3^9BJ)OnVEZpbKTiQr)O;uDka04mCv!>DR${=PW|4cQ@Ndji*2~@a^6(o zx?8_TBE@<(0_U;qMh9J#j_urAG9*N0VQhARN;xQ+kBSkZq=S;&$AqnDD6bO@4+S@9 zkTAnQ2<2SJBkj!Jq+F?(ukder_A)_*Nb5Y3P^<+O;z5;l6BV&MQ8@G@r==?M3aNAp zC~c#@8Ut4VIxA`dF<0rmT7zeh23llRx|VZq+0bW-|K{Bu5Dh@V0F%=Jb?5`--$QZ> zPa7^hE=!Ca5Zq5BG>{x!_dl$4)$Ipf_0O)VLH;O90wl2YWtI&Qr7a_6de4w*jrMIt z{W#)WT^?R>oMn@+e zxUKsKapj}gnd#E#JXBLsa3iZ$z@>V+1hqHrJs#Zqk|Ky$gSD*~>SMz!Q`vSa+XmX#ZJw7qjp0l!bS!55K3CIGa&Av8-^s$J=BJs*U!CiE+P|vQm$WO^ z9n^JnnajG^5s6Y-wzk|Xb-%6PtD>eK+i0R@?Jv6>fRTCT4 z$3+Ky+5)aI9FdegoFV@@4(Jp1q>3=6ATLd4YR}l?;+v~dX{D?PqIOo%%o|lIzT@2| z)EH(Bq`hyexZG?Y3;-7MEJo%Q+6{KI3cufuw67r>Tbgl=Xw=TI`m!u(!Heu=*jo)4 zjh}ED7@6Im{q_o8W1?=@s{*?7@gFv_LkC>yF(0#%MIw?C$KCKQln;kwyl$36pK$&y zAY;%Y&XT`>$G8zdkVAN_pb=AeMcL#v9MjKpA5A>Z@wjP>hjuVL094DD1r;&(NGBQv zdZXO^s9-v#wCMQxLgN_Rc69vv=ZzN1Z+pNOt^MtoE(U2DIiZx_eMGt-k@ZFWDy`-P%vUQ&{u% z48#~@!MBGz?~B7W^l?vFqr)*&OJCr+ofT__=0jmRmo*x|ZO6yI2QIcyYV8$R#8?Yh 
zpV9oLye&CyU-u8^qa~F@UmkGdIRs;gwS9vxiYj3JH+dd-K5G@ovwMc1?4I?X$rZ@i z#P5v=4mxT#ZaylJQAE$1x=Op^hUcazG-J}UZ5OB+gIxBsCX;vE!CrK~g|A>VSsu>B zVA(HZ$fXPOs~x=WIJR$%w6?D2DVphxb+OQj8qPq@*fViJIHf=T@(sO=IUkPkqM4lQ zHl1oI-sUOOig7IDkk_9fETg$4o@CnfvXrt&cSJTtB8eu;A>c|LlG)NO;6V7Rlk69Q z9C6m9hI&TpbLlzxwlmnxREx0|PO79Yc>Ef2?bLO%tcTxA`(9|*G-RWK8zThI%$77a zl&LUUM(y_3=nSi;cmo$1;F`M((v4g5-f6u;IYVHSfWZLeAn-X7T-m{!K592x#1T9+ z!<|&FMH)G*)exVYG45Wwm=YuSFHQS<;dcXhKud3k`&m@Y7{-Bjf(58OGuDiBEZf(x zUIDGHpy<*{h&}?l^P;M8zn7~T>>0h2TEptzXVceEO@3)pzm;0|RMo!c^9g31bJKq` zYc?>uuVJq?Q{&zInMEDV?b+gxX# zIo{^iZ(RQyFf9%Y3H55Dt(p%hw>U$s$F?NcNJ~e36?j%jr1v_zp}qs4lZGc{%+?4+ zasMKkCPG0R4=DOAQ+*D)@E<2Lv!#5I%Xz*0EuA@$(~o3U36&L2#Ml&aeZF%B3F{s; zfiE_<(iM2VYj+7)i7Q)3Ra#SwdRXnlYSgkME|yhRt(_aKs^k`Fh!o!=q{2%e}_r7(y{` zBf;+70|0cKXqk>oI=KkOH4ylU;O@JEV zk`h{1S>B<_y|IXs`rfq^n0qPX@*UgV?*$hf%j&CTSr}_*ze+fsjVj029qg4dC}zi! zg0GN{WO-#V*$e&|?AOHD<~<8^y#5>v2q$=4T)Me5+)`>SCv4<{*FFRCpr2*ty~q3^ z^&7Qct{5wlD4hgOMa24@HZ?RRg$+6Fp=r#iVIxXU__x+8ILg_UtkJ&gbI~qMn6n#g zcj#X~hx%<)4SWxGe-M>I9TM~htVUFao#iy|Qp@7_-YC#aF&lW`$Lz7l;qAKXiIrr9 z1K)bO*j@`ndu8gfOu<+OeNpdl&;5wtxO!lswoYAX` zb@B`=3=x5YHeqC%)nD!c0)Y%wgYn*I5sT71M%!mR&NgujTGg%;l1KgPd$7Fmc66p0 zb@O6u6*j>a4D}8drjhy-we0hG%u9Wv*CuNG z_amuGTyf^OO^w4D;S6zm=vxbF8`oIvCa((nOpl&kw8-k{@Jn%6t^0RGFlt^S$LrP}jt=6=efmbiQn`fdJ*>b{dqffjVmDMT&u0^+e5AY+ z3rNnXxh3AfJj)Nfue6JYP@aF&;u@Y{<|v9Z#8Ii{dsFI8HRk_j;O>h1=FR~v+;3g( zG0Dqw{4}lHkR&~?Oj|5H{pF%SZO_y%V4Pn3HhNPdXGYjV%pQ8mf||$Mg0h`Y4%?X= z*7xfV>JXuA2m$JAv|~J?QCUxLJElUtGZ7kMOK<_H>~Kd*Lhw+-OcA0oIE*Ve>`-Yk;EbPL!{#g7DT`r7@{};~R}T@f z?1MCAY4W+Cko*Cce4gJz_D}O01Y3&CMR12PS6R+(ifm`GGxK8?r#mpPR%6!v*fMaS zwK7+~amYAjw`o^0xLKRA+Yl`?FQ#i^gtrfb`3_T_k z>fZ<`O8-j&9D)?2r^4A|8CxuW9!RhKVC7KmX@DWBOJX~5smCGXVqu)_L}FV?&#F_X ztj)&+l=50^v7z_S_`kgdUXX)}FF`-nSHc zi0%rMtM;LXg-6rS9I@v3zMQj{#8{o>1J9VC>&&GZZqi!E?2-gK4E9!Y#^2Y|;y-FW-+ zGVYaWEH--AxQ;sCfO?@>@baOm2SheZSk&pyJq@EVfNv|wuXh*k%r(%mGv{5tJakm$ zfl;ii78BTTXJ(!^FlM~yJ0dvDw*bOyU|OJA2x+cAa|Q`;6e#>j7F}F>Tu(*jh%eID 
zBPu_6OFEJ$V7*A$_s^iW8wf%irAS%0hKm3xIJ37|wqN6`DiD}j^^32qMjmu+Lvc>_ zMS&icTB)jPHtD#qV|Z+pmiL#AHd=u8J%H%2Q8KUu_y#RjTE@#xTa=xprav=1!*^6$ zL!bDfM{Sm4#F6c=MZ~k6%t$}(TxJ?X8L9YB4d$?e6_rTZIEESkJIQ|x)Bx+!pe@lw_VG$nHV=!rQ8<%lwmr&bT#ztS={$%*}hiGLWU}gFiwq?(4g=5k<_p>XlS<1Ru z7zJC%A%Y+zpp$BB>j3kc!rLV!cxos6#*>g6N2-%B4s)S0B|EUBZBY0fjlImgB+1L| z?2~vTDPe)nkT{_88b>ic3M|Q@g(@xc&#?Z^$6hIThQ)fLw_WQ)QAQ*HO^bnyxvnWskX9-l$iomugVvyp+9zb#o{1QkFo|E2q zkj){P{pgtO$USF9Tu52@FAt-&K&%vr8K2;Q$sD5X>`>K$VG2o64rAWLhd1xRys9eE z>_nMslBcd%EoZmCg`}>MZqJE6?K{hj31+t zimR5_3ZbUtgR79=*`~J85H(?#Gl+~!oS73z7A~7=?k*D!Qk48WQR$PMv6e-^PGckS6 zZo@MQOOxAV0e@*B<}hS*GdiRX0*HttQJR@Glu^69|IHbAy>1|Cak>(cFfHT(k+8q- z>RgY{MpXK}GKP^8b=0Uw4pg%$FA){%B-ym@h$q=B$S`#`_XSRlIQ{4RCLpxcmaaw| z-7~{{KvGL%)~~9z_Kn9_cwx;l-Zkz(ffZ6fz?xjE6u_`kais&x}rkgTok=pUMgM;I7HtkZM^1;@S3)QZm%` zHH06)#MERkohY`rG9Zq zxGe#z7LQ3LbTEhbVIr2_Jc;{;VrR*bb_q`Wt_>bA-pTUy$rCs`z}ng_)nx>A8Nz z3xe|q6FOShe8XypCjl6T46VqyEln42jSl5|*}YM>t`xod*|%}#?+db5867$6q3)68 z((yih5P$!`Ro3I*lQU= zL^ZY(^sb^!mWUQuwVw4k{2-qUt?0QO&E0=f2Jm^KK3^#w_p=KS(8QkothG%9Q(4x< z4-GEz6~N6|4X`~DJZ{%&7tTlcmwUJca9Ud7tDizM_h3djU}y!=Wq24j$N_ZpS1Qb~I3rxXNXJL; z=>E7Mj(T1>4rym0TWG_vjrd@_lb7{dB8rB^Durm!zm?6}0%3GNdksYYxfOQHHIR|# zqY8sG_DfPG(S^tsubR45`31@HE?vGJr-2G_uayzE7hAH zF7>qazd7H#@r`<=V@JB08(ShYP%-;KpYIelgvHI`cLn^;BdW*RE8qq;m468DGPpv< z@n$++gzzm?X+Be)|670wJH+!H9D|S@GxnIvKejM4hxH&PG4S(i_cWSnWZm*cNWje+ z{HTb+T;VO#fhzl*1*c(o>t^l=!`MBSi47f+jvbb{szLhYKaU80q(t5=lnA#M5Xzpu zUzb=`gQw!6G>;x|y+EYDwnz+f9JtRbh$ANYCw=qaL_}Qy`j~cBbA<6}jl%X;q15OV z{)&6Gw1SslwP$0+vKSFhh@%ajO>7grwUH>tzvbvGC-oj|ox3%!$@LeUQT7n@I7Hki zAJ$S9DL0=eb&Na5aFCR-awQ8gHr@oz#1tv~M;FvcU@rKL zGGz8oE=W2L=gm!4MPL>Th>#^-G99?a9ga#2hiGLZOpjBd{AZtIa7D^4D$CXLT_zOE zvK|AQ!!>KTafJ$Ay$PZ&R}?7;p3wCD^Q=AkYP+q?t?tlkb2n7&LsiRy&ARX7%SvNH zGMIa*KXsHhK1bok36)yIP+OhuWJRAz_4UfFakHkd8n4sYo8Y`l3}I~9XQuKlad%Y_ z%_5=Tm9ymDwvQ0oK9XdBfXfts(}UnS!YBA?VpMc2+lH{pOB)`YM81pT+G;r+QzUSQKeM+U` z8bf!NCIwM!nT|)k{*{cK4+Qa9!REJqQOJjyP2EjtSE~Aki@HmMU9i1}el07+(!6J< 
z(-`}YC*DX9ndhGes||NPrma@EgpWCgIqJK<_i{3KS<#xhnY1liGpkvfDR%_V%PHx4 z5EoK`waG}U>6#27OiXBMRr~qNyca0H1oz#1K=A`z^phshO3-uL1G@?|L8pXrhaJT} zr}ZfgWhX6<81;RRH!USt$>+n9@i&tCi)jlDwlDcJsF<-U*xc0*kcXw`&%%r;Zz11J zIV|EJ-CAV_mWkKcnIj8X7PvEb1X5GPzSeV&U^`ubo%=`J>Tb;6{JMRmU#@hWT4SqK zt(8>w!W?GVi55k1S4~l+#T|^4mM1eFYb4qqB_HhF$clSdjO2BWP-|R)>GAN_mo&vk zq~Ub%pH&7txb=EO9~1)_9Z2=6;(wzIGAa)S?n~|5$Mdr@oq-+}DkfdpXlf*4O7rkK z*b9FS9}`Bw7y6$9z7zUVGYE={t>q5M!nJfS{)QXm166XDm|i4jRT`p{Q3l6P<6k%$ zia+qg*Kjr;=T#_!6N5huVygUUwIHi!ayWvwcIBiG3YB=dzv;3VN;>WKi_+NCvkpd$ zGqnzw+rls?oDh`UDEkwu1c2mASt2_QLxtq8K;>&DA`SUu1xubB$!Hj#S){#uM$H%c z7aQ3j^Pyo`;#T$n`O2Ud)vTPtjI1ka0pW&>y6Jc{tEH;JG0?75LW8HO$ zZ*pWNZ@%WNr&koB2cv{{Ae{r;PUi~IIYb|g_mE34d^ef$#qINjOiH{GHVGS0B;(`j4ql3X5xWV z-!e` zuuDVUmdd}fT%XUQ6NGxYMJ77_Bkgy1;=RwHL#D39bKxyO(zYoJ*KXm5_*wBt)tBVw zD}d}u62Q={!;wz&jm*Kt+R*B0VSq}K-CeA2mEJGSaqAjEw6)c1KVQfd=EjIiTDY&8ryBN zXs2H%gOlfNWU!5b<$O*ljRi%LiGuwDB*Hc)Y3D!9JYPJMyXWOm6dP%eS#AzI#C0vU4uk~+Vj^vNE7 zxXg2V>@m*mcdZxZ>#S^b^Y6zV#ii)pY)055p*iRC!G0;6pjG>;;C0!bPl>}0Qrp>! 
zRYz8&HssXvf-DZ{rhnX;%@4-<>Fbxt*)LJTT6ywf00@l@6&e`p4WMDM^B64r`|<)n zz#HGz9c>I3s_gp%NbwT~OyMO1`$3sE;@h=xtG?;9^W`aEi*It7;>AHVNQBe3BjttP6TyEr3oumRd|7)&zM2dS zj~gs#_^ndzO{LeeYEX*l_0`$@qQ~Gem>d*c_Tol-1`wo^-cm;N#YW=>%G?WP2e1n1 zD1So>eKf7wO<)n37o-pG=3x7j?!fJ>19H9 z8|>Bp`t3}3vxF>FF1n-_CC961!2ZJvg`OwG$C1^{9ciUfudkK)`0LRW(qll9I18y> z>SOSshltTqQ^XV#{XOytm<)Fiq+<5J`{oW3};c4 zx!gPYzJhO*gj~~jeVVjex(-_+eVS0Mb?J~Tf+I($VzcljR{51 zt&BtDMB0rT9jJ07f46>R8=S(UrTxur{>txtTAwZhsxV=8Rdt_M&Zq4H;%HZ%dEj1DmOXa^_d6@}51K3en zomUAMVT~!2l^tvg7d1#7*4|HCNTj&Zx`^au;D9vh1?)w#H?+v8Wkw0z7;KnJ_^k@= zF1yU?qVc9t&}|mS)r>$LYucW>6+rnpj8qEa3|t+uPxep+n)}ON*q7+E@LVLGex=&z z0wEXHar654z4_ctd);k?(O5J(>g3Wwg8CFg5g#gzsrnqwU_vC-nYqbu@@HJS7mpHa1qnZAC!MqhYSQ`u^iduL-!%?7G^2k5WX z)I5t*jKBO1wCLNZ``D&5Zwgk3BF93(brumy&JSaSXH{g>O0ztJTRjA3KTU#&(p(GE zDxep%(EJ7SAROed;y_LJ2Ta(|P94CA)3ZLLf`&DPD5G#}r`L7j9W8gzfGFf~_jqJ?o&5)|^l)!0z$iDxFR2FG z9rc=IeO@Lu){Z(SWwFe==EkhP^FC!lq#nah&^x(e^zLCY1ZvBpOV@A1ckyh)Ev-cM z<#2CzxiZRAv(jyPdKJe*seVb~m(tFff-+90xJZEZ9F8#WuEsX{ACdXIo(U}vxjgG) zC9bS+pJAC(>cU4EgoBN#lL`)hP%9tE00|{KAV3#^N#=Ow)pcY_Gc6tiqX>@iR|UCq z1!3(tQhHf|YQndNsiVy3;&dwjJ#ww#RfpmoorxK^Ly%f*@TCdOm{@}%DJYLtK489a za#65?>i|a$jcmZna*{~m@Ysfr8eGY!ic-v`{D>}fam8?C?&UW`*l25MfMr{?fdU1! 
zitzmH;XOp9EFqT1D+*_oM=RKFOhhjQZY-A%Unhb{sqq{}*mFs0?uGB;`(wkr%(G(Ubm%wB~AiYCYyLcB}kHOC931Goa2bCF-qRO_?l@5e_M*86!w^Kgp^5< z%y3aOFmV&_DYspm<7*VAwEi!YM?xsB@2Ets0kt`DSaBU-WbeK?bg4+?bx?8Y{Z8V$ zgjVjhpf~A{9WR-T$X~`r7CP>~ydRu6{Po}oRN@OwD4caVIWO-Gx{^Y3B8-6U_};rs zytEXmLCszqQBJV0jDNunfZd-fzSe@{KR&>*qxr7EoPBX&h#R6v&mK1l9d$kk=q@p?;nVI6_5`KqlAn7+dsvXURz8;NR*=M=#B)-@W_Qdmy1R9H2V4SY#A$Kll(Bcpw@v4 z2!I7lPJJPVfJ}9?mEia*_P)gUr$CPTa6G3S2=|kC(ka8r^maqy!_S;c@TA13U&Q}1 z+SdRP5?>aq7s%+>9uCBHm9wg3Nw3AhB|6IF^m78X@p7lZQ$3p!<*fE5-(7F(@0nd> za1Gp~i|MBc%>Em9fYpLTsE|n;P3r|2U9Y^&-^yO=jRhsmVcBdmJSEI|=tGzAdvA>k7- z?llKy#TL+yHqeoYnJ9yiGZTmtW<|P)SF8Bu--0x)l4;ae zBl7pHo-IKk_Bv#LHsUcQBi*-fm48^1Ve&j7Nf~}4{V9_`P;K%vS_CfRL8Z(w5LUut zHhss|qtUB^!@kM&QEcdi-!d~Dw6aIU#6>6Cce};f&Q>~HT~z>ea`;G#{AcLTpR&ta zhj-!bWGDMJtzpR$vXJGrPxEIOw`HsBN$6N~L8h8BW^9(cKWauMLYqBgf)(wQJe zy)uh?a-iA#az@R#T*4o-BiSDay~p4SnEOA&2cs=q%8OHK**<^ID=e+GVEvCwl|bRJ zj{_+5a4~&abVO9b2QYX?f(m{ANu+qTIuPqDwXs~BlQR~f(1ZO~>R(m_{asklYS@5M zU%&UsTDf*|0>1~>8`FffzqHm^d!mm zqJMd8#v6Vg1E}i)K+Bl%#@@4{y%ZfVC`c#Bg!0gGwF9|pG0y#!EVdmC$6iR!svyaY z(jLc3+S-ZI$=Zs;%E>rE`@gB3%F7ngaivsi;E-_>&@!Y{g39KFfSI;gc2YqTT+g z$p?`&$XA7=Xz$X?eTAO6dAs@Dq0c#g+y%8~PUW#1++B=v8w=~x6sf7+?sE3B#|6r$ zyOhRBxZpRbq;W&J6Zh7|ZN;8{**eZEVGnaAw0kBs1J)}C@H@tX{n@`YkKch1a>LqO zZVI@!?d6~Say(o_cr6N=-GHU_mf1_d~7s;&f0WDn(PFdv;eO4@2~d z|0yGssd1In)(Vo8aN85~_Kc)?D>5QEx7Jp3$eH>bxGf(As7V6)Hm`V4U}6GD@;(+^ z;xdfnnR~XvT7*P4I9)`?vT?+D$ofM=EI1h1zoP?%SYM>Xlm#V$rV?j{Pi8^0X2Q^B z@^~_=R|?XQJQY1WHZ9C%gmMa~UP0&0v~_zg4JFLlZo^+m+lyOM_VmfrK4ny3n7doX z;2F|jL9rdD$qY0rvtmsGNsc`Gnt2}8gWxXVV^r)RR6>8oR(Br0+?5^)+@&^_x38l_ z`*%J-))f&AOSXs@sChE3xM-Htu8B1r6UcO+MUdJ`YK6$@>^qsOH8Sj0HCGpNKFSWD zye_S+Ur0*l(5ORFTb@y-DhO64Jt1H|*2+p24E7d^3ATKu38Ihr)uuGy5WIUehK=HZ z{hJw7SYW54d#SVVlZig3y;C{_(t)Iu5x;S88y`i)(NJ($LKYcMy^l73oB)W#-@4@J z>#pD@6CN~wUyVapooatH^2#CwURM<@ZH8 z=R{j=KZ;N?I#8(9>h9<}R|I{)AUOQ{tz6$oy=TUGpO;D*GA6JXFehHYS4b+>SPs5w zK+~2lf&>C|)GB%KIzX{L)J2bZCnc%X&0ruO7fF#42_gZ~>gAilieo;~GuSgj!rqP^ 
z(9P<3Abk5n?VIQM(Ivm4L^d`x#881La86%1u+C0K@IvjxeX6sYrN3DEQN?^S=n-)w zTsqxVfFcKmxWZIn?%?g-Q zJq;=51B`SlHuqW=p8g+G-yB|d^Sm83Xl&cIlg73h+qP}nZfrYg?4+@6J897HJ?-=R zw(sBPT-VOd&fIg)?9P06P5=$&S=)8+$`r!%#tM%w-S zP*^1L%E`?)Gwr_?WiH^pi0qi>XyWKxS;^xp{JfMmWkwSPB*T#g37iBLap0%{^%1}WocV9y`B0}+Qs)X28PcD7a4X@`6>TMBO;6-?Os`FQCUDsQSngdv0a4UHL2mjyMG^$l?#GoaU< zdF~1V!CI9Ko{?Wauiy+%g}?OWrK4YmbnRz7r?fw>PEB=$At%j^QzX~(3b{5q6UNX}&Yuuw`q z?v6anI=_*cgPX0V2;XBQlZvbIv%@|Bu zp^eSHx1D66mj85b*wE#94SFSRc&NHD8}xlfzv@w?MeDVIOU*?!>{r#b=2T5@SvYxs zfd#WTXXE0YA9CWb`GG&DX*7(HyzIhHYrS_vn&ODx8|+n9X~O#OcgU~vM~*IF_`$nH zT#e5ibW1@PkIor1%y#dP!`WPbKlm-{|8rmbK#mzVDsqcTzmk{FnQyUy!ZL%K;kgo@ z)(RI(*jsF?oYQZT8(&REe4Sc9)3EwyWt@f;rPs*FnxA-D zXZE|m$n$A}1=UC3G_?OY*Q3Pft#%WNeC1WNF&)S-sV52+%p`}ATxtM^M9MICI!ZLC zH*Zu81~x4lq747|QAGjd9|_33CIDg1k<`PYZZ+!LyOvU7H13NeTck}a97^G3(dJvO zfAXEt9<%<$88x+C_;9&0R^hOL^Qe~mQt7&`@N=19Bu7`;jKK0oMf&<<5+egAu~6xKP9sd8 zRT{mzlHFR6V42^l&xU=8cCf}lRX{(v=!({RtrCHS8m`6lVr=y7Vi^8;h64aGIX?r| zFvdLrFGB~F+~icMO!#9!QoTi(^B%2JH~=rZAP@@;_=p)%JKeDcZL-K>a7~^!aX!)g zg~yz5t_Ol$MIE+L@d;L~+F8PurS!78tVP)l>2@%(&Gh>LQKbYm5#uMn6HzE8&B zhvp0|i7vQnnRTPBy`%XBG;p?4(h_@ClWNb{_Y3jI74FFqJIMZFtnhYv)fdg_>-i+< z8okGJEA4n4p4dn4+rnJFcvJV7kJ`GgPCTFcU;G$yI|iJ2Qf?U}a8%b!DtZWD`+I3 zqqQ?HOP2lNjlf7jpJ{ekj7696!eKD2CR;>8?F4v*(=O)2uS1G_!9R2o%|kJBiE>(n zeQ+B^``u{6aE0ePFEeTM#a%aP&LjTWodVUB@GQ+qn>_+J4|y|#YuHL0VoGbw@ssyf zaap!#HCsbtx!M_+JOg|xT5IFHB)O~}LKZoF<}sKwtCkbU-ZqaRXZo=YMq>maybFB; zYvd(2VvYFgd8J9+(dn|n>+52BozJdH-(c+1q0h}-2maw=g@z8{xNYY5JAJ;zoO_r5`3{E z?{+TIofB++-qQ9n?@m%La?xk61;m&RLeV_NITSooK=zqv z4T_q&JgNuhSiMi+w&^}qbX()ZSN1e*OF-6jfs&{=JRoFC}Iyb^UQBLt1c=b1n%}M(~lCU>0fKEiwgBrIF8x z3Co6@HwN@lifAE}A~fJd=XT~XQqWo&7DdRBm_e(f<765?z?N-BF7D9`DVA_SFI{@{ z{pD^r4D?<^%F8vC)ZPHKy$qv|ca|+mTORbIj8iF3CAZ)$ow9z~RD`_z2w3MeC3U zo6{ywFOWr!|B3X1GcW@XY4r#!;kQT+<`fVi3;0B1X~Y`@brU_1H3j34D}^Srb*>2O z1)BnKanFeD;sclRY?I6DQZDQ%G5;;y5oy;UWZw9D=`06E11Hb~hujDsMkw(FFenL! 
z!zT%}gS;;;rR8dtt`vYvhyT>kfelvld+iM{8f(DXE~X%JMmhyo)IN;`_lI}8cF#Cm z!rSxn9uk)6s2@vRr5OiF>8GOlCXgRi3SSpKb!BX9c7M_6I7!Lcht;=%;%4-61Z%@A zw;E}#rsk6-ca62HEavRqlqIT~iVcP_Tz8tvPe3K{PlWC6ME~S!2N^ON1v!;L2)tf) z;5KOdcG#nd5L5icNHV}*WFt$#in#4czX>*GfW^|xl%3xT`SUhr_pDTxIZZ%li)nFT zT^Cf*HJ8LuCJasv{&02c2s-lm2pNl<{-X>B#a7V|Qy;w&!un640dB1Day2RC&3oW&a=vvDS2+vA=q&iOS-#0r#J1=u~#o^1`KyKCp|$FE2>=0kU?@5 zLt1xM#^Hhk7DSSVd_RaQDK8jU~ zB`rQHqb#eMxqE9o=Y}^BcVG`U=@99-431Y7JC?|ji*`k5AwL%xT}QKp>Isl&%2bT~Mve+eLoF1=;LfIYzyn-uClgH~Mn!ejUmW;iLhKPTW&aG_JzNaMFB}@b^&57KyNQVQFOe1`U{Z4!^kP~jF z12m&N)w(f`b^~z9e}j*5KLWQYlYwcu{-zP)Y^aPEcOkHct}(^%TEF9Kg&Buier%{? z4IfMRh@^i0U>!Lp*QbgWnygZ0)}sXDXtLAk-bUl=nv;ew>;yZ#r z2um6YIx39EK{h-b?}=`yj{*U4f&(fJ;XXmM7EI7@_kAOe5Ju9V&s#3)>nsXf*NF@+ z#EJZ0e^pXE#x;8KDmQ^F6QO&=>OvY+Yh7ZP%%_YtMex$n?VH!qbkCOEnl<743* z{ZK?xPt8&LQ8hSaU*bTHlbs21Y)Fa|>GE`cS=i~#&d4;9wHGxsJH7Z@UCZ~DrmYW(GfgO8Y9l*6=)O1%6HxM#QqGy6=BgmwpJzVL2!`B8=t4_v zh38ikl(u&Jpuh>a!MEwc6FPXZeqZDU$`WSg1-=9lbu=@xG?BzQ1A-}<*b6&Em?X@K z!6{Q=4@K1U6tOj!vDuD8Ei4n|0gmbA1c#B$?j&_j8#3^TUo)`SdFmr~i*ollH!yX= z!3q55pgg?{Fq7#~z3CPV?g8-xS!L^{jM{3F>_8mtBwc)+9Un9w3F96X@d#?bfUaQ0 z>ym;M!978X@VCZZjt=YombYNVu*y_TY`AgHN)OSL2fNwHpCsZa-0C)kLOqP!rbs47 z+iBT>hAuI{4N{yF>br+Q9y!OE%zR`&Oc`&Oh99(SJb7lo8&pv(X_1D{<^K!r2J!t2 z0538zE$=moCl=sVYE$=N*$(0CAZs~ZP(RJq<@3>%Dx;+l+aI)lk3z~f>?@L~`Jkv| z12*xq&T~ClVU_L(^Fd^CXA8ei-wO9C=Ckk|_@=9-f%h<;T4FbHZ?+XDHNj8k70Ek5gz<$wn= z3q^fy81c(L+k6Nm^qMpZno2w&Z48TE$#+T-mX|?1mMKyL%G;==?Kx{K5v1Q$PQB=4Hm7%XT zL%C9yT>Ca}qEsv#-Hx^IG3=#I?k1NOK!-n$7cX~q)o6NuHZMn=WQX`+6ffQ4)9jHsfaOa2F~YOskl4e@QjZXE{Fb;evoQYd z=vj6MR}`i_FKWTjetmK1MU$ z)>9$Tw0)vzmu9U9))Uea#I(!G9!6xHE-Zvw4RrpS<}@3r){vzwd3DcSPVYQ)G#|aY zx&-JS6pxTJABb)5OEKJyU$1tTiK+faLk;fxYsFld9?Z&n&F+au#gy7YysS##+Ru-) zWuwWkr?sNYRr5d4b2mHfxv%UNDv|NhMhZ4{sv#D+!-;K|n|)|@5ER?$bvEAZGyBA9 z^g9iQeU65;0;LJ&Q!3UR;(AMH=Zr{fRB29|wY5DbQwcj97&uNRFc=u-+V-0Zb<2OIli~9n*wZSoDr~ewqGLt3FFyShEQrcA_2bqJ`Y~R{MVx*c=8| 
zW5h7W1_wQ>%O>!^hwTO7!8@i7X?1H~?Y`pwQ>A|Y6Q3*72f*ozv1o9YUJ<6Ngm*Eyo_AltaX45cecjcUh$LnPS^G`Ig%VO7yVm39BSd z1m$qiAV`BbPpK2xBcmW&k3Tv5BOSv^|Bq$OhL>Os5w<6C3M;{?33d~2WG;S@*vkSSIMuc#r}l#--@xTl!*7;=*{S#gf3i?ktkX;AMVNp#bv z|BnD*4_&tvl~KkEJDGt8T~S+u zaI*%?6YHy)`eGh1yI_5_aUtO{d}WC$QAoLLa&s&t>qB*)4xWZqyGt3Nw=|oN(Sd1kdV@kqgM)fFVde&{lT)Tg` zorkkqa?L-%!ta*R**FVYUYokaZW(SsL9oZrKZ`v8X6ZU)TyDjQtAJOI<{VK+#Ze!@ zcdlBA^u-pUVjVs#c^4+{WQI=t#4HNI8c@hEteTg97D4vk;@m<~+vZ)9B$!xA>9nHq zbBwC?H!MsiHnd9kF@c%al?FcmJPsLMihIBlgpujN?(Z1&&rUKih8O{MA_|~q?2HM9 zEL+XE)A%!eOz)5tks4JHAer-0;J3if4@uU)ZtM?L@t4IO+QW&zEyC;+2pvum1F5^^ zMbt=Q81`_Oz5p79zWAqGsfB&tMVLEBC_uO&;)pTxaBvD?%n$|KT>-)i`YrA3dk*-K zY6F1QJO*k z6Z^mz70ejJ4Z*}8m&vozTD>4l&@ivkRJfE0SiOkqR%G<9sT8|e6^9q^`Z##kZs}WT z4S6|$I6%_r&nWr+Yv!HsoDmN&|1X2=$dKt&@FgCLjPMd1f?kIHboQGui%0k$CXQzc z;$aR(vWgFyRrdZ62R5nuP;_VNusYB`5V{SW^nw?@%R+jhu&duG*7r;5pPSJFU&T|5>#q%7u%OPY0RaP0-ePuPqW>_>=iNvazyx&l2;52;2IarAZ9iZxPr`^fB9r70c1 zLI={1shquY09C}risM`5f5>`tjr`1@hpGKO14i{HH}oJ@I+5BG_gMtluSD8F_^w1` zqY|E~eWAqRD-5UP$}3czBfY2lJnO#p%C^RQV=NDqp@1azh5S;X*|f^{#x4WpUj(A> zH&e7_lCdc7-PaZED=c={mfU2MVs_Y_lTB#nPvX17g_)?@BBA(-E4LTK3JvXh2~J^w zumGGr@h}1Pi|Ej9X%R=Zr}C>`RX?k`g01TL%4#D!_xz8Z?w-mWvx_qJ?73JIo~UXs zTQ9;?o)NQE1zX9o%b#hV*r`I?Ca7ROw-$6+kY;XT8+-l&VFMbt$< z>!W*pRJ=U)!Lo&8-p%RoI#(wg?t$;0hX^Kqi2p)yuPzE+ zYlmdl3LdsItjE7&oe zSr=+KD$$OkT}VzXsK^ymQp%I$-olWRwfq%$+X~0Iu(>1Ifq^{Wx(E1-O2-S7ZX62Q zgM`s5ZY7-QtugK3#8Ok*SdMHs)oj~2JS;r4oU;3|VRQ1Ue)EwXI50W63B3koK?#tOo(1voJty8ive|3I_`13c3sQC|rFqBK7I&_BESoVL8@+p2{@C>g$POFZ$9%~D{ma?5JO&JXeKbP!`OXh@j zqXV8Kgf*g&J-@bV)0h|RnrFn{d|zhSxy}5}+k$B+c-g6nND8O97IxRGpf>l?!D53U z)Bhj$dijNB&$8A8dlH`WWFgXS43~o|ax?9Tlht+)^MlseDy7I^GJ#at4JY+5=o2Mr z^VD2asLyFfyUjxZpx$e5cZin!U%eO46vOdM#>6I?Rcj26Y5T#$m6;>=?h;Yaq*Uov zuewv|CUgMv(V-=+ragMcroS*)J>r?*#H9h1hhCLsAE~6(=LM4RLn+;?(EKw^)9-;q zb?fY#bPD!7Ujb7%b7(Wd!r6vrE!{W{EIfo#amLKXQ2+P??pRQ3mgx)I8tPiyC6;1~ zE)QoEsqS}$y`9o3Q-13Lwp%{`DpNt+(1;a;M{zHdU%FSecJpX|4eExyUtZIe$-=U{ 
zw=sYbsfjh&GMw#!fYYaE6`9f0ydTJTo1xHs9EN}5gx|fgIe>;+EFRFUp8r77vqQd; zKyL|&qg<)KKfuN<4m*Fjt;RrQQKEbyC{c%)gKm(h&5^yg16F+!PVXK!14j2JkMM}I zmDpxtl=6NLME+$Uk(d-t@^bEfh0+5utCm06AFegUzyGX%4pJnjc-Y6dn}v8-8??_e z>BZMzetH6b>d6rwDe0)Cu|2Cuo$Z#WFI>%@KEk@7r=^J*zMnDH8wctTtFpfo8~PRp zs+@q&ruPlB0@^+4$n65J&NVBUl@-d+xO1kG2GG%%Foea8*EZL0t}?}6vC0zOI_16V zW-e&9+a7e_FXe@H!y@Onb{Cg}Rig5bu&iN;R(K?ut0=(^HHF2u0uTW>_m~zKCo`1? zg#J9X%+V^V$|cr~BaRx6#8O zI+YO>mSM%{SdNb>EnDxXIkCtc6>5l9si<{#uiNch;rSSwdy~zHL@u}pjR>D2wWkc( z9!$+&9p~ZAA8#_jE^W}(QWLtYQ6Vz{mX-yIDU(%*EwzCasM!}aZ8=_U+KqeyPE~0b z2R>G9XaYgxXtk57pj(6p9gg!O_W~sc7GA~B%odrSIH(V1FG8_>Z(MyVqO0fQJ%4u~ zKJ1(ZdYe1J#ej>+=<<_-vtr@;5Aon&l-=0Z z>Q8KBu<9)yGhD$Hqx#Y_!bK@gMpH?VLLqiHDQra;Z5+*(9sbscXRvFcOZ{(+#)hGIO=|H&AYJkf&O7p^n@(9+i6(rFM0QTZp+>9+KY?GjrDG0QYMv{|? zNIwa(WC|Az`qriz(I5K{(-z;$u-B@R8HC#bo8(M&Mw}D zmtgH^D>Vmed1&TXJJJxg`e2CVVW7Qit$qb}CB_V){FlsphA@Z_dH`)`dO|kQEva>E ziJ%HHF}cpi^!ISf=4Rjzb04}L81>$@pB#+pDG3rWmuAWlj={bq5ov~@gd_ZCBA0p? zLE_{>VZ~TcmwF_@0B+rt-Rb%*;d5M(;BkGmr)?{kJ6w~$(SE`QG1z`euRHWZEwF_I z-yxp^V|Nn-J}I0+|8sxCHDkB8#|GYtnXFR}*8qC+>NqE4ntGGT2A;7evsr0-a71^( z5QxmY>{&}eSr4IUnsCzq@yA11XG!wK0hKsy3q3)fuJ(9h{jI!2prJMAi#GU)c?k31 z{f;S(S{gR;f)p7M1^4<))pW=$$Xq?UZ%q@;*w0 z8M#xTUS${O^A2LpQJl6<;_2dw&ncer(JvT^lA|J@Lvl_;ylG;V7Ul$_E*X%ux;vVK zvPkzYI0t`g60$s73`vQyqMQKdVWWp&;lFxW#g_rws%&$l_P|>W=Pozg4_YrO#;Q#LW@6(9suPUg6^LYVM%(Ir48G z6jH>GhOh0Dc%b_wCjT>KXbjP>v!g};K0c?XPoil~#ctXDnuvk1wY0b~^@xBk4}~2@ zr!!xxOi2c71&X1}U3a|5p|3^=fv3vEjOeG(2gNV44HIKot^&pgIeJs6h%7ElWGXf@ zztdE$Y*ZhT&K0EbsYKD{YkuofNBZ|#@?ZL!NJ`qyvjWC4V=NS_+goTq(;ZeFy}hiy z^5mqUMUV$+qQtqEO_W@VysGzsOLk=b{0WKQ9Qz4MeIT(}j(ltS1j|m!8T{bPjHh(6S^az|8A{J6&!M;R9T7a>ZxVDO6)ZxjIJri2R#pEWrUbD6LS1jE^JNG8n*yn`b%)LVg% zZTRBJK7Ux_DYWp_qsR-@>$5z?7M`(R5^=@l)zZX6b!A16w4@9T(L3wGgn!EJF~i5q zSo3ND9aV+bs#^E^4_Dthf=P(=nkSI?)4Uzar^~{tkB?=~C9;-yQklCNy^^X9k_H&4 zN2wNEO{EjXP{%@|()qIb^z5c)AcT>9l*Da>LS=U=Yu}d;2m}H@m=fl|mChIaVUx+E zTT+nT@w2dT{M!MVqd6{a_UO$&KO|oNnk!Zp7-i2DQoO1#z;{Yutf5v_7?9f)KV^hd>YW626en9 
z9Gy&X#SFY;lL0oKFKo)rMtJd&Q3pPJd$N4PMR0VMG^T$B{Uta=3pAn9iBU}@DN_%c zT|Ea%jFB&}SCaVs&a8iDcq^w~=1j8PRov>G!!vV^LC_22s4t9l^FL7;ZWGG%wbu>T1Km#EaRvPZsvWn1Bjiwul$6pMvo|+R zG9lb&DrWnhQC6fu&@xGru5sEvC?I$L{2a4EQbex^#oVmx>&f2g+eJ|6&_33Eg52?O zE2ne*uGu1O)yx$$p~yRk9$uBF-pCG3yMpy5X!ccBOtVYr9h{-m`;6TG$h~+WsT;PF zwJn)nmv9sgCEP@wG$R-X%{GC`D9%{y$bqc`RZLgGJY0&Ct}1HwM^$QG&CbFx^#Ta% zN-c?Q*_mGbjb=CG%}a-_80N|_{Pz9Vm^I(^5wZLCYHIwoSh(lBVvUKor5?1~uVMPv z1i1`$c*blx$2o_Ip>C?ur;WxtrOMZ*=Mi_F>`QTsBC(Y1x6XXZB0SC=)zTXZ*`<~T zZU?P%E#Q(aTR8B~-=uXfO_IQXE-Nc`7GRYp{Hf3(ewlXFgzSv;07rd6GXf7(s+~`@ zw>j3A>CJyrHydRm(vIhET5DQN&-T5(cyGMBCar5K)=Rhz@7&5kF(a0 z^cbrW`dn6)g4+f`-pVcgcvaEV+>nvHVud$rIsFm;O0PBW$xn}?NO@J*xN-AD9b917 zN@wf1OUVIYvZE7v+jL^`RAVxV$v>%C?@CQ$wB}-cklIRZ52W`aDkbz9`JidlMd?mY zk7P3l#xLU@<-35;mepa^%jdsx^Z4eZH|ume3uR?WhA>MMm42>?!9Lhy5-7MwmgGCLvpXH zLhfRiZ3yr8Igt2j4IcHhfOWgKoNupkO$odm(y$E1tqPpC3ug6kzRz{lMsDks_=};J z--06sqnHrfHI{dAVoj21wu9qn z-+nms6OZ2>7KF3U64_MUpXMa=ePOCyxt;_MYu63LvQ8#G98xzdmpXn{Fp|M4=mePO z;;L%gkX)rU)D!r!$FQ5q1u)dsW?4Df6rUyH&Vaoz!m#(`aFW0(37X(;AqoDX^(i>6WE^b>Wxw#_8SM_kTdpZN`a2gptssK=YCAxZ$1 z7A*zU)Eub|CSsmHI)f@Q?uZc%s9+W;)j>-Gvnbu39@MX(0$8v7(^zW?B!lxt$JIpp z>6BF8v`4>dN4n>uR=l0|E(mOPXHR%F0g&v)>ykN#lUk1ZN}yn+ zdPITIA;DE$uqN5MNZy zovrvfkFVh0V+T=y(5bM710T#K_-%>k02;j37dl?zK>K8px~gTvavXU7%KjzR0ps<- zl|nr)GoEitsO9*{VgnZy1AS<2O^^u;PbZTYO14$;>RF4Vj!bLjou<(UTS6zm?!ts( zL!be1*<%If)37=*h-sB#_2*dTQXaVUtpkdoNM!JP@^7!g>4S#@Hi$6|`Tsk4^|)3T z)9C6U^-;7*a44yiCj7pl!}C$QGa8}eA7?#`ncfu+ zT(7@4fQb3_W!jbEZbdG5)$JV2kP(ANlpfJ+q-@paC9}oZuT9ST$W9*Dlvv=r8 zW8*cw0@hzfL-iI`i2p4LoUFY4$;cJ?h8J!~(e^y+s%l2zYDTF-1-ka!8Cr^ zh>2pf3vi*r{3`iO`x$&ZPd3v6;0Z5=a1=$ApDI;g66cyW<&TbQeWO{pm`u-*xnq_f-`agV}Kpi+!IYG~9VhJFw zS2{8OxZi{h6wyLUF&~<(1bm2wESc`sI!2s>=r2_%Mx^Y5iI1)kH3C?KNFlV1ZIt-D zGXuqr$1~${CmwAg|L3FXugNaoBfd~I_&qr;IsI5Rs@spgvss(q&e+ka^@5_QuZG7p zEXPvb560OA%58`6k(LnR8lp=M$S^@2z6Xz(&-M6vtL?grXs~bc7Ru==&7ArC^GH3u zZR%%#MiAMlBM)+hfn_1;#gw2_N?v&T^9ORCM7O7qS%zdtFH()Nj2^g%zj~Sn-uP>e 
zq5QQbz6euDF-D2T-$+lxqAl7qq^eY<3_ZWo1MQ&~BRk;y@!?*O`o)&zZJ>m35>Ga| zYDf9cQHHdp1}V)%LFJ4WYrq!hejS~u;Vj-!J5}~r)sF{Djw7Z z!F$P}s3>PL{SjqP^UuT#R*lsxyjW8JCg##=9A2cjv)YxP^*1fOM|cjl z3$GA~GFi3v$mM6`dt`dTrdm3pR&-mFx7XGxmuMW&QiMTv>pAOpcwYRFXpdj*eCVW^ zbJR0?U#8ljM>}IWZZ^6nGL(oVL_ka1!yZF&?oWV1;iVpqJCVnPqYII2fsD?J0+g zk`*$7_r~pZpDeP{Ec|f{G;RmxoplMGvza1Y6d-)GunEeHrZI3kk^*^fC7-b*yS>d9 zD5vd_dfj~@;Q4&pcr~Lqhk%XBA1S&pG(kuHguZBK`uJ8it+mcCl8!?1adNm{%LG+} z@j|2F;nat~v(#ds3@~Sto^^WEDUnJakAKlrB_;^uD8izo8-mKx{EdU^R;^KLF*Rf< z0NaOKpm8@oZCBSj#=CUTW5{vOIkd{vr#v(5O!`#PelK04`S@JB*`M%IH7331g?j7S z=B(r0`u2?Fa4Zn)W-mY2ql!=1*W>HG%JMpmI9tPQU{7COfYWtcUcJGUb-CokXzfz1 znfq0hw<}ebaBu6E$J`N2W_LThO-WDi04+`j8Q(fHF_z^u)^9gxjz9Z+-CoggZKMUd zg?83O3zP&zr&I+4(U%*mKg5&Cm)6ry(x#m=3eeW+HQkS%6!`5`OcwezP zf;6dQ>b_L-YR$(synO#uuDnmVHb^RjC$?F0am6e3R%ugd61kCn|3$2{iyg_?t~uj5 zXi@~%viU#B6^=;nU~?1h&66~I$E3Ykr*N=$_?@MJ7rbr0fLs1VumDL3=`$2Kb&tn) zs};6|W95+lCu`mz(>JaztkPl)f+Lv}X;$|wSo#Hp>Q#(SNx$Syei7h}P|i{+*t1)l zrUcACl}{ytQex?GE%fn)MEQx6^sJbbKR$gQ&4?2H%~Gs!S_7gkMG+5*Ilo4!ZrIRN zJUT3bF>YIHj{Q3K*=UsSeylQM|47SibW@hV9O5Q9^z-YVV+58vyZHnfkrC`aqLxBZ z)>mpsFAJ2<1_6eX^N&{h*cYw?(Z&JyCgc`Z2O`m5gL-n%=H!@A)k?5IBVNEt za}TMobff|4vG6a%*3N3XG%K#E(K zJ|uirXZKN+2HTC){GM&M-*#T~`X6WDF@MAZm1G$PI4p{h8j*+-qj{La4pt!-&$96^ zhRm~qiZIG@{gnrnXZ32Ag|*syACy+W@%a585wa(m%Y-ntl) zd_Ly+S-9nS8X_ljLhTK@9J*z{JWfPrvF|_+XQQNxhX+|zXZk{cK>@qUaqK*`GfGbgv!s4UrPvJwDPUVv%ac{*AVRKLs{_UfXy;BWbO`EqYI zbYY4@dK}l=m=2~r2kLA;8h{S&k@+=7FtjrjbAiq#r=Jbu7hpNQ6-vi)eUqFntSo*W zuXu3I1?xPCm~mxytA}5p<>aXG>3lo5mkHf*`ZbP^7o*9WX8!z{@s_OL4uR}jl`P-- zf#_BaxXmF@h|ui3n6HThWnD<&f6Tb=IV8}%-xr%i35HPofF*pEViXBYB!0M$>a&^x ziGy%buwal*5?CImzHUI`*x!Re6QUzdPOOkHF8}0I?c7^6aTC~jS@G0`#+Q`*{(QOQ zN=}a&F@)<#-|a1sVvLOAT4WOo4^pYG`o|c!Muu^N`ir1|Qx~20KiMnPl~?u(_~bF| zGI9#SgD9vvV-U*eQ|&KOhHed{DN{Vc%0$B4hBaEKL4YKqGY#BO6L#jITZW7s7#@OH z?4h>dV(F9XO!=4x0=G+zV^GKy$X8N{DEeoA?NkHW!H$7Yy|BeT$tdQeYN$PqRQq&N zpe=d=R9>oFV@E}8mAV0rfq(URSU%p`yKi9=XW{RVOv)*)z0_gRc61;L)5Ic|F4m5k 
zzt#0~kFSKc$AQUcN0=v=*h5)$lDDD~k@wI3+Nt`qgNYrW{6~_@@Czk+(sjcUf{Uiq z5laa7bSM?+6jft@CaU`oIsazTjtjvH zzAx3Ut$;7_n6sCYA4wZebmaXmGA$}I+EC#zOF{nlG1d1itRl%>Wm`ZeEb2y*ghoO{ z>&gDWxXyixxR;Un??TKA#%byftR|vO{OMx}Oa;}^?O0&j}-7Qi2aC=0=Pq>BP0?fWa4biSVFj358Zd{`gvMn zv=@1|xjmkT_!(STqP+hli0O`W#PJCg5+voH96&db#Ph3Pz&p+om6GDLREVcWgdoJs zO4qVIkJW@&%zObw2=8N~R%bgGV=7EME_EDtAN6rD8JI{noxX@lzX%&0EmXWm&V)tk z-WAlpN^Fw#!0brSnW&bhm0xW81|fPTztkDnX#_O8P3yJ)GO>3RSHJE~p3AG9hpHDW z02ZLy{#nM9wR3JjUYUFngQ_V+X8Ly`Y))}{Iu3Z|cX4g9RGxGYen!@to^yI@$;0cAQfh5Y%g{rjb zNT=;HI@dqt>oltU0{cDMY8SwKT@OpJX{mmE9J&5N4^F!HG>tL2wzlSKyVd;?;)Yd1 zUpkp{*U0Ma|C=*w%IT)%Ukbp)Y_iE?Z#rx9$T=Td1+}bWqC0# z_#WxJKi~ua0gl3TP-#X0W#z}y6iU8|m3?eOlt5#xe`xUR^P0;V919IyFYf83_ zU*n^_AF1o>9^DEV%3eB|?HJGc{m*9C#8!hjyK;DDd8VA1`FvhxUWNO6W0QdR0x0Yo zBFHQ05+j21(PneI#=YX*71B^7;s^n=P2vA;lKI4VTg-#?>G$IE39sL(GnvCLcGRk{ zITezWM6Ddc3UKE)Cfg>lF8P1g4XV!UT8RgDVv_v0nc`7J)QY8z1SqnR(V{#BMt8X= z6Pd(C5Hp5yb)EV}kGAa~sQy$ynUA!Sh-)1a8$T&!OyJQILj04`k^wbtw>B*qh4IzJ)dfHNKH)5WwDf^F^=sc5G<_q;ODsvm=6?%6BWOD2^;a!8BBn+5FA z{>33Q8M=PW*@_#q`rw9{0VJEe>X&j!f2R{k@E;-vWYc)so10t~eJmt6K<@PWHHfDP z{3fdI&Xl^;M-`dmn_vBpbUZ3_KA=7nP5oZ5<|m(b1h|r^Vfcp;wW(xDSMZG`_yfQu z=jCnRwBl+_EdGd%O+qI4xJR{VtNf$IhiO9AON>2p@XR|5_`*~A}vEw>kNEj1X z_7}pjeKgskQ>>Gv`=u`XFE(;z_3pZ_GF_!|;(Fh&@VYAKCM0xMg^guTY?Q*VaF#pa zy@v|oQ!5FV?%N*ygUGVP^1qx;MW2|zMYc~e(d}?3(yt7WW~t34Q0gHJB&ZgO#03Y~ zBZkuK*G6W30*1~n4149bOC^>v2bn=b zlaeifz30kK1LDfFh`Z+yR+Y`|_2g-e_?iV>L54g@zc~`9AW1DKJVT)7P%p zS69fz-Oyz{L>wX8Y}I10;)oS0N!vuOsLZV=;K*PB*b}z$+ z3g%j49XGFwt2>cT^VjVEW9loT;%b_1A-KD{yF(ZV?(PIhuwX%hySoS1!QI{69fAge zdvJHV^CaI(?yp{J)|u7ab*ig&Rqg7tl}LheJMQ(2vS{Nv+31|(x%J!c({q4ml;$>= z_zDL6r=m;`65$s5Px5+YE;KiY=weBaj@(Bv6ub4%Y%MGbD@B#TQ$u6}+I5wy&Sn_t zp0#MOrpX&XvTN`R0(njQpg;1C6lVc_Lurtl$NbRndqvL5>B31Sj-QPb8wF|q>|_9o z(bai7rM>~MFWQmI#C8|U09&Y-@$$qfNHpx9VfAD7$E+MLpq|7+am$H#NKqF$_CFjMMqvg7NiRZiFZ_vE0b-<2Z1P|vF__RlI=HkW!1h& zV}l(NeZAJT9|s*CQqw@y)6>Q_EN`dR^IrxNFaVWX($n21fI9P}BO{*77C_J2>sA*D 
zfA)Zu(G>Uj-u6bJ;M~t8?v8H&e^2aBj;78fv?W!C=t67i9AmHl1nf#hye)jVIsvsx0TB*tBb+luy+jv*naVA*06 zL=?XHuXO(z6-$W8z^`D5pySvTEi}9h>g8$x?C=^E0I#j?J!<382XQ^VgGF0 zXXeCZ3(AYnUnlm_IqG!o&7Y=OXWOkb1l9n*!^5;5@~~>|0+uUpv6jxCH*5p4N>!Ym zzewF)5+ds;mNX6BPaIdC>XjCq8JwTs+$-LPK40AS9}?^x7T&I$oLIda4(cTyaCtx9 zFm-alAQL|1tujG-n#}*8`IQ2C3tP~(Tu83JPk&o^#*={!#CUL6*1WsPRxE#-x%*cC z%UK<*t{eB~k{rNbQa5%%s(rAla;Dpsro2Y}|1homg>1H=oBX>Ws3LJ+h^;bR?IjED0oKK_}X=X8wFe3MaB^bcE9*YmSU^dC+8Q{XR zBvM3A6NV_YVI=*p?Eh{`+@;WMF~RpYeA{L0QW^xBI;$#&nmLzBdPT(*d|s4NrT(X@ zdN<)xhSPL~-nv$aUtWl2bRB8l-{wp59rLM&-N5~i`y~>xelN1xe-&a=zChZ@?#9OG z|6|9#x=72_=?wsW0Smfzr8k1QQ*;85?@CbZUI^Vxt|C`M$Z`D!@$L_Q?3yc zQ(E53{}Ci~D8t>j!01Frn;rx@%&SuV=nk%`MA%g3QsZ2&U{E?LUP;Q+?W@@{3dW{W!9BhfCc?-$^ku3%F!_W(c&8iB5% z4@_EKC8P>DTpb-8Y*E=~C_sc>Bc8W&Xt@W+#d;Ed9$Y`XpPD;8eBPi9hDG`OLf)8z z!g=xF*lZnTH7GiCr!35&L%2U}LU?lPMZbKTED*N$R;!ZL3Ez|l)-=K0eGI@tOgVL^_>^mX7i)mmFgI5YDm|+I?ugX~g zi|3fZZmW6VRP3g)1^`lc666@Rg(iIiRAWZ@=ZNB5Vw-6Sg)g<&%H;nvw#*wXrdZc0 z|GJWtou#>b@j)$U(rY?v@O(=i-o-?4xQK0xhWG0yLj5V5yDeIT-$H_z(V3N2T()%H zTaN9_282HdPh0#cZU?{MDqSV500d8d?(h@3$5op$c%QEfqd889G3iD8%G5bL3h=o= z(Satt3vP3|NuBrQu(>#=dk`Z~G+}?Rh1bz^CQ)^CD{M6+6D-*ba1YY-`C^1>mr3=OlE4MQc zrG&9s7_VgU!b>>6KpD}E)i92HrohP|cn=MFs{d~d06ThGS*RtEEFa`cqK|M@E?U0H zdk?5XWMQ0L#*aP8YGj!&B;iq?6uKy{a?3L~OcPaql%-i-=a z9+fI-CfLHH&!gn4+SE##X~V4>*sU)e?A1Tes%vMk~mQ*NKJOpl)XRH3LORV-1eaFaD9bUitwMD)QH~Q|Up#c*-Ps=SIcE54LUA;zN z&ifCs%uJHElV`~tW^)o7ZXI|Mt|5-TmU>GG}aUdO6~?HCKik&Ye(mBcq+L~dn#=OgTfAeBT*a5JhEow3n2}=^jh|b4qPSv~{$u*K%vb8~x;VO4 zLLowl!6~U@2ok;4YZj2mK}FiGnh;6G$k>HFW4zW-*V2hzU$Hj;Z*K~)qY-ZApG-HJ zGV4jl^p|RmgCs?nuq_-&Ehqdc@`+XANLw9G6{wdN?q#ETD=?9o*)qrrp4T!v%@1Jt zt<#Ti5F~%nJ;ncB=$218zzi#&5j7`Z`g|H-y-_p5vRr~Le4IE`izIpbmbnw+{UQ5~<;mdoo1L|0u~p{C zq7}gIV4>HSzr=n)x5gCdC_DYXI*QKM=R;xk=J2eo8pcUo>4t)Lg;tSm&h!@TL1>>PZrJEYz_tkC zjW@Oo@N41o+tn({Ar2l~4S-Y>u9x@~)1<3y_DyE@$+rzXqRFhm*%E?k>1NYi)u~=D zO%T#&zpd>wJhiB^Xc32{HFZ*_JnmY;3q5U+=J&%HoTo01dxs=+3P4f(`U!Ym7DN9> 
zPw-i~BZGToiNRU00!hS-H*2I^;1Ft?OahC{2ULj@&9p+Z*)&5*SL?fM-L{`Z%MqkT44r_i_$XfzjHDB|EaCqt~W&_%AJte zqzFMOW1dAP(9QM@Z$_VsXb)9xPKO^1U2+&*Lk$|gsroGc3vALk9N3oYNw#(_am4KP z-m<99qXu(u4g^?kO@5g={KBb?1UkKT8`?K(eRpAjsaXnX{(0!HR|Cx!sjZPsw(G@E z1dyVRlRqVDC`hA)kFtP^4t0%?_{vg>b6EiD8;iJPd--qCaF@ z7!lyV_vfFgOApkNzyFvyjg$rqdW$I)2-sKz0z>&G%``+Fsj_8N zVhSO#r44lZU`p)O!4>cKM_RI*N@3qc=>)*@`>b&b@D#O(93ZAlc@OM;MexZ zzN6Pt+0sJ2od8B2KNSzZ0+#}+$~={#LpoXXByXks+}oTb6r9&I57okQTSt%lr5D}C zV`asWl55=r4ljpagI2Dc-x?0Rix9@3dz-OJ?Dr5&#>=z*)L8WajhkD`VTv{k+g2v8-cTgg;9Ts1UapB5~3Q8!gdxmc9+PN6^`+LgzQQwRJiyE&-tbJNsoF2aPt)3>zBQ#2KegtrUeD~zSIJ~ zf_yV-8nM)~*QRpfpW)KJJugf&&n=b-dT_Nu7K#@w0qsM%SpUA!r1h?l?+_FM;1R#6 z?6GHcp;Bg567R{4I$*y{GK|tPMH|Bt;{K~_CPnz5WsbSb2JU5kKMs^=rVgCua5KCa zf$9q>b_<_5x;lTYP}#{I?dO%j7o!2ucW3| zbbHS^Qk`mxQ6Hve<6hcrv9GIy3lmw=Na)+2BelQo9~jkNOtq{c8e8cXR?HdKL|ofg z12p7Cx=4}c21xksc7n%z4-q@k)C zf%$vlY&B2*Gk`aLk9{D)8Kp=qc;NI-qQyc`wE`)%gPTr0+|JC+{J0F7GNH}Ce=7WSW)+dPKtxquVeyFX8~Jp0_%-p0M_A}jp4 zgjEv9OKr8ltFegyP@#^UQ2uoJvFj3F6fd+jIk$y=v7$%1F>i8QcpEyvxzRja;kn+f zVn_T`nI97!z06=aR> zcz3~O7hBw)-*9pfHDQ`4wzn)=nM>7tqc;jjV1>CrAo#(c)T79J4CQ{*ASe2^+^%V!54F+u4|9&fbxArz2vlq1*MhSj2Uh_ymW3wLGSM< zl9MH7ab5yXi^vT0D&$c>nfM2pt>C_oKtE9XOtqylwj-rvRelIX7J|yaN|uRMEVUMH zp*mq&qHYJs8dYNzt}Fc|ulCQQLG8r_e#|8JR9UqA09;KrWUy_Aw`r9ah<)b+Y|fTc z`;6n=oLdOAXdi+(9HEIT1)qx(&Pr7n#pRdD_nPcH+%E%;osg9c3l-t-5YQrcx^tB2 zXVMR4=w3X;E1#*Ep`*XECc>TY+#^WvE4Ao;5(B(0l9s~9(R7(E3#_Y2 zMwV6_NM;Sa@e3<6@)c0)bbkGwB2aae%NlO*o^U8$FhDXyN!l;r&HcWEz!!YFK7-32 zHDUFS;;N(0_z~d#ULQ9Ei6n;<;}Zu>wkmTZa71Nu^R?j|l}L6z&*Q$<%2C|5x3hTaoW(IUXy zxF7g%6)hP|u_zcjKhMRKzO$8frBX9qw#v`5GV@UrXPM;A)sGi(MN#HIYY|fUscBZ1 z+ihQdDiiMHp8hzRr|RpsH4vgSSJr!%+96OipitNd>?>QRKZ*x!G&$e?Cr+DAQknNf zLt&Mp%d!EN%T+6fSXr^r0#8^wZPavFD6Nc^rYZR76KkCPQ`aS5C;c|(8gBJFLYucB ztTu$}-Dijzurqs#c`mHL%qar7dL*yaBZCt zRA@H2E#zb$Z(CjITBaGnj5Zm^OMFI+%`=Psp~#Q;!0{WfQgKaV*qQ#2u(Ne3{6l@R zQu+N#LrkVlaapJLZ;AA?eXl)t^*qZf&EF7bKj`k2>jy80chAg;)XHU@N3&4OEorp5 zUWj4L?epsPe5XRh24#RS$Q7Hu#icCijf#7}zn5@cG_MqN_4ZPzUpC!%#LQMrsf~i` 
ztOv34JtRD3%0>Nds|oY8rw#%Oj(iLK82O^~w|p37pO(*D8hle0-aIpoJZfbs^( z^FGc#5UbtlKHQGi-qR6)E`tjnpJ5K>O#lNAf-2ew9@{MOxo0NSg=;c)AkCoD?(qXy z@bJG~`$Xwq_%NxW)kkpQV-0C+H=6)P zy3N!;W$jwdbCKPjX6Yj3&bleC+hBz^Z_5}Hqc9h2qUGP_kQ1wuObIzaHYbn0)qr!( zO3t#(9i*Axth?$-_g*A?K{{yZcus2V?c~Y1BxJwtZuTmn*z+(Nzs~&wTO|QMN!CAm z3)wtdZzNiyOO{oTJqw|lGTMjBL}efd(u!|lRWvgz_}D+cL5|&Aw4WrO<6$rG1jv8o zdWbo~Tu(uXd9U(22pr$9_)ENR?y0`{^7Gqcon4g&dkS#9vhlFvL0*H=Pzvjv6K5LY zf<*_FOkmAZ-gR5KB%G(HqLGLHZPdsI#0$6rrv)HVJnatI6^cl-B2RA%FwNyv{)V>{wGM3r8 znm2vc!$wK3RWigG6DQvT7Vv5~%VnrlxEXqyHnDm-pa2>X|FiZc6$G~Z;NqJCKOM!~ z;}45YvMMN;j~WRD5#5cLfTsb4DQ-QXf>?_A4f8?Q*VJxo z548QB0UUX%!)I4A^xQ}~6C-tqTC~$X=Q8n(^se!FIj}3N9FMT3QvY;7k|Kz+smN}h z!vmxP_aGfOpxEqLmE00JLD0c3n7=Qew_UgJ!9y|6aTL0H+HWr)t_g;Ou#iIi6GSlg zaL}6%Z+?N5}Z5m-KD5uFZLN8lNS`vV_j9_Df^1rA_UI#O(t35ia zEaQ;8guh4J$e9&K8K;9Js`xx|fkZof{8(5ZRe|T~kyl>gRPL1Z9NE$S>K;Qo*ZfZ} zi$j$4!a5-n9*`peaj!S0Fm4Gf)7pq+EY(&s-{IF*zkdW<1{aRg)9odQQ!9nimcdB9h%5`PtF_w zb%SADFs;TDj-og*)gVB`3mp9C4BFN+wNEgFl)Rf|z!Xy1|wV@ec0GGuMVWVYSw%FA1*PL|N2Q*k~inX~S>b z4@RpzaUVJRy5UPSK>TNkYLNFATQUwzeL zvUHHeu+aw_@JX#@{RBTqTO^QP8_y;2mm({>fh!(jh)L$F+$6kluZ&eqJ^{}Y1JC}E zvK}ZOD2}heH|E#n5zE=f2LGmGwX?9fuzI+;S-*1au4A8t`9TbAY2)2?WudYWDt5u~ z#UumNR{6_?Y`GFkhkUYp+d#~80)mFBnj`td=UV&6`}9RSfT*zJJ#eQC5B`sZ)kZd@ z6#-_$!Ug4^ex_8WHq}z6V#2v&V=%uLG*Bs&#tKl@Og{7p1c?3rkZ=+ zjwKoVK@ZA^ELfiNJ@tCgvh5NTG(qdWnL3#B`0BZ7O&gH z*ZF9uKgr3+AW>{>cDzU*#_hb)i%o!00zR{e`cN1>k|uU@TjDFXgDA%&@n-bDH;-op zsTIJ2sHJoqBT<{rScDMl$y}{Lr`1~K7A>U23uE$mFuhj8v~J9`qTpDuTyz;>~CWHq)zWRCyIxl@23QQ!Da_P78rC8pt4_e1piS$rQI!WkFyglcN z_u6*|ln0z9O?QC9zCInb*9pF4a*Ky|e_A_VrjZDq@~Qkg3#Mn>gM33)$Pu(uy6_Ht z9-}duOmdi)tHL0N3w9kNU<+CP9X36R2XZ%q2S4-gnuDaR{=dRYY8R^yd6(7;n*F=8 z=oOkjU^$;m&^F|beJAPcC3rck{!wf--qAA!Ut*{!??04UCiLMyvsP?VL*6qS7DCFP zvSz={SoS&uIO7*#-D9SW^gbAbnSJwW|>3kQ45OzyfcKe0> zWR%k%N`dR125c1XwTLT|i7Eh3h2Ee=aO53m+WY^eHE0NdaWv@sy$~ipev*d$QHXSH z1LdWNvF_(R85z#|S^6f8e4|G!&%$LP^a=r{vW#c&st~zjn-l+oJ)TT0dy>D#4{yR# z3~-Bvwk(N1;!4BL8FynD=AY@a?DG_38S?}k09l%b 
zbr?r7#&o_#5r5-H;&>Iu$JA$%v$~#Te+c5)mC5Eo{IkE5ad(?8iXQOqAz*xM+Ii|| z5)rMsJtAPJGwfxWxDQ_O(8l92?c)1YnK%>B4JvC59%4_yGo)&-llPOU z(0>zyuQvFUJ!a7%S;B4P<(u)rj8U>SL^fo62wJ3K*g@G0D`u;yQ8xIH|3ehxPuw}e zIXDHvMK@Bfi_@gDfr6uKYbbyRszS{lLyF}PUF3eZ5`bRe71$M$@G>~$KTzoxBn^NZ zxE=!QM-gGcUF_!*ivK=Qbb+q4Hojka-$WWu-7J(*V;%CJL>G<3Y{XdPY(NryUrhxl zLKuXhRVOMatSy0K>u;?QwNP(>aQ(fW3_VA%EIS_!{fFn)9w3UZ&F&iN!^zheHN9}H zg@onOLocnFcn36A{yf-I{=6U_k5}M)}X8RuE?WG-YeBs!{G2tk>nOGW39Lr)pI?fH( zL)?jfn2G+=)W*fgRdnQcTpi7FltlcCd9>||^CP^hr)#9>}ovd}j_0FqS4Smp#2B+_JGIzI{*cCO}4&&)WTcxdTOUMlL+S&+UohTDL28Jc^ zzpw*0vL0L~jOG#lS_t_dn$Zy37INy}VE{P)fJeGZ487EdM=Ay}t?JlIT1Hj9u-*1G z+(L$bhT4dth1|=a#IQ{1DoK@FGYc3IWqA%RKTp(<%RGg_X!VVok{JSH{@J0-2;9)SKs>k- z{&%BPt^T}$BkkZ=rt{ai_I|T1z299gMUTFn_M7BRelI$jDw${cLPqG5kP_gMdhFPp`10wr8Aw7j>R%%Ev!>xPNuY5cOk zR*S*5ihQ6uEE$Ypgfub?|Hh$K`$aK!fbp7iDXu7toH3UYHinE8`QtyU#UQCK{?wxn zHAlQ7^QpqGg*D0ATup`(u(>un@$C>h@!dC+LGu;BX+FsZ!B9bzFG~l0gY|XgO2(Mm zoU%KLqBzTjgsEA)&J&;Je?b0m677Ma7;MP$eUO}JN#M5__rS{F72N)cSs1#4Y7?Prv`+P!dp~2K-@E4c-(&tqezr!`;vc1ZJ?}P zPvQdl+yvo2OvGc_r`*RfrmS?Fu9sXDNXy(}p|MoLGNnT=@C6v`2K=GQyL3bX1ZK6^ zObE^&{oU8Ie=UYK`+cxJO&9>Nh81BwyH^W$4t#V|ZleAGK;MMgkw$LM1Wf;@bgvN$ zAf;P`D`~%csfMCqZaLiNl;~V>&rhEg0Z zBIRYvXdti0cA4596lgJ;%5kaGu?2qCSmZ0)HDF|)_$?d_aa>Rj^p+rz>sYOg27up8yLI0`rt3LdzYPT~VAa*$Fn zjl$S>cx+f#v{hG&fuVA`6#<7~arYN~QO_a~$Q4of!+{dE=d5tOq$L#C7pUlyXR%l@ zr`7Z~ZB>jp^x}zh=!6~rwhsC@YWQ~G1_Eg7)OCR@MF?1Mw3*7|9V|Zp!@wo{k9%pq zw0f|jUL{(pVkU*_Ewhif1oFQ&;3?=R@$;K zV6Ep=rTm_*NyHM=Q=*_w8+mP6Y7YS*~iS9Rb z#y|!c!52OjXy2PZ$u0%2U7!x8WfhQ?k|cr-ocbpt*(lt|?La&vkc<-Rj5$GWbWd7a z`NWsrW6rqcL`A#v<$J|o!ulA@oa?gl{20t1H|iP8K>|17K?!-OT-b(O!f2$sBf6W? 
zXKaT1^TL~*MV4IfisG`4r90(cx7_7Q$i0+q@_p8?52qhKZTh#M5(lo>)Y#2ql|>Rd z4D{NPk=>s{$A;WAEQNnWW_3Kl8%pEnn;l#2F+eTx--Aw_XNCRCj0o%{g+unIghY%r zB4#P6)0cjy$c5%&Q^8=^hV4j&F31>wcPej#`wx&TbNLC!;sk*J$wccYHdHn`CdKulApj?vq|Hcb-U-7xe)@g|E@PU9?n*{uupw z90f;8z+4QfTJUMBvF1f`KO0!M^yjJ`7IJD5Z9Y)rElzQBn1!Dz(VIszsYIKL`7Ggh zm`N*cgOT);hWef3&W{G zMP@EEV@l49UsmL(MD{ew2e~h zzmDD}jNHt2*mkTSXd3x?1CDJQEpF_>oYtMs;w`wxvp->{?Bz&K3sV6|M6NHF&!$pQ z{-VT18v)Ah`{;mmQ87(OT|E2UaIi3{pTx3(gz_fFU9Nr4l-J{uDHuSMe+Ay!$h+um zc7bh?TC~U*lU!cW)X1;vwH0z#*1*2~&Qdp8on4XiJGczjLeB<`XaX5z?xpUMHBUh1 zJ-^ZfCy7UflZpBJoXk6=X?&``S(rJScrjV(QZ!mP#Q>H~bXrD5?ebl+tzx~Zpb6S;OhJZ{whmTU@}Mo*Z_7@^B|z z-i`7fF4oeP;kK-bPee>im7zvYHr2&bXWUk2lyuV~lXSBlA7L#Hlj}>M8DqesL-zXT zPxB=}ovCWmV3WIIhQz= zB7-`1f@bj5aH_?-X7T6$hPuNxniTy8k?}rUVIzBHgb8Ev{vm7@taluKy!*Eq(xp*H$F~k#McN;yg9sSBQXd?x%XaT`|6$7H`6gB$ofh|-6Wdx zVE+pPAaLoB_46=&(A2z+L!*a;GgBHvR0+HO*-4g2u!t*m zuq_c5khbdP@QS*He$9f(dKqnvq?f9R&zxv+?8C;spy%>_a9DQg$JlPyHuYW>DW*&K zrNiItP}92-l&08_2M7>$JQ=eSH%Bt~i|7mh0Wq7X5;8)##_#IA>AyGo=mt1KeKlCG zoo3opGRprXv0L|^4%y(J;Cm%dCEV}=Y_oeS$|Oacf*f!Yx^gCE0A7NHzT^Q}7GEpt1jO>0+*_V_vKxr&HGkVNC9?KZ$ zA%r(HWIq*BFQpe-pM_7MKl33Y1pjQNUn z6VOBdGzae+q(L4FoPkngI+V+BMsx)QKG@IniPSDFx%$z$Of|N&9Y5;5V9lVQ`x{#T zGz87uKp8ov{I@kg?x@q_?qf@=zvf9@8#ceTdO3I*`qJs4XRW$BJZpHs4OYNhBXVT| z#yH8BT7$!5;pJnj@A--L1A0Vi2?DDtrK`XbkH?K~6P8k*=yNYwK2!B@hYw<2B6lTG zTng;%JDguX2gdylk{5;;l>RU0R3JPwDyP8iDTvC*m@T5RanERj@m(?-CphDt)H!U6 z^3BF$b4mcDA7TM;a|`!bwoI}jTwutr)0yR34yG2wk1|J}l<6B$OxS{>5v;pdIsz%? 
z&AoF8{0ThE}WOl?%z8P84R0IPb*YjkVUqsGt$(!rB@ZGlfLJ2SRx;Ae2`~S?*U>0YHeO48p4# zteL*ljHguIM<5mtY-X1a;$VN}n9<4ZdYa3XcoKeWFW5 zxJg@jfNiG1x@e&AgvFp4!I)Ft>URJ5hhtCsWi^{!kCp54Si{S2k*dRYKO6$xKUHtB zmSuQA-3NVJx?jKFGOJsqiSh|`gGyd$SF##jbgQqJ^S=YTc5Wd&qE|;$Tje22Jc7R= zRqhdJl{JY3GX}hi*9rVHY``i>kP5L?_Ha6=Qj2Yl>Z1ij1jDIaTu-;qAJE#%+5@}L zNZ(FeI0gkIt-Ca2i20ERuqp918~^S{(KNsN^bE??&T1x&gQ!^nyQEq~jr)rkas*T~FE>dz$n+U4yi@O1ckN3uec zUF`jGL-o4%Go9wc#2VFUo!~Rx{k&>aUl>oAXhC&^mL{(dFE2 z%IRiilcvbL%Iw(rw)5Jm{ywntg*l9QsIA@e6>6TO>s0;c$ECe42m%r{?I1E`-p|bX zOb{<@+6K7LG`tNV*{pQS$CzKX%e?|icsK$s0KM_{5$w-@{gxNv+nUQkchvaQ3fdOdiprx$;w-n0HvbV}e z+k@j0NWIONH%tfU_5f1+(;nfU+YiDGKM(Q;HzMZUJuU9hR?C-qU(N>>g)>`xA?Att z%EY{FYPCgu@sOcRG=%>Q0L)}GCH(|jL7C?OSF@eks*>%?C3z2QDqCtXLQ`VN8**D( z)VI9c7_Z;E+N6MY#RC&**V?qv9Um|?a5H}h%5d|+n$9d2Pu=WEAUijDT+&LO4PgMA z`X{T*e4C)Lq6|^RyA% zCruB#FU+FW>>rzTkgbKw{DMZg$e>Mpon?SelfTSWZzKR8d@%Gmf?V5(5jf76As%&a zItJZ#Iyz_S$f0$9^is2Q24Puq^XhR49m>`R<6X^Nsfunhu`I@_ElYI;%}B1 z4%^pV1aqTPk5Mx^G93ZiK`}&M_0ao8>`QUexDz1afGb2@4M41On_N;J32+J_op z>pW9f<4dKlm!pH76N>v!H>Ci?$3$}kb?zSrv35jFc|Cn=f*#LsABj7TU3Em|@K=L8 z#<^CZ)L5FUL+ud*xC8Ye>I2CQw+Znp{Q%+5)u-5)E@Xxes(rT?o#<-bR)- zmn%EFLYbgPF`EBd~>SS?{LM<;Z`8&%pu9^T8#zPjAhWV1yd1bxJ%4&5aEnVM`eX zGN7F{kWgo6z{z8+Je)qkYW`T5Dp4a~p1gBPS?btzNC|SU8uQBa7hLh&LjT>ABheHn zJsSy=Ey3Y_j=@-3GQYl?u+UvpN^&qXnf+SSx)DcvdJiIp9*n2|R&JNIhmRlpSbpkY zQ4)1|uu@POpV#Q-^my$|Dy8s&@0m%FBqUYL$$ju_zn?AdGYhUWCklU1d>X$+ z!fdv^BMK(#hTWJ3-~KUK=dgXJlWGsN7Wtm_pq!AcJJ;3VrPBWLgVUYo!#4* zcHn`EEJ{vOexfCR$Y!E{fC=sLv75k++Rn}E!6+jUv2)M;=03kj2vmjO$GthdZ=EY0L9BB` zX8sg(cCdLTxi93BB;3;uhZh}!mTSC$PwI7G{YX{K@5UeNF}bYi`ifWGGk>T%&J&(9 zYN zMp|Cq?I}(iz6LisZ`dv^OxM4{v%zpw`!auOi*siM*my{DMp2C1Oc0NCcV|f@wm6n8 z&G$?1{qzP|&lrbxZT1fjtp1j*dg|3hH=lkM&bv)Gd!r0)ov_YyR=nPQ-+IaGsNFJL z4N@rI_v^?acp#Ue2^`9;!gR1)`CMP^?1AdtKaD7hm$>`U?8kY3dekXPpWfmKv$KaH zXoP>M{+tlVL#>sGJhHy-HpUjQcHJtcek`i$AWZsw{&-RcZo`~AT9l_{$F`M&6oRk&zWd6gV9VgO{Y-UBGwfU*@f0+#?ZE|#g7hY zfBUS?*+chG*#JD5)cn|kQad6It?zkC3YMUVuky<-whDPGnHAKiLyFRK5ba?Bxq2iF z

9U@7Z43C_7xd4K$7($8|fsSyN_3$TkZDo;w>jCKfjk0 z8w-Em_naZIYhpEkIUyKiuM3p8ZVM@9t+N|wtO|H-;?Ol;{-oAn<)`LwnT4PP+AnXZsMKlK;^>BWL5k7mQL4Wf=@at%VyU%pT;@L0V z8$Q<{*WXDFPMx-v47WZ-t|98-~K6mMiWR151*rsEd(5iJX)neBQL< z+_i~_KHhq_yC!LJ&mDH#7-x6bN3~TsgDyPOPac-9`jb8adV|M04`uBhA?!ui`BR2< zl-;AJ#1s~dm4VLBcJNCYj@X`cHSLJkX+!{=m(z(|Z zCS$1Sdrlt2($Eh&a|Y$ph|>ukG^$RHgKU zhF;;_HmQUE1LxzzwSR5b^ZD4btWf*i0r+{`&-?z&-|zkkyhr+>i4~w)P6w#f>5i(n zrvxqzL{&uMYb6_*5{`;bleNJ4Xu*}@1mrj#$~9YfH+{m_qMi7fU}R;V2(uv)8te8f z4NNLOc5eEm3TZ#wM_jAa-_puX*M!{DMaFh8;OXgcFcFA3&5QDbyBl>H1C=i?9<9tY zeeF)~0iEoQNBgfTiuNU&j9C|aF;Wg8&46Lq*r!rCEDT|9401S3g=#>Ya>|vYT;=LU zM33rA=l0-Fr6&gPMb3$O?nf#;s#Tu>N!uD7qbzc=s(`iz!mHM_G|kY*uR(iva$%w( z%ZDSsm*%8ndiLH1GDd(qD;(&%lnkzxM2*lqyjz*0oD;u-+DzwX3`-+>ly9W|Hn@R> z%uq>O+puplgW&+k=vIeCz5U#kr;jV3h#ut^Nr2!_g%C-SAd+w$s`MyVz4;8ux}4S# z&XouiemL$`{M>yKbNR_vm#~Girq+;RZ-Ts5eW7r_y{(LodSW%f^uGEf@Rmw#2)> z{zs1DK{Q)-cVg5&vU1{seOGqAa0R1&Eb*JpN}^^#2oS~hqF&Pq_9PeV7UZpy9G)1N`T8tJHo1w--d!&&BY|2`jd86mC@tP0~7y2)28vPZ%(N>K{@7v;VcqU7)D50uPw3GRVO+Y+B< zZ!`drX6<+uzW#m3C?f9aAsRTJXVc2w|Q!IdtRtgJ-#QhFtYeA_QcsS8HZ+LjwCtn0MZq=@f*I z4a>=%VWjsXq17WdZ}FsEvY`v#W3SzPhQ4`=^eu6$Il-w)EG?u8PC2>ik|qFdj1v^O zuAukIt{Lyw=YIp9#&vzgazo#3BWuvDI)43jYm3#}pnLwpvz+*Y)Q@2ukDu;kW4GcX z%3yIf&fKjQ%^Bu{&Z*M14x#Ua0z;=OJZpLrU$e3|e&NTcnKR{ajLN6e^LIQox9I4S zne+{6YzJPqel6*~vDc1hoh3!tlQ*x7j(a*6c`l<1Qd~1rB^8*%fu1Kx3@0z=GHb9? 
zJ!#^LkE&J}A|c@(=<{pSdeREk$~#PR?{s`R`>IW|zK5CShz3LDwc0 zTi@N-PxL4gle_noG9ujP62T+}qH>n+vWx}hp1XQ@+PiM>d;3RyY|8do_CI@M3)x?% z5q6auXnevGb@e@1vj~a3Y-bJchh$9TVQ(~sYZ-&%!Y_X`)2i8b34JpTL;2_B{rr#J z-T_YO>21aQ$JNHKhA0Tk!7(jfuKw+WVp3Lt8q7bP3$vXyJa{HU=MJ0KA+O)+VON2c z8wVZgV=Hl7l^eV`L+(1Hs$)mY61Dp-DHr8^#;XIE;cfkRxV*u8(bb5@?@vvu2s5KO z;WwCNf#MtZ$7ftlMXHXE@g=evbT>nx{#ln; zvzLypxuwx>#ht!4maDYoCD3f3-=SO?i@*0Q zN`Rhpoh#tWQ%KL*7uqNJsx?t|cW8Bg1lW_Wl0dt2Pv$&HaliHpZriM$-W0v|5A7hC zB}6{%kuC;t)`r^BH(q`LnI4ec&o)iTl5R-ON28m*sC&1ou27p8S8by#Mbhb zM1}HJOf#bEn_Z_z_8La{x~KQ{7<53E8nHrheottAO19$836p0Nn;G@P&Bq>)a5^zQ zTtlecqJEJ?Eyw%#+x6X;!$eGJ-@A{^>;)4l4zPAdcGSWLG!&qELYVD#ngB-rSi_LLLkqK`IA>W?#4ob?^E@F9Yve8) zV_G`a>N|TzYW)J_Iyh&tKuH9ls~vLv-}c8^DkhxRI>>=qoV0&a)c_*^W10tcB-bFT z>_CN4XP1$CpKfep+cL{UMAwjKn(sI$OXl#*oP|5Vw<*F+&xz)$;0YUKEPeSjf8;sFS`YM-bL+jj`t&y6m3|t6P^lryZn$QCG7&wnpxIV`=b;6Ecq|7FMF|) zV^U;!tVk3rVa{8ydI&|kFK*nGj@Wv#Eh3F@u8u=P%J zoAJt2ecz^23h{@zdM{BGbVK9^9>)|@Sh>v z6U*L0hVZ}-X;RKF@J3mpeDD**D>PQbZmH%^KW1SSrpqgH$0=bg*Lb0-_`Lw{E)!*E zPcL{8bl{OS`~b2{>DV$l%=IhY+E86GS^IK0*yEZvdpv~PM0@0SVDT99_yO1GV#sEf zMYe9ZE;FL*;0wywl{3{1XeYI^X0BNGP;t_N100z#CDm92G9SILJDsmSh-SWHo{%rC z;Hjanh~w?4y35~&O3PfJ=9Z}P8UoDQEx-cW9-WzP>_%`WFPGOtitN<)z82l;EzB+8 z64C}ZU+L({-06|f@}0+>s2wT8fQmp9nX8!Zndo-zT<11e?e^38>Qa><@1T6^bZO%I zSa>1_-tDfA$hOc{Rp#Q+s|{Ck@#9C}+98|1fJ~3$05*X`fpC&5R)Iq!uX&UG8B?;c z;B#a2Wa+5~3?bZbMjv#qmIN!3&>Dd$W0jf)*uhKM1a`)W%Gn&)lj;0Twc*_qlHcKs z2Vo&A-iAdaI;gUgbT!=OGr&i!-0O5Mg4ay_QEM4}?v>;4RU;t?fPFA9!FnT$yMBmt ziS)NiwIMYK>@=3d?p|L!WlrusZBVz06*E~Ey7LGnHz{b&aUn=5G?leAW0Mx+;7=px zA-B7O45R9=|18Vo3hPv%pchg%-)0{|apdhzlRA+4$@*Kd_=0cwosO6LYKp!Si$6D* z^|oZObuQnbewD6#X>LODwjJSK5fivOyKLoBagy$)T~7LIZb)IWE_+`6nU7f^JPp=L;+ z#9&JkMkueuv?!&aJ+&h!r%bl@^eIL02k4s&6mMA3kPGpX{#wY;bpO@NrW)3HO6+#{ z$4iKXBw(1;5A;v=I}a)*)wDu`t&|r>J4T8{BuwqXOuTO<8Z?%szX?rpJ^N$%*etVM zdV!dO>ht+NB8PHX8YRM>oMjY+4+dUD)f}u&vZWp=)EmCOf?oq8ERz^5LPRY9v$cT* z!Z&uM(^Cfgy>Dmxsl1#};5BWR7N+!13P`RE(kP3hrTGNG>j`Da+a-3h=guHb_$>s@ZKrY+LMl$2x 
z7o(I>emC*`@}S-%8WDOHbWaSd&TI)!q__spl;efHn{7#kM2WbN zh;-m|45Z&e+TXL@0OL3G)6t;T7JKJFBv}02y407593*P;#BdtO1s~sYGGuX>m+5N_C0drur1f9qAuyH=I4KZr$8g+3djVL@qL%}osgtKGW zW#Fp@K%KA)CpE``>bMRnSD-L%V7SRivg`I8;27?=JPhW@Q+${yDdvbEb)0XA3S+lf{k}B6i8{(!Qhx!XV9zt zX}OF4w-#dxPqiTBm=f&cFXz8*@4pad+)#wJM@LA7tq1K>+kc~}(N9_a^U;gila5)Z z1S6^av#GKr0R{_1ZB(godrsLHyqNMT_$8z{g<1@{Sy20CeF}lSyTi_v5wI;j&np^Z8`68MW-96ILWgNuAlVH&Ou3Rj>P;v*Y$F;*|-no}JnRj&9& zme$+Zm_iR%WY>u5NXu~5(h0&mmmL&tP`7-XWb&+O<-2&l+dA}P>Z%d{dgv@(7XlyW ziu>+cdAPMZc-mShfd%?F0`t>lOW{aZn61#j57Cc9PNgn{at3|ZkownlFXX_6bZ$vd z)L^XOS04F9@aaef##RzJ%OwGgT)|Q3=*6miJQXY8@jZ)No<_|bF} zbZp6L4;F%N+Lbow(vxK{aN6WZqM|Y^o{>}>(%*Z+RQrH@pHvfbYoEQ{W!9v z7Sb9yiS8uo7hRHZ4y&MORJNSuGan;;DD9i&avpD!6{e0p0-pH~vi1xw&eojl2z^ey z z3w|jKlu*dp-Ii0WQGxrZ_Ka-`%)#$*z|{NhMj2hAG_RgL_6z35YZ`r#+p|1c=v-Xi zahLz1pA#Q{lRq|>uU^cUs$0vD8G?%d^9_NyK}*{2I*EJLsAh*OvicyK9U$mtAaGMmVO&%E8E;jVc$Ew%3Ls4UecLmk^9 zs;Ro#)`-H=ysiYel)?W?C_qeN!G*N!%Y$4g;83CX*X3`AX9fh(t>>FQUb$lWDc+Ho z%Wn~9TucsmkDPU6fToACJA<~KwWjo^W`GLQ?zSWmoI*H)%qQ5#bJbAr=f?R zO`urj7<~-f%1Qlwu3E$O)VZ;*ign)|BR(Ej%C8J%)IL+nr!x35ebu~>+uPb`)FS3& z>{ll47qDxvwd8*5T8js|#^+qUx)>pkB1ivObz(aA4vig7CH8lXvXeGY+*ILU&xDiU zUwJM}vnHJXSPu8|2%uF|HkQe#l5%9q`zp<=bwmAzmUqL5kf24BOoO<_HO*uqI?a1Py2gD#JK{2lea^WtwU=k$^K>XVdInU zoSz)81{PlprBCuL(j~TWC%Zc6f%_XBwkY)<-bKRp#S7kp`?ha0FHY)90|&sg_N(7a zCTUv9N;Jra2n4G?`z~%RZ3kbN#N#^oZV-|--HfUl0WPo2?lzu0#T7I0=Nz)KW_-<5 z{C-dUQUvMV?GR=SIIdWJ!6S`bCzWfsPqDtq7He=R>>>{b< zFr417_~2on9Ch&(t%lJVz2qG_JBuhfmRSZfe_}t|@@01p-@gPRa3&Y3^X*VJmb{1jiRm6$l62{*BJ?8~51jqkSl)j5+FtjEFOiqjg_yrojL zSlajz}+4GHEu=Kl%^vBo#Sj$~LnH=IDlPfh?Ubl9L7q5mp z^q7yl$2BM7t8_CtxmlY#nN%wJ4y)&6R(zr`dCz=TJk;wq7ji$ydcZ}nekxSEWg-B- zz6Y6xCJO=e;_`H3;v9fXzRDjztY_L?QR}~NBImR*3N7$u4 z=P3Hw$4sA?M3cVY$$w${_hY%^?a>_r1W%9H5Ij{w?pj!ATis0WPT*9sYNAR`uXcsK zej-{eI>8dOYZ$)P52r=x>{cnNq2+!fBZ{vwfRI zU{Xa<H(lJq^b4MkujP+cDj0Zy<}#{Grc`)0(8)m85)CR9HDi#3g}Sa6y9LAbT;j zSzzvoyLH}@O1&Q>1^&?1qEpusvDm!c6@-{+%6exn z_MF=x&;D_C1Fq`wS;1y~_mR=p+@Mx(cM|acazB)ED>*II&IE%pdXliRm}f@oHxl5d 
zQ=<R>8{+@`sdE+-MLucsDn_(B=4&>`#n!?P!1I!nADwa@_RjZx-%BqV0&g(a;lE* z+_BBHgWU~{+niPHwb$Kl{>AZ?Gzki|X3T-(Ksr-y=A?v6=;ITwoBCD#>ZTT`%LF~D z(`3fqva8N(mKd?>vVo(OBXEBFbl}d<7i%Ko?WNLh0ttg!!$eGMY+0j;#fSDa?omFRKo@b<(6HlKwX`nR*_uYxh;*PZKV-yn@ki_vz7XD+`+0sR;9 zloH(nCyYo=2>E`I$Md>E>=O(3e_B)pBolt_I&p^5z+Nlm2m3*3WVnOc0*LC*vxuN#N!!{~dddMZo z7v;ttAwLs44i!%k^E{!d+K^8v34N(Zi&2zFAKb(QG_Y-oi-oUr&upp61K%Pn+!eK8 z|E>wI)sAOV8$PS(WEdHm-N}-k>7g^6Q`$F*vq$qI+;YpMCCh_9tfZ~X!xue0{9yMU zG%L(r1WC*7T6D#Hz1v#Kk9zPhN^a|e6CX#VT(avzuPmduw}PU4fwGFsVGgmlE9-PyMKc&3bO;EA@PfICR{- z_-Jq?%)WY;hZZAdIhHj`5>JtE%Ssnr2%?c@X87OaVwfhy5?^4s*6nJ+RS$5{?$eM-{@)wuY z{mTp~%V3!;K@KL>17IzLWECUVlr8w8{|zCvs5An&ogNtIuEjY?gFqGzc!^)Jj(9 zff>U3>4?Oz;4ZXsoEb zr4q2jD=fJWZ4?(t?n*=dt1w;Cn=<}Ye!)vM95pX26a22WCwyigGP12%un^qnA$(&=!u4; z@i{p20EKl9?*DzD@>ZBps1;JRF+tZ>m~ICyXqXEDFP1@raK^UX*H`Z?L)ChdmC8^2 zim6T$*lw1uiH)0LF;%v znb8|Knq2Fe7>1}2V^bz6P9Pr3dVBVnUL|fpo(yvR;>!|kX<%Eh#$Z$PTL( zb7C^W~{KroHGh~jl+&AU5nKU z%XpU7RFa~UdNc-+Dk1q0KK*Eye95yF94jze3J8V3MEAlm9O)(ve1=JUHx_`<$!IzhWtXv`AclHxSR>NYEUGy^Pl2r>C`$4>Fs{o0qW9M?6T` z9>Ipcomm`YYDyT~-lxPYdOE*d4u(9>$6yIn{pF$0TE{2%_nWmXZXwlm0xB|!t%au9 zuvaUj<6a{ttYSp%CI+t*egZF0zrKgq`xdbenJk1*1je4WFZ|^0hX|H%&JcCtM{>6g zvGj30SsZ&ZrB|J3eaJ6v;9((vu($kM2>O$kG^b#r(y##$$;`+r+wX0B_u#TgFC|!N z_Q;&cB2nzV72VMiiV0zabMUuY-#u2jzDayJ(e6daeBULC0tDf?!QsyvDHTOZwZMrb zBm~3F@?dzV@j9 zkeb<(GJovo|DJ4gLi->`ePKljQ?f~_(hx^32oK}-A;%)XUBT!uz=rL5-tzGEUm6rX zzsNWp%!&s|!-8V9o6SlvgoA?K0Yy+X?a45>M`)bmFy9$95yMdYH`S}4fI-}ED4M-2 z?0!?V9Rc&ubz8iKz3yT4y!aJqUqStTN_t%7l`G2)1p|-w2j_*|$myq-zE&AKG{DRI z?GuSD5b&f8R6s2`+IG$qK-o^zC)z?0P!ki3>@tS9DtaEv7mz|8_tHg|?Ny{S!$(NH zi5FLt>_2c3u8Qyb~uhW8da%CfUUG1R@9BP9=o_@f?1nn z{rb+;Pc>iRz3Qt1U(fkwQp1tx&MW0m2rF%PMGJAySkFC`U)zrQBH~_)<;@_ywVkR@ zWCRA!-mBN*HLz%fbn__dfBkhyZWp^x#!4@C7~J{G^iWD+uuK+gYZ!!&@DizjU{d&T*}=QF*VBeDT&ky`+w9D2?bFaBJTVJDT-IxDZmK>9_?_Xw%hv1~@=x zxuEL(`kskHaH2Ke9JHbBx!*4f*gXX^wO1Jyt78dh%|t<PVeYA>lw+-1;G1+Ch~K$ok|o#9S$9Hp!jl)Vk4F4AhQKAA0Z 
z;+%N%*GV_AO<)+MQ5jn%@#LDgr^2y}3JCaue8_My1#EF@;pPr4`%dg+>t0HUU+$si z;r3#6j#v8E*OF<$3^#~OtK(!_?%SF?eyyU5Z?ELy5TOgj@T9j_146rJ6cPSTN3I@4 z>7d+%umI&aWhMlHbNDGHU-afen%NO@+%w7~dNp=bYWIDHUPXi#1Ejm=BYSm~;?&VwkY1^p*^+Q(9PiPP(y_J_7!1mRatSz3{hCdn;5YJR`BU|45dA z7(ke`D}`8a`AuyM@SIM!rBuqOb}P+E>?V8+0Nm8y$X0h&2za9P^UIu{EjV+_S}^z2 z4<0S|yFMy@_S%$7vhu(fRBjH@cb>Im{a-|)F*+=WwUz%~5?_1yxmzZ9)I`AP0;7XA zvXDWf3GRYlv8T5I_A;8)?LSON5g$S@;r0g;QWU9}RYbvCiSoIY!VTI_D-$B?o6vKE zhrq)84F2*;MmghkQk1DRq*firLvwEILAhqGA5xo^>;D6!jL|xz^CV-(c-HWUbs4=} z1a6D~SDD!USd2*5ZI~*?QIUWKv_ZLl4*5`r{^T3=8ORZ{YBMs)nD8y*K;m5BoK9NZ zqbPB-T|~uzbKww4yhUrBlBNMgzIR%7CG&w$`5s0UK5j_XM^5nTKgfzy$bsa*jDiO; zNdkfMF+bXA#ZQKE^^v3^pc55>;>@tego_OOuFnSQ-NmZ zXUidUPRDwywNWakVK43Cr)4|Tjf`Hk+E(1jy;X}bQM>o6SOty~gsm3ly?%mRQuBP< z(f(y9d8gI~dYNz$UuFCa0DLXQ`*vW1|rB9aAuXi*|y9-Z|IrXHk)d%*P0KHUk%kUg%Zi2?@^umFeyZ$_uMRjGr!LTfWv2ajVARBzw1!zI ztFPwo{F6$s_BqMdpWUFlQ0vI@1N7f~Db)A_1RyA8uh3c4I+cTI)`R40;x!{oF@{9E zJX2td^hdi{ShRV=}=T<9wrq526hJ(Q@<_ahon+o&&*vGJgr^bGV3wQ6&$5g*>)ai`38uy*3u zO`dv#T68IJDp%U;h<{A~@rP&PrMU?P%4%ms+wSk9XfDOWn3IY5^SveT7FfQI7UqUL zIfIK};D5o>3U45cEdrf`HpJl0Iu5$?*Y^@E;SUxjn8~zH!F$Rf0vbE+#YR|AFJ58} zKnwJtzzT$Ti8){%o^DH%TE(Wujz%k&J|LTPe_E?cjze1DewtEoQAoE0+3swvV%Cr_ z`hh%CBU@jH)b=W7^+ycba8JhoRXPaB3!$tkP3!Q1yv9+^{Yay+IO6)$O7!itabAV$ z`<{kGj6n(ZX)F)*vZ7ykKP#cUXoKr0hv*EXhyu|D7h$-wCX)2il_ z2F#5BC08V01>P@QTif~6q6RlGWn3qH<`Bl1Wr8?$Qxu%I|DM7wUGNaUxWf6WDuGx! zijAt*7b=+%kcJWPH?hb|!3bxg!r(}dM8k55-RHH?mehbo6d)?z_{*qWQuI7q;CsZQW?MP+<#9?fYE+k9&?@i&u>GEgnzcN~(R#Hhfe%3UzrBg7c z0eWjF4g&X9tfgA;xW8vL@@6`F{+@m0nfM?y;qN5a<$3=AIiGV>tkHFCy82FlsQe)s z(Nmi^;60mrZ^tc*&RX>Wjf#B%3!BTVB$t8lE(FY-rYZ51s#SY;rNc52HE9aEv5c45 zvx-dQ@8NxRRz$IeQh5JE^B9T?##R{bA2g4}j>BtA>ayBx%sBzQr!GIB%eIcl z>h!KA$*eZbpie!v_vT?#s=D?IhIm;b#3|L##7oQLpl!vB$D#jWs53GS#XN2ujsw#3K6#^3x415^w2v+1;`%|! 
z*!C;ss)|}Ev@W;R#Gnr(@_en8*O^Bx=2=#$T4f98S;ywqKKBQw*E8i?4_T+p+-^VMNg*X(Jf|dGduD+kE5tz2Xs8ci@hqA z$TZ>zV;OWibaCVw^@e@7QcuKBEGL=_;(m+=ogz<=-IVd$(K?;vL!SE$wOcX&`tkZ~ z;ZlweYUSAL4XIIkkPQX@kv#AR)!*u;1?~qG{Gbd549nR9d6JoKSjnXc`tMGX?p|`7 z+F>=cpDhv8*I!^EpZp6t1kELZ$&}o^GRFk# zOg&u&tks((d;}R(F6%mh4I!Rqe!H03PDMGFuIqSlfy8;zjwOR)DP$FZLz?OdX}apk z)uTDN(lJTjI_wS1vPpg^>R)mALrPOAo`viDQ?T}SvY}6VymTjpTIK;H6op54FPLFVfSidVNL{o4k zHjN~x`UT#>&C$BnTD~Dw3g-6a_t{x%PMZIv zelx5zafb4gMm(`!FEO$25QX<_$Z6vxC0S;l=@1SEdOk-l9RvF^{tG?%ZalF+ff;Zb zEEe^#1#lXZfTR&~0@@oGA5MMmoOi^9B$Jj+fj~yJ({H#j9@Gx?Jv7{_X4?4&JJM2* zu&X`Xuj|XsVg>7!y7rm z7eUEX;E1b)e`hagVdmatr2R5`0=5A4lFk&`LFG3MPkXi=tCGq=3`;ON9ZRB#Bop=N zi+im66IX{Py@=U7k#~ES7#oIy!RwsK65!3=Fu0`$nN0#vSoa^2Y?mo2j1muB3Qw$n z*96D)TOkdoip5lakbH`!swvC`a9Zn)Nb#R(PF} z_ZlLBvu1++)}pp2 zJwf6WE9-q|I1{(kIq~!Y4Hx{ezrB#oF+DK6o`O)yjv-&XeMxq1T;U>r0)yUauq5|} z+u^cLyN#Icv%6p>{UUik=XQQi`= z3aylM=vRjn8brR!z}FX!JJunP&37?NBG^lpYp}aGE?wvX_m1E;)>no3@bJr7Rt#E5 z(1kaZrfiA^wT!-T>yhp37~<&6VrbS3QlmfPsOjl1>MwuHb{b?Ei@f>ggaZNqL1JDM zBA+3FJOKC|LOq}mcd@K`$A)r{85kV1(=;o%pzl&N1NEI}EJfb@O_*?vM92q%#75CD zkYy<0643$}O~~?RacfT7lr;Orq#;!ZJp4<9WM##$DuiLn-9|>`h@pc}`t4Hv{Rk1nFCPnYQGqizZ1TKiX@07=d3y@%ADI>#K z0+m0Cm(tk98o;IQ1xx1j%ZR4pmLd)kjSIgNXpSHKJ>?-r5*$fekb34klaV|zt6aCFVTu`ZrAhZcdh$Eb8s=Rb* zy>~>AeBhhdT_xu4{Y=g+ib}6(^RO`gV~^J7$cSbM(IM+efMp zyASp&9|h&+t|u1jdDE9Kz-TvrW&MsEG6GX|m5judX8XU)%P_@Ol5ORSv#DrYk}#f3 ztd|qn8zGRmc57A2$6!VZy2PW;BSh4MFM$HDLX@k3o1C!Oi-jc|=!~q(tBp}Zh%lh; zZ7Y=?yn&{;HlX70y%^8v+p6z~WMmYyrYgs|(=tAje zuJ};-st^`$(GJG-;buSnynJ4u7XJprgfr6YcRF+2X5f#^u$f6{2mb^OXjYGSmKe|Qs?O9#X6n3w7Sy7XG$;c>Op_T)ds1Jx?+B<3w45dnIV3M-;fSKjxdlM z){kI>-Ejv-W5dAz<0-$lowMaZw%S)KDPgj*9J5`KcT~wPNr*0FioSJ?s|=oy;|Iha z($4(6@8pfsysSF83GDudDH%LF2-B0?d`u~<+w6oESqr&NO_m&7xQu)`&cZ0&Bn@kN zg8_WO)S)L`O2!P#-33#7|Dv~Nc8o*PhMa8+0A7y{74=sAq}+090lo5in52;DB&1-` zz1^Qj`{ox+%xPMv9X>&bY>(1n4}@WwZCdPsFnxE60H~4L8AT9hDXnzcVqq|bXF?k} z^F=>m-#h0-xBT4FWn*H-e@7t~o%j}8kmtJ>$FwYn7Q2(mEAzJoZF@!%S4mM9zU9G+ 
z3v}r44#9SO@mj8eYyq#8qq7zCVf#6H5`}Ph#&q9y;czqLuR#6mwby>vLb?{g8uflK=$#2q|h|x;Bur`)pykdB@&#@%lvn5uLES? zCjI{&WvF{-;`{ZGQp2O2V~*%j!?6zg@i#?2$h{hcngS&t{AN=Q(FfJg_i^Gi0(Q}R z4+0KdWfNz6D)x*YH_htr5k;_VFV5^k=m4{jt2ZI)?|Y{TQGY0#qBzNjZc-;nk|};f zHw!{+(I~bVhPcu(WGj%i2S-{&B}$;;+yCvU?=~_TGHME-U-se+1@+M{JI@8H&^Opz zQ|?!JJ=z-xfn|ST3zXZ~e|VfoCCR8JO_Xvw&d`yiSddu-*cKQp#D*bSXrH>OYPhGj zDPJXDcY)mlOWxiyf0M4F74~ctZKFlae@J1^fF~iqbi9y)&>1YUjtMt z{S#@H$sc%8=3nZ%UpRn`YOdO#^z|WH>OcLn(mfwU(#^kS6cG)CNAXYI!0+Fe3Yn=4r zLf0Lg$-h%E>~qO8l#4It}U zt0sYzItDen(YbC_sAHxE`D(jal!OHR1>Kk}X0N_=#69qAe~RS=+Wf62EyYoYqvt48 z?V7#DXZj`VnK`*kcPJ74K;JeQ7$O%S}HBFJ<568 zeRA{|Ca53g1)Weu#88_d%Mf%T@kFl}j`_y>gii2$@b~;Uelu3vNvwO_OEx3^-9D|- zVgl7L?+t=ZBeww&4{2Zu?7e$35)aPB|CI0v?E<2N*ZAXo@zS@#`-r9cfaKF+a`-si z6rEdFIw98{F$`l8&Hq0zcZIy~&Wd^iOo7#4G5OG_)%{7g#R;ZjY8+6u=rFo24?(^SV`#Uo&WI;Nz?JmxYp&!u~!Hi5g_3*ZkG+6{EfaRQ= zUb-ntB~|-JA1C(O`r8+!>k(u0cc8=fE{wIls+(fA8boL)>OQiTx{_K zY;(nUZCXZn>?ZqH3%a2cTX7Q%@;5g%o7T_d{Eut`_T_{|3Zo{!7HEH$2JLl6Yg(Jr ze1!E{bReAeT=LFO-)lCDqM&ryniI+E!~YHjMlHS;SSJi1fuuJxz|SPQEiRO)6{`#d z&8dV?%x|(YnY2!qmQ2)+^4iST*^zLmY;2Xy8v>TVkh%%>1}8a+EA8@s5y>*;(vj_8 zo4p{Euw0YcjGkIqPArF?J?%WGMN0~o0ntkQI6a~g*jE7izmrbgmc+At9q0!=3*PWG zdxXKZ?!C_w>jfOSk%02NqF3-(&?hz5BS)CyzZl|{{tGzi`Fh#DV z5mX@6;tltUuFU6)gCC*E&!y3KGtyNCPfe?&O)UN@mwUJ@`VR(e7pyBi9Sc-@pb)^|!J^_70 zsnTEcq&PsSTK6ox3Wv$%I!cFs^Wmt(0kfA_?d|#_?p!ua9 zCm`jIBNxZpa%Ag#{ioD$K@W6bq()3;zC{Fl!U@m`Ay@EGNO1K|WoDtVH}*gu5j_v|GhkZ`V(a^T1|_g9PyoIY31^^lx8GjvIWH(ziH zf5mZXm?g~3{2x=-98l-`_Q!0yWiFe`b}gN3+uE{qYT343%eL!eyX97`_MWxhx4nPV z`Qtow-_M25#rwLeSHMrbl-AbE5T-X)gAdjZjoMgI4%dfb8U~ne&860Loi0mY#I}yN z?RE45dM1yG^r`AjhWfP1kY{&~?Auq?R~)5{Y)4yIcp~zd{-!FC@|kc3jfnz>Ob1{E z3cB56G5v|-i;+Tp6lmjDuUHdF8@+@i;9iO$TN_~`+v{o!oDd`1odLo0`dVo>{8*p*BZ^@B= z=6_$w7V9FBVTAX#QJh|^sJ&XNHBma1YGfdH&rv{l4p+lrp2Jmho$Ac4>+ji_ImXEE zUayczVeFQ2D%c59jDF5>$J%*epY9C8(8dbX4w!urT(LXrLv@;w{5MJKnwH#LgxZfk z4|a}D+#hjQ!rblz@UMXhy3%a?YYPH}{i`B>i1$W8u~>&}gvTzr?%o@jAh3ge@Xial%R55X%8+-C6ciUnYO- 
z7MCP=x%avd1x=I_puoC9oap8ISsakDM;LScRZ>)AE}jubSGeg(TU-_J4737#pyF7R01A2Q&tMkM}GP8pIauyT^IUzaxxjILl`7qVYa>1L<1S%1oGc&d4r z!;Z3X%{hmEj_ykR&Lc#t)q^_OFL)v;&|p)>dW9fRosy~`FODl+5DazpdJ3-L zGi%=o4f(=r`e}`uLO8NP>E}VS-#p0z`JA>Y?`8=KGDC>U;xs4q&Mxpq<)RCN z4Rr#BBA_7FLokm1r(#nbPWZ{)Ey$x_W6)$xI?@^M;S#xCGW7ktxP4z@-MvY@ye`e% z1AaEpi%2!pnX>r9mGh;pwx0za%eX1vE!&?E;ZhgS-Q5`2zky?Cj$#Wv)IsJubL%gS z$+G9*Ajz7Gsd{6oK+wnf@}`LeeimT1vV!0AGCY^H(H?VTx;(31*f_CveT-jD6Ub;J zK{24YXB(%|cuXBSlP4|c_w7oihXp0sl%?`DF1To!62ee9Db9w<*dYqPLoE=}D2xQb zxWbI!|J7crCRJlW#{Vn)OV~<&_zHJ5;tM>uMMIdx4Za+YX)-M*S=TZaD=hw=8s2g; zst_o@RpYZZX=92bPfJw zdz!@06z>Pw^RYiFgsO#Q;C_ojL8#L2)x^Am zP>n3?xjme`GuIDDUL-szA&etvJ>>%t5qX>?pF`ps^V8M*?Bk6=KU&gJQ;O89wP^Ytx(te}J+jn3Dip@4iDa5{B-LT)1 z-Z>fyasT3J8K#;--~@OWawq?CBZVio{^}iYsA6nL(8RuE$6W#yG-{TndTUw;sa7^K zv{YlvHM_xRsHESNY&=;%Cpbd$3Zu2hG_S$&w%FTH% z;++WCXK|B)nbw*s0t_&l{7y1>l~oYuLf#*?Si6X``yFJ&nTp}g+nB48|5#GwESi$S z8l>b+c{8lV`ifo8y_D?abI%v(+kDK*k3K90e~S>fj0T$qeLW^vz+GCv#AF%)1Qq>< z-Wo;kFvKMnOV5$Sm;Klp1Tmi5^dy442x~m(B-@>Ghb{YQ<}C$pg>E!-r?Euy@ELUL zC0gkwjfulr<^_V0+2c1J2!2${4}gnhQ?|dI7~^_uz5SM<ADmg1`FL1hU6v8R|pA7EqFKy)4cFZgY|F80rZ<0^f9buxMa|yg*BMjcD4}w4Az^ znz7pICUeAJGnEr&K0D~9nWi)VucE*mNw`gPq>yTyee2OLA2K*H-l8wazQ%vVpA84E&p0W z;_;n(+mTzq(NMEJX=_)!$4aJNZOxsE=J-2QKF=eS$8S&HbG72Ep=Pv)n49PczKN;e z9niRcw&{~cYvJv!eS6bo3Oj!#b%P_*@EnvG(@Qt}Ote1dY&Lp6QNTMy)piU-B{NJU zC6;|lPsvLkidv}^dVukwQa6VaAD<%jF~D|Oo8%m$9MGmCxvPk~;+u_KZwkD0bey}0 z+PSYSuctxWJIYFXMOxMZ+H$S*@V&z*k55Qt!Lj>WT9&}F1D8yJSUq`He~uPp1v{W0 zl4`v# z^Aek@I-T$)DIot*$ZL%ez+zU$$8CER`tzASyv1RBfsgLw#X(&rR%zo0%lZWtiXC6D z>^4?UV_%CY(LI--u#uGLA`F>72sJf=Nip@YhZG?mO1T+HVqH=JO$58Ih)}GFS1}}t z3iCfw+(W=|#Yx$c41q5xeJ_eo|@Z9LCV z1SlQBy=qPZ;`dUJ-=#FTLo7=!<@|JS{`bzW3|%HWegie1R|0p2vM+AOiB z3NMsJ8~1UyWz9|~flkxI_kTJq&scuHwZi^*E!?Si?o*vd7}>wFVMDJ|9=B|xU78|( zL?3$6e7`t+U7t&LY4m`Ld?9zarkMDn@lB-v>En~DrBes%aypZCgEt9$AT`Sq}_aWm{hND_9}eLg4CJ2U=j&pPSl3{MomG)kxf~RV%PR zsC)Q^Np-#jQb6azn?zMGnM(G^cHKn!@*Ui$fjtyOub{MNQgFwmeGFs_eKB5F_1V;n 
z_dHt%3*w7?;de1jUl(OTRHbj=FLXXU;CQ*Kj<~)|Kc@fs-^p{NR4-xi@g} zd-7VNhU4+6M~NZz!}Qi2monJ)@B5PzyW->4YlRvW-6Lcn?) zv6Inyf;$o|8Cf@#zw|za5>E(*-3CTetxgLRgUs8P`~)978VAD~fLCe!ajzj})m$+=$7)^+}HK$#;Ctcz%D)I=*B z?R@?4qmRY7e{X(q@3LQ8Rn=|@k%y*X_w6-jcF4M5lmG19S6%ebB<#~VI&~Ws=C{wa zjcW#GR9$0o-9+pn^72qLGU$AGH5=sMnait%J+gq577=Xsn+25D#>OxEQLE@4dB?7A z3=VydA`Fci?Tt@V+v2px&DuGBe5-wIE=7E8_7FGcVl+I^(YoYf^(oZ+#?4bLdHa3! zoi0^Wb@R%kp7_o=Wf&y0B;BpMp;i)0lrn@gAER7%+YuRmz%tfDEtxgQ)q2q~(6FCf0!16$S*zo=mgZrQILVP>Db8h>BHoa%v>YNv-=C9?kuMXpb)ZEkr^%2Tmy%F2R%aNc3;W zJC0>KD%ri!at}xqi4)>TnG_Vavvh)q>EboX6^E9+cZfTV|1C!1ypXakdi-axo*3{) z`N}d6-tD0p&&0=q(7WUQUIve3$hs*d$;TL*%lR}CDZ*6dna^TJzlteZm)cgoVhwC0 zM@BJ=ZgGGcJ4A7g_@$3oVn==8s!;o^v2w{HS@PJZP(k?;QYY=pw+=fyo>W z_L)x50<^X8G1zE7;f5T8jrKL+;{G&!1!eSzD)9Y=%TP%5=i++f+sJ?wQ>@kvP;dkr zPRrM_KQEi3$5aqwDQYl~nh6z486_FBZA9cNkqDy>ZX%|R7oX3_mC%n0L)K+_L8tGN zT?k32tHC21hdbe5D8`DQaVeX;C`%8y*-h)U*GUZq6$vV)ybUv_>F20$DL=OzI(eXd z+`T^Tufqe;qu<5QBiBBT8Q0UJ`Z?)V4T`M3${6& z*x;TJu;AcD3ZUwnlNlDq6N?YCWKp(wAB1+?3KHcVg?xxomY2;Yt^K|il&@d1!BF?+ z?<7_RK#&Hsjc^&5o`JX$Wwtxg)a7sU2yK`f2pVYW*!x`|opPCPxvD;+r&j9Ax7;;> z$5u2|xTxOWHGT`@LZLq+AlFzh7Wxsfs}8O&gAYl1V7WmvUZ5}yNU0aH$UXw1tOE#+ z?H>zfRGQ9||Fj^A2i#a-5s7NQD6?yYU#mZyGUJN3vp3%krqxYP?I%^1PHSemd>DL> zY0;d^!xBLGAvwqIwiQYPAdF)S%}F`VC(>6}Nt`1&m#z2T74`TO5KV7@mqS~hIUqB-0?nMPX0NO*`^O3*paYn8c9boS-%B7t$rtbm=ZnMdjM;PHe8=SRyZ^^Lmwih!hW%^ zG=LuIt40qoRhOEuUiL52ei)A(ifc1?9MIrMP~&J#h)L(R&_Y^@QFF{`WYU6e=89on-jIU(#S362!_ z!)2fpPN@oTAsaDHZlyb-Yw-t*sLAs1e*`kXkvs3{^8NF09k@It2ar(aIrc&*htOpz zxr3xOg)mi9As?q$7LF5cceQnZW#Evg1IaH5<+N&nJSPO@d96BVa!EnyIDa?=VlCB! 
zq^5ca0`NTEt5-ltY*_ZloKL;fPy(MTkWk59d^XD|B1yqOoyI` z9_2G@3q>l=4}$6y&d$3}qmL4&!)-UR=z0NNaz}1>C!f_aE}YNez61NRaW_mI-#+^* zY5tSox*wJ8lN8u33y)%fWft+60_%;`{`kYyd;0 zhyHp_jOC5tmnfz)C3Xo^nC@s(k6rf_w4L(cFrM=(MSe&0M5O;muJ61#2xrJz?>*0M zwh!+RJiO(Ar8nEuuA04?`@%xz4qtcT;;d~*CBc)dtU7S}6GdvnOB6dbLK%*JMGnQsPm^xCXs~$}Yz(W?jLAWi=`q!gZSP z-e^M!Jj|%rk|xu9TtarnyM2WaFRxw0$oYH)npJfw`NFV2jzk)0yY}G}Ms%9=8H1M4 zb(2ZESR{HTNEM2MWO&nIRGJ-s?oO7nYXpa+x_+e@u2#N5N<+?j%;6!Cip9U@o1+u6tF$Aaj_6{*6j2va&BYvD6X>6B^$U#7uNIGQ9Rp$jd z3B`-nmaYiMW|!z!0raf$(|=UmfSG7*mH$REhq#*Qr%qqlZayL#GMS zhJEBnj>`?GKg_2=k2E+=Y_uL`XeVyPn7h)Z6-n%PdmckDWp7-zy^#_fX||Q=F2@;d z{wq@@3`Zz>b7cBz2_1+OJEYfF^1DYdqtiaIcKacuR|eRD*2udz(aFfhS}#)FSlrz# ztSTbc)TJWLyT)AYB?deu*di|Uj4wegJ2kxmr5Sj9j|-^(PD_vyeHjFv+v5aGxfwQo zc<5_dE3e%thSEPQqyS3sI(QYbOD3eO6s5b>cR1M1`0)R-jy}2>dTVur^(*K?7MO=-}RX8yin%R^ky&W`p_mQjdsT8 z7wn2dURs6^=R*@nZFYB*a^~%O--6*?#D|lECq1#n=#kW!Q%dP=TlxTe*5rY|-l&)! zG1wc8)DKRjl!#@y63X(F8)pNuU^M;MB@P`9W+KjuF^Qta&?A2FM!)883Cmt#B69-3 z^rPd8AK0KS)b0+~wmSZ8EM_d}!7k>YMuZ8ICI*g=J=oYLO|AdN$1?s+Nut$B!5hX< z2@>`yp_DFlA)!3T5}9IDn?^Xq9oEDnqyIVBGwce>8^)XM!6_Su8-aO0%z|b)0q<8> zJXZ#dOpXuas2to1hbBJhWTD%C<3^35(hQ2#J|Lg;ja(@s2xoNr z=l}ZQUywhA4d9j&%=yXnS~bGtTfm&<;ej-lJ!=Ao2{n0Y`2q^yNP@Ugl|{-+l)X7X zM&U#lf*r%osVPGbYE)aA|9DE&1GwvrWY_0v%ZDT5_WknUs z;9uu{2|^#rZxJk5Rm7u`f@&JTd+^oPWIF|pGm=x#gjQ_dB-smjlp$Y>aY^KO9z>-G zM!BS%6oFn3?o<^*&^mqS+wrbAEx{jgzFIm-&;(g{ZO9h`A$gx_`I~djY9G0%EXd!} zGfA)>%~0+|4WF8nn9O6nN?L+TZziJ@Q!0=qqZz&$`b9utaxh~hgTx?_(GJ2!;Ii?k-Ty`AgvK~@7xYw}|e z3%qJ)l>5G?+VEq7d-Sj03mz@x4H1?yw-sk2An>ap}#m9jIY)8ao^XQw41-2 z>@s)dt=&uTEqXJlV@l4uCXHy2NQ*splkToQ#t{Jb2-q_mhsf_=Q1TK|*8143hIlKZWwF>cNRTLJMy69>P)*ToDAyOw zd+wPo6<n?6I#o*=AjRtPkaOac&~!_VcIt=d$FeHlE{Nyq-48+4>{X@f{oGUuTs{ z#a=}ovr}l+OU_ZKYHvNnDk9UXAMqKFvHLt5#kyoF*ms`^XdxbcXNYwC&CReV8<~UBB4(sgu2mQP)3DNQ5KFkf9xWL@*|BG zKr*o=(Px5sArP{dp}aE*Q*c;!e3zRffi(%!>(v{|qi!=Vz`-|j=c*Pr@{nHc1tpi2 z)lL=!7n^rsCaVkx()qQq6?P2aKs_u91Km_%5s`$R*Jz=8)IWE$W(@qLK+`_O+|V?c@O9&2fwe*fqY|!A4o20W~bs>#x!@@vR;)s$JUc 
z^U1<^!a4C2Ur;opFoblI`E&cPk|K=!Suu?v#DFXz4GX0pT}*^#`ZKA76q0~;FrdB; zYF9l)SdX{`jaFA5B4p?5}E<76v3Qg)Y!dy0ACK5n~D)1Fqur? zWt`ZX$!tYP`9>{&oDtY<l-iPTVn4F|$?R($jFeOXi``uC;Gj*NGO{#o;T;b- z?rH6lcuvxQvB&D2jZwF;{xV+jkzXp2h?)l#%#f2H!UOWE7|5E4E>CY6ggmZrUU4xp zU#HS@WAaN5AI@+GPQuh${tWvi8#ulzC!2aP5T;S_;H1oQi4*6pZ6p1Da%USS-ZO0Y z86Z&fGESUmV!nYWcU@D2z1+7{Gqy^Fit%_l^`~;PrL#CF$KDCwcA*xgV>pQl)D0?z|X=Fp(3fhWdvGt zWdqYZaYd!L(4PtI;cEYJ_zcQ)(B@sOtz9|y&n6aF%=MN0MW0oCkGB~J-4ZGM?N3>^ zQ$dJ7zI(NBdCuVLTsAo@hI>Z^onrsKUc=yTKJj-$qoZ0TcE6-#NSTuS?%l;B8R-_6 zx}mUH9xtHjLTs+dn=cJgd!Vuq)_!M|sw>Ph0?{+3#~SdEnViMtMpH{% zXrLj-w+4p+(5Rt=k?NgNX6*_5PrFz-`;;XF#Zv$@#Pt39j0X*4hI&Q2UUJQ^nDJP08y!a1`nA|*g$H?iRoQH0P zTZhc*A~D=+JDrO*jT4iH6OAGWswBu5M`Obc_Z*}~*!1g7(;Qz`6Dw428np;*C!qDak~|$lZ%@f$j>QqC6CV2KPILaM+ic?+gSQt5<850W9u!iIq`3ol-lw` ze`{XmteCYg5k$8zCU$#?%;y`lP5#wd9|M+tNje{9Q`wljfKVezv8m}M4u$fEJ`vI> zmQiIS)=SPqTmzPWVBaogD(g+c5)|gJvNpbB-}tJXz$xW6Xr=b&XD4$ZkBq>!@%+{l zD?-it1HFMcynLb{ds}6i(^_1@f@#bfc@KkD$VbWOl-Z5WR+P{Ag$80qF^DZHHB2oT z57VCtwej#hW^Ekq_0f%QzLqb;;c^>3gqQ|84;T*2r++bGw`d%V>?AsU=#pt-XM6Xo z{7&KU>Vrm35V%8|T=F8R@~oG>rRgCWMvAp&zDtz*Q{ z{RvVO*vpi4H9{U_E7RK4$r5G2zACrD=c0~M#m-7err}s}6-gwetP@&IqDu~ph|t5z zNP9u*W#_(9lsF8v;>ub_NmTAAwY*KyQWVU+=Cll0YP;8~brgPhIB_-|PG&=m`DMe8 zI5GGL^U4s%aO3UAu=)JQ^&U0TvF=swP|M}x4k}(QZjVj;9EJ_7X__l43l#{2*Z2rQ zRyFQD6eDC&-J32cq9%r8i!G{%GyFg9flKrb*_fmCS*pS%kasTk2uI@`tBG-&-*YTh z3~fHc>?)<_(bL|qRb6eV+czb=&Z0dg4K6^kBfTDAH;;Qwot$qCU0~aS=_mi<-7Ry! 
z$qL2&Di26KI`yK1>V5xHp=iaDnV^U^B*+j&}TOEH7KM}YH|F*gJD_K%8LD=G{ zV9U_dX-HuV>GiUh*8tdHz=8=%mXN_{s-inltoy0t6Im4;ELG@d5n{TlPl=xpkaw+= zge78gHAaaJZu*G)99e$ZAB-1bQ!+l%5%^CC4@R>U0@!6j}PI!nXqZn^-GAyXDRPoVITzsc%(mql& z7n?t9+PHKC(U_{xxza`e+j0^@MSCjM(WYwy18e+;n4FCID!M(zx=1wGd3G@_MWz;u z<_^1(18gC}(}oc+AZf`1x&&3-9+;O{hf^$A#g3#W6l@?;$3;pPUge|ty(c=c92d}3 z)HI+>e1m7P9%kI4r1K&29sARcuFnWTseRH`URmN*Raxr>#UH(1yVHW>S0CKrf$$EE zr42S%(J8xh%T6m;5?$O0Fik0q%+?5CdNs_7<^2x^TakZ(VbFVX6X3Gyut7oBk#dr+ zxuSqnQz+Q~$r7~U%o^uF@U=hRzNRR^PIk#!53#lg1}%~_?2%D`)|OXL41Lyj9&hEL-7 zlNmM}jBI19QM^>p3H=MNe%zn1)pT-~$jBIeEz4T|z0)}VD9kI4D{A+MRNj7h+q`%m zF{V-g>+SX6u(q2NyZ`uYdadX%9gspS>e79KYoKQ$#4h1tDR?6h4Lus5P2RH@XL2z7 zMDop>M@omwl9=;8N`@{alhVJ~ES@PE1h8Vnj8N8_-gZMW8dJx_UD#lt{V$n-04s{n z0)N!q*K}HGGR158MJ(FH)XNkm@QH3*3ROtTNfe^5Y;o%w?gi?JY7R*EhUeyE*;gbO zSFTl?TVsVSJ3kp6*1X@B))jmT2#$i-quG3x{7JdXbpDP=548&c-yM<0@_D4_Fa@vn zXqx~7nfzu6te5%UvXw%t_cmGPavIq%B=SQUV4*N(^{*afEe~1-G%cOf zA!^kG{vdB?t_^XC_~1}fpzy)PfUKQwi?ecAD!L^}96_-ytebo|e&8aIfeTx)ZQ&Ez zC9${)^(C8&HC)}-G;QBy`2Qsgq$UTX8aAvKIOa8LP3+k%zr4<2c8ISiskYHQo;aTP z(N)gRy+mUM;jomJeXqxB$V>|@4=Wli!)%TbBr1c@)4Y;@F|he)Sf5wlosYh`r9DQO zwE>Mt8})U`f3|M8tgsLW@Bn4eJ5ljAbmA(AR^wg4ZbL~X8VFo zXy;ugkEJ0HM&s9fn@W5rSCmjzY-LytLuQ>%LjzH~-%EyL>3m?RAL7Rq z97Jm~eTQim%7Pomq)9ye4_p!s8NhJ|1mP9UOAJ^46H7=9c97ROWP=@1NH^bOo$+Eq zZ|B_~!%x@aG!{GD3|DRtgC}tG%lGqr0IddDcD89VTZviHnw3`Yk?wzxS!K;seQIS3 zo(<}B#D_Ys_tukh0`KJK@k2wxgQ(M1)6=gYE}!MG%fyqElra3vdkRGR$6jZ7eJ!K5 z&o$RKr{(RVr7TyR88q)IqBF( zn$l}8u@JotaJ1#yQMZRzCdzgA2B0(kfDgL~<@@I96RU)X!nkIPSXKCDD>-?`i9Xc9 z%U12|xa`lZKK$7#CO_(w-rLqi>tGG9t1pXIoYI?=R>gWKv(=SbAD8-OtfUMy4A%Rh z3y9`yB)xNa4IV{L1>Z z%RlB47(LD@MJLDP8EIr&cvxqx9@dH~qA4{g+C+@;MgCO-1yRO7-T@Z}fDIcC3mo8E z8!jcNn(*&cUSC~$R+dCz=74fqTX2V>XG0P2aY89J7C#S+R2F?9PTu8`YyV`}C;2^1 zMSM1uEFll8xG$F37vs)}8S`k&JZ)SArOs_~=Y83E%g6UcI4{coZAk1}GrUT7pIc~N z`rv}6(HAkP$x2&~Y-@vdhtT8_Zr;^j-Q=w?h%-OIH(nQfKYq1OBxoHd1FbQPnbJA< zM?5fkjKSie0mlY3x};PIK{3OhC;n_jdT2-xLOPcGA+)C6ZXT}sYucRe0^I-9Nuzf_ 
zqoLDyfkUopj+qFDtz#*^b;%O3wp#*mN}9q(dDzReV+@s=giSdqChhVka8QQcYiDpM z5tcXNy*f6{9S&?YlgXeFZD4#-P}7KSIVyFgSE#^LDA(a`wv6((04uygC@kQ`SPz4p4Pe#I?tR+>YABzSMnLfCU2ZXw*wJ8s!Y3ROju(E zF5}yytt;ApjAxOFovn(tlhInxr90%H7LFZm zh3;-GB$;=3GJM;j4f)~%YD1D#QZynjfFsE#E?2sR?$tD;vn-BpMUfU5_*Oe#vasZQ zFx@4738l~VtJchC)YE|08f`>stb#NWO}ss8OS*+|yGwM&hWB5YQx=#UY9YRd9HUC~ zA_l?*wi0|-<8oT$=s{f?_35k)~p`l>3XT~l+1HaZUaN1^ctsy7wK}0wi6-0RaGe!2n z5f}cF7ZAH(y6TDe9PLjstfA_Dr_lXLu;@%ZVos*4W=Nb4=@@5%5}HhIP?Md$$GKmt z|NUQ-JSplaXG`)O93{7zdC;wOzyJBYLYOtq58pjAsz5S|0UxKznq7w$MFV6~cjuxx ze&-rDD#pvi8dL+d;-yj}RHJh;a=#t+`+TFDo!%rzq1^fd;%H@^)MnGtD+8WoA$=cr zA)e<<&QlMP+!vzsFJE0ZE7J?$(H93p1$*Add&{+`$(uSnB|Nxps@oThpb|P1@jcQtx$(;%QXkc z?OWi4*j_{zz~*b|iz~neNTr~S;UOby*lT>X$90G)SCCS=Dgn|11)KlYEnZ1QINUM7 zc4n4x*Qm<}$@rA|TI)PmsRf$6t?y2ROZZry#!mXTB)~l~`7SXB8Y?pJK2<;-Qt+0; z%t(ZbcRA?!6mQSam?gq3fuK%Hh&f3XR0g z?p*3b^UWqhWOl@bp>*NuICjm}x6a8xAQ3FqGYSl_F41cZl)8k8!Ei-oW5@uf(TuzO zWxhbCd?B&~6`FNtp1wPOMJ%gAd{`SPQU)rN*+t%XWnH7!1@Yn>FN*rh*phSwhF!)R zd(Z*Ea#3bI-* zOB6}+!zS&1Exw;<;Rmy&!W2}A^&9Z_FA=<}z5nhzc0q?m4xNL+Jw;By7sSUHK()`CFN40J<-kfF|$HWYcAAuS0^DMVZ>2j>^U)?JS z+j55_5uBQp*8x|R5uY>K6pXXriULKGLj#1p*o6D{U|=amK)3~RPiJdHj_j%4U4%)b>mKV(e=J?&YszLaYP$#E6XQQKOe$v z(sxNPQGMgoV^nZ;2IiRq0St90e_JUjrKh>zP-CW1v}pa5(ezeA>s6Q%?9y3f{WmCZ z7tDyH%Rc=DQCgPl&t13*G=S6swf&}j7~Bpt81LUt1-+-XO}TV({U75;*~;eKXNz_n zYCh+9eVwUc3ExB9g~e7#KdsUTUPPxGwg|k;SJmYMLj`=$K|Inl4UtgAj9of}6KY5^ z^nh(~zEg{GVe3ajQWaE)KYw$8{u1y8;!e_RMC_x}jj2Y?riWG8zFs}Bn-0O7l?$5) z?KHPylZG39tN*#}se#Zq1EJzX8R=oRcN_G`ZT$728g@ZxEG<^d0Vb?ShKuj#LmqEqVx%lk#$ifJ)&XY8 zt3Cb6ey&XJ9`WAf_w{dCAZh4R%2HyY$VU2ZGGm(=+H;l0Kp%&!hedK=f>Hr*+bRu$ zc*Iw}$BYS6M5~_|sDM1^#up`cs}Be^LwjLGAKoP8MuaIE-I!AN9e^|d*47#(0$S`n z)d*=Y+q#(-9{&1;D;kJlRvZ$auQ12@^$K}68cf0>E6`1e@=v~l^N?8Jpuc9@9?37! 
zUnCXX4L_K4*l8LAA|Toh1f@b@hesw5hn8v99sG|JkP%2=QUw1Y1%f-BN!NSV_7(5c z!L6iOoQS^MQx3`L8i3Wl?Zk%s!}r0%hSHSCox4T_(3rV^@d;-!YU8w*qC<3{V1d(x3G{HX>PxSyhX8Wpk0&0{^iXjxF)l-tM{r`lCGcWm1JVC zotki6;WR_RV`);f1WNE1=cmF}sf(Vr8rGgyF#p&U`6}*A^cBn>c6reSbiK!#?IL{G zFHC+I4Yg%d(mMP4ZSkIHGslR#=0``lrXL$3DjC3dUV2w1?oWmBE*TD$?6ZARIJXkj zI4D~oA`{&bxxxK7VYnR02??^+R|a;$8mO23?mz1x1r#C41`oYe=<0214%(xV;IIPc z|B{MZDeum5sUC+jF^xA)U3zI_*mqw4c_lLp+yy-h8qN`WD$aZ{h*+Ts_uAl^&oGOQ zifCq(e!0PBoFKDrP)YhU)%+{MPTC7OJzb zA{ChvZvK?ujGLx>Rm(Sd>iFGL^h)ppF9MLt>?=SVDSqaNfcnh|!QoM5&vqW=wY1fg zW)ZlL#IaqjLEplvfHm!1#Kanu68ZnRM5x2R|8=Mk$g=FecO z5h8IaU?%XoapbTjH0~ego-Ho_A%?&Y4D#b5Fdp0rx;0;sQ(UcZ4pP6TTrP7mQ9k8I z43Mt|$4Eilht|v%b6lbIxnw=TE~nkQQ5lQYk@r$KA(0ik9#08-k_JZ+DZ*InA?X3n z9}LzgjExdB(;o(Qv&3ORv=a&&rr34Fidu6b0^iuG9(sUKTjVcfUBxC@Cf$4mHSPj| z`pwG({H|Umw)4p+Z0gRK1rk0lLZ^oS0}{ z2@FA|lX8rc-;N0DF#H2m@LR-SsEX(mnPN+wmjDHm=J94r5Cpdta>q0@NhXuZ9l=T4 z>jPe}Dr8Z#QM~6hT)MGASGBQ0dAm8=E-1^f)GPfGS<9cld|zJOk18cu+q_}bn@tL` zj;rzr5(`zYeTN2L&_?>*b4v&S3l-cF0)QirWw$~ltwtW@kt)Q|CNe}C4H&s>6|WXF zqS{B&mws7O%AuD;nsoOIB)@~59;budybd#_%ZY9|`@N5l`p&%0!XZtoqgx6reU%RN zjpDIP%yXZI`yhm~>!2h8y%zWfy=cg{2~C}b8F_v?kJL&8sX+l1(@Nosz6)c%_zQ7e z&4gom@LJXn$m#)*TV!DBYU`Kdw_YWWaq>mpX!=C>Fud#Xj#2%!1^@LK>F*(hJ}?G; z(ua6cl*1O>C9Ei5xPrlIMghYrCz4+1Txh&*9i|WW^~J$FABTDq()0!+{Yft>Q}0*z z>}BIF;V!6?UugD?dD!HU z<GK~oNmbm=Xi3j;&cYlX-ME)G#;ApHY^-1rvW0-G7 zzGud`9zS_9Fd2L8%nh}L2N*N`#(k5|smla*K2QA2BC)3N7=;`bW>p0&q=;n?0f>Gh z+Q#Z7T!W@&gI0vn4lksy8V}wL{*9OH2RjVf!)AeWImx}N;vW27eAgMkvOs?!dATLS z_P;#?;Tg$s^#d&{hs%Axg$V;FsARrND3H1#p*e|_h*Jb5D4be|YBhfV2VG-^gl0_P*eh(aRb*pS4h3v?@X z>6oxvnL-?)|Fh7{Oi7;{LbfM*uv=;}3tNt=wIVyzPsVsfNoRL!_^RGc!5wsv>|S%a zYuuO8;revvY>!(OkMQd*M%?SwW?|SHy?W9fGYVWaeG2Ly7Z2Wl{PCl&tSlFrO3)&b zKp9Gxax|22DYkIB*RmK26Y+(O#~c(m2|{6-U^cpX!qj%_dSz!HaZ~v1PiRke$r?2$ zxAErlnbm_47FW!2XHhJjP|dA?@$Mq1q6-ZBg(kwFF_7e*TC86`Bgz4 zbip1nNH6wneEZ11KhK_OBn9{y2fzx_HN|fDT)^+9OlHDxAlGg~G96l2<+=bZ2lxu{ zVqn=RBgua|(ZVn@9;KNpA+0nvl=m*~ybGbfW;%i90Q3>w_g!7vQ7?DyCM*l#8U3(B 
zy5EuqJS+TLSWF~%YCMckgPQV+!1)BROs?8EadpIcwFp=GuhU}_Z&D5Z%_IlC2Rsuf z@Jy~I*x_J6+UJU`c}!B^n55YLY+2%DSi)}5z$O5Q?fi+m9wPAx0);oqNR_H3g=f~o zT!El1h~b!OCQ@{(Xx4>p%Pn)>eFFab%bs)`4cC%-ATkR;9O2u=AARk1(wbuCWoA~l zoG-*eqv95pqCd{>-$^upzxX+>zTFWfRSt{|FgMI3@8J>c{ek29{LH|y~w zOtj&9_%#6?v>6Uy{2#BhC^Nyla(LoZh4~LKuY^jX*{%pnj(ax@uD7pD0jr@saFBO9 zx@plD5_o@iX%KoS6eSXT5Mc3*x-g<7g}RoEIdXBY4Sl|#IOjQ%1l~W3VHOOa@k zHS{O%fe`J5Kyp=6o8*fRj|#K^m0+8FKtG|kde7aLW#Io$(F93Ah@S63Ab}N)@B{>2 zi**?G0!z-Q97F09+6n0b^0ZB}Zgo1gRSclByAa~ee(m_R+!O3G5dbuJlah$%+QVFw zZVZmoMl^@yZq`S+zT}zYEK8^A{u6frIuI=GW3U=2m5S8xX!Ss%}C2T>QwQk;Y}tsSKQ z{OYkq+-&#IU=kc>!rykSr?}0Ct^?6 zI zqw^``}X`Z&(#Ea z>=X-el4kup03Bn795e4D&Q3tDB z1sf#HiBN~|7T2@yIdesL@he4oynf-m1pXNmT|LEvi-ZTYU^jI@<~jB@MEnftS{IJ$ zt;WsNzI2oGJQ%OE^3Z(=;l{5C!*ewN`|S532c89dHiYs8YVfhm2|a>^{opz=Xq z+ehl#CZV%3+j*KLEtg*-$9`k8r;>awRo~wpU)uNY^4!^7Z~i>H1mj4(h$|AxuUXdj zCmKD2+m|>7znA%VJk)IQuGJ5l3Co&K6i}pc2bm&n0)u!`n;liDJYF$I1;D(FKAHFx zGF|=bgG;gxbticAj3YYc1kH1XeoI%tNQD#PxlVoC+ZiFZWmj#CMzvL|`d*rVB0TLM z2?5C2+zo%VojDRy0iL!LzC|8Ag2wy+2yHkP{1#-;6%0iE2J}G3DmJ3hSA0^_-o}c_+;OA>y_+Os8aHk^R2wg1oJ$ z>SpRssNjA|6YI(owESfL@Q}`uj+&^&#L?+sjJx}(ma~L-flRkc_&(G=Je@H*k^>`6 z4g)>Rmck@%pL|h(Hi7CJds2(}fXXQNder~Hi)$Cc?WNMhe^=MzVg@Vxa=wcM@>?aP z9+jvi5YG5~pZOjBWvkdcOvMQtYJDG6sU+a@{7nC&dSSUpNOO0RbY{A$WJVf{LjJgL z@@ACJ0lqi+8=5l9gs^Og zFzkyg)CmGm=<2B+UDS;N4Hz8VB-M?o?&gSym|W_o?fhnsnwE#tP+>Mc*)zRA?yr3kVw;O;^E-Rq+p|TSC0L8eata5sDzBSMzBSbedG~Uu2F0OQsw{_?l1IgNm7y(IL0LJS!3OcKn~$@g`UTh;*}YgtKYWG zyu@hIJ?OXihIh+gKs~fCA$rcoVIzCHZ5Nr_bC$|ETaxqdT~$fWHA%+vmb$r^bvL=?g>aM zF0-sh_0@2o160*VWmKzc!c}(mAiPH2I6GStbF(alucy@9?ance8>ngA-G7}w5+r~L zQlZ0ED;T*^FKDN5bQQJg3smvqi$6)SSw1NW`*~o0sc7@Fa$-HTbhi5UHbZ0lm3HI0 zkK0Pl?2OrdYjv)LNhZT;=59njQmcO4gIfQKz~&V2w;l<{|ac z=Ft|%d&@Trur9L%EnP+N#zc&UB2=E%Dv1sq#&TM$ErXfgE$4k26KsnpiSUl3^OLA*uWiK>Sv%mDrU5CB>4N1HV%%AH>)?pJiP{U0#%BCx|n#-{x)xT`|vr#y+ zVY^rL4#HJl1BoUZRqTjp`V|Lh%x#WJT~;^e?RXn{@4UHNCkhS!#9j`y|HgTCRVEBN z-$d1#ypQ9Z{3h9R&63dW^<;W|F&Fy7qPa)K-7=Kb!F3ZnxPO@aFX(6qtFPfU 
z0(EZUX|Q^A-F9(=kbs(H_f|6%t{+!#mPS{M*0JapI>uMvVV&GkC?M%hIer6c5}C63z>#(pBaQrpDuTkeElksdL_AJNs^~1 z)&1o4ewVXQQgJrJA;R+!|z>|IAh(~Dg9nYf-6k)-VTH}?@0Nt|Lg@=CHP1?;9kk~dod z*m`y#Bw1Uz0k7(x;&6NyY-O}w=^9=Va+D*<~eTNZuX|3Q> zsnE;@HuCJ?wi-|x$7V#Z?*ABwT?E->7*GETGsYwfM12vb0}wy1?q(N2y6Lv^mH|mp z_=r!3cl)wg*(rbBUM+u*>dY$m9er_U&?4nGF6b0*ydNODuPu5oCiuLM+en;Hc_F!1 z=CAB3-Zuqpw;a?r%;6bSW6OiUIG8Os}~BQKU|^Cx;r{CeOB zSkb$+(4_R}-uPbC@GT+aH=Nb`XxfHW<~A&QUT-Q8e|0Z<4|joYVEf73Ax)>gi97o_ zmt_rp-^QC5!WR$?%|c*br78nVSl~8dd3;7gELmb^IOLgF4a?ibn|PsUl!cxhzy5jx zOtCq}ybu-CHZtG{)W2u7B=mbYI^woVF?bsUJm5@mzrcT9ugpE(5;4C&Wp1#4w%VjX zCY%y;DZh&sW;$d%5=$);D|9JX*9EDxIE|YBw_-UQhr=g^?0d|?+XL92IPs(EOZ;Y9 z*FJ9F^`XN`b@~_HW<9TdgMcXaigAJ||SfnChqma5bj@a{kekrF;vfoAX5XjUt$Bpu4=f zD>EQEhfr-w+wb26W=AKhR!)Go`K+Z7?m{>qL}P7j<-A`ETccP^hP z{Hg=x!m%KlS%IDK&7(k<*)(}#St@XxkecNs{9ZH@)7x$)V`(8{l6o>g98bdW|jTve5fQNsKWv2Y|r3Lx{%vd{I#Xmv7 zaa-K<(HWNgdDZemLSce%UC1H?q#y_0cZ2SUWX~>fOb?Y*fOK3SrSK-#441UH`fOHs zqAPPjCQZJw$AXD)QDDDd9X$a4^-Efbl@g<%1sWdgjDYYIF@js|uJ8J8A32@8*6(oz zZSvQmZdvq+=uJ?u@?pINRQGGMPgfO5^(I!{_IktJh)qhaxx+nY9AW_^?}Ha5iLB6} z45{iRhG-+jDh@S=$Yz6>3-g&7^NaRZL@Qr^!FjQy-W(!Kksoq#z?SswxfoN+kws{r zD;sEn(}H@mN&pgvL$p(U@IoMGnFp`#$NN?`9ENss#AmnU)L*uuiA;ck8FIIBfB~6ZX5Jk6zPRnJ9{8r5${Zm(=KPorNmlk&humT1pLGUolVb+~z)PIviK0)xIuQ8FJ zMFAWx86(u6MatUHYiIrFH`OC^D}g1pB^K2{BclNLfAMA~K04A@CO8;oxFbTv@Bkpl z)*h=qt{~@!eb=A&W4>$Iqf5s}P1sRmvXt6&Zb-NH_hIL!kD?52UIfTl-0-p1Bd1|X z@57et^je9-Ea8~FTJk@**Q5RI`|D#A>w!RRW~p;;?A^RSYw^1O70dI7&zpTl@H36x zg{Et5;!z*w9(k*Mh|HqYQ}ef@{8bJH`3yC#YTrQePlqlm0L;r$*j8ijeHZz`fJ_Gs zhVaSH;ihX|zzdS>Sv^)GBKc$C zLD1nrP?ej`n7NRrd!+8~wpxV9Ehz;{XUxlENQxu2HR3`1^Jdb}A>OaNhS&(K8LOv( z?A0|#g(yh)UAfX+zi|4<=S7ZMe`41xXaOW@mZ;t_oEvQ-+|jFN1|0U7`e$g`PePhK zrD)mlE@|=7w+7^o9f4~PMb}$gt}|VW$JB(LclT;l2Tbjc;Iu(>XXU-5?`8}kXv!+B zk*z!lyf#ryqsVaBz8S|ih{tofs6r|4Ukkvfz33QsU#K#yW(YN~jwuch5XJ_z4LVkM z1ateb=qu0!k|-M8I+Ss%Murt>o;X4ns7B>sGk>ujE8=c=h9BG^bWcVm>5NfBRt6ht zlxLPbE}ZG~ryYv1qP||WnRg*eq>8sZX+jHCe<7%80ac0B?5_?c$g~Y#=>R@1UJE%y 
zV%-+p>tGt$eR3_cY*ww!9`}3D%1>ap@x(5>x%{o(y9~oymrj{)sP%cT@D>nGmm!+h z0q}i=eq;7ey^T)|$l!M{Tx%V#zaS#L#3E9sz{M8f7JPC)0$m_km8~u#_#cd3mO#k* z^lwTd5kKFi^+hr{?j*%tTi)w7?wjS4NtMcjOoCOLvCxNco94IZsvcFBURvpAE29TF zM|R_oY9B1JvKFN=j1_Bt=P6XQPL3$^fO}JYWB6bnrj^YPgtD13ob^uh$Al_7Q+O@6 zELYX94Y%86gMtqW8e~w_65D51)wQGO(ghF#$!x6mE@P07-C+&>%UXEALVa=TMsC69 zf@AOKqX}4hHR@88ePnnQR>^GHRt7`5+I*{WG_hxQvh{Gbu7O${_I>wK>1Z6(^rf#( z-c&$EbNybyKNUHH#h2#SN3N%#b)G^Eea|dp`S3krI~D2B1UHx-^MWEqY^5-M$oQnD zCdqIr*k!Wih-kT6AxwB2=6~G{H4fV~gbrLbX!C}?CCFY`PB!k~;y&&*`AjO`U_EZ- zq1^qv1&X#R+(J#O!OgE}&SzSn0Ov7qS6En{^<^p`;;06#(IzRJl1`ksM2ADUDxE@R zhQn!^6P!yFjH~MTn@en=A!yx$aYiQGUP_IdfY1tKFfpoR&wNMz&Fb2h1JaFT?W#QM z{A>|t`C~_}>HBkhLElGqgR*J}pHZBG4I)qwNzB^tSdEv?W95usZ5qhKcJ#y-xL!5L zUC2~-yT_0pa(&3%sz<6f=G&@IJo+Zgsrjz908*UQ9Q~-vM*mu}$Trr87j_j1H3wi@ zDKP4*a&&e4^)O0fjJw+GR<`}u_%|7S!%vd>iyrD_6Bj!+z`T9x`snd@rSkZowrhQPFgqu85ssdvmis*iocO@-LzD)v_Aibm)0 z&TlU|^Nb~KXR>bT8fG8`CuL&!n2jd8w*^`rZ3}aJtCv*1Fzb~$|F{6uLP-wLk-_DL&?%U62-j^+Cn$a7%26hwk!-JxaA` zi9;%@ewwT1;tKv1!{2i+hL6}uI^NntXx0iZl6R6CeAT-NXgfEfvr47&;+V2w;dVRB zw|_Kpq1sxrmEZH_|B%7PZoK@72zu=cTECIg*DOqZBt-KkourG_$0y6|#)_v-bg=eE zU|bBZ$vInRDqQDgPdsDEPWGgt&J2=&6`GateGLt%N& z41ZxnQaFx{55{Zb!l4-cg&O`zi2m~t(jgqV*LC4fH~BT6)7s`P(jJPJ%>2?DXQbOx zDAa>IJtiw@ta$v;n8=%SRHTbKRKf53B){Rcjd)PgSM-AV(KGn;AUIPzmyp>c!R-o! 
zCNbb)*b&uZ?p(Ap^N|M?&D=M8Fq-hAicv)YtW?46_Lw|10a>m=qbUEIu-)$=J8lEl zMY4+3KQ+YHZTb@-sSgjgDc@1gOMDY^Ecr~m_~w^qita;*jEe{^Tf#C6J&j3j>Wh|H8AHvu8T)Q@9c%_w}U|A!<=*Jwe@*s>B={UO?OT9 z9oxkxWj>jy1#3CC_j=hV`?ER2V=U3z@>{90f*nwnL=3+@;iq}bhj-qD4h$#Jo5=i< zm-i7$uVzT+KyyqkBTF42%L*ERo921xobaT>o8swVvLIp}nj41Vf;6B4wVi5Mr|SW2 z^g`1c{JbA0>>nRu7dVpaV!b)w_1Jh(#mGqyetH(CF=Ms>FjELKQxMx(iJqG06dAsE zqcCV42od+;yD?u@D)2e@5!vw{cX?7I^a*N;QNGiHqEL}%GQ!@=uYw=9T&g$`Nm?*a zXYH0k`7gvx#O;9_hPMmY28TjjZ~`7gptg&I;>?p<%Y+3rUKPmo+jE_en-Mk6`V|TD zSXArqeR2Qqgv`whl~zB%$CN(7>pBqtKA3>;v1onhs>%!?cI}AOx<*)Ib*S&wj=yjh zJ_;}!^yAO1>;xf?<<+83dN6+~Q*_l*-ECTO1j@R=Syn#|qRcs&G{QagG)oar^yj!X zCzb-M3+fm`>^YE2KZK~cZq84DUN^zTW`KHEKD@rfK+wI^)izbL?sE05dx*>N8fx7yT}Ec zsPLfnE$} zpX1--{xD&^D|koDNq;0#)`x?0E95v|Akrj*kmjmOvSXW71Zo|E_@eMKb3Jy-S@6sc zpJtwZww>8>w3fDxAZXz!5Vn0jcjnQ=xfeB|cgd1$KUUv{Uj)G}r$f?`u{j2K?kwpP z0`y@4a;N>edEE?76Mi>)Z)yg6q*B?}Q?rOnHMvYKG_lk*Od7{?FcIMI(ZgI&rnbGb zd>UP%yI`*bwrvLLaJSL8eASgSj*lOlSjM)!`Oz}h^%Gfm=rY4^Mb=RQ*Rc)UA=uH- zZqCWzlvljNnuIM7^$h`#gl$02U{F#aplpbDNbddRJYAhYM0vE--*Ot-5|^qqQfG1M zsa*Fi^;_Wo%5@fErqIo~bzr9pc{{?yaRI;IT~)B`@N#n@;hJ;u^VTbl zXuN?hRKY+uK0gO)6-c$&FP-bTP{*^6JI0YBfAqoEA zMZUjG#EikDYQdy@HY1E27t#t(nwL@QQJcbNESA3&poA>brxtF4d~Ash$KLlmBTAv` zRbN5M-3x%ve#nGPE>iscC|Ijl3XFcNa@Lpx5#1Vg37+Up{|;esQ`Ol6p4FTy*v6=S z9K;cxT@dodIK0vA`YPk+ja9pzquR7i+}r@FYxOdGdv=)kV5vV??0q-3Q=%z&9FwEJ zh$#K%hKX1aI@@K%kHnLG-S^P1BeY9TARlzXmt9AS)n(hvA@}xh;vjyUc4x5I&F5!E ziccM`{>;xWQ7n6B=86-$J1OhiXrQ^W``wH*lCrzG@J<0l~^^ zzz(?L;Nmr12u}AENm?$-SD+p`*oRiv-HUx7T+#wxI9n8{S{%(}_Tcc=ec?WT@H1V? 
zdZS$%w<*FCK<2J$@N;RBjYwN`0c?>X7p7inxS)bK)w?lUTDdfl z|GBr$mL(2iX`#)za;;=h#A@TznoE{+T(Aao;IJccdRv5kAHLa9kkw%KrFYo$wKO^G1#M7RWRrK*hr;m4h=j>mh{!eRTT1U5x{lr6-!cD&9ky_Gn@Ze3IYpH1e(??mL|OSsU3+`nhBk>K|@Z!j6~ zF~jYlD`v(3LH6gEOzX&%NXWak9W^r`JC@}3d?2q>&p1Fo`<8Fy+X^GC*2Y5dd#();k3NAhU|B!n zN-PE;Sr!GhTO{P8*>c;9XAa3>*_MZ?(ogr52%zSVdVH(`kC2Rd?7tBb#hYy~NwI@R zD6BaD2^gaeBb0qi-g>H$F>~sJp4dZcwr(v75qX_YXSv44&H93v~FzC$#&p$XlS0aip1eoTSZq-?!o-B z3tS1#bT*jWnVI3tX%zFLfHC&d1JL`oR>CH^eFf5Y@};pe*Q2(~qn@>`B2FIlde6y- z-QEg~aINY%!;aT{8|1@#{US%KYN;~HBOc`G%u;nt`_nulE8vfCUzV3sv}W~BoC;jr zVD=Q6ldrmN*&#xU#%9U~krVw7 zn`tS5rr?eU7lzoIHh|f;QT2t%57@Y3b6F$p!|Vb>v%1;7DyzhQbN1USkpq)L2@OcG|=g?F+h$71-IJ(6ILb ztU>a5Fzg#OM@Jo2)pHGJ(If^yA>1`?BKaM{?j>lKFQTU<*(*;0q)1T!MUn_xp z$}koyf-yph6_+_m2C|RF_X1|f=8p>-v^Rr6bh+0lIct9=Xp(0)N!~;q(teJ>>bIB- zIF^}}CXUFBI;TFQ5aGz|i~*$o%dIX@a!|HGr}sc_c%MX=f!PE;-sfkenb38a5QRlU z^k=SiJ4^|ARli4%+zJYy%j#RhHW;Zvk8z z)*Y>ts%|0}H^jx)o=$krt2()xNFtc`Q}_npn6El_jzN&mdN)5tjUtdI`hx3|<=Hn| z_))``T0?Drcwe|(kD-GwkF5JgycHKA`o@fVE}qR=SoY;%V<({xGmFtniG6!xN?)(C zA(rD0xzLJeTY_@~+Q|`~0d|mv;S{}S;{ETiTun75ZQATqRLKwuDeg6r$^=j?*;Z}I zkd$A@u};F}hughU29tyI5W!k;AuSPlBpXYZ@$_=rht*a+`uuQ>JZ5(pdo$x&&u4eT z?uFJ0>U6PEybO8xVc|4*T%(&qMln=)5u23Rp*swWZaOGS^HGwd@Apa_9@(0RbLld- zhqynGHx*0$7M?Bs`~W1Ov#LtGrzy4B(&@iw$E^J(qAbRWJuhR8zkAViu(Hzt7SGEN z&-TKNNWGc48WCvIicnt+|o3H zS@xrfp9O-{^%i$(wCE-y7G7`(jkDHMX*2h-IHp|ju(ms9nI|>#2S&ia88yvcoLSIt z1Y9B}x~Kw2gxnzjUOabGvp<0vBa#bCS((EzW6pA|ZTLI*iN{INJt2a%VJerC(Xli_sF7-N_x5m(~y_}eNdV{ zlFv>&`zu@21)uy>E}AIC%XrpMDW#~|ps9MHH`Y+IxP(#Iw06Gc2(N&9-ql zcsL{{NaZQp^?X!S7sd76suc{3&rPXQSTLxiTgr$%5~-d|h&_f}g68ntAsdyn%vCI6 zS_Cud6-3o|Qk(}n?)w{c)6}6Bsg*l=O1Xp=_B+mnQ$^SbCx92ChDQRpJWCpL$uGiU zdOxl2_aLf!J2KiSFs##6(%7~<0$O&nmY#V-`gw)>rrQFKbmM$L;$lGZ83_;_dWOz$ ze>!7gPl{6X8Dr-Ca;#u^z%B&-6KbgtZi^P%QC%`$DoPGYn%G2IlcDe(ED0pre=N}L zl-Wcl!(4wIw-E@a#^8eeNxxB5k9?VNsBrlRbH6IuiTbT#MOPz;%e#yOG0N39DCwr- zC=B-F3I0o>r=ojetiKlA2y}=!6H{zC8sBTpQhe*f>xHLt`533=x;&qmB*SqT5k9tB zGcsmNf|L!eo3h7pyFcftt- 
zT02)S+m2m}vW(e7Jzs6x8A0AK9OxNqY%i?|5N~`&VWWxqzzxgShxtq?t zu6~Bjn<8r?xrP3T{O3n%RRn$;HA;d&0cYeF zKV&_2Km8YuGcs=QMF)*;pKh_>jV7BR4`wSn4b==Pvx2y7Ns)$j(S^wI9jl3oz#*KN?}Gk!^mfnGur>#dr!v zIDJPN({;L|jMVt>UlVz)#H_qG;$bLaFaAhk+eX!$Lm6sYbU8MsTvK$$Dnsjh@^tdi zh;16vMpjlB=iP^D)siUmuyetTaZXqdC)Vfc3req!+^5#m)D0uHRRX%CLJH|9?S3|f zU^%uo+Hs73|Z!U;g%w@NY|F|bzg_pC&H00XA6I<=W*8ehbiaCM-9=bUeRJZ&TZQ@BcG zZvNF+P|JOw7XHhE@x`xYJ7WSL;sLjZtEe6d1Z6#(*(cgz`(_=-~<&RJqI~MGeGfoaboi`{ht0>Vr<=?NJ zkA)PSU_#$H-NA{n>%4DiJu5PM)&si1rD;5U%tmk+{0y`f2*SW{GbGCIktOgSlEl%+ z$XaxR;s0SnmYQ3&~ucU1)HvQYoIlP+K{FYCe8xJ!`TlG-C z)>u43{6yImYf-InYv)COcAZWQ6#8YDPXU=y;MS(hvI~H{!e*ybSHlx(9Y(~M6pejJ?o)zo1m2qDRnN)CLs|vcf zndQ`R!xnT6*Pzf2kNo6RC>k$=8}dIK2rVqa-o3td;<`cez~V5>4#}5BJUQm04<5ac z8=^wC`u?q@WHoCUs-Egaq?v+7(g`1GsC3Zgzh?vB-LhGi0M~hXKPDaqj(AqZI4?7$o|HDQ#rc{1>I9A&;^I9^}==cnqYp7tK?<2*)OE_bSan zSToAwJvCVK+->!|p*XYnbG1}(|IrN(3VXCbrD^%7QIvw+LY zYiHZC;8d={t!Mdtosccpc1ESH6#0N=Gw+ws-CA)r>^bvWN!0Q&Y*Ir|uq@*35F!6F zZtMzuKmp@Z78R1~G}Q%}?S%w~rAj!D6lOf``v{IGRqoR^X4-dz!L|R4f>} zcGJpN|Gj6lmJJT zX#;~1;fAqDHP8dHEx;e&A;D~W&H&(o*@hRojc*MNyuV&o6PoKH#pUsnK3&9Ffd33BR|l?&ksK8FU5LU&_BChw^jMDy~?u2Gm_QV)#pSf~@rZecIZ zM&KsxxUOJ-8$T5B-%kDcr3SiGko+-ke{`=PF`-dLsBtXgwgdBUd+RxUdKkP|K-MY9 zgHN)@<}5}x%LMO~Qka**&O?x049+Oe*C*)9_03NPVDglF-k4sYM;4I`>xRz>>dqq| z7af#>3Tp!;Dg+L|9HlPMr;#xRDiqZptE^bQ&s?n}^lFIBsw}oI zKuCGrK3R&s`9Wg_HN@C5&w+y}_}a{>pf(S!IOLNFA%#*yoC@4JGQ(~giE2+2MY6j> z|8(wow%@8ja@vNVVF9UPVkHDBHCBogqr>RZ-W+wCn1p|nlA&AX>l6Ufix-lq{* zR@6JBQ}ro_JEL*f*tGN#0#&!>1XI*=arx zOWV52m{t1RBYiS|Eb}n(yyH{uH%`54Qz%CjqjWp`s#PdY8ra=3NTal4n65HZV!2G0 z`K2^Vme-GGTP{dTUd0&xRLP#JqdMJFGk?% zsu-dE*N;kWpBT>B4~uRMDA`X z;g;>tsl!yl(;afF=7V>w-Ega1HCbip+DbD!5qkLdiJL5=~b#Eab`d#nq9o(-HrPG zVR9tn=6pRl{ifoV5xjW8GIwpD%ublKHFsl@6i*!~Kh zZc)Lj(uIAC(C3wDd=kknfIj|H3{BH+0NKuw0-rU!n8fO^SewG^Sv6{9UD!(C`P@U ztGCxQGP|GzqGv_ODln9RgP^gR4*(fGs?Xmstb{qJ&~) zg^;7?`C9}bLHA#Y(UMg?I4Hrs8|7~yhOy_KW`Ht0i8mC>XI@M(6q@C`S%-IOg+X(}vD**2Dmz#dw=n4T4QM0l%;@~i 
zER`mbXvw_iomlB8K;L^-65joVf;$|e`UfLM3{jlM^pxe!uZlRzD;aJ69Vy{sxWO;~ zHsU<706iaKEQO7HgYZ&%OLh&X$roj2qm7;|bFX6J;X5!3QIm)HhaCHh zZrb}C!yeAAG4M-WM8Li3x!ZK{CBHo{y+z%^!lijqCGIU0zZOhc5G>`C#t#fo5y?jx z2~eYh?{zfUcFavBQNk0BhhaoDV*Zkd85Ir`-(SR3k>GI)`A;{)u$K1eikmxXh{;hb zkr`t+3Zf^5mls=+3H^rGTzAy9?LFNt(ZAJ15imhhf*mvkA9u|AplO5h@t8TeSM_uf zf9UepV;gat6pMYCpbF`16!J18QOe0mf#7hP7OEM4xR9fEq^F!Wygdg~$g|A?^;^DSprDHR>rxT}@pqjKq}d$e zr`oCRZkqs{t2n$**wLZ2ljBc{BAw@xDOCn1JYM+_L$*XKCC!fTx7X-ujL4gTNipFn zzo$QC^=GTS={02hPs`0Vo2>-YZq^%A%*+=ovF)EgUTZGA?@2JmC zTqknj28;{5+5nYvDAC4Z`!cZ6=fD(q;}cXl{>L?N!lM|&+XFTujOyk3Xi&+^(!wF z#{6cMMCx|kizQA;2!k=M|4S=-1G@@kG!j*jp)46|!kf6u!oeFXX{@5cqdH9<5=0sN z_X+Qag^?heM?FZ$1E>aC+5ejv2OJeKi1BR{KjmxqDHwdI@S})#A3<~UeBA==Jjbpd zM?1VHk0UdKop|5bLk4T}`hWl9TYJR3N2dp4Ksa={Tm}EmKTyqcOQb`h#Kz*2<`J*g zS`{thd|~^^D=XxV{b2q9L!QGAq8)G3gGKqDOic9_mCmO`2Ug);Xv2+=URlG>N~OG9 zTPyIXDsRNGusoD`uBoC}6?*fgky6-n(mxaiEbvq5c;moJx@TDgUGg~!Znz-y5h?`W zUd4L^=n86*&vs`nX$75m*IN}UVA{@F$FmI!Z?^8wK3}3xs5oNJZp2yp%8xtSN~u3Po^0o{i=`o^MGYgwi1sCCRMiuN!G323s68(R+{%iHgk1@8QQ1c{(B< z9gLJe{DEA5$fDg{#_yOl$RbZZ2C{m&+$^pAAi;a*+rnACunA$y)i=90WnY#nFPlB| zGm?C!go7h@c9mT1m>_5FBTqX=;F?tB0+AGd1^H5VIee@AA`HZXJ=u(U_w+C#YKVfL zth)Tuf@RnJXC;KwdBW6VlvnnGHawF|>V5Viaa54&zwNh(Vu70j4UX?>Rp;swV|>8F ziV@__O7cy#cZ(tg0F$eKotRA()l%49oJHuboZVL<`2QTfj$^_7YLYHI-eRzvPU#k+u->PtGQGQ;JWiXiE_9-obFYuWTHQ-!s`Lt z_~!=?JRT;M0k*qoW_W7ho6l4mwG%CSjyUJEIIN0d5won(ju>b!g4mP}gZeZ<@hS&L zF`Qa)FtPY@kVG*YCtXG;qfjP(K_Hc5dN=n|8)nvKvBuYgg+`9?TBQgP&*Y&J|CTG3 z&EiY$?SK&6_Nz6C*&EoS&b!;4sgvp*RpGFJYCq4L2hU#AICxC&E*3jg{&(z+7h${c zbI@K%$l^lO-te)&Jax(%So?W#K7#;?ECO6wCoAxqbfLSVVn* zqN%#0Q*2?pe#t1kV|o}}veugcLy?z_98OJ~3V4f1?XAs0o-RNvpFK_L#X*jEOy|4D zQ}swjuj#Yc$QiRFcporvj2`^Wgt`DS7kdPGr`(tBm%=T3*tE%2-Wr$pDUv{q_|Ez&G4(Bh9M-2Jw>r<6m;~N&O8^zx@GFs9s9lCT!ug$~UKU-kb z`~b?E1g!FpGicOvy8aY6@SobGw4THBEFYea1jyL-A<5Qv&tMGV8 zO!b90lrUofuNpOF5=*ZmeKVR}@OD(Vy7~yTRAIn2{1~PL8*MoIN-N49sW8;C6-eI(B}r)l|}~P@nGqh~e-FZUNKL$?eN2 
zO0``$9wG{mdBIaqjMNwq@em`;ZbyAhE8_jTIDg2Zx7u&U7ppb=Cp+?TKAgfYa0Ij8 z{&7T!iuFQ_b{*84qTC;{f)_C!joyaB#y1Er^iSp##JwzUqkej6V?D`S{7L3m|!`!jY-J>l!0A$r=QA)2H%>9h{Dm zW#7Rd_N)95{WVo#@R;nAsNau}9%@THsMXVH^8Nb8BlTy4KNL?X5&f?>vgD!?2UyB* zAx!iW+2oW1TEhPgX_nh#+7LRiUbBZLEz|0}U^r)%w0yV}=V#vQjgR>oj|42K??mpQ z6h7f5Of?uh7Ii2k=!hYvhce~$OC>8!r!a0oZ@}hF_^4CGPXuxx;7xpq`#+|xGOEs< z>EiD0*5d95cPPc(io08JhvM$;?(S~Ip}0G=xE8nXT<&|@@7G@ItY@7hlVm0{dnR!+ zR&LS9Y}3Kh5Rvqs_5Y)qP(E`v=s94~-#5q$v$=66@D>W($_qFAh`=6KT{UW@{<<(% zk9A(Mz$$}3AHA_RF-^?hF~NQ!@);Z3gmFv$*r^Nd%3;K&Y7ayR)|&N)p|OL?r|K7% z_R7%LyxjmJHmsB_bv*~vcknm#gY|<9@=gmW!KnD%kpgLaST{FDh=rM@_1!$pq2Sg5 z_{E=|=^Y_qrDOy`@=wf(#uv-HB)l%kc-bI+ekkHSN$kC3|5lIRt{KL2s5>m~4aqoL z{$fCmgCg2hLZQ?pBOYxcFx zn`tI)f(lL}_BEgza9Fmn=I1W7${v;%z~GgSG(kttkdbCEcn3QUX40jB5;)JCRCP>O zNcbJm8a8U9oSjS8h)@np>*zTJQmy#9x=ft&gnyFmG&RSnPfG{^59>qXW8}Z6KX@D zcS|2$}`EseEbWi%gc{3Ki(P%*o-26YJ>8!MTc`3af|FaUw2!lt70* zTugjUPIT|=c7GddXC&5bp4SZ$f%mZDDvpO@mEU)NYR>Fv+nn=Iss4ni>PaB{_04Ak z9wce*1J%yu>aSJKqu4jh1?eN1cycjgVxa#xhhyQfgztRS&j>=N!o!u+D~Mn;%#0Nz zE#4mkizGsU-TMvzgj5tJqcsd40~OF;6^2}A!!LP8S?Ox_C-<>1r}!U%pZ-z0LQID} zF(cRgG0O490V9J20ges}z}!HcE|^*^64R$10B&ENYXY zFWa-&Pf7M$8r(^gsI*uw znm~w##<$pAa$e{1(KAN^r9X25p6$Xkxc9&;23%46-8f1Gn)g~B8C#hv^(me)=#j!4 z_aKnKnr@cw@^iGENWc(6e8>y1D420G;ZW#P~357Fy`A+&4F(m{#ASQ^erf zU53EIM$816dqD^H$ld`08Ur0n9s`6Y(0Jr|lv)F&uNSf!A%*sN*eM)r)N?5_96apL zj^0{B%1PlB$oa(Xw$h3X9;OVRtx~1G)Tl)lSk=h9uS@b_+Crgxj>Op~E1nM(<*mJu zC<}Q1J7`?FOwjR2CIb;1%C)@`+AFR@`XM>LqqBmujW%6V%)E4_u3|8-`qgRyY-`vL zq+Wz&-=wKlao0&(7V@<#=56%&{ANNlQd)U&r7&n0mg?n*v$*+s;?>(hopE8Jto$Sd zEOYhQqV5CJB{Mn*4j;*`-=(WD3tqLfT?b1q$jFQ3fYi~&;S`1z!Un%A0*B1m!+7Rl2w$+Lc+zak5`8G5%|d$^TBKh5d-r? zy<}ZvNv~!0!WW}D&84;r-?C@`VJ7FG65#>Y2vQHh>cPg~5WM32&@h%8^$8a|ad%56 zyFcM=z30`R`)CQ4_eK?C)b;cTigya)6e_va&=Hz6f8?bqoQFz9R@i8a26fheF`a=! 
zD>Jl~yF%t60lb2x#CYNaW7sqP|xx9`*Zt8Q;Chm{jKP9KU4TsKI#a?$D5go-={p zNTL|(Wse+R5E{XO?Cz+-rW>}>#O|Y#UrqtaHkYZOf28iLWwqy1we1|uk@4W&t+i*@ z^DN(=f7nyJYm(cwmOfHRfX_f0zJ3Mj{YhR7#~Wsd4|lNq^4!6Q!j=@e0zR^ISmN|m zG+m#-RncMw^>=OpqmsVPHyjW)kz zo}Qv55#q^;KN`gQK#FJF;_-Q$W`1wv$6djzx(M-nA4zGT%|&<==;#M-qXS{<_|v#* zo(7kf1Z}-CN(5Y(mZqjCRqjNgN_rQX`LZw*v9z>~2V#}diph>^7 zdtu>YlF#~()*Er?vHR5(LR+J_Q!xmMOE7`?0(8s8Yu?@fx}3kASa8SwlV5)`lO;Py zC>~zvC61N1Ku9OQP5z@EF^)GG@!J5NJa<~Sj6DNKXUIDYwk{=X86YZt_odPo(twEY zh|(k4tM~niWn)7ePyoOV|1$=^g8o6^7zY0t!$)k#T4nfCoPr_qgT@$%vnC0+vgq3; z&ASB}K>~E=CY^;wmUHaEPK^dXDw0GoH$!Ws#zKcPKFt;dSngG(d@SwXJIz^K8=>q7 z0`zq~j?ULXbbRuG-4H zuYK6i)!~2?j|o%eSl$x}t; z)|x5<77-?>3Cc`lF4-Ifu3#$`n}855j+am^8?5`y73@2g`4*S`G_TL*%i9vGFa5=3 zJU;!E>OJy?hh8kAlz}7z%RLvPk3fQf)spMU{FK-~DnC%G2Gx_Z6d5|3`$sH#<4A;Q z`~rlZf#xIydp1`YeyIMe4wb2JP-Vu_njAC}`z`UgxDCa!OUudv(NRX#b3(sTj*;dJ zdnd(w)=IpiX*K3xrvbyR=JZja<3P{Uz4jY2Pwp?c%mDI>yNzUL)>PHg`>xf+NwRRa zS(lAd!r#B=^KDO7umY-X#5-{%3H;Iwm8$7C8?p*PB%i=7;!b72hdur8X)bT3r%Nou z@~aNT-hn!*tq9`CA_oA4g8&bRz)FmjL#ygcQPSRpErj(}r20*;B> zOgo}2t~r_GX}aK|8^}zbCTOc&S_Ykxw{K$T@pvq81r%$;cNzA4`>OU~3!`Qw+iyR> zVPQt-Ex;e(JZWb--N+sVkzaFH zonatUkT6tBKB%CFe(h}F@PYf{LzlJiQCR8tqlGoLs%FlYv}ePvc>YCL1xRPjVD~(w z>#FImHes`^hhiggN(5Un_P(6tAR8pNYb-Ztsx3_4s7GVS%f6uADP|@0$tm&RB=3MQ z{^=_4x%7*oDdY>_uHbkY1Yw--v)>@M-q1y1pR__6B|MJJaIyON!O1paHIS&sB9sM5l6&ZH0i?Wz_Cc8~K$1WY zwZ@SaFD8<>W8F*oZGW#=Muqtj7LuK86C+=jsmk}(vgS=`M5W+8|jU zRe=1hwTS8WY@=UBtPeDVR&Q3U)d@b4M zb36@=qt0XKi?UDHY~g>3p%k0R;Mb?*zU*u+y%?D+I2^g-XnMUL&2PWyp91)WI8zdI z={X^FX|8e?4kfqitqGZ(lEib1zspVtgH-syDWui6TU7R9u@6_7{}yJ4+fW+=`F<)t zqwF+9x8&?@nIv8H^{Td9#A|DeR^@eAudY$jAx|(SeIz?dB1L7k+f&h!QCDEY+fq1m z=gcLKb5P+~{FhW~>NBE4!vC zdNryA%Pl^eXgsKAwei*1@m4^rGl}h4^@csS)y^Y3ZI_s_w-|G3;+n6)lvv-}3tAQq zfm)Mj$Tzb54ku$sv6CuU{?4`Qjl;?bqnJf0dyu?<7Xu7w3-&Z4xEHFm>HGb#V3l`lT;bA|x!;4v(4&Qu*3jBtW;XgJGFnSC) zTHcnc8<~x2!+0&wy06tZNamU&4IXSBd0JjvP4ch94|Xs532(8ceoUd;xoLfrHsKu3 z!zFNUQFPyYM{p~m%NdHauZ7J5Dnpa&h+KM?FEr{CMzC?@qy(?8$UxI*T+4YlkaN3i 
zqQuD>o>mR9dhnD=A3d9oxq+_;s$gqg#hwUv*_8Boa-pvDNpS3@!XF5eq=I~(gC?Wl`2i5Aa z=Z?u$m!shc(L=u|-Q35D{uH(`Y7~8a0kieiM;Ypspd5Uf>K)Y$jq}DUcLieDWRuB4 zv<^W76DmkjWkgs2e}#cjvF?Oh|Ky@mzNPH(>F#dr)&`?bJjjA#kb#5CR?H`Hm?tuX zhjicIh1$L2t)!P9?ywIl99Hm^R1e%SbnxuPM;KpRE2!eWK~@phe=IXl1&B@3qPF_+ zv3Hs;;b|&dVgAcb2$>;r=iV%jr~#Kp?v3JAqSZEz<~-79y4bvULe)zf6@J{5o?ZEC zfeBl683Um?Wr7-z1mVf;u%KN&5xppr)PT~bQ-o@OfRE$V4?X4{r*%bzWdKR4S%uwK zvHvg1(j%)sBs(=(9w(F4G+Wp~v+O@88~7sTk(AHmdWpUqs}zL?ue9^de&)-k)FoO) zk?DO7z!I|1ONKN)>a7tlwNVJlq7^1VJBbq3|NP}o{)6(I{ak&20&qVOI#EkYHVRtt zrOEi83Qd-U+f4r04f4a&PeUfUUT1Sc9MuVJ&`%_Pn*8{%WF7n4xpI4or>isD^VzyR zL3~L@hmaNa^&ComQ^0C)?{sx!eiTEs+uZ%S=%M;>PQ_!w8QKcH=j6?~@H0<;lt@um zxXY1N%cF~#LpM*zVw=V6E;^M{zii3zzN>e=x4O`4?W9X+M2v((^if|dD9k<)kb(xu zT{EOz21DuP6W1RV!=a#)^P<|oD2NE|Gp;&Lbi@6%X3ysVBHSwRXM8Y%_LLxeJa?Zs z9#rVCxot7g0vN=IN3b+`npMEOUFn4?JH7%cx0(0T^89mwG;A~^h=KQZtA zxTyXtLXMB=9|@hQZ9g^r;69nEp?Qt2w#a^-y3oCDV&R#&yK>RVb;p|#*rtt$e-gcg zx|>(GKt7+C`()@9sOV8?bd4!=3QIZexXncun5-(Fm{Dj?z{-_}^m#FI=VOC#N0EMc zwY&xL|46dxnW*Zl%#{!6AHAHYTO=Cwi1~c{FKY;9T+rIsD|E>DAbA`XGg0mMO1<up*5VwS{Pn=m5eqebk)mCX)9MyDTd$t0jRsuz> zMgWN}$e9+&({?i!<57+zhZs#AIp0G6M0G??L8vJicDFSgqgKs|bkXjk!##=9v4pt~ zq{Y;8P9HviM15+-CRJnr0)T8EEkv2_OSfHSjF`Q8O%EouR6nnte%igg%HWrQ;U_eS zf|d&NPhJH$H8Q;iUqi7sk+oC; z_H7Poe%!cX9DY!BuHGF-`g0_8?d%7Bt>sX(IHC$ujlO88L&*?8$B4U^%U_`<_S<&s z1!-ybvArpzLBs7wYo@%2(sQhA3KM&^P2G#Pj%4=G4LngOP<(2;13eHnF$L*e1eDRS){D3YL&V*p`q0FPt@(X{R zXkD9K!KQu5a3>6n0}uvt$&&rUGJep;i`D?>wXp`=#%I>9agg0GM2@T!R&e>SgTwwv zzUQ2BwY4zurk;3j1=bS!PLT!Vod?^9+LN0&&aH`eByEP?W83LN+HHAkoP zOxdAilMqB|)Uz~*h6xm1(4~F-MNfgza~8Bxh?Hlf&u!=FymZpUasI}}R25+zjS?n- zO4w0fnUPppvHheOfB+cYLnBc-YwweT%T^)6ShMfUAot#@&nx=|?^ZmE;byr@g8oO) zEiK?Itq{BpMd3g}V*>@vK*8{oBL~_~1ZSn;jb2{KlE`uK2pZwED0K{zG2v|M5Va3R z6Qoss7;_htZtX0;)nFA6TqdQ-0V=w0F*z-5*)Xfrd0oM+FOB7)!FK{$V>aWi1H@GG7NU>t% z##?2p7V>#z6=li{-QKB!!lS1S*C4ErAM;Q)r%Ro>r>)|`>w(AXcVL*LXoX1sn86}# z*sW&_a%k^WttT1RA}#xnPs8Bf*DDSMNdKD)$z0e^(faYzS5@g&6p6g5A%oFYgqe1v zd!~mWsG#sD08S=;Z3;7V}jeAN7pD* 
z`db0c_H&wkIt18+{OF7i!JRdl#)T*Rz2{f3RjXn>6z~iMF?&3TRg#4?F;flGBP2n| z28LnNp(}HRz+F8l+lpPQ!~g^U&pz5o0?axILR_4i5K6ru2C9^{fWF%fmn>xB>Icg_ z%-I@tu&omen)ej80GJ>8#b40Aa?^r+36WA*G(`1nL8w98wPJTRi;GMd2T$tB(M^z1 z_lPspxauD*)_Ri2+$89998pvW_em7Di&WM{9=A z$J+)N1|;jh`ZSm4N0JnpswwWHuxxl65i47uODO_Odw<*V=~2bc-f(5|Pf8MI=>x z_cwAC!=tRIDS)6|>q&LLg?e&(I_a?i7P^f$Z?XLhi}ce^?d>WUHDq!3)@TWUVeg_V zpEck5h6HdA)bBzX7;dTGZw+M`kfQ$dxa+hN3Gg#EVUeq;Sc}WrH891IYyKvOHyQQw*(Dki z+45?k#i@RdOEg!9l0?Opw4l#0$7>RU|Kl}>U=eapeo$zt&l?OBByi%xq7NCV(v#oN zO;Zjy^@@GfIo5_WdrE2OgiSls=tSCUDEp@BI z10WE_Ze;|1XZfF{kJ=S%T>f%7#bIno1G{V_fVH}n87$*KXrRu#J1z31wk#LNceu!r zbr;d|^GI2%aj^1(2${aInlJod2q6pZjy>&51Ox!$0V-Qg$hTjj`jehS5)Pj7kP#9N zI;3%Pa&995RCUFqmv(r6b4v_FgQ0$B1ws{Qks1sD@M79dZ1LLSuTMR={GgFN=hBTG za=IWnTqws8y6f{zkdc(JTDIx2EVy)|PrF0-)M#IuWpb%8`Bzk+@98%x)0n-GAT5wr z4eEtC9&`F(?m1&gElTf%F3rU+;5_*o6FLSl^_ft4bx3d z@=!vXoXu=mASI@riqy){EwqXj4p-;tezv&h()=7A{_u-8m^@f!w%?uceEw{2O`6|4 z!f`XiH`-5a>qX-DVX>&dVVvIy@MUt><1X>`l7y3uu**#`;i&IXIyOkguOMn z&mJ%MKkdYK!)b#13Qow-gc|fWl@jS z7dmU9E8WYUkq5-uiKxfaLPHW9{GnC@a(;kvcbbB71N)m}XV1@F7WnfwdB)MA?BXo# zHJbOL>&1&Wp<%+gb^Cs3dqeV_&7680|D#%Q{!}0wk~MFff|Ra8ACc7ECvx?*Pe+d? zM)Jqk_%etS&aEnov_Y=E^Q#Y{{BRbx(*=dW@ktwE??5E0=?-CTuBwVlS6R~&D*WAx zs6Ipul&-R8G;I9@VE&hUG&zq++Nh67`bzt4nNjvxywNv>Q1Js<7X_X&W^P52Y9jsE zV6+%)I1%>)Sq0$JA#}`~MS7vmwY69GGG}0&s>y^Hb|D~2;_EJ4N)V<(;z{wV04h9H z2xd5BeyS9*DMM#?%0IxD(fS+a=S)Qo3*hU7f1i^&-afTsE{w9$!gnHgyPs%(*0_OC za4T?)xBjz%LG8WnD(d(!P!QR2b6kG5PSi3XptxuLxG&@BRLi)g=G}#z((m?Z-&;9r zTuH*dZ`-KwF8kc_)M+In7M#gcn+tsA62DYtrN~C6{VC5t)^zdbl0maoe^n+DDXJmw z;$h@Z?kCPu=*aLE+1VO;v#l?tx^-5oP(lpP9n=n(A6azvO4C`lxxE!tqo&Y3@HCKr zasN%jF#Fmfd#=$U+lEPImLVpa1&1dJu2f>4C(A^26nDrSCv#}duMW*e;b1nYu@K{? 
zrKBX|C%N>?Y(}e}nb}LoW1x>nKI#ZYvXWRb5q^jZsOjhT=I{(j1!=JUc*Y zC7JH4x&jm`#>nV3nLa2Z?{}rxda@hWt>iU&t~w^a`hx#_yHa9{XC$d30eGp;%?{ji z@{94gK^9v$7DeUrLd4{qr+bqsQcwb0<6`yfYXa5lgeWDuYwnTPH5@wVWxh$zVw^n1 zm4m1DzdE43*A|`c`=SHu_bv=Zh>hrcG3Sd2{Agt7MO4yoa-yq77ueFkSn+O_isV~p zTD6Y2B5|`)>TmdFq$912Jg3pK(?>V~iA9U5mO8M4$D=0t%09^MpNw!dOV29r!Jh-v zt?w?@dmp$SF2(47A6>fF^3ko%I%S&HO0XOq50a${q&c2$)?$x5hXd4rv}GLb2-?VF z9DN+7^Wpfzrs zp}aTVGn=u>e3Z@EJ>??q9|z;gM}{bid2q}JLsq|DnrSjOUu>EqSUn|zY{O^jKEAEh znvsi~Nizh?B+#X&xraZIRO5NrYZn2XSB<6Oj5`qffJ(S;m$%p*a&Tjxw>T84lTG42 zkrE-)60an}saJ~NN|$t56|;?$m&rG}E&7*^5N$=8J{EwVmTDFj<=Syi+&r3^p^<-^ zB{~nm@|8RMj>&G*I!iAbwl5?^oVmPZ_$VslnO4)cGEZbSM1($dfTA1krT8tR&$(Tp z{wzpF#TE02)KOhXlcvtLdpD7QH_dg1Eo^+Yq$*1t^GYJ1jUVag5!>$_042xhIaL}A zCN;bRVB5dwwspqK29$+dPF6nyzxu&O>6?C<||E%QzGwRx>xZazZuM^n_s^QasyJ1uzjwztBGI74I|(Xo2xz*(a9 zkTHQ%4yN7}E9YAj@h|);2kPB`h!MQ|)9Xr_{F3C5G=lYsxgFQlV-DJtdDHv3*D{aT z<)g0H%T8X5yx;nK>QfLA8EgYG;y!Y5= zw0+$Ckfdrhi3aV^wt^-c7LOgvC+{r#`|M8;`UjXD(t$5~HPP`E|LGj_tzD#%qwK+$ zsH;nIr?3$l>t>TP{pL$I4e{Pl?&cCrgF{~9+55d<&eoUX%@dP8OLV1X0pp@+h<{n% zw9uAE@9xb7AJ=OW>U$e6N4gD~A>PN$4XcOOF7JGoYxQ5hQEAh4i#U_;-x|Hh#-mLW zW31!qIuF+tq&ssWDhLRK>Vih{I#g+An9$bcHk{$cHs&^wIW4;s!}Y7HY;tQ*Hxu8U zx3#t9s$O5u(4P;Tx=WkL#~i&VvS|@sm|)!oTp0*{w&fXh>@YZX^y~&6b43M2VA}z( z{@Ab`Y3Qh%sXj%C!BnX-P9Z-w;H&Ofd}=(4|&p14J@hwE4xn}aAn zYA(Y!O;;=}}!H?U{FB`-l2EF7*A^JBM9%U?`dAE=$HrIlSPSIX0~e0whP6L<%4Hnw_?|v^fi&Wk>UQI<~jR{SFUhhvT(c zr+m7|J|~a-*@KU=;^51q58-vTRms;~oNCo?6EAm*=}vb;OJ6oKCA#X^Za0&ke7txr z{X01)R%BvCx65k`n5`HTnbXKmGM&`v$5lqqENt;P(Kc5`Vs?O_k+5(h;mGsG zS*w{x16eI-Jqi0mzw(hK&9-_I0_7UPM`$8PHCo=Q=D^Wn)>dG(nQ?RurH{`Y>}zSf z1sKQAq;$>mMNThX3O8TQmghU0(O36;TF5&(H?rsyYWUDUv0?5~Pdg7SUm;3{r{z zcFT(y{#Tr4rj0eq8Gj8`SBfHXT%g$(U_GGor%f9KfW<-$oK83Br(OuZD&*8w_-u&A zb}oTw-tb>Dm0J?0!T=K*@~xm!9f~zn$naCw>p5Rf3ZcLJ{66L_@C!O>QQ|7||6 zH>thMZA2ZHeP?R-;f!yLBf)bi6z7*;!CVy-o`qMM!@0w?aGV*CZ>>VS5q=HX!><`v z7iKls|CH?-@=1SrF{nQ9)eES-d3y_9B7VN!P4wMJsN%`wos>=AB$(DhaJ9A&$$CwB 
zR$Z_*IDGRiE((@Q2UXk*JPvllyzo~sr`}cBQ>BZ}&u|ki=yP#cq$Tj^=;Jc~d!kY! zl;tMDS%%-44?JO8W~I?lIB{ZyZJ1zZ(|&Fd3_mzZn~( z0yFS_z$pw$@$vSAl3% zqsS#*g0F)Bq(=V9#=VMdrrKB>|B zOh&2<%ro**_Hq64-O7NRQxAqa=2uonb{*Eh3r{H}J8nG}gf(qHwV%ZOV-l=3w=)8; zcQZRHK4Ln&t6}3^Ra@ke zhjImP9W7_QFh+4BTa4?`(_?OW1P{Pu5}%zk`-eipX9_9T1?X)FIthZz^Cvh48=Mhg zI3mN5Qj*(bu&7LRmQGnA;{fFU3I{YFTp5}XN?D0MJ|1o7(KfQTtK5s**;AR+ka2K5!`XhRmZ;?SrAO8_?+CltO2jEJ9A)9>ZK3sYm-0`m*54x7GP z$>A(ipQk2L!Effk1*+6(a!4!{61!kBNf1uBUcoYS|1M)Km;3##!F%Jf{n=fRIR2z+ znfCZl+Tz5|rYgsGr<%X7YcL$+6osaw$IoBG|gVxNpV3Q!v zHO@RSDb-vrZ+Koh+qGBuc61s3@JY> zsaX;1OnHptdZEU7(|)mC)>@RW0YSsR_|gL^#QoHo0UPpBpBF|6D}=>p?V1J)Qb=Q8 zEX6envHZyZujxBf##ixwOC(Y7xeFXG3<_B1uMU?49Y)QpNUENj6!xXlW;Yn*??+Q#sT-J~Lzw`5 zgeWl0yI8yoG|7SXI5i{}pOdb6O(iGu0k@*+_rtQ#QFedqfzY=@lC|D&(lzC=;tvS+ z%#CnDUp7u0N~oq8NDm4aGgV-5C8}65E9Cg^F$HXY$Rp)Fyl!Z--PfbGhhXyuX9b;OflY6L z4t9xhV0bKG^9jfC`YELp*$1jsa)NGjwKL*s9hs9pj4z?E%(jiVUA3E%k{_XtECRnr z{iYxQ=I-%QwUjd)?Md+aKKx~+c*s+jcxe0DRgorL;PdCbXKC;JH)Riw>fe(x^wlWU zbTYbf8ON~Ky3Lh@u&2$|;hlz7)$Y10tF)Qx?Hx1tV%2la*G-lci`7rM4X;qAt0Du{ zxY#-|1(Kr1@ga$1pLn;`WcQaIT0n|p|2q7_E@pdMgJwp+m5Z9zk`ne~ zPN|emz3s;ev*flN=%-42WRBPvm`H_!?BS{{RCl)7u=ny?RJ^G#Rv%Yef^%duhiUr< zlHh5+1R6G9M*aJQS3dgu|*SB)?UT zAmBuDg2BN-t*v1 zP4TdelzQ>IeUX)P-f`~Rw%HZNKlAuO#tg41<;N#1^jl!%DuNh!C6@h9fcK#PnvA+4 zrUMjOf+Wf2*TCdeCC+aEtiMUV6eoJQ+u{1T%44ZZrD-F#4io1i$JE4%Zl2hUqsQ)y z_YOYDB4q?|+`StII*3u&6Gv18V?S<{N}2}?Bi)-<37SHV?KBgPD4Seyqr}Cg-^+u) zx*{#bfZ&8Xcwy0!3)~gqUM<-EzN_kTzD{OfE-YfY09PEs-lmG;?}qt>x9{s-%P?r0 z{`uvmY%z%dkyvZGFIx!Eomm9ybfJVNI_bM$r*k|%80}^Ze4Dt{XmQT6VE)|g1^cEw zv$vWfBeB7+@@^M8(3vM~KceXq8xtTD-U?x8Iu}0H=ICHZCZSr^hm{uv7 zU$suTlFT|*l?P?s)_ErJ%uUYNVl>e-T>nV0JA2F9YG}Dap^nE(YJ5kX%lWJ{!Ohe0 z9_bx=aSUT1jj2!uHl52@N}?D!jlh-L-p^Z3aHOq24sCCGF8EduBh;26y^_cJ+|69N zU(2&99p*~YazbZwKn6*&49k|GN;<>o)kcN=ui!yNLNE&k0iBZD!TpQM`>ILwRL#ar z%p}^9n)X1e150&1p$$sFvJ~HXsPVBK+j97OrEE0@Z?oOO_AbC*53!%h*Z{- z7J6+1j7U;&9zx#?E!fGe|dSb1hBRxbH*e`S%W5RZM(EIx2)b? 
z;4QfEL|YT*pa_7SJ*u3jbY;{8IV8l1f-3JKX%PHOBvx}{aPV-RMJaaqyHWR?4%ROQ z546jS9ejnq$Q6_3YXb6~x;vg0z#8qoD%hzEG`YYJ(^n`7pCFYD6Dq6vHte>K(0@Ue zSdiUUN48%`I-=?_V@qog^8nUQFTn)=!bE~yxPcw>>5%x& zKmHJkG`ErMy@3(qJWK3VMq36Re`fD*e)>VT^p1{7aagWVeP&ISH$o#;Mr63V`aPzh zA`ZZ-6dyd1rTA{Qne9L3-%^-&AqM0uWIAEewE7NT9J%;0lGhl}sJpN(B>!tMmosc; zL@nEyl(%7IVKer!R@rBNhzKN<7_@q(=9BRNt>KiZ5T;!cg#%6MK-Mo0znI?Xg$rz8 z&>dt4f$e`mcaSChoPKP>oYJIHkWXJ^Aq97?kikB`I$yK8Q22vT+>DjjmDs7lsaVVA zM_eo#HUd=aWG~!nJyR|m>euCrYLxmJxXRbk!BA+Fh0SMd5Pujh;C^J;fnd9dDaP^= z7y0q;Ne2J2;0Ng>MKDDA2}S9a`5v=Cq+$waX)B5;DI+>1bw?gt47p~8%-^%bl=ITw z#o*FE8ky%{U@*ZjbWDGkY?I5XTmRz7PXV4qUI99(0O2~5A+rJrhh_*{-c~9Z;fw*@ z{>9`ZOV}zoAg$81UCcfs#hu3Uf(4I4{GSO|57=2w6(Kl9gl$+v@9KBVs%Hv8$7-?f zMdO5?9Naf1`K*?3+Ye3}b^B*0`w8)w0q4<-asJ9YKqu%{F}a+4*>;nq2H_d|XfP>U zJ6-|t@~E;3f^(TpAA0bf#Rs5M?#NW7?DySiwMO%kQfj8^7nP7N{3II#p!!FCvYq@A zANt;l$o8oFgLA*RTv_ma zxgFbS=)27_0sin|d0hNQ77+#)X6TSZbx3Lhp{ZLe1s#o;av-(K3`(l*P6OqC2@OZ- z^hZCkro*SRl*cG1#I>bUBHNx<^&_=T)p1~mkQV}18ymwIN%60WbV|VM3(ZV|LY5!b z4^ktKNG+Po*yi6`jWuCK)EYPW7{2@%H)vJ5n<%Nk#0l+7`ALLoSfy?l-j#?)B_sKk zY!_A5>96FMxs^?S8z@r(C10-{^i?sL)0TskVw|&Z1#OiBeCo5^rx3l#)`mda;Ho*( zK$QG#63Tg=HM4w4*#=IaSH_Mf>mbfx!$u=zoZ+|#@9@*zegup$TK&j_=sLat!I5z) zd^BoZ6!0e@Ea)&DF601|Zlp6Vsf4yH0_py7*-r3&m-cOi)6J2@+giusoP$)? 
zw=W9vlK4pya*=c&2)y&Tqde@`9)sQ`Of)dv3?s2g2Id8?m_?D8%&JgAXCpa2(}Son zpiSwL!2&1pv|#-$-}aBL*y=@k#OlO(6mRrg2}riLo!d`&Tbv1#CoY5s zO|zu39Fv@5u+T5bS=QZhBc5;bt|ct_2%N$_*W4le_o0|wURd;q?r5++>h!o$y%od7 zGmVQd%7GhYgnm%})0$ozRenJ7Rde%3GrKGT` zEpAGhgnA8rwl~c(2ae}<->(!DA3AAh9hXiA@Zc^^_Lx*vQcK{w#NtRr0X1TLYoU#k zW^8qV@0Lk+Ft(DaC-d`#jPVyNRIJUnEh;rNyqQufCxf`FhFCqlQ>}WZvu(z z>4nU6_@xX`_L=Uu>!SQB8nVtk1oYVDfg3_g8R`$uD^DeOu?wfF-`Mu@5`6p#gF-*c z)Gdyn&k2CAAYqr{#mTV4Y76D*kLylVH3D z;<$03bMsJKm_QHq%=fsw(O8Yl22vl-b>w;S`KxhsOF#K+blFRr;HBO?2j$DkOTG2 ze(6RnN(GdAVvpX8j_k;O_rvsTxV*U8`}G2*v-32lxXmqqHF}+?&jDQ`5d}M7`;@5; zi;JVoc=Irzsn(`ct~8;*q>XO#!RNEU`Cy$N+9NElEyXQ}->l$V^q#UWjtuyFmY$Vw zk2&yGEI%@TsIbw#=&&D#QMAEZLMpIHa5~IW*n!7FwZ${C;9>y8zj6o769E@v6bDzJ z&qhK?o)(}O2a zg5*5+#cEE=qI4|8(ryuCQ*i)ZE0%Pj?H_I!D5Q@s387jo$p@E*!(0ABFs+z70nth4C zqPsd5s;AuNdG|)tT}q(vbEExNoy9uqZH*@;ZOWpf$RTUn(_5MHv$^tR^^2QCnnAcb zTeKq*lkcUZN3?*OG(s7~f72PW?Jb5saR{K##q3_>NxP2bu_5gPcuUmL3K*^(P#GcTH?KXJejXg z_O5+yNRZHR4>jUEoO7ypUgGoXJ*&KHC^Srdu^BizNN2L1yzXOh+_f#MR^3EvpEy-> zTR+#YeiwkYUOV|syj2msUlR*o9O;fYHe{_N^>!_n?iF8HV{RM6d)>CG$eAf~2XsQ- zZjbJn6K72H1=vJiLON(rLunn7La6*Oyiuhbnhk1|3R}@t?G=`l?!^Fef37KdtYtbA z)V>TC(gtdDL(*k>GAzZ#Xh@lw7`HIM;aws2V~I^(E+bK-b8aVa0*wxUx?4Cqmaaeg zpY+nutx&sBK_u>P4PVZlBH**?Np8xA<<@xxe^lW}wEvw$2f_wgZ{~(@;2iEV(CtWT z3xH5FQ}W>};O^#N&#SCC=L<2u3#yS2$$b!TfQg=ijXcT{`Z+sLWpF>8fm)qN42c$Q zd%(dx``d7dz;_|WKS8J(ZRp=&x(L7XH2JOD;Vn^>7PE(EZ0olk4j&B(cJdy-Jz261 z{Ch*vYaeM<3Q6NDt@fKw;jvH9*O$3!jmiCn0T;uc59Z_kEWQITg<~0YRBI*DJAhhZ z_E3A0|Ce*(1Pv3RivUxg$xm2bYNJq_*7nMF;){^_s-%F-Jc+F+=VQ>wP9%f#9;80; z0Hs7Q%wURu?PI#2W$0rwg1zIzay1`yO@RBU+@%JgPeO04s~=+D_qT<|%5uQ4QDho4`Xbjs!s|@noqyGoHQZ(?91`dA|=)%u#^v5IYADRd%ka zH2@dml8_l+d&=njHyB2YK6r!Tx?ng0`@dNV^3y^DyVxQGzy^Zh%CwYANUGkZpalm2 z?VtD%paciEjDY^cP3k&o057?n0oIAnS{!WM@^Fpu|H%Vd!{2!9%k5KN4+Vm zbM046gOI#is5W?LkVqp(Y|t#oz%4&?ZaUe35J&LwS8z;+{cPH6!n_1zGbZSB~573ot_`n^FMR^UjqlgUx?8O~G2u58@nitRijjs~dZBB6%g|9n9SAegiTq9F`oB#EM` zPo9~8m6c&FX5Zs_5=ciU8pkbp05etV0S7(&S9vHA`T|Gd3mnPSTp$dt)5|Ux{8IR_ 
zfJ|W^MDT1$G2i~iwClguw6$Rm&7vW@Fot4qkxg`li1krxkc53B*WY3px`rRxR>A#w z%NGG5@&9s&I|&P@+?WeOEK(iL1LaYj_$r+IIqQQ+P8L#>EOU0Eu(6)VzV|&4{U3Gj z9o5v@v=1MT1r!Al1rY@W1W}5L(u-iBi;4<@R8e|w0YY-57!d^ll@7-Os31W)gd$y} zDM$?=6lp>TH334BZ|?+-nv=8MXRY(D-}`+3g`LSgbI)9J&CH#h&0C@Lho|H5^oKd# z8ieWx&MR-NBwlqE--eCc*mUsOu-=4lov>)w@sHo7`^f{^-Ct=Ko_8MhD78eNU7l z?3cfB|K20<>H5_zC-aAa?@Byx)UivlqFukJH!eLnth15x1XBB@9AYXVG@$ihWy8L|`180OB2&xkVdisyKie9k z5SL@%cQJ+gk~0m6>76oH6+M*C)Rkv#bsx3?mPz+=Pi}4b zB)sVuR}Aci{Ba50;@01nDYr@=!xuA-vnRE2=vX4{5(hH3|5Z8V-c^4Rma6-7Ng~C& zHzaer7n%CRqhtlD*opMrfia~KWy1|GgWBHhY?Ip|haG?0wZlS>KwtCM&BJ|or;HY*0s zNuGyN)J?H&?P`aH;XJ;0G1b%cRXceGn^?VU`p&-$<)rK2y!cR9?nKnin)~LXO4~+0 zNX-UaDUW`YQe^I0C)85*X-BkNp=h?YtJS8zj{a|cJ#-<8N9e-qXZomdb+h0Sii3eq zmieca>Ai`RKd0U8_shmp&VbBq)H<+$h;&RoG|r*X`{L-_eR9_B^8e)#xq! z)Q0{mit;%b9f1MT0~yQOr(P=OL*8SYwk-uOIsjkn8e#*7IU}u42?o;oa_$;VPN5!g z&4Yrz{HgA)dydO;{O0*>kAcJ9HwL>ee=0t5mgM&5CXI9JD87OXv}57aGT+V#U}d>i z5Osd<Q)dfS?)wtIkEC6XT5`Ia zaqIlC_n#Iomrs{EqI$&N)lCr#ZFIk1{`|#SAznfa9LhCKfJYV;oQkS_7SND0V7~mE zBYmMS`_qjN=d0S@vhwPyPiv$KxM9uSiPrY)`U}I^w-FLr<_{&F8;kTmw5~sLYgbnV zizh15b0v&W@aui1D5`7_51pA}T)w$ov=! 
z;9hdk3$=1wz*vARV-w^0z7jF=BJNGT4d##4?ohvDJETO2fibQn*Kk3zeuo0`(fhx$ z?NDK<@IgJLsMNUBmK}9VY{Z{sEjye(Z~40QyV@H}n4Fxt@`upNwhH_9)5%A1Xh8Ep zkdWAh@T*$mPt>lyKPrBU`9&ZmGFQ zzKF*1;U|(WhYM%Hu>%Lo$j6u8q8*80d#rDinK-+bC$8@HRTP*qcCYBkQC_;rE*0m; z=^UZ&i7E0g9$2;#3t~@1p!ZKti&EW;c4PI>d(6dUU*B-s8{$`BaOc2|m-L7B0v8U~ zT0VL5$7Sm?5>Ug7yc?&livO|EUCXGrX#_U4=i;U7hpn#fzwpC(x!x8}7HTbazrEd- z$uoE4>*9CK$#CQd+MNZVE$|9+5cpX)wxP%B?z@s#a!1uMvrj@UycDDrdxt~&_h`9Y z6+V24Qz}H*!S3*w$79jlnX}Izp^c?qw+_oKa4nM@3U`J-_;dX$^SdDmuQgY!Ub6z< z>bs3kk58e&lF38!m zwN0H}&NMllaLY|BJmQBXB!wlwk|n?rJEH0Rh)Z1+F$TFw#wX+Y`eDhtAD_<)6y42L z#`69OFPDt_hu7|EvJXS$`7b>nAdedbzj@IUH-1ahU8y)XZgluhM8L7|)<;p{cl7Di z_JN##)XRoIMc0)K9IuU$;+V*0C1Nmpi%d<@F5h8aP`T?1oh1;veaKD%aixY%Hn zu<1D<^1~gi3ZB~9zj4RyhhcCvxYhY@8B6bXs*2+A=Vt?oUlYB3B8@arqZYE=J>>VK zu%gx6#}yHCk7Snfc2`JPq~i%S?!qmpmx%I<*Y`E2(y?gbDp{*3Q@Hb{_HI9|@$;89 z?9ZWY@~v%ai`iHs%=&HM{r0&wvvYE_#k>Db?&ap z7&+&wyPryp84G?B|Kq5UU6io+4)P_4S>h|slU-HIf05YN+$%%-mv=4Adl-j0Mr5~f zt=!7p{QM^@D6QB2~juv?sf z;q&|3(mxs;%XisV5YIMpX6>oWv5k|llj7{w!NvEzwLFxI&AmN1n?ESj;N26`pRINt z{yNtuS@65c7WwVED;@!*y_uRy{D*s+?_J@yF3gVn6Zi>P$ECVz&0Fv8o#cOKox86R za{u#e^+8D^-c2Xi&JDf)y2$krKP>muWTr}G*Qp&QpxoNSLNiBwGQGKnPgL2TL%r%q z?vp}wT$By!I=Xxi)>N>~WtB^+T%bTftFlWfy3EMw+MIRLgMrpLIQwz}@Bn`ayYIHs~#$EV{mK)YRT$7R2lPaS21#~)q2>dYG&yqwH>V_>U!@6Mg=5wr<; zk*KTaP4Y83888$bvSS9(3uOdk+w0X zhNDThWrq#i5uQ+%{U0k=&!=v;I|_;as+td->2#FklKT|EVHZ83$SRbQ`&Jjqz4QiZDNP+yObY+pfFRx@3D>6De^%<1$~B@0qCI=c-Wi%@)ZRJ*RL!Ht`R(Sk(;e z#FgQaxLWPg8zs%&42PV2>(sj;aP{Oxk;9~O-uuj}_UU}t?%d-;JiJ>Eo!yK%a$fpz zi>ZWne8*5}m0{TB2U}v+pPSp4 z12Z&+xhF6HeId3ii7i*ji8(R`{P}!+k zX7Yt*>lr_2Yg@s}ROR>=M9jP@ee0dhDOhjG)z;&aS7c55>|9BP zOU=+f9QUmB#4lPezimHu1NjXp6{EjW?e8Qj<@VCWX+z7f(MkuZg0iyj!dHYb&qM}s z#(z7D%=Fb~kMKik6@MPm3Xl{*kkti7TLmb#euVmhavQW^&y+Pvsjs17^%y(R8VfJI zj!Q@Z6zD{^yYBO$Zx4KF78Z8w1&F4j-IB4ZZVvI&9l_V&g_9NgMGeojctkJqLJ z3IBX>LtZb@_>$bPR4C4Y^@?%(!6H{KxjLpz^A?Kcp!sd}v!cA* z-u~sEG^j%1DJ7(`z#_JiCBx401^v%>1@`Kxp=CY^ed`q0Ua_7Im8tjlNcQ_t4k!Z> 
zp)}(+bROx=1WO(&Wl)=yfPncGXh@}-))X7ECZ;Sk6#Le%D!Nf?po$#+>=eSn`K0*_ z_lh)+mHhIOP{hk>;&M1F9*CXUGr_pCVt|5oB-a zgnWH1bpE@1$`ta?T&EydaT(dHLMgzAyfDnM>`DzxpI2t9b9gI<4S3o$Q`PuK{jR~< zd51&E=4=(VFo_!aOP!l|?0+HD~ zynI@7Uo>ZfNoC8b@lu-ndmY0Wo|~U+m!Cf0Q|kFL(}NGrYZv{i{v#-UV z6D56)r`*m6*S1)m?N;6&W5#QY*NO1or_xJxh2-HQGpHRf=n^&^&W9Bjz`KwN+hLZy z=Q{+-vG4j-3w)|a4kuo7s4(z1GbJnHmjjmOzgrHL1q^oR*{IfFf-oF;>0S8Jw!yEp zOPT2_C#iO)1vd2M9y@+LOlm8V6qZgX9BE14JIm?|xUz9Wzb!j+oYXLr*##y9e*vE4- z)egi#;Y^WRfRZ-{QD4^E;s``x!R12zazL)C#byT=OLY1zQ@kx1f>rKuOPUQkoL=~8 z_UI`xX^BI1_q@r74>@aKe))8Fm^t)2wwe@khfSXJmZZ_$&Z?g-G)tJyB^x(N2}~n; z9alG~c&6|8$QCeY^T8#PN1qr1DUn)zF;Tvg{_&u=l*$IQ?B7LXgv;IqW}=l*s!rYSJ^bR&$~MWTe(Q#+}% z6fCKFf_JZ`@SMB(7+gS& z^Kw5_`ysXDGCD*Ong_c#Bdnu0YvrjXw%CV|oXg6?b0l#e)a3a)gYv3r$(9r%oykLa zR_&+5H>McIhFE;YACuD62+1JLlAOnUItTUql`JTe%}JiRH_Hb_6_Z+3;QjoqraOF4 zeiKycfGTeJTnD86k1j6pLQML!cdBPaJhddJnuu}5X4c2R(ut3haf@&mW!^r%`G8B> z3JWQv?nVqYLgUQJ!orx2Ulwd{a{u(}esqSS>Y^$|O(7o14Yw``DuM)0FGiR5t3ki8 zVu~#7Sng_!n?=u@PMC=eu0OIPD~mw>QqxhggMiMWrhI#=T6e#|a1wW+Uu}R>fu0K! 
zi|m5#7sg*;-Gc$Jd9u7;`t*U_YQoJT^|8Y0JCi3dl;+dDJd60{^x~((z6YeHV&2vo zs&m_U&U*GtiU#CszLbiWjckgov)QcCnOTI#y zN$oxLtU``&aN^{8625Bjys=<%F-F2EQL2qCz3~~p4MK5B!(l0?jD$3dx#H)S?|mIR zUO#=SV%Jnkw8m_V*@uZB$}%guXCFk}z0+YLt~7Y%VFwArovrF~yyJ70#0eiBr=%pLIM+>K!RO9{Ov`Sp+hM_gG7DWXTK z6TZE7KWW&Gq_-%H(vE88F4Y+h{mVzQE$2WVJpp`#Tw)Xb^o-v}MWX|m%IB{$HjL~H zD}`YTI%fMi1}PBAmK7;n^!&|g+wnn92Rq9f>@ROc)O)-!^h{a7J}&!=u6~L8yyD|f zENbHCHicOkdXvqnA9CI{Yf>tp%)P zLGn7`YdI7twH~|JmXC%DCgD&pc1>&=Qq1`S$4DQt_Mi`_qS0jK091(+zQ3Y7 zbr}amM_Y=Ssul<+k|uVG_ZIejZf${}8^zh-n3Rh|ZWMn+Ea~?5(r`)xme{)VB};$e zbiicUk!)igvpq^a2TYapxd(l7SoMO*o7+*LukuTdi_5^Aq_aKZ)uIS4FG$&{f2i!Q zma|71D5i-auPKRdSz{`P4qomsZWm}571x{OJmIH+tU~Tse1>b#nb$LLXr2&%RH_-1 zRx{OceWhZu5M#Nd=7?3ixnZ^=&9D+NHik&2u2M+otbkI|^e|*=DxRGvP$5uW9I%2N zfYyzZC_%54hx__f0$ilVcQxsAcBivWDc66P&Rj6dSu(S z8J{gwS#>VMu2c^{DmyFXrr zIACE;bd{}$K}@V@jOFSRoZO4vqH#8)X`8O`#eR=##s{uGJw{RO9_l7|A3 z8jn0D+G>K#IQbVIaBnG#^7P+RccWLJ+j&K{QMjDFmuxApU-kyIJCka&oD3hnSGyR@ zQg#sN+J#+|<%7(=RBifPQI^~fSfVVUG=qOs`ruhzNeOz|le3*LJ5ve6kB?*p_?4*k zZBO~Fb)>odd%|#YyXwl>I#j}0YK1HZ!GRP(aGJ5}P!>3|VY|y@;ZjbweF-FcTRH#f zw$zNR9M{i7vX2_?&HNNK>BQ%Z9#H7z5429;4{~xJ=TPoKyZYNAvvPx=rz2T8uCLco zd-p9FFG4uu;Qpt}EdA%~{n~?h{C$j}qo{N~^rM0dB9S<(*M;f;N@nWh^mTpNRzf2i zf;33@lQ4IHpbjT&>{&kGRD`-iWm|>dR(~VP@AeI{_an8w8nEsWG6T^iVjH})JM4&oZ13h1j zTCS`v`Z|HqA-gSP59#wkOQ_xN_)9btpV$#^3G}8@IJ|s@M-8!#NSN%Z1*W1mf};>4 zP(BHNTwN5A2;<8bt0zo15De2R?#Xs#AV@H(jlSRJ4CIm+d2wEeT)(hQX=^w_W0}H= zqzabzH=3!8?J-pv+iV`OZ=$Vis_JEof&2n0$fCUMe0D`~z6Z1#4qt(luXtM+$OSyo z_p|YrB|mI43$V-*HxVV}DLMz{VO|kn+b1pf>Pdfw-D7(@)pcXr#e0LrYcxEuXr}Bv z`e`UcD;4g8q&&lg`Y)!kNa8zU3N8`g^0;)O_u|Z)+(RF<>0I?h{M+gfww4(AT*LcQ zKKp!3eWrZu3Hr*9usqA%0`>>=dGt$^!!>TsvBY#qjdk>z`K4Mr)$>FkD!X1@C~W6Wcz4&rWP1NS zl4NPPY-Jj1nxlF}U#0R6TsKf$Wr}q6n^(!!k?QQdt+DGF5$JWNX(;4GD%`)a9LR`3 zQ^>*bUEC=ya!m^64SoDP%H(0Yr4|qPZVRM}T$VQK3_gYG;kCa6fuEYyrH-j`z&%%` zy9oXPjVbd8A^+VAp79^2>-4qmmcnM=Nyosp6u_kT_XN=>WyKV-5K}Ijaxj*d zHFvb$z;3qcs&Qul=34h{HI!DkT3f1yf5*#PJNXO0+~F!1q#W_tet(#iQ 
z=AlI;9EDdCzFjLnRq1VPICo_%VzWSQ-S9HyU1zyQMcBEShdp_MMC8O?*hxJPnRqnSBZdb7kGI$%YHVd zp1{S!5lah$r|SEeaVd;`V%A=sg%omN0*ZqiA(!|t(uW)Jr-a#FTg7{(QF((hAKP$W z`jKKgdMAe!j5HE(FfKIeZG%we34Yu4EdagaXKtw`buwBpOx97q|Ax5I&I7w{x(j_- zzG#n|ZErT9hQsFb;yb_FeVxKLf1e#CBgWnn9(PHVTaLH2R(IlS&)%6?d>tuiS^;5~ zsPnL$t=iu^d$jZcJMK_6zDljFf`bK336PT`xKx``B^|NBBa6XfpAX`|BNdRG!B6D1 z{UGO^@6tmM%H@f8F$kp87gAt;c{(DKRM>`kNjA$ZD;t~3T5WG0p4ah56m&usPF8c4_bNml-8Xmln!4 zkS1sR<(k=V@KgAAJe_H`@l^_#@aRiFGp7`q)5_iZQ_P)& zfX{UalpV@F&Vf!m=hgNK5bGCV@I4p0=Ga*|y4F*L{UdKySjC(x#-u7!PS|rV4b4~Dtc0NzN)M9&!|9tHbg!AUxj2Q2}ZR+_nm1JZ#25I^0P@`Ddh6g?( zk1BN3HydN)I5!EMU7k*!*2iwVk<_*Ph5w0pp@56COPxGw5>1hyLR)i5?T-}8i*tFd z%O`10Bfc>*MrlK3*Wa0C9JdzaMoJ zR@9+stFr`IET)F}t*A7lCs<}#6`A%f>cRJ0;KRD9b9ING9JLqe4VLjAIbFym95$_u&(^ge+DA68!MnE4C6yeDc2+r&mdaIcswACK z6wuapDTS|^1DxqoF%A3>K}caF1VMS0ocu063_+py2=+6dv6^jfZ|q%h$R!VczCb!S z;e$}y#gD_tuB7JbMKp|Nt2h=Mdi`wnv%p%D@NS>YxD@5nS-4A2a;ZIl#Ouv%nFEXS zuEogdtGijoUM%%5hkkn+$Wr($IqKb$FqT5Psw*>_OD;rR|5SCb!&1Nu88M-dJ)-yc zRgZ`*8p5?d8YhB#@zGm$PP;Pb>SOQNQzAlblTV}Mg040g^1t$HB-A|3S@_T%+1EOX z916Sv?R`E`TFfu{QNJ)IJLZeZ4#T9kop=uNn2ci8a-C&kI=uhE`KFX9q5xG+ld5s= zm_K`J(?o0Ub2Nc4*B)N|cwpi!44d-6f~4N!<;By)GX`I2p9nLD=j9RvNK|*>=y@bO z2ONg6G6-!e&e`FJJ_-CsSR z9R}$k?xVKq+ZUbnCdu8r?Gmtvn&4=j=hlZ;97(}`Dm_C2o{=n zA#{qRlEt6ziXyw~yxe|Cl_UYb_}J`(=vFmhNVx69p4_M2v->$|v|zX|Sx9?k|K*(H z8lJ4g!NJ%IYTc}4KXV_oxcFZG3FGQ){;{o3xBp4t^-0d&`#_1XJJAH)M)s9Ywj!IM-Na{#EmFNvize$go?d%hs!1S9@ zA!0GrCwR*fxu-Z1C}+`?*x6KI)*WQwVlWU}d9T8|aDJk+!2 z>bG(~ya(m5t$=efWdRCb8pgk{?>&Mb9O1o$AaKBVc?ErI53P7 z%rVQB2*R`pG3OMvH!^|Zfh5Nx6q~*0zg#R%QcNA3AxYuV39E+_XBU+M&;nuD{VIud zXxzoo9)1sOkKw{B#a2q0ltg}C=Wqhew(G!@^nySk?(hr58`N;)VBhT|*iDn2KK%|* z*whqmcQ3qKe{&0)8*=-W@R`{spRZhU#Cp#@*-6VXq7z$$S$|;?7YVjvX60I*fA#py z)ffJoP$!jwfN!4kzfT^?G563fb% z^6&`1n=Y0!kzG760fjv{xs z@rllLyxgUF=ZfHt<>?5%^N!@efzH-)D^yNDm2uO%fG z&W=65LXv}0q1boR_?3tq5wg{%C8oNZaOnBcI73m=_Z&Jb3K)aM=3{~}-b=NJ~`Y$O$RZ*s870X|fx~}@K+-aOxK$3s|L~6;Jb}`f^ z8<&#$;8!7jycNxNs1Hrwc(0V>eAp0UgU^S(5ijRp33JcA9*8DCgZ*BxO)42euRlj? 
zxb(%6A=*45$y2r79Eim)>}<{}`CSESeCd-1b)%h7*n4)+CwNlAP^joS%Z0Sm7_2-M zO$J$RPx*v1j4i{}j!(eQ{x+$5e$fPmrL^_>lqN)A@Kn#0Y;r5?c~aK*UU(;Y)m8ec zD>;20zQ7?bCFSptJ8fQFKkEIITECDCEqUEH+i&)w&^$pu1<#&ALQKC;k}PmY!7b?J z&y!rKVifc>B8G&&o^Ci-NC_=JR)QwX%MNyQbhtX;qxU-LUy$okF&Ie z?_Qx$C}f;#Sv8hgNdW$h$x4G+#alQz1yKkgU4>J=^jj|VmwOZzB4W_qtDMAlWlJ68 zWxoRj9di060toB_GVeQG)gjmCSc)oiN~QPM#l$T)r*15_bHGmHpmS#t(NKJ?@eRh6K)aTP#0k( zzNM-WFsfy|6&#DlniHy7LI+*^XXZbrDg~%2o4Agr49*^c$YJiw$ThPyp!}3#3-ffl zvnWHAN=trUHDji~&svy0V3}_VsVv1U-th;%^SFCJFIzT!dytH=IZFb$fDgGMh6kkh z*ZNA__oT|wg<~9}WdM<8!3OVMtB^@HtW_>z$0zW^N(&2{jLEo>FD<(h30C#fy)A6- zRQiBXufG)k)vj>tR20E@q%~b9%RD7MQh=Yo{6Ln4O6EuEGyz_WRZVhPFiRj}`^vfpCm>DX^rAOS3;lw9pBD@K4DD9ON=MDy7*Q`g8Tt%f!BDXk7R za(`q~XHnODrMKsz53kOBM%K@=&Y>q#uCL5e%u^~3gy)CXQzDeu(bL#Dgz}k+QBu-} z$#)uth8Zs2c#3O@&RKY#b;@Vw4*+7i`;)^tNyGW=oISG!{v{(HT;*E6hdE&5?TOs7J-K(q(~4Z^ z!?x!v^jo(ycvozdv4re7S5H1M+3Vo%eZ8M+;Q870zL!hxEMmftUjYjAy~>qU8+&dC z#H4s89@sw$L!_$S^g{EOVSCY$+YJ};@o958m0ZC(`pwUpYq^5yMOy|EcpUg+qH5D% zNm%vS0+lU2qpk;pZzOC^kl7yOl%tn>tH4x%W6mq*ijo@ZT0hrV7k5y%Vs6tQIMO9F zW<}>OL91il;;t#)lU^J~v<*sElr6PotF>eaLM5;czW4I&51*YU= z32FDURVBJSQJBVVsjk4RLi~ghTec~Af8)C)maK7eMZS9u1>vWArI7<$ezLY2Hc^#r z&gWHcTNV*`tEeIHn}TDI-jfTJ6o`^{Pnw>L!}2ER0|a^f7-U%<_=F)p!5{F-455%nFdsyxVY*Ejkd;mWbANc32J=ds7%4u_;~h%w_fxx%Bru?jq$ z^VAvy9;*ORk}}=fs^|@TYZyWr*ol_1yl3c?ZH`18{8aKSwgC8!_oMWz7=P>f3DDt@ zhhwSczDjtY8ISo|wQ(ZKcwZwb1&?auzlUE|4M4e9IQf=0G!9miqsw0QHNW90#CsC9 zcoL>LIMPwY`RV$B2oA#UK;huS&O`5zXP!Fs_cwl6>yMvDP?{4&rY@23iRPNY$hYCoyDGs#q@UHf3gBAKQWm9&9zHlJ{RPo~g$_#`$M+qvsI`4|B?|1~2i0DF&FS?_kN)lxdr5!Y2H|{V$ z?jUSeEMa>5*!L`s3AY2*gD2j{JPQlNb#$n7i%!b)*Ws?YAJ%`J4)I?5y3Vhx@1%{l zIO$XFEno^R>U+ljvHy4MQuhQ7uWFcXvKd;WS|;1GxDZgWm%7^CO6Kc)?(b(`d)U;k zb-{jvL>X(&A30$xd9)6_=#RP`Y;3@tI~&SG2KSx}FKF;XZ6#P1ZH>~SZg{7M7XHYN zQPGPM-hsMw^9(Ql=k*q9^SAA`x6OUeOahVQ`FuO(sWBuL8uN!0#9-U?lomtwz0<=! 
zaOD8;1Z$4p|;y%*}`v|c#v6zC*ZTIV$c;!5;_PAR=2WxUeK zI=gHQyEj&_4stgI50f6lWHdPT))sqitZ4PYRdYdnO#Ir~-<1)i>WP?%K!J4R)DE6$ z6^s|OlvG%@NNk_r!a{nM+s8XyIc8c5T$VM6gA{^XU-Eo!S*srvfk@cg-Q07wKa?M* z5Tjpq8&Yy-0%65AH#D)2R(B*dl}w`tC*mC~OGNaBnoD#z)O@xB|8A4L-hxZR$u(*E z<>c7{jPr+(6=@~YjccUA))tr5P(J6`43fsj5SF&h#WUS==7jjy>64=z?MKt4*h*Dc zl>>SPAf@sF)Y%0V{le!ZYK>c4^TdI)jz0XjS4m6oCfhYUyJOrY8QzuPWYOBZ zx#5rr3(3)gH7i#ptoL|c`slZjU>oCgH_6LOO8{=N^98veZ{|!%A~yiyE$OUzxK{61JdMjq=p>wol8A0A(HOR%7=^gWjU`-k7FUkd6-MM-3bX`H7| zeII6CYu?j1pA&L9a<?uqKI+mkQPB?7qRIA~8t0pOP2XUPi-H>QRgar4b*E2hle z=QFp1@M{cu*&SC#(03Z+Y6skbkVp+nUvtNknLN#V>3}=zB4-!8 zELzhyYwfa8O$mXH> zO!ykRU>|2#bqbDGolM@vF%?=$;j-}CUT_1lzvWx1p`pJ&KX9%J3I1z3E|#u}3K-#h z295yWd26}=H~$@E&M8xgj;x^s)Y$awY$`Q$>ck|q40xKS>ePzror+Xj>eovy$u6jZ z3f}TUI}U^TRM`IVY&p#Q3o3Dt``$E$18o_?0z50m&A<8EY+YjYv1}Vj_6XUtUL`p( zoH;z{>ZpxM*qnvvTuf!{yacUuV-AQbtrVgU3{1pz3GY@PGa%emmguR#Aq&+|9Mu-N zJsOBSy{Q{ozCM4X+pI_2XF#{r+T7P~6yP%-mKcnf^Ms{pF%gk#=sC_)S~@fHs62EKt)cS#;RfTFpY}vv{0| zI%SKxwf9`lAY_lmJLS_yvKmkG|9N-qFwARW`{&Gxx!*vlK{hsSu?3EtzduVOES-`w zSGP8LA%G|8zad6cKUs8*dmLahCfkmE#KT$4$9@9AIYqkWzNqNiJk$`A8dKjnRU0iu z@04=cA}F{{@#KsfQcWEX)4y-@|NW%q(4vTK7g==&mLt!cqse%gFV8{AaGmiSI^!~K zz(V zY7e6M)I^?kdu`ZfyAhe!70V1}E}^gS_2JIYc7)r$w)s41zP^?-ziz!yT1bm?$oozZ zns<#)ffa3JijwaB8Y5@gHJWBX61<`FzfJA}01sT#mO|;jeAwRN=&HDpAu25ofvBM4 zb~vwb*{d#2=OphtVZg5B(|$JyeN%Py))lU;oa(@>mpcyuNE1{4$uR{?90Oisbj-hz zqi=-!*NwRSeIt&*wKpIT0Z9N}Q9RFq4gVL((H#xkZL~%fQtIhRJwx7GuKbcvMM=C` z4}dM00MMj=U4|6wGi$~@B-`vf^b4yTIF#nYMOIMPZPru|j-`F;6vbmXevTE*tNT;v zv^cB0?*RGN4Mh3^_#O?c$K3^kaoc}h?-i@1qBOuhjy6Er1Mku9jXJ+q5%~C)UvoY? 
zDGnfs0%@U8@IBgn_=38Lz{i7r#a4HVuJCzQbX;T&_#W+kSI)GH!P!Zbzvhyo4M1hV zxF&$_fcNMeA}tCSZ1HPu7D#i^HUp3y@E&-3uUW9ee<;WIAIh2hM{-D^?MdDuHMs4s zexmtc)jh-$Y5~oU*Y0xLt_M*zi9W;Pk04K zwzr&P5Cq7|2jne#KstD>fnf!rR`qMtX!Z>PS;$~tC=;p#RWLG}AQSh|N(fC6{SHGA z1)NM!z{&&#!Awv9n#_m-&}0VU08M5jKt`|Z24Vo3%vcGTnHRb4o3&$lLC@Ye&}0S_ zGy!$GC<#DQ>y>=toBMO)#5oj`F5;1xOY=c0P8Iy>Kd2|i} zeY18d#t9Tu&}0S_(76CqPUiwMjaYe{?!8|H|EbwM$q+TrK3*pFZD-;>Pz7U>SO498 z^dtur{Ydg?CRE?R1f|wYPynvPhyu`L#(o4enK6kNyh7_oK$97hh>3Z04gwYZ=tn@4 zf9((Z)@Bb-IgJb2CRw{KD&{hf-#_(L4ot!UUSr(vzmcO4gO7mV{mAl8CVmF5F~a%3 zNsh)=P5agzO`DA}nWQD1oKLR@4jcv(>BI0(iS$qTA;ZKm;5A0a{2Mv?M*ioi7Mye$ zX_DFW`+p@zcl2LVH?1Y^VJOmIIihD0cuui43<~ur;F`c;_@^%HpPH-x7t=3&BmeVM zOPh2V3Int0_y0f$eb|f9?=!C*@oV46(1Yf++#+}Spn((p~! za>F@YF6o@*xI4~i*_#EQaUHw=wC1SQ=@X{`jgCR!W&%E2yQgJy3Z{kf_N?l50dm|7 za+wHFZu1vVPH;_57LXHVkednvm3VQr)wK8r!rY zHc9-n5itW>{GI5NA)UIwZk#me`zTSqqUk4W`%~OPJBoj+@h|>+MN{z(2-}kd&Cj&3y+I3wywV8#)h`o~7r3Mk(-kSw!}b*ysSd2& z7`mrM+iK7I_}F;8CSZ|66On(O2EqZTil>Fc%m3A5VC`SvvbIt)uw6hE-OU)f$-lrr zi*B-XT%s7TEDe1IfA`7>V2_~5fLCm^0Z-6S^$+H~{L427=&1TmpqV^Uv(4)8`v*pP zy3HbYwEbRvsnMk??+vG+>g1z7elbD7r9avCO80qLg5Iay#?o=IVtGH-;{M zf_MOZKtT0q=mVm5j!D!&6^v1f{Cm{)(R>XmT1!g6Ee|w*1qv~h~{fhkvE+)0Puk(GY222oDROmQ{MisVt=&{NDG3q z43Hts)>dghtyjxrJuAQk4gj|tR^D}r#w`E}PB4iYsDd$Sx_^(F-6_!5prQhyzrZZ= zD_Cf5iDu#!h7@04i4n}8$&9%Mn#>qA2CvYv7BrbLYD~;K6(0+v8K?-&`4?q?CNoe5 z9ekj2I{2j8YjBaf80`DByBF01WXS30&^YxU>pgk=_w}>^;4)IsVJ1-nRWL?vE0d_v zau-yzmb=mb1qJ^K7MfesnYiW9-=jt|nE}k8$v+b_7&Xvj#;7rR1!PFjWX7m5F|WEJ8X1-L+)0agE0I6%5&SWgT{3PuWg!lZD3Dj1`d$|P#^ z!T~D!Q8=zJfCY35$ncDA0gDnN1%WFuf*CaVCt?P3jb<`q)EK-1Mh!HXF>1`rqZbZP z(GQ{rO=cu|I`{y8trw1Fpl}HNYTrK<4qhhfJ!C>b7nnp1RKZXLg$D)20r~KzA|A*B#_3zYm7zu-^kH;*G}iJ3~mJ)`vNAJ4qjvA z@&6_{S{ZD6_6uV)abfJoQh8b-=iN0)HDMh@BW4I0gXT#UZk;4uLXRMejxDu&I5m8$6xvl zK;y|1fW}86HsE{o0|5`f;9Uj36m&o%Fl0?fUWf+Ylc6>3CEov`oZEjW=k*`S-QM^2 ziCZg9-Cs80i5O6VPZ<2v=%_QvkpJZgnV!L*q92+5Zw7sECB_5>P5uQ2z=RAA^^CL8 zzc`1W6BelGM`OZx`~miB^!xyo(<^_B-8X_JIKKXD-|cNUjN_Fwz`h#Y=Rekaz@&hj 
zXTlqTOri#=U~F`lOvv;C2P#@m%6~WLgDWxCH_+r?lYAl)G?_7Kj9vlHHU7hM2>MU~ zD*DlvFdlz^{Tdy7pmI9+%+lVYX@l_3_5o?(lM7^s1HeQfKdr~4zuNu3JR#G&c2Loe zt{og)e+CQamj7_j7Xw#fX#Z#?Gfc=2n9N4COrmDRBx=meqn}3o=$gQZmdT*M2EM<# zFyA;4=Lp7$8%T@(W|7<508};Y{(n0m({mS`b$@j2hnctqoSGTI%xusHS7M|fCKIw4 z*!M6*jnOMsYqK_Et}!!@KGA}TeoVBW$-fj-pcSHn4^&PE-|cvS3m7Kue<~czM$rG| z37MX|prRjzTg!Lp@{E7`#F|qy?K$#;7qlhoBb@P|**fXFUG+Q8+;5 z>xE;KpvgFK|3l$mHiF&;fXmo$o@9c8|8PR4=Psz|r^4|s27PcPMlgdW|4hu_aUW8#&PAHQwn+WL01?9j#DkkFvv&mYq3-Rj$J#FMeQm3-q6 zWhWDd3@$3cqv7Po>uLq;IeL$sf*gH5mBv{S$YS$%9`uZy@UVH%lW-8t(o@;mVxxeM zypXL?<;ZKDanOXNN91FHT7ly2Y26^@HdcaWtSP@VJgt&{Yi_{f1FKWew0VBJP5#17 z&(sRG<#;`I3UuVNMj4E@oaz>OWDyYzEIx0uZz}Tm|Gc=zj}QHy+w$MEQ6_%5QxZ$m z32vQDJN~x5&`G9q$U3FrCqWZK2na+l?MGn2c&({N;UjiR^#UQ zL)Vj4ru7L?lX2}NV1@8FMc^~aHWXdoh?@V8ytj_3t9jQ1(GVm+a0#x#J-EBOySqE# z;1D3VdvJogy9Rf6cb9`4pijPar|)#%o;CM3y;iU3nSY*D^}NriT~(*5_S*H<-tRL1 zA7p?#|19snq-Ob-)ZG7)`d_Oz|G!i=^S`7X;05=SQzKHXT5Ls-ExPF{@oE;!-=5|+ zzX12$UFH+(KHuM0yLld$mt|+$C8Yo3yz^omID1h!7{{m^H945TsQV_=h*BGrlQrqO zL00%5XZ2dz2cH5A@PujOHGcyy!)WIJl&-+)dw(2udKxxA-#72Esp|`9UR_(`*WK)D z?g9Wg*WR9|{GNF|h&DEO*VcTSTi4gt-;YnWw-5SWuyfu(u1ntS`T|{48?O(y=l79e zUB2ya5Bo%w4h|kU`kjxSel8wqDn6WnpbYm#5E@IaT%sot`g?9&JsV zouJ-bkC>d7+w*x3#&0CUYx<-@8Q0S^?$H)mhJ z+lvDOkTCcY+|F-VizXnm+V*UXuIChfzk^AK+e5$G>*t^sSpAmE7{8mw7TYS6a}eL{ z!*$f-Y1zxuDy_jA#MARNb`GHV<=U^xUO<5G`R;I}t!vHq_1nAa?LEDK@6kz>!DdI3 zM~uTUu*(m`XFPku;@2{NH0lRwAaL6CA`M{ICu)C(sC);1M&fz4c*sviUxB+ZqsaaJ zRshhp0XoBOLg@kxyo4F>zwUIs9W!myE?v{=ZfSTv&Ai^JcBhmQMs|6D-iOX+BL&vL zZ`WVV(oP+{R9RzZGdaN+$=;8-B`uh2K z2>4x{JUm?plkZ&J7nQxJH0s`9h1B6=?-Fi?Ny-kJRd z^y9xeZgT*5g35tS--zBg!9jexATJ2t%bWdtZbPgCGSy&XGz8d3S`4v-($H6SU@5xu77$33MR+(9)~2`03B8r-=1JsbscZ; z8(X&bG;Cc4hA)>6q7w{i$0?|~%rbQ30plEtnV@XDi{*azPa;13Ui?P@ z%EtabwErX#AD^C#8N49{1P#XM8GcZ^h#?A&46IE^K@;UdNc;ruPg|*?*6>HEvT{i4kqc;7%;Ae@5G>(K zXs9gV%V@+b;VWoNEa9tYf-K={Xo@W1>u827;Tvdt*_{@cZduY+n0{H~R+vAsd95&GvT8t~Dc|`hR9D7E z8UJzeR+;W`@=h6u3G!YU!3pv~8UG3L5t;4@@(CG;N%9#P!AbH38UIQ06`AhI;x0*7 
zZiH5BOiE%)G;B&iOEg?cLrXM#N`Ff<0?J>OXhf9VmS`lDTb5{Kln}?W21(A`2$Jdj z@$ic2t@a|hKG&vDsg$41pwcOs&7d+VmCT^BDVa^6eo-o!K;;$XRtN+0dSPVcM1Vt6 z9e@M09+@CD6FxFSY9-(>Luw~bGehbma56*cCP*?v>LqA0L+U43 zGD8|9crrs8Cj4NAG)hQihBQtnVTLr3TS|qfRcOkVmFW43Fl`1k#;-@{$Bn>g6F3Ev z&8}n#HI>f97GNp&CEdTC5>?Jn8$Fy-umWBTy<}l7uUlIsGSEhj&U#B5Jrb{Zp+E0K zC3{Utz<-`{rBS7`c4bkW#M?PmP+XRmWPU@5C;*?j#F?_;m zvuNeiJj?EB5c|)>o(`oBFSC zuP*IqhiPX1Z=hxtXj4XmuB)S#wzWbtLihg&0Dph>e-G&mYDfAY&F%)Ze}@7UaP}Yg zckZ8*ts2LK>uF?BFo@4-bL9ca|3<*pk1CH=u( z0qg%em_2;=x5@a?@E;)pQ+HLg{9grd9bgwZob3Kz2EM(h&5g&bq1_E~IV>=hcF&n4 zj&?jgGvFJ2WyRJ?kpel?B8M;KXRt^m{I5vnugH`X++U08|A2RYLUZGcNOpfi65%a* zWyReuDkr-_3BGU}TD~(WU7c$ug&97+D{$&KPGM&Sq0;U@3#1ER@xKh`#?uIu{~5qu zq2UF|(rNcJ=>0noNg)1@e{8MfXr}?br?+X=2mJpJ_^GgUSMQ}-wpJ=9M_?D-Yb>D` z-F=G~nj245+b&stiiI{3Bzik4f!B85e;$hQ-0j}*iI2l&P`=~j-M292l1QP{8| zIlK#MH0!5Dq6YG!2yN)F?CuOrxQ14)rU$`;WlghxrMp4zUxJAm4##uU#s5i|>av2> z<>_zu^lu|8s^wcNB*y3e4UC+Dv;PB#YhXO$w=tONpsowD3H$#9__>{z?Hc8D zz8vh%znqSiy#T)v@pm+L0DxELqml1#H}MV|?^mEn6c3`Dx8v)E_qU7f?F)s;uIKIN zlk@x66azkW(8a~Y_G6@mfbY(xp1}9F$DNC}gXg}!+06*x`Dly>5Cy354TaI*d%HJ? z0pM{9JasVO2LJ_l3GabzLw)udL=K%GxuD2ePtpEGqD1{yPmlMZ;x5IzHa`eO8E6;` z2ndLe5ZipPT3s|wyztx*5G|!p5M*H1)0WZ0!P&;e(#*`&h0(y-%+`hRpA0jDr=2as z-~73+O~P(#+`fU6=Jr#ldD4lSkA*k4chz|V*%?7qm4(0=Hk_z1ntdEh2CnRmF zO2iy(Zt02oL%;Y^lg!*L1hM0d+s)=%rS!6u%4&oCnM0?lnVkU0ecf&R{SQk-+)$hIO+T!hiXfjIrNwiM)ME7-L&$sa8 zq8rY_=CPo0?ta(7?-pgbQuR<^q4zLZy79hE`mmzLe7R#(F6p=S9Y=z}i@I5%*0JuN z5Bvis-fA?{zqJ>#nDFQA>%GygqQx6&0Cxs*kX_Fx2Hf)twV-o{H{I`#b}xrJ&rMy! 
z&ATdDNBGzCbJF#tN2kIIPj#{Qzhzpc3NNzP6CO;cupffX$=mbj%^RL);8(w<_RN|v z9SVGiBsAC3LafvFXubICl3M}eNslBQUH3+(-Z5CCM8uQe_qYycogIQiNPC4 zwfSl-_sUpn{pRMh6B4ODOzQAr&FqcMocv982u)l`vz^r$cJW&)d&3Kso<{`<(|T>+ zT!ZqW?P4bNYK+gMfs3(kRo8kI*XOEl zc~py_A1OH{(2}SF>RaVSbF>dRUI5y>^*pMc`<-um)r@uk*e{unDw4 zZe|zO?=hbQQO>klvD6IQxjT&u$4ZmN(@CutQ;e-?*DGE^@B^VQIlO*)B-p1Qhm&jQWP)=#v9D8d)BI@3%P_rye20U5X`KPBa3*77^kI zvBseWi^jygmeClcEaAD{*6EqM05bPJ^<3vu4fULRi3Fc#4Av(; zx%R~reSzbOO*GWdVk0THHl+=y6TOAxC}4Yb?u+UCGGw1~`h7iJ+wVS%;!EO0>k2+P z0-Hdn%NN&};O-XAR`s0}xYj9Bmp@Tfh)hR?>p!1WYKcvcQQf>n zCT|OmrXqiudW}g=jGyGVC#;H+J%th(#Ctchvx3xr*KI-7rqOX6)zgd4rk5TEmud*2 z2dK}N#YAnSP5}HZ3^mGVn#rZLs=Q4{pS0a4nhZ)A%<^}KYLS0NeET>9TE{T_KuF4D z;rwJ1s?ren`yR;|>&IT*vCiils9*lWBL%ZFT+iA29LdY!e=ay6Cwz-kx{JW01i)Of z_lfqS#u5;4GM6y#NWeTreWvnTArCX5I^Y6P*fPklK=~{M^K#rou}_ z6ZrxWgUy?bQ412c$xf)d7>}ptQW{h_ZBq=H=*eVUv(6sAk>b}8^44_VitAQ+oC@_= z0Dra+Vc+YLpHWlh7c^-nXTL~^&r3AA#P`)iZ9x6x2<7NDv{7GxKnT0pWo|z~T3~-n z-hSaRA_?Lwr-|+Ih%{f?!)E{j&S3?|LaurvD8j=cOhBq1hoBu2xGHRilxFKO6yweJ zyB6cfZ#HYh=*3AA(d-_8c19)(t&$ZHwUzR0MvQ3jo_)!wFQ1PWe-Q%-pT0XY2~ABc#Nx_+)}IkzP@6c9TZ^O{tulp&{` zDDOIT`F&Mhsy|Eekxx9BGOz0*clxmY-CG%0aN5fo$I10M)1dIN0p7A_?8sYd2ZNiY z`gSRz5F~5#Qj<23s~K#C#jv!jzsE?k+#%UAULEP zD~%fCz|ZXLZ1-;erxI&A{xO7vRit9-7mDikF5*%29Q6w2M?H1WO^U)q;1f#DCwzSi z0b~8XFdGCms`NyrFevEn;mEmg05&TW9eYFIu!?mO;bTo!6Zi%>qf#W zYY6k&I1pOtNmJ}B#xwUobPtpnLwAYvOJe{A4M5b=LfL7ABgy{~Wg|${6l96IFNWjH zw1zZ+=A<7%%q0uQ2RM;Y!MhVr`S6pmxyR72R&UjZ$ZfYQt6Y;eZ0a*+!|Sm!?{AeS zJh{Hk&~;M{v26yMm#xG2PesZDN7zNUKkO@5*0N~JYaFFKnV&|ykC-=bHym<|=v6H< zo2c20(`_LStU0=}4c5t$xcLOvTGZPkGt|{u;Zhq>@kb{DFdwpWVvf(!vIbBy z&}OlJ#mqr0YpMiwPvW|Hqplriv{tvE7pUv7Z`fNfBh>ZyE>+lMs(;6Yy;m-`(ya{r zh}bYJr&XFX0(iP>(##FViqYw{mxC%P#TcF8HS>G#E8cv+N4caK!N1KW@*}lZZ&K_S zGXLZLC0g?fEQpnSqOkIi$lr20C>G%Xj#yo#x^dFQ>|A*#K{M@$tjy8bu0F&;JbyAK z|oKth>jzn!VH>uL?HCJCgZjbTK-cp`_vG18$w*#Wv;{;@vwVZ;Dtv+*s@zCs5 z_QHpw(Qai)N6;4yhmX-j^UrG;$g;Zc3f4y#&k^W)!ct+f9C+{kIaLUE(xP4N{vQ^`_z&OtI 
zpMSKCb;~O_#uO0W+sAD@v!IoMbM;Tm>oES~jl6F*y0&n{Dy_lXW={PXF!B6l8uMqq zdiP;$S6t!eMWlwF$sfOpLPx6@i`IQDUF@{8OvG`&S6kQEI+Aho(o3O&en`XD%~r@c zs9D=>vC~G`$K*L6s4gR{=v=@Vicx7w)b@QZRa4wRSq$;(h|=$lb-izUntZA17Je{= z8j?PJnHtv|k@iN@NS2Zyrq#Nn&#M+NznDX;33as7zLwtEm9Qyd{ZOFOQ&m~PBh1T- zh9R)Ql16$)Xq0~(?N^LQqsKb8hrBPo1OE+w3D7uv(U&f}F33PR(m@pg94+oLGVJF= z?b@rb@75KxzR4lT-qALCZCBPOx_rMwQ+UW(q$!sEQi*Hr+$9!%!7gHEuVq_5pf~eQ z8@Q5IIb~HcXdF$>2^bs53u{w1lcf9cBJo@?7&B-{IJt!8-|{uiq7{^lWE%?Wt{9)H z|MBIg{4i6yIrWrWq8&E_{g#em)NSTUlTE1cxdrdbuLt@2#l_31*PDqsSWsZ=RiU_f;W42q=y6p4eAvCG_jycaE!CLNzl*q_P*uE= zk#g;I1V*M=M9yGnAJ1n?!#YoVkBZ}M&RQE0k8We?V?B()!Ez#3ze`?u^Up|_ZIjCxVPuPJ9~v1A z`kCd?Nv>HUhw=8-pdVgJEi8|gj#lADIA0!y zNhqCE%R8y=#7Bv2P1q3m@%MS|Q}^=818^Yqfrv)d1ZZy2>z|yt3*Dk564JS8dp((fVn3Y4p_;4NHQX)vPd7jzp(7 zbH{IH+KJrGfz<)@ak-Y=O#^54xeMkk?Ppk05Qpp5NQ??EBl@WY_EdtianN zk>9&b@+KC_Q(s?{?#76Yn+DySv6G+2i;7d#!NB?7r12vHb(GV;&q zx7Mo`F|8?iWiic~yItrdtd~)nMB1M`zKH_5a(MDou&d880sS9@-<+@#6 ze((OIQ2i(ehw@Tm=uXyx2Kx($HEL1hLbv&1n~-c&>UX45&}6czCE#UL=5?Ip7Lg_^ z0odU7HIGEIO;AR8)wGFBj!dzIp``)cKoa)7=^G1I$iQ@b=jBe%c4 z*dmBrh)!pna>T;$y8trdM*>ZiycHzaLZAh*!Im;X>)nWUX!;C&#N1YqmLbX-bttk1 zoY|}=ns)8z`XLj*c7j8e%$Md&dW1w&)^2iwhSpRL_6)b~7)1gu-KMb8?x;#AK?JUZHZf-$SpMz@`f;Z$kK= z;4v$l{-Y(Dut0(pmqvw1AOWj`VZAbhF*jE)g6%x~p;KadgcqOJ;a_Nrk^C%j|bHfxhk|d9i2m%i^Y~{ z13EBIBUi{!0YNvKnSfj zuc@wxPW#1bI>jhD^IQ_430=MJ{2-K%g4|0ME5;8(GK6#voe-#@IJ}f_O#Q=2;_@=D z_(T-*3B?c35V~cpolfW3nSuoH5k#lBLDH^J6I$?meZ}=G_-w#@2w!zAI@NIjARdp4 z)T0=aQA`By;$it*4vNf7q>j8uGsEfJ+%k#SvwB-Y>8n6O`h7^0ZSOB0s3KBphwj5n6@8dsPuS8UIwl!}3$ z#+~WBg?rmEytv5cBi>+`7-T_-TC5;LcEn#%6y+23maM zbkc+l*2QQKYWFj_tbFhZhHUEHN^ARsGC%ZSk6MBCqa2RNVngLK0y;Pvy5S_QwIc@BVfuymlwkpbzY9yp{CcM|b4 zS63?313Yc>G}-6btT5pQdTH9xR>6vmJ-O6eqz7bq!&za>R(#^8%nu-v2~_u|ywbb; zEnj7lNvV=3Iv+pkv_?gGE*#L&!h|7=;i!7$6*FH4D0Lp0bjd^w`?p9*I*HPCzFe`x zM1xmgQcJ~mM7UAgKOOz9&}i%eor!^XLD;R0OIsnKe_|*)ERCfyGjXP3@2erS>nh0+ zQiJhq%cM0jn}fWWe0FHv8|sRx!VuvS>mKx76a{QJ;u%9!%V^42A7D}6~-Tueh=}Hk<47wN8}m4eOxp&s*RzS zt%wBxz1|Xqq?MtD@H7qy2tPS 
zT2+I3nLgd7qSFzW91ID_YYeEQbi#f`Zr*Fd4a-IB&ks!$y7eU+@u`Oc(##;@gHEl6 z+N-Zq_IMUP8j`UBl)K!50_ISEY7u{0a;lHaOv(+RjzVecVXgVw1- zzrQ}+AZnwaVOd$8FnliC({v=YH|a^_^SImK%hu-OwV;0J2(mBW=JgE?9t`KYru^L& z|O z(sMb(!07(tORoXn?VM2wY>uMUkIywE3Vz?Z@hc;zryggBWNmUn%=ZtI)+TTx{#%X5w=oJM7Z-xS}*E*@iPn~8H;!)lq)p1y`B4 zZ{_uDf~C`w_JtzXdA(dsW^(ua(DrwxoW>5--7nXQ37*70%*rsVTGP7zUu815gD1R) zG=YeBcKy=1Il!wSr1RLctXSybQXPoPo{&#B{Lf-BZrh|`8R+;~p3g;?sWlglrG@@` zzEh<@vRGfSYv<-FAL2bXAd6lmSJ?rq3fz&uCv}`Vp<;@K?g)%!=EpM}Z64)>5;pE_ z-Ek3XEZ#C?=%FGyEM_F<&D>h`Zii7RgYf}8giP4!1U#Y(s?Scw1rkj;aht?gn0arC zn**rhIDQ#x!QOzHXeh?i$&S2Xt;fEAnElHl2CKQurPG>EmUlp|4AfP5Xh0Uj%ZgiE zlU6Q*1q$}XRO;VNpL|C`_*itl7mhZ%vPPH}7o3p3*i%{WqC&jUa&FYjfXQLT;YL(~ zR2TAbqa|mC&oHbbv5HaYp%VA9w)lKd@`s7YdJ3J0%N=&w&m>~B< zjA}$?Sea6-IbkX6Y3m9ZR3a%k8$WTf`S2u>q8HPI#2GdDGY@WEaLTxNPgE;)L&}mZ zNB7WMh5fn}*3P;dqYKYKPvEN2_h=8EG|9c&9QPYk0RL^I?8V4GiQ_ofARNtR+o1i! zf65so3u{>V(Cc`HSxBr7LZ%*Bwk5MQ;cy`1#EdofrQt{^6=7_%*updIS34F3zbuU& zY|lY4pwC3$qS2NiLvGrNYc)Xr8mkDYL_E9Xj^s8d$s%Oyv@B@< z`Z-|E7Y9D>8|F&X@~4~c&4$bwA^k%cQ$I_xZ4lX3^?!_e1W{7(C4e5s0~RzAWOkS5 zm&}TeZW9v{a;yE6a27@I@&&J?+F}x3E0987CYj_+`Iv=6%MY1Q4eJZ=NWT=mnE-~+ z>R_+(<4XG$d5BzuF{wqY-lg_fI8cQ~m5r$om@2A&E9P?e6QCRAyCVkNh34+P3uP2I z>8)?e+r8jrT*oy(D&?Fk0~qRZDRD_kIn+?!Lvt(Ntpw}%K7SYjuU-u)k52B-Y(k4I0J}YbPrD#=9F^B)7UO>=OENX93lrXL^rs|uAu_-XY<3MnhByGo^T5F z^MRYO6PXUeUyJu^n2+infSAk^g)H^s= zq(UvEG0pD_UWXjb7s>q^e07BPmnVS4uZxx7x(|FH!4Fmq@A&H0?~D>(UWP|`zws#w zeIMe=?~b9Rpu0$7IZUlZ(t)dY7U4Vs#TY}XN{GXh8JL6MqCd3>%?T!q^22cP=lO=6uy1gT3@Gor88*`57MTX> zjpyKV8eTGrD0UHwKU&U$Jpil(J#!*djuP?#D_Es4-U%tP=0azN)Q6py)&lA%R%*vNiRUsTpjOzXO!s z?xy^c6Kx?9^p)+iy1!M^%%1+ZBHa7Y$A0Y^#dG9uZ0&-)70fwypF-2!o{^x|hX~t8 z-%59(sYYa?;RGVwTzSiBjEFF3O(KR<$&24NnJ`8LTHYY{F=(P|K(Tvk-4rRaWDF*skYC=*q|6e+x$VmutBOOxmv*k_Wv;GF*nYp2|M8H*kXz6DlK zcJ2G3DRx(LvKq(BoyB!m{0iQ>uB=l#c)K+6mv?hcw#Pwz+i3EPyJ7ZT%&MW(57d`q z0&dJ9Z|i!Ct=e0cR%(-gnlM`uv4nN~@k_s6HJP8V0RB#vbl6&iKSq^sbc@2fD6v?uxww;m;G%KG)&=EE?WCL1BcbY 
zu*f_BEoEu1|DOF^rSwk2BJ=08G!rBHgFH*_Y0=|ahWv_Q@CpMS0}4U*~_iXIjm3)VdZqkIaa zofwSX-rg%ch{PE3OgFCvM$xQIz*a1J`!aoCH$w33S4f0oOg+i(0%+LWs)0>ZD+;6s zLlNJ}!mkvZrI!cpYJe%`@I>l5^s=remGauLX)YPd#KhUnSGSNc>RYWuwKrcUv3J zcn8){(BV;mkx}UBC_BdCmO8w~*F+@t8WdWMC%h$YhaBI&)jHE!2b>X86=xUyFNa9E zEg6wk#wr``Lp&zK#kY+-9(3tRg*~GD^Xk-uNETer)w%$7^E$rB?Y*I6p!h!M;q|=F z=cawDB;9vS?;B1^moaLa+KmzhP04kf25iSwEj2-ha1 zq#*F^ z%0OEj+!lXyul!dB;+|XN61i2yax^H0FYHYc{u9>t;9H2H&k;#7?5FcH-r3OH_=hqQ zy$Jd!W2$ZPvpW+DLd=fp#}>~IJgtHXnN}cJ*w6vWW%ypjrIk^G9xC=hd*;Ul`*a$f7id;eN^c+ z-LL>++}%Ai6sJ>>mdI0l%U}mKg<}1ly*#AA|D0Z=;q2RJdb3$cW){aVIn&13o~voC zghh_ZxF}-XJvV)-yineOgh|oH!`;#iy~zEEzu7L$xR`(N%6N6#QI&PM9Z7Gba^Of4 z5_^S8y!1Bc=X;`ANEYVcMoh|n$_7hf13zHb7$IBy9T|%e`6;w_4v|c!-OIz?tbCsT zCi{cz2s@$fg(|7Uu`(#~rsOE~rIUd5QU%_I@=>hV%H)k08IW+g`T|!^9}cPzFmz{2w7Q?sQT#wl{7~2=G9HRDm{xCQ zv9s5yZf(Hv&#y%H)R#2S;1^A>$Ah)XUz8h-f2#(B^QyvZJs7hr>)!e~Fcvj;don2ItX@09*(bF1P zLnYU1vKyQfj^y0Nmws$BqY#%9I^|I*gt@iXvXbul9<#fLL3&`WhG%02MHwwiY~0%{ zuyR8FFF>q+z^0F21M1 zaXb(kIhub~QVfUbiDT=IB4vK}l~j}w?@Qw)58C>JMLI7f(UZW?FA7TCl zXIp}-krgd)`#do5u&W~#;(Rn!P%&NmMkSdjgM>eTf`%Sb_>{CH-~kit!sG%P1=TM3@h1ezZ4bg&}`_-vT+ckZX!6L zJYlACPh{QBi*FF-G4CEwhRB?xm>#a_M90_i99;(w);=zApQ<@N#iK5syZ$0&UQ2F| z@KTN!IUA8H30CRX;;5|1S`AV4;P~8@+F360$dH=9BHOAJrk=aojhXtfg#E*T_2Rd* z+vwy%MT2^`1!(vLs{IvZ0q0ipOAp5Xj~|CgLb!1rasa6 zNc6I)yWEIcc{0tIl~-Dg1r^5Zt(M4$xB^rXlg#Rwuwpd*CU}oJde)(@VhOEHw#%Q3Khct{F55R z@xWjLGpEbEMZS@cd`9(z=M5~Js77ky^tUqg_?8C`Z1h{%Gm5fK$vHxd8f8+Ql05b& z6VNy5x^C|^Yq;stSfY@tL3_1a__EU|FY@B({5f;oAWmA%dNMa2d zQt(-oH|NkyNNhF9{2$qg1$~Fc#wn{Ju)7nm?vD3LW{)rw6@mM(lS(A}ZISTWgjtBD zOx1QqD`(t`-FBw4My|L=>2FYNDK)#K^Wv8D{V>osdc?5U;~qE_gk>+O5cN%iuS)j564=_3Pv|RLo;QC zUTS!Eu-wVCQ;YfzNgp|%R3X_xGezXmtZRsfm_Et^S&v8$dDJ6Ps$@U3nNWP^Ldb%& z`JydQnMBvd9v(~;;#u)?fPfZutf_w>*7UJ88+}|e$ZVF;cEg&{{xfS^Lb~|6o-F3A zf7Y@T&+-<&ifu*mwA);X$LnT|LfIwEW&3PLWE>q@xr%yg8Y4wwIXR02ad#+35*5&* zg;x{axYJXaVSv4Qa)w7kVzuGJH<85^BLI8XNM%*+liWl7!jrZw&0>YD|M^l%$P}po ze$YKy=Pw+Ks7@bGwCE|je*TArW07vSi5+v!6Vdo)#+zLd>!4ClnL75i!aKV18g6+% 
z8*o$uyXZVvpj#zSvs{$D*osjoSsRmKPVL(N^7` z-$sQQTzb~N%MHq$bmR!xvfDUjKs*BgB314+`6r2r&kh?2C68WonV9Wytw;pA0~*l4 z89H0fYJ`D}y706v5A1|F-sp#<@smrO2*(SNl~d^*yyn8@OdM&~Y-ooA(a>26`b!*X zkL(Z+c#k3{ugymxXg*4#TQW*Gd)YLBho~6+4=IknEkc~tSS%VaI!sD7T4EN5{joJC zD&xtpkYM>XKjH|OC$tJ@5u`UWJjG=?1jG{^OX(EU6**{FC)&%C?u&Zn9g#C-avNyW zev%U~60WeZjr4Bdr)Ht-Z{?c&u#gE^Nd3HrRz1r9>|#h8oh7)(gdN5_veu^*q5a(|$S zz|@lS{ox5!E*x^Qn`MhHjv~613P|Df0DYXC04TT4d35n1x6!~y67{7`q*a!7y5M;@ z1GdD6^{*~8Y)+P=hd@>p z;QcdIi6E2$@vtOanlFe15e)sG;d?B3(mkmN51wtYpnl4s5qik)K5FSgkPytv>7CWF zCiv#IZST3p*VLo#5{P`BCoAJ84O*`68NquIWg;XUO~Wq2Kr^76OA&`#rTx9TP9UN* zzdr5n^Zs2k^JscH1KUmhnZj@f`SeZa@8VJX)yTGk^llYgHq1nrE1K z?-c(wW5}KBhY_1dP#tOb0#jmL7HML`?;P6Mm-IN#0+eYYhg{fIBsKaR!^7@!j&~15 zZGtXL52O}+DzdO}^cR_0(`=T!&{T!zkQz^yL9gqs0V+_5$%!xz@*6Wxj zLKSc)f>R+RdMzezk>NxpyM%B@&M)>D9|LK(=(6~(Rp)YqDbA)axsM3rim^n}^m9Zp z-{4(cRk*NaZ6f%;w*APJzqFBN!a2FWpjrvG8|;&gQe;lNloRDRRfS#s87zmLLmY6k z%XjsedyeJ{wT)zsFo4a%0fFkua8wp9t`(1Rd>@3gk^bO=mV|-ynX*hz53BKblyI&ju?7Xg#Bf_%T`R{-1(tS-KzK-+~Yp}zy1RUhM0 z@*1@kO?J>Se_R=seCo++=%*PGb(rC!6*5jS;gsM1==_vDn7I1 zsGGmtw(xvq<6MxHYS=890gmK%&=sGE)E-qss_Uu#307>18KuTm*Iv@7BGpqx?DZ~p znEFYs{w(__DOy)aK^yu%s5$0p613A6mSv ztzJ&hMX;#&$fhAY4kKQ`&8cqL48oaInw7EtDSp0VoomC(BC@$9QH zix?$8WNcPA$X)`a(dT~Q1fiSnobyX28baW})fMc0hhMkQr{Jeneqj;ENyQ2pb$g#VhiM{oXu|@9IEIb1)H)F}M zUz9w$;E|Za&jqYz44-)PllC5bs;QpMKyN45Zix|M-I!M8uDHt1mA+T{#h-fe<0G98 z0LhQojdwzu)P@j-vv537n^_WEZ_kK78k1$FXk`aG&V z?9#9vXVbaJ1{)U=NOBP$sjv6v>HNCo6j@J9W`{X>UI>XpH_)Er2{sCeN~H9NWm_Mun2b$509#=|67`Q+-TcggQ` zq0+{0O0|j$T^8-xe38FE&Otqpb+)s}Kp4z1I z$Ztf}5a6Ie#S1#kB_5@lLAfK(Lctq2s&+EPs4Q~|0^h&!H%f>Et=vTKyV*rb&# z_GeY4A%Yyz=g?UaGU$nb$_Mq?IDZ8yS*#iEHiaAXa}RT0^jweW6c(9c!gse3cw~)uXub0#W-aLpnl6Rd3yDQF5R4 z!C8^Pxg#8WDhhG>&Rq`DoEqc{apiwuxCjS!>DZ7^+XQ!mYjK=T~K(yKQPv4p0wpxvaihtSJx+Ql7z?@K=zO2C?O8lBp4AVyP zESh=@spTz;+Tj!7x`yr+0nXxVkqf<+l+%=wMGL%A{~=0J8zA(rOeT>3rR~Nak5%?6 z68X!K&u-J(kXkaEQ{eD96% zGR8UQPv%VaUTd$lcE(;a!}g6k?T{RQ%eI2vGXMJp&s%6(aiPYI%g+nMJPh`1XMqXX 
zhG7-J6$<3Q3CAO(`Rnh(0YmBpoSG2+e)(~I0`04svjSYz33oq)2p1Z=2x7y`UpI@! zgV$=GT9ibdkC1QsJLG9_IyY$2gLv=0vrpln$qH@Qe9V+&)s;{@sm92DMhCz>@Zz5;7gs6*aWe>^Fkw z8CZ-8%AHj7D8RB5@4|f|$?eX7MqgWOTOb+K)p1WF_}HvJOAAmXJX>WHtHAu)=3pFZ zS4byZY?(B*lMzY=X4L_OuJ{-z#@_-N$8&DEo#9*RB10sO(|LhBRC8s~0{Cp!f!5og zNqq`NS(XO8;V#;@HEWM<1agfXyO;?awnIu=8Pqbi*y5bRds>pObjSG~3yU3%31^Du zv?0odZ26DScEWZm{BNF#Ur3%w`ndNOq;>9}Hq0G|tT0G&pFO4{>Bt{DE*P}T$v#ra zweq8`Rp_?%C7wX3$$-NWQK$M>wOnl9ri==v>qC9BmGc)>2J4-BD_nq!uULn&)CFnn zXS*T2l-%?s-YB>C!^4PO-?@_KTZa`BNrFJAZNW{?LHY$kdBlZ5hO5GE0R$|*cin!n z`@?LBMi}AC+6d zj$=uL-i(exa7kB^X2Q`FvAB9%xx*<{o0>vpN7=&CL5IhfzkcB3I?=TsbuD~Ts*9wX z3&j%^Vu({ts{JOhef z%z~S=G=;?!32VP}utUq596XOxAutK<;`u~4d@H(XQb4DToLl4L{^IcY>b0??BX(2w z#hTJjJddVa^Sxs{Y;PW{-l>q6L~bDvws+(*r#mQVgVyb$6jx?o$GB3mSCnG2hyh>{ z09ZmErulfN9|vK=)dB4b(otNF(>2^rtqDhF0H(WfJk!w20#sbg&^9S(Tljl@<27}; zo(OHcIdM}xhAwY>KQuS$=6gqH#dT~6`0i32_LmAO3R-rLo7p&u(FW?Pc8&(;aU3uN zXx>8_z9J#-tJzBd>~m|2)wy!0$?8FF2IP|8q0ShhmeNQW+8)zkulkXibv4N$G~+HBbaraBYYNx%Z3DkS$mggJw`djO@dX=}YOp1Ei*`bz+Kz6DZtR@N(uH>v&>TDOZ z!(wD3+uP)sn>cC@I0M&bm0d6D!JI$5Fyd8}rHKL~L#HF!=D?6JHwQ2Np2ZLEVxQk) zCbXQAJ!T}-!XwnO>Mb;2Mi-l3G~<6SOG@?=qCFh1PB(XKojr0odCzPMq;a>VEY2CJ z*m$wNbz<{?mLs^DBI815OK{E6;q#eerF+^QZlKqPkggmhQp!GuCON99^40ryBtwmp z+|_U85CC(T%=$&MK8BHGKV%7hSTe_NnN-)PvT6;H+EJhFPA*zu4obTHal1Z+WksW` z&(n$C8u5;~4ARPLX${scHJ5AhK)H_BR!-fQH{!@+OZ`M{Q@&bxyEUfifY05owDheg z(p)o5Rp5<^q@I0@!pau9(ji?eSbqz}qhZ=BVrub>n(oJ&8rgsMg4@s#!{@F50DLzA z0OH>(*u(RQqm9SUWxHu?6gMwHcFvF@mG@qTs zu=le?V}FdE?CTjN!h6V{%wj)Lv`VKVXBi+ACH{%m@?E{Em>~Un(VOc@pM)aIxgAQ% z>1HG%sty?u)iT6f>9&e>BrNhiWizRw(IFh^A0-$D4s7(!HASnU^5={vqEs`j-+qAz zG(gjf5n^S@Nxn*MZAaohht!o673hOw`&wb|Is;I`6ZuYl0N#wJ3zH1kaq3I-VO}HI zLYdpUo@e7kh^_#7kvnHH`B3s|sx!+#I;N1bAaQ|~4uton!-7>c$=l3I3(=ld(U@_&X&!pS~zl=U)1Z`Ij9dxrIGHt_$Bl- z+SsOui?%A&D@C8U|BVAR&y%dCHPseUZw=17FSXQXC=cI$YmK%!p4I%YJx&Df)lY5c z-+Rw6;U8b*iK1sOm-w)YRP=%Oa!st;t+TPtO1zrzPz0=fy){H@6d@ExZFUMK91(wS z1FNa;FJ3;~p>lDXtHSd>yjOEN6OIDqeFc8ouaf^fKzbs&b?7j&-tiu}wYGthF+vt~ 
z28*{(9s?XF1uGxfP5X>Iz0ve$gJIGT*mbNkpUxmX6&~%f_$+pB?l{f8e984dt|1#X z*`4aKLhxver2Skw_Tby*2a15t1SpEc8~#MHx84U-NT6o>koR$`naVa9e(@RVpnk3f182I`?S4USY4=i3_i|0?ONwZxEpdat zCI(fEyt7&Rs)$eQ-@h9kyTCfy@G7zw%@o;ZPnKb)9yyaDU-eK;^4fSFXsN3F^Zw4& z?$t$4POF$j6tQ>g)*WYYu?)>EL}&EN$P4L1LxJK(NtZ_Zh_sHdw+*@yU&>cx-BiUA z%<50LmmNNpJv~=on~H9hyv_rvXtaNMO=+k>d5YIucL7rPV+cTA0tF z%T?T{ejqaiX1{X%q*zI&VyV+ueXH;>H|Bh8Zr3>EisyCaZZ|VTOV`p5@|c_76~?Kb zLGQ%pA+V~ie1&DZ5I|F_Bq{0VxEjKUCzevlt~O82KVio9=kg@O#sy=d zLzd3~zHagbBB3kAPonXeA#A}^5$5Beprt5r0rNRFcTfl*fec#&ghv%gfMmh8!)M9u z(P<+PAUPDaY8$>jM#{!{f%ETB*r2i=)s6{)*RTNqLd^5G5XLY0i>yQqXKXF@+A`2JzcL_5=Ca*d1ZY`#iTkz8+(2NLG^Q2=f_sW18( z@Ydm`MYdbMA-AZ89ABPDJmO%2jCXmDy@#*U`AfrHk2AG>V8VKnN3D$ykm>;I=uPJ< zR&@pANjIpl#>L>&F!1xMtjdawvtrThqJg~wrucjnC0E}4gu=Vg-pQ3R+0(6sdoU}@ zTHo347kh{js@unHSpu-gk#Qvg4wtIqtN$LT`}b7)Vk`iF8&kQF{*L)S^*=0KTpWHC zYr05hqyQ0`S{olxJQnFgKmo@MyJkX2)Lf^^NI03#%F;wjVOESjQS;7{q=oFONf-M1 z`W9;1PUqDg#)ImF0yo_`B42sEI#CZ^J|7XYkbhmTI|JpaN2$ScG5S@wkQhp4_JF*?F8H+8gcxL zn4BZ-d$nTdesYbBemg}BuBgoOp2T%mf=T%)*F+``eM$2zK zSv?(a3s;`tx80&KV)B;?H;eP;QeEaX8I;X-7l-<(1Mi=9HzX3s9cYl%q%=_B<)BeX0h6RTDu+`NzXeKg7l3bQt?wkB$`w2Mhr5|? z%jJ_<hMWemo7>3-YvxBvdrvcG(}D^U~pT!2iulENLJ;Lf z9zns($1DBhSA~tD-mAlg%T<9#4Lbe;QNtoE*&-uFHOmSYO9O$~v-A3Ga4%oeey;>* z=T^VWzsCyuMsIin%To zt3f#SPxDMMZT9VK86Tq_>^f_lpd2ZT3GN%0F}X!jZ*2_tcJJ;UkYUvf8O4P@j+lS0 zYbZ7+(nr?e0VCJKT_O9I~DT+bCUd66v5}2~tY9 z9oueRP9~-7pss0Z;P)WlUau@Qn-2-C<6Zc59L1s`bt2de>ev{tpK9;@cqh+%+fCXc zsq%P|YY_8gi3Oq0bvN^XOG9qa@RxE16M*;{ceX6E1P(@_7qiX1xVW#Pqll&p$rA2q zxHiuSrncUSyL%;aAVndYE!}UIAW!>!@LI#X^fy%eS7yrlok9Tv4?JXcX6>zaa+GJ} zA77k&K$UxbJxan7mF6ucg=k=5Q{ntk1XAwSR87Im9`m)^KWzh#Q?=Z zV@NULM4pdroNRvIe<>1O{`^PzayJp?*nr?d(qFsKzX^i6@qZEgL*3|)uF++d%c@9! zvtSL{V*f81NtX#PZ;t;a45G=uO!#N3e3|8Pf&MoO)+Fo~%b#-nGW2pn`vYCXC_nup zy|foUX*&0RIP+RW=X+ 
diff --git a/spreadsheet/macrofree/waf_checklist.es.xlsx b/spreadsheet/macrofree/waf_checklist.es.xlsx index 512fb7f968318a8968286fc5d1d149a0098bff62..7455b1500027ffd8233bb145c211bf4d1be8f16a 100644 GIT binary patch literal 187767 zcmY&%gFAYfJBHWhp%+4cE&E z54qJP@7$CcMv#vv%o~=~K1J^o)JSC&_;Ps;&TsAJHjJA~|BINsF-7E>e$R@9c?jXh z0?7;C*l12z&Ynjl)4E?o4GvO1ApuxluGOM%5EDG-_)b&x@f^LViPKb)piAv{0D0ez zD(m+e3c|8AJXqvIcQU?kG%2oR8i>zug)wx6tbts4V%8d&Z$n7?9#$Eg z7L>nZ?U5a3ytX~s(^yk3VrW;e>v}=ae;?N78l52D@UWp2jJgzHP7V%)Jy6yd@qAjr zXO8fx!T$}v%NDnls+*OA#>m9NlojJYC4Ou5it>%qpMaF|5?KPK)sR>9_=6TJlgrI^ zJp(702>*r&lbrY{&&>@tME3hWj{@FKD{6*4+_;4XzXcQktx%~|P{p0C;S>Fba1PA9 z7+Ct#S^FVU^tpnj2`32*xkRJ+NZJ97dO|kELhc7>g1Y1C1;2jm7IQmBGHY9&nwSyK_BWHC(&z#iQFc4eU!RL#>pnq(gmQ zfuy9APmF$Fzz+#CH$(V`C4QCDPS+0t;DkoS(%9wj_MEZ18=vZcc~Jn5k4i)}m6qf& zSc5#GzfrVYZMMF0sdR!72W#Rr?kbwLkRX2A`#ih2XYT-$D-i|l2)V8h;`Z_R4_`|WZGW{Q<8*z-j=}Qb z)Up&&VdHSpp8J3aJqPAdbi1GoJW`Us05atKf_xXpY}c>Th1Pj%r;;j=EzV%2Hpomi z2H1loR8wb*>GcvPPnEvpyI0&N)%=CMTSB$vbVDcOaUa zI5cTQZ20kCq6El$BM6|woR1j&zTxdgNF6!z6dgWYrTYZzR9?~ZN!d!cFQAV_R%YPF z)%-S?udnn~E(3SFK3l#Gk*!8wwmhAKP{QX`s?|wZ#SvI@<>EpD^+uPE&37n6z@6k+>v{f`}S~{y26ag&; z?AjUi6{au^Tn5Ap#91l#OO-Se%l3*e$F|iMwLb86&XzK}b*X+~0N9mzoO!p_q*^-M zu6^Z!Lt-+^NbtePKz>Bquj?GM3)6|7^%1Pz>@-DDm_Mc)x?5H}q}TvT!d((UczqYj z`Lk9jgB~(MO2?2~_CnG4vso}Bj8EVItX3jT?O zX$jzBAmR4>O2&zg%QZ_&Wxz0o5=be^(aapT^@2FEx&@VC<@9JJIk#$csuANi{v|H@ zXP}uBa^>X^6|Szn{03@Cl9q-)PF@}_ws}s65Okkdvn+J0({kXUfi<}onP0j6uM|rM zh|`+1CKh5CYID2*gOWKx=Vv!TWbKI48o##by@c!gGo*k5X- zn=(O5{gfQj9Ot7559%H9GiQ+lQ|ilT-Wj!r0q8swIwzJ=RHqP=>}x*N<;PnR&H>#L z_UiK)%50xQrN*n;d=*AA7OAu92YK_%Wj6!#{MS_V`9tn+EWabpOQ=Y=YbpIn_x!w( zzK4tE=sxe6Wptl=nj>(0ZEhCxFJmZ{d_d(1rdrnz&dDevkYqhT9i_A=yU2x4&u?qz zKXqCk=#xS2HlIf_TFNC1V`n?9SWuR|PdW)-kV}FI44T=Er<5*?zd|52|F{-!o|LFD z#ZsMHU#zK?()J60-F|y^!y3mDI1+Gubl{)Z!`$GtleJ+f?6jP!ZWp!H&sq>q=#{1b z!1jS7#@%0_Jvim*IX9T(1Im1$bym|`{EXb;@O!duh2+q7?PhVh2`QVUhknZ*sKM3g zE!69?aon{TCe_501{g61pbORA7b&9nVM!A$j9Ke0hozs+XUHaN_C4RxnpAP8!b6fO 
zYq%>*W2I9uMRihe+FZfJY)HL`9r;T4OT!1lT3B0m^Cg;_P4J-?Y-y|6(P>RI*r~F4{hl?Vo;fxyl?0w-a-XnfMf{$O(mI)-~x(^XZpvIOSp$TBS_k3xnx4-nN*; zU0{i)fmB=`a?VJS*QVE5_DL{d8zRmvMbpC5g-)9=8UlMkfPs>bb;&I#nF4~wH%S_J zuO{49nWA%Eki242r@rMi-lyHE!rSCGkK4@ZD=_AfW{+g$QSxa}R0u2cL=5&m4= zf>))g#Vg!%^MdUr_r%|`l`1%Z2CZYoJoTc*U%l>mkKKYH5S*sZ0J-x88YPY}YJvHY zWO*A!bHBp|fAz8r1a+hXXDAxlN;m~fys1yP|Epw2S%f6SA)p{!8OR`5|5Y*<8+!`} zQzIis2Zn!s{*kk@j_|lu@i?*@Q} z#rmkrAgS`BD-Ww2JfPpcFlQk8DXuqI7_ex?xo-JEgLv;a^}aJ?m%cn6&#lq@Cq8?@rvFXqS^IE8gR84*M)LF_h*~vRt>0HoE9{xNVOc_k^pL zKNXfQObp$0KFcJt7nUD%V(_RaHESH_Ubwb=TvYi0y2u(5m0DbcB*_@4x4sFEkB$Y5cc?W>d8Lu8QiFF zr-#)w8YnBfJj_1b%(xrb)3fZP-tSUgexx| z3ra7nnLFd|BaJ(JIzvRO?xL^eW=mi2!!i!#BHBZ!!B2Yk36XXZRY%Hnf@>u{ryJn9 zRu>6qUwtmApOtylmnRcAc9a@kJW_4=M$^4b_H(yZ=Z!x#+F#Fw?vE+{@KtZMR9VL> zm5IJDzT`7B8DTFsE-SiJ@ba8ZkkrpUPqxx5o+NXBw0NBGY7Dtu2zQ=CMMY!iHwAH8 z5lsS!n9NQa8!vLK&UhdDQZ2HZeHNjs==!*6`|h(=H_jB%T8ZBpp+BpkpB=?8Q0hg% z#YBXsggh|Xh_pnPl28beP$2WI=2k?5Up=A-MGXjy)-X^B(V0J-mg+9@((pSJS6m-O z2)yDpj#Ttqbn?CKBv$GUV=p}fSa+E`=t~dKpXxa-5!RSZ;~FNVHEU6qsJIZC-VK6jbu5v8j&rZZq%;a?LEn z^MCbuPpoRpeP-b2^l<~c-7_GyhCYmD-zCIN{W7?7x6yplfkArTD5Y&cgYp9XwW6P|yu;@4?tI%V|thJ5e z;3OT7Z4V0GHRwx~R{1g3m4SvLqiK$bd5(p7j!SM()`#|4^<&4;q=wf;2qAL9#U(+Q z%L~iP>sXVr^GV&G2eEUnptld4=XZpg*VRUEv8h=WUfIn%9^TnoRxK|6%DyeGOM(@o z&emyObJm+zi+2y(In%vI!u!j~-=qBCg@ez9gQ=Ango{?w&AN-tAZB^-`?xab}eT@ip`V8!Tm&w#*Z$t=m&etMRNEVn_G4zACz3u>N`(x5eNWj*ej4_E|T z)AT-x&LP>~%wzr3K`SH_R$d>0k*y>*4+h;phG@r-R!)8lz1OHcK+2`(h=!acq?$$8 zw3L?q_~kBL+EbX!NQpmsX_L0}H7PfMi z;ayn%$?jvt=utGWhW%p9%r(P^)ky)bqa+HYD)$)hT-`&Tb2i%Mk+&Vk_;$QMZTbTZ zu!;sXB@4esJb|=?yC~F<{ro+-YW-!=oUR;cM__VH`tCNF>Ggw$oV{p((IINHgcMn-W^G+yyg&*8MXDj^3g zzw#jwj-$VaVsxUpncW-^G6g&)LPRJfU{6U0^XsvtT68xQ*-B{~0g_)B=#U9P`H_5g z+k)!GA9g8?)sDc&9cp6=>eh^+l7p>}ifUNur1Nvaos7k_I3Z~nzxDVQe8GA$<{9MJ zg?k|fU~H!cvYn&{;y)FtstI~CZE4QzKPmIU982pM8hza9;7`4KTdiBEq}yM1i8igb zVIG`vWhnWuKChS6_3w&M5j4FHMIuiC>IrW7vDX5))nvVS}4}m)oOh&ACl}>a|1_C zTwKgpf{+EH4dPkPDCS_Ryn`tQ?Q-y{#i`5hY3}rg3=Ev@@t9@n+-^jKcH|cv6L8I? 
zdiF;>i@451i*L%^TiL&+ZqTTM+DBQxU8cF79SZeN*NFBu8Y~)U<4K7oMjrPK8rRt^I-NOP`U?Ms_S? zG~Aa?Oq?O4%^GoQ%ppnCx}NN-DzEUP827fy^Ook-8?R#e%z4Kt8*3LKe`$zxD#X{n zVt%bpesSRyhtgw9`%1{Sj=!<~}Bc-fmB@$wA5Oqs+ zkYFHzZ9{2VZ5?kp?&-*luoKHmv+bhRd!zO`s~jCDt>t^Wx=Bo9kR;r(ZIQz_t~;kM z{(Y+wFIp4q?b0DV;BYGYsWfx(=tA|AhOnS3sp(XkpO#98uVmHTqe`r$u=545Ayi>> z>=(4GgFmNJ60HAm^7BEZocQjzrk`#!vr$Pzyxk@ve#lx1m2krWqWlcZSs4Hm^ZdjU6whQ!WkTtA9hqV z-e6jqf?kwdJa=%I+w)9it3#tBjm!MG7rbKWZOJAe*Rd6G~yQ&Q;;gNmSjRZEK@ zqH@g>?`b2YLJrC#hv>zkfat9z2`Y>u@ogkr46vP_T};CJI{fT7&(oy6u}~YS z*Xq%64MSoooXk`Ke(rf>AK6{}uNz*as!S6~hRauwIdyFXNz_uel(%&hQvcLJg88(&2r%<|Nt; z^K53~V2{}VE!C*(^h}?j!IL9AfozoDZ4Kfgm z$?F|K#x92(KpS3_u718;Q0id1YkB9_K^502Bo1cqrktIrY8}uq|5=9Fy`HQjf43K< z_t>n!d*L`!Xn7vKfVF-&1GzujsyA6>VVLYl9dkWv9v{<;9?<49s7uAarroMxytHWA zPvgNA!k~=%Jvc*mR>ubu+qxB0uRJTK8Hkk#wQ&|cD)mN!stE5_u;_@tbvucdna*Ht6 z^9L(B;ZsOF%$KrpAY-6{>hWYD&qZaP-KjlBh;(K{ojo3p-y!GTA*0@HL3k&$@!jSL zPJ;DL>)B<9j@MYNj=)iT?OnSLq2&FyCV3-J3zw4>3jslyg&`%QtT&Yf5Mbg&ua4fy zNt%(D4Tz0%ye`^bEQcuM zepRA*IA0`6M-a9$j!;Z&9g3$?jr+ucCB!HjMXX9IhBBTQ5Gof%qzkRL2dRh_Lj1oc zzQ!ntWuhaGEr#x#hFeIzOWD_Q)@x%#Qcr%5A&R&%H3IP^1>p$ls!~0f(P~)tP>z8@ zoH{0?4PFMu>h=>K*XTZBunK=h@1=}JV+3Wd?H9IM9MY)T6ekMKU zN2~n6Rr@TBUCg60&>>YDsKap`<3x-)Bdv`G7F)--mvExVBq8P|rmh}_Lbd55_(Li3 zaSFqOC6}iZ04CKqrSx1BWX$xVF=N8R< zz#t_TAo#Y@1+Akb$6+P5?Cwz|fBvCX7~kczR!q3MNyE8m6RIrtM9UiO7hO7X;idGoF24 z-P>XsP^Ko_#=Be^nx5$>;j})TqfEnOe&?Ujh!Tm{SKJ`ekRg9;tzE1X;}Lso6q&1_ zma+`0L?tgR=3!-0`xB*Ne2q)2P#inDC|t7}ca24u!d1W8pG>UKcwb?W77T!_FTR-F zk^@bQ(Z*;uVwqiFZOQ^A$nF}HydRWGDaS+_Mk_}u5L*C)jXFTdlHTLKIP^_VWD&%O{b{kD&{%iu;JOx#p+_Z^H_lJ*4Pj@H2ZN1`b5`v;b zL9!Yf{xAc2LekA@<((g|Q#H~>NA?#jKU2YDRsmVNE{KYHQv8Pe(Smd~+)6RJxbn~* zXzJ2@0xTJZc%?*Bqk~DVQpwS$Q>DZ=?G9dao$y~%xPZ$?DK!p5CItlQT1V(uql?4F zE8%WkqC_{qMeR~FY*I+h?tmHiX|ZUjfJoBcDiCMO6Hb~W6G>9kD=G&yA*VH<5X)3fFFWEdn1~fSw^`Fu4Ob779glkpeEvJW?wNT5x1%0rZ z-IR8NiG7+?V_Z%IqdQMUiDP6*Nt6PrDZy;Nlr%S{WWs>+wx4iRKg3Y5U1abSC4T*d 
zZWh0!#IdHlgamqUwnZ*2po!wlJse5e2Mk-gu9ME<`d8JD*mXjCRV1U1U4Rw_Exov*23_;Mqqm#fWw6+~NX4I8Z%SEr90#xDW|>3b%A zbYVZ0t#h4HxeqBh+VrCr$?+96kCAsq8K=OwZ8ZniyA24UO=vN&O?tzH(_ZaAP;ih8 zxQd%mMgAuNC3*?XGcEbeanxsbzkL}+m;I_&kznUGN^ve06VD7F>!RKCl}2fFx+<-m z52;t)<;cb?J2bRitC|Gmubvlja8JWCvQ6g;@#+@#F+b9eWF4pLR1ixmNp%novf}3x zO|^g(bRs$GdbagDQKNwb?3p(T2k*DLWXQC_N>=)cz=3~O8W>nU?SmkvEy@5-nwty( zc9RUgqU^uCF?KZfzy%KS)(sMz=T$ z0_^7rQ4$7`5YvYojo%BUyLA$>aNZ0jEVP8~@W3hLA?1#WeO3D{?oTX*#(dWU7!^B= z8xciIiF$Bk|D|LK95n&$RkDl(H+=DP zsg&*5YQp0*%mN)u`h$7R%(R#{*trAbYfvUuZsL#LP?2u?f~UyS;7jYp3iOT2(uAs& znmBrLepUN5I&yQi{C2TMz%`-!FMK!W5R zl=Gn*yV5#rvFfXSD;wNx>{O*&FbWpY@9|p7T3#*|SYy3G9_}%$>;~LaK-R0bV!!By z07SxHW=(n5P4J!R$oGw-jtK1)Pc>*4T0Re8yy#!t>RRcV*WtddPm=G}tJ1XlTAagY z^8;4Tt_*Z)>UGWbrund1*^8s-B)pXiCoRp<0cd(2@kU6E-tKXVGu3le^V?^uetLU} zLS5oGpKS^4HCt;Rak`!L)7B|)RS)0zia2kxFgSg?3$QiV{kfePK1%kl%=UC1?s_9z@s9w_96Tw}jp+j@3Id6l>4Y@I-pi;^l+5om`Ei4)k^}J$1%jh0F*p4vh z`EJa`#sYbT0WL`Av{fA377QL$3{rt08~(UQf&TlL&(8PJY7I(gRQHFoCdx0AMUums z7P_Eyv}3m>A$8^P@w6vuz1l6u5$M{;t|gg6Stc_SoelsI%D;+k zzfCDp>>(jSsf5)N6v#Fj6u3TB@LkEdn{z!bc1F2Z!nyPF7noAoGgzXUd_(uMLGAc| zSc+H77|2pvNP;U*=;0DQ>SX{q)<*pJS(&Y%5Md`%C<4`Uxqs9r-Eo)DgPBewoXRA{qZ z020W$Lw-7tKo1L112F%cD#gEz! 
z*U!V|F<|bub8+NPO11*ZM~LPB!3Ro7c$m1BqVNeS@r>rUJwKvW(!Ta!`&tclwg^hy zdi9k^jGLOCcBg(+9Rs%+$!SlV`04B^tmA66 z?<`>>PY`zGlXMin@;tg`-ee!P>Q3qgIH*U3Cl^L1p6JU;y&YG-&Ab4+K(NE%c&`Zf8o9Clw z!vUR$`NXN9OTPi!qmQ1LOBR%3DzAc%(-oJH&|>Lh_LSAqk79}|yU)fUVg;p!B-K$t@mH@`=nJg+=q4itwkX`l?HlK`bTkhy~13v516RZas>=UF=l8e@+2Rw0{xf z{!YnM?jgZM3-rKM6cK+C5qc}R5Bsb$k0Vw{bM^i zD7WQV1E#FjgXP#`nL)7?L?y3Ww*{RZY{k8&$4t~}je$QF%+*O?S|}M0UA3(yHwIc( zmx<%H$pK!7pdHLrM!YCi+q!OITJA#}%VIggvO9J6pFGb#*(-IQ_gz_^vxxZ5Lkh2( zpctR8{Fy%KJ%krs6K6g?gn$JWV9dKqE-^{|nBsAJN zZ?PX)LQ2}{tYn}_BJ*m^{(6!8Ye22pV_dCSDWf2*cxs-oOv846HC@OLVK&Q|(}Y2H z5EmYA1+?CBj2-bYmC81-ZmY^-jb*xSvcBg%IPM>+1c_?#=e?r#@kR?kuXe%3Y%%(@ z8uvy@_W1cJ;q7|s(*EpKbW5P=-mvI~tJ-e!QM5Yon1qkT9nzIhq#$OZ+ujLtTT#y-UDC+fZ>pEB~T1j`pMU+s4 zSNuac{R;`#t~G3dwI9@8PK(5S5$V$^m{uRsoNE|@ca|XqfHdZfu`V-5S4Ex3|Jiv+ z#LLJT6_4aO6@?&_7xU4#dyidgj?uFT_iT`&Cd(>EFzJRBMDnH66Z(n<3%ElL&B*%pjT|}vlbl=J2iR?A0+N7rkzEvj}CJY;_ zIVoV=p*p4x_X{%^C8a@xEw z(O2G+r*HPB6rDAO4htNFWBOn)!}6SYpsXY(vtUw}k ziTatw{E?)9$l6&U78()2&h`!L807Yb(J&UXi1wralGPrPn)%;+O=6KT1M|gP2+Pg8 z|1H923!z*AS1o{XoexC1Y%&o5-X2D)x6H%_~h_^H{mHXjqndfZ|& zr#W%jNQrmuf%z)X=_Z{vb>m}R2M}sKGpVO_o`dV-+4}&~jgEUc35LJK+d4-nQRN~b z!2l%QWa0?fmaphI55om3AC-}&_q{NCjw3~?;jFrPTlwSRo;}1pB*w29uWq9zX4cw> zKL!T=mi(}7UjM)b*}wo$EwQ5*KY*KwqRu4ach4irdc_V#7v$(Rr;^@ERb{1(1axYh zMDvq+F=tvwCEB`Y2AS9N+n5njd=^(lI^Gi6Ym{cpXFbK8Wv!skSYx7U=y_^3y16jTV3{4*>A4J7|SH}!^mjqLvf_-a+Aj2NZA8Ymf-#M z!x<;f84)5${mf(kl}b`kv)B$P^H`u%#)Ioc#DdTJvU4T-Vcf|wJZ{F_=Q+;HzSU?& zxvm{hUxgEgX#fbxHqG&MY4ioA*3%vk0h~moK7Y`n*j$HGI+~T zOlwUck_P{Vrz9$2&>su6v(Q$+NYv%cocYG|A$bjZKNg z{B0Vd-`ru#GH}7VVs+XD3NGnt_F7IzdB2G+BWTX78!5DGLKv|gGL4?AEr!3U;#~rc zrQo-_#!Zkx+3)!KMxcglaJg%YKBb>nwXtKn1|eI2x85?&MIJ{q;3~M@O)1b%V&P0j z5UX<-V!wr@Ui-Hz)5a!SyQ8OC1NO5MG-yug37KiLAkyWo+~=Gbg~h^rR)&~~VrLiY3i^qf0o)`NZCjA_Ri8MAe(%?b%Bf ztYA1UI0V9M=iW=v4j#Tnm`y!3V$nbpI7`Lz2d6hF!G-2(u~Gvy9BzkJ+vTp-kD&-R%22VIyr;?Hz^Bgut-!pN{Wv4 z8=OHrAu3Tiqzcjy_eh1-8gtL$1Fz&N z>&_*Q8y!(9=p(XGJ$ajGQxtzqEt{_%`KP0bB50*GvZa1}jgO;RFCmce-6ZLQQACjB 
zQ;i59FBAAD(z)M!rI7akwqn_0f%WmjKeVH282z?96AxHOYY|37vO*WDEZf*5Kc0(m zzW!~dVDuAk=DPB65~w4fiGQRjF#V={?ZOw0QiMI*_V4$i^J;HDEW6-@Y_?%YgBK1} zFdk@3FERB~h4G)(jE2N9i{7KU2M|#xc{tY1XP55@19@o*U@t#tvIq7@j6Kl%7xheo zo2D=9cQ3)|;}^Sw;7Z+`FnoO|#PAl};YvuZ}OpzyIy;*1Z#c&vxbi2KINV z`J614v__k7xUawSB#n(St)x_=@u~&p_iVeBD=Jmwn^ZO$trNK5me-sq zTRiu0HPdwPIlwVlCbmmhuFz$A=Rx2Zn5{U__I+!)%S4jhu;a0t(KrEYJ94U#p5_s& zed5K^8ofbH6HyP|!!TL5k)1IvZR!!6T?tqB?GD*tx-YusFNh5^|3#>HNM3*Q2iZWg zqTU?k(KvKl!h57@Lp*}*W4h0C`rU)NwDE&f)?oScJ8qY$f-q)GX7P}WJB+A|Vp{F` z<@V`Wo_?kxA8+N3%UPPufwtO%}BiE~{cda6(+&a&kdmv%5 zJp0nP#86uPX~pZ-tixYZiqj#yQTaK~yA0#9Z?ZZX`Rc#F*;H|&+S`?o%NM+_b3!A9 z8MQV~iFg6~#<0KQ{;~%}&%IBfvJjt+;5p~?v9}!9EkVK7Klf_(IA;RSKA!@$YEETY zW+ZX}>r?nJ7ttSK9{MkVr-+$_zDt>hmh@^XO$4VCBX;J}O2}k=%~Xv7tEr);)wg?6 ziYmJtja1)VXaf}BEg5-MC`1y*FnoPU_nZm4(hZ@DrxR7hLWhXA>QRm)xA6a`(ph`7 zYJ!zW1k+#9i|Aj3*E+`_xqYi+8Lr}svq1sq_Bb`}o`u+$&SWC=I-Dw&%Uy`j(mDmf zbF!V(^Jw#vwg*oohg{{*!n8%*BHi+<^r{%IIhdncAEKoWjkSx#??Q6&>16Xi!x~*gMEia z7$5Na~Ma=dI{m1eac74e9G$7*xRzwqu#fqm_XRdc$b$7f4fBp)26c8 z?a6l>3FD59I*W!49e&dXw)&S7MpkM!W-o&aF&xjdGMmB}MoZNS3i&NsH2*CsNPaIUJyc;}g zZ!4(uo*i$yONuARdSkz?Dy#i*8V`eJ)BJ_)z3}cry%L9UHL{shQ%t5Gj@zIYv2{*h z@Fx*psf*ZO@7;@E;PS{&;!*^gw;%%J5NAjADsWJvhgWs}VoSX~KwI5xG*wPG`#M<4 zDph7Qr5T%=tKsp`n{_NzS-lrzj3}CTrl??xm_=(O_8*pttyLKG0fEYMe<0FN!RPLE z38dlbo@73F28`-o6pTMuX}Hoql2}J*o#nYZ|1F6vU)_W(-sb$QOzMa&kkO1CkkOAP z)l3|(3d5m%Q6;L+NGX05y#Z(R0SXLL5~Fq@v1E(uN_`}3g! 
z*)meF+||6l+?rTT_Y$_jjvQd`P32@@$iv5gGmrp>{{4jOro)6vy`cT=CyvRFVy<~rbz~yOdpA!O1}tbxnuLneWW*VQv(^n zDpKt*mEeZQ;~NCpnMQyI7OfMe>u^lv9dGW9hnQt=%@H0=+0Xs7RKIjqEf`T-P4wP@ zpapal-~``x8ybCAPj$16V$NjdqcE+`V5xC#)i(wa^ycHTp0(CDQLp39XncodX`A&x z2u@wC+W-&u;aUN3^4jI%T7&p8=u8TcEHmKNUp*Q=t$rcpFF??7y1P#ZP;Ye4 z`Si6teA#?#kM;TH85Fiu;=bd_rZy0zY)p`mr(YD&MWvJT{n>YVWXw$#c~7LjmKZdX zCt58HHUy$`*peYapPL=l7)+7k-yjfqB`JVGP{^VOU!uq-?SY3@cTpvtbXN<1Y45Tg zZI^BW;oFRhnwL<1eD$m_e=zOs4GI6#G4_H2&Zo?VN34t+JojNt+zcVCEdkg^;}WOX=-fRN^O^}J(N+y8G$?TaElK{^GMF23a0M;m9s zmJNTaB);usHMBe7geNW#_+2l)mlazjm&pCM8@rjOO!TmoNaR++iUl5!p}-E8Z|UUg1*Fp2SVZBS!^v%bS5jLW zqkvod2O5E=z-(^q^PTJm8h&>&p&lm+5TYBe%S;fl-eL~bfYck?`WgOb3^2m_HwyP> z$`MCfi4j&Mto?nHlR_#Fr)qDbj`&GBD5PP%W~DX_nq^&E#ULcvi$=TT)dWP9wtN|@ z6HKmbjKVd$BbY{xFVs1OX+gI=h6rr`U?CXT2ZKFhuyK2cmp z=*#fnLQcVbkw#+QZmL~V*i(5c$s~N#D$`WWehgEXC8QoLQ5ac9Ba1UiaV5@Q)7TaY zXg%4AYc(%r%nj#MP?261!u-;vh)hwNKnT6JqU7UTqkGYqzTt+^psBRz4iw;~@1MCc zYd!AI&Q=X-0ea76r~bj=a)Xn=-2#R4Ztmz2W{Y~}+bz6QCzZ2nvm`_&_;u)KE9K@O z=(h-T;&dj42d;48tQt;eFB5heysY#h`{Fl@zwx}=C%myY=f5RUM_i4u%r_Gpe#v04xo5!&KgBDSI$nnK5|ZAF*+`aFNzNaJ8xpj4ffyq0 z<&R!xM&qB%>`$E8jzW!_V@}>3r~{Cr#T7+_5wgf!Q#sb~*54qfY;*|cdFIyy40JiE zq13Oc2(2#@`N>Dg?qVtzS>LGH>`#-wd+r2WV`#&&p3&(@WGAefESEQx&HpOPPK7ef zhg{8iR>NSLgfPiMW)H88VaejQ-@>>d-W^06{ZiWVx5xsbzTp-0ATpHn0H-eNC~^ym zVn3E~ze1~o)HFC#Bx^V|ST<}d#ak=BW4nh(obJDS6~)+e8JhoY#GOP)f~|5iyWx-+ zi)rw6feU<{7gi%ex6p*?Y!ldUcwTane5wRj{kfD7!=TK7bJOM+V+}D$`O8`hfWVyy z5@sRrHQ8&`8R358N5rknpXJbtD@TtSd8yQ7(%|Uk&B)kIl$pq&c(x5-v%SrQb6L5x zYh5lB1(hhY_Y~YhxXkk)h|#~Mr;XJ@`+(Q8({3Bk?SRj~l64FVIA{9{X8RG!b0=4c zb2i{!6j>nK2$`ZnM1XMOxcJAVfY@YEOy`YG(1!{Mc0M-elPx|Vyu6L_^V?i-ZZoy* zx1hjV0vCM+3%_{vXHydW%wcSNeaWLHMTI}lx}0iBz%eI57ReZJ%=xabzsLwCA_wTh z=chLI?w@If{>I@nDNiw~hBtMlCO6L9#HavXs{J?ZLSa}1+Q6)91F=o%UrkP>FMnmr z_Q(@;!>~YSqNuEX;qN>aJ3LFc(dpgD@B0V;e202#ojzKiGJ2Pgc_8P^bP6vmWaW-D zv0$eu6mO&nD;L%51bb_ZNsaiwVZ{~#+4tf{&++DtD0IhxTyk zWd23id5){;?Wys!PyCnHC4r$L`zt#&Lt$y?>w}>i6OhwgquNt|obHL6h#3;tzT~2L 
zJZ;@G)7_M6a>x~KoI0^L<&0HWlL@n%_?~@u0FX^S+Bp=`Gay4@_ z8!fMOX7REk_8ZhK{{ZM@FHr0J=3A~0il2JyFbX_Ox`#wHRV_QGs}c~hFWX^lQVSU! zeL?KNC&k{6VS&d$nUmc-Uag1282XymMCd5)4NV5Pmr;M<5NU2F@tKyw>_C@%wrH>> z>F-=^NsCRBD`2@V_Sx!6O*N~X#;zFS;SoDpL$_G6{Q)sdMD!!d72`^EJcSN)vVC|$ z?c~tEMaFojW>>^ncU%A~7xdqT$1nl_x_1=^3T$}dhe)Y*n~doAuIER^aY*WiTFJDi z+HC1(qLsf3Oy`&gUFbRS*o#r!-iyvjZr9>i;+(kkh|&@J_f^r9l`JgCcD=>5H~*nX z3$urCb;?kAmL~CN3yS${$U3Q>Q1TjE+)pM@D=*b*=XQV&Mn?Z0&w!;Nl~V2ioPi@v z{ozs=++t!dF_2!&;XaV1f(klPe*E3n_;oE`iPG#dO1`+!E z<(g`|J=EN_L?v=+jNHN%sOo(VtnEOXPbR8J&La%3z5gka1nagDv z41ck`g52e4=rAxwR&@T!i{|*ks^%QAU<71EZXhet`TZvH4hhu@7<}}C?il&@Kpt?E z9^v8EuL#W@s(ZNS7yCobjq2}nK^A9~)W*@0*Oo+gj{8Bms{k&z{4mQohB6f9VuAnW z&8Er$;HxlE7^-WWOk9O80`6QX`FU4FE7busctPv6&y}sDl+vlol!e&MXL~PcKuMU` zuBH$1H|TY`E~An!pJ9nZMsN7|)vGo)Gb)d~-CMGi2pH}a%|py}L`Vb>vMsZJ4>Lfe zzKFy_6aY2n510Q8P;>4x5nH-jLapcAbw-dXznT(PcZ&P0uZ2dw{kBd&)JIr(7Vh{s zwRk3P+9{jy0?^fT@I>XA4&re_UIr2CuQ~H#aPo|k@Q3r(rSJ(tRR10D3_It6SN|b{ zs0Pmdm!lM?vUJ-}zJwwTlf<$V*n1S2<;54zf73op-3w6$X)~kH?qEVs-X$P&6oO>z zYlVOEb6>#X|EXL79Ege?7Ape>1aH6>3A)gpa>j~sWl$Ozo=)RHNpH9vmL|2j)uw*nMp|6-+g8o-y@|3EU_Za z27EVaq*Mtg2uFDH<|^fW+|Uz8P5V(3L+V$N?yr}nnuNj$Hh0%F&jF?Zp>@SqBwP{0 zMB_3?g|wqA+1Iq;;R&~MXoFa=D5W0%9*y`oa;*Bez542>DgOj4le8b=^Jg%iIc!x> z;LJXmYbj@HGPI(Xn_9AG0L}rW}zD~(DQD!7EBm|<;{bFKF=|`LQXyps?G;66<+g6!PdWbK2zqk6>av9%FOEkZaCSZ=Xkz%vAGLZfhdqdqho|4QsjKzZzo$&`}bGgpPC!+o{Pl# zLhC^3kye&doa~-;PP|V^YPge_KO^92zJl5KmaOVz^RCXmiEVg3iO72{4{MaE!fO>o zqqY}IwHcRfA-&pS1l3#isio)~7vJTd6m0O;GeAZrCmn_APjsRi-Ine7o@%|MiMAdW zE?T^YwD_`<9LImU-kfb3e}4R&2N(fRk!nTLPj=a@@{&umtv)BP_)ENtifA0?$q9Ks zV%(MfA5&i$71z>q9TMCLo&bU19(-_@;O_1Yg9Z;ya2ed)3GVLh?(XiMZ*K1UaK9g{ zW(|i`)zy2Kb)O#MHp;FVjxRF2jGvglZ?`EPvh%%~YWcD;Cr^! 
zuViHf|Iwq_Z=?y%KSclNe3vYW&nnFwxa>J=@u$ORe`b>&nezUAByiSKU-Lx=%~}XAx~K1U0;d$Qp`j+&$r5{W<5CuOAm^7}HilWLJ3J z{7<;F$iZ#4#NlmWXOJ%k=waXjZYF$59XYHKwf)idl#j*UK~ofo#=5RKz+-h~Ag$P= z`&`L}X7c2n$9U1w2PKL4yA1NO1EIqfdoP%epSON|;6~-E`GT1y6oUep5eud%9&AQv z+d(VPFAXXvsOnwj$zIga?l6K0+LgN~V_&Gru(Z|KKxg7!elK%4nk&}3Hz)p}Kdtt2 zKiUMMpp&ANa9HLN3NxaqxwOagaPnlH;B=&Hv8sg+C!-28eP(0Xgd=WTdu(p%cOw4h z*eM0f)U_3rnqWD@>(hZO*J=?kALY1>o~>Fw&zy+*S?hFnl=S<6T(}$);`1S5+Pa64 zxYy#gyz423SHli(-~7XPlj#4fBmG+`C37j?QZL;BAq!p()TT6xK)#QBf}}#*>(E~y zkme4Wf8TEC&-Isn0qe{afh^LVK@=AdwdX(<~{N1^ASrTd+KNIcNnr5f@`Hyp}rZ!BS+!l#G*mM z6B8+wrVeCJUI2Co@;YUYm%#9kVP?E-tBi$lsGw?HYCtuP^YHAt$asDD*5aZAs)D7Jk=- zvFA>ffBztoT2vZAW^n|L$l3PQH{ioy;==xCg59>2dSX?HjecevyYo-}Echx^kcIcA1s4-RE=2@=Aw@nsF;@&D z?@l6!R_KpuYE_IJJn2>0C2M0r_&N0oYWFNlK}oe>tLLA~_+;v^SGI%pM7)c`=^`r% z{ZubRp2tO9WOF+TfiLhP5pjq|Yt9NqMg_^eF}X|NWAzv8lP6{K25cvh25k6Wp(nEU zjQAPQhmpD1d-l9X>hbd|u{foPJXk`swlH`_a>w7I<9=Rt&iDms?zo~JC^?NNAkT7* zi*MU<;qGF|ylPCnd6K`5>Ij;vP~u}jc=9QuA97h#_5w`ndsQ`&t}-#Q8umCstp9GvlE^4`~uV&}joMIPUQ_oI~N;3_crS3&`U) zW~Q2i<3ZlDnrQcHvCGzRV+AFq_OjmztO2+p3Fs>aAH%1lBH8uCgI3niGa5N`u1S64HR+kISXvi>W#V+OTT7T>64~kf&x#t^oyWcLik}tyD0{))lhn}aYw<@~C5|_&~wn zx+ja8cmTMXPbVfl3TC;-EV>GYOI10>EJJP3Wr(*2*kB3MIBl;@GVgk>k8O6|yEKQ$ zrDDH{d7Pn0RdN5Gimil`d6hLRx%1Ry`R3SbY!P6GrQ#}Pu@~G<-0j3 z*V?$1sA^xnZBgb6cK|SLA-o_L)?=W8CtgEl#ZRGu5jn|C?D@onF=O82r#v)T zmALmrFtju8=OP@%c-rIhpoZEYz+nnXcH>bj_J3=O6L5$ZW9rBk3xiMh?Bkl#4mz#I zh~EVysyXTqK$p%J*57_kf%4pAW1w2iI`or%Bnzn!K9jX4N=@7rn9aOwx*ZZ0A$*mls`TywL*0=~Ve!cB>VC7$!eg(dahat4G|89{S6~#>#Kegr z)GZ)-KWqjREfS`3Ao+6JhH-~#Cw;GTCU%;hjg|>Mx#+T_q_YxVZqn=Hn z5SrQ&_z&9~03H*e5#M|6*6Q5X8l+%wcbz!~ zUQ(aLQRZzr1?naI7^a{3W1@(j)a7QJQ8!ii%;z7=H0$8B?qJxPuD*)I^A;Gb?H$zp z3}pgsFz5FbGo59aS<9&ZK{E)`I%+)y1UtU8i9*xkU`BN|vcjMOJj8RI?;*o&5kuulOgaGS9!17*i`><9Av`=p) z6f!BGnppsbgj+l}pRS4Udpde0sG6syk*V`XO<~xCn^R_}Oc;)H{)N)HVSf#hSuJAp zJ)N&I?l;8@r~HP35fb*ZV(BIAun7g$qu&{-CUcFHwpb&UQXpZ z9DdfKQQ2H-7U_~}L(m+l-~0V-1gV-L$uQqg9VE?=8>#~62=~Q(S$Q?-6J=RkZ5XK& 
zW!NL$JPm#pFPKRFYjOdCU&{uCoalC9xJEQ|DG9>0F@MhkeH+PLb%gp%i4gm;A?qV3 zLF~Y%mYw5uScxD%%YLEw-NKwz0&DyiXd58ssj9@pC5xAYg7L-N5A9Aw>E|`E2uxUv z&g$$d6+&Jqj{dC|ki{yb90xGrLdVq^RvwmEoZiKJbbQqg;x|KC$mA zR2brzU_Ly#DXq(3iNfm?o|Tb^YO*^MGB8eL|0kR%9LtOmwqd9J`>yEOGaFB4bV4I= z&e=m}blBK-!J5K=!iamTe6b@7UqVwsxx>rCa7wn-hMd({Y^jPa`2Qi|D1Xn5SJnjp$yV*2}AKb4dH{ z!}?7rv?AQ#s)*V^lrz*^Xl0WPy>i^|n;&kOzte9(5JD0#-u*D_=o@1n)w9a;n6)h$IR#2;Z&WK;T(VCOF zE4`mO*>$TCsnGIe`M7j>l)}G+6esbm?uU~HHv76Z!;iuacqB`JVYl(x7R=N-2$Wu z%SjlI-hCP5t#yCx5ia@S9jrmR%4Af01oibjD^4`T@kTMzvR#twS)4f&ON1)Y)j9+= zRN53w&__@D=LiMCZ)u!nD# zK`u^_74xHly)G%xC#MyO?6MoY$h5W;9htdk9J=9hhhB~gP>H@6=hWmPg}&cJ3wfU02$P94F+o^*#?vc)srtotjOuG%n%ALmp9$WDB;DZfdQja3*W}reEn3 z%?74r`hK)-A0&^cAuzynZ8*#%4S#po*`D3&@-iXUdZU6SSTo=D1#lC}u~()`Y?j$a z`G3k2mdc4zO@j?go5j32{?QEOm&kCnFis~%QGDB=xgrVqM8VZhBdCsKLzu)F(r))B z_q9nyW$SybcoTQ1Cj61Su#tHv`=Z5C3;<~b%GPufW~arz8B8T5`46j0Z zciD&j=8D*;L_Jh`Tc6!5;~o~OH9mz5cAU$`oL^}+gBpb2P3X=q-T~iONS%twG5**Bk2XLnsPnvt}KuzWB zmboEg?^8dFgO4Uzx@G$jI2IOe`}78^@RN;^hvVP>y`3TP$PVDPj?i00s4pO`ecR%a4)v=N6SW(KjgeymkKMs=96vSI-nC6=$L){axc1o6L5@ z{8LHp4nqT{B z{qV+@lAIB$zlk4UnGrqHV2~~PF0~9GA&NiFk{(}GyZ=PRC^O0bWb2cWceF6^ILv8E z#h>YI4{0fwL(0{tEt!lVmffM?jjCi{Jr>6;K8nhW4w`CoKF|@vz*#oUt7S zQrSOcQP~$Uo5Oim_HoBd#{j!l%GZ92TWC!6KSEjNrg|;8W%7^<mL&j41{9&%R9N}pybKJL~(O&;!RGQR}r1q!|-t#vH0-UQ+epiHgQnTRV+-x^P? 
zbxJQ-_X4m5_Isw7kOrT8k!8FBrnlQb%(Ur)H z#4U!UUss8HKf+^(e04Mhf4wc1yF*IAWNSe{G*#H8TqoY$1RB*~JR41vJx{5P-<5`) z_N);Fr>e0EKSa$l#qUGvqo}&qhP8Ma8Im*L)-FhvCEAG;2Y z#OnX};TuWj!4qUg7cwHg;g$rGDz)})iXXkr%pq!cZfHYV3|n*&EuDfQZT0Wa{ILN4 zTI0tq03ypn4&tlQr=3JU_R~bajbhgBQd5tsHKnU!>fi%{Igv(~iwb!Q z3tJ%^pq^%=C@ZGp#(^tWHOD_#>NHJQ#W%Fm6VTW-0b&>ycIhwGB<{ha2!~@=^8EmA zxUr7e892q2>1HErEiz*K%YDrsDYe6`1+}46VYYhU2!o(7GQLtgJNd^zL%?vbSKaqX z{I|ThlWdZuUh(hLrb9lG!I+_AKAcI$pW5IYko9cmN||6yE2N&Hj5a&TP9Ks>OC#VP z7p36A-06XV?TJLxb--S z@X4Pm>8YNx#EIQOt{lvlnA>9JSbgUWSmuVBbgqGz z`&LVk=-)W36(uuMerwE?W{PnGTO=?UevT6cM%D-2ZEn&QMUgiGE3$241)L+D*%a#p%kf&alu@XWFIS6xa-a9zQq zv>UyVN2l9>v4b^5XzHfN%xS&lbZf!whT{X_pC%31UFv-&y`3Vz7sYY0pudN%<@wf- zQdw~Zyapqb`3gP)fGF}8#$O=Dk88TH5S!yH@mOh`@(>!w55Yb&Ysv}gb4sl*qBN&p z_}PJoGz}qEEdG4dv7K*FkNa-Lx9w4yaBg0fy}$!_R(9I|;I;@9Alu6lAS+_-G=n=* zkd{a|z4>Uhwm6Wdw@CHW<7IhMQj2Y&&~u_m&E`ST!L$^!y<}YMV}q>uS-Qz)qhEx6 zLC>-BNJJBRjzdnWJ9?C&tFSCYA~mHdM;e*V(ayFoMo=u3YtFHy^MVi?GBl1m8A!e} z>@2Vbr$3fFGMs6Nr+Mi2=A|^9Q>F(R3Z{R7VWkCz)loQNuFH5u92HYC{Fgb<=4mU| zNo4#G_2-(AMUh0+pjE^I1(W_Z}&@pO><~CKQTJ zWMz#eDu?qle4z(18C69@uuYVl%hkX64HI~roQS7V`yUm_zT{il(-m1}ixVfLl=Jj# z`yGt!Xi;-&9c|$|3m~+jU^780BL&m5u^c*9U;aTOJbmh$zrzGW$PcXkjcPH$ zCFksUVMWM#+y76EYrqCrjSa9Gn2z3+HiBdcE3TU3wXDdW@MdQ%%iB7c5SeSUhUhouH0%Ha!&v*a*`z#cL)S*b$4EgwYPyHFDoK zAFSOdcoqG*Kkph+87o8f@3;r86;;#R>%tg**waB_N`J5O(mVGgI&qyY+%Ve14Y@F- zfoojb;UBQQ)V*NbIF9;vtt*lAqylGWCdigh4tt6kSNx{}+L#_nRAz`n?}n)%>yv=6 z_$sufSFw!rjwZwC*4_1ZY323tzo#Y5>XY8mFC@wl{Cr~v`Xb{T@ob8)N?u_z&`I*x zol?sII+ji0mI&5>4O9Vggv(X}!Yxz*tyq~+sNEwGWf6kx)AD=h*ykPN4?GS3pK-hMuPq2^OQcrL%}Hxo$-ph4+Jz$gAFPam4xLh zL4mtUXxMWcJIZ)@+?D)}Hq}kvwx-89N;NySiQtJxu_f1Iua`5xT&m$1EI`&gYEfz( z@vd~+qSIO)Ds>OBlc#XG!;dc`S`)!O=X3F8NLtoyCnf;_mHTgVIn=v7eqI>ovZsbK>oAv4wMN(#;tIf=_Dp+U=DX}S_ zaz~R%ZS-lGuw`H;K;UieCv!4t}jEw=m~D z1w0Dhyn9K#zh2uZZ)mW#M_o>wDyXjqw?T87OJ9fdJP8292w6crE&v1Wmw2_oqfL2j z4E6PYyP54DwsM+Jg>#z~%}7vWFJRCJ2!~(WHXv}2uLIa&d<)_o15hCe5+lv`;CvFw z)`b3z68x%O8b0lqS#+7GBUx&ZBh5kV{GSHB1+>ejhjhCd5{$HQy2EXdC$~4@<=#Z` 
zp>APhoeE=SfkpAl;^sJZ|2R5xkMY3hzeL4^so?gqmz|YU-B=mC@z4TtV?Qi*7t_(r z_YVM~0yjA#3Z+j6dmzTk>C3YqzfsXb@HyEY854QT6Pfwd@DOUA z0jCXZ@SBsr{)VEKPbfb7o1K#JsK&K>$_mg-cDo&gjX2UXPT5gp4)SnN`FLT0=Z%a|U)pKh}J^LYk=IExJ z(JS{oh=6?ffue6fAF8mG%5l-LC)op;2i4bdusOu{{_mTKb0`XN&zdW@lPO2@mM!KN zwF2D_eQYoh=KZKKM#-lR3uJ$lHiFfxJ=m<2ijTCy`s&QIMvsF+$N|K7487tqDRY;z zM#FBfMGI&*N~U=02@>@Vu&#s*vKCGT?RSG7P`I8v+-!DXituT9_iy)o%C==(BbyJT z`AkrozFVO{rRD5tStEg=yPDtpyXQ593sSen za3Y9p%SY-FNR(-?eBdheZ^boSuU+LUIV!o&B0QK~VvD!?fNSY&RJkSd63MPcCeIeu zC7CeB-c+xR{$^aj6`&>0O|FGZY0(Uc)hLYCE&|mYxhJGjg`SP0#+cXH`VU|BA%|lf z!qS54Q`27DN`t9t=tH;EFMB1%USsD>Ilc3F{AfiE@+yuFQ&_hbn7%4Pv+U!e35vb0 zK4wGzflhJf#`2GUqs-)cf{qGb$!b1Rf+j$}WVarT34~t%Hm|~NKPDxl47JgX$$)2T>rfY5Ka~4w6M#=4#RwKf;w* z8~DuKhJi0XoW<=(%=Y9Wl&ptbo4F1TJb2$D4W}VH%29<3b_8Tfe=acS;O&YA?9cSE z)=I~7fPTlundY(xe|Qi5Jumo~6h@|tR+8|T6<%7j;>UVwSJ*IJVWu9_6drGYt3SZo zb?PRiD;XJfnp0wI0n?Ij9GMYyAC;rkWc0(vlS@BgG|N@}_Gmw{JyyN+yQmVP$eJiV zZcVfQS|+d#DU*{;1(V>GiMmMUF#|k4zQh%DR=+zc?lE&6MwP^MQ%Hg%uWGxZ#%r`Q z|K3sr!_@cDCT6M9>k1d^mZ-7DFLK3Lr6ymBKldyyDwcyLb@cf6v9Sr|Pk1+Gr=WuV zZC8|Dh$R!0Az#Bf>eg-a>AH7w;SlA16NvthqZl4BecpdOThD>|288+>fMbTUoFgHa zWwU-Szj{yxF*KKQuDP|3RnHU}_GeYh8K)GBPcmXy5`4OXInc{z>eE{bR$u*O$GiM} z6pN(+#}1i<|MFXv>uY}C&^?!UZ+??{1pg%L?t_2V*S;OZ&M85MM>P-;a>&sATUzbi z6&`cpf*pGymm7sFG5_afN297vzO+8pV;L(Mew(yS>&UCCB$FG)vuVe1Riu*O_FTLq-v20(by66MwO-`3etmSk(6& zMxOsU0lwaW=jM>X=YmPG_e95X;Gfl!FV~em-+=sARtN7c6WWeIRrUJZ3 zaFZ36wB(O4mwMaf$soqNbr!Rh^p&$gv$>PS4@))SJ2aK*mWn(Lh_@6()Et$vx4Y|U zf-2brG>cc#*zdAt{)x~sT~I#>=-yq!LS*n(DRojn<7N{QNeyrI|H36H^u}YcMolDU za;<;&AKZQ{0wBO}g8;*A!_1Fm!;Bd6r;A#UdXF%>L!%Swa+9vD`W^5$;iqneS$tv| z5R26?Wb5Iz;8B1HxBbG(kfHI-Q)_x`nlve)J=;Fyzf7+5_qc%6I{(2#ER9B>_(H4L7>`EFe zRkISb=(;%5axgdF*jnrA_^QRl(=Pfb@S-wP)8b5d2ICLD_j)r?sT9TYaBYpF>HWy< zY53d@c82fihRx2mYxQu+ophOWwS%n$jzXm8<;QWgc;Sm`%h{!w!-I@<6P4Lx^B=!W zn)=%7@z#+$v$dI4#xGRHXFc?V2s)2DoDs=J zJW;+BEl)~QDuLDUY{Xam{6SSkzj(@yHF<9Y%h)kV@ZGS*73_{*hGyX46U?`+3t2X; 
z+NIq)MdkV7L0T{6SOHE1W(txV+N>B|)Zw(^O98vZxwy+!#d5T4-sN_a+e3Sg@i2tril4W82v6V<6izEF zQ*$MAjeeFO0)r7x0ZIR9PN0jI^l24CDp#GD>m86~1EPSO0r)9bf5I|Lr$26OhW2M7M$_ z_w$4(XBLet^2%B*N2X`)++tfV?<(VKpD;p{Qtf^WvER0*%p`E*6t2w9or#P+77%RC zVoUX*O}x^SFi$*Mb|D{CMRz?uMiUoJ30X6~OCU_(Fc5|`@);_E?EZXDntvk<2oHK& zwpli0(NODPV(_xfifT%!egWRBU1uqW_A}C(e^+TEd@$6O5iK^Z9<((%NQp$_j+cnD0+P&8C#FfM zPbxo0Gu_-z*spSjuN5dOG@c<_KI;=Mm>#_u;5&OnKZ&2pQeX6fgGfwH#k<`&MyE6X zg34f-qMJkT>Z2z^j`PoZ=1fm;W2UrPRuo8&L^-13>HxFfGiIyPwB$^2Pm~gKa?~WxRj*WjP;RecRn4qFN zEOTb3)4^!P-Jp0(7IkJjh!A&20wW_`=Me(9Qb~lKs>&x71$)1D!ji)g`;b)EGkhrb z_P3yq4nXX3KsDh%G-+q4N5UnClQa7z!A@72GT9#47v(o0^gy!B6m;&x-5q`W zd7v03d}~;xPb|}yodI{?y;!K92OTXsLZWQgIP}j6(?KxvIR>@saM{0sN zK0Q>#Om-Woa*2M3HO@5u;yHa6D8;eD-uN*wW+uvS30+3Lh4vGtEJ zsv%nbhMW0x)+i0Bg^H;v#B_wdtRa`J~c zaOC?t{WDdOV0(3CJ6y^RGbjcbcY-|27HtIffB^eAQoYXI=Ad05j*#3&xO0T9G{XNT zd=th@&}Y`ewo_d&OZS=5@kW?9myRbavxchKnl+@Xc8b+YtI5-&wBgoml}Y6id@lz} z8nRR7ikhlfR>NWd{;oM`V8dkqzs319A9UAj}6lIg4au zwZGDeYBnO3LIsr>Ak-f8Vta(YnN*N(uj4>7Y-y`iQehprsDtD_HrDy-<5ddelG5$e zSKEnyu=ot4*2CssQZNf^k*xeFu9-3#t1gDP#%{-b=6k^ywY*Ll`HkHtuDQ#;h^0qW zBI95tg=ylA&-@n-#_)fm_X&nco_UMSqOlNyi1x35nWt97{EQ#B987NTb` z{~+W}wMK6Ie^SE>~F1O1fXU^psqAq%nOYGa<1V!!VxmBT0!ST4Y5 zAtRa}yQ>(%K&t=bN;=|Ug5?H-rE7HkiD5)DW_=RNAyue=bO;xU{pZA z3HZCiXf!UIl&#s|4P09&H*-*Db`bIasTluCQt1Aki9_zM?}Jg~9%0g|Q&F%DryHD- z%M+o7S{l=NH>+LYMEr+A8vZ{)l;Onwo5|4vU_q4fDnn+3UZ~avBxNV3#|4?vMgZST zX%*}RR7pKb==Y0Zom>cx}^*QiV)^wq2`zO z5xfyQb_`MW9q?nXq z2wuR<*XvUFg@q8-sO&29Lh6Y9mkcit>Xcx}o~bCpYEE!6S|fl5R~bD74@VLduZ;AFrsypJH%@c~%soFu{$TOpJb zWihQgtz&}e)}q9%BzsWbR!3S^!O!WuLI{(!et!8K@mSuP^QR|d7?h{FO_c)E+>sUK!d{tva!ifsx~X6HWg40DR<5ab%c@c)VfV z>TqJ29Lv)OB7`1wx~w4zJs>EUFl;X|Xr;@+M^LPwx;qyyURl~~ov@c*46b7!6o@K> z4)V=#TX#b3cKjj*vKX3Lids-5$r;^)F>`lU%qT2MWa^*ulE#iRhW}0V+*pck5?4Sj zAbMuVQRVj+jlI8^B;ZDANFl2*f~ipTSWT4Joit5V5>_uo*ma4#Bu&E(4Jp#+ zS5;z&$USUgLL~>7`Mpsei#?oKTqH`wt1uIi$dDZnY66j4Fh;yIlL9URnZs#usqo6{!1;gIMjVEyQ_qK;3t 
z&>QY_owsDO3^Bxo7V#(Gjhwr8a#mVyiPmL>o~cYyU}~D4R8?+51+nS6;TS|8Q+4^Zx#%wzRa6zR*CKJC;(qMUKc!f*p%&g2d#G3q6> z`BWc}Sje&moQ$lcqcl{az;`*P9Z=AG(CKR3r`@O;De#n_3dc+HXZyoto$GvUMOwV(u1ec8e@dbHcd4T*2TBk9opbn}uY-eQ_HDO`(#pVm-ry!2l1B$!y$^N7 z<Of29Z?3fvK;=RBmc^TK*BAOWECwjtPv|eltc>?7Lfnv4 zHY~Ot?cnsY)d9SP$t?_|*3Ldh>s=6~R_@`H!K^>$R_l=>OFHMBxnoBRD7haixJs)P zb1vmD$YSz>Bk{(!UohV1Gj)qt&O}S4GW)b~9yMm~r4OX(oTE(XH9!XLL>KG+GknC0 zlYmt%i}s?8Jr}^j(589uJ*)V-kzyo_*L(F%lIfJEM#feZ`7O(N?gFUN;X)0C-J%Ft z_<7;X#D~0kn{I6KuMpf4MlnO=g@>?*W^>rdIBhFvC{irKc!;a)0otco9d!~I;?lg3*eYvmgo5LIy0A~N1#W0yn2R~@&#eQ7;8Dy4n5 zDrG!bD3Q;L;$EI~Dj+2u({m=Roi_z%0k6v6*LK4cRj9Kly3bv@R3nx9KITAC_fML~ zm=h+Z>1QVw))e?-iSV%H@!!#kBs9hEmiNB5*Pq#AT>#MFWQ6?<^~7wcP~T?9wFIF0 zh8rttS#8op6)|7ms(Edxh%hNq^Q)gFCy8eMdco9kc(~;9w*8AGK{!WEt%I*Q>&333 zsngbcIaS@Rz8QW$&9D87_z;g6IwJ!FUH(LrguVVfAFsjK#*{n?V}aW%JGKslm**Sg z*W$Rlb9v9#p}+`dU(IZ1CLqPyhl0#67S2>|NQvDmHY%;9U!He51*^|yhR1u`3Y-L15Z)SP^*om4juS6DD=i@wx=m|xFL<;#nP$N zsECQI#raeV02(%u(^us0>U#F##49YI(O0=MJ@fpZa#ftBD4VV|L7GoO=?4S`Oj!;b zKNs3e#;9{tAQEcz0#(YRyQr^8`$7vsE4%5b8-|PB&*ANRr(D{j9Z5F7(#$HYKW4vz zvmFBs6iw{5u5urcgrI ziChuF$H<32>b*}?179iYIjFWdvS;xdLtB$bB-}UUjhMRITYRGqikA%&BA!Z@4M2|u z(`_My^zPR_NX|e5yyZdqHT&D8ty`HVa(12jgAsHZm?V>n-OW*X$3sIK1taQfy=k0$ zheeV}rC3Rvnl!Wm69%IR&)7MuBTiWOrAxg7=7$Y|QKxH9=_xJpv@!7#>dnK1>EkI& zC-W1>ahOnFjZTyZ7QB?ST}m=j4DFuORde}VV#3ENU&iM2hL)vmkjH_8HfxW|!Zp?3 z0b|cd!6zPRRvVKa{+o`F9X#>-gB8LWV-OY*3IhFQk0&wVm;A6%-cFM%0dGnerO@_nY z3LX;Sxv%z2HNzz`N|Aa_9dz3SqqiL>{T(Q!pYtFuK0|YfyC^fR$uI%F{#I2Mf-BxN z!V}gz{_Vl`4BG6be~at)AYiu*NBBMdkwV!ZEuf4Z+XH^0vl}-CNrY5$a3}fCABFrs zcX`q=3x^II8mXI>j;@%0hv2Fi$_{0iudvxaVM-*oe)_B7F=}_CT@}|~XE|;^s2w}m z12n?kV!E|8ojL78L>4yOLvT+K`en24;x4cP%MkOiGX{?`y%3ueU?Pv1x5 z@r4NoX0D!z^J}WV1BPgq!h56$9~w*`sp`%X976G+L88vEn&zW+tf5-3fiw3a_>upX z#VS;=YYM1%qgn@4iW>mKZl5&>i*7{t8u>)zVw&%wF|`YmZJa4wq>ATTi(K4O9$Ha- zwc}Tfi+2jikCGJk1bKKI2giCJVlqbU#w8sZVK!vD+^$TE-9F!qEvreD+Nb?PC`cidHiOYPd1uI%rzYy@T#6sm&qrWlSf`pTz@ zzx^{P;B`sEA#!R5LS%p}@gGSMVie11Xmhc5zQ0qHPY~|kM(8X5&jKOgUFB2B`t#sQ 
z54+`4SDyO4ni#q@>&UUqTHD^*sj)e{ymeC3tE=>5Joy8=na#m+g`xukeG}vlx?1vg3#Gsnk~DZL?|0T*91v z{;myrE89r%0(1HRSOOR49m?{Vjp>xa0|!K|9tQAA{v9y-+7;e^fFZ1;5*&SQ_}RY1 zsOz6jI(!9BAN2gbov6;Mlfm{sS0=Od?fg0q2Qc$#BfYG*eE_TWL{q}0U|}h3r|WFB zusNTKE8G7i+%1UTcbrQ~;*2O5$$Y*4%bMqNU*PY%vtjq6PN9L5fqmq<>4-%&ww3)m z{aYs$-uL1pXOG#dUslzEQSW5(O_puc#ocaShU$2Wu&+$+St57bM!r+2Sd)hi<`=4c zc`hy?5@}!a{8uhsURwWaFvgsuDm2`guhl*9bE9AfCt?Z#3QD~TX_-zFQrSsu;8iBpjE^&aqY zNN$J-FwX=f-A+v4+!!*>uz+v^ks0`o=ddO}ZKYbm^wmxg+}-l$E;`p>k1%7^|C8ZV zk#^0TSIF8}ugZ4Ayh%&;Vf?`1T_ZRqHr2!btVL>ChC=4MBkgl7hDDHr!u)^-FIy0u z%b!qQ6uQ}ve%YCUF+ME?F zQz0D#$&puR6Q|ONg#lCh19QPrXq5*)?Ej>3Cy$kNCR=qOC)Y)H?LI{tAboH!fGljB zy$be6^YeUA>gPi1PE(1KldpF!V#2c#d24MYe+gtWVe3f-_hggXKH21{_a~2B86&8X z-%>>)2rRQjJaSoBWV1_2?)o$pJ+Dr+fL<{*-f^y9!rjfK!T4kEU?SZ{krjy zJ7Mm^=s>j%RhB>pt-|F=HmRTF9y{Q0gECz}&Ihl(7-Y&-*mvE&uHN_E#L3}0CIHV= zz5hqlRmVlyHEodY?gr`Z1*Ai%rMso1L%O?Dy1Tm@1f)~CyQRDN_R;Uvzh-~;-n*x! z&dhb@fZcR$POWPV?Ha%~;=}e%LhPd(*{jB0Vv0y9C1MF<;V39pO5ZVA2i48~wZ0n$ z{WY_TvWw=RkYTU(m}(rOrK3!H`b;lVzPil@%`VdD#jGwZq1X+wScKj}mx92-eReF- z{qx}$sd*2D=|{Db7}N~Mvzyo2ZT8l-qT-2Z-LkNSywZj?!ROK9m9s_A< zS%r_`U6>Kh`h>)tW5082)AFM)eejCzLLsftI5mc04ErXanS4j-K}xd}>U=B1jODEmDlL`Gl2*b2*?&6Bhw`z$%*a$ti*PnU@v7n)koy27$dR_yY(|~AT2e<0dtLXb ziAv}2V}ef8VKqW@W59W07V!EJ%Ts3BZVC3FrNSe&Uc)vk!TLsFgmaZ#0a*gAfYrlz;grC4bGLU_LN|EuB2G;! 
zO?2$LYwrg?P~ysGsIZilAU+gsQ?IX#t)+Vuze>KHON^7O*S9>a({y%Z@Q*NS@+@k= z#cg0`98oQ|0RZVNXl@C%+}S&py0o9Rw+NR7roCB;xzm6@OaW+FI^w^{rkIBW>IJr* zv5+b2C&z(%-fImwv%D#LWZT5$v`w)Of3>Geot>D6lM;ERdE~i?8peeYf(egcf8#Jh z<{5{7;Nn!;93qzT!}7EVYF3fWJ`hdZ@c}38KFZRYidvfsQi1oqkg#-)Go!c$_Xd)| zlCj!~eTsKx*46cA;8Wayh zmEh88^ckB9@m>dMalBkY7#6R_=T*8kJq^ z?`)S5URdvB z_P9VVeEe&FL`eoxOu2VQLH0+qE0w)Svl%ziQs$SRYoj>n8B(cz1UXTEc(oyy^l?I$-=*NGRtCNiZN4<2BQkO-`ovS{l$9?wFPRg%b&JSd?S@698D3ZX$3VIC zHJ(nkhI77HinkBLi_6#(0I64n+_r;hg{N2kC*mu*nKiEC%VdE0dJ>_jA9RJW&_E5# z^6;h2rcEX0ggXE7socNe?dt}Icm26~z!@oD!sePVogmCxNzyog~ zMFRy!*1}bD7suivqN5=sbmklH__ew{Ni#|1_~Qw=$LY}1@)du^dUp%KkDHf`=8L6mr+Fifj0oCAz=KJajQezcI)jJ!> zU5Eg$!^*C#RncuZll`I(#icOVvFwu3SiqlzGfa4pG;={W@}Yz~JJbF0(VB-xY=AsH z?dY9lx&?KT`O7%H*`ji)q@0oiYEmUJ@RfneF*)!wcWP}7=Nu)}Nh7uGF$kN+(+=-P zIf9F}qaHIaXWNO&^@b^qu4OKdQ)jKil{4i0EBD7xoP6;k_KCD7hWKrP5l9@%(@^z% zviF}HPhA&-h`ex;{)atyJ}tI|xv3#|T(#&SlDOT?T`$lCRFzOimLW8nLzMBluUNxK z4}6G+CufgbDG|!ID$*SHSyc?w-+i_-l?;uk>Xh1(_l0gD(-L39z-JaC=KZ8N`rCrr-ZRo-QmA$X*=1I_a;CG0sxU zjKdH6v&WdlnGwg=-1f8;(><|CRO+1eS?Ht4UB)|aS(ghum|hT4VE#5#osJ4cGcBV zHX1_DR2m%@AhuOjvl0#pf>YHvc2RgD?eLHJAEe6V%yG=!OzPbiIPRw;SKH%MwkGQ2 zv?-K}++5}4QL3$@uXs<=6;4o9>9l47mv0miF6q^{9KIj-pUmE>SIi%vYPKGB(Z5KU zr~UBC+ZHCle|Wb$jQYJ|^64vo1fF=I?hlJ6gf}d^uW>w&-TY71$P}AzNJ+12QcNTg zLYKnH*j|LN*lH@HJ+3=7@i3Qq8m&=ferm!;GAf1yPLC{@-v<7Ft$HPdFF`VSZ7?r% zN%3U=Gg#s7?V0~A4!K{TZj9S%fqW-uDeNW9U=6NWv(gunv#QYr`0YR}plxi)b>*Yr zWn)}M;T2H9*&kpn!MWbZypImnZj{aujM&gRb*Wv-8q%>A;gVe!cmzO;~q5s{MA}O@Jl- ziQ;a$-IY;$DPfO4-|VkV=R#zYM-3H6>{lrVWH~qbt5Y5nhsdP!1-FkAL6xDma>7`J z0)pCpMYitKp@dznwx!(SJYMvmxNR<>H+>5sQ}@Lc9sDpGZOS=a@%1Rrws1TPGa|cg z{uNDeI_EKnF@nSGpZ^~KM0iRQrRRAZgnWk|6%$FT}~J02PI6V ze(*KgPEeyRe^6`>t49ka#Bx`f!IQER&{0Z+?zlA*k+cT|>Mu&jjQ+{6zOtWmc<7HvyiC>E=EqDyr zx!~z(DfJK{2qUqGu{B)6q&r>1IW%uiVDt+z3y+TrkCbr)#8@ebMv;L z)#j!q>+9$MW{Gkjn-dCKDdNFwD3kceVb2xI{TXgNRF!kI&7q9D0nAGM(##`b3P!}v z{g;bD8K*qoQY{na|uHLe0pU|(}I&2lrYL~HhQLbQ2cPTa4O=Z#e>QWd?; 
zlC?7Jchy(r@X>c%3bzAWB_#%-)q=BuLUmfJaYWDdURO@bZFM^3N-4kO;6m(6uE{IM zv|q__sHVJA1IKjUb~^Y~)Us)&;ujkf%IL1}Zl12(7p-VB-d%Gw`$5(#2C#{@KtRY?n8qr(C1$%4_^4*xR=)I{xrni?H3RzrPMBm#e=>jBHU+lx)eT7%m`7P z0=rOrSaBkaU2iGT1v3m;7=)eT)*FRvT-PbF=xP+chPa`Zl~@8Qs?VigLoql7cg4KymvvKyvS- z^@i|DdP&j#4dwjXt@piP&XDL=Oe#}%yA{!RhR2&15|qG zTm!d-as4mux6cXASZ0<4PWSZmJkKh6yj`Y*#@b>E!(j|Q=-CGSF7H3=xq7K6OLp&P zo?WXE1M&0zfpk3FTy8Sylz)+(JcwR-n)0O+o{{)TYh@QC^l>qcNXz1-f;h^ zDqlqgx}>$GS69Y(*yXGZk98$&fVh9kiz*8TN~Znr3-fQ-M=C?qts7wJ7upvawELcI z?Qtf>kMTRzeKQUlrrZJ zp(8!p$2c={PBt!oKmY&+2`-v>1jcnq69-M0TI?rT-HUEI*aP5j`dvjEyeKf^E_1p2j?u82h zAIlmB6l1X&=pn`_PN_@I7%D-@EPM*&hTK2qpQS(BFe2~E&zk;E91?gGvp7?@L(s<` z@PNn$3>@t)HiR5EJ;SZBamKX8Qp6~9Rds8oiE&?eZhJnck1HiKG*Z1Bk0gBmx`7Bu z;!tJdiJ^r3wB|5_{yR+`iBiPMpWc5BiyuebgJXACCm-d;pnVl{F~gj!ZKigWiwN%> zC8KMHkMVay62W|oyG}D|SAKyOsnGxNCJ>aP_Jtyx^#MmhH^Ap=mj#rMkEVOq-ub&< zGln$31YTJ1>IL8a2VJ8IxN;;OpLd1S+kcRJFOpf4ALFl%8xOv%p;7Y*mbqezAw1oi zP!D9}FnS(%mH$AcsW2U7zF;{(?(_rL2iln0c{BHK*>`GJ!Iu-yAkVSR;K`qGD z8zEuJJY?koF#RaN!|NeCaQp{!aBDj{-pk4t{r%W4#8ekgg<%I(M&39uoo{@;95JqR zP)ysE+-{jTYVjZP=%kNmnV_#KvVlLBb@;ZpGp6w)hYzA&9s`=Wk%N_mvp{AI5Q8+G_>8NHVk zF9Ackh!MpLS1&ojqbR+m0&$)LO^ij;AO3(4y#Qm|n;g*}CqIbqUU5W8amlGHnlKxS zqX~b$a@@1y!Nm6ED+&#s{_uCltM5gWIzS*k8Nn$C8tF4=qFI_3R% zZRG20NLd2i4*1b+a6ojR=}_zsv=c&$EUtPlCK4w=sTBs69y#gJy8DS+Kf6%C`a zp0O)p-fOQvpFjOT`0rj4;uk9a8cmo0TxNqho&Ml$$VPQ8(!!7myG!H}kkhV#I+3 z_BV#F0t3dse5V%p4v{X7{2TUBjVq=p1L$h4kvZRqVOO+Za{7JaohZUPTNc>=vGPsD z^qG(FD-Et`zN2C!+MMKVU@frJ*Jgma*<(E%dF=${h|p6o-MEqAwd|Jd$@3rucb0$U z$MYcr!hg^Ts?=nw1%uD3_Q~pc_JlBy;_BkRk|`B5r7%Y55{0dn=xDde(GGdH1E+s@ zq#OU62#jCV46lqD*rlw)KPrtiilMcs8u<+sbsemOsLd2jt{}&EqUgGd_{8~anduNl zyuL2X91Y9~WTk=-I;LJrxjB@sKdl=VPRQ(Mkm~ONlOp`rP`w$z`t0APadS&7JQ{;h zK)60$5-a3O2J5NulDQyjBb#SASA@Kc7?`r%CBo5ZGm6tZXb_Zq1K#Dq{_LCHt?T=y1x$c}tu`m|ZaL z&p3uRt5mjTx2p8UVP?+&=;0uIDSLk`z8C`0V?7lauB7Yb{A4Ti`78&!fD!0zJ$Yuj z>hzdmxM^9SFch})tK90cz=_r46|_$%YN#u1LB^XPRvtw>*1ow5ed38|th32_UGuhT z(6q_2cRqWv_m3g24 
zQl~+0;X2<6NdRX?s6lomTd8l0hLHLvw68=$LtT{FVw@7mZw(&kvta5Jyl6fL${~2{ zPz7Dy4|^svL%K)UfqC7V{po~P%crDVJXqS7MgGzP$V?AvzP|~ec?V--inqegQpXOP zN)qvxW3+L>ehrOe?i9|4FnH(B&?GQP|L{mud>h}qrENpaBdUiiS}1G5iKZIX%~j2q zgCzzZjKkT53a2t2;CMSCfRYX2hnS71DeW zL$wOlb^`f(4>^*er?p>IeiH%U*9XWktSdU1Uf1D(PacOM?`RYg#mYByTPwpH}ly3{%OUEwxv>)|8HQa)gGi3Yf}#X8y7r z59z`}Cf|oL!S2!Fa5Z)3UN|M@D{W5A*4j#bPi`w?^Yv5WO___w(wujy=i~I-qn_Tz zTYnX_myrH^nQxPxO~HkT3x|i^Gf%zE z_MAI?PhEdE3Fwh4Lye6%`Ao%aGVa~DUz=1$)`x{a(FDfXhOXv za$wToH+ulZF!G+?Y?g3J^j?B#1mIej+#a@@qV;yuVW-j@l=2*>JxaE&pBg9YcspLK zuCfc|KJrH^1yWdw=@i)qTvOV2*0cU}I{7d>e~tLvi~+B|7Fz~Lg4|oN5A*Sp zZ6DiaFKXpIre(8ZqK_-pO4S_nb}bKtmFohJ#y0~Gz_ujwo9-JGUM0^+GERS5o8OQo zotDI{0p|q7Drc)H4iG*r)N-~+DK{jbb&043^*;|g>~MUKo!+4PO~5_^A>Q#c&@-zV zi}&?pZ(^wL6DrPTLnwQg;wob$25@)Jr?t94;mk)Lfp z!se^qQSf3g(R$|~CjwgzDVa=1%{v0pNWadbqUoTD`ZbuiSX?gcU&1J-qxizdncSC0 zqB6a0Pp26HNo_zr4y`G+{C3?TRfrUW@WmJ`$KnZ@%ipM)VJ$4PjWGwF5b}H62)4V+2hPxwDT@=A#h=VJuRm z$ZujR#zl&%@!fXnJA%fcE1D1w+IHs#B7o2xcnSjEkcaoa4LBYwKivNX1Q{oxYV=%dd$)_eG{}Zu=Rk#j9HBe<~Q|6 z6WaJ**jU!8@P+B-lIcF<(9+tcuBBV$Hvu2tgN95)IFLmT2z20yeI`Ms)hYcv=F?GQ zdSl(?U)S#SG; zMjiW)ogf@P?QA5zXPd>{^sS_fErEV54Wky3pfz?5UwOw_Lk-feU#K;oF;XK$)T7IwlM)tYs-Y+K>2Wu*3;3pZD(L?j>@ zVsO%8>KgL)xEFXf;_sm#Lza|HZ!L)3tSGG=C~)!P6{tCAyuJrI z+ogQjrW*_s+FjmQ$(#A%nBbYQ9Z^(w^Q_c$uNA)XR~2fGbcvulM=^ggay$$`o>&{| zH`x$!6$0Be?wj2c^k4PH9yg#FYM#)4Lv2JUE4775g#yS&{pDa$Nf;UwYq)r&NHo!* z1|gnVA49gXxs+|{x*te{af`RmpieQ@ZHo>P^vh<19qk0$Njm`Hhpf9x-^AzY6ui4_0z)rDnFUa) zp96El=oiBd8yx)QUNL|05r2R6-^x=uy4-Cfw)25j{#)hlY6&#rGimS%sL&GLoJT)i zYzcNr&{d(p7oQEaPVP)utAd-v#tLWr>~A{MoLXszTXm$JwmY zou6NW-w{-kS$4~9UPat4UsJIQgZX1}F}|$H9Qqv<=q3_K{Ho;6h_u}HNhQoC(PSw* zm}%NmP)0L^(6^d2esBwAnHcNF2=XBMJT*uYw^f`EDS(){B80xVnpgM*|TH`IRG&sP| zZy#T_a#|bjWye=$kh9W*hBTIsix!uaDo*b7xZBQ_U%EtPWILX+P=W>D-gk94U$&Y< z6jkgRG?tt$g%g497V&`ffhVnj@gF5-hzN@@ZimN{hq{HFJk$~)?EZ%cTAvcG?$sh+ z02w)(7VPdqe0hZ?^8lDn`)SLrlPZNsw3D9H=FDJ)1U{mfr~1yB-ru9R23IX^&3oOZ zExlCu#%#MIn&v$%uPi^+E!q;HIxiWhWW7RT#PlAwX)hmV9qo~(G3`F_w~wy9o-E(l 
zoQ)RRaN}2S)fisR+lPHE;x)F9!d-J8$m)ZbKQ2y9>Yh$UGUOcajWn@t;#`7?KW$ou z0UB5L9wIu0urF+?{3c}Jnii&a*zK!wf-N4aBqsJ;yzWnW1P@(;FC0()*D2n~vt#8? z;e3ln7fphrYaMy~ThYCnW?d^*dR~u*lZ1Wro@5ssV7x+pXwY~P>d9l$sy`I^d>pD{ z9jx_247dNW9s=Kji;J`+i1p3`=Ra>NL+Fi~$u%rGVz_?yjj6DBvwL9Qq6lp)a3z*C zwjl^&9$g*1KHAEMKXvDJXEiWgjpMuTgCnRwqBgJoYAfqeq#dVY(y@9(s@chB-BOT+ z*wdh}>2zdrwl;C9Qb>uFXJ4d~*|GnS;n0*nPPQc8(i^2!Uu0;l2EbBADe^xeLoN+g z^ZiW##l+~@ypZc6=oru-boMc$G&>Wn*!mJGph>S=*zvD>d`?d!&)-g24CIu!Pp}Yn zEcKQ9Ts3la@P2Qr#B|km#ocxwO&-a+TeEI_WKVp$&v)ihmWV7Xs^c-rm)b)c`e%=SMb>Ie6BrswvGxSn$VK5VMqY;b z73IOS2$Ajk)bNz#Vl_L15i8zG;;m*k7p&hTWc!HBw@fQ6xVwcHAr4>|7-9&m;KMc2 zz8t*K%=j{N8Dg z>$JdWsC|>a4NhV7u>GX}wHVKSyT$j2_j0YQK$D97#s0CsV+F}|IVrUut7!A3JKoGLp!hERe#Fr=jGUGvtW%-Zd;M;!J+xF`d!H+YU@na$&OpPev59F$Mzlj|x z-+LiT1Qu2we0ALOZ+11vc*>8}2{0>OFfcX$Y~h)M(D8X9DHq5VI#)u~lt6o7)2-%5 zrLo?CsmKfg9pX0HR!5Q>rG+`HOx&5cT$vfQfHrhmt-lP)MsB}F)1KiZ=us>(1%R_qZrWE=(lI&CLc8aQ*&r{`;9%Zw zSQ(=0yDwM7ZjlUs%)rNE;;3getdyCV;MVdcI=-@DGZfP)7DhFRgK=rLqsjteuPn|* zXxi1$On6IT%cWIR=YdgyNzq=CHUhZHwVp~CL7_{D(b1x*flY_UX77p41U+$*-29IQuGV#kB+FPNU~@k%`?;nL8+ zhOcj0w2gFzEF6V*_Zb#v(N#y^rk6^fJBP5E*joL#Bj51{rEqkHK_p3B-#aWE6JJ|r zhAqEkAKA~h@e_jcT6KD#jpJOUcrlHB&poVW`7bn2h5uiWR$tW~_rDEC7jCtGz`qmvT7W_Q%k->yW zA3IPy(L0eyB%yd5N6(b*^Zo*roX_e--?1TgMIyhvyao|*Fih3N=dy7c`h-rQ=PQ~v zg@bhX@0I-LeD8lgNptHZEswK8-mt&8Dez?hf8_pm%DyyXTg-B2(+Rjypn^N-Xq#AD zd#Pl$AE+;`?ZQACK7*3SavAfv2`wt=U%iG5=kqDhF%jOL@u7(C+b7RhI`+#vKYiky zYuqW0~zuTV<`U|jmAONkN_Crp~Vzvhd~=)+EPi; z;NckwjG&*^3|4K`Mu-9KR@;DR$Qu9Jb95vf`GRT0)6-fk(_U3wspc?br6UGGLO^EX zf#AQbt2J3UN0~){F$PYNDhWxQIcwllMEnh(ijy{UuPUG$Hw9#amtQY)NnSiGqDa@}&1CvfWb2}f&Ka?QL5!jmNM zwDL=;Qaij0c4Zxn>(>MPYXTO@CX#NSzKQGk;K$g*=l8!y_lTCB74dE*8kOO5`p|_s z@{Ei!s;AyP3v=|m<@mnW!9{7Q*zqj|ApCC-2ihyYms}!G{Rf&?fRy7Cyx?URQ_Bl% zpjhh9WJ;y3Bz2sH)Q7W@qRGM-E}ue;>EcjhYgI__w|=oKx;JOA-(#wa)WnXSS& z_dm%PJ3tH0=8mpdj5{r4O;SQSQgBH@i9;0~9G1fZW=NI(vw)|52Oc)Z z3`FJQf?>xpp?NadC%)AqFe2c zZ51Ak2Lqmg>bN*x6QS&A8M)APzx913TcPGh1BU<0g@rnOsriD*$kihzsc6w2+6n3t 
zMnQH%BomPJ(^I7%o3AZV*O2xQSQ?I>1SUu=&1G)l+qE9z3%E9 z4X4EJ)@oY|QtCuGkyI>Ec^R0O%Hl}UZiWkQl#>T^gXtZo28M|(lx44arwB4?Gh0_7 zpcOo+)@f6<*;B_I{#1u>{+?0^YuZZgcc_Uo%gZ301xKbMrcTK!J@VZ!fuv#{O1T6! zrhpst`rkx@^8t&_PntrD0OxFUtpj=O{TH z#x9kh)^$nsn{b@n?#g=O7FN#&G{@^_g->X2TPlX{*Z4ESEQz#FjQE@C5K?DqJ6SHnbW=Xuek&s|J+Ulzn*nzr#5p_*I7gY}U z34DVJwOEa+!@y;sP-x%{7f}(nt&atSfax6_9aL2OIb9r`T_Z21Uj=;wdj>Iv;jWS)IT0~UU!MEl6!TKnVvZgPAYj|ra1Vl171Jpi=w;kUbIyg8k zie=A>(e0ki^Dsblb@Auwxw4gmm5G#NUJ}nvxNdc!7_ax5jaP;2xkH3rNYy4Ma-VZF zN}YnGqN`ip@d()LHksD(B0NA2jQCu=Y;ay%dD78i$(k1Y$ZXQHOX^+J z`~(zP=yf$NyiC7qtAuiy5I8L)ClGSYB@x1Kn5CL1pt7Rf+rOroz|p^}(zjFWlO)S! zxLrjPV~vvj$7GR?wk7ux&6u;}^!?NGAiZcU20`c9Lt9+bBtz(fMfAzeqKD96@I!*7 zvz(S;x+-}VGH2akJ^G*AF&>b<4^V-LQI9SpWkyDajg!eySNll=e>fJ2hH^x+c?_{A z;osVg^42SQP-upl2NMogipPUu&2Rt-@NATf`dgEdN?v*UD085(F2}uoVRl$r4E@ly zu=vjR3URG%IJ#&{Qj`q$ZK{4a>dTC5Y@Q5Tk+%P;ErtJpE5fBt|LkXb+0O8(S6$O6 zF`j|JFQOp#GT-+xA*tVj6mtbT6a)CrLdFvH&~~D2iZzI8?lh=l%zjrBa+>|pxC_Jo z&KXJGu${{0%~#OAT1+kpQ9xsBRm0UDfV3!>*{{$vyZHfi)#~_|Jrfx+=Xb_(aZ^Y> z0z#M-98%*T7`*6vk67hl7`cqbF_y7>Jh48!bzQIT-)avWEN#fBnCq~xxl3eYr<(8~ z<{K32i31gDq$T+|Cv;;Q@DB*EaKVxVOT@k(cp?dBIaHWU(<5DQg}gY8!1)Lbyp6jS z6C!_N?w)^U+a`omRlX=$oH0j#@=9z{X&kNEp>f-Aw(`@+zTM4gCVz9|RutzNXJWdq zdIqZD#PZm_TcWP7IS-df0cnr`(5y1_UneeQiQ)O zD>#>i3mn}YECvbva}1OnD~ew;q+8Dkk8L&FU%mg~BaCI34J4PsNlfOpW@;#CL}F2? z9$G~j6`_jjBqVJ@In!Hw$RB}e+|et|nHBKTfmB>{Dj;l7!FMuowL!f%RN1@=4eCA? 
zS9)a+i(ayeqmpuSl%fshfiP|@eMSdTPj+qCV{TiVeby5@=Oy|6+hzdU?0_%*Wt(Wx z-p?8<^JSfvR=4OAC~8w6rk$(@0erwFcoP%Hm~ zRh<(OthP&W^9Q?yoni zwD2W-z9q_AySdhM?BXu#*wB2v%^XY}7Ev&}VUI{9EwEE$uI?iS!iwEiL(T=0Pmn}T zN?EF&Z+)JGSljy8H~iYkzB1Hxf95%Q!$>tEPJ>n0B=E|0SX{A2?E4aBJTYZ>Sv;0X zOH^(yX3aiT-RJbtzq$iLaEh#Miy&4*nJ=HD1$!VDzj<8*FJqb~&VgzwwNxoV*DTtv z38v@F^zmJ|YWI&$lDB29>}fLRtpMpY-n40f_3&{dCa;EXmExydO6h|jOc?Ky9Chs< zT_$BmPTwC|o=jRRHr%0~QNSR}Mk>}5W_(GW*st<|xwd%}-5IG8m%8?!Kuht7sd`Y5 zhnol2Pg$fel=_~bW@JMH*$Yns@IN4|jf5;`Sf80ZtAUk~&2_6^W#ZIg@n8hkW)NKj zBi&YIkIz;*S#4SPJEu`1TPsXB8eFFXt^Wv?&el$1g0_=nj28I_IWy>vPoyc-FHsS8 zE#{_P&@C08PhE4`7=$C@wEoF;5|KT9Ct8bm! zfztFOV)Nwaw9!~|xZ_4z!kAp%z##Y^)8MqfnTQkg1XR8yA6AGCUAQsm!*n}?G`6Zn zk4wyta+)&oPq{qIEG`f*e{GTCdj269C5DNree+tQQH_&C=WgOliwR8 zF3gCVF2fc^Q{9nUieHINvkJeLq0#ejOx5aAfV*|9hRp5 zl3JgMjj*EWvBj~32+jHxb+Ja%s8ulU(ewsRDYhX^3;wOZ3U9fx{eQ+Jn61g;fu`2C zZs`n$bCw~R)AqXwYtcuR1vA%_7lya_N+gwB>aQZ&&A}N@!Z?qOpfkEz#8lI8w13l&{CN8n>llm#m23XC=_LP zG^dSKqRUnD$R?)UH@a@g(g4zu zZw)wsNtWFScLCc~O zNxH+7o(u}aSwXJzKyII&dhL$`0*3)8vXspHfy=Y}-ADp9D7X*+=RIr0z5bt#K5N=Rb5=O|xrUoXbE zesM_>>XGZgx1Mki>HW`oUlc$NB%#048_p#UcZEU|H5l57(W|b9-5CbRZuvd!E)77t z5$gTZfZ@j*(nFEwl%*LXv{bs&2u;F@l&?ER8n0wM>R$LdatT*-4JPZU$6GM>>Bw3> z9cxODq0bB75t8k+21WO6Eo8WMYGc1zxAiB6?_Fh729c~}aSd%;YZA5IG=q%1Gje0W zO`L;btLz~2NZFG91&Se!mO?;Ma=-H{c7m;I#fBj#01%Am z)4aUyYE@M_*=(BAZ=I6%Y_yY}J}xBoDkc>l5t&|X^aaoPxw^x0$f%4*hlNb4rB@lR zOQm_6!aNOZTPN!tjo|ErU>8LU&Ic|%It>0PTVzEP905YHIlf~HV`IvtVN}N!8ct@B z)}ZyVwo{GcMiW`{PtM!K@T*Bj0Yi?;xRR7=4$k>P!Sh#w4>%zCg7{e zKW|RtRST&j5L*4^I8RX^-xnn}iuzFV{aUiFLL8uIA^t%+dx}H%?l|#c>O+o~i8f@Sv$h0vD$QcANM8JXswYExTdqN9IY+^p+N zP|H_gt)~HtAk=@?@HxN)m4PkNrwmp)kdA_~M>i$kVIBDZ&e`RsJib%s(`T0s%S^NX z)d(c2VAy}z5)g>&lduN+9b~uCdm5gxX2Bv(TVv%uGdd-F0j9i@sl)Ch>(E}~rVE&0(;k6i?t;Df& zPZ8y2m4b2g!DjLY&~jPa_sF~HV4Zd=I4jdfP?X4;p_#j{oAuJYn+pEW!5Z;5nAh{& zcw_;9I}v?F9UVJ!um`r3+Gqm%VfcswoPJx`>$O7)Ieh^=0 z*)q~eaN06gh(#rIC86fESxwZpz+I|@dbZATaK|V>rjf;e&jgMGTc51xUbxV7ZTCaG}~{j 
z*Ju5@&sF1ZUQXHYAh_|=PBxI)U;d+5(>6S`!mg}nyPFc=m=Vy1UB$`Bv4f2JYAsLL zW2q$5gX}aVLb$shxc(Z9b1I@v#tyV~iH0k9_!~|g`?kapq-MDuK8Y$ilGBmA8doM$ zq=vOJ0>lGe(a`&o`d{39mSCz0U!%?QToR(`0{0AVBdhv0`#ixiw~7fKm?p`*cn^bq z;~FJGP>zHuly zioG=s3VJm2rM%A+hqzqjx|yro+Kn8+pisl<$Z3kxg)Mw(-L97S(uB>I=aq(Q#FAdt zdpFGv!kj6lYf*Gj&wP{_nET^{e%x5l3^TN#^{u#gA3CfK3tb;^jn@A81Cpp}SoV21 zDU^Eu35BgC(%%h;hZu~Ov`s(-NP`G$X_`lxZ*=nZXs4E0IYoZ!t!}Rhmw1B3s$BAjyYX{S^wfV0V7dMYUna=`;~#y+LQLpZj^KP{-VSUpsSzpHIR4+iXJ2wnqscpt84L9ZZl< z#&Z+26C)w)Xpw&uK%!DNC%cnlGaz}IO~iJYXl%Kc4?ovmZ_u!aFc83O{c|;I`GmCH zC`hBsgR74%d;yoY1nSghkUw$X*>Gcw?37xfl|DYFCX%*3=t-S>WQK^Gnx-2k zz^W%3Q$jQbKbWbQ2xE%Z2s*n%rSFUW1zA;1Zaz#ATzDw+1*kPA?&sm(*J4dH!paI# z-lOF<-8C#lCMkLFELk@_X2r<0F)?CS9d%|oh&B;C4MTtx&Ekc3#~(KSIH>nvJ_BsyR{JB?q`f92^eLxpD|--4Xl`fnq- zcIFdOOyN|;{9WqdEMcOmqh-qD8=_{*26T+P$YR-;Aysg?Th+ z(hn?3_)C4Wpk}lKC_Z3;uEzP~+kL7L57Q9DjYe%AX?cO)q4qv$o7#Dj)55Wn3dy}{ zOs20mUE}p>@#S?=17GMKUo0DkfapH=oz^Yr|Lo5=OT{pj7byfkwQbTBS6J&`oHm*e zo>Hvy@S0^I-+`iopgt$t*@OCQNHxe${KFuz(ohwv{ab%Je192@zHv%?PZ|1n3*Vbb zSe*O+6iJEAs7CP0h_%?M!ihH5-u!is*{Bf&)v2~Yvs>;+(-ecabCvYGYGBLD>B^iI zpLY#jDRW%I{teiusX==pMa}f>WAx8D{!2L4Wl(_%hu@A*vw}5&Q*u!P;oc$$I)Nt^ ziW6jitDS%KDYb~u_JMayU4=><6|-kQ^NEGA7mxR^ie;HV7EM|W$;n$H8@IK5 zDKxbB<9`JK8WT4cG$r&cylR1AGDf5H0Rugp+2x;!su^ycbK$qM8CLR)f(-wa%+n7d zvSe&SYXoW4m&L(TH3v=mWRIOe1uK5gVgSf&=|1#ub#8Sd`?>}!A~8K zMEul2a8N*USY&MQ+$pzW2&SvsIJP4;2~aZ3#d{*=@^5Cd-jbA)^?JC(>ft-Os%DM5 z_%t3BZQp3I)t>X=crUwm7If}oq(#Vg7#i-^I1A!0_7@Qa=?q}tA3jpF+ZmB!lBSHQ za>a0gQ){Ney8Y+RGT#>4FBaWdL&ymq%TyP(F{=y*Cuk%&ig1}N1M~|@iOIeJw@TyP z9uFERGBWZWLhUQfX1@RNbTcEi4^%_*Rqz7jsgAxegPJ>0GJ;p{@)tDRYI07sYxeV2 zD!Y%nfWG)2Lt7eH6S>f}p}hx1ilQPG@>EP9C!b(zHtxyvQ{unLQsf46BZjSwQ@RF4 zdppI=TJ%*_eky>`&kVLV4k+;jOD04HPdw(losNk=IYaC&?W<*{@r<~w0%YXd-PcRK z(va)`KKKHNeOFVjJ5NZh2Tyg^@Iu#u#X|d3b_v9XmJW|Gf19qYFoe~k4()Ul=X9V; z?w9n@c;9fHrWuUX3v#DKcdPsQ@4yBf+CU%uwOt|azV(#X5p1b}=Reu6snc$^z^OKU3u1~W5sa_ zRcF>p9!d-wwu3s@PQ4U?+??R55;JmQq^KJg#oFaKXJ7wPvDA@q`UDz5oYD-9YGbd5dDJNf@+}`KdhLQFl!XnV-!LeF$JNe 
zCdMck>nfs9XgG+45v;}G123||zk_+eeY5mf{2UW>FkdY6s;ENJSpqa|1)_d32n1G| zAx8x*hKsoG{A552bb&6jd#BpFwcui4rZd`gyo2o@jU2obsmZbqVZ=mg4{=;c zBva!~5A@+4@;Kwv$%xNep9EcinUwrw ze!_RtuZBjlDgR^3W+HJATT*}mUJ=8)ze4u|qLBKlaN{`^dD_k*z+O(A8a=bS`3-|^ zMG`eAF<0!#FIShh-g8_PrKZ^Rhs}Rt_>-R<^G2kZW+*;U%P_t(pxI5q8`W}(pVY!s zwQQ7U6Qo%!3d4~5->RkNUOi8u>^)ufhF&H-J91}gx=yLYOWiob&OSE9Bb8f+t2a(2 zE4+jQlgU+H*lj9_8&%2s8g?y2%cPpko^g@D4Q7J%90lDzind6+tX7A#t*u{Kg#L8oI`nk!Q5cmqc?Yz9oV?g$Iw8d_OtX4r%>mmiOHNIZxre|tF~P95Q{ z+iFtPfs)!o3~J?)9n1drSvbY$9l)HhrGS5v3bhH$y{9jmh%DB z1+OcSl*M@59_=bvf^;b66V zn2NoBZHbjDo-1k?r-Tc!DOn#6RyU^0BDaq(q%jK+g z4T1|IeeQ}uM;&a{Q=8=nZ7JauNuYcBkwRMZ^m4B6Xk+H2nQ%llHGg;P3XTec8ZYnQ zrtc*+RvMj|zMH9l)uFzg<2-f&eHrrKgo=STL^#d_gpoF34(~L!HC-U78NhC1kI_|K zCT+c!ION-RHU`FyH|`z1Jp|hP)@d>8SP7I)#LV=Mz-i-JqggC$c7A~S8B{JysHKPD zFF8)b-PwNUR+*Kzx%aeRSrT7aQqd#39$!8oRBX5Ie;ml@GigUS`_%_I6H?kAG**RM z@r@=L)n03q7G}shLLToZ7}PTYC|=qbz_5||9Q{ho40p~O-2WQt|3G!i=(B}osUzy; z)*11RM|#pZGN!&*nc06eJkw1l7^-zy>&i>{v=omwG`tJdE;qzaqm!yNx16MwH>$Sw zcx+D!w_KJi7R$7>_izJ)KuYJ^|B*tx6)}l764Pt|q2kt}sX{g@3w%+Ef;53Yw&NgGM@IkPNGuVx{&O{slJGHY zOS>ehk!KRMQo=lg?6RomJ37ty5*Sye8F5afM2_fs&Nkb{L(unqh3H?BlD z^T~~QVRJEE&}-r6%j)ysFA4GZ^9`_>7#&Lc3ky}!npugOFKxRS>WH@CJgHK|x}Jf0 zfa#^B@8^_vUl*f?%Px{Dh|vXzIfwdFjF@MSn*_M7c>!C#`PxByXZ$44?f7+8$JcmN zn$PQ?`Q>e|p6+*gNbP%WE4DC8UO6N?d4M4fu%-qjmdFAj1yvLARlK)o-3cE)c@ zj1OI#z?EPlUQiVwz1S3g1HnNWAq4^g98Q*Q?1&UgYg`ml2VY(K949*Gfo$E!;B=#oKQ)|L4uXh$YF&rXqi5?0q465S8s7Cp|lb`|B z?2qBjCRe39^~6R>@^>%kgv5K!xe&|aN_&`((Pc)QIG#+y@n1(9_rwxy|)2t+^oW@_A2)H^G4jLeQC)7K_EYtcN? 
zU+`4mrK_}5y**Ju!8(#EUx}w>5nG3lCI`~{FovV6fapUhEek>o6`WC7_z^XHc`|rU zj|UxwdLfp1lFc?XoDmpcHCZ(Lt&aAla=464F?*v4fV8NWi@d1BP0xB{;d;zcsw|)l z8SwfHUX=DQY)}m9$El89QP!mGUN<$@n#?r=^#M?YQo3qg8zRNbUZd`2({Gut{zGqd zbYHQ$@%iw1jrNre(=9X0<*SV1K4#y@rk4StkIRGC$9f9=1QN>I0;Fe8hOa!%^q$Mh zpnB+rB*I2wnHZ#%tQI4%FqW*4N+%ahHau!Mj3)3JGWic-fY=ae1RXj@%fm$KM&fhL zErJV8Ri5g`n+8Sfxo+BYRe|`gNAH8k89T5V#vUIc9ulW=6{gLITjCgqe7i7yv=C0L z-ra+RA;w%b>WlL;lCGFH?Syv(9*@)RV{ND4+~94-0>5Qn2|t1wTU8f3PSW>tSI2F( zGmH)R4;t`}(5b`f)y9PhfkyEeAU1*ikC24jthzlt{Z@{bZ?nCZYr7qUyOTrf5$3W0 zAu%yiAU|_$K+d@K6$uz1wf1_DSDs|Ak>Gfv`|4h`_u66%h0VE|I(z5b(t6c)zO<>B z@C^&OqM@O?qPSKjd=8lW9HRWYjCEi--|Is2mwMrhuX+4Q2uybpmET^*D|e5a2pixX zXXy$Q%h@Z_Nh4D%=EhU#o!R1XxG|(EvX&f^aZ0KWm-khknP z;5BazDn>+c{V=i+4Oqe4wo#F+k<$V-El1-n{{TKPO5Sr>uvxKbNdeE% z9}~jXmIP9t;u)YQ?jQ9z2)=^ZiMArzaD~sMhwxqrDbc!CX+v5U&SO{z;$~Gut~lWO z9Y@{6k|BT7go9N$a0M#;-dM)M@0Z@ei(w1_G-9GJDiao37K&prgmtJe^(JB|&D9je zljHDC0iit)wiZE+|NqmEi#Gm@A@;$Hpv2gq*#f$Z38W8xy0gLd(Ly%10v{3h8`4Dd zlZA}axe}*y(ESCVS_h}N4&Ibdi%=xok@*3NBuba87vMJ6{)W$|uo}ft@ohW2Dm>`X zFH{%@mPD6TY^XL=Q6_SpTVcS)VajR`kA|QnLB=}JFGTeh^A}rSsvyj(f-rxBd8O?F zO3jaP)p9CS_ppAmxPtQc%1sa?r!*^T(o^n>^%Udo>h_ORi|IX_%2Iw-jo2P-gM@m z{t0*z@*`b3D3!gDYqv#=P5I+frRSPAPxFwaCtZ z`4Pj0hfTI&1Y@PI2yLfgkBi#;UfXxZ_260{JI89y?mD8?``{hy^OT#9CdcIzK~sX` z=TEKA2=ccQ;eTYogpdl9EFO6yjd{glU&d~tge@LbEY%%Rw#|Uyh!#nTvJJbm*{?+Y zmmrRpU{oN2P=N>%olsr)X}A-SB=>!F|7p$o3i`BpIdd_l><_H6(18zP0^mN0obdxC zZ=1**<36=UB7|PU{8~14+EbcM=i!33WmQ~JSgEI;yjnQfq{Yil+_2}3f;Dw{@D%`V zr$8_(9Y7WQKg~607YUuHcrBiY3M%ngy-j1{UK8gyKUA&rEZD&D$%Dm5Rqn}yN6z7gULT33tX?=@&r=EJx)WECk)QAFT^JloWEmNzI(ERBg-tSespodIA@4{ha2lH4E z-45`k@Ownp;MEJ_VG{!TpgUIB0MtSMBL#I9o&oE30z+2NA>!$x8##iC)XbKXBq1s; zFVniT4GDi?Qm3j-hA-i?pE)DQ-Sxad2S4b$An8BGNDE{EwHHM} zsMU`K@2Kj-FDsp*kU?-%9zSeWHsWuz-S5Ah#H;F{Ay3D-2iY=+zYroVXSO7L>UA$ZyF!k{4bA zZ9ZPhy4Q@~7w^9O{GqVB7o^u*`2h5;U9vGmF*dapSh_dpdR)xd>u9f~XHr}f({Rvs zf9{F&QX8oUDk!W}ac3w)`=lg2*zC8q!B{UisGFet;D7uqJG8Cnl?Fej|3)?J_)9o+ 
z$5#c*iywwa^47ayOBzD${nxje*v9h}ZVGGA$f?U8x6#MVh@kd=)ci_gnYZ5qI>*w>h>&kHc_!I9ZfsYS$f#CNCX2>%zbOo zaCBcGpJ^-IP|MeiJ^j6{%TBCZkM&W?roUr#vUTZh#jZZv=d`tw=T17fUSU>OpQTFR z@jnf}eXIg{ht|Vinkza0sZ<~M1AK?vR#UCXYMp4;Fj16zLfAdkAJ#nkA8$27-oEuh zv$$5?K?gPQp<<$mmU*W@&_}wKoz)dBuU1e5)*J#eHC37V_G#%*NDMMA;d1L;Q=gq{ z*Y}NEV^g3|ivLa?OSHaPm^l{GHQRFYM?YCin<69!vUV|jzWyl4@u6GrtQVtk+jfsl zhvL?}P{aw3@y!?vfR>ogFwS(uC7F_9`lfa)tT&@s>=DgvW_&m@Di>eUuTVTrg2 z3?r0=;)tq6s?+C3!s-eAuL>pC9*q}&%;jv56#9g)sj55OM;MeWH%@MgvR72*go+c3 zDvIQr=1J}FmU|Kv3}4}xm;6Q5qQ-@PZiN0DhK_F(;}=NY?Oe45;vLl5 z%um!VPpC5o37~ML@sIBV4_#4Ech)MUgbpP8r%$tE-{# zm!@XqGZH;ssr)vSzJ3MWR_ zI`WRs9cn%_J$*ezo;Zf7{ql-AWoN!6i8)t^FnKAF_vbWbAPkRiq@<&cD^XPEwf~$k zpgb=d4M-{tq%)9Hg_5J#;VfB08N-#x`-_`?El5f_U$m%eWphwZpUJ!$x>2qE8$S-$ zz3U!OaN?AMvV*^J3^bD{HmJq0%K))(YaSxXiZz;Sii5B!uQdkSIr@2t?w2!hpN3*y zZj@0O0oPbI?15Wmj#EC}XvnKR)hH|nt`+}7ie8(^IQTZ!vGL!o$GHs3w{ZewnK?*6 zyXG%5A~faSe%O#*7qCs3(GIWuppgn6$wOMlo9RK|G2NUZHo9EWY8eW994u!P`lk(1jNG5yu546vi3b?Torwh6viPjO0 z5fQ-eP!jjXs=r}y#f(uJ0ElC$;Hs&g*K7rv0^x=|J~uH;2~Xy6+F!kwg#X?=HP853eCu$!>;ExYs0eHgPIaiVGR*!?Zlbc+13(4stz)}yk7*PIs7WUnj z{me$5dWHgdeAB+Feu|Guq~D~c&MBLvI@-YZZ(&Zb78!mvF2iMRIJI$Qm7yHj-P*f9 zo5&X9v3?=a5O|$X$6Ir0SZ$4asSJkODH5W$90KHvtbKzLd0>10n@k*(lL!5Pd<={z zd7>YNOcB9_z<^=E6kzPC$cz;w0$zENvy|R*K%vpFn9NZeCh3puLZ$@t)A5_Vbv_n{)Cy>S0e(&CG=i$J8NN_Bt~u#?K62uuwd-^slnw}*bitTMQBSUTV_fuXctip zb#@W$;R)icanISHZjkv~ZxHEzJ08aQ7vSK1`l8+Ks}`!>iQk7`48-%92vx_htN|8o zbh&gNX zW;u59V71hS@KmPgQ-4TN&5UM3#_s%t`^yYJE&a34akglx&oM&cbjC@9Z=qc=Tyve{ zm2qZO)`4AlZA)uw8UXpmpo9{uJm@av>P9RC&IgO)7eU{|srs()zSfNm|vO1FD50n}yQ$h6#vDHlNgKLA&g2b_CDz5`||&?BAO10W(YsfL!kYVHS>%1+Au1 z%Mx%BTojWsT%R1mTHU9pDilDNx(yf){A=;@6Lm8@iLs2)fAmtzBB|plQ3yvEV@z}x zfMjzI5>9tG7CNX%fHn*8_JyHm^Kw-!uJW$VO@5)cKjy?mu889b!yhNn6l(hwAL(&0 z2-)d|r}4+q5;auE#FNpM%z-jT2k$ZQBnU5>2vnW_1o{N(@5zG538wxt(mzQ9H!4t` zi69DyWX1AX?VYKiMl{gxHF|ag$ya-B#crX&TTrucTa){Zp8C;4Vt%_|k+L3KB#rfz z_MTkrnj1@Mkgjvnk;8c~5Wt_k^Rfx|n@eoNf@la~6ae5^l*;$f8i8|Sq+6mvCM^#F 
z*ySTS@$OO9l+W(Fy1YD#4N=Vw8pCe`4R+yL+6gWl|GCL7S1~UgPua& z7ntpS!miiG<)t0(+k$`*UVl@QJ%FdMD=@I|X$0f9!=VjNqX3Z4atP$LbWSyCPi7c} zhB00Scj4xUTST{IvJ`QaEBKB^@D|QQ zpHW&YkL`YX-83&>n|N6_@4wi6AI@(eC%<4L52UlZ@w@Q zTEZ|z090;)XIarUTx6PX$&e=W9#N#C7RzKADe5~3`3na^;eX3dA(3Lf45Gr%5g&5v z!-ljf#*%b}H$YPuCN~@s8>&qs;yi|Y-l8W)*{tt@2*>9pcB38!k1 zn?T^a3X}VN(1U^zoS@dly>N?^pUPRJ(}LCBVscJy2dZh6n_0Dw&WN9ri(m3P5pw=p zJ{`#bw0qFc5IffRA0q=<%f2OXf2MdqcY6PJu1E7FCCVs2_jBgrNt56!0*CAq^%0B@ zX3zPk!iW3j_qps|07P8aI!DLENx=QDJpWtd*y9lG( zGdqHvPw+R~IyJQdd4a$El3y=|(6Ho5>5?#6W#BnBtaF0Z2@5N%=3dV$ChEociaqxD zQ->Ty|1qr%ub}Er0tz~i5{dSK!vgm17(yPR1lEB|+<1}{4~n3-MBPm%k(_m| zFO!o^ARvC4p_?VrVaXAw`m-$Lc5_6M4m70$76*+@FZ*7__rAHjtqQB_kt@Nkz*o=i zwJ;1oO!+_M2@cZ??`NzNVin7p!(1t>cd&Xpy z>x9(5{cBqsmzi`IQQD6efh3`dye+6DqV=3BGjm*i?V)s|1E2lY9Qf4@zx3sHY~gS@ z0zaOgI23hBrHNzcWIWuNC;nKaO3+ADNdWg?pq+$ab@q8H^hTQ(7+=9ZYKMH%qJR>8 zW@DlSEV`gE+@9+C?JCdIgND4BSMHu4YrgkWARc2cfuF2{xAN~NHxg!NOt8f|r;di2 zT0`K1o9z0B7IT;OE||v0d+6+OeUv0`Mw*@g?6MygfuH(G zEdHpq3x^!4o`B?FFzriP#OXW>t@ZPii-H)<^-w4o*3@%Uy0<@0F$3U`zy1U40$LCR zm>|O3I&(2|{fbAYB!cG_<*PoMmq+hq3~=5zjr9EMTi7vfGsH(&sX@8RGYTX~6nWfw zyA1tn=7jZVpC7t6bQdtXe`Jbx8yNQdVtGeGB2ZPhXvfd1y}Tu|#^<|g9|9kq{umpp z>#T@&zLPK*cPqru@;+Zjxj z#KESJLPi=)T6r{Z9Z`P*}m2HqcyyLhO+O1(}(gYQ~xw%v$|nI3>c>p@8(S*KT?=qL9I^W z{(y`(Fiz+Y!y_$e1`%aOQs5H1^wG)tc#(4eE;)p({psjrYCzn-of8v+agPu{a;tjJ zw#G5Xis&x>5F)VWCr&^H7SFSYRF#*-tSABOL|hL8^Pe0Eek=R;@I$ufgiTVgtJF58 z>#DqlnxLV2b8f#>XPm~;|G70vkgL?5#;c)Lu}+E1wj#O~05A^v zcx&4)QfevbOFgxi*7RMnAYKSu;cvI0Z~d9%MH&P99+F6wlg#ydTf^c}n$IT{N29RT zIRyC|8n-|0m1@SKl!Fls*{95!(R6m4j6zGKmp5(_n1oK3*cn%X_lq5K*_-{ye@zpB ztKc!Ez3j2#iIV&cm0JmdUnWy5UHMH*QVt+`neZ?7DXf}p(${@QCa zGpUH)0e><*VF)3Cr=Ei=Yvqa*xG9-iIZ=kT@Ew>Ve&{ii6{jCA^vSQJnOUD9E@;f7 zcsGmTH)>CO(F&yHzzgaz&3LguEUD!pR*QUgLFfbk;y?145p=VR5cILAdheo#Gb4e> zM}x|K=S=qk^Q5Ve0F+3~tmBpm$ofLpKMu^5qw-8{oU3)bJ2YiImFNNuEi07=U6 zu1qCJQq*rA`|2sgRh}UUuTOupk*u$%J+I{|ch!gCG%9*|H?-&r^{nXXD~}(~MFaQw zX}cm~fpsrr2gE!@fC1sP5h#)eV}{>&xFL(FEdUIDM#q&wEwoJ8MJwNirn?jhPoOT> 
z%#0u(7gLN}^jYK_c!&KL98ea+SZV{;7zED81B6;doEWzSo6|#Wq}LaKA^pl+(@gHI zTf@3N5r6&ChvUXZVh1~yHQ?MK-)7Y2&%;kY(TYEm@U(79__h8lYuA%zzDlu^wy7L zLkj)QDh@axQx0&)fv$}}+&Ea(Q5skU&X<|15D7}Zr*xl`Uz3ze27HWI~`Q|0Z^T&{#I)OV!`QvF& z=S5~g1i7Gd_FmHf#?zYwu4k4+Yu6t>M)frx zh3#z893Djb*QPK!1poB8^W7)m1_|xuFQU0j3{9gsz$4g~_k=Ub!veQX&hJGE)~XV_ zD&1;wJevecn4gbT7KV+f!;O=>C)3UoU3;I-zY52&765dFZ(af)pSI9{tKe3YFd1b+ zCMmdP%1UE2Q{X#%>{PEDam$H_Ml1$}4@;DWDzKEXq7i*me_`3~1lIwhGdlq*`(mc zDdjx~=7lPt<~I?Np0Wk zA?y~1dbu=nF4fWaiN&;3x||{Ov=FFF9lLhQYE*rGWU6u*DGl! z$By%|wsofya-sEZmUIle3tF{B{-1+1NZwaBaR3Hj4!_48ZYVi>Sf8 zh@OU20>u~wo_y&)tSiAJO5YA9g4`NIRekA@R#X{LAMeFJsk3-F_vc#?+slr&MiPIV z75CS;2dNgtXx{NWl%7M%wO!n@l}JFT@Y)0v^FspNAI(TEUuFU*{ft&1{rQd7M0rMd z#Y7TLIwsh-;&bAHSXPLTVw;Sr8KCr^W35LRN4G?f0CE(9aeSmejzR#=oW|u>PHsuN z4@b4sngJq@Yr^cjIkZJwX!93y2!jQHE%eY zM;FBVc?uktDRPjW>NqY);d5~es-Ja6SUv(< zK}|2L#Njzmhe#a7ioA88*CR^5B5sCOT|m$?=}-avS93FPbz9YO4O)SOV(ea+V>V>a z=}4<>dDJhWp{j@UVKvap>s~=?V*UB~_VF(NMq`1jQ)=Xvq+hS$Codn&K_f{_cbt0+ z|M?Rf?jOGjg~ot2!+!)8f;u8FZGqg>5`NVpS-m2nEVvXVbJ!`hQSFq8H1k&s>VK67 z&Gv%bCYW9qADf<*S8Q(&h2~#1%fo_KJQhq1bD6jt1@DGz1%VHSAy__HD6sWzjIZ4! z>VP_7U%Q`uqa<2?1XkCmZ8ehxClDBG|n*Yjbz6S zqJ;Wif$e94G@;6ujMP}%YgMJ4-7C;7If``);E<`Plj z{G+u7l3;RFAfw(EUEbSKHD+NersjxN-%Yx`#H-cm2Y+3Pn1*k$sph#%`dx+!Y8W%o z!(({FgG5B$-w1q0p1$M!CU6?6gnq>?D_KBiaNKv9^I$C3jCaIiQEGDdb?g!4069@K zvr`OFyqL~^A`b_1AS2$5o1OG*#Z5nla^t_{2WlZs5 zI$I5;luF^i9I&|?@+zW4#TqHp_S={ zhdU-aAo5A6m^kfZTAl9?zysQy59JFm|1povx7(wVbS5c1Qd=XGIo@K(Vk+7*TM8#j zSazr7$(s^6WpND8lT42N1-F*%3Y<9s<2t06t<((8T=|R2WI+`(S@`Rj*%)CHDKD$s z2q|d#6G}83-v(F7>oN}HA&FsdAzXCYejz57SnW<=hMPeLaVB`eRbv3DK8QVWffam4!aXweOO#m3m~UUWfU{5y#! 
z!Ko53Y(lDe!p+{gD<5jnx+_;qS|$36rMzL-tg~x7G&5=l%A=-UbK&yVSt~zF^XCiR z>F`_n_`$XCT5z46e!6Jv|O!XMjiXiG;X#+i}3r-7Z^A_$ON z0e1zK750`sc(Y>Pa$S{tS7~#-bIh^oUu=hvYg5~abuK)6=aX4!{m0pxf<4-&o#r^> zrsUJ$H*h|DQOI z%r>e_j0giacx{0acBo|zucn}KJsoO=Raq33EyXNbT$AOA_=FRo(Lc$NK_*Sk2$Z*z zF~Ul+3UDD=gKRp|3*Pt`m>I(OO_!}Xsm;#EKl(h=%gLv;&AS>p-%ED6ffF=p6!9FB z7_s0AgW zPdXyQ{pIhxeSeYBw|1Xm(ln^AJ%vzKm9E6zV5K~G6wM@|jwRK1#m4Jvr1z1G{_xYc zO*_qQLwUH%E_~qRKYH6|yRppz6^j&);?%~G)a~kV)JO+7r3TD6U>2Au(+Rp$hXVaw zfr}s$LtW?S(*tZdJOQpmYIqE?v}Aiv3k`6l4b}dshvxSt2MM;V2<%Ta9>YWm`=VaF zJ_fUp$M}i6w|9?}W{?)EN=i~zFczRCR-sp#h%I8uhNfBoDN$G{DZFA5K=)k!tC>Y- zhTc_`M-^oLgtGvy!hGP*ql3EeOdi4?XsitC-Ll&=+Dnn4uSRTZaD^aWNPHc%(T`Yf z@1sXFnYe&<^vX*cM3U}tibFr!mNM5l$=(7}vM3txkOSe*V)=|*ukWk-WO{pJs=Gq8 zi$AVh9`N0*MyV#tRlz6X9fx*;Vy|buaKvGYylCa1v4YX!N>=}h{xcX524U@-kTjm5jjX8ZnsWn0K)DAYHhRiA4Y6oGA1hocy!9m z>2KTG`0(`77~4nqTdm}w{8gMha%H&Acv76A_G#MYb__etVqc^#7PIkI`G}zTPubFX zir%o=bt`cIMOqAu{M3<7rk-dsm(Kk*r(-2X_7ovRgCHAO5!qCt0z~+A$rAic)iS>d zr#8XHPw)|niu{e&han4o%@EAi+x&L)vmVE#`$Td3J=@h;09%4ntAMRJ9bON#-dU2k zP4T1i=(G{NUs!?=*Llt<>0TRNI*A*z#bgFGP~T9Uh&n$+J{^={v-%l3DLi8y^Tn$1 z0t+}L%${1%tvItjNer8q-g9zzS`DKX6WWv`GTxKH_QFD+YhV2H`|yrc#Oab;m)#EZ zZ43>^Y+HnveHaT*!hs8gtd_#CV;M9$msu^0qPQlQhH=iyjljSaXs%1iV_5aPzP(>( z<{F>KoAhV$SQ=jb@f`MQJxU-kJ%=*hMCPf1I?P)!)yOHX`jb;nmGaw0-MP}KW32%l zKoduhT8Lj+tYB>AZe#KX1f1obNibJ@&RF?UhrqZ8&TSr{7cjEl1xaCC{d3IPJ)Y=~ zVQUgCOFg}Eu8XCdZahU<_TC)zdMDXSjxl42aI=t7c1w+~>Ao%sgAN{!44HS$(g|@A zjuV%Z;kdDB5#hl!45j6iC6G5`h;XZb_D_HFRsr5%%=?)85-_JnfB_HIoZ5yi zYq`XgIR_Pv@Rm4(rK|4foZ+zVxhNZ&zsfDP*WWl!27)sn@C%O%D$Er}^NW-Uxq+0-R(R+R`U^uhZ+yAi zAOWoF-T5d4!@W|40ls6Bc2x5d;0v%> zzbp{8VsT74-Hd_{ayvar%?Z zqnx#0iosyJmD!AHv`PWo$yo=8&*!ASU8n_TF@2^So!yqc;}o-FaJXC*btG1lUJo32 z*0K2N=dSa4dPYLiW&?Tt`@`X?wRV8~u`8PC25rF1(CkpmR29766YlR2w;{w(ECQhb z6YLW}a+w8DHTctK!3k3cKm&ewoSNmJSkfDG`cbvbpYQ&Q^CqU!SdfbfA^dpmIGP9J}+ia@H$|)tVK9!1e%{v*>zV zB5BE9+(Vmjd+PjE$gy7S-&~60A&fK#<%;Y`{7N1ZMl62a1#zW!yeXd-28LAyX$2VW zE@_udbUW2_b9B-AHZ6`uo-MurS&i?Q?j<03Cm^HVOl;%*SGu9$NEP$dx 
znM-Fe=!mXvJ2*{?6IG0K&a2gz)~HSq*DOtcy6*{}ktY5>5lE0^%_)j3FSRU#qWkP2 zJhSUM&D(wRzRt_w%(UZheysxz>N%j}Dmr^)x@2t}h{9+X@Sp}$~sIez9zoI7^M zotz)98Gz97DhwHt0LkTkfS7K;vDGMQ4Ss)$l( zG=h4o;?sw!P<(KdIA<&zeo=*L{$&-lNr zZOkfeJ{xG)9X>2|56*@y#L1TjhT*5$sP8uiU$zD(=CTOIS4r;p-Kt6*!7=Gxtp-OfeBM`1UGRpb#K33k9wOqx5-<8d;Ox zv)^Oqa7HfoG2ou zM*`z-9&sy=H_L^{fi{sXS*!qd-Uet^x1rQC^Kh`tz>sF`g=q9LI6$UsvMV2{QTQMV zVU{gIn2`=l|-YE1}ytRqh_uVyX!FzFh%nWs~JL6xQc&Sc(*g&b* zhY5Is28hi~ZnkT_-a1@tm~uQ;@MG3i&mqK-2KOz`hQ-2=`Kc59W`P}{ZJ-~w7sfkp z^qZ%&tMHOEjFKOdoh15M4fkcaRPyCGZz{8fgcLRCFwHFC2k4w8%UGnfzOj2E2w*{^ z#%_NFH6H)(B1CX6c%`0>T)7IPV(zyD_2Mc5$l%a59s#}iYO9@^@i=Nihu=|^ z(3K{zZlW#q13+{9qaRR$8YBHjk=L3mfqD1P=N&=2(V!AgvylZW;8gy5Gjb~x^ef3zKLm6a$gM>95Z&^*S zKXYR=;Ks~(nmLGe1lia9(mj6ee;hrTLGO~u*XGG`Ox`Xbu={5D5g?Q;>N3aXU&-Tr zd8buP!e2R0-7WXnXtg(QLWnl>C~(|AxFaIiOCax*;K#z=ejl{@TNNVN+k-pla~z2Y zXZh~<#oE8}J?K4m?VQZn`{5kl(cI{-pxxx3Mm$vOn{Q5RgQj`D@Vz|c(MI*{8IOQ} zX%a3GN$yCipW9C z@UpdfMsbmZ_B+Daw`BV4jb{cYkJ8=Mfw^Y!>Iuiq+G6H{<#&-G?$L<~ZFg$t zB=}ixTDAP0JWpzu;#EZvlO2&)o<4h*=Poa|{MQrl?2NB{UBvPv9ZhrD_>y36?z5a8N}h4$+x7HW2I){t9&EN!6EZi z?_0a$mJY$D%FUO~XXJ&yq)ie>tVVm8H|8*txQ3?qdPU=%uLJAq-Uswg9A9d#`sn-Y z3jtbfg-?=nflX6IZ6ehfT?(D3JDNwSydU%r2&|QM*QGmalbav9Y+iiZO*KrYKE2jV zY%`3*Cy!N_>VyV{14>e5Mau@`9Ti0<=@c6c%}vC@{rAMJUDs(_F4L0RKua^)!Ea@8seS25olHZRXG{Nmrl*5B>YL`F zn=;mxPW+`-9-M6)o z_yzg3%qh{IuHBB{*b%nyCDa@t_)u_p!S_mc#-}$wycV$S4=MCufeJtH$j8c?!$q*e zw7LQI6zWuRgVU6lO5ZPA?J}2CZTlt-VzS2m=g5xl2(fhC>Oe0+V2wXdn#L`xo$hwP zq0w0!O?cE_!uOQxx_d{j;$jS4=$oPJ)6W+>4jKin>>V7!wI-B|btouo{$j6%J$p|t zh}AK==YFLwvvj+@>l@jQIyLtn#x~a}{i04$)1tk7QDF=t#wC8Lj?^YP^(B^U#9@}o zL&HxveAEFl|GPUlxDRQp?=2f>6TsTI@eb~?^#e}7!XXpF=<}J`2{O1NSdcXayO%sHuLNEQmGI6QHoKF~3L(t3AS(vZieiX)gCdA$p z`Ql1$Z!Fd#!72T3*@XDE?Nj={f#+Io-@8ZP2~DgZX{wV@5-7oz=!;wsBe)(O5Pg5< zHBsNXuV}!7h(4H5V#cjNNnZvSE(0jUDPx0}>8ntz&VLv9!Z}Asmvy{%L9j<~`bsbz z990~;R?Q@hl#v31R&UE~_uKcta#;^@qlM}^^v?B}|!fxU0)-ATVQ zL~H+5T0Pj*xpkGWBQb)d{V52qB`vW)jHsS80S=Q0MQg6HrhqxWLU|@Zog5PH+5r0R 
z1?Avm7gX&kz7(NG!4T}OAiP~y;Mg7QYsG?-(J?q{?TNeuA)-qF3LXEr@3brS>44bR zUZ1G#&{ngLF4w7E_t%(klv!bEfCsq?(C`n~gH)(Xib0CNyHu#(Fo_2@0p`!E2`_Sf z5Kww&IyZk%XR4?lqR?X8PA%+_}@KG&VD43 zok5;+*^z@v5>SuDDUvzRg1ih8Wcz+V?~@PXwb(7)`F$s%54u-9`QAfE^Lf#)=F$B2 zD|8kfwn;3{!0Ata;a7~qc4u2mC_~gY6>!b?jc>?J$?4x%*R_@g)ojaUweCQ|Kkxjt zFh35%Tx@9{WP_-V;`>d&bM2&+Imz9TAB@U|j38Po&?i{u`q@Fqr+oaNFlgI#t(2X& zU>g5P{@~=v@uK`iZr&WP!L8g-YfZ(fdJ6CJjmO9jwSDf(IRM(gdkwD9I z^<6XS|6}SKKQv!nw)mhY6?fKs7UdRgk}1_bUr;1jFX1ohGS3x!;#_p!J~SChu97xisz%u^Ge- z`;E4{zl$%tInPy^^ObfbPSs^w5QEZ*9D56>9#+Nrljo+*PuHKry)sl(qLY@k7B10(L&1pzqom*w@>lJ~3)5w(wG?r7ETvDi0 zJd~l1-by8HbfzQ6e;trJLhvvbFBc|k875wV_#ag)ZM4)v5gZistQtx%B2^T0UTjxHgsASiRV`yHBB!-+8+2eF!Tu*dLw{R*;>(v3RE&*4uWE2 z7hVmhnfE@Xd3UFw;oZ%|&-BPnNJ*d?jwcE!T41_7JiGS1#_m5TQT4xSef_!o;Bqx? zh4<7m@fY9FZ@*Vv)U@dWP&RD@@bA91Qt7?$|)*S6SW^{3iKFG}2=?QlybAxkTQ45Mdi8P0t-Viv14AXB> zx046lUk9*H*{>hTf>Go(glmH_P=;yl2fSQ`nWGAlb$>8*d?=XqcrZ(t5++Jjp*K^E z@JaZ`Uxa+}OwuM?xBiNb zt2o|gzwF%B*IFUq(5H${iEN|HLB9bXJGcXBhJY~%)nns8JhJchiF&U zMx>|v3Z1ZiKLYZsd7oqUXa*SfxHtZ=Dx9Ak9A5iCmgeWRkIPqpC+G@)_abEC4Huq{ zS-V&JOKZC7W#acTuy`i{SKCq(ok%3Nv?9}`2u+UUpQ8zyXOu9~l{?u3BC$`aomACH zukt5`npz`!#x2WBRbwrhZ%=zdH~n{iao6#rb4{*bt*b;zai+B zWHRZ1tU6XiP3h4hk$HSPJF9_V`7xN0Wg5M*i$39Ox+v|Jm-1S#P~nH4_@21-(QeR~ zz;alLqwb01FZ+B(AGuWNJ>$fTQUea84Mxc7W7A!HxzTcJR?@y_zj3ELK=XR6>OMqoB!`;%I6#sdU|$)$$DMjq5i$QYa5$Eo555m z8IgHM9In!PAPa52ut*FIUz~hZ5P=u{<&$5Fp{4`y=qc&a{2&*;I(dIsJ)>^uROZOq z*G3Gk_Sl*9OFg}!Bm?XK@!>?JRPGX@*IJ||{hJFZMmd5?>8$8nNV}aWl(|{BEaFN? z+PXWtHhMl}BZlPCD?CP%h1`xaZR1(JDg;orz~bZNO)^JT)i{-&q*8c-*BpD<-eqJS zrFEvH*ujPV@L4*6sx!@$RcidAuS8W03)%Bw?{DnU?gFD3+_Z=_bm27n88e9^`X`~c z$2rpveI8dEi72V){41uytFXa;wbdM%kO4}_12%)Vn~UBnR{E(u^fPihY4!GrjZo!? 
zvKk}LJpD*=C~Z0;GXfy2QhJGK9@-;PQ;k7^`68;awLR*8-6X<#7?mSib0;((1cx&F zlKxS%Bo*0E8}efG-sK$1sgjg z_OogOs&CdBcFAhtVt<%BWGSo5D2A#6ONV)lRk>tZX(S>aj)b(V2RxhABk$~gm6Y0h za_A`))f2rCh(mft+9&|ZHn6?Ww?$zkU^Yow!fGy>^D^8v{IZcu-YLxWLcXqMk~+{)LqRku(HSZ9i|>vOYHIMM-%q`Sg-}yHc@V?ddNS!LeKTtT z%U0m8pB{`|(z}0X+@inFQG;1b-*n=@ncl~L%Mj>Y-)m6lh-{Inqx^g06r#o?Ww-ytGa!yG{nt{y|GQ+nBl8q{ky? zj@_+5S46u}XTE6s1HF*{KibGF#RyXDFGs zxm}cWYv>aW$z%B9SG}T}jb%9-VJw~zC(j_F;7QIJa-M_eQR&H}@ z#446~JUSM@qQ1cV61at!C7W7s4Nx>YHC}Yzc4()tre#Vid3Q~KeX6i6&^B4f;tjoQ zFhe9SqQX{qOA~ynr2X6Iqnl^G2uD`78yKfMRK26-t282#v2zs47c=PAv>HE3I+bHP|}P-?0b@16Z6<3c0Eizwpo+Y+KK~WK9 zT7d&JLvf0)vxcuBCgJJV*QjC}=OqmB94IsE#xj@B%uJ6FM~LaCLYt%AmoJG)ZUj-%{EJV6}Lix=86N(XP^InGvi% zjj-t0I-qp|TfE}imE_3zThCcqa&x2{i5A#t)8o#lDxF-uSx;n6&LNL$vM$);p<9K6 zcQ%>xEy|hTF3j?GJNEn{++4NG5}?F2nqd)MGvo3F8vn<|9|3Nnt3xxzP^j705p9U6 z|F)t((JO)rY~*~ddxBgVD@!{qqd22v+)!}ypEkH)S$s@x^;1?_LoeRJQ#p87cc@Dy zZ<|qlIJ#O=3v9U;k=@w0EI^v0|5|jj<31V5DzjNjb6d12N)yFd7JB!m-&pE0-YNRj zKJt<5EF(!d2=n8Xd*_t0NI=hr(9>K`KUcrDjG<)Z&4LSVQZ4|2GXYPy!}En3qw~jn zDM>Z1#7wb8W^_#_Mk9cy?;&4$l# zpn7$_Bn^I!$fECL%22Ipp zAip-bNs_$$cN|#5RPcWe3qXzSol_E|^}&w;b|Qf1mp@lP12Dyk+&=RFTolMm{Tbe| z6m#XFbg21(72?h;wk)^p86rOJ`{j{Tbpv5Kx13BH1LkWf%I+p*=lKL}8!pgGw^>d*&i&JF zh;!#gs<&_O7fz34x71hShB!G*rQ03#$LjC z;y^&E7;9EazsS=zBoG6fh=C2Y z`|p=&Im?g0`Z&eb0)){;afTgJF(5BH8YT*{?t%P=K?^tVZqB%b# z8e}{gp{B+%Ecl;4O1bj~m;%+Z-C$bawd8pxc|{7tW_$=qA8+|4a3%7P(h8yNa)xhP zwq*bNkI@E_9Jw0$6=%xypip*3q1HE04GWJ!$?%4)EfSJ|eux}NTo?A8YQI}SN)(X9 zCDxJAdU?l;KhMomOZV&{=bbc%Nle0$Q9ixi9X%H2AOSZDm>J{`-XE5ZZPzS9v8J)M zr>(T_q+l*3Jh53l_rG-#{AsLVJ2m}yLux?;<~f{TASs+~B!b8!B!!54 zR5kthYfV#2;>Vju37?TrX9Lg*RTEn6!wB^iM8Aa986AGxoG);Z!yGU`z+6e6J9pu~ z;bZ;n+!6PVas4TA)dxI8M3X*e4PV*1MK8BntPB?t-^afyS2tLlj7Qid%<<`bKZiVb zLn;U#2azdLdSiBT%2_c~I4vTM>D`0`norw>jRz8uccWT{w1FD011#=y)5XGs6P`w1 z&O|wDPf2+Ju|68P8Lgk0asjlJT$D-%_E*K;36qjfmjbt7IIi@1jJb|v8?{tC(7*ky zO!C95X0|gm#5|qt6d;o1C`|cOsnhdt$d2&!&EfX=6H&a9(Obkre4PL7ei^V3MHBic 
zib9Q{jHpmhosq-IPGMOQmQ=eC+{MWa{^qjCypVMDcjSR+Pz!NK%+3T3rw~HEN{M*5 zw24{hcjSPpLdi{U?bj@}zY0DYvLp`L4uF~%fK{|8{cfm?!iaB4fmvL2u?U$$9j;h0 zp(QQ8omD81)xR|?0s?%jq4UogN{IjjH5$BkY3X z+zKGC$xa<+EIvsDFG|O@ystyt%r1-_Z7!T@I4l!fzuKW2H--Tf1zSNnZ3p1I!vP4p zJ98Dz@|W~&*HH(D=~czCjtq{-T*eh|SLAY6lC{BD_CH!P*pBf4ZLZ6xunT-Lo?d2I z&tYGWd$lc}IGGISQP&Q7*b7$Gk0O3e<`J0l*w=LbK7oKAw$g}vvQPupe{045>m9tP z<52xfRNoO=wPX;bzjr=*;=+EnG+q1_`dJ&57Drh5I#_F(ca01UkPIS*G zIkO`m;5L_Pmbrs{-foHxXk%ZN7MR#MDw1bfUwcku4NXAO*=;Rt%Z@=|rVpCBUKQ4R zv{4}r6Eg$LW@Q~5BA%xSn~%!R0+NP%faXiX&S6^K0?#cb8)VU#50-f{u2|z8QR@%e zZ-`nl*g|IX>=W&ds@RhD7x93?cWp1?>+2Cyp9B^Nde(|4s4l~kOy-+sI{VDXrWMYPJaHnpT&_`YuCQZT*AkCIZYLo7 zr`rV~0&!8bqfO?hVB`4_Wech?KJQq+Vzm%SkG#KGN=A;^K8wGtyt|bw%*qu`vceet z%-V3Mt-*niBuzYLyXUmf?$2i1I1N|k_P;LL`chEhlx94q$4q-zymwB0d&p53)SF+_ z%!%Fi%?DVJk!5UZ6hqqTDeQ^-GH@HVBkK=LX3YMk*kSUZEiA+w{;h&kQs;aYiMh}> z`ZY)wv;ZD8LAW=AH*8LA7`-^EYBCj*;kq&p^Zw9 zH{(ptCwe6ln2C8K22`!URCIB;sBAa^$J8D2;=d_~Q%;%lOU|qHO3w5Rg2b!(W-Y_F zSVR;KPV62YXW)_N2ziRnYZZ%% z@2@BEbzbs>@A##5LYWS!O7m0fSeK^%7MG!p3iR$1|K1z*RY$pLgx?CCitm4yP!L36 zE_mGOHH7N8RHhNA@hen|rkeMc>^P_g&ax=|$!+U)mXxb>OUb`X$DHQh-0EzHF7iR|&iPjVsmZ6BO8i zEpM?42%pM%S&Choz6SOz*K(;`(caUS=y}(6OZurvA7~bt*96xxGf9C-@`Fdc9%^P%{n)% z?vwMt!)a4ebr@t(L5vftn8sxL`A3wakZ??|aV7ZhW&``%0*9;(5I)mO_kicpt|D!U z9F*R}MJ_|p@riSuHuxPG68h-R7WYSMnZz&s;78B)8|HIbhF_3Q?pS8IK;;&{V~h;g z4xFoK;RtRD;A!XaCdx-T^xR7S5921>Z7W;lYgTMgY-~dMxbqI#Zv$Hps4knCgiDOJ zCtDN7f3M^%R9Ys*Ug|Bmw`Or_DW;7XSMM&I`dFo6?*Vh8b-@#oYvnrw#*8F>{By=M z@pZ7*+$I(KllVl4fd!Xwr{@-_<4RgZz#*tmg*HG8uTC7m8CZPG@15s?#+kR7ALH;q zSsR66ecg4BTq#?^VNUmVoQD17Hp*L}YeHyh-vB4s5@5mU;_&?29QxgPLvi#3vrl2k z80=R4iHBS!A;r1!mh-tUe2AD^-03Oa;8}a_<{Ircb%{6Ya+r5gQ^uAK*_R2-jeJd6 zoAS3sT1@i2?PZcapLY;WNBaW-`kx;|3mW0zIlKbLlvMLMaYB9QA8KQ>H*|MHziT9 zYsdZbw0RYWgKhY%GZ%4TNXKfW!3yRe8 zU10U09Kvy2`fQY{!S9mE@$%*=)zqUpNp)~kxhbxjOzJ_O+QK~AWZa8MbF_(<^R`QO z-0X)6TCf0$uOaE;tA0eg8Ns5f+{O^^8-1ETe+y^7*a_wxd~e3bCYk-4_*H= zNWh^0q^Hg*eT7C(zk|X`Y&4U0G!jg8EV*alV=U2I7VF7wK+VQi8(yx8aMbVlIkB=6 
zS_KM>?*4{pkQ0YT%{@8Qgx-tza4TsiV665(@(S8c0=@thho$%2_>JD^crDtt9FkcY zOzeA_YpU9lb=cWWR3*>WHh(WyI-bQO?Pp)!ArCO9JCCB3&VcDse?nZ1GJE-r#ZPmT z;uT>F?=k=PgwnG{8BW0U6>NN~t8CxW<&p7?6ZgrXp$5H>1jX=i4DDp)rDJCK(;6oh ziI`6QIa-z(fD55wPx?ocB);}#FFJN#Q5Jl^%k@vUxr^!Y3+vL>hTEht=VU_KNR8I# z?oO&(&!w060f70mjCsN{56jBF)hMO({HQ}M*VeoNsU$3a$^Gk?@YEDb?}t9&=qeMv zh?@e+=xIdQe?;)L{TRmH9Jh#x(xal87luk}U?Iv2dg* zn6)dA9+ET>1H5B6v;kv&JL$S#+kz0dW_4NQGdmya4t&B@7`A1gZmnr5wnPtUaOhZb zn+oYM)tc!iez?Y_ChutH%-?NljWL1Q!jham^LMjMWdwWmY04ds%+V-yh<%>=4j*pS z8u#Q$^;Q4nQQ^OClbnXq0d{>c%rPuLnEeiB!|2UOQy#8zZO!Bqg2*AC5qtwD>4j3v z*nRr}GIX1Nt9PXLREsIWQT$lFh7(Wutexh~a4B2a_*^F;{gd3kT62L_JYlGA@9FQZXAh_Fk#YbPInlhd~!w}z+! zlExhsVs4r^@$Hmy+pFe0Rt?gcBx&-I!@i6k*SLKb$bZO*I0T5Kw*1?>6!WGY1O@M%UqViYJ9 zKC0BP2s`C4AD?`%7 zazMNou265Li^?Dl@+YI!a*>P5A!%>~OGeDeubK3=6$OR@`MRlE1XRo|bjn*ejX?4@ zbjrV60p1AI@mNXbB|uMt&(maj!A|b(&RylwVp9%N)h26xKld|Ok${A$kPj3UT#A3! zcDD*!4<};@(JR)qo6dg3-6&?>Vo?YDsFVX1SywuTzY}^3Ez_Ihi=*0B5SM>Uy9(Kk zl~9nNaaVAoxiUxL{1J>K6HVx6Zrw8W{7R&V*Ygqb9IyENKSG|@4eYHSssTl~sib{g z$pmH*mg6+XWv}rtozT;4;Gus8PW0t#(^MZT?VDHHW4b?eO}#r;?yoUB=P#4!rmE;I zj$R}pR#r(*os__M9yX|dQ)U-9Q367$ngqBFvk%a;6&s7+&Q$AITo1w&wHr?}XW4;0 zlLX}_pC8l%wrgWU-y~LdF=8y=eQG6Xo760k;9SxbRL)nijL*pa#i-lU>s4UF#Te$j z^QU(jUdhnV$DACK$*1wuJrv_ zq<^KviY`rXq>YL@*Z>h&%A0~aX*XZ$*vWS-2Num0i3ogKlebrqGmhe^jF$&ug_MYf zjkg46nyQLdscpr>o6d-V727_)nf1k)>~2`ikVHDg?l0$g^MGQJnK=uL=osOwVDm=m^BV}7rWjkHplOk^GXzS={0y9vrk7aJasZr{fMjy@SPdCk+F zuLC$#tMfyE6LH6umUPUTWFXH^8toA$%p#mBKgFDV(O!J~yVnwe@^YKzElB|>#f)4= zb3A7B;fRpXZrpP4Qz8aZqh?5P+mX@lO_(QEm;kn?07%{G!-Epss<3CaGn=tBr)g;ybZ4=&Ea^$nYV2d8GUKro z&KYl7z#2B9nbphTQ97DyHEG>mTsCpe&XTciDq=WA?gbsW402VV zBe!y7<%Jv1@gfnNxUzD>Egg6yDkhPiv~l>yTRjw^(}VMLGED7>h#x<@w8f+gU?9s1 zgeV{;E^+IF0b;BOOFdJ*bRiKFzfvYjNWvT6{!o|8tbz^p)GJ*uVK!w7{B!(tIsLwO z_hkGudnbuxXpTcOdIe)0Z&P|Qexhq4#lsqnv3{~~#@EG{6jDg4tK3j34`2K{f%PVm zu*_5-vH==nzpaTVcmGVQ#&AxNlD9!OR^d2~(4;5?C6N}GxV|w-bSdFW}zb5jRhiC6% z9hy(0bAr^rt#0lymrWcUpf|WdU8xVZ)r#Log>Wrxq$DtzV 
z%m^2GON^*w&yD_(+i*y;27#dB4KbvtX+g9Q7FqsYz5H6HuHezM@p_tEQTHfRc$$~U zjy1l%{8mWBmci;85^k7}uQ-9S9R&f?+>bmNhs-Z_T#B!Jlz>le8j;Jb9@#lzqN0eY zD{Xei!*mcV@=I;l+E_bQKtl*feJ6xlQ59B!Y8SkDc{!~aV|Gi`Gn@wi7sG$i?L_=d z>+*^eE_M>Gp7RQ4d;5AI6Cv?H<1BeNU^yeobh{pYdG$wFpa+ zNbd@Bp6q@)A<=(TKY>n_9j0Vi1GgRB+E9LKYczJ(EE^K63{cBr>Y3rZ#gH zWZJi4h4c=u?bw}uG&+axcS2-Pv zY5UQ)i8yxyNahgyCm@H&xvjpL^a^T)$ipI)>1R7UgPqf$y#C#ugQL-SuL$pF)iAc! z$f}oe)-|SfvDc&hhKPzjILh;APQMee6(XnH68#x_EeIO&BoYz*GI^&W&PpJHr%4b7 zuvKv|rHAi?bM9pIdd=iCZ1_hKN{$Pn+=X?xQIxRBcaf#4p@RKre}ZOHv%KiBti>%YK?b9GTh>peX$rcb z=;=G>p89RoI!aV+dXG_pNizeK;GU`~kZ@>kn&Rwi!qqrX{L%s>l42u~?IOmqlIS>& zeI9Ejch*2o@q{&J=HdbX(O>?144qE<=q6NxYY?&PIubOE3kbT@r@!-7L>hUT*!;{iIqpK1O#S&KN3*hC zl}GO4W5Ag(UNI0Otd&l7bgrD^obIBDpWhTO;DTuj|KJqpvF{y<{cZuZa8#Mo*Dp*t zBD&a|ibR}x9IVahY$qdZr!#@FNV^wE(MI*&-D4{*sBD+|8$JFN_?))lCQY!b1>sYaVhzuy>|bR) zDb?+~-q6ceWgSuW9VP=62{$g6D^u2r8=y6RI3C$sIf6LxI@Qh-(Cr^fuLH2eE+k>{ zM{Au0KW5uE8She%oITu?VC3pBxa@2#7;lD|Z_us&AUfNm{FD38+p5ZLL5S|w*bN{2 zB8iQ~v341fM;#1qhK{tMIh=@5>xYaKKxVS>HKJ@XM!UTc?c`$`6P<;TbNTy6!3-c^ zjF$@xZK1wp!*8rb1-|jo8GCZi?68n}M)h8fnA__Yar_6UY zXIB#Hp#{~tlZdysire&J1-MJXl$ke19`^~8QG;sMqz6$;pO=vw%7lT$9(K*fIOus; zNLB5~bZ8s_N`5DCqLX)fv_uxuAtHkN{TdHbKhubIJ=&w5WcE=?rlw~pY&oV{0BwAm=F})wJcSd;ru%+ z93!1iiM)P0<+r6_Jx?W%E_$Q$Di9W;OJ>@#L6Ddc5XcK*Q^bfESTN|KGYfpC7~1*B zon4*X#d#mQ)9pa?mF2F-Sx#2fm(zViX1EkWZ6_6iBQ)-t?LGC8FuGo^rP@==_ zQ97(**t>X)UpwH2oWn=)X%`&n&eMOgpxDz5t!FU;neHv zSowca)-{9r(AM_6nWKcZK0RhIRt&5Qod`E%yQgy@OFBpwk-At-Ib8t`OQgNLP6g1X zT{FLE2#R1a$Z3&h9K_^lO236);jET|QfUng(|cq-pY;bky~4mt;bkZ_cWnDKo~N#> zp#QqZw6tr4rjeK=nwCVD*$xD~*m&{TEy@u~p|$S}T-{m833>hl;yPba_w_AIDz2bNvz` zV=DlUjZ_@1{g{-|kpw@_oTwygd#JClu?(yv#*VMg{Pf1^QfdHj=>qlnrxkkaN?LX= zBM?@m1CauI$pPe4~nkYf-x!!y+Y?f<%DgBs%`(&6KUpM4Ca>YMqYj+99c& zLcoR;OnVd0{cy8YH5qMjaYe@Z&aqnMN29Z?vF-Fpz0kY*T6{&;O;NQ7XU_vVj+4%|P^^)BMM_jb+Y@{0Wd-1oT-+vrG<( z5o48p-zjojZFFb+>*3&8+vF-@2qXDKQ(1hb!iZ0JNU02T8xz9qW(rHBTt&;VaS};! 
zx~q^13STNGp5`?NSzZ#-V6f`(F}g)5D8&j9M9_8`YkksEJ&mOI#5!~J?)yW23aex| z%pY`G(&0(OS?$chf7OAkYyn@Gah9Zf>xDnJnplsjOsI0bF%rVXmQ+y=F4oeS8rcHbx0Z-NSdQ)p%w1{H(Xp1 zXl6KcC=yX`amJBMffdki4(p@Z&Pw;+GDbQ8&=^tdrDt9ukr{ubA61FnnP+vhpnITt z;kx3JlZi~@C&L$Vfq)bilk*tZroR0P56|-l=es&jD<7Go9plkbwdFoSv`M@zA>kbO z@j-~-k|}+dzqQ@VhBVCmTDM7cSd%k9(2OBM?2Ku}+y!&BcWuhzFS<#75Y1krVs6@r zyqBWkTGu8i9)=?(6YMsYi6Xzi`=XzY2w=hBj(+v|%e*_1^n*KZCfYYz0WCUr z)s~c3v}_Bfv)Uud(W`G5@T?ZkDLKzP=8@%#ZOaT^HTLFP9t8JgdqYUikl(XgsYzAu z&7s9_b#^&x*2WBIAKgh{*3V)Em5XB-n7*!9q)_-mZWi@o)}T`)Y?em;_*Jva2_Qjv zKk1e9;)7`uq%g`vY4%OvozAra=v~ic?;)M{NP;!zPYE`~y`-`-G3jg{X~B@I5saTL z$jNd7JL1+%V4AU0KD+Z{bxw-K-80cidhm;gCj@R*##1HzXdq`8yF7aTLAgw-$LB`z z9P%zF4*One>H=a~U=3Z{mz0+dezybf->*UExi`R#f8RaZ)dH%^yUGqwaMh;qdGPmG zE1$jm=AeMv>cuXne9JHT9lxS&h(hg6+>fSvjUM*(*Lnl1Jv&NZC)t@@DAG?wtJ%Br z*XW8|jTAS?aN?EqQHYG~aN@r^nJZ`o&L&S_pumrxAKI;nXE+)XJL~SoQzS_PB^MQn z&Xt0r+?@(TAp$;X<7!Hv2^mv{kxdo+|CXP1Ie6H|R$Uh`bJh(fSYJoGCgYa;(jVOQ zI=3EYd&n}2RHQ zA0<{_=i{m87|;eKS)M|=WDbhGkx!RR!(e=RN3QK76I2!)goBlG>9Z$)_%ts|h zZn@cN=eQdD0FbI)&;AC1wFyJ@-w}Yd^5ySw&t`2T{l?jn!C$0q0ZO%&pa`vDfyJpT z66p>Oz@!V*m5D{VjWL3BDK>EMq#gf9YQWI-Gq)vLe^5@#7)Fcaf`K zpje;S43lRLy2IT}ZHe=Z_?QzhS`4FIXz|Y-X&)^>9;%tW0uH=kos`KNa^w-sPQIu9 z*p{+tUA+4u$%N?8`d_Mr+56J^kX?&Dv5eZ~v^(4V@stPJ7uIHc@|nf>~q}2v zIBNqQ)eqpV4Z@QWwxcO~@pZBNN*!bWhIT;cm>@b}?7MSzED1nWf)x(IZNA}R_}E3= zrK(%@J>K;SemVT`IQ_;MPLPw!bxZAuCRK(cHN_eE2HCD?{W%|>*7|$bZtf;zsCmLvWxvAkl>C=8^b(?9Bl+nC(a`R9n~ zahH9_btqh-dTid>d)wRXd(5#WN%+X}2PRp~V5R&&NP8dMNS+MQlMuhYJ~+xgge4zD<0d$= zai7w|1&vYR58l1C&xtR5^h?rSWBDpGLi7psjb_!94JIVGQ_waB=AB!!tf|6!Sp5NB z?G;n!G++Jb@UnTIg&jKWCaQ6%Wk;^|l+~rXrA2q@?-|{my+e?zh!^VNokn>g)l)3d zlO~lv__JL%s|3eP7x~4)3=;<$cLpi~2oFvB>PZU+p;Q%vBXC}c(2}HW=hA(`?Izc- zSP3e^ypKA8S4~i6dHxJ^$h`!YO{E$M!Bm-IoSv{%K8r%(1@TFK!KX#DZ@ARKNqpVy zegn0u$uP1g=!2++H z1>Pa6He8+dbCB3ra<8M(bjfKJ5{TRd`No(f*EUFn#d#EvnZ z{0UpK3P$MW*;*3m8}6*8XVNYo1tbkk6GHSeE_hY#JEGlB+*=YJ^Hk~cb96%#866rb zoB*z`*US^P6jqxyhP%s1ix@64vPpW62iVi29!|gULJZ(cJ6uPkOMS;<#|R$+X;GQN 
zq(KVAi+9I1Fr;&}1Txff$!nw?UKRek8)gz(n8et|gKY4*=_rq0V1{r4u(4YYOrJ;Qgbj@~LD@g>QMMr)8HRSA z_>iCWC*hBP-aUXtg#}}Ng(|XeP%qD`ZL_C9ZNLE=$_iX-p3>qTj6lNWEZh!p2pM7h>PghVQ@x)Fh@qxC$EU;XUAvze zWBPf%=`qn*xTrenZA*ma^!#Dar_{JY-z`JLtg6{+BKI^@^7&8V@WXJGn#J&BdRH$W ztO|+GKc#0Se@z-;>GCcWmeJ+AXiHA6YDThs52@3d zygX}3V*NR_6?0^FJNs^>2T1tttyWJ@>%8(|-{6U8S^>wQrUNI4I1-Zz4pJniv<$R9 z-c@j|%Ud|kk&K`^JgQU@fM+00p0KYDABCrUz!&W8M?N&b(_0LgG@~GBzPH{ZaH#L= zt;VPyJtL+3+a?FiaFW3_SM`=4XTodJPJg}3c{+sF`rYy(mx&}}N$8P@bOs;E&>Uwg zJSJ+iLI$&gfE&4YHE2$#(?90wACeHJm*HqhjBU8pf?h;db~0_z&w$r+^duyWAqiOE z;z91D+X_6A&g7z)RDQ1bU?y(T!Q^Rlvj%yv*QS7uSA`OiROu1{N^4fx{4MSG_BCA( z!G|QU7|LLluQL!`e}b1swk(lsQ&?H8-Ay(&SpA;=ON<{;XvC_XC#6fqTA|>y0)5;# zY*ckD4*qS9xKrtD;5FA%Bw0fjDvab5Mb6BZWg@H$GDD&{Z;j<;_VEWSpC9TYIJCk9 zrT^SVY~?7n;hQr*T@P6VDgGuwx=Y=jvd=kwwyxRX;o_hVZeOc6%7z^2nqRC#*!@NS z=A_X#2{Hqw&y-aK{EE~LLR_IZ_%vmR%9a8pHD{84Ue(oz4pcaz^$GLF&3H&Rn4U0{ zXQK=aqpwpQE@p1k5xrrJe)-FNVfS=m78{-~U5g01O~dQ0 zq?vyc@7aG@E>3-*t8oX*WoWmQJl83i&p1{OA}D(hPa6p&mlz(?Lmx*s3x$B&NMbW_ zE0_6mkIZCYbQ6?>W9ICsDrhV^`}Ou%OFPx4@hno3w~JDOB^~2e?v0O+0+hy;c;+J- zv=XQ*{-J`nXOTZyQa{wRGP15Rr~qeLs9Dv8D3o4){^DxT<145r^r(wEo^O@S#XaB< zAXbGap9D#%sE>0^NS1~wY(eQr)bF~w<1*2F_PzHhNu$>~Ic;g`bGO|sJbceame{i> z!*;|N9tOh4!H=jJvH7+8Warhm#xfE^wRay% zosaXdObyajEZOHam7@fj3{Ygt>oLuo1pZKEvE-*P`L-SBCY54m{Q~mPJnKE{`N>t^ zXuFLiRthhg1~K;e{)%%*`i)3iz& zbhN3NeE%aufXIUL!Mx$$+>(%#T`HBPnDMBUqw3O-&w_fbE2U(?cMXIiygQh&_Cz$+ z5k|<{zxHgiH_6)39Q}ZnY@j`=8T}@8tnH1~#6m5OdvqetHMe4zjDlV1D$v;Sq%omcDw@MEl z(8?CEnp9n-P)J{jQ1JYHvR&t`Q>oDn<6*J>Fkt>WTmC+{ws?mRw6Ek}gBwMH6hScY zp9jIqlz5_J`~0vJHIRQqD9Q~8^l-zm{Ga&czhmnEi-gDUw9ACa0z9p5Eo!TkJw5rr zeSvLq?Fv?ji~R}ZgfG;emX1R4NW9jTo+8%yL-aI$Y&6a)ToR&5Rm%953jwQMdp)3ZEx2P zVeP}Mob>;g`pT%dnx@;}?iSqLf(3#Gch|uoFt`Q@fj|iE?(XjH?(QDk-5u^E&-;=4 zW7at{>&!YW)w`;8Rdq)g#oJYKT|8CpT*@FWIq3=o7XMWGsjH1ebY1YtED6-t4>a^% z|Ldzh*@!-qu`#HxNWCF36}3&C7-lX;SE<(O@@;~p_X9|2Hco}bthOwXE3Rv~P z=4;s;J;VMGSxfwEHER%ujIJxTW8e5v8oGQ@sWuVE^HLTUeTxkElrAB@z%YN8`xln$iU!%)uy%{_vDj(YsSm$Q|*Tr+h 
zawGO|!`K-e#_wwCU5dLVBCSp?vL395rmiUFp0>pgR@z%>PqwHT=G2d0(=yL!$-)#kt z9fy_DG7#^Fi#9JEH?WXU`GOP8%JUf*j(WrJ|4DL?MWp2YK43(J-AVohpy+KZrGf3e zEYtZ*ftf~9o7z|jnwDNj`NKmLNaCny);<4|xN#ZYkh3!;Dqc&z`Qfc#wD%+3FAXY~ z7pUsNi9$`*@9Ln8({0`Q)FbguLqIk{^*gtj8+3;r%FL(C%pY-=@zPXeWnBts{**d~Yit3AuyNnR2!BJi;S6 z@1uM)4EE(Ch&*Qq4~|oF)R_f4@2aL)XYYp%iHcMymH~V=Fb?`gK@chUHhrMf0oLC= z;lY1so&mIoikd^i_14NRr#7ulLMOnCPgx@3?YA|+uCudx6gB98`wkDAn@XB?=t|kJ z;BOb@9*NOf1DdC?l+j71>_KhlE&0E;EF#Q(%?I*hEzoq1_VTOsn}~rvpOc~Fw&!(6 z;Y`-$w*Tt}AUPqZaK+~1h|?T%$ilL9*q zxN;q{5=;fXLvfDv>+s`!#x)9^_!xhGt7t^RN#QZ! zZn4t82=Of5oDk2JAROQA;fR9E4atmkwm)( z%ThM~9dc=l3jbz=BnLnXx!`yy%o54*V2C3Q&YtMla9dtDUY1>Cm~;3O5}FBAeBg)$B>fewL!T$FRfM29pprLYp*xA||vH1OwkQYBDZe5O}$ zK;@vvc&}8{#O*Zu9jdR|@)X7xo6lJafp8S0U}xQc<~dnE?)49h-D61~FNoy6xnOtF zXG+TCEnhXo)thHn0U*%G{-V&7bFFmyo;cLf)3 z9hyDi3!{y_u3geli7HOkmp4M*vxx1YG~vHJ(P;3M(K-N9b9t67alGf7(YjQ~FkF$7 zp|_S6W={0_bkusZEedYsZ_kkFPn8YjIWnf+*6jNFUHcs&G=uxKBoSeCV(%>L-=g_RCD%bY&R$Ql zMFKPhjrbuyW<9Dy& z3ja$G`w-%D$pl;nA;676C`EF~%D5lWpdb;$b$;e%sbW*Q{d)TL!E3*fSowgw;hZ)7 zCFaBogwLs=-*$A-s2AhVPT*^==5jHYu1`xsv)7o41>JshD1rZ#%#YA~_;8+9|Mk>u zsaT|NsL&p|gNy?2h@h2irIR@oX(ILkc6o?{Q-#NXbsM;I9j+mh$Dri-PCJwP@xL*% zX5DI;v&Ln9E2p)%yCE$1gHLcf4|(hj3<&Qe_%x>(iX<>qmC=2TKbyw8P|zck!O}6G zjR1^6lNjd%@$-L^s2vOa?mG^|PtYVbF^E5n&7P<~OPz-unO(>?>N$$ET(GhFudik? 
z9&WrpQ(ePv9Igiz^{fjlrJwnCr92D&wMr*ijjq*QxP`ZxtOw$@Pn6Yr&z)~Xh}LZ` zdC7ahM908sVj1WQ(`ovvAwRSH!~m+@L7o_}ikYDr?-Y#^A=CV02hl8kW;(N^n;x%M zqw#D6+{n*FN#PXvj-98>9LzN2L|lSu`iNtFXTM4nD#ukW2nF;`WJoW?aCxoZwj!FX z1xqYv{O&|L$n}8??}MrpC3x2}duM0@a02UyQgb`*dO8lv?3QTqlg>)&`tZFx8y$=M z9$d~f8i`n;3fpf4RjB3HpvA)&o_91s>sW?`Jr(5ymB}4da`Y7w8KqT8+IG?%di|y7 z5);T?kE$E{D#-=>1WGeZdceKJy%lSXgQN(KdXGNWOEKC^HVmHc>Px_|8Bh6U_cu@= zRb4UlGJsq-C&|$8oRSr!+xIJAr;4^2)!lMo5hksUf!#0q)by=$(mIF88vqJIcl&r5x{f`Jn$B70$ zkHLK4vf_>o?K^&SZ;vaaJx@P!c>j%7(hL)w8Lou}=~p9cget6D(%a}~)SYoGPPfH> ztO4;^TFD?j%f`Us)}625wl9}1KHQ16ST!ffx=bZPbw2Q?6?_7o-cfM0E73syp;TGp zCgJ$J`u*74s?2mK^iieLr&HOA9*iSpha7DIcjwES^s}>#au`G1N5nMeH6F_{aGl4y z6A}79ph=+PS8~k;zYtb9OZR2*A8^QP{s0oPc=qh<$&T$sQ_53ztA3Po@y;sp zPYIFa^3zggA>d=#ce*oyMB~4=5Q&R|kizP=^QdWTvuaCtJ!=%Z{+yTL*gO z@9(a_ENJ+&Ix>2a239Uoop>3D!4TIzZ`8W_+Y#X&p2!59tZOvluj@Ow<xagHan>dG$U2;-Lxp z8}V(k6`YvOx(?;KHr_fnD4*T0SU?w=-8~Mw;}Sj8qFJm42Bblf(sr>^83_Im%2Soh zRop4~VpP?ziOKl34icKgCLVBd%d!t@|QVk3<#1grDL`onX8SVv6ohVZeS>< zJOCd}yGonc$d6@kaR9TNn7k?hjk9G`T={xM2Rr>xC7EL6c|S=gf{^qH-8%|J>N+5^ z=Vrw}W{HxWced?)7--=vN^@;g)HA@}as+{Fl_j@jQ3s;=G+``k*&i^O|S8WC0l|XC3 z!KO%w4XOFe0JCS+d-R85vguoN^lnK+6Bb*{FHS^Uia~F|sZn8a^XH%dO;B(u#gAOk z!s6C~KB$>_P6z1=`5qV!!1t3`X|~Id71}*<`Orjxzs}~j0;~AD#STJd(Z7%mXfxs) z$KkXfV7+DxFW}~*v^5nHI_ZYHh7Y^*jQh?Gzdqb;Im>1AFYOdqBAENq6J7ukGvG07 z!s6oghcst#5=?)EXK;5;EdfH)l64X0NlRy}Zlr4;lm(dSwx8Hg=_<={7~{=G>*DTP zBcAnYgufF#4K!^t9tZEkvr63YH@7#AY)Td{rkP|HTofXR$Av~Xzq$^6~s zrbn=IaV}PK*S2~Adup-&2)8iZ$oGs*)r>MKw5QEeqR4RK5TG@}6o-dMC>q&W+u>#($M()o!3iS(LTOyUnpON7D}l<2t67xMCVST#O5rgTLD z#JYWr1-0lbg1g4_I&cpUTV+U}>P21@c&z-;M=!p=-lbIijHZxmFDIV_6Lj2tdU`C;?f99Qa33h98%jSW`jd7pb zr2NT?DQ#bWMOG&rwze=z8$dK72k9qOath^0b|ORj*T7BbhmtXii-wgebS_@*@bG87 zvP42aKJGhqygn26sILU_biO{G@@Q7C3MHbO%YDvFUDy(3FfHIlqO|oD5)y!uQ1ewl z`1P<~O}7r)b0lh8jrnE?H~ag>KHy~K{K0QD@#^W>6UH==*zjgy{WRGk^K6-F6_c}& zN1^+&@oVe*&*~eiUdj_M8)tisC;RNpd`2CQ-WZ8B@GPbET4=-&Y=NBmO+`Pk_Grf9{g> 
z3bIoIrP%OwgNh`sP-~qGgCJ}9`xLlh%sd|!tB$=rRi8)=eW&EMT`Ut84*WKWG+K@$ z6pB!mD-{0V)F;iBlIyBj+~@6V2sO&r;*EMtrW^tcjWJEv{5kzIINUQu@K+ifaO z?X}#radd(N)rWN=EXF-ynoqnW`}>tT9c##8^$|?!xqj2Sq#LAmA7>t5da)Jr@wvN% zH!RI<(UQz9o|}_i^jw0cZF;@fZaLcQ_f$kc<-C`#cAF63})MUQNMHs4iv3gw|emX+*dgt!Q$a+NZY${ zu3aiN4ala2vvr@nG3m(SadyZ4>y5P@irxcYPh+n!BFy5x8Nq1rXSoVIr=-6ypYhK5 zV$^v0ZN~T)cn&&i|m;n>*MqP=%boX z=ry%YorH*&Xq1p*gyya?P;&?*t32h_r!^ZePiUP|p3hNb z#Ns^8+HEP!29Cb1^&oS)5yd)IxvCR2J`v#z1DhP?fs zuDaEJx1Fj1aC#AaIi4{l_Rmy9D$%s`+XwK&?m9vslqJm=V~dH3@@$zpA${Ilc1|e z3mT9YP5F#OvzDCn&JDZ04%CA2&rM-Yr&lI5&Tx|*ui$CMXC+-+N zm!Za^U-q8OrFV+}s*t%RocIE~c0P*}lsvZSe2F5l&` zLLkHd)TSunFZRA^&Jn={QIO(pk9Oqgrl_cPyLsoq+tU53=VwEjns zUj7Ku^5g&s(jBvw=H;oGo`XKQO)|$4yt!~^?I+H{l~y5i4-^3lQ}xjRHVEf>w7;)) z^1+c*j~pmvNH)M@iM87#bHt2xyB^%!`z13Y%=R|T!cFiTqaUi< zt*o7l4`&S3#|Wb*N-b0J$qvf(C<5<;l^NPaq3I5AO0HpV^n*7IniJYvtbYe0(OG{+ z_ZvGhs5-+KjI+$NWi#9rg6&@&0Q~h9bKusGE8QC|)VO0!zd=m zNOm`SdjqsD1DXrrWX&{kje7>i-K_C9Gzi|z%7hZ%9v|$`{RE)J{s^$PHrt!?lxp?f zX2jRR!h(SmkwLR%(IXZ%sgM#82o+`8_r2QhsS-X2YRQJvK@~0*B9cwvoIGX{j~+1m zdR>q=aR2`4|`!l}Q2^;28ojC?IJqh(V5dP-)` zH_$Zw)2u=*dpp*pX5<9|X2bII)%(?!dgDJbNx*H{W9to zkQYs%%U9A8>0)O*I)%M)g!|T^dz2791jY}OY|nl>}h&z#QaPt$I9BDl$O=}OwJQR_=lFUota`VwV`#yh5xRN@hz5KYO zu{1Rbe?lo@j)zCns)P@0gpdEikJak|)j~$>n(W9Hp_&vZyyaEovd7X@pK*^>7Yx0p z)4GhJGB$fe2n((=x2Ti%VS-rTFHLDi7odq-qTif`sZwtuj$SSaq!C<|69!Vi;EX)<4ncWGcS`w8Zf-MHi+^~Lz^YcNN_!( z{;GuzRGZShLncRxET8cf=7cl<^9TD>vtMz7%C$RmRdXXeRalFaXhc$&`3F{RF$H=F zr#3YOUb>BogcC}YH@})oz%H{2p6Me>5G_;q7;aHO>7fKDgeND11xnI#-=GAFV#%@~ zy9;5Ne#LXh=`83D1{BPsGz#_oDb&>2oL2Q$R?qNh49qi#2eMN-?x~0S`9&}==22uw zD%|lSnMKDRn98?RE11G;JjfwAhtAyay-uSq&uiLcx8x<}6;9`sNO9dY5uuWa|@ zn^=B~h7B?dbqe~C@|`_WTc}6qmV~4JFzh+SWz*@~kwOH`l}L}?+YM3bf1$aCH@O+! 
z?t-p5T%94qOw}hEQn}Y_F&j~0-30Euxf8{(%_um*r4N<5>|awZ*g?;ed>pH89`gUw zlx;xbP`w%xcEFRsCr6=tX_U3-1qWN1ftv> zSqztxu#G}gL#_KZ&@58Ut3GttuY@#|_TQ}Ro5m}d8mOn5amTGo*6vV;sxdIy6m~Rh zXRl27$u8;D9oBv+g0^olvxLy|n1q14V_(4WYih@A^nS)2p0(BQ|G0=zyMv7Q-@*s| zAR$SmRrOBT4h`E8O9k@dM+4<53ffn_&Oxr5r|8bs+y&4xuy5FIDGT8%gfMm?qt%3n zS;-+_V6i(P$lL#jxDaYY)w}t~a&Yu{sE&fpxhl4{i4my6#b|^-3zub|=ks@6nuC7G zrifAmn36i8e*U#sL_!acVomeuHW55>F~-e-s!aMdCG=+anW{vHA&7n?6XCjWb`Up6 z3uUGsWoOoE!@m6fQXX6jJkD)91<(8Ls##IWMY;J=#Mx~pQ-?~$#ch7Z@$MxK-^|+t zY4h3iJw#Pi2r6e&KjDDjA6d&DjxTA;#-swTuymzVNkpb4ep7N+t6?o|c;6J(IC% zc@9^-EO_2=xKjKQS?#K6?dRmu3VycUZqXB4q`#&a5~`mC89`|PgDujbT%RNqsZqaD znvrfedg7fj7h#^UB|kx!Z9VkcYY`Q^EXeSqHq3v<8GIZgj$L>s@62}pQ2vm+G9LNk zQ4e2Vzc%csEn2npOW36>54aW->{O`adpq_DfZ#*Esxz#~DyfEHSn{st30=3LT75E9yqvy){bhG~2ZRXwREy_OYyBw8MVQ<0jkR8|;D zdouhdqzh~qb9@3E$G)m$)P!jUqz$$18-DS0asz+jYRZmzM*oROAr~dadbEsDhLOg5 z1?C)FTKY8cIshPwjFvZ2Mf5;i5%aOe=A&xz{}%*Qo}o$Tht91}JTPt^zVtKxsH(+T zuX+LJw2GhKKR?*0`3VO9vAb3Q2^4(7=^vmW`z^nGA|59#_Q?vV*SuCWIk$pu7Ea5t z&+NY@6miL6taHg4b(qn7F~Ee0o>s*R|ImL|orujJ@J#3HjTo_;#Ox=+CFk`W0j@nY!~lb&u@t1-8$X z4B_{txIyf!ohZB}n2~~_P**yMu{LX&6wL@c1y%bw(Oc;8f(`FC2H+B>rfI;fi(K&~ z1lz8lr!9GccqQ>i5Mx_-YV!1v8Uvr(ksY6edIO+T%wH~U!XO$tCRuSraxBGVWDz^G zIeol^=8N9PB31Q5gC@O-)~%L>fi(hDx)u0=8ECt4>PFbBiW+{^TVU08snrh;#yJ(% zy!?hlS#LJs2p`-`fJ!z?i3Gf8Stq92rot5+!z2aWw=2EJovwLU6W@Qho6G^EsiYG7 zp8F|nf*3ejTNu&V-cn=VqtW7>Bl)F zj+`^uF?t$v#(SbP|B>E+D6xD8dJ6T;ZpF+!vS^x4#Y|Z705SwAOtFP&gbjZc!9j`l z&>R_}fN;7HWr5K9Hd?xV?bwDCQ9_3P^mpq^=@dxXZ#Ke$-^} zGRB6m(-Fxb+Yl36@?FCExl0)0&T;Q@b0bAoq7%(CR7Pc~-pcZ2yNeX@7&^+@XUm+E z3ma3%8>%2w*2(LOpzy#?C?7|$mSAT6=VA&2Y*h+`q4;RY9b?LrSv#{*BJ_0))VH=Q zg!n><&PMZ%RVT4MbRG3hPV-}==!8U+4F&QoAKu-jGE*Sb<1w;%pZA!?E$AzRn<64~ zaO^k@==sU;7{>P+k+HP6`KhJ0E)Nb<^04Quo+ zGmOf+5oev?^yXF3!XSrONu$e-CD8lqK+$1b--HEpyVy6~fyBr%tC2b1S;;$xKDLii zA)=-Hh(0#yb^lpRB+yl@oQc%2YUOy&50T^+6P{K;b}tXuqzaADhAT&XQ4Ab1(ikA` z`sI#Y`YdR#xDQv$1dMx~|0X zAk*C-);``~OXUlhrUxnXP1ioWJtlY~)PVo}V|o#K;C#EEIblK}&48Sf!l*7~=pIvj 
zfVOPmAwTY?ElKY<2uGo{wlIOH(g!@5a3!phW_Mte`hvs7E`0^*EM>^|XP^*O9{k}& zTW=#)08r$Ij)cjC6+>ZL)HkzATw=_G=C#p|^{yVnJ9&i!VYdl!_=3Tb`_Hzf+z@kN zQlLq2cs4Bqk!p?ZS{9EMyMjldy#CAXnRjrn^kw>OVD7(lPYsmc$414_{1o~&+{BXE zByclk8gK3!X;3KHNoJ@jMV2UL+Zi9u01MygcAzLg8_C6*rrFIU;P-}S$|1dDJ=ms) z3(6z7&j!jPfZ^qVg5FuLW^$UKqmML2-%8q0pr!nXe@A87amxV{A5i7E2dy_=R4NbztqJ-gfD2~}C zHSyV6?}Nd$-d^d`)oq{6oB+d1)6?k^@vVIB${g{dXVUP3(5A6&M>DsCqK!zHRaq{Jv#^fpckqY9_fu3xiP@-MxtA-`cyN+35@C$ zIEH)g-G z5pG?u1GfBRq9^(>tHK3cN5mE`x9Lkg#n#bEj~1$#y_f|^_~wdSGO`iq?ByL{}S{1fTA<-ir?V}*xU z)Nc6)-4bBK}uog z6N79;__{;Y*9bkuN_QxH0!B-gy`Dp#keePYvBwX_RagN+a+FxC_?)AtnUf{q+9CLU zkefjy9q;`hzYw4YGluJPT<5w=N`qf=z}*MSvhsh43Y4D@9-I51lN5sF2l>xUo@bZ% zP&*6lmRpemLVL^D-1rJWV#QeT^68d4{xsv#k$yvy#ZT|L@+&&>fFE>RbmotuA6s6o zRL)S7&*qacEk_QvL*JSAZ+cxnuhtd6#FiE@K6Z8uir=WXFTNtDyaZ@*)g=>VSah~t zs3X-l5EFl6K0|3(opUVaE=gkC=Z}K*t9*ujg2eN^5_N4lR!h(_y@ws}8~wppvTPo+ z@XmrO0R7fsit~-{ybw(1A6IgrRC6rSRpjC@LrS+X&dLrd zA-ES)><~^KC-!`Qj}Xd=xTb*o@uqcC!{Drd3MkoN*1=3JMpz^zA}Mc>rM&aljZl~= z6=-;HU$X#uitJ6ITsV)AIqqsOv2v0aMnwo}sy_onA=HT(yMSCd!9r>bw}izjKPqRqw6 z@3cG310Y9E#chD^i`SyR9LaskY#9Y@kuv&?yXw6-#utRdcuYWdE(^IXBuUH|%|PWa zb&g&|{QVRc-LMbE7XsNgiiZ5_?0EN`&qVjvhpyp;NlZ4AL+a8DCQOyAbQHJR*sp{i zahy#p9Qz68Eur%|uLJ#1%x67nWa ze%?vDk?#bhN}Zz+r4TxS4+ps=2Lv<97@@}y4R!isl4h$*dwF9z3c*Pa*24#W2%xFt z^Jj~Ab2E$v@i1`PK47@WdBoE;u|(7Yy)u!A>dOopPX7B*GbCLqtIwqw40$ReFsj(ZHW&!ud1h`N& zWXdkbqImx~0OZsgJp?siZZQi(MZR2hK2HfWQ7IE_RISIZ%egh=`-*2MkKw zVIvw`U=(qOM{xzm; z+;3#HJ2m7<2aU3HSzZ(hOj7MAqNLPd=^HilJqSxaiOjqU*IfF zB~qQE2|QU^I7f@Lp%HW=&9pHIGJe#5k{bs=(JJHDLDqUn^yjkBHq%fJo3Qt@5<7Vf zm%bAp{AZ+MnMwdIIwcl9JsXs^BhglIxT2U*Ybt6<5^h{@%$F8@TeO*yd%2(5dQEB0 zOuK=4eO+r47}b@>q^sQ~rA_u}Z%&kXWhjNsXBzSKp3?torV4kOm2Z*Z$$;`ZDF`N{ zEdAB$jHOJ`FUPBp4R~h0P{?`(tFe0z@d1T9(HP&Lo0S4-LQ41j1UCpJ!Wm>)ge%?2 z+`$(o)NG#ykoHgHGBFuF#%r+~RJx7P_#;%w6!*ran2N0s9K@*7^%^0%~<_rv~tUi>oyDac7?KWtdM~vek-d zh4tv$yxn@t92iq{67A8K{<2oInWP<<|GU$8-f3Zb7^f*rcIM_snd|5amDDz>Exkz|8>kz^1Ja(n?DSlnm$8VkFxL 
zy=9h0P2c5i`P}D%pi1VVxZ8yKBz%ecPBOixlNP8HrMzy2jn+6U&sZaGPBHX@)R*JDKp-Z3&YOT_265W zmMI*^hL0pfJ^d+|Kl5U?4r{-_ypCb+!R%R5lzRBRypwHX{p^oUee^i?6@B}UX$O>C zzr6k|LkP9ye_`I%luq-0SeKJ)CJ;TVlGu$T$%G6CUI~HoU&Rvlcr!^46vcsoM!~aB0s!qigLX1+ zC3#z=|Bt9qCO3}6p)wxbM`0VTx=02fPN{h)CMnz0YBl=OEqGyKu3q6bh}MqOFi_Kh z&$qRz&$-ae21ZXuA#D>L&Fiho{APihIcFxd*b^=J3pruQCZhOPPu9Q=PZq7wGeIJ z^Vf83^trH7k!B`;*WW#@Ptz4bABLZ$n3m>bXR2+e+MLSPF*Z*nwK07!2#@KHbvQ4OKN+t02wmNpn9?7P&_GL#$VmHqz3OifAF?0 z=aWT#SD^5J07R%F)}9ZSqUB}13EMbFE*@b_>jy$dIS+q}Y7V|Wj>U&@olSX%7G?ae zO)V#~-|8zd1J;8-ayxo-^MTUp|sSEU`vyrp77;;syy?3g$X-D<`xe=u1PpS`{PctCo z_Wg$KVay_8VJ6YQoR>mNnBvgEUPftlbbKi#zeX+nl^4ux)nV7*aHV#A5c$Ki@^erE zfqT*MX!~7Vjn(4R?RU}d5m=`(%di>)Mq%UnW1A`4jfVKOrQWyk&EF@#E48h3nsr3_ zL2pdCyxLsqjkvzj%IW^auxCU$-5i_(ji3u?1miKdijs4C;4~iY+P@qM>LYR(c)Sb;2l4oaCDZ9n=STMg`Q!>3hu2$C$>iJ zR!-g#`lAu?sO7%q;7n-Kf-YPmF`A}K5+mBNl28OjgR+rILS8hax|l$PXm0qzY0G4; z5uZ0D&|5H}y^k=Z{YMGx0%F)0d(HMYnLRF8Pi>stdcB$|x2@Z9>?NBLpXQK9dm7D8 zZSS7-Jp8VCedsN2^`rE&k5kVj-`oE_QCHax{yC8FBW9e^s0VenbS3Y{Beg+~&bjtE z{m7m}i%zL1yyG1+mz3*4F9`-sP>WX~Zdq&F__p;0f|ZBIWoXIX6uk|1N~^CSybz6O z{VULZ$cgiKs?qIQ-QUe+&2^O>RBE4cQC7Ap!{6T6wtWIY6yxfzc7oep%iX+oRKs=Z0dKH`IUJpd*!YtAG?;s=lK;G z$Y}Al#D18?D;vcfG0R)ZJKh%2TWW6^Mtd~KmzsTK5$7TCWA-R<8rCYuxSn@T&YoX$ z4#EogE|Uhz6r7(d2C9Q5RZj2*p2p8MVl^vsPKIH0Q+FOo@6lhgYHg?lICWn3PNeIP z7adncuL;T_!A?iFX2YN4st*KUs-&u(>+bN?Ms7lcUYg<*N}G^~iFVK7eyYKvsHKzH zlkvJxjzI0LTHWH&OK=R3PpDqr&OOg~x+?YniqpL#B6;A+ZOSZ+i?b~SCXRj24hPR-9hsk{7f?J0)IsoNL{c#ew|9lC=2ruyYIefrgG?-1&?iBukhF9o0o60PL zB?f+$7xVN+kK{5Jeb zE})&sas?^iMadAL8|WjxVNx^yHP=huQ8P~k^$&r*Dhiik&y)_PoxH=sCP;i9lf zMq0G`8ZWcvIxDzuzGJTk7xQ)E`~CPCigu7`KworN=AuvWD?D;GJx;Y5-L|k4R|C8(;Par859j&C1|29Wr8Jg= z-bPm#KY=ILGU5)F$N%OE^fQ}In>=(*?}Cuhy<_r9#nAMzZzHMtM+k4sijH;d4I5pZ z@=MzfZquz~7{C7pFxRUqZeR4wIIt^@7FjPB`;OJXQ@vMGbfdah^8HkN_VlF$Hc(N! 
z2cQ(Q^JD^gw<(CH8D8?e3>ANk(mxO8ke-4kvxXKH>HPs3tC)A(gc^S5#HJzuJ$@ z_07pPO-$%LGG-n=N|_=yOsvgy4*zmVP7jvo!itw);zyun&FM^BCf6JAi}GL+oJiiw z_IGun+wkrju}8vCRW+jm_xG6H3I4G{MOq0627YEHCz0@X05wzJ!2EB^$_UN zwO%_6UZ?7r<|7#!*?Fmip6j+EMvfO*ZzPK8Yp}&KW+}k6{LhcQ$?C9LKmoM{;C=1fRdRlvV{2*BsDhz zaU2;Ur617b?+Q=tDIawlS#xV|qxJ&ZU+8r2uka2R8S<}fQ-TTet1{?kIwH(3Rsz^T zhR+I^&}N;Pk>!JzlJDcNBq7owx#^x7gR2-s4|t8ZQ2%+6YK35e3kVQ`pkV|QkuiQ*Dlf6CR?=X9I63rNCED|AnL zM+_b8!0E>tNy`=Hp8(f(3{N3kB#v!rO?!s5PL+HO9{FlnrN~j zOl2Z>!X@vaaZQm|Bf=|vS00S??(j@qII+$B*Onu>FPfD&K+QjG;Q@_?lgXooMl9cC zN%5Zg&>_c)PnbIq{yc!v!^69S#L26R^1oMgtVbS^)l+n>MD!>*L{}a7D|><<;UhO`VMEGa&D2>KI6w&oFXUXRe&UV|E_CixHgu^z;+I zmBe*}k)^1+0`sp-sBUOTIibZGTKur4LXNQWLTg0pOCVd(>rs>D`oTfHt{`tz>4I>T zDK`d}e0`3krxL+%LuWUSBbx_BaGhX9@P3>^(QMwxJZU6C=o#_iqEM~Drcm+Ub zQ$$we*ouu?=~>^R;D7E}wCPS6XN*~5(n#BIa<5bWo*&urDpLpk0{L2gJZa`17^h=j zQYZ*-u2j!ZBfv#1fdY&ezrGIhY?2xk9S^5Bx1YcPN0VJjkH4MIlQ&DJ+6BSA_wBtT~g0p%>$@s zXk~swISb@WyFEUE9mUR_%bWh3{A&PGJS{JYgb5VH9f3U8HIcGs>uBBFBx#BZ4Kbof zkYnCz5b*30v!=+9H&vjbxS8UTFoiS;p(0l##1Dpy`#<>&?w$(XGEPXWdgu!729dz% z(p9*_@jDiXD>YwMM52AJMAKn7*=Lc$2Ak-m-A;}=6yrZmxH)E_A&!PSUzJU1kZwBFY1 z`jfOq=}n_gAlA;^qJZ)MPx=mZu~`q9T5jG6JT7?h?>rgS(S7;nTJ@g33M?GPr5|bW zqn6V&6JFAPm>u)zJ;lf(MJ-K%sr)AGv7u|eb>fEY-*!!YPYQ??mY8^Wl6?@$SKyw) z0DdpwMZf_YnYD7K@!%rc$yZRRXl#g(@c(uXXW*G;SW;_NIO-Hi=m5r|5>f$K#i#`2MEkY%$VfGn` zow_#GIwlJnCQ0WTC&w1V&c;(jk})#OkmAO>Y{a^hV1*i=0$41VgcE4>a3;6b7-&R; zW;7t>b6;t1TM%xtJCpwg{-LwOGoc&G2L-~&b8Z?mqhEM#KfY34Pg!Y22jjnD9K`F)m>L0#1DZn_OSi0W*1jJ6L$=N^<>%m zg?`;6;L`F-yJg?xiMpe)$K*3m8=zKS5Wx>kFC8m4k z^fafSwW1~HlBU~qyT+~XUbxOmapTlN2SIG{5I@}|C-Pfaj{S*8u zZ$Qs$Dx%Z@rF6>a*0i0j9>rP?@eJ)(J{(%SxXx6roMYWtR~DB(=zZkvgE`d4D1+z2 z?(R;CO}PfLGx+0tpQ1yoq!~dy6osRBTYZ(kRjPCm8o#DqYjRfr%B&FMuQeAPXL;(K zDJu;TTJ_oHT|7meWI0^Wi|SdH=H^mA9nHoc6B_#zf9cs3Gl~3f?ru^yZbB>h|Lmh8 zJtjXzMk6Vcooff3!FI;P~Qk)M62~EEZe(sD5$Pn-J>>|H*|q z&%iRDa$%(6h(gEd_Gn>#9yYSWzOgEj!$nc+#n$~XphqiGrMV&7R_zNvB5*wRT1|v0 z_t1DbRpT(L8OMq#*l$#auz)l6X89&55ygBp2II(VX?=I3)=LBF^~^TD#@E`GYoBCc 
z5t*tCmon-Y#7G4TF~ji*<~?>g7k!qX9;a`riGmb#j+?OL@$b<$^U6V#Zct2I8con= zL57KO3p}ouD@~>-PeXxbFI|!E`v{k`zV}()2l=s;WM_5Ehity)7JH_~(i!*BH8{## zeRs3LXDXyL5r*w677jJRFoA0*v~Lu0WKNN9C{igNg;&u|-vl@QAO$19ZJ4A%QTGI9P6gZ@^lNm4TD6f1_Hzlfo8YLdgLb+ z1rNNkRc<&Bw~^tasYB&OFoiP6=|pA+q{BiX=xI z@0eYEH2l=c;cdYR@g}8bd;rXAjq-pxNbvZ?k;yf$C&Bf}r2<6Njq6)DcN!uj2DGo= zBX@xc$~pkC!j>x(j7ARY6Bh!2c&v+uYNqlp&K2fHC-oE69efCjIGy2f-VYhlK)Mkw zkWyJm4#U~|oS=NZQAnYsa;exhp-8m`VmbUD4>H($ohg$FDAekn=_jXz%U~v~U#QAP z4hNEFu-PE9;qqOBLc`{kyHHE|_PV7&ZIT-_(ToW_TZa{Ve)V1zeM_`f}b|W^PM6xnsaG#g6VyznuOc8%4st z-=04PSLH;9uB1&}@w;Ewzbr#nhBP6C)05HY=m7OQfZxMOC>~o!UT;(jAG)$_$r36o zP8{bJ7n)^|C40#Ay3xRbd@b)lz7?am2@`oYYjQPtB!&~32FjGBLjv!Aw|vQo^(j7M zAVqernQ;*kVkml#7qIHFn;$D;GtkNBZ0+T3$ciX?f0XXt^7VL|1iH_rP*0)dIVzWc z2{z<_qAMO4qWKdQZF$fj#;~I4T&_`qeEovQ)k(f@(0H~5^Y4ACh^u}-)Z@PX4sx~6 z$8bHmK56?N+A++~y1JgJP)4s-;(5LcdP5<5KA8DNcwv7%yU}yh>Bp+(7-5H>&*7N7 zrTd!!&rB?ZjV595+)cBSj=O~dSjYAzq0NxNr@EUOVqD?nBgFVqr|52)nf@q^9EIP_bl@#^(cE`FuH@>r7Gu4@zU7GIsAbG>5X zMF?$XN9}Guc*JhcLPC?Dbw)gp5Xp4MZV4~OF+w&1wQArHD}2YEa+$GNs1Tt;2Duk< z{#ls}Ih!BTZ|A2pzf1Avk&LoTBP(eLP3ifTF25p?gvd5ixnGzv8G}uEERc~`77a^5 ziENV~A9D(Il~PV6$ci^AD{%GaFOHs52cJgwskHdSNZ}>cxAwN=bn(o7WkO8|t8hY- zLPU!WRD0w|aj0LwSf(ps?#&SaZ0aq@+~nBnFj`MM41Lsu9v5o;)O zOGS{Op&(qvp-5uvekLav2<=Zp^e?ehON<%_S~TfB#zW3XS;LFiW0grY%o=CgpQFd} zyuTM^fF0fQa3?gBz+L}i48kWbToPUFJd~`pS3#88>%v2GtF@bh5!Je>t87)Kt7uMHnO5dIn40lyo#t-j9C5RSQ^2#m+|5jMO- z%?l|9`F(y={o9m9p7nMUK@$e+AKhN;1V<$J&lVknA_R6hQ4a<3AbMNEtu27Bk}1f% zTrUWD$(M9J;nzU^!QL@A_9~Ll_>FBu1HDxB)sZXM)MQXx;>1NgBp5;~NAJ)l3+=zk zkOoC4DEj?_K>Jz$FbBK#F8efg#VT>*X}~@az@|!WqkGw7xUFL#LgYZBGRJeP8qeym zgM2I9s$oC6dV6Wj_IYtP7@y5-!dx+EKYP@Q*Jhx$uX*M(Q6aDunR~neqJ)9|2L=#~ z^1Hi~zV^R+-8EapM63ZHY|1KL74KA6M=>W;7r~=b3D`jW5tjMlK>-mIzrVO3P{No( zHGU^o8VDP|l5nyq^C^qsd5TOu>hD-g!1JM2tI0>v&Nd4!$1VU!+-hGp9Vf(ZU)P8gWp-6i<7 z|A@OVJg&@3vsfrY)|0?WxfA#jr{`QP^(k;Y39D0YVC>!h9j^AJ1$eB!?zcs~B9XAx z3AZk&sB5+Nt({s41d0qjYl!iuH#;=63`AS+Gc*AVwz-drRKCXgVWvxw5|k;^Cr&G( 
z$BeBJNA0yOPQ~h{&G&0IEJlSc0Byj}0_Q=1r}7_gE(o|$;Q}O=OZK;#>iEE2h+b6O zZ(X{RxV3O4Qk$CRKx+nh9w;?U|G9|9)Ai{e*Ig38F0k^JLcmCzm$g`WiBrJ(LhYO3 zJ4yX`f!Rt~W@ytYgv&0^DN^hlDSPs`l$;e-ZeO$CAx^Wv`a=qoXf|iOg&<49V*0-C z>nIq4yVcQ*c-HO$o?gU({+?C-wHVapXfs7%OBD%VyBOJ6FVeKrU?V@Do}2_v_d;;4 zi?7bo9zzt^F~NwQrfM~t@Yj>!X5NCsjz{4-N5(XY)csCekj?J zj_kWJ8nL~!S5bF~#q%L0>8HdbBZ2va;4}Q?To~7=s~NEZ>;k?FLVJ7_WDyiJv{4ST z;qbUU+SDwYL!&5LOic4j!e@|h$=I8z`a1K+k zQ)#E5ucLNbH-|7gK~BYt3y2foO;dkVO|Sg_Fd>Ekj-fbGS(i10?#hg$Ls$U@ak1uO zU;V>V8#NS_OAy$f0dWxjo$9>YqQCgDtw@%An(hS-$&(|TDc0SSx7n+84raUy^O-3} z3KL7e_A_9EJ9dN1hagFfqH5U4SkMF-EX=!?_|BP#6Oc&ndn#>Sx=Q{83z#kx|KyMJ z7fer8 z5D71@w5)J@-ah>Unk8fGzAM1nPUFiM?MMrk#Nq%|cdO=sP$o*o9=Z2DDw4;ICpjN0 zw}7`#|A_%?fqUBtLiB|nG2dXc@bYZ4a!&@x=oGDdO@4+wa@KQQX$+Ul-!qYA`7JEe zV6PX42*590>(g!$(({{o$PGu?CeqmoMh0{9P_N~ci{#;*ZlGtFbWq}}VHWJkd_wn) zdWG{_7K7!ITk5nHvlAyV76QA{tl?j;S)2Zdeeu;JBDmL_jDLhab#NY)aavkZ$Ziaz z6Nq-Ibvn0$)+y$A9BFe(BzJOx)M;yFsV){ zyHB`0)VA{(=jck2scdL9=^r_kXktBixO3TvVq$%0k7 zT!`O%b9_=B*fISd4PUxxIE_6xjpImK2)J4Y2Ccu=oc*F^0Q-zny^9(F^)uBgag}kC zc>_CIfEC5f7$k-)ljC0Zr-%Fv{@DgP-5)~;dlL8}c6;;jMo$Hoi@=1V4(Bfv8OvO8 z%j7M~9Xq^GAGm6z^9pf8Yw?FuOrSLY*I3oj4PA3!jlBPP6~gp};>}jlDC5nfc?!83 zn@r}yT^j$OJ8snsyDhlO$8^CwGUXndT}ZkWnx2Ecw!cZ`cO)gg0;5rDvgJ<(Fsx7! zjJn*^KZCj8)0))*Q~yIo8{E_m5aKU5GOCFg8ozU0Wr*JYoitHoH#+53eJ;&x`Ed)! 
zwZ+2&x?$&UNB)-4?t73HCTleFMuqvCdrV43t|BEjdm|XQ&Je~FpUWJeCc)@ca2Iwz4Z2HLQl-rkq{-W_$%CTrbsMNN5BmnCTcP`NM37XKKxd zLjLL#?S?qgc1FVBsU;JjaO-AA#S<1J*&1+xWl)@qptxgU>(qOw)xU7;R40{W7f|_9 z249^@#Yd#K^9f}KCqXQdh4ht?4<%3>>7RM61aOO(H0iwL)TP&5*5W}qlQf!rrAU;7 zzZJEe&e>Xh!7D2yVasNhxI~p0wY<{ESwBb3$)4^UWo${4rFLelp4Soh2;zgOL9!?T;0JBF=0c(4Jy^@(vxp+w~yq;gJeisx)7BFxZa)s z373r@kC%vF#F5t;$g}e9Ye=+8F2sMm+Vj5E;@T`<&OV;13)20g?OHF)x26qKMWFOw zTl37OZp6rbAROtZ-HwpnzMZ$AvfLhWq`%1JpTC3M1l+!7+RVJ$^|8HDI2d_Gtj@_4 zD;@ogEd;lRa5T&tTTKQhE+By~-HN*DL?2aG`bE@|ogMsJi+BKk`Y)q(q z_izkQZz{~F;3`PC@P5|zF_r|&z-mEc2q~+yU^)~cj`=4Oo11z<=jbKBc8UINwb3Qh zsPMh=rPZ=jAwln~!Q3OQ$cBmv!%~>J{s+N@;aEYCJ)6x1$>po@%Y!LF?(bAB!z} zI^?u>AWc}3dtK;VZ1^PrW z`3}oPTP}{uLkec>!qRp|hcP2W`&m^ED zZl2Z|zw zo3Z|hKKQ8fJj#r<#j7L99u(5+J$tALpzZIelhOV5l5e|0f4u4Gp->5-UT(x!|0FMq zy{jIQ4+a{kC&oO6CVu)ag!frhdhCHMc&=2_o&V%qDSomYfmcX>3#T(w@wYylq}l z-g;UQl1Ol$feHZSt)k>zjo4qc9)*Iln=OThT~E&0WApp4MTn<9lh9kSJ?+sT8vFA9 zjF`JlmA$?Ci;khTF8x4Lh+tlpQ3`2MQtG?56bk*!~ zow`IG!HOs}mwv`TgKmcLnQVXMWxY8pq7W852eB;_7AlOn?GWlf-RkBrzu~pas3yj* zJn_%gHpG&hTi4ub6OJaG45AltSLqrlSY~&=jMKSKF)^(d8as zJ0Bt zLSf_m3+~NeYoG~r*bS3hUJCc%LR1)((1M>iN3}DL3tuYnQ{RH}_OF}nwx75cD4LQ+ zo*SrtQjUFQ1TMg11fGS@;)>yg)s06YH0 zl{kJHCo%#j^Aj&{wt=PQ?JI1)3P5g-op8 zt!nzfw^$hL{7C=o=lCG`yK(!gVUAMVjRjNG2#5W^xv@*}Pc2}d8AS~ESj-0&p{X===Co()vtNFiG30@pR9RA*n1GTHR>acJ6oRvi4-^?A zXN;zLkEUL4nSW&C6Jp4Z`4Gv`a%Qf6(HVAt8JIO*iqNvcbTC@-MN-aE`r6rRCU)!q9#9;M$635P9acnz-hNB}qv1bCEr^@UT#q=|iCM9-IO6<@iHSYJ7X>dGsRw;VGH_$ z6olB9`@iTMnZl*u*%r;VI(y#pvRkX8b8{j0kW0i&PqwCCpC$K^5I03;%7)wH?%`=< z|HCJq=ot4W0eWQo!Ow*M$dJ97PpNd*BlJXr(E0arsELA>o8K&|6@74=d0)%j!f?fi z7Ll0W--b%+>-J$df_;D|$5kwp+@*Sl#iu^!b(#ilNKigiqR$*`v&?ig`cFwgUi6zh z9WG*^bVKQ`OX6$pVM)j(@jY&m0B@|L7YdpicPh_OUzbnLJHN3;*l= z_Mwh22)%yGl&|NKgxXZJlR=TKy)B@Gxt%aJ4S!>Z zaK(E9uNCA^Y0p+8ea^tvtz1dG;8Ar>lxM=R zA;dJ899<|621=Kq6u$h5K@x7D3bv>ml^LP%SD(B5Qw)T|Kc;T$PgCy)CBNx^=`Wrm-J7$$g2px=5Crm6_{}bgYXRbN+qN2(nNEjC6fgwJ&;F3R!p2dB9MPI)w>ZQD^u5+Z-%9< 
zQlksXoc!*ZGQW*2Nv_%RgU|V+Jh{M{0@gFrJ3E`Cyy#0EHt1LZY?sicFnmF#L>~+H zi+bT#*wJZ0ou%qlUF+=}&(+Iy^1bx2rq}pJka!s8@TA&@p+)eYfVPIh%uWnzE;3WI zBR|3pZS7)a6Mi(AvX89fMK^er85qGS;td(b`BuwKSfwBLj@8qekot$2f|Ey-#hMy z$3EG=;Tda<*;E~iwB`O$<0PeRR9{xvbQHa}~wmG>zc zQwV~74020d+c^X3hqe_xscmckHXN`NkJLunX9z?{AVQD$D`_{*?i=S=DKS_Ud4?;7 zY4YLD%MtASTha-DNTi=Z&rr*b<(5%6d!+$ws`D&v_`N9f!cn`~J6X-zgw{J{h-pId zcU)+1-bqpwFf~6_OV@{VRjf*E>`YT4T|7XyuHfSfu+Aq>UHam%S0h5D3--sq56$@> zk)Z(rEZlnu;WtO1{o5O>l&>WKCmG%xh(gAJav64z)%#c(4|)aH@vpU!)ja~v)~-~6 zu<0@c{t=Jo4tN zMbv8&99($2?+JzlVE#VzdQC$If1J)lIJ+MH5pD1|1P}l1-snNy}|SSh?*>8wr@m#D)o~4mapdE31G|gE6vwwoEGbgSHW5>E9~>=P zWUS7n1q+jU>OW=nP(_(+q z_BDUQ;CZZMqy$mwzmU87X!>btsO@7#hqQ9?D)GE}*RU6ev#)oWEtxNb_Sf{k$t6-H zFPxMPYO9lt>)&P(kgyEa8**P`aB1ouP1`{R@b8&z1#U1omM;;NcR3YG%W4HP1b+Z- z(u)#!XcN1ur{?n&r2h0OCI^;36tuy1xaG8sh|};&E_4vb242af6h9u``+zScLpm!z z7kxW(l`DvWx7DHCB@rdazsKjt+Q5_XOwp@f>geOOCGs6};Q$SHHN*QLXbY?XNieF~1(Pnc+1m9Hs>Apj(w!3dPxrq_>g!#8Lk^UXZ+)nOOgoFVir0NNfT#2++M{f` zpp1xx;95KK?HgSw2W!Z_ncM`Xxf*G*i&`JwGlW;V?(V;2M(%HKPEfRZ!hD6fyh$$@zG=FbqUXHCk-FrBUu5zOz*j?M0)Lf?*i@A?C5_)@yT<}$vej!= zb7y)p`o^HF#nT)jfMi{7$o}rd3@*=o%?=|HH3bEi2U~0!JvRBfs>E`_=k#rjb8WTH z;Z22EG-hq@63ZXzQtZS23!^{z`;QvPDLl&~I(bDg;}s26C<#uigY zm#(tM^qyr8gjG)LZc{3x1Y*oF#I)0Gbwl`OP1%#>%S;N*Qb3QFnVq5TL*)@nf~!l{ zh{)RE0`};@Nq{qyXO8`fZ|ts66u*Zx zjU~}L=rQ4gtuHA&O4uU!gf@k`DQSlgo_M->PML+2JjhL7)sNPhta zNeTCNqg3De^pzkuYVM~@TpbN-T=I}$7_;k+Pk(?Aq2FUfHW1w`N?y{KJ&`j?WErW{ zKK2mJU{q38r2#A#JzADU70%2RM+QWHP>T5v$4~u2>^`^Kr`byy`#q9eoz?3yq{}

#ER+=hC8rP4pcW?ELOFlwMu zZVAF`%ASyP(r)wkGJn5Y%#%gE;@fi&pB?@xUsa3mz%uoDEI_CCTdox1HknL6L%Dpi2I!(e%l{V^_DL;Ap(NE8<9r+KUQt>eeM=G0cIY$JRz0BU~S7}PNgVgjE44o)7e zp>+!$mza2WJfa9x!d!(geU5>)o{i>PZKWO@;$M0FS+Bq*WJDi2!W^(!pFWE3plzz; zLcyKa{J3d(ldKOgWB#>3B(W<@Q$sYdC+1}bvdo6Oq6n99m4$z!r{zu*3Hrbfg*GGK ze@3jgMKZ^>4tAObC&tBOj0=g7cPz-Bv=~VkW6)5uk~FD-!;e$FZ*qCo_jP zo{G(+?}POB24H3sZ$$N}IeTA*kID2V!K;|pyhg8_hnA+No+5sN=q;AcKx!zCyhF4N ztL`ZCeE360&W&HsC2m-i5im+cAN>#MwCDmfJ&{sJ1+k>EBb2>>g$R_C@OKflaPqif z91@o?;BFbp40EL!{L{E{|0a3#3hCTO3`k%5A3RO!(?psaOiH$E24j(U1d;pe5WYFG**Xd8D71mNBngM2ZcDF6C&7LSg zl!;(M@Wn&q`j0Y${0VB}lQe>^#T($gv;_jX!!s&BLZ8+4KlbPg&-I*!GFW(Ts`=-_ zytvk^2c+2Gy|T8NRrUM-qe2TT<2J-Z5Fs3i)`&kMcyuR!I!M@}uwv|px2u>Mnu$IN zN?jL4T(1<{KOJhRqTBwWLgp70TDTJ+4;j6WHLXF%KQN?IF%GUlNT@26Q}zFVYghfD ztNwsz)xo}=u^l|>{4o58T_}1j`b3q)JTjVj08w?M#ohy~1Koc~VJfO%UtzS{8ZE*n z>dLe?%ADg(UyFS>pON(VhH)a6r9`ngG*nE3-#8yWXC1JmysvI$gHLS>q` zi&JhPpcYF9{6&~SSWwpSRK?QmB1g&LGhGpl#ye6BLog8XCUaC93HvlPL)-#I%jZqz zB@i4oOnk{e;c7jWV^raV!Syi&oOJ4#Qoc+a4wa+nL>09pe@rQjL*-cdm%~3ibR6ht zMOhIHmN|r9nZMSxX1M*4H+)9^IwMZw!`M##L+`%b<8e z0+@XXDK4nU*8<~YNZ$}_xLdk~h?bYv`KzVf#dc@QV~R!=yW}q;9Nth}v2i{Sc~A&p zyk90b{*uY9BE7rN;h2=9dx2A55^qTVvV2_DPN^x)nP@+sh0?PBR1R3(wN~y1gciFf zjTWA(qld`sU>3H|CaB)a-z+u2U?jX=ny1d6-0#HtPa|TLk8GUiHzt|;$NkQvJTjM! 
zR0Znc*cVQRsrfu1t@94>UHU~faP4f8n~^bXX}lBr-$~5o5`Iz>eHd9b;diKG9G5rY zR>oqn&U?uHI0>HC+kYR83Tf5tBHy+%kxDuw(@eV(p4;EbSF#kXe(%@-?YpCX487b9 zP|36QZ&?3A$>@8n9tx$pnb{}1p(6J}j^wVNEsiXoCC8WVBZTh^9orUq_1~Ohhk{B; zER2p3Dg*-NxC*Lhw2@Q_<%=3RFjJ|({(7Qq3zYhA+EQqa(N_%BCM0bWmh}~&lf`h) z@xXAitD<)-tV!x!Tq3?lzmh@-Plk+jvoM&2)k_!KS{d0gibq z_D!CyGvsox(NwEa~tcWo)_|6S!9cLLNQ^UC*cEr_ddyA2kw?Y#y9_##`N z1yt7h@jJQje&^U;RvTs7)>Hz}L>fQV(-jsUH#a}?*IAc*@}PrDveUZH!rQT9^d0hF z3$DzpL{#yK1O8B-D?~gTg@jlEoV>17Eo;9}BuW9NFt4NVz^6llYCp^X_Q4s_F)qAQcp^NUZ0`Xk%x>^-(<^TajhLjAi)hL%l;ZIE=`FDE4Adv(FiXBI zic1VsPPnzgXL|N4DgV=5FXhs5Cwk?@FWucbm9nT7v4n2fEq;G>9S#lEm4TvpeBWokaPT@u<*0Hny`dEs%D3&2-w{6#s>cWjHy{Wuu`9HPz58_q#GE7l@s-Cqzb zO_jJim{$E#$CS~ec3#7=*S~IEAzUvRX6QoC?KW1`&e{}Tp@6N;W;GGH5*i!clkOJvYk7B675cIBd5`Dcv>uE~rf z+f%KMG5fge8aU(Aj3k$xHv&FsD1Bb<&Pq(S3WDZFW{;oI2$zBHcaREVn$o3T;>($Y zzZstE=*Mb^7hl}!mzNH|-a^Ex=7s&I1~cjn?ppwy-g4_c+Etz2$PB!h^*08WBV2V_ zz$7&a;O8Iw(=>NZZ-_{jKwBo0D9b(Ta1z?ik=+{}J8!&cTQ3 z0+$thO+K7Zp^zU_oyP1hUIA~yg(ZP*kN2A8p?AfHO2{KOX5v@bF7(@L1yz;QHRZ_+5%%gsDh60o_=4iu7G{>mu2cj+6ol|9x z)eUZ`d8dM{#IBzdOwxa#|LKE%`WG)UD*}tff#c&iY7nC_T&va93ZgE9w@}|br3RqbczAI}@=f0}t;Mm} ziTCsB$U063;W4*RPIqCwFkJ<-!N1Sa2@+j_in))?jZDUp*&JWeegnF0`AS$-0IGhj z6_16siqg9tGCFc)v`s59mf3eIF@CF3Veun~o;lxmL-N%;Ow~ysia43)!hS>PFYRYcqCkFe`YRLXlrU z6mm?ou}edkZBRDr`h%$E_1mkn(?(uXkGl%wAMT1KNR3YisWso4Z0Z-FX9=cm2>9r2 zJm#*p;EBoiKPgM?0>;T;%DU`w`nYudvBS6O%5B8}r^YhqV1WrwP&<1=cY1HX-B)XJ zAPO4V6Q?RpavqcA#I)IU<7>;}duKCv$Q_-e4c}R8G@}#AzVb|8$6zDN@-m=vsBv@s zr$}OX3fYl+e&FXPtEuR>!Kb&r-62nuwFYIkvaSDBKF|fXT>@ZC!Wh5>nGDHkP6P51 zd*}xtiphxCM3j}m$t6z{eN|i#0x|OcG7ST-m`-TLAf(hX=)qB!lX8dNn)AqAs#)_C z)}-;*Y)Y%1a%1K|J(!toL)aanNqfXXmyPcBV(3s_z64?|9 zPSE2-U@Eaae=b(A2eEJ8jrj;DlC1Tj8FE8bFX8MuY9c5c2kxg69bfAj&Rg3uxAqo7+a3U@muuy~31@ zs7M~%);w2ObW1&=bnko}==1#|8-@S4ySOqk-hjNA-dx8}SXS(Z`Bu`=@P~tEhn?pk zd=H)JYL`rL?MErU|}KGXKBbJpI;Jt=5~ zAE>bS5~4RcU&vqCZ)w|4+LMe^c8v?RF`Bklq8k%iJcg<`%4`Y>EmZEl?;d13UE|ax z#p`#wIPLAf7cauc;vJiz(#vpq2n)gRh!Kr_+{NljbPtu^W!y;<=CJ)%=qu86u?lq` 
zy-{8Y@bh9PxbU2Z@E)o1_R%CEXMf5kwh@#|KAcWISo%g)#@?_M4pI-X5lpXzHG_olL5wlk{jGh(kvzME+<6I(7d zapZk(6jC<-aqA5_bzLTZ%Q&Kty~ancNyt z?s980Cs^tf>|Zap{SAeKRa5HF%c>zplDPT0DgCK3UWC zt2oc(D0w~~j3N}C{lPz>KEaIoos`~`key^~><9tCqM&f zIcFI#r`?THqT~3Y>WF*P%UHKPd}S_W$2Dr9((x4hc5fs1NFHfQWqUaAe=vC+LJ!vG zO^vzJ@p^H7_^hl{f*GZB&@|x5bPfb;{*7m%*c6V1+k91pNt*Je*c_B{9^oqiEVtH@ zkB-&y>YXYL|Brl+s4U!?6UDAyf=F)0D(_dvQVIirg}q^9!Far4~#+wZGbWI`sPQX_A$i`y2vJ64HYiuGx+FG5U046P9cx&lG%`;}Ds*1m`O<@h9 z{!0ExU&UXLDX1RD89hn?6Y{AM^Sekg_#WQ>erq$3EZnZrQNr7mz!52Bwa2mv!=hM~ zh^3?x$UP!CwV{PLbVD}JR|67K$Rp2DKLCO_@^V!+oFs1@ul%;&Z1-!bs~`E>#Ukg> zeWk!Q_#bRqJ#61($Gu+RW#vMd^F(?#w2l_+dMGO^OK_RS&3h|W<;WUl>sgIU*)8wk zw&hdyoN!hqw10i`7VB;PaeMr<{*eQxGb8xZRdNXZPR$toW0GZMaa=n)?~pT7&f?PI zrNE1e<#S)|JH+>@IuY|IW(mV6a9gq>=V*<(y4F22$#VrB7?tk;e@g{dx)G}Ynw2bD znA^s0%Ti5%IioZeiAIQVs^iVUJbvp^kOqbBQbow5;OxTJl^|o=7qQ|LdEx7(%S1nH z?G1{x*;%74%TGE-0+Ar+!pL2nJyuh-%K9>5$TSMh%e)*s{5vW77oIRy39J~UxA@L2 z$?1=D%Pwq}&ZZ|-n!;X%q#;HQmny&N}(zx`x**! zaC@~lz`s!}_Mo6}9KKfN$QEXv=Fj=t6P2rn)N0gD?Pc|LN^0wD@J7lm;`oc@w}MbJ z`OYHpovGu3Igy#Eu+^UySrKoO!$w29Ymb%5+rc^ssHR4B2=^(lY&Om>enT%^+p3>a zOi#`=$T5mBcBneMe}b)`udYObiBG#upSQ#odGA;H^=sOK@a?rvzDMhlF3IoxpXVN4 zY&tQE`xhS7q6nBca1D^`&amS+W8EA#e(!1dz*0T;6c^s02gHRuz zM#k~E2w(Z{^nByoM^OmJXa2thfLNXFo6yL%w`#=BMpv$4eNj8sqKqrL+Q85YCuM`2 zQiEDN(acj<}v(NmHlcdM7@oy$q-Eja*h-%gc`M`imL zt*jmDtoCSSZufs2CaY?A?ecKryAdj)NGhgwDFL(O zJR*Tc2M1SI-@~AA{F#NR&pehNkcU?pQ6DitK$Nsm*0&1x&ymSU&$>XMTXMFF9Ko5b z#WW8gb|_|)Ep9P-BYxWWpyAFRbbGYl^mrXvCI-_)XU%|Y?4xv>F7jJBKkj+O7YIKS!56x!DAMkuTQ` zx_PmgwvTF9Amv3ymwLgZXVEp>p0UNGlDG6CgCAe{*rEM>$T#hz>@S^9}>hphke`@bvl2yZ`z zMn1n+Bepkn-?W7cH=gs1L~hm)Hmxd#gQ(RC5oj|jmh5c)l3~~IzPG~)sT>D$Mv+P4 z;8ksF1Pvhz*Kms}Efr=6~|vKFX6uEZ^iIAPtJxnsb|(|_j{qq=0}RRtfi3lYNtxr zsW#&(piKo)r|zA9OnuGBu88gYFGK8AC4RHC$W606pC)QMPr#bmj?GcJ#y24Kz%W@f@JJn@FamkRHG12UL z!}y3m)k}R3aN5*$Z*#&Pdv{L+^>z-z0HT7M*6&;(B8OLM9^iT_H*hjpjj32)GI!CdwJ3vT*$AMu$}=6XNp|qFCH)1ij_q^+}}Gjc;RbZ zXesXMm2OjP`GF8Yv6vlgadxl$)_-7#n;h+O;bA-;{QaYvu4eT;_<65JW&10*`d@-s 
zDOz7CIBhB~@K_6ks5&7rKOGc?KC_6dq)~{8nh?n(wJ1)To;4_K>Yr4WmVXT-9Fj8q z;(GpxR7k_LwZ;DBM|8}fMOifKGsK0(#QA#3l{T2N zJv0p*!_Hx5%F1Eaq*3*SV)E+ykRFmF!6U9lhJk&HS|}LdPD8y zGO~Sj>zZU1TY!_9R?0-0&66z~^R(bRK7oZD7z5E6^@2EdHBMy0AeVTZlnk?~xNnxH z_hc7vVwg(7z^#+50-)6$E#{Xl$jg*2AbAF4c348BI$a<4@2n^Dokd$lj}j*hu4ef$ z*;!An@}(@}gwMjD{;~va|z6 zmuzOTkrFEfn!)~H4*u}n6HWfnPopE>Y)*>7Eb-tY#>k^okz=_Ak>GeKOpM1uMs>Yef5%W+5 zsZ0UK6cq3!#<+^)M|hPy5zRr6YyJTV05yCa(a7-SFCf8YfiqtVT)x}h^Kmo&aq+=& z5ssb1FpQu3owRh=+i93HXgTn0`G9t%>4p2X{#mM1=rDcU*ZVy%d4@sVn!v=#qRnO7 zcR@N$4=Y2l`8wcwdG}ld0r>$uXL^iRBwA(r{HuTEOF6K#16wFL9k{fo-+a*~heJW4 zSyfSw<-ECWWpB3oWOh(n%z?$g!&_!~jfo@WzG^O(Grx~=@;paN z0BK3LShn+efci|6!X>IPzg7Fna1Le=Z1FLSeXaZuW3mSE(2OI`k%5G6{P|p`{Qd&n znS66XuS<7heuAXb_C%wA=mEI26n{l^m2G&%8J7`COb{l-MAsS~nOHoVZ61jsb2*BqQ4O4Vg801G&!Op}*DSUOPN-Kt zwa!Ht;8&Geb_wFGnz`n?7g>)NkH9hD{ms!)#`hj!>!C@ZiWi5vcS21i88(?gxLZ~y zpg|-!C z{T<5R9{ww{|&4}VoPdI3Wh2@mLWDcv^hsIM$27glfn3n@a!CC z$m5QRmGX4I9(fXGg@~p%iaG@e=~D>zMVaEocnUepLX0rc(=t-Te%d%$;RI1wyL53g z{j?Y%dnYZ<`Wzg<_+2&T@nO{tOi_d-p9Lt+c~Qm&cfPyb(^FCXTbZ4~6&hF0c z?9ALdcNGcsXs^IwfrSx>d?HBo6^5bv1X4&;g24{#lJXc3&4)~}nbOufF=@bn{_ecp zPBbDP(^@1S3ov?!s$u5ytr4L>J*8XZu!-U6%AADm z$|7@0dpLeVe@${rUhO4}^`bC^vd}4qYH&!KL2)TD!&f!U*U=5kZu@1XN{t4sTKrjkWK~8uS;TPi0p4KugqOg z33@O`WVoH7ZMScWa^M&;%UD5Jti>2KB$bZYSbrSTB1 zl+OpoX0Ov`Mu?n|AL_+6B;1J&I$}%3fRe!#?w;Hun-ck*knACE?D_QSm{lTpY*eH)m<3*Y3WOM^V-Jy;U>f`0-rgZJT0THv2ph@LDw!k-aH7 zpyiQ%FD}Qg4(>X-R8S)FYZrZ)X{?gEHd;>?)RNS{Tpo%RZ8E^L_M0D|A_z_U&HS^g zG%HJtLWV?f5pzTvS194z2F*;b@>&^cOwCW*>s8Y3M%8WW;c#Jm zgL(SNRlVunE%Z;18fWnv*o&p^L!v1&pMGpkzJ^(bPjDwYgbF~HndQ7i{c1;MS%CT+ z!MRr$tBG0b6#DI;>aHE%>9a;P=O+~;yZ!S7!f)tg$iG7zoB{T#thA@jELp_5WtI>B zAo}3b;Q1@O?)?c+ocG{(h2EMRi62PJ&|zg0c6hlJVK4&y$efmHTt8ANE%(}{Hm0!eF*LvkKaQIq68yB|eD(X>^0e6` z=UCr+Pxq{GQ+Gq0$cXJ2gh91ir9w~*yQt~_N@T_7&TQ514-ao_dK^u=jTq;iJf4qi zW9j<{0%+-?`E08k8Si8eUdGi50Q&J${zd}#J`&(Tyb^D9uYR~#rZiOIkszrTu1^7k zQUXx#GyOSyW=Kca5U2{RhgHvxHOFyAv=_CV2~&-TcTU>L3dRXlj*bcF5_?8qtr=kH{UcfRH&MOE)s)= 
zTvo>{{EK>sVo)UXlt#Rqp-4S7`C$fPi5lc@^ay2z)|qEos}pMxz~@%0Y;ub9EJa|C zZl0h|wLO7CYyKLg=RZ_<9s=rbl+)5Z>0EuI$cQk|k_q}Pu9)f}5xa00@bbV`vkoi%wYL(fX{!qfK-OPwij&inm1}$3~^YTT_PQl!BKtqdR zZ*cqYcKEQ}V1iR;^^NdrFZ%Z>6?%n+{uMQYsm@uJPm%_@?25}O-maXMt=Z*}mX*Zg zz`wx;eG6&zDD-}6yM9)F2WZC{V!EdXphA%-WY|5F!e5Fa>VuCMovy)nGkU%V{{TOJ zMKI32K@dCu2m~?n4aTvhN>Ri#u>$+@U1HW655=l;4w-OubeHJjwtR)~BAm&)l?81$ zf`=R=RW8)f>fM>W#o?eAnm=isGN&2K4$t4V4;PXU);h;dIhz5(R1wxOP(6qoS&sW zEe>Bx#}Cy+_~LMq7f9?Y8^Qg#;<>a44QDtwMqehfvgN%jxkRJi&DgPd0W^3Sf~ZB~ zIER2hc!S^?0j1p-Wo99GKB#MBp)|!^m{^}H$#j`>bt@Zd07n1eQe(tFQjrD>(adhCqErV z$ormZ1Y9|XHE7qzj?L7i+$$duR}*nc6B))__vjU=pU3+*f`h=O7JhSOl>e`l0ehPC zw7sgnBnyVd{PKL6YP*9+=jlkvvto)0Vm-Zr6}jA5kC(HT;F@Mq1vBY1Ndja}KAAs? zxFYLL5m$~W*D|P}f3#Z~R^|K~>t3s4eZ7N9usb+%^_ly6oHOSo2enpO@8t|EiNW0B z{@7L{uT$5KHVa4HVblWO3~obJGFO$oTE#j_zo%F90Tb}6>h9T}%G>$lk2CKI{46qu zMsD=v_Sf!<$M(nWU;C4noAle=uLqa*9r>Q2Mf%tfv)Oz)1O(@5h^RM)kVJfg>S!u7 z{BDU5A%PqsW_XH9^JNof1vC`E#5O50|G*O8dl(`<9jOr)K%@OVQ|Lq0*~`eQr+b_A zR+fy3@%7{0BAwl7sqc&Vfrk5_KmJ#npq2GJqE+K~LG@*JDaX37@R?6G*wSIlVLD6B z>55z!;4YyvPy3%I9v`1bKkpn-b$I_aRd{w*hxf;ddg2aUd9dMnTMt5E4L1N3heQ%V zDdA`ruJ{4$I0TB7fN3nc$6y*ocOeHe4*IWkhQE{;5s5wt(l&AjvXJTIz3NPlBG8Y9 z;CSPyf%m79&@8xdA}<)~lUR>7`8Mai?$r?U7sKAWg(z;5#K^j#O0CF+6VZzz)?b{=bN+(`AHo7 zJ3I&yM2W-U5(fbOI_{iQT+3P82NZu+y+}&>IHtlA^qJCXsFLp^QL}8Y(&$xUC(Z!q z!gDJE<*tCe8dXIIF?eiQ^Q*)0fa8jJ$k@jN z*fTc)fBrvRZ^2b^Mf-yZX3J36d9=#YcPUky*IZSvLavvHyRCcyM>J;PZnArT->d1l zi-j`q{VOEQqEvI4|6uc2M$(c@D-FPq;?0ZFFffV5^Q-udJx1REdJDGb^L1h4NFpqe zX;X2GV}dBTFeb>o%JNBtosVvC@u~kZdq0H030!(|rgqVv7-Ht zh_ST?zH51_?&nQ84SWQAx6%iP#ryL%@n;`xL|q>22kEb8CmCKPj$buBDnI4{JbtV1 zW8cdM(9^q>WCw28_>90mK;_Z&x9!@-<$&Jx%dTz<#WPRRdidk9@RoZkjkiH(*KpKV zvB&A8a=*V-4m=@Q%9vp;ya^PvilJhuCF6x7%P(#P|I4-;}$T4+!{ou(RKhEa&42&_lzg#vkEvnL;-fk=Ld>c0cX!`0DiTNkblX7iyvh`;ME3 z)Bt6cFblKWk*lvN5iwUYf`m~1LliMyyT)vx_aD`v}V< zgFoL05z50d+c-!4El}4n^iw$}$0Q5rbp8?R?Gtlm@=xT= zQmz~lEZC_02uG1U(PSkSM96a#4C;{VQyUpjwa4V6-ZvSQ*b1QEy`nv*ZSI2is@*K_ 
z1GBXPi|4z3>~k1LhICDnWt=PAw&>HnAXROnc`c|a0eWey0}4XOh8@8c?nP#@-NzNLkRrNX-u}A!EGcf!lI=3CUL4Y$BqOU zSyiB|$oTp&(p`UcnC0!|+46|~fsxHxy|vZ-F;rW*L?Xw9+Lx4g$EBeQx_xIiR43FK zVD8gcyiXQc2AliIRE8ncKWmn}S*4HVz9NWRFngzYZS-+R()Q87n8~n<_FM*DO2krq zTh9{y&Mh=VMC*|+JXHhb^a#_fS!jw5`r z-;A8^`rE!iq^nk6ecVjOeD!qsNRG4*3J0YP-A_){G0|PX&8EB{bLY!{F9*(NVr7cY zKKj{T^{aLV!v0rs-GOi|^~q;SpEcs51dc}zQP0gTI-bhM&*5n;E7ap+mFUCU@4~_~ zdLEm%S($-2^igV)1(gXx*Y{pE8=;V2q<(spk7WMN9ksTb`7eKnb{pne&)NG$Ez=+O zKi{3W?O7u(u}f$H;$jcO1tmKcgy_5gWh}eT{?Ezb>BMyH{r)U6{~C>Ov-0fXXaI3{ zUQTMv?<`z%1@$ zA+uB>X1Jd#^&|rFTVkne|NAS*-%1T|Ntl#Gom$ZVOJAE0r{dJW5o_}B&P_wE4VqBC zlH|wz3~QxvF4Lzx7f`}qM?m)$H6=wnE2jN&>d-i3UYLndc#J{I>$_Jm8O$zx7S5av z{q!`Dd+$=k0rll0zJFF5>mdQut~t+ZA}spX9(jofVsTW!&+cr3FHyB*Z1~w#xQW?e zWr16N)P(+<2tT)?#ehXzJT!!GB_DwaXB+Cy!m*ygyp%S53Z5!Cd~bz!!%z1I5lmj$>o2;r>lW^l^krlV5=j$GlYp+D?4`ezylptw{ z&rtICcGF+;Lg??p7AtC0`##t7!2XRbgR&LDbm9g<=&O*^pjZj}%}O`DC(&H5Q@c(v zgU+3z71zv)?RBb^Ck=BbPuNjC&sB0ZLvc?L(s=J^k?exp_k6!u#VR+^@}O z)9@lNei-y&XqMKO&hWQ!hjxAH>+S#ng79j5f>?r;)N&V)S0lBXOCtU<(4PuZSRnP( z#CwPXe0gRHf4;BZN%+^RMm&km!b)PCfwzht=a^J_{gMJaN#ewZm(BZDzYQg(f{CwS z7!2XGZf9F?z&;fcPIAx^GgrNG-L#cyUyu5=|KP{qD;fe0j<8)|dj0PB-SqI$^!fDi z-ZR1SzM)g=x9I6)0W;1S_mN**4iia)nR|3w_esYR)wsYet9EgdhHGH8D5Y7$RYCMT%b%LmXZ&X6)Dy(|$H9<7u_kctJx2nVl zjUOpdRotm_`<$K4Y)>m@f;)DUdl}Qt)D(qJ6-3aaL9elVB>(x@x+FdzWc0lbez2XfdGz#zCIh_5LqQFA5Y&S_!=)QJSEP-mfo}+DT*!G9L3U z4sT%=2_jXe5!%Dt9K)-8Of2OGfvd4GA?Jeyo_;-xX9iM|w7fUhg2U&K9f z_x&Q}`RIy>?|VZP;PSgD+FqgPs@@OguxV6^SMq#FHTG2r!>PVPV#|3zgt;(5#Yw#$ zDMU%%kK^xYda08^_j7AY(YwU%wNMApklQLUm+`6>4|%q`nWfPdNZxVm%P+hkwQ0oM z?q)KALR@>2Q7-$n=G|9lb+2FYXH+^~(WPyVPpBd+f2Sj@H-kM%iS$xQiPh;t-Ree8 z>ahtPKMBi`$HP&`?2vPE4!8L~&2pBYoQ=uqKQR3r$k3Q7Ai_3ysJ951n&nV%RKzjx zkXnyI!*AwldDRrl-?YN|BqGm5T-bKs!cT9rFl!98|GY#}Ly%M>ZfQQyWtdT*jVZ17 zt^BpoV*n8_9F;$1Vqz>&^i8W>`Po|y- z=J}zg`^u1y@V7W)ctIV}=E#^o1?Y;XcuSq&JaP)o4xod9wk<#>p$z?|ET;5zc#RU# zqQW9Y{qQ@m;?g}89MkVrZ?B^4sM0r3JtcIGO_=4TLJjx|V5mY;j*U@?+9`-|gi2dP9w1$HI2D34H z#3fXY-_k 
zHy=G`1PTFp>sQx8Xe^&YRhD)$;FC*AA&3?WsMSu@g#g9!PIUYYtVe+$0^MTizUcrM zL7vBwiJ^eF8q}{nn}VQJ{f$R>7#3LjdII${a?4OPr zq>~m6{vU>9z&8LE1)YlkQcS>=4r8M~p_XoGy5+8FlzLA;{Sw7oeLxb$xTIekDIs{d zDe}$=f}gDy*yI7xLAt%1Q%S7F zkLy`XxolHcQNb1Iy$L2=`U-t?L$Q^-qNC%p5Gm5$ZxT4emKBH{#5R$zghZ;)SI znla^<)03uFJKUQ$ZMNSI(lyl#xK+`=a(BUc)0jbOMv(pdPZ)=u%1#Gflne_}Kr*lW z%1R(K;|i+`E}rZPXGlQf8)I2`i*Q95b(8`re}Sak$R79MZYzA*Ko3TV-`^^^4^;*K z;vBa85!9LBV#k_X^}3~n&{cKz*uF$Ct=*{sQrl7(Uc~6hnb#mb$%P(ug-Z>wV#;CF ze?QVJEtceCQ&r5e>WKxEB|qub(};a40uMWF34u*h;;6UM`HlgqxlE%L3;q8U_$-nr zES$|miW~x*md`sRrH-5?-QR}Ob!5BAsy_CQ_UCI&FMsW2O3$k6>F3O=Ko-;C`-%Hv zi4f-W?J3a!Q8V-CtfA4U7i%N-$)vdA*# zUr}Kia69t7hy%rz=xJ+UnfPfZ0Hbz!tM!uHsKc9i$ZGBtGG{ZiWcHQh2v)lF5&w<8{IE?Q% z1csw@^l3bMJ)W7%6ccBZx`)$?te!^6+WE9pavk{lYRJ;J!wi+8i*1*kHlAO4Ve}Z| zZ4l&efseeqt$o?-asmqvfuDEPV5dB5E1}#Y(C~fAE~W_I14&elRbsY?)ABh34iC}) zOX1W)RMeWDBR2R?8qY*WzGnGOI^rJP7TuO3iN$Vo$T4%T4VA5PNNzI@A<&nf$oTQq zP{geK`zPr=XDwd%JSvs>l(?CetV*~mAI+q>D#^Mk#2K6L#8bc%ZfFilag};oHni+Wc?tNP?3Y{;lHjMVx0**(o-kJHTzfY==Lbs1C;)B zxz`P~czM`{AHUqI@oe&Z7kKO5dV6qudCR5ZQz{|4-WzMCOTjo zADz~ozonIl9K74_f@BWjOUR85dc!hGS^8(-2=L73^oIq8AK3(rBn<3b6>W;eHL=rB z9ibi2B!6jMNOK52yb#NifBTrftUh5%H-FGqWHremz5E`{l_0zh7nBg{{}M%sj--vk zHQ?UMd`A5#xGj%2&32Ih8u%t%+JN@Trby+)UKQpGm1hq{jPy9Ls0h~x3>})05)`0O z7$%OcVDxZZ>w@lv^e99LfFWWTs4F6;DulT@W(EhSsK)>Y+Yp|Bu>MaZr@vVw%tlkP z%{FT1X#FsjGGqDe_L*SN(Ct}`hx@4)3$8sa9ogh2Q#9|InxvSt;H7i{=1sDdgc~g; zU5v~#>V-d-(A8`hT9meBJ6{3W2C4iDHixu13+-5uIGX-uy`y=>9nxVP3 z+}IJfoU6^2xDC@NgLl+qSM{d_Uv2f5K6j9g4z7%aIF2)r$Pc2g#lSpXsO}KNc+(q* zhl&#?0fbVmKk;Mv-lw^-V5o8p?aGIiU&)Ur)aU9>tAx%D>AP%7+(ISygwvVoG(Y_ILR>y zNvVdvva?^bl%v!8n}NsHn3LLD0Kp<{;~(s8Tym~lA0ytfx`{h7`9%sNvX~QQoT?P5 zNE%!~9*qKVzu}}c8B;`bZ)R(hAI{RrfshUM|BI$>XyvuE7H-f0PN}su{?VA5He?e9 zOA!w5h$)9{IQ1I*N7pH~ndNtDS(NFU6gP+{wyn*DHA6HN;&rpMyMV2_@Wy=E9WaA` zz~lZ;#P>cf>zu1PiBB1Gg#{tTJFikGW9~p~t8kKylfvWE)J>b@SF|8wA1rE$F|{yx zjUVjAWJLp2nRF0MFQPGZ|I=yhVpR6rR~X9zh>&ixM~5ACRQ1;pl+&kon`Glx&9ef7 
zC{Gj_`;{BcSiS_Y$n$eWM74ceso*mr%;nGIyWlFD)qwfAkh~=0{UPD(WA}OIfC{vq&Ll*3#EhZYCl0DJO@n5wzKhBTaGM>RdVAZb}vSM+)>O(H5?D` zCbdY!OZ=pG*Qn*GdbkRef1z=P-g_5DK@4YC;Ff+%QREE{3a;e#%=IJD?c0F@)Hyxd zv}B|ASU#aV{|YKHPWwTdGMO0Z0II%8hQh}`@>RrH)|y}NUP$8A!4ku%O3Zm}XoNZ#-2<@|kXRo0IeUhT52#mrY} zFI{}ktRL3{lN#Jv0Q{JZ$V`Ol@*FCPa<9Fox)olJ01^Ediu#mEPLkXwJV8JZ6j+Ml)=rgvVz*z z3wcg7M9~0>`1ltr;-2@N+e8`uP37aZ-?PDV!c+awWW(L7vif;O2#1RAqAZd~m|@t* zhRZG>f$=54FsMIZj??6U86pU}{~uuVvm7bt+MurnF#4xV39yGJJB#gYA~OK!Sbd2Q zX-e=bTunBTS$a||{^Rq^2ss1k5J?3QyQNO*qL|BM7tu+QU3!k_eQD#AGT3C~^7zkRopcs5pTkC3$0HZys7H z-`W&$+MLe20lea~CnvA=Tc6~`%<(stu!qMaA!Vy!L^KrWHYJw^iT;GJXCRNOh4Vhz z@2aHQL4Y$NGG>UPv8#j`*CnnW5t15s_5@Q(8vl;>DUgkXb1M(0<*jvOnW%i~2V-;Z z=VNCOeKx3W))S65fni;7rzA4Nx~^^R!z}g3X#KDz92`&2O{xXU-)Z^T8F%SwWR(4W zCNB?OwXRe)=2j*j4~q^WiwMu^?QMVUu_qQMPwv_9sf>=#7=ESPA_=-X4fR0oxckLb zCRP9MUZf~cTu>`KZSMrckwZ*8=BtQnaY}v9Z8_GpN%@SN22z%>J^)>^!U*^A;yZGY z+do;$Cy~IzNX+>Tz_!mVH}hQjCM^H`04tzZ0la7Vr7fQ9Q~m(WBEE*@RImm`%{w z5mW$%$?cb&rWN$5Z>1MW=9G$@(YORqT2{+KP5?Ld^l8HeiWLd-e#w*ye@clve=)sL5P`q$UU=?&68nK`RM`MG+>^q2(M$IWz` z1aqk|7doYA=1i8b-0wmf7bKB=G8n9qd2|;vXUe!9Aho%E7AVDntWuo!PhFb@iXAW~ zXunHvjuJ6N+6 zQE6%6ML+tYDj6)$|Jg(neThnELc<9FNJT zB+9a^ah8D3BW%(yn>=>GTp;~ksk}vywcYW2bSd5egqvK7cR}e;5CdiTT(~2wYb>H( z^^r6fa4wDBA430pY=go`uq)&941hkNF-c0$R&{1}#?2tv?ttL-K1+%oC}kV0PG2P< zxS-o0dqO=ay!{CjzFA*Ko0-mJW@jTlmbf5rF)q@X`zuU;*$*yG10^Ac#&2HO{X=Em z`R0Voe0sE-IMBVLb!JRnq#6rSrLMy{Sl{O7XYhmLMfE=3t5x!Gd6b#RCxcf*Cmn}v zJ;VFgj?g~G4rx06q@rC%kxzlT!O*rwKcsGx9~rK!>QnrqU1IGdonZ*Prot|F8EJKn{m zG;QX5;89D`rf?Xr>d0aeGk}JfTH~|`oW-; zyB&Y%d$JcF<`X!BCvEyWCF`$7K7r)Cn==DBdVj$O5?3Jt{;dQe1>~rGF^l;_3n151 zzPI*kxV5a@;eMe&Ex{Y0WE=ev2aYGZh<^R?-n~rI{VQAafu|m}E!?AtFvq%XgzACC zu%vXI-_t}$UZVy~#BGS}(s(w(N)0)tM~na8)&x^(@iAh={BLW5O#J|9t6~~>I~TM2 z;*P2*-)nW2#urld4R=Ti5>MWmS^;b6Y?BfqUJm6kC!Qf+L&G{TavO5YYZ9)bLJ|0o zvRu^KdDmQqZ{2N<4xPang!K3*IBghC}jip`dMewfZlBIpb2^RFh3p2pQv%g#;>x-sDNjQya{grp$0Rkg!S- z{8PH*w+!SJ$C!r%+!sU-QZG5L!;4ZSRLf(_UKAcve_J zAfvWg{$FT`Pq4Pc=#wdD*N*Z^z@M;sswAGVdT_6$|!@G 
ziL~B3zTMBqKB~`=ekkTtgh=`NVQ~QkCFohEj-T_`>+;biwn6_EdiW^=yTveW9|59m zxeHS7S;NuMeHoOaEm;D_;$mrwW_74hI(Oz@3N}ubB+LXuoAucUtzNv$d%!d0BnA(a zN(_-K_}QI!iRA`ryI_;Mukz@}uE8TWW}B+6B7GHk2=P=&3{S+2JPHdB==xeKXdifg z6is4_-*Uc=`=)`)oB(rQS=>!93fxIt8GlRUSAW0XDpPO9%{pM>GKhj+I09&fYr zBeh@A$x3M}oi7Cqsdqqn46(*#d${qOz& z6Na&iry;inMDVa7-%!}Riaz?U9eE!{Sv46)L1utKQFs&^HlCf2a_Kq)%;4w-F=37> zQE$?bx;yzszp{An!Z@meu_td|sYMU#fPT%-amq~)B{p1vG%}mMmhG?2P-nAwoKp4T zy?N~sIGqyQDSEx>At~=SAwmUDPgqmm zbbvgp-IJ>#sKK!UA$}uo`CuCzuA%h1{x)_}yIs()0C2^WAw@*no z8mfKwYYUN$Fj z8LnHOMCgNuayLeuOXw^fof_kgMnMWH&wl=Uh(z;il)zYFAS~-zKh}QcM9Qp_rGnNU>{^04U9qI-$q3 z)g+f7r)2(X)7y1J1N;M$CfD)%>+~e@*&=~q=|DC#lFUKyM%niZ=z_sU8S1$fGk8W_QUohYz4rMku|L(kUY!q!5Ak=j zw6VGCuioL8@OZSKq?(<*d3ZlHDw{3=BEC6hbFX*ZniDazy4`61UMYz|aS@ULyI8`Y zcw92|n0(>^fkD%tc$&t2#0kBBKtK;cV6RjMMGw|1}XX*ijSC`2o;<3Gt^X;!!ZDS-ANJSbkr zF*{sb10naZc?$^5fv;MWKN6V)){y+=|86rr{p?2(EB+f($}J0) z#i5W04`o@QNn0B>SXIY^_Iz@2_SOkCl~b_XO)cXanuJg9CYVtNvx@=%QPM1Jfm6RH zkmG2zXs9P`G@~hp=HU*9B)a*z2K31VP{%2w!wZ>T(Fo~rlKe#*IJM*gr^N9l>RN4g zv6o@#GU7pZ`kXR-!mU~f6qqaZ?#^zmpO|Y!+TFkLL!ZE4aeNP%m*1b7S>i$&=b#uq06oV33+#A0lId*cn12hcvP&rB6^1Cs<}$n)x%b2sxP0VN;Qx={9U%-(jQi}#H=q%0T!Et> zgg|y$kC*Qsx!LVSab?lVoI(JIp#?r$95cK_Ob-k$XXbhw5{@=bpx6lQu%&f7Y4{z4 z+a;}OOFt@|VRebi=mmgmpKbP%!J4I#D#zua409MTPRa|`AsNeS4XSG->dRc5;T^{P zADGc4@T({uP2TF67kp5vgZ+%Vi`Me?)Y0ovv~oHPy7q362KZ5G6H(_Pxlr(>6){OV zTsxH2?TkwEq_{nR_~b>~&&?Rk#@HKN-G>RlRujqB(}Mon!&cHO{z~=p46sB1uWL=GPOLK(KBh@ zzBPtq7c}r($)k6?dghT-AJ30UanR~xGmHqC%VRHQkKT<=GD}-BFv}`VBM>sU^zApw z0>vn^qX7~M0OW`?a+lA%3N)~2KxLz5P{1#JA~A15C8nMM79#4TCgPTPRNCne8<-07 zuM7c{$ADgvkL$wfQ_-tyD}w-nRGl984EnUQRLH$hy{W@2tXrR+s24__x0=OH%F1p* zWc^68hh=bV%wm4~g;=BHB#^h}S$8dJ_=jXzDn)9t#g*2jxguL4qNl~Hk`dnGY^}-R((OJ$ zokR?f`xV5viQ1!dYSxQOd3ldi|WjD#VY3VU0kUs3p4p+A0coAJOPRw46(1{ zR|SQUjUL~biU%yuc#t9lEkq9!YJxdT3lCWfL!XE5xauZuYaaD)yweZGCPSxhKOi47Q z-BT@fw}V|~VJbt5+Q!BzPL=Bz@^?#N3dL<0^Db+?s!j@rAsey z^TG|MO=&DsJ=~1lsbO|glZzqCG6MT~ve6YHFA3!9{G#{i)n>h8LqY6$+Ygd;)#MIX 
zFw+x^YUIK#maR8zlJC;Yk%p2(+t)@1Qs9?y{bkmJU!WGDF*3CYa zsqBmjho3h^yvxXoJY=D$;i=VAnSZ{UsD`V3%{(bzkvx%giVORJC2G6#nCzk~3d4dwRu&yOufn(`XJB7)e5z3*+5ySpK zP4Dqj|?zWL;HkB8PbG{#|={09ER&G?JU!Bqr8RKTJoz-bk7hh_s! z^VBtI-;7V|KlCLYUAxc+cCyN6<#%q#A`R%Y+-U8LIUvhtQI9#&pAdEy<>%M5@r7B* z{_sru;vUs=9!Nd?_hjnPi@DKV7H~&5rVr^*Cmz*Ki$M3%S)?kkK4oMW#^%jpvKH;~ zP(RoZ-ymi5>6vR#35s9@fT&guXB)sETIQ*Ud9-E|hCtdjw)HHY66dK@i>zOlowA&2 zAh%wov*Ar=R{OTc;jn65B5v>!#JjJ=o9N?1pHe zYe7-&1(CvLu9EzHE0Wt)sObe@Ih~t;#hY`L^a&(PiYfs6(Wbhel*XW3Yh78&PARL7 zS-EITJ4xv0tBx%T&HvZjg_#LJcEt%kYVBq;onOcZA6ggjL6*w~wXe~DFpZ)-mt%hf zuZ!qwK}4Hs=@57$P+l*Q-?%pW0twJ~&-8CbFAne=5g;Xnfh_g}>usjKYJ7qf_dWNuZ1tH z7Jl?!L$a~oxY~Vo^8^^uT8+{p+UrtFFrRz+hJJ{Mlgs5?bf>-9`*}m1!Y=VzKQtF& zw-xK=tnDBBHkX zpHhoG`zJOHVS+T+-5=KlQx%2T!l^T`a4p>*a9rM{;?``bmxdCboFJ|-UWQW1E)S0i z_(trnq2zF#I$Gj6d6%rQb1RhEhr2VdnI?`>ry!OIl1R*Kys#%gEQq49G0uau)}M2& z!5EV#WHwrR!gO>{(x2@g_oi)VA`LE$Ygyo`OrrUc6Idq5-JO5i(G+~S9#(6bj@aF~ zR9Tx*NJ3LlL|6hR&tWkxoyscEzhz(@9K7R%{7zUTqPmZ5DDocAqVjACqEmB40 zblx!gwdmKA)O-FLyEP(xiD`%bcYO_km3ssYk2aj7ldD+@WLPiEtyrAcE!Y#{hQTc)rB z5!jV>W{?B?fUk}#1~VO(YMtjHeo1cLwS{wvVYb>V)fyo*8Lo*!SO?TrQBh9^O>2hQ zdzVjfWu}>>pb?gaXe-f>HUD%EYJWKG4|YMkZyj2=+#Wl6s6NjA-%9nmghf0G<~`U5qO@#_88MeIeHagNw!t{5SBp?31`h1Z*fTUs#qw z?k`BI=#b!Pa?Pfz8OR0sGrNzORGH<6G2>LCfN; zEgFm$mjIC1Gg1t)_EKdDwPacoitt_P=eEPo3W~E$#)FBwKZgNJ7$qeSO)8?Yha|GsEYLdlPI%#P{Z7X%#?Z%#1A>HwD||IujZeJu|fI%v}0r z#C03TrAfDbACOoYy6dEt0ZmcTt%-&XD+|$*%fd`f`p~JHjD(6fFNyUcw3-3UJrtY2 zQIYsktm`5vG878{1P&OE(~uJ_xM^W#IS=XQeZ zuicRZsfo$J~W~zZD*^a zha49#B_(M+$5=S$$;812g^U6JY(f>;azEt7d*~Co;TOKBhv0p#Jr!(Ut-e{JXqWizM*Mp zW&no7Fh;&+(9jHUx>(@L7@AN92_a1>Y#kR{-ZE-c*u=usoMWa}khTU34S5At;7l-8 zwEr%2d0ea7j`${afaA!oSiq=mr{FsCE(3jD2^zmtzO{JnvQFPbh|EJ zm!!^a0pg841g%LLJC^#0l2mDJ)ku{fhC)f=(>6_mAA7=MacQRm(uSlR%YZMK{4>A`f0LQt-urQ6|B2UNbW6`Y#KJ74?+7Q_04f!@I9SEluYgayeWK$~mY_p{< z{igKOOq+X3Z9xMg9h2ZL{PEr{Pojk?W)^Ff4aTHv$`_M)vwoZKgXOPU^O-+&==DaV znKyr%l##URB&nrHQi_Y%SbXUU^-jloAmucSNe@ZOhsVSFEuzGob?X9AT7c9xoPS!FADi#Vgs6p}6zJHtc>T{k7QW 
z`$rzTrdMYIpN~lSSX@+$RxygR*GJhxsnQKfR=9HtQ}(!;XjP=wjyg z54d%u8a|x1G!8zEgidWP=w5#JdOfxL5up>xf}e6}b=)w$!F6P@hD<&HSGcKZBffaY@})ci#q0F_n~{ft6}jv9PFf2JX6?VZ zj7^Y4iGYn;t5MsDZ(Y4p#{+ zw3MEn+?73}Affgvm-QBgg z7H81n?(Xi^;_mKFaWC#x+?~PQ-Q`aEex>*CtgI)QNBa}Nh- zOSNyULa~14Gi?aM#{Rv}!lwoOg6dt5PxyZ4h=MMqnY3t)eGk_i?NdJonSn+vzq~>* z<6OStx~=tJ&^vGV!ftErK*sJ|0wkslbo{jD?MqiTqo&bq7cXy0(Kiy>Weg2Y8lvjO zZ2L1ky@AMDzln(kt`ioi#KN}D9c*&QA4e{Hgt=w2fP6KnzW3a!MT8Pcnna4y6zPd& zVekq3ZLT-}iWK}8N*-{wxLr&3OzG53>JzY!GG@B+3W)hlaSp7>pDB?=DWPYrUZd&@ zWw@sr5YYB}#>gw~*KKHd8t}Rl0U-R)Co7sH>V5%>$Pk#Ufc5W!MCgq82C{oCQdv)_(x|2hwZ+ zl{#J-;l1^|HBiixu!SikP?$=Var&vCOguhBu6)S55LD)0=cR@7r~?6bxMnvzQw_4x zxDV>mX?p8(%xy=sz1ZQ+BYL{HlZwp!p{c#6E^+xTh6fq%x5N==lGUt(91tr~HZ4_G z+owB_#w$;m;)e@b4jOBWE6&P?V{?|v8Y4~XZG>G1f#Y-T$Ij4z&doq^;70i+qV1C4 ze)w-j2G71O>jcBMi5}Ic1~6^Y9R}2yG7F|O5?|&fTW$_$#zMpp(K`I2rPw%yO^q>A z+%w1Xm9`(mN1D3m=SyQ7L92`r!-wN!xG4DU@C5InA1+%Je6(Req7Z}5(jTp@L^r=Z&FHHpEY&%oKO;a)}2dEP{lSXP;TXxB&W(N z2+vcLyM9L;BCQ9#TJb+p2*zU5eX=jLegoRZm{-X@wjO7feX8n42Qy5$d*gY!n?5&i zb{Wd~>9Ay>6~?;v-dx2{Jk*!{u_Ijd^dd$2p@K=vZ?Jd6O3>RGU_prXAB@RaH`I4- zty2=B)p-j~6en^>^;1x&O(Vtwl0V1Y5RxW>3b4JxLhAajp6RsB^-9N>Zt?LEoz&>e z={(ovOk9xzr>%>w@+0<+?JP?@43@ox-b(+i$*%G(JMrh+)8{sgqhSs3FQ?!7riUq< zsJRp81h+!}kmL3~g%M~a_Ts>Sc}gTeIdE@=EEHk5slwYVx&N5wastPBb%WCAFBU*U zw&vI>I?1y4E#Nppz<0Ek{^Y9;DTD_-Y;3ygO!l2IfOIbVS12#GPbpLh*b!TXlY~y4 zWh@eHXw$EF*li7chJ0a(n?ShtrdfO^iDDgWLfKg;W;ltG)<<@a*ZJ6~7TF%ce>TfP z)<@NywWE~T9+se^j#3zVKQtnjVSQsstVA=`GR}B9wAvdUp=WtsL%N+X{8|MFc)&Je zrEym-^w4yY>55)w^vQncDQ3YhKEEXDza1eov{-2ILV8?l$!k@z$UYJJ4bH}i8~2(p zd|h1GCn$}&!OX!^wOmn_xH`FqyUFOlqI^c!QLIgO?Ae>_znc^KAsmnL#+X*t8OsHF zt-=$@rXNbuSC+W`9tdAJ-31O>+Ix0>rrw%KR4q(6lzK#X6}Zy|@^(O|R|K`99Uc9F z;j5P4Fr0l->*_fH;}Jxjk{VmIM!W;mi*#5%aMz)2ziRnQ_%`kMj(6QIIQQH@Y8;GT z7@T_!nveDG8(MMRhIX=n?&2acZ0_Kk-Kcn4LM+ zN$+SmfKjo?1GH`1*obISIvI5GI`IeA-;fLFeJQSu^HfUn35g@!upe|j-0b+S`7K&1qf8aF`7Oj7~UX&#wNWa#^ zcSu}USre&4Qc6OAqF-5qrHEQhY>iniJVgJMYv8kp5T~pFh_TFAO*h7C1W{3lG 
z9@~Co7K$WooE00Cu!C0xsIsUwaSh$$e6`WjPi=Ss`htIkDWjKk#zUnaB!!myQ+FbS zQljby-T1)H8jGZUic--@pd;aa)nUA10|5$iBL$TtYye6=dl~&d`B4Si&%~3=&jchk z7^)P~hk4!Q4pi;r2D(gHbX}U3CRBW9_xMGeIvUz&mp5w36e^qaOSSMy-cFr8`P3Y( zqMLL;=1clgu(Q?qZAR4^$lw4r7{<9lAJ3%++0kc7?RX_r5Qpo zYTKOsnT5e-JAvZ;_*4Iqe#UVvj$MDlPtLaQX-1JmJSsw&*gjOE8&<*t+sCBPvVV5J z^$<#t+x6a{=7}Dt1~yNJk`FK;7)Sx)(#Q)3Rhjd-$At;au+;g2UxTBL4SM2H3VH$r z;7e7qe3&n`_UM}OE3lL%t}Z<@`>b5zEIJ<%;bVbiN!Ux(h2IkZH2yl{&2T=VXN_KP z8kLZruJ=_|F_&8A2QU&R!Dw8lj4C6!`y5Kob`tpoQg&7T=%LvJ>Z8dUt}|TOM$@Ua z-nGp+1gbZv_Q|m-Nl`_|=}uJ60A|}>-vgD`aLFVP8BJaRjADYQjKAW(Jc!C1@Cfck z^2{^p&*!?~9Dda1rp|T0v48_llk+2UDz*zBQnG5rxs%4M6St!rBDquM*wD^pE_ll+ z)mB-hLUBL0ICZ--*tdjit1gmqdQ7AI!y>!jzd6-o&215WU~&N_c&`U|8*d`mkKjBxtIsrspLUW<~SRR z=T(F|Sg^fud}lNJi9gL&iT4^)=+yu5@%DM`?yNB3kgNGbGcqHcw-el#%44HkQtY-S zs1xlEe_iiDX+`x8B+CZ5t%wEo^R;@C8cE`c$oo^oKF@2svxxH0S6};w2WM>1E1)4? z0pS5bdR*|T18WCSI!cmc6Pgx^*TU0r-wvI_wKR+DzDm$1m;s(vY+m!1nvo5UG};$C z0pIB->e1&tJEsDS%HXxsv=h%d?7_orrR|=G3M&`1<2!r zv%Jr0)POpfhZeL*XS08C{DzeQbh$;g;(x2!taWXbAHHVDk2r-qp~V6JRKaEV4orcX znOON6OML+~3Nc?$k$)P0b3RUORcnmuZ;juX2Bh(q_wejc500p3R@=dq9tiNx9HEBZ z+9nKo*(%CEf!SsjTJC)=`$lLmPoe8vL7|w-@r* z&)ekWnlw?7ahTZ=+N06O*RBatCb41^OOfSvXZCI_{avzu10ldECQN>>tbqgXJqaoPQg<_QkDTOo3tZhF} zGG0!_QFap`gM8r=ay)M@s+e};uu+IzVDXF58&=N`Vw=*Mi_2J}v~qrH;ew3ykE$Ez zW;jt=N<}3D{!Th#^P+^#8c2GoVwk0|1EA;epiYX+)IGyqL8zbY+{}aQ&Y=YO5IH2) z;CN`avGsC)-6dVBVFlh$w9bX;%(?*7MLs*aWY`qt;D6lFYCF-*3jm$?`GmJnQ00ZF z$D*!P=M2_nmhp0bd%4o|R9}5W4!;XKa^h1kqFc=UCH9Vvo@Q;~=you6wV{A@-26|{ zLr|pNaFHJ#M~G=rcq=>JLZGIkF;OHrJluAqsXaiUM&BiFM|8-??B_pRA`+=CJ;|L9 zuXV%YP%S(QcZxSK|Is|@7u$-fy-%ERXQHxI(v8is@$|?z{mdV4kZ)yewJx7BxGX`} z2vvJ{mPV^apr;u;ACSC#pRP#{RGgSQ3?IR~a{)^XvcI6_3M*dSpwk|}v_rb${2gd~ z?jgl1%w?Xl2v=?<#?uo>WG!%fXwPxp@+Fod!r%%D(=D)XhwAF@|B>=mhpCf$seKSB zzgb(1GrgPJN&WmSE4S+lztmllyq5rHZ`TCko1lh{Z9hT>>VwZOYRWz__-DP1or|z^ zZknspa@c4k?A#e+91wVfl|a|v;L@))XYP+Zs#W|zLBWVW`xT)zLf5d6T?auyE5CC= 
zyBVbrZ5oDPSy{89;u5YaO2x!%YXt6B4urfFxOj*97hhF|1NijrLjBPtztXd9xYq57DInHp=6E6Pb9%`qrxAfu@k$j_ ze@7Hx3a3(1H=%iPhR!o_^`^r&%Sq~0A6s@>yxF;96(-nfj`R?Cua<<0ds23&KMGVO zM|w==St>YAKcK?pefJbB5r0asd|1&32YCnj;th7F*Qrv`7!#9u5*q^#+6k7lG6oPF zkzTT-c=+3UX)o~fG~dKfGx0Vs_-be@G7X2^GFcyTdVQ+eXkOtvJoalDpFK`dh?zU6 zoi%XMS$gQSWk**vHu+4X&I~0H?K~jxIIYPaos!G-CvPMO`o*VL4%eP|>wBEVV#`=+ ztcBHmPXhrEtd!8GYi-#|Syta6ynrk7FU|fEEj8fNDmNhTd#-E_#0EI9uGQ%_L~+sL zz_?LjcCZRucYx*KiJsjQl2ABP3O+ih@=K)T3jSA}gtM5hAHHsIu3)02`6c8|E`?+r z>5hxQfU33ZbdjZTOv*$%=rzc6#P6?jlYyNA;a-XY;rGZ%P{|R_0DV`y6NTB&)uXS~ zSNl~6A_AszZXGC9+-w4K%pLt&dOm)f^u5OGw|DlYGJd|y+LLSW){WYTP8VaSLJF%y zPM?GKs*A6fB8B?&-?$*BuWAzn<`F`D0(K1x-l*kHk&TnFZEE1hnaL^@Z8n=KCv`Za zGNrG6``aiUaSXDKjwOl?0?-8#Pfi@>t{fLr<=GLpU-~kvK?R86V5`o3)1!{ z7fS5+PXLXJhOCyV!cz_hCdRU1rJ7qYDW`UWWo<5lSms=_0l{w--b8lB-dkkUl|l6eiOOkj2eOy0^(fN&hp z9#o=cKijj~Pd!_D4H5dbTb#wm2!Xiy0}Q!AjQO8RyvZR(N$H(gz6a?eU8(_O&!baK zhut!^!X@o{0;}V|-wQyFlK%U?Y^piv`{tnUUsU7u(n(NIRln2Cc#w?6+VP^}c7F$s zK|z+(`sUpLxu_mA7YY8edjfqADaG4A{mTH6j;MVa`vwUBg?{6RIiXZeL}(=@3$2M@ zWc7a8fyG(u&FeIkSjz=Za- z^y5+3yAo-OSPE6236|zYxp*Jot|Q)F6EqtJ+|#|>T|cnWy|j27TUx0-Kc0KlNsmU* zy)0dOy{w1OJ;RXVt3Tp-*@}NKjv;>YhgX02APrUlFZd;j_|1G#QJofP%Zu&F2}xj~ z8Q+Lz5v5+^kWNoRN6eeAf1M%t_+(J+OB7J}AbI_5De_fc8}`KGt;{d|XV#?W`3j+X zodC1C=8K;)=GeN2Qe`w*!`NV%{rh=#t{tab*9Lbp4g+tN;D!Zl^-#CF>=wBz?$2hg zDJ(81icDGSi@2Y`B_Z|Nx<`EoLX2ybN2* zDljeICFote__|2oBZ>emk8>?Sx~ecS)%5-uofFEu;^5B1FXhiEk0rOq93}y?lJnoQ zbWo9WIjk|Ou-Ne)BR=mhv}|;Fa8*QKE?M;jQcdBzKC>x<4phvOjqnW3Bou^XkZMR# z4zEIA`6dvhbLp|j=ZV&qA?$yabojJYtkk7DndW5~6PCGcRW-9?DPeRgq{L7NCVDD8o#9Xq2hS8!Vma(smD-N~Z z&@i0R(Og;X_EU-qOWd2A8@-(;1tl0;i)iBJ@E+W-*BQI`% z>5}6de-FMmTrW=`&B!XpitkP${1@}zdd6>~0hF~zdB;@?DM(y+PnSD8iJ)UIE+L0G zaoW6hW#5we$q-C^Y=DW;&J zjx$TS-@l(`ZeOP$yU~Qer`qQ20AEEpEYdj)HlZj@9VBY2dRqOT@ZIeQ1l8PQge{7ZftC)^1F{(-x_rRx z#suijkD)M0uhFTkE%M9!m{=c_D(h{h^6NjNYxA7hq79RUt9aSbr{2;xzuBH{YxTIB z-WcV5X?WZMUJSAx+1(w3;I+qxn_$tSQb6jLwSnEE3td*JWbE*tHjJZ|ng4_rR6{VR zR-lW~Bo`GdOli$l60eHix>CMD&!>an 
zXk8!!TGKMc)1mOS1Kg%C;ru3rrcbO{4TMH&C;JBa;Ya8E-==rGCiIPdbbY=VClFbb z+(>fZ*z~1)nc})QSUhiWviCHx$Of7YP!wEb+Dr+dfU8l{S8yzcOMZp2?bK85BvliQ zJo}w)(?yc^=Hi1-5hVVlFzuJ@@%>73RiL}DNOYbhI@PQsqBdHGg^%PH+h6-d1(e;~ zCJ*AK@o$w>$~)CrMtca}vLn;4@^L>aW?+_zw0eZPizcfoow|2@xJ$<)|0vq}ml`@v zSW}){h0tdMBi~KNAOv+0;wF+AvV?7u*@Q+CWG;b>JjBgWhJ!UbBCHA|O1E_Uz_hRP z7vOw{$T8dz1N;-k{((ORlM{PuHqCiv-A17xIS}Xl`5gHTM*qv{gE_8$;slCZV_P_( zpD!AQ^wL4U)DNp>+ksn zC))hQ@Jyt&v3?K1p>YtkAUhBog-Qd4OVMuiWEgMsa?TCrPV=AXV5>^XE1O!W%4n*f zr;~&@=BTU*S*WwL#P@H{MnT2@+<=%PR!fpO**wmtJfWA&mOYBSA^lET7iqll+tnl( z^Fz?h8$UTzw5Ct+rbG?Oumzp6{6Q7YpDpNk^=+yJdM-ddJM2HVVJ2X2Y}12y;dgst z4v2wJX%MCeR$pQ+_*8gy-LLm=BWDWL}P#;uH-1RV3r zMCLzzN{=5^gF4={Szh3O2)p^6IkC!GIDztZrpkXBkra~jI#%4XtTkpM%45G07glw! z(QF%rKrO0-^=bAqZL|5~V}oeU!(MKTxaM3q_HZ^!Q{>93zF9Awn#P+oSLVK6KQ>W@ zD{is}pBE!reLo_2AS6XsTPCp= zym&*o{?v)&mhs^JpR19(wk!Q+d{$(!12Nsc(NRZ!S1_x5-f@*?XsfAhn)TFqwn#-^q@Al}>rG&`*#Cs}k}u^bD9xT9c;0N_ zV4+VGSmwqcXh~kU&qze3AWl+ik|)>=|Kt2$|5-AAVg-u0;9A`9EY(OAww{yDebL#; zLu?pV%POU6H}9R3fx+y z$lZOcc#<@yi^H-sI#mpZ;;Mrxv>$%d7Saf@xCvcv2m1g>(`{tU=M=dOe#bZ`zcZQ> zf(|E0;8BJ{<8HrF4O_4*+pv$tb5czuQ-@3-Vn~bJ`u+!p1Q|?)Ic^0`6D=TJ0LDa^ z4w7IPqz8o<4@JhZEoRMq=+h`+G&xM#aQ>MDOURL&_TEieQEy_MSQW3o`#4Jl6E;pi zo{P{kKC)@MwwUwA-vkp|l+@KdA5VgMI!t?s$Lj6jV0klH&0*|Z2U!3NYboMn^Or@$ zLeC#vSPZ!-ssXZ19b=LuEI@nc<5BQ|*xoS5ksGl71UOCCi02I-*6+`Iqxs%N~Ib0XvBhcVaDX+OafzQ;W&)u{0Z*=<;R}W?7>|N?0rFd;H;OpJ(#l* zDRH$8#M|S5fa{cF$K;s{CBYiOh+GOWN9G?JrJQs2 zyB;JQW8(3SM&cMvaM5i@Q|~+Ww2unNhffTz+l}*uj-> zgP3svdeE`c=!NF=&RU?_4Zzxu#P`Pr0C&cP0K?~w-j7sCXf#0u9h3=j50)_5FdicC zbYBR*GX7NoGHKss3Tfh*y(Yp)ywHFG!h< ztAgwXZPh1~21-qhZVy+pPuB#4HRlm!vlcLA;(iB53=Ko)9hHkK9Qg@Fr|rp3i10#> zC##8A$-})TS@$4=ENbth^m_RgBI+_REX1Gu6zG?)px2f7iA=~9t0Y}JNDw^EqKfEv z*4dE0F-Mqp;lpg0kdyy0%YmUfPJ9LR+}Gbd*GV-g9nE2qq{o5wX(YwsvcTe!EX^iy z)eNI7t;@BTRJjH+o~%xRRy6CeW*%}lUXJM9qTS^M;o@D(p6H=%&Y7Q+Ui9b$eBM^< zu~E)c0~0uZtaGdQUY|3WKe>?kF=Vh3l3r%C{lPy65g}RauX*E8uN$d@xnUh+!deRBv2{G*^ZV>zrhDb!S`@zQq6TELX 
z5`A<`hRVw$gx`M29Q`1u3%=c4f8U{Tai`a{{(h&IWfhJq%WoZuhWzpfobM3)^YU> zieo2_e56|^cdE3Jcjd`ajAUD0)ozU;aU(}JRh6tTFW4&BD5rbHj|90Mpa}iPsfrwE zl=qd3%1^jT)>uwXWg=O>!92)#ILMe!Tz1xh$gayy;kyDJXfz?#RVe;9n$Y%Dvb$+j zvbsm4^Q%If0ifGb?5sYmuoLa~c0rlN3?dH$u|Kv`L8Bjdd43MyD|rxN_T!^_KAqO0 zc08_tdnx!;g|nALSg^BYC8B9>NR+ISXu^V>^{Ht0d3IJw`nG%&2s70cW+QQG$sO7r zBZH{Fqhj$ppm6R`CjQWZdy0G zYe9D+C}DJ2&p1wU-4Jd;cwc?+$aWqv38^$hT019i(A4v@1UwYmfK)d-TJs~i{jFFa z@`rFAL9K8D7%74{l!9;4n<=X!_m3!E>rjui0L>2zgDrkD=SrKCHqZB8d0sBhwz@{~ zmTP(IPBJtm?nM{cxa*`r3Dew?gX@jHpapost{4UP4|9}edqD^Hf{dD`gy_Yh(=Fd} z%ZiF-41ll@b6;cE`zilM`z8{GU9`enTC@UaMm8#-wtVnCT~9lV|7;{>9U-!n(8P(YZ3UCm9+w z{5+}2e<~I=yv*(*6j)$az?=0Surv@>jr9c-O%Q~|fI_!~LN2+2=6nZ*&V0I$(suuJ z9kx`a_l^Zj0m@B_h{xu;^!p8;_+!+X9&AbgY;`s~#{o_k+oLWj^Wrv!-Xct`N zJZ_z5G{)A-FeZhlGTh>@%f@Bu7M7m+ia!G(u8Oc<65_6|Wj|+~Y#;ZZ3I^V~)%%XK z00O`KLE7>mWy-K5#IWYT2awZlQb}4G(P75f8MDIsEXS z&Vo1^uI=my9-=Q2Yay&Q?Kmj3j2BTAgYRESi>Tk2k5Za)T?zUQ)QJSR$FFQdV%2`vICxYB0W-wgWgz4tTu zy45}6$P%#+*wN84KNaf>db)ncDKQKxpvpLpJc$Ctv*fev7Bf*}q2!Ie{s^P; z@*t?hYo8iV1FArMS_SG;;bN*7vURQHf^cZB&Feidw4W*=M{gi$ehDS<2U z2$}8H(t2nEurUyt7`Te@*Ia0{^ChdG$Ci(2YT}blyWjbf;Z`WGckB`8BBJzTb_Kzc zkO?b=k}q#d<}d=-)nB~Vg5Lj~2gvj>G0yGBvCiTJtb?t1IYC;gcjl=#b`nJTp!o1LnBke4-$z;v;=h#Kjc~$XwMuC{x z*o*+j7IIo3t%a!_V^1|9;_^worJqGK?DyYCyK0Gp$t38xbi9QSN%f`j=naIJ;&6gk z8hM!+Bt^1Ob`%CFRSCtFxODyz9YhC2(z!H5QeBXTd3OLj@HW9pG}{JdQ)oetB0!^M zNNh4weg?S6+iL60K4mWWnHwf%W5^Q@w^I%YQ8Nl0cY&DX?a|gUznRO2QB`f{8L$w2 znm|=!g+l+`qC(J-Edm3Nfgp1=jfrE|TK}hgjP%-9E&DATy9&&qlnM;Ui0f=@FvI^i z$V&kSM4Y-h9@@E>%I z>Lb*NBG`9}==N`ax&S=i2CVA>+I{z&Gi*pQM;=WyDZHl<|4C3xA;E*Nh(VSm=||Kw zdAicSc6?`dfjE?MfdIARgSmkw-{auR3R#8cyQ7t5ZpE#plf|m%zIlPB5mn~}{!W;< zcGZ+z8W80LMT6NI3LQ0gr6O@qCTc!IV|nl}mKeBEbS#O1pnMUEWPXjg&Y+z?8N%Nr zM&zjK5`b{kNsJIQ2f9_qM+iz#UTj?{8g96IRCpAzBW(}$d3J9-9Ox1R+;uHz@)166 zhGp^g3Zh`ZZ5BqmHtXl z_4ZJ;8(FM(tu?(iT;*NO&}N#mP{D_V&$G?YN)Z0)c! 
z^T+WY5})aaVYgcC6rgvP=U0+HUzPC1k}#R=cDF4Zg`8dAStd`Sw#UZ5eRz=C!(Tgs zbpnSM|GsB`-AS~}oS|#aX0^?w_noSsI`p~E-D>Et4Zdy6L<>w==mTB!ha%U3Aww-q zCq9Sa#>Wenn(&k+)qN$TiR&(p8`2nt0Qv2Rn-^SEJ@X=2yn1&0t!?GqW7i{%)-56A zq&nBBJLQ6rIV`r|mw>85U=icsDolfC>NSVXV?jwK3t)Q9xoG4=Y1-A9Ic~Vo#i=OE zDBvSXMxcqYlwgvbETbZ#N>S^5kR{ezw+B0}l=pu}-CJd)e|rrOMAu*K$yH6DGb6n} zF|ES83`==P8VHnTaj`o(~2E{=DUVy6DAQD`A8eI9$+{iVFz-@CvY)|_RIn=#Kg@?78hL(g*Z z&?0V#<)!qt2%3WV_EC${N}I|{K3lcurZ(~OhfF!&HI3z}in*4)5v~hO;I{#Ae)C37uN6+Qcjkk+)(fdXL$}PmA~zF-%~4 zDcY4y)74HzFU$1cta3CEQM)fl~wo0KI$XN?b~zT941q`I2;V`B zOS6gQ>`kXvT2He4w~XY)?DfVl0;3xk)2(CM;{Y0s194HP&sPxvUTI4o?jgi8qTH6B zKHsqiZeV0w%R>5GO2CG9J)w3RVVx;+VOY!5K{8g3Fgd~)u?*r_Tah`eNvX0%ADy^B zrww|38B74$FZNmC2?0oE4x;id4o>Hn7B20%Laz9{{z11yQv(_J*OUieiW_ zYkppWYH3(YKbcu^KM8em@@P1<%V$mcm%bUxuyoeQbK}LDyg%T9-n#{@tT~Zu!P5L> zYeK@j8IKPTeZag_R=(FEkPsqACsDA!vU28$$%Bk)GjdkLc?B-*5j=6E67S^?R&H(? zjNZv5eG|jzG6(zeoD0cYF2`ow!PEqxB<_r|aD z#aCUHtga~wnu;SAnr>Obs9N+c;Q!|i9p)&ED2(Fv(jsx}icvG@jg#5!R`g zyLBFLY#|4tas^3o%wAi1cg)5lv*V4)p&f?CvMmw-E)3xV$;;~M1TH8I# zrfp!Gvug4SvDo!^z8P!vfTFud$`{I4QVWh{GR+sp?QNdTWp(gFlM@6cfnaGYy zp&`|!d0Y#?3$8o<6vO;}_(I#29g8Bg?~AA5FCp*aYj7?W@LSRo`=8D$7-b%)Ub;8< z26Sjsy%Or%M9j4P`wLfa7kMpsQJX8bPheMTHkI7U+l3)E{;M)3SVy7x#u8yFvm1)v zN|~Y2-qk3C9bN7zQ-_(@RAR9Ogy>Y2X;JE^suc5qaqLZ?S^B+fW0jxHau|d!cHaxE z&fu++9>9H9^ZKxKFCbXLdoQ?>k4mDWGT6vowwN*1eFv(aBPisHS)wsimQ?{xBJ zAE|tXPf_*iRuxa#u>AQPSZmGDr*Snt-?HoFb(dP@1DC9>)c;T_xxE5o!B}W9hU+3F zdpF;#eY0MCqSNGd^YTeU5UEVCZFes(>*7zIXy03Pmg96vU4j-~zPMEU*jWDa-5fv%B<3;hRamT@dGIvg1K z=?FXJx`Q&NJAS>%3cK8I$g`3c&0vZYF%_n*5lsee5SE{RPRaF-+9b&O1VfCIIJAu% zG3mzyKK0DFds<()*AtB|c^&Ej-}IK2QC>V?SrSVLf1>()iP&qVH}2>XED|`Jd;NF@G>MU5fr{Lm2jT!Ts8%H-*o_Y#LY_ zFZ{%c#oVo$SV$=>WY>LNTMptgq4>UB*PStz-C4L@vq~EXaC*Cv&AY23$;|)k4Zl&rnPp#jOlsToa_V+1V z|3FNVC&IY#f}50GDtU+J6>-;w=bS2&tkU0|^x|8Q^3of2BKwob+X6}p*(48<|6u}R zjL+doAR~dU>xw-?oRt_(YM}re{9p!2H3t?$*`7^HF+d^lc%B?fg%#6D0?RfWwD3Vr>jYL zb@Z>YrS`THwFC%$NkQ;y_?$u`u?{+SVSY4}5;Em5nZF*_pogq2<+>XMd1z`yVCKa` 
z67rFFopKL*`<;Bks``0Esqe!!-s<#R%k9Ud83)g;>QSd<$&2l&v1Hsts-v!)wc*;M z`4qol{N9Hr0{mUMc_I3DVWxP+da#h~>TBkyXH`R89wxjYlV)h;k{@cdLVRUZ)d;>1|Ch`&f6xBnZqwWW-KYPCk!V_ zyc;(ktI=y`^@_Wy@M(Gw<5aLpE!I?tS!`$!>&>F-`)fs4%Y?w3Xb=%*2@e9k+?S{l zs!m51>4a`d3P2QB@f4zl&sfhAzKU4c%zd?@=KHG1W;8UaP4l(nrGBgtCwPs*sQq#$ zCG`$K4X}vsAzbngJqbqW9hxmG)mh)gotV5R?Te<|y>Fqzi)Bj+6l38|Jt)ml*v-YC z@K$@2TX*r+?;grUWW~Tp4UC&c02$JV8#*Bjp-`o6uIQXnl``8r4Qo3Y^Sv#c&?V&e zPXOAXua!ZD*O?!=0)3(5wWN!adn4(nn?6p)D`o{o#Kls0AUzPZQ9Z|c#ymw?peIk* zJP_eEK1v;Y=ewVho0tWXYys$HZyfIJ)2@;VPGiFt@v{CpE$Kmb0Ep-C}MDBk0 zTI9^qy%RPu<&z_i52o;A6f$0EKtAHKQlNc9|4~8Os9gFgj-~j$9n9?fUW~oHWZ==7r+^9&+us2U#p5$$AF!S$PxGCrZ1y9R-BSjY0 zjBZqbS<_tW4CKSN^XOdKsqJ`s#d3YU&o{j1G^#DJPx>iDuJ|u({aV;#3$VbY6PILs zIs+0y{(+35PH=;nS=z`C#)BCBjP0uhPX_?LTqO~M8L7%{`t zRB{WgEFf^Ztf_E z!ptvHnX^a9{pZnGM_=*qn+MJXc0-|yR7ow#Sr%4*iObJ^jMnqT>k}_pFPED` zLxIo+x>N)ErVk$W?A7l-^-5!;vlkMTKFyBg&oZB7oubS6suUo-(`pRsz%7Tmai$)a zlD7BRoS~}(H@C8oJv5z96SsYTuE~CLMzoM8F0|te&Ah{zVRdUUW84MK!1Hzc7_mpw z*J9#SmqPo=ER|=B2bgWKM04GGx!?-pN>X0%U8{|*T8Kc9I`A~#O?Ib0RtyE4U8(W7 zxloby2pQs5QXp;?>SHwiYE%jvJ7B3Fu)MiRY(qvC#L3vVl9<^8Xb+@ITq4rf%j-Nr4uI^~jX8)ODb>vN>h0$y2IMWC)!3~S@2Tdgcl(L2)2b8I#LwE~&<0^S^asi${KByKIGLOO zq+4xCJYEwg7&{c3Z_<4?8<9&;mY)+?NSDe0*hjJO~LUj11dc~>LOG0h% zNLvl9Sc~^%QPQr_p`8=!t&(^<`#Xy&kB}gr0GwDZyOno059ah+%V@!BbYt2G9+m8_ zcj=uS;_in1^+!yNfX1Md=x$&v@pi!F3EOWY0Ro_#vJlG{MXs5o$OIW7DOWI|`5|ST zY+Bx+i&Q6*Cm`5M}1Gn7G+BHH0k-g^<`E`>u9^K z9LAPR#PnjTifeq3eYFpH~?3y`hm`QKMP)N zU_w)04>s26&eg3=QL;ac_N7{9MH+s!v@H@u$Ayg^IHPbt3To?fL_+y^lIKRh+5MnA zTz2c8V4K(+Bow!T!Yc)O2YP_zqn~WOP#oM_DU`5HhqT$;JV_}*mH6CEMzR{U=7hKr zVk;(Wu{BhM*WUJ(4Ht@An#!gG^)|UfwU9!IAA4+Ll$7B$?I)`nFN_!m@2k9O+J%<; z{RmBAi&PhHjR=@ErHS?3l-2lK3^p~6xnGjl=Km!x(X8KN!SFT1+f*=+StN6mf7nqF z2dAQ-Q1K*mF;EpKj!$RngsJy|{X2*6nlrKAW7QV=NS4$RYl@1<6 zvB`lqP8#mS>v8G%7+&Kxs!FS)Cd6&popW1sdF^X(ZrHWWxmQgb+L`~}M;33K=#M`z zP}6jH+{(Ku)bs(;-{;TADlcjP4K6lcJoZ+d%F=-W^=R==i#AW#Uea{Sj4>St7%W=c zJRXnF2~I~MZ3g9EwvfkM{V3DEGwz!|uo|tc>2>ag_T`x(^`W&(Rn+!< 
z4x6J#NNob!+sg5M%tQoC^5e~RW*hPK&kC}@O%XL-+--k5msFe#1eX{+)#s-@F_S4_ z$vs~-*O$YG2rUZx!I2@nddoAw!_>NQmG-*cP_VhmAd_iHLbSFkRU$Xk@s@)U#Cr4Z z3994%8uqvq0*4gUB#;!ZcH$Qpc)dNyPHksI(8Xy7tbtC7YU^Jo6Y(S~o6x%pn`uk{ zrqTT9D_0T`3Q_FZCVcGUt+K-iW*6c^U(QOEg*$_*y_VY-&D#|fF~(h|copZoRg zJj{tjA6~&HdD~CSu z5C?YK6#0hfxTZl<@l9z3Xy+7pqyoydq!Ky};X`$EVv6w)<$|;sHLdspWx4E+xCdL( z3hx>r*c3S(w=`q=MRf_TXA&suErwc zJ3p?KF7H2`bXT}< zGx@uJ*+CKM9*^=e zg*!YYQBS|;5c86;(I#DU8VRxl-r$&`Wjju{s+JxrjOhMp@xRpph3?1xenHE_@5tt~ z5lB|Ij3Lf`V_59TO0&xWwNg0S62G~qdkv$5L1mWNc&1ooIi~2YauL@AK zf2+wDtG?YTdfg9l&t?+rI^x~L#W}8>yJF)!H$1&LdA}5$X!q{5dz(1F9eJO4yT>T%8D;@he?#-|*D6 zul30@7Sh1fFO-61M70Xewqoj$Z6FHlf@4(dK@<>EsFOF7Pqwybkf&z79Sj{^5c^E0|TWlu15)l z=zcyhI3e}E!tuc6UpuYLwIbpyS-KX3)~hh8!!BmpZ(9#Yg;MUGdTU$Zk|jKD`Yo~~ zdg?-7@$E{Vb8S8*er!o~q5Lo0f^7r>`RDbMc$hbeXH(Ue8~8QB_k)o-^7i#c=Op@)e*)6ZoS&S%It z%Yipi(A9?(T+~atruCIbXzSu?e=7BbY{nD&rmM@#DIs|Rj>O{|8L_J1feqeo#%xfM z(<+nhWYKLDndD4-aiMZTqLAt3+vgBr;G?w}!lX!^XVmDeg_z13Rohn?9>j zN`C4;4(vORV}bd`f-WXj+?e0Q5>rUGMx2AAEO>V-P&y__s;IyQeTyUSB98qIK$hLy z+@jp)a&VRe`BN`@>@cm5;@>CNZr$>;2h95d&&gR*!pOn>Gc1)Yxio%;a~1vBn8_f> z1hqD{FvgRx2nOeJu~Y9l5nb3{1?Ca{8@7`CK}Nh9u?M!Y>dGm;s_f1|5hyVzjQ{R2QU&WXN)vW~T=iG9U{N@QuXjOfeRf zk}B@df9;d4*tD;;Bb9_p@_KOW@)U){yOdI#0|uR=t4lyN3~}`<&AAF1((V-Lxhh3# z#jW#6*o;ZM5UF zRRQoO;+9!WqB~3}DYB+!`u5f#4{_OPK2p4rlu+TZOhRf(wEP}9zlN5Ax^gn(xt?rf zSn)fifp-x#)5$55F%SpQFAq%$WQoO^Q%HrxnyI}RB~KD5>%L8j^YI^k&XEI89PQ`W zqn-Yim=1?On7DRP_nmE>dYtZLXX9JcQQ`JDso{imP9`vGL;b`O@J)feCSQ90^>pCm zN>bWD>|svO3X9;dCX%PVq5Tl^?A$w#*FXFM5Yx2Hc#;Zt6)ksKhu1VBI0IjGB43$sd8oT>W*07~o)VziS3rDgc zPT};``R6z_;frq&ZyAA<3l&V@E7>D3BMfj#@E#kySo&{%xeD^ROx9iJP#{xH^~+3( zkjoL%2p*V35i~*91?o zA;6FwCZm%5JO00Kwy7p~azIC2X1_cFuf-;Z2B+c3?-T@@$eGT@b=kmUhz#1I{Tu$w zR^ivH2&Jsb+ueD6j>VuN{Zat)ZD)DAvrxKgShViY3yC>Pmx=5PPEDfv;$go5Ey$B6d6mI1YQrWd$#UB2aLzn zB7CpHwk`a_IJfDCklB_5M?(J6*Pl1EA1mbqN7QN!QzfR6Ct2`tZ1Y7O4_`lD#*U?0 zIfOvp<_y|0lE2TG#qVIwtBBsT%G;?0lTr@m*OM1DpLS=agS_-mVeVYt$A&A)5_jVb zAICYve1`Z{u}ZL&MX|w`(OHQYZ}anV 
zP?-BswzZO%WlkG;QIIu>@-?vQ)&L;MBJyfwN_vmvUhpWvxoH4pO=6@;bsxi)3K) ze5mF;9#?5Fej~H~Hu)XOJk`PvdAX+sY$su9M_fY#KnR)a83QIVaUkfbigvguD}}vT z>dP{l5br_cQ5EacH(PKa(oFbuGPO|lKft%zpaJ@n3b}Il(OQ($3_lJQH^Iod42r6; zkxyj+Bw0ce`Ma0fuvN0(qfa`tBcYY7OZX#d_agR6>pXv9{HR(5#oMu12}*v2NXTfU zO~kBZ@U>grWl_(dhI4i2&+wKNbnyIin5y%%_YkB5h=K_f-aK_xAiJCj*NiaN+8(FK z4z61hJo;Nqpw=P4T#L2LaTckxm^V`?31u>3LvSDk$ulQ#pe5edZj!c4nn7z*UFClh z2faTu*>o6DTUL2H2k()TKWC=D-TK>(aF{Nq0;i+sW}OZi*{@)=5jWBF7(?ya?#uiwAo=7VPaI5WGF?3_DvsT)&1beyH(!e%QHE zcsPFrrZc1W_Of_9G^OX``NCU&!%WG?<3SR2_QW?hJ`Lgu<*>1QFhsZ&vTsTGYqn@N zFm0%Xn3x%G=Tsu9CZ;qE7z5P(2>CR>{4UL}Jdtb4)+O~3we_?YC9^wy?t@BB%K0{B zeY4B^HGMN1J`R%o?(~R3(-;Mlj%f1c{0tE;P9hpxLr48a@U)1@UD+z{3s9+7Pvib4)x877+d)7pnQ9Ty0J0fj)F}Z0KbdEh^f0$tL`+;5?%5wLzG>M zOcRup{Aez0CK=u}bY>?w@TMW%P@P{p`wxnhfG>4nYiY(mmr?i^X$9osk>KMahM-@_?v%9JjTnC!XV?v%dj(BE{-qCj?f^V zWpTe8EYCHlb9xCRgg;2l4E=Ryxp!@AtNLb#xN?;93zXU8f98$=qZl*6^2{d@i5`;! z<_oGuHyERehl&y~}jA8!>$2QCLVrL0oXPZUO6s}qKdc2tC>#%C>S z|9ADD2JfYIP1PIEoIZkP{;*tucYpB^o_j(Q<^;Q~LK7j3D!bRPl*naeQ+(TBBPI)S zNl*`%iWIo~*oITV)PTgcMhd8uEugXHAU`R>cnQ(QabQX*Y#Ec(9u}S-&}J-Sc>k4d z3n%pV*2*pp;2gMU6f;D6KUr5qGpQ+vOd|&BW``jMZs4Ql7egkFtv2{@Y%-GD z43Kr{{q?$b5H&e0h=K)(yYy1hn{EX91}M3)h*NmT$&5)E<Gpg5Y47R3A;O-Pr=RPofY(R7a|VYdcKnK-6Z z>d9Qgn=BB1FhAbWOb9LlX~BjL+P@_6IiR*{?Y^F#mlW}33BdT|S_5J86LIC>(0MdnjX zb1Gy}V(j%rxXvQ^lEH=y(hUEV1OfjbqJVIN^?q~0E1kDB7v=b>=tULXjoo9n;S`kh zF6iU3AQ>=$KTrp*gK!{lG&?MaL5<>JG7=?G5~?F#fjkW;#gR|UL#;i{kcKJ-fuqy? 
zA11SXUU5HEFRFIn0`={64mx&w{nW~M(LugJejtX!26HKz|3h~|G#i_U1C8BGqLP0Q z6WxApbDOKAq z$hVVB4L>p7qr!-eAzerN_}5h3yNBCs%Z#pxCx{3hbT97bZx2pnPMV#YC0yGSBw6o7 z-fBG40>VnFxha&oTu^RYkZ0fy?Qem#TV9v;`*un$K2;dxtO<^V{vG}=+{9{Z%`r1# zySb9oqEt;IlHw;je8Y64^y#!2OAX_k18UEXf_{j^>UY{=7{cQ$UQ`{!Hb3M2~ zdfWN(G_CM(@oGLG* zW{{L(!GF6Z2n~lb8vq3qxpY8EBF$M2hS?=uq#l55*MSPS4O$mn!$`VSZE7?7Z&mfY zQ7Apy2bflMzuOF|rJ7y%6ojaYSqr@QeM{f|xU?+X!{l62K{v30RnOSZ-={g2u~sP; zVXnT-?lD-nCb<0nQ;I!brw)ldi)3l;OiHe9+>&}kd6e%(8j@fra7Z&OG|N&D`LGH6 zPUGDqV9rL?&03ULM${(OMKmZcW4}2$|LWiqN`{7X4+V@K3lz?n_dWHXsGwp*V>7^VsUg4T^cnS5Yn3 zxeGx;B>mvv74lQll z0QHtH!_(bY>&|>UUJH{W$qi4nFS4F38ZGX_wyd}^l6~dbPZK@ZbGhFgxUsKc!cC8w zGU0j$!e3fPRwXKoVs7usEK$aU>$2qr0+eu-FVY@`J|>WicL@5MsVS^QgA3LKB%q!B z*|QFToUM{Z6cj|FHLpiS(##-1%G;-H98OVOT@l3=Dk`L2G;uMXVuM9S0vPrJ3(&lJ z->wCSMB+%GyimL1s7ll_lx}?1{)~DWuaUsbSjRLq)$rrwU^%!TZaELYZzNs^5%F*` z?84w{a88019k*JIN#nExi0#yEX|s26X*)ZPAcG4I{wU~Wu2#C;_+fHLT{*G(Y7b33 zbFQ`(4g-SnlGw1?{o>-;OQ7vw)4C*Y;tCU*(s+^Xh-n|BSWxTq2z38kjud*_iCWS; z8>|EwPl{~6LNO#z4>7SsR2H8dDkzf5tdTM4O+`LmEZi?ka&+Q@a!6M`p2d*v^qR?3 zmY?{>vM2}`>r!8XbW>Q3&PFlA@wnZzkNYSo7|`s!fm3yH}t-HKDkhSmWy0RP0UZq?WQjO{D*tAf%` z%Kev^fB;!`_Ii%ok&Bf{LzT(Q=CMne6N^!pU`VrK=EXI2e_aK;LV&yX@N4aB%LC_| z3pqw}DpwVt_XO;fqF%J`gSjC9`NTHvAZ&|t9~|957)tZ$G{&i4DeXdbaS7Nr=ph)bKCaI^e{;NJKsrMD|+89|vubPcI3mOArc*-n5{ zZOjj4{H$E3-f!QX93Ky$GiLY4UoGI9+=aMN%x)wMow<=M)bO#?;lk(;W9W)D3vD1F znisp5TK2=g8hz2W$4mj`rC^kPkQ9oI{P-27LVj*1fljsfp)fAMxEU?Kw(x`UP$U_O znJSgxHtL>GJSs)x@_uf9L%fKX+}ezkQolc1ZS*8L1X~V-DkV%R(?Sh<3d>9|$;`P1 zr8(X>9ILW&n>xa?y_SUmIUg;RAPjTFtZ|_u7L|CA5{iPFC-XNCt=E8>k{!Nw7su@q z=bVo)Q%z^SE#lN|m-jBt6jx<^w@=TSZ!zA=u2YdL0`7K@G_H;=7@A!u1bJoWH1%CI z=q4TV^OFXk*b+t5MBfI7c=&nJq!4weFbWBUf?ZT&`o-{Ag^*K!K+re_NO3R3b>_ED z=6;Z(`4ExUc44?W=wQ$vBol<bPug-p$YqXa@N`~xa#rh_+{)M;DY1Cc zuw4R$(xb4Zf3+Kw-m*>lTh7&|`*%fW&NA026SyhBsT9BclJPQGej4M4Emh^Go_*M+ zlD;W-*3};4lxx~3$S~YQ0bQul;pPn=c3yGgO*N|kQ`$A3yy{4Sf75?y`aiNpt7u z%8iRSAd*baGhE70DnwW@;>?naI3T~fEU1K5U>nZR&K%6jA_Tr&DHE$7*v+HIGB67H 
zG2!8#t|L;!1KU$Kq5t5aSXBR1N&M3jnUS=ruNl|B1wj<_aLo{I5O%X85$gqwh1 z7D#>}*TIRnSqKQ-(u(0Pb|7E`tX=<2B5VitCU6qLBqD5L=F!YUA;6*FmW*&vNln#> z_(dZH64+Ouk~=|4kOJT5(Dy@vnSW*8f;}nbLZBlk*fJp-LxoI^R><`!&mpxB+=-KB zZRm<~pAHXip+vC=#GkdCxgBrBaS4z26fgtUY?bo_}wsnlh3j(K$ z*|R@q1(qVH$9eLYe=6Q96Nh3h_)v5id_|o#kYyV5Bg?80Mw9ksYYCQ3 z*@KOz5eE?Whqr?W3wGM%G5o1K`Jal)<%;WB6fJ3nQNWWnw^91e#i}C>6q%{Vz%o!$ zS+(({Eys!$A{M+H4wU#!Fv9O-B2bWspYP^5efQ2{4NLejkOeN2voKMS!q^R?`N_ij z8ip;nB9TkircOgo9fsKkk0J2Lr!o(ogP5^TuEUnpl9V8fP((v1oDqEn7`P!Zq0WQN+wE z^XlP${kXrpDW&)tEI*nE`|54_Dm?nhvgIT;0xaD8i`*5isk00$!%FGbK`OmIH(j`% zSu?e~%1~KU_>gAnNZ+>UwGU_zcxEX@Khr+`qM@%H0hSjAYV7NVx)JO=({~A4`)^_q zS1oAGy{MISsiH9~ti-m-S9dt<;UMRq=9&E7S!F{8VAy9>I}&+rTn^*t!?zq>a&C;( zk!Nb!uHiU#R{X5$YHhvrhNG_I_+XA5Q7Sw_i+O_wP;(MpFG>MXE)jHOY`*;}Fz)tq z7m30f1CwfrR7!jYn^h@oJZI=gvoL&<-|z{hk!0&iz5*6lQCQNP2!T$u&!&^94wYuU zB ZPS9+LP?;5z)KNaGCf5~zmqa?avNi;B0n!!N%H%)tBb1?1?Xv?%9ffe}PfguyD%QsVIjj6=LLPBM-{}np{uAGq4JHHFM56B!Sa$gHxsgN4^APse zCU$|B{;0v99+YI`Y6w3t{`#aD2%GXhqalD$1dG)iPsE)QRBJE`{>6g1DksRV&l*2 z6{C~_j+Sz0x{6;c_Phqq*| z@(O~dYO#DY@G_lFtRvPYK&B8_o+gC)O+Rm(zaO^8vmvh)^yzq`t2OQrSU(whT7BO~ z!jVxE5JsEV#4@6w8HlFuigp41Rs9_N>qJ&euTu1!T!6WK5nZ5!<3D&$5XB$rvn#2K z03Deu^YmymE_9uk-)TXCY%F5mSrfUAZ^&4ZFv{Hm0zV+5ODLGlmwH|D0t_n?&D4P9 zW%bmb2D@jgFv}8p6U-L5#D}N~CF0l(CFIMHdoUj1LSrcgidhf+GNn=?o z;Ycl!(<=?@OKfgc$*hS)lsF2{$*gg~#Pn#n-%F(qG%~YPpvG)zXNW_?rlCOF z^$x_T&WLN}Xy1mO*Gq<=1dbZDIbrm^D$Dx7sNz|rbgu;^f-3**5Dc`WU;XITaS>bNoG+(z0^?VyVcIwqt(&zHCN+zWXPHEJCyjefD&95!rLOIy0aUP=P{_ zz}1!7(OCi0z5?%7DuBOR>@0OJ;sQ5r1Twu2gQg>uWIp|ZyyMbDC`*G;@TZgT<{J)? z=VmxLsr!D3p+X``+0PIv>3@pS|Ao7JyDqU(ILCvt7`??0}2qy(Jo=UzO@Ij%iyjxUYIqM|ltv^)N@q=7@C!%1EJKn zTm4BlNu4giWslwxG3!$KUUe%I&}bhSdfnto)1nkpeN*|I8bD_@$!P8uS`~f%Q->(L zG7wT5aEeMrpWPZ=r3FC>_}CclW7B{s?7hO!;lkjfT(PUJ=gMxhtUslZ|N2BVQCa{H zQeNt>mVS+%$MecQT(ArPV~aDHAm_7jav^iDk}^~%9?I=Ke-O(g-O?r&%k!vDLMh0D z4Yv(E-z!@u%hf30Z)!&o6$UD{&=oq+5^fW9p+;PaYCit;(-^>1)R7yeVpOSUhZ}Mn z7jh~3DT9*z<>PAHh#IKEKw@+IdL$RfZSqL}NyI2uTw<$wYKkohXGBxO^njrQ*C-A! 
zWPYCevR;RM`NpLBqZsQ1VU@^LtVNOWKZWG@QH%+t*(*w;6b@c&DgZ#-(QE!C*UKsn zJ(a~&GQ~9(OIA2~><+5J_>PjP4MBiD32!l`rJv_cj+qep%O9u8&&X(Dwp6IW= z9-~ZKdhPN3?K`qBYiy4l+c)e6ej@% zD@mg?0+r_|eFYsIqZmAEyUfB4EhlzWRfv;-QJd@~25kIpbFc@*lty}t(W-%e{n=a> zy2#dX3F2~f8^oR}MyqLE-AD(`>IbY%#w|6}7}PBfdm%R_*%HT$(vX&{sWc|JVP^!I z$c!SvX&|bVT9i1pb<+C((4?-1h)7`!VH2`#$>$1$v_P24b<+8 zz*l1~&0j2D^9UAxQu-;}N}OndQ&0}m>t-)p*awKr2b}L9Grpi`3APWkc_8(*d?jgW z3bs-?k0}dk5KK5?C~evkKhru;YriQ$O&&wf&swOW#g3bu)NGOFqsIQYbt&W~xN=%a zC|%Pj%idG4)3`7V@$nZd%G=P)A%py)^RI@GuGwTA1e&LP>DtEQ;N!D<-*h_q-rJ9K zb>u2&%P0*C86Ca1J@OU=J80WqQ?i;Oq3*=vveSBrsO-{MlqUU6WmE8wH7yX{dD31~ zzVge3nuRsa$S9GPhQ%2J4BYSq$qh%D@6N~UZwPFX@ll$%e4mHIXO`MrRp~>7_pdL^ zl$;QCtU9&iFas0G+H6x@*XNL|5L`L4DRhzt2VtcRH&K3UUoJlM;hQ)u9AkHYmp1LT zTWG%yx4%6hAQ*bp51ti|zPUVozvZ){>n;Y<>crD-oj{+VEIM~Xv-}2Y0gP3y%Sw^d z%&!2%a(%54gXtN{;Wv##L=|$C+kI|IMO}FCGlh9KHY_gjCNMqZmYqP&Zqb&|s2JB@ zW3pI?K(wYgy)z$qVj(`@P*_FNJg~jfiM6*!9A_0cN`YaLS_zU*M3qHf*CDSYjax3t#xG|$&Wm(#gWH4Pu#+9V>8ECY*CNZWe6QML)WK&e`% zcg#R+ES0HE8L%8i@1D5A6Ls}(Hym#+XJ&2pAA4Q+0D7D%I|K7wIz4nN=s+o)ld+-` z0VcK+p_t4sA6_TyGM+-fgA|*nFENK=d>NPS<9&1jPszlev$e0Z9P1|?F9P5 z@Wtis{9!Sbj|$G-FYBy~6VhDN{OfRTP_R~NO^vg?>t^i=xaJ&xLY>CP+=y1;Py5iw zH+R`}Yse_*4~+wMKPWc<7P9MufPvzDQX(-vc@oZ6sFr}su5gy3HsdRyxh(G`J|?6e z4L@FmTVxnSx{|oFfps+d%^ZRS{L(U$W&Hk5|>0}LJRv|Wo`eFblXbadt1S4(vc zXP#30S)|;6g=gzhhqiM)iph~f3mH50JvMoSkVek$)=RJ5isq~ANAOw_Fw_|XOna}X z{ytFi(G*}xRY^GI;?dFcYX;=xlsR*R1`d5^gg{(rla&AY;8*I%rAd#uXv+}xSL*Xq zp(oY%OxornY2lqWAiZ71lsNL2OuAzn!@O&&mP0{L_G9GUJeIr}ORxS9yZz6+-YP1o zmP+fH2z%p3^n2HmZxq6NGS{n{4!mAVgt>`Ws_htf((1tEGb?5u9A-A+!P7 z+-GYa+*)NTC?z}dRpkCY7{F82DHfDcu2g(`Aj#3bl>qL2iGrb^w<$`GD8y~8=vwj_ zz;RekbQK^{Z-rwaT9Lt1A9Hnq9rs%^r(A%6z;r28C$%csp**h$V9FO4bS_N5yXfw2 z9u0eXKD~O79b&R)5hs>g-Yq<@bJ)`7P9^(d{;QmO_w7^x%|Vg~4$s`z%RJC;&LfZb z^LWxIfjn|`WT9sQU+yYgj%^&`0f(Qq|G>_T#vMuak7ws4dKC59SHUlQs^SbI+@fet zHAscEExl$Xv|*t1u3qq1*eE_aL%6R8C(9%ERu6>3I=C)%Zw0iX!pcsCWt|=6or=m} zY%VshyGEw6TAo_DayRV)OQglq7ETuS9+dBVh4irfbalL4wf`{7#zajn8$NFpCO%202L(t!+`L^Vs7b_QPTp 
z9%jh7*MZm%Yf4DB&g{j#5DYXz-^CtE9rco0_9i&WG`_KsSSL4kRFP-@{E8gvAa*(0-AY9 zF7w#g(~)LbWjZq9_QbRHkoYS`eHruo)4 zbhbJ=1U6-x;AR?#DGY!?6V>AQFwr#2H=Y^Qlo`4&7vXpv_CMTji9NpQZNj+4pMwVk z&{NQOe538cASKhXgfI(ZMs#LDqv}e^cH%Bsh5IFBb-FG9Z2M0H?g{?%g)*BkKx26N zpuP$7M04H(Aqlw~HEU}$l8)^IQ2((@#f3K<;FOg%Es19ZA)}>ySU&O^9V(vd3v7ZeF*z zsSqQ1XDb+5ITTbE3-(#sWD%5@e5ECsgaSMU;$O__2x zpN)v=IPFh6bZPbg9qKt;?62i%IYF;G8uI;Sk6S&osro1vNwfs@h%oy%Y6g`c5(A8O z&PjHiWvr};bgoJFOQ9+#C`wBeh;}7KU&Si3D@|~onlO)xp!kmoLW5;LB*I9b+ zn_K5G^W;rSyaP$0brUrU zv>hxdO3Veyr)sk+%HRSVEenO_^Ghzv0MNCDO2PE}t}V&CA8T1bETO(Cp&3;QLmw^q z{BJ=xwIwAsANV*^TM4&|ZmnHxz72Gr3SK4h{gk0sH8UEL7@YG$ng(Bc)7D%-e_1V9 z?=!Vo;2$`9?rjX5RiOu&-uXBDG-={CwkUCt^R?P+rmRbSj0)B5C`VHf4SoI=Fk#FwlWj;F^UTfZMi&V0|_j(0xw}hPU^}Y{W-Aa3#aUI92g@$ zyRAh5tC{18hT0QXeoy#G#Ycqq9-}QMlXP}_h@US&*mpS{g5y*D51B>(Z6lTYa={sy;e5gJe0%> z2=*>sw0L^Gz)*#`y%W4|jHhPoc4|NLIg$8AaD_RCF-FbL^}DV-A)xwmpdY=ywt>k^ z5k*_D7OB8z2)27-J*Io&Sr$I>$gVO+XfyW$Lgg7uG%+E$WrA<0xHz6jeugIhT$DD^ zm~1^>LlX$9o`ICU8)4IF z^t{&WG6YcwQ8yPJg)-~UE)Cx9&X0|}8TWvjV&}cR`e(KE^KC%)fky-Vc&fn7jZ4Mm zqgREt;Bd8xMpsrHIjp{3r)-J}Y^@-S+<{r2uA#HNWGfhF|2!%!ml#K{fyxco>i(WZ zAjbV06h zVNKh(#q>4Oo(24Fb0|(TJ$_6zm}b_flp|}$`IRvz8jBGnU4kdb7((UGAa4-Z8cN}) zaTe+^>$1Aa{N!tCc5Jd!C48Qf)TP^t>J+aJ?T4n2B!r%KH!7pC=izQ{H!9NvZMcd{3Slv@QJFJ?}9S)y})Pva*18|8(_mQPbT1s5l$WHmfn^Bh~} z3UAiDN0Oa08=nr7}skfX2sPq|a$GjQDH$Qq$T8RAv4%FM=M z4v#eLp~71ms8A5XSy)8g;qdg=lqVjoi@b99B;386(YHAFLAq!sG<)ov2sj0~Mz88s z9K$z@I|X%CalY*>DE9*5`I{GhZi==n3h)=Z$m-f_5oU?EXs5*Um2goig=_1~) zf>S?`wV7L#o%(rULdt`c#BY*(Fr?;t;0GJ9K3gN#6K03TNpcgS%lVj-H`*reaP6B9 z`?;fu^N2Hs70+lzXj0Kgz)~B^>MdF8_+L!$m(h>s=!tVfO3E+A!y%HLuF0O__7-s= zgsJ-wO6Rv4Ty9*#mf{IwHM_Vedb=HI{r;WuJ1-^my6(9}bxN2W>9iODdCJ(P@lH`W zEJqSPmXO7*y?8yF)Vj%SRPYfmBsOD&F+R{mBT~Jc1jBh(=u=Q97soLb9xlYu21D4w zXrc_^o1(W1$2|Sf)^@XV(3A7}>RzwbYN}9*tPn< z_|e9Xef3W8|FJntLXCTp%n3e_&FSvdflmfA-bseXk{?uCrrVD-=?U+ zgrFUVOHr)})9CW5%mle=>Di#BNbDLZXg4AbA@={gAXQkp zEld+BuQ(&;uO2Y%U)4gp&9?o8#vkk*?A`8SkUmxq>O@oJ3 
z?cl7l{^3B@N>XTqaM1&uGc1QSnVWZuW!oIA7mS9oPMQ1GbP4kN>{6C0p^IdtGSL@F z6W#RzltWVi!7H#Vfe%bpS5#a?%~a6pg0t?0FIM_|cL)M*Fng^kH!S36Pz|rVS4vho zElDN;iHQTek7~U*!l1~ouQ=sy(|xti6YTQhZz)qhcWbYOxVm%4e=%WN_*U8<_MLN? zKNW?knI+!b=W;WYh|(7$>WC<_i-7SuIwxVQ;z1mpRunrpW0o{`>#pJ%O|ByO)6OWr zen#)X+#%`?*0D*FRj&u8<1zu6TmA6vf(wDgoWfrfHGjt$p~Y@ccJ62E7!TTh`0iD| zd3v81w7t$vn?iV6AK=T_N;1=;|GBQ*^t0aWi}c-FyPJFPdgM?E@(7D^xjb9bLw9ET z)9vW(i8JsV|0IauweIDj_ip{g^6tu+@8x7~e!cajJBK(^3>(5tUY&8u@${za>F`=m z>g-@DFV8P2u$lRS7|^LJ2j>)D2;nEhib(_Lq{+edB??@c^6W9u&S|m2916o`7XudZ z^sHw7A;kKRBF6-gXLWgnSb-GD8EY=YdR%S7moNGh+}mGl>4xc26{?U-sR4y{g1-ya z#?Qi_W>qmTobUrf86%P338SqN)>r3HUc{8=z_kQS=Bc<9gr{|Y zs!&0`^NLChoUsCmM^6oW)&Q{(AG;;nX&Stefrz44ETG9?HLFn0u{m0E2VUMc`qDl(b(><$(ivQndN9AZ38YlvK~vU711m}{Xdg0DSc8zBDUgPf zZLgM6&s%-Tns#a!hRHD8A6%qpDCIGq5y4U!kP<%2N&zW~rF>bQVP?)ZyAB&Rk5XDL z`4c#$`=Bl}S(n|%e_KS7u%w*669u?GEE&ipYsLlwL*T0sc?K!6+&;uX2*bE3g{T&T zVNCgjgH%3neNpVg>-3R5xm&Qa+tlq zP`aJExKUIDcQggDmhcqBt)1UQ*} zYR5mNZ-$`8!IeM@j=taqRf%N;(+t_kU0=kh=np$1cQsWo1Hw#B=Owf6M~m33 zu^oGZjGj2ms}y^E1Tth;ctbVe#q-tK16~d=8#c=ayR+)w&C-W1Bp+VvVE*@+Zts$|@s3JXh6H&w3r!%UrYg_DGzGL_gXJfp8 z{&)5qTH*CASWmX55VYsp;O8y>{(i;~#LtG|p;6~w#r#?hC1rVv7^XdwSE6&geJ zbw3w+12$AS=OhtCXjqKiC#TzC{#%&#?${eUdW*}K??u)ojlEy(n65?SV88g3n53Ti zS3{8KP(32^=kBV&*Drkg_T`$t72@x?l`fb zUa7?m5<;Po5yx$!k?;T3?LQ)VzQd=xjEw1Se{i-+wf{dLLKUXJq-lT*X`MIdQ>FQe*a)+|Bt0(5ipX+;PhX|~1!1bTmE1Lht%5_l^~8P_f^W z6Cpf@;a{DIRZy=bpeXciM2-kC5PN?_H}XO>NNPG9MHh>9xQ=BA7k zVsD%xNuH3@=uQlgWCGZ`_5Btpm;jSLU^n)2+mF^5=QrqY4u?PtS%%msCcE?t(d+c4 zI?AV<3V)iQ+)i8QuQ>GT#hT7uj?S7k-xt^JU z$IG*J^C3l-@fX4wZ`!0OV!69f;MCUDPB*jc|HDf%jkdip z5al7^0)YrHOdXUs2p-akX!qYpkToLfK3@a{9d2uRy7eUvI6o^Enk0vrASQBT3-oR# z3ox1~kxGLQcF$x^@V|8CMy9f47lxR0eBj)zv``YFpzS865fcMuQmV*C{t%v%X(_u=PB0YO6fG(=h!=u!@~>d+{<5FJ=8sXEK;6;6(JHYnp9D}t+H zLzM&R6mAQq3Z%y!1HK|OR1R1-nwv89*1}#j}l7 zy9yzVUIC=i$S9&>us5k9b13qY(7#^5j!ggKccS*5X{dA;uCakLzryc8gk5rLji?CY z)rEn7X7(mRMJn9z3`Yx01baawhi*v9tEc~T*{7xVDuj?;^OO?H*v%DhuQRaE<-D$% 
zV#^3dD9GTta}L_r)2?m8@E`2&X+)a)+oPNxzN8={yWVWtcypv5eWoI~|FjGs{q3CC ziMYF3NG2ejI46cp!U+(QCr+q9&Z`NQMI!$upDTrz0D{@og7Z%^F~wU_CqkUJVFP)C z+3UX1`D9P`K4X9g#9U_{%PNV8={WI>8{LCZ1fN_CZDu!t#9>H7bNmUw0;d?BJO!C0 z6*8X@mLPbzeD?R^Ok4kjAO)X=G~yyB6)5D|F%?=qC!0~{hD&NlVW{Ne(vbGsFs^`A zvFj7F_PaMxWP&Odo;VP4u@x#@H<>muzy=vET=yC7o0Joe2iMB%*`ZlAp6}CW)OXLG zUDLW3xl<%C@4MQuUpSQJsOJtAtgWGML zXV4q+XH}q@@Z;;ArdY1o(msEpM8rX=@lN1%wHDzKN+!1NnWU*li&Xnzjkg|QZSqrK zZTfya{;m^yQj~YR>O&Q2Cl-zwN302Uv`R{#B?~);hE#Kf zwxlbs2Y{U(p}&cT50}qco7ZCi;qEhm&6=x3z8owA3uOHOG`qmqQI$(QRjjzL;=)s| z5epgGXG1*@;d@G`x*%+qN4!jT_r~@2CC#+V|g^ljoT;XZFn6Yp=aV@+)W# zs`Y`k`sc8=?Xf)&amsug>ry}OW&sDXO<70$y-7eRhzF?UeqJ+2JQ}*B%3&T%?okES zKE@3*nE_kuE3WHGR{K)XO9W}(vYr~rNBO5Og+eS|5T6NJZ<^Rn&|MxqcO}eMYzze(JaI0Li`&595WcTDniT#lfdeI zOp#M0Q;XTowjArCIqT8f$j+CZt)*VARM_tq2R`z5aas|`=E92U9||}ASmRx?eu{m) zSyC?d%b}Rdagw?XjW=xM0ZEYO5*A^(lZ{nnO6!*SF+q_}OK3@IXX{M_YFvqsCxv%6 zBhm482k}-}pk4Zc15ep7TQCjDntFn`Ks<}J%#V>G=%S2>m&{kj0Lxv(C`<82 zHJ9S%y@F)U!fZt2TKzA;75@ux?fIg;kNc)#81fkIX>65w z5C!!U(TQB5kkQQBn-XDKeWRtI*{J)b{|1pc7QZnJ;C=pST$!*)^|`dlS;{M?o!q7`W%Sbl*qEN&fWfy2otb!2){#vhwYrL z#oKz_S=bhQYDYCOq`wx_!H(%OLv8hbX>~7q8R^_vK1s4FT7l6_HciZZT9Cq29@b|U!v^R`ppkBYwD2fvn5l+Un? 
z*FbL!9U;WKd=ADgB0E|KmzZfb*eG62D%^|lBs9EqT}qY-MC+T6fJPp-aP}C(5G=yf z$NfF&!INd4wtO!8LszdkrvzbV&yAvCSyzB-*Y2UKwbEfg4GKlQ7>2M;2AY`uAhGph ze^`O1zZ0JF+~R%XUI(DgTA3QOK~oo_WjHhu6vAX|`|Z znkX2>%Bh`1im0|bhh};M4A`@HJU?{Dc|E_S`5wQyZi{xJh|;wrMFDkkKzSs9!U1C6 zj)%1lV;RzIu!*3~7hg3Q_CN#aQ}+QI#mbl%J+gdC_2c8!EpC&S|LFw!f+sux>foY- zJAb2Ndh<7SsA&57NlJ`Kgua$(Zo4$XL6mCrQ5vC!7hX|2g}YQs8B=X|l!oK@M3hMc z{vXWQLlL3B8da=|-p9DphVsu@`{G9Uh?~Q3t~-cV<_So#YD_G`^Nus-0>!xOEb0PoQzuysi8x>+f|9oEWE<7MaXwy6li;M7|P87_1d9*JbQO%Wu#Y?I;d*7#@!=N&Ar2Y6U-xGyNnOx9{c--&*1CKlJ=Xzb=>_fE2h9wDO-0T$3Vxq{_{4{8d-&eu%Zjppyu2Am4*ij_o$pWHQsBTyZN##b9;~I2 zz%vrrF1ki(+%GVP)(~$}yz|Z>rJdwxG{_Cm`tX;e8EDZoUKr5-?g~6lg{4=Cu1GdN zdfaIhA8WW)DN2{v?J8i5mdKX|H{y{ZN>|A%)?@#eXoZ868>Z4rpz6wkbg99ph_Sr~ z9(#4Yw(lgjm~Vw9To3c5YJ{y|-U#*udf5VZz1QIXB{WH2fx)j26Jm!@->V1M=~5KR4P zVPZ>Tgerrgs&oMsQQ&c?a6N)>YVQ3u^yzK=(Z}myXMO8MmBXjQ^Xg<|!r;PS2$x7< z-|ag8S@elvzQ0Ifve=v&kuYPO{FeP}R`cM+X7j3yWEpOcS>Sh*~O>s>m`XDJq{nlT*TsB>0@LQwEY za|zbicqRJ2d z*RTrxV&{NKeH#2#3#V9Foafb>`>bc2_xW=z#C4`CcmHqMl=DmrDOaz z_EhhJp#6c%o;AT4Lmd<)%JI1`31)SvW{@U%8RPLSGL zhvEYAIbA}}V0<_g9)ED=(S&6l7m|g2P%03NjB5bQ(OG1UAWBMlpSTfI__Cj7{> z;Y*7FxNYXPpzi$KPkQBpq|(@#4Ndu+_$jkF_|FV`FP+Cz#(*BncZOsxEJir-KhVeU zr>}iYu%M-UgzGXZtkc5zynDl@YA!bz2^RSkF9T{?v|4(JEo6%nw)lo}rn+LRR8zZVNbGCFSa`(jwk1%nMsv!@eazKTI zvBnN1N>#v-yY}DnR$0s!evtn`pm4`>41!=@zkEK3^7Xpc68yJz6a=#u#De%6{qPf^ zPN?4`EP<8C^unuXaP66bpDu{$3@CooWw$kP)N<>D8eS_`P!12haleCJcCIy!D0A#G zX-q046o-J(2HxL-CHx@ShVDrcrv>f={NTdXzAl1p0%mkzKH|GWc5WntFeh?Ak>C^J zC^VdnJ)v$mcDN4XPW3>C@NWHLP9I5TBI6BW+8d^e#}|L^NM4(+US96drcwPvT(7O6 zKhTaS#*nCyY0h_6Qf0#tA8g1iMP;S-HSKZ9h*mwCx8lQyPQAN3V%JOg%Zb=ff?d_k z>7|K}$)L;FI_*v|U2l4JdogrxbEV?OE*9iV!IaFno)3s2&-nSjQ^=^b|2(qe>KO>z z(d+5555L#=Ku=X^BQijm%tS-vE^EqdyLiSCZhGHmFRc2p0>oRWP#g^}ZZZ(HrI5`1y(P$89xP>yIM+;U#ym zb!+s+JiFXf5AIQqpSSP~NFP))4o)B)-7J}cr?wKbt9vhm_x^mb7%ra_326Y$Ws*yJ@_CJ`;gpk*$)gdAQjy*wh%Flw zSapg0-BVHht3Z)b9Z0y z6#?YMscm2ixrMpzFyT-P5fX-{ 
zt+V^Vcb@b@nxZX3s?vj$9U|GAx-JO@Y&1p)f!~_?NIwnE{WftUN!?^Re$j84xK&(e}8;L@nI|v8_6sI{p0@NC_e6*qp zmWG}_=~+M-k6V&th@aF_Gppc{^YO)kA6^#;bUf`q6>+s7TP&I1IeU!1lyYkJ(1%i< z6LgX5KYaOV1MG-F>9UdV(|SQkxh;qv@AF;nuJgPGq|nP9yeRr~PCbGs9O$N>adOs) zNMOX?Y9`I8WZCWNHnDtr+>{`R8+N~6KIS;~xt~6E_3c2u-+kWc8ybo+bD@b19a?C% zedG>38a{wlj7${uxSvIQZ1JA5zo_xmcyE1t&wP1TaJ)Ewf140+kbQXP9qw-9apYDQqsN&4vww-uM*nhv@ADIxBnTb6(q%wo1TnOM-KuiSVs7qB)I5Br%j+ z2$@)JIHH(dgY8Q(1clGPZ^@e|`Xt*P&u^P|3pfj>HT{HrGD7!39}|nxN~2zUR*FJv z;yaUZvW&Ut%O|DS$i3WVVCB@AEiOAP4r`C!!;%Ph+lp2^HsA#sMcs+UK|EO9Pui$>fEZ6J))s3*0$!Vqp^ z1JQi+-`lij^(V@;vzXcDajU&9LHT#2zMd#a&+i|Q46%f>jQAiGeK~ThQ?)@k!iN-R zFLrbnqSs78HBK9|xJzk?*KlW`Wq(J2DKz8ZrT_3@FE|GJ&#)6YdCXV8yJLg1`eOsa zgZ-Bkljq=}b<|RtZ9m8=enW$_p0ComJZ57YhZ~15H~cpq2YF*d3Vm!q&6QSs!L(I~ zX&slx%?&A`m4OMB!B57pT0vcc#wae|dl^9KCBkU)e9GTZyPkS}8yC2_WA!uEk=D&n z353qQYx0nipMVwm-I%dJaybw2gEkJ!JcI(noa$^BJP@Mc6_N{&5^gUMgNkOG46C&< z?HlmV|HdAtX&geK|2+p7$iakBKeAS-{ zrc{`HlnkfY?@3&uAc%9@8)HHJy^c>gDoLLACzB`yOfanuv*f(?PdpwHvsRl+k?*wRJONAGbQuF_1_gLZ7cMK{E(L1`Xz4OFm0b8`tMkMQa7Glva{4=J8g5*OmEy|Nf8M(jaAKMXef_U9~iz_|=q-<|5~IWIWp1 zxSbf!^nE9CB9Ja|m7o>VIaX{}msi#_Rm!*l$5_Fyv}_{l>e~EXbF<6S&vH`mp`4u% zcH84uIO#7XCl<3H)gQ8syOxI&=>DMx6dBxINv!N4!NGgbvU;u_Z*DoG{jg@}zf&_| z23ajRVXP1IbMm?pp2B4~!D@0q>wa-OBy4F1w0@B;QC5WBIr+ax5eGqfZnB@YVU}Yh zrAKH?N(j%T^#=Lo3&!NvFo*<%dP_ksv3@S;M3xiDYBDj}HLJcESy*%j7yL1m!p3H| zK^8OW{cEI8Q#(63v$ZDeQYP`-Gq_~M-f5l$5~8Wv+g_sH+@qYl5ahM&x3y}FGx*|0 zy(O=D?o!HL#OZ$uELgYmagK7<5OzZV&0ncXRUagkblAf+(TAvvto&Ou8}hAJa-~@1 z`&{JyjapvDWul)}ZgyNtkt!|fAl%D>l(!Hc(>@SryEpsfnV4DQ#gmcs3?yh0 z`GR!NpA+Xi0~`PcMryl4N}wfzfarfYD!6udbc%=B&a${OI51`YPs;{ZE1z<8^w4dP zmV$^lB;}eA%XLy;c67Sqq!1(%srIv>BgnNvwWd&Cv|96=rE_le1t_6C(Q1QW@3+ES z$+k<5M_C-bQMd(mbg2GlAcA`iS#qH})IN$cG|uXyZRsZVB!2iaXQ8{{KRMY%CJ4FJ z?^F>~=iNgUZjlYSB57G5t1#>gR^QkZxC?6mjPa{yMa8y$5i4&+uIcJr492X5y=(sx z6Pm(8lqSa8(NiGs4=QOCB9e7&LqjdROU9g~t$*YfSnS%(T5tL$VVDNPW1&}3f~}S8 zasXCIe0hK=%eC+1mmgG6DVF#V5~h#~M)TF6i=TN~l3S}Nl9Pb*#vj`*cspkwv0qi9 
zMtN1(M+E(s`-9Vo7hegcJlSssKFE9ZhXLHx06I320Xz0DFi2ugz%^5=oeuE2rr?BzEY89XF`fban4}cGreiQg^)yj;#g1_<0F`lmmL3T4;LTEM8=*mTYc^b|Z7d;Z} zEE>A2VvhQB<$PV)M<`whS*m}S*7IYyV)7UAMBoa!M*0kGX192Cwbz%Xwyr7bnnPbl z`-#7vF-P*-aY5Z(EvZWKAf+Gm|z< z4wK5n8%nESF=ipo?>P)sRFG{T?j*QK@Y}XSf^nW#hSi{#jF&$`ZP3mtR(lq;!iU0> z)zU>7+-{8;|L=i+7!`@eabCGfmmSEirR%N|F$J|U?WwaLeD)#@p4w};Z)NWg0yHD8 zdMxn{YllS07vx+>O7)6@9v^~8k%8Yr^f!}QUAVKxqvu&6A+m)4?kuMIq~NaJy$jHYqG{P3tW)at0F^e4EpTv)8=BRws^UN`mZ^r1_t0 zh);=H=^jXXiN8*<%y}0yCwp8a>A`$D31<{uQ)2`}y(Y-qBRZnP1YX2?{e1(OosbQ! z0{e-goK9NCXd|-^^YmwI`^D`ao=zb5XQngE?4dGjM&-|`4mhURCdclb)3E*GY^7*x zX)V=I$3Dyna|_Vf!+-NJDV#f7pnvEBJRY}C8=^5zEe;4ZhYYp_g=Y>Na8X2dc!_8- zKg5^|pMSg(DvjFV!|`3IpzLQPK3eKs((4>eqrMcN(|h>!8cIN3g0rJgQWU<-5l#66 z1T%D%>GSv&y~9^dMjPfoJ*M^=)dRdit4uO<4b}ZHx)fwZ@Fa;BL~YhiiTTVzj{0>$ z(=1XYEo@}LTE_p*Gl(Qj;}VTz0FcIoXn>37Tf-lnGKXtucsm{|=MdQ6^RnZSnz*r? zmiTPqs}mT^5zObkksD;t4W8}6OCibUp9djCjI3&D9?^T6_MIf6vpmk)*eZPZ?91&w z#~j8u7dhF+%S&GFaLq21eiOZ5g8psRyUH4tfifDktVW$5I|JZ6xbhEc#Y|XOR=}i3 z-!MIIiM=lsr&_!#AXeTFw}(uxgnb~Eetj!FF+TbT{J(z@0a`1nA=5E4Zxu4X*tzpr|ULi>!oXu=0Z~cw$V@P%qC+Z?PK+;6U2cxhghImbcqKhocetpV#W3E}AN_Ux$% ztcG?RONKs*8K;okU}K)@tUuCGR54ZM&A=0<-*s8M+I&zGhIR1YVo;=J9#pQ1Vg@E~ zCEK5IU%1DOk;KxqMckPaLZX8%%$!5XAwG|Anz7pwR18rO%1JTw#ChFrG;KEh(8FE3 zHL}jf$klQOO*!h0LObZ}AogSQ%3;feE^ZMiK2<|cE3P@rL>Pr z&@q+-h&N17=WM=FYi>k5SNziZR6x>YQ+`68UqVHJ;`LEm;g-0=Z0>=n6QS-b@g*=| zqvi5@wI^yg`T6elxy%>pmm$V3*R!#B*dRn{6{ejMc~YN+#bHMKJO~O6JNVH$mq(1wo^?^_&>SVGbaKz5n_*HBc7hMxfZRf8Kl( zT;@rIrPBFO&7G1sR8e zoQ1>ZTZAGmYO-&Jt@wIQR-RRsN)n$AL9Ey+MV(>A-3x)&s>nQ4cA&F#wzW5^d!IwK z;B5YOWWn!@1)sX~Ve{<1zuJ21ENXM9=GP&Xb-RWUM1A(WAIoXw6G)$wh~an2t22_j zY85!`79QHfD@|)8Hb2n#N=kVAwDcB}b?7Hhzt#ESoV?J6tB#lSEZdHf^43A%RlntA z^{%vQK_@%{xz+2g@7J0rZ0LJ&(dMS_u%8dl+p)Qd_kLjNOU7*vXL*bY%3d*p z)i5TpQnXVDG)x)H5I|fE9XX*36&&{k|F09!#HP{6<|7%Oj)e2FX&r*`y*q=CG-#{+ zj3;JlT;nfG{kUo-x&4?UZKF!ibq%g0#(|Ofv+AQyCv(mR{py^64}@S&&cRj{h%KpU 
zUbe=c+Z*5IZRn+K8uUu9`d+QBcL(0T)RKIk&+Lw$spU`g@5UsSO-T1bMFG<3T2(;jelZWBSiezt4ab%X6-$TW1T0h7*N1Ix9H@ecUFI=~s z2VeHQh2@Pyv}Wb~ud;e8sG*WpbuUQNrNxSUC6SLHCC3f6T`T(HL!+2l2X;A6TZui< zN5*-#jRua3jI_(y_djnI(2}69{Erh0KVC?(_e|X&>hE<;=}x$d@?)Dw@$L&0gp-w- z;J0gHWy?VVyt=TRmzRqx&&uq-n=H%Ig(%4+^k48SR+M?G^M)8k+{hxtN5PXrNGzWF z#P__Y`SMtJ(vEy0eh9uJ`kLNhr6J+#7wtZ`2_u_m9co?C25{UC;OQ(Py0PGxI~_t<6M2KqhYV{mP9W;v6Pc#;StQnfZCe2y@` zkDh3?Y*r*DDd^1A$mc>Koc}WlyWmf}*r4oN{tONpoL~U3 z(k%_@{lP$=qurlDmrz(Y$h$?b_5B!;u}Vf)fecKiCO52zaLr?~=WDt}s6-3Iv5!O6 z*6;emf=xTkK?_M9X(a4qy8nQHvs zT7V;khV!W{tH^6nJJ%ga)o1&vQ#zjkSR|b+XiZNhn)mto;$vex ziXP0SylxbevOV!5Q{p9CBm@=zQbs z=U#i~VN0>w5Z7Rmo(P%8OcOvQ_yQ}d6d#04;wpVz9YrD?Ju?h6AiD}Mwf&!46|p@X zag{=CqicN?UQkGR;L^86`Gpwe)KQr;Hf$G$Jf4jt{yt1^` zkvQU|x%WKl)60)3C%pP}&Rz1|lphDRC#d~=__({#u12f*=l4F!QE}rkKGz0|x;Wxt z^b%{E(L8Vz^Cw12X9*)pS6Iqb>nezHFWhX#Fo?1oN?8R^^!d8Zjd9DdHyU~JzZTQ|L6ni`M=}H*iDLmRrF@{*}+G7VBXecs_<1DQ5?XqcwEMtSpdM zzy)9r2%1y>-C^Mel%WT_S!62me6Z2l;=_-ajvwt(mi$a|vCJs&@(RS0-LQ=Ur*)YW zlc0QLsjGFDT9SpipNN`zJ~Mv%DecF`^7-5vfKH> zM-c$8$3E-rX7oc;O06&~zFK^(N=21TDj+q;>#>#CRTEScGj0j`Z^#db(jkAU(J(Hu zWh?SwStU}Bs+$tte3)sNAJjr9Js6v9B6T%`_*nSnrJ1U)&>J+?`$G2+?NGR33^}QL z*2$V~#AqY+yOsrQ(U|84&V{;oH#IOy=eMrj#K-R3mYNEU_lT>=+62O0N3PnqXrI1V z!Vd&4u5R8BF2zSCg_D4HO*|jcI-aH^-LW4VmCMU)Z~H^f*X|NVpVr;{Ja{fR?N>p+ zUZK1WPiUO~SDM`&)MPdGstSU@u_m`fA_Y_-#zW*aGHa}+l&NJiKMBJn@c%pG(JVG*vu6sP)AKuzfDhEfAHVhP$Q9Z@V?n=Xv$MPYZvCQ1(B zmOd&KwL%Mh*q8-Bk9Gu$1w>$N1fkiEAWEv{I)}VALbYcxm0ZmyIO#z zSyM$I?p%#k!f&mx>6`lldi0^g+nh6Og@gz>U;GYdv0L{7uMP!}L0>l!@8?hT*3(y+ zW73KQu+NFQ7tZCq?G(z_x~%xu_gquTbYxK_*DXqYIC2eLLsq_4FXnpr^ci&p%6nwDT18ft~jX~^rW{|2cVv(Dr=e3jY zmd9Qfjz{B|85`!E2XPl>|8Y;e&OjML^V$Qf09l8OMJI_AI0rS)onKq(w*s2_+stUA zhA20-!-f0hfhH>90E8epF$llLP-YHXOh|!kZy(gfuWs-jkFPjh0xK>Q=*Sj=ozeX} zuCcwBh0&pod7$^-AlyB3FD#iI)o5jvrQI#jAbgy^QnA^xFj5!0m#>Ak!a#P=+)i^p z&O~DaV0=F8OX^P35vS37o1ZRe*#i{pW6DOcu66Hm{sha*_5%~{K9~MRdeA^2+u;hr z8j3UlyNB_cIt{TjeE#{vRNF+mxLOVHlh=$nVkVskgA%O(C@QYN!4Zo>QBR$>WReYr 
z{44%@lnRH5>`*oWR%#!m#)#YmS`0xm{m4Tu4 z(+ayEAu}1Y)93c;uqm{3NAVKf!neuu*5QR*z%AvWmjB+b^INago3~its*LRt+)N~o z{2|E$RQ7SKfwqxdpBSB3T5US)S)8D~(EIZaxhzjZm#NIf4D8{bs=)RhdcKN*2egVp zP4JhMIkF)!Nu@b7bYnBLJQ7)_#2_`@LC-kOg6|-~Mn}|t2~~JT@+0ayX}*T&{g9MJ zWd-1x3GRl$JM*N+i6@mq`RS{cR#;P7!xEd4)2(EXJoZS=j9_GA>C2AMcR%LFyK7N+ z%?Kq706n_6<0=p6U=r-n`cIhv^7aO&2*)Z|6AX$YX4SLlkC()r7v^Xm9#3J7Gzc1* z7FHl+a$>^(#Q{b%4g&ed+6xCn8cy*f3Dg?5LIQG1?4U7W1=P6*B+X8ze&~YOv&n|q zM{cJx&drfD94xo?f>LxoU!mTmcH@oe*X$56ff`71FZTGy`Yu?RZ63xb!9NnD&s_qf zNPSU)HbxLL6!OP3ACaIfdv;pcM6K3Ufes8bi{`#zBSxQb`727n`cF(AXf=AG{q*wY?)!+>I(52qif=jLz~1Hpe*i8$`gM8>x{>OOKmib^;>7>JI#uzx`#rRHsD9 z+{i9RW9p;tk|MnmY~wUSOb?G{NxG_!Gt7pE*+B%|pNjM7OIDZ5S1$diqg zK2->G_@wc9)qS5yd#UnQjtL$h@b*jf)UL}b-7UJV6Id*|Hs)+)el;vt!{i)}>$hFL z5Pk?mX$TsTqmy3XDBv=-rtaHz33>vf?zZx4!>=vthuuW|ZA=MPbZYrL^OISiOMvgw zyjdF(mUS|>89nfYPE>nQi@m z1d}nV|MHi=FUe+;y!54?R%ePM6_-N?swHZI;S@V3xh>#D{8y@^^5UurId`I>B8WJd z({K%#{!wQemp)rV7lbIsmkz2zmu65XMh*;v7^TkSCUkuS_s31GPPhD9N^McO2HPq@ zI^V)p$XV}wePw5;l}#~ECInGFp)4W`P_;=5FsE7Vq45$p@Y70bv5mSF%}b7(d89rS zJI;I641T&&g0CBkN^4!NC6lkF*0Ri*e&gFib;p_)&G1#<=xW<;d+EJnlg} zU*?Xbk!mcPsP-e~tEhxek{t7UQEeZs&wWI-oqdBDZ+Gqfa&Jm;+1n2JTQ7q=Hs7IH6`^V9RAtSw%j~RP z4}Y$>dRb{3kdoI<2H_eVzS1eGrkF~K0a%0ms~m{bBy(cCls*G)X&5z{P%U^h&1@vM z)7vfX7d4j;HP009&--$jU0QIfuP1AxNM`k^cu%p9K5v!$c5@_W2nLw8AY%^#>xc;- z^XoCtAfsD9C?Kmnb>Vi{MC?(;Oh4UbY7R?n~2 z?ldTP?e+zy;Q8e3csECMDeUs6d+KfbXtG4(5w_WirUpqnj|pz|&865@F?0pPmC8ab zpmk8()__!5%-jzYRr?djmal2 za(MZHT(wA5qfvZDLK5qlg8k9;cdxQp&RZW^%WwFEzOQRA`WMaF3vD?1cGi|{Xyc`9 za`7PF)N_*tTmzhBu_Gi2G^8{O;S`&Rn4B^H)`BpQB**o(lUhFGPS6uo!#QyiIkaXX zf2%VAc9LE8Mc9tG5!O8859YwM!lJH-1l~~#?5*6d;g7P#tyvG}1iW9i(gG?n z?R4xU8a4UVc?VUNyFma4)B8%8`wvI?fY$S1y5;4o$IbKC9ZoM-JWw@`RAscDHBGk$g64Xu z-BTcDLrx8HB4w_GG5-W819gaAd~n(G6wM+XykWflS!?3bZQ8Tn>&@K)#WJt{>uaCq zwQ9Vr9d4y%>x6-Qri&p_wc(Sqgq@EHp}@SvY18I@(E>4|Uq{RL_Q&U!n^~Q+5kyMg zBl#CiS#1OL8v*o`^%8o8ryuYFPSdd*0?L8{D;J6a-Z%tsOPv(Qxb5kMWnAgL`|`VY zhmTulTPaTuH~rv|b!h1?6TE`=fCs*()r7Pz2)~ZQeUEYh-t=PyZ}EfBd&0<^@3NTf 
zvgc8kN%1CWzQP9fPpIPtWLDM-?xPp0XSd2Y^YtmJ8uo;(&lkk+w^jmyIZDx2bGx1q z0+HBFDXW97R}MQNLX^$6c)#wZ*%aC|ir+3g-qzeN56?t`?emWpeJS32Nfkt2G`xOZ zj7mAPhUToF+u5&b-LY(J-@k5}S6#Vq$RJt!SEUa^%LHN-Ku06F>jHZ!RdN$U*lglk z;ZW*=(EJOa{uNn-ipkgo+oj=`#E;i&EFjTWr5Ha{EMOnEk~{nG{3!8mga=FH(>3oy z5q_dyk&4Eq(z%!~HnA>is-ENr9c8SyCDJ<(qYor?A;D*a?>Cf#e0J7T4mlB10sW2F zp-eSC)99+HLyb`b`-l3C@zkLU(2X7Ah~8ElOyRFkw!m1G2SH&Y*P@E5)4~1$KLv7b z$Za+Gp8rG`D!`7}os!wxGA0x&*eQ=rCXT!3!!R-hN(ka0W3Qg0={!y4LlyNsg9vn1 zDpm)!V=k<`sBWj}z{A_S#b6V@!&wjyvMg+az;hsD^OZohj#A^tiLHd6(RASVm(r2? z9TXt$MGxD96e_17>3@$W!Et_{>>IAP0{QQOzYsxnIu9iw>xlV&bIlUl$A{r{qHb?VO#Bh53(h%Y&ve(t`T1RG|Wrn8G_lv9~&FOcu()&l0E z+Mvgtv(!M@N%-8M55zY!^9nHLXpgcppg)vIfuZA!qeDjC=}sg0)8P?k$AA zfZXtpwd0K|7i!cb4s=s6eozT32^LO|%P*Hv&T9{s?hlC1&L4p`Xp?}hJPun3Zpn=A zMKk_e^}+#2qZuD13ESXKFaq>N*cyztQGg5>0zQIMO6A{+J(e4 z3#qnfkK%)k(hLq))2IoQR5lZ8u=J36>ZqGd zM4rDzq+U3ej-Jny^G|#cVt|qp^M!nFS^PTEU=iuu=0n$3R%@$S_Uy*9h!vH@dH7SoZyltQ-Ymv85EOx{Z2&Pq19T!CMB@;c$U#zk3 zPNq$ED;-%My}x*_E0X2Xc2@RrbA{6n*MhYE;m7%*`@ZTzAkZcz`O2V`R zu0jUgKEitZmxI=&;m8f8B;uJ=ce;e1p!2E{0TGtMJ3Jr()Dd@0{X+9GUvjAaNW1>~i7fzhSomQ_ffC+HRw<$nrKVa+NuDO6H%!$L zJ*hlwB1ixR_3hsd4MK+eR;tBp$emBRioOAeh=>WvDQ}+*KwM33vOO;X&&@L~S zg{ZgQ)zGX6#Es%OT3TpHgRTBKS=67a=OQasv4O2xc8p!il2&KjT)B4!hzm+=yu>2j zhhFz7S$j!5a>~xD2FF)7au&G-2RTMwS_^|R`4{i-D9)G&_S%c*3i7qG*OQRT3Qmga*Q z!!hxfXmKKg@Z*@9}+^E3riLX(nMJ( z{;2?!G>^ywitm~Fk z$KzZJAJ!kF;fO8?dxUCk336Ka>CxcCr8LPa^F)TR>i6xWz(|VXJF2ZQlFPSkg54w2`?YaE%G^+cfqg?@TckNF;cmyO-G_d0 zr!Yz!WTH>A`G;51_Bxt!eYo(@@GCx_3ZRJKS@^Z}^0@rII@@j6mW5lA3s+fVk&N^F zpZfg>Vjv#@nbb86eu$i=FCU4%ecTtcvgY5x^axopnCV$j(-ghGk4YEkeSd5+mTLpA0nHf^&iE+X3!lJZG7_fZbU% z&B#6mc}lA$!_cK7H)XxhuN4YeRq5N@88Ug22FfrRR8cVcpPq94WIUe4x}cePa!5F*^KL&I+)JXLk7qhlgaO1)ff`*T+G8vF9@ zXT7^EO0hQMyLh!hYd?mBny3-#sEr=pJdUU~UkBb^)&Lmu6WAoArj<=g$%Mqx)jtl2 z$-)X>F>!L{m@7v(THSLDPjySilsj8|03_qJphx&@rt8o0d z*4|$u=aW|ha9%w>k#RRPOnW2?k+n}TUb$MYOff*`9?Z~#n}0Smx@vL~Gk5wqBUn&z ztl`AeGzcn(QNG*m@cFk2)%L-d`>6@qzz_qmuEyhtOW`OYCjg4wV2qqx8aF-{A|Y3f 
zJjvBWTJMz#ilbE=FaVzV=enOosu~Y~21YC}OobWgbmm-o z_rgM?tU%IxnIaY)GDL`d{n0{~)$ZW&$Nu828;`)8_~@kxDMKzy{

PgV6mvP@;bt z(hsZl%LcKW*i(PNRVNcmvHz-6RBF!d`FgP_H)@xfgOve$yd3N=qBCmfFE`fzt_GCL zRj;rNA9HS|5wAF{O-Wlo51A%g^5&g->c)f}M1Kp}*{{ENgzAu2V%mf83V3hV@tSHp z0^e-mYI`5Y9?z`pf@YXL59WjXEzQp%G*@7T6|)AtfgLBz{o!t_4{g&$;(M#o#%W}k z=)CLa_oKnPEh#N&Sc3XO|B5=ZHSb~jBIh-F)-kp(wvE&vb5j0;nk(#_=cg9TTAf2E zPiMLes6+eXmxq&wpB%7nSqGt4Ta{T)TbgZ~71A%Q0y}+Jb73czX2e@y zId@h|Us{~!SDyo>DrQI$er#^=XH;(gXKJVya=GK<#Wo#kxjZyYSVZ-!4HUxBhF`#t?x7hj6`|qGldlZyRgyc z-g$aP+1+V#vSS*h)CPRDf`}p5YGjlkH>Uc~91%2_ZOEaIBO2_&#uWtvu#%*P?O*-u z7Z{f6#Zu~DO!hMb>p_e2nD2e>g?}Lv9Qw=8c(?WhPT%XcnO}!q9X>oUhUA!^``+#0 zlL&t}{)N%A`8*RY(!XZ`iv#I7)v8m~et@;mmeI8xoRJRAcoUV;q?Vp;Xy1gPjq^sd zsc&>Z-?TEWnuS2X7q-YuC>0Rx|GA1<*B-#U{EPOnyhO_C*qGTl>p~$lUO*F^Nn(?;a9<8 zD1&1M23<{&TZe-ww(5H>qx?yLmHH(?V8^<)<)Lh#_p>=G(68_=XN)1KgRKg4|56_? zWVV5{t|%nG!b{z(j-T!EHF|=mJ}`$54nJ3sX_jlyytA|h`!l_5p%4zJ15Es%^3IF*}>OcNNn!#sI8WMdC>A<+B zgxoQ?gbDM1gBfzAS9jGjso*YgRmj|;`eqz0C>r4tYp%7Xf}Lp7%!}0`$@h7RN*n`6 zdg|U&LL;hAm4X6_`C(lC1;X$aZCzROL zXtPsXkCHHikBhPg>I&`Q+bjmldDZTO|=OJxe;gX~T14DtQ9fQsn=k%r;Mua|dlTJj@?s_I!BR8dA`q<$S2N zt+PFKT(prFM)*Ck8N)`?LL~JfrRQ40*|){0Ax|!$a`53!jea2ogUP$_ZWyb@axSbe zZEK7=N4#Q<2TLuU{6D6?G9a#|X*L20?(XjHPSD`)E@5$Z5AN7%}nh~TGb_${^$48usCT8j}Z=RF={5jl3vXrdC$2XKoNag zoV+;)5uk1Jw_F$eNgO_Y?yk}B3g7(b_nzp!OP8LaXZ_-;T~^kk_`&sk?(z0;X`G|u z1!3tl?8;jTgWK9qKgRskmDEi{uxLGD>&zrIrNy-B%2SjuB5P^nfYqMZf3d}E)}Ap! 
zb!|+;Qc^olgOmw>Giy;o@Alpt1!K9y%DW(f)hqLJm#=-iBYO(u)@Zzqn*%CW>TU*J z7By2LfAhE>8W2y86)Ki{wqQKMs>R6M3I>>qsyBrV*Bs9MXHeL7&Nz-|{@P6+MP*jc6Ugd|Hz_%U);yB_QIZ{C3}W zIyAVkojl$_a$Kv5SPM$5wUBBYsaOSpOcJG<9_#O`0NxE@(5W>*8dnq?ACp9Nv%b9< zhzNDDVSuLnmHOtOu1J-VYOK~rm!(<Yt_k@>HIJ@?%6u=S z7Z=JF+q-X90hF08vR;-d((}`XzCN*Yqu26XqZLelt$Bb-FYk2r@n!gLHQHWjawlE1 za{5ilF-WUrh`*L!ai9Ylsg6-Br1Ls0tip=v-?!-0!XqijV-iG9cFA=JT^)wN;c|y?|G^4hHF7Hh=P1Mu_pmKfUH5d zO80a*o9Znz-^<LzVidUDPscNz#8o6sTV6qVg_x=^$NiVO^TMf@$%hD`VC zgLX5wc8`p&{L%kbm`(JMV)=o6zm{~w2vZe_gqk_U5Ud(ET2Y>fWL&&L@G(+4TJm=y*vzYRMNlR&b{3j-h}e%i6ihg zYB10VxJJV?7rp(a^yEn=O$5?vu`FZUIW0CUtm`}O@N`^;A{bD|24;vNAyjCwK;vPQ zGMw7#g_&V^a|jB~BdwqD-pi|xpEp}%Tvm(B)n%+ zGcQ98h=1CmY6{>T2Og7yMp;=$<&TW?-g4HqP^s*Frpd`^PKp zL--1TGX%00OISAm4Fo+!9H%-?^@{jXBrp`nON^T$aV9AWwMzb|mv~ye5z#0E(o#4K zIC`8dVWDqP{GLeuS&SrFU$p!Hvqwvs6nXsiZM=lP{;!9x4bmaoS9(@aS9*y6mm&Ax zc-aUttf#)87jmqaen(M6NMO!cySi)8&4dF->S5)x_B;)#Vb?XqsgiO1nj)~@E3 zg;Nv$7UF0J3?kUD3?ZgDSjNPIaJrbe`zz6*{`371)9lm*YN9kb6ECR3)6FSb-GgvQ zD?Q%{f)NylP3iWrShq_D;mRAxus<#gKW{wg;xl?Axv-18KRIc@x;3b^3jN~GpDHj! 
z7s2rPXz)Veh?f(#qC1fiIO_F|VNkZ6^FC^b)-})rPWOXWe^L#U3+cU885{CDT0ZAc!Zl^|VoBiDW4Kc4Kj3}c}Q z`H`hegG^T^(*@|gC)Hq{-YCYuK)Ui2>&sHHaqTAFNPKFe>;74Q6weROmyNLU)x02( z8U^EI%FP2Bq9NRl@O70!!(g09Ycw+=Z}?=@)!L}a(p-{3O^y2|k>ut7F8)PNOG~k( z<^>IV`!BuwhPTnFquLw;PVW@JV}gQt^7fLA$I;dhd{VLNFI$V3ruaN$%4`);xBqM1 z=F9!+L7wDqf2@E3lYE*XyHL*Su2>tviPJ;y3BKYV_gkcftzi6bg~YwG!T6=r0~p3?EZX z+SIT#p9^4fi1LW9+;ym<=2s=S=J#zsYxtqI3@-2x=n{sHVWSu==e`x$k6S}O1oDk6QL(7c1 zuE)p$I%0&Jgn~05{+waY+x^UEeu$d-vXqR3QIw$}&9%-g+6?@Sf3voX$K0Z$DiaO1 zq!oD9QsG~ohM^Y~8o9I7{CCovA_AB-&GtdO&Rbkbe6q2F^|vjOUW6WflyY^A!nDT= zC#TUpx`OfYi{6tfY!Jr5_eWs{90^7S=A6%XO8!NvWNQYD;DlX@xjJ9FH{K>pqP48i zEIj$vURe)`0at9aa55B0bxpEVTXj%11|`|)Z`$~FfGggnr8FNG?Da-quUCY7eoP_Y z^ej%UXAe-Gmlynk?<~IyPX}Ux;<^Tw=-9bzrvL(i zw>Uk$_7ir#e1MC7qonLtm_Tyj;U&28)!OZ8zVGS$yz*ggH3{Y9idBz3?kay1hVw`^ zT=bVQz4FnLGtcBT44%vr`|PhX!0w!lCWN2!c2CAL|9s2D(=z=fYh8c5j;(L=N}UiA zpQk#Or^)PQ=tz80*oYXiN~ZVVQg4-Krr0XzFq-@dfi2CCWTcbY<;9CgHJR1-viw_s zr6}{kfY?^o8X$_wHd14mOAgv}b-fM9Sm- z9gKEa6z+TX@H<_?hio9>^Je|QyfkO4L7PmkHctSQdd=9^|LPiQGbKH#Ai|2I_h z+^$orMA?A-Z9ZcV)-vbBKi`#UQW`5%;9M=-xqwr3KDp}JYS;Tn3psyGD2TRTw1LN!l+HK=IWKh2(L~+)O`l% zHd?1Oq<KMWt=#-g7&b)it(=Ca`4n-J{j ziTYs1r~#gsW`g zokM17$|{<^Qt>s=K{RcI+01`vk(oaJS$;?@SpIfGv~u~opoO`8{?zxoB(0D!DS;y= zBXXQ4?>t;v;Rbah_@;!#m-6V&;va49lMO}TOpJ8>h8|AU7jd45Ru1;4JSH{uaMg|! 
z-q&w{dv-rlS=lR$vflsazcVG!_Z)go4pjUc7z5r<&l_thJWVgQGxdb)f}jP=?@=~X znAIXxpYS|t%_5W<;5X36pls7f3N+J^D$Mk*YjoEJY2(qWMG*hOz^>p>j(YjQ_dcz* z2~Y^=_xwHMzzpUb$!)~;k|c=_R8x-oDcSDaZdZpA1*b_Bxf-T7pMs}lWsTRO$H1gD z%BA!qJRg1XPL^FUio*Vz0mzQf!98u0E9;#*JFDwk zUg~qhID-#VYW7P0|An@FzIvtOoQs<0k;upgtT{Xq@1*S7s-$}~!DTvwE`Z-1yBMvd zo-4dz1rsVVX1n0>b|9uTJ-JCK-6ronEcQ#&}sYFfL=3yJ{;mo7`;ul-@^O+LB_e-ujvz9dtOU4YBFa0nYe0xDXS2kBYuQD z_%E1$ZC=PT)U91^@oNBVbCnR)fOmzh`Lr)7F|zJfoa>opkM^iDGw$-Wlr0nbCnvxV z{cH|FpQakPw)>lt=h^j1U+hK8qBo%O@D{GeR28NhKn9DSekfj%zf7+@)%SI}Y=2u7 zn{Qur+waDhLT1$LFa2KwLILsmAZNTlrXCwh|HqgrLLYO&N5h-07?bNO0G-{-2KA&_ zwSMy_P;Z_xIc07f_l6R6E|7#YTABO=lfj^i=`Z>+rEg&}s9nPvSF8n3SC7iS$s^aj zPl>rc8eS`EsWS{fPrHf2waGmVLkKb0cNp7v(XsjQ^(bbo(P=lZOmKs74R2Rx!2jbb zhcX`K_1HKL4FtjTZ>s~56-;&Fbku^vAc4^;?I+ifx@wog2Ri*_TxiuJ|JF?EEb~2j zSvshC!KN=`IOf^CIIiPf+P&P@!q5B8-I`9yp1tVi=it*D1sTS?`* z+M7}$dm!UXAjW-pkJW4_0*Jm~Jkx{>C%s{mx-5lNZzTY6=W+{==`$&=ID~_}O*@MO3mhh)_XFKEi zi%WZ1b{07;zC}0RUUXK~-BG7O9BuCO)yKZQ061$*mU1@Nfw`DZG|q8N($V`k!A?lK zNhx(cd#5LxXG1}pQNN762HA4em{Uo%`a*y%W>n+63{ zVhK$SctaD_S~*wQvCY{~|0tKgp@=DpOPsf%bQ;0(7^I|A5){sUA#d_@Srl`wNxW|n z{2?~8ntNZ*A*}=yv9AB6G!jkeG^xTD^jx9-{XX{xmBxZMSxR;NfeQV1l;)HVs1ktc z{Ei-&lx#Hm;L`DgAMI@F#=Q4cdoQ4y$EKNHdH6ff7^LYt$apoZ7|`5dMV|DFfZ0h-*;jd$jIHh znYq$Vw(^GcB8`w5@vo>e^|aXHl~=+I0(j|hlr+}vUOab4q@W@DrkOi zqGd<*35A+zDri7HhdD4p1RFonVT!Qy@ZnA(cr7Al0xuvX{iKB2^ysd~?IhrC_~V}} z8L)e!ivu}b#8aEXNnu`BizG4wWuZY`yzsbGqZ*C5b55B1G_29HCh}#XndXj(*xR~F z{|TwTbNnehT2r#ZLai6fLWt!fhoU7^ekt5t4d)E^d zUbAxsvzJ+SI>>Db+KIGx7yD-A8Jt2zfgAI27?{%5bmE!~{DI5xXq}Dm*bA>DGVP)B zVLR04F8>Ju)>pqo)ga|={B$nyOuLcy#Cqqpt=B=ovEtvCX1eCSp=v1Qhq1K&RnfpX znzEcXQwcg=tLfToRnL8Lk!3j{`-Ke|BKVV^KrrbPo^wtxtuf@-Bw^Q17)6x&A z$c^`3|59zNJRF1#r4t{)fHxir`VHp!DdZx|Ow$Y~jfQt(pAIjUtX7l>M%5K*e(8p6 zsQFyp8K{-&3u>fk_}n!3g6^Ix3CQ4l*=SewrE#ybTp{@!JQf%N!^q{ymMA-Fpqbw{ z!j+PE+Bde8s0Y;;Q{cNSKoi}+-8_!ug=HU{m*- z2anmnMeaZ{)kgZZ1z+|AcWl&I1xfk~B*2@<3)Kb{-!Yd}{5 
z$z+#@{jljP8oNVqs(7=58xmSVB#VZIQ(wSWEa&6Rm1EveNsGRpyojs~qIiI<%#drm_oau_OdCEmUKmcL)Lxj`UrVs z3p1`z{a+@?D;n>v#~i9P(&h`U-0gFn*_j{b5UX{pd7^r=ssmlU#hDtyDdAora3Ad^ zP!p>4>*2lzH_~(S)zH&r=DzpeyLu_;Gh4qV9gJ(8SZ@>8iw|l<-s_ODVSV zu4-cF;(X+)Y8m9=3NpX!9n$YwYIlC_cv|s#KHm^rd1$s5Y_b-(6u8~H5NUI-YvFvk z)Caz}HMgyUyj<7Y-Pc`)Lga^T>@R0-o<@$(cPD^RvwPXA>puHK`-ihH{MXK)W8O*Oz7GhK~E}ag_6k!jqTVoif>LZK>>)F8tL; zz-7nNjqYMcyJzdm)$@~d)rNYub?p>r-GhDYgVIfz9Abu6C80nnq=mZ$Xy=Z#%hwmQ zd3zeIZ}q!uxa^Mpp))BBx^$F}RLfDwZ9Y+yb?^ZtT}PP)yNE{MbDy}#{|q#oo!4N@ zHdlrNU$YRuYgQh2=*adHk^(}oBIR>Qd>bK;QX5{ecPT|+;h8{#YupNtVzxKA^nn;g z@zM``MIm`0vCns=f*Kgw-g}Gv2;4Wx8rd#&4yU&iNlkDmG&N}FH|sKJX}m)>l#qQ< zH8cs!j^!^LZjM&HZRr9-2dZ$6uVgyc&`L0=V|fsXGzMX~8D6QPB6UVUs(SX5^X3~Ws%yaC7madj~s|_&M-_oWYdfSnR%V2YEp0JS6lot^vG!VI z!GEVS>t_?tb!m_?_SA=PEQ0k&t_@1(OmAx&^KBLsNCqA+s*j1wdV8N72=@iI2D%!3 zxU4WL|C28621GgIa4eYjYnWb6#R|-_Y?S7Ux@yHKKhFqwm#Cb7Qs^7x`QPMI83+t% z6sfZ>7*-T86V5>OdO^!k56IgGkA|dEYz=2)1xwQC0)%cP3;_P4GSPlpsYWCz*wVCu z*sdeGYG?S^sNZ*ipPA+|;@Idgd4SdiLt3Mb5~e^^Jj*{_X^v`R*}iD@D6WMs%3r)u zzRXaz5>qr{ita}yC<}K8Wb5e;l%<<3)%;6lthTrou1cfX%Ny7lg>ZzHC<=O0BI$9N z7ec8A`_LE`U9}izE2skbH_JLi)oQm+bvDd7fZgb+C$Ou!xriLnG?9d8jz!Y zj_?O!!JiPrdxo%W;@3VC&6tuBWz^PI`Ax_FY+dH%94ic`%$=!rh5C!HSS#lU`>Gux zV0?v(V)JKm^7r0%M^8PbVy5evJpVN)AK$9?+{MlE<^{><$6OIf9T{4+aWnny(;8n6 zwQRer9?~j9VBhvmD>Zt{rcT`~hoK(TNkMyy3?UPc%}`sh7neVPO}z&F&*02^8%f|- z!`X~zbHyBMYZ89yi@NDL^~h!(j}Ta!?H;6a+ZZ52@h4u4Se+A$OooMd7(;&wFsWAFA&-$|B9eU zys}8Wd71!lr$JnT6bhSMS3yEj2z|*koL}UeB6XJPp=B>zRNYR>atSH^EY!4mm?jwM z^@mK5mymJ|MMA~lh}D$DJ#rv7+=)ZOl0FuQu`l>W)j?T7{Y#55?BR$#R7Ic`v~VK$ z#*pH_L-MbD8G3SY%V8Zv%A+Zbf&TDO%Mg_c?%IN327OOCtCp#5!h9nUv#4uN$B}o` z*nJp}Ulf4(Mf1CUzk_K6PG#cY)3{pEAs20rqo*L9v}Q+e>e2z4C43Q3IHsYQautZz zwC^hAGCpf1BCanHC@<*gIV3`}DG(5|REi#;> z-X8HG5p65F=?oqvF5^95J?Hn~SG?m9ChgD+P0Iprgn^_($?VLdm6xG5-Y3(&gvInmvW{?i=-0SA0^3Ng zNhPiq8W5P$Q2s?RAv}p9_LN6fr3^;NL`-weT2U3=?hb)h;(vZY9Mi7i;u3rH(m~*! 
zQ&A9$xiTynhD*wD1^kx2_`qa@e0q6Fr@vkcH|59}LxVzVB+xdgYxkmaA>m#-vTbj1 zw7mWH7A*5H*=A<b1arhO>`xeGmgd`jY!}X}4Y#uGdalBV0J=I#<)m!R^9&aPRxRMCQSdde^N%6& z6Y*?!Ix#!#jyRaiMWuQ(k`VO_WIy!zy827v(1+jG(`lGdyMIj%f)0=SXrwvpF=cV8 zu|qjT!^xJ*Ua(!?$HmjKx&2lP!{BdAkk286ZvlJ;cSS+m$C+X0i%*_sx8#V7?^>1~ zFHOiOt)&93c1?OZo&1Aw(uo!i!}H(sV4-A5!|a!D=zM)`uFbs7ghfRo#qV$F{-U`} zuAYC`x*$r&N80)ea%5EM%ZzAAZg?SFJ^W|Mk4_BTuMJ)*BK+Oh$@EFc`UbWcA)FRD z9_YcKF3Wz0NsXul&3nQr?r&4X8#VcMlQ_>Gnp41HgdM!^>r6t-lR_YPu^z{1>`C*( z(ioS~$V6++g!m-q9u3{abGCxU4XVAb&maD;2F~cipVXXP|Js;5$Q==${7ru~c}KgO z3~3Nojkis-6wxF@!_g`L=05OaEKB2}!eHMkW4ZJp=^PaechyWaN_;HbM094MA2mZ# zX{MDT%BoF9wSmgb>2Zz&4}bL=3&9_$RL>H|1Vy*2p)2NrNF;KWeic}VUSOGcVEIUn=O|h4!|xQl66jF)Jd4h zik=<5eT1zojdU)9{xCIUnvcG-S2U<*K%wAclT$DbF*-#_H7Jt`(xDn$X(Tcswd^(N zdzdpwlu*Pp(QU{`dBf^=;fVErt#m2_ihZWp^b1GuOap{*ut&({1Ko zZg6EJgUR1V4!NGl;8*Kp4HTs-GTPrjpu(1KX<>!>0zbm_3W=YH~AEc=%x zyZ>~GQpDemT>OpD{D*CT8Oc0TxFiR)zbB~372Thn}FuNPN>^U&Un+8F*( zn<#|3P<@eIrU(CW5K&Y+yL7;XE-qyp*|c?PJ~^FW(kdEN+SI$P+zpbQuoS=kuHKE) zfI>aAfK%0Fnt?JzABDzrJ7c9A?Zw!#-d8{T_Hm~a?1xvOIt`;5tEpl%8@0DJfLbCG z!(_@)ot#o9T~|7-_+hXoUVYO+|Ko|z--@Djk}7G`2ehPdt~5v&Kk)zb!-adeY_YX~ zDV_b5o$2bWDNumDKbG()IH)qJ?H!dSZG|&Y(q$YLuNU1$rz~-%!q3u2==LscT6Meb zwFxW%XxxBG)1(px2%xRz&YNf+MpKRO^gfarB`xBQ)bgn7mPD{bMAe*H^)a*jV>?+K zx9gl#@97p+K0zNYREhdtl}=MVt^P!ob1?s=X)3qK&jU>9iXoc<(uoIky=B7&mB858 zR^Qc%EfvZBvP)QEyBggm%@W%uku)#QDr#WEI+?W>oN0ORlyTa!JH2vsqdkh(W*ieN zaHK6~82tDNrl~TQ;lnE=*#ylGps8Uhi|Wd-&WFlaDk-fXO|}rJ=F!Z|w4+sEWbD3a z>OC;}oAUlr`>ZR2Jiph3czSZs33oDE_*_!q>*ITiwpHvajLXx77%;#qmoU;1cKOA> zo{J8LmHZ}SGEOG-?q)T!?zmsnXVh?!QnHqfxRZ;p>y|hnD|jr8rOJIUXdT-0ayUY< zFOhauQFj-W#G}$z_ZZVLAiGSwANqqD3S~PCG(=r^Jl3mH=D$yrH6&%2$?a7Wg*oVv z0SN44idhNa^XMhc#M()!wQ;f;1_tEJe*-B}WFA>zXg_PFfn9~!yB@Mz3OOd~`>85I zfQiMhXO086RkxHyUpcYw5E6+@7!D<#1t+_g^kgoZT^5Q_drBjI(cE1f*SHH88s%o< zd)P2ky=aJ0O))UF_aE{2-zU^`;2(%hWf#jfD0Q}rCz1_62Gvugg}s}u4(7?v;x6%3-q;mo#D z!>r0j*EqpaRnc@EQw)7d|OcfaLh z!Sb};Q3&awx5HgHh)%CEqX%umE+X8t|@iG~t| 
z4P=>u*n7~XA<8n8<`?|yqmH1eJS7Pksm#mDsT*j_2XfO&t@;#U{MdVl{>ZYa`llh3 zMfcL=h>H!bFgzzlI%1UN;)xy(Z&KEVglceUC2H@t*3RX#X;MDG@YA{F!X{3ruP*9) zANzRa<9kMaQ1#YsMmRr=2?RFAK}u!F8~A@_WUy zVH#;4GiK6Q+Lh|_N9)Pv%B4~dv}kJ0ypdMz64k-aLjBR4>VZ#oV3VY=65oAnYdx|Y z1{&TxpQPNJH%(-(ZdD=12(GVnMWD)t+qgRC3i({&qN3w*>I=S63#xCkxB2oTF0*V^ zTGIBmuc?C&wW1|Llx0z*aQ*2y!|O`r-KFbK4A#3@Kk_RNttt1B%BrW6W?k}PJXw5^ zm4yhBEM+HidCU;)xUgQFexd})Zz*3=_6@i4VWo@D6`4Yu)Z-LhwZzo>y(kti(#6yy zIVZK{iLK_6an~l7Fm-5jk1wR!b-g2pwbS&UTB`$b{uWCTi*X9GWYE_nGrA&jQ7%*E z_0JjvtNLT>n{?s6zOB_YnG=lnyT^hrV|0D{VhaboHta3H*5|Jhs|$WRf%ZH7=v!+GDu`PM|s_d1O_Q`xcLFbvs zs>{P+#FtAaF(gvHMtQ_+g2NkgFo&b>Ycau&=li&1^Rs=qo$Gef2aBpIGuxZ9-BO-$ z{8m6f0Q6a#kkfU-6nEC}GHqsj-}a%)*NQO4^>}tqUeNae)Cu~&o-;9qX&bZStt`Od z`$X=0zPvjCCO->bs?>dym8IhjA22!?h*K4E<;!#$uyg9IC6<#CzwF}EShB8}Xx9Iz zw&ogjs-D3Od=-Jeo#mFYP0zp5>vys&?yM2-^riw%fXV2wN1Wl!1Q$O&UU^*He5)hr zYuD}0Id5u>`AoY#Q@dX@2R48F?UTlub&jgWL5I5#&7;p((ADnF`NmUU)$x|}m~55Y zF@IFmbcDM7&mITTCK)GHN(r?_?v2vXFa`@$J7|Fad1DCmfMdU!AM2QqL^ z(&&=BJ)j|@pI3vF>vY`0FmYAE*72ZM;T_o(H~HhriFf8h{q#Ub5^7y~Pcah_8cs&a zq|Dj;@A5^@LC>@HRi-(H4Uw6JGlNTqOn#Spx}cPS;*UXBanGdJRGb?H(nUYK(BXMr zr4~w+;GDe$BfOl%`}YMWyJ^d~xg^>w z#ur`J!ptG09PWck1n9e+xJ&YI*v|F?4Gk%X%Et`hU3x{bdzj12YW}E*jbm-st;~U> z4kvEk?{;M$dK;fsYdUN>z#wtiV{M#VKNM25m4|)6nAvcA7j^tx7V>ys7F?(3PmC;M)$*|pUEQK5xpVhbhyOi3nz zw`uNdhh=i?xp`8JV(@c%!-fIx{{~B$AJIL;@>1EIW}AAXNjxk3R-1CweC3HTdozoW z6YchEInMENrqXlInU|gYbBKaR`kmg+DDZk@=jm36hRH%*gM>Qg^G$;{%1^r&BfO7W zKOs(`aD&GXoZl}%>}K#k-w!czo|M9%bIO*rXgbr9&>S2B)fZKlsi$XTD798_Eks(} z95_KOL*XtCc#x6hLS>CGqDc`TNu|BF9h9JMac&#t)NJEnB zos0?SBR7s9UbVU96(ooTaE*~&W+F()Hpr55^u@|*MZjj<(b3hOk;`}uL4V8vs~9`r z80{7^SLC)2;{7ORUe^5k=V>101*h}@{rUXxx>zaVqHuV0v+Fs*rp+>Ea8a)p?MQCu z=M+TJDVZi|S{|&%9KBO*Pv@I#5BGR;tR_-TPygACj|dUs5Kfl-JxpT)dYp0>vv35zckL}S17 zhHm)NzNDbC>og-DV~QqX=ktT%_@W@~uc*(lB13@1tyJ=(@Q+5--V7U=nL^!VOTW8c zmGfWYY^TV6J%+)D-j57{HzeJa2;e{%7%r8hkjiyL16m94Nu6_OdwEC0MuEx0QgiN; zRJJVWrrhge?7)Tk($TeN1Z6o?aqFcd-F&`Y?^JJJY{$98cg 
zLEqmT3ybuVLzU1z3yQwK85*l_u$`J+v*ov42W$2D=64dyHWGgnv9`Z?rLs zJdJs6XwYJ{Lhf3h2G)y@Q;H!PdZ?8Ih7Ulh&6Ar|u`m8|m`k^pLmU)5l{2P#6!}Lk zo-*8I`#B|)^y0?pJ{$4&c=l7+&X)20s{VR*bl}mt=jQ77wDu4k6^c47i;=KlTA^l^ zZFQGYlJJK1QCxDYMf;xt)>;3C;u$@`D(}FVi)>f^~&0E&k`eV5k zl?)>zg^NilKTbH+%|D%}y*|PcJFrX{y3|0hkANjL^ug)i>cLv76Nk9puDBaUA2H=U zB*$JzPjx2SMo@asVcC-8AJkinvt4)dL*P|&?5|nDXw4B*MN-@0-YB37V|XyqEVXtU zs7)?$yST%1Dfj%4&%3R?D() z%x4SjmMy9L8QeH{aH->llvdGPhMFmsVvcpyoK-j*&Xx=J_22VRv^cF7pmg8h0G6O( z|GMLs6E4F`Ah%&n^6bLB1gRijvaYMTZ71#Nm}{)Eu^w)nWu+X1&CbYfRoYeRwvndo zyb#CgaD7~x5mv+$RXG+f2u>=Xq7|C)O_l(){y;A5Yx=IzSSjYpkVKt2id1H~cGfy# zF2+(owNd^%)aLP_!g;Y;?F-<6epBUxw(dV=@hD!Ir4MTv?Sg}rPB`1UMTtJ&EIrv2 zUjUM4`DD0^_Q{*`ArVgZkGIgOs^ zf(Ypzm*V_SUS4<2?)N(}`dtoXb7>`p<4F#=AnFh);tag46jm8JN(z$SFsW^b;V-Tk zt%f1?y|CHLWlZl&Jkd>=m&X31^;v0 zdP_LW;)@&!I<52Y2C2AsSXsAKD5YKZ&t!YD>hr>BlKgVNs!jiv1{cs7+*yV$tW!)2 z4k&)cQQZ*HFCZOk#o`#FwBaPwk)RoMN`HK|9)OJrs$jDh%g%K}#21@}o)-BtwIyoM zvuw^@eF+lPrZoz6+ZONSo1$&Gp9lPO?mJchkSp_Z`>!M?g zb77w83vN=4FE=%|v@FMck2{M&Gj@RA-P24A`KgK&O`;nzIA}?th*ppH^|N#L zHCGpa>(>cupX5b0d)BQtBdv;*^_wC!vpfo4q_r#9pXjn3KVsDTRJh~*RGT*{la%&2x z{nVMsN!!ifeM6VhY0VW6-7j25rho7t^fQ(D*;1SPQrz`+=~=7O_vO3?v{QMVaZuFt zbOUa8J{HRNT`k{*SYPf|-do+BHVOKA7|*hKH!|acmR%cewQXF7)^CaseOLRktydmv zJ=QtEsc?<6AYbDWK}@hrwt%bP&GKOR`zr6|5c%NCX)DiALJkDlUp(4G^cjixpQ zk^>J~=)%gmCGq*@Eu-2CCin`=i9Nec|I2f!Qcv+6dD_yr@h!QnJ3r&}>^|m~Mc|LX zQ64k<&2V{xHU764YcdKqP@4L>R&cXGWdlboBSF`=w~GUP*^;Adwc#Deube^=ax()# z0DLGMGZBErHqa>jEI2JEdk4RyH9mn(J+UzfP#YD2h;8-hpVl(x6bos20xncz%v^-f z90K=2QXO-8QHMZ9Yp5Y=k#ymzB(i$#n;kvV(;h5menuMjR=#j+nyNKsG(!B%$Q`wH zE^D1;fdkf$QN2O}7?_jnwCz)?sCu67_&^9_SYyG@s|ss^oGnT6kBB|W*Dcmj@4T$g z_lRDXx&yAx*O;D0f#9VF(N*jZ3FITSod%v_=!&{)vEiKIK&qn2GB*;V533LVBk*&+ zuHtDEwxv}dTDoI#^i;Yu`!|x4;8E&iypJR7<6_!p5ar;nwEv|E-wTRJ=Tg$y`~Gtm zGd~9k#_NMQVI>WGNK~>Pz%0w%3Du@3qwV1MmWKXgdf^6f_Ypdu6>0xEFi=FUG29#J zbvpNP^PJk@9D+B_7yE6#<-r2b9sB+T}?mtHB@F`JUn@NkKW&0mEa_F zUXT15uf06!G=I7Ip80&=YdKbqJyikMP3TF~ky#U_+{h+9=wp 
zHaWZ6?+dv&KM`D=cq&3veQd_9Tmz{*o$Wv0UCb9gOmz7c(Rs;VZ>{s zD@xCUaOgQY3<4|3hqx0r3#v~}%PVo58(D8a685$Hj(e|zl?d%-7{DbS6e~8UDy?N$ zoO%lx>`V_)BD!ifz3rSiaI66568SF|pyrKMbYUH$TDWM11@3W6&z=a62VNBkdM%f^ zW_180PlGbSgsP*^e8-fMg}@uc{%}3xzbx|M znC&WC1T@+~?#C6ry%2AnA2!zYL@|&UpP$zCypCSZydPhDEV82oQ(@iCPpcm2WePJ0oJJP(aJNjnmTQ9%?`%%kR{Ih{J#5gfD2WO0_AB9#@%j{NP=TG7^R2l=n46u*JxRrfom^6`(r z*&-sT+w=oy4q!?nWSf?5qWhwqBv}=UFtCzLHI9=4MP15*buyhKYdX7!L+vl<{Zbwp z9JK)$4`>mHpN*>4*ANc)pXax|RhjOzw?8UNDk=c1JhrnBKMa*`*i&oOJe+FfcxZk_ zcr-ibWD06iKc9Y8om0EgrnV_k9{RuOc)oJ-y8F)OMU`#;X@ir6QdqFl*J10R^~H0M zRrwHdSEOXbUH^#Ds_a6ZOM&&!JGE~DcMyOIVYjzZgLb<+aA6!;+lb<=} zHGK%3duk08zn7U&jaDtLgzOc3>Ny#+pS%n{PFb5ri1|^}4=Yw}ZG*3$vLmyJJyFQJ zGylP`9*g}UGBbraU|n9+bj3b6aWtz~`+Y#8kC0#yxK|;c%qc-<9wd^W;cyc9aW&?g zn8h^P8y%PBPdnDj&d(Tj;AR=wl}WXgzF|BJ8s4eP!~uLzK^PToQVCBLF9M!V?}@?x zCV$xU%Sm&<{lt$RjWNkhiE`vX!`Vs%sAXeQtM|*rm+fz}ETVfr4)ohC9?{3qw%V;+ zD~=aVx@Ilj#s^}M*(G0+$Gtt+uAJ>X+r13buat*vTM@QR*UG67ALM^-34sP=LP7Wc z?JfSVod>=I+%E8i4sAn_uoX1XZlbA~gpS;<5ICDl5w6xDoRJJ~i@U;ceguVg(yzozfPf&KAzU(9PS<;8Qoz-6##~N7kX?PrOG>C+keX0mHDNj`v zpqVb}r(@N0_@Ms=KUGg?#jE_)LtLO2q4wIMCXxh44I$bg5TZ%4&vsC@teNwT5aYj&bAQ0CP#V*_EfM>7eKmD7B0{X({J4L{{>J)ahp;#Y|*@ z==~%I-j3#y@5euW@zoUn1-~op1;LU#$~1egOS-K!A_=7FYQn$in7G{66>y;rdHcc- zbrVPseJ*NPfG(u8Xlg3()^UGw2YqQSMDTZFvo*Rh;cHO5fVMi=sxFBkEd+0sY_(RE zD{W^8HB63IX;2g8s5lB_V5Q&W4a4KO{zpG$a}^5suqqRR=PH|TYA)o~&p+vmp*BSh z_;vBAt!T?Nus9X#Lnm?KyOqthaaw1LGtMR6=zS=T)-X<0T6Og^)d~Iz^g$`SeFKe3~>oRTY2r;>_wGY3YYy1 z>24r0QRfidZ7&Zmr!5s9T!w4>|MtfMxjDci#QkrCK>n$$6c=aYnI0wNC=L@YkJ@LR zsti{6QMT2qVt2*w#5h}&;cR54LmgA3N(f{c+mtX3H|u+1j`q)AyoH7V*v4R4`XymC|aE^PHM9Vzz4La?QLwbHaQ>O`PQ9FO*_g^oO z+Oda#h{14IxScu?liUQJ(ml;Juq-1%DfML*np~9pLdww~?4zghzl^E{&laXDjS~{= zye(Pk>-0H@jXte;7;5Sq88#JfwPQ0ZT$nzTm=T)2PEn)dmiIWkL)>@rT)PRTm?LEV1x&mKhf-brk| z?zzwjh)TVR!e6!HLWB_}MG7G$l9o)Z6bx)7R8<8Hgmes;P;`O5>+6RuS0&!s369qTEJqfS zZX2d&hcqV`f5>h1r8T1*tS*wu2&plF%m|`-8?D}wgV4esXJwlv6b+-iX0Avsy8krE zT|AYrKCFw7V3T$UOo_$0IR85Nh4<_j!|_xA#I%)MoQO5$2s^lFW^M2_OzyFKvU{*~ 
ze9&>Vlt~l4OMGLmsT=5cKY7^B^^*}5D`uqFUwLWY$&_Ym--GqH7y{X9m3b!&o7e0* zWmMLDtDD%hOorUYXGBL4LrKHqy`uc;qNx(2(6J#n`pI^&fIUY&qiIG1|BaRv8TD4SP9;bs@60 ztHHddQ^46zUqikJ8Mo~7awVhx$KG3qRnd2C!zLXfC7_^!v~)>|NSAhqOXifT(en4SC4)lEREy&MLRqk~Z7=^^ zq%`cx`Q#m`tO(SQ;ig0H`}}nGJ3W*Zv;?b>k2fO39uM+dS-^DpxVBMuzJhRfH^P8b$DbF?CvUc!l2K8kZ z52yC;X+jq!I200zhEP$+TxJWW@pLRV`JE}DI~$N3IeyR5XM=Z^ux6r-am{GrRZ8eY-TJGf0uRf*QuN*eK zsg-c`*jw(JGj76FSW9K%G<|$ETSoMz(4C%;v=&11Cmp>EqIK7(hH`JK-rcJ(( z5v>xs^HaOl)rOB`=K7C;Mz3=R}U4t-uCWuxB)WIL&dUJv>&^}wY(}2)rVj7Rw`dXyw z2JnC#`>m`LwM}}jH=EM4M9WPgT`6029_0}#Tv;k(5_dTl``GC<9od&#eEHCzESf7> zJ2ML_Wez#6rmjY-hYbglJv2}uOnZikTtSVzG!}7HA=D=vA8wXS08ea+BQyCP(I|xb z$|vPKRyGORPll3XHDHpP&mz{UNJTybVi@#wsR_0Ai>tRc^ww?vw%%-uyTID36>))& zD?02<&A_a`l3WWKaUWt5WvfS%e=|+@-b8V4VsObF<%W$2RC6T!egTgolV5Ar`Tnkw z!_AeR1yS|+O1lin(asK`5{H=g*4K(%zrHT7gbGMO>hh+)TqwjQf7I|M+!&YZ*2xL> zWge%1dK_rnCqSMHJm!oMgr|rTDe565g1D?GrhG z3@r2NQ)f8!OT4n1BypUKvw*f^V?vOJE@NxVU*cJ(X5)v|+>B&DxnbNji`#7cn+Mr$ z)RHBiq+exizI$9khb-^ccnHEqUcB=F!u;Oz&Xo zt@8!ft#lo)D&p1Jm3q8nC*{?sGe7xhB{$~KGA+)O!x!_0&vdCDsjwUxkPRMVM-$W= zi1`Zn7SeHPwOub9`gv-?+a}&%PGO;61Y~8>A>Rq9jlyP9g*rZ+DaUo1>>xHG=&LIY z_dAJa+MS}ZpPqbz-Glz%9dHAnNaq8rcUy7Z6vfFU3xxb)qKl(yibU_4KO*}YCDHWi z&X)VUOY~^5{h6Kn@BE9UMw`{V3b?;W&?r(1(j$_}=XW_5%v)v5>TJ(S;Ch3UU9G}`>!z2G^K%d=!Gc|SlIh?v7C+0K?h z_*oW0RcFE1tBr{2vN`u=TRw^wc14J@SDV7uBbxTA zRW2nRXGb{Jr^TqNbf{8|xA7l#XLg2PRgN@R&%xkQ{uv{!3@#}=2WAS?-VL+*1LkP@ zO$#r+TFu@=E=5L+4Evy@nZcDOu1`GrR!e(%%eb86Cuf&bN;->&R!L(qL-!VJ0y>_s zpfKx8A4*-P`jQISo^ja>^O<~#oIEAUmQht(VXDPr;-o@weKg6M*_5dUvFW{_Sw)OvJ)O zutPA?d7_#ZS%bOZ?-wmwAiUdgy-j?TM^m3e@-H=1JS$kIYz=bQ!Rn@xZA@LGdV9#^ z%K7c3)DZ(_)Ih(C16G%D?oH&TS!|7F0`AW~ro<&XIgYO0l&GuS=^TI$2l{Ip2qXFz9XV3(x?UK zYF}r=RjkXfH{Iy?+;V7=Eu|?peTC^+7QR0B{ywjDp)pl?$AOH2x>=IhT$angLin?j zw6(}3JfKmbh`$Lc zDZuiFbbWy&G^>bT>Vs9;&@i7Js}5$sw1WxR^}cm0WN`y*bEO074@!cZC#$7X*deWW z**1mu6Z66e+|<=Y-^ts$T7E)dmfiI4wv}OyTjaKw#CA9@Zt!b$_c>?hz@&bsa>mSr zt>(TZLiu%5?i3pp1pdmFWxkdke!PY*ewu`*{au!YQWr`62)ZJ(h>2Y)Obi^<&Fpaa zix1!ueq*Rf40IM 
zV1ONCpOVrN(P<4>zWnN$F82L_sFY!y(?!{Vw_Ph4t>0C?=b92>wLOuo%GLgPjyEnO z%%(Oh!S<#g3a^w~4&jZx+iU)en&wiA87^Lf9HVA09Y?h`vDK;F(xyzLBYEIUyF<47_=2{3A4isQ@TV57l6}!|yyUc=p=4aA zx+3EEGPx5$EXbWl1ftTvGpQSZ5D^kYTkO9aMWSLkGSM+&Nmjp2bpttpptL#b>Kua- zt3O|g2a9+ewXxO7`2>T~U5zT^^$Rk-eY4p4O^$LRl}?hlq)8cQNsJ@^nzRa^IQS{4@30(R77gz2{KH+9T^mMu3DF-{upv zmw3%!VI(4A4V)0=ZKTr(v+Lxmryf)j6}?i(_(~-)uA9D(E@MLHIp29HUBHiWBFmJZ z2svu0(ZR0$vUn=?Xd(ekr+i}fNuN;54la3-)P4DO(n|1GLOQO_*U2}_;xDIuP7_uB z*!+mF?df=P1t9Q?9%}xVU}6RcolqibPqk=Ies@8TEobS%JEyJ>;aOFDORl< zcRxsG<#iBV>s}Nu8F2A}EcYx>KK}UZqRUmThR`XomN3FJ`{*DpX;rkR5(+#hB~Mh| za1_^4KYO0va%)%q@!AQZm28xX7xHVDT+^9-&e zkVeO0zpk387wH>5d;MPT$M&{c2oBRJD`B@J*eumHu3k`Z!S~+a>T@n28+j|c{eI7w z+`AF?PI0Tm7rHQN8*X=*^E8z|Gq1J8)wnvT-)NCBlaEW)%VR1*I+o&2S<@8AarnU& z?R9d;-P|V`O;l~JV;Q$bHYPu3tbJ_g-MEIMi1X2Nx?Zoj+&kxJbJuJcX^2mMDuYVe zi5vY6o^%aAqmWs4EBAzYB)?hueDld26N6gO#jl=pd(Jm+)?E6UmYlfsQ2gN1-ov7_ zI|O|N%7vY|o$J%$mou0VfByK~*xF{cuEk~+I4pJVNJQV;IV!TKym9pt`rIplPpdBS zjHWrS;sZMZ*pmkf5w6+ytV7&e&R5daAiYYRV`$gM@^)O;nmPDfzy@(aD;joj##-x05lf9Zb-E7{r^f^W zWUt0Bx?E3H==chIY}~E){hp+cpTr@(-+QF1SQ%V4DJc;4(Yl6NBQO__bs~NtO-f!_ zu5OW&T8Z@6@%-_m;k5iaq2t93CG!fZ#VPl=z||qml|fB*&7<#416IbnXO@v3VMab8L@Uu4$L zqxmkZJ8_YcKT7vrIH|mwwND%``!3+#PG%P;NK@9>^`Vq}CO`u`)K^SNJA^m4^}AR@ z3mpnx*Uy@-zHj$si&|8oQtRdvK{PhP2H*f9Q*Sf<%*bJGiIb~6#B4JQyjQ6{(!)R^ zZKV(`#I{ABdFoZA%e5joCf4A!$HnSJZ-zz;K6#5@UHg7>?)bP#u5@48x-PPzaNlMu zc(web}QIYB4~#Gftk; zcey&k_OeMYZoINZiyVI0N6}izYt^dnu_eR5=V|LJ3oqt|tdHOU5fcZ9S#d_9jBw z6*^L{E*0gAeJJy-j&3KP_NARU)9Pv=&+~!vG{x&F92CaNf*mK%7Y;s8Q-Yf@uizc8 zT6DuqHyx=-mH*i&lK{cd1hYKu-MlnB7MGO_EkX7lCo?#YJQL;>M158+2fq|Em!s6N zo0|-Nd%KG+gQ5?EgDbEWJ4UOD`i7oYQ|-bBpW^-D*@jiMn0Nsm48=Ragvb3A)&aCt za+y@aC~45a#%Vbt47g!>(_1BU+dp$q?0XdU&!U3$)(a|F15DGtxhU^&N+Ic zk4C5ByIT6hXT>4g&f#rovXseosqyp3n|!Tg{(CuvJl5<`qC`gVTVY+!*P6@QZr8K~ zxDpqIw257yG5104(~*jpOObxvb%%CO>Y0gt`wX?41#BTVNnB|yQ>(h@!KE?1p{KW$ zMN5PjYr@%b!qcAK-V|ahm~Zw_tzWo`_xxv#o>%8|vv^Oor*S{@<2lw>bO!cxQlTQu 
zz!MF2#P=7R`Qqu_GrGx;4Pt3EB8T>?tq>2Ei!@tBz6Hv;44UQcy-My69H?TS6w7Vk zaMdb;EapfZG%sg%iS?@O&Nghm5}#MOs5qX>wFK$xyf+`e;~u^FeBp6@eYud7&X{j@ zY2j5G?~%;e`x4d)maF-=_R6>dH(PV1q&RXuSP(?}uwGLCZZTVo7jW4B;bF^HnjOgt ztclkpKgEkGW|OP)hzEVrk}Pp!T|ntbj7$L@VoW6a-Y?wMCzWNtk#>Tj%Ad`2(HIpi1yUXbVxbgb*CW9i$Or2Cz$XRKg*W$+$*%KV#oR$? zrVeok7!y8+R~sC}m&AGRiQj8`8PSAlFlvSRc;=VAFK1ytk}3tMi?0;!b8DC(*FX8wy8)BccgR2_vH&MVKEP{bsdqtIgxSYVF2-y&BM2NJqom zpRQp*-m>(mDfgznAf1D1zFM#q@XH_8#h+(>4E;A+N`$uBsN9{=9ULFZ~H1w9CLsp||1; za~7n2)hou*lw%utj@}49|2W2UV8Eb}|hdEV8l2 zwqR$p9*;-{dRDKH3tng!SJ)E+llB#&ibR8CK_BBL|x;@!e?v`AhS(}Q;J1p&4+ zJ%>~zW|BMl?QDtD`m)K&6f~pX==#<-@z5iAe=fsl@!Cm{aDG#K%Sn?h{Rg^iLYqpHTQ?{K`+MCgbFD?Ja8*%Z6Xd(wrY0TPnS!K+A)nG{V&1cM zkeA#lTN0$TZFt@I80syq{0MjmaDVTGzszL)DmL$|$=>7it>tR@eMk&@@`V4Wfa-hs zeu;Ic*!ib1HRCK^bgI|<)UTjfhB%TR-3hA4^)uKy7@nSHxq4UQs~z1_ndIxk7*M;Z z`LeHGWA=$6Pyx5SJ=$}Jerpqq26#$!7ANahdFPhcJF~|`NL>;>CFs#KxfzDY)RY$9 zE{O|9Qf3z%?eHvGC)6O^A^N%aT1`8?=V$XSiNY37saDs6)vfh{A;l-t`?p>iEjjt# zUaWg<&1xE0P5-=gPowVU$;G89BDSxF{WlY^+$H*YE@SHnl%z3Dsp{QJl8e;r9PlhS>eNUqn*PYePe-+4&kfIz53tiC$LyPIN_Up9B^r7#x zU*5HkHy9Xysg-;W(!9`AWPtA%N?_pxwb@-snd-{d!Ivz2^x0QE+2b0C$5EX&z7$5v z6A31wRh;A71dS-KG$BmO!)ukFKM0BnjER!}L%~5sE3kA1r)~^u8AZB3MEIk?Hvmn?) 
z3GIrJtlp^RzxQ$V&~>P|w4FM-uwl|eMY}TAEX62ct(>2o z7-!9!G^9^dbVJTT7kz-c7paldkm5j4)RGSOp5oAF#si0*NfM?3l+rmfkw|2`SyU%> z;G$i%B;LEoK&DL*GPevghqOXM-OQ99|te%4{DHdbz+)$#dkM>^uu<$*15lxxR!OExlX>D}ct#^I- z3rfntwq9>Il?f|mwP^Maa&qImr2WOczT%Aoe1#+{yv|BT!Bop)q^$m?pLd6A zWyg`|_K`)n#s*LjCb*TJ^(`*SA7tj_Aap0vO5Dq5J<9fJy=B^(`#QHRiLrt9<9*IK zQQUau4X}l3-R03 z7xe3ohZYIl-&ybHhxz-1xghx3`z>%ENLuSISK3 z_1B!K@q(s4QCS?w+~)&-d7bjG|uP-HmIe;~Np?VwPln z8(8~R<5L*^OaE8u%{84uh@!7YJP(b$aJhkhw331>a|;XiWpxr1cB!w&KKLAom8@G( zSgsvZ^Tk7eH{}tMKHjL#0(WUU1_sMfV?qw;kmwg}KN^L7ylYBj=zd?<)IP^!e(c1& zqL7hbZEX7L{`oC@6+@#B=MGRQDDfz79@nHLzhbIBhou)Q`hgDh$%9Kmm&{Vl3H57U z8S>K(S+YDjcl7FC|BrOx)i5&7m7u2K``VYiv{hm!UtZW~xn(P(Yx{ZUvlO+b)g9B9 zy-GTHQL%;s3>bTZ*I$c5BIvIs#h1vGKDnVVZQ0oo?sQv}DAy|OVx}r`*2MKR)!LHF zuxA=PMpP*xrxdbPDvwEHu#j#Qk?GWc$e_w9l-(&y@Ohf-qj1jTc6-TX0j_^N#o}?p z^)!JD8tYW^%bN;-FOR*RcbQ)r)iTq?CiXIUPiz0KHi`Tif^h}C@}tb{A@i;8D)o{! zY-$G%&{=5K@^Qp6N9!VnD{h2U(j=;|!Esy29r`}kvA6*c5G+DIx>kK^~D z*JnbZ^F@WdkjmlZCI}ZpEc+2}CHY}Q%TovokdA>QmB38%s^D15zu`p%4dY z?5H-C<6@$^%JqmxW!8??mBG{Le7n+HGkx?klIoeBPq4yd+|%?mPFG)hr`7z3&r)6kmN60n2*<0b|EzeHF*cV>`7Le43-2yvI9?mF6WAl6{iQHo9eH?-#z=FzAJ*kz7BV zL=-N`Um{9=Wu%89@zzL34F5=`5&C|iM{tz=T!+g$qFWk~^)O*1uiFnw9OwTk>VP#_ zCywucb#Mwu0`JyGaVeWEbs z_5(+(BX$YYu11`&+g}DU zahq&V`YGub{QJx|BnFbGYlH#8Hydz*=^Q@=`?Q$=!8=6Sa%C8KarphuYx5a0C0PlyIuzK2U+8AtOL$&?WD$ACm z{ssH%BHF*?dc!^Y2oir~#sO=Cvulmh9SqKYnw0fB{99Sf=vmAn(#h^rrH=)bGGOoi zn%imHSu*+u8U}3^Zy@9Np0MowoRU~MfevpkbGh9PG!BUHNUL&CM@Zk z?k5%eA0h>m&exMT1}$hc(#d1}7S%E!O836`2KI%A03}7y1r%Z~mK_k*^;2OzlL9%d zHURFs5;SsJJ`zN7C0{``{(zbzGIk&hfhR=yKadIny<2z|&F=`Z6QJ=E*t=8xBa8V4 zP+K660AK#2q=0S#&=QE_UyAi~RKa3BDX^&@1!n5uoYT5>I;^j+09{wg0|2Sv@fQ~H z0Ju-HD0$8n!HDmhUm%c!A6)x)rA`>>_=AzDKG{kJ;5)qJ_f!mm$$nJou-a+^I0_yN z0AEhJ-G7EuGZ3mWSR8-!>))aZ7VAlY0eu2iV0VZn9%V3JJQdcbw;wv%zQw);fW*Jm z`IAM>Ri}CrSf>O)oq`9QX&{yV;@ZD0b;8J(KNtxd8hXRQcc)uE^BFDwKSAoG<%4nj z)$&hA6>O>}1%~jWz`hA_;4L-;!FO;i z|IP0$|35+s*79L-{8g-{qx!4mzx`2QxmZ$loXn@2)8DjwiPOCaWYKFt4P49rx20f= 
z3_sQK!FO;i9~-DGxR(DPAq8vsU>tw7e7LCoZ29_=KMKs$!#bz6`E*$SrsXrA>P;Yv z^k;u>`Twre2_yA?FcQ}C!FQ)yeslBhE&o443fA($IR0w+a8do)^27hq@)MK{i2o?~ zn7@a@{rAe}{=Hhk9pReO=J;<7<%GDPM%Y;xtmh;Cmhai>-=h!bK8Op=7S>5I*gkKOd+Q0y>9r|6k7KG~+1VgmVr7 z)ald?I){XO;#>;g+$%WexM6@Fg3di8J8>==a1Qvlwo}eIb%4%YQwN-je0$>DmW;kn z?b~d@erj4I-x@aU1vYlM>w)Ih%yq~MOnh?J-+J7r$+eJAmMkV^eIooo)g!aUEt}F5 zJH&jGNzlnQGL&l2B|MU9P_F+L?V*B!%8H0z|J!yv?ey%Mv?xO!NkhXDb^hJnH;~OL zo7)~Qi5PliFR4Zw{ie;D8JA0z)Q&9w2(X$%8V6bh2C9=?f91cW1<;XF9PV=?6^rZY z|Eg6G*G>}zfa76@)Kt+E9&+OFsnF%XqBKOm3Bb8J_+Ny?CL%Jm|1BYal;_p|1gqX4 zV3r1m(_hTe%jGK;IfTbAhZcv&|3#e-5OuiFWu5^7P8&NA{sJJ?@F2il;qrO{Lgh4w zf81&}XaTO8K!^WQo3LsEalu#98P1(l6PT`FHT(xy<&)KmNo`M?{X0rT{~o&T*S~{+ z(*^@UaRvx*SGc^MfWSTl;-9w)T7ahn=7ko9H;oM0zah|TGKftOt7|JC} zf7j>RnP)FB|wMaC;{Svr^Fe~olt`ObT$0}Rz1#8u1?z1X8-0W!E#1R%sT@F zoHmdWEoXoLcRiC5`lmts<5pp~;3xq)3{MFV7d$1-aPEW>c&DoA53tH72Rs#a1bh8o z8g>)Ta*vrtvf-hgd9tCj_KzWf=Zn9`sS$?SF460ZOb7sj#i^<8$%zFxuxF|30tb|> z(}xL6ATg(=Kc5>5w|)-_Y_Gr0oWL19@fij1zo3oG z%{=*uurWv{%~=C#pq5Y8O@?73D15EMs)-e-i2ev`n#2%b7MSt>TIqT|JKx!WgT)aOyWC&YfrBqx z=u*Ks5*`GcHhlnu!WkgIUE%V20s3YXUt5Vog5{Nq+rK?`uz1alaU z5+E*kN}S=`Ni~53`mbvG1FUHhhfjsS!xi!0P{Q%|(4~TNBs>T>Z6GBy&Hw@K3YXUt z5a1yD3&cNf6|?|P3D99UO2DE7M~O3>JEtgF{R6CxHk9^>{HM+S4JBZMFI?!r zIT9WOoHmdWglA9!-1SUKpq~Qq&s&9AfU72$!*G-UalujIEaza=1RKzQRns3}O_OMN zDohAh#D7Bxq2EIXntz-a?1A#(-@a0G?R>j?;OK>r2epSKEHfUhRdVK_>_q69~Y zGn_l2gx~3E`U9+uHq`csqNmON9VNiQ7cO+5N^q1o!?_bmfCKukqXaBW{|(m0EtwS&xS12U zI#gcL(u4yn61U(iQ=MEQ1cn4~n1)-MfK9bHiruexYu9jQgHPboND2!_AiS7=U9J6n4ddsfNti#dx@*xNtia*w zoYQ=iZ2FfXkV-bqGPh>Z1D3mhQTtz$T_ls-=-d8N$#4)ZX$GgoE(kC!J~^3ohW<

ORR1d(&96L0w20N12fMN;;`N4plhWygERU9pQTP{{grX;$UINTo}p z%kE+pU*D7kpYsx+=eVVBy}^F0!g+V4WwqkChrV?T(nIfZFz>pNXG0HB_T0#W6z!5! z9%usEj&_zc_g+T;e-yS~^ql9eYeegFp31$$%K0gK$okO66knz5X7nMl%Y=(71TR{5`V}VZ~J98HM zlSLZP#kR5X)lt`jkmDl@z9aVA{v(~v72WfjmFM|fyImI*H+DDa^LFX0B3+M;Ya>Zq z_O>dSG^MSh&E=w2Tn{jzS0*)&8th4+D}2YtQ)ABibz_ik3=_=xeFo2}+t#-GR=iR! z?md4Ti*dZ10)>8a+51j12HhKJh^@FFJ{JcG-4BJ%tm_Hv;|v^39PKV1y6&%RlFT<* zB(7FK*Qbsb0*()MEk2E*k?@v5A05vw+OLj6o7h)1Tz92o`MTOPH%p87o|jdo&9YY> zZyc@FY94K~yN(=hbU_KS=+pP_O&((I3RkYzTDWX`Nt0~XmKKd2$?doC9U(F}ACykk z(gS~;(}1~P-x9hSet;D)iIsWi-R2srfw=(jVyP2wgx)e+53F_-QRLR$BI(4(42O83 z)d}cBZ|STDdO-tIxr_0kjI%aJQ)Z2uW{`{KO&84}*yc^x<`7czCQ@?SgTAN|<2?B=+(syno1{_!>%Ci!z)zK`kY+Uo4k3Vib4 zZp&dZKeqx7t-x#defm7t)|1!&#nv4r^K+}?&i|G84u>TBeRmRj9Rsm;37+FVoP$udIe3yp zHd)6U!9J;#Zl#~$Z(GaT6nF4phHOD(iKo!`_$q_vIBKQa>1Txv_XrN^qR1dPN3z5- z7hT@CP_=EG=M%0B_S%1u{3NZ>y+mx^?C=FPyY0+*3UidEi&DdnLlC1rQ{Bbnuu@eW z|B^m=LD)RK2{o$tEMYAV5K{NW{AG9ha_e`OhJ?-8Y8oaU%v>NA|EBg0nWi22Z6 z7b@b*27KXpUTlLBc61(j>@%NU3LVT4AJip`FHu)?kj{7=M_aPFU*WdcF!x4?(SfY-$~_kl=DAH5d|e3(%i5C-Qfi|A&tJ|3X{`7Q`G_5S74~8)bkoXXyoF zPG|zg+^+zLdF#&Oi6u#Vn6xiUS`e0@cu?A=1C%Z?1f|vU!3@z2f*FDrk6r-9TVdh` zFmYy>csMA&ECGt!C4<_zx-Xpaawf^HGkw z#!&ciKR;m8b?F0Olh5vdE`C@eJzt={-6_rCbT|pTjCS6q01Q=}!vPFwUO*`?%%i`M zqzD}hec8F_x{S)dfLpbb^kIuo3-IeXZuUJV#~ayzbLCh2w;KF4P)!eXgtHLXj&c(E zE=K;JI`>aOpLOT}IIO@UT$OMMnC>#uXelsW@gTD+$*%$V$ zAS@~I;I}p~WhI87GWGnklsUnG9QpFleY3<0}TZ!Hr$E^8gwVV2u5IG1{9aD~Cdmv-_0{>#79#j*hEqEGkG;Oa-E z0nF`mip>`Y*jn9*Dlad)3VxRjekV=~es^0OaH6~!_HjP&F&d2C!Z0^UVQ#*4Dmmz} znU4A7%6g+Xg+@zKcx8c5sSEfRr5F6z9r(C`M!RL8s~|g>bk~M8W8o{0I;IKdQxMIK zVi1l0FbMv%RuKGG5WLMa=ghz|!)&c)2a+*5IFr521mE2r$}B07HoL1%RQ8uszQ^E*qB2pDVXx zQMY-a!4*Nrc^~i#|HcPE+!rP;2osM7#cewN8F7add(d`0%(f29b`H$85@_2f1GLT3 z3)&`J1YPyBJyYDt`X(S=&T|D2AH9hLh+AM?D!0opzk12Q!U7w3na_^mrolC+dYM1# z#&U}r0CLBUAB>3!3}gW;CWD|M$7Rq^x!ngYo^TDW_VO5stQ+&@(#d@oHkA~Bc*#`I zLczt6&2L+SFINt9e~5#AX>frd%!0w_gTeS)?f=)rL1(rG0cQZ;Pn=;Yw*#~TzTeM^ z27Ld}Ck6Q4ZUXu~U+{P01Erl0{!|NSy 
zBUA224@744EB@)o3=CZm$ckR_dkF+`r?<+6Pp8X7xFjKGp@4LxtAErmY{gh@#5iol z#IzOYS-KYNXytaf?AJa2i4>SRE&~~3gJmodmSCWk9 z{9lV7deXF;{I@&tXGKe9MSlQoNWsJ@U^cK}HjrU90P+GZ0ptZ-`hVj8mm<@_wG*bn z)!_u&mhSWyb;j*3=U5~QtPbmpNqLQyHdMr6lsg4Di{EgB5+5dW?qTrGE&;XBL$p{m zFjUkF{AK(QdmpepGb@h5BwZ#Hj?%ELBDkF|!0a+f*+f^(@;X|J)O3adOH4a`BredM zQj!YC-Pxgl%Hx9>K3CqbqDpA(ejCY{D|9B7H~I)z_Jiyl$F^x6O|&cmOM`3sim|*c zMXO`3WiIQ!vAk=puAA!(tCfz>iRH*uUKfXic1_o#qeDy*zA~4?^~J0T*P{jL^|7(z zSYWy8plji1qATIJ?NA!isR*#X8JWd<(7+MRu6IyZSq5E`)*RK@XNTfH62Eu}=iIq- zNasuikd%846K7O;&YcTrx^RvZ`1F}6y}iX#6Kg{~JsWF!&8K>%*7UG9jC9Y;OzFV) z%g#nYQylMRG>uG@TiD5%aTI4-yMvSD6<70>x1}r;+g!rv&8{Gee!PiH&R_qw(q+VI ztsM(P@L>{nZ*NAaY`lN_#rxy?+mNy2PhtZ`azmNsOC-eUxrKZXt0CJK=vSsl3;8?C zh+Q8EHIyR@-`(IgV^=2K0Wi}BxDBEZ63aRDOEtQFes-TXkQV;Z!P)8TlN7(M(VwWec1a8Gjqc}`z?oD#+ zPM1YaA9U)`M>w|5>Jfk>S4LcLnQjY+Ha1Z{UdME$a@o^444s?|aQ!-p9aX1bQTSj~ zT)pu3>u=^--8|1D`*&y}XOcA*(baGqEV$&T zt|2Pd@~C=qZ9lwOI{7BUM9++<%Pu}x`dm|5nS~W&Kp>6!Vp`Uv3?%WkDOQ90+||P5 z9!=cg%3`;}K6AZvpNa6%?p*ga+S$IT2FL{qG+HCc(FOKl#0xRwnW>&h8K`C5JV*WC z-XEPmj>^4pej|kI>wsygeN~Xu7>&%l!c4SLEZ*@(TA$wB4y_zD&3KCEZorrbTK#Sm zVuITZ!gi_ls@XDy%rtAk@q;e}ie2BG)V}QDuB>&E#rOt9otGpRVSj?|D_c-9`Y5bb zFpJG{c$WroCeJxhLHEfObJ`+Mq1b+rf~AEd!k*Rv5s<%F0Fi5$CHNr>cOON z^^CA>#)GN}l74IP8-)Q!cRepO1eBEB;&6e?aC|P8yWd|?o$0wjvo^)jz|TqY06PkO zE#+>fdHQ(SeR9OerR4W53Uh05=*I{sTzq|R%EK#a`8jm9cwG>bEdI#6(4sGcXw+0@}}$jQ=mp*W~_0G^_Do(Qcz-p0Ef<4(@T zl#nc@FH3DDH7n=Wr#&`odD4Y)?>~f5Xt4bcS4 zpYjUwZw!ZIiy_8(#Trgf;IkQw3lCxJP_7D`GkIL4XHdYwuKiNV!}N||kh-(l=yTVj zw}dDzy5FnfM2c)p?U#d zFg1^{qA~bBXQhg%Ww@!up%r&@Up|km{(e)O#^@zcZ>@7$h}g91z+HX&tSf6NBU!K9 zqn+ac*AMif&_OE*Nsk9fT+*f!)e?}wa zT&yoT4>$Kx)n&BN1>`xX1w(E4kgb)A^G@ zj!e!(SN$0U<==Nl+qSf=Gh<#wPc3|1)Xyr=Yi-lW@LG1T_RdD5XAn%uvz0{)V;9+D-(C8CADR&*kfCpNUGgjxUCO3C?|VE!?w| zyYCA}#_*-s66?}<0%gKI%<+%o9SHuGHj2f;lnnP4DHyNsaqN$Jt7$lwlpH-I#wjyu z@z*hDAa@NaQ7aG|ef{8;mvoqoiwy!cR&`Vr(w*(8F*(!4B%&pBIYenB8OdfrSBqAO z+OQ?`Az2-k4fb>DQ;iQv0;Lm+vv4z}ug#ZyF8dPva?Wd7O>LeavQeA935ECbLQZfR 
z+l%3489mn5NPBx4NV(&(UKZKNp1tUNc3b+|Ig!>_N%(Z@FOgdBd2rdWk0uPD>Dkyd zH(u$`*mS@z8grHYWaF~bh>4P+GQR7OA!uA1Tw2-vt!1rbdnIU$*5T^NT7pu{gKss@ z>OY&ml;929p|f5;WVpJ?8i;<8RMGP4mW#-$<=1XjCLOLbLfRTPWj9}9R+e95hM-CjM+k2^}k4T zs(C=!jBz;joy7`XmQt}3ec(_MEG6-#eUX{+IT*lBU}`-tThoYIB;-a)ExZb z{w68CFe*JIB}7U5#nV+?+aRIx|yAe=T!Im3FJl> zL^Qp3wcPw0Eets-v&wN1 zo!pm2tN8KgT2eP(2bnZUkJHNAKNjY{Fj`Aa)2-vag5Iz0%v0%Ybn&yec3Q$md9QUe z6ix~kR?X5NADJBa+@->SoA1a?siY~N?%U9%P2(+LG+xnPQaeY08fG7wH{`J!q^P~I zYHMN)A$TGh%^KTU7txBeuNFN2Ch*?93On<$nsF*l*_uxckpxn4mSeDWSY1ERUWd|E$35Z|wI7j~Aou6+&*~jkH*TL9X5x1kCnWY2> zFO6<5Ab#PxkIy^Mg!=G?(o`!;e^%Q~FK_(2k+h!4uXmrZ4SZq_4HS=`to!Uwzy1JM z>fL8cRL5IQi2EKFu94lBa!H*#SD!ys%x+v#wka#Ty|AYr?!K=XR2>eS4V5Xl;EaFl zY}Hl{j~7M`&|+TpM@9AvTBOojR3V_=abACm|CW%k+Ja<<@c9y%ftIzOzkcOHBNI}5 z5QjrfN@8(>Kfab)1=fRS!rioqnAfDrzTfZpw3)AmLDau<^|<+YdgE{pgz9e2gj-xU z+uK*lo`!_R7Wx_l3RUK`M`7L!lvkDP-sc~*kvAW41>ArA&Qi5YRn{yzPIgyZ_-5j~ z+r9@q<`}o#<+nMxHdwr#Ttb)eeG)%+T^5kEknqIP;k0{5@>Gv$RsD)sjpdV+D?|Iy zPq3aE8Fv8>VDz(ns5Z+Iq)mx*%qFgXTfMO8v6Rmv4Ti^f2J8=`L`b`CO@84&x?&cn z-SbJK?bYLVuWIP7rG=41uVy>Vwni$(Ut@uM>=xDeddps|<x zX=BTDunBmQnq2vyW=eQ^XS_JXFs0{_dX(e}gyR!pK}1NW59_(-fqLQJY_;V`|Q4OIeZUlG{xu$zC`Dsg6s z0L^923h?{Q51T*<0$-Fny6v;3CILpJ|Pw~R+CNn#R3*I?$usUA*Ry%VT zNr;g40(`)AEh60=47zYyy|2y*oH0tzoUu#JDRndZNvvAiS5cEGAe~L&{nNxW&C{Io zrui-gj0W8ydZfi*8m_H(QhOWQlSdcAaUnCswXy##y%-Iq4rh#ZMPVEW`(BW*e}&&= zlYVgK8ev)E^6eH&fxV~hQ{xIDz>)k0Hf@(hSu@-HnWKZ})K(zWL+W7b>rs5sI@5#i zpZ_j9mr-(plhk>>vJsmX(3b5IFMe~ND8cL!XIMO880QEL zUCK`F{6H&}YUA692vYx%_w9*Av*Z>WnRBoVxUbtO^w(jx^Hni`CnhM78nYLmSH6X^ z4`~B{o)gx8*U_=|yn3t#neFXn0IM}OGza5}h2Q*hZMk^&SxV@q1TNS!j928WNqBbC z9y#L#1*G?kooMcsI0a;^_w#0S9wqq zP-rH--`G6H1XA?GCiK5;$vM+7qMcK`Ui9lAn=~Yq#dQom)rO$Ha_TV79f<*ugA)>D zcE1UqTZteg#}*Fhfg$d4=w<(l4kFZIH|^iE1h=$eC^<9`@k(Cl!D>R zE{im7WbykWe0^cj(kFzJR=B9#D)yU)Dbv|;Q(!KGr_K<5WESD=l4vv~YvcJeapIYZ z?QnokQKh))0^u(g6i34}MI#g&^KZTQEXa{W16G#YD z6=!w>$LmPGh(Ke9`XCED8NI9b`I5czUZVI$Pz74YU4duf+$7TP|B>Q*J{(_fV4Dkc`VN zUAIIJ 
zpmggx=O5weOOirE3#RU62=0j&`#a&P&YS?^4X6AD=&kfA0Q~O9L!hN|8dOR{X!{B1 z;&JU!RGv?Q-?!5l$aCRP8?g@3PR;rW4$o$JNR8dvSPWrJd8~D5Wa!?Jb`D_cnQKs#BO&P_m#H6*{afS zb*QlShgS!g=JfDyHvQ?@+3uD?ZRfudt zVhYCz!sbDZ7V0hko!4C>F>!9|Vv}^_GWXAtslbBu=0=jsoSa>Y|Lqg(pUsex;BXzH zV#ZFWEo!!ivxdPx2is}%%+&UjLdQ@SQZdoALx89?rwmS0$^e%m+Q9}%1LbK(H-U4! zuV4HahI(JXf!|f_;&o;f;N|(&h@>mbV7i0Y9j#mJ!LVN(aW(ZBh}N5xb97iA<6yi( z-%h#{m-BV36v#EDQVuMpBTe6ex_gD4@|QF=?aE6 zRoIXqk?wdZJkl!N^AVeEGS;m8Z2-e#Fnw5f5vHNuttT=&uX>Q-<@_9;dT>vwD!ay1 zSx87vTCK}w3UysOZ@T_L*&YaTV?4O!R@JsVicvDMcowXa&5((Jbg*H@_fpzHih@#G zAf@3-j)8ukEXkg@;7XJERr624a#$U@6Zsa+ok?5g`qXF~A%{XVLgA88n9ZDXG`=>_ zrTe-nXE&^@CBs`NkoHQfB#=T(I+!`r6k*NLz>ba zuGO}bv-rq7MmZr0s<8X6+?%G;(l@t?8kMV$f@wmiLTa6;e&B&a$L?8`RE97|UL8Cb z3V^coHXW^#O&LvC zg>^V0MV&cN{X^!SV{FD=;$@ozuc98kv>kg(`3(xYwBkaBMsCH6ZTLtccpw@{!8<5t zvN*k0lw^uUx}4w!ymYXT^{9{@VabpulJokFZYu}9tO!YsWVUajuxh2mGosK?uQ#bS zprLJIg`cx?PsS7-UT%?qqnEF>2al_W3ghOSDH^I~(Dm1o=Px?e#>Np<{SK4Si2Xs_ z`nE9Sor%_+Oy0fYRiU+bc3k1i1rERdXufHM^S%Qq>EM-eLG{k5>cyVQm%w#txG*1~ zBxfSIZAhKd1?P(-yjH|NjQbRH7Lj?OryL@a(Uj*oO(?T2=>u&cOwVXKz+2@IU@_zJx+Vqh-vG@@oOV`v%n4fmZ8*u~6gJWwi<{+quEx}PgfjD61YN8O>m(S^=# z0Y$IRnw0(f4-AFKb;34Gq(0NIy}8a$;Yf-%cBTc> zmqMNdwXfFHUR-;&hg5V^sK=JaY(2TvZXn_bf78|5!n6QE4RB8`zjN8PJ^@zX5dJ|_ z@S_huIz^n?+9y<_(_Z=jK_z!ssqOq(JisH9G;#U&RAzChek52(HW@_dGT&5bk8e-J z%i{5vTv%a4DOY{APH;i6D57sH8l~c=_aX=BdpC0|dgUCN;HGq=e+SR=Dzms5UA^9$ zkZfw1OP>*9`6P@^_m(*la&8%b9^3pq3rR&5Ay+R;7V2s0V5OdW(2?cIu-*IC2ga0PP0ckxU^HZ!F9?c%$`Lbe;ARaf}MYqTbEEdDu9JC-^i=!&FmAu zxHeX13+n`W(q=$WRWa~u(kf0Q9H}pYCc3azLTS=taSN+~LMWiglFdZ44(si7UN5vr zKmZd?Xp?HOn-jpFcJbtzt0`-^D{f$zo(Q#OnV|FmH+^)nX;;+j_D_EgH2meb|ZC>IT8JH7)qxk*Cja(-%c+b zS>u7Aqu9|GHGQ!ed%`cJEv#@DtvkELQg}&7yHAOZd8|@6BhAS<6yFxASkqR=Y&y3BI~6yZGh$rx8^%9#S0iUcmhz}zPUW?Ba9a10;R*#}GRfvZ`k zke_8jvfxUdDIs(G#UDF6;H`T6DXqYz@}5QFRD|W_?YJE4Yh9I*W_<&%gMzf9_ZK)J zO{w_38_Svgs%`zflhCCbt+q3!SU%?dCKA7)+y`}^lNFJKYpo*LA{OTmTZ(eOzI zY;%^&!|)KPvm?1~g)nJ$L_eM?ueWE2-Nd}OTh?a-FxSaZrl#WP|=O{3J 
z{@6i=%NDYNw$#jQC2&3(STsy&Ms#(vAD8QMOv6k2xMfmW#x5i`{G=?L0korpJn^4b>o=1Z)Ni;|y~3{h zy*3MTpCn}mdTN6k4L#oyn!Fm)JOlA~y!)&s%)eIIq@I5H^?dl1Wb6C(*!c7HQa(_e zn0_g;%Ntl$a?VE^B-67aVOj{kUmZ=V)tj;7Gc#>RW@W=-^9H@#%I2hoHTxnCMp(GJ zE#Cg{`-dxI1(aQg`4+B02!(?Ej(Ui~2yX~#y;D2lz^zHbg?)FRD!P_rcEua?+*f52 zee4N=y5dQiF(AC1Cw=-QLbR7Zc2ktei82Eb5O$*tU!o`sntM6l_U3Bm6)Dbi9ndlx zw+JBA$&$T!>7TWu55C?Z9E)bnFA9j;db$oiETfnF@fO;9iZZ4FBlYPGT2Ut{-77l- zj~k%W_I7`}`SDDc{keGP^KqU$`T2C~^YLD#;jOZE(A1P{??qlU=TxIuHa~tp|JWa? ziJ^8{CZnUPt&Jw#?CIrkeZ6xsd*46ED;}9rmOlSt|8B6VvL6koQ!gb{ru#TmGv~#U zl9?4eN1DLLXx4k~Sza{HGZPwyCV%T4D z`q()T{~0GBL*MgR6C8+z>5WIB&dn(HdfIb{VJs*miEcpbdUg?T#f8EWK=O=9X6@ba zX><1bE<(N$4X!HF+|O6X9HyiC0V$F9Gkg|GX~)Fv#|c0+!el9OU~e0m731xcvC27 zSE%Sf>4`qj}%z*oM&& z6zohtQ(v_H3e(_`jHwG|w~2%QS111omPW(u5^F^o%^4)Ix$2CT*!2%8tX5YiD|t%d z!QGXN_J;QNKr>#e?as*QtD*spi}nM)JID@@c)^h!;+&UV%iOumAJEs~IX8D4`v_|A zqD4jKY&HIb@czlt3)-2o9_|ctdmpc}hd!Z`pNET*K(n#Gq&c>R{Nl>4Ogx0~S!;R3 zxAQt0`qV2M^Z8@-WsgMM?;e7OgXvlFtKKmdOpJo zznZoy@tBaifLE9zn2D=VgRw-h4!PP8_G3{;jp{a_VqONeq^NBC&P5B1kDMTtYJp~K z6%V%kK;@SsXnhtY-mFHcq%OYg;9w4rZwmDFYt*Mf{Y-jY0pb=y3)f-N6Xb&dgzwzk z1geSZ^-WBLDUrin0>eDnIgIypr-ZTNSj8=Atd^92@GYhK|?5_~&FuNTu{3+E&ebEi7nI9$q55CPnlYY6p zr!%Yry`he&bzA!pkx3A7$+O-vev*LY`tFgNW2z0XYe{OjGuLl_C0cng?w5}AJ;)0x zb(oZAH}DafALT>(!wB%(-MWJzC{8h+Q=Vd>uPo7@!RwJ!=O9f=pMfifu|+Nm!5xjB@;4=7g(fu0eM05e0&8xsr!+7FYFZ}ECGS?{Y)JUYYMH9^cM-pgnGqH^qSx+|WUyJ?;A8;?Tn zjKOwIOdjU#tpsQlky*YK3dpqcRYk0rx9?W~_l%nLU(cOFMkann_Z8?9eb8~Ew-w@m z&FsFbO9?ByFkTLkFw>ffG747Q<_SRd^$V)&KD@iTA@%18-O>i?{9(C{p;WlebDiAG z(7FYoaX`a?y=d(J;auGsAT+Mf&I8IuF?zCMD4>HwBH;dz8%AztpKA`IA<9$y7#HDO zvikOJyA5Kr>M<$U)0m?AN7mav%8*}p8;9#4qZt2^>5-JCy@snsK$y4DHeuvjPxW^{ zDfkd3WpeqIPO|yH_wXDNH`v-OHG7zmyR#a~aDaT#iN9D+);@j)UG)vl8XPHT7G#OU z(3#nm;82H0#o|@)xM}8$Hvc!4X|cu!S{Q_5@gWm|bzQ zQq+en(b5U>YyyLnQ%M)~0NzQ!0L5s@qg?+{&CoeP@|_T15u* zGNm=Ah=1CkjI_T{!_4-7w?e?A3*Qe`#6@B8(46N;SH8a)r!hn*J z5ZnjaXI$5pLmM+bM=(pL*kg7{bjXNLcKa+m@!_*O2m}(1Agu8e&MI)!CF)&6!WLfg 
z4lg5{r>TBBhgx>m0bMz$PBt9|-UA{(MPB9d*MzbaacKWZ!rZrDSuowuG?9@o9zwa9 zsZ3|C#RI{Wfr>rrh-p$BT*?9WGk6?S^H~cFY}j{7I(eV5uVptH`*ll|uN1S-L(7s3 zS+yOHyFZQ<6FkXfXPQZ*((D%Str%E}A$&d0lb-7cTyGi0c$eGJE&VG94#_d#!=D69A)@z(D44iB4*2Wk_p0;hWitBgMo^=wH~6N!4yI#)_?|wtvNgQY;M~tkDrXd5 zB41xuue%8>wpKYjLJd)CsJ7#npt4saTFq-Vj8I9*)2|+v4@B~(pQEpj&Mj1_vpI1# zMui{{g7f7paD(DdM)3x*FMIn>WuTxolhMoV-7Y1F4qxSj{X{zp+)Rq6Kd!rX;)Ka< zTK7~%4GX0i<<=}EEEDuIy4U$FB7ZHP#1xiA1O9cwoQJ0oG6Cn6giOqS-T-4*8qIE+ z^^f>LN=u=|a(B)#6UPutv{GB^&K`UmI1PRYTKfX%4Yo1@gw9cV53fc<1TzP$RRyBO z)Mddi{%#9ZD_prQ%t)SU7rNt!)`O)SgIbZIF(&{b3ixEfww)nQCpfR1j49y;@Q|)N zQ&d4hJL72rR|9PkewA$O$Fs8$0Ot_`z7R)FFl=?Chbn`tfLfd7%*WRD!TFnp9FkFs z$*XTQ)o20X1-8xmTa#;c8c9DlYh z+*Nm+FQg#;mT4)uJ{nf4hpfbIlu2<==Tz$P$`CbBgb>@=8TSr;edthKhY9Omg!dqj zv5U;SEVTM12R4)r6A99<$#pE)27M#Ugi6%Sb2n%zgsw~8&0tUtEcAg`-BciB{b zRwC0db`!8>kbjiy@^;yPew7oOe%eh*%!S>AvA6y*N1ii-5Ut!P zehjROxVyFh;``Mgj_;VnE81+C#S18K74=3pdpIWZS=-P++Ox%iw0>aW{Yb0S#hAx< z>8t-_wBMz}g8BVb4`Ypae0w|AHT66OHgK0h-sqr;*6as-b(Q3;lrP3gTMe3?Di~yt` z@i^d32k|u6LFtXEX5&~@*v_m(14LM8bwR(`xJXlNZBhbFceY}Tx}(|J6G;<{gaZ?( z^KxI(<{y8gk_E*W+=AaPfk2)@fSStZ{%ur<)`vb1JEq%W+tgZb`kcu`Mei&4>#tJb zn=;lh?(}XS@zFt?NdwOVa7B|SQBLXyz@xJNonW-~^vnpvDU05*TW2*a< zaI;gT#fee5**R{N#&PW>cm^-Vl1sBEY^&bS$pH)1+@m?~Jk4yT0}cWd907CTFhe=& zOVhk53TZ>#Iu!CE3db=8^u!)R4;tTrCdc~3#G@zB1g%>lZR;uZ5#FD!WF~91ieLgD z(~HlX+Yqw^KqVJ@=slmd*`ZBr(PHkKhm{(FP{B$ZGa@`RMj z2pr{PLws4p0|{6kOf3wp4>osu#q)uVaDBHA4!wBMk|d`Am(@8|z~h#77V%0?M#9Oc%4O*%jF+SNYA zCLV&u`C`?6ryee4h>IVx#wrboZWCK0raKFpI9JJsp50(XgWX&`Gm0Qjz;PDG{uZ9Y z{PZDWAUEIpAc-c{k8-`uc32ZDL~9c$-{#-GPt*V11}i+|a-96)w|+}024DT1$V~xB z%E%77xCGMg;Q=BuE*WJ|ajdXVrtwgmp%L6!RJWff^ByF4#bjj`tHo&JBe=oL>w`H4 z8-&h)<*t!@4K(qB3$rUpzL8QY1>Ya@weu7a6ESAyMt6?oXm7j?4mdHST`5WW<}QB5 z=;VB{o~c8wzawiu$q0ho*S^CN!IvqaGZCEd0;yS>q;y^23z{E~KBCS#F+c8&D~Qo# zzVeX-4c8&OtzA)^cH%3rgLhVy@z1j;yt$Wb#?=wWlsPLE^1(W%Z{tyIxV+JV!n;Ot zv7(yz_7Oc53U63~dsf@v*y*R_tOpueufMCrv?6~|1206vgSQccGcQ68y!6!Br>E{+L 
zIr)CoW*Fc)6e*&gTVt6U$xn~pWkPaMqM+%m)Tgug(%V_}mnJ%OIL$14Ow($Csg}6? zxL?zh;g^mA6JTdcU(xV`s$2sYEW-B(kco7>9chHZZ4HD!d}mUw@wUbn_#@ILR^rS? zfL(2g>>7jVw=M}54RFUi8pPBF6$L{#0XVh`;;0+pC=GE)%H3=PE48V0y@8-qYi}?9km|SkmGqr#My@Abi#JHxIGhH z&NHhgVboAne{iFryHxTre(v45r${aiLVoZLFMKVXX3y09`oVvDs_;jnMDDwiK;}AQ zL~%l6a0rDPzXptGHl!7k&cL;y_9RZZEL}}pFs})gx#%Q$?6eMcn-$k$fjsFzr^MH` zND!hyuWX45zOx=v!}t4*GD4n~S^?K<0lVw=yL8zN&dU)AL<|8% z=Z@|da4yZaqc!W_riahfGPMRHiDRg&lj9Po)b zhan*hU2vad@{Gdchcy=FK*%9a4yb00bc&qVX9Qs?Q#cj~T-l^Hiu3DZ;F!EtG(39R zW5ro z?34H&tTEc`_0_KOr1UZW5Sy5;!7&D;>H+V@g?;ezy0WtM~(enc_H)dfc# z$q1G;MzrXSK_|t*QQY9t>8jwqXxerh6an`;bBQ;=SQ+tk9>Z&l;m!0FY*;v9nA^R` zbsj-g@EyTZZ&(axO=!S1mI!B>2O2?e+87o7G*lLvE~&wd5n7O@(TVEmxK;gW2>&H9 zH*fKzui5UJ`ElJyv=yH3sX3>~qSvcB+-H*dOrQ->&W#aqh-ss9Pm_n+CmFw7LcXHP z0iW=E;kXb@cyZdCRwBZ_zfn5uSNHidueohB#Kj^#)x>f{0P7SD_+7VJF4iLZejXH& zQGOQ=+b6cOiJWjzYg1jJg{m&}kIZL%ULWD5czwbep&>-z@H}pah}v(~U)QcQD_{%W z8A0AEWi5+gW;&i{`FU|Z_uR~4NM13~KOsIuyd`cHdeq08f$%!r{uNmJqf`oHukeN) z_bXPZd?X~BBk$OhB9-YTe{&0AnbQc4ggH=WzjCwm(d^MwYsf%bXw&~qrX~N?$EsO| zN|{ILZdH&=Nv7^SPr3Ko)@Q65LyhWlC&+4kxlYkorBw1)RqiP|v^~E48^^8Ue_#Fo zDx}RjaerDrn?AB#+3-BT_?p%%K6eh4J}=I**l2IRC;odkC>&4R`!AdrBSkiN{NKfj zlJ!UM97}|-5LB3ebD2CM2h~(CQCw1S#8!B(^Tb|BlVPCSvS>QvQvEKMhCVUqSH`0V zsT`C}f?uEOZ3Bqny0d%aHtouK57777w`=Aos#z~C^hu#^MuJn_IE+V;$0uoo(*`@7 zUI2zC#RPCZtl8Z+{2`D-_ z@(P`~8p$x>#w%>Ze4{T`w%Ae!H+HM%ipID-ZF*vWB`4A^RCilk5&w={n3hzwafHf0dJ|PU7@Kc`9+@ zq%`{GZQ+&Z);J+oRmfZ?Y>4b83C|HcuI?;_z?d3kQdFP)Z1REF^`fEud ztXX4IJ9e6o74+6 zf8smI-M}AnE$*P0oRR14w(A^G1t5n`idfJNsh6}OM{w)j?lcE+`EWYCK;aFBs2O}g z&-aR+QU;!N{S3TCL+0kkZfWgHE?>yIzQ>S1wsr}ha^;#}C`Pj0;%c**vWT8}Jo?Xw zE2f=R%@YKw$vFE;X^Q+6zgz0$`bl~%Ps(FaRH$DBYYbiEpWccDK5svEgbi-QQJ92r z0{A2u;X~x-^2*ofuzu&t^i2AIDJ_~rT5F%;wCN4W=N=5|WQ+`HzDUJR{lRH~)fC=L zg?Ag_ND&TJKEVBRFlhTwfEx{G5p(r~Okl-**VX6KuNt1KlcAeE0jz&zte-Z*N%JcK zW2eyBk%=REj?L~Ry7o$WIBN|;Bcl&C+^`XFgWqre9w72#>8Bq=U-a72Ku}30g~FL1 ziK=l`U!h8A7Bq<1Ii0Kx9XxucsknhH$qM$%F^@?Vw5dywM||K!^lLq;hTpIelb=NH 
z&Y%?{t@d;QjYQy+AeK<#+=J@QjX#iTI^*E8w5m67YtGtZh5%H zEZjGWfmE#0P(t6+)i%*}lsMno8RSi<#FM}s0O1AMf<27S5@iw%BP#PJ@7R14H!(~c zs-9n6TN4$Kso&e2j}~Xl7|emHo7b>_@WZ}O;iu|B%dy|_7Ns2aw_wK*-L;gWrP6LL zN&mY(iuBz2&krBa|6Q96Rmk>94*>!~hzJ6L^?%i7|GO%i`CnDp6>2&TdF*KKUyA~D zHV8x=9F3+s`DV^_=Zxt>TYa4rIMQNBirv z!2yR2l{j2Zi&9qnZdtSoKqa?sj;XEqxQH}r`2LZ2Tu?`|xRVjmj%-&p<4B(L6pv20 zqAlsC$OT3x!h3xGXxB381rYuOD;=e4_KM3nbzEuIi(*t5_mLa(Ml~kIZ zsRboe$0_ZPQY{l)2F()Jbz%eUI+GI=yyG%#Ck2eY1Y2SBOj(FcZXtQ`UtV?vRQ*^` zBF2%0?+P%UV~h&p1l!*rlx$Gti8DG5(REJVluL6<6T!n4DN(9Q{LwLmEjBVFynIn0 zSif-|4ehiTDq@dh7KK!S+X`g+w$B$R_eaX1X?Lit`yTK4x0HNFx44p}&Rmvr}uL+*+u z?BNZ28;vFeLm3#}j}Z*37$yuNl0^FzIyLz&5^a~TCk*5;GCl$a?!W+!9t`{ET6OAC zM7nXmMYaN5&vo8cVXq+mZrNQaT}qkB3ED6a)E+LC${+n|fE;|+wrK{+1@S;;ZsctX zPE!Y&ChbhX%3JU?r3b7o zcTK(fh^{AyZl3~&mP})CdTN3yr*sSgzODD~s@IUiGz@byc?M+en?&mF@v<%SvE62d zQbtL}U7U|(K9R}GR0IaLb1v&L^ilG}-Rj$Tv4$|^WpaqTs7K>E1>WUT@-gKf?()z? zjeUZLkqGcc-2KeBLq@50n4LHdiQ3?Lzd91xq)3|MCH%PLUaT={@P2(T9lm|oIKDre ztWqvlC(VSF61ir$`YygS3FA=lG@zX$1Q%rkc~7soJBSU9za6V-U-`22-d4KKsm`?9yQOw5Lq3b}Q~h4Jtb%X+xxUCX zXm5tzI7ESOejJSL-BZrz7Q03@h_xA2`fNiT+HNcf%Q!KT8I-I;(P!M}-j2P~R<8!{?zaLmi)iEi+g18~*D~5AjR)Xm zW%pn}AebXtVqe|7XZhrw1-FW`c`Jt&+q3j@c}xsvpB7$}lZ&kl>#QeJ$a@~!K{vSX z32N^FYVR%W^;aP*Z@B*>faukp=()RSo_AO%BN26U;ZY?XxnG*%j-^&}6e=knh0=gF ztWQb8Uj+rq{NQ{Z=j2A8YhhWF03P$c*`uakiwVu@@dv)jPow^lJV+bOxXa>PO>lfV zf@W0Alo>UH>r3Nf$&l4`dNwDF54;gyH0e~=y@jCH2u&`&a@>55s;G=o(U|CQ08cKomU398IHfk1$B+1MF+3fXf}3R)lkk4N_DRr zA&+=DE3n&l)k1S)-(T1+A1pRbyZ^3Uo}4}MYpfRb`g3$GKZ95%?D~+8y5BzULGhY{ zc|?gL^n@4S`Ri5A`M61^B}e8WAfVfQdMgIC^c zo`NAd(ImD;tE;#R%)gibK`t%`^p$`Xq>X_rF1Y(qPFSPIzs5igf&Ee>%3r?Ut0{Gv z|BHH)2;)!xA`rq6n|RPpXR5t_{{lIZ>PUDI-N#ojCT9w?24bZk%Lc|bshSHFcMH%I zjIgwyg!HX#ZO4rm%oE^<1O^7uhr+$}#}}Dg0z{o;4uozHc^94;qR1@*nixptj~1%C z7=*VU&cUd=MP`o|2oj3~#)=1p76!9Q0%itH@@Gh)6NVA-fyJnE5_|qT8RaMV|8|8< z;-}$VUoH>>3;7NlH~*%*$&8b>24jN%QH5fxCsWb~##FvkEgTBh9CnzO+81lo zclQvv)J60QS^6_8i>~TB>mO%4ht&eh0meSZyGPghuGNLE(u`d&$F`iSy=QP34vztpE6G4=%_;t)KL~M!P^b%8p$dfxn 
zC)ybxaX_mzE|6u<;p-vkw=>JEOQ!n~cCddY9LUBk|Ncjpq6(Ujcnl9H{Xjzv<}wb` z!L`c%>!CeuON_fF@6nMLb#~Q-Jck=_ht>phti@z0=4Y`JuVn;i)?%ub!*0}W*rGgN zra50GGFK+~BL+^=vB%}U?afJ@$3Q4|dL8%rqsY=T#7_6>M=p|n?#<3l{d9lZa`Li0 z-z%S%^$d)QU2xCZ57mAF^eFH5dBdy<|I-RZHR8uv&nE2*czgks>woY#mFe2k*MI3U z^2>N}{!6F-WxxNYX8&!={c*Ce0gOmuRVel#;#SAG#bwrO7z{{`Z{2-?V+kkcG_Am# z2>kVHBhQ9mcnF^-0Nv1>dpaJj^GbEF-{ zzkZu6KagzBBv6Q8R0N4L84x~>{KiZEge00}lRN-%jF0}!Lg-&i!l|4J21 zmPx=qH7R&9hEKARWU=I%M#IZ)nRWa$Ip zdNu7fu>_eh|16B^M$ze0Bc6xG?cSVxe$9SRVK&2~2H zRTPpdHvBcm4j)V5v$~Yz_(Ig_7J;Xk1!pC@R;=BaBz~f?d{JGxWk}p&7E-d>Y94xC zO2Y!^WG;wUmNI?V;39<+Qt$zLXzoOCT|I_GFnlu@nT%zc<^4AtBQu!r|BRkz$pkZQC}Ok~(;zWgx=F5{0wK zQax^9a^(N|pET|8Za>DX5Th#hGJB2bIq+X^n*Y4c7TXZ|_4(5CSmwC$6c5VAOI!9G zC=CjR2L2xwFtI^diNvp-9RIqIzOMg%`F`~>2*^(xBcQ#FtpkIBt?j=$_n*>_b`fK6 z|N7>a?IHiS=-1sBwDUkm_W%6z{~j*>Df~}Q^dI4UoPP`dfB2<;;{5X|{}0YI?ibU^|NYDZrN4by(Z9xS QIFR`-QzXX!8s9+vAB_WtqyPW_ literal 204120 zcmY&<1yEdDvo%g|m*5VAy9alIyAxc3ySux4aCdhI?ry=|-DQxU`@R3meXnZfOmWy% z)7^V@_gcNr$V-Dmpo4&bd;!`12B{%7BqNdZ`Panf8~O8XWMe3AZ)5Ag@Wa-Y-qq@- z%#;jVFC#qER=1*ab6Pk-0iwva@LwHM^iDxd0IR^4%X0{RYd5!H+&ua)5{jl&(QEoW zD;DM<1c61;7rwF4-0<8zk1D2hzsOn~qyj<$@V-2&CEp+>c+T;i=9=SqdNEU{sbnFS zI&KAuz8!T|?pjL1@-;kI2(Le7_ zRLc4MsG>a-W}YiPG49P{Kx0j{gsEG>uI~j+&poQkH9Eo0=W0VG6iq0=oDv)edmyVd z;_15bjXBb%?pqH0E=K%Tn*Og`7Dgr(reCrCQxdnvKolZQe*!Y9OJqryHj{7a$M1O9 zSzK<8>zO#g#P~N%SU4zm8@%1o`w6mKQ|KWrRS?B%V7Duaaw~%KflX3sM`G1Q_xxa? 
zRJ6J8M*6sVna!{7xn7Z{@TO!vWFw==6=u4#2Df%5bO+S}rJ~KJ@1&S88)Pj%uhTIt z!*6kSAm!Dz?Y}v6r3JRn-SBjuD`*k4zeD}s$kmD>oTWj1296j61no0&u0I(Z&5W&# z|L4l|PwdV$v|`XW(7mhYKlCR&Qa$KHed8s2t+0^W<*$#jIKQGzan@z&kOV6CDCtqF zWBL*AA%QfcfE0-!KnDMZtUgNG}>5GXHr@hZp{5&C3Wq}0{ex4LlJ4H!U zYQQ&&tQ`age*hGVb}OkcoxLbxlLctk5TDt%{xGv z=55F>Z=PhJIAMMoNgU@fpm^9Zc(9rc()QUqz~V|mK|4aOFM_;%e4gQJEvD_SQD&TO z$lNhpKAc*XCN63kPTq4LFs0|fI*REKl7&Y~_7_BkT3A%<=9udaJ6&vBuy!h~2HD~a zR%wUIVq<_k_=9TZY&pGN>g1``mvRTheNs*JVe9Dbg~ol-Wzbx%fkqQ_tA3w9V386FYMK&xC5C-xv4Phmv|K2WF=BecX_vCo zu6+lh&51*kPRxd%02(bw(HlwdCEWRl(T@mkH&Xh@nYZ}x=_l~!*tk`V-|Kb?NiVP4 z2Y9`(Yct`hG1&dOU!LOg`pkVVm4CmUkRq4e@$`P$?d|>3w;6(us_)TUimXj6dRpdJ zFBk$^EcmrEDiEe99YPkw9K=~A542i_iDi35gk#$ZRHF}~gR`~VZe6-xL;?KDBHrS+ z&ZI^L+^&7qfkRRX%SiCS$Us44d)RfZ`Gwg;&-w^hW?fnFWFZGD#Be- zA$S89s)e&QX~Q0JLMq3QJoX~7gtIwtW6U-YrK_=d5oGPkWs^sC3kMU$P2v!4)Fwz1 ziljhula5eI*kZ9kPGjReMAfjcy$$95^qxX6IV70fl2uB@bfc<>Qn5#BBkcNBmu1$4 zIH8$1nAQL;22vhRbaGC7T&_7K1gSmD8h@)cmT|saCAt zIB0y#_ds)LfIO{DZ)PEZp|-#aFf5%Ha*lz2#^h_CYwTwk&8IkD<~Sckc+l)jm_3Ucn9^KE^Ukb048Y)})I0ep4LF6IWMA{CsW{$} zbPo6}X|K7Esmk^-RA#cO%U5YEYne8ud62)rTz)e^&wmYQC>U~oWyy&=F9neD)KU49 z?fH2laYu;d>Ob$9XZ}9-v_RlMZ)p+tFJ~x`dO+n32CN$d=Vq1@NU6d{IhPAY|{>_(UVLri!QMje6VMnJk z(VX{yYSJjmgiGn_otK#K46nP!aGbcPz^J2_WW~JQQ{#eKe322f7=MrqUeLrA;ngDC z)j!Hn4;$55rQo9LBh~TYC!eRvp>#Vj-;{+4sAwUa3>Y6tOs% zVdHI!MbZtPbQ%cY@{o5%lDam#{$-yG6TTtp+*&*>GF{}f38N*r7o;#y8nQ061ua`h z(DW)r1Mk(0+a_Cl{tYC*gv_aLdF|WN?o`oj%B$$dV8pwlf^&A5o5gJ&MHAfij%fEO z{-r2?o_--vrF!WK_uQgzyV*S{XRb;ON1;*YSUF#_cqy#cJ^%5yPzWTa*|UQD`67)9 zM>w_M!bpmujk1N`VWYoh`38a}(t$HH4Q&;i5*FUn2i(7%Z0D24MEWE-Mh$|2G-zXh zVE<1ibFs0vbTBhEc64C)&&Pk-*;%Jm{ccku{gaxbgC%M^^%2EJ59g$E`)AHRi7GZH zjAt@53!t7XUT#c3LOW2}75YU25X+GUnudYu4 zV+Qd|K3cjx{(P7}?qBi|AjbH(Kilhhvp%|i7y!)(Xqz@JF7A8YTY*>h?YcHnwlq<^((%SS`;%+OeI~$~j~2JJk19I4!iu-u$)hr+?e{9W6I~ku@5dB=j&3@adV8%j z!u!tW8<)#dy_%pVxsdjWfZDD1<9FRlJ}={orf%!j7zV?Zbn2>{z6rbnY{CEA0 zj6OZWbA*Sf6rB;DXNSgGhMH#8DQAQN}4clGW&9iXAk>3}oPL1(X{ETVSG 
z47Sv2<{?{e+|t3c+ME2G=8eD7>BdF;^pq#$<1*57Rk_k@O6YRp^n87jV_`er>*&%X zN#nG*z3;lY%JX?IhKp_bTl1OLy(Ym9BVS8OES8AfIOMiIaSKhLV^C~@(9Kb2Lwic}<-{@^Jxll$?`9{&>8SoL zGnI#*hVuo6HcAJLe@sM8V}^R*Q8+TCXbBdoDOb`pvyoabUJ9}3o$kVVIoOnGpmdUA zlAD@@x1z+$;qNp{<>e9asLi$J;RK42cz#G{I@D}d$;?jqOqN{KE-2?HwCo01t?vyU zcLOaCVRATT-hNC~VLNl|?qN(-X*&t*$yavTxTI>H8nZqcf+|{Q3|gZWW>-;sN8PV( z&2LUk<(ExCOCPr~I?gHd{S)kPtmcCY?4~G-N-$Fb2&uBYplL_B%R4-k@w_j~y2yJ|RY%bPmdeyrROtXNd|Eg@eOf&amNY6E}5c7+4o zbY$r3Tq($1AMwQkrasH#FdV27(>5)1o zBFlJxxYOy;b8T(?SZC{CDK29(W1YeIrV(lFg~I-n=M#PBfyEXS7Jgt|(dbu$XJhLJ zC@ny%`5V1)YlkQFmivr9mC#qRb ziTHDS@@%`+Wqj5(@n(26sIoU`qxa0=#+us}r{2N2+ftfLxaIt?{X=PL#q=_2BZ<)T za-8AbzDFZHH1QeuAz9ChruX{pgF4FjK_Y^Qm5xCYC4pk}0Q?ApQ8|e?*z9;qL0f#! zn7Oc-eI0Y%&h%%~rB$xNcv3Mqx|DE0|`kJA@7QjS4`CUpvkxfT-QN^IO`?c?uhaR3*x76fu!*fJB< zv~^T?$PO`NI!>Kl@jhl(bMv@G+)j$><6pOQa}5adoS)8sW)G}merUm`0k&yG@v-3D z#!_ri&2~D3s|?B2&H!{=dx{>PZR(jS5s#Qf(B*MH*in_1f&g z$011IkTv{=sRN(R0u%ng@I&*6!payF!y&-cDa}V4GJJa&y|Bsj=&ZYCW?pdpsvOtk z@}Mg=MKVdZGs$!OqA~<4vhaZ_q@_A$ES6p+j1Nb)Y?z(R({9^m;ik&Jlq{7tB^9lr zJVa1tEKbqp!_yq%^yo)R-C~pCAs532Xnfb`t17skWsFNZ)Mc7oU-}~`GKd2#L|q4l z2ETFIoHbX^wHi`B9*$R=KI*C?p1LVBfU`GlTC!(W#ls)YK7R3-Vs8v{1ot0)J8hS{ zRBP<)v=Y)$xzDb1_(}K6shX=KkpMBeI5`!pS4%#qz%7-^>^i@g!Rz)pEU{Jg~aNv=-pB<5?HjLBL*G z;i!=wp7A9T^Qq6x$|F~mp1zxZgGaHR@}B;^3zb>hd49{h(lYeJr5PXl$VQQH{kM-I z;hXO=LgL%+6&c)?@{~aLj85Ron_Rux*fVXTnE$Jsz^njES-#1V=cFQLhW zMh1jM`h?Mo`;cDPv;NxiA;e0D`1Z#C-2CTt2&~x|+-oAuXDcQ*7?nMM>tkZ>WvndK zuGTQizY3{ZlP3(0g$$(?G{O*i*m4oeW1x$f74h+(BQ$ENNlHP%(c|UZB``;u|xz*B}wd7UQsh5s4B^iNd)e@M8K{?4{L2k!|r<;YZ2Ff{IMZ4u`|12!Pp1w})^Z3%j>u!|dAS`o(g&bYm zI#sy4Y@H(;Q%-PyyI!O>nqJl@jF;AJJ)UM;e^aGfLAWltsrQ!0;nG&~c5r3>ki80B z|ESDg(N4-MwnE&j@z!Yg^|~2YB7s{G!?vk&ndxhtQBP=?d!Ji{@Mu_#=Vczh%<(oQ z_(A;D#v)3BW70X|FjbKWk00X@ACh&7NXqW9QRv;*%ZR63fftTpy_`ju$v`GS|cA$XNxuBr{g=ZjdD-^#K zg@8uR1S%TEh~Tx8a690qc)`y>4vTij)%tbzTr~d7$bdM25-i%p~_@DC- zf=9ShZ(3zb*Wh)do?sJ}SfnHl4Dtu?CFiiUR+z9=QYWuAYe<)X8eGW6$@~n*ce>*A 
z)b_CM)qWhrJ>jU7thDwd_>s=XqjP!E>!aWJXRgJ-p0Jj-DKG6@Z0CG|$M07={=fV| zz6DYF>D3_86kTBx{gbPOLqq~Gg1!U+oR>`K8)&TLmP4#RESe^Psy8^@JM;{ngTIi%*Cpr}T zn`ejQK^@x?w(~)m9D)s6@uGs05okRwmSwM!7YFPu| zEBR-HEDsl^X0_);EYv%xm4+}zEYtKo5#b}|&N2lq?JcYTE=AwkSpPN1s&&JZTUE>~ zY+3D{o#jyV_tHd8wU!W4Lv{l`M00IMn}r=yZsbAKo47L*?S&zp%3-~7M0$7qHnS-2 zaIubTDD*X_)m`bU#~&83I=j{IB9meG7?Wyiw~qBdyLx9=x6Crzx!}cLYdBGsBjSWl zqt%XQ5h>v>;t@=x^(Kst+((Utg^l@*4af_@U6=2pm*e{{HH?b4XD6zn$CXtk&y$zP4!ucI^ya41c$pSDX z)B$28s65&dkZAw|lA%d<84ub(s9%nJr zvsT!_j%N2n+vvaPF&DGr0^>=>`GCj3$393@>KhY&mUYmU8V%Nr>Xyc^tqM2nfpgUx zJ5drYW~&C33sr}~gmXT-{*jGBa!)NtmRFJt{H5MA@pI#7KyFZzx@b?v0|xZ z&yjSx;*6gWeCW|SuXd+mJz8m;2eWX|T)?E5s5eKp-5pr#eZv5Gu?-~E6zAvz;lh|f z4$lS!8)+vhEQK$Vp6LjL3x~nS_Onkhct4A|Oc$RStlh$$dOFvO#15K{H4*lymL|er z>E+3=~MoFe~ntj1GWWLp8sxIURT`?Mt@%u`Jo;PW+x| zD2C2i8B_+tvUY*)GBcvzSkC+xHk(bM`C#vlSO#?32e{WPz8zXHUq0`SJ6W%`M#(jv zCq*_TO|=kTcDdiXBhxLkflUmlSlrp?n@JxgwojCI)dmM@Rd0|Lccs1{1Vk?e!Xyl% z!z6r3Wei)3X9PGqtj)O3hr|F=Ub3T77AjrN?|!rkKO*qw%NU0wO#Co>IO==As`r>i zDunUS(~qV=9hnI8O2jp;(R%U&<+f_7r?6K&+vALgdVW|dNmd(d46Dtk^FoOCD& z?38S!E}3%fB?e*T(ElPNtBqW$-g6BbOX1R)jR~G8^_tyeZ|_U!%6Q8ei^ zQBxg;E9DOI@=s5`ZC)suk1r&0C`2|x=`mwwe7h@htY;7pG>=G{S`~wypH@AEk#w== z;Bn^8;F7OA1h#mnx$dvVR7qR8Ca^WAN~f(Ipdg`sTi7<-NR?hE!xv|5iLXU=w|hz2;=91F{2=ouOL3%6tV(AR#_Jq| zwX+d0i&*2?pG5l{+ZD{r}-2^BNlHg6oWo`_XQ0q?#;K7?QTkh2)j75 zR2(|hpy$j+iVP`hEdd2nmP0U@FUQNSx*o>QBlKdthvuva@UE(-qE(Qo*$Hd$*(}Zu zZI(aYuU$>E17SNi6U{d9Row3A5wi(o)G5S&f6pOHhDo&7u>VC$T&D53NYY0cdul^JYY=T7CcIb}nW$oRvf3Bk6&S}1 z>^#!qV1`okQ9XxNK9qH&)sTrF9+LLkg6L|V@VM#x9d;EvxCqb_ngkQr`?`&Rqd?he zpT(YHgdwnMMV*E`9E5><&&){-oRrmKLwwP1_$<}H?&86Ay%ou-7l_{*XCnaTZ8>q~ zS$gYb7sr{X`Ra}?MR6zuRLsn0Bl=p+<^#@2SqM5zxrLnIMrKXflR`{2GJ^1_ubPHa zt?BQSC%io@7jrX34npHK&3lWCa;hH~mpe2)L<_QEVk$1&pyv6Uy>N`p_ryye{5Jf;6)3NasOX3dWKK}D(NLhMKkuUL|6nVICI*y2m#ZtgP{1?QqQL=r12LigLw#-7Kij&@w;^I98QeK>G1{82E)3- zl{aip_o1a_YvWvkGrDEXW=JgY)_Q1pV|_2y)Vhvn##6jIA9Sg2PuRHU_$9*`Hwv z7S*k@R8$Wv)2`2Dk{Ggpvaly;F|!X@zhhZ#`z_~6lJT%EiI#?$3@hW1s+tEVYaE2C 
zeNW1Z$k#p1A7XidO6OU>Rq$;4KEX860s_E?}s#0a`Z1WamU>RNmw zr?bP!%Q#b5-{e`dT>ESe5a|(mz8`JHj)hm#f3fr0!wg_z4%>_C)UU}T0@znX4(oqy1)j@Qzee-#^fN(58??Pd zJ)wmMvdiI^M~$zN9|qS42!Bc4+z%;`uLbU*9tl_fkaao^+;tC?&3NX-H>%3@^d( zDVd^Zp6ScXGLth$%fWJ3Ey$)SlEVC_&U0&Lx zFzNCIPuW%IdrGCXNz~;u-Y#XbtJ%G1GVaN=v1SY(>Gg-ayJQX}vi`8fTF_2k+|83~ zS$@_K4$eP7hmj7ru+8+|A*lq+#=Zo*8m`fqOX$@4F(G~zKKYau+J?G`!TO1~MJQw6 z{p?H0M!){RAQqw~8bdSUhL+kOB`Prl<8R_=6wpPsi2%Ol(0_$Z47!=(iXgYfN{_lEpa7X> zmlx1a_k}hw`fg90_$3XE#+z`M71QbL?7rTnjrU^85nZ4=<{1AM)=p$#j3_gcb}P?> z*{16t;jhQ2P_jzWg?eZ05_e}fuAUJUzsu98DGpP?J*TW-66*I0j96UxE&J+o5+ zq+%YJYW|g6iIKHzK9`aN`niiuDE>6kwG%=;d;0$SOOG~C2S)-=9$*&q#T1e(>Zcqa zOF1q|adg}_SY5t4d-NJU(zhwByiwQ)oa@Z+_TgqTHvv=W`kp&#hxLoS98zLH zG4&f2X2Kb@GNQ*iBxMw0$$R*mGgwAIlx~GFeOxJVz6OEC)G%f^d`2wW=Myi=yuVB+ zj|HrG_$XM(Ww0&tloYu|WyLpRa~~ybMvjldzuoiU+n;#7ND!SGgtZPD2OHrJ_uVvR zWty~!7;D(ARuoc=ZY3uAYhe8i@h0&5XqyD(SQ|DCUv8WME+nvkZQ7{NsE^ z=7xT7h*xm;p3MzyVaUp|{GgYzSZWTJPsH@}wDCh;Fw-*n=KjYMu-jXYWOD3SIxZ)} zIgaJaK~_QYUY6qkRHh&!OhHU0pFDOr95D@!;;RucrjA3X|WOk#{NySb&`)o(6Il8*1y2O8R^V}v*sVxB;pY+hc;8n?bw6DNSy(TDAP|vya7%1fcz^3 zo{0dDurg9KDBA&vnUrcjhoRj_O&EUT0w@NZM7>QC`0Rg+KI)9Jznxr2f{nYPU!S#C zZ+1wf*NeJ=OYvQ?>srEeFo}9Y{Ko)(|4##O^fAHR503yR2m_L@*8$*jHPvs6|1ytRfzp(!Cx~d{R(Uq)6r#di2cke z)Ow9bOrWPrNt-)A-WRqQ(*(2O2`F*Y`O7Jv?^l5$2O&JaGC{ZYQQEb+By!~&n_<}S zH|w)V(h*thWNpHV90s7c?a6Y^mtqE!wM=baZ^roH`_2duS9IG>>%KX=#g^S%l=4xy zeS|E3@UVPvriNIkT3-@gvcGII0_`7`-w%tiLZX(Jdz0Oj-nJb)bQ+fl*^%~tG?l*p z(Zh3%xHN1U<#VN^;jtKDqd~s#ci}|t5boLH`Rh$_a={i)I=UxTZZb^oMV>RrJgV1S zoLF?LfS4VkwX~h52?n7_cdl~iz`A-+_k~ws?VpCA4 zQkckt2sJhT7$#A4LbILB4b%bg9x6UqvFjNLbiJ@JMM%21X>AhKD(OU)LF6GQOU>m2 z!9F;2eRRUV)EiAu5uH#bd?y0A2jbd8fk(F+4pmU-X>|aQKKP@pxER|l4c`FwJud3$ z>Y(VbU4%oa^}`?)>QeffEBL5$qQMlE*Nf9A*p=DIJUJFs?1`0-QWTH5Qop+&#pE$v zt!~vH5H$ZU84WaQ>OwYYjs%x zi!{A~*HjE~jTImWyVd#5AoL1*P1)J7O4g6`Ju6I)XTJxC%B&ihPp8g1WJq1i6)m|Z zi%HTxTueEJNX=XB9zET~98Je!usiDEcE__C7x2}$Z@xzx8zIm5+8JFZ$8OonpzuSb za~3!E$Fv%Ni+~TtJWCLjD96>w7YUS&vl^@@MpLZ4>rDpDXsVFIwQK9YV*d>q3W9Vv 
zp`qlp;b9nssu=8y$oUsEnb(*;`JSgL6c|CWeR97ep>{2tqC|qH?oFdPl#r zN0Z^n2&P#f6*Ha6dZ~CeG_oT%M)_H!zx*LEmh9M6GXDJwasR-polxj9D6)`tF*dSi zgXWg^@8sUoVVUqB%?&(!3)Do{R+k8tqH;>$F&9Wsr3th)A6A?O4-+>{p$<^yl$#XF zdUa)yGQ_u^bfR9%=ofsV8?*eu2nn+s&m%G(Zd7=ktZ;5p1B61QLK@5jEIo@-APiWd zoB!Xzvmn_BuSWbhix9G%pJ^tMfinmMO6z&l^ZveEQAT>fgR}Y?lT`UJezAu))4`CH zaq{Z9PF8@Ki|g}yjaP>{*lZ#snVxA*1M9mJYDWNotnh#0lIRz&2qh(@A)+V+E9qDS zo4A}(E(eZ5HDw?Eog(pIKV1TCt?Wlm0s7z4$>S4WkSIe0h)TK!20HdC@c2$<8@=0m zGz0i27FXBL+KYS72*!KP7!*AVJYeW8Mp9yg%KIrzP2Hit-NCKu%uD){f{aR_@hP^E zG6rR$vpP*$$0ab!%Z`%d&4h8pa{xomx3`ZkF6xKYA7;)FaqE3@%PoL4YgS7c?Jw1B zPJHZ9x3_6ckOkV$y}U;|lgfJDZhyX|MKl!~vc;yPmvZkX?*tQxeQB(UQ7EDMIW}fg z`plhb5aL&-@wZSMc91R8W(crc*?n)ASA5(EUxwvWrX8>xeq<~wJ)Nq9MAjn zqKT`;A$=+C&2!oBOIdDDwogwQN;iifw~vqG-XGgn1Mne=<=%wl=(U5|UoB#bxSO@L zQI)aHk$e18<|jq((;-{26G;O8!Uc;`GHw|{aZmlLq_$^P1LynEtujx0uqE)Vn6Khx z?JLy%*SHoPiydOws<|QN?0PigA^1dmO3%2bKnK`mrq7bMPQqi7bC&8?XNVbxZ&`Y+ zx%|~cR~d(if_!vgrR@j#ppcXjvR$!=epq zE~D3}e)5NQ(Z!Q+gji52%ll7lp}J^VOfNbZG?~iT=7@i zc`{4HH`c)zRn{`c4{vd6Se`X4T^_R7G+vQ$2rO+w3$oS6itDoUP$Be~ky534a~?C^ zU5*zoZ{E#ip>4Kxj2u%Sd4)OLyb)RXk}L#Xre8>ZCsu|0r#AJMeKr;^Ujr3Fm?zX= zRm&=DW@CIR^?g)x%`eJ{NpC5pMMORDhVba+e~S}=*A-bUb+$kS4h?A#U!HT|G3on} zv~%=sE4T@9u~Ft~m)xTL3`+S7CrR9lrvUPUoz;m)uMXF*Ibji(y{Z)Xu5VrA+%OXf zW*KF=EtE6fUPg)U?OH9iVSRE)6XAg4HzYQ)(kIGDAiF2*Hti=kH%T&`27bjS2+NL) zh|3bH8#Rtkt^KSj@{^9-lSRdy{*4$jk4NPX0 zimZ$LH)xe=7!~C8z&)iB-A|_Xin&1Zc?(au^Ct9UA#s$k?@OIEt}r~-SL(zqs%8}< zp)qm`wUUG^yzyRkbB`1F&rjV1l0AG+y|$+Vh+Y1y!;=BIXkSm z{~0lXLLHeph*}z7jWYOE#jW(#KM+V<(*IXx zyn3e=^zWfjG5zCU-)Um%wK#vD=Z2I187BPNy=>{xjd=@M5LeAtbMf2dSD8AZt!fXJ zQ*_t*Meq`GrzW*CBr&!6bN7d?h2x3j_6gxuw|SS`?`L`r@_?_^lYy;I=&+KXNz*M# zJR%rG=EE0cB%kA|EaL3)kX?Z$)lup&k(bN|G>gItAXkLs0o~HQYia-q$iWd{mI0Y1O$&w z@msHf$AJtiThwKs8Ffp_h@i27P*4#Mxe^un=ZxkRGl&ElBb+x+I5XL@SAntZ#Pxt# zH%y)WyuUDUl&EwxU9CYtYN>db1HdPuTm1Cp2DT*UZ`eF_B^BjwV9*mk^VxNu8`Ai7 zX7^r1>ZCJRBg63MN9XhO3vE8Qo*ZJ9eR-g+1b)v~%X-HaTH-FM-2ko}d($?I=r?#` 
zopl?6URv-`Vze@jEaReBVgI7ZXF7Wc#8F}{s*pVtt^x{6;evY@c!fGy@S?c9j%aVj z1pP~2gbpmAs&z2p&b!|VQp?T7@z z1BXiedktx4u?(^LC#$*Df{4IFr?r=_87B1?HIzz*Q_PFUOmZ5u^MeH}g?{OaqADrW z!Z|a~(MS2)FFZ8k_2cA-)FVIp#atB{?VvTTXv315g*G%PmzB_$(EfLdw`IW^9WR&C zn>7@(*N9YICMROzKRtriKROQ3Fd>VO3H>QPo!k*t`+e6N%L0Z$=nWh9Nye?DTzZJ3f&6`p4_cHtX(N-nvG}qoWev zzQl3W=!Ui@iK5lK>AO9}?II5sA7-+%ww0p?p)vu5=e%RFKI}fR*-7SR9`C0hZvj^( zc#-hs2_2!GtT6G)TO;_7ng~4@db70orP6uAk>p#^c1O0y zi7vL`tR9@0OD~%XyF66bC8ZzK$dbc5 z1>yj@TWo^pyLe0hCPm{a1%-<9&_ImI?~DmWAZ!7DEtvvHrVBFpnJ|7@QmkG4^}Fkx zXnN1G&mVW8Tj;yFgU|EA&F`tJcR$fN`$&6*ax@vY_wy|TnSwNtS?%bp72sgy>8J!6 zb3#iXOQ%KSR3NFX2*rL*NF~xF5w{gBb1xMzi^{{&3N#Y^RT?g*WQ{qg0(96kq@`MV z#h9O8X}s=Eb${**w7RuMt!TwI(~6$EYy+RpE*B4Y=?i>}emnv=hJ5m7yNC;U-!@^; z6GYMPF2mI3?X?2T42z-H)WVvkcu8WF(qV-?yqrL+oD1ZCk?t6OA^$yx=O3i!SI^-O zS_6RxxhwB&+4z*8Dfm_!2W?2TU=dYNo=@AIE_KffLqB2UDO2TducN;O$^OU785mf3 zN-FF>wT9_DKTn0mP|c+P21WW3h6aa^gVSsy=4sV^_3rWx(0>ICK98gWCB^jGz^KH@ zpC$8)otVM5XSd3Yl=w&|?$j!!W>8k^h!{pp3BDbfwNB1WRy*C!LswJ8dbe`$cUE=k z*A&S2FY>!7SDZ&8W!)Q6dh<}}TBasyTv}1Z;^vSEYr$B)Ro=<_)P*AR&l3I9AKYgwRL zOw8u%I*W9pR${N++zjnO+Cp};CqUd6w)1JI-IugT{^&m@z<^m2U(DJEC+SWmO#NZsGk=y1xcTFAIvo)GM2f*+ugu^bqe2mJ6*-}X#& zluL#pA^U2`{~S#89oC;C@*$IXPF??uZR}drYY9OsP2}dOWUmvNt;w5|n~1|K6moLc zOnG4*e#z1NSAS{nOVUwO$VUv0njPn9C5&j3aQZ|I&Wv6eZdMS2iWXlZx%#k=#>;YxhZRPFN=h{=f6{R-Z(No475w&~;4b&8Lbmac8nF?KzOgNSVsU|3aQ*w#FVan@k5m~Ea~-ARt^v)>)Cta=e?EP862k3g`J}da9*j^S|JA26I4=&W|abMVx4z5m}AM4@Bx>rw5XuOIErRqIC zZs!gkYJmaXC3jVAv}L>xCPB$b$w7i{lQ0HcCK5^m$kjL6$w5v_0GJy@D(%1Ai+3YV zvR8%6&z4P9Y!uezv*KPBq$x!LQ6rxwo;w!3G_&eEb)6z3WWKBZRnk=KE1$FugG zbgvs-yJ7XcS>P-F=xvsDHr_*5RG*%2?GS}M4gXds5|Y`*%xC{1AhZ~ya6eKFIfk5I z5_JP_cshy>xtQrd7mi#gArA}pHz^b2$%2y5Bz}CxPhr$a@y}C!HK##{6U~(P*9y|$ zH3og61gpB$o8$o6`#*ZzS?w7iR4F}_9|jN26BkznmnQs8ef#5vgj8zNY^sIhiL$pI z6cls>nO&S(7H@nnIO3?$(*6dsgfLR!XqtxH$1=nKD4DD=EwTaBM09ERcwLclt=aek z*o!Y2Ub=kBVC$L%sQo({Dy-C*J(PRDdCL(982HNn*K-&Ox8v)p2z8pvX&zY?~+OJEB~%{heO6 z$^MzuTw{ZSj7zNWi+vkJ(w}RJl;1r{RJEU!`v#M|>GKY%vcXs=s#euK4jQRKGE4X$ 
zP5FXUV^&4;_>_X*#!swVFx0hw2}brzeBvK_FmmULNXf6~+yl-lmV;l{yzbdnz?Dcg)ifx*#$tlKQskcez3~~ACC6&Z|CLrVZ4b%RBBdYv}yaY zYR(VvGYMsTP^+2PB^N1G$7ca2TEE`OJlL+&4jB*=|;K-yO3Jv1UxZ_ zBmvX=su89D-nUq|-dy^P2Nccw4oi5loaJHcSXd5Rv}JK&!u-B@H*@7mi(G zmj5&d6s*SvR_?7e1K#vUrkVST-#*fc*S6vrVa4DNb z@NKnJa$KT!$q@O?dvr5esF54-`gh5ZqBb+kV=b|v8dC(zGjXI7uGTu9l2NQlze!5` z;`Hw@|0ZAiljMw+z5h|==k|GUEQ#6-5PBKmZK6qWr7>;q4Uj?Qx9}V{77c(Vh+ttR zU?Q(-+ojn3G0Mb{@PYH->J&%K{OSv80&`B&CB!7E|J7_qdjnOSqUSd=3{>)ng#Ooj zOF=Ee#SnWKimc|GYSH?&P@G*h^K9`x@6%RJH2jOS@DM?hRs^Dm)UGI{h z$Ko^NiWKIE_x~J=o{H->O?jS|)}q3vO1WOQh%<}+M*q)uF_QQA0suYq_+dCZb?Rue zOA^Y3Lf@A+Dr$%&sOc-^;~dUCLd+#NFJBSq?3-bRyW3Wh+Y+|q z^kygq;D`p-s->jtZyzRBqcdWC=kf6)==?>4Ci8rG@%gis2Khv+qEJ*YnanY*yg=<* zP+gGxKu+vA>=X$o9o{6j06x!WMt%oAf6nZA z@~D+WyTou(EP2dFuxC|*Q5Lvz3u_a0sqx4_2J!v=JINzRC@p9qWfNResE9Cp@skZ<8k3K)04Kxe5T8VVS_s>;zw=q zxKJw6aQ~MWwt=RHc%)V+-`C(pt2IzrIX{$-{e*dnErE(9xqa&)QoBcCZWAr!G+KPP z-k!NYHzncZG(5>-5bF%1kiaB9?=69UQ9Gu{mVl|xWzGjp$80p5WKw?JVHY*x3Ikh# ziu(II-XmA9H>+d~31Q$GxwdLC5~*MeE|ma-4J5D1p2fV~SxSxthS)n%_Yu7b%xHXN z5D5DAkyWh2>*jXBVt@oJ6$uB0(-JM_L==-A4@;PpS0 zJO-s8s$~%Tmik77RSv>dKHI+>=7L^>Z^iHoPXqN?f5AhHnSGJ;>(S^upV7Hnu5CRE zVk<1%gl-@bjaVf+OP)Tt*oR9ny|cu9RXQ5lwI4oumVS zB!ERMuUMmskQ;LOVN$ui|9EGmVGrwxI|+9Vyv6guJ+OzCs?5h+1SJ!Z-x zf&rk6FCi79yMo!}XZ#(&xsLFv{4Iq{0*Ekwkm}FvBEd!qo=;9<;sgJJ!*pSRYxq#| zW8CAysZQdd@#ECpH0VtW#XW(Q_EWk03b%zsji5P9FyOGTcks;eMoMlx@#3}@wD$dl z7AO*1tQ%>cy|K>vRF6#(>iD;Y=%B0v@anC~O4*uFUN zN!yML!2EdB!}QiAR1vAjwY>rD$C2z|2j#ko5+oDaGbD22r@ufEbKS)jeTXq z1>DHLneKR4lfN+A_tx+rnHmrwq>`XOX~z#KGY4HJ=-f@G51|_prWlXh&Fu*C)#k53 za3TeZ|2fO(hADoEqQHRXeO71df2+(B4OVR)L5l#<}9kKj6P z)oj)|j3ACO8xV#v*kKli)4jt6-=Wsh$>RSBlis1i63&ZU`cnlS?Zx~4@P(d&JbE+H zowE=@RhQo zYcn&(T2$&sw|HJ5zYc;zDOa);?YP+v_>0N?Deg-Yw2Z)8piprukmQQkoRU6uLgwWt<(+mDS36 z6;KR30iPUh{viM>(&EhEZTTAkKJ~)D$n^zsPAX;|z58XY1M8KgkLzOx?nEccn_BG> zlHT`=?a4>`5qAKi_X{O6HIBA<@Rf&gzOzY(tL}+!A)7n(nN!V$u${iY1!>#yBOkEy z-FE!gvCFEc&n7I6iVm1NriwU~f)HspR5fi=bf!j#1nR%|JDSbr*uD!>pexspvekrp 
z`Xk3ygEsO3k=;lt)9OR*!#WQr%AL&n#CY%NWp#Ppbgj=iqP!FFoZeH;2qJ{lM@Ziy zuyyuv&S5bq;yHcUDie^OZrY*{V_0$ZuED%mH5>d+3kaz?33)bbba#2#@$F#pbX)tl z4z2~gD9o7@$mh=J&9*SQ;rR|p`|ec6^fP4?l<+(g;>3KSlnQ3`Rj1MU@lwUEKUC|q z@g{{^YFWp;^*Pgv>mHNwVT1&l+zH`>SE4!w+8pa6Bqg;F}F`u ztjKM*qf|zoMTwnnu;`ARkqj$sMf9<<-|LCWBp1TZ_+@S7;d6g)xHwaXiF$W~{>73h zW>=&e^cQe9Xf>^@U`!F#Ry4uZ^rE1+QQow_blS9D-|bKJ$uURz^}I<5MyqcL_nYR- zKMC6G=)Zr@#QXk<-X>!c9`IsD z%Wj_*8dolLWe&1x(IXNf;M(vk)0AEqC$~zYDir_5YJdV{M;qxAxxk9E9pj5j364YS zJP{`aw+)oSI%x%NGu#cEhzVsgjE_r6q?D$F#&>5!dq)GsGLu6BOG?wtzIbOs%hU0R zPyL@_Q^oMAUxV|i>l!>h$ED{ahs}MT>d4pE@o1(bAhIkOr3=y^k`V!a-CA-bQ*I19W(zieJSa%DWbXwbjgVdfFTKtI~y zbjIGY{Gy}PnByMm$^BdU2Bqk)PdgFLENz!9sSmo-z9DlbL(Zr2fj@>e$P0uVitU)Z3(LFNm!YcW$iid`sGA7j`9~1gz0MN%J*Ym?YBnf(| z&)GvvTnKu=eiu>STbLRsKgOnnluS&fmGPdd85t8UM=T8^KA4>y3CI`jU#B23K5*CI zK5)7Q?2wS^C~Z;JtEWlHRgql>WEGzitB|+K`6G~u+MK~D_q@$aR$~hy~G+iOchC)VD z0V+Nq2A;Bde&VlB+;?7C;Poq`&5|JdRFsdNWPGF)`ypI1YQ7g*#3Z(f{ z@{gPa6f>2Y8X}rr8r^#_JPo)2C-o~dJj%-RW8MWTIywo z<2M31d`R|1T8$7RWwwBr1C0viQ{-My=%1aL?*~aEoB_?Vp73apVc0>Qg}?(TcrO2S z%n{`~{e=aUBT6U-lzM!04cf?I3|}A&EF2Qh}Q>tTfK4P~V z(BDka(?GF^G9-&)bBS|7re}e*kLvN$XlaPmV00vsCW;h-bUl~7hIbjn7me7M9LM#R zo8=v*=Q4+09n2$20hDrtZ9t2)$CD$kRACU+@vIN#IJA}WhET(`tnL zKw)7Wq=a&lUU!XReLVSAHUEmu@Z&B?Un!xOc9Kw=B*KzG$mM@_;}rODSd3B|$n(Rk zX%qSr5W)$Egw4$e`XDYs>8vj8wor%M&<;^%1z`WJo-TnHiQql$*Qos>R2{N|6<@oi z?j=AqW5cpgwN20|Y`&TVI^_tWxl6;G#o&y3CIH`E2FdF>eq`R-Au-w8a~WDyPnF4s zUM9}&*twlWw55CRQk=lD$NF*yk|`?j)s$R{sVo&_er*doUHJsrc)tL~9Kn{LxA6b~{kr#{H3&{K zqu3-U(RDDczy8Luk;bbFt;XUwRo@0)GUiIsmr9fF9A8dOu^6PSKIhy)AnQ+Ew4oDc zud&pCZNH)3&9ea>w~}g*{tw2LCvvhv+AZw9|Q(nKN`;#)I_GW^mA?MiO|*oAx`Q;%rl$st??}0D@!wP@MU9TL`Sfdhcb1P#;SYz98!wF=?Kv%j$8TP%2<9z zTHrw3P6!%UDTa}0=d*18>?>mlRqu(e6Nh*A)j3IxJDLHCLfaUeuk<_pb^<}ZgWdAk z+BJr8`Nvq+VzkYzd>C)f0KA5RVjj|9{Lxy*4G11Xmn%D_sbE=}Gz z$X*3MTa^P{(ZhhndUR}YzFX(nw*FMgMkkCNrGwx6A@#gXv;0Xov{#~u6}>8d5TG&q zwjQ^$8y}}%vua)!TklnEg%BpO)k6xrf-mPr*(Q*)j)J+(E1k#TBbhl2Non7YsGF>c 
zZ%DwyVsN(%lQYF{pwJAR@%R%0+7`EHHXxf2s@!KP2r{;AW!#|APDfqUOs(c+d(3wK zq=^u=u^*vTD;}{@bEH%*eZ0-%G$udNUF0i zvv)vdnsEB-8!-wsuq6-yXso)G|30`_U5m0a!!1L z)ieYb#HlOMWAipG$EOVAJHfht)#F$;8+&^{}1Ajb4h< zWQ0cdPBClVdx)F%&o- zCxajNo9c)5#rK^+K*Lu00!1Xl_~%?ADKsY-mkXN^yN`S?AAvGqJDBw|OSsWqVNkLT z^5ZuC%qNDb3X%;6o==*0g$Qw^j62E4t3;Nk_mCa~JH*44%yy$wxJcF6F$;kDv5C=6 z&b2WnC>J|z-Ey>jr|}CARsNpeeoSP|ZI2ML(BXBMD{LmHvG0Pm5$Jj56}C+fk9G-l&$?pVeM_dPk+u1HOPA>{U8|;poH58Nk~H+NV>d5 z?R7DO{U5{ndQ4o**!?$H6^CxBF5_KJ2=pcoBMd7OJgi~5=Aqy1{1T|^Ab9aPMPvDPNOz~I zc{2hdE8_Tw(J=HO-+$gL=ZxNFuVv%rny7TvaB(87OKnwB+sR}$R=^2t{OJDqwzp4( zQi~s%!D8zlMxdN~7OFWux78i$5G4Zqgo=E)lltdJPdO_RAILqRIcLt8 z-$4MbbaIc9ARi1;Q&t0+2ogtO4+1&@w~8C*zuD)~5J+T27Q!A5LO5s8?23AOyo7JQ zz3xSNy6)keZL2THV2`Jeu`vX;P6>PkMc6iIHYPbH@eF?&I}!;#@pEnBXjYJM!z?na z?07c?*hkUCVPx9@uvTFQXj!{XHrHPVUr(2xakO6PF4We&>3p<79x{}PDb z(S+uUQ%I8cZ-a7F8h|2LbJQtlo2E3Gawez==L2-a-I%9E3eZJAFN+*fg!FQm#Y7H*y!ot#D@=Z}y;#0TivmDbD@Vu$o`=fYClXD1AnW zCjJ{oX%|msbun|uK1o0ZbtUFfi-;;p zN_b^ZGz#7)SiaU$fecUI>%9JRSVe_}Cbw6J=&v6b&CXWN9S(*&6i1s&A)Q74JlhVK zJuPfO{=$Qdv%}~A1F3mP$gV_rG7#w&{KBzYnJYL3`;TFxeNvoZBkB7DN7%j!!+(dz zQ4`A(Za)Er=a({5RHm5=L-(mH5A<({1r=40Hz-GP^r65oU(}29q-YtBci9d&F(VH^ z-+Lfy5A@6eCik{Z)@aBqf6asc8boV*HqJTk;$)B0!BVo)4RdH&bEV{a+#`OA;Eb3w zpT0=go)yn|1^p8a3i{T+LqpK0@`GLg5M|o+&C$v?Eb>}->j>hb;}*yVbOe1JF8??G zs7Yf22~eqmsqR4t6Sn%*jKOY6yO@Mc!2b7G0gA6lKLDF2fM)Ic_RF*->VD?6}(J1L6qWDrH0 zgx4@3_HnBkHyQ!gUdHq}+{c_(n}-eTf6ag+t2feD8(ucG&nI(o;pDg-30}h^!YMy#cPs@78Vb!DS}a zVb|wPX7-WUnT%Ju&Vo%r!#X4D2_aw&-7DTh!Kzq2v7n_ME0aY?9D1PzY-6M8_ zySe_@Qb$f2qp0jCj;(vnl<`Vv?!PF{#!1ASa5DHJXbT9oOdORZ8fE3JZd#F88%vp> zYoHHSKjYC7nrO~}6F#HtwV8YatXY$r=w%b$rz3 zEOU}qS2r*Lym(iA^_`kAze>Ge7ENc%(LGZ3sZTTf!pDHg^^LD*jE+4mv z)=8$UI4z^HC78+QD3Nx*`4fMG7Z!eF+)6DdqZ7w-{Ldy5eD}_Q6Ix?~*3!x14Frwz zBm&?@>3M#&kep?z8}%$b5Nx^Kel++eNC{%Gt+AxL=heIg2F>IK=im?Hl9MR)@1j}< zX!=!^o-{ClR)EwJ!muHkA~{j^)y_f|CTDpe&TR2$zYK9alK=YU^#<7kMvjXO%3?nV zNmy3>9!(m8TK`^HPa<8PaMyh191v>#0`<}8FB(D8Gr)WL5IoLhQ6}JfqPWgI?kG6T 
zZ_ly5OoPel&&knv+lSb5bX*J&*C%epJD)SyuRiVP`KFN$uMDL>8T%Un?6mux+p_bj zW(Y*>{)nOhp|Xjjc0Nlm$++066@R{{da#W(nv6o&@QN*m}VmZ}*{zyD=k z)v_rwY2w-Rkw~-@VzE01=qHSHL4iaQu`^E!kDDekT7IQPSnmy6rptwn#ptz2)+vA-mv73|Hp+yIf##5dd-m?eZ05 zV8`-Vs{l#*G{6Yt{fcKZm5bA|(earokTr}IMavyNSZvBDwCTP7Wv5zXTS@C%x|q5i zRl_q=>gyy|eSpX7>HAEcYH}tau#^m(LZemPAWJemNS0R^A{KMQZoIu zBiOPNlBq*pt)|48+~g3t$R4Y4kGf^F2m=a#U&fkZ{MD^`?U(Yn9lK)NeQ8|>dY$s- z>nNXE5WoJ&UJP1+?cs~;1!ChCjF6Cn8_{Q2(Jgkd#_DCsO1g8~1ACh_3)%W^LE}vR zp-JV{c8f$kBUAwR?ju?`6~Iag5!<=NsN;InF2iNzpc5BT!xc7tQQh#S|GGW#p+;(M zwP1mHU8*5}^PDKpH2T=^HKhj(yx~9MXkG)Y`$TM}uu&e^~!evn+gFQw4UCK#@`inPdjHF!X zEUotxF9;_t>toDqk@hI}HeS_J&5t$4OhcISe0M`Pi>i;ViPFn+ zNdH{ne@O*ozCiR8X^yb2zxXJxl3+9eT5{bD?bz&6neTo%Z!IUHoXeYlqGWa3kYlrT-Wc4C!mTD zk@tyOVi9K3$0X5=ghCuBIFSeRT;cr>#;Ks3nQehX#4EfH^~o{wlz9ul6p9Uggx1Af4Vxmv?$o@ z$hNi@YqL=26^`X^^ji2ZAPU^>X$r&$%k1bwV=vVBgeWH!JW9v{6>lU% z0&!t$d&s}u885Hy5SdlLUhKCl9gQ3&)GX=j=Pk^n4{f6&K4FTt&$T%NYN)0rL{ixu zcnJV+S%)>fGQTG)C%*%7Kp;TE+9bYbi3zrg^r&&09YD7L=6rkANH8~e@wX^O8ouQ# z1P4hwV>L)bQ8w}KwIF`Hh*h8-D8#|s2J%;l!d*)*x&oG%1?MOXBRSQ~h2X+4r8}_B#UYg> zFHl;ZE@SKOx+U_`b7)u*-vW4fUUf=0i_SqhEQxLAM7&QT^qOv0rw`3hn=~a?m1-x& zQXjVZ(qE^+v)A9OxYQY+JKb+MUon00wPjO_Lbpr{Tkn&{5H$3FOKppx+nFI@vevHO2I+V$n__IDt{!nNSJ)fVuCFm+ncf2mFUEhrVeTczV>>TC3J&MilnCd! 
z8EcKqYWOxi7At+hdB|_#cuk-CsrDiFq{z+4$V!Mg*^a9u;@mNM@#^Ec-aZH9w-X_& z8+%k}7y)a0?KUky%%w(-O4ZrAkwy-uXjy%-yV#X@Zr z%-?oiFT7hYwyVi*2^%kY!tO4tI-a&(tv@ky&LXtj&z{ES&$XfHgJzQUTH@N(Nuy08 z{bWRpBg<(1RC6Uxw;%JXW1u=^{q8NSY4UiE0pr0mn?PtQ8w#2<+;LniphkpOjOUL@ zllbz9kz%Tf;%Db0C74xL)M~Cg35n06(UWN6TiOdq=#b2lvBP&~=l|7HV**h~iu`Ef zZog;}k08k&VMHc;c6dUNdO$_HTGw&ygVDxC8y9xx!2N1H+W zxue23bH;4*eEP>nX0>OxEg%rVlN^=vct`c2kV>rv$T;0g>~_nryMs5wIZx~+IpYH> zKwjFn2%8$doWubtYWoZ}cI=ff2&`!9BT+<58VoD`MC*Nm=-RCM8*Emc_II!B3l|dp zpy{e5UbL|M{O&UDGO`lZROtYHnd|xn^<+J5BXHzou!TsOiz8du9SRZfdzqT3@Uo?v%zM(^h#-?5)Ph>>{ly1!dUvE`(`aK35joi;U& zz+rXSYl(2(gPd4ZI~}2=*(MNxbd`aFmF68V2Xj7wO)2;Qvw*0yIl1xiPWYV)p=0N< z)bsN87Kv(E@X@LgS4W5?;y7gqvGoIa+!7KFLSM`JfDBPTEBI1b#`E~ZDVIR&Uim^V zkDoR9p;C!6pttrU;Hy-^rWLf|{Y0GFb2wKsj^ncw%-$HC88v9eSwnxr8s~jtV>wIR zPgtw|*W+KzhqO5L8{JB0E33koOO+E%%k63#6JK$%CVJ>kI|j$?76NObTjf;kW1h8j zm|!K#qo^$h^$3p$ijla^3y5qh*8{)4T%nPkAMM}1pKDcW@t!Nqtp~@ur+_BQ zlH-Ds)Npw8iX`w&_M=3HJBA)hco{Ye>^UXbHC)utX1 z`}{}mUjv5LQNWWT&bx)!x^OwNTP{Zn`5xXpH9?i{S538?Z>?vu*$t7GfWqVj*Cf8TgR@5(VOzxIYV1kllWFJM zD!YhGp*J*u4AVJMkeV18dG>p&#M%bYTf@s$PXR1AThH133Wbi4QJ`%mWm`78_rSKC zC!>fD{GUtq*^S#J5<=tc<#q{bvv+iA$MPnW zGf7AfumA!Ey?7q}rMDgigy@|$)*wN|Z_zmbm4Rhu1$wRLNkbfQL{^Y_F0uPa=C7lh zwoXsL_7|{KAb?t&Hb)`tbyy3#w8rvewo2?iE2|tYC0YY#9kgq5BORwH8aV5IcD;CY z*CpuoPN)Q3bU>hC*)~q(pvFL2swirJD`~ioqk?V%cTQvg!lto2$Do@botblBXkEv->lnqoW7aMJ~%*piA+XP@5;Ie$TXA=vOs#K+Qb5Gb_dOvyr@KdHGdbU1b7?Wz2Mgl7 z^{Yolu&f1R*pzW~i!gGD>7#?x_!fRSj$n#UJyLQUg#um-3kNZdKgQj1ZYANN@|c^J zb^_@}`%;ZU2DwB8(f+WDu;;_p&L-k;8dqH`3OPu>tS4)YX`qS`ab=IhrMADq#kY=kpEBZt3^=;G`w6qgoE79WBqEsw1IwV( z$joo~)bP%?)XgHO2Ko5+f}o|Hef>M%XnWNL41irjsxr6sp?Uo2CyYjY&>SbvjgCLU?@jV+j*hp!2QhPooFXEp;65aVi~m_ZUo^toWPv z%y!4K_%*=>katlaltB``u8kaFnHf}Hp5~I%i5(%sg?l~g4*FaBy(+Wx&sXUj zl4wMH5e~pI4%C|KN+SCd06AwzLN0Z>C??y5n_Ia#l z2LIIlJQcfW9K1fety}F`&5Y^o>g&<*b_d!Zt9WUPpFnpkyt-Ihd@Pi|F^h?f8W|gJ zr`%P_{UO1rbd3wk$jUTQLgl4XFZ+}O(lUf~f|^N6XhlX161M*+UP5^$3pXQJ>Uz3! 
zo6CN*DJ4UEjog*@V0nN3FCi2#DFlU_D)_GsBsx_=TddhMcm~+Gs*B*Fz2CWI6k~jL zfMNubqr6Duh|l}IOn(A zn7Pt)nmP2+E7Nd`z;LxO#cHy>)7_KiQd1icJ`(g8$|~GEG1L7LwLF zpHz)G{XLsx5SNcfg~;JX%j9bwwhkfsKR_Cf3;Fp_$frL5u`8vEH+Czain1AtK^+B> zk`1>9oY3g|At_-B0GjCb%;N=a^YSCB;e+xrM$sjd2sT#w69O^5pQR@Z9W;9sDTWLq z-M)ZBJxGawcs)&8i|3gtMqZ>ibeDpuZdf`troJ9k4`VQ{Of^ml4QrX=6=;>rUd5y{ zshz`FhMrcmU>A(RZa3{$WUsCrJZT*=J`b6#_I^<=?ENy&-s7ua&)TJ8nQvn0R23i@ zNXR~<+W9K2@n-zRC62?5?8YS7Lb-&GNrgV+mmIiRn2gLWQjQLfH1YxzQW@NucnUxO zU`yej&&oXu&3L9W+igm_)|e>|s_|of3%z^NeKPLY8p~1RO-tL?RZE6Q<9US<##G-E zDtE-^f>jJes$yG=zZ7xdKujp7>qfEdnzDScNc+d`esQ^5J>yHLj?8E;VfHyU)cxF= z>lBrwP|xtq=7;)^5wE>n_x>barv+?S#ln3}u5l5pJo|o_sx*zlvbnon=-)5YGH^Qc zEf&{+VU20i{!7`;*5_L6t3I+Pte-y`XXu$Sl=(XKWJ0ilXjTy3QJi13wwPYtRU{|h zpE}W=Hi_RlZSh{XR*Ns+)0vX@^>;C7vfuHn+Iz5-<@i6)5I8Q=b)L6345P_088}d@ zLexRu6;U7{1ou`|P?iIxKhvJYX2dEZ;y4X{p%=*MPr<8zYwN*|G*RxwUbMl!3g}Q- zu~K|^C55_ACY*M=d0SuAP@3Izt{_@~>stQCch|n0z2s?~z5{DvGc{e>G*T;w&qNna zr?YAYq71UW5h4JwxCB;JM$;b!!S|W7GEcsU7+Wk*;^Lfn>S~RrG!E{ZaY*QSfKD^i zM5d}8ZSNphv;0l%os!}G%p1k>9jhE~{LkHw3E%*Ib@|1gS+bz;vp)oY@!N7=uitK4k>s`fYXX$YhXyx z8oSgT1Iavu4+S}eRQJ_n6Ml6C^*&0-z+Ft>Y^fhc$g-)8|8ZK6SBU6mOuypm=i(fF zSy)D>;27xUjB`~9>08wS!>bd{KCFs9X|*rGXK~Y$51I{9l}AE1@tV_>1;Ff_bDh>X z6WGUH*9_QB7jVaAcv@e6&)<#@YjE0gVQda~O=To<#Dq<9;B8p4PKpU1m| zM2~*&JvpG6qsn{U?jOy8Fu3m0jH_KD%z!()3=3Q$CU4(cj60p@`GvLaSIORrxNc=> z`qK&Vjzfnh4Qa&MPWK&B1Td+17A;lM2`k^P~L?#Z_ z$2eUsP9cw5M`bWh8yN{$IHEU2=%4Fm-Y;}Uq*!3L4gVRaN5>G!E_oi^JY!Y>+D6O3 zcUNv$by{L2e+Jt-`^5>{xb)XtM^HxonV@+sC3PJwygSEfF6AO6BEfy13ye6!y9))b z)v3Tq@EiFc4@J!G)jBPoZ6)8wohD=46NkpDDGS~(oI#6jFRlBPb2x1cqW8wz6d`4S zMDVmd#gu&)KL&?nbis$KMnkIGohy6iiSsFUMYo^$rf?VZk)On91fWR^d(r!=^KFf;3{pbfy0aTg5q(UpkZo$3eCFS(XidVqBu=j|Q5@jAi z-e$z!$iZ1hYYu$6Bqw0jSi!d&5eJ1U&X=1TRGD0~wCwaOH)M^GZoyNrKzt_Ye$v0& zxBRNPF3ivZ_5@5uiwm__XQ3GkaYE_KvK-zTiP37qu&EEJq^S%`<3rfW9yQc^Re`q* z@`or`R!mg_8Eig#)p&vIio7P{Gd@}0E1D)tA;PX(EJOTDs3$^MOUSj6fJgPb3$V;r zdJBB#^&i=}oXd=>*%QowxiXpLut(i(5zGsKd`pI=79hP4A?QZw$ii=@hE2OLL!CM+ 
zp^wm-+&@=UATlGqG$pr|I$woDG|aw~Iv>WMa!1dZVi%K`#h;#ds96leNX{wBkntx4 zbgR)!Q*2<87ptvl-sm{b7<@-O)}UrXQ`P#wx12 zW(x+&!$?Z=0{Jw>SV zjf&qCuWYz>!PAX%6z1HzmOp$lWfi6L4V)|3!Rb-KCQiFEE63Zj)8=V9=Q@KA!g$AV za}jpU>=m4sq_P6BZPD=@uGSSWkJpITbr9c}=dpMiRufR~*r(HL}kRSC55N_PQ= zIjge7SNo^pWByPD2X*{Mo&#|OtcT%)oRIQwq272(1bl;2WCuLLu%fpnDBA&oD^;Et zA{3bTD6CE_4o%%1Q-~JN^k?X? z0~U5phcVcdZlq1OT!|&-7Id!skrUuLlMQH9^WZuB7X&U)g`Uo4n-6s0LAI-d{S%5g zVGGtTo?7Tq(8*&wK=fi2FgpWYLyT-)nXmM70IuX=#lzW+*53j*WBmkHPDDvf(sg4- z7IkQ~!X`k3XKCQ$N*PsFF`E}hc{Z_?NGy1I@Q&b{VCFXvS9pa*K@~|w@abu7L zR2^6t*g_zG_>1g??22ayttliT2Xx0OKk4 z%!vKd9h!{HTiH5gmth7UtuQ7zmtps7mT13eCP;I?pg@r019ksrAp(6wRg1R`w)7gu z6%<*uMiik{&(cm{+E18uQCcqe(8%vsk5e2kD`eYTf8v+KC0!MaMKDduem!)>#BI9Q zRg1;rp2S;P-hlbonk=#w1f4jLGI&diw}UGlvM#^wpN9ntWU9yx@VQwoR$@Oa`^jEK zOqBPozBX5fl;hb0{Rt&8N?d&^I{m64hTPmMoO!I9pFM<5_+=Z^!*9vbWhX#TE;JU60RJ+4Qta@v zV`&hUSM8eUta{V)Xb9GjSVML>-|2TM+L)azULFmhAVUT38X!7sw3)U(G)n5?Gh@h5 zEU&-%lvSR&^jYl(;3s-FjD=AMR+AK`5bU73Af+ivp~*oz_7hP3%GXrSjs^5O5L-J? z$58Pf!45G*>87>rBF-pqu)1eXv7EfEp^!pYp9+R{huqjilBSy$nuF&PbGutXQiqUV z9oy~3!~M8Mu~ZUBd|R5ZDWF(9xOIp4a!1d{wFR389rv}MyA^d3d~4S~W>I<1J9drK zhAxh81dZ;jAe&G~AV^Atl=E3qTD1z6kbqDHJE|!pXuY(X-uCaBLsjkz;TwgT?0z_h zwiR*o=I7lPGqc%HTu2gZT){y!Yg(LvAX=+joF)7W9@V&=RzU~Hk#=5desRNxzO`n;8Qu4CalTbh_00n6Bv6+*(?7IFpk)|svm_}ms%stl;t(?gt`xrJ~2kvucAm&N* zX@pSY`TTVi>}JJQCeXIlpPNBf!K3gIv8N4BNq$T_v^&H@hU>VrKCdSE43ti-b^noB z^hyysEvEed@bfVq>qxVNDKaW)^mw#w9$|l5_=2L4*s8Ho+906svA_sxJbx3NG;f^l zbPA%T){hkLD;@ZG#g4w7Kk~OKnJArmf8)MmORLS}jvX?rl&ZKqh=NwTmkNUWsD1Ri zoT~fC$6pbi!l{jeHy5d^qdTO}<+g|G8u8it+{UmFgx=Dc*w{(aZ0(tS3|M#J_n1!} z;?dscdV=XKl+^v8fh#J_=TU?aE;gc@)uYG$O|8h5O2wAvqMgYlBb4hElC>8Zx#CKc zB0F7u7LinAdUCo*+l+rwTnEC4Ton3L=Fkh>ly|S;?J*u?m~Hxg2X#E;eDE9t^sG4e zu|y=09mw}0f@F=S$Zma`e*}8p5<)f#9p3&R(958BP1EG$oY5x&#LQg_D|4yldMRX^XcD-u2P8Tp~eBMfgGR4q}%!B3_}bFHCC<0RwoY)tIC&14+k2Mm3F5z0(pojEQaksv=MXmS?G-jh zuoPVSB;ivKald3$4v-xQSzjJWZ3&6A`T*i|p13sf)F(pl{<7`RYkJbtYJ{?)Pk*fd zj_nsISyg`s#0SK>g~=fhoUgTdElU=nvyp~0qA 
z8CqpDUzRu;ytJ?EKw&b-ph!6m$XRI%40uRphX---G(UlK450oo2Ia6YtQ(nJ?{^Wz zn=YQ_L)WuP-*1cGtiTCnfw&VWllFFbieiKmyAQ_6^F^xrhHaiy8rM9ABo#<)C(!Q; ze5Fe&NLiB)b;q-ZZ1^ziOhKxwX4|`I?U8S&cbm&M1je~n4c;s60-kvBuY}zE?>+ED zz&shuIRjI;E<)}HHAq_pR-@LY(1Rmz@>G;XTN0#w)il|hjGGYF(^2Q|365P7E7kF< zW6nw~I50w~Oag7z1AAw_Vi)ag^(sX(e)|Io(QShjetcm!Nx~N zhT21uloqy4Q&35(LM)p1Rsi|u(q3{iOFpTUk^Mx^9=-zEg8jDox+AXeIrAuVa=kx{ z*1EqeY)jf&?+dodO;IdYKDu!bUo-`FO_U)%h@qAlU`Jcffg|e(_491sx|F3T;V_xK zjdjECf+iBRhI)#*@>W)8p^p4EE2*@XnUC>6?r|Iu(nw7kG_AT3A>^s@=h^gCW!V_8`mIpEPS-A%0?>I~0982`cF z2`bB|w(d|{bqGn!!t^-+eXjmfT-}2?rDymHUB_sHYU10+*P5Rd4dVo1*7KXW`kZBX zrv?IKRoLCf1I1BObWP5E;vE{FPT7>*stNe_!&367CHSvghVXKmh_NCzH%{voG32GF z89bC9Qp7-q`WRut`x;D1`i#+#hZhM>H<97=2W?mDJi|4jy}}H6v9&< zvtR>TN};>gPih^5#(_9^oD{)^joY6SQ|AsDJ`4d@jVwytWN*%BuOgqVun#AqN#OA? zsScxl@&DNR#^}1bXzkc;Y};yV+iGLmR%6??+1R$7#!b@LcJiIKy|=wTzF#L}cg{$|H&mNpa|9>`YZqA%&hsIGKn@|LvfiRIo>7A_4E(?4+fz!BEq=N)~ z-go^$%FgIQ{KKFJUSi#&*y8Br3ellr*OSiFtpTWnc94zxa4K4rLG@6x}o`j{o&`uETKqwj8hPggP+S#g7gpHn_pnL z)CX_M6fv7@!iQ@SgidD!OUL0-++`Is3z755WEGYuVN1MZW5L;Ih)rtBV)XIA{$-qr zn|Z-dj1$8DSow}LE~x6=&2?VBl#I_Yh=|r-i|Km5!wFW#8ChqDj4I-w(x1AQ>7x+ro#6XhlBjyS|w z;Gw%LJVPI;37BeFw%l5OqDN69yl1!bW~(k#J&qX2v>gC2-Htgt&<&3?98|15E;B3U zhYfq_go)zySfUa)au^5{)Gl+f6|WxcIC(c$W-*e*L-DSm5+T!5hmgx9wAikp1ReW8 zlFTzvhOYC$5@`)J@PYr5E1=$QzmRtZub}`(#f)n)kN-;xLDxfmXwwW$-DwS^oE7X) z4MAPIe2Ss{W`hR3VfX!1!_Thnar(R6BOR?SAHEy&%;}8R`F(3=zW4iFe8-;`H+usi z^AP#AVvC~Q*||vw=i4s!+<@s=*Jo3GC!~ts!d%o}9eZj;z74-H0h6i6LH$`IrQ|jn z_@Oj%^+@sDHi~P$Fxt@vb!rmyB(+DOdV}%MXg~u)w!l)!XZAgz!_IDyC^^H76OHj0vt%={DkIzTA2H zuVj52?~nWY?Z=7guQwg78y}D7YgtyVrAJAWvxVU~vJw1#74|ixtZGuLUY_F@Zjf{F z9HY1K^4Ld{utW!pPDe>o5}RPHK;Yxz4KeqVu3Bj9cgwDcFs$d_5QPFIX2>Q@Sr>=kX-NzW3A?!VFJzVwv#=bqiC`^}FK%(R>QXrC z$!cqge;H>>!aT*tHv#d;T?Iqzh9N=9JZt*Al1zNuU zmd!usA$wH#Htl_D^Tqb!t@+`7&GSpg=ZV=nfkx;}Pqb)yjgzEORAULW0)I(CssRj2s87#Ar4YP+yla*dlyvhrJM50Ci2#4B*S%Sj&L9t}uGK=$O*v!>7R zcvWv5iIZT_j#6GFy_s(j0ck4u%lz9BUxF0De+Oej#2hog#(3Q?C@g%9 
zC@}X^ieC&ZES!j-jfREsvS%!S`J483BW?^;$Re;*0oUnjNsFXjwig>LpL??Oe36^S zjRN`RdYXq*Olz|~CR(@SyMU=ERq^0&@@!LLtxER3c`eef5l`l^(n7_B5@qBY0pm4k zGXQ!mcAKc7>Lb7H4$h2VKS;M-8n3}BH$+EIb)q%ue2$5#t?b8oh(lG=P$;cOpE|t8 z3oNg`9q9KPi}S$i^8~GEg#}cp4!Em{x<`#w${|N#iJ2oasg%4<_DW(KVKwejO)P=@ z-84PQ{7q_gsa1ObtSfI?*XUKuZ+@j;?!-`yR}a%QQOF;JT%Zz^N;N+FEq7cKsOpcr7r(ti2am(I*N^$Y5)urf!yRTwkH|iwKH^^bXJv{9MQF614kNm#LqQN zHMWhN-|QdoVWI1y?z-O1FOmwr!=~J+6k$~BvT)6EJ-~x~8Mj}X>Wq(O3&kPrELM3+ zzjiIIt6h5aBm}BSBz%d?!n(ckt6iSyO!io~X1ZEd`!W@Yj$(D`4VdlMWSRKP76_Jy z?>{~%btUu5C*?Ihy)o?EbP%=&kwmF$WTr1V5${?- ze}@2~SJuy2^=)uK`UQ|7F$gyxpHeYWIo$k^A;oZ6QIO412(>U|*~nZ^6ea2@BQz8S z?&HV6_QC!CGCFQf{5pDdsThXin@{ar$TJys?PZ4Ot7zSaXPT62uSnP1ALv@(o z$m-J?bPz3kDTa=w(ftX+>v~ z5OjohbUXF(iQ2(v;7mHd+^4*BkVvVJ0Zq8GdJ(MSDbXy3~rIiI~WioFtY9`Y8aTemcT7#5U_7Q>qF12#&s6%eIm9nzs z;1_>=HF8Ds;CV~t#r>E!5x1pmo5ru(3PjkqEg3$baPpa&9z1$n_|Zu4Wt0M122U1u zK{44>A0-fTRt+?@z1(CnDW7`hb2nwUSlVQ?1EVwQ-}D2z_gY#oYH(a?8JHs2nx>-s zU?hnN0kUUSb3MBQq058~OAq^E5QX$TrDZ_LA(L%95#w9mmDDIDFgvi>?CBm9kGz9=x)X*#D9zOeH-x|HMq_JEUI@a%}B6jv>MC- zL}g)jILnZm&8aMuIAuv}mblhCrRfuPjheT})*HE5eB)4*P**LR%F$XH)>BQRZKX=g z=bJ!!t2UsB?-VWq0x&U@E(SN~C~bBwKF?kXVz z(BBYybJYH}5M1c$QGvkMGSQIL*74>8hX3}16>s33PYiM9JV@^t_uq+$A@x@3cw}&#X&H!dC4@iU+MY>% z(}~$bx)78X{F&71!sL;O#I{rSj1ouIAygapCIN%XV{(d>pY4VbRl-G~mLeVoRlXu# zZbKh3q(i(hsg$t92Tf3z&%eBKc_w})$8L&{F9Tjx{Igo-`dx55>JL!u|$A)olowKKi{7z zz$>$DFa(Luw>zPQlmEt!K^Cd`X?>`Z3xcz>)LN$Q8YEIsh|c4bqMC_Cp^2|a@D<-w z-1Ud0QuCqz2DD$259*{7ljuBK-?-kMj8utd9dpNVKiya@?a`7Y>h0;(!rjMRI2nP! z8EZ;DlK2~BY2Pp&9GhEMIJ68)(OkRZDv8XDsx5E$n8EI z^Y}hm^?yZ8%CBJuS&aIx+9Vy3(&?k&&hks3o7FShRTJ3kdW#rM*&E?PUlZW<3weD} z$RVsOvP!ek;P3^?zJTQ{%XYk9;Y_ysZ+e-T=!xpbpoS# zmtPENzONREUmtr3%9n`QHX<8#`gXPB=A5SwjM>TtdrIwa2ZgnlMYN2UGwN}OMcIn5 zR!~Xpq84yTN+u>@>5~3v)>Tezf&Kd|fIEE#Hk_F3mjTa0;6f(9X4%MCXfe^|=r~_l zaXbzJc%E={$#g24_VD5@&&3XzJ;~9e2c>}4t<-sQHoSWa z6&?;4^E_CzgHU097l#|EyN4LIirIY&^9zE!MQG&EL&z3^y~u-_!AiKwsC9|)ZF1P! 
zcJ1>1WhMV&gl{y)Bb~lDyG@Mo;q8>qg#2#7IkU&Vrhez)fP#Mol7KBu3`#-%C*~+g zDOLuqcV(3|bCU{DO{~&tH6ui8x{<{W5c!k`4}VOp2U;KP@0~MPz=k7@5V{aFceb|Z zLTv_e);?Uxv*zg~PeUoGPi=dgdmTI}XH<_ky6P>Vg}iVolJ7!O2itar38C!%mxW_y zoQN6ApfA2|15gvSX(~F)_DU`d&@nDvgD&dky{S>{kM}2b=zLUH^D&Eick}c68N1p= zN+HX#12iwWu!dtQB5NC(3z@bd9d$~g`x@U88?>TVHiW#N7SJ8KJl=Aa2hW7>3&W7y zor_*7bSho&$UASec1qemz2QHIbrjsZ7SKjJ&shPtwRwY*#5&96tqM1870o&yJ)@#2 z!!i%Iecs2!Ig{(D891O(ZWIS$G+&JJS5~8}h*kRy3~WSz64aDa8`8NXDoCN~Yo{zl z494DU&=)CpPfS$`$)*@->KMUXn)Ta6K>NiA*TIt00d zFF_oc&`=d)u(F);lTbj7ksA) z{tjE5UyMLa4KIxn!m%BiG#Dyo9Ch7h0=1i}Vm}!WKBg0x-KV1RFMv<43-XI2%1Qxf zVF`| zXTUSEj^_H9(;pF4SEXfaY00TKe4uz>grJM8v+D)*h3DpuHp z>fLbyg%$HQlBSKQ+U2XsU4~TS@G5>tOqoye+*R%3T=m)z!tcQ4Wp22;l zzNif!Tm9M@JgAuTdQ)PiW~|*@bRp4f+<_3jE^Xi@M{NWhh+%qY$@G7Y5%reELe`bb z$=;Mnv+(h@T*^IpxLKr6iNPFVs;ZDwvL}h%YA#*@Pj!ET*Zgrv*Mh*y(zgj}E0d%_ zw{OfGJ;!|Qa>lX_1Ol7GT)&8>ueW@JN8C!&W?r8dQ>fL$_m&9VY3}|)k#tOpn7o}? zZWHRM%l)1JKW93rX_uH3otAJ9SV|q@UP2BhNQyc6tQ`{Y83p0bO^a@uCaK_Z)Lvqt zFTZ8k_R$)rwj1LzKm23d^))1;=Yvd5Ay7=KY*hnO_;e$IvaXd_*|yu47ofg%iw&J{ z@Gk80N_e`ttt<&a=#>)%Lnc4h{95fr55d0t z4}vf(975uUV0W71T3{Amao%u*Vj>D7`$nasn~{oOAvP&0?z?MaB6YlH7{W2=Vcz1fjAA{#D3oK};mJ99{^LGGO@?O^9IU$47e77U zK6+uJE$1EF3)7Vttvp9GwL(B9WhJ**Uqy}8P9a5U_$ehPg_5&M98=q9d97)KN*IUy zU6viZj>`SLDXeyXj)3t)TGIxb+t>4l6=8S!I*KEl^ofi8#fKHdG+)isL&=n^n1d(? z=K%<3_3N*j%mmBStpnFmXb*?U^OI~xAQBG1OAH7N*3=Bc995A-a43QpVfNH!B($t< z^fKt=$FM;pZYlLUQf|oAVr`{-%0Do_NF?41mYRNQHsR<~X81y>Dnr5;^G6 zECt}&|BnRG@jQ)g6Zq##i4^QpOOCYu@8|+aFM;{YJDA^ zJ8f8GUg;uya>)o2m9JSGGAc}`DNJh>twb{r0z%P_G_-$zu;!X@zxJh)&+B5q!n&YM zx;vH<&YL&p1tJ2Sc_XJ0T(fz4P#smf7hZo=^S$zoV0UBAyEoiBXRTN55}L3^JAMB- z5WK^M0{B3ugCi>Oag{XlJ^F`NaKL(WMmB=1cu48dp+H4wE-4+%0=x5J;P4qAC~0&5 zU#R^E$Kc=zSPx+(MbsABsSzD9BuJsSB8o17SG14!h2?t_6<1Qx{+e#!>V5y?%>B<% zEKLl?FL0cuoXaZo&A&3EtTJf5NQ6gb7RwJC@!!BEBNmOE`rciy$xB5&H#P|`%g0L! 
z8i+CEMK5>`Dq={;O~ymUZZKPQ4*Zc-;4gthU3opZM__t^OVJ5s9RmW`7C?rS&ih`} z5ee!-@~Iao^WtlucWNX*vB;ic)T#D_=FXmt5eAj z8z+mnWi80nzF|4K2Hi6X?=9sGx~Eu^GaDGxxJ$Q(l1k%cq=aw3f%&gBiCIBWop+$KZIPk?uo4(mEid{tyCW+ zRvMdX-DXUi)QVC3K*9d`Zq!H?roXXD{LB2_Qd@=qclXS;<%nJ7yqWhhgCld^>Q*BP zGMh6kOOZ0ZV7FmPYJIbD#)fNN`xi;fk;1@BoA{rLDUeMyD3bX;nq^btbG3R7ap06@ zKdmEdF| z8Q5CBX#09vRZr%1BC&Z`M`__$FRW6=oG3^gV>kL++mFsBYp})q>QP&Uuwdx<>GcqaR-6bNzh(j86)1RK~I*J4D`t&gU;FSN|A%YBcwh1Ivg}B%p$Y?0NKPc6lh{~hS`@eg z1(hOIC{864=8*OZfgpc3J?OwE@PQO+Sq^ceoU2=_4!n*7DkYAX`i2gz)l;NH9#7eT z&6+bQ$k{pt8D+HW`QGBF+$`kAsCaI)r;L=*@ZseeO}eLu4ssgTC4&`~JX>#vs$rOQ z*j@r3!3_|A4b-&82)+}@NPT?g6tdia$DVCoOcseCa)Jnr!^Nbo@S!g z>6G1#D~HOd&ne2P8|$XSAsNdA9|u=?LR+p(ukuM~XfGj^3fDQgXMqR(#GXGoYAgD}|M>Ciwnf~aXHhdl<{Q|&< z2J%hAe9QNJy2KvdX^h>Lh>WYbaX!luH5_0+Jr3BIq?ZUjQ%xG42on0*(u0H;oUH8@ zt#;Ie563JXDJw&QoLNW0QZMkneU>eWpFCl<IATL2jVpob!bXvg zqRfJW9g5lHO6p$k14#_Od}5`brCo}R{1dbIHc><88wk=Tr|+fb=L+2`N=Z`kxb4cI zK~!)FK`4O%m9*DzNt}CfbcJkV8iI;Qs-l{MipW7p8)bfdsI~vwS7=AiP_qwA_VqhPh0(#R@C{lLx@puKPlao-45KB z*-Z6)cmo*j01MpB#Cat`N4y(IF{G`U80;bn?p)^KrPDJa>XESNtQW4+Zs~^z_E7y( zy99(rz_N1NyC0(!Q56;=X<%@tLfInQ0-o@Oc-k;U;S@?dH{YdMruMd;R5zS-Dl z6(4v%4A|e&6^l=FC1p6m7y__RTkkz@_!#pw@7R=yZ_x`Dy5)>L@h*K%Yzo@QKgS%# zX6dT}b}93TaYzsIsRMkgi7jE_X!YrMn2Dv6WKvy?eziTtDM&ClYccHJ+$B!woHa}; z4U(R&N6v0L(%w0#zLX?QTVA;4d;aV~JuT1FuK6+3%5D7a*r2&>2gtx5WeQhrU73pZ<#p0Q*9X_l$HY{kQReips+(XLGvhcRj)(kLWrBpb? 
ze@ut4h+p1dq$|L~TILyJ{$qPEqPKd_y5@SqMbtco?Ih#lB*(zW?30MZ?C^(;(T!WPV59ZvIsRf_2qPtM zW{gi=+9Z`Yt&^l4FEVqINm(sv7;!4yW)`egFn3#=Xo;szriPzgXekeAW|m>EBzG#A zrlU8OB)3s;N7IM9uElH8ak1sg2DIZtWmV6eL0p?uUfbIl;$v~jIW}r>+YW+jPVlGQ zq0xN(67D&#LbaJkxj?QsvT~U^A`h4z({z}dD5!NUeL1>pg}Ef;l_kWqeq@&@Ze8q` zL33W$H~9nw0;{f}?g~n^*y5AK%%}R!cZUf0G7Ks8%#J9RT@0h5VdyWHQ8bAO=&oyb zaS@C&__TLCR`}lha9QYRONJ+MW>J+2%aw*r6_ca8^>5x-!`C%#^m_}=;ohqiMcOW z0vZQBp--D+Le$Fh2V(-F=d(%3OO zb4cW4!_}jbxK}qa5&i1&!Ka<;pi7^J8ge`F9Jna<<H7?V*0Na-f}dahyTKnYdV&};6%{^#@U22AJFrskv zM*kS7T6z7^ok3d7WvCN_Eg6@}6ArW@o{F=@xqWy6JnV<6xjQ|)bvn9wMpTIrtxQ2k z=v7NrW=Km@gF*=TIrDEJS~uiUYaYD*gAkGd<#s^LSn8!c&JXNNx=i++2I45x!63te zPCJVyx&VXj=A`A0oJ&pNrf10e^Wo-be%@@S<1wjoo4n9d9?evobZoI$Sm=Y?`4<+J zFBJ7U?;c{Wa!(tSch2>$#>mZMgysP?3|-Ge2u>Khd5cLk(Nz8j=vg{7s1RjtP7`LE zlJ@1~k9~}hw;09^%1aNo&+98>sa9tYXHd8-9MN6qiLbW7?+=m+L^d+i zA}N|8!?fI6JgOznS58}{WclUQF@xWUK2|`HQn#b<;B1A$OCztbuLJ@KwIIpH#wi78 zdjz%7Rgr~&p(ZZ>ktt9DsKK9gCN5o~2)jlb$2CovJGF=3w5{}lX1Z;@15cE?bf@4) z9$P~30)NpLW78QZb;09};!s&j6iz)>@TQjyL{G-PhY1KF@m7)Z7xS1SiVv&B3gvLIVKC-W(A0P+1!T-yFJup|;4CFch5Ats5 zB&kk&^vi)f|Cy~#&2IMBD=J4^kT!dNkM$$h4k0(*5nt=BN%}>Cm6FNf8EL0#&e!GT zEi-7kghg^gv66`jsE@Q%hfsSfxs@TjevWm3C1HmfDM|RZX0>1Yy{+XkClYTR1;z$+E8|(jOb88X^Qe7o{d&GO_uAc z$nqY3_AOc(L{TFeewJWFanxn!ZW6d;%>b!VJTyBy_j3na=2#t!Z>oQju+A)D?r82; zp7c0{>L;^bRTyDNE3`b30bNur$!1c0_p>A6j3`6TPlP)nm;-d{^(yBOMe#Y6drWl1 zSZyD=Ub+MB2I#ObF9I4JOG2P8YPFnFWIvnd?vI>nZf`H(sS!_om*umMKav~K)IU`n z_YdBuSSfODb0Bk1Y|TK&=GYbPz@-Ao87WX}rm*Y30>gQt$I~Xxr#*3zsRlw8=03)_MV}olZ?fHI)FyJrcN*Dptl^j26DuexNfLZUkYNZ!2hcRl8h*8+-)1E zby|X5WmV(-nlxH$r;zslh6S~5<#aFMq*^}1K(Nw=oVOiEeul1%Sx0#$+8gOPWBV}j zD<3)5+(5@fW#(h!5P=s;b@kMP#v*bt_WMIlD%3|<2ycgF(%tK3C_Hr$u40y8D$IG= zI>On`wysYl{iZ6X_rxJ!IBmF(ryOr#_$R|R*C92Q1p`wR=rq!E*K*jWGAK@3Aus_b zeloc_PX-Obo;P6GE1e1`uy4O%*F|HoK#$fYEIP=HY;xNrV^}xO5q5YWG}ZBrT<1PTKd7+@DP_~{|je;&o70wu;q5I5m;AszDBQ6BdGkLsKVw1F^<8ZgDk4!`AZOincUZ_FjK~q4y<%}q;tFzDR-S$ypKyOAq!C2qRLW=skO$xM^TXN9 
zkH6_BUZZhX{JO!pdoAwUI0w~3gZM{)6XcdM21cl2ekFmz)GmvkH*9m!-L_A=kMS*6 zkT&yEKs1OE4+=zx%OLPoY|nTEYC`2ms0V_%?(oEr+KF1M>1H`^jrO(KLvW1~ZV8VE z`6Gz%%991X91|RzmIbwk48sn$Fp^^$uK6sxzFArS+?x?L^I#34Eec(5_BUIysu?5` zl}#xA&4D%Ib?EW_AG_wI(k)Wopa;OjH~`t;@@!m8?|;(5iJUh9MzOjD33o(~hS*X$ zpyF_byDc#d7DFtP_99^f-)7rFM-?wnYi=<^e*fe9nhlTxFcIu3UsHTgjHy)H%?ETC zvmB;j87#XxG5(?Sq2mX;qnwNiV!`Q(hg~guH?Dlj!Kuy7$q9j}D>M2B`@L8(#IJ(= zsGIY^Hmk$temMQ$ZPmLocEV*Zjlvs`B_Rq^9t&A3C>0HzZIz6e_4oRw;wzcctA{3U zqbvpAoch9e={Z|vLC;9XK{jEH)gJgo_0^^PNC96H*^u|9k#WY(FG$hZY(#j2=4Kc9t&Fv1 z7RUAVYUxg+ns(petYG{yc>9UfyBXfM`WBWg3pUJJ<=O8I+3)zle{2`3Fw&Z#aDmDC=Tkd=Wl2=66kvsS zO#H8eF$NM?8>1eOvpU%KyJmUs#M`4lWHB$-3nGANb*RXQ1BN%S9?! zMKsoUCw>I?n@JBeT$V5ux<F5a>Q6a$Yh8zzSR=e&C#&W?}gz}oib&HV0#chEc`E~9D< zW#C=7P>PPC8mgcYql&S4;NzD_#qbD}Ma@_>MVUHghO<2QO7(xfG2~TB57BLdPU2-K z-N#y0-eP@3Ri0wRRv5N1#w1&lF!V-m@mj%MCA9%RL1u;ZEt7Wjr!q`Php*e;%%_!; zPNbsdb_HoMYnIM{AS^Rm2pXoBZmCzve|MT-w4j@1M1HHNoEqN3pSglIHg+$cGPM!8 z+cgg!(Sowf3`B@ZsP=aEPhav5WuJVBFLoywVvVMrb2+aMK(Dk1`Bw~Sg%3%#XzUKK z`G;yP>BLMfaM6&P*;X^5?bw+RF%LIy|YiEM>065A0MyFixa*qI6+P) z?$d}iQ#7FrD*!U)oVxy2Xp9X^gi8Ae{P(W>#KM1yw`g4U1A;bpR>lwM!AMpP>73>y z_||oX*rOQ*yvf}vp;=Y!C)5#^}!wv6_dxBa8qy{;Pk z+Qx8N$Ug#G6`L{V5?qa*AHs$a@?oy%*GquZ6@g2FJwPV)R1sbmUPH%qg}|NL3xfAI zI*z`Hq52`zY2*TKCITpZxS{IXK9?L?o@$+i#;fG44IYYh)*Le7$|!;O>Yn;{!POMc z_qRC(8y1&TC?g?HT+5s0{-G?I7_y4^U~5qy@S2=#_AT5ej3z(&iMlxJ?9w%U?H3_y z*G)5V>+xa#<$DTV@)V$s;v>QcMzrRIRxHVlvzwM5q==aL!TTpf^mljl2^xSEeu1&lB0%3f@-SVlnTmR`C3M zyqmo5E|pWtnFSqQ5snM8yRdp_(PpB|3zq>%A69)P>McV0J?cfW6!(=)pPLD5Yk~jb z^I%7nK==^@eNX^@0Idw*53;g$Is6j0oE%Ja7RTDadXajBuXzc%sNLtgn48@t1Iy*M zrc8FK4c1yD!qJ5~BaHej+|#d?lvyUYyBNEk8o6BifIpGfeSgz48!z6>Wt7l_oj)sf zs>hOjJRn9*4n{e-R}@fv(OQYu5;NVpWY1eeSYdSC+6~GETB)#m_`^9E)%0#)w5B+! 
z9wvI%tVeV(<6v`#J{!k_7fKnT4nyym$vi26*JF|?jvmt*i;kUo>q5&cK>n4+1Pp^p z<zMB`W7rxKS85=SDoiA4<88=tKm-4JpbCh}?k9Muy^@hAM zBNPZiKH)6rs;mO;Nf4o8oPy?fpHvdcCr%1!C7?t$8Hot~7O|iwXhM9NG9#`4Q~MoD z*nRbG+sMo9quok}w-*l;fiH#58A?euc4>`Tb&)#H;rCmU&`vt+c;XDyJLjl=5sHcy ziL9$)K&M{8p|SNcXQQE_T?$kbzfYf+Z;ZMFh);Fj3*>KQ-2W35Dw7<#8970ho576K32a!m94P^A4=Nn*( z0A-fsgDW1SFcqrNlfc1H$(>&bb~rs{#Vt{44?jpX^V1mChsWpQBNlWO`Lo-XO78-9 zk}KSM;D(g(oo)W_o355G4HeT0&`Yv{<03gux>i>9G54M{kjI__SPMat&gU(rX7|?R zji?K_{Gg5lyj{!CJ|<|<9Dl3@EU+9q5$XIgW99vY4m*TN<6Kw^r@SOuq*PLK#Nr&G zS{OfQ6Q5k~9neJf(rIGs*hazjh_|$(Je^BYL8_ z5jea!Nt``(dS5`egF5?E3ro4h;+~_a8O8a_EUvwAHW+fzHV!%O;{~N0VXW4)M&jU6 zPeD6;)7Rr);tpHhfH&jE>hfsKp2u6SYhH{OGt|DLQpTgyw=bt?_-eb16qUMMa$P7M zMZ<&LjI&syL8l)u&ZrlHa8ty4Y2z=f8^i$r+f0P_obGjm;dsbsoX$Zxuc&6S{+Vs= zBb6{+FH-6Kya3EJ4Yj16+bNa#AF|$_K^tS$lu2`m$|YJ=x|4}HTE*+$ZRrj=ct_8E z`QkPe-<0Y~@!#LCeU4zotnEY|QgC%JMS$^b0CV;bp`}uKZ!tWFKwFiKl0vDM7tcxn zLh6JJuF*a4znaUrLu=HEaVb^)i1&qN`%l#n1Q3*ZM9GcXhX6*wxy} zlU=t(y)n0>bK>ifpaV{l`Ahot3mBdc~vFp>}T5kicK>W5fG<%toDw5N1Rcn% z^t}sA*L3h=S{^pLpzNZaRJRc0{uV1HyPzfnL3_K%aLXihc}7D7Dp6rI7**r?QWAt; z?##z$sD%1q7qTop#RvQN%Wc4Irncq^tmq;h{aAL9Afe&sY4#+Ye1s)Wo&xOEbV=)r zG_ZTdV(-#wQ;oM>9*w8oej2&Z8#TpmK)-|0ep8xKV4Z(M^#Kj>S9YMIsHURI0ZSW? zi~eRSmp2dkC(&mpS{Omxe5ArqsBwuPyUm%}3Q{q16(cBd)wCNjuRz##N-#fBqJJH6 z{`{h-{

pc2T*$57I1hEQ5qz^vdw0=y#UxFL#K|+8QJ*cg&VW>Jw7khbSy+&JO8@ z5ZU6x*85lHTnyVJ?aHvZuuRFg!+di|VK~}Ki|e?x(i)Y7KIQzJczVmRm4p=%YJcVu z=xGyb>Z|xVOYfRSN5hw!xS9^cHF4lMwpytz_L}(9RNCid(1vp>q6McKm6jSHRC6LI zDh-2+|KN&^Zd8JgF_Qu+e-ShDLpUXQFx9`9<$ZS)P}E z9HDa%Kj61+=0tXu9=_5n{+_MP-u!yD+uvF9*#21Ses_QWmJ)5;i0`+WhSXG9xV7|* z{a75sl8kpussdWMfyZF3q75}EaDx8T$JP_i&v2sHbe1P<#LVJ60E`VqbrR` z7d>1XR2jLw#+FehGU(+s`BT*Rqok{k%B*l+#GS%d5;snMz%Z_? zoR?qYYOvZzvA)EUBd3QM&XaKLH9A{9FMF}luUGeLQFS2^pmbroDQP;U+6z`WRA*#d z`~~le-)6BQ(ncQ~Ilj~Q(zg2Het522D}1LpD$xOI6rIr7UpK|Ma(-#KZP>&>XR~ir zJGX6A!}Wbbi~IiV%znDv72T#|-GD8jsS`K66U1`6AEvUC6RmS>X5-S)c?ZjE(-m%w~j0F?aO(s%j_%0KC_rjM> zIEMW`?kKsyW^s<8h{rc1#1-`7pDo59opWnl#P&?CJFKh`G4LkC%WUq129NTmJT8D` zl^D>@)6;@QfqFUdIedLU5dIaaP1oSuEiqoyB@ z!L>d61~Z;`SbTN6M-9y8K^7WMEozQSQKbjnPiyl_>h!<={zJY%<;2QD7~_d8Vj36< zrekT3U-z#uJGQJ3u?LZo@8^8+8e}as4`qT6H-LnExCGv?Y0J$&v#&BX)C3w!E{lrR zk_=sX@V?^3C+r`aPRfP2JO=Fvtk)bR+PR={BK>BIVf(Wk2+!3T9yG7~2-d+G56=~2 zk>020wTGCRehuyR2NhfkD>lx&IC;E2Ty=#xJ~6<2uc9T^;YRAmCSJ%RB4*3uK%zj- z=O|N54`i}fgJ#_Ti|?6YDFnTIt6x}Tk!4D%7RdUMCFP_qZnL{wpVTjju1oLBtMr*!L2U=d=599A?1jk?CbE*p5$l4hA*e=z`+*Pf;~naDUvOtyR4=jZ#t=qqh5^?qSFof48G6h z_H{s)cD-(;hcnc(kETZFZ(qU>f{DQ;BT__R*gv~=2D?k%a2!=y^BPdlbv5GG?OaF? 
z-s+m%TIU+goHF~rC0iHdZ;?>cvK?-@`e2R|gFOe=F) zSs@Lg*-Qod7JqQ?c^7`Ppvr%=;a*hSkhS}AAxh2rEeY>W(+&d)qe{G8p9gP7Z?s9w zKaqA+VKH>rW!@f)SW`HX3rk2QF z=jxogtoErypdr)?jESZj9%V2Mgg|iXDm6@siBfgtpLOo!1O%)ObmFGCcMrnaL=n8~f{01|h|*OURVRSC2e0;} z34x)b&)ydJzP@K&7jj!~>dyd!o|5B}UbPli6Er90@V93Voh|XC>7lRW747wQ=s(US z^}$gQPt$6*TEjtL{*%=1I+OIbs~d>vTU!Nw2H_p(1dh3z0BXWDf2cJGL8B0 z#g(KixT}O=7Wcrzk6Fg+!3_c5@0vQ$_4k8$(Hy=sh5s~B7NDoI>}5ZAjglm~;kBf{ z=`tWnN*1W%tT_)As-o}D`8Nv;nN}f992xkx0loo?dh z)pu^B@3`Bu!u2@ByTH0qEr^b?C;H8O7>F$2H)71f0i|u+pVGGb73}?5|GwS^JEwl+ zxDH17yf>gyjFmwuaX|E&e|k448Huw3**yb+3I9Kp((4K4C5_&Mzg-L|dMYkIV-;!5 zaMh*ovSqz@Lw5}uEk)l5)p$~ZVXX#02Adm@X+N#w>BkO>P@)TQ(A}`x#?F(frsH1+_A{yc#^X(s564@+8sB@ej2yCLo z6d!M<<}A|aRGD>MJLC$_GQN(eH|E+2(+~H%%J*5ue6Q9wQ2#~f5=2GDN%JXC+CM`F zl4@*>TFhSQJC6~WTv{grk$;%>zw&IWQRp-r{Zl)ji)X@>H{s_VmrWwJ)%8W*5B+1~ z#S*uN$>B>D??=Xx(YL^2ug40z^xs_Gc?dxt0iO(MIIc)O4>S!rIGX_z4f3FU*j!?A zDLoWbU8ov()5GU5J!0g4+bpC8DJ*|b1i;!c+-y&iqP9k_<&?kd-gGtr&!qGY9lP52 z^v7GTaJ~~X6!x{4kJVz)LFLAenT^X(#~PI8-ExM_zRBEO(H$FRsCWNlIKu>~7gO%oGZ9S7MsQKvDpLgvXg@8lY2hX!dP8Ri}R%6=>0~VE35D5*Ej5f?PrUfJR zPIdpshylaF+z@L`bl61^dL2q7h2hUPg8H}TP!bl0^s?`CtvYq`#a1Q(nZdqK5zzbI zw@g7#`6e-&{XV5nUa4NA`WJ`eDxNuvkr5)&+r5@fA%9}-nP(Fw8>;Pdz_R4FYJ#Z~ z{GZLfD|Khz(DM8PpviANP8=KNNZzkJ2zX58ek4Pt+lpJ_9p<^fzuLP(D<+`bu{BD4 zJ~z2^T{$|RuURPql*8WYS@afF-xuAd10Y-Cm%Jm2d-|!-8vi(K@Ofw~_*GoxKR8U~ zt*Na4|BQyTs+XG=*A`OWqcF5V-}}|JgRf~-a@0?Yl@Ud{j3wi*%VeU)!GKY+lL}%6 z_y&oaXe|MjF~U+`zI4E>>-*;MA?#cxm!W)jJJS7@ zv9`AS*;eO+wbgvqRFMQ}998p~kb6O%Hmt)3B;oiFN3tr8&rh0kgJB&t^lOm_%I{q) zRA`#e@=^{t5;839+y(7VDD!xX_K6#+?=C5>peue@D;0w0H9v}&S5_jdt`bf$9!y`5 zMhT3gDS+^+?!P85V1FrZ5Il%o9a?~TtJFjPa#+zISbGA;quiaxN9O$TMP&KX$ zA+=*Gekqd`j8`pZ29RE!33O>7DPP6xMvZ?_wi@YYEemGlLZxsbx>83nM^jQx7t}?w zpe%-UmdJypeEok+U2|Yv&C_n!*lcXub{eO#lg3tKHb!GRX>8lJZQG62B;RfNz3K1& zz4z?dotb@}XXecQ`-s>5P+}19yq!PK(|H`3lFAs?B;juq6~n8uB=&E8_RVcx4k<~k8 zj@2umZp2U&(jZ(@L=`Tt>(xcsix_s57`X3P;A1ZQp2TMSDN%?RhBhD61VE-mMsop= znnoH}u5K>05fPjggIegm6SdkWA5`?3tj}W4J>q^yy_xY-Yd31rl);k`4r-EV+#UxF 
zl47pkrFHxsd3O$fNq9&DzIdF%^49K0j*6QUe=0_SzwLydQw$|UNHsL04nOJ6TF>b> z%~{VmXkN9x982ftuOrRB-gIAVsxqs1-j3xRP*;#om=^mgB(MqO@rM#3e9^TfL_0t) z)%AYLldEF;-Eusu3 zs9hr`4z_|EOcXp33v(IL#ngfOd#l&jGE6a(baxA6dGkIwd@3Cbvw-hpi`@}4`VEMg z9N`?JWc(So{14qCV=r@e9^OsJbltd5I)4KPCYn>!z@zNW-b10qlKQ$a{GxT~moaG} zqG#ulmkL@OOiketY>^&zisPmN$Spc`Zxep`*vbZeLnUI=!DM3e4c84qy?^gNpN)c8 z-7C@qpxK(^BUxWF4pT6WsWvD#zfqfSMTa4#ZS{nwXzLfyiU)S_|BRGR{a!+DIZH<* zz7js1k683$mY7u609#fiz^Q}gZmLY8stkIfJS6UjSv(iTPBEGyV}K=s%Tw@CgMO3t z#Hv{ljyvE4~R2UgCuo^aGS)aZkc4eC@Z9_+yg5<9%`O;g>)A#UDxY%~C z5HZ_5`b;+Se6x2K*w1%XbXgC@Lfn?p)~}KBQy6|0&$z+fuM_onM6ME-nBqI6t=ASa zG~#XuPHdcuH?VRaCag0G>aHUlh)T)7XzGlatCvPorV5Z(_YIAde{w}k-?B|B(oo(d zKqnkf&x=J%(7w|2(pSQMD+9ez^o65BqfKweB#fbtZ%=W=5ntM>C`na_t=1e`X`M^u zVz$;n3OjmLX>Q9Kw~6qf*y?0X&MhPeNVV*BPIu zRZ7$g@Jh<;sOcQ#=_(6K1DNAHcQMba~=lKj$J6cTm7zdrd)rPa7us(jpr&3|>}5WZx7PND2dX8`9&s&C45>wZ zxFPL;>Xx!8BoR4Gd%%G>$RxU~veOe5S;zkMBFbiG@0Zt0A=r=s>ZLWh{RI zkN~Nl${uSTNZi_*r8Gdr6d6+D#mmA4st-TSRd_*!8f9U!p0Z+giDk(oJR&(Ffjet* z>V8H}^xpS`;H|u+9O3#)K?%dN$ufh;gUtAM6t%_Cd1Dw=9XbAJ|?oB$D5Xw}#yFzcBwq8t{BU7AJ5l!E`)K8GLGA9nz48sty5YDj7c zAjV1ff!9JKAI6m#(??)u+lG){)Gkkv3Oz1_f&{vE?LDogoU^j-9AzovhJV&MT>kEg zVnV8ZeQG1Qk~2u`jPkv70axY8O)r*rSjne_H>szaF+A2uVSVr9T&TNS*{V&k^AN9V z1A?`DjXQ%b;_i|G6Y1f%Po81&qa=L_71k5DheLwY?+*lYQH!mfKuCpj5=*E03Z$B{ z>!upADuwe*ny|VQlI=~O4pQK;vC=w86F|F#<>37i5%|jmQU11~C>xIY+lp!@sI@(DWDFI^cYMZG?tPq%TS7yMl9BQ9@Pnu?ZJy+vtFl zs0t#)R=_6lo8bVP!l2j1c$XJ&JoWwQvFS)*05yp|IslP%bAEeguB}~YiV>#k>=?~N zxM@SD&($o))QmUzH(#(Qt2Y6MwiuRA_go8`glM46p2q4vuO zW!m^q>YK2MT=OU_be(ojkiMfIT*2F{g{8N_c-eWVG&h0ynYmAmt~rKVN$6+tj)LQZO&dkAoh|1cBR7ti`9Xa^?QJ9v$}DkYEV?C-_$qU{qsWhn68#?#Mu=Hp zgJ0rRfPP%IK>60>n0}ov2-PKJd1qAMVw6%x&I~b2fc`mRV+Qh1Qm@cn6~BGmPg$*t zliQhQO%?dkSpjxQSehs0 ztXih8x-TvVuU-CpkCb`gT0n6$n4W$X?*B{o-~vdCSCQ=*sNiG*N(o0k^QlS@yQ!rA zg+LM0>Jo-$)dqV5!{qqjQR};}h3BNe)fjn1EYi?CtYP-*$QEd>p=vg@o=8ts^tYAz zCy~Ux|H-1Eqb57GB<`I8(u8zlIWEoNAnxladA}@7P+!-__W?y)KQqF$te!a0#lPiM 
z#8J&6ZkHi;{|xn5PrWs(!ObhpHdE$dA{o?6ggNm{<`t`hg2edSKOu<>a)GLTa*j~> zV7oPb{(zzrEMkL6^wG@JGI*^`p8zI2;#?rAX>!S7RPBFkf{8j2rkErqtTue3)Y)QWPQWFMpftT_)=9? zzZpt?Ng^6Ot&y*wi(4T=W#W4|owmRA-zE;7voY3>`6oBM^yVy%70QM{1ZHNm2(ZOS zh6Le=x(w!Kw8_!XTyT;!Ic3r&!);sp~j~2^*}v*-BduU-13(P!tN9l6Z@nZ8doeWs>ztwCqpG#Vp6u z7_7?ASV|z79Nx9|*2JLm3DPNtM2lHQ61`mDz4R&R0k`bj7NED*ucj=w+4*LDIW7$T z3!w`E+mhHzYx(TDpR6Z4i)*MQ4Ri?yH0&Fd63Y)n3GnKhpkxu>9H42I#pQ>{e7$#b zMPOC2q1v8`?v~yOA?=>X5Cn~!z{6{1gM=Jf)CVQV+?uY?azv;r zNN@;X?|&ajZDoyLX<55vi1_`ek@CSKeDKwhvvGNiCm#I$8FGCp8$8eK4(Kbeye$Tj-_}bs}b zO!?$>MR_gzh9aQH%%}L8aU|2gr%OF#T$H6ij1r$Pxf(L6q7hgOQG@y*MIdPyx~OHc z7)w%$pt$I}S7iU0$5-Wsj0?T9e1Lg;O&@%=$GN)=e8p5x|9wAv%)1fC0w4XFmgh04 z1Px)^9tttL8-!xHW9>t|!K50$bxy2%$xgyS^Sk@S{&%8QQ69+fx!DKYk2C?|NJX9p z1KsyFGNT%NB~aAGACD=!t3F+T^C!X_cpAEYut7z_e{)8#4lv@5GP;4ndz%(Tz~y26 zg+;{*HxoIkv3wcULr<^QU^wuzuj6aWtizTXi(TJyhm~Rm@DLE`h`nv4r75E0>`@vQ zdDDp<^7la2mv~vK!jDq*$=Ysy-v?SC;eR+={jg}kVP|fZr>7wa>qDoy@L_K0Daroz z`Fz~)=Gxk0=?+QepzIt|ufq%di+P_|`7-|MPyn(Lw0Kp~3EG+T>M-k9@SavLa{G=< z;J|SF9fqH~U?b(Xzyaz(`Ws+Bh zetS5Fbh5?n5FLtb7Uqu1FE;ZM-rYEDgvo#%=F5d?mUPW#c&0xM29|m~5O+jZzRrZW z+F3_X*3m*2F`*@v{A?-VJ~62W9I|#Uz5e#C01D^E7jL1@2;VR@)Nch`YCY&@ z1X1)q+k+UK{OUbT`@*GV&USXCd!F=3&kxeznnTL}_wSL+xpW)9WznmjhZdr5AVx2zJScj!+RZNK!<&NB{h-;6QVr#$nb%B zSCC(GQMqLNr?4v+C?dC#uteSf$Axf)6X7sZWG?a9x=|QaidC zL3pn6;~gO_FSK2}MPC>kC7nY~xeQaBjpk(Wc_fr|J?#=HvwI30>}A_pzL4euWZd9F ziM=BXIJlqWQ#Oc5a&xhb-E*YJWKFr{j(3%Vz9mf2ikE$vXr2)+!){zzT=T)8;jzK_ z^jb~1_x1OW?bs#k8_}OSj@$YMct}ThF?mKhP{`-MwfO&Dhvvn6p} zSmpM*xNgT~2;5sX$X_)9nr@lc zYDM_Jb)mzr3Qf5*+cqljZ}2k7wPnf!G}6SwJ?|f76_fe~cK8!0xLLved50@CFyNAe z+RjGJE;GGFOUM&%E8~3pUj8{bB6+nGGCW<92fwTEmmMh87O5_6QJz62(Ns(y7v`_?h z7Cdb6;(E8miDhlg**gtQa=6xBzlcb!2s}SIIukk6o+5wahi-JDG`?Ttc{J)yC8`>Q z1DS4WbL`NAAL;}-Bu%|wV*Tgswl#G-+bZ06$0$LR4tn^XFMo9lEpqGbyM`FyuB6d` zoLM*&#fedgM91DB)m{o4+=(_Hl1VNWN-q=!keDGk8D~!b1wvtS`b4r_sh(M2($~Sw zJSW^eBOaew8Jw)9+#bF>MKoJ4uMxnHf7WoW^G$mi#^J{E_q^L1O}vthVVgw?GX>%} 
zb8W&D%pYaf$vj@f8SzY7rdRCzW?U@Rr0Vf%q>p$dW|K(?8`XS%0X7H1qDgF35BHsi zfy*pqp=46~43?S7?*@ImZG==y$#13ve9J1iyl2^k3bTS@_A}^56o}kGjUbS~}wJ z8aNS2tts4i+ga6R^G1}dvpcK&M*-bSdncq8AM574C`+1y^O>ycI}4e>z(&gi^tfR^ z2zO}MY3F#VY~`H>(K!hqGzPn1ou01oBYf1G-~tiA#`q<&Z%U{%+Vr#d4hmuxOb=CB zp3pFPZ?W*{^%E^3iLDOvyX9b;JY*RvDovweH~4FC0_F<>(*E>t!-1NPo3{F;{y?vm z`RgG+OY)5H`2c+L2Ys0uzoRt6Rz6PUizH`u+gGkS)#4N$<8&C_VIbx3#nK=W{FSv& zFBW<}<Y~P4L*g=OkP#_>7-xuCc*%V36f-2>wWv*E zg)Q=*vqv~nZx@78VmA6X*Hy%Ta|I&GZa5KLjQ9{xEs3S-G1)OfSt#8SSAZm_yP_N` z?LK_j8MoF(b>d|2W^MH>Wd~zZ7j4-AvmGK0kgTb90}-(I7C46iofIjEHJl!$aafKl z$>KniCJ{%^govJukFy+}j_r;!B(^esk2evt)Lhvx?8C~_y=bKUU-#*oAb!hC_qI{w z(Ine-9jJ^(+~J|eo79iPu2HTP3Go8c(7;%kK+hBv6^-RSE2z*A;H z4o^Qn>c>W7$eUe3rRE1lAE4r*XO*BQzC>EzTxH7uD2Oq*4^%`;;) z;|%Wzhj|VNHuYCmtND0KS4M?pP;92CKE_MhN2OOr2a2uI=L18gsGHQdV@GwUDXFV^ z5ZJ?KI9&Q1Thcw_n`X%E7)#5o-d+r0f`APQHAM%GmaY{azG@<&QCKDPn);#0ZJ0wl zTs5R566ZJVLbc-JFZdCg(&hj{a4oSeRfQ7YQHLk5{+B)&S76v-$N9)YbLu2y0o$?g zZ>ftbmx#1Zw-s5K6RJK%#%dW!KOvaCNOj5VKBgpFI|T~J$%&>^S9?5ZFDurDVLVDU1Yq5+{?gkVsloRF8|AN$K z{CEWcu$_itNCW6s!9SZKyc)a6*8y)OloZ%k$wdll+kaw3l)NR6zC0b+lWt6tyMGhJ z8<1$GHagTY5{hInTpM%IYc;Fv*G00mX-%dlp2Zp!l-;_51)+!c zHZu=kiQ~K!2KlIYkFpV3cT*CgAB>A~2s|WY>In`3esm2}pZww26*ndj{kU%{W9KL( ziduX;>LzqPas^h(3M&=<40f@^Y%(1=jymSxi#B!HvQCB5h3)uUq2frrV`(XwxNgT* z^0=bT>OW|)F4~fcVYMg>6Z*$yf;8w4(!BAlAWckV!#GJs#UrIySr945#d0M?mP$ru zDaMJ5b>Z{6YHQv@qHRcSt`ghSRKOC?_oTkWQagC(>@Q?Q)e;Nc*fsKYSkr@YzT+Qd z`LL#WwAI0qc0dxPtmqLaty8M@p_vDg@eZ`ta||7Qv2Q?(^x_CzPJ{@&Z8La7h`nc_oOn~EA(Z9!oSw4<@&o14aI5#vijN89 zl$vctz?ZXiL#FbVsWVE_!D3Uf19{@&h0e-DMMKBPNVgl8O8utW6EBJ9R#_EG$1=NP?P-!9!&}=!+FKDW483&(SPO@3ZdF&@5amxrUP$$NwWLU?RCYv0 zad9PMicP~f(ou>`Y9T>+&BDN5SlgrS|3ab^iN^ppqq@gd? 
zzEg4Prwu8TW3wK4RkX*mpSFVl*Dv;tD|^)T*8n-wIyk&$KDSvqKIJ_FxXtfjD}>~` zBzuce4m{_Gd`OXK{Rg>Zva7Q}$GfdmIDACqRESs@&0KECj1RIrQ>M*R%LaSz-3&rjY#Rkt>G zQtbY7`?^o7&uL$UN`oD}8`yVrV$jwSL$y3#*%%HqicdU}`bT`#dau0r@SPMed3m{n zip~NDJTxgE3D@)zKaPcIj)FJ?4*2A&4{)ta6R97$0awocsN0?`nJ>5s4I<4KPBW2F zjIXgwQ7n?^yf$jm_4;V@-!ZlgWOmVEIdjzMxb6HkO`YeyIj94_&M39n($0k=Fi>1{ zJ!;3wd1pY7!`PSBuc}%iz4`=OyOMeIWF?JzFu=7-d2WLsaEF^pR43&6*{OGIk5lKT z5fTMmarQ@@)8mNoh}^oXuub%PwzRJlJ6JEMY|GaY7yi3!G8iIRb(z_4roM8?cd*ST zEtw=6D+}P%Vd}szpq0#Kkn{*WQ$UjZv~Da`6p+J|bEPayGD8YeBIXWi`DO^69e+l? zzlOf4QRTHIH4xx6R9(|Z@b8;vIY4QZLYgBLK4?a&U1~{2pIf6p*kW>L$+>v+xCI5* z*G0~6|B2v#76Rrrzyn$}G^U+%{IiHUP!-V?k_zE8+sY z77O_DK7h$#D2`ZZH6K1&Noc5sFS~d+^@kOvELH_tgB8XOU|_^wK(Y<4YujzPa{*X_ z2Hmt1z)sphhFx+Gw_^kz#5U@)0k5w-pGul%_Eh`9ONLq?q=$6s%+s`A6I*~AF~a=P zMW0;?69H`SxjW1-CQekELz8FymuZq#fpxgZc>^@RhWXy`yq5k`B#C<_Reo{}h=Yqa zF++KQ|MJ3R%R zQ|;fot$A|PZfYj5zDJ8hYmy_MjG%eA)&Nl+UtQql1l-4j;wYjO9%`mTzfKh$_ErfN){+w5P*cj)6)ryx+eu}n> z!u|oFQ;Y+3lJ8C8T$DGCZb|XbQm@~kGgNHBg;W49e7`Ym?){!sFo_NI*$F$d(m zrco+wKsUYvn%2@5>7B>H6=NJszP-9z1+#a^op^H&4z?M?Sv;G{b^M zIq)xORaF(5jEZ+V*B=azfelY3#|qXkD;yS@c7W10=|+~wnX>)AdQy@rGFKnv2v}F5 zV+Z-uppfxgu1ETL>Vp6SFbckDl5-{#{A)1U8OFUxZ!ubfFFz3-LgGg;({cRazONTe zHJZUCsW7OQiK-9D6*zM4k$kq9L0d9?n+~?WSw1YNts+0yYP{SeaF}Cj^j@;08#cBFabc79AHt_BaydYyf@5id8$vQ%pkMC>H}%8BJb8T_Si* zZ_B3T-LqZSWeI`cby2q8?ZXF|&?4p7n$oYLowdF10G8oLE=?ZW6k6a?n0{>B(v|~T zuJQA@13uo8&0?#WCoSKcW%bipV1J$aS^A@$Mn?1F*0aa+{jY1Aqt{^$6X z556C{o)(Gu6fIU;o7_$(X8j)v2+lf`Mi8ytft)O|j6~g<*${eg8j_Q?%#1#LVJdDa z`;JB}M{rTIFttV{bIe#_JC!Ih^{>tp zTkB+eT={A0sg4QFejM@Tj2+}4NCYxaUD%2Xht_Gk%W7!fh(B#sD2yaGt||!;%DMx< z&@>wDonB10A9N@Ep5i$y^KZ)0e$BhBM+`@5m^B@eCR@F6X+S-66ALJV0sl0OaN2y8 zMtNaVj&N!dg5(8l6XkMja1o%{M}_i_tz@frOp7r!Wj~E&+6359h8+p%yQY-KQPL?$ zGYtDNIqK}j?Djl&@}~vcA1`*}1G;D~-H6;+;j;x8-`Al(Kegb_7|47pZHyt5tT$mD zkgok0UdLTwshk?g2>6(05ygKew zJ{Fuh$u$}Laisc&>6Gbdurb-uPu!Nlt>-SohDZ0SvA;bsBG(_djt|}|a)N?hIqems zl}B^h<|##ljGW`$w!MYAVd@Qsk`f068wu_o4ouf^*B zNhNZ!84`%G51efg?IPng=fd`*23z81I~GWp(R 
zG>+49nrXNfbwu}i$PS!u^JwdsJw#E-pZ4Nx-6_=Lh|3vOpEK4t*Q1NyC8kG6z@+AVtx=A@5wzS*wx3*`LqXZHqZw6v6in>U}5!!Mi9Z_v&FzkW1Tqw2&UYRUC* z)Je8S89*j9Ed(6}lV*VGxp{o|D7l}x^Z9I3$AL>}YtJ2Q^k8K($DcK^7X*=vHhpLx zkvKp(<@+gw+^6Kieu5ZYToQ$AG-t0#2F4Dxnccyv`cM{+U#a$VZP0;JoMeVtwStODDI{N$)mP~Uz#6cz z{ogdkez17#)HN|UTr;+CXyu_!BHA(qYX`(}HF=6@`;!s&P$~Sc@-t1vQFcd%!CWn& z7FRjD+6|d4wbE7zvR|VQE4rQSX%9*GJ_C&}u%MN#hdWat=2QiHVx8^+RJp>9M@v|N z9Ha?rwki#{0c0|c;pPuQGtmVll#ns2L+Uw{nS{RLVDr}R@cc7nyl2XqSUV12K8ngm z_1)<06&V(0@&W__n2vVMB33FQN#)Ta6=|omZZ0)ESe4?%IU&G+w4oH=BjC0Ro%PDA z8`Qd?Mvm4EsJ);FA|Gv5IoiL(23@nUgdj*8cxYF&2-)0F=2G)kiAO{TW%L{2G$&Ua zWvOC-#lzN+;eWpS?a*Is$k35!7eL5#cPup0h~1eWZ~!{%&FcEuIJ(RVQSI;p%)SeB zZHzv<_IZIoqtM)f9T3(TKSM^h|8P%5eP8ZWuISiv9u9JZV%#AJ3)gPZTHD!Ol6*d& z0GZTAqkv1@{1?3u@Tp$I^ruYrSj?9Vbc^Q->FZ5^lnf4Bfb0)Y4}Z#_1J`+eqFs*7 z5ThF<%!g7&(}@@lPBxG+5Bf+`ML1MY*T@OORcaDWiv5>p7RR(CfLof z*3BUdfkfq3iHUtR%F>K+$qeq=x#H;ukNesW(LuF)Xqs6}kO$J=meJU4YVSl1$hlz~ zA9Cz;u25h(UuI=Ej!ud~n6YqECDL}!5*OT$oMFVfc7h~VyECqlzO4u!g}-rLY}-Pv z?%XqKe24ky8PDG27^~T$AVml90}At|sFd3*>cl@I-jBN-6Yu$;3@$8k)mz>1v~ zE|{2AiNYtqb+>4~8)Xj&kOC*{=my|1DsWgkg;Q<@1Y|2ej*ht)B@ndvxOqOK+wrrc z4;;mAZr%N2tMHR%MQqRhqhjeHYyKXyx!{5hTCa7FxrWNMij&}=C?+LSiu>X?RIL3I zv>KAu^Yi;DB29h4)f{yX(DkrWN>JL%0oO|SQZoj4EgErp;eE5ms;m0u8o&g1QnSD=A=8@nd&p#`>t(nqe#+@SrMZHLMe$hlq1}BEJP`7+%)(N zyLvlC#`$-vaqyI^gjCeO4Sa-?Y5v!bU zaJ5_~Q20I`T9&?~)rAP8L2+gWHe}w6fkVq#VzFGM5lHDh2fWO?ybwJ zG_2&0M&GQb5cFxUlFP%7BlmNJMy03en~!Tj3Dx+j3&QIme+<$jar;p_;Mh%#f1S#p zmvPP@r)(Pea1T**D7-8<+Hy{@XwwBGBZ5hDJ>)+*V~xK4y7ff#aSd>qbi3!av7O~< z^UO7yV%&;+xcPOXaPFe!UUt=^qZd6(p*5d(uG>(?wgpSO;Uj(B`p0X18a~Y5F>0<4 z13zk)?vu4nBm`9riYKw8?zFhUnx@@x>Lfzjc+kE3facdjx5cpQ)=bAh|E{@@ZB#cM z$GARrp!87N4cL~VQXIZcMg5uZj2=7{Xh+g@=QuMR(PA6N5r#LJtF4W6?XLi^<*su+ z6ft_%fBR7RG!GBI{{8#w#gmp3(Z*@#jCZk9HyyW8Tt%=e`ddsk+&I#L6^KRraxUQ_ z;Y{(V>nKly#Gr-LP-#}!D7vtw#7rdW7m&*NKluwY-Zf!Wto4ul6kgv))x5wn^eO-*jWdKDp~Ipt zO%TaDGc~#NoBo)Mzc(z(Ht)p=8EJ&Np^JITO|^qMgnX}<?~=DiePaehNXZh# z@UmtKV<`AjZDB{sBpyL+q08`R5qfBVz)ZEE 
zqw1rhLK(${lN97h$Rv)c#y-uao5T>BV`&Qf_|IW+>s6uTJ&C|f3s%{!)C%!ob+B;) zs*jqrNu>K#N)(smRU%B-Sj>=W6oybp-Df{2ceWdoo7;Udi%Dy?HR(J zwVjN7N;L9DYmKW`9T>CKGQa2Po0uSVRepTpo}A4*LbAW6eDr)WGmbu z%vT=j9CxQ_TnJ7ze`&|!>d$*OPfkRyxkG1D2L4Gg5qV5-qUtfQ3q#jflqsm$5v?*| z-`hN>Q-J#&Y7p1geEgS4UDe;133b4+DMwj8V0M=EaK)yy-==0vMTMgssN)qTX%?rN zGK)-`8qtgxG-cld9d3x4tGXuo!Wm~^oLr4vr& z?!vzbsIvMoBi;T(!9lX9B#YRZa&YPl*CgbGXd6oBKVWtl)GvR3iACZ5CsE+6OzAVv z0~+Y8%$@>ha*h64`80Yrt~0o!W1llqjf8_1>*3DvqWY>}jC+1;-`I{tSaLRgxuero zTTZNJvUNp25Kn!Z^{=yAH|K2@|+pA`bvGzsiB#i*X(NhxPZcf#DdM$B} z+;-`GNCxX*97-0%9HZi;Zb0h@+I_f)APkvR;jyqc(Okh6psC@@zz#Gj#TV5z+Y!dF zk_kEj>8nx6Oi_=f_$lQh%j-pMfBVN|*=M8euCN9h|4dpzWvFo*w<}Rn@2%^|j; zy>_^em8QsP#Rf&{&qmZli&#~128(L;4DXCkyGR;#u>K2vnzV@VI~prumpEp3q?$-A zn0}I7X=xdh$t7LRw}s97f&G_Hm3!4_-;PUf87}rmg!GC~%k)w-F>-3)K|MLN`~p$*U= zx7{@3_2t+7dh>HbwIv0@0cz5EU@B*b!YNSJ$oD`~$a$+kzPzARH$CK0);E~R*~PL9 zJZ}-=Wu#%)STJ2jz*yRpNT!5?vzzMV4PR_Bcu6_FnfQ4l+49|e4hE(yLamKopz@N~s5(1RUZ2Q8XN=maHpMVpsZEyZD19$Vn_1>_V^GrwU?s}@( z%gl8(;}1gOf!=;4mrRupus0ZYl9C^YjXtI@i5#iU89!QQBBwg{VWpvJTRR_K0q3W0 zHGBn>bNkIv-XjE^&M7FG`2Psm@5Y;pMm-`WbbSk&DE=V_ETD3V{KDn_m%`uXR6@Se z$YJK@#49R`yBsN%(2Hymy1uU(`4G}%2v+dHpH<6J{&AMg*~~20`B?jNAF)dDrEHnZ z)|Z!0V4B5Hiz^x%e6R8TN?8BdGbQcp<_cRrU9H*N=^M8x&e@KTjbx>%S%4$zX&{$U zQV*d;X@>3@arKU!7w$CihHne@)jUg`8=7=?Nw^zgSH>NZ@_J8<*BiZ>wUzbh;DIFE z5T9rR$vO%^Bv2A5A}xlfRdk>)-cAR7pR4NXC2erkd$*?Q~r@ ziEAPY9Yq(+kP?Y)hlTE^wFRS7RBpZ6D#!wH@ zOi($@* zf<5tj*Nx+IAXcCdUsB@{rb*)=-nOjAPlFKDDi{Gs((kBGG-D%`IrnI8hua#^Qck9b zvlwe>r%2Jp62x1B@XLQ%G!f}A5`mRLFhs2zmY%w4u<9LxC#>G5-2nyhB|C32bAN7J z`G_qQg(^qKpcqppf6pEmm}x(IonQ{`PE_XCi^9WFP3_77TX9(hhAL#(N)#&#i0>Mb zs%FT(Aa5Dv_%2vDU^ez3ug*-j#^3{94Edp$16Vj0bg|v&871X!+AJkf8=NwLA@4;K z{qpgh0xJU>2mnY;T|2dbaEI_C5dQ9lj!FSu28A)-$NSsfMF?*`%Z+I*Ra%o<^ljZ@ zTuMBU!z!l)%lTpshSzDy<~>wBykC1g$w+N**oQZ8ZMVq^3@b2#T7fvxGAg-99vy2b zC_D`4Cx^+g&vY`4IY*LODYU@~{Js~7!&QhuSc?#Xr=o@@5RP#ASxRg-#WXvFS17cZ 
zUgNC>-CCfCcwN8}i#^hRO;Fy3%{u^J0xeYkzMSUKL7{jsZw0P>#Tet<$qXWTi33=AE=O0`%(zbsWAMB!8(|#$8{B>gQ<*PM-`6~zUUoB<_RlWrb|dIsWuNYU|GK2Jd_8Y}T0MV( zCdJqMjpu1631Nba{Nc?2fV-qWP*?$rfslIDj27`eGag>i-95B|$~n*sa3q+;)2r=O zY*F<}e|SGG5F-tN#jFj0A!@Nc^HYgDZ-xjZ{_4z;!PZS)Jyz`8QEIGmxq$F`Wq0AnvGrX8ZIY^{PnycaO zfI3R`=oX---U65g;G&~a+_r|&fjMCMtM-PNE|QJ8BsyrP(|R&CrK%=(q5>M^eqP{? zvC5MA?A8cKWYRS-Y6&5ooyGD>?Uyh8! zrUjFb82#`Chfwn78x-ebQz|)T9<=5o_C*W2FiDD7#v3o21gG_ou|2f=6v=Du!gRRn zv3e<*BOGTbZE!c~aNc?}>p^e1F=hPjKqlSMy!mX=yny^jc37PJ-mhMLQ*X(K8XNTA+Mp04feq8rW5+`#$K3w5otE|2Q#;| zD~}dkzHbs>z&rKm2aRuIYmI7S1MoHEl9}TGfN1$%(KAEy^7?BtlakN=PJWJ$9m=g0 z`A3`u{i07T?i|W&7&K-{81xr7AFa7^=XrFfdKLU>cza%;UE3uW|5&&=_BF}nKED1V zQ(dldtG+KWcl?hojJ2au#=3KG(CZc-aiYerq!LkFhb2rgvT_@nr>5La)Ct*nRIR%Q zhv5;gG&i`JC}<7fB2q{y7f1z--oiReD0Gs7=0GaA-^e3>$hEovVbd%Rg`^8-2$*5Y zur?(G6FsfLzpRfp4S}625dlCCVh7izkb=|seW{kv%KU?;<7GXjGBKud^+~0@-RRn7J2a#`2ynrbannUPe0>Y`9 z`vmVlEi!v{D` zzfd|yOPXWP9#;yRrP$|Z2$*YOc)dQdrVq9!tmJ|LG9=?$m}2cD8TjP0K#VU?Rzy2< z0$p+kj7KP=Br;SdKG@jzs7i%t1o+Ln>PDMl5D&`H90dwUuA!uWas^h1uSk0{__l-j zqV;_%4*V2Xt{`QkRRz=RH{@D{5yA!^coRG$+0|K3pT~R_FSCXgW@~)Eqt^rBC`#N) zGM6HG)$kOuhV*Scvs-@Cnu_qorY`sd^AAA$!1X4@oa_jCowz8XMQgJN3v0~@vlNl+ z@7Q^qadd8k3S-i`{WE|x>P0(8qD6oK=nhz)puw)e^cm?^o@$07Lm?sX;9r$SZ78FB z+2FS}{aD6j#i2u9W_5)S>7!-Mf;HZss`8byvv&k>9B{P+D@3p7)i(O;aV@I}s(^`_f#W855VaZ)04a9n;uy z&t$p6{?SdmsP>CHMxZ+KZo(21)etmvceR0>HM6m^99D`n9mnDdC*#_bV+)XFl{E5E z>WY@qE>51fW)aTCs_?`PDU#)1xgl7xhDkFk4UBjxdy?l+*+-l%VCcAQ&X+KL5{K7o z*e3X2)|lB;yrvpUyyg!wB~_7V>P`bQL$v0PnHEsv`+;D5GUsR7lh)Zv@)-n9aR8Hf zFV9P`>~4tr!g$Yd=44_N1uSaG`p&Yk1vM&-dqg9}r2S2Zxj-v>23V&C!KqUjWznNu zy@X@2NG~SEY@rV0R8h#)qa|&_7wG`=_J0~SjpS3>s@M~Nq_MWt%2VNFLIo|Y> zU@1qmHY~#&>#{g$-%R#EfZ7uhw$_K|w2C^`Zg8)yu5*^Fb4W(#GW(kMb&vA|7_mKD{MQSs6$XiS?TeC&~h*2vURc24|q_n(W9rI;F&vH#^e zTL9i5#6(rQyE(S@!$|76P}s#VNjQ(Kw_lo|RR7vOBEc+5ef}cN&M4+caHyx3W4Vbn zU^7*G*RnN9Slk>vqFvA1Ig!WK!{grWhwixa_03xlUO=9oH*RR-g+4g`{A4Zkh{Py- zEn*-s)?~P6@ahliidk0vFR8#oguXpyNn-YP&?XNmKWD 
zS%6^n9_e_o&)MV&T9=c{nI0gr>yKol4xYV4(lj$sx=Vak5Jy9Eqj>7hl9uZLP>@ww zHw*oEgRmvv^m+vLQ6ZO5$%^hCK*frk_4jkCfEwUjn0wd6?|yqZW~JcugN9(r3wt%` zkAJXkxjswLKZrwLpq!yIi&CzrB*XR)#+4GyLyeL{m`x0u2q4}T??dC!hxw?Z5C1IQ zSL$Pg_0hC~@)|hL+hwmu@jYx-k^kX%H9h^&{j(7osT z*B4Y|n->uLISU?}z%j{iGUDBUl7DZ?;AI?$CkT(=?H;vVvc$x-#m>YP2nI9fxNnEG z!0o_(`pgew1G!!V4iHV@DwVCzS41Xt!_il$t87A$%SdHijBpR9bZPG_XEvIB*Zg?W z>zh>6YjKiKoR{&DlPe*uYZoDFra%6eZje8{LSZV(BFOs$Yu#4=&Ol8Ua)`ZJ?Jp{Q zP4urv22bllRYlB#$t3k_3wDLP@QsMIx^>3kS*mpOBF)=4H${hxV^{l)QO#X6tToLl zKe*TMRh=%H$VJ(%>}@p6mF{5wzaE1iJ3PtgMY#)KBoV0w3Hm0o zTzWo*>mIS6!_c-PdH9Vv|6NJDl90%M#UhbUpES_4O?sovNQ~g`X#U~0nVra+dH zpi+fvvO---tcMERwBo6_3(75NC! zX2PW{SEA>}9rg}VtUfPTlX_z_f@rHLmi$Q|`K%8RjQLl7Pkwmn_Dkb&u!yusQl%_q zigBt|l7Z4xRPpg-%Us0eim5Z76oT3MkZ9j5zVi?x(*YYpQ@DEW$iS!=+W_`}b8+E< z_rGDk5={ApB!6C1#1tJYO17k@gLB<^&P=qG44#x`sm~-N7#0KDBl5>?w@|o_qf+1m z(`WG#4JV)G$Ea#FhqQyOE(3->u^x_@)cm9`9S%!TXfK#aa%+GJjK5>W2yIocUrLOF z)ugH`F;kyRBXe6onsgyd^@xmKzqFY6wC-_z`~c`tWc7_j+C66=3hmpn}$BflO-4EZGhFiB34) zMql(RIPnps?<4mLzawbxWpf|G^iKA-&g9VTQv@3|$&HFP8I`Avzj<1!Z~|m#c9NM{i9oLEOg~At;I8B4&UHw)cQ&1Hkef)KDfuyZ zuUNzCbFmkg0}>cRxF$@L%1a&$5J)LmWB*863)% zM=OQtaJ|BmRuY@(2nYKV z&p#L0eYu04tW~$5!%($f8$57B)JtRi#Diy84Zf7yfRn#|NC@Guf0DLP3c%n_?FKlj z+6E1}ix<~~OlbK?r`XT&tmUT5jymMx31}{2|Eb|AApPbZ z3@2`Fyd_#F+RJywI+9`5>w#JIb!xtMp7V#<(OJ=mrILNmHjQdZsgT*?InZccTW8Eq zntK=#Hvh>hzcH_feX31N-+nmYedBlvo zhyXi+>RKjwP&-_02tJ+kA0I>3)~Q8IK_IGsS4$NPwQ;V-_f*Ca$sD)H^wO2U$3bb8 zSW-qg@4#f30#rbPwHQ*l5n##nv)!g2A`Y?)MXYfyi9{X;YVMZsKzM9qBe>AFge0ft ztKdd2)SD7Z8DJvp$HPGu1S2P>B!#}-ZM;_6_Py6!$S&-l&CZIrxDUzfsknRB6q+S4&}>5>=%{ zCOfT_p<2?XjQ1iN+7NH=Z5p|N@5gh40l(L7Q4(3;ZiB-J7>*D=J$SAeTdl?ovKFT= zYsa5$k#_A>p8Cx=%y?32IQuJeq@HAkt$ZJGn@eG~q`)ziI9`45I!B8xT&l4aXeCqF zL`|~s`0-F>3t;^LY@H*OlglqL5Zi$Q5wQW28HIx2)LNEf@w(XOk}z{FFowTUU1b7I ztz{z^?rmt|(@fIfDFJ|o7P}`2C49Gm7iY==b3t-!m-eyMJuIp4tIF*1a<-1zZ~Qb% zVJ1$vc+jvn0%2D<9BQ^WG_sYxgup+U>FR`CS_o(^wEeyoU#A6)m1j}ZSXogeO2yT( z?c*BCY0O-HDRkW*ke{gk=UokDG*gE-#S7P5dt 
zq;Dd&)A2*RgI7u`0}QnYNIKEX!t7Hhfa@CL$tOxq0Z>_MaC^L9-i~3^lx^zo>=&QF zM;mEXVu$}(&+95hl{eHeG7(|v1*p+V?e+2~N6VOYsR8But4P%>paJIZY#Y(GZ3J}# zp_z0^ii6A(j>_~egVBDgNe;#_k(B=Y1dJP~3sTIIS`zksGu|xJ0FZ8^=wHEZrdf5f zj~{e0M#*ojW$cn-KEX~p9vSlO-Dx?|%ZA(u7u7S6VxL82`^1=IswC&I6$JD?j-ODI zP6G)PFaU=YH4Az)szO~qB<^>Zqg#XKsE=O=3JI4iP|lTw<;DPnP=AM5K)4hPzACsw zvIQ1eE8m8f(g~Kf`j#BL04EwqewLS*E;3mtawvy%TYY$&5BV4)q3;l>H;+0e(LRKn z#4 zgENR4!^QKv6qv9CzKG+ha|SwrI#Fg(7y`9Er08mBCm~r$u*Z?3T9tCdQBT=kL|L#cOS`{RMlrvzW;Xm%fm+ zb2gt0^jKlnd9f^*T%50M*O{3b3k#wSC82N&I!po~+x#Z0WSgJ`2aCZPMrf_Y2>eu8 zpix?bT$oBB*F5Vs>wAV0P*kGVwWqdDi6z9#0e+75ZG!qxlC0H4_LEM*HJW^$yl)St zii)J9UgQky@KH^>4-ke?BToAX=CwJOQjvhN6Ye1sgEXCM_@_DMF`Ez-D-swGyBRuc zpsl&YsgA&Gkk%s6m9ajXwY)9+)J~mW85Ze+V^KXLS7LTN?)T_0O*G=J^u!mEz8wDY zfpZSe$sJAi1Okhi96^t`1r4HjXEBpRb{ka_06|O|fH|jcb9yD?_xc5srwX}$W2lda##g|?z^BV^z3r_6(OOM?XP%K|*C5MgL%tQ^@|b^4 zsQOFBidoerbsd=L2Q^ZS(Lp|~a{YX~IwUF)1=O^R8p(_rbj7Lk<)T_>>6^V5kJdvd~0xa7_3|2t9NNIF;IomMcDP?+Al4u`w zkcF8xJ?!yu)$8_Kmdx$7^-qO|3vi{6zTM^YkPxvUmT+n{liF%kh~L0zJh4>Fn`x$& zq734|`>?AyXJ4hC=soC?-6iFrV8EN1 z3OgtFglL`ZB)GH%#@k&w9fl^`Km3BKdlXV51zj)-+QhFo4z2&a(r1Ps@5V1R(TuE} zn|O22AvT@^cPqlL{|XZPEL#yBvxmw zWv^U$F-!%0oNfoN>Q9?TciR?yJX>C0LUt)?4O~<%kl|tgY882|m!F*D{bjQ18F@Cj zRtAw4gyvn3y^z42shBu z9Q5G}r@UDzTIvoC^&yv(eN&BZ7r}pFJo%LEcXIL{eZRpk3f>TzlZoru{qlKUUkB4y zhFmm1d)!Aj{cyHor3Aq+Ct7hlbzYyYQ?wc$S?30bd9;EFVyYt!*FIGQs6r6%SWy$F zE1|74uLdyY+ZV+zQW05ftBktb@;+}-G@jgTl!9=t@>xp!uGd!SoI;R z4e3z$JF!6F;8`bimUoDVXkAa>2OVC4Evv{R26$A;>VN@~^DJ#(^m zz>GCn$4hrw;;9_@7)uK5JMCr$GplqWuC)0AzPGMwf(0WUjEmKZb01w?tVtF+kDKi? 
zB|g>#X~OJCFWIBK6eo4-rhoeg1|6{0C2`vgfuqnTh~GY@DQacO5U8=y@b~Hd+?1LB zEf)TR4JWaOEXll%4Rr;c`ktlzVv`J5Ob!2Eao z<#VxGxE@dwCRIW78E1g+LJ!g|ia}_#261LBPGe7&&dZ#28&;6_`_~@ok6k6d*cxfI zwS7f+UdS7H4KH^=*rWM3O6r+^+UM%~bSs;cb=L+>Or}F0LackMB;s?-IPJ2^2N>R; z)X`V?ys+&E#q3Nv7^pgw%#o){vDQUP0YMIQtm7F{ydTykPl(xRKLx6Sb197zl-$(N zl#P}b(U;j3{Uw=}89EC%{>NcuM^)d%GH8K1QlNJ!0G%xAv`>;uXZ9PFSI#smzg{BW_PSU-VQ1}>kHwee0;7S;=iB8DY$BZv zJ~rClY)Bz>@_`BkW*jFcd*NZ z!g2`vq)G8RO|!v`K58J0(m_VDS28Y1ZDpsx67SD>3Eq1XaQC2p({t0WQ&|tinzM6F zoP`Of$zPp!}K zk%vv#s{E3fjdZOZ1}97G8qyC%4(=44ub0GPGFgZ-DkChLs;R7FU-=Et8!~*xfG6!A zkVuA8^@a?(^-U30Q|3M;Q&*lxr3MpM2zwb2Lem5vC~g0grB!ABxjPt`z_d=rUtpyY zb}((rP+tJfu9lo;5B~q`YDqmiqXZk8G-^;`!iS2;+8V8mK>>tcub1n$J4#JDRacW4 zmnYeSV_!3lWpPIX;vGav^bj^8qFiZ?YBZ+H{iK_umL%gN0C*-8PU|x2>~Ytt4xZJQ z-U36(nQlj$Gkr8&(tFRp5<~WE3_4n2^wuzqDJ!Mu>a`4lnUI90gVS<&Oua{}kz&K! zPDlh|8wq|H;lxTOkrheU=Q>H%zRzKsMhp`Ae@+&{`U1>)k<^^r656A_upbQ^KC|TJ z2z6@;i#Eyj{WizvR5SN~T#)KTni`~|HS_XuHcPvsL3Mex9!)|nQJ0SP9GykTTyVu| z)(8|GP|laJ&UK}Oyx}Te8rdt0`qICJz=HU%wZjU9DU$6loNjJ2k&BpUX6QkS9_y*- z@vw_X$L*TQgo5$++pN5oHcKWy8C7o?yx!bHOKQCEGviMjMR}rI?Ym zbA~75H-6_1fAs9>mfFQ$-0Ns<2z4OZo`S0`wOoufC4k}t+m_;=TtcG^d}v%O|L!WJ zl(>^GaRBDY#o=bGI%&4X&bOY92>W+6<((|$o>0;ovp9v&2B1z8m>{ zrD2fsq-X>CO3`=yQ0z!|E)Iz-{&>xg5q0Oche?EusfHo2XxKCE+-wA`l{zu4##xmj z)f=?z_aDcgQo}9ry@wx3S}B&0l|;7%&<95dN{0+wPQQRO{Xud|qPToU1yzqjh9pa8 z9}!x+Ak%Eo5<^XmA~4XkRhLY+(=gBr^(fW9DoVSKKc&q}oUJ@a%lOX-Z`F`X&T7>u z?6kQ^!X=VK$g}i7fBb)Py5VITmZeILhF@D z=U^9=;WaoLs~8zM;`n!0h*l&sbWG~>#3+N7u@Jd$^k$-}EZk4KUU%{uRxfqdIWY~* zJqVd~{U5G1+G-{N(9?U9Sk^(W2Y8k1V_f>tdFlBtwyhh(c2}j-L@j!{(Nic4ea+yn zY@cW>5s~;dc_Wf(mCoG1EV8nuX*Q~GR0=d-Wzs-6d;7V-P1_neO<*5hNS)>ye-=MU+sr@x#fWnmF^ zv`(qDlbGl>ELsOH3p99EFMma8&|4Ed+K}ItdOvDYo&LGpP`z2sKGl{X;z`>89o-zN z33K^$>=Yo?#HugF8l=nF(v;H zsm#@h(cn*w{^wJrJ)O9s6Jo4tJ(TB;r>0I$z~p?}4y!v6t*S1hFyN$O)s&n7XAzhgH^d%Vt+m!G(H< z;t*8qM9G)%-wLqxX0GsEhHl`Gj75pGk`R>(YAxleKeyzcR66h?nW0y={z)4}rprQh zAxmqm^t!`W=&i5#V)xi;mA2T(xXGk_Eyyl0EpRT3bX6*hgdzL4$@0B8haI~S$wu70 
z0%o$jD|Cy50+?wG7jGmZtJ@4VGR2==bKhh9r5hu>)(FGhD-6RGEbozjodN&SN-KTJ z&85;mJam0sI$2rbZ*X$i*Kwxr<@Z77SL?*b)qfq|biD?YLRmK<6kuX}R}s67;#zl4CBDY<_-xbgqk8tKOOq4~xJ8I)`?Qviy*xQkU~XPdwe5m%YzJWfG>vY%)mB!miE5 z3H*!jc;N+oe61X5A3;)xuF9Ukh_;>4C3JEax{Eg33QXVH{IXc~T8?ZTpdMc4wAM21 zr?b!#c1sDYGu#;V5!@T`G3s++Ttr=I2&4|5R)8bc+J{W}>hvs?okXw5x!nUd&>rt> zATU1f{xoeG02T4E2tiW9rQYxOHc+9ZrB7phVAa%!?&n;mz%r^jE|TPJ@3L1}YVUh3 zcBCT4fQm^vGoB2tZIapw=H+Y)o^Mkx42;O4DCLa|2y|wVaO%m`_x?sh2_%m32_zV@ zRD#v{pMAQ()Dr&2+X5ZmSAH%zwb6^`x6Fjn7-eIrpedgN$|l?Re$R|Jg4TXU?jn5s z*Ag5VROvuzG3)pao|oE-nR`J&+7zu6%9s}qKgH< zJ2PDqR-qx}dS@-a?(~z;2A}AWNflG$dNI z8N*2%don|L`dKvnGeu{6+Mqm^-`sqJPWmZA!9ZuiRHlv>^d~xNqH4lbvLLt~#gy?f zg%mlSf13jE@hgWi8tQQ?!D8;Dg!1*n;;(Ini3RNl$XWO27=X7c;K-8-JbH^6d^~sp zm|th8q`Q`zt}U%b(j%swj1|wjmKfm~q6ppdA=(!-`WJLsSRo0>GkZM0Np!!eNj6o! z!tq5dN6>d#X&qL2o^Ox3nT}>06cxhmNIqW_zuG!^Jm~2$huXiqprBl-IIoWgj&y?NO<`+vfiHo^Vm^=I4 z1Ut0+VJHI$UBW2}>#Tc9=Nm)M7~pe~l!+d)3E>CieKXkbkM@5~oa^AFU_B2ue&GG0 zUs{6tM)f`yGQaw4-J`27VRFiMd4-jGd@XIH@Q=yx zY(u}gF#CYI@cB=XtJ0q$7-N5%EZ^(JcZEK;mnDU=S%}Xth+Y)t_$y1;lm_Lo@>rn0 zY5a+_#QIR{w0g>EbTRRxjv!0HopkNsNk@-#~YX_ zyv)dYL6~_&=m$sp-bbeTdEMR)plqKUJeMrWs@%O>ie@>X9zfb&0MprL1r6ucP;Ms> z>9C4X?{{jN^bj+tGP%G$$>D?!i3if~BK};}0{&drf17?+VqCEA_sfg&D_f-o<8|{- z4zC8d_A`sl5~7Rv1^;IS*+@1{5={W7h=SB3(kClrd@xRWO_qF{4|I1CiuK6&6?*%o zg$e_2VMw&Hwr(y*cNuNY-p7!?wBH{d-AQmY0fcWDpZ0*V8+tGi=`m8Of!T8pK{sL# z0VF3f9H_9578ScxpZo&oJaj~Neb<>j$&h?W%CIJF&Jf7nUl8;>eRC< zHyxClI15LsbakJi(kIvmrid7*jx#jTi4Ji$uw#Ut>X*ITH&Tj8uY3cq^r80%Z-ib> zXbq7ay;+lf zoiFWx;dNvJb33^9(Pt zev^+2pOMM|puy~*P|iaB(o8d%Zlnlxd7KKf`BwwNv4vF?a>}TLc_G_eeyuw>UP|+8 z3DLws!I8-#ek{~|h=jMZKpDHEL*uTUe_Kl8ohC^$7tUIJ++9ixjeD((&G zQK_&b*edFsKw;QyLiygICp{tH&PziMxt*`QP;|V@fEwo1g^2x%IoBawT&0_m;io#H1T~%H+YBx9#s)Z#u z1|E;Yv-U1Q&B=r1{Q5WD34Ek8_ezOwm?yRNJM#kGIg3XuIzRqYwj+<>CfOJS_d?z* zlev8aLwtj0Yv{9hLe>WyzI}F!9*q-lmtsU^Io|N{mK2X~a2v&);11Wj>51R{@38Dp zxxjBQyT}0R#3K)R?&Q)i`A6q_{4CW6roo&28ApWa}s8sF<|yC;E1&xi)Q#y`z_ 
z1=pBY650)ZI^J}O;ew&xP}YIBg`@FQKxX>>=5eP(shJkDGRn?M+|srv-R~bDkQd3~ z(Lv0d)n!baj6DA~1ppM8^?_FabCQ-tvc$FU{F(%(SDzV$ks@Ew>FELwq4Xv{mCLh+U^SizZNs&>owC^ES26S z&&Q`{6Zz6{BIbu|zyq7@gVaL#K;wsKslpQMm1dB6?7%=i+rzCtx$Rei7YSX{?r1~O z7%U)6k=IzxpKIPQZn91vdOKEe40}XJD0&Cfc)nd^@0}K7=?(}ZZlGDcE{jxvs z6j)=+$b&HVp?uqkM;;4=?o=(1OBc($KnailKK2+d=L=7=k>?tgDghV0q-|S122&io zX^oh~?8(vF3zsUL?t#z6-Jl(5HI6?D^kaf?$ zlGaJD(3S>fj5cfmtc?!8BV*-DwnLtZM#X**__Dj|{jTS`N`M(cqQvxOu<%-Rveh{wca(Sl6I}5OG##vAniG0Q2@(90a5mEljghV!SvRrcwpn; zni)G@0S;-LGR36x>zC5}Sj~j9w!os;x6#{Z*G!661E<9QIg^qrWJo`q^fHxBfNU_S z-`^{!s$vc{ho(ci^#q3->>Z?y6&e&e9e-W)z03Nbt#>dtn+v_dlXPr5GFNr-wQ|X^ zOMyBs-p^a!89-_Jdi}KOu$wK@mJ&16G#$}Tmo?!W@Z^cfbFE`yxG|Z;a220#n;pQ+ z;7at>69(A8Jbzqz%PtFJmBB8E%;432d1;_fv~<(pRQ+&0<+I3EWC7b&k7`>DoxwUT zz0mlb!}ZVC0rW@is>-4Os>fzIo@>Z!%!%5OiF+4#So-x;^7WRfJ-|L-J^?!m7^Zjs z{UuNcjIt3S^HY*o7AX7Hs}aWv1ZTA?kVvgOr^gljEEx=zYHGj*DU#>>k6sWf_FGBZ zpTd$j@LffOOtnZ7zTWosrgcNd<@uHC$X8_^M=Wu4Xt!3hG?|68EHJ|^j2BPZ?dmM> zrNP^H;OEB6RF#lrPAxTp{%AZMt#lxPdz4P#N-y0NSFVw$PPf#+!R*Q62Kkz2w|UZ)`%* zy*-|DStTBmS{S3|0NY_njjNyJ`31xIMncwHmAHUgC9J4WyF(Ge-ZVs)$xa9wr%&pz z9hSMibkbX`mk9XuTu0Y-B?=S|cy9Vx2umJ<-h27VL@T)PG&e&nmHK}g*OjO_msdlW z)&+@2ek^UVpnJQrh=1v8oCcDe5H2b!F?c55{Qmyw)PS|M>r!i2?*c$oik+1ku9cV@ zzW#3$MnNeNIC#iaDIt}f5n4kdF))=eZhfw;!X)8Fx-JJVEB|ImXj2*$6ziuK7K1Gb zEJ>}*+%MBz7?N5N6zCpUA+67=qP5YD9d)xJt*Vu;M;zv$;mu?B;Xobvh`h>nu?;TU zhGAV0+kkGs-w0fruSwMeN;iTZBHIC(vf}Qi^)~Y`U2<~rAz89Yr83i*Npvw+h%w!O z|3$+H>A&Gv{wc(<1PlATYX--%Yk3?Yb{!#GQ0<#nm50~ejkVwVDvM>yUb84D05_bo zlLQOj`E+w1y*57|4{t1J^ZE9csP*>d>TJqjnYV>#ucV% zP>MmjK3#%1cJ~H3K6wI_N78#vMbhWY=I&%S(P^dmkhCzym+0`l>{AOO2eUFF@(*6D zWA`P4ENoo)*5u(pU31w0;=Cw^UH^qP@AD^7`UJPZ=|O@ejwsTLIT1ZpL>_bDd9{t!0ISXOuCU{*KyAwIYXH6L#{Qr*t|xoq|zFo zqQsXO+AI-L463OlG)Xl@RySop!tYwVEEK3W<7j?FGW0i;^#l8|(yYAD`Q6zixU>`K zA7ye1rYOE7(oWm)2Y5X@T@7cFOlkgzeFnL-^1mn@uVA>GkzpM{*I%ec#i!fjRIU~- zEN^e@;vo?AxZjrT%lVwvN*9G7mYZlkakkV z=hGkGybNLddH4t%{5}lT{Q;!8{}+59&_tfSndC`Wvtr0;%^+cuAYq-w16% zgEdy&C0wz>7y0zjyvNf9B5p) 
zxUYZG7t4i%_j&Lxx~VwHuyxhUk?pz6I@*vvdr4Lae|bEZqPRr-^>TOl48|G#gB1t! zv7dCj*xxcEbI{Wh@jT35YRO}tzHD%Iq}AL&wNfzT={lD+GTLza%d;^C{Vlpgo3~cT z5S`xT+KDlnFhI55MvjyyL8NUcoLKO=zTZ$WQOS|$-7sYn72?}aMXROtc-B6s4^e*2 zLuDoBpESfk9BsgNI-p@M#A+76rnH^-3?;1O{y_>2&J{X&T*Oo}Pf= zToy%W{r!T4?qLOM(gYXZ>P^26$?BEiq-fj5sNK!bb0#iz8wCG7!C3-4hFPE|q&p3g zsxu~O_FY9-6GFdGNz5p5O2`7|duTTjW^5B3qdkV-bXOkEkU?)AqE?9Pai8jAL>t;> zqIy5IA{EK8&V_8eLL&i4Xl>24ea~2rB%CsmW^BhH)-;(nLG5y8WyR^bAkmmz<*}j8 zah{(Q?{sc!ewuZht&7cEcXB8lfx7ujN)hOhcf<9wBH zMof*oBfJZB-(?V5b1o%`XqziAPP=|*1RxUEzGk;KTE%U#O+vp)u6WA1q{AI_T6|6t zt<4jbA4DG*HgsTVEX(AMXtbOyZ7nS?O~dHxJ!zyTA?1M-=tK|gH;wgZATlnlpg<3E z{k{1yg#U!(n}rv~KmmYWE}7M;)k>Dt&Q!_z(o2oOcJri6n;K@_n2tsp zqoWQ~i00SJfGWm~OhABAMg-~tyqm>maF zU0Dr*`kC`BRS)WRiAn;Ia0h~Cisz+Y!BsaN(ZMmv!*}-LU6vl*8KMK~00aGEFv5V; z6M`C~Nmk%MaV8+Ca7#Z5g+RwP z3JWd+7ej!4BbnrP$|8l7@u=^Ww_2hJ<6z8`S%Q?GsD)GV>Q5bqKLve3 zjMRCmV%?lrsp+RJr-Oaa9PfIr9X^pFZuIQM?$Svk>!QLrXb}Vgh*epnp_c|w@h?sc z!(ZF={IUJG)`;w@V{n6%X>OHx`mR-i}-8F zm^VL2EpEeL;WZ3Vslq93m?XGz+E@?!e`-q}-&N<3C}B<}kT^nC>T_v!$^2_o!L3M^>#NwnoxEH;hL_xvj&1=Oqr`m=mbREfd4g7e3N!eg{4 z#7`5Y01;(HA(3(g+W06_!<2Avk2e|Rkx*0VkktoD|Hw^%zSGGF$JDe;2}i?)94)gC zT%ra%#_QKAqO9#`6;*+$PrO}SpQ_D2j7;|anxQ4&4!*`1Do{=HGE-s`?XiRJc7miD zW4zDMu*}60FlmJ~rTw(w4&iqQBP>iWcTrQWMk{V{f{a=^7|K{!uO~V`*(Rs97`&+b zL6iO;Z1=yDq-44eBdmbc1N}vMVC1!@#P)Yja0x@!9^Ji>35OfA9A(0-_NZ;A{=Q0H z`AqpV-=o<#I*gH@kcUE_a_FNUm)WpFVA2f!wDV0SB)=gRVd+A7RulQT$hvYppNXyTy)?y11~)#{ zL^*P?uB|5Ne@qd_?i@vwi_q0Lv(S9DAh_=A$)9If6fa=u177lzBG>UnqN_GBh#h7B z{79PqMrB;+Sah;HZhO0>@9dm)@f~n@SMCQ{!o77cb~Q(zy9awI%~9r%sz zwwWzpSkqovx26xmkNZ(H?%5BC<}9R{6jA*(#cSB&_$q;bq84xYM)~4_>(8v&UK8kg z>(REcQwv*GH8y%;jm_1GKlwPYsAv}pEtTyN)MQ}A@Ux;gncTeBV|lqaH+%dK$$Q8I z{ZKxE-3SZisOT8vQ+^(w>yvegh=tf$V!zl&OB5xc1WnZ;uNY0|=nj3VqqZ<5STOwh zNBvQxl+!!-Y6sy`QgypRb@(pF6%^vb;DiJ!g*lv}Z8eoE&5(JV{PXxR{m}J((y>C$&5@90*a>j+?Zee&NWZ1!WZ4RmBDHF z2ftaS18S%M(w~~%QFv!76ziiyeB>J96|g9Q#9DiYksBWRPRy(vVSwC>lR2GLYb$@F zj^vAtl6HNK9F1nW@ERokn`8^%&ERaeL?JW&aQuQ7vmWSqPX(}g*N?8+L9xBtKJR9C 
zqJ6{eoKvt4J*^FNh%uM`l86KRsk5aW1wuXVOYKCpM<;;$=iSttknca*LJL4d+vW(s z)CZes)g#G&V#Swt`7{`GPRI59VJiuiQ*eU|?d{#0AEd-c*e7GVd*`P!zcKBfsmrEX zv84KYiDr_@>?h%+$5?IGu-%}+N+(epWsBEDYydAz_miA}E8k#c zCb;2SLvkp!G7Wqhc_gis&-P6}uxL28bp65WmhR8!&HMSvZX=lU-R94+Kx-2Ee-&T- z`UPaz5Q3qw_B%AlN%C8?*g2$NMgt}#${QTm1x?Yb?`=Cza|Sz^~3S8~p7IPWikk8b>{#3oCcD}N%E zMiL{^(KIpRs=P5%;(%MkdzN5Zgq6IBM|k4`1t&Jd7dp^!U_yBMCqQHfdcAazL)9r6 zkAMx_0s3vWrNhXPWAO%r^fxUnB&`$Ox=n^0XDL=ne^y?YaX9|@;W0A+dk|EBfM-(v zu&G(b#-xuMth?b<>B*Me*^Ap|p(8A{+!W|BDcFvNa^QIwY70ujkG5hGDVurXnq?Vq%*$<<6TGeFTInQp zG3)%8dRo!UL_qIHq z!(b0pvirQ(>)Gv17XD)2GP}zyQTF2U&}qzSo1`QbY`am@pvcqXE8Qwwg+jaOK+zt!+b~c^GIUOUHRAwee8EflM?1 z(<;|M@ShX7T%y}a8f}hoAT(OSFqLkxjo59m=Q)ruI>?-*B<+F5NVzdQ_-~JY{3L(% zRF*`YqqIFKfud!G6>y{6J^#+~+}c%9rmW0}$gO9r3ELHBXs63#p?rN-=7O}ZfP0=z z=~`lDyCenp!-348q7`dHowJws)+G6mJzf4gVRIrv`Gx9LZP_jAA~m=a9vT z1F+wb=cB6 zu4v-(z%9-nK_aI4D?e*4o=4v?IUw=o{E;D&S;a8}P36eSzn)gjW7+#@RM9J1;oC3q z<3GaglnCg1Ihchqny5)P?(?DD}mwaeghRnX2Tr8`lNDHqWqqN`0j_47j0yUd#( zp9@N<^${!F>Xql!4j6(q1{vPgOrD$+4uD-DxTp6XC@EA+9uKEz;E5SXy_Qq~=ihLg@;Y|y}v z8)?l6vxvw@W>G850F91RRaE|usjrTzx_iD>6hyka`_kQ_bT^mo?oKH|K)Sg!NK1F8 zba!`mBVF$mzdxS$FVE0ZkK0 z;nh7+tzlCh*0GNfX1oLzoVJh1Ux?QOcOwcyF{SfyNQ@@TU>*4#=al@6-AK7&w$zAk zYwMn%|L^eI2MMa(kyb}NQL)RQ*wH3RMRKlJ{={|sl;$h8LfGm9e8hhkk?e&+91HEi z)>Gs7LB+;6IkoXlGZsyn-`*xp5b3P3PFE*`9hvxL2coHTSKr9LK_h~}gmJ}k0tnHd zja3*4F?NTQj+rX}w}T8D=(o5Q2SwIM$X*wN6h_i7n;nI?t9uW#hk;f})4m*xUg1u6 z^t^p@5`Wn$!2f|wv0p9~1~gdy3P~mj9$3>?@w-|F?dk^>bgGgq8@QPkv;5)v>1Z2q z_kN)7ll>A#SFwGd>310>q0pImW@i&)9*DB&Nj}Em=xL1n&mWG9w{!! 
zyrC^}%{xu{I>@}i`}}@D!6$ZCl6O+OLi?(}|4&p^V2HO+cZF9=XgHe<>Dk7Cs5T%f zMJc!)D0H?{>zBzckNnSaGi}kMz`vxKf@U`M@w4G<1r@Rc$`M_+!l zUKgVhMy^~YaYv5nYf+*>e*M?D&|9ChuRn@{Y_-BlK+a7_s?WY$l?%K1?Z9xWYWr*5 zk#OkalpcC58vGlDI&N{{N%8u#w2_9@Y)PmSlx5Db^+Ec%)nJGDE#Du1zxkWk!?)W-^W#M| z%8vo>L^gOQDE5`7d>$;ZE?2mTF$uZ)%0oK#xOGG!$j?WZ<#A|qiom7*MGJ_E^u3N>3L zolqMj4&<6Js6MDbaD7+luv({|`a@n1KILd^e+EP$AfyUbjqo#{GooIR-4Y8LJR@ig zsW%Qj04C;MKSvt{e<6PxbDd-OcoV2v>*@syE7Wo1LYj(?->AK74hinp`0gWvGq01N z6$u#J{Y5|;>-KN`2OyP%=;hG58)=OMU6)`;?8hQ2N^mmcjB}_98-x@%(C9J$K2`oV zg_^2O2y@c@no=R!+Qr`OMy zre z;6yAYp%SKd#gSti_Oir}^|mxVj1F4eDjaL3oy_m_G+y~)I zmoSZxqTMipOx3?D$y_okg(^Rpnjh$_3i_q7eMIm+0xdbL!0-|6Z0%sNO<>DwC;b zDaXye`EgetNK*7-+^GtwVCs~~LR+>sV3K$@P%w{ZGb%3!N)9*wt^P)K)K0Paw;S3_ zli1%&AW7_Hvvioe#!wU6GNo$#o}JLMH8^L^4x{*8VEpq*I`F<3Lcqk+Yn8F4&=2Ov z_C}FP?gD+r1&{XQMFzO#kQi%7^ND(#mh(c6!k5(W7#UVu=~DKEH>bt}%GtH`kvMcntjq(2y9Ns2|T&}6(Wo2?*Tf3D!g}ra}jp76y%K z##GRA%1dm~ZB?rwh$+39ad`!TC4gQ!PtlgB7E*SZXn-nn;!l7W?&`qR;xflk){#6e zh16il84Mwww8zf;HMaV)}Pz-xE0ZYpcbS8*dXq&TLsK z{K|yYz>tm=RCBWH(vIY-r@1D|lfxO}Xv=pk6`q4+z7g1Xp>qbu5jn;YGfr<3<{*L? 
z#~Mo;1pk~>C#)XqB=6e4crx)*Mq6-~6Bwi>SV#{~`LPd82hjW# z7FCxY4q?&+ea zU(~jP66vpF0K!MP%bIqzL$q1VIVoP0Y@sn5)H!~@gyW8#g9gVzVe3NJLxG92lUgTWuX`WMkNkOW{wEC&rYk8(&y^=tj6 zeg_2^a~mPSaeA0&ox5V%!cO``=5YYBizni~R$x@#@{-Ja{9$4fER0cLOoHkVagVUz z*^i`kIBOCNffw(qxT>FlhY7odTrQ_JNoy0F1g#7d`b8i1OW8joWW1@xWY`ILn7rSv z9O?DoG5M2Y^mCxVc6Ez8K-r+fc0t`t#P^)&4&3ZKo`o>r*+9Vz!?UrvJzr4=b`GDv zDgA2qGZ)%5VmJe5;-NyFI}J89VSyTRq!F)~N%l>UTWuu6o-OiVq2hw&8u0cuhPX7p zG>m(Inc?tZNMWjU`HEN<3NB?B zj}5TA)5LD8OdkmCD1n~tl=cSz2m29WMRIXB16P{Kx{6_vMLxP}iC)K)+i0tYY79{t z;fESBYR6!=%JuQ8ZC!V&+XAjv>ux;d`}1>zpLkA$SWMQ&&o)UcJE!6p%>V;`aFe5f zjoJOj1hefPa|$o%c|HmW7Dhlxkk5!4Org-PA=@)Pg~J;=7#q>K}FRIr*et^(4H`C?;$4yA%qfR3^+3E?y23+Uat(iYyDL)c@oKonu-X?U%`~$SHhO45c3h6!$lEI z#G6(%BnZk}mY=GdW@~MGM8JtlXiMU=TVb)AM&a76p$xV7m*lt#EOI2uiQAc!hB$4f`d(k+Gfq;H0e>ao;q z(dA}rq~_~DxPawRLs1*{Dc~ZEwDPa zQtA0#`HwrK!QG}|9e14KNc9Y=rUR#L5bJVi;vg>2XSkYIt_L~s zk+~4pjW6b*50o&3ZJWRmfTFL(i(-n1+E)UWueelw^Gy}5}7(<3!k!g?u?{m{+VS*a9 zJbuTdZFF7d?M66y8BNQd7r=bwwHm@I>lE4F@3Zhj`tHur?aPmxA(_%_`%(LWPE4;< zI@{%iX^^J+o#XPxADW(|nPoZ%MvwgC`Zy-p`xouDg!v3|bU(YrL0^k=J)n8Vq1=euWa0__b?M}vf49B$f}m=X zrAM1R-QH=Up7$Ls$Pr56F|&2w&K`{ghPi>9(4E^@OYj6=V`{I8Sc9*mTdLqi@@fEb zf!NzrTq2HSw;Ek|PHUZ?@3vfEsZSjHj67zQ=IWp1ga)5@IE}o>A&7WOyCx!4LN-sv z^-$T<20Oo!^Y5uHF?8}aaweyYwG_6w*2VXxbBrRFI0v_K0UWD>`ak~l5)jFs(C!AH z{p%=5^r$VgrmLvLG@SaXt5{hl(6I9dKvUJzle|NWGpi^R|5+lAWP3J8G$Z)t*+|kL z7dca-y(ER;w}HI#I4+hf&7o6&o`gs7Ukcm$`gTF5L5Z~zT z^%LVY9?7DrQQ8U{ffwl{w22h!iN$+3Ulo{KUCs+8LcH?|-IdRqGhsZ6aabx7byBoX z{kd{S6wFL7_9stQ@^+#QN=lSfcRyuDO)GA5QDS2{QCPG;7g=cAN{>L3(hxe`z*O^H zz$*Y(vM_7=BZ5;l%lQa1)Qr9nn1QAu!=YK!dj@V(#4Xhq^%f53>FM%(WiZF%PJ3^8 zebupXv9Waj8yzmcd)tiIYsiNfGUgHhO5vY!t|~X_90+Bw(;Pzc)`bnH1;4?faI696 zRjto$fv8`I*#j@PxnPxd8p!KQc!W*+8lIM8(bV{Xg%V4oGYHsoT8|Yr?BuM9-(B;HFTXfj<0mu zRdjK(s70m1=hs3aMm}p2H|!NTNU_3U(qM0vDz5EJo-4>XxNBda*9=`@Z#~FFaK(8> zfjk~kS#|7Aa~e+87G?%cbh&nMW}v!eM1pOqgD9Y10E}PAKmaQ}?l|%sQVw?EfO-_Y z&eEZyhA=f9mKixu@=S{J-o9RYmyzJ>ffB6)S&G?^;r^u+>T3G~P>g>&KHDRFaM!~A 
zijf;jbeVvjbiF`DZNK9{6`{Q}Jml@72g%EtdG*n`MGquRrCi2X$7nR~&mz@?e?w_B z$Jn?IlkTTt>!Z;aH2xv=2%My$4GHmKrH2|vWt=7m7m<9C~ffD zWgJ-7Cwetg12svwYz~xnU^6wC)9CsFHdC$hi-wFSd^3IFeOc}6iO32KhWF0viqY7a zyJ8Qi`8KD_Fj~&xf}h5sfER#6Rm7lUsW1eGqCN;{U~Fx&oQy)cFA=~$TPC}8Y5jhU zaQ4GUSkX~05^E|6LQJ9_>1#^Ot@^1L0yi*wkN-@K_8&2tU}Gdec* z==iliVGCi*HK}6T>|v#LDFlceYrq~A(#I|%vfE#Pn*n8T0u!okQFn> zjUE_3Nl+6}C-=&~ogZeAqmAQ!^asPPxgHIF0r2FuU|ail5_sXew3vq+uHC&*ax{9? zj7SCxHI6Z+ljtLGd>XnJXsVM z`qocU&2{1b4e{5^IPzYYqfoisUEDdWiiH-Ko->!lXk&mnx$Bt?m>r%ti3U^B|v^|4+jh4ZkgVM%ugG}@{9=OG} zmF;Ba-=Ox@xy>W7gO(k8%4#}^+*2DpLGhXpSAc)kaU z>k&Nug6v~?|1zu8O^q>OHlkB57*v4@rHtzlw z3;idb*otf)&qKrAQv{EIn$r-RuHz!J`t}}uaCq*V=mWDY?FfSgNoAv9$qoId{#vE> zkjP;7TZH`1bno^vm-3)r@Bg05xNL}bAH*PkzR3q`RXJF42U5~TvU9YGrKoWg&KyK= z=C-*k-dnjPD8Xnd{gtZzOTuUC2T25n36X=ZItW=w3RLYsfTKWVWyz~+0)y3sft7ma ztGn@SzdhJCbPr8BTY{&45_m1Dq%SyV`4MkKu?MA=7KF998lZEjhJ?IZvN@!gN*7nvOn(o2P#|*g0l;Cs7ejQ6n!WsE1n6RE$ZCmulev_bQhQFsKlZ&(akf3UE-!liBAZ1+?z9>ea0FR$7sOD2=3XAO z|1Uv%1%U~LUdQ+=5c)e+u|=YaZ*1m1dj%`F))8b>!=%$SJ+SHH0<0$1e}wB*I|>v! 
z?#J(cPe_P{Kfl?#hnz>Z>zVV7#vRD^4w|dC2qeZ+r$>Vl-8}`MwUn$c!h#-sHt{A0 zKs7wz$|HdripsTPL!G+DskYNoT`4m|q}!K@w@%xiYQ7`XOtdKMy;Hw5n}N$#(<}*& z3U3ZBGRtr8J6WLrllgV)XBj4azJcVd@#=Zb&ACiDc5-k03%<5svGrH)SxqYeevpc* z=tx!RK84v&(@Fb2X9mB)Prhr&fgSJAwK9y>zaZ4@|3U)wcNl3x(r-|cFw<)Rz+xa& z>XC6d0va*mu;e0*sVaB_w~0~4tuVfz!XJDb!DI4Wl z+gJ8R6q5LL_osfqebv&sk~~S>OljB%FCbzF-B*Om=KiXU>?)~9T`N%fy!HIJJw&t9 z6Tf9PJizL!i(b=R=8r&gLn_UwFaDiFED1()9L@Vy!PN;Bfck=o-O%Hi(d%OK1H}^G z7cv7~!a~n8i88^|(xh5si3-cF>yD;i$;AHx0u?%dVtG_77&qdSE>jx?!@r5@a9iqG zYb7f6F)v%~Hd}x{s4!_t;#D!fKExX*i23F{Wro=S~KzTs46mcnGu9m$NACX@i<|Z0kypFx;5^% z$KQa&Gowd!(DnW)Mu{r=WaB|b=UBwmZ&Io(ou3a!NKK?Tlq|om*H?ZgSNWzr$|py8 zlOo(v^h1(koxv35z=~wUTRuB%M;)I3_6s_IMsmknZa?`3XTtKm6Zx%|@vT-jN zx>i%2l3y)Acr`?WPm)vemf8D(VFr!VwI5ckfhL_Muuk_G3&&_;xc;@)E+}K^OZIaP zHFG)POF%~YFWs>AQoNDu2dHmwWp0|`=HPeQAD^c34AT(MAfRylp!W6A{4E4f(qtPN zie`myeTSXFN#=s~YT`Hkzo;|e&0LqjH4Mb#SEc>T$@7)S#irPsm`VlWSMYPGHF5v* z!AeGEg27=`#9(PcPJsp+!P%Ve!f!Wr3|;&u9^=o5k_%>={l9RY`AlyzK<`rM260vd zKtDx={oOUGd!XiRuVIp@F$j6u=R^q0{JK?rx+{AXaVa&K^*FSAC-$LgdO8i4$0A69nm#J1RTQATLV<$)PhSS0j{@JIImkh9 zy}DxY(=vm~>z1mq)7d!{W;a|174scR!IFlroBl(>h+W*U;kg+yPNZipS^`s=TPR1o zva7i%gEHL#ZXmcNfNh}Kwq3iDS-4Wd0LeebJ@IuG}-ZjU!<@WkrlP(=J!8x-4 z*Z<~e!>N0Gc9ggT918yY{Gw`$bR9{bl?Y7P=9Rhr6lx23-nQngq{+UDlHjuk#5!h3UtGWjcpjsj$OP7l36$?!5`(N}#YiG1-_ZqwJ zPXAJ?jaTxXZP5PHUP6Rzi3)LZV3S|Yv(i5NtR_m`zL?uuKh;9Fef19cq zimF?~_=vcNOAU@ze$fOXoL%!c`2t!b8%Sxl zzZHUB(rismB}Gmx(*5p^DLOxD?F}S6$AS7Dt0s7DP)5_fE}YXzezWGfzlkFu_z|Z~ zNW}J_w8tZg7fU*8>v=;9G8xLE>U*>iN_|2gE)W$llOEG-pX2MOH4J}myeJ>qM`>@s zcB)DS+XD10q#pRFA}#C}Yof5}PlCOpsWepo%Ytmy*ZB9wE05#9h2d`%14)R#GsCaP zVfn=tn;j1PPKp2tRT*q1c6w4_;K%6r?ORadFej|B$nQ4(C&7y~yMM{4 zv-Fx9n`DohUCvg7r$(j-zCG%mhikh&nCq3ta`4>=>*t?kZ~qIDbqQZ(mlLm07Dlqy zBRbNWar!w)e|0)7%E)t!0J7GmdBmThhH|ltJf%`tpNDVZ5qfALcXd=pgi44is>n$> zA+LZ&!muPvu*;NRBEx)KSpiE?tezI>2h5QA>rV0t0B8l~C@emKjr+Tt^`NtCU4OkS z#N5(5dAM7C(8${%={xl`ADkKs1$?{T5evjolJt=jbOy^28h>mbK1J+CE3%?q7gh3g 
zGJ2Qx&Z=T`oOGIc^#9GHqSp>9R^BHSe1Ui#l)gHs;5yDgTa@ezX5~OL(1xrV!t&1w z`tz}L7X@a8B!eLRFPOF_O_BpICn$n!GFjS37qV0=C*c@|eLI`AFmSZQORjK4VL*3J z1dFrx+*IJxKU>rUsM!wr;kB0 zjxkl1FZVpX9xq+;y4f6SG-#>!B4-gM-)$y8b1W7Odt!5(q%;R8FW$-jd!pj?eSytK z4YN7Ntg1t>vJ~ON)^ye3?wg)RIbPOj1{pUsSp&HDnjya(C0Bpw9<6>+t;XsfMbT0*E3VY@O zWT!a4nKbKAp@UnAxx<=XK$l|o>*yo&iev4PV!_YA+*THsT9+Pcf81YDkK~etGi=TU zaX_{wM-evv$$>*P9`9N>;2XE$T;=-xm19u!p7qTD8{SvrtHocMl_(`yq0C7`aE&dc zfJ-m_R6eIC}_}=$@1=pSS zdmK2EP)Pqhais8oN0hge@2Q)fxJ&x{08IXaQ;xx|UZ1)y4$R0}`9{pCVYMQ;O}dW^ zon#7%*8GB~IT%cU2|L&n!n~~nukrw~vHsFLallSr_RYtN!;NgL+cBE#gjo940Cij8 z#fpm?aFw6s1n{$6dJFKM;`5U7d4)92f0vtrTG+6T{uuEB>?(eDP z#kr4%f`m>3q67zK$Qt72g z!<8O-#8XbeNiGx6ACe$}xib?S-=1-?@pgS$TiZ}fo;+qtMLdN&0~ewVaYdM9i@=CCwQzu}9;G0hlhiJQ6LAk$wF z$2_xBR6L>w)$TC%pIP`6X*wpwrlk&k8JjdHsqmt)QIilEQ*j1(9OTLt@3U!X48Y~_m!AGs9x#Pwa@3S9E)$;mA z%I!I{@8V=)ZM#!pDmyIK97Y)^7b(9^BQq^VjnNE-?-2Oy{H7ZE8F4L~M%Ni=f~?(f zQMDoa*?)$;Z$#u}$fd$9o)Te zx^caJxHu@Q4aob}C@02cn!<9y9htNRkL+8WT~rV~SwEN`E3AetW(yO03g+wG4LW_G%+>mm0NulDhb{pot$*vx|I2F;Ys{U{0@ipFBWrtoBH-=)BR4*Ow$wRt=H~8e ztUwf`)R#UZiH}l;sg=^UI=p_TZIi9i?W)U#VVXC6>GHYsuBRu8K3sTvki|%2#i7!< z&W&5zC(~r2$pygC(l~a!*QdD(jV)L%I%|S(CEm6TjG}o52N%yt*3_^kT5pLO^zP-J z8~U=jkdNR-$eb#+5{U+|F!;c@-E)abo0*OjM-6Vr;TLZ-0V%@ESiE_IKKa~|e%I7{$`09cmAjtWNQ~|>K`8Y{6*0boK>MKi zElIs`MG)^14Ow_F3NZ~P8NK+f*F4>USwuB2+)9O{K~Q4rQl`yN(IZB-Y2VS|c zy~Jj{d=t5fiB(LD(B+ak>%;*=J5z$^XM^1q>jN;$I|yHY>~2Koc>)I5I{hUnQPQ4$ zi?=AoKfa`!P*gV;_TD>-FEE9p-!is@PRKY&O!M!;#haA{N`1$%(dN)Z$saM!OWX-X z6VCaV6qZX2(1r-1w^mpL_J(LgbsvDs+2Mrx+Q>O7+XSXUG+zZ(#9Dz-grS;PgCTd` zg9F$&5#u{aJojIz@Hd}4KV_C@(rf$M1H#tzL;S9---cO})ckv15hl`-Dw8!qaQP#> zu!ko^(7U10hQRA<1Kx5~1a!oDKLUolbDK!4;}bD*w;-AS8PZ1%1byp=j^R&m7gQyO z|0xm)s$=mj6^%qKt5^xNiYEg-QRTmcrs1N&_%I83mFAY?A!mmO?nlQPPQ;VrD3=g3 z@-aL@L6WkxK0T3@e%|7s(51!i z4>+j5Syn7t-@p7o_U*BW?K{y2GQQ0Z*j);+0U(|R)VfnKpiQ6} z5#kV*Pq)yDr9+u*+Y)#UqD_9&)*~$_(WBwg4fz&>o;$tMM4~TCH~lCK>FckMdQFPL zW4LtwOuqeU=~|@8oZLIGXZKqbN;vlYov6bwOzWJiagj6^ld^FE8jH;o(8MG@IWJg!7_zBCA+IbP&^6 
zvosm~5M^qH229p)ivm}Dw|bK235RFy8B~f$5^7?BD(8KN8v6HN&mJlm?bfOD{X|>Z zb{2%_{9kxGh%gVH)Gx_bd&ftQorymwiDb7gJ*-zq+9B#HkeozV)w(Uun}A7ZO(9{E zO3}ePu?d&N`J5pQT%?mh78U<_9Bw*kj0L3_bns}oRV*s>S2_y>7v;v?cD#_CrzdX( z>>a|&R}=Gw2%D#~FP;}lcF$cX2?#FK9}VgkstW9`TX7LvOaQk#aiF_=_c;6Vtbs+R z!27HKx!{1AStHgAYg%37&t;~A@Nernseu{sR^QbrkIfz6=RsCdvlPr+FJ~X8YRJfb z>j&b=@qUG*h&##A=d^_$03fWb<}H(To%yi;_JyUPpvD;WcxpCE2CfWD{z!J8LnQ*u z5`K0-7;Z_@tL#8?qnmCDZ$*g>6PK>9t_$k+p!UdNw5H3uIcvaYnT3OM6_etFIo5?r z^F}9A*}em^{R5|69H!o|;2%C?7e>!Hnn70b0uICg@e42a4FZ*b8lE+WZ(TFU3-s_g zSk@&8t9(*FxKWoY9QQYqcjsSpcjBq#HhBsrGgfEE^~LFZp7#$E9UCh_w|zb1hwu2N zN3_rriB#H+AnV5cw^1#efN@Ur;(3%5nN&0i3Vq_~D+@W-`?eJydmyb|jl3rg^fSzc z+B75#q=ZPp4m}*lM7{{FK!c-kw*>Aul7ZIWKHq~M^>}%6w10BNaZ%XVbCq|#)R@|V zFS8m?5f?P)c|XJ896qsE-9MpEwCusfluJGe7vAcPcc@MVDldwF*eg%FVh$kS;Iw5w zIB7y5GuDG;em|~D8Yk>vF5wW#px zOd8$1d~AGixtEADj`DJ)p3Q4RB|9RQX~!DRm=>6I*wpCCw<31@y@PLfkvnejD8hRG zPeS)wCa*lPQ6TYRybfQJog$^er;Tq;`;<_(#G2c-_sxMK=59}p1f5g1XEWsfA2{SY z{-s$y*eG{gYF`ksVQU%-LYir_lz49-KjNY{Wfp9wg1e{wsv+_3ZS+NIpmL&6&FaYa z$D3(=eQ-oDrGCfJlK(`!EoHAcgJ-6OZZcYo8NZ)A`fCT3$cLMu|0%!IUl zkc2==-o5&#-OO>7r3j}va1~OUsZfpws-YU70+?W{iM0Bd?8lzdoW>^I(6_lX)qcFf zdtMX3!A)*|1Ng3^H@W}=}ycZ247hS&LNGJQLeMJ)uVPU#pt8STLtvD2O7c8WGcuDk0 zy1Istg^wtFS?2h4!%Ltc<5yAnN zj?d}Z2{snR_R8w!wWCdv+SH_FOvB2X~gAXMv9#g|-}zLwCog zGd2U)N5>8~y(h;*pWkxx)$BBStNy%XF`95xcD?EKK5odmIg7t*^;%kP^?b^>zx(0h zGQwcBTMI74q0@AS`*?i@H5+s5alKw4bccSv4Xz65)p0mA^lj_068p|*^@I1t@onXZ z3$3?N%lP7_Pb*7^n7m$0r@XD3fMO1B-G^N&-_(3B7h_ zgs;FAxt{!KBRTk4KZ~nTnAO3gWeyhAYqRI{r`b5$!tzf0G>Ey;P?l-We5U3+-X(k{ zhzwnq%@Op2z;OGmHcukcz}xm7XY9_{T^}de29uiP6?t=X#Xr8&1~Ze(pX#>WTb1P_ zxt~TOJSv~VHs!i)+7ac1#WnIanWX5w|ozwZnf2)2&=K z7yA0p1>4nh07vB>UaokX07J$_BmoiXTszJF9#VythUugvd=_~%ZB+h)q}aL0%-m!V z2~Ya=E9m(1*JGCUsUq9MLlK~3S>=^svv^B$l~t!D(cmoSkv{b7$_$sI{1kSLCApPnIyZIn(G zo<@K9aJ4D-K9Xo0w?R+`#nXjhs8%No$p4_qVWP%|2JGiWoRj?aW&|r1Z$nR=K-sXZ zSQA&t_t22Ty?*80k@h%TiMjb{?xGv|aaJe?$RT_4f_dNPQ~bq!@=p31O!rNLs=h9} 
zJY(ix+Izaql$Qzv87bhqe!Quig6iR8gkaS`umU_GE^m&(g0pk}y-!}m$x3{L%k$VV z-yd&q%T#R$iTLLhkLp6N9+J>R|iAdO#=EA%fTWwKApM!upXjSY^)CWWDXOKS;y=V`s@pi;tX zGzg_5Ci)GJg0{$tfRrT5mbCqD;Vf4&2Bs`^lwhQW`2ZS0rK;q3mq_V{}gK0yRF1uW{w!T{~K7(-_11R&} zibjELhh=T@=CHraSU9RfR+Hn^57o0$&@QFSDsg~!FQ{Ap`%hNTc^8}A81F>$y(mk( z)&samHj%4+_H);*&$oGZ*y2v9&Z9iL&IfHO`}vuStX0{0%sYn0CsYsDuZf-^)}Otc z2-5_6KiU9!CsZsmBmU_lkvrPnl0faMteMSImVDosO|@4St$DV&Y3z_MI&c$dH6$Es zalbyD&`FK(v>Ow5QMr5E=(z$$P8hh94gQ`v2=X-U_{#HJ7}(Vn1SBmZO`%qz-v;!Lhd}fV^mF{!7a>`;JchEPw~Mq{emILz zP91l{S*E)A7L4I|UhZPK6Tq5%U@Zu36!%d#__B-f7Z$G-==%?RM7_h7+jT@)E31{8 zZ%0iOGg-=GVSInuyTSbiUR4W;hbQB-y#7RbrCO{aiz7@gt9G=|D;r zyM4L5EM{#1>1{b4BqUoF^F>j@!{SSUNr3_K3dZWF{TG#%K)QVgPG@>sz<)liyoP)W zHCf_TKP#u)xoA!^wwm;vs>fUY{Yi)x#R+NE6Kmu&i@ur0_=6$;M;c-lru+)xQ!B_R zmHpoMlz`#$J`>=Nwp>Gd_8`c{EZbAB+Rx!oZ{UzTiodyWx`!{^H$ZEWCX~ToARSSt z^Z&z_M7xS;Mwcl5`wa*Vi5dp#>`_%qZZdYbqIQ`K#fn zeEd)F8=^tYU!E_)$gYkP($lahtj1fewj6ySr}D9~425d6B%1|$fZT*>$CAnuZfb#U zhfUgW2ta7Q8DT&Z>PK9He|*eah_C~UyKt2gxO%WB==AqGyQU)dtq5vEd;#wdE)E7Q z8q{zfH3g|iaN6msiwm1X8pbVz7zMv2v6<-OXRA=#m`gM*<*jo^gLY3@*QB@M3TyX91PUoR@&1}GYR}t8NcFr`2(NsmltGf z+2?L=gMnU#k_k!IbJ&Mk=|5jzAlX)F^8NWzrw;PcN-_WTT9ftYT+^-GbgIrVb~xeR3`Qj*ZwL#)L|v@oO}5Dvn7S+3MP&pxIzJf+98-k&@_ zx;%?J7(ZP^KS@WeuRO;*(j7c?JcGu(y`6kQ5ZEQ>AD&ehw2zvI9&dOa{o0w%dpmYa zx>z;_kf&Mu6Y|xg6{bU}x`!2%3M5tFG^jNH1igk$82u=o!P3I%Ww~?wJ;& zg}9N7Ip{n_VdT#4(R zRsc9>C}ETu@#Gxc4@H~tc)8N#`DAILtknyBUo*|pb<7|VTTxEg@219HF_o>{K<>-V z1&Hkr(rcGUF^d09)iI5z(*J6iX_u9;75a)fmX=jjMd{Trvwk|@hZ)J~f}uv#{f5{4 zDd+h;V9^!XA0C*{sh`~wkQ{nT2!Tf>&*#ojH100(6^aYXU)CxH{qo{;f3imzWd40Z zJ^jUsqUVtNf?iPfkif!N-6_P%}Rc+C7IGal4` z$ahB)a9B7NW7KPbCz%_4<@65YKBl_+!yuA1g&)Pj@_!(lMSS9#6FyrKLv-o8Fz9GH zP8qwcd`|XXrn|r_FYX*-V$&qT@eYaaoMcB1e7O}tK{gnH%Wa)?%t}JB8GjV`7$>q1 z7<6}4VHNDPk%3#>xD7Qw60uYQURRO;Rij_7JfE4BU41_2iy>01S`2-c9VI5d!!T^X z;_#rO{xXE^Arp+WMHbuWRb+{@;A2+l0U*cN_0#kju4}-didGTbJjDn=fgE0o^)7j}tk1 zWp0vv8>b+WT#=1jip)XQS~;|^UT6kbaP3bn0Ql`IeWB!Es*fEu8Amhmzr&E*tzaB1 
z9hX=>#uqk0cq>22+LaUHUsr{`lOq0UCq4mEP1V|cSKE>nqtf84F49aHrLd6r>b$XL z?y=ru8K1A}+QzGn=QHVX<%|dIz(ocnLT}cgZogRmsFdBL>Fp4D)Q@;&ZU-+KlPN3^ z1!!Y@%5R5|K?%SfRrF$NAbYz$>Mz6up<+B{g%U%_px)dqp|T_t!9ZWrf(nn_c&u%H z&H2~y*7H))ndL1i&12&p#hmIMiZT&MHU5eE^A&x#EikkK*6b|w8XegoCzaI_l3Lu< zp9fzxz$oL3Xl*{Pm6@cuNs(NvJ|7~d8v!9=dJX=DG|uK%iH z-+F#sT~DBkZLBUQ`h~muBO@_#inM#`ExT-+fGrAz&o8%^0u24-JF2R6Qiax<93v|} zVe>ID5+zTHI5(hJOk5L4Ez5!IR%%`0^XuiHaR!={wWhuVQwTNdU$^YGnxq7wRaCT6L$}HiD^V5p1JR9H<$sJb0wfm<7Es{9#Ma>;zRo#tT4AG4 zddd}y_XF9Pds{uvfC+{%^jn2JA1>xSZck4+flI8U2$VH+8dM$ zCJVJYsSaKI=k|}D9v-iIW|lBmSM#*YzBg!4OK583diR50{$>fxKmhIoW<8|#)XgJp z^>o^4>f4B{NKRj7P|QCsw#vaONcS15+iYd&ah8t+#w5t%-cV>^rus7-Y)3u` zNAhOLJz#G>J-X!CEEyAisE~Iszpm!LNpMb$U-d~>dx9sy$;J%bpD!MdvOY<0tN+#C z*_%3jA-z9+A|gsuKN*GFM61{>K@H@%BT&L`V}dEb3$phv`j(>;A|?n4vxWuJbl2+b z$v8^IrKW;u^RPVn!MF}R+&}4aq#Qw4|2ziDj0ib+RW9j2Se{zLhScB z4>u7E=buF}jv}TS1u-a1XtL(%*7z!l;_D}J?p;5Yzf<`VQLxDOS$oFbNwD@Yo^#kf z+U1?{ST(|d@RhymHB@RAf|}N%`E`%i()Em%PJ>;W)3>u3-mUi*sQ5%Lve2*&hJtso zD78q){AxRClSlRBtPIp7hVqdGLpbB;RR{ZXY@s9=5SX#A@obuZ*?S{wHQ1fZ!Dbm_FC!7K^o|6>kdmc;VeZ)V zPRA>xXBS?IH<+hqn;IGSDs8f%lGs?F=gMgo{`bTN&D?BiGgrMDob*dtoF(G)&!yT@ zX4^UVO4>Ja*nHja$@3?p-AN60ts9jEAeB4Lr<0TtI*WO1;B8e!&{q=uugGQzE{b#L zS#BUi=75xI%TaKdNpGEFM8z0t7t^w>x*<(_zQOng{%E8RI1WUO#i2j7TuSt3Oe*t7 zoOu^6xe?96J`HObEwV7nHIQzPBM8Uye};g1>j@gKjI*V?HKbu6ww#02`B_(({vPUr zAZ<%-a!!T<^{>uw`EW8qT2tqB zTcZOT1`I<2(6YC!L_s2N5vyG<*n+@2iH1!AnI;Z4u0}__L3l#N27wP}KPYvjfqe8W z^ha#aITpe!4rcSq#MfD2PsV+wb#AtsSMAk^;j>9E>Hn8)vSBUhXR&RzOH6?Q$4ppA zOMH{WG#MDSo*=oOXj;h*u+v^&RBy7Ou_vwdtVV&iT$I13`}9UGm!Sr} znzv=(UAm|CJf{!M|5?H4bBiWi4kE!I2hu{_T&lHbWmuIi0$PD$2dR^`vYXihRVAd# z1hDe)ml?H(Qd6`4-dL(h!;;qCVO=qV^;&Bh2p|ECz(RGd{9OHkr>+Q56~Z22lW7{X zc3?zI57tk>w`JrU!8}^U$&u&kC~YHtM_8ZDwFg}cY#^CW>GZuxos(H=&k8j|v%Ij=(>noA=!=I`bAIt;t$A8%y2hL~PKOWG1 zU{fj*9|d|~;-t+$kE~lwqr{%Hn-Sy|LY9G7LQt8Uf$1`ZcU)2`L{AifIM!>nV=&u^I3KjiBP zjl8o?(>+Gp48Wgc`SvKWP1O?4wLsa&GdoOU7-L4M)S4V)+ejoVdi<#H%-%ST02xRUL7(&AMwtAcl3Ddr7J=t*dGc!z=}^qjL1;Z 
zK$OcuD<$WSZ;M%Xm&H;#q^HRp2%UR|Dz;v5ve+b`BUYp)mf!sqGg|D}k zDZ9fHzb8*-FtqSwGK4c$*UWi2k6vo+y#;kJV8j);JoH)RGkff!dLxp*7 zTH48%3oH3yjDISl)p%##$$LHmo)@O56i?)Gh zl|a(f6=DnR)$Mgw>-PD!Z}v7{53hZCxrXey>0|jvptO(6V#f)#zV;dP%{YS9>yp>R z+sudS(Ha1*0z;DhYV;u@!tceCQ6AxO_Aqnwy`%kP^QBTyFJP4W)t%W|25+;Q4)5|k zKa=O<`Sk{mZqTQ5MTs~4N8bbO&DLbzI82fF%z|c`REW741vycjnW=PZ8Fqi~13U)z z-&T^W&U(Q~bA@RKU|uTF1l%i+WZ;#t*w>SAr|mQ+F_GJVfIz)EN99Lk2hg*w-V#qn zsjA-Zt=H+@#5IkfEEs<-NwVx2TV0&{Rn7@#esIno2f?sl$FJ$I}$t)&+qxlCR^&MMKi=s;39GUk)xm?a$@tZ!R881ZV4IG+FpC@Qi zL%X~Z4;VbU9dZuZKWL?}NUQgej9)Jrhk~yNu0;IdFku|)8=jqE0#4JF1UED4mFtpl zz7#k~jlC+y=Aoi7w5zN@Yl~|IdDu~EZbtkiC16dD)8~s`4wg(;8FlvtcVICuTgd~? zz86m$X`A0!B^5~YyGlY zP0Pa962z|em71O}-8A)2XP=ic9lnRzYZ|6 z^Hm}z<`Sg94qa#--RU{#4sQea;WA8MRfhfa-SbHaE|?t57^=E;_`=gobN+2J3}-dX zG5E^l^JXg(#0J41f|PlCG5~HMO757j4dMB|(jQQjZ3v;yQ(ZA7`HWY8d!jl-V!xj^ z%}!_k!?6$*sp1&EVm~z{P?nMc+DmzxmI_+M^{=sh+th%zX)NvK1k!t(gN7@Zn{;OU zY1A62tDrf(!?a`Onr%OOk(!%izwSy8Db6k{WMPJ1aoqbaK9ZF3f<@7sk>4DHR4qDU@4+SlipN9n_io#>i)WFOQX#u?>p;0~~Sc2%V zMHS~S)Jj=Iwm3`=Yc$9QkQPqKTE?*54)m{-Z3TAj)85G*$`AJvf>k-Nn?@35L-bO( zOT{ba^hMOM?9tmNcP`GuWdh#g;s?vkE}GGjhIPSJ!J!!x%9KFt8#kDnAEMaxeFv;u!^BG77j*n2?Q?598D*DZ zZ#kX&<#U&mWYN`x3V)am8T_vm4|uz6(`#xBMF<7-aiAo_>l9dA3khoP7nEQUY3Za? z(L`9|Ah8&<*kb-&;8+R??gT3u{Gjk@GBt6jKsPtt7uZ*q&B^Z)T$T^kXoz%JJ#jF6 zEp81~%3|Q?x;n~3(^$@ISw@_!WeC{MvEm6Ga{?yUb&XN}&4`5AdL+ToKmJ7|$j!*Crf2avDt7JHKO0+GI zXki7=hi{L_|FsbV1_`w^n=Gs*{WfH{ZxanI1!!>roV)7x6L{frtC9 z*7`R*Jns&RmBD;YgIm3)2P%#ER+}@;s0-(D@9|k1?+%~$T_RnXY@PQj`zagm4LIL| zv<#}M=u}kvNG)OPrpf-Yn#=qW zcd0g%FA=q{kVI?ztj#S?|BYE? 
zEG062jES-^yP^9^IKy5A8QF~|akfVqCi@4^tqkjJ@hSOf?p(MEQmAG>w<^_<9yU#c zkQ<6QuFe(6wlY6njE#JOlG_sh@mKM{JD?OPHf5+lNrZniQ+_f4g>Cv69~@CND+V8U zTN6dtfjp;upy*pN!>p@0Q4*gKaWA@qZ~vLa@d{NJelbXEgQn8)n60r8y7%xKT2nRU zDv5+x*^-c4@DJMXqsZtXH1C=>>zC0^MNzTvnl|LsS{R!>Y{FRi81}peM6W;mlI^#C z(HODKyz#WR4ZeI(8|v<4o7haAZ(neZ-DX-~E<%8>a`!o&rPFLen3(bT3=aT4X_7v< z*?4$p9We-;DErd|QSMa7`>FL+@94Cte|2NK znHKJ2uD`lj#ObnSH*z=M5#vGW`J(h(9Ab@o-N*CsVx(Ay;KD=EK%7Z!F)hJJ19`eB z;fRAyY?*#{;c&l|w(t9hy{19f-($9Eb|&Q@-CWWjzi@d%qcI=&j0Z)hU4w1;3m&!1 zH72qV`REIap@PH0ubNi=F|c1n3Sd6YK@2Q7!2x(ron4_819Wh%;{a?A-hmTI4xxkwG0b>~P?7M!a&7&%__jW!r2FyD39w%o>BLH8#?}VgppCqg zPI4V?8gZD&(O%%kplMCfV`y+E&5!2R%*Mj5V7~0avf4hwwd9c>Wq(4wYOfuVyU|8T z-XM)p`x)L8x`+O!tU!ys!NWFKSmP!Ly(%g-%D*RwMnXimn1KrHWj3AAr1+Iu(l>8v zuL&Lgcj?YEalHrW;(GrqeHaMHI9qjnbyH5`xcb)URVGEj@05l+g(Kp{>K)i@*uLO- zv=b>n6}zo0SnUvg!7(}-I6i(8xs8O<&K$G-W%(AVfy}llNFV+O_Q<#Ypl_f5 z96vD3lt)z=vFbQcK&oV?ELhS;fHn(95f)*5k}>}l5kpo*CG;09+%z~AJ{Psk0MWu8 z78bE|R_tf*kNIReAD=}{W<}#cwXRjK`>Q8~XV=!>bgPH&lhxEND_lCJwjPym8aa1) zlM3EQZ=a^`H+9nVzU>N`yQMp`W4P;qbb|xvCX-u^nBU`QwnwD|i~lWbjp7IvYh07i zay#WdpH0wEnUS!|9hMQ~DYKUr(1s>SX&)LXXITh-`u~%>WV%KY?)h|a8DMO?HnNN% z*P+GQ3Id^OX>T^0i8(i`i+E^X$s1b7rgHGXa=-;xwSLw4X_ta1a9hrR)wS6)OTfbf zc$X)1#ETLLfU=SC#He7E^Zl1c{siQa$q?~@nfE6xQy$L3u#pZ>l2VOdq4W!JNA(;i z;!LsGiR5(-E%mJfXgPm-!$f?OKoo7tK1D_@)b|dE9oFJSq8$AE?3`>coz)k-wO&_w zM-%x<-2D_OX*8y^EfaB)$aCF0?ERWwfq*B$q5N4@+@yt&{+*Wk>hz8@jPKv{a)quM zGQa|6T3rxnXwq$(MNL?BfNFOUEe`d(m7pw#G2TRN#-Syrd;rbwKS?Z-2xV=`AR{6d z9D0PowG4RCi|dCz`2Zf`20`XET4(xFgAoz8R|(ZT=9;3tI6GHrBpkSyt5(B#b4WDn zL#+}1;C#*7(bEUuZ)cI#vzR%v+qO*PDa1l^qy!w574+XFZ#yVW*Ms7BfM5J=^W&EVNRkYzvjE(3_wRO;Ci2aC7!-+^mC4c=*GVdoF5Qho7!<3I35sK^8z)b zPq2OXnb`L=ak+!-)Veg?LoVPDBMNt7X7H%M4P>kx)L+PNm+(uo>g2^(_n6K2jXp(S zc~`^zg=0lO2#+mmxz93twyy{s1i06Nh+h3Q#LEeVtiQ#zTd;qTR)7Mcqn0>}G9I2sAt^ku`eQ6k_;?H+)FPkgHhyBKm7%x33pP83f+|g+sgW6b@-bEdOQ=SLP zGfZDLHVL>>jALY`AclknGB;t6+)S%c78FOu+RL@$9;sQ;H-dO@^j$~Rx3e^gqxly= zXI|C!0U9b#D>B9vCAc*i5ailE0!Io^OHh&fvj3(lU%*6~C*;QzB*27Dib 
zx`)pOzS&2E}bnfkJW){MtA@v22e$(Z-%5$+sd;!x<%kin{*{2OJmoR2Q8xa}XYnE*T zZ~x8fq%+{C;7k1aBKHpCq$Vd~xeplp%n{=le`Md~-USL)wk)-np3}3p%7gzZoaRwR z%?>iZe>!C5ACs}5v%bi1kMHbBFFFayQ4*tQe|IdfkQHe|cPc=QBuyR=*3uzbD5>e} z0k8aP8zywrKgu^0r?7$TN7{m4TCM5iSDGf=;o)E_-YUgX@Q4wTadp(O^vj-VA^~Y? zm|G@^oVPe2akwl~*b`xOvhA@^n`?2qr)NEmn+sX+RiV}cXWJL$v&ozAudPD^j?2GN zTU)$2xxbRvZm|Gv9_hNh>S1{J!9DI$%%CsanaWZfkj$zfolh{rD5#@59(TzPk$${y z6?QI?d5Hw&DAjV8N#*h%;XzQ7(C)6VZw+MagYg-MoPzO>-GzmDc$zLRdAfA$ zsFyQ|w0T5I9mQPq_&iLfc>0UwU%iVRFlap^d23KFRs^rY{_t!UGi)wGb4A%n?QPN( z2R>ZdBk*uGI~52P0kwn}va=Pj4czhdZkglg!Yl=4BN3QYBP(s=_5?Td2HW;(f1#@Z zwFGTBYvSlXy($$ztHYu?cIU#AM~Iki4*L0%jL8Mgd?gaep6xCsO9LVpx4vmfp}Jyy z^K6_?wD9UO-v70k7V&qGBqYUBh*pLnbHM&Q9{k_%eaa>>)!|=7P^TUmTMwm8_#@s7u#noC$#fkS2 zZCZ*(Ol`5hm2yddK=>|5^$; z8Bq2--02>iy%SC9mmMZWT>R(yz#bVUTaU~q0OQ--_sI7r$46V1o8@HrpmQpfil!EnjQb)RxYDZm2j#4a-hq)QUX<( z73TR|?e%$K9avJWlwt@UC0fP~TE~ZQfZ@9LkPe|i$ohtybDMzb>a>IQxku@9XZQj^ z!hC?Do0>Y51?flTSLhbnyAX)_qO)<&15cX>OUlb2k7(AS^p;xbMzqFB0%!yjdz9iC zDP&rlsOnzS_=ZqT%sH@pU)hXSl-NTLmbnEBwB!=B-`p59bD*bSzhFYEv$*$B=k~3WR6TYZqaPRbm zb+W^`vvJdz^O&`zq%R)DzGJDlMxwk13d&_O?-i)zr{7Y(l0!D68!$4G$tQ|G@#EQA zK25YXd%eu@u=~7nKCej)?b_&cb&MTc?%g8z$T2-1t7)~#cvo%U7{!Np^TanV{m<9$*M|?s{q@k)6T-GP z)$dQhTeE{>LABlj=WG}qzmB;AAhxn7}=j-)Bb86CA2)bmKfmiX=+VQDe9h)GS zF&*N3i(f7yx6Oc4Beb$(>r$)tn^bW&*q>8;jh@tV0Z{OdO^2!k&Lz+@Dq@ z3t-y-9{Vnht8ezr{qULjbmGuSP}KYc#n|OhFofm5SrD5_-x@40s2$4?kZdV};y3u` za>IV@h(QU!F8v}nqX?S25OmCD_a$*ks2Za3*SB^ziG$~3$HJRs21tC5mWv>g09cWR zWXmyMO9G|bC<(RBK#o`B7#+4jKI<$DjV~fc{f-^Xi2e?g0o{w>jE1qq#UM+ol|c(% z3|S8qTZEKJw;Z7fW2AF?+!W+j@RbcohIwD}7VHVAu;x*q(*t z$$Uy0TQbKqGT!VScVkq~oDJUR574%wj;5=()6D>3Ej_eZ61szKPZ}Z1!{R$^5FV}b zQ|j<~SJKLDBi)NGb=J#Gb(G##W9uMr=h-W}$CqDBHHBHEk|`|S;>`-Jysu==`&Mt; zFLnX&;ZOkg+j5m|_vh}bkD!t0XXi@a`;N=FYSw^B^c%l@k1bB30y(-&Q@MVng5fkC z1>NZ!*zkO6)WgI;od$Bg`z!F|U{0g)jON37u4qwWqLOr)M?z z+iV3{dF|RR!dh?>S1Y6>+B(Z=wR{0>t-_T zbEINi&xDKJ4ZImJVFXsa?uBi>S|i(!Cc_VW$jOX!tfyBSff&Uo)=G+G2*# 
zZST9jnv|?tf?(ykTj*-iY}3st1-K=_m)x(g=Xyt5fw+v{secoe2C~hmt21`?o8!J* zId_L{Lu`J&H-0-y4s#r*kz60|sWKh}9 z4K5Qsk%enaN{X_!s|(_JJJ0TZAH`w1y2;G9d{i#knG)hjbas%IB(06M5Jl7Je6r~~ zn(T^0$PONGTycMyA3ZfJoKz8KLTtF%abiVtk=a$cxuz6OEO6|X1iXRceDu;SBEO64 ze**Jp2O7ouPdMK^-)Ab_l5(u_X9f$Tg9v<5c41@;v=J}@5h4A?oSrIt%M#GP`}58S z>qJMGX(_Rr$UGym& zpzq2fs~S3pcHw$$pQrC#Da}0hPO>+5pB9v0Q?_0zyP2}CaY!=735q*1N_fBuvHsgt zuBaY3*}9|+6Q{dW9uM<5j=p8Me{Dyhd5p8hj7bt&;vkdwK&qx$1FkaDMfbKS$n#dZ z2VJe?^Yolx|2TV62wGejIJa>~Ggg%#ky+YWeRK@YRHcZtYD*BQa=oA!s7Q$ zK3^O&>V5{ZP@jb|ns#5d^^yP|{r}>$0N)aRPC`((u7w%Y(H8^Vt3KHRdgLI?Bq5Gy zj*fDdQtrF^V1)E(;a#QIO1iGya#OodvolV5a(mU5{e-CH{wt2t)LU|^GBMTKIveWG z`@ZPRaFvC)Q$JaL@Qgq$ak_eNq0>~y>SHvb=SlgMC4ECuanX!#%Y(bU_;noAnE<-N z`G0{#7M_8etgw@4Nj-v*ZfVGgGPEt*ED|MI%QkBt{~o*lxS87;g#+zn069Wqsx&9J zaW|=F7rgu8jcW=k8~GB#z;_QkX8%ttTQsH?%EA}krIqCE zGMqIKIqojCaCfDOfM4b%3a^C=4eD)_9JtNXo`fj7En_m!IR^MU?7z>P3T$C}I@ioi zX()W7{Ge`P`T0^N)HDp$76{c%aBCTDh&NV6T0Nmmd9iep_DT#nb79=Gsm8#*n;jev#I z$^vbFCK$f9$keLydT}gUz5JGj5M3Pn{xfS2{z3<^GSOn|&JyRN4cHo`?aT9YkIVkJ z?~)lue9T>}W>rh>+P*F|%WkVkNFE(E$+kU|`Bfc_W=^059Xe7`Kg4VlTE@=|iJ|m^ zir`GUPslFKN-{OPK!a6ymuV4?NW=zLB+^uL0z zs2KFA1;%rf^H&PlIhDlncDLTjJ03akswa{Vver9pV;zp|x(jmAMKF6?Tf=1IO|_$g zZ)$JrUS+FT;H@bOY;np=WO*KrdGDa#2X6*Io(zhuDd^GxH%AQ6riXBELH_yPVgfIJ zx_P||S=C$UV;*6BIiOf}BK`%i=r!EDXk3eYtAO6QSQb7BD4yH7s(no_ne@W^X!+P{ zo;)l;_--XKS9iL$c+fDzdUH@3Wp3zNaXWdL{cYDh*PDxXA^K5ZQAWn_g!jn@q)DtdR%d4z#W>dxOx7?iC4)6k8-|wAXKvG`Qbi%RO{{L{JGpa_`3!3F6>*J#1AIed6q-c1pt-toGe=yC=5wIQF=#d|YR8kdlk zQ)7yJsQuWiv!P3*dErN1BuS@Z30JnXYUV^T)857A4;3v*&ftY&}RcjUB?wlDI?V3%9&O0Xf*Yep-EMM^hM3QvS+RL>{)dOkR055Y^r)k<8^tz39Vw zk;uriH8!0*SWkBLGs^W9y~YHYmHCg%b%*2o3w)LJMbnS|7CMn0zM^`I-{D)T(hbVH zj*Em+rlA?eEQoCt@F|4)MYK}0|M~M@;So!>+Xlq67IPOO=Gr<a3obki|8bEp8wR%^S|e@giKi|D z7-#zFhc_|+q>0lZZmYw-h0o7Z@-CzskzaJFIBk7Wp;_lrEM%qAu^AR16{m>=oYds) z3tCH3HYY=X$KBtxOx0{V42pSO02u^XO1qozDIuS?)kU9&TjwMHzMAEdNzkOH(TR|G zg({_}yK;$z4vHb%+t2dz85`9@m7FFDi3pwj28Bv0R7qK3wk!t`#m-}?2pd8G7mVIa 
zt^+F6@{4-WqKw{}e$F=*8iHqHWt%@41j%!HYKC@)jo{`dDgRi!KGa|{(q?k6u4+s>62^t zMwW;tK{sgu4F6X8lPoFawyW>gH;t@_nbSiJ8#;;kZVi;Dl4t`Q-YfaeESyfuaEyh^ zzA5Kn`JC?zDI(6UA!*?R7PpF20&JY{&F4R50NJJ0NlZ*Bx%`vsv^W8UNeiqHXN~vGvj1g`Fm0 zfeWJ;_`WO^;JE*NGi2rEQb(`CWvnjzjmb%A`>KPwoQk=E)2uZ%_#zUrU<~LxGlT>7 z7|(bCUjI+2Oj08mMx*1414T6y96R@#J-%XN)4Km0fTO;lW77cr&iQu4FtC`my?9R^ z-cr-X)#9tcqH@jYMOd&)9_2~jsQ0_KE7yz4{-RHF6<{Cf3ZNHEPpoJl0J^k}Uo;l6 z>a7k13+`~pZrXVU3aI9giX@-oi1n7xVgF`vOn!PW17cRcfNObh294}t`f=o6AL49A z3q`Y)^2xHkSeYy#&FH+%P`4F1L`g-{29^zU6{W8sx0#iE8tFnQpE@hCpgCe()rH2Zvj|kC3XrX9n{MUNj|;80OG|cnxdH*6i}wcZJa3XUT$+XJW4$#r z2&)e~RVKvVGbd-!LLnvDc~U7xmU$edG*!f=f3F`kkpu7B6m(iyR4s`>%a`4_1A;~-1894mL0MAu|x?q;$$HoECvl_bV6<&cbQ5xsZd|X z{H|l4w!J@h6n;Z+u0KZIa3tn8k+`{COmiAaQkd@`aY|SIpUO4kOj|sx9<a6oo}B@RuE*lnohepWc`pV{B_Ze)mQUndm!h3UZoOgK z_p7XQ>KZ+NJLec$&#c>uTVuC(THmb7q(SX{e)0Ov+7+M}$ClKyVg0=!NpWk%0gMGL z*0;1okAFdJAXXjSI7F$DkG}@_d&4+!;?J+CKJ22p3P^w5BqmIcl2A-a2xwZOBvX)* zl(`5Kgrr|{k04EP_uXyV-Rdg?bchx5J4`U{p;KbVD`YdjmbN%c>l7(7f!M>vW(iFG zV2pRDR6>0z=?k6869Z$(59r<|A&&bU0rKDs%z21GFnWn;}xP(d|N#-qdn-= zSOgg-zDXtSf~M!^oQTCI^u&vI_MdW32+q`B}`I46+e@kjhWE>RP zdJ(xW1)-I@SdlPyjB!1UVhnF03<^QyJSI42l?wZzAY|inaDc+gW5*{C3<1#><|})S z63`++C-G@4L5*dFSu@<4%+F{qN*S3>m7hRGxbTTS9oS<*D4KaAB?OXr4X65EO|A5N!ssbl9_^^Waa zA4m=#SiKf(6xwr(*Ngw)aD|?4sk5J?B6Vq+-bsZ+PZa6!4)belhSqN)*0=xHH&|39 zs|fJw!GG_W%gQ?wS5P5rRK8#e$0;K37YspRm~V`~vFAZill~{4G1Koo;?k6V`h;jOkA@`2J%D8WZ>>g(VJ^mTwjl08)065E7pS&6JrUNIM!&7^eoly4%f@jW@F_I#Y{cM{M)Td|z%eL1!D?J)R5c zNp+Oj@r>i^p*lEx(R-Phtt%7Mf(E*@?)kI+i;s+xbtreck+U(nPTc9aPSt}YA{gBU z8hmG+o!xK4;gOqRp>4&?PCd)OOV05;t7orQWOvRqNs-usP1H^wo)}7!xeYF=t1WB_ zil&{s>rE|}OxH?gC6xk&$vYdwK6fZg5$=4DQIzNv>%?$Ep0JjAw4T<_OuG1s^TYKN4Wneoawt=qY!1&#JM`npJXxL<^UA0e}S zVw?<{KNrOa$#`Y9eNF^ELffuX0A(r_Ye#uCTBJKPT6_UwXN>=Xl7Jempk8Mz?3z*C z*jo8c&5~KU(s@&@TzTCv+XyU7BPej}=Rijk^kFg;a=MqkMXY*?M8$s*wx$$A_ryo9qVpV*K^ z3O2(WNe;_*>Mt`c$BZiyHgMB^r-S}E%OVm>WXDpfPV3c`^IzVt4g9g)lHQ56P+0&| 
zzQ<&j(8A46A#<>sgwDk5$lobs`$RRA6Dz{kbY#+ci}3!6n#R9(t0M$c_({2tXtJjkNNhoF9<^Va6Ne#n zuF@mFBoFo%lX#k{hMCGs$N@14kERU;w9ZF2HlBMRlE742?e^oY^+w=+?;ZQ>s!2U( zJGJFJh^H@brj9Fq18D)w#Y?F{VI`@iU)3A>3Pb@B=YjQ-N6UcB3wCe`n@N2 za{al)7r1!6vm@JE{gw@c?$?*}WaSX7Mm&y9h)kYpGrKrUO&gaIqMUEs;rYj#Nw zCLGazi`_HHOk43(oKo;Me3lZbTAt#qFtaO=S$sm%2$qoGxpT}T!CrUh!?EC>cgcfm zj$i!9i^@{ESYNZhtR);v4P26nhF9ic%=VL}t>P~pOHTUiJn_5wo9?Y<3Tu+2l-QWV zAI)%n2j}@p%fX)T4JUl3tIfxgGjZbFTUhFK`~BKMg%3Ek4VLrHv?q5kyeYK8 zwl*nAw5$*cnS@jcV|Bi=n-DATtNY)W%JhK+&z&}xi(!5~I_BdSuATXzPwgd5W8W?s zl|}p(Y>OkwLB`O>@o}EW*vjBR)75sg>$igA6n$f5fyTKgHg=eC>Z;B>sCxg>$FP;~B*0iTS?L19S@>l-?f@u#%kVo-l-TDP)! zD*`vA-o?VgUe4z5xm6?4XXZvcpk(PaI`LoL(%eQZl<{x`S2d*ssZG|0Nd+oQEhZRf zj6R?3^?Co7{iKG#c9Tk-EW$QE7?I}n0Q2?@UI;HSo5KsKfG6)PO}iDFnaLbZE!XSa zN4oZ9%Pb2e6DH~g$=`|{G*n_pOo_j_eC?FqUUr}5q~zT7@76IqMcNJpBTKgh6JZ-! z$@XoQB5Y}3Xu8&wK8IgdS96(wgWL_2c(gFhYtAR;-G?)+hz1!tVlsL8FWu(kK)AT^ zC8XD<9+pSaBR!e0FDc=WhLV(55nrhPTQfWd$&SiAm%ij(YhGW0K0a|h0<1oo%t^RQ zA5QitLg2VsnQqihYYrlkfQwX6P$|xNgS*6)t)Pfw4dHUszS zc)mJ{4E6QVV&M6B!r4%sr1lxmjQh^~eiwSnsBeKIa7!}NMGXnyX{N}mbbp|my!zJc zc4R>`AUr7OY3q1?xA>tH$GDq&^yK+ob?Y5apFOSHT?04%`kg}was)>jan~qRP{DA> zw(JSei~0cL|3Ai#C7+>>ZY=I45GX#9FpL(eZbJ*_$4jX;ZtE(u3xnkpAxe{7pX43) z^fn^(cr)(%t^Mv7!;dM0aAWD$)w&d>w;38;>7?I3A^tf8634KBT@XgnUMk-X8VI5V zMI(JV3`ht&C>5!faOL_>q$gd+%$03_*!!SCd`W-%FWRxg#p6ks-@pJ3Cxyv&nit`F z9jj0L;fvPkX0XoEKpCovg!!e_81JXBVkbO7*Kcl{c-O-;Y}A4&C_BA$H`rj(&S z;Q#O;W|UXQS84YEgWKyaFK;DY9$XolNaX9I!)>7(I+gpc&*YT4-8kzm>?d_8L<{>2 z$y(nW`n(Q#2@Pui@PE}xK2oz;Tkz2SPrpbW2u7!~Af^kDEUu+9RToxNNCV*klgJdd zW1|>>@j$t*D?Q~MPp`5l3{mS7sR7WuIni$C6F;#2F|&Q57G^YmEpzHEd7SturIOWS z{t5|Vk~Ts44vO-ki5F^l?*U&e^S>da4>L$2lEkSrQ2muL0;%OlX&|J{E1sdq;M3PM zJ|Z_K{QtU zhr7#@X3!*#^wc*A#nVn#P8MhH#vMf8CMVX4F=GXrOaB~#2<7+D)&4<8H~|jG`;l9r#pmF5HcZO~ znCNSgSyANtuYastny6+v>X$GlI{nJm)u078Z^1a1M%ht95qTE4yt=qM@+c_@KQl0v z6~F(P@dUFz=DDhTzE(-&sDxc1x_L?L=I~2#G~Qc1|J*t(9GG)&Qh^5n7uB#zcZN~f z9jg3gLZu6DM=dnRgJa4KvIR2s<39ef22H(&DPe 
zkWpH@t>Jk($4(<+N6dXWnr$O)QAe}J38Nd(BNLpXPO$*@mT6`3+g{=!d5)2cG3;CR zJLl+?Q0M}a&(WW%I+WmM!bSG?dNlk{7Z0i-qTGqpLOdX`6ZHF&kW%#S|Hiab*8f}| zSCts1E(ckleFswNqb%wrp{gvXj7fjWxK!~U7Ai1JNmP}umj_}Yd01wUSpB(7>N!sf zxk1C)eRrxpZQ45fz2&#GCoGw?EeUtiO?$R}x5JrYyJ0NeY=#3Du#qMV*HF(oJ0IT; zw^|Pa?}vrG4clcKfYo&M82&t3<*N~2&{43|icRy?W1>2^I~IM0|KmsI80bY)Z_C?N zhl$r~{%w*oi^*lP?Wwb%3vW_c$t>Nf1x6!c9f{m}8-H>8;-&Hj{13C+!}@KG{+CMw zSF>Mp$-e{oby3jUhXV?69;Cc#xWmBDT8W}R_#^$ zocN#1{dGj9d#nfYq`7Zs=2lykb2$5_XL5Ef?+1<-7cCbFrrFhE1Cd}{`CC_mv$N0n z9V%rA5NYbRaox~gwG!(ZBwQLJLsnX?H7lL0e~!*MF24)WD0WV=b2?dO*B`mhn7U`36 zF1(0I8>aU(R96WK=g6`&%O#l*=ZkUAmXeKJSb6eXxXy4wE^YlWTA`!s)mih;ipi@f zep}!*mk#5A$gxY{WJ%VEFI^9Y>C-i_G{#64E6p-QA2J-Q7s@AAQ~*zMuAW z&FqI+lDc| z24}FkLN$|J<2E>Qx=%zIfdYrOU7A+&P{{GSU!Fq`zsbpM+Q7%p zN3Wg7^!qEpeP$}wdK9AvL5Xs5IA3e; z?{&)=++LpYeV!lGv98+WMsJ@E?~QMC0NMQ4)DnI-gqg^f2bwq4KcBpLI+veD2K1k; zt_JRY-)i6dmXCd1SlElccU#_FTv&V7?6Bvo=0rXOfc~~=aJF~1WLEgH`trEBQ~ZE8TXK80cbot7DG%VoL!h6PL&(3n)>(t&dw(Q* zYyGIjSTg8u(sbC+RkrhR@k1+bq~ii>%hcDy@8vMnep27|Tzaznu4Mg@f)ztWGJ%*_ zBSvFhf{f~`E}Sd{({9qn3_!eBO!$pY(hHFa4Rhu!Ky?JWnD=a`X@y^O^E@UVZZ4@* zS$+$PTkSzK%FhP{Qnx?enw3?O-uzUrE1IYixZkylh4)-Sto;%~9i6O=GNC3tN$^g? 
z$Y*JsWZ{M)nbR$mrUU)rVU3NE#VO`Q4n72?P?chIPXow=by3BTW}NtO_b=^SV}g;K zxNXu#Awsy7hO^MQ1$Dnc&yiaT)Y0S2?UA3%BygDSln4WvVBVs7XN!-!mqj5hpbWY* z2w)))y1{TxJm}Cwa3-Fa_j8?Y)|qYo`*cnuwWRB-Ta>J;nymgrM8I-G6NeIEJ=eDI z34YIof@-RKKgqQt*3K*``@?}D`zUlNCfhw5zpU%Ll<~99XDd0ZI}%eTcKfunw$U|E zNpaik@npVEQCZ(!Pq!WEH$ zc$MmUAngGM8CX;M&ofP%WLnsfjCKK)CDItDB>eA5vXsb=wxSXc*<}af0nCUyX_;fF zK+=G8I2u-N=osS&xE@vEq@giQ5wd~CF--STRKQtsYbZ3buN<*t~Eh08Ijx^+BA#o-oA>p8`D08Y zUzssID8so7i33+7D-+Cks?8Ci(OdG-O}SZT%`&@0n;PPHL;pmyE`h)=6<$8_CuCI@ z`h_Z^K_VFi(O*Z|6b%TO)Ju`aX8=BfU8_K;cy@URr?P|SMgeTC?{kHB0c3Vj5WO*< zAzCkF5+yqrNJ$wd3XpL?w2WhrL$Pv$jVqCWkVo{c#o+r^%}{chgIJXzspPj|9&qP(UR0^#;559-ov z*v)JC=e&ZBJHBx5YJS*8y?=h9d+2{>m2Y?!7vhbGfBxRm@55mo3Qi?wD66Xq8a&ORf%TTB_}~>qj%eNQS)0rxhKL96VQnf2VwiL&#-W3 zE|&^%<*W5jj@(m=dPsELV&sk>6S4Cs_t;Mq`#3QKW6QxBJc zdldp_G3*1mquc%5$|cwWlrwrm;=-!k!6M0+gZ?YCM0SOIc#kXO-u0n?+_V%;i%2X2 zuS~;3K}*H>Ssn1_+kfnX()*z&5l0AQS!#!5L4U*$Hci2M+SH4X%^dPkRZ&-liE9cz zTfneXomE<0rkKyv&Meb+LnPwmcMx2$cnc$PdVc88bs(M718&W)gMyIonPz?9x6ar| z)U5rzd`+n%_RH|f2Muekm9c(}NUypd7mk^7%{Jy{3dM)n*fz7X;7TwdiGY=b0G)^G zS6lOs8Q6fGxXTFWk_l1)|*P)zi zjCG37C2nq?fhp)0X7ohWWZ%jDOUE(-Q~Ic7^uS=?64|TW6$>MzFopwbM}9Vf_$JCqbw6FheDSw;-7X0n%uZQkfqQMXzkKBd^QuAyhHoM?`brrN0+2e|nKpWnKZv(G)tt;^X7bJX+a(O6u7LxnM+SF_BD8M*Zr7N%h#x00D^cy!h8v;?zvZswgb{ z034)WlX9=fE}j0fUlba?pwb{~@b;dEq~$WE1V_7A6la4pQV7cAkHQJo?(y_xHZfTN z_639q5!e=#EtWv*Lq2<3be!YFTh#`1sS6Oxd)0u!j=$y8WZhQ{GQdy zoC&z9s_c}aPqw&__6+!A4d{3O>Y<;RleR^b$UQ*(^%=xp!8+i%-m}T}w(|Cb$G8uH zGXB*jjcwaRHR_IXKApqJ#|zK29aAaNV54@V9cxhN2_mitf1_b^@KHMi4OeYQlP08Y zr4KWC?J1(>V)3P938Wc>krC^pRWZJPwxFN=t6vKt{nW{b41e6=ibKsT-@->JF1{&g>Um*mauFN7(TA%rr0zSi*~ zRq%f^=U)g?$}wwn8exZ2%cH(WYZZ|U@Df@NAdn$6@=?#@rzDpik=~?|(HOMQyh$~p zr*M@PS#o)ZRwV84)_PGoq$c3OK)&*gAzBnsUx8oNlL^0iDUsE zCAEmZfUaE9BdH)R-9G9M*7(m(sQ-HPgv~;{ze~{MA~kX-2yH$j=SS*s;)wb!@$`f< zAT{id9khy@Uu~x5Y{9V|_0@%>}fUL!BxD3w*wB$w_ZRcExwC;CGd8F-DKW=BaD!OUW zlo>q!on+tt4ZyY|t%yPy_nU&pB*A;JyU7vobVKgeA0@=x9851?3%L1B2ISdBm1xbD=q`R;d@6JaNds~ 
zCB|)J7UCg2j)m43i@ul6Qy@_x{SDZn>j%7Mso<|D)J$2Xj3&XoC8o}V$#@Asj%+5) zQ52a=73o9zD{2q~n2y#%oa+!Ib_*O0rX<3$*=42jo0zImSXA~bHymuHRUKBZ{-L73 z-k64U9SOw^WomK&@h%UN)2u7>af9&O@Yz1*zSM9|70oW|+-2Q?J9(;wHGABxO^R^x zq2U(|=C<0H=%6sPQpLRZGIBS;@dhKMQ4Qs^=wFz{i9x8#G|nZ`tv`d7(XWL%r7u5> zpp10JPlZOn%P_djZKvyW9;~s^YZ!3;m&B-p@v_`681-LZH>wHE2*Wu>c|L!Cd){x4 z|4Ua=!D$0?I!Dg&z#{m?@XMMn)xvu0U0u(YPMHEr=s*2kBi$gWMf64TfbIl2&>rZr zsvLvxhQGd6?q~*^EVG5x6>lWaCfy+{Cf5{W|L>BYp*!;}86dRg>9RIb61vvDc=Wh77kj2Zd|J@^Dt;C!-D#DZyBvBYxeDmC z+SV+1xOnNPY=eo;;a_bkMUw(=c+7T6y(J3GYa@_iayIOD@JKY`y0&}{dfeOR+d!5t zdAL5momYOWAkcp8;P1TD*@;#D?L+tB1EF-hI(aG*jdTievD%G9Tp)>BvZ$V<4na6z zmC^8m`Awty50o2S`#^O@W0taUt>! zaZlecHS`TFfw9NryTq6h8KjZP$c>Mfii(_Xx3Ueo%%upzMaBv4SB0WFAktAY*e9T; z))X}dk@uSlD2;uNHym-Ao2qkjB8;y%glGTyK(%*h4i^MdQ}pqT0Aby6=&4|32S!G) z((0sP#8a^Adoj(flA-DesXRALtMi%f`L8j50OlWUH1s8zUwgJwrR5yFp4=!|{Z@So z{eGR=D%H#y>ft3|MUP4wYcgYzfn!jV@DQ~wC;BTJwQd>b8nG6f#g8Jsz^|G^`719Db9JUV@N6+j+6- z#WiSgx(O5m53CJEgG9I&VM;xDehMJa=XuAai7}v~;-ckyP`Yz`-mm;XDk4yG`7!9!lL`#1+jH}h;*%rXQMj~* zybknrpN>jhey~X0@Vr%V6#|*|ue?Afy{Yz6Y&2i+z?;6en-dlY$!SJ}CBi~e&``h@ z6i_7DD{sRMz|=6av7DmIoS6n%<1Rz2%=2OwH7tE@VG!(faQ4`sDJaQYZ-#C!;$#DU?6q-p`Ke|G3%U**YtU z=$hF6G}2ZasNQnpYRHF|e*L@6gSbxLrb6Cr`q}K+$F)4mkYY;<0U3R!^_Gvr%$bE3 zx|{qwFXiahgZgmcK>tMHEWg}JVk3lKO+J>y{@}} z=cl{t*((^$ruTsvOPt!EejH3!SV%#)Pf0|Ofu^rJvURUhB_JQWa@QAxFc@k&@wz!y zbZPB8yNzjE19UzBzuI{5kA_0KAme>nj3rz$e^q0#VWooLfY7UB&m5v>%3s;5d>|R~_c{*-E zLwI8Km;K%awhUmeIzs8x*>yK2GU{9xr2f2BZY#4r!e!ZR;$f=)q5ML|?Y`@hvER{t zY?ppT-fnfgN9@ww(=7O9?*3_R+1{MWkQd^wK*W5Jh2N2-2%aioAAEkgn(VxPy1RI) zwes?P)XX_@>wLa`*gy{TD|_8JjU@y;#vs3Px%?8>0W0~^r5YLAAY$sJVlCQjrJ{x; zoVB1zeni5^T%#70{r(?s>V(YZBU0sJp{WCJKM3jsh~-tDhLP>(XPfJ)I!ka#eHRu%PG%zSKnii{>+<{4+;wYb>c(`-`Q z-=4bFQP?suNYlm4!Go6Rx?FlBwPhKm{>#-9Ltx(kjm6 z1VUIz%Jtw+33s!~U`>yq*K<3wmk=^x*6;u1f`^q3LI z`bn#Y;R~O)WA(Sk!NdFc=L6tE?$P4{-V7nZnf#4;ql6z<&g!?xy91P4E&nN9Wb!<5 zprGRFb{?$HgPNxep~=^r8_f>Ul2EskS;@*S>$R)rE$3MN7(^}(oL@WD1K<}rR52>m z{0W1_0>Pfc 
zAlwPx*}J2r!IP*=63mp{JeU%p+FLmuCnoJ=J?({G=kasElkNkH3(LLNj}D_>G_CGJtZTl)bLw>CY&A8whpBoZ?8TQI509}FYR=yOd|URZBL#U}`LQ1U8PJ$}nP6J0ZcJcYAhdt?U=Y|3kgf8Gr}_W!&33y|smgQytDz=JXh37Hc+UO5}-I z5QJ)dHR(jL#rp(T^@Y@xS^6q|uQiSruckj2$>S%>F8(ZUnk)Jz0QlmWdd!K1ON6Ix zKvv3`!!l&4`~-vYB-QA}p-ypVK?nI-0CszL-DUpss)xk_A4!6SPZxp>d&6gfX(X>* z6eN#b6xl4^3jpQ3kLis(1@H!88t4Wfj$saDZ~Df91d8A8YJKHNtq{A(|DV z9RVC0_&6!bJi?P?O4RHvb$CKHhslP<4+}trGrk>{d$vU9ORv74dBy4A{6hl`rOq-s z*9R>l-k&XJ+a}}f#W_cVot>9*f}gIJ>nn2f0Y9wI07H}Zeu5nbz7_lc{#bzTV)b5> zeyO!jGXN~I6@*-zk8u8L+nLahL5Lde4Ch|{kU(1r5(8lxn)oJcdlb+-05D7P!w~Fm zlCzg7CVbVUx%mdTsQ<($$xs+I+*Tt0cJm|66l|XY3idXx4i$|uJl)h4A{|Vj@TkmiSh@5ESA?dy1-y@p zdX8&2bhR@wYL+5b{SLtXxT|mOQt#SxdiindtZm)Gr028{_t#2ngsZ{pObCu&LI2Q| zI8$VjKcB5G%&q?GsO~G?0g(wl8p)AfLLhRqQ`MwhN6d>Zl@==+86phycLY|F2iX{H|8S2%rXfj!RIlNW8vGKI};(-sdl|y;F07M@h0^ z)KSfSriwa7RjqojmnSV-m7Q6>O@c3ia9&9Qf1El*DPSR)-6a(qXfcRQfOStIt3K39 zfUhmoI%E2!Qd(eT647pGsyp|!>m`vF4D_r2&Gax=z#$-y2Nt4(I9CB0Cji>CuQ4@y z!UgWRQu&AUxF$0u`NotE%+cy!21BIP_|0H9^W!MQrx$)9KhppGkE-)pi%W2q<(#mc zb`hl+RCbvp4{3>}qXR;=392TOQ^!|B#L;htN<5XxOt#HA4 z>yV6Q{HTP#nqdH&-P?(v{))?nng2D{>&$G+z71WX+Dqhlm~rP3S^ow%ws+0f-J56h z@n$A*bvfX4S^ng?{Glv)uY+`}TQ_q1>gwP`_;>i;8b83-``hxOe5IA@b1^m_x7e*; zE{-1o`rSSJLd};ydVHN$qZjlvHK3>Qh8mp|74WT+H&AGTi_pk)RM}`3p|||11(9Hf zJU6Lc^Mv>ID0d@qxsiRBR|;N^-i>m;1TVnd&cWPmQZ(PwJi`5{ zapV0N?gJyhMqe*RJ%s4TkT00eM8sNmKAd#+e+Me7aY$#EzyrDkVYCIp$ha4GK2L$V z^}2GY1$^ms%w%$my7&rdigm(_nwNjhct~+R05kk%@Xu+Q<)K(ugjDNZdb^Y3w*j5W zx~}5|4H29fY6Dgu-4gO-b};k9)_x{$Ph2i(GN;`h5O(@q4O9?*S~ht4{25JS58o@6Pk!cl|`Y&GRGvLcQx(i$QyTeuK!j5<@h@U`=IX?pV= zdXYj-)yNiBLY5-8LIgOL#w~@jsgxwXdzy{I3_l;Rr zmme4;52G3ZrSgJOZ-EPv_$A=Fo*qv542C+A%A~_#?++V=IWFO%261x;xNVXIlo0Wn zdNPduidh4cbws~xhS5q*>~{m%S|kq(1odXS&w&n^tbJrC5)s9sGQU+3K}30+_0_-(l$d$Gy~Lbk(e{Wh+9cY zZfioN1poY*T&@yj`xG+vfmzwZVi1YcZSZSpFl-yTpLh%j$Cw!s!HQnzmlMA|U zH-Vs`4o#PIv^T-8+oLm=wjzX^Qa%&h-4)Pa+x`CE1i4OwJ?0eUcxtXYhFrcvr}mrF zCls3`aX52iZ$DqvlTc9y|8WAkBJzqz>!tvzp5P7GfY{| zOUW7xTNJ8U)g(^Ts?KN*mAEUZF9T 
z=ubsP7sg1{E)zBBf%g_YNk3P;RpG z6JVj*PtbRbGyesFt>D8=Xy<*Cx!?D&gW5YWZ-EWXMbmK2c;XxkcBAI1_%W@R8m+Dr z*+R^RO3v6=J0S0-U@+x>BR;ZFbEH9Pcy-|xdOe4Snd z@|~tvFV}f`LzEuA-Z=bsora9-BfaT*Cgpd0a?o-O!fgv42QOL<8mHkJN*IQP-V3=i@rywz#1s zXRDz5NeG<-ZS3>7^=yXbJ}u*1|`}EOM^8sXCwitA*51%nXx_ecXqVKNb=is#^>%U zW8NZ%0H9{FY#Bp(Q)deUA3&8CTCX>~r0(g^Z%F>K#h1s2tL^N1>Wg7Ce<~0;y`_KO z96Yi(7T4i+>2))AhW9ZQviE5OP5nrnrNS77l8e|x~H{%w=hAe_ve%cPNHanHjIkFGdj1KQF-|)>y1nD7)ptzlyaue21kQuu^a-9?0@;h z0s>v#+QPO0<<6OF$^8}R-L6jDm(&aYsbPpMs{$Y&r zhw@CkX3iY($~Kh z2th#g$u3xE)y?;8XKDOLB7vV{H1s~GBpimt(Ct->;0UI3YPW#+Gf*&@>wo+?7LAgn zMos|YPe}2yJ_u4S68(F0cvA-` zp)eFG<>)DYEXjR)ELth8U8=3PaW71t3bQ(JSQ4BY8G5w96sfFfYh1e}FYfrtI)8l< z1CNt|Y|7H=cZA0Hh`x`Snm)Mn@}$+_IZ3!h-ha z%uM<7B9fOmvBD$re{61!NfV_>Re1{l>iwcaw;;2^gm(>s%{b5{4*ek*LH(m1wV^0W zrPnuQ5tUEqIweG7@KWJ|46svW;g`2?(Xpp2_%oHS@N1gN!eVKL2{|VEJRZOdTRvZ-^L@9qY zQlO46@(6I42&#abuvC6%0d0Mo9`imm1v<5u-5PQ^a%)C_R8a@#IBYdt-I)1|^OFm? zXv|=byRxa+^3Umhw;TbnXU{utMFan>Easo|=YH0MZeKijamRju%QcFR z`IzZW)*?I)>dqM==vBgwkrm&88ZwVU(2s6TF3OB<&$;&kxbyEhU$<9Q(!vx8v1CT% zvmxdbC6ae9%MhS%SVZ(ktLXU?{moXkp7)}kG;=00JBRjieXnf27y+GKnkh)Z@6tWJ zN%hupmqM=^I6W70I(=WB6guxzn|_>6R_p!n@%HvwTSR!6m!?gws?U$U>e)S$jy`90 zUPQgIRCTe0S$VFq2A2;83^um_1Qge@Uv1yzGW)s5rZC$ z);pHD(Z4>()YjDUi=8;za|}ryl|Zg#nH)Dt&^3g6R)8U7o4ðTP$qs$^WbQraF^ zyO#n8>lED}wLDMRNR5QPxU{4&w1J({=sZf@ov$W8!~-+V3qD?Tum9>aMD;30oA`K$ zTi|{=xFH9NumH7E}=fXo|nBh0Exn6xi`Tz<2W?pr0tJFCvW?4og-T)lWDmyqr# z>0o$!5T}FSn+^Qr#Lr~2Rq9sRiE`ti?1h#}n^)*7>%*qZIqO$&teIY#F5`W(oT?lc z+*ESa7OUE+`fCtu_ZnkPai4@xM$#FvQy z0;vz6MGUDDsYuX#3-TWPz`tG*PkMSzG?<6;ol!%NM8am+h*U$XS`Hu%Iy?GpNEw<0 z0%@GwkqzQ^EG!8aocrh5tzM6-lfupj^IwCwHwR@7?Dr#`oEt+}&i&V#?1tsAiSbeM za@;3&u|3u&N7fh3TTc4)=h6mqR|9KHhkkr&lWRFSZBOHV?%r#@arVp7I0IL+;-iDx z)GPQU)8Qz^$ArHhR~rBBM9k+&sBKosXvhjcsN_nm@a#4aH+JmT*0}qNJhp9~ zhr!4Ef~kT3$5ah{a!yZQZNpv`+4FEq>routay#((;%l<@;U!U4fp-^X-_F{CBpKs< zjoB}X2et0(LL zH=c`rZu!7TP&ch|iiaUz@@PKI;@H~nFD63vU*3_UFcwHVnc8-!@kG@07u*ia>|9M5 zmfK?=WQQL+T91nmfmCMGq{uqdcN{Hlw1bdOtnndytbf5j<1D4KQ=}B%P?JBJhq0;l 
zYI_`$U9YCY_A(f}rFPQ85wV!$j=|qIVsWB@x@DDI*$W`*E8A*4Q*fl_B-vS()Jv%M zt&;X>n+`=T?TD%A@sO8HAnb4vm-YXK2vLT>mk9g1P9xA__(=O6s2`cKnSq70Y3d^q zB^@Ib&WtLv-M&#^VP!9hu~OrP*n6w~;lFvD#=x4+&A!`3P^4n)t}2=wW^Jr+QWd!| z9%@L19E<&-{|xVeCEUKsg(=C+g<)_pa}I}DeT=&}vu*awW?GqPxFw?HRz)=Xj(OIGJCxj@?s0&7Ahrv5RjT{in>U1>h6RW3nS^CyRRksDOJ(7;ulw z0kP$et&#AZSX5Nui*yVSMOx+CI-08NY(sm}A<`x7HM0%$TcHi_g>|fps}`GUP7m)D zbWk|Gki0dgKw|(NjE-FVtEZoD!fkgA<@4t5xF$c_W!cYmkm$V9-eYA`8X-FX<)RXS z;oW~yIIjL*$Ym*pIJ+QTR*Ng=;qlZ7cx>ycX_Hjs7-@FrP7C{e1im3Wym z9WHLj2DC-$WRDgUbKxonHpJB{#GZQM^5LC4cP=-4H+Mu?!Mx9HZLb))b|^zjY8Hx< zrnHw!XqP)*>Q!?1W~s|vM5%1uvZI=d*Izl3zv_RBF%%~MoAT`lMoPY;5C#pg8f>cB zL4l!*Ww)NE?WLX59BA`~=SCIRA?mLGZd?D2dsjdJN}J#xCcqwPlvK{f1F;cnuqi-n zHEZHzH}t#j(;UCgZN1$P+x;#KYwLwpf-mq)@A*76yAiP!@%Ii)qZ$vi+t#BJaFvqb zI0k3zg3zoZ?K-tygR#nP0lq65yKQZX-7{p9)$H2|2sX`vYU8nRNpC7B!&4R`y($Fo2|YcuuK(7XmyPhUD4=F?t> z^KM*L@7Qa#e**T8y)_u`*Gz){EWK)6 zcr`ujG^?h;REoil;ToDKWKP2$s+VcZWqji4Z(|LC@c%%vAW7)i=u>O{PZF@R!mMF9 zq6VF%mBXsA6isjh2a>Yo2Y=E)0{5S@wv}&&P&<^Z^}i9>ZYWrbTUqJaLX~&Sc=HZd z^L1g7uk`7uleL}pI?(%a*M`f&s4pIRKC~cw&-r_g>kL585KyPJA!so?!hWwY328}X zEJCD(Wo0WO6(d6Il(fZD&9VS`?H;Wev(2Y}vrA7|D$KcRZ|Fe$?*@hAadj`~>khpc zYXDQM)jW$iy6y52Pn&yz{j+)FC-}@TL~{8x0^I$Aq2tDGs;X&mB`n2php8OX-hrWQ zGTe5!2wxBukMA1hp*@|ghhnH!U+XbBdWlU5eE~Wq^NgoZng3YPo6TaBr3!&bXhy%u zEaJv{eGiwOwXsttv)sVtwb9KGOuhTi*E_LQpYwQ&Mq|Yu)D*BQBWrA{SNOdfl395SwOdNVO_rzf0zB4=;Lo6JOU}L6i#k z;-xNCwFRdhWBFNIg<+MkrWQ~axVoFpG2>FiI(gX=BWp0t1G|E;9;Q7&QDcF>My9oh z^azB+tXz&`43LzzRD_>9i2hLS5kRB2us=jjiMl0cw{4E5(eVC%$giI^LWt8ml5|?g zjadB@AOvWwWHUszSG+9#z7>c4*w-(a3$v;skG%v1W>@)a)U>wI45S?MV^VQJpLHFF z0$a~T#;O$wpi~m)d2n^MiVPA%Jc;vxYyP5CM9%7QWJ|{9;GpRuWayxvUV&|!7#)-` zR<=e{q+C~&E-Mf+{UY5LtKn)dRu0cX?+P@a5q} zQ8Lf%1KLsf*e%%YAc94HTrmi5*P?QMMLI6j{&`fH4gkx4Q5R zFh?D#P=YU1SB&w^kz%>Pf_Eb>_s_mJ@-ao`hf#!MOoPamMh+sMS$Lf2py@-fy=7RfDXgJ{M8_71YVi+L8n zoTc&y<0R5>YSH$x%crnNxr|N1>6(FmZKq-l`4{Bj>>Z#hiaAScdD)7HV<6yY1HGS# z&H%acH}#db$hOrf#zGZi1jcdNtE-#)-+e;&iMGD5FyYF%)Fs3mAv1ZAszn*D`2Sqd 
zp+u(3&Q8QT0!PaMxL@pMcIqJ__@L%apz)=-hZeD35ipozYgi!uJt0$reC8HO3%mzs z8$Vq4)hR-`qCy=cBfCCh=xo zf+nmaL^w@`P5ct0hzUp8tmuNWDq00c3mS;MOpR-n_%Lsty(8fPO}i7zFH$8f{ih+x zotvX7rWAxu$Ch7CjBrA4M*k{u3%mu!#LVl_e0e`^oX~j?XT&Vf2+s|tsZeRblF>#f zYN{1YkRPeY`2P9!AMb93@MMswiGz5z@Irv}Lo`gatwJfK`E_tj2pNNMRhtYK2g_^5 z?CRbHvI%JT!k-g1AnG;J|C|U+?K08_kMxlgI4#ycJD zSK4i)|8|tvRw2MtGR#L%UJ=&{RFKTaYDF z>7LvuZ}tj8vN{|a8v$KB`-<;49!c6?5*3c=uSXJd+*Q)~3mpj|N>ad}BG|oDxr<1x zfjhzW3(AH|p&s5(ID@BlFodXohLjUAfLW4`3FNsA;vPW`Y{Zgh2Dq4USR=WF-#+@J zK4E2!Dv*-b(o6n~%T{Opm|opEHov$NrpdY-$F6Mwchx{{3LjmY*_g>()jD3M59HZ& zwB$JDc2evag#~bSqw4=nXa0he_8yi+U7ITD#N+G+H$wgJ!FmJ#@R}`bx%jEuL0vjf21m*}T8rZ?JfjcUnFNG|)m|_5_cl~LYU|CyIuvuFQ zG9n{qH)Z;LgioWSU#h1y`A@A86oG*)%ikV#B+i6ZX5K(Zs_f7+4E0%Ys0d$y9uOunx}^ErMxc*d>b+A z(&*PnPC=mRk$-!>}AJ#3~$+5og{9R=Nx=Iq!daa*J@$N~Ad%Ogr?s z+1S#1Ep;B@N_NTBw5RVKINB1E6ng%a zU^)Eg$SFU=R3^|6KV9h^|9IK3Qd3!Kh2AUV}$(!fXC;oPO!ih{Q{m%Q- zon5qO%!{-~ia6d4l7j&FdGRV;stWFyy8+U`2(m+y|1jRD8rd?2E-Xl;iJHW$)Y=#- zNxe%@q>8XnT7sIh-w#I(UxGZ))hOS9$M54m9-82g??#g()G%-dN?^Lc5G5$!4)}L` z_sc`rn25X`*#6d5#eZ?))#YNS(skkIdjByUQA8f0jCBIk1lI_OA5o|#f z7_c*lVlM`{L54!}-z1`qF6?+}I`U#LYGwvlRb?o#L8a26ugR$4$6+XyROK;u?v#lbT@oJw}tA_wrQ3WK@~; z=K`yI*;l8>+O;g@q#nED6rA;kZT&WfmuSvT;xSF6rjAVm z7Z0l(WvQ7=4>0rnv+2$9^s-!XCSXd3$3O5;8}X5r(#6t~h|;%_pU0#4)mgw>xBRm! 
zFNpMg97bh8I4H7vB)Qc2VT~YOL3F+7{cJZi@?-g;SWl1e$qLTh$$SGm} zglY#H)e$F7m9enBhMzC+Qs@)Bl3tL~Q)dpk6xt0Xc(ub|y=>gzpvr>Tr}qLIkdaNK z9a~}b0c0%p{|y$4MKwd#_+l$e5Uf0%kg^ELjDbh&nuIuiGAU3mAm--e+x= zNJ0W`QppyUjIDoL=yXS^wQEfl?jW~eU&++k!8$OS!xl6=L1=4I*Yf2 z!?EKKq9ALe(g*RFUIk;tEhb>$6c^%eBOrhJ+LCEeW!T~%5_++GG>g-A@h|F!883p{ zt9mN3O@#OI8+73k*nj3E(3S~v9_PPD@+j>M;iESDOzn_L7&Tl>+eJ;&_--hs)J#-4 zJcYBFzJ0FSApYOLQiV`rB{Riu>l%j=`O5EasU+|t?T6E{SO-Fc@f3kxWm{l3?#)~A zq$LF*@u(G4-9PgDhI%u$!x$-yhA5{={sZpDg*FZ$E|ApwW47#=u9(O-iF1Ww@QxK7hCu&eN*s}o1?rGT#=-YwZm2t z=n{|Gw#^kAquIY)W*i*4)B$BHR9bUcxzo)PS7^q zB$|uq7DEFsvk0%)bOK0zM+h8Pny6qj|Mix`(+QZ?yi10HEOk-biO^;mxn!6gsU?=c zqZV{gb6kkvDR=Vw1PP6x@K2o85y5C8mGlQLrMMt$A*+Kt(YKRp?i^*}$`CqnuKWxV z0Yw4(a>sn5NaCe=;bjh{-*kU+e5z(+jTvO)H=&07k*2dyIy9<<Z4{nSu&X+qB2N5Vruebq9n}9?FtfVts01{npe#yjo4b9>!PyGH zvUMHm|C`Rr@q3%%4F9_8Wr_%+qY>FT~8*r7h3cn~Q-OvwSYMMGj*b zNBYL%Tr-1U(>rnvAy&zxl>d4zS!-qzx}~Hs6|@#ag_obG;`)T9WhAL-tcOwT4rzLe zY?x7eGXj!R{wKs!uf40w=R=N}KYRSXuC3dVffcI~KIsU%=WD3Vgq>8ypu+%vMCS2p zT^XWsK+(FjY!`WJ+8?i-2p1>^BBt3UE9fgW;!4#(>uhbLD|uK(lnVv({x2C zJbdhN?ld;l6h^ibGg)ZUta(^zfl@Yne3%?9dR0EX5==L1Uwl3r*E#yOq5_ldtx8gS z?<1s|(t5(qJ+-2O>>+l)&(9^g|7j3x(BTIqw$+)s z{Nsr6wC{}s`Rg()PDJ=gHAzEbn~}T&7M!h1ZwK6a%%!ENYhI6-QLSz4kvbg`9qB5H zW;S7uo|%Mo72Re4985^?_dnDE54qJFN?%9Jr`J=qz_p^Y3v5%dz&#Zm1VWr3Nye&j4Y1b*Vrd}{wHs>&p%USNex*Ud!E&RE>H0`7c zNahwFp~-nn%B|6FBg~&LYMP#kG;&xWs8NS^k%X$UXR14lnVNjP%*b3}^hXh6Fg5%Z z;uuB|?w46mVGhNKBxx~-6(Ym3GI#-Zzj|4A%QXHr)1g3dqMYFh)tt~@uE01v-h5Xo zch9{&c=iM;98ahJA_rf073#m&Z zVS2-eVX4uvsl@Ss%a6j@b>49O2X&J&3o$W~03P5_R7K=PArkruo@ceTHRX z*7|;}YFQhZ2RkN*KK{VO7+!4}wi0?gtC_ieB5s~aa$rX2j`qkkHjqpAbe#VKz;^N` zog+?YWcGp~L#DQd;J1btSv}T5-{ql9HO#~fzI`J%0HrehF0+E`c#A4_sFqAxW+O0kv zy}qoituF4I6t`P*yk5SvZR+b~l`O)x3Gw}?GSVihu?^5M`MY#|heEBPmyp64HVwQ~ zQ_&r0g@zkp6|vNu|Jr)0b|?P=Yoq;VFz;VxdH)0FJ5*h2u@j z#TPwgZ?lxUcsFV3JmsilE$H=iaMq79TU%rp641!dLZm;qIHY1;@nKRueqTR}m_O5n zQuu+hbF^bsLx##maku*F!$cPI%dL#!569MKw#Qt4A1BsJLsA~?7v-#R>W4p0!TWxIHPGhUVwz1t9jcuEa(Z;r&Y|>zZZ<~I` 
zwEXZ5Jm-6ET!W)G;Riw6GwhoA{W!m}wnQ~P-eKfr&`a!OZ}eKwN(r-s**7QrkcP`W z4M_u>(tWb$daIw}m&U)uj+v0I0^=XmRsDiGqHZ%8-{(gmAB~}$Y)uKp-#9mY zQ_Oe0Dv<02dR&FQY~pGxAX2fF zLSAhet+(^qbVu`|JC3<|D>q>LkUABk?X{*4AE^Z~H{i;P)8Z?GX89o9$NrEpz~d}= zlUfpS5xAJi59)z6oY$Sopq?0Wa7nSZYF*W1`pkA?1i})rLw*2xV}$Gd{%m)0r>|kV z+RLpy=8+qJKlj!2>C=AldFS&)Es)w5?V7YExCRE%^|MwD*j}EnpKxg3Q+&JcLW)1g zm^L-we*xh}sqmI;>!isw#LXufnn~%6s(R>AjFtMB{&fbW^g22xRR@OG@fZTebpBJ8 zJh!&!^YnAvA(j-up~E!@(wm~aCLn{#i+KHXyX2x|&+Alkg58%v;z^ZC!As$^k zgY9@!O0UM{SM&uK8K$e(#)y~(?(Tzh!Uh;!P((vBHk66AE3hY)%A1$|PFziz5)SGS zQu=Rq7zd*ymLEbOfpB^6FT4b`rYdShM*m;CPyoimn-y*P6V{lN z28|jlj0FujrrOuWNS76EA>1t%gEQBS6KM2F|vJ>Mephxy+4>8Dc^EFseOX zgRzuWFl?TPjEuO>yIz|Gf24m1;E0o9!Au^(y|{+wsAI-oFz;(m$PtZGDn^l12zer_ zT5g%B+gYf?xv;Il`nRTR6z+yp3#OtBYdc-D;HDPB`N2irbA9}dGp(nU5V|YYKn}HX z>4!XAah>VR@L>T{4gjolq^+fX*F)Ae(g^Nu>LssYCoJLUam*Qe7WLja&@cU``RV@e z+W-~+ob|Bki|LQwRUx?>=9er~Hh3qQ$waovFI?jKgxdjzp6eByV^@~=Ss5?9`0>BK z$)5<~@ZkB>;#GHxUZ@l2{btoRj?An)gs4bdxxEL&e>o$E-JpLh*2cjgb@FSKn zj@zK|s+E?(x90~zOa-5}|J$?~hl^4^ALr$K(7^cZb0^28cr*5)8bl$+Ud$1X@O~Ej zm!+0>Pjr0Aqi$y(*b4`{mfk}X9)L`3&97M_V8`aajzSl$r-&gBq5xhVo>(IItbvz% zpQ!37eV=F0+4lpQ$?KF*7d-&-qUlflT+6+WXI6Y8p_xuQ zXH+FnLG+O95FI_sy>-pVUm<^Oii~KV$?$!0(u4{DmVsB|9J!H+M?=-+EIuTfS-t%s zqj=zJkisAxhwKqVl=k34az#%Th=xKy=^7r(5tnk}GN`h(^;$z>I)SHS=A0wP8phEN zak~U1CT*3cZP?jlDv`Q+ae_K&1DyJ?ys|~{^cz?7FNGzK!+5kA^U&aoaJBBAYY4o@^5j)W`s`Km zU=?+#=`)b?>zAY1P`tq!G`pi5zx9Lz>)++G&7mKB7LUluzl3^+5o^XXyp zjx*eGT3zKri3bX$g9ZvENcFXgl)q6jgLG)^{JoL}rq_BkzgaN3c+_USpdp!I@^J;Z zXyffawAX}B>v@ny>nQ?8=b!>`i-frCB$v9iw?1`mGH~ZXGqEhWFo-kEBOW+dl6}4X zAbjTH`l~fn=rec1VLlT}6R)>`N;cYUmUmg^?hysQOd+5#Z*dd2O@9If^3L6F3F2p+ zbm|g(8`9)&b8Wg{D0U7DByIF{(rIQf?H>~_%g@Pi#KZfnjE4tb^xDOf5=~HXX2|q! 
zU8056WE017aGsf!{OND{q6b-&^Ka%8dS>9C+7#x%fz>p&ep)b9E;dI|hkH_SmY>3jGrQ_3pKR1o_UEmt`IYx?ok9TLWxer%6c(XM8pC)Zo8_d}x#gso z6L=yJB_Br=vxz`3k0iw4!eBEI9rsn^%)+I_+#!?MJA1P)s{$ZTRpAxkwWbheK-}!; zV0wU$kM{a{12=J2iEt8tf2hqubseCVKCNOWWN4QK_}u(LL5$3Obvb%&f3~(R^h`ob zG+TMoM2u|Mp)&ap^q}Vg^lWY^LrG8Hi@5B|ItFohqGe9z(!&L`rm?^#z>_O;;kZd4 zRJh)_kY}v_A&vigCRRS}aOc?Uaf2U!Fe>>^`%}ArZIRTsOsKBo@dCJ5YPhNU^pKQ~ z0mMEL)l=?d-L<%!wWwdzUZfl!oimZ-zrSc!nla?Chkrb*?9g<4barcVm`U+_QCbu9 zYX$HW3(YB_fS)^kAK-cWyo#_5UGU*S^afq!?!XMOujOOfL2bLGKWLyLys@UuL4_uJ z(LaCt2!jXkD|4YjOtj#n$DeniX&vWPNk! zFv-Pi5J-JNj1r<4)7G{OPTM3T%Gwz#;dkWBe95QJ3TQpzg^kFUz@kJtLZsmX76Oif z6WagK^!x?9M_lpkKRFZH1Hq@JONPYfOeRm8}f7tHcb?&Pu}?)jALe@W;ypu64>%YX^^^j$s4yBB>)c<8Qk&X z@)>zj`TBFqv#(kV1dZ4F%Twy@MBBTp5$FB$_Iar`QBCPK(an1P>)d*NOoi7jN346% zD9h?MJ`w$jJX3$GesNmmWD}kJi)+PT$0fr5#8R-t5@D;wQYKg|C2SU0dGvO$JcgIp zl@LK(v>v1hk>aA5j)`tXQ=Cvx7GcDGQ28Ru-x7AX%XW0U)8qSo#8vJ`dDT>=wOmPc zs>wq9N3>tWhNxVLvB$gGylD4v?^=dpYQG{Lw{Z_;(qgy^zgv7)@1$}~n-D@fsk-!W zbm3-tbhW6-CtN^Yeoupu>8A0%o#kAEo8xpAM&Ovd+4^_AdxQ>EvIX4bgdcX7sLPrw zD2;vloNd6HeNY;&cFCQCC*Gv6PW@_QLBFP`F5+tAAlP?Wn`CkP24V;hPkfGY6;+-k z&x)|5jULDz1Xk>IC-anIsNX}dRR-DjJu7?&`N|#V9%T-#pbzfw}McGGN@fjMI~a|>ap|9P{~<)p-CL}K&-VTkF@_7~lxPU_ zZPa4U8doAO@C{GS8?>g9aD^iMS^xJHpQ$I-Ggl^``dHR_txnas$5M~q=mD~4nVPVf zoh3cJCQi2f%KZ9jDP)81`Sq_0qrC5P?DNr{Z-PjlybtT#gH`>AmU~cTaQGYS5v%H4 zviOz@+=YmW^R;E|BKz?KptOaD%QPYM;mn8Kkz6r%M>q z;EQlq1coi;+*8LHb|g?!r50wMsQPbSe)+M|h}g-ZovB+pco!v)-ac0lU2++@UlS?N zSM?k5N{_PQUBEP5b;J}M3(w!~2OTK=4J5Y^CRmIt(zq*V!T>kX2`FK&UMsABt1Fr% zp##-up%Vn2)Q*>xPEe>phHI}cOGZ)BJ_{7bh6PU;Z@!bv!vXc^hoZHi?DgT#w}-!^ z{i?VjTgK7&tbdpsFij>1HQ=4u_2>_Ll6BcwiN>rCj9%d=%xDadeU8sHeW%2PgGxE2 z3$f7{vwxX$wOGf?`dB%((XT#*#==ARwvC4HZNT(v7a^ZqN}QIT7U!tms8}_ClvL&G z5nD-Zt0L~nz8HAuKQY4dOG>hPPEHclnjsp4SzZ$L7s6>mzVsRVcLKIF+g3$tjW%*zvliej7$O&Rp}-?c;y3nk(+ifQk+^A@v6yA1AGd^=RszOnN;;Ni zI6X8z(>S7kHAk^o2$D09saSxY)r0+^v}GB}84ppd9uL97!~3RKe@n14fPeiRlId3lNu>F1gdmTJ9#K%ZK8pR*7zEAen&0eDH 
z9mWxK{;4%TFIXn%eKhy9rf}(886NEMWLFn{WR=aO6_=**6!`8ecJ$e9tPJ%dOWDr5 zH-E@#RQ$iXyk&WZA=ho3tyxY{9~VlY?LX5us`PChs}w3Po*K)J#*qb@|Ky(oM3g1C zFAK`H@DdW^cbNpLoU6klB*uv-H$_VaQ}sw&2_@^fy0vz;zX~GEl)PK!!*S(x_JX1~MctQhCy4({c;sE238VLp13y$17EG`|^8V_$ zR8?q3VVDf9kz-B9eXa=A&Aq}za0N0g7sm3yAL=uuo4PgFYjR{%quWd#4cnmNJ;e@R z*o_H><2;pVk-pBt^}0_(3R;&`yBj{WR39O)UEDm$wS-$bp!st$S`H&)i5YIuhjN5Q zkw4W`{{ow9d=07hEa*RCo~y~hffUKx0pW)}4Y`Jv18UpP1Xe=n8OWZ2BIB3VnCxnI z16#j|{coPR3OhmkS(nPUfPCJYkU=cWJxekYKlrba`VOW< z?vO#{Cc+S}Zw~(JsU_Z(vQ+oTk2;RsS}G~7dhzB$0=O|1in4rKDCTK87=N)7UF3d)``C-C9$c0VN{>G8QXSVM1nzkU z9m}+WU)dWIHH}8WWUKAy)rhQ|g0YPhQbU3C2F98EYD$Tv`qC4+sqy`W3}HPpl3R#gT*Gx}H{!5GJf|M}%%xM?$0W`jVaMx$~8HjLG za2@(iL>tHu2Vf-Hm}cDlYqWe5791#%s16n&UkDcP(inmEX!)p|On_-z_#2DT0#n_5 zV7bsfOv?HkcCUJj_}>bVFT~yhX;Qr$Az{S3Sjl;QN;yJGCeCI;!n?+oGBiyqWW1;M zEsYhLl}y_0`!Ft9l_EreB#C~)%Qv4U)&=R8u`@Uu=PRb*k~vLL^PZmK*A;aaflDJp zxaiSg6Pkw)a$b4v&1-syip1B3HG;X%z%O&UDpOKSs)iikWHGqZeJ%y<^skm|VwM*bq#rDcE8u@K(Q&odF zM1sS<&_U9qx@D*pUHvZWPETWnEe8N^s`>r{lW|)l#cC~AKw9RM5ZrpTN8oZ)5xkP_!`KOF&UcsCrdI8Evy!{^5o%2tZgPNmrZND9&(?dtpY!>sJ z^C3$9@5ZZQXcPykIOGFX|2>QxSbcnY}Ix<2))DSzJhYvb-ErR-5^6roI=jLT%7O_+D3h zQOo;n1I?>(+AX~kjE^2-CnaDcDkDBC^D8nQ z@Hy_=8V_~+ z`-T^jT?28Y>z(IU(XI{NATi56f1`|h1qcJ`${B-OtCaQcBFBk6!m*^>Bg>)Q{FWqD zTbXbFB)m+0MfA4hImz67doHJ4Vw~;~o!a;wmfI>wW@6Savq5Z%uY|svzt8v_@!x!) 
zYd14DmDf_CAb1)2VsM7Q|4%%WW8uf-U_W}a*GSI-bh!1n`c=Y=Q5((h3oVn%rtA8b zK4(!8q9(cKn|n6@sbN(>8~pT3Nu?){B)zDua5Vkla4+HH?5C-w>%&LC=9Vt+6#_p7 zl=Q(O#X%E+Y0z#F+0gR^*WM}YG1?s+71E!~8O8#Vh5R1l1Zb2Lj{MI@kac*RIP8JD zzos%=)Y!z=>~xYjzvt{#OaI|-`D<%qnx$}fszD7xVb%v*n)>ZOVq$(8z$6f($>M+8 z8x!zm^V4C<(0kXkHrJtB_jukC{g-25-zL_kuIX(UlFfGA`1y)wek!Z+ir@Z6lE}-9 zy^2l~rRG@6P_M641=_Z4qx#ez#ui(o(Mpt3(u)eNH+2llJfCxmwrYy4#5(?=0Ggmt z|DOdL!iKmE6+>s+{Dp1K(Rl1UBbzOE1!t*ZqnVo&Viv~()xbUFuE-VAQx2z~c`xLg zfl@Ua@v{L(!Hf6m?U2%P^Gf*S@HsX9!Y8!OeU~8%tiHc9iAS<+-l*R6he5Ds!O5VRBWOiuBCd(WFTHQmkpoV7mV;fiMbOSW!$`>T(Iyyb{y|H;yx3YAm1#q z;^;GjRP9HCY`h?MvBpGqEo61}Y-usIz{)!0j*!TrS!VpR9XWG=?L75FTRKtB%))aB^TRyMmsXi zEJbSK=4y+kr`22cLQxP`i$eW-Ypzy2YM$LT)hSH#EaiU|i3wu-QQ7ag#iv!!)+eI; zAgx>DC=M8nwT%!0d)?+>I4Py@c_4+K0L7x?MPhv8;_`d8ut?M6xGw)!Z!^#1<^=Wm zj{8m5P0ZH0lpUrXep{dEDPEd0v$iq}UWRtn_5HaxXP#U8PhayNPS|cI3|8kzudcan z+)LV0*AG<`=1ei_n><@ule+1DbNS=7@~1^ju7DAii9>Ch$)qs$V!CTz=RHg#_aZpK zV0Id#y#T3nL}FaHoK`su2tQk&WYssKqSoz9*vS1~@a~!QL|$M+ev#|y?5B9;wngUm zX-bPZIF76F)y*F6@vgAD&rNT_9$F0Nk!SA)lr}u0f7WH0_>@sd4qy;E3M2DtDX>;f z>aV+*jRb?^g|iBL(gr+d7!s#Q>Gc4zl+*MmkM~aSYi)=4A_;XCU8+5%wjO?J_Ndzy zmRcTseh-2AT4>CJk-N8aObmZWZ5a!M7lH~%iJzeKwA2eEM90y^%tlb(*NcC%)ls`b zpKrG}i+YO!bJF{VX4v(!49IO0AO*v{DR#+Yl>LEd$eJ!>1BXj?1tTQbv1=#*AZXedSZP zl{hnfA{npDpnBO0hxwi@dmmm-brAg)Gy0P5c z4e*j6E|As@Ti?)tJ-P(Ns!f4+0_;_!uLhC$jFO9Zn_$hq{X;36GzE9UhgyC70a6b} ztivn5blf&C>rHQzT-;C@<}W^3d@31bWxyWU+cxC?j6LdL@OaD<_CqtIs*lBST`Mb` zw_O7E23?ozG8@|gb9=61M#sL+;6U>yi_N|a(m|Zbgc4C#cE4o8I~Z9GwCCA9uS*i) zH38rHDaz(qh3bU2jAurVk@xZyx)16bTBQq>Yc~CKAgsx;`no4g2t6o#hF<2G49cH$ z&dmAC2}e=IPE5|4xm0A(Pa| zBN(=YU28ZUI+;e%%p*f*zjy>v)Jn$$tDsN zct@WbJ%A%V6-MGJ5~dx-5ZN( zD+`5zh1MQdToIi6=3CBlr zqTihVw4r4`ekU}VlEWmyrA;%gNK^*y0^5W;Y667dQ}~ zog-WGbpkF>&Wqcetj$cJu{RR5G@mi@eEnWd+Z5)iWR<5oA>}mh*}^PBV;3H|yWC`~ zo(Jd_VEk^dBJ8q22AR!#r*+c@9Gq$9pmqV2~Lh3btWxd)Yv{rpfE=c!M{NDu~67us!>~ghw z4`M&GfkI>&goePiD5lP3v8#Xo;bHoVdh+c)O^U0zg^A}A&OHQ=s=&0}9!~Gw?tXk$ 
zd9YJN%O+;F{bUJrY4o}s6rQXmYiZ2jJ!=1nhd8Gqxw4Mi=Y_?{`HF9l_q&S#0t7;W z&&Q+5O|?GFpsPF$WN_33OigxsrRsHedAXZcK6@NFGOa2(e!~OMyb62lk>GH(bUwbUbpM> z#;r!9ta8}4JIkQj#mCBa#&hdKeJ2Tn@3RxleJckZN5sJo8KbNv%zMF-s_Qj15hW;R zV2M6j>|pEJ8jqW!K6I$jfjxVn(_Mdkbieuh`x*QGLQi!n!qhva?-)2n{qc@#L6yN} zN`vvEG%b4|zi^9DgN|jKUd5)lDrd>OS|$GPpGaWBmcMyu2UMH~RHbagWUX+=8srC5 zKcyg7$ErLn@_l|3r%AZ z@VuM$MUz`527l4MH#iut$#(u&<2okG9pF5VD%Q_W@1e?jqr1Zg-BCa3hDUDAH z3-Fi_@Wq_NEj^XcL&!S^V&9rw#ME^B2hXL0so`atZXn6}9R zc$9{U7p{mqT`Lb=fTNG=6SJBqw;kwl@AB-~@z&KF&)t;sVSt&zz!3CP1v*Rcs6*el7D=B zdvlM83=^FIO{*unmQ?2I*of*REPEALX+bzANP)x|YA*p|y!9FaA=6 z?p!Z^2AY_ZCec-d@#P+cJAugPG>wN6*@J-v_$=0rX&Q zEkHa>nBKSU%0)u8H^&9_4hT?u4*-0gX-w@Lo)8(&HenS^bze=4B&+cQtfc#aQ#|Mg zH9Xxos}|&U@GFx2&f=_zoDAJK3k4=aupK?WkSQuCWOTLrd4E>Rs~8U5WB1^+ zvQc49nA%S~Zs*q-J>Ow-DRX&y{yJ^@r zST8kRiA&d(GQrBLPd^J`-|lY>W{}W^#q0Y2)0z~tp!Hq?t4h0`0TJX%mK2n87L*j! zqoBt%t);!pWT2U*p%NkUHU3Kx19|GI3wb#vp_s7h2M^%h_*2_>?&50Q%#k;TepG9T z8uPEO_nKJqZucNZBDwj7vb(*xSt3LO`Q7km)7}T6 zCtEVJrM+T{T#;sZ)-7#vvQgYoT^as-$bm z<|u|+msGg=o*yf{xMTIfNXUPrplmAb#o=)U9E1X&l=>wABED)}(R4?ndK$4lYpYQ) z1T@&%{!Jt0@ke3IGW4_D>bJJ4QAP7rZ4*DxCJs*~EcnVk^AyU(u+Qg2zB$*{|E%OV5MYw~A2Xcn4go?j@nRpo(}n zJ#nQRMJ9W4h5HOkZhuG6s@Eq9dkd~nTi}X&cYSlfW+d7!r0+iaf!JGyftYAy63`)- z1$DUY(cdI(d1bJXi=H-9FY6&$8%{EYb^ndA3U!jQvNkw@073Zt>zWMC|DrAzMC_i- zr3}+#YY6F3it<@L;XTbct zV|MSWu&#m;^4&$^`{d|GVrYWNST-QYQCfx~#jJRzwnshLF4!Am_Bgl$6An-B z|5uA99v{<-F~FvJmnXb^sG4tkTLNvpuI$GL@r_T7mo?Ju?6amd`cX6c1Y?=-EWAQb ztbk|*6KiVb8+np5&ZzyO2SqTAQ1sAIAjv*u$oBq;jLsbHGaDO>ehF*UGa{Q|-#7Tz z^)(~9yZ$yzz|qO~v)CjJXO*C@;IQT3ov#S~^tpGj{LoG*=R?}f{Dn#@P?uZimOo;jn5D*4m8 zmT!d^$W^Ts4`w6ZW^+v%zFh1D#XS_H;|0&q@flZkWzb^{$I?Md(lrtkp1tpRsY)(A zogd0Q3dI&kDSufQ+Esfkd=R8Y_~4pSD!j(6*mQMiE||e2t@gZsxjq1o`6nF(AC+0XmBj(U;?slNridIX@l7{IIzMZCtfdaG0cQXqVrfs<^B}1W1cw321 zQ?iq+#TyzbM9vC_q30|R1TMVVZ65NU@>Di4$L<<%00yqhu!cpR&dmNnNQ&5iQ>$en z#HaJ=xI#s^eu26;KW~WX=i+Xv4tbH}24vd2kV!8K@xekTDx{~&uOC3z-o;A^TWJR8 zu2@yvuXs}-`m5sLnW?>yU+Xt;bfYH&jab>k`QA};Ew{FEcYB-1;awfY2~!j4WSE&w 
za=E>#7)}qY#}As)+EUainGr22=}gc!9NH76KNVQ>Pv zua|kwYVwSqYv<3N{6|Z_3{QC8a(Yu=-BUXp9=vD{SvEM<%A3oyB4^r?9-SZ zUi@ySr|B~f_amZ?HWVA#TO-z12!yZ)g`XP(x)z4oYFodJw~2bi?h&Ifj`V$u8XaUF z7Y3Q+HR9|)HwVNN?)KFAoP=%iH9lM(h5C6-e*h>YqJ#`;cF-?MeDwS1m<{%v{6R_=#OOy8Nk~hEa?<+TXHtxld>793F_XZ)%hF z2it&0+Lt7NGd8{TbwTgT-p*f7gxBHPB30V7{OB9+)V)OFmdpyI@-uQJOu%YLeyRW5 zOxier{eLjpxe&Q;Bg0^PgTR{C{s@)>J&iB7asqqx9L4TQCwZHXUA7pvkSzi3a9T=G zpJ0AaEpj)OKzC%zjaI9IVQXzr4!cZiv-?lU71!1`WrGo~qRA z=m#z&-xLbYdh1MY{d^LPfPZ(F;8^q_ZeO*nk92*5Yyv1JyVZ?uTZHP_blWfbjw6o! z_x_M8ck8zopJ4o|hJ$Lon*7hnX&ar6j_mCW0cGL28M2>SNJ zQP`7fIepP}7a(*Op~moO#6Q>nWUb&Bnz=-(Q#P1J*1tcW?N(oU`*^)L0zXDghJcC` zA7G|;9an}t&Vj7V3)`xk6wt@$!6kOP9-+@IMpEqs^QP(Ga_Os@t z<;L#Kj<04e@d|X^v1NPl&xsSM%}0lgOFj->U82;s3qEQItY{LR-28a*e83Qi|)esD2E6|qlR)!zif<@v2RxHpEbjcMur)yw_%PF<~*`*YXaBS^U2I7 z5_II#?Sfd!tknvTMCDgUG%j_dr$>Z6dY=XVxwXeKg8|GPX#nOK=fq0p8L3YSk*%%6 zo!=D!6f08$9qL}c#5f4}AK0;u@2>kR?Y>c{5^gR4o;h2eZm*Y#^ z^}P^DmePpupE&{WQBfadxxduq6*Y3d--zlw5wf22%2Iibac+i9XY0%RG_kowS19-D zo6y((5=1CD)U*kgf&!Pr(4$8tjj6uPkRvq{_&t0GI)SR}xc|Id+89Xs?&S)IG-0C4$SO z;$5L495^yKlYDEJIgM}S?FGlKeQVMXji&zppO%6bOvv7mM#w(nydop~Q>wXlr2PGu zsz8XSOFUAMSD5+r^wP=nVOI1fVp)-!+jG$Txuq`ujof7=sJi7MIDrmnoteNmBB5Oi z94PA&{`T=F!t|yq`q+Dub(QqKJ`_Q+cU|Fc(O!2xZ$=*hQT3Y%scK1mq=~d%f z*E>~eDuDU!5sL`_tzwAGld;PqeP~TZA>Xsy9_1aZeua_w99Ifico}4Yyl!r|d6dp4 z7X_&I^~TTn=d`w-kpI&f$ohD}gV)xu$<36nRuS%TX%o%H@*xb#3sX$#02ggQQdIJ|Ux zscCu9GH?_!=4P{e>(}hdkv#5p3u-i_vZ`nUnFIob7W7@$S?`UyFOHUxTS3%`-Q+a7 zAFXpNVuQ_jdl{MHHo$c%%(b(OOQ`S-`_{oI83W#yAL{Rw#VjSZKKC^Jad$lHdpZo6 z16c?RnUz%*Don;bqC1ax9#=#*Ren4-bX#xVL@(lyLop7kSj))0pj6IZ9 zX2KPB#Wl$?A(!0!C321mv(3q`oNKgYK4MvHbH`p+kM(7Tgr@!c+sNz%OM*x+$2wO` z_1j|;B6*DMdD8Hu&fncc^E90I#w@#Z=f<#!=-7J?7wIH4UQb5GTerR}TqV&g$5wF4 z7W=M9lD~x%BbpdCF7JSpjMzvpb^FB8d(h+u_60-u|2gjnEVv#E7H1y|zzD5AE=NK{ z4&TkKdur8VW-b9qc%0Z0g*!$e!_TQp58aEdKDW(0U2Zi&h`let+bX)iN##V`o6Q%i zkg92Tgu+ci0qag-y6y9?@hc$di9TZ2cQpR5wpf#7uWs-w61{A$0K!1+?vE+M0<>kd zB9QFSjw9Cn)1?^UMdktK2_pmNb(2Og{~cVxbqXdCYn)`xGJ};dq 
zh_~Ag>s~lN5C^RZgDY8clZ)LCjB)8LXo(;X^C$sSvhM5N?eJyOtuC#6fiDVDCP_A9vf)VE|VqH_l4&(>goOW*zQ{|3|)%c!{~`)H6(wCV8Zm@{~y zi^(=|YC;=J zVSa;ap%?hP;|H=Wq$WdUc;QwBCJKnEYq0016o{!a^5jP4GoqQ3g$gsJ^h^l+6UrB1 zn`5Judt(R<1cTJcyue=HFDkh5vzkSW=0mpWp0;gV%Def*ci~D}Gau1=d`plk-pLnN z_v$1g6tXRxz3+@*4Xg=YMS4B?a1f1c=GCi=2n(w-s}pzz^E4HFt3vM~zu7I4q;1xk zNRO5VKl~Z=4=jYRAhzkcbGGUJ0m02<1MfZDvYZGoV&e+zkqzP$LM(rZ{zlXaCi?e?A$76*vawro*TgmDmU(Y!ISxeUl;)Et5$@FQyYiS_$%@RIaneWDQ4+Y~wopAJ6ymJQdSr`uOg z(lqt>1Bc?ap*8`Qk3xM!RTXmf6fedz%V=6PGc1E>*_0q1JJDl#iW~;MYEY|+NgePI z=sZ!AUX-msw&$r3SV4@&JQ8VIqs~C`_uNEPLy3tB*(2Uj;?2#->%%2-h>%3i0@Tg5 zb80QD(~_gi-toK-ctZadB-xbcV~*1wXGXK;jmBpN3is=0dU%w^^cAJ9#rn4+ zv)+@uWQWoP^uM3)tZUKxUVg-#Qy!CRMWn(#R8Lv97b8}-V42v#R8~`zccX>T-YELX zJVp1d?6ve6&)IQz@o7y6bzh?u06EmgHqAI)qCY}7z*4iu=C#Bz?PRYz64JdVml1g} zVfy&x!n_F_Hn)ltm2nR6A zIC`kcA{w@VfO}mJ+}`%!q&;6-YOhhFsCc{c_ZJthN_2A9;1)E>%l?Vr-xr*??R*ZU^#}Q z$g_tO@S9?q)0yTshU|s?N66EIQMjfDZh**_3UV}Zw*j5cSjVt`jcmkfH;Rx7a<6W_ zcnb5?3l$PNoR3GT^`T|lFy`O#kE~mU=+ClojE-UdJrfmlA78xTI3GIL)H8u~JD;Y` zTpklY~OR@#WE)8=ON9@qA#zk6IMOXi2_C< zsp_A8(lFiS0G9i(V1%C|gL{1?a+_iXd(C{axPc)aR~Mgl+h0t8KcAumt~=P4?#dPi z3^TbpeGXpoWI@}*{E6;iA?3ldyU{n_ULL@ieoDOHNEhwSZO~%8wpzEG?RCxLGH^PZ z5CLK34hR!Oq&(+5tg21QM0-x>soY;yFV0{k{w+3XwxY{l6B!ivFPzQpg(H;nXf2cj z7Dow^#ojr?roVUPsbg>;x>I>SFk@tz7wTU=694=V+c%JNkr!orr5-8z*D~CxcA^Q1 z67}ll={FxXpE7DVNDTj2Dj-?FKp!Z+rgB54j>CeyTkQn=&AsN3ZYZup9h|S9dIMk`4I6z}_X2djHc#CsmRT5|d81C!^V1j)k%iq)$hS#*a;l@U_Cn-4ZuE+aP51UL3mMReiYVcMg+Yf=P?>ctP4kZ z&Hs=sB3OVaCS6a&xOhv&^G$luvA$FCjS5TkWhhdrWNj_~Mv=D~1@+%+QH|b& z7^~WYKm~WmTtZri7GLJ?@tlB#Kn?ySiDCmoK${>ck0HkE{g8+G zLz`AW0oQiOa#Gm$mYc9b^;bR8M@sqQ33*NWcsZ2@IR$#ONat)`3tWdA(Lf`JBj6nTJ4-57NLzVLiyxDlA?ghB zf58DtbphNyi!fw4M{^RTf|P$sH|Az7y(TmyDY<)D+vbvZp z=g3K_>O;ZSaoAgrKIF3DtL4t)wFOot46Y9Aitg-S%#IP>RG(5l;_O8}sGl&u{u$qq zF$f{}l$pl}fQDPpTnN`Iw+D+6=MLQpe;JG_0r&0b{$5hh7VzJN$ztvk<~!@($>1l! 
zy-A*33~R%WtGl}yDiKL&LtvgQ zgj^flxx8Ee=_3j*RiQWQreYH73TgRzYs;Y5B?XdqcyFEsvUJrJyA=sZ}2ec+N23ITOZr{uD+( ztHmqBlkaG5jBUZyi?E_PvkVGzx-9OGye6f`p(T(%m2> z-3S7bTaiXUx=ZO0kdj7_?uJcCcSuR|TWfQU%7*hf=X<{QbMJGXd;gib=Nfa4cfMoH zG3Ho%v)0nla^93Oz1PzS{*LRoS8jwwwB)@)SYSa|4lhzz9movwrF~CFp*mf&GJ4>o zSYSxnT)}itkx*Uf+0h1h9QMJ*woRzN3T@J+3vYG`_jpazmpADi^RQ=N1tDlkmAN@^ z-MrSrrYIjJ4cskKKIr1%B1tlXF4^jR0(!YCithuKGoR#^&5)@*PHW} z7WX!7fmmmOWX+IWk8Jbokkoq;dd-a9nJYfd1!9E+Jc91IQbm}^_jkU+OIvjGH=n*r z!)4}=#^@x`tv9$5+RxTD9 zPmES3&zD`(g2PEzmYe1aOzReiuY;R^I?UKLz6Q~cN!sW@`ALF96V4ZVE1~*lAn3pt<-xi_kKns`0%si?>)Y; zyvUt2EFJ*vU@erdy%t@y;C;iM)YYx@-H5p3zEq?q-g?m1cW;@nJWiFP-NVCVeD-uf z-&P2(^zu-G_Wl6G7;T83bH5|}o)s@XUOw;;Ug10jg9rEq-Qs#0}U+&jXWtz`0)2O^aE%HkEm`Wuwa1An!dBNNH*PjD9 zxlx5Z6~h9*KhUv=uV)+bjM_jBdRn%p95_Laj$8M!>2kGcq7B-8wMP#^M0J|xN^6nR zXI*{qi+!5IRstrXvRiARg<@VMsPuA9rE!5WkMxT0=*^8+jS2MaF1j_}!EGDPwL2)9 z^0ne&uY%5b;7~j(De%(8gO$ue7`>v`6`92@M9dY)@uf6P2L%-Hehwn=EV!LAnb2$y z*u_NYB<*sq>!%ly@bfW?eM|~R2SO$Gm@CDVaSoG!_~#=DB8YE!`Bb!-)e^|a2ozlE zE{DgjoEK`t5T1AKoRzf+C}bLriCt{VyxX#X+hCLlIyws5h{>)z zS|{{3_r}I%u>4g$Gu~fDfc>2g`kVZ3mwKH8U)?C3Mol*9RN^k~f6-_u+bJxiOs`#~ zsP-NC+g(Kz@S*O<84sN~@7tuI@+xqOMJYkaAC7NZc-KXJ!-Tt>)*19gp#Z}r*iRSndkCG;-E$kxUf3$UBylDs8mz3 z)F*Wl)ZeD%o2Vap_Ul=*_Zr02zNN72)6b6L7_W)Ud9BJXjs`m^a3M6MBGDz^KF@B| zB-E(^eILStI!2?DQdRndV#4#;!zk@acJ9|x-9Kp^W9JhW`*=GUJ>U2aXYETrOWt6P zY6Ubh9%41B59p2~!AP6cRy46!<_r|y6k~s28GftsWWPt33nvN#Ykm5T7a1klehQA+ z#G?dxOU&d@j;BaV9v9Oqa$aBd8~uC$yof8x>k*-q^!@uuq1xtH9Q=FFh`a+Yw;xu2 zzZ7f^xw!Qri6f3PWopAQ>XV=PbScAkD`C_J4yL!Hmpa3l2`iyHtJ_h`gcuI;sVrGiPZ`xN}*&cf&a5e%vYhv_j%1q@|2$q@HIGI<*)x-U^qJJ5?4`# zHFx(~an~1DyuFlG;E~Wu;~XMQ+yhSHcV<+@11Ilubg%5?qB6SdU1DVaR?1P$v!z+~ za(j3B?Sb6J`0=>`==tpCpv4o1)Am?FS|~4NQnjd@gVIBfi$7ej8!vV;3JG$7{K7)b z&ppPxg;sXIC_;@3xFa9(ql$bnzAd?Iu(~nt{*M$^Z07+ATufH16&B%p#=VkGN+q2x z0}CJGKMFAP3%|yEQi~xR5sAZ?2iYzC$Qi#EYBYF_F_du~CvKIAvYLo!`YG*iYl`u!&gOe@b#|94N{U-DKqdC~O=^KeM)l6?Bl{1gdI ziI-1SkV$t}_I+QV@#8}Gjotkco6)Tu=zN+g4n>&%4!|nLjez$J0>#M5Z!{bLeIG0Mv(Z 
zuR?8$(TJZpNfTpB*x*wYF18)VXfP}F9_t$nT0&%zNwOH#?b3jcr2fa--0Ky^8dgYs z*Q>|ncc?#_cg00@<5nT*rep~D+%J_*@g{!(Fst- zq>;E@wpM0eMVQ8l@Ju20v=RArIWT~)gzh=fu0K*4h5rPg?@8IP&G!qXTZ_HjE~ zUEyp(m)FSigsRrSPvX+nq{{b~+^e&>v%4|}5O@z(nM1icdO49%hO2E%(Ze%HUmOEs zdhNQ5b)&fJRr`a~01nNdxPlfX1<4QT9I~lXZW*6SL+COwAxs#+xSvkXciXK!x)y18 zqG7VH-j=Ww@tr8C9sandkiTXb(Q}<|{`{_svnbaLddYhk)RL}5uSdt+9_lX6h?*xC zsPh*o`Y4&P{{FF18{ZzWq9u_NmE}uA>?L;C`Fag2<3V!vR@9Ze8H!ZK)Bpm{()WmZ znUCd!X}=B@f7EYq5qu?yl=0w~<4E8_E%A~c_|2rM^F1d5uq0Ozvn&WF9Z<_FpfBDZ zsuN71kGQ|N)jy<_sp`!Cs;5oJV#{74+4Oa`(6i+lSsr)iDTDV{GxB&kxM_*!bh-NR z=r}$z;0@^2J#e+R2-yi$;d?nN>p)Jt;vQS8F<`rm7RjfTUf*`SDQh)$*j=Y)Sjc(W zY#T)$U6WhLq%XsK62*2efC~dVNo=6KQ$p+b6|ToW9cIz3Z!?J6=ZdLy^0_qm#rvEA zUH@SJIN$dz9y3?xLsp0l#K!VwP^^{)4ofy2+D28?lE)whYhQ=lrNQGHBB(GYsX@Wu8eGZ}H#sGnU=nWW;%VIdL=aIntq>>wlj$X%+xi*% zT<2+Re<8W<77$uXZ98F0`UJCtL&Amr!lY+*Ww0;f+Yc&_GKra(-`V3qze&bSnm=%g znL&z1ojY9aSA%*cn5W{kmMcc$IsYKhoy+#Bggu;B1lTCshV=qS=U+3Bm;~me@xBeY zSCuFzB{!2H^F^pth=N*@<4x5C@VySlU!Y1lldL8_zcBhzSdp(6e-Z2c*Ehgh%<_B8 zM#}cAFE))!GmC5xPtCMko$6Zp(tlAqXpQ?Ohc3@{R`yS=r{N5oF_7;j=SNqH}W2b`)$ zS@>J1c4)R&%Ft{xUXzN1Uqkf|N$a_I9c|o2>g!;Jv2uu{(jLNtH~c9-vnlR|8)9$` z@CObE2Y8)b8p)N9h_}C`vd*#DxVu~A`Vb%1m15N0bBLL=g*Y|Ft;VUnyHA>{aTqoB zDv9S^yHQwJ2l|2#8IhpF&DWXlX)nY6fI{l(f-r6dtYJbDe6KRk01vzHk?z*QR zxnsGrIro}K=O5m^@Wv|f7m7`{k3pFkwBTE@=0oQnSC4YvzAo9sbO+fo@bdk+!$q%f zf9gVu08}BAl7j`>BM5@g1NY$1+J@Sci5&fNx2a z!uck!b!eX1aW<`n6Wy{jrircxxUDcRwwt4%Zk(y&Tn3P(}8QA3CtMM#)BIhx|Ujt^B&r?Vz`wjlQKWQK46Q(bfH zGrunZ(m#E6)tiJ`hgL)wfZ(nkA}m~8)^oVmDhc&Fl5O&F%bQVdVdp%um+Xw$9bCUc zP~r-Gr`OQlX1_aw6jm#Zl5xT3vmbMc4mLIwEWm<2I@!oUmu2IG)KUdTugOYDku+Pp zrs-w%nDFXK`bye%a9QhS#)Y50iJpIxMzY`&GD~-i|A&Q_pH`B+64P4S5k~hLu&iRR zHIct3UOQqs+?gIO%o1?izRk=Om%<2L5s7+xo3hhf23;aBus<2sR5~z+kd2lwh)1nX zTD6Iu-M=g887>M zGwM-@G)fBv<jzy3Au0GYU9zL%hkuW&$*U?!8kr%FC*^J@}x5ze21m-#E20YC^8AjH&zA=uEZ;sHT+ z81cEBb@o^<-P$QjA`#m*kD|jJiBV;`M^*_)H2HO+tnp>{?uf|fVOR(=E;B5r+qgOg zr@TcpUUK#oYP6GgmJuPYKxib_;NgkPuc8^kMG2CVO*y{XreoFe(0-as1Z 
zt)g70YC|b%uud20fIO0^zS=W%7e`HOnxFfuzezIwQ?Oi0{8q;IQssV|RKt5igI$ly z$qBax>g!VIzrP$7XN5*dmFJy%*?(ofrEPe9zglMVX0R&1yDvY}eaD>G0Xd-ml-eMq0D4frv<%yB=xbgjpO;6lB>UUObkGn$V5nB00YYN-i z*}d3*-l!gUQG=FAtFE+wXJ|H8`J+=dd;OZ2t9^K23|)^GFT$%2ZfjK8NYU20<^&y}UGd zs(Lt-IRD{V)9&F!Q#GHhrH$o}v8lSf={b4s^8F2S$h*z+!Lg=99S5pEDrP6{KUA~h zSgrfs$n{l=ud6&!Njcw&UQ*=~^4McZS{uoYa2c?TAZA-frx4c+=-Q%;o&$Gf8QK z*mS(_E)=}v75++1Ya2l>*Rx&t5*YUDBwLKyaaUc5g}~5EbzYf<-gllN*G5}Q`m@mG ztCZOZBIzv|0v6**-@-%kd%9HaGg+htHWKh$^?@)iBiSbD50IPT_TK(BBd9f?0%^3C6K3eH>;0gtngCCg@uJWt_=CY!x%XH=w|7D?~Axr3CLZ8cu<)2y{x_ zy+1xkiKL^YI~Tv7o;w|;-Co#-xe&7)-Er`;DNg5R;KWU$MO<7lKRm+RZ5!jA+djasTRFqn~N#U1EI2H0?qb@HR33Dd_{NW`xYVV#iAyGhvZP>P)qJ zV%XFDLINmP)HD*Gf4zf5>%2{atOYy%5SnFIg;gVK5lPdL6Dq)7lor_wueH{B}^6c7{Mrl!7Ob#cmxlSeuj zf3F_&*85$PoQvg*sp3O|?_p&3wXw(U!fqK_AkqO}>Y0ZjxKtZ-Vu}Z%<_pnYGrh^@ ztV4n6QXqTV!P8OVwq?GiJ-~PrDg|$By=?l8MWU2J`A-mj@5+RW_UaBnsW}H*WE~D6+)gncF(F z{NZsBb%8dxn(alalLmGT6D-?WpkydcXFm%^z-kgL6JVOT6da}CrDE~+QX=+yTx`P+ z4=HfY6;^ub{AAtSJ6>^`mNtZM>45dNw`jJ^ExpI}%DGNf-EwWqb?@m3=KI4P&Udw} z6PJg&)1yVrKghqB*cH(r?$&g9=7E{-8%N7+DN~}U>Nd9gp?wSBL(b!(ow4b$RoRhw zj!%4j`w8bzUTZBYa#3fHUOIl>iS#SiO1w3H-iL@!*}@2Ng&Aou6XYvYJ7N;%OZ`bx zQ&X-_7c!bFBL4JO0_nRhl@2;2=D-WUq!nov(I9)Gn0Ia1DRW=>rieEIFV94bWf1C_ z-ubcObo5Ls=c}R~C1;a#=zTIDSD&Ilrt0*eB78gAP+uH9E3XJyHlKp+>QdWI;)@Gk zl|`(jv$gM!4@W*SPZxAQt~0)A%w@YdT*7&WPKhh0q8$@YVc=N650A+tdU~E;Yt8OUwMmUL`z~|_88|nkGBU3JFy=md+%At0w2LlYR z_#qf(x?BgIa@w7+bSDTY*1URPP|pWpWjPRUG;eKu`{AvQ*I{GEli&<|*-(lv_Y@?O zH`32trqlTKV59@w3%WU+=Jy~m=88Kjf2(|soiDvIr8x=HNwBxZb<86rP6Th_8yeU>lDWuf*@ zL2QbU{_Zr__JKl!=WCWQ|w$_ z;@goTn#it`ueh@k0Y1MQQc@w)mi%!l(}Ai^IMFUAZi^w3ZEa>aSzy9pE{~EkI>@q+ z)l=SwU0{wppXW2nsLv~k&tnSu=n|QvUtl$gbc{2_=L;d{eu2)jdu2E38=Am%!IX9#`^QI)dgkjhI7{_I+cii2=jy2$0XVi|B?UgfS73 zdo6v00%+Y`R%yhfeEyR{q!!WHeH5Q^QY4|2+t{gMN?Q3J3|a#Hai}D&^!a7?@oPH0 zl1m;FU~?yymx_j+8mM_H(`3%4i}OFU5?&~64pS~ma89)nePTooEqEMN@QK8LO!!t? z5-{v%)ij2{XGJ3~9}TdI&O;}c>c-vAaDG=R(s6ThYpTyI<1XpsP)8L<-4|vTMt9y? 
zcJ`?abRR>-F1+$F%O{&O(Bq$x682;l$W=n+G1?2#XbrkJ8hW0_>Ke``UwSUhnj((r zmY!sQy}l=KFT><#kUGVcN1=Wh*&kFxtcAv1TrKmqx~kxClj( zJ-Wq!-`P@%A<2Iv z!*`Q;Oxx zBWZ!`vYYdWHpp?l9%c%bHnHk&*5coe-Q-wQ!28S)5~Jf1PV4@5OGhFXE0$ewm6pE6 zfo#|*ZB%`euk>i-$7ngT5|#FnN`TvJVe)uu?U$z2iVyfN6)VZbg|D-Eh}7{43q1AE z@>L-tD{Ox+DNveL__kQMGAw{%eF*w}mw-RqKg%HLWw$MZsQg=79cQmxEi#;3k|FTv z964kCt3hZ2`i*YrlLH<1q#I3{6;f&WKBqC07b_dwGh3raD-?BMgQnweWt05;WAgsH z_xjCMJM^>5?z29n!t>eQdJ(at|MrG~XGwh9%frF?PuUFO$UhE44y2q$_9eN8Bc9o) z^UJFYaj*JWd5aPu(#T}?#5@aE!!na($c|r6szi&WXSW%e4#y74ta~E=4Oem?Ek2R! zB8`ebeI4_89iyfuR{z#TPTb#+C@3PaPirlTVb`Mz4gG{`l&ww;rumQGpuYn8Ekn4I1?~ z#QWYEtkdKWsO&7Ju5WtV2P<5x#OjYogCEOZ} zpZXVfXvX9|U z&B=A)=t=XPWK{~+Nggz9-;>es67{5JHW8fyrg8{a|2bhqz??=J{QzRgv_Ye94BpP~ zs;`rDx_d_<`fml6BKnUUBh*|U5*A2b?-PAZ%|wyZoW~dpEW&nU`Q^qFaLJPcc;I{w zNR4$Dd~a8tq-O2H!1oKDd9jmE>hVcCVe9BO_8|13J-LoalNs_q)~lxX?syrx(Q_}O zA0dnSQ#0x$`J_IbTx_O1^% z;Z17shDWxN9tSY*?>1ZG==#p_1_lh6@)%eKGa)eViB-Zdz*cE><&RbNhWi5Z{%+RN z)~KK0BLBJ60OB67M%xo>eCz=@9VKtV0YFCr+p*#MGngNo#s!Rn#}#u5*9O4N5@iv_ z8poSs_hnrWZCgN<{@pdy^u*Ul0n%oG6}J2bDLa5c&~pLB9ARl9eu$B>s3x;%0 z$kYW;e7p}@IJ(w3-e851$~9fea36u-enpADmHLDs-on8Q#J%5`@Vqux%`ff(@TKPRn-ktXVIUZ; zGvej-Q@FyhP6&&a&0hi1e#OhvQle+LDli5vdVxscU1I!{OMpn>UE(AWAfF%x zxVQu^2+r65Q>CpSxL;A?Z>0i!%uRd4!%r{)uue>GLHZafu}1p%HzzzDFTru}xK2A^ z^Jyn+KIMeR@lqEc?N_`!Eu}ks+Eu|ZCsQahfE3T@@Vj+nxno6+{Z>5=y6C6+j9fmrfD^rhZ)j1AJTp7j)9t$EgYg z_bXNXt&}#|(?~1bsS`|`dB)6b%{XBo7%pHOJTCcDxN^^km$avx@Hk!u1El?mm#3wa z&Tv(5%*oRph!ox>8c(?dh!j39og@NG{U8RoxCAZ;&e*V21%mq(CH_{50)H%BNl)zr ztAFM8IH&lsJtNvPoZ@~R2(<7PI;jz~<8jCV`+o&YaDKQ&f*|0i0OyB0bATY=Xq~P( zMLwtu-bCJ~3|V?cvN}!0vFm{Sza0N>7a8E0y*Hn3AG5QGbM1ZhEjnb8s!!QsibYGY zden>6CP!RintM9pF;yc~=$bu+dP%C0)aa~L&e>FSNKI9&np3Q7G6bfkmdrJC(@Z=v z1ZFOTRcU5zqI;||Pt9E}Yf33%hPawkHJX?veV!be*7Z_p)p1JtJdMcdA~zZnj&724 ze-06)>U}mj9m=3f@ZgZ>b7)aZ3szlp)4u5Q5e#d@^zsMHgoC2bCopcf@M{Vw-Y7t# zEi4Kj@3oAKr2hCIbSHd#glzGeyraD?M}GMDEEyf5cU3?(o$+;f5Z3n@0AUn_ex14I zykI{`#_m@03sdGAY(d3qH(V(+mHKaIfUu0(L4*jZ(|TUs@3Q$6Hd 
zVwEBAJ;})ZTf>0r>zx22_eqgJMu@_#mwdZD36bvnTEsdN|DJhdC^gh6Jdzr!a=eDT zVSkPsviK7OKNFb$>g!UVKCMS%O`Zo^gFy+I)iVL!69m`56qr;rx5+LF>L0Jc8aDI< z!Cr)OENn74u<`aN$L1>Fl%@ox{^cbtEx;Vn{r>G+fVpaXU5?FVVv`^aO#M40sr@j# zOMtn&2$7ax=7KK6hMw@HV|{}R>&)1km{6Fx{#Q$V5fS-^>N3}3&m1I7z0QfL{JZsO ztP{G10QeyBOLt(tqzx_Plx8@&)+Vf_Y7@02{XHGiBz?0#tPd~;tQ(HGR2%@jQ+O<( zy8U?D09N%rVO2|DfiMLJz_tM_`4b#4^lWgz_&>nu0?d^GQ^PU030NAQIlD8Q1i%aL zB;ZhZCjs=Ga*}_&)J_A_B)~s`@mn{3I*Hn8ClUY2OCf9*`p>m53%)tIRtA~8tA)1V z@0UW0!r%WgtHHI?%sm1$>;c;gSl*u=+L^avb;t zlC(<5d`_;lRJ4P8Xj;b$a3)=^-^?m?nz<){2Kc@I;iOf;SOY46_h4`+T$nos2af+U zD=qo50AU55IV!-?@XTSIb`lUTypw=K;ldoK58g@s{ZgZ+b%C%0j{g-&@J?^9;}{I` zavXz+!o`8L{<8#e`!sVAXCw%*lU4--A*cX;?}J0(Jop$KIR00H=p;YQT;LhZ37vKl z5HGxwfJ5QJ9H7L;v0ABb60S<*r5TL$OPV(=U3QG_mRlh|N zrPEGw9D_mP|4a~_%Yxn~*ZNlp0^>Au{AcWa(vwyN69lLLe(!@r&rA^D_+JU)&S~cI z&PWi-r?-~@fEPYNfJ5QK9H#qTK_6R z$em_R{*1k!e$uL7f&dl3?|pFSnF#_M|0_Y{osl5Gb22=0z_}BCdx3c269hOEEo^93y!@FU%AtgF6erRBMPRZ!nMYu!4Usd}3iiQyy4o3r z0Q=x##Bp>5FZ`Av{{3_tKwyU75nvy@!9vfl1lR|cNy^U1hG5^BX%4*bTWC6Cx?_uh z7hqn;7HRN9E|=_J4W%*Y_btn$1C(=t)Pqjpq11za?lB|gDMHWRrGU?KOl&eE{^IN4 zr9UdB!tgcUuP5LE?~($_!WF^f9q`g09{6IW(836pP+8UpWYG#$if3&I<9amK@`Tny9w|aIH3ao zBVxfz$CYLxfP%c>_niZvY8nDiakR97myT<1D1ZV}<@X{DKn2uYrDW05dcdVYSZTP? 
z^H0R;^Ndavq(C|CJ_y98EkJe0uOI58D>(kQ z@cLh`(PI|RQO^UtVh9{04IDT2e1@)#07adj$mY6<-`7P1u0NY6Pp5eI0hLk znfZUk2>8+)%)wyA3m;z3s31WF@TbT#isfT);P_wR^}k=qgZki|1nw@w|6r-`#WGlr zo>9pk2Vszx<0G!0sJpcQTtNzy(~h58ny`QaT?^K4w;8|+5YDVVImwPG=M8e zb-cF5Sb+oV0TBFuJ4O1OW)7@);m_Y^RFI$o_?&rGv3v~fE5eVVz5Gq#u58BPL3d3YxQhn_e?05^orI9UBJmI_}ig9+k{ zO8z(ogS`BiAc}_lbx*GKFA@ZN=?z9ru;PVJ5NA}7paS^4e@3x<3=SOsD?$ACD|t{K zypzD)W%wT~6~0&o6GY2tCpnJ6ATNI=h)`<*<&$3WR|x{F0O1nEoiq0S85Ja`0DkX- zL(fbQ;P~GX#J?|ZLA>xzaz-T&>VtQZf4@}tVi`;jXI1jB7!30AXM#`#5(Hd9`WFcz z^E7i{#S6dp&!`|l1@H;ttYY~X+{py-@5@^dFMNVHqml>l!aK>oUn+dD3`-DaRPx6$ z806)T1hLVxEXV-3#BasYUj?TBesv3ruCP-0SB5yF_WpmUSO#xBz-2@D+Yw*{gHa5- z@atCDKd8M2ME9~H2yU74r1|tdQ^fXN5fQMfKm;`vOU-r@mVLtJ{5l|6TB&QBuXu zPTQ!{9<|f@T;%A{FdJlNgAwxMAlVGEJDzNIw9P&=RcN)du(JN$oyXzFT!|l#!@A?) zb{Fu^T$c^c{+xI0(O}k9kp;7^oqONwjy6J9Dh|fGj<&xKjymqBR~#Jft*wWu?{9b6 z5JPsCfeZWJc}B-4{6-HqT9W-@kDiVm7FIZ{9{@6Av4@I>t0fGO)H=xizWveEo|)5; z&SBFJ$o}#kFl}`x!{M;m;cm&1H?hvP7f)liQxKr63+L!yFt&Ve!saNFIA!nX zXl_5&f%^d@?27|;#mSW7U}<+xxED zn`}J!kkap=kXQRlS&;ARu{?(pM?YGAKz8=q)sKqS>W&V-n;o@4wwKM+*ILwfr(+Md zdiDts3qm2oP(Zl`qnWK;$ zhvJ1|RmZ5eX`av?}huPuA+~~os_tA_x>UC~jh@(r^Dw)Gh;@)7_c_;Rs znQF+7og+v=Y{hmK@zGj!a)r~Ckk$|T?wf^2W19fB4QN3)~*bAt;ENwH45+cJAN6+4G}en;DzKSuXge^fXmR5-SdLVm0#@8!-r9hIn8 z5IG$x9PKVZhL5(^kHWJg()U!p{vckCJ#dYM9N9n)_e%~p4gkA5?!_MMvQ@6_#A5Rt zY?ZXx?5FO>?`;}Q?|3MzdyF`KWjNw0BVyXVIv3&o_KDWiBu2}CMv0Yu^DzG8i=k!~OMmTEKvY+_^-z@;^?tpb~tZ?Pq5FKzz zOs_N_MkjBzet^uRmaWf@+8VBK?b^gZIsJa?o`iMpfZY;@(KB1EfsmP^vUQ-F^#~D| zs?a88pR;W#n)0aC(tf6)Vtr`Db`92j0Cwxax(6!OJ4bA{R!Z}1Vh%VNVBOw3HfTq! zBK9+f7wp!C6GYa-IfJl1T`uyk)@GMk7^YQFsr0R01}Yl${5q#cayw~dTPTf<3Q3s{Rd*VDWka$= z^>&bbO%2Dg*q#&X*flAbTg#wB%Dncdx>U=Zt0TR(7gUD?!VlN5qeif5)K|v28;4>V z$3NVuS~5|0sp=o7MGVf#jm8kx(o-Spu5I0VLggE6;wwqWIY=1KWnJ)q*Ktu4vKaT! 
zI_Z(MBuUALwbkb`1AoHq`qqtlbT4ha2yFzpPt2;H-Y^Y>vkp9pUKEX8jFYrZlCqYh z=Ip}ZqzaBUcuUybXqtzQI5d)1i=L*VXQzcQ^@+J9=Z)P!_;UZFFN>n~i*e7alklx2 znMyj;uuaW&H4*r8nbC6Iqz#B!t2hrvhV(xgUKEvBj5D`RqPCV~=j_7fq>7F<@FwhT zZQZCr_tMkD(?aOUWsc5yvo;Xk+yCfbQPgZP?v-_}>ejcdBu;BdUd}Ee&XoA*IX^^fY}v4s8UTJmx!}-f%#}i3T2#EQtm##syd>iC9Ytb9UY4Oi3JmW+MlzIEYZT ztMx@AdZPiTXERS_vFzJcdKu2p$crj;VM9G-O@w>-%w^ec-a|93J>3Q)P5U1yEs1h2 z#(lI-BDR)PzAmImRnl1?>#Gxp9!n3JTkv@MbM7t@{H&_TG{M5V$A@ zK#ff>jXE%ZOdvpma1dZ#GYC*w7X)}G7X%mrinrtjfmdI2fLDw4!K&g<;``G5`K-=-l0WS%iyn@qOr9Y3)V` zd+fZx#~H*j>z59`tIi2MPQI%FTZZ?~i$u>puLF3OE%;P zh*D;qmo?<7#tH3P21q2%8gU&Q>|5zXdA&sYaxSrQ>t5-`GmSkOH9PifM?!}3Tm3^Z zYM90xYY!QaSqW|9LN7=9aLE75(e;J-C{$$-gTq=Se!wjR z=r|CEwQ4}yHBmw_wzaiK0l?VeybZSYu(kx&?!j74%Kr#baCF14xJPhw3)XJK+Fe+? z4{HyB)?@UXk*UP!1tU=K60E%fv~cTdwhRYX&lL(pi0I~AQ`m^nzFM7QnGS zR^ZrL4sfg%;a`gz!^Bx(;*l_MF;Kh}HoG2d_FUNP1F+eRVY*wB`T*T}T}FWJT*o>h zpq0y?{fr0U!%Lfc!12gtB%B%rR zuhmK-)Jh(LnpERJP5;06(%&+3pu_->y4R%!Ft#;Q2C%mz;Q%lRjoksp=JRX<4DW6i zF__!$1*(HGdKEAk$bV-0;2Tkw5zcPM1HcL!)%K!Us%WjF6 z=WE>t)Ya*&AIzGeKik8*#FqBE&$)rIGi?TCL|f}CN6U4Tr<9 zX?HkO{a{cXeSJ9g(BW`Kf*7*D$>Ugl0NL4|>#Bp?hiuN6RqRw3@*J$Cw-HbK5%V|| zJAIF=IIKO|8I*wReE0U_as07#HP-21C$3^|tq%COI~Tda?YL9pH|lUGvp=(PI8z8* zS>HU|-;p|6pO|rX1hg!N#un}3sjpjq zz=_YnQ|iwZJJ!)^gs0Mt^b9#@7PoxKphj7Pxx~}n7fDHwqRGG97Su^|Iv7ED#ZX2c zluAGR!euxyAqL^xYfJT+!@5y9dVCY%lHTBhVG;jOfWba7nS(6yoH=FePN%!UG-Kh3 zsVD=Lv70oh+PmZmG~tl_?RVW1ZQBQs!@6x|$PYi0#An5eh{k`3`ftD3W=zjXM$Ofme> zx$t6=yCdafZ}}tHiW|>Iq_M5`$j@RDDSQg?!KBrZ&(G-PaAnI}WxLkCGJ^4<ogP`KYD?L>)}uR&ql-e^A=Aku*o12K z>I&lS1$4{~dEOA*r-eSRAH6HO*gcEJ-sHC!w`(g(;gItx>!M_Mf#;FENzC&n!%3I> z2AKkNgqK=InVnOFJD@k?N@m(n%WDk>Q<&r~jYu3}zI;wmO^8~eUR(+(P8#!bs zbN+B;ggH`eWn|jPGX*unP>e``Z9lBHRj`uyrG1*yy#-W;dxOMyMcJ`q3*W9KNv=)E zCr=NqJZ0kNCSg)d$J)}(CL5aKPhY<>U}a(vH}E-khtf?V;mI4~VLYEF=SA_p`F^Xs zQ6_8EO!C$5sn099{E=@QwSKe47m%+}(&QuPv+xyTiujN#hSDN;<%R3OLvkbD|M1x98U(G!#*B1He#m0a>xw&0m+A{L?(K}~Lkrt+@9c&ch;mcqlwU%DH~FE1(6Q3T2z 
zJc@MLb=((pSK*QSfI?v`?#n<4Xbdz4H}A@bTN0w4qr(~w(t0(eAST&e}iinBO+CKHTmJ{1P0 zn8?xY8eG;! z_;Ma8w&OEpFVT>l7RM?X`Coq%Ah{CD=8%>q5Lc|1@{WV&(A?`rqAiNi#~aWHE;qIz zRd2S%qF@bf!yd&kzUtH-4G*LKm2*)8`ghgJDnhEN15xwj+_*&_&X%qQ3|(D*xpsc2 zCkB~THc*#0*q|))*$rGC>2JImn)H{7KS7^_rqAhUBg>y#RP<{g($EraUg}ccw@wR~X8pG}+quNyZxRIk2R4vCcUKoj?E0D@}|jgAJ9%eVYJy(T(lR zX|k`#3$6)V=08@v86J<&{n#Hu@jxC%D)O&>z<^watY(VRCoNRuzHGbZ+ChJp_Wau? zYj~uCvrV-RtyjnzT7+c;Rv$=kGuDP1cq6>47efXf%9>1?%d;cpt@@O&poO8b<@t1! zK!MggiR~A6M8_+9)1S!4EU8xaw`=KNa)oK0WAcezNZ#zx-;wr{Gl8a2-Xakqu|rxX zCv~R^me8p6V2fbV=+Jh$DBV)DxNxXES#y5>T84xPrqU+8b;t4Mn{JEt23f6E2KIkeO-x^XcyZ8PK#%DSna1a9=!hL5yL~rM zAUEztVm))h(u*o#71Q=s_2-&vVKgEgvcRH>$PZQe3! z#=$yQQ2x$R&zVxI(!@UJ9>zJM9etxJ-8f0 z`Fi&KSO2|rGKqP~#w4v-zP_!96(qX!p=8sD-U8kqklxPmK{42f+)?S)L;uU| zeq2I)A5n%8rxsH`9tQJP1ya`wqr^Hw6|Tllsdy@f&=v;;QyR_A8mx-=Q@xbFGBi_7 zkE7DGSs%z*dId>hZI#t%%s$3t+$U}u!&Oy5I0QGtgfYxCYa;zh`HT=zR1->j={vb? zt|GowYMjQ8u1~{4#?Os1PoDGLaN*#8kvQK|ob%yr#&Q6atPH1kf?=oq;R8OecP4q4 zJ;u~?c&FWvQoJmnj%|T>33spB%{6&y@_97S?!{0(K)l59^^UV24^~AWtq-Myd2MPN zLv=tzgqk*&l5=%DifDm;y4;*%k3Zt|be<^*b@Z59p?8PVZcD?HLhC;U$9mX5*L)H}L z-I=wKKfmX-dpyJ9$^L>{)f)xX9my?-InesN*7hZeOy~T|ZBiZM5{u%Hgge=qn#hYB zJrDJ@do;e?q>6BQ?by_>X!C_q+~HOj$D?%$q^W#98sqUF6H*q&nD?DUu-$BSXq?n3 zN91O%__gm(Kw2sykK#-0);m<=-P|b)XCL#=PDV+*6>>$P8kCl|HW6%y^g~s;jM>-7 z!bjkI=}Rz$%YB!0AM!_c6OcM?8z&S_PLuIL&28VIQrBLZ)c?S9PUb?`l7d|s)5hac znk$a${)8BFWr41jP|{^@eq2rCj6NiFNZP|?jPQ>7T#w&XYRbK)jV_35q$8%1ESwSC z9C^>vh0^t9`nei30iQPSZ_fmo9D>CQmz_Ub2nyPaVl_utYj!EyYkJYE4%Q?KVLWsT zh@Fw4b>odecahQ9Wcfi*a^x0IFhhHLN_k(?Ke7iw0Uz3ZrO@?iVpUrhMAVe~_WIzY zZDv<~f2F3kVWb9szU}Qi!M<9J2d}dHYm`245wM}&V|o7G$wchp-9;HA&cp+y!aFWA z?IpN?pMAhlBQ}v+pyS%$A*uRUp_!7%PT%x2t~7_Ik(Bp7n}SS7g5`t#hM?5ungOO9 z))yCF;k%KBXIYJm+zl!j%H?1((M&h`mOGm|CWK|4nr|y3GM4?0>Lrt_)?|;7+|HdS zm)bxUf~l#Ib_%KQ8@!9&qgPZ-pStdKe)bRl$cDN}pP7Nlz)JotKKr)WFy-x>kx%JJ zs^vnBS2a1QE0D|4AksJ^wQRR+8@p>|H=L^dOu5pza2&POb_4@}&~ zSo?5mvpt#eyI9yhI!ABpTWR%T&6EPq+@86|l>&N?N%p|8UB^Y=z9$XIxbT 
zJ#2NUk3Fihv~3cGGQaGSFft~vEq`T@BctuxemHP3^a_L^EKR$n2aPYhb7xJoP~d@u6s zGOM;!S_s>;qK4;PCyQ09-JfkUv#emkLLWX~OqEebQH3PTJ6`9U^v*nK3pb{2+c?yq z4-?f#9FvZxkxxqLYMwWNx4}bP#nB5YYu^r(cO!`G(AFpTuS;?=uHRGC%%(*1q~_Uv z_)V`g7-bt*X^5ysGV4X#bz5=1h4i@qZXTYMxbv3M!8Z~EpN7zhORrhpa^N8uyRI&u zZ;_)+>vTBhovU}KTvbPlp{56UHK*oSP9kMVDvFVd__feeJoQ0+bLEkiJ1$SxvkzpyGxM|M@+k9m zcl+T!{g6*DP5b<`5mQAt#Npxahc2?OlHQxE(L*zHgQCWQkv{Pk7Wg&3Ye~G2<^1%h z6OC`UXP9WU{{>6nHa1h?gXhR>v(kM9&kMCj`OmphDm+&*BEVLzAhC1eGPqh+V>+pr zw>VUNGgulE#R|XQ&q&O^j6JPXjbI|b|N3;y;MLU+gvC2`k#&<3S{BSdUYp*hU2k8# zAl`rL$<$Q^2crAtx-v?xPVo%H%REk)WI1@B#t+>-m@XDsavI)cbUa@yj)sgC@S(Ep zk(C|R5H&$b0WM9aI6Hr4CZ1VwE!t%uLk`|pT6l$(6^e;WJBsJObMUEB%o?gV!a?%KFJ1b4Sa5+FdJahKo(cXxMp zcX#((-kCKs-@Ny`Yu#S!^!d~EoZh=?S8b_!PDj#Tz6Fy&GJ~pPZ9k(dnD`lWhBNvY*LNJLE z^7+Q@Rru0WSE?<}NYrcvO34x`LMGAlg#5^cW2+%7TX4o>nyl@bkjfQwaPp-BxxVgr z5CJ|ai{>O~^AU~7aC2b}tRLo1%j&FqZT1%(r=T!a4w61*Mg_m{w?codSx4hHJZjkj zw8SrBM{B@p*XLb*i{@SpH7-o+W++r|nzq#Ub26IazO_OmPS1%jlgJ4eZI}cmbao-x z+UO%yUF2KX5pnEB6;mi*hef)_^IeA#%>24Z;1we0*Yb5V5O1ZRlq>YN5)pCQobaIR z)(br4xkJ+Dxmte|yK?n1ReA1jDEGraf~id_nV?N6HRt$TowWJlLmkl&oeqQI#)Yp( zyI((Et&RLur_49e&7&=e>(h8=bkyD2E6PiSa6+Ud!~j6h)0=(2I-1-y{U;v;o;4&z zj-uIEhPMfMD_2=G)zwul=L{a?blIk6lHzCAqpg@wy(7E z3(9+V+yr~^e?-}QJE(KHqiw2^V=C?(L~9l#Da4$cjhWOIiXNjr9`H7OSFByyF z8xG>ETpz0N!9vTc!!tN0J`zPNh0n4L54HE82vd9L+Q`)62p4Gf}IXe)ai2c^Mgys z_8@=8p}|Uu{WyT`DZQ;p$XUVM=;bk`uMX8Do z{Syt>oDmLf-ea&xL#~a|MyNn{)y&vN4MW@lR@MZbHT%Uuc&O~@ct%j}G~<#z+^W~v z&cs#!NqTPV4bPJ?l;;}L_p(upQ9k(w+>W2(Pf-v?f-wWk7r!ac>`%aBBqD51)(g`bmC8jm=`ITv)$)rCs3GLw=RkPM6m%aIWi?PPD_h zgbIrzc?w^if1yLWW4L(@?a#~lm^=;X2m802T%u+^T}E*3bqwV^KlD{;GCG3iyXi7W zI%M}pWe?xQ&lM#hBwS8G1iwLkED^ziH=uk%lujdOCqA^<3Dk(FI$L877VqBvVNrmz zR|%rf?M~nJ-=1=!v`b3i27b5IPOBdJ`TLC`5M}4;GS|RIl2ib9;aj5^=VfH2SR5^{ zQ)v&ad1^PjPKyC-j~BbNN0X6gS#=%dghojCQlZ(f9{C)Mmdb7F-aw4IMNQ3nbB=M= z;6+YyGnyi7yto%*h+0uQ*wn*OhJR~Qht%if8KLC1#XH@2(7t9|EAY-$FT%L>8TN(( z`ReG`hrzaPxz16+{~&SlR1JDcPxy7~fHT>gTFbFYsoufLQ#X>;@%oWEcDMJ(_vv5* z_)Cr5NCRpTZ6< 
z&2>!&vMw9q2sY5dtH{zJB6gX2IDCJINyft*>L7Qz8QJ%*WS>?NT#|hi({{dSNeyuW zgkCfVsXs#?RbJ{H5|6KTyH^~SEkn(Vx4Zprg1Be*6gs!39JHA#;-;>Uzg7=|XgMsQ zu*QXKEE96$r2~09+>ZG&j@JzYd_)4*?_rN^>9kmcnPo(*eS{nAbUAKFB@|=_sL>@y zfQzx=vBFR#P_miqs}b-#eoz372H{rylfe%WsaU8n5VjxWWV+T=iSWZu7L~G(aaR7! z9XiTf3C9HbABAJSbl+4Arj#_Nf-#Jsk#|1!q zlk|3YZ1Bb9%Ov(rN}{^vR5i{dw@&4-=gTcV!eR*SW(cr7BTsH1kvKf;m^Qo`sDEs8|cO)$+{w+xO+R8v^FQMu*7z zbtYL~^Kn^?W&V(R^k5=kDz4xRN~i}{QDel%g#xIW>GbnI=nW_jUySh;bsrtfIeh0X zyW0+0L)SZDjo73!zeuV1>nX%P6Tp#;>a81w+2N+ zZx1Mj?_}+-9a&N$`D8ay-@C(}2$i?`PJQLQok7o|njYpMzb$<KxdFR z@MYA$F(jG9W1mKP*)IHu^ssDvB?O4o-^5Q&?DktWY%vkCqICi;aa@_`8i-IRM92@s zo8WeniKa@c)**gAk8Vm*%le)wmI2S5!1OBMR8QdQU_)}IrKG^p!nUqzHP~R!;kh|l z!DxRtXYc7~Gc!azK@bb*U{s&JI}SDNdS2!lN)7ZB6Gq%?^qa-89zD_c9o+1g(kux5 zN*B#XyQa{~|IQ1^|E_JnwlmJoy<($5thzDrVOhJF&yjpCgf6FBq)ykSCVkj9b%{;h zQ;m#INVSKRC}M5LGXY;;Ql<_e9eo(QT{d@4pQ>G5Lh$E%dB7^V=|E>WFmxuOR&thh zflk)O4d%@uX{1G-KAK@ZFl)NS7EZg9mlR*?ou>)Qk6>+8e|PV;NvzWa5}l63DDLBV z6(i+W(FlTs+s~lh9H9%_aO7d(BoTa-juH{;eDZE1m(33N zL?t(T7DWkP`jf4i=puu^aW?~Fv+eJ3l~G}d^48O9nw+T^x7>gzpLWB8MwAhKNXmt5 zSsqqC`^EiwoXTS@(sJ&Vy=(S(XU0rF3GU@v2ZTdWCyz{#sH6miHu{7^4TIhY;VF9< z>{*_1?ey3%yVpy~Xk9h!Gxw);78yL^GGT6PJKbbyTA zz+TQ0#Row{u5eZ9gNoJ7dV$KfUwfm+(k1tIcqo}dkoIZI$z(ozFXK+9zAIT53N9lO;|wVPVNP zwWZ>_-@eTgSuqOG^|NB4;|tNbFeC}Kr|q20K~?VX%6x1;mvuaoA4aoEc5lmxE6UH8 z59)a$7Y}T06TuIR6&SdYfZ3E)H0Mc$Vx%1DdcxHDDV(xgwIBO1+9Vi5(8GiH3sd6j zQOaOK^2Sqa+1GAq3V%jGuCdKF305ETo3W&EX=w}ME$Na9Qh9~EDFoukB-ND~&=J{I z6p04wh7>QfqoTFGhEot&x*V`%-`#D2x|{V#f~F2Br*mzvm8PkzN^6 zo>G=gHiNL*TpzaXe0+dEQ+z1QIzww)1eUw>{OU6n6PYt!c7)%EEY8ac>3;8I6#2R0 zFGoEINBWS|d4BBZhC{$e6ZeUpDq38s9+Y`(iar+>SIp;HHw7a7G1RaO{wu!7x8EES z`Cy%l)Od=`pPz0+gr!Zl?;A?ZDwIkcb|};Io%Js6`*ra_yfLZE;r0rRd?KTQNYErR z!*e+**dqnA;)w4i>)1yoLXY%38w1@1evhn;}3?f_+>Y`A$&_SW2R~nOCaj| zqFHTRMRYQuYc2^|IaPZ^${L=)+-(7pH@u{XakI=ci&5Y1pL!3C);LXwnaB=q&tol4 zY|hC%RUK74==I}rV(8HqLu&zTg2($u;Q^Fmep)h4Bw}z}a=J~oUy`Rw8QH_OZC;xE zvTb<3P7d;=B^*P~v}2}_x{k;ezYNkcOcu_o7X@X97CCi6c6tL2d%bx|UzgV;rBYN2 
z8zzqs4IBKNw=;I8dP|EPbGq*$%N35=`#59Bm7PrDrH+mLnzf81M(SPdsu-+>4HfQQ zzJIQOl@NW^`2F%a-fM3>hLaPJ27Z67eR(m+F!Pv?&H&q_7I~r20I+GAf-!&7V6;VG zG2v|@(o<0LZ7>16B5~6yo+b%J{2@w^bob#Lauf}7f+xT#UAVP6%tLh+c)iUT&N3(? z;J+8`F}GN3aS?)?&uzurSsQrjd3cEbv3@o;J2;`UAXvkMXEf0rc(BWT)He(o?hBwa zcFHlp`QBGMQZa&gkpNIu@BVCLrd7!$YwK1v(7W4yc3e4tfMmJhGd8P4LUN%z{~b5M z=Bgr>z#fb{sN7t(dsEzZkdvU)VO2Bj#}8t$vFm8=&#Uy&uz|>WYLQw&$ct1A%*(Iv zKPgt=>SDYinACi|^EC90vg8>LC5EG^A|Z)c<|G8$X7k_NABt1yW6I6h(^k8-r6cUE zg?Ww>L5cj!GUb;8Rb7jE7b_*7<2v@K$J4wk0MeCSF+0f-!#j{=rE$t$;X? z-B{IVvq!Xrsn92nmy_qD^73HEq!kj(Rqg^qXBE=GZ2lcQuTmBNW*xitBF7$zLeENh z&=R>-p#=OS@|s1+|0ie|>QP_g^>qfP!QhWh^V;Xu@%QKv=ews6@v+aYnsxRC&Hh6h z?@VxtjY|NUek(06PUNJdp(m&3Hf7$97uSc!Fac)V;)pEAg}eSeW|f2FkV{J6Sntu=8w##()XXyC z6$Mo93JpsoLlIJIsirqm8(A2tPD;Kx3xi@E(GzBC@d(&1I4~_uZof5pll3C7GFYkz z9|f27so{2LO`cjK>{RIOeKQ)ZEy4h8 zBzU+gHe0&?Cdgsm@OAFrdDxhV$RL@>d6DOIz6YlorZ6HQ&GOnfO|Wvf%7%&R&z@&fm9KnCnf^Tz zXgwO2gM%%EGf{-fGibcIi`cC)Nhn{66-{(HSV>YeidmcoE+aJn9u`T)PKNtgxF#|q zII*@)gUdB&Xjaan%Up)r4&H{0$!G*H^5U$Gfdt*UL!AQEpO%pxCI1P%(b71_$VIx4 zRQV>CRn_4IugW}%Z-scIpR*YaJeFzgJf}l(_)6SUSq+eqJ?k#7@;ND(pi+$?!8KU#P{Hqq_ko zuXPlt3VLd18gUS!%vKz z1_0@P4sbN^J}nc^*uN^>gQ_>A9TI!TCx;p$h}zCF$U{5iwl6*b*IVDdPQS z`}t>;(YX?|HA?yQczFZ|4FKFTjFu?c&=w4tKPT`@2T-fS*pJ!4ok((4kUSdg`=q}@P4iZ|MRm!gH;kw?x7g@; zZKZg%#Q3Zr!K-<$b=2Uo&z1w{SK@Ey_H0I=&7Hgcdq?xMZZ%mzCZTDyO2y^ju|*JM zJhJ?@5}yC+mN=|(xQ>mfet0o?cGs?=`&VhjZ{>4vEkz|;66_XQ{G@OawfAdF>H@2X)dT2J6QlG14;&9BH3< zCBCQYnLj@|j1LUUP8m4eB*0B*o!;^Jtq568k>Sz#g}R+rOE9)+D5-&?dpy+eY4SBE z?x*QO_ple4udQ(kyt-dj3KI!ofq52epT;Xm)Z1b`AE(lHZV*;y$Eh`)yYWw~t7k%i9L?|+3lp5)b;?UzqrC=t&+Y5g9zwS7jpDAx`89G5PgBx_PR z+p!2X>Lk=-05Inp7$m2FLnc%gYHy=hN|COIdLu}P~ zA3@@>ttV4}SB@WrofmKs#+EUTN0EJK?XPL-wiPJqIQ@+a*5L&}OB z#(YNG`^fRpd0g1)5$&Ac-SzinqF)=eLQk|4KayA6A;qlj1^Y1x^qW&J`69EGj!Gw` zNY;{f&#jw}EQE*E64J^nkLS5eImcz^6=Y`kL+Fm)hIQXljZ4`beEYo{OlR#BrGA!E zM-vB*MvJLmiR*^T{fJk~HM>n{2gp%_AjSi0ocZ z`P5l7_PzMQ{jlB@Ygiab;o{0EVw>}FekabGvSg5nJcGAuvg%#ydiZEjxp=GpxR-4n 
z>J9AHOnEvJE&L0SBibrnm$N#jx8+gTuABr*LLYrpG%0ReB+LvGr|pk7adXG-F+Xr; zkZe_s8xSqzAyXF@F~qX3cMhE5a`~dma&$b`SZ9faJ|W+{t0Y$^h-ABc=y{qIUhp?g zSWsGbL2-N?m&^eYULluzW>j!cR-wBhq%#!m47&W;cx7qO>_CTU5pTP{CCZtdrNFE7 zU=0M^+p(H94$7T%8W*q2+Ep%rkLyN~#|wr?D1JC#9$&PJQWl7rSCZEGK-DsKlT(&b zBIDoD9#yYfE|%MAS-Fu~MVS2CQ7=~-8kloHW3lf1N{fIMn4mpR;@~q(^qBW^&jLxk z*#pP6L71Qke}2Do0u6oVK&J8a$5>jp>_BW`F2DEQEupFO>701W&Vhdb*6Y-`XfMCW zp`^GKu7N`P3(xSUId(2c2!i#D;>F0$k(IvlF3q^DcLh!s=~-WGbeJ=~nqIda`&A)I za^TNHPJ$U8y`~aGZvNX{<2LhY?QTG(Pb=8#XCgUaTsk{Ymuu#>xgA2_+q12Crdn+d zk(k{nYjaq;D)WJOz(semeTdqt!RH@3%&*P?i+_oe_XrQe% zTU{Ikie6L3cl|jWlvvcK>)be0i_XZS_pk>f^-`s>9gBF&h55SUV-S*7eS1Vv98Tbx z3eElA3(pYm;B3)ay0S{AG z1DHb7x5xF~U*dXU(tw0U@2a-YB~C?O?Gmy#Y;U`3_zu_EG0of8jozXN8G)|$-2F8- z4~+o=_b?{34}@4Wmz-8iRMdD~_h*@v1Jx^v87%XLIdr2JcywY)C@6*jIPYOuMvAsf zoyRQ&Fy;Zh9xefCb;Xs`slB~n{m`7I$z+R`=(l7L<(C$Qqe{9UB&^hjvVr! znw=nH{tH7Au2*n=8lG0ljAzTp9sab1PYl9>lZbu%Vro51b5$*?o7@A^UDgI0k48ef z0b*$GA4gou%28Q~;JphxS!to)WsASsZK_qMY|W;q<{pr!@<89v#+tbl;%2sy9+3KS zADlAguC6n)t#8xFt|;UjLV7{OZFuNH2sdA)Uk^tF^O&BB{6j?h0M}1t7=3`Dr?KdD zNPiv-bQ)|Y7UFMkur8q99?+LwSMduk70;-T^KoS}>#*Otb=(b88HaFLEgI|zE&hG{raa+$P$%H~lL?x&2HhwuioilfOKkFJYozlvOT5-O z#zW$vuScCtlY$DE4Z@9-!B`|d!sqzu<^^iCyz zg+sFj)n7G5tCnx#kUyQ|&s0H|-s`zxRU&zb1xAMc&*jO<$E%E4ixBVK59LkkHw7z++2px(iC+yH>_iA5UfJ1Yk|Dh-0GFe2@4e61H`k}SMoP0dVm ziEtDGn6#!iE9MuV+ake$_;(S!Se`+&O{pvs`3Z9nA`&KtO)k&1&7} zBkuZ4y%F^?-!G$EDz?t0xah2=1Hpns&(Sck-hey1mm4+BV2*HEuafu|uqNWy&m=CH-;j&pB_+?8Ar=Ghhu z=c47L6!FE-PTF`7hr^Hb$^g)0J($^F31wvI^pTLOq+4I5cZt`-D(oJXes$A}-gK3h zqSNb1pZ?*ytulmd54$fdPPkb#rptfOANmcE#FJwo7KJC&-PAzN#zNxC>xvIr-+4sq z4SVy<19=KPg^jY&V{X#bu)tB80nHpQ?vvDm&*zhVe=Tnj?cR~vz0cjJ4&@bKZVAkW zc)*%5#G~_A5Tlqf+x97)V-Y{k$K(lFUPGc&!W#zepfXrz2x{~6RWU2C3BkGAGE)ii zG^_)C3@nc42`!&nJ&j%Mp7;guk+8lUbG0Lyq2&lD zs>bky%7hIGT5pO;(HbOd==XlsJmvVpqH%csz1NmbA0vsHFYmGw5Wmu7JcZcOGx3#{ z1u-iMr>apZ6sYa@9w~&yzNmd{^fe~x7&fGMt%3@=?E(zA!ecR@YgW@nPkSAHypj2) z6y$)LHxi>6P537;d-fr4JXkDahsa>~&d_*7D!vIIt0g=Y^^5*{2zxJoh 
z?L{DF@YAYkP|am$pcMHb1edvD?!IhlRMj3k7nw%!Y6mo#8P(Jq!CAHK=P3?$=*DqM z7L1cXBdSF|7{T-r`S}!K8eSO}++$l%(qVGby|quyK@*37qV2);CGM~TXzLEzpnKVu zFqX{8X`4T(nidzqNJ;pK5?$D|q0=b*9W%bMY&4NiGutr&YB;PZJ^9NLmyP`S1s&0* zlIlqXYnV6+QgHPE?zgm^(x4335ZNVI7UVQp9ePbQY8QU7^+-mPw&yw5uQIFY$)jO+ z%YF4ND$P!N!yY$6n}xA}j}3cO*btOMpEfxC;$`S}4_Gkzs$#B*V5Z4?o%zeC&A!w1 z1A*J3YpEzC2lCn3g5W#5g?^45Y%DbNU=$?vmO?`8@pwlPnw@wr1RSxo^KTDl1!}Z@ zb4BWEvB!{NSLdwd0H1FLcPd=^lkW@xttpdW0EPrtrrQ(?K`rl@S-wc;s2Y_ALEcEu zrnG*GwNjt7Jk`zos_O!=q*Uc~C@X7w##*`kYIgPRi+~|p=as$DDQPcNa){qAEa>D8 zbhQLEHahZqNlm(yq8h2a18I{#i!w2;GLUgZ*@N5Pu*2d>I(UCA3pR0N>L-cD)Uool zp&<2j)r>C2OkbXFOucJpEN@z*QCFwqlI73?K0#(zTZ-+j!G-rM@RP9X(?4_qM19el zYN;Lk%B>10amhH7H3W6dAQvMi;-ZwhJ&lT}fRog}D;*6wGjtk^ys$pP%q%Q}xa*zT zB@oeuMN=fDcEd@JG5u#UJJ8JHC-TpMdh|Ho3|IR5h{#s{BE&zVvUfo$hv8pEk<>e- z9#PDci3b~cW6ggWzfUIL-hAk(2^8or1#bO_nE4vu4F88Z;&=mx#-Op2FQV2yqVG_D zm*@Jco<*TuH9BsG8Z`;M$W?M}crY0vp_WxRh_%b%B8f!M9T}%}Hu^+iZ>CWBoo(2m zS5{uY`MgNni4@yFgTK`zf3!GpE_F9da|X-s=<6EODz5KUpSPk$3B6jmbCW*qjhX&U zEEM#6tgI}ir|pX*)mubwlF<86)<@z^ij1LjFH+N7vP3Zsk4EJq8#J+sO`P=OlkTtB z&IC8;5eWLA2Mw^WRFWHKQER!QeDIGK8E1~yWyjkR<0AO@NAT_rRJKD~1AQ$!Ob?vs zWV(06LFqqle^nyB*nHba!qnIoEof)fpxeR;>lgUE3^@vr^HCD>U{!i41-poMLTAOt zDOtu{zBZ=HJ1cZ7{MD0Hj4WwVNn^q|i|9*BTs!=d@tnSmWUtx){B{!7J02k)nRKD$ zO-EadoX^OW1R=Qcmj0vV*7|wLe(byxO0rfqNS7e;xee<~qVnM(FXoJTKQGdS^X= z61a2*SwVA2vgvEQH-XvRciaFK<04N#vNp7k)P*F`{t16q%Y5R-5UW*~I!SMZ;&y`! zsIf4-jPjN9PDw)i^r8v#1zMpXm*2J6A#@8ksT?8r3kS7(PG?{4%bWX&caJ8NXPZQif1S417eMt0-2Hht0nP%CF~zw%#_Cb}VVZxPwudoW8PR6?Iln;;e^$dM6Po9wqjd)HGqJJT z)pWjsBYDKrVTS#+$5j!hy7<&zsj`FgXOTjz?ySLed1Mwnp>$0#vLc<2mGUdZSGCoH zm~6F&p{4;aL(^9w-Y+|^T8l?x@as{Rs{_CAE-dLXuI~l`X)m+@^=1m(FgONXbUY#8 zU1D0jl~e;mSO!TApA{y_rNWk_(Sr#g^nvu4TQ&jzNjal@$dF%sxZc5QcYqEJq5b1(LQ;G-J|e(Xym8@OL=!J1LBRP)BdBV`#oo`-UaVd-l3^ z1Txf26aN|eatR=&cHn}__axC zH1Bda2k11?T}A7XnAcaT&D6qSFZx2;fsum^ayXNH%07q;0iUv*x&fN_R(? 
zO{?@B9oKQPRwBw0QXGDKI((TxSL~@!Q{%d!ptrk4Tx4`0jC|-lzfbIz5ale5pFbjl z^W{oBW>wR=@a`8JVLOr)490j;PSI+Ja55l=2a#kDKyZ+?WX~`o_?1g8>$cfLLB|zN zKO0~(4sZ1_$%l}iNIA4v%D>_+W?LOY{JL`K11S)7*QIGL^82&YIBF!1T5xRQ>{x}V z@jvRiRJQ&8a! zF*)v;;wCShN<$JVa1P9=m5RDPfYr!W1$QPVY{WM0x|$W<*xX(sTEnsl@HDkdMjX_uO8Kt(V(dp+1`~lpyrtxf{iadBJ+|1_y2JN z&qVq4a1V$%xtE*DRGQ7j=I{o=!kJFEYvf4D7S{#WnOLW{wQ+mvOv!{H9{gDygJb`@ z9sO#Mv>IX4$nP|aM($GiByCpva@G=cz+t$Pd^M&-p>nQFg2C>3#hGGC>&UNfbhx%UJ0pRk0*(e(X9j zGN*07R+MrkS2bBpM-acLZkU=zmDpIO|9tW9hOTz1DMyo(D~~UWqDD@8eg-Mhl%7ty|I*z`m?Z-(|pr6XNA` zq^kIG?APnev8gKl>QdOTy+DA!_G2rDyfvi`VBmM6MIMmNYyns;d=`O%S&op8-RX`_ z7>03&VJ|oPk?{E1=-->k?|nfG`UK|`pPH3J zfLJY`NtW$oqSz{9owPMqmmT3S{xT>#pZP%Rk-Oqw=;G2ViL3Sb^oICwGqmWgUo#!4 zDC!dv4e^MNBmYrRv3@|`f&-q@Cru4~s82IYEXW8Ky7!tB0&eB=!kavz3jmG5QBUjI zQuA!b@ndodo3(Q^boHy9GWnArgKrqq3P`^RmvHT1?_|rB;yL@y;ijE>e+Ndp(!D{3|qkYhY1P{ zjN}s-81Da7di;-~W46DFj>|OlU2?fF-{_I}YaEbC+qvs4w)3pqYtCF_3;YtV`ZOR1 z6U5VR7anB0d)I@`mX>fL5SyhQGF>Qp%trcZ^dM;u>dNtX-4SHMFpyfo(rw5H8mJO2Dl1+jEV~Sg+>m zF*@N<37(rWc5l3+7*>V?)CQlZl9Z*NQ~u{ZTv&1Q$bvUzc;8VLa<5#ufoZC%1y=ujNcJconZO(rUM!x@F46_AcXSph9o z+dSdF5n!$zly?7s_cd=}8M5M%Zzo|K8Cum?PpybGd013|?qh?E2<$e=;+YS)F8AY0 zAz-;(h74c>&L?d9x(DlDNq&aTpT5a>`^Tbnf=Idr!d^!}BoOHRLwnI8VP!)k!K5;n zmOmyZ-o!yp@w;LGZd3C^NWeBc?cu#i-)ysfExLFY0d!

>Bk+X})ZRO_bGrRs&O zm7<6PGja97VzJVpWgX1Go1Q}>KrxsfCSyH!OJs^J*dlRz96`zEOGDbXl_kO-t*%9; zCEgPR*Gr9H(!Tgw;Mb!+mA~%LMz!$NnxebkI1|9eM6!R0rF>xT0pgd-<*^*4k{zK= zuX%EAP>B1|N}rMlfcRQ@DkpYWc+zp=K5-xIyLD6PB(or%xy!PBQ+g$hXg^{VRNWL| zIv;3!Oe03)Iu4GEf+Kj|Jz9xTgKkkNP}Gg&iP)>n~WbcQ8KaTXTuqfluGht-@mu&iqUZ{f8Km+DPH5zWAV+(e&%#OKGyssl2V<8`^LR>D)iqz z#vBK^ck{!?Fn$IDL;k0aadGvsHFx>Tv7G5>gSL54-|3atJ)A|*E5NJ>;LoI6a$}k` zmluSQv`z@qk`0m#I|M~P{SxI7WzPk7!)VdF^J7Xv8UE>9pZn+*$vRVy7I{Fd*aC|L1fw#3-P*7xrBZ->Fmjd5A{u%+)_mSSrJF zHgy)mrPIx-=K(AY0V#!(T*dKmo)S(SkK7*jSQY4{Z+B1Dwe0S7nuIZ4qCHGtu#ZFCw{tHNxeSQQSBCmou0ccg2uO>iz((kW<+$?QflkR6WJEm2i zs?#fsI0xJHyx8NH@S|nYX*dQ!r+jBX*G3Az1$X@g_AeHP8_WP=0=r1EBof{RDO$z{ zl)RGgAzEbI9&Ldg=zK~Wka^$D3e%ov3B#iHJ>a6eYv9{=2v^R8-kLez(urLgK6Q8N zW^P^1C%LE6=xCl^UBW0g4@U=%8DG}Ww_MKsF35mmjGldro*Ra%Yu{ag@Sq1;(idma zr>?>|fg#cK1dNgS2lY6#J~`@J_G+CG*u*?^8e@jAURCKJb#z$k{j)jz<7*?{`6V4< zB%HfOpQ=7xR!qAGVIp-i)4t!iFb+Dg7ezTbkVK5cjTkt|)0)Ot7v@JYp(|@loNn0f zgu?-taw(p>^T96>I_3qmxRr@+2^z>FIP+dAt;_nU=(K#wKyMH1p~^(*Ch*kIIEr1TIH zGUz(GgnL3t|1^;?(Rp-P`K+Y~>FS(IBse3fd+-D3+&a;{;*5IQY?uK5n+=DGT{SXZ zN4q4>-uXBfT2cP@ z0BJZ8hG>|g{9EBtk}5;NRc0zEyyrp*!P31R9odUKOS%nG>|cEg04P^HvH>Uk$+o_| zbF|3Mhhhs@{sAJ<*^}T^P|Nw54)6hqmAn`Po3srf$cuZ4sL(B|+g@Z4zO=5W5D;L! 
z=zN>M0???W!L-O{!59b7c97Vh3cVuW$N-c` zhQY6pLs-F){~A>8fM@x1&u-c=fj5UjN%IHtzg=O2)Jb^fhYQ4p00Tq(xc`&e-rh$pc9L46$^FU9WUN5p_~lOM zvXXDx&(f>6q`_GRR&DdyDAOrNi;h!Hm@%6pdh%`&m0|yeYLKzVe!fB8^X1gd@XkOrCs% zdwhjp=30B+O}?o~t>?z!pPR`d%r8$J87%o>(+d*t)DD$T(Er^~=fgznLU1rJI!G`u zlz;mCzbI`?92{)^^7@e~EA}faNN-q5aFc~|VIJ`4y)Yrzx`;?Eb<)I$OF0ze&A90L zg>TO??iswefLj@XJWo&0JOzuj?ArTi!a6qKnKN}*s$1%_Y|#GuG}lKxQoW)J!sMB% z?t)fVU6~GY$h58CpL9Mz`XoMc)s?N04`Px7q2m@6m=!0$Dk=mkO?inqNll{@rJT&- z0sZYfzcaRWvDYYK^2r|=jT&@VB_4bmUn8i|i5>~VDfn%0DV@q-`MjUcw?3q?xg=ek z&LSea5?V^@EvY?1^up`tWz;EDa*@g60!N$FmoHQw&}KVM*OazVm$gz6uU@ZiljdxR{%ncVT8;ddBqVwJF0c0%kcTdp znMCpAD)vRV(AGE9$>35r2h}L&dV9Nes;^}!Y03G^%NJeyX?PE(knUAsjXoi)DB#s5>Hcdk_q2MYu(lo9xL}o zHaiVFFYDV2v19US;~k<^;d9sfp+?Z4*|o!4W%DOWq!At)lzmykCpgG6Ii?G0_Qn3} zjRG?_wlz9>-8}V1++qTHE=C0ZyRG?K1X?5?_G|PpZ^8IztFD-Xy{oystD%~gqq&Rz zUpCyQHlokl`)wwHT;utnE_SJNpbbqd3}I34vI zxW2wa1+N*`1_fLG*#4%X#kI*XjN0Xr|7pl-d!treIjL+tNN4omp%^K%Q&sUxs21Y_ z;3Ome^!JV(M;8uxphV1EzRxB|M~q7lCA&w{J$u=e)=c4M)pI1 z)#_pWW1akOfWQH`zY})-hpOxED1RsV`Zo%A_yolN5AE0A0sp>y|2JSDG!o?B0ROX? z|2xXxC+Po10k=Z^2g-k@>wg#hdqDe-s4Eua{|s+`7yNsG_>Z7I_P_u6zrw}eh5zn} x{v*ta`w!v&hhO?T&fiD*e{hKKApf^950HcYu%f?WHzL^Fhbh|Of5bPi{{zm{zUlw~ 
diff --git a/spreadsheet/macrofree/waf_checklist.ko.xlsx b/spreadsheet/macrofree/waf_checklist.ko.xlsx index 6db5c7bb8595e56efdda3c74655740ac2590030a..040d312d0bbbb6a98e49319f9f5511b12f2eb711 100644 GIT binary patch literal 198519 zcmY(q19YU@^EDjXwkDoTY}dtAt3=MAm4h)FPH(2ePXwz_Rl=6sHyXGilA#frvf=( zSDl%&j)Jga9S;WS$b*bG5><*L^*i`yq|!LLQqJL+?VAyJ4`e&0{Qt8AtZ`&DSm3YN zL4bge|L+nEZ5@pNSwnEVu4N!S+F(z_Q?*2+GfE}m+A<)GKCQN{C2qZ$@ivqc@UTYb zyr{~FwNG}G_1f|1@ZE-T2}7rfRnHremUBdhV{DRq)6N#F*PIz=1}$LsMpgf zK4X+`9sV!4JrId2Y5M6I=(MzSEIIK$)57QGcPJ!00YsD}*RVn`?RtVrCtr-HsVweR z8(DZj9Kv%NEGqKd@6OI>07bS#4i$pEHneOT_+e93Zc|_>^c=Nz-uJGI)lV3r{F$Ja z0)H7Vm(API;RmW}rmT3dMADxvg}h~LEfsu$C4aPAKN8v}Z!>mcq%wCDXxNKz zgPu@pRhv$+CEEFFRXbY7uHG!)BmTdcs}q4gONaPM95E0O>R0C6tmvG~jIE9T_sH;1 z?#?xS#-g&J`P9sR>P>p4dD4dYB}nvJV!1S$6^=~AoYtLReS zS0SpX6q2Cd7x6(r&(9M6W=dRRx7YIrS8zt9VruSje0$E?+e=J$#Jnhi!$%>en$Ae^ z9I8VaHP|d!sWsnNy;M2DNPsc*o^TV*SWFT>?SG!;;|iTF4=M!n_adL(El#Fn;k8_2 z46&h^zG4{Fv+5OzKxZDDxq$To^H4JJj8SS*l4gQ6W(RLtf&|4u-RG!|rMA1~Zp^J{ znW7^|G~LNidSOh40@wQIO? zG`%84T--d8vhOiyO3Q|M9NQ@<3x}8zAbHrEq=y4b#8<6Kq)w9Ou((gBgp zLI-oWjAG_uIkQpb?4<@sy?e!dQcd$^>Fnu;#C_7C(_EpH^0aC^?G5? 
zcG68_sORmVBGvcpne$$<;C>@9RW7&l>EpD=$H&UA1&o&x@Mtbc+AbP1Ba_n)0*@L8 zdhLSp3SFE5CJST^zB1kQxwH0KKwEu;|sE(#V9} zbErOaOipDQ4LKYgER5<1zs@tiFq`b#7{%((%}^GF{%y9Yw{6W$imgCNxc5yE&cKy& z;jCTCu#b$8(kV2bwOBOqY!1{Iqg`0(YJ6T8Nvmqbp+w7lhHZZOANZ=SOSF`8Dg)pK<;ZzzMO^ zLFQ6O)tAFmxOxVPn=VR~>nq7&rXVHVxnk%S2S@lPO=-d>#CstBar{Ghp>%O&>f3_uD0(&JK zG#9c|Sw4r$P1baHtBhqW)8{k~3lOJ?efM-K%Z50cspevPpK;aId+As*o%c>xdWIjY0qqMBJ$cM`;?C9h> zb>0{R$RhPxEFc;$=MzS-vYb{es>PO<)Ne3%ETx@=fkzZt~d6*)kP(TTRz?irN|EEQ%-f%TOr5 z0KgCu?k`XuoD1|_noJ87Dtw`I*D~AujXhxT`*LoD3pL!AC?or0$q+A&+vu%CWS%Z$$)#!mp6_T(Yq-+kAV^hz zdZ@}^Wl}N3bW^a~UO~rgO1+33`^gN*z=gnA+Sv5+CR>uA{j(4K6`e?T#5 z5@EolaP!GeN_>XXS*QDxw5UL@t($DkxYJkbic)fs8N8Tqm;zeZ%o6F{D%3qN#?}B6 z-BzvOs^cr!`ROm8uga!$J2~H+jZdMDlvG?{QIFxDYV~0u7 z1DbpqM8)AL?}8|KZFZgGkOCdCDdN&rG9x@w?7Rj2Q(!+>VX!Q8LvkBZwuqqlP4YXO zcMER2Y{@wfP(dlFGhk(%=V@=c_%`)TllC9w0?m@8@P3bi$6mouaCWn21^M&E?<#B&)B+2m zsfxDB7XC*~0h$$?@S2E+E|A}8s$rEd@uojv|6e7OpQAKCtOEgx$3X+a`k#`y+B#S| zni(5AInw?6^sk(qb-^~Qu_w?zsX2L)#CY3a8KWTbwy%0Gso1DlmRLy~WSoShb8+>h zTFGQPI;qaqjpO4#w$Sl|kP46_#|bY?*{mPO)K`%v07-a>lirNK&841SEWMYMb58hl z^ms0R+CQEk<|2d+^L2Z*(ebK0u6$&k8{QKcpPpava*g<2@OH0PFJU=!Q#jXsW2suBc zimmW}+!igq9q}dOa`<(f-CLAvqcKMkvh1Bw;Af74~2jCVhN#XI*fj@TjdT+rEt zr+XE;LOjl=?5bj4I`-n@yJd69hqjV^W{Yz7@vH;?QvIyJbMMvhu2PnjDjD4=RwaB- zmgwtM-Cc9BzffbyQTW;MNBb?b`mx;j^RhV6_EhZqaJuR1$?N&X7VE)IV&@-16XT|- zoC|~vTl3d7xivc9syoogZsdFGi1Ur^kIOSDM|VnRG`Uy6gHDSY;_H=4bmE7;OOJc0 zZ`-sFlU&zQ%B-y!i6F89Fg0`&N_p~3d;*&FxYJKotIQi)VZ7R_k@rcW*2TV1POMMz z{k}S4EOfyNBq8*hKOW^_jS*&rB+ujsfk}g{G3uvbp`5!=)|to6;d>uh5$xCQNoA@D zF-cE7G4%9=D)b&@ZhH@rc-{%?uPQ-@k#J(UMp#~nP<;ghd)7gRdvId9CCY)av8vI} zynx@3896i9x8Wgsws%QWY17Pj-i8Ep!(N7WQEXCcY`ArW?kIG)Bjx&6GA<(@ZzUTK z<5ne_QU@n=e3U%(KT`QBKi{NW9+l5O*Ie)9=$3px=8i;zyKibHlO5E%zJGGI-W1Jm zZ3??c?@%Pm)p*;;!5Ra<@!g0n;6oPtN42BP*vp zeCOpWkGbW$OC6IRS0$;C?sCrhYm=8a-Y0;h7lMr8Qm`$d05;9u(10E@e=L|y!2rTL zy`X#M^iy-ir8y(99CFKCEK3_koDtW!ZBOy55CNf3Fg`PtcoxA69Ad}lI6`b<+wN5Q z3var~U2WeB0HU}#=DE<$FkeAWmk-zX7;jdY*WYeEkUqYkZy%W3k1g%K1xKUW(@L#5 
z6s|mSOUbwPgq26@yp5N_-o&`@I8W~~x1P*6%vZ07lb7=+H?HxPcKs~u|GaOjvQOlE zn?%p9_tN&?M_=%}3IDAvmY(lP&ES{BeIO__#C>DLwK=kt#2Q|ET!8)u|3#M;t4tuJ zGfL`j)(dxD>+2iFTw;5d@k4~=8>Vf~t6Uk~0vR95=xd&BJ5;C98A5%!NZ_{R-gRr- zAXQuWJfB+Utf4hA#e8})h$}mzEc-nMHDv^~r(~1yDVNO-=NsIWEiuiX6tk+dJDH)A z05P#S-$favUw;rg&aUUI?v>BArvHdl-uFywv1fEyX4CE=88P!`MfZZM_-Tq_Z(FyJWAHBzG=D3O3f-Z2ij|GuQDox6mBRxsa(O;% zTdjU;9yQ)laK1axk*7O#l*rY#=b_)W%G?1rc}w5I`+pJeW7)sA?^~MD#!YVqZ^;iI zMf(LG^){$-)=Pe9z|Q7vi%HRU|HMPPiIi4U9AGBN!eAH;Oh6vHO&cVUGe>H-Yf+F2 zj7JB9#)#8{hE_%J2e&Ol>?}g<$ITyy+(ber>db3-2x`%o8}*nK0Y+rWVA*mK2ekG9 z!~037PlJRLIY2D@5Q3RF!XeymO)huMG-%ndU4o28x@FTLVhADAjT0x1yK=Ld_bXGr z0D(3;lm+3}7CvM!otM3H;9W9m(Z241ant^J9gik;5i!GH^xa-_($vqrV02T>`y+4g$Efk*#u2eLE zQX)#i&^8=I0Czl??RLScp;d7)KxeB^qVRbxgZ}+T>`I?~Q%eP5v9kLQKUe`jz!ocl z9g?^-sGa=Qk){KAZ*UxkAt^#DbSxm65>->=AVc_+GN~hnCAnBe1R56mhxyn|M6zrv zv_PvrDXe@w7}@vKfe_pia5g8&R)HjzT=CmU`R5W;o3B9Ex7kdkeOt{NPHRfaUf5t8 z*GSFDn;Sh8&nG2t^l)Ch4dQ2PPCoB8PA|1narfl`@YjEMU*)X`E7HA|80$+}z(!NKc5yfq2b1!^MD{};L{QFJV}(7i1kVFRG# zeS8)7CoXq~MUVF?I(plun=g^)f$UdT*zKgrhZgkB11|=Ph2FX~*F6h{A2dc|G5(C923R&m} zW*yWlyTv-4KhXNr&}+u*P?-Me1-3_Oa^0+(je1h+W${sYRspf&hE9NvQ^ftO;|-kc z(H%vFT z`u4^sS3LKcEljxUWIWAE5(*sIRXkux%smz`qZUuPd6Ra5GniJA$ zlOOuYtCrLhm}+5NjlfFl3@27{VwO>`uqu!gM_ADtd&&*BqA-t@IoV8A9xbeBIT_G&Tr)qW>qskR=aYfq(gRw z>xWIK=O%H_0+Yz8{;tppEb9jZDe+%H+r?w{iYS5LY=~T zO;TF$D`O~M86z#s15|5FZSm+{u;#M4E)17vO*WBj-EM9Xh=F-#R!HZVKw6N{u4Yr% z>d_n6d%aOILA&pb6_8wj@Wv826l>*bn?>;eml`0I&anNd<%y%;{mT&s z;!M!ot$J#0YL>5 z)$mIoqts|4Wwmk#Zw*xvZ8aS0)H_|ra&;nQ>GF9nX{bo*yK#OnsbEByfNL09=3qgp z9bqpMRcrb+?@`@oy$B&PK+Jde=Af>ln81qFD?AU9%aPl~KzwlDWwBAkljdMpj@^?B zt;Dkd02fW%yIcSrsK${)cXpg z)bRt`b;jx?tiB&A)dfqU2wyaf8DL-@O!aLd+&~YCi}JtVBisk;LX{xuzk-)PTbFmK z%$qBl?-x0JT+Dyj1Cf(+gLl7 zVVoqJL5e3#fAl)}S^5u89=KBBbRwTU`C#p8Nz(5a;GxfLVJ@{Q0SsmlKhC$2$d$}t z(;XD$Ukwnp zRawx7^LX)`D=5sKU)keYvqb$(v^U@TT3ORCx%E4+j`pn1eyaHc1hv`Rt4g2LqvK;U zz2mKc!4b8p{+?I}0f${KoCAf6j~EENjp1qHTAiqREE@QgwAKl#B*X3w9wU>?_(7_OvXRxs=)lZEa%7gyg%8<$M*&|#RjOJW?=#a@a 
zec_=*t|27r>C~gQm0{ot!UFws(mpnMdWFyl$_xqNw{W=u>)7)3Kx9(#^$rqN+;_WE zGgNI%Y4y0V1JG#*NQewmleV#3ZC)RZ-kkGo>lTrXOzd3q;+}c2bS6DCTb{Zbd8)Vb zn>H>Bsb?2c2ZGKN_Gw+82Tjgtg~W0oaii0}Kw0huB%-&)`eK=)^E)}9EVNqyf!|-1 zr-MgUmCrl7#gJQUJ1O#tgKdLb!xP5O; zUi-#_nut5P#Vqp|@|3+xXym9;My7Gy`2*lTu6W{(%E55|-HE=hov;)-X?3>dA1gaF z779qhiIBG_{1F$b(1#{Lue6<#sO)ndbW1v!;5Wx;FDkDPr}%%uv(ZWV3a+mZZ z=eONxUbz;nwZldBnwe&zI}Az^9nJXq2Vw@y{BS5K8$_<#Av$#9-CiaZWO2w78F zq=GcDL#cmXOlTigHhj!T$O2}IQ(~NCD!UbA)`0&%M`=G8i6K-{IH)()8ATq2F}G&O z=?{Jh2)C(K(z51c>{=SeMXho_p;fy8`-Ur&p@(no*))fAP1K(7!IF84=uCer{J|cl z71#sI9mvo{-3IY5t5h>s;QN80=uir}QBgljj&W1C$BPS<{K6hB?#fL!fGCvHLthfRFe zPQLI2qA9~u76gJw0^ApqK+jGk0p{N{6dKHP_5$gLroDN;uJD=Y@~YerPzNqls7<$T zq;8sYy>+hO=hSn(Proy*?Ao`yPnWY#upUIdE76j@s@;?fTevPOzuMl(-L$_>Q!~{| zt}VYWT2}a~6zQ1OOptAHkND#Jc2KKg>$wl=S~D^(OA+)QN}-7@(ME@|Lz8>6HIW@{5%3^n#iH9{@xrwpLCNp=+!*!6LY z?)(zKDK!ETlBEm)jhF?YvZKd+N%z?bCs+&6b72TGD~Bv`n;6wGVrRH!+Hd-(xBYv) zhh2r;i>rFmyDa{zZ>E18p@qxVoV{0|0E zeK?-E!lzJKba845n zDkEzU52Acy0X7{mugKOg5!Ac%P6>;NF9@zJ{sVY_>6QMLf3!YQ?j+31*Z7i^`lGj(OmS;~EPb(jqX1S)v{Eyq`bDB@i zwIshlfJMF*E)#7)p5NfJAk;4klZW5Q%i31kEK7cjJDBwfzN+jV7^-Ct z(Fw%qP39O_f$}3hO|0G`VDCT#!}^`X2FGZDuZr>%GqMss&9Fd{zq|JvcglO8}W%>iG85 zMC?VPD1(+(nN<}GO>i!eqrpit`_62a&rr!3J~PxphO zcwNP=0xWu{`yjtKUR&@=pQta?AB->r$!m<7QUr%dF{zWNvygZ+fRvaxaw$IoMyGN^ zM<;IkZy86I>wpomlJ!A;xx{ky4LmrN_y@xQEYLqQlN=LOPTWrS?i+%#TYOVffp&U= z8wj;6mx#Q?2#cR+Ho`m$7N^gb4MJG0Nk>x8`=%Q&`34`TYj}KIxICbvVozd!{3F!J z2>rct8>B|W)c59YJ<|%B3RG;d#kmZi&P%B^kWv&x64F$KWve3!6|fTWk;0kn+zDVz zsSzP&WBw{4@lvGAKye|y{#YjwX2pJ>K((zvu0pHY&)R;jNiEM0AyiDMU!p_g!P(uv zY`^%x_j_N!=!>unvKpd~gXD$O17B(g#xrv065FBSI`)+o8(kx2~8ZP@6w&I5(P6kRS+4ROb;vvUC+WG8d zCPr^*&l}iG3UBAPxtl(GuygcnJSXjVyK&jR4WgpuN_a)&Y;BBhSwYuSln`+HxbECI z>t5~DTTuV(SU+1ojxMGL((Y^#f|9pRVLBKgL4zPNGQ!%;sSr6jH(>+(iKUI0%+DN< z)y3i;%CBqPTZ<9$^afN;`+5?Lywnk=Kvfc-xtjfSqMSRWce;OR!)IIutYJZL ziK=T+J*Eiyj|9}t*A9Kqu&A_Nk{V=S#{(1sk>(a>HOm&2OV<(W%F)Foa`rhCu$5In z7MRDg2bdvH=Kg{oDbf>p?kQ=2S$ZWJk^z41`ml=$IB1F8W7wz*wI-=udYd(uC+*5u 
zIhdgM&VcO{oC8h*E<2MV=B|=eEcQ@BQibRCSwrS9De-8Bs3bl^c>3j_*q*k=bW3xq zO9M!{QXF>>Z?1L9k~8|-m=C~PZ;+2`9eJ>3Ecq+;qg1hoa zXCq1nNVL9uMCjX}X8KxKwmJ}`MF9Cf6d#u>J4Y-+sJEe?LTqP3S?*#dv^j&B?~y2$5_`gk6t4vPnR%nd*2E2KQY6gAV?CC#ke9y>pQmC6WV4P z5+ID5dNPFK#`4~(6I&(~-^_-9c;-X0GATP#k)$G(Z7nc<7u^4bHxDG+gEo6g^=n^z zu*i}RstMLq%!r9fo~Eye6j;5nS8NZ6C2u7_t`TzLO5kV-3`}P z-}K|L_Cn=65~9zkeqgi$Io*j1wo?C50{^S`048dIDvf|BIpP;mEw9 z5~I>D0= zcoU4DBMI$@2ccnA?(v6{x9RY99mC%+vi1xfN}lIC_tt>s zmy?x0U>qYU{e&IE#W&?vRR3n^XGEYC6+(Rxdw)uKIsNw_D2YBP0XOAJ2?Bb7F(SiY zs4-HPVN(0JAK?GhJkMp0-?T=8x<j5p4oXdt57_+XAB`upFb>vh1Wc*z7{zI3=gEavM9@2RkQjeX~a z^?~V~Nymos(Ran2%9gD{W}Y8POj;Qi%iV3jY%8GIJVn6!Tk3KgVakanhi^miM{rtdc_uK-ZR-5 zW99WiFGgkZAj7JHtT{QOxtD4=rI}(f>7)ifbqbo5%p7Uq)UG#PA^zXs0;@33!{j8m zzJl}rkq-*;^KJ1+(<>T&<(HP4&!F%!{bsU_xtpXu6Qp}mz3ppW&qcrE6Nw5{=6F-!N>U6O-d%1yWLjYq??I?aN8q0J^380vXKoC%_Rz4UnID-2B(&69oU3Lc>=#wLtw~B8?y~+{z=6@HNp58(S1p z?&eKUC5gKl*$Ws0Z=@!npbS_i_|NUq$fN136EKjqKq@Vs6WOzp6vKjubt1|P=(h}B z95ZV7%iwY~ z>c5cbJ7NFz0O5=0$z*3>#-#Q8+n#`wHa}6(ZWvbpgz|hrYK?bF`A(q)7L6G}4SqyY zeKTi)b#}nV5$igoLJ_K*N0k4sjL21>BYNsBot=y#3X>m=58VNa^)-Qc?N#9(XT)AL zzrUY$m{eNr-*;u$V(3Pkh0o|la2HdxqlH&E`|<2ZRB z^PpG7rHh1qK?P_FoRT62_?gk!^5~$%$g35d`FZC?N>OsD?^WQ8f9)8Oa4Dy|Iw`ZE zrC`y!kXzf7c*0Q9fCkwQ2vt%l#}EvtxbnYN9zH-v8J~en<;%*02ZY5OJlH6CIrkH( zwwFV%rFV@-$SF2n`pc;S`?3Ck2&LWBx#I|leSc?1#PwuF&dcmK#1EgGheFwS)gW>aZZ_wZyhWiQmi(rQ#vGB!fVAA$6-;?94nLM8Zx z`CXKVI3OxPkU}WvAd&%?_|a6=1QJOVjJUW&8Ut{uU7A=Xj)4d+M_Jf760rYxH`-GN zjhKN<1WIW!S5=;oM;bE4@g?cuJg9L@($hu|vUhpm@Rn;J_r2b0Ys*S1YYs7_cxvV$ zCbi)A!kLL&X9KDde@gW5cagxH0Tm6_f8$7jUwjG>oQI!mx8NOU$I4wZ0Uc!pAzq`8 z$DlDm4?h+Dr7tXz!SLKd1HW4?pOTqq^^LzC{y$-7b#afk9!N66{jz@uQ?Ri7JKp9~ zdKRv^{WSst2uh@FsX_Wl>wOl!d)enZhq)o)57V^V_Zx`gISh-pBQFGe0_kM!?-est zTuF)5z?rBTg2xmO{-xS06KNA{F#(I(CP}>ck5ki{H3gTb3$eYLO&-k^t}qyT!pE}) z0y_ry-=s>i%MDpyrrXIvspbB_T9-X4g0OF8v%gDPgCgo91O zm|21cv;Ne8jfDQyT%C-rCp!a4Uc4_2{AsU$Pan%0)_fI(U|A5L0n6_RMru&37Bu8f zKjl}xyZ9nb@>%sh2P0H<|8Zc>((Tbr&_K;vk+*s3^>pN0N3UWkuD?ET;!c-M^nH3y 
zW4G5?MU~*|$V6*Uawy9OzTbH2yQ{^F86irQ)Fw|faC(4wa!nI_!G16>z7lW2$SYFUU}g{Li6#D=5kFOQJ9 zyArw5fCve#wNmZn;wh?gULeeO_I@1KJdaE>bpT5G@>eS8 z2z7+{7|4DjD!I%RpIg$19o^XLlQk;6ew{_-Oc`wL4-K~M5E5GgG5SH0F-MHTl^x(2 zxY!UVGXWB-WDx_CXfr8KJ*&e2W4K1Rl}f<2F)f=%#t)J^EYkL|n>CEe13SeuOhPMlh+dYc z;B2cElf5r;;IZe2?a{GK@#N#jr*kU{sL8m0ijg7$Sf~_{ZwCYi@lteFA%xH!QboIRxfUu$0k*6M zRn*$5pnNkob>%K6obDx`>(q%J0SALlEA~e|vHLJLi_AiwDPv*|RM&xvIfzp7_wfjA%_fkRXl|y|# z&xaS?-0YnT1-9NSUaatjJW>%-BMI^)5S%z8e2hYvf^s7Pbfh6~AY$DDX79ev%2)_N;SA-iJ;cRDBJGCMZ?w?rrXDyY5oHh(_I+FM&tPKPS znT}H2zkbtS1&2G#lI9b!Ca-3xe6MUODFfKAukCf!`;kh=V#d_asFCRh`~ySrH1)kL zePiJCwB~^wm%QX(=!qj37~t``?y|E{N2F-_>h>w&q>ic@s6?o!|IHI&S4il{O_<40 zQI!q@thcd@aF#3r2FTahojMG0(yj0$d^(i8S9bqah+P%$Qa=mVcA< zFO8RbUXvG4xhH;&fW0u&s&!K?vwvL(Y;a#Vu>U|A{ zc**7_+^olpTp2jLlhK21f0dquO_&x#8oa6+cJ%|@RQVJCB{09q?!+sv$%K-QGYq#=7zJ%Ek1drT$phw0i4a|q6qXl7h zn&pNHb>y>8BP4Az6sIHUU3?&;xqne0ej)M^RZQyp1xrDPs4-}wHptJrH|lJJ5jN8@ zYuYmXx(WWD4NZ$j8_>q6D9;X0fvCHoGOP1N&MSFq=6G<(Bh`0qHSCPK$=c9g=M}X3 zs|Rp&(bEM!OoFc14t$s*#+(Hsob#VDH6(93^GQ)ui1~I%;gu*LsX?AI|AsMhFt`;} zyl-nT=0(Cuk6&uJ6ZD`{Jy^hXT@a7BdNc}}*uBXrC^onX$$)(fy-DO`)C%0vX zd)&733lOG3n-a&6Jv74ht_`Lr%+rm-T>h<{S_JLvmAgHNB;rd19*&7bm<1{G?bFaW zOc_QGCnze8B1XTisWGtZRG%`VQKE{WPY;dRoI;NeKO{y&sYzKRA z3*>hYVsGltlg%}#Hl_W1O!yg6%t?snn{%>G)xIWadURC=zDadK62|$2kqb=V@}y!O z`!8G?#lASAcHOUW7%Gp49Jt1^21(^>iq0M@k)b51yaA-bN>nC!p=HCr`t3jTJ~-@& zct#Z$@)(Sr$RSa+M*ZPW#YH?hpl6Cu@f-y@trS>%2I%lKboD&CI?)ty+>%=!Qlg&7 z=XS=|o;GD_`QikxlD^q1wd|wW0*~0=x!JKxYA5eO{fh_t0h~_+N;3W=!DVL-*pqxR z;krg>M043f4M5n~uNsu&?+MMQMf@)K|AoUU>0Wo5PqpHl#z>dc9;Y4p2s}M$bwfds z2NuZb8$60a(f`!gh%=^ma{lQFj4+|y^aN%!t7=v1?p`OgryzscDlQO^J?z;la9Ixa zHO9C-MhU=Qd~yZisa4eplHU^Uj!CE&hc3t`ao8IW@0LZWmo*!yV5t)RV}v72bPxX@ z2jSjzmfHSKnrD+RuLO9WtqJb`g>@`6)Ja1vuNdiRO!xE!Z4*wWOf+ z?_`Qy3f`MlaX0;UH#(WVcEeBVlkC}g(DwF5MaUsDSH=NU^8*VW@=GHV!Zag?Pb)46q=ropb$G=Dv&=}gu>}?%2l=nghOp=~Rhh|tz$&?*3~7l^_phFcd;*kc zQ;#z3Nt5v9bUopO4ZvH;<43dYxQqTEUtLEOIfFgAuG2ae4}-4KnUjVZg6K?37G8o8 
z#AP2`Z(d{hSJXFrwO|EO%Nn9ppl(Pu^D6=+uL9(dnQ@w^YLEA9UA_x!h?%)YbFb55 zm8rMxi(iL4Wq&(zjVrZS8z}3}W1LTG_^91mt2xTl;BEx3hS-E`ZsaweR+T+ZsIT_e z5R9q0F1-A5Iy0H}b>J27o7LKS`ekFq(^JiNe|55>8K}?!WlmV(>-~6L2Z3v>X-bGI z)yc;ERKB`>VcC@1YD^B$obTNZTG* zO0^qhM3(&El2sKskxoGc0`2)9WvW~1oQW()mXMz5kI8D>(rYhgxJr7)GI6@?+)PvW zkVdya$I4%Kv1#|u>d4#A*@<^VE_CU(zU_vzRtDgnDf&rJW*qMhi7h5a;YVB5HXXCi z{E*dSu@R!iGIoV5tBv8*R z(?Px|UM95_jNYfFF~grcN4pc-R8*eB!f~Ib`D4Ak?RmrBBY=NnaG@bb{vDw~rgaxL z+CVO|TYrzCO#wjOO)Y@@#nIhCzs%-i;BmiUUzS>pK7|yC_tP9OgwIBy5Ku%FW~q|? zSfYt&9r)FseoO)p9{67pmMbDL?dfw8*u$u}%$>hnRmC{;c`Qj;A3Z^d$MuXmg>>7( zgK#5n&-vcd??4?;5BOy=o9(3biRLO9o4mDVJrVc;)|I+Rt0c2^r{SbRYviWsV*4M^ z8`TrSxw@)HUuWouPG`QpwD>M~t)db7h4O2%N}uJ%3?(1u2$Vz9FqO~=?9DV;JathLz`Ba+C0Xne6t0hbOnlGk5` zJ(e!->8mk>qyeMyVGz8I%x5mi8xdEq7iEtWN~kPgiH{_WT|$-%Y-$LwhEsg|o3FZ= z$lb4eT?3Lf+=Q77IpyKF^Son`fAfR2gYyEPY&*0%7_fFXaY7Yb#w4-DT5*bs?V`FA zZuPcvftT_-V10aWM>SU@0KRBoPijQ}%Yp)b{aQUL4zSEATfqng1+PvU-K-qfsF_MC zDfG;}L;|}sMH9y$j_|ifg`lQ$Q0FG&fKys@trOB9V!)@ACqDOe*TrvVr(!zbbX43M z2hZzkwv^6BHe-@JGE^=!Vhiva_z?>k`E5ic{O7-T8Tj#!1`rY1e-{n=8NdjQYbA3d z9uyR6ERpaFD*TNjYL6Q}atu2HJ#gU1e?)Bsc1>b4sD#q;HSmWDIClHIX+mY^w%Mr3 zUkCN?Bd?yU14-Vsrb76k-dLxR?^{2URlxaR(uKl7e*WEf~Ed>$a#Mr0HF~eCsI(ylME@)@n@Bb=@a*7O&Poq zW$!Yv^doE2O^h2OZ-{G2AJ3pB*s}$}R-V^N-?jC*%Cp74tMg(hShRP8y%{kG5=$}q z=h6j#KlNDH8-`>;WIag~hCX%bo$!dUWfiH5!DTDs6g9EPxNHHyATuh;BmIR zFHFpDS>4jU6cCRj0Qf`^DYjHJ9R6Jl4M!z|%`>k_sN8GnYq`8jbqrqZgI=kO!?qaRuoI9(mwy$Bn=E*e5$2hjZkDJ`G!z{U0R%_myUk(z&)U1 zC!USJ(0X@j7x&u|k)aB1(Fn)|UP}m~W9LK=^eb-A@;q`DTUYz&h5DGy0RzX>>WEz8 z3OSkyS)RGC{E#{U0!*_l*>dn?J-Of>#e(ZXq)7svpYaFJ-+m$;K!c>r=BeN|? 
z8bn3Ys5A13mwC)hkqL`6M%j?(S_|0zUX#Rua*d-HG8Xm(~5A!Hn$H<%#4 z@akgd;|-+49(OVM#ZwzK8^XUFj{DD*(i_OxORI3eQR21M0yIgvd|WwxQhepFr1>HW z<%4iW%B*oh@t(gmrt{Hx?0TJa$0ePCl+IWJXxy(-gleF8XNl z#OPCgZ|vpumaTgPW$Q9+b2`l z^I?PD?*3$;sQeBs&EO^7GZsAYKrYt;`|*w9EkK(7zx}0olIcv-8%>g?mrh4~GvNIH znEK}MI-lq5#ZgxUtpPHX9oa8tXlu_V;byzfP{_oLoCQGxt5S zv%B-e^i&VM?k_QEbvQsoEkeC;pyO_#`d_8O5gnbjhAFPs{bWFgDSDeDuMOToa_4e;&}l`qgR(W_OO*|FI`NDYIJ8T`!Z=u0@5t(I$De1v34i$a1`2hq~CnL^Fmb%=t% zdTWYKG8N>VcaBak8r$cgPY4pMARs>9geHg1H;R|p;ceAp@&)mp4d3&5@yS2`{9Z_I3w|FWryOL^!1;U?>cVCf_rq73%X-OxB1U0*KVb*`vXp&uAwhkGVu;-464D(qSpejrs4NcYHPtN|=T-Fvhr1=yoz*}3U zdeb35INChC3WKw{{F-sg5~OXq7Q;F?gXcL19F=yasC4=w8=x^&hV4wYbsp1-QIX;o z;c>4S$NPb^ys&uW0SUzjNEag%;4FoU{w~l0r)?Il4-FM{eJ|UJ8=Y$@as|0u3w=vy zC`dS>$(SQrZ<%uM zGS5Y2w%!hWf&iWC`a`GpM#jMVY1B(r!q;_sL0G0D2}QKwlD&#uPoL zy7Icfk3vPc8#uILFmPyq$KLAD?pG_&diq1A~0GK6Kq)Xl*&OlpV{yC&Kw$ouO7=(w$6NFMktrxMKZwJ2zEbGoNvOMAQ_z za--)Vmt5-;r+*Vn$(Sa!_NwF9B&gaxwP0&^?z*DKVEeSRwq|Skl63C-q*)b_+1cTo zT{P?Dq1xWnH4ooD8L_hes56$rJ5} z*X~QvlZ(h)K34q!%rF7^B=MZ|!=t`9qYw;G(V}?^CE8-C~zScEZaT$`q)AHRKoR`Ex)+>WZZ%)dkg5n<6fof zB%i?jM>Hb01GxGed(-=%r@ zw07SsjcX81pJv^|2>+}-!3p{c+z<4zOpqxy(^?~h&x{yz^+Gqf8aBoh$bRZTp|EN` zN?Qjg8db2vE{Z3iz@;d}q!G4w27oSrY&*qU)<$cYW)P}VspFX0B(AZFga`*G5qe#8+oK7#7 z=P%peMH|(1s)!8|&)W7YaH1vJcXvIF_L7yfB=}|N5S{^ zdET-iM5L$xlQZ)M?3vqOvH2;@VDpDdEfv@XmBsne3!A9QSzghXiN<)wMOvjzLBw`a zEbl45?E8VTHBWyKo@?*8YUJ9VAhv~t zrRpY2*MCSzX#h|v99*dhBrU-I6#`h8M2uM}@=<`>2gX>)xV23;`_LSNpK@-+4>iKP zg>(x0kH;NF3wR!)tsQdLl`^7j`#^tnL&eP>UU}Ggwa}I!{f-;+=JULlASUZ830DY# ztTGxop+Qxe(ry{wq!=TT$Q`IO?MP_VcyAsliFXnIA_I;{nQ2g$mtq$YSZ_v3i!pxi z+x%{*%du%UL{(v4p4aJn3iEXEdYb#~*lOP{M4Kj@M?dz zIh2+x;MMtBT+8O6DIvRd$GV}LR(g2i8!47Sw5){QQC`?eJnDnw9d`X7q8KJ!EjlS$lol>P`xi3A z+)=V;X~N}!g|e_VzoVeWSK^Y(O4qyP6d|H+xL7dTE1ESGIROEJj?o_%2LqL@vAzSw zmz8l=GUa@94Hu4crepKT79Q>s3e@wqXLa^h>0P>zf?ZW=NX=8)6N5|LL>geTSJDkE zOLT9ti7tNL#GE8f-#!j4H|}E^f87prrz-4{C=S!I{``Ja`w26)`B=&ED^F#um1L8< zxEv>I`rxHYXEiK_e+9BZ@qa5}`i6Q$t_cz$c!DLTD~~p(rX} 
zKns1-Fuv#Iav`G3vMFRJSXNYC`FyWc3mz@7w zrrv33;SjaakI*6y^7L|Z#BexLqDsh&i!>t^BVl0{IH^iKH_Icg(!yQ;pP7L@pMYk5 z{LjqLZGJz4fOT(VT@mGTE;gReL-E>F$q8<+58QKSP=PXBohFJJi1{v1ix;1X9YZp+ zHKhl_58x%CuHBL!nhwjIh=Ga2FH~Md*jayNL?al~&qRPzXB}~f_!^RCfyyW;y;_cV zzV(_s@k!~6J5&GsyMKiNjU9~7x$-!lV`a;PxRB};2n%_4lhc?LA$nD^kis#ey%=GE!ku20jC3p4#@h4yqQCDygF z*{I1@gpgQIcm!8D9S$%2-JmjS*XVsI5 zqQ4$b=cI)wOcMTkU+1t%J;{OBG>H|sY0l^GT)KA2SHkrJB11yW8BcJ*@dRouHy9$rO_JRfS(k$x z_xD7|ajnkAW==;Tt;`V0G(9u>mQvpfw+}kXnOv1_$EWcxqrml3>7mC;r6pzQgt@;Z zA@R^lk|eCFX4v<#VS6F`Q}dKw&(d*H&k|70ZW2xg9K!-n2J3u*MT(>P_^0Et9l7Pz z2o;uWI_a0Vx{wYU)%bH$!8ERfT2~5ob(SPk_B^5CN*xvJhm5lTEQoEjxdyeCC6GgWLDt+Yyr5rYuPy#y|NGSuG)CUV1k z8IfGglnFnjWFzPoL#vbyr7L-1e=nSqB{$#oKz=WS~&P?N7t0rb52xDnZZN@BAv8?)z+6 zoem|re3M2$FmhmH-~Xq(lib zvfDszm^DOS!j6_+AC{qXrcr7z1B%IDI5SFvORuI^8U9oUgH-_o+n*;LRPSO^ZObdNrXniVL1Si0hh&heB2qA-DtnbJl#JnDA7G4zJ zy2Y;C@6i01HDa?8n;EL_t)@n7;coI7KBuEk7^)xI1u|rHw$nm3p3_kkn%<=traspy zbx*33bZ>&wxqBl%HWi8;QP5}2I?c~piLSMH<-;{o)R9g-h~?{Z8Upc(F|k99KsmQe zc|u|qMDjW>1%%WRJB5^_<0z?`s#Pl4LAKJFPQu47D0;2lf@BqTjf4(vqFYlmMkzG( zJK;%|6jR zZMIfVPI#Lhir-IpI6JyN+$}^6mQZww=r3oOY2v8UYB3lDnVSkHNM{-1gc8nJ!?+n6?4d*2MvTm-~Lc0L@+pTml zKQ_tHWf*8OpZYhc3N7L+=AptJ&?fUu0N_Q%={u|D$~sT5$d8)q^1jFEt}lJtW3;QN zy83)y%2cJ@wL;W^o16@KCF^|Q>^oAH?6r)cC!I0GYx{lO=GBAb-D4SZt-bg(Q+NNp zLE6#Tap?SF&%T0F$P|f)u7b8dRJ6%cMPS%UA7iZ~w9o9d#8_O0kE{h7Y1{sL3+teAFFuLo@N`O@cC9j4uzP@TJP_!lA5^AWqPtPDF0w7t67@93F z1x2lNj34pVPcsQ$OZm|1SYrVanNnl1kB(ps!vw19y%N;a4^GjiNRh|j-^@2aZ};W# z*GO8j8QL{eQ;(@`m>M!CNR4VH;S;#NBB6$fARz>Ah^%Rm$I5N-BS^>b%>mSTO{B8{ z2wY*+uECo2*o4KBSJp5967`P13!g}R1wi9zcYi41R3#VCkkbt~xQp@6>h`x-|0)(7 zTDDaq2@!fFLQal`L*?wHF`!9_YHr}KbS5ShhY9_EVk*u?;%ew~l1R&cL=;Q*qYiIA zCGD_v0xcB`I;LH4u*XmJJRMvR9yi|tj@65I4hQ)THCO|#ZwB@`BHst zqZB5NnNe6y%Py`!b{{4`fp^|qv*c?KwyO?IP>fwZ*{^do@&O)FtOe8Y+dDck*n9CFUY`YP zJOGq5>#waS*>DwDOI)DFHV9omxH`;vPC5SfBGu$)J{WcmR{+U?lzy^yo}Ut90HwiVUqVX^C#*rT{W2Il z!-LEwN=iK+VQHp^xuYrC+a}-b zKi|m>30L%CW5j^V4T`tkV&F2t(=1 
zE*a`1dCPQ)3p%~=68P{`&aTt)>j4EE)5qS86c6wOV^4sAkPnG+44U_Om&pD01dIT0-hYF zNWq-r9z8G~Yqq8xC~o|`LTv_`vPMSz-bcsQ@1e|iN)+ zAeZwqF&(0l>qd;uSQ*YS`-{Da)3Pv6NjJ%`;q4`zYPZipa)bh z|LXul9%UL~PD`7Bp(H}vdJ|nhZALP-p#k9_Yxuu_SXWE?Yd1Y4@miL}M$cAU7A6ef z<9a{Fdrn?W=DkrRqudSGQ0m9-_`Pb1kLpiLS*JGMZu=vT$*S1d8w6paq zqt{p&r4Wp2N%ZTmVJSd@YFJR^n1*fSEPwt5JA*_moU`!%q{PjuA~IynN@5PTSHZawFIo#e{$my^i>QPaeYt+UP4@=*!17X#hYo(15f-Z0vm`ba#L_!SV$i!MP8S5 z$y_B_XO>02kO8YV-Lf~?D=krrmSm8DMg1ok_&_0)q0UV+0XOH8F%vk`^wF+&#O$D> z-i2`E7b!=cANLoiPBP7&(wK`{YiI$o(Pe1{33eJ-$YtK~P7@=e&l1>#ao#UZ-E7NW zX3?ccWNB|6fXyB*+KO0fe&gf9Kv{FxphYx|nkD+{SKzk4Lb5r7G0O<(sFdU!>z1ld zCPd9pU^;c)-{`b885@o&KPuMKkPYb?#)^GW!{SXmc6M1No+T_XA)Ju~Jb>1&Ij=zx z%|*XhtYHm!l=~%Sxjp3&K_Ea*prkfL5fW;idzh;i!c5n{%i!TR>a0m(@LwciEcI*5 z(u#*uMc$DZnX7~j2pdMw`{<@uL@wtpBCQ62Gp5{i&^?GqY3uiw$ve=@lX$A<51Y)QY7OW&xYx6nH^>( z(R-{FH;2@r$$`2N4f|^%5dK^SbEq2o{GnZltH6;2ik^NULMJW|8L3pVfFC7GkRKK{u`<;hz+w49j z8mqj4c;pd+^HoS_#ZFha4Kdo*W-C^ExI})@bG%ch07~2fD8{WO*n(C)kpkFl3*T6( z$ip4zYP@r#|L}O&i=e?Mdggdw4`v0=o&xHtA@X*9uEG zZB7*gQhk9F<|7c1AE7>V1{P4zYw?JK<=sSjAW=no3^hE05ESfTPjB0=gsiDd4ZX!L zNfu0YXCS24YB>e0o0TjMkz)j`Oxy`(#T5Ivj&c4{fvRXSn;oV-{q(^ikClTPxXBV@ zcJKC?Fth$tqCW691c?*6i9tg%)<{Ezs7EZ+4oF~jSxK{I!c0!XP?b!w)JdfWaJf|i zMJN7ImS32DsXMo2DNpePk{B|@&`0oCGtS9)Rd{Y1n1v9<&jqbELh;6Z`<)!DxBKH) zDKAu~4wf3gCV{r1Lz+_~(JCp&&MxU!J$(&^<`Jd#c98Pme0KA0Zc6hlN@oECz}9J) zJYFJ6rsB!y7#ku0LuOO`lP`>E8Syvo6i;nmFmlw!dutpF}n}{J=)QRtU)&&(OOH&d^ z7?Ls+P?K0<+My2NAj~F3uIqZOQ@aSGQEPSopXn^F;l33ohNu~@zU09uIlyOhNU&WK zxswOt>*O8x>8dvJpheE(Jju-WUxB7p9ht69xo;4R`%`M-b%QU89rK$PzsR|<()XaO zJh=L)%T_1rprveuS$imnaR!ss(cs6+#fMo>V((gw0(kTqm3B!+EOJnUjfKf9A0Ykt zm>7UR`e(K71bs2iY<5z-xdSMfumt0pJ*9B5FQ#JS%Sw@!=vl_VI_-)4pvtz@y94sE zm=@)T$gG$d90r5NR5N8!dmoC;5C=v(y+Wf0WoG@<*RE7L=H?(R2yjp ziNv|$jpY{Loq}Y2tMAKbg1AHdo~Qm1gtl59y0DlU{ z3j6_|V%pD-C|#myqrq7eS)~>@trIj32}LAi`C+Up+-g0nw%~z}h<^cxfIJ@i^CQ(h zpTX)2GCa_$doDG+O8s24g?0QxzDUYu+PiLv5fErK;xFjE7#^*vV;3J1n<}NsAg~Gz z!Guew0(`suR}cvmmci_*#$5i00b*W&i^wZFquyFUHn4G5MsDgdyzU-OEnAoe9W7Ey 
zTMTHSjH1HWwxX5Pnodi~Qj^Lt7pGqrm#2{}{2&ge(GVm~S7PC3;=>NhOA`$`cMxg< zbaBZL_Sc$Mo%20Ww;BnjxyXJz<7wor!Ay_*@aw?r955Y7&oyGR4A{Zw6*M<3gNOXZ zVV-Ry6XsY@-yXq_F1myezug-S_#~j0A2#BWdWSq!AH9(Lu)JR#eUE&Xf^45xbBI22 zr_SyZq;lFPkbmy|<;4x%NtqA=$dO+r50wn$rg}0-I^adUK!8^lDpqG&J1f=(JyM6+ zKW(^0>?Bb#=&WbCMu8_HUoPzgqApR8`2D75YLG-^YFUvyXqf!ra$30Zq##-j2&6HN z5%6!4>BSJ*DjDKd7ZNaOK_C7NP4OZL?WBwf3LKhZl8VGYPC-1}Ts=74e9{qStzvK0 z&JycsTHwpcD~`D{-iYz_cK>R-&4HaO=FBG19o0R=3c|U%Vc;Tq5tN7SEZ83vXfYr6 zgz4l3#}Urzcr)d%^X=QqbIYhCn23`%D+35a11M;~L|zPL!Tzz|^fj5lw3HN5T9a7- z@d^S91usTEUSmhd&75oXcV9%*)WH!(P~kZg`Y6yn+f$Pu6`t&qM0vV_DU|(laxQVj zPm_h1nq-UQ+?6-a>~hZKOWmr4Mhr>LU&`GT4?;1~;Ju#2oZ5Bvp27?o#;oURMm&#X zO{)5%>N9)d%gw)gi{@lCwtC{86`Bvl+!YMlra1*nu@NnQXFLY~9gc&&i#YVODrja4 zB40Z@)_kmGK+C@;)_DN`1O$U@*z%^W7)1{1M()r~CX|!&n}cj)$VgHm7$#7XOwdGX zD79KOE2gc0{!j1molVR_W^kEFD*=`_TH4GMLyMRlU}W^TyLE?BqLLV#HRLtZAr1r@ z@^VjO#xyjaww6KdZnlJm{mqEz90Ad7#U14%WS@e;zM1*1*&t%92%;~*Jr33-bc_*p z@v3DP7e0yg(ry>1WpAzN#SRG*3im^9pG33RqJlQZm0L~9V%Kb@)E<*|j0a#IEtO0< zo$Rx3O`vgMOk~S6H2z8lo<_4N{UJRcKF7dB^JKv|!e{I|v3Rm`mA?zpc-GcI@;m)? zbnel5CVVkz-$~4(7%)^!2q+~*PA|u3a?J%zkLO9j(%$2SC@%=WI!&mN9^M!4qHu=o zhl#BqjSxvOsa>NRGjKuu>jHuM1F_ltl)z>$t1l^7m9~9+_oEINX0tneN8_e*(sAZvAz9lZqC0&O^u_Opv1(S@ zW#u^@UA}J$R&o*LW~?maIoGqM!5f`VPWIy(@qxS-9NIiouEVhN;nq7(PlXp#vNevB zX5Enr;mzf#Hx@R#WKwN@lh*|$)5XZfyT@=fH)tI6J`)a8WT$h@W?FkSVT>7k8QThM z#>%BRarQeBnAriV?^_l>W3FucxibggejR!i)#k(2a5n(O6@|9QVCsb_v=?(r z-y>%N754B#Inev>n}3Q(9*XrFq@>6LDngC0vJR@|+AVrdpK$Cf&rYr9eDa4x17YEJ z8^Y1^RBtrVJXWyR7I(KNxhih&pL5i1*-&!SALL3kfiVP0j?4-NhAeT%x$SHgo-%ox zX#gsuN`@BfcXnEAg0~B2%e^n z{VD*clA46Wux&(yZPk@2vnv@eV{V508`nS*9__7`i`H>vGl>#Nq_>Mt@-Nxt*@dwW&MI2q#|JNDUG~XNF zW=8w^>!XJs1A%OeAvBMKqcONrx(SSWs|j1OOw&-beJ+3{4Ik`(0G{~}@G{I|t?U2~ zB+dY2iceGJUc7mMIPi>VU~qkxfQ;X??5+qW}TfJ&6fYo~I8XJ#>Y2#)XrM!o)5$p@L&pc7>gF z?FQ(X!|uj0_GsC-&J54Pj=}~!fh)`pRA+&uOQwB)B3u}3y&?8^h#@qdnQn3=vXNY! 
zWHPUek#JolJ-srAc z$UAMrONwsl{vVePKpA&nA;rQbp--iqN-&b6*)C9o zx(jCi<$!{wg$|g!W@n^zy{3e$*ZKIjuHzR^G!`s3>d@1$@t}CaOfjvLz9ebu^wf~4 zH*X!WfX3G~_Pn2MY8~WnS``)D&$(1VKt;J-l%I}0xL#^tjTOPpJTF1@u2BxE0#_Ef z*jPu%F3RihuJi-bmp-rz?_p@ySVK3p4dgfGjBs?A`onZILTYGb1=y6o+S4|d+sp0= zIrbW%nDI#=|yDpP>LYDW#c3aCN)rsN<5flZ~QS#3I-4gT9t zg6@-k|2c`}LV2()0m6kcly99GEtUleh?z@ks3-KIH|`r^KYqp54}@Y-LA7*QU`Fe` zN{#6>fI8_y3m%BTm*P{>eABa)h&t!=w#GZ~L2vj(hGMOZ4Q~wwNbAyt{eToVBro z{V64lZIQC$AAGP20y78@31c0CQHOM|f_JctJ)Fg_{$|gW(u4ouA3QYoP?7`T88 zlj-OYo_M~5zV#0;rjG_g&aEJS*vO?D!kinwb*gswb#Q)L41htYQ%NI5Jr+g_R$lH0 zDFtExh2M(wj|BN%Nbetu;-7)*va^p#FXy+~Ty|~<`{%aLc4?g}oc5Hjz1!79MEeKL zJV9?He5(3&)s4YqHKgGnGRYMppRw(+|Hn7zfE8gjNF)AP*D zNKSh?HXV@8qpH$IdjqIJHDyeQ|-G0YPD(f1aj3`O@OKuV5Knn?2S* zM_=7ewJEuNk&Bmwxe@O4T^%b+)-i3$&-a3G1?Iu|5&q9apL&z|f$bx=px20{B1KdU zCF`P6XB~`bkp$^R+D7*qVE3_bL5|?+5&nTRubODhPhpg^yWugPsQ_F|zdHZL7s-1w z9r|G<^kkbD%6TaO8+2UbB!i^?*5B=e3D_4CN8_F#8V?LkMlLxJtBqkqbsYqvB&c;( zS5Ntwx0Kc!+xotC;?&}2eg%R#NuLPz3%ae z^w4O%ZaUSxrCPLtz1)iGdi}Z*K6Tt?t{kw> z&iMCV5h|$zZKW*A$q@sPqTMMM3PjwGQvJSdB@gtXJjI9YHFt#|VgypW5S-b|;DU5P@>nTO>lZ}zG{lAFcmh2yfY{p=Y1|aMfs1iA+c;SsJ+9~6T1#xp% zY(412^YPPi-sSN=!$*IT=gZb~g=+udcv@+nCbM%T?4}{Tw4d-N79hhoN^y%|vwXDz zMBK@ay8N$cs7q*d?0;QDdG#trq#Jx&eMj#HY;QEE`aSPrSB#t1#@>?anKJuIR@k)P zu2;@Pe{SAzT|aHy303ScpXzfl>1!-?PF+;2RICKP>=M<#uiFxu{qNpbjW@4q`-}!^K4_ zD~+$n)#RrxwROd;D-3#TMBl@pKY$Q#!R*Pn+MLHkOMMeehVJh}!jIX#*bqY6Fm8X) ze0}n1_jdp8`|@;oIg9(Sa4LSi+OEzNlMMg>g*4Fcf#)ajD47jitx3_m%YR}<_lX!n6M4TDe zN7$}7KnRwIBx~y?1}T735T*yL1~yPy+$!2c9jC; zeDpR|3erp_?b?S&XncQ~_1#&!K_ks-2N$uzrZu$K4aOIV8q@7npU{Pk#{3lKFAN%l zJ?R(!iJi=He0fS01K5x-D{PNyGTm*J=fte+*IC+5V3xLG;# z?khVt0?iJE*z~N;T-+Zy7iKsKKkNo6^%q$#E{H_&6mNnb6p zFk`D>O3V5Qe^8I*+!Pkn+}m#&H$)nH)r};SW~WYY7*H=LQaHdOZV>lDMT{Z`pXZRH ziD>uJHzN(oz|utY0VsNfGWB?_uT3=eO_PnB^-LdcCt79_US%CM3rtgt!!mP zCgeqhdPcq+?=!Ib9EI(cAL-!_wqm*{k0^K%q!P#=;9OA6GH2DGz8x7^JT$@3ZT(V* z>b11YpHjeyu&w7wRijI2GD+nyGG_Vga}$>R_&c0gyUhy zPpuKD%BVrbWrzs@3k0{|=7;$5KG`EN(UmQ~KbvS3IY6n4XXsA0z&CQfYRP-3P1#Hx 
zqc-tqMmK;i7_>1{mQsOdkTrDJy?*9~8|Y}>%ft{eXq(9gChz+-&(RWoGMmKi0v={> zvZ#SzHdrZFEYMEHu%AzvSiVU!Wgn0$x?94+?F#u%Ak0)g(W(qSG@w9(pg@7>@0NrU z6ekPL$$9O6YT5~%O_wrQWej`pr4%1_95{^~zo-WH7Vqj7$WyW%e=~GXJyG1o{sW&!uqFop5UTg~RXbF(0wm(4 zNQ@&f@eFlJP#e(R-;zLCI4N>mv2Wjt9nCtb9j$(gkpyT&O3o0b7%pqs!A_m?N$1;i z?~u#Yq{Yw{k;?CsKNXikfGv*dX|M`fY8aQt>Qwq_Qp|3tGQ*-fpXmNAh^dXY`Pys4 zfg|hCCG*KZE=T3Wd8nG*u1h{hSGhv zIz&15x0&hlkDLP6|NRFd^f$xOp!{eo2ephAF9L@Juk2|Hd%6knN8WsW-!nS>@WV@s zjU){FdQ7Mx_g@xlgQH84LcT9Fg7b$GtMmzv>U$qhxqB#HP>s3wn_w9Km{es8980-7 z3w2n$8=x`|Vbg!th$?vMGKO-BE$%Erx9ZeTrM>kLYf}8fU$d6J5{`aYqZa zmJbTCYvKEYL%MI;v=3og{KC!Y@$xMbSvE>FU3j-c^<8ideYInp5SC_ugfgQ^#(*R` zB3*tp3$nE3q2%inb3##|sgV}kfeAT9jaw_<>-kO6U%P4DAs(qI@)8uDI)(-5P?0p_ zHR9k7Eh9phGskJJRbVRo0Vmbronz3nWn8q4{r(D=g;89g#PSCO+R}wX{Wdv1xXcd5-fo^BxgZm5 z1|Ti}++_`>8ImeYMOI09;dLk#P5Bva3`GMK>3;#j8j*H~{AvI|ag{$)z)j6Qtb_x5l33mUi2U7 zepv|QfQTD7%M(^@!JZ;(>NE2i}I|=om%$02Nnk^$&;L9@hVhdV6;AS%mE^ z<%E1dFFOQ>jBnVc%Bh)mT})qTPv>D&X_{4lw4xr&hDw3rlwDpOaHmnhE7t6La=Y*| zok5wR4dAn-i~KY6I>=Z7oCc;YxXBE`%H7w(X6n<}*jhJ%F!L7SofH}hxf#GZQ3Hd4 zCi`Ddw~)zW>goV634lDt2O8K7HIlENLo3U2O1v+2U_FcwA%B_uHGoCa_Tyori1YP3 zg(rcA2!W3#%euWb3~&SYKiWjp5Yg>MJs~B|moHo13xfc+fg`=+wdqyT<-%EoeRs~> z*IfkZSp-c{{AXsq9rAggOU(n#+(O1YjB)|}a;@J(pd}uVD8fx4bdjNdvLW=op9ErM z*!Pnzjh$EWB#IiC>f0 zVl+m3P7C?N=`1+?muNS76s7sKQSCplmFvC+PNW$V#N8@;PdAb+q`wn31G!yFRjF3U za3{GogKL8G-nEU!z@6@|jx9*#e`x6de&7OiObHr@|1~^JWKBH}CLJ}&9^;z{t-X{x z5$)@X#=;q0D_#sb5iPloSJRm9T=ukTT~f=YDyIOxO7oLG;?iVkBB-e;Vz#7h%`eU! 
zQ;E1Wo3G7(2zA}y*ak%AOQhc~PKu6l+%ECT;b!Q2^FDg3CTgjSC>uKYihgqqp)&u@ zJxG}^!haZjm_gn{TL<8QhdY6w{4~PAJbdMqccky>;2^JfOr)^t-ug?`xRCXzynML# zYYiId9HOW2XvJ=_ml?#eNy=G#RW$GF_;v5EW2c`Vl0Pxu!YZm(uyZ_WJc+)*eHO?y zm_3r}fI1EABhrHZxuHe`|2wmAM_PoU8y@lm@veDz(n_$4DQCBd*ARgz*H$ZJoS>bx zCl#dgyEpJ={;NMXCV3(q@c!(IrZ4Os50opmR~L>;FV}Y8@8c(P0}5#>ejNHCf4S|HX6xL-tH1ftF|4&VY6gFYzAQ!A#8ylN&#=v5jUaDF0UdB zhB`gxM#sJ?)q#O~cD{BWDP;PyV;qA8<#6xwOK)tO(krBg2}EJMe zEd%vnRCK3YR`PR<0hS!w1YOmT0JlwIUk8`9-B-qQVK+T|ioFr8dD}H=US(6!g4{4h zFGD7@(Qy7#sjy>drmW!w62)yVC!5qk%g}r8i64o_pJZ;6E6(&?`&VS^PNOl0(>TzZyt^x=8=`VhLQz&E)R*}icx zCwlL3mH)ZTqxpHjb&JKS;Lv$d55x;(teQ*@dE{Db(?6HVmhSr>(*5r-4gL3GkVlRY zo>SOb66<=MGo&>}asFx*Rd&r)WxcDm%cc8*nit%^@_C_90sjHvBHRl_?N?4WmVeLN z?py7~YmGl4VM}2C-vk~wv>2(fnW0C zZ(K5fc4V4IMu&Fd`?#Q|)p6N5bXM$NEg-Vv3@HKwg>4s)E<-d5rAVI#CKYwXzF6)f zmI_t7nGQZqTKGvBCcE`>VQiyrs8JyPh9(X0&FLx{6!KuSSEM~@R}uLPlUhMEr^x1V z0T$vnykoRFC?_S{8Wf0snKdF(C4A0L^+7BG4lY(9uch07Bq9=3_;41b7FX)CB_u_8 zlnV)$Mu6E{^T11q#ElL?zLH$FQ}K)4vPDtGh+AY-M#Vgqt|wp)Zhuw34xe2(E&*xZ zWXr7Y2Wg8>oxkb6{eQ2zX--c5?V39OJwZ=Np7X2hD8#VR*2(8T?thEqRO8@%4& zd~<|y`#Ipd>(E9MI+jtt6Z-*w@i($#dt_l}L7MbZ;d(@2@~uvT1@;8^U9wB6naD#A ze2b`JJ6wp7#LP}z6r%0_5p(!U`dl> zJBfRr8==%uVJ``L+l9R(OP84E*Vw&KW{iLP@wC+SXWs(85iKeaAC+L|X_P6-UezxZ zfq!68411bKQyEwcLeRi#D*o8C1eQ>xAn=oUw5>yOu9&0}a;LZk@gE|JaZ3V=m3WVY z&JiPHciVQkW@_kf!O;-l7ZuEq%SW7Rw}N&KksU=c?}=Hfi< zYjBhV2tWPO=CAw^<2H|i>8lOF{5v&ibkhK-B+eaxLhlw|xEtDocP5w!>dQ4&y+t@a zr8Qn_T0zZuNOnS3`|vk28QR%J?`AI-v76qhE_*>hz-)L3BkkGcp&0QH|ArYWxBbqt z$dzMJtTMZF8CoW--+k9*&}7X0qsGy_vIuj`y&T=r*g<5I@Xh=FSIzUHdER_`pU>6W z>-Npoq7eP+i6YDwUtcDjvV*m)pRrxvyE8UYOG2MdW}X{->~d1%7?zDu^g#+n}9C!)JF@gR z7R((~EWFpeRu4e(5vlADf70l(0PuZ5ElIRQGL3Zo%a*CBk_bBf6QYDsD(TJ{Ba_1) zRYZ)*o1K&SZAk(qhiaJd^==LI7v;66-C%CPhC5C%dgJ39(_B>Qd(!1;35oNLO|6)Ykd4uH3 zmD)Ny_2Y89^L+H>r>JknxaD)9fJ0-L9Kyg}XmMR2B}&j#(T@k&(T%J2Rrc$6hBqYkafnyBqlmY$a~S)viBi7E_=9#2JpN7 zIv8f?MO)(K*P`2H<5p`k<3Dvn4h-5q9dcXto2L4v!x zd~TrJ5u*Cb>_;h)FgM7-$T7m1X$<{92j!-8xy2?~YofS5S 
z8ISIc^EwFR|3Gd|aF0yY6vXNaYHI4{KR*COyfL8&d-6}sg$%a zq0_)xsw2uRYu(bEJT5>@nP366Sta0DBj*9ypG98ae~_*Au-`bZszl_&FW_%BoR6TD z*#}@|1#ydE7wL;<7yu6%x8 ztw4}NQZQDBqo!bGboFgOkYkAH9nN5z&DTM5SkJR)`%z!mpsdBo9K^p!K~XUJzS98* zTc{~&O1cqdMXe&b5lvKh#w}gYFDG3XTrGoxBQl*Su?tAi$}dxNI`B%fE=X&+9@UGd zS(x=r3H-H$Tk3e({riB(SCs+LE2Xu!Y2r|T8W5aP;uoWN)pd7$BTmE5fL-}&#m-02 zB^^j8(Ub$xt=97x{AT>!+w0XEgPPOM$ikmi zOp)y~Nx#;Zu%wmHR3KTo8o|bJuf)qOgck;3f9JE@E+<8ySsYm?HL}a1IIsU`OuB^; zR8ge_zr(T%w~~Ft>T$d;l-}L}meOf*O3y{DenwWzu6gFrwYO{5p5!8*p+icljWCO_ zyKOY{!oW480*fz0z)So-SZClNl;NpTcV20^FobK=IF4&%w@cVc=@`?U>JLAGYveoD z%?B5HEzMXP1zp)b+TSw&%pUBU@_^V=^fwNq``sfsfUx&rxf=|tF(_ct|T{#wVBI2UT^l# z*BX5$umN@EPH?xx(%}&I4at1i6gGL=)D9#R25$0ehm{Nk$i0M`a0dzO48@U+3TfO~*?w4fH1AD&B(nz^>#YB02U{$4v{cx_M*&gVS3L-k#Pe;S|IofNh-<5yS6=|i z;lgXM?Z{Crcf3TXb-3ter&mlyzZ!Qg^3va4a;Zw!K0UgAaA8Afgl47nWk2#X(D=n<&)iXXCXbMatX2L31+ujx>6O()Kp3k9H0xP6+1HMNW5 z{vSZDX-*p?E4^xpI2EfvjKt`lvsdIEnA2c0qT>HZ$j%02bU7E=uIS%pqCRQtoL*m`9xZ=hp`rlU|! z9Al8@<+Ktr*V1V1?fhOxE9R--OHZw%yxWFFFPod7gMCJX0on)PtcWViSLb9_4-Ncv znn<^46reRkWq_)t*9yFeN7THC0PMiRHEtH8;Y-SA0x@ zZTxQ&A-&jR?`NL6^&jSx2W6HN5Fc3HfN9DYEOLLf{;J}Ii`73i;a;9EviEswy5v({ zh;z)vQ*y2|_z8|Nr!=2{@-iUHO z_7#JHBle~3ingD%-nw0NMQYCrEBb94?Qp@u6HG7HNfn2FtuCn93!fpkAd9G|1&cjO ziQG^G3wkZAQi9KXV%7{&eKEP`>@w=nd)s)c>^tb$C8)(&W2eaMlRxO8`(C`_EM!NKkoiun%-X3|wQh*%fx) zt78KLvm$5(%70V|wVEBdwWQ+Tn%3N}L=&u+$R4?Jx7;8adH3cXRX@lNaL8mKeqKY+ z(vni74^;GJOQh$&mSZzW`14B35D7;H?bMu zh%d%@c6GbB*bNRu#D7@qHl#TwW&owcK?Q%Fct=>Z1^r|hS3vTNV3BamX?ht>q{#D& zlfh)kd?SeBK<1<7U`zLNrK!~_2P*c{t6(z4TbIfoHZtwV+EzBS3DtFZ4svR&&$MfC zvKDXgLxqy)@YoN^t86@1Bybz9yZKwqzuS|lnT1v$lHW{i0_g#z#&%KcvILo>m&q0@ ztZj*#h(@K+MC4qM!$!2>%LgZ!!sV29&xZ2pBu0j zaVNTVF^%;cIl6F` zRRo8<(;A08c&6$>*nAOJrgzs4haIUv|A!|tG4|sqsgO5znCrYj0^pSyZJ(icll4D# zdrDgi^sxnwi&-6KODiYBSJoZ?POFJw?>DWH+Ue9I<|j#h6k(^S>wahvW4hRg*!Wcs zku^=sU!8c37Y|AuL%77^k=9rH8V)C4(q2=aG5@F^uDWHonsZw_kER2deGKQ03ejB} zKjV=jxvE6sormlD5yhlW#}se!I-TbC@s4HM3Dz+N{>vhs1(29six^30Kl$=k2s$_cW_( 
z5Xo6XaVD)|-H~DO?i-#?A)o~x*PUqI+{rP;N!B`@ z7fD|4t&+y!A?2pd37V5$%UFI&NhfTTjQWYHM8{q8YhX5YQVn%H@nzpkBS=JfQ*W(y z)J`>MbVv$U2$v8DJ#v(_nBUu(5a@VJ(g1=8)q8ePyq%PTS-o7hxD(ZTzPL|(pIA<& zVQ;u-N+vbFwdsEvX>QtSA@m#x^RD-IJpNA;m-}}XuYkLY|7hX~{X{iV6eFZXo6YU$ zj?(QZgo#HzD-!tFZO$n0z~>r(U9I#ci+pg8`Rh+5n9lb}4`v2kTHar^AKfoT)VPa0 zoQ@VWfYJ6>+=JwiR;crDpPAymuhSO$<7O`9XA(Z(6oWlHE^41u43Oi)C}+jKWEHzN zD49~`cKXcXtDcHp1E$W<`SSr#oL4Ry3d}S60_Vj zEa(;Gy(&mwoyyuuV@6wv?mgoz6QVX6>F~NYr%|5srcrR||Gx6baSIlX z<1k-|a0oubX>JS$H7vcvb4nLI5N&ycs;Aj#Zgywox3g+1ZGJ;I)=b-gMPg^|EE<6q z@f7@gn4X+#5zaDuJ+7k`fBhf@y5PRz{KNl{Sw)y$1vHytq`INDHKdNGx;>~(wJy%cruBiM>~fTPa6B{2SnD?Dk7*) zj-kVa#QUy-^Dbi?Z(wI*P1}wct%_0hk{iq2^e2Dmw9^CJav^Wab?nCBzFgwkk4S0G zQV0;OvSTT$Pv@4MLC$dai(Bd$ep+aIU$6PYL^63ch9LgdF<+6qQ9-7GOR?ebBQ4FVAy+x}UvXvdgdLM(271l`9NUfe&2o55OUE$6^)l(Z zmqYSP8`YDC7wV(29&+ZUxtZ>(W;|6Jj;Z0Ki9WMl^Mm;2eJ1DAriLw2hPm@pHx?aJ z#qQQDotamvsnE5EmCU__jhe<8Txq}vzX?s_>#i$h5uq#P0bd^Fb0bK)L&vy2{LuQ6 z-(iI&`+e~o*4c5}n#QwTS;~+>|4T3dN-32GZ%$S;jcDc03vDMvRWSRaSdC^D5*~8r z+4~~J6YhO`Jc61QY=oK*X@BO61pAI@%M|=Ysces8N~)g)VQud|!SO2|r33==3hwwE zTdcC1n4mqkjPl$_yB0aBJ`a+$C?xqH-qPZ6=z~%ouhNfS+qrF#U=;hd1e^UjaXLZvJWuM zeN&s<3Kv`*sXi$IwQ6wSH$Bb&y=@=svDI9Km*<~2XCXf$P)CUG5zc51s3kRP%1D%f zx;e7D0#RR(&uVF(-L+i|8iD^Vz-!DzW&Y~?x`yoQtys(sm+ z_4hiA{NuPK4aG;<%U#jojctuq$*{Q9cG`$n+5LoVV!S&PxQD06c#sCX4u<{=lih~o zzv@5*DM?Pbzgmbzo0>zku7FFKnsXT-pIsc-rzs&v$3y>Jtv{_}Q0~NbrwsCzzF%(` z;@@ntj6zO;QO~)ls#aK~9P>ZRlDu`!s&Eh(%@oP>8si=f4XKz&ZGzpA6_LTXB%yv- zXL15#Qf>#W@&)Q!#jEjI#FFmCwLqlNYF0<)l6sIf`7`Isr-izJC3%9vxVRBgQ~Abd z=b|n4dT@r^%`qr?J#=535@OwfE>Z2Q&ToDk!Zh$f?B{N`q#jf;6(7aRpWsj-s8 zKe}fD;>+WIg3XA^Q#-^-{PGSvz!I3FT9fl@c%Ch~bDdBv=>7OdNN(j=f5yrU=i7o( zD3M7;>C>>F`G!a!#i-?AH_f;H9P&J(1jr&}nx62SNG#QjqMh#}s2lMdT(`C2K5Y7QBm}U3(aPo}Jy@Aju z6iF2~TsKaxp{}gz69nv^X0MG^(t9Kn6_n51?dIk1rcvzT@!?`Pw8gnZ1maL5=6Y#` zbdy*X(_WqPbr98cB+#nZm98s086KY_=DKv^AVK z&WeG=F{DAE8IqP%;&iN2jggd4+V}OOfmX}w@!efmZK#`2qsj27{w9=yhHaqUE}VHU 
zszpIJTHWa1gtOS{=R-!V_kSr)$QHDp7s`ZCaOrGPo9YmS%^>8YogMJ@6J7d8u3{+6~^Isgp#_ykCvxW75s-ez@YKs&X&@6+zh< z-Q#mp3{XxpzLNFRUJ6*H*;OP?A3oD0{^G50pBRbIRL=EVnQP@;!&p0vDelCs;>>lN z02Hn_mj%VfUo072+RL1R-Pa5@k3WWFOsx`MUjXsay%1*DQ!;D5KdJ7A2qL70_4@fX zrDIsw?V43i$(06r2j_O04K+SP0vNYb=G0?-q3+n7a0v+3=y=q%?5D%zpH&un@zK&Vx>c~$t1ta}RDC?6s<&txHcO_DT--5W@V_0LwCdknCvH^f zywU2znmt3^LwUb!aGAb51V?*c@khRz0Il{p@a7uuBP=@ z+BSUHn&nX$kE1>FPLdpC?;U%da30T4s zxBx;VfXr=X3ewqJ5~TtFtIU;4*`K0X@2coF`W*F1O$hw`Ac*?Jfg5g#F#;Whv8Se` zK}o{t_eZTSwT*Sd;l=*O`?}NbX#RHh`F1UO0B0`_OzYDn+Be>Wo;RW`-oCzT8x7wN zS^vbrm-*Cu1%&ukkdz2FGzV6K<|!wS5I4&tIs20uehVPbf1fxL5M3q?#f!iCEFu9G#kP&-S@IONH_&T^2zbY)j|c zQBW?da5s*w52tR8>-jfVFU3!y7bdr@m6MUKoY}y=r$O1uZ_iTe>d>>@QPZ( zh%rzjbo9s*={U;Dy>fE}89$uIXGSyyr9rS1>_18$ z0;~A#K-uyGD1lHDjK1O{a#j$1)DHVNB0&V{cNJI_4ZM>09jzQ-{z0f?2@;I1P&@x# z@bDwNXW5(ib^utlCvU?DHaC%gQ}`Z_^`tS6UW{&Z1kK!jDs0tx--`DacVTx5nbMJr z$mtIP$zHi?P0-5;-wFG zB)kH`q+>-Q@T)sy@{p5Io73|Kfq4WlbeXpr`S{1?dz!D`+vU&7M{?6r1G2(9?S1== z@?T8%Ci$V9qio!k;rL$+C#?)54vvQpf5u<($7iR!YT2BlEPit_{4Me||3dzN*}y`y z%t4Q$a!#Vzx0Z3o(*U3o)YDg70RDdWrL{91#87_2I+I0FDJt|w7Yp-Djurvxpo zk;fcBFC^WI)nhJ$Leqf8Ca$QuQX$swao6f>SBU%`>~3;S-JI91#|5?ZDwAet{iT1gjjZe|@GEkaM3NeE1osJbGXu&T4?W#oFtrUKSGLsxyaT6G4TZw2jY({;>+R%qEj@J}6C z46f+C!ORQ%eXE`Uo9pZs_2B@y&0U_C=h*A0 zGx*Z-#csXLx^LqN^X&)!_U41--NXAg>10 zh5Z3DC1lp#ZJHeT-AzKV)T~Sx%ZoVRQk%bzCkdM2tl^;LZ?4(`;-=FYn#_VU_(2Po zp(hfwA9oTdw5oNGYwP$gcH3}(WdFS~>2?ESXVc16zGobwEB!dpE5$I< zE49fph6Z{CcT2HOR#i@S5o7$m9#y*;f+_54mbEJ#7vs0JEQ?@=PyRmLlI|hU_-27( zIU&ySeF%#Xi2)u#gv|)KaGU}>IC|H&t9@zF1Sq_<2YCVB1W9n&ydAfgk!Zte8vcY& zH$=PUqGivG(pzAEGah#l_S_2XvQ%+~t|Y!zf2v^o)^@;q-j-it6OM+iuCw>4)K%ie zO@}ID@4w*G75in|w2#@_nvJ(wSvKOG?&+JTGjh1h&_J*Fhng0Gd*x0zM1%Ui8_hc^ z656S~-c9qjCk|WumcxgORx0SJN?;uUQEV&?k`?17S(;CFqJB)rH zJdB>J3tZr6Bi*~<KgHWNhqUy$6Y;kr;<;$qvS2S<$1Agd)ZhG_0UQ3Mful@PJe1^FJM^TwP0; z2f|C3plfRskW6(!l_TVso8r{-PP2P9BoSA1fWsmYIvO<zuO7tPwPfrmG6}*whx=h{&k~O-Gx@Km+lt}bFB+{-9@=y zn|W;IO}SoYvPug*DlM)x>O5PMg#D+qlh#zEkaXM%b6Ds!5RR+OKDp5@2k~q=w(Tg7 
z(A15)`uC+Wu#lR~*4_??m zr#)7ffUEyWAB+K)bex{CdJ7%X;@!r7O|c?X_c92?nwaMqA~MAkFNa zG07?`nzHsXu?E_waTsgH+oP|{YE3ZzBYtpUnF7+)1zvwJ2Yw%d=|w{&TjObXLyFi? zb=@$c0uraKxa^>p`1`n-w zGKe?2nCaCZtd^FB$~@d;gY^F841PWQ>`J)!k>kG}nXYmp z0Q?SCJ*f3DOTx1z+IgPn?U@e6o_IC(XX#S?F%iX#$@J!qdj{v#3~~3=UY#4mXF7P< z6(gVk>|FgiYM$WfB0zPq*uLqg(B8jxXgM|+Q(FW#(+L&p8$=D3CBf5O*~6B*YJ@VV z+-vZ~$PSuk zDLznk4f8@p&hzbjN|fTsyVLvXruro7F8Huo_ys8NWO6rq(%wA+pHyu6(aqf(TD&ER zNP&r%U9cy7(@iIz9ym>%&qf#0sb&Q^I`dB4{^`fMyr#`D=35F6oe~LdPoeaElxHB% z^UN9Pl-wac<|gR?peUaCFfkJ!(ZKgyrOs~dpvqOb7b4bLC(`34Rhf&!jG!bJoeMVj zOw9xs6_b#)U4BNV4S>pR{n$b#-+g&|Ozh^dzYtd9^>osB)^XB--!Z=?pwOutyn999 z{nGmjMU5SB9zl(`)O^2inb`zHbk|T=EnjjpFF{6hf*#c@*vqq&gafSP(S0!zzb;!?pUxFy+E3LGhX{aW zgK`>VvmzWG#K%lqKHc)kZ>b6c_dQZTYhl)1>!a{sgb^vn7p%@Y3v(ovB)`$9mxQA9 zYu;vJYiWEyrHS_vs+KgT=@@0^*UZ8eVR!S$a;pCi`GdC--WrLsQUaHo*YVz$21`)z zI@5ewwl(-^H+_+T-{y?}rh>cbQ&9gMp%aHdqmhi7Lbf((DbmZM!tOD?2NesqQufr# zpS{xuo#UV{*`6=L>-o`q;HaE6Q3rJV6B=r@ad* z#yeqJKY`(IP2N^NI!^-2Y5cWu0+Uw}sL5RKe=Ea4w#)bTE-APkJl?!MoY%V}168lo zrL5m}8!sMh`MiPIXPVc}>$xo+#|?K-q(6gC?HMo{`1yXU@GC{1INqf%!aXm0TJm|n z6cSvo2bf-1-u)DqBRPDf`W<|4czuM)B=Lr1h^&iP2Dx^c728IRV|IqUG}%>BLlHe* z1yDu8KNy>!T=mI490$NH>Iy|6UoF8>Y;LZ+u6W%#cpoCJU2SPQ@AI8xb<%m^X4NY{ z)!ktm6A8pUX>Ewn-;#5f$}RW&BR1R3fY9T-fKYgul%b7)P}&$qCL>zRG7;s8fNU~& z#0&aSxilo~(fa$C=aXU0*#Ydhb%1 z_K64^R@OpK3ddC4{@zLU+bhNB-AJ|es8anXHj>R`j+K41?%Tt_Xa)H7ppf#}+xc^| zhby4N^HKY@;%)G8#fIVSB3R$w;2F-oyg1lHFZt5{D#E%EVPba3CcX6IKPR4}c|bQS zSh4CNs9>mWw?Hxsv9JKs&{R8+a}V31rh%q~mP+iT(m$j70R0`J=Aw|a6Sq3J3!AlZ z;=sUz{Sy2B8L@TQx5Ag|*3=cg!|=2~DxgILkvVSDa-o&6$iL!)ab~IQw7e4!TF8cH}b|%DJirsAZj9hym`k|R(og1CjE-Z9jFBks%Jc|-nhc1RH zGyb69FodZH`hTcHeOxNZzIVHpT<$-#=kJ5P%XhRjl6lkl(wLi+;cWLolWB@CpiV4V zQI(M*kff0iyAS^`g)5yoxF(7kdjN|oUW9*OWVG?k&Gc~GE@?5By8JRD%yakym*gD! 
zNoPjDWfVZ^I5BiYqFcp>pGskG@#0t|pP!RqX-g6rWV60plDY1HXzguDwyHs1g_z($ zD>JY0AQkB~{iwqhnm&42GD;p`pCM7mI#uv5&h;~UEYd6U22kNFoFsGz&68Dt&!r?C+(!v zCk_5A;sAO@B8^ZIUSm~OA!$SRz{qG|132nuWz?mx)#>xxWV7tp^+3OCH|>lV)^KG8 zBPtHV1T(n5KoWKZ3*wI1_++$EE!hjGyCE9n{!5y-U4?BrR$11BEienRvJF(}NDhg) zGNI4rh%d*&;oMS4ms=9eMl1yz1fVu8L66RKQlAgTc_D`croNwnh6X`tT%9#(T&y}7 zq5X*~kN~>CV!LmiY!vI}<~tJDrr5Sg-0cRqB;3gcZ@NgoV>St%h#9=GkS{1k4@YP2 zgzoL0SBlrJa@{#~QJ99_ehJ-K-kle@odS9pQQT@~b1gbM->w(m4BiH-b501dzA^#s zIZjfhn6m7d5@o<=8a#0 zQG;5_fDRM2dnv0p(RZW@*8VF~Z z>mrOP4U(kLq;nb@%7oo04m=K^gaelFY%^(roB_UpIz6_&8s<;xg&+6rzK~hvgqICv z1UXZ{sJs**j!OJRK<0;4WvrcIDgemaRBqavO|qEbznCwg21f~cy+(0qyGK6x_s zEzN4Av&Ky?#bD#CcMW867TQhKRo}%1ZJk*m*JSbhIQ%O0|eH8TC9;0 z&BH_<*v<}o?t8yUu?G$AeDp{C19X7sMRMRtDyo)xHEy=V{9G7;N^`|r^X0(FDwjOL zzCsJlL`rQT(|%7Mcp&ZAc)x+ZVb_(X_>Y=t)*#bzk29cV?pE!y1`8Lv2{|cwg&1`l{6(xBJIq#$D2RJ) zW?YP-y&xx2mH))+1UNS8peoz?G}!B9zewj*-ob|}ceDDl1Jj!kBR`vZib3Z!-@VBe zD71$ux*g+w0S^DqHe7;8Qrg87rxxn$keOS?RWaTD=uAG~oV;Kj$lPKKz0h_Safo`#v58<=Vh|M?vE7d~{SntxyCH?!4 z2=EvZyO=O!LY;hXF+-Qg5pTYL;-?n^q}E-e&QU&ip^!I7NR*KK-m}*yd`hJp{P1XS zFr3kjem81PJaiaqWSMkGWpULUG)$xY_%Uwp=49M?HNXF5yrzR!z#D7OD^=8Sn`DM7z&YEqsew495D^%+0 z2i@o#?y73t|8^Wk*Xy>9xn#MIg+cT_ufZt<6ylB=XeN+3%oR;sK*Vx)B~FrX*E-&W zwfRF;ItCOD$82vW^FN}inx*}`B{|LJV5gfwIdy9?`9&W|olL??v}AcFCGB*x$Sl`Z z;-p|8GOp~5H^J(K;7+!8GTsXC$D&Vt7DlmiGVO!mA~7EL%vGrb-d>$~HFZn}`ji0Fde5F{iq^X2zg`@TuPn&n8SNZMu)yquxDl9;&wKOO@thE@xUg|01 z1%OuO`+y#nEPB*TtqAIY4{(6H=>B;&$nlkv@l2|ThqWzf}TUVR<4?UYRj=iySi5mM4&ABlIMLF4p!FCPlSMlBI4xlqn~Mri&XK^T?wp4ZP%-Cumb+^ z!fz3Pz8At48&j2rnZKVHWRd=us5~_6j}|jP)t#kPPTmFE`o#A78R8=20!hA-HgJ4G z)fEg_Nb#EXg*{l>lg z9b75S*YIm{3qZVOZHdtFQ}y*_pCuc%H>$j@{IPCE$+Q?f1_|1-{$G)bbZJ=sj8*y4 zt6>dqS#K`@%>4X&TlhE8a)V#j46#t#NI$=_!O7_%U^G=17^z?WUpgH0>XgMF8q0dn zyir{BVkp6oWcn(?T9lj#+q7a#9fJt??WJf}W~EXwZu4@Q*Vn{lKH1<>rPUQ)pcaH;E>^0;DLfC=UD zMI!nM$m&4TF^Zw(ej0FP;zCKoPDpUFLcQHe>12YDsJ9SARY|%cswu?d7?vbeY^3wL z9}IkmuZuwpH9$|C$m_|bB~uvz9$6pA0H#-%nvnjo^D3?Dgr$oIK~}g_M_-(!1$$KQ 
zXtgmXCq`f@RP`v#5G8-?b=yzBeyP$r)6U#PJB_PV_}oGpU~Q z1AeAJ+VLM>pLcrf)`O{OZr#}-SLa&Th0R|ctqn!pK%PDn<5OO+sn{SX z8n+5zR{QINw#KBPOY*LM=!$xNcHOMDTu%N}}E)4d2G@<#_QJS7AdW*s4_#)y>&sxB9X59>&CGPviI|*kAZML6^}RxQR=TJG8m= zH}+SeN<)&d0J;jSMYwD?^N?)khYjfGcMgQJQ3MgQ!vRqhcFQqg(MGgOA9y6~&MJ4A)u`LX?1l4M@QV(4 z<~X_);oBH_aQfZ!#PTrF;IC%CNoEIFaw+Ft!k^4=-4CP4(1HJ@gSdK1jqmejnc<6* z^f~L{p%g|F!f%S4GDe|z+x(NKC!b$1@gRf>Cm zgF@TUt7Tds>4~6frB5~yZbqm5G>|hqcTs54g+arzs9y?z>$|KOn4EhsB`I7zV^pA! zSx|EOVx{DcV0{1;<=o=fil;XxO3jB=#17^oGDbh6Cr#5L2pgmb|F0ngbWsJ}=b;I) zRoN>0UV+&YGRPfV%2yr;r!2rTU3|+aD__Y2HnbNkbOO5EeBa@%x^hIDz|WnwF3=GI zl+cSY9REZ@F3@DLwinRhw7&q$G`7}8GPta=RqfWr%KD&5d8#!sW7S#OL*??96Jk~7 z>_^m1FenB=Yw8RGQ=u!%X?odozlIXMag5D8YGmLvTBtN4l}5EnV`L`_SdilJdu-JZ zAQFbx;SdJ8O@&jDw~|HhetF|t%?kTxT2|D}S+{T)1|H1pG}i%EQD&!Kq~m9&ZxA|? zvPEO@$)4kzs=NJ4M#-^b$DMjjx)(JCS1ev9Ka6KkGGan((_^6j5(5Vzy-pCOPfIa- zq})f#5%bs64>pg-;v zE-^V{^x9W-7WYmOr61Du9Er}TCoD6YIs@g2zsDWYQY(ZzcjCWBXyFfR{C?#3`q{~I zAhuW61Fl0}l^xR$@fT?sf&E2V!w?pFNS`T(dLh`isX~_7wu)wO*xYp8>7=QZ6qj?$ z_U$AAZKpWir~JM%AKzWdUI-Cx!e$35lq2V18V0u1tF5j$ND-=!haWszPZT#G zo0EfkmhzBsO>>fi_xD1`5dN!JmEAB#+j$VoY*o<<8)yuuViy*6$)V@~5d&?iM^;n6 zd-lQ*Oz{P0@im*!^;5sgLL98ls0Sof)Eqy`l4hSB9%NqJJ^S1`Z_3^#J zU(HSKJdRI#Yesi(%6Aq}H%D%z%aeYiD_kO_QUK_uNjDzU->Z{(EIe>E6t*O)Zc`v} zent3;Ted%%7RQFy%*=N2UHT{viV-@O4YybeX@rH<^?QCzfxjRvm5($}ylRuM+p3He z*qCK{H)}D$vD_jR8Qd5+3{gCwP8!Z(AOVh3J+?cE4XsK}U0<3s7`Hq<{Av27V8K}) z$s93YTVfZ6{4Z=rmq8)MEQChk6b|X45+scwp54VBOkhzerV>h-!v=^2%Kvg=>+V^X zYMuS}tN%4Vf}ayZ0m%XdBn#7$y?RIJ=dtxhoCyCY<%m@!oQz*oNG9eZF3|&gQFKck zh3;_-53scwxze=)G+4`8B`IYG1Zrf$7z61{6Kjd*!AE%W(>%8~k7PD6qB(!;nDzCL z9YlCp46_6J>$fZC%%4Mrg)zKz0$3si{^9(G!|jStnki>Ox>7|TCRmAmrAV^so2%fX zE`!3>WCvjT%!QG~zbH^N^{&h^43L5b|F?#}hFFPJCs_Yk!*I|VdU=#(-THukw#mtb zHW)dSTSicz#JK)E@LltvO?y+Y1r zF)A6*!#8n@6y))Qqvhk7%PkaP_Xy7rCz+xz$8oQ)f7*jL+mi+jdY}2wuv}O?4NX4? 
z(Zwq2#pG|JW%!iqfX`9+KYUiV!q~&0k{+nw96WJBfJ=84+qv#)%wJJ-Zx`6aMErsU`q0?i38bd%|EMWK&*u+-)qwDi?j2U5rGS|fsQQa0?^u-If)~MxYI0VZ zMd3H&GQr~rNnomKbWpCc)X|D_d_2Mxf_k|$e>Wc&7)DE6ct8aNMhmLiz66+{YGI5} zyN$4wsad32I4BTWDECRT&)bX?#1)7p8ba2F8`*)yFX$*;@(>eSZk@y%30WPhRBIWYLK z8!v7gAvlWL`p#~BH1e4&a1PH6dN_zDD*!DjSBKEgPDrCKybceIm{j~whhU4W01RXF z-Q5e0fv>i*H?Fn2sC>1)&d-J~!W^K%%O z2NocL2d}#autuD-th~iN3+E9qD9QymWEGB>Qx~FMJ#v4BfCIX`?^2qHp$;wY$H5cV<$EH{bkmZ^iwVEW5?=!j4M9T zI?{nL|5XRA?`mHrH`IP{50yjC_)tLY59+l5QTHBvURtx&uh*zFr ztNZ0W`uvx92sasnOxV`#ANl>Jmmx*x-;E-ibz0U$`nk5~tSs64Yej2dQPQDkY<9EA z%QjbCeB;+|dI1hnVTfg(Y1#RDzEuBO23U*~3``iQe}pdDeK|)=sH;rPI2$g6JV7Od zj{e4)Aa_7hf|l4>CI4|$^t0<__Lw7&LYo{dfEvC-UX0-qa$NE^kOak`YB*2gw9 zduK9u8d$#669w|IlBvRJ0DKa&O2XOAewLNNl>pah6M8aP3Uf}N(MLGZUXI)Z04W33 zMWi<(wR$|VPQBMh zv5%5c@1iqo3IdI%WR_)L&FNtouoH?0L*Nk9wdhBG`r=48$@ydIlV}2t@{bq4G?O8S zwBX)5=lZkXwETFxdlW^H-xCQw$`I*&GwX8EnVrL~n3t{|W@ zdYBd7aTQ}I5eXd_U^G6JR7-@-Ph2n_ES2w7ywn_ryQY-X)Pk;Rt}4yC%8X(*FVG(y@&IPH$`IX=qCa2w ziUqDr2ch#1mPvE@1p2>yo#4tGm1CmS!MGR5O{sv7U4C{7?sMQGWwu)D)d34lX26CI zU~p9v=>I!*mc|4TGHDQo1Z9nrK$$jUs2ON|v`nfDAw20~sJ7FhRfTOwFaqtYbu52e z>|%Zo-kW(Z^Zq7qnIzvF|Evv4BN&ndzxC8)MfM^E#B*caw|#+ZCPMg|g(!t12kv1e z@C_fQiYVIuo91RBIl6^fcJXvIuCnz4;j~gfO~nArt`1I4Rm*<_J*!@cq`5$>8#6*5 zC67NVavGW#xW4s~5{!~bWoiAq*)vUK1AjkW1FZehg>A8aBPh=2{dRDr&!7Lf6TP=) zFyt#N!|rthnE1a9hWhO`Wwz+vWaP76+OEyg@)o!sb8i=tD8^GlM?ZYN#H>U_I$q5n{6<-o@ z=?YF^0so{`I=pg(jr?*oxipY_bJe@(n?4N1JFdhUiLsmZIleFof*qwK!J=lRipkwN zB`-1zlMtp;W$>)aU0E*6FI=Rkf?SyZWn-y8#=nVo>{Lwvn~lP(;ZFihmz>^{sS|c5_^1miHmzeIZTv*z zr2OT73lDb8Q@U|61v4fLp1yxi61Q?P)(oJ z4Z}*BTP=2;{l@X9ctoGoS~)T8L%E*Mr#b~{pO+1^hyh}{vdXH$?gjL|Ve?}uUolH5nzl@Ga)g^OaPPribD|%qGjlb>2G6sV~YN!9U z>9;N=6zB`(C|uI=Niwpci`g9L{aF1!HdF8-^XrlO2^suF%DgMn%T}A^=(JnmU5cJ+ zjQD>WJlQIT3F|Q8e<^^6R@7gsm7X~hEk6HtjrChj=Yq8)I(zV=)O`u2BEc*5>KpvR zh~H9){@*%AY*FVF+D9cG?UD%?{wb zvNYV4 z!VU!u^%{BjKKcLtrKuu~if%<(gmST!fM#RMO`1YZ0rPnB82QOB#jEf37#YXQ-R$6Y z+wb@z{Z8ub6nht{BLWPvpN1DygsfiF>SE-h#OF8S!BGbL_-M?+`N7zO<`CiveBIJ3 
zJ1&R{O_QY^$`eKqjY6(f}74kF5QCk z{9`w6Lebs5{whydPTB6Y!-x5qj{nv#4HY|7^kc#^NJ&`y^l>;Lp9yiiK*Nl8Zh{A^ z@3tmPArz>2kEwi_hdg2!ki7b%+UFEaMss4n>)1_0n!sNnRs|BS#rg;NE-BVP{1=|+ zgZRH3;30f;3GDXgSkdZQs3xH?4WRsDMO&yAM<5wxO8$fcm`hh5(4NMBMQmWVG-V}u z5i;L;sv!8XGnB3>T+0Z`I{g@Um;T-h6P4UZZH~a}}j1fJ# z5Phn!R?fWrM@ME);Ag%{4#*p{IwZ=!E``opAOr@PveMf)(qK)Kbp?NB4O3@QKhQ!h z9O4i{(vE`ZiyAjtd#1oEgZT9WPgP$D8QemgKJ#9Lr-jw+xHJ0Q0B-JC_R>96wJ4?Z z8!Xsq$OMSCPHMiCa29bF{`60m7B)8z&Fq-nFx-@Bj&Ro_9(7unjv?S1L7kU5A?npQ zJRfD9#zK}HPZu9&XDz+vsMETimz~xk+(*_tt+BmFKEosNbd7dcD1`m(f(l2KkL%)G zdW6$s=6e3$vfR#$zv3rL zcv31~iF>HJV>~K5tfc1fHyj68srCbNIx{KM{MP+J`sG9Hy6f~iB?S-8gDVNf@O0jysxyCB;6-7h?C{ z6FTL-fp=`9jl^oFXj3FsMUIHbISI0J*PZ=kez9VQG# zh*GO?-u_z^{9e+F!1&s%%4(Z2Vpxk*2{DwjPQRxj4vzoMCSPH-D5meyX zf1&+tQ}-t!7p{8wX!>r4Hay9zCU?5N{-`7m`3|;Z zN;VSJqbPdLovo+-aQnOjnmpj69EvD^iR~Ah89zE@l)-n6656iS;5?r z0k-*beFTc&t;l@}EXh^>wk8(;7@~-@p;zc_%vhoVx|S0Xn7DYD8d4$;msxi3XsP5s zNzh{M)t(@GRYt<#*AlQY6v4ymmER6l)bp%oxXdv$pS9;kklX|mXHrzzr8ukkF{Z&w zQSvU>sD%OkhCK!4^#a`Vl1~h2^>f74BX(03ZYIb_0@!M!(mWWavKW(G+Hc%#*H$nvE4FhmWegV#F^_fsep=1qA4OLb3_H@9yTe+Y6U zm#d9g6}|hbfA=><-&u>_ZN5b!AtF7t6_oB#ro6%J1E13f3oicCxkAm>`_I9OKv?n_u*DCu|jlyCi?Gs2g=4q>UEZJyn4R5>Z0*sl29YLxfL#(<8R0%-an zO}i9Rx*^v;9bof9|F0S6gQM3C#c-o4OT0?+0rk_MRZsaJx(5!u;+t9@vHxTC<$t2O ze8jN7sxwg%^L<29J^65HgWi3feMH~nJo&9zBwuT2M5lx36&S^HU)9gZp{cV7uDi4UvZUA?Ww$|{YB0%i#9$Ut5X-A_joiyO-xYV4804l>SK zg;irFZbvZD#qcAxL&2gx$M)B>rc~ZNLHu0P*P)F??_ zptVV=3_YkrNdjlg6J1Oq+es(CZ4pd^_}rnUnw6XHJXn}rVCz+Z0c*zdI?Y{j{>U*} zD$xIxDf33BeFW7tQbh|PT4k|ll3YF@ern5~^WORq9cUcNa{(K$3#`XTB_NL3p_k(` z^Yk5GbAgVw;dX@l(t$8_LLQWn0TPw|%UHg2_%X6lz;3>^G3K$6EDFsCHT3Z>Eaq{T zt@@_3cc7n%dK$QZL$HB3uZp$o?~YHN%1562Y22Pi*w}^$dpY9FTBt_o zs^|j#vT8ttVpY{u@wAa&1&V&)>yt4jts2TJX&+$p;ub(;7=Nn>o1KG#u;dsn-{%to zYie@{c|?Hm#brs^Rvi*DKnDpQP-{}lGf7m}px{5l-cT;hFyBy8WC9mNs}}8$!ZL75 zvFpaBpH3cXSOY=4)7Xqnwe(}(KFO7jeuLSb8})dTy4KSaur%vK2)seC#~d0PkixTSmzBQrUi93mT_3T21gFq@#>(p?unJWa$DZ z*doHNGJ1c0%c7_cF9($f-xU$E7DsKojn$8)m$h=6hhGVP{$2c?;xNR}$wFh@e;o7u 
z6I*fAs|sO*P{~9*4Py1dWl#iGB`mboM$2CTXwwqph#K>bntRJ2=wqDg`=^K1^;I*s zHnnC%{_HWDk_XB%rF5MJtK;{@o<;she(+AHI@5Iu-~NWA|DHgdsW^O>QD$(7m0A6o zodPwBOOD=M2ZE~51=SE*xO|k)Trbc3`kIa?T9829#v=LsS6IALC(`MjPF4R@QPvav z=B6K=Vu5fx&< zG}2wD_O)AhI+Iw0q!i?syjifqp!4=M0jm_Jmm+?v^E@`oF!INl_HE@!_8VYmgKHW} zw5wMz@Y?2x_qZTT-J}UR?Q>uWSx)eDG9Z#G+0nAIdN=SM8gxO^e`t>WawvGd8r#_t zh@J$he(xe11Km-%HhoEM;YTyS6&Pamo)P3Tr7&v%d4AMA-Hx5?|8IpOTq4h3LQClu z1(SL-cTE1NNBvRD6j)g`EH3lLG2;X(^dSz;^Z`GOH*|AFe*Lr5e>cKV;!NF`^c&s2 z4bxIYsz!oE5sg+)@QQ}ON!~&uQ>MN^=9*f{VF6*|I)YsRCp})K}r@jz^0(zoQcqQsx4=^Uz-I9-@ecyVp;%hEyL3;b$ z;cVBoz?DWNO@dIp^njmG;AmEP;wn^T2Y3W@?@7?XBN%=Y{E2Zx&)?hlS71$H2O}TS z5?u$3#Y7%S_FB4f7n($L_Nu4h8-brR|1KTT`D9MhH_TsAX~4@jdmY*XP9l%-GRO2Qzavax0O?dHYpa+ehY*)mMXR*Yt%roxs$q80U3aHJE3?{+4b-gJc8Usq7% z?jCEh4oN;VkQzllK3=vY9gK_|(emtr8=W9K$#l<9T-H zo=I{%w)oFPLB=?t_X`kXy8!fLddL&MUZNZL=81@iDneyy(kB{9Ovb6~{r9)-@wb2H zm4`SH{CdNmIteY6jQX~F_s8Fw!$+JR%yDWgeWad9y4KTV$J+Nz=}lA|O;#aJmcfv} z_+gVVc_ikTRpQci?6r?QSq^fw`+t98XVtD;Zyp+q!54K1QU^-PKW@P}9hVi2J~=7= z-l(>WlVl%D9Jl$UgP7g>ywtRnTi_q{a6NnM>xxTWOr1zc_1j8)&D+jvgfKD zP+-=tvuC$+!A?Iv)l8|Dxg3~Zbc+*BF=p0@8ZB=R21l%pI7o$=lu3I;26ymN{Y zkLogzX*TJO{z~c^c8l@ySLN>(>k(i2OZf1e;Pr=5E}Bo5X6_|2E3NlO26gA-*GEmD zvDs^xrAH zs*uL{M?;0@uxmNdxF64BXqk`KPXqRa80(Re4@rnSFrvADqp+K7J(l5!y3OS9HZcoN z!AQilb>#6_e`JdrF1c&G3!_7p0dzS%$8#!0^K z+uvF(3TSh`+f(%1IT}CO3~`D$tBt$9Z1XUr);!jHxIH{>YHLY?GZ3^@pM_iAN5Dr; z`~?|lfCw*|oYb!z?A_4yx;)werhOSNNb6i0AYVDf(3uY_vkhf(c-d*FjHp-NV zvbK^Y6tsHYIy(Us_T39q_7u36yZU9R)gQS$Pex;yD~yK}e+e^%o)qg7N|A5+JM`h$ z$i*`{q+7`pBmHkk-{TY${7w93X~ymH{XKqupcyA37>@Y_?BOu6(}HmW&;lR! zsO;0u@8>@qA;`M!qO+OzUL8o%*DdZU{9bz?Zx2&$Iq*W`t+!FTq)U0yC7ioNy+mC_&6Pwp~4%)24#yUGriBSE!KP;2ajN!YodQa{Oqp@yPbp< z;JL-S$8;^rcQ{j2sMi?105!T>*e&O$jX$A6_^D`jx3FBJ zz}9Ij2NWm$QPeSM@Jg({SZ_Om!5v{xsmeFG;IN>xfGT=?FvZnF{)5$&kz9k>`BJA1D7uDd=kRvg>eZ{V*>%IeuL~*Cg@S zy~h2Z>-u4QvDNFLCi$1E40hjG+j5KZ`Py{bxR*zc@VIN}`u3r6w^*OH5_3e`y=&ji z(b4j)hSo8{vP53%k^C5s3}l4Blm$^HlbA?~0Q_pG5@7@|ilN5XB#yyEV2MbJWag1? 
z$2;R4pAev0*`IQW`x2riy&T4k=nvjdxs_|H!CV<1Ts{yxqEgX{zDWgoXkH|&95&|= zxMyHd3}i!mJiWY)&d$knQs3-d^cjs9%N-fU@p@_iHy@fVHyS5Pr`^{v{b~@*mc9NK zNMQv^iM=$L3l~Y`Md-3hYZXxZbI(t1J-y8~=hT=iH7j=#U#DbL)zp~^|2$N1w3cwp z<@jE&5qEy=mqm=a)V#I`_Ii`?P(#zuetOAHY4(uNe&6h-$5vm;jD%1bUc_as-4VQI z%$(u9SMH}qrjHu6;wT!)m6qoM?+$JjlJ0PFod%t?N-_!cy8H-L!S^yeLEPlqKfUX! z2*qpE{C>`I*Tg*_7Ye0Ve)^3`$_7%IG61x+>4OWB#AlYQk3n$_>4_TP?0e-NWs?9z^EZTcxbFBi0vxvu;2r8X82E zv*9r!QLY9T1s?c(aG4=?0F|?pq#ovi8DQUs?N2;^IVdI~Idh=DLax?&!Uz408!W_? z3-@r5enKj7AxAg5t0?fDEhJLf*%2yoY(^{j0N*3$Jc;`5Yl`%#% z*@#%D+Mr19o7_4GLwM^_}S|mBiKdD=o>^M6Hcbt9RJ` z=~i>KD&WO)w=X3d7%O?q=lK^%8m?d?bDpC2VhOVu^-*yAZ64g@;o9t$zac>nZP&W+ z#fEvTtf0yEKJ0;{i0b3jo(IlNBSr0I6AA;e!H|K#0#^%11|?}zCvvgL8F9GiU}672 z2@Jr6=O4=dD3T9^_&KO4ca@AKZf~aMMyS0%Yvu*^>L{c}I}g=)G@x&n4UXDlJ6au9 zAA0$lfM5U`AJtXfm{}&&oxihSs#?rP0q%?c-8gO9gm#tDI`ci8)E?d?8=~e>m8mi%>dCL0j`3 zFZr7WXZmu2h7B3cdG=Wkf-aB&kkfzO7-SlmXNd&pDscb$FNd3( z7TwfK&N%}^)I8)6?O@w&zIJw6nFK}p&_J&^Lmr4l3v>;=;g47~tvt1#r5nzJiSS+H z==9#+qt5QE9U<`jFL|SM;IzVC&6)DUaHf&s(o{GvG^{3+iIeGEuO@PdmJjY;V6%*g zC#Y{)qwKnMe*Jj<&|sfl^5*)jAgmn>=TCR1d*@@(?{`dp_N5?1(&Kls;VJboOu0(q zzRp`BAD!6XlXCAfJ>`e#&aV7edIE*yISH;Z*xKFPqyW-ZP*@G7OUZ#~Ue;ere>Csxr ztI-5|S$_Rily9T$+H0l?b+_-nX+_%mn-i{1T5)H+JZOh_C~yNG&|L5_GPH&tjb|w? 
z)-?7=B-sx%&^*^!M=pC^%r_{F*mBA27nfLoauW%^l?S&m1q#S zYlzzZxG}sL2~tlfO{?PUki_|;E-~=aFvP3?XPfa#@YA}9Qtbn`|IeTJWhz|$tOR=x z-Sy>(pEEEdIf3t(y=aDk2d0Ax>9gmw3Md`uCY;D$w;YV6`bO0l!UOQA1NYXZM&Cq3 z1hShaFF^ihjte<`=eyF|k9S>t$*qO0Ez2Cgj)V`M6qmoMD2#OdREcdz_l*`w1SB$K z#)=okAw+_c=O+1R**KyB(Zp<0Gk&C>(Vi*dQ2zwg{ZbhvGH*DL-5S|7gFA-Xid(k5 zo?jO_^1hWMZzq!kw$wpCGMsyS^Uv6Y&UR8w?{JWfL~>zd7(PW@1==Ze+-P4~fU4Ab zV;+Y)lkY>PDyEyEOU2hd!8SJ?xJO@pME@$y$1+7>LVZxN(#uRmky;LSDQ@QYpyOLy zmrm^|+?vU$+JnN0&rT&DHyRTSJg>O#&j7a>w~a-_XRZ$&txtE2o}3SlOIlnWB}HM) z%LR~625CeKenzD@ZQmZLpT|4OoJLA0tdj1QvfRxNw6KNDv72Tn;I!u3u3Yn&$hSQk ze%^l=rS+;x4~qT4n%pKUJ>7x)R_E zi%LdgZ_gWIFe!SapG@R-CkU%X%=z;sZs2zjJ0!4(Q+al5BjufMvY*&>N=m#mEhj*z z&jaGX`{Ub9%15q0#Qqczpj?d?7vjj%f8yhfn6>pwY^KLFvWIomp*WO9my%R%K%|>a zG?^|U`cr?SweGinUxg;9MaY^n43Ys)f9M>2;8@_#(orI_^3J!Wa8RApB%h~Q5(-47 zH(blOW}s$uyv6o!lc@E2c|JZK<{fMcY%|Mk?AkL$T8c4`asxTxdZ97);iVvV7J9VcC(5htl9OnZXYvgAyYQ%B&}9&PE$p5Ix*- zNp%2K1jioXC&J|M{d2$!fVw%+fM8~^fU_`jf$2Nc;^;;9pU(Z12YZGaOxx9|76TQ5 zhu=3K?-N_vf)HRWhwX`-$Y7OoeC0ZA`+{&+wBkl@xs1KMxTMvl^a-3o?Pfg% zP+lK1uP=ox&9b`Q$cOudH@*`#HFNe*V{TijdF0j_?v=f7G>Lh8!}r-Yf*y84DNq(O z!Ll!R)Tm1(%kD2JO;w zy~z|mveNVAk=KQWW`Md{c`9?NUa1`GOYVC!1u$Ci;L7N_eiF?2WrM6> zs$nkH39Q5?Dv^^_vHLxW$dKK)kI%^F$_OrvlD*nKZDCRfEnGw z;dd=XHcBN4D`nZ=Gs|fx2_09yc#AY{hwvD?Ax!^u@$CQ*t!ZcO&*|_BV+UfssNo+wGs-Eab4fpa0esKL)9)*qj=w z*nnZ}h$=M{4DQ~`>XJ(^F+#ugbh8AqN_YB9lh0%bKU3g))gxa2YauboD66!qTekUg zdh}F|7ZVSm@A>jOO&{;W-dY!{7uH6Ew|GH$rJu%`htuksd}>%brc4YNd%W;+S+$o!=EP*yYd=LJ->qc`VmjClOb7QHwx8Fx^E9{$zVVu^K7krZ5n z6V6@}+!HR`vJK`JWw2VOb90d0$HS6>Q2T5vPVG5nwPW zeg=ogX}q1iV#FC9fV=GFg!HP&m@{8luC>0qAmRaL=j@cVaOJKS4^7^=d2r$g z+yNXI$HVfqgdzuoEyz1tgoh+1eWaOH`Yz-MUeYs(aEx znP$2pDGWrW6p0B;b&7-qha~sJ3`UZZm}=OI*m}_{UYTP3(4cV$^N{g*7-p}A)Q~aQ zAn65HriW>B7arGBJy5gRw+Jgr+kP{T-CY=m1v;ITQT<_Z3x2Qg1uIiIB~P+2DVEA9 z)&7?1s2VG#l+UEPW0k?bYWAT_CJ?&T;tKsmStc+>Wj&<1v{JqBVc8qJwfrvEl&j5a zgjVamF(Q;x#PVc-;U!z}xP)HEWjs8{63jfrau$Xus3$eV0@c)bYe}#FzFro+3Fy^S z=_{2xG=s~DDoRA*vS}*19p*P4+vP7w!Dp6G1pMhmz#qPoq96s$K_9(e3TjTW?&R 
zTJVH08h1hkO!KBS4ounnoeh=f>iOr(TlV=>v1d3<9&I5xS08e{g%H0>fwq|c&R&|e zXSBci#m0b@u1oh`aUldHI~McU$HBh7@NS>6H?G@uyQAHdb^vw?#7EUp!AyH9LEK$oD zwkiDl%2LwGWjSvQ3$Vc!=)7h^imjux&60y*u`uYz;Y3xNF#$2Sq9hlQ zyKG^qjM+$miV{YTm5~SV*2fxQZYzHOXIR>lLhm|ud zu2R31T!!KxP)?~XBu z0{R6blklUJe_()-LXT1|WG3o%orGqPW2gYxd~Vf9NEs-_t;Lr4HRVURe{|g^oZ^yu zMf~v?Jc#hLnLB_sY;H~|QH7I>LQ#)E$F|WEH5!AC(z?vUH)^`iCUOob_MsRu8uTjr z%2gRq<#!=mM_NqRoTU9nWf}wdw_%BSj`*}J+>gGn@BO~wNSdB-UwF$gw_3=)|LbPq z0E{Q7i0Od$za{qzO9xZ<9nug-r&mNt#qf*dvt{I%O^&!6)>+=ad5yfMDrj%qt6<)& z^y_qASHpOh7pe7npaj0hieAk?tmVBOUNa; zPueQ+Vj3*&-oA{O6fqCSI-C?p5JGKtso0l@TV06JX)+U)Vk?k{7B3TJR4nk8nIa_M zAGUcC<0#Ush(oTy_Ma#f-Q&j9dVkn8vcl~iqi}xdb?>~w!El|P{QT*l+=x?ArD&a`AmozsaH+BzIj=8=njv5!y@_aPa2_jcIjF+LTLVMJmPZgmjR4<1Y~9;1+}`yf+dkR zn1HvhfW>trhxE3J`|t;hmAQ2AZ~D(H#h4=M+gOK%V2wupYd+N4373>!`mIFu#^|Nf zd~&ow=w@JWxmOU4v$kuYXjmb480 zt&;iQyi|#fxUGtFJA#p$rM^AP82sFcTr(1ef?=m&G~t3K>2vM6lGlKE z;U3t{)4GqrY@GtVTIc^&${wT+@nU_Iw4;81SWtZ2Z1FOM6&;A}GHW?~tOwPiPE!yR znf3%^;W()1nK9PYAzodyx%npV$%rkUJ3&B2g_SD~_uhiIC0pywnSD-PTWU1-VG8E9 z_>ETRFS|1fJK{et3zOn3M!bAule)vE(3GA>&tIX==D zSm@w%waVi3@t?`|ywlk%1+UUbU-Ptgn4ooggl9x(og)jN$crpP zi!7=9d{pt1(UMV&bY_`JsSb zPeddC1Z%YI-i5h2qM0+?OYhJ(MUCPdZRoJerXoVw>_0KR^f zRpKe0`OjAo^JL&l!Fs_Db(;Y)1xU!jD#2lCKw!&5heqG2l7^VL@g-;>L1C~&26HbQ z9x4U+;WZ*~l%x<>s7OYGD^+I~5@SMX+uUA~`L0{~yH>%|ZKR4Cc)umS6}>aEx|N{t zU8@^e_IWAz^{gLI{-~<+1-OZ|gh&wXhh`Hgd`sU*>CYFR#`%IM(KQva(nyMJ1U`EG ze=8=xoypzA%;Q=%!Tw~;19&de%#E{c6*c|bCaU;xvMQ8F2rp|xtha0>K zu;FyN*&vnpM6CIk?0kuETG(zP@7V-lBU&es^;ZV!bq2B@z?l9X@jqNf3AThD&wLsHGVU&K2^q452L{x(u(Fe&`?|+tR*%uT`7HJ+w z2Bup5;T}Jo6_3k{pfzmMmt41j$tq>fM<11~DlLv)B0hPE65K(#<`>ptCsBT4WHw+mgyF5 z>Ygs2ckgBaEW4f0lYYOJYei80rv98M_L0)!u9_L{QyWBL!jt@rs}ix1;?|=0$VxJV zAk~ztV_eq?ix~@4;AZ0YGg&M(?;{M1(!w*z@jhaEPrir;XoC7Nm_Y zadwa$d51uiA6O_X{?(Ux@tS0LF#BnKy;>5J0%idvgw%96e)3ls~?3kHew~k{L5hf!x#xRc#pMdcHVmA@AA{4#&VaNa_Se-y%kT_JqTJZR5f&nXF&1mvFrQJxrWiMB``123k z7TCB|-*eytAOB$T9no;w^xNMxZH>#O7-VY^HSKHn1+ 
zr*U33?C~K<+l1~lVwH)^JR4}0-jxeujMYEPNIyKJAy{V@;L`aJ%6Hw z?lTC`$7s#~>HIm-FHn}YRvY`8IiBXt%=TRwm+#x!>Fv%J4*#~Ci@D=&u{&!_V!z%p zi|QK1F*fjJ4hv6C_RLiF~eFayGbQpe}-sNU9}aS+=}Fei4n z02}R|R1Di4*K=RG7nS%;#(f|A{R92`Q=D@e0d&3$DNJDtxp!JM4)Wl^Yv zQ+HR#Cnq3C$Q6||+N_8UPe#R|FI}aOBDyBKaFPt!rAPTooF)aQ??21ciHN(PnHP86 z!C*ZgY-i?7=e&z`el$s6ww9u*R*iC4N}`>JuQDHe+Do-yLM~pt=uA<|E$Z9rS;9o5 zIzyB6m#s4w_g&Zf=DjV~flf}9A3~a-&Jf+&G$$ecx$ddEbrqr}+T={^y{|GQ+DYiU zKvT7vzjcxzs3Ic94Scc))k=zJju8Y&*HZ*bP~x8tYjq;c``kS18D+ zm=5UE*JOjC(6<_7D)LNdUx3_Umpk-H-|nYmpXM7h;6RR%ZHmA6tbL)Ahplx*ashk( zNYvmIia=?a^t7vF_@AAum3(Ur8RD6}2-+d?837GhbW~E-hDmphN7O3AvDgwwBhF&V zFV277f^sZsa$cs<0Q_Y7SI8yD!enijz@mbAMkXa>yoBIcEdswGZ?6azfDYMmrfWg= zAAq)s<5d?X?ddHFtTu43hrtYL{}%8T>$i)j*E3fh+pd>;2de~K@>N_-X~554(THnL z+WaUT*!z;Z^a^|p#)>4d3Mb0x3;OYQlIKkfdXe53JJcRgmPIyx|CupS$j%QeicGxE zA;THK|$IhPgAwY92VfvE+5le44tx6&cfUBM{4Z9OxCcfXGEhe$O0M*38Ap%gDME zbI}MVu)9W}cUzZcP4Ro52j!kuM%NrEljxcNgOrJWfP3OrY#g#aQoHeTseJW7jHJaJ zygxD3^{LGK(>`Q3RGf;~$oDb;EA&=UZy_#l*NNp?$Ir6838mcwL}vdY$&iO~MzXG- z<(|wAQ)TJYvgWN0ohjronWuhcj<4wD1lgK{+WVs}D2;z;KwdN=wFi!TYkWzYf}k{> z3B^%aQTR?p5$APxg_RP2%Q-&Z{HzcrvNLaA^baN~c*{)IE?pO!{o*rcq$>y+d!nYM z2t*8AW|{DJqO8YdXCpxZu-I(?z2+b*9cK5Q`2|}^D76BgkxxekvC2Z1`?B5Rd zDS!Ckz}y!a44*KIXy>L}1uwbSWS#!r%*Eozt&_AIEr>OdN*?%Y6sJ zXpxfAkg2YQ-89>LofGPoyLc$AAr{3%d-V@%EM1M;>Sj(efpwPz5o}u#dn2B-d8>m9 zSmQr6E)?qNKX*yS>42^hO?}^nJRYt1ATTV*um27Z1ALStc(b)Y=!krQSdu^SYotSq z0WepQN^u&&VZeqslO@D^k-5iK>veqQ`U4)ok&RaH_~v$kY_(RlpBH0}j|$ruBBCXn zY?hdZS072}(OAgCwNkCQU*P-dECALG;APglBpE^s8xq+Wu-wQB#8acMl?m zcTGF#%)2~nN^5dN&9g@0ihNX=5J6FWBC<|_r8o;kL5JNVmRMa%npcCxF0XDc5X!h4 zS-J=93mM!rIfXTsc`iLpxwl$AHQsN{=H3mBTy|w8zkg_)0Ap2{kMh+q>%9(5&Q&$ zbnkgkiiKV`%5^}-VY6Na@+jH*Xz9AX1*o$KFavz^vnVBNRrhVtLk+G!3@)L3lE$d#@mt>mMe4(7<&p9Omf=6(6p7r4!j z-kX@fSbQh5>>0((tmPO>r)f~GL9nzhI)8b27=9Ro<+YQ6j9;`2c&X%dz$zKAq^j~|+2>$CWm#$5XX zgR)tdWJ=)ngv#B7h|M{GIji1#cKDdh03`b3W$Hz2T(v*qmv1;@VFkD(>jx*q;w)4fsKg&FzXkvAb(i69 zJu!$>7s4#^-8pLh7VmKCl+5JtpC4AZSB7d^O4$Iihp@-gdcOojec``e>uT3s>XKTu 
zW5JX!TjVtVO$Rh7Hb=^1n9qe>=qDH&=yWE7>+w0{?t3cXV;DrbazcT%n@74#XmMw+ z{<>UKY%tlyKAXH`woJ06-4*;zkn2yvA%GG_^&=e{S{$|Q=iabHuGU_Q4?Evnv6m=l z_jIW&XlN#a?AF*N09Q}5;>uddN19Q6x0&vO3~a1ZiVqKE0ZkyD&)JVv`e*i%mhg@6 zmOfnwJKpibIA4cqW50L35b{6eAK1W8hY5a24hd?ACBa8JPXEy76`5h69k9hquCyS- z%Si^mg#OCHI#j@~XHh*C6qMn7E8BCj3^R3BXU9zt%?r7%EjnLFsrbY`Bmp&4Y!CsR)Q>3OuFfdSUULfvzMdmY;O*Eu?SFh?z{~uFV9T4U7^d*(#{#T}A3a#3eS5Z*Hk{URAb;K!d&d zf+-Ct1_+;RGztBtueYu>!#0Rd*6ydx|oWy}<$dOK+&iV79TPvv! zV~y_Rn(ur0$u3t6O~p!&Z( zFgmRSaWw-+BkEm+33W3*=vU&e-?y?dOia0cUeT0!FT!;28T*V@WN+ePcqI>=I&gsQc+ZP_OYLw91%D!O(d<8;$vu>Lb3BFqH&&ek|^K27t0?Kof zY#^2#TkSnMX?Dmr61Do;MDBdXtwZMo zAuHGQ#Nk*F57TKyzc6*CY(NBbVpH^ji#Ee5jysAP)@)u}P#4w4JX+56`ly2IfV5(k zvg!psOI!prQ>Qdbv=d%(ic~kA;)?8AC-#ZbuE z>@FDQQ$;X%iE1LkTQeVl4_FC8nA$C@)}8KI2W+(@8iMH;ImWd=NHJl%L={@jv-t#n z<)?=ClIC%4yC0;1kSPziHf2YClbV#Mn|IGx5gE@l3!Znha=KiuC|LbYJyC4 zCJw|pD9+@R#HMa09|QTh$s(aEgR$C7)ae^WSNs~CyhXU zD!AaTAtMIKi7wpP+eVXxZLi@vcYRN)5H&PQLfsQ7YpZDg5){k5HTJYBg8ZRQ?j~?@ zg<$vl$rDaU8`sw_82mS%Sgg6N*MmN2nd*A)$C|Lx0&=%kPBbQDA>})6{vFxm?i}11 z3h?wQSq<9RJzPs8T!&uSk&yp!8fxl{ETgeGBNCm%OeDBKIrtG&J|k&%xue%)zx^F5 zO|yEXwJNP$b1i4t$fhzE&femR1u^?eVudgdvxoe<2{RHgX$ zg#W|own@A;AfSP0IFFrMgLUPImuLl}k;ArfL4ioZsTd z^hmEQZrhis2+u1n5V{p)qFj#lwmH^0F>H9k%pWn$zHj*QLAK<4S~wI0vowFg?@*b? 
zNSkldd0afjT`^=dCqr_ul=YMnm}98{B7-V9XgiI-q~?9$C}r?fV1KK&v{0ktn-X5T zo@xm5kBxVC^YMuBr;p*SYl_XoLb4KvP!6YrK16WpFbzHA4wGq>Nn11d{=Tw3JyLxG zfjjUMyG$wyWB5Lrp#y86UXJ;X3j2HBaC_1B%^NpTdzBO=If*AHQ|P`%(o4Wolz&4F zXPan~tnqn{VQkd#3im(Kg&fHHIrr?wT8-CEeju|ijqxSlQEJKO87iBG?5SScH&;5 z^A+ZF8T2TF)mnyQkLidISBEKtRpw(mj~7Q7{lF6*n%`B1)Z_I5xFSi^lANvGLJZSQ z9tp0Ctn@Y75}eMd##`;bNCofec+{SuLXS`VVT+~CLIE=V^8vkeRq7Nw1DwJ}tcff< zSzHakba^VvMICd{5fbY~B46sz3(mf&WMg4J5E4@1o%<}-84=+iP_IVJ#ScSv+!HxbvR${fe zbLSex6M5wMY9%@KhC=_M2?n zE;WGOZUQub)S4{7U>&`)n|LVrk(W^LTs^BD_bt|r{9!4*B z(u1gZe>L1BWAHluhRr{dT|)Xe`R)}+9CmT>)x?|{HuzLB*!ZzmY_s$w_bq07*c`M( z?t|heis`zh@!t>XZ07(>lI!;sE2J9$P}amRV)+`9>oLqV!GGIZD`MKPR_x~Vnf*RM zCfzI$Mk$V)L#oXK$ju2qg95~&?r;2ozOOu`g4h%Ycl#|G#e3GM%tPj2 zraSPB#u4txFyyX*b|d+7hER3F(*VcVKzx&s_hGcf(vl%L!ev5gB8)sfW!yD9PZMvT z;1C#N*V_>;^`EW7jxeMlJCDSSX>$w>{$xeFZWa+AF150wm&!3YMXPzfzMnPmH4R0$ z?2z2oin`Koy=tS*B9rC!QGN9FNO!k_TL!V$^j3@0C{s_yXc20v`sA@rkhjulOB)=B z?N&b&mG!6E=$q%o&DH57fz+7TOKxs62$W!z2dI9eTqYxxQkxCv=a)B816fW(u0Rjr z{U@ws7Nlq@9^>n4hQwYzyEl`+sdvnh<8fR$X0!wGpY#o_ClIPu~4`KK!(aF7)EA(nY$)i#SS~-yvlKQcuiR zrJlruFRJ^GO9O5&U$pwm^VmV~v=p*i;@acISf$CnYJva$PYvr{jk2znh4fN`Yyg5)e+{cz>BQl_0gvnz9lz>#nJY^#N#74vyT z3gFUXe;pfG)eKmt$|T9lc_%H7un4KHg@$5Y#wJ89VI$4(0=wyji~}{M{C^GP?-$ zt=j^+u;GGorupzFjLh=*6*mr!S?Fn25RSnqsL+oKgcEx8DYk!|swBbQ*VE0(eFwXl zF?}z!_da@|`SkGhd~ENxxoL1=eV~y#RHMZ(`9~~(&RLT*Tmp?cyBZZmv@yVnHanGy z6~OH<_-zhL^uI%>kv-Uvw&Wi#qr9*jVz)C0vns!Rp*=bx*^+DUg<2#pwn8O9V2FhI zDW44XF01b~S{vFQKY35K*zYg3+1Zga*QEw>UI*SL{6dZlYvldzOSNWyL3amSOHkiN zG(bm4gNK%=N=bY0u*Ho*o!WtIp&_NHDHOy}09#HRIAQNHe;ta=@tq>c6j#aX9KL3C zSru1mXE~YM)jJJPhn&cVj4v-qww#ZMje0GVA<#ETJLOZ%svqvebns+6p zN2myE)q$MK8$r=TDYzunPSdvd0(j{Vx8nlp60YCQ!snn{?oM}%xPBF<|9}`2cyt3V zL8p=u7cxD+EeC}_Nrl+Azx3p_I|`*Al<+8fUHUpNJ-6~?3POSA>K81>;S!^i7KrNWX}< zA{b{2Gg~wG;$#kI1mttY%?5gOxl$`no=T3k08Xd;pmk2=0swMD0;%3eUb4wE+|A%Q z24J0%3MJ!Gr{%P1%tM&9`hq5tWB9FPVkHV~&LlwmPE-uL{%L<6{96=&z$VAQwj>dE zNW?WPJ8K!+njso2oJzG1q>6@vNA^COpTTK*?3kVl?Ph`M6yt@lNiEt+x;-($*rb9e 
zU_o|QBDKEE!#92&p5hfpFRW9HpQN!)AHDq~Ke?{Z7sgaA44Nj$3J(H^Pgg%e?Zci73%W)@Vb2sl{ zy@Q!_)oiTBzn#O#du`JXX73D~An?nWE6&En0X4_wifJY-H3Kd7X#Mav?LPX&Zum*! zb|I%oM?I^f5^4$qOvaD}1srv&%VLoBlHa5DECM$RbHsi~11asBh*7~Wc^V=9cUIO*jLpX+i205L*sgP;P#mMKA%h_X+MbK zEn(&@;99`rpW(UIC$>$rFfQ;@*dZ>!4TUA49Ops4`;FwTN7@`L2h;BUhcg$vg7-n% z%z}(wRW|{sR;9+~Wx=h*&QQq2h17V+@WiX?au_J1z_kC@9$}==Pb)ybDQ0z+%MKOG zo%(e_$8}>_|Btab(udl|b(wiyyDPj;&kDP^KzgZ-^?Q9!>Im@kY*` z1nuB(R+~N{p=iwP)pe;o^W-|jKRmf&3tU2pQWX-%;c%&@hwS8`yf-fGP%Nb02b;WEBkIA zcI$4R|BX&g$Ym+!fp($f3T;w}j8;#MS>?}SiYiJx46K+`F7^R&?b%Uu1WyC%LPKx5 zpyyTz0aNtebW2hz`vhDOQ)>I#5Bf)_vb(UT5>uApu?i|{vPS!Yq0?ty1knWB_*XuD zK@pA2ubnrzrE2aNsOWYZ<&)~*w+~gul4aBI#XsSOv@p|tpm}C=$(^^#;g|VS*+RA^ z(V$n@pDB|UCat)lK%C0#0IIBpFt3nzd2Ur;N}GE=zPHOVDN(Q)3`4p#ewqtUQTbn zo>z#QshJ-#qy(sXCl_Xt+uuC;DYm(%9P^9*e{4aE`5UEAES_eKcIs`RP#4{AUm zEf3daep`Wp^QhJtt*^7qLalfCippL>zd9a&j~s?pQxMgw8gt}5?TeOpYI9IM>#n%h zN;Z5taVonv;-Ep%&Qew*c`E2!ehqD$@uuFC-M%45Zm-U&r1xKbdK!cuXP47^0iMw` z-E?9xML`X)FKcwsk8q zpGL^rc~9CG>q7wGHOiUTY$)Ff%~2{{B}{e_UHUrHMsJsxYSS%D9i%P}2SnkM#WwY| zXYx8O)gH=3*GJ))*KgAyVU;ZgMnG<@y28EC+x;GYzd)hAE>I+b`j9#A929NQh_{ z_LAvv?lJ(0CE8M;T}2Xz;VutAbZNLMKE=dPEwIA|rfZRT=s^=nDtT`wpeZYyM-30#x-;>*yOhD=>7S$vwPaPnBiq+-=rWeDzY!#%balNVK$ zGiF1+S8cyYr>t5>r@+b12zA`S^#~vW96SH~F|urC zqm)DUUcP+qZ4Hr_Nu2=Qc`6q3_&8zh;$#QpisuR%9H&x8mUha(Co_8e-u$N(5P#{#QOHaUk zbHIFl+F%Ww6ja$jTb|KeuA-6w%KKk6m#Qd(e3zg?I5`IP zQsNqP!xd_Y9yMKAQPmRP8TNppL9?176f#pJs+5|83-a8X+hqUSibWjUip4eu3k>&O zak|>BM<#Vd=0W#fpj|O}tPqDHjw8mG=+UTQb4DfBy0N?gerWzj1CxR%^4Hd{FP+$U zKc0SexwiiGc8|4IF+Flmcm4iw>~Ms0&ePD;xuY6>^_y+{$X{FchAst9jgu|9N)rL2 zSyx?pYLt#zQx71rkb}*FmFCblBCIiw__7lUq&H<-keWXvsQ0R!un5;^;IYW9@|YI) zK%Buk)7AS9C=#}B+(8)8{1p&j<15(5S~Wjw4xyRsh&$KKU$D(@6qYeBv2G5g zZTwYA_bo?RAXs-1j5;?~P;r{P`D?u4y>SQMl1%|jR{VY8X|9Dv@pH(8%0!tP5Db%7 zxO4t{))EM0cRe3CgatJy#Ak~LUjdtFh{Swu;a6K0>7s=#4nso;KBv<~Caes~NdxxC z!DvAJlK?zD67zx-)FHt&tyEW)64c?-*_t;oXl*yv1U62H#o@c<7nX)p>NHy0`#i=a zB|*;3(1V3`ZW;@0PuCOPX~N^DG=*9gr{jtQyijW_A92!>Jo2nlOzY@Z7jW- 
zwRh@x!A86M!y2bGz3D&3FarX{+ftZbMtYgTS0TIdEt<6|4emdkdC(U-j{P3U zjCcjles)&4Ep7CR3{g4aR<*k7+7X%$^=HBm7p)ebN)zA&9YGZ;U9&@YuueqvSqUzF z!A1B^0#RiRa<1*ojkM1 ze({^?G9SZ}#Q~8_RchyNdIDFOiPom)H(}t~h`X99M91@6tSA*e- zbAM&#m^29714Wfmt7|$1K!L$BP)$`h)DkuM)B6Lyam-8QH^N<=So*01nF3hlSFK8m zcpnw*kBc$zu7?#-Y&?A!4}Jr39MR2P7PvqTwo^UhR zf^&}={`6nAL%jzNqVsH`J0A(-jTAK2nzc2T*_-Xlx9%32L;DV_sO=AyLbp%#9xk_! z9_|hnuK8R8)7V^6xIikm8Nz;E#P)QBeG1DaIiJc8nt#ulUYapwl zr;DY;8w#c`P7T;1kfD8{tcmrMg%Mn_Dqsi9b{wxX=!$bme{=(GgXd;%zcqqm+Jw>^ z#+p|WRrxA87Y8?Gj@2LAqD19lW&10Pr*>8q@T-H*_2C@thE8csB60M zj{)?kC;@C*@m035@Sn4cOH}@`!A_78%d%AAE&J$MN6!q(m%F!Vnd#lvaX-lL{xCaOi(L6!Ib<;TDb5%&2MyMrB5tVJs zS9=K6Eo${zv8lOOiYQE!9&$8c8k7fOgCR<*>&D)sFD@0f@*?!9VzXm`&p-Zbe+v1+?H(RpK;N$0l2mK4DX_8-0}qPxc0mT#Z`?rq0J2d)g1 zaWs2{rAE4vRxB@e#EGaw0wHaduY z;@&LSmp#Oa`tkMgXSmWzd73$dpK~ZZvg_X3YHrJcW6>S~cCZ~;g8!{0Y(#^w+x18> zZ!o*XHOMWnUlM2Fy14QI_oQKw=68RNjmmW=nz@l)r=PWVn9Bd819m-}&JBK$H z&D&MxhA6(fM`5I>Xeez$dG?0X2Cn)M)83VmOX{kr`EtEdBAOBnvNSZ=pjc@&KpGcA zDa@RTfh)<2wB;+NyiXAXd^stv|0yiUM@>F!oad5( zVkPw^CxX7%&PNCfY`U~i`BjrU1<52`rl|B)ea`$0XbPR#QRpWxU*X+B<;Q)9B_e+tPXDQ z%K8tiEgz2^)|~*9e5gy`A;0^j5LEEYtNA^Ln85-0SBj#H6DMy_r2=?01nlALoYZr8XUTiB3~WCg1La5st@?S zo>e{Gp(*&oVz8POL|V5@ErLQiq;hQDkjaKa6Y-i&cRcN}Jv&T3D=$4KganaT97oX6 zsrz1Hq@mLn1&R>9t<)XunS64+|3f|-43T+65(3A*#uXiL(s)dNWu>739IzT^d4)&v zxeQdgqrGfAxHQ(q+hW|u!6M=+!DK3HE}&D6?)c6$#t~1vkoqwU9>kUD9pp?hO$5)% zkQv^Kf9vVYHZ#%JS5wUt=yGzFvQFZreoW$8p<%MMt)H+)wX`Ceq4{Yh3bT-EzZndP{N&NjIte zY+0zOgq`wz5|#DRMtb*bawdE6KOi;AE@VT|vF6 zN0ue9e*ZFZVqGr87J=n^@W@G5(nuB^2~49Z9|&D2{QH`{ZrbMMMnmBW82MVS+Mkwo zwy#d3Go&{nG-5upRC=NQ|bn)ao>4coSV5zUd(fNTUSA_L7wb@f8eInqd3~qu@^MSh=#J?QiB4ZF(7gBxFE`FkN4) z{1YGQhvYDOy1i%TD9)rYF;JNk=S7j`5ql=h&M_cXcn=pt=c!m8;6$qdpp+S6hk1ks zxx5_c`i3JjF~Ak;^2cr`#K+37?D*WEDN8#rMNfv8j{lZ-iwX4C*mfn3WH;W$EU=+X znLX0KSYuWU_s9_oWhm<{%b_z**%evwWZk>RPzaMZKq`D{eKX%>Q%w3CVG`%j5FM-x z0eZ3Lu;!bJE+o3(6%J;{qykHd?toKO^u>&%({kWvUYZ64IME}~tVoIeiN-mpSxI?k z5SU_P05wDjszr+CLP{7$n6{39}S##4{W=QMWO1?%A~&zIdx1 
z*Bc*6UE7~7kL=4thDgtRDK!0+;YS^$^7HBo@`uSIM38NiG$<0!q4=Vy4oc>rPFB`2XQCBD78LMJ!i#{jHOgXQ3#ksk3;=Ei3 zsqs9U)KHiTd?&|r$ydeVWfbLB67HacoRYZM4>A?&+x+x?F9f#J1M~`HPvHj+dG&hG z!Bl_)OcX6nmlqUTbQP@Ss~l$YNk#hVKGO?{uWTMxzmIFVP$dmnCQP;`BItjd9{Abp zl^9r(CVw!;pH7LCWbEJ?*$S+Xc|SqffiZ>p@sWK8`ijszth=h+YX8?uyz=s<6y zZLrR>?~nG0aq3paa*qOft79)Hp_}0YtkN7YaIrW36BIi&vtgKHkA#uVN`o-;b{gT^ zii$5_NwZqfc%<|S`bi{F0(nZNLmW~ zlKW})X-m1*Ph-J>)rEzB{_Cbh5v#&9izD7-__Qme&uPC|`8A1{LLm57B=T>N`H%>% zP<9_*h1t+e{RJzTMgd*L2X*(Lrjoc%#if`rnhUO;zu;3jEx|t&;1g+&183N}J9{nD9sbK+QTT;Q^DnY5_f@pfbYc`|LjrPn?iZFlroOkJ-6>iCb- zad-HUfMd<^=BeM23PVOTq8okFTKdvmO1kp@RRmSGx*MFlB!rVx;BUw@YgSp6GjK2 ztJ~y!zl>baUTt_+y@p5$@i#V8b@ItBd*iUUCo|!(XRDB%U(a(!+0s9_5dwv#$)x4w?$)m+GnD2kkDM${6NZt|QZ{ zcBO9w%wZnY)%L!;JF6*>=GCA;H3~=R(Q*7n#kITKHidGELG`qcxN&eAvUV;?MUQyz_`i4RBA^}R34 z?H)S^m;81xI)oNz|3dH-MePW_WD$#atIQ&{imq9zsp*SuB!>K1(RxmKPu?(fT%k4= zd4U~PH&x!NBTz4HEak@-a%;?X;(5lyG~Gtk+y$NT^D(sZ8qp*FfM>Pi#&BE z0H`@EwWO+k5MFG`?pzIxz3|^ktucU;v7zHcU%2gUji6Kuw|j`=HigUQ`f-OMQCF_O zKg1b&mkP;YoQ{cTi-a?7W;VreHOSW2Tb>=7Qdafim8P}C< z{^$)nG!55O$>74VF|;MYbvMu#k!%ZMWgbTv-s25#=j+p>?c39)Sgz)~ZSQLe!NG&O zv`@RIueX4UGfEzmwO7hVwHXtOK5cF7%@02o1)DS>t+k40TQ2~k_8&FeGs zM3KbhHO{MQJo$kB^EDQ$uAQ80%uMI3ls zv!15<_h*auRIb>~e~aa_G!TC9$(&45ID=CL-9|gRu~D(YoYwB3k7PIJUn2LinKf(n z9E_ilrL;`An8*@s;&oS^D_eR=PFpXB&LaY3!|BQTfgg-_)^yZWyQ}~ z%#(R-m2bZLXhwLRVAvZ7!Bo6bFI|T<_-r;-h2MCCW63C^q>^Qu?iXUbl>}?4Zo$S? 
zb?VKga>=e*T+}F38t?waBVRLQ+Em4Sm;o93Ktl`}3ZJ&-rk7TzrHkP$DwRxS(O!lKZbgBUJsH0ZY`K~Qh0%~g^#wh*V>ZWJ@ zZoG&}O64l*I8QCCYkfd2KY6-L)!dNy@XrWAT!~HPvnKxqzQxI_~NW8!YRMYaiXvPfvBn)ypwmv-M#$s zD5uQF(%@Mf%=d}$-xl|lf|0QVpv)T>2#U?2?0o%9?Tgc&;buCoAy7=3VCpqhZJLy) zI4f8aSBbg|qKuJakXjLTIefQUXH$~?vV;xiL7trRQUV7A*Q`T&h3QDm+;kIPC0uqp z`eG;dNy`?SJ;>8eIfE0M;NC^&ONoYISmzrK8dPz+ah~zgSSL8QVpS%ip!{4hnOZ(e z!b+dAs;CQ=XLq?3tho^T`Rs7W@d;g$b5<1sTzoh+V^=N zBYDl_rh@TDblr)S$(+74UG~prA?KKk7Y~`$tzXYlcF-H*ZKan8L$Del#(4d@>r^-Y zB9ytLU#^0T>-3#d-{QK|FSjiDhgdb;%3rA(jXkSDuyjr@5O7G$?U&^p3+zmm%R~*pq@VYjEaa^A%|xgS@orP%nv0b8;3r;S zA^Z-s3xb%*f2h#(hsAeep7~Lf zq#g<31y=UvH6P863#~94nsJk7d5uM#&4r_N7q3Rkfv*#3L`|vtU#?7Ucnapq z5u0eoQ9R)sd+-k!%kj4fEXpa_G?L?KoIrz9#{X!WvxGFmsa;cy`=3J`!quxe4~mX;Db8WH^Iz-cpHRU2M-Vo1-~qZyGbR?<=;^({@~l z)Hpjj;PYbc<3<*&j9Kc+Dw@8Y%adj}rxHX)P$;kHb|R5xX=> zeCLC0_HBorg$EH9{FHYiF06w!DBQ%JuErf&n|ygPRb_8X>kSXW_v=+9N?ZoM%c*K;|MLJv^tQH5F?D|?r&>BS1x_LR zNW|<}SiJVlw@n=_t;}I`jMs|gAP9JG`&Htx!M5AzQJBiRE#K=NzgV3fl?WSTQERp40ERt zPY4b?I}Hw?o2^@IxV}EbA4DvRzj9Al9R6Z6uVv|QYi(K8iK#=E)>%7|l&z*U1;{Ex z4U>>_^*<{c5yp_o$`hDR2Y>g?5-O#x!qS`rk2!Zr+8kk8y1Dl$*o08?s51w}%CII@h9Exw z>naR)b@$4vI&?f8V&r7b3QL5Pk7{xL5z-#+bssz$taXG;QZ1RHe_!m9!j%Ye7< zs75cEtUln&g4kUMpejHAz7=J>Oq*196H(DDoo>VJ;F%6^=+7l=hK!bZmuo9nf;qSE zMhtGl?=JZ3V7q~A>~bH$V{taEs<$xf$@8&>w}oADq7^;rywuwMhjPW;Rop0j42~!L>1F^WfTrqRORS=3@;=BK#QIU(8X^w!E`3D-M zN#eUlaiRm|j_k(a?16KlqNRRxcxM*kP}yG2TR)jhc}Vj}tSMnJ4ErrGn<@kyLuiJDAgU4`+g54s$xWsV>cmS_n>GnM|+zjkkLt~sk zE`-Q)Dut_-^RIrpK981`%25Zl-gMVLK_O4>ib+b|D-c4{O-bsrl<)Nc@|B2S7nu=b zU$ar8!q5Fs%iQyU@-RBo7-y^Q z^-#ytlE=l)`OVfv#`SeH5|7~16~LwB(bm=7$hX;-cd9&kWUq~vzy40)f z&BMcEQQf;BLN6+`-Mh7ZcrE&Dou0ceg}z50&bzz_Kf5SOBxvZZs5okV!7u17hxr*t zTXTUOhX+B6pB;G&Ha|7xVC88q?`}jc@5&tW*EWZFeP$hJ*C=|j`Ie2umTC^qFZR*L zbH52GvH!qnO^>^HQ#!2ssO-LRYaE3bdi>P1 zBGk&yxwNkjQ;lKu_|YzEY!fY}$V#3X&f`@_r|MH<_I|rf7w2d(HVn%En)i~7ic)=O z5jZTHs-mbk$MMUlVV~q5j8=g~PoFZ2d}kZ<@Hloh-x@e)q!vp^Ys9MN8y18}NT5IM z{8FG}+29jr^!0f+FopovbpJbFDEdk=eyg}GF&#IkQ}vkmdaU*Ra6+l)>-=^Q)es~a 
z`-5V#O~dNM_p

of@-sYgNC= zgUm!^!5cJzm|@Iqo&Bb*q39{W6xeDLDlxW?FBG1k;y$V9uEK^JWZB@k{W(}pok9yr z^Hla2tM?bM3^V;P-Nu(yN?7&!efoNpgc1!)qfM~$fPewVsluz8Vs=B3hIW~v*o&%iLD{PsDA}b9LgO^6nmeHPHs+3nVkt9z zmE$y%x;3l8+==i<@&faN@;4gG!`@D1pjGo@2Rv#8g%!Qn@}l3PQd%eejj zv^wgj?bqMWxdG;3Jv9a$Ky5L;IJcA`x(b?um<7lEfiPl09sXyOmfuQG1#aOw1l%cP z1V@x|R$a>>t`vu`a$z`gZLQBW^#1KR-F+;_bqU;kt-)zb;Cv7wG&V6GNsQ6!B^d|L}iahA3AoAR(a?{Ff zg}$`$dejGC$ROUib>ic!jUosB0W5Cr$bmWOo7qFsF`B^frr-d|2;q~GGsus#UXBps zO_qI#Mc`ugs|Sz?Hf?0(Oear_p$juEAN|cc|3wv$g;QQP<>sBh2;Tvk1^9FK3?!)$ z6`@rF*4)wo{b1jqa5h}TZ}uM0RAl~*Q>hTL^*geQhjc19y>^HZ(-(ROp?5VvWz8?| zFK$MgOCSf%EzT2^7m1+fE=qlq6{D9YDfj%k6BL}k2t{#IGgv7pIeH>M`d{d&!O9U} zNpqlFNtU~V`x#K^@r@BKf@NFchSHX!?-4h{lf>1o|>8zqKewEfRLTl#VP+akBjBtW>{iZ9vZNf#0oLbXeln>`bI z%wg`W(xsZ3CSD%(4`AZWLSZAAEvhA>c?4%h4Gqz;FH!Fwt71wNJZ{RVI{s_^+>nu~ z9vlv$4KlNibK*`k**Y~z;BvK=P5BI6zuC+aY5lBPsJZ9RBk}HXr}DJl#1i2C#iKg2 zi<2Av;gg{F%od09l8!n}ix|hW$E?$rab-C%tsk5bwkFS@A$@P*%{+%Ea>ENHE7?Ex zjFU9scjEhFp{VU4NRn0kEr`6nf^@E&eUe#Dmd6f-KRU=HDtfg%xz%@Qe3rhyN*Il= z`z;DpIqmrr6?C@FeE9grB>YbS(LcVe4EBA|RK1CNl6&ftOruRDsmh>rP*hb;F~}gE zDMafPRmpFMWl2;vvrNc^oyGnMU=+vwYtq-t(V@lLo6|`yuzNvZOi#(tSSab299|K7_L?#)_mKJ*5zf_aVZRg!-4fLt!glf-$ zH-U$BVbEq=X$suiTl4(V$%f$pHCV*5TE3pRsLCv8oG-vb`dwbkmuU1ZbKdRjcAL`-W%ZWO7#+Z+YgAWiJ7cg+??! 
z*sdFu)0G1VtCi+ri3N4@D5!e@Vsud9TaZkBHeSwUK+4pEP^-m(V51m@TtJ+rW=z3DoWfU(Frr!9MK3 zcARrI5^O#lj(6qN?2TUCM(riTZatN+7Nmo1w}is!i;tw$zwWR9m#?`%lFP z@yJ5|NO4T>t-e7%QUiyaA1<)M$%qtM80bNv#AXmMC!%PK9ILOWUb!ZkHtc_r-sv>W z%deY(8i|m$M%@Jowdd`58*N}uc%F`y7vyGbqo zDV>0##KOQlsU^_4`7tLLo!dK1_TJ#j1lKw%Dv~5uJ78oa?SJ>Sfx<+uKNb&mvd<05 zQwiLPq!Sojie_glU-nM%nljN;`!kVFG()>K-4<)9`{kf_!1jl#+B79Dnkp7Ct`S?l zt%|=yf{6dK)gV#oChXrx;F~aXS4(sH<{2s<@e}R-dD^$>WOAt&0e0bcllG| zfnODKWdvpWCEc^btTdjDmvA_LDWi)@`Oe%v$qf4@Z71p zaU|cju)e+j)9s<&RxaTMag2lxmuIFP3T3VTqx1eD1@j2mz{Ec^4)aYPNMQeE57^I&qBCJQ7(Nv0L?!O7H(FU zXQ{ac(k55oO{F}W;xD=L6(R&%60`>Mox7F2{k@1Qt7o>%Q#74@9p}J{IGS$7CH3$k zUP>2F%PZ6$=*L#3(M^&>n6+o$zD(2p<78MYjCn9$>rZl({|4d_X=iJI3oAU z#^qJXq=8ZugLtQ!P|BawlZk4fm34@#fhbe_L-&3vd2;CL$`rs3Z;)e|k-}5Xh{lyR zpXUc)_ptX;&QXMlw@ozI-P-W^Dd`Vf4#UV0ctNePQVXe-5v)B15noS7x*j1BOQXym zdA*;SbV6Za1|}4cSPBn6JKJG>*tAGqq2Qzw%k-Hhg(?>hAs3i?BLA3FH-tm`#fNJl$rjI%NFxwrswB~VTf;3App$2_T@CK zjt}y`UfOc-zaF>cygB)#}jx|0{pIO8JN#DpB)ob+wy`Y|Zi z)*q=pp`UP`I?!6BMF;}&-=L88oF|$oUUk>pt^$($Df}&M?$VSgAKol|Qj?E;#Jv!0 zG`0R@#YCI6Z>{I^6;zq(Z1C?p05y1L`gbPV`nKWcc5~MDL^`tyiT&o`BLH&6TOuFc(mhF}&e~2N96Po9}qR%T%GP8b-l1J7|cBYm*t5X-~vF z5|rO8EwK@%Ui37t36+$bV8IDE$jq}?LTXcl3|pCxX5de*`VoerhGGjF>>hZbz6cSJ zvXAs9QvuuQFYcBUeN|XbBf|rX4<93xz~;`uh;{bCfi)hWvzospk!`gW;MVBt7yf5~ zYScnQ2Il*Pffh)gH^J@5@!FqlG;O0^h`!kUL)u{8qS#DqYY-Ccyx}}di|!ajnuDOB z^3Z%#ya~5a?8!tZGR;*;W>eN{2_6CqPd{ zmk{g@rp}rY`Z1& zrU@?pNx--%woA@Y&wVWwEi=ZTejr0=;u*%&U60xLJlM~>=69h*>~ey;$*v9elB1>X zn>_eZ(`c_*L#EFA`a8Z}gr>Dm-(FURHjcY&vq{FEc*|PVI$>uuLg4k6YsvPu$M51Y z+e~t39JJ!*g&kjNtJ9k>)N$e)&W_9$D#P7XJI!2)8%-JZE)zBSs{$s9bJ2UL^Uu77 zX;kzQM|6BJ+z_N+@qL8>U%q_du~}ZXeQCN`FE=$+O6n@3J#KD&9*4^iwB*<~x%axw z-#m$S=6Dz1MyP^13Es21)VmCB)ps8z4n~S0Im~uClE}T%o%h_zv1m!ZwIIyGH(JXT zb>JV07yKmQfmYli_yf6cu_R?Mn7(rID5!^(E&|rCbA)QB9R0#={Tvm67R;qVoBmfOen*<>i0_OidXb~q~D1yIut)E5mQ2FEV zO24DnmxD%iO?kQV@#@=U-FIU*lc6Tes~{pie#VEvQ_V8UgsmOsz@3Np+~nLJVACMi zpH$X;V#z>|3s0bDb^O{zaf~Mxj8Dte!yWKG#}A_9hic;87ioBwIgqgkBJbT{lSgO> 
z%uHd>lb2dBL&qCq=CzMg&;5c%x$JU)aX7!XO`r8Zw zgwky8OB|2-_|=6F9|Q$b3>`{~%B*K#jnhm>NQ^Dt+3~8&MGEJ*{jcwNwtICO?!f8x z%({k*x=A_@+6U;(0EY;EhL3dycGBPtqE(#!myb%Z_j;A+ za#Feb;vqil#>Z3OgG!~zl@>t9uzA3Mi+ffz4q{%5ZOk@-=*=&zQm7i;$_K$oHA)T# z-PZMiYpLe%2S(mNY2J3U;2Rx3^7}Hy1f26+y!KsgjzI$+#Xmd6qn|tOlA1tA>Kxv0 z-;d#ju2=Vis9I=U0)iRUZW}M!x!6j^M;l5G5?jHKM_aucL_GN6G{mElN@f}fe5%RY z>bU?-n8-Joa=rv@4l$p00-|?*`mYUtj+TT$j#WOtihF!W66Koz`QK>d#p<6+5 zzr(xw(n!NuT9PHsaeEkqSz;uB;7#J~*UX_|rRCRCOjVJu$qY5U{Ejl~c3C0Kb){3{ z4r%pPjtn0T1eoh4ckhSVXr)YofA^3vx`L;r1@+ADZa0V(^0n7M*8sb0KZmyQtB$j9 zT_BV^qqw)&%EkC{fRlFKDb=Fl<{T5dy$AK?;av)J))`>SfB866O2S8i%K=Vp_H&9Q z=h!pVx!sg|BWWr*64czOhHG4Tc3U3nt~4}++JdgVi17j zRZtj13G8bZbt+5B)9Y(Ys2K;NsT78_0vC<7gZ)1R&P}Dtb)(x};_@e;oFKvV%v`IZ zypu!SD915>YRxPWD8gi)MasZ|jK=9$Ara<0r6Ih`Uut5LK_%l$({I$p;HYKea>DYa zs=kJKr#4Rb&>JBd5?>UV;(dK8*&Dg3O#~7m`c8f^g1qs~V1${VQ1Q9_5&!BkpVb05 zu+$(O=1zU8^xfc!L86IWX7@P6Jt@UpBacV2^_NdSRWk(tIf4>JY%OYkv!c4NaYw&6k_d(Z~{9lq*i!untpC*~oBy z0G+M({oTM_B86RKZa9?A)UITU+>$Fc?-Gm?|H4}_n2+bbx#-T9>WsJV1{ZjwM>ym# zg8Z@op3!G!;>c1CTLq+fF5M+#Ch*TsMD^WL@T5n5f3Mdz-wWAaE+XIlXK?opkZ!XE zUu%4QUU8mJ2C}pL&t4bfVe)wCQK&Pj#lme9-OLin#?R^6<53)U9Fpx;3idwz@ama` z0KFx7IDgxRc{^|Mc-%aERd)QGP?C~h2U6aRZ2gj8!6Z1-JjuNWk{%KNWBd0kAhV4` zR{HWeeiV_oT8QCbFY{lbzC`7 zUDU5qJgOxD<-nHO1IGEb3TUc%yn5t6LfD8}6{2fsW2Itw1J9Ood2qbCQrCbc2@8&;^wt}oi?>| zE3+Cwd=ao@lE}n56in2kk-<0MHrTl2nvs>>_5I!Kz_Ee<_vM-458gr0czUuyE>Zdi zrf0eQ3DD=CqZdncj?R~Lw+J@gZ+#{>HXjl3AH>zBOY>x#eKE_v#J@>y=1!Xe-F6P^ zm^*Cs4o~MIm=8`dfClDs*nMHbua*Xo@kP&{!ldU5}u&PaK! 
zZOmYGM_6Fg;yuH{6^uVv_T|P{ZmaKYt%7f+NT7tz5+>vau?cbHb`D@eZdYxSQ)cz1 z<=&>LgVq}1ck$F`7wILc54B}VFs@uen?q6X)k#1ra15$ae-8!st<(MyZ*~c8ilvu43V$r2%eyM6LAh2f&&+r;yj2rQe z@Lu~>D?8aJOv`_Y^p?9510y27)ifTYL;E&@k5N3(y-v5P(F5&P86q6^HH`DU z-VolMbH-)pf1V^QyTyQJ!Wjr3EG$A`o3_9Oead-eWCtU1LN2Vi@#1^dVO_V%8PE2h zUeEiz=^U~^#?OtYtspyU)ulyCnIV2;e!lI-7?e~{TX|94l~h-~?dwUOs zlx4;IJOn1KtB24Zzg!c>ai$H!^wMNHz9TUPv)~Gtfe1@uYPsjd6@A8nf7pQynS!)W z{>;=zblYYZTAs0y>rz%ZwO-~dYu!A#XTlD9_$e^QIudS^o#R91+nSKFb!s0wEX=jN zKnVsk1iRkAy^?~P!d)|lvf0aM7qYI)F!(*Y4R3x1L@gU`s#(Fy`ECe{-@RWl-s&PemJ$(e$(2z` zswPX=&kwaDhu0PwN%$IpqiaaXeGtb*w+om84NhjPzZN2~u=}|7Ut1Jw@iM9rA%avN*b<`T4*Q4ibfxAmJ#$rd^-730+ciDHS zdF|jPR@P&h+m7w6MQ^f%V6w;uVyLf2i&w9{_kfpX_mu`&KhgM5R2$H>&FC09(Chy8 zDiK|ER8{0tYcD-VQsq31XTb5IoOCc#%|zd|2%=W^ABGO0_s3DhN9>2?A>}U-8)EA< zhNiu}ez{2DFYPez%3j%}+r4kHZ(6+E-0bpke7`X-dB=XF3IO&Gh~haWj^UhV>mXZV z@*M$jf!7BEc#@{1{%^B6+GfNdK|a=8X9*`*XZCgKZHtoeu`>L&nI4)Wa!Y+m!b69% zsHx;DC3&(S+OKCcq{gBO$z+9v)O0Ac?X;r$ym*jw`esnVGz_eURO0gD^b4~=VxeEl z!aQ21E;rh-)V@M1Ol~7?Z>2cNe(+@|g8Me_goNw>bTkFU8UQ-8vGW1LpuBz=?%yZXs)X9BlgV(%@AK@yuF)zR-iJm*rb{Fts9&VpUmj8OzDj-GeLP9W zI*$`d8|%9Vr=Lm6wO!qH#SK;?74uQWg9=4bPx9M|l1eB*%iM$rikNyZGF+&TOMsz9 z3Ly}ku|6;_2?KjNqF{yuqx@Egq3il&(Wayz}d5nS}E zv3jAo5w&`!Mqr}GrWBXrBG6p&kaouG@_XrT+kSj}zloxPS~F>TJ484gbY5PYzG&wZ ztZrc|%2%@Z937RO8>1Dv(c;{=bB>+7CCYON+16S45$IZgrsTgBBn^LYP~>*((aa(L zyi78#d~g)XUFWE95jE=l<_}uhtKT|Y;G};F{NZb@rMN$k+FLtEBFolu1NPImj$`9V^o zA!-W_j;FXF`NQEa{GX2Ww8gNiLa>J$YBInKBaoz-p7!e&%f6k}IXQr0?;VOqO8)u= zYCVo))11Wuc*k1`+#~SyJF7-(J+`*gP$`QGl>6ev zH^CL>+S;)N*Fu5@0RP+)N@J#wNl32lc4t8sk8DAwDqwrsChuqjVny7ZP?!l;m&-cY z`_Mz=O8$hl^_nmyRZwmbm5guiJ@B^5gUlxNYf{;28)G~Y==3lZe7A3 zD(SLwDLk7#xRx|Om6jI5?A01uaZYOQhutVTx9`K>LH9DbjF|6;7yqZW6_G2F^M zw`6lVr1v;sRR*d-z@{ZyqX?`sCZJRI8tLbCeinj^^f_=rF zbq4pIul9Ihf=aVG=G%I6f;Fd{V9=2RFRQTAJeq@JIPQhM=cmin0#o0R{tK^`^;O&| zc0Kb+2GR|coC_QDudCD`2pmeiwB}cE&LP0TYQ6?+UYwFaYie-7Pj~=j@fPEO&21`^ zoRh*G9*?z8>WRq7OOzZu#p7$FlSDX(7U^&D3sT(`y8EQ&eWDFec&mS1YR;<2^EX?pk<5u2-W-&>wQaF5^h8 
zpf_7=I((DvKFxRtizmZQJ<#%_SlPHdlUP6Zo(8t*aS1~5@A$i3i_N7oO~`p>Dlz0P zAvbA2F8N{yIK$_JzY>hNHntUUE6diy2rchNAfzxcwu)H=%^1XW*?>9iD1&fcW$(-O zrC}NERUK1vc>sHt#`vc@ZP3$+Oy*;h-ATAwr zc-}YPtWbFRYNcLLw?eqoc1x=#eB_pmJesfO9)wwrEMlHUED0PVSlcbCwVn83-%*(} z0OIeN>Gb42$$Qv;k_SrafTiIl`6E|6OYf4-F`u|egl9+(hmXvY0V4y&>kXFo;8psx_TsnnhrWKQI=0}#SBGNP(e9cf{IGHgZilj zY=Qzb4;+@xz-&KAY;AiFr3m8?1?XaTqr)CWwj((3(AqLPXt7)@^IyMb?5eD%#op*g z_*A7A$>Y`|pMFm_UK%NKHn^s>Pe;E8Aek5rlemY$LEd+W7qicTO%jl&2|O)f{Dt#H8C|a6bh)E<-0&@X<4%_99Misd)%c<4BJi?^$U2gR4NIB zIl-rk6OTt6Z^5);p~W z6YmarnTT8qbMJy2z3kR0Ot9eM-|dtOd4|d5?^-}i!Mp#gV<*04t0wO#wZ>5r6GK>H zx1!T;8AUk0T0H(6i&2|@@_FSymFo-hG$*u=L5v3|8AD>Enz>?|QYJ(a(^8sfrZ0el zH}2T&;Quw@hVm5l3>}>I46H)9o^mp4Fkigp5T@W-iyC3&EtZ+lz_9ntT_pDGy;-cD z4RGD9(G60u$3+<8jxu^I!Y!ZgTEgQN&-=$Vx*kJPSoXqDTTP?IU))n;p?u%>-^Sxy zSHWwthM&^l%e{R2CU>A-tF&OmD(KI=qtqCB#Z?K(shyt zi+O*#_kS{_Fa9?!MF4(>gh$8(jhK<7MFtUnc-tXcLHzU#co${w+> zyQl>z76Vp_YF)^$YB@V-^1s~H%F09?yWK$@1BQ_0v;C-Jp%FPU{`}v!ZUb*FC);?_ z`SWuY$;D2kJM7GwP`Of)I8U&hehZ>*3cw~~=XE}fHb1HD{P=7c3omm9d5lU;8wH`lM*hob~tk1o?M z@&@qxD+)W`+@j^mpZNT^cEwoqmByX}_#{ry@;0I=xH)6!Uf_wZmu6NEzW>puWuShfD|SmZ-p=czNWY3XQ_?{2R7mTL>5Xj!V;(Ga*==2-hIZZ^i83Y9sT$EO%; z61`5;;|#igGb)3sM%vKwPRKdkQu+Kh80&YIqt^AXr`83!>#B@YDU8nMkQFlwZZnQx zLbPUwDR%RTL!w{30i4@MJ+ilMcC6B^QFc=HDqQ(|mmlZ{>`_Z==F!a!9e&ZLiSj7+ zV%eIuccVbaG>y9fgCZd4%a0s$d(Pp~_rEy^j-`ONWYsL?DiKdCg_iUOmulG>=kj)x zxjdBQw1xlcRjvvXI8yX7IWU0Wm4f16TvYc3*8QQpp!A%^HO9O#*@HV|piKEJLIQlk z6MEBnOzo!8UH*5VEJcm6$Ge`bvUOHMh7R#8mjVpU2LUPTxte4wKcMX8Zyf5uBa>|{|FNxSj_AeQ?eNENKNE)v;?R)1Y5dM>tb z4&Jn|)H*M2<79ex>M+W~{kTB*$ZkcQuD>-Pvt){Jf7M+;6oWA7p~hb1C|8rz6dQZY zF~_$js5Je2@9V5H;PYP9A&uk73eE6bTQOQmVAmvIq*e+8Q#{s#U)O2#0?qWo2SFp! 
zUxK4YbY!g@{yV<24}yGsszA$U-7jRr;a59&c+V&6-Doro!xYL!NzNa0m!eToTB&DI z~+Q#wE5Lv5MT?@zTZ*#jlcF z>kKOND&&F8-YO$MA~^Z*gQsPEC?_#wWe0LSPVUS0IOmvHgk9Q^y>_CCuA#Ro@gu zJGm>zIcNdtE|Mok5S0GaLPS(dQH&;%5d*7SVm(voxdmn7`~T;@kM}gDBOEJ$(W(7m zKW_QY0jg8fSQWeNy*nJmr1APWSUbBc&#s^62=DfG-o7vU8^1)&F*aZPUiupmD}#D#`{-P%w%EQ6s?A%J<7d3K-%PeG&X@S!iLb|4#N58Wb=}o2 zd9Nq_OnTdCN1dR`|CUKi(<3+@#-1-yNXcM6%dQQl!WSK zDx(4g{R71TYLL$%gC-lN5z?IzDTSmws5t!AnE)?)^}&`=YgZ&^5*M!0DMWxLF^>{( z0x6zh6$IP#6|1MgTPe5rWv)qfLNT{IyR~-a?ge3UeS{bVEgt8fz{a^sOG%E-c45I! zaSVGmIok{;;M^Uco!rAtbDBdw4%LYW84p=Z^6*&lG8c)zw(oi)CGbgz`fPUdbFCbY z+w|tfqs=!N!DF&Y^Ij39Do1gfhXi|wMJaVks2Ek1Z4%KKAS7CLzh_PFn=q1tJ~mlu zm;LXEhAI@3z$2RecSJ>s1FRs1DtB_G9-#>)=da9mB zA*L958L6gm4A9^9L#b7)Gj{!|il3L)2}`Jh_1V15e63S#V3st6puBl<6}%5igf&*M zUqvt-KwQezE5>TfHNqTUz`oip$$senOa(JR_)nS=_l*#zBUnO#(xkZ151apUAci+X zA-85Zy~VS)fNv)nbXpDlo4+?j_5R2AR+ku8?*+r0Hyh>o=lp8ZjhNAP@mYKda=i3q z(%|qmzRv;IxQ$j3ZL=;~{P-^m4}8-d1fCt&ZLd295fA38FE>|Msw}HV#cqlWHy4|0 z2Y9;@VfSSBV#lJ^9BI)(Op1fzLG*PfE|)QUvQJGjr$l)*k_?rY8W zbRTB+ABoO0Nqm6>WxqX_l;mMg1NiQZ(s=Qc@jvDp!~0 zNz6eki~q1N=$=s(PyiNz0zfB#!m>#0v-n&QT*MB9Kqj6ehrBjmta6Y{ZN<9+4+Cf< z!6#jPdr!r4uNLOzTX%IlCzHHOkl*-u$1{K4wvA)rMTqA=vxshJj@?$_Ob0mL_U3qq zoIrJ0N8|r~b>vrYE)NP~kKi%x^7)gklA}PLT`rZ(ac(6@s%b^ zQu>hDm9*gF@*q8&}uc-L~O zhUr(%d;6yNoX2!K$6}0=)(IQG9Ziz^Sa&vk3i|c33*o*DI@bb>R2VjiEp-K|gb9{d zS!vpiu@ZVq7c5AS^2A@7##wVynX(oyE~Bo(n~G-{teVQt*sgAKr9GH!E>)zc*0&J5 zLL8qGCGw7Wayl^nIJW4l{W>vq&d~Z949`B26^}gIrZ>M>Pv%Rk{?_@6b&1LQ8V_Ju zO;tAddDrKz-bZO%_p*Nf$oFlE*01hWyd@{Cc)#v>(&3db;#Z%?yYU^t(_$z1b;fi7 z?)3!Q_0Ey?&CZ|WxH_b|ZdKG1?M-vmkQ%EbmgcKGqf(Pl4w?rSPGyT$a-@>or+mz{ zQ^WpillSlrjEcSs*o>)cKt*|?UuN=4GF*NPPJ7**?aOhIS9&h?bz1@G&O%)wyq{J+ zwY#l|S{aY!EjOLM4j%3_q$xe`ZX0A((r+z5H@_c;+{Hxtog)StH5!%ATG|~L`)`lK zr4sJw2J#}htiDkE4)TmZxobk8X!i{KiT0LtOR?2;j48>&*(5K^Oh9$=VNJo4B^8;^ z7Gsz>A0hvOB&Kf(Uj6x>Kg#O+r&i>ek#l;+`;c?;M&>}B2`$?TA|I+?>b~W@g`z3^ z!Vc(HF~eaL!7*auXUn^-5?Vb=Ay~^zTA#f|%OswJeL)2+`5@Zf4+-634UPC)a+M&1 
zsXk8hURlZ&=b;!mYqw5QSv&Bl*%qkgr=E@Rn*8@~J!La3{WsUn$nR9xaoE1s;&%sd+u1lMh!$aB;1l?#3(+kY zH(otfO*`cXZaH>IHXUUqTX}SbyD}x?s0G)o9*{9{GKA?SrWiroRpQu%Bf=Cy#ubBn z9j8$llB&kZkC&LK7a(Ims|rkX2XSi$Zul#vS{#|EMCcNz$CQt6ZTBWEKN*m>trA$! z!=@rTJuknY^>*Pb*kHRClcRi>x2czU7;;GRT|c`UJug;ib8(AzEy`0$CaW4|QQqBc z^k@2H`bo6C98#;<+T;)aXF!9@LFD=jzOmwJ9xX;%M$gDRCt4rq>oEsGR}6#P0CJ(W zuH^Wz1YfKCf?!jmM>Vj%6kv(1PGj(h_m zmc~i_)sP!d4MK+8@G=WBfhjs18`luxse0E!Zdsj4q>kmiAuB&`~OiK%{XEfUO)!<$% z>913M)p>U&O{$&&|K$h(AdX9Z2D)r8M}RPwIyX^d6+69?0c})?T3nJ$4Cmt7^rW#x z?PCb;n#KRNLH%s5WJA>EiQk_)=bpZ$-5@Pw?fWt9+sD_38WC zDa+5;`ve#&zKad($H#NVY02EET_t^ZiJdz5HM?2mx_a1{ zH+se}ISUlKSnX{!-0pYI zJjqudsVc~e##bOv+c4f(REwBCO`yI)dd}zvVK7>LOx)6)TniO}!TzO}LdunbXfL`-s#~Oi>qpnh`k-F%5f+YS zKiL2gmNH>c$Qf{K1T=`3N4Y*}H#s>uw7N(>A%Ej$BwOO%o0dvgjNe>IgGk=i8XDvQ z!LreUuKJ=H9%vNxP-Q4#Sd1uZH=&UZHSki#3!A*{|G%QI@WFO8Y>GIQ4%iq9_FhfT zr>qB#?X(YXqDQV>d>DYWvlZpfHJN_LPiy-_uA3Jvs$hm+k-s`ebh$L{9^THILQLA3 zOyXY1fZ;Om!xBvR5fJNXEwOAjp&kBCToLmxedB%6Cqm$d&D*tHz@mzfL8GKW2`inG zA%dEHr!&=&Oj9NM}Iv3EiskxWwwgjl{k5Ur*8Vd4pCXEpqi zfCsM>D)ISxS}dj@PwMW#9fE(G2hg~mH1NrI;WX_7bD69L zfJ&)`tJWcg|B%60VBNBD0l6kCuC6dd5{G6|R6|~4X>ndtoYfZ|e^vEU>kSBOyXu$z)3W_AW<+^!14pjZ~ z`KnEd3_j+J5a-8zT=h3rTPKHty{T0IcPJyiU)%@y@`NXAY_*pl0;e%UU+n>c->vB`r_}sAKO;&Dk)4XPL@=N%pD_#Dq?6p^~(Nvtt z_c6&MaUcND`R38(t#*hP8jLTfCzVchK4~O_B$A=lC|bs>f~rvsnx9y4XA0%0u?+cF z_nJo)*{>}rafAc+M*@sE3Xt z^3jX$Nzxua_`!k2c@Lki?fIutTZLU^T7^xsN1jj!X}n=xZ4rn5Y`hl#?fS`pD??z| zgD{~AC`-O&(P36i-L_2`hb8JU*9jiK3OhE|7wLz+6=I%$U^I$w;O4(h+hv-BI^4W8 zziZhvU61Zxk?f` zrn2mIijpE33;FJ9mV+hzsW3fK`F@TV8Zgj*$t<%n?SE})CI}>R+N}tjS^oe?YPtR5L(9HqYfG34Ul&Q8v>7-IS_0DYSu(d?=xe#PUp`xXJugl zdqT;+pN#P9@iiH;oT`r{@_YX(fax>UR!0EZ7F(4zo3gCzvmgho()cJlz|*}{&XR5m6$M{HohJ}T8%ggAg7`kRa8?2pTRdS+Ek@SySF9zNSpr8QW@=r zk`J(nB;*P144LGcG4JfeL2rdavT$+@)KY=$B#qUniJ`+iY< zN|OJq^lr3@l8!Jn7B=a`4+<&ZHv{k)A{(oEYEt8`s3o$~o)U^pT@4E$r;E6%rz~W< ziHCj`gmP-4G@%Lp@leBk#1bG8grWi;%SL1rMWLjWq>u(g{lg6{NKJ3s za^2rW6&2;ch6w-OV$7-Aq?Qp)U7G%KXcFr00-D1Xf%fqx?#pwG;4(-Hx8MGU4@i`q 
zSiN_!(>tdK?Ta}TXE8e6_UJq2ubs!i+Nj|Mv+rK4*CZSLlAMrcqm~{v)Fl73- zk;?@QK`hA+mqECyhRT*tKVc$*Mb;)M4+q% zd=^wC+$$Cd)@FkYXm(u=ilsoEud^Z0a5B2Qt_05&TU3+uIv1`DID{qCau#AfRCWW} zLRZ6blU4y2e}aEC{rN0ERafHN)`UVek)wINI2l&e2+|Ryg`-VX)rj_7%>!E!YW?|t zeP7Jl;?5LRd96S?m^K1Ii3!fr`s?blyl;!|F6~=A)1Dw{b)~k`Avr^ewyxs zdw=SNwXw?|{NYhEHX+0}3o~?uv|CShS)f%AxxB5|ftw3#Y<2SliV(pIZlb1CvC z+RmDbe>E0nfrF!qTFavgp#Tvk0Xy;!V1Yi1s1!E4Ho5nwS7pjO+`6aPq8tlljigT= z3>O|juiJ_170q~}?L3tyVSEC>zGFYo-b=Dxs3Dv3q2Hw*5$GB)Ps(l~d}vJIKSJs< z4KfAg8eBHAQN?JKa}-8J1<8nFy_OVEW{o(Azg~^9TXD~LQDHCWQ&@ptSa^HrW{bn3 zkM`QI##8AE=lv^U?#+#0-LcP-mj=HW)^nNgo!i$CH2ZB1#II*fs(%{)0N?wkq`C%kdcryX8I`kWV*0jV;{QnhU0$VM z^kw3^amQZ7h6_ZIPjvKX8`tFLfR9o-Mm1V=FA9cdmyH%|zh%9FU!yV^oYcIDI~5pH z74uBqXDIQlrC2YAttTq+=5bTrVyJAT=c4Z7DiSe{jOgU&mr@OI_Jv(95{&69{u8!* zC~=h(U11drY|?0Q^6(R4dVDItv+HY5-Y=4sYW}j+d_#&mESrQ6{9WBM%|GEpC3b69 zrFQ?w_7{C~olnxcwSKJh`?Zwu0D+=LB@s)le4bI{#07Ju!*~_I&vFA64eWn}hFy&N zVZ0do14w9=wXm7y&`mB=o#~M!o7L#qDg};#+fvPLql_Rnr)>zVuXRoHQ@;fZFy4#Z z3cE06OazBl8OW{@EuuFUT1zdcL=KxoT`v7Cs26t0uMhiQJ<+HxIv7aT;Q#14E;ly? z?!)msSQ5g2o^4dt`PMh9#)hBu)c0PC*CWezY3U07{thIrr8zraI8s>}6YLWH5Ir=pFWj`-Ai?!WTU0vYUrd(|b727xE!fcTSK9$8p zNFRmg<(Kng%qKVpb!H6_jH^Im&<{;$(|^5fKaYV*w7n#ZXyE=ni`~WA>Y? ztati!ligfS(@*34kl7D97?use7d|g8Z@cg78~Bqla*D}t7tfSQNAX{UH7GH!B!i5F zmaT*Q|CIjpY80k~y1qpCC%i)OUEIriczbH3)S4T<&K|gT`MmseXk6~if_~}ZVx=qH z@4Hwli0xK3xA-PSMoo%Jm(JV?E2(EvO7+QN6!j?#XF=jGVk6mcVU1sAV~x)f)G-xp zYyDs#KPM6FV+zKEB#0>hWq@^EMfYXlmkK+ZP<@Lj*sp@J8_#A`IAkB5|3}qV2G!Yf zT~mrvpt!rcQ{3IXxDnftTEnBZRa&*VCZ(;tGQ`NFtHL{tT!2yQr~cM8Q>|=%l%3Iv-k@ z)!?E3r?cQ9cz{KJ9$9yyvjxVlrhS<~!+E)(0lwkCiVs~`THjvj#pdt3FTdA0IeI(o z8!{R;QD4n*Qop`rZ3;uMVP0l+w~KjcdIC#IH3yI_=ix3I#GyU?^oRoN>0hTUw~Plh#fzkF$A9M_4Z2NuKM=u6IG#pcaGpk{(M5|kwq&1^gx9*#@b}UE-7Ts6e>%)= zo7GuUGurlWQKB=p_8mj~a8L`t^pZog7WL9Z1+uGw`6flIvhGoRRAW4OeI!M6DhszS zXegH$@TR6y3TNdGwa>YY zJMk@Pu#$^eX6mg1uSE< z$!Xh`D8~{N+abvhqO)~#w)V-@^0B;Z7+)MU6R7@7@(Q_3aSVD??!%)=N}`$09_E(F z6dMf@g+a40#!NSw?cFsp&D%d~_GM>~@7iLJPslI55iXVDBb*%3q-B?rn5FAX1Gk$? 
zSr4++vV<;1|Ap3cpLm@@+rb*m7yA02uvOQ-eR+uI zWZ(9kG#M%X%w`&dhHUI(=+sKcoER6~Gar5iUm5;w{c=U^{#iZf7vi{7gZX&hG8CaF zrvY|9tE0v>uo>?yO1F`Z7iZP|_!2{<=NN;TxDJaZ(ALSkNSXt`Z#8 zgMX(_!w#k8krkx{=n0q_DQyh|I*c>Q!;d%- z>j?U{ZKzfN%Ps-qxOc!72epbc$ekAd*>E%xv4Ap^oZ|SRPAVaz)M6$%j{R=>g)#kR zx_8&8#zm|mO;@M_8;gXFmsz0#yZxbv`PhTwc|GJRGgw@D4>B$VcEGk7&JiP1_{Ltp zul2}C5gcw$;Wp$(zzQA5o-%ijhpkqI6I@ADtKG86WC9jEuOt`q zIP*iqDn~b2R}-b=4y@lq`oqsjO}`%o^QDdD=I%RM-QdtY?uIs#Bcd=ZTqr^7A@j^X zov^pZ8>*(l9+&Z0rDltvGaLYSWAK?PVbnCG^c`4Odme}F4F|}vyy3xdG#qWgEA8=~ z1P&-&R))_Wz{f&(=jY>BQW}0P09<4~b=HplRL?|>X27PnEIe9Gsj58Zz}Z_i^By~e zI4vljZnK1Bu&Q15@;D=I40x)O;S#{#N3QFrLR{rdcc_Df?e{2#mUUTSe(Uw!NT?st z(_6k;7>sae!&=FkBvDWwpO+h0WzOwcODhg6u*n>EuKW6FNJm|3?gRn&6km0FdbQl zc3UuPne*1W9n9Iw7RY#3idcMHW0U##$5B)VlbspdWQpL8E)bZ}X#K8CAXtK<5Sv6n zZ5u*meeWO80WAPuXy)_oOrhCLvs_u^nfXJ6tUSs{PXsr8_ZZ-xIh#4*Y{?~mYfeBe zK6JrHuLH+f@0*M!W$GA<`(skgMQ?_K!#;lEAXqWUDS}30-BL**Y@?hD3`Z3Z zbdOyo9IUUEe}=R+}6c#vU#-k2ex4Xxw&HFplDP=fwjO9i8vsT6bQ zO88mZD=wh#{(Xr%4MprfZ+v+Je2asFw~vIx&xqM@%q8301JsA*pWd6?8k1nMkH}KmDQe&6Cc2pSYme!g=Y9}xZ`{?sr?FkN=sl) zlWXww0Wt#^JeheY#D7Tkb~{M+7L67w$~2Zx-C>PwDyu)wlqV?#%LTp&N1O1PPE|>@ z0DrQHkMTcBPcPr%W+pY%t)E}|0N)JQvqGF6H~ymO1XsvZR}Bqcl4l9uN_15JVTZl_kDYh)lZKjaV^+lI|H9~8lB{S;5(cP=;q??BsRcPT>$wl z^8(;r2#=OLS)KGFzWK_~!i-;KHl|^WsN`Z^Sy+6owK^y|%KczG-sfX@+*^H1O>qI7 zkIC^&{6mb(wB;I?SUVrvXX1`-JduWtYI1)*rt>|=ecP=eWb--A#dNLD`#VJAMFLB1 zqj8aHoi;$Ptcn%pm)yEnn<7&dO-A?APD#g&kY})o{J~9XR!&-g{I1}lyU+5 zkn6X*-x2vT48nUD&?;!bRH@lHriQ0Rq$R0EWfz$ui$B^NAwrk*|MFgPn2#oxP-u_9{_-gev~zx9A`ocR_R(tw&Rw~d z^0m-&h^)A9=N#=6Uz+!v&${8*yTrWxMS|B$zBS3D#-@s@@$MRPgmvE>W*)y)Q1Kil zMp;EwQKO{p;z;78Q|Atx_3i)oN!9cYi}x_8Z@&rbPPk;Q@trOYRtJcG49W9)perZ+ zTsj$_h{&qq+cGx5=}v=r{yS4_0ex?TH6QHO%#0o(FWyfri6#npl^qi_oz~gDJ4WiN z&4UUW7de*{q{Fa@1S+3ZNX%3u&Sc{2KDsZ#joSW?Mzhw`WBql|7789|z^pH@%89@^A=iO%xq%wKD%l2W;V_@a8q73oXyEJ^VTg*I*Px|(+JAsFRw{QHCc3* zxkcmt{_gW_H~2ZUdLu0~;m>}|c?ne8BRrmbAy7?>0MaN?6$N8NMS7!O3qL`tD^ZeE z)UIk0{YR|Sl`s4Bm-w0u_$F2sUP-754~Jyb(Uk&nhke;Qo%N#XHK3S=GH0!? 
zf6?BKPe4#E)Aqc%>?I1E!@NqF$$47@K0CL%db!IPydD~=T&b^%$$bOA z-D6J1`679g4-Rj9b7MSntaO{)Eb!S}yUl}Rh5K&8tcsnIqccd@mp(+r;A zFA0*CPB!&pyJ)JAX>?Pc(Kk1thb>P=jb*5iRzc}D7Sc-*+)f>kQ}`}KMtoMglZ7;W zy511R`o?cU8FsGeN}34|3vBH9L|a{=mg&}Mihp@U7TD>EKQ`lGaKww{UHjD% zff52Y)U*~hl&D-)Ngsc6gZ&?Wlf83DsB>XZ2nr5q-~;mYXQK10r(f$<4PpZ0lj>V$ z&j^}d8dR*|lo)36mo=+y7K_H0kGqG!H_=gQ7uu}sKm75F>_4Py`B096e^BvAg&9^% z$*I|i;LCc`rQ;CtA4J-xlKKvBNuj60{cihjfr_CEhf+G)7JZ#-IH8A1$qjmAF~|vGXobJ3mE58(h^yjgV}RL zox+G25l@17!%@<0aV?brpZUI|Md@=mXs&W*vERpG(y$|V>oY!wt-y@`k>i9>y)KSD zh7@qec^DJdp(`8}Cq=^HJbqUd1?7_Xc=i!nDkQ#?E>4U0NT#rHtPfd-A2*v#roK3TLz7RF>#y+gg5j5FyI#T(>__dH6tz*h3 zU~TgYst`;gs`H<9qoVBWwx-cjgc{6qrIplR^T@&wRgU9|Ma>Ro&0oE>=A&lvexeOD zntormU=*Abmi9ntPGAh5QaWBjOpBXF0Z-F$Lm1P=30%6Gtni}q5k5vwJ7)i`Fb*f% z8&M2w-Y{rG1juQ2_iMGfuFcDfH4_7|Bb^+Xmk9m*VkU{PHXF{6l-qN`LT z!k7R0yeDZ8_t{e|J>X=Vfgy(Rl%gScz*&!5hwE~)g-21Gi4s9R*I}K?MhfL*>i$RB z1BcE)&NGZeY@Cp$R<4!y62Pvy-QuUTn#O`}qZ}2mG;jzVE6Kk{t@1bjC}v6GDwb72 zUMy(w9%N7Q{B9h|1hU|7eF`x~V3eXLyI@~YCtg@UrF!0HLm2T{3`@3x5DqA(BE-OZ zfd$FVt~EN!&2LKjGonq2C(fMV2JDoR!pyAxu(&ZU?UMcE6k`nY9I_V`25-;@RDXO0 zFx2RkqrYMh19Q@eM^zOa1QR%U$x7V?P6;jMOP)8Six|%+p|G74+9Ho>ke>ttMRWEq zR-pVl*nNn#w+-l)7wP3Reet*?!epesREkF*_WUOYHb z>L@G1B+iha4U3wFQS3~WbuXeX!iyHNIijD(NV5()z5>>?q_ju?8-@iEWkHrfx` zHI%G0=uc|-@Y=VtKW4u@MbYCLn__f1c8`uOWJa{u7HEHA=cE#}!L~4E-XC3?#1T| zdLp~7`2Z-hrk&$S$O9bQd_W-i=WXUyRdkp?auNt}EC^i&OZq{(C_yS)l=lY(EwZwF z-{*p-L~23oTmOwoJ?(!3FtLcC0|$Tw4q#%6?3A6ofqQZ|$#|{z-8s$rX^mvc4xV<3pMVmZ%o%(>qO7An(9djII};P@!D%R=7nqBJRL)xDT%O?LE31 z@x3cXE!IMu255&|b_<6XJ#0ZvIG52^ealrHpS6Bd&v<=IIAmh>*S#BeyqES`z4 zbL6;l>v8*j8Gadf&m_#Z5smTnirt`rh;{a)+I#bjIerLL%Mp`?n3Y6Db^{RCupcL_tQknZ{?#*EV)!{)k6fMv0>g3T*0Y<;_fr_QoN>^afs0 z30qV{^5)kXt&Syb-V()gkrj`Q3TVTZjWnbm2_26UhdrZ{+Z5n4D;kQ#it+(BXGyug zvQUS?5|%+=#((%oz`%ZazdaBoIJ(Dfu)4>9=beOAp$YS8&5oxSU5pVPz~QOrmizk4 z0s+dZMYP-hIK^@GckIsu)%p04>`Uu&n81v1%=o0oeF1dXQ_BC0QMA!!3NTb96F>SHMk38tz7045 z8R7UhDK2*V@f$4rap0s*7!<}apR_-5y_Dh229=lTdS4TyU97v4Htr61V-{eD8vM*o 
zE1Ny*EGiyy!g!L;ok)ZlGIO(5BMI0|+eF9fp>0gC`Ll{tjh$CxELl@8fVT3nLTybs z&fkVhe653xFwn~Rqb0GD!Z*G_MHGth*IERlFlA$9@{*5Vd?;z;|J`#ZhfvBh7EsE- z6I#75{KNcViywdK%SeY)7rr?aYT8!kd=N)Ea>R{ZH=An8@6%4f+2CiW(#Gi(7=^!z zFh-BiJhgjWmVeRAK~({{d1^h9sL0d}{hL73@8%MY3BVl;EZ6%w#I$jC1J|MZzje6d zR9M7xfwb`oS5OpG`5tMdQ@N{_uIRF?JztPImc%3Wl6giVoBEuR0bREBsUsZ&ucK?|m*fhfYFAJd$_!V;UOgKXK7_RU#4J!}rbD5Um<1ZgGE`-V@;qXYR~7p2O1kvP z-IA`%-U1$-fse>4>6>BrkWNwb9 z?5~{9=O(vh#tClA-jPH_Z~^LzuY1Yj#Avj2~SO zCbeuX*Zb>RrSQ=;``I#+UEGC65(O7`_}72>BX^Cxj-l>5dF$uS2bM-~R=zb@s(_?r z7gB2Ey;e(;=J*MV9UQhXQN7+J-eQnbv*FWzT04CMK020Xc-sdUNmsmHatebR&=$y# ze%aR^ZN%*YLRg^+tN7X5#0k>7K{rv*pb9_yVCbWfQX*BLDn*$p_+gaoN$$@=O`?%maFA8pHe_`3hydDg)&WHXV(|p#l z<4|*LjMurtYxQK|wk2N1yH?L=~ReTuDtK z4FaWJuoXfQI`Za9k$_4hk^~t>rKH3`i^M;ke-u)6_Mb69?SfK&$cj=Avu)mLnD;K1;MR5qe%YH_6$JwUiqiG)k$lV0)=C778_@j{U_@X?N$S z!#DSz_G7zkPXfw?fY^6UgMiuMV&(#C%zX?AgHKP zLSvRw;UyJhRP#^&PZtx%k8eaPoq`Kiu@}pzHW1FESZCx^m*o*VoB85j=o7UXtB7=lWM=1DoWY zDzmOg%h`84Slm>_fri*S;Uw|z+%I<1yy7Bz<--`y2-rDKrdsYPMnTV z<$qp)0of624|>#C#oIBk+>^<*0B>DQc`YuoS{UY~4-rn>iaFz7<;z$~L%1m$~YRiIU_OMxU`i` z4D!ldkSkWj(`(Jby^q;Vn|Kh(l7x#s#g@I?b`%#(Z$|sT>aVZVJLzJnSUlEi_Sj_g z`GX*y%K|Rz`>3^alXl8wqk($QiUkc1Ag9*#^zP2-TX8FI(;^h`!Di=%&nuh;AQ3jF z&{A)#@U!Sv-xthjq<_Szju{zhYh(Xv=Z=ZkNxoa#gT~o?#gVwjkd-M6F)ljeZ9%si zM5>AEG#!?ffy8!-eC1v5^ThA!oUjULLP6V_4)g!-M^PZ70*87f&_G)2Bj#7&Pu z5k)Cd@voxk9P#0ji=aSCn%;jmVwewcZ~nsPEuesFf|0@40o|HUBdcX7jEx+mD~Rxs>C(1ss|jhaU3Iy>pTzO@=(AJMUzVl8{aq82mORVn@&^Ee-2 zMJQ=d@;_vorW#4)Gzlw`VoV7m#V?2yzmdm5e;rHOsU(ro&;Do7Z()d0NLCV}01f&9 zM&y7T#E!J3H#zH(i8vQ_>v%OXoM7 ziE|#ZlKcefI7`o*JmxKzsn~I@FQ|R&_?~!j)^`F{1LQ6}W*WxKRgFJ0X~KsZS3bs& zEk*NuyGsEf?*yF;Mn~;}ZbbF@EAhYb*tlwJQ zpR3APworxDo~?}Di3?@3g1i<8gOXAuirKnIC3gL-PZx?R&CZW@F|nzoU@+7@HUA%N zp$s^dDsZgvW%6N3;BNOx$Q54or|)*cOazl7BKEhIcmK6IBH&fOYaBq3cgn4dc^997 zxE!hf5zA+%PmIs7iLmQx~ILA#z3@^~tHy_`jRF?+=_$6CIIMJeF4w`(shfEqelqxyP?`Gncr|CqKBxZsfaBsO6-FRu z@>lP5fejrs!!RbLyb@8-AZ(&hLdPfK0FkP9wH%$4Ozdm4@VN^pwOjc>wX6f9%YF6I 
zAE9i1%tqZnQ0Qg%?aOqcLak=@9*z6&+NM^V%!%%+_AYRT3I23qoNXYDP%T%(qK6Et ze-7)*w5eNInlp09nhZ2^BwSz34_ejNV=>XrY9GM2 z$Fp<2nksqh_L1dQC{j53)}!mG^-GP%RRvb0=uUBDdm5pSIwT+)ijd!9lOL&kP zWl)>`XDB?Z$FS5|h^PMNUIK(A9A^7?(m5PxW3Po+o4UwpTJQ{lDg<=g796->i~*wV-_ir8@86C#x`uNa%tN8$fmE~IWB0f;_o9@ z*Dfg=3WKe=9Xgi}gBLJW1!`8z3;$|!4!u(rVg?5=lp$AI3{+B4-_Vjn^0GCs3<(m3 zd`fDn^sleKS^Q9k-lZa#14o1j2+ZUF#u6Q*l}Uome`{kWG-1yngf4ETQ^<3u{*I_; zY^%qvVC2GbVIs?3CQ~&@PR5l;Qd>LaNj)8}QhfkKou5_YWEocZa&85P+74Ku&i=)t z;a2&kcEOmV$;%@H3hY&&@?4fM6xu|@FsY?_g#}1ytGrfTb#^|f%KuC9pV^|!o?yWo z0q@OKMg;*}7sx{26>Xp2uYBWNg`6;i&?6sa-KauBXqTAnG7!2^$-l5yI84oiL-#HA zhgm%gL=dURoXO{1kL+ze#yyQZRcr8hJ?JYH1E1A6w{P=qTx!>}ae4ldHt@5*5wX#x zTV&%6MM1*BW53oqjrrsmP1+Jtw^!|j7iROP+u1Bi5lP+tqrSNZMcWyl?E2fe`{ED* z;Ib8?HeBt4HFYM$f6@I}RFFhDW;Nb1(5pk5F?F(9Bt(E6>!T&ukT10IJZa(BvrNiO zB}kPA*1J@cgG73yiVPKMW^bHSPV@~q5tJFs>-G}bpXx$_`rR;Js-(JNGY6R()!yz0 z27Wq&Y^7gEnHdbHUN|I=`qD7Jp9?*(ho8Q;cuF59tCXNfed)ZdE%tKN_%k&@hPSZ5 z-Y^o(q@#qsc1%f$u9EVn)=-;es*KH?HJ?({?wu4Q;7)<($ou7d|5o*pjc>z0+(rK#e*PrGRcVXSgoUpc{Lpjpcm!clPUSa>9u7CU-UA*hxYRe>^@=oZMp6t1b2Q; zN2=>}cy~G?a#ouaJcyqI$f5`bNVcx`>UpNKw;SL|VCZ!FYsIHcrF)x7KC2RwHbO7J z4FUet)69(DQ=Sao(9z73-I_R(eDhShi4g16hoKtf)-{U>t@dM^=|(2VSa|<iZ#oLV%+Sv7r--mkoU>3KK8gZW^!=ZGvqO8W7I)D z^gZ6u)}#1t8W5`NmT$%KH2UPd*;jmyqnCThjozyrC*2I-{o%Jfz}llr%6uQ|*-N8g z{23~5#l)&HR2H3cRCEFBE88`B$S2uXvd-(t^Q*sh%`LDZw*YQxt5W{454y(`H@qX#1lCz=s9aoK)LN)B z_jVMPQSz!YbpXds?h5DwH>>V(GV$}yv5rg}12a$MmlKz;3WX1uYi!z~U5AP%IgZ7X zmD_7MKdD%Yi7BaX%FMiiyfn}Ga^&j4JP6n^!@y&!sT7$tqH$Qk`4MGE#h9k(VqT|> ziX$?aHMg5UqmI*CPvOo0tN4Lryu}4-X0UKWLfJnl%>VG8z+4{oYlHPYZgSF|K{f zhO7AXM$uT(V&lTRQA{6nyLO0Yg!hH8nUZBXgc`fhx0%H=-r2nl<&$;UHSVbThx=#l z@x?Qmlb>*fOP;s>sR4&>sD+T&fIIwyth6~h8TH8!2bfSC9ueu6udrC45~o8I&^O3a z-~^@{lE%uPMd(G!8ZkCDr7PoP%ATD_%s5&@#$C;(YBOK$-}VlM@9%9Ot;;B1y$ZLn;5Zhot{E}YqlV~)2R;EfPaL_200V0lj}!CT3?Guq zS8XiCG0LfB>W;~dKYA{DsIG`Ts!??!|4`yrCjdt&6j5XzN2IN~6RvwCEJkO`)BUMP zRQY}ALjqhn=)agFHzGNByhy%JzbnzE)+m%534{0`a)`Jnt5LNj+Q(n@63O~b^Nf)Z 
z$FbZlF25ob8(p-u`ZHQTp)O9~;nLx-*?%;zrFP+x>e;-A;g?&-*mg*-ux49^O9l{S z;xAu3$X`0Bt#CPIKeKCkwI4^_MkUQ&n7!_!pPz4ZfYQ&ta@3P= zdGZbwf6x_eieBK^;RRG@gy!SoEhtout2O2WXd-M&aj%o`bzW-L&oXy=P9W92X5*IH zJdAkD&LlneWvr0Ay;!jUw`H`)-0qckt#mEljwcy4RU<_`Fh6E~OJ-p!@CK)qrrI#p{CsSgMEQ1{Q-Yd0|ElNIdPK%r*9cD4-QYY?nP4i zYii;vdBZmp^y7Q0Iq$Cs&y`?7Q_@u^dr z)|>Aa3KwyqT_Q7oI>lRM7sfAQ{Oo{L_ge}YaL5uPY!8RZ<-{8DhCD@=Z4+ZN9X`XZ zw`;1>QQjxMIerLG0c;-%=)$1dH`2vWUR86I zmCFcx7U%nTAC4`^YebDqYQV82SXmxV+15}?B&4OPE^1ah4LWG$Gh+0fr0+3G;M!&S zuG}16WW>s%JX-@a!>h^y_d!Z9XtaflxX;rs>Y-D??(cLQC#FvGXn9;pV;-$Kup-PYlGh$wYF<_FHpeXe^r-z#&l*n=EQ8vFQRe#y zGd5X}XB4!->IGvE*o)UP-p_!ac%P=6T>Epv)X-6{b|di)I(I*KMjIqVmiN1&*wxki zyrU0%9Q6|#Ywh94p(QZLC&OZR+M&V3A-|hxdLj05fv@kQ^hV}?1czVH z`0x(w8TVDP2oRgo2ysC3z2*Iu9spFtCWPFO?zTM3F-JUTh-a@wQJ5N_4cQa9PwR1V zmOgD~mxrw!!`0_l&%*PX zhG!O^XhQSE?m9E=W7nRAImCb zr{&a?iV3~Js*2fVG!DH~sR_S6b5y+WFmh4m|9s?9?lW-D2)^PF#imKc$@88rw+ujZ1{i=~HY{m{(4a85WsAdg*SmV-*s>39#u zlJdV#f>3*qc;)BsjJ=%7(XVq4uF1v?TC;guBH?UU^A6o^pA?Q=djTG@We}MILgCNi zE+bo1+}mHIiQ6$RCLnZUYkxGt4oz}7Y+Pq)CT+Lh4v5@=?VsGPbf{_P`eSxjK{LZA zF>IqJFu(#hoh`h@OX^8$rV0@i@hs(OAF|ZPF`!Z_y)fL zve1*4ye;wOtQ#s!G;g!Zw=XV?$o{LbnNNe~ArY|QkLS0sbUk)1ZfXDW0Ke2k4#U)* zx+LTG%s(LeRMow60&wvT3n99>6)(F^W-2|$gr>!%jlr!6x%RkTpniP5<0p?-V1tq1 zA23@39sn70S+E~WJa>*LyltQeW263Da4oIp2NP=y_b9UtAA#hX!IpV2Pg;WWw#T(O zi@Nl^#`2W@%~Z3OoK!QMia(#+^33J^WfZ7g6knBzQj0)$iI6D@{Z;*KV?H$V1N;12 zA2hl`W2_FHvARk5eOj%gIa%0=e6CFEGG!dgi4Hv6d;Ux368M;gq?{m<3d*P8Q~)*7 zDg@^it1x?6Bkc$9KY3$kgvK9xwjyMBMT5ezzLy2<4Q0vBYMA2+swQ9|@d-5BA_7d_ z2JG-(4gZxdb3Ru#+*&9dM8P`ZZtW;zQo3ju20YcK((YO>yzH;pjU^s{@(V4L10XG7 znlAm?^GAv#o*hKC!FK%tu8#!xK*TiHv#M1p1YQj#Ljk_y5=pIB3eWj`6uxmTbW+-Y z8(`CwIt|It%Q)C{jOSo8fv2>W~Q{*KtAHV?KBl z0@>}5b6?B}BC;cgx5xXTtnjg~V!>*t6;)UkV`?cT#V5pzg}l)kk9-!l%C$DQI_-kgn zhj5*hjb#CVvGMVbpK-I!u@5zM%+j1lhX}{bjy62F@$DD0rbM!Pzo(4v53ClCj9Jjt z7cy52eLg+*69x&f!Y%^@O3%0+9|*VXQ2ogKIuCG&$uwE8LZXEj z!B_Qes>Cp)q7Orx!&2|@4bxp0D*DS~6&)Bjr}bfPb?}1VX0;JXCL!kJtsh@`$G>vg 
zj{-*6l(o0Cck%?$TvxU*{$>DTFfC(jyF!7b*vEb;qwduRqK>oYI1$B=pb)3*H}9mB z1%TXS*ml9Z+jE97vRyEEDpi79CAIh3PgfFYp9&)~_2aTraQDE}jJ~to@z>1#=J4`k zljC({wh|~jqgdk9az5q$jzvDcS5Cj8DA3qj_)YPoTXn2jhOKTR9WG4oF2$oa9$Ead z(+uND!^`}~)$v9j_mXWAoY%?~$Y1CbEr&F%?ey#CtKCh+0Ha)@3ENPtT7Gp^YGGkY ziNx(xq~F2dvdfVFvjYNWiPG~t5fdhGBxtj{#&Z&Xj|$ErWylx`P0icj7b(NrHC0&j zJw88ACOWV*M6llh(rSA*(?ugJ^SDx$7!gMUzc73*atyXYln^!QI?14_RTw=0>AQ$Q zIH1^CfpX{EYTy|7Gc$29XFUX5^+6#qp@WCiP&7)qW?|uc)*O}cdps&?d7T19rs58~ z*zbqpon~F{8x|ayUZ;ncfQBO_w%J?Gd_cicOMn}oXz8l@50WoS z$zLIKks-l9pP?S~J3p#G?!K7^XQvTZtT*RxVbIeBkL_NX_`@YckW>nsINTkvm=1H14$c2W!!5yUWR)Zc{8 zQnqzF)vYskbuTj?n>yL(J!nM0s!qVd50*a)>YL3vVNg?>g2NQRs`la6XR;%+&(;$# zoB8miy9C=URXx}(mBtC>v_Z=*+cJ~`gb6(@ry)+f$foMo!N{%h*v*LRNvxD*BwB5KzLOppjtB}9LtlsB)d_lp_Rg7t7J=?u331mw}h(>7Qv)(dVJ<| z5`@c(+Bgdm{3%tD1pjYGHjP+F^^fvM9B-NKXOT4Ajc=LY+ZexHc#1T3)nhb%T!eWX zzo)Plme%n3j>LY<7+~jLI$UAqJ#+FMv9oLnfnIn0$wHzd{4o8w;pO4(y5zOF{7sYx zF#r9j*`z5bhtabv2ho`??m%P02Q>moA)_nDl%|Kue9NGFI(gxz$!9p^a@`uT)8nrV zFBFn3FD{{|5ub4xh8d~E4ZlOkOeL=?O_^GpFiqH&=1gUONRg`>)@k>6INaaVko?ZT z7wTE?!CM{oqEMlSq6b^qH&T(Kq(QkR%1#dLq@aQYCQw?Kca^IN$~iVN#{^$}IMabxG%$$~KXXTM zgjW$Z=?C->s5d4t;VNeH9)ro=vhe5JI5I2DN?+pAZP7Zjp(q{A*w+AqHX>ojaQko= zB+OTl8R{$dBUG!1G2h@Kw8nZd)sAmw{A(>eha7e>vc6)AqJGwP~b=rSg zNido2BbVu^ZmKZ9>s{tRusdaP9cOm0IlLKcQ}K4zPEduEPM}z5Ck4<0t5kb=F2p5D zt#7O_zKnE!;mpoww2*;sj3|QCXxs2;OeechU;@k(2E>A|#poAV6-)nB=GaxUAGV22x2O5@MH{PxCu+3jsZImcohafo(mK?Mpmvb&wPa!@ z<|Qo$p=J;Bf2-JUm?a_m$U|D#(7#INr-~(5Z%kJ+cJnGq9wW1Llq$7KpKVP(hYu1{piTX=bS@2kB z^=6GycX7#c`s!a#8L3JWWkGk;ieUe5@WAb9|CW~wL2XR~>&Ro(9~I?4s1qajyxw%e zI$U&{R=uzqM_S6yO&9iF7p>O_0Yh`Rs~i{$eVN>_H0gl8<9LZ=gWhJcd)5uGpv6yxI)!7RosMUG{^$mu8FS<8#o096ex;U)DmX zIgZUJuf$hAbb~7phEg z*Wbp~7A=1ftG3?U)gYObFpuRVa4)P`OF zc07s;JA>-q?|OFy3h!;pRk#9i$kF%e7N5x$DqI?l(*=S+MeY43RosiDQFRcZ?>*Wfzr77Uc9S+g4cQB27CZMNCqRZlDaHJ{_##xCD<1LpYPzT>F1T4X8bItnDI<>?bTTq8QI7Pj5QGTZ>@)fKp! 
ztqR1Cyq2?3&yE>Y6R2#lT1%R8l%DSaDig(9OCsd{6NRu5L5-V{kUM_d>E81n~X zbD5G{G!>By4LA(FtX?quWmeYm^`|?B-%VIOLDyQNEO+f>%#4YoHj7pycdBPmnWH@k zI7j)T#zfQZ?RY<~#Yd1~7Z?+yN3e;FY=mRem-ulSZpD*MpQd1(-${?2H%NOm8XSF* zzWL-|J4L{$7jK{(J(&EX&XUDz!jc6j+RT&X>ZW%(s|2w#cXU_%k~0P^2M;(c2Rie2 zM?oC>`t%;7rTfL#NjkI{Ns6~x*`K}^&h+fCSzcPZr?@Q8b83ClyWfZ!y8=$&kjq+KWr0TLOoDZ5r59=Ty_y?Ev>L!*G+r+?Hb9o4D82F_>dHdK)9L zC#gK|r;FXw+b?S>810g+?egoPZ1Xrt3!s{;?41GYoNu(cayzNgTY4I;a>!9*H0k$t zdo#To{Jj7aW~!d+3`cdec@`CFNCs-q<4#<5i|aISSfh(^3}?m7 zpgDM^p2b7ow|kly%e22fUEOUaIp1E+$my!uWUAK6PI`?4c(`Tu+t&`TyIYSEm6?09 z8wU6OA5&Ku6xY^l6G%dWhCpz4ch}$!!QFzpyC=adxV!t{?(S}bdteyc_08pe+9KThA z4A8eM)giY!z^P`DsP{N9756&2eA->|3hGX(cC|#z?cn^gnU5px=Roj&%nvmlXF%t4 zT!{Zi?QwtW6Th+1M0{z&gOn2muhj;Q_$!#?)6&8yEHlGQLBOQO$pSIA>}`UX1)sA` zV)@Y1&r>9uc5Noz#kI}bRZ4z1?OT2y6+)dvb(Tr5KIMY+`00Ri0UWPrHgsAg42jSb z7sbrdJ=0~uvMaMH3Mqnd-))-QTtx|z6r5wb=H zvhQU%zQ+Ha=Hn$m$SF=C*gSfsyvLf9aWeGs_MPdNs(vTS@#=UD;wQey_VS|0T7@@` zeyJx*ZMyuyA;06vWMSmZ?2 z=P~lis_orz>K;4Ycx71qcywxh@HTx4zOjRU(^MZ-k=BgYEqd~sba;xrqwu|kO7G)6 z1`KC>oh6@GeEv;vkI%zp8XvDDc%E|g(s3$?Rtg3?7P?6>mym5jN@v}s zz~xPeoEAT8A}JdVXY15y*6uoL?CAQRo+=Z))5DWHyWM1&ki;$RF#eR7G5F zR%|TCYBugk>BdxBxzF)9L~Y-kMDdifj5l^AVn>uy^iYM)oTyVojEviq z3qWVRv#Fv$b3T|!?=j2F#~8@+Rl7!VT?6`+3zdRuG@v)rYd=_qH zLJeTb-4yTD z>q7|B`tgyBqjwO?4WkmZ@F_b`NTB`sl`tO2IY+abEykISJ-4o{QP^e5sw{&?6F? zuGb(G|D)E!w`HY=Z|j>dQ0V-h<2PaA@KX=0tJ_YTeGsgc8y5gZUTI5hBUVdbUNiL2 zQ2hUb^&hpHFq`SUND%2ZE@+10FJN&X$kNUbBY6wkUNP&evT;g%C|D_xQY{zH;OX6z zEtky~6ZI0daAm5sXH6f8|CYmFz2uZw;&W##ykdP$zw*1`e%-_HDzxAD3NCe#-g@W| zougWJeZ*UT@bEh3MoBRBlC?)&sg|$A6{V_;4S)(e#fM>XCG;9Q|EeAFwi_SuhB#Ng zo4FD1Kpn^CI7*F*A;-wcIfBnXf(sw~zs)-Jxh_D$W`2yyYf?v(=ZC-r&K9i%=*NCz zi}8DoYbtgli{SvuiXRe#bo@R~Obb`Fk7xVy^G{Us&lZ=F8O_fQmsd-B&X)zx9+%C! 
zd@~gpZJu0hk5Bkkmx1*7t3Z06LjG19{)da^BmDa3$2ln(kX*ZCN@CU0@q^jr?B2Xw z#?pK}5;$Rv-^ca#bSt5~u0pqIWprB3#^*uNAy&~9%4#gAXmxJd%RFaEEPwdN zO{K)aIp0`8SxWSbQTI%Z(V#FsSz*N;=7F3~_HMyi+7Ok`Wj)f$^L+t-nfLstL%XJz zyY~L`MoRgt?(@A%Nkx0z_z!*v3wW}3y}en=c)GZ{v+&q>Fmg-QNn261Hu2hbM*CD@ zto((&G{I!JSo`9^|NP*8@-k)fv9lQ}Iexxg*`>EIpgT`!6^p+eE*rfVGZ6*)`1ayCCW3UiYEzDMOt&|WR(;sJ7(M!ktNQ+O5+T4xo{q99hSSo@z5{Y z?DWL}3Fp~@!vs-&@$HMMUWda=)opE$MSqF6vMtqhujJ8ov&k?Q85jrkUekSpH$W1H zenFTyNT8pD4TsBd*)_6|;Ne$E0*;l$9Ja{&z7co-xEw>)%LB?cj>J0-}U-CZ3V zVDi`~*q9PKWW3Z%aFZ8q&9#|C7+DTbIZyDJ0*R*@OTd-SQg5>zUTyM?p6;$w-rrZ9ic|X`M9`)UE zFx>`TN-Cf!+w~MvnX2p3N~^48k>jZqzsdPu>Nc2sf-Idoo(jOW%XYe~R@{+?uFrv3 z?KU6`eiz^wEaP#=*Lvktd85r(ZF_&XHhms*Z$OLXxEM+^R#8ELR|+L4wUZ_NW3#HJ ztW+s;9HR=mS}%ql%~s+E>n~H*&G9|whTO0)2mSi|3}@oHe%4TE>Aa}GGPy&!>1}mI z5I2n*+z_RS6ua_#oLiL)i%J|~jKkjXg|uVf6jXsI9w$oY6x0`O?tdPz@=Kqj%-&Ky znzZ&siMK6aqTDO#uw#j5QVQB`?rEzN{S0`xl@}u` zk?@$|LWMR(0tw2SR_$e0A8ss(bFH!KbeFS!@K!nJ7Z;DTs$+&k#>F?UW-+SDV-m!8j$i* z>5CeV9*A_qsB5*1PiNDQd-p1{{88}~wqwZqKnPiOGl+X<0S(vwvsi+UH(RS}3;Wqe zrg5A5lcHQq`b?8#2G<&(%=%r;1+vo9;zmETD zY=hD`?(r0RCfiF9hY_dQP(5APaTWcvk8qgPx({%gB~b9&WVY68&9f(f?%~+qmXDFL9YO%EB9O53rdtwB3=z ziX;f}k&?x9dD`{lXu0KxnFs?1=JxlXFyrNn-*eIZ6=Uh~Yij?vx#&*+=@#`D_7CZ; zvaS_CXq-?^1g%nj+#Y!~8~O%Oz4us4(bFoOmf`A#`?(@9V6|$|Lw|cFA zgk6Z9H>(;+E0r7PD=!NknzaVb0W)Ooudl6mSBa^80Gj8g=ZI9|%9S0CPw=8zsydJL zBXt@4xhfWWXQ4(mEyVFxdM*tL_cH^;yci=?aep-1=UhY zf7As`^DY_W2>^d}mMXmNFOOQW8-Uw5P6ONFT#wy2uIWOM6gqqd@R#~?!2Q=5#8L0Y%L|CI&kFH1c$Y-R-$s)a*U!Ee2hk>EdkB3A#Q#D+)M7W!8!PYgu#`wE zjX;fDuep|bvw!kKdz%1B=7Hso!zHGk#Jf0vlKm43KZ0<>;OUg~+}cRrUGt*aVo*rh z1)9MI9Z;sLNAC68mPzK9a}_uDHXQEH=(s_Ixb}RFTFqgBj0zK(<~JfWF>1OqQa~r* z`PaN2nblw1skJS`7ayluqz@eKRlFg+xx;()Nc8;sS(LTFB&w(LMRVHlsr}uLK-%o> z-n8Lr4*0{sU7gJ%69|$3^pElcXFBTgjLsT1B^DXRa)?7+v6+x_Tirt<8;SVT8^qb9 z5iJuZgZ?cx>A_j)aT~F4!CM9z_F;dxdf%E0Qzs;vfZ<b{;xhLP-cX6E1M*W_zOt7wtFYwB|yI~U^TwbpcQ49im)#UEhGOhJDq5LbKDd{ zc^W{y60n^bhx1#`fN2DfDlT-X(WXPEnVt_kIar`V?5>2_suQDnXsYBm9;8{|F(ylox^1=3! 
zO@bLpz~qNW-~L9@-ABKcE=M|#32PY)l89<$OmMq={Mgt|jMK?lqzuzbp>ob=i-dTs z|7j^25EEp5J6krawsb*?TavjJKqj^ur}O#NXqv@J@ZKgB0R3OGcJ7O_XTfh=m}l^x z5{F;UZJ7x*&(8a+>mmyD8gnkQE|D=?LSJF~E#o($rM>Q1siBG*I~5(x8dqiv7PCff zGHkxo9&zbP?6>Tk%kTD%ZTL62CiIgtphy%kPpQq1$5LPBWa=kD>1iU~ z%FOb!-h0|W60=_o!O4kNbR2f?{#VcKqX5C)4~} zn4d|bN>tIRS*G>Vl;{Jy$vmeH6|tnkGT>pU+K(B=$Br!1UnTM}1D>di;JttYe(L}&Ni8>xonG>TI#Ik7&x#wp+UchzM?^_|8l@?4-!}>zzlf8fC-#elYw?Gm&<7F zDxj1Qqc6@h3ldEdO)pCyPB<&LO1Rnq4^Jmu;Md#MweeS}+_S@iXf9xe;m&2zXLxBH z;L*?*aywmH7#`M!L+1^%h}~*9@&XX8WyDviCSmAo~W#mQ+xR9kXBVmF`qeadyAj?&X_ zpe!PR`7;P#W$3?{%Z)X!6WWapX+EXCthf?8!+Lk6aALZe#kcC%)I> z;Oa-$eObw5^-@$0q>eYcSIY-$8Up1pJY?!4z+`uTlO%1 zax)Mxcfy+LqHkmI;M@#Zt)sUue^k*FgN*uP!o=|wWQL#_xxXs<epb> zHY}N8sXc~aX>M#<$+TbUZ^yx1_SnSJu_tuN^V7~&yU(rG95~|%d~UInU|{(SexBGO zIpY#m_7_vR+C8_2H5Ptw{8PK|W^{R~)HHoxO6B5j-+^V|HJG6Zzho@nrDegdsYQ^YYRB$$>cu?PAp%|YDYS`4>XmW_{97>0zWs>E zvSMdTzEW9+TX1_DJ@yBBHVd8UG;1j!wC+?|9om7S4@D z-_P%3^BWgrMo`vv9?ySWPb7S(Vk`clozIA0lEJMD&*an19JqCI21X=zEhWSHrz|fS zNQ_N}6CwP&JBgS|QSmpABv&BuRI-RN1%?fF`#HbB*7^2=1xP#)MNfw1RV0XF)50(= zQ^HF?I|q(>$qaC-+6}t$1ZZ3218#^qfyo7|qQP?MO{;OHlT3Y$hCHvzo|zN(%%ILCSj-nce+yhp++ zGW#eXiW-q*i!iEXgB3@Q(iP??DoFfb@vIW7R zYkf}<(V(4}G}ibhU~D9QiAD_j#6&sXa5nCTj9(=_r8F#feWhn7fzr@!G(aJ@yuNZqzQ97sCV6 zSM*&udf@R&Oafo*N3z5H>J4ZSIy9ZPJh_V5qa)jZ9oZ4O%Y+EttM6BF*dq(#7lF_$ zs8W-_*Ty2riHpO|w2Q+!=jHt0nns|y4`=w#XR}+Wxx=F%lho{3-(dxtV&fG@)y%r( zdG@d8k_h~}=s(v9>Ex zL~C!{=gl`6D+(f8;41W&v2^#B&DL^EJx|mqd0zTFWU-|-plSS(XcTS=mk8pmfPfmX z5S#p7o5+-{3hO0fL`jp3rv@y(9wpDKipy%obiuepcm1Q{zKoDkqpc+;1L z(W4H{Wil2-DI)OqBA$oaHl8qJfpqbp)9m(B6<|yXo^{Zy15Ud-jzwDh)+9$Y$yqc7 z<_f2F=sk;QmP&U6o>uX3ulXSNyTHpkG+_0u!FRE^;Dl%Wk&c6I+L!gTA!=bpyIR%izU^rhZ#zsfEFG~W^=cK*DL4X2_u_DIwF~^uXRWYY*bFN zIUYU38)ZzVvq9*6doT$1@Q0t@4916{&Msta$o4A6+fclh?SjxStTL3SmIJ1vQwzoZw-7SUHY)&j8orpF0W#445nul{Z5PlCgELRu4LAJ*!A5EI{2Z9jA>^qc>& zaEJNN=A3Uf((K<@f_YYAdmSX`C3N*I^!QWr#v_L0#1x|Vzp_r%qn~w2$yDcQ6WFS7 
zGY;QQZeft`EF?s>U%B*W!0}3x%j0GAlWg1XkgO#8XNUy{PF0^Wp5zt1RPP8D88&{A5P44EAa{mxAqY;orPo|+jlr-=?ETt|za*Xd z#j$OMJ?+*-C=2KN+J6IMX7+X?Z3@Z~tX0F)n5$SbZ1=f-X{$W5p{&+>i3d?IZOW0D zequ+&y=n5+nsV_iUrE!Q^+?(2>h94t-Yt|Z%i3Vtx~JbszNg>kJ-FW-x&$@baJgdq z5kP>UQDV?o+KF$R6|ibT&U3Z3r{==6_j}O!`~NhXT%+xqYk}umP40xo7|rt!hpkbw zwQ(%Mv~U9oly{RMI12~TLe};p4jI;3k$cL1iDHs7`+%utj79MVo#6%S&i;45dad9M ziKahyoCfU3ly=n`Jk%YB-%VHZ(>qY+S;Uclqhey^Tg(kfgH;c3zttbT50@2pMk>^o zW6R*yIdL}1mE;C8af{4p&0DpUzT5hdNv`e4$~TvY!SLyG-%sv>V?++8RLpgT5uDUJ z17>Kw7bbkb!A#JT^frr>nE*T&AVw!R2NLiQksok%gqQsZ83%UZ!ASw0u`_=2A8Kk3 z!+$)E#niLdV=C~r2=L8&+mt_Yf4sJz!*uqe@C&|kZ44?eVr2z}YE<`;^F%`WG+ub; zjjJ>d3|)lt2Q`!h*Ia7!`tJ z#nya)_eNE4e`d z+s}L|Y5$Vp`<{ct&n4ADpIS)llRk0KS$Hz)8?AMU; zx~QnSo4csm3f#~*t~t9{_o3}kH}F^%{bJvVg(ivN5#asoeIFR(lDNj_&LxS{c3~$) z<|4#18SsE~{8Z|pY4L#AXmDp@+V1N#?kv?vQ-W9G@xp-T==D|{f}F;)M6PjgQ>JW+ ziQ!U20TkBRWAwSKTU|B>*7tENjM}EeJxwOBVDs=Z-vjYD*Q2g>YZu*mmUqd+j*jFj zCN?p>^o5hsHGKe}3ATw+;Pc{N_Ew>rgTO2BrO^HL8L`JTNUl}7&`QO}S{FE9#ea71 zt|8(1{CF~#?7^YGLfriWbMeI9Ue>hVjIuxHa49eeR{%Aj}j1sv~4 zX{-?|8#rr%QVitl>_({P%6zcVoYoLg%8r@&O^eCOhODEc(AAJC8!%r5*q$4l(#;*5 z0ukVCo~FoX-3RZRs}-PEiJ=Pg8~t_WA5ip&0X++*Wd3tf=cd>6>)(+kmDNW#FSg`z za?ewPs1AIjA7Q+jO$tj2!FZ2L8l(uAO<3%9RUBTQgC>6!oI@*AqefpUBa<#Jx01w1 zEwyW+)8DFLa=th}oiD=!LNvrkv`l9;U*tWcHFiZ>6X1bWnhn9e%HAs^R_nd;BB4Bx zSN?O-Qszu&C$dcT5GSp3rgGcRijHob6hNK3X(vO%?occ`v^ii$Q%%g=tK^0oH8RXF z_I_Q7LJG}>A(X493&mWBD}4eXt|2$xz%hk9L-w+Yo`u&3FDatFWkToOnOoocmCwG( zuoV(=%>&uh>2Sp)qUtCnI)i$c91i?R5yA&Dq*QW>0~6rsyq^VV0U(%rwbYj2U(fPz z*Oz<5RftOuG@4_-1-7+Ya(hEO1Ci!8IL<3WJYOQ$G**>uDPc~FP@?wxQeo`4Pbl8Q z>eqL!^|NS%Qqd$fjqmHQ9sV(c!(rinxq}$^4bV8cujS zAA66{hc^zRCrK?fx~omcdt005nY@g$zJN%C1fz2U6oMBByzJq4D@ZhiqWOhjs_;w` zx%ct?V)k_pWeKpxP)31VW`SHUo)H{u2leiM5ID+fmrMFh*hSJ8P`kAqOurAm9}MA+ z9{}u{i$hQ!x}#l;p5VM1#-4WE@SUx}95Dm_ZSpSp4#tzE@{8eS8FXo?M9?UcoJlKy znRt_SCJL_D=|db}4BoIAY2XnQjMQ8;a{MBg-o2^sFA_AVZf-U61es6?n`a<8Z_3IT zZxq)X{`cCljIqMj^kM4iN1tYL*U@B%ydEF6(r?`Zk5}6cBJfg7q5g?U^C}V$P}+2e 
zy5`3x&)7jVr6p_!b3kS6YKmfPvK~e~S~+e-kxvx{z)hpjwTFtK3v@G&s*27 zwbbagl_p=6mEAL!`_t!q{fRvGwzAzLP+9w80q66JPKj}iy$!ZS6gM1vODTez8(yf6 zs`NE9T4zOpJRAGS=rd_Q!}ibk24N1E*Ut)zD&O%Hb{TqGS-VwN+{}92y$a_h5Xu#x zLWx^oCa3#Rx-rX-2kR`{b+tA$eCPdVQwf36W+-(u<&a~+KL}9cK}|5o2YxC(tK0lE z&)yk3$E%mmWXk*a#w*B;-%hpX0cYVlZMNwab@W;YkZI(B$Gx3md~A78FMbL?Sdj{H zSs=2y0@V;pI4IXjoxb46({K?GErwjO1b{96b8T)86x)o2eKi8l+;|1#70SFWNOTw3 z!W!4L3U~i4UO@D#JLpQkdV0q?b0{a5xj^p1+J^9Lx@5@6`BgyP#x4FQCD=I%VwEH5 zYaJk?ct$9jqs0gbH+aU_O2Q+O31HB zMs?cXoV(!gTAd$0HAy^eayhY%b>>8z8Tn$|x~W~8Cxl#vCVi!$vH;N z<|!fN7un4O=$MUW1H#n5&VeP&wda+m;mXX$L(UanNzO^BhPR|+!2>D;!O}119#B2# z^R+@5Y)44r&|%ZRIGgBGy5=K5+e}?!CWLC+ei}Wb(7EdW`y3Vu%z3Ai<_u%TwTe>7F%V5Jr+iyS7DYdPw!A_qYi4(Ihcj0dDP!ih zGLD+POgW|+Y}+PjIH+niJa@j7YqVkxaLBf^H6%iS94Yjj_pY!B@#F5jrFvxw4T`k7 zq)m!#A!WGiF76g>A+6|p_UGTAlB20HdkX^@?c4#5yGDJ_tDJAt+lR38z8fpr@_vLH zD9oDS6)V0i8obX)U5_d5b{VdvJqTc#b)ElK$;Y?6U<#@Ns@@Ii7kV+8S~$Z1o(k?s8K?Jt&Q~!g)|f9XK$v{wht&i z8lp?Hhos2vSo%4wzzv1y`<(@R4`y*^&|Gr2tFfa>c~`vUbVw8pbMl0*>b2{S#)bb5 zMrfTlxR#GLH#a{c1r?BQ(6+wY^RYl?kskvc>1LsZ5@N`NL(rS4g&+5XMdDKnGr8(k z%*lSl&D)~+%kRMvuex=RSjOZ_w2b-I!1Qp+zka^!H(GM4CPmp;$i^VKTFAz>qT710 z^8aPJZlUJo*iic@Sn}`{-pF=a#l@bYQW^%gI!qLyQHNsm@W^w87u+-ZRn1$^l@+g~ zcP6HFX3TQd$9lBr`3_?Uth;*X*F@Q!Qek5!AJ*HrsYa`yBVIz95&>EeSjp9XzYTLm zo|{H8mTZ5Mj{^l0IhqV9QlMt1lE?;!*h(rHN(57N=icu|e6lF6+D|31QD5vKECJP6 zKa$Z7N4E`7cTxVg2o4EaQph4C|5*gNn}uYo5WRS0ejp+`-RQC+mr^bUeO6pQ8I!uV z))3}?iLkbrkf+VIk@=?-Q-1T-{D&_1v5nTSPATM3!LPz;gx7^+V_&M4rg}Mf*`z-H zgE&AG_f%36{Q-YYK5i6^BX{ReMavgYTl zGN}6RLIHVQ|DRxMr0=Y0iwCeYskRF6uWk}ou9UR5$3-#(g4f%wbPzY`x{S5prLjEA7|>Tf2TL) zO(K-i5aAg48VaX-OQ3!@BV`-go9)Ue(C*hK4Hvkui$1YtkEaxSrCQ*F{y~Z zb3O1L^oP`NjXLYa1O6ki>7E}K*tMx{@OYQh!VZ-Tp0~{cFrt+f-wBSyYcnGtH0o8; zd-eGzW!!Aw*9PHgZ=2M$lUBgGG6`PE#lQ#JY6oZ@vIP{Z4#n7CW-1CxD>q`SNDvu# zAL)E1Z)xykai+gn_>KNzPjH)-@far6J@JqeJl2*_kC)MEXbkLD({Nc zq-yu|e8Q^LU%&n2rv{spXMrV}CigU-h&Bcqj2&0=mv^)H+W*vlc{Q;9;!IxS>v-SQ z^7uO&|E$g6Yj11yz7auMO$o-02_wWn+82e%pK;LPnL&fwzQo>jvUPYCLNZK^+c>)_ 
zD{wwFsAhWMO3UuO9Mr^p>X?RQc`ZlG^Fx{KC9@`7DBe?Kq&6JdhYXNc zUX4A>iI$qUO;IJF47dL4c$qq8-3M!RO`g%Q8&gKG+Gp1BU22kk-|sBiM}?$i6;-3` z1~J`_f23R-U9Uk)<8mfdBfCZqrhBZ;G~(nXqZdCHMU_% zwC+=hD=L5uG2(H1kviC{AOwZ!Ri?JZ8iEjg_ze%y2ieQH-w=HuOY$Q`Pq|O4@V>p= zT7q$=0oBV@lvJIodx7)Z3q`%GX=k4UZEYDRd1mtBL$hL0e$g&XK{uh52}YG-*OfTH zw1~f{0}uAs?HP5CTlpPt%B`%BkCofr#Ny25LgszG9J!qH+I$y=L9W*m{|-LMu+x2o z78F-siYhZKNO)inqtbd9@0`K$7Wy>`x-KHsgVmrUS z>&Qv7beMZudBGmKw%f~$X1y3AiCoSU;xo0SC395SB zM{U&{>!ki|?qn*hLJ5{67-}Q^ODW^`srnlXf;h(h{l;pLO@Ngr6id}d-hvNZh}I{p zrck42F_ve4msr>m0BJ>PmIE9(_0KsMzUj05q(?v1oW}_a#j>oI8{tIhI zpm?VB?s2HHmB~7j=>56EP67vKs<2%ryItQPFIzB#;VA~$+j9gH^+}*sk_HQsNnWt` zx_~q~BOy0o4<`SqZ~fjd|7ltlkzD@2R@Lnql8_r&3Di30^jP1mWOv^LNDbCo79llm zZNEy7c+FCsLn^&`KqMBzr?4UqD=_h5SxyTtl&N+au@Yn{-j}~AfL#FZ*;*Mx&Ro5H z;lwVT94Q2Si|;B)Q@$C)19ak-XoIt@(Y5R%d-c0}qe6A!q&(nKWnMFM0g&?+pEkLT zP!@oVlbXxP#_Mz6u7i%3=G%P=m*U{*WxEx)cQG9N4EHH&jXA&KMLj<&q8NZ%e8(+% zER0frpO;4ZUtc90GtJ;b2H3wO{|gN^T7_r6*MB^oo`H*DvsPCS`5FqTk18Mf(?m=G zk#cH^Ixle;(NJQ0|zDJ{NK|f)-j1-%@^ZLZj zZ>{zfk9V#IGJ8U1yPojmy&BwW1>8aRkEzDZwycJ$Cbw+VA4o|S(M<~4(dwi?;_o+n zB`?w;oS}2V+$`N#!#Y>&6M3oWN`@zafT0NC{q4$Q zhT-R2KA%Eeey>|cPfaV`Rh?nwy2)#)gS+>{7WdLb+ncZR_e6ei%=syT3F~5a- zNEpRpJ95jnYC_a7l^<6puGPN!|Lkqqb~165_ebEAAmNaE`q zZeW$`Eb}`CuBrIY`aIt3Ztl*U?hg8oiC$#uR3XDNos9+yCWTTPZJ(+$U6CG&J%#IE zap1&&l;`Fs2hYv8p8%28okpY*U@f0XR86hTiKcgwMcq) zv3jhaP47Fn?7L56@c<+ObeG2k%TF&Vy22`3C~hk#@AnKK}Kqpew)$^%?pi1h*Ja!XZoj^~VfA6+2`R%SppjXWP@N z!89hWmz;L1lLWmPy`kAUxO;7t@3G8lGN8bzmVvI=3Om^{w;{;Ko`)Ea2OF*=F-HDRw7Il8(9%3 zpt*T3(#mi8DnB9{Qc*=Z0CIXL;a(xm6@k`>uu*a7C&V|B4wX^DUFp!|iB!`@)#=Jp zQEBZCM;Zzy+$pL9D;=QLN}tBBkMIBFwbYY+4CBUB8fA97{;l8~p8idn6XaBqT|v2m zLP#-P0-F|~&!t0!8ZN>&W)zB$$GKg$ncp){Rb?-UpUI0khGz>X{zdL#dG+Rn*rmgp zAdzr*5L6l>2@C9yI{D}dQN0TlPGX3{A)Z_7q^Q<5lMASZdG(7Yh8kDj>>xpBO zDJ7DRj@{d|7f2ln=X_E*uxZ=vWf1WG@JgNDWNB-5Da)BK2`4p6+VlQ=h7soj4WHbyh7>up&q7f5-Dy@-cypA=k4=O%4V zO8h8>aS1A$>>RDLrncI*)5!D6xy4r&^HG=>RvwU$@VTp($CBorH~VJBZiCs*-X3kI 
zbwPR%H-!gX(g|jBJjIAq{?+}`Jj4jlA;Ow2$q^n&@SB5;n80=ya*hgHYX047 zx9U4QZ=yTJ%VzWDCD)@Hc>aMT+cS;S=G*QEfDZN$SGAIKtbFgoz;!YOYAZ|Zl@o`} zoBsjaZX4a~*@r3a9R!FQ9-W7z%BJQy9mjDt9!;<#SBX>IqI&t{&}2J$b9b=l;;D(M zGtV�*>SruZ3ZYYL)ySOmH)rYA@`+#h2e+s_}tbO)=p)qa{)C@3+z{3+l6we7gCi zkJJxP&@ks!X;8GsVfOGlM&z43n^eS-_*A%GddTu}Vi8ax6o|Uy$B-*2q@$bm**Hph zLPA8+d<;p^Q{z@hR`d0TL?kni^8eqV=p4wQ=>4>sa|ng8hV9m!k^;)>5P|X06n81x z2$iwAE}3yzclOrbAImprty`TM1rmqI@p`6TD z_L#)CuGV3zqgDBhmBsq~aRyRGJ55BniP(1&YV2n>o~-sZh14ubg|~73M~pb{qX79a zE#w+=sI5emM7>|kn)9?Dh73rj{$2Z5nkd;yVXj*7+>)cH$6`cv<@;7$vl5;57(hIG z_CGCso?KngKZ5^juJIO$5if9w7XJqky6j7wfvc?>zJDc}3wJ$TZ&8IlK5WRzw)vHv zxjci$&0_#VJ`Zrb#+4Wg8?-<<->Lo(zn3-v+-f!W)E|tt=E%?qq}N>Cvtjj4^+7fd zA#r90m6`PQu}W6TumH4kCWZLS6g8_pmi~uF#@+yPaOS};YeBg;na8ItAgI|Ip+G`{r~RGdt~{LzNYG9qku__mcwH&Yhd z^l5bM+{u~cPdE-8vo9Ec9uK1Yk)M8MDb$Q)9$4tzG&v~jVJq+&u70NxN<-%)FU6|! zp`#nyuPoMop)hGEDhLH?tf?AG-TK?-`I4S<1vQlv!MtR}R6ooxLjV`9CT1F!(LZJx zUJ-muLJ^_BMF9b_Uz40G#aMMNa%7xNx@9>23d<&VKXOke*2LrSw>Bt<@$e0szKhWJ zUKtv*n~~DUF;0^!i+X>j05KvIyoU!90iNbJ$~YQ=`VV{{d*~m;bpF|^;4|wJ?dIw? z;iC1p@y%G5(3lSN(y-{{TIKpPcmw{!5t&FInxp^DyFOTKu3pG)>OjmU;#sq|_3DTg z1%4;FyU{c8@ynY08W)~^@lJR#35V|L!^zP&u+G$Na)pR?TH5okO&dmwC=Xus5Nya+ zD_V6ZT>$dIU`ZdPS@rS>uS`O0%HUUbjqBTOSjizCU7sQ*{i$~be?;F$k!x>cGi~#P z*D$aCW$&lWoq>X7T-IXcd(Irsf22Ue;P%u;^uDNsGI)`1f`*zN4f2jTEz}kPxOPv! 
zx0qzzi?bp&&hC)8oj!5$%wWWz37{JCzVDR=HE77_rLIcoSz7Fgs(O@kEM$3HJH!rc z71n@aBHGi}5YW7YHuL9Rp;-DX(DisW}ext`d~kDT4@dhyI;05(;kAsMxr z#zZGV`iLy?jxbNmqyxuEN9GX>}L{X~*96Ds1q zr3Tbf#*a|85>)*mO0Q_Z6O%8#AUu4cLTlpr=;4M}C$L}dOuEm)h2LSr(72AwY z^y`O?6>=ce?2t}aD7f#h{cacq$#3G;Bz(;+_WHi|ltC$3K)YSFa4@P5e)YqPk26Om zRQwz8jM$aC=0lY-3%M}sEYBK-)13!#pFz6N-KURg3Y9-^N0`2tP~E}DyRZ^!H_F%0Zp(Q_E`^#6;w8#ng#spVF3EMn!aVCJIB*r=as+j z+ZI;wf#^%MV<&>m)>??&-&O+|B>9Zzt0wdf?bqsn4-DluAK16vGkF>!AnH4ncWXMU zY4EC~y+{~r+jpQ9G26JDJqEUMu_4~5%)g4}<8Cxkj?Ja9ZXrNLh}`;k*aG1CZ>ZNs zX^}&tNaj9MDi~`VE}*)V|H9V!uW+`N6{boB!twMCn?gIzmK>#qaxz|OP)&^jL&_gz7~!sE~D znkv3Lw2Y@hDp0%Eqa5~$8uEc2OyJvRH4%yzk`0YVEl8UEp+yAQ9aW|`#h}+y*RkZX zr$lX$4FN7EUt%aX=Phm9o*MFh)0=$fQL~mMEE?}G^Stj*_IC~&>ZRc5F|N^_KyYB_ z<&yO~DtfxCF~wCMA2pfbhoUfFo`U^jy%bsyI(xaB8Am#$h(adg{BXvPI-wg!cu*K? zsH|#XxPDxb=%i(J1^Vwek#J0+hmPaI0m6RKRe(UW(T$!%ENuYEG9#?*68zC9U?hC>;n5EP9CR zJ`goJOU_cI^}N39IF6iqCYR%O5Yoz1lJGkn>(>S0*aPpVXV5PhFrP4w%D@YR=0T>| zqwon6bp?(fS6=^B$!)oBQ=7(&5$R_!GSY=_Uy5=K-ouSy$xk4Hf>VFRv=hSQKgt{u z!fBpC+Uc%-NR5S>9f1qAwa@rLq_8v}om{uBa^9Y*3H-Yi#5iz*@6mq4h7z!#tps$z zY0kx8Mv3U40)~(j;scy;>h)9m`lInS)IR^W7a!-}WpzoI@3VA)yZYcnZ$wt0h?iHh zOcNiJ4Zp{s;DNr%z!XSkv+9^I>lih`Q;zuK9f)frUYq_Zt3o>y?<+Mj^`+F?$7t!bMO0op7;G{K9jk}8gtC?8FR$k zthp=FLfSO2#AOG4Oo=MbK3d7;o{aH?k> zdk6nXuRy6rRs%Uh>h0x{Lxk?GPiE1XTPD|DBo|}ECDpuJ&ikebw{Wc+VI!!FT486v_COcGO1P=Qy$qmn&|~zApB5D(i)!MI{pq@QPV&p&cxSd z?oI5lv$}&uYMW3(UED(ox_yOWxIs~dYF*)5T9-}w_=aPjlT z%;W(5zPwd0RKyn1NAI|`ld7aVN((w7Rfy$pq6>CXC>XfUw0*v0xzN<{W}`zViQg?6 z*WCbD`$LkUVkwzD^yXF5;5NalJ`*F#O*?+PqHi?SsuClf_Ca&q6>hv_^S#@1@G6lt z=ICN)dnYz0aXxc`TE#myDrMCI!c0_phN$9qy9VTl{M>K*Q!}9NHnsw1J4P)r-0`Pn z$v^0&iDt+@Q5>IW%MSuP}KiL17Sh|TCfz#EEa)Wzf^^^FQc*|sUQT}}U1Sgfc3QsQCSBs|Ay#g{4`AufvJlbV@V9Eg+&G5Jgs-)F-u@1@9iy=zM_aJST* zIAD~Ur$!HS!zq*);F)-Z@FVMu$q&Q25tFo&-MaTq>ReG>R%?H}*%ssWc+(aC$UaG z*Oo_kkK9~(6NEDiu(-?!QV+(BdQXCZUhJ7X!PFRXmq(aWuSF=9)6Mw?)@nbtxIp^AG=?|R(q-J5z*2uZw!H2y zv4l=B{x#rtJgr~SeZraL;*GH&%>SXjGK;|pSxa^%OT!|MXmZJ5*&oA0QLG0B1k41YE~i1 
z+@V$^Icz=4*RN0Xj_h{JYhnvxR;mRBvOGq|xJ;fIwu2brw?;i9S4T#7&>G7+q0C$hsSd?q4eJfzq*?1&LZxyPn9E#Den{{S8QY zeA(I~_V{VTn68~{x#>Wsb3Juga&_8TE@2|Kyp()#Hm!~X9qI5&=KI2}gE(`8$>eL1rE^S5W!$-j9iPzJzX)UNT$ zdnimPc!Zb8DNgjN2!Dxnz~C*NXyg?$ovR5lFWU1(lThNFufp#}^+CaD@sdQ|ViGrh z#f5LlHlSBfPpkBTolIE|d?Mc1PZCF%FzUD3p-Z3C&kM_?D~#`UN#6L5e9? zjD*wp6oDs%+pt5Zy&AEOZ$qV?j6&&HTP?=_z&4;;@WsTp<9Z_SuSH&~_8LHYNkCdO z>dHG7gSX&)cdYU4GA~*$LB5y-bRZ`(iSxbM#y3J$r1p|{3$&u}#jOTo9be{(vp+zV z7}R>Z;#X=cYOh&7?@Ktsn~YdS!arPtOd3hTE-f+i)baxB4sH=*c7Up|;U`G|uZi_R zDST2ISyEiS)xLRtELF^T{$Px_4?{G#a_^a;Iep)}xcuDey z-o|IqM8Qj;(QwQ<2uLN2Z~Ow@TNE4ny7~@+7w@RZWnUz6T!G*ED3c~;{FFG>MM4+1Mi|oIqIu&H%2oTfFE0un3LgxlRB_e9Qm@`Ts7gIC-Pj zE#8Rcs3VWfD0SjaQ^Cmx# z?I}_KhFO_sfSQhBFunnQl@@@Z^#ZWU4#Grqam`l__)Bb!xPXl(!WjUjU@8nK6Yg>J zgqe78z5~LaF!aDy5HJa2M1b(ecJtD(r>+E`Ii)U?M}WRhsw)!VENtNnPGJkqatd2G zgHzbT=Q@QgTugAc|BUU~!iE4k4LnxQ@kPjhg&*ti#GbsxO9AW|;#l~M$G723Q=<9=m0+f$^VvB0egbPIs}zJOnn3}Opf@F|ml&vgo0aFwUA z#a09uf|&jI29q@&FBaHNXKV#vRUW6d0$iNa*n$jBVGGW3YTv>coWd5I>om3?gVWfa zDJ&)2azXX{aTOEXX2G5LH#Q4j9sDZzgc1}Az`n;$(z23?j?#%nTmcqFi}RyOg0nqE z3L1+jsBgGa1a$F-Q=FCYI%x)QY(WO6u*EtH+hcb?T@4t)AJ-CrZjSs+bzM43U4G!U zJGB)+2B)zFXE}u}oWUt)iad(ytifnDW@3I;QEz}^1L_7o}HSl9r4pLTPgk3MBGa0aKaeRUSL$L_!n zG}2>t0EVzg{4>>6cb2;J&%_pFaB3^SXE}u}$lx@#;9RG%J#*ilDeQ3w!#NScKpmd) zM}OEXIOCrotRsN~hNuBU zSk+nTk~%YlT{sh4kin^~0M2sS&4CO~VGEz@6t-|NPld2Eg*^^oaP|BY!ayDV5|%)J zbZoQm8GnQ@86bqcJW2caA?y?>$o38BeowhMx|3!A#};I83frVJu|0MNxPa3BxRntM zVNz#Cg?ndig)e7fd*)UEXF2WWKnAC<1?M`AEy&VAZ<61>>4lj{0=kND^;VF?1y0^z?+3itGAV7mTO1iN*X6~Kv3DfT~;^w`PyobZRl zXW7fK>#PAm|FOMrHSEPtd85BgI4I7H;TO*GasO@7V=F}bb$4N%v@E!j1&L1C_J1fT z+-VSa00#b3x^d~uT>!V&S6~hENA!wp-}y|(Z?`Y>467}7i=c?7rpUN&8Er65ufH~| zh`**Hy6;<*abLc^mq1%?4MA9(9#V@;^nR(VUgb2JW}IF$hlPs|@B`yV1YxqT3h2;= zWWaWqR(uc_*}66N5RJhExLUd05|!eXao;}LV2s`%hlQihQd_Qtev+&nr7_qtO0W&2 zutwSWOc|@);pj|>w^G9Y##7T{+&7Ij_)f2k!@}Li2#3NFRfG?0pYy%!;PM`eB z*<4#su2wR-`g>a~(5?pQ7s$fmzAfkU2Tt&|?cR?kxKCf=$2#0OoNpwhvUb=Y6Ho0@ 
zm)$5};ep-ATJ`Mx(r)L)q=Hlz*`9-2Mx&H??)4WsE{AP?zIaOlsN_ zG(BGJQeanAAf@Gn=*ow=NES$g8717_B9}5C$hR`iae#6M^ zEIyDOJeK5V9itu#a>Nb;7)$Y0%8f2_TRJ9T01Kk%yTJ9FNtdBdwWS>3K?1PZ1`w+b zq+B{i>`dXxn|~0$`vZwHRWfI^EPJfK?F-M_&Kz>{!1S089BR zuu`1{|2T?(n)(65(6S`K@4;|_41@t3Itjx+Cp(70=NA~*Ps0EXorK{(h3psxv|nH_ z`a2jvP5pr3+p;9m@4;|_41@t3Itjx+Cp(70;};lEPs0EXorK{(h3psx#9v^z`gbsZ zn)(4l{BQ{JuXKNxwW6Q)=Y(e@OE*uaH>O~^a3X8{h5*QVR@Mq9{>v+!5DxU`pdcsx zIVj0b2_Kk3zy&!G&Ed>XBrc#JCxgwoUo8_fx$|eBe}-_!{stueE6qGZCCA|$l=?@U zb}iuhcK+9C|1LaW{t6hV6M-|3*gPXk17|q7an4|OybADxzXJ8#xzmVUJVPnhPuqzz zXcH%(_+MZLuY%z7{1qZVMV&B|qFY94E~_+bPZx-+p2@6g^Ke2b2fS63#$9 z2kz5zAPR^TR3S^+%%NIHtSyZK%h{k(&eS0sTI1JpomHBTZn zc$|otS!Xy>TK=3l0YWj`0i#Jk!Upmv97lgmF$4=V#s-bLvrb|=WdLLD4B3B*4q zJ1!^?fAO~eyjuTvYyaQm_M1lpC(H2S=sE|9m%j(Y2{I4{aOflq|D5a?2J&BFI9*|Z z#{vIdQUC99`^_VQlVx~u^fquR1y+uK9n=9HX}c&2a83t++fM!~fSyrI{>zo_ao7gS z;veDZlyLBaLGV1_L_P+W(mV-Yn0`N$KW`J{A0^(xmPwY;RfhVTm(8(zGBBcQXO#gQ z6qKbG{ixV`f3qx&|IM=0;5X~_?cc1!qXyu$_RnWZKxGYR2B_|V?@fSO{`fo2o4;GH zoBn3K{<{k%{k?@)4HTaGCi(C7$N&91-Gfe9_pJ%iQ3#B^{9t|A5#qGd87|-C8>BPh z4xQdOSgE*Pe7Mi(zJKs^AG$+Y@pO0ds4S={wGFnr+!T&E3jD$>DQt&@lnWE`P6t9= zaS$CRSOJ@Eg6)kRSwoHvc1VS+gxn5VFyn-t?jMc;ESMPXB0YpKL@fKt#dTD0=0(H zt_469?;Ru_w#n;M?4|Ai6YPwQ?wx-Og9*jLzP8cKl2S*-wdFt$APXy`Tcbh+?ywom z6^NtzGo2EMAT&US%LTd>xdM6U2HUzet^+w3f=+A+!7hG{gY9z*LDxEkU^$MY?)&@k zki(fqN7&|E8!Q^OJJtr7jD~D3>p%}PcP3JEAW5)QM;(}eeuK>`A(&!f9E|0An|m*8 zwrvuE2@x!Zoqqyj5qjzdn+Vc@6*sq~0>7(luDt^}Ooc>-Lw4IpA&1@W(3)__{*=yP zulq*CxWuL2pjC0`rBSy9=u-Fj!$V~qQfN&t43>Gc+cN6DKX<_5zE7a$EYJwUcRLcg z4zZxsk>_%SZq{th#X(?uq_g3WTvu3)yv}wGY<2~@3f=eLm}!d>EOuWTt`CZX?&Szo z96(9kpdrvhJLv9MJTOa#e4k*;mHztbkgKEj-f z!kjz8L}~G*go)^HkoCiYEB1oN-6hQg4OfLIxk=Yog^~(bcIsgG8>P?D=~+T067huq``e=sKRc2l&2URZk-lFJaTM>e`t5m zdg8++K4VxcFx(G+W_z@xU?t|rkr_TL4IkErmifS1lU-*PA$F#tJO?We1{_(aJXc5g}-3s!J*^z0Y_#iALbI@HCU`KoaFf)%i~{10KEcg{J9Oa;q#rw1L(hqeAmBn1EX@QTy7iVYE@y9e!$^5#x6#x-KT@kV49b6&y?VRgTi|nnk96 zG56JezgLSg5)R~)d`holB^z1`3~BT~a&Y$h#VpFmJCM`zDZP!AY;3)0M3eB5L#5v@ 
zYfa2s73AlB}i!IWwP9c`h!zqT;<$KL&1PS+|&X>1&okJHf~Iln0C;E=+{hxIO&u1zk< z*mxixXRSYSe^J!UAw`G}>wPR;yBwv7F<}7?)__qN_RC^!k^#RfOEP{AjrFCendiwoIQ}V{JP{jxQuN zcCJ(If|)UDA&%cbq&RR@kweNozL50Txh^>`Gvm93IOzkCs!O6-4k@a9A(^pr-EtSq zx%<2yd@eWbkrOpH&M3s`ABePC68+?m@_;WSJJz&UuGZXmz7S_`Aku9~w9+9(moFqY z*0fJf)WVp)2!~)0oaUF~<@Qj?-ZD3C5I)Qe3Ky(N43uz$8}tg8y(PK&|kHXXp{ zMwWr+ItRh$oXf!Htik7gdg6bY_^mxChB#b|uYed`gFD#PqhMnV`TvugnlaG$$;%?|!N0 zrfm)sKg)Cy)Ih)xpn;SSaPc>7f1TBkumoH@1-STsjabPJRI6F`nVd=C7#M(JxGjPh z1cAi+c_6XSHi$tzDDzPtDD&?TbAiMy({>PmlLdV~z)98!;FSMCrlYW5H3b-C00ID4 zC~%+eL#0TmAKi_TQOZ)TXgpbf^k`ffXiYo*9Qdi5-VBa5$^Zn%T{o~hR}YS!*}Vu4 zoI=3+|NWZ=*nl+ukGoGRxcstPQrLl?Xs{5}i3a5EOaSF(iuzZ&2U`&UpM$HQLJm0L ztqQz-9NBg432=`l_1gBfIY&Cnx*>%3%|5&Q_5$$7rXfW5&Hg?46tOpl`tm?D4tHT^ zit4)d6l}x6_Fob1UtQ^6%<$k{Hc-g_s+-3|Us}|McU4PM#{XeQ;gjlstD zd=pW0c1wb}|J(p$X;H-gWcMNn+LCT5mwz^iOfO&w&%rqzSV0sqQp^FItL!cDwD{mc z{2(rR0TScEiOE4?O;M28A0T#%COT`_-VzJs!IWSQ@DKwh{4aR?PZP5sa+J*i2syapie+sL*?^C)z{i(?@r#|RApJlFD2gU1ifJY&x1~xK z_c9yM7Qs2Pt5BgL@H0^f@b?&aQny5a0+6 zILUEy-`T??t$?jX2dzL3)(5Re4~yeSr)x-|yZdpFr~6~!u(^dn*l;R~j^NS6g3i&} zQ5kTycenxB->-SPGuIiupmR7c?>+%>g-xZBR_tx=)f}uq4%d(FxF0NG#tFLb9WK{| zTSNB7hI`##LXK8*R)7zBdk-dhgZ6vnb%YitHfwz2AT#rc?vv~L2{MrV8TmNaSh)3v z!!p=q1?lq_a1js?E+JToTv8{CtC+aKhky{&gor=^j6ShoakREIw=*#^vbST=u{E-= zV}bv{#{9(6f*JgK$<^F$;#Sy{PCBjF3OA+Yo=OQH4*@}UHy??j!0=#yKIyddMNwhw zM#?I3NuE%M+X_-;xc0S=vFQte0cm$NyJ~n5F2x-10;h%9w*4kb1BKa(m^v>%7m&I= z;FjGIdQ+QXt|EERs+{3v9G1dtcph^>WXVG18CP>2>Z|-fb~#S3OfAkJX~Vm7vV}AOPz!)#4i~gm{-1 z3^EZK2!;mh(EJzYKFj^chgw!PFVMt9& zu<4;fr0)U6cEzrr(5+kFd!AfOT7H9No{=GrD^1sf+{2k|Y_?S~gPEVPB|c+@#GMYA z(8HuPM44WC~`EQ9zX6*`T}uxjK``^wj7w3ipP@Oo((d;7YbTY_qq ztS3+%uQH%2nSDawdjc^WHn-8X%m1i%8I>jR*#?Dm*B(+6o?wPdv7SW2mGwkpi7U)+ zEk#u(@}K#8ehHFZvd&dOdeVGtNAvo&y1Tb#jSTjYTGUsAprMX17cl(*Cxvb`Sd-A!hb`>8z+WAnUCo;*Lfqna926!MtkkrrK z??%joYn{!QayzA?ix4 z7%-B&4d(~)P?7WyL&-~{vy$r+akW;sHynwscn6W@C$&xrr|7~IKkasi-rDg0P1=t4bW8q8Ef+1E`LR&+iwaC<*S&h+<1^s_dUI=ErI 
ziDW#B7h1+Vs)zYNGgM(^y}+!&ll7hhN*7u?yaN?AMeg<*p_Q%A1kZ$t@*k zdrVF_k%vbcBJ)TPn-b zLt~RuvT6Ab`|9n`5^W@Nxk+ee4^0|vFy$`2RtVl*3!Mn2Tx4ml07{tVhc9_;`h#x~h`Z*vy57(}2O2R6zjeb>;FZw})>|Me_$3v4=yKBteZ%J47 zw278Ugs5*u8Vcn|vu4rvXVI}9;h- z`M4sKDBVtm@%^(k1OEDALX`tiR>+LP*IleAsq4+Td7C|T--lu`5D!h6uJNXFd|n>G zo+9`tCl(*2k*bPdm(!p-PhuyW&m~_?b!4y3lsFmi33q^Rnz;V{{P)`UMD9*JITV#0 zHng=1)BQK?=x!;9Jg}W^6j&{to3K)pZK>`jzP~?1|r5 zQ&m}pYw30mcY75Z7abnLkYWzVf7XrE~eWqPcvRVDdpv93)~|^l7aLE%~O0iY-K)SKM^XSw%X| zWGRRh6~}>16s)!>FWU-Nq$2smG|c#PC!C8_#9DE##7#*~O<}aL^9$_RL9j z2s~$ofd2+drn5DdpPVK&gaw8lm?P7qVrr47gpDCIzm|k>2Xa%T$D1!UN2-4^OKj&I zX+s~yZUsB=d%V0|!d?koS7wuMuTxytIyzsGxjG->J_*pDdD)$D8(#(rFZABuVr}=GtINNU)}2o(WT)Rw8?keCR5LE zQ7WD<*iM~ezbGT;%j~c-CGlMQ&L>XlFuubDLo_% zKlo2i;AB&JPFMBbKTPXFRoC@1y-Su%sr@>VRK)olzT4z1lJ2fz__b$aqFTHgtm>7m z70i?hDnU7tOpBO3o*tZPWE|=*N=!arr!*I*Sty*JXY6_G)S@7=kF@bMsEznyrxYHu zA^rE~mo1r~bTruW@BA9IK0QpsI`TxBtW~m)EG)9gI9R-w+UWvFRH* z7gCSTbHwkh0T-v^h;=YI=A4@=<7oN`MZ{+9N>R4H(#Q#5-=rD&CV%wAp@uP`xgXn& zvty&-ZvP&?N&Xu9GPA>i`t!ncD!hi^dNh&8GwCncoEgdl)mrW5l)TqiUia-P#*6el zQp!+yE_+XA?)+z>t-O%S2UQF^ehWg)?ii3(e8v`Y|IJr?nmgS+@78kxD( zgn|>l1hp>tJaM=l)Kr~leM63a<<%_@79Kl4)`m+()=d{6drMt(500ol?qCaLa|`f4 zb=BI%5~_;nd+@A#haDXW=C=Yt;5Jv$E9CI@i$~4(CaA_JpB1_AU`$UZNnSGutvht* zL%p0Hk9r|~YIICL zp&B!UzDwj)eNB*3tZI$xYw1^?tG~6NWi^|A9!_>b=gBWW^jdg(gZr)pkhu)24Md#X}79{LJFsPIyTqG*@QWBANuzCsuvHn zqEi}7=e&Uj+YdgqF3L6pF_q(E3w_+wmpq*9@F!bKWM%QG4XRianSUL$Z!D>NDB0{! 
z^OAJy30qQeC26Zyt)Ce2tNI(&RYMeOs|J{Cu}v=TaNi~BvMZ~%c3~?On^{{WYK`s~ zV0MgY>mkb!&8YgnQ}Maibn$yBVqnAL(UtD%He&zCRU}GfH^#};<}kTt2bPt%+Iqj& zxEYe4jnmY+rA+8L=qL(Rsazw!w_AB$_!{(n)A60-2TIBdZWfc>ZiHCbRF}uIOMB=drDw!!IN$3| zKStzN$4}48;2CeW&TM?m-)UeC5#qmB%kp7$u^<0l^K4Y;jgN8Fe$#i+Q%$pNA`^m0 zKFJ5{mt^!bPT8taQ6hJ+qM%-x8Tb+-yno&=7KbW|dDLdUTBG5!I*kY)TeLLrRjUs0 zP3o+ELW5Pya;2B0OQ_du$ZgB-!&jG*1TZ9NGHnyhl}bs>|5tseoOO{Bj&RLG{`y;*N#f_m~E8(k>kzTu)HYaxat5<5dtw3fY%*APi?m)~)#iOh5anF;AZlqoaQ zKzSK2-SZFppL-a^xarwtWr;ZOV~FoxoasN9b+)#-n7cwHMs7G;A9d@_gO6DFLZ~ij zm7ylEt0KuJh>clDNzT+8!LSAsSy5@OY86hlbeRz8LA3ZyDWKZusU3Eh)*MoD9{D%;saQ!cuSBZ8MZz8-OO(Z^W7+5DtvkHUc(XN(`LdF0x_xf>c!4NBs`^SG z^3cId&A4b#;K*lP5q&XU?K&%FtIj~ACv>lG-qx)0>0}-;Jo&pEP(m)SGL%HfoQm?oz(aB2{3Kt|Xkec*^aLqVXy{ zyw^`l`AAouU{ld#Jl6M{F`L?^ft1##Du3$Q5uw1cOVAs=$VTJifNSH3=siL2smZ2X zIFk45vsiK0o^DSGCFz@}2Yp4=HI5I%WjV3e5yM`0bUUGW=d@Kp)uK}GA$-TnyyfAl zpTyjCi?<=-wxoeDkDaP*A59N;ofQIZjOFt|B5PCrX;CvXhEmS4@%FTJf_pv(k0jo5 zjmE@BZL__}vMvkh8H{*4%Of(kKw{xKo-#ugX*@DR^bRJ1*A3IS!lJF~pruj#MSoMy z7Hx08?r@ro@nT01^}NzNBN~lgFsV~C`P*c=Vx-sVF_p`bD~Un|P9GwbQt{#+mmQRw zT`Rf#4&8byl7Ua0lt(6}Pv;85@WAMXVPqyt>4HVVd>`)$kBHQA=d*|A9nO)$N0LEoy$UMreC82DBCVUA_~ zB~I+G@niLbG!9x<{DgM{=&24PW4lZpIftF!N#_ zMTkgDoL)f!~kM7+t!{Q?*oDZ`x&57+a-m#&V4w|-e-AJCqRb^#_N(%~G z*0w%polB()yqQK(|B7^MNE53}j4aQESfYE|)KdR`2zP~ruNi)%5&mWCT>B18M3hKU zf}ye_Bb9jn)uw`#@-pG-35m&Vqen6rc2B|{bi~9z+n?HGoIykSR-Y{R=G(gvzNR=8 z%3E%=3+o>!r_ngS*<8Xalp|$|8D|Q!-hy1OWj>K)mm zXSW=`o8sQ}sh+3E+bs{n=)ip*|7m|=$2NjPSq(F`TW)jN!3b~oa@J_6zHm0$R!5xm zG>5X-3O0%-qu4BOhtUSP<*Xfg9aMqH^a6XAtk95U&1DQH^Y9B_g0RZNZ2M#4o%f6g zzcdrvjgw#OrW+>kp!QgsxW!_5mBX0U4Vq!8GL4qpPEf28$?+CAODUqa^SQSmVY|SW z%%Zj(KY!s1xGC|tEfB&YaTfvMvj`a9s?Q`-A5{?Qh zbAijMkL7eQuVLWYEtgO0GR;^RN(MkYF(S!2EH|dJyr!IjN=Vh`7TP6}=k8=M*-__M z_n$+4_EM=aN=IfL>U|L2ENN&R!02p9Ms$l=!NsT{DmLtXFxv5Ct@2n)LZu*T>wDkU(jPQ8v!4uL4u7Upcdo@~bB~{B<}cKIzCb7*EwPTQujwmEk3~R)ulFm$wT8Y!u0` zM+cJ>(Tp}7+XEVdQrd#sZ?VygP!={t%$i*ix6PiUwbQr%EKx!<47KLvmay>hP;opr 
za-QVyO1w@des@RJRIPy%CiC5q_>e2OE2Uy2Gmnh=Z1ln%wooR<=1WpBgtnjFw95z| z+9@1xn)Uij^c}tTi-}3F@j+cx8}4KMZtt=0!U*S4gG2`lBDt!i;vKcS4ZQ{nn z@f8=;GgT0&C_Blx-KcqZnQdCBgExw!)oZilb@t<%0Z{_#fnu`cQ?;>}G^VrSd^`>t zl$KMfw)u6lSOEbz1_BPq=o*7-1RKN$6t#@s@xs&<=0x;)I-U$hdQ1rOF$9 zy<)@vdQ$Os{@%Wg2~qoVVYA~Cm8&f$*p^+5)*`J=jV;A(tt zj56+?wB2R<3D3F9ah(OeE)7?MM6LlUZkC23>6fR17xvt(sGqZH*R2GYmT#n^0 zh8$*&9yAr%6XJxKy?jL?fdA+(S4e@#tf-+RWfR;6Kg<1AXg)%0Blbtxd4bm=N&Ec9mz!p@;Gx5fl;b zTD9+C#pNdji}Yuz$l{PuIMn0{RVj8#TfJ&+&ntMOO2c*ei*>uv2oKE~D>kLA+pF26 zjybg~Mr9fao$(cB3&F|wDg>ay@*Roqy2QG8|B?NL(nXA%0YC1WpKtSj2*nXgSA?WD z7b8k3o5ai$PCUkZAdbUx{ZO*IV=b4yUR934;A2C?C6$Mv9ro?JK6;LxZx-AGm>6j~ z<;f@OOYin?;+=zzaC6?Y%xA4U>L}C5xFIf$I9XpVC#N?Al?Bl+ulO=E`C5#p} z_e;gY-OEy%(t%AJ0z2;wV1s`J$LpO|Ep+Tnoxb;ObEQdx8}c`q-4GHMwh* zitjVtR-j6ceWVImo4C(XVjAsW-*m5!por*}DK6=%?3l^>7v};!?UH<6hAt0O8*1V* zq>uOT)QBUosH2amK8q#Zx+yx0OeSHAzZ;T$AK%A2(w^i?$9oA+QXZEENqanvOX#I! z3a&4LucN!kEK?_e_egw=^>EM|9+X_B?AhM7CUf|8x+zx3vib1SyYTH|vW-x8x+mBdd# zq5M=_dlhn7N55}mY|)8PEMDH+ato!OUt zVu@Qn+4&j}lErn4ZTjf7`6_)qXXYU=C%mj3(_fu?P(zS^Ak5&cm-&LDGEwohX$gJ6 zm+O(kZcARlQx9+DSiGuTM6ZEjvlRAe+dLYQGSpexsG1rgJaC-eIKQp zby2~_>=I&JK(aF$k&69CHu;Z>g%_SKg*PhDS;vG+0x8Ih4}$DhtJ%f@&w)7wBla%c zVAegGViEO%p6RvA8|aFKCNhWkeetIAi0{|zz68mVR2N3y@8ff4&3~jCVbR5mFDIQe zPz4jgKoF`E?bZC0=9o45+=%Ao`Ag+&v(B}_!MirmHI5TX0WI9a_IiX@BU}#@;`FL%{EKBt) zisUQKISMV=`dmy;mA-QB!z+oellx0FHh^_ge5U4gdpdcmw0ylsa;cHXhv`aSA~9F{ z`$)!^x%*PrQq<`3GmHv*Os}X@qYz|1M8SPh#?;A4yoay;c*&l!V(?}89WuoY3eI{( z%;Ap?=32Ql=#S!L!avRhpb_#5A=?x4-}UmZ2;j}NwJ3PYC#i-i{@m!R|ImXJY-q0h zMMS=SYAD-47;7dUJqM+v+@VRrV_VeuWz(CPtcXTLNVVaj&3-%rq-@#7spC;8DM-@D zqc*Lys}rhN{zQpQh4XY&DC_rd&6A@amp$qe=qUO;>_6}Au5*rmR!DQ*vKECaD_i&(RFg@zMCu>BT zX>AmmwCa&2K&MwBGvdscHzue$u-BnwcBSa!-hG==Ds+^0q<+r#oS54=GV@+b8)2Bu zW}Tl2@%qBxYVG11E&4S`G{B*$)))8buHjp64ch`s~)>T?dKACBi2{etu-`HmNS@gp};k0W(l&a=ZW|7bIc1S<|O< zu9L*rU1glOlwgY(CKVp(l;B~TzzdOD(=2>rdL8jxST@bc?Y<`^Z$0`xQYIEJwZ@ 
zgzrb#arIU(x`h#$?6u0raR{tgsLP?7n+4C2o266|o^vZw%GYk7LKuHWsS3&k=m^CXELx<%N3f6*~*LT_zE|ZGlJWek$7~MzlrH zmv&!b*LArr(m%E6@C)_f@*ruV>adyNVG*ehT7OW>s+acWdV|k{7+j7d?`{H=H>6`F z&Gs7xw{1GLay*1@S<~!)^(siesx}{P8X0}{We_JD#vPxJa}tZIfg5Eq8rXP3cMCW^ z+%k<8t{laLdYPCUUc#EXKg&ThMBJ+Hq5YDcN8#epvw7)IB73D7WQ)95Jo_imhpU-a z{ViWGDC!Ll`b))e(`zNB_l4yqFVs=Wl;~nkz~7%kw1++lz5r3%|_}u8NrZR zP`SUa&(0uImJi~GEkX`HnNY^cr?S(%8<{RyCO5=i@GZz~kV7u;4UbX-j)Dc$Sd60zM1 ze$eLnevrnqRG{Hn?04-c%==HT-+J^=Nu9237xKBR%vq@6Ih7x>h{sy~j6)C7_qP!h z2wJJgYV}dXNNyMzor&M&#%2p!V(GgFGS*V~h*Gl-k^^x3St#fLJyY<(`seQ!$Z4zCHmnI{f+mS*ONUuUZL zwgeN#c_^XnqJH>Ik&;#8SHd?3xNqmBm{>-qG!7)!(kLcYOK6WF44Nnth!eGA`Y?Qa zdHs@`#X_1Rw$gGj%DZ+g^aMuzsdB-3jV(9 z^idm&Sg3l-#hj4U@hE8a{dESCM{kj(43pQc?e5cyToapFz-a$I7vxXKoF!B#+HkY_ zqjB2GuzZ*tY59UoI4wUiTBE>K8UY6vHk)M;xvu+;aqP;Yf;2BV1&IvPA>vNt_+}P~ zPvkYxH!n7c;(fYD)qd`7_(E8`{&v-&W#j;MxrEwtpUa#Nvq!E3@#G3h*dsm9L|WyU zw6?#BBto*pk&w}GXVZVqgmmCRrbcRn6*6g-Sr*68rNx6gEAfXf?qcM3X33hXSTKz- ziF{ZrYE;N(GI{lhu-kFy}#@^CG-Gq|-tx5b{u`f{b}4k&>mk zmWU={XYBA98;Kij-_`p_aUAEp(?mXTeF#ooWm9f@*NPu(g)~}PuzYE4RZ`*bNt5Br z+$Wo_ER}?Esv6C zU6T+({x6)X1$T0mUw`rLaBBW3Aj zlm_9}S*Vs;LGd=CBgTgN=OWp2XGYczX?qp-0xQ1soJyu z?C06Fx_kHPwN`gWO^>yi(v5hPDzrwL6(X6oC^bQJ`)s^P?rRl??bEvjIfAv7+W2lE zBj_HM&2MO~#jqXdbL*$cAm$rp*|b7Ce@M}!u=O_le6SuXNMk`K-t4_t|B))YDRZ19 z6eIn&Ul*Iw;JO8EAN`4Hr7c%w`DJmg@YeQJRu|9%WZ$IW%-Ykz!wE_PRv61jR&ty4 z{hm?$+*oEbIKo0r_!04v68U^T=WX+ zvq@><@uK+|z>>yG zGL5pnzEAK>%IRW$ICysijoNhm$Sk$pt)7oYX-_}e@YB~Xa?F+vy$&3)ucG>O zB#wUPE?XJB!dQzKo-f2#Pd?ONmIGUqv`@hO%(klTg3w^YeFr|T15I>x`C^DQI)h_;FaM|R z#6jk6xL{4&GQ1{evHpYSQR}$qlMlhQQ`yqwX!IU<~9BVD2|x&Iu=C!O-Y0D{NRLLf$k?I$2_?bXa_pXVZ;AQ%(r+v3AWTgwvkX<@kaAJnk6&JJM1w}N}6)CBx zlf~AMj$crtY@gw-o6N1lTo*}VXKNt9Q zzVZ<_Ov&eIN|L7OjRmrsY~qYkZq*nCpZ|LYl%=BDVJdyy>IcNJl~mQ>JQdEP*3?z>c>KOr zSs5&(wAd;{OSx4U{(T?Jm}AI}4pE5?sU#VU#ez^EP1ytSlH?ZdmXz8OMro$f@Xpn{ z%gb>xfGr+mUOGR6c+sI&Li3$+RJTv4%CAPhJlEHFEqW-_he$Mp-Ni)5AM`GT{;ER+ zY4D>uKNKLplhttKQ^d@RBNj-0eq_!fj1%vU)d7U7&%mm$4s;a1i7R8-iBlg_Lb->h 
zDsoU}DiVZuX_r7H^e!kvsuWl*m0vNKhu7Dim~guUWTkAd^wcz?RwPx)xy4+i{_G~p9 zZiWG{msGFSo5$qKW{KR8as+w1==Z@$rlGDAoAAh#ZwZ)s!Zl+d!zqDoK?x{sDJ`V! z;qEH&Vn;&?#o~P8_11a|6^lV?j@; z4eg`}Cz9I`11f!K^`2{p_XInI5AA1rac`4uFn{<$&S6|0u3gQa1K%J~aRD_9k#V}_I z_>^;0`>i!18cNcALiXwIgd{G~otn*?Q{BTySPo9wqZq7NwEC`%KWM!An+4%yGI1vF+;t&PRil`?Iy+DK^tn?6@M^OMA?Z8lAI%j#)t^=(0 zzM?fEI66(oM?$w5qk&P==^L!rf{yr%{mfcL?&mWq)aK>euTHEUG@{feMi}+000bq1 zbJ5LpqulycjG5>DM61o`_hUybE@QyW#@j%U0DC{h3I4%+Yoyev4RfNtR7v{^M`Bgh z^b9CLy=pd!xWLvqMI4m=d*ZKCvTKjv)<*EJEX{!pRx@?w(YD8k!8r^@7qviCu&6xF zZ$YtbZP)ki{KUBgnRmc3Z@KChbjJktBp7eRfOT36rD1VH`TbG1-n#PZ* z`N_yF#Ws1}w4jw?)u7~Ac*iI8bxFUy!$EW4e0`ApAsNYpWK2+OVaD6aRoP5;XsA+# zYu6*#s5H7yqY&R83+r95e{lj{(EBQ?kE|w$6F6VXUjr*B4$AyZ1~_QQq;#JlQWZls z-?tm!KTv05=XRJCd$rCn^l{nRM07YKcoseqIK^EGikVKC(FQDYOw&4pI1HoOi!c7l zZb*=JQwdEO(psvE$MTZUL&BD@U^_Kjs7E|(Jtr$UWe4l8rBk&c1xbz-Y2YScQH%I; zSs*AmjIxp=gMB%&?eCfCdly6 zkSb)dc1HHZ;o~Bb;OLFsV2p6*TEYbp8w?|!=4nYl2$#~L{uVaOC;HLZh(}Ar~kKpj^ z4`P1XT_vX`{1s?7$~8oos(auRQV%|^O;F=<1h+}6hN8!ZBjc%TlFI5nVKz?+E+Qmn z5vkq@7^o0AyHRHK3JQTrBy}OF0h<1d?juU{^Gyj#@jSlCB(0tyr;0QgV2Y7=)zYuE zl-JOsFLq-ubcWUh2-PU!g9*WEZA1$b90DQCTgoDEtzbRpuP5W#5AEs?66SG zUB1@mNF5Zn*lfgl1>9}oO;RRf3_;pfv5{Q^-AwJfe!rjc)B;ZOX;Z~~Y*2qQ6m%NF(+i^s>7>J%<@pMZIF2A{^hiX1BWUFCEJ{qC^O0l^eAOyhAn7cE~!T#`~RhfQv7plr;wh4)_!< zI2Z71nu+aU4$+Qkc7g&?ZY>#-xba8U7=InGpzGigH5hbuM_$lKt2$bNhLHe^X$d+|UUoJl!GB+pU%t5k4SBEj=*M=gO`*>E>w?hptOXVR|r}* z%WchBaZD@|G)Yjam6s~t(MjnB7N!BjU|f9 z4mKYSlJ?|Ft3d|sM5>9eAe0T&Zw5v0Yri~08))gb-AMK;hH7Ssz|h61{ed()6ohgS zrD}i3M_7cQub)eGbVukD7c}Hg7GKJ1KA% zd9BekdwBlJo|8TE16|nALE)TW?;S#l8mL8S?d;HZVMTEJILT`iM~&#p7xxtjQz$>I z2^9|5wgj8&PG(#-90%F98gXD1kjy4^wbSg7MYDt@X|qHz#4H!G1zY=vOlY9#)O=;^!q98uZA7 z(?)9+;2%yK7D}2m3oMPX`6S|@d)wry!n#ASN|!yng($sMjf(edIdc?%bNEM8qNE@e zR)n^eu`6+V-8dz>9>A0}QDPVIu%HroM{4l-)YKG;0RUv@A9wl+>zLWxj%zlL`%tB8 z2-9<)2nf0YA!4lRZiq(AQs^8)Vz*kem3*n<4-y}V!M+bKIiuumy|QBy+kUc5 z`KmnU4(Rl{;Om3*aXxyQD%DVYoD3i9^maJBt}0l}>N!06sh3=aI!9%x$ktHm%rWy! 
z)%ln~#=HKd7cIw1He*oo+h<~lWH&)pH7*oz;VT;*w8ZKcr2DZ68Ly3y3`m0N1yW~H%RLb`P!?wG2-63rC8ZcZ|C#^lH@%4yc5Iyf$pbhOBj62Wq zz!4yU%R`u7%!RX0BkC)TJ;XIr1y;ESL|NEJ#vNBfC?$ls9IKuVKYEpfCnB;)$1d_5 zO7%ZdYCd1idZ>BVp~Jl;)ou?ajzrSN1hj=9o`--^EB*6H@mqW`-SbT4jh>;zi1*Kt zg({kKB%t+p8DwGrS?Z+sT|i(fOR|z^t(!x(MK4hLp+ABaDi4 z{k>@AhQnwWH^Gah#yYdF^^^?2HW1o8;}bJc>6rNNnNxdV=}*ggy{@ zp$GNkdOc?9?kTV~3Dr-qu@fOTn>*ty@ErRknQ$T3^N9BJ0Jjlxz$EWT-?y_N6OlA% z&(zXonrY`&xo;=bXL9gqD);ut)~1u-9LY`5X^W4~M9^!ThQQ8V$QjGO6ic~l!rR$S zwVKn67%lA7;>Z=S%WsiW0&rC;zGS?5u*Drdt7&g~zO>>sJls99e1Ex1`Lu$q#&QIw zF*NJ_Qg43@+4|jxNkU_6^knk9OSbU=tNtZPWX?G+Yv~+gJhw9fdT?yc881Jk`GGs& zEVZvcM${`{aPwynN`SbCn_{dluYI;^>&CNf$JkZ*oGI%t9oquj&cSq5SYkpQgCtz1 z)R8`kw@BNju^H~~Uq5c-4TWtph$s}ZD~v5KOPBV3C!SO_LknVH(~{2dm}8uE$!%T21r(ACFHVdA3FPHUY(sZ$By5{QR=$S zB$n2;$I;`sM@XhYUXfU=*D?}1RaWh-6rmFJSO4tS2kjYsR0d{SACq2hgE^v9G0nM)s~ZSylR40bt2 zHSF0nkW4F3yBbPAW)(KFMZd=9@Wy3(0c+@4KlbqBZ&ts)yaN8az}AnQz7Pc(05CuX z0Py~=0^7e!YuW!QtxeKYcHE>vdwCzpKh-4pj-2X~^;n^ed^uOmg=9Buj< zN?+m;!P(*xfjCBki$g-i$652s^q0N`rID`^i`9JH=;?^Ywx-Q)3j}2c#2E7p)->pT zah(qnFxVoV?|7Cj_O;5GCT%{5fCrQEu&nU_>fF&cQf2Ek&{7|~uvkRp9=W5Lx>_2V zms&;@TXbx6r#9WZdd|~zYgAfKM=~%gQH|*9&1L<_D2I1t2@dI{lu$o;ta%GTxMKEw z)c7rXb+?**_9~WmD5-8qEkTOjnQ8Yrl%bB;vb^izit`w2P&n@2rJH3w zx=cn)202Pk(*v#!J=?^_Vt*BXjJ@%kfcjZcjyi;joG5TR zSP;0|p;}74K_`CwtBM68B+1^%NQ$%oUfz(XAP}|$qj4AeG?aw+WJJY96h1Q!pgqng zQk$o3CyZ5O9!+KVo7#{+(^n!r0nIV)n#S+|la-VPp)Qjc@x|uu>SH`drWqCRho@&^ zeD1tGL37|lk>HoUy6?)#J2q0;xC`45jf?kejUkXP8Kj>xT&$-kw-r@9>z7K*z<82) zepO)NLCneFo3nkh{3{?!HzW1iX>u3aLK&Khca>(5YBumek)k4tg$*Kv z*G)qTdgKOjv=);>WQrt+pIOBPZ{0AWeK;7~InjL;I)uBn%8!^d`s&t1Rq}Dh-s=Z? 
zs^7QliMIKVr@G0A^I2)pTBq7M9&1m_*w4X%UV9Y|!cN;!f)tR4;)Vu+6X@tJj3yHC z-)SK~K;96m0?i<@;&Y;DcdFGe{1ZfCSq8eltbT96^@>F9zkU9xYRD*bN9FQL;=TQi znlON&1{%u~f=M@|%3iq1a?^}#Sg-rBZbjGX&X%&iF6WdfsW$8U*j5JoQC80F(D4?V zJ8UUJ+tH#I_uFlX1nG-22=L`1< zltqlZ*u!}y7>!yQrMcM%4+|^t6DHWh${4JQ%LrC@L#uB{#%qL->C()^8&D`jT}xMz zxgr8-(thv~k6fFozbJ53hv%;8%!f;7n$*q$S(|**ipIH16BFDd>^tvxTyL2Rfb#x9eVB@i3T_u`53gH8N>Qi zrTx`0;4I&o>JS`U81l_7=#U`cUN?Kx^y{)=eZ3VSRyQ&3FUfXfjnGkh5g<=tMx#- z9o0pSRz6ixb_MgMcD*CQ^nO*L=WGs%Wl$rzY51~@c-}L%(CLO z(BhDaa+NoI-ccNI@cY9ko^~jE47UCw3*sbCn`uE^<8aZ=<2jbC{aQ7g%Z+N?<4VXa z5$HF<`c<{)^a$z$*XfPb%3*ig;_1QBt&sL&VXr?=*TOx(dV#I#i^a0*C6bl%lWKk9#n@rr~cf z;z>P`gg>--mGj=NGU+N(xe5y#bnlyeVnv&Gr4fS?t z8|ztgKs##vlmuVGj!Vs<8kMM{T^8mMQu89QBt7*zCHX!WD7kU)egyR66pUq-*!Mc^ zYbE<4Q^1mG-*7Rzc&apry*x;_q`}9jl(Nmh@;lzIe6q##;J5fYWY6J?kmyaysiyR> z!Dq6tAxpFj3)!%hB+=^6GJH65AfoN+vgxaHn4kMwPPE2RTerwA(Wf76c(^kZPRDyA zQo~*aZnRj7n)z&-EkjefgKL{qcxTIYh3%!e29!JDSy65{j628hXHcnVU!nfn6*fs7 zhIhTWKpaQ_0P*equMQ=D_a(`Sm$QLnLlUXNF#RN7(g(>_K3^>sir5^so0rxXXWVyn z6E)vOW{xiRnw`y5h02-ZLgctuVEu!&Pj5kks{&AKMQ@mGpR2{dB`3lJ;*1@?o=0Qc zxuhOo>b03|l6QQPxk89LY;~+Rbw$9shPbQjO{bI<(^;_h<&b;*wKRq>ot{-ye)Lqt zbyhfXc}*6ZDIy7ziHUW_Gp-j{0Z(IF zeGl{B19jL-wk(1G02rVE0Mvi^{J$Er7}?rd{pIzeR2FR(S&^QxmEMgP&4jtaWAwoW zp7((LiE&q|8c}VL~@?l>=aj<%#%MvKgNYl zdWTW>mvFWNkFSS}-^LWX0hPf^*v|HmSRfa_(sPahP1QS6@)07S+|7FiNY`KR9ej)2 z<~Qx>Ym)pmdACjim{W_c)F6JkE378?eO)$dNk6NN1YKjgW?i;wMf^s+hBeybh4;q` zWR_|aIg(Hm9b0_g*1dTd@>oa}56|NtMT)FFL+lOCL~_v#b1ybF>L>ca3n>c@f{%i_ zHk0tK_Q5?%A{za|*wNn4Ge+4J{)ZJRn&h`ro=tk0NW{YG=eYl^(=r1G=K42XM!gv? 
z!M}9+FZ=zUn*H0B`{NZ50$9-`t1uh@QeXFTi_2`5a9Gfsp1S)2M-mT?-?sum5jOc{ zX9@$4B=YgJmi<}8#m7Wp6MKFt3+&(zfFvdY2|s7v5uS!?$#WtvD8;09OSBEvHosL4 zljNhc+*G0$(R%0Qq`T_v;kB+$U1yCQML2NvqImw@19QS2r{|`<&hMhMnVldryaj{(Gzi>x5dQZ}w~W7Pnx& zja667*2c-y#_5xqyPc_{{$DoSuQsgM%Zm1tG%&~DvhN3F`3of>B2_t z;no^M2VU(hXWc#w`}AnU?dQeCH5x?SsCG<{dFV!fiWc`8=MY-AV*$#b#l~vAx^haz zioedt?rkYjc9*K6V2Bpe9Plu!;HYHtD`z(@g`Y&6V04#385+N&m8^oErpG5Q)j?rw zDpwRdYxzEWDDlEkS)>9|?C2;K59vX**so5xX2*Di{AIByI6#9P-c9!D26_;}_NaYC zU#f`aJRr8tfhtQsj)sIiauqxX3!5GhjqF0NnbYsP1PCqx#xhi(90Vj5 z)IY77B!4PMC%sAX*V~2mcK!S3`zB=oz{J)V=wNH-$nx3F?l0l~iN+g7*F^m5$v4|W z|2OpQ?hDcTKhegv4yOMbyhZ}~C=K=vP5v)+{+q!U;`xpAEg*F=H~nh*um8VWMg94H z;1r$3P7Nd=jsWZLb?|=({C>Xsv+dMB4X6HO`LkWse^?+kTOt2{npgcv_~-KcKZJhb zH-8fTvsnL=<<9{9KP(WT4}Y`#6R!UW{c}S52b%B-`9G((KY@Qv5dQ!@0Z{)I#lNSE zKf!-`qJO|Z$iKn=55M#$&!1oUKRg0ZQ2*OE50ry>v!cJ|ZbZP$n<+*@zs+xe{{ua& B#7+PJ literal 198792 zcmY)V1yEc~*EI~|3GTt&CAhoG;4(D95f6T1O&u;hz&tlZK-|*nS|HBMqfW@uODL@BV~IVTLJ zR^JrH6%c>1Ai=G5s5&>KgcIkXNC<{!wvID71=Z781>T#P#eZp%iI~Vc{GOYc-M@h{Qsz+ zwe?vB5%N`bCJStw_qCe^E$}7$d^vGT8Y6I1T*sZ36U)+kUqL3V zXU3hhnCI>WsM{ZAku5zs;>~Z!U`_k`gZ@vh&tC7C_=fa(heo-CTy1E@qDVy8l7a&f zb`*66JzWk|p9u`o8y=sty&?~h%qY7k2Zs`Wn(I#)UfP*{+^G;LmTWkDruYEALfQE3 zJoUrZ@CbqpSY^$1dqIcxl)#qh3;vE{6&>Q1XSn~@a#fPZM=5Zxh9iT3zo;ac za}z6*|NF`M*LKI+I?d3yD4*|T@Ze#N^HgW(kq4@G zsTt4%bASf);4)MoFpnG?oG%OqKQl!#$sWJRWB1t)R>cXEj=jFa;qfkgb2C200p}zi zi3o#?Zag*7qpu2W&~T-2zS3fO;S_lAAr8UJYs6J5bq*wR`0H+5m_KB^Brp%g&y#w5 zqacBnQ|Rj=Td+0b_!;Zq=Wm^o;n*C#6DNqCFz#xm9#Lv_YVz!eCOoipzu!UQV{Y-5 zN7LJ$3)KE7Z5U&wK47~Y1dZ?;QeSTvURzBC>H2K#;P57(WA35V6u@5I+)WBK6*Bfz zs_xYVDI%dJ`ir8$&CaQIa8GxH9nLk+T00e2 zK&j8|a_8@K4Vog0TPP4q>UXXQMJ;e{uVqpUq*+qrnH27ogG3pQ!e6!y9t zM>WXl@Oe0&-Lx5X)$Z$f+%8S>dA#ET19HL3@kvTQT5q2ZJG{NW`8L1^(RSZh04STK zq9znFe?cK*#z3DtV?4kYq{1jdSU@-fb08}eSlQPXB)HeDAho+;T6vmE?UvEl$iwyOsxWfBi^Rmx7-(U-`UdB|wR% zLQAqqA%O=Y->fmC$%ddN(mKyvuKeQE=fZv-+fT0YQ14z2vOpN`zD!O}VNV^rwfGdxHCT2>JR`Tm00~_ulbO^O)Z0)w==M0yG8(-{j~HVaK?Z 
zd@6tLugN+GbjsR)noZZ>eCaPSUDOvUGg17SGW}^Mcb2X6qL)edoUS&n-~Ew2EAqIQ zj)K3M)}M0A&l{C5LMr?7-Ihgq=dq_HGB;LZqqKi1a}nSgLm-%L*)TXey_6Whv4b&0 z`?d5W2PrMDrB(RQX}Pys5v|j57S-fW4oNr{=V95Lh7vgOAYx8A5k4?zYBQczp&gayB3S@J`)}QCY(++3Tm6CM3 z@2(ilD)>{7;3ze8+%*(%)96^E+G%)f&fsHKSd=+{Wkb)7uT3dGtC0JUF3SsB3 z>1*44)EjNcxyCT9lVl~JarMpt#or<6FEQ_f=2Tep3=*u^*1IZQFbYr7g686O5~1_z zIU~Fp#oK#^xN8u;H3BVqolybj=I5FAiSXeolFm(q6A}{zPOI=bqFX^Ky~QER zfVFpu`NZ{)00tzl27+eA!ec>*+#*V+?)fFb+s*NU%cMuim%fN+M-}HEVQ!X}In?!t z>l>0CheW56!a1MwAAl9V&j^k!^Vb{P6SAhuHStyI^!C+rKNbEC`{kZ{(TLhf{`|QbIIF7r{M^WS>gDeC`R?4d zk)cGhf8( zqrrOP(fz9j)Z8Y^kbWL(yj@m9az)sG)<8NDu{tch30G-W30=7eL z)Mfv+C0uaRLhL+cwE?F~p5WUOoXI$g+?bxfm46!bZ6myw3q=}Q0X(aPn2?-Zjyb+H z1*cWsCYLJuV>!oaLguPjU?JO%2K{tsDhI|3kFB9WiSdPUx53HEz#zk54hd|%4P|C) z9FH3{ubG&X0P;5jMFBT{C-$!ONlv3xB>^|lS=fxK3fj!}+$6`o_5#<7C`kdrhp1SF zOve4ppIOyynBzJ_mgZ+b=b`88-~F2;rTzDd&FA+9-bIU(t0woTAstVt%Rc3q&xmO37FO@Ixp7e{><|*(U;Qck$LaE+ zzU{tu=2)<{p$bl4tdjw{lJ#r>!V{_0&zEGR*LK%hb#Nnv4`b>VqnORPP_ zHwo=5Tr3F%QaHIF&>?8VC1}Pa=x7AH`r4~&f6dE+=5)u2q(j8%u(gHm=<(}S1&)nI zZ`1FBr{^tq11KLK*vBW%vm5RLpZJGC&zty%6Pn9qrBxd4X(67QrWT9U%bfs6`^nB# zgE}9a_z1Y?XYmJ@4aYl=^%kC!7M{NY+j((lnj{WxnVOu4Fu4d4fYG zG?nJ}Yfj^QkOT{M{Jl^uFmHDjb2B|oiBY7-U0$TuTHFyjJQ_V*Pwx&^M>Vm}W=V)^ zlt?rl#%FU+g`TkPuZ6iQ1PnYDy}whh#nU0}3Lm7CwU7`3|?cE%JD|bCwCT>oI zyf3`%NNzWxnU|P(Imkxk88b8BmyCx|CopZq>u_2|53H_Z+A0o`ticZ87X6fm_v8}` z_Z<%DGT^f3LjCL_8!ry@g9+=)IcaqC4tb2Z=W6BE^0}7`Ix>@|cO#AFkcpl;FBvK- zKE5<`#T{L$ea4sX#MCAq{nVx&Au;_AD=>1*r>S#GEF$uotw=C=p9q6LbRm9@E6B4> zLm2e3da>QvNWmJl>c1yHWI$_d!_!KZle^k(AR!H_I48-Dvian@@%6TkgD=JO#TtSW z&fDI1zapX7u+bO~;9w^bISd^~XBtYlCHetgQ+v=;Vv0*HZm<>wQs@02(asfUo=sqH zq-NcoD{}1zc71UosJ^dfN!qDH*TDRHpcRvaz}iu=)rx^^T6XbOss2kmm1!v3uQZk1 zMY3*gVf4o5&ZqrFzT8{Sr{|fdJqa$#PBq4KNH%;?Cy&~vte9hA@PN+_!36^T#kvO? 
z;l%`xmhpf%(P|N%xW4GWCxhfdHWN#ho`;XnJe{H`ej&MB%;ilm3J=4Zs`WBRi!JTvqdHbj z6tD`R(b*MbWL>=aCGvrxM|&_-1bHm#*_h z6NuQ6P4-Vbn-1tiU-FR!R9B`Z0t+357y9gS+KDQE6vWIl#aQI|FHVHQizhWpGWULt zG4vnj_BYI8ZAa=A@mj^*0)%&w{(XJs7EV{x!=^?EPgF%(P>4=xqMZexrZ>wO0mQn| z!3AJJlj)$%`wgswG-8S8&;~QgvHI=g&{EG(g&LB3>(r7#B*{))L=so7@`-le6`5cV z$bZ5O;r>`SJJPvWr$i84djmc`Uq5m5BxEC@Iqn~kIet#FlYI0P5fOU7g4PEv+at$k zCW%SAfSkGcE?T|?4RrwtdFKlw7F9cQZV{I)_5rC1pbAO=`nkrQt84JeC13m<03lXS zS`8iBhH7``D|HU3mxu~ADtRtiB!@-<b*~B3UzAwICoc+i+*`i(zG5zH6PZJ@f1e#cF|xJw3bK2FZTgwqWhw zvl~*=uHiXQBoV2ZuP;g)#P&sOo)Gp3{IPHI>xAY^mOLTN zFvz=WHVyj{1fJa8sdaK*@h(Tfb^6GZ3Ia;lMy3^=gX#wsu{;vW70kABFuF+G=p5)G z6e)fbyqD3bNG9Z;F%2hV7kCb{eh)rRA!)EOv$ftdU@bufjTVM%P5ASI6OeTSF~hfw;0et zNj^AC_(lKJBN0|KMIQCNW_2geFlK&h8fk$Z2~c$4gM>3_^$i&lFpRbYV^|fK)kIr@ z-~^vj(kSP~xn#!Ev7YU-&p_g1YwaRtx3JC7K^#o!PhGv~=fv!3ZvMHlWeA?L3BHAJ zLhv#wLZzlj>ZBljTLhvuvsO~g&oDcZDJ@Z)wq*|!MwwQ=Gaf!Mem2=ApgIfg`G38x`A^UK%Imc}-M9z(g`A zRNk?%0wK&^l_(~L66i*5XP2c<58)I=S`8aZ6nf+pDhI1#DBb#Vfptb#J?b3LW^~&C z24xhOn%4i4<`)3Ad`Z%$_hr)_(nvPu0GWB4CA$zRBN-*Tg`L-V0LN?%M3&ySKMy0h zD6fR>?h#nkWUiyo6YBL)*kP%nc}a$X=%?9zhGGm64kwkS1!UPu!WQ_KM88vn{?9L| zGP#aX#@ZQ1MNP@;#77t`OWhr1N$c`n{I`YP0aowF;}Juel(4;+>O&mDoCn8oEwpp+ zGV~g#wIxUx8gYb;gF+WEjA8B7ipl@nAg53OYeyBeyU5ivY|&8}CI~V0?LmkMhjqe0 zS|wDfIL4%$kt^{+A*D$jC;+yoF(NrX+WZ4r5_V2rxUqJzVNny;mbFQ@ag4!Db$3Es z@5GJ%)6q|ukv+vc?_y1WpxVKz#;LbE>j0v>;ZrJk^Q^}(Ea-e4DmRH7A)9Z?+`9tE z?(l0*M){8oflRK4;^L@MypD`&nk9!RVq$nAJ1%#e#idf%_X8EQ{ZK|(`h=R1$(jt? 
zVg~zNKVQqfP)*ViF>WBczt?IEucZ`J2_AfrDJ3MQk-iCV2pFWLZTTTbBI_~hB_#h{ zO5%OKQPWv9T9GNt8#R3hS7nbgnT^ceVKU5S0DjLtt&^Wt2{uhn7==Q)z+|T_QUfMe zEi(%^c9wcB%~0|3$U<3hi;cAFh}Q(meLDYu1a&}0L2Q<+VqFsQ8dGErS1~X%;uy-P zvQX|azyS=zF6H^3&gz58`hajOrRsoZ;Y5~-ka%Br8MJx-0ThXAp&kI88`xIm46bu$_FYvs^XxJK68Q=vhxa4GqJ2s{CC@0{{b|Ex1eRFvGtY z*<(bhC{uC+DYG!*d;u~Ts$z+GBa&3HTR|xASrTbC^F;VQqv7$#sK?j;o%r9fL<1@S znd+YyY%@!e(02ey<3`l@^lsSsaA!OfhTN@*wc?lfO7wR~?4Xy&yTT8~Wkm6~{UB9% zmqa9qm=)-geZO{}5?G9rP;MRG?&cd`aN0-tn&j34`d{rO?Uo`ojZ=%Ac%;QWr zQ?qw+RC6^gIl4QREy*7Q$DKF3S#6-GbehZJq!27{C`K7<)DxGXa>gA{Y8WbfDr}ab ze_YZS=+|xXEOucvc%uIRL2SpMHw0m(rbi1{)Bm5JwqjsFuYN+2g|e5Cy)vP95~()E zV%0~ZMAah8)JXp_bmhLWW&*2>0#E+Ga^NQ#RS4zq5SjQWvNJ43th-}Q($Kgi*`nX51SkiZnmtf3y5-4K6z$AKxrDhYTHLuxMLZce9L>{h}lm8+Zxkopa6 zrj$VR@rY;JIVjSal zqQcLFlWhE?iE|NTK%h)GM?8=0Me7xFut*T?n+g|-ATbbQDH<{-PA|VEy+kgPNhRb| zfs{u4(m+=Itg^sDAmDhTkF#n1djeBR>idH|VaBRGWx6ljOENZ}h!&s3Jt;CiA@`l`zMiGvDI8RMON#Kq`)vuB17Uf??wree*$+oMhbb!Z^irG zFJc<{n(&a@`EL|5Ordh2TK%(?<2Ccb78y(m)`hNAk<AqfD*5q=w1TLK~d^`LP{b5KY3J`p(GmXLIoK^EKv z6t@i@s|$_PIIH{`qZFP?!kc+aMWvP?Uw)q#0aWeA??cEKDR&jiL)cP^YoD1Uej+YE}3x=}^CVRE%0dvsKj z?P@GGBbm?~>XJ{d4b5P4;B3MShJv|189wZG<(r-4v{mf2ntu{+UwFnainoi%>>$DSx+i8RHDmNGe1RH_Nw$0Fi+lD3N?!C zC)My0@iMSsoz_+sC5A;diD{Rdwkv!7>mdLC6<;S=-&LchOlEUmsQ|xLvqZYvON%dP zO_s<}_D}g$eOXD;MtR8%m1Wg157bP6lt31X^pZL%!nK$9?w%-J(YyRCVi4R_77wp& z@v4EN3<^ROn?h{VAX{D|PbfVvTCD4Da;%wvx8<0mCH6)4tKBD*9ayzTKPQn|hbpT? 
z&5>H0PI1pbX1gtiTz{t_mX-0CUJ)P$x4AnB2q`AgzIc`tkTiQ}5v9KH5ieXHsxb(A zw+k<4_aAuaxz_v?S|)jciCS}45cRU?$$*!Bjg|@CdsT!3Il3a|d`K^gp{kOi zE!udt-#sFDs$yF*XxUe)BI>GluSk>hpLnbi`*Qo$_fyIahoSzsT}+}qXtygBFGY$5 zPwqFa_vyA>;>dGX=moIUQ~tB*7s+Dz{c8GYWe1f& zr~KFNYd9__7=6$I`^$$(yRwqvrwQ-9UniHcyu@;P&lYLl_ce>Xn{K~e_nrMU`^X2S z&yfvsb$FgI;X2)@l>X7y^wzKs?b!}JWv^8%iC?uEeoRIP?((gi2^6(G_@UYT7E$vd2 zDXiO2V6F64tq*ZwHN19kHQ+aLU9(%vb9o<-I(YUJk?d(xlJZ()Wjk=h*K3cX!Ewej zZD=Fy%{R!q`N!pycmBYZ^}28k4=BMd&W*zH}J*tZIf;rZH>}stiBC# zO*Ak*hJ&BL>9h3*LaF=j#o+P<{H~8*wQde++s;ewy&m>0lE1`IIvqe+rdAy=e&hNK ztIXHkW`UB%nAMTTJ!|lP`6%~_-U=d5`4O)6+3FXM%7@7_qAyDHuyKt{PkIS%V+fh5 zJE+^DPgHMFUkM*EWl(JbPRiaf{6qPN%2(l6$8rYzfbjy+pA<(Ex59*nw*Hsba#35)(*%-rJ!?f8Mny7BG8S!P)rtV@HTtnO+Se|H^e6bi;! z9I<{=5+7oyRmV^oWr{LgStl+c2~$lS&lq}((g0+#8xbbl6T!Vr2bIWCB(1c`Nd%- z07)H{O<8aN>OeFutac_F=NJ5}fHEcDqavNC*c`q+krxq0#bAoxf#@4M=ljxvNp&;? zU)2kTDpyAhZok>SHeg;kZdJ454_?HW9CddO!fe@bp8GRJ7(4s1T@7=j!O3zwquK;@ z+RzH%Q;kr8>ALDYzqPKelQpF(MuTlTWz%i&)mX+l_MK8f=|ncM70!Z0mJZvcJ0=Wt zZ|u4zm4BHvebhgZdt#BWq}h}S2cb4(+IBvJNO%nKO26)#!Vd9v6=C7lkniSS(ZJx* zM*UZx*N0w+;Lyd%5sxMkOwC1|C;9Xd#gYJ+>Cb#V4KDy}Q#P z*lvkG;jr=oN{n|x zK3WMY!wJzvDeM`B&p4BfGzt-|7Ylw>M~yJ>cK?m`o|UR1tgOXH`i8*mb}%{Ggw=ER?)=} z^cxyDYeApWtV*M&cr6P55SmazC&VJDOI7=_#esmp+2K}QDksrWe^MZcs`^0OoRfd4 z#GOM^7TbU5RLly%8%zXBy+U$MA45XyDDR`$TOdDM!m{t-z(# zQH}0gcsq@4gb)Z)6xL#{P0ngvwExl{w{Fy(2LdayIkdm6+%_?ZP1@p9KP7grlO$qL zwYU>40}<+O!f(Mok*@#hczY4hXV6Cm+`n}^q$YxtQ9C!CWL3#HQX@mP)Y6@}bIJ3- zv#xYY_cM57R8t`?|9f+0ElAQkw3mvd>1K=7M17&F1-RNOwgVS!eEL^!L-glvY=8Mw1Xi)n!aoJcTanMZk zjDU*3xPW`}H>Yf$(Ry*94p=j9o>c~OYk^p2`gl*GiU<%@YRks|5K+wb+s$PrQ!2U^ zq_IKQD|UByf>B#2^--~sR^loZqZVn&nV8o{MCqJ*yxw1SD&)_+W|n6ZC^bOU5(QA~ zCIV1k7@goSDvF^iGvW=d){Tdxlk~e2?O+)?G}*`k;lJ6{jT8VFg%!$_OnE*GgCBStAfAWp3j|Jhx4N;xcmI}x&7W0 zOwCa8==wN10OyW!!T9*-_vg2_GX!uB9hJrvgSn%42>-9+RkR(HO-4l%I8lp!@&cmLsWUPrvKZnZdQDD_=!c~X_Q77xKVieLS+(~UCm zi|eO0*KMj$<+izo&8Gxx^q+%lKUO(k^t#i`ILMj)i9a@eOnv=G2A{!HPBA6h*Yxd 
z%atl3?Hb%$7t%5e!}ij*8q8)1KWw~NOf{k5`-vQ;#SFC#H|k_1x$9_>*TO&^;rmNv zHLHZ+ShAC^7PPJxeWHt2z{Y0iS9sLJwD9PEiEz&PuD72Mi{#SxmIuhIS^aY&dkuhk z*v!bl0FbcF%wx;m=xpmH;-wXOTYc#Z5tYymq~D%NH{VaL?<8}6^=lvRDxXu{vjM#1 zqpQBmXfL9%*M8?KN)WE&-_}4&r!kg%;+wmW#Dc}&KwRC<)HyG){!G9I5KD$-=z1C7K!ps@YxU*hN{ z2iSi>847X}VPdpTBmsQNaUaiLv7w8Zd5I_ydoORSVbkP_2LnP3_}_+|DL`WIb-2De zUO-@7$vF~+IihJyCyv3BK>Ahx@Vlo~(}rYZz_3z%bQ?70%$d|u(phI~aWKw52s~Rb z75w|QIaIpe=9(8>a1Dc1Up7ys7p=IcvyrxOba_}fOzfIy<24Q+V%hYREacRj0#!>sc*5L-3o7Jwp}{B2PohwbEFsr2CW}J)ESAMfDjhW%uKC0N`-jx2AUSi_a7^{@JZ1>eawp-Yhjz|oew!X1MWxz#Hj14TU8|+(r(}%^ih8M+EkkM-^AK+UuNKhr|kAJ37 zj(+K)LpdzS^G8yKYn*AQTZFBbJT6zlcDBN^vuGeHk%!lzmSD*0w~Ay3`lqsC-T!XU z4FVoTHIRHV`I@?LJDBMHc?39F-9tM9Ltx!1k2-X@LQ$BXU147d%T`W2S!jhJy8bcN zth7dn*A-;P?eyoFBcTPUt1e#Q5N$R->RaH)z=D+w$KUsr)m7UIxZSD36ZOT^qgS(J zEiJ;&`hwoa?M}HGx}#^d`Uu(|o7;RY`$QJjf4>kaTE+pvSHZTP`t&iZ{<}@`w z-hRpkBPs9v#OALMwlO)REv#t-7HEVE-N{S#r1vhZ)A>|fAc8yp0`A?MGL?!WF<;Be zP;Ev+p=EU|lxr`FouX0LA}*Y)1znh#9j)yUKmy@8+ZR6199UHZ26bZ|n*7WHU(9Nl zBCdD;^TyH{9l(ldqr}eV-Z<rZ` ze9kz^T>B0X;$)6;x~n?1vSl4yKOL1zaqfUrWE|aCAzD__SR6<6H#$_R5tRp-M5tQc z)6P2p=+jNWD(%TR?kuEqsMzGi`dP9;sFALv67b4{C~t{Hh?#GUV<*|Q$zv)?=22-t z76o5AA22n^Bw;$EF1ycLunim6+`rkE)O}dg&GRF}-Zi&Ae)5?qY0%g6>a51DMtdO7 z9g47wk%qPXDZ;2-$dyi)&8vEj zEUcs2Pwn#I2v6kHnzr}|Nay$u(j%oM`g$rf_4?0-&DrteK&ndWe zYS{dLZoVhy8scPy>-o|pd7TXmI}?kBjKPHnRn?q4Jo`y8)|y=vH^;SX6%Ixvp&2{Do>>aas7l6o5L zAeo9jRN4gcK|lhP$w_pMs2bXj;k8KdpgHR&(MEStU!70uN|ZgL!MPQ+C=`H=P*Uyh%7O?6G z{}EQ1MDdWMuE`$HCv9b2;v>ya4W_noFz~=W1idvEdnQzRsmvD5R_!~_zequE7?5!9V8!P!Mx} z61UQ0`}C@K7--{(^p_JSVNK;vY_l^HWt)^>%rSu886ddvu$_reX_Knh#}~wUrhB zn!uX;o{eeivm)%tC4^nVl=LtTKcBloR~BH7<@9s#eHJxx;cB~}&{9TJv|_Fcs#4(s z@S^tqQQbq;`)BpTbO=yo(Z0?39BT$3wUo#rxunkU+NX>kn*6)nBG6E@pHifUNnN~*OF+}V9y&X+u&1u5!~fG) zMXVqTgAFzz#zF)>r6!zMW>BT?5IKphEM{a761!F13EV2K>ZVXjR}}bP11Bd;RjdG! 
zo=n_|msfhNv-Pu&7!2m^^V-ZJB1)&@*bC>zz;n9pDed>>3Qh11+v))6C3L2_P}M*a zj=d=fMyD->SMIUC;I280Dl*)??&53cW3x6TaO9%2q3d8v+RtV~=c#?6m=z~ZM& z=HQdr)xzms+rTRlJtY`cWuo9%bDC`~H`Dsdd!>e(MVqAS)-ao2xoqivN;dSS3ZkrE z`J_iu{SD`^uxbh*SxfU68Lk+D-e-elITB`Spr}Ks>BbHm0&sU$v>~x--umn(ujjO; z3OHCb!3*K3*rwrH-CoIdBGosf;2rslg87~flj|ST`Kdq2+qvjHS&~M6xopKbzNCff zV4GH^0esbzq0+}Nf`N!j%|xZet{xUZfV$Om6rP24hb4I#CQ$Gz)+q7d&|32}TT?b^;U zhG(BVFug0$d+gP|*dZW9O!NNQz{2`am{rMx{5}G;I`2T)ROa1C&e+J8JcLMeB{lsR z`pqSSEH>Dn-nagw9HYvw4M)*0c12~hhADKkC^y;q<#=wZ=IEw3j|%thYfzQ2@XaMM z6i+{RC)_H<%@MWh%e$}B^cCS(+12d6RFCL2cO3e8E$lZS2d3`2T(fk|Dwm`fE)n-ibhOenSFDvaiEkp&zG?p{&sYW}Ps@$T>t5c2#7|ix~nj#!yB*k^Ci zy>LI;c&L<1OEHWS`}2pzwD!2zMc;eH9S(tz@1`|nrU`{NrE)&pWwz?xq>;F{eJQnY zHq-hf{wv?*&{G{zatC~x?Eh7ammw@duEEJk;ak{g&j%rkj?aa0QDYfHw1;*lrnZ_{ zh$q~!QXbOiva9DF=bpCYO}zH=CvmBUZhC&nh=&@lM+C4@xH2}DBz7Kq@(d0~ z6t9OUwNMMve*qk!lw8iH@XpLV=k%9fv~*?PkO}`;Y+NQGoOLBF`q$GXrX$T{?lF^s<`_x1=@533CIN8 zvA>O~p$#ng#ZVuU_45ABpSz{BFR{84K3J9vmhGwg{0KMM5m?7n4%W52@OUBG5veeK zceH0MHs14szh7ST_^-d}ophA63hwOOwItc3MJnBHA?jS79bx-+o!XXsW$Nj++ngP3 zEra&>0H=lifxZn@-=po;V)|&L$_;r)I8SPWRiOE^plk@3{n#}pjaX|TgXNn+Ku=x+ zQkjcE-FO$muNKAcAILsm54R%t?s&8s6EU)+2wHYCAFFq?r zd#Vm|za;X%n_e#T;TKJVuwK@$m{yRJ@?39AVj6k`H;mVtlEmN5)|pJ)_j|eR{?nMs zage4PIFK`{{a92splov;d|xY~NjuU~cI2G+702t+dgs?gf2by<{1!JD6)+)8yL zOjAFIufFWxdV@E}T3#+4HLvp1rR+OqzCEban9U!tlz-FzVio8d08t@`JfZrh?Hd1heqM%(0*Xj*~aOw=2faW=&Dgj?tYK^DUv4(Pbu9$`Ivo8$Ahvy zJLxIb7W${!snk;aIWF9T)LG4jf6R~<#)7o=QMecSney`LQ+HV=H+_o6HoxF(=VqKO z*o@qrCmA@$Yi^`{<*F4_a5PY`B`{p<#-L%&%Cb7>t>I>02qRuHIDdC zmSlVW;$dPN@@Zv8pH9>xKi#MTl+~u{e+|H^)SR1xlw}o%?Q7-2um#1^i`ThymdLeT z;+R*w)f-E93`6>KIJKI8dAY-MfkAvVI;CStMZjofD13VP)TL0EIl1vy!L>e-FTB&eQ2p}*Y3|xodnO4Etv@lYssR(j^w9cq3uZB@iH9lvhcAN% z2eT&LB6X9Umga5KuzMzNU5llC@}XgRoU7`;;xd`KYj569Sa$;Ei8CXtWG!m~WRQ*a z%_kC4k-(r`E{1o_Zqhd!PS%iknP*Ooh2t;x(Fa>_+o_TrVNH=1sw-6rVD=$lgQp{T z{AE@FQQ4imff1i|Oo#?lzC@*wa%K`@qXm?}*TaZelKCgW*3R4h3g+O;yo5;3;z}oq zk7v>p_D7BG#4h10%1x#0 
zJ4Ee?(-5&zD51h((y$9fDvkq;HngS{AvKH^q!-NS^-_{s`77(9%(z?Dk025$5cS$z zOv96zN1iP%!9K0GCSY;rsig01oumA35cA|KNIe#R8IhBR+$Hea? zXo|6tanU%sZ^*w{!IH^N$F^FHVbBk2xT!?HI=D>L@@JXCsK7U+$5}OumpLZfj06lE zu1R|47S`k3dc;OBRdvmN%=vv}Dmo;}{I!miv9S%;rC^XE&xZ*zBq8n94;7`;K2=tW zD)e0DYaAVu-f9&A8E23U-4#Bjn10=k-y{pZY}n zO^~+I+2Al3jYzxL;MkP=vS@3hko_%r-%nM1M>$iMQf{mIbXuBda#9vU^*Z9MgdZq&tdpZ2KtB>o}Z1K4*d{`yM zUI7*55;0%=pL7h2SMsNXON_CN-AARSvyc!j(s&{bW)Ef?VpGSdDEs>RL&8;IUl#_( zo0$Azk_j=dV#d6R$r(1vNM_e{GdgfGeB#J@-J#!_a<(P>qXald>VjI@y?MS~%SRl{ z-Nz3dz;zCg|?-P0jaH@~DtoI~QaKtPV zscs!H2nv!9ki2nEq|U)qFJuu zf5{(?(_%wG4Q9bBP5Xds>%l{5#93(WYvl~+`;Zb>6(R3~hPVP^lXm*(&~t&1tDA^5 zn;%xzIw9SMz=#j=Mrp=`Kn{_QS{$S^8d!MajQFpPZ_CMzzP z_|PBiE*igIH||neAtdl(rnR(~T#ureFE$uuzUEAmk)4$5~t;Wy2mo|U@xW9CJ@$jqeRo~{z zzQT`OIIDRpd2Kj8^M%nBq06t4sV(eyG3 zn)C$bEW}wBnutEVE%seFL#}(oad%p{CciiPmK`kMT+=DYv!NK;9IeXSV}_U=+_zSs zYhAw>v^P{Tn?+F@d8GxH%OfOxXv9{C$t7Y1Np}5ycI)kWt#DXA>GUj>xMGN18(b(o zIFNGd{q^SV_HuXb;@&!6#Mlva!|fjWynS;Js5~-v`$>@-!C1=zY~MH}>!BFIm-uwL zaBEA8LAj8RmzreYAoFDh{lrh*>FpZkzPHkUvOBxHr=qmty5~+#RiFJKtM}zn{`a-p zPIb>B>UL`7!GYzkFgxeU+}{V2ODpv-yen!ep{~h}`pOc_+tzQD8k`Gi zV6QWgy=t+0w7)-ZF~Tz+DpA@YPqWpEWY@eRp`VQEX%&T<#=+;LX`6bvOG(rVSuCYP zgUq$NwA)z#XKh$cqn@&?RqItvwj)O7HnEXm9bX0!mdHjeY^Jw6Xub7bdUlFDPZeEe z5*)8C&vgvj)B#M&_)S$f{I=2?$dl&RGz*x#dgM+6i zDjGn8qf_Q9u4GhAUKDoB_^McU<7eQo#@9diz8C?ZHVJ)?BzJ!zw@&!M$GY}_Z8 zBU`)or+&SKWVZ#oNWhHZt*Nm!9gbbp(}UvLsC<+iw%76-lAdW-jDpca%2*B zj$}B?rQE0RAq|D8qO!s_Umui?O^3CB9%iRb%>A}phFSj8y^Klx$$5?5&{%1=VYW*~ zmBoxmr_6_KDvN*u@Us#zSTv0$!D%Y3yuJc(7+S47P%+r5kWWh}azo1bih9riXY1Ap z4OM`zo~L-UTK{3$J-%8K5X+kW!LsgIS}mj(U%Kilo4CZj$EC{4&Is;0XpwTM5|%3| z-zFmQ*UPO!1pY{I)aR=tzN9td_W9qwFN)O{v!3GuN64ID-tu3r+v|)oVR4cN2+j#- zxw5QdWPZPA_5-REsspfyy^uv}pO9v_ejPKBfKE z5fnd25#ek>s9o1cb4H80y)}PY$;78+rFtIb@~~F*crQFz@l@J*cv|ZgTROY;F5PS4 zhfCn+grUH`wz9PJR18yCG+-__a2^mgaF)}l$*3VfqB`h#R+(mNqF3Dlf2Th5=CSYs z3scpbceJRlXz&gWzO1hp@B+Ks?Qgk8XCxJ=G=e1_Xh=_0ZMjtK_5pUz;Qznl%d0mm 
zH9sLb4L>4aP2-KL@k99J6*V-#QlrLBsfz2$_P1Y&#+`7-ve{#!vZhSU6^iY{VXvOw zZ`-@cbHAPUyVBebpS#Cl#M<9Jujl8vzu#BJO#b1Kz>3e7O?71i*dOSd{hUjcbl+>A+w=={L;q%$1` zi=Z6KzgZ30C8a{M)|?6+Fso@Y_pBg!5sY4okZz>2kzC^gtBVrNtf%TKJan0=Mb7N_ zA`c%2+tI&{7XJaUCl5whcG2i$^D>_0UnN0!oi^Rt{9UsZg*J z+fc+Nt>4zN%*E@3aTQmj8rV~Bke9zK#@kFjy+>Fk-(UFBPaI+zk)adgu;GaX$GZ5p z+(#cIhGn@F7`hI`NI3QdMVtjlQ-oXtG0}kXUh}kK4mt(bu*Ukz? z^X>JW1*JURSyj?YYP6CovS`QNN9Td^{GIL*A>G_b#QtoLoa)pG3{FU$t;O22$GQ9l zE?+fZ&*p?+Z$*?l^W4#es_MC>V)a)cX~U3=!G1Xp5r*UdU$ws?%V*9K#R6o;(utY% zj~K1eZWeyZ9=oMXi@rR;M3hsn-a-n#Gp>){u*aG{7p#tXmz#Ky8qu$q{ zJSF;tBV$8|E#C@!J?ohS^Wb6Cb;{9;6Ac$pb(DidR@d{5vm_r+Uf(z84lj2BSt}O@B|qi>=lzbP;&+fQz9Yf7iFQUcWJXgvi`UR@ ze#ZG$qr6|AF9>(i5Z8prW{bz9Ny&H!$!Q|dq^xXGShvwG=t@j*9%DS_WT8cPFxS2E zzo*4AtFjYln@mZxQJF_S!+M?)+#$Cxn-;Z?)H2SUIW8al>bz^GP@}c>$TKT9{V=Ek z*|L55wfOp>nzrY`6l7o^$n;IjvDJfTOMEHz(DcFHb8053&#tDQbe4(@CwpRz3o-X) zHHo!_=J0`#uXg0&hyV1m>wEjvgVxQ=+xI&sDtnMogM~3VDx`ZjtrIO6Fx?=$ABBDX z(6uJ2hUKKx(!^}wN9Yq`F-lrL5*FQ1)wc`ES_~P$1KD{o*Zb$TVZTu_PDHMFTO-3n z|LmL2>jUngv`_J~wvR{9O4pw9vMVATZ*s=ji&utD0{Qsrr z9?LAk29#dc=&!&Ug6l8$^8(w0%L$V%%7yRc`4@(S?jM#mUGaWcmX)IOIi@Qa;Q&|f znr{}R@WRULTPd}r{WBd50XsI?4$^XnQ`{402oH=dUi&}Vy;2q3`Z=*6^n=qE(8EoF z{J$Dpv2rIS)%UkU=_6k0tEV>f`VGS3Zuicm2l>#COLlkOVfUrgu0$Xmx<%K2M>tBK zKp4W`KeJ?n2oq@FVqpA9>vIigo^qOXW5&V z>T4N$swcx}F;Mbg9X9zr2Q^RMp znEPNQF3#qM+z|XXqMXbOz1=H2T4%Z&|DIHYTV#d4XX10vXt8qjn3r|rL5~1cJp(!3 zWF+)GGMe^WcfoU5I2*&SkRo0Tti(B#zh&;~#lk5D-k5{j=}(Gt-3PWvbjx8Af43mV zur-tx@u1rXLhNLHi%D2CtF6K`e%Wf2>VTr=O5_bPnt7qA?usr_yuzPf?~Q0nH%u1+ zTA~zW6O6`*);!2GDBcf}Y=2$CLQS=}!2C$Y$h0xkqB2TW$Qu}|eff$B8rM2_FDXb? 
zxW0dVU6fm?B;d$6Do#Gw*Z|^GXHG`oR227!lXt^AEsDIr6g)8oGWPe`Xh&s_o9$l5 z6ES?H6x_X{xN*Zq)wUVp+UuDy(1Ema9k_-~m%?CccGIB>=Y>&khVJwFj|_Sr76qBO zt|`dOQVZX&PXk<978AGLF7WKD%Ubvc=IFA&qjwAd{LH899x(^X`SuHlgM5`ko9^w1 z^;&-JS;~>LlA6xJ801??VX=O8j*CtD?CLL~hp(Z8q^g#Yu9*%)3LB{;^=mKgSk?q> zj6Tr!(_au1olq+A|7T;4!6XI{RQkY;Q9)v_^5Wt*mM$C|@2j>Z@l{6}YYwBPJ7q>o zUg1zgp7Y6l&Mxn)<)$t$A8hvgJa1Op1w98VR^=NLuy|!hjBhh#c~_$4)Aou3t2@b* zr_&qcjf;wOv2Y=nSWy&CnL_-I>r_OLEs90uJ|e0VAWWxNk0_%3|31%2F5R*N^!XS~ z!A3tN^EXu#OM_MiH~10r4cEa8j$^{!vw0mm8}zcJb1kAhHA7J-08#x@W;hNeOM)G> zT3Baq{aiB%mTIM2oE<6T{aN&F(c<@71jMo!jPQ?E*|1be#|*QqgTQ0R-;xmE=l?VR zIGzNDtgmgJyILy4PqLM1 z3;3k&sxn>GaZzsDGH-oRzR=A(VN3Pc0DX9|;UZOCQZah>F>rx-J!$2#;Z(GxV!TC9 z?0j`{lE@!#iFb2>9dMTUdO$E3BRBbN)rfk2Vx3{JpckLdK8$7XS{TfHe`8{?{~z}u zGhYwo%d#LsH1CKDW1(^FOJET-(IOs+LNQH)QbmIvUJE$>rRdIuI>_vT^fx-CJ21O+ z#mVw5&UDo3CPDf6J{^i>->4isL;M+(#GsJdQ1EgUr4Xy8``qxdZ#S3~&6n3eV{I~7 zCez9|%*nK4-7E)CMKI=ifEs0OyhZfZsKj^ZC4u;`X+AUf2V`7#2en+_td<-ED{IVc z%kNc#sHN{4Br4Dj(T*jHiY4!)6@-SgE&ACn@P5?+@Pb_#o1TOV0|-jhMqw?ML@uY` zQjRQ_4zR!8eP3LxDD6V0ifQ6d7`NbrzW;Yw;Zgf&`|d;`?q%7W^cgf@ zh)+hse7e=mp$1w$(`_d4MA6%dc9GTJvQ2A{jw==;rhjP}?uqvDQO3~FPwF71@*&x6&xuQ}7*+R^Quq^V;B}?lR%5@Z5PBpWuiwvR z)3oULviUPGoJrLenx81pDRf@hj5$rDg$E=v)k?C1*Eme#~EdytGjLQ4w$^8VQF zuZFUP5)`D(`7&)5)|{Oi&UGcpJ-;cR%FX?C6MZws4=w1C0z_=cCY^zFxUNIM$X%3_ z$hPtd@((^Wf>&LQ)^!j-F23_Ju)MEA8$t3(oPY$x7od?y-9{fIq2|94Gr(283VntB ze@0@BTzWMMTmC9?IW&#oB=(jM;oAFlSGjR>ymI$z9%kQWsi)@6z|Z7|K|G^QWE&f^ z?^^e}CEf%ui%q#G4P4Z$daQb%D8L7Mr}VMN_4P2r%$ywB#%WBlK=XYe_qhJ#T-(WI z;XIe)EB+;C#Jk>1Q`t?%RtjeO{b)_#6?(= zt{b6T&_#=obu30!w}a_#X#5H4e^Gq@j??&)-WVp5B}L5a@!9Xe?zyTp)9}lQUeqhD zFcNwBRA!Q8Q&tnl_QgHY05`nl1{b`gS(el10uO69En@a~LjG6S7 z2=aQFP0JN{w{#o(!EOPLnc?^V3@jZScFlsTxKFQ;#%h&!9Np~SH|d{FrXs)x+F^Z- zg0`TLuT@0zJheGMSKq&d)R3{Sels8pXuBt}tAB)cJ-Q2DO=;WjlmLP&)_9m**4pk_jq{&r)FEmLJ#1f)Q zrI6up#z%Ywo9q{+z$Zb3{~`TEsne2KBtf)4#-N%TbFx~#hmz_6I*U~F0IOg_)QVA)o@ylog$lVIr%9cid5sN7i8BKTTsVJCuMl#90t7&X^8*)_4%E_SxRK 
z`qVT`zZJ~%d!k_;^o$jD;|;2*xj{7Q^{g6&2lcm|CB9a(dfeSC_^4Hpc*~GN^-UfVwMV{sD5+-hC zqxb)Ve*atoW2cYvcOX(Iqh?Veo|)9zphZv6Oee`IA}b9xhum91MOkh8B>X?RF-9@d zCWygIAH3ck?S1ruHqf1pzhyc9@|dT^sj!VYG~3yF-oH$mCSfr@#$MTjZ)^E-OF8(R z4cj-BG#dIMJltJlFBz)6ngsMuSZaW{2q&x~2?WDM?i$0aOcP8{2V)X0L(rp+xP5W{ zDT;w5@audYbrl)p?+P?XW{`z297TiIHD?=mbmwIRzJX!?sz(Rqe0`fP!5Z{IuGsS& z>NuD}bNL=A?PEpHdpkk}3@M>iF&5!NZ>=<8<$38sU6Lz&>U{Y9WuYd7{Fdox>_s z6X4I?ZyS!T9UR(69`REfSwx|gP3m7kc?Qa%fU!%(`AZelO>zFwHSiWXt1*JhK{2Vql(is-M^4P=}VA>2z~Raw;Sh z+EAX)aPHm8Jq^~C>G}{~T`Tc4ZJI&0iTb1E3i=OpPqNl|1@>J*qu47HK~8Cku_P(w zvo1&mHc(e14TH+~pf1qf(Bwm1kPppFJE||`M_C$d`o)}O?UGnsqsEEw^+we*X{Fcm z!re5D6UA%17JMEqX0-(>Om#aYmQ4Gnk{^V3dvvJqmUHou3il{B_yj*~@;ap^26S3A z8U;@WEOJNY= zJ#-KuSqUT~h=0h42Pj|+Rf9+Y6vkuNiL9Z49&G@oh-3(NJWD$1yqtJe(t%J>2a4v$ z-w=bWFhuoZTo~qAk>@;(xePccaTXET^lBQ}d>)M#eQ_G?8{%A=rSFBuoewB%WWft3 z63(5^K+zzdE}9{Hy|pu(Vj}CgRoxZ8z;dhs9v!JZPpMg}L^||dme3+yn%BbR*dR;} z6-rn7h@YiR>F1z|>zKBuscy1vcOMh=@E-ty#sRH|pOt8ZDQ(pNyg%;5OjD&sQ3uEd zYdUMrOEUwGcPqo3M{E(*j8Bz>kz$TN6oV)yGpOeNYo$iZoYmZ#l9l+tfTMYAxg-Mb z{oBv(_cksXSCs)u9o!Ph$5!XcEY7|?;+PFP&xVk}vb(DX*|0ynukX!ZTzF8saCrH< zz(FaT1~|U2GE@JmjoR+NaLjCg-WKAWgsd3QD3ZR%EI_E00>h-oEQe(gP&8ngzv5Kz z;{$~P3=k0XH*8FVs{|y5sO|#82BmQg4DV)?(zaeTeZ8H=O9GUi_CKD`U_;w8X_WfGXS7G(U-z*Dck)oXBaD{#in>DftBhOxfE4eCdB{PCUn{#HTB%N&wWl z;Bn;XV0W86{Bn-^h#aY@dYJBB#&}6txsS<~tL`)j*=A%$4eoX-d!s4K$RTT+v})@B zn^(BaAuEk2Q}p^=cWtUmvBQ&RRk4F3Upeukr!3|wdFP9;M@le-{Lt=jah2T#`Io_9PA}in#=Yq{w{GZUJ=H*4YoGN?3PVyBB|kcaR6h; zJ2Wzbt@|K)(f1H{+((Kz%?~h`S5(Rig**_yK;LTBVdem|8q)bzg|p_)0!gTNKpKV= zXw??gg~ESm$culhkO%vWDttL~^GioxSO+)+Q{+Jr5PL3zhVF{VroP9R+Vp}gVzIcM zC8pjpeF3k5z-UTQV!BYTR7jZ&m)??y#$j|Rx&MC7ZNH@DJ&1t_c=ewka2CdcO-U1SX@4wl|4{_sisPmJ)*wd0*49&2+PgiG!6t|d1vRN5g2&ILM z(R5qxKll8n##2rnDBUpx6rdW5jyw1Vy622}9QF;hxeMTv)DINkBpU9<@9tgc_nnLU z&|)J&EOLzH3tMpB2X<~V>e3Nh<@r}3PF&sA$qhCp$}(`0hzKgd;j>K;!8*)U*k|&E zMD8NPUb@zR9CGT-kU$ptop_xTaMRHMK!fLpYEXtujR9yPD@X5L} z!u^`W=wV~sw(p-z{F3$4hApLaXFkY=T)df>9ur>vF}g%FI+^mBpdy*dds$i>IAjUP 
zs_W;!;k_h)a|2#?%oWvg6e8oiQYRo4SW6Vhvg@l&@dkERExCYfn}(g;A9HiBZRJFD z0LT8SZ>1{mJ$3o<`Yu}q-{yOIY9%j~Q=e70Ku

$D+9o1z-Ef(zN;!*QX;OXHM$Ra`pfFdh2iCf=j(@+=rb3klX%zr89 zfYo~cY58<_|0-bX%AmKHE5*Yy)wUl6Z)I=&!|M9vaIb|%rI#@@5S|?QS_aH#d)WZ= zPgFWZWlvLFH4y#`kw`1&K~w>=1mh@|s~N#Oj!8|Ok(f21C3sb;uxbGMSAZuhGX}z6 znA3vSBMN8RM-uEA28=h!Svy&C^;WrFcRb-X@Tyrd4L%MJL?1T4I61(_*a&)jNJt*5 zu}qxCoQ4ho*?zg4mrZN*VU6Ysmz00fH_@9d<^~2jLrXSU*L~UWD&;oT!A8oAOUH>q zxy~N$uJPXp^Ti{(Un?%`t#i`RF^gy)ZtXcnvz}O9Jh0gBMZ3b0tu{8WJ%KjC{dJ(~ z_vg@$Z6W@7_%@d+63C@}$DywyO7c+^N~vGOfbCL_0;dDEc>e?0uc93ews;+J+7yfO zxTiBN=fPgzc@!uk?hn=%XmA!96G1<_ZS|Ap77u@SaQTv@`y(8jmaoQ(YPE0LM(#-0 z_2+!I8~se~^!MST)SZGm?67{9#cs=GGz-far1Xo@wak@d4@B&nQtikaSy&uz;_aSr zs9!A*1a+^O2)9gh7u)%DUSSZMJZb>4HWc)P=&!zqKm1jt8L83Z!E1&!aSgOqyZ^J^ zH1?TpkuQ$dK;av&w_j!3Gt8u8f|Tl&He;)i*oDbB8J3F(9$jbPSS!^JowSX}1t^hf zbd=(lzHrZjggl^%491?<*zRX7_;#>7b&R+a`V{zw+YB= zi{Rgc+64J{qX71~1qh^a7*0Og$lWIqC459RbiquU-ge13Hesl#lJwMLO=si%7|Zw< zk|3dxA9JrvJ6Y9r0;H1KBj21wp(o1V+C$dy0aYxGIt*PlUZo6k(qKPZE7z@=B^O!~ z!r2pvf8{BlMqH$UdYN9QH8OCPEcnpqIO^DG1`XE~1sKLTi0M0=}Qt?UEQ$oFXO zZ%beIIp45u(W#?YOId3r zL*G$oA-qcd+6Qv;ut&+Na85a}Vz|h@!h&wSJ3;)39o=m9=<2Mkn3V0uU}*Yu&3zjk zI`R~I`GKpyLn-1{%M7N`*Y5KQ@wYB8ukq}CC|8ri5$ z4CvRwq(7{4-~Q@$)ocU5l~RV*&QCEl>e}iKKjFBUF6|tuT;Ca$3}g zQPu?ff3u?xfyw*b(ri$&-Y@?S(N*w7K1#QyS_1^eR?lB4m08{9iIj`Earc`Xp4>8U zTMi`EVT%>Wdzsd2m0X|PP484wk~X0%yP$G}jO&KU-X4eMR&D6$f#DnPhc?Q<2RiIC zC-tuWI7~Xa29@ez^COCRMvioH9&x3ll4OL%*^Zq-ogesLWjd&4`GwH^(1!*pQ_0DO zdQUI-02#-0tR^(vCG+VXly-=IsSRhI1${q51Opqz@=gsvESlsP$R_dW2mIXtNFwxc zUElqNkn5bj-nb^C*KDLltSiEDcj(xlCCSJl&2&ktD?@MR9RKSwIx>?iiM20N4x!6XCJ|TH8rHv!kMZ*{TttghEGJ)N*afL{hbbwUOoX=@P0FEK{^^>F zadqQAl!IcP*%-vQeGFbd{ldS6?40#;k&7OJn(XzqK<_1;WzPSoEcXh3+ixa=HGyQv z>-Xu+z5A0xTNq+a4YyuIA4aTcVC{2+y@ham#Wc~uf2Z!)^g#$ zv2Vq(P9mfqA06XoSrMdoq$+?iS@zv z5>TXHD5f9Eg0a(3#%jnDGqOf3nRNo<+*A1>`4Mg<6Tw{jb{4!@kN&cw>t zb2JTWrG_fekjJ-|t^Sp5I(kbX<7&(Rs4JQkmr(N}=8}nU7Z0cD&|0gAI4StF%WgZ1Mge zLxs5Dh`=O5Mjf$vC;#JzGIj&LsIbpwLH;{Kp3;id)#9>JUOEc^I0~(Tf}sAM*o4Z8IQx9GM?6|2!`B9W%CIM}s_fX$ z;}H7W)`|+Gv-gyc;CFut3heVQ1_P@47GzbcLZ#{$@ro%HRb|bk^%E`Z%VXdpf4N-y 
z+vou;nKzM)R9Uu5DSvy3?*Uo&J&Li;XLHjK5wiQSG>&RBvsN$b6E^yvI8#2$qq?ok zgtkM|*^C?Lgs*b#zA5(CfrBV}$6p-8X?m+2{#07j=__pp@rmo>!X$OZR1W)pQ7Bf6 zE(f43OrGhGhc75s1gSP7t;vw$J_7!;QR0X@z|W8_^n6z{lyRK}F`dsZC_8Ggy*ubj z6D7>A$ULhyOeIv>vz1ZK841Al5;@e8Wuo{iB9NeUEoyeaZXG<4_nooEZVNluzjZCp zI{1J=b};-pq9O}nv0)lg#}pDkGTI?;emHQXN>Z^Y2=3N^Ar9zY7H$;4i36%X7K&tP zP7XWuKrzHN*Vwnvp5>+QCWbj$E>-^|MS}V{_)J29=3Fk8G2PY;r8gsZaK``VLd5FU zk5(6mfBiGVKN|$s72>Bq3n3A+%*~!ZwNC2hV3#NtA8FYSwTy&>y+}}25T4KfMK-x1 zuFt=OXZ#g;lr&R;P0y@H`}4Ni;Yn>FIN z&xX8hMyn>2=9>C?zsJ8*47L%|C*fo-I8eFdrYf(Yd1cC-=7z6Mw8?`$|{TZj)1ez zP)6K+b!3X5wb|s)2G^fIyV}^VHurz7fsc*~EaeixnmivSmsgxA6V@?nm_yV%Y`UK% zsI&U~pAQf?)WG+|S&;yJ;Eide8F{7e&**Wp+-n6UxK*1z_KP#PM=7-nrF{#N?~0ej$gs2u+>tAW-YlYDxGFn0Ik@ET*rMIf8S9fvE4pHKK@nKi`)Qun{fB5cU~r=`TvHJM++j|o8jA)>y#0>Q}xgNfxiTI0UNq8=5N1~z}p1SsvMFCd?`a67NQ#1n8NeYp?$wpY| zmm8!DJ7|FqO#F`OUhqHs;}&>judX))@{Nx9OIA{WU>ZT&5m7|aye&*$`m)gRkIu{7tKJaUy{cn3rOy6gP3ar#U9ff2L4AG1+?dwd3(7>{I< zRO?h4NhQ9o)!=eVu$gJQEkeB0(83`v%nFqNc=!m93p}t4RJ66){q*M~EEp7rlhb;4 z7v!@90G~SH2)!a)8d=7^Ty8%ryvl>OZg2Rs zaMynJ@@75uwmybdT3p#9^O)(jh$jP1cM%ko{f=xm4_e-{?<^6J)x2RWzo+fnylq0YPH#5w;y?mKZ6snJ`Fved z_-Q}Txb4Va-g%fewAQ>QaW61(WW`5%4;*Yv!C&_UAhNCY-4zYlDx8uys>#b z6CDCYu^!lIyM2)AUUCNLBjZ|U381!@#XwyBD)Wn3p*ks*SHm2J^>ro4jG%=gfZYl+bQRhbuzG?bAK@RQ+fz~z#PG@S2s+s)1ORUD76n--yUZX9*e`c2mtqoaeuX!M=8EF~|29b!B{G-=b}B6os?X!5 zehHy7FT)Y0XXJb$!l)f+AXWFG8x#SYjS+yLm5q_g0UOlt%pL&z;-tyvFnwm65VDI8 zZB${R*5o>1$A{%ts*paEN3@i>QhaDH40SQU7dSPW{&;tNn4zJ$Xill~z^DjI)nul-hiJaaBP71+mTN?JY= z6TZ+YyqK3)hYn|^FS00MD>6c+);QL%jMCfZ71bGR{w@-sJZ=dDc7kZb(-q@tFy;&d z-Yk+}G7OWAnkMHpM3Nn{7B7+&ml?7#Bovg}!&M#i1v((D_bVcZcu|-r$)_3c>Pj(Q zSshO-WmzTv__%t|)^HO)ExfDT-0}pEc@^Pa7tDOS{C!tyxLiN(_wnWF7*3|}^OaE_ z{*q1c_kZ`!H8_8QmLgt?Z{e&|C&}9eQ(uD87|2ZzoEeNfz|05GVmIv%fC5bs{~r($ zojV~UikH$z75ZH2UTsjZ{b_34MlUib9Wmo%J+YFh%lUOAjy0BHrRlmn>TPVnG}< zGujqgJB3FQ{YtyP9zu?qI7Ds-&%>yNZo0CvOjGma2BRwfv6r3*Sc!pW`?JJb;1%E! 
zTY0h1f`_W;7cix?35lt`Au-4VHW2SgAv4_+fv_P~WK^~%23Qx@q_Hjac~)+g z$-13yQ+mDDDarM|z6V(H6?RW2eDCQMHBT^(KvAoN#ge&C(|owH4oizKYtruM#;HKO z_p|{Hf~34~Xc)bpr?^12SAV;R-vYqHyZZ46#+-o>-p_vikrztE+DkkoHKK_{lEH*L zznfMVScGmVja*C4DnE4Ksw@H_ll@n0V(^B_$JS)!|A?)8PpiDK*URa5NsMYBOaHTs zB29Dcx*uL(0g?U>R?3&t%iL&><*wcRsRv6QQ4_l49L2JAl4TEOwc;eH)1;4s%fu=W zVLQH{E|vMzwfXq9qS=sr6jz197NUbpUocCduNss1#Yv5CxhknO?(UJwOIfOu1YFmX zMdjz$OJ}x`A&1K#cIuyow*j`mEmh`+fM`KXRW_$ct=1i1+D-t!0OrM%c$q$^z z9A=J^8q}I71v!vltn=hkHH&A<(5{?cl95qw%cm53}!EOyZ+2&5Q#4)L?n{YVm8R-`s>RipkFh=Tg058(jR=J>_TW}4HLCBn+KVUl>J z;plV{rm{v}(4~ftjW4%&I{-S^KjC4AsS4O0(`Q0 zM@43Lb&Uy_4E!J7p7S86Oq$V@oBrc^&^nbV53HXsoS|sQ>||A5E~fhO5O`2Jh?8Cb zvME8Ts!S92EGRr!W<40znvD<~-nmOqobB!WtT$l+lap6QAXrti54|)*MK0Pt^#8IF zjH=mb10UO?@5k&eSfiSW1+;Wv7R?sal9hzvY)!jO! z9R9G5d(_awHZ0oFXxrZ;A&9;_Esfzd?S=fS-a|y2<)8`d!&1}Vgcb@HLR{Y1G#87h*`=C9Slpvv0FN*F z8F8O}v`pyz!Dv$kjkV1FiS4Pvi$fRGrKTB0loiqCHc6z|1DFVha_gv;DoNb-HCVvo zUxh_=4AQ40 zEvN}vS{7?X%nOZuk$VQIyuS>jnh#Lg%%!YahHs+-$vv@I>i8GBBL*zD-~i`l_|3Kh z8p*6_1)*Zd#A4r&Yd64}rLr;PXlq)XtrVFxs{g91N`Y0jI@4n)HPySo7w;H6_iG&g z(-g&-I-YMX3>mM(i?ujWxWM}|Ar{s`=)}nc=38m*@2Bb7>3a7a>+KIMT>Qw} zpZ1(SYj3foqemWh8)4!)H}xKV?w+*x_&wH<3c2_QYD)ZVB~?3GZUz(B9~9_}bnVsq z7#AM^5gEVQlT`eGg+R$vyuFYkuxgIvUHbL_mCOt4YLjF^UW60POr-^F@f z`(Y&V7bmG4&7W_)X!+I8Tw@_I^kpphcj6&2Yyui#{`j3ff0gD^-1+3wSHOYz6c?;8 za%}=!e9^d~W+{`jgEBc4ojY6+{J6n1_5YTU;rmQ0+c?47FkG9vEr2f{rjJ8c1xE~` zU->1zuUOZaIiOeK7X3JpFN|~EnCGaEKU7u5{saBDz_sjF2Nvl`2!@lZ0zgN9}R)KZvA^K)YsAXOieani;%^ZsQOEbMv#-X&a2fQl60U>s3*wv#r3-!m#lAwy;pe2d{%&UI*;zm`Lvlc5x1BpdY0Q{O26=m{|YVPZb$VT`X7^D zL&WG{);O8q6;@A2Wsexrp|jk;jAx!iVgSS1C$??uD1kq^a@>W(==e{M?*qX#QzYCv zW4^vr2jCZOKs{c3AsmuZ8)^Moc777)`gQ+1XIq-p?YDyXeDOqd+Xo|-=ULeeZEFY> zU1&EU2>oe;aw%1<%iu?0jjXleaS<8o3SOkGieE>ic02D~9+`G_3$Gr-E-Pwa_uF-T z6x}D1UdRk%`27Yhc6}7ceT%JXPk$_tN@eg&52Dg5U1BR!RYwPBuJ6d3am<-1^?0n~r z)t-i4WES)FDGc7q_w$uOUzm^fG{Ya2`>xgYlu9ucayvglOY5x`coeLVLm{45xB-#y1OOblVpvxa)u@NU#_aD4WbEd-#?(xNbHv#13=2ggrDX$tK69D-`vL9MLA* 
z$gth`2?+2#x=P_K6&riAc8bk?vv(q>!bET%2gTU2t;B@r>|L5uz6wGggag2_#2RtZ z;5g7>iLh1<-8V`a4`q-GMK2UkZIl#Ge0cG66?QZI7Z4+AJ3^Y}1msRt$|$L^;NasZl&6rr82mq2#hHlJ zEO^OUt#Mz$f~;upQI3mIX9HuRM}mhk_Q14F28+sb<;WHWvMV&CpSng&d3D8{<<|g@ zxBde%gT#0-(GgZpoHLu_PS$w*wL$1>Ac%Z~Z=Kb|z_u$OQd1!TOjtDHr+FhUXe)+r zCO9jYvxoyL;gXfI31uf}$G?s{fK~PNM_T`d1SNws;!JR=+#o7OLCDKeK?M?XN=88o zT+x7CVs8RI@Z$w;ocwqDvKWO~g-faWvByk8;&c^t&iFp!%Q)>Yw$s4+MH{j8Kfz6! zv`$i6gr4{&97sBb+pE5f+v^Y}EHY8ICn-0n;WR>}VmWB@VA9V2CD<78!4XZGahTj` zlAuN3eTi>a9YZDG22AB(Ju4O@2siAmqP?B^O;}#bUO&lhv3S%9@cQ`LE=N)r47>J) zK+2ZeR<8c5P3)hz@Be&v`z^LsUx0P^=B6?>qo=nbhrfsZN1^9CBX7mZ(t`1lH#c8z zO0TDQ=~2BqZ+`4n;NGbCo7LTG>5==_p<3MR=i@zU-Jyf;;pSBl#yLo$oL`1SGPPv) z*JURtDW^4X*woI+@ij;g{$~;;LxY2?`J<;yo)mV3!l7+vTTanY;-%1IVHJl9u zUz3Ia4Vk9#V2bCRy(2peHI!qu(g)JoPD(zWf|| zPa3tW#=LHrXnzm(-^TH){+D!i!5~?P`(VTcfxw z!y#18{AJW)f`%1N_(`dpY5t&&lwMBP&)8fdf*%WRWV=@*2@c#&qj9XWGnY)02)wim zrb&D8aK0}G8@0Lu9E)CU)(_DYxpdsw|#0f;@sdXhcav|(^B`h`<|0VBa zl~=%r9{~UI>*D~Lk7MchVDJ90nMHWNt}5Hh(qp}LOM2U2j+XFOibO#E9@Bn%~k zZf%CwTmDq_FJ5ga&8C8d6DJnmJABw5P9qiA<#kF47RtiJI7cSpeLCWnO7p4fIBjb6 z9E$}Y(~wdIAbHb1k#|+2;s5cf^f{-dTxbFQrCfrH;}s*VUxe}@6Z_AKMAfF^VOn#A zdBV;ww^DBta^ZC+IbNbqOtuXvjbP3Dh4K7C$n{Guk?vwLT6<^*%h?p^g9ToHeGl0v z?IZ`Xm>hw8h^>L_6{w?dU*tzcFNRaMhuNRsvh}AbKEce~T@;1YEgG(8uJJmvpnTU@ z$+}fy*=*%k>g{FOv1pT!c>0 z)cz5ODS{jH*l}A$u7jFkfAxj$bq0_f;X6>>dqdhKOq#(XG-UL+szhnq`9^Z&u`jcWLZT}xr-xwYT_q^TMZEQ3)8?&*K#e5 zk)G3@9dean7p$?yq&z%*^Wz zDbu*Ihz?KS4TCxR@^EbX@SV32qFcUtI?E&fW#i^NRV;{O5Qa!e0Fm6uKbOK-I03yK zq+T00@!>xOF6haB;T8iW7?TGP?|i1&Hrs-ibc=NCRrOHz8a=G zB(l(yAF+J3sODXHwG=cxZhUb4%c-$U{$8(Vogm`#q>O^{19)?B&&qc3xZt3TBdxKh zhEMY7d-5m=G0De~9YWh7mE{Qeo2LX%8)on90Kfh8&o0ww!=Y?mD)rxW&i1%k)nKl= zV(aZvwEE!HxHG6;8;AGc(o< zedrHbX%F{C5@m*Vt?{?t%I-H30=U|}10kgxaeW~iA_$8oylAm|Y_O#loA=j znQJ(K8gKHXM-@5%E|1m!3`IfzK~|;|-ayd4MG_kF#`@02Z0KOqssrb*;xnkYvdyOV z^j1btGM^HfjZkB(kF`+_9tOSjUvKztk)?{M4I+{AU?bqp>1=HF1_Fm5IOD zSP&ZSSb>w&MFZd#vb~080nia&NC^}d&@<3YX_lQjTSfWgPC7Z8uvR+m%SJz$RSilt 
z)qQ>57^80j_6-$1yqvIO{cgP{BZlP0@EMw6vF8%;|DShc61l?1n+SFyR=OgFF;`=C zM?ak@aXXzg`J}?SD*$J|S7#P)C_NI5+1+2?6-o(w4pU^q3;D7mQPJseOJKR$4^Ho$ ziwxk0j6E@-wqJ*ZM7AL|Y5wIv@>LQwN-YY$wl_TuP35s=!B{{-bDLGa(-WtT+tS>( zO#T^CIi{<=Zg;o0sS&^rQcm_1@u!cZF65_q9(-KkfKL>Ye1|bk(X=Wx!_93Fm5US$ zN4c=zD5otfM#rBh*z8!;$L-c&CmF+)P{nNEh<7J1Y^J&X4D{E%*E!KcUzBUssaLRd`1_|s`Suuu{#5kG50fb|(Od$9(@Bd{B;IX!DfqNkmglwkwq$FyO z=!W0_0t27p!m^FcjpI;pCua+krXtuS%+&0c}Jr> zFmdkw-Lq;9lR09w>;8PXCG5a{CopS%{5X4(VoUnAlENioDRz-RD<&|}o=bJr;Jaqu zVGXE}6K$aeJHK!&vJfmj;ff-JIkd${YHaC5dI=+NV;c|^U;l4oeK>{?2f&S;SL#As zu!5r44E>?k=trzu5wlV^5v04DhBwyIcJ2?(@Ulz0jTaejVaktq1zKDee!Y|UzBUJV zeogW%CJYyt!OrrabxrV8;45Z6&=||psNgRD%VKFdHc%EveMzX*hDg~+gA4n@j}r~i z;#eY%Ris2z5m|dcLyv@E!$ahM?kfyFH&(Jbg}}A{u^#0AQWd|oq7jN8|Aaa=>D$5E z7!ZASsLNap+lo9B&}V7TBbkqG3pT+f;nc^?i1jl?pqxe#PVIUzFJ;+HXK$s z9x@;x!a8|2@_krayI_Wx7?P_Dau&Z;jXwXC>#+8;1#mPGT1 z^0@u?FjobBhog15q)=q}lw^RAC#z>dW`dZCe4n?(YbA<$RYN5dwl8RAARnRQ9B?!U zEHk*7De!Hdeiq0fVLALbnVDcwg(OlcYBj009tf(`S^-=Pl9I4yI_#rDieLF)z-HLL zS;){4czkt0$fgx-c#x;o!+u7ZH}_zGkGF}7;kYrGB$pXq5DHjlPOn=;UFKJJ2Pw|! 
z)c(%p6Wfm;mcM{Z68nQ$A7uV`3qn7BD3gRoyvjMG37kxOoqxK?K{AO^Yg=h|W1JY9 zMm@T&3fkOvIM05$yboaC0G#jpu*{e_6zlN#&_P^0i9GEqIB?^o?p94_^_}v*P&tT= zq9$&xh8xW2_|WjOrm;Pc>+poWPJi>ZTTGVrWMqVIY~%Xk^6JwoFvtIpM8C~ zcmI8d^+kVJB_UUOqZ91K0M3YehGJg;GAsOmNXcRCagK8m7pt zVbXMEbA;HvJ}2ET;Ds^ry2&6(t3;T{=LH-_H%*~Mj`WcB?S0WxcX0SKAWG0}9-+wH znm$1fxd2IWX(t^yEgaOKD0aGwQlQXk7!GE|L1^RDt@u>fh}-$1bFoNRpT zZ#4>^ZlVr*1}9wS`aejw^^W&$vU>qikPkirCypQDmZx9A-tMtfW9qAD*)kMDUgDPL zkq*!KFbFQByAO@&3Kyg8W~xDCX)|h#iBeH;Kdo>+aMqq-+!^RR8e|9G|Eiq-R~KPA zqG!i!ui9Svb8v1!*n_Zh;49tbt$w`oqMbB>S1iTB1`Tyog>fXI5LnU|o^mI$lXQ_V zDt1RG+vixnoUcBV0#lES44IX&kyEL^4XQ@eDLb)lv_PrGq_#5F76yL}jItwZec{Rp zU*mM}_-ZyO9=oE3>*WncmE2r(I^o|8rftnPW+wM;3{(1BJr zy}v6{=VP4ZnV$4M@=0Wi*z$1m-JK-hLm%wzVoQ^KCMYYKTt*hYolLq-yBOX123Cd{ zC%E;{ANXrXyNkWcbG;2qE>0<#g=yS4mFS#Izb}?afEMY?3{xe94m&m5VW5^E^gmcq z8;EESN3A`Bv2Af&OV|g%TMjQm6OlI1Lzdf$2|&a zary!p9kfjKP6P2!Y;9xxot60F@$Hh2Lv}E-wl0QuuiVwpy?kP2F)VJS?VJg zk8)sKC%ml;JT*QcyoKQQWPu!jP5t{c$nQI|siC`D&WSZ_w>BpRGntFbpRe!@Px^Vd zxu0)Fw@hrfpbFZjvZAumJlLMyPqY&Xl*Hk}Lu-FhM5bY*Ss~>?qi8BJqG!Q;?W%@? 
zevb^U(lD>uN`C{FtQCy=b1ql~-ANpbN^%eF!oST;qFGO_N1}n%xbjd@p0EA!M&s5w zF7%5X**&@oTrOt zn!dU@!*OXRp^k-~)FCy&meIm5DuFK@v)@pN*};~p3;a?fr&p2mvzBF^yB%3&mg7*G zz8M;tJ0lX^k=~A{eeVaski)PfzTn%BcJfx42(pp)`<|us`^ezt(^mX4veP#{z zVvT)V?*T44Hv0H=k9DK5tj|(k?4A9Cl>~?@zod>bOqxAw_ahit!Rv?t?uWhozq+Vb}MGvC}gxIbeY*3C}Em?S+^RVrMGFp)1 zmmMu+T>C>$r+#1ft443i%I%$Q)=MVYZ_V>ghqEGOv-q4EgLV&G??`@DFvH^>+6$v+BAAfLOu6+{`8b2_CkCw ziTZlz1?2!UNQv_L`qKYApe}_!0dN`WNIZ1A3n^cuD{C}RYsfeY&Gl8rbP8Bhy4Sl+ z2GtmSS1p!8%-LF3C5x1*hBm}Y-zp?msdHRcv(Hr2=gvQ>N1z;~KbKC+sltq5Dw%&z zVNrViX2LHW`}@TGCwfNB%Q>fv^tN)A>{TVoG*cZQ$YS8WE9pb#@%`?d%NZ zW*V|9vD?tGc3xijoTX)71ka!5e#)@j@0b0S*~LsB>pfk`dZ`Xk*ljlbQpx;9Y4k}sl_a*`_nw<071oF)T>@a`9uY+QexmEtq&Sn$`> zS0P0|`pK*uQnaQP<`NQrcrGbndsR$lZId0}Z2J^+<7k7t;Rf5~pk{LHJ5egIQCwD6 zKJE@8u&u{%t~Aycskb66V4uP+Q7}kUW6=-71dwQz;z$6|rxFc|?(xg6+7Qm+74o{2jSY+*|fA zkVOYHA%g!i3Z`IxQ_6N}6$bU-5*eunG>ac#RS z0g;wwsyB%FZgPWXZNt}<@C<+sYUd_X1XwCDipS0N2U082d_8u%S9kUJ3Upk|mLjW_ zJBlEXNBTvBfXSh~q6p^gjPAj2nDyoX{ydq5g&|>~QLrm=qq^KBol1PODEqXH2aBuy|+_RBWuDF*>$exR`d?s|d9E7zyX>}Jk{##DtA+JI^S$R$b3&g=5e1=yXtXe-ijZc_=!QPPse)T8^ zdL>tY*G@L_rY}0tw51`E%L_S7Cty3U*Uf zmiY7FgKQ^r=OOVx=F&hanL1HibPc}5DOu>_X=Fb4y&olrq6dwje%zO~&WQ&nT}6*H zE%d>iFAUmy1kDKTami`L@)N*1a*z1AD}(qYT0-}>W*wS?s&0j@I=zzl0GhVGGShVxnLRbIa0gE^Ra}sq%1vvX zBkar(oeyJDl^Ts|FL9-Rj8nc~cQ-jx&7m8qaCs&Ss%!nizPUY|NZ7xO|pA|e|P_$-T?p|R^E z@u|}j&1WtgCeWXe1>a>^birFI4F1{$(a#@G^?CwxDVh09ut@Vm^^vFsW1tfN`CpA< zS&PMyV_BIk7@fI>87(P5|G@#kIw2#x@Nj7$5zy4<)K($cs-9(eH9|25e|FO1PH7{f zf%p2;zvKmO#ijYAcbZRZQft58?fv;wwdHpMxYy7#_lYs(vk|V{?#0*gZ44<4IB*Gg zsWLgOMkxj_bQFD9S1E6O32TdTV6zu66{>%M=e77tRVUH!u`t^2aU*n{$P5X6{S%Rs z#^-@A;kCI)AcFFYna#qWFqXw2{}zdUixrq^s3aHxgs3N%%&~ktxTW;gHzRMyHKrXBPGa&U8bzs zt8xM&U<>!V9ny5Xf4Qt#$7VRWd$~v^CI`7I=K{(K1f)KbkGX(UX+!6&%ntnxM8aWl z++r~cxper8L(wnwt!FpZTOL}qH0rhvbG&UHGcwP6TufNmf;M^6OARUU3y&NYg}x1&QzaE3$_}yG5;o4V#_)hbhmd_9+s}E3{)mQ2LIBPl-j82BZ*fLPh_Sz zM79~A6loXh>q6rmNtGBdvzC+s)zJU%7ODl3lBvxgZ(1DZ_Dkv*cptzr?B$n2%aWLl 
zmfGi(!Q$K_8oQyB4X#3vYd1eaaYa0D5XtyFDOme!513o*MIy&<>80n(C-4Z;bzg%! zlq3y4rgjM0&o=xS_Pu=cGXA*D3#_WgXzc&5&_yI2L9^<&r@!=E6rWoy}&Lq@GMBvb^hbnz*8% z+CF@z1#JNlKGftCM_Qdm(=sBx!}VapNYq=|(6_0s;L94G-v^3BS*t5=$j>n++`0r) zj6B}}`A-<-NPlcANXuGhflxu3sIsCD?H3%UqJvy3vs4_+@uxOUX31&xUscFsUm_*e zQ-%pPx@H#Y3@3&eULR`R)dqYc@!=o&zl~e2JYRN6B`cCriwC1G21F%SyU?v!L!Ql8 zbvXPrj4CP^HLaOd0zB>*yG`D!qb*rFd&CHf={?>j3lFPl7+v1(o;7ZqzI;eUUv#c8 z{Gepo^F~@s++SZF)UfWrpDuGaCiKqffy1Uc?bga=vNEjCUfH>=wL9+&&OM8@+ZWnh zU64_gaSt(W;igownl|t8qoD+Fp z#FYt*TnII^2}oK+BP_~7wHCs}b&C}#-BT9nu((c$TL&_R=W}Q<pH4 zJIM-oku$r!`&jn0S(*5m-WHMcq@+##gT1{;kKUGMG8?!~TIr$InhZYVC2g+>G)b3d zJ&kN0d(#d%YW`-FykOIX2%`C>3W@`EVN^0-dit4pWi;3_dK!8EgMTG@hmy(-*FgW5 zryxu0&3T;$cML)AqNXx;Fq3^b73Z-Ou%N{aZw1y|F^Gab_hD0pIIsbgbvX=ErXeWXk-r=)fC;)J` zPy13{=HlS9RWOwtlkiMfJxCxU**4eCuh?I_?f=+pDRtGt74M_BdfYrS>~Z_N+|{t- zzjR>vyzUsBKaQ?|V{4Vyuz2Lq}WG0%HfSXo?LDTbE$oB2S{M{N^$1Xm~*?(dO z-N^f1&1QkiR30^4IxDJUkz_ULihUU+3Zgwk`KlpdXZw^~ffL0+`+(=$sXE?XdS4(6 zsIt8$tsbRcV}vL_U7FqgE6_flhSAf9>x^HZ#;*;X29>8n=A`}W=Wdr9$FHt6y3(SV z-EFm-b?P@Cb5Z+YsQVDV6Zb7N3rMFQ$X}e;kHT0sfd4b&vxvH?v~fxmi9jHD1I8V3 zSF#HDiu+vhbj5w4DVv|hxPfQ!_4^}aUB|;up=p>;n|lqWf|=7A80%Zxqg6xm<2m*nO%XBo(x;RkBwYakifN|ElRrA} zVGW~{uoid9d~r%=h_x@>qJ-(79fNH|ny^it2WuxmDPb2jnor0q4a=6&dm{2r>zPR%^qX;pOHV{}EHG%l z-C;ih-N*3ui_G0D8XX|sAMP}NoIC>_%YnaCos!T`ZGrO3G5)CJV|-v@t;(NdkW>E} zX})b1j+LTY_Z|n3Q{SxJAuH+dH(eic=*+7s`FL|!B$~f-WgQ4mX>k8|pm*QfFl$Y3 z{X{g!H(~RGbC&HS!YFuS)dVLaa~oncAuiPjW)fQ8D3!?9q6HwXL82c;gtp0Tq2Lnh z397;TUrp0mpm1Ed`R}U+XRIHOPl<>>pzef{Fj^fMI#%%Ura1pxlM$n}IahSzvf+71 zZ(2Nlk}+=jgk>M-+~9elqAvV7I^?V^+63q8P}B9-zg3ci9+922guQg5lv}zqBUAO( zSf%P@T8R*%Mt^kUrwWm)m^K+*G!mhYYTxw`-2jVDvbJ<|YEC_xwRbMq<#{a@(l-%d zQl@Fr9CO;8EW|PK&TNRI%-Xtyx;@Q45xOtaNLB;KWRmcL?J;+gIi)@d-i^sOA=VN-5|NgQeSdK&&j zCev0zSwF#~wIZ()*#rwR@0Ju8Zr7WsSzbx5U;0?W3RP&p**2`37&F{r`1}3^$*fo0xMmE+!h4o@SOMnL}45vSHR4e&N)vLj`nv(NpxLA{4>IjQTU8WNTStwv#7 zn}vu5SY-si9leB%j}JK!Ap?gSx2+Mf6Dfam{WoIdP2`YbGJYnxjxhy#ylHEDUmn~4 zZajG}uxwwwE2Pc7 zw`52M(4%-2p}+ry;jU 
zw@+6{C_D>@{WfFZrQhS+Rox?sNAxktJ1%l?aC92`*Vp&wc3f>f*3X6eREyKC4M2wb zG_ef7rJ(ljim;uV^TZ*8hVd^IXUMGLreGVS(Fl8h1G5!Wf{XO0FobF8%yq>-u*&|U z@Cd`y;V)6uX1IZwBPR2fS)px;4TAge`|``8d-31%x4|4^!v_QC*X-3L zXz3lGA8Qs&E|)z&4ZuS_@`VWUy-?-3o*UT=bOkVzchniAmqZ>n6jZg|UGL_4nvRJn zy$+Hedsk~mFsdl-UF2q@GHoM)&U48`h-aP3eciR|##(4y2 zX}h$%ukQ8%-Xmj&K$OMTJPNsXV0W9H4v z&FAgy%6@t1@j3Kn;b0?J8BI|5H)=4mbhv5)T5)kraAjR?1+2>m5$NK4F5kO$H^~tu19NlWsX_;+rC{rCl zEi}4TmGV%s?LuT#*2>UIVTr*+81eJtP!hamSo=s^h7;D6;MH1mPv7pFcZkW1r&z3anpd{)=vkq~TzrRp`H?D#**5Vj zi&IQ^8KdB~?=LjTAn6Hf$=UqVI*+E*L-$An>rPawees28TLC;STh!UH1(Up4o$Sx+ zom{P@hhOsx@B3Mh!yOnZu)8W$h(`?XQC`H%BMfvhq9f~%1E{sZWy&({3?`*!q(4ziXU637IT4} zLPTNN2j|N0QbN;Ff%NGON>QGj+VtgBBSpD~yPAzi;sQXG5X2G1YcXqBtzs~V#b*os zMJw8%X#yf#-|c_y*WO@J6_$;A^)@&;!bj|Lg;fXyOvu1YtoF+#ILwcg6x6%}-pl22 z3dxcY8(aI+JdEncdy1td{q`8=D36BmilZjWgzp z&BG?^PGF~^n)m$OO-0H=^a*&W9v3?@WF%&v()1F|o{JD33PavWxJ+GW9Ae`iOg(v7 z$25%A>6)f1>#EUIMUfRu4_J4PF9~fM^sJllDmSSzh3$ZaG-s&5(cO9*yLla`me$jS zPY-^l#BH5xkvF>!H%bFVCD;UBM3)FoE(?Fc^abaY(9g(12l3o?Dw~`V-fTT(e{cT` z#nDYJeiH_DY5khC{{|Utv@5x};#4a?Or<`Zh$C62CEIn6HT^$~Y$#W?ev@0)+TmHT z96;i7&T_H5KL4c5&E0&@w&(7MLYC%g5qB6Natw>6b61bf@Xb$3^E?^5Z=NFfsfr#GTa*xP^1)0g(-FV8Vz< z+zX@kR>vc!$r$h82;N6d6zu7R6GObIz1JCvhG<^|jx2nut^=>Ssr90gA;{F>V@n7( zPe4>W`+!`;9jdZ>*TM+{4sEB9Y~m$Dvdt<`Ye*L>>>&38hF=Q=UCoEI_rqk549WWz z&&$_^a?3blfP}_*c~Q(I_aWPG@Gfi0CKFAFqeSG}I>3*>qAw8|~J@Snhf3IqH=rW`>;G+Zl3p z^A$gEp>Q*dEWcSEkbGgB0fXMz5eClw?WAB&MFYpU&BKbg#xCY8!}d@`Ht}J9^{ns@ zzf6D3$mn7GP?CyjRFeTk5ybY@Hvcejnk=)?r83vn?*mw_NHwu z)ft^r$2@e$=9p{+A^nx>ZKZ0mlmWxjR`C!C!lLtAtSSJ2IPhimN4p~n4_g9y#7P#X z8BIPj=G=5bE5E`MyXYEgUYvJeooDj74SjQ>&zjlLPTMmu*=mdjB9CyH5?-db`gAwZ zTH$pfQD|)FjNc$C!>V8hp&3VY&iaSo za`q8Zuutk7m2QCv_-w+dxuHLVOh@ixGetk9ruh=!)Xbj?>kv*|gB2_}f=obKuwfjx z*-np$vXM;~nxt*U{TH7mX}>Q{Ev9z7UB>7|;N%r+z^~PyMaTX-x=+I1mc019KIsV> zT$84qaK#(Ng?514L9VOtrOCX$&Z; zJU5`IOkeQ7_vPj7)Qw=r!9%5&EF>Dt7bbobSv@xVxum(3^*}-;?|TnqZ+h=h(d)izRCn-Q&&RJNXx9V zH;h&1HwukL03>+1rg~%j=)p~@B3EeR%!DRx8TS=nX6Fy;{YHA)oU5_IeB6$Yj-cvu 
zVSopW?}uZ8FcXf#lCG82D6oy74PXO(zpkq*deKR&;DOAfd4~(% zOwzJZ9`2<@K zj|1B;9x}VAm*f6tom`)e(+5{eUfzsU9pNY$Spwc9s$DO(m#EY5%LJxgzfQp_)@PU< z`qt&e9lch5$vU?j2YiS4qoWBqF@Kh-J6A|a zoLH}Rel^m!sTAMe?Ozqpv;JBR;_PIrTzyD+dF=Ru^lWqS^?C%$%R$tB`E;c{rsD{Z zez1D$lh!e^`G?ysJ*YEOXpG7=o^T=-6)C;Hm|_9;TnJu>)}l1HMIkc3It%R`!`P*- zn@Fo%*F6AX)cGQ?35sCwUOEeZytH2M8dg+l&}w&Ixv_Hj*j~p;L4{NzK z^r)>5YBr1+E7W4A#b6H+b5yH!6cs7x41CLIi0WyU(xEi${-ajh0@2vCWz2RxgxK z!ARtkLUfK185{mfRmh~>3gmx3c)yDql)X)MFb%81Oj?9B2rSX?!6bkc4&s7tgtLq$qR_8whYc$ z>@zjNo^1Jlq?j3C-4dotTx9X`F{f2!;p0E>)Jr#EKR!*pc(D~6-9i>hKI42DkTksr zdXy8=Z}8$TGrs5cGMgIh9UHQWE|-D~I=NEgR*q&UdIc!bOf>cmqRr1^UVMHAY%OBr z{AG1De@I>yR39>2H-E%3R#I4pM6*&SL{`GAY3$bjm{!|tHkD5aLWz6C`5)Eig;m+> zs5F-Ygt!mD>Ct;!u4$7)`ki5ao=wHMO)G1zBiJzxmZXYr?ExiVvQpUBmW@pZ0lz?x z+TmPxxbMx$Lja8} zEx2fzMX@fVb?{AzG`ow-XuqfVtX~$>OG5|gZ*{Ka0%Gn23Amo5oG_dLEf0K%(M;zN zfxg)S2G+*D%L*Vi;vc>&&+_~Y2FAeKikP?b$)a#di1H;Ci}^Q@8Ht3k^N1!SQ0>As z_+`;#zxUJ3M}Yqe1q#RFv8?kgmDqq)fS-*oSnLy1JfXT!bWR55g>gp$G|B~PgQeOd zdtdS&sPHmH4PYcU)(=eEy?b%gXwCR$6}IewJwT%@TWc4T zTk~I~Ynv;pgPF{LEz4*j$$F2A;G>YheRGcSTEq;h>O-NgD7p6F=Hk? zGIlI6qO0=Xl9C5)Nr6j>1ultklBJSl_2-GL-q>r&Y@egVe9Oi`E+>KwpVtC~gKuFT z7cov8eaIxkICdf3w=;pOt1tt1vop{%XHa~T?xmf^LcBLA6d=ym$B{AwxPqUX0UFif zl*Ot8k{3yw0!PTqVv;8Y&?-mr$xfU~;nDm4>!B2Y=l5(Z{k-zO`oF!Axgj@LnAS`^ zYX`bdDWjy%Y|;*KKR4`OBR<|Y+fdWJwNg(-rF9dql|M~zkJ!j8pHaZqAguqYYUA~jB_|@Lsh1dI_qQTz% zeOD7h3|xgr(#rzlq9DWSysMHam36SubI{>Lx~86RH}hh9vbZgIVN*!B;pbDqp@Si- zfX%-kiQkqb7hc)P1YgNTQw1p}KD)I9TWFzC2x1)}S7{_xMDd3DOf@t8FlN1~wIBG1FX3$lt}?n1(1!4Poi~#ZpPcWN$zw zY@moLDVS7z9xA0-+D~Otm3*IrP%gXh3)!U1JOtPjI*#S3g}r-mQnj!OGX@YJcz{0) zC8Ht;)>|avrv^vee4*a!3HxI$ex-ElQ$=jBYN$Dqd|=`2c}ouUGdS;xn{4Vb$+5K# zN7-?4i^|S_L2NSqgaO<9!#0)AtFGZN5rERuSlZ?1a)y%ow9%mZZK{_F#?0cl?t1NO z0t}3gHMQp7{{KqN5~5L6W0e-|Z@c+i>7DH_ryVvs(zgypUUYt>Qz@cETI6z?MF@ge z))Yj|F{3?p0aPOrTJ`! 
zks>oHY$Dhv6E?&r_7^{dIIG#{Jo+D$uAK`tfs;o^ZB?SA(s1?fG(N=B1+naoQlKw9 zVMAh-y;O0q7k^MbISHt6zvlex;P(~7>U-R_-~P1|uW|wlL2gHw^MYG0T)t!f6{pR{fHYPJ2GKS@SKedvH1{ip;p|$> zmNnk}6dEBljn*euA`rqutAfM7TI!UU_sU9mn2SuD#`em^(4qNlqI(?2CA8_1%)S?g z4sRB))25iUfiWV#g6qShINlU>T~yR-;35!IvGg)iRx>+5;yQ-i9x>JY4j`560*XlxO!)JFoit1|b0K}pgbt^73O{5vp zSQop?);cSHg|A@!Ua2Xn)-W5dB@kwj)LyIkt+WFAnLSwH*>98^7T9-fL1?V8N`U{0 z&EyHHzoEvhx9m1(kMns0Cl8uK!DD6+N6@+u6Z7{K;qX;wqfUB zg4x&_)~{@w8z?_7&z1xIM*ch2LjsIX6juPiF_xCJb-3neLwF6U&hC^ z?&qHXtbET;<^95PCJ~BJ!Z1X_T7-!s&#Rc^P6D<+4VvI0f3jk{b3{nBdJcMJ3z|S% zk5pR}L$LZhJl>nR>7BBrz}H4b@+{@koEBF51c_OU{xlZBh2Zg+vGQZ>^XaJLkE8Uv zd;-)HPL#ToV~5`xD1NlGFXZ?=&rJ>WZ%0FU+nb2Kb6%m@{hWHGGJXczLxM^o?N{2ePCZ3$yp34`>S)qfs`& zhV|?*PJ)`8E_SWUS9lY1Z5q&0;lWPQk~Wo=I{2P*H1Z#xD54-oY&35euLh-O;c_N7 zUdGdgkR;p9!h&`o_g*@=B%rTjli`{y?12PFUOFV{W!4&q$& zP7F}%GAx-{D!HUqHB^8934q3AxQl8tJaUm;nYNxGK_RX8WTR*k@lr&+%~dGhfNO}7 zVGJRo78zvLv)sx+H2BHl1O=xictcUA-;z1c}Ow*pWOj7uiVXhVEILqa2Ec|+m+A&Kw> zmJKH8aaXLY1s zy^Q|uRgcW)t^SlcYy1yJeRS6$uKik*ruDa6VkV~r{&^s$A|BmodyE9iPjfDFYRg`x(XFV#xk;2UXs>}^aNO&Y-gwIA5Vi(tt zo|7+abU+wO7Q_|3=z@xMvN#sF%Gpg7tkSQFoVzv zdx3sXGarQZLS-wUqCLX9@$PYnxFU7du_m~TiHS9gbB&K~GaIbcX!WqR7K(75s^2Z3 zkzaPAuarT@R!HFCm2|>U7#<}}hvH%f(~kTw(N^Jy@}|ukQ9pZ-=hZj@c6RgM#;{O` z!e=c7347ud^m%2-NF1(%^$h*Pto%gTur6pIqk_w-(W4{uU6L(C0Z)v{t^Y0 zMx=RLwW;$DwX<;oK6jeDVE>P)uMCT-``%VU0qO4UlF#crchukG|NX`_oO7MM*Iw)1t5?W+_tn-kum&eZhNFh?L^BXKt)`i(DC5?kqPG=OXSA|(tpVt1v5hkp~MEWr2F8^(H%hp6XITXq_iL`ibpHN@4{U6ieD2!J@0O0vj>E){=CVPyLHnUKZ7f5ZHru1u z5!l^F`43u|BaJ?9mf)s>qsN%-_hB-`kPj#7?wnPhCYo4#5ToqrUCmaEYBSZ1`S-Rt zyGRIb;Ke4Ej~F28Vj-=xrT4yHmc))T4ZjcB)EM39Ho{Zye8T9oYN%8GYmXNGt6lvZ#{sNjkfg?cP8+9`m8eg z3>B{Qrg?v7twEM)CF7UzF?MVVMr6tm8C=t;CBqe0ORH-Yvxf1 z1*f0`G16^V0`U(Tle#Nu&(+J|z_n;5h>9j3zuqJA5h-8;3!i2xtgPKiO^VBwqhD{S z{NGtP`DIlaCrDT(bl5BKv5qgSXqSHtDAGV#MJOegJ z&005O$9!8i&w3xmU9{r8!ecW8@vYoerpApT2}*z($G7i;fm)fv$%n^?4k`0y<U1o8)h5+wrMKttn=q8<=rFv#a+Ro(;y#enV=@6YwsTt z$4X9}912ptc-Lebk3X0Ge>Q+B{4Z_;b(d3{6Gl_TwRx%6Yx|-VcB!uNf-jvx3;})z 
z+I|mp;>?~-bb5VYx$t-BdSm_xsZe{lC>6qLag8CwL-Hj zd>Vy#4+5-c#u66esRJ$wS;lxY``=CSYeW`~>zDra?=fR-EJal`;<(yxwd&Q@iO0U+ z3P#Dc`rgw$rnH2-s)CB8ep0?WVwBGL?<5ySCfu&nomRm%*TTs305``KU38t9c;YuA zjyUt66{EvFMV?nBZS|+%cxgVBNG|UwN{g}fvx_)iL=_s&z;70q2Fa=WA>odbz4is) zZkFG=Fc>mAeR|>e<9%Zhf5!?lbA=D zPL4@P3saNq?H3VJ@} zJ8`KGmmMSAH&ra6O8+j~M{PDHvIJTB6;1b}-qawsneARUcMBdLI?t7l5LH1eZz^7Y za^j#3)+G{s@vUHJl=g(J`0QWnP7r^W2oapxE0^|h1TWc~OTmQFI5mz$Uku7j`#aef zEW>yANqkJS{}?M97DPTtO_=}!7h1c1`mjOth3q2;N`LgTJQcBT)(zy&7Xqgq_kNoA z<%x>6pEAh4VK;D1$p~&Mw-CN1!uybOZP=PMj={0_BBxb$^@IFx&%Sq5I?WH9G`>Ft zcRU(yw6Js?wDGi@F zn`mI%m=lpYlQH3-h`6cOLH-~rfXnLJiws8{g$d z_26MC35&*098#-MC1p*NoZ8YQwp|3eG!@=om9cC>4Y-pG6Y4k zJ*jS=SHBYeeWS&>8kjAz$jrEWMW%4imupuZ!lCgg7^8|o+@8&~C(KL)f~0uv=Tlfi-T}@j~olT2d$ft4AZ5r(xRwlU!Y>B6{x7D zEh2O22_8@2nSM#%fQ5LvG{6`hXG_*3Sux+>*Xw6ziU?AU4mh84Pj3TO($7I7;T~L+ zer?xvPS^8cui+ktQnoOTU+pO)Lf_oZ$5U&ksUbM&q1n12}JgB=%iwcwu#hyyj1rM}Lxl$lBKzl_h(tnf; zvrPObiqGt8!o;y2XtHmiq>jPCq0isKSjOXxRi5Jd+&;uS=L&}eA>{8f08VKHrqVud z{7IE45b_7TX|f#3J&$a{E<=-uLQe~Vl~pJ0+k)z4V=$Iu0dfMS(TmOl|4T8)lt=L` zm{Yq4pIa^s_}naqDg*-Iu#npP2H~eEbxyluAxn%*dY^eB|b8)baQ^)B;f?0O{1|72n9^W z_j3uE84Xg}DT`?NN`=yFVvH%t+jkFD7qJ|c@&fUkr!Xw>zx^F-l0#=bF`Lr&7R=#} z;4mn@o*Saq-L=iv&xmJ4RGN+!)N{LHCN&G5hzjws%PC3R*gYvB652WV3S#d+DjU-8 ztjVX8QTWwh?Bm0@c9MK{Qr&yA^1H;b8vF}3F&5A@4HAd07cbsW4OKgeCR|1>ibvRK zc!{27sR?Hym!FT1N`%PObOc1bjVfF#Hf%_lKNE)EoEHASq1?C ze#d@uYn4Q5v^xE^K`wJhsuhOij<;raZzC!E;OuBy{*s3FjoBUKb`C`3aXW2FK@e_) zaWe7u9;Z;a5InW7`Vizru({IDlxhz!71S!VoX_~LRcKuSs*J81 zE67RUS%|xm)+bB)So0JM*R&VJ0h2&Ymb%hX!5IKrXWCe@!TDvJ>s)RU%QPGd2+XN0 zXw+Bp6DsBqX0MRH!yO};iI-l%y=sLcGUSx!_*FSFy(5J*HA$3VR0=d{b_;`YStCS$ zrn-=XCMW%rvl)7BE4wlH`4H#2Dxvnu!^sYT+0`E(;Y5y`69gsePbvGyt_<-BHA z`N@W)XjwANG?sh%{+!}yGqwgg{ky<)-gwA-e#`-qy0j3P9xpY{y|t&xOZb!zwt(ko zG|8p;{1Uj@Ia3}kuvUK)pSC8RE_H2pY^f6d*rmvNK>L2d(x|!WDCwI%$=CYT9h!y; z!Y7JI>>iuOd=jbqMM{CpX>GPuVi5&n{}5nS>eb13I>+`K%MeM#5L+ z`P#7ojpL$L_JWP}dHfe`i-95U*eh&0RZyfgeu@ z91SH9dVU9yYQMXU*Vsd3BK-z7lrru|u!^=xI_rflVK)vWBK`8(z00OZ=w0}$x@1{% 
zY5tgO0MIvv!$*Kn0m0q9G(~eW7=!&0+}3#$TPKX=LW2R3yH?ESqdVWcw3wB#Rl`%I zPGJavt11SPwsM=m3>l8Niu+8+%vN_a?Rj4DBGOJy`qsIr=X9NdW4Sat&Hkmiq6TAI z!*0ki)!Z^4fry6v(C^l2FmKaYz^&E%O4YoxxHO1*G*!||t0AQ*ADK+e3M~wups%;I zqD-FhrRh}a*ky2O`;af#>_RT0(lX`;QCnq1S#vM3WZ9L+9Q)xVkQhS+Z zWNZES{Z{*DW(nKO@^~S*iDE8xK8GOsrU$Cx-BDrx?fL6h5bRCd%5;Z<2K&flE#)}Y zbf9J&p=kkW!Py?AJ8IS`+Afbp)mYsyg1@QYD_%TK*jt^o2LKH2^nOvyv{(fPip$d2 zpi^cG3R}U;`HGo}^ICF=dgz)C)3d4Hg-_ty*tq+8Z|Xn30DL1)$-sz@CX1GOaqql5 zK^JT@pPi7H9;@-YhtX49KR=vn3BKH}oJ|Zrvw_{Lf*{5KjIULe z1>2O$9g`6_b0%UP3chYUICPt8d(e6eXO&Jjs^!|*aH8N=T}|)mm3uW8i##Qtu*3vh zzQ7+!Zfw~!6_T!jK;E=Ndz{4_2a*=d`y0i&YFo_KG)^26wF=Cn#^@rgW2B};&t;^_3L;{D%nZv5W<@)X7~WiUwacJ)=-VR;DiS(7EBJO5NmcogY;7_lsuVQ>du z8(e?FFy0#e^7eV)6jxpIMnk<}1?{SzNeF^iXp=ljTl(xYH2lt({s3J#YQ)1H061;S z_#9IocA0P{Diy;CeHYdYX=O==E*n_1gI7U2muXcrS0~q&Ta5s6#~S6!qx++`ydTpLQ9Y)FO*y0_#2%DI#NVn=!bRaO z5}%6ZU>EudSq5g~f@j&VZQ+m+khfd%1bwOfm~jE`a2!Q#386xp6=sl*UL?k>7pO+i z4KKO2i}QmHoUeV#`a|XxIL@kvnU=lbvx|(Y%_;hK1y)ebh7(c4;MODP)!*br#YX&< zl&f=4Dd;ZCKR0vW9;!DY5KyW7`z)&?Su|<8C8M#o@VegKhYdHofjMPjcI4rvRDusv*3$#5raa1W*t?9<)+oh9}i<6cG=wpkUz> zmj@`T=+f`oJ@s)TATJpe^?^rZjUF!#SOqbqOt0fHjI{In;@6#J_2VEFT`R}MmCMIF zrCWT`WPR{$+O@%>Msrg#Ehcz}B2{jOs?GVm|C12GW#W@d>b%SG?J&680XAtw>I}XN zQ+5xM=xWa-*2j4t`V=t+O5T0y&uxBuG@qzsazbdInpreTUvorWsnJ0;kE0iy zCEA|PKXT>DlYz+EEnfq_)Rv&(s=B>@BD3*%xSkx%5LRSIJcmbQMQn-y<^0()lUEYA2PEbjvWO7^d*l6kM{92>I2D1*lc=}U554QDe0u9>b+t))F*FG zd4!qAj=+seMcIFMDC^^r(3kX_Y(-qN)Fi>NXcwLkR-1^`9dyvu4DhSHbn@Y8r+Ipy z8nz808@|wL_GlI=Dl6PfW2V$75~~!?9h0tR1vkhF+-ui$pPey}Dc7-j*diln0_C_% zaT#rxLW3fydc<`&wcq~XdDxO3KmRM3&jTBzgQu!_6(J#K^r1h_eQc$4Oqp#^=X!`y z82a3x{;>kg@BkT@6(qr|5LU_OOWXzL9%B~CpQ!8!EKW&QOOt%&(z!t)@Ixa-9Yu8UbA)n(jlOI@^I70g3a)jp?_SZq}kFP_?k(< zR3ua2Ag^tTca)N=bI(iVR1>_wC9htlGCvddR-$g+nH+b-gHvYQEg7^C4&F-@ z1KMVGBb9r!*xl!{6&CyDEL!7t;?7Mcfb=aDXl9Z>qMEEZ6*u$iM8>xUBfbT{FD53; z%ocYaCY>@D0+63LYTz#AZq84~B7MPJ@ocYLeU(WNJpo-nA!}5ZSAqjmC0VSnvIxh- z^w8We!vP6*YRzz@_%~;Cvu+;HeOGyu3lcKXFs;EbiCe2 
zpQ-ngt=inqfQH)P+hq!FztSpU0yFQdfZu8DsfJRDZcD}p&1xV>pWPy*+j_h$=?Rfb z-c8<0!*LD(Vg=(=0Yqs%bHO!s?_j-3O=_Y;FfhKRRpVJmhgGd`>^3zCa`327LPjeX zjR0*L(g;DM{;Q`ErfKqfZM&rzfYVe%=nl{xVU$2-Y03KEjfV98!bL5uP~>}jthQb* zjWp@PK50Zs2w~Z`l0@|C9;Mywn7~(}pPTN*%tzDGg)Y=ZwT|qFMW`{o^O-bekhC zI^v(&Z-c4mh(k9wku5w6lUbBay)YZUH09Mk+LLzu7r6l<97%!IZ@W1sQ+WD{XT4AOW{WkfE!^^=ex=J+}}D~f~X zJU~}#T3sh@W8KZ9zrQTT<@sk`G;dor1&DxK)-l04-BxA%BqVp3s2b+nR7WFf~&2 zdtJq=$5k{x-{pf-s==3x)i3SU7n%mPtGJ-{mkiKL_lwW%$#mayi|t+Ajf;;N(c@@C zD(|ZxsO@3=DYa#kiPPm*L&M9)!RxdtsM0Na_tkRD_3ESn&t$CQ+CbpLusi$nno;@X zD(ADe@p*+sjcd~e9{H1C^4%Jr2SjA1fTtl6CusIdK_V#l%ToKV+D#vW))h7bk=+^4 z6|m!o-eaAeg^Q;}XrV?I=ip?^_e;eW0QZf>#3LW#`c4BbVHF0!`rqH{ zroIuEhI>$4)xk5@pP?LlPN5}&`9GKxij(bW7M0#1?f}OtAqDD{=tJrcLBx@6VQ-AH zt<~S(sNsPJ+u;}VI;K>##g#D5UL+f`FO#!a9QPe6{AmJ?%SHu9Q`&i0xskRUNm)30h^))|WU){$cA``Wb zG+qVim<{!32aNN{$zs~!azO6Vn3{Zv$5AUe$;Trhun>04MUVzfKN z!B=?Jg-*eU^`3fw(LtnBe@wAZ_x1as@v}6r#_2gz(C=n$bng2fV4Uk-$+(1s zxt3BI%}BI^VVe7vdB1;*t8x;}CQaU*K3p7JMZlZ=6noCm{dbO9c^To;t< zWKj0w&B2_1gmRdl>q0`9@$`axbz2W5_%cpx#+kUbm_}L%M^mtaq21hD<*s%dTIt?qz%|omdlg#=Psndo5fH+E| zLdcbipCEmaeZyaT@3~&eevIWqrtM`BV-dJs;;Ug`kzRM_{7@B73F{-pslWibi3or@ zoNBU3&wk)#nxcnK^j~H;#osD>_M`KZP@D8lBD2CzTI58=0mn5Rr=t z?zF)WpL$Xo_c}Op%WY3s)cMv**9KHgUw#AHhiK%`;}rj+RI@f|ARMpjKyx?F{k~AG zu*J4H(Qpgp(BaO42UyXp%u8)n%#2jha=;lU|D%&lIC}VX4h`;aI?aLUWb>kGU$2G_ zKlwSIi_XQ(0jFfb&xnlBE{{eMs8=AnM>p(XzhumvB;vkMl?L~1%-4H331@^3 zagR2QVH0FYqFZNI5Az4B95BW(r2+L)hl7~Gp>|SE6r{F(6A8*HH`)rt$5G_cLt=A5 zsU`OH;P#^blYnxTYVoO1^H8t^Y|(-xpd7AkX&7qgq~=$fcBdPP`dtg9bs&yp^VBH1@*v1`5}%rr9)yT37ty&-iLx@1YGS1{Z~IlQ>c~##E2hC zS1UDHiw(fT^7r6aP;SWNyTvC+Q>X>lnRiKJ{$u5&L8)pfrWDf+Fe@j6SviTu6pqUB zeT8Z4nb|Drhh!j}p8@25fwkieT|eYD6&x-Wb)KBXRPua~ZJV%ldLWK~V; z#iF5!erTFL7V(Tl!KIGl@Q`=~*Y+sHuc$cG!4llh_{bnYGrI8p5HFAKG-CBM6QIczr1Yse&CZG1*JmlaaB zvH+Pt5Lp0ne=`liA5zQWbLEqbegwGA+{M+o#bPn6*|MB^5h7yHJXI6Rt5xQlgccmE z^ykxPto_qx$Ph)nGWFHGe(N(_e7^8-vYb};I#!KpDbA2|str!=7YY_qp8+xrF#b&D zMy{EOmZ`DE>Mfv9|H_``V&^}|U{anfnQ5525q}lB@4)&x50$9@k%8;N6^mp%zw# 
zyW>XmzyTVLm*c>GZklj0ZNwn*V+@eRZnd-7{-2uCYP8=q9eUX1mFs^IU=g*|x}ixP zcoBdikg_Q!9nm9Hh&p_+R6%(KzxczUg{@D9Hd+5_rL`?K=v`uD!*mmSBv+^^ezcn8nr)#KqUa zKoiu*IsnMIut`@W$JH~$jN6sO?E&Rmy$>CQ6cBoIQcB11_bW?3jlV)SS@x50Fu}Dq z@Y^pPEK6{4)0383Fc{I;JSeo-eo`W0?lu1U-wr=7Wd|&z>8pJP8wf$pp1$959@~fO z!`l4ELMW4oPMag|I9(J|A2(isU&MjoK6UcTNXCn`pqFgEAX8;gXg6)@dkI1bqUAhwE`@y{}iSI*OQ89QkHPZ|Q1>B(t zYa3AC{X5^D(S9SI!+_{M_=4fcC~Qdbu~)?K5C!6HQCJO8AWAH)Q{~l7Dt;p2T#_-Q zbkswmDK{Ve!*`PZS&%6xek4!@SQrpb5+BH5#)GdQQB8(C~TeP=;YDEqV3(qtEDf9x8^+X3pfk9>*l9OHW0Yn)ypn8s^DqDNG$J zu}OOdrTX$VL>u2w{iCh^$C=FQoI^!0ZClr;zc>h{w;lZ&K~_rF-C>R(NOB|=dii|Q zB$6gnCjr5RUHzGQEzd9C*dXCUWftpt9h4u_JceV}AL?Qm3RCs|P&hj?GBs1JJ0WqpqsZ2pfc+0G!#=^pCW4XTL9)f<`8^_cM z&5}+5R7hoVGJDgtPHqV@ zIERAqNONz9|O9K(}Ew&Nfy(DE+~$!kn`Z z#rRutf)crNkdoF}f9k9&YLk(8DJT$A#O{dJ`0qMbDoGQJ#p!RTjUOs1hI5KZ=_7c% z<_E*r^cJH86tw0vaX{K{9lArb{;|onIkhoRa_s)s%ht5{-NnIf_oz?!C}oGoT0_Um zDqnNsPUPwZr38-clKdB8mS4Gn!i8a#Bxm69A_A|cvn9(J{3~9pP99cgg004ziv1v2 zfiSGrLn0#aud>ch_r)fPVYPP+4Y{p;e4foG!7v!X7=|VRfz>iQNW*q*+UBMP27|eI z7g9VbO|xUjLr67yH7A6^^N_U#>?VseUJ1uDE_IKd-I6I@?U6{F3K7$wY<)DAZN*{5Z^_+36XPq_-*Gl^Xj0XWK}?2mFY4 zhYF-Z6BVk{6=a4Qv<3|<83=eeUj6XF3>7stZD?-qI!_F+iMt3#DXKsQ+;uvNizWUN zd2$cHg0$IQ3^=5GPfzAQar3538c_>hCX)hD9kM0CogT4{L~=@3LmZG|ktaJWEagmG zYK1oy??!`b!O8Fyi?UD)AMQUj*mg3R1Q9$QxLcKBiBmsH{OR3W6&6t2-cYbfhqiXb zsJ7uw?|Rqr?7=(khxybFyN)OKnzH^E5%W9ALDhCe*Cv?6#(FY|Vg?J?LhLyd^yk>lsPMZ3y^rmP?9){BMLErYEs3q#7ou;<0Ti7j|eif*yie$wi+JYsdJX3TiqSygc^Ch#f`&`;_x zx9<>INg{#mBJ8s=8jm5O#$BakbvQU$MWxtpiCR4L6!2cMH0ooOvz(bZQZeFEj0o+6 zI$@R_`w$iB(H%uqo&Q(I+(EPFPXP^P6|Kykydl9(h$7s-{O+0RBMw#yzcfazdlnr$ z6;;)!)DfsJ!m-su$xc`2Orx{VrFS)Yq!l`x;c552pZ%mn@WE+vYjA~5;2!K5eJ#2F zRS@F+bb0S+#$~{Xs`f%pIt#;}dmAl=V{vse<=QE3dNR;IeL|N*KO70QBe|urhg~c* zUK=$on2-r0M&ym71qg^L_gZLdgDYhY z{LRz{>V`Y6xAZ%WXV#!Xs|N=eflA)na!_XnoRyv37jZ|G=evH*OtI>zEwq-SpnLS~ zsy5JqAdhc6jz%$fzPP*o1m#gnjA`k}y+n`)vw8|go}$)BOb*TE2!q&Yr3%46e#0`M zo@I^HeK2LB6nZ_rGybuCCE14EVd}kl=DrcOfKX{G*)?l8x{?GxertS=E3w%7%;l&( 
zhY7pn-_u>r?x;p-;)3draLfRvA+nZbW|7Kz7Prcc--y1_|$>`FI$C7j40ia?wgFa7jt8FkM~gtdB;ee zNa~Xbaq^PV8TInrOQdurm4RI>uKzIe*koXxHIn+#^cEIb`)RSC6$Y;K@$4ilfR@R! z_E?5{ww{95s)sE(S$>g#r+qc46}6wavcAYsb-G%)VI^NZ`cRkGj$RDm?8~}my2+Jo z+^HeD_B4zJBw{N1*AJwM(Gu1~0TF77=w#KV%`M<6+9;z@!QV12@7*KwdaNzuy*4}U zv@P+iQc>|P_x*{vavEEdTg*F$zDMfQuU#@rC`%UU`&?7ejU_SFVcIK>#7W_?@BZ^> zr&JY1gCF1CrmC?NYBLfH6(F0(L}8lOr=o=e ztt%V_o%81)xzzFcs0ktIVb-fX{BoYj%+PEBv1Q~lmv^J)=m~gW&f)FuM1#T7@+#Xw zq$nMAyFokeN-J79&jQ32JS>bJ(nQKg@D*XT#SZ^{xi{n2TbI&}%#GkSGESGXr$D@R zJUhMHn_O=REHC#<`erTk&p~uC78r%&wL>txj?gqQ)z&iJZV4`Sk3DYxXNK-i57Z3s z>Ds8@o7wGp{_<*fYxS9k*dG@}C{PK@=59YwXT$LK{{cwz(7+d2 zE~G86Z7AS9UE}c$vCH`B2LA`1+}>GGnT`)B4A?u11k|9hC_0N^T}WDK%ld)DsPD3* zdiklR0PlgHj0;{dH?r$qB9L-FKdwqonWpba#|x8k@x zZK9a+S}wT4hjPk$?Gou}^wcftbD!|b3F)Q6lj*z(G}R8e4#mFaT&cNV5#&R0mVETN zJo^bs@_g--L;-z#cd^rHJ<F5 zn#}L{b8=BKxB~*<0^oC)`4~9rat!ow0iBy&C2r{5Med@2I|lcEP*K;mNytF$>x~!$ zS#f|TFVD*-efxd&=(hL5qTwhc4e-IDY4<+TGvRejsgTR5Q2-ywNdQaidXsF=f!kvi zqxM};|5V3zc2vsh4^(pZeIK?yjS~lbi8R=~tr;Qsgfsjtskoc-W-xA-*5mx})c&fx z?W$hN=k3gVh&~2Zd*o ztDRTn*Da*(cfI#W&-z4PzH~C~1TON{|KdmkMwg`m-=4LCy^w4w#<)KZFgR*kEhg2p ziFWvdSxNd7+$D;OWu#Iay;iA|GuTflTW}OA{>9}a$Rymwoj0!G)?AI)HgTXPrG(rZ z7Nu2#s{_lX8wGPs&b>aDddPgq)qS_e+V+8Nwp=mr9vHW&6dwmH@wx1Mg{D}HSM$Uv z<$&&{%q}qDvL6fj%0%qQFJzO#JJvRk5%00l!Xs3YBf8xu7}Ni>tk^AR@8SxF(UdF1 z)!!X}UmH^gFbF1BNKqFHnwI)XjeQWxaW)muG6D}Z35af389Fh^LvNajY5`^%I4m70 zGoD(-D(#wMY8oNx-CBN4=KT>yzkJg@t$a*FnMlB!q`RbOz0wf2xXj00*dU}C_-O(r zeqpH){UPiv_nMg#fzd1piI;Yey|lh_a%#Ur+TuU=NLYW^NWybhGDG`Cm+NtB_1@b% zjmx*n^SVbfhOKWzojU;x%J+NedM4JJPDr|dP273_DB^7}t z;h@+BGn`s)CM~-E{Y=|(g*{KY$xTCBa=6}dnASOyb%)CcT+97G70C=2mh8bFO~P}_ zU%LQoz9zq>>{L2EZ9Ypm`_5}xvQuyh?NvMkF22~Jbsrvh>fNyY-r!yec6m#>3H#Sm zW!46HPwM7UV$wM&%Y;O~s#ffrMcQ6KddH9Q=XbGA`WTw>%n2+*H?J&EF&Hvq#^rl5AS074Jyte$SCfth6L1w9-QI9ZYyP@mR*6yI2&#kWp}2a`CeDsiEwt;?p)wfF-9>nBYR6 zlju*80vg<%`LsgFXQcPci`ayT@8M;_Duz(P+64BsQulBvz&w2~W8%uM9p zO`^#Z%QR8vGj9MJZ$A^(r>wHMgd*uf1VV-?{8?}{GG_YjIBNQ?mSc*^q}3@(dOZNG 
zK`$Yyahy7v9tcy?oMG>h8~&IhKQ#7hovc4c_5VA;Acd3dcNikb!E9?Jli= z$K=xtTKPh#)>M)mc)7KE;C-bX2TgUH?d8)ATA#n;_sKop>R(RPD9Yhr@-}Y(x2iq- zwHbsD!~*$c|JLf{EAv=<67r^8Zp@13cD2%zJ!X>QIJ}m6!pM8G$!mdr7Bkmkc@{2# z)MjRz8r^$Z>Hp^4V_cn4W_|p2(_!9n--@_OIwBFGuC0d_s zpjCf>#}sDpqu3a9F#SvE1~w|ppc{y7jE)_p>}NQ$Kp@AQz>XpJ!yXSCQ|7N2e58*X z$)t$8*7JHLiQXZ>28k^6r}hi-{c2cy<#?F>2n90u2qSq<(B| zp5A2afIKoJVWQC%HuN#Ahi!bQeCtU0jPWkUB%I>kW$_+8ps%{IvTur0ANl?LJJ^jk zATfOWELs7xU_Rbt2TrA5p6%Mfj($DTh_`a|4&Qzo4N{2bW8kQ;G-7*6WOVoWn!cB* z;u+BnEc=nb%F4ys5~N47PgI|RSjuI0dRoN7u~x zU8cvHxMmKlWf6>KH~3^JOa|l~2tmDAT2UWo*yfl+COyHW?#iGy1niW5-J>< zzacdpWd<}Cizau!zAgQ(b^6J5yS-KlRryxib#UmH?jdtNiQ@>E@X}WYr4R zf4H=WYdPQ*`eE1$Eaqk3g>N?aZL)kwhuM)UqAO|lJwow*1akj8oW%{KmM^q zp8BlUH?^$|*JiU7&PD?x8@9|f9_qKdTaXmDtG)>Gukd-jm56}u_m{LUjW~u`Tix~p zp`xl#j(*3tOqixTERJg)roz&)hyTxwH!^_m696#!Sp}9+G9*-dkFXWNXt&58O?SRz z+l5D{3b0vBaCD#izffX{uxCuJa#GPaNJMeK#1O{Ia=G~}&ZLS8 zJe}LbRM=kE(5j;Ve(Cr!wU>aruhSL%jr#RlG`yCqibJR2wjqtnIDT(ulpVsRF4V%R z?nCJ;W2HvRxnma!9Y;jbW1DsGI%Wa-H~eg-K9 zp`L_&6S*d&ME|TCG{$*9TIDliN-5|w<0i@?muzZz7wV1jvYpEak6kp5Cp(eu5a&NO zlwSbGNpB7M3A9Enme!=cEBZ+ep7t_k`Tz$FcQ~_zRtg6BZe}XGdRo5T0VP|hW#E6R zg@k25PFrJT&M!`V>}Dp2PWHFGufQ7@jVF2+Fas+1G`7 zh55{{uAVdO?dCU?lB+X9)0utd*=8|pg!jTy$2DnQ(Y;fwAnI7DV`@kBFlxu}cJTq7 zI$O?M%*vvdJonwJ!^G#He0-JRKhfOZL|D`X0bJ2_bZm+iDi#F4KQLN349ey!)0>IX zrH5J#fk(>NnEb3!PuOiBcy%yoJQIz_@ZiUTJhj$K&8f9}sjtda_Uf38bZ>Wh(~sc! zzVcoi>8uhvRw<+k;$riPDRau5D726bNp?4#y(cgKH0NW9p7nd7lCHgFq!+Ur_i+Y! 
z!hwMrs7h}_*aN&e=UwQ-x(@|V*3rKZO^R)lm-J$svLCEVH+kZbMf)+R?5ZQRXBN=5 zW%`fy>KPDIMz~%b=h}iON2EJRJ?6;+O&m>XN@(<3zO(W|#Fxyn-2SWx_j_aXdc9Z zILz%fEcWfpD9_7toKPSp66qx{Rgq}GWZ2F_6I4!Q9@=)YvWZ`A{0pD)&kg5f z2SC*P{vM8ELo2z(Y9qE|jBA z-WrV(4tAtDP-OctY2>iOOi(u?G6`Mk}@ba&yZu7Bd_r%W29qBEP(J!vuj zj+7xonmd+$4B*7gNA*3LNhn3;^S*OS^u3=^e#q$XS2M!0iGD}c#UeY{OZi{zW62a4 zeE&FeBe?2HT{Wz=zpDIHC9}XR#;g{4;J>T(FOHnid_*#;hamPnk zvqod_Wq=N~c!k^w@dHW%tl^%z7EPT7ypWX=nwOh*0g^|yp|*E@TaGV}Tm8`SS6C0m z&CaF44^u0T-{Gcrqmq zIuHvRfjf}e89!XDI2L`jy#qg9U-Z-CcN2?WO?w1}vypKiLzz01H@M6#a=z?k>u@yC z3e0}L>CsfYj^4egO%q^kIA8qZ3gUyJe%90uTJ`}&t+kBGB@vW#bHT8OGjfdn-S2<@ z3w4#zO6VH`Hd=+i6e$U@h%y<4hNO&AFLqj^zs?u!&St?@*LhF z4)z(1Yw2eBTBRV~)xp5L-;-80YB#4czV-7W1C{s{iHlL{7;5_bMRFRI z;tkSd!fC6EP?_7WdwUBB)(jN`@`PNx2qNI<5~bVvaqXq{qLsBFmfQMF)l@9c9OX;) zX!DP4fTTEYlAoILOjH0SeVGd8iop4gPmF9VMlPrc;lpsHCI_UOIV+65tlg3@6Q%wZ=z>kYSV~ND4@^+LX-}q zQ4Xi_a>UhRC?jM=hABztP2#p~*G%J{QUOFQ2pEMh|7gLgMkZbarbQH(7NYzW>Arg` zE^F44p zkfW{!r!E$KambayUoAM@ccuqE3m$^-s}09)iEgrm>6J~c%+P1YstoN}Ta0*ZKieF7 zmP~tK$E1Zqh+Sa=cHoePOey-Gn1-~17LC4uERDW#zH4y&X1*lN7#6U4zb4^YFAX`R zfq-V(FIsetJdmTJ7`66_u}TI1KSaUd#*w+W?2-Ze#`kTUZE9{eD#McbEFQCuAUVv` ze4w~YY!%&DvP(-}mpOq7H~%^R^a)MdYTnwgNMw#IeR#lcEFFBOg{vnZi>qgB_n9YBz$88vTM}|xaM~142x*n1FDKbZOIBrr$I!|6zw!GubnC-x%Ug-pw z#gJ68$_b2rWRS!bnZN83(FBtLe*>+Va0>VaUu^0eh9;u}aiz2LR1vHx^<++(AK{XqbgGgDsT9hyapWe7o*mTJ`_j zBA>g<;Nz{GjN*&Gv=VpUAUKTJLsDk7yiy(xNMOK?JL+Uxqn8%;|^5yQDHsilVe4IrduoxI>A6iT!Ea>Oz^z8R#`;Lmnkjxz_3%XlQ54vFX* zird8Gcn+?pDqIqNLVgn*M^f?qzp{`AbBa(Nk*P@3wdntkeo^pMpPh`VO2PCKxrB#^ zNPW4Rb5JIb4D0V=Gm(YI7-g$RUK&o)6q)Ara|5-BSBk>PIv#y(;mB(yfv#IrQ?X4T z_aFL^AkskLu@UyGD*Ms%xnk5d&N|hboP|s=nM`|C=EKS{Bkpuda{t#^Aa~)WN*QdG zH$(RfE4OKi%&Kl2YK+ld9@ms^k9?(;<{#@e*08F)-u?eEb(H~CHceaU?(XgqkPan; zLw9$BbV!4AcS%b((%s$NDc#-u9r2at`@8Jn-krF1W_D&azI4X%$^|S$u`y1hx~R)R z2+FmtS6RXLqm9Hs1z;gmHsinsl}_pC?N}pK5v*3%RH+6=`a*Spkv{LM)y0_|(H=mx z721o(c~l#MWo$E!vyY{E53};C6IByxSUO#4P>LR3ucWfA=4?$0#=+5UHTKQ^=gm-y8|H?asvv#%F$-oSL9MACa*g9Dm*pW-86g6_h_ 
z51Qos(3Wl)`RRc(nE<6Ng~dUOc$F!bKd0d&U3q@BOMLz`aC72x@k2@k{l(Fq$i$sQ zRl6)5_Y4$(m2WBei88u%VFcnvZ%BaMOq^K4K$mzGhG}%U12B5J;d8`BS4Umv2uf9) z8}{HOQQ65^v`|PHO!2cA&ULyLRU+2A&;bT1^Psqr8VnPkPkUsz*hkkJ)vw;9Y8 zbnj^14E%8B&7x_)ts-DVhGT#QYCZqm);_f`-|$hhYzi;)OQbd-w$@PbR6CZ#S~j_K zD7mxj1<}rcxhE%Ts~IT9)|6D}NgA1pBPt3;-0L#P$mnQ*%b>Z^bSEM1*NOsO2|~4Q zfx5c6+)nWYNgY}$bu>&5WT`8fv65_3E!m-zY^hAdWJCv3W!naRzQjCGdZSl)bcT8f z5A!IyyW>Tj^CbUDARo+8f~0Fo>|@2WZY8m~ow+^tLSb@>!1newpq!?`gpguU=SJSEoL6 zf2*ES8q8Fi9=3HtTE!AINr;{*(B zJt&9d3R3CmY$wsz(rJ}*OS`9A;rY(=liA`>mZpD|`GqP3QZ1*kl{j@k92P zrz$lARgL^@Zf1H{o=mNovD9^$hWxrsZSF*!;LLedu}Q0?8y_KtpM@g?0kfHd9#JkutOYQ3WExVd8uu=Ot%5}S752vp{hN+v63)2J51=+`wPrK~~xOWWG=8#5WOMt#9UVtKsF z(@yLwX=r_74a9HR(duvHZh>=a+4FR$Ctb1m<-zh18}l=90`7YH(x{cDRNza)NvmgL zJ+ssejJr39dNZ}E4^13{G^fAJa-6CVWgI1KA)Yd8Pv8KL{9tbG(a}w=NR-GojxXs< z{a@BX4A+~I_N5knG!wFIqSn(Q6h%IyhjjI?cHatQ8LDR5XH%bqG}27za)^;CzY!N=*6^ zf(#Yj78tCXB(%~UO2odn7QnKkU@n28Y$8cKL*K@!M?t*X7suKNSy1kN7z*?M6&?4{ zeCQjPjrgrmaZVxa7a3<|8(7RU>;7EY>bg%zF|oF3sKT`{nqrt|lzm&&u8M;=HubVU zHD?IFJ%JqmEOs%OLYnHz6|+A?%Sbn8i;5_r27Bw^>jWsutzFx*`nX9#@S`!881u}@ zcD8}fusFn3t_u1l`aa$&>70jBG723z2VLKAlL9!)|IGk(lJjxmxzjR6jbIO;_jPiM z5$xKimqHz-8(>3;yk>&aO~b#QF%DIo+1(;>qdOLXY>!6lV5UMRd zvdNnkpg+2^voD z-;Fu1u|KaXN*?h4MEcVG;(ee9IGndz)?R()z6)9|ckH>=E32}hlr<`cF=PlghY0Xg zE6fr|!FIHlfNy~Jw_1Ys9uV1WT%#J z^+x{F=>P{&Knv^G)brVu<3?1o#8QF61>)Y4^0%b8n=V%l_Gh2PG~GgxHgQDN3}wly zKT6kUILZ_uD9GS?y=ha%w?CPA1V~p{+6V_W`!kJ?jQ=o$riiMXQ%P5gGiM5%3HrCL z&S=z6cl0whqVZg%av`4HXiGn_>oxgz(F;@y=Py~YAJG-`KC8)+??u=cjHoSFiXO+o zVoTyZT_|8U;sX1PiNvX^tIvi|sMixXR~J;IdX_;KKiQDyTe}D6@)) zzBYfj9xMkvTx91oSS3cxxtZ8?L#jUgR7l78RVD7cq|SrFL2*BpNp6qW+4BBMr;!ir zQPCp~>B8NQ?aakoGOo52Mq=NgkqJnWf%9)lnARj)T0W1$4X%!pHvO{2H}aq6b+-C?$zPz zMM2F7fQk(tv3)kC7?95`6P=(bPNfYhDqkLa$w^xX`hphJxSx$P2f&fJ2z(`oLChC( z6M~I6)`%9HFqwI4hHWzVlg)Rgw^k!zj&wY{CiCq3#pY#~OXadm&!DyIc$}DG0-99h zT#9-JP_B&E?LWDHFja40`>80L#ZQz#LLwhJ>W_bJW51aE+*G=R{HLV*LSe#12U4G^ zuN~`8!qGJ0I>UiDNp_S_AZdLva&30#AcdYRX>62KPhdF-%9|Iij}_eKL@u0dwPZug 
zuSRsn{j!Oq?^OD*pP!iIN7mW^vx}GC_$1sBK%~4Kn8X@pA2x)R(G083vkJRfKTv##XL)nL^l=17uzrylUxwlKuo@3w zkGkf2A;Tz^g%mzXRWZ2)xEGmWdl_1_e-4pG*bR|&Z zJmw!JP|Pdjpbda~DAyCKYDDYR-O7Fmz(Sf1n^lwomIwfw#Bmg-gqGVfUsF-u`4>s= z5)&75#4aTdsLPS7ilHcx)9DJYDjq*ZW6@H+`2#j787ZO4a#Hs_@WABYxS03swW6V9 z2JK&I4}f(&e(h0@^lb3-b+nnzv- z;ae#;mbmQXUxicd{wA!E*gTjhgYU2vMR0W>Uz1r_y*0aZ(wM|G>}`g90meGFLzg>EdJL=F~`iEKdCU7Bt2E%yuX6dAH7plQC zijjDM&W(cUfGB2Vez0Bq4jPA{%Hf+68`=X`{9hXG(7NuWF9|3D0tfqcz#0V{+bE=&ogS5R zT-VF`$I1Bh-L$|;*Abx-j>H2*1E`k43NTBQj(d%Np%x=DgI&9gxXbz$n@-VP3HM`X zL`5sl1}yo|WM+VpX(p^nKd*B9;-R4(;AaEk5AOJr`&K|;{V&>8zgMU}R%yZ2zq34y zI;p9WzHJ~AYBZHHQSQp->H;q~&&NzHE$Yz(k%d2Gb);MMdu{lTl-NkT8m1h50u&aO z85{`}zk8ro7g`%GzC&q740F|8QQj-AptZ5v6D{E0h-DLHP~@r;~&<&Pjr(=>N+Zh?E2g%J?9qG=cTd15ffEh||!wrC+<% zhP%|B1d_G}WxGjfD8pZ#ep$Ud<~lau}(@`{6BE@{Q@Tt6$7T4~Pwi*12i7 z#R0Zla5=1-A6l))(In8y@rFs`GQ>@P2`a30kMcLOlA`Blgqp#SvOxrU_qctTrZ>uG z{WZWA5rn((t;1UHaBW%PJ9z8!33{2j=nVSfD>7z+(A`Rw{boOd@~C9CO3n@jtoCqb z&>f4aZt`*}1pMeJK3Z65E|4z!{g(NGjgIBLYCzup%W8>pF4`hN2pp8)$X+4gdM` z#EzLt0x{>=mFWeI8O2!5S~=N+4DtX(B=yWsbbMEN#5om*p5ra0^?2ob zH*h3L=M2dARtm-RYxm^HIyAGo3Z3lGVDGZ*ewy*b2-(`(kL~NqZ@>;`5~v*$*Yyhs z>{zD~XJ5wzO~s$r(yg?DlHhG)3=N+*!zDAqvD{yto+2STUku%llIArz;x>;0f19ru zFHt8tV*UV>4NbpX3&Oc-Cepsrsk4W97Hm)hHDc(acm}r^Sx-URuL0y4_H`oj?Dym%jau1A)z;@;Siy(;28)N@-eLY@ zLJwy*906L!h~&HiNQaj4UvU_l2g5*Lrg3VDPlCIQ-_!U>gci_iF|87|=XsA*q@^4N z{pvLpmgBIrn+yHZw@h?{)-bCC$+MH#y9(>{YVIjNXal?FSkNNfUlQy$2+03-}D_oF37lSKChLG{7 zjTKrXhx4NV&Qp*VYL@aCcfFV}l!u8+8fZY<<%_}p6Dkyc44_cK{t+s&kty$ctCpcz zLOSWR+@`zZskmpFpI|XCzy!}iM8_uir4Pz_@LwjSdAhYXdjv!jg`Pm47JX!^Rn2&n0DEXL#A z9^|X(C@$NYb7;20Q4T77+30fc!C^4z{QfPlZ@X!sio}>(j%UQ;PVz1K5~yjaN#>Q z3BKf23p8rU@hxg)>&Rocv=}##Crs1$jq$vvxy2`KHqVFWfJlqgyF};o)t2W2r@<~B z{8@naF(Bzg8!~57Al|k=_vE+KMx`en2I0MD)q3}rd*l?iAEmUdb(U~KsE%mgz(HAG>r=XQZnQ}HU^flnD3}dzNcY!KWo_d&%AiikmD^uaK3~*a!#oouJeAd zBPn>X5Igailx|Zl3g$-EFl%Lw0SFJL2gjJjDJca9>r4S`cs6J1c)kZu(f7$s_L_Sv zueu!GF|mUto-QA8$*FJAJ)7>E?M_#y(}TQ|&q`uAMAITR!6As}moxfC9FBoVzC2n$ 
zy8DLKUSUNh&-`2++#^KGg*1wd;wRlTVF{62Y_ps9>^l4W`OPWi!UMg{DaR!#+>?oE z^O?W9lV_P*0T?dW=O2(kbyBU{jL%_jCmb9)UJWsi;Avok24;!Vh8&($kD1-|^ zHZNK5{c5rThpLP%)0Ez$q7SbPy5p(*RzKp-q>DmhI+)32Nsq}+xxZ{LbJ>hh3QApe&%VqC(jQvzX{e>^C*7#p#n`0=J@yVr*{zY@E9u)j|3q3Mw)B%uS_d! z?^r~GwUUoGt)VRvoJasi=5i1~U5KI?ft53|@X%45QQ(B?(_5o|vy2Kq_}1=;b*Qh_ zZB*N}P$+ z-x`hxJ(ufIii6BL7M_MM%~(y9YUP!#qH=!X`2~5HS*A4i;sYI&Ra}Jb|HmQd7FMB6 z(JQguABQp4RJ&GnArjyeGEv_4CFgwMw-}7}Ch)cH8wO7LXJd|qhQO6rH$*GVv0Gwc zrWT-Iucokkk3H*)wag-o=Km;*ZZl|O48_~>)rin(72rV<;ZThTiNHRbug)~`=l1!wob_EeU+Qio9a z0S(luvto9!+Lv{~6+_b$=(X@<;0)|HK0;y-Y}=C?R$6JCP10mi>#c47WQiL#=8f&u z(Ij5I6Qq-ahZyA5G8r+!L^F86B|$7}ZS-`5VW0>Fg|zzL63AnlGZ5UTqh02$EoGB!0II&IlQ7 zm-lJmq&pYn{oeJa$N58&{|hQbFvt$|*GO`}Qb1SpsJ_&fOy zQEsSnvPs?en(T@!F0SHQH&bH`7Ov(X(hM`P)2bE`o@(f zEZwQPh*$R+ntgTjBD`gLcjd(!#!)>aBfB+LbZeKMzDN&R${l}=pq6r9`Ogdw*P7v_iI>9af%1W!N zquq^Vr*@g0zvV?wwAc$fl+EaDoWiRO#B4=ZkgXyI;Ef)r;1QzE!UrsbH|{tupvq8`TonGHd^t|jxHrD0EW4YR*c1{fpiY3+wrXTtaWzpwQRMXbYGH) z{b1SF^2rxCtq7(zN6d)fqw`A?<~;YP ztwd4T>`SPIedevlR>7N-r7m*@nFPWIy%vR`?4V;EsG2`2Ydx-p7B1^Lwfg7&zHd#rg8w&^yEdN#HD~w`edQoGFne0B09yX!4E3LO?7n z4MebxY~eW=HnA1p&WE>=UGk=94dLkY+-2$tH0-3d{-}TAGKZ-1&5tOh-S>Ij={uFF zJR(d`Cn0wW2b22VvB+F1(&JB?kaAaUu(l>ig(nqMTWLR&-_Jng_qk6pwsBqTTGwWFOvuytMEdM#onw@k4T*D{KWgSV@G95E`_?pZgjr~1^#7o~ z$CGN?=X(i&g{CVlI{v!|Xq9E)A}F1v+${!Ymw+K~0!s3X;y?f@zTQLy+ezUwk|Xw< zf{p{>KTu(#H1Ka=R0k~Y;IapzHpPIZ{BGrBIEe03i)wiEDZMw%Wo-E*z)wmkdywLf z5&bJ%BZK^lm~wHl)V}0*D8UxiA6}&T$92r*!fhZzY}W39&gX5&-DOYS^it5yH(FBt zGjSNNvi}?HHH?ur7r9YJA_=@Yq~3|GLkG_h>mb31%H2X71702GJd}}iP6)htCMkNN zu$6Jyen8KJV@tv`<7GST$p<-HWyaI1P^f4o2RWLGIf{qOY}RCUt1;cf&E_Mt4>h~B zBg~}C6LZtI6Q^}sF>-E4dzMa+uI~v4t0@KtFi3yHf)E%)Mk?QbID-Ycos9Q@(~Hg; zajt16#e6}QZ;|X@U?^>1$T(*8frCYQ!@MYe;!i_LC`9)_{O2S*lR}8{f7wm}fdIu( z`>ba(K5p_e4v|c9o<<*A??8~`603r4%ERA`%Pz{B=LfQ|qyI}B1y@iKL^RGz=dNtv zX;3n5nbY_Sf*@Y7LwCrlfmQcD1e1kMYlvrEc#lOP`>2Z|$INwNQ&J+hlsZPjt$PK( zVW`Xr`AvM-vDUlI$!YeK&pwnmu!utbsZnXEce%NIV7@<^Rq7*^7pd|y?;xSJUP>&Wg}@Aa5l4QS 
z(Hvj(7-g&0$hwc@LFmb1Mzrq;(LwL{MNHXRMg6#7UjiLR7U$fcUj2*1%cGUUmWx;pdK=e@@z)8IRQ; z>0(3+;02y!A0`szM#}oiZ=ffgT7@UPi{Hb+;H=F zICJMeWVQ~}fpUTIrt0b6Z!ni-kk9qg4dfSvQFV|^&`;J91_T=Xz@O`aU5s z-w-YJY9d^Elc!?G+Zz!8jN>q?hVR2;RXd-8iq|hYJYkj!M3a7y3(KRmrME>(y+OpK zo+wvk99b$5B6hbV0C^`3>7E_2C`*I-s^uS}TTPKUv4XlwFYJ!}}fX~VXELe&HERu53p$jYr+HvIG78I**B3c>8nhjhK)s6&w!3h`e=?c+I z8Vci1d#+FYR9GMJd9pt{C>6-;Al+{wM440Mf^E5gCH9ZZ_ie)LnX9-&76CSr`eM`! zq(eGaW1v7`C7!fD8o*YSwxRvchxRJ)*6>|J{y~FGO+6_Tnwi0?}^ zB#EV>^Y8X0QWC44m}yuUweGD|i>Tbyb+5{Cxb?y3M)mUCtX0=)}y1D>8SXt$34;=)tUa2@fBn)&e7-hDk+%fi>J0)Ev4@; z{wxV{=ku-zJSWGff4p?IP-(VVqwiRSndsyed=PwlaLk1*-S>Y%6O$fi|95QKfOiML z!}ekXtu5_JCggNr`Xa_8tSwlxUEFAXuTWdrV>(&l9outf$9R$hMfq0M#a{Z5AES^% z1+cTk&}Sv7JR9>gHGtqfRto3EV4e-Fjm`}(p8AGfrUDuJiQ+VBwsfmkp65txs>&^}uR&bNGB@_#^W`Pd z)skpBbcZj1UYZtgiIDKJ_}pyMi<*$eOue|q8td?_#y9+#>xw+trtNnG;!k;h;<@I_ zaGu%wf{Hb_L%q7WNCmY*y}bS1x=_pReXjTX&IZl1518YVR0qSGQ2A{IPhTuh>V>=} z-83^8UUeU(T|g7OUbKsJO44^T*(wK$7BO?Oh{}2aliV~pCC7A<9PToIv|Q%D{RUwP zEW43s{Mj!Gr+hwezgJI3k`G%7dHR-@+5y?fl5vxKl}SCWlT|2FU22 z>|*qvieJ9^BXu|2tG*Ij$m^<-b7pj#;K^L$5}dX%Sg1Gx>In5Sn!AAix=7}=?BLRT zFL1(}eNPG_$e;WxJN+uG$b4&G<+>brH%K+&oUiD^h)M0dS>;Uo+pPwLy;n@*B>|2& z$RV!o^_Ua|p|!Cq?i%J5(?DMReE>=tP$MBsFFb;17=uLG^1cbWxa&>azM%M{uxkT? 
z4sadIKGjoEZeWWccz~|nQ3myO*e#3o&MQ|6GF}B-$eTJf*^kTb;lbL0^2vRF`b9hR z_ln^~0Z^ z8{Ws1C8xT-Z2$221)HKu4;d!99-ETIYAd&vJEU;t&$q8sG7bU3)NMD>2JctqDfeYO zuBd>avN36V`^D*DJ5PBdT{>qYj9SW_Xji5ZfN4jwD;nKtdSA4rdq;3M&A#e(;n{Ep zN$UvOBK_{AxM=BbXq;cAK3RXu@>urR$bBWSA_SNdf%Z{~s$d~LIs*fjJv|!TQc)s2 z?mq#%?Ugy+rlkf7U|J8qF^$tx%x`}}@dUwY<;c5QuCW4z3PmkRWXVo|VGY z7ZU7GTiDAySC5J{H|Y-nj3GY6ECK%`MYKm74sq@OmU~Knt)xT5P?vkz+I@Y#!yzn zq(~_RWz_EJfjaw2FpR}F!O@2nG*A9TR&y2RiX)yv-EbwX*N-A)rE^MHWv-oSS=f>9 zH{~LWE%tk`E{kIzPLZ%2ESAh2LXA9e%jajbnEVBljP1gyoo%B+2);d=B?Z{EQb2Ga zjs~ToAD~NtY5`R@$FfbjgYjr|R&oE;eAUA(o&tuiEqKH=bhf zgu%Yx8y7HL-Ek()i9D`Y%dS&Z=+nT~3ONy;+&@Iz)Ur#n(>E^jT%L3#-1b=#upQd8 z5!TDw&VD$KvmcOlmhlktya6`zc|I2OyxBB>eo$1ULq4T`;sXG)+RpYq%zI&Jex<~B>zPNU04h{Zx=gXR-S8e)q6=b)<`fl>t zOLOqWUNJ{$wAFf3>~WWas_5sx6sUF_^OEC#7%C`SVdAhlTMRIwbp)aL1C4VgmduZU<$4eA%!W)Var; zt>{)wP0Ju!Syr@1;WGhtc(ruSF#hyUXF_8ZiVrpwfp~~C)+|;gg`cy;Bup?Zt|4xn zf)wopj;7;{cb|>$z%d3O9#ufyiX8kZUJ=R(3DyvnE|#80K-J+=$agMGMof6^$2n8} z@<0of-^}o^j|$a)g%ObO8Rq5DGBfPQraVr$I&3;9*9BA4(16&Nuc@*Y9xhM4wZB># zUryJIulKI^rlp@y8=IR=TkGpRuk2PU5j)!z6wqLMPm;qPSO+}r*iJMA)YXfNO8)8= zw~9JYw@#d@s>S%leZPgvD1FP+6_L*5qgI<|9~%b#`M-rY!dY09N7wvWNRwS|&vjFP zYt5iRSDHg$VuVc6kk^f-ZWrZ?Z7378`_s)+@8SdFpI&DKZ18^`GO@YHPun%(sdX_R zbV2{17qOAvpxxdZkUSdtkbQLYM5!FR9xz{2t-6IGu%xF+{P(<4Y8O}nfwh5+KvE8} z=w-{QLO$CJ|7ftwO5=*$pb8EPEQa~}Fh){&FmV^X63Y4?#w(7XZ2}qp7{9EVOkO$D zF-wW|sZ319a_U&XFPNbX+j6jHfByR{q0an4q4D1s2%FLP0}F}@7Q&(1omtoH2@C3Gs%sSx5}&3( zzuJKE)wc#4mX~5+z8Z4LI`o!a)pdT-A+%SPLVcP-`seWqn$s~E=CS!W!l;hbu^?an z9|3|gy6KfBfCOlU=|8-XLMRvgj^spfr(#bwvu!yztKk*R>40^n>nf8a^}UgQ7g(%! 
zD1feHo61ywg!feobVcNQ>aQZ_zo*)c%7vQF@Yl8RrU5XmF9V>GP)EUXtRz-sf_5IiN($JAZaBB95W96|t^m*#$5|em#7}7SuWxF#k>w-{* zn&W@(4g}gW)xqnbx+xpz3n@ywyu{_tho$2vd=(+fL4$FR@q?&B8ht&zglqqqYV*Ew zIGKyK~hq zH{os-eyi15#Ms*ZHagPN119RNXtvtWAU#p7iI4lRh)MPyCOZ9Nm8Xx+fbWQn8Y2X$ju<83uwWJZ4^v<87X1U4z#mVr9I0U9p&Lj32-gGVUo`kEM9 zsXUY_V!cq~lQ@ducu4o9&@zO8?#4BC%udl-^b_w%ZG^~(D4jC~;2;mt%16%Nk7lq> zq%-mN39-Aw;~zxE)7iRo&lsRebn?GvRAVMFMU$>ojji&AX++s zCHs3(8*a$m=PiqdaVVY8-Jbn+v{~AQJDVNB#NN!!LdA6bq3`&G6IIqLTEF@$_ox^7 zMN{6-a6Ii*&UH<7AH&na`yP=bdON-4VuqRyYG{ciT)#6)IBOLu+-D{|j-46-RqOk~ z_vbbUbg^4yGVzeU6~PK|qF?=;rU^dnfMiufLz`9549hVnB;6zaLE>ae~xTHEVqENu$>w`UD0wcqm-P}U@|vCol3iD zJkp#0{@#vx#;#;?dV+#q^+?VhoDZSMr<2eMj&Vf^A5O}X^An$z?{qt!66D2qt~sT7 zAq#50u7&G&hSX-8*>3k2eVoMz5N|})vY%>y{IdTWNYo|{d33y%x)mfG{;Xkel}E#@ zZ%~Yf-v;I(5E3Igxb)`@2*1tn-akKiig@n1*A9UNN}xCy?aw8i1?bo6_*!Itz~OY= zaO*=ls+NC{;_E{+t96p6OVzafb&S_x(CE`-^|Jn`Dbi?Kmd&|c?YFmE6K(WL=5b^? z)9teCL`bsXnq5jWehhnaRwe_j?dbbGsCZVNF&KXsEH&2*Xnf9SBM(x5oyk&T#*|>X z^if_`qTKdrcc+ro1xZlZhg|bp1Ibh?J_c{lqbCV53L)6CQIlT$1csZjP~!X{GIO8L zb+K5|VpgybaS@|Xr2@U)dCjfHU#U2YgE-kTmYajY(?Ct zk;&}UiP<@xw%*-|0!Qpr`i4OTENSh9N}QlS&~eZh_D99cLPsLeZT`nW6kFdVpjsRQ zIY`DT--q8)hbl=iufWb)$`u?TDK`O4Dr0v#vv5~$9Uq|aUB5cR;5X}-!`*bmd#+9f zLHE@DmaC^mM=Q*ynq8_CJn-_z@@Aqi)$YD%_;lBmxf)Wj{1<} zcbhrs*t*V6T|2n#p|x=VKCkct9I5kj8^VeVQ17NNGgJ$#245MhX={wZJg}l|*LCLj z4}7vn5qH?50|J2H)0239dfFY({4)++rdfW!2`eeWVOqzu?DNDJ0i4XinFBxPtfM9H zZ3N*s&5~gp+F-Li2+PkA($NSw`OZa?<)!f%1dCi3u;E44_e3l4>Tve+RAy1PV8{Ztq zPQTSU%@Mp?@D|=hUR46KSXS~yc-5#sBN*r7N}|3izpIMT#tBmN0{exC6K%t7+o6h} z`)v_YWIIUg--IHUel2jUJ4|Rd!zRmwmV@(qO$TOxH?WLps7jQjk9T2OOoCi+qa?I% z_sV`}!NO2dK!Say1HouHGDeU?d6x-+r&&I%r8it}O0aTSk++jd67N^7bU-)d-NE+c zWM22v_T)BjSFO8)FC5?*km1f;=KNQ&n_Dqwo%m;fE^)+*pt=%K{FGufG0-gj! 
zi0PrkqYzPKhDnOl1LAR+-2 zo-Ploy6lqDmz$U`?Bdbj`%R2ytWR_nMG6~T?|MHwF=uUFzFbT=bCl%RCg=yKXlZD` z{iaZ1Av}BU7jhV~XtoVpExi!2?W1Mm*XAXo1MFLV@78B04xVGroBONg=*9p>{`v4} zZKXx&r`G1@s*?2M>1T&(cM~?kDtOYnh~t-EQEqNcs|u+_p#+YL+Wf88Lu;d*!*@>1 zKUaUrJ!vX_6jYRC(ld-EjT(ddXz`g-iS1*_lj~NW0TBdrQs6uBFZyRs9V53R)Cv5najdg`Fb!@u39V@<5nPM2XGZq|lyFMT zB0Q~u@aq_LO4P|#j;9cIbs zUWWKR%{`1oV>t`yM~`uLb+4|toq+w0faj}=tJA7zKLFMLM4dG0)8i!I<#2#(#p^9& zS)>k`*NR6(n9Ge#2bf_L>T$jo}kcMRS7dyZFFFb4VWZL zGrZ_yu>AY4Xa8AVdwBFMbx|1ntjC5D?D8>$X{s4(cwHSJ|Kjnswk*;H@~~=5qr;2*7~>pSN_2gNm2OxiC|XUX>qoZe zY4p#~!lu$nAx7+Hm|c+gy8pCrjRVEehBU|(sD)6*xl_D6L7ve5yPA=S2JG{!9;7z` z0t9?tZUfsVTUaDBO98rN@x1G#!9U9u&F2502x~%zPJN@F8yZGrqx?~D2$_6->_-dn zQBj55Dgi|;S`9mD!@XZuL^}0v5{)CPl7zQ)eB`<6-Qm5VC7`>NiUI`~e)JIT*7axn^x=MOGKO);HP1K`J~0g^u_zwTouFppOcN`3@PH-+tm zsKqD%ObbMVavb%IA+ICR;QqN4k!asU_t|jnf7c~MP4UpXcac3~lNq9CfM#6Iy1g7F zpJ9BcAo3|;o-Bmk?FTCrV)=>3yDcm-HYB;Vd-{j{;w(S)+`qfAqRJFkimlouP6sA9 z_^Cw0kQGsg6v%1lB~|%vMwjEyi7Wq{!Tp~Rtob3J z)H3S|A>0*Pb9mBCM6%<@4b|}>?2!upRzAh=uBiZIHZnc{A!k8Z5GBa>3|Pth*g?Rr zQT=}Z7=Q2j@pN3(I`XKf{lbJ#Hq1$2dAwQWpV=)h)kv_7*|zVa-rIxi_v)_*gW)eL z@FPfjnr777gNY3Rk7$wiLC%`gQLt)ejs+7d@&zyAI*KHjG()k`iDJ#&n1^jzTp;Az z|3kQ4Du-PvF}>&Q(UVbIX%$ts_cy*qm&V^+J6hErEiPoNJm+t`uqiu-=S9OB(zM&a zJQt1;yDb;D`5eaabj7hxqrMU4OhTwq9*P*ZjIVlE*alP{j87T2 z@9s>9iO>>qJcjG~7f9$(J{-jm$>zYs{TN3vcIZbrsc#074)&)E-v3BPZ-78A1l=uI zW$kCSy_WdN9!Y+9sS1YDAI8@r-!$GfTpqWZ7x;=G>YB{-nGIzTf0L`70Ep*u5y2d5 z$ns>Tp!$X6(-MWoOk>#dYB%HJvhfkK;LySUnDd z2U*32QA}-^QLu`qwv(0q-qcD>sGIO)1IAEi9bHnK-r=?ny&k<8KZ+*jk7 zo_?Bq{`qnh(*4qCLMz5I6=L?VcjiG#h!FA%gYlZ5*WGz8Kb4?3GWk9v;s1!b>aeJu zE)0Sa(%s!4NH<7#cS$!(N_Tg6OG|f`(%rp;bf=W$x8nE1|Mr>Z?wvDpPrT=yGc$Lm z2cu6_uHO*CWgabV4aYq_a5Jo;EQ8QTkz{GQ-wM{C=m*88Da6`?+k#Vl4}48$>5&jH zg<))kv~5M|0WP9Qn2=s-R)>7WOUk%-#%c_r3W9DtH+Zt7nm$*WH5D$N-b5BOp$Z#0 zF>`X>jf!{_+Cxn+iVB+7RJHiE4`N=P6j@n$gpWG}wA@;{=01@^WgaM|*efs`({> za+<$%hM{GDlq$NIxeCM_0nQeQCF0oLG2&;-=#&7v@_UAcUsC{jJ2s0Ei-Kbz-Dy*^ z4%sCs=|eHRcoeAqwY~i!>gb{m`H#C9n^GKU^8!9jWw?y{%~+Lixcn!`zl7UDt9Jcu 
zXg|IE6WgSBsv+D{`UMGgu!RT`JrYgtR1^}1>qc`bl*sI~W?6oa$WV`~9F!YdKwUE; zzQU)E(WIYx72eDs{Suz(VJ!m0pgyzlpnmU!emp5EQd9vx=5WU_OK{Uwr@LzDn#7&v zb?VfvpMe`4ikiT$G*^A{(>mOi*zy9 zABS91<%E^}<7OVfXvG-I@Or_w&AKI2>{UoUlcO*erwYa?KPQVblap7{?%YU!EW`Up z2zl8iK<2N_zrrV2=V(uM_5dL&nJn1AB z#mUzIxY1%PtB-K0Lss?BDkpz|!J43!o~k(%sJf)GLPw<`6!Q{Oad!aLV8r~l;`ID6 zi9B7Rs-bR8sn-Or+Ca=QG_Nj+m=@u1i=>Q$1$7{d6f)5c>WN|mOI{-jLx<_mi4dU9 zfwBHzuSj{a;H<8D6Wy!3nVX80MAO&iC%fV_Bmvsf3RiM5?pcD4}1)$+45oXJfQ~Bcgw#!-0G?Hv?N? z|682g9}`56je3{ucixXZAC>5^?pCs|OuTQtA^=!fYUNIBN)}daO2(6$E_Pk>l5w%$ zo=-%CVk3SR2Mg|P3P-;K;HW+X5`Gym@Yd=jeEA+rEM>Rd;2LX*(e&*1!N=>Mt9PGz zH!A?^AQ$nNTvO5bCsx!2-gF#U?C?A3E)1U>QSC5vDkIjksa>h*;ycM5)Idy5kRl}- zX`6co6@}H+Ul%*spotlWUeUy;F#+0o368&iKJiP8B>D@9?Wg-T549pPe&EbOB7oAhN&D4>=e@W@T(5P8&vHI;E;?)o*pW16e} zmFxZUS^tOp&%73u&d-Tb_JlLtIah%nCL@FQyjTc|@N<{=c=0;oS~DLW_)llMgS-1N zR|XisDG0o3o9=CIAK%=k5qaZ!&}jH8ReTeSlgw$ZCi$k^EC^|8E^_rG$2Kw^S#^Q> znte1)DtLj0%KvAmo6_5+w;Nz@`SxVg?{(DEH0!djfACh4rz$lAcXuPhq^^SnhHt!KTsi<2^iDcbziMYCjj0fC+&)#iE{Iy z_i1Dmp(}iEeqZ+XpV7uU)qTCi(VUndvZLSy)nVD$eX?Ay3&P2>E-js)V>9jO8MW+Z~2F4HAu<|d&U)&mV7;vpi8OyWBO4X|CCG1j(L~(QG z$F#Zouq$h&cX&!4L*=nlmHhsrDXYm*#AGBYath(#QH(=>q=H$R&h%=ywbXyc8|U|( za-!3+ zqW18}hGsDw{@K(9aE~X)_XT-iR>^Dnr*2DYM(b3`6zv6Al#AqHg-?Tz8lImYsIpHG zD{Q>H=)Hu3XG7MD2&-%2fhEX)zrch(D~a!H2-#OrY4q~+1m^q_Hrf&l&bYb}d5zgS z?`h%09w5{>!V&8i^+;&J7hb$)0-u$nIS7Z5MLZ*CT$xltN zmI7TP;ZTw)hpL&qztLC_&`$i%O{pTf^hb80&WSyEDJD9j+DW^GK_?0#nFNSv8C`PJ z>u}jUKOc-B!YR5Li2F*L%FR$Ro~8sH2H#=Gps2G*yvZG8%5nTqi&M~M9beP*sjWgP zpLa;Jla^RzXH67z<08x}S7EdnLNUlH9G@ewF3j8LGvw$TX&DPqq3$={OiMUgA3vylO*GOlohuNMvC*r z*RaLP)?qdz=DsFuIZDJ!QiCsW&?WwJp198Waa%ZwgCI*_<5Qx+wmWyxuXBX&>rIGI z6A;!#iA;6ZA8c~lw3(8!v+p#F?+k*DTULdHd5M-3h~Y#qbbe&u$oVBr24Tnv@_k6% z#(t7n1>$;w=$PiJN}Vww-$}$@0~VvJ7^Fl6u^&h)O)r>5VvsQr6Bt=kpJZ7Na#UMU zHywFSI%Z1N(DaWDT*4SjPXYDeFB!RISd~+3eiijQ7SBX^5&%wMO-p$(on4emA{+E( zfW3l*!W}LL(6_x1+VbwxUnHB7o3~FoKXDoOE|j@9HLc^Um(+PbGs$LV<+f+~b4NJ$ zAVpOiy+I2y?i!G0|NEb0c%Dw59KSg;Zj9E5n`U=}A$(;gXNgCW_UnC3%i6c#?i%aL 
z#x-qq2I?=|C4FS4>H&LiGmXh7mE&N@?wG-rvcPYPA(OuQ{%3yL+yj_0Gyq~M--g`f9bkJga^ns?@vCx zE(U$V`+?sa^pl=N9M5+IZ8?y^OAtoqlh>r0xGRVXT%LZr8HwlaLQz~C_dTO+SE0A> znnBk?9!mLGxjeZtvTcn4DekIh6yg(Y)dBs66N%Y&Lkahb!!1BpcQhql!yx(E5}&U? zHecFK!edj4A<<*Lbg-tfvXyI;aSyCPQg?)URdAETZzlt+%FZAKA8|7A?D=`R+NSkz zc9q^ZwlS_LL?Cj}(jww)eUaPRcQ1pOv>2Ez7O}sgY6A75XN6G1M|4}v?LH&2#bKcl z%HML0%O9<^bD73*g_#md%JS2EAK{mw>1rYV0|kcDc~K)#pM^{?ama=){g}a}88$W& zE*Y&#)2k&plgRQcAPm8+EGsFU4g!Yyr3z7LPW?_Y!J!@SfgkTlLO*MN)$_O~eFx2- z8uAIez5E2>k7YAse@8gd2Yc^|r3dHw#knkpdXzSRdKjs+wBZJ9Fm}Xlno4_4;y~Af zx~%n864ZCLUz{&-T3SIC2KQ0P8S_p@E2AmA)pxbBzo@Xsxn+(&+^ft1AaQy1c^Mw| zev`UY!_Ga-#r5+ns;7^vzR2g>c3}?iuWvtxzR?pQ@Ju3!?h509rM)ow6sv}sIAflf z*PzE~A(cexi+YTj?>b0E3v}D|g7ran{YO)SN0CH-7K#N;M${V@2}G_(TB$mWc|XD zpJV7)0naMbOoiJs#U-FfL0y7oQ-Ze(TlD=M-rU6Nph8Eva6p5C|1+rc%;KE)57y_0 zMfYpRgvJFOcQ(=7vu9 zO1*=dP^eSj1U69Q3$h#)37D-GGX9GYOyG36d7LAV;ITN?_7TQoNTc?-&T|r>lArC# zLa)~>+KFbG&zQmK6#v;3g{`o~B@Rjb1d*z*7v?nOM-I{uWWmn+&5L8>YuC6+9J;m4 ziK9K-Hdl{_%{5UezQI;n@~%r#)$Q4LF}&}Fb;BxxB8zpVQ!g_mICuxKoE=oAGtxx3CL+gK4V2;pZSX#)j(T|PcACo6 zI?87-`(G1Y(49Ba&so5)cs}=U-#oXswnwCAkc^4lc*aRyW*7>oQ(>J;hztZ+)1v(i z_t$=bei(PhnrIova%bnZE;EO~$HF)O>LFo+T<~ajaB}!D!in~R$|Y^0%?8F=ee5Dkr5qOFzDrDjUK>HIajzajdU<40yvEXuOvt}!EX>LAF#taU z=F>vX+Ttf^VWfBRg6ctSheOF%yooZANPrWMd@mM9ujph0fv)JC=JU)b7y1qOfOZxq zEl#pO-`C_K1An300pr5O+;AXXP21(+utV~f<5~s5_?v2mc@YR_l&I^ z(>ULSVpPw@I{(_$0o7X0hx`J`04Q^mH9pYiLmmD4?wyY!$J)D_0{C8wCtfwhBOw0F z`@`wBP=V8_x0_orLo5G4u;$6Z`(J57jjBU!Nv_2)NYnz-dO>8{a0T^9t}2SY)aMSc zWtIO>l&sxl;t|f>&;*e}_1aHqBKpu4|Hd_jY~+*ba;%#%h3KNmmhzq$?A06%f?BOM zYowGPG$Uv3VRp>crConNrKG<~3Y@BbjSp;mOrdhy@rrs4WVJS{I2o2Ddmdf2^t7@` zK{kpWI>oCY%KPPY8O_V<2fYi;3rM9I2?+;A8Bkt@I~ZIhVH=+8_{DyisVf6gXS5LE z!+&(pO%rT6A<{6ZTgl9PZd%08+Irl$_rmt4#p@d*@mnBimDO~sRnkOL?0}-&i^SBI~5rTwP` zPIa%wN08md$Uk&QA(#J6Pg(>?g_?`7g@mw(q&E2RH>|RWfBC7V9a_r~4(tjDGt@CD z<={F)jTa;;U32WSIM!qzK9nf8%COieZ4?DLOfn+T%}2VxAYXfFHPgS$%Mv%;ym6Iw z^4qPJ02XT6&`$+r=myG?$_Bj(BF!a`qcwCl!;aW=^Z&YYcisYZXaA?W^VC%Pm9t*T 
zOpWB;4K2zcZweB|bV6wpdc5vYtFPU+WWR|potC)A;UL8BVHMgl?@I~egIgvTJ-ECs zb(nzU{TX2n8Ie)Lu4`ZKKo^jBzVj?z|Cv|EJj{g98OtrUkWiFLExGmHpCRK`r=sy4 zX}^`cjn?dSPjkR~l%Sh|)vw8sXqV0@gzl7@<6kCiBHV#pq6|Bh?lbfXyA&>iSFP;a zUe*j1Rb?Fy_EsswU7mnRN-`lVWJ(^+&JbWnf)J4d$`63?{o-DErbk&OwKMZESLOX_ z8Wz#!a^_+TdQ3i>{D$0YGqb+#nghpJ{rpoJ5PnHUt)O-9-A6!eizRSp}W@M^n5(Olq3c8arm ziv!R32#U$9)38`gfym-A?L z65!L{_OpAtKR!n19fban5oqJrH`SNL*Qi)y`UG9&!@D66nD=`h@b>6$X8ot>Q4P7O zl`pGfCZ6Cn)8dlcLMeDlkkNgw&kPqX_D!C)3b{d;opMrnS$oN^7UHnv?;66e;ft^O z5-^6x=U7!t!&@!S4X);o4b;VMQ0<~Lb4`} zQ+oCl!YzRRNMf|`HXDIFJwGe1Q>)JVoCD)?e~;U**9;6sYkDfy$Gb(v z6B(t{>fT4N6796YinDD7Wr}r|hZ2hFzy6h0937fHO#FxV_G|w3fZzuYtS=uJa>aGM zvqgMX1m6ypmXwIlBYmi?xuPORF-{{=K~bTot1#Y?OORfNgL)-`^w}x9iQ7ekgg{g0 zl%Bedbi4993xe!NZnP`oF(57gi55P~Vjf)PS2tEi zyA0&-VFs^Ktc!~&WPBD=!dHDejS=nuT<@_8x<7UH)K zPdI-|DMwIpP?TEkIZgu)9RK!Prq^B(=#@TNk=*Q~iLUk7z^~g>3AZdgbl5hPOsHl;^=jSfy$V=G^YU21??Md|Q(-ql!j-1_S2*_b+>$ia zy|HYqDxG9b_v4tf!@1-8o6qoy>tOahE!5Hz_bKVsv+=xm7<(MGJegixEDC0sTtm!h z8I!Uqk4gYi$r8PdvAe27jQG+!1#|z}cSYI?+eP5&*>L}nGJPyDoOfFw*t!LRtt?0& zd=J5h$==fW%duDY!I5*z9^w3oz4u}p$@>nNZX+xGROwzHgFj{E9ImU}Y=)WBpm^++ zBevYAugW{Hdg>BE$zQW}<|(pZQ|DWGNTW#6I6xX$8!; z*=b8Io0hETcCd@&UEMTtcpMRqZ=rZu1{Sohi(w&84_MP4|HWN@nlwIj-uo}vWIH9U z{$3;!X*9llre9{-)A_NMczx+?(!_t#AQxRputj-wP+h+BkcgXm`;`Cz5NQg`5q^G} z9v6SSTgWnX^gfAb@}{}!GtlsMTsT2&1?5(lE4m)PYo9?zJAlB=Im~C{jt*fq*L^lca*h)jR}wQB9!{-ERb!>egd@6%g3R_x7vP+sM~Qs z$?Yb+lP!w4dux+CzB9WY&(iJLT&&xnZABPl%DdPq@)-@qH>|H!cTz#fH6(|P$!keX?Uo0N=_ z(i3Fc4FwG1n`0sY#jL)Omp}Hktqn)^mX1rXj_Q4Iy&WT|+gb$FZ@u`+)~4^87j#5e z&y~H~ofyg9KYGc}W=+tCC4GTID-uyyn{LU9rr5bDN+M*H;yVo5sXxpSUSUH`6Nfp% zBI^_$hy?mT&peIWg-IATS)(exjA?+APaVo|0CxRm&j~sz#Z75z927wM=+m^S!bwdQf_vWLSK$5&Z4J_sq8 zX^SD!QyU8HxXKp(=EaqBf{o=4V2yzL@&wS?*i$PTBI%H%D50QYT+aXXnV+~84Vi?N z4o!{;+=@z1h37SUwDrvk8?VR-Lxe}^f6J_Lj@;=$13EZz^nL%5?OdWKuf2b$`jvZj zlk_g!Ty=1^Oa%6-YCotB8MH`l0)4np3&+;&yG#z%Jywa1n*8WE_*9*y3;AM4gtA9>nn@N;<48FFTI+pO)6sc*l`!8#}u z2!3smu;@`tB~_S*QwfWMb%-+0x*dd@(|CnCFsYnehetSEhoG#;h)u~9|8AwbLDlS+ 
zgqM7HQ9mNLMrp{WpMzp>#*E&rt}b_1WX{_tf}k_^`S<&^v$NG7L?JMog4dMcsFzh2 z;9uq~AMAbWhb_`TA89Vji!hZBgx}Ce3kUHB(>^9N6f8SPyAD3?H)7Mp|0}Ckv^APq zWHp)ssfM_Ip)}XVhJNV9Ol~m6P*WwXUKlH9AQZiG$VDB)#q#5qB+^TUjgaqYM`x`e z>lr|cn!gdsK~JV3&?5tN!f3N$-)<I%i<!c+dVs;8WcuPU)<#>Xw6NXKPH zI(9A;J7?zxPnDbD@Qo_G^qR&(gORrt!?)N`W@Hc6q<+l50R`(X4n>00Ne?kneL#rR zaPKlLv?E?}9gbQAwWn%GevnguhCIv|a^A78oh7b&%J$WQbCAVwvUG)T2tdJF)I_qI zl-?TiLc-=_pF>=K`T>#{>*9^;sn(Dx{11TR z?qBTpw(5kZ|06nNPrGB*c0LLAP;Efn9j%`W4YtMOR2wzA-1Ly#+o~qa*Es#{JMzuW zJkre{s>LsLWA&^TXeNA03>}xokQmKQ+hgRNN+wq&S7_78994)gN|W&+lwY0k zABp4mT-z~C3M49^z+AwRpv8Eyp$VGGg|S}D))myU3%TR#gAl*Lm8_UVH9uGA>H|Y2 z)jlb1J{q`@+t;isn%K=H{W=Zn;9|k4xAFEu6{{i$}Tzk8^)7dHdF_({i1VZXQ7;&sX)8Q9Hh2w z>SJlOA9Ien8|5Ke zEQ>Epa`lJqGuCRL5NjJjvxru-UrL}W@)-x0VtZAn086|<6EFBd6A;*|NTptc(_OAz z0>)`T5Zi@ml%HM z3Y8T4kL@|-V48fuVVVS4bsMu11o@4JB5`Y~tbfafl;4$#I;gXzK`G~{l1FJ4 zLm8-)H1a#ff8|Q#EI({WVfqALWr6ljoqi}p?##o7gHaE-HpppA8)TE3hgEfaWifji(j-x8&ARQY_dN>P-V5=llbKgwc zu1;<_@ek)wkctji0>!aB(1twm1Sx%%bA9QeY+@lUyaMEX)B>8Es&m6bEVC38YbzPs z(&;{Fcz1lvPyLbFZNLFUM6Gta3XId)9Kd6p?tqZm^YGCG=FNer<7soTjlpMk$o3Ug zIj2^U4R$WBFPgm966 zYQBnBZRQ1EZDtnJn$rY)tm1tV;uUu|XtU%-|yJNH8a@7SFPSs)OLFlj{1CEAqd zT7qOINk6Z>eCcoLKqQ8$mgazI9eBNQp9LM~a14ny$=o$Da@-VKB1@impprz@nwfq* z`F~Ly2ls>XOwt36#V`oM^GVoJ_)G>d@F{!h!;A*S=rPEXy~A<@UU_y=n7A|qRd8QQ zAlyw%M{O-I)J{xSX>Wv(w>j~5?8mN%@kCdx`~nV7!^KT5kA-EJ%?eN07- zz;&nG9EFjh@cPx1n=mPqHpJ5J;8(oehebzc5YZG1?cZJ=@|UEC$G~8`@KHP;f{J~* z{^Z#1S=9^InJ~L^e7!E9;>NJFeSalGwE4W60A2Pt>ODqi5=0=DSmdT9g(ECk7_<6l zBA!qt%44dC`zh7<)AxYxE}2(*Af^^;8muH<2Gt#iDKZD9gHG|Bi+8g_*__CprYvAT zkh?$enJBa*Ge2>o;AL+zGA&TiG3aN^wcl}JYOxF+bvcxZx=A~KVmLOpYO3T2-p*K8 z!yvBSXiRi?F;9BZE_>NO*Is`bORazG3>Z=9mMCbX*Crk;g_LM_h$Tw|9J=sxf47%? 
z6-ggTYz!pQE=Z()1m^9GoVDJnZrz#oyQ=unL;mGqwziwkgF08|xY_#?K zA1y5H@q_v1_G-xmA@h=hL^$Zy;5yH+teeX{Q2)Zfw@Ee^KBB)GZyFl1uXT9$ed3Lu zk2E?|#J|#jiWe!6C*KnoxJtwh2uIm!8URcR6k!*@y56Y#6H89)>rf@JJUmFOEatZ* z>){ZdMr#<}$Nu~y$~0`fzU7DxJd|mBKkR|(#zBn`?-fW-NXu3?8qstAKNCL$mB;jK zD2a~hI7`1pE}PkiAuBhuzqgaE;Xy4KWLj@jQ(yS!60Q%Rxqq_;WP%XRkz-*M^9jPL z7hzt0K*?FgQrqWYJ1^N4b7u{pTQ%Lgs9R@e6w}d1!Es1cyC7XzIK*Yu-oJ$?JYc09 zoMjtZ;OLY|cd-REf`Z-@A@!s03pQYA7;|9ynT!{73H-Zh{!Kq9jP?#z=4||#eh6lj z3{Xi{8PE{^=D;)Cf2m(P7(W=GDp?F5`vj1B6VG5j7ggRT99@CmpN;YSJ3nhCS2a2~ z8cCzW@C(BlYAH`|vz%@XS~OAA2Yxi7{z4x9kOob>sPBR?+BYv$^zGAQ%3@ zFkLR=%3WwU$<;a@qV|a_V=HyBvw5TKiNR`S$+li$7k(|N99EC{l0{^9hCiuT_)Egx zmYZ8;L|A95F>l{u*eKO>>@z8?{x1F+|~aZAW@YYIc^;pv7m6a#AOa%*T*-dsBTtorniklQV}ep!UT>D=O4E< z#>qlMJ$@p!b(=qyFRPP2zR>wyUtb_)pQCm4kHy8Kp%=_X2p z4V{Y}hhH8wHdi)T?PNO>h2myxNC-S564z7}-oGGpRRmg#4_mbtKDli36~2nDL6;Yb zBoq$5MrpLlr7g%!($K{|DTrm?{w7A;<#@p z=c$ zmPBw4*+pB`R4$G2$Bi(5SV1_d{_@_H&J)g6RnMWuZ>fsbfF)5JRuqX?StX1TFf(hp z|0ZehRiw}YZYB*o_*5$p#FNUVj)&LvID(F*TP&4#cG~HW_CT@&^KCV>iZ}9fR3JUY zGV2brb^1GiNE7kG*BB1@WrL|IwHcX6DNy&gsOLlatMh1#gJr zB#q6>kZsJ>c{p7jw$>*( z;K~l+F_i1tU<19AwB84k9*8hoY3tJ7zi4gFr#|J)oI#imMr|xgc#VSijCq)P=Evh- zYH%=gG@(+8hD7F|4Y2=mjcO6GaO#SjUXYVC4QH-TLB^Dm0i0?h0k0{qShTMmx4)i( zPwzp+B1qh7IP24G*voCoal`gxb@VT{snKp_h^681TCdpSQq&g=fO#${IP-0x7kPf& z%vVo^|A9~-4LAp%TRV`yK4R$=TX^0hMHB0(bFO&=WHS2nHC_i8-{OcJgwwZKvSJi| zmnhm{s;TIJUzN`q5Ve=SxBdkwYws`nL>&S3(xD5l3^Tv+HI$tC7Z zxYpxI_~ZLHAh78T#zvSajNMzh9`q_CHOPRbV&#-7MUtU|cl*J~xiuxU`NA60HPR(5 zkb>P+NdFQ)3~;d!kfrs2EUgiG1Z@L^t|Cv}(z+vIDe^1h$eNimF)>bvW2syB7@$v4 ztn%M4yp3D2PPB82l|p$>Z=tiTYxYyJ2AP4+z}-zNhw6o>wTGiaL$8uoh78C}_(i6W zDy&G3RV|D{mR2+MY)TU^U9TJ08CT{LnET41bumWCD{Bi;f#7_Up$V)AsaInaV|Htv z;Bt$gP{Ub@>C;)Q8^?oPW3f(DDoc|+Pw(LGIhmFj81*Ua^EV_`j}39Mf0HRk^(ksS zi6UrmE|DSgL>BC!ODmBKu?2$*blg2(}~Ir=2mn_Z%^U%lf?i zip)UchiXj=_Lr0W(}HnfC-@0WvjAqy;&Tp7Ddbc}772a6poXkUJd2F~+p4GTH~&(Z zbx1KVnhIjDKY#>=`R&*B@P4<44$^PyTgBc;r^+iObt>(*(@x&EqwSvRsyOGcBxR2c zHHv?S>!hw~L7ZI=WmJH!#4^tS!FH8zk)z|KtvF>wfMV9eOMb%7Q 
zcV+{Qe+U?q@$#T{){AL-piuH=58?6+r)p2Kwxm!Z!)-eHFOTj0{8KYJz8B;x7isNd zZTse-33P+i6;u;<% z#=U(jhzEYYO!mt4c6s>5SDe{)>ej=FYR>RD`&2dkzB}9+NB1kkU9rdFQ#OO{hdw2p z3|=<`zV-$|`Og-ghlGLb>>n6WsHqjSNWP&N54j$H=r)78K0|rk40(p) z?Xt*0;@X`L{K92dEG`F@EpT$)gfq9sRz#$&z}A~Cl4kd=Y~Ok$DZ|0jE8f8MaCR|{ zjTDEo7T2>`=jv;ho0CR1G&Y&D$1bcWTlZDxEPTmFM3{@Nb;}`!_%>Y4+kCr_I9%*d z+ud&4-6e$KonP)_Xt6xHe%UZ{rbPE4Atx z&3fVDa8Vtd+(Rp#)+%7#Oy(D7@_tkYML^;gSms?0>Hw*YIE{$i5>Z)s?uw&HNIaR4 zA8WqFHzUW54~(E{`wLzw^Ps=g_FXqU>-V77_=9rHM;-}>dl?xTjBnm!_u=*Yg(zi)YUVKy~2>wqJteLKu~xjuRM)J6o+?Ujp1chO_U+CJ zKJVTE)xsNrk448FH!v*TZFsI2ekT5;&dzRO$JDvF<9J`4xON=hsl==hH5wtva|3dk zN5CzLpa%N!z(s1zE)urUMLCBL8?vjMP?_izqOkMKH4GKp{imJu7#w`UjQ)SP!pIN2 zohCmLP7ZNAhY=+*vE?7^I?5Z?iu_at!48F=wv~O^XZzshteg6d%$5gJ0xZ(iM;RHp z}%c*&hT%yw|+!6Z^FVJSjTADLw)<&Frj?{hCTzawHf8(m$t`F zuAEBRKHL|w|AA}6TqTEvA=QX{&ISk!Uq(3EMvxbP|Nq%F+={{66<@z1AfWW)|3aII zb+)B%T7iOIeTW_&E0z@$Z{7wo;Z5x6Njge(p%7gUtHs5eZ^km~3ox+S?4^I$6pbwt zccz>AZ3jAYR>HI0^&2}PVFz&Tz`652eHpJ~@uXw%=sLI&7~J0HjNE9`C9?K}q#)to zwj1u1&U|u@A#DYv+oSxz2eY2(elmjgjm+xjZ#xSQs`eA_jP~cX%PNP9-_dG5v@?t+ z@0zz^!G?-HusFX3+n$El(gJ^TVJ<5&L|%zBNvM`SE*e8Oji(}$SbhCCrF^FbCeH`| zx>uO?(@q(f!o|K#7C}kF!P25J5naKtq)Y>apj-H`58~!=;Piz`rYk0Mj;~~Jez=t~ zPCp&OX{XMIDE<4-1ACfHJANKLjM&HQO{oKei`)7cCzE#YrbX@NBXQHu{zUsJq%x`6 z?Gglzw#X#=5JsLr8D1z}Ej?6Nnta171L3l}LRj;c{h0;G^2EHK_;6qnr^pl7>5xOH zQq9C_l*K7DLPOB}RQ;qQx-oV>ykFmHL#$%fIlrD^@;Jh(1gvhee}%H?3C_FYe=!i9qlTa zS~Z$7a)q@L71(Bdb#u1R&KzWtuK2yg`YNYy@$4t-zz|?$p^sQUcFtadQ>=fN-XKU_#jv=$_mq zFKSLuq$~_8bX@{VhnE-oHy;@Ec<-a96vQ-K)Cb*t19e$GeD5-xS!w6D?(SvlY}5H6 z_IuG^#9^7?xB<^34A(aMHI3r*jK3fz@QQQ<1)|7s#UyI-sHo^*+I{@!(=a{> z=$Eq%Aor)Sdh)qSsvB&#@2Yr0B(8@tu*`6uLa)=$Tuuh4-v45<(n3`yq-+!v(7O6Y z_=f3+;iOTKxIGVVT*xoJwQ|I95OlN&dH8G}|F^Ol?KojVjcC z>l;8##&D$xcApAHP$VQYkrUKH1*N~KdMP_7$7UpzRY21}x^saZ_?LXV!B1q0Qlu7B z(37Xatr+)O{{nUpjugH$5f5aAR9(CU%OoQu{9Xcvq$xKxI~|Ib(pB(>`U=R9l#BBop9 zG_u``Tq&sVuh?97EO%D=L+I?#ii{79qa)+2c%KmevV}M=8m257I-T`Q?{mHVhS542 
z91UeU5e;n6JPYpKZ1+%4u&+D_Ec{);sP(&UUe2(RQ_;)q$i}wl>6dw}5aZW`frcl(xLLw@(%}CvSnwyPlqUQ+AcsCUGB~LAQliF{4g1x zSNPd#$_}aat>*ox`ci*nD;g|m!*I}X%wbQ2XQDwPZynl~HD0R4jt-N?$9$M=p+i+R zdxy%*n#Yag(e=#@LSS%%oXX>+{BZEWuiR0?Wd1|`*zFxJhuh^x@bCOp`CJ?RAwRQ$ zk|lpXgtwjqYY_P?2T^gMV-{IknS!b+Ry9*jh}2+gNl3nN+71uIwNO<)&MP~5+aIgE z>2t)C<=u5R`u>*EP1WlOW^CI#@RucAxG^b#QvhI1mF_PI(EuNA%t)8i3tmlEVNuMx z@@|j~F}=EOjvH%8K8-bXB;m<~+50U5=zp(D*wcVtO^0Acya~8Z(_FmO_zmDLygv8N z)NbW@Qwn;$31sxL>W9Ct|I@-)26}xx9VHg%NLuk(4S)4SJF-hD;Sy;J>ZTs@E4Gpv z2zOUV)#3l|@?A$3`w$M{HsC@KI#C!TR5)3C{!1*O?>d{{Lm)d&V`x&B#lo3Xcxck9 zD*WG0@W4y;8Owrt!C9@w#A$=2V&!4x@nUI}DM*CWZAhqW&}30!yJ*7T3r3HwwC?)Akj+Cxwa$C>b_XoFm&>4G*vGaI{hkzX(M>DzT3j-mHzZ*h%M9_0C9l?WW3d z#RPokTG!F2vx6%qYy*UBdeClKW_hlW&Z3XKImX3iZ1tVN;PhL9%%snr2#=~P;ji8~ zw{U{rzR^e=L|0{2{~eiK@PP1mx4C}S^t^I7e=stRdL} zgxKH3ZgDklAkPd?_j#f$OnCuorr}I%+ zFU3wPXZ~iXHioYst?tF*J+^5?Vb~!}n_ac>4gz?`?KkWqhv6ZLR0S<-4vvbC&oG5A zrFp7akKH%Indvg#&Rq(DKfv%KcBlP5+r{qgZk!$Y>#h-@ya2AZ-8*OJ#YcOMwJGx- z+K1L#FMmi zTeD(HA^xtW8u~Pv$A9Gcs0`X;-c`))L6(w3gHJgZJSM7%c>7gENwpG)-@+ATvr87+ z%&*L6pQ3b`Z!@re#0<8^WvehQB72bpxV zY}z2?^{_Q`MiAI*dC8aUeBu}%NM65+E|Tl_do(=w{5m4ig3`GDxcuXy8qp`QYW$mL zT}>GWT?I*>6uNvBqQ(%a3a&3Hvppwmal@swHkdR<1mDr+@U;9jW5T_nBdZU&7^bqE)@X#(5dSU+!vj( zX51ojZ@=%&UiEn1vEuP^^Omp{E}^S_Y#8PIB$;|IP(ZhjXy7vUWUycdCUAEa%#%9U z{6wXFL>|G|BwOmZ(Gc-ubh+#>0a{B2JNmQtp%K#V+&J&7%kCRl>#(m|Rr$foY|St) zvA9vnS62+*mS?ED|IzZQ%4VF^N)g%uHx)pT#TGnn_G|yVV;Dx@%7g*PW@2XA(J;T7 zg6E4`Do#~RGyNVh2Yn+=6^Ya_G~dgcs(gs0809gV^XL8dP?c8N@Izo|`tAzIcG%8A`TJK0MxW=7_` zNSHKjcv_iLS?isASgdUGjf>YL{|)6nGUi~A;XRy7`qS03?jiD8^LndSHV;R9cW4@n zHW!JjZoLI}o#_f8O;g4b*M{=uJA3UJC$PDnZGTV0PGi0N%)tF6s z!{2R|OmMVe9=0yH1hg&a)E)bWNErAVN|d-yBsmFpw57D6 zbHHx~|4<9(47Uz*yjyY?0oyh83w z;(UF*zc|H7YrWjuEHV(E=j9Ks?VEcj#z~*upzRtkZni6+4L#GFCTd6}lC6d};^m`B zN_RMzz?IO`c?bs__d`uQ|80ay+Ups9CJ#XD3E$h!g!>5U9WALW=9-g9VQA^N<9IBVFMlR1WQbQl%#NZLzd>az%k2!H2iXl4O5 z0LRI8@;&W9wpnO0SD|$y(}G9N%YWB+JcsHI?;^X`<2&kxZZi)}i|snyp95A_y6k)D 
z&2|m6A+IVaDRg>eRio9&&SgZ+jvCS)8Rg>;<)Kvr%aorU-~Z}tkFESV9h?b=xWftu zx;|OS&Ou|itj172(z7O&ghVe%H_CLbnIpkxZ$}Z`ga)Kr19=w>%B|ixnU05|9a)=V z{FAkX$+q5Kv-PpJHAd+q&l&vAq!STT4`q3%zx}TR$OKx#HwSI61OAC04Ys_$LL5LQ zeGza-2`yl(8q9YFThRV^AOd^YQ0@5`LE#V1_dZ7XNj^(Y7xt zJ2?3rwaL*<8~#stK#;L@y;{=}^1f2Ss(6=DhIf-%qpaT!>uahWLG=htofo;yc5#4;Wmrn8*6?pBIH-w~|CnyCE>6Y6_0Gj2 zWV!=+Y|bTQl#bhZ`reuxSHD+rs)s18X0F3Z{Ei97gnUKK336iyGz;|_0uzi0!_2wO z9G0#6>SJMP);Vo4|Gb6NMW$tic_01)PfFmm=3sm&J=Abf346%Q4+aF1B*X|_Q^~1N zO9d7~sXZnHp-n#ZzxD5YUaGhhzRz(S>^-KcTx@w9Mrg*sXQj^)OpNP~9WFlK9hYZU z_S%R;H}$YVH}*npbjXMcZ&s2Qbv^fYa4{7VvK2}!Gc8s=jlj4MH*b`Nx!1D<*_e2j z*<=>yjavDCa$_0i1g(73?S}OT>*c@#2GH%B_qIj`*tPTF!<$GPfrk{VHyL!YA-M=7in;$woA_8`-? ze5Vm%5G}XWuJw0?w3@QpwVqDfm!@FTs&v?{&B!PduKMZ<$8FEhb9rg1@xL^fLcP;i zO&xA!MkS}87XZ=q9$3C~EgtqZ&wcqU)PeAjl_=<@YW>;u(9icRGo!b$JE%$cedZOT zjm$FASjGAG4R2eK&9jS*cE4xe%PyvyH$UNv(vLrj%#E{*T-@ZN9cqcRC!K)^#9bR? zB240_t5`YDP!me_sOS}37J~bcJHs^cyOc_p^Dz?f)XRBN#?hWn%?jD&j z+v}J=DB`Sv`E)x@F%GpPZCTpIgCum8M?~Dz7PM5H6YVklVO&6YLl}Fgd7oVhsLbTz zk(v^2iCks7pOary?J@hB7XK=V5yDpeH-|LIcV?|Vs%NVPn_%PA_*ipnOAP7`F&E-= zirYIt|C$obyja(Zb=k1%DTD;mvH;bY+shSc*ap^=A89J8tK(U#ogZfHN#?mnYQ;UmY()u!%l)h6EZp4q{dM88?MJ6BO)DoKgJCbg zL2~5PA>3ej9nIc6WTfZ2w2ekTl3-_JGJ0+!l6G4=`akH-7`!kPb4wpwr;|@Kx0N=r zA$qmttf!A5Rpj7Fk5n{R^5jK@G*AYV4#6p>PAnQ$Olg3QZKl8Vx?xfUKk;wSpGmJO z?@90D>S<#UJc`JM_n3$bU`In&vd-ARV)Wl#VQa&Wn zz545A>LR5UXEI>HhPuRklyk9FgD!wt}lC3TyV%ZR*s#Q)a zT1P-eS(Iy^0vD{M?4)*?iPoha)nnQ4*NfEQeYR}4S+Z=%M`hHBF)smy`ntJN03Kg7 znRr<^<7y+!tSCLs6mK1Lot>0fc`r}WaN91&9vm}x_M=+q%(*hgQXvji%6lrh-B+A} z1^^3RZ4`va51I3)>MzG_!nG=SoCYcax2+(3VUra>uL~&dv#yYW^j84P z#AI>6Z(S|Zbee<$`bnog=?(nH4aigxLib{Qh>ANNqXTFi4?Y|LZNFb5^dI^~M0OVO5NhT+U^kG@?Xk~Y9W-Jj@0RZ%wx{&zdFfivwZFDvYD%51kzjWi zI)~Z$!sBKG)T1?X<8@3px8;6QDewNo;N})ZMaV#9=l{a~ET~D)H9g-;kk>4atXU}X z>x-o4JSZo6*HR9k142W8L2BoIjG7+&;r@2e)#627ABVsD}Q} zG>i_|-%kcW6Y`J~?x`mcFsGW$x ztvSbUlhr#Ycw4M-#%6?J;Zo5?MI9z3Q8 zY{E7Owq7-Ex*R;>Sz5A~IlX!)MK;Rpx4EJ^U7tvJCNIR}O#8*4+d;B@Ch_acwu0-Q 
z?%oakdQXuopQgttBHEYs|F!$`Kap3&dG;lIcgNl6fyN)0I+~+P)xfl-wsJ@$?GUVp zUst3im(JX!*t7hAVe`$Q`@>(axusM371GDGI~43SFVDsTkyx5g5s5nv@A6nYettL0 z!Oy;F#SwMErWx1QrfqjeJ20Yq-7~vGchv>O7g8Ro*+WOK1_*3v1 zc8%}9q`+5mJ!X_qOFI=W>8atQ$ju%jU<}K2tl491%Jr(z{%x&EU&~M_4&-kGcl`uM zE%F=j>bu6JLye&-%?r3D9w}MuMSVpkI^Hz@hzem37d4TY-j*lG^Nz4}4K^XVf2c}( zYgFuJ2#bW z+Y`D!8$iht>iaTz*Kro(wdjH9;eDY@VW~wcil#(1AQ~t=>@>%V7YxENZ|Mr-39@GS ztI2SmKR4hk)?2d#i#JE-n9m!5JH1JgInf1)&lcN~3St>-I6he=QA1|Ep&tz??anH_ zg`7R`PLSIPh9Vdfo@aMlhM${NZk~8s>j@ro!@Z%}f6^VuTI1aMr{S090vGPh=Z7m3 zu>o?a>~~`D_;;?nW%RPaXU?QX{+wlvW1(|S9e>bf-!qE~Z%b&r=yyLjAbN?7J$+k_W#VWIU!Dyqbd`QY`{qbUORY=={97aCK9PR_T zf4kh5xDI<_tbH(=!rK<#`4r34>Br}?*>jD4 zV2OmlJlanj;*Bej6>BuC_Vl&{cP>5SNdtW;jUFAx;SgQRqTGv(3s zp)RXg2iGTb)<(~|;YEh@PM@%1$eHcotCwq=qehP8`sz@0(|o(?cBq0uS?-zo7%iV}?5+=0ZH9&z(%H_Wfm^h&?}<(Qahq*1p&Xv@;l?>2Y1~Nz4SfXfj-EfSa&Vkr zrq}DMOHCIRl(ea=#`9h%XJeS!OdZf{;CHdhCzvbwkRO;KU=JHd zz%5_k->3M5h>k*kGeDHjWtr4Tsud)uUi-~2KuPI_a3qPZAIXP^L-b3{6n=0c^N*nX z4)i)$Np#Pheqnp?LZD8`<~RAFjb))BBtd2=kB4l zfYyqjK9}B=&DNNT=7`z#amSh;n15y9mQQNj?w?Ty%iy>wYguu@tKjk80iT0m7OxT; zGs{RRNlz71^W~^&Yf`KAm8G(^hI9*ub2kMy@K8|R;a_K;9+^6?J||GRId#Ox%b`t+hV zF%B6%=`^B<>3xFYRE6Oi8ffJ%xrv$P-;y*pZxk{3$`iw+vW1~lq>Yld0v>AF*TJJfgD?kWf~_ODc8zL`C!OzPZEU~T$sMoZwckTG!? zCg}6rTY;?C_M`&P_IY+W{>T&-W<0282>PJL(>!}t4>Ewgse-g%uJMKULaub1$?9I~ zM5j1;FdS_nKG#_0o%_H{+imHwmF=J^s+O}P%Y)!D-%A6pPWi!`_dNzc$CQ-&B_?=Z zd5$9`VgZ0`C|3X{N0oE070}iyL}5uM+V%1gWT{-h$duT4uKm;=@aui06jVL~;@MY= zi(vZDIra$mTFPmz9#cdfm88SGzD0Dk-{z>Jh*fw0mS6f&eKnW#GD@b$TWP%fz2bTHI{&FyCl6^Nu(Mdw3%zuZ zRM5_Aa%b=yKHK=~z+3j3Y0pm)>pS|YU>c8t;$xo6F}W)Irf`FF-0+f~MAKozwNJWK zU*93XL8eN7`SRE(Ed0m58ekVJy3eZ9ymyJ8P0ik6F=bAGDPV+ zT=y^wlUb_PjNm)tN!4b`sNMTu_AKEU zx%_7K%vc+fUi3NvheTxTB5)r)vL79NjRlD{cN&`HX8B#iB9;65aAMn_mejtaE2J&y zt}e~pZ;dVGXN*HlwBc*H+#xgmwyk)sw6ckf;>-Bm(8*b{*R&54IR>y_Tz#j1wW8~! 
z69b-u6ccQ=th)h9J8lqASHOHaL-*Vog(8e&cw*@6I~~yhr0bzOop#QYRJE1}d1M&} zM>T#?3nmlo+TlJqY^B#+Ha71Z3qizgkwThkzYJTH{=#Sy0*w>D0`J@X$7%Slmh|5L z;A-mXZ7R%bYPyK=W@NP9Q9?*+jy}v9R!Wf|?D4_O$Ghj3ZlkA3f-txJsEM!1fGDhk zv)nzk4yQFQu7Z%%Z)FGuEUl~zE5kQ(N|!@<-FeNa>TmK3x{NIvQ!$Fx(%mqz?lLu` zWI)ZrPHTth6UDSV8s|5;3x~S_)Rm++*SA_;motwiVv5nhBwiDF2NB*&OqTamkgNTH8d})-iDyCB-GGL znT6RF_}?RFfAQERpd^+&3Y5@^IyqvK8mJ& zY=Vz1P8qF!q22{!EclfeTd&5`&{S_o<(3F9X@&OWkBfG@?HS>PpgRed(9)nRig_*& zQd%vA)tD=#bDYix0-wtwpMm46InHpEm5~1;LM5nz=48moG{-);2J~4)37gf2D1Bi& zl5`~Un!e8K=LbU9r-~>2thsV54NE%heTBhYC>6Q}VxfKWd&qylo z-FWT}Z@tc5AIvi>gB0Gdl6p`tR#w}Y1GlZKOo0Ms+72;N92cf3|1MnfAq#m$UD+Z3 ztzt}#zzZY%Wl+M!r?2!y#D&uxpp zZQgL9Wm>Zs(ohE!f9oTI9^Ywn<{ypNSxaw)tHM~?MfnLAC3?Fn#xJs=P^b~ zmMhg<7^2~0uFj+_MaW)ERg3|8^xXlw2`TES26KJ z{*gN7+q1%??R|5>+m9zz{%M~NpS`qSoZMf3J9*dh`c}t{Z*7?lskztly6{B_ZB`tY ztG(^>>OReTrc-9<7FtuZRIy_GanHlMcq3D3$2UrXEXm&?e4h4Z;RxIIuLDvBo%5c$ zAr!Y!{qJlsn*ezQjWlpQ42+8XBiku+WYq-%){^`3XXG{SF#Z}HwG6s{Vn2l92CQK+ zhsp!)uN`G$@(R<)^#LFmg_QIw@*Dy^5|`x2SePR4ib1S3(rr=e#lI+x&d-$kHUcq? 
zcm8_6e|W0|_yIRL!R0}_Wnbix2JpFnzVar20_2hs@DWvoXq^l>aVStefrV0mJsahF z)+fWqlDDeR;1+wjjekO+z;?4V*$kq~DdkL)l)1RIttJ?&`X6&}xfFusY)_9jsA@jge_mD?H03jI%YSYWDQKE!bgk-1q*Mw>$IE z)4P>mT(yn#^Xyl?C7ZfS?3QeA>SO1 z#WCk%jz5m~CIl*!o~MZb5{cA6*+jm^8RcQsJp577s>O0{pH*s3r-DoFlPHUhC509B ziqp^J*i;i3g`~38<ZrEUej35?Ac?3ebhBEn6S)u+PS$4gBI;g z@B5HwuYU;pXfG%w-^s!KxSaSpjrBL8Nl2w!9>I!g^d<{Vn3t_pAG(p?&6iornI^j_ zAw|f9{$B9Yg`5cvzAJ8z`h^#uoJD5BME9K32aHA32)Ve4xIz@P8^A zyQ(}<619xPgtJppqhbNH!RqD8&0$C#Q8H;lLj8q>-C|4sx_-P*U`^WPPvUf@8L(&q8G2KWvQ_n7>A+dO_DIbubwV-sTN!Ftemq@Crq!~i`xJ< zD}A0L)U$BAZzJw{@qM) zJ7NYu+}$e+A*UPkb_?@_qFYLTB~Ip8Sk8OMQQ;5`uA?dYPIgw31P(C}+H~!vn14na zju?3ryX%e|Nk^mFF*%Kaxna{l)5>>l9qI@*6@E1(Fapo;L5C>qQi>n#=rqgXT$E0c zr`xMjkl@_}Ux*iv&o9^#gF!Dp!na*S9uw6JWCqV1{L~uDO#9sVMJ=t#Lq@QWePT@< z9*ZjAua`)e>62PAa!j-jW+vlM$;M!P@xv?s^G9P>^pzvq4>t^_d|-V>KTJz}cQ`FQ(JYQH2w_ zqb39SjTb-_Q|5RY(1MGB-LpF-Ymq14V6n{xw!D4~^YEKeNc@6rh}0i#kpX`~6BHtq zA(4(@?jf{XDWR6Z5#Bi*nW!P8sCzR>srN;(Fs56vDl zWGlM36BCDK`<5RRiOgB!Hqsyeq-Ry*P8QUUpCQq%w8w3)jFw-}?^3>1CuFL9OU*Fb zXb0r8XRew1dimk60WfgLwI?uO**}QG>R7S$<9D9in6!6K_${vb(Jkcs$fmOuDW22b zMjWI+rMdfXu-BXAw)%LGV#l0-WZo~Xq~?)y%y?>V-OGeIucN|3=^Z}379I`Ncj-cK z&RbH~US(!0MVbkUbP{(`p`>E5$$j^X9QEZlu?#HDnmQE3pPaiWxw{Bzl#MlxuWo1~Q>e)Z?Te4J#T@is53Ls;Vu@N!Rc}{&hBzQc30}QG2-HeUr2-;Un8@WjUsxJKg&yU?excwaY+9JH4Kv4<-0;m_Zem7EX63c@;dt=qCe)m^PZVHAm>-wFb!CP>{s#1-@`ZB)qtby;y zS8t?*dS{T8|KavHH*dauz7V8|#d|<9UAwq>e3IvSKmbekfs`Dko=yLowrHVlkF$ov z-mN5;omUg0*8lK81f`-T(qW^bI>FL=ir@>g>^D4BUg>l+m*C+M2ogPfe3$3uXHV2D4U0{5g5J6psIfOTXJh? 
z58Ye{A}8)&(5Cu3BQ8$le23%VR#R-zOh|H=*j-7fGl6E%>WBl=wbPr2i+HDR41p=LVk>>AmR9Vmg6`B-b+h`Yq z4PNhfquSFfO)J>RW;=o|ZRJ`gmzi`iF!3i$(r9uTsC*uSa^6-ad=;!pSp6jKY7!Ih z7%aso2@ET~h3skO>Bx0Uv{5eM49qJ8z8~Q1s^SDQw8VwkVyXxh4Q(iPnHwqDU&g7= zcbX@>lCf+jJx}VU>~cv~UFCGu0a>o+*Chm4@c$uPEht#{(I`LO9;)+7Q~|mb+6{jt zLpVSFC{Ca5`-c+rf}$#Jwf$RN%i5FyZYkvvzh9Uc!-iF{Z$}}OGb>hre~>RlU#+6B zb*Ru-h2Qn?@t4f)&98eB0zlZbraltV-fXlt3U=Nc>Ak7dw?|;nw>3FT zlR}zX8dB}n4K`pK|kSBHH-i(w1YZcj;1?txFwuBwa02LQtqGC3$Et zI}x|;3s~!+*O)yWlSnG>Vci*C6N4XZZ;Adv$4~@vl6GXRUWltQt300K+puGmLC?4~ z!dBpm)4e8tLo)O9MqXa)XZ=Z7HH=mj00IphUge>kW@;~Q{AwX&!tD=~ihv*oLXEOW zYV<}5OE^0xb%??7;F^z6f3-SYaW-H#3h)Vx9O(`vAN!owj_vb^-p(GBIo7(~MiE}* zTYK%-x_%RX2cGKbt_T z{(s`Q_g>YVL-@A2c~4;m=>)5v=GtVQP!4JWN$;ttO$b@~;IBTdCP1YCQa)mOz|T-r z62)a%7(zq;g>TfVl5a!UbktxYMLm;+4tX1tLu;jH%o-^xP;cJY)b{-{MwV(lJstvc z*9>bj#y6!=Hjg;N(#5iIX|rg@@s!*C7T{!?;VgX?Xu}dO-t(zu{@wSrRcIMp2qK4f zZfoiz;IbO{Ty%A>W%+{dY8lfQ?!>UkyBXhYe48m+uO0=ja4<{(naaQKD}~s(lJZcX zVcBF>qFwHD_<5GG@DY6#FgY1cb(u6Q1>?UXKBLS;QiIB(Uoj}+Mr=o&Y!BbIV|(&0EMB)(p7S1jls--7R1?JyHZ;av zW>XOY!wRdkF(WpLVjRYcXmFK(+kA-i&F&*aw&;S>cwE+SXh+-#CVIV*i6^- z&7|f}s-Jlh4m(4vqVNsvU|o_xZJUo=9JI29I`iP!cV;Z!q^~`)W~+R@_9$S(uSLww zZKD8Xfw+Y>XS{b=6mAI4fo`Ja^Y@Pud91N{#o=s z1Uh>sO^>AKWG;X~gQI?-KsRcS)LJ2}9m3oW5tm+?sUsx8WX}lxUx`WelH>UCGAw}RjVGphKNqOT6GlPl6#2nC@}I*yix)Vl4+FO<4yR9tiJdcs0Crxb}`EjQ5p9vA6) z$0U(=!cpJn<=4Z*>~&TORtN!iO3G~DNxg|~7Mt$n)A;VtK8SadUNp%Mn^l5I*`>D) zVx)7m^6m75%ahcw$EaMST}7RTEuITI?^Gewo!=fYL$gderxrtUVF}q;)#HS@Y9_7B zUoG&xnkF{-Rlt)@VS|6M*u^(JD`Hc=bmYk+n~4W#LJ8uoB;1wphiT z=Xzo1D)r7#pl7Zt^uz)d^W`}SjyD;_PBmeW4tRSE0J9kMdJzAfOvz@_vL7keYPRm; zZ;@ugr^hChcrUQ%d(zW$bL4VZqZ&X317!8 z7spJEaT@(i&+dz(Rw5n$__^7d;Q+#EeK?-6FgPA3slp=Zr&bBe*z(6R$v7Z8SsBer zb7XyqG}=9j&ig3GFBS+QpK+EylZ<*>7-bvP;tX;LD~ghR#j~qNonj4_Abw~WkADj) z{-~iDkgq<}(rUNOH&j+8>Oc#W`RaJi#6(EvPUSA0<4HhH|KUXcp{8^2O%{T0dAsq6 z=$~Nwfu;SIAx{h(Ph*pmOnKtDO~sE9R7%^p_%o6!`AQYRUa1U&Twi)$GhYcd6o-)a$T}&8OF4a&8X0?bUE$AFaBwZwmMd zygF3Hhd8#2$iF>~{@wR<>aoy(kqghg2D1r0gBA~lPdVQb)ZyMJ1`4& 
z+V&$|ysk+ZwaU{*0VCr!CmA`wdco^!Aaa=rf3IcC!S9%sr-OXt1;d1nx+4xTTsPE$&vlM6yT^Q>mh@;IR5DS zn;M9zpjzFKUis6O{-Zu^UJjbbn5DGc&wSSoCrQUl0bWTSy-$?yxqG_6EuvSKHCne!9%~=senhXhxx~s@0x3&2E zq5kOrQDgpcEBp(`2G8(s7@`1qsvk$xFT98mNsjgTD|6&=F+h2ATh?Zzq$Ct3>5|6i z0LEevddTmyFUdc4jxU2Ir7@A{f;({b#*!o`y6CLwxCYit8YylhO*oPLo_F?{hDv&X z{DKQ1r#yBQ%aDH%EeoFO6YbX}-K~Uikca5uf%Z3gMlHxdb|K8Qz=D#hlOhVaB@{QQ zA&AuRznGmW2QqQ)H(JUDXXaVFDx3#xv9osu`iG1)Ivociqfz0S^O~D#N6iC0@{LId zX)r`Tg4hK7ckxaihEv#?t-}H}_Rr-e;QC{~?&i9Dbxrx=PI+aA{T<5`U$ud;A`pqg zp4{27Ji77He{#GLv8H|EZ7F1G#dZ(yPn>9;( zJ%5i$N}c8~NmcU&1%1 z`~o546&a-BWdp>Ps-fq-KMp(g0SEyH6v^9o1qd{(PpD^q5&CRlX=a_O`!Jt;D@)%P zeYSd_SQ6#lYwbpW+*&`^V*QCRSb(7|P)9%cYv1(e!^PoS&&$Xbu}SEYV#2~!(acup zkRQryk03XjKf!TDi zRlIqWRJB1YgtQ8wCJX#8;=l3VbY;mt9ahC7IR2YHmE|z_35YCdmU(`CJleYPM)|DZ z=;EmbgV(JV2^I5D2P-Z{%A8$Nrz*^YwdhH);?>FGHoz!$`C@S1b(=dKQ|a3E_MTj^ zx3Y}7&W z2A||_N&@}14c^m1d)&JGf>5W%A__4Y1MbuRqXVM@$p^5`J^yGOUig?>GG*3gbN z3TOWX2|*M`q@1UJGOf{u6=s!a7`n}M(es!ZrZ=J7v4t`^f&+AAjJG75=|QwpqmzzW zWD>r}``ndK+`dGz-I;h#S}6LPiIg9&FO;(~G;vmibyAme^m2sC%9n26juUR4#z!ia ziaz; z(&!hTgC|~z+Dm*fmzeDY$*gx3HrJW0k&wpG>;)F|C2i}F8I`$c{vt}ak;=4*g~ z)+Kpewh{rI85I16q4`_&HONRyWyfWGDK_a^;lP`~>dX#_sz+)|!Hu7ia(LE|%mv#e zjeHoIe?-MlI&45sS_NCjqu`iNtE^x3Xbz$A{XVw!BJ`Uyd=0{$EeCjz6u5R}iS4Z+ z)AohtjqG|xa8}_Us)O*8TiB$60xPpxM>}7n-L{12+RN-3HAh-P@u8TW-3ZzzKik0pfH~rE3-l*Y)ul?KN#cVm*89Ud6r# zxSnas>YhN&=uzM5#|;3}R<3{RxIGjQ?`0m8p_i&t)>LE@Rjkk`pv^#zCs%~u`iuS2 zzAI&&jmbVpC_EMCBAhKBQM?uG@d-_-G9<2>^y#ds12@Tl9R*T9$J1*>+1*z*-wPt* z1b7FxDs{Y7Tl}vtHb>Kw+uXqAl4?aAV=H{L)k0cp=19qfAA0h5i7s|4?@r8x{*6LM zIW3-+oN9gNxgg$F`z+C46q@AH%kz+$mY`QHRARv^C7u zhG2zBxzpNr#>us~JAM{j`zto2$bBEnCstSu7TQ-s0Uw?V0CF^?{C#BOH$(r3Bl0<6bsv6|@w^?!- zcpumx;0AXfqc)CKGFv?8XZCVAm*=WfNoK5R3nk%@YJn#?6>YX{Ef+pMycUJ)X1!*L zCGGfPUw+~hf3sQkV0U4C?$m*jk0cn+= z*ufkre+|C>Q)Wq>Ze=-`Bc?^|QPMc$MtBbw^XagMf_E)>gV{sQYG@FGOqo|e^iyMvh&?H6nNmX}%OX_4@lKI#M;RA#e7UFwFZjNtp?{So+PsWFy!8#Mq)ANW@JW)Wg6;UxWB5{N1RRP5}5y zc`yY{dmUmO?x&GBdgiN{+JY7+4XI#5CdgrSuuSq9uUKkH!w27u5KLG^!D9PQ`7!7E 
zqW6qg3c(9Q$E`Ak^J}M|Dp31+vb~?0$PnEB#}*|+xB#V*yENn-zVYR@234t~cC^P~Yz9Qj zK;RtjmsXkz%^uy`f)*SV6qf;nJv7~Aw3%oPdU}0Q>!6s=2QnW|zcS$b%c(W0(lo9r zmS($vHLT=Nu-xyEU+I8uV9kK7yJ0R{+WC_54P6LP>wR2!ZlHix`nZv@9B6&`vOm5!&$sfm{n)xN3~jzq6e$EJX! zAdDEy#_bst3xpq7XN`u!P2wKMoNp*gt@WsP8L{o#?(dsPdVr@mDPzuorCR$QFkSfREEBdY=0 zy^cP4HN1Vw#1a_`^bI_SrJ3 z&VIB&OlsK>Jf=P$D9f8nX)DK1+B&wnwzT(CJ`_qU>i@BWaach(PURNUp95WbO}>K0 z4H zx+ey>h*gKCtAnPEBYA?8CPPXh{QirZmk;dKi{E}FNo++Qs~vt#dyeekI~h;U_JB5A zXC7kULC4savS2jV7fCM#eih95c+-Fz$vj8tCT0T85mF% zmOgLH7|?DlCo;Z=7Zj>33#iOE&NE`?opikzV)-D#N~a2Ka!!4o5>n6dUD+hh{P?W< z$5lY<+DNe-p%t%3^&t#0uOgkvewc|R3;fjM^|UtGcZtg=_;+%E-F*qbBa%#JX+6wG zwOfrYA~N$EiZ5ik>%-2kJa;D3=_i4H0crHmwH>214@?C+9D3+2sKr6E{il4s5^^KI zY-mre>+8K-mddz+w4_GWSf6aHt^Iw(y!MQ+a#fTU1@b#BU3{e$V2cBsK<}`*5d@Jka z06sTLXc6{%WMBc7c#;x!f6BkXCYSxou#XGhCuT?~1LM_o+`g15q^~z0dOTy|H+dyR zT}2k%%aIjb-fbAA660T1&B?R-n*fKfLe;t7W=2{Yhk{%-hL7(*6By+#>_$a49o8aLH z?NMr#=}IGO*?ibGI_Ztr!~T`@Lf^`*YVCHYA&rorwF;iP5b5z8vT{Vu^vAD1Ts*aE zn!=7$wfB20(t5R0Wb0{V z_UhJA=dr`rgiCfB8DFJ_j2NWKg`}>5DC|=`VnL_=#kmKn3^A4k33#Z$>jml3kiA#_}XeC0(3C~|) z(ia}*dC`Gf%3Z$7h1 z%~7MaorcYrD~de7lfPOtl(7~gpX;>v-J7o>qK=(4)F=;F*zn;&T-S{n4|DkH=MK_P zJ-G@47Z(u(tvw_xSs!s%`4v{~{}K_o%!6a+S8fHhl#U;M-*a!?Vu4SO_4V@Yt+;9Z z*OH#)fQqbkImM)Hc*8`OvcsL!r&YaW3_TDR(x!7zqW)i}TjySEc9|;e*+CYp)$WnF z9#5QRN@HS;&?8T6JGk(j@;Y~UnG&#V(RHPTvv65~SYLJ)i1}*jUUGVMk}=_3)~+#b z@X8z8_x?S)Wq24bQT0iNZc^Bxw?#=676}y{z442*g~@YtXzxqJ1O0(jmDmZ}j_l61 zZA#9^ZMukj2-Pb%NFresBun=7Txvrp7JKj;6b`sV05n>X4f zY1qcLt;SB;*gmn@6WeGS+qP}nwj0}a<9oh-_t)>{u>a_W&*Te4a{D2dCWktfoP;ib&=&Yrm+ zyy#PdBg4D2G(L`u(SX6jTE>8}bY~1P}3k(L$u3jbNPYESY^* zsB;C@e{`Kic(xR*Sgk1t4xtdz2B7qz@F`$(&>xqAc7YixmTTN+&YxAKKK#v|JeLEc zf-qI3F2k!3kVzmxw4)QEz?$XudoW-jQ8kpo33xH7Vd=QZ&bqsFDSaC@Xa-%tp#@Xh zvgSW1@d3Zv%=TRqj#Dngx)cL+-z6vo#;uWskvXNXf=}q>Du~EfWVRyY%v+uI zps;{GPuADHzq}yR7G=F4GZ4Bw=-WuRG|QcE2Cztl1yB2npyr4#b;F;C^jER3ykiI! 
z?Kdo2{9)kvDUi#jTN_5zR7dMnfrDtqt&aXobTtutB<9oYpz8+~HAq+M&}r;YvO&U7 zZpqOGvLDtEp=E!!|Dp1%(T;6uMrXLhVe%#+We{GxU#>ieVwo(pP3DHqO1b;@fvzuU zn#cjZmI2Y(Eu2#W@}S!ZL+G;-s#7iX0JZPb{#E0afbl<@%2D=3Wj5W}YM;CDYPpTD z)V6FLPMTD1QO*%f;ZCZbB@twb&!_vuY8(HRAMoZKrS9}UnSgR!ysSzar>(Nbse`d) z!Gk0_f+y8(Nh2l5=}`dlBc^D%1R*IF7HlKV;5jF2O!UxMj7mJoH0SxSe~+or)yI+c2PSzmTtwV5hmG|LQi;~wa?pf?e0l&#isvwwxs^poK8 zRE?C9V@mC9S#SE^6FD9WuMW>2_a3hv69dm(qVaz^=2eS{r8qKmYikfEctw1<3;tEC z9T-CuYX8Kqe&4);(9Ny*cSBzzloG+JQ$~6hj)ZZNT1OgrG)z5ow#LXcEPTXzu{sM z$w*ZfI9+-e-^_4BQBEDLecwzRb+p0p)S!9<+>D7Qz(gjQ%iU<$CtVm$it^jPl|abF z6zO4@Qk0;?HS&@4aNY&Cm}Naj@6{FP4AbqwCXZ0@rkW>gwN_N|lr`OY&lBT$YWDxT zkG6Bj+P*e?_?=@Ub!Knh*7`nb)%bcj>+MzhdR1uc{c?2v+a|HV0as4ajl=u5%hT=Q zzLAqi!AitIlfLXDOQh=20x0gmIgi;t^;b z#hOaecrL;o++V&pXtcX~Ees{9);P?SewLZL+TY`xV>V4!E`OpVi{fD0@ws+>+}tB9 zW95(5uy37Aqv%H5xaqBte&;~xv1tU=O8!v>^=ju@mu~qVqqD4>U+EXooKo6KGF$~6hTZ;jLpzl=8kUO*>LQ1iqV8O`G3=3m^deki zVg={=otsMkJx z1lcIX6;Y+)^ee2-h)Dio%1SNM-y;5dY!zKk!5fD82@w=N(Rb2Y`a_Y4ZR!(yGPH9h z8k|ugIMDcH;n|u=-ORnJe5fn^1~JK0;ue^8ceQzI2-tBg_St=sZ?kUFk(3G%hO_%a zzZs(SmGupkBXg9U5Yh9Km3_dKBEb4kPtCw0qTrE_YJe#~C8Zgzr-!}~vv?e=f*(mu zTbsCxjQA-5%?4QQuxecOhs1hmf6$6d5|WB79MRDym#nldG=p!qUk7U+{e!1P*^#IB6&{4078 zeyZq@wO!>Dq*$np`e2rsi71;&Wxc46D)XIti$QKB!fHx>p%B|#GB!8lX|^b|lrFfn zz*5s0vG*g!!2fe%JLhLRY@iQ1vCY!f>|$MIXZm`vS5h@3gI9=LO+1sM`*j7nlx^{A zS8H#twL@j~)7I9}qN7bvgzod*jy-*APG|HLT>=8d`(W#_a=BNL*O~Ig?L}*0-`CDk zoQ07@dz_0YFbhp5faAN_gIc;;?Igfa3sCxeez_tv+s@y*B41)GC&to1i=qBlvlh&o z!H3#8>w)Zy@4yeqhpa+7!qCuGGZLDROq=oZP#?&@Q(3ydILQbWY4KXQHTd|pR?AUD z)1ge@pjG~U7c!m|9%xr@%Ktc3dDr)=*PHRI8>P_d^8~`aBi}w`sb&Iym1eMySMvl^5_lU?Qg9R@=HQk9 zFUV!DqoOFr50QAVb&|00%XcUH$T@^!H2AX6CsmKm_~e=nY!P z>^o!qM;X0htFFLp%t`Xb_~U;u;G0fvc#ZtY_3OOph+P>z;5$kox>-wFj1fL%(cukLwNAF;!6pUh&;QjSkre~oWBZqNKx^(wZ8GT7 zF)hx^r9$I4PC!LY##t>h_&_fPW+SGkJY|X0FEDm}&D-Vf+{eqZP(O4QUxkqSNrXQ+ zz3{EDDj6A`)$4S=NovoEMwL2M$-A7_Wa#_%@zNnIhuN?}`856C5TzQuzbPmX->zr5 zi#qalWU$ys1`xlo8QRvN#9x4q@+WswYQdJZ+%sk%O+Gc0nE&B5YzA*7F6 
zMssE?8TH`V{|?8}CmG*#x&^&wQJ7jx7Peo1DA&7Lf)YK((Ju*&hDjNT5!x>y+?@{_ z_M9<=x_v?bH#KVoAuLLF9=Y{4w!*U&$H4u%Hb~>qU(GlQ3zI|(5{7$H#w!mSC*2H& z5l^H6A+9x3Mq%J|Tznp=Y zA|;Ajoi6Vl#2K=asq^mNIhEh;R_$!}>#sb+bc78P=xt^MIHWB&O^6pFXl{d-Db^aA zF~8bZC2?)uLHB7}(V9U0A+;%*L?-)IHaEXtnneK5FFh<>2=j#z3ae|?M;Rr(y*F3q zYVE6zgM*zbkYpX7^Npyv_@`wqd#&RT);yq3(orMV)wzd)Kwg2ettjzxu2^xCw>)FX z=S$=(1)L^`ZWI z5w{k`ff9v7vo)sjX|v$`(8mP?Xb)nrj19~B-hWRnftf31IESNm~P&uc39-1 zUl$VxL$0-@x&sSQjfV;gaKB%IdbKf7Zj3z7d-~Fs?;Nj10vQ93lAybq?)IxhH4)69 zNaUdkt(XwJrb~4bcirs{*#ney&KP@Y<1E2~ z#4+%d66~Vysm}xZnq3-dKH??3rutEn=0Nn4uXw15;$QAT|L$yzSMdF_f&irp!@9!^APlI~lQQQvc|!&dNemuMVQxI_#e;F)#d(hMWxX z`ec?eumdptetICqk~tfq$9a+*;^BVOA;psvqv-y9?5!H76+9kJA*$fT6-D0H+qWHclixoBc`R%$^KIY1LwOeO(O?*3E*%TsC+J_r2O@IDBM;<8;kZ`ZwNv?sAPZYaIho*Vd*9PLGJwX~b z2=Nk{Q{mbfiaEKTvZ0;qs=gBbjjyp*iYYmaPq!crakgs$ck8+MdU<*KXzejS%EA}E z6gaOqBubBL2uF(5y<3dnScdsukfJoM#?yrOpCyW+PsiJ}$Pj^K>?hB%jlDv@o*=~!s_&(v~hj<9{c*C z&Q24P9F@y5;&B?6eXtV?0zrFbrKIZ5&H+TXe3aZb1!#x9fktbnzOVz%6O)U?uMeh? zOvEu=$+@FXJJ2wu@Yk9ct$+U1Uk)Vll!C^sP3M0ft~Y49nkS$Hch)MqTa-@)OM>^_r_O3-fl6>Ln$l>*aAeN<^ig#VGE9_H zD=?xfW{5o3U;Jo>-?w*gD1 zp-PtQ?oc>|L?V>8Twc)`zDGteo16Aa$#wy4Nkvdm;n_cr{8vtqP+ov4fq5bf(x1_< zBy%HQI6f2Rh4BV&Th!1L_P1#T3ac_zRn7Ihe-u(Vw#>))w?7qO+Z6Tvg^m?C$!_l! z)HSo3WDHfH8ifHXdsK`qWwJHw3@i`GHgL3f|FtmR3@*^2x~Ch|Ldo=En@jBjMBA$) z?0P9xTORSzwl{}@ypzvyf0J-&o8I&RXe>;GgLAoPZ@O))(QhBGgZ!duNFyL zF*)43hWFo~aclZJENi$xDEX7(v$|((U=J3OtKw2EtS}OqRVQE6BfHsNj3TZs*aJ`QXe<7n^ zQG*{}Cr$1EluyVv*`Ix^c;3gY#fc4c8xZoFX55nb@UD=|jx|y6$py64vRSd<22EQ? 
zE(2(yTT{qpl~PIogVa+?h1^%xj( zZEV!EMTgc8Q=iiE|9gwu9OI*{eswnxMLaY%NzfU(4Ww&-o;|qVQlFJAmKkMJbo`R0 zk9p|=o^WZ&a{6zz8*DGO6V^mkZ^q}=8rl;a4#?vXv{~aIbLD=ZZw*Gy*gNK%J`(>Rb!#iLt61?ZJdiZ!c0wa744kcaQhW+o>uZZXFCt zd9KDBW#tf&L8emJmU%&k^2H@M-9;NXovs@MwZ%r6?mwfx>Ih%Bsm}?C=&pGA)I<|o zLQzDf5Nso3r)=aId0b@H${K23RL>Tmbon2GX`55KxY)vFfaYS59+w`@x#L;0mH4SE zi$@rXd9MVeyV~%!jetx)rga0)J|7~!h7s+>#X(@<{o}(9ReXGM`;*t2uE%7Q+Rf*J zKOzaJrx_ zDCof$PWU$WwK$V!Ixz$}9~y?^{vh&bbLfeR>hVqc^UF-leQ;(;;c;TNN-joM_fpEQ*m7)4%MA|C5EL!epz};AWn)+0q+QK2M!Sk8KIluZjkHJ3G-F>0-sNw-@l*E{;= zl#SEk_1~6OtdW5p`KxfjfHgmAaItME2PNE4GLo%M+O2pKx6SOb?js+a51QN*l@$Y~ z1`!l93}PxOXd{l<7ou^p!qYh;h2Gu)`yhput7~l8otmM05vltgPi#Ki<_pzm+Q`U~ zVYtsIrEk8cWEg|?Y)*rTh{j-O)C@c@XS@#1GUYtL)KqtfZFEDQQ))#Hs*Kw_&#TLF z#VR!){*Sz~0bX`@z=nk5p3H90Q9%i_KnRei??;=k0w|!Cl+c+qT>>aTrX_R*ul_|L zV~09nt2WN)6_7W}baL|0S?jqqB zf2IfbIHhtUPr#eKO*ikSbt*jKpLf1JXvX3FE}PpVJ%YmhJ%Hs%=KE7<-bihTRhYtT zJ$aAzVs1?jwZZGB5jsOl^HrJ8U(zHH|HrA-=ZcMIcKVZVL6A~pZ$i<2!JRu8tnnO5 z)2J>xhXoa6B!G);QQan7OInINst}8e{l$(si9>7?a=&|H>alHX}~jF1uuAbOS9nTH&c)0}w}f_F=&7cuq!%oC}Ob!ceUQ z?0;=e-Vge&2w$UCvV}`Lgam6&&1-SzY8s-bO3q74jRII3nGnL#yp%`VN6FYvRHHrP8*X=#>lncAV8-Q~>sX6X5 z%f9Y57&HOMJqPa(zhpJ+C}lhjp5kK*WMrf?$vzz9R4WTzCK_sWz+wbtj%!0oTP{X0 zkY_|;b|^&984Q)#9kmKA(!FF%5QqLJ_ft@E+Ff_CWQ%JQ;7=Q1VE+x(xWaw%A9FktDn;eH!Iv<;85sEdsT(#q9fmwkt>sOohxi(P0jQ%r=80Z4djTI6k{9%>1c5 zwxoP@DeR-lkN?um-=@&?jH( zFP22+83#hsR;}qj269>q`!Hm%1zMB8+^12m-n=)>Bg!MT`e|$YD06OjWdCl*xkWOmwLC=8s%T)B>F?LDA0aS!lXpC29F5$dIfb@LJ|j9g1^`A~1LNBZ=xn?YE_ z_cZ5J9y;~zo0Ba%w{CWNHu1Qk`$TIp#xj`b5 zCWeiyRHGr#QIk^b=YP`v1&LU_n0^##Q2u)XSn!c$b8s?ba}oqTTf8hIwQN95S zO%m&Rl>2stk~Az!I1JvggAu;JCq;C7niaz{k)pk|${f(&xFPX$h&GvXEB8Bw#jrALhv+%Eol$^1U;h@CCg;Tf zj|(lTpFk-Zq~edD;wPFn!UJ_`t#j^T=;BS}D`i}@%u#qdr*__hbz4kR?#y~|%|(3v zow=2*pIl~Nt_6k+y9>BJK{1#J<`bw~bqz<&_OkSk zHHVnJ%eG5lyQ5+2TpLRyrt<4q5y2%FeWH{O_T?k-T(kM4@0A(g5A)mM6@#R;JP+od zfoGxjyEqP|6DA#zP-6Eo>%V#@K_#|c(I=4}vh7jiFizOUV8g0)8qf}=i4iTL{W74P zrchaDn-cVS0qZ~D51wKbT`~xd1_3H6lak@?yRAC7TE2H_>}7RLTp8--31*JC+O9D- 
z8Fa{1|Ml3e=$nOG5nV)Aq=T|Q$JUonEk9cv69zt`S~Z>7(rNXD>lC9e#43(RtEQp_ z>TYM!F>pMHb~luCwQw$#U@xwk$>@LZ<@$ilSY`Xm;8-DM#(j20%4ienf?9GEDYf#h z7_pOdxQ&jU@+P~eZ31SVjGL3>*}klrA>{uEl=^BhungqJMGK09RW2pNy?0w_7bvoc zTCLgp&^(&ry1dU{S|&yqJs#e?!z(T#y**2xbCSduDJM=h&p;la2j`cUnvTb6>JPf% zp?3xKUH$CwZpNwuN(<28#*(Glt820gi(1Zs5J&q0YSL)eRxdBknoP+5zW4?>Q#6&2 z*LQw?P=#IJ+hF!dtI$K={mrrf;l;9?x2o8h+#2lk`>S_G$KJOyp!DygX}i=kxMRyEsuIZc@H|sas6=Jdf9w6}z~@*+mJDS684&QaV(M${0|s?t zyqeu>qdaL65pYy!8#cwrx%n{J0x#pP;xQL-8A9o@Ae)%2-zIDWT7wojN2~yYj`?&U zt|I@PJm8u9EJ8omf?-cSD-LhYF)6G$Y}+TiZ$@zxVVR$4gQTX=l+5Mm6?C*Y;B6tTMWa<*mjq{TPG$78%kDcNKt z>hCC;EM_{_4_i@+mfJ81=O?k4(~|9e{cUtI?*%Bc8U}X~_8+V$u%#?pAV%KVjM|38E$F|HyT zGlpk9P>wNDi#SiQRu^G%?95P|S6YjIe7nN}^D}J_bL7t;2gjb05F#hPa2rWUWi*Lk zsCq8cR8!ae0y?#Cf2X;6Tt0PBO+Oq7D3m}ph~IYKuZm4~KB3i=CwEY$-6AhCBN-bb zQ~h$jZ>-xSw0>w(DG?#}PE>RR+}`y(PbWJwTWTh;veyQGM8DzZ7Ij5XZxGo4nwJxb zb+Wa|)mYQRgIK=R`>Vh4yQgE=4}xipst{aZIb ze))6Vepcg$ckc5?bXTwK;FVKE2Il%IJer%K?2tAZ)K$H>D2i{K4DQP0o_-@`!?>%? zbLrqt&{cT&v(2<4bdAH`lThV9}Z&7ZFN<&e!w#e`H8JG)zZ>j)z{A1cZF#>y=Y$ ztiFzBZ{%1t)2-#Q|E_iPV*p1pi^7K~?{95U+-tkldK~~53FOqI&IxuG72dyN zKTnYD8yE^hm~dfC@TjxIK~CWqTx30{s8vFMF43nZKq|2zBC+v-nxV=A@$Ui%qZ|9r z<7lSCm4un*^In@m(6^ZH%RCxbkI*s_V*{2@yrdrFLhR;Qt^Vg0sa(z_Qx|paX=RlI zPM>vcE0e;=&M7cEUB-Fj>LX|DF#%fQ0%QETp*^ljB8oWUt@b22R@6*R%4XaW#5wVz z@j8R!-k5ebV7IQCdl_6}vHY0S54&9vD(NV8$Z=vEixj|hC#E~`6HcKf2?ON=fd2@0 zt|;zKPMH<}xIXHW{t@zI|Lgx1pv4uWjtb&5_@mCTu{!80aZAZ3hGj)Z!+jk^r}Kpo z$r!?tn36aWSPpJE^D zvCJ0v>NF9*__F^vJ9;qNe0*;fDm)I+(1H%Uxuw)cp))W_P6>Fv0+-Ak4n(??JtKr1 z_j`_Sky&B8&0Vs*%iYJ5nQagkpn-Nu29^8(K_ybBwln)8iAttC6Y7}9XaEUCVnt)u zL{*VR1EOExr5t|~^|N(*DQ+we--j4jEIX!uN^Aa#n@Dc>0UXL*(Z_jOaQZLytRAY@EbFL?6QEyrw; z)D6X%yy8Ank8OGuvlQ-}qjp>(8+GV{b`e8hfA(LxYwW{n`<-B}oBkI#sE{6qJ--%X z2vjMYpxL2VIs0QysWJI-YzaW9Y`&+kyTtXjuaCnXt%#BtB_`sZq^5F6TCL}!{wouq zTY`;|g!XJG#@t6+Z)x;k!8eFv52z3@v&6QW^Jux30~!i$O)|`Qh}Of;3+5?Nz1dbU zYd_fOdt^puOpjpzw`)0Vl-epgE!IlT^euP`=KrPg(t&Q{tE45ZQ4LYC}-)0F!&wM25FU0#L 
zqF=Sm{6Ni+8@Jh(J%KgBGh(P7P^4cfFZ=M#bJf9i0UQmAmf>&Ig!ZuZ8xxSIe=e*t zFJkO1a7gIkCDqF8QLeM?ZV-skoq!hyp45$ffF-ptC z1<#i_L7NtJm!q^E(J7v|vpwacvET0SXblN}?TvIM>wUD1CtjL)o>h@;A%Etdr8j_8^YO$f~o5)Dj?bRCaYOx8r1la-PaDDOVUG zd-j3zkfZt2yy@erOc^6r@vXEVHs&w9tAJH7p>T=o(bZSg8RFlK_L`AEHfHztUa$OJ zL~iPN2;J1+!X05X~UuS$xd_23gMIUjYy9+SJh}$H{9}SZk9}IoR=jaB!xr@S^EbT zz)@6w#zaQi?MYC|xjF<-W$JI_Cg{(i)isNGIA`m(2BffCNSeZ@>MFQ|Lr8BWa>u>| z0BD;~Mnm)}(u2#swzzp%dGS?bWU7c=rIi-AzP&hr-&2A$9?}TAn@D{rAEv!Qm~THw zmZbIfuzSr|+`;x?CQ2$?>0PE$cpJ)ypAJ2(@rw?P;P}$jr-#3Di56>qYdB_IYCo=@ zZr&k&0K!0I<}#{rz7WM@YBcQyry`l8t|Cj2MAFf(h9Y>Sjc$~t*Gez|J^wE>hzzCV zus#IsGLY?>7fJmS%~3*e-X?pOK>2R*=NKLRAK!-_b}oUEJ+Tyn1+Zh7bM5z>;r>p; z4lA889TbI{v>XBy!R~1NS`vyWb%v{Z%MlROJT5zq(dn(B*u{BFMtoVAP%h=YvE&*_ zW$YE$nxjcYjOcJlO%k9d?Z;Ms}+8O&f{=3po6#Z@N% zMUQkz!P0nT$?Dr^J)fh8)CHOAAgB_85NM}c>|ESF8z{CRaMxfRH(^+9e& z2>kGQ20^q;2kL*P?R2rZ#Z@<@B~_le{>f?mG!`2$IiqbVOv;tOtmgr2bG?U< zSI-~aF707$Jx@&K4x-4e^}TQ&cjJ-P8{W^$%a2+@?@(6at4Q^=o5?UU(}WK z2@<`Xi@o0GCoxP%mM;uQEVIoNR}xoGSkqRsAADaf7eO%x%}T3o6mw8CmZMC=(jfbbiz#UK{ZN8(7tc^FIh+K2yn-C<`r>Ec48TTq>`kPOsJMKtA7C z@6<4lM^f8`xCJ=s@)l|hw0?jaF%D7x7HDBx%9o@aqIDm(bw{`$iUc2I0L3fSsujID zEZoCC%#Ed{T+tC|>NPNOWsimJ1vwIGj{bEOp;P7>b)&oJyu|f}=0*nJG&rkl`2)PQ zaTA0>w*d_Cby5Nh-(EphDj6Avp_0gcgaUkH>5>4q4E+rE2PV04m@K1rT6oTEMypaT zP;2Gws>SU=fG1z$hZkod7;y*)KdF$>?8{@2-k-@L>E|-T72Hr$*t6Z>p>F=cHu&Ex z9!}YBYAV_P#i4;k&bWa0EE>fnfaHF7KDXjr+2;+EMeKAebw&)V$nJbK9vMT`c^<9S zY-ZFM{`=^jqY>dRjoJq0);V^uw|0}%i#AUvhfb)r?n zmAO&6rdvjuqc!tFZ6$1ezuaIxCs^ZB^o65=Y^dlrQgut4c5}Y z$mqzs`#5u&Vbw7iQ4rH+r{00V^F#P$vHOos z08>iZno3GmIW&?aG|OlnBD!{HWCI`PHBJJtWpyhT-G1maAW})TA70JS;Tq#WoL+eg z!G*0TW_Y7l<)=Lu>3G&VeQbp~EL}|T#JZTS$T3U8I@^!O5UFmUG)#Ww$f2gVSlHPL zQS73U6Kfl&#%SffP^skMpr^S8L$uB7ZDq(iJEkOvl)E;qm1kfygm82$+m?UV|}j8I#p!X_z*L9LwB{kJO|F{x@{Eh%~DG zwoCd^JaYZHh(bfj{lbZscl_1t0dy~JuFbh`Voq&QA`Ji;Urqu|!!-D09F<#>3cvR? zS(;OvYSS+*E-M^aV+(b?<`y4j`n$-YRe(8|Gnu8tc!pM^s@4JCEUO4t)+EJgT=cm! 
z`=#-APSD|T3=5AV6>Th|gzgY2Rq^+JP>{F}=!XJHN3s3yqw6aVq7jC`4qfspHBJ^E zqkNsBMj#nO&33+!<{mpZot&HzwNeUEk1rTXF1uDCsz$a?B zM&)nXZSyRDp*F)2RIK0StIf4NqhpTf#PR<1-@F@rCwNJku+HNfe%yBF&lG z*~}=@benl`1@{+uKdMD^3Z%iPeF@JeTQi#iPV4wUBvn_K%93lOZ5l-4ifbgZ5?+`k zYIA?VutZ4HWJACh&>9oSh*@o4CDH>R_}d;4Y5)PKJ=g!VC#0oi#J9qqVMlF8h)19h zMi8Tiel?Be`jW<5lRNbM((ID29izh)Ha$8O9aMOU4|8_eS3UVlB!_6ub*+ud*27WF zop3$|cbsdsx3^m3WR>*mo)0i{)D|vBd=gLKL@9DkPt*CVR$)=Zhjv5!OX`XpxY9L-VT)9JF zhNO)nM355}IaWSdiZr>Tqwgi46!%brB~`Mb!Ya#LpO-iC)}>}DUp-Cm?&qM-4cE3# zB09Z`|3&fKe6w4v%kQ5(_0u{t$XjCMr8Vv&=W6VRaRIh<<6N@lOmyr!>R^qn6(I%{ zmC>2mmGF9-RR`tpU(R=a>FWY;zp_emS!m(vg~5aySLPa(*92abIH;eiGw`e$?p$Zl zedS6)T7>%XJy7ANf@Dr`uZkIjU!?}_*G169)g3MDKfZAY&-FOAEBHJ2hZc7{R3SvT z5t1Q(_2o~O)~Piu>*Kf6T|GbHYTaf{M-WWUgsMzSlau_}qT-#hrIEXx-J8Dm%CEnj z5U)cRymye48HMC-sP`R}kfSmJ&q)B|P?0duaTi>HUpAK%vqyM=#uKZt-9+Jd0fV-k z1|}`0QIK$XP#>R5m?sP+Oc5pAQ!DRqC|7kp`b2}}+SWvydv9k<<9GJc>*UhtD**#d zwjnN~kf_($vi|zf%JXq!V3JK+3m5i-fOfz9(v+Lv?7BO1@sa$E)9@(A0!2VP;6WsS zzG%?v+oKmY2LC~G5mUf4Eel+}bWG6L$9SRX=-!8#)*nBI4w=3Tb9V80;SVPbZppuz zG?{udnfq%*luFrJ#>^glyl))v-F`(+jej_U+U9%V57a5vVD{{kIsVYTuiVCjMFJ(Z zKHVk)KH!Nr-Z%{q0T=G=^Pojy+K51owwn(%Q7<($2#=>r;25RZ_g7b|b6(ipq}YJL zg#F*Z411KK!3OEni~p!#t9`sbCIN$5t9rh3!2EgG1IdovAP_dlkKBYvjYzum={eQm znXV{T^0%03sf(5c7!IQ3q$TF<8#?Jz4*A~6aHYLN#}@__&*ecNB?B!UG*B2pG4p{X zxp`2GUT8eQs)dl|T5JvT!hFRcwQhnhP!fClNL7J?t9U*-xovQeds$M?;mXi}&`rWf zwyz?MKX9eKA2_Ry+S!7H9Q-R|?O=R`_i#I1aU*PQ*Sa3~I*(z1ed;>BA5!f_B?#J9XVN|&?v?$Q{|M06| zW0CW41cUYDkp2`O-e{!6!Qv8KY%o=pv_~QvM-<^e(2L&#x;(5hlfTSWpKRJ&q8nS?-^i)DALXT8 zi|SY;>LG{y8;h?rKMIPdEyZ~OnrXWHUNlLNM zY!vAz>QtAN%G2~{3FGNX2YJG$4ouHXtVRk~qax+Dyft9ueEw+*@@sG%%d`=whu2g` zWwPufG8-3I{{F153*NYvS!~^Q9VEB9oHY;eFj`U3weu_fMxago<@U93Pyaqo5)d}# zO(q8JJmz!Poyp!8d?a@=338;&^*mq$9Q5VNu_VzppWMkc=IoZ?ERIWQ)yAM)+nSCCH{c_^?C+6}f^9c}oK| zx?n+A#m!0qWG8mYtj9aboY1V(WigRUXHB=4K-^x{RZsE1uC1w(2Yp4QhPmKk%2Lnv zu?A`j2F0gOwZt2Un??^@Z=EZ0Tax8xHg9z=3duVKvS5kAyrjc?f;7Lweek6X+-^dC 
z>pvL!FyKF{^%3eLd*>lvi8*4$i$t+3j?)gLkC`N+&e09!($w6HRA_&>uMQ&2!54)U zr4FVr)CE0SNwd9JZ^C|GiE)MNV5pYlj4k-u?=Pg@GaEQEx+a&2X+Z9tJM<>T_I5;E zsw$lM`Ba>7?tbg+`snI0`7GnytJ(cK-ObDIYh_l%1F3t5hs)8{E5MTA2^EC+E@aY( zY|-P4m1@l#YJPS=lI0y@bmCg@I-VFu+0urwUQuF z)E^;njQ)G(PB=fOx#BNVG!#vKe!llxJ6*og(7Rd8yj7%b#%ATXM$x3qw-a49-@T2t z?Pr+Ki`>$_2V{&5F*OfDVBdoXpjF{J4;^FkWRvDD-DpUZu|K{DAVbVaG!ZAX>Nmmv z`a$UjNk^m(z@rir+i*=99+ejXWsGd?E$ZH13|u{zw4$SYD>Qgz>*J>#%`AR{te87-k=rr%#dbI)|Pp!ZpeX-9Vk>L{8ZgTe;c z5AQ~JP&ijw?xc`j7!955yQLiCSqGS0EtK1djIJ(Yk-uCWLIwrBR)PlANqyu4`xcrv zm_OaR^isWO@Y~7r>G=F7gOyyeL={?cogUvq*=&78og<3>78P5Y@t&ObY%t#~Cf-&l z8z$B98{}@3gPje-+FZFJV^7^X0S?lovN~d)-~fq>h@EzUi?i7Pe@oNWfS4v4Y?qn# zq-QjEKH<@iZyr&hl(V8tN^AoUxt(S|D39!ApHMa(=}lqs{gvtLYVZ9&&FpWlO9()v z2z%Pum_J16r8k#ic)Ut#*4TZnF-9*z$_SyfK+pgmpFY*j_zP`g+y5zQJjtL$B0O-y zTS8qw-TLGxXf;N4rj8SQy41QLpt7>PuZ}u~b)x`RXSvpZ#Os5l!tUM}umJENBEJ{b z>xEiyM%?&pp(I!%dXqx0k0~ya9aLkM3iGcGPp@bkDv`+ErCG!)&;Emh2vr%#`Ee@B zHg#U2MdM)7(Ar-DTcx*lj;U7}C?SJPe72A2>qX8|>eP|T9@u^}WS7(N9_m1W7d0f* z^j5R>ZPEzGhXi(fz9vhJnN||B1XwUzObQhpr)L*;S!J@Fh#3IWbNV|t!|(?SMb7`R zqzarf#9{to%VGawbrn+QFv`eC(sIT76j`5@LwPwK7pVdhJqgb+9=SH(d7qHf(3B|n zaBK77-qc3Rfx&zZD^ZXeu(~suh2wLlpmfoadn~Iq^A|2X_yDEA6GUr%}J ze&&*6VXe%Q)!;Q`l{BrbLk>YcVHW!CFstcV|4-SO>2k+0ZB;K=Y;G>kr%UDC^1s(O zgrKjwxc_{cA)ods*+Zfw-vR{1SrV1AVJt4CKD=9K-!B_a&FlKU$U#QTRmbF*RA0xw z>TH7mGv=%XZND?MQTO&{H!+b?7vT!JY(ZQ+lhi((zf|=>>t+5Fyp!hOY%Zx8Wu`f} z2;B7Lc~9Uu)`}WD?>vfha>1?LV6+0 z#&AvYyoVx}c;Jw}E71#Zb*!!hb?;u~_qODJsY=7I8iR-I-l=F|KR$O+5@~yy$)NxM z?N%a-EJH(1CMe?S2HUfSSr9!7F&K@LS??O^q~oO^{Vm6|FfILr@KEA4U2hC~HD_YI ztc4+ymouUET^d=ORFA7BfR>Bf1hp@-)h ztLe#}vk5~I-~_foYt{ENV+C{rTe&RqJ^Ns;x=~&akk~8A@1Y%?T5_FH60vxlu<$*S z@F7gJXoAH3pUe%0)7}0;ZA6z2v(!eU=!)%Atj$a$RC6SIqBa>uVzxZ#*3Vk$kzx7W zW#j`+ciD+aH6kME7r^ zF-66^VomK#j+maw9u!B2%wOyLP?Y1;n3tE10z|ErmV(<)E5A*7>N}RqB-Z4jPn=9> zrNG4CL|11}w|oGF{+~I=jqkGNK$RBF1<{`_Yw}aK2+yS1pX`Y6G=esLNeuS+-#c}# zH_-Y`%XL!%(*o06188e-D4rTcxNNnPME?K_c&>6#Ic*ooO2QB9?29WH0|MOeI|9?dzBh4&oIn2H!VKW+xFLp3p-wC_ms#!GuIZvQ{*(Y 
z*CZ;Qk>Qn^9$?oJZqQ6j(AUS%NqNghD*JB=uH0i+5UJ0zov>0rWl@;PWzQF7)ms8c zc5`84-1$b$QAt|zUOKPMDJ!FoHiI}IIgx6LnksXb9EVt%;g{4Vb0kxPzlkx(F1=EU z&RLkOK>7LBN5+RWSTEF6WOJ0m9@x(fKmEMnXUM(S{FE(1A+^Rmc2akkRp5a3VxTwmnuDmFS=1FPSVW4~4viqLZYgV;d!_O`s( z{+flSX1Yjif1hG^C7|Alkdc0VwxMo^5=u4J4G>XnKwe#Fl<5b57l4oR-PdL6edF1N zGp$@Tz~%T)Bz3j=5d8{&V}jQyvXY~+(cVXA`%$QC9HhRw+*F)%uhOmRCF^^l7PPCQ ze;9D<>J^GrL_#5UKYew~khT^55!Y*wgBDeNwlL#yinnq%H1eoJbql zUKhWFzur8K9B{RH-;r^q5B2AaiRz_o;@jT-ru9G6?(V#`&oWB=Z0C+yIBugmdHEC& zt7={xeK1D@U0sudCbA?mH5PJpp48ME3hTa6tObg;`5@2EtARe3d`(TGM@`74>jSXA zgSc`D1~g7i=uD(67VI#Z3dZ|~GyGcWXgKE|>8|5zI8U%>pms~^iGvZlkV zk?rFj5{vt7&FeIm98}^;RFFuBmiV=c_jxXWn}40ztM>f}*18`!QD#Q4;ZHj;ChJ$v zIPfj|KYfIL($n8v%g`WLXx(&D^tD07n=?thA&Rjan|Rj9-a-rDQLF6zAk6^h&IeV0 zye65GWv(aj_yQf`5pRpDW~^W5W}zMW0n`XnoZaZ&ZdvqZBH{q=QKr|N(d;W~dxzS5 zCGl^i!eEjX&SXpW{iz|Ktu-r{4s8#^pA9B`eXf@c zNPa@T)Ae9j=OCn+2}SMp00YEN2YuPQmch~PS`jF?G;@8CMcy5TY-3AQ%wC;aZjv1c zlX7MtshP;YhBcBmi(qEhEE;Iv8YV_E;#vbLEh_1E9WFcz5fU(QC2NdqQmZ=0at^&v z*-i@97T~1tJV>+reqta9CCa`PE=F_L8)s!3N=ZCQp-SFj=wX6Q@E%K@BFoT{UB+Uq z<;drbD8_8%?U&-H^X(oF)!+w`)>m>}=3P-h3qiaE6GOYmKnXcO#lJia!`~gU@{!zc&$eixg}iK+oP+)ft;`JDuuco;B-E^N&>4mJL+af)Z<@ zs*3HD6KmF7wR0-Y?0I_vxlPF2owd$oydm<5GD13st86xRvhEOtLSl_wyjjWS-_k;4 z6R^nq=3Ko7wSTx>=8o4k#uIuI9XEcSYk{Lo7g!&k!5rDTARk<4MYNRZe^t!HnDXvZ zlm7>U_T18{7AwW+P6x(Wfxl&xX@zTGihPb?>E{^iAqp?HVnD3bW^K`uUj`UAx{Frd z{>Emv*;{+4+ne1MI{eUGO379jz|tl=T_ff&&9`?OVDKyq=LC0Wr%er^i3t~Kx)tqD zuX;8b(#-ZHuFNs^g=Dm3iNXk0i~s9My(s?;BWrgy_=Zl=1F!*?k`!_{kwMp4cTc4^;B{HqzHycfG{Z=EHyb`t_TLpqG2j#fH- z6U4-P1PB9JsoUHnkbl|d{5@~}8W0T^4Ogx_`(%c)_J4Wv7w?GT)xjr?Z}2P%UYd9b zq#|OGYGA_G+v_S*vjRAua6qCQn!03#_g#V|c&F9-W_QpXZw7jX#lF~zU%1hBwbSg` z=5g$h$-m#$LLoq}PumKOnLXI3sblm`9<6My{BEaBKe#hwp4gdQY}r$477$E5q8oa* zf}rY7({?#&r{Lxcaf|u(T`Tg7LoQa5B@4uilv+Sd#yAOO4PB!5<2pVC8&v4u5WzqL zRG)J5N;BDdIkMtyl9yE4JC3oU^CIM?W)S-d~{eG zr+yDn2Q&cEq108g5y*X+1-7RV=48_$6AOhyiWEUiAW4xs#Z2_;w=sJP`fA{M03hpc zYc2jmJQo#gZ2AX`cnWm7x$+Ix&iITAi~SV#G8Cbu)wv&i{94t$6#49?O={eGHG{Sr 
zTYTleZDXEO{f!bNGDLBIKkxBWAO9Ed{(17!nxH^l#=-3>`rr>4_5#zVd4xx5>CPKY zPRY^Hz(U+@4Ht_1Y^mzbTlD=yCZxd9XcC{{8_qLPW4j(%y#TR&@Jw9Q_JJ8`Awn>E zVX2Q}Cs@#jbdH8n9EaW$>+;9%RO)pnMM{q_VJBK)I3ifWux%87H*PtGRhW$G`Wvpv z)mvFyDTg-?Lsy1UmvH|H4OyLIzFxH@=xY#R>{H@?yh}P-{&U)R8><)e4t`u5sq7m! zhn`CV9g8g9gEs`AN*|ws13yns;p*cnnrVN(eE3_uC?9uimD*&fU6l8s1kK$3Hre&f zDclP6Z2^H2GBkE$m+%+ek(oP!0(DR89FniR)<-8fzb2SLs$lEC3J-4FwkR*y<1Jp3 zTeTh|HJc8Bk*8sU$XrQBVw&)^p;Ak<$ce^l+k&=~uLz>@Ot z;&nPrQ7G^XIE%~2Inau_LUyO(IV@g>US}SV(-eHKKsA#`cqsC^Ik%xYdxJYkVpP|c zF6;k#&ZQs0J^c}%Uc`?@g;jEh7U4eJ3`y*+@5ClJ7-5^TN#t*?}t6I);_)_!yHZTyT_RgxzAH7*W`PsUJ%o=b0|6w#mYfZ-30 z^J<+WPJSYyFU+uCVZ0jHpO%#gj-TPE4ld1Y+c_@Jx8lt6LtYpnq5@k5u6^He(-||3 zP@lk*45C{5=&CyDe@W*vFdp?f#JxbZzJl}MlM!TZeuQM^?fPFHGaavaBpA0cjko;_ z9qh#O@7}c`(=nZT9}8jN)Q0)3ujc=8ZRUi$EVbL_$hfLgO{Jj6woh4qBkFQOeul9a zqZN`w!WCVthWm`feKA5K7S4T0p}SxewsTrm!qzO_8h>prn6f?}CH*YyP?>kwPvp0o zm{)+2zSGN(oIiMbSGHL<=7Vt;orA<%1}*XL0g8s~fWJchA1Bev;w zI!WLuPHCSs3QwLkT=aB#lNS%dru>C;P#Xrhs0m-MR#zddBq4HFGCb!te|s1@zsS>9Xs52*w6NX&^6iQ^?ajcK=u@GGTR521qk~GC1Fqq6!3wS z98^-4_Aw99rNqHR*O^}Me9Zdve8y6ZH)9^pU#bxg1gd6h?4XmYo8`(}uP9YUohysZ zH#hSC8*|e(Ar@ZskA>!Sju|s6%}J0S_b49BQzniGk#8H=>8qJRIat3iSv1!QVW(Fb z`@xB#*Jhimx4eZY+0p~=z%5n%r*m{H%Ra3DB4t&`PQVqeGMD@cI25z9Dhdg_&0G&H#l@B;6zB@1@*$`ghSbfN z-gl#FCkjz%&jRX`uGgGn7qoNgVNEh5VUR1mV-4!WnYv<2u*m$CQ&> zr&&E+g_UsX|FLM~9!|2>dKgS|k>;ra=c4AnVJqrP3%2ie&c{hD!S-#b4V(&jzW+wy zjeB zDSzV3kv7vZlzIbVs#Xk{`j*FFL=Hn?&{kpO82oNv{U|h&fxZ z*j@h%tXH#7YF$3EEPQ^koxd}4{fhAbZpw93sw0)}f2!2H+e|Ke>vt_hn-CsvZ8nHA zFSl4-3(g<6l`u8vKOmn6hUvFvl7ZyYLO%VB2VDoIo$`0fN+Fi%+e7D10 zWc6~#&&WqZY8{+uz&{|#2JR%#=_;yfa;LQ`@qdtc)9f`jgBmrwbTC1}+Tb*8E$Ypc zqU(u0X@D1Og&!ZeL0MNKip9^CPy1aS&kUnvygwFm@|IV%x<&GowLZVy;8rcXs9uco z^JN3Vi(q&%{^lPm_S$e!Y;qM7XbI9^Dq!L{Qa#FPY&dn_g(!q=4bbJG>BZ)pmckd9 zReYT7S;eM;R4=9sx?9T?^QY{+T z+$w8r$`WN7PQ!ZKOrEck!=J^BhUcN&0)cNGos<@9yM1G0EPrLNJ<+2Ptl|`>doTyA z?Lbm|8GFR|tYd$fkFl}Bh%$D%usKdz>8!w9bq(05?wo5({2WgILa}?nu5^yiQ`UuK 
zP~cfe(7P)mzy-st`>MxmLh``pO=U~)qOz$@K)OSQt~c-5$=8LdVx~fvg%E3i&=YLg z-Y~(VN-!Ifb*g7TukJBN4L#&2E!cDOae%sKFt*A;#V5l5PiT+x*P7 zUmDV-d@6&lIS>N)m8@pL&1laXxe4KhUa0Gbc%YfTZc# z=xsXkMI27(xgLl%@^x|6bo7jG)gxgLR*S1DP;p?M{ z)~2!)xua%(>x?ZRt}c#4lR*eB)b`A6R)z8jUUyN;#5-hY z;aLT~O{~n=U#0pa*{-d;O_SXp^rmd`$v@6Lfps6qNB_Ly5hWeVZa;I&n4LqNbLu-= zA-=)gNS;9~yQTp;XxUaVBMCU*4z9Svh`7Frq>{deR?fVf=FO()l3j`xKGk;XUyTl0 zD|j?vIFJK>J3t@9rg5?rVYzIVD6C5goqL19=c$Bfdfr zr@(T~e%5aE$8OZKE#H1{LQYsb)j6~%wt?IPi~?n|x2Aq%40RZHsvzu}dLPhSXm605 z$u;O?)8i~+YGlZpY6u7^sn2nI`_7R>@jpvf*9n=?mZC3eu6*Gl9K>YBm~SNwTSsSZ zef?3sbCP8J0lN*>Y4AR5g*w_m%LONM!A41w{*1_>PLXMS~=W? zCz;<97i;w)KxLVC)9`QXgMAB5kFUNVy8UKp-wqQW!n2BR&U9#Qj)x0M%>4zbCjumD z+ndu{!=(~__Q>&iUxtS6SRJ12lwE}E=}^d6Ho7rUuw5kWdFq=XkevMxlSSi?#~S{`hjTa;+?xlR#VxYn-m@VH3PR&9be3HTR!_;~(l z^R4Uir;%urI?aWxZo~C=mFG}ektco=8wfdIETJebaA$x0z~A6cXbG~u1;qB_VtvaY zb6RX`5y*<*7O0Le2NXN^1U7$aFvKio+bMMO6*%5c%b=_X!oI`vxE$IQCyO}8ZM{|@ zMn+}mcl&R=mx&B33xNmwqp_H-pIv*prm3W&t-%AI$_3ZIS=BmW?s2Bsrc5W;3mw15 zoql7f+R-@2)#$|4b*&;Nqs{o(MhS}z_B%W>LeiEY@1u5Vo_o&ELoj?eS4^Xe|< zdS~9`x;)8&ZBwSpA1ZDUtL@45_h|Onj%bIPvYIQK zT&|)TiN#UdkkK5oA9l}nyGAbLu3b9`D!R_8hjJ7jUFvgDSkSn+lJt9}hL$JL8_#7l zY8_Ck`{O{*KK`nBlOk`a8kuW~NzDC3aFmt)-wqP2?fx-{`o0_aVnWV6{{861QTbBK zp1<|+SBYpADyD$w-X!0}D`U@d_H}nTSTx;!}`yBQlfFxtt^^uj%Mk(hW2pNy6Tqeu!;k^`;JwRn|AaCNAj+$zWYdp`;uF3d~@G$sz4 zKUSt|oaxw_V`eNieEL@{OKSV6A?t_0lnC#Hnir}DQ8!dGL2!UX@)UkUh7?DJ*(-P_ zQ1eJMx(tv(ED2L{EDz9#sJ0sQ-FCq*%jgrLTp|NAF=B9GUW9DSNr#6k#>tmUen1r_ z2YJCXpZxxZN(<)(c_?)JZs8KXNp&OD)Lj=TCc{!|LP~Vq=iW3kvkVSapQKDnGFqX& zbAE$#+Ih6|!_kYBYv4PCH{01&b_u>NdA=3d`z$zGyXAhlE-A3~#&yB(L^^=H+ipQx zd;eX*(=4Z)H#hPuTEh>QpxRv?+Nb{t3pN z0sc8*Ip?;kO#cwcO<_>HJWWrq?)qQq@UQvu zqD!sg`ZY;>pRv64$=&+&lN={GoH>y}`}tLu>m_ZKgFE51ILqgEk96V}28_e1U9IknnZE>C6~Cy#zz7D zoUYC|`0$TmKQ%Ki0B0Ok4o9VU{Bx2Sj8=zWy52weUm|2)ooUw6U|Q!-Dw6lq)IA(U zpbK4L-ba{J`|QB?WJP_4-D|DJyXYhGPs@tK2h#+uX>Rd9DI9|G{A`%Vz%CY(QaAfd z%$&rmyPj&Atk5HKJY5hvI%YOr_M9-c+nwVIM9#}I#Qex@F`Kkl(0JU+U 
zucbkQnybs-Y4EzNxpZ)pC^~hO5{kFS%j;?RBCbbIStM{&Z^6ctZ)el!dRc~8An<43 z8+@(Q=~P{nW03Umw>~pPX|Z4~$)2LrQxeg5^|(vsSobMqQiaMUi^qjcy+ni?G}z4_ z3QUBym%7<_&JkAGq{XgM!2(-!q@CDf#MSw|x)+zR=BwMV;epUwVF$8S>=VGGTGl^+ z82o*TJ!%xSEx6`tSWz%wy;-kmB;egp$+BJS6J2$5mpiO(ClvdL>ua^5SCFc|p;l`v zp7bHZj`%*s#yL^h;g#PO4Uuzjut~Ry0mn`B*?7x~Le@twdq_+1h2S?GQQp^P(TlnX zM$sriHAj(Z>6+QaURQfHd;Cafw|0pe$gM5l`t%fd-aK>tFTA}?Ti|@Y@sMxk+Md+h z-b!<5pnfog3%|T?fNC=_H%?Pi&6CLRYv$UX-~VTT9QjtYAC52|ghSC<^+VSvOP?R; zH6|kF=16dvqCyKT9yJUWIi%B`S}+zX-tgfl8~vzlnO@}-I<+w8k3zUx->c$WDKTw2 z1$=aVL&#`oZ2(O-SEl+{veowIXMDZEVxs}!+t+QF+sieBMzQS&jg1}Ce4p{y6 zp|_wDgm^DhY(DM4`?-%|93n*)D zR9k`FmDxm(yXrz)b%JWx1go3Ax7noQvFk=uuK&diXlV(3L#IH4({9V`H$85HlKmq- z;GYRcdvHwFZpMfS zsmpJTOn&ic!EGB^3KOUsPAyd7r=wO@N+<@?WvJOI*Cx@Af5(oi{9bqG14320xBVWv zA%5H3Wu;Z-QTW7c2wyOfj2VXgjM6j9-Ea)1yJoNS8emve5i->#O4(m_Ok9>Z!KGE}%-(hQFwk zs@%=ww@3e+;t$1CT{E>meq{VNp&XIRM)J?^2-zmS%!~D51}yY04Sx)}wN$y08?T(x zHHo;7C{-1O)AG;qsH2oL)DY{ZFSo7H_B>#~!~QNB^*OxBRm(HB_xF%1se5*qnV$w% zkz0DU?liAB;iJp)&scY{dqf@ojb|0sceKzZq>7%Kk>eAXs#$J^AmOEj*Ny~4J*HOw zglq+8`xo`J{dR9!_-Lkf6UHt0kM_>80X z=D^RFh;{|W0<G;)58SR^nh|)-9QMUju<%9t2G;Q^NM+&iF z$;&ZTnL1UJF4v&17yXc%p*-*D|EHygV@#V@^TsxX#c(i`M9RG)z1EwY#Bu_wO&=VN zEgticS~bn+*Dksrg#G&S6u_ui;fN6nH>hG})gyBMw()bQziZ&(!6@r=z(0QBcm)m# zKjeJQb^L9^vs+6q~WN%7Y)3As3sXqn`LTd4{ZN%TTo>-{--u=M)5IHwQz@Q0Ib6|z!a zS##v~gpKXSMFP#lQ!EJ}(EjlI3CN*Em)L4V&i&`4Vs?=6^MeHS((Srge1S5hhqwGAKh%s|yjMjvRnI|F z4SqgUR{ZU-@QLmgC{;IFUq?$T37|sr4JlajUs1M-s(cB;La_uL{5DTYl}e!Q*)3n{ z+Z4az$<_TFRp)+yBp^?}w;M4C^-V+A{msRZJ!|${x{bBbwrPm{wPpuk9Kvw!oo2mO z6~@ZDDmtqW?!n6DPr-&suH9(T*6xG}^Sz^Irlzc(OE(=Ygi01 zw}5XWP~@$2+W2X2A>JSf zt}|B|<9`gCW7~nSykPveG;aomI>n13k{c1E^46?ug0N-RUm8Y%UcVsBNL0^OP z*^>wK?>_oHK>}!Ra(ycUfdJD&W$o+-h4_X@0UNwTqGA8W8WIn!Z7(x32=zUSRmnTF zdB~Jpe`A|mkA?!#_Jrj6OO?+;{?#u*S4Q}6tzu5%S~gr6fB5!gQHe+?Oy-)GIfHVMfr=0PmPi8X_iP@BZhwFHF8QZc@1 zlUV;xH{#Go^|)SE(Yx;G@lznR8C+9bXq^K6gqEg`ME9OIPI)qViweK0xSV&)D&CWG z;z^o~i#*7=*GVKr#mKqSmfQa!Q@|7db{%C!$B|%UhcuSH^hvg8g%%%5B_$2>F5z4b 
zv2!P0=x$Edl3)rMK40wZ2j4|M>YadZ&7?z#%>_0ymIXFV`D8ndqYnNzLa_liXAR#u-yJ2`5oRgO#H*K@%L4&zG z{-IhH3n${s(~oWp35{_JU52IQm&pl%20qg?PY&BHVl zspS#P@qEmeG1$4HYaWuQh zX(h-u0Qb_#5k7j-`%ribd>I-&7Mt;b-8Fmq6O)0jOJxP=hRvVCB-@b7pJP)*8^3x- z@O$5hj>u?|X|FqIo!=(9TV|!eM!!w3>VN)tH=l=IXua!=er*AI z<6vVZ;k5cR{WJED3NO@O@yC)&OKr>ZXHrx9%DaZ{jIYuIx3Tk|(EmCQDiEW`)yy4~ zX(10+$CGgE1}VQ+q1x@2A{D_3d@(yq%h1s*|LYckgt5}%$(MglzKx653%XxtQ#8!r z(3$VHRXH?Dk+~w9K=jC-db3@A`KQKRx+RE3&&>CoommqNrxRNPKQ$I$b8iOJ`oZ?A zo2BF$c6sV^`^Rq@?}15l*NmwRn3_!iTh$}sy7wV)wo}Wxsm#X99GOVVoe%Rl*Qtpn zs+UWHlX!DKI5vuxAi*7`CE3FtyQdCE-ZMXQRQPq1z%?^Goci(UEu9(s&76B*h4~pT zbFS-_ELTW%LQMP_TqzcwlnGV`QB7sA}nlop|Ryp*4ME);ie{k+l(QRsTit| zL~^+=C4+H{8W2dkME|$fzBTnygf>~Wy6JBxAD?=KZhWj;i(1nM_&*Ns8zS+y`;IOs z^!Um5)&FPNCRZ9rU4KH&ZCEfl>C9Jfd%A1SYe~Rig8dd%Tk#kdFa@{y$6haJ>FV;P zBF%FXb@|rp@MFe`?945O1KHRB)AWDQ|0BL5gRQFajnB*#8>i6023e}qIOQ(c6H8ad zs^PiL=&>~u_^A!`4)}HAmD?xOr2+ey>P+WxU2p#NsyMR6OK)Dne1morUKRSq53nn* z-79s$H=z~i3DLUsPO1SxJHB?Sq5uZFsqk6!MFS~jM&6!kD_(3alBq&!`dUlQoiDQ$ zL5~FOi0;gh(v{aoo1>35r}nt9GNiPXKq1QkXkcmSn8rX`HQ=dP*DYKuv99|^Mu>|s zr&ZF5G0p<{{(Ri^MJMg6@{kW>#^(=)^=w`+5}UP3&Fyy7hmiu_M-fvEo?&JJXAzs* zhq*0J^FhX=nhlnK49=KQq)e3xGfkVhJ0AEfBtvH53IR<*UN6)ktq=7RIO9`4XUyT5 zfnj;Em^TmDTQYRK_OO6-z5?F`d`WJ@yJ{H3{b5=wh2?~Mx_Ky7aPV;DY?03KZ)vu| z-x0c^EGc5?=^OZl8L!*7o9?{mFi7Fj{*C@+=|35`huLK*{5VqrRj|G(P*(bW9wc*L zo8JBHLP0-)U|9?axG(Nr-0vze@$a@uX-eHUyIZUM%RMl z`0+oc7FMA@4s*Jy?p^GA8KZX)wW-V$a;p+htOOYcFgg5`XFA&%IBl7?0Q><+QD~S| zNwQi``~hzi1<$>h>8zd{Zt!djFxQ{w+4cY7htH80SO6W|B|!L@AiS~ zG?d1NlQ?lB77f$qs|jmh<@E>o!+?)5%U*}yvbjlfxn3pbHU{Qg-y7kdp6ggQwOzC| zxebB;JRuG{dYEFnCVcEUGWe|luu^V5@kB?<17i)K3v>OhZ>F+jL$qvb@}D3O@S&d{ zH>xrUy8jFe-dAir|8;pC{Q%EMn6^0{0)q0Cl-K=d(IM8(r;yspW1 zLEV+pS*WWuSY0QcYI^la(?%zq7gU)$QEW*6B;KQxGS!1S>FMkh3A-2&YUh820*8sYcY$$=9?MS$_IdLzVvA+Q32#mqaO~u zYu=`ymU~eNhq*So`yDc_^Es%49-L-nR&nQCYJ;Nq&k1vNY`ObAXffl zwePBxd_Cb6bzCqqR@3H%4ALy8am^d;oGx-#_Gqit$x)p22W^T>U}tKlD9Ty~cX~R} zh&FiWeUNP4@4VVR1o?YEDfPMeCZ@TO-)X-Yx`QzCqp3a0@k%sw(fL(URKLw};+XUF 
zBcu9#=Fa+9IU{N2<*a>qO=bLukBu`er?>}TS4!Jomf=h|;ziEnbOsyI3G~0=V&AO( zkX~mu2V-k&T;v`6+?`pKgp~3~>r32?cJP6c^-{mLYZNXSP-=#gdezJ7o~WGfNa>hx z`J9^P^yNr2Utet>d!L8mwk;aYvuWQ;!CWF^d&QYfyhXpUoph?fX6IpWq_^Xo#2yN* zL<$?G`nUQbVNLnhif(Q7!x5ay78y$|2f*T$)h&39RqHCUd%cb%6TH`YVNv4`&t^4X z!|UFEGQT`bTEg7L?;l3^cbxoS9$#2j#HHaS>vfS)Wy2QcUypA8+NfEF$rhRHK1CEa zfuho@t6hT4ZmhYPfV@K!()8iA4xM+Nz*aFyNWI8& zTi;Za#8ruu=+UzNsL;N5lz!xIPmHx!#F3%eSUs+p{CGCud<;nRchS2GzNdRY<;~Qq$8mXjgXy(4(M;$NS2$$!Om<6JXY!_^tsnKUz*Tc9jvl< z;f0+c*&g)c!QYo;o$ryOUsTVu3yz7ch;AADrtct7}q z`rB77EkFJ?hh22M%B->8bmPQJ&P*7#@KkFMN?)N~eem>-ULKg%y^si}TwslPR0I6Y4v*&KEHqtCk4=wInV+zfY5ibH*!m^B_%7HVYy3 zlWyybazRC}9%j$KBf)AxcUskHe-&DMW8>B}w-}bqH~&I6=jg-Y$Eh?sbh$d&-`s7L zKU8ywUVK>ms0e~yz%P1$0VK%$u_%3974Ya8-miB%ILtDo*Rl{-vAD;jrh0-I_1Bd} z_mmGVIOT%rE`1kW<#O4Tvlf=~eopABN5spMrO@DP z?&jvRQeF!0k5N_Jl5tS>Ue77#;U*>2%~(;~LG9~v5)7;|mZ#as>g}x2^UpB%M6vk% zI6F{x><4wwYxho3oaQt$H#MF`QKdwg#P0dXBzrZ!1LC12jNg zwiSQL5trNK+=Lzw$MdTxvQ$H_eDy ze;R$PK#zdp#A%YMU8w5%x2uK4>yF~|?2c>2i}F5P|D3le>?OsI+xsnlk4_t9o&4QHGpEV@ zLi1QqMMB5R%E_ZX$zX+F=!JjoFH^EIKd+|d(Tq$A#-rvi8ohwE!Xo}tb?vB~m-qxS z!y8AxfK;wkZfREo&lbtfZE^(UXWGHxrp?0Y`+HBY;&aza&M1)MSR*sX0%E!?vR1{8 zixWDpIHHIEn&gTID@e)p%R)QZ?zKU6wTiMfpM|Qx>YvG_?Ucbq4#6oq`pKFX7zi<9 z*@RwlhY8!$g&(H&leYVIb8Z8a>kg|s`v0w=ocJC6EVWbiDj@~nr|p*uHgZV>xXCOh z2Dw&B0@_yMtrr&%qlyt3I}>-uIeSmuTPsX!2Y=`N?pCm40eGJ008g7faHkL{3~P;SQun z0ZQjuPmIqyvpXMH)r4egYjR-t-rXi4t}zO3@;cPGb}CqNL^Ty;CoidI|E_^^je*4q z{pI=@dSe_utet^VZcs>Jo^&|!TGEz$^0BbtPjIk)Qb^_bRcBj@G`^|WiwX}HvBr?1 z6vfwQ5-+;D&su`$4v1D!QhYv$Ehi^S zuen+`PfrPph1zpWwpCnCs$M+FpBTUSAa~?c6eOcCT)lN_owuDLY_mGSmzP|B;=4VP zKc_~HV-k}QBb%hoL~*)yNy?bczn$Hy(hM4xD@{&|?OAfD{>1kt(657hSpUJ(e^R>N zAWm|Io|d;=^)z(ZU#b$k{Z=m6SX<0Hc4qLgcgKtZc8LI6um*w&=tt>#+W!b$Ps_(x zX0MhArN+Dw3ItTse8R89*dJk2^S%-WJ3~1{+tiYh+#}~)z?CRRKCr*}x-`LTZQxm2 zV6c-iZ-E#31@2!=O;XeZD`tN)jXs3w@I%U3F8g}xcbEFD!ETy?qKS--W!$}-fl}+N z4#hUTrL9SMfUoABBiv*9+tL2tJeP=fInBEq;&Y4*QNkxGhG{fYWP*O+pTE&xsd4I) 
z6cyR8G~;2#l2jM$^<93JKekk{UkH;a_?C9vs^5183tbhM?@xOZpYIfOq)tfCxcs|F z>iGrDzSY@VTXhcMA-up9zRQ>5tmL_&$pw$yq6_wau3<0Oe>#%?c2l3BXyNLvarvcS ze4S~aBWD;M%O~wxl>^4p?>(H|EfiMIHnQFiW_=fhuZC4v-ZI3&MqC|!C0dxekd#1F%rvlx&kx|^+!E6c zVtseF1!TIPtMMfQQ1&9e^w;q;0IC@@;d_O2lYvn4a%95K+-2O#5+i6f7*$zbxG4U( zL5=8Fk}+mdi1u~nHvyChz^Y9(JW}s-f}0+Ius-Xr9nESyGsE$6$2W?gH2ua$ddHebfL9wkVWm4A^X%f|LQ+8yn# zBHp1H_-Jx%kB7l(%#6k?Gy_XWw}2@wK1!>4adwMI;oeko5#bUUMkyCXDg7dA(`~I& z`xat};A>rZOjY)sx66(m^w6di#OfSH1kqWN8463{26pMt-MwmkS+@bVQ~BblF2)l` zNxy=J|6O4fTxTpa1$O?N4>+cD%==;Hv#zpi{7vk=sQ05h<=$iXWPI6>U`9rky~tJ@ z7XEi^ux-+Zg(vi7en>K3_y9RAN0z+of=Q8C&6~ngsiHEiQ2Dj9HafOg?ul=pZmJ!H z%_#8yP{E(Y1&QGYi)rMMf5pl2@yjSY&N4_QJqYMiZea5sV(?F(-K@*H3eP>pUW-8g zudT?#UgCy`%#-q;WRdzhRXU0I-4I=UFwU0vBpwi(o?!6|r>G(TscGfETvj6r=BS)FFExvaYQu?{R1h|5{^(HA95QAqk;94J6M9YUX8F zj2^J>&gylcH&*Q#ZEI`!+HvH?ZTGqM3Vp)Ay!9KduwqgOSyo0d!4$cp)6w?I{>pm1 zl>O1Lk`M3vB`pQgWOKmlWNyajVVxWN)uUvvWq(?t&s8ler$(1eQJ(V-f$;d11CTu_KKU zl~1nur}B)zbENhQREUl@_J%X+@t0l7{CS;onm0`r9bo)UFkL$`5VGGe|ZK=v&7UQ$J=CrlU z1Xaz;hC)05*WcgI2)-_^IxqHr~~x= z{%kV4)K9&Wl2vO#d8^MpNFL6_A;DB=Q99tYZj^QD;m$J#m%Ygm*GTVpqc^0Ml5f|& zr{^Zh_;@s~2nur#gcP8zO7ND*JP(J^B`kN^BRHb6t#Lcj>4&c)6J~ph%-9jKBq{+< zIJn$u66Rw=7#W~EW*Ys$`Zgaqon?b9y}ly^u{Ekhv)ouajk-O-F?O>~U*M z?(|F-snA@5JFyaRMa%;@2rOCssJII@PHW~6ebeya;?-Y>Vb^8}LZ1{WB{_GKTBuB9 zOuw++#Iutq5luurK+l&JyH=3~Sjp|^F-!#_vOLZnOM~R{$%D3f$~oXIK{kt;e&I(G ze>nzBLxG47-O5j7NJyLC;Pmv{x`l2j7ZDEJ84#UlILkM^{VFX5k z`U_g@zwcVrdo+uC1;V$U17l*ZIB;?ZV+2_!5<@iY2K1MYtnpa!#d0jG=fEI&Q23Yu z6A&zhJz;WP2>J{>YQ=;X9LPE6!0^%MftRBenp3|1)#DEL#lKJvn+pg`WXE7+RnskO zFmdn1OMFP)47{#CIfp6)npfXR=mS3IRZ22V$k>7;=7ouGCvxI#5#oSif=^g-;OoSq z#@C^+1-0LUMwOlb)tLYo)Pmakft@?S<9KX$`RrK~*mP$CU{2$)T|)z~GkDBCfPT=& z^hU_~o(cHT+ko>;WCslUOOL;vsq%Xbt_VReM9&O4d%kWy5-An;zX32Gix%-Jvg>plKq4M>0^KkqZ33FmwU3gS7R0R^1*86Xt?LgKGf5BT_>V$koA z1Mq?#^b=k{gppB_OI`u|>kZQ14H)PMlM}Fq%XTBEz4Vu^h!6Pkc~|`OD_4XH_>C)q zVt#PNe^dh|!0Dj56afCOEC%=tXu^4~1wlOLwV;6WUJHN<1SKfuuVSSOVnRfBpCw2`C}nztUiG9I*CWI^g}~d7=Lb 
zS*U<>aGfP^sF=SVkp53=@bs6N12o}$<^VxFSHz$Ke&dLsm>)9-2;zT_K|YcTkmt_1 z*YArM7)$5eYyFq$fDblqp{YCgR}lsk@KaI-W8tibLB;$~#QsSQp8YDs0zeba#SIk1 zb6yJy_+1eL#r%*u{t$zHj~7@mNMP6S6JEb9V%X<86fk#O`jsm};C|(b)HT0yMW}#Z zyCPJ~53cx+YH;CK`4eiwIj@C+c&>=Nt`{tyEW-6SDna#*~;vqJO*nh&5p8w&i`%?QCB zF0}i`{G}__{wjg`{&ETc1^mtxK`}qL;yUfVr%oqB8w$CugCdD}?ETpx>R9`fettH;97 z2C`km_=^pYhI{2_X}8k=wqbXW&Hpd9!a_*1Dh!(=$VTD=vSDMMNwYIy597h?zryjN zO$VhPxmd{-P)P1Jr$QNl=8Q2NCq>@HrLE=I`NTHGtD-s-{g*i08FlFUl>sBKih<~P z*g@jbNkVF_=5>{*r)XACJjtUFC;mvCM`&?D{bRA2R?62=$46s)uT44N%)K4)G8!gTlJ-|q1TcD^;Wa7eoHGiru(%a*s96-*BS z$NUQU zxjk_J=Yb6a&?p%H29<(!H5kxmfm3^*eQ)AvCB13MYJszySbe%=&7-#XI~A~D1a zWVxM7|4K6GKc5tsWIz%OxarCKY!c`3sBCQmYRo0zT>rT}seS=2XcSE01C@etHW<*# zfMjqM$skPMBl!>PY`Im!Bk%PSYQHN7hChc3=pJmph*8w@;R4EsiGw%iJ@>2}5dKsS z{?mIl{~`=PqhQJbs1&TL{S4aoasaCQJ&^yv&bOwf4oUDoqxPF}KzH78aev`N2)X={3JeMaVxn(SLeRMW8W&EeD`cFy#PL3bq`;fcCF)0IK}G9Q=Wuj9u{~A(wyN z^f%?;>-lyEN`e8`^nAAfCBcNjt>2visLXdS`UM-51e4c@&i7a#2^L+n^Iim!V9Nmv z9$>tKB-nCr@qD;I%K_Bf@8#eR*bEO$9Fh=!76){tB|RS`lb6HGfXeW%UVZ+;&+!5t z{l)V^3Z=oMQ*Z-VM}pZD>;R!QK)3l`5U!mE?(Q$}1!*u<*$F&nnA3vNejX&Ye$hBX zX)x0ZXg!R>{R$CiZv<}h!({c}n`*?qJbH`gYlmArTh9+>L`xP`X3rR80A{o(4*h+w zMUVwj@u45p>*4td^sr8%PQc_h8d7*RT?s~k*FS}HC57gUQHDbj(8_`$&W7CLKNEMz zp-@R-`okOvZdl&hrno8w3{E{fuZz#-D>LZzj}s!WA%My@P%imF5ob-_%pZy~{WEb_ zEdg!5{s0}gp&iiAi~>WOafSn>aM`APKe?`S(ZDGu=RC zzI)NXKf!|2Dr}Ou2EYT;Jb)zFIDo<9&+iYM-97>l_}ci4!2S>rHRnPX)R_*WFGx@*MZJj}F+^N5+n}){i;0Pdd<7 z-42(>s!#VGAFdBsyY3y0cg>;$^giv=MMl2kwUf;X=D4bps?pQcxKWp*ov5+X7Kb75 zOzjWc>l_48DUKyHB4IXpZ+gm?gtv+tc)#Bfa(mtLyKIL=^+Y>pZOFvdRnN4LL zJL)>@AgelDTRrkDKRsoh<=@!8blf7exqY-yeOlpqlIC{u<>aV?Y}9S_1isql^w|-y zo5jx2BKz2B>(R*~S$(zZZrSnjHvj3xsSf^=wqUoTt&Y>hk;b?xzO8V#oM*c-aVJM( zM~&!iClq5xUn<=8H{(Ww0sTWx>c(7-o$Fsu61cghcXphj>}_@&kR3~$9Ih>P9g@`? 
zy6ul|9+J5o9gMMQ%Q$G3nCBd7pLC72wrC&C25X-z@B^r7A8!D^IvPV&I6@vjz#VPU z9v`wEiPIweHml%r_sBc<^fdE$uWiijVE&NV?EsmfGH8R}OZzmqk(s!;uPLP?&NYJX zcypKk)XR1M#quGU>p_9rad!1#-QgnQY)2fwi)!_-5>q*$j(QUV* zwaM@Ur6<*g%gk=qT#x*#j~1&@t4|KxHnt6)xCND-%$&rL?X5dh?@#u{ZErTBkDUr0 z#+`0))+{gb)AOAk)b;VWj=GK=Zy3*<_=s-$eB+y#b&J(P_dO9TpSe+a`sxcWMpy@o;&i}{+eRv=L>ar)#X?^_N z$FpO13OQGfD7<%?V%(;`Xq9btkPNaroWuw^&wd-@Ds;Gd663yayEMjC3|{I(ssHum z9LO64<((TV<8-TATOBR|35PrFoz=Euqg)3LD?>b@r|mAzvjB(nD#&PFUR=1&Bj-5egg@-P(JjN z7_#LU#MAcRopyJ(SyAWNkJX!rAj^K|s3Q>{rJR?&Y3Z#c)iHsmH!ssCj$$%aVuD9$JCl?lG) zVXd%F>gqTpB`$I}4ecBva)dlXguM*wG5GaSKq2GyR96@CJN|1|Zi4e8~qO)C0bB0}!SGU$y}V@Q`Ni0SMoKufV|e zjsvrm^?@plgrRYy5{;Rmak&zWpP})f5>19-_);vnm35>X%>r=QM{8w0C`UtQWPBh; zBViQ2R9U|)CAuKgxg_~uL8xa*Qf5JDU`bM8L1<)2Qe{DCe5pY5J;0*9AT+-uslOn! zyd-J7Ahf$cAar3_(s@A$VOf%MK?rHtPZR0WvK0S< z5azO^;DQkDvLvt*;j&+4MxMtu~am(qun<~f97JO99lvW(jsR*Ne|Iwaa&e(lfIpNFYp=_Z< zv|@E%31W*9tQd}dD=G=gyb+1QL4Yx>2w?0qcb`|jzcr{+u7pv^5n+WZl#7<4j_^n1 z{@EFTyTo|5etCJ*cEMNn5H-e$uA5IZH5Rp~C!M5cd?1UW%_x77KmmKN4H_hU* z6=eJ)XBS^O>2>q!<9910&Tv&+cd}&Z7zFn;^#WCi)CEUTg=HROhMBtnLgX9^)YEbJ+4j(OI$y~IAzRO+a?tr>m zgZ~T3QlNq&Pz5`o3f_Y1{eP64I9CM7rggFeWcz6mOXUVaxBSnM4_(rL9S&oFwP9#C z!Eb12RYYlQ$GnZ8?iwLK*Igd#ZFpDXv_R=wRW-~ntS zcm1@YBprei`l!1`0CYe9SL6b>DxqAdov?RMZs$(((D{{0=zFxb1`W!cnL&Y-_>~-x zl~I3C?5c3CR7%C}|9*CD6*?!&f?NjNN{)fPw*VwoxlFhv)s!=qKTihy<6`WaeV zX4-}sT03Ui#u-|BX4We%{v2OjM_S2VCS2)KZSlOnLzGNEv4a6yG}|# zLCssfT2WH?QlJgOp@8=P7syqsA;88}o6vO^Soe3@MJ9H3T>JrDcVeJxC3GDD*A#y0 z?aMOYiU(b(p(_V;6@jkG(A5ZB_w8k7b{5d$B;6zz7{L`ZlngXv)o^k91Woh05W#PAhTL^<&*qtM@f#kwgkeiVm zW@o5E^UFXl?Ci|^*!jQI@;A!=hRhrOU3o_)=)S+!a>;ofKxwH0x*kGTo&}KN46atI z8T3}xV=5{DC}XP7RUNu&f@`@62on<&J%6KZqlOejGLZxH5ukLf_RCkPi_G zoI8~JBM8W{4)`8>7VxNfB2FTNb4j6o@C$a=cE7ozzupS^4#kK=~!(D!`C_ z85h8)QkNC~(#qp0D9-?trwinf)Q1|F55?ml6s;@}k6XP7e5H-xS`J-5H1aa5bvN!t zXsLH2?t!Z)boGX=jo>Pj>+-L4%6mUzC^LAIwX*mFU+T6~e{l6-8~W3US~YW3m9koDM6NgVp-IJ(=j<5}i7*S%?em&)TYmxGPzF8->Mh2Yh(njX 
z{6~w2W3GqWPQX2}G`HieZC$cdGQOiDNM`U!NXw!W#C5wPj_A6Nf%5Hzy`NJuPpDC&(nYlBvTrg88bC2c_NXOa9lxfQNKD zGs9JFmCG90&(Aan^=o2ni;==zYIlh_w02V|vnaf|tfsQ#ol4HU+(_0ZrEr`}nLn?F z`?ZQajBY$EIUQx7rpqZzkcCwTFY{gd2$Z7f1g z?-q5X3iK4Ee^Pr(_-s`|k-9Hkx%lv+8!O?_j&>}OQaIb`x;MWunOoLrwC3@iU@cLy z5*%Zf6#AS31^y1j$tzX!u!mxM!Oh16w?w`jj;NOiSQ?C$$5BYeq(>6?aqY%m$$ML* zF>Y&SmRmM?Q!<_CxUJ)rWoC0X+KYKFo|Kp<8_R3DQWM-yR`K9eIa6YLnj?#)!W@pCC7X&>>xdsOJyyu+=~M2b!)D#xpX!2$X`IpAri_!9Y2I(IyoP`C-BQ^%qNdo*)lf%)mJxYGuXQBz1)rvi)HW#TueGz!u3 zCU7w_M8!wqY=w-|wRy{RU2{TPn7WKMC5`Lo8Q z!JD=Ff|lyGUIwjlpGQxpypyCGD5ghsbrqz|H63R)?pWDs&NZ~#H+1}ccgl&|DvY@`C;ZP>7Bl#JGPNg9N28^u~>}es=e~B*da7pjrvJSaOXM0$p;VM9h5YjyL^ayx zUxOXnUUAFh??Y@CiLPY~EAk=U$Gy{+WcjGg7o#ysQh0H$jaI~1(~h?7iKH~VvmXgc zBz&_kD_MKhmq3w=q7kB|^d$jNw;O!KOroDI9#^gM?xQD@F@nP`sgBL-&y%|I$+DdiFie)%DNM6DN-+0(cb-(3}+4tT; zh`}a~$r+)f#MPtQRr~xwwXTF&De#?VTk`W&dw#@N1zKid;gOdk_sg2vkZsF}FZIGN z4{NrYJP>=)j)`(7`u>uUVi>Vz)K|-pO^=t)Zu&XhZwlAT#rJ6Stz8+eg4|46xoFHW z|KZw*i!+?FviU|~<#au9HMW7YofXL)59Y5oMof+#GN4Y6e3H=)TS4iz3kh#TFOH=2(oLHgqdh|6=hq(Q=hZY0!0RQqX1wi*lz=ar{!}0`zIwB7 zfwp0NJRdkGYdPHY>) zxb}t1En2!=G+(E;e)45=P-`_fp)FB<^=3YZ-q5M&csqy@lc>*zeAGar9Fth6T))Lc zx~>k=Y7pZqqFSyKj$JmO9j9MB*yraLJM?<)&g1Al(MI2~r9^jqt8^8n3j@;dD>w|& z46|VtKF-op({R*#AMA9N@SZ;CjB~|ucrzeB8{%2J8@<=;TQ+nvDAs^b7K3a3t&7hM z*TUzO+KRWG%;y8AVzHIDkWKq#yzW#k+cM*SU9dCOy4fGS*W&xB9Ghe8KtNAh;Hc{e zeJ>kFURrUcTO6}C*5rn`X2u`_g2TE#p-j(A*%t&N^%f$&aW1)2uGy~lQc?pdyC3Fd z6r%9(N;HYPp3B`-p^D`)4d`yYE4aWup8Y7o!?_=^_Oadtd<1{a+4~uU=k!mNw3@s*A>7xU|M?M#@zr)F-?`{8_ioii5Hb z-TP(}?)_ckQOdcnnNUu~$UzkpO{3?1?TSd%7gGv8XFnflYJi)T^0@MDrG?hx1JV~O z*__~#NwZJStdOr+6R}S?q|nOZWmV_N*YxIP)f-2=+H4B$F)%}_pq7=^=GFx!epB9( zy!XA-=3Nokp=6z(+4MDS%5C86;~Ec?+-BOIT+tVLi~T;4c?V?@&PXC@e*Fa*)dG8T zcm&dO?Z73HlMl93T`y_K2(aEgHuxI(;R!u1gE*3rC|WVjLzRao2w(Eyv#_a?o^Pb^ zSK`Wlrq)C$eXxipnf=n^)2p?)8z^X}8QtPdItAiuN_h7czj;M}%*mAd!qQUcpovT$ zj;#OMkQ&d7k#q2y+&7rq=oThlTKt>$BIXZYXbwV+R>Lnr1(x%k5*~pBhkYr 
zcphbDufMYX*fh4%YGND3kZc*LmV$m_LQ;lsG_}M1UhmBXj2!d9H)oFb*a<`1$(D4awo41y}@lkIgT5Cq`Rx#G;-meuq-!6>07 zxgODj!JE#sJTx6ZKKX(_Wg(*%uj`UwF>a`HF~9PN=HT?6iCd_a+fz3;|FUZ|h|>$l z$^BnCD>!oG4SEc3~LRJKZo0+ zOT~-i?}l6AUfpoy>Lqu$-L*w-*c9AwgqKp@lp0>%T(_d7WSeK+TL6(-(P7QGkA>_; z*K5#8|1y5kq;R-Gh^OOXsMz7w!d*e*&dw-;Dk5VuyrxG%8@SR51)ABJZ|Ss4olf8O z%Xur|(@vzd(?(YSe-g-h+rF4l_h_Fxe1MreQfJ#d?agh91*afw*Q9a3^PPa3t=DIQ z>`Qg>iL^mTbbb@&=0v9M`=(LtCS}!8`ZK-rnB!@ZZnZefaF9y&xSvuT*r}S**G54 z3BoSf<;J{PqLizygHXF43g@}Cj*K;?J|W=WORlz9i(PKP>SC0;`&vlVn#O(e1rNPU6ca#VKfkp&AjAAw}vcs67*PIrFE4TfTbM>_LNT zqBPkYe2fnbZ#axthCK=s`W!q)64YAWb7iV%)agdo``1;u4?mYSPRl%E?HF<6 zgHH0Xborvw2gD%3RS2Y!!8L zla~A>EmkQLA>2*HB)x^=IE@*8(W-)_zi0cll}Kvil%Cl)8c7C3z7CYVZy8~Ehi{E0 z{Xc!1pndqQ&g}-AdnRes$A*4QRNPu^W)pi>-Bsh9jr;Fy1gMACD>j1K@2h^jYD%2I zKK4wn;kbjp%Rh#!V_oafrg}0jy>jH&t_D-^(o=zN zSsk}jNRn$sIrj?l%y2Oujng9W!P_b0PT>k-u2m86A?=TUc1%GNJYK~YEXPqN`XpT| z-am&(Q}*E4K)Jb}$KK9l^BXhmo4!E%mw8ypD?qJA^s>$fAZ0m#xRbiND~ocJI5JwxvcCmMv>`WLZ4O;Qq+`!rvy!kQdDTzAhW#=G{?<@G zA(7smNOwR(4LiKs0#oVHTneKuV?Ba}Dw0ICeeWgu&vUlakV_3wG0{Pi#dAxxSRy96 zy;Z8JLJG~9{z$@&PD33&jM|bHBI^qtXLOL?`}1*_s&rfZvstVd(i38S(}_9YRhr-{&+9Oyz4 z?QWh3J1W|RAMyo2cGEp>V;?1S6|%ZvAXXz;jO;%25JrWgnZbSBV)wf1>OyH=qq;y) zp00FIN4to&P<)=q7~d?O6LxDhx}{wJs^~=~wU~77_S9Ml&&bPz#5Z(x(`*pF;4-<( zgpEdAz8XxlUE*Ks_?GG*QiV^vg)7t+my^NzW%qWS{G>>l0p@)bW@^DoGNOkqsSOcF z_k%Zbu)d9^Jn58-_*Bql$oN*mFrrCN1db_1xQ*jZ zo9}d;x%vY=8`fn(`;sElXBpkODY|{ExIAk zAYAx8|#ZzlxVmszAQ=dmD57-R1k(-b{yxF5D zzu<(%Z)A4Of3qB0lNINiYnWV!rM@4nTCHs4p_0gT(aMOT7kAxBF1Xe&l~G{4wzUfq zcT6~)xvuKvVpL8Ps=C)-wu{0a>2Ry_*5K1g+P%sy>8^MZy}g_=I44A7zOhGTq*5FK zFHKpuaRSS-zECx{J33?>;&r~;%u;Ojq{F+1SCe$XVX`7=8~h8U zoF1V>zLl=YnS+I4!f1|t%xxoLd{)AGvyCLXdHOE}Y20R3U+-18lL-&IbGBI!lcPMi z*?U=;GsnycZ8Oo``5tSv#;h5+Gk>!{wjJx1;PrJIJ&&r85bhCc4*SnGZ*a$kzTmDf z>EEw#9SC}|njO(J8QQd;&$U479)_arDQ+y6ZIE-vEP%}GsTMVjsOoy9OK}E^{O;7X zCqXi9o*s?C2AB-alzV08yN_h~6#1HS;798saUu*Jkt`mD$ zO-y3Lu$P~rf>ltZmnL$p=OQ5Cf3+&_6^WSJ2-)t`1Eq<5wOhlr(&-pRQz?01v 
zq7bce=M1Fr%QiX$8-=VLlH4DsPrfYTM(8`-57L`6Akb8P z8Z7!2>%-Pn{}Utc)1ZFG>IWu%&AKzRH7Cm6ugTD;?313C4S9$?Ke|KxGkq3h`8>!p95>NQvL%ek6YUxYU=+S+*9+NBAo2fT~8Tj!umZ-IDAK&JfJ465Py`>)g^?FhjL z&sql%BN9ll(ID)K?xK=D$#tF<0&25%$fpgtQm%z2_{eJAI*2u2DL<}J-0ydI zytJgXK(wb7OJf63-HqEzpJ=oRN>u-NIuWv-$dc<35dV#PI)!gylqzI{f}+AZI!9!I z*UY!zCj3&9r)diVlhYkz+MW~Vw%KH{7OnIz%!1dK{ZW$cE+ED{JK3)OG$t8D_t^ez zWI6eT^~oC@`JoLL>PBB(&)=kAXsqPE;VPgv(Wnum|2psUtqQBg_I-VR$K9#M7>nkC zg-*W0sXJ>FcS9dP@;VkX@u;s0o*{`-`IchOQT96OO|gxtcviK=vb-!IU4dJPWq7>e zp+V$vs~(pPRn%=?FS1=i=P!b#JxWIo>Qx zZwX8_x&*CqX6z8^yH4JSUr*!+wSee4%v%P3T;w73PL_u*$mOM=Ea{i%{A*o|o$PBPTFeB;Qlc_iXSPL_()d2zXn#`G}J zkfON=hdepB+~l3id+6y5Pj`p$;I18T1&fiyNR$_jzk34&7i} z@@-!ZE1S^A!seIGFB!mhnx_2tocSOz;L@jvhg)+jsSA%QaUpV=zE4jhH~YnI%sAAh zYI5DQ$J!zOMqbMPayr9o>&t8G&$67AablVXpD?j5=@)eB3?_S_<;SI=2C-ma>PNnC z89%lk4=}xlP3)|f#^QR!Yh|N|SfHfX*Ucp;wLbZUWtG|UraIx0rJ%s1C^z*-nr%vy z)Y*s(`QAaw7JhOSl3pA-0xZnd!ky7l9A1dE3ri|2$^oW$WcMN}3_MRDFfx1CLVvg*V|P{-f^um_F zU>l*CesHJMR*VxD4Hk~}U}4nl=S+_+KP9|1EVuvKd(ug%4zHZUg#q+?aunqJglDCD00>rM)*HqZZU%z;C7C=d&e| zOm!`NmHwQWsqho^KvllCGZj<(i}!&FEK|gs zSl1%=_NVIg+TA&bnI~8DN@8z6j8bd3l@`U`?H4OSo>)<^SUjx}&KF2u7sJN<@FMn-#-4 z$M=Hp__<4nCkGt)n63v`y|}affqmjq6?I#3Jtakd)d)84#!xzT!@&a$PcA{jx%u&N zl(ky^b?jE(HiU;ReckU+U+r04ee_-#w^t}M;!bDjJ0n!~OTYcWd4s{8r`#xQ zJ%F)#i0+6&-jmI5{psH0j4t`|U>n~Mm51e!7hzn1B^4UEH(ZMG(;t!IPl@` z2X_cMv&_40aWS?(YLn%4BI{EnWzHqc5UIw&5-gj;7n~3c)A*!dvD|eLE=zpUU;p7oDr8L8Y4)0~mt25Vpy~&(?=6yytlh%lkLdg=Fy0H{W z%&e^vHOF=x(L2YrTrNuz&no-JDtUcvMf_Gy6!iJY7+-H~HP_o)?dqmN>Ba7%zo@^os2M{3`FNnz-1Nqy8py;j~=U zbQUt+H4TRq2|cz=j^@vGvU+7Q!|Dl}BRx6O9O4(UZt75cmO98|k?G{)^V(<@twYmR zUrx}!$@Gvj{DHjba%6m|4dSDaC}A-O!S=#D`>y@Mvth#gSIVh+vlLSpYl*jn?DUA* zy^c*1Z4}Dhc`SCMDyy?rMJy&ul$hoi-8e~M%Qtxv8{%+BFlO4Sd$J(%W3x>r9&sx|f#O z?YKgOvZd>Pa_3E^+CJ(|-KWs0hwGE({rslU2iRY{Yb>!2jA)VSRObp-jk!^l!zH@r z4DoNgtW3H<5qa&hboa{b@BpHN=4HmP_gG(Y2$Ao-Cnk5*2pz##*U#+8d0%QoE9GKW zRkz}6^o-H=SPE@`c`AvuJ9Bh1AOYi5dk^yBTXxh1PW>@!`FTAPUBQWIQS#k2>8!~S 
z6?dzYE6cUz0%<;@TYabqIdK)<+lw_Nl`%?1HXIz({Ep@d(zk8vF%gh$TK6#9D{(_! z?7wS?=X|tutx;CcS&#qP{Lzq%EBX6YWQ5XY22^+?2pQpU#j&AMy!(`ChRuA=tF=AM zvg149pLMTx_=~dP3|8sX5(#>)IGG%Wf6G+%=w4St6Py~AcsVKhfk~U*zD>4;*jq<# zaqDC4&7c^eg_Ha5^qs}CK6ZxrUCu0Pp^d{Ays+kyN&e;mNmCU%Zy<0>B{DGM{*GC3 z!p+Nqs%w4By+F)iNc(T<7G}G-Z>#rNb4++miN?oT&#=EaUBSWXlbC4({##^d%u9R{ z{z{*TeljzPzJZvHdAVaEc^Aez7VU znwM^8i66Q53SO|%YSv4bdFd*DR6Hf+GajvayJw`_!(02DCyK2)#_8@5VV(>^iD&%b zI9pX0_bex)Nv%WLc5>b^P%Laa?eHU2>AqqT)w*x{%!_UU(J2ruj4O)E*N1G~G3?m? z#yS^^oI*;*gNG+Bp?#1iWmpeNEL<{Wv2ODd+3{i&y*&NYLBlVwrPj2ENnS0Q@~EB8 zVWyj|i(|c`vTT{N{V9Z8nfqG?PIlmn3>9n&Y8UIO z)%AUL?iS1ks=Ch8%t{V@3mJWHepP!Vd{BD>aCO*?P{=uz> z<(ETm=q*GW)QPTYJom~AY9SnOe4=O%;Wj+4gJ8;rkt=&$-#{K#7H)%xR+No$n zR|T`53f2+VPpWY}C>BX2E)KXyJ@c`m_oCr${Xpf^(?{e+^-nL|e+m4bdIL$JG4{6t zEwZ1ErVbF_D5TvIaP`Q1BW1lhFyrK?Htkww9aAGbSqM^Rj9Vw-?s* z#z*Qa^K#)3$3i{LWJ+YOq~`TgL-lght5I9Q^@0`8<8oPqPwyMPuD8G0`{r|oYbsj0 z&qvv$A;$QO&PM@5(bsfc?GP^PUEk6gEv(TFE#hK~u94Lk3d>xO?_pve{Or7>&E3ah zL|f`|Yxv9UmLe;^u(oO>m8-l4hI=V1rQ+XEF6|I|)ec{2MQqbKWQxhU;QNv+<{nOF z25yy*c6f0}A;p4MJX3L0kVr4>2VFY3TISq<8=llw1ZKKGpNd?}!}oYInhWd&6<=0C#oLW$l?>_?<>1n z)~hRG*7I;Ull7U-?HSzK9B=#m%Su-g78Ay7B%WsS41LS)FhTs$}bE!`^hwdBsO>wJWpGYhEQjTEi%{ABZd`A)zUY z7qsI<{gmYJ!ak&IIO!3x_b`FYqE0fo3&BHXMM~F;DJwQcohn1?_SM1%`&;U045l>r z_oxYnS>8m93J25N3b>cD?tEO&N5-U$H346D7k576Numm?jD(GkW*L$&mo~25RkmuB z^cf3sd)6{D?=?*p(IT!l!n{{CUiiw^MM`NnnooR4bY$udEpB(ZuDfBtxtAl(jgj@u zOWL?XH%)d#Dc>XdLlQIJ^G|oC=7ooBQ4!J}*QSUc&LwmhNDU&B;3igNBP60J3L5Xm@#hmRcqOpGxq?oI9Uw2FH-Bh0Rbc1 zba6`Fvd^}!)+j03uLxX*FpFKXIHoY}K#*B^Ua_lZo&XeB6q*jQ#g-ewJxtFDku-Hp zz1$GFr8U)-)?Bgf%FuNRzt%4?4SM|%PX7&pIQh3mq#z5V_ZI3BPpjc5>MogCz0JeO zW)D>=6M>IFV7hdwn3f|rF)L1Hqd6x+YpngmaSu4*==;jtg^t(-mc1#xV_)!cgcw_J zV`4wbLGWdtXcTohQ|hi!qL+?1WVkUoi-@*fk-=MMpyf5KM+rpqN+`{J;YViJznyCU z$@g}8F875%VsIxmk05`U*sHmaX|l5-3dOKbfJyQ}!G)l~_t@(~nrapphNAQ8BUEx} zDfU}poyU)@2{JmHEfN`l?+CknLRKZ2$)fuTX_R|{r@AETPNAdX(=4E$c5~5+N+wlM zk>V2EOJ$78{-#BK(BcNXLJ~- 
zm5X|e)qx_%j>9v89hYOKG*^rfvvKWN>LDSfa65^xOk50VgKSH;XZy9KFC|S6HeZQ7 zmG=p6emML{k;w&D16ABBcaf`;nf@Wia&1b{&IF#OQ3;Ahs8D#A&b)0pu4tv)rE#I5 zyKQ${_NpTa=Q5?6llSV#IWrw{5(?ANtWZ`ZJjYnw;xsB{X8Jx)s->Fezo^4YF8=6e zwkc^6k`wr``GU5Z|9cT9t~(jtwL&hIQWsg41c!=vg$eIgGkWxWX(22VTua0^o5VeN zf_Lp84nx16UGV}bz73P)T{8!v#PQFp8W)0iAZ%e}@6@S#8$_~h#|}@ZUeoX*igH#K zO<}Zng7yrb>o%(Jt%~H{87W53I)Q|5pK*dhRC4X7OCDhn$$WkECfr#tT;t%C(Tg<%?H88*?+=Syb#5`Z;P8w#weDwYVt!Lo%!PP}q%KUi|%`zm9!8)^x zqjosnT$Or6*kBc=URt_ACulm$#JU9aTm6cyMdo`VW7TcJEZ@CHRbJegveUGPlBehU zCJMLRsv)5*0^@%Qt`@pFb7v4Ty2C);wFS?gv{c_(xGn~uI0)sA8#I3kh)0l84&Pp? z94ExPAC`XmlE$T}2o|q~whYlLY9znzP8Y3opc6D)fXcG+VP(h~V$S@WG9={o_i9uYA z%T&tyn+e%@N5H`)gLtlB8wtwfW->(u)!&@d-lY+7=4X73e&gqzrc}M|NWZzi%yEs^ z^4`6NCvyd7=6*(yxr`&sS;lT+xBq;Y%G~(vZAx|C0s&OgjFb&Pj|=FFgpw!Tk~?MP zi@ca(P(ju8#Tq5uso~(9oD3U9onWKbh?{Ukq>W%0K1Xt>9;1? z77u@qt+h(fuXy6b*dv(XiZ+qYHNCU5gM`CGsTP8yZ{Qmg8|Mid0Ma1y+`cMNXMmXw zW$g5Jz8y7?y>}_3&@}r)K_WDuH}bA+Ti3pj zk4ngo+Fu7~oPV}|Jkm2X7Lz@EY?ZSk>BeB3#5C&@{zbHXmBjh$yW=E%ud}xCMxe53 zIj)Br9y=gKpDs{0EX|f1SuHbul3i!P$l*5*c1aVYI6O?uPi=78^D2_A?Y{p(PFeQZSp3`PnsUvb?&0jX#0btw+sY00)*Pm zNc1MLP)U_T&z7&RNVI~VBT+=PR(o9>4BjkRtBJpH1Zg){f`<`$d-HM-u)z*>wKCnJWZfw-FgssqNvOT@v$MIQgPy0KQ8 zYzIUfR=hGAxgE}8q?No!J9p?s2hV_PHD%dh9cWXM7kG82aX0kzv}<_=u_k~zdn#?$ z1HGj2y=nWn%a=8ESjKJO?fUHY1%_EUAn$6B>*zj%w=tK&c7`+Scs7fOiyQ74Pqk38 zJH4mcDmD8W6sIz~TyjysdrZQHyBfYWJrL607_G_JpDBUZfZr$gO*!_rWqu4}=37wX z0||B7%Z_@rPJ&O#uYMNJ$f1qz56^?|MYt72_-uH4{+~ChY|7m!6*6&_2n)Q_W+Pf72@+%J2JB9hMo{*0O#{H5ts2MTnrXzjE)pIoJ^4PRYFI zow^AdZpb|3V68{iehd4|!F-T$|1}{`BO`bD;=;3iu)cf0249P~`{L?LI|-L}zzDn< za2cmsm|tCF(2kRR5ek|xtHUgaA#{8JKdXBr^CP>i=J$Y*7>fYY2}PLZOuBRd*M($; zYV0yZaH{N#crj<{4B)Sj$D=cqAoro)V$}m?{&fDY^dZTFWb&Hw9 zS!^C)=?TX-5~yY7;WYe%;Mu=ctfNG7R|!Z0q5MmQ(^zvt{jxnTv6bcyh#vdd5|F=D zsFkb8ar!gfrYzx3ZCXhCZAz*-#JTCE&X*i$iv)p>bl^%=x-AZI`8ko{j@D@h4*#}m z2N9s9`4ZzF7d{Z)Zus&LOhHCuTVGv&9W^BuH-8{-f@GOBmk>*Lt>(Sy6Pt9^CYIga zk+dpch0fFIu4G7uew*$k6~5S^R~fSaPP!EE3J^H?6IZ_{Vf3DQBv-B9m5wxY{*v-@ zU5KIISfXQo0%Iy-q`fiOJy$Nw 
z-xw+25C!!(r5fO7*_f7EEu>DmHzJuR>%&pw! zQWn>QT#a+1Y7|UeCuH>2HT#)KXp6HuV+-Ab^oA9L1?MPO(!Y3nmMB7EWG}`#!y8ny zIv7oFq;Mg4aljSRu#n8@9bm1MS~K*s_=VILdFSFhSKmW|h!1PQze$w+JiJOYmWtcH zte46(r3Y5K^%kSojaAB}*-)gsrao_co;N6Tsqo9NF3B9Urt)>l-e9z|S#9lWOO8?I zFHlZW3#tN4oR}MRkZMr}pqfpSo$LE|r(;WNg*U@n;{`?~ftJ>!-J9CN9c6@_CBY;@ ziyxn1$h$9g5DQBgq=lY;^oF60f;3@e-fY0i-;-dnz4FR8xc(}w@9hJ&Z_kkvZx0Wd z-=A)-1YfTgI^W2pZEK#cUthHuYR3$AY$ z4hCk+I8^}+f8H(xPSDHv#l;Nwh@3C3!E8B_eT5dkoRC_5ZhNpj!MQE{+<^9`n6Uc9 zP+){VyY+PXIlcn`LC5#0C789bYOU41l*5-j+E&l9!si7+AhHz~_EMScC~$~2)-yh< zi{bI;2hIS%<``KoV)$i@-iy^B)bW&gbL9^7dm-+}(po>TxL6?e7lz~WXwi>(=CX)@ zG*Kaj0?~F(S`ET8fz@2r^!x7TRqALr5(SKdRJ=A6{|GYJ6hit(q%7|095dfDY@w-{Jne$U-;Lk!(8K^nHDSdEaP z{YNk3*3}UzUl1{<2QyIkZ+FtP;5e zDrNuFuR*7syn(=`<LUV`mH)An*3(Kkxs0DKLYROQ0qMSHGw&nerCFa2F zmg3AHtU^LRaXbuJwx*clx7jdouV%Xh1^l6T4|Lcv`>)nouz$^N#r>QKqOd7wq{+srY!u4ZqeMD zq)gKChCElD*_bx^zXJQ&7@V?2c)%#~xq z6xEq(M+!useu?N5{yGDHC38OOJ7&8Lp5{vc2Q+Uqp?v zg02uJAmGHGY`qf{QANQ(hx^PjzDJTXPWhufb}=6wq8q72v{D>&h?4tZ@l5CM4<@)4 ztSGKl`Fh5QS-!pOl<4g;xN>;ThE$#m4E-|N?tATFQnL{R^2-=;DF@aEg|(>}tI?`O zEW4*Ese3RlfutA+#iC9iU+(c^HAKQ_H%ub~#zUS1f7S?_IX-LtB#J4*Qto^Sq}Bd; zYHX?>w18h5Vk7G~s5Imez&zuih67(mpOVOgaY{f6*DeQb>Yj+J!3`C0E|BRF5VVv_ z)=rBM*oNFy|6a{TwmQI0K`P9=Ye1@4-JKK`VhzGvV8jjC2Uz=RGHx`tS}%m@CrSs( zwXRBUR9$Gns|Ptdyu1xx9tD^ts94f<2CK z3AG$w($hC=&NH&TZ?egkE*!r*(YOoNCiNL6jJx6FyL!L9l_%W1q)yieAY+RX01fjA zn&xq}&8s){U@6UlMl-HqR$1ek2s|7-J31U9B9Q3Z%vV`wo4w1~ha)%Jl!I$Lf<)#k z*)5*AevU|~7zzUVoheAy4XKj()(lqTu^)lA6%vQq8wPR><9A~d%aC7yV_j}^mO=!Sg{W^3J^p5^cDKO{6N)(z@*C_7nx@}qN zKQ#}6Ev7UeB}46gI5$y{lmw*1Yd%)1v)InNiZZr5TVW+>8|8a{GtL==d1Q7!c!quSJ=2K-bY?0by>dExKVFP3YJ3D!%w|6!gU@Gt zhH1Hp`}SF3oJ%wuG?R+%iMQ2UDa^V)rOHFT^J?6)J^@%hlm(#rn#z*w3|8tp%y66@ zB#>8MnW$5SZ$orY;~|zw^efp#%;K$FE^4`aGpeDNk=KYmP9tn|AF}+=2!67Q1&;0% zMl2{E%b&&p6|pDP>*Dd=z;6MaBehk^qX&3Z&3=Er$XT9uU${hDltWY}mi zN$&*0mPzgevP*5bE3qHru-{#c28IL+XD31m`rXA4Yf<|{5hW3#JafzfnBw@q4*@o% zixYJkW$W@8-5+k{4GHs-AmXw~9;sz~C3{fhiMrd#EAI8~(L}?qV`pB#Yep4?U+%7( 
zSZ5Ul*=u7>_;{QL6hFUsM%5nf$+0WXRKN$(9Gk5+_cDh^O-!3~m{C=F!*L7I>uyvK z$zYf^FwH6mnm8Mn=QGX93qtVWkjIK(b{e#{z%*lz)6y!ErQn4%_6=^+HE7_aHTM6$ zHMTO{Hzau!CR#SubC*uo*2QvMH?0jDGCQJT6PNb&=~R>O=8`6PP0?JW^WXP9JEh!{ZpcUj1O-D5_OAzkdOL zg{V}oDOc9F6!}@@6CgZ;Hc0y<*zR;6^LCtYlr9aE;tCt_KKPp+CJ``;v^}XN<|PX zxP%k8xI^flM=lqkRNa;_aq=`7@CY(KhH*h;)C|5RE1_QD7p=cpEFmXip3g%Dvg3;` zIn{SVLNS3^vq*X1p&gP`Uy#y~S}S~+2pQaS2n)>0jmQQAX3Of;iT{2gy|~<=ByIEm z>Qor)rit&!(Jr9$@!B3wTj(ew+xcl+5fZGQcuU>PwU`y9{Vp+JC~`F|#lAA4Nr#;6 zDzR`4wp}2_!{}bZf$Kgxd&&-&-Vr2g=t`$nZhjN!5!7-@`b7^!`y4u6E=;mL_(S4{ zgkxSQ@uGxZ3kJHoX?%{sE2(n+K}P)UW3fe{D0u$aBgMhI{W+vk@j;xj6n9 z5zP2L4t5+VNZ3Gj6P&U4h+ggEPo$B%vVfV-!a5~%z=m*+E=}n?LKNK|Qm_tisxCe9m%04QT&ioG#`H#B;~CY-=ebP5*@#LKOv*TjgWo9N|c#(Q`Rz`qLirc7n0okORQrB(L7&xjwmk5?m+b{JJT#q*MnP^k*V6JZk1eL> zOA>sNtN76-9<~$)>{x8Um!D&=Pj3+a-LdS;LS29a2>|FL0svV5SI6?-y~-?q^(x0} zC^_y>puE!ln z@5x!?(zW!uRtw%}%1V#@D_VK^nrEnqN`?5?Sm5#x=nT5}ie@O4O5@roKgKo{y?#iO zj|;jSQ^1o2?}Z{&_zT?1elm9;EhItlym}4l`DC5b*v*QZswHnojCtodk%rarr|m=6 zUX5*~#X>|bA8b%m;Z9(gxJjO6)W;ENV7zCG*?KSNUL~}gJBie#y;*r;{Jt$oY*Cz= zMoAl{+sGAlA*Y053c+wxkO24*Wd~{Bt|Pef=BJRWqfK9Z$!iRJYlfJ3z(?bum0^LR z)AYqP>MNi8lAmwlD^=Xxs44I!wx&(4OE{%R_-Kpu))c6|(VdS|P?$oVA2?Sp4>e2a zr)_wJT8H9uF|4rwY8(-_lBHYKkdnM!7>pvaPaF~SUCs4PtIgvI&Du6PGdr$cJr^lD z)ygfP(Ny#bWMk?&a~WSE(vjaXILFkIpOFnbHoXPFT+sW3)t692e-$dh%CDbg* z#R*Y6)9l`cQ`O*`*M57re0+-1FPL@ML2E+Z8)^RJDk`f53)$ZmSIIAQXQofymE`;& zn1rQVJMwvYj}ja3d;ya(Rn`PF5im~lf|U`Gb44M^g~A0BOE8qc$B<>Z;mGYL_k$g0 zg2(-E#=G;CN?-vSu})&F@e{4Z!f6}3NMcEKPW7k!lAY4;I`qc$`dOc!XY)%hPMHO& zo-UmaW+|ndT0c@f>e|LN6!|Ipp&d+S`Pa>hu-3wrXN9-6xAH6g?ocTq-=-3~8LMOj z3y!x38cP!9!^#=rTEqjx~HJ*S+`nj)`}&8|Lo*sFI=hsKD6su| zAPfEguR0 zn?p=LA@*&)a|k^(0Ps#De@#7b1iD$9I{rl*r`lSP+g$I&p|tMeAdFTCu)u{qm1@n6 zZqZm?5JJ#A#!F4oPcrBf5JAck;SyoZ1#?1g)xGgzNJJj~>CljS?-b5F(|{U&Ro(HG z?q!bYvL8oM_?24Pew2KKEDU@gY-#w{3<8W1LmY|aV!=a8#DUDT8Db70AkE&aO$!Y;as$?^S9$iT z(40-}#ZalVFE#UuOpQLtg_9g5aj~xA_MP{fF1MJKXk{-q50-VT&h;92(QYEW3;>vQ zpe>OAqxI^1*ll(b%1()W^RMp<2$TI@xNO4D0y#dY)fmsl-Z(@7&%T^Y?cI~kr&c>A 
z)krmIm4@uUI&|Gwsg6$x;^g%c+dayLp+ z(cdBGm4*&cA!7Av@$Eq6lUYTY_Ft_q?75cGEo$8=f-1TP{R6;(?D2iIbDm`ryH-4E z&Xz5lI_wX!4`oqNTzxut5l$|4wrn$=%)u|Y?EBpiK1b-i`{=z_bQhPNyL_R3cT_}A z4nz;#g>!sEB5CpHBlCA^v8esB6xXaZ+9NOtd1#bIbRm5zQhsV^FqZqLb2vwrhTQW@ z+5`xnZkjx*`*oNxzTFAot9>!)FV2Ow)s6ubTF;tq0%XWiP{RT~~?Bjv_y@gKn+X zkGtDeKu0Hc0$M8ty?&fsOAi3+CFaVn7Hclk?u0EBC-_U6aQzQT+sXKRtHEKmyWbvQmj)9Yf5U#AL+X0{9C5RC+Jojb3wwtaL+FVh$lK;s#&x$rucJWb zA}FZeeR%%i0U-@(B7LIk@Vx3#Qvm|#kc%%cBcb#Ahqpu9M9+!?%1MhsJZv$`CvsMm z@HlO)(h!f}>R0hqshQ=(gohwSiR~lW(d+?GD~4HI-`lK@mCUPjK4Y4F{pI`$=<^Wf z+7Q*MIyc+r#623u1NZTWw8&4o+FpR5j&(ajVU2RFGL~3mMEzfG9l~nB2`Ax z+#eUR@%E}pXRj}y1`l_ElqTW3cZkjrAYmI$j#PQjWN%nf$Q$3SCR1S(w{4T`&LsW?ysU`t6{C&*tB?MO_oU?#m5^ZR_XMWcNFu^#sR2B z`2jvsAB5?mpo{Xag~|x44Fpyh$sw^H3&jP>_IkBtKzZgg8$=(o`WF--f!M@@_Ii`; z{d;Gq;nWAB3z*-1grl-2!Kxvb^D}H=eG;m;(Q!Aa8iNoQ_YzQ`T35H-h`~LnfGFVL zfIc*y%`6{Oaw&i&$t-|=5OoKE1+vgB>;thPnIFav{e?ihy--dj{Y^3lyZ}Hn3OE}c z3`Pj-3JJKy2a>E`N}aGwNVlveofFt|$Yhj%Zl@Y0k3+lODexmW0094f|JTTuzX!df z$H>}%Gb0F9qL~`V759NNmn~L_{(x@^`JJ2G7j4paeH*^mMP!aD`<9VGUy00?<&5XJ zl5ai0)Tg_o&R!0vv7$E2u+Pz?VV4!6&t{97yjet{+rJ|JMc->P-zew!EPV|Zeca+$ zXX*lnaRYW=(VIdlBdWb*@53tlHnuteH=B}PS$6VV$bMchdUZn-l_M!`M|T~aCl}@% zS1FLO){%FWZ(>~Mx^eJ!HCcqg|InGvlpiv^AP!4mTlE0--<^R&1zyM13aEFXg+sFo`2Si;BiCO(8{qM52x@96O;e*W z3(Ky8lGJ=j>5K_xIB@!SNc(Qju;`QN zzlQAZorngo^L&2E(x<5WKuA1_rzm?%O9SpQ2HU~C!eM^fp0X*yQ=NMUI3JYAwaT_UnnCCQS2AnDlUcHi>mqRC|> zR5-qfc@iqL_6)YyKNreDG0eH#-maVKZ(T}Ua^QdB*Rh#~b+Lc17!*?P7sQP4ewj1Q zDEB)qSJoiDoAGSaO+&yJRJ-`}-#RVTcVMV{*Jb#-@#6eTr~k6w|Ebx(ZMi>29?qW$ zMWPbT0U-J9FsG>0X7wW@3h=qRFJLt8=#;iaF+0pAuk>90*AszU45ej%I)2e9UdYse zuksR0D=#3P9!K2QiEEUz{zl>g&kI5!zTFaKo2kurgY`?oNpemS-m6HR(^~v})!xWv zmqFKgLr3Aq=zOX;+b9*--1Py-5mYEvt4MsQ(YL)( z?~ILY_0B#gSKSe(XrErth`@h8YyK9lCgHpN8ouva(BGd`N7U8^XlesAP<692b=3RI zhWk}V6ndFZp5uQl&^RCZLRh+I>t@4vcafzIgc@Ah$Ufd#qiMscYL^h%hhTzEMqLLl zFKSI`zvd5Y_bibbUWrF4Owh&)Tt>YmaqG1kN&ku?_N?0huS{_QYimYAhI&(q?Z=@V#$Y{K123fMlC2aQRHov3BZN9C$sAXbw)m|2_ 
zQ3FSTiw(;!7nu_4BIa+8J$I$R<@;DLc0RgNWJOspa14llW?xAR%1gz+ujJVKh4Oy= z`{VPz$^gI@TN6bGTRTTaBRjjl7WYqS&0Rw&_`iPnZhNTz7Ja|_fc5@QX%kxq)BjDp zS{(5t8TwtC_+RS$H-Zn?%RA`%h7@RS`pxuT-+#~E`t$!MWut-%s=)zf*cgAGgZ~5I zJNV(xIbQ!v@cI+Q<&XJa|3LxEZ2|xPnFjVJ;Gf6y{{Z@`-Tevp&td&fls`A<|3Lvu ze)=2bpY8geqJKKHe?;>D5dYJ?{VDjTgZM`<91P;$OYv`a@u%>gO!SYi5yaoZ{|{dJ m6X(yj{2v^7NQnRKomZ5Fdbgs#d^bE`?%fpAq2B!);Qs)u3UQPG 
diff --git a/spreadsheet/macrofree/waf_checklist.pt.xlsx b/spreadsheet/macrofree/waf_checklist.pt.xlsx index fd8252572b309d9553d3f7b6103bc4f13940d681..57cce30adef98b54efb5defd254d3ee7374ebdcb 100644 GIT binary patch literal 187869 zcmY(p19W6t^FADB;)!i_Y-eKI_QbY1v2Ckk+cqc8#I`5SBwz0RukX(LTdU6L?$x{d z)PAb!soJ%-f;2b;8VCr;7Z4laFPdT_vJ%OkpQb*qub-E(-FF2?J9{SvLwkFAcN=Tj z8Cke~MtG?09wpb7^az3?M3HY1Ih`}~F2T)IHbE~}7ZCim9v-8(1@z%06wPU(H}v~9 zEX*Sa0!ySXd=umO5&8RG)l3@!QFS;-MT7+40|hqA{=rP}oRhmPwI>VoVrDKgDMD`b z+=>(fyBe(Ab(Dk^>v*tVk37lwB2lHeQfVMRB9$l5m2(cq?cR(bd!XAf75>i@uqKez z;Xpri2Lk~?{@*Elw{tZ4XAZ&f`c{FAXhS^_Pt}r*E+~~qYbyh3jA^xXEphA3%y*$= z0}pEqE=y|MSo`EhS+5I{ZBNJut~@8OE7en6$KXEP07Ov!dtbKVQD$2_m5+xrG%$=++ZdI{RTn zO=t18+R7me#34SX!J#7m{@K|XJwTc5m_vo=pbI0{26@<2mD?0p3Nufwn@`h~@#_PY zs9-ker7%F&+ja9UbmW1mnk6e9B9TnHr6}(?qk4P>)k@J1REn9j5 z-<|0n>@GC5V^KNKd}|gy45qx&yy(OH6D0d>Fu!&v+#F|fVx!J*)@SRI1gZ2X>r<;1 zsOnSSS0SmY7LlOe7xP2GEX)!9WJz4(bT9~jRCGb5VrlMidV9{=+e=J$!n`bo$44Qi zn#oA<8m{{~X0%zdT5GZK>q_+$BLUXTXVP6PV<}1Etp9n2pC@#tJg5jFz?))b7nlrS z$Ou2jh6cw$-RG)~rMAD} zZOpA`nP#9kWqukj%?LOWQi!Z_QQ zwflYbXl7NK7}z|TvhO)$M$dtH9NQ@*2alBUL+~rq;*wGi$9zxt*;4zWtxH)A$Tnw) zY6ny{8w2d&3W~X_)$B%@i?{kf>hD+FC$%&`w$7e@Xxt|~2Cdavh>VR8+^5AaN^Kp5VPSYg2o6^^hXhViEuq;3?RbWi;_Ne62|Mus(P<)2)ojcb{`4VM1#H3A~-{)=yNxz`S z@AYPJ&u+?HbGYa2pd!`p?V0;ts_=dzF;zad^XdJp$Jf`|zXgI1Fz{$0Mb<7BGb@|Z z4~Bpm2Y%y<@(KgYfRF>R0C80<0IiW_V%hm6!m(omsyP7B$=O!nupvDtq6mI%nPAzg zJFS@sx93=W=#-qwG8S?;HdGYV5q^_zacMr)w=ss*pPQi~2J_Q=(_q_%mke7GK)6RL z1aIU9SUhi+{@zDU2yhN9UpRzS~mxkOx#c zhNoFOL7vrRw6KuCP+Q^!elJ@Pa*c(5#^CFiZyID7(u^2lpIR349ChAFVgb&b(Gpmc zB}I78XGrR#Qt_oM;leESQ`<>9b;^l8G<(4tUv>w=dstyhoR2h5@tF?dF}`BK!Yj8! 
z#)oT?ZOH|%3<5Z2IWEQ#9<;g==gy;tX0%pOeY5J10?~OX^-ry(sm>s$+1LGQD^Ip1 zT?2b19kmv-)Yv{o%1zhw_^M3gtkUPT4ht8VD{hDA`ERHii$*-(Sn{GS%BVH$B< z_5*y8xFf~#4W9QcvU)GPEfF}-T3f|`R4|lEJ)rQ0P;D56S}r1)tP~JNu(O?2Evd=hr<_JEDWt#z1<&mz0%U=S*9c^m?>7>y z(~@=OSQ-l(%XPKVdI5p3J8#b(Sd&BQnnxv*c5C2A+S@n$_^6 z!$Xm&X?v>4Vr5b>#dK40+FirMZA!n0AN$J=%EE`hTG`t6@+DhZO!1)?Z|i9~(CJRK z6g;4qHi>#Z}KBrPd2>gp%kFz@u$x}lU@W(F@M9HxL5HM2$fvWfy6O2zb$$dW6sU11-%TwvXX8_9d`$vY*w$sXEM{JL;8coN>6SA^E)8ee z`PyTW^nfRy1yON%DYzm@-I(9xIHtfvY>K+JmCTCF0$sLXv<3Hr6^F_~H>9?q<%$WK z-=t{ZeOhqa0yYnju*8j_7 zZg!4VPUa>i&Q1*fzWkfc&bxe^);MqJUsT7hDL}(qsm9nn#}p;msMVcFHQ#{8}X<1r+fQrjbF+l;XUaQ z&)J=4Q`v{opNqvk+m=5Qi>ldtw`>&*6Lec&H1*W1no&P03983=8I*jrfv;>^=hZrE zh}G2HMjZv~3$a7ZzQv}vEb3iVoD)T`XUQ3sQxQ`YJs+yR&83x%lTYH!hkjlzNV%Ls zDwl2*MgzgMn>EXoFSjW*tjgO@9)cWUfYk}k7sJ|Uq3o6P2XSj z8-#QO=o*`;b3QH>o9Fo*eu2#T2>S^%QVcn8-Or zX3G-p#Vl!!cgFU;Yp;%}>$mWlQ;ud&*OyYjo*X}Wlj4{y}b@8S?r!R)Ahib!9WH)1Edwz%`wuIEL`{Ha! zmpP+};t4VDR9O$<&T<5jBi&KnxlljD^am^m<&O4G(B`qG3NwK|eA$W6tiA!v7o?|I ze1!~(Kp&axL^JEb*m=J1m)Jd(Yk%qkFw1xxiixEAx9QgEdOn({KN_jA=qN(@HwSo) zXweDx{XU|r9y;H9HrxHW#y{SdDcMBtrU(}~hD`3epZ9)p)C|6DkO(pL%B!z;U3RT)+a&#xxh^?J4_ zR|%tkzTjPP7znLA*`nBj48f7M-Hbf@y-%0)Iu`PZvG4WJ=&f(#x3k;);)d*1ddG>2 z+oW=2md>cQjC~-C?YHweroLCxas&Hd6}RA=OV|?@b&18h-Jq@`(XP&eJ>NHwzH?tU z<>R~9pZqmjnkP=N(KvpNT^yrFEu%+nqeoXbf8;JH7dPbf-T2EceNVf&coq%qb2~C0 zmQwY9%hBUJzp42UWa+TpK6~A_@hCjogdes>iFy6-9Fp=dygIE zW!b+&I&~5_$=@cWNc;W+l0w50BCrFMJ?>mTrirnnBY*A+<2&i#V2-HCfCl4?O`TSq z6wA{v<5P~hywRPiRmdhzi0`gN8wPHUjO_v|>N++>>w$|Fy0-Cep29=cM_HiT6N zIqL1NzZ)!m*EDEP)goD@nHBcPQ1c>8^~Qz-a1<|r90KnR_$#qn7^7*Hv@d##4Yy;L z2L!>>!ZJ7D~ybnQC|3lv7SUJz#*M+i0r5%7qwmoZ!9HUEk9h%lW?C|}zASh3$6D=w%_F{ikVaIFjxe4(-0=T>YO!bzsK7eYGP zz`*hbOF6P9pbYzvF)hQev2Ovs&AIs; zGXjT3s>RdWs#|<-aHnh8nfk?@6s}vc3dlORI8Uj9`F;bmQHq8{btWU!rW8A>jK_tvKej%n6W2ZvK5mu`O$?H9M=L0!H5Nl_Qh zj_n?!?M}fQE%&>K#NWCY!uQ-h5H9Wp10ucfmieg#|0XAhSPE!u#ITnS#a!6Iijvuu zO1nSX2)^&+0nM*NkcSkwjKu&YLx10i3FxU`RV9~kZ>brlvl4LaK=CBdEqNMRO@8yc 
z@A!0>wetum?{8~%AW0hnKkDCca25~l>e_2vO(;_MmCmI$sZs`X$09tn`<1tY`FR~~ zL~JHx*0q^RGB88nOoENB!xp>?F^r~QQ@JMze~A$OmR-8#J>^N`|Az9Q*ku~M&%13` z@=f$z%@OvG@Yu-@xvYKOY42S#cJ!62VzQX*w4zDL^+^Z(+>`BNVU`-GH^ni$WLkwW zB}(jWkSs+85VJ|RZC~y1jS82pjin{Zca>}YrYq0^9pIzCp}RcHg;y`5w_aqv!KMGP ziyMBVdgP2tPjGBz$*Y8S2UPkp?ZhTbcbBWRS3z#u9cIE zzeT{IP*4q?pZU62=#uL5c#o9tSnfn?TqRwKe`%`UHX5o30%hI^+!`;J>Eyf|tSClt zYdWM{Ug-Akj&Q>gR#{oT-SA-PXm3l#^r$~T<6pdZJN2o1b;vbWoDo!||ieq5O zv@Qw6r)`A_Gk-!#&C(`~=g7C>BinGxOtR0dUL-MO@_Z2=Iuhkoligb zAM8~~yZ#!2VVgE#yz{9c90&ZzsMcB%5_Kn6=4j;#C$@La^zoWHGbf{C!;Px-Kn6nW z6CMyHCYteZ*O2r=;5{-`{=jXpY&+1#ya$5e=rYB&@Qq&8!t~Y zCc4a3Q?~|bev(9ll0@uu<9>zYi6D#wr0F$?IZ_n31O62#kum&XaEyeN27Do>oH$M= zyj^GujP|xf#T+Z-Az@_5{}d-Km{klD>LD(`I%Fn}Fl>cUgdgy$3eM~f(T!r1J{ld| zX&8{!zk)GGh%N{*RTwcacP_{`{1>JWF-76R(tO3l{NnthhNyi>5_r0L-2?>&N?N#1 zfQ*GD^ou%&C<4NN&&tn#E`*=@2njL$1j+mpBw-f#528&s9`^|ND+~9Mn(@$=ek~g9 zuXamGV=FAEcAE71r3b}qs8{XKY18f9Jt>7j7yTDip=w@On)Wni72;f}_HV(`M0{#j zd%8m?#MJjSvV={h^KATfQ|}^H!@o1w5?HEM#s3w*%?#l!VA_{kX%uN3S3|_I2we&p& zJ=X>4-3yCzjDRWmleA>K;1&Os+?El}q8L&=doq~YC=c&dh56}fj69NP_2N@!<-+01MK`pwmhmjF^w*=*WJjZr0e zt91Y|a`OMr4EYYRM&#TSTKdnC_j`OE(?uomDB^%THWSorNA2X#8A738WOmh_n(~xw zHhlH9DdVATe$`sBTy?AwQHmZW5$RsuW^0hI1_0mDgQZ{-mh+5vWP`E zu7M{dhiTkD48~9|NdO6&FPVUhL77B`c;t&Q?3#3pWUn|)LY-ci07OVkh_4fz9fT;`)Vdfd&EOD zRNC?&@Vi&Ke_5zkJ@y)XEDC}VR4C_N!qh$X<-xAqYo_PNM)*FPN=-UXaOaYoR|Htq zJ{n|5!aU?RekAWu@j+J|*qZG)kut)B-q==5NY_blI*%#QF{{%5Tv5>g&0~sf)>AC6 zmv#Kt7sy6{0hTN2L!sy}F6<5RDjfXvgR+yS=lHmU<~<|)He!~^#cEU}N{LK{k)4hk zi3#kY`Jr6COdG&tT$D<=I)GW!r^uMm?o#K0Ob)jMwhuk1QZU#AQ)k?g&91QwgC6lA&Xw+&^gA) zrloLZ7lr>y7Of)yFve=zGs_}-o|EU30nS+A^+8hqJnrm>%s}l}E1pkkNLP$K!SFnC zMt|)lJ!$5|RLf~XQ1yXqD0RXX5VeR9uz~H@-(clbRyY3ilOow zS_PMBS2&Rrd_>Hu`X zG0jGjvK~#1TarSUPpe!I5ww(hCAZL-iyvH^ZmGYNuqe|x3mFDiqs_J2ZYgKANuTZB zL#kIB+LTHr%tA*JU$Xe)eI3`N7Ey02^MV`mMp198(DkX;lI$nLswpl_{ll=^Ap&Kn z!!RP;87om_nkXpzGimPebG#DwpsGnO|AUp9c%ALK;!tniuZH`W;*R>4xwO)J>swap 
z>4~PfU#AkLh%2Yi9`vAU58=x~4Tfd4Zaq3~SF=pgTL`HHSldO+hUSLjbx>ibZB*fRtQ4$HDE$Sa#CmD3yb>3z;rC{jfIF!FxWF*{LU9sz zrnirC9z=E?2mbm%>jZw5HBu&O9YY)OM|&!PE};?U*-kUcT+u|9FjpGipWoyGIr(Zn zYpi-~yZr?wisD-2pRAtQA7oMTt!Z4%(K7j;>V3WCTW$!|7$A$~c9gtsPc$gF+U7`Z ze2!>dvpAI5@P7i~06-DNQ64ovQRRs9?eIX$qU!cpGp}J*|CCPpc}s5$%wiGMuUMwZ z!NhBUowH!wj=auR*VG#_JT;fE)KPf1E$H_csZhIp0O8}~ zhsmN-aVS*JwqpL6jbT~Js$yoQpk)zP?_v;@Rxi2e@N`h*5|0MJc)J#=CF-lj^;}o! z#%nc~WisV?Ht*X&vvgajZ0Zj$r`_lpQSU0_)@x9L+Qw6=$6^QTHX_`{LomK^1HXu-)RFV^SaO+eg57M(Ong8sg)m~oij=zbf4j&tRX@$PI9Y&5pQOI%rsp_=pMDNxsQB0v>S~}P7kwAJF3M0 zh_CJif0|EAqQWdr4yRJTAQ_Uv8zH(MO}%mFD4iol>e;5ICCy$R-u^ue*iW&03_B+O zHi6pcXD#==@-?^Sm5@dpXWEDzTYZV&^wm;Lp*{)m)l&2L4!=|z6hniXE|PPV{uTuzD=zs=5EL zKJI0o_~t$DY>K=mh2EBQQoT_j9msnC{Ki?XOLTIF6%mVJG%4(44-x<{f#y%%DWt9Qh!k<4$_vD!*J0bLwQ9t`+~|chO95IzB&!3 zNYQ-#Bdh1R{(h?*KF5x<^H9dY1CFI7OK+5m;Jvr|RuT4!B1e)pi%doEvj{%r25G+Q~vEw)sec}b?Lq>(!5evvKrMNWfj zvp}}>cXoF_gPz2|Ame&^KpK;}pFD=eZ%A5pQ9el<6A&eDX6+v-jaFY>%00>zgwq^$ z`694FXMQ%*P;Wa?JZ@q;e(&n1W735Sp zd#%6Y*QCDEL)?CJntjvOA45&yxWk(ScO<*h?*YJ^7H+f834lvg=71w55V~K8Q^4>H zYNIFRgA*dC4>MCye|QfJb=>*OAYhvS`YeueiA9ZGmW0_Te~xO?B^H0Pv~7-O@A2KS zdL!oRfyLFWUUdaX_57dkj0zn-vdUMj%S8E&-Rk0)?(?C}#m$2KzRH7|%(`sVCB0F= zEJO?Gp~vytQY3Cw*$h3u7yEn=J%S{y+)ceL9gW#KK;U>9B&vU-Gy}sn-}M%xQkf@2 zXatGT2YYMZMzoi;>yH(aMmHS)2hqm{D{r#*Cd1iBiAc8)TxFN#BoUcd$GG zBeTL>Avpoxk5|{>ls|XR5%Gnx2gx0_i-VkOLmhTU;@K;&`#y*KPt|CLHZsd{bFKHe zRv#0~+XT4e2!9)ZkPYC&cHlZsvGu4n5}(`eSkkyB7!jrO?DAg-qtj~$;!v$VV+Lg? zw`l->SZ4oTB4|FF~3WkD9X_+FBV@=Xp+>T_;q4lNLy`&a@&4O(>vK~M5v);zlN_PJ~ z9|s4A2!_&zOqx$>p}G#k+;vl6E&g9@Lk&xd*WsT4^mZin*kn!FHyuuSzjp#*Y(1u? 
zTl5Fczq}U0eKFbCWm{=_l14{0UZRO+u1R8^rEmHXCc3o0S)Pbl=U8l>o>vudem$ep z`dD14r}5x)ym*6kPSmcKtLuepUhn;Od9?@I%HU|GRN3Yqth=^udYxQ&ze9LdPh(B3 z8znGfAB6VZ0cnBQ#%8WnJw`Jzk2iY{7CTEUvgfsI-hHa))15_ zUs5;bTybKDHik~bOPFoPxuhpWA#7Q^t-7XHga{O&zYQ?3Wq=R>U$hGkP6s%hWx9>C zZ2B8}n_1RCr0To%ELfTax-?6V@5?k5C>a-?1_wPX86_bCvP3N%+z?i1;y!-p9TRBu z!E7v7e?s8QJen!3yf%l~o5a;L>KwP=aEJf7?y*QYwP;znGpuTIfr@H`l4@B%xzx8q zaay_XGchJ-=xK?pC*rYl)@vVFcuqQpkk3K?!5;!(jwqKBj~5y#2rEO$#1rRA}H&KOOBrelAlz`y1y7ywu@;*0j1|5hdUPMET1sozDizK7jB;HHWL4QQfKu%z@3 zx>aS^cP8%WP12l?z$&jr-=(Rik(r0k(DGHJ%96;ly7@^VO&gj2v$zS6A9tdxsjHD$ zzuMl#t+lIK1AQA3&?UXRzi-7avF^32e?ZF#;e(sONI==2UQb`_sMZW-M{ z-qM2{4OvJv5gJS!K^p0JYrJX<0P2w=*PBNkIm!je@qVrBbU z7yy@6oP@l5SS^sbKpKuKOf@lhY@V8r@g%R;yjTQmx|m4IcFVGZ$1hFlDn z5>U)Bza4%5VsLQX9fGu_!;0iE;4)t%cwyz9S(A)gPlZ;~8q%#Zq;4@#W5=iG*XlLj zd@9IGOlO{cFOP(8A51yF{Jk{f-cz~SM6hS1ezVI0+XYL87;~dG)v%X=e@lOC?ICb| zvmVD21$|Kqs)?Sq4jEEhhGaGbT#tY~-J*@!L@Uh2>Geh+7Q;P9z5JXgG2M3WYJq1j zyPwgTWI4S+$BaApOh&PqMYL^tq1Oez7`y&mSth zahLxwo?&6@^lxp)?0<|`Tc%?+55bRVb&`BO&i^C^ndaFM#XbhY*#hS03fTyOYGCi@ z^D$gL!9GYw8|`;VGC5b-TNK9v2{lryOG`sv9eFb!Uo2{rna6;vnDu5ywA>brD=`%KeoS;cDic)>X zCWJCLIo7Bj?;SH387UD~G1;xTMEwGiHHT4t;*plU09D^#4(T&QBTw^{ma4U=N8V;k zMzPKiNHMmI&-a*efa{qXX zKX*X5v;1Fn(%2-Ia)S)L_>yhjesG=`ki^tGxu7KhxSuyd-EKMz|m2(sJMAwNOI=h}*Yxk-zjRM6L4*J?oL@=i!T zrG98~bpLHTK_wq?pl%rL(tJwWOs1l z#~{)??_#LCVmHfwu>{V0D}Iyx$8OAxUDkBC@H2l0iVwpWk3v+6TZ0m%jNJ*DW)8#% z;BeuoXV;#Dj4Yh4o$gBkp@9lwz@3IDgc>YX(Q+MF1Frz!6q5pGUGi9Lm(2ucOB7s? z7Ue}eI$3)z7(q=-e?x-lMnU$%?>TOHljo$cShWN2#L*2|=F(YGd4vj=L{kQKbM4V- z{*ZS#&_EaMWK2unYn`r;xeywMptBjyP;R>40XBPyVNc%gB9;&K8+`sR%B8CpjU`xX zQgTeLfS(G8-Z-4=h7f6z5UrAAa)tix4g!T_*8yoo0~&LfJL-m2`-XM5uz|z9G!?LTXet9sn00b?<24-$? 
z9j-FUoEA^r(knPJ)GwYBE!67jif!Cr)=NA>yf1x=;PDMAd zpfQU={%1PRy6L_Z-?DnIL z0x|V_e={i9Gr+a;gKqT(I3@=2tm4{f@k7t-+W|`jHb3CpqLUY-3^@MFB9N4^r@FYx zI!UwoX`&UCg4_>M%4-AaTH0ZRFhZ-6l#;*bN!o;5vdO~Yx75x-1>93)%}!5(*@F~k zTut83dz#4Xq*AX-^IB2)4`?R%xTmtO`YF(PGQ(JE{i?w|`fig6$P9z15xVLv7O8sO zKW(?8XCR?8P|L3Qq=Fwy6n1=)V6O^Q+_waR?O>`P(sUrCCXiE(I;~(NX}p_YQ@4{=!xQT>AE(1wk6tLG;c199h$sGWaKs z_~5HTT5msCxGizbC%*CiM+DlplvgQ#9jLCNp=uUPB0!{!hXvF+Gu?YWt@qz*_K71R z_{vWjqx&;OJaHrk+huI~`^gHFa8+5vfXXSq0 zS(Mj2gw_nK-h#rVX9?Ir@;K|IOEZPXs&nDhqUHURt;b#1zT^{n%FsOD526}E$~D23KyVM^VyL zXE1Gvhd=X4O+F$FzNNTJ`y+@0T&zDgVJUnE3(%+y$zLM6KEDYm zNr4NRr5yeYgt@ddJSjW>4bYA~ugI3dQwh;$FJsgV6E=!i4=~xUTTpbol#%YI%C5Zf z7x!pY5;^x;Sq2_=yV@0@)di7^1mNT$g9r*?RJYeI;hjQNSi;LfoVa06uBshmz`0xO zGE?@I)tfx@Zv>!`6supo_a@vr(pT|lIIM}d?&mb7%Lk9+$f%d)@RVu<8avuPrcWyR z^SPoE78%EGK96^^Ftktkm~KhU#Tw$mi5EgYsft%n|0K3@q#~dO{#v=N4jU3>37|eF zZ8HA_Nf1U{o`X|Cji|jF-TLZj&c~wPpPRQEYK;c}4@J;BB{BP$*=&sZo=0p2XI_(p$DdjuzC{$M2vpneJ zf(Etzn~I2#>cQEk&(mLEo=qwUXnFuz>x@~vx;olTdTO_JpU~?$E!Lawa>~+ zAb^7TABE>;UFuh&B~Ja3Qcd~7@h(xv*VBfuA9pq6>qSwq|0)b3%19kg{FD+74;-5m zV3Nx=^Y3RB>}diTgW=s<1rE4F5>4G`T9r{&UG$QgI~K+IZ;MLCxIsnd%A3a_+($%H zA2zAl_yiILrK-UYeka{P3Rm$tI3v9X=2*$@rur~@x*+IKwT_!8FN^D|Y)8vmQxM>O zI?bS*poPMRNcSx`A_k<5-Vs)BhUOW-&h%tIp#9Jqqk=&AoWr4JTB{-jFWL-d?;bRL z_&OQoY-ARND~5-PHZPZe$NS&NBsNEz;eSfu_4|xWB6I4QEyjQ{OV!sWHE2)Mz2``N zhL^<|!2)Xy*My1{&uu;DS4d9w8lv(-{;hTv-J2TAxq+05NiB6V@M6;IX!)8Lk-{mY zB|4r{cS@x5Tjhe6n?`Zk-*Z~Ynb6_$j`Pm>zm<6Uw1)e}O&Rnw@2_o}T0+WjYINER zvEAiCEKD}=up=%qdWEV;P1-HYy>1OidcFxfUx11!en3+{QwfZn1q5_n{scIH$0ia@ zfC<@b5hLFX>erKUv696$7F&QNb;kU+3HUWzEPgrAPEwCUmK`h`n6Mm8-T7*AgPE)} zB~SbMYFPbMC5Za;3K|k%(78yqa}Bg@Phh>t-s@MQ45|D!&7$YFx>&?Dt!_~<&xHX>7(msqQ)RF7I#}EG78!)yM8Mxy)5C%YJ`_6 z92dx4pKr+N9K=sgv z7UAQsbPk?mM2H1=puOv2MNsa~hHuAZ5lcG?9n5Dnl{9|U1KJ!BTZ~BNaTS5oURO0VJr#&Nt<#xIn)+1zyP zLB=S;XCi=9ZruSLM?g}rb^qMu8u36gvq<|oBh8sl@ASoKAS+06@;l{@+~r9X(m}}I z#MIcWxPHB@?Ktq6m}Np32sEJ2C*lnx0h{%Tj+j5^*mq@q5e-hCmOA 
zG=L?=EhnoVyf^G?<=}<(dE~k$!bP`U8w8QwuT*5fO9|tLMO!vNI>(j2H|m$YS+9)T z$Wr0T|2{)Mag#B_kU*kPY5-5lz?aE4g$A(k2$Zb`1Y~62u1AuNkV}dU$&E{+_G{oE zr*Jz=CX%_PvG>q_4*45cJ7#EXJWnZ~wYo9swiz|s8f%};yaVj?+VTN$H7Oj>dcsHd zVf^C$EF|^5*aaGxS|>Pa{HWoO!e%X1NwSzNS=A;MD?CDr-cMi&{u-N18@foNLElVn zy+{yZ7Cc#xuhM-Y*K;$LF&gEcyO|2R>ab({tu5Gy**5VOv`HEn_)Yq1sV35RBr9rOD@#q7p&h#9eO=QQe+iVI9zh_7Oq(mYsIArhi? z;>i}ISxOBOMZyVqk_@2?@jNsjoljuwcR+y5l}TMT^JM~SG>H&C1DRr6C|T2d&;hS~ zX?LB1f5OS%a=sf*EdJy(Y=NI)yQ|BXEc01YUDNyX_EfwKvJ;c|`qPdXR-sRt$ROPT z<~NEW4c9p0Phw8l;DC%9;7KP0c`}c^z0R@qQ7^=?FtdSQq7%YIV!oqtm{{~;L%YT; zEhzwb{##25YvT?%BXyI{Z?LX@9)TEl=8!dLZklg-#tIxr8@-Z&#fG;f5yn}x!jLhP zfCdP23t-O$1Q2g1UE~!92%BSc)Q(7oC7O1h*%NB8YXu5p&;9iP1Y0y=?xz%Zi%$=L zx1|>T#Tam6-rOoVW zx{Z)k%Z*a{I!vKFLXzW1#gp=n47USgyd1BNoBwy^WyDXf1txM?j<>f4L{RyJFjf(7k z@UP8=Q^A+JjtFw=dw^ig$Z5^vZh1cJFmQqnH6twf1ug)Evh0hthvihp#{=m=MAc-b z(n+s3a?h7g?(V!~c>WXBHMA$o&;0=gvl7 zp2pmSop>lQ^olb5DkpacIy1ad+QX19=t-*OZV_GcDsk0FkFt^HSj$h@Ck~A67N}ga zrFsnpu+YC)pB!4&mi*ewA}Z8z4ei||si%G{ zSW9y!w!Zi+&|KNo>qJ&AlkhK>J}7$);kdKK*Mcuk&jHAIfynt(n6J#IP-Ktpy*>do zn)_Be=;Vffnbd#T9u0`Pajl`j^7k zDzE_>7+w_E2`LbZu6Yw*{Bj%(+8xz1jpT1^6>x?b_c2vuZ{y$%<3?vihIp`3jR3Yz zH=iWtjm0BH>MV&wvHOf*W%D^;ADz@Uw2l!Ul0Hd39(54D%2zHIz`Uh*1oNjq6@W>2 z6O3TP=wu*|JIWbRM#8uWr4;)bht@SKnupz1{-uS2NkEQ^d4U+N;xJ=hhmh?A(Q%C^ z=G}{yGZTD=)i?ZF^J`kUhLUEJy483iVb`H{u7~brTvqrf70Cb?}uleZz7iP zO4$M6CzrN6HoE^1wT0N5HXe#54%LHLOOdzKq-(>8V%2@R10|!tPmz9>@@3jArCA;k zuAju?;fM%X$CEI3M2~|Mvv9)4zIzEPPL8{9ev5lBkG#NQq+kFg&fm@3gs5GSPzuC4 zWJ!3`w79{}ZVXBI0bgW0zjR7_2}pU3ml0nY7M`YNI0Z+EmC{T;)wvhqZIVask6)NB zb;@@zWD0@)&lASP#o3j(AT|SQHuAcaj}`c9*ALgO6>qUxDBkWxO!}S))v?AZ>pp)Sk_Cjir zv8KNacj1KA#?BhA82w<8)@z)5c;ED3f#r&(T!ph#=qHE%aBN9wp$l_^IGuM_1p;zF!aMq&E-%^?7&Vy)BI(8i>u_3~ z7`X!$6QK>a!B7Qxyxb?%mO7S~E=6dibv)+zHkBbPVRg)^8)iDM03RH)t)o+lHTUP% z?2MrQHQA->CDEs>>RBuqT~mW!&#$xjvIithGuM4UiIyW31C2%T&%{u(xl{X8dnm{f zWloCGF9u9CRln6yEppZLB#X8`U}ZO_MnsM`C9Tj+x9#OgnAZ+#mAcPDt8t{^m%R#0 
zjVB(1yIVUV-K^z5X|wuM*%1iPiGS5^eD@jRV1o!r@S!^_wE`PKG7{E1@BX@ic$(v>9AeT8yr3S-E3AD&Cmo&9TfKmq9xppN_3 zJ!Z)rQG-n@8{&WNQjEs*D7q^ z8zY6yk8rnxWdmQUp^Rb0dWyLI`4pKIvZUUwAO6B4fZ*35BSL<)WrMfuuN-faQpUxj^-R znUG4|j(9VsI##a*xv7ux9Z7N8!+bl7h!rPE`i> z!e>hIVrk!^gSe8yvV|11_Ja-VS;TszB}-T<3FBJ9$idWWhzBVNTuZZOdKheZz`Ru`7IYb^35wdjIfF;=3wSTT9yo+T5x5;v@ z51rwBf?d(&BU#MHAMh;b{;8mqk%yefr_WO8YN0Dj7i+Gs6ep!!_Und_##uTh9BN*4 z0(qa^q6@b3K8l2y&tuCwXty3=2{Xb;-UK+KN6ooBF?1k8om_)4BZtJ2MDzSGLgOe~ zhnfX+Gx!DjPJb6U0Hz3Uf{dqKu_Q(r10k5te38UBw;p<9E8CaLZv8v{s=7t{Ot;Pw z7kbevfR?jC0%PR_<#@T)t_;>N{*|Cghv#_*!WUHa+rt^$my=NkpB^E*pI95u*(Yk- zHE-eY*8jp6V1x5k;4k%}ky4xP->W`87Qug`Dy*@7jsO2Kb&Y{_ZNa)hV_S`F+t!KE z7>(1ou^KhD+1R#i+qP}KbMJkxeZS71efHjK=9_Q6HEY&hDS?vXqS7 zrkA8G8XI>{DoRZ;L|>*Wpd&L7CT`|?D;DiBWAs><1uJYpWir5T0}59CZ`lOs#Z8#wZ)Pm926Ve32K5!&XN3_W8uxt;sg2k8K2xV{99V+jgD`r7i&+`CYLhmQTw z7q^B3l+*UC@wMMmI{m*KL?-}xyyBYHlwSXV)gmVkNQ*1au3aY-QvLcl<@p0i6y^eKs|pI~~l|I@e<0nQKd<3A;fYFj(9so&u~8og+q_!b^G9_GDkdOs}X z=6z78_PKYf>kf3Ok+G#kKr2GdrX_Tbe4vfPQ>_JHWKo~C3&m^9q}xnpHobYW2FR>T z&W@61+RWQFgtLuyEHg%*P&iPHM?`+y!&<*TIBa!Eht)%5$z8uv^#=*r$Kw@+Z9Nb z8g+?(&OMZscI36!GD-{cTi%uz;GP3LHI#Azf^0bspYWWIZps8wtj5yqnkw3N z4XVXuU-6V;IUOAv$&;rAUCugcM6=z!bIba95xn6G_BT<=UVxEP4$fFM)u=VlWgp}i zK737=-mVKDd+n$nGqeo+Z|Tt+4ci@M#M|;kA&(cX!<~lfJb9Det_|O!u#8hB$m?Cl zU7{}I8ifv#a9FaeaC&>QoKUVl zVE|WR7#N1yeS5$l>ePsfFL}EMH%xWhBx@YrEc^JMj1Y6($Lr%QZ=vm(4hawldsXtjj8M=3 zf5;Tkuo%vJzKt7Z4AN&t5^3(gYXd>A6&lMTH3c%;GN1isfs_t4iu$V_ObsLbIu-Q@cZ95_oG;k#Dzz0$Z zU~3^2;^UzHin2|BdGaNl_g0u9OscmhP2pV7hL?wI)zrt9jE~0&l`bgz*6T0y2)RSn z2>^Ky|3L51_10^q(vlOG&iGv?cr#vXHK)Ix)E~ zy)xNGa>+Vy#4TD?+H{vt*1Mlxvrqai?)rm{RN7a5CFrwU=5M`&Mp=nri$TT@NBEXU zzzz8##+j?jRpk*3)_e$h6x^I50y&(sj_|Hi88A1`Lp(3$s0n7paUhzRMdBT#JdL$H_}NQ?vz9QX&AQKU{{2Hc`n1x{4x~o z3tUp67A-${s=dgr3vqjLs0>d}{gnT&EYY2xOuxB_9D@j4@v~fop?7qpS7{N84#2&R zkDRN_gu(vSuU7EmCy@XEGe&@Z_1O&yj%-hPe9LT!2JOht;DSa&g+~{L37V+3<$%$q zxVKG}ttp{y7EJf8xtvF!9t#yA4zksFyeMrT6z#f?d3b$kKk_f#I{UHJ?5UNyf9vk1 
z2MUN{T*remBqx^y?gPoDf=0>jVvxzR5P{CU0t}_(MH=?|Xk8Hp2{{n|ic#)U#>uA| z`moL1?C(Y)ku-jfT*cS83oCpq@OoRG^AqXVY$l>6if_+h-4FyMo?i`W6;mxOb z%%KUD86nRCd&JQ%(*(oAbkd`eUsiY;Q7i6bw?j>-zg_K+%ySH=c5C)mcGJ_xjvKSl zQqDQX;f8#!)cv>@Iu}PznZrqHHiHRBmtMy^`{a&U)>psPcJVFsNWH6)E+eVi$AUGq zAlJ5bCS%{DAx8Ntwlpg*dlfSD_AH6h;OElISt6+n5z>qn1LAs8t_3%GrWAUgzhx~o z@jRJc(c#AqU%BI!lqCEYA@g3!tUEE zm4r4R^+~1;RCB<$(5JS$PuPIpGv_udLW^4J7Adh9!d_!@+exDxT1>#jg!bxM09)qe z+lka4%grgj;w82ezZ`HucE<3%R_7PPbJDM(#c=7}Ewo6N>2*}G>RFVZ9Qqfp!ycMF zn-uXE=m#7#!s8&a(;*oLF76M{+1rmxs2MXK(5M@Nq>$ZqEL}+p9v!vIkzXXfn6`Iu zw7O9yb?%Ftqx-S6zeU*mD(>OKXxRw6v&b5Ud^iiD3R`X14`ZN#T^!;kVj$9xSA9b; zQq|1!V4S<4vBtbt61>3*i{#o@lpFmf$d=Nle2pdR_c4P{mNJHfTaCRV3_tHe? zZTXBi=97rW-y%2kyR%t0BP7<6t!GHqu}t;#?Vb(LiI{Hr9HAx@N!DC2+Nd?C!0l33 zai{)Hnt)f>y|n@Ib-n^#Kqj*V6dU3iC50j}o@~mq)F2;@xUAMKr?~6G-}hkphIYZ9 zG28;2Y;=d+xIE+=6g!Md?nLhrBun$R#EU*cXmf95B}hCKi(z|U!YYic^Sm`5(>vh3`HT3C$-N=;n=DT3r^XC{pa~aNMVMY1IoaALCXr-;`c1Eo{CYSY!sazd}V31 zjQ?`IQ&-+==A0X#*6`fb9Jq=oH!Fn(M(~p@yf6fy21THINAybRPRd+#Gs8HRrwAW$ zo$4a0`4gXH(^6sdwgGX_hh6%WZOu%?#f|t46S&AApY@Rf%*dNCd(Zt4&D`FBQW!T&Q;zSbc`NC%(O={HlvrM%u_(oaJ%SMvfHtX3zNP9lMY` zF>s!ISg%Qme`Kw|Jv`KRCwLVTegUON;A-?a`mB_PGjT~RV9|(*;NY%+;KFOZ00sVH zpmP)6d077vRjLzMdUt_=USxd~I8e;I-N@Qi*<(Z`9*&Lc_3DRm^pr!H2!}=_;gE4L zd8zjT^Pl$qOGKOD-y*j^hARNVcspg>uJ1}n&pErtsUjP4sdsLAC>3M#(nty-c_3=)kITq)G`FY8LWMa zb0B?oV3@67X~!b1`y~>tFiJOf2{ga+z6-Q{Xl!(B9j@Pj47+GmZHD1-eonK^Gbuad zbzzRkP*}=Q>$sN@ENU57R^diTx3CDbJKZ%92Nj5b8Z%7ooptaRA+6`}IWxtdA!n;c zwX}uC9J8AO#iXmtCi#vdMx3CR8U&az>;1+$`7PF9)uxAkOGmVxw~;v&!|GTme(V$B z68hNHX(fb0M_q2+9u0ZP)7KmDZsOuru~Y=Ij%$_jd&_le52Kq#5f*DRtT|5&wlr@0 z9&Ygv(K=X4d&nvSSGW>0LV1rl>&nWl>J%n_|7O~85)OH7?_qUNvQ*{u2XuGtE9BJk zwgItdoJ*is<#1DwYBx{i_-?yy;Go4NpFz>Uv0uv?CrcIUsP04uW=4iOvYf3Fm{qz* z6|BJl*JTuEXyuV+E1Mx%-5;M)m+iph3Ob=F5#wQmE1ofLRO02Tw1DkuuM0jxS@$fN zdxg=)`i&PLl@t&+Nf`=NQv}Ek;s(LAHo`N1@dTR40NYr7C;KzKriGY9C2xoUT?adI 
zLV;cBfLUhX-jwmG`xtJLR}UvI8kjzRpYdUn>OJ@SP~7cv?rDl+o7Wq6;ofWW|>4qR~O44M|4oxS*GQT6@o^{Tp$PAArFI*^Ryd!D46??c$C3dkDF?kfKDaH& z@XVeqJ5GjluUV~j+O?fxGG&KQ@8Wg?dkf^<8?5(_Sn#)(rdZDIgK8{-Q~3rfj=Y@< z)y#WRMI*4atoxr&6Z#S!^Yt3aU#4+`nNGkei`K57L4_CFM`yFTGP|f4Cvkr&FO^M# zAS3Sd*pRbNPV#9qFH=~}+6X{DsF6)}IknUE{+McB@Ae_B9v9q^R;&J*QHs9M5nte} z#2rmduSrSapqkH2PB<^Bk8Ui7>urFiMqyuI_Ya7*zur~O_{-(`(SkWI85E^Lerfw?wgpbkPFcQVqwldfFv;XXc3Sy~KHr z^UM#0_Y8CI#Gtkj{i4%!2D!A^ocq+k)F!<~!iTtN)|X{~9p}n#%@8Qh!VtH;5;D%l z5VyM${A1rZ^Qpi5H=G=U8Ktl_8uf0n}$)E&oM>D5+pqIC|yLO8_{AoSv z+Zl?U9rhRXinC_zGx-Pd9^tj3Te!l-Hz*byl#pRv!cv+VJ59-#Ox#1w^D+V(HDm$od`FT;Kb)#)~$G zL?W+;-rf4yOVHhNMB`iMuj+;HiEfro_UO(COEycf15mA>V7SA?0x0IIos@766AwWr z0|;5X(vrJk2wPQvwlvd-GeT>^VUhtchyRPJMe*n%U{ryonnNHAPVc&%IN@-7i<<;X zGgyTS!>3HNG%)Yx7iep1H@{cY88>Sgu_!z!Er$hhRdD^texN(7(Vk;gt$9NLrV$fc|hM9s0R@i2D}yT@1i9|#z&K4$qaK6 z^Qz>{#7Vjd8F(?g;A?IO@4)=ye_mJEP2pkE*-k0Za5LX1l74@x3pTM%G4N0REz!pw zp=>hViN07JNJ1f=;LA{NHRfV)@?GaU{vNhQbTDMO48ld-FcQJ{dqI{%UnYy#!tS&R zRpoD-VyR3{AL8V`<*q~zn%#*p7thuRd~%tm7CUn(+3cuKbBz`?YCq^TvBZD(nJEcu zox?^W7;zt}m%&Rw zTJhWVtNIyypzpEueq6>r^Z@qXo^>`oIF~@KCWNCjVx_e zw#a(!O7l)3PkU&wupii+=e677Ee-n7*HynE1ewv#YB2huXNqa!hj+}*C>gs9;rAmy zCQ)$?NQtt3tl{tC70;5b$FA`hbx0u__gRK5_hl2Cc({^efL-IH_$<$@24@j4bdjl} zJD2i_#*1fC1N?w7QNg4Moo#M>8P_Dzh!XED9?m{&^gr3Y5KF?&iCj4?oF(jM2#dye zzTJmnVdqjUc^yE3DPB3WnEgbQ!e+y}Hrty60i2=N2hZyZAH=4I=0Imbxa+oZRU)YY zn&9fBloXy@*sgBOVtrykRr`}LPZb83Ek7Ogzn1vn53=)EJ8r~ZX7>vj%a%NEp7p%Y z*c>xeX$S!n9cKhnZ4KuR8Ew#pjqhviL8q2lUTfiP(}DyHf{(t^odK5z4$`KIiYagd z66>?K{BID7Ol}BJi}QXVtjn}TQ0z=efcV#K?rytF&(wS;oTet^S>XiS>3oc9% zKaXX}GjU9@d@xPz6#zRJNJQYFiCNtk*o}RJgDRSEjRo?rLgb&{hGIj(vY`;ScETNv z-+D{@MG!}5PQ0$J&fiwu+V-hd(CVm>TelF6HSq%2H#S1^Ow{O1{gS%ssryiMjPhs+ zp=V`X2QBt!`HVj47qn?>#Xn3R(<2Zg`?1I`!7JNymVS60tyF#ApWY>=mI{aDiHPa{VtE;byF4`wG`@=d=sgn-)~E2kH_NX86F8RfuL6brG2F=rB!VfGv0 zxS7~r&H@`?(o7!;Q`>MVI1HHx2j?WyJspS z_Z2UwOcjsOU@%%fjj|w`78cKZMZ6Bx5+3^?Kl^_(^e^6s)MMHGd>|4G22Jf%06Qja 
zi!uz?ps&(x$XjTVGfLznDZ_rE|Au@x)PWE;C*m~IC8367&+LsAiZN@zx+PUGUjiz_ zeKo1EL6TB$kS#vxU!;k%MnE3P?hE~Me^JwGLcor-8~u@w)F(2rVT$#ra(C@QgLX*m zr*9fIuId60GpFz6SHY=na#21Yk*0P0#Yx$#TW`{>fu}yrP4Eb zsbOx^4JfKs^FVcSjKpD)c6W&NHPSqZ@tlHd=qo-d4g^B5vH+p$sdyD?U;Sd(NjQ!v zU-tiT(GR29ov)GOM)Ntq2o(1uKbc~cTh`lW6S&2mIyU?pN z<~VmARW1_SzqlPhKc0;j5$Fzx!XPmnYTJn&oEJzi1Ew)2G0X}=j8(*zRCe^b<~{W; zRHtb@5HwHFMHx{FzNKW4qKeDqeakK$)0}F;3Z7xoibf!T{~;?7p)>GHJDjr`dQ6#< z8eQ19iIl;^7vL^N znUnd!Hz{Ms759QV==@s>xrH*-d! z{>^S-cmq2>C~i0bETdUwuag1`V0+0%axNQw^3oth(w$MmZVTM3czgIy_7@EG%ybM z`DxK%XdO#IF~5w$0k6)OnU^_9HKECDcz?+LaI##;qplS#H3ETJ%^Z2)O7A~h#5*sII zUB7Wa%Fa*tMm)$LE^A=^u$C0RWCXxJbv1ZPs<)Qe7SKtx6FhR++(!AZpaB+wMEX^% ziT^V__OB@u0Gg4D?TvxL>T!8_&;s+ONfP|>(yQtUrTaHPXh%pSfIJL(YD0unLrfA{P!6682dU^Z zJ72OC<-jb39+N@&NG{JbTk{`Y+&F0)*=U$e@9SvRReOvbb_ zad$rkp&;~3+&28Ggb8z&Q07p*ACKo=^H`VgHWGcp*Ns`)*${do1`q%{FOW43$(H_S z6py|vVmfJ5$0yQ~FN2SS^Gd;-tqsX4 z0>^N*C)-?Tz8YSCFu~+rqJDILsHzKQeYvruIWv7$7#$sN2OgwiWos~er}()2ywd`E z;{9{#MkfS|ZJeD=hsSzW*)_jV2}t7Qin!wPP*LTu$ro#_WlUVwvDLzrEmtmIB0}s~Ae2 zbXQVyzpZ_726&823*4`WY>Ha0i?BiLTg@WfShg0ms;LwK)$B|qAZOw`=gK4Vwb#k> zD84#~_mT#{or6`M5iMOe64p*Fs2YNKSh`7qa9r9bv+l~RR)2FVOiP7zKnzy9b~YrU zQy*_5BkL9So-|mg@c*{jiP;h}(?JkJ#+8SxJv2wqAPuEUAdcEB-i=9#s zFkT|v%vfq1W{oSKwOUwMVpOK_fLmWiFp>`JR6lWq`EZ-54Wr9^ajq)LnnPZ6yX=7& z_nfw-tw@d8hI}5$V{2G;rQH%Hvl`BX*<*ABx!Zz?JMZDFJgx_}c>9-my-bo#2gzqV zs=H#e^B-{)K#HeLTRhjnc_D`I=WHPt)Vjq|mYwyce3he__KEVDK3<}CxFMy`mHZ6F zBtS6=>k-qR+>=IVTwW51?#`Kq{+Dl%a3sv{$dxsLe6yw#J}HVQ{>$#T6U(=xJAuY* zMccaiqIut7TIr^3(VQdg{&EWs8XUa#zf%joh59_64hg|(kAzUcHn7c8LZ ztfJX57nu^qDskKhtDnLq4G0Ur(NaidK=#@RM+P>@d@Db&cHvA$`}-QocoO7yn|fRQ;gz{T^lVoM{ykMRGSz`R2~x#Y^1WOSr=lQ~wfZ+!P}Ou)a;G*M z!_;U{KjYKQGEK+Za1Z?Gf)Pu;eo98HuFe>xz0>ny{^8G2Ay9+~;>Bz2d!k-+(xXbc zt^z{STpZxjZ~s~Mdb%es7oUi1&ue>EY`+GaJL9>0r>fVHm|T=e{xw(fbyD}|0`L;b z+TJX5gt9V)iLZfDQf)&@N*2Gmc>JQ3lc^vDyk}T7ZzdPg9)5-(7i2GN65W`J3r3g8)Bw6NH%hd$W`k*1ZYva|#U zIQ54fe^#R>+hq?vZ$Fc~3qN_}d{Kg|wi(SR&gR8p`JM0o;I7+gj!gfilso 
z_z**9xm)m?IRXRJ@m8^Vq(WQ%6faadqe)h*;1bJ(F|Vyh!k+o@zEFaZPusaqV2Q4x zS+EEVo~Bk7{usP6(ABCHvv7Xq*15;=IFM4ezu>+2Bqh{F`OWO=$RTe|KF7w3J9Ep# zg4Otw{Ja-(uuAt73QYmqPSi}Vk7W^}bnwpL)6O-e4x-ZJr4rD6o~`s%zL%nu8g=c- zYa*EsFVQa=DJXR>M*HtQ%Tlr4a^WWkgz*+Jn+lq^R}D<>QU`z6?{(ER;%D{UIY`9g znKWtH?nByd#QO7^dYw+}2#YG%FUm1AVqgX&aMpHb)uA6xjWE)cb7+Lhj4>wZid)zX zO{nvr*+ut>WQ0c~>hdi*?h(^JNUR;x2n=?q%VtM)AKk{*Ac7uofs5pT@9+47ZYOW%mMAIvCp+U{g7Ii zq@8j0PO8}ll_Ad5h_^tp+o-sfCRi<#!mQ`-(0`Lu<66SylWu6sMGr$~XBHr0Ni&<1 zWMHptQ;nCHV!+rJ7Pq6c^AjX@NE1eYeI*U?MF;v+-wmBoeDN5w>r{1$#H)2d2>YoA z@U$OG{yQ;W{CSM*C-Cf&HFxx+bwLT=jB?%DuSRb(CHY2*FJbD5+-A?4j+jLcMhVOb z_C(LE8mi1OHVURoz^$i~=;gP0)--$AfVr1!87(X`T2sK}OH6apvjo^3QidL`U#M5h zI`e(5$GK4Z)Gphi%GunCqOz7|A`d(fajjt{&%A?Cbk|0m@kzmGyy0(r)(y1 z6`WdiG>dl*l(O19HaO=(3BAAcs5RB|&(_`>=kAKh+=(299|Z3)bAQ@5C6Px8Cr-EI zi=G`zA%K;~=E$;{*%R;U|y=AYV(!DZ!$Z=Bx)yR%(_aH^vILKKZC`e zf}c@*iFKR>(n7FxZbk}D0g1lJL*cRdX|L%wBKw!7MO8?}Zv?Xua#-2gU!O{5!jB)R{bnkunRMNlmoxcZ=1` zbOuQXP562GaJa0=Lbn(gm$+kTZ$Mr}>&1!AIJ+Yhas<(eje77ip!=|1t{Wich*zaveC#SD09q+F#C-9k2M6B&1h;=1rc zmf?nS8CO|$PnWYO0MkZ`5SGEy+?rg5xjWQPqFnt=3sYd?vH-4jO3SE(Di^MG^y9u& zxn>6I0#KF*9+PC=w;TWQshG6TLwQMhgO#?^aml`PaY8+QQt`pg&mMQ%C7E?^&(!)R zDymy31r7?oGk#_Ei^w;bca<^r=0ac^W$qLlyZ3Z`{vj7%l6}5b)*8K;ROnsFqk3MU zm;Q;O$pxeG?gLr`NvpU+&(NuAvzvGxwZ_iP~F+lf0eaxJHY3OwBVrv58 zyeHLK42!triS2PG2K`yk1Tre;L=Jf5Rk_91s25|Mt)?%m|B7ui*Ik^`nbq#l=NIKCeGq?-Ys_gM-oN0 z{0g3Z8zOcDN+O}GXyETEuFlhF#!UWaIooN;p1yiZq6gyI@AyA83Ov($vTu$^6oVWM}1q9)!(YZBqF>@;}(eBQS9~hZ% zl^W%pTSYDP#UJQy(|tlJv>J8_C2m4_@e<@*`TQ9da1wc zQeHd-ciw5Q6`TqBIoldtJbwVekJDOT>YK^A%pLGM;3vulVx1?KA*?G{oDZxye^)KJ zFM_O*z?RWuXqI)jvvAMLuTglUqROfw=agt-ndNS!2GjkrAq?Ge&N`VG-M0oG!~eQ9 z;Ypd2Q8{~Kzfb0R2%){KZ6=?EXzR)F$5kw^2G8sI)$NHXKFqJt)w&j|D{6C@HP&|u z0#O^YRm0z%3f?y5bYD|>Vx#ABWr(Uq-MBC5#?dzrCJVrm!tNli?Sl#&7*!2I|2363 zw}JuBE*!_ku(vRRo!+_4GnER;q41eBs#!JPW%YjP*vDqqBmXyfb>>>$eRWak`_y;6`j_H`t{O6uQ+jvu1=f)X z?weYj!oq3K*5jH?P4q#YzN|SNt~d?Pb-K-d=Q`nH0Y-)D)?*dCIuyx(5L0Oa!h>i5 
zfiPdYBE~!1EJ~MR6|8@gFI5uO8`kHK@uiEv=16rtKIMyV8bhv*?nn}MH7mxx!NR&G z&~8FJYunGeKPM^Nbuo5@G#RB@@NYt0$ESIdYHZI(LwQk?L#OD<<^Mpy~ z3ZQi0OU4JDX>x(G^Ue__2H7~6)U2sugeQxRof8U#2(2@(sexHu`mh`!KR;fdTFj5R zhuwEt`QNf}nqF_GU%lVtZw_qf>;=uDZ#b#0Nyn2)6Lw?_|ElY2_m}j{2Zast_s^%Gz8u-tIRdJg~>H+}B_M@F<<|w#f{@jl15=s{8+; z3hxGwc_V)t2`b)xh+F}zr_gK0NsXLlIOo-b1Gi9>hIp)K33kc1ha9qId~BMau=sNIx4{E+6-6dy5Z4I0%AG{Ks!mR5 zbhPDVaKvYoH3fRbw&++tmMY78_2&Hg`MG4`)%f+MIbR&kpU>3XL#Y~X{jD!lj=^X7 zFy6|hEm0iyJUcH-CLJy6`03iiLe_Q{;{)!&KQYy`seQDk&*~lzvg&ZZ%VB@m%@>`j zH-O+I4r$f%jqq9UAnDy%*FV2?=2>QZN7x^=+wFHrye8Q-NtU?~1(ZHyAr@!XuXYTp z%kO3J!+dJzwNa_E_n)vcX1zPfdGsh|#`zbLPp@3@Q#yOX=@f`Im&rba?h*l?9Hj(! zN_H#`e=3Mz@(#7RrZ7>2la;^<7@J39(#jsl#kts}K)p!m|18P+tF1~9l|>+9=O%&D zUBfdMCj|%6T`v6>%>3Fhl8Qt>b>YmXgIjK&`lCrW>@P>}H-L_l!Eial#C&RJwm0%| z&G$+7D|G+SpCjYb>ORL3+Ya*%6qXUyroB$Enrf!y>V)POpWrdPUNq9$)9s%0o6U6! z{qa?V1J6k(c?$)f;6tF$lS{xHp%S-1Esrylwb@nm|08eh`!vv#gKcJQ$uCI4|8z)b zi!wRv3k|;#+iKuk`F}oYz4T-V_F$-Uz^2dr8&ultvXWn9F_e^96mZ5tXeu4Bn9kqS znEe(#ES$3^7}lxcj(@3zJfs58&s4I^sIMD<8k0LwYUyv?%w$<3a5%)v1ecFN8(B@m zsFlvUGf_C#jGbX{9v%3mp=z5Xt%O-?VD$xlkk4&tlN{WvfJl23u*M$pE1$ag->Fr? 
zuZ)_g$GnJLzga3+%C&pbgulWU)OY->l&hIrQ|J>MHh*9v~fr*#8#lW1J!Bv>s?I#{E+>S-N6Wb!OC< z1B@}cXt64-1HxzObUyC)50-4|Fs~L-Te)(T0Ymn4^7lUK95wDo)SUtkre~glKTQ%F zjKQW`28TmZ7bp5s723esr^>d4*7R2~$8gjjg_Iy4xs6pnKy*Osk@B{}1!}As(yW~L z?uaecy7HU`kbMQOx9fNv1pEZO&y0o+C~09OOA>JLc;*Nl$;*@U@c(@#aZOF^Z}mif`UuouZkDPhT!k=*K^-ImlgKex>{8p90L zB3%_}5`DQzwAPj|o;)^}rI1k^68P*9LVaC^tJ=QQ@Y)bN=;S_lcaS)8M5{F6!csEq zUY?@-g-F+gs6l2Q(BVOb`IC3##zPRX1`9Uzfd&p0U= zk}EFY=nd6}pORgB4NrJz*k|%lfMJG5X2oB{6Wa6xHp_`f<~{RuDpwAfnLabpc{`t0 zE^kc`Si4|&)<^Bo0>oov_mjPbak?nei-{UR;tregPNku*E&np*`(AUs2zYh zXDI8w^PGvj?QLu1GfqPYMHum%hIUQbkhiDUv?Y<#8;$#hN3}HhhU}=}p;<1<$)*na zFRg04a@mu?g^mzJQ6Cq{7HnOMx4+EdK|4&bzvtVNx+IM4&>HztfZT{|7zD@em2TdM zf=3VB%&y~*_d1X&{3(-qBaTEvQ5;A{u}r2kgM?Npb1eyKtB(V6<7`x7w|{^g zdzJxDi_s_!Xd2HilnLi>g@c!WAjQTr{;b_DPyYq>DL^^k(NIkmL^a=Cw zFS*cTk#8bWz&;jXL%i6Ne14s69NGWM5j=g~i=fM7{~8ctZWV`ME#Uru{KMc2^1o7~v`SuKdBvSL+0;wj&_=!OSECU>Dd~-)(4fCij_kfEm#H1v zDE1FOKNDM56v9YnZRW^7NnF+~$%sFVHW?UC-=|3&Z)O`G5Tl%PoFJr6o;o=+&lZ_Z zU`{pT&3I2$UB%lpDCN21`-}bE9*|v&ce0%=sv5K8<6HiFi!6bH)i*0s}>Px`KE8$qI2Gh%f=8Olv1h&FP9|JD;{&xQx;Q1 z9*YXP zp#QD7CsSZH*x){+{+RA<)2gq-{Mo}9;%W&rjpFH~)m%wC#UvbQ8G_n;n}8c$v03t( z!;{-Son+>%@^|Lb;F;2$rCU)g&i#IU4By4b4h;|D7L4^Vh9WPkYS({Bn)enD#=5Pp zIP>0BtC8=!WxzL{pptnzPYr>UR?ztKJRrRHJ59q6YCF3DRb$@u2@O_Zxe?QiB*KccI~@(Fk)h11 z)X61!)dCeiVv(U3P3fPHa*eC0%?D_vfOz+u|0><^aqiwIsUkV|qYoO6?hhvxb+3;j z8yocA?|W|(9jj`4Wd{M)D5PDy9&bmrYl~bk3l4$)89a6_SWw>MO3|aq1iAP!A%oun zD6VURZbluDIiMCC{svzJPW}M`#Yxi;HiYf0B!GkMd;zA&F!L>iAYvLhrENuoPDXh} zFj{J+qelrdD`%_sniof)WRHA~UU5WA$;OutJB|MV@i+2yC)xJwSmxljVuk-IgG1jk z6+9YyX6Q2r8@lqS2MrI9wdL0XXqj@KZv%yRlb@Py-5N1}(T>@li+AC54>{p?-R=IZ z;7I&B8tNHxv$y{R!pp2AEf?;t%z@Hvk*$v~G2YEum#Pel{sMo-6KCWcfM!W)*sRVM z@m!~;JJG&z`eBDbCaVu2W$)@Rq^PKjN7j>P|7$$|f0+6Tps4=uZ55D|F6r)+Zs~58 z4nexRJEXh2V;7{mQ#z!P?nWBvcfa_1@jt^b%U%#lL`!1lr|d{6PyZHF6+)JGhN-H%g2Zz{Gh`!>MlB}R$K=UKr~6FXA=>za^Xh@l7MUKMST%fPM?V`L zA*%akE{51WXRh6J2>a{ZXdR*Mu`WBX0&XH+%5liMjAoPCfiM;mow7H2ncI_U4J;Jp 
zu3#hs9y2x>e*dAW@-*kRf%K-@5BJmh>4cL=((bG~@qhT@k6w)N|KW?wJ4}5JtQu!B zV@#c-ctF>pAKx`+RtthoE0XbG0hyf%h>yUfM`kS`j`aPLBGHyn32TFuPSCXWV4onw z;PkibMo{i|{2J$+*6W!SiPO?~og|`$^8Fw>n{p#qjw_)RK?h*=AHqB{_p|)@Cj3k2 zEMVBV&3L(;^PN`pFEgM zS!OrxTB4{Oy93 zjB5%E+k2axBEm!2X!9ej;a9$?!=kFdd%AAV`JOLsc#6UhQ0zTEEo=b7CU}YKgs9I5 z%&q&qz0(cuaq`~~A}}Va4oId??+3C{4zbto{)9~QduXf$EuoD_3d+!KgpdpVNJR_b zy&~nX{nWzG-+guVYBIkEnPmtGWoP@rHAefjga$9$NrQEpsVMR}b0x|F(PpTtb zfbIVNfYa0m!EJRS9-=w^?E9Su2VSo9ZtMM14}Ldlqj#3308MFR(ZTLdQE*o#i7+c) z$%{UB?qvOAbCz$Kt#Xxiov%#f;k;Zv?jTCz8b1l-je^cEC*HA7D1xNM{YG{uMhHXF zxQc0+q_$mruTFI{MBo43w0bQoL*LhhOUXh$^6(t;m$^*v?_VZW0)lr-H{5uxM+xTa zxXVTE*>Sb)E%%%rx8(^PBU49+y~O12}Eov1ezx6r1bOHorZ_XLnm<1Ias?sph zYc4al>~-G)Gdq%uc}6^}mJT_oDkcsPkHf3qvomfpjud`Te#>Yrr>(X=pIAheA6G$j z;2A-FwgqvpnC}S$Qp3FXg5g9oC1gkO9NK8ObFS1U96{`c#osAug+PL{%fLVwd5Msa zK*$owAKQo-qD_R%t2cN_ff^$@RA3(qgxL+vBsmL&d_|nZV|!3h^9EsIw-6wx>Wk{^ZJU%4Y52vTT>ED_DqgYpt`bf#J@1pgLBBz!%~P zh*7edkA+R74W4DTyfqKA%PCCPHelPV6r-AX9xXKcT&fTgg_eR}Lmg_TqV?kh2N|^o z4WZ;-I(B{<65=nQUbRcd;sXpdKZi}YF68ynzv+LxJr&tS9H$8>Df4fJqzO>Q`oa+1 z*KV7F#Un@L^VW9Hz=VOf^v$c2V4kZi^Eb6ueai+>_ZBZz@pGg{D=+APv}ydVP7%kZ zuYNpWDuA%V$Hbhn;b8UKYAIi2n* z<(S5Ze%PRpW<^8t^&w!PB z@=1;Mr+os)yYo!W@TrMGbv($*nN(=H59CnI`g_oRr|<&8DyWSc|EKU8W9st(`)&Er zQ&n%)1~ZKn#9LdQ1>{W}wA&)RPT3RB>lwirV zk4^NyM|Trc6A6a+U~cc1}>) z0BZWY+$kA``Q=pYQ{=-Qnn|1_dMFG-g=}?yGOw4?$bxotkW_OFxjL(h8|pprFa+fU zeG@0^)u6o%f3k;wB>8oULj?T8Yeqtlh=BH|KOX973*pji!B=#CKM=ctr1`{4d#SC% z>-qX*r}@C8;uj}$ZYvew+;ACDL6VqUy1;;xm8EXxu~Ye8xPi6XktuJ|o_KN$#?W04ek%cJmKpuwBJ=Bc2--*$u{r+rbR7PpHo;Oh{ z=?%nqOEsbYDs{&(cuu;oPcW$ZP)m`9%lsK}h;5Mz73)e_j|zn`yg2OcFET}a7~1yK z>tjWP3qTpV>zEgm|p`}O}YNT zrfcT}Ar6qY=*P#yG^?8yR3*O4e4yML)o)NiABk|@8u40#UncI9I$2L4fWyqJ ztsp}m?j9kVi1Cu8mF2oM=B}fzq{N&Ww+;lQ5A4onVA(@wZ_`CpbERWh$8F`Rjfh%u zuxfYz!Er__3eCh{Y(l3-eJANf#R}e` z5oyKv2Cj`_iJBjuEYm@9qF8lI6YB97cJV#rxy;0{k;}YNo7$C20Ve6=yL8t()E5Tp zV}(skyfrtak#>?)uTRXpxWwhwBCiw%F;1CfYf`BFOmswu6C 
zxTfJZdwjBHt!G2B_b1vbA}urP?jq(I2{W<)@)vqg*-TL5%(_8m3Nl1<=DhOiJuxk@rw?DD-jH(q_B56pZI<-B&Wxa3#=lDgd+>dI5hU>QcEavm#bCZ(|&j z?NV7xbSd&itX%ITSr9{}TuLz_IIG)W{Lv@!dX2gAIDLaW!|IffG{4HyxA2v}FxU{Y z)bdU`PO}I(^q$@?V;S3Q#UC0r7Yj#-sHw-jFT#j7?d-UB!-vRE62eyh1XvIFPkq3f zo+AlXJl4so=y`kcWL%s-AKI*jB-V+_BkMLI0Tjxi4D2cCQX zAB{E6YZC+iQkPc*EbACi`8Qeo49_$|!f}+!iNfXxiqLba`W#g${_V zBM?#>JYQp#c ze{>xuYqNXNgexw&=jtro-^U0`>>V3z*q=RIT#Gd0^DsaBakpuB!}Y|t{j|CXZGj#i zt0U(XWS1tS@Rp*QQ`G!)Iup5TUIzF<2!Qn#EwD-1w8!W6ew3hQhxZ zc1^B6YO-N;D3FM(;gx=I z*Ck`gMy?GXAoRiu&7%G=)lC*(#{?EPb!0-P!sbe;q4&=R&WchJ|D%hi`GiZ;k+N&b z_1``|7GX3()<0JT5?Ve5r2DDBO4-sQ)M*dF6r1Z${6|llg|VZT@wd=N6@pjhC;!NbY$qDXLM95`z{6k#y@RCLHv99Edj z`)0C(^OLb872tA6&r`{;L8kya7B-tVAXmdj;=M`{kG~KE#-Mlhb+Lw`H|9(vO+7Jx z@_91vAqt=gV{%fyb#Af-b=R5?IndZP5zVQBDlHXcFZ7?cn{|TDdA$u3W?tlTrnz!Y(Oekm9&PRM}I^++-?umg72t zDzLzY4eig@^T=K4ABY3V#688l`+*LQX2EUdifS(2=J*qKn+tqb1~>iZ?Fj{umAK`2 z`Ry6M-EJ2c@TH5S`X>PY72)%?PN{yD5yBi(paG7mM_u{4O1;&rkT2Wp!~7KW~}CsJ?9bT^#>A z2V16VPEEeI=v=+RTeSO~;&`3Kkvkk3vyn_2{X9~b&*an@(<|l>EqvZ%>!%fR(m1t> z-P_jF$De0%2UT)$Ul@03e>%@~)S!`9mL!+Rx)6zMW3{oGpL%`8iL<5o2Sl=%^g{f} zmu|2VXk@yP4+?%AVo)?nAiny8i2xo#vN&a%bP=RW1TsDZjlf8P0Xv&5f&wt5|3+MQ z&q4UY7qi|TU3O`@*SgayM*bMwno>BHmH(M)4}ICQC^$D)!;x-tfEeng0l3Gdnw$y4 zy&CqdTTY@dc2vd5)mv%HZu4Ahfy{jV1MgTBRLu&Kj5aDQV3Zu2ybKE@Xt_C0^tjzw z2J((MzOA|_6cTS~`AY7cTt2mJpwCUKf7KquuK!aHSxDV{4ZXYjzl@5rn?zhdt4**3 zz5aGcgW;yTlGH*IFb`AFv|`bHD41k9N`hdI0>9&moI6$>Q7D-3*>9G0xDglXy7`N- z0eE4;tK;v+Eud4eNtbYqKlJ~g5tw-zVmB9P^835FjihNoj}yRTzH~r<{Vozf9{GI| zpT@f^zrPOs?CaFZ^S_DCkRok^y2!fY^TYhS2>j+ z^BUb0$v|uCs_+qz9@xq%v)P9GjV)g^1qnkYZgqOIi-OG)=Q-D35+ZWD!{m6QZ8%B~ zkuryUpNtmdA;s3aLt|AYUP9N@GbKdE1@G@U<|%N2eS;QEu5nPHd*WK&1{0S$KjdCA z^#A+Cv$zG-;3pbzk56|&0zc7Jh+W65xY7MaNglV2z!|jSm0YW<)f`0}-AS~Nhs4K_ zLB|iKEs6PY()LD;J}iosp^X3K=+}=KA5yOLF;Z?6Gia_&-0oBwR3C*s^^qQ0x%fs` z6h%#us$IEABpn!K7kD8=OQ0#wNt`~C9l~`rVUf)qxw2HvfWJibKj!x}zXS?sh5hFW zxY0C!&k3O7Do1Qgp}G7e;D(&Oa3erJ*U|2Cfs)rVCkHEF8vWUwW3Em)akS827*w-# 
zlkE2VN0JRurC3X?X$VUkQqCeeCV9Mcu0~qC=el01N%(xKP|G2(o6X3EL0^;Lsn+ve z4Teb2=Ckc{B4uwO7DYpb$#Hv$@}I{dE~5ZYk&y0%9RA+!u~;>DZCts>_tI;gWM-mc}_b8o6jhf$OG;gC7- z)f+oV;gZWxf1|*AL-1bkP@_F{Udp2+1M`0!{9m|a#Q?C5dBnF!{3ns?5WCXNr`)ow zXc69>qY_MgKsJ^mQuyfYB$aJ_EFD?9JrQ=wS~XJHjkpuO(L5DVO?cDa}jm?Vg%A~?CxlXQDuD;y?V?+%0cn+x55!nRR%@;D$46pdb z7KDHo$l5{CsQ(k&(}?J|ffK>t63vhNk!A|APDstV^{1aW7)i3-#Y- zSvv}#;k9=%;dPwET40$OUv649LAtlr(DECXLZ>w&#IBKrxq7cRB}(tMrI9vD%S9pd zxA;Ut(#}67yL4nNC*Ei`6jY>V>(CZ$EBOVQOGc*=HpebtzVG+t@p!NDJIjg7+%Vjj z%@#*Im&6RLNhN+HW+gRm%j{PYiy6Jj;jE)~@hcO}D|;CE7-;KPtEMRJ77@O zJprn$7*ZZi%Dz5NH$N>V)bxB$<}AnkW$yf3*Cfc!PYOA=6rD$PT{x8>Y!%HErV-Zy zwJDeaMLhmE-#`-w#{2n&q2~TK;&P@jP4XQGGI#&>wt!6zARFaD$$sABvh@3<=sYM;DqRs8S7kbf}8B2el-V~lS(tywZF9!9*l1WV>zfs2_P z$;=Y?>&j!x44iF;_tB}8V&)3Oj!4xa=5Q!YvAZ=R(ZV~$OGchqCYA(bQCxWq@o#7X zf4r8KWXKH?UqHW7v-IDdZ)!r%h;N!&9$x3JH}K3e&4i}bO^CC>&H%OM@XNN4 z=+U+nlaHFMwPp(3LEX^qu52D|Hy4YV4;R*FJL0!CZo)nfPG<+k*Jr^ElfRp^9v`0i z3%&dGyl;)1OiYkf05U6(Du6OExqR^7mN`}ELJ>t6yx)ke$!~Y1s5?1E_1R6`WsGN^ zO*>ReF04eaiB@Q=I{tL9CtH0*mYP2rji(#7#}o;@B=2T2;*Dp0_m03}$qM|B=Ocvw zKeZm4%#3+J2yWA`W2 zXh{9w&5kqG_|t*cZj4qp2k!-!iQwu51<8lD*pw9)Lxqey|084@MZ$W0d%jiFQaM=) zpsPx_J4)}8M7hw3WjWzSx#*?}j3?ows*Zn8+EF^CJPiIoMDpZJs=}!c7J zJb}*I=HlWbh>d`?qofBh_C=Yz=`TCt%Q*Gm=mEE29KExf*9c2ww{4^~R&}rF6df#| zfJy3a;rtJ=Oa!hD6b7p|L1aUbc zpdPG)rRzd24%J*me8`}D<8mA;y&z>hwoxenyHUPRsqu{dbMRiMXJ3F^Z9VXk3~8rQ znUNMis!>I9LG99A(_DSqZx8 zIuLUo*-W|-5H(W>`}o5jm-OYZ`vgxgZO8s==HCCqr(An2&ISzq7{SL*@R9no@CQB3 zTCfY@(}#@2Y#)#O449Z#z`UAOlp zjLrs~Ggbf6W$Xt`W|^eUI2Ht=Z?UNA=1W?)wlVT&`ApkqYaG{<(00!!D%Q7Rk9;=b z(k}SW>v5!BNzqT=qa2<#wS@>5g3n!*3|RB8INU#QF$Tor;oFSri+4L*NjAG9Y)M;- z9^2T8>>sR2sU3jMgfUG(0~jx}c((>Q0{}bWXvWFWrzdu-;L#^|DsD|Z`go*o4y2Qt~IN^ z;!NVGg5hKo;cDQ%eoU{#84a6tq3GVkZ%9ZS%(G@kWpZ)Lu35m~s8?Si;m>VMq3~}h zT;+^~vyUOE@)#+3rC@q*S*k#A=d>jj5w*0m6s}Ry-T5acZ@4DbIg;{XD`MM0ps<7- zL~L^m&A?h~;H_>v?GP_xO|5ObrB z>Ds_p++s<>!xySyQNl0{`OtI)m9KiNCCW7ifZzBYqO4QefPCZOB~iMfEfDi%Lw>iG 
z!D(SyD~6TSXM*U11r))-m-iWCA@nLv3!cr>w^s7txzr*h#@eMsV@MGeM?0)4K=zQy zY3q@_o`+t3SnG(?Ed@EiLWie7>iva{a-$Z^&vg>OK}%PIfU+p)uaY^S(cJ2)@%^FG zNvB{SvEfkh@#EkP9ky)(3J=I`hESGg-;R9vlzc0v#B_q`0B-*!+yik9tTiaT^$*l7tU?eH#Bp|I|ATT+%&;( zppA`pO4~!agozEqfrZ;!@iWR*OI@ccyJnLzjs6`WW5PdYNOs(ouHO}(6^t}u8v z(q$8eUc^gh!dI$-nNd^yr`z$0WR4MjOqEx?V%e*H)Jwqv2p~IE{UL<==#{SSl-%sBg(Ujdl1J&v`TfXey~s-GG+f zI&SY;zYp)yv@ILeOL@U{OEz97H3tVKAmVeRq}aYKXOZ-kjwEO@D;pGl7LlPrZd6U@ z8>gkyyd?AQu4~fSyGx5Bk$xbOo#(Y(hY7=?bKdP#(qF?gIKljA4;f_P@ER}(1nX*> z5CM^@sYmkm{bU^x3mt;X@Alw~kJZljxE9ZCoeC^W=nS%MkQeJ5Fqx}WSGsghr(q1& zOC)3$ewXHfWbp4rO|8jh1_@I=3x}~MyY33iQ8=uz2QJ4lRomkVeVwB~wYK%^{op;F z*R5QM%K&|5Q|$(69bQp(Wv75aO-Z{2jFo-u6XwIHyA{WyOJ50g>=|gI;&l?;? zZMG#kIkt_~V?EYrj`>0NrdIio~8kQb*^GJ|o2OIvB&X zm$G-ZRywN6zdsVmG`P-U!$ zs2c&Zl)+ZTjOdRuG!>ygwa_NbUu|W-T;>{CdtHT{nX+?`N zF9U@XUwUC|EwDn0^c(Z6tFSPlEOwlLhSTyeNu+PWG>?T0A%Ez6nq@Iuv@9Z&q%DV=edp4&xsX<+7F+i#wWVT0^9ulcUB zXvT|ku-IjIa_s{oFy!VToX=zE>sD66;O}2x#;{Om?{H#T0L483W%>QCM>Z=N4#L#mX%l`dVKIPv)11LYHu7^v;Hpznd508b+Hviu)}!pCxh zQyai|v!xI3QFQa-2N=?Xg7pkq!TNpNTnpnaM}W?I#D3cN@@$EcZNN*ic!PvMvUQ15K_=9*5w6Lt39k+j)j2Lw|;WqVi zYI0ON`ms$_GL=C?A*-Twl@LYmEtZy&nrv^)GB8Z~FR3CNHf*@QU%|wgefrHp7H_~Y zRyR_k^CWp~yf+R7^*G;-T~?1XpD}Nsx3U}hH+`}jBw*Y7rf>_&SKTBKsI84>Ah+|t z5s;ZvR8r>cMoNgY_n7ZlpLP;G<8ZHGz=s@#sgzy2E@{|F@X5Fpv*wJ7c3j++tqKb> zZQt5>Cvv_h=oJWjC-T>R?qT2cmPfydWK=(#ZjGuAAst=|=LIsJ+tG9u1~U-zA@HJ5 zUZk+B|M+tKk0I!FpQ2r60T?%8Awf#`_7;s z_g&O6#8;{}8*mp243KY8?%gy~*qm2xPu=E{5Ey)H>UVu7YVv8^Bs6<`!Ske-7v7B|#=#D2Zaw!klH6PGpK1$z zyArw2Dj&=*a_wyojs4MHLAZLJi>NWPEw&WySznU*V*VV~>x7WGa;`Md- z+%BtYZ-J+zobl10(J4BIo4J&a&IU=DwmtO>x}7>`7JAsr0@hz&`Q&^Oh#7}HjczY9 z#E~7-?7VDoeBRG`o6ZAx`u5UNePGVDG)fj=(E28?H~DpeB)VCoJ&YraREVf?wj5q# zGV#FcEyS+>EzzlbfkzkbzK+Ob)0@?9Iq=8-fLGLzxyfH{HQ{!c@Xv?QV$O(tD&5|>B?7bFa+Pl4JH!`FZ4TMT-0)}&I0NmHWhf}HwESyThYXDv+hz*r&r8rUrQ zceo@LwvV!fE-oC@x~dbBzrPP*ue2XS;!lO7Chi`{Jqf>~OV*u2PH?33iSi2&i)+Mb zv-1pIU>H77z}AWE)%Z7~lei~6RGrA!7LlK@zekZV8rgvOzyC*Xp5EUnR6%GqQM6QY 
zdE}{oh`P3e=Dc6@@~U^E-msmTE;RJesTVYQ26}d#ctgXPBm=??X)@7DrqX3oOYMuL zM*{0uNE<{0me94WC6`&kjElk;{*pk9vveF6%y3HXm)K28MqF88w%2fEq9?xW2%f;` z1tJKQjYK;{lM8Bt*TQQHNPZ2e{6!5t_vK&uIb>$W)MhgCMG0(!cm`ps-k9vLn>_Y8 zV-)X~xAYk~{xoNF&|F>aXV9?8>7Yr~L7BRtC9{92(|S7?-Y51{2pcu)L@$u6MYcTA zbCo#VOkJ7{sup?i5vAE>)zhl0=w)n)=_wBbq{&fz8gun^>0AsImoRRHAyWw^ik+X; zM;`)*vxCuGWoW5COQ0+wDe!9R{tKxit>hJ#SpZ$h(QAo%G&Xb&8v`N{vINe%gB0P^ za_%wCEUA)T@7sNsK$c_3V%f{mH<$8HqLRcbKKyvwXj_|42yGq=At{gbcWxAEaFWS1 zf9@T07`0fr0LW2C7)6T^{V8h)|BanAJjTI)Iutmw0?B$Wwj{X-tP&sj4}ThDB>3PZ zgJJl$)USYaeH@%cz>x4S`@CL7m2w}aNhmPB&)xb#SdS~f ztjjNUTraQFx5CSFt7tt|lX-o@82vPs-{h^kIs!V+3P^hE7+d`H7GObqIPvcC!}!f8 zQ*Wi69a)|6P;oX*>|dc@M4g&2G8kOKpyb<%juZ}$wi4N=5JJKRIEoeZ4vS`NX&5q6 z?5&fCz1p^k2R%yuO&N(8*tW-YrF!S>y^ftF%5!yKPN}LvO!f_FXT0iE2}GH1nZoh#3*~O zCJ@T2)+xz{V=W)oX1Q zKVqf5z`X@X7Tn3TJNmu@=DF*1kgYa&`KAe;n=rMs&f;iw+|@itnXINZw5|;L;FuPA z>}h{j#BQc`JlGkPf=ns+$a<$TkRQNZ(R44`nWvhH@!XX^W^Zz zCBSo$dgE3cgOxn)`(?Z+fgm^Iu5cToV zu1vnHq_j6J#i7DX3Q|i$3O?Q{==r$boc#PA8BP7chbUP}<4y&I?1l5Ac~=uk6zK^>!A{BlA?@VQ`@`<7Ay%_) zCSj9xRwL|ihDtNM20`^a^}C&71{E7*-R@&bM1BU}ek6G)Jr*68%CYJABj<;bzU2W9e)(ITJX)ACiM_upr*0tJ00r^L_?qYqG>KyB-orT#w3G-HWU`RbVGflc2p#o>zd_yGLmj9<$WKh+ z2zi&Z8t7=nbgp2t9~b1le~ea=$MzW|2#Y_Fsw6MDi40m2Rff!rtU-{($V?Y~#GxP_ zT}oF9-=k!qA1e7@u|%cmFa4|ml{{@prWgUxQi5=*3AXH@m4b10sl#SerSYldz2Dti1IIRb&?I{p zPkbu^Yf0Z>U*vSet`IA70-XW-9~90ygBk(WBJ4tATw4+`S-~tlWwf&K1Ky+Rsupgl z!=p$?ugLUo$(_`9r#n{U)!bh^=#YvZ9~GaFqaJ7bS{@54iihgP9XrPGCglzw&fy*? zyAH*M9=I`d)tyyK%4PB`n8zq3g>s4|2h{^4GYKuxO^99$ltzLY)4Ul&BMnO!(uy|Ah+ z#w$iskydk~iTV|tS*@>K>yK9%8FHko@>QmPF!EHFo>Ngc#2^900r*wd+(Fq;n#0pK-? 
zi8Ikxfu73@0RLsE!hkC>*l#Io99JF{_kKsUO}Y(NaScEP0AkGOQuV7H9v7|5SpF@i&2cp zkf$1s$I%Xy^3215_Z#PM@TafZIliHVs`0ErUOjCoOqZ4N4(S^*1TnUKrtUj&#_bcb zC?wB(He$T8YZ|LU4kfO)3R{OI=vsGYW2Fnj(E_cRT%l-Rq1hX+6Ey{{OtWcx|4Pk) zQtUZ?G!uDJ?nCo5@q(tQi_6-_y-T_KhvBGUSY6%lvuO`qoex%qo?G+fAbFLFUsc&- zLgjik3BD9h`T1PPP)b2)LysrM#wUZ(;0cNx!*7Ydx}|L2zH9pg-WW;pt6T1iM4QvF z`~qbznexWP(X;#6bF1Ud^Mz0QlRTyUHX&oC50b_?;q(5}J>Jvllh?^ZKP?pH8y=)H>DADrf>K-1Te$O z1ktDgHQlGHT=^vF-5Q^GC3yWdAxk)k1w2Vl)_sw^JZf5#LDkFfi7lr%2li6RZ-w3b zT!Y>gjXwFcdWooj_txRQ49Tmvr_$kOcXBl9w!-T$4g)>hn5hKGB`L2z-n1qJeb?1> zZtuFp4Ctp?-l&boUo&K zoHP{uvE)o>uMkEv2#E=Kvb%0~8cQ&CR^|Bbvaz_?K&7@~Qbv~;@XKZ}7c!$foPW&~ ze!9>p1o>RVD;$q-n5xBg_U(rwd)+&ge%cXaL|Gl?O%m}Q+xf0)7+BNfj zuW5*`PFn^nlN%5u^n}>iR5U+L2h|aOo}r1PPIKq&95@eUX}ohY>I!+rrw5N8RvoZOHzB=1d5pOGWYTHY|Gx z1{x&Zr7y5&b)-TB9!*~a8F+VEQXypDdtvgd^Ma(;e|^Bj()%|c8(GQ zg!9^&U(;?&hc7bKDA0}xcTtCS*t#r*k!;Nuw)%BcRzoB=m8{RTM1@I|3zz=F%soxGs-~~FU`>L&n zw|2MTJAnnieo6;}mvrma`M^Z0&VBPPX}l>J>Vh{are^ca9M->MVX@c`4=|a*0v`)A zi$R$9sO9ITU+t+gNZm!Xv)^&MXI+PfA5p3(wM(VxeXEOsnmT_kRgBy~Da3NWN?unI zr+EOa@l4P^I}Mkut{i?hE7Ub5Qa~Io#9`!(2ZIR@rtPos4k+`>JCK?C(q_K841$@u zgt4v~noRHmE8sKtt*$(LDdsZB7`yNuUGUIj$LJ&b`T$5f17gC7c*5w4@83S)-6Qp%unv(%UAo zzM?5#!;_@AT~!lV!Dvc7QPJlG|K^w?(v%>A>l#8vpu(}3K7RggN45iuy6Hw^FbzlY zlO7xF9z-Mo<=d;Ha)CcrM;^-wj(hKNeC%l4&5mbu`(^2RgDXFjPZwElkp3J7l2|zc z{#%-tW`b%akZEd=VM=vnebCIiHc5{%K~IFqC9PyL7Kmk{yG~KH`HMCQy3zgL?pYLB z={8*6QukzVR`L^BIY&e|q7uS2+e>xQMk0#tqk2yUES7C`XCG@G`*CbYJ;UD;79YZE7o?A+zl zxh4PRLxJ4P+m}5FbWIP*2fm|53)tU~6Pk7RjPj62LQ$K}VB-P{4YF7UXoG9dmzGMafM0^ubRUZIT||0P?u?sDj{##4Cqkg068x?3YoM*{&SN~ z_=u5)dLG#SS`zewN+1J3s0asAl_HQ1gIM69igvz3AxBl{L!EC@sP5ZaSns&W2cVk?J z;7C5E!RPeJkE(OC|dxEtPfl$1_{HB9{<#+!-7A&pR)^ zZsxvmJHAGGuwPqL4gloow#M~j*MekN?+Xuce})VkASHXtw?z);)XDH=-`VPXq1(l7 zTd!6-zX_gPROzC9iRqK+0b--V(7Oae(P?9R0_i-H!gf28!mxZ}N{s0CNL#nLFnL1W zbJp-5^z?=n@~j_F-ZH9Ets(G6BSk6RDz;TFA2sfukD_bH&Ryb zx6;YJrh|I^ywW^pb1BywX;{!l1p(MrDv^GIjW~sK)tvWy0EDoYL9F+Df(UmAPjC$H zKER@w9vD^)xA`|^(Y7VDuF=VnB#UbQsX8=obO%qM^MAsYZGHOd~y 
z5<;z-Gx}s;@&ROR+hQ1rk|yjJkR4^@&QL*Dk7n{+=barA8!xP`g4IWht_9(y;j#3z zuSaRsb2X_n)n{Cb8Kp@9Zvj>AETn$;x4&!%X}+7zNWbs-u>`HHC-sD}4P zuBmyC=(XY~w(Z+#FkeBI3{LHcS{Z=7lv z^-WvajL(EF(h#HdVioGDGV>&)TKV61MmV>@UN%!MyulOCAaBm)|pPi z;?|XYlIO}(Zevuf{e}PTwj8P=lQ+%&giw|?B}8Pv;R}}&d9vJ-!&Lp>H^V;{G9lT$We%m z)5{%gb{BK1@8F>>Ff%<5+AGA{+A6`un8saI-fm_EjXm#5YkM^pyIbFfH&k<7jW6jo zXYLwJCZZCRfsx|(n;|LXnZCb|BgH%>6*zDMTb6L_LSxyqO8u$Xewm?hneEUhbop6h zXEie?GP*X^S#-=gyi_ypq?O@9jbjHoARy-aivg3CblE?coHtBj#dk@h#)s7a0 zLvI&1pWW(?fYSDTEIW3V5|3+T;lbqcpwat|#q)8-bf1|__+vU*&$A%LyxtF7XsK8d zznRb@?xTkNd0j~Q;iq_OZ!X~MoH+ia3;RjUJf5mf9BjBB3&?&_Yrp#p>_CHh zi8(}Aeq~JFem}Fw#eu?~V`%M672Do2WaTrL$9yiiz6>E4yh|&ZGhH-tk$Fhf7)6&* z{p1oZ`+o(t;s%JuTWy6{r5-j{C^0)$Rw{HD$#4u|6nAV4|{4l&rSeL+4 zXhv9?RZ;&=p%J$Hygr=#aX4GDP^?A3_R=sr?yN%6|4pHsQ?5cIm#^8)BF<5{tyXC& z%p8nju<&pR9Kv_OD)y_C91(9>PF7kZIh*8%=vZ84q|Y)nGRlYa zKDun9rd)beg{8@*Fr5{Z>|m#H4}0HK6Q9tws5G-=KZb7>m5@5U&Djo>{xyGcwk?jQ z$glMs1}cOrQe$;ge}pV5dYQoCZUMt6qQ21hdB_^z%_!pU?b%Svab4o$wEjiL9@`=@ zxRPfsA+VPo!ao(m*+5LINmd;LA-znT#&mFNXD9 z1fz7yPHLuPeX_HxOYB;lU~AK>lqXQOqA3^xGe^zn#h?N{C$JXMj4M&`quI1d;E3Vu zPYKVEo<^I`V&d1|?y=`b9-#Vk`%YSX)K)FzO|?VU8bm`?DDEZOnSd;gY+ZzY6IW)l z!}MIujFL2$e-2sq>OSfbV6jRjbOo%BDF?+05{T`JoAt)cIN>D7`_r1&{PN;1+emZy z4{gmqj(S{|r@5Hd=bn%kyP2BjCu}`tZikU6kxyR4O&#YbCB|Jzyc}6{>=})B9kfWX zK3@toOWbA4CR+D~CK^QA&T=<7cmF9WU41Lv{{HiNq=d+7Ybu6rxS;~eLj+CPU9U^c(-g0D)LQcHU1{lFD086=3tpO8j2uF815d4ObxTT zQbY5D2N)XhM9@2-*3xJtkx4p7Lu1KG&Eiu_t9O`76n?QwU?Prf9^tbBaFB~>WEYmB=Vg-hU8HAMrA33$c&2h z(-oEGl)!qQoMO?ZVkCbI2vyTONXLtHe0+kcvD2)S{+L*MQIco$He8*Z{&h!p|7$Y3 zxJfqFy~|gUHtdQRF|ikT^eK1|62xZXM(?9$C4(91@~B5>7?R3nx+EL+e4ViNl7t`uP?wju6uVT*x(!Lp9H{xUMO{x_F+6%}(L)H={e2ioA20Z6t zv-I(~5lS_MVx@jf{NN|HJ^AlmY!88-Kj$WYm{*l7{DSTU3U+MY%pY^3e$Y;=+dcU`zHH)~@2g4b=gUY%I-X2SDqA+4>60)0j3jmpAF49MMlX*G z>~Z}7gE?HQD}fD}wWX9r9eaZ(yPr3Oo6MrQs0KVtzXh6$x0WzbV4kljkw~Q_p=`_1 zM9cjXSHzY(RP$7%L5I%q^1}MuQcnw@QJ+DYHg=6JtIBQZ~`$hEl288hx z64%dZc|DeMkRQ>R6oV1cVN$F>ta&P_P(S=*OnIGe)&e3SqEBL0C!z&`&t|?EmNq=ke1kqT 
z9^1fdJ!ghXi;4F0BHx$%_QcpdERwcWL~lJeM)xl3D1Dk2KY@Dq>V|EZal#&Xi&(Q%kZO`bj^(POO66<@kKin@QoI3T zge0MBhFfSKzb%sbwh1>)gmr8l>@My5f{mpxrqH?Fs2c2SvzN9o-Syem3AmsEuT@#t zJ9p2cN)R}DaIXmF`L!t>R!2t-xS;$Ei)_T%q-&89G)9;ruQAQ zO#`OuwLaK~y{t44B8`2KvAq_LlJ_v?lpUqI(n3TIOi-RkYSPLhW3jk>oT?zoE+O3= zpdX6ODB3hx2weQ%72)~8jH_A^ysfG^LLnZ4nw)|om*3$??wtnh85z{$0F`JevKy+O zt9;SMi+}bPASAP^m`%|kgzWt(>}6HPTcAVPIne%Ayx!(S()2+5#cKaV9^xW8_?AzF z1O9#(lhpqx1H5Inti$thgUu0ziP$B%{d(PJ&>ZA-k^g`aYC27-DEA>b6RPCeND1af zK_3U#0KdABFzb*l3GBD&v;vvdk_A0Txy`J_dWw^@?(f9wfOKd+__9{RRv5A*=o(!+ zIWhBv&ElJ|%#sMZ5!}SzjR_l5{j@Ufk)Xx|Yv?};&B;6>3(DD)yF7URM6=Y$8p8pf z_GxlKE{gIO9^$v7UeKmePAm;>(-aYH2E{L>d2`_L#wveU9n)e&_1@G22($vH_2 z%<83VXW_x9d_HA86=w)9tM=O#L5fNIk_eF{BY{qs!Wb_GB^$}sqjZ4y~huaN(&@EhCetNC|}(HEU@ z+yQ_EK3aK=j%X-7L9km?cG)B!tQu)qTwo|3KoA3_p%ywW#O^ot`}dCU=|*m)*Y+z} zi4en<0#5Am{9Yb?ypz}u8Qjmtp^aiMra)Qp>$si*u<`anN}v?_wTDpOP^qHk^@wv5 zdoRSmj|^!hp#1Yw7?20CoF-9(XLcJM&RL`Hglc?#3*r* z*713ud3=zqpeQ|&l|UJ^cK>$eG4Ju@j`-T*UQpBU;L3>f#hPD`xb*}z^f%KBe!q3m z%lbY;x57^xE2Y0H-;Qmi9oIa=lT^W<+c|^8XB0yuM5SiZy_IqBD-orUAI%jdxF)9q)fv-juQWBaTw9sNG1b`4Dkr;*9sZT~j78w1jh z*5a$)`;8hy^#<51Ve~IhdORexMJ$3FZqm@({;r+{2ICEATTe{?14LYxtU+HQS?eKW z#k$dbo)X%u6P}XpWEoWl7IU`eOcWO`gg^kMy+?UE<}g=kh`UCc%Hd;`{Ek?;OTdIF(vYyyPH$t^2qNaQhWhE&0_J)=eb)kfVla0yyZA1)~{@H zE0`Lgg~)iMkHNdLS;QYTuM&AcB(e{xx|SLa$Gww$7$mT7s2LdJ$)gB%yGC6J2UB3@ z_UNxgl==l@Z6PYY*q&m%BT#ca=v~@!f=7XQ`gC3F{;`ABQiN|`eP)?-MRxt3*AfA? 
z_KE9)m^WAUhaHt4)*9s=ofpcNWa2Hs1?#kLwmBmcuJSH32%TfB_)GNWRiQii?C_^@ z#<=@-I}LRvVwA;^%U@;Y7`idw7dC^7V@`zvqK`AdqT1fcl0*?xr*?e0ewC7y0~cgm zhF7IxPVt;Kq;l15wW5+FFUh>s88j^NHD;(<+tRQ#LBKIg-JQy+*^sD=vUki~yptk7 zC@xXT4KG|AK2z7A%H?>VGqqHz%1`;fs3PatDoo-#m3$&6n;or?aXq)Cs8z3u!T+o0 z%%@(Fgiwf5R1>l$?P~%`B-Nz@X0m9fh&;J6gUDC`@4S$oV$C~xPL&`O&ugOfeu_-OK3PccVEhyf-RBtXq>PKa2zC77ILMl#pvriUCX=;h z8CzS-_qBQm0R^Nlqi6hGD{&NMo;7ilKqve9-3-?Gy@^LWfnK&`e`|*d*%X7!S^m}M z>W3y#!?p5W!57L3W>R+rYX6E8fOh%!Bi9F!p%-4sDq6Vdm z(3b<`8?zg86brEKZ!&%|t?FJS9d)}Fp7(Xeif7yMUdWVH&*7#y9jD%p4>turUg^__ zd=v*Z}K$k*SJ^a@&*+Ns|xYd9^=fI$QXlosj2s+i3T$Dj1QOU$E9zFD=AOs?)Kx)+DKk~?X{QFLDl<9>t6i8{q_K&J{~*Lq+UKl!7xoq5#{P$8}>? zr;W+@Y(bz%We3c>O8XA9p;5WiY$Uvj!WkX7qK>J;W4ubQ;kgMqFk(;|zzjcdDWmR2 zgfAPkjtCce$20M7ekcZm<2-vJ6&QMW6o!;;KE)sCm2{-;C6c(H4PH+8XUsj2Ix4XY$k3ufh7yUxNc!n~6)0e1Flzi+BN=~c zZEHr-bWi|U%D&l7uKaXg8AaV{{Y|Z@dBjw*vEVz08c|_9uNEHsKSe$$d*|nSMOT%aq;vdAk2(mM7LRy zFC_%(?inyL7;Z>VmR9R7)9_%bb}NR*GdUL^c%_nULywKU`&w+U*IxHn&v?TXllsyX zA!RuKo?dPBnATbg^XTHdzWb@Z_w=67y#YKnjdTUrUV0nP@0GqxB*ivMlkcgs4)Og6 zyyEp&ZsP}=Qar&NAK9jyvX1Dy51X{z51T@-uX!^SdcCt+M#`Q7E<}{*k;4M|%tPhQ ziDSIYA~6kV>s^tO|3~_H_K}J>{VS(M^rHi$eV}L3y$N&)q`> z+rA0f41SKUlZVpk6ps(&=d*Sq=3iKzqe2T-6dwhI&Su&xWD8YCN_tyUKBOnQqF2-U zdA&gKGZw4LrG{cr%fxN6@AXmOAqpg)7(Uomc6?o_%jHL+a@f=9u*_2*wI zfKI)-B2}N|2U0}FZ$I3vDD1Wl*H5-l7W#8ootl8-i)2@RCzlsHhK2_mddB~fKgB=( zS({1gpVaYY73qBo2fN3OD%^I1`tTfDgbp=Sr;7#4vfDd^ErU15uY;p3p$`3q5rF># zlTBOdmt`sT9#pxS@tzcJw-HUMZSzxnNj584p?-(Cy(m04BVCybGunDwq`R^> z_vtr5#8(>?--2H{y3TG1fg=rG=#LU2ZT-?7H>KArJMK4t#z>0qSu0u85>k9vY(!eW zrZ@kpK^5ZiS@p@5gcNFZaw^K?J$^LYrT4`;V)V)0ecdrFfvVfygRzNpL!}${4s(0X>NGt@}PSfzeY0;VuUX=tMy{uAUuXy%QJOA&T!=OoI8Cl zZ_uSC+QESbW$R@DJ%v=j*Hb&HDD};f>`NY0L2Q5oMY*27OrJ`0E)Ui}oI#5g1&>~d z+at9|A9RSl;j#G?7R6QUwm<2esGUN@SH~?%=caxsSlR4>kBKqR_D7hIIBP-@zt?)n zaex0D9m9?~%ze^_$kDA4<+A%Pclm0QXQ%ElxGUq=3G}lK!A|v(UB(DiU-Sd%^TVKl*NomE zHI&RBQlVdT{gX2`iwxI`G)VajtsHjamHY__N9>1BDf2vEXP3L{2FU_Og!7}1;1f!p 
zDu>G!#bzwqsG_5nZf8FN?;E!DG%j8y^p3T<6=~9`OEH8$v`Rm{M)M_V{02M6tvaUq z@Y?P?(k6X!IE(DEcCZ!csap1G8Ay@xIDJdfLo)<3nGN8|VEFET{#T0o{lWpa>L$@R zagivkII}c;rt_*HW!gT=*pNH@JiWk$>nBX>HSkdw=f|&j(5?0j(u8dLPbaxXkA zwo{#Ibf(Zh&VQ&-937-4+#-ca{nHG{kdM`hrx>%R3Vhh58d#FD>X9~Gph!d@8MZ>~ z_`hjnxcwsbH93G%UU$E}@eR*c`Hv4*Ajr|(6&7Ov`LK0hF&LQ8d`o;&v2w?sdKZ+B zR}*&}UoNW!v95@R@=Gcs3s<%Kjv1YZqXtrGFVB2sNS6yfVZ0>}?wQojK87DQKGc;<)Ro@Py84Jl?$SF~%UA26mo=+1*%8RX0$61@Y8_zrT>c?4U*J+2vNbbEq~yKyt#Ggz`Ym5KdJvm@ z?&P?UIVL9>L|$0*jlcpNHTI@fzGx9_NZD)2P=|h0Om8I^)XT6X?`dPt*BS1oPC3u5HFE`F3>sJ}mX30l&3m+&6ih>h|kD|oym;M}CB1+U`~p8-Vs3Z6L; zBJ@&Y_G_``FF08AC9MH{mB}97`&hNLAM5y1!z$Vc#-Q{5Nv{VdP@Xv+ihMD^q}E1U zNs!SZ6z;`a;m0^XarRoJip8wI{po(3?F_-QbR~?7hjU1(9cIjv?_}tX0w&6v-eDE- z!G>7Qza+eC>zCeD6@*U>x7U^Pj;PP63e!Dw84ttYgpK?*(hr13auGu%(a0M;*n=~S%C+d}PLOcMVh!`=-gZ%?3d(1o!K!l&!xL>};Q4m=)$ShB z(=lIXe_a0w&y?<|znA(LoG^+naPGOm>Dq#~wIEott|B91_Zj=$&5|7S`@7!DO z!Z>l*%Oi`=Z9}#QzS60A-5(_3k-YSw5vxo!3GTHR`J?c(DC5r}M*JUj+;})qw z%QrY7@Cu#cn0KhQVO^hZkkVaa&PeM?b%Qb4ZH3XN1nWxWV-GG*5sbih*qG<|pE8to z4Gn(0)JAhFGs|AYPh2YS2%e|8MucGCCe6YYX+Q78EB@H0$apN!M1@yNnS!k5gLOP@w3iv2GM_sJJQrEjxaFDTk-F#o$}6yBqd|IG!y>}%-qYk>ghs7zhuE3hO#a&B3xRrh`*qZEk?UP-NJ)9LJT`_ED=sP$G4Mcb^>lcfr0 zDoecuZpb{IMH;ys_vSfIt!;D0`o-4JEd*1y`66(1vFAI)0D{HtpiJ0LV2rkzFE=3- zcHgtiDUFT_GgS9Kwsqquih0AbT%xViRZHFMBb|lY-fM<{l@*Ax*CKoS zoJWEl#pwLiV-IeJJ8&rk$N^+48QV<|9ZAD!e^c zwEUm#t;GYho*2O1m)=p{zXj%0=8ROXZWQ=h&n&nb$FUcNJW3Lme#)y^fx|*+o%lH4 zwOY^Qe8^w7;@R?;yY9BusKKjjxcZ*j;=GP2nu+XU3Zq!xRiTk7%XeIUi~V1^%QhL zLUiqYx8HysU{Y{#(E?ihR+@;6JVQK%a^+~l6POi)$jS-J_b!5S-k9OfcBtN;xMM<= zXN^2rU!5ej7D;A3ZFK+i?3dOh?LyxYIZ~O#N2#GYx~>9hX@{`Z;xqYNIX2s|K{>O! 
zDic9uJ0l}EF6)T4s<2MIh_wsun?ks#g2j{Kg_g$6?tx4S5!WCNA(c5r3LQ-eI+pzn@}E3$f6gXcKJjxj$k zA|-qbJ3JVjd?tT#=ghzO1*4v?#f=Ny+tXx3zipKER@4k1WtD`N8tY)QE*+fQL1=J~h$#h0#oA{aB?0a88gP9#yUTsB`6yy8WDP>VHCQyvA(UnVw|g_LjA_lxb# zvsk_ccg7Cqlzz-8a%>lWAjcmsB>Z+5pR~E~Z%L^(1eJO5({5o*7e}D6tH1#H>zq>G z(_S1z-t zti)x)#Mz!yo%fAvckFwAV?FewP#2p|B~R#bsJW?HQOZbCDaLxQ`H?$peCXQ>a&Rc5 zs0$TXkZ$Aanr0L-QJ;1&*;%E`fz(sJ7jJJ0;6#cS*=VF-gz;_b;-Z;&^G4ytgFuoo zDu5R{s%Lf9YWzV(1G26oih>^AQ#VMKiatTXcN>^@LC~+Q;oyKa^pg*5^=Ev8ZErD1 z{raP>k!YD?>J9}Owl=6`^~3K`n;E7Os161*Uq0w^=gS6Xf){F+#qT}v^0wiZd&khd z!GLFRw(QFdg$Lv}t;s87!05(SV4Mu3EsiSBHY28_q@u@Fo19+4bwpB!s~Zcp3cym( z2g>_y%f$xB#FaJNzI>?gJKFDZ_IrwEuB0bCsN`%UnZ>iDa+Z6*#?g#LNOb>I@}Xz z<=$`rxHun}v(c!AWJm7bN^%AKg>5CFY=Ij@ViLN%oJy^};5Jr7uyvP6N-uqczsR!> zN^fPR#hooJ;`>(81msM$rYo2M<#E}_5ZcLUW z0^~A=sM!~^&5abycO-Xp_BC_k03Oj<+;vSV-sButaE*73(TGeD=G*<)D>38JInF&v zvHA^$jcx%_HxSQQD@82#i)KP(!&b$fAXvrNGhOb$K2=qG*`cTFhnU;c?@(L8IFC*^ z{W~A~8YkXr-*u*h``WclNnsth@Lv*|hL?*Ga8wnge!-m76HEKSEp+wa(7ijA za|OR{`BOTJijozprj+tUghfdn5ng7ex;8_^==nyjwN1vii_;zX?n;H0R7dnB{>3Fi z4|QwC;Jn2x_iPvFqK{6~j(DvVxrnE^{%(VX#T)EPCT^Dg*6IX2-qo@GB_@>k$BY!^ zZ{|&P0sAuiBMt4&)oRPtcy-WO7}QSPxju%b(LqNI&rGqcPhm9?E!x=r0q6z3`xz1; zipq-&EFG{Oh*T(0VuCM?{#?nn&T6n_$_~HVRxaRlI3K))=|^%Tqmyf#&$ZtCR572K z-j1t=c-J>`G~=Qq^ck^HZS|KKF;{Obz*F?4t6GBP@cV*sUk#lPszMk%>)4+0hz_Sp0HQNWK!L~m7a@t7ud)Vaa(XZze7#&f%{$8 zd6kRtg!O!$`LQwh<*5Mw!{XmuKMj2^#xq0s5*8`+v3;B_T9^_n1Kll*-JnGbx0FKvcMfN2;rjeMU2WhN+zjI-||{0P_5!^_6Ju|lx=ai6`G zX<(0Y$FuN{&ksV5BvE(zkksZa-vTV}9{_S9-sk(j8qq0)-gJ%W4eHqFd=b8HA9h%1 z$p-c0u1WiQSd8=N@i8IXYVsZA}`-c_s5Nk@T(d#2iVL}1^cw4rW^BQJOPiJcJBa}{hmT; zv1xY{5lH6q@}ea|t7wkLRFRHPS(H_$U}8P1i(sr#91sNu~E6q+2xt| ztoGt!mDXGFZA*Zlb?B0>nTCtXKlS_*rSEM$;z!QsBcYM0jY?q+I~u$zEL10=`dY2$ znNlqNVsEXx4UMCy-iB=#-$iFN$&`D5-Yz5Qh-U`Vm0kA;6%1>KwULEq~9pz2F+wKFmt9s`5C&&B+MJ0s3f$ZlYR2w@RV28@yGEgZ1X{hjhOU-xo^D`~ z7q(|9)Bbqq;1vXb^H=1-)<4p$&_nvjTN-%{)xT-Uf{B-&d?|k`pRJeO(b5b{wZ9_I zjc|671hte~-&^zPP>@=Kp>OIR5G8ShAsn?W^Q_%HE%rlxj0M2&NS~WoQ 
z778?&vj<`T3-D?R#gJ-)yuf!esPj4r>sAKbINn|R;?dXT%4Vnq=-Lv$hjE3R8;IR?nxtty1li}whZy# zk^7I6K>s}l#TF2`|J=B6qm{ydCzkv29L5oTT$`nzxm44u0i{Lf-^GIG+z>XiUlu@Ro+wu}1aa3>uq& z1xwizHs_Y@cDN-7udWC5<-yE4s_n+&{ju95+q(iFy~q20=Us68s5SIpptIol`IZ)i z6Y8?DDc8gE7j9|tg$Qvw&-KZib|aQAYE=pQWazfK;{#tN9%*+QC>>sdOL^>eZji;l z-vVCLuhYh|-@M9e@#ueRo+1n2;bm}LVXR$~R?|45C8#v}dN(pluPGa=t|<0W-?m1$ zvySHL|HW0>5!~u2Hp(64lJUk9xjT8&_08!Q{N)M`V5+QOdQa(Y*gX5B5lsH1CSK~P zz9Q)m9+j@}q!gs%N_|PkbiSv+8TSgdI~b5IUVxHO5tUnG4=KzYC?`R@bOK^|7*H&z+;MgDvTgkUOFC&46D8!T&{()jT7DkPd715VkGyPRr6L_kQ{5US~s4{s5@MKGLsm^ByAkq*1rH7+qX0#c;Mk zv!hzpaT^hG%FB%ezH7FpK&3QcSFlP};fJyKvf*hy80CJmV#;}U>REa>1nMI|WEjfN zeIoAE&6qN5R#-k!vDC`B=yPAcFjpTxD$dy%a)BJ-3po zI?z=_|M6?If&EGs%M{3MHR@oZg)K!EpvRQSof-*-|O z-W^PNpnz5G)$|dZ4H6~!km|>GmjSQ?s&gjK83V=VUWLye-ZGF!*u3lETQoq>AS}X< zkj!dZ*O6AH=$Y1>a(X2a zSA0xE2N=UHK~I@<)B_((?~jg8$slItMq$-OQ4O>UDJLba9RleUxplSsfcDPzGkA%a z?`0&UOY0ZL3gvqDZe2~t?@xX>%aR!YuXB|os4zvbgJfowRf&rhPI0AC4}HtrDf_`+ z?C^cJAwU*Z_C|2Zt8s$yOktM=;AcOyDA8G}=`L9XfycaigZ>XtkU<+b0foBJdK}0H zUK7^5a#^N^_<{IN%fc_N*<*P!xx>bJ&+Zcg5@`KV8bM5#1u$f9DJB<^I5uY#lRcQ; zr(snnGW;#u1>$eRP$)bI`oUcwCNB6D!hvvp&foS{`i3x8?B{;%PmBVwSF;+uY4kiJioT4(LrK4}8_h+g>a7 zIVNvx;ETTM?s9f@u#Q%D;y7>QMK=kV20?{__Wg_~e0{hgcBK{|s)Vv6(E+J# z>4*2lXbu5Y9<-5ER;ZJgcP+W}LG9xoN50Ma<{r~-VoHb8c(*(j^kpg7xhAcFai0O> zQ<>`8v+JGljnA`d!$af4%RtLqP?)LCTwf#BJhQ&b&fGaH3XINduo?yx|0YB+e+-Ly=J&gk@R^lErA-XN4axn=nGU+Zx;K(yiD4bab*od9lyK#|P zxCpv~>xI=oOhdR$Ed^W1DhxY-{Sis0v^qs{P*kEm3fXDEfuAJ}qvQ4cxi`k^oMm3@ zURj#u$Kj06=(!QUkAiTeJF?6}4w8)yOv3a&ZG4t*hWqEv(?1tfEcQG%dZ_*m)d{vD zfA_cKQhM0OdXBihTZ2IsfJ>KWs&t;n=vsbAiO=pxG??mk)-SDqSR~s&DDRVJ$?uEo zpWYn|4COjNKWeC8WSXfA z*H#S+=9JJJ&AIrwi~Y-lZ8Z3Son3wO1K=-cJpN;qE3QnxK%mdSz*U=Tq@IyKJo!ykljf2goWU2jp4tqH#-l@m}gj*iveMC!lHnmH>&sXeqsx z?`T$B@oenN$Vwt8>yQCS!+&I+=PwFh z6s`4StHnTd-`Z}kwAT(Jj9Ik}JDgZCOI*!=t z;QbvueJG50<(*<29{;5LR7o}Ol`6&X;o0q|9bzgE-{Wc5-hVg+0SQ|ryJNq0G&>-z zuc1j%)@pq~;ufvO!clGCxC}4Ukr0q1?ma(`Sg1=A6a1!NtUwXgF?HHC`F8GXey0XI 
zXqJZ2E}dKsJ~#Frq)nv?-GkD`CS8Gw8h+1vB^sDJcl^>f?SbK^1u>8C=MwRdmr}UT z{mkQ@*~ksn0my2K*&~&3NX6+)OEKkX`&Tazn;vh|Gv~%?*DAD-Eb?Vc&I5RHt1?ku zN&CWs0D{;X>drylLxX%{WT`>kH)eVQbxs`&I`$h9LIX>AIW&GkPjo*p;)>Ly+s~(?voXph%WCrMDhkr$#@M6F7-w0`y%PQ4wo(kX#y@o5& zF6Vw5k+T=OGt}p2vcdS)!MlYh+>?hcS`n30~jo;uSaHh-m^drryU0G4#W=*w9_5RFZ@q6_6@N9J9 zb$zL}ReFzGg9lsbpPTf=E8{2as>kSWuqk^{z3s;HbBk7il~2ld>^jG?Yo2yK55_y~ z^`00VR2??m8(f1J{`9I5dj-0oXOAfMNy1qK*)6xrr)CeDolpYBns~ego9G0 zO^J~obesW$`6}1nw6X@M4SiRwUI>ZPyJTWzfcgCkWhwEK44bY8c5!$Cy#bOa+nW6P+*;;8>iD|-^QY;U*?k7--j}s} z7F(8>X|dQviwA}ArB@(G;CYoH4AEotuSMo|51_Yl3`?v;B;G{&UihE|d^AH3Qk-)C zl0Ck$Z@7cTUbMlEE;3<)#2@+%Hfq01>KB4z3q1KTi3K@lfQ$YQy9|zk!I3_-(m+ej zviCeFVT@~Jd*Y*wn4O#Pk|@ZUy`A^xS(WN^COntnNTVTFV^ULJb<~e zxX(2Xf?gJX?Apq(F+y|u_KyY0n9KX(hGs&0nz$;q#{=cI%urewZpBy%D)o)=$MBLq zChOGtj5JLR{0i~C!ITI9a&-A;wgmfCg*cQqlA9SEA3!4eAqYak)S92gH)@^1zWWlS zb{x|Pw3>}c+<9+xR7LbFaDDUh-VWEV1okw#%LNyqZ>YL>SbVkCrrIO zSJ3`v4R6GiAITVe5Co%XiU1S`3AT$DD02%rxDYmop8W1@Svc^=|2{hyx>eUzQ5)Eb z5ETskY~*pc*}IXQbt+V-hwD;(6kcyn0#F7~ZK&TIJ$gGL6a&Nm#H({WFyI_4wQAGy zD3Xk5wXmvEzsy8hMI$t#-N+5mqRDDQ6$Drkf3qNf=>ILCdJ@VwhllMR@9aPTK=jjb z$h`y#&LgAo-+t&sIezJb{VyrMIP*P+w~_qwR{~;`hum1hkw2dayMbNGmv$jRT=c

Eb;0@O^EcR0=B)$I*xA9+RVn?)}V=mvSB*wrKkBQhVewL1gFnU-<)Acht?FK}ZC z9()Ve(@UDMPe->zKhfAL@0R$L$a+f=_vY9z4$^E-V;-aww5Amv{&`jlWd?;%-1i3tl@G2q6*%g2Xa1Nnau6c~fm^*aF|!(QQu&4cWr6xSS%A?}V?Q zL!_X?=d}{d-_lj(+-XzR{26KQ`nSQOD7ZOoGYy+45HY=hh`AU|yS#MPs$<0cYYnme zN8ZpGNgVvsxnlMuqSFQeeabMdN}>HL6%VKN>96?hHOMQ&pXgq1;=AORw6Kp^pW^!B z4S>y!54j;cT?Q)3iAutxE@~exLO4m0Gh!YEW0tCd#Q_fi@4+SuKj+J&%p?_XsD}@`w`q0L3ScXp*UfwQ+ikYg zQ*vVns=C-IIchW^6)51xE)MuE;vH8Up0p|Pc0}Tc6#q+@Ee{RpIeB!l1dPO%uxcr4 z)FTO+wR|;8LL%CpD2m;qigdu1#DBXo4>SvX1^o-K;cqMNNFhX_?|i*tybwl2f%53r zpg&WkS{&)UBh!olxxRdcFe%a5{Yt7SO>n>)a}w+0{0_4hLmDOwr@xlWqMwHV-`_J8 z{8(%5hK(LeZ9mu~5E16^`F$|`8PH(#mACFf10}c$H%dV`<=ZxMZ^0n(GY;k8LHJMA zJ{!o~&DGz?dASG!pEIfY7hDei3mW!VS11n zddrD6?WtI6FC5&%4A{IEIeJsUpD3GYyoG1kfhrtE4Ee)q(%libdi`1n>Pe&O;6~$I zAy|_p`_bi=Q%EGAhX_JY{-^DM@Y7}bK+}o0_R+5Z5wr~y84-a`OhG2qC{~PrycnEM*k-wvU1@1=maBA-A-&f4Bj*$jSXJr?w zO-<6ZTqZ`%lPl{3T+{V${2{#!3*(gC=u7-ex-s7_lP%q+GQAmrNc(oI0c{!yJAJ<} z0uk6&;X19vJI-37WG1lg?&#F>hZukdKH>w#0)FgT_Cqo`=kS# zGSclhu3sSJd(WP8IWNbaxB274DDdEvm-lVh-5;C*=k}z9&?FY_w~b|ClCkiAOkHJI zlwG%`q`Q&s6asFnO1L%Zl}>lnl0-LvN7pK5rKsoeJDmoNoL8@chQzZ(wK zo4%`90kdM5n2BU?rD>x?(Gy}{MeY>rzP;8s!sBL)rHikO3o_Br(#7A1|4VF2gWdbx z9++2bD*>Wn-;m6>dX9v%8R0RWKu{I>-K9F&H5_Cq4#|F5pv6ZP6 zFyTVM6U*PYpo_BlZuS6T{r(zQaUwEqR>;^9E(%2qi=H`@O2Qbrr?%!`dPg#7`1<8# zB^dB_`f5R~Sd=f?g7W8>xcw~52407r-D|`}r41_yU4L$CpNnWY1n5jlvr1e~Cx+dJ zgOveoA>)e~n*qf2SEUmsZ~>ZUdiDWY{+;Ye*ul#x6fkm4sEDy!4?g)mq9?G!So_lB zK)H}~-dk|zkvg)ouFz?(d437VSAMl{FI4uuIjUIwctl2Zty$`%LZ&bKXR(BKbXZiJ zX{4?s*m)x*#&Z9$%fe|RAwV`-nt`-ghb0YM$T$-XRy_#F4$8#AMS3wzB(Cd2^>CxK z5uyLW11vn$fwZKL@3)&z#5Lh|xCV~IL)l#cGf`Fi##YzG0t5Y*B9noO_cm^K``pK| zD8Aawy6LW$0*`l(K_DyWiIriaX3+eY{_x>rPeAc8%RB96LLftsE7bZTtDf}M*Ow^* zS|9^$UtwC(S9=P0VI_p%%Z;9)xESNcIR6pVNd>{OZ-juW0ykET6G@*Ob2@c z;0?b=L1<2I3sP)r2-FQ&R7&Ak64|~|9W-amuO`E7+;TpbFC_ztMFjYGfR!56;$S{VEJswze zO~hnXS%=EW>`}}A9x8-$yk{wHYH?|$`(s5p$8)vyoz%OB2^%2MU6uf+<%urhBbbwJ zgQlO;euV(DX=#Ep=UUR4BH?J?vj4=GKhjD-4I3l&p@Q$d%VBs 
zsSeIy3~x(2Bu@<_NT=iCyxTi%ow7M3B6f!kOn4QZj?SjltV=jxY{FB=t!H&aOcL(y zlI0sn3mO`6L!j4ctKr4S_Zt|8CbmkP5Hio1(5rGmm+&$qdJI9h$d7MB&t=q9fq142 z^QShzui`_b2s#%Ho~?8P|K^_=_k+Hm%?NnXS?kIrA;lm+ zNl_(}9D4p51j>Kc@|yPz0R%fjfVIvpd(kq19A#=CAcEn#t#@onq3<t**+ zd$s&J+0jBWb=tWt==3PcRcj7KFRH2}Dvp>ylGlxoPcS}Wft?NiHfffMRTFXSYlO7h zpy3;pJ8c%t5)SZm1NX@=AOYAV%{4?2^*~gn2lK%{CR~(an5-U7K;Di4_AeML;rMD8 zt6BM}tYYSjj?;MZ?I%TdxmH~qo|_XgoSi5ym+Lm&C?U)kk@nqF=WB?${6o*qTiha) z9`AUjT%A8WK#8oN0(8Zq!-qvjUgQX~?NVFr?KE)@KXw=epi@M}F3KA6$|S79BmKvP zlm=7p3Mw$5)>%v0IyD){Gbqa%;;?S|mA6|@SZgMII}4lWQ<$EzYU?;N`?&Yy>{*a% z6XS?Lf|`HoXC21eY2~)A0GVOx^jfY?;V>_)F5XrsHQ_3D)B?~FyLuum+`&i@wbXNs zn4lt-jjK6iK@m#49i&Ru-7<9EgIZ1nXz~5)666Rw7zaxR-l+quU65acb$PPDK6nzf zcCI`B`WK7a{UdP!%eihTO^j>Qcc$TaNck1hyDenA^m+eDlf;zQh8M%bV){L)fMa0+ zdLD33UGvLbY)ccFg8exNW<&`#lJunDNSz`%RI67 zh(FDSTo7)`O{NjIM$v+0t|dr>5dpQ73Z_O0B()WfV`iX(8&0b@a3)IiA&^44h%UUf zi$t2HGYjV*l3a$+lG20M%Gy)q7-)UXDX{Rgcf4zA&_+2_I*M3|@)7M6nRMYzM799Q zmQ+yY*Z%Hd0k6p=rM(TLL)w$3Y(%*3(5c{OOWX)gJ0S?bbYzkt4Td*0pR)wYJo)JI_--ki--Yu#;)E-39r(!Md?V~ zU@%_bP}0I{=p;a5g^-2<#&fcT`y`13|G7+P)RVZ)fD^2uiO#|k9Qxi|Cwdq5rPoO+9#XV-w7ul@Rv!di9ck)~P?!=fwz1Upn z%%*L*1jkwxGO25UHSwM=@>`13v6~2!uaD{L>7(6B@~t0T5vQ0Hz@)MMO5j{{9YJ2S z>cc^Sh3_QG-}qzV74omd&46EcV4`$8K=8<_Ha2+Q(h~U7iaz~#C^|&b+toE}biLkK`s7BI zcDfOP;$}^jW=#LhkCWk$I#m@Y*)Pdij2SJ5e#gxc77WBF6thhWLU+}vn81-+52Qfm zW?Nm4{tGol&|1L#0G{cxw(4^EsU~^=0g64jpJphBFFNMX7T-^e38+*qKP*@PLWbmN*jvF@0_v zt;Bg4 zSVr!Qnr{MbXdcr`tHP%E;JwOrW)G{hemUs1rnRkb<{Py(-Crnk78ImH5bbexZB8zv zjdH8M;ZLvMK!u2mY_0|9;QC!ZeOgL0y~Nco)#HD+T0T{zV<|;R3Y7}^l@Iq8&&^Y) zER1E}NP(m{(aHmP$mlY*G>Y80gbsF7q-O-lL4Nd1Br{}4@!VS&TWEsBeeNDVzQ5}~ zyc#FaM|#1^(rpxTIksz5woy4?zw(J@&z$GAK`Znmq-ypNTd{Uo!)&_$g!0At*NqEd zS43Ntc^OW$tP2&EIX=+E- zHrMosxUXgOJEWkEdC)i%4)!2c&QxVjbsG^8j-QvBU ziXN>5Q!%Mi;K;n=xtcJuDhQs$KvIlE{Igmu1j)|_Nk1@$Vn2POYhQz*D$P~C|1qzb z+BC4x((RX7wjo@7PyF~)_+<-Lf9v*F?@jz31(uIfSguoU)0+F2(yc|0qi9agks}0( zYN1wKTQvba*vmCFiB@tVzyiH0?uf3ep^1$}nWPa)4zmlxTILAyoN 
zI@AD}|2o9wkl^Ip2#7*UoFXU7D6<@5gQ}8hq&l3%A)oBvpeF7R38})EFJ!MF;}><}f;fX&FuyOk)-FAh9EA=C}YtHs;0HUPU@h zkP5Stm?AEwW_y+~HuHbR#+miCGZ-AufdyBu1vNB#xU}f-=rcP#yj=emr<~a9%RRRS z(b1Wc_5|qH>4BJKI$(^3hKLtqoh@DyV2APYvCP72+2BU%VDGT(o~Y~=I?W>qAFWP= zV53Cd520+xxrFha7AV`640TQL0b&2IFb#Ah4ZloQDZuA4H$^gL4|CK3EyiZ6U0v@q zY@*Jn=I3%B4zq0J4j~Ks+ck6FX7LS7suy3*7N-kpzuRZhUVzpi;b0OhL2Tbo3IIlH zOvZ8@hPA04KNZiSpi1snk4-Kkljg4YtB%rdUYWN)ao#TWr9)iCWc&RRW7Zc?GF1ER!Q#0Y-j(S#uG^%2^~t8bG2=5{#;*R(U&kY_^;$)ue=Bt zLcq85SPmWg%ihmVzA(oBNKyo)sQK>6(0X{6hNM(U-f#LX5`i)ALXPq(r&X@`_9eG{ zXAOQp;xBmw#|vTSKLkkRoPY@+lI@UD!j8pj9F|UY2p%J;XgFb1YtWI7xi?s+lu^Of z`>UQt63x)ggC6A0Aw^DsIfHrRk$FR^hh+963Fu+?4d3-d7!>-Ky4@xD1n z>XTP5D~;DT_qu|X#N+T_-`c2+YRclMkWRU`;_;pRpnKGsST29B$u{EBe-ths9jv`;#mZ@ev{g^r6gAZnFxR62)*N zo(B${Q(iu<!_d7Olyn_l@hSn0%IXdPurNuuRYmK41(^0n!SF$yI(tgx_eqVOz6EO-Glzh)Exi( z2l-Y3o;TJXqGV14J$Gejw*}6#(e3BD3JW*7O4EiMum%Gd9hyymPjG)Z!o<7kwTQRw zRp7d#aV7l}#Blvn$omTIY)YK58E~*;F2p4fl4nyHS5>ygAhrqwHgIndS}ll=+4&yz-gcxYTkld9&o1$+pv zmK3kLP5u}Yn>{cL_>hDbDE!79iDMzcx!2z=uH`I_4dFmrlX;BdZM@a^{vd_o)&;uNO!%>ErnxCjvlVV z*83|%Jtrr#d8K=OQ7g2!C|t*%lfTu6xGvz_-wLEs&2pdsae3{4G?R&l}kB zVaf{3LP9`2QL&P|RVi|vK1PlL+P2r@0mytANSTR?o+JnB*w}x;(2du7p+*)_A;rtF z(`OJiwrW{~66GBkhkAx(I^ovCdV>dG`dUJQ>~E{z__ zvHn7)J%@*|*(cML!!Ln zOmI`EEOdOma_N_+Rt?WynD91r-lrS&dsDR9WjR|oz2lSqT-)octFDpdyvC~ffeJv zOthlF{&-)cT2)4$e=A_n$-%QAik3J*u`~ocS!@7#Y8;56I9jLi&hi$CDbxUvt3Tz4 z{_Lx!=11HR<>Vy+t4@TTBfx5@)ryS{ZqNqPvjHI6UiVItfiU!;!#r{!InPA`e$tU} zS#;7k2o=Rq^CR2_5~2TV_lZJ-V7(52U@cmV#N@#EhMPk}cBQo))8v-yC0RrLz zq+gck^#Gx1!2F>JD@y#l2zrmJI<^PkAe(OfGBl@$oLDT45^?8#rE@%OuRo~dty33oG*sX27t2K;~LOj?0`2%9-PC*tugP2_P9U2OcfT8ILr+9|NGxApgb*?ND}bCy(3Uy7Ws=+wHvW3dc`S9A7O+nULyZFAjH>4N+8HqMuZmViL?*k8L@uk+`YwlV;;?&B zD!w`@27N~A)`-_;7NQZoR%_z%zAh|5W9mLAXR27`2Y8j&(U|HyesH&;!mWsI5u~b$ z5-A?nRD>_ci>VX?n>LEGZkLU2NE=Zs>m?nhMihExM>jX?1AEX=q5(-3zAh7>+=D;>YI_E55~sPHNnP9@x4Pj)y&u`m#+2i++)Vtq+# zct&B1UPs2hEQl9LWK%Go1ls~`Y_qR?X+CH0utRnjZ`)O6Mk(Yp(y)CSRW)GS2s`Eq 
zm$CrR|L8&`eygyI#HygudJJCMW-~AALVYg^A~d-G9ILzVhY|xrlq}28v5O*jigT=i z+(uELQYN3p<$93b`)4g%M5n~)&cWV9Ukl%$s~(3}e*kBFc7yE`t49RR z%mXPW?a1Sz97k6mXlu8UId7WYxs>959@Tq3kyv`lezilg*FAFpk0sDe zKy()J1La39Jh&tSJ|49jg9uH+jt{Dn{`|Wmk{O};7w7JP+^OCL$4GXXLmQNflK>7-x|_vf3H4JmA8w&TPQs0Xqyl@NN<2v)GSUW3-2Xy zRuUk>B3`8#=B>BhVDH{3vyGFRA{*%0DVl-DglfcsAgV{j%r><4{cpkIper8T=*=DcZrE1e_9cwCB9~n>mn5vW-vsPI z29uBKht|I2Vb*zHjGQ}H0+UDz6IMR9(rsDr+S|x#Dl`Y&UYnRO>A+V|skeZce_6{m z!jEsBkPO~{?TLpI^^7ox&^iejp{n(;Md$fw_v1|NPXR$XC!8JTWou|54!BcW!izF7 zUdqnTQMer>Ecvr` zT*QOO_TQyWqMqPB2b|!7)7LV>V9n9r>3Jakq9Tq^#ge~!Db#AbLOYn@wOjavb^lI4 zu1XprFORPEh%Dnq|d{q2ZV=Wd;in}2I664!~Uywwjs`8@!CqwbB z+hqsOx_e|ZC9v!YXb*k+lj(YwCI!xPnZd*PbV9ux?%lxR>)f2aiyY9;t= z!0}c6{;z+~#0;9I*NdDc01QpW%Z!x=><_t@q6gR$AB$X@F{2Fgm5mV_4(dPUH0-yC zEFjTa!?LE6zcQ_d_RJkcf*l?oY`NN_rynbi9uGZSypcJ@c@Z-AkPSwG$nqPQHl_D$ zG6ZhO6WSu{u8CW6TUEl?26HskqBJ>xw*R?jqE*Hxq%}scgt@y=w+SbFssS?Xntl@b zqPLw{s;`ftd?d6u#GIx0&R45#CNXjBzEsx3!{>WwdKC*3d(ggIGbIoz&|P{eMrQ7h zm=lFmvj~i}-N4)%+7B{H2xr{RMkL$$cb`$%5f6H-^n!0ikBJflnJ}_%9y*0v>8bbv1$zehu_%Q47$)-7ZYiBsb0D3KP zdh-(UOwR@+dn}lF;R>u$cDPK#qBR=G7nf+r{eb*pGQV^u*oO z30Lur=;DH04qic`>4qFMu6{uN3-o8LJ9=(ddV0Y2vTgzN5m~jYHg$Gzqj1RqBWfXU znBI_i61V?pvul+t&l^zOSwXy}Ra@x5Z=Aqiizq-Pe>mNc^5}8d`?#ArdwXoF=GJH{ z1tDowa|~BCjC7%Z^cJOp zb`_d;b4SQ=K}2a!FIg(eJ1wl{dJGuGbbFAYXTRq@$y)9T=*mOu__FLo9H?jdC1z84 z<8!kFkSXY)Kp~2`_jkb^TzaF6+yYm-6rqNty2xTYF{@@{qE~ez>ar!>as7oe&+FM7k|JiPn1cqaDJ zg2<{AO&hYX^(g8Q6uOq4x0Bzvfg80b;R&B~f1?C|`^^*F>#T_t*TMC+N@D_Ym!tTQ z@#K@nlx=an0eb@K66Eu*Cjq2qJx2nO-Q0gu;CY-3y_Dq3_iDkTA= zr#GS6)C_lT)X5^E&7x9Km^*}q3zwl(ZzG(a_e?{8Ig+AX$=%{Lg?PvfPsIwV7-q%|@ZJ)^;Lwh?HSkaVdHoXZ_jWf( zG-FbU9X%^+hEzO`dOg!;;zfU^hId$nPAVGwm-ZLwMh1&kR+V4xEk=wLO z8(4#hiSx%`fzqr33`|!LPz|NV92Zwk4(qOoxnPrbgMaj|+`RXe^d?bX5qPmJ0V<$4yQw20pS;?nA0an(-e+J!T)>3fpGao}F_^8ySbwG{ zFm+=KB6M_Eb1CVkO1vkto>hKlSl6+v*bn2(1MgLPmu2HH6QQ1a$1t>c`FM|a+1Bm` z)w#H*n|U~d3I!yB0TiC|{XPI6=*RYhR+Oj>@r1m4b@1e_E-XXQ z%_D1IWkDH3Gq<&N{P58nZ-h9dBy6?0jA0#}Nn%9r(-k4DuTabgz%kyi2)JWdF`HrE 
z7OD`Pd>m3vD~G=slxwn8NhXD)rlQ!n_`{}fX&Qj~5+MP>E8k4ZNY>tWM%a-REr;oP zP-BULQa5$ouiR*ByMw|q9D6(9fS_fKNN*&KZH{YYR4xUQp+Vi`sa)>Ie#f=*t4L|Y zInA=WO51W+K$2*y*wBMaCpgP9M>aPS zfUQD)kec_#hukHr9`l@9c52Q(Y2wG zeh5HuYs$j9Z75%6ATDBF+y`Bfp;gA(rv0_C;e2A=ILD{);$7BPT}^;<(N^f8CYixM z$CiY}$%8>^B3b65Mh{=1(ze}N#e3(Ex@)YCGlY?@;2c#jO~)YZZ=V_Y`w5a-8vsRS z7h#ONN-G{wHnA%Wq#9RJ;QUHjF|^#ulv=eLZ=6QhRs0C2l5N^Eab!NrbH)eVqA z^D20gj}zHrY>(}fd?%#FP|4YfJ*w6zmwZh4-#3v;FsV3G;)WI_HsM5B;hFY*I$E-9 z_WV&#cnHa_WvSQp3VU4#YuaYWRHl*Ug>P1Y4zlE9904#tr^ZDYVUxj6oU5mucCgHv z(^%@WAOg!?a<&`bXEH{uIM-9U2!Y@@{@ZBTW^#eOU~Lg&S77Y1rwSog^N-wE#FN?` zXy~vjfdzy)-7BXnZ;34{rN!NdZ&enmcY)IJC_2H{?P^|+CmYx0&$>h=-7qVyPx2Oz zSC{%Q5BJl>>R#2_*tDqyW_e6a*tRbW7|jMOW3M|aORmah1tUtjc9HEPq`gI1P2uHk z^=Cqk*`VgDJDvyxEdNs`T;es^wTKg%BE5-hbwgQ|MuE#j&k{5{<1Gorx-;7oE(<{I z-jKS4;?aV&TfXwQhhW|PyD^>pqQGQ=9nyI=j7E6RDuCTw}}^5!dS;q@tW_ z5s#LtRc?+R@P~Ze3004%8FNEYOx6zdO4?1-<3xUd^-_0##Ck5 ztz`_MDq0-3FF_#iVc+}MPNJDk0V=!ofWY{MQeSmEsV=K#Zf41>>e(2}B0jGn2XQ}H zkeQ;}%roSqG2F%5CV1K>$LbGA6>Y-|M@3Fl0(bsa34!~5@?(Y5q!AGq2BRgA-^1eC zNt(qb;GD~EcDYmANEjIH`jr$`# zQ!5g?du}8zQ1{g=LHx7Zuk!bT+UL1LcvJ!*OOJJr^`QM0rRU>X!oj)hRM+xFI#$8& zL1N9o^o^nen;ry`v)Zr3D@tF$;Db|=lXU$+F1VVPyz?l@Q5M!60%=0DqGp|5S^X*A z2hG`gDG1Q~(((6VWCe&SdDkLliNSIaq|U~x(s;S|NGlon^KmxASpDj-?#+#w06dFe zSK}Cohq776UE1EEUcCL?%!SIvP|U68B0y-}l;e|+;DNf93V(Asc-)wys8{_{U0{S#vxYdLr)YmfTS zmAYR9v~Nr6i!78WcwDt}hpG84nz#kw)peENvJl*T#jn_G3#0rx?Y?z?8BL-;rX{Ev z06r`7BM{j(heZt@Q3JBbxpQg>(L>L<`Opsc@At`C<3(ts{Ss$FRb?^ZtSZXE0F6Q2PiY1)LmrYIzwWKyEGN)Gn2QGwEVTB62<9^1h(<)U- zMZrdJHj3VlqPSCHoec%TdCW?`;+nK&an|0yG)?sXejq8?5@t%23(B&$OI~jD+?3rrYmP8qvPvK9q z%p);?t_VL&Mm&`k;>_35A+UyU5tW44RnTO2q@dlgBTFJ{&(HI$jqo%P87ac_bYM+c)~Q?)(h@MWEk4d2R2=KG{WH2!5j*R!xlh zqZNW?`#>=|MOso8$@;rGZN%X}XYvvygxG1&P<%{&f`B!XB6emfScf@6W7v95g2rDI z_#AGh@e+^xvEW?3CfS6YY+&cJa3pOW$lw%nIJ7q7e;xn|QmwS!8Y$(bga{flZt(YT z1I)1&M<-U{YU0L199k(00JmhnPv)m-B{)N7RvsvA!&<9?HE?)+1RN42P$#86tp-pA z<)B&#_E8%jNzeUS4e*d-wq>f*V6@dKMKf^{nO?=Lm}ycbIq$Z5r5ZjA(-2 
z8mGHj=kI!ZRQu_M7sccSj%asZQb#fKR1%`?SQYf&gr6q(a+()|Egu0IoHYeeO$gn0 z8oB9Q5VB3FvCy7dcs@tC@)8vDQe2#v+j0v$ob^9c<4pOTrU}Db1dM7<%V2E4A@f^3 zK~0rgmrWInSZ7Hi;@i;uumuzOrbJSOe9}^<{kf&U98Q%5!Hv4yc$E1fFvhXzrcZ^> zx1#W^+NHPYTs@Ko$5+TfPtbXEHtM4|pPCo!hW@d6ku%#Wn^2Jx%;x4p>G?ngGpB_# zrY)9x!Ep!FFZT@>WOeI8&Btjd$KT5bkr&Qd%H8ffCVHlK?8sg_3CM zcdq7-7h;ThpZ-hyE2`>ouUZ@CY}Sy8=?pv<$-y^hLFx8```QV=Xi9l&Cdcz?nlA!p za7*&Oq-f^{s>Roto(B%)Vclgu)dTLT`&pKAR_c~1+^w3OIvUzsZe{8q{bD2t16C=I z|z{dFM&#kuh_uIXJ(W>s^DShru(3T z5jYSDhq~}P-1&pVWF;zOKU2;wnd znn$KPPue`RrYCrKa^I$%v1m4daD!N2pV9H?$p;G&HR(=bT=Rq>KF?1X{J9;FBGQ^W ze&b3H@~dMYq)IIZGJso`^s!VT8&AoN@^jxzCgg zL11$9^`&;e_5tD7#ka$wUeC``EhbB9aw>$Ny1mo+!!})$htkT6qbZ{4uk-N<&z8nF zzpgdHO&k+^ekN`{{;EdTF+9b!yE$_wCP*BAwIEz!hLm&s{nnBewY04Pne5|j+Tq5E zkLzaX?Ae&7%<)C7oDs}vpCA@x0)^;{toOnbk+a3V5l4rQk;3RA>x4uio6AUZSGV$? zSQxJn1qlCzJ$bAYB;=x}5$F_PdtwALCqN}0y``02A>mXVRj*Du+I(4i?u2N6tS0Dw zvvNS|*r)8OplyeShqZi~b3^+qyHq{uq%h(^&+8Ph(mwd^74g}d;=9~iYJ|th{dI2JD;T@jE5V<$_i`WH zs8>Z3+&1;O&);l8#BlHJ^;^xIITpPD=2)4`x$qcEe&a3auH#jAvHX4oTNBj&eun!$;W$* zj0dE(Gn+_IhA{YA5%p+&l|vhF915P0w3dOrbwQA`ztpy_rij7@dGd&$&VVC;}2=O-*GkPj#R0Y^22eIQQsJ1fzfg}B>ZfYeI~>IEmwki@8* zMo2Og=?%@RL#e1V*5_e?Y_#|bmcDl9ng+dM-j7k)tyW@(+vRyypw9$4LedKkc;3=| z>}he$QZI>zaoKo2X>8UoBr44&iLTmEY6DmF!LEXL-CZ^OT$Qy~ecDDNzAH|*I2ud) z2)?hI$^iJUr|p;21-KNQUyc~f*F?v4Y71^tYb40oT%yAOn_@2ljMhwHpa zpA80Xr)jmgy9kbd68{v@ZiO|ulW2AK;4uRz$#f|vLCdFNZW!ZCyAN5(oHD#Xl99j- zRn|!LUKl-97dZ@ZlYw<%e|y~5P2s$bT@O8I!*4@|pa$`XH=J>PCma8u1#5rxUaqd< z0#_EjlUB^~>>(4%*k_2s8BqV1I9~Ml!jUNEBMMr&P3dq(4M$p!Y}79npV}U039oZ_ z_VQDqG!<8QaKT$Cj?wOhYVhKCVxBN*iwc~CG@a?y{@hFeu!NznvM8yeXtC(C$Wg*b zh)5??%nTEP&e%{@Nf+R9qo86(FcetwGBWrF5b|{utrHrksySqF$Ecc|t6>I7m;|-oC==t{>V?F4vPqfA*t-$oN#r6wzA6l!{cF z<*6+oPX2yg?X*2ESCAy?da1qDvlZu|!mIWjmu3sYLi*F(zOHt9UACLGr@TGPee>N) zXra2U{f(aq8;R%LVQnso7YWH2E*iXNG4kXrW3e{~v@^6@f>o_DW~+%pJL{KS_Aulr zK;C!z<}ZKm7_+@BAkgGX%a(lRI(LSMVn^MOZD-+>=zp_QJ5ZQtpSTH0Sb*qogv_Ph3+J%6)7 z9UcLDOexnNQdVf3OpjE56<1{%IgW+vtk)SzcBZL`EtY&TA)|b6aEnjd^iP?0DYL;; 
z{Qy%n8eb06SYS^&HQhGqxBT9BT2F&3@E|ZV@XgPMAkW$5#Zfr$+K2}{4Rk#r)I;Kx zeZr}>=UuZ}A(gtIqS`ox$uF{xZA>{zE!aUX!LPM>#D)SmsS!R@ppwUo_8|S`D^AeD zsB|9|-~x|VkvP#t)9!vP2fsh-FEvvi2jPRHZTv+PFEL>$Qv>kB8S=-7WZ5i=iKIvK zT~HMt^})-hA93~kBhNj6zN2KnE!4pAXC3*%pU~tv6x!pU+aEWM zK6l>&)1UE|tdUsC1NugcE75702%Et#1{p2ezV8~I)_`zai^T8}pFmt$EdG;1(^H=p z>NXcZ8iRrsTqx~YrEtZf~ z4jfi#miwm_*r!fzy55uaD2_R*t*|dVG2|*L*=W=$F{$wS#j#sD4~F4V^Yk8u+|1_jCB9OUTt7g{afSWUKWzQSGeA;rmF938Z((Q35mg$8GgNY3P zyrl!^v?zqh&&Bjjz%=M+#g08e0!Vbo1mOU8E59))3x;>iIvhxf`A#bRbyTJg7;iv} z!3o)W)Dd3P%wnMX;T!Ze_7!%KXFJ5NN?z5g9*2Ni3yui>pjW)QKF*ru=`~mUOE5dh z1^HPIjqzq+Q6kvY@>(BI_NA0Z2;iG`L>Cw8Ok=pzM7L{irSOz&v{On(k0RMc4xnQXdbg>UzCcgSi9{9`N#NWI9gmWFrbAcznt@$WQ8 z31=01N?+w{$1c*c@meVz05$*l-!(o;P>;{~|Wti13<#}Q$2 z%%eNG6soImP6Rp0e_#A4?hpQA;oo1p0`docaVWEcx@1^qa`Lu9#t3VZ6a~S%3)SR} zyT?qm!)JFsoMHpzf)xtknQ%MyP1quw0L)hjYMcT>FQcXn!=F@(Bk(fYwE1xsz2p$Up&{%-CF>uq(}d zQ*&pJhz~p>yRW=BlK@~W6i|Km&bk)?ngd0+yB$22{)~~UDi3&9OYDWPoJma~p%ea2 zdXrE@wrMc5W;cL4{|GIQ0qXZnSVh}$6(DE_N4@Q3|wm_#4{ zlBSH8Pw7oh{V|DDZ2I#=S$a*{Y+`%qP*nDVXj?^Gm2RV?`onzQkE z=5{GvFR%tP$2u*<2p?0ewlvs~ucTi{TQ5#s^PAl`Q{mW*}jm2>&k-605_2OTgUx zu1vWg{IH+BJxfXW$~)PJl@WB*_^D}wJ7mj6#A2X(`QVao38sARWwSa%9JOd~!|Yk>O|E<#m)sz${~MeimYUZF__o9g z(&NC-M(iVMosc_zT9(eWL;Z=2ox=rF=7*k)kvm+c6HgiQ0^$4NbFXuFNpZM2hvMxv zhgiJMDsNx zl0W-+h;n3r;mp);o3cL})qWega)7K zJC*r4X5M_;VYZCqpTVH^I=Tabdbt?n_+Bq8g0A4diMaIDTDBSzc5f=a#VMU zsCg|UcB6AtsKCf)QmWs`%SreA`@K8Q)b5xO@w@J-NS9@uE7`}V_7W3X={8%k!K9+? 
zthvPeQX*d!+VlZQVoI?ELyPX=X%c3^BO_E6RClj@a|+ds3kW&=yLHo_*3evB&lK#{ z5Kd_9*W1NMmyo2fe%?Co3@4)1i=DpLNyyXRVdUHe4cS>OKi;Nfof~AG%ZjX54#=t#&l=@k=K&{_lgYQ*#QE|-I!$+#GU`^2XqZ^>nR^%bZ z)S3%0mwLQaj&Y|q2QQ!myP6mxxHrl~H6IYZ$I|BFfh;=RqlPUkHB?IIwn{hxB6bvR zJk!WTxQJ?gZ{B%Hid0JqK)sm^dq2#zgY~1>$qawgBQ~r2howRR~$x*Id{+RbS zo$=|iwi^;*w#8Vo;@fo`(WS}bkNYB%pwc!kySkp-4e`PIDaXAG*SV4_1Kg~s(hhB$ zWASkVG-N=ZR4WI=Tc%#Xk36tD;e5M_Zx(8lM(+chiR{j)!DRYk$ekbd=ncHdl!PHS zPAOF~5PS_<$EW?PoUZ~g`jYkhfqFRjl3y`rN=ErTu9Dt!96c>7{J8r1K0b4GcIU({ zL+Em0{cx{4(+k!iGfH7VJ$q%q?}4%&=zVOqB5=7>W%XrO2^-5=%kLF7=cT!K_TOMe>4V}9cNK}w*l%6%b&CLquT1) zd2;TB6O=dR&KfL>5?x!%W8Pg%|2#Q&gYU9;o_}<8eTDSu45d`h{WME{>EashI4rT4 z!h3|UloNzGh?6ktg-7mT3ob*eHlH`c2l-t%Qmw^OUFj;J~yhpIb$!q>R*{h zlA@I6Xbo0sWuS^_p(BnBW@!85QhP_aB5cTP{7rc3q~@#fQ%~Sjs;;0yGCK?b{%R7# zv?Rm(Hvy`Dxcz>u!crQ&P#%$7`}Pj${OZT*>1CKvv-LAQD$9q}8>MM8`!){)umK^S zn|Oa?pgTqG&~Spkh}A#Q5Z|5f{aQp{MQm$cJ~S7=8}@sQ^(BfHGUyr0!>g=TfAuQX zFxL-CvGoi3y@th|w{Z=c0I zSZ|?PyH`HzQ^;Td^kw+za5NH>>dYs>{+>|7Zius&ejz^F3VJ1sFR{8u-UwIJ0Aetl z4;R-2Q(TN`uSae!4`A|-7&#Kfx?QpOLsdB%7xno;m5l-dxH*_Pp=+GaQF$2ecQlV| zRPGyI`H6b(Rhd>8FS$>&*&fNYu z3m!%MTlZ>e#^}hz z9bQF?7Owf%EwEp&T#wOG9`2?Nur>Q=k8v_`CypU)8hId;XWFKs;IgC#TzsHR`MC#v zG9BG&Nwo@b7oAS;mAW?GX;~ipL@@a}cQ2)TF5g=Lr(6t40W);hX*Kz7fT&SM#8gmj&yRo00XQtBPfb6%AAz&_OJ* zF)-=4lYOn#7x)&$AOQ%=DgU;!_hlr91p0tIu}R$s&w#S&|Csv5fV$uJ;kdZ$o$M1A z*2#9uwp&Rx zu@eEcDB9pqfoMB)_a|imZN>z|HZ8CPL9>om4jF5QH7UP7 zmny~%4=A<3OqxM8&ut;-{(d8h-s8FGKWfc8T-dY%mrv9REEvN2~hRzbo$-1p~5qehUZ zoYF?@8V~WC(98Z<@BQ-!del-fhq5rqrjWLf*!V`YHA!#Jnpgg`cR!kj2igO3-_c ztwoM3_3Qsgjd_ixb2022wIvm`h{$aQN^_!jOUdzV`pTRjTQv$V*{#!T5vNa&H-VNb z7Yx2Q<~|5|T^5Pcq|puvU!y3JR{~jJ%OA8?reazuoTs~`?qcSC7Qqe^l9@+t7F%AI4PVd z1i0LVQoeNch05dyzBd7-!k9h{zXayF`xukIt!E8S2A*D;{erM;yi>yWj}Px*NmS>! 
z|J=86csJ2aDLaPUq~=-ID~IfBJG#>h593^YZ)?_S@p12bs6g@Cuk1zwhf~X+vfukK z1vd;mSBqoE2UD+%61$!wAkZNxxHPMPY4a_e$gX!s!dzF^oF5Wo!+l_Cb_j(554;ji z2+(-(+yVzyPzBfIn@ePb@58dP)muiI&B%X6PxSTOIji<`{b{AQv8zJLr^%~A@dwBE zrLt`$%Czn+OwE{Z5&aNg6GVCmu$gPvl;97S<&_^qpoI4c2J&(@iVcFbHCN_iOgdJu zsZok}mV9qJPVCy%ScQMxTyeaE_#A;J-YgMD%;{Ui-*HTFDI4@KfBq3A0K7{x0oMan z&it!1O!aX+Wz^8Ti2>jZJ$!Q*b~BB-;t5S8FM1+hHCzDM{VU*cl42FK8?me9radIJ z$%->^R6^FFJK?L0tKVcZ!9Dfn?%|a+94sUp5G+jLa@u;{BLL0=pPIM#Ti>I9CJ25K z#wsytn!qg$D^^G{>fG^2Sk*I-K4e= z)e^uzJ?e>PELwGq)?_gNFPu@kVVT!z0X%@NuH$#ovy|~H{-o{stGCXv2Ky|bpSIW| z$6KxG6VrvRCbe`3Zep=sd1?~fwm0Xb6Cdo!rToSw^7hvO>HE8{*LVDFzqOp1CKqlS zuUQ^6+iuQ=cE3*B{BAW6e@M1lgOx;dM!JorVwTZKY?SNyR^}GX&TD0M zbN|nOSSBO9#Hk}&9!O!@Whi{u7qJn<@_zpPC*Zwk&CF`Mnd;!1o28!v!2vdGZCsD@ zV<#=qUcG-qDDx)~+iJuV3lI^jacTV}oiOF~Wgh07;v@K9Q{aA`V$5KR?ukRqk&E9N zzp9oWsod*vOW#iil!tNEBa8hi0V>)R5?zpQ>RB8LP=IQOKDfp1Y{Z9|`)k_npN_hZ zruN`8WIht||4ciezWU8^k|UWq_lK>6J1t?i5-97OM(<@6J+M&Qff*IsM*S=2ND&Vo z9MjLG;|2FzyG%;pM1j+IEBIlWT<_O^**&Ddf~RceGH%HL3u6VYV)NA0CsMwJeJ1)l z)%IVCIVw`Z;Mz2oS>>F2EOe=5*1Puc%}Q(!t@ro}pLQ6;J`pO!^@>J0i!WtNlYhSd zbCylz^K3fNBvq`YZcw1!XASiQ&O=q_;E5K^9}4_S8FN_G#E$P}uHT)xp5*B|)AEG> z{2Q~U5>?Vh#b^z#X$y&u%Wz*pt!SD#xsUcP3%>dS9>DTzsAw1C!G6+i@kse%$8IgP z9MH^hFXdrjd6}UnvlmN#?7*OTgA*{czgr>?mz#hsy4x8P_3~+m4Nx4HjhRB(DNl%ZV(*YR~LCHC(|k7AUe`UY1xJb5JVbU?HYLSIi1F{i22kE5yB6%7? 
zBoVK!&ze4rL=y*eZc$2+?-mOv1&D&#h7=sJgFYqFJ=*%iFOSHzt^I);d#_?6F24JH+(gKETyOB- z>l1(Cz=w(5Nd5u1n{^vKA*h6$2Pln;c>?_v$fq!Bx_MzFz0UQkKUIh1l)%G={h2DY zd;5IC!8Jt;So*i3{p*#5kM)d*3hFiQz@4~R=mi}L{}O(Iz36X`mc!o^SWt;eiMXUvMV4bmUJx5+wsD%GS_sO zo@sf1qqV|+Rd+(e@JP-!L4iu_dM;g18mR1mCLiSIgEYje)0sc20cVqh3)l~N_TRRO zC?qa)5cb42oG$;Q1Q?Kjtg%>Ry6o)FX2QgZ@<5y~j})T;6RGTh-@DUy+erxGKu!OOBDYbQoZL~>_ezpMC7tWX%DG8I2R+WAuZ`%`(n-3e;U6P ztY$DlhiLwu>sJud_kdNdEKA1jutC46vQCkwHVs)_9RYpvnu@_e5QAuTXN5>FzQu_2 zE%ZZ#60sY8-=0~dXBgy@`ONgeo(s1s?qrWE}z_&^28PUr0ir#C;^yE z7Uu&XHOGl)&O_NWcKlX}t8*)l9k&9|#)j2JW}8-?@kV=DNjZ@nhitHtjqhG+63hBa zfMMS*6`cdztPL}>&y@;CT9N!tlpV>BMc@2Tyfma(K61I?AiYej@>^ILQD1|u^1pZo z5wTs%(Qv(P@wPNiYxsU%*z*91%pZvd>{J@=Fum<}!g~a#%NeK-zu{{%enkOPZ_vrt zQ<-ip1)ApaQkh-|P7`g%Bf_|bq~q32G6pfmrSxR*nqDH+$;0G07|= zw|@sNzmQH5Yzz9%{!;jPo<(cBpE7m;?10(*)}-f%&trKhpe^yiwm{a5a2WE$K)1}S z*Yk+LQA|4dlxEO8gL4k+P3AMiLO}4Gc(AY2a9wosW9uP-WAlXd-Y%xB%tt;RQwtkf zyzsxcO343!ttImrTxeJj+cR0Tp(3flQU{SwCm~#aTxl4CdqU>4S6@h0Qp5{D{=5J6 zpJG&sYS%wD)dwp^%6#27a7sPmkHAGZ?>~15Pe)$qiU1i8h*{@jEW4PJr;4nHrf`{V{g#}YwGyrGqgo2UCm zqaxc+VQRh_M896H1d_!L%<{Bc?t+wjjm6a*!be|NzmZU6*E3u&iKbBTnC#H}X?HN= ze8D=M&FeKiVAFdNeOGx}_7EleG)i<8ic;|A2c4{VY#YmDx%8UE%UA!PLlJiaFCK)N zckut#>6)x0;DuMu7lU6#I6a4+#&X$79h~xe(1QrrZ~!NBV*v6If>M zzPQbO{t_URF`1y`j&FL@BPcg`A6S<&yF^Y+%>x+7Sq5O^Ci=Pl3l`$qGLIsi)(b!w zi4wR*W(53VpzDC*DAL#)H0P9qIubEopPJggH7ecm6Nw&Q^b*UkW+P7F)W zbN=&lS<_D5&7Jomu?RH^>bm!Z+J$)&l0@Wug}$`qeuks}VQ9ncpAFB?!nt#u;W|8Q z%$+tLZ{*`1L)YroM@pLy=abMfzgVM~IKjiA8Qp1zHI2&firJ#&K$~I-d!N8MjUz~4JC3BB0C!=9(?la;?0D${xVP82G954b1R~bnp?@v z$3gU8YrdmU{9zhB<_{UM-#*0TZCwJ-!8jJx;!yh={4};!oU7A z9tga+POF_{71Xz8l5i3)Y7Q8rm6WfckkHx2COb=GlYH#-Lahw$vilE|%wo2w&a9wF zFerTl*(2*|%yP{ny?LZuJqo=2 zzYuLMLGMo>M4?b0PY#RRS)JYR^Mx3344_{sKE-aCbt}|aDEF=OIX-x*_LcZQ!2wol zQc1q7!LQ{S-qv^NKzKhJxgS)>?(Kii!}a1UH%|?)^boP@<8J|Z%TTUc98g0R>BXo~ zli7)OV4zb*_pupDu1(WB?bX_Laxq%E6DgtYyn9u!Y+-lgtz&KYD-u&4f>@OA#6=W} zAKFp_$+FAXePoFZF$4y#{bA+3X}dyR)B@zBvK2z6ST(YD{`khR42)cW60H4i@?1Nl z6*KJON#DO4Rh^} 
z&kW*60vQt*yc-Y~LIed*6ixOJ{YYj>CO1`R6a7E|+fkM-f`^0l7}nmG2~->=6~`QPua z7iP9_-u(c>p=pT5L{&0Bg1x-ZwuC0H^(Qu4ZijE32N=}V$jVzDK7rY9W(&|b(eOF z)6}*L?G+916Va55*XpZzv>OV*Z%X&N_yNA*I9Ker#C@M%aYHW?ZmacdTF(HMN(O!w z0BkBgy(fHg0-)Ceht@<*YfhP76Y(MY#c!eS^wlGV^YVncafDI>HA|^$*R$Y= znzz?0b)R_$;3BTURw*qQp`$#!8WS4y1dwe{!#;Xo#2BJafq*zMA8(%VwKq19nJyV^ z>wERWj)*Dc?E2ybZ>!Ck%YNrBQ+!MAN|Zy8WDwAKZ%qth9Hfg{m(2V2Knx9z?93O z)q6$TbI|MHxH+~%t$ftj>z7!kHdoKf0(4CEcfOHb{qN}ycYRr?10-pYEj{ zO=aJK(18U1{aG#p_rgv;$<0AoUtQ|(A9VEFi*$$!oIL&JBcwRW_JGDb_R^V7()f4) zHI(;@WDF03r#!}RNCi&+!Jj$2Q0Linl2PS6FEn=mM{&#-Xp_iGY!*xOAv6#2sNKW& zIU!Xm-gGG0rX#zucWjxL)NocOET?)BQ=U;LZ1CmcGHE;IX^9U>7=>18Fy)wbQLbdz z^d~L@E-Ip>XV4rNCJe>D>zc5{Oq{p1XE(k&`J9zxWs)GR%W441*9j6s@bZC?q7d~p7i;wUJYu*0LIN|U z*PotD>yL&?V`bF~_7r$<-7G zF{>jgynII<^v50?ID&!oc5p%i_dJ`1hCCRy>O=!ApYiu7taLGRcn&j$f?+TXG$8vm z@yrSrNiw)!T#|p_N2|0@%!ppU<(EDA_WOGLbFk#9+QRXRQobEJ zCL(j|e75I6hXwgbwy=S-%dqeNnJ~<&B&MrtzP?=mt#WdvMs=lv zYC|)RRldKK_bGBb^FjB(m7@(C83h;nfCT7!wcFlKthydIyJVv!`l-U}=7a&t6$Uga z%1ddop2vgxQuvXAx6=TXx`POxUV90^vVXAgl z##cj=^)zG$(Yn{+uc5haf&eI5_g3&uT^*E71MXe4xVg8eX{Em9a_01jUqbi7@Pu`y z)@yBjx7v<9r8)Rjx`^(D#V^TZbznh`*l3d~+P5l)?Ta6__>hcI2VH2NCn~x?Ux56j z0hZU`L$3uV$++T^Dz>b9VPMabi7~gl@XQ;ZDlNe!+F?rA!CM(`+-P#@EOVXT5p3!m&!5SnrS%*tF7|QLb*R$^>A8DC?8&_Xhu!Cg# z`?ddTIGi2I6MPRJ_#Qk<(hcE+=Ti^J0|T#~(j^g4gs>+rJH58l2DonyEPWGf3BYX} zbm(l6iop%N<`C;`b#bCOIVV?>7A%DAbIj&<+JWGu~@E^~-G4S&XKMloZC z)kykr;$B#5F!pZwQf8|9cu!ctl!NPW~}z4ykozHbY!5kp>Vjz%3VcwVKAT1y|?k4 z5I^t4ozANXuKVZ?Z5XHvjV?+DvSF6p>gI9z7h@tQm;4DH|GC;1jaW2@NiY+|~t)l^!|by3HIo zPOI603Kww+tq!htKGsU}vx_>&KUUsQ@c;fZSD-7H=G?n+=A^Vfi8f{Ra9~l7g$Eu; z2R4e;*4yPnpoK{xkrN~V^*^9pi0F6gLz$@40@;c(5UC>{$!O8QXV6~jS{m$OkOMiO zgTTn!wZg3yQog-b@h8SqVO5x8Kg;g3B{4Jb?y+=UaS|{0EG8kI%KAyC?{rb=4BJ1d zfD+Ik>!w*3y!7x+|6FP7+cbg`#3R1gxD)0^0P1C7cO|E`)XhJlinHsa?ncOnCh^## z_)<(#tU;*y9tn}dR5Ut1yf2iTmk2~uO^mS~@G_F%g{nARMQ#E($UO>ERzhVDj(VPQ z4moZTt?{-DvmX}HXCd!-IxV7xWu3xUZAK>K2LzevHU*_vH8O?PN^G)Wjth15#I`KAvyJJM>%CyZ%EhX!KzJWOTBKs+Mquvg#i 
z*9mzxO*6iN$dnAe7wJclgy#mOpu{)p_x78+d|k}B1k0y`n*_^4BX_p7hw#lAo)eRL zL;4xEvE!a~C>grTcfra*qX%MjH|O9|+X!@MyXXGNXNb zn?X|JxnJ-rggg9T6bnN{n5iYCIiDO|W9CuagFwiyjZ&t%gdGBF!}=s(W2w0j?M?Pz zn+nz;jQfQ*2MP%;X%K# zjVj!edr99<)XwRv>zaymw+J`-FXUfnvjSd1o~m64l;m@zVrWtT#`I8^o>+>)Ep?R} z`b)zMSW%2%Sm(I;9~m%6c0&ItpwbUy@tt4c^N>o#CeMvac(ZhzO3<@oLZBPYVt3~{(#@%{ofIk~6YDi97NGUZJ|>k0#{_CmoAdfJ-D&?Yz9P~OYooBeL>^{2r!+j2 zeJ6z6SGAd*W^(7huMTbKhwJ!-&5#%T;t!8&=No=)2seH|qg?$ZCHu_(_l`__6(HlT zsBiq6@Zcg4I3y1fX-1qO2IBpXfVT<8gvUfLe#35OD_-$TY0G^|TGCDu5cU9v&7j{L zYPF<0_!yMj^c6KE>EvkkXcT?Voj=MuqQ&N715^g_hyYp3Qu(fCPUC~$u+3%#jE=Z> z$Yt{o-giE}E%zL*cE@tJ`+aTP@AkJNH0HeAauenfre=EL&p0~m;RVacDarR`wTVck zBW7l0@6qT7-u5y;d5&7>t(4Q5Q!Q=h7}Z&wzgT#lG3LKC0&=QVm~AyJS${rF0%65L zOmg9(1WGwCo~<~$L;VIUV@0vlY)zCXXzsr+L^l%oAc`CF5my8mk<87a+XYN{=>9^U zUvQDXb`;32G)z1JuQ0E0t@pVAvez)2+6d|^frJE1H&Q4m$E00+b-I$*Ueo18s1+?x zESiIqSrLEzHdH%C+RldDkkwcWqHa44gv^*+)TL}=TEMVfeF)iFpo;t)LKpl_?0&OD zLOhcU;2Q=HQ_NV*MI#-BK-wiJ--9kKwPKQhJME|dgMJ;O!4WC&$|D*Sc%<@UqVSWj zF+PPm12L-zht=Xx*-$@dx!WMm6r|)2e~Ib+C{Jvo%Gr5p!Q*ZN@ZGvhzP;wLF<85u z72;TSGVOf(JiDhx3ftsr#~kJ%_ov>S7UN%!$8t|hA-s4t8C2+*>mhgcS#r{w_ekU5 zdZTyL;JIA={)Jegc(W~E$rWC`i|r+J3~ZeM5uMegEr>~_6vH|?1wk7%W9|Y1>KU&J z#_+%hDo3@{H+R8CXCD19z>8wlm5&P%!K@!QF>`vgq*(t^(y46P(3Jiy|Z7?l4ld5z; zuY8!8V68YN?db+>Il}D>IM4eQEKxu^<>gnZxcfC6?0NW8l)_0Hc`K)i@oxr-%LpwGJ><_0k=I9c((tTv752t{ zC};-Tuuu=0$xqU>RR2DfK=wWUfGL}wA(RU(tw;|UNRTLAv=dy#U?;$Y58q|YmTLHF z>?-B-kcZKFQH6yT2mhH&A4e{!_;ajw-3`x+s60n-Vr}`sS_N)(Q>1Do65lMqr)zom zDHl_q|M-ChZ;?AoEc+QWP<|Xzx-PT8T}6J&$jsd<-9Y{FjM|){SwnGhjRQ~uk$1s< zz88kbc%->@b>@juV#r{^(FKqr)FKnV)G6HV=s&f009sF9H(O6Hbfe*B>`5&|Y*oWz znzbE@a@sNPR9kAFl&k?yvfMKAeU|6*K)~#r4q^kKLUAc9pl4mzB!V*<2Yf$VXhr^Y zV}YBMvhjjL457$aGSQ&Jd||6n*Re&TEBhIw+Guoq@cwo){b!5RtiY3nWgw7c?`0j- z#p7oKT~-Lcr)eq_dp$q8`9MGi#JxjXkRWUDcGrE z+Qt~Q@pF{nmwW(K$VYd1y&H>!648`HyN8J+`$hx>KitDC#Q}8csq#%YWnrXckCa5q z0$0gko1LZlH=dm>);~S+h8d(oy_nH*s67n)B|~gRv}&{g1;E)J<;e8*!-9fqEo^>(Rt07Djf?> 
z)MYajjVV>u{7i?kO|0!~A0B8{;X?#1%yI9&=tyKRdjD|aHle$b(o}R%u;|wf@w~O` zo8nx({b|`YeLqw*UT``4Ghxf%w_Z^SAL~I91JBA4{ILJzM`}+biq@q2^VU%eO8uS& zF8pPJCrkB*>R|NLK{9XmKLCB&sDBIr3A0mWnA#VHKtx9mB)Vzs^V1B9AhFX)ylWl8 zs94Q<7pxmU?`&_B+V@JJH4rT8RbYy!Ds(G^sK#o`2Hu?DH*N7hE|%$DOz-g>mmLkg z4|nWkUB&7kUqFF_WheJcZ)>}ueSR8xf{F7KfF{p9noUR9vsQmk)yh^4Ywm!eZcdn3 z2~NJt+v;bg+3&uB;!<#?p)(hvd5xiGwSz~^|ri9uG|{10QU2o9P5+a z`a;$-@igod#f}#p-`nxzv08WB;KqKnAQad{A)SA1aGHR~A%O_CJT z6oSKkKMk)X+~X=!f$YfUzNt+l;2er&8{#X=^p|3vtK8V>4o9fO8%YQ@iNX5RMOG$9UXJkk{Wn+dri}piuNY>v zjI6AonPPZ8e4LMxa4s%t&HtzCq>p%R&xynS?l!yvkLZHTd@>yv*@wy6B($Yzb z1L_W{WxWKYb8K6Iy|=~RR!fA|3LNq3!;?$~{D2Yo*Bc?&CMq{}e@>tb_zeI5=6dl6 zaC3d~4X~JKTtOO=uGsIF4`HJ+bUvk<%T)3H z@CE{dV!G-cRlK}kT)ZzuI)?6F&Xzb*8!T`6p&Eby{xTQkDtR3mc`90I7Zv82(30QR zLb~Gp)2xx&|3UvztY76prXO1c)x0e)1Y4z}4p2T}fkOVf-pZFYks)@X!HX4n+NgU^ z{I>0J(XKz)jpqc45w7YxQeSDIlY&uiUM2QR7*7*9xGdbb1`kpzkP;ONU4$MX5Dpi3 zUtNKTK!-SUo|e05@L3KYd!zEdrhZL&{0`Lt)(%x=Ub#GizlQr(A>yhA*N+t|9E+W$ z@ACu}DC;htyk?5 z&f94cBBgnHMd`mCi&?LWOa3Cfm;L0oq5hwRRF58+z=IhH=2tFj+9=TvKJUtjtM@XF zu#Fa-9maVI82JC(X7jPCU3p+^mi%$XIsTQ2bL4t-wBX6At(RwAOJL8r>lt?T<+(6U zx!|<+hjX<+L4JH!T9u}`T#06+Cw8rY#PA$?^J((UTDH$qOsQT;IpM0n=MfT=gq&O1 zvV-)y{5fYn%+$WWl3yh8O#Pqa7qKOx>u@a%SgkUg)0vUnV_gO6?@X9U%DW?$hIp*N zmUa?>k08Bf-TnGQ`lQlB`?B{){reS3z7|4o*3Deb7|m6;NIE+USkwBO*^FG3bVFw* zj=KpR#(d~v|6$ACVGefvm)_mGw!)aD^yB(4Fj7h<|IeZz9buycO~j+gC=uY8!_)~< zLu#KfKKM}vGMTkX0*4P0WAputMu+lV;uVh)dX5H@{jT8aiWT30(jBRa4nGu2tx;tN%+oV!#5StX_O&Zu&!aL?g6RMA`#!wu z5CU_hkTP%5tQ9S@h{}o6@Sq3il{Vhj_fae5x*qqRpzgPG6ASKt?eWi3HRxH8oz!~Am+mzkAAGMx7$J&b z!o9pv+=KsH`fAA=sU(gdOGpXhh?TD$V4zqz84O?(OabpOW^`yNE?oEHE;p0=kgz(5 z{;JhnJwym8M@0w~F16QB^H$MSIz}xxZ~ORLT^E?_E;SZN5Z(sId6sc~;@7fqiw_1j z(F~vd#-c8d%P!vVc0)$y@LVe4M(0wQxQV@f`qoC@@En-YW}Av4uoNhtaTOJ`jtIT% z+-2`W=r3i99Om((uq#PX{-2t&P4$zqMFf)46xK^XD~Q`BF@P2^wVhUr`Vi|%$<{ax z`=jvya1X;qCDJ znP{?k4r*eMTi9TRBK~Og?nls4TG-JnK+X+6tpf-5VhPow#JcYDzLHwXd*~HxAY`q@ zln?q!mtC$ol5vZ+DEyqCQOzUBqs2mD>5t4&HJLhfhK`FVk)WzpzglNZv~Qf&WJ&&X 
zL(-YnKduJZdJReZY!^JyG6&?5t)ffo)T?luVsbvndE$sF&}+AS0a)Ecool_yCmfL2 zgX)>g1CGilrLPffr>M$F%|%k{v!>dm?4+SyXcwoYpsO-x?H4uVuvE;0fH~8B+%9VT z9|0(sCpBFbf7@IebruRNiS&NyADQh<2$s}VKf-?8X-aHVa%Lj%QO%tqPI2Of)}{Jx z`l#gLlX7Lq?G|S4gO|p7}0>-G%$p-B%7t!1EQkgu{9CKZ2T1~Y*xACR1BU}R1w8HewAS1px*UH zrNezURmdu^>cO*#@WZ&H3`k<)a3?>`EAePrtu);2;;c5VCfHxr2g3aV$ny;g-jR;_ z9aq)Br*B4#!3yRpbdJY!e>8CkV|p!dDofvoa|Vqb>f_bmGE*kYs5@0^=*ub&6b-2o z=dBkYcH-u$`N`X%DB|*0vS-SyTv24ox4|2-#WDtNz1T1;rQgCB40|NGwZjZ~|8F*6VlCmxk*%TqNsr7N-|vm&=(a@%DPO zLftcZe305QZ*py(L)Z<>;d(aMy`Ex^4D$c{F%qWrPGA$}#{v%ZQGb$u1oU`bDd9`x zhycgzP%-s~G{SUbK_0G}`2bV}%_>e|7^O+P)Qmk-h{cMW;ysm4SdG&wb(qegTPE>g zT8d9O41n}$t;JO`<$O-Oq?f-;x*Bz`V8<9I((L6NPX49sRi4m)^K&#s3DGL zg`s3eUd z=ML8kp}-wEcf7R3Hwp#h{vk$*G|o}D6qD7t18O%Uo8Y3xZvt?V$XfMnZ=TGxbU^o> z35U|~RH%MMs9nx~IFSN={Ise&+(~IGPWkKrr-aMyE!YV+@}N+WmI6;t`3y$A{{;>5 z12^NNYqS-*U;7<$V;{t+f$ylW>P?<}xSR$KHX7d*yswexE6{OB#nkogWYmelEQxMN zJ1wqq(vqx=DwA=6Bq4h{QTRRn4l)C&Kx^zBx8dk{zQJPsYtM-w$w{PbHgG^qyE6GZ)%pSyi zE!nRjd~ZLQa<6&_0A6@0ueju)`7FPgMxBpKH40CVg| z1^hkf&r7h1Ms}H9BuxmzGRBXBXBEvXUR`7g0Q0rY-uifKfj-2K-9#U(&@a zmtD-^Jbgr%wj*e-ri@`{2&+s+C~NLs0|gcR7IG0{D<&$Gv?n9)mr?9Mis#ro*Y>-G zpKPq2j-yMi6ny*BCUQLXOF33j6D1~kWy^l%1sUUlkRyLCh7eECc_To(yOOKku=r!6 zNk^eax=akcdQ-Mj?8y50S|kEmbBB@VA(Py>2d(i^B7cVv4IG>Nx{6a(#raPgs5`$=E*8;aNh)!wwNrisuDb6^FM zYf^8JDmwx^lXKevz$0UK!c5sNd?YTIGKpS-s4JO4?RN^i(9r13vn~1NU_Hv7vcCG? 
z+iyK!i1J5ah`?`OKhIkw)e!Xl+1mFN@@Z?lylqJ1#&zkrnOVFK!j39-DrW8;9oX#s zMOf%rV@@yX)ZjvU>B2nUI+qB`aYJzx^~JtO+Ob<5mH5zw(VjuvYmL@#=Mn?TVk_Ny~vL(MOJOiaA_!V}_k zF8jG48Ja)JUf$T|4)92@+h$1>44=QV&OVPCQpGDdSzD&Wt&23CCoRbJ&pjhY83(&( z;!wHg>s*YAF)Vdxj7S!%Hll|$Y<4Z#h-7W_(NCCgyRUM*J2J-M&F<>TsDXGj(R`$w zMc8npG3=bIo4lQASNfF{r}X{VtWD(9y6nBO-g+xRLB}y_v-bp`oB!6yeT0`(mA~yC z-A&mOE@&Bs)w5dGm+O1T5HksiJ9pj(_xLKU-I;)T6>RNw)n|;x@jk}X z?Y}N|=;y_YH$keA6Jzkz9vElMwim6V;^2G)N39qT#ZpmolT*iUrXCl=!NEYKc+jTRAb!lwI&!1IaK4+b6HG3L*kzz zt#sU#q}uN>suj>!{Sq3xnEiHu0@;#M;DIL0&w1;L8ohUJOt8U5y-bI4|C9LE|ESTV zspEd1qhO=&>1n~#naRJq@SX@IBK6*wZtA_e>jaIRN#_R@TMZ9^Dh6=qj#$3hGTQ3Y zm!wI1=2S{o3>hAcGXMvjF1Fo>>|&4PN*hAp;1rUw$@c#m9_aaCa&As|jQ@VXsR8Mn zsM_y}H&KgPb-_e2LNeMv;tZGp$J-0bof0ui=5$?XNlqSq<_sIQS<@w?$$MFrO$Hv` zrb35&;=2rIkMcRbfylVaf9Jh4681EMC4&>xISUOg^iO}tr4AQOgzW-z4K+K+Pr*xv zG}|w`R$t2Ltx?6Ty@`H(E#1MWW9n}1M-;={o;z`O`?YXm;gy>zox_o)8IoS%ujqRx4dpJ8@Fe6#?F)#-uTKQhHyB-2CR+74XBS^m2Lz*?-MOt88k8KMq36}FDL zUzYcyMWQOKSwaRp2{*(+WfMMZ-78vu4WIT8k3w6=T=Ja4U&YOv)O}FsXw>qow1Pn8 zmdW8k46Y95L4mVlb8tJU<@>|_t9>fE{fG%Gfovg^idU5~Ndw6wFZ|14G(k@h7>#^T z1uXqo&@#eTdAQGQnolb$mte{%Dn1KZ-IPH^%B${FYF3lv`t11#8w9 ztjGF4Zf8PV;N{6+SCt`TT)`jQA|oiysoQB(SDtLU=27`hwe-X?SS2gOr~*-YjT}d0 zm*&6z(M;~_oJF(j9B>Tcn_#~9SycNM@@CY$?W#a-u$?McG&ibjh7 zPSl$I*p+nJBA|STg-UtnI$xN^DqGMr*WFhO z^a+!0YM#75aP$XG=npVDN|upKHlDJxAAZ?{vxh~Os-0l5a$uzWS4_LeJ}3Ezg-n{#Wk5tbEcb+mJk^Ac!) 
z$KWj+%7|CiI7X79wx&j&LgsFj-blhMQ*oLD)Ufi^SF6mH8VK&rB_Wj*BSUGv7{<@v z@W;L5^~~DNy4;>kuTIf5|t zjP!6s*Jq%M*x#D=zu2ta!hp1bq-Yt-O2=u?E@oMFq^$6#MmT--fzo2^wptdpnqG4W zmxYEjpo+`NhBX*xn7Yxl8Ef|ht&f8pzsnrnUdoTv#9+X|jrPkyv2QAGA|Fn6N+c0r zh>rjOoDT4t^dp_^*ajo1neg$XO97O=1j$DDh_sX3IGt7Rz=!0`L#1DC?~mr){MCSA zFZRO$^58bMeD19j8${(!>w~A>BV%3JM0+aN`vy&` zkKv0;o*qIlszxc-4yYstWwjCeocBS5{ zd+Tqycs}Bd6pT=U0I8Q`{5q4HO0-P1N=W277WS!U_O^pVq%=$`!`lWZb4}S423}A< zggQITqUUE$R-NKD;&FitcCW&wAFhuNC_SI z?+wDK)!;V_lG2pWjO>s`@$~B8B92o-N*niU(A#G;Ik2Pbq=WwpJnB$dTguMdBth)M zfr9Et0(jJ6T2i`LORk=ioZ?&fmOPk?Gu`PW%1~%4qNr;54)X+p<4J-V_PJF|1?W6b zqk@JKZrk>7)emdb#%`2C03d{H1!8Zohz4uEC@_Z6ky2Kg6U4BER*NO$K}hZJE#;~c zzbc+y6;ltVFu8)>orVbKjr)Vy)AzfMqdgmM!IJGVZZGX0^9-S^%E~hcVq?jOidi~Z zc)N;5>m&*O{>mtjiU>@&<#E`^G$`A_EczPXZt3GXF*_EaL%OVG0J%bWl#F@xwbfGO zMppvB9Vrs*sS(QF)Imjsw~H#aa{ABo$CIW%%SqOZ$vK)Dd1a5N!}M0dogG}ick=CA zdTQl!dCTKqKe$+H{ZKw#8~woPai8CmTWw=HYAx@irF4fOvhRpjkfr40zoCzFi=S|1tHIVNrEm!y+Kv(%ncmLw8As2+}P*bPS<% zcXvrQ(%lUr-QC>{-{}25`2Ct|4rf@oSM9a-7T!-SIH9h+iFp(K&9$tcu@d{dy(=vv zZw)EhwMzT;*$I^g%Rw+FMpC4<@k&(2f+)qJv0jB((ypo0b~?oEVX~e-?pCC!mihOO z?cN|J^0{F-%=p6s#&=@xE_`SV;cnQrZ%4Imb>0g3FD(MjUKPlH+X>X20HRzEG2eM> z-od0RR&Gd%5#+3ISz>()L!w9z+ z{5J1p!0&$@IO-tQWo6VZDrG63l&kh<@6V-r0e)$7(B#%tS2vS>(;JIWr z%fvl_x4MY$uo!8@xk=auq53q(HK|;ax5&0^3maK30^8c8P6}Hvyb-{@o!jYse`eO( z9YyJkUbVU2A00w2!}y)v*pq-q(0g zx?*-#6BG@*a$kC-Bdw~|)L`Z)B))S;*F_jN9v`$wym!_^wbzE#mrGtNqeLkh_jlM$ zT|ni)L&#c|19?inU-As04uy3<<^CRN(gYGeK*Uba&Nh8~L$W43wIN^d_OPGkPkk!3 zbP^vTdH7dn9aZO+8wsLR4m98C@d2On5@`7*^hbi_3(w`phogP->V*SV;+F3S%GIT$ zSAb#hx(B?x)GL*^;~b`=(XKU;qL|59PE54_*2Hrc8Y#AxFhBLfOJ^BlIri446OSiu4hmF;KTMnzL86Mg$*okYcnD)Tosy6W0eVRHpAfU=# zrrlaEltP=Y`D0^Q!rwOllsD0(qIP&I`$Ym8qBd9s5x40FSTn>IW%vXlcG4{bmmO?# zVPAD$Yf&^9to!0%-FG@uO%Jrp#20t;58AF+cHXMsjXbHxzfdK&P)AltYOL9lFdtMf z)wOU|JYwv=BmGb7MZr2KIS{>p80X3NkuwAh7@2abgl>wAkgbjsTNcB79Kao;vHGC1 z>LToo7z-fqef2X~2OYx4ajPUnY1o>Uw76m%67CTeP~a%Hq)vMS7j#6z$-T`Nc`VQLRGLN)>*xhYE#}TT^d^$u>B)f*bScsAyo&{ 
z9YGRJ%Gl3$m&eoZ^N;q`=hH%cL?)?4xLs)(eVwfIb7lHe2(VeBM-HJFHzit6sC0T+ zuX2D9yas%*1l#RT?6}y%1hX~{O#sG!7@M4|i5$lPNx>MWc+k>`ab(&=)astNTQHW8 zsvQ_J{d6Hj{(uCf=VW&z(LGL7R2PeupUwZ@A`Jx08&ag86)HR1QbcQQBTBv5MyOE? zbB(GPJ|iT7cmq{|k0uFv4VZof>YyB*mHA#P9;Mnw9a3snx<#0;<|I2EUydRt?*E|1 z>6(V&%+^V)h~kRN5&mPP{Ww{XG%bxNLc;u`jT7<>jd2LJ*aXp2&ze{1;k1vTf>5aM z)bL#al0L5@;M})mUycLdfn9yLDbrrUl1e^)1+~-z1T&uf3Dj{Q($Fx3;%Clk^BX?G zx4AO{v*`AMVGi0$h}wD<4|?iz<35eT6bp#~Ie^JNaa>p0V4uIN4GRUI*b~0)0u@Xy zz72>%)Oc@ayh(-_7u7IkfO|?oqctObz6}Bd|3gILI18{Gr$|tgh7eAs`C!LO72?cxgX6K#b%r1_mPxRUuNWLLIXdkhP>;3Dc+3C#TUxmo>K z7>@}}G>oU_abiyFM+~LLH^gXw*FQMR`)6Fsakuzj38F-++~F5Ns9$n?0zt75oUpcT zFA%W0OwTI=3yT-L8g@W;Ffa3Cr+19nkBdt%Y$(%5Z1?Lw@%$GIN3Wsm6QR|2(CJ1j z7OXhi>XMGX=f875_`F2gq&+}p z=Xgc4z#~5|wmNFS&_=*yJb&Z^3D^vfoHeEO|BwAgK89fSuem_^Z}iw6OLOV5rjI3! z`3<2ffe%d(>;J)qvYqtwX1t4q;1z)?1(dEc8q`hbYtm%0BYP}Y`%Zz$3(1FqppA^F zcxUN@skhde$>~Yt@GUpLN7>`bFL9tZehTzfG$969^@nHK4;3aN{SEZ4u*2tE045t~ ziD8jMJDpLobMz(x71q)PST<2RE_d!kzEL*iu$1tqGU9}k@1suN8y}bP)YnOltTQ^^bv%2 zy8zHP(4<1iF;;dw+oKml5>EyKjmaF;ciob(-|^W-7W)u|cW3@DZ;RS+lM0nw#W^W9 zDaVpK66n(rcN}z51x3c>)$$(G!*B0kiB*HbzplkJm&@4=)GS_5M-WahIggCZc6qj0 zJl|g*eJLHSwc*Ue>B6rm0u8N6F1#2M;@qflA{j~T9Bh}af<`ClN{o>+aEehZ24d$d zj2IqmC(p9PS@zUqCJqCtnU{05cqS*dyQYZOcDum0&FEO4tkgdIy62r~u4x{O=sR9W zm5t=$gR25;diPY8Z|AYlA1(G9dSXcm_omeYqka&|FaIMb2DBLlCWy(2b!r)oIskLP%_^cpW?vgd)&*C*K0XkX|vv2_$P*DO3pPLT%?gzCs$n4~?(Y-u9GD4EPQYHfYD3;4FPD4> zQ=oho-g9VL4mC;o)!Jl%_47+H#?-(DMu-E|&0Wfj6Vn++F9v`wl$2B=mqJ^Dz2N`H0{xuvvD!JUDvZw;f$N1!PDzZhPW>5gBhhk7HM0P`6q$)LV8oRR6KYwOq3177F>y;6&*t?Q~g#WT=pmXxux^$Sgmku~(O^ zX@|!vWqGE==~IiKWrlgH3_Z}4U>q})U|Da4}}uP*zG;Iv#XkeJ9R!b z^kCn!*MY45%Q0xmL9<#w(;K;56ZrTe+<#>%PO&_4<_Ei3shH~`CC_qqQSJVWMlv(m zssfVbm;mV;o(rR#%=x*F&lBQ)8*&YjjOyLYb}Vg96xA65KZp8b;Y%^{xZ z?iio%N{Y$*)Ga0%zc9b(RIR@OJ9%X%Zhl&Yp}{8j340n2Gw6=-4=-H2%7 zLhJEA=5Wl6+Syhl9w()Yi5y7Qf-1QtOeRM5&E8umzu;IMWR{qTU zaREw2Q&=mc-K-?8Z%U@kkJ zSCF5NykFWb`=w-1?R>RwW1$-Qtv3b&cY?j7e`sH;UhCx4nrH_>RK4vXkQ(Fq36FTE 
z`!&V^m!tqJ8A53~1h56y@=$M!+*0v+r%q;wkmLm|bQuJWRxDS49cxf^ZQLJJFwHdX zn+y5?>rfR}oQ(5}rg6U3Mb8yBQ0lRqA_`g*{`z@xWK~;MwGB4Qs2AmTU#{B@c>58b z6=&lV|KmYg_qpLL~`u!6$*hV$V@jYX&CX1DlbUg;&!8(c)rK6ZaTy=&&M+T9sJXh-^WYMo|>*JCmkTAS?1eAy1KSxO-2! zRhEJw&j!1^uf{w}d?dT*(%GT6lBw*}4)TD;kJ*3me9~A6e=%*qoFX2<72Pq^5Y>>z zT)Tj|`Z%&6I4`*(;6Adi%*-)jlC(IOy~xJl?TuD<<5g^YMz|9E>sq8sH>ZZZXSVgaus!lFRcEd-}OnKu|eXYMk%_>4ffZ ze}0a3&Bb6-r>)mMO5;wzoI_)NSFXcK52_#$IO{VUW*u<9R5NFL0AG@X*>~x^#lJH2 z0MCkF(Dq30XR=r4er^48>xro8=DMqZt?QH>lU!^;2WRj1sjs20Kseexlmrfi);s-F zmgAncAHVj}N0ki`C>W6qR)H@fzy9;mYli(k-3=$p%Q!UB@Es-K)HW{T4a4ID(~3`J#;BU-feEygM8;LS4R$x@)Ld6W-86IVkG3P% zY4^{9{a4{$EiWMtM9+yHrOC$;#8;MeHz+_RkT#jhazqY_1pukTRosiVJg~L}Tt5-$ zn*iMbjCL_1^1!>YX{-&Dcd?Bn~R{@ z#*8s<{eylJfpDVi-=*<+bBK~CPtv=jSC_b^`F(QD%fz^ggHv9LY*qP~EgqHO+#O|k;+w`KN>JG6 zISz6-$E9ApsFe1(`z)uJv{<7(Wp3tKHEn->y^8X4x+(5gy0hNKa>^OQ;r)qu`^QT; z$3%s$!{@*__N^y1O@*;5eR&i(#a`6JaQevRHMn9`B;oyAu4}+|!?=P!v54*4KH4W~ z^&e)loCF){TZ(Sa$*$cOviER9thhyHb*Q1#enUnC;!1}Bm9VHU>*|!RYxJILS3j;J zuJU6Q|6;u3cno|q$CR=$dzp%JC$jqc5ZO&qph!V0;hY1e0b9Oyrm zdVuEZ0=SO*_5DOe4~;|>jxmh}W1p`^x_tq;Zo!A*lfY2pbUPVzSi#X8K6!$NGKX($ zk*_*u6iWn&tCjSfVu4rx{kqaH&3hg=Hl>w^+9X>Q#CzO6e@nnZsdtXyU;5NK#w+#E zc}(zXHJ~LM-oD)$WXlf}LuHwr(Dy{`4Yg-7=~P%3YGkzBn+5+y>mQIfqCre8+$}ON zkhp3^#>01w`xmd`b{*1sQ-82vr-F|Wv9dbpZw zuKeX5s@rKUuC`#3@eGVC3YTXVn&aKed4F5E$@JnU#&%+itR(L%?ws>}^XJ;v6+=j$ z-+)9;&ibQNJun392vpxq^7J*`+i@$u>2(h~G5WNSY!A8ivr-2pIZ)n2cl(u+fWUuc zdCfF}QTQe3>siSqYMsdhw0Z-7dJd zk?fDe*D9nh(ub7hlqX%7giT4n(SIesVeo-0-gNeAMj+~8F}~oWAa|JU{tI=2lM1Ej zh9=c0)5%trzpug(-h~g0DG&;yAQ0aYXum8!_p++GQP^@wVq;m-&By;E)xwl#}%ljbN`ASbr9U9?xVOezc@g8nQK(SI$U z81&KLY9nn)uG_xtYa?uJYYKt2_=u_~7V%lm%sEFaabe0_aUa?p;v3<)SWrttfwO9| zCprGt%>k$Eq9fDy5b_j%<<8vFxS`K*Mjr7UAo^cI{(MNv-4Pc>05)^a6hu$$H+(8>+bdQW zjVPwgF{UcAfMS)6*;eDNTQ?*w^U3zQxhdt0c9gQC)}*VHZ{vRAI~(nhhQ->HxKe0l3T0Q^4&=^SSRnTEM22SEp>F!xV0Zj zhJtBQ*I2!~l^PO?6$LmC{lCBii2?8WYr^T^PlP!lYo+~hd-{(x`qf_t4?GIXyLSmt z_jUCo14VTt~N#-#SmAt6qxuzVW6idLilukrY1sA=mrEj5cJ_X=l+ 
zM^8*;Mjlr?+W<*HAsLt!nVP+O&@SzP^+H?QII%G4L1QUPc?|nNbJ`+y-Z2_tAWRx| zflLSmvX{uV=(n4@>nykXObMI94D+KxpGL38R#k{us!Eo-MCqfzFt?KT|GSXO+EJL_C!?o-w+zNnI zKkOGe=`jw9tiUi03m`@2c&$Jy@f`}wt;JUep-;bn$_tsJUHHgIMBVY`uyH@fq+wy3!dUCx!mYvZbM<8j^DlIul zj^*DsUbp0On1AK`=%kxa2Al5Ab`5CsAZDQ~l`ft|AYqy573am?J46bjx*p^UYpXm% z__FExr<@&=>jjAL<;zL;a{tGV#Km!8!AKm7bpw+?W9v=+5ac6m2puW)M1q`753$|bYz?mYB>HVi%a^wYYp7V095358)e#ln zGoRhd5Bsy?E2QIRj)>nYmj-sof8!ZsdO*HeAIoWfc$tI*b-YZvT|Kg=r9d{8Cg)i@ zGRoC>mqQa&IzJ#r%DB|4+jwQCdu)%K*a-A20@Zjv#DWhJQOwR9zaE}G<&jvoJ&4iFYBsUPtw2LhTg|OJ;H*|ZRxoojs(4*ZVC=0QZgW`7vY##OcO`0E1znWMyQej)fNCD6u1 z<|#{Hi+S_@CQ?Svb$aTW2+t>feuaMXvyyOq*aRy4!U%cR4vT`>XruGb_y}!?1;hDG z{eZfzv5k>K?E1S~%7mPi;j$DE;jXhA1x`eg3X4*Srv~y3;(Q|+zF`fp<)T$j zrTo3=S`(oIKni*d>2p3u_#>9fibfx$;j|Qd$){~UF(sy@AimIu2!SuE?I5aKHt`QV zZsPp7SgetEFA(QCFk_xYwSP?ah{A7pSXC89E;N-w(z$}?y8ARFmqL(Hhu!z`q59>M z@kl_`cY0c{a!&Ip7p4WdOAn98B~Naxn&P_V5N&2Sr=91+skC6C6H?i_l%s4nD~-gMC!9-(oqY4 zKshdYa~^~;PO3w3Tmf+L!2nDEv@jpiqwk{kogIGRn0j4$(M%7A< zj41WO1sg@+QyvgXccpINb9lAyD6M%oRlP)eBVrLV>61P?I7<8Bc(p}0YfZn`@PlUU zvDBm1e`a!K0)-6|fBDF1=_jI&JnhVwX?eV0s~Q_02Lz2VuLkFFhLt{JVe(;Bm*tQg zw92^T@>C5f&yFfr*LSB36ZwkY9BbkuC8X7=j=F@`{=$CIICqe$5AE@d0O#O8NjMe( z@R&WdJ1yDYsskcGT=Xp#hcAK;o6|P6#;`$O65D4Zve@Qt1g zO8*fY$pTO#(g$y3+mNaQ9_Y!N7`N@`r8?0Zdp6jPtT^CW0l|HT4$z?C-^ z9RE{4oc!};{m@jZA|vWDl`j+uVWU~kvtJa;zE3|W11bwPMr!j~_ABYA=fB*`(CyIF z#rQe~oO>AtN=BuCHVvP^#}QGDmuZn=BOn65@S?x(v#oIs>0jKnkdYnHDYQk(E97!R zQ0L0=qyje2S>3gqFL`)5rMj7?ItV1Jw54Au=;|#JS)I+N1$E{9HG8Ao`V&BOOLM$h zZVYPffN0}|>A21?)&w|e|m>Jj%$L#sdw=6w~lzCmJ{r|C;}N%_)%7l=z&-FmMgT zSBgllLc6k@*GZpRU9D#y8?gkM#i!^aDsz_*XO`)e-xf(FC`WNIC>)wvXh=bgx zsm5(=uJ`4Z$9r_r;D3T|=vs0INCf^ZAPEqVhf?YL=IN*00ehLqaM~8*#EAj}{lZU4 zi!+C!@AwRph;5n9ZWl8am?*>m8v(EOX#0T0b36`L@J}#64i=YKv`rTe&vOkIk6Lwr zx!^*AIeU!Flvs80l4m3S=kDqh80w9`&U@G=#&(>7m9cZ69+rB8%sUh#{m-Uv^{}nM zcAt4iFXVAGa{_qN*K<{>&zdMTRP=wfc=C(O{`%cPBLZ-YeW4XE8R{~u!@4fYD_c27 zt~Fg5p=;7Jjn!`ET649QUM%s<1En+k7_;|f)lH(Iym)b#q|YY{+{gcvHyA$Y-LkCe 
zTW#}Ke~!E7>b{~sV67c$f*+xEv{IIxy06G3CP*nh%XzP495$3ld6Y^gJ3>9QaEdp%YFZB*(Jedz6LXjW|Ss zR6<(K6wr&yLZ3`biqJNj$;%zszTL;}mvfLP0Id|bY~9w-EQyAncN_A$yw4o=F1U5WkBXl&?AZ{2_ zAVoe^lv1xj78Xc<4cLdI1&FF{g3tf>S|slO#9u_w$ofg7*17Z3`%iX*pSr8Pb`*~- zm_TYuWxwCyY0GUk&i<08{?wqd5i2kK&h$-0V|E_9`iDqEbB}^&X&iMg?R|4G5z!}( zcR+DK_+MO1I0z(zsMcuE!gIs`;pk|9VD4EHpk?3cYWUgWkoxg(Lns+szLQh&8UX$^ zXV)kV$PxS8s|3#3)x%sabEgUt{3vI0=9DH8Xp9rj@1BtOGs8xx+{UgGvARD31pk9X znMxc)bw&BN`1(s-`ZhccvD@H!YF2eHZF9RU|a2u;J5(YMpmzug;}PIf6K- zY&atFD6Im$CnB{9Jx*Nq@j$Wjqj_<;2gg#&O}1)C;kfkG(u1xJ@zCZ-BQ{6P=`FZn zc%@CSe5{oJL^Ext==jZH87xsQ{NnX?#)ip?)!ltD9vzG3Iv@Ps>IH)>5oL0Bj-oPASK=HJ$G0p(Zi2DbM^h^daK~jWK*DH!9s2cO4Abt*3(Qr z{@tmnOh{4@XrEW@_$oZFbtji^nTpbf1X%K=u*;PnqgSRwCWIC_y;TOb#&frfxNb)7~Pr4?K@YhU-VogrG)PB`pj-vd6 zNIB%B zHw*jh4Km76ZM!SZ>p!m&j|d1VAMW}iPUugMD3#D>vpd(orSKURDUOO`p+mMsd+XW5TEG^&1;yZCStnsLsxipz~EZ$YE|sQf~)Qk-iJNL5#m-tmx?DQkfg2sx_UE&c6q1a;)bSE*o{Z#Rr8r^&yLaz?T%!fvLp3;(` zQd&uWz*)GK%SituIVj$6vUs>u;b}S!H*lst|6oz|=FK0EM?4>pPX!W97CJAY3SqDp}FnrxG+T%%?s>RIUM zeaxo(9m}*2XE0cOG1d+jILb7~zyPK`fLLH8_Q1SQ&Sev~A||o}B5=tOfFgEvwNq=D z{d1(&`f6jMIe<;{jKYMbHz^Cp)Zf4x7e1O9&0c|ZfYfhf(OF}=9xbGqPZ4311Rmb# zOE8=0KkwW^#P%MeVg#XC@~4>Fi8#M-v!uS{Ic%|r2ZB_7EhZIV!@w{PU5a_>1w8TU z`l){HhZ74kbk^3U2LR}5^s&J07P+6_e!ejE?zmpvgCF$MnEf8Gzx^v}GXGn+k4hH# z-yZ3GaRMH2Cs+uS!=|MBXoKp8-lDubVZ2ySm(lv2$VVo4_XqxGoPh9uJ}HEMm&Q|R zq%B4#m-a`BoMnHI)>v4aLI^-fv|uxp z@}g5;XZubAjk5B6e-L#z(rY~_%PNM5GZyvN$X)G^FWHt4Rq3-av+p7LLrp<(PA(Hi~joI_Z$!KcWDGfP zF!Cf5#R?!ZX~1_)VzQeVIKihPOXHWcyG_FchO)r})!d|E$xKw-9!^_xkg z$o9!o5f|maDPa94+Lb&_fIMaNud+W)p`x~AA3B0^eMzFLhMl|g(%HBIp)M{gM-67S zhR+E4LaNpMdlrusQ>FfCdBAmG?qi;q>X&KXmhrPFdfUtVTNZOfb+M_R@{hH~(8HqAfAEO9#eWr= zIk9e3iQWEiHFk)6o$tc1EHuTy;do?9U!JLMf}Eclz$xyHXE8I?+H$8RI{vYMIPUE6 z#s@D!&N^D~tcU~-nOVu^8=hFci2Q#Ii;*sjnNWR^=x;@%J>NBqa@+sN$7&EMwK2ps zr61rQg*=w13_;8W`2TB<^gq;>8qnz38ReiD$1#&CV#_5RcsG2hHfK9O{$Uk?nLU|J z+3;8rdwVb<{VA8dLz<%MWL8auHBRL}`^4BC^GpE{i$z66i^!!Dt(m=?LhXO_ehBTe 
z?tMFhc0qr`>TE6eK@J%B|MjoV`UFN-|4Osh21JpQ@rpJ^e$~_e7+L%y=gwT9Z3}5; z`q-i*g;=tj^(Xo`gt>akAmo3e0HSMriryDOa2=4`*6*b@D9OQo_nsjq#LhXD*_l7)wn+^aT%O! zzPP)sOJjasgF?CE96z(6?eKB>3&J0R4-6uV#06fV-jCcPZ#%IS?}ZH681^ldwlN16 z3IbQ_Q7V+DDB0P7eJV{a`GxVUs^$j*H z0!_1u3**p^#_kYB#?E&R@eH$BgD+aI-R`9mY)2Z2Lk)S9c;s?2=d7`2A7p>XXek!k z$RCVfcej$76llNQ38_<%B*b?EqJPOD&e#@yU&`|P2a(u#a*ojj$@giX(4se)krL|8 zpihuqkOKfiiO3`>G{jf4TqW7R6#O3E|BdhvIe>_o$-ankO1J_4e4K6yKOfRplp;24 zxYkMLILkYKs-D?Pm)u2C74q-u8BGO|D3?-)Cj0Ylk0dhG%DKK&)Mc~hETe>dY+>mv zz;MNDw)iv9q#B#g{gE>VollMkPT`$+XMGG!PH%eOdTPKhnk%RCqB@VY0T=Dy#OiCa zfKp4kQhEPGWLT6$8u$Zgmpvh^yyP8^H^@VcQ{1YpeA*rG^F_ja{Qg`Jn`0EB2^I1lBrt|iv+AU+z$%zf8LSyT)a<%>+U_i}QmF%CL(<&9 z8YEl$Z&o5$Q<%wGJ4&1kpO@NNt~;v#ox|dKwV&d#H8o_NwujI-WzlrX3@vhd6r-03 zGl+s*_vZ+P?OE|?IA!W7?Ad$C=di5x&Jr0g8d-0Dlz`DF5c*J@V}yVSW&9%^KN_UP z%;gMyVVtW*ERR#MxZz5LkYRew+Lotp0e+G0|FkNL?9eZmPFc;!aK|?|C=+w;o5wQ? z-t$7J=@OUo^<6$MUA%&Gt(BsHO~fqTqQC*^`XWLU{nIM@PPSA$cszkI*ocra#U75L zIM6TQy*HbnH+p;JP6dTC0hX9jWK%SZunEHlW4u}(Z1F1Ke=~91T>IQN!BSXrv)rR; zQpQn8^dvVS$;k;LI@XQoZB32dWXs z71)jsy2|LR7v=OD*@r2$jJ*>?-~P&_{{)_P(T9be1hWrE1fmAaK2fMlEW5S7XFd~U ziLzkv^s#zkX!;F#t-uo4=mrk9aI;xFe?=jr|CzjQ63{zi7M9YSTw0u3eiRkpLW=1srfE+w|8;?n!<6}nXBv9&z^<pc z!GX$0Q;gDKRaj3KghFoBS+_V5q+uqzYR%7HX&$!+FL#219UzsX=dFveJzX7gG;fy# zRo}$G;V>O99MU`z`#ygww725h646NdNWP(4sjlMD9h6=LOPEdch_3PWT$dqGbK>Gr z+^^;<7*(1{L<=p69ISvMvbo#+?=G!<8EZcAe;ii}V#wfxTb-B4i(w|dAw&TwUaWmW z2K^$@;U%PA{$3qn_%JwnWGQ;Zcyv`(=LeCJ`b4z+^G(@YhR03T2)W(k!p$)V6W^_l z)p2>)hq4+%NCGDE!u;v}oDeMg7*HqWVL=V^ug()*pk=&Wb&Qq=X0 zAK6o4tH8_quCE->06tF35H%VgAUeIxBiA7a?}oJz8F+0T5h}33sy<6D@rO@m!kJDuz@i z-ESScIjKrix--cn9aRw$f{9h85?1@MELX?C%!LoOZ;IkHymw#n5xJT_cIsomLvt)!(Y!hgJYzMlYsqWML-do z4%9hn#ua>Niq~yw>!%m5{Lr#IP2$`yBpx21n`cuFmftL51P@4k(-j`7j@4-&$Cy%Jy5&t%nbV24eXLH7+#}L3BqE3~J$2iL(vGoamT`Mw zo9r8!9~j9i-ONe&p2YY#o~E)@<32y@<|a8IKyIc_hi6f)UOZ$aOFnInce zVA{Vbq$u-=sUM|4pXrd+f}yr0^zO!lbM~1HOT<7(xDzSB?cuZ2K=liX)lUR0dd?oL zQZT*-lddh2>pU|QwuQZ;XZNb;3FfOC*OjV1myL}!7Vw2EZRXf-#u)9=V_@{JRU8FD 
zbz2AJ=G;EAyajbo4A@(>lLJOqy+cp>saK6HAG%KJj^u-aiMYo*QsxZf>L7Boo%^rT zL~%hJNpmv&-BkgHm$l9YocYjDMGShJnwZ9o>!vkuGIo%}6z?C7XK;==U7V_x+j(HO zRTQ-MJeAAee&UMYLS%dvcL1r}W8dG5WlW@OoYdB7zFbC_-_`CUGu0=xxcWeet#e6O zs)3JG*M))cNR!Si_wi{(M!x5P+C|t^IOG->BBXwUN~5R>ICecB_%Nw@*x`= zQ}u6vK&tGfBuIG68#7xle>7_iQa~4 zhS!DDf*7`uhvkiW#%S0fT97=!98YbwZgt(Uauy|B-5BI&XFS12=NK+r&(#^P{wMHY zrsX?gXAqpq%E;qZSH2CN2RV3@_7~lz$JJ%4e&3!8k<;w(^VvZYxy7ld#*pBxn}?P_ zk<)S=R1N&s3Lgri6Y~Oz+~ce1I9GHy@$LX=zwE-vpFS!RqZH=z9ff8v`FVui$^I%H zvwkKONF(lJ81x8a866Vnhvcrfb=xQ4(KAsrdAXeb;uUyte)IVTDh@d?bu`Hz}O7Yb_-n;zoCK-7kK5IJ4GR-jr{~ z!{h!WT-U_hd(<%~mf2UeOw68MfY-bO!o+GFeLg$Bs3v|hDix5SGQKmHTf|=#kZ0H6 z!#r826)@unSNDrlJDIUN+XS4Rtq-|E>RsEozdKPq$tteP&HLOH(~uI=hLh$~iaXqy zyv(`KQX=R5u#x^G>ioUNV`}4zT7TMeT<3((O6havXx>Io)+{{QV2eIer*5BrwnW7#X>dH%7=A24;znz`+^z7eBUE20b(2 zi{3MVM7VDgVlAcqXXU_QPnFRQVdqyh!sB+!Y_ga8l?FEPQHHd;@*Lmf46bM|DcRK5 z9s6-hTszqE$}`>wFl3+@pUnFQ5jI|Ar{FOi3MM*{9*i7zoy~`i{3{LwGiC` zO09-vEv$yT*`Z%T?$85w``NM@@I-PmU$qEFDCK3}c6}!5t&pZ^HJioi0>1a6;rAMG z-Q35(cqd6U?3^hT1ip58;4R5#Ax1+Z((s(yf3B#@ji%LJ?tKOrPaICno_suJnrFe4 zr#Bcu*?BTu3x+s;OI_yIT+7@2en1YLOCq0HoCEh@^A^_~y$faThkEALqwUJEGHAT7 z8v$Qh9uGx7O_?$!O_}OBDPV4Sx@KcOu)lD%Vvj_1*APbnni>B)quVk68-) zt!o)1<_Eq3lFx5);Ul9=M|i;%ED3l5AIblwp>aMe61_Xo!SKn)<0V&)e99t&o@(!t ztge~}|C(U7^;BC_>54S9&UVAk;i;8GC@pjGvD#9*Fyr9d8%IsGbYc?mTb)kYi0pRM zkcsfls67S8NaZ`Eb8J6oBxl-40rxH8UqEVzy*z!HU(C^zUlD)ol<)a|AI0w^v4y>0 z+pD0*BJyE}-Y)o!$F4;nCHd;rGRGl*FIl|Z`{UKZ3Wa#4+F>BYXvoVK(xBRV9Q`BY z9&W7W@M@B|Z7hA-`z~~RGoJ96$2yRybUj@p9m8i?obx*u8IkRqV)U%B0~)lwXSbWQ zCp;}C*UNY&_ZQe6yiC3LguMNpX3|nUZeB)O=VD#8IX+c-T?7m-cNUenEr)@Yoqzh_={DN{k~>TV>&Gb@ zCiudIU&SeT=FT7p+Qw=aoJK}h7>-}4J!^9^$s=dpFNHUGO)cupXReR&xNTJD>FM}l=^$xYl^fCe zu<(=eOFCh{Igeuw@8Xu-xZ-2H;2;Py;#l||6t1GF zt^^yCa@~owOZ~PLj-jLb1Lu{a10Q#N63S&HJ-o1gxCYk@A!Wh3}S&XDeHFrd4TxzMmWy%1;t9B2i_U+sDg*;?!K_ zd34R?t2xez+@VI~GX9!GX)RZ!C@uB?8O^hAN!XBm zZVH#DyXpJvhE#LtOv@_DH?DNE?NVSCpQ*saMKP4?hB_)lXB!%NRX{EEwK;a*IbZpS zQU0naroaihJxP4$2Kpd2RKjd 
zbDv@4n;Y}`hx)C#FZ+9%9Wx^`)cV~EEbMrYr{C^0R;%glDSa%$ws~Ut0qd56|Af>> zv;Y>;(H|iJvq({!P=%R|O;0{}M&j0q4Ue#*^8hD)_%YvUIyp8JvOB-A z-AO!#5E;RXx7D^~TbivrjZW`BG7qFI+WM&QW+5UAi9>UimTm!5=rJhl#IAx3VZqPw zEh$HWW9^fptSW>Rw_8u|qIYV|?IHCoy_c2XP>R!a;g|ZPff@omQ$j+==GCd8_XS>r zkefacCkDuL^|(LR10l)Jfb*Ddo%b={Vz-H`$~TIvu78HrdW8QjqeaS``5scj`|hG& zUs2Uh_!Fjzd(9O{Ojrij8{XOemYoB}Pwd3pqYS{HlUcNm6U$};kkv!1ctruk8 zn;xGuFGM}m+@6689ydg3b58 zA|As_3>^DG9A0$$8HJ78I`ZGRj&S~m)aIGo5h!?vXHzzJEcR1SVzj@vG9Ll(QYOjS zthWhLFhZuZg5Qc-F0BYXkiGMss_ImvjK)*S^jr*HAEpBL$z zADso;WcC=R23gwx8~3t|8c9KUB?gsM-M6GJQ#*9nvK7s|W(x-{X+siEQHi4dqQUAS zMTZj#plvb-jg^u3sfZ3Te+oJ1&S6zuy2~LeBchzZ?#3gn?Qk%&4-c0lFwJERoKbB6 zyS3yHB6}U0=?PSk%vq+S-%#U$#!V}1fpyyfhemCS`UGz$l){^plXq5jQFH}Ei#U-M zbRyqPi4Ii9jIXa5+W~riJB3q)#qfq` ziONXN3U1^2Usn^vFWh|1SY6&Ki=eBR=H0b^J|}ZuxU)R9NMf>UQQG%rIO8OHFk1J1 z-vuaQtKLzkShM1HTD-8TD0*YU9U0Z+$zcDpg9pb-;q~5Z=xubBA&o5^ih$R;-%6_# ze=W4o>qeo8C=|yKbm#zLlT;lb)uaNG4!(J_>6D}JZmY1Dex258h9LH9WociM~tqJKvZiCr$JX=^7WiCCZ z_9g%TtwSXvgymWAGl^FZ?_G%63nF+|ttM7ls<}ed&+YW)9PK6)X&tfM{FDQR!v)GW z#-U&MZAd5Zv?cOn_1`vnukWp3viy6asGf_7ghN4StTvFGLJee3rQ=sJ07a+J3#5J7qTf!|f|b8Q16% zb}k1aBPC2QyY2j`*kx5~H2>lZ(B0|i0p_>w zH+}~+O+hJP2Y*+P<^0~t_)ux15WV#K{Kaq~k8D0)`Qd($?Nqkf+OBAg`a>9*=g46& z*NxJ2aaCO6YHFgNyNW5rhs(%Qk&WS#(WZZUl+b(N4Ri^I{~MOuJ@4Q@Tf%inx@^XzdI823 z+4bzv2mToowQVpTi*a%NE4 zLeT;OtiR>*e1Gcw=@hrxT?4zfNuqxEhRu%DXo$?U@R$m!OMq>D+{eAhTI0uVj6!td zzWeW6ob#PuLQC$aDEiFVG0NxJdL%VC$2#@CjYR?aP9LaL=J~rnO{V0PE{n_!Pk+vj z^9PCHwn1R$GBK!A-c0>?)K83+j}b9e)Z{<#Ke=W1H)y3(m5<%dI^v=jcD_*@7GJ~m z*&;W@M4tL@0587he8dT?|T!mfxr;W4oj?j|z`-tg_>1=Ax zEUi%CGx7fGUa;hqEG9!{@Zy-i8PmHSQ|@X1Cv6B4Jn_^B_a&Zom^W3Spz)Gu6I^|_ z1O2rA`NE1>B4^I3LBiVf_c`cnWyKte4n-HXhv!qHJ7xM@ua>esLQp>4tGK<` zpMvh_njd7hs)~pHZx&xV0mGlc;fjBBcF}cXcuc(iyZb6D4~il2S|EYc4QEbNH^sl; zY*a$bzxoN5I18WWD>}uE-(0v`c}a2_^7nb73jM9n-%%EIFW0GLy-Pinhq7Be6sJ-R zUzUu_;H0_@5hKV40$Fo!>vR$G7%W9>5>BT3TwD$7xEFq*G^pwj4NYzNU8M^ z*PH_p0(jw3v1}?rMImfhiI1y%^3YxajlKLslTj5_C@(_tTR2rmBF+$sz~R3ci6H{eR-do;_a?;rugNZR_MYqk 
z{|D++KTkqaG*))TJ1pKlnv60(r}C78J?Lc9*R$L+@K#M#ZvatlVTT)qgxpiE|(88#Z;9KHw>LlTck z*$k|DElS**Rq6N}dg4E;4fMc`^hH7pwpb%XP`v91B46cE9?430;EjvMt*5s`r1*a2k32+L%Pxj@qOE~Vr_-}9_jcBT_^wgzt5&qu|jx1@#$M(g2G==zCCQc&U ztd8%v&&PB*w2VU?@KEk5Lt434&f}s4<^P}0==4yD@I@*Pf>QsgD>)NAR>z$(+PeIn zH$rRYO~urnx9TKsXx|OoJ#FUB9AL`EG>B^%oXGA;sT|9rs8v?k~pfghN@Z29vSvRsi3o|_1j>N!5 zh+#D)hVOUjHVzr4vgiI!(z3H(9ieZ*1AU96BN549pY6>r$Xw0A?z#u((Z<=dSF#6= z`X$582)IQK%g2NIeC+dbK_@&aABv7`=raFqR4Ri$kf_#-`0Z#EciayqPKB#HQS5QV z9_#jhX+z0on<0}-s@8q=-#(>Ut)E~=f6F5%Ra1?KJval7>%2^DMxlgg-suQ`jI{18 zY$eZ@bWy3pk^&EJgdXFgUp&`0Gldnb+v zESt8)j%Z>BKbIk#iM2-$=&H#qf#c5qFF+ma=<{}Run-l;I4(Mq<%^CbcnS5yBCqF(%zPnhZ+?3iN zU+PT8{8wy*$VW-Rmv`nuT^l$ZAsKUr#~bjnJ6zKT z#Qb$RKIa{aWBfyR0M&j_0USYw%LBOK^*^|J)gB!FVx~hJ>Yt7u0vleREgCcjvv+b# zmcqnFRqSDp87-7PCc*)oy zwFO$NrQzC1g1S~JKFD$6$hjAx_zFrb- z>J%=0^vN7-{A*C{;53;pj!e%x8|~_&ZE_`)w)@Z)ftw8HFuz&yXtOC#z_WVkl+euM zKN%=TIYMR7_(ui>2pE$e$IgJ0#Y_)kL6Zv0?Vh$=DDn*-ndOpA=~nz7cd?Cp#bA0a z-|*ta3c2wCO;&2n;!r?JJTKl*cHw6mT39@jj4+#X|61sg|D2b*M*#GCUC`?hp6Ez6 zd>q?;xs9f_ZKFD67o=`;D5HB=%0x2cd?Vh@OutXT{lm8@%-9tRxiVH}<{RA-7liUQi)*iiQ`h!WgC|Dg;CpPlE7og81V zq1t=vMD|leAQ1rE9E;pps#6xY%(z}2#Rd|Q{v4N1YQ7d-5y(9V6!JRQ9I+81tCR3z zNabX`|J)&J62ko;(n@6!ojTb5m&eMhw=!Q&n4fpHzg8a=CnbLsiinrXW)%8P-B1s@ z;rZfSzo8iy)oA;F*MIAI3%&mRpX)2@^|yZKA=TELa!S|zsv_fT~g z^rr$Y8{-+9)Ezwd|0vfw&w|amEbZ8#K58}v>Z2@o8ZYuw%)McIsWMnO?ucY#VK%wW zNYrfR+7@S}_Ey4?zbTx-0ZqD!W)U9~z0(%x_fYN>ntlC$7IL*lo6hMNF{qE~`>bp- zgo1fa-q`9iu2 zR5*)5!E}~Mm4sJ+AY&r_8&h+Uv^@B?34J&*4vPKRl=Mj?Av|C&;!2%9ablhrCzzXJ zrXJ1z?#8APl?PwZIsS*Mg$SDXtBrGsBi9ukGmz$o*(r4D_YfgHjjyF8Leot584z>z znw!kSrI9_GZheBChzz?0mHEGvn~(~uMQ~gR#LKxOcaLdJ7f<*%hK5ZS?WYVBq$}(& zm=)gKpfmRjVEyANbeVzvI&D;*24m>e{R^|S{Zc- zcS84d{R{(XaMy^OMQES~DJNt7^~+3Yn(zXPx-T$RF=N0-{ib@jjTU(vV;b0|tl)Am zko-rlcC*2)y#C^I#ne(WHUZHze+y0&M^j$_4cmAo8l2$KXu&4AhefnGI zlDzFKqN1_qeCQ|zZG0;1cfpDXy4$vjBQA}7*M>J(fZeLO)dV*T*U?Qsaswti*krWuHnFNOgdU)Ex8JL z3oY0yrXH@*b6BZ27r%w0Ik7{IsUr}QOQwK3Ba`onK739TSir{e_wHicuo&n+hT=c0 
zc-NKRM?3rCE)Cw1sNOXn)*q8ryXnQIo9z+?Z6}cr?78e1cGQy;1R|o`jf2GKtwWJk_W%kMh` zGT&&qP;rcNBG|$ng)lS)9&43-NA8E+dFaElI+eYcsSZk0(rp#vE_q&m?xR#6=iu`p z{us9{HA}UCRcu8i==GmH(1}`DrXkQZ+H}u1*Ypmk+|g@ThMXL%5_^TalEIhBQkN$6 zbjX|klsHQ@hd2#G7j`rYim-c)Xizhi#=NZ{7I)8buOy1ajRh9UP%cUrT{tlFi18P^ z=At#K65CHzZ`y<_@>0Z$+*7WR7YYWU817cQjn%4{P>#y^F#=}Q$aZ6!;%z?&rgNo` zr?wX_yELj+t&(~>s{XB){3V(JV#)80L(f>g(&B_lH;xj*D3MFU}^d!j@$I!5? z+EX8RJ0uc%6>a&riW-&|Rv;VwN#9OBtSyM{b6^Sm9e+OWI?j0wj3S2-QbL&M7+VZ5 zwpi-(igHZgVKZsO8R9?gV)?drsTctM@DFPlRS^4N>cR?T`OH{ULJ|xtoCl%1BWKP7n`+x;E~biptd-R%lQ9=v z*tfoYE)FU;i#E->@7s@nZN;EQEl|}_U-gaAokR4^%v>gKIY>J>q))xEyf&3NKeOh z7H3i7tSaGM+hOCSw*+H`u3hNpizWT<`J${Hr(IEkHD>TPKIgGT^bMjAY#3N2g);^< zcHqP&n4|J#s1KDeObkl()bfU*&i1=S?AGx@=uRt(mI>0J z5O6$C6m)#w+A;}opFyI{m@0o0@BbbAOiOfj*Q5lPEV!ptLr|)k|4Rc+zebzT0Bz0& zF?^`c5!@HLLucT&f%S-N3jas={loC8iy^g~cS=pu=Pxbe&DqtYXV0+= z7u2n)ykF*hN@$a{fXj+jBIV7Cn<>Xolfv+j;yt7A@T2bo{G%l~Q0d)UU+E2{g$(y$ z9!hIl=5y3SL{Gh)D?hIGT+I|i_yZG`k$i&;VACQ(OLqIdQ|3f$e>v~e|Gi#wi@M1{ zXP6@&k5z^OO;s&^mG|&@27~43aUC_AMxAU<)%PCiYVN-8waJyYMk#UTV3vA|9#ngL z?$V5=$T6j{3O7_Z4r`RqDtLq^*?wo2)i`F9)c}Z;eka`Ss1_)ooRh!rL%z-2iyDX` z@fB>0t4Ob94zBi|n-+RF_L3Dj3s=|~=(d-bK7!*gU8rHIg5@78IO9=G$tyO!ZnYH9 zs8maqFcc3G(7;zDuW_p^E=Iij0+jzPp|gah$Oo_BO>^q~e33n!nv9WcuhaiY;Qfdw zYF-E^31z4y{Sx?!R4;(aX~tWqtg7F0nWNW{%DFck-!#EFk{styY0%kt-|uJH;J+Rvo3 zai#bZBQ+P2Y8l2Eszh(8ScR@+OWUkuS7SK{k9TXK{NP$}92x-&%Z=J?PNtLIZ9+&$ zd~Vlsbi{DAiYJK}H~3I1x|zw$rYmaAVJu?T)PqVhq3)`@&r#3|81iO{i@{CDZc6@ZX8uHK zsAa5!taOs>W;BSwstyRj@lX?(4~=1>zmY*v7wKI)Z4@}Ky`4P2WgU}e6L7s2+y8{u z3iGy=Y|NT5zhsZYm(rxz>BbL94dAN3T@h<(tyXCP6^J&PRgE-*UNJ#E`J~P2W(0fF z2?!`Hp-@i;()(nY+=iQ>k0OO(s zK!nMBRDyTfYHUC^{yMchg3Z&y%F&1NYpdCGSa-~DogVuiu2os1o@Y~Gch6y2f4tb5 z*-E!@Ej7%pum~#z>(eBt^|(-LsH!^S7es!N$Rm8iO2gP))GZUWyF0qA_97MXKT(?f z48zTDS;Nlf*CtD>C8v;cPuSeTxP)Zg$hHZAO9gCq@-dk1!R~`NTsR}){CpnEwy3F9 zV2DPUm#sw))gdrrXV6dwwxt~;;sRQYZA-FdST z!-V`B!U$O_O_9S>sE=ctzLE2qrhMMT6|?;2@a+vck`{S4Z^B|1uL=Fy_XM+C&*Ae$ 
zX=6(iU^m>t=7b^HBoTd-uHc8I#<_a-I`@cQYq~Q>ULQ$bStH3*atvQj{|?#IvcxS_ z$^SL$@=CiKJ^W#}{kODSB}X|H>n)g`hC6`^gW6e#s%Uf4dE13cDc3$O3|<~H4+{aE z_=^`3XU#u32(t`Z4KNN{{gDHzM9Q4iSdnwwJfYU!(wnvgzk6~V*|p*!mhk2n6WGng zSEnzU7fWpsIpJnf79U+VC*15>!sl3R1J*_=GU$I2HX()kN=zwk^1SgMV1pwFIBb&a zGPUZPW?sgwc2RSMJYK%XIBD^_cG99%pbmL?j0Du2=F?81qGY_9TsAx0FD|T@qe3o| zOg(?*8F;4F-G3CFXvB0l_sDY9{RLxc7xck-25VRJI5`8Ls)qLc`NT~=cjp~Y z4ZrM8#RlTJFyh-aH0A4-kH@zYIKdD146zqGGZE+)%z3y`MrWT;%Cx9F+zNcacR0rr z3Ph>Cj=aw|6~=;vmbT%jZtLQ?ru{A~kUOKmYbc+ZZ0C+MX>1h{lR{nRM%p)>=}p(* zjy+RdELE<~K+5fxBf9Eyu~FNXIk704XQrP%r8d`Ru2nT$q+X}mQttyEO5skvB7Azb z#?=4mZub+7Z_Gew`$y0c%CxPu)-*#1xL*pNIhqF2U@(dnEWd7#9b}AJ701ayGfM>j z3qOZ2$6xF#HOTG*b-mq(`8SQZQY7Zlwe6?LNbC^u_45m%rmuy)za?okytd6Y!P^Mw zoJTq7Q3G|OA2dq-m@1!(pv9^0{Q1KK;NhXry57q&hc0ArG9FkWXGrrJomHnIr~eq# zvq>yN$DAGIDpmOw=PBY?H|r0|+2{|}VL3=G2#zOOdfH5rFwq@ietc`3Z0=(K!Q?c4 z#(qvw!gJg`fc1M%=F_2;0ArgGbW2k2l2I`qN9LY<79YITLR~A~0>f{u1*ShPe>MYV z!G$B+WDI+ONg1K0;kEQ^alyQ^b95c%|# zW4GV2vLV+iC;H3q4xZ8NSYGsS2*6kgY4<#HU-{K-&%6oEf_TB0yfer5+oh*kuFQW- zSyFh%A70o(>@@@v?apwqhhe=ABcW~gMMNg|u&o!3oKD55e}4tO$FgJCUDZ<{K+Ro= zlCxcjf-2FD`?huZ6~ZH0v6+39+N5EF{g8hM6yAEbTvRN1?z)gFzk$@kSE5qq4rWmwWSldCU6ckIH7{BN2i7q? 
zd9BZQatbZw(jNf;R-jyZQ81SAG28XG-U*hJ!LuX{Iy!slgBkfXs?y``@e=NRW7(=i zv?sj?V{7@g&Din{>Za5tB}H@g8#AxYYns+i-Dg}(cZm3)Kd66Ct;*?JJVcdrJ9tjh z3om?Ua`~nwu`&JwqRZVfA1kK!cY^nN3X2%6qz~yr0z!c0#ewx-IL<>6f>!bwrp{h( zOY*ZKtC+{Hw>#~(>LMi{!wy?tWd9_P4S@T+F*R2;DPJBWYf1B3b1&DKaU*mQ$FZBz z{w}EvlfPHu{S##DpJjo`uV;aQ8jeOE1?UT4bL}8#x#y-(!I*DRapY#gb!|I7b${p( zgH-_Y(<)$x+P{LUau9>g*VtnhM=^JF$tq(O)|YKCzc@@sw7Y(UXkE{dN~XaDpnXCsj>h_IXzAu;=6k{Hv1!Rg z^4pEN1ffSCGT5Eaj;VdG6uxe|Bj3v~9zi&ISA@~P?=VPtOi1j(AHrW>PH`;(fu4B^ z?mzguA&E;}5L5a!gY}5hySWU{n&?6%EcI^bt5MDc=6%~8H3&4;m^11#|0tt2t#v9x zLY=0YFe^={L}H1kN?_0{;f*w?fRNKf=4a?cCDvzFb=ZIX8NN;wq_6Qyt4ojmNyKIY zM_PIHM_O}G5z9~@sRK442dDJqHY9PniAgzAkfy+$vi=P|rZEixsUL;JdqBq%cB`K1 zsr_$FUY6eSnajmAf73_ z&pjjy-6jR{^>bmGne4-rKv)uFiVL>7YOuvT&6vwNBt*@eGPa-%(#lVuId<=Jy|9+< zE*gq@ZK`M8Bww3;EACa-OaE}nHJ((5+p?}KuplVTz1}>{2>YlVqqB@TXjG=D+W8rr z9N`2&N08D%WMq2ow+0G~?5gEB;k~b;=*`AYC|YcE;B<hrTK;?=Fp;`LxE?X9W^HU*$KmF!tUX=a*`_4m9?@V|21Qz-CCry)4IZb< zcID|IV1;~;Go*cuLpu0Qh%0z3wtaEzKC^;vVDwtep#4+;o9%;^OWK#b#kbw#u8VyN zbnVA^hQStyPMu+;5IM8kxK66gb4|OT#OpTj`f$HWUiF zzg(k2ZNd2~H=?c@*AI8c_i#;kUm^)D^F|kxroc0GFMlTF{F((kn|JUy1>_L@sIMqW zw~5pVa`LCc1aCAY^E&q%w3n|pTD;f(neg?=P^{g905+e8s<0iZ0DW@~rDLEP>od&^ zpjDdRsmDDUBfeQvRoi@W+lll9Qu&|Ewe|gkToi4qhAfwd_)-l0SAz^qxpcPQS>RWS z(UYs;s1x}Fx-3OFW=)-s@cKP-TUH`Lk`44`rHS_W1iOwR%y4zovvMbqTmr?O3@B5Z zQe_9bEUj~klM_bF5^T*b3lYZaiX#QRwcf0;WBVES>kO|r_~Vyn5pbqrX9iGGjM?$& zh0GGR(Wr#NH6KILq;Frq$OEJGRyjT%1S zVYcZ_Y;DD}0mB>8Ah+?{zD@?aWjWX>W*1XJUq>egl6}yHNIVYet6>a4&FY~gVWS8I4 zpGJS@DJ=L|dhvL7s_;GY=7Bvu=jdkpra?q0&mxCU^Sf#@*N1fMSGe>B)kKp;|HO$? 
zr_rBtf7AV1*sNd3iyeuEj7I0=1v|B;Ku!D7F-3yu^#HpXELBB;avbmGbTcKi}Tv;1weJi_o~>NggNRKja^%=+@AQJr$hheO`DG0@&i zKYyYcGW*2m|D{3id1A8C2$IbIXyDh#cM}?!p1R|QE)VS~LcLqiT(09?wTI_+hV4ZY z{rnzHX?nl%vwrXcTpdsRyvD^h4+w9O@WnR?!@O6ZcLLeDCiY`0WC$|Mr-X@cei$st z+ESKd#}l=0b{f8YPjPbD^_PMkNBmp1Q3^*Y0(A%&GOigEML3RWWWEEv^N>3l+O^mG zK#oB&N`o8B(+>FK0GqAGRpp<9ZxQB6xyx9sNakUp|#!f#8+ki?iR(Wk|JH=Inqv zKR`CIqHaU48sN?$Eh?`hx*Vaz-VT`a5ml{mW9Gp;&*lPm-YCbAS{AWj~Jc&%Egd%q$N zFd@D1{6gL`ju`Mal>S7V%z5C^^|`542bOAjc-&d4J0Ed2V;D;5z8pp~9O;K&9d{k4 zjUeJ;0CAs6kMbnFecy~B@i$vc=X_VL@9JQy?+PtJn7=bDLo_q78YAL!bLQ?E(igRw zHj34}cm4Gyw4MLBz=o}Afu-(u?&hIUxBc}v4N`EO+9o6NL7fZDpDIwyNH9~9nIJp) z^^r2vG|nWjK8ymzNk#<<;?x-$s&IN02UBUKrR*DL1z$XQD|@_ivJ32UvOi(nGS|ER zd~soc<&6C29&pbFk_$Iu1*y2s-_ZiuK{xX-D_HPI+5F_Mk@EN$s+_F5N$F7GjNVxc z4SDf+F6fQ3QfpdiVoV6=LPqhiuQE1YK&oH%#TF?yWeCaXV83E&lu^c!9Yo{{C4H=O zL?^FMI@qpILN8u5EWsOUHJ0q1g!_VndEwd($dDR>7R~FX^v#KGeFYRwhN7NG5-L6P zE_e=XWVt_R#gWM%==GgG&-7Eia_ZtlnF0$d@}lLkf?!cj3&U9|d$xevBEL2Acz=~K zB>s?^pix+7=>?bj+NY+`TPY-(h4i*<9|{Gf`|53stteNA_G7aE<4dNU?c!jnl#F1|$id@hC&Rf($q}l{(=l^mg4n7d(z$ zYB%zv6?wFV%dU&GrCw_BUeY85MF`Z|1bf~7e+wgZtX>)ij9$>18mh!kl`$i5fPo1<9q9P6@?;n5BarsuDZ!Yv!3a5dwH@3Mp>4dHPkMW zAT#Y3>TzY!;b$DrDd*7(_1e}5}+_yV0LTGASc$6m3Nz=n8NYB{O{mlee>TukiL;H z8s%h|?5VF2@=xj7$0&U#s3AN3(Ps|{{B*0aR^q%ib>f$-gqS%ZE~t0$r?2RALo>sf zcO>$7;)ltXa9#K{mofHI$~pKurJ)vug~Q3;$cmlVdz<4}5Gm{a z+J2y=c+3J=(UJmeV}3_m+faE0_mo1dvJDFzFb)d=MAin#6~?@7lHW`Z>%rx|9dg_m z963Pz;Z0?WsK_UAv=8$YMuEfN1V^(e%W{PGu|OE_Kf;TDSAYFN>`1WaH<9kMWiOCJ z`@TT#MA!%Yk@SG(HVk(2^~!4GG}^Q5ka(;Ua>%^6F3VfCq`x(=q+cyW zZk%F73<{ZNVrAFnpYawzIF2i>2kJS!lc+n1$+V{`nQ?utn6QO7;TzSH1DrbJE+1%; z0`$(Cwuy^;hEgTH>LK4}9gAtPc9`!b^`+4H7``ojpJI@d`I%){gYuNX7cajX7F=Q+ z76gbe?9@*`FI+y?am|gH%dC%WDWfTIslQV8IVPrgxEg1?OSf^PsPnnDpwX&V?HOP2 zoSFCdQwWlHqlY8=T93j&$17~9&7?aiH37+WoEI_uyr)|WSn>rPA9V&o*i90_$UmcF&{2@lFjFmUqZOSPIZ=Gyg#@ zf2oSUtnHI0T6SiV52%Hdt>c=1tQNQkb-l2B zgBLKdecChBof*`6z%6pK!dysNq&UG=4iS<&=#$q{AFFk$){%-ZByW)An5 ziyc*(1H1Ey#ti0$tm#i6Kl!Er( 
zk>K~r{l0Dh!I(j_RCiBBzTBGFgxD~d_c2#r_IOdMhTdGXJm@>1-F?>OpM->(hk-S4>sjNgo_92D_oWvCGXR%YpZ zBXXudm?D+ROjv0{C=+c@L(^cfLRG}%Z;uhswusr5XOERY%IRD3C7c$`! zt7%8=e!JD%{hobO_0}f$xbK|MdFN+|m);tA1b>kNU8UNxqH)#slD#Q$rLnbuRdbc< z!MEb_Gf>B4!ijYba+`GpYkG01cHGULc^BBn7V?cn9rI#!i`1XCQm-n<^>nroJP|7# zJOa7ZAAz96iY#(LedlRfi zzoJFEbT;`z-SWVT@pP?}>ypL|GA`~R$C=Y|Q^lT%#L;bgoqiZ#m&|z^XpHM-+2??+ z$?bkPb8Q;e`Av%=+SRx(h{OepuSI$4GW;a5obGU4sJ$^YP0iWCC%N~0d!TI6{%uME zZ9G?3K;CX{mO8HkvvYES{`bk#thdCRR8P_4hdHaP)Dokt6hOpEZb*{(`#ukcm>?%( z1)tb3XFeY%i}q&b+Dm4-LyueU^r4r0z$RF+2)WOt@rf>K%n)>uc%=kwshzuEFmu19 z0GH>n_3aoAD({ULF=OCKC8K|nWj2YyV^#;8M*5Lap|UYK)1!` zG5_hN3a-kt(9v8=B3J$xMuqdZ|xT}zX=(~(8j zgv{Y?(HveAFZ6quKns!1C7WA2oiXgBqK@zpm8zsMC4Eej2w0Uz@+#NF+%w%p}lMBkI&5R*W$;Ao4*C6r%IP4WQd zShft4KX<-Mz$Po**LOXAQ#p`nz&1B>-{dImbGaRxGJZEM*v5Z+$hqKASb6dn$5RFZEFyeI&gEWZ%t4y=zK(C9>AwRI&rw@-%oLlUU^)ug- zL_6xAY&5z(*0dMdJ{4)mn5*^9%Sw`L#vZodm1(A;NiiuGMih_g&FQZvsPe#jdtJ2> zz_jmux)v*~o*g{TGTE6vENCl;$579j|E}8J%1^&gj#@lF-{dQl^~p%dnPj4WqcX?5iQ1g)`Tr6z92J!yz&Ez9BW{F|Qde{zIDNG&e4Xf+kHGjwV!!SB>8o zE$^Ez^Q;lBUG|Ery_*0Dt6G+i-RRi_80``-t1<}Vbg|uz>%Jxr6dy8lpZ)<<$Wh`T#4jeqcoD1r5DgKU&buqC@11Oo@=2(Mleu|Ti zzXK=FG|5H7-p<{A(9)h2GA@ah)1FBwd~9%8Afy(0S!F{Qsp&Fr^tWm{ioVY#w%U>Q zjfi~KBT}`Q4Jc0>2bNyWioJY7HP(34bjzz}SJKv+(lzH@oP1L}_L>=Y$tVeYy*ddq zpstcj>Y|IH^OF9W6Jww!m$_JdbF5`bYT3^4qyX+94D}bSYn|wgRcqw@;e+4tvJ$He#nfvX;hH%CtxkMOB^TBM+ zr-LZyN84YedbVX(&|Uy^vHJn1K?ZubOKKj}Wb)rIQkwpK>H)C|P!p>FYb^8?S+ z?Wfo%&~k|%mSnnw?mnl1-rMUrNQ{tk{g`Z$JhDYS0DPN3eV>;aj^u0Or)FZo@@D0q(Y6dvD41o`&Y zbL+GzML>CGQOj?uoU?Av^Fwt){KMVcS=NTqU=^GgTn*!^3cF&eq3{K0y> zNeXEh?Cy_g3Hm9Mi{`~FSXvOe0>t9^<3$I28f761k@>P+!*0~4Fj8xT8{`$9zD{3f z^me3}D)r^-io#jh55R~CKKGlWjiSA3=E1Zj=a0pfDfJ20|8#X8a`v%yw?m`p1Ul)z}}Q2D)6J<)Un4as`1393DwQ2qc;C;fuCRcN~?SHAD%NCv0HkPm=1Dm zoVIaVNvhNPXqf;v5PvR8&wQYmc#S)#?49D4)q0ts8pSM|9(rUO6>JNgGa|X)Upd+j zaBZ@tIW*taM~EoPfC|7e%kNS91+22*D+8%3HO%tYYg76Zx7Z_exQ=orr3&)4&fK=I zu%dcp8ME?&8QGs4SagPd7CaMQ>!!mtXzQHOvh~L)14{98!x}>rX*M9jyOE6YceP$~ 
zgp-Q(eD}jBslq9Wdd6cH3eu?~Ce1wFLbhQlpxk8D7>E44FaZX@g>mdo9WnOfe3Mcy zal$iC4VduYz(7^h1m#amd*brHITqi73Z1^^7Y~N?n)BvG>^wiOeE(E_Ee;B%YS?r8 zF_h<#gV0oZ=C4%8e>rfPVoq{%La_k(6rX%r1bSmVNKrIZ+@zwqY2@q9FA2uSNZ%9X zyBfL|*NX+_p^acrZ3E@S?h?Vo+e+8V#w1?s1V1{`jKBycTsR+s!KH7$C6*l<-u>YMeHIJjv%2hO``*fi4C>A}9#y56@*Nn<`WzK$l?M80 zM{G&2PLVvHyY&8Jm3t69b;BNI_E5ZQ&QJ%GRf9GBZYmk`d{?DPKZ50&(~TDHHdbl` zOCUd}zrnF$P5}prXThew>VJ)QEn#U}Tj?&;Enz+0AEtXL{+XvbOt>pms8YSY4>?9| z9d2xXQFjZe3%=fzxzdgP$Tr1um_1#;r)EM2;-R$NoI8Ia!k)xMpyuw&mnQB%8%CA% z0!gjYZUB2shCVxO2O=5{!-cuVIzJ;NB4@uDcwp1@CMuB`FJn)V;l6ZA#l88$*IuoLoH6m)!w>eFir zH#|%#&?n=d9oEL89iOFixvT97l2vPFn(mDW;-K`ePelsMBTNPsq-# zy`~CJ5&k2iNlUDI+Gy3=_4A1Fg%X;eX?)HWjb*~g`8u_~WVO20pk&K5OPTo37P+Cr z8CK-KRQt^LDYN){bB;AYJrg17?=5F{VE%^!3bYWAN@UEAExgL6t=4saa9GAiPg|i7 zA5MFL#46I>#ab;bi;!9i#Orhk&3$c-=W^L!lhcJDqPA^9`>#3k&0=)>wfHpBHB&#? zHW4bE`#S#Ag(p*)l76O21T4v;v9hm=m_hQ>>Czo&Bzs6gFEhd6@SpIZX_D0z&!>=d z)+gEgOkMc~Z@c%cD&948sV~LA3T1Ti{wow6P4QQnpHUI&B;rfkCC0 zmN3y%hJQ_0g1VspFMhLhBV#PhA{){lj^~C!-Ka56x};-^nGJ-f#K-XxFnysh0Q2nSi5Hb_~Q!X^70p#=n#swft7RJz@e7RU;0=2GO{6ztXU)I7*sJh@}j^J zW$NpCZo6?(=Ro|shBWzPk{&WfA*;}ThH#50BkN`;^R28Ue4T3=-O%$R5}mJplm*32 z)INsq{)&@>G1ryDnnA{SHHf5!_UxE4G_h5_Jq`bp*|C0Xcv(K@v96`VU+*nw@U~VCRq>_^ zji1XaR1HLNux04d!e-2Gf7kmMYO;Z5jkMYC!h zvLt5{<~HYo(ULX$djK{6DDr}ArcBO%cG#e#Ue13;OY4!UG^)0ih?O}!V*)lSK`Ds# zO`2AO`~V-m2{Zj(r?s4>`*>MBfgm*-L3&XT0clF_ zy-AA*f^_LkKza?GP(sLEE2vw6eeVADIp_E7=RWtJ`K-*0HP)E#JLf2KWv#T*3#c1J zuy*&CUF3-T@bQf9NuT^pqoK3Fk1KZE(XH;%GrG&SjCeEKH8pMsznpOL5pA#`@pv9p z`u>W)>X)aFrw_B~EaU&kpyD2es(hpgS1}vAAJ5mBr|WQMTxF?^?nM7=#$e%Po7J^w zXUcJT>H<46L{cATv8!{39`LH}2?N1o(Og#kl~;Q0H`G2)5=t``6m^?e%rs~47vmNm z8KXe4TleG{HQ&oF&9TN|$K)O;$3U0ECb*OZPg&L(-;okMdFF+A#SMxdDUIhBu3|Sq zf#UAEk}G{Yok(4Wg@-Dxp<_xkVa_je^UFjf3Zsu*v>IR7=3mZp)(xMVj=v|L+*jMO zbQqT2of05VOpuwMj@y$WV=hQHlJIKLRlg~0OC4`Ka?a)(L`>CAuC*wcq*|EZ0rWI; zqdPeu^)n3lx|^Rb%{Kp}95wd#fvL^gW9CE`O;`N8jZ-aHX`>`y#hqR8#vhZ5gMdG| z7e{N3(($*76`V)R`G}pDmwej4!7-Gdu#+y_$`i(HJbF5SMSBnhL?8?18)>wnMLjzo 
z=k}X1hzjSg)-w;npT4e+o&J_J(KujSxCH#J9b2|_?cO)^cBF!Rp{n77W{&VW`AGLq z@gy>BpV<@=-862N2B2SnJLBrVINFq<4tf7m64a6{s_t z_afh@wADBlYNc`(wIC$$oOAo@d5@J%_L-kwTi%|iUwm@1CE;_>%@ScEw#~LTQJw=R zmP;`K88)3b_DIVvhfX^4GmSp=_FOTc5^$yr_SdRENv?O5T<)rE-~|IONaSmM*?{NF zvuQtF2rZ$ZthJt@U%GHOZB4O>84;?d<2dXa_91*W_!!-Y@Fq-sdEiv9mb>Fqhs&0Q z3W5s=j1%*#*?iK@6)!SN&s zPYRuqAH?6BUDu_hl{7wmJ^~hequcEVAcr}qSt2H@S!mVm3PxY#i{A022(^6Jyc$Q) zTccEC@tNHr7qd8-7%1Yb92vcoA4%}Sr8ujmTKRlVe3w#}s-+*Yf?CRtz6q6K~6YNj-`j~&S9rcll zd!NH$ha|caeAE`7g>)C=he z+~&$YS@J(Iea7R+)8gmEQ?PWIxLwu97g^!#^sPo79$pHWD_0Us3AMQ!B7$e^6gwCB z+F}-Sd+KxavNT<DCjW-MHbGqZ&3A) zew6R08BJtSG1n5h@8~(`3502yChepNijKDcBV^1em_E5M@Nzyb?Iz*TU%Jer*&+8y zmGYh!>seLx8s#7HK`7YROjTo;MqL9i;jAK%Ah%1FwkP@mfrT z=*y|OXRGi+38~5;g4M^!e#WHFTuD`e0!ctjYELsyr??l0oTcg^qAO&~4?1pFYn6X> zv%39+ONYg>(%t6z#ObM zPowyRdW$k%vXEHUuVm>d=;7uLa7aEiJaMWIqNKjO78I~V`$Yr_S8)|GjDp{Xre42h z7=XMjvZ0!5XmbJegw<`U83w#j6jKMvj6tqabAd z_)aj(`858TGF)BP=Y9NAP?p(f&ePtcll{!BkH_qcOE1^I#n*$r^?1WAQ22AH7P!AZ zU!MK`lk&i)96Hk{K;AUp%bG8n6kHG&v8vp5NdalumQn?~b0S zSwQCMOSkatXJQ+7Y+pzw&P@<@OA+fud#4WzaA?jb;-*Zhn${>%>V@!=S5%P1*$)H)(cqjSX{L+t5a5`8=&&$$G4=5jQUe-?w8hdtpt>(E$nec>+ z`ASR8>?s3>ufjQ+m|WiUFZh+O$vR{L(HpsC#+~s>;aj5EbUnS# zRk7}MIqG=b@h%CS+AC`bCqg%LMt|Hbqnc{pC8KqxN|beH)x0<|$O0rEBafAj$T__$Gr4%oJA3}B0*`E~bi*k1 zBN_`|4fY?Sc@a6J=4Cmn1{OoJ)y2v{F*NYt)dnYYs{KTM?Kfj)=j1-0Z*pUI2Mco=$zhHH+8@<AGTiYPX+9KdD^AvRinPO97qZHvc3Mq$ab8p(A|Hn=Dgo6k;lbxjK$5@ z(KLf{oiT3BB=eY+bzkLoJtA%1RmxO-4q0qVYNYvJs$sF;`R{H6&z4_937X8vekF7AOnhJPq3-$E%Td4bAMv_Z| zQF_>|%ES||=`^(yU%PhR_vAT${)}wEc{pN6k=cOlPqXmwd@h8r&+-ud#)bP&aZ~uV%!3M8D zJCN}9=q4?iG`*)~37NWQ@gh^0HQ4Z=%1vZFZ`?ZH(VJ(@l78fBirlR3?^xbvzpGXr zII3Hqe8Q^-b+-839ReHM2PU(TqV#YFVNq;2mbj24syvfqN)5_>u76aGh6wjO!4&X3 z!IX)F^crcIQzMIxpH`yFNN1EViY-d$=4t-nfOgrDFDFZ1M2)j_SN~*cidrCQv|4~3 zU`pCH&9w&gcGg2Mzk%ka&vZG%LMMhXDbqILgi8VE@vz52r{V~0>ijey12e!=&c^*Z zDgo)`uN59WNl!hF+mznSN@cCch^iW%_EHQ9wz(_x_!2~JuH*?+cRI^mkUya8?P#8k za770F4@aKV{Al%@AZ!(Io2A+4N(kZpO?`ns$oO7u;I 
z-{3~yW0i$)Ki|CBEcTksQ#!V`=?urgIFj})i-EPmIihN~X0gl2e}S!6$dxWmJj21pC?+;vx>r(Mp^kI^?OnXP^G4(>qZ{IolpGqFAv2!Fdj&}hI8eIDsU`R+%3`$NRBJ{St-Qt@DY5@i z)V`Ik>^vZhLGW)Dc(=v8ak%nNhegmia@l|+a#2rAX;Oeec(1z#Cr=nbije^Nz$ z*3?f&$}W9l2l3O{8>|)M(N((JC!Q7K(_~tAx35LKjoLh=C;Yh8cuY`}UtjE~&@Hp= zAG6!#G~u$m?&3RN(&1nV5hwF>BStm++EolsB6;*kwma~XyL>nKsBYAA5g1Ds#>>GI z>ZNeG{NPL3C*|1YkjAKf*(miz_VFma_YzDbdGe8YMCSc(RBq?@+a12OXh|TgA!MX( znUbO9EL!f{JKZ2}y7Zy%co`$LX5bs`@IWMQ-fDYS?<<_w6*%3U@Jc)Uu5LD)(kdS+ zQTMcnId#{GTXtz=B*^DAUs*C{UN~q^ov#r1`NJ2!)9$it*=i0q_)n{7YOMmi(BR!> zv@_J{R))0jVryYRYMkjShAPQ6RIv){YhHB+Ey0_B{ThShv>}S^pN5YQAU!ksawTgM zB*_!fPD43FF^;7%j%a=6NQIg+gQwa!;YW+PKM1h)P3W5vWaMAP-LEz$$ZBM(5J;@j zwOUH$!w;;oqRbqnvK9LlC;Q6NK+Ko%sp4z??x8^K@SivFsSj6&bK;<|uEdkT+Z<4*DezuOpQ_^Jzrc8S5&cY z436d30#CQn95j30>S=Q1l5$ef=v=!G39B!=UBR7E zp%WA3L7$iJ)VZrL#;VmjXmIu5X|t0`fX}td(YUl{iN{mif7kxpcgeom%IAGS%w^Sv ze6p4<*Xgl zWnz=O&CiN}ifp5|!<4o%u}hbzFK}0nW0&CR9W_|{tK%~Z*P5~BN{-O0?-9$A&Xj11 zPOa-Jr6kSCM8k5_RmC-7p^l%Oh#?pqs;K7P?m-FXXTS}m%!-n5;cQI5n+UA2GpOOt zTptAOx|v^TDX;k^5=QEgBll?INP{Ph|*IPzc(*m_@HZ#OAEM7NIq{M!g^!#QPyV=_QfQXSi zW_@YusTpZ+Jp9_?s6~WywlU$4LenozN9{HzPr63uXU%z)TrwTghs{vALd~9_(!2Nk z)#c2_YTo&mVrTP)9`@>Q&lxUSpoWJkM~|aCC`FwDQ3Z`d0ha!KkjWDLNtmrnV;9=1 z)La4cK%f{s#PO+GSe7H$``DUMwupe3L-0dl=y;vDR!*W`-^IwRC6VI!#AisYs^xIl znsXonkq||6H%X>oP30fQ9NIRQC996FpM_5}m4?4Z@(5-MN}=Xm98YRooLppy< zu@2!i(Pw@rrH$Ctcw}|(>vEdb#@DV`cBI7N#P&T9>{nV*h&^-s^?&(4tJ@qRtIG3hC^BH zNsII@uIYR=uWP4!RKsiE-Et5u$(M>rFnhl``t-x=$xG0t)sr%>?1n2hRLdLxlAcTiJj_ORGb8fJU=u{wUF^q`oetq)${R-EF zzO1nX3c4WM`)%fI(}4+nciqyb3WPOJ_i@Z0Q={0##PGb0ae~S<=r1o8JB&Sa7VR#{ zF;}n{!91)+rJFp5IR!jo#g`UI?>6@2409^93(P;;507pXp@R&5(C>Rb%jARIHB zyr>lYhO7Lgl1up4-jET2qBftq4~K(AK3-S96n(j0$?0qK;QBHwAb@rentaM2k=z}f zn=9|Uf&7f6Oxs@Wq15+=sX0eDy-?!u!d~`KhST>c!t5#`W+^wsbp{# zF?F&O!giaq%&{lxl{KsA7BZ7_({X#_TYRwtnY%V2x&7o-Rax2GQLKoE5Y~i$MC>7P0KAklOlg9{jLx4EBvRp$- z>xri?uB4@1XHA;EVlEt2#VxI+vj+LGD`5|*#6)RYpB~dMi;PdYZ4c>7PkcSlv{aHE4QyDcuw}678C;y>81wKJ 
zI<9LRa8PYXCbOUB#cL7a{7-ymy(RUi+#c|C>V#b(P7OMTcX2L+zF%%w1Mf%KX2j~Jfj1>-=%d*w zrwLC>O2<=&7~45^ATN9iY8t*|@Y>|;dbcPo=k!f$VUK+b$~rflUaMH%WDx0>QtU84@2l&pPGN`DQ~I<IKav zW_DJ;Ys5wh{n_QL$!L3pMu^sEJjEe7`PR7Rm7G#mp?86)qVb*V&bEdr&Xa+{j_gp1 z$g$cdx#c-+cY>UjBVwBh1HCE=Df1cb@tUJA$#?q5XHw4!3`#pRz2&{aduO5~r9U}c zd^&8z&Lh5*G(mutU-uA~^-$?J*FF0AbFc+-%4iRnGMRN|Xn*iIsI<)?(mLG-g)|q+ zV1jqNZ4bw*AdlsUV6=iieSieqt#68b0sK5(_1nUm_i}f5=guhw3+d3EQ@U53tgd2R z>2FK_BZGRYBM769r=WY`c)!va)APB2$&3(vl=Yk~Av$*e(H!+&roNzBx{>es2Ls8m z8U2GMlLma=4m}sWb-vyZuvaIT*ZD>El@4Qsv>j^(pkQ*`)N z^XgGoRdb)H>p6Ptx!#5z=Dzt2!K9W_i>`b2$c*H+E~q(QW-q_K!)EKye5$2_BXe(v z#;3?ck3`p8D0R&>buU4K$e2PhJws0eq&)QjUiRXDNj=T6@YI7jDgPPerS{1p>oc9NS?V$a(?A9QYv$)IU<&AFOiWCo)CCh6B1b7{xZQVJVds#%nAHQ z7fTrJNa-BiorLov_uNQMzFzqwU#nMixX{=3oDn&%ASUW}OqeHn|OJA4S*Q~Un z2_ZJ3P!butskp~yAjaR0=1)jIe)jeD(`JhA4mmRK*3^nkbI2CjPwl*^!fWN)&8-cf zDNp2O-AF6Ms_R6!Vl*y4lU%3_C!0dfT@+K zk1EwUyz^cBGtnO%;@N~K?D03t-s@^WUz`cHOa*aFr zUAs8$otN3S)JN1v|y`B%`D&M5}TF`TV;WW`!{RSPQ${{YjWnt0u$rvQHb6o*^dFk z>}~y&$6~lz>dER#rTnsI{SH#WNU78lFa9%*n&E%fPaMr7d=G&tVPj#cS=g0M%{e0RoX2w|N@2!YhV=T~(Xs?DMTaN5aMT>8P zDa+3Cat9o8gB3H_1RT4NbRt)UU(n2zl~`z|LT`*Xx(HgSE`~I(*jgE5gu0J?Rk7Hn zD&01QI5dt&musg)K8HL8C*F;(w)Gb>A}_q2cG?DqM^ z`tRbzWa3XJVF5{}nXEI3sl<(hs&J17o^^XkEIul+c`BCbhLtZlB?q^f&Z|{Vd`95! z4W#bj5f^uP5-{db=zwpoGCKXS8;@~G($S-ZAol8wlfJJh)4A&GC7z$AH|S%&=!VyC zD&c;*n4Sywq$Qq?uG{JK5cnS9%Ux@Le(^QxmyB*F=XRcxcH`m~_avu4R2sRr(8eCU zaobm!QePxS9Is2j0nq=>!SD0wj~zF0PtiuYf8keV)yVT)-8DjDaZdmapq=9f&is+G zpQcXLzI+S1*A7F3Mg+zk2i+Ao;dki#w(@;=)CYC=DvkVG4#l3o!S0(wufSO4#ZST7 zc@~F;oS)bZ8sg0S<1wRkwv>%rZ}jp$7H!(cF9lLge0J{Nza0N0lJp1EbB0wB(4ljLE)3x8wC1!M+MAL(< zCUC}&WEKQ$@zH*OJ>3^DqJ07L*blJ%)$WW;c-P241$#zTUD-ngOfshHp1`-b*ZR4A z`P_uFYuCasGz1my%rVH}A9HNh_dlujI}bxYc_0)wdWf@Y*J1-kLk&#z9x4#a?=P$4 zb1MgU*fVkQ7$pYRJb`u%IK%Dxk1BCfAz)v?YW4$c9VBuOV2=9&wy)anBOCdBWT1k* zBNGLt9nSLs-+uReH(=GET?Ukm+-ll+RYuPhI(Mcls1S5d02Diquz-O5N7e4|!0?j? 
zqtoKdkP*`ptiU zQx>NX=beFXe|Tree^l)b4@bZ`{r!z+fFH-%wbzf|0D=Szhvm*|L4^o)03HA`f1kKa zKonaO0oyX*491-$iJJ-}AS8PM1J~&uz<}AY4`6^7-w9{G0k*H&osj{){I`*T3igal z2K0z~BGidJ{sWw{IEA|dU)Xysl z_^(r;YTpQ@yDwnA`vO+IA7J~d-5DA8u91NX_Kb{V-v|ZTwKwpA3ikv)mj9&M?>vA` z;Cs0a`f<>%J${_Z56p9AKrDCO;A2hwvFdZvxjj6%osOAzkN{c-;0*EaOA7@a!iK zd|*C~vujTQvy(XEu-ti_cH8L$U`c-3%>$F$X{SMEpatT?^V7cq#@5h`w9hYQ-ZH}HW9_XIwiU3&ogUsAin!(DJr@9+TT<1(OKd;IuL z;v58G`TdPhZeJqhwAy&58P0kdcFz)oN9*|Tn%TLhH)YKRm-&rRp)l+YG>yEo<%SZ% z%~`8ducLL2Ho9}$G=_e3Yoro@RE`^V4-=?I>7?>ra?pP$qcc1n{F3{5a(Gk=_w(9t z-b>I*{5OPp(_!4tsUmpIVD630S)Zs1ge#Q|RZ(@HLqEziu`}!8TU`~2)x*!dYN+b$ zPR2)5-7ctyuPC&~B2aUr%8hDL7F+upHKYl)O<7w6>_!5<#@f}S<4>EidZ+}Tz@IC0 zFA=Cm>h$0=i)8xxvH^Fhef`-Q)*^H^sFc5$QMP^YWs}*A(8=XBb9U!w${M385UR|< zX@+Z3Q7MLQPf^h+h8_^AT;ff8+ryRc66iZBRB2$?y+xoNp;OOmX5+4p(|oLqhbMuH zp`BMKfs5JNeaui*ELTTHk2isf!`i*EDQknO;7a9d!|rKmj~U8avLvh!`vH(St ztnQMn%!@K@uVx3}U!s;RFS0Ua9iCl5Is=czCx7+&a3kx4*)jDG%30}e92DPEC|Oxv zq=>EG3a@L#n>_$=Dj8g98Mt>!N}IX+h=41HHhZ^nV_7ooi zVG@x3?G^s#%#VbBFvvP;cC-&b?KxetE1}4(n06s3~=@ftJ8oR z*yTvtD}m*UXg~lfto2k@TOnGuk1p8*Sig7zE{)nJyYUMEhlvllO9ViR;lTnP>gG=` zN59w0asCwkb2;oX4(CV!L-sfl(2`w_1T#RY@Q4>V-AmlOGYW`a}BejoPt zF>Ys~gTf*e{{DYevhJZ&x6}$nQ6Iy>xHvUg_yTm|0i0j%# z#6K6C044gV6c?=%1l_7@rm{)z?wsUI|`_0lDO_-#r5 z6%D(@a9II(<}Mokx!4X37k{V0WiJh2*KQjAC1N`?-1~hs9Qq3yK%{=qAe0Ab1=EvX zT;^Y8tzZhUD{DQxPn15kH?9%_(C*G!ssAc#1%?0gO1q5%{W)mJZhsD1@=L-8`g72b z-O(IWzAJG74cQ%R_Q->P`?u$PIwa7k>Tp#Mc%5H- z6A09N^DQmwzGb<=cH z05bMc_CO5==-5fv8j-TA{&Bx$Silf~JYf~6Cb6K7oeEK{7dNP1^FLq+K(Yg91u98E z$4>of{dWf}^|uC67!KQ0O#apSz!jLk8VDq)U}e5LLH*}t`0kqXzgg*mhU|7|;D*3& zv*3Ta4Bv@*V9ox^>evU8otz!SZ^sps7#rE*D%xM>{9lEPU6JKSExenEe=fF@-TfKQ zzzvLj;?#Z-bv{|p$1_L9GQC!xgH%r*|JX#WNcyTm{mz^>gi{ByA#8o<4) zomvN^0W4L2@t)u&4cN7Np8s3Kc4%<>jfQIWv#fH@%OA1S6}Xq();8sf3pnVU2}q2>n`K|Pb%I0lB)mp zGJFSNux9@yYuyJDTsX(!_dRQ!itT^7t04X>zqG3i2Qk5w!n>K+r<4S*uzTU`rw+IO z3V!iR!UPt{yV3)&cHO-sR=`wo*E|7B?%j#i|Gv7N`2=3)&k*r9HWLgisR#HVt0*i%~S^L`ZgwHsz1aQfo?2`E_YNDb=+FoUKWfVgs-g@jddArv}sMW 
zts$@rW0i^XgH8`bowjRiwaOjWw}}R~))DZHEW7p9t<9^8{exR8ix@$z?Pj8RI2t*K zz^*?=FZNkFuWt>tO%MV7T@2V6b;r#i%!I9$s1pWlk43gIm+`@KyM-l$Yg7KwvM!7~FYtsS#R+-5M$( z!ZtA^p|RMSjexD?BbZ8w<>uv7?DqWTj1;De2&skLs6@~AGkjB-YYu>qBsNCDoyO74 zVS{jt*Lv5yXd&DI(~Ld3Gy%mn2Eeygnz1weHPPkHlbqPHrGBW><}!91>b$-zzcDUf zh7N&ZXEEzjGxAf=t^O{ouj&)pk!D24j17fQKzFirD*c>C;oUynxg8O6AH_Gy=O}IT-@Y zcEVQ5YoRjXGxOUE+nYhl6V1`U0GIk}0;0D!GNI+@Z3gGHjWxl6e@(TTKv)?KUR|H3?X^9%4LQEN+zp@TF1K13yjn0%yJhQ-gdE34 z>Y_*Q=^a{>mY~_$NsBK6hiqHWYsfczj!#35HzQZ;p zJ5`P%tW4k;EZ9gZbW<&S!fZRW9zOB4TxV(UYN2K5mTeP~2KS{q@a0Z-xFBF6@EykX zGLpss8+jXT#gCqU&;Z8*ZLeU%HY5Z^n2T+ScdDF4SQ!s;{phAxcHf2&A!*35kshcC zoy9>rqrt58dErpF*V2#UJWJIrTl!wXOMgld`e2)gz*C{U(H^eYrT|pr@x{zWB!md; zvZdd$bq z3!Rgsfmeq!@{Gx%dx?lITFTIQ-m_~fU%Osa7mli6U{V>#;YX+b^9sQL9=C#TdC zXx&yHhGua*A;$S?5L#h;aA7d%N*>4gsQ%7&n#H+-!~su_Ldn$|rKRR6g2PkhN@c{B zmL<22#&WO+`xc~2@WBc)Bm`gynL@<=8d>Mr2L||*S%6G@dE66*KO>1=G8|o+4#9U`$$&HlIkm?j}+| zcL8r>x0fd&3pM0rb_H-Tae+{?S&6!1ZGMrSJ=!0$N%(1GuELlMU2oRNt(b8kyS?5L zvd}{m@+#W(SOWz@9cLxljxFCWm6I^f3T8_Y2yGs-VKQ|!S7^zv$TK>vK_laH?4KVx zXUIG8te|>C7g4BXr)iQH6tDA=V$3+QgH;k~h-puhL{4DZS#KZ>x7!nMASbrlS*4JM z*!Dyz+5gUE|NDmjdo?(A@_J?vCaAhj_G)|c|2z~$Q%Q6kYs(k2Hs{iy`L7T8K!F=L z+5fpi1#5FanIx$9KY56rQS0E`%17iVVOj_KGR?^>E#Wq)n_~!6S7Dvj0kZ*3%o%O8 z>4Of=Lj{OBB@B-?dItD#qyW*Xgt@EzpEdSBaW!QCeM>E+9}SjDvI~WZ20L+wt{6j7 z#EGgr2U3kbBGmaR%Og~?w><~(b$dm;Gmx?+QZ4zwy}%2_1%gO=;LL>n*vZ}joOEBb zR*b1b+Z?EBm#{z>EFi`-2t4oaA8J~g^B@O&GGtMbY@O7Ui;r2a&QlTe*(|G z$QKuY$akRto@&OhP zmUq5*>VWQW2gZzE#kFJ};4we0RRY^KWe^tg;P#NGJU~lf2eu)&mckx)jB6I(4%0`6F8IAD934$PiLs7#}z_jJ7mEZ-MsaODRUx8oCf`^|R zo4C9(IL58q0n53A!z8-M6~lfW;!Y|E#hvtt)bxyox=c2B((c1qia4^r`fle8^3=&* zU2lG$42}fV+`n@OSS{H_-j;tKFiRu+|FehLTJkE^=Gj^bxKIF<>v__+2|=B93Sf@$vN6I}ZY*9PL+7+jl!Yd?bRR%`@2` z{CB}bY8MOmWYEcU8MNfPPW4_YhH-%^PXX7M?5(giC)a?4W;Di_9tXMmuZ5j6$^Kt; zNP;>FJi!Z+dc_4vmIJtU5Z8XgwL`de z7-&CRj_3_&{=(jBqa(oKDiYTcI)TR=K>NCD&7@3p7Tk*Qu!TQGAkbSLM1$D%#+tQ3 zrwwGG<#t~)(ee-x+!52PC5l<7$F8g*v2$%9oYC8ht5R@B?A+Qs6uTv*1rG(@?Y{X0 
zQ<1s7Lb2Vqrscdj6fPePEyZrva}F}E6b^1LOf82r&x<;4pu!mjoG>NpeMH#J?ZQE4 zr!uHBCJByNS*;Y6gF3Enpff}_r7mZ3)~%$%w^ue8oHtN)2sGl(?ZZb%4;(mvcfkBQ z-hEvTvoTlU0|x@?4;^3zdY_tc+FCv_wKCGzx3=QcdZKS;#fkgCefg=m*=6u^zmsuL zpLF1uma(Z?W8vvn4XJs&Z+Pz8tjdKe&9A^#XFWDr$&WmHc<&G%-oep#T8O#F-@d)1 zZ;7K8jO~X@<#%mtzq#ge zINnvC-kb}7uX~sYrYtj<4q4qk-?ym|zuc*sJ2xRF*x0_Ra0r1aPn4W1}PBWPwqWL$g@f-L(p7`Y&V(zAnUbZjHIg{TXKAoQKBQi9S@Nd4)ibW% zpIlnWN@Oy&D3>iiA6mvUV{~YpAM&lHdi}^*mnnC;gu~aBSNPN93xaH1x{hwsNnLhX zc+LM&yk6GaEOEK$oT3Pd*;H74`K*wudaat}H_3xqacV^sDOWBox2`jHkoX- za_vB8N`{A6k8SmM&OK80r_IzPbAPOqp-1U;{IOF-`0i#Y(Ds@lbj0o$YCj@T~`F9kJ5woZtw7%WB z5!9^(flrUtIa|xf6nu(N4lufMA<#hckuHZ6wNA%%D7&h~AEnmCbHpp<=0#Kd0{)xH zyc;zPui-F;!*JFWny3n&dFR4}ZHoK+*kb$fYNgbNFAJUW-<0~8$jGG`^@e_KjMWqC zSS#kwN0V#Vroa1&7h&}B_|aqBmzq~uQe|2~v<2{z}uS+*iXJg~q@@yBJ6mxEvruk!B0wFvJSv@zWuLbM5(UB6Y4|AkQ`0{vIQ+dqE zC#sk%t-SA6fo%%|XZn0u!^eBUG?T-RQaw2pu3T+N{ie8Zho|UnnEkcRyiNKBx_8qt z+#gO}7%m#EvJvL_#;?J7Tj6GCM7L@1K;GPSNzGfPF7h8)W|e zlF=GZJngJcY0@g==b=qjwB$StZ;OIzrQeN6J-hoQew7xQk(>MK6$`@W>)NI-dy7hFluQRME9!Led*2vfi1Nu#~+CaXcXtYWkRcW=P>YzUz2S zlD?$>P3I%y(#;2Jiy&XmIHu>)*^H)BaePO{!kC=~CC#LqZz03P6YlhT&-xL(mo=C7C(<+0+& zvTjk=hAgwh$=!wQiiT@a4CotePHs(A50P5F{7G;PJAC&W!cOI zza^Ap&14WSXapCK3&!JrxjS*Y>+4kK@|Ss&&@C8gw>!(jxKmu7C%83h zS?Ovw6Il3G9+JsQ_8TydXevT@ea%y@B4+%?if?Ft8GaBiOxbt z5!o|iy~%T=az~o=;CJ-dj_FB~oigT<`=j#KOspxB8U9&lil8jr8_D~HDQw4imY*9; z2ok)fT_HQw-un5FsJLapaq;_Xsu54aJmTqT-f9-`J0*Tpl|bd6IyoyWUJYSnnfH80 z;b(j6&ca4ZmZ0y+;-Q)<1Ak(-A&>07+ZhGdYA#4`g}$7?=1+57rj%uK_||$Y_O?yt zttZMnaZyBA7!a{G}c_eS;syj<~#AMPN%6vTYG+edzjGa9DAJgev@WT@(=}U25 zbpeEpT#eB>_KcUMND!}VrJSpbA5=77XnoD<>}Jdf{Ot>pG{TBI*2BYtj!RoKg}U-q z&c{)K%FA`mCoj#bJhU4oNeTF7dw;PnGdkkvax{PSd!I+qm=i({%ZtwrHF~j}Utzp; zG_G0|^ErS8sZ&pwCTds5T@$d?-PE^AY8%s*H?E-KiGM{Sqx7r%!vfMPbF<@0-`0sE ztwNcg&V{r|g%>Yexvz2O!bVF(uC)MkAgHqkNgnEIWf}vKkq%dXrzT_fD!vC#gPEB{ z0}g$%c9zhk|*HLGhSa zhVtM;Cc5#nFwQ@W>BeNPI0R5a;&6GJN#1x2&nX8tsb6^;2m1plp*VvA$w3Uf<8sC3Ok@m16Rz}ac 
zOOP2;apZKnA?caP1NTpQ2NSIGF81&g@^AXzVIe#39Gp^KNHt|O%|bGk;GAx{DCv>?T^r@ZED}urdkL9Z@?NYOinC}K* zryo&t;onxgFvc#hHK;kFQZ zy{chp6{HIxU*J$>7=J}ubkbk9CzB|(R68jMBP-LF%Vu0D-z6uOB3^Mwu{4|^xl9rB z=@Y~nQOav`5b^f1W8KRhqrf}7q%8yWVpPX3`8JnUJ!iXdc>Scf+AZ_ZVKbB7OoBW& zDw9p2@kig@KY4N1t9!_&-!feRb`qY%{_yDQm=S5w_N675os&z?BMBPrQSoBM>!gcY zJs%7nQ`@Fb=|FPSuZO%fOlsF4t*-vYU=5!amNy_K7%P^)AMU}?#dqvAXLJKMAsOQ$ z??Z(_QtX;k<};Ms=4ouXD%lASlJMTtxho<|cztrSh~xJSIqP{4+UF5Ym*j-&9Niy# zr=RgKGdonMgvSK|3l{ug{rrQ?^nY5X-;4br%*r22PW8)ezWZFp3wJn;1@qm+cm=bW!fEB{YpZvhm^v+Rumi|^p>vbek3;_mLUIE%ac zF0i;egS)%CySuwP42wL@xpD9L?*Dx+;!RBVL`O{ix~nQHr7AN!aw$9cHgo+U_jUn) zq078noS$Rx<=RVAFhjZ`z%>Mf0&hnqZK7X|`V^J-gT0~S7cfQ&8~ErhwkkL=orhtPN4dI~leX3iVA%KZW)o<{KwCDL)Gmr#7D zXKdR=)8D)$TfcY11XLSPkMp7xp*}ylAJ!#a;IGb~XC70$^lakHd*DRRbq#pEL|1X^ zrS^%Vni`0qVJ9PAgsy{5zA|bPp8fu6cv-*CE-is&K3C`K;Fb|#)cy=}_YL7>Cx?v7 zw|xgxE`y3JxO?3S=A<4sV{j#OW^+2jB$Z}lWZ#?A<@2&8_^~(l0lJ^+dV4t`@_V1^ z`d}Zc3SWDDd{nNi+D~j{P`7GmZRvceX;vEBwem?U8HAEw`q@_c3dfEi^Pse_+vWRhEr>Cd%eR;y%IO#Qr9`LwW5cRN8gkuiQe*bm z&KEFOQPa8YOBjYU-{G&%RD|up#Hge_7JU5bJvSPsy@m{4Al`8oEvLu z^(-+0iId1y>GTLhG_EMg!z|w)2H_K%hh?l9P4@jRPizZ}jZ*!dbo$FTS=G`uLn?*0 z1(G{nRUYz7YiH_Q63sSEd7>A!5LmQY@aIha4z;l5uc4$1e_fW82{r%)h5Y<@WN^l- zr`S~40XIIJ>xOSFVxuJ-B1R`~S$%lA#UjaBT4Rbjtzxmbx@<*I76JWB^rkzQL!%hdk5`kze(o{H2-N+brR%Q0XZd*emLqyPT)`?j#Lgxn^N43r~1F z;(XIa6oD_#S@owbC+hU=A)&4ev-L$Af598PlCkt59JX)?+V%3E;c3+@udr9YqPv16 zHdmd~5xeK0!OOIDv5}=D9^PNe>Tc>H1zWEF+}RqmcrLve>{x35wb>10$Rw%7H@!kM zRu`u1_l2aNT;$-yZWJ#GAXZdl#m*c=1PDx)S){|UQs`2xSs3$knP#{)F)XTOdfw~x zT|I5&OP7Aouuarl4XJ-i2AGy_wvD896qtqrh3UL)bK@c0SLpoLS%Y`)lDA#X= zwc~Z^ympEppsWhh&m|XOKI2!j8|sq4Qj*ozbANk$n9HvNV#r26SOzqX#T%ne-CmIFZZX0uoi{l^*$9gcd#328cgUjkCht^BQI3VTJd2Y_W7!MePP@$ z6GzgyUmVvFK~N|P6p4w>CLgH_0?I!Uwztf}=T4~2g;~)vU+TC~D{aZB^Q=nvb5wLL zX^!P$({jopg5m0geRm1z9}7eAoWm3-OVkog!hr6J9L&ksCmD-gxL`aU)d(aCi3~NO zHR-{ibmZE5C3Ez(iCP^s-0zhz!cR3wk^KF7yo&OhvV}hxU#;U|QJ_^qL?F9O zxOY#Y7B=Z(-7NC!q?>2winXah5B5~d%hzF^Aw+)2$!{2auUz|VivqrOEjsH^a 
zuZqNm1^ch<2)}OO&z8WMQ+;qJK{?fPF_Rdfqnm^wNaNXH~&7AOPp6N%$JxcUCfs?spf#ER}G-$T)r!1msEzaE$NTzsq9 z!nP{#V?C)Lmr#4KgUKS2dJWwMG533%y4jDeqyh}g9|2opWlZ``fmyB~rUVN{tMq}y zuY@Lwxphd@G|IDkT$y zPhu1#bB`oaT_vbPd2@C!)Gj3@UnOUywU3t8CeRt&wn~#Y~6sT8h8u{`3x4dvG3m;KJAsB>7$~CU1P9Y^|{B zXytqU^bbd0w>zK5DT0`D>>AHm65z94>aJGUm$f3#8_95e*UeAABMntx&m(3Obz5w- z-kF#0V4@O>2u?t5@7D-@pSz`|N=v#I+8^?Xs^TntKrxZp&6Wv;*r~HfmAYLC$VIPH zw}>zMN{<5{LUc9FEUuL3^EDG2j zXH!sFE=ifun$fi4Yjd}9V|63Rl-rI#4IlDFX^KqWOgaBoC{4^(i}LP{4St1lI^Q1$ z9{yy+q31#HwWksH#4MrOhkKjU;BcE(yr#mT2104LQ zhFb$-rRu2uHPC&O4^(A^_zR|W$AHvO4snGc>7FSS-ZtDq5N zR{mFZt0770tIP67Y=pjK``^KXjhstKvwpoOX8;YAUYhqLI5#_A9^w)unhQcWbtv$EjIg`%?rd5pE#AD%K`%7k>ZWHz-l#08;jNh z7)Moo2c?JqUi(LWsgF;0uwe+rCSmr;3?7SKZl@`6rt#oOoxv+QN)a+<#F74V#1CF% zLbW$h5@`$JINI0LmdO1bZ(YNzugOJXFFB{XiIwh5rQ9vBCQwPNiBxq|&aMxhikf}w zjnW7;E>C;u5j)&9?NS|+bXgLPvJk<#WGGQ%WJ0CaRG4N|+HK{?8{edt2iHqf#oA;- zSC>_sS$&GWPliDbBy(JdBjm{F>eN`7X4+-eH~6tdB>5{@5i0UGVa7kjRdh$oO|-fu zZ3leglwM{Rxg~~*1%|tz_Cwj5h`sz`z$w)fU^l|@4M%jJk_AYh zckmt$Vd+AML136sIrA@mzPN;(-K z)YDtd*2t$CldgOQUTavIPRuTm$psXg3rnBFpzM>93b7 zw7x0J*e~`Xr_R}l1D@ZH@x~lSsy2?)w>4)NkzSBIf9~=a=Ym6CcY4;a)zno-M{bm8_NeZ zrXcRQGe?;tEEXoENQv080vd9U;)aha|130SoX!41+2f2`epUjCEZZwtsr_2es1~9j zeAq0rlrwg?>AO9;wr>#{y5D!5-*&L;0sUdkw!x6ku(C5KB{M8ph`~P<;PFY{l}OXq zRkt&YGl9}O{_rlYYB^4acr%N~J5s|L8Qhf^om|rNBi4x^%3R~$Tk#N(BUZ>10vu$; zPr`Z2r!fxm23(Bs_k8Qh;4v!iqA*P{U{MXtvLh4#XMB~qGL*Mr=*BHAgf{gb*KqP5 zS!GK>lQZ5G-3v@(zDK5G!+Ajl*Kp?{yPI45CK7V!bH-fCW}Z$sbzW5Tsb-0#DSnh&#+!zbGdls$hR8|3_#4GHY^r4#%+WT)^;2+~pZz$u`gL(s|WiVa? 
zyEP;rmRr!ytw!JE`J7mJhlXL;i#$tq3t~faEuph$`ZfKD!VFVg4vsk4OP>u zfi(I6M_O{Lgwi4UrSfx+qB@4WNY#KPAw~dE+<9%$Sx+j0RhI=ldUMD{d0fx-+pRQ{@IoBGP{2$EKap_wB5XTwO)%#3`H&8v#gdx&z?@@ zJH)<(Vrc4-9xV=B01=)?9h#Lo%{UAvpGIa|EcWe6J}j&~8x z-@IlK)HPfRT3TS`thDz%_-Rl@Wh9} z1!e@}n=wY!Ld#I>aAl=^%P$ggU~Z^K7d1`qEG5&05JUMq-*?EA+lxirTH3s?lh8uQ#I;z zYDgQ58m=(iCXud^im;|R{Heq>4+F-0`mW<0ALsO&yzas8;G9mfO%3y~3uP!8t^{g5{ ziPPRBvNDJnyu~Ob`Z}y^=}%JrBP^=a^_>nx90+`VaH`Jbz4h;k6CI5vAi#~gYxdQv z(&0{U)ih)WGg{o_aD;-8oPVX7bGY;U@lLu|7HgX-sw0b!tg{c2&np~6RG42Sw!_G6MyPbK;hS5bX&Vx(aj#y*6759 z;`hJl-;X4`I}3kh1AQNxZmtcO(MR7K3Eyc$Nmq~VKQ9wD-#!0z8MkJ4w$o)y)$>;P zuglyOgT6k$0Y!zs?3Uvp+Iic`vImR`ES==7l*Do`kdx^8HwwRu&*C_unv}ML7Nd%bw*~7Jw zR(oxJAd)vN5=hkJB^Pff*{z+N!ioIK@#D+&o_`f8V_>FoRrWf~%#vHfCxaw2rhH9C z{pK*Bxck_YE+!`u8RgK@adpq zpB56)ZJd*930saZGsFfDMNdY;u#vQqj9$2-gomAXr=%(L?hkDsip^;26e5jZ{VpXp z*&XUebW!00le?nzwK+wu+-UCY0R_c|M2w;fwNor?q!ap!xkl1CkB-cmi(%zf%ie=!VC$7W zpW|Hmg{-Yk_W_Irs@()uN@#XPzC~@>(^xtY3iS*oAa(q`88LA~d^v*H?D%XcmKet| z9WsWD&Nt&w&M-4#6?qO#jEq@oKw(79k|Q;qZ(trkDZWv^nj1?NQA~k-Six?3)kwgp z@+MO|+a{}BSM~_pD8E%b{vS;Etg|01>IXcD@!?K^ZRDVr9o!c$gnt>ke0NK zSMj0NQf|T7STF4tm`eG}t$ecxn+xL@;RsRZE1KhK^rcBD>QGq@47Es7@IeK$Go`bO z+9V^w!qlF>Qlc13--cXv0 zAxh>fBoPIA2yzCcfz<{3GtRX_$}mBZ4p-c=O2f3RvXdNg2VVtz>Rnxb0(zgO+v&5StB=E=Xu^4aId4MVyD2j{%I2tW zJaJQheLSP&)c>e+EmLWpdRHCw{M^zMoj6G-KhaYd=-RjYV1SiRvBCax1~H~vKt`0M zI$IZ!%}Q0C_CBR~#O#sAye}xhTfv@k1&`+!5Z>uf5?n?m{h5$xpUA<98_?dU(0RUK z$qfb&8$z0|TJIt&+z)~9;23ZiUAuHQSIuzUbUlg^tE*)zPAOQ0H}NoHlpw-%t%{HI zMD3f5-nfb!Jy?J_mUrwjERdCNJ%ir6bt{pfV{`fC!Eed!QI0;suS{19JqVR$7}xdg z#RKxZVe#UizR54)W+!@k%}5QGE4#WOGn&4}ozIzO49>O~@To9l8ZxPl7?T<2{IKb36K@7aS1f`V5(F?8dB0?AInzS9cQAWuJhQ zVJ}ay{@8XCHOV|Z90kN9O|ui=+It)#I_a5=HV3H(1bqD=7)@jGlY^%4N9H=9>X&jH z96QpddPqcLR}sPQwn6_PGB%8HKK!)$0S(V5B6fEInN2p=16U@*Z?;Eg$p(w_X&P9d zma7Z|3V|{`QJ<)m5_;nDw6)BNQaJzzBL)a3x;B=MuBfiP@>?#4@-tr|vLno^^F$hs z=u|&Ki$>&;KNnN3@8p8YoJ`Jt&phFmUq4y6py#y}DI%=S53krTSOYRrMf+esEPt@t z-$Er?ePN~H#3SY{=I``V)M|bq6`GxK5HdCymW36EpSCf_viQ9dsSOG;hkVCoY^JhA 
z_ofzI4WJhpx#5gRYc?yU$yyvCW7<652gQ#NX8Kg(qH3p{klHK($a{`9AMfi9tV090 zz{fghPlzGN^x780{FFLje1s!mIScS<3|Lj)<>6>DEy$8hq1Fz@|K8L-&sv9)?hH{f zgl=2jU*$+YBim8QcCgeAjI^;PGWR_Wd*L!sH#Ix7=!Mx7INdOg=H;54|6MlQEJ7WW zy^fgd8+;YVf2F|E;B2yJLq_Nh^B|W^-5!2YEE?h8M0E^CFmd#D=6E5cS!m#CVoVj@ zf^x!(;voIjx9A_Cj#VmmTcXRV`ppmV*f2Oa0Co~cuOwRsQg!=9%4N6U(hrA53)sq8w`<53_;eGyx`s$wSlIF|hPfxcrxDL&y z0-FKt5{NGz#c2L#by87Ikslob=`YW|#pMnHetJ9Kr)l~E#aFicK=(ym@3)mSlGuQi zjrccRvomG>Q?(O*s8YEJgch^n_cy+r0sTztAyvJR0@5tiEM4cvG$1_J45GS=&$mW} zGIcC$=^ar-VbL(8GtW||?fi!KU8&#S?k_Pc%I{HEmH-Rg<~7r{skgXD1m(Kd>`sTV zEoC5;wCLkB;3KC)tr~O$B#fszRT(D}&NlfL1t}Z6x_8AaPX-Z&S3D*aGoGKdr;MqF z9xFPOpXJwJ69qlv<~~tThhkhtllx23c7&h`+GfRk6t_^vony5Obtt&wpgHER5Ju9% zP7o>!jd!#Iq+I0Ia|p)Tlf#MJ7nLSd4HzwtH zWTp*YL+;@VNAA-vI2nIqB_-M#OVnnB}Ycn-rMrBhtz=R$4wnCtPYEM^D>y#0ch1tcnqAd9;+ ziWe%OAZZf}Qs481C9~xc;GuttGTU!L(bpT*F~&o|pp0Xg4$UoTt4z}V^>^}?NuPsp z=-VOM?qD!=lfcH52^xd1<~u$i1C~1zZwmoI?j?P*;Eu0EBfMZ*s9d#`i?6v6))h0J zw>$FjvOa(8_VK9RWNKx+w?1HD;;AAWxun`bZR5~$Ijbm^3ZzswL!bH}7oh9Z+oD1Z zEdqC^?ZUO!|3&<&#PtcpW z%Iw+T5eUcUBb#L3fE+WhKd9UVwhZ{U$7M<&t&<@KqEQG)5jG)Q`m4b7e`H@d0V#p3Y|88-eAhKLw}biKu94cDpnlw&Xf zK+WpSgcTdI`z6V~aY^SYEajhIR~u%V>`KqK3$wB*b)TgH#b0#0Y29G7PCmC;q2+w2 z{yHe13_m*nHN6-i?bdMkP>}@R@1QX}D{-tcuAI>dZCbAz8QvrVfc79w!c(E0y;&@N z#DS={P0T&JTrik>E2cUN33idp+vK>w9yhSApSX2<^tA(<7y$kLdAzB2^IvxEk{YB{ zIotvgQukljV|KlfpMK=RitOAqX?Ag)X2cJ`xghjyx&FKwp6PAX3~Rt^Y&2N-0V@4$ zd`?%nO_l7EQI;Ie+u650(cho(!Msi=2nX(UJF#0HSbd~lMCt=hq%H-_ z!`ls^!8fH__tzgrb^S)?B?iuy{s<}o%gaCJlXT{3zf)#BS2sR2YR5^*IkD!kNKX`Q zwF{|CTs6hlC_H8k9%#EBux*Q(=0Yjbf+_0Pm-{;M>y6t9pU4xZ5A*Dj(vHKMk9qpi zruVdnPNPqtK@5YF$u5qAR{iv3h@(u}E(3ZLk|8XDz9!9C>sr@jVhWKS9}iI->a{WB zPn%Iexi5O|RMbtBA}Wf;p>zLFew3e;X`K;&r_ue=E8Y5}9Wsxn_$iuUk?^03jec6y z3Uss6f2v@Tq zV>r=p!NVKkCPO-52g($KTNgayoHFwGUUqEz$7=90E4AvSLSNJ%7xAL3PV6@GIPnYS zqSJI}F9KW6g%_@Qb6DGE2UEClsqLgiiCu`qh4wsFtyXlZZ@ ztQg1v1MVaV-95yM3?$YEp+F`cwNmHRHcE854({|;5Ub)>6QyI)`OS5otW&!VqhcN3 zKuglIR1{LSc5sirU_&M>&%P#a_s 
z>(y=Ro#7mgI*1?@!bf7lVjIEr_dnR2a*!^fnSia1`9TrGZ!HsL` zu~fBvL_0s&ssg1(b8u*rwjE-#>b9!LtjY;k=-faS9&ja&Bj4zKb%%zyj{3{rLmJQp z9kf||ABh)gwek18?Mt#hRT^4;lO49S9nr*HO-re1S)_|zxeaJQ?FrR{r@m?4A+{S! z^88g33gT|Xs@i)=ULixYCq@D+Ty74g=NVi2JGc>5*hOpJm(w7JuE^q@WX{1D_$y8T zMp^a@;Cd<(f#b4@OfV1*McR;+I;4>>H60qsbluqZ z&xY)c$Jt(W)zAXAwj-BLt`$+3W-y~OxxQCT*_)X;XK{q41#_#Niw34KAG8vv ziybfEn#fE3@m}e(6@r2bp$z)Xl%FphwZVi=E)H4qT*P^lfoQEOU@4D0Pynz?W($&^IDAKeQP{Lb-d%qyQNhr*v>lX^B z>pgScnmGnBN9)};i->$hUzITGLS!&N-A(unO@pd15HG>3Ano{D4-{m)ET)Q#&G<@_ z-x?pbyaE|O(CgNNzi=4iJ$1hgFB^E{`Tez%>+^S$4#X0R7YwFvKs@lR z?JJ?7llYUhkvB5WELGAhGD^ldKB;~(r(dGo(P;QusF(vP^t9t2bTb&cebGxy$Q7*d zY8_$_nve{Tez>w(`PWXWO=9w8v>R{-=d?4Q0Wx91z45HW;=FA{dORd>ct3Z<>uWcs zcX064euAs*m)1<kbDfV;#YU(ZHrYu)Luj zYXn=lGZ7B8M&5JnOOUkJ=%`urp1y3Z&*%-s(={{y?g*6PRc?yd5e{J4Afw3w7}E=? zbYpZrjqfcGm>Q*7r>uRUol*=}(%x^*uFWas3oF|}{A-%6$?+LV~vb{iV5^j5F@ ztPEHihK3@<&9Qz#QD-!X*Mlu*lLAdS$tSC%0r&Za!;Fe8D@IESzChXUtw=p6tn3R51>G z^rf25Pi?i6PTX+t9`n}h*qHrsC7b(!9z*Yks>0|W*NPWG}EP~y(C;W6w*do?0 zvS%DTTRWmd+=JVe`_xTX!sk*BhUr|7NXC3sOc%4)`uIRro5U6e-o4c8K-&6@l676!rWnTx?f;xDV`*Ks0P}o!YaBC*Apw)#pTI z@vDDapT9S1nW+GNiu()UH*6!uHqQJ_5IrqOZYzX$AcFpn44E7}6)|0Qg<|wI5SJDh zGQXlJSf^OvYPvWF@x@My+HLZe9p7sYoy=9&$RNvPV*(}Dy6qIj{z+Zn5!1}-NMLZ= zF z%&GfLQlj*6Q}1|;2D`SbUV2@Ta05Nyx}rQ{HZf3kjJElpn3`t@&Pm%paUCJXn;7~X zxrv~P>@`n%3qG^Qk$`l#tkg^EaTcbz3F>6G^PpIk$L>!t-q*tK()c^{BC)dsqTRfz zSb6(0Vv+^s$kE7|}FEVzd|Tkg^{ik!h#q#K*e;NdCC``jpU2S-Ot z1XDG2p~t2~Q4j_UfyUx2sK-?i3BKbdDw`+X@6`xo{v`1FDXAD9x^&8i*hXYiUV}AZP0Kap8o4PC2iqnj)T%rzch$Lz#CMvVNqA3aF~6D8e34Ox06 zt1OBxLBC!f3DVag($=ihBZg7jXH(15i3)6X8YfX$5)*B))jiiE`R<$j=M3yklPgj! 
zBqZ8MhgybK7niz|Oa=w}csr6}Erf*L%SZCUxQKbK_gK^Nyj1)CF@@LDE~yxE`Kqfd_ug)4{}eY7 z7{Pu~lvFESb>ZQ5JkF$fSnWaw#UgH9ZfVx5X@;uEKzveh_w4#JrUV;#>Vh>klltvT zaJyy(3b`P@HJBxO_=EnR%t^q&zY+CJ?opo8PRoWuJ4qI8ozvp`DJbaQxFziYQup{7 zSG=6{J3tz_JrfMokPf+YIDGPawDF=+H#T!ee{&IL-b~ciZY9?j(_*RojOM!?VuTG# zHrHT}m_~3L zNP$1f^A9Hi6z48CLYDZ!V0}nsW?bFNdRcJ2V`%R2P|qGoy395BV=&#AVX^TEvC%XP zToTan1^a?2_UiT|ak?mWdY#(Q!>l+_pa(jrp|SZrTv-5ks7A){?O1xL^|Y*bNpAO` zfBo?qQS68Dh;CaVHa}kW2?9XNeahI^$1H||@|H=}WXm!fS+d_MKvn2S~Gq18F|yn;H&ZoDgo@U36*&}SB3Nzt{PEHvL36-N+}<2wf}7%mrd z*l(hmG~%@TSljNTJ_2?UiVGXuE8rumF=)TKJm76$|LwITfZoh>JaeFbTP;*7SL+-3 zWUT;U`tKczo0H^^=cBiQw%+|{GGpH#C-$7;Bjd+2>rIcsKR5X+5KG~(;YX&ZRG|iu z>`gMam-y17UQ0UQLNlneyVMGy-tOX41R;J_gcBbpp8J>=FcGz1sbHWmA{iJ@fT*WC zT@M=1MNRv&kK^3=FGdReFS3v(6^l60UYyF;`mHq1He!rZ%zs+l6-xWVkyR zpD&nW>%w7A5*S$)joO-)GAcXK?7SJd>TK3AwAH(^g^HB%oQ?7tc1(*~sVWaXfWnfz zM*dKx>+u&#>f}yYxna_JOCpKiEIoC3fZ%FlX}*Vk;Ov@~W7;{EdNcJ1WB#4xH%@yP z=dJ25=_iOD0uwcXtGSgS0meym@`CH~?Z38euzD9eJ+Ug=8y1l!pHrsd0>)6$f9w;J z2@>u=B&3ncgw|~FAJ>Y=dZjE~c|CuIvKKWaVKUUe;5pHlkNg$gR~%NKk+!ol)RWr^MsNgr=*;hou9%6n46=SZZBs1Qn17?l5`BneD0hFPyQq?mQ=y$ij z&*0&i6wQe>V^@NNWwIO{x?b@8+jt<{R^GS+W6&XAtD>Jj;Iy=?3pim(NPPu&-?bLg zlNtzaJ3P?-(lMsv*kt&NP-Smwch^xV25g%#TvLNN{~c83!Cu4s2$IrD>k#<$`9WF|F_*i^+iq4zuiEc4YcAG3KUyh@Psrxf zTAz#9V{qN~FFzWvfDa;!KBm9su_HXEAPP}MZ)>dTNr27YHJABur$Ul`OQ2iU?ChLB zUOw8V`o5nCOU{@+>|({K(fy*8silmR!q3dQD%l@(q(1G?vOup*!WTMZAxqSREk>d; zo~JcNclg+?#mzjzhHu69&})wd#EaXH`%L{+}?$n64Gp#My*TR`c1y^%dXl{DCJUN5+gV8i=?K~05iYTtWd z*D90bN4fFLNn!nIX{dXZ?bFg?n>#RKYOC0_uXC)4TLkev7Vzqthoz5;le%D4y%+L* zVEyk2ZiQ~%KS~YytFbRGaqw#ZCsRkywCjcS zo=FX2ZAO(L`*5eO2W!F#Zj4k0CEIZHInRZ!bMrT!C0D&AR(|v2Ek;E`yq}RI$wb^u z5>)h0Ncm;qBUA|3eOi2bPz7Yx(WV1;YYYeOWpvA0kBV27Jwrjk5YFt0{dEi8x8D1F;ek(7 z#D5)$K|Mtad?UgciD+YsPipZf12Po%thL%>FiH8Slty%6{VI}yYN#+)pH*LQPj3ym z7gw|i0ay>sUNr+c%;-O#gb37rm<*KULECA^T@~kQe<7eJY(~RMnbk15xiUSG`n9&f z!0v+ijz8*;E|coMzZmj2Lff>E3cEVVB~cw=tkN2T)+4j^RI&rfRfbYFMP7On?Xh;J zGr|b+ePb?YCYT0XNpBm1_+mA3383U<26 
zJBh9Jn=jgYuWBXL^nj`Xgt3e`M2@4iE zt4d^owpLk~*RPs)v31G0)#M~lsG|7pDeX9L@Tv{nJfZ(%-rrjKU8;aF!=d4JaqUWB z1Y=`_YF(Y1O(FS!hH*76pnSH)^mJ7e7QuV$_E*&2x4EXYu#q?7uu&`IbW7>5%|zj9 zBPnjoB_RGmb=my=4b;%dzB8ps0+RZ3+{!=iE0c4))~nmabAkV1j-Nkw56}|EoiogF>?l%6d|2)NQNBr zraJ}>E>R+>k42U+{QSSi0H?ugAXf{r?BM*9s=3kdwyByz5ta{r{L$)GONnZUyInU3&-ysh+}dk#O&$r zWAkMrTobAUvNk&N?+Q$e>)p4GKklZB(fL7LnM?&?vrA%d6n51hsQ=wi$KxccB5*J; znoq+H>Az(DzY5bB+u2$F+m=&avt45XykRK7P8ThNxxu0KLx*DOdMND_Ws$^Ay! zijAsQ^!6gujsL)0TowX78$ly`Tn8szSxv??y`kHKqZ@)thX34H-85N3=uC&6Ktg7CP zR7qm~g!*<_&>dI5+;12$4e~=kp@=@N5e>Ods1s1{Mva7K7YG_&$spHXy&UB6ZVYX1 zEz3}&F^>RNLrG}9C3i*$UwNGT9e4O8zRX~Lg{4L8&GSny+LcQ3kWObpFw2qC-%BcB zcaBA$O#eOX@Zek|n4L%AEk~cC3YLgu9A8o9k(LI+Z33>7dyT{5u_J9;oTn!5$(avr zZq1Dx$U}9H-UN4|!)zlSV7(i!V?x!e!(1(o)2Q39O?k0Gd$B@nrAnG3{)M!2pWAcC zmy0Hkkx2gRCho6Lk&X8+2mNcITx7%C+uhyznSr*Ip}p%u>H~rp zQNC{r##t4CXBEmCBu{hRO}ZHX0ztK#f9UZteMg4+&#{dBWM16=8q@#c-~V%D|INz- zadPlMOvvI@sE%L~KTmRt%WT&%8Ihe|d-{XN6HYH^TNQy3w)th(a>IWKW#cHV1~LhX zFYv==jsuieSlW2O66tZp0$jMpIU63tZ}5G-$R~DKA@4G^2W+waNIFl=O~HQ`u6Nl; ze6Bti+wL~#zHaO+!i+7TO0bJjfy>(*gd9VGV$}+7moAtplZ1b6Qu1aBpJF4;Vw)|j zI~4gi828QE+EwrBcX8JpbBXouyBZVt-~3y!gQrRK$-jo5b_?2PTXjV2Y@JPQoefky z>`k5Y{>8%ss$=qfOvtZ^!%H--CjnoqJb}7E7~gKP^uch0TU(izCmU34I92UZVuvt{ ztMhU9q1)RBWbnF4t>_So-@8G|njG6~qsTo@1&AY-yIb{YO34+Qf!gCoPo;pYZWVd{ zUz+qwif5Sx=OueT*?O=@1H@waqq_CWka@(drR8)rybOF)Mg%d)+z_#CWczWxh!##t z0}6;Rq9Pf+Bu7+ZemduxUtkyVl*J%oD(W9{?Xk=^Py^u)CLJRBQ-m~@!D8wh$ujj~ zDF|8qY_*L*L#IWA12*!JV^w7A+cue#I(egIA;ZQKMY70Jy>8)v3hjZXO}l(MPcf?` zXsUfIKH~;X0ykS$KW?(cH-#-eUV5L(oL8UY!P)uf%8(Rgz#-7T{HIiv_>i1r;%84z zd>+W3$A5qPKYJMr?1!C+qNAO?6Qhy6{l7Z*pVZi6C>me?_0Lb#%2pP-*rvz#qVf13W+`QN3o{&|0_2}VcRUl3s1 z?a2RjQvU}aUP8F6aRn6rGMi5bC&-HCwB$n|2F3pWuQK}=wG_~E7)iIz;0JRPhkHKAl(8C literal 187847 zcmY(p1yCGY*EI|TcMa|d3=-UeyW0eJ9SBZvcXxLuxVyW1aCdii`?>e6C-?uVx~FHV zPR-V}_TJ~TywoR1OfWDoSgc?$pWgu^3Wo=8ZXKhXAWMM8d zA%oD(fC#?U34)H* zoIr}6EmaoIDoWy#6#{tFeV4Dip%_x%6KSB{Lls7_6f*XPtzHbFI$)Zy<^LZOx+A{_ 
zA%K7A4gm&+_Ww7*z{&>nj}89OQf562sDAGum#YaoV(5O`LK-drR!q~Mhce=+y)!N( zMI4X!N}2<~CfQovZ+Y5ybpVi2;7_d$Jls zZca-)OktkYJXwg_STP&Px*6Hb42;Z-8BsnH;@6;OG!hOUqA!4RR0+6dBOcYmHv*jW z@6L9sX?OvogjbB%cxX3k+#M0Sv9jMMFasOQAq!R@u9xQImIP+}>LpbUL@V-d`5=M- zwApWly7)S24KHum?qSD>#$UR=3=Jog{?wk*zy4+PZLfmANTlKTjr=p*+LuQ2%aqS% zAtU%(Q1U99HaxcN$$l-{Y*ZwNhA^o+2#Y&UarE{gD&oS`E?xRkkDRXh+$K8(;d|ZJO#eTmbz1=7#w({cv zth{E+OaYd(6Bmp_y5^lCAy_PZf6frxAYBxUTq6|f6r`CEKpaqY^Dv+AFm}F|M^al~ za@S^-G>p?z95Fo%#f@_5Q`~Lo-&sugYkKbNVSkTD!#F^#$%neWf1KoPDxmGHRAl&5 zo3>@JxIeKdMVenfn6Ts0XH3VAeGu6yD2s@a;3I$vJv;ZKgMGRq_;{{)*3!PH0&IgL zK&b^fos}MbZvp+MgV~?eB6~NLp2VAH{0HSEPuA9sZW#OrZF=>^O30Me0Q`r_)t`=b zubc2XtDW;{%9MpB4-jz-DdB8?WL0l-`%Dv~z>O2bE<|x|OxFn71sC(gQ-_R?IDRE= zwP@aeX>#Dvq>!=_#)3x(P;`e8!G<^-FnE&?Y==o5IB*y2KU}1G`fin9(D6!HOSsHo zjf9t{;m1^E8O+v}dnuPdI$xeFUI)r$^1Zx1=88=azj0=|Dx9H@2Y{MX_}s52P;_!S zJfAOTx2?vU)cQMKc1sdHUmiJcC3A0AV-w{vTOZzzJ3Kthy&52S0X_F7l3$udBmT%_ zbVDFvM18t+K!1kIPl1#LGXZl@$^oyCVPxK15@z4D09WgQY~^Sw`L!z5D-8T}VH#uF zsWq;aim+`{zGoYs$UGFVH`Mn#tR?s|+vM!$Sl8+hPIqRCqA1+t&o$i*3+^wtKmhSJ zxgesxBVhKVS<0a6D>1+>Fo!K)H1=fr6XOPV{;x zBZ_!G6QkB3O85fNehv_52U$5dcxO$qH>E2NLJkFPyKtHEM~Y#2Xp!hWwINQ;vg0Dl zY_#BHG+dMKcY1OzH_Wdbg!td5X{ik8N6`ELqU?=KF&j_FL(3a5X%_bP7Lqf|7RMS< z-lO0#k^zr8F>;!BLwM_!<<=2s%U}K7QtHnXc<)?o$itV;h?nbs4nVjAPE9I;JHu zDT)hmn@*9?Or+vXn8Syg>!!AnvTc~O{sHaE=6?=HO{u;Sy_6x zA>rWLDPf~No2JbAK2U75tj${nk~K@7R^Q8=Wh%MqqvN}zs{K9S^1_@Ic3MP5&Q%TY z`Lg5ffx;Oonyve|W0KZ+>Sl_>j@j5K=2JpnD0zp@9YD3JACR3^LL|wuhdvB2D>=(S zO#R)`%6DwP+SenC+G#qA0$Ru+4q;os&<1^YfqDjs?i%$6g?PF@3uf zZycAX`iY}DvpQc@DW&c03%~jD=!`RpBXA(#bZ^Tywu8OK^GnW(IltX}qOw)gT0dh> zJg!@Y5(wV|i5zo#hH+<~tLIQ>{2N%}39GZ5+T;y#K_KkPxE7Mf*#0$**GUX$lo`m9 z+fzfR(VMH)XJx->F-)k6D)t32`C~C&W%{=E{3EY&!)*GYW6(d&>B~8 zB_l$AQPyx#mcdD-VvJ~~6JkYfH$+W?BtC%H5uc@%G=OZ`}Iw0 ztRd$P-Kb845ueh@BPTBQ5m9@E{xEJ1$e^VYZ^5+LRq2RcaF*&n7qge}>32PAsC%PO zd+#uN4SaZ0InYttQ?m8lTRumbUEz9craqmJQWZ5Wzr?aCwP7~(+!?P_tW2wzF?6m! 
z)yl&fo2=tg{IMU^cUO4_6v@k><<-Vy%aO4hjpjAsjk04r`m1;hEj zO6F)~V`lpk1hTWG|M&54IXh{yh+Xcl-hWhLSX!W=$|(^6^DoHV#+aP*9Wxt&oUNZY zF*ldS^b%w@kJ$hptUp;;m}rlO@`4;3mJQlyW2U$C>xp?V#zH4yIzCiU^L)=O^{61u zTT#=QE0K9^I7-EiY+1dtvRa!t%+(Bis$UrnpSr464^4kEzP-pFy(Wu4AF=C5NL|G@ zX1iWjwE5~F(o{qoYVn#=WFf6}TOUI*I0L zrzu)FSMC#~u3D>@&w0AmXrg|9*zpis?AE=tspmimo11 z``mP*#E4SayVdKY+p4nt?`Id4^5v_GN=MIbcTW0J`>M&z(!RvAqWfXa@iGjT`h6}U z_25|M*84<>|k9d(ZufT0=w?@Dc>&di(h(*vucY8 z-mVB|a))hh1>Pcc`b_DM-|xz<@7W*u-ri;uCq1s8_fn7QUDjXTc2cbrUjst{JtQ8S zM~8$N%cO-4&@11=!Ha5~&cj}{8Vtx3i0GS@f)PJwXe8s3@k#OhsKSiJh(j;CWzz6FOV8Tke- zDQC=b(>&aa4NZfK;clUD=M0-|p{tw}Zu82!C}&ZrXMb2%Nj>+Fov+&$1kT+}@T^{& zGu!#)TO6GLFOTyFnU2I|H%;^TRGtnU=TQ^uG&} zO-R1`ZcabfU7kYE7G=mYJFIx`CoJ(EUt0ETjdiaY+7I`*r^k}pzw#)cwlmlK4VI|8+F~bI|Q?Xq~$31J|4bi$`YS|L~(6~2o z^|vo2`u7Fd2abx9=?kYa4KF;m%!l}Fui~~jI|V=L+WIKykwEY1fRdC8eFbwOL=n%Q zp`zlG=hRj1wF$0j$r;m;iibLT=SY3LtbHrEPb0sJ3-kaF7{CiH6FV;`dmbDV{NX;u zCjB8weJfr^+B2W= ze5P!wXVP=0o+>UKaWn4PQ7q0$7*uS_AxJTS2l>TkZrGeHmomI^uj}P`{K!k&urLuI z7@f5+$~W`mYjo%+vw)m$|Dsz4p!? z&ZF*IyxGhJ`y)tY$UYkGp_V#h#!Q2Ktz5I?Ts%-!_sX@~2kOUcIMeSRDkH^n&X%R= zS7)zFKVES_*4LwwW<(kqw~khKY(VhewHwfOcJkT6w+W`8+Bzj*XNr|W_0r&KSzX~! 
zYTRtI*T@jPuKy8FdI0_joT`2audk{?$wsdFd~;LSQKb2OTT*^cSN5NdJL_M`pX*e6 z8tQhBB6f>avGJ>bI+*rarAnI6p-1|vC@(|nL}!)n{L=KZVn=!ExCYyfs=_$9Yh<*o zA{gBoe*O)x2v(EVo8R_jKl?H10*zq8LOVg-zaX#uhzI%on6`tdT18Zydi+iz|rMDF%GjT>^=)}?Pjs-mWgD)IMmP( z#Wf$UnW&vNcbu7>2It+{lnIVXib)+Lg^U#$6wo}R-YY+vo1P&>JBBY8Z3#~!s4=qw zrg>7ItT*p`eT(Aq95eY=Sr`e4=``C8IQ%FBlm?+`R`%ioIqR;cCCBGx&^oDki?l@#F zxgepTD19zO&mErnjhLIkLw&S3ALb$qBF|X^*k**f2t%zm5UEoY@J0l#jc7V%;w7rI zBWht`@!dITvWU_TKUpa8O3eDY>}}PF&*<3yDI0-wk!{(MxbNxAa489)G5eAfkA1-* z*YDd$@vTI%n0^)SHIoVLaAzUOAmY{y|JKblWPiEv-%D79@;0Yaf|)gFgy7-@7h`i2 zByc9dw<(d)lstKDF>}ob@}_1irj;4~bDa*%IMFZVne4P397FFs;}LsDB9FK-pVN1 zv!s^|1&s=-5Zz%2C4EJ;lsG-iOHmQD^Aw<8p}8<7E@<5LdxZYYE&R#a-sE|RD*p1)s5gwIBS|sqXfu&sx7IJglU-uDzIVaWerzvmz9BMUYWXTmH*NxPjT=lAm9&7#Ew6TH4pHOj(0;X!Tytws+jc(*?58Hlxp#j&%1V?l**;B z04aTI>yV}M3HGa+w-V)e6ZFLtvW4Ta&YXik68mx{%dkq;#OX4IkNTJ5PXCyp^|580)x}Y_G+>NX`2UbozRqX@p~YulnkMppG|@fHmHs<$a?5f?AVO zv+f#La;6ve=*?lQF5&qeG+3#M<#-td4Ib`b-lMq!NAbP-AO=Qd=%1yC`Mtwn;ql;j zG`{-=d6~A@jY0{wlpt={uc6(FeUfO6{O1>g%=f<`Sd{hu=1M6+AKCJ}Uv$w&6o-pA zn3TE#>HB;`zOKK&*t&UsivA=xE@Nd)q5G2a@-0mO!0?>G_?y>rlQFkv`^e?fu?fvO zKq#)UO!30SD>ye{w8upU=3=iBy+a|gbsRJ+ER7R*$dPf#2x4xY=3*QUl-$X|ov2g6 zs3RJ~D#o~zXWeGS(e$|;jw=qH*RLRZlYQo9a>?~jq+OEs%M6?+6i%gjuvIA|UCIKx zk^kO7qU)tL3}tIH1)QX?SKAT>uQ}~?;GqP!>Bq5V@OVT3Q zL-3NTsV3Xuw?_xNf3$l7E3B3h8$qiPHN!AR7CJ&^?Uv1?sX2PV$2R23eL72lI&IH~ zXVZc6r{!>^l!l1vwXZPB`92xa>k-+wA9Gz(!k<$o+T+#Zh{B$3Oq=O%Rftd?Zcpt;8h2#p0K}7nF z0E4ajVY14m{5bAkn;TXm_0!YMs>c;Uc8K`KNJ z85*eHPC{mLk)iJ$?<>lhPx2e%3x?D4{;8U95y4=jUza_0 z=E8{H*qnXt>Pq&3bezqA36%Ygf-Ka>kS6Iw#>{R2h6}D6SN&%feB{SO=J#ya6K-}W z7#I;B;9sKU2ov;4HzVs(1d;pnD1J#Q-bif5#%*@Elig3NUc)YCR8e|2X*1>Xd~e>5 z2JMIR^Yd#u0v%P_T3joreY8?4`J^Up3h9LBq(geNWv1Kno3VRLX@j~Xmt2-D@{Z&n zaml;@O#s1X!{fgqC~0gSqs1Sgsp$obUxXrJ=CyA+{*DRES?K0S^Ixju;50adp5|{Ge=pD_c}V(>3C-*#8hp@6gRn4XnyY?jfT4gFCo8df6DAl!ncJ7S5RlY5))o`4Y z)o?M>GOG5Fnh`6x5;z!iFBG1jf7fWi*Qvl$K6Wr`!^^VJ6MHi`=m6?f)(>kIr^ZIj z3hl`-$JLkiN@#lK+y1QX=B|=y4_3{zB1<{V`dQBmHRd4CvMexZ9>`wrUp4JS$h 
zapBA7yzGgU!F|0gS1<}(1KJRy+`lv#M(A(EH7{KA4^1u<{bW<}cHV?{a1%@_z2sQb z$T~6#bkQQ^NpXe35GCIdw_uHxX85Feep{>+(7U;R-cJyCevn$F-Dch~Ma&WMv};zf zi=jyS?f%^qC?VePE2d|=lJaftsZw@kA{!<}FcLJs3te0P3Y0T{%}>7?9_gmWIH+N> zJweS`ZCDmmb9#WYgf8vAOg#Kb>=kj^{2ExlSG1n$p9wh!vHa6r5=6kcB|~{zy1&YT zJ$A43MFH)mZH3L%9zX6FtkbCNYi}%Zt23!h^bxkS)=tsF@8{{t^xO5U*f6jHBU0}d zLC&>g@c}LX;kk77HepA^z;5eO`rk?u9@Yw~s_$%y&c7iQhTFmHmq?f*a< z6`8Z0ZZ>uK0a}PhMb3=k4V=McUR#Cj0*brZHg4D-7DRPjqH#S=MCj&mT4|-j@h_YX zK1^5G{7c7{5FLtgFWH5&_IA4i-`e2THStq@{BcmP_Q+kSA@CphhN-9 zkV@OlagEE#pGymD5@Py0%44pP%0D3g1o7K24w4QCj}s;cQs*SSyv-%V&8CQr3{Q#=>N#bMx1mJt8-RC*=ZpRe2rH=uJS+>GP+YzCfaM-2louGb8hk(k7b;Nk z8IMzCt?^prs3H{VR_@R^E@!*34Et5t#9}x-J;HKqv}2TlGE@5wH0xQu0`odJ(t0fj%z~`l%ETH_OE`Z8#$*(%TV?+3x$} zVH^{FU4Y6BChvmKr~73KsMp_gCb@*9Fjl(B1ll~A@huyZ_djCl0AjY=%D`uS z5YtPl%pj`qAzUM97{5M*DRq6&~twu@S zc$6a|SrutJ9VCtULM4lDXX=L>N@}TBl~gYai9HQ$xa0_zJHdlY(T&8~?x!jsIkkT0Z){ zB2<3{7RyZ3mdm_!oXVK&w!;!P4UuF*q6>vf6#HhB7pZ@AuFEc{#WvqpEtR{vas?iy zu~Oea!ba6pJF}DIJaXm~{frxpSL`%}OJU=>T-}!|_u}!RP0}5RV)7crY2cX!T3_Ri zaN|PC_IoojH#5U${-v}{Dp2l*?S0C{cO~4@@$FIP{`4Yvmw~`qZ9mto{MxnnCheHo zwK~g%G2;#hA0bN@v%s+!buO)yQQ{I&RUr&DKDB$&cLC4Gl0u!-m!#%YXNqOv_|Am8 zXqNEG?h~f4Psa`ba+kT=uw#nd<*&>KY$TL0E9&=0$k{Zujf5Ns)|FB7nUu?2a4=#{ zh9K1obE3DynvU#?q||`ELlyUsRl*k0id(|N^;4L~{R-=1+OYYQT)Y7D!Hzpqh895u z&zN&cCYcDLH)bYlMtnwkOg;GI zN_5+PZEUFP|A1f}0dc)*=JWUuVeKn2d;meHj9aVDuWp9RY1+Ncj18GBLZ@Cs4_SeL zGyechwVy}|Bj(z>`Ag~4;S2HuZKOFOaGU5-CDm@7gUuANDvq=OgVhTSj3gUFWmVM- z&e=EB9Pt!!%F2bwSR?*pV3p#cw`KdTY~8h$vYJV9t!D&Syad7r$Ndy)9$`4vW^S}fA-R*hNbHtE@LU2=PXAqDogjsNh2C3q zyeb=am3~upk$yAh`KzW~ho96*qBX=aQtThSdLCOGIgw#9sxPUFQ;DR3h6VjY^w_KP z-hVkU+j+(V?mp%DYvHh{-(J!4*FpFtgTsxLB530>#eoWHbxjG~>u1BZF|}_>`0!RK zstZJdwt@y~)h&fYhj(0l4azI%(-z_u##IrIro+g3zJ{p#$r4J9U?;R(y@s$fYFyve z`fG06IS3*@seKwF)t{n+a@?YW!d}hWkd;_D%fZLhv?KSGGB@1tHZYFHsGbSn)l6}w zt<4)~v?fCXO@)(@8yD;$QB^ZQ87<3)E-uBM0zhf%2O(iteRX!AuM|8 zpQoHFS=-RNEjxTi>{!j!m<4MpT|&g|E|$Ww(}3JTZC{FZXbJ7Y@uA4mb)>X;qZ@u~ 
zQQ+{z-hI)EyLN;d=bP~9g=3x-`o)9g^s!%>9lIl4+;L@?;7`X+A?E-bC;r>u3;h9% zueVX`%Y6(rkTSb3!SIEpN~^~jgqNfB`xS34(-R)ZlG{B`Uz#LKVOB$XoWK*tXp&|b zE3DkJ&K?r;r?#U?Mw`pWp?`>Ne9F`&3Z6@8m~;JQvz4x0IWi$|J8dclxS3LqPlX{Y zxXn7uuPVWXn{y#5H6PfDS3=2DzW*s4yRF2wT8Zc)hdMRfti`0*!-|D4Mo6`l?M@Ry zzt=S<+`cOE=zuLW^G>MbVGVRz{kmbF7#O_W67#6G$IN?e{uy57^&7k`pOo-kK>rL2 z9el-KLejItgQ{qm_nZIdv4jhXE;voP2Qs%iST%}wlZ`tF&aiyKqP!r6HBKoA z7WZVV;v78oS*m7|$?+4f2cPLszMIJ2m)I?uWWZ0V&TAk#IVY(TlgL^dlq9k%r;-pI zJga9mnY68Re!*S2`Ng^orV5U>Btuu{Y_OTb=iVA9JGYN=&qplBGq+v4=5)y~NJtH) zVO91>kyx@-;oxuZ>Gw>BeJVqjrSV?llKixst)>a?Z_!x{cV#Q^or^4&P;!^hY0Gt) z-ntI$1}bSgO6go%{&G%+$be2E+ zio9YNo+8mJPZjSc)MMU+{EiSKF6uyby29#8JRI;hD%tnp`aP>=)tes#*=j|NFRKJr zK%cg&<=ODyhVpErWb4Y!0X<&FmhV_VSH*E?pXOTCzEq&9C3#6sy4<(X+-Q907M zkA#3$sBk@ub+x6AO07tiK05vR-3PhuRxY{Lw#U~nM-5!`;CZ;j=3S&F!FWWka;-q! z1{AHxgEJfLasrZp&Lu_Z&HrwMU>#Nb)~dt$T%$)o$)3mSl#^L8$gSVZAkfT(Hs%0i zSx)ycY5}C2=KQRe%33TMT?NzPWB*KY9{D+oicsgv7zMg*?pj3q_IBNI7EKi++RbeqYZuk+b-Z53Abkcaj3Eg3|Da6DGA!{AG^U<&TV2<`3YT$5o=+7=?pb?gs#WMxgL+&gH{_RJcT zcb$-!IFOrFxRdreilXLACiaspb`&s)PO(ES))I|yJYE)Jn%#qWU8jW%TITm-U09uF zrG}1;NjPi%heHi%{!f?4Jd>qEblDYp?S*VbJP@Z|D9Di%%neX+BYGBH!bu)Zs{$Gf zQ2FP@thG=8X}*umJu@{HDStcFlmOE0di=^i6Q2^sr-XN=8k!z;NwNJ8{}$28Z#YoX zAILrYKyEFRf}TsUkAVi*^UK`1XV)0PLy@k~*RG)OV zbHyD!WTw)K!|v*S?Qw6LDMHm&q&Mu56IePew)X&`dCslf$VkJNSoalR56hQq1CQfu z1OGWNIFaY#nCdj*4kf_Z{xT}dJW-Vg6Bj5m+rAtyfDFSMKa2l@fN5-D$M5k&aA^FA#eQ!Q-l%ZoQM?jrlk+7!oX);ToND zQwcuJz1bN$*LbhE9mrj~z1&w;Uw1QT)5JDWngg}Bl%)=XFLO-UQL)PwN4^z4?Dil|-p@-#dV@d1wBq3SlEBvQ z6{}pGKU;7*?PdQe)cT5Ez&1}l1*|_ix6Dgup)3;@> zdZpcDCMOvHiempIzcwq(+z~N>D!+R)`_@E;O-lC2eByIL6YwoJ;VK6vkPz?2HwSCoD^Ai zt0n9ag&I}fF9)`*XPYjpa7!wvrUwyh2PNg6Q2iY*n&$v_agjbeaPwqGs%iW8EKfKf z_$>p>)*`Oe^S*i+?xnA9Py-5tCQZ)NDsp|`V5Uzcui?H%``skHk#RhYwlX_pz}P)E z$u*sboLB-8%J1H?oE|t&$;<}9=LN;9@aVHuIcpj>F!UU*Ekav?Y7Y4k^~N0usbtND!2>N8HV-Gq04Oj`Q_QSy7NScR00>lpu7 z>Gk&`|I=&UyHfHpE>0p+m^->xLGrLIx%Yj)`KRBrAp*glXgMZ*TU~CZ(<^)g+9N?8rCL1l$=hgh32_lr&NtHaTUTKTb 
z`%QWzJlo|aAFB$h`Qvev5-30iDY;;5ydgN`nz4o3t3*sHxNR}boKqy|eOU?!8c>mN zwOI;E7PXY+Qpfl1WYg7abpuGjd)!X1K})r1Fl#r4>>-n54CwphAj&mJSwCO-k8FY` zm{BsjV8%qoqYfzR%8sSTmR3y~huju)PP68|Z5X`HL)A-2X@IuHL>Bz(89sa{m`flF z@}{w(gVf4IVF|g1D5jY)&%6ciZ%LzPy_$S?3E~4qMgC9q8TpB)D-A|gg198Zcq^$C zTYUfE2kQN>nAHg*`L-RtWsz}DQH;EjI#`n07EC=yQN*X#+X6&FwZrcS^{h&fHgCyU!AuRDCSMGZ ziCyiU$L+B*u1Zy|9R2K$qds%bIy|?3No+;-=DWmtpTEJURkx2kPqmNCu87#GMdHq? zjzJ4NjWccU=Krplz|0{KM5)aX8$7wmjrlI{*8_q0{_jq?PWauML7W-CIF62jdZLq} zO|mULFH-kayG`Pu~8IBB2S?ma#D7stl$w_eweYg43lhUbGT^({Y5zPj>wSzn)!auq!rOp~de7 zle6;B{!Gz7Cn$UXg<7^&@IhPIBq3rO6e`*ofFqfv6|t*xWka>5;1VW!2D*NC98UP44rj^KogHnJ6E91bJ`e+~RnLZA~$_)@<; z?xX0`ba_CF0%iH%0976aVcALp#;!<6zBLT`gXFGQc%x6b}rd70&6_y_!0aG(-i>!&J;Vz%0@m9SDU-}}C#C6Pm9h22<1^nwGx;B~p@ ztPGU;PDPk{={K^JAxW~qv-VN3fbU>9*9Lc-z~9X8`NVHLMWHR%zmi=1 z5W}O4;=%k+0iks~e-dXE{-{Du(T6z@Cc2VzBq}0JK{(~CYtowO9RD&F0jm=O-Gax3 zJX>(J_s;@Kbjg1`m%Wqi7qg#@EONo0k!YKe`k^l2@kP>jj`?xdAy1F7&@w?n}{81QT6x{ZYu)u1b znO!)Y6xfF>hY#btA_F0KiQpfcAUC!}Ocmh-)BF6H2)k(d zSoI&jN#%kOpTm2hC=I~sJC7u;sbQo_<>L%(U%w8S;|{&Jv?FOSfQ-UTV~bcGhfqrVmP$F~B#-fmi{Bpw7N`U`SW zcUyLhK99dZ?ZkftE<}1lodg#9-ic1Z*RW4v^NM*2v+r{Z-jX|-S1kwk=50jvI(`d3?>!y4`F{Vv> z{C=HABDJDM4Klp>PW;vLui!uXqS1VBScAmH5oo-QxZuJ%4=ei-Fho6Q@~2E&E-ieE zh^*o$i!70_p#5AhR1gto+qoR1*GCz9!vq@?11BMd@^XU!i!lK-?I5Q%r7>GlGAH=8 z50EYY0^vA&?BQV_xnqL;1+x%4J`~ua3YgaimKqm9V5mwbt3^`rbFRt9J&QNd+vmuk zJ)-XdMMOu9M!nk4xQaIBbx`R>|sC9 zzD6tt%P&FwjcfW(%+oC$Z-;;4Dx5e;r^whQ>cBmlfA-a-+_j)MM~EZWEL#!58DlVO zBy+GP>+^^IxI-haXx}^uCiHtHB3>jln9AXAX)Hwot5(<^x%P22E9lxSEBNf$nQGGc z2f)Nwf3L_9V8OlwiHxxnAx!`7=lA-c_y4sGIIyDLfHy3D%n!GEZ!n?yQ?sp~{KkV* zwho|jdOpZ61#3NCTQ5t%|r~DOe4O4O}!*sLWHkB z{|f$7C5p!Kh6RiFVS0qU+7H5F)sFaCO8-=RH4e$?0}%k1kXF(~PVfn$>HJD&_xJ;V zYdiNOOs+nnM2t5%)J7kugY>ETclspK|1746b-eCvBx&c@Z!J`~gKdwhXb`h-N2T$o6IX zgp^4^?H?@UOLZXi!9v@1!=7)$V#+g>74KpkH~Zy0JO@5JZ!<_=YW_%_tmu_nh=sv; zk9D)4(@NNkTX5AHPbH;N^1~7S7vXcDpR6^MVBklDJ#|D6(|E zPtaLRSRJ7#n=h2B;$NPFLD>Mzf#m!-fUzyF-YkNkI9bD0H@P&PtD3C%Kgm(YE(Db&wxlZ1MP7Qk}x 
z@DG5K$D`ONOhu~=PKT-g1~IP5XFc=NJfRXYf)YDo ztY>t;hL(XSjv%WR?mwxEfTb^u5Eg>70%`UFDP9jaLyc*c*saf&Z)bZPU2wkk;&QDn zGl%!*^~>jPaNN}9(-xF4VeS49lyM?{Rx*&X@-2H^m>XaCy<@?kWFa6pBw}eXi^!9r zB!(O1Jwu%+lG496rRGH;t|WbB<@d(;FK5btof6hi8-B&US7jqVF^U&9`(0I*;i6KUNtH^ zjVkGJvOEiUkR<6j&3#8!3!=Pd)qoT$Py5)qRopYPrIQn({Y`Ffb7Ga{l zxVo?!35z54CzvR{@#~`jX(Zs@(M_J4ZH<(m4in3;WSqlbs866PIr9AnVWqJ^7_CEv^ zB>(a9nPyhdpN~`3tnHm(#LYj^eiJw-hT}QO7A5`c66TxE85bD2E!jb+f0MRRg99E7 zzQPL@X#eL-R9(-3y*SC}&vrEz)?-hi*4O22;Vp_WYb3jn(dDjdNujQ?j4!meUdwmwMP?!Xjg%1#xNFku#zo6+YsNjncIc+_+-ZW8_Olt!<^^fb zC-RKa0Zm2tdBDM!FOw#ngr8lab?e7s=`7NRjD;|t|C@L-3H@LFR60EhIfIayO(3=^ zg{x5P)ys*%t#qVVFG@>KP2W31WL*1y&xC_waS5)3@2;xbO)c?mB#S)~j)scv7Z*a2 zfv`cXG{3P4WevSP+S5%;Xn-(oRuqZ*+csEd?3(Sp+$}RUzWq0M$UpP9sYR}6H7gA~ zgZOb0tRZ*ZnzyNXgw&Ek^Ys>#Qem+_NF~2z|F3t~lgAPH=C6{KP{^5)8AtY!v=G6P z>G#Pf;~u$d7`w-HvhgbCec3&w#!b`J!^1*}&EF7SQLXMAzR_TTQo!#M^~>;YERu`X z?43FC=WuxB{{**s(z;0Rr2VVrIF<1C0@U3!K_6Rqo9N{T#0AL?l=JEl$H zqS%F^?^G^9HnM+VbP!6ozq1NG@qHVMpRyRa8<*ZUtx(^OnT`Iar8hU%jWf$RINb%BPyr#ImO)?(QTIRf&biYIqnw8Fp#bUrs~kjWP5Fy!c{F5c?mrj zPe-HW$0BPj^ye0PY(9GG$3WGxBMr0i`8EtB;rb{WcG{mdit_{4uMYa@EV)~CU#%1` z7Fj>Jxi6;n+}r!Ezn_&nHG$nf%{9*#AdefgP5it-sO^i}JnGo2InO_{ENwQoBp63m z?nsahRacbB@|zHbdR?<|0w$@@jl;0NiKZVI>42|qSl!|Pz@xM>Al*^~CoHyxVqJ%Vpj_m})a zx=-5B{_W$wG0bn&eu}RGEf`nvcb~9FmoKCOp`vphXfHoalz3^cSamIH*M|W7O#eld`>Ysz zEDUD!7Zb-Zv!q&K01NGP%bBXabQMkxEzw_+c-jPfrf-D^6`N(unYPD`5Yu@`)_k!( z+OIc#!qI3;6q?WwnD0E028fEOc{iA1eCM3`?abkyivWzEy8&9|Aj>1ftW^1?J*wd` z5mAf5TO3xB+(68hixiJB6N%#FFyQ_b#-g&u>(*9^)7E8@_2h60>y_19A!FQf4aVf#h1b8aak|_F}zTx5B(g zb!J4eo6{eSXFG0AyTqlIB?m$*z_?r1cGflR7e#gQm?qkHOKRs%W^!xv95?L0wmDPvrxnay+<5(w!}m#D zvcZFzww05Y2+k&U0{>+8n&d;!bRw`-;ad$=1PXGiSwA;oHUzH z7{UJqjTTPY-P+0v?C^4Z)>GF8o=J5~a? 
zQNax^U3=31+TdQGr}vXxrS!?r!LE!2C%<*F%$xF25?z}fM9SGi1|yZQ=*Yq=-r%H# zRN|;pgn^&!#Hm!?c7%`F<_EFm?mdaxj8gBr90NH-^4b4ehjiihhC?_dJkUDgU2xMR zFrV}lPk}3Q5qoawH6nR*^;Y{nTl6!cBcqSz+}hQdFxL`7u%BG8@~3e<4YY_Y$Xxzv z<+C{|T#h)zm)kstIqEvLYBiyaJOi#|pA|-!;gX`NzK#CV&P7Nwasu^c9usf)@aJ0(xOBGfYR18=IZ9Q#AV0&OW)NPW zj!h-FhYW^9+!KJl{=Kf)mUBK8;jkmcE{dWdV9@9nf(oH`>)AmQw#;I~ z*bR-y1<(7|uj`cWbzLBRKz0vK(+ize9^_p)09|aoX!wmdb9J2Ni8x9J-1fA!Gf{Sk zWhZhjiCFt9tZzb`nhQIBO;^mp8H^-*ZZsXC2z=z*@SG$myx62T$tizy^y(2=a@PCi zM9uLAC&V?k_Cf6}?pf1A0(CjQ*{8d`PS?%-126)+_KL@UrSv)SUSlDEON^0e45+@@>q z?%#C`7kIA&3w=v^w{o7-tar$zIB_!n>g*6z&Scy2(=7T`kj`kXOLdcOOnz#2XFaRy z{;`C`?N9nj92D}w{qmxYv-2zY>akta>5VmL#!v3e=(N!;Wc&l-j%N46kQXdE4wF3M zX55@CK1Ifs@K!yuJ2yFE-Mj<&AFX4l-=45{;wB~qpOV|f{&%X=za$vh9$nR=rvicl zs47Xj4#`_?1gDZuGkCQ@1I?32ytKGM!^;@^?FyCfs#3z5IiglTIZ;R>XA0u^Bj~%k z{*VuEaF=gSke=JcH>yCY1Vq4=*~cAzHNyMxyA12FDi^VI-Y%94x!~=tcdCf8d$vry zq3LgHl}<&Mzr$}E#xtF?w?TMW*cSoog@(6ZvIsUaWLa6$%=INMgBS|BII1*gJ%jPb zM#oEu)Zp@(+s<~-8FLBc&cL=`mhi^-RX@0%kIZa97Uy}^nzg;Mj+OzkEQ|~>GZCe+#=$p>CEm2k zqauxnRNp$5^_aefj5-bPP%_l2OeB93uxM2HP@wNKU-F@#TJcn-Vn;^BwsS^WQiIQO zBBi@RQj@EzZMnDkUguD^0icY=eSZ^w<>*m8lu?6T7)Inxs#FQDaHWnx11ysD#SDo= zP8`*QWnM(S{4B=$ReyUW`oL}^IIEo=&X&rt<-DZT(cMk6_LrtIJ9e6}?iajbbOXYW zgX3!XJN1IZUtM0fC9qciF9?){NH+gC; z4#U%O@hW5$uEdgu&WdCOQ1=``qS0ZK=Ul;ot$n7J$D$R0S8UkLud$z0_!57Q$3^R{ zRv8yk6)@8<4z@I~%TVQV!%@#0WC0_@C<+BGSZk8$-FF!w2-aL@xG=qMEHWcvq1vf` zU`TwMpo@_=&eL@{v`Ndw1j%&fOy&g1%t73f2gzK9nV!KUOZR+5zzPI&Xo{zpnMgkm zCUfr`kS<1TIHl#}#gF{5tr9IOTj;WFQ|KW3(s(o}p~kwh%-GL3>Lm1YqEJxSO(#WO zqqph7`T;V1p5}GN+!4kj3%T_&x%y=zh;YtZUnF+0WZtLvvB`R=)oGlkY(?QgysEk4 z@&=K99(Z%~S+7lCWM^JK(#3slP}wiZ&&y)ijjTNapW_^)9D+eE&_erR?UYxHlD(7% z>U>gJfDzxswM&MIX4H44nH$!7JTSaLhUr&!Lj6C(AQOu-{bLvhkYR}Ya0jJQgJSTy zE1pI|iG17ab%|z>g{`KH>)(t4`DI?+KO1meh^E>@u5-F0?D(?s$L!DmT2augzBYmHqla|Z&!cfh}NwgrfSc{6xzD<735+!2Tj!v zwWijPnObE`yha3uUw0P1@}PBJ?+2o2Fu#fG7juL?+qt6oeDBVmy%gX<(}y&8FtU z=WjETfzggSkMyvjVbW6xYwoA?S23l-?wI&FXcYL4G(*M3%Dj$a$}WYkD=wwvw76%< 
zY09xCt@V&9z8D?A(!LzbtkO$&-_+;j1=ISh{L@dCqilAZs6GQf{@JWuXk8p=vt|&+ zsgQnKMX^(0{`((%KOD@!PTBx@J`%7Uc>}6{P>|cE4?=0^u5kKLb zBCC&T4S$LeCWxbjZmm?uZwhn~Sv}@v`f|rs&*g1GBy&?d;n=So1P*w!brUZ}hqj%A zLH|QqyD~cKXNkzhpE4&ZC-sAlRFtvCE#5_QA-=E;-_q}O(raEwTw?H>WCoV}tj-sv zd7bL2=Lfz|?YF;oQ=zLA1jTJUEEP?|lnVEAT=Gjn+UM^~LdX?NMwo3{rk@gvXB%!p zU$P^rVZNXUqFL>kKqqS1r(76XCRO{g^?%-cw6jDC+5w9CsD)y8JYm7uOTnTf=iZmT zXL&t4Jk2?I+H60Cw)JcWJ_7IpxqcljZ(8W!FaNmY3(~~S(C8zYW$q#q^mvsp2v#k9Q~nz@N&cVa^jBhAX1L@X zqH9QD$x83ZWi=)!`PBNej2cDZI#5I^g7!|@W=3+PWc{at>$sfhEfs-qLDj8X6d$Ir z$X{qy1%Hy_j3rry2%Hm!LD1lzPv^|34VH~tUOO-<(GUJ09B)G)EK&^le*wCR9Z9&Z zI)DVUE4N~JRPyp{r{Wy_6PwWFv(daq-C4ay3)4r7RKZ8arz*4ga%;7etP*DgKy%o9 za+p=+a2=;>mSDCP_w~4};?^8RsV8MD(sI%?DZXTw4FO>ttV>xx0uFse8R$AWed3Jz zTXGkID71$9cy2_YXjwx~F-}^l#L)oTaK7j*$24hq;;&p!QeLr?ryAuF9nd|r8{B~X zq>=D?yU^^%D0!@tMF#54nX9~Hf8ZG0f^fj6%AfPEHn=V=stnfE6>Zh6z^+Wfw3YxZ zJ!b}Zz4i8b$R+TH>n;>zJ-RCMQm#@Kh=Y5fL;P6e9fBx(x$(qx-#l{#3N zQCWTi6MhpPto`VpJw^#XNrejXV5qW9E$zl5m(*<#P`QhPW&UP->2MrLn&rjs$z?Jd zXGTLk1elBvNo7tYF5t}f^qgZD>k53Yt1&hbY0QHky%#5dQAy&-s8ihYY7H=rRvXf3 zyqK|A%iLc~&@B?C*mQ!|%x7RBcjCc#(5m4141E@5Z56qjmH`e8Fe(3wl-%>&4I^Dp zU&Pc|+txc#7z)M+X+kO6`%%BEudmy-iq7T}qO51tOdX-rDwspp-}XSNr#Og)Pv4GU4Qo|SzND9WW@Zbz;+#Z# z$2>X{!7$qLqG3dtjD+{^5PDSgswp&A>m0>lT}y^@=!5y{C^r|l7tIR2)b)ZK4FcK% zIj^D35)tt-^(%$8xlM<%vZU7}4gGP;;rhxomkd`s@h@e0dam|!7UK4S7D$S?Z!eq% z@@5LO3Y8luai0+Rr>=6cd0^9`ou|x|``ECcbRqcVe2DRlc1SR3865r%+Yu}~pJ|`) zNHEn$4{@AHrNmRLp@+~y2TLPJy(}Eqe%w@fpT}8}>H|<+TQ$%8Z2?A3#n4j)gt2L< zUh<1hchq-MwBh-#{ZeA<%#r$XA(el_lO;(XX@vqS$FrIp#mE71#J9ctLWw$Q>I|4! 
zT=eog1_DLUt#13z&5k2*|1%3>&I~TJHqYX>$}*WDUJ6Tu?PQZyD~8uZd`oHg+fj`5 ze2Mkv1@h`=?W$c-ic2nH4KT_qU~$=uWW7HUBH=xiCvv(!uj()AxqmYDVV>R~)Z1y% zn=dciUfY7_L-?!kT_epp*zx{9ua-IWsv*yt^GoSsJt+6sFx7%jNf#yW=Z6LL8@xLb zIao|kceZtp0VrC0nhyDctzLD8b%=rUq-V6GOIPWB!9@ER&|SILhMS`nGF@T1t{cEp zvbBb7Ie(=V#)kPSBA*3HZV8ZK-30iy4}@SP$4xLSI8PO+2E6nEYyzh}7vMsPt>=kA9TOY_FLhEcv-}4x;Eq*ep#Oz!mD}`+E~3*!wd^n>9r(iFPHGwR z0qGk;hHXKYub>ag|BH^$u{-72)(+~R{R;dMsfwgsw0}^mrror!yLB-!0x+gbI+eF6 z0QSFI&xa*G+Ax~37qw&2S&MRhOWs=udpddI({L(Y($h(&shnJTeG; zYW?-QqFKH$6+h>SLl1Uo!01H{C@7ooVyQbz=}$?9B40d1kS*g(scea)P|U-fvX7#M z*W5YnT5MP~qC51vGMU^#&kXcFRU~@?8@YQ$kgDZ>mPLsvoXNIUvIOlE{8xw?o;pw; z32o#034#_0Q0tquT!IyYUVaa8_0iqm_xT_z&#&{u9m^%{1LX&xf7{b?+tY=PY~`3* zo@g7U_PqWeL8Sw0OxwpX@zQO}f3+{}$Uo70!5-E#t9IvuWokEYDd)f;g9Jv|(ywi{ z>WAV5NP=hc-rn-Sdv`>~UydG`&WQXmbZZg?KTQxGe7dh+RRa#utX4o-#g&Xe@3`o#*dqAx0(cX*7>Hcmo#;RU zB+V?Ixnms_v22e%P#zOYbljJWJ&z*CjJ4-4YN%K`JmdZv@^3nwUR`&LPVq(@iYyQQ z<2C~|unKUxU`auww=tAfj;p|Ga~0Tx447Czs1|}jO19+IIa3fXQK|q@N+aDvTF!wG zg+~K?>|@4q11y}fEEqjL*S;Pj05PB^z6BNC2#5LigBuxZZ{ffiqJ!f#?Eivy4n(Nq zVUjoEbwqhE90E3)qFO8Ex_URZ(ig`J?aegx3+#?0x)XyZGim3RyJ-R_hmi=@;KNVf zV|jV8w&IicV4a*CM@9!psnWh>JCUAJk5WXjPJJbqEXA-J(>9R=)Sy$z9`JkX#ux(Z%hfddL@AkA(y; zc}%Aw(Csvff+JxO_`Fy1tDP@p)ydKBXU>3aD|hqW_FAf}gHCRIQ$KpIZth;Rcm8l9 zyKF{u;<$XGb|%HXHXHUq(|cT&R>B>&ZC%`IDw8Su?nGK8p30{a@Z9OWinsVMN=UC55QsglBBJR-{V054r@mdEEqcy*V$2v z_H2({E_Hy5Xu!{r&KM)km-wezP3wF3l=dx}l78N%;*x8*vO(=72+Gco=tQEr!gto7 zCZO{;zN&h)r>a~_h{Hj)9WIQ(>cfhyb~n@UroSD+OO0=`^-^-t6!Rf2SlVmJhB{!W zbH=R0gb82O?ss0bePuoXt5!mcUtkH7n4I?b9yL2~mx42jpUS9)K`;W134zUdfdE^w z;XhQ);f7hXE`DwRp|Z@GG($XP))&ZmOmMe<-LIGw?$i~2{#)sj0Na{hcb2V0(-p_E zl{ep&7;M;fi8uGCs-jmvWp1V4tl!7j2?nd1f>-P6wo8W}ua&M*!Ht7YVO}DHsgtgB zE9^${8mO%_6^(N=B1k>#N;!K#7faoPLEEc1fo^w;d+xA{88C1+n`oR=kd?z8a8p)pMbj{JFuguI-vU_ILz}L1g`VYvL z5{R?sX+j%X=VM-oh#hOi`zG3=s!+L-+S1I#KD2LtGba3cb;Z(_Uyg}GcfLt_@g#U0 zG++XZ$izW6!Rq>1sitRt?Iv+Nmi1}?XBhDR(NDjfGFm^xa!~eg>V^lzZ`amD%OqD3zLqMh0ugRq}d00$y6&MVkyOcjMVIJm4(DSYqs!497p6$gC 
zH6X7r??CAR@n623CpV~xwkP6Y+@mfb5qQrfxgsCC`id|7B3k}{0Bg1x8?^c7`v-kw zVt)qBr^e@|C6mGZ-$}I3&HjB7+DisXP?17TL~*jI1B2b7M;>8_iuR{9Nnllw0k- zV6N)Hwwgsz+NJ^xWJk0b83O7b;l5`w&py`azsTEjzwQq#d;Cv znja0TNTfXG|DtHRB6q<-=UGEh@4w`EMPg@oTSddDb{Moq1f6~5f%&7kR}&}idySwg z`e`OvXYIi8=E_wS=v_=#QS8&Ivral|sT8Da4&RvH1PK*&ev;=JnI5u7MqZ; zPp_GW5Z0K-ce-2_U2+3$i0#vN!QKt_=2$k_ntM@oZH?Ch*7XAvmLq=~yT>A&KO4Te14!ta?uSER^uq?{f;C+frn7XJ??RmTMoruSx)aBR^@g; zAAj$v*8TKQkrDJ<*Sf^=tz;Sk)#yY*G97NR#KP%IHPVrdtG_Ga`rOp9zM$pUu0A9| z#`@9g9P;H9BQc{c%}I|Fb(`S6)KSQp&WWgAR8rJuokD!V7bPV2vp>38dP#6udo{f3 zhGyL%7JB99rW2we^*W@l#KZ$tXng4*fOful@3F0+)lC@;e{H=@W#48G6~xgCO>{3L zu?*M<@Ij3boBPPfmb}#yI1OUX+A_Cmps)K!fmt%P&Q`?S*tRr3v<9>Ef`aD*`|}N> zk3L_TgauQ8d)(_kseW~;S@M3f9|YF=eR`ew^>lxdf@vL3taqkQi}M z$K;!`lCB_-mZJ}@#*aN{Ef9pfj5_lA4_`c-Y%}^%Z-H3qC@RF;o>pq3vFir z7rz8FHwaPIo8GjkVfeE+R}Vq)Y6Z-`-;P9nCIWoLzpCmx3A_Eue`w}q=1B>ljJQ8k z2r|}{8QhuOJ-GtPg@9Z^nTEyQSF2r~kXsg)yMog|d0Ys+aCI28 z%6w^AF$e6~P4daMyxLXHdPEyHIfd)_bjku(fm~~GG0JuLeK!ZUlj^Oq_7nNnGiO*n z$8PYk_RU*KO*%@&!_dk(^kN~u#OB1uRywh6SYrFS5NxDBD$@Uq(1XuEfdrI7A^Uyb zroJnR+|fs4H83$6@uXdc=oS2<2mfF1BRF=ou}AXk3l6pjNE5+IAan+!4R$XAnA}jZ zXdga^s;~P(RCWufJi~G)ggIaOb6XWcah~%lPH{h!hx7fUNdQ%C+0^*Ap2(0Dd065t6X4VLfYHHFIB_98>2+xWyTFe zmC2P^&Bw6B^{??>7X`sA>G~biF4d2Xg38AxQbEC<+Xvsh##Qh9K$R`RZPKkDNMn;E zh~`nRCRT^n&xtHuwI)pH;ISk?f=#W!cff2v zwZu^P%ncnW56vHxnYU{7$z@+t(>++C5^-S`a`^Cv`vIq!M@oXvp)7r8XjZYqelZWW&j2-;_7pGJ7GTWz;}RT>lCwLzOIV)r{op&5EV%Ta~sJOVC>oX$&1XUi$}8mL3@tZfp=8Lak14G z$LTUzSzSD`Vmt6vQAhb|n&!Ni*2MepS)9_ zM@Eu}yc#5;YF_cUEzA8hF14*8O;GUpSYNjSHU&PaI)Ib&qH&qKIcd==f?P(=^5T z+hx?ZaoLrxKBc;wg*{vuyn69WJbK;a%YG;w#=QMtBg>9MR$1rvIwL<%5BN1ZPVU0g zxImGpYReq&c&;|K$2>+6w{t84Br0A$=cLjbkB8tTyMuib%#X>iID&0~5&VeF!21!q zmuidb9zr)b`y1U0HIvC!lA4M_8I^M)B|Rw(Vi`;zx6ubLOwdE0Ex~1R>1}gns14=$ zK4J^3!*W;BvKun+y@q0P@exe)46L+a<2N4|cxR-=9xGRer}C-v9`)7k8}bZXi8Kx-YSb0KAuu==)d%>F>=<3H zvo+OgmxJ7za-~HEzUyGjDYs`5e>P~vo31s()iI#>@!t5p3p>BI?^jLjiMqX;^ui~v zYMq?4=h)`X&eZ}ba4rEa5hlb%H~5PLd0*Sb5vG^UeMU98UqMKn-zx8bL@lK@E;xsK 
z0wu5B6AtM@o#(;?bVp^sPNBP0g7P=-O~a?17*aCf8+X26;Fl*1z4is`OG;zwP4zM$ zRvS3-%$q{-KRr&Kl5Y5yCu;IdNLR0zW(94?Pyf1oU7f$%=s)E4Sf*`dfV@=|Z#IBJwg$g0W zj@^Hx3UIM9Q>~)+F9I<_!V}r$wmUvZnEg?vQd;Rzfs)lJWk3E@Lg*Tq3oJv|z+91} z=Q{|-w7)vK8Cl=<;Q9HrnVn;R&VEH&S$X+7+mPG$yU=H*k1f`Bh*J|3@!vL5E0Be% z+Ym*-4^J4y29J!s&QYtHe>^RwXen^<>h(l%bn*1v+;S}i)+KqCukr!ff@XG6Irh$-`XpH;lnGJ(R)tX5l2~gB3Cv&3Bz>c7nhudnfgvgTx zdyge3{AaojdOZaXzz~clOb1axx7T_dXW&9K8PG z2C2hMVY}&*4=UJ##(1pkgHMg6HQhwxCm%u)2-Pc8kqJ5~6$t@}A~`UTB&EC_dE>;Z zZz%=Tg>&GiFsfJI8v=?EQkxVkO@=M!eApv0CC|d=0#{IJ;y{1h8`kuXCaIQ}k8`>B zYG0RSuH8e6~Uq zN{Z4KE!9%kA^|>eh@QmJrl&bQ6~KpR1i?1(E_=7jQqGw@!ct;AY%Z`3S(Y}g6`7{n zvxcwUQi!qC&GoH$ahYelA+h0Ldv#9Z#d)+MOE1S-_jG%r+_U}|X?YQ^#kO?6ZMVuQ zlx;;Y!Y#+Xxx%|VfJ*z2r8YCM;!e5V!+Y()Vu7|gX1XE~Sy1Or>5jAT$>y)@Ef-#6+kgPdVim?L z^!*iu#U30>4UH-LZm@skku;oKVPP&$OFe0B<`EPAlpUk>1r`DF5(A$+NuGP+xNELI ze42V!>=MPmZ2W--+U4_+54DTnSeOP;O=gYVZ$}14CLu#tpHw~o^43wf2T$v5v7KG< zG(_jJBpyYx7Uty=Me4`{MT&}doXWh~dO&z@W^E)O&wq*Ame*#hr{wTTbd~KwMIYN{ zZbgO-(TdIuXHEtw2nl3!>7e+OIaz6vR!NI=*}hJ0s*j4ZHBz_-5l;kP5c(V5*Jd(p z$!yCHTasfk9YTM$^92mYg-od;R1oFlK=2diz>5YGQ(>i%{iE07y4`&yb_hwWEF$}t$)4kP{A9-E&tE8Ee`oewnEoEj)f|%E zorFi}H(`9w&=0P78Tg81&QuSsr0GvBsUQ5rk6VbyW>mp_J3{lij#K~+?e>lv|3x5pmDko zrbs_H!}C@Qt$)>#)z@Q%0A9fYRyh;woh>`>UFX(tlEf|znkW+wN7GMU0DK9+fzlBE zUm_nVnf*5JfmXviS_1DmKimjWL!&ZWy`NT|Ph{GIowxU@K}BVQoZK;u1e{FQRi3hD z{VlOWc}}D-4nyvzHoH-o^DMY))m%uLc#i%W5D=>$i5(d8MaQzL(5Qns^r8=^7ygAD z2E2q`w@%HqBhfk0t5~s*zsNJANG@{Z%mRlA;$10{iv93A(jLFbC7Fug|53^>octC| zsFZdlC@-SjWmkIoBa?zVJ1AD^&fz16%}PJZYN@t5^MfR>1tFWU+kHQ%^;MR$LyMp; zT&d145xg)N1BA54Bb)d7d4-!l-B>509yO3LzM=AnrTU5pG1!Q8VR(UOH8stw^?VSu zXF=#31ih#(Km?_X8ejB>-JSl1q9ibZOsX$ClI)MOp%{{={X2Fsa7u*jFUSvVRSZ8{ zt*j{;?<1kaS)rnk)bM&y4Xr*3j?d4QLsBtuaH(lVpkgoY46}nB5yuUscRwXn^0+ zAhz~%S4C#hYCHUB+YzGUD&~ZKv>nck*Mr{4Fn(wCYs0Dpvt5|LNB&cNxRrpvwi7m* zW(*Z>$N6~H$NyWIo;;%CvwYFl&J9c~9-0~Q)bXERKV~<_8ciepukwgN;6-eRLPfG^ z6UMG{o5kPeq*mddefe$QA7D2XDxYQA-fmyXSK%Z8Im=2aIwIOVwDyUAX*4T 
zV+}MS50-p(G%J356|_Oq@vj*W^lo33SfYgkW}s48wN`kG^D&bwanu5PxRQQ^s|Ra4 zdWmLh3`D+RFN0=+I2$UR!hQ~-{NInWm;G2WQljHQ;7ta0Q^EV>jgpb63>0TN3`G~Q zUqp-x^r{ZM@E0irQ8Gh8zMBdvCsddM#+GgUyOg*pc2o)1i0z!D36{@_YeAQ=rjTyf zm|bDtGx{yW$fHtSav<10P}Obk!%zcLRe}`}reL2I6BknfeP3ZwEOAZt>vn~s?TE~g zWG>%@66lF{tePxZVyFeyaGx-`yEa$0d%e||V<#$UJ;ZrM9yZaa)OAkos=YBHTmA9U z+|&&a%Rj&5UMu?ux{KMHJ#j^~=4B8#KIH-mgmk~EA*X&sj zi^4QN=Vbv66Fuv9Oc`1?Q-^Y`Pwc!8Hx{x_+6Ica&Kfa_TWxJ!wX52vSS|69Cph4+|ff+gv}inxjETq&OAVN(jAZFB}zg4z&lvfhU!6 zF@jl2FTYGp+fF8*T=}H+TBa+$o(nziHW4D|8zJ`DG-GuC3xU<%dv&lKP1rz#5Z35| zcvY1e@;P5F3VzKEcro33W!wkh zPafUxEb}2G@@p2}A~X#GTz?c}U@Vn`=*c5`$#=B$Kp7M`S~yk8uN>)E!ev7XB9G+r zbI!UDT~aE!`z$q8kpCYtcc=bArV?k|^+DgMf!0H}y4Ci>o!JdA2vo0KSZ5YweQgI^ zox~BAw#?4$9Dd(4@_1ujto8%wn1B)wN2p9&TFi_n6{J&TmF>r}Kn$IGM~1w^{ic45XAcbag= zxsB{&mu+Z{ApVjN&LC+jx>lRecm?T9NgDLTWbtI$EJ(;vOH!$=1O2`ZX2wrk`UyQn z= zRSupKqP3@{Eo2MYP)-fh*D75&fdF|OP_CylIvkZ@)Fhi$&7SSR$S3i#)u{f76%6o4 z(;lcLX0A#zTdxYv|F7P3p~!*~V1a1#%%-bdVb(O>GtxAscw1>0-W~t(g8_W)^>hNI z5gbwI`Sg0B1{ly>(=6UGn0hJmx4t@J(5da$(Qxvxre60~Y%dn>o6%(Jkz!4RN=*D5 zT6>NyKHzlMh7{yU@s9t?1$O-id70GffV>ucRsQ*50HaR&z|qB-laAf%VA(uZ5J3y5 z0pv~!U)pgu{L34ep*33CST=+F-%^TvoSY?H+88Ej;A&1$l;c|NrwF1*NFMrRx?-PL zjNncm-Q}DBj45*x#CvQ{%^o7Jm41jf({dusxxRO6Wr!${@mel!OZj5a_LXVP=FLE% z<1`Fh37ql}b4KJ`(+zg_VJCKw8HZPdm_WpLS!E68A8PIF3%4VIFcgCmh(C&iNg{$Q z0WkR}{SuFw3y~`U>G6?3?<=$2e_{neU!$v)hD|iPcOmuoN38Fo0|!tiEXI=$tfk#q z!Cud;C~hD6wlSVB2W|g=xSc}XcVcFO8*p_ufAo{bpYL$^-rJjCxBcRFXE43i(r zV(;&Szv2<-(zCl0)Qwr~ybJHPb05$>yg!MP_l`8vOcYw2kcJaIqB&^tWST2#T*(68 zy?J2oSj2Z=jD|BJ2HRgNE<^dd3|?%B5S(Z@76{Bl_Fcgp8XB?hL&KKJiTtC!iQ(Ch z${2&fN0Yi^hH5bHtR$Nc5z{#7^3#L^P{iU8WNtoe02HUCuYQE{-8rvO5+3i*3*X3j z$IaK1todqehr2nwlMO2-qtLGvV(GNE=D*yY|_ z1FN_~1$}1D1djjIcp0QgqNi>6|8{@WSGkwTh`m4Go)pegWd6}5(cozNXqNFS?=&Fr z%C9BBl&KW;Y@KD1O=_@}6?fi!UHP}{69MrE)iroPfK(GkjxjUuAXdIAfnUQ;l{11`K?5!)VYD zc5G4Rs+lW~Y&dB&rigZHiW?zgj^hZhn`8h47NKD@{5xs_huEW|NdNo_{2nm(tbP2n za)zk~^a$Vp-n!ig2#t0-8#)9f6PqM-g~nPx9@>o*hO+uUSZ7gPKJvKOceFXXk`hav 
z3$X99ZbdObcKw@#;-!w5N@s1artCL?qaHn;RRKvuXRbh1Kn8!3ILM zWNilPI>Y#HdzWJIrEztDDM??qEC1@(SMdW?-j^MXs;(!yo9&fI(I;=eRqxfTTRuDe zGN%d-R(sz%=Q@m|yvuPB00q<=TOeusYN z{c5}7e_*xPirs4ROz3y7?f{l+uQcYSZi>1DwkGS{NTs4 zexq*=>wQ0TY}6i_V1r9OoGRkCX9O3y!Bfb@u-ZZoF~X2ZfG5@(3CIw5k37*tN9<-y z;@|5Zet}nbid^@U_Y^{F^pkiUs?K_$O89*}Kh!g){MniNfI^WG^Q$+Dv*IU08S>|~ zg)?90inJG>`^Ce#s)`ZWy>j3XMp>pN@JTBSnH7d>iH+|F#^pi>~V@TvZ_CUE+j52ziu~G_O_G`}XKshFuks zxs!do@1l0=v7B}4Lb0&?^r)n<@^RlT%>U-~Ox|C{gw|6v;#bGPm!~)V7mbsLnNKUe znuLnxT_>;3{B~B>c3tg@aC%p-u_M*Z&zByP-8aPF;PbyMm<$n=I8K%x`bspR-HccB zsXoXIA2(GaQg&z{W!b{(ceULjmlu@N8)$%rmJm+1um7xKSv1qzxSGGWw%1(S7*WdOI**Ro|AlF%GrPE43 z6o99UP&fzD33TmgxGi+4JMr1$8nf-e-gNpgw)*+)Z1s7jT|`%W3LKjknk^@ERoQpe z-;4e(cZ5Hy)ApW(-Y#WtFRv>6XzN8Kxm_-#L9=DQe)U}(lqQN(pG|LPYC8)xi}&sZ zeTCRnb7q%Jz23{PGTJwrj`4P0nCEE2?T56>Vh0SiFG3v9gNQ(nv-GFvxAE-Q)qK)H$~1ehg5Sc@^#;&mIhyCA6fZlX!47U4l&dK`7p`8A| zRP$9r@;8PmbEhoU#5m|Ly9CPaw2r(b?TSy}?}Pn5F8wj1iOuQbc58zf9+DB-`~wx* zsS0shLLbKwED}td5-j2Oxh3~HU0_QE%4k~*!LI?6Z-*bjJLun&gvhH|!*drjH37QG zLigQmMG0UT>SMYKc6!S0(?2-ZfpeIhXu1^01GJ@>Zc--!=?BwA#w&osZv8 zJr)h^bqtaCAR7~+q#HpIc(c=+(3|%BZ7Xw`kQ5W+vLdAs(PI)o<#lAfHZ@i5w=o z&*u}OH)4};d}jVu>r^?a#jF*X67)|@uw(uVQrP`R(%Jm83{ay0?)CK*Y}Bx1HP6(5 z>g-r^9>a$U+M2vtHL9#$%QPy-fq0|Ap!mCsUYaMPIe4lr9=d>YiTjr zFFWb;m|Cbl5ITgYs4E;{KZ_RTjo8b>%uw0qJf;8V*QzNrQBEcQ;6PgA$U`Azjkl z^&I84t2ysMwU!58zYr0-=+lDw@18F+ znr^q!X0E}92isG_Uq>!{;&oKknq0Mj!M@cE+NyBgRRn1>SZ+!T=ZyYm&x?LenxE;S z4}11R+x;|1@y0WTT7+7PGEO`#FIWc7SZPeF(Dc*cpqNt96YR_QXjsCZe^7@*<|Mqd1T8Uca142z(PGXnCWb174NlrK^!{dU2mBJybg8FnU6IJ4z59 zyxO`O#2!~1&GFo6apyAG3B=p(7lF-dE^?HLF;8&RHhmlS<@gmb=lc#K8g+%{^DKzj zBCy8|6Ho{=IiBt8TdrsQAMQTQnMV^BIW{Jbg-IodMwEs;QfxAP2;rMzcGWDL-qrD!MNt)R<})Ce0gHUjoilqM7x%m$Kj`g!qo=xfd#H9ZRAJu zK!#TLtG&RFiQHpP>k;h7-mms^y+^4ErAJ?XDF=s$ttthj*1L>!L(k+mtPxuv1h0v= zGW9D_KE1~z+2~Am35+pdh$$_O_!MSSa%L!vj!pzc8BF`eP)CH}_}84Ua?*v@omCsdbDIo1_Y0Q35=PNrF)zfu{C$$WIIuKmAbo3c-z$<<%~L`rWnA|#mHFsllx-k%g!&1@Mn9=bm34-9E(4$V>;mE 
zhjT04EW%`**37s0z{MUzAl>fS6`OM|87C5_;4vpVa+X$^)+dS4Uj&z)s#vctp62tS z%UtX`wLUI$tlx{j7rq&zBho1o4Amu(CDeo|rRTZSN^o(b=MK~`HZA+e%z{i$1oLSW zkp%0DF~;#IQ4(6R&!EpMXZ$WHd*4?{o7ZH(0T)sG0O_KNjU$#LfB1#+BIX)8I&PBF z;pN8@%;mu&Hj9(yyB-bj6BaWE9bS(Q_vyg7Yu9}I>$|9>nVQ<&^T?srYgon(Rc)+M zCnb0Oli2-^#!|%$xgR9MsgHv?sVbSMt!jfXWk-#!6EQ@10w#SLyOfl|+gR^G#9T9vP(`7`Dt!7h#;{=kCtXA6Lfkm^g!w~Q~J*VPH5eM&uLDqC2GOzEyGc)B^=>vlQ(M4;vrtGrSpC~E{*`{ zQ`GWsZD;oxCK9x{uGZP>J`}M_e-e&ge>R)gX8`l1s2y@Wn#z1ABzl!X;aAl7w?KB{ zA!)f_9Kdp-3x4l-Q->A(=Vo+~e9$u)q{$Y8&Qj-6#!4$pD))n)RoZ*0nXNDWDcI9) z_86My6^cAupO+W1)ji6rHXes}sXq+KAa+cK?`oqoi?0@1H{Xd~NTN;A?k~8j_I>bd zH&r=Nh93U;o(=ygW~T5o7R~DHOiX8?45`>_&A*#_kmr{%iS156(>D9T8)MI*yl9O`9Xj z-T?KS!`*w!$6;)#Y4_?~;f~2|-kOF_2?-ZJtj(7$b(W`wPu$H_eVRK$20R#pm~zWu z6J2Eo46UGx4e5s+>64J|$hvrW10^XkTo)It9F|(AbOUcKiT2LQA0qi9jg2&K2j9Vl zrP?p01E#4Xr)E2N;BM-ehP~QxC-Y$rXEZcc-56ym3QM~QhE*>WW9xbZA3AlIJcn>b z0(N$?%~B*Y9DjBkZ;i$r$>~-bq?^wTsChNDf0Nr#nfQQqP0U-2&*FM}r24d81S!L7 zZ9Z}b6j1f*pIU7l-L#$HZ*eWn;U|`3)-6BvLJ|Ev;D(EnphLFCdDp63Zd1tcu&crg2>}LAq2e{S}Xv74o~q?L+&TMOLy}%mU^X zFwPrTOTT+?FLgq>9F^VGabWCrRZ|xHy}6f}W6V2)k7pIJsEG_?`X#(1MT*!Wdp8s$gO02U5*nEbdNDR+@u}2RL$DXkly#grX9gY$&d%PN_ z(Cq$cC4hq4cS+;rW#`gZdQC}9YNa35D3-bHP5N7C7T;74om(C&LX@NL>GNKcVD&A>dcRn(y!&*%)2lexCq z(nOnlBahUx9pi9w4^FQA=~Ub4ZRM{zG()9XdYna4fka1&)Ei@kvY141KD`tLP2%o~ zb}`i63Oy{nYjFit5^0j<7T-rCAj!7=+l*w$d!i}ZYyCe{sCD$br+vdasIoRtb<|gh zJRK9|eitX>jek97j^9(y7})e%79rixHk2s+Nr{C+RJKf`7YB2?eLaI9R_uSz{cNdd zVZ>?UUS+lSvrG8^y`r#VwK`ONO_#yJvHYV=vpb0ReWglxy@b(7%-3z2sG*W z!0hx}r2Vx{fns!t8f^>-MQvVMo{X%yItCQzeLh0zh_tum_mMGpq3iz!Eo3~8m_8~x zpUWG=0TPGhvc!uqXV~Y3A0IRb;ixS=uolD&XpMu>962 zroXr{*PbrvlXHGZL(3(ASa*knrYmtz>rx_+vM9l|V#k!NX zLG>iwk)8^(-P1xy#8&fQRWo2pig_Yy!mdZ-Su!r(FeQirgewC?m}6cVf3o*>}}_mVfjEyoQGTeSx=_5mS8M8wZnY%AEJQ zbFrp=?#nxxf(zHrOefwh^ZQaQ#U*M*xT0mDwkEaFm}^dm@5xwkZcPqsYO7GoTh!~y z%Cf=e@rMVX9Jr-o*=iZ=7G%PfAscMZihnsDdQ`e5u=pb+WR#xmcGR~75CI;M_V_0; z*S1<1QixLHEMbyFp%TbTO}nY-4HL5==`exbAcf}?G7PFKj28zTZmCO1SE6E<+KGU! 
z0+k8wqgW;m@4#~Jf>5(Gzq(gF5w~jf@Q)uCuLV{_a52R?U@K#_L*RY?CXiu4GP8m2 zK*U{skO_rK)n7IQqtQ0S|Xa^u`gH!^7N08~gX0dpcGHzIcq>_45tCRTO+ zu6g)uMP#SfKwG*!c2H+y=eUa!q&tl}%-<)8eT4%r-9DkdVZB$tV$2Sq*?rAC?>?3w zeWLrE>ZJ^Ox&=J$kzZR!xq9n~3f^l$YO;l&*G2k#gV=Ogi&=P7DX}+>=6}vnwE}l7oe`!#49xH)zcz9 z=IFjLnaKae{1=YTV{LhQAS_@>SEO$ILN$@QCqegvagiAZz)AEc1)Y+NhK?i4-T;)~ zUnb2F?#ki8VTA$iS2i&_7A)y2J@=NBh4TdaJI=4&p~Gfhd9oW1LGoJ5Sg{RFo0A<* zx!OQje&Vd9H&jGFD^O|=l%~=D<_RnjYa;lEcy8hLB$P9%S^9$+WTqt&qT+7RgPV>v zGpN^S?2gLr0DEvRo!5uE)q8Mcp@TcOOcV?UPx@$g*4I`Sn~aUf!*%RCm?j+QQgu;w z8(ENF3U-a?$4US*L7v)K9}@M$^>Y6(-9F%&pBv1Uz*%ii_}yh^QLG3`(jd~TM&F9# zRnh#&C6T8Epat0SzPKLMW~dEknaB-2W*PcZqUu^d*Idz^8*R;|Egg3!nWRewyHHc( z_G*o$h_AA+jkOc6>hgJ-<#oNLtqxQ0PUV(%_Qo!a41efxQc+8$P8BhlClp>*yJ@Z% zMg4?j34;iYX--)iB!iH-z6pgBAf~#%hl+rLL!rh{3?h>crXE+34W8=QOxyOuk&JUz z>ZgEK4FwVW<1mm3q6UIT7YH6527E%a&F`AJd*8!ar>SPX0sjp|@;4_*yve3SJw8J&KvbCxOC|OmQw^e z{_&bF7RJjw_R-u*bsf+nTu1^DAcFV&vG4{&uRtxQY$&Z!qTiVP zC?<_5B|X@ox5Mn1<<_Mzq_rAkg-fbHgF(BaB$x_4$TAK-4f34zm-id zwZ#x9`H3Kq!tNgXLyeEy+UPM20F9^F0S{ zoeUvpyA%(OQCd=IKpMlZ`WVt9JIf~a6TeK%ODYz$0q;toer!R3r+Vhs@B6`9gs2r7 z`0Gs1t9ph$$}qRX_ zpdczF%?71KO%6h0AfVe6lX*}qy6nGB;(ei-lc!!a)~w7mvVxsy4&B~#(02j4K`hH& z2;fW+BCDgd%ILl5gLc#1X2<;?{bJqQ!c&7i6&(!(3yWcF1;{=EORLt<3h^40tk|PS zR%Zj{N3IG$yPwZOO~U0?&RLFX?rV?I%p$*V_8IC|`p`pFAYxh;Cb$GUi|6n;Kre#v z3wQmi)mgqs9G{c8Z>AWdaj#&Rx}Q_T^ZCw+WUHty=&$Euf&$ejHlVuT*|JPIG=;>*8&|cVVH13yZ z-&W?(M8M0jiV2QA@<*ROHC0aZL}LeK0J4KTx%AGpq-g#!)U3|^;J?43!h-Zu_!Pss z178xrqtwKKD%?#u3NPEkf}$)?_$nK>(~s;Whu2guP6IP4Mx)OzZ_7B%HB_f|gU%fm zruT@+we|`I>t`T@b~Ba&)L&X+V)qyQSCAnPuW9V)ph86@a;i5LhVz%q!R?sr#yE$QEr z#ucpq84`;2UcjmBK9g59VpR%aje;wDoDk3pc>4$%aXon?C%xJ-s2WAq^wyCY_?zgk!huw- zhL9P6fuoe}i5a8`hg%1|H;F3n>nomAq0L?WCpil&O! 
zifKySZG4JPQGyhP?=dSJ{(SYqp3Hqe>FeNY?CVgKQV2y>W~)XblzRLmAO=HaTP42^ zA!bDDhgkmywets(YSA~jN4#$|O$i7dRZ>de;Z(-Ai7AAp=Er0hdjh{sys!=MLwq?B z`Hut}yJ`d*!6SE%U`ILQR(ez?#j`*JX*{Q>Er7?TmTqt{m0D-bo#lucQ4=%C0;qU&&!?pMx(Wyr%u7@jy(%XKltQZn> zJj=}Hu36N%a$^>>x@}5?Ab+tt(uvl6%=n_G&;dm5Z~5Q4hfeXa+q2FKG4SYZ9?)$+ zd>c*#f(*aBwdBY5Tu7T-=~w`5@meazW;=ddW|J<8M1#?(g6))P#&U-K%QcJb?lgyk ztRQ{enh|;Z!PbRe6S51>2B-9`YTKT70GV_o+J;snaV0@kGpnfTK z4v{&Mi%KwH{}wYqy-L-fS1Y9UuU3712g+kd(la2Vp=6{e)Y*up$bXluRVX88C}YQb zd`7|0O=E*vDvX=|j~!}osqo`?PC=?{YoJ%FUs-=sfas8p`|~swU#X6E((;sX8;(a* zrzIpQl8AnJ4?!bVDAeCcz;>&Bf-{IF^${%)B$yz(gp>UwVG?(XZ!`jrsTlW7k-=cA zmrNKp^j}Y~mzDj;bCnX{o=~(B+R*6_*|KQ z1c(R|GgP6=%@@t03b7S}m-h)0@&8oZMfxL4|65#y^C0_c^9EJ9Lv~%=J4%@ zz*aqR9`n7m)0I4&a3VNu?H`c;oANKkAOHrp4T+qKEvqq&dV()Vk^v}K#DEJzzX-z)l3K2xdC{k2AF8>ML)eK4olbuBMGkMxJH0`}oTntqX z&6fzgg7KH^f4>Kij?tZi4!P9j2i2$$9Wwos@!tR?CDj;EerpoASnVrtP+=igT zae%k%#Y3a)!qiu1(o*G?&G8O@X{QTr?jM&WpZa#7Wm}0qo|gVvJ~ZnwsPMeK2i6ip zLTb+n>l5i9I6Sk90zp~ye%@cvAey1#xkK0e;>!Br8U09Ty*`GtLyg9OX3KaVwC#=OA5 zC!xdwzVcer!}^3=)fIG!V9vcYnEwjrv2fQL@2N zfO3$6Q#xW@Ze9P8j;L!^=`8aJ?>iDpv}rt^1<}ChIMD27o5qc z8Q02AbQ6|ktEos~{`JHx*xEntzx;953aTu=qZp_UfXcErzCehMtVt4sLr4#s_V zR{?2ij!FzuYucp8*1dSZ*v*d%n$t>VAW@P5&iCP%z5}g_s-XdVj z+EDtVV23dvBlRra>3{>UucP{&D&jaLW38Ka{bp!f1QEOU#40ROm77K@O+ziYe&!KTG+%U^P$^7JS&o@LQ; zA#h10@H4#30OAmFqWQVGYBO77WeTj}j-P!18WXE4`uLfJR;W0(jT2_6_ z9BBEV{+^)qeygMiJ;GStfd~l-9bf=mh~wyvU1DndRSUmhTsj6|%&jMlOZ1|If`vKJubHiTYf|5d`Pmg%r#TT}T^xaA>OOy#*?9&pqj6QDPo>Ot|H8m62x=;WQ3D4{B+1YYe zgc08?4lI^%@1bar!GC_Mi zOGq1VEetviBwLY>+Kr1bEv72svA01N^Mf9u7Tgt;#PDa3Tr}nbM=-v;0MHiK6;uz7 zV_2|F@5D7H*aC#zSBdNwtxwVmb6e+)pp?P%P^UwkDjXpbQ0#gvkP_{m9xvukSg782 z&vRN*n^(X0G_Y$VJl`36TiHY`K1_)3hzBo{81w#_qN0)nRUI=}1P6~r@lINO6;nqn zMxj8tSb{28d_oA>!y}{ckTnyF%KP7<6#+4V_}{|&f#YOFh>|2__in-yhvy#j7lsYn z^OW_kbU~M1{9cdQb(@ODzbej8D~7+!Zf$hvi@ed5jQv^sgi}MCCsx__VCd1b8BC;u z9H36NKL^-jq6~SKQ8PgC6J??!dJYYpA+ETK3|Ya^m_(jJo26n*f21&bDsnO`nkW`k z$jgYvniV5yLNdZ>{+L*8u!(i7IyJ)D8);i!OazI2EfsbX8n!CW*v(n0OaHyye65`k 
z_u)cmN^>Uh$#yct`>7J9d$0Yc(iWTrI8@GBZcP7KZBzqiZYM{Ck~^3%(EcO z0dZJe3QB(OCCMaChGJ}$d~6SpU>0@qxzhmnxQ0Nc@Q$VjSy^5F+mdj-BsggDcOd(N|YsGAxJ`Q{d`XUjw+wKO3`m zp_gNVFT=LzDjx>}XNhA1%*(?2kRa}9z%a2S!25eA;MJJo(hp^Jo~tsM;wJv};c6b0 zV%XE-#RnRZxAK<84Ie;kaBfUPCDIV2&n#a$Bsft32^Q%Wv`7T}O&y7Gg<&{T z1*w=jTRAm#ESI5Jwu@h}U2rgdFZ$450(?)C0s|-8u!{*2G--KXnsdc+>c~p?DQYiiq)sPbz7sSlnBb0Qdi3gYAo`OcVT5)#~JgBt45<`Rfn-_=+gTJ^WxGXO$%G(mx}8a^Oxgjp<2r zE%gd4OHL`XA5dizu^ujDwy-1+vErM*>04qOvt&-H5+r`T-;^-U{v6q0NctMA*Gwh! zJB5Z$G-`ueQeOw{hjQkIXwq+4w*j@dL0kzLoGu6C7eIhlDn27J@jGRwS7T%{OZGL; zzl-hb)L66a{>YV_ZBiUz$Ic{AAMi<-Xh>JXWXnUFNEUe1aolpLr^*~@@79sc?`dkq zw6;Z4K(ybhTN8H` z7si5EWuOgaR$sm2yBfz*Q}s`N`{D;wTSqnp7rf(~IA}?$6-xnSiKeMt)Nyo5bIcrsZJ5zhf$`uPGnXdCd%lTWl9k#$;P5*A6D*?fP30p+Uj$?fKArgDKXJe_869$hsyG3uOsTyK5 zw{B}(7{nj%O{QZmgwV4lrpH=%;2m514->ZSJP9DU`iU3dLV!XAvz?7eikW%Qz8#m! z;AJ5F)<702Pkk1cQtOcAEunX6U6&H4f0ET`2L>K)`!W6|Ey;uRd+BpDt)(fuc6kG> zYiglq#h*uS^>G8cQvC2NXi=VlD~zvg5^gU@A1aVGISfNX0t4V-Mazgg0I3cJijpaA zL(EcF10moR|N7Pg5`g4g zr?(E(r-7U6YZE7rRj;K0ZgAIp$ecAT#&hSFzR^jzV*2_>!NKYTB03_kqwS_TDC6?j zF5=(zP+aj5jeql469|aL{kQPCsKLRR;Gfw|wdiP)KvEq;qVwA1wO3m$bY-pprfF+& ze?8>U9-bHpEYK81U%VLI?q%vg>cVNb(d&mcr!{KNk3#&r{Zdc^wDfW9g3CV@yi@gJ&0f`HgLqTLh+7Sl(!qt*52 zgvzD(Q7|@!k}MB>crkJ2J7D1T|3WWfhx^eCCz!DeY92+r+ZYULU53+aC==7ohf0xJVzLB7UZ=TBH~@s4}P?`WK4er+lJT41ss8K2w1jrcAXy zZzlKX=Z-~$cw6?YV6ucaW_wiEsC!i_Z=?83P3+&J=BOKfHj2G}l+{|cWP{E!bzV|!2ASD;BEsV)Dc#pyCuknnNg8zRKKjYT1 zSU6y*r^_vHC!2KuGnZA(BWU^O)_c!B1eEbQ z?L^rH~kfSbRp=der!n#2tOgYQQ~YEU&$)HCE0+61HJHg~X+$2>o$3azw6QE!)R z+IW&A=Z6&VM=w%vse)alkVjh8y8wj>o4CDamHT4N#O;0X)qrCpr5H~%)O(*`>1A4?7T!Sg@>csRJ3DP^q`GFL)O^}`yY zQ0}1XK(lXFWj88M(V^1!v{tU>ulRg_KD^mX(Afzn^aZjTt>mYnJOdisEeDLG2}v}$ zzR~0$yh4fyM0-ke5xWc}45?%#DWIV>Cwx?A+P|seHTLaL$Pex4U1Y;#4DRSb3vf{1 zq^3-y&o|}Zr>0Png)b-N%6!!jh%h5`g*B(GT~A`zH17OM2xA8b#CG1x_#CscF|~>K zkw)h)wHCS_RmtE5$97A{l3|qDR5VZk1R!7Ry%YZa64LODpZhS z!H|wC1^%vv4W)`C zFk+}6s7G?!f~Wlq0UBB>JBXR##4cOlHH%x&4ae&j2z(sg0` 
zSh&M_Typuj)p^u^YlcrsX_h#v83?P)uI5&CvZ_=M^Ox6<4qL+xKQv7Nrx`2aNhe%T z!ED%Mrz0VW-^U&7%k=@WPpuluhG=N|U$1Ab7P6<`ERa=~{e*o?V&7kpLbq(n7<6^j zbti600k29Ucv`;gZdM2kOwc!E>&d~Gzcwn$PeXcMJ%p`K7)i0<)hj?_V}Z4b<+^~A zB}<2$9Ax)OcNI;;)>#Xf0yp@lNx~Og$s57kcxCOh0V$#VdeF>wkOCf$o)^`;9_EKC zI}OEcrYij(=Z&c#P3%X4A49eIqK9|X2(3zTS8Er}y?gV02a)~V&CitX;lh|eS}<-{ zLrK!fcz-uEJJryT+JK>qU-F3$*Cjc26dx9Uw#)<2G;^|>KZrpoSl~PgC`hzy zR|?lUK>NVurr22kQ1Auf8cpQCe+KCDSR)t)l!>zFlaz8MNylHJN#NsTT@<3Uuzj%7 z#B24uF}&LxaUEX-BAi-HwA-D5>j(xXddjtuQL?}u zjq^#p?&@J%JDg}jf>HT5XA$6gf8e_;pDE5a(_#zIJn)0S+`H^U-0|zj_pzj7zh2EM z&2M3i+enK3u9fym>>JhH81Z1n@WsO_vy{mEp1?x$9J=645(EK!yU}32E2k$&kVO{3 z>lELXbx&N8QRYQ~i!zpDA~iQ4;tpl~)3!xdBm_5o80b>#>cy>U8nC!!FN{Q-Kb}n8 zDiAfL^reT!-tw*@)0&Ykmo4q^Wre$6e}#!P)>*Q&lEoOiYPn@lJ%Z|Bm#h*XjE}w` z3_eJG$m-28t8Tnayvf$3qKW!10OMrio*_ad$(sL{X622pq=f$Wo_ z&aUN2t;&;xnoLr~S-xcSc5P5hRC8boQh??^8Px+D!7};;MK0abg9f`R^!eEi1KnnCvlE}rY@FZJrjMX@k?g0R&3E;$M-%}` z%3b&oF1ECV&xk?CkNXXbJsr}j${N{*U=EL*fUF7*{x@jJ!5B>JL?w}S3GS#WpRP27 z|6}d@iYuwNRKSqI&6cUc=S{2Dy35YZ#_r#$8AkCc86P(f@9PeQ)2)=dULj7u9#WBh zhyA=G-h@>Fa1B6ky%=J(=ZMTIiz&oKI!qC8p^YT|+mviLIVv4*8jAJ8{viXIsUEdi zOam|^RGwDaiebP+;8^Sx&OJ*@_T}doJ~XN4Y*bjfH%2UPB!nTSS4#y1GD3fR1_B^J zW4E4-Kk14T(F7phw8)J?&O{}EB3zmMjDDSFTM32;(#R9g_z!-f?0M7g2Y0;zTLY9- z#EO+8k3|+@qhq%E(#+Y7prO!4_F(! 
z@;qb%2b`MbCM=DTlDde9S&&3p zE7NFkAHhKY;N8E|#pn>7bw4=xk1;gLkRH;5=6y9;Fy`sRKh^j6rU6LIxtJgZl0s@= zQ@L^}@k$Jw5}P_UeA9Z;%rfo&a5#4$fg9hI0b#$Pr1CrfLik)3RXc7BLBpJWX@nHk z?${Vw@enoP?Dktu)jWn1V1_hKi%r0d13q)=`^=`~Ppc8; z4L2DXA|D1(Ge5TKBoltS-RhS%lz4c{d)U_=e}|GC+yP{pD)!8+uvxw3xA4HfQo*?x z`K7C>;#wiXTySa4GO^8^;ya1;<$KGX^az3nX38)Jv>tm8HKB&=di%v4JxXQ!HB%CtBMR+KekU0k(&WpUW+zV&Da7)>Q}6}* z(nDZhn$-Y0`z^wh!WB(jpANYAK_HXIW9bt{113tQxt{iUjZaxB(|6~;XYxcdn91S@ zX0rU{B~q>%(kMx}qyMgz4;IG_m%fOcl#iv!65PnxDggBUTcqg&5Z?}_0UuaIWxR1?+p#*fyD;NGr(IudahH?r{85KHlmgevOS0S* z2imFsfR}G^23CQqlHabRQs%bLCWWL!AFZ%%rnn3|vmxy#j4^O!{}XV7e|E?NSVHZg zUjhqO;k&KZK(#I_om;SGsxm)Oopt4(XO`sN^DZCgXzLxJz#O%0-5shNxA}%yEp(}% z-1_M`HN^En{N-Krbn(d{oN>{1uS0o%9P{a;h+wZv`Nloq%STp{x(**}o6LHpJx@Ed z{vzqr%2^mp@g0k7KT`TXFyy0p&0 zlJ%Yop8doK0-OuV3Qv$~VBX!BKEed2$-3YuDJr*TkiHu{I zuIbT2%h-zBXpf7QP>S5_M8n*&`X>N;;33s_KsRUiu{HW3c99mvgd#2W5toOI8nLvD)-svCGeS5I>FRO%_Xp`#{h(tV+1epkF1Klmx*$yy{tL!+n0Lm~MBp z7Ym-;(FdD9dmx25)B&g&_M>VXj-;$_%3GR&nSc#j5HVYA;Ed;vzF!49)`~oby7n8& z3=wT{)>gS)Nodomjb7RaaL@U#?|ScP{2{WjApDB3vh#|?MY5@*eI(b{R)AZj zlmBov*50$e)O4!JBNzZ_eJ*U46QM`r)$LNy@Jk>Zsnzx0}VZSRE?) 
z%-8X*hGLm^W><^6NF<3@7zSK+<`tf8I@tO0GE+B_O!=<;|0O&E zWa;53%#jBL|54o9lod=584^dZk5+xP8JzED?QwMe=je1%*~gXK8(|!T&DcQ!0qVt!?={x>(%)|`%E~f0?C2PnHZ3# zDJA1@UpNaY{orF)j({ErjltM@ClJJTa?~RKr2tU)k`RIEMQNii%zJtm2n$yYz=+Q%R)Q!8o(QP6k@=AYTgXjYL& zb^b5sr$}<*=KTqSot-_3BtF|4O89H#dmnw}`&o>^AK{Pvb5x5zDdQUNJQ_OQGa*=_ zZB_VdVg343itrY3BZnzwP!|s8LxL#AuEB<3#-2!u&U-uj1i!uTjl3*>99~{C&8i7q z5*+B~in0B=f}^^zjYY+e8lM-jHHa>75}=EQ#ptVa)UQ@rZVO!6<{MxX9*Rcn@_2;P z-$>TOIxUq=ml(Hjr|_Qfcd+Ki8J4CpYg<)!Ikz&Z4_uCXwzpYPGkt92Ms6tlB8QPz zc3dbX(;8Lh^OyF6>034>YL|=)Dv#;U6-9HUxa^i7-iMdOw@oJ|3x?Fes!HTSU7QO^ zr-D(Z|F3o$6^a{GM%8|F_d)k>DOA2-EQ0Ph0Teilb@90#2m*vKmN1!8Rj>AgBXn%em8B9 zi-Zz9+2K!^741AueKG@v98jdx;0m9laNODyiOA^vw6aA} zOpBtA<~?YUg${3x$A(9nP2Y|y1p#wQ$nHv-7;rC|ia1NJ9Nhrh%|&Ofj!ttzC1+Np zd)3o*Yo){6qhHbmGY}roD!)3Cet4Ep223$nLZ@s(AA+k_42xwLe7-r9d!MplQWW?z z|A?Y)wILb?S5g2XD}DIyUI`!J6<_#!p`*RG?3NSTUj?K+8QL8ZblRTCLYJLB*xRML z;h9|gR&64TP>D%KKHN2#wu6jyP=1&W7fzj$Bx*l?pp(@te441@TX1ZbrXPf!QZk{K!^$!E|4?omqimS)B-_Xse7o1N@GE@A zFc|(>*Y*h2TJ34T=Owz#LM@*6SO8d9_OYET{m8?xQYwexdRqL^QQ>wJ**V zrD+haODW7_35h~-caz!G87wdg5Iap+xGsFU1uA6flYFCe*#n(}p|#iYb9Dsx2dsw{ zO>;ae=?FC(45>`lMu`QU##Jd%o#F%1TJVohCki`!S#gmB;sgPm{LB=%*U}JFf4xm4 z81N-sKxGU$E)r#5)i1JeS_6pHYKbWmZ>5-ocgi5aaMDl7+ua^G0p+uAkY0{-8r<_& zRK$W7Mlinq6cYxTnxxA6IbS1%c54D<%WqH2+^2gE_;Ibf@q?PIX_ubs zdmZ|oP!ad0xUclhEc?jyWq!*x}uX^v2i`Q5j062d-Ium%Hk6#-#aM1)cor z;+TrK?am_M4%<#H(lUO*LxR$4?fcQTrYzCG*0<5VyIg(tq(kH|*!8s>bBGSE^Y9(@ z4WD}IZ*A>x05oE6%a6B^>)Tz90%ANfbn@Z^e0zcqslG6A&0 z-RHx_F0`RREjgRuq_y#%hW}ka63hw|zoAi_OjAu=P_Fx!D;x`fTqU5otp1Ru{Smia zJhVO?)JNNF898}e(`q__PLF!DF`(CTKyt5lH~;na&5a$;BFEGHCHP6cK8!cPqE7Wq6y!)TB1>V{59Z~!YO!r>AjLZ!{9fp@&4t!K{ zKqzwq+xSaisRh&-cfVZJtIHxW&cM_LI<`{zq5G|rh6tyd!TcL0Y6JMM<21(aaQxow z79VOQb0NnlAQz}(Z2mGfT+xBN0wMgXEtK{vx6Xyjnl!Bz}z;97ZjPAPb zPMi2B6F;urmtEZMqoJjpzIrC-_C4nk6<(6M!tAt9_b=9o%w&(;G%&p>k zQNDQ8GZp?JRuYC{8*maJWEnU!l?~p^^o963B7L;X?rWWn#c}q#{`t8ph-V|!0 zni%YPDuqgG3(dw4Y;Qwj1WhAv=W~;})MNtIEzf{dMU2$(Xl@e=1z9jNxVYC{zhoW%qZJ-1ERD4> 
zgurPHlTXq>!dL?pB#&&y5q=pEw$WunVTxn!&2F|(46Jrd{g<3>W(<{bGBJw z3fmpB@m-G5bd$_=-xupYQ>pMB7_4~Py=9D6Lu0ZO%65Yot^sPbZVX{Cb2mBg^to>N7quubG- zN$D9hWAm|cK4JGXwqvBBypq^YI+t1c(HK7bdmbuq4*vai6kHpmgnbPcxt z?Nk#tug~R@=+cm$^%Nc-*7oWV$zePvr3&O)tV08^eakXL$sPPFa#Yl47afMr}iH_nY~H677nJOUNPob1%kqO>?rrX+aSkp* z-iND_42x1@^(akecS!5X72zmM?5~61F{64+mNF83T;i^Yb1L}xW6cXZGtSJ?_0=R6 z&_Tz9@a1{rc7@Y&`4j8i=-p9drepNXQH%fH&@9QabXpv@KTd4Yn_nL`#Mv+ko8*O< zrJHJqpsRcvLmJ&t{S&xqyTK$1{A64C_HA5$J6)6Bf*WxD3Pgi_3P9e|>Jn>oVo9*2 zLsDVQA9>43gVoY@+V(i|0Ef=&0?CiL9NaXVfoeh?YL|43_UR@j`yFDJE<$p$P#z?T zf!j2>D`ww?BaOpRw!nI+EWykOcTKH*!B2ZmM|iaSz{#aZ&t+gn1RN4eTa=O!F9QYJ zrTtnB33V~f*0%vn&IrQYJZ_ANE<;zE+Hcu!P|EAZqTqgI$c(ZhthI;1g`KU6=;7aX zHrPHsn9X$pRJ}C#zFXJlv^%j^&m7)6^2Jp@fKs>hFLpgnba^=oOWM(|&`v38w%aKs zyg^89yG3LD#$ZmthxuPt*YNM|(k#`U8rosm$BaEKqT-2@@&(|L1cD(Xjb_&vGefZ*H0be*Hh9t~oBx_ieAWT3lSVZQHi3Wpgbr*RpLb zEaS%?&$=W*cf&wPlyiFLvMj~n0P=gAlQWoW&Q&Uve(cle2 z3viJ7iGHcOCT|qWFi#qpROA+4Sif~B9n%B|M|?|-No9Gl{kF>R363=gcaW*}4=xy< z%k4tN5}udB$`ik-b@JNM4VA5U-CnXAEEF{-=xbNJ3mB=Z!(3SUV7nE@>)kXv75)9i zA=~28<++E=CbC>n|UooxItg=B0GX-Zm6bmLcy{D&t!bac$zH}7(vhQh6& zqhVt0H5=@aMGzS6^^q?K`pL@WI8CbI?X&-?j`rC3MWt%fJ^Lclrf3cDpCDarKg@-w z{#r$&auR32(ae{8x;Z8MUzBwh1fS3x<5OdFlih`^HAacDj4T2N#qHvG)}~& zF2kM$viNjmmS}in#zBC`*RtwwFLbCXy0WkJow4pFw4RP`=O2@6SEP35xDf%jG)?|L zU)vxxL(Ng4UTV#Ui;YQjgWqoe{pIxqvz8_yatzR3OnEg)v&>y?vu+=d9qH&wMgAf_ zw2s=rSgdLjplqtwB%xeTEkzXcP2a3&7863(W+!t?T|huD=&nz1j6E=;c0d{Oo9lnu z$*Uc-RhCVGT>r=l*LyTS<53ga;Bd@~yC!0S<>@M24wvGu|9X9X_PL=qYsfCTlo@?q zAa|nm`z|I-xv#UC1%a*(_`xQY#C*1IzG13~f>{?mVEB;RO-d(5*NOHbhg3xXB&Ie|Y8qzKAM&PmRX({+`#RK4IFbGDY~(6plhIKu^=K(LIf*dHWw zOLG;H&85K5?Kr|KmD2=D(FlqV6be5PghLnT$vE?I*L`XDimM(RQ{)f>C|~ z#w#n|v!tg4+gtt6?-8D~=J5xn4}pb;VH=$u;RqdT51O$YVa->_q91Thz_~a;RCi(gaLPa+J7vVW(T=((_0RQZ%O!sH_ zaOgi?98R8SM2AT=m$5X8V5F4zA|ouZ)o5ywDH1BZUMueDy-FOPbqlrA-|CljvtC)m zN`{bx_sn&=c`M_ArnsoC{y$-~TnJ!3K8(CA20Bsi}yTCGkbPwx-Uy8-4Jw z&;6Q5iO>Igw)K!d6y1*ysp%|Z*tql&x(dr@+`wS!ScUynVc88!tM1Q|t2Cmqpuh0w 
z#B5`tN~XkdY2pET41MK256J?^IEg*ChOE&{Y}3u$|2+Iwq6Ze;e~_F8ewOUJr_)$c zjliPMcTOX_BM9j5I9tQglvYn_UKx7GJaBL#P)IBDG-cNf+C2Mye~3;+hl!Ne73Pxj zH+w#p=bf7#n9Jnp7ve<+OFQ!Tll0#z?-qO_wN(+29R0x76^}GMG=MEtG z_%CbCd1>&*GiMQY&3hHd zKN`Fj=~$e(WWkz&V05ovFTNZc=RN@05!Aau<^TJxCUtqxxoNQ>j}H9Sh9$;$cF>@s zzHwg+i+?=|rnPT)b7rWp7yX_sxk*SU=>Km~Vr<0A8h+bliLvF0E^|~8tG$NjiitMm zVV3S6g*O{aHYYx3+8LrXb2Q!SSc_L~Cin-hm{E1cH%F&xlEvhset%+XUiCq2qEGX| zDLDeR1J-^}-n|mV*$1?rjaEGT$X;{B4;xE_S4yS{`_dnkEzjVr+P|rcqL7&%I~YQwtSIn7dM9> zF3lb4!psz!0Wn*o79;ZMk?^A?Q|Tn(Xixl_8a-|O??sGHHZ0NqnJAaHE(~NM^gkxL zDj_n0L}7I?oJrpQF&C_q-xGp`_(YG0wE5b(CRv*jQ!?G&sy@gO`kotY|=G;#?{i=bTg;WO<|D~h4FV$vi&*B6o`ZWtbk={V&vz7>+JcV8`UeVw)jxk_ zKFcY_Eet~7pUBu3v|tsdEl{v6!bB`wrE`ctfmwky&(z(-BDYKI8)SLV>MxL%J9S}CGg_?OXK@-~XBfWU zd9)d|R;^HrN+GP^P|fC^9v_;KWJi@2{55GZq`I_Q&5V+zk!}d0x-@*w@n02WnNXH?qc2MYRY6}!IN^$1usG)uOpcN0 zPxH(!n)j#=^Y;1hRsL(V;l=qSzv<}4u!K_ceRkR^s_XFZxJANal5-{eqiZ*e+4*{l6zQ;f=*J`^+nEEz% zkLK)Vt+!8ag8zeF##*7Wiy%3c=?|^crw{sj_PwipnAwSEXO(pNirV~>yAAB83qjuA zI}7#CTD2Ss2KAJNlXhhuUjbHpr`75{;N!{MeNn2{03-;K*PDk37c*!^xL2i_OV*u4 z52SVUGkJm}LR1Q$7+m&E#nX09Q6((0>eu3Hl|iaL6Ky;if8?_{!8Sw=g#npyH)Ov4 z8!o5e#r0r{PKUCM8RDAHk0~K`Wd(N%@~m*hcX&*YTA8wSD7=FP@lU2XZ7}49gVO?m zOyA;R`FB-z%e->o{b{IEY8Db@@#wy>Kk=+;@C)y56@^E%sY?gs7)!ETH{MtgSBj~L zatyhXVCkQ0P!o#&ZmIG<5Q|J&eon=Fb>C(VJ6t zFmJE1F3OeCZmY8vQIVwZEU-jsHmTQ}w9y)ZSyMtB`8qzktC_g_(hsDISg+#Y!Buvk zLis9-_fvs;6>X?Za*k)xUHR!WP4uJkqFEz(cBPD~C5 zhM->zT1%tdN7UiRsrMHl8EuhFgMOTN3?fG@4{x^@F;O1`;m=$&Jwv}z@buMFEhU4M zWcowB&Q^XorDw0^;7bVIdNn@qQL(rzx6b}C!HVJ!lpk!H?j>iUBybjy2GeQ$(`*6zbC+O$-uPdq z>^U)Q^*~=X&jQL*1Q}i zxGw&D#$U!C176O3ZFV3x+r#D9(F^+E4owLv-G`Hf(5!sMP~3hp+ss|UJP4gC;2;=! 
z*qalH9rr^;pV866Kx|*&Q&3LQA#WPKaIgJ1Rdv{nt4#;gzR*ea6T;K$Wt>Dgt<|0P zRitoOXI<8d&M`UHt&pHHE#$oS1Kms1mCha|kl?~V{&QU*7e#2Y!lEm_2^ zup(f0Yf=7R(PiX4E_&@+lm``E8dEJ&maR(f`7$*!LiuuqFbFmdUl*7kw))2=NX6lN zzm106dv96omF+~JG-SHCZBSefg5uiG1S?2yc{n_3az(tW7uen1{IXG>#N8Y#NOVT&vx;NMBT&Fj ztg{>{bo)NlObh^+<ZgK>?0HscSz#)|rek@qfyQH^wub=3*nYKxNzv8W{&aETEYt zXTJk1{%iG86yO0|7L1z1=c05^`*fL4-p?h#*kZr)6-Z9A2cKI$gubbRd-S1dI2^rxc#p4+ z@i#^^Da#qI%qZbNF+$zT`n^pMJo!G{C)H322SEkG4J$g|o+vhe?aPSVC6NFdw+?v7 zn@!4Ui@-oO0XGNPBmpakPk?naipF1Oaok;-b%enB`eb8kv;)`rbYKz2cgstGWW+~@ z){g(BHh^2?q})3u z-K^eif?G+AWdnXZL^*Mf3aS&Np*BS%*TjdUcy(UdS<&lTSp5Hj$&)uC>$MAu9~4aC z;|y1uXcnGu$0v8Ut0x+o^0S>>@t*8o8kQ%^${wQ-wj#f|Z*?X({0)&lf9kC#%^?m@ zhfK=+AEpH z{;-b}HSrM!nKh=(jOD_RYq&wKhiB=G1!HiWV)Z2)e9EltQ{m3A3;xi32s)l2VO^6U ze;m7@Wv0hVkoZ@OcJ*8s6va_1r}MZwKHK(J=bPnnI8O6(p0k)}BegxbZ%ad@4+H2Q z^btxDVMTWg`pw*==yQa)zngD+BV)oqIQPYd^}ss2zI%Hh3%u7|OWvbcdmZLlJ)IzM zdNnu9=9dlN3Ci&bPHWOEw>XA0b-7gUDxyWQY?19oTiS(qz`V2tdHVZI(e|sR|2Fj0 z4WRcti+tsLzN8RYDCWcTeC#`SpN9`i!Z*)m(cAI2c+7^FU!MT9)dc znH*%_3?0H9+F;R4Fx)3|!=tLUPBz4r_v@BY%laEDO5jnac3)G%)+ift)qJ#Fa22&a zLoZbdE-Qz)5SHc%s*r+}Q~hn0YN&Knkw=sgJ^)HcI#fx01yyrTI-zw29mtuaB-1au z^)xtU9Kg|Sx3AO!OQrtJTlHFnv=g>e3N-IZs<@KvSXInEZ}FU!dEaZ9KG5&~RB(ViWuv!?O_Xvm8n1*5Y%q73oBtS;^L6>^Win671p) z$9RK89MX;*3NSixXgEhymnzxy#mJ6c+?B`1QaY z3Q$j$oNBl)s?6L*X#>UoO#a^1OB`6F4ivMN4GSKr;A8M|M z!OHQW?VlwKCZc{0+q`$R>bY%=R_MQ!NG=jo;6T#(bs!6RF#AnjQa(Ho_d}nH!T<>d zQe@8qq{>XHNW-r#G#ey!C>Hv%X}5auPYkS0#opf@FM;KC_V##_gPyOr(c~fQ%)0-H8R zhs;INZ-#YYplA`}{}q>Mu`n*X)U7nrn?TBBnJRRsfSq3!_1G#upxI$vEp0 z_1ZV&A7cK4hun6nngTOgV7^Xi!tc<-5&ZW@d%~aYMncnbiha~Rghv}M>e}`RCYl~v z{7MBmNMXkZGD|b+_GOIq9WIQ2QOepEXym8agfYF(A4O|FD{G*z@^jeheNytWXb7^9 zazCL%dXuJr7odBl2BN%4@Qt)sPb#l`pf77;1d$fn!a5Wdc#k5x&lGS~$n~r5X!j#N z&HpDZVB(esLz^BLzSluOS$9wF$PQMVzxiN`(5QJwm!pRkGZ7(7p9`jgcR2d~&l~?! 
z32XKb3_)(}{^Le8kV>eD5%f$#KksutQ6VqfD>iQ;ag^Ob7T<%$>RixN6BKd!J-!#O z?O;OB9$JP${k{KKtHOke2V?llB^#xV0dv6Ee17=>v<^BlzY$mtjcW+DY2$Gtsx9pG zTnMc7zr;ANOpfDepq zV1hlMM{AC;XpR#1CTUZ|BcBnon6~kHq<4qyGhzB`U$pRHV?RwMOptxY{Tz_S5V`c@ znuf{kc_lsRe?UjvwTo;LZsP{2WF=s)6XCp-9rI2@`2du*N~nI20@n#r;2_e1RtC3S zU*;cL4C??XM+qB<7i^kpS~Ir;orkJ}L~W!s-XWCquJUDNqMEr@QxL(_xXBEEArw0A zFN6lj=Cw}*EM1K3oWz_plvz0ajQS0xrD1-o!JF6@3BuK`c)#x*ffQ?@IaD+*m`D~s zq6;)Q9@dpYfG+SH_sxoF%~sKrqL2>(zzu~b#em=n_b1L6RF zk;PkIeOyK_=<982uNX^EW3&mzW*7EWF!}9n%gi&?N$;5(+K(`&F3rt!MD)D?00%is zsM99LWimD*+7jD2WxnQipg0UY0;SVYhupQSqp(i8{~KKxDIy<(mR-4T>+qB*_#(6G zq*~MoyZZ%eEd{}*jK2g|75diWq@^T*kQTz~hC)kVJwi)JCj|7FBe7ahZH&U=!5N%JeJ_{X-phc&BSODIALVB$fVz25yjg0QZYA~aNqo5tj`O2 zexkuM)C;qaX)(#LWwK3XOa7)n{u-E{dvW7??CuU0+4^Yi04zyisBZ_I8%Nue!r9uh zS(w}{ahWKfMP-@Yw6Bv3DRmL@*XlP6Jyqr>klYo0GUz9Y-OUjenwM^6$PPt0AcZ6> zpZk|@X!FXz0J6}Ll_6vEAk0L6zov!pt7BH`N$k{v=OyjuhDyxY+zSjIRGo)Vn8LZz z<^}|W3RPTYMR36Pksomc0xCM6Ar`3^)g;MAJto zPpUI{Hp8FUi^gT;EdgXhSN;q!i#jW)O|_s!q1eT6vZ$vbg_G>8yhGO>zGL>!B0VCy z`VQm@aX}}NW*7~x(YWeuyKClkJNkxlRk5pUt_Z)rsQTLvBj|FEZ-&@^-SL*`GeUl} z9TbrEs+NNB?v-j-^u=}|*s8|yeP5t&Xf#Td4Vwm2u zBr0k=WOTNGg^(pJqMrS-6}#Ec!CCvLbiM5d+au&J5Pm7%5lgbimzsr=g%(aCmx;J5 z!ZPl+5Q(fUPX`cydt;0-(((josg{T-gS|7Slg?~R6$0{9K@PeV5{k`?BbkNvw0qSj#DL!#5X!lRRNRxrMquVd_^ z7c2q#=9c_$g$Os~<>vNrvrHGQ>+f9+t@O0~2^HrQ#89-Xci%C7=-if5A77oMAs|GP zA#BdkQup!_z8d((Rx^F{Yev=YoHZ?^@9Yt9`fRa3g$9#4B=D`E5OF>{5OP%GL_}2M z8+49d&$uU}i{vIJ1T-M&uqxgSZ`N!k7-0Hujz|*n%xI}Y#3|4{GX#?&1iPR2p?erk z$lKbhg`wGs`*9T$AT7$1(b?y_U=;4^ZxX`3k%PIzJ%GzwH zonYbsy~&GCtf%9(_hD+jP<`~FZ;cRROSfE~g5h3Rk7b>nPNQ)xFN4=z%=I6$KIOOH zfBZC+QcxTem(@4o`@}Q1J8^x zI@R*NRWp^uw)>kP_DKL*#Fpp1-t0upI@wxr<3`me3Pp<@O=ZoB#olO&fssDOqCCYWK z+iaZyNDK^Ms{U0+0|=w_0HQ(gFeF37uwt0NOkUnlX4^9`CI{rC>5Hk?@C z!FFKzJ(7aQw`c5=w87R2HDnKO!bGn=1Ew6HEaD>#*YC=cVmP35Hk;j~%-27X3`}*5 zS-*&rxRLiHM7|j|q}xNPe`m||?{}+h z6sWpLu|s;`^uJ9Lx25xDS(d;u&WioOS&~YQ6-)RojNBiBTgFJo(VBOasJ?^C2E||~ zIeKQp(fJ;JR+Wsp$-jnt%-kjhZGdzLASlql#*r-~3%sbZ3`^rx+V@wVQ`62}tzE21 
zfU=fNWzXPndLy#K;Jju|!2Oz{E* zmoFhoK7eo9k=TmHlT4Hpd>7GoS%t;UnC5x7YZox&43)wEv7j7x50g~!NSHhf^hxRC zJCb40KCbt2MVh&0@;W9z{#Om*e={Ez%MkmEO^;+2V#*x3^}^I1Szx(Z9`qE;NlY|7 zyvwDZd6f51Oo69xRyN7y#Q}(nPWUd*@6=Os5}4C-pIl7qJ02xdH}m}XvPU_25AOF+Y#q`+>TzZR}3vWYxh<&D%6Z=#06=Y|C+3}MpO;*KLsFWkKM;*$v|wSQY^M;gCY z0mKxmWTfnw{;;di@Xg$V+v=%OOf(?1S>rs{I zF{4hKj8kMA=XLIpYdXr+U}_oNZSY}LA%yv9!qQBn`jz4C=Kwi-m&${@d&nt|D^DhM zjPP>MjEX(|VEu`8FmNyfIvdm6>*GEs2w|OUZ~9FzIEG>u*&cEm3dP9rBhkT$y)k68 z6%K830;#^1&mVKUY}sQh@qGey64nSa}#X!G~<-(wq~N+^VS@Iv*Fa{HkO$FS2{lG z%;Id6><(mG*86ukSdYPaZmsuYVY4LCxkzA%@yUXx?G(4&83dH3{<9$GmC9&L@n%*E zj_Hq-KNiH1*%Bi>x;*nhM}COG&3-;=Al0cD^mrsDN7X@c2ItDw1OCR=yyoH`GX0&4 z5b*V4`m?*XuHN?44+k&$_l(9mG&Trs@AP}(Z4w}?Qr5VgDfsunlTpYsq zU1?TtaUID0HQU46`8$0G&vA`6k*yODnb4dfY+T`ERlt)(SG%=0%xvuD?aE%x7P@~B z_iamuB&_0!A2R=lAR_7x2|d$E#5arN2X{e*04u=1>45IqTb{IrZ?J$QZkL&{P3v3H z{Fr!LB76NUhkVNINkz|VaDs^ge1bKJ>i#_PHOQ5Sv4JbBS&9y+LMP07>t3|>L!!0!;8?e?+7~QS|nQsgDG)qxx{sU(ErLYfdW|$$;L||hvDSX@fTO6Fqlgu zBFl>lfC@N`qp*Uvg@jCPaV517T4wT3!$=3OL#KDuErC!;XyT9-4j2J)NRLS8*ZNdN2Mq5=(;>%+)7>hT^917){l7JSPf;u%h64(ctP)qoV0QU0 z18$ec3sJ#O!17J97ahrjx#p;6>_@hd+=o2>1Q&FHSqoOGtS_R>^#$#WG0;Vc9nd$k z*GHJpfSycXf*vKSw%nMIq)cssc$JUR^NFo1Wux zY?dG7Eazx3QOr?_hI{f7A0izMT+D#kdh8yWTWckTHPW^{bdt!afDaBa9jfvp)~yfZ zU4gUz$_bxG*P(fRt^^-g*vW>uJs*-k!*UBFip z>L!}~-O#owG+E_hl2BOsfW}7=8q$c{wHB+gtsIqvPl9{GK%aAcmaRy^G|M5cMjs|B zte%ipZ@{&Q1m?@u33kqKqsO;LgJ*=WSD(>Y4hoEWouVfu7k^SGzt=&foZ#HxqtIC> z{EbE1Y4q=xlRB#GO+P`T*xfH^(x(ZrpOk9w+H>R{td{eHFtF;HW_~ zZXc%qy(8s03fNIuf9eW?M%)i7-NMA(A^0ae@niQAc8~_FMzco*{Dspk`$5dBRBUG@ zEPe>v5>p_tU239WMLUEtFzTz*Zi&NfskpOnRXxc{??tE9>}Q-d0`yz3g+%^adQVvf zqfX5Y!aVHjK4%YieO~rWBirfu?@n7fjQ>s1aZ5U+k#$)D!a^{Vr)nOl=`p=X|0_Y? 
z^|G);oE7#%y*9_EK_+jZTir>)GAKzjAxK@BX@V(gWMZB1h_~4RN{jX)O@WP|*)>|_ zW-hVFk)FApS2^Wk+$nI!RKG8h)U;dqx$18USG%kC8>PWZR$pc?F*MTf)l z4DO_MjrJ#*vGFyVMIU+yGl||>WJimFxWpaT+sfQayo=>ge*^)No4qT2@srLWoD6FG z+l2|*E^7eP(iQ2(2%EZh#GfKqJaU740o44c8gSf${o33781_i}%0Iev+5RFmSmE)~ zZb|r*WkmVpQ$!27I`XJSw@<&?TndGe6o5b&LDG^uYBNMWnMbRvmz*`+0wD4Wkk zy3AKtc2;Wkhb8h64yZ|W32{L)ee$CRg+s>JIK8JC-~1lkCm?|39(y?@n-O(0zKGet z=hg(R^fOz1iyCV=I~vyAB(@J>D;Ec>_<`=$F}-=kPJx9mpW4I0KBl#i$NO(JGTA#T zf?AnvgXw+Dz+4U|MT*JUE4leYyF%jH#FLre?3`x8{G4VQXHUrMlspC^@1f^WmO?(s z*bZ18`Xa-UD1tr!6V6*tGpQ?&i8rnmlxE5>wIX5yuvn(B(F*BZ6ai)yCErr+s(dW@ z9J=+7+mAB{ZO{U z2E$-)(F^(xTy-~L`d#1)`vqc`sLf?{gR=S@jJ`X%WYYK{Vcgx@&Xp=%2vI-ha?>qr@byBMw-$xL;GWf_VOT-r_4xBU?SskSG+ zEiOz<8-n>qv;9YnlSOy~{gSZb3y1jxXzT53Z!VokXYviTrsj!0p*lN}I#|PurNfr^ zkDks?DcpOWhyy>bP9G099xhkbHY#ZDrezr|cz^_K#<(0TXBh*o5{Mpn z=V3GC@otz7mqZu5ELZZ3JUv{{K^|%6 zG(V#*aR&%roB>-AtZh6`bj?|(Xm>c;pX~CvMfzi(6z06hL;SfZj?@=Dy6dBOZ$-R$ zPmCM1BTfoodvR4|lP~89Gr==^4W7O!n5Lxle*X^-E@Cy|hPaLMuf+!wP31lNd{NF# zM*PU>dV+caN201ng6pLsaS{3LnUNpCh$RnyD<1X=hLF(peA|5gPq|3c+Z5vAcIX5Z zEKM>pI*fiw>53(oyt4plf zT4Sq|C0@~bi?W&KD0ER^%Bv;)b_O692#SiC-LAUMvKuktDdSOz@P zUER(@C*$C&zoq1sz+3ND)jg1^+j|h*wfhsE3+3S(t{aEE{{l_jbrRz1Ysv|1CIljO z^}Fi$--4-3n~Rcip8Qq!Iipb$sJ(5#y+{^;M%0ZDqO z=DR|NBJLK$jh&Y&2=?u1U(tY=NpR`gCT!Rt-IK+4)B&paz%SZ!8L#pw8CbuDzanG} z9TyNIl((_-0&>KpdDQ)*=xqKVKBKU|ysAgy65S{FCGUaY@c^H#l<+JzOqJS^TLt+V zo6K@UcI%|1o_EE>?v)}ppF3r_#-xtsylWiu$qcktxTN%+N#beaBUzhzf=_y@P)oP| zQk%yPph;!AJ%#f;-rOarVb-`q*09ii_^P0tYv$rPZ9Z{V^w=rlBsG<|D6D=wp5voU z$I*5j#?_t`Hw4@0!QjqPC});=Mwn-rP**xNwKWp|oHUPUCjUgy^`ZyL&? 
zZDl>wz@?@w-{T>DSg~n;6n>Cge-`>3#EEp$!*TFmA%w?f;+Bqwmezcga1Rhd#cVa+5j$Z zD2wvhl<{iRp-3?W&4~zDH1u>sUQ{05+fHp zqVE>PwiiLtU_X~98^o^JMMU{wuj}A4{l!|W_18Ks2UYrFU&^hq5_^n zOhU}T9v3NDyPsT``l+vOqJYtFomkBCt@FU3HEy*9WZtv<3}ITIm*Pv8z6rT~nb~rN z%*x$~oO*jrbGlHNq?ZY=fDt6|g<%4$V;Xlzg?hVHLsTs@OTGUWx9*!8(FR4``PkzWRd zo+xySadSydCYHuo@`w~q)`s55x5$iACnoF-1~f{F24qdC9sf{a%Uq&)7F$Aa@Tc%L zSqt@Y19eKLSt`}=bA1l1Gjv1pVD`DkLW?!2%opE=rU!6mX;=A#f#PWRi`)kg9+lX4CW-9->#aO>@k!Uxc?GwwTvF+gc7yP zG6JKuPSU^ez%>^Q%bEiJj0fH$mu{X#E`dgnC&FL`Y@UPSTPIm-$n#ZPXa>|3rmWR8QNBrok%n#@XseIIN z8RH3uxzgGc<|P@goDlu`T|OP6O`(GM*q;rLYFLORqm?(C!HA3Z$O1&G(u!yrz_B@Z z)`@iA09}NcH^!DpJKrj`Q-T>qw5ibHbjhz~MO6?x%6#$X7rts++e-w5Q!F4-txLMZ zg&rr|+$xsUVtfcp1Hav!9onH7=nw-=Nh+VCxKS^gYNT%~XJ2H@KQ@YAQwBnp14ZAonGZA5*JL#= zt%aE3A6OLUt*~x~D>=WS%l?wX8XsJ*ck7EQsiN)fUa zMvGQxl-MK%ZHWVz9AXfs7H4oN2$L6_^j4!x4>TW=5c@URW}D;mxby}V&sgx(L~zj= zc8gLPgaDmW;)qWp_Q=16}(z)h}n-0SCA@8 zM96KuXFodWIZ19ig$|K@B%S;nQbwnGe83V3-MwfVW!Lj;d*ZEAxxr;ETjWz~wcjDc(0 zu^)+=u4(;Sww@`4#fqG$+?h9EEz4TB$djg5B?Uk&3G20vVZUQn@xKn6n*+vbv0ijAZ(*V~Z76$OOBdtK~ zqE-*mAMBZ`{w;!~;;S7SiCG3~H&!h!^zO7F#vVrWZpplPoKQvTjc~gN?%(_tnoSr} zXkk`f&d#_z&7N9dy?g_wJ?GG$R>V(!4vnyIc$FTCvJZvsmJ=WyJp5AD2s3iZE!TR@ z<9Q_s0uozw8PjNYs517Ti|xaFrrSkF4hU1Uot<9E~ld) z4#u+h#cmTy7NeldOXCiiqXt7Gul4VAzCn6OlKaKFaXrrhOZO77Mowld8I?bX3uG^W zk*D!@{KUI!#vka;S-b_;Khx>zQ%(O>&(t;n)9lgzxu&o;*=WznrRJ~tY$*(|RTJdG zX4*GJVIRmK8Vfl_#XF~5+d<(s4VbE}ELNW2nNd%WvtOZkGixQ`8sCBG#@eOz00+3O z@O(?-SWx(ucbN!0kF=^f=%#1`r9I{xH1T@IkxT9uINQe=}OR050aWqd?uTbrFv}_+mk&V%*su zm#}jr*SZL6v00Wo(DR{=dC~k@;*>(@L07&Lz2)(V!BEi<84afsB{de)@#*u~j!&|usuTAOwjx8h4@IjZ3LDi9RT}$( zaOq|yKaDj7m46+Pk_=ayOj4R_GrKj5)JH9W``Rk9=8FQ~SFFSxSpUwJp>sUkrsPlB z(L_e%zx^Uah|9Hs2U8cu04sFd+m@3t;>FCi{IWHz7nvWjaY+HDicM`!McQIaY2-pq+}_n~ zMx@heJs~V!;x|S`g@Yg;V47mdp{9<_>zfU;kL3J9!gmXX!w&;>i3|y2j=jo2?1oIL zhf%0mF5jVoVg>y{RbcDCquKZ{Gqa{Rojv;bdS1WK3dc#(deqJtyOIn&5N1`d-dvmo-3)Z7znIziLy0o z4|YpGW5P?8Tm3b_qldd!g7FcPa6dC*XU&S>GmDPg{aKBb!sk0_$fMds$`9rGz$S~E 
zioE2n$1HSqbq!pq8CJR_V;AO~roX>w>EaWlbL%-Bd0#ks zSZ2*J(7x24iZ}BjyFrD~gKooOoa~gn)}*L-3dQAvHx5q$yZk+W=Cbn^0UAD8TBkn` zGi++cA?6qM=j+Wk*_{u{!;?XM#tIY#e947C*2qV@9dH$XOP%^q1k)0U^8#9~eQW$@ z1c>L~eR$qERp@8O`|!A`(UAnQ9gzjT<5AuuKZKzcI58!OqGG$Gm6vXQ&`i$XsiRo^ zdFp?+ChRMYPwY`ifZSxbKP{5q=a8qDq^lrddDnQ*usbTNu6Z)B+FQEVhPPO%;yp30 zp$S9@5QoLldMs0FFuLQh67NldNo{&;&%e8PT{wx7q7#oMyVxT$M6LE)SboaUlaez( z>bWw6AxOQv1*#KAB-Z_OGAZ@jK~aw6Q(YDV;ur(i}~BM&+5G_FtlmK!G>qb43zZb!Fufh9G20ThL98brn+ zhZGTODWPy?C6s?WA+h&>5s*mV;~biJ;EXeW2F)HWupFYo%{!TcH3rHXj;F9lTq&(PygF+Nz{}t?(D>xzKdB-&}5+{w*`2WcYf6s z36|3P^LzWIQhK1@18utj3X@jg=I7z~Z?leUvPi>bh0Kw7o0F476wC4?irAPT+w6g{ zRwX(r3{wAhhCL{L>x!ge%zCiY0g`z~rwWR8C%NyMi2CCDY(`0cdmBm2Avzc$M{+=3NK&G)t`E#%vnxsz_qWE9 zu!L+`joKR{H~z)TTF9&&VUfN8W0mo9h$TY%YLl?l9Et+wI?*reMaIsgI=*p;|L;O! z9jea#-ue)KfA&*e48Dn;K^(^|^L~9oOiv!fIWoOGGnQydlm<-slkgi+PMlJH;jBsU z>BB6qj1L{+p9VDWB3w9ceIlhQF`Kgt_2|krEPu~)uRMFCsjhOpwYlL1?5Y?2PT=v* z+yDBjim$MHML+zSBKpM{`R%k|A~EkTnBQCWxH$)tvWeX4vLSzklSJTVVi@oV$A64I zOliokmVlEMc~d+`IF<%VG6vwV*%La7FyKDi>*D=JiUu4#xcJTL$HqCjKPPf4?wMhc zhnJly!Jwl&i7k@pLc@Bf{T3to0+iA;aLT4M)~>qY0;}THsW;PV8NAsYy7_M>*3AS_ z4sL!8ufIs-efVRHtppR=o#(uaaBQKW)RZ5WU~0c;e#J{E+1w%?U5xO5*E9^=xFd6# z)r*XQez~4qk;u#&sMq(YA@M?Ux2N+H8&5^&7w^kyn8S%geX^(7!cqcoPaG(Fj6vgJcrc-hs?rU7L9)j^huWMX9H)DaW>7) z81inDuy#(|deVd_A@)_{y>@%Vqg9a z>2J>(iil3Y1$Z~f2!-fR;(&{N0T;VK<{i^%Lu}UFacv>sKQTu1oRH@ai}=>>BO%>< z2pO{m%XJ8%4zbUDH_7se)7+_V8XKk@lchCoP+`{+a`JEbDZF1+us6y4qOdzTAXm+B z6}l%9e)s88vWq7xKrwScPGYN4pv6Te<==H9a0NvpPNvkC;UK7`KuK`hZRq0-x|!Oc zsAgy@um}FWYPhYRdw(Qh;&iAWrYee}cp3stBF)n4-|!=3!Pmsz`rIY+W8^>M>ey zbNW0Bhmo@9-;`M2!eE|8tEY1>I>$Rn0z7cKM3(1R84(V3n$W+IE)pV1+kQ%bi-Z*)RF37P$pvh1;>hFe?aFmBlEjZ=0$GYGPkB$eX=BewQXqilDQ$R!DiQ__DS>HzQ z5%Y;IITLXo%((&!{&(RA*|nQ#<(K79TcKhxvF%QgwJdq`J*t1aXqqk`%YFmb5tIOT zO%MTK$pFPP8BaXX2$C1j7Yna@8(Q@de80?osY_SIm{nLmdf!0JY-47O8!5@?SwKKa| z17Y*#(J2!GD(91QND^nmA;aqT;s)yg0HP>wB0voMZ;Ooi85Gj`vY*f_jHWLM51ZY7E$5;Mm_pa*Er!!08<=yq=@(fOXdVx+K=&K!WNPjxVU}w&6UTK$ZT(qf!pG3!Of( 
zJ7#NXrXFMcOyRL_Te1ZPo<|C~kdr_nzYfI))MHS-qDW35qtTB4yPAOcc%zou{FDMr z7}&=Ob>GY)sq!grZUKYZa=ET(d00*}cL4{aI$Qf@Ym@s`Tkp?CN0u0i_E@SRZWQ*3 z>3`ThvvxZ5w=09ra#bQ8Ypuy~+wlXsRw!HB$YS%U0e$9qh3)0Fs#Z*A7WTx z9O5rJY;)d;FU7l0zOfN2nUXx5W$K(6G%1QTl?CIjvjXPe+#DYUwZK2_S}e2F1zLCQ z7Wwco>5nc;ao0)=*3}m3z_Mi-Vp$hv6mDR!ibpR$C&EvqXYy5eV)!J!jm%M7QXD72 zYau~?j559mYLZ(|wm2Ox!=u}#cF@E_Fsk%8!r8Pm`;M`M(lgH#8pWV@gn5jy zuuuZr^!RE>oQsf+<{V=QXlQr-owU>}vTaMPa5}&UcwnSaY*Pn@IaNckPg&vp1O~UOWd24Ev-_`TGYE0>vqcDHwpWttR0(5X6y9V4wFj{h0yDN50!-5 zxcBbISMc*3w>G0UuSFK(MTX$-fr*C`kwhW8Qd4U3>bXVwhmVr~^>nfAcYE>Y7EeD- z!FMNk^yn|w?;%pOiZXK+|wQ0C;8m08#ah@9mn-ifbI)ywU+T8?Zgv;%;? z=j%a6e@m3zy2fxu&D{9f1zKUN5H2hbzJV~K)nR9`gm_`Na+B_plE57Qi9jt<8?wQd z_CwEnGIT`l>nfKAEIkCxE7NCMsh4}rb@D&;lItOu^~1p0QDod7*`y8+?6RG|eEguf zgJTZ94U7_{8nJ}pP>k*k5{4p2e~cQ*{Myq)a0x*IL3jH%*o$=v#l5~PAUg|#o@$_d zb>Ifh*lu_jWPd*#WkY*xHWVUvK!E1z?&FSroKqU)&?P)25!PS_;X{8*j z@Q&=lAEa_~pCOX7I9d&(S#9dp0c{rE94GCd{JSF_w5=@1&jHO8K~{m+_L}HM9C#hy zbMZ=ShXYZstO}X;3li^~s)D2K70F+vt`n;y&%8AXCzoc_JRQ=hMk;s38oU#P0DBYs z;Z-R~DH&t6!ZTwQj3!J=5NJ<#0n|lk*5byf#awJ{s%7b>Uu1~=^)bi8gM&*MK^9{! 
z)TAX2x{UpSdoHc__`Rq+f{mJ_TJe2~V#$^gQ{Ept?{))itTgkte+P+!J+d|q#dDfM ziwxD+v@~xV*9~Y|MRnxLrZ4*?u2Fk)3RN;gC~)Ht$6em{g~S0r1lwY zhxn6k*gNC&?9$~Z-c<6jv#yO*TQh^=AK13Xz+4?Pit=;2<~M0P;n>cPZ~R8`!NRSy?t8pt@%ynQ$bYzYeGxLHv8A@kF2JjYc+w=s7^F`eAb zzItGQ1~sVTAzQ&_X=1X7Qy%GPYliLS9oavUGVApo(Q#zG4lHGQ9Eir$mLl7sbcVi$ z%TVA|@Z72@wLPVq>P%evTs^3huCv@?|lS&FB$EA$Ae>XXXz`PE=|JkcljHw#Re z*d|naW_$BFF}S82t}N-{-H^);!f=p8B_F^YWKUHyWfBMYut#@ zx1dEE7N1H0X^g8uF3>y^+*tZ*e!;npGv$-qnM5{_GLLrho60+)g@)2d&Rrf%!ljO} z1gmVEo_2BA0&C&WS??tLg|Ltdi13c6o$W$i*d2UjD+lYFxk8HarXvzItpZ@pvNFt* zz+PfGg?FzGL506YC-gRn=BnAVnl#UZW+2rct45lYY>+=>2*J4pV4$2ktZnurV&HOtEN?}cxT7&$8C&|!=CZ*fU+4%fu?w=0b z?;Qc!_iYtEKZPD;oG?dU=Dv8(5xHlV_=|qIX1(NVF!V43wvK*G_MLtuH6v~C>Lmt-(+KI|r zmAfR)3NV1Zp~{?ga--4)GzY)BYPQqMVN7%+zIoG@j+>}k-_9#>X&PHRTS;&1Xx4xI zbCY(PF!j}s8fg@K=I2*el{TjcsJG0BMJ&*{k~NGw&$j=(&c+E$z2 zm-X}1q(_>ZIaqMp$B@+5_wYTPR2!i4bl&@www|9rrERE<5^D~Bl>-m4gHf6*#l!Hv!Xw+1!w^!C6o~n%ozB8vI zXg;~Ai(r$eql^9;#Hs}wYPaO$13!UKbxzhcuk*h4D?De{bmFCTY!(DhJWU?#M^9I{ zwUwg8eWT1T*XNTcz&@zxs2Uigy=+ThNe?lz>vej2IyOIO}qczr)|Un*oUfv+j=tmO-IsyQnts3wAe&K}g z{#+pfHj$U~UObnTk8(8!_i~I*t@-=s_vcTYO~#U5CR!0$$qPsw7kG+;)Zm78OHL7_ zVA29R#;+gKTv6gvrx>NiXqqVzfBPqr^9!Z!ji}-Q?Jh{v6@VFnZ!o(F=<-*J(!7ww zfb~Q=GfUa6O(7+)f&D*L5k{4@2TB{~oxE|X`y%fmB_=!|4u4|XUbj@ApU}Md*DF(R zM=#rMg%^WyUFLn9HpE13P<5;7B*>ZftoQ?IG$6K)78jN4dzPA&-ZDW$`fk^l%|7T~ zs~nh>{vntW2efl>tgzb=Bknm@EyU1=^js?&A~Tz9z#b50D1P9i9bodB?iWv{jNU;D z^p24`b=9N`^P@F!oW5q0Eij;0Y>E8e9@gg9OuyBv@-3DLT`OvbexkZPL##z}sm&km z7^&5eEcS3a5XVlg849KjDRkOiW~nzo&i0%Q$66=+0g$&tskYy@fjL=vdAg;*0|FPC zJJH^?Uk!DC*5M~?h@p8=8%AbmbP)&NFN+MLGl zm-(SmfKn;Dl<@tc9AN~`2_!V-sA3~pV!rCg3E-y2`H{LJ>@{S$K7U5#q22pu&tze;|$lI=f`E06f zPCc)xNo2+E`e#A(;>w+EajkU>$Ep`rtq)k=RZYTU@hQ@`09q)Mu^J*Oi%G$IXU&s; z`b}L0K@x`~~Rjziy;-2k&11)eUsfd0Yr zw?Yg1pEkLN_iD`ksqjju`N$7s{@3;}Js8pH(n7LwkmDngiq)9CIUm0YRNd|oVm*Jn zIC)xZsD*1am>TvOC=SS^9T({M2zc>Wm+7?N0Tbot$cy^_Fete)+t0A0 z3|pxJS?BX25BXHvk|0!h9xvm1-{C0Y9sjPV5 z?aAfgI4Zlg)^~*NLEy&Hch^@?x!4zEuiXD%ln4Tp9k)JfZ)R`hn_|rn4T~YQVgjH% 
zVYTYdKKpn-wB}wlgp(8~)ysdd!|3FT%iHp2?ODKkYN-@!%#oa=T=HKi;}@Wywr8}l zil<_ZQQ`yWm8Mk2dn|b|tX^CH=Lr!wnmhK{s z*Ye5nm1K_G?xiUg^)HX1?kqcfGO1FRYDBO8AVgSdy0)r~nwm#FwrN%FY#Bpei}!Pt zV`!qoU2a)Os{|fN$f6L0ZhL9!43z^8e=#8yZ?JB1Vm{%&7A;ck;xFw7SWKJO9|0tb z)nQu7oz`pw(Ih%fDBY-e9sFOv?bV585E0;gkH8lO&YEJA6q}e?vL*guG$dUdO(pU# z2_U^i$$PixFERy3CY3@7OC2az^2(@DP!6?PjO~q-i}ho*L34=7AQfJz;}V|IiGI>i z7UUgr{BpcoVP>HI<<>-xChdkPt3*`d!y?|PJlaBs8A0J`O#L_uUnhJO9@BH}vwLad zcL}!wY@VzWu@Gt#=aR}&2?KAX!br>c2seUzCdXbw4G(D*uY}^*w;tBWUs-b-b#+MW z927v*Jc*tu^{N9fJdZgAB6ad$8~d^uHQy+Wgd!G@RDXHkz2Ee@prH?@dJ&UlW>7^5 zCp7?2cqVg1M_+BH!u4s#Sr(H@O5LE0g2Kw$xjK!PQ)>jG%H<%SbFT1ENi+5o8>Klj z3CuMHEx^81^tER~JQack%5sqQI>L~4pty+${qObJn#snVPO9ty5Yw}rb1u^&)A>g~ z0X=OgGdB%o>D}Ro*?(LdK}Ev6b|LtuNO>oq=CckXjfuYTCGwYcF0SHB`j2Pvb+0#_ zgOu%)RRCV&a!p5ZMLO)e!{9B;?~pdxVc2PQO?A;j&^-h7(DeM*{HOM_u;b3S)H;$; zGe<9tqKi3FV|YEI9x+O!%)nxF^X+!_!vlJ|~JQFF=6O*_8utLjqNf5nGuq@INeKUhdNI~hzlEB<56 zS+5m>FC(emwP}&s`z3(5j{u%XwMY8Wj339QTT!M6<2o$FM1bMgWkZ-fI95S!M!kaWLLn@$s|Q$Vf=6)m0(ML_haANW%#o9>6+tHjO)oqH8Is zkU}-M3SYwtD<=&SN*K_|sU;w`;pv~^`x3OBWN5@aE z)^f&)bBxa)l0yAvwZ~tIn%Q+Xfo~C`m0V9Z7JM=DL;ifE*ttFd`kmj3=9_w&*#m_K zV@CovZ!8basc4iBuX1{rOnO{LzSu#tv&-rE<-217)Vwi12vfuk{__1$bix~?3*&QD z{{;k|R-B&mSw8Ix%ZTirb@yaL!V9LpzN>`?nsWS;ZT!cb-1#a7SImwr@n?loarZ}L z?3jk*MPq_9-3qinO`pi(t4wYK``&5guymK9egt2H1NH$k2{ewS!GMPd5oQ9`P2$|0 zQW41`*&P{qNljzXNu(^vCED1elixFGy6!svCW;{~?$4XL4eyHpOg6_Y|6z^=Au5zY z4n?+RzA__HibVkhq`J<~TWf9r9s1ey?$~IJct@l_!QOo@IL5Y8qnH5W?TR^|+NUaN z?bOGNbOm9>8n!@1jyoAt&msz0k0FH@KcS?@!2jktKW& z;&F^lqul>6spnr^c<^_MwaiyG6tsyqP(6+Gx zTPiBJ)vXD}^xpu>Q{v|%8u!_$cKQpge%v_?)@z)>X)yne3zbqv75^yA5~*gr9pp+1 z{T;;+ZsBIx?6CyO`wCVS&B1?(Nko0&_xH_T?Vi!AVl@XZ$^o@YzSuS^JDjdq;o)Yh zXVdrL6siwn>+a6BF(mPZPLjDI2_@@q$JQcb@kGTi!C`aiTfi@qb%l6e6BXu>pYBIP zbXf+a>TPZ)jfkeCxC<5C-*2`L`*~NMx)uj^&LO2x{VA1%CyY1Rw7G`)@!zdI7j7Vz zn3mDs;+@%Lhf0Ie-jYY#_(**}(rD9QeSA_vj;3^RPYgYL)FtQZK71W6IG5PB*T)PN z=~k9$6jo&FL?4ov5Ji`gWAU|X!|s5cmR67BZ~!kWA*8Gzzw8poW_O&JehZ*scHE%T 
z(Zqpxv3^vQ$W!?g#iZD&Ylg*$ZYt8+z%Vm+$wDk&!}H1twezv{^4^*9ip{<{y9>%j zg^N&D7vZ3ehe|ujjX$!}IwgUK3?!ic(Jodu8 z$##Mc-*`%VedknIk-Iqc=nnC|iW>2kU5-Jz8p7y23~z9)SpD~c_d|4H;t71LTgzzLt%E0ajVPXFH>)0KbH=f zr#Q)7^pv~I%V0nAgStrxds)OiY2!2GrN*aEj#NH} zPYe@+WG+bbytlYN*j&3MI;4aUT-%0z1#$tussK@z+kWZKk5tA2JKiYw(Y-GRssT&o zZp}fyf0W{Sm|DOtsVHlWv)#2W88dGH)7IL>kQ)$Fc3XIWSaF!aZ3e9KL!9rDKi%!( zSax*4wxTVGaxw$lX+f56iB3uff?Y+s@x1R`$H#DC@8;gOF!IdFXve47}<*N+j0-?ifP{n;<=GaK0B+NA>Y)!u> zigcXu?{r&;rJHRVZOV}J7a#I)^*SOk$Et4aGH#mPT5qj`kCnzf;F={i$xfb?#&;0v zlLl>g3k(?J+!O$2@m*=RBL5tQRR{T&=j0WpXnSxR*xkLovQRWXD)#|ho*!u@Hhqz- zA-zrOr0pDb;zCox&ddNMtS8>R+=UIxiFCb9>7?~h==|ZFJ-(B=XLr@S=j!_thR)ug z#DGutx?(fv+@M9^QW$xyGH|2#3*_V}7%!ySq`z+FG2Zl|dp|l5Qgp-Ms(m@Fd+hP{ zecR(B=a{n0)7FeSgAqzzgbH8knZ~)Onc&lYJaUG5Bz0WlBLarTAJ6!K>{Y(`_U* zDbd!U7J|pmAOSs49^1Cyd+;~wOMw}B-D`$N$uleqLuflBOn((mxB(9ecY-Wu811M$ z2%AF>-i!pad;xZ|F)8(zGXK2fKx+Z)hlVPg>m`CtnJyN|2dIuSD{G5{OI0DvRqks1 zlfHm*|)?g*L)iYcUL(~qO6i#)_Yxl#?d)dA+WUOF@`^8 z1D@tiKk7z0$LDp*Q{pizG33FZfkOziPjnzDOM)1liy^W3WEZp-fanj*BG*YKE8s5E zj{uSI&(TEP0`1$dWJ@*J2;!s+Q7BH9mpAHs>VGO60{@0?*0M*K_x&?2)tDBod2318 z*L04>usQYxo%aMrqT|{DKAv{TmZ?vUdFADdAdX9E@huLGhm;vu_?wN4N_qS3I%(_5 z%O@`-vG+qcTR*0f*i!j>fKaatDCP>UhNvMS(u*(BKTFwvGOjZRC^@VYEAT{C|NT@> zv~UKiHNLm>>|LSG`|kSlp$^aM>*#8M+o@|#8mM>`%%%s=S;IYF0P+|iKRr1dJjgbk zI$0d)jsMtpaZJ~;TcOxQ+gNv6hMaCFBc*S<3SpAirA(iNxc%7ErRn2o)(}F-6vpQ4 zJ6VRb+_(jw-YE*1!XKCo*qK;=DfbBJ%-Mh z8}#!)!qIELR{5#`Pfho#E-15qa-nhiaimMj{g#WGtY>!49^TRto%#)&#c^4qN1Rj7 zw7A{Y_JV({TGmX-L~i;}JTU{a5Yx5x(Msdvl$z3{i;IMKsCWM)&`hA>QkYBwqbvtz z)C4L(Y_2=h@I)g&cS2Ji^K4~AOfhc)M&DJ1G8Wx(Vk^X6j9}sbGPL`h@#cn2&o<6@ zOkG5HtND`!?`kh{6x+W*>~calv2D?pVzC``$rNiQYKfka|v6lt(ZzOKim73g5W0 zNwUmIBsXG`fYse+ci=Kaf5H7L1pWF3k zX|l?$FgaU!O*n|xEcoVwX89Ca$~Ej3Houu;Wvt~ta&{S^X=;=d^7#C0@Zq=``yh95 zDEi)dRD$k-;_jU7HEEy7tXV|j&@xq=Zb>`S;#mu?BNJ1n+<#gs>$cM>1(C8&I@$as z>1WbNUhVLEJ?ht$Xjc2N?ZY#}g_o$q&Mf#hAg*6^`xyimGeCn!arhV(wWF)c;HUmi zd$|w8@Mq-S6_3^>U7o9EoVuv53J};FpKr`CZ?{pWJ~5Y8Rur7SVR~iZh<05dKy(&& z8k>5%YHL~ElUbbFb) 
zGT;WqA;dpG*^Olg!p5T4x`xk$Ttbky{{~VfuG^4H8x};FdcN^ga=)!P`wxr)Xcc+B zf#-5La>%5qxjNw^H&P^Wo{ixZx3FWk&Y5Dta&b-`2IY8tC#qW6$rff+V zqMY@BM3sQv9|J!ra2mOtF`*LZ#A>xlAaP@KjHJpN%tD`_3-Kn$pcxAZa?z1%!VZ!D zi^ia#E#^K<4K%jPC?2FuAI|@RT_i9+{8xBm;sXO{)-h!Anf*EYUR@s*?->oVxA+PC z?UO}kxA1eep*iz~e611Ie&-JF*E*NGjyP|x!hYgQ)WLpo!Ve+9#u9Z8pZ*I+GNAdj z($2nR+NH+aK!i#8HHdVDbR&wiWt zeU7vto`%wa2gA}+~>+nXdR;eB&nZl!5u138#Tuxw`hrGJ4Jwo?(Z^- zRa$Vs=|nHb2OInOfxCloR5fXn)s-F*Z#*aU#FGbM;xwQ5e}vkkEbS6RZT)o%dN>ho zkX}sK-Q*hCyIZgsRRjDd&EA^#&$_5Z0zX8)ZgIT!?hf{s7VbV}PtR@ZyU<@ffyd9I_l?r*6XRCSe zwOOPYvzC!EgW>}7tmD5ku$}u{?o}_L!`EoG)mLXnkD zL1|DJU&VU)_&vTkIHHe(ZBNVmb|*q(K-+geNj4V_{f49PZ&Sz2Zz`3!VTqw{6%fgKNeSM|ZVN79ZzgP3GKWs0dG30LPH2$Dzmq%;nG zPEQp5>)F(%zwhTQmvPMlqf(LCUC-H@t#(d0ls9j?4UJKj2waxS6thrc7ee0aq3Tu3 z#pAV4>aZ%)esIvWJ^~G>wpRRDSB(N9P8TTTL1eZ~mdyEMvt~-ku}1F6S$2arlh=C5 zJoJ!v2*mHu)Uyw{F+|kgA4TILQJXhN7wnZT7LvQxv9!!$*`rXNxh|x3#1E!;Y8^q`>G0+ zyn;Wd-87E}*@r&>`PbZo-z3XH&8bPDibyJ!s!`SH$Ep!F+b$krL@V;4EgA=VxId5z z*{F|UPK3P`#xp;`>&)a?Hh%!)`9EDyc8hRlO0zBe=HhJi)AJ0`kZ4tgd+}+@dbdo+ zE=PeCLZ0HfYtF~NSg3V#Y8+og{Y8hL;K`_|{VQdN`t4}7UMYI7iKCDyh-*X)N=Tp& z5%4wGHTNW?t%Uu=UJ?{;`O34Ms&o9^`51bl-F0(^=GrllhNVKqt1>R#-GKXSiR3}h z+mVC!kS-JOdtO-n)@U>KeKPTHlb&`7Nrzs^%lL+AY8H~7f%WPw7}Cf760-BFmmoS% z4Y%@1N<^p|sWD`qi~1Ug?iRUHh)kQ!IQlOrAgmc&7OiD>F99>#VUDdP&q7{QbqW$S z{#?oMwLFM~$t*Fy)SPlm2|ORa^zCW%R4-pg_{HSjfm~)#(m;Vu8^}QiH}j3P@bwbE z(2Tsb+c~(vxnk3>S9xg$DHMloSH{zc%Wf=x^*H4xqcZIM6*Y`*$I9Zes3C*rwzf zP21FFL<=(9Nl5b(Jmq-2ZEu(7S9gv^hw>t(a3)PfbN!tSFljr$h7?16Do2;Ihs%T* z^GW&%lvHz<`uG9RTJ;a(JLqs1!{~C)qtqDNOSoQ-B~K!6IPdPR2Q{H(R}#wTa2vNZ zlL0tE?SPl_c3CUY8FVq25A(}~K~ZQ_30cAXLMVS}?247*#R5Kn zZ9wKtpqRU?8H4jbT-)2AXT5d_pJ5O#3Mz>w%8w%?-seYPldJ=ZH(Dbm(}<)4xd}xy z*;tqpVe{i(JlT_JT(->usME%}(>ew<>Wp-2LaqXG!~H z!NTr2#a|x_iLPI0HR6oc1l9r-QA!-Lt0~XjF$+`=8)!)Bs&=s$8Qlg9)IU;(Y(R>>eZ=Po4n>{<%pA5ME zhrb5&;HEyXw>|RaXb+K*%r<)rDv4ej0%Ev6qLGyvo45(DWvJ~d?BDF9Y`%AMXZaC( zzGr+Pb*Ni@QcJzG-Q~@OXP(om^w)p#T3mzh7CHL;%PJR_ULEMTdCV zb^bi9Oz44k%*} 
zY7HxI-)ZJUUny25*HYi_+?@f~k3HfiaaXT|R^d!W#LrzoKX}5ET)PC&OLjTZgJ~Jo zdkMe%MO1e3@Nr?rf(lB|pr336A$}bYX1;*QtWvYxlZsv(%}_9aZiB+lgP1|4j$UQ| z*4-0?z1@TEtCZv(<2ZVowYCHhS;$sTnZ6nlfBhgCH3K+j_PA}Dfh)|vU%?;?pA~An z%cumM;7Yc`IA>3P9l}ET4&k--{v<0F(&-ZOeQG!%JZKy$!(FsR%-`oI(=}q2T1k}x zecbTd)NiCQFU-n7Y7|eMujLP@= zLYpMG3E0f((RGV$=qTuh@~;{hOyN}`O&%y0p;7qD7$_GVj?uolIG8Ic)!+0@OA{-8 zY5$0uZnlFM#SOGtewcf2Z;8KL7krNQ;gqq)$H(93aDN2*$|++Zhab-HqNxw^2Pcku zec$QMI4bL?G#v71)udf#lMooJUBw*a)(3uw@h{z_+jlt?)W%?^p~g529Nlp_KIpi- z&PQH8i`d2cC)y$2IpX91H$XH_Ss|XH!9Y)JEe|&{b7pOQv+NP(49j>9K7zuIb$6Sps>Svqt z{i}8&$Nacg7DfJMz6>KmRsL@0=*qNkt>0Gi75C?|;b?U0Fy3nEBQm3b6&ao%_++sZm}N7CpLfpeskZz#j4x zvF5k2B)tQEA;XMP<@RlGtc4fhQM3?=`oZB>UXOP4{WO$BF9Nt^(SOISl8f53%)TdINBEWye-pYM}Zj-Tw7}}Ywmb{;GEzWrF z?)=!z7>kz18um`*fCmkk*$91jlTz6ra^9# z6P4v4j>cs1cSgrzWSqQ1^C)+*nF$Z}6K3;@I{_=!8`RpD+qI%Dzx2 zp@lt{qDC<7yiQi7$;-1sdwdMlox^hy0CnlzfR5?dB#~OWNfPXmUrH?C_!)DDXR%ON z-4k)#JTd6gNabh|YnaHqj2LIuV^NzP@kFl_q8N2|Gu}ySuKuuQ1;igS`#v1$TAX_G z$x7a-)V$ie^(DTZ*YoA2x8(FFegIi4BqQ zaBe`WR7X0awgJ0FkZ|8yzGg5)3U}_-Bf>vQG69b#VQe6H2+b;l0(qG5q`9uW8`M5& zG}E@TEpa4KA*5jZx?CY+?j?SMj>^dnb~^prMp2TqQ5A?~&jbbQ*cJ_)DfMKGU5RHr ztKByTuH%HyW%8_n%98Z8adccd=aE2e&<|22@g4aQPG@qZ655t$=^L2ntoC(DUQ5qv z+{z3L#Dp-$`9(St&TY^7!TE8`RVXW^fCNQ^F1=8~CXJOVVm{Mbako^WPBGBN1IFVRWMe0N4SEp;D-KYwo6m!a*MFuc94PsgwGx zf!E@eS|#!xN9{$WhQP|_x3UfkAoZboI;AjH=1%1uzBtg5hZ-hFkeYc8@8UFp4OMKr zhrkn)E2Cdo%gt@N!k;vv>3LrG7uOrWtw4sLiE3G~sJhY_IcRhf#eLkTk7v)-)ziC4$Xq&^WaI`q1(fnLdg0}c(GH2+76@;2-UaTtnXr3R5-r91Mm^#UPuc{== z{0riaut!qs3(s>;)k&I|OD`h-39GOr(6}(@e+1spdOgb(5AVAx8~CXZ5P@&5c2M3fxprHvn6*0eabj0fWAXm zA*%@lP{j=p@{X=boHQ3aH-}zY4xaX9%$3VMsIsCthaBuN${aM6>mzIiVs|iE#bf=@ ze}KT#d@cW;moRd`K%L3k1x10M9(E{(1*+(Q|>>e){d1Sn-z?``NYaU z_0_OcZ2`|0Uk7c~#>as|%bC>)dHXZwf+qQOGQJ4m-ZrdyGFwWPi(D8iJKW$Wg}+x3 zX36ctlmZ*``zlt+1b)uhA6I)-U_B)fbg)>;Cnls;KRNpPoINQpSym_Jh`ja_hVg+U z8EUkqn<}pM#EAs9AUc6eACZW}3hMkE@j|wt&fk!82Hu?PzEU|k&F&e}Y(xFyjC+S7 z^lLw!>`8H|a3vPsoU|5^n?q7S3>!QrL)FJXve;uUK&uZEQ=+MTY`W0?XX&sz;#F-x 
z4VM?LR{>VO5#)^yJ!rB+ha1CUIR)@9Sd^phr_}!8_m*jft*+~+Az*t4P3F#=LK++m z3A{6)=cV^j60}{NN8TQ_y5SEtU+l;?QD;I_#))wIe~uo&>1av|@OVC4o?pk&TAhL6 z7^VUGZ?xPad0cr*Vst(?+$+FOgp#}bra1uLT4)_c4&n8@)&S*FzPOI2eU4_h$2bWEa&U-e%!MoozK_3dsPH&E<94>fWC2Cq^uNL- zicGpTTZ$y&Ea2#63gr9t?BN|*gMB;`v&J@4U_eNfusH zU4D%q6^DXIak&kOAA|tjRy=ziG(VY0eVwj-lq9G3eOtwHvTSjHNmA`p=Tec?RGqal z7t&(vsVPM;{dOx{4=vBO7XA#!YG{O6*gFs`72;uv=s65Jx-LoQJMF@SExHdzV;pCJp81pj z;`jfnqw zLANY($XZ1Mg`{Mo72XrcoV4SGOUbfLx-yKdHH=|909wNXm7~N+`o9Wmq@T|sG_ZZK zZc8AxUl$W)vPXrpfCm$Dq?U%^*HBFooT+^c->vfzk5Fgdc8W{ji2@xUThA#PJVyB363^@3+w#2mV7pe zCZO#>?a1oHL!Ini6v`=o?pRhb`m zwtV6l-Fxu)_f;ZDFd+9)lF1uCFnOXwB)#OXnWOZ;E)js84WbArKm-2+=XsDj4@5(n zK*?6yL68ivKxA1O53xv!XViw zedlW%-HS~Z7A!E&6Lg_b60S*kZx$bP=67#$!AG94OwHz!<)iL+-9PGI<{Gm35qb}} zQoFn1ZnWg-&p8lpdMEhV#cTSOZ_ssX)rTH7{OB76;aTPC?aNjZ0 ztLSwG90xMS^sZ%DoLshgKZXDPbGYRH3ibnV?gN?7<1+w9|I2iW`YFA|a49o=2sQA? zkkn-G{0gD6miEwwdX>4ubCa4;zuzq=kN@^;s_&xZNf?xU;DMnMQ_t$;a^ zyXsKq)UDuU)+dvuuXYONm&_#0?M7*j{{8dbQ9bS1nimwAGg((%bhNi95r#xxTqih} z-?)L^)gSWOZ#_P6eD#)9K-tH7cexB9sHd8ExP~ruU;O9^Y}6C~ggPYPs!M|b@uh<< zU2a0t&K**4TTSzC#Z^z9E?_+H`!Sjoq~7e7+I2G?uoI3&#K{@7BiqXe4qR!ud^^mvIe(0OL zCF5!xwlSzYHi|W*3H4vLp!>GAe|v7C`r6qTk_PiNnh2w$c5R0bRbcyqA9&w*>D8Z} z@ZrsnJ~>cXmp1kC-bIRlr5$}T*Aw7(E6aQm&(C~*V~7UU{~69ruZ(HgLz%ws_t-Fu zt`vUX*t zR{#3rLx((*`9pdfw>(9yWzqr~26W5}P8AcUgMKrT>&G6C()5;98?_yqdo=_&ic$Yx z+v$qA1@6^MP6X&`7d@;IX_h-V1O$5+exNucg!gxE8{MmiLbJiflTBgoMhD(x0!=G| zto^CZ*_ZSW4pljX+h&eT6kDSyk6!a3C(QJ{qqhZM6_Pf&i=VY+UBdktCWqK-6J=36 zEA*NOS5Hakb5N6ZT>!m~KPe;( z>8KRH0j=idcN^^<4>~b5oK`4BXT2>-DU84cf~_shFMm^AFkd{?ld%JdVSr)-BR4CY zu(t5Y_swf7+shln-xa_^-uLao7XWk)`A4b8LYH!n}TpTc@qS|&b4Edyxh{sT$p@jSQ*8XL%P-fgN%NVgUNdZ3L zr*wdE@u5=oBi9fCCy{odqXWgUx+c1Vxoq=`J+|jS9!r4e*8-j{PQDPv=>pi$t)akI z&JSoKw>!%tPE1cVb;_gF0}U z-vw6xZ_xaf8)mhZm2_pZ=(p6ECRO@7ds{=EMTe;{FH;>dR^svj+2hjBwg6`Cy$d;WL1n}79o02uv0rrVbN&iiIpZpU}v;4ZdbK*5sU$>DP5%=*H z45RIETu4pDK3CJ4O}zFQnp)=fI)ucp}!=$Hd$EpE_`if_{Xu;@@&wU5{IS 
z0J5!~siLjC3fBtjW&hAbIyDhheI4YtR4v2f$p6z?^%g=ih9^2a*OPZh_lw%#5h1wM zTqd7T>RchPU0=2-jP|4zZ)MV1q^{b14)`9AmG_3|$vfeU?X5M(3a3r^C8-+MaGw6S zhDIj6j_%Uav}m*l`1^u-!aGZLwWz>q=crsbdqT^n z)0(tGgfA+r>1tdgdfm>dro6F~JMCKPzXAgdmylMFSih`=A-=-78Im+};I(7vb zNL@EuuMqa9udaCQ&;_{vyHCW7%}KJ6M^3cQ=}QT6yk0=RGv_0k>TZ8e-)l@&LD zwv?|Ifxrl0jq5?2cS6P@J zk*0P>w?r*tx>UkCZ*DpZo8kjT6RT$^S+dXkO}ya1vt6#sH;0Q8cq{LAv&fn;pdmvl z+c~$e6qS!t?F&odu*5wc?EL+X_#~4QzTRQyR5K9mN2XqtR`D&OA!~{W&VR`+Y#)pwNf;-- z`*L+=K%8eWIT(xdQJ`l=meMeSSgK zFL&X>rfbuV5@0Z1Ti%vdCb2Trx`Cy%#|p9^uA7^T8}6O-_wT3;3?M=$w}l#4DeR&) zUrn!MPGa%1{mM_Qa=y3Zto4Ozx|C%#L*Kbu$!>pWl1H2>IdAfY^c_Tze1bm|?8BZ} z1Lf2Hhs!a@z|GXr;}Q?!qJ~ai`K0Qq-g!Z|sLg;sqnON`ApBL1!3|?vqPw{t=T5dY zsGm=XbP$E+f!fc7>VyC&OA|H`9~)%h3ImPYs3~uWTzBKce^;e8-W{HAu=55ab1OCl z)HGLQ2)AsE?oC{38U#AbcUGbgZP2hUF}EKnq}|6f3C~qW_4(}n`ZV6Y2Kq_yC#mVZ z(9;>E?#eDc<<)VSTKF?P3tFL)1bknQHxS+K)&0mxq-(7B=>uuAH&N+<%HMKeuNK)U zkVaRxUZ-GQv5&m=u{%Af)k!1(jKTHFPh}x+GhcpP_pRv$(S$9tY<@7eUD;<7~C%LfkQ6Q=dESQJz0y1etnGTyk-|_#7 z4Ku7nACT#cYQ-GA14QizK*hf42S(`Z^OK+#(L{6M&=uIS^_fD&23`0+u~j20f;@ss z%AnjUn+Pd6z&bN%(&q0M5YSR|ul-=rt?5yKtr2BtV2IG@=oA_8pi(xqulDwjQ?lX7 zHg$H29HwVt2uRz0i_ba+ux=EJ(mfu1g>^s=Z?YH@s{Z!b!J9Qw4D7B)m=-PPzLjxMzGD%)m^_Ke(r=%hl`w>M?FXR}AXSWe@g&?u`5ys; z6u+PZ_&^Cb1`@dxlHSOxb{IoT<(G0wQ8%t3+YzU&$E;OHne$<_M9lIfh}J-IM2tdZ zsKVX6So%>*8PeuLP4g#oXrjcz0Rg3UabG0Bh7hY@jK%HZa*R^JCME3|rV7HmT09Ap zl=`>vR|=`!byS-FHs(tsfo}Z0ER*-}MuoJ}>L|p49}svbtkz_%)_C5p*MfD zzqt_u5iuo;=b!}fN)5j(^CW0Ag-FEv{^h>6#H zvR~vk2H)IP;`+g2)7sJF$?Ez~^ObiZzpLKZ1HOu!e7O4+P~bDUZS|&d#}f1v(oREB zUV%G%J|ETCa%+xF3rvxIy8h1Ftxth|@*lbbk23KdO1l^e1zH3n{SroDoUIK?Pw{k_ zV*jH`7|bOm3M#J>>C2#(q7e&FG$v zF$*`2w&N{JH%TIuT1@nXSDVm(}FwhHk4=o?Ydpoqgs%f993;La( zWF<(>(H`==lVQ6(>@cv98#Rpdbh{6-NpM+=a!*cWb zlFyDE)+PivJVz;0=wCe>p|fyGhSA$5Vs+{ZA27jT|3WvGG?Xg~9l!pMIA?q8!*d9N zo9c;5O%A%ND&|9>W89bJt6={g03{*DNb|>Tsfj5MPSA(lH(gcGS){Kfsn~exm_90& zqLocL^3@l$Ay>PB7v0sjyNRv>%V6EuuS5RSNzC`xb6^j43Bldt%Hslur!DJ=?!|)X zqDKdWUGN6og5m{ZDVM4v-W&Zpd*c+>duyooh0C{HY6~X`ww|Ykv)Ju?5lC9l5|i5x 
z_SW*Fi2gqon;!C~bL=Aoc#oP^&;~2Zx;9&|J3zh!e{yI7Xy8hr?AmjbF6I}8YDisu zp1I&Lj>K>$4m4dP{_!H?VeU`2KOMXNrO*I#JCz-RXPO#yW5Q$!yYzXl*gxE(+BC9s?q6}gOqh6w)H^<`|? z8X*Aa9A%eT&s)ByF9=Z_mQF6aE}e+PB~_IgIWZuu;PGGy`n6~MXfVPCokKq9tDeMP zXGQ6#V)|-WH&?#L=9#cHjx>+kb*>S{2!154zoGlxVjy_v+U^Yo?&uw9-1Z%ehwanc zNsp6&d$sJslZ(v5Ag$mj(g4%SGzilrm5z!M{GOU$i>3u$zgq3 z|F~XHVF%@UbK$br%ek9Gza=(V9+f{^c!?urtZzyEj`Km(*L|z)Tr{vVP6O}fU#mRv@*t7ns17u){ z72EO)6h#Zt&@iMCCUatphp=H=mxfmUO&*=_>W78I0WnnCQ^J73!Zvw+2lm*%d&c%T zv0@L_3&9OWzG3_sGPoze`S$aUX_^xb>OOw~o{tIOtoV^`7P{(L7|#0GgHU0-hYBM$ zYxI2rIVa))A<3k_C?)>;RV=hPNyLgtGIth?X4rPT*Zp#^0MHqSW#;7xjEw3)%nWFD7A@?1dS$g<5L73PdPU-r@QWy!*|W! z>G=~Sd0xf``ERefWAfkjd$B@Ie$dc=X7j)9gy6qsQwnM}6Z_mq7%AXu;FLs!3Ga(5 zyCc6}0J@ov#Sy^uD$j^r_@yW7sge-k92SYxKAf%;{7|Pb3ERyCtBvf^`sa2ss+Qy) zZET`@f^8BN1#97g3AxH%v!dCQTf#U|k;T&sOhNv}ZHz&F;X#3QKiJAdiAFFMgqr&IL76luM*iyQhRecmWV z!5>WPRK6Q9bx%JB^ak%|OEd zzTV2iuU)gc=8n{_J!};11WQXd3#a+JwT^6(X&uLhwR@+t!<{*}>#eHh(v`8pJiDmX z4?H+l<%!ojao3XXC@tfLIEb!p^bb+~_+;T&by*Q5@>>Kqd^&vu@$CBkU;vLF?iVQ_ zmdh#)OJOtz`9iMU$YA+DPMv$k37nrwkwZDPeFoZua;nxw@OH)n`*fMD=Cv&uUBQ;) zms%~N6WM!3Z7<>tRtk-AjhdvwiX(q-ER2*ctO^E+qIUv(mXgp^0k8k>dGNUtM&yHyYS?6P{@=)b3y8S4gP*LdqN195Q;316cem-N z?Z_X%$Ud6gffCY=@h}!^asx#CXGE}0RaKsHn3yVZ^Z+76p9)D20#z70v9nIcUpe@P zVz@)MLFyXSfU}yb#G)1HcKd9CZPuwBU_bZ|;Xn3l5S9ynCg4|aAs}TQQ0>Gh*ex5W^ zP#k8evYTnlIQA;57^W?=V3ZS9RFK`B27F(!G-uzo?`MLfo>#7jTs=L~jF`#Zl$z<{ z@`6B&W%_VZvy&W_BUtjwwYrdmf=~U)$4HZagEh|WNrTC`OY@&Uj(gx4XNES21UAw~ zKmV~0HjCXEJd~ExzCrR)4`VnHlwzPTgkG6`E*vMVPhL8nForHZorKT@|4fwKWjfDq zrMIMW6Kp2$*+XS`e~Jq*;^~>N`j@q=iMPd~%38NQF1k)nPOr7~zxg0FIVlM81|A}y zILg%a2FnMk%sbZ?;ALHw@RtCi-`pFPwOMvHu-gw`uID1!*}A&KLfiz?za1m8$|Iqt zk^>0SvoxH4G|Xw2-+)xin+m2%C_g(qbzcVr^*PUS1ZBpIh3x&QdE>3xtjmt;a~6Re z-NTvW-WuhXV}RSg_v%Uf?3xi?#1#F=IRQ@xT?BXzQA1KFSiu{psYOu#d3Xo)pYO*O z$m;TXYrV^b>{A9SbK(tw<@c1SPDUwCJODd;XS$yQvIe{a-% z+f_MnU))7{me1%sifD#2PAy0@0-1HP!y;VSJRa*VJAmR?KOE<={)dyqV6419c@V63 z*AQ$OgWunF*MPr6LirH4J1$low^@sPQD735g(=IQ<*6lmX&*BacRHiYx%c~?`J<=j 
z+UQp0+xRUs@>41N1XmZmNFb$MnrbeGKijTECgJJB!X|5Zp$*=D0FIqGa(al8j3<2!U55u5qy2eZFzXtQXD&#CbxKXjHz(IBnuBnlVXE&Q#Wz0_S)>y6 z(ZPqM9@s)wa3_C-dFxECadO#TP=0;V6WPVgDKgP5VBU256PL$;tJ1IZ#L#pVIUvu=`fgh3EJ zBz{4?$*UWE*EonI2W7#8OzSCT=j4M93Aa&FL)zI>VkD<1TvdM7BD6mAZUKBrNTVXT zmSwlWs@BT+OL|CC^093pOR`!Ci@c(+70hRtk~0GCkM9ufhXpP($qRQ%re zeu=vni?sXSq;oyRUwnd0Q{XvHJmY{drV?@77?6GvwUbp`ynW|T4S3N=%fMohGztMn zY3kvxX4VvSPt6nKZ;a+Z?PLA2eQkgUpPKfO5*}7IXg5CATS4CxEHp>i(lxDsv;*^g zT@Gd6Q@x>Zzn5){nZfJtqPy4%W_jNlhssik=`EeaUWCtj$Sr+jPYHLopOb&xzB6PJ zKpO@d2x!xN`9O84+stapKlrQo>``Y~_)L@5O0!s{2e>hQNePumHVNn^xXQz7du@WF>horit{uaM@5{o zIrND_a!b774OoG>yio>dcFQes91Qd%-rO`13kX|9f23oV)H3Uc7l}jMk>0EqigVt= z#{sYA+VXVwNIpkE=U&)C7!U*sD6_XOK%3M{Vm>Wh15vO~d($=k!{SsAem9*IB!{z`Pm!)K4ek(7!GhF`9Hvdw(mON>!wmSCDbv5=Ab`70gLv0 zuR1gPxW@jp8P&!xk3-%r=qT|MF(XV0QoY%4fnywjUkQo_6BnJn^kR1kNq$oXeEvs);I&xW zrVAzqnAdvAsd}8*!A;ctNI`#!NH5_lTm_$X{z?BJXfd%DuG~G{&h3zP2$g><1=JlW@*_UH(LL z?lZ@~n~OQp5HeS)f43YH>0-T`7EbEMo)+qE1J(DU?eDq)l2Dp*Ld=snE~3AvAvlj+ zN*dMhqvs(e$gK{+_9H-huM4=Jb%x6ZTL2w`kfVB1rR>ald$de^3#uow^7~a-vlOGi z0|V}Q+$|v$6a49Gw}}p@K;gC?pe)wj!)OxW$iKwVT-sLFrK;ELvh){Y$*JD9 zOG~hupk1sfyId2BM2y-7I4VOVnm>fmkM^TV5AD!28_{7qHlsg#!R&?i?LmU|22d}E zkpTTa6|lAqDAuK6u5(r+Z;qoR*}$o3W^5_~Hat(TBxhtBJx`VT&WF_6rA$?0GE+a7 z(*anpous9{FV=wkH(u!RhxcZrJ3M^r=vd(9yxT7nZRTHl?vKJQpoNORo0rMW;tw!4 z)`}BG)1jkbfgRFMrr%9G*qcNC#QbNljP228QP>Dedq4#~u-8xkOoF-NfeDF6$oRG7MFNN~H$Y!9U(E1UBfH>yi+DUy^+=IG%o~!MGmmG8xA$ zCUR^7!`S|OIG8XlhiZN*nGyXLP#Uu@N%Q`cca&E0NGm$wr^d&w&OoatVzf0$@IymM zDJ)or6S}MAt|jHK1!g`Toe#N;n~UbP_&9aYg*R+;t5|Hn|Dwb+f@+ieDk{moYjGC(`Ux{WOI&Lk=K!=iAx* z2V#Oi$POVMa4k^W-W&0r{;@$X%gT6-m4Xeqdks~cBd+(=2kN*T)$FlM3ZZHaZ#Nc4 zUi!LwblKuEzis)rK2X))>TsoUr)=har;7OQaty8kn3?$Z$CPL75x>CDF zTl6t~uFm9ZCVuydu7s&Bgc{O$KN4_E&=-F<{4Z+~1$;@c{aHgUUQM;}QUV8s(8BMV zuc{|2dMX9_1Cxi4D6=yi@4N6MwSN>0P`o5qk4XNH0wS=fx(2*6-Rit@rbX4wj3Mne zOnoG~`u_vjRzvEnLC1Ql`xqq$ti6V4)Vasbt?9FI(=$WB;mGPwd!v;V zOC(m3+z0$pf z%?6VP2!&*hwdLxJVw1q)$xW@}WbxQ`grMX>#9f%E5Hb 
z(tx{6z%cV@Lw{Kz?XX-*Rd{ZJOf~JDzqf6sJ*Y``K-1_gV}iP)4^?;1t8;WI_#S;n zjK3&8>_ln^P>)c}PM1*1D7@=9r-um);fUa>gdjQ1qq+w`WKd?{|@Ji%f*JD zN_HgB!x?DIt^mF5)vIkb-Z+=V7DX0p3Z0m^^r1pfAhkKAEu9seG<(JeTA)zxvV(EC z;kp({Nwp0Gn<3B;$sdPKiYq%2ZN^O(m_49N+$x>U&Bz3AEyrgfPbIsr^C^UBmysQ9 z&_NEs|IedKUdMm=sWb%L9%1o<-rx&avK5T+r25r;`IEtM(@b|Z^DB_PU0!Q8hyQ#f zWL@EK3i-$N05rG=^Ejc?x6dcfBD1-~6co7J*H~rAj`H~nit#zEj>^6MfZIyM@n%aV z!?;(GW}kz+3`E|_8q9XgG@R-bJ(lUT`p?jJl3Y2~9w@a!Z4_qko5tu$>M?KuEQy}e$HA&uOY*4Mo}jamcuFYB@ zWoVs%9`ypRi~u)PBzU$f6uBi+sQ2YRh2rvxJCB4&dHsiior98z<^n*RtQwgVIp{5~ zy__cl{Frp$qcwXvOV6_TD;w-J^AMzvI}0_vnvz$rue$ciZCrj0J4gaP(};@N^npuR{5E67L-;ImoOh^QpTq_2IxlB4pW;Z>X^wWrawN2-VuZ_cdBBPSuH~W-g?T~H3^V`wFmK80rA@K~c=IWc>N|CU zultG%@7j?KOprBju%r?wVchog@zMThu0h0%8jg~JGy)qUp3&eifT6V0QHB*EYOg;H z(RrU`WL24F0s3bk+dufI=6FhND#r?%_eHIoNpl@{cpJINWvl9tIGsWMZt+J*thG?v zi+Ccg8E&wQW%7yNn12$7UG38~QKR#^_vTu~oP&IJL1CK`XXKQA{ND^-Ohho0GBs%g zIZaQmEdkx(fNf(xCb-m)j7ct4PwBc#nC&_;Jmm7{<1>^l9M9Z_Cnw#+J&^9A%UlsS zND4vCt~pmaAzUHFReEje0X*E<^((wNIXZJ-UwC=!;^#YUUU4xwU5I!(VQ;HQkoS9f zc z5R1V!3^(oFrZ2l$Ay3JLeCrh!xf=A9hppcSZ2fj3GlO8gr?QKMD@J3G%21b@9_%0( zghTTLSlX(2InLMm{eK0U6GN+o6RRVQZ%PpARUfVYO#vi!U0gsCmy~|iodn-ZG$8-! zn06cbXFZnl?Ue=zOv@u zA;jGE-+RB);(%= zj}-$Sw;fe2VO$X9#iV=IRtN4J(TIghIsM9FbU!wT7_{ct}7AV5s6S zn&z$K8%D~#Z9cpXWVhr*{2Us%(y;7jmmu;G7Z(M#NO(H0oHOa;BLzku!#BSoo1_o< zgF{d0m6$}eM4O$>t2Ar|2pKZuW_{7wb#~ANlI*BLn@Lv-F}V}Y`b7=~fG?kuA~NfT z2@+>Ha?}+$X;|JIKhoB8G~kU{o6PPPK-$aDVttRWB<71LvQ{eI6+*SRK7Chzf!^c` z&+_TD+i8dp0IN_yKHC0FUkc@qz#qeCC0@m%3?R_ZNo=5hG4JoF8%n1{P;uu*U7EfS z5@i{on>?{?Czk#6&ye^FOEGof(MUC2nEoD@{xpO%+kJiKJPTWzNPi4kERA9C_wtD` zIO#|RcPdQ^Ow@Yg>lM5faf9t#n4YJp%~YDSbu+1c`-&4E!)pP9ZT6sC(s3T;G0vAU*{@v~p_84oA2Ug-9B_V0{({s3L?j1$X7{-bF? 
z_%oCywf|@$n%s+kUVT(G%+swVR@C*d+7WNt*3uPXs!aIbTHDyqav*`bN|>aoiLEu*=|=+@H}G#FPqOd_)(0Z!#f8c+*7$G>oT$ zr^iArcy8Mr@OD)3Wdw%XfCmV(6p)}7{g%8H7vUdq>*vadOS@f>wD2eHHLAv#*zYPa)hw`Y_m5*hwppxHmlCz;GA6^rH_lxNtn$!mW7KX zi_w1jdf!+@&NRERo+y12r#>Vr$QB|ZlK3+W^bCJ6#1udjiK;&ovRD}M!!QzPTIsoZoipH(1pqW&(19LzqEa{=iE zmr2HspcotsiZLHe?DfB{W*i?YWnad|FlY)d$_$#qTl0~Er`&D4$ai<|*5DBC33rMO z^?pAhILQ^-sg|l#4#WbIFJ5N^L?1I%1r5xtx91qKbj_+`&ZKvYO1pe z(Ckh`$+X-r^KD)Xzb4#a!n$%(mC23T{`(sfobVaHsb;5(IY}k(E73_1hUk-mFeI(b zAYXJ4gizlsxFvMlzKY%c_ahU0n3Q}O@xyE^M^tz9NyBV54LUzmNC52f1BiEEy1(Vb z^B6+Uzd-ceiv#F_C!{}tL}$napG<>S)aHlCd=2dm9f&w-Elnt?oAYgHLj)S5LIVs5 zozoN2GeFTXxAS3J@QhDGkb{B_e9orPUg={H{}^1AbA;x8=SlMb3Hc$O8vKsF%-^Qz z@hENqnTCusW7k9p)~NjObTGci?&gKgHjqCmhl#~2W3THyM?YXE8td5sWb*xZC4kx! z-;w4wK0qTpKdDLEiS)x!W5n~euhuie=K8+YdG2%wtbN51^)>Iy!2RWvjltoqY(2pX zfq?J)a--!5r!H#%gyU?;tiv(A$-Y)8GzYZX1_I_D_SA>Jv!g%+_-WYVly!Pe$L+Q~ zo$tiiR`Q0e0d$h?5DvmK$3lGmn$u*cIei&p_G(Y1&2Li3rEhE;nCuDPn(wG{9IBv2 z=f&han1(*pZ!>}r=JU^TBn!7PQvXaWFQLn%SCpT#FM2C4lqXR>zj0%{Q(`G>&?JGC zNWZW^-CnQ!s2NPZ<#*ZD3WM-7^Xo2xNx|=#lBG0-iH}!vw&bX>Pb!pfzxMPGkpGDH zV}ztAD%K+%!linsG!DILKVa}`mw8%2XMgY&3*Mjy9L4?m^y|u-VII3HdaTF%zq9Sm z&9U#~QH;$hI3g_Mjc_NEy6AGhvQlk@(j@cmoahcFH80*PpR6{D67kaG?(t}q_6s@l zw?DGRcpsbNHmqPuIUV?iC|K7*nWS`1Ab}>@lfM>Yh`s3-d?^%EKwGOrJv@7`3bRdBL ze}aOp&yOoF`FudS_(0;&u{bW@D4Chm`w8nj7}Wrv^MPp?8-uU*Gvd*};2}Z`3(;$1 zL-j6`Gl#3|wfm6mdF5?+v5@qOIy1?Qxe{39MfIFh33U5|8aAC5FGo3BO5KzlnUSB*CF^pLb7Iy(T3Fu} z!+YGAgd+O63=|k)Su8W;aF1vw zL^K*|navJdhMRtGhcuU5gQXK&Qi88VO5gL6;xKp{5hn=*gZ-x{$(s<_6Bn>4j}pLm zp}*zGenKi3um0gj1CSljr6{}IX*;HdTnWWNBr#*0!$A$dD!;Vpz*Hz;aioxc4_J zVaC;b(-c1JfkDj@b7ZOvo78sXD#Tr|@$lI9b2o{7IR5zl7mdg+sT#}=%PIi?wVhWqR%E%Lb8JL1o|0-|eR?klpLl9bg5NA3|F}u%!vL%l2#8_Yx@?jE@l?F{Sf|9p z7EEyKPOD5WM3i-shwI0GImeyRap+Ke!Xt7@L|DZ-r2}>Z|F57$CiJjJa9A;ZtU8p2 zlonH(p`!ppn#WO>%+J1{MBAOyUc*z-W&1Hwl*seScBO31;7vQd6J6K?*7qrU_UPb0 z$goAf34nHKOs*Sf*p0`CjkbRQC)Y-o@3RMAoU6QHjJKbf*(pZ`6J!6^N;ea|!0T(@ zq15(zU9N!@(hKBBrLhEzOx@|?aDxh2bn(L!4C#Dz&E~C(trty&o|_W6a%Z^L6?JVL 
zc-Mu-LLnH|LKX17+C3-!awy1iaK^M6_2uoPSR`8-PR6CR>56f|j;Eg8+xU(zk3Zv< zN_ySze_F!Xvm3$=g!ol3f^TsU?V*@q9Fx_I{A*F%d_}ERA*^74(j7b#4&@hCbkjw5 zc>ufY@EFU9pOiS+GZp7WD;GP8x^@m%J3<{$Dt^dTz!Qqjuhr~d-L&Mrf)?~(KE9ed z`@oU@F`Xg+U%e z6M6p*V2*j%zj|<2@5<17d>vO>ASihkW3@?nIH?NWF?v`js`-8avwzD+WqVN}vSNMbPl{(W0>lYUmyDOt&wk=TXAfEF4NRRLE%&SCt zm<-zC%Jya*8jm(2cqPf|QpFtAnZIBd<3LZNF9tXGW`uOfotsnWobqIbR{yvD|C*^w zu6#;5Uj~m?m(Y{aDk?a0C0oCID-F&{vK_Fg6|PV|CNmB7c5t1@E?+4vip3NLqF1ZN zOp0caWVFISJm^QOXS`7kBAQ$8!kVT=8aKPNv&@0wN5eAQqiTL-=UIYzJel+{ zie<~AN7JSc6{VAmEN{3EAHSDWD;MXpR!Z}VJ;Ep)I~zDe<&3O&gYySo|ipb zLb&}Q%wo;F&M+wc0%&yTJD4A+Sx>+3d60L`eVypA!7qNl?y7o_*#sX9MKm79P3yaC z-lZ+#2D7}x^j+xQJad`SlQZ(~4>_oA=LVV0yEuCW`G33ziLkpDPPfmV`Um`u7DO62 z*rVA>V!AIcB3n`T+7@3&9lSB)&vH<*^p?>2a-y%5H%$7Fw0VFnS(;Qn^~frB@t5@ao(vYYFXJV-ZLIK29j`+HEAIcz@@*yfwLMR+OV?1Zw>|$B5Md`a zz}BThFumr@^|M})!mQz4#kegAvIg!7OYjmc$!*Eq@{e5)-l*tW>2L+Wtuh9|Y%MY- z0r$(wDM4(>0l-Lw?IIzw%7_i!l0*n&>md66zC({M&hT6q9un&>&)kSXIjATQ$4~?$Idp=;=G4`H*MIgZ{t!SqAuePekEgf)toJ-hj zjW&2Dgfxleo=Lg$s4e3xcKYiiGxp5XYS4#WQu;k+%`v0HQbnIv6wFEUvk8IOFVfr3 zXBEg=E&8u;8BU>3&ueaY&S>~(LKGFbb7R4h_M>f!1oL&sREI0H%^W$PfaRZ$$R zh-J`;cP2w}shm9jjr-dTp}ZeWN5uhg5qgR2_~F+@3p(kVna8ub*b+NCiv62I*QRy5>jc5@hqyAAX$ax2QR(jaRauN^08 z%LEv#m;YatVzX1e!|}(?&%wM?BX2`C2Yl*7X1_&gm+MD`bC`N8&j0T6{C)cS!v6^+ zPqF#l$p7}`W9^=Z41J6VyT!%G7n}OuwqRLpF zxSbUPS~JOaIojV9b+|e7ubxLboPrCyikDGD+D_wKNfpMJ`1hy7IQ%kTren2nIDxFg%Rh;=?|HHMOZU`J~-8r3fo#plVVmgJw zcHbL(x&7d(3Px_XMrzA6Obfon-T=jkEsXZ5)i=q?=KJu`s2! z1S2IQ8xVz*Nu7?F=pgG>E7QDvSw4JJ7AamLowqG`#CRpswR${RsptQwg>rSKX2+}T zc(5HL>5;nmeE>0xogL_k+GBE9f@ri$!Jp|0(C69YUm-(KNc^!rzF&_$|N zA(A9m)z#lWRUmOG{7U6g7+Iv(;MKO4C-LN1R=UG5Gmpy*%|SfTaO;uIFWHjT{=WWj z20o5?_^muWW!`#aID|NT`az`gUK~j#QgXy^-O&znMOKmMq|s9Pf}X|IN4|8N^nka> z!?HgO9=}{AA(Q>PR@_Qa*8+EgGX)?HT=8CM(DKa>B-QD5%Ish|9r9JVYr96O)dW?l zS^U$9^2ko0yu?ZLuD|_{L$! 
zNP4bp)0*fKeUi80tmcdi`aY2oEPxS5EBg?JexC2SZ7s98YTwwYOF-x9Bi-7$qQ4Xe zPY|Tn>)xQNW=$!sTwiTmjzCx@idNJwTm;kPdT;1vDXutYmy|hHK76{W$hf#*8PwMm zqag7kjHM`}WtIH+g=ut*V4|(naXyDW+s$dKDhl1wKmus1^}g!uMIxf#gsx$7_N^Cj z_$uBl+ul!ql+}cncf&Uh#tE;(X*pf zJ2LeZG!bOp+=)dTt*b>SkhJ$NfSH|M!c)2{H~Gqa$V6T%6cf21>x2O+>~?&{3cC1s zvDvY9Hh${NAN+}YmMw6vVtuY6y=vLh3#i0maP*esscuG)K2aFWG{_^kZYIk4)_wDhkt4XnFXqK|)qa7^ zjnKRPkS+*oL2VTJM+5zXBU}li_$Rt9vbtV3$ro@T(LO=k-=EThy#(2|C5-UjZK;Gx z+OqHz3^c{ zx;p_lXN}tg%ebsDG*|2vFdGe%d9E%5bGNcg%!W@U7nXx)cFwK_d3Y7f>@ZfW(1=Ll zsH5P-`VEhfL1twtPhpZ%*<7{6R>9E%-Ad}ML&PCkz~rs(%V>&LHdI{hA6{~mL>ow` zyGVaa4oq3v3&|_H6kG&qf;aR(WF_lc+s{%Q{a78EkaOLVJE_O~INsBypr&AWIuTJR z7(@Bh;gF$^%KszFA-*uyIXEra4yk#Qp zYsX0w66I0nP0WYakLRk(UZn)HiQkQp%khI}Rp=AERrIti=p>}Sw2jD=O&Y$HZnas? zDb9QyYOnFBvScuxer5S;mYpZq-iq+XZ}^-Oi`b5?MFgav@;Z**#iBkqmoe8%PykY=#o_D0qviJpO(HlBSSP!3P$x3 zx8`olAdn>vnK@%ySydguMGK!7KI)rY8()5}($^hUUfV9I302hM%fxl*T}e7MOQcN1 zbuE=ommc;F-z5!U2PethewA0Ta{YW>$qd4c>sm{n8BmK_AD$V%lOI*SJ-AZy-}S0S zJe2hM#(3k-FQgpe1&A=Y<9N`&R`xBbxjR-qZmPcgEqhKBLj?bGA8ln=sS!WA@ zB-bnC0$iYR3g=rl;$6rOiaTdT<%Ge==Wq_VjBzv zPwyK^G>g|>7eTbPrb^45ALKTxRa<(nVJCFk$b+UTeARZ$3V+lMcJH1d3Cf)9zc~}u zk31bu-1ce3-{>p8p`acx>dzH;W#VYo3rCchd;@E#!U|)9h)+|`(GOi3_iPIRuj99U zT9UWbzp-!Cfz*6Q0ur`=U!BOJ&{YVpSQkUA`BZuv2qxk`|Gv~3ie>xXJ21JJha)VH?j%!^_&Cx zBtqt!eM!1YFXO(CHr|;m98a}|)_LxKWZZcisnULz$-;kIl5l!-7(`rMre8XY5@2iO z22l6fZDTr^2Fj|K#OCnS5PbG=LHt3%F89j&bGWavvA-Lkf2FUlzl& z!ull;oOiC{$sB>qr>FK(x4j9JWf$kCO%JD!ofi_g5cJX|!9F6$=eeCUqKQgvo*X|B z0L99j!^QpMqlrJhk^JZWwSc$qBQ2a|8@)lUs&ztW3P=K&Nv>9mYWlkWPKlI&%DhjD z#{7Tsp9YP1k8}$TleZ%~u!X?M>L|86-Z@<1N!0fvdV7T6=k)3;x`q3*zY9KE8*Z(2 za3h@f34@E!z$WLE^|4y|wp&($*NQapRAKn@{eFJj+m+_^3dP<1diBz|u%|b*`Du?u zW)_=x18p9U1tq#cx$Jyesi^!fCd9HDEWbUPF`)1oRv!M^uecM|pF15_yYgwR_F$*7W-00J?gjyAq`Md1ef0g~m;Jtlk6&fm$=1w^-0w z$i;u)B;2D{?^UjoPi$BqrX*8y_tKda9no*{oH#T`zlbTH{gDZ>C8cdyy714T8Tv>R z&m*$wX?;VulG0pHTF<3PeY(NxW|O3_*5hY-tE>;pU&^@*w{JtufYtz?M5`2dvLx zJ=<%q7u#yZNlc;=X+Cd}cVHmm^tQ9*;WIRF=J?QxyTrFz?qt|)o;i68pk%a`kWz2; 
zqJ$wN?Rwz3pBI;I7#&xDQumuPRsV)Cs~Ur@)KJRfx$f)U+_s*b6}^T(YtNw{ASY>u z3XGH|{lTNyb~>hh8eJ(wHKBdr^?6Y;v(eoLQQP^N&kh6P`VGP+4WKE69GWM&aOPV^ zi0!rDE9^s^5^g(PRcTYiYY7P1Exo0M5F>Zr-to4rDLkNv=!v^M)yyJ|z&DqDdAP~T zNF3~a3o^%_%iVF$X#WLz+>O6vv^nf%cyIL1MPD0MwPVN5(1xIZ@6Fop5rH>zUq9h3 zaB!*iKlIDd#d!RLNR}Rngnx5AkX>Q|qYJ15uLdb46fZJ4z_qOug$N-`RKoz4f)|P` zTiEx_e-Yu;5q!k(OzPO5xKNPFn(oec&uL7-cQ~u;<+qTnlKsFd8HXY`)<@`K%QhWm zfE;nQ(Te%b#u~os?%}gwdZOqj#FaZ#MKWBmy#;nrT4;PYYzE_G5mhW`ef5ugP<$kt zw2(AEx^obN=QYemgP%zQJ39dIZ^6JskYZ2loDA@$g72-{P z+)C@O44lOeY4^6g*#W;pnDn`_#JEnNyGL<+KxfBAI};?&NuZs_)0g_Ejbj&*=lX}8 z9z~zWodFb~j;eUXYd18CtqJus@LiGP`6Mm>#I28s@MWN23u2&{F)zn8qtp6z>1U@5 zh4@gNGLE7VcWzh5^Lkq`qrz4v>nc_X;M@ALTRKJyAq3addoNbT;p8H1%UO*P41xm0 z+L#cDLLawoCHr7B$vTx^bMoekcTX#-2e^)>t9T2Z8MbVHZE2XGkBw^H>|2XEtO02^ zeS6gu5@82~Qfq3;49zx|VOXuS5iI~-tv$2>#c}DG(P;^6?X6xw zrZiStI$nPM9G}h7TKdh+#IOdszaKdx2~Ks+)a0<}CNn#sqiVO{tx-ha_c z!%6gJlVm_=NaG8l_s?Sbp#cHC5}xiJ?W2PGNY$@*?JKxHiMfK^`RU6Vyil=WQM;FQP_sy3!-~8K&$msei%i#Sd8xBzs9~n zv?W=<`FHnxC|7;Y5)YffxG6v{_^PybSgFKL~lSj$xJ>lCTzgnr=Z!LjPA)kC&O-)`H_ayCeWoE{w*&M21 zVV-Td8iiYtu>Ep8mKOQzarH1>P}V!ehTD@GTnV|nQ=u(Jnr-)Wsrx9&;_329w;h5r z(GU&8aC@R8$?&@s<)hF;%MTu2GVDlOt$p^yDB`d<%G@x#J#xgYe4UVPgQk&z zzTDSPv$+pZUF;L9b!99?UEao557XZ8$f@0ocWtGT%M0r|S1DCeqAo_?&Me+`s_N&o z-f6FU`b%6+$e5bRd!cS3%^qrVFGc$NJ!mM;TTqkd?-@XZnhFmePMiYZKQLe@iUay` z>Ffccx^5RD^!&Rm?V9c-SqS+(0)Zbp*{Y`2y{aE1eo8%HD=TKu&xldifz2&bHp2TPwA{esau6kJg=-Q` zPRJ?p*LN$DdYF0VP=A}F=udiZ+(F~iyD%4_hkd`k#59sGt{GT+X-S7L`;2fUBI@`s>>3lX`A9y6e3 zVV9EPQshZGkd_swKtbAf-+AfOvn;i87{V#N8dScGQK{si6sib2rua70DLB23F8j`* z&U`-~Y@hlX$E{YPMHZTHo=Xp8rL4P2;)UeJ_a^EzsKy_oYscT z48G36T`d_KM1#}^ZoN#Ys+}?qf=z6qvHBZ0bKwqvp`fErz<$Jxwt3_v{A+_nlR%g@4;hJ!?#SI z#9m7yZ(P_#zi`N}IF~)1Py~QYJa1A-riN%FLWRhKOT>|=;Ws%W=|4N;SDV4_PCF!0 z?Xd{RgS}sShexMuqD!m0- z{}Yl9w|K=beAWs_wae4(KOyO|CCtL$C)cJ9Xqq>JO?;YqdR`0Z@;5-?^n32D0h z6+j;>K+{N>{+lM@WX1J7J~lfxPX=jH2N##(j%WX*fK>$KW@MuS}JBZeyH(etJ33;8`qYH0u7I zSbV9DL*VJ;X)^1Eo4IxerLtK8|JZlWIB!`$1<9)^;buU;@y 
zff8Q{nX-NO-py34QAjf~NWlsmz+}GRdhx&&L-5}>nnr_g+`^s}2b^Ike+@T$Q)!1% zPD$_{?9Qjl`H(X(&90cT*9_FuFkpbZ7#v8nd5ubfMayoMx853!&bv^ zv0pUabBRfulX$^m#!K3j*c+`j?uJRxm+vI`PIG87BM`h#LDQ0qdDOLQKYmt&@uRKvkTZBh51GoKh!=zYZgB%vpfi1u_L z1-YP!j=e{BVd4&v{H>$A+cw6c<@Zz@eDv6*wmXGkbDsrPL@! zCBhTm(*vQxJ{h&TrVRu>Cxz*o;6f8A^#x{MEJfzaV+C2x%{RyCH=^x(41LIgTme(I zOQhFrN)eozd?A1C2@h!j8M@J#h4hENwKC&H{x*ZbwrwWu0)u%ceNuwCjvCZ#t{65` zqw~KACvB2VglJt#lwYnd%Bnd6T@ovI`Bh~AaWxfUoTkC}B^yi1b}^gss>R=VjJ9}z zNm1V%bG0P<7S639HiFfaFp%Hr^Tskq;9DT=zbBA)xMuMFX%_IbmdU7{bIYO@ z+l}ukoX_jmhO+SZD~&QHGgOc#IEy&?15}A7vfAg(0!O!KXB}Es&H`>jm^psvy){PP zV*LT@^D9i^peLL7*ug1$fA+r+D-kl4Tq{kx{9xolj-2OjOiG>jmX#}+})Oi6NMYS zerRU@(9Kw~ISi}gSnguJ&9O%qU(f(i1=Dfq1gA&ZaYn2#?EJo;{=jib_kwNP%v_m3 zY(&XiC43H101#U3)G>IW7{O$_WkmSZyeZ%kO3}^#XKz2t^=9!(yWf}IiNK~(YUTIv|AMdA{ zzl?TEfITcm$CKGH%5x^6S#vs3>VPEEndMsY^`qx#B7TwA*XOlR`rs+?m5yozdQ!LQ z<-v}tv^-tVF7q|E3>TrI_0jbu-5Y2J^`t+-%^#YUG1M(wdYv}~p~rlsMpl~j9g;g~ zLS%^QduyM6WF0j^KQMXUD;~Gk8X^YWZGoMy_ssuu(o{$0t!Nk|k8syc;%js`+T9Q~ zz*|!@kkR&_S_#DuYv$sps$6hz9?j9yBr-ihx!z^_D!C?dJ{bvYzs^Q*qND8%W{&o_ zhrBQ05v>iwAWt`}AtCx;R${@akoJD|W;Rix$>0$Yvg6jA?0S_75 z3&i@a&w=|&^yv;Ldfr=@geq$+M1PQ(c;x|h51w^Oh7rk;vJ$r^2_y}no$igOtwK1$ zYX5%1^k=X)F28=28fJPZDViJJ@Q(Ob#d>(VF^X4hbAyE0z^7mXYx~!d!uQUMEZjwP z__rwC2XsAgvZBUD4o zuukJmH8PGWauE85>9v6Phn#iV;%4ghCohAmNv;OKrH?4hZ)oom$v_lxbL8i&TJ{jK z7IGQ48rW9WY7+OLMkVxD5cA|int*6SmyloXRsMM4?7TOs_ZOm1%6}Lj4fL zh4n#Yp2_V-g}h&6-||+>9@(F$R%(9`?$N_b`DH&XqqJtOju$U*IZA~-J#b}Zh?UUT z3~#-MZWZ&rk_ydE#l@w+v%z%nC3LE0CsToRZxAf|kz-bdmwRilQ zZfmY8`{=VPCW_$jBUnVK4JYyGH=j*wBj2dQ^5^lZJS>99MiL-QKGk!?<5=Rm+*%#{ zeVyAL`i;N<$cZ%xtJ$@BgvfQrG{jXQU9$qJWT6iDRTz11b#(Jnn2g!xXh)3xba7XsubgCk<(ETcv}F(L!x z9KOB2G@Q!kKG4E51g^sFnp+MrVOGMMi+Is0V*4b7XLE;g^BL~Fd!XHHa#FLK zPCsB!MRSm)kikAl&AN|{SZ)|GkCYCc@55%Z%qyfI>-V*0Z7s2mtGO}wVf;wroMrWV z6-5|jLxKvyCSm#LLwM*v32=p32`VZzy|{ip%g#v0hvk;@EPi3%&zc{?_mzbDDi}6q zI@3Iu!bK2(l17#6v%e_49K>fnR-Ypn6GKvA;g_EVmClqu@PnhfvC$y*L8+KySg(zo zx30h!SfFow)whSd`XQG#%*pH~gE-7-J#8sdc$!m854< 
zj@rrZ_}mDsO${;xdz4ZxSRo1b?}3eP{<)v0C+Rn^ z`+dtVkL8Q%b^Y1UQCO90ApadXsLOb&$&v(Tf8OXIw!-q|R?5rX2@1t^P18ZCoYW^I z6+_2VRV-D4I+HjEl}^;wASk?#evx09sHvxqOIP}uKNPLG7PZdX@=+s7cXh6rh7<8SZteSD(Kk=tN)F z1z+Z|68&KH9aUJ>*7v4y)qZitnfN+f!a*&Z?0RoRQ{lNq@8pv}L$KJVf^Eo+&BJ9& zRg!+u-oRv78VNKB2G|_$#4KhlEOF(S763lv4YVa0)9SypzDpp@)srU6MQcfMiMD08 z`ySf664qRlyDHTjSwBxaF?3w9(k@#(K-89&f&(Q?bXS&asstQ{83QS}15popDi<-9 zA-qOxM1weS-HIC`hD6)0PUwq`S%lF7NxT@9Q5%ku;|M8aSYmgp^`Jx3cL3@i))Pfk zDBNgWVk=DaY(rlokoX5wJ#YllQ<;~}ZPc)mL7E*Sj)^K{W=#~*IUPXCQomwb#!(iv zetsvrdR=&9+Cs}B6JTV!M0qcey&T@;C-)~Pk1)E903bj%Xqku&DJ^CY^-eGzvp%)a z$2XY+8}K}4jnr*R>>VIh_Z8g&ykI_%n-6B?5xaz^y96PY+n~Tc>fwh4EXpk`m!)n5 zeuKu$h+MSPZm7Ih1OBKwCCq}qs>UJ<&LrXytRk6)s?hUNPQ=bSiy1@-k@J$x?fv=_ za;TV~vm1T-FzX&?Lm}eqYu$o+7fJDknRD=$Y?$H-JlWPS(2*-GYjY5^8EjKEz(8Bq z*tF!V`GHICdL|epCYRZtY|eaqiL*+dc5fZINZFy$x{k+NL}9O=WHN-IWFiW7Ah$_J z#nA$siDbU_R|T>neOX$<6HDSptETB;ztL8PhC+~?0C>hyj9zciVJf3xCVH7tch}{= zo~0WGg3;Vjm5~;V`~|ZQY~nnHaRzx~?r`Dc=Mw!4 zX}c%vn>;FRb6Mba9NfGR9{L-n{V^XvY<#QD+iFJALhZS5=#?!4BhyS*d`Xja zDk*I$;OHDM)XvpAD_bebPpnxTX9!m>9=3a+`3FW+R8BCR^H5VWc2m}%k;MjL7)rAN zVoZnMDe`)3CSs}1JvDp3agH9Kta;Ve<~c;@S4Y)Q2C%lGsXu0?kb+(7 z6IY#Xm-_fkoA}7`Gg^L6TMapjwkSrozR6h2q4im}Gyk>Igsa%LH@7rt&@UB5RQ4eL zXwi7fmO6NU*oHoN^s>K7xCo^Zh;d-zvX?Tk-Qwlosm9u)!DvL;27V zS-Q<>1f|b3heCBT{L-i6&c~oR{N=jC;3bW~<03lwq(htmwBU3340!8v_fli~a-Ha> z`fZga_QmUZGm&lS$3bNt^_Nw)+;&eA_XgoTY!u!GNOLq+Vr*j7G2LcpWM|O<_1RZN ziS9#SIXS9gaR4Gw5mb8YSgE1gAsUqI(jrbXfONuQlGdQ%O016Vb1nMSvLkyBN@nDw zpo?23UL;><_W}kpr+$|8Lu{tW4hip=3xO@DT>`G|I}#kjctb+`{joWNy!ii8`fiqf zkQ4T$A?4}wi_m2>^D~6a%UXDclua97Xb0o0AmMXSa1U1$fp!+%Oz^<=5^Fno4ydqQ znMCJUI4|QJ{xPIA-UyZ(Cfl545xmI4Cz~Ox4RG!Gzal>8()Wh1x#T9TMlwT9Wy?;G z8aj$@DRS%lG6nSG`Q+XC{C@5BL?yoh*IrKRtaONlvAfLAPO^8jYy=xMRu{S=P42)? 
z1R1knG-iK22DzeC{cy;>j0T*Ff{k>ZtJ@C1Y{VV@;=!PJk$x^Br_eI8g>Uux&+YDg zCBgq(GOfn>zn{xzDGydc4uvAGs|wrZRWD#BM%vc*iIdc0;XteUd1R@&NR;<2n&Yx9 z`)cYua&yypE8z>0yhA9J4zKz;{s> z@515jmbkCam0R990Ji>?H#R0C{ibI~K%8jUw#Jp~3u7fe**FDsmXk-GaOk$yBTxUs zzE?Uizy{j=e814$4(y=1-vZzgEJExqi=hpaJSYhG281aez3=a|J1i71gDCScVKVR$ zxRgeLf$hdRY7qRK$Hc~qhtw(i@pKVW@hM6-RC>_4fo&1-oKDIlg@KPPWXi15GJjn}Uyeke=0Ba1TR8x6^uEoba%4|X6ku(8oJ_RvL?OF3@$_qu zV8!b}Pcv9^n%nVIDbaW3y-WFaF|Ih%a>4r~>87#siU>HrM!D8WVRlWmsPX>@=%%+g zi3EeYRRMR)SZIn*DpggOf(WhMfmHr)<$ju>xfIwQBZr4qzN)&{2xjwezi`uXc)1T* zZc&6N3HR2tE-!bQLzrq(c05=xS3a54xj4L^KWu_zyU_5?0A&M4Rlu;lr8qp&9{dKp zdq6m|XrnmcvX=VshYz78P1=Hu34!}J)e%9Vll%usJ^W<*_;tEwN>I6d?IOlJN6z2#o0dU7@Ji@G_Jf z=5TLAYao&h{b!}m!7_&#L>TE=bV{A`;(V#53zc#LHC^$?#Qg1dgZ?FMXv!Y^nuZbo z@g?-2McjJ+??_+lYCn95eSu5HG1{*orxC*zm*~3)B&o6Q0+H(_$V8+Q4K%j@YoGf0 zHJdrgrj)s`Tz}IfAk=jA$j`n`mFti=z{|XX%K%bti?K3IU{kSCBRTcWj-o?d^WS~FqAdTjC?!%|iyPe%dB{#FjI0Y=@#c$4UD`PRiZ$3Zm{T#b?z5-Dsg22f1%oleC zqaIO=0SL7wp6izbX<-txkKAy@rY_za3*!yVw7&~5zCHIfrR3K&M6PjFqmp!UHmamO zpq{UexB{gKGUmW>4}C0BeA!Tu-4$s&Mdfrib3lx#2mS5pJ9On5_FJ5fcQPBA2C0pi zZN_d9WiGEK9$*H2uzFW`pbw5F;$kVnp+UF{l4dqB&5=Y$z=zDBw69(emRg z3{3V?9HxVXk|XhKahz9SRFz()T<)|LY(?DMC6naV&vyZowor8U9Jvf1G=0PVh@!nI z2|s(-jNR7=%|XRp98RGuL5ZuD_(@6AuYg=nx*c}28^KQtGd6?L7K!fF1gm<5{qfh; z{AIQCzUFxNip8TrJK+zpAq{-VPt#1Ne?J>5VDKG^qv?aqN zdv5QvM=O16bsobIBDzzU{Zz3}Rk?izQ$dFTa{vA0zc2A+wGZ%fhH(qtjB#d36=wme zUp8urfXRc>$A_kE468NwPbPN{Kht;6i^j)rpY_~;>FZ8J3u}o%lihYmdW?;+Bozt~ z$JM+jt8+jBN=f`L%wU}0?JIAk9VmnONO78lBo?Yu@dZNf`H}4GSp`)|5A^UKo|nBj z3-=J>=mbDnoaEA#2P}OoCneRM7DHJjZQ(77kX%$Ej|e%@q3Cx``%T75e>t5=w%%;6 z5KUV&vyUOd4h_=$Cz_*|0(b=pSf(=g9t^wW()=CLDkMDP;0Ebe#M6xjfoA5Zibey5 zhU26kzhsX+ua4vQPAU)Kzh@6#Me<%;xUUwxT$~cL#6b^%Dc+Dd^RpOPgd5L1(6{^P zNcednq0O04{mYhIHBY_&8;DY4d4~4{d>3_w-ez^V>WX-T1PCOyUbOcP!b>K=R?I)J zq6UeHnIk3=9@eeIFo0j1f|5QL(|-TwxAQ?}EwoGi-JBLw-?kw2h!MGez6B3`F@0Bf zp)!oG{KgkwVZJgK(F|*(*gHdKH2p@ZB}4Xi`}O&Y` z>5lg5GFHFo1%KtuUPuLL;j^+Z?kCNV{zlPPCyHzn#G?_9Poop3wVVxt;>dLLxNvTE 
zST5=Uf4J(luUdmI4ns1g`splEUz-;cEEqPI0}%nbX(^w{BRQ}F1@j`TVK7pbEIr#> z$gD`S{#HnlR~%``!iDTcW*;`Y_C82yQ4>niuj6rEVT%`S->Ltjz zRm9($dAUQNm>a$hlPSWxsv$P`jWl}}NJ_J(bgo)3Ht6(G*F}nlpgp)R1KHh~^2>D+ z$cy|c*z#M6ZnmBe5E}O{!}omT-gc?~qEd0Lne4(Ul#XMvE&RMqY%EJ(;A|;EXIgqEKrCkcj*Kt}@_2C#$ zprc46QAP^3GfhC$1gWpJ7z-w@=?(fA9Yu@;4cQ>9P|5DX2mPtn7@0lxIh95Cojb_6 zK1+|U;`}r=hYvQHd7`>u_HChSui)zFn5JMrzQ6|zNL!>%d4UA#&TCyz!~cAl55m{pUe%WsaLltt7Bt-| zwi@awEdZCHgd~z>5Fp>w=UC1AtlTp!KjkkdE`*Fd>=LysaQHF3?lvIM>{jF6g(m21 z@dzbX^{#FLAh_S;g%X6O(Y@2RP5rHATF>bNZwZ)B15lEf7L*;Z>1vmlIa{pMEYY&^ zBCIMj3b3br2^DzKNWO(J+j{S1q801#bF(x)zoqi+E&%Er#rRL(l8Ec)8Nc!hya z*F?Za-rIa^=cSg41UMvOGkU0h*y{QyWT;n-9E=cCW+!_H3@k-+00qdkUvD?J+9Oc? z9CYNZ;o_39t>AmjZ)eBChnYXs4i&WX>cv7g*jLe^8QP|yp}NMgrx-CMfCO5fS`hYH zo~qT=-%u8mJ{VJ?rU2P@nbsN+K-j9GlhZ6n8%BEF3aco6Jr03Ke@mTUQ-r0xOBSGs zA}oi;QRpN_`}W%g8ZA^R9yzxdHZDhfv^)NfjcvL1eq~GlGy?-|akE`$;XI7r2hnSr z3IhwFZ$XsoZQ$d(TI;`-rkbNpN#w25pw=wlg8U>`1lVh-S0T4%>vx}p8)%TIuz(C} z1IFa;_j8D!->cmny|+QZBRoG4n+w*j)r2Y4Qi5Fx^3)wstXiiKUxd<(QO!c{V{&lX z{wuP+364VM1XH7d0NK?+;9h|_S^~qkSn)zTjTU|oS$OO4h!BB* z^4~#^suAHzu>L9)wBKtwC1?pePL0#`aw~;h!<6dN&zj=cc*OxrHIw9Yl;yK2mK+~2 z<}``7^MjNPp2gTSwHv_DiHnV#Q_;4X$B8-NbRsc5?++8Z{z5%Zk`zug@6{EufKhW% zX32Lg$G1|r>bP-(P=1^#WL{OiYJila^%Pxu32E_LTwR?heo=Aj8)cK85R?HN47^dF z=)#sVZoUlGl3W*MV>a>BiEmpLqD=sRJ&6kwf{Gjr_|7{6vy}4z^4oZ0;o;>xD zliIZk)?3%SvPj{^{O9|@6^-Z6a||ZMqC$!D8NFEEKQzk@wegiua+WRL6K)N+ZHl=yMz`Sp7yOQ#=+NaP=ui~1K`7_!XKQyzQlC$n|)<%qU+q{?O zbmraT&JHKu^=eEWHhZfqJImNR>FzfO&iQoC%h3ykg6uBw`bj-GpYNnRCB4|hL*mEh zTK`yptVW*X3rtmN6Bj~RWX|OhWw>yn(HEuQSSUNx0hAsF7>CSVEiSk(w*zp#KBwCCgTx79Y0oN7Xd+! 
z*)){o9+56x#FtIlvzku`*zj7fV(gLZSIndxRM1-D@V)4ra{z=*LC%jGP(9ug2P>-Ce!?@3@&X3kzlM@ARfv{}}f5`4VO9-s9a% z(&ql=NKNYk{O_GPc=IpYKHo&$Luv9w77%Z3GLkJKbV9za^LJqzb7oe1*5ZLIXn+Pu zJ^oa8jpIPhSY;BIU=$Dky4!=mIel^&m;1c!AA-4z2R*uxk;^&6eQiXsHBA`Jr3p_w-E8~xh82I zMyTXMI!aO`CZHoQsfiyafeNXL)|E=OSr&n6R#h4O;xPQY-a0vZ$N&?rI+(>(9VEIX}^#Q z{0YB#>B@BasRBgL)cj#&eI&X@B3CBP)|JYg(tFq2v)PL5?HPznUb@qyI=V?!#?h4% z5TJ4@w*85Iy%dJu=a(7WJZADk-N2-n zXYez(1ZxkKY2}Gpz!lpBmoYAawtGg#+G5|A`6NJI);cDsIz~~?LPh* zL)>0yHW0;jV`|SOHM&{AsUyu{NLbOipKyPa2o_FHbb3( zH3(j#X(lX0g|oYA1t%cVlYA7*QWcu!ynD6yNh7QDX;$+X`nv9k=IWgRugc~6uM%Zj zeQZKvI;>>+XLI!mJ~I8q*2kf!a$8P*Ppw*6hBM% zbd%o=RwG~0GNDlWnC#D30a*zDR5*gGXYaOXnHCk`x}5Q-m=yg}BxrB7P^kswAQY>9 zlt0nHdot4;nHz!sLAv1~`W)O<``7@H zU!aWn$KV5eUFHMxFAWGCe;+GDoulw&M9)c(t0J{pax-^;?w+wwA^Brk@|myC zgq%3O`B+Vu8KcgpON(8MNWztm;mIuryaKv%! zT2#i|ey;@^T=S4=Q?buXODT@@ zxkF1gP8;68nO+WrrY7q({wF<_|=<<27E z7-88r)L_T41Tl_BiT!Uvc>Dx89h9W=d3yOWkYaG-M>GcX!}`m)cAawaew)Baet1MO z@+6-8))`lCwKCBM9+BZ{(}R%n|K2|aN%Qes z@2!|Qp5L3ciKLvWJ9Gl6B_Fv@;O~}wnF_$0#k4jX#)y8f>?kZaN)x!26YO<-WNJKQ zrn%8Y=FtGjy+|0!+Q=-H6vWerIh)w2jcs~(AhEyur8GRe1n*`v<6n39IiaV4+VC;Q zg`ST&r^e*M|2b*Fup9w_!=9KjC(HywUrxqsW1qN287hZe!4>UXjUk1eeB7^>c_*v` zbMzLTOTLZN?!9H1$mc~_tm0|hzhj+n>UR*OjRn&wKO{|+ui+8aKD%3Grr~-XBk?$CJjrs zB#*(}5!^PwMSoX$sWP;d3W8YA00@bYwYu9>&a>PT_OE#Z1WY(=Gi&pv!9pJ%)fSAg z=_KDY0Jbn>QC z{Q7GiK{Du$l?9zd7HipuDsy{%|BQTm+-2hCFUQV~eEJ#~W;7oKojaB$^}DX#ZXu?? zs$?gyi$HS(t0D*JY^BR@*Tt6v?ea3=jdeH?Z!>_gLR>$0aqa#5hG|=%WFSSMyuuCv z=cb5^Fjc+Wrw(gY*4*VXVUk=n)evH)i()v(3tva0pR|}3qtvv}j6ZX*;w&E9ol3V( z7)&uIK&hUqpO@1qPt<$%VyWp)I40}1d0Iv<7%s%GdoTuTthYpv)%o!f&I5)sr{Uly zK9`b`%x=-+%zN|oS0(Z*gINB5fx!hL%(j~xh{gOE{epsWa3Yra!`+YH77CIT3NN9T zilvB9>o~btrAI1jT{$A7u!$8TB4@j)Y~hO0v2@ZBNV5n`Nm1 zu??HhfK;j>Kere>l3sG7pVtuBZv0H~RnibGKh|*TRR~Hw`u@%uiCUe1TedFo02`mE zRleg5k3~!Nr)sM`y7ztpXuOsghbRYC%dgffc_=dxxk z(SR)K9N@S%tXp6on=>4}X;fo<0Fiy}t35$;v->T+1s4PU+9@Z1RdwdCba0eiaDk`^ z&kk@qXKu`QA|QTmGue#NJA)(d7abKcYteiOmB3I$M%m(ij7J{1Ve&7nG}Cl@;ID?) 
zE&6@O_{ew5^p5ri34ksAO#+?bzIOn19w-gfTntlL z7JZGNx=qhb&1)Vl+JLScf;cF2FwnwmC!lDtxtNN;4Sz!V6tOctck~Bb%J#DcF-8Eg zUn=KPaB-{V!j(9F?B`-U7z%+r73aS1pL#D4rYHOBU??GfRr$I(?v~?Sw`=O@u5GR= z6x#Mg^l|Nx(Z;v3Mbog2Hx^{N_Iy=K@z9)@tbs)^nm>WxU)+$oqCrWnAi+$>Q$z1= z^die_;ab{0d#rlfm)$qVs_$Jcuqv_oOkT3pZWBB+yfX9{VtTOT{4l2FqtYXll{u-uFn;wE%$|aOpH|bVd3%eOr0lPY zzB3W|K$uNdmnottX?0bBv}bO>$riK{IPg5F*RfPw8lZ)=x}bio0t)E8IX`Owekc+Q zp7!Esd>L99J**7E_~7I3yQ*l-!sU^WyXNA9Qaf8GHTrmMX)3fcGnW~yO!Khmoeue% z+{AoS3@3jPkgf?O2bx4F6UPkiOcZ;SMac}0qc25vA_|7;<&I7O%Oo8tG3@GeV2<#CG>l2fzN6`e|QS1cf#Zo z#@?bB3V*}52SQl4Fg~t^H-9QXXwq5-gk3_a7FQi#xqPf%Yb~mF!x~Zp3I6zx2%60BJ>Mo4L+gz_IZ&=@I_~iJHvmgAvNb!+iQN zHbEPWxh|tgZ3T~T{bLi4Y_c05%DgsK(3TWYoS#VZP?gQVS{*GXgG26skHa&wXe-Xk zCFx5RK1lJ#k)OVkvgVyQK4U5Quy&_IG!%gN!@cbA6F00r9(}%gpet`C*0mz2 z-qt1+OIW+*3)g1_jW-;);~E>VPRykba$BwExlEAUe(dGzJ9l9)984Y5LfVeepMX!q ze;_+AF!~hjCvfxj(gV_g6H*e2G-HEzRQUS?0I{C;ukRYjBHmOpu=L({e? z7=Fz-y%~_IpmtmM8UW}~!%NEs;gnd=7?-u+poPoRlA6kRi95T{B1eq(dl?bX=M zH+-Gf+De==Yb5W_2v_+zw61}tZFb*(FB{W2f2h1_Q+h5Ik%Z4tZ@e?1zmZRFoEcJ6 zT)`VbJm=ACQ5cKAXli=r{P&T?!OZBGxaOWPhsiL3|NQbNz+k6{LE5eFqDoquJQ-F3 zHK?1pV$LtZsBB{6z#jAO5*$G;rQ{Ya^<>p~nyj=uh9crDOn>eqg&88e3At{Uc@9#zviwb}Ey!kBl%s{ZP>KA0&;F$T60{JCFND5g{A z&*`+V8;(Z<*4nNY%EZm-P#Tu4=z?3_=C9Xl6y|HY+*V=>W;{Oh z5l*pl+%*9?CcbF>{C)(VQv)ni_fOC2cnN4EV)CI9a&%;~1wP^Z^%FuSAI_Mu4Or!B z5^miOL5p^bea68 z(5S6Y@JhcFwoI4EXGvyf0X_YraTOeb9?k`^@Sh5#;fDq0&A)&XDqIX&s2a3e2ES`r zE`}Q;!bqc!b@Xu-4qoRist?^DDu6Dk6-Z^lBif6;sf zL=EOSy?C;Ra!Bh**`gxdK^@hRdf9YC(ba*S9f6#TK$%ArwUE8yL3@bnY+6~7#D5fC zqM!w$uIH>UHVKhfQa4m?sWBSX$L72UDG;kk(-}Rsgs-lv#7VNR*UrI)4#(?7oKN{` zjJ1?#MAkTW!Lb82-GnH?WGkjlCNuvS+DM6P=MME0F%w?iuK4|;-Vp9z?(753?FYSy z9W-|!d$A{(Y?lgCvPT!WjMl+W$Bx@@4~E=+U`FG|v%l0^NZ|hlH+A~+UH@r`jr9(^nzs45(--hL=06i!prR|@YJ;xj9 zB>z-f#n5oHCLVF>lgg1Vf0FZsSjS6`Qfc@+4Om$UEH3d< zJj${FSywO(s__V37MHt#8|(#?zY;OV&x*D+A1ernoI&8F#H{^hFerQRsAX~cK3tYT zBIH#R#dRV7{-wC7Am#D?DQ18ch(<1CcV)+`Nfhu$QL8VKeSC^YIJ{nzs&oerXOC$w zK&;f;gJX@~KY|Zq_(g-&9uOKL#Ji0Z0~pRAzp^z!(RWjDT?-tG`ya;q8yGW#=A}3- 
zcuwGb<+pOU%KXj+OC{=PC zpOJ^;6TWWSSM|X7ojrH%SedIaWD6X=Xi~R>_#u)yPP*VRh5!{?ILzxQCCmLLbeccG zTaKaD(skVW_vVHQeRPbD2xy$eue1|@UfZci7S0xpi+RSdS_Q9&J&{26Ti*RdSzg&N*SB4`?Mr!VG!H!{{ zK9Z{rrh_ONxtw=iycM{=hB_yQjZ3Kg@^-nIRYr@rh|*z;|Hffri>x788m$ z-HfF}avj@N3x1*<4u)d$J`0-uLSaNU=O~cw0d-bFs2B`XK`}L zmjV7*Td!=X-w+a`7|P(inK+{TSu$PI!*bf2?oE4A-ehzuDu*zi7l)l21yKY4Y`FSA zqOLk1>ZS>+h)5$ym(q<$N=i3^ba!{h5u(y5E!{}x(IMSk2S+y?M>iaNr+)hW|AU>~ znR)h^*g0e{`kDWd{JB5;2^uK!jWDYIcVh$cFUcS3XWFK^!sOCFylmEekh$liozPoY&4ZIy?fKu-6YL}01 zQfd8}DsizEPt&9$*x|8&g~fACtc+H^c=7oYpY~C;jka)xYS%Q4*X_cH){SB&uw1p% z=elc86yS-zU8gc%oZr{h1a;Xm#~Av~#E}X9bAg`>xXdHwOXoN?o0-%$AXRHsC(4}ZBLv7)a4>NT31$gls%>&v?N)Jd%;eLgAMVq1)dM# zjeeeuVZTNdDc$1sl7>qZsraU`?>Od^;tVnCEiSV%MJ?Zk+H3jCJ;cKZWjz`o2^5!; zG1O#d)>y(!8MQ|3c&cPh4J8gZ>7b0t`j`JQ>k%21_wPfY%POJpzR?vz+3!EoE2ns* zK1Ummw>rf};4We|>uW5$YXI$?p7j%R7wJ0W%p)H1NHt(KTU}@$G}jQ^<;+>4%d59w zS(5X&ejj&EZ2Vv}+MZE7^gI6?|3M%ALsl0gC1A9zKqfGn@s76)a%yttch9HhTf#4B z!h`q?_CO?!Mu8!)q`_X(<$tyS@A03j^HZMV{?+6EN-op;eK_RWKx5E&qR?`xv&T=E8^b50WJtY+2LNVb)Mb=sbUi*OC&v+O;pZ!)cw-= zeDhBsn%+(&=B)Vp6a4Zh_&ai8V%Z&|{>%t!RElyF%iTb^w6Bte(KPX}tM1-z$bS;O zL^y8rQ$FT}OOy|nNKQB$;w+l`!FO4DK8I2rQ!1*&Mf<^ zx;PAucNOKDUBcrr{>bfDht`s>+r4=Pb}QRV4mqFm>+pQY@9-R$@7408wK1HN_9uvndBRzyewmyR=1|+LHj=`EhXCZ?pY(qzaqo#_ z8e|2kU=NU3K|jd$6Iz?8&rMIJ*_?59J^#~ZS{gDw+5p6^|89)THD|SxaV%%cRWUkj zUn2Mhh-!FwP%QInPf&FSh*v|-A zyqi3oji;sqPHiX}->6#EuMLxt+(Ig%wkb0IrFz8ConG9fY*8rAuna@9_TMj~^Qpf; zFf8m0f@P3Q52}?3ctJ&32eI@G+La+Fl2*qb_l2vQzQlgHFi_(-5uS4s$muEsO|D=+ zk6rD53@^*cadC_P33A`g?Z14ClleZD=UN>o2`=uMRB~xw9dJb?)hCtbNbT8ja^{P2ALOl5Nty3#&c0aYQR$Y}+-Q z+&Ec|Mh1#oJi)(HzEl|R(rFj^P4n`Qo3{$1P>+2?g2|u#8g*dOIw~ANj?xoGXDGt* zHk&R+)^~YHtiLzl>Yt6Sbt1fO^;3Q=XbO$-L6QlMx?y8`BdXOHYFAKEY;qO;%4MwP zc%(+CYI_N_8^3hvvG^svgQg(7Ekb_;cl%FUL|gMWo`=RVx_i~4yKNJ#BW6mgJmrjz zEE5CJ!y}?yA5}^%t9wVngtF&P!xml{2`9xdp?7{&H6;NEC)1L}`0cD$x%{I7s|Ef{ zi*1EWX;l&jepu^{PT9{G{J!QI0vlI;KmLnuGg+d2;>!3W7L#f{NMU3+uX0pJH9ppH zz=HINBnyHvXKI0qZl^wkkHw~QoE2^P{q 
z`>{S$M#paP8e`bF+LFu#2dnQI0cqMV693ZugaPVL9_c{!n4;UKg>g?3bk8x@2G|)1 z^k6D$&$o*{0sXD}LMrRA!SA`Es5#p7HYCzVjqw8bP5p^c6I6VEVk>zXDtb5)f{Lqd z>bLO!RX6$FGOy3=i>~uZzJ2&$#D7qj$l$wKbfdCn^|F84X->&IfeZvQ<#rTa+7$aq zNpSK2o;+T~SuS$g(4CKyStEx+UPp!$`xM@0kvNxa;s1^ad1=b7IirW!kh2W-yHEV- zbrK3H_P2b8t~yYYAbFbqbu<6QT~gJjGrN788|3sy)un(lC$F9OPYG`@wFA! z^|rxm(n+X~`=e*@muH%ty7rGDTYT3^ahPpomY;Z$O1Rd-^n!#!BAg}+MP8aH-N(Qz zE<2A&Bz>jiGmbh9%5E@!Nu++0#b$FXilBMtfTkHa`y~!POuWm)qRBv5FPBOF%h&i; z4Tp>ZVO)^t{3HCGe=|oy$T6OJwaX)V#c@txh8)+EVuAr3br`$P{$0xTz)!o`QGFbZ(06Bz&27_m~MQsN2=)KNqV& zNYimpP9rgmaM6Hkt76Kwk6Pb%!=ko~HO+3{zzR0!dN@~1yJ3FM7&P-_fvSR;y+B|< z-@Ozw2clLcaT~<27FPc(vKf)dlsT!`_s^smz2HP=bO%+f_dg~kC@=Ij zO5cRXJ3z4i^B@Z|_%5r+^wrLIkyr0+Ol1C2F%PeI%IuARZp^L|EetE}=!S=f_`GOZ zn)6le_N^nacAv@OQMR4i$#Ka3bHw_e5zXpT=G!vhKfHW&joKK2{8CdS9~aLO8@HkN zQR8)I3FBnnbV!)Xx>xf#zeVP>XItkq`^~;jM`2`B z_2-&V4$kKeg!rBrV$FQ&JpsS#$Srt>2&5}S#h=DB;*l>szBdg;3@ZSmYjcFiqPiw$W@K~#(%UMr0-p*DP!Q4@Xpy?;3d&CG2LN9!# z>f%NduUg#suA<6y{rvXgPfOX!+Qnz(ZWff6irvj(+8oit7n=L7nMzS>GYWC#T6pI8+^#Z8B3n%7~*1~Fpi#jzK;34SynI~)2H!Hr(TXlxAXlK|0N~h zndB$Nl7I1D*B2y|;+1?9MtHnOCWoAter#a0<39g5!;>pAThn1_5=8|V>9a7ah^A?K z<3t!y^ck}Ds}H+{Py_w4bK`cyUgf;#i;H^)6`VT4HTUWyCy6B>qp0)fgKR?ed!va5bjJ z!_`=gEgEzacwlJtb+E#FvjRT7W)WjRphH0gz#s3a5>IVtUE~?#=!PKwrAH6FBNuO8 z@XOQP2$*KX6&;I2_5r%RFZR&%>#W~T-D$gBr5=}wqC6-4xN_^O==s=%;!_fj1L399 zhzKi23my9B?hZXu>YuJs|G8o=0_jHwWm0T7Bcr93CPnrvTcFZ=ThOLUXWdJUiq%eUi)418Nrz*?!A%b7--y{iDrd%wZgz zEY_5_p2=KaC>Vkf^j+M~m)rpO%Q%OLJ(FA0y6qMqZLo_#MK9!Jm*G9(ZEvOTODlJ6 zeqk-~TP-~jY&z;*+ho4@huq~Ubx(g8ELmJ%9_aCl&v7jGip4kMh$Dic00O7&;Iwd0 zgP4lD!!3?NZG>L`B9Hh@UMq$o+Aqi+TFUR6X7Z>DmRY8lNDp`|I`b@sxjRx?ZSwSB z95LPQF|)WqvooY2Q5*K3=G~Ht-w^Bj4b4`+H0!B|D0d8)Bd97dDdLb`<1o>CP8^i3 z(|`0Me2!vU>03{O)a2O6Y<&mX-`g(YnwNxbs3V18h|U`Sh!Z~Ns5L*(x4c-$f)*2h z*``}>TM*>_nkFn=MruoyWL$}30Mkp>Q6txHz_v4PxWBBsyD4P7i4@Ub3Q4%$l}Eke z_dp@W#d(6-dZ0g(oj~A7`EGvLtK-;D?T+baouR4Jg%Eb`@OlU$Tk4kPB5xO>^?wF5 zgV3(!q1;XcH=sHixB<;Y^Jc46p{aY5QI7i1AKsp4#gqgW!UGqs| 
zJ8yJ=q0lHp(oqvM3K7*I4El$Z_q>Wd0o+g-`BR%1sV8CS+H`pRI!N~Pl@q0UPn&0|=<-S&b#t%@57P+<9Y%Ey-9CNI z67=7oE_brN)sB>bRXXd$gjbpSF4GA63O<_GY^vKQ-|z>Fxpfye$`(H5xVN~$96ujV z!!rFvtS^T7N*k{}zTZa$FBUm&d{}Pv*>2{Ta0LSLuiqC076x`su76gCQQX>P1A%1| zujMBj%~^6B*y4wh+16xXiih1RIG?_JsF(LfKu=u%w*0dFmGh>@pI}zl%!OwbSI-r> z>wxzBnXgfPAp2cf{F>wB9flCuZ4vyLXTaAj*1a3qs#llzOjy1h_2FC^ygRIx1@twRiAH*fE(_&vw1!DX#p^v2k5jw`o#J}Mulp{3t&-v&2+gP z25>{sNAjfFe_cGOGCN<_PvWwVd??RaigD+gt@0C6wD&x(qrJ;UzGYnH^I;wEh;HAa zpQ}FaT-_5tDG0LU=xEpz|1&SamYad7_p*EY=2d8Ct_F#6GQkf7FokwZy~JB8j+m_A z(99n)TVaYZ+E~vjsOj<5E9tWP&T+^nwMptF{+p%IXPfyA&A#Xxd|H*9ok{?Ze7{*j zm2)!nxeLN{N(z)RDD%f4@#oYVOMuc*rhim0l-NBWjgBg>XN3aND8BK1&Wu%WJ3v^t*b2+1Kj z?|wf{Qniyccrz})1X9`V+(}A4FWE%x0QZV?6Rw<{s-w!+UL&EU0i9~eB z4L9UNX6Oj6SBtv~4N0;uGkE!%@1Lv<--f0CdmRLwQYAwj z>@yaQqhexSMd>oP@MtZd9zwZ&t(s!(eGe6+u^gY;w0v$b`JMJKE1J zO}ai67Ms2CuW_V6xW*htdi!*R_B57m7ux#X;|Xi0?2UzJu~lyL z9~9l>qHfzh>!aL8VwsA@_AmsUv2_v(AuAiNs?c9LF8|=AgK4c;6S+mwvYpsj`F?em zbO!!j|HjXgZ`Q2NmPz*k*XNyO!GKg3-@C#xddb8Wy-HH^i{H!Mxe9*5pOdkcZKAey zk4Yx?dld8O)xkN6Rey4FVGYzA=Lzsa_7f^Ao}Ee^bPp2sQ>nb7FAV3n;} z7wS7bFwjqcpui1-(O7xgfy)+1k+X(^#pb4_W#3D&21tvqur3s-3njq6LnUQm4|`m- zJgWKjI&j##0fG4&-*F7VEt$DWNc~b&|OYvGo09zMc z&zO;+N_n|lq{C2R3OaVf+0dtQr>H2NAVL|WT+>sh-q$J`D~)=-UxZd!{I;f^L0ulIDqLa2AE)ZEPG^uh%X#Y2 z-=bPoM2z|C&#<%6a!7JMi+z#&x>^L^MDfH-aw$qV^oHE?{4&w}rr)6H1HW07cMERs%tAXY8i%glcs*x1ym*57~ z={UXbVydF{k1;AW|B8nYPh{4ARGdt0TdKS2Q_J~yVzPE{9+`cU@#Vag>;z_%nJV$4 zOPGU)3bi+w8mj(zs(a9cXfwmx;jJ~`Y`OieQa{0{4>x0+*C(^1i9C*_pt@8J`gG%m z{FC>`pjC_8Dw{8-Ef|s@AY44tC{&C3V;>8h?Kgc>U(CXiHSvdbV%LEtfGG=IYk%*PcA-f>cE`&8<~EB0Y>S zie4%pTX*l}v1!o`d!4RmMqfKKPf4aM&sQ2Pu@m;;N3B-&+v{deE=U2EL{42G-*#!4 z;ytrt%qLI2#fxZK*F6*a$%Zk;UHgSPK;r)v^<&u(Tg#byVHw zB9-@en(0B8jTEB$p=gIr;zfal+pjMe1M%97hC6AV?*;d34Ge9sDG~4~4U3GTn=+ef z%6#`FGisv{Bb0b2ff({^RJ604z*n^`yA)V_N?3P|Yn%9eCN-*xZXhT>rns)CHph{- zgbOU7+%M)Cx3mgM_&~sn&c2={gl6GGAXgNpZ5}sJP{Hs7Xg_a0lmHW$R5lCeSQyGshv&c^n7diefg z#*{6=VMn=Db2S_@8kwOwGSWJRt?ab;K1+t+CL17~J1Z32Ygp&$NqulnMBihk&k6D2 
z4o_hvgI4&C`@1iVJ8Ld&|3p1>U1=}NLs?`PBpAfLT_1UIj6D%iEEsG4@{N#21CyJ; zhzYfe=5rqs_4f%NawMfdrAQ^=Y=0(nKbvPK{4L+ynU9XJ%7JC@k9!FElBl#OJJUhb@s3vA^pW5cu5Z3)$ZHbu+c{@oj=| zeMwS%JGg^tna&Is-LU!jE0{-bOmj%(R$Bu3L4|O`B`2=8$`Y9}?lejai!DMS>NQNg z1riJkXf6#E&lSi+VaE&b!>zIH?vRsH=>w29Bxwiym zG5Xq9^{t?r(blyR?yS<=GOPJB97B83zvdYAxKkV7N7X*96v+57sg`DmyDiFhm6h1a z`EJS!cs)_3y~q9uMz-DJ#qu1z*7Su${FP`5mMBfebMRitGAof$4glS?LK%L4SfLW{ zQP}(lV+w3E*sqbqWb?d;=3k>Sl-{S2BLh%;5IF8gDx)JX6#cjM{982FadpnAIjtrM z?F1U8`Nj@;^>X#Mp58AJ=H8pY(2e zBaD`y{k?g)Fq=V#kBTRDa&nr`m=}Nhgu(~5P(_m1J}LVSeU(J6LckGXq0?$(Z6$W5@)&mA^HQ- z`DR=2+;&EHoXXu{ioN9K;p|zVu3)(&`P4LIdT;oq!e`EADV6gM3Ld|LUYq+Aw>|6G z>?0xVjV#J?GOZ91&E=9$j) z4l?NM#=o3}IUP~~!TEbl8MZt4Na#fkr;)i#aq>h}9;pX46zuNdtyrzBuY98prMs&C##civ#tGbA7it70Ctk!0} z6$6~B(3?Vm zY4M#{ck>!4WzbR$W$FfKK(S9_@4NkGc;#Son5mHQ;J;sz3pn#^mJp7~si)L~oj1bX^@eiYN(`^ft$pP4}2ZoXgSwnpPvh8)su z?fELh1E<;SRQxL}t+uJI|60$F_BRo6>bW0ze#=K0*2Z3vbAd%m!)?VTB>e=B);I&$ z^lj5@qbL_rE)H5o{tLCK=zivBs__3ZQ}(SIo_|iYji*K`=xF0l6B{0GG%ele+DKM( z;p4^ZG0EiD(Hx&qN;x@j#qRip>P7tfRN)n|Z>o5Zrw=4)E*D{wb^7Dqu`+zlHDoTahV@T zxjqIQYncpvI0Itlks|BR({6oi)3(&tqvu=QeYvMRp#uAqz%lmb0(IVQE`JpO`}~`- zS`pkLQtso2Gx-W{BAYnTK0PIk8cfzjkHs*Ar#M}u?RCQ|^s)YL+z9BzzU@23H;8bO zlVd20gNLrainpLUPjXk(@kvlGo_KnFw2rb*{#$|ndFi{7NTPELCe)rVztt)dsU{`f zJ7I;^O{6{TCpXz6^R!HkTvMB;pzdqil9wATe=F+{i27tEz`zA_=J zl|j68h|nzIpS=EyxHp{P0dUmAn}?%b8yxj+fI0&4L3C|W;E1>vi6}&6tb50mgASY- zGcez5Ws#;`H%1)3@DlJ#(_y^^cPX=mvV}Ac-w)e2E#(_}F6Et={}&=C@?cncGilJ`kMD)fjwfb(PUi1yW9uk*Gdu*g@MQs^kNqKBua;ci(bsJ zVS+>MIiI=>CrWSPeDbV58ne}o3db478LLEFWU_S%;`^!Irj`P&IouL`MwTAuct!H7 z=FZ77j*zeUVX(f%Z#uNOH1dwSRk_VecI7iUuv)K)6jlFuGtHH>UMA3DVKHbM)YG`D zKtYsO6zatuBioYkY<))$Z9{*)Qx@!~e()7HP1FAN7zk-0S&DELPrn>4HyU8}y(k2K z0buDXr6iQ4h@M(sHdKoO!QOV}JMwLLqeo1~+c1SCci8-h%k+WJ+=uV=zFH5jdD|s* z-?gS)djM(*?z1Y*msI3_z_g zC2`!yMgG6*Ba62SLC5N@%BVbHn6P zTC%453eV{^s>Xp737RzG@D3A4i!0D_WaK)!AvJAU)J%43!SUWWf^?Vvw(yh?Wg8KSmt&a`1>)&&ET&g_x}QcmfItTLdLu{J`d` 
zwc$2W-fW3v{>>3pLrAsR+-$n>dJ|adMg}6P-R#iom;qC&FApS*YE_7#=JJn$&I6{wa+2YRFBog9G&(-=amDcqt z#Ktd7(B!%BpnK78XIeOi%gfBzV;Ak{0kHQ~;BhHK$3-pyIMygkp#K~~6&KVKq(CXb zvy4jUUKBcQSWVPxiYq24)olR4{tHG7Z}+8-)q%9XD42KxO?0S@1gS>z`PvKrmA;Ky zrz)i$T+)wI&17g`Hf*Vvx6vha=KUiJ5Yf-SE%pZ}C>M)bB?XfnKH%1pq6bo8lfmO6B8roKb**`PSDFW2AW+90-YI37!)Ylx$f#eo> zdI(#Cgsw3G?pcDCcU6QhcCc^5O7uUACtlu!8T`6>r>QUS>BV*@)>y4R$CqH$7?tU? zALYC;3xTLJIdssW6jiJuOMwmiUi^Q1Bd*^G?z1+Ua;-MH|@HU+A87J`PNpxPc&Od zY1>!6baqb;{jjG+)i@HcsPw8}*bH{<(bAo-3wZjZQ;i5R8}^pFzlDbAw=d=e$a5fb zjZ@*_$iKTto_9AsW}%CKt}8YZNf@CJA^8#{N~@OgH=3D#mgo3Ka0cIuQ|V8O8N&&V z+-74sl4u!dz;%xW}u?jl`jJXo;3HhzJz`#hx{pk1_(^tSn~1nXlHcs~#JEuXPX zk#gLqAcE6DvF6gt#-ISMWL)M85EaNcR)e2QA=*JNq^_IiOl>G}5WiBp6y%}Pa2!he zf?T;xUUvEoz1DuE|DQBLO<*t0brBgc90_MqYJtvku~to5S}QfKXErHGnk!ZF(>}-U z*V?syL|cG){^*m`3)dg$_jYEClS&Ld6Wo|=5!N?uWwVBX8ef|*QpM2g=B z|LCvPM^~@TNtd1M-&NUQI^NZTn`>m<)_}G!OMnvSvdO(f_jZ%A)C~On`_}7;#r(Kh zJCVA3x;m$Qm#pf=okf=$C9>6g-<)abq>oN(q!%?8tmSbhf^M8dwG3=vQg%^mY=Bz{ zHzucNxjB*>!}Lyk(LGMiC6UtSYC@-l9(Q6^lSt)|@8y&=c&Cp2ML!9-TYJ-zXlqs~ zUL*Yl_IAR+)C~sF5%kYZ%gM%2BJ5OX&4B+3hAruix_NE$OtRj)LU$jZ3fczp5`l^1 zS9K=kQC-<6e%}D)g}6#B3l!=?e29$kt(x|xX&q&$tG(*9@6V4FiwhHaOx%zH&)q1+kTMVwRM2pECN)BEJwEKf+_+Nb*#v9{WLm zT)Y>1|G@w6UAGh1MB6a1==^2u@bX%tDe$Y^DN-7;&zb2&jTID^^zIenqKeagTzrTY zuD6D4wnP z%x!Vxn-~qWmiofw{;jZ`%W~>2Kj>#H&22SG#AEfo)6KD&Q|KNdnftU|H6*6BX*?w( z|L`PA1$sG`DZ4$;IC>tt0J-tkmF3Jn3t$#NQM#$p@G6?eHP%tCu81RCXbk^Ou;^{s z?d&<}A^ZqK;X_5=R<(1To zNG{p~r<9o`YPQY5^Pke)ifj}Udu`K`VYJ3RoAM3zSIct+5gvt4WjY1PwA*ZDnr3?u zni8zU=+RSLUS`LcF+Pc#(o;DNz1E{2c2*tEwG2AWb%7~{n>s#;3zX;m%PW<&_yxba zY-EsUaacFG<;^uoFb;by<__A0W`&c^`?NbLf+KwIuefVBwC@X3G`ZSN?sHq*wB|7N z^pm~n$W2T(c4=;*-B~tcw8{n-;HR-&7af4y0KRyuGc7HGmf0O(&9fcX421H?bs7Z? 
zs2KGrrRV4TL4=;pA0ZwSQ^L|SvmeoMCOZCFj8^39(&A=rZYhWzeq@WalvV;{tLglQ zmGuGvt)TbS@nSB3JQm1M$GdyHxn9k`5j=xhGoo?p;Q8K)we17v7;nytJffYj@!*dU z-T0j;j_cy8okZL(l!bcfHFptNig~t8Ow^pq@h7ilAqme0?r{W7+5&v3LKJN)x5*-L=ZW_Rn7NxMT=^5BwM3*b&qD&8zU!rPN*>b76lH&jX&QLl&zjiJ^;_8;4$gop3VB3I^I!6DBj})-a*V~inh}ur(T@7Eqztjwj5z5PG#g4)p&g*o zK2q5t!;gTmn$Lf-ix*Es0a0wF8em*zjt@qlD>-o=qeHxjw9UpLp4f72VQs(Nk3`dU zZT68+7NlDbkAYM2WckSh1U2(V$nQ?j9U}II*l@(@%PSW)mf;ycR|@Fcvvpy{@Aj6(+Yer=i}wnx--A051IS|CeZ} zh={O#!iT%(58?xr01we>%(Jkd=t(s)ZEzx^8pM7+?ZnW1BWKQj^mfZ(WuoR<_P$yr zl_Sn(Ee8semPpB% zswTri40+5*$a0{M(3#apRrB2tInv`W2(JPEu?ShBsY>Zj0%RyH!T-}0&)>X#dPQ&> z0$eOc^hiPK_F9~~xeQAfRiw+ArbnE&vy4eD1v5?&o0%{0M`XZKD9FDH+WKhCs){;n z8$u9U{DAyI-n_wnbe`w#G?=Ds`94~AW0yuS7Tb^M?cNvz1 z&s|p1(U+sj)MMcJD4*D4XftF`myFX@L`z<^bK}>Se~L{WPrG_3SJ)2lt((+^p4e6Y z)F^MdcrjK!q3?@AuzrG2l`K|SCW!$;5QTQo7ObK8v)o8AnogH-c+V{iMzJU4gOQ6JGoDcZqdEu5M5vP(R zElDX;gcqxT<&~$e{^Hb=O3!QkZ5(bHPcf;WLTYqS7UnY@i;4FC16+d&X=m;_e_yV# z^<`*k12a_Np1Un=WY_RP#IS#=;Q06bLvTe;F@gy3ti z>s-5&1Cry}qlAZkT0_CdH|+^J!UL0=P}WwA3mVNf)*s^lU1>POl8BS2WbAJ*qv~Cg zDe^wmgK$Os9iMq?Ef`1o1IjrhqQjr>BY@m8M z>7|XV&rMY3thPam)|~dU zp5WQt50FmBHew&0dunc?J=#ZLUG=_|bGwmFS$Z!oZ_Ny$M;jB44=gO)Vf~|e`xw2& z>3GW#OF9Hcl53^SmP*#wD;Cc_!8B@vHTC+^05FYTG-rza*=;4seygAf`Z%x-lE(4-Z_b#SVN}c)KstUsjRM7Dztm8BIPobHF*8L=69b5ML_+r5gf( z!h!!Tx~fh_8O$pTwUlZQWTu^pgEMZ{dXP+$;*x~~Y z#vB)!jPtC?PaI7Y6hAKvltwqad@1(35=HcOL3!lMf-+o3<6{vA^k7#UwuJqVcXsAY zLUl5P;Qp!ar!a3%dx8t?FWDrMO~)Itsp*gb>JLyIT{SMYTAzuVP7DUHz??)Cz(?gb zt3#=b8fX_}=v~Vx65!SpmmV6Bv0DxwOg?^ZmdtpZ4!PA^nZhU)+0Xfx!3YS98t{yc z8h~$?p?O@^v`N8x3v`{eOr0NCIPFzzp6yNP9s;CQ^YxlL@^Kdgx;PQ!H8Q;0J9e7_ zOv*yQ->wP|^na0xH|AY>^nb_;8{!}G0?s0_339S=`_bs;vn;QnEMYXV)3esXv4(+~ z%0MUEcC3!!+1hNCq(W3HD*Pv1#nFke$=`=zYJEwRx484QO80VBlv~4pF$o?79C0yD zwSK+WG~Ha)DZ2M^=bcT_PYANldtG^5TKJ6B1DxV41|l?t>8&iB>Y2ZUN8~T^#P`FU zD%b}qd2&AUl*n*9YAC;ZecGU0&4WT*E29>9cvMtIbaWq>rt~+SvKV)ec!%jEF*n~L z5yqXIT{0V?1{qd@myh;1rcJrkh6@&VXd6P3O;6gop2!2{{TG~I_*z0B9TP~btyt5n z&eLCeFMOU7MqDAIoeTlJpq-H1NjZJFig;j>y3oiVBi8_i- 
zoelmz9TWJ@aTj+OtMuG6d-AM%(#IjwyQ|EpJc}^k?wvo#b zRnDasH~U=+c+PtEn_Ehon~C-T590tlG4f>~(wDRbf@L=$4*ZP!53Ou?Qt&dOqXE*X znhUm?OM%r4paKTH1MvAh2ep3W30{K8{AS`CQM%G7N+)&oG4+Fxi9&w0ru3w-K<{oN z?jHn~u%2&06|=Jp&037|jP#oyigzDK72{rsc|)*sWQ` zLpe0is!uXw^e!Aw7UD}cf*|SdhDj%lZ1k#pWfjLSlM{bI9i6!GX^co*wr%gHcH9mK1%pVOuHDnsiD8ebKc!|h_< zIfCIVztLp31k01~2$W>_0n9NUgYm7ugPSgS)8KiCh+xUbVuzd*WQf0zcro`lIp66! zjx4@7(D}(mH9VUMDuZ=J0}= z(?-Lo(y$*$kib8xKV95q7!SFwB55AuQQ zg>Qj(IgM&&Km6{m>fFri@4-eV+*(zj2jkl(HZd);55FT7X}nuMo&5(#=6mw;i)6=r zz)*yUr%9*|Cn=wk`pAH5OwYE0Xu5GJ5e;=1ObF{wZD!`^p&s+(0R$JTiu=aTW|lep z33L+vw2YCDet!{vv9xg!cymy=8_!HrW}g7DYUA5i>zx!naYFiFP3pzRds0w^Bc}az z*IBs~OgWY=)y9i-i+;XkDCgaJAs1Eyvy;C-I%9?C)h72;Hj&*HF24uqLTGD zhIRx_$7|Xlb9Ni$1ltN9%bIf)p76$R8nOP%&3SP(OC5Y^mimRyrxAKoU{@$s$r9nR zPg0H79cX`3`fI_dz-E@zZEFvj(Dkd<{FkcYsK-)s2V8t?UF3~EmkT`e_rnzhE@D?+ zj0LNEu?n$gUOpa6wrxtZOcP6J_)VEM%lYyTmyMafEQ=0ij2{=Kt60{JxOuCp(rtv2 zuCicwFN3xhLfhlK^t4RhX|&wOO90f(LigA6&g|}c;|fq;G~xU$WzdMOD17Lf|>H(UNnsp``)kX3%1^B3Wi<`pDN79-JYc#V`Iie>1x&<9!s{~ zM~t{NT@qCpl*2bLZY-J*hOSxG9gT|=vCga4F`$J9W9h{RQ(yZaJyz0TwhxGqotace zkIn84WcouK#Ow*G7LW+5;5(qaAx77%h1{T@BTU=Kd-@osY9Fhmu`ir$ht{66>*+Sm z*AWLyMg5TM6l%l-ERiZm5>M`RVlaWxbrqLe@R;DuHF&42+6hX{IOR>BJ9TDa*%-5nYCx+c+n65o37v(opc|wvArn@0iDz~f$K?hN z-Ot#-+-50i%hp(5e&rN6BGHXlxPlw-zG(a`?sC^n^o*c{%^My3$|!MZpXDy*r#QJ0cczTXphZA$_8sdiF9I)a)^oZtuT5c=vxmU-UKa61Pqxhz zCUrmufHHujpsCRDkoem~o@%g<$_y)F(UBfG?(bU~PDnlmf6VHZRPC)4ic}{HTaXF| z_~KSmF}-tMuY_C)zjeEdR(pM+^nXO%(FsUj%{d|4$f*KaD`x@q-v`t}^a>RZv{Ze2 z-Ke+wB3#D6;{|16Ro((|pJ7$Sjp%EOj~}1d)}+y$)?R4??J=esV>Qhi?|KJsDg^gV zn@5YL3g@a6>4iuxO}ZQBRw74KEMYOx3@rd=`Cp{?E5mEA@)ubH&SHgcH5=qfD(ON^ z1)SQD2DN7Jpz5Y1J|U0=$;Eq1p^W&7?jDv#O0m!CR(P$J@Hh&s18i<~P^A*h;qd zfoEM1#W7Q|ZQN}=UB7lel;bgSiF<-xB8~$h=qk13l!T$(@++lDI?1NKq(R|LSyvxa z9l1}`olFycefd|cS8AOvHwF4$!WouT<@!X@4<$2e(9VMU?+;3 zl+!63w&jvuLGWH^Fj?wjzy0QpRvmJ-9ku#=(G~fk)sXPg<+Vfr%%bU*Vv3$!q4g4h zK&ldHz^#}oUM>oi_O)BO`+GGCEY&b12rymfV(?4@S?YgvM0w-b7+6GYtxe9zh z+Y5aa+r#!3(a?$fqC=mTI3S_)GfXrrETa 
zx2~Jx2P~!`O1?Ir4-n|`CZ9>&)U{LGq347isLdg?4Ypt>E2MGuHSJw3%e+Jd0Q&BC z5b&cypttjaWYlO>iRKZF`ipL=NmtGNkjkO3G{+S$`FPz#n zsSz56jZ`4@diB16I|$;h40!NIg4z`i(C2kcCLUKpUWJW%Cb=HLSmI%VZN1@*rG!e_ zy4tHV7CcOChrco?CK=AFrECURQ z!%JstzwPT0qy3^ndF(b{jw{f6szC;K^)8}y7@Dexj9W+|jyhx=30?9UiPBJUP7RNr zTm*mbOBXYcK{L{v!7s3{CQf@(3z=V}-jmDQa+s$oEy`*JtAB|>EFevVI^A;KG+$Gr z^BLQ4o5ilR+!Mg-LXSp_P57sc(Kz?8av01;g0> z0=d-qQLhK)NiUq}*cE>*qlGsqOH$rLc4@t(227F<)a&-pRAa(0=0^6=q{blF ztk^~Te<@*m;skv%?BUg9Sm~m5o+*?(Isw{vw(HpmuG%-USEAu}3qomQ6qT^eDLuomw@xE4>lNgZ+^p&bToto|CZ`wEafGYIwr2qc~N zTDS3|x~j7Jw1B@b6L){7XQucl6%JcdBYJdR!?}bMyXyMv5 z$NL}?4^J5k#FvDxRT7+a;K~xQDeK0YPE56fQ160g2rqK~ZZwm3lVU@A9T!&7?-iNukA*63+n!biM&)ztzt`##6aOZct{ z&5F7F=J2k`o?h>v0S1Sjh(kx(eCI;Ji`IWfA=P;cKZ@I5M(g^9qkWJPDwtup#+B_TD_6%J1tRZl;8UlrfnSLPEwkdL)OIB@}_Mh2(6ysIv3d&Nt}JuQNB7sN+Pqt-F{ZNU$Q_M24!mL*js>IaJh2zoQx#Imo7DVB#I-6RLT28MO;xJ{Nk)|;$a?=DZgJAp{~)$q?5!^unzNv^ssZBnk2&@_Q%4a16p_NoGmd&)dOooJ?YP86NX@{}9L5Poy&PQC%xA+I0V6!ZF6}c2yT< zfAY3VM&t=_mOsmG*LGRNuX`}zWJ9;*o3{^`AjuIkohJi^?iUO2DpIsd6Rwi`o`)Lm zO!8;41`_6gU!Vgf`8;1so3`%sqqZ@;&tvKemxi$vSmaf0eR()59rc)F5ABB#GOPiMv{lSNH6JWL)bYt|s^ z+xoHURjB8!RtNFg!ACUs4kYm`8D~R|>zwJ(D^O3nX{<*Dv-)Y1O?pdt=EyPp>=6Jt zrTEUR!$H02d^uQm45cAYmXAy}FQ}xA;8+TfKd6EZPdjLuNrk696LWU$on#>%jY()| z>sz3VO=@1JySQ|G<&8CFqju>QxKZmm=6jwRWu?v#)BI^Hz}RBgJJl@CvqR^C0_BPj z$kVSGuCn~J^9m%FfFe&4rz z^24daZyZf1mEB`p3C!l??98J-SQ*Re;shfpSx&}&*TliY>=8(reLk6aoFVi6!}@!Y zVkR=DeTwmbcSsZ8eNnArOYW^Rd|a0J+sW8N|181J5_CSF++Kq7u3Ih+bf<50=i)3@ z=qJ6FUQVJ&deae*N|e)a7BxS&W}RcXB}Eyv^zQkRU!<%v&HP=0p^+7#rzh46dA6(z z(9rWt8~QChqZ@D!n^$N)mV0ImS#ZYwdsKaswH_tFbd&2x!E@Md_}Doy>9eA4#Me0k zp30q$ymcw}f@92iK6vYZg@P!-d9Ey)Ul&@;dtzNWk zY_W*iFmOEYr=`Jg(yg|A<#hE;!Jh-$*_OK(VgB2BWi z_ha}2W!pr4`}%3lo`%hri{p2X1S*+E+=(OhmEzAQ%a$^k$(t_+lU3eIrIZ9divq~!m|e2MASu%9(hh(JMR)#HNx*p7dPQQ#x(37z}M7_p~MEW3+oFh z@X&teO96#QuJv4|UTh+5nrFz#tfX~KzB8CC%ft-pR3^pc%x;gDBR+J%BcKpz38hY* zI&!_dmr9)ZM|ZN=wtR%eWJ04VsJxS~<``)-`Sc4y_oE$mJt7%~cMug~+YFbR*wb}ie 
zNLx=%o1MO}*q9$Od){(*OS<{){izx{)4Tq){+B$CCUkbcKDL9>Dz2W~>_xp707_Nv z@$7YWaJ2Vohi)nn`sU~utbhzP(=dHj^?i4(K2$C8&P*N$rdGIAWtVUW7I7pXn(@(5 znO6%soHCWgumF>4CWM{=u~MGA*h!fma;k^(Id+D8QLds17;+OhND^+(UB`l%$t%PH@V8O};i9quhBF3(Mqq_u#M5 zX5t3O&t41&1xD-T8edgsrvZ#AWPX8YzDEdI#3}Sx&Z(HE?rj{DS$Z zbK|M0G36rX`y#z+ZCFIAa)?()uRkyX@ky>IsG+x{-zvqvYFz62 zVLQQ}WB;LE^lrfA6xFaxcAj$;J*jEeV-xc(l;zh5=N?26YGd5x{q)e3n^Ylv)0c>o*M!LkJWq4$PE7{CNgdEm##40T zJF6A=EX(2WlzseGzFTil@F1VMUqI~YvR8&NiLh^pcxT43!lM;CmmN=JF)>!AzyCHU zA=gAhA9VWbSay`ST*ud-(CnlNx%Kl#xVp-}_GU@1tBVgjRTs~MV>0s{!Byf|~yV+ab)M`+r&u}B6Yz+o1 z0p&NX&VDvewIYMf7W=<0Nu*z?4ZAgmaCJYnF8;<6=5(vkvaxO9!HOk~;ikrhJA&_> zgPP6R6+VW*4v0ulUeo*xeoRUnxW$EhZaIV z>4-NHc2cg%uf^nIedDd{r}&kK8#&m2!E&@WL#o<3#2ePwX>h$k(FY7s2u^8M-dm=M z)TrYg6m?iqnVy_VvqVy6mL{xQz!V0T(jaB(` z5UM+CAK`KN2#QEIimc{^)Hh368N{7773R(l`*q;a(rX4Kkor0^ZoDqslDjOGO;j-Z z2V^EQwp*B0>}*X_>={0Hp@0Rk5rqhwQ*4Np5${%q4%Op>^!^`YAHTX`x3!bSUwl-t zMkrXjrf1r9WsZyjl0V5j-r3)>RrcJ9f(3zEo!h9J9v>&!%I0w^GYfXfQBg*uDNfif z!m;0LX2sUnp}7kCC&w^Z`>;QX|CFp%-m2qELmzSb#}33nrYb5q1eOUF3QJz!jSF=l zzm`rb&Q1P-r<=ginPyeeQUj#Tkmx%~*hR$%g9fOueus#Xsl4VV;-R@va_zD{+dD0e zhRp`{u_O$|T>+Tu9d&rlkBH**4d(_gmr2=YKGCW_eXsFuXH43+F0VubpOPCt3CtU= zq3`f04$JY88M0U35J~bZ8d;QLkjNG0x>j3Y`GF^~S3n>@{LzMVVacfH;zD|qUw!A@ zfRAy`xSW_t^CMV>Qzu)C_$CL&W%1v>mCkU@UGY^Qw{3avQ=;{_>GvOjhrWK*0}9^n z=$)Rus|JXwz)fmm*43zLS#Z64(bjc6{LZ@!+m2VsuEsSP70=6xC0^O#P^hY+3gYbD z>rQC{kH602Lgp<9?{6%%WH=Mpb#+@DA))h|=Ikuj1acFrit0DmWTuxQvl6r-46Vdv zDG3#_-b<5qT6}u7k>(oS?{z^(4|gXwvEm5iYf{FO3+n*>84COla}?6__r~8$Ezw0 zBoA+8uQ*v?cJba)Z|x(!v`mlUh9T4PVvA4&JTK*stb%E(iId#Cq1owI!+ z`15^W@7df=mO$?>QU?kLgg%)rJ-M8iI;QG8(RUcO6slhJu}i2ud;XPR>2Sv_hTPfA z=4v}K5>NY#mJ`chT}8>&E7EO5*b~Sl+e)cgH=GpqRfa!&PM>ZpNtzKKPRJTy124uV zGyhdr#pvYvQR?S{b=9oJ^*$hTC-LkmW6oc4tW1ex9;EiP9j580=({S~nzrg;w?gBX zPnpJLmY21JdeS>>+k-*Zq~dBMHq`7=KtqE4BW}qUjk?Y9kl_UP*u1M2iLT1(Er7tU zd!5@Kd@_r}Dl`MC|FnEEI9L9pQ66sehfQDM2zV#X7kU$ z1kwD|gX{BG4R}i3UT7{LjVstPBHfF9DO=^L1u0-8*0<_cNNq7bXVisy^Z>#Dvb{j-S_$pl;zzh)1EijRZ>wI6}|Z%h~wM%`H&;mHM}j)R{= 
z?|nCX7j7QQ1n1Tr?KznuuvTb2v5hPWU^9^eGT}Da&RBWde>ouyhq9l{N z{=nX@uM45X?H+k4ORwxzMrL3~4;frbLb0hPbU)IAj^kV_=`uU&3~W`@5k;C`GRya4 zeh^ummQ4H6^_;R*6^#VBl9J0;B^_eVTT$0<9a7@Y>^ZTsdPI;ui2QNu0U1!gG%Sj? z1tE+2?+Ny#EyE8Zqp|tOOv)_pQ(j&)M%2pYWF_Y!?7|wXQM_J|m5TWuM|vMoH%~LG z`{k&fsH1m+U?|7zxFsx}wrPPU+N)Ka9AGH zpRk>_gOYu4iK9g=W(($rn%L&8wgGpUu5+HF>q)OKU+HQ`{YW{ZPBRysTcMmdRQu@@ zYaugjm)Xb^-+A=7;4jDrPdpE?r+UTicvfFPTyAb2;P>m9Bvnq_)VMPa~l8aSwaXGdbq4$ z%xr^M&ry2Ht5$vTq$RQi&@rHl@r z@2#gwTEg{9EEvRk^psH(ADE)LHkZE^U`fPSigjeN-LtQ)FKrN}(yU~)C?H;37j9FX zsk-%*E_krzp^+;TB|J3##v}68RW6>MQi6aiw$iR~%uOcaBz)1jQ#SrA(hLSE+E&!c zr}O63wN!*N=5obin!KyJ$A2ZfZn%l^n->#-gg4U7^7;*x4CfD8bE9g0Coij6Hk;6$ zX$?!7bRB~sSBg%bZMV9z6%xMmE;_8MQ#fMr%1g=xm~ce;{U`oeJoU@RyN8`JginE& z)L$^!-KpxPCRQVttC#ycJkPoiP5Xe3Rquhrq=$Nz@UK+9kQ6Uz^%fqZ8WdQpjRJv- zDi;wKOe>gL0>tey;OBcwkJz)8uiq|$hjK*`yGKbgOt=;}+lNhx@nx?H(ZmwSeM7o9 zXAr?mToBSP5w#SYygkde$++<1O%|+f)VI-`aO7N{^;xhSR_|R=Wc8o1mBS?4t<}<3 zynr9bh*GG}{XDG7v0%`cDc5{Wcd;&eavoA=G&T z=&C!fz;Jtq9Wu(c{X?^?T-B{b4BJ#>Vz``AO)P9mqiMGGNr&H8?;Ks}WLG+wD0_5b za8}tbSMiW;C9mGvx&pY0r{5?g+dVav4LVc2p(|>okme2chJNAZbM3wyruucDT#LX#L$s|j2poba3pS_V9lG%$>4kef`a zj%jMTX>|L;*7yYV{MS=FCSOm8`h;7EMXP_%m}?x<{1gjIbJI}PS0r*I$8qnUiCKX^ zH@0l*JvKyVr_fW16X`jVr?_1TRp%$4hb8L>&=r*UN zv7x!OSxba_nenRI20WCvZV+m+(vE_y$UxT(+Q>_lAD!g@E)k+TQ&GuGSKW0Y94NPz zH&#Tb`X?jfW3bMlm56Ddt91ybm~;_jx$ivq_jJr- z00BfO0*Fvo%Dx{kfI(aQtJx{Mp*7=EK3vW=r1~(bml@eIu66A1W@Hy&Ssc0(9vbH^ z#UBrb%XgLvc_2(M{ji z5%AK8guWY0tm#T-Q**D^($%tC@dcE^3{Mon$LI3 zd@Z~zA4jCaLTko|q1~~pX~|9N_J>tXJ|b{Gf-|q$?y}cqkDe=66#Xh(GtM0~Y8)AV zKs=Pyw@4CHp{T&4SU27%#tz;)hy-35&u zv59&)ycQiL-f9{;uXs;`D>T;O}n_DdCNG)^RJFJ4bS0cVBK)Fd)uc9Gm#JWva-MD zdbOxAeK1m%<7`>0^x4g4xP`At?V%%xAF)3=HK5UpW58v1T?Dow`3;m%ly*ocaLr7& zq-zMX82Ax8N1dH|B*9F{&>t90Z&umY9@=AIKax{vTlH|FI!qqelK*6*5^>BqYG>j* zlQQr~f^zr~;4R|GAbJLvZB;|h+%kk)Y%ZPSO$IkgRzg(PA|l_U``#dAO_|{#UIu71IM5r&Q86OV75r2pDm26y|fwBCsv-q&Jtd)rIaliN{EvZ81F5Hr{S{^5 zH*CN1u#USzPUegK8m2}CB`{1%aF}p1lq_&Zi=nHtmL1-277o#UbPcJQ+F 
z9{7(TnHeYBv=NmmIP4Lm(@KRr-jTgv?c00>{pHCtp*6Uv`}XYO)=eFz?W3Uk=+0Ug zm5;&woKLAtqajZ{=S+yR-WuypI}FhVkNb0-w7c_b(2xphV9?aypv%Z80BkMJUyGHX zW-l~+P?Dk9&Q+8nbj@S}rW8Ec9EOyL0oxhc-$O3qo1@JPt znT+CY{v>65v!0=|(^)-ZdwP9)+Tro4b4F*O5veQS^L>#gF;5grRo@ToR0^&%j-{@+#n+004 z7Iy6_>Jk&Lp|FJm%)DsaxLYZd^wAKf9QOLf6e=7R_g8$nUFHPzJZyG2OiyXZ)<(P0 zg$*<%zFA7sNdmJ4avM*DhHqAN$Lpi2-vT)g18^5Q5aPOK+Q6MuSykl<%2H?PG#R~H zB?41FtjZ5wr?ZX(evif5N9v~KjCiKUPLLa3k*;Pq8oIeq)$MLHv2?3;=^~K6ry#^S z#uC;y9=P6+8_eS}B$%;g zh@fky#q#PmlCw=`$G_R$B#AJBs9Dsc^q##pUpX>rjGCu?2_b~!xc6t^H`>RS3Hnhz zqjD?SY+umeD|=NM$l;Sxn&zKuGewh1YX{Ay6?ur3eUBz zPef?Ok)#>Tit4NxsO?ChL1~So~Zdytnn6xrp=L~4(s&&t%$aC_dt8%96mC*aZ2qYxWAmmnw*wqTa3~t zEqj6Vs!-&^^?WQu)yK4Agu6-*FI+qjzox6hr(7P-X*jj)VtDu_@YI`g=dF+^p#s6l zw?Wc06Do#TEn#7Vc}WeALxdeK>sD6EH|cq_-4NGs9`qAy8dRtl&cW;b@$-S9&cf=P zroqH@u}R#iIQL<*%b5)}dA-lo zRF{;7K`L^(@#|}6WIiWPB)MCh+mGnf!|>~4k)qUmH%%79OVY>1>I)pyHuw(9*T5CQS@heFAWVk>qYOPr0Nb_lpNsYSf$ znqD|rB#hH<^?|3bhZ~t+z7QVVwJu2BspS+MD`Sh7SQzY7acPWyCVk_*8%is8zFolu z`s#Ld?}O6Rf{q4J$y*cQ>Ca@LK}5@5KPq4?N|bJW5Nn6RF_=tRtoQJ0-0cAX&pq^Nx0gY%8-s@gA2M7+)v61HEu~~>O31e#<-hMxjCmXwvuab>>rO}fXqWBA<)`92F1Dl=Ho;dZu zQ3Nx%Pqcv;gBQ;5R=>!6`YPRRw=@B@=Z_Lm5o~JJD}dcUlZU5gNKLiy>TA)yEyv;+ zML7aT&$F-rm%fF3Nsf^hUp&+Ty5hzM{GYA}dRh9^Dixx8{j-sO%jtL?QJg@zppRz; zi87wb7oP!5_6^P5zHQ#~+nrY4%Z2m%{MLlLyyLe=b|>O6?>#(2+H(QR(D33OS3I(- z{@ioH_tmNA)Rn+r%p+VvM*4>2QPCcIJOO+TDgegjeFpf8dG{ptyXVo59s+&rLD_Iy z0T>a0qRZg>121}tZuj+j_yE8~Z7Tpl{(m=Cl=_P24Zfl8Q>S+-59;gL9C$!2y4PP* zfkFy^Ld@v4ANGv)`No;eadoe(?-?+QzvKz{Hcklp=XK*-*g;c)0XZCJq}bl*Uav3; zZaEUK0K^Q?_aM+W7-isJ%+p(-1^cuDh;1vtAO zo`Z4E&pY(a2+?f&a1Ym;n!uPfGz5G6IX^pM3jneMfS-5CVpD_9-3Va=#JS?Rv+E9e z*5N?UQUZYID)^qJ2L56mEyGx_PwOe*bBqEE9r=##&~Ylz=b$i%KLbYY92olB*Qo)T z_gug~(6bc>d6xe`f`JP5c^1>lzA(Tj*cS$1U;DxUqhMbc9BAxMf`RV&nb?5g4f^m; z1Ot2gMKJDc4#B;$e2Zf(YycSnKkkI``&Te}F#p)^*@Fm%>17|mFbeh& z4Aa+Mf?*Ww4}$}Z-6k05p5F+D@!>Ag{6jFX$6o}a0SLBlt@$ItL=N;U!GQ$ZrxmmS zqhKGwJP!(kZG!pjAsF_71p9Ij!7d$0Fi^oh&tiJnM=*?neFOvh+7|{G1^Wngps_y* 
zwr2$cefTGWfj#~r7*{q2`(D{U6D;r`&k`QEg6-3aAsDD&AHgaQ3 z(7#{7Xb<%4$%6>CUn@v3jDmdxdvZ`1Y!gg;55bNd=-C5nu(Jme3{o3EN$6sk_A8+(#w{3j=<#f|=uEO#JlJ2P^ky_dTILrd<*Am!5t#$P!b*_qW z@FuWDT6>I;+`pBhBPqat2Wc)g(t{sYF=H$_MHFNEF{-^R*LK?kO)&dNo)kF`RugB}1S`gSV z|2muAsZha#%pYzB%^#-%%|G^S$9!DCeCBTlnNMZ|nlE?jS0Q&dp53Zl$#_~xQlDS>iA(~sBaxraW#+wc zmMK3lhQ;Rs?O*KgSHKg~KH81V<nV%2Dd$Q;CXH<-jW|qt z!SWQ)5yjLj(y7f(Y(iV?1=r&sZNl!;`H#~&`T!k^*LQ@SA0xGWEW0A}_ZinuWQQ>X z1`I++>;+~Jmc7#$OLjS>8)Jxh;u^OXg?KNf4*pLO+xG8a08{+Tosc^PgyA0WodEi5dv6DZEco+Fe+R=J zF;EfMv=@edUu+u&>|HS2-VX!Vv=@f|6tQg>2zJ5X|0ftgPwl{v1b=?^?_k&?2EqU~ z?Sc{gg?LbcQEV`17QH0_QLS* zi*3VjdKU}^`(Xf^_QLR=BDM{~gd)h0-kTmIKnHl2kBbvI7>9-q)tLmuAFTAfVo-;?d`_D{)@#cserpA>=F-5w;yPwXEo z*u!4p9H4G{6yOK{q^+&E`w`Popo|;uc<>h% zmiF)Y{tk=j1F$%N72|mOu>gD6i^T!zwy^*|_zeq+{aDx^gvEZ&+8jWO*8lVBwy^;F z`3;Nxr2UD-FJAOS+OfW&7+)y6$KCPU)X3Pj5iP}iYB9ox0qn_l4i;;`Q*y=43M0K);TKurhgz*Lgg3%EP@UgZBi|0vAd z0jeuND^PKQI<|{CW8gQ0Y0ZD19RcH|t%26}K=B9a*v|h;OTaNvh@C zZWx~Y0S3@hJ1{f?FzgQVKe1tt7zTy|*zoU*ZNmT-%m1X~jQi6LOw(RA{D+8b!%)8) z2Jb(?@EaRgkiiOn$A&#(APivBUN-#uV%so)#qvKeB<)`tFim@4_)ihrhT+O?7(D&} z1L&z8HX!%a#6X&aG~fg>rhFhrl=vsB$JEKcXNUh=)#=|B>|mL^w}Jsn-(4ALCT4?S zU+T4cf&fGAFLx96mCoR`k^>6%?Oh$Py5FuitlHF|G<%BEKg~;+f^~Pshp8j??h}CZ z@1DVeJ?tgULFzCY0GJQ{xe5Xn+00qs9_?^V^DnV*BUCOS``;BuW3aBF_KIirD0@3R9=HzJ9Rk{q2Gy zSp0+68fWgvEMRnOUl0B8mzDFzUv3qYTZH*e&Z@jEr?d zuP@cib<`-AZ8WCDLP{eM#i-Tw3S}xycl7utRDl?}0Wk&-L6oemj>1DS`kQ71Hv#bw zOSjE|l-RAM1|O*c%fzt^zZvx0SV2bF`s&P#7J7No-4V5nTyN{rDnZYV!hN`@(5SW$ z^f*g@i92ebqsBgVt56d?*__euhU&0)-*Q7u7ihUR4b4DMCGKt;6ZTrokTTR(BMeZv zvCfU)M-N(-u8quWk+{EH6+&MwM9FS7LqoJsut|K&QuhU|O^+fpI=0DuY>aRbpRloc zEV68a6@`l5+VEMPK|7$=#a6IZt5HjHByK%sBd~aN_ePhMagsqq+4{Gwp%2aI!}F6` z=!rx`*+v`Mb!mA_hH8BTqFjnDurJ%P+?s35C>xF}TbyVv+nR9Qm~LYor`lR;LkGRS zOFlRTFZU?0?kYVSgQ#s z+dR!IKs7>Tf!L}*HF(dD>ks+Z&(zqvug@(&zJ-@%Zmn*Og}@Ts7nLE!g6P4;feI)- zQp;s&83~1;P%vf4*1$r@;$-t0GBQ@MGgfg0if~(7nr+iUEg{ghtIKU@`KDN4qMkSsy?~QlYqkH9bE$1aKWlZVg`=O9x)zdb)x7Rn ziY+ij6f98P$i?qlV%)3-6>!htsU>OQ9SXCapb 
z#9Dvpg4AZ$=yJ3r@NJlV>Dr8oC1P!~Y@x(;EE3&hzkqN86c)_w5sGoSGOi@g=i^)_p|vkbka~#QAB&B&Hm=HzcqN@CU}EiE zDGg9}Y!O`5IM#q8Ps&;u8u@x-K7U#)qSt|%5>5*b@3Mu|E7al4P0>%47H4e8CP-@f z`fxk0jCjFAvb`8$`nmdX=9cs46|VL+$$vJwD?_VC@)Z_fG-XEMZ#HE{=>KrajM(31 z%8bO{Van`+zsuAUr0Lx9=X3cE&TT%?zO_w6x(wH{IfAd>KmG5 z6Y}&##7v3YvrD+l_xxqFalN#Nfnjnsp-K-O)Y7+r+n~oUcS=&t?$T90`S9r4hNeXW zh9fx~UOj%5Q<8dim#*>2M?}|tZL)d5Ae6)Lp~tU%O48Ks5*O60i*9Z?ft!yYDw?rL zn%2$dqczC9KyMti1jHEH@gG~AHmyb#&6QJMuw!h zgap0B&_n(O+!VcjXONP9c9(ARwZ%pIwluXHF<9kt2=w}0L`pulyClxn_CDIT75J3_ zhU{Dpjb1-Cq-2EMB`IkCbjBc3D%$Rn3}0JfG@_c1o5B(iEIw?C*CQmA5g^jNKs8Ae%CT-0nKjmUjzmpd$tv#>9b!jR?7xyw7gw z3O43!8e}3rCI0W}wx|9peh|g@`a0;;zdya*CAtx52^`z}p5tJSgqbLf@;K9Ylq=>K4IF`&9v=xPC@3Sl zZ)2WYMuj=jV2%u!BNOJx3LO6@##BXmyQ^APOR>0wvGZ~f*Bjj+z}kaPjaxv0bD#j` zw0|lEn6p>_1)^Pw6pTTm!rK!>N1(U_&+vu(8LDNF&k=;-4;+PX&sHh})Q7 zL%kOH4?jiCDFLRU4l9F40?d&bJZ`ZoFDy^s7xh9^lD9slpmIJ;;6r;M8p&IqCP$jX z{R_%APs-0NFE_siM!YN&0Unz%N0~R6bMTlz75bxBf1Ta$FHT1n;y{muMF1X?kNB(8 zSQ4o?(@^6U+9IxqbALWf`U(ovO9Hanr*7cscn#Qk;3*uLlFa&0TT}5*2y%hAKEOcy zhtt>wppP6(cahBo^euTkxkhI-BBcVrQ#Tgsod)v&|MbTE+qVI2aVj?ETr6+?e|Rcy z4Vd1v9INT7L%l)cUr?YmBW7csuQi7`reKa~Vy=t~8%s{@B-YtlSz@j{3>%!z?IbqY zT6tow;tcXqDz37aqY8L*(_vVc!CU$eEy-!HR0SRZhbhRP13dUwr)v+u$t5X)xri&$ zq#i(Gtxp~NvKpu-SMlFIRg(lYRDl})-P5UX6XIQ8HdFIUXUR_!={g5fiZcx`X97CN z5Bt%p3zM)h&oZYg%J0rUtD*LfSew#q8*_GZMc^C%Yo`m2rI(8GUpFrh1J=64Wca4D zj4rrY0`GX8`GZ9ykUKHPE;JJ*SpM`M&8$sjhP^c_rh$zyP^H z?aK+KfDig@%n3ALk?FvQw|oAV!fqsI|I0dT%vnJTU;&^>%b0FUFn0Xk=6~T6q`e}5 z6Kp00fUf|d0)&WVSpg8v{ciR^{G&!TQhW=_TzrUu_0T!>qh+gJS%d#Nm%#D{@K3v5 zQNA)FxyHskqf{kiyjRl|O4*iIvhFRAVCuZY;w%ZmV40BSv}Eo)m6B}Pr>CXpI!U=< zt$--5*&^>Kn8|{OE#bOMFOU5wLpA0)XO#Li!%IEU%LP!^lRyOpcV0_#`I^DH)aW7! 
zU73Kby|$a_;9g`$_Cw0#C)ac!sA=vQE!3=&^U{D1H)LzE1J;Fb-$Zt?Zmo>@I4)Go z#G)5!>}Se0Wn%lcViB&JtJ5LP?n@h88KussfrYa5#R?bnG`wa(%VnVfu^OxCzPW}{ zo)Ii|L=DxjBB&P&w94F928Mi;Ed_zixDDmlEyk_!M)%?^WLK=_%u1}_1f<_}J+okF zgFCitazX%p7rhxLiP#*6`#@aQM(fKqWbWNPdW`7Mp+ne*1_h3*G!Usod-5MT6w+|y z5Dn1kV8&{1X=Q3{WME)p&8lT(U}nvV`G@_ggE{cqwZQ*yS5xbu8?Q#R#*J<_a?`fW zr&t-9T)CDEwWp7BN-Rh*gnSJ@>FY`RQvAv7XI8xKsQv&fDyLPUd?s4~0!3rL7X}oE zjy1VPZ?L*6f0)WmLMm}D<7*{n=R-Ch!E77R_17XT73q*zZ68TBRU-3WQ1F{`tI#Z9 z70UL^57j_Zqur{h&`Vkgv1>l={G3-t2pgT!td|% zY&7~lPORFMo=&PO(FN6SY*(nc6(1<}7Zf?yDGuvr~mw{(F9>s{G8m&wu8*2qrRkF|G=)0%Flq>jVXKRcTof}hHfM@pyE zRIO^}oO>jx9}^iv>2GQ$oW)%;9e25%l%C|Km_uPwm(x*Jf>n#|LA9_4$5-f!v42P$ zZy?Dyog?wR$kpIlJer!}yQxlH180 zX=liPyXi8XJi!+gr6Vt??yF4Ia|y=Rt+u3=0V`L3`9oC&mS@7~;^KGrQ`;bQXGOdO zQNj~vsrKwk7cM|Xt#n6IbL$$OL$Jo7X~s*+->I`hKZRVrOOV1;`gJHGX+4W$4IjaR z9&|hG=Dku*Q(!f~P&`nP(b*mlmQBHC8DT%Gk>=2sth%VwMYeg<@Dc+_L{hd%urLpb2- z&UHol{g2@woX$%Rl?%QMcrU?hNlQmQd~ERrUfL{Gw*D6Pt2{wIrK07bXI9+C^7V;f z?D!X~Y&2F93WU0%PYE76R3=$ngml^!ykEVGGXZGwSUvxHPil6<1^X6#PUGCW!Ox_-5z+FZ)bSSBR#;Yp8%;N=iz zp63~sM_v=M@}0avDKHQfccJ42VLY$Nf&-yNT0=|l(RHK8GH>L%OFs+S>vU<*e798W zRpozq<))h4x5Boxv3HR6(X4Zi3zTc2yx&{OKcXU-P46Q-yo#9G?>*GjZf3SP%FV3( zMA+QMbO;$Z7FjE0dRv{~NNL<-c7m9Qpm(RyD(w!l3_8{~AGVGmMLI+>-`C4#Zlswajr-OKu~=6eKcY93F=#=(qNm+{`O%<@ zN4H>iYQdeY$uIn>S>{%!jxkV@-26o04DTx3cx&cBOSw+$;+%Q&`@1W&$B}Y@Y0snr z?9MNtR%KZW+_Z;2e%EHKn;WT#o!zL=IvQ|pdQ3o!#w{|AweE5`C&SfYogmpfCG%Wl zZz4^2rRW8R)|Vc~VMsdR4mWOy=^p$E0NM_|@u`%b1B0Yr#Ngtq(57ibqL~SI3 zt5wXN@cw=qE<}*6|6+u_-eBqTl!TmtLK?xLED37;JLirJWy$2rhuwL@ARQAG9{;_D zGMHSR2-}TF_l}(>2UaQan1YMfm&yFD5rXN>D%j z#miL0BJZ+l37HhUbHnX2KY!g#1ksP$$83@X5Ft2PMr ziow$N@_XjXhc+)CJyK5Gp?kAJ#q!6OyA3akM#Lzq*RUV?*wHcK_aQe1agw-kAS*}W zgzSZkhaH*&var8=$y1k`ey0}WqLYooY;x#n1cgPDUA@<*fiFL37#l_9#bzmF1lg6xhraTJnCVZnsh=oo&?Y}hQ;JXP;O3%7#ZUQ_ z?T}Y>^HSToZmvsGO#-JY$C+p6E2T8P@cY%WON=DQf0-MQypU;hs_Zasok88yUp2LtYPW`j&Qhq~8=nxap}1RgFxc7%!_E)SvQ zcb>j)DBbY-c7jHKmOIwESga&Mx?jd)O#Gtm%Nw@tqv8}MJ-5B353R;f5#GomWA;x} 
z{jza9;o6C77M+==(m4DTOK!I+A3H*n^Nw+qUtBne34U^9ic#`$O_>PwKpl~OeDw2> z{>b~}s^2?X>YaoWG+dfPIYpdEH|1zg#k@ScvX z`yH8Y7j7yi_nYzY)z$iki+m{Rd~~VfMgM}#X-1)}wsRM~V|AZ?#U;E)Jd(Rn8A>|L zhVK;Aq)VqQe5Z~HXrMfHgktdA=Nf!6GNp(YOhF7X537@!Su0+=d8Mh(ukxhg9g}4K zk4Pz|x|eG*r~N)F_}z4UPV7XcTPU0_ciVK{XO++#OTO^l?RRfl`3ID#NvI)%-=$#5 zLQfUD_!e$Tlgs#jKXxg*`@U3#nX`~VIbW{XEIp?#yt&o;+Tyg>vx}cz zc%2D;NcVyk+uMw~=Y>>9ss6{Rb-u^?wHyyFGN_>lUY{-JcctrM5`NSf?iH7D{z^6_ z_Aqx^vW*t5D%EVnwCT67dgap}RJ5Xywp9`mwr3fgGvjmHl7;3Gc}=?U))4lz>DywAkV+-jjN=fbxtV2 z#q{*6m7EG0$-JW^Xp=!moPaE!~ zE|gDP&h<)5f7%?E=*=Ko{-HBmgUPEx=$-b*=WFDSOD`1Na2Vdr(c&^V7INE&EAW?` zv0|`gEE!UF;p8--*uceCdUwNtlYL;x|J~FFh<1Utj-)zkP3}W+Gj&JLic!zhXd!FH zSo&m%c&C()HfbrP{>JBMHQgljp4gk6AUr-6($LI0+GRKaPa2O>K2687;(f{YC6&^t zjgR;J#2FXi4Iw4`+(Ylo-~sGJMT$ITbuv0sYD+~noLgy(if1m_u?EK8!NYO?y*AynAE=G13p2!Iis=SwP{lw@R@SIWg(dbDE;U`5zG`!zD)$Gs0 z9d2T4I|@|2;x4sT^oGx8i%JwXtQXC?>;4GPs~Ur#VeT{Of<*Lap-ZDRuYzUtPTQZB zaxZYoiC&=B;&Cm{sioGIewQq&J1G|Z?7^3N1dFR?ah29B(j!Q5qtv>VW4)@xpD%=x zQ$F}e$=fitm?S`#>>=ra_htD}{Fmv%+N0vdQAQz?z31;$V2x+mOHu_8M{`-T^T?he zbXjpofY#Kuotk+ggm9T9K0U5YD=jTa|7iML=|Hg9M6cnEG4fgEV&T|lxzZ^5PkiR8 zJ!axKVPQ(+Hf;P0f}KuZZtI?VWccNU+IQSs#OttU<1+y-327u$z8@Wor{Is(SUumS zqSM^_&GrP0kv^BlfX<6o?X(oflx=eVcxU@`h7r*yt?Z*qGR-V=>>^KaoTwYb{9HfO zrbULCO;{iDS^hpNBF4q3*6)}UA8VY^Md0dgeM!xYh&MI+rfgol_F&z!$0d-fwAZDJ z>t$H3*o{&AzF4a}-pRg)4R@6>W8z@;{?>p=pW0y3HXOY?baT=$fTEDtzIYj6}dY zvdlSq@BWPY#?W=fsI}{&v0g{c_En&KO1>)wY$*}9Yd+#w&Kv%~+fd zl0DsiVo9a0=S*d}lH=I>=US3O9ZWqMUAs2 z5kP`TbDRCeK279Ek8zpW9A$VEM6U0iFW$a+gXC)*k?FWy8Z(iZ=ecXNq|(C^utsVI z)g|OT>v?6zcKiwPDSa)w9?_2EFax{ZPKJRw;D-Q8V=!QI^l7~Gx4-5D6%8h3YhcbCWAJ-hqwegAuXPF0=m(-Bo!85tRp@ufA} zxPY^ozx+w~H}CfN1s|Jj5!Uefcn*YpBDRnL7}wRP83zNZT<$X3)iP#Tq$%cvId5b& zCqO$1X-Ho9Su6!-Sp`b7USlFB*T(nX41ZW3Ru)kNV_&zE%XRyOFR6DW* z^CqqT=cQ>}o78w9FsgjUIMYQz_Y>L7kG`>Pm>Z#8@xVf$`Fg0_<_)sJp>QD3?_9e= z(Fe**e&ennpz&kx4zG2KsR#QMZ}H?$_?)`yi*H+%w7>Th33MT!!h?=r{1Z2e*Ca>V?8dP=;LE{)>2N&CIGNty#lEhvc zi;UxCMuCP9Y{1W9DlP$)A@*nXU^>HC(-zI&jxdE2x8liAmh+z6FxMt7U@n_fS&?PR 
z81GBG&?Its+++?CoV~WRRN}U~qE#{pK9@-?z=HZxjM%>73|jq?8}K)x3VJztf=zHN zW)bo!x10j?^Ab^O%B)vRltr(t<9%D8Cxwj%5?s|O<9HkEnvY*a0}^ETj%C)?hi9~U z_;y_^y!KbZNCE!g3GaGL7&<;KXMmnu<~P_yNvlDHgvZBGcpt*eKhc8BYm+Lng}HPL zg$pkbIi)V*jA*DDzsZ?=UXEDVt>@)!G|{;Ezu%TCdiAmg=S`Nbdk{eHOWZcgN4Qy= zBG9JQ$Zm1%_gCoE;dNJladU=riYyxs$j9be4l0m7A%%cT4~e-8vg6%IT#%Vn;fDPH z22bSRL(CSiscSOLl=_VRFyKF)D}(PW6vSR-z#Y=*aAB3$ES+wl!zt2M#-f+uK}PsP zjuURw@m->NY1xvI{9`i*CX5lEQLqikl8?trJ~$3t;+fkzR!7Cpj?3$crs5O-b|Hb2 z2T$H~-;3D+uWv*({(9on5kSj~asEcgdnO%%us%L|a)KitnMsE`Lz8auCuauVS|y7^fNM{V!YB_`)U(FL?L?Tv#HN`bA;hZDh`6g)i?n2k?rrh? zJ}}t)LMSu9f(F4v{(&NA)mPXrN0KYBHgk z^LerH3YsP*|7L)Pnc|siD|ytX;OEWr^fidpJ$|!aWi5xwdQbuIxQ9OS$%+s(7qELXI*92BCcAmu z#uYh7K;-j2Pngw0eUT42yMj@ilx%&TBf{DFLNa)wn|Ht7z#@GlWMCby_^CDsmT45x zJEg4Ne!WU7(XAwx_wG)|LT{ZP4IeBT%VVgc{q)wIkXWc|&8wTOU(l$0r`!rVy(qji1rK>C&)=tqggE_S*5eK~5a6%8nJUR{j7j}yx$UWt`lU3R z70gcrzCu6}s`w1r8%hillo7lr31*R}BPV)>23K&}I&ZJKY%U;~LV5x9Z}60?C5cfiTP?`mV-BdnU%w@+PM`VE~tKZ)QOhCD@H z_58<}3hnUlXv=R^7K=L*PE6LY1aw!vtb8DMWM33x^c0&7MIKv_Op2)7uiF{i`rybt zO9^kehFu&NcnPhnw-ix#$awsj+UZfXh8>>TBcjgqx`gW2Rh4U@s| zk%H>;=m?$+Tit zzrA5-e+zf9ciE4n=GpqQY|bOXkCS@`!ZZnu zGQvXggRO8~^isZbf6*T~K`f}G(nW&XKvDxW91J$xTTV z^sYXnI%1U%GRC*?)I{dYCL^ z$Mr{(R&Io0gZ%gks7#LXTfZ})v9kcr6E{DArk_;z*S|I8gq=t9B;PSOk|o>+_m;33 z4LFGp=&Abfa58PhKBGb_rrX3w2z@Gxckhnvj6P@^jZ4Kzf|WLHpNtdkjizwG{}S?w zv4Diizx78@nus$5p_#Cx@RhYE1fFuA`y`9=rA95O(%L(o#~hJ!$EQkf#A>!6Ehr)T zJG^Hz-m3M72St7bc8=H5w4EJO!0X0}5z#+&$!rl*h5K8|?U0DA95Oq!<%ia8KB@xY z$bOR~;MJ70cUS_W$LA9)&6oO{NaTPU-Y8q=}IEM43=heKZmG&q9FVL*(aCUdkE<}$>e4{bd{3}A1yxUrAUUzii zCQ7+hCcg#;$n(>>n;Xi(f?)E`je{ZR)*_*Pn}G2ML;fJ)vTkv~y2#^MR&~xho=B0w z=(I?i!E)R1KM(3mAcKWg5;Z$sqkE#+GydrNN8H!aN?bNTPT7ETJU^l>T)0?@p;W-G zI8e`KkJ(BGMf$N(DruE1zQBT;h9FWX5Vk=RCN?vSf95NmKjJgq$hi9Fg-fvnB)M3z zmc50A4LI`)tYR{sL0p}A#B_WVHP4A6yKjP|FdSzk0&s?z-DDlxUVZm(tde!tX~xNc zC2d?q+~^bJj6MWr4o|QS=y2Z9V)8;gA(kPlNXXG)DfnK${=|YkDyCz@8u$NP+2HI$ zkW%))4B2i-S?R3wa}u+UP^&t${zWYAPysbT3^%-G{zjYnWN($txEfz**=bS!9BfLg 
z^60e|1}n3*Bc8w$4)@j7zkJ8tctOzcNSKq>OG>;i`jco|rd0Qk)2-uSSlT?|Gg+(P zdZJ}WCh}e3Ak8powDjk1j3+LPY_FVCW4~`Itb{*l`~C*Kq-*qfgv4~R_O!z>P(TNs zgS9WSnDuL$Lg#9GGbdP_HAiX5j z9y`QK>Ns8c=-*)HKWLVXR@NP*gM}jV4Zy$voMJo{+7WOg=%y9~cu1@-fut=H(+4_-pWw50}EnlXFZC4qBr{gQs60@ZN zy_L*^9PcYSZd9@}aj|Wv#-_}-$5`8lJ>}f=9)AjNY^EBmmXp|}CrV%x1 z9j28<&u?gV{pZ#B313mHL6I8dI9^TKIT1y(T#Watl8HMgQV}=*nViRG=1?LSx6;Hl zf5obciUM$HEWc&~a}BBdK8JU`jm!{BM{_92nh9KSG9- zfIj=E8m^zt>#8NexaeyG`iQy(c&=xd&1&D=YpItP9Iu&Lk?k*LdpZz2OlCh?^s#xJ zWxxkN9ItCUk8+lSc&#Kk<+yY?_S2VcwafyfCeT__W5Cgxj%iW0Y3>6!7 z_wz|K<7zr_rNm4IoN_m9v(HtD+?NokQ`ilMlj`KXeq*Yxw-85A=9R%H=I=2NAxbr( zdLOc3ib?x@&MM*l=qsIGM#F+3A1wUt8(3oB>a?RO?@_7Om$>QCXz&7A*A{4m&DP8V zGW4lEwc@#MIEiwqkF5=imq-T`IA4MYi8wpVcSAxz(P*c#G;&LoX>i=+!rS6MsXDr2 zbhh{GVi9hXR0jRIj$l>v)24FLn^_DZPEE5n9<@7#Y1HIND-&XI7(gjpiMEp}CzcCJ zchxS9n#-{J$ySB9_y%^(8P$mQ2MF=jS)FHyxJJd$yVd<}KOVfFp~`?lmTjWWHi5Y9 zxr0gS!_lq-XJM#YW6fKcEA^#Qyc_kw3$bkY!l##wejo+)j3|qK8)9+}pNvEIl2nO| zZlvb9iqjQ3&ffaH!L>c^e}X1AX6MoHFsOxWuC%_+e+S^ETu*cN#`BsW}z92Mb$%qNeGNkT|19 z*pk)gh4Wi)Xy28g8UbDYd{Z2uf8M=bzhKihO|0`>p>`QYQ&26?NZtcHKWFp5A6EIk zDJUYR;fHAL_aYt7mAY;rmc-_j<0C@yA#%EeNk4@E?;byik>Z|m=V&wnPc7y+(*6?F>5eGOwCh(!WEX7UzMO0mXaq7m@R&*2Abi#Pck z%fjwezQ^Ltv=|m}Md@NzYf|!cD*b}c#h9EY%;_5DuheR)eg*$3wO4QI+oPc5l|qYQ z;#kS7n|Fi5NOiB2#x*etO6ZK{R9s*3_PEXxX^j@CDKrcGMIl7~-6w$xjveu){~P?4 zRH6WEG1>@z$k2-Tb)%_`KAPtU=>>PiyA=Qw#m#1?N<@6E3^yo&Q;ve)AC4VKj8=|4;;$Nr6N|x}pI8yrKB5d0C(BbV+LsL17yCf-C zRiEB{@H72M36EQL_1Z z`4)VYfmlYjlfC$pey9nX33euaNZbsp>bLEH;M>$>YWzCz7idzt0!ar)0O(MCPrIAY z;)!d{$v}tmAVK8hB6QUiv?qnoQH&k}Ej?*Zo^9{$-O<|CO^s#r3&#Oy7UWHq4q9%q zl>OWvyNW05;1c37Cu(RV^CozIzjkecb(xh=9(^*}6KjbFxtv^el2RBR^MG4hY#aXm zI$1_C9^c-(j$M|!QLR*Urp1`8i)|KYBc3iROtiTWc70EEd}0dPXGe6d`0NNW{?u13 zXRopq7b(0kW=ZVJ*W+ed9Kb8>lLEGOM`MV84OWLd&3n8mk?SQ6UTt0#-!?|<#>~xM z1mmHGK}DZrKwUjG#@AG099J{Uu9oIyocCYmeg9I zM1to@>pYh~x|5~q5**)$?NYqV3TwS%qKUn&>KU?BjVF$iztzYrA zLnw-ne~ZnG^+?*dT)rdp6;heM3oQ5?$}>d%M0RGp^^v%&#rwL_sj;Sk?kzqlip<HW9TuL+T 
z$IGKTEOvygPmVGge^PdCrHi(W@Mam_x?d!OJ-Ddgqlj(Y+K=L(dZRg7>ANx# zb8gPDCz@00SysqLs{tGh!}@&hrycL7*YA%n>%PyA*Zgl+#J=yAN$VK*kFT!{I_m@Y z&f4WO7S67o*WUI;NubfEugdf4>gpgg`t>z^@7Cr=C(m2JxFXr!o=ro$p6`N->Lb|@ zZPF2}YQ+0XFu~_`lPxC&?jXldXreSju4gT47TKSggL1~_84uuK+_|-yv{0B-TG$y@ z1)89pctO1N`Ji{TkUnk*LSjjiWKXC8HXxsq$7Y>DjLD!Ll&EcY|tM#6xkO>mZi$K(3eS*ODb{0|Rkur`WDk?Zt=6 zuF_Eh*#vodR`pIFn2zWceE2IRmZQW$nmVtK1V4Sq(NC;CFq>m}fcWm3rhl)5PPii> zGoeW9>7BaM3Y8Q*GN0L*3Z z;~!bhGzT_huIEp6Cc3>$E$X+E(E*(10?q>|r+ZljO2+ z29#K^9s3ajx$K*wLQ6X%DY*%b`k(ba6g6p1FGvLH`1Z+`^d`9&)+I z5sjKqDS1E1XniE8TCm!KLtMU1IpwTA!#8*)tLs5rPT&!?>gGQn&}f>U<8Vn}xPT=t zsJbMf@Jzr5({1Rdp^Zp6dboY9Jhy@EX36?}VQb9tQgRsyTjl<_&Hr z&o^@_g13K04vRPjs~Wki_bGoLVo=KFrXRc{LpwA-rkWqrs7&=LrO2S;-d;BZexPUe34*1CmI+ck4AMklO! zG|g^*I9-nAkCt4??%rrE+p)-I;&4hQ%xQsViIJX8tA)1jxg~+RPfax%x3NIQGv<9?SUhUka}rYz?)VgldBoN3P_N+Uc8p20zZRi}Z<#p*^j<1%UYr$c*9ky@@1d%Dmk zRq)IRBOmAhs5oNRE_%V4&_?xR(|q1Z0)Dxr5c6lhPtB&Xp$RW2{jEJh?r+fVP^J8n zq0sX6;lXV|LTnR?Z2cW`Z{fMgKBQu~w9z|QiG2xE?$5-R)u^4Myx!YET-{r&$tQ!1 zO3xd6;`+0%sMp4#Ks8#7v3#Yw2y-1``cX8#axqa{ed*wJzGsU3;n$Oe$9>r{9jPSD zj+d9kiuw2A)iaDWGhbTMwnu-9d9PuqyXM1H8Bq3)t1mVb<%*TY-cIu$Be}BZZzXZ< zEf1W5-Ia&FGDhnqjkv;Zjt*0Ddvq~WkC*ABDZG}kr)t~e+6Uz_Y1$z}bK+_I!Q_8jCiYRApJ9-hKJ<(cFM}hDkX>F|o=Gk+s8o+DUD-tA$W@H{fm|8y3o! 
z%_VXu9UKdNdGJx~h!}$h`vP?=_!Xv^3Ln;d>6!w`6Y`9pOrL|1z+7xBe(Z7bZ(c=G z)4eBdR*h*#P=>`&Nc!t6P2B8#Q8=$7UC156WqCNOyulU|g?EJCy|M!(*?wJQiy=c& z>Z3^MBpVo6`<)zQa-kK|`ZZU@=I3qu_4dW2qWn^63bBb$uv@n<70&Vmw)cLbmu^0` zRQ*}+M<<-R-#DCRP<)fYHb~C6cCzz0U=lsXH&gp^C#ZW5`v~EpvR1 z(>~B;Y$UBm#l?++(W!5iNa$^DOF6k6_Cpqv(7-8O19PIRe=yE-Ee!1G8KzSktD~Kq zZ@rY%YS&PvKpF=1Ht4g_(%A$_slhwl8d0x=0{tsqrf`+{4kXu9VOExJ=+ofqH0}$m zKw2db=ogk5>#l3eu8PGGM>KsRQMo+7Y5qR>j=j6B?x8QE&+*S za8#N2DQbM0)mfF_JkUHjH#)8 zx}s!N-yWBfoLX+?BuGQ*V{K6H)ts|_iwU}PwtmLIf>n2+fjBOtZ?K;&_@hp(R?0R5(i$SU7c>~*@=+br zJ4oU|_ggBd7_CP25fVN&-tm-N zkZt>LZGnh#A}v(L=t<5DEts0ts@XWw9`-sHq+gFDYa(X$h{R&!y5TR9O1wA6nXDIiAST_Wz6*a5{OTL}=cmYm8 zve|drEYZWPG&Nt@p%Rng-@G846@qyr7cVG{=NER~I%D<#(Y#?oA9*!)Mr z3604>T5xn-gD(|pofzHHnzPB7$cui9Je1lQ$?p#R3PjJcVxka>#Y!@NxI>hdY?&Y^ z*r*rr7M2E4H~Q=JxF7^kg_4V*$ojr&z4i7Ggiu*E!F9Ooy>=_)KRaEwsBAd^?9a@8 zzpTuzU^F`id&nd2YH*xwsit84xyYKioi?d8#E^;h5O>?bOstG;c)%mN|CZYm9;x+B zowyMK{Y0@xb1R!`EO0mQan68L<$=}#4%eaMl{CXX`&AuO$jUnrL|{WU((lNwq(nB( z9VN8!yiilh=dyO?D*3e974vl3lO7t;=kU7$LmRRTU!Aor1edA9JBP}mP?|LYD3c$J zryIG+ipD@Gc5rRHQKywEYNBaaon)$%p4e>iSkv5tq`P^>behjbyKD|;T4hEO{9**L z!N5Ocu-h&E$09jlCx|-=Z=;_y3$wMuxcJ7qX*_^pseUiQ6N6&!1@j{<5GPt~#d?QX z_lGu=1ZpC`ue0J2V@JEScqeKsu-&)-=FK6Db0JThX>*Mce!RDfv_F8@(t}2vN?7$W zpE@u1DQ%WJM<#)MfKWKm{uWe{3K4O>Cm#dOWe$4_jR=I?9SEL=yCn3`*3?F__1Ety zXbn)U@JkutLppcwIB-Qe)G;hpK2szqP_n+$uDXU@9{indVk*0iDw8A160ygiVjXMDVo(h&x^0RQ(zfPm5({8}BEs}IJu4X#h5u2t3=$bv zX7(^DTHl<&*Lp8J3m_;Mkvv@>d0P8xiJvcdA60fTqMc|zWs(vtksiT2x6%2loG6(n z$8i);?Wu)O%7-Q4V*`u5CissizrD=Sk4h8dITH9^#D-8XDAScpB*=1_y|2C4xo=)a zt(Rnx3^hm-fKxPbC&&&>4*y4}iyA72(15Q+UUnj5gWS+|~rU`{S)Rd-rK>17A$E80qr@y_(=%>H@ znB>E#FYZG2E07G>6b}ek8QVC~JH~p@)BNtBt8p*?q;hG@Su|ReEz91>AX(KFK%lv|}WfIC+5^Hm{QVnH`hz07#xrA-7^$ zZC?g(`JTYvwt@COAUt+BF35Q6?CnBc^IM?9LWxH?d8;~QPmNp(SU9bBnJ@sphf5T| zD`SCmt7X$-RlfA^{B_0ts{=ODxtsmog+w4&OQ$BFeHWGRK<4j5 z@?Sa8fRE|`Da80aPF762-dM;s2>mgp;C|z_+9mh#kvSpvc6nyDQuRhJ9{BdmCK!4W 
zmB{xP8@3+G#_em&je$naPmg8KJLK`iF=}H#A$WF)2q>I6K%+^#vsLqqlZK)EGMJ^vr$BdV%84FPPOzaxjB&@Z7p1E8m zfm+yROoic7z1WW>O~rZ=#e{}oYy`;Z$tdkVji>q*PO;TvIc7{2tg!~4?Xvsi8(+N+ zj@^}sN~=Db8=90Q(XIletl7E+2OR+1xCb+esVDea>PPlVq&MZe2$IQeOQ`iwN zDzZx4Y=gB*+;^-93$?vj&)c0>M(bWO`OPW93DB)JaFpzpYL%3E^XUP!M0+G(;W}V@4 zGFo-7h(@AO+WcW)!qOO|yK{6|q=U-6m8@mYdtPuRrP&J2n;i79ZR}4#+aALSbvs!= zo_i;KVkKL{qe9Lz#B68BJUGZ@t9WZva zeBXmCVEC=$@dGNw601~0+2w$rX+&pWE8K}3nw!XEivWN71_BjYF{3c>7-^~#Z#qS& zUD5(!l$QqcSUqr4JW3Ba1c-G@(`lDWFU(zpd2+HW1)+NTP`c9nWqFq7SwO+E@)3RV0YN!z zeQT!ou!0ZG&Lv+lJg5p7*VW@6%G81xp8CQDJ*OXwyO*7z_nGmlFS=w)?2ECy zm2=juuKL{7#T=?XqQ}EXbHoFaTjKk7#yp?o93u3{OT^Z9=gQmi1B8$AQW zeYl;wHGE}D89U615qbG}yukGyV)?o<7Igeron(=Qz*5imz}PLP$yt~>%&2y)3_}d^ z1|8<}dHD##AI*hF*g;c8Wq^ur1p z?v)F?o=L5QfEhQv!55%y_vcue1Vx$to@ixWhJt6Rc^voP0&N_P)N8kv;aj|EGuT*! zd3(XL1UDw{Pfo_x%123OxJUdQ-|fmvz1y&m`!6;bB@9w$!x4v>6JmT6x8#tE_+g#D^s2wEVFYOEQ9ag&8B7uh&_vf7mmmbh0X>H=4E$3r$$}KwWrC+)xiG zjM$qq2qQi^L|sDVMPj6kGMxCj!uazy!b#XH3_UW# zD`SjcE#o7#<5BDS<50eHQZAn2aX<6z6^p~Vp=fIY|6>b|@AKZz8lU*3Y0bOY6%=r( z0mRvhOYrMNJFoE%9Ex#Ls;T#gs_AT>DyVWTlx$Vm5x}tc}3uadZ9u> z%}fccGvr??nPQ=*+I+e$8I4cTqrKJIm3J?}B7G}Fs5x@hoN#?8co-LqAiF=8&weN6 zd+*RUC{jw{%RLTL;DHVXMqPmmCd&qXx*yi@?$x#bBLJ&DZJ~yH^wpR7;6-9m)Bb17 zE_NQ^L)}3Q`3ur6`gEF`Ir+y^@6yrI27?5}&}paQ?3%=6{qgGyPS*9I0mQxXgz5M#FPzlf5)h zW87#-yT0hI*<9bIJ7tw^4j;FmkS`@%aq3kA748Pc;{)c@C7?Yc>&lxdVVd-O`Mq?QcBc^y?kbM76_Tk1PWJvR1S zX9#5A%k2_Gmc}=7MvFZq9vHt$eNCy)#w}OaDGB+U2aY@kjs)O3QZuBAQO`VLsErIA z?`%XJ+_NKt%@~{vLR9-T#Wri2cy1xKQPlpx?SKpbsN{!djB;1V4m<7g)~H=6)Ka>wtuGMUHQea6F<@+~;K53KEcg^D6RG7rk4x#LE$> zX_MyL)_OLa`Zp|^lVc2nZaj<;9G-licOv1gSR#qkS(yBq_xsVzV`1njA_6*q*DHMS zH^z)(TFp3`7ANPK)ewY~3-+jZxAQgRS}VdsRwSl-l8 zm4`nk*Zp8pX+%EKXNGTHGI!4T4D|eGSr4h{QZd!!2|-L;xnTxRp2@!At557-EGx_l z*|^IJwP|t86g`u)whegn1zM8K$qvXj&RR#&*vpZy7uG=`!`EBB|2@7VJVXcX669R$&;z|8UCPbFINVw=^M<^>QnjtSCJ z^iuRY_=J#iggAtl^T3_aTXb%{>61SX{c`x7_uw1}nEs6#d0o@~o%VH>@d|_|F8KCM z(tdXtDkUrsy#X{jBo}z$}H&ZzKB(2e(-x6#9{Nut(-1teRurg}P z;xfE7j-S> 
zDKIwrr4~)Fl_tcyiQ0EOu)E%2R-u)@-acB?GrKgX6U4d;_0WUCt~uF~@G)4e%thP* zn^3k(?f(q;&Ld8MyzyBCU-)wUP-`$=jC}A&f?oXD8QZ!hTuv>wjcbr=GpY<&2ikSq znG+WAVk9#tSq7p{xK4eXn#jE8U3BM}dCd;i85D@{ts_a3i8&j^sp#%M=a+>KQX%2= zX!2}B7m!;37}AXcsi^6wWKV`U8U?oLCck>t?;m$9F8bR9!5Z*|k|8r60>< zVmNxW38I``?QB`5y#S%Fd8~U~kbXz#J$vXq*R+>cUOPPD0rylS&kiJyT}87zgF+dJ z=)-gOs`02G>904;wOYflN%?4$hO}Y5$`S#pXs{N0r?YrRR|cGOi&{j8*tbodH6U#O zhV{Jwp{j{7s3Z@@Rx9qjI9CgjkdCMc9Xn-8-SG0<^iVQ%d6k~k8S9N;$PYt0)oo`k z_&Gw$w2%s?I>|Xv4QaU25|hR~v-wD(?X!zCrA&&P)EfF-?Phy~>EpU=_r*LS!=PGH zD+MHxr;)v}0d?;zE}vH3AM**Ztsf};r7(GvFNazlV$Vo-Z+M?Ki4nUG9|Yp4UR}34luon>W=$Gb5j$SkLb)*N(edm(Pz*?)fyA z3wr|CI~O0ptQG-P-_2KDr#y(8D^Ca)H4s3Lid(6KJS(9QwmZI2*Bg(?4rRM`w*rk> z1&jSjj{ET6XOTPK9pm@UHSR-x(+Yk9uYH; z$1}$}4=<{pG~^(i9P$YHrp2`PfBHDIj(0CRpqw=8C&HI7VN)lXs~Z zmg4-&r~a58Es4M(c@1BMMs1T#H>QORzLJCuS)inwONFf^3RN3Qa$?N`33jW?W^OK_ z`ww@VD2*d`?vY%g&IN7Q+0tdtCwd}M!rpoAG#HDTIBlCOekON?)HW({%$4o)+e@&; z>i&MB-m{!6^>`B|Ux{ep#HAr9Z?Z_i5*=$4TcOoc+E&Ov8v{cvE(r3IfD@#RfhjJy z5hy3F(dS!Xpn$@CDiY-@-|f+oI?w+>y-tFa1DaQWa>6C;x7VF$1MQxnMt(aGp2zg{ z6N~{)fY(4R6=d1M`z2L#qT_E+HHIK9>?WZ=x2$ZrlR|h=IiWy6fc2trZRGf&Qb>Sl ze3=2G>qp&2WP&PkkANdpAP>O!sW%@?up7?KsJB7xKoA5Livqzy0E-a@zx)Nl9PUfb zfMN$cBk~=yamP6B>}PVycgX)%g^l9J;hi5U5DNkf?8Djt`zJ!nKX6$x`5b&64qL@_hXiRA6*$om`Tg5DnEHCV!bFFxxOWd$rTs1qrHjEmx*vmsN&07ZO^|h zFgB`pTR(Weo+!rPeeB3&EC`#L7lr?7`>}8Ke>c?OAjzT#91M*5!>;@MPo4i4FpZI| zt>r&VIi+QrWk$qTOnJD8qS-K4c(h)a5G?Iah%F5gM4uLO$-Xq>py?L9K1sS{a^fi5 zNb=;nxw+-bnymus?_vlVn0!thzJ{ear#(pp?7dB~83H2 z*C1lz(H9BzYxF^lNbrZ%!>87X774@37dWt(L7}&F*2m@bJEW<(EJKyrECN^!Ew1sJ z+#Vrx?tb_@Vjn8DKyP-Atx4j=6{;KULM5?Bt3Aq}<-qReDe1p8&7?=J_ZGIddmi!_sAVyE(Si4wSKDR^-qk*&dqqGE#E%*E0Y+q$RS|Gpp`=cF zKke11lYvOcuX>67-+fx9=RjZo(U*}Q!i)FMKK-Zs{?DHMhb)8QWDx=xQN*gy9Kgh_ z4|9vlY*w%sP@G=6dV@w1j!tQs6@U>o`DGWf1J6VfPauPW{e{-|aG{An&GWd1>* z!9RX(1uAK6 z$~8O1DdZ}PLB>+h+vC_~nrZk3MA#j(kLXPiP+tIxsdFID)Q$a0#Pn;uWe^4?Eg~Fo zH6JBbS=z2;4Up8%9W4VDHj*fuMV{(;1rL;O4LEAt;@P~9St3PO>0$C7(Rbv#T(>Z} 
z%obY{`tknMeP8CZ^bilu%0pZBSwR{c0t50tP*r06vJ#0OZ*uhGK>0ZS_3`_7%V1z8 zw#Et$wswvThIV#;z1+W3cSm#n{Pfp9KV%Q}U!)&bKk%OaNo{QFVEVt2*N7sWq{4hq zlm4?i|HZ)%{PlzB2Wpnn4^wN?f1dvVmG$@gckU=AvV}r`mA0V#!$cK%^=~fV%rOvuJ;q-n>Hi1b^>>DUcb)&u(EnlN?+pLrNdKM7-wpJCa{*tN z_y?E&nCpKh{riOWAJXkvi2pgg{hjdd6U2WAN9O+hdj%uSJOeZOki3Lw`uoUvu{-u#fhEtt@?8kUoHUK?v~jYrZ8vsf+l_5Ijcr?v{cgYK{L=UQvAb8U{aktG z8Qe2-&#ZzpIK(Fq5D*v;t1mE`VuP|03BbR`fiD!`%gDx1!QRH!fl1%imeJM9Qg%WX zzK0nBYO_jKPvL}Jjk({ucU5^TuHNS{zT;zNrLh#;Ps|DX5EC}3V+l^I6vy5UUP7{eDE;T%g zl)c*;>^#*}L}jb^a3}}v6awMs(w~#)Am784M=_K$_eX4Aj37IqTd)-VpDXxhOC-U8 z0%ZpS0YUx$U%}AE9`N@LKVrwtdzn!Jb^9NzM{9o0!VCsC+$fk+&rVLK#c+m}+y>P3 z53i`(5m1r*=+R+kdp-;M6$t3zc6A!???v*gQ*XbMS#)aqQWt^3o}=2RwvD*qGPw0EmFgoJQ5G$by64h_Wty}$C?M9@^q zPmhi95`FCH9Bc=DGAV)7q(-~P{29V#Oq7L$Pcqz_rdqF-e4?_8YH49whjZ+2>L55j zNDz=Q=dXs{mg`{sBmz@O5FI- zLYxWWgu%Gr5Is)5N>tJ5U=h81TYWK#kpECIhq2j0RQKm z<*(|_G`~lqbA9rzoPF0D_el0&4DpSV?6JZ^X;rv7%;3gBpWv>^&?XI3=~mXIRn1k^ zrM>-ytg4z%ig8;Y2n9PkO*F;!bA{VZ&ks`337v+mq0`~zF@0y}XNm*Xc>w|e8VSur zYNE$LHOjETdeKsq+1m1j>M>>m(I4=6`=Za`r+bh1h ztg^=6Oq9p055w_eyatqa+Xi=5(?7I)cK5M9C!nGqqSO{bUf(}X2{aec_f@GdPu8Vx z8!jD8EJ>3THVh^1y7!wfa$y}tw~5FhASe0@qd?8gD|K?sbcUYHx6D~Pl~jUkatEol zLS=9;!R;@inL1lcu9Y}>s`n<{JmWp6CHru+b@o8xJ?JofTdIOcT?@i{s9H01aeUo^ z(_QOYNLQmOHhTbzXHJdeoRrhJ&FeQ$iUBoAintWRzA<0N?+{rkkVqRgIp(%Y+HTdl z0ny^drAsB@AovLyB}~~9K?oD(e8}uajK32hedx?rbntMQ<`b}8amgqkZ7b(Ef0Lene~NRgT%Y>3H|rFm_K?s)`uwlUJD=&UG;)~_Ywdror)W2Fs}U>>vvNMp)` zKr`dE5GuGLu>o!XU>8X(G<0`er7yL+08AbkcBgoSN-5Q-BD_TGp4JGvcEx3heJ)mH zDi*dm;4>2$ujeNUZUVf|GxRiuOrxlQ)M8vstZ|!9NW&|e(CJoA_f}G~D^@4pWBkTI z*pL_5OW`L+=^!_oIar^G%JY@ z^PEYQ)JmceNSw!mo$sNwk#=a4`+C>lfnapr5rE)kfg^D`*f1_&+=tKnj17mN+yWUJ zs!6^f_hYe-nro8lYy|P{Tl>%H)5!jbZ%gRj=`{xd7<^Q^$ClDGCy>86SAD9=k2WQp z1G*&bzs;qqal8+f8n5UG`~t{Xq|AKV&zoZ{`_s=Tctul}Kj{9#mK||cLPN$|L+ww# z>*tNk6E2pc_qc18-gV|_j>z??sY%?wjHy`a4vjB}X3ZcdC%ueNihUn#gxaF)JQpD? 
zzqL*9#A&U+R}Q7id=43~m`fDK$#L>)UQPZs@i=^5ArUt4$MnumYT3e{mx$!%Z&wmc zza^_pu{CDb7OJbHb^HS0wq73Hu*a~44~1Rt9R$aBvDW$R}GJgh^U)n2eak( zHQ{UZ=j#kOxNcgF602iM0|2Z67+-2{i&Rkkuw_Z+N3Hdi!qQIW(&dx1dLM7-O)7a) z5TMA_zPqc*VyDrtM0HSc+g!rNtV=(MANtDn$sz>7Sy)?l2_%@CjSFBDZ0cy*F=&rB z=H8(h*MDWfqjL4mjsN+GptH(!6hE)XtgV}1#k$p9<$_jpp7vutZa)z`zkws%tLaNe z-w0PNTx4^FqKl4?RNK3sLarK@^7Z&^Lk0nr218*aJyFYQv6@cDr> z8*f`I(oXP%lR%o!9tzILQdg!|nf8gWVe4O=n~NqzCkvf6V809R{!r{M30{-hgqABH zY;xvw1pI zt}t5Rx#1)w8x?cEgL?mOW$TFFkoTRT>F6uqm9g+A-r@h>OqNIJOzo2f1~O}f27>*6 zGMS5wy@i7*0O07r^xwyS>1?(g@#iY1`^B^BlO^rXeA<{07vgU=32Jdx#`Ih(%eU5R z%0<>!bE&m?IBO}f?Q(0#K0;ud?2>$l?BjCwaSX%9K3p(0&+nUO!O)%Wdv9Ad(L^hE zX7~51F)%V&HQ3GR(5l^Zxwv;cKzkL zICn4m?Dbgkdh9~=3Fyd)+ zXXcga{_#y;@O62E>T&ISW_;~(r0CDZTM3a@Vhon3-5BJS9?2qxh!%;FVn~#CV#~zz zqX~ycH$dzv^yE2BuL6OSDWC=`8Bk>1jn%D<>Zudx))M*^MmAx*6>bKteqz zJ&EM&P3?%68f3);OcL#$qPcpA&ZoFHr_HhV;+p;>-1p0eaIF_|%|GgXuS{r6-f`R> zIou{96rOmC@7!103ua-V%ZBs=?*dob(4`Z_5$~bfdp0-eBM(_LIxhog9r*8fWON;x ztlqW$w9n)^%P|~*-Hm(7kHH&)tM4@)hk{mc7w@mxgZ71zs;iKIEM~ zORrn^f-9t}yq)zI?2S%0zimt|Jk3Ukm<(v=2jvYi*B@2~vXAL5Qy1Zqb$#6)_bY7r z1o-%|9|vY%j*xYeqUC+usZTo3WYC*EUWs%Gm)FvwtzH{f(guq*Iz3qzPB*yKuA>{; z-h$0WT5F@LvDSrpzEf2-U;c*mWb{OY-DpbN`dK9TMgC`CCMEwB`_V&Rar@A=*c%M2 z4e=Jk4{HLn4!f_R!vr;x1k;lQHRvuwrx%c;c^lzYZNXX3FVM3|zXyYRr-TzWA<^OF1!tD3Z@-+_-jIohhj&MFI|C6IkvIC|W$@jW z3EP7^g6ECZZk}M>?JE`Ardg2Rw`^aRSg`em=-b|Llg$}jaf>&HXWQ!=i_N@^K7l6{ z0Wa9KKaJIuW=&g@N%7(Wk8kUB?OZNvUYoV=gpcKBJvQgo=iYFhH_Kis;6$(cIWI4E zE)UZJftfQd)$;G3eefO@J)T)o{WfH*+;RPoy@?(-)1I?I@2XF3cec6?!WIv#1-y{F zFHs&h8!L;5QUhW4z8PF?iw?>zJ%D)aG?d-#JnKqbF9biYF!c(pKkV%nwXPwbO&A9f z!hMQWs(kZP5Idr~b}7`jqy5Bafbo3wg<46JNro*WbgL)g>dnSL%;I&!f2p&;Z7bm< z_s*uM(ED{%L+_evPb6;3M(TN?Bo_j?AJEiEM9a2@B_B$B$I4As*wknvc={C1!mkzY zz~>2PV(E(2P5$s{UH1H-i3+V#k)cQaE)9Jn%nhbj+w8lbL!(yE$OC4n`g!2j-p7j= z+cOA$td2C8(PO1))@da_<_Zi04ONK*%^&7bwTV+`WlF&YK@5pT;h6Xzb}TPZE-zs+ z7?&uanU7GVw;VtGfi<6>elo>7V4`%}DLIx**hYqp7a^T+i#B|-DO6tIu&HNS(1a^} 
zB3;zmNkehx)N}S6*nB$upkn0skesXO^SN8r@6O)SRVqF1%J6*jF!IaIB@GQ=AC8EY zrVoYiNhxR~N`0$Oz=1XJX9?(Y=jZ+gzOg7m)N!q5${3@G1fl?(93ibK1+CC`KF|E# zRna~LPd@|?IZwaiBn#>ep`QAn?Qj7CUGjG^2 zROVaKO`e9nQNkg1%=K}ee2F1he8GO|tZ%54_aB}U)HA?0&x0WHlv=Wly?Vv3-LeT{ z5qxra|D29bBm$Ks5Na4q#Ya|k;+qq7_<0?wEYSmSWUbJAH!{7U4A49%EC4KRVh*P! zBZ+>u$p3*-9H*69DW6m@A_C>I2ZfJB>!Cm+w1=Wp$T%p;IGAMTmcK}zG*}AN#OHqW zRo$Ou#*N$gxwecd@^$PvrS@0j$!^q>k_?kU-RD1XFTR6@vv$*0v>k9{d$feM9_?n{-*@n(U6U5%@;dX7@WVW)wTg`@eO z0F)GxloUxUWG)V-$`{vp4Q=wa$1y>f1gFOa<9c!FV0QRZlNEQI)<~DgIF69 z;u0AlRDo0Y92j4M=N5vE(NuY@El8tus3flOkPSSIqNAmUG?>|>C^*TZ?{jxSL+onZ)e#023Impb}~P z>r`BKQM}T4l&5&LLhn-<&L5RejITr_7`$W@fd3JZi17&*+p(l}B5Amu=ISNC84r=1H* z#cvO+$!g^qyh%JSlV)Q68J%2HrJ(DPy6ysPx5Utc28YqK<5b?PgldB`eG@aicdsJf zFH#$nTLqdZI+7bKesQWbCBB}%bz2^pvaTYv;2E`UPwWS_HfFbWmF~&qOrp(5w#;JT z!GI7$aH=L^%~}QHt<%o#=oLfv$m~Q~t+T`1zyFu-41R)ueDJM&jf6$_FVhQc0$@isxjP4WlKVr&{aa< z6Kqv1OKq3uqs^&CqK@7!@w_+J&+p$=ul^2(XyCOOF=^RAFEY7J#F`e3ILzU%c@;m>*ef zsUkz5ydoXx10TKFB7#l~)D?9Mini?b@>3mauR&nW1|ku_H-*-ZG2jz}J^>5(i(Cq0 zKyfT(I;oPmQk+slB$EFQ#BRrjIP6{IcDlQ)tLo*8`5?7X&tbYe3|;hTPw#1@;nAoa zi4*T~A!x*|iI?>Qd3~6hI2!%wzMDA3TIeWzWT={Fks=mKei@+!#TSl|_K9NN&jdCpvoZ} zZ4J$GS6^vb&Ryfr{w;DZYyNkm%hu@^N(@UlmG5$9&<)fmBGY%n;a+Jbges zB~0eoEnft!@z8nYHYEQ}r z2v0J3_fpZfLT*Bov}BhDyp$SJ$m{gmuhh zgdUAJ)vpk|Uk%K=e`K`ShSy82OhsY~QSm~#ohKi$R)8YD`Z?P1`zlBYs@7zg*D=6@V8a=KsIMV`eKY zLN*MT9MY(k?6xAnO|d^BSr{1haxv^nmd_g7M;x$=2_QOn{^M@5d`}1GiWZ2u<6@ti zR}EPQ^H+U!FhKPMVoE}MQ;}VnEA;V$v8Fa?B9SoB{$WHps@4eTuOTj!5i&*nz^L|Q z2!^;(q3~*hpKVP@-(;HVG6cDo%g-CP$8aB++aJcrc0F$WB z8^2b9Hc1Ysk41%IShmdiRu&n2#j3(SgZhanG*c2!N{|W}ehEF#S1T@kemyTWR~UX) z4QYu_WP8Fp)!~6rzwpgoN<*nzcUn&_ z689!wa&Hf;`vV}#fHi=gC5p<8RM#SlLbVx;p=e%1T;a9MC$Vpd*mhdir3MTqRdBd? 
z5E#P$!^hc0$!yYQgko$u&f&!qq5eQ=CZ0a)ofaE~l<%ny!(_7JDNRmKM;#CPSQA&D ze8)*SG!-NW?G1me(dHAX!BH!_Pe+>U*W4X1{-WkiSJHdLr}g&qvA;q16LB@@oLkfZ zIRP{nuxfiCo;XbKy&~fyQ_rmk87Tf$EmYozsH9X^JVRjIRG!v?7@aDd`OjVs^Hf(6 zH>`Yy<%^$o#LF-_y?Y7{=zQmky%Hk?GmaIWGobyO*Tghh4Jsj2Ana=X#kZu8TA#r8n`nS8@{No<_14=Y{Kn?ge~L_FZ5Wt#-L z8tbSQ0k-r7t|mC!URL-nMr^S+E?)MBMHsHgxQ1{%fl}Z?u~B)y$aRI8KW`k(5aEaC znMFt$ARhr1dx5dWVou!MDr>GVXZWl-#qd8j^nC-@Y~714Ehj3s$;jHn9QBM_)2U3d@q8B#dC#Px&?6DMWvy;MvrUL;9PK z^Np?5JMeu{Dll)*v+~BiyW6>%+b{<)E&LVr+6|-e(1u4%%x6h`X*zu0W>h7OFj-sS z$ShEA5%j1pkcmMcd)Z&h0&|Jh&26~k^=;|+ib`LZ@jNv6rs)!VR|>?t_O`u*DT0*nLEQK#7)(AAw;;*zMbxxx{*M#4eQ+K~j^EdUDZvg~VNcjOO@ z%*YbGm>Qk*0Agf%XVkiM(@mH*M5mLV?NZpvmh;B4NdvF^+AOKln!O-L@z9jww+ox& z;OD{T^I=bDZI1=)>w6PXWb$oA^^HE#6^G5&?cEb(8@XRnN-;z-u8CL0RgmH^YAi*> z;z0ENv~ zUFU}rzJ5;u)=K(WOD`A`NCSmDT2A|$z67bj+BFD;IZ66rNcXCcPo{yD9Mvlp2$Hx5 ztp5aH?Plo4Op%c)jrw(8!X*bC6aj)#x#P|hWCbi4=sLuM_!3&|Jv(hFqd&7NW3 zOUCVfYoZrLp+%GhBI}%5ChOHsOY%Wjbdb{$UJaw%;5-4~3Hmn;?2M|wX72#3yqyAx zm$wC=34Y6X=HMtb%_2w#xp8+e$EZRk{NKKG<{_@Hv}UxbwAvv0n>t1FMh^Zi=(=bb zOkc`1n;O_pPWI8=sr-nG`Dc0sN}a{@yOH&nfgP2gy}Ec;x%<0bi!@Mw^t6=?0&}~b z8seH1+W_Lg{stk=?$SL3QBL8#RKFq0aN@MOGoz&;+|VE?qui<^xXW+3H5K0mN=q>` znJ4hTV`cy4By+TyVa5Q<*FfbtOxz)}Yot0*3q7 z)J6}gdWH=K^GV+Rev$*2^F$tZ6-5_pxfXeBALi zq?5&=hk~SEwP(uFpGODC5?<#mvksEs?n;qy)ko8Rc%NsW@+|G{veB3`K2`^t?D!ol z#x1p&B~=aEgr(Zl*#C5Wb!}&g25g&3Z61HlfcQ;6!Mqy_I{*=rD)WH0!=evwj#h5) zTgV(ur2@=KDmUkhYW%6Q7l&JUK z%nj2)y(0gKh1JzqegA$LtB2tL^(XeP3kk%1eUOMo$??8gkHBXB3Ye2nQN^LmD1WMd z&VCmb_@|}UtUmFY(aTt1!g=Y8ik4~3Bip8Mc)LqOU8}AR=U0GtS8Cyx6=kf=t5`R} z@u0uJ4uPTMbF_8KwDN-jf*wu?l>Z0^_>>T)FgU+*z>|~vj&`WxQW$1zgrQ{MY0^=^ zI^>klN8sFAqu~xQ20#sjwM%Jc>IOqmYPol>JY0QNE9x?e<~B6Ivw-PLkzWR7xUdXP z*jSW#F7T_e5SC)x%gkfAz^ud9=wGD+z4xz6R|h+foU|v*7Jj8|I`T&M|HNTc^$5jg zEvEHK>N?p@%mDq7y3S>D_Z9)B%^KC-=dZ_oQ|CbEJm-HmGC4Qp^uYw(SsedyEvf6_ zeHhz!=e2ysc4zg#O*dHGYhwwuvo%|5^8DM?^IcSiYJ#A8ppLg3L~pmSk*E6FM#5*P zL2nmG+vvb9VjJzYp;g%h##+$ocaY1(OyYcbg)&r0tP_4U?u)qdK-IKeApytv{Go|z 
z7I}l+2LLuuDw;@JAT5GNrR6@?&`X1BA;4usEMQW$bv~Qf9V1)RXm2?am=@8{;t9Wt z@E1M{w1xMU>7-lb61rT~RYhaOvRn2ESnZOtYXtE%%hcEttcxxE>5TA2e}AwZvlWs< zIGqUgn7|6B;zXe~P>L@DA0mdfeeOLd9{U>kyaLSOjvCBbc!S;w%Q5WbjQrRBf<^;C^xILzQn81 zDgZEYEL)=(!gX|v3k*#Zfrn4Bc5U+!@!m`=TNNQ zN8e5^u|4zv;I08y42FkJ_?kThMexE!l)26)+dVcL^gQx&Huq*ak>b$zw&oNQvG)x)qm&pxdx(Je4p{^Z4!xeOAna?nDLw`EoXGKnewilUDJwf;dA+I6dwAE3Zz=eGI&6iq zFV$4vB-!ZO3{)a41_YI+?vw-S`e^xlko*llj9~sk zZX2Nsg%31>(Tme2&J_v3def4<$9%BN`Ae9i? zAQG8w6e!RJ&=;(lhQs9M=8Pz#fuZ1NY%>=JP620btKHlnaV8(4p+SqHxluBH$pjiJ zB_>*p0UsKTF|yh!3CHQP3Pt^^Pi!Z>F^n3iv&pS-wb_ITUQ~FyyBE~>+#C$v*z|L% z+HZVyyKQq9b2T>UbLtG^d{37xHq!a|YSE$HAbzIZ%(e{$-7Hh8MOdU&$J_Uu7C&Ze zoIM*ver^n2lw(d0y|Q~bV;|5B4zY?x$dAw00I~uU8w_GaXz!b^URsE+RjyLGm0JK0 zC0?IIUaZmx!h_w~B~)X2!qz6JztxA{aQWi8IPGw%7}PA4E;XPVfMmUfM;6yBL@N!C z;Ubx!V)|#I7EjrVDNd`*!oHlZ*Kk(_d( zC_$sZ)*SpFB+=&0`e4LBP*SB`y=@^D!BT;2Fg!{suo(pvaUca7H|ut?IL9a{PcWXe zc|rmFqB*8pH_AV5xnw~B3*7$zS9UORVTWzjNiAS!4pW7c8m{Y(3L4dzL4R`0m*-OO$^Bu*|yZ8cMp3>KuY2_`ORmNc&rP^Hx)+rzmA76&{U$cZVV#9d2u6{1SW zRnc0o1B%&okqzQtRO*%T#8lb}Db5D1gwyy&^d!GsAlJI&NI;%sd!%oD zdRl#hV2g)LcmkH(ZA5f&2NAJEx**BK8!Cn)~;_A<@7D zk${gS(Q*f!EZY?=A;Z8;_~`i~Jwcys_RWM~-QL-_PhBf;9V+LP=y}Jr=5&;WI^yD~ z!|Unq8ddAddG&h~QLy{gC0HBCR8wFubfGTlcVasreu0wOW!p0dk;{q3a5IpXxvdcQ z)6L8~Se-J_a3Bhl*h(5v0GfV5$8vuFXuS^_8Wm$e-(TA7orj#!`{-+ps@Rz)uR5l( z%cB}8&8Ug(ldD{=!~HgM%~Fn-o=E?aZ=0ZZ9K^c3t1%X<*KF6hp5?+$BeU1!E3re; z<>_YT8)i9yM!lAAIYF@&d`vw$>U_m)lewL^VrRxU`y0g58*xae8WIP{?%YcegZUX{tAn9Zi$DRl17tUg ziY=diJ;j?FxkqE*vg+Q3R*p?DV*3fPqI@tZq%kt2;Cq0fE?_x|O8u?g76LdJqXCme zvyEW$m-F=Tak(~%Xxn{xqwA3#I+`i6J-rF6q&#+PhE)A~#V!Txe?PI+=Nm!*HANY5CLtd(&6GR&UtSfGuRDhI{SDZS- zs^YOV)A;GwPCqC@-UdFpXB&I+rCle4Uuc?We&DMM91<}@@}9oBt!}66Hh?_W%k&o>|=_eGmT^sovT3 z^`G&1MzQS8-PB&6dG|bs;qJg-g8OsKU1E)XE&pBOVlC+y{CHIR$;f5AS(9{e8BPjX zoL`eu#r)jDRKoWET%7UUgZuaOY*c%Us__ma+sFq+znS& ze|=7*>VjL?gjbj6UE7q8!nk|6w_E9URdP6e;#YbQ6nwdS+v{wU-%qLAD@uBof4+2l z|1;R|eu2fL^HQnz020~@6cCx{dra_O9mfILb_U@;3SvWF*279Cj($Al>%4mV%o811 
z20eHQ5XYjbju2N63;+2iXsO!|ySt|1!V^Wvtg9RwLc=#ahqSs7vYM z9@o0#?Ff}LdvR2PL%N@SX8?Crx&t{Af}%-n7-pZ9UtP)e&MLdtLu(mh=Xb=*;{n_r zEHCfU^qHZA<-_pwvr{LvGb`OKGS*Dkm_nvJEjBH$~op=mmcN(NalrD@Z11v>+H`(cPunqWm)8#_tojJHN;x zS{@uEI`2$oxdd)Zsk&KM7nchXP9#m>n}9)n_PI(kNHTRv_rf}LmGoXdwNZPbFXo@P zZ5@XA9o*b$H>n2&y=@w&FGE9Gm$uVqjT$>W*)VLEm!~_(Y*V#@TE%~{?87+9iietW zHauf<&do#dQl6WESr1A2AEL5K0h610qM~^z#2sfdB;@RlP)Le539a-TB43Po!LeDk zLc9_&>A&Dtq=iLQNfL%I?9ap~n9uQtRn=&nx82t%ey6m6Z@sU4f7sefdzR1grte%8 zX!qO@NN8;2x(&zc9H{a@MZhKINxlr(5jKQ(1fpt%kRuRPF+z|^VR#O&gk}T2gd~(6 zIYcy4TZERcX$o~`gXRW&068vu+@!D*jw7?$siv?Yfk?6fB$u+=UC_|uRmPi9oIaF8 zSq1DkHrAA1_&s3qjF=$#(sJ8+!ygGq`_siB0cn58X+K&KXm_wl!lV9DZ-E*bI`;JA zJtPdc7J_{6e{pq|iL}eKOVg?gg&cw5k+`;?54`22jDi~%N{@5rmFfPHpJ46lz$^qT zz!1WD2CgAbFdEXNKQ7xs7=(EXbEjer4CKEl)#f)85a5uu9u=gjbnMI7#KW;2NMB2- z2w=sQ9shby4jQfn69VMl!S#|L*)0ele*=1^0vrUrlz9StpL#`rH=Fy|HJa|BaAP70 z`uJQ6g*V%~p>dSVI@L0bncB5*(1C2dl4hFhIXbes?$rZb6Pur32YRV1Fc_o|UHLn+ zAJAJNS^cu@e+f}4^d}2JpJ!*H9m+43$67mv2lbJA>7a@En}L5Cg7^sIl8m3pLQXi8 zKxM1;SZ4qk7Cb8a!xPNw7yKx6R%Tn&j6T;~}PM#l3b3$=TyF`&bIYhU*p zC_{Tw4DKeGc`-x0K`%aqJW=o&a!XnIJ@~1PVuU;ZeH;u`5JUK7RiJguvA>oOHO46m zStT#e%Xw?b8RhB&KxU|810PC8iM@e*OKu-e9n;oyEp@ff3p36Ob|mJtaBUjH#b{P~ z8+hfiW+$Bf!rd!PPAz_ac=;Et=CgLMitX%9VMnH|qpr7gur**)LWi;jYy%*3J!pf@ zCHe8)qMz6%k6gW*y;XU`24O|t>qYHc> za{0IO1YaNFzzI6gcQF)!Mu)<$h!fNX>B9p0NMCw?HZBM1W2?>p6iN_^fU2Wmu1*YbT4Nr zmV8btw;e~?xP~|P+Q?vh`eahnR`cl{f~`YpEz@J|tp)F)QQ@0i7S(EhBuniA{krUq z6tkA^m{!j{LU1^P#%G`sp)@}$G|v;$6_J&v3%0jT6we{kJhioI152nvVpIeyV!D5# zY>|d0%p~dW0o&Ri;Z6}+FVltx?%pp8rTE_y<=tR+*!YPqjCZeC4}P<X&JbSQn6WrEZ^Gnvjra6tuSwx#VMr z6&&s&GUbD^e_-?@+WP~eUsz5-oLe|c4dM1N z9OdL1Nj<@Oa>~1C^G*Ek_aA#u>`b0hHJ?`358hr3%vVzl9ZI2;a#ZbubcQFoLI3qvAo5NeAaG zJGNMQGiKm7Bp+NskT3b6f-V#fFeB^{_tGUrlVO9+cL%{H?Ym}U%bZptzR{D@?+a4c zonWUoISu9A_M_|E8PbSz@fUG&%kjH&-ZGz)utr-SQY!#QfJmVHEj$>Ml+6P3{+@E3 z-y9jl0{RSlxKJTeZZUVsfHiZ#E?KdbMU3Yx>Yu3@<>Fu}na12HiCeRy%maK9VO zV>~~mVl&Bcq5{XGG0{NH8I17!VcD8C8Tce+x-Tc8WYUk4)u8{IyE#wspx3t__tbxr 
z$LrGxHwyl|WxyMB=ty7@=KVXS5yjs#jVS(}Sw4$eGwq;Q988DO`z@!m{1eZz*QYx{ z3AKOO;r-{3low77D-fsO7h)5Di--5H`vNx+fjIXob5oO|qXyi6w$4`KX%G*)c3GNJ zjruyWXjlcZ0iSR-E?C?8&POtn=aWuYn;(iBCEx%DZl295c4xmM6BwmJhwU!kRNS%V zHhZVpCCn*3O|A}WA**54SQdz@VQCj|$vK?@7jI@UkEc-jp6W_fv(#=)u~eC{YN0~^ z%}yf)B>M_G5UO#2n|n{?WSl!mI{U)5KLdUe9aNnjv$C35d5|!M=8n-1@9m7W-LuA} zrnhi!MVZ?7sU0Wx-@C6iPwDZc$c9BplC9lUpx zOw)}+sXz1Zp4a&k?96Vc`sgiYXZc8RhB9^|KQg*9Ot#V*&fL8B9nRg2lw z6$Mh(RmQH@#xKwxxR{E@%oh^qPNDYzgSH$~zMZ=-p~fICV;3<}t{g%;Vo@Qg{R3HP ziWm*-^=ha|A*hp}+%^NOagJJBHEoQF{vO|ie46q0<@X>q5J0xdExI$ONq-i4UUfyFV6?? z*@nkI)}}7?rk6cje4h6!cRaKx3T;+jg$s`)>G9E4+6w(a7br)C%S0-Sqxk z$pr4yL}+7;Q(~+Hvb*^$u0_At8b+*qgq)R3+OI_*0imoVh_hSUvIF>Q8UF%)dWJD|2Sz-kI%UEF9BErrv1>POq_I1@z$2%;&nMvJ1OnQR2SI;;fiUE~Kr zcTwwoe9Vc?N4~4fJ3T*e2jLJG`(mHUz{#Z7HRY9_D~L(|z$U>cP0lW^C@ob3SarPW zf#K=eG8g-j)Bj&dv*Sd2|4OP5+8Zj6|7J1vfaEJ-CMPL{CJ6Ay#R23sEsD`dAhc{=(oxWhMibClLa4x`b-im!U@Ap zeD+yt6cmwOJ6dUIrg|){W1(YhJXy-=Hzi1&Riv}ypCOu=Rkx0%}bR=59HL<-?KoH5}@YLCfw3x%n z7>n%%zn3k=N>?{gVEhnQx`J)Reg-+<%|O0tJpaV1i4Xs$z6>|9Z`~n4`kjt!JT{5J`C#{BkK28 zT|$e@kADrT$Nm0dHc;N{>AqO4-4NU>c#z@n>Lu?aeC8E1>)r7?83C6~IyS?HpdbpG zi%gX@ua9|WaFi*>KKl_F&~$-HCs4~S5hLVd@G?VC_P5RK4`H>{h2As=#f08?=|h%{0B?S= z!~AEkz6Nj0FHwVHVX!VW$W#*Dyvd-41CuDjNpd160%?=y2oJhnaFWn~eRF3>#L-SjjK5Rw%k zN5&-dc_yJI=HMB;qJDi{X%4H{Kr+hAjC+N6(2p#MmJKuIGb&mFvR!|k13LA)1bM z5-QE?_4`vo*Q{LGoLZtk?rmuttURTYzl@x)ray$IhG`Ordd91W04h>6nx^ZV{=Dib z^!tkb1J36$#@!at5IFUy3>#{D+OltOpAb02vKA2W`HOUx9(B|d;^9sk+7b)5YK7}8 z)K&_ssY*67l!1N4;v+%!zrI?C>J9u;C>A01!N$Eojv*#u#8Nai8gRcKPh9-T2K<%; zQLWB}sYa8<}3m#fQU+nn0b zmcgNa5(h3u2PsRmsWDVAz0-LB3_=Wv-mA z_~p*y?S54rD$dL#lQf>Mq9Gx?c_{dx)}Staf8dWn@XikmzgyfFkv=|Qen#U+7;2h* zf<%fglvCkr^NDkY$*5~=6$fySjLsP#_Frq@6MSpw#n__J-_5`vP_jz|#NSzC5%{PE zT3el${JIIQFXhdEe@~Z#Krh}zH5Smfti!_%O!bG(ULvx;U~dy8EU^WH6kBCC4)dOJa4#LgKF|W}^{H{yLbiUId-GQXju2opZbMBp4*9^-xDeq-q-XyeFt#CESxcrHVkY zyT)mvEf41DE7}0LOuX24rf{+7)_jcvi%X{oNzkOk2R_Es=2^MvA%~A<(}{&6-li)` zA+^j#mg-*<-Zzxp`vEr`g&FyZeDVZjQXnFkm{3TwlC6ge>~0-Zc~^NKkNEq~MhEJj 
zmrqBx<=I>;T%2ydiUsM5@~5xtY%<~Q>3RC8YJH_^z@3r8^LQ$lZ`lX*T!ia%T!QJh zR39Snjl_ZHBhZCQldK4M)PY$0N&D4}wAIed)9Hrlb|Zg*8m^ua*rJ>`FSaj7) z<;h@VFf7apU>?3De}Em49`j4M`DD|Aigm*U%hi8=u7J}HIDnd?xt&t0=%FGCQWg22 zi?5ymXPOVRwWZ}teDjqGhyQYiCwGjWaMVh&GkbYdd+@+tia#NlG!VKDo^E;1U-fDqqIFyuyHO>QPv$ikJAOv9riVYZxN0w$0-Xz0*v` zs1(W4iZh`NTV{^W$FY{0^P}tKihX;O%cF<_{EyT=ce!3-FsYi$G(J>L-bUapH2@2X z)P1sB)z+s5-q5x$81;Nkb~HKamlwLTneoC+Wi1^Azv*Ld(AORmXaz)P%He;{ri@s& z8P1GtHKUjS42dvj+NE5NHn4>6cDj|^Gy+wn9#d7Mv~9@ByQ%gS)U;x4@)b$3-+K+` z3lis`6$`Cy2`4=9iEK7P*QC8w9lG+gid0&!-HoxuqJHhYf&l5fA?puV>GwuNWNH3mYxvSUlE9gM;owIimg6aYgE)*xsTscf$@1{X^n* z=CyKB>f6fN*^^csS3pY0dvEO}F%HFzl)2GmUB&Tn4`}@s1CO29ot2hm`M7}6bI)=! zEBakm?KCtJCBt}SzyL)A`A^Zs^V~qZ_c+P(i7c4WB!mFRSN}6D=>Jkb6Gf7D==78726Ei@<70UM58dUIaSnlZ% zMRh*K2>SepnGaXS5=v3Z9*3LGhQ4idP@az`%bWWQ3JD4p{gxS{C#Fv^L?F?|D&GD% zGu!c?W!_$ABD|)9AKU5)Lrt0>JXV#Y*+Nh(Devva*Zt_k|6j zUoLr_pQC+P$0C|G6q=A4HD}WB$G0yqc>=?J#97{GS`lCNH0Zx?II@eIu)BSJKHEEd z#y`=-v*}lerqY1reRf=-y7@#VbZ?;$p>7w}sH`YE$#x;~4Q-rID+R z?u@`LVVR{KIS}#S?@X5#*b5>tNnMOwsWx8DD>YSOz8R98Zt(`T7+vS?4Scdw z-M{0si4l&ANK|4S>nuFhDvo_fDbU;5dMh4u)zzuH8wny!Lg|#p#DHl zD)|^xI-yi^xPi@$Mt>nQo|@G2Y}?q*F%BhVDVko%Dfc9@@p2g=FkQ0&X3psu{woq) zdeYAssooIDLcvO)pq=Z7N)jWYix(kKAefafP?X1?t~o?BH}exC<_u6*)YnjYLgLxP z1d$JYt7vq>sY1aR@W*r{!mV&M{_qe*=x`)JfX1iwU&jqCIfY$@dy(RsJv&P~9*2w1 zd=>?x@jDTiDY%E9JkAVQ#rF`}z!>3?l3v2rSIKFuyPtgju&}vdy4x>0XOV)99ZD#d z5T>Cnq!RA5j{c~LphXdJlBA52b3Tc>X9#bTr8TYpDViwv43>7lwGfR)Y+ILLR2+ZcO9;~%c1caKVBMHnZ`^NzmEm1Ny3?f{s6Vo*4)J!le|y2BpRO4>tO(x#D(dwN8NM% zY`EQ+OY)4xwW|vwkB$>=N&}8Q^xCu9e3aw-6~UQi2NW{6SGb)6c0=iLo{wXJ+&eK8 zF~kg8L2S*GAZ3Q!WK$<8eNpse?WlwUSnf<2=79Kv{cd z5V3dnsQS^Q-x7>N{Ek;D=(p8f8X?#(8!lRN)u~-}EIb5f&b3i1y`v*)7sd(8{U+?a z(F5zPQL>R#*(BB+q&2D>G?LcMLgZ!!u!HAM0*lGAOeJw9V)^87`%77L){y^?=WLH2 z^tY;(wwBnlj0jP_Z|2kr8~mMb?VV(S#5t6+OPUl>?{l@imNRHWK_+YE;S*mh{Z)o_7sX_A>e98^U@U{ClV*MsXKG0EiyS80;$v z0s-9{Asb1agfdpDGo)-{5jf2+x`#~%RZRcwKPWXA#4tvI1dm8({BMCE1m75QaO{n$ zevQE(n!DBnsC_sE7q4+-!<}bz;;Cakm49entlvKU?#bSBf4`HfhX=Xhr0xvv11HIe 
z1Je!iE@&3{BOm{}1#q?3y0m=flf?`zV9o?umQ3&FAE;A^b^io(j*eIt%`@WDf8#Mq zim|=xoWOp=6$l?DlW$hAWqm`OwC_p-=eO!qENF08;;E-~!^O|eIyX(1%Ca(PSGu}j z7w$!Msi?Cueu84If`0)sPXzV>r|ySu-E7$3HcjA6i+QFKw(3md=#>h0a)t9J(TR^k zW>9TN!*l+%0q3+0Q!{-8I^{W+b9vtsvKi7cLw+SE2zr`@k1#yg+6e>-!ghCy4hsl^j;XlIxw;RJvC#CgYX~0PRDR77_B1&OEL(m!38N z%=&*s(GrJAD5X{YKaP|QsL_~ zhZFQa2()pQA|+BA=LfQQ-qU=5(>a2B1Fvj8>}z4x{58GZ(I>PBNb{nGfRf8arVPEI za_8mipS!hOl~y#rD~DrKB6bYi?*hzQ?9wzA>gd)JZ14b{Q`s3u2<_qgR)3c5? zB!vz4nkt#Fpa}=io|;w2DUUqp&venk+72CVT()!|nIa?b=Hysz!+?Kv~JZvWCuk@N?i$q+6pHi<6ix z^%q{j&8k9IkqRh^13;P+Kf!{3!uOB7V@c=)Pfz5hi9~cz?Bld&Ma!04#3y;M^|eyZ z4WL3Bt1dS4u?3Ns_*Y}Y(@-4E^n4gVsNFROGzXO6S({^FTZ~5RT|RO_qCvkm0@Xk! z-;nus;n>jAmsyINboyS-0p)=wvGdnV_&bSpVlIF1eQW;p*Xz&yrt{p-i@GGdO4o}w zGE~Gbf7oG|{X9$=T8Q-y>M|W_HptW!dfNGI2p)MP2(MRtJ8V&LHI_sdrhG5t6QI`k z0dYd^xzUKV^IcCzJPzl=%}QqSZgt1l@)JsVx{}q_Qh?il<}eG$dFLMqbEu|m(^;nl z-RJ}yUb~tlDPL_Bj8q8bdd`ZC;Pk?i=){l9Eo#1-W5KTdyKnR9PR@FI7Ytx;&6h*` zL^h)z-(z`iOypE^Iufyf(V{>o4sHd|Sy@DvQ1YzZIv?9(wybl&GO$oc9t96CI8OPr zX^iZ5ovGVekPQV3+yx&9Agcx({B0>RP=7C2$R`!>tDbnX017PRY+kC^>mS-hSlN~( zSo+DK^tutjUElHEfJG>pX(G}R_WlpBd@Y4|LN>#XPrub4x~hEei*P$t07hUOuG?K3 zQ(~&`*hVij!}3qU|IB+=I=%rNzX%~H4w7aGmbmQtV-V~)+Bs)6eEegH;S|iXS=_|lLmH>9y3NC_@J>}sd}-CcesOLt2ovazrqg>m?ej=LM2QanwT;F z?(RIF&(1<$1bBCfLm3w)d7sbwE6(N%Ft61m3LTR(ZD9L1RKWd* zL$HEvg=Btr^I8IFqDX6OMULrf&GU@-2&K<11$X;Kr{*ruEW%LJc2P! 
z#XGw=`^7`0!i|$Q!k{b9G$w=b^3br^&(4O)?Bq$=;U1(-mVjP?wsabsNfN?2@Ioh& z_>-IH&Ko5P{&m7X2cz`UW7_H?^-78e8;YV5?78!o5-}GqHS;;D+9^@$_0m0d>-7GE z^T*7f#;R{f4Jxjt&)Q*)eHBuY{#>Ga3FHlVeNFZ;G0Z0%nC#+>&!M60c{ z4K3XB)*3TKTySvPI61mizhcs`%TRY_?q&=2L$9AStiBW{*Dof5?>jl9sG^SG-C5rE zp`T4GPIyTn+AY)8b1#%EUg-Zl?`!oq|B)-r=hwBs?;^)({harwSx45(nYWpEr-1e8 zoW2iaQo-{N729or@~1(JeWHj=wrp!y)>$B9kWryek(~%^e-5KngFAIo%t33iFL*4CiWf5!;$hko6V@GqYjWT#_9rdjFM;}3}uWeHauiRH4* zaUyUuK?lFH!AAeX^M>h94DIxSe$-`m=*1NO)(g?Zy7UJsg3+4LX?RJNR zPS(E?t=EEZ0Rn~qM{%1S5*w^n4uA{jG5ioT>;g`cljhhsR%ohEPcK=%A#zd8=a?X> z#4KstK3z$u+X(wM!apQKCSH8otX6Rqy;PkP^No=BA<8m5#KD`}xi6TJ?&xq|=|?DH z$p)S0t)n~8{Z3VEbvt4eoanD6($|d&@A-rk>0=PDqrfQnuva4(?u?rJ(@c0NeM51v zelHRIqp3Y6(LZP#$oDny(2t@5sssIbKLddBi?r>@EJNKrxH6yxOL$oBjPh(xa)RO2 zzi0;jz!six0i`A^hL1Bsc650_pk$oSNJY-aZzu-Ccz;^`GeHbK$M9cU>@n4bTZbnA zG0FZ?t(I!@D3-mf#9O8}<76KwTD&UfDx4lVTAyX^rlI$OLEz~Q;f;G_g@)YHnk}bi z^0a;l=zAXkFnYvls8Z)fCn)?w3*n&*%PXVKh=qW>9@469H$B)yw_x^Z>4F zbdx}zWxWFdvhpOGL}K2G^2%uHgyCPU$S9F$n?$pX)Es^(F;^;A7?;jqWhID^qJODf zJSVnARpPiXN~ifxj95wK4Bz!T0M!x`Yen8La`{<7KKb;31qK@bhXOVao@JsOr(vc% z0Wg|;jl;%xw~xe+97&v?7OdE7I-kri(qfivdvT=fzOO&Vr?4&F2ZW!Ovmt`>}N5|3SPTjSHByO9ia$QQ)l0*fgB(*Hk)9^2|3uKBJIfW1TM8L8*iY^29Q>LAG zx%XY3&Mfal6hRo>0k=-wZK;)Re@P)xON(N zE{TK*a=tOd$kAK-Cc96oa7Xta39aA^jBNd|0AAXCeCN{1dU#xbqi~lZW4z0&_h6*x zrt(Dxl(xv}`wI*HdFRrumfA6IQY#9bD=EPaE6t*86tD;+7 zNwl{Q8ifLLxS+_uPOt(U`y1GBIyO=QhZR~pb@^Y@6`9Kw?e_)SH4$eSVwZF86UC47 zxTgz?tVbgkTkoY?UcBd@pNiVdoq#G5_^8V6>hxL3DlhNz>2O#<>P;7_QXK0j?^Bqo zw*BRugS|5Esa1+M?)rzu$n)&@_(t8vJkZTjr%k@ZQvL-G2+2%!3DZwpon-$MLtrpd zoOEuMNA%Ci-QPu%*nFG#>;fweK>TB?lfcn0s2J&(wJpEy<8Sj`rM*h!X^{ja{CH`~y-F`_(|Y?*}#Q4!5y)#}Sg+7IJt5U)cCNb+jIv(vJ)+ zKzCll&BEXLIm5@73kl?x3AH2{I_hA|t^69?7vepmpR1%S2i}a-6+K9xkiXt|6%~Ij zh${iyk1)ZIfF5C6qtQh|lg%H9C4iX(QX-aAA<%3{x&DUD%e`V2rzh|KWXNp?^ulm=CD4=$$JgG`KEYD;*4qDAZq9yV^P+3 zY7QuOu&*u&df+A_Z6Fo4@3@LUYB|NIiyBH$QZ{BhKXajZb7^!g<2w2Tbk9$$H}q9y zg5yCk{i)iU4QN{5LjN`kUTyM$Ew${Uze&rsWH3AH^kMz)cr?5d6E(ReL5T>C@k@Wd 
zwr`ep`@mOigUetD4FS^35pkiCQGcn08m912D{8gP$$`uwG-D}^tYM1$^bmz9)rv#m znBX7eu9#m16`|YE#{14o{i?2O9T73IX5?956h|d^Q(4|gDd0t0Ef^qb{=-5J1eEr zBI5>;dJ(2Dse8}mE{*3_ zRuA6S9e(3IksI1hdE}pV(`lDls+%oSE85-M?xr#t&d}Y#n`x5GBrEtY5rWTM?^49MYMUPKX9gW zAf$vz%hph)B&bj4bNz9_Hy6*t0;^t^HZQxE9c%HKOWscwZjq7NxWOfV&iQYbJ`|X% z4cQc!w!0@ddZ2Zd){aL&*sXXuw{*Xqo*wZ2DE5r;DL*1}QS<5Q$}ISW_`@!Nw2(tm zNkV;LZXSzlIZ2_JVHgy8YrYYeqSK~*5fSXm+h9|oSrl|)j+^_fAEG6TZwQ#-~S*4W{jXX_$q z)-}C>g`u3BZXK7x@ZB?@s0H}gDVq(-{a-~5A8^PCn0991U$?akI(#BYP>RRWtDVkI zkIT2FR3H>2k2mRFRwa^He+y(X*z^Hs6ND!QCDEvFRm$g6gQ32Hm1B#>CoYTnw3Ehr zQevL?_#i#A+g!?NnI&8A!m!6*CTEkQLKzE0G`dnWUInCV>`egD*J+_f+mn_Sz|M}f zxr04jV~JggSmYLxPm-@$R!i?do^*h!*bHlpoJdFdZ(L|eZSU-$r)dD=N?WnBgG|Gt z>FIu{`$LLToRE1y8KXtq_|klvOCvW;B&Db_Q#;=++BN`> z*rvARD91EA_L3IQA*L`TmQiHgv(BhP1K@R%>9YOvGCa~D2L`D(8ddO3+qD1##2Ow_ z{gDRu4)#U1y-_-41(|(%o^-m`Yu6AGO=>Mg4$BWtfR&{BRE?(YquI2YQvvXK8nD$# zS;+!*hoq)3-b8uody)~{*Nw<@1V(2qXm;N26-6w|6gj4llKgd?940wQ`K*_owPhA| zJM}|9@4#E}1`d83(lz8x4%8~kx}8leaS1VO_uH}b^dIv|-%3h2iWjPxZMUCqAdo*Z zp!DK*mez7t(c_&cUEoLmAR71g_uo(RhncjMEpDa-IsY)X;yVEnM1jd6oYnd3lF3;Q zW>nKGifdTAsA;&-g=_(YqEQ0SJlkhE$=Ffjl0ohRO|^ z?Q#aCGf8mg4XWFZYUUl48)E|W50X%4Zj&>9bEs%5y$z76pH$<(wgesEsF&K6eV)4g zI1xEIWgr9w$ZBh~lSvz6)uGPh{0$bZ?MQr{j5HpFAD9bv>IrH}7SakHZPnB>jyqrb%Fdf$(GW6j?wSxwhOUG z(ii)wjW7^!nzv>6{>nJE@*P3|Je@+<1U)o_Q5tC{@VY#jI}(NGnxr+v=IfsXnID zV@4OL_xOy7p-^0}1P4L|pAh>muv@=&4D4XoRe^yGQzs`KZoK=Z7+x0`F}X`FU(<`F zzS9`kO;LH(T45o&OL9bO)zpdjK zPwHVzPpw@*$^0uLzMK?P{q-h*7K@z9HfEj9~w^1?X`7=Yw|wXt20BGMyx@ z)znRa7L?2)A5%-?EO#~1TFR;CIce0W56@OxZfiD_{6anGMoDk(fN!-O+vfWcYhc~R zZNgX(?1CCM-A<_W`{rpdWX&%n*lt1JH``m-6SffL(_D>xN2~tAUmv7-ggls{liR;@ zEtkA=&DPQ>$M|20Q7gqWW+bfenZ@B^252brj1I%(4>?+0cbj4}G{KiEKMf`3xL}^~ zNc2teUXjl5T&HVIpB+8y9bSaCp8%aY{ zMjqr~%~CwXmL1L6rFg;<);Le+S@3$>gIi)lOpjhoc(TF53W*-0O~Rj4u&Y>*=vF05 zgpA&|8x|8$o0(3V8h>CdMAG}5d*Z6iqA+dJnim?-XY|RzCkr|#LYAzuiK{Akh2J6p zn`nGb>FX#1jTJLNn4n_i#FiqTYU7bqeewJk_29)iCd@JptD4FrDo@h+o8PG+gPn_~ 
z+_iH`y7b8beFhA~B>MiYSJd4zS4?MW@)v1P3NT!-+*ZwgV8?`1Bw$%!u!?jJ;rza3 zd!d6n=z7&NpIqykQ-^Ivo&xTUp88YU8f(Pg}jzpqXUqm@`qClT+`{F=?( z?Q}mue%}1OytNo5waJl#58UY1{pGI9+G-w~g$if5aTT^_O^^q2%K*+e zzF)BJc^*`r7lwp3>yTX-oQ|jNfS&qQ+5uR*c-=bXev}_{4U#ijf6>aSa%ot=`z5F9 z>})a4_;-)K`ntLI2r8wEmV7a><9kVbSO52ZSCOLlB;dl;ip*vyzK7Zoy+U{uprpF8 z*#Fg)TD9L0N?sAQplK0bwF*8viVqqCjaLborR-zstcr{W){h?ET73U)bLpJp1)ml%(xzUZt3KI*lfYu#^pdOl^JgIr(|gk z<^SJ>P?ZYFL6=R$P6O$)>P%!M$%RU-F^lOZAJ*Foz+`I`1w7_Ubm}nv3na7!lk{m` zy^Q;x2AzyIs|XK^Jl?`=s&0nqvy`RoFa6q*I|o};%?&QnH8u*Wt*LTnI7>1`_u9nFjw;ysWEMw&L$r_J{dGDa34RA<7L(tF zS&(PYi!)nz1*_u}tPu>Ip6w_MnwC{!I*(OH^eum_9|bsO50Syk8XDfXp2F zcx32s#q}NDrz?48nz-lEBFuGmTqKN`rDd66M$$wG219R`)muHGHP4rar`wm?Gp=wi z3O!XZHd#A1d$oJv;b<8#Ki6K_&Xjr|EkS7XxIDa{XtrOM1VtdntbjeI017jxz)xN8 zsd!yNJnPMq&U1*i`CMKm?Hq}~%jLzh%I)D&r0I@v9dh6HjbQ`|DpWQ4ef zH{4y{K7@bTJ5WmFtQT^kltD2ND|@GNg|S5iK77q^M&Bd7AXxtX6)Y`)zi^>mq9EIG z^9SW8=C`Q#K=%srep1vaeG16$V%~41No{2AvEzOl$SU?38q${d^T2^@JW9FihJ_)0 zP4Y>|l)6kMPABAwI1j8|7&l&(f!;@(b* zn(A$v9y4sbo%h{o1qpk>l2?JRs5*>L**+ma?d`vsiqdQ^}x-TZ52V2MhzvWJZ_%xX`7$Gx-JJ1xiUJ^n_SZ8T{LG9_V0dYCE7Dl zs&f+$r$0#;mcPC?x*E=&rn;KD;G+@R=MIRYGbaZyfn^^uoRjLedo|+E>}$pcsNdCj6*!l44>w ztL-Pl$4*)PcM!4vqq6}~#7Q64Z|wL*D4!XibklVh_P34!e2D5!J-1#!N`GXjrdmm#;anwtTw%hzbW$UijsR} zQ{d(zuI05PE%k~V;5c&;m5PKlD$JGT1NC*y^O7>=8J&%DWuD&AoUfb7^^=Pz)6L$r zT**TPb763XRogbUY4nHec{0PaoL=Fa*jD+K@2hZYp;1pI5gA`#S9I-(v8AGUIxiLlIMxj=rZNJFEk@(DaV%U zp^dXFMqBgxxX%Tbe?dczdDQ*4&sINE;GRXN?(dC|GO_dba~&3DmcGk)GOFS0dCyCp znxng5m)9-A>hJpDu{Sgnz?^u^EWdPfE2x7}!CDAwhW$?D%YCX^9(Rv~L3Qy=6(G^c z?!ViFdxVf_JI$(l1}$96_@2}eC1*WdPj{#?~pF6mU| zpUDp4<#~xb`8|YG1OyP@$o1j16c^vc1xw3>!y*5&5e}Anu>vQ^ zl@CFhB>;Zj$}w+UnQ4+>)oX(c$LE*L|A-jNkC@;{Yj<`W3z;ZJZj=y+DGYDj3d-() zQ@a9gDEH5@BhwWprUTd0-x?SF7@P7>dgi z=|a$VJ_int2Q(ta)zp&1Gag1+V)L($a8CHz(tMt24Iie;rtS~YF!`ZCp?=oyzsA#r zN>11v4dvkSekiBrqoJ4!6MQv@fDeNyLYX0y3<)Lp(m4*HGl!1JYP%T6K+ra87%6&~~NL31)ZQ5L|&ar_{EY*Ecet+&euj}5I5b`+7yK&9wjO$R`a}KQI 
z{Jm%B*esw?);+bE-i+mjt*W0tGvI&RC7ZQFk~Q<|5TXZ7jJ`e_N?Q82>OWh%}gy=rrO>LqcWsH{B^ zrD>#D8$G|{`d~s;eSxHgrH?K#!y6+%h#onxg=w+{x)*L5xOIonKaq}c%FL)@Hp-1HvvYPPzxz*-F3?D7} zE6q^e7SY;g)LIwF#0Xr3by=K&k;Vscp5qU72MccL`ePU5>X7zkc2?|1r*{tJM@00c zu@cgcDPVP>Qpm4bD->!@bSnVUZuwLvF5c(l=a;ASXSeM!N?S$^r|kHz-^e$ zi>}5>s1(&17a2d%K~Qq?{nt*Nm>&I@>OWZJ{deg5#eN(0_a%NDlnm!%Yse%0vJK~~ zT9MCHOji$|(cy_A;UY>vOZJ`9%LNSCS26WYs8|xVgoVCzsTVMtzr&3maFcHS>gABj;2T>aJJw;!LNEIH)dxEvv5dn?W%#?vapm zxQ0LBQ;cBtM-^%_E)g{8=>Ez%3ymxqUEn>`rYoL-k-*kzOwdia_8_YKVQuZQ=b|0+@Z0g+w{CO>4qVFYHt|`UW^-e#&h3Jr9Cykh#YLI zbz$3|x5^w%Oq8C2y9J(8Fq*o$-E&py-zKpK;qzJIs!ZFn&fSuLx?;We_DiUCnOSoR zK$d_V(dg)2w~ZJ1LtSnKyS0jHN#i@bo?mKjq@D_z(Up3QUn>=x$XZr~ykxZTPJDX# zv5Uv3__6FfN^h%+MT&3>d*0fwhWNvH=!_@exv&s=4KkBK%akFDC z@Fn1we@j`tzSIJh1wsqP7c8C7PBRK|6w|v!C(Cs@DzmWpYU+b`EB<|MK!E81< zT$g=`^I#7snflrUzzE|Ymah?GL8qA5UTjubS}SWse!w0dqYD{MbK(bCf1DF%_OBjQ z=64+quB5vS-v8^F|A1EKs_qv!@$AaZ$Ipl9vRk;6f? z9da!MEj83G*g1?|&T?;38aVZl`*wu;lDwPCT) zBC;(fcuMYn8Q5pcBVFV_Oa^9POqqfkNDoL*n;G2Xzh&f|a&tLxH$SL&V^Vs6lO+By ze6I0Q(_h>Z`eAk(+!8$Q{mo=OF=qe{GvRCg`C|%*H31sL>%0RC%F7Puf=olyO7J&P zHMeNkcMBU5lWz#7>y@#cI!mUHl17n zKIdh`^+>tACs~{Mw?g_WZ(=)_q+=$$&>JT>^)<5F3n26wX=MqC`M62BDFJ8Aa{Z&2 zb6)>SB;0sOx;pR%I9M~VDrUU$Y2k0?Z_3nZ-0o?VRZpE-=CGovE3~RZc~`2I@RiBD zJ>*wNbRA9lV_WrNQw#b3-aCn|A{kPpBuTDwIvIqiXsDnnB4HIBwWE0u-L_zo)k<1} zZE8TC^BY=K4klkkSm3w)@jhZH^PI6T5SAEZ&z5?0B*song=_2_FGXtE1oc9nwXDB6 zpYvpXbUx2KY6)&+@78M#e`wT;NDaC8Ytw(wrOyb~+e?z+l3fV}9)&~HNQa}8FSBYg zkT@+>tW^vj*685Z`IYo7=}FrX7lQRNTz?Gmf%vZlSACwIMwU+X+w!%#{)>fTZgce! 
zMi#93QfjtVxO-en{EHluOGC8kF{fU4PZrjt4dpl5JbUb-dSMzZ*>i40yANMwzkFDU z_`V*xpSmX$T=KIk1t!F{k4L%nCVk~(=u}ZX$WDXUVm*1Nu2&XwiK)k|H2i#HDBl$Y z4gHVvJSPVz?fxYbE+$7&T8`PQ1}jnl_(m@ODavB#V{&KRcYz*o2qh<#z&BeoL4n_x zf~q+X8n}^!9#3QpDkIw8*JCG{A*LZA;XePXdP6e>`Uas#9=FcE z%Al5HFY9qVS zCyWGKL#x$y1f*)sr~$%EWgN+fI2KoT&x6g1x63)y+m*4x9>$y0)Gdr;}_uR|I>$;Mi#Vr+Y;>te+yx3GzhlG8ct2>DJTJ5xNz) z9`2P;LxEEkTuD_ZD*{$IWNdpojb;XjQJh(iG&lrmvA>UzR}&W1B_qkL{1VlrP~n#3WJ(%nNGz)Y*Z5?cuHUqn~fwsTazNXiN8Mv*(N__P} zJ=k(kati$ZhDnKkX{th8vy#G!fetDj2dCQci>W~Rrwz94VK`KP`!l6Cl1-|&8tACH9w)3j^>de^Hz%$a(amlGk3A5|8}_w=Pamb2 zi6$xunEIshaAt_9)##F~hENvnyHVI*T;Q(}=`PWR=t{5)+{{QosSgi(^T2;!;o9Kq z)_(WvY~Q{9sUgtgV)W3^_qOTDN@%Cm318QmEgDj)`WK`X$pshf_q|r!dl7+S5%f4t z#ZJkF^CO*@!ZBdH&9iF(DOFDV5Mr_=&UT^!R=iV&XBE%6nuz!*Pqzp;z0h9)TamJH zdJB!F()^$8T9`_5GzU)nX>LuID>WNy-J6s?6nC5ec&ED;ZI3O1H%C$44^xk=U4Dfa z5rK9<1F58M#-4(Q5syV;9hE;tgc)q+D}T{Gh?lEhQgpHW6`_@y+fMcqFaN-1|87;D zQP;&UThEyOnAn-=x}O>^$vTc+IY!5h}bsA80xv0BNS9;^=_uRDj*SIR$4))L7Yht znT5~&KnJ6!GXMi+HhtaAfy2Mf>cwIiw^9-#th0^(1nU8sI;;J#;2k%8pD@T3-(O88Gc#b3Nh@>69!B$s1iLE9Hot%!X}u!(4!&RvJvoGQ}uhXm3J{offZ3vUhR#gKZ&48(Mjh`kQOQy1JCU`&d?WXo|D zd(Q$)!V#eEBDXbPX7`4O*Egvgc>faPdbm-!s_BFy!6D#_bN&F+<_5&1bRQ2vum#fo zBB1TzG3vx6`-Ihlk)F}uLlcfaGAW&#x#B`@s;kLD+g9ze6u+wj?=V!An({|b`g z8VzfqV%iq*7o6)|5QE1g@LamoE7tRpOmm z9>GLQD9&`~dn0bEhBjJhS_Ye-%JY{N8H@>M+#}c*_=0smY?pt|;C&kQn;E|0+zS$L zaZMG%rWwc2&(R$?KOa$ykl#|vHGJf@#O9S(9xSc|i^rjP&igSPuw=eWybxQC8K3%Aeo0He7w^Bjf^$K#p(fRif`4*gY3(Di z(&wkcb7>;SHhCt@dBz}X!MAnF1&!6zHes|gjVYZd4e2-es{Oz`n|~0CsUJd5astD< zlbcc2-m3tvCQ#a<6J4>VoXBEQ>tW1KCJ`$+x{|cWY=xNWvb6e{Rrz#GJs`o$0^IZq z1`RdMeuG=2r(KdjFjDIjMV`L|+GtVQ($!6+W^TVv0#XHJ%uB6SHOejz`uwMWOUL!y zf(z-vaB%(R{Q4fnMSLkBuaR5moh^trvXW+uf>~C4)(2`?!C)e+(EtIrVuLn37X**^ie0Y1E5MBG{Zcv#JTMzzGXl{*?36pd*7IkwYa*9|v*Gd|b{+h?{uFPr=?GBGV ztAfKF{673P1^bk{rPa-yorAYVIzd&YNHon2Sy>)VvV)Chwp(~ay7i1{s;%1fE=>GD zF2hpz(=jVv26_8ioV&*fl>@FQSt}G~)~e>3h*Wka-_aTBZ&&8H1*FOy%!#Hz}n5Jv!(K5aS6U#2IJ=_E&iKl&GD(bO)b 
zYx)|-%KiXOekP>Wo%b?mea&y*PSd>&o;=Aq=DyP%ZCO8swQ`sIDhPpx5pB$yNfT5b zV)yR3x{H8-5oxc+*@xQ2)Jtw1mMv^dd|{G#@KkbGEwD@^okXF$MnR9bU1|63WzRwE zsFA010nbP!>wG&}Z~G%Kil>SLtCz+eVxG)v_70l+D*u7ngNh8E^>82EXx108?oa5I zYF&Q+A@SyZN!#@`AgBM??RtV=O?cR$n!H3R4Q!jk%-OmVYPCW6w*g6^>RdwdQAXab|?+ntR0E(S;ZJ7e9C*?ek+{{gZT zGxn#hF}Ul%*>6F!0{EYuinAm-DjhHv)7gkuZqV}iTV`hg<4yiLB=O3LaLO$s22T3B z^YiPIHohZ|R9A_c-`S6IzBl`)r;j(KH`yuF==wumx3}*-zC?AL`#!MFBr~1_aaUvg zZRoT#|0 z4Jef2<5P?mWKFe{H1-%ceNEac;V-QmD$1rcM6ZJs)@{K1a!TxeNQd_~AaDN3T2m9i zb%3y7I{f^~!kZBBYqWKjBQ=KBTaj5q$HpsmloeNhU9?{3l&?wqL_G04aP9;{vlrRQ=q;@W*|}0L4~Bg+ z#XBJJ=08&NS#+&OfDcK^x6bcwqSO4~y$sRL%XNw*H6|{9ehmi|MmpKiVo5Vhu_68( z)3o*V?8$Qb*z&Fjaslj`4E_E9G8~95u(IktM z0>;%W?F;MQ3eHdcn1WyfldLg*g=uE>`nLUSHlntX_hicb?-POD!7@}U5D@ZecW+;y zSv6Vagf|!q{otcz(xGsd+}_BpxvhZCnBhlSF(OeV-Gr4dWlyEmf_Op)!=zXNgwysj z*DBX)k~4Qk)|VILDA(!z#{Us*$dxjt!~2R5pkYY}A0}?B!}-|xbb7IQ*5B`Lt*Cj! zXmeNjnq?Cggsf+s)B86=LHtygOb}}SQESZv6GU({S^E?oR%j9G&2#+ImvWf=NUYR<2@9Go>qMz>n;b?-RQ<2))@=HF$N}En z_)i&Fhq_|8(M_iJyCtLmCG+ooqB;683C&A*u1k3Cn&~09eTB&W1!doBVvJ$6%k|Iz zSuK>lz@)0y1_1wx@8jIl@o{#G=k>2;!`U=hxrY(Jv@2y>+V$n}{>}NtW_OLx?A+w= zs5+-aJm@4{5FYbtBe|=eLF-s-Z%TUdd`Qs~@&b@^MQ|DQl^p+#?rR--N~jOA>v>}+ zv2;FZXDvft2Z22a&uN5ITxDZ*KyQMvpjNT(iq=fENFHljAg-j`vfbx}Y&z^&>5uOC zg%WC7urJ3XH9dp|L~FlIcrZTV^0axH-7%D;iDn{=@cT#iKJ{ht>aG_57fHQ*NiOvj z8$6FCV?EUtc-a+@aep^U=j%EQ3dn?|dUc0W3%+;uWb(gLmUXp8U}U|SzQb2fENvS7 zs^`t4%$guiF|3a7YE+=DH!w_R&?`0>Q3Rg#Qp5tE^So_%wQBXQ*dNTq^JpSr7c1)7 zD$yuR6L3>#_#y#pesC*P4;MW*kcn0=>iNWA0{&d8I^_qZ<`k|pf3QTE2|vp=*aJojrNU^e1qhHIt6#4yhosuof6}td*yjh)E}PcZ*~oJ-vJIeH{*V{Y z*`lLGB!%B$PLxJ+FtsihOY=r4kOhrK?R?b_&(b(DvE%j7zZ1aSvb=<|qdmGe z1(-sjG`gTC^nA#A&;?w`y0-bK8Zke4H-oT*@`kX6bbPPki3{RQ-mbWcU;2M^UUsD4 zk~=>_Hhrt64ELh*pyXmn5UsK~yO7oR6(@KXL5=Eq+zGl}^#ZZ8uDJQ1`FMzrrMuA? 
zXbVKYfo67zDbrh`H36?c#qc+K^LJxmdLp!2C=pxf^ZVR`-w&qFp_)aR(~1GqH|F^2Kvm_k{w8PHKa(hwdjCrfPeRc|_ss+5ovZx^Re`rLMe_kPfG*$%k^?vIye zTR^UN6tMhLt^#;@l@MPXW%ETcnu-xK81yzvD=dOGYDNR=1}aXWXq$n6AC~u(A$u6l zS;-CY>At1R!1cnS?8W}>Zi6c!U|CbFTS{@fABj+QugMkwSkCbA#=YWRgNrp5tSxyM z^%;Xlwg}tx3kAp9_=xl3v_D#0UvnMz0>uz(~WU z*(5>WgV!uc62!0YV{V{AYIO7Bk7Ck8tF)uU|9*LHDEQt8pS0Yg!_6K#IABxFmtMd%$c%+8UdB{CbzG&2J%k}8%+3{K!8bGGfOz($R4^#^LJ#Es#i!m zT{FmZoIpnSGDRRD$I@q%;#TQ7X)uoODLi|~l)buu;hI!Ul6&jNq!E%)WiA zl4Zg>c3vQ1mBSD7T)H3upVq7|eUr9F^Iv6UT|1VRuLy6CTZ6f?+@WfrX|$8%0ut2* zjm5Y&9QLHor2XP8$R;!`q?saD*it=?Q$Q^q?{Vr9Rqe6yO=VKZez8a8xnI1iniJG%ukFsFP zY@?W-q$fi6PycXk<^@IQX&)>UbGJ_?EJUnFw)>&6i5gL+VC==t0`${(@~#v}3vVE) zM#x|{uhS_vU9495_?OH@7u&cg8F`LkjKBQSzIC5FpkASKp!}&c+L&w&#fNZxq|3Ow zPXzc$L|`K3IFhk3KyFNZ;E~Ex0aA`WKh8tyd&Biw5gUh4n$kw6^E$4zlhUTSi%!ly zc(5gYm|t^sjlNa4oVMyFm=_ksugsw^fV~MhjDqKe3l36+$MpV~dCwDdn&q!7ILbUQ zDi74jz(0;3D(b?9B4RiN<8e}~#z!Q$)ggO0&r?Dv)TjGiU}VZ}3lfqk^KS>q^DcT2Eh4<4?3}Q9u~WMV=>6l5wesbQ(H3#GaS3TIIh1rrH)fkrgfjFawvu$ib(6mAay>g0C1cgWEo?Ch+ zcsnJ*>NeR}@U;9N8ZRyj2!sR>TQWPgZB!Wt>`$3DeX2U>Q2k&b;Ab6uXw1u(g});{ zgXy(enm)BXp6`PPA0p&7uu~L9WKBDvf0vVdZ>h}GCOiL$e_}U!i;^Pry2nT?X2aoQ z#!3+5w76p*@~*bpDB?>ZvXZes-&^2uIc4VFnufI%wR%;Bvv5*VPLODbxLDNeFQi+p z3a7avO66&{W=Y`=_YMa&=y>*Gt5FU#t;fgHY9qbDBq^LvD_$y zhVyek$MsP4dJh(Aw76w0#toiDI3mz0V8X_DFr*dO zz=%;OzGhP9DC$cmDP3lspo2{}>>_dgPxwEi^XS>piwi|P6XL4UaG-Zm&!@eY%g6e# z>uhk7Hmi05tv%BmMMQy3RTE4*TJRo&e5aFA4;&501mr&(T5KP0_azu&|BQ)5$BX3{;cV+QgFRFY|;@rpoH z7V$mwl*@mo$Z>fNoB5wG!xp~zZv_;N@Jy&g?-F$~Uy`GtdW^qLqGOw9s?$$-y>C3U zbta(<@{5sy^n?3F^}uJM;63Jj3M zlen~gV)gDOdaMzXhx5{?7D~m#SoT$%vXWQ$Fbhed)A(v2Pv!(g`j-}ltN}k$=Ju-d zAZZ&C=Qn=>lVtlTl$aJGlE{D_tcZ(LUQ*o(12OQvfDc1;01fk_VL6CMc{bE7_YG{= z_|ti#OzR2u=8il@HW# zCjNpw)5v!FthWK>t(~3qTHefvoo=iHL=03y!NZVFeL`ekbRPe=Rbkz)DJk>jV2& zc`*w~K#$a*sn)#(^^KQj7@q8WrejLhEKg#fFG}*0CW)vYwd8g>K4wo0wPA4nDmKz? 
zXq7F=&0l9~7<`BW3Yc0@Esikmo_jct0n;qBtammbRTyv_8)dfwY zJb&+|Zr*gcbaj^SZdvt_&d^d0Nm=&6?rIjB(^h}M*+kpHHl;aX1aKYvxZb^QdUh&% z&mCg^+{6I>vQ9fgjQ=xH|Kx>v=9MSEg5FM+)S!{weZlS&!A<~PJ!O7g;+%CAi zo-(VMq;AX=vp{Avi?_cB)A25_SyK1*nRhUhU%$+W6E641#0wM@NYI0KI%VRHxt{&NJFP3kGEL3*7r_g%%#tpr>El8Fpm+So8O_(=W+mS)Wu zjH0Voz==Wn06$I=w1_bs7)Lo!zNv-yVI-vzlHjE*n$D&89Rx)GRXnbZ-YLr};{yugDr@my zmT}G$R}TW_9~F<=gngxa?Qg!dv#^FKDYB+zb3nhwgO^kQT!=*PwK@Jmo#bEiGe+Y( z1!ndIQ6`~GkmT$^KZjyQ$v7>3dstouQ<{Bho@)-sc)!at9>*gv{S;cWn9I@BSzI$EcEqdU$2p`0KNhBwcLUP736!x(Ibf}}SMY9U+ z*aWAwNvXD!Y0rXvUmMc+S1mWi0XNjylpVx!H%1s)ipyrY?+pr0>7*!dbZ>886Qp|U z84+u&3<(y;{>m^R`0=qwHDXM2rdcpX7b@2_=Nm*WXH~jB{EFghi;4|0FM3VygWDFP zqhj1QrsZ@zRW(Y1z?Lo;V;e7K(;GQi+GHtvwUr~b%b>tVu2sDS^=08-NYA+rEh79Q z9~wLv1@x1)u9F9gfc#<=MpdMq5~c!)bno}OYU86<&?x$yfEN!;WkGQb_P~#SJg`!U zjdyI04VA9#DB-zS8SZZCD+cP}xUnYQNGV#(*rq)E{dh)p&xt^4K6CwT;l?m|(pERb zIC54O`*j_X^um*-c0$;4(`4{^K-vvfS3r+eu+diD(&5%`;5w=(VPKlJC zVvQD5oq4%{MJ=r#7(_tUcureT5I`?GF!)IzW=Khno9g}6MEt!AlT-Z0@a2IPaR=2D z7i%Gxkt@MuA-}w|b&~*qLYfM6r-LlnNBX%T&mv9<@;UI6#ZDDI)i*6a){{6@2hdZR z1Yj4KKr@SwB2OOE#OC3SsiiMCQ-)21_|>4lKyp4()>y&Rnb!+i)besmyn}q*!CX#o zz>dM+WAmg37aI;yb+&JkJcs2(0pF5KU(d}Hl#GbtdwqF`ucBsxPw|1%nP|5@u042x zEby;vs5g5rj&y~wLzDuNUJq#ruZ9Hs-YYeTdU|>M^zkmbc%`ca7v6u>+H}1~29)t} zDONhpS{>eW4hzw0=Pyq49v%^0lioUh9LKo2aoEioJjo&e_~PVGf**NZri40<*t;(G zoH&C%p9s@ixt@u-D1J}}tQ9^AJ_f`9ALW>I<9$bk}^TV{T`kL>}`Q zpT>Nte|5BD>l^D?=iWZ8w))h-Lq<$G{|v~nZ=Xt%1#(DEhQ%i9#7o!VO}CPpS&8j) zclTn#a3aCHSWH+KEs}_JYH%#hk#giKZnn3rRAdzdw~2A6Y6>)^ae><%)kGwzM+D7Y z>!R+Ge%+19wjzZzFv=_iz5O%_UR>Ed#o}I@j~GerQt#3$V^5JQ+;Y>%%0B%u_@jy6 z8w4;68X79wJ@-$(=IT24Ew?wLihaWy-*husOh_#I?>8&>(|uaHjh*J`iM5wwmK92kZBq4sN5=ta7Mqi~bq1GuL)RT8uq1mdAB00X)`R%llCzlQ)8`x6hx-0>Rq5Oxp_Uyo8^SrYiwLJE>;)J-;N@cOzpbK zCm5_68@BE&!Ag%BBuHJ&OMWG){6ZBQQ~@G*3_@%mz- z19N}qG%iciyvOQ?HH>~X1`NG&(|rq3kIbl1|0@_;N*SD{y&R~G6mK2jvEzl#s_R}H zWR={8<#D`}yHjn;GWez#>+hU=R=P}1r z!ou6*PBL5>1XMy9*{Hqqy^<1Fq*22+nYUAMSsL#lBATUO@L6}^&Z3h>$n)4V=ix*9DXrOe 
zO#CDTh_|_ty)bvZo&wxopDo*k#$=vc4i_hoYukdjr_Wo;*7b6$LJekBg{pgLU0F2H z1efMMiFLYz1&417W;Nr86W zxEt{hy9uBEf%QKzo4Au(Ot!{???~}6SkQUl;dvOUh&vOgDN6mBbmzCWrTB8HP+FlP zy7F0!c+?Rif zTmeLqZ)=ehwfEQBVFJ+WSXsc+ ze7*olg|factWEQSOM34pZM>dnat9`bpP@|-A0y(6eIy}g7Z>9{-kUW%-pzEnIEvWZ zZF?C5{aN1Fs`75j-~214(n>8RpRL}$P1-6{FE@Vxv2^d#K> zsDRAkhRqy7wSHS>?zJi4BmX13%ujG>gN$x;1&tqp&|M+P<*gG@(>dBG%*P*&$-5^v7=ful+tmr{vGv{w ziW(?sekdveZGr`Q?ZP9YP~p2#ge#w~QPY3>{jJl@Q!{u=h;k9Dt(o|=674Kk%${AZOFI{h`kZ=8_bZU%F#;mhTK zX+K(PVuXE_yTMeA2CZ?(`=W)4h&BW`JTv)?^ef8@a_@8+|MaLvRx_T=evo#c_0#+H{vd#>X@5+RyF#V$| zIH$d916o}+jfPI>LIOQ7NKHMYS)6EA$VqJbBRWc6Z=~V6TuHes{1&KbY}sJO_ti`r zX}59?Jk{qm4x+CGKakM9SE8lTGG?#2P`>JTibW&@7NhP%!>mhG9m6VrOzuDQi z&eGV|@bwt5$>A7b+c0+bJjhJ9%DiW1=4W7(9KFeL>pF&^#-rajCZi@{IW<;2yQncV zlo|Fp+UzoykW(_~D<0wB>GDtSZo=O+#BWlHfgHP3F3Sd*ntQx-iYJPiBu%d^Oy+h` zq!e30DmFP&J0wAT+e|fiINaLurXLcw%@PW80i0dOj5o3PNtkLwa+JOkYwktP6B%^A>a2bTKq((WpkRO(EgslgZT~{w4SND6t(LTd(vDyvW?V9-`^Z2kkq{^!SOci%Q;f zN^HV@INr3%&`A+HohQ2G^5KRpo zM^|A?%rliZl;>y|bP!u#gzijg5gC>#LZb}kjUa8wsJtM zf8Gb>o#741x?ie_^kGRF(6G)mnHom&$W#jiPOkQBnqpTQBqB|`CGRe<70xufW(1Br zW=JIt>FdWTyZ=n}e*4j(){S@xU%T(#_K*^8t@Y~7oA~NCasir+7Ilg%q)aMQ-Q)r# z1-Bg*%3s>qY-E&%j^9K&z*89q|7Gi1!{FLXq|5&~IBo;~k^Hrk<8VatrK$kZPP8Kx z@ij9mfzN?*vzmh*4PH7rhT4ku7qG_k*%ed>HQ;Z%97To9>cP zLZ>Jy^$c^Bu3#o#9*`~xF~E{*~0j=72$exk>)gjLsG zU^Ui){FJ)Ph4#{4CDmkD(`#G5owc#!&ux$+e6ua+)3vSD(idzqdrV>rc)ap$A9>QN z79G(x9qY#!#QF7y<4=l^!KUMv!|ebNuBl07JNS0$DgW`}rtWErR<>Io5MlUmvV5q^ z&)2%b$N$-OJSpvoN>^3_^Y+b-g2>Jwh414}W>MDrN$n>m*uy8cTL;rOZ_06iKYu|z zHnapUV^;X80#@rPI+ofVPxG+zeGYUw)a65eTRe*WhIjao1ero=-ZPx-WQdr*n4QbV z(1*Iu8RCCK_%8~XNo=?!K7Ho+@gyF>&Mnv5^j$8#N70{5f|oBW>{B7&^#z11uxa7tk8|U5^4vG6$e^MIB-&as#evt$VM2fcUkhQL|N4qVPEb+B29<9FjQcvfB!~@xn zZmv&$jO)8uj=Cb?N)gptTP#vDD$hVQzWAa}w~ya8 z`qru7wGibUy6tjcUvA$6)`@0*96(lyh(s})5P^xU#7q&pbNlz-#hq{ApfI)6>lk-` zJKR|$?wf;|^!tE!4qEXtH7sGpI>@Q35dGz>g8^iY6X*vq1lBW8c?YAi_t7S#M_#Fa8wKTHR0I z?0s!Br0&5J%n|!COw~-kBqkYVTV-|kR|z9(njm)XsKv^8vtkM^Dn_OrukC!EHtIW= 
zT_23+X1k*p`D*~uQe90*x95)){4>4}2DhLK!Kez95C$K;Ho3eq`BjB-?X_yLx_XA5 z7DRYyPytP@wfn>Oab?JnQi#8Xt440(&gM4RnmT310n@GMpRXErZbhM7fQk%bl||%I zq%pO9m)B+piaT%Lu9ONKGLs5VJ$p!Y&_uV&<)g0;FP=bFM z7FTNU2wKe%Wi4vUsGKaKSuIVCP{@b4-+X>^n0I@1VpnzN4IXdNVKGxrC&09|xA%#o zI2A$f__|=aAu*j;DgS7ZkyEpO3|<{U+d<$@7ze$v(H+q*Desk41~aA_FpE?{f=a ztqYQyUo98lrqR6b7~@EX*(yJnvo2f(Q~O{hRF1>B!tsOm7fPGjN|#L6B>|EwU7Z;% zEMd>j8F6?6=w#f(ktASM?ed6@p|I%C-UJg)CXPU`Io@k3TY5LGWaeLIH zmguVg+S{GmJ~kg=UzwVkuIn=j98Vj(HkyaPx1$+n$d;`}CEGofPrWHIlx;Iy#SG&C zlx_r4L-SundN>DO$3s!huVIqU=kY(pV!Zbd3SH7cCQ1_~`EigMJz39%p@YED>&tq# zb7-m%<9(Voe_8h!6&6=GRnIzoofGHxp)=a*d?h|+1ds0&!e06ymW4c+StDfz32$40 zGw|*I0=+BPe7alvkkzXkV9hRujG8By>4wmQFgaTGI>vX)+XvM{=!E@z+2gG za+BxK39Yslu{0MawDjZs;7?vW!CRxmM}H3B6W9~Dx;#vrXN9W=(94LDQ7`SMAQUEO zrah<+cZZn|b)rT#?(7Ig6J+w=DOzYr(x^40^=r!Hujgf-`?tD$Xp^W$en$5?i~;!7 z-*yiQa>me-Ra)VS!dQe>e+-Zc%-bR-Y0F`=m3lb)qB_`RSB?C#h-9-w+5iq9hGfL$ z2TEKpM@MQ%Y|Ss2w+vl6`fON(DN-c$Z?eWeanr)^nwHVxmS=)$n^)@jcNcUi&EoJc zdDBtsYlYN|S^){`R@~eRoH+d~)9#6Ar_)U&*{f8+bzRAoH3$JI>yv?J&IOxhckUtI zg4GxJg#ys{zcdXH=0HYWP<^4+<3!2&Mp{sjRzg~T4@f6Lt@wS-SyP|sWd?CCCz7Mf}n^`SSCY=t5-eW?Ye_$We5 zf32_IAj$6unzVNSgOmu<@-{y`bB}o6Z%*3ZxApFk#=M;vGoU4lkk%la$n^5h(}|5P zjR_qRG(&T+3?`pdG+Pa~eHswm^>vTL~Xo`HplqjsH&Tu~f@ zibiq6@1H9&TgBiaCL-_l30;>W7>(r8iY+-`2PfaPn5Rf1U6mj%1j*EAF3QKs40OdTH5}0NiLSd{tn#}5yeT~m zWY9txP&IkA#>;uXbvzwh^=&0>kJ$FWb-PrHC{82-t8>9L5rtH7aWVdqU1I9A?(GQP zi{d*qSV4HiX(o|>JQAIU`Hpy>75#{X7v27^RuOsjo4(?@Z4yPs^RYJ5qf*D&!J>3TMtkGdi)t6n|WF&pw8wOf%9^vV6=>M6Fivc^#?nW6P&Whq(h} z^@R`gFyeEkz;$P~rtOLel+hY-K~DTO%XLLGfeCJB8ec&;59{LK8ixr$zopaz#XRS8 zHq|oK{b2Dnom>b-of$u=ab^YMgE9~qHI}4TJW7dUkC1pW%XSmCA9^JA$&0|_pSEb>1wrXAQ5=_hi)~u+i|aCkYSw~==+WHMh>}S zTh}ZY$+(fUaAtY_%5==gD+!zD5y))zOhTGSp|e!5vkhU@sEQy#mdY9c%3ecZv!HrU zvxvwh>>^$)*a9syJ^}HSlym&Qs<9KR6f1EWMe3jP7m4DZzrS}m!nP7O?(>PJc3@|4 zV1chTGx*A@GEZLctq>xyK;sM(sBA+u?ve3llvw^*qgMYubx%5YLKb~De^KT?n@DNxSQptm+tcVu=Jv0`F!;zljV8-3Epzt*a zgd?#6+r~k6UcgF^O=^$ttWfz+_{tl{vjTk`ymYMKCJgkv3Z 
zlZ9cBJ}_hC$TuEAEWb%thWOX)NR0nzs*dh7Sr$5FrXC-Svvt>Sk|Q16ehq^<=RFpm zj%+g0JQrN?i{1JY*^W=QkO6KgjPbAmCAq3;l>SVB*2%}~`$p@Duy`BOUaK=53GvfK z^$)$wwRpomLvnOlbke2fuz>P@Ehk2oG-6*!_o}7||5K3sh&$ehy91qA#kS`#_TtdD}5{b!9Kw%A~!iwW-kDzN;{2R!g!JhN(4<%nl%MJRW;op8}{CYpEr) zRSJHVK=YjEb_nmCGkDeFd%ItFa1^zkH~*>2;lxBQ0q!KC@owHy*WQ`;xi{Zo|1oerY3oLlJ_vcDlSwYf>Uzg7uLtURq(Ef=v7o_weL&6 z|JR)Kr7TCn!yh1CRS(guJ1yzyD@}eqv>J1Y3a$AFvWk6#gvx0?I2qHG5tz{%eYTb& zajX5DK8d|tI)Zq2KwW}Y#_?Vb&o8C=N#prj92!OFcbLcLb}JVg5}W*j$CAzI+p6#k zRwTAvgRK)`kF~XJp~VJ{g^`N--r|}YALDARY06ZCdzX=M1$b182JcnQKPYoMFzmV# z?%)N>rZj%Z+H#T~@0(Vfsfj**Wxy>Ju^l3pM43}zVA&4F18Hd*5B?-5B z;F>iKsk1B6=c?CMKk(fgAGye<69RPpvJ$J%4{_z;X9Vdpul^Y< zXM*)n_)iH=ZY)u*;CthP}r~QyWA22V9GX=h(iWFJVGA#ut{?MJtI`i5g z@%ED=)W!FQk^#A3glZvCX!X!)FDbWFC5xzsR|jHY@%%_Tn=NoV>V*OiM7G#QopfYz zyoE)|^zUctrH7*&uNk?!JMnem1C*WYK@Wi3B)LDL@*V`50#@bpBuE;55*8;w>AZH) z$#BG6PI@1*_h}1(k}=OWV3vd|jg0Z{X5G7C-?7Hz+XRAC{4rHAwEYOaGx-Y(d^*pILxnU+*_IgtI#Po5!z2aP&u}c0 zKX{-Iud`Ous2e&AT846ng+4#EC1+i9hTO$~FB+jOFo)kW@5Gz+iT~)={43h3jqm&3 zE7M9#BT@7Gl1d-;Q7n^;bC(kzaQr)|QTO}Z{*S0{jE?jB+Wxgo(%4SZ*tTukwynnY zG`4Nqw(T^HZ8d(U>HE*~>8v$tX3e?xy>abp?|shCZf3FgcNR+>j6x4gVu$S63ghJF zT0tihK;rSXZeTL{t?eAgt3AFSk!8A68CKIgxQGD-0n{q$L_OlDK}kSi5$1SXsfaYq z^8YrDno6WGB^65r+<3JraO0E-sk(OQ{mxJK^G)-u(WS2$-$3@+@^E^XfDIm#pWa&m z*+jd(#fj4YS+$QkRK0n4IJ?~R^saG&^1i+~Tdq*M0!^c!`gDqHugRQ~#KF^VmG z4U~h})$B#0&R7ilEC#hokwa`6+`s-$X$S=q{LL*M3%-iw|Ejmt4VdN~1F4@D;dngb z$w!#hUwXIA?)%GV6Um^l6!#wO@7^CryUzKn(|q46rV!?cjCV}9dKRpwX|&vGi$5v6BKhfEfa@+#l!x!;pcH+g*o zHOG^CqksJxhsnf~i3!Sc0qVC|L&&R!htH+O%;dp_cIQLlmd*yi!Q+UBJL6I31|S{D z<87@uy=oWD^=6#IQ~ZEwNpiD0q5b)sd4 zZ;z=Dg3sQ`a4nf@mezJIW*!?VI>~A){8q0oclF_!R}bb8CS-g%OeiyP>-^%CC?RH* z-{)_q@bl4NxQ9BZ3^^q-dLHyY0G4fn@q@nOtVi{nX{G&)go3}OOTr98)RJ&sdm$oW zpxf83^Ks+x>4fp2XKkuDFINbyD3Z;4+u3D3TgD@qIK z(y`lkr7zMF{db$7E6Z3A=J%BC)kc0jEUmQx*xo}-drp{-t)CMWVwV$IQlt@p zH6}^{IgrXOEn|E3e-}Z_Af@hBR7*K50;gW470jbbZ{q0u<*HMd9sINkN^h2-pmw|8 
z27j$yh*}${<#-eM1dF-Qq-Y^_LgZEzHE1!=S#cm!%iQa4P=CKcaXyPSXs9pURBb*{Zh=yIo^^RxG@@mBRJW+%@cULvIKy zw#Xw5Bm$pW`98;yqxdXD;JVIV$%6$&h>_+XO}+@RIC<}?Q>ZlRoXR#CaZC~X$SV^kvrb0})B)4i1vLE#l zjiU6}rxC!OJ5>*^Htx*yWcQ!B~c1Rd^Cq)>Ryj%z=smn|{`T~?`7fg%ZCJ`Yp|`7ZJA zAwQVt?8Mn2WL(}D>vK8@7N-@2X1o>AP6cE4T?GPj3cRt{c}t?G58DP}CuIeIGT{pJ z#`4*tcr8Qn>4=V&%h|>FC-+CUm}Er|<)ZU4sKg!N<4l+P+JU1grsCgh`)DDKNEV1o zqwW3`MlMZT(1D%;jN4c-s&@vFB6Ar(B2DKF2xX`iN?Bf7zllf>P?uZfRM~(7ll-}^ zDLM!t!mWp(gMyB1O$#GJ`*540tgn1g=U6n)6Z`U1>IXd)DKV|1!Dqy0m{p1HU$wAWZ0Rr{HFQh|9_3-m3AI!RJn$jq<}+jm-2(Hp ziEiVnqoEJ${E-_v{lkW%?lH!qoYK*zx?{)vw|yFaLdUYsW*x`vN!8s^ ztLMv0D^7bC=lP2?-pMJx1O55v$!jb@kk->hs*MKf9`4494S4R{B7{~N2D8h+gWKLp z(y~|U%Rw`oMcsc-Opw2{K2ce2t^ViU>@rmk{Dhe_&+UoE zh-QaZ5ca1ZU!Ib#AJjKD(m;acG>l=Po_8l0YeY3L(*?&v*S7<%O zup4_2W=HTlP`Ki&9@>gX0>n;8TPGRpQKy=Qhcx%Kbk+)dqMTpsx$ncE@W%Ib+6Fw% zq}IaOMjLK}4;G4bxJA7uIBUZ~0p0;UuhD)u#-H}Bwg^7GKV90_Cs9&=Hk$1zc()(l z+{z01%d8PlsHTsTQ}DT!oeF~zAi>J?b%Wni3Eyl3#4y%L2h%AjY|Q3`5!Q3mU|~Ku zWvG+~lM$!T*e_Q>R52(Z+SS0GPs~F{@>+fNEIkgP*NjExRF-N5pLc`e4LU`R>-9~e zBRhZ-Rd+%(b1QI@>J@2EllwMZu|U&_`a_o$d#Fn6FQN2L*L+Wskq-)p1A)5c>k%%N zo%MB-ZbE0!8d4!O7I?peAsT|7G@(iy9zEU|`L^nXKG#bugx+{B&VGb?xZzTqtmCZg z8C**!*{75BUwn(g^p@gTpCfhveVGS|I`vF^CB|GiCwa2rU;WSr{n3BOa6~8kQBd9b z+plh}dyo{6BYH>p>ZlOvT~S{n+99;1Gv!|u=HX`P7_CBKRD+^Ml{8A$2!Gm2=B{NB zJ5Ml`K^fyMcpST|{98PbdIo7VJtoI+*bLu?=#FTTl1F4i&>Zg0{yfV9;#0y32dNM^ z1_lL=3<=%U_rs+{2SH0@v3Mcc~elSwXrN5*9@7k+}OD|J3%#32Wr`}3|V7Z5>2Gi&F zJuaUCSMaUh^8|Px-V<K6<3)W2M$M#7v-U_xdz%K^?e+YsNy>R{EdPxsBxo}n$Clf8oP5shNX9{IFjsv9zwHlB{ z2|O9#(!a{!X(`(}05VD`4oplfEekZHEzJ}yBU+86q~kEs7kc75FJ_rqu2{`{yY!(d zAGaUgekr!L1`c{PG+DUOHJYIKCsz=L;Y&3>yaao%QL&j>{SG$reQ>E~zOcdn3gX@f zbUxqeSIW(@96VyW_m;zQ`k9XKCpe-M7)VQexpTiTjrBuV)af0%``h4f7n%Hgg%Th3 zYngRc1T7)%tbx`RN_2htmh>>AblBu#^QNMwo|>a6)Y^DBM}K_AIqArvw%D^L^;*$L zjWqt}rt!(^c~9@p&5t+R4&9zgH18w0?9j8@!hLaha=O+)sy2~ewxxe^XM|-!&6+MqX0}jYEUj=3s5 zH2=G&>YL9nOtK=!n5b7Cm`@hIdV+I>pz40s*Sv8Co+c+ty&TX)y$s@i+XpsTl53tG4?yG;u40@r)Lw;Ty~+oO70kmAX%L7c 
z%$z7PmjvUtD?O@f_vHaZqRAvlj(cB=6HB|l zBJR*hjfL&)_)6bx;;d7Wmr4Yd3-|rV+k!@_s8QXS3!4?Kl%u6wo8UYF`^ar<^*WWlnCG zXPn^_P9l4r$G%)Vr0Vc=B72&llk`{?PPAVizN`%e7j_gOT&pH-*kpVkb<2Lc-L3Y1 zHf^a$tl5>Zu+3yv@$hiF^_1Co$oBkW20ioY^}{T)<2%lc$;Mq|CXV)*Oy~8lZ4Cun zU6vQbwQaAbe(#oNJvYa0oQX;N=h3;vLmKM%i?l@6ACR4y-sRnylLC9M*|VNlIT$^h zXYDWRyVPf1ZVy*&x7QDPkIYe$k51jX9cU-~e0rBpjW(ryQLlG%ULN0l&)&GXtW9#- zDuSyC%z53&%iyt#rwIP2W*^N}D_7c?FOS?b!MMM3yYD){Xzl(Tx}o?h!J_(dQ@R<* zw?>H*wAZGSJcP0q)`atf{uH$1v@pch?^g_;Ou|zaoK=R7mwBfZ@Nsx zR?J6C1)f=lTW5k;UzUGB`88R5l>y>gRu3`4hl0>0m>}w!DU^{PiBwv->PDh9$bNQfiGxm*yU}C82|PB;?in(XX5dukK_<(ao!bGqPajI>eq6 zmuU_Ci*V@Q;qp903M=XzVMBJxcE?ky#HKxA3 zx3{l` z#Z8Ky#obj5jN&I+H#wNEKi0plxLzx#Et&vh*r9xuGs;*E_$FrI609XD#ft*SA!8&Jg!jD?rH(Z&4(*j$ITad_u9Tx?JsnVJt!g;!k7s6xf~u9BsD^N*8YwIh68# zA9Rcx@;F#XryW5#8lr9zF5e^5mDDah64bw3+WW(W%sS{_N~NndFPw>=L^cZ-T$!5< zjOlnrQ%&t1N+jU^3=f+4s>Cc4T6W4Pjc`PBe*(6ah8|6~7xP8jCZzz!x0+DXTpz>z z(>{4}6y=0_!@&)Ec#l_+-&d8coYX%#UGHHr{MSjiy+T7Van0-EHG)4A9IM|;z2|?% z7FBp*CeU(q1G%hZp+liEW*9}hh;U!FN=&eiN%(*q^p{{5xsTiyAA1tMpM^if5_MU~OE9N!3@%p7U7h(ocG{Z)bkI%M_0S-hf<&0%2ZXKE^zxgOP zy(UUE$AjlRG#<2?h1g6-`yESTAXSFame-@oK3+8I$+fRTNi?x)I2DgiUY;Fr{vb2xomK>OPua=Iu#`AWN zHMuEza}9YkDbIP>86Jey3A!(YCx<$)2w~mQNd(UG*5W_Z4+W2lgTfWzUa`{^dsB(;xhS zixYSc1rEWA`o(c9`k&onmu@1R{a?6Y>poI@rGC9BFQL4I$y&(Qc3am=U4=M?U9^b+@FoOudbTn5N zIfLlC0;!;Az@&(*0C3ku`4nFEk^c07Wela*kk?Gq-?1|fF@n{0Tg)$2N)zhBGDxdT zeVj%XGAsf7W$Wt+L+hS3ZdUM{Q*78G+cnE zTtyh`v4SLR6p_AN-ByID`G|jU2&}dN3>^gD!qVr3Z)lujpBt709iZP6#O2QuP3Kw2 z8it15kL_2|^kKBq7NF$POfhxk)4a>PPke766h2hCYPA3JU69NCKWcQViz!(bS4x-g z7tx1MAG9g$rIrvlak`ADeuwm(J}l>MvLu!5WT@sHheFw{d~*meh&?kwEE}V=tJu*( zB9Lr&rXyLYmPkV32G11h`U)Be)u0?M70{`Beh1qU^HsAK;=8S^-&cN9SE+d@=ClDM zeZL#gH$V5eBR2dk1vW6|bgnrwmslUr<_{@teUgcyU`E;5Q>S3JA7`53^lCew9d3uJ zm^80l)lmYBaXPZ>r_b}9xTa}#R9vI9i#j8D=NDe?)2zDsaj16{I9jLiuZ}KYpZ!>n zl&w?HL`tLq3syXN7W)vY-hU6``lss|7dM6a3NL0rD4sFISTleG zy4a{-mn!g>lic_#ZAH1m&f8^%sS$-NK&fhB@48QMo>}41N5vUpi?+GmWD~Ua%7c#o 
zbMH1Mwpyr#s+9T#{MGTN>d+MAcc?PJ610t#;1&j$bBLm{4z3WcM`z7>EYH5{qto}4 zI4mkmIEmxtg|C|XdyCUQ?&I=QjH|yueiF!iT&9~DQgvJ}W;%4PW;Ug&Pb!@^vz0ms zou?%xBQo?Y%<}0|N1#b}g{h-LFc?j=q9=)J2sXmjEixM?>&097awx|C^&B2oyv!=@04f)MSjg8lQG~v4K>9^n^ygHQC=Pw`c9|-~;Dv zkBw8WFD?^6?^sBJ?afR7`ZmZ&sd<|X6u7o$x^4_Y)G)i3nhft;ad-~)*5^L%X z*q284|fDk{0)#HpzJ>UhJ+7tSN2}paSm?YrbGk zN4%EL^SOa#?X0FDid0Vem-)_imwR{Sf4c4naDrqWVMbVoRCT1VMtom%r^|;ztcS(K z$dCn+q&N;#Dxh3y7V-0hbab@R_ zI+IOE`FWQA7i#0%!G3k zL4AgV1UE+V{g+P@p{xEr&O+`s1nH{Nm2d_&NGZDL#HzA<>$F zHAN?`vK9%C^r>4v_m?W-*GHN8Mo>#F?>tT&x^KZ82a*H8bk_7hyq}B)oY8U$8KdWhW~d z)s~SMAEllTq2+x$EDqQ$Am7xq5Q>YnFbuR8ufQoZ3?(Iur7+Xh07Z^5CD}u?5XD8$ zEQaE|L83N^y+zhGrZKYM7sX9NLkxtY`JLmppR$kN9GZpx*JG;KM_aJcN!ZEy(esmT za>b>4ZG+@SNbe&4n9ojt1%V-PMagjdAu2*9wfp@Ivu}lx(5i--7m85e21wC# z|6DQf6H2}4>ah@jl1Q^xw%f~8D6Cu#a*WmFt-bz<;CP54Ar)>+)e!nekO zZ>Zk@@5bj0?ism8>+?GJgKk{_E*yYI-fDzJJ3TQU!Z7}NQRt!rs`P7zDV34fo&U(4 zSxM8Vrk09IQI2CORdy^2|0cj!fvEBA7&t;uO;A=x{Q$bVY=@N3^!_+TgJX@?MhKE; z)*7a}D45npn!i{Y_D1d;J?hDZG|spyoQD;ZDhH#&TZOm;nn+X#5E{gzc4Ag{+=N6 zuejvu{@J6s_&*+CfOFli`RtvzcZ$`2zuD*N@~6r{A#b$c9=|wviqkPU|8(XaaE2*<~&@$`&x&%#oO>xbn5%H8LBk)9j z*1<8mHj96_WmMq~+q$lEjuSMflexb&(`s{$!~M2;Mzi61n7DoeFcogSxLsX!%upZZkKk`o8czWjiBxO+q%-(Ppu?^ZX?U_Z_dZDZDV$0M56X1q;7uwBa1lbH(sCYzm}0EVhFib zdQ*4`0mrP7+~n!fWJR9D)a**!$eVg7({tr|!t6i()h@V@G%=NYZ{)MK`Po z=E1xt9BO#ir&lFuFWbF`uOyWzD39~c%05P5l%L?T`#zP(`7kgV83;Iz3@%7NEOCOe zR=LATbbWZ;KJW|>O>6Q`lR(NBJXu)T0J=a7n=biu;PKn!sJ%9c#ftkki3re%B90<<6oCy zJe?Yp3I&i7#QpzQ529s^Cy7^170-7lM+r2ph_0WaJm4i}#9(=Hr=E+W-fst3@}`3#3htyNrw@u4@Jg!4=+J^7OV&{u;KxR;6%a_tsTO%z{6+_)8%8G%ts8^ z^Xbxs#|=fvRl}hF=Y4XbZt{lA70B#?Fe++{u?92dfwQgqu&=*akT&+0qw3r2&<|6q z8ibmZf(a9?YD5=q_Q;GHW_Hoi?CDv12AKW19p}dVhWr*06%!$m4#*LlrV)vTnXR^_ zV8S`O1fkl)i_>kHRu{O_!42)Rr|XJOxVOop^(frbD(!mI=ns!QOOP|Poiq>4D74GO z;uilBX~U`+^?BM@qqv1aJ6tXUlDVs5b$?{&`cqom8D}cC;#pcmpJCm6rVoUgG^U_l zDiy!bywKL$?@=G5Y2a=Czb%1Y5V#4SsgEbQwM-<#g0ql? 
zdjZ*Q;@h9zuZ6`Al{_974LF6J9O>ILdML~=^HC|WEp+%HZ!#|5EF;XKuxuVEcL|`YwHeO`y_+%f-AK_C3QO9zo2A}w0qDU5=mnFgEe>t|=mx)j1y3Z}`Q*^WJI&9$^-(f>$fRJg^{9VLtRNgo$&yYDJMT4Oo9Q)y%WYE8I8>p_}|gM#!M zh!cn1Wt-~4qSW4Ygu-;W{OhCH9sZ(@Sxxr6P-hiqrA>~ya+SH-dY-y7OyLjg1*B3y z#t+knp(WfY#g{MB$_g!I{XR{vdXn=z1zR{~+QGMdAJ}cnNk*oOc^+vWNY>%DO3P^4 zo+8_MHF+mn7iTg;7I+0`5?s(5LBC*{=~bgu$fJu#uYIFYpau*A#4X^m8x}&YUcM(v z@->tyF2RtE&Q#E5y$&ZYn>4`{9CkOoB#{Xw#okrG2v*fK?8xn77$TWb{X+-vtb9#= zPL<@j?oPoIrYU&%?BfWnW)Ve&A?X=-86+WQV7^Y3AG_3tm$@%to^J;d2?kM;1QuBG zi)K3GHmL5BRZCf6`x*=L=EOv3`qhUHJRyb9tYUsyB6r;1dR!DA zw)6SdY;B3uZ5c4T`wYzPbT-;$MBHDuYM8CRV|O$d20J=<#H-%@_$q4*Lx)9lYCmR$ zwadxQo@VL3_arA2>FR2fptP6V>Fwt6W7+fN2e)S=Fh7V5l(2xDnf<;=Rg<=LxBkR1 z99XfiTwrdMYAwV>HD|eHt~Z+xvZ3*95yCPCed%0k@Taqz66n4?V5Qull+<=3wrPY= zUa_ix<&8qM+NMORuI(S}nE$;t4yn9S0+>-Q=`b^<}o3S7oN-ZqsA4 z&bR?^G>;e_H{cZb5ulq*TCQ(=hsT(~g)cK{ZvBVJmJ9jA&(`vV_hx+SQSVyy7lz}{O>c8K(@{Divk>e>oer^U&&voj1LNKZNDjxuTS6>sd}OOAr; zu4KD&{ts+NCz3!ar-lK+_BzVxgbC)u^&eooKi!Wk22klFI^xwsr($v8TqVyTUqg>k zje#@upw|#RPfK~^Cl>NUtgPpV zS0y%8aIAl>_ve^uW2`j~?2{ipypk51PLx{b^44h%vsYGAUSK*nfU){W*4 zo+qwf?VhdIkI$9cHr}aT3pNvP?q{X#ckLa&=KkR1Xg_=1|ABuQ?tDGlgXQ#o-A%kZ zeD#(d+x`A(!j))>S6^X-nF8@d%|t?^u@aATc^$K&Z zqri{yjmgMQ^_>l!fxp-6-~NmiM&6$`Uv4aqz88Vd3KMBuZqJc;`fX}E8yj-=SK3X< ze}$W})QKYS7YM#Nmi!SjO{Y9R#FU0s`#V?v-v5VLV{S9FB9EJCRc<*n!We^5bERe5 zJd|VaCS9FRma(*}g+hv3w&z*#^kqlVza%nH$o*PiF^{bAus!f1I8CDBcU9)d2obsE z>_R{L9PRk}^M<72@$u9_c96gv82+sT0T#4emgqX)A}nz63`#)y4KAJr>U`QvO`B3? 
zYf9gn?Tq||on#>SY74qXq85TwKKKL8r|L#ZH6Rz8Xiyl$N)li&4?F8s$caiRRW(nX ztBHBK6e}FcyR3#5kWj+KzCp!XUZBHgEM!blM}2I~ z*8t^C`ysK{%1Lw!7_bY7b1CriUgTA?FoK zLZ7C*MU%KvSKV)?n~z@<1ALbsg2gJDpZsar1)HS~lw!@7BIV3%WR4wqO}H&h2NbDS z9l>~g(UPznhdlt9o$v-xZC*=I?8$#6^Lqa(c1yl)Csq0CT&wCB9EO;~RRSGQaY@S^ zQVVQE4RXIYKLLB5t(B3+77`)`@0UJnXd)3FIiih+xtJ%NvfWVRt~&q3uyd876s9gb$hL} z`vQ#?wk%-sk|)kBZ2pn=qh6k~qNUU?D`v&Q`hF99BTnH zol>VjJb@rZ9Wo3u4XZUHdX6bw15>0D^iSXQvCgW;6Wn$!EsQK<%?Nv$E8{5LL zQWl??F=>r578ys*719(4%qXEEj`q1Ax&aindOC%CE{7pAge2_sZGQCFOH6ZDQT=(>p4B3 zrgdtVaBonv&m}0#CdHAS>4`i1(eoWk(l}h{QK-yA-#n}hzo`E=KL9MQqw>~YLg$;} zn`EPGwolJkg*m43#WQUl(=G z&)JmN(z$&uM6Z6~P#TuAdwHy`=uf{E^F$qTL}l1y`?rM8T*8NO2A!Y7PSES*2f>)` zk6)sL6Qh~zKQ*!NRZN75v^Vg7mMo`8K~vHgw`r_F5q_j$*hHiiVt(8VEPdbMm0Khy zl}r-2YBd+P&o4u?VymqR`UyYNqJ%LhIJh^_qJ@MrGYV>He2td+Hk3ydl~|_aXh$39 z@MXW3Fy?}Hv2Z`Tp{dCJR;KvAy$L>JmTJHO#o6XOjK$p~hyyKyX`of6{79|rPiqzlNBsf0NoB{3Bd^zil+tF`(JH%@m)tu=I zX!KjMPd8q5zL&x2xUMO&vS|xBV+6nS3yy-jbVCYdd`E`Rc8j+7eb{l}m+$zAN_%(eOycy?Zqifi|T42CYWrac{7_@ zS!K{$jK%F?$KNQgWCg{R7oplVsIL7{7Ue>$Nda3_ig~xhVlN=oP>qM z3;Pfi)I-huk*B@licZY|6CA_~2JsR4szM+2q8!pY;ExN)XMhxiT$(n#+FAE(kQ}a7Dkt;18w0+Wd`hEEKdmnHZQeMVK&4#>d ztX>&44@eFBGj4n-Tpj{BEL%^KQTX}j`l}@Aj$GW2Ew+{F&Zenm#w}nF!$=wCnDly5 zkE)4fTIOFh;djt&EK^x#8N;JkkA|-X`ShV9<}J7+MIH!BkvWI5T?v|!7ClCo1uMo{ zl^0^bzdr0Ht{21hVlR52q-{+w)!@!N;3^=`Bvu+o=PeaMemPm+;~=e9odM^P7joQ@ z+W)m-{&aj zFytSy1J}dQhZ%)G20$as@?AzKhAifO*C*Qq-v9O;#)DI-<~TX4OBsby;G=#d2k%DT z=ca(656tgz#~43@>fNmj2Ru>`aZ0IIxlVB&%6Q&hUS3xXb$GKRb|%eMvftvV2tyVL zJUzQ|S*NT_wh201l`Ky>E$Qc>bx?a@9^{5Rtc&^wl6C-ZrT$$HjL!?kKW+ zKW&U!?K)2u`IXPnFcPnSC-vTYr;wL3b}D}5Vrt z-F)PlR4u+tWz4YH;CgF}ag_(&BJb6PI#s1w`MUt>vl~+N_jfCTF;y*7>D6y%Cs@E* zHWSZr;s3!dk>e+kM|+A;+6-T|Z&2z}POVz@^@HH>x$ASgEzoZVO8XPA;JB+;{QGJV z8#6Vz!RD#b0&Al{otSlWZzd_ZiHwNBLLg>2Xf_*~;s(;X2{(>K?%-d?hHMau8<51Y z7tU6J;#yyzz;)b`oNNge&#pM8W0#YbNdo)`U~bS2e7`L7z3Ya5S>a$lmHY-spat3& zM90fgH$8jXlFBUe=G`|-sBsivOu%f2WYft^bn+4I|?P&f`U{k56&yk&A 
zy5f`3T+JLXq(yVYjbKW&cB7`#byBg5J_^^M=KNLx@X4^9U{G`InE<6rKEEF^M*St| z0{XWdkiuY^DJ?|kE0I230HSk37~o64e5Er9heZGFmdZhMO&t-$xZn1vT=$Vm6wCVyodw>v{iSCjAWsi%qF{bzqkhB&3NUmRh0`nj_wv78vYe z;L`Hkv*u2=GlN5cq&_TpbEgS2_Wg=Dn>NDF);QCZ6NfLL5Hw7RRG&T}IjBf{shgUF z;N!=UNi&R7oH_XWhtrmSMG8!ul} ze*8&J9ODRVIlFp*3JWEd2@D)eIpw4OIz*Qh;?3VpLJ8CvF@=DdwPU(^wYjkCJUp}J$k{c#{S~R8>MuRKSB1O+#yq09J zm0tH9b~BUZMp_|^v74R1TF+5cjK=U;<))OP{y(zQOD`ThNJ*cy5D^P`yO0kLFF!)P zI9O}`(9DacotNkW_m~{Jvr7E$Eu8Rv-fcM-Ti#tb za!`{cj5lehP@{a7)tN=@?KhsZ`4yWdJhCS*PCGz3nq=vnmZXSCecO{Z$#FuX7yrOn zDk&aR)alSkmd#gu#p+NsT0&yzHgO?!v%r71!ml38620)RM-A0K-w8coVG~eSfkVzm z-kw$@U5Gg?4W6eiW!_XSqmRB6qQve(5|r=s@ksh~GU~w$HDwfPlr(p4pyBN`;by3# zDtW|X^OXz_dV5(7JKIBK_%JFwHY33XmK)+1G&E14$Hlk_d^|X`tXJFdWXw^A!AS69 zUs0!h`y{O+G<&HQaXKC@w$HR`c~oE;mLD~5H?S(d{Sr&5(B0JSwkh_hU`BxTd+)|- z@eA}vM}^%2*hbyBp^_5`pDs~w9p)exBPFIZ-6&deN-dNA`1?ED5B}+31PS>4n-lSt z5vUbyK9$N7{getwLg!Eby-TA0XFpv9OhR%xdK{e<$c?cCQo9qvfDFuh17u~81V~ zNerj`VvSbD+}Kab;+rv^i^drGGVmsee4Jk(AfvQeev;L;GRCJ5_cfaAC^#5%A0y9r zFVg7WPfkX{?QyE`Lw|unxrTGM8Z|=l#ebjVFhW($I>YK@5&U!U?iweOXQ1j_}sy-y&6FdIW_BQUeCvNMQ=F$4s%J&Sde=v!j*38%oyf zyadHg$O*~SbQ$)gT4lv#mTcF(E*r* z@=DoqxGLmGR#1y0X3ZL9N|@8-le$L4KjKn!NMRYF(8!2B;xfOQ+Csh(;_xvT!BtXe zF6sio6@{B@rsgxROs!~x%_C+I$_WT~$-QL*?ViM-8l6AVMr%>Zb_bhG0D0@CM}lL2 zKU~3!R_){wq46u-{OhKXha0-inGdFT<&OkAZ1WeF)JwS3xxTfk{ME3q3N(Z^3B#Oy zcd!VBLQ3>`YlYRXf_blmH{$Jug2l^w)0O=v5tDl}BkNomocHPOmR?Gj){T96MYtm! 
zLf}yH2ggO2s68>M0aYNVJ&3B{67>8_Nd5j%xxD5{f*0kuMg2`eWxM*w<=?*I=6>-F ztopFO9CI0PiLijGe#Lg7m7W^va(O3h-{M6R;#j}&pFOTt3|*zNF&WV#s~c`@+;d3W zwQZ%vyJEe}IrK`#jz3ahPOB>JMmXu-4A+UB9Y3phQPg9U`)Rn|_qse-3nXfOyGvIY zZ^e1NIirx-!P+%uy6$b2kbhogf`>%k%e%ZR1xAIh3a1~S)C%|ze*)Zm6E)*uMil}H?y$ij7- z$jnUV$veCT&$mAho4agMt)PAu-mV!3gRb%ep~Isl$2LvFHcA+|ak9}NJ=Xe=*8R}V zjn#Dpi%)(Ll~QNSatuhS|xF0!jkoB`_zO2>JE_EC* zhN23PWyWCt3tkBMKg@xR9tgEb@(n{Ff7MQW*rhkG`J~`UeFAH34w{y(LbChHjMSIe z#5-O>1cyc%O<2sV0N?Fp5b1Qe|L|sOK};9QjB!~IQ%cv2v03bW@y(wmB=~9UhA26i z`lu**XvZev2D*VSr!rrBHkbnUA4b=V>4&(YeMx>23qdf359@}5qyWW5PH01;@X)3eT4=VfxLGstavhFg%OCI!959BDo(LKm?%SauQ`Qj{sMInLEQE_gWN&q z0DC;$RyNuDNpbytjPJ^bs#UmEL(!Tf)pQA>Opk=c?0u;UN;hOY*-?bE z6z>iaDcIK~n6BfPS{gk!`vQYJZH6v#(7!ES=WOd0_jXX)J;~DbPy;i$v zr^-3Fra&Kw48a)uZnc!vKP8k1t@;A0n775F4d12tNreg zW--Ztu52Ape4uQiDD9KFIRsfKj7@!CkW@3J=^q`%)rmFcbIs7Fkp$>*=jnWdO7;PA z5i+b)54cs_fA5R=ha;eO4`;>Xju!QUR`72v)Do33$Z3Ql_tpN>(wvlipnlFI+j`R} z4ACGx8zv5O|4eZWBA?|{g0ab`DcLvQ-tGjSZUdeb+vejF-cl#t^42`nO!2sgmAOBI(Lnn}K?6#m?f>mXabo>R*tr7Pm|hsN1O?UUjP zu?2;*nTCJs1!~-GR$C6&!V~*bHAl9=XPueo3=?HDzhNDSl;d!Rd9{{SQ2SE&1sT81PvyAOP5-lcjG$kG$Un?Ml(l!G){Q`{HIz@3TwNcbBQ&h zyqV4hA@;1jY~2rQ`hI-uzwRPYrXR1nrxZIbMv4#*vsqDES@HLvs4A_f**h{KJgK zxd;oq#X61ospF?kAx!yoADcU)0BnETrqeM5BF`}i^be7iiJYhRMGT@KdQxL_-t zp16H2J>T%Wmx{VW7njkznA7GM>2sP=ZavxcsUWvxjFA3f#O!b5xihW$xZQ~JD{bSZ z8EX2q?!~;#wi&u@^Beaa7zR#a`ia-=?fw2URY}6Dsut%Y^D1AguUEZC|C66elkj2c zk^`ybWH!t4`%=XfY<$8Nd!aF+Cs>$4E_LYEuomsb+jJ()4>#>$Xmsy=MC(-(!?m5KoZAj0oY@kU4I;ly*mNzn>{Bq6qoUUd5APwbTv-=FLOAc^&i$JHim@VjrHxWPM$#?Q*!1OCL#wj@b<$Yl}3RM*+G$!&L!7pCjRt5rZ_)!$jO zWK1e%BNUi?5=oo8){*Zz<5Yu^E;A`Rr>#=?;y3f({OAS{Dk(VG#!_mT31-+Pt?--RSv*29HPsW@n zF2KZ3g_`-ZqI}h6y(EaSV#i50VwZ2h!HnNr* zk2K$8o9{t8{;{T1k9i}5zCq$k>BE<7(O^fN*<25GXW$;G7745ykZg?7IqmYb-z}2h-K|SIh+{ z_Jr8-Ce2zjy#vtLKLyEqj_fw4KlbOcqXk{qWyLYBHAp5&0C;pAIZdPp=*sRGzR%d8 zGuvtDm%&&Gww@0ZFE8;C+JL6m)FwvqL`xU4ZNe9dKnbHqG)8{$n8IS?$jC9$wokFg z@NQBp1u*S(fzrE5q%MKXRC8T!bp!dByGmBUpqphlq$r8grP4s$jNt$(XW;YEoub 
zh|3n8EaEI>Sb<`Qg|J$3JH~>ai#wZQS#|-2s}|*opFNg>mUlME)F|^-nd?vu5rQhw zdzRc166~r@DS($w!b?qK7q(R>x?yoDhJ&>G4zX<+!RY$6q?FPvTlG}(5^JfML#Y>n ztFz*m`WredEs>P@D2m_mO)=2iE2_@!T$Lc9VK!;h?`261^O)?!8Fh2QXpCZTiodpJqQ+W(JP?-+w;ReSHGOdrGC^*mR@VA$ZRyE%pP(lGwe&G5*sJKI?Re-z9)hcn z!ZT=|Y4ngafk4En;&NP)$^)(Tay;o($j(g&Gsg1l;{1#*#vPAD%EzS>(!*lvvY*aA zkV48X&p~=q--iOD{j4Old$9TtvRT#d&zIjZ&lE6sIfWzL+?zIi%)`WyquGyC#m{!i zsQHU@SJl(jM()xb41Xy*LIyeo9w8CY)*pZ8&QsPcQwPcoUr=*zA&oYBL*o=) zcsK#ybhEfod zs7RD3CD(Ee{%sRYbZ|ZV%U+%l%)@6mXq|^w84HbH(ZUWJ3wzchdv`7^P~<%i)gLG( z$b57^vTAD1?0#HBJCNzS{2UmIkr+8LtPgYzhLj&x2|ly~_%jnIy{99=4s73zS-g;N z)BPlUnm~Ode8GE#vb7|wf8ls@D(8Dh&R7$u2MX#Bq;}cfTGG9$X=Df~jWY+>YU_4& zml_xz@Jxhg{A~h#5i{3|gl|G&xRAsUowW{1&8=^-UK%mn;XGclBjJLP9) z$W6?a-$$Fy5yAW~ZA=8Xri!wc4>kaQ7NB*WDB-kMPnqH~#A3>t!-yEF;m#llLZ1O+ zTH!F%XFQ21O;6Kakd~rfBs^n`gTUs}s*yMAywl1z&UC;F+4cz$z7NY16L;cwnNLQ| zWz9M=j9=Z&FG_j^LUZQ1ZR)VNXY@M5dyjew8i=jym@1lx?l}NbGD+`sL)+nC1GZt@ zQD=4MfD!Fhw)l;H@*feK5c$a>jk;WQ#09c^s_kNgBeCdf5Aux*|`;Wzmkd31{YXWlx92c65>d=nKI1P5yzE2?6~iJ)Rnmw zz0}(;;X{83(}a+e`NR6uVT8yaY$;G-Bpn4WjT2$Gczk>k&~&DEKqKIueD#i+740hq zrE`=EhJI50V`u3{s$NUmy9Pg0s-5(Y!M-w`D0&uOj3_|+%-azE%71I7aA$5xMJ}HyTYDbbI4IaEd9<_ z3A|E{w#04#$IiEYAXCGOQR0~eNv@_-Dn@cut0ylChrVG%=%L5JA+1iV5J{l76N_%D)cFt#Qs6*ACeAjllV8#cchbS?vbR;$066BCb5cu_iVG+ z;ZoMHAs8suPH4@<%2UaM9NMgO(ruVV!qtVKrEFOPZP-1*(Z@ywSf`t8SKDMOw$UkS>ZR2x&9lsk@6WujX$D~-gM zYy3#!a96_Cr!ZC>tsv(hQb^#&gUJcP$ui6y)8vV%M*2V26k&0WXzqLkgz2@MSypw; z54QL}7sln-R0-mx{q7YaZ4$M+i?mL9%CdFAax#;iH`Yv7x>`oQVd<`{5n*Rsb|Za~ z<8hvW%9k9@hG&VcOnMaza}t9L06F{|0Y?;K&}Xdi*5gQ=MP$XReqqtP`!D;)hEPeO zZ`(YkA1(m7+JXcoaGn10OC+JoOs*O@r@twt1wqd`thDMaCF zv6C9dmjv&3%Pj4U9@S38SAKNFj*$vUK;hEQOA2mc9ZegQD@PkPCn~JDj%~6Z9GXll zBf$^28U)m;)R6aVTak}cqT!PHSp8?7nj?*IF zHe2URv|ttoArjpM+h3~MKq_ByL#;Q5vTE8&D$0w0($Y&Q;^Z8uG|T1{loQc9eW{q& zqt9}jwGpsdbaMGgJDsOfI`V0X9Y!)Si?yPZey*|i>%}~8*I1ennP5A%cB1E4if1D6 zMprv>iAtz}_$4?rZ}86|3gk|zGR(z6y+sU&Yj+cKd2KcD0zkCR$HkhhcezD_^K0%u zC7NI)>Pt7(EJl_&aixCh=co9o-rJ5RiAWNttN`N5bpYCEOLZDUolVW*%vxSG+s8FX 
z`l_7W7=6$zUna}iAE9aOc_!Ve$LW+m#nf^|iynJk`#=6u#**UH!S9x?zS|e1Yb8B> zx^i<$tG?g#nysg?S#lwVPP?V2&c9Ed{BXYyT7(}{g054%RM`ghHas%XeDA0!fU%W& z-`Istx_d-f^Khr{#YX9ww_7yqQTHdA(=Ua2vh+YHV!d7ahtIYYMqkefnk&y!Zf*9V zeNYNPvnBm$h2*dsJj-cC(yO4KYwly%X>ruaJ{1h_b^RPrYZ0u*P08nKleZwH6avq{ z-P*Ck{bmKBR;e!G7N#p;56jZJYz~%d;Z{F1M%0t+xKN@o$onO#%@Ds_zZmia&bK@q zEM6ghtQ2UWb+LyWdX@}P|M$d+LU%LvkDP1*y=6hP0zWN>fCwv5&>~KaN^->BRQ`cw zvGm6PvAKH4|1DEy{$+@|x%{RQ_&_|rdA=Ta+G{^!x@*atu#4*C8D>SS;j{})deF-8 zXuT3l`S});D^NrV4S<(Ovuzd=fJ{CIixSL;o`g3=^2ez&<2K!kVCrg6Em2{2S8|k2 zHeC7JoT3M-QEzQ&4@o#e)%2=G*|7Zmp>rz!PIs>jjEgc$C%5Zt{o-0k*rAc?k2N*N zGU#DFQ+NVxZXWKJzjvFr?y0?gB+omVdt^_ODf2cow|sC_9Rcx7 z&0d)m;0G|((=3N;WvRUvD0fcQMv2G|6FHQtb-~?Hu(uOc7&Nf^?DienC4=@?~D-N^BAzBfnJwvmiYIV@X@73 z^>2~j+BCGa{acW!AG(+Rw_5H*W*NyW4UZTmld?{VwnwaF5gcKfgq_wc-bc6WAp z-e+{txjN_de`f@D!FQZ#sRX>C(zG|57cWnO4`-X3Ws_yKcS|14r>j>_w~voKUTKN$ zF85sbf?gJ~+W76)$&#nwuH80<#BXVpa6!OK)v!ka695@l$QM+#hZyJ=)xE z_9rh&UtEq}t~Q@8#1jMHhAACs_me|csAngAG?t2(aCaZ{E&wAB&Kd*hWb^Y~l@EW9 zb$4aYsX(~3?oZ?O9Vv4|dt_`Yfs34D*`?eB7Bce?vO}^5I8%Wj`jFBW~ zrB`Nw1zT4tI-;ABb8i(N$2bE|NPuEJ-~Fa@VZw5T77Wi|;pPWv+#dEL)wlV|vbm+A zr$#=;`P;2<{tdFGIZ@!{G_m5ZOmQKaKS#3bQdu^;036BfKW{$On-SuM`sbuY($#7vur0VKdwx@r<8LHJC zS^1Vp*E@fN4{yn|AcIl5cE-YmbCHoEkT&u_Pm7qaZ7Z!T&S&nK#A@vLBz|Ed4!Pl} z!x9T-dJ@T6s^JgR*Ey{=Ov2Xcq)S^g(`TW+tIwTHU$z}#OPvZD@79wV)^=9qW$$3Ww{ltA1-3VwOK7)bvhM#Hy&+s$V@xX14)@}8cWsU5eLj2MPUA^q z?KIV`8z4PhJ1KffDr;qdfhy72sbRcQ)09ii?Lv=L!(7tn=;$St`?sD7x3+w0;b%cP zNTdX^$2&#MZ%RcJzgABmWyeL~&;;D$sRE$bCBj5si8;*i617=hx9Ds@!Dg6{||MGJE{%c>j^jsqzc|qIvTk_cL#ol z{&KA=2^gC|l+i^c!sT|dm!!%}e}`4b+A3#zs}T0h{>o)jPA0d35ye+pp&ZFqYs4-` zwkK(BQ2n!bb5LUY`)NiSz7guGo@nv?bC}a8N3xoz)jR{WD0zMB$MB(BV{u;e_WuIz zSdw)VaUi-_i2)Z_WUvIMqW_i;$*jL&^2-z%Q^vV*fmx#5;F+y5U&6d3O*9bxV|Vm? zZHtSJaDsW|yw#3$Yk0%zuFCs(Y~Eh$UJ-?^(azWX=uuV->LG;?D0lj&o$PG+JK1&! 
zfk@=9wR+ver}UYwM?#lVa#LbUgnow^2d)$QH!)#mD!=}};jcdiWQrUsPtIbTZJs|fX=0E>h9JcB@x!(CSu`)$M8IU5ZO%-kBvS#Qdz zrdq5rzl}BUy*{$((M@U%JnTe`4cu;O!$?i)@BY`PI(IVAzaQ!r5F%x*&$6Mw=r|4w58v6lD?o;-Oc5Gv94(=jul;5m5z&FP8mI{aM0+M(B(kr=2TKwo?!s@n@=sp_8^a`hm!u0VuT+*J?OmYW2Y0?XQMA)kG6^)p z1?tcnYG2*?RKrc~)ugX0L;m`8b0I8w7+rSdcgcv-D*M3G=LPHLzzMil59If~_!6aj zLfjxm>pR1mJhxo-_g)30zDz+5GHjfRFo~rLRHc1*1_&kBH+~u!7k5q^* z;ZKemB6RbI^@<*earL9F1bR`R^+r(&dwcfTr2%n{%O^j z$=uize&g`~F61d+-Y7<7U>|(tI1*Cm#z!!agrh56UNMmXA!fn|K2CLuXf@IKpsF$lNp6#4pK@j zq_-%KDX)Zk%UEZek~eL|4wh=@JCW?0RdNsdx&I8R`MUMO^<4WP{&2S`PLX670i?&* zD{D!0$t_X_i8L`smVX6}G~@m9><8s@wz`5wSB!i@Fs7b%->)koGZ7m1Q}9#OOKAE=EqZ2 zMUf|gYScia*R5;cD=TR!SdkY+Rm{Izp}Y#+ij?7iS64K(b#mY5?_c4S@a*txo>=liqe-Jf@kAdjJ%zl9 zFbs4NIn;<59j)&aOoB!sp%RH1IYqRk`pPc>LBfAVL+kwBzK5jY_ zShSSDb@@gm@|Lzm#&q!(Xvq0WKdXX`xlAEIwI{e=ZFRF*mm5$48V12=Q#;>DjuVrO zE5B3L+UnsddGRSg-=DayaQ=$FcFrgf!EdVoidN$u+bnGmNnZuZ zOu}HuNKD1Rb0+)mxrIEEDdi(*Z#Fx%zb~;J%Q2~;Z#d;r z)XKCP+|XMhj>|EsPc#!`21AlZmo9^EIe2qUxDzT+`XN zYT4tN_l2^b=_cRUm!hO6D7d>MM0(%J+A%(`6-4D*4CK{c8mfr7<$mF$F(qR0Z?QDg zNjppyoo^V)va$92GBw3J{=#&uh<;tfNt4>;Zu_Nmm075jq^NL7z=2kGx}{n4Rro00 zFl05Rk#4x+NJXal*$G^6;nf^pTDg*H6*=N5AmNdA6}r7)c`#M3F;2bk#4Z#_e^z4p z0B%ivm1wReh*>;4oUZLMzWnediS_=4S7T<%)$;M`c7Joz%8JMRYIy{1U-@bzDR%@9 z(BO6QJ5_7p2~_SXmn=fF(d(?OD9!I%badejI>6HSU2>R-hJtYZL-`5g>L#> zc__I84L%vu)U^@-*BcD@1zp#F7fFE}cO4AQPCd_58+A70UQgL+GI8{6L4MmE=qZol z64qS`ZQ)Sr&#H4HL$=Hb6xv||v&E|{TN!0n9_#JhEQ{8~QX-|PR^U1MJGiZGe1P{f zP2eJ^oQ>FvVP4JN=sOqed&dM6yaF1_acW3CLqG$Y4m}E8)o3%2!z@L$iq<1km9-+# zM-w{XinJ)ujIF1*eEORY%K3*T@n2BW2mw*0f||V50rnwb_ykR`dP;Mq5dTYR@BtK4 zrv)rbmH6bCbO0;VK;F~JO- z0KAy5ng1|!WJ*%C^?#eP>j?P&ls=>Qjf|=hN<3Tj!cy`_uKetuD-{3bstIgiYfr`Y z#(^D`fPK+fPBx~YXetJaqvecryz<1bFInC0UN;nR+c&TK>$AM&CjaYAE7}{6!n{?q zOC~f$X-cssuRP@#L17|H>WFGlt-xuDl<+7G&WjLZRk;Noa<}tS3O?(ek=dH(w%hKu zwZMu^ zO9cK-3zez0&K^L9O5S{$4CiHO+Lj+{iT$xtv8RA|OHcwL$Lq+=*L;i_-Bmgy7W&;o z=?0z4a&|^G*Oz5^{wj37gb&_2ldczkV;1z#tP&L(k_qm^kQ`L~jw~LIS04V)6~zB) 
zgxG&~Q&#=n*)|jyidT2~7BdiV%AIJMH-eJ74US@NK5jZ_f%0mkI5I-gPD$tJf<*>g@W_P3e zI41ffJf}H|L9*L_XA-qZF{TFfl!wE-O-1AAE`BPOCl|ap8tz5m1?iYHY@6wYF-%5> zEG0giS8Gbv7|FOfCf7jH!X~n`LvUN3@JVoEC0uHGO)-4BfdnL{m-8#6mEQ}HOqB%% zl;=CUYo|-F@&kfMXmd_}quRxVgPI~<>kn#uSuI~uj!_?7-i!tz_b)YX&!#r0-ym?GujhkSsa zmV6cHM~n*CX}Y}CyPGmhDgH!ilKfSs^oe1VxsyS zU;c{{o-S{#U%@z{KD<*}75U`kIAM{`YV?Yd42wI%d_F((y6RH zTF$AX)XfBhL%oZlL(`qfx)IaQG|d^O`wjQD=gQ`nOLBgK78}#@<;v2_Td$%+iyL@$ z;K0mdgdrer+EE~eG8rNy#FX=tSm_yhkDiN-aDDI}8XxB>OI?^K`Uj1VTV5S(yH%(x z?qi3yj5?qhsPTIlY`)%ldvIPfaG@y#hVb&A+Ijc^6z8-EHkRS2cvK_^B< zvj++$rs;gbeakG|4%n3!P~)3}k;(18(kFFM+Tyu2Imnt$yP38`>_7{}6lOq$UPl0o z#z=e!mrTDNvS#<}) z6FLee#$QU?+?+OPd(FHwfDiU3>)jsO9JL>9S9!U4cvH2WZx82MTw1-b(^fCTk@6nW zTF1T+yc`?4V>v!;(x&mO)Van!INmf#ONXcR=EXgn-GzfYPdwh9-O+ANUVxijElbmC zw@#NG-Q2r%JzWev@xN4pO9tq?*loO40akhw-jdj8<1u{5vNN*T3%@f(;dcaJO<4Zm z>;D(v8As`JYwbg}!2!NX9bX@^r93*_7@KvUjW?UTaIF^>eUM%dWOB4llM@!jhCHKg zNJ`(xt!nMUXlEBRZSuSCQB((1o`)Jh%kyBB1L{~qfu%3?Rxq&{`Be3T*={KKMb9S7 z2uaN%5nM&3HlK`^Y{wV~=YW|z(eKW7Aq@uB)~YwIc~TwxNz4oA%0j3Xs7egO9&iKI zvqrYUbG9UbPF3O(DnpV@cdOG2KDMZ4s&l^9<+ol5Zny*k7T?q_%f6M*)qb*KqxKZt z!ezqXe$F4LF=CuNPH+hh4*uO*sd;!%*s3^veYvsmbS)eRPa;SkRV;yhqx(C>F$E1> z4uA(WfQqb~6Wh^VF+dc_3&``O^>j;G_Q?J68-_j;0rA!2fAW%6Kp!Bj+7;AE3lHRSNgh`!Wf(I z6NJRr$#}wio#S2;+!ni60AM7h!d`z(*28*s(}Fmk{-#PVFd*)wFpzMbW|^q-Cl498 zOz_!PGJw1xrTN$8r(=QMNy){Os_Fx*LnHTfw!?5tZP5L17@orq_SlEgA81v*yki%k z-&Z&9%De#b`9%E~V)XBDGwqk7Gu|P_*aXOu!Q*Af;4Q3=5%?p@lBLTW$nFKXxDRxk zlU)vSwZc=@Z|GyOqOn&*#?yENhUhA&ADbOXVHyo>Nn&sz=ra~@LJV1OKgdIhZDVWuH*QJ!2PwI@Qq~jkGP=QMn3Q6`pONtDu2Q zKJ3Y12-+=>?!7Dt4Iw@G`|myrKe$2j%4nT<*#yh)4=$fLu5|eI4I2q0khI&_|N|Aw9e0 ziHv!Q{u)h^9g|J)kq$4c3-Y=nS^ibfb^AvGxPiOBWEc2jFfZf_bb+U|* zwH=nD?50|T(-wFJkU>K7%kLUvGRGC_V1ghU0~J_hJfnUV3J55gPFxy_`thNUsnJO} z85iOr{-0^0jp5(yS@tN@ZRxn!I~f+LhoQ5u;M8(yDs`c4Ll$3NSyByPp&cgHS%jhL z%(z`S8Bz!O;ta~)?o;-J>LO+7{-p08lPN|NRQdD=IDEZ_%)c9Ga#_ylAhXI@JPN(w zdHX=5fKaNP3m3O^e7WGN0|Y0f;=-*djtIU@VRIf|H;BJ{aPSbh+!^isf^_7#Ub-!@ 
zweGK?BHb3EoR+}u2rwKpo4zpgx>xU;qepO77`$u7fb?l$%QJjJHA1W*&I75M2 ztuk#ahKB;-qV<2Xjn71le5pEYBG5_knZ!S*i+=|TYj3@1DI)RD*<}VY(a5q2G4Lg( z17k%Pt|GnvJpSzO$X4B#!H)(@ioY(&K?#5%{WO$hUpkC3T&^eUM)nhrmUcGwg5vo_ zv(y51yDGXY*_G;B%@2~yc>0^u)yMti>prXJikHKi)ffGTxH{I=NBx^RE6>}$)#uHm zFMZ*|QeWg(QBWQE7YOECZ+o_9QW&i$&_~L~BrL%T2M~;I1}~iI__s2cAbK;R0l07V z24fw_9fz?~PqGmi7c`f9A&iuXTfYBU9tAf*lYW2_Y*2V&9VkAxF%w^)M*?t&Qm^+RLQ+hf>WG@?t}5aX6*Cw{0=BGR;>l zS~woc3d|Uo6fq^yjAUzH&|r|9GK(IH2ghzI^QVyLk!c}+i$aVLLWlLr{S+l=mwGz$ z-`nwK`yR_(X-2t}QNMbFm36)`!9b^rW5Y;7B&K5#=S2O|U_@uQg#5~H^iIyHk#Mu4 zwCE4A(LZm!DF;i`B_sy;vHD?dwQV_-B+Gs#;I3!E;zQGK#G0T4g4)K-txJf_jjfn! z(><;OCYCPtE$#c=`_0WR|M1ben^V?jdZ;vUB{mV_Pfm+m*H_CHc1HP}fIimW_$#wl z7GZ%#&DNnzxJ!-HKjK^o69J4r>1ibl*U0AcD^CLCHbi_5*vEGs2s34+(j~HbkaX7a zF*64!|If&qW!$vlfz46tzWbM9aLs=qdwW{wQt;X-in>uwA}m-QT9>U}7*a~(F~_cN zM#J^x9mpIUIG~CO)88ee79e$^Catj@WmlvGjk#I!2)%claRRY=DE{Gw0|JX8K1*J0 z8_Ld&#%%^-;1X5aM0XN=O675Cm0vcg|Uk)*Z?f=KpLauS_gd$ofR zUPNhTo^Z(`gnh<`&UWNaAIUa;*^!~ZU8bnMJ4?K@=m|Iz60%p6CsI|eEjbeG*uV`z zo1M%WL-fC9vk&0={lV4MH8Ce|)VjSo<{9FX`)?bYPZH{o=UlMpXDK+z0~8d)?-7XX z?3$vMN~bjUmA_B3&Z1wt3K<thKdYJ{xF^M?(SqPK-20l1m|3V7NI+BkJg$LQnp_A047B4KD zb0nbu>( zxO)?UFF#J`$&tH!Ug+43CR{K@RL9rWcS=({PZ&#Ef^=|e{;`45P`Fxhnz>wljw!no0< zEGq`eLy)RGvFxf#eCeK0G^oi3s{f+NfznVCw^5~*>^C*jx}i3M+(+0)m1Th(Z#GAe z?@vuMuH1XL{YlkhSo5EH5K@a{0RyIt`Gi@D-9rWI;Ge5ty=P;lTzOH!31=a;p>c+P z?RY}d;sh<5tZ4%x!_=Xo!fa9$Pl^-iVLGQxF!Vf1AX8sxcF53Ta+!~E^y;zk` z5%v-=mRYM^la`KVM3eRueT|{XIpcWn!$GBzFM@o&e&CO4=2;*$8#$HbyAC8g>;yQ3SsdUUwQ)Hp}Kh{oyCrnSSdwjX1-b+v^67Tsi9dwqRZn}!c|OvF%O08SrBB?u|?8mex0RvyvTWh>RQ9qCYqh;PYbCS;)&|6Z`TSw_7PJ? 
zj{aA%W!CiMJw4e>grw*#Y;q)!^mg*XKIWWq@=8&))NCc;l^K03Bg*yhXm6Um9Yl?u z0Cr~=*zh5RUQE_(j8~(>@z4|GG|RkO!sD2sEu?G5(G!bfcbY+Q64g*m)P2E@(-2e* zQmcd9lZ)#H=Dh3CV921N2FfjT2V}FZqS8OAMEXto#V9H(NzytDY^au^DaU5MIZtud zLAl1LN+#wJL&ENw!3p>xfMI5H0)~%9Z_ie>0~^g_3Zm|ybhy$%7$$wdd7_fvH#hz@kz+=q*5iY z8dzXcxziVih3Wv_l6XIl!dblc8Ir%HtXb5kJ9Ew19Z>85JWN@jy1rv{;@#6sz&_Q# zu%G+mOc8JlzGW5rurRZqVC9hnL`L}ZJR$?3E_fXH&)4&b{rXKD^G?PGWk-hUMa+&w zj31`aG|;%7wD2@v7kWlkk>C@yTnq|U>9s%xKH{;>-e+G3vAB&pE{8jfM3J`1vgiJUroa3JsMA6As~( zF#ztkCMECH1$6_|8o;Z7*@x~2uZ&gc)A?D!$6$;YSvEn@W)fOZY@xc@WdEyhP!n4z z-G5WSyg~CbC-Kz=a=4bpHvys2-AftdkXTy<__l9~%&hSBbM3BUZ;pi@ z6eWdK)v(z!zj$4Oqp3f4$fuOxqa#lWT+8G5OhiNJ^9}BLT_vf-ZJ2@GqWdu(mF=e7 zXsxjQqtl6V+@avXgG2^qN#=?2of@sHqd=3)H1PdFY>Y)Wa_xo zL01&AaN|{OTx3@)d>M(5wa8-3pB!Si+Y^GxqiicxBzvQMh|laL(3TYOVkW|oeUG(u z`8pX~lkq$f*$6jWr!LEOmd>rv@hMD~G1A2YKhI_`X!sAJa45{%*TCFhBMb9;@yUuY z?Z%MJOhqXHEJ`;~5d98i{+m5CH$H{BsDC1O_RwY1Dd5?oz%Z4lrO5bQe~{G3eqbSwhF%fKVw_o0GC;R*kr_EOy%D0lxzi(wqB}5I!h*x7E@l1XI`jfJ3b*7RfIQm1{2vT;T zmr!LGqYGvnv>u2|BT*XY-pa(K5J}Dwlq*uix#cjMj${rRYCTnR9rEFbG`aXI`0CH1 zWCN=92w%xjW=dmiVSSDH13UPaIXr%oq3T}&JkA6ctB$CnK*2y>?PObPkomnEJEnC> zW`f{9ppATbEm76a44}%#xLA~Uo~0z9=o&E<7#7c7OjLL@m^p4(RAiiFjm0L$To1tT zeZ_3=r=1g3Yoh=x%u)o?8bt}9@=o%R+~Nla9N*iSlo>J7tqf0SWHDV#N)f_pP5F7e zE^9`s@%(SMTpyi7#PZVZTv#Vbach#a-q(<n`Tz z=rv@ocK3v+9L%6WJ&0l|J8$QK=Q=-Sv4}FhA2iiWAv)=ZP-Y;@8o(5~ZYujfw@CJv zQ<{2ENiI0I*Ck<9vj_)NPFh2ujX`oLC&pTfvk^0jqd?|E!8b{;i&m)4yuxHrW0UiRB#sG)kIe9+VPR z=X02}cHXNH$zf=i2J!tbY4Us|DmgDEH#x;dd$DUql51j?t5|eM=3Mv{x({w_fQjsx z{ZO9mF-0}7a45$K`02Pb>1q>%WC=F{IV+|wx@A|jJCf+xhTU;W5vB0D036gbqL5@e z)i9!k=4OPhvM3~OfSIn4r2Ts3Z0vgwdSS^nz1B(edX&Qd^k95ay%e2&4*XV7V56m( ziR2Y%BfASKH(e3B9c8IUK!PH#LI_Q_Mo4Kif_jj@fVz~i{VZUdk!ru-g`}RCpu0?j z6Xs@QA&C)6E9~39vwt#qaopt*gS2C%*ZT>ZmK^lS9i5xPbQ>cb?(Q8_*x&a*ka^*f6cDC;E#2re;w#55=5TkB6?~L@QxKv{8yUN2JOi^vG-f}Uc>1nFkD6@=m zNPp#Kot@8VikjdB@d9^~!a1)#rjZS%)c#&Ux0Y2>G9xsPS?BTp7R~Q9GpTFvSVOPa zASg1BS*MD2X@5{y&hLKPXwCh;Z#xH@*B`!DT~I6NHNy3RxhZ&YapykG)eId&vL;ec 
zF4O7X*8~EIajz72lJfpEQj9p)H~$A~utuZf&VgGwVCD5X&kjm37AK4xK3zPk+7?lj zgatKJI%Y&8=Gaq>e8o4aMZpP2Wj$^6!gZ3-IEk-)9>yTl7CZ@fML2!k+hKTdoaa7E zvO_{~4y@TNL9y}a*@T7bK}>}dNr^SWe!fKYOUQ443U4x+6FhPlc;sz`VplL$^&c+p z+^@!zXU)zwZi@UGGi}95IIJ9K0QH>871BBfaAlbM?h~v9RO7z9V98Tn z-+GP}5vfE?rTO}>prtt$q~v&HiQ6YtS}i72k4yOs&>gWqjHffQ-plwVmG2M=W2@Yw zPE;9@u)wR66koR$2pd9n;S0;JfhjVbM_#%14iK}?woD4km#b(jPO23`BxR=&{tp+# zo^J)Xld$W7aY1aOQdqohPcp(v%frsq-l(P3VM;0XjQFWuzt@)jK++8PRJ%jo~eMPoMR7w7i`uUY;*c z&d>Wn&_C22_r_~A*1HEFFrfg=^Na=+L0><=&d}gD90WTJ^cKv|^eG409Mgauer(PR z^l|PSpUTqx!dx1%;JD?j`mdkgR=K|u_2W74!0C0t}yZh@GdKL*=30vu!|-Zkda zGq1#5sIuwrjr%e}hE9KnNu#tBPIk2BHn`{H5auk}Ba}U?eWxkLSx*qP=_-;s#;+8L z@ltWG}3KHR8EIslku$R=}?Xlth_NL3Rusr`Q%6&rl&8_i~8jgNE%111s zT2TgV;^ahPv!u}OAHv%s@>rWJMFrJvz^HlrPZ{=9%({c#azO6y-fRL*#otQI&orT^ zc{PL?jDJDTi+|qr+25AW>R!_jZbUQ@Q{#>|D|Y6vmJM^hDjrzB)LPRJnfHs=pu1`A z2orP0pW9UU{=?U=Q#?=DPVnQ`muU<{g00o-mVw){?WDD#RC#qj0u~RtsvrTh8e4D{ z0L@=q;C+y+1|N}WEBA76HQ z7WSdJ_A1or5d&9ghPoUiD??F+S1mFe<{rsm#S3(;RMU6l7JU;l4DN)jMEn6`o6XSNGsjl-3=m0cMV8)gS2!?cXvz2 z&@gm&cegNfh;+T9zxR)y?t*n@-E(*E{p_>Pc9;5#Pm(k4LK_QB@UMZSEJa5YeImv5 z-SF9O6lVP=p$B;3)kYDEdNY<~&_#@QmduA;n~%*qxe~MkEzC!LL`v>#mE?D>cUxF1 zpC$@7a&FZ7qsEI2EiZ;D04-tPP2y>^B2gzRN_PgYP+YeL%((HM#*Q$EG)}`VbN?0(EH<8v6S#35D&KxDLPkB;G250rlxgZovK~;OavM9R=!mxPKBsgk5*LbD;Ke!4CQ}HG7yLqI5aQoWY?jQhGXtD`^$if<6)6YbWb%0;NqDpaahB zFurcl(jx1>$~q(pT2kGx(2P-7o&!)USDy}MpRj4EIOnMfN7sXqEJ3(Eo_35~v-K~8 z>k!RcQZ37?{}Wn^&X-s@l-cHf)L4{-Nn!vgj0n|mfxCwj#44+Oj@tY_zduo*TUW`T z1AXmOCn@ZVSyaL8zzE1FaS+;;niuVM8rE9SH1DrVP<|l6H&zv^d33VAKS#ztCfZCn zKX#EpX#bf*O}ooIAA(g}jZc}L5#BiW>S}K+0Du+*-`t+*u}-Oa;3j*?N zU&mG%Xo#+dYcytLL#I6QA$xKOv1CdICkbWCz<3g)v?S(jS_{HME!XeExay^YZO>U> zjL=y+l@2CdND{;dov+kw?cmd`@F==4V*WyKoCnA>TA7{LFfxtzc45ODoGc#}W~Aqq zc@U~EyawBaEmd(|+Hc9r*oE&pHGZ+E#Rle=)cX6@W(ct)zlH+>#t8Pk41{t%*p{eBGE)^4rW7>v`t9S*X^xaG0f`Q~Tv z5N0_H4P?NAv*tO@FG>N1oVdyP&oST_<@y%`IRp`Cq*Z%vvE~zBilVQd-InaDV(a-K z$XZ)SJcfZYn~*k7D}8{1l?K z>&hKWn~y%anEcIq6+iO|Ocsw1d_xvnez=lQwebvo1%rPmpWfLz>(_VVm{MthGtV`L 
z^$G#MPl^(j;X

7)`K1$=c*SM`b)$!ij$DqJ<+R0PIZEp-Sb!`|87?E|EREZ(Y6r zs>vO4naSE^PQMsfVDcYFa7mB1BEm(6`aF@)>Otnk0&5EWZj%IMGYa&tz<(&Bisw zrPo@|Ue%T!G(}=fV1c9vUi|+}k8*KXg31BJ|KI%7NN|h9`0V($#-Zicn*DLgFeV5- zr1_AJL;6O1N~6mW(<-9I3>NEZ%>Q0VQKL?^I9*Rk-^$0becI+4AFnL;R_ss2wtr3x zyoI3_!-gAe(ATH+S105si4J6zL02M5pw!mnNaqqLr6C1$aIC+Wi%-~@yP9Qrw{j72 z;@I;RZER)O4ZfV`N8AGz-}9qxcQ6SvY*pjGmP#%DsH~=a!bXt{R5u^V_m5Xdo@uceWiXSDO_4iwMk=+dZ;<5Wn|{SHHHRa*L~#^im7`A4>3e2$dKHs?o;VOqJ`|8 ziNe#w63Dv{VQNmmQZv8E^@MAMZ!%Zc<26$D$W_eKNT_sjR!SqCw~Fvf$skNy4N z{^j>}^WD9zJOxzaus>-@b^p5ezuF8*fr0ca94!&Ny@%X0(A03aDZZ3*fK|yto zTcq6FwwLwblTC&T?4J|J!vnwektq)1Xshb|tTS_b!B0WuoC z-wq)@L3hmIe!g~>uH9N!Kr4=}y_idVXb0Bc@bw|U(uV^0IuQ4eEz&8M!+2q!r1ur3rPdh(SrIzH|bV%&l4xD`j{$l4v1p~h-!^g0Y3s583P)>GKyp?I*KnXE)mD?XeVj@c2-jdmaCANzFyc z&zdJBr7y=-!`|8_T8nZ{-&@&a?UE5*^L)sTg>xwJv&&XZaV-VX25h@7l=+Ja;SC5ivS<=~+m&=%03&~5vsN=D)xJWuGJBrvTI^?7Z&0>Oi zv@HJ#20z%`dPhoQ86p_`&gFBQ*1f`)jnuC=E1v9!WbJdr_DdSxHA;oKm@6(Id;_M; zcBv-70c39CBQxcGJ^C0VJ8}%v2JQv9qi5!h^}1}9e(=cKGS^0$De*@Vpo_rpPXsA& zZU@B*F_gj@Ln<6-=sz&EsOju-%4A@Tg%J5_2iZvCRmF3g3n&TH9h7W1XcSmyNQU z*k$$h7QMW8qb3s@03;Wajc`aA*P)Xe#d~$Geqeu7WXr=+vjp4i6}dX^d&iNVc5N-k zO2jL+D5+|oSpqs?+jh!49|bsO{f&PwWwoy16h^qvn&i>6&#RLJXz(UKOgg8tQ;v}; zsW9y19%$svRrEMz{d;d(=7};e?_LJ-UK^d#x1*KtTR#_LJstYYyB~X)NjcFN(D56x z(ion$N`QOk5^lUItU1+WNP?Joah`xG zxrt1&KfijBB6u}TvlA3~i&VpiS!J2W#L_mh{y z^TQXLdfnw;iHwG$gC-lRih!F-s0mHt1Un>cILyv>qs^M~DqkNr?u2bO=TP!XCp1-` zzsJqfQUT1Tlojh z?$BiHr{<@NU7O3oX0WW01G3aQjH@-(I%1kEq_;AjptNoqUQ^SYKgp%opgvo5Qe#he z6f!+PqrXv%)ki);*)OlHazjY(_tpmretvmsJF6l4qhn!Xnj?lFf@_d%q4HtH&*$uL;bX`jcwd&X?HNlts(E`l0<7XZtGn1QCIN3xUQBR8ocHYKuW(9;fiWS)0kh;>??MxT^R0MWB;Q>33C0)8g{ zXLKyJs?@haM_F?g%2YJtoq8olzsMpgO6T5JQ4l!*YcmtgACAKf|iFRWvfIw z8cqnV(exAhhN7?ckzc%X-|1>`gm6Ah&opwc^y;M} zs{1&um;XDa!Z-O#2m)JcQFK&nI-@wJx}q$90avBde$fO9#u9q8+#&s#Pv)OPLZIKF zNUWn7W5S7~0))M-0)St%RMfX}Uoc?mGcS1+bs%{O#0D--J!>c$2Ld+V2!0TfM|cpb z+-WYeZT3}CBDh^C{;GF2(}e*=7pf$pEwJ#xwl1d8peSq`cO)GwANpe$P@DW0pLBB4 z3RB~qA(v4i!L~IF(s`Ry2fyZEDCuMYT$`E3q+`si|rU4 
zE-mYlaa4tH93;-Spwk*lY@M8FDYP{GEaqyog(E(x;m*{h_$Xy05yCQymh&4-0K>N% zf9)pN9(UmPj)Y>i@Yb~!mm&Tn52y-=k4T{Xw$U-_j(t4O2+eR)U+`lk8`=OAgwqz4 z-YTsXoBH%LCQ4Q+q4ZznP!U9qk&P`%L0(MENAdkAA~=)~iElFTx5_sHLCo(5403-K zyl|0vC@wFNPEtvETT4uF9s<><2Dl^VBwVa*4j=o3yzx8ekG8hV#h)+b54ONWz%G2S z@5eRI@wcVD%2sV&Mq@$Wb*oaIXPI;=qLx~|B?-?QNgZJfrxhqI1yQ%g7vO8@rJd6a z21lx*Ed7T=y4mJ1d}29}gtZouk%lS8Mya+428w*6g;$+mAJ%!BmRnX&k1vn<*b0bnpvvSLf zPzCsj72G07gt2!01Aknb4jjpB#a#5iB<*KJuA4F?j_aN_5um=_iRsd zmMg7xJH~x%rl4zDc$vTWRudPnqs$iCBtbz>wYIzzsG27*_c_f;6^){fSR-D$e6%TW z{+zcM1K9DepnrXZo;)iBKQhCe)OcMNI#LTz)|5KHB@@lx4!#eRO*Nr~TynCN+ZWE2 zyqQ=UjQ1aEln4S#eZkM35|?6{lm(<{a}5?=)rurIwLXob2q#UThC2 zpXzIwDk@h&U*iZv1qPSN7Y^wrY&k|}qAbqBl-SRokS(3|0{3V&7hiceun`2C?Am^M zO`8Pzh(1&`Ym~0Tr>&LSl@N&&m9e>5N=^9RE;d11Rb3cS0O9imSin@lPM-Px#-=A5 zHMZ1LsoZ?aiKf`L^fkO1|G&nPAotLI3yNMti}c~dlX+U=X;nL#bnIXNqoI%HIOCB~ zXohU&>g96u=+m+Hnw3uDSU}nzguR)D5r3qTV11@S6$SafE)xN}O}zkwccuQel|Voa zk7dY#CK{G=Er}BV!yl=aYN)`*B0{DEWcv>eSeZscR;7b`2hkSJ*Sd7%BbD%D1l<|z zqv^~a2J$|f6s_kgSRALue9^C>o5gOrH&FIiq90E$j!;j?4}+ilpb83P-o9ls*#gx1 z|If@wf7#UNqRpW=lI|QXD1v2b4uqwN5>aa+-__jC-H&Xtj-g-%QvBn#+I6k}tdvIA zA8y~(X>`>BaxCS#+AEii$xo3u8$}@}eoL5w8@0Rb8wNQ}`B~SzR5v03JJ>(mO~ww) zySaVXdiP~;K5TSXWtPTmhu*==^9{1osn_8Pj`4%MShmGuJNZlZu>Z1Wh#wSL)#Vfp z5bhs<252iQ85EF54b z{k*zW_y7(IvL03El>Y0z9%Fhn247BwHeZdM^esOantXvlz_T?r=tDE+KBXNJnHf5U z5*@0~op44&zkpQXqRkb}XB9~4j1At1aTJR###ppm2MCj z!kgWc`5|P7GSndgkL9-}Uyzw6h89A{m3vExcfcy2h8WNi0cln{CDY`By2zlRJLL)H zK0?8kRu*qmtXC!w!9c1priQ>rfCpo^3Y%%TZ=`(DZ5V?DcQ+3|k(O~fO| z0jg%+rW?vm1)vB1*s8JWfCK80rm{Cv{7+fXL(3iX##p6#Ag`(u*3+&QO!@q3A7?fi6HW~uO=q6(;v|3sTERuj=X1K zoF8@t)e=>Z&VMdndE;12v~4foW8js3@D*4h*Wf7)qlko}t%w33;xI4D{$6A4*zjD!f|=>hK5&bQDfq(@_&@8NUt63C(QpUT3;$^$kn9 zr)!9|2L1tMg`>Xvk`caB=-J*?FtQn^nHk7-Ajv(jP-^H;-HV-7v0xd{$|Wqcy~KU7 z6fWt7I?8m#^Ge%V><(=`Ake#la=#6Zn(Z~M)x=~H`Qfk2CU8(^lphO$)__gqLonQ{ zd?n!8hl`3Ji6l$dSoK9EQleF8U3tN+P7S~3? 
zr6&p}stI}KfDSjO>JZ(}&>ZSQjgbC>GJ~Y&&>7X0;RZFRq6|41&2JTkYm`6Z+0psX5j%4ab#lbyLH!O$_YrN{s0R;j$D> zEhc7bZHne$T}<^uCUuMJCk@`NJErqX!oTt{y>hP2?-{N3-iW)Q*I)a8)1KZfyz|qj zYOe7-w_=V|x64AWvcv7XwBtGD7WiI~8}*kmG#MLr+yRH%D#ApC&24)|YAAAiEb%bA zBFamsqNTfEh|=cxUDD-jJztI}p-+SqMk&K#%&EPXAMex8vJqT)a(?uYC~SMY zJ-OQFk)vap8SFJDm&UqI3c6ng2laDDwHWz-5n9)4aHpOC!yhbRdrZ~5w}$8Z`S+;Q z^Y!7pGvosC=b-l!F`Ms?yMyL0ZJF+$2j98(&p%Epdp~<I^=1?%LE#=o-Cz_MrJuX^@Hi?t9KJCY9!8#)I?!2I*r1x6kD56&{Q5~xY#$I zhz_Lq{L%>$by;gfnK>YriI;1mQK`*`A@@qn z9+XP~DstBtHoSu`*su+ewKiVO`7pO5G{M1+Ir~9PDF9!wkLkjpR zW(G~#;beYL66y+{1fTX3OU z40*Vt%nmihvbNYR2P+$lHb%U)Obv0<()}=x*a4WeBhU|8@*~R^zQil@fXu|6!*wL+ zFIW|7(10u1l7Z(pBy}k0FaZ}$Uy5)?KjUHUy(Tc|`dO?=F5+fOFoL@aXC-2Sr4c61 zNMexIPJ2NPWQlWhlLW*+J!&oXR-TPdxB^G8ZQ9DwXqL^|tXy|_M%>F*JU4@mXrnRQdwfP7D(NLNrRa-Pbl+nY{Bmv8$2)3|g*{Ar8u+!2j6H zcrEvKvkbI+`S4|3kbsC#a6voG`}T7499$UXwEPZse+gUP6YayC2WDS(8j6NKW*&JH&Cz1~C&RkY8NZ#IVkNa(hL|K`K_mPN9>HKx?iS7$; zB5@c|GCs$sx1&ZJ@rfFh=fORXmR0cBNQ_%()RYuUsrQ?DYLWg6muuRnPylcln_;Gp zSeQS;$M4jqCTeQDmJmDX`op_e3NX@=nb(IJiqmXzQh%(kJz!|8ebiATwa0(Q7Ef!9 zn`+cs_WAv9l#jBBQ-HL1;9!L22AgK~yo~wPMQYz14Vd$lEe`EpMGgNRCOr$-nwpvI z;BJ4qJ0$uj=;8J>^P6n>K|`=X@Nt>R=H%JqX8cOfrtSVW&o`6vRU?;hF;sYfY+5E^ zBWa0XYVUVU21QvaiNWQ9;^iR`je)J#YDF(mr~~d~rZ9l2CypsUX2wOGJr);g@p>5K zT)9ekGMyqJ-c-N)rpazJS78MF_G_|%6PFH6BLUTdbNY~kiT$w3$g*)mCrhU-{VDBF zOt14}^NP3J#=IYWyhwbNEGK%+IMjdvmwf@JuZZ>aS8WR~ z$(aWWS3dL)oRxU&pBW)mBU}VjMUDtZwnFF@;lvVl$IUWF*=9zK+&e9ut_Iv=GmI{T zR-Y8?;r;ZAxu~$E$<+}msqTe!xSZdQP9HWe8?JkOJ#||LeEhhwTAwv)aP;JIzovy& zNT3B5F3d$%`{sD#PRBE$jmzn>u6BBTKEic={LgEbhyGocy(<^O+IH#gsNePM z6gA5Emh+cpR+$>)f8f#_O~CC#w>WaJ7U3^>J&l?mr7!P<-Lo^Yh~+>ezO&Hobyb_x zr!vT+54wk!f|!t#ak+`2TSV~ptCJ8;Wr6(>nf0^~uVnD{$3TSOmvpqFpZ|50+<>6& zks*`S5y5p;4{>r-{wY$dmgEl2wAaP;^8Lx?Jk_D_^hpgGWE7~_gfW)@-Glx8%|me; z8`|glxT>G~mlao>72bC%{A=HSPAki&KD7z1eMDoszPgq-8M|rdf4V7XJ0-l=l?}g> zer|l+pC0edel{@K)xGOCRa%dG%G$k5dmpF!Fr4V$(zM?`%g<7)Ave7e_E#(;iUb27+9B|MjPniiVo64-O+q;RQK-o#TdT(OT`#%b`P< 
zLkZIf%i(!?7ClIT$EFCXL&2z56U)C90fFRQkG~(`!Y>YFxH-$T3J11?k1h*7U&<#j z*SJ>7KYI{ROrqR1fSX+1E^d^)udALOo^%)0x&_n5-^-t5t%sAeUB7dvh;nX_NPm_+ zGXS$-0T<^=&FcT#HR%~^Aug82q5njaMeR{oHI)i7ul(G+(HFtEL?_S1n%sEVmZ<8! zfVr2_`X`jk35^Q+TDgcMag-1t=FkD^0~{;&q9N6HrL|6W)SGDJtlcT^kGAc%_ub&% za{5WgTfA{-O{vMr%;7C}*NgaVK{8`2iqh9%^HFTY#?F)TuYK|gJFK|`+#Su#;(+g` zBTKI3fBm+-Hh%~TQIbz1JNJCA^$v)}dnQ$1J1-n7CL!y;g<&2Eki9Em;9Copnj6TZ z1HKi1ap7KPjvH>q1TGdW{9YiLcbRrJyobDcQHA2TwySmNc@~KRn*?B$E`nPnbBgqU zIJYsroaKQ|*E_2tB!XTul?;_Vypuu-Xx0(CaYd%z(5+Q5 z>ceoHe_blnVIG&`nv!TaME=!mgw0e3&xBpA?No;d%P}Wmhc#8F<=?__1^d!99ecb= zhh$`}B_&cJN=~Ty@BaMge{I1>8|Gt|L#Y=tF0Mz>*ieQ+;kYIBlv{)4-{J6)MYAP| z$&JV561Z%1TD=MJAN!XD^{GlgUU+|liNdbSTNO!m%i2BAxtjFUg;Bj-CsNb65elhBO)cED7V>ttxdCN>x-H|vbo{F)7Qlf5i^D7UiK}a>+ts7l0-(e=kWNe2j zhWxA(rxUxqGa+pseN&chXY(vv&&#v{(jm%3 zCV|r+I=SAWga*1@)?I6@xqMs3ssPuJZ_PLSJ>CVoXC06AN6A){bn&kVi&S@a$x3j7 z>IGC3tFx3!4wo<;H$}+=WJ*Ax2%W8*!UzpoXk)!KueP~Z;3YkZiKw(iO)f>9`UK&q z+qW-ceHo~Lk9<23Vt5sLm{har`n(bKiwR@NU}7b6IxpVEwxQB3hQR29

M;m%*O-u*(C zC~#(fMd`XUgf8dm0fOi7nySMi9~*2CIb5J?Jg@vLKARQjR~7}m z-5tC)9kXB4pEOA4c4ULlgudiGgeF0| zQ{kBGvbe21@p)imP?#I({+yQ#rhxPPzY-Qo%HKS5Wc?bSB@BqPtH-?4i< z&fY&?qK{W(=tz%rqiIys142Vfh>aCfF!-!Bm9RV|i>UJtcu4?6qmMzpKL{f&TK}6C zg6`t7?|RduQSsBol`wPmnRjy&M*%3P_^TlECBatUVl-`#Fbx-#RSA7*8`8?<=w zXLgg?s)S*Dk|t9ZZTuRq?m6v;GRZ+O>FLS-yqF|T;li{%NXTqEB|Y%>39nqzBYesFb&ZWSH43zb{><8`@xP;a-nUDfUNUD92#XUpSF z3tW4A%JBt9^lp8v51qc=v?9~8+*}8_PhVsNPWgn9Gb(->)TQkU#HBV`@a2%MkwX=A=lR;n*>o6$w7`A&BUI?$coeT4#pkBb zP6$_Lvard+?xq9jlT0dGEmqc_Y>N8SR%VSjo`bmQO2~Wu2BYeV6eORLcrCXMRyvNa zy8HQ>hx~5BJzSnQQ}{2B3;UPBH zLPC7;c{PZMLjw6aA8B(0fEQ$M?K@7N+6rx1)O+_Mmz{Fcr<%OOyu~Ow^yomDS2SPx ziqhL|O^<5Gu16=)n+&1hWIxNh3 zK6CO`^9~#c!HpA8Y#v^(&-!}$bu<>P=%~Qk>;Cs`TL4`T+wQPkndMRHWUZqxlC(6z2n-5ptHMV6?R+FP(^da-H8U^9q1HD$ z&JO~f1i9glEd>@l=mq?n27?<831vq!8(ylmx@wfGGH|MOMb?eKD6e}J+>0H zzr$EsBQ3O;Ixm?vi zNkvBnH5Z1Nna&+88Zu)s*c!HJx-M!TOkV^DcH-0o2u3iw@f@?OT@@$Ci0J#~ zWu~m>t}dy~35{O!c|CVoKv8C7IuuXK%QT`dpqBV6JICv-Ay|#Kw0l17E3=&pg`+`k zhk1|3Dqj)BoD+SuUwC&;c6+nn4SM|T%U^e?O?0e?D#LcM2bZ)r4Isb!o6h43Y@&LG zO8+(&&aH@&a<-n07HSoTvY{?kcOoyD6kvZ7EG`ccA$kF7bE)KW<<%1R3j2n`GEu)n zuD7s#Zn?c9Sz{(Y{WYd#?W~bqoMk5}Z4JZ?vt%-+9#9IaerHnX7WEoh1|da+twVH~ zR@x3NV0no7hv9Rp&C_F!>)qXzIrZKZIOzRj|D9)h2%7 zAu2jzLTolCMY|<~Nc_BTQK1M8dJ{nc(r$`2LUcFlqOiACTIONlEITm9aCD~i2K|qh zE`l4U$X44yRp3wZ*=mGhkCA>AD$E)j8=Rd>T0&1dHC0a_BKe(?Mo!j+@%4)$Da0j7 ze^MKxkbopxvLQlBGw}|$A*oV(L>dd1i^XIar9xOB4Uifd=*(Q+^yxZ;8FQvK7-sd3 zDSWD|!*{<#@1y7^`Is11uE5bXFZ?>h%3URuu5)}%{_#E!t09~7}ajl@rxWfCT;W=9tJBd zcDlw0B|0i%p3fOBs_)=e;~f*qkblGc86F{5dvFTXTf`O<`dUermAWf-@#bl3Rg)K$DO=jNY2&vP4RXm-92bFunU=p@dx%&Xh!6( z@*bN5LR5zE27DWhgbDp^OEQ}Em6gb}l+A$3fs`fI_k17I1O$6O{D!1sx9&9qDA%|4 zMs_eA7rY983io=i_$$8aB+S2l+mHQ9J~cZeFC_JnpcGe(w?v9GvX(MbQY;mCc&9W= zNg8T-N}b96j~Iv>6tWWuag-2ZuzWIzuBow}dPU#NGFyho`8Ij0yK$h|S+{T~%IfMH z!i8hRn-ud7QW`SD>(#7!I-^t1XgL z1_hI~QP&%*nel1J423xK;>({jG?nj%*(XGFrfItbAa+rSFX*(=- zie6~|bS`?CNZzxAKdnmr5!!ijrD+!ubgk(0d%`*%+(XN!k&0&kmdv 
z&q@2Wvh3z7zm4nZmLNt16M4(dn4R?*CClWoDnT1EQ6MBof|IO?8h0xA56&AHw7nRK zjy3U8&heFZf8*9v?emdCCsUpZhKFyx5J_U}bRvNCOTOg+>XDuf0sg}!y3+as^Be;D zloU_UKE^q>R(*sp7sXwvM@s)@wY6J<6&_5aD?a0L=I0n#_YZ~ujhH|sQGZtHHH|sH zcB37g{=CAGCgCD zE#8a+dO2`*$)|lT@6eIRFnI5=!74;Oz#_c{l^WhtL%4NaK%qQz9WFUdM!{%)Y>x?e z-)wvqCWE{vj0<%q=5{&j92TPARv3evZr>rNqkh36;%}n(kn*zzk>--k*^wkuwv@}T zkEuvH0;EaJ>C%LMZ%J(Dk_AfFztkIi#Q6s~HPx#j^@b>M)bB0#9=hHhq2nt!Fe6P1 zZnR_*8^Wm{(V-m0_lJSi6G)uc@=X{#aTg!>WjMZ{)KTU-%YB_@hX)G+ZD#U94dh<& zSeL#{;oj$zXw@IwSla3YH`Xud0goncQphX=5l|HWXyFEwR`382m6R3ouq7dthDFI| zCSM;;{7qmi5^pVzZpy(k6iBc<^}(xU7;@li2eLd^`0tD*A2favQcd;XWXNvOP`{_| z_}9Lkjsa|JZz{4IYq+&>$&Q4~cJ$Ebo0=u@@#4pbo?U4i z2)i-d5Y_go;)Ug}($%EmHWAZ<>&qmROA_&in~XT}yHQ+LOzi>)Uu^zOS>c2s9o=t; z^50rPl>ei<-SxG3kOv7@N}>Pv_^<@Vq=L#6{;+W&Nj&pMy@M%3{M_U|q9vG!I^Po4 zSm$pSeH$TQt_v(8Bf4vH;KzioE^qL)XSy1P}q>JbOJ&XS9=Ie zGSih~o$H}YWEL4{lIR+XNYSKbt?aEfHkp&;Xll!Tv;VRi@1E7A{*%7D5CWeJ)Qa1& zArH`97{!b(F#}0A4jYPJQeHuNT(xB$|C9x{L8Lomo$!kt9KV>+wKBd`gH#a5rHk9g zTy?~XSBM7!M$4*g!EF~BMAPfin&0iGOp>(5jfjA~JT3*t;pVag*Xbmp>((mrPON}V z`Qx26&&zp<`XzJk(L)Eqm91k>&+FUUde5a6`oKP8)4%(>5oF{uR2v*qQUfQ3;z@U1 z<~`ky;-|VUu7&VV>=(wzgkV5x>?CL#t14x zdNGd+y=Zk+38K~z^SH2+dv(Bb9Y|1BIoP{9d&F&($-fgjs0WSI`&oMTo0?}nOD>+1N)}CE2L@~)S(W*`yPPfBA$RU~vPN^YRVW-zN8f6MITMFghJ`m6 zzEpkNs=_oc)J@J8n(VbyT$dNpsQ#-z$lC)pl)$RFGp|E zuYzLr@^-C7hkV6LHIT*k?bNz@ZC*;*8&a7!5#{t=(h*5uDM;B&ZD^u3f`jEKJ;Eqm z2ri$btKs~0X(G@uwWjc=4H_5ybc+tOeKH7P%Yyr_ENgvG>#i!Du`Mq3Zf-=KUmDHH zm(Bi8(%s380$`F{b%tC*ay-(Y`5wGw_pZP0+yCA>vC`RCShr1Qd91W;%;RG5p{H~D zI&(aNMZCdjHAhH%Gc-X1(EMAo_kFQ>{TQ;LVpU@z5aFsNb(O|s{)+fhu>G1-DjkPmCKrJy5<< z1A=1(O6=>13UTyG)_1XM{oNizn^3P6^a&`5kKrZk2ph9JZ3_1Vo~#2?j+FEJirFZf z1=?^N=@nSFH8uGkRdiRJ&^af?WSFq!mcw*qztQ>#w)cTiwBXV=t!j9W&u@(|Mw$Q2 z6Ojg^X|avijWWxd1*Rpc4vpZ5%!x{hXsY#$kf$RSqBPZnc%I)v%_F{qWt|>d=7Fxl z2KQ69~+;YWUQ@FuaGnY|-d5j(u`0qGda_=3j8I!rk(m^XM3>rI_}0I< zY{sA!rLCUWj^R>Ee~Q|pRA$Ja{$exoXSSOmwR#%7LZ`d%H(^j&Hkv%o@|W%UKy*hX zVX~jhUC8ZJSTq;aj_W~|(kKfKjKY0RPdIX!EK%jLC_aDM;-*{?$6+^I#9ql8LCusH 
z8<*mBsjq$@NsDB+E)G%U2#8<2;SV&0%Kjf>(8<4R40Y!3v!*nbMVQHTde^V}bvYUF zS$SJ&0d$o4^!wOe^g5U*j-?j$q=pl6z+KQj!x@JT?0MeJF~eosflMLSAtS@3-Sg z4_S$u5b5KW0JXzfpjbeDV47`}lfmBGcbO7Ky2*M9TL+`bvGd2WTw0w$mW5JBHEX&F zhqC}_Mi+j;G4qO@!9ww5&IMSMoohP;B)AQK8J?82IbLeE_+LNoxXY+oWa+4@u=QF} z^&vnWPVgWxxE@Ez6rIdioy*!f^S&s?!CuSy9~k&_R18_3ld(UJ!+YxCEr*!+8(b#t z)>+1vP@pXL4S6lp#m@Gz*hqVG)`@bHNGAf0jZtmB-o&X{n$lv!OMGLx#B$BvDdy)k zWIoyCS_=~mdWT9`B^+12CQ|U?$ztw`>X}cQ#D?EIJl)C}$D0&k6CXZ?jorHNJXkt# zNwUCW?%k&ad7hqb<+G_>)~q4h=9;WCUMmLNM7#=rfmTL;Po{-?$%pWx2A6ZqZ>p72 z((~>ZV=^Gksxh^^O)sc)av>ctJ%(?6-niq>Qptf`~K~d<`qK~qhcJ>l1p-<9?l!NpbD$lh8W%|3< z=6z$ZZ&U~4g#PHD`3E2H;45^5H>j?xDqQ_K&anf)50tPQ43oQD5=*Jb20Unuv*$-1 zk>J4>nG^c3u`_rk@->7aqk&53*RCa%#M(nYxl;H$7#tinFTQ)1Ptn-qlX9%xft4iO zR!J#4HGBmP%f6i=drD{C4^OKwUYlf!F1>|5!7CciMhDfeJY0hFl1n}Kd=F8gl1CdvQ z!W8!J`AJ8AwF$^EXz`G;Ohd(){1Z1NjL$pEc2W8_-o{KLh%0j$Vzg!s{H5>y=N?n1 zW6rAGL`czg?RljlthVt#jy5UsN~K<(Z|@d(op_gTKT=PL(HmxLxbVyhXtEr3=VQ(i zakW>DHlIG>It?~5uqBPSsF^3Bm*yR1{~3xlL7}YnY(m3#CX%cscqRWni*WhL{Gy$! 
z{b?r6)aB`+YQ4p^=61^{K>CBr@#OaZ-)p3V{Ox31Heo}R9jH+9?7-g88ty8=(+ z#*GVjA(9>2w2vTcz8-V;MOlft^B@tqG{^-xx8ow>rHj$0yv2hoW?-_>uiU=cJJu=z z`{#X7(=w#1r1W(8BcWja=qEno2+OMdWJ5)eA@g(8wt5Q^MFGX)?HCt!(k726jt%Sg zVb#Hp!hh{~(xzywDCsj;)XKrsi#g)Hb%Xz6cNiSh9He{S&*W?9#T9w|lY2L8z4w+( zzj&{apHo~i)QviV^EbjIz|xNhtz2r&SvJUs7LH#T?tlD&zv&)UK@EBMPIp801N1Fb z5cRv!nK*AJ=|+TAZnj*Ykf`W0Xf=yd9j4V!8>!LcSMdmOLrIF;S))p-vMlL*<69{D zusFQ+SY_inwluak@{)r$TdaE)2{Y(_E!-4FW-95~40?=&?4-eh4&Ks^y*7%XR1L0D zD9U23RHE!G5unAXzC&60AK8dnAnPX*bUWXh_qxFd=8Z^~2eJ;Ov^&;0G@01h^L-8a zKccQNy3VF+7je?0v2ELGY}-Du?Z#*tH9oP`*tTu6vF+qL?eo3upRBA|v(DVJan07u zj*@}OsJNcu3e z$&*~vHiz6>&V7dOIlA#Sfp5c!zskJ%^;_#hd5A&n?T2RHMsKfI<@LrlI3qUh%V}T` zYWD!X58(?x|J?Mp$lEUemsRJ!s)83I-Gwo~27FV!R6wb-m_Q8myCAinPczoryjm0uO`M7YOdqHUe%1HSLYb5^FSF&2*;-7g1zOZQdW;H z;wB^NZ#l(KY9az)$h4C!7UJuJ#409wwJf?&(i;aH|8oH38A3b`IEZ2d?0a!i#zqH{ zgp_vkb|-QXuiVc`cv{RXf{ty~8WF~*M}-eOz>+xaukd|6k8rbtO(Y7uaBSG&ji@+gt6dfPpj3$t%2?jdfna~=YMU;fWa5C z0#}4o-g5{}qBO9*{pGeMBKdkxiZt|ShCoNkaYwQ${Y^(kOmFN~>By;B8@An)B?Fy` z07dZ0lT)yV-sEN74xZNM_}{Y^IrUPEZmt39FaBCwKD66T(l9L zToSdIM4v~0*!iU?PNj28czi<`qWBpfjSv&|R%$$pHb(jA1i{fvv1YqgP zA%7#z7k-J#r21Wt0ggMn zN9FjU_97e?Q39c@d`Ula!XUcKm})t-2Y`VcRN=}pauecZ111z5MB7_x(2Tz}I{^VbwxqF%kdE*dOMp1(s5GJi zmk`y+^e3$=rf9|k_k8}s+)M`h=ta&v;{|{AV;;thL3zw_<^T*;P;Y}j5XShNacDt= z^q{=Jx$_2;7g?ckJpwG#y(WyCLxOsKcPnYF-&B8UUbjAmSKKn%{kh_+;#;~5%B2F; z&iZLn(NCvH*1&hFIK!Jr#a1zqXbxgnR2Dza-8Jor2x(~bNPHfr{pTibVgpv4s-47iH2i0tcf_>I?UWGAQ@H#pvPUxtTAw zDEI3KcP~Hk8Xqq}6>Cw=_63-)e9?=+ZPCL>2r6+RT8E0C2SL4um;zPtRfJH^M7p_1 z8$%1~VR_2`Ifo4+!zIWX5@zW38eERVMk2`=B!ordl?GO#h{bE{6=IN{`pT+ZKj*A0 z)e>i%m$cJQQiC-Fl-|Ppo46F|Uc}|K?8Z?m)Ju{442*VEh`_kR)?Tzz?e!jRng{qE z8yAqq2M66sFngLLW#RvLA7QNaH?}SNJ<~p*BGbG2Dcqka;pf4OL>3yzIyb0AD(hjv z=)7td+CF{-FMmyr_hRnm{9Ei&PZHl#`xWN%UW^wQ)-6&hXW~|#rbf@Jdjgn6lS;Tr z!M_8a{H&*o=0{#Ra%A1VsN}80ghixjkm6ezu1v*K)fT{Y3*rbjTWD55#_`Y6PpCR7 zU0f{e;>c_@3UcaMrI4u&qW&idGG)tp`*|#31;n6`gu(MbP4-Bs&?t(O@G{VZ@+XUV z?wpRElcHMaI|Mngzag((7Rpv9k_TWOah|BpB$p?_Z< 
z35tttdaTbwaVv$&0|g`utjU)mCxcNWC$q#RWA@u{4$E=4*M_B7wF>U!RCP4X-rECwW0cRX9LdPnkj6MZ3_>OOdM>v?Bh=iQkTd z-0KJav(bAR;K@9uMPbm8*%X`j<~&MTO7TPQO`;*0s;W|?ABQu*_o=?zI}GVuXE19s zJNOdKr+RBD@Y|&P9&m#@`ASDrcgAiFX|Gx3GE4sV`*TCCYOY3)=M&ydM;W^HHm2?5 zH@;DC?Lg~&Z!fQV@+u%C0=iMFa6Yo_NO6@~_>7JB!oD`fx@XZvaEDnoCWN+M2GGCl=YT*ZTj`Xf{rN#6Ziw~pd zKU^N5y|KwR(;Z6qR2Ch0QW}}Q2nuOrXn5-n?6X)|!KzwRu0$=D3gw(12M?AGOzg^M zF@MzLxiewzqzvnRGfz!;oe=Y(g0Rw!d`T_oU?gTg(~+`SrdF^VZ?kuk?O@y?F873;0vu30MCyJp?ylBJE)P(jx+ zZ^gq{m^l&sopXzT!G-yBCE+(!I~UdJVWyz_82{fs;JuoshUq2yFqafa6K2B%kURr0 z**FwvO;*6om(avrg}I(rRUL&aZb!lIVon&0+il#t2uH$wukP9gr;dnOZ1W)xz(+sM zYU;Q$9(fw`?fG9BQt@onY+gn3M}H)+2JhTl=u>4FS=;#G#;5(b%vlekM~VRd=l)V$ zi0ecQx=Asi#$*2`AHlQ!`p*0hr96D8a5*%rgIh4!;#R`(1Am` zmq&2uukij2@EmDb{jxxbw0QTG&5e(c=pCGQK1Q#P*p4)B_1mitA?r99&3f0l1^7p{ zucv3b>`N=1`vzWztV%i}fhb6`ZiRiqCSk^u7#7^E1ZQ@7*CN_$G6qlRpsr*4P(lS1 zDAIuRmv3#!FVwRRYsLv?B&^AKt9k+&4Z{V;x|)w8tvW{UGyo0FAX+r$L>x7Kc>~__ z{_bpElkmF9B!=Q*JP}Boqpu=$WB4%!?TAoInYY+eL_RAq*+flhq^ZFtxGNG4)D~_6 zF<4fC0;4LOIG`<=m>9HJv<&FtLDd0YlH+=)4}dEf&240fM>v(JPJ50Jr#isPCtEQx z!x5fV`k^JEAb8ZQyl3QT7wJ}(G-zaRjCHy~!AuL>)#j75jHvN3KjZ9ffr(S}_eZ4U z4$;W#v^HTfAO^>O-zmMJ$&BKnHWAqD@6wtNmoKldffv(+B7Xf{cQRJ>GcG)f3a;Fw zsDUf^U!p{Z?UiNP?v{zydbyTuGQbCLB$HrC#7HbDGtymU8yiXpBM7ol-&o7(rP^9< zD%7rP4X9o>O_bB)=a-dRk;18cu~$#R(h8Ok@HLO_&X0&Fu-n8iLS}~e-F1Er-l2i% zlZ-l8$}OW5T`B+FSecOS8ZR&ZbME@>Ucq?Aik{cxc|#eFZaQOF|M1=t-~yw{b6;hw z+i3Y^rwIS;5vZZ%5$0gi`>q}P>$8g$ve6?lFTqXK^+l!U+RMpk;semEKRBr3bSVkX zvCCJLzWr<_WIh8V#y9W8eiHL%@NXrQHXWs?zAlHzx{@?J`Yyb%zaa3pr=T7V??vIy zUUj!SH}{X@ADuqvm+8DIUtK?3+}OU^sJ(Hu`xgq zMku2{v<+B)3(?^OrPe?nQT+(4UT>p;m1}JmkwHZh$sx~b6AhgIR6LxJQ+Lpe$6Tro zx?@AMu=TrnDp%J8B@8%ojH!K=Ex=v^ME3Xuib-_~QOUbreyj}JNG5ZsPDiEFcSb-| zfwAHuZSHC~W}K_Jwz6MOxlw_#E!ysgT0+(_Lp`Vp2KmNbw?)%knAV4K`l=XyanYph zTORa!dS0SIynL8)4BOY{$WaIj!ys0SmD+u$7}`AN+%(BjUUwzpno*EZ5#~oF!Io5z zX-=4^v%t#S#SUtv`Q4$87%mOez(+GZF{mv$k#yEU_udPbNScGtH+=bIyXM=fCBV~n zhLqD}o|kIwk{kwsW-7Tr=4Zf0XwJflC@!X!y3zrk5aH=g_<6mj@x!gnS!S&hp?;IN 
zn^;|hyc*=j8357E>=h_h@pi=?^ZAzj?a23aclsQG-|6ki@$T|5r|s+db9p;9(sb(~ z{)C>+a+h5oYed=N=D8bmy5s63fN6Aj8*qWTs>8Adc@}siI z#KFu8@88W&odUCzP+-g!tIsCbtIu*Z+vpOcSrTLk(k9au-uK;|`L3+edeP_)RUZGk zR!m}Y3RD+SJ7D_4trS^=X{;;>@U(Ze^>CC8P=VI6E@*IjYlANHk*y!Zb~JZ%M23X> zBji)G+O+)w*tt$RB-I)F3gxv38G61LV3}_WR|1|#&jsVsjiysphdc<`yt4>gh-DeLAm7re6q~huYRUf;XD^9O+0w||-JeJM0V(U|e zW)y3*qhz$OR7&}g=T2Gqt#bcacWi*s8%Q5byxcSV@i$}Qf9+#MM&|^ueHQ_a)0fNP zFBe1|2Cr_o6VHR?l;i6@f3CuOZN(4vVgDu|(;9Qs#-UwvpniAUX-C4fz7@gba)?-{ zJ0)rnZgT@0B`${&o4q4`o&}&dU;*}Hy^gWs7+L)VMSZLBiJrBQi8u?+s7mDTxftBt z%BXU#2CV4dA`Tdy3_GGVEEH6Xa%O#~F;Mua}`=kiZxD{V|H z*qIDUh!-AjoLs{9B<0dkPp^_(hbXXTGE=MU#U-tajE`iayHLpCN74lnBBgo|fGJGr zsvc*t)`m78JR4mnmZ0C!-S+5@BTBhNN)mFDY6M-w5{8IeHfXDc7OSFU7p0{4AZTM8 zbAHJB2#0I1j}r93@RCRDc$7!1DB;Y(Nw`Q>H8`=i?1u;&M2XA#XI)V zCSv55_P+a^koI$P6RMJZt&*`<)9hDDlFwI=g@KflA(4S$_@ z9~{Zx6fXFF)XfF+7T}VsJnYWm2-G1fK-dla)sG)F{T2I-Z3?y@^`;9?Ek-{e-tsd> z(4ryvZFfTcyInsI4Bb$vp>FqsmLov999my;sP*cwyN171&xd7wrc)15oa!)Kh~u3# z0ZV9zx^4zIWa+Lhc{EAHVh?4eIbuO9f8!|3VhyRACaD8)GF{TxPBe(WOeVk>@9J0^ z>52w1S>L9b!T350<+_C=jIQR{%(yMm?uejJcX%p`CKbj(dtKT@;M#Y=IZESA-uw+k zL@;|qzg_5Yiyr(l@E-Tiq2}V%?E?w%gsa|lCLgBhl2$0M!-{hdQzpME?x((7nJ%d! 
z4r7(s;RE^i12ERp*Zo?P*9k#K?|s|oS@dbQ;kWKbTXOe!6{QXzE#Ge@#kwRfU>{K_ zD^~Z|B16vy$~RU-5fmD)TP6!Bx|eb2t$eTq18t28sfOHtbFTGk7bjV85G&t>I&N;YJJg0|24`M(}Z`6vSY>GOAnx zGRPlfAF6lE;sk`acj8MvsQab0aVJ9QBk!>O*+0^|(iT9)WeREByf78zW3i|XGhiPL zM?z7tM_FS=WRgj8TMz?+x?JFYIQI1&&kn06^Nw@z4$p@M8TYiw5SkB3ID>oI)fWyw zp$)$-X^20s*jtEy_7mAD{jqtqQrmH+O$4LvnAY|!G1L%w^#2zIFKu*@kDx%(+=#VP z*-FTiRN*DcCK6Y8;pd&T)siXEMAC+u%wRP@8Z0YCO{IBup3?h81YHwCW)5#iV*^h5H37f}fF zRy!!hd(g;H)KyX)>!Pi6;#MD%Y_k$E3VFW%2 zFO*Rk%vqXVn`G03V;mblxsPG$7oO3^L&>&J3&MhJvuD761E6HK{U@=|J^{q+WTD~p zQc~>aE|hqgWkQ)p-dNH}VdBs!rNBZD{qlfr7{$M8MSvwIFtjc$kOIf_msdB#T)NNXdQbpyuwg^c>5H zUmMzcQjk()Paq`nR-Dyl;$Z1=8~GA9$C~cQ>(xwXz-7-Fao@|B-{w&ZF%h@eA>Siy zb`H%%)Dr}pvnk~Jx2|xT(Sk;l;i;9}1(S!CAgY5^3n^{{zh8TY7#DabZMW;5uewFB--NI`Qi&S{UcVDWcN0%ECqS$5zDIYzRCxtl&VmqK+X?8!nuEajcJENT2O|^cZl7#WMM(_RfuUrP zLtw6JVx7KcO~mcwL=iO}TQgZy}tJ`bvE4q@8xHxu7 z@@HCS)Njw}bjGlAaYgdyDe^FA{kuHVP879a9B6;g{s0!O-$5N`7$%zpq$#kt?PjtZa>$`;(EH8 ze4l@Fl%3|F>62MMf-NxjLT04<10R>rG<`eJy(cQQPP}BIHA5qS;1<;vdGN z3y1M8vJ;&JJlC!-NX~K4ME=6&`*P20vsXa&K8On~>4&=E^V4Y!xmMbPXK!KGQ8;L9 z1!tqAcx%E7aDPl&9ynMaCymuEv_bWL+J5 ze)l_nh+VP&5G&9e%L!4wQ@oBo?a3E`DaXD0QA~xWrj4~wam?vGnFw)9R%Ke@>IwN1 z7c`PgUNh?Z^W|=S$rpR(RjL(GJM~Rm+d49=w89VUkT|P%|qhsG%~U8_DA@ zP9%}=K=b-CLwgtRv`7$vHb)YZm34<=WqAkoR_rK+SJ?&g5@8x=uUZ+Vi2q0G_Sn>m z&N9^}QsfVjS4tu!!vniei5}BL!Uy3|dCRZ_!}3Y>`yo-+r5F4nFJJp-5n^2gX6oR6TW)Hx}){Yhwq??!MF$Gna*(!xXl%Ivc zZ{>_pu`ypqq5ijq{1?%5Oo5hU%-==n{dizJugLREPMz!H%L1+UW5%gm_F=L`ATSjqGu zKm66viqyR?pKW))fOgXFP;{E7PA9gQeukyjto*`1u0^L`FEGX|aWzg>_OT)n#Qh!o z1!n^Nc|Y+6cy*^6w~n%pe|f%vKkiJhHsT!p z+eB93{#>LSpuEg9W2gvf|IwVVb>9%YbN`o! z3}w8WZEnn*J|KCs_tq*qjNr54EKO8Br-q;@bsTR9k9gl4wubvh(jaL{UD3htDxlL? 
z&ACKiGzsXSg@ixNQXBWn>nNLy+UI=a&?kI%RQgX-J3P27F92LeAW8dpE1KpkO8$JQ zgDsPL5x&wq$Y0Tne~lfr8Zs<|ksxlWt=ji_O_=J_ABh8vNW!X9(IP3DYcPspsSMIn6T&H^uWvvAyq84kypC4UPoMG`}EnQqwAkdf{~YAq1=*O z!2&Y%&DXwnO*xUHdAt`~xWDDPXuyV@mZlVS%Gq9$hv2(@w+aX3|3PmGa@2Jk@NzT`Sd>s5 zNsGO!$h+fe+UP+0)z9s-`?g|@-c z`;R20M^buw;L9~D!sC#CjyEIBxho0vadKo2zFu{`>z`j#a-fJ*W(g;6F%I^0krY&0 z6jZ!ux;^;*Ek2x{F4vZvP7hjKy-i^}aT3~$2J+~xY-}m02K&2z)F4vuji<%euC98g zJ^D`*GGMlUK$QE7K_@T}+?I*Zt=sx1#;ib9NAB#8pLoSE>@bx1%Cm{e=UnLkwJv}5 ze@kViZ^*PIZ_t94de^FOo-iGDL9lVh|LV4~DpS^NF10RGxyxd6KjZC{+9_BQ!DkFs z4}_ZR_-(ekv~&uxK*LTN3x=xh6V9@;3W==3LE8Es#i-pBn!5!QSrr$9lL@PbLi{x% zw?~n)2icLc^EAhn8f0DQS=X3YwEYmcq&Jk9s&95^*hSA@XQ!t#@S4)F%ZCYEI0BKr zh0TTzkK$nc!bP5u?nxa(xBw8p+FbG{Dq<1xp=d)2)aV z(T8Eo3N+a+O^)P=u36R}+6?|fDR9|NvpM#TQfM;Wxr#bc+kD2*mYaWrMPHeDXj8qI zX|+KJ!ucplt1U{d9f@l3$<{<;lr3vTeMX28z+o>MM@cS~q{gz~Hn{%V==^3CvX&!pSPGm?Y@JpgT}qplyR%Cb4NZ#T0ueY?MvVL01UnO zFXk+y&zK(A>&8UbcjWn!|EUp9a%n!aP?lhk9feW=6+jDs=^tj3QjdWAOGBKku!~>7 zunR@ny^foYIxLM-a>&{0`cYt)b(uT&t%*TH0gcrfD$sLb zCl~)J;n8R<+**5$!o0R&yD%)uM7<}`KFyBmU1OLV!XE>vpNVGeM}?alS&!%UjojmJ z0!rLg#ql4Gc07KDuqEhZ33Y4Ebf^dSdj5mn1m25uFXjtf5aHZ5L@#ukklo~KzF(0{ zU)|TZAXNLy&07@*_CK!+ zG$H`mJ3yX=cC5S%r)A>dtau#?2jL~~gcJ{RRZJtL(oWI&hfGp}r0S^{SqJ0-Ds}12qpg8=};Yf5LQ(P_TPA zDA)neo7$uyI5SmZl5jV$Skf_t!eLYz@?%B$qL_DsQtBLkMQgN=fPSp2akG6L07s@Z zrlFbJ?CK7;>(n*oiHb^AFRidpGhCOeB_Y-9tTwhQcXu{+r8Km7`^9a9afbUGwI<%j zKK$US(c|lvDt-heL*dUW?=zqrY-D4h`b2HWJ~aHcj)?t>Hc1hsCt{&KPzZu)i>YK& z#vGc5gkm7sJ7)_$YOr}Q$`@;jzTAQALBx)~JVcDcLu`qMqF;2tLtG*28s6_Q_5rTB zziB(T`o8t2c?QYM==Rhh`40&-O14@oFx@N?%Kwrnfqe0tdU73Q>LL-rgO}I_dq;Ka zkS-1J-YRP);Ey%<;a$8ZG79n6K!>Q?w8&A5;6e%~7e6Ni6z9rt__qV)X$zK^h5XShfcN7o3Qpq;hlD>GBk;3m>&dnat|1#`4 zd+++=qdpUo+#axJR=c}yY|||FCk5&UjNQyr`m-rN=D>?#Y&cu_yS>cXZtR&C8F?!= zawp$b!(1}!Zw%H{!Z2Mi7G?oZ)=y37&XaSKDF|ho`{xkOzW*PZ4`#m&b`^}fb-o)G znm&mfmuu%~*`NFgdeyAW6YuQ;^1HKdWYkH`9Ifm2eu=TsQvtqf`D7rbmIvSX}f4owJHim?|mrDiVd%ND``n+%;*sB?|A5R95;hTT*%RoO}{ zhdPx$M%c)kKneXXgOdYv%i$)(*WzwsE^gb4Iu$k=ob;}pVW45p?1r7z(9ldBy|QRH 
zTO94&xeK_w3iIPLxpc8vsc5xBSd)3{2^8wqcwbWrnHPw8cYs7_MMxODz}npSk66TE)=T*_jwJ0J zg(6tV&nG&zqC?!GHSsn4=K*Gx+4>uPDqT7DI6}w&w!YOG)xS zN29F3sXI<3(6AW0zJyGy9|tT>+t2%OY=?CHT0E1v`Led|%Zv*4Kxl#^LK^NP7|7V?^yjnO@jOa$tqMt%JG#$mK0IC!N#MN!!v^!Cg+Mt9vl1J-_3w^ z{Z%~#yC_H`rm|X|3IVouW8%S!j8ox*C~jc8px))?^zhjCrPVV$-4H!YQCjxPCxwpc zCyTe!l5#O`IYz0J82q^>^T(|m^qKV?ZSB7NC$vZIKRAHfoB3+vZbRfwP-l5|Rms-0ibIlD~ImL^d+E#tELzTTl+?9h5-Oe9Lyy z1Ib!wIo$9nrF4nr!S)}+Ml#c_{S5;+vrLs_77z7{zO?E~BkVSbNX~)Hn#?P-V$lnK z3f#?1{}lYctQbV~HH4#}dOUN|^inA`sAiD=qBB+2k)84^sOW$jE%wSmZQcFgr%dFc zxh-`TH)|2?a{}37D>c~h*jy1yuXvcsfCHoIH>^0eITSP4x@iaFuMz;;48JyCM>o?h#2d<*-kg@%;Fy`sl?F1smCrQ!m$>F)88OI>E zm6Kpz8o>lR&pIE3{6qN38$SgG7!hMf<5J*&IA8TKC;+4y&4G5Gr_(2^kj2{_z+%ew z#988qMMXluK~7w@yRde*!tZ(ip-ajSodamd;XpTJ8x%o{x@dVxpC9uVX$Yleer?Qbpa`sx#uw z0pXD~v`W%BD%z-8T~(Zak8_ONbgMGy!jiV9o7ZbGZedrwmlamu$Mf?`Ec{X}$sNV- z$+#Dlt``Ep$>cA!WDU@2jWtC(MvAxh1Oc;_m@nexl*2O0R{wc>3;L*9&?O5)f#IKE zCpXHn3z2)}`LcgT99Uv6PV!n3LOLJ0oJhU!x2`{~bIGT37coA*IvrS6-0X=a(W&c^tUteue5eUj>os$?ie)*3q-4~K8O!A^47_gQzkjS}C@+<1=a^N>1mGSjHU>d_xAWFW`jHooTs;Oi z1K2|*Hc;wEmA#`KBNz3N)Ud>XRAJ8?amkpUK?JbcD3^!U`UKOZKFh1t0KC5 zGT>}vfQ%qxs1DGP=c_JY)WRJit4lf5A@i{5X|17`?i`-E6Ls;KCq4qBHrQ+u6H>+0%u@dt(yQ1q`z*-2Wj5ZDKb} zJCf>sJaiDgrAP=h>F2re_lR^_x#9{rRr?w;9&>6;bmSBULHK{;6?TmU=hW3zuR9Lz z!MSu9!^q!B8+n?Ur$e3L7>833p=)uF8%lAY5zcrd_UX97z=A5edbEUo%GA>{Nxeh+ z#mfFfe71|(=Rd4X@@bf^4s~Ukv&1TkgN9uJ=RcFSq$9i=Nfjpny4OIDot08KfCSU2 zJG{2g#=~Eja41|g{D2VG6jj|G>aY7!x#G3zuww+gfQ8KeC7JH^o%2CSrbKzuTkj&S ze2!QlKf@_k)>vx|qM?)oHSfh(I!)zHRvc13^)%@J6z1zak24@S-kKrtzHY`mA4>{J zPt@AD`CNws^EpWVpjRbf98F`m3j*MUf}c^5$&j;+x$TH7K=@xMPEK8ZKXc(;8VcsA zZ8NDD?Z)|Me*p!RGV%&Bt68zTP>TP1KWG{Xu>XaAcDJi9!Gcr-lU!!+rCI;{Nx;eg zX{dEb>F2%};l5AAyf4Y-Qvmqn{CP?t4mN`i#AF6$2FH;ePO2)#8rw4a`B+O&Pj}7D zjv7CdcZoF@FO(OVsM(xTXl<)TWO&Zj1j{!g)CC5EgR-koL<})m+UJ?;2HoK#>WbJD zzWm`R>2d?;F8OvQ)ba=j#2qxF^Si(eA9-0xQAt!#pocW_Qi4%=G!;Q~GQ$3=b^6$H z?=?*FxJOKYw6)PieX&+QPDe0uo4-9Bc2Dok<;gC)2YfY*JWHyd1 
zgc*p?1;F*m#6|xHX&45i#^BV1C4op)#}-7IRG&|q0Ov^i_Udq51I2Vpb=}^RJq52Y zs)GN{4*l!6Xcg7N&XvxFJTj(Pbq9ug?rj$+m?JT#ysj=(C%1&{A%Z5wp81*51zS=~J&}mc1pHd7JRNEXREfz|86< z=-SkaS*p7Ji`iJ3Tt6akU+g~-)(4G%ABmL&`qZ3Y&)%gdEQLqe3+F+L)`Z67TX~i? zSZr}BP^t6(%i4i$ABdIEr0ue|J4KaKnu-(`HK(Tb7K!GkzblPRFo6L?Akirmp&Ckm zoSIcYO~nujq#60ZFW(e&(6`FwCH^jH!AM2zfkw4?5sVyQ)S*EjvpdrXiHpm-Zp_yl zqclQlMwIG2t5IPJ=Jt{&w}QT#0kut!P9Ebw0Gr6i8(vjW^$<&Md$Pin;jT8`+;k25c5&d0-+P8XWP)CL$^~*B_;)7_O9fO32Px8>A~j%jS#R+ z+G0%&357Y6=?~Nz>cXG?LKbs0d3IS<&yYLw1VmobkMFsFOq>%IX00v(T3P=_PIZ@j zS5NsK7(@7^?Yy$x`CtCGl=f>;zAYI@d+s#`mix(wCo&;r%vDu8ozTA`2R!XCr{&Bo zLYgkWH1y1%9acbE`jMa(lX7L?T|1u*wbMszeO)*+g|TF(UD=z(EMUrt_2UBOOi;NU8t7^ zWB5&xUN(jnzsW;i5h-xuN$P~Zud5JM2C5TNEnq3E8h;n}=H^FpJHQ&X7cWBd_Blw` zo5;Y|1yu)lf=fSFTx3gP&@UAi=6Am1FWD>e=I`6` z-S@fK%9yBUOdVH>$`-m=>)Jz1=iN6SkgrwJAkY6%gx^^;2F__CyO*2vz;sNC0KIBO z#_pORkhi|R;So{V3G5assx7%>^7I{x8fnd$zGgoVM7FSZ(;_+F2Aek#K|2#m9Mtes zVS4du_j-$eqj1Lm+3bU&I#!U-ymKo$(JNKGiMAVSf$S&&4wNbej*u4F7MOO+9p3CE zx*o3g6;05EWXv8-Ge2@f3SLiG?9NbcpMt+!UrXIR7vcfolZXuXrQ*-4;~MBZxBz`L zHz<_Q0^#yuV7of~Cc{{0`o-bif3dk*KFn8Kd+NX>f@1hl54`hZTJ3bYpC1_pB8qCZ?m;Pg5< zCM~>5c)y-=EV(sx}pm<_N*bOVE{dJz}aslh)%8ns%ikK&DWP!@(L|B z>k*z-Y_ zviiaTPIao!Vp>h;1(?ol3qfN`57l`7XnA%!~;`ktk^ER&Rnh+bmAw z71Wi*ip#>d^~9mdPw@02wK;-TR%d~%rUl--R1DO%F0$RDKh^mXzz3?hy*$r)Dzele zxhnZ?6^#6jAkq)lNu^65WHwsDk1ez$Uo@BaLs3&+C<|?(_bl|7AFt1Xz~8_cxP8Q4 zW=R!}le@k2Qf3@tKd45yml2b!NInhk6wR=DtJbQC!;mzOJAAg3ugq05AD*VU`g709t7`HMPcClbZ^INg(j?5 z^GZb~>#mX_k_~Hw?vf2>HXQ! 
zkOah0oVS(3)0R$nX`P`9{=`f_$~nk>Etp+uflR#F0(;fCOGa#PxcuNKbC)QGe=V1# z*~-JR-;09l!70aH-tKdlIc>a9#SxP5f}C_IDn=c8QK{%yP{6GT+oMbkMko_v`Go;m z3+-QKF#m$)8>k-wqiz1+IaI!BiZF3eGFdkZW@wDFzE#hd%Y!q#(q2>ahMmGyE2om7 z@>oJ~CF_){Togh%8SY2YV8T>g#0ssTTbj@d!Tdlg9fP>z{Bpm85fg^)kl zS2+uIq#}jU2v=&pUO=nDJpI=MUgl)q>$enMKZ5V@Zsh*p#AQ|h!re>fkur{{2rb{A z%~_kU(VVE`QUSR{nd%)C6aqxT$3ZaTF(>eYTR5Ei^;+$6ghD&{F4a6UFNn95Nl&}4 zxfpsgyFNhXLgoYmpqtyCPO{v0c6T?W^|4iz^fQ9D@EIdd4J~l&z`cnoDOR*vpGAw@ zp?tANG^AW(1%guXZ@@^qsXk<7)d~TO|9Md<p8b zkLd@NtUl1A`+z(Qew$mRreEh?c3%$ZB;F|77x4Q{w<3`kzpd1mPwtGp18@gD_0OL^ zRC!HRvpKD zTd+s9)4X#Lkj6l?i+Yya>1vl{>oELlqZWQRRNzD>iJRGsg4cCR2It_aY-Cr~>jyFK z&53UTt+cCmOpy~jt*5xkYM~_JOl`4nu8Ppyo+!~0(qu)-aFuno5@qn}*+17k-s99Y zb;oBMC^;>98d1aof;K9d#Oe11in~zWbi>X;&nt7g4diIVk5`0wlg+9r841;ze4V;0 zx#4o*n5rHbFd-!!T_+dzIc>41X&ORbP;KzSn!q39E>wRsB(sm;ZN~|EI`CI(1Z!85 zH}Jm-W^%WI;#xNdYmyS;j>cpoTQ-UO{&ob_L`Un5`8>2u`#t4R3VlBn?B)I@oJ_@4HPG8an< z(OXmx5VYC;a`8g(wd2Yvq-;QokmJ2L>X=FNWLQLHi-hcd#R<5>cCsJg_E?)d;PsD~@gKyeA~sY1R&vNQOthpza8MTrtbJK#$`L58ocYq+ z#51!z;}{h+>a@4QS^jfmvx^fK-0p3~)jpjEa|l9d{1mu;rii#WWr>?^Ktsn8W5u>& zX$L{?I>LqP3c>whTKAmBe&qBO;cfqBGT0vWr^kXR!DvaC-H7$%`;6L6Fdqx@O_&d> z=Z<4&#_`fWM#b8v0I*!T(xfz9hBl@=`;u+s=(3g{$MQ~~IIA^xz2 zMGzi2&9#bx(wuzoOf+KTgd)-8HyC?qY$|mfH6mR!^lr3&1wI%R=|On5rde{V&Z}Qr zMhsIjfK- zAohQD9wk9L^+TOHzS@6BFSWu79kn-CcTScrw?=<9Eu)|=IKyVL|EbEn$-BTj$KGQB zx;~RyL*78ijG$CPt?88kn@?sczJ+2A_cCZt+&|^WUNYSBiPuA+>`blj`hpFm0~3J4r=>*3om#8?4C7H~S4HFmY_UZ$tcP z4u)gq>(gA11uSrnp05X}Nki_pul?QoB+%M0Iqdf1Mhm=AwhrUX!A8|g$F}{HzMe{o zDs13e0WdKGx{xzMsLA=}kl&C@oj(RnRE^&V}a0}+|*AR@fsq2yMWP^}jENaE93QSy%_WTNAT%!I!D@oQL@cqcDR3(wbWW-RS#hHYJwh)$W6jQ`whh|QE>3>V|AKw>2} z9WAEW>^c;Pj`%$Xj%2(I1jy!F197cDN>&x(}~G);OA!c-JECe3LJgpA+Zm z3j6k=NX8DdB2d|5^CmB##GH^CiTV)o?Sc;-&SYO+7~ z2AofS&-Gp|G~gqt&spY((nY}VJ;_H*s`gQXpa=;7@-q3Ku#PMf`vRX{#%%X?_qH7D zUO~(u+bV&j82ur#hx_BXyExhN<>?z^Y?-gysS_-IbHD2MH@tbLPMZnNnqxKtl}R@L z99bkk@o8uh@m~2T?zzc?`JbVQrCk-+DF39LbNo}dk_pjtwf0g;JmYX)Gh)V$!_N=_ 
z9VnqjUoW@kXY_u;W?vsStBlv@EwvID)KBsDU&oT!3&$+g2_tDqk>b-haXb}(A?QhA z!lZq}N!pk3CVE7BRyOeR9T7Ccd|D5Xm8agzkw6E)kr_Lwlz}WS)eq+fB;2kYE@s^f zIIfkR!~fFlPD$oBPY0Vfd*e3){@dT4Z1g#A9&Qe{2Tbj`0#3XfDYgX6I8SnCVE4jn zLJQl3s;o#4CCipX5j5$(ain#+{4HxSlQr$BzKRKaAeAvKLMzjxH+3SHw8Tua^J$#2 zpc0)vISs)_;I<{6G~tG*B9hzXYL;PrXeE<+#6hS%urZn%{z_z3L1x7eW*u!tya+?@ zel5rkz)o7kZvjTwc|cpZh$@X;#H#JRw3N3$pT62i;_(MpZ^Q$c+BRwEz4)iP5ZYI2IsZ6}AccyV8vsbA}aXvDQvL@ZFyL zFY%whc#kS^;vR4iv#3by7m1gO&|IBED#N8hpsl+8-E#SGEv-(Xvd=8@Rcj7+bYC|0 z-E^9rA)}=9Vx_+Uzx!&B!6u>j7s55PcIfY2D-CR)&g_ggq$F53v1-c+*xW@-BrzL^ z{Wcf?L&|3yQx@|1Iq>uJWO=I(HF-h18U$P4RKDKR2O5Jp9D4yBub81sko6E3hF`#F zDK^`?C-BKA`p}@oSR2IwJA@dWZV3LUyv_u@@Bt*Q@yLBQCTH*OII_O<@6ty#nmBC@Fr1(u)P zbqtO)4YV~fuJ`XpQoOfFfMLrhke9248Hq^6A zjsc$e5;)CY5|=%#f5ADW{vT0S8CB=9Lt9GG0>vGQySo>6cXxMpDDLiF+}+)wxVxMJ zg@e26JGb}U_U~a9YrZ6t*~uh3Gg=ZI^^em@G9uax~XY;DOw)ib>*Vs zq}T0#S59GXlXhh_np%ukZS0KIC~Nro%vg7Hd@^3r!N=o6pn#j?UB2BCjuKwUKFL67 z?m=2k6GfWrNQa9iU;n~y9wfG~C?+p}XlvgNy2(c%=N?q$EyhdkSZ~y-!ZOV4ZA^o>QpyV>dl7o$Rq{-R2vY z*auSSeNVY;EdP_qZz~k<$mn_k(S7h4ucQ;y)yyo*vQ40QmpAOf`Zr$GsohQL?%ql= zG%+XABwy`Zc++oY3T7aT{I_sC%>DhS_<)}xuV+n>Q}F+FWz1o=y3Xvb*|MN%D4Lv&A28u`G-14Ml|!8&qi z3oP|fk?PGgk)dMzW!JxH{<#<+7csP~=FoM0;Rby^*Tn&ub^xbclavS)dNtQbd6JP7 z2@9!2Lp$H%jQ;BjcN9rd9fRl1X-2n~$Ku62f^3ei^zKIjYm-w0v?5VS{G5mT%p4Qe z;owS7XR(dhg$dHGDo$l+<8n<7wv}}cs<(rC9yiFH0yr)nCY@r~a(`)@?BA-DTx3%+ zX0=*NTRL=itK0e;op9_igO-H}%(O4H^ZiFE_ zt|ldA@b_BhSl-q>(h5R0sl`w=`LISp3a?skJ_|FrSx#g&s4J=+L=#4h5l7nJ+(~dD zigCPb{)Bk{L1JpXl{yC-Nd80q)_QU$h-x@N`q}39r;N$h0HS()*y1nSm09qLxRp|N zzsr2)QHWG6L2_13h!_7T77l&v`r*F^1+e7vXB*9@=(ChDH8uP7b(M`h+z>VZ_u@A5U(WOU$eCg!u}7 zY?V|gg;~5JviKNkc4IA83t&9Oh9K-H(G5;8T~U_uIjo zO{C|z--c0X4W!5E7dn?zq*3O6>RGi9r}NT};LKTznE8jTzZ|$NmkA?ccnZ?I@FOgi zeA<5&LIlOr#lakpjJmx;2P>BDQ2W;qNZFLOHID~a`1p9>%DEIVp}qHg4tUijo(=EH zcn^#>172|+9~1+w0leJICTl0!#>hH%-FZ!xcskd7d7wsSxCq=Gd8p7E)&*$EV|lhF1E)=KyK0XDIU;x1}MfA&da>_xnVe ziKO6U5YsQ~+h_fdNgNFw$m-Nt?pcD)>CYZBYV^dK60rk3Gxmw_xfyPUj9^?&e=8ex 
zxkKPvS8@|9wm5y%59UYqg%T-=W)f<+4l+oHwlg_05*Cd(PP#R%`s7aj;_$x6W-gvTy1z*%Ld3C2|*dwg7j?L)M&3>O2y65n7)mRQ&a zSo)`dC0o_FL;UA8)0yCI#+j~7uB6I>%2P@6x#WvR_6MGSS{D_sZDiHAS0sKNm;;`C zDg?ha-0)Ee=r5Je5sMaDOHlAU|#WV4)DOt|554|PxXys zGsgamn>q~VG!T@GO5)vo0;n6aoJ48=)^oJ)*XXwkY%d{e(PM5l@pSd zMV`!h`=XzBWFOcLlrw6V4nfn7fSq?O5CBiWgVvE05~d4b5}!e}*C!0}=KBM-dp5Gq zLN32$%VzR&_wY2o(v%b{mc z1UC&2dmXTRi$*WsnfE=N|IXt&OtixX=q9?IH@J+w>cfaC;`U%Tc%4keg+qpi>wKI2 z@n!|x{ZxJG`nDwVW~;HuD6J98iqBX~M|YXi?s0e1A3++m2lTt8W1u}Y9Cb^hr9UNo zCHY8>FQZz3ZC121b{|=k4L))9CkMe3cUH(#5L;q$;TBU9{njSF%<7 zOBZ%3(hr)3L;d(@A=Z6*(k!>x0%wgPR0dp!H=8V>rMF4KVsV>Ai#a-E&5%wQ!qX8s zC&<-6!UkR@$rFUT_MNM_8kr?S57)Pctwt`sHs8Z+e4T|co9eLBE_r-Tx`>CeqX=1~ znnLoIJ?(U2)>;(5&NWc&0dZ|mAvvRXNn9s>`x0MF9F#&#chikBHXVu!>P%pH=wY$^ zjd56d(dp+>tVpE=rumxQF*+q_cdbQfeO1IiE-tnONSVjh90NFWBg06RBn|k?Ys-5dNSiv@w())M?sNB^&mHu%2rQ&s zcA9%*Qd28{_OF*Um1I2Jv~ka*E_lB+Nb*2)%*|#!^=^Rg^&If?&R5a9{EhDN>QVPi zIoJ24;LQnl=8eNe_^q{ysXu1RRyyPr!Z(Wry%&ury$<81%+Pu13vPN+s953C8hx0A z!hD{kPA7p*^y$RA^-M|Vdf@~9sqU+8mooRNr-KlB7qqM>2ouuTKppXNV0x9V66 z+Zad=tIf>$cbkC5xl^2F7A2;kC=)@+rjm5)lm%$VKC885tGb#V*hTwJIf4)9W`rvTWD^CoR9dsV@`&M4I>JP zLX+j8Orz6@ZnG%vsd;`wJSJv*-vs3uw|o|<$vmVptrjKw5V)j*nKJvM+vdr%hA?qnxm7Ke z6yW#f)~|>0$cTKhPl=2@BRSO@da%2}VWt_)b&;~1HICFgw6xNk8SKOVRw2!bdp+^l z1;DUY%>>$49&_xGq=-3nh!#+xDzuo%iK5O)f=}=&0JTEy+f^ z4V3!XmSjgv%aH>uR6}lR9@W86g+-22^o0ugg$BIV=rXO`tDtwF7iye^i6&2%r;9F> zx=Hk)@L1^{;rie>RslL$%2O;UJ)-v*p@g#>t&P4Wrp%N9vLXQrgJSl>q4iboHP z?Gj+I<}hebN;(#wyS^~MM7d@DTQR`A?~Zjakv#-*HPQi8JW&TS)G+$(PNl8mEJ^e* zudRHG^-u@P*lenGo zdDK7AfeuGv&Fo9cOc;fsgWN1>;}#;yqXtgkYC*Won_gV)l1RlId?y@oh(UWj?q*Q) zibASn_`ZMZ5t61%?Iy8}6R^QOjJ{vt>cWEG{xzU7{9xEQ?2WaS(*GY%M)PKEu8f27 zjKBxSHP+3|-R+}-KP|fOT%nm6B(ZdXe=L(JI9A0L$Od=7a5&~qC{PXoEx<)=sdcW= zZSl#DOkp|eFRXtCwjv))oDTfsr~wkL1|nqs%m{NZo+@v>C$;M_yD>Dg}_qJVylp`o0nre4uNX&<|IOB=cFjGm&sji zH8zIGT~V^;eb>zmX*=&j$GDD;kw#i8Na=2mlol^!F7ki*16r-w<3Xe$3|P`?bU`{& zj4OId=Q49Yekgysz#A( zH8LcKhr`LQC80E-kEss0*-9=sfe(l*oRz%=ldP3qkNAy^MifeI-$X?-Py2|JK;tzL 
zO*c>*s<;XOlW2&9uu4>Yh(Ld(0vgGo9n?vTW2Zl5KwxFpnbF54#fBg+Q{qrK$FKpd zDs8tvpg_)o$CbKW&#ptzC9X*4O=>J@b>-BmKQ+uwp<; zk*5-f)brg%k4ifzU!|oB=h-Rjr-3^}q(B~wk^1>84kX`^TMpjxlXC zWYawP=aS>5s&wJVf|`9PBn+pA1y{3z%~+nq^;qja%M!AH%#(wc3W!xY6q(i{S7ri?UeY6BNEPHv=ZT>mT=lY|$u@D};qsxAoK5 zr@!z;;M9aUg`k+)DX&J>3ZaKQwg{ggg$v0LV`S@VI2b2TQ}SM=$K!r$o2%2tJlZRw z1iwkFE>Kv3QHFE#lYW;`XkwmFzX=Ydk?fBz9|phuNb5xt|C57B_2P*jZeJlxv)F1I zaV->P%txLJ7Tf-6!7wr~>y?>Cig9|jKXUUMQqSvf>Nc65Z zdCg#N?JF9%Znq25Vq+lr_q?|n*zKhBx^N}etvMH19_A8*h$1cYv?b;xdbF(hopv^~SLM$9nZ+P=){$!7CF*4rEzH8>->&i8u zIG8^E650A>4L>~0evBarNRc%3LLSEWeJ-Qz!D8%}zYiio(5$L-=2h?~mg)~Hd?pqG z5a`%TVG*jqMS=eO7xo#hGnv(9z-fTef!I4#a2l9dYG%&<0tNc~sO>l~2<9E*dRGh8 z&34IgZhhuqlPCtNg;&qfv}UcOrhB{McrIrJwyPvy%LARisdyT}&vO<#`}OYNC0kq% zMYh_gIhC$?goT{p6r@X4<>5-#6q2OFoKh>78`j8f5t4J!6Q;F2K;p6g9#8@i?z$7aU!LFjW*@ycUKmXmh z+7wowO;hkc8#h$d5M<j@Tdzn2(64F!FOfM?&uNNsSy%?hVYiH~8J!mkiC(u^vc6L9H)-fN6|N zhJq@sOC-R8AC~vINbiSL|vAlaec-Sh;V9ZWGIl%XMo51JExpl(e(xiHixRk)IzVs!63t zKc>_jyGNvEcO#k``w{mR!Xw^DB%wA8Qf7C3>m^10&mPPs%h#FG&NHM*LEp2z5P2%( z&XSLeoJ4<05?*f%mWgJGgNLqSGJClrH+&Bp>g%ebV5vI}+-_FCp|(QR6d@D^-{Orq zIIS^P=A?~lm4U7-zdszP`LeV{z!y`n)WT z69gBSRjZi_=lAtjZEQE)UeNvc&fW*$Pk2RQ{#M$)>!Oj50Ser3=RGPl}FdvtanEffyKYBuJhBNW61#9nT37oR7Sh=O+h*9OcfHC zd}3F#6{`V+64pN40w#C4H>(#)2q+#Z?Yru_N-!!j~I#dsbLdPle zy6h{)Z6P%%l;DGon=s6UrW`L*4#2v8kZGy#cPY z1bP-O(%cZfI4dW&cR<|7S|7XVdz@oy@vc2DQIAw^kqWz+#Tsk8QS~T_sD?%N7bEu+*<|-(d(gQhqG6 z(=L-a2qD@Lb-{6I{!6-r?s*F0Wo;)}=-W`&WuDc^3{Y*;nC0s#DFqRjZD$i+y{hu$ zfQaR~%Ydp*Z;#BE1?8T+Hi3YLR{u`RR_<%P4!*EOTl@FAi7sV<17elp{khmjGo>0 z9kS6!#H@?cPN?3rRx9hj&vQi#=xzCZiVd?*c3#Ev5w?KiFutQUR}=fhNz4Gxh}$u> zcWJj$@noUk?WihCu2b~kvt|*iYrjwU=&?0zm2==Y;TlfMAm77NbvG;9@$&;cr~Tz* z&sIf_iha}4{dRGdYmqbjV;?2psxH)3atqn8(7DR8Z1V(wJG6ej2sr`H6h~I&brJAz zzL9F*bL?=RaWKOqWl5jO^;itW&i}uMkCC@)WJAfk1UjrT^2{`ZYAT#i*nfzU#FbE{`@2-k z)N+0P*vCuopI0GI_2PU8(WDfntWj1#yWUeL8WEgn zL~hhU<-wIf7@~fHG%nYVpH_$oWTccs9$U&(OpBCdj{GBcI#t7oU0_@&y4rzKVvA#?SYI z7o1L`i&?JFT`=`XbAE_9LpCMqs#V zL_;P~oYh+SZq-lk{KQQFUU 
z9F0G3`F8z0L!j&9GoyNbSy%46;l0tx{d~Re3oHQKEdg^m&|RXsFHs*x#}bWQ!Ojp; zQUq(_$bs2K9G1vLphr~@;#0XUhamQcHec+cGfFrMF+k9rlib_IK1VIWz~Nv7WBGQLerY8C$ zAnf@S#DcT7f_gS?eukGttDr2vB9yqB>FfOqTQ^r` z0G5^mRXE$hEkw#UX=E#6;i}_wngc!GJJ-9mx1uW>+2uV}d~I+b-1%T@6Y?C_Nr2>s z9}?V>t~GXaD<2rY4-6>8u)rd`0lJHW*0T(`CjcgI9n9*V*IQq{)RH4LyV@8zuKlc6 z9Xn21n?+j|zcp-KoALmWA4ekh)flqMz?5PRNaAr-&ms}$cQd>9)ICQoaT;DO3uPnR zI`Hw=PCJfWqMeU_$!8L@l5v}X^Vy%Sp$f~!+d=*SY9fGE{D$Y12Ws_=Pk=$h75%bu z2UZ&0+(9Df?v9s(p{MxnPed>EDVyT!x)qFAV=Nm(1@p&W&-c1y!QC>S-YCc*mYL%( zG)$#FWu%JyYo*HXGep3xun?i=pe%(p=6U!H`4#$L!Yp!O0=Y)4d1l?jzk*i$wTC>O zxzLss=6H}jd5k36Q>i`i%_6AZmPc zdmg>xrq2+PLd?fJ3W(>Z+(!~kKJd#^cn}V0;1lYkseu;!cPhyBKFD^{*({zFYy2<_ zNP2w9#7BU9uxV0f6YJU`f=ZS(eYO~aS``xcm!t^vi#)8F2n`aW#UQjTJx#2cIMe*C zP3%CKsM>au4GIwMy~t0RzA;=1e%nBnpfx|p=yCoR2f}?>~MZbUu zPfxZk^+HfOq|=TlHb#+OIdFlfIGKo~4G2g$YLt{JZS4~ibk_Pbk-b))l z%!P+i4F6&Z$DX!ODwWt?J?yA1bM2vC8`}P*n_U$4on=)BB)S{>46S#kT^$(G0N0)R2n~((iOdC^ zOwY!Cjma(SgXgx~k;Ou{7E1D{DfpU0ZbKpCaS+GlVjDo1eWiNorpNUfqZh=`DiAO58i|ypp1X!JRWgnpiVPQI))w{ zk3In&`fd0G-Shm2WbkwQ{4J1bN1^~4KMsol4lNTuI2|J@S6 zF*qg@B9~C(ytwndW|_k^l|INQTtP|q*W=Tqv65}a=Agp5uzyqbH~5~GN@}wRgNz*; zpyHyh0XBd754pF1(C!^{gW3m-3~3U~emb6{AJR(y`T>q4P*bB~SOB5o2#5sAME=%T z{R&Ti=2noVTA%Bm3DZ>+g=L!SgRa*k)VYvg1GRB(@=Y%H#gw9W3`15P;4&o&`~~oKtk&?)e;)|wk`w(a>yX&yblhF1kXxL zNS(}wf+5-2z6vo2Z>%=L9Yp*2pys5sL~=eJKJV8+9o{9niL3tN_c`9|l#YotuiB*7 zXB8?*(}B@HQaMYBy`Wf04#^kg&E`I}f^UC%e+2krC*KITU)np=-?Bm8ltASW00OSk z)5^+f`Wei9JPGP^gO;tHw-KFWntD7Hau!TpVBWTIKmo=J={l8V;p=_J&(oB?G2P9><8rpjKm)FT<-u0yI2*~5U*q=h3A()ASRm_U zHsd?N@Owh%(pXAn>&Ez|L}o8B`_IKRYFU3vty(k3r|Zp-~|#>te_Fs~{{y zn(gPE(W0h#rUdmE%$I9*7faWwQhMyZbOEaeT+cY6OU(Xpralt%b(D+_N&YH84ZW8e z?q={Eb;`N>7{KNvC2|EuoKzVm)^d64$~T4ykD5t_FGn)6IjjTYH&Dl!*OPoLw1SN8gpMzH=Z!(qDhn-wRL;cdy7N{v%ab1iaW<@31N#WHop7?Uw3 zJ_31~^rNJ8tGiYFd&Q9{+64Ba9*4b1Pgg%@);NZLWq(B6l@(ndx%H3-_k0b3%JY9> z;IDky;ToG2c`}W$qI^`!^9T4jbN!QTLlv<^Y8@}<6E89SWQ1HN^<{DWIrG7?12!Ck zXhuLv>|EA4VeR*>S(bjS$jF+K6azmvk3 
zDAZ^vHELR<1KZM~9?GgbgcwKcg@s5IWyF1z@K@zkJ=(Z*dgS`G?0?Y5=O8k)6t;*# zMVeoTgA%oFLop#qZ2?K+?mJ{UP%ITyDXNsVBkz+6_Ie^PEX{-~Q7USvxHXri8qSmx z)m`-6p}!vVisLF7w3lS&41TODx+0v+nrQtzO1eWsabejhArWct(n*KU>vexIvX<#mKuXD5 z9=khxCoUL`T2HXqpdPc~FiG=f1=T|RoviB{TX!vde6>EUFulnCFyW1n1?j#}IN6Ne#G=vQ{HP-F>8JlPVt-0z@R&OLzD&d=w zY+2L5>&=j|-6TzX^Y44lbF);c59vGX^3pxofEEdF0YT!sE%8RWi%S|+yt`h5H;#sm zY>Q=6e3zA#mN6O5$Y5_5W}Ak!5?UF|n&m$VNS6;LpEP*e>bA{~G=g1{6OnN>NQ|2c zle@NMr2S;LDg6l9Nq;|`weVBdS6%yiz{BW_!}Q(8(UYvyi+RwtN?Mn)?6JW8bALe7IQiG- ziH;4YIl8&ip!$!^bvf!N6C9}SErHO2UE%*%J+Y(7x)ps9}LWqBQ1R7@erLY{a1eef2O2NBjJ7j?!)tqP_n9Quw%BI zCJ0qDu!*PaDLc3BSIbVP$u%uyiUXV|BzcK$$iKrm=)Y3ge%mb5m2I-qer}K%&Ypp0 zW0K*}uc-1)XQ+JTRvqqA%lOEpmEwHjngFj8LeMnXnuapvJip^me(&t{(x0N6;|f4q zffr~MI$s0w&N-mPgL@-%0|`TwPVUBnIKO)~aFrE3mAo2BytPzuK7E6G6BvAz8|gQB ztHX`~Jq)eE^PZ0UG($1pqTy0SMluA8ds&K;arbolf*-)@m+6;?$ZoBV{_QtQna(C- z^^^PHOMN=}>DR-HrKT37dKXR}ICsDOOK3CavF= z>xB|%ogNBnu9wTCaD2V)4}eRcbW^tzFskgKd+nEYec&!X>!PtugPRPM+1M2B`*s*a z{qTw!_ml?)5A?I-$>N{;97$BiS{!{UI(F__r4Q@B3_va4VOLt;@p#E`zdZ6n*K7}_ zitX4qd<*KWf`^xuJ3_li%;0WZ$FelVq@Rkhv@kt9OXQj$X0pc%A0K89`?w*c|Kw{P z{H_y?BcF;$ZKKce{oOzCkLhD7r;on@lW^a)+?4>}GwJ8KxOap&s$vJK@GREasx;O{ zg87&!TKzL=V9Y%KAAXcdQNpIUZs8%;6w9Vq!Nl|H*)0<6?IJ-()~Wq0GHxg{Ew!J8uXY;}h{zR>&?6%r!U_W0+Ef1d&3h-4gcAxfIO_Q!F9neXIfv&Dq# zA5QVovf##jbrqPIu%v-J1(JtpFVnh|RNK&Tq{AMg1?|D&b@&36m81Alp{iAD>xx*r&%NZ6lh?`W z*(_PqY$zqeZHmj1MUq3x+K79GIk8sO5kpgTO!caYq6olTVz&-LEj4hY&wIsjaBZ;6 z9cQk;;S`N3#rz|Yhk2AcwBO#H(iweRes$laQBrgdJUW4s%P~}`vXRG+Ws9|#dFNjB zPe5>ehkn-f-l!{{c~wMa!hHP2hu`MUWruFiu#LPQV-& z4s|zzbve&arLm=Tr`Z&wA{G6rp_1Wz?2mJ=xV;A(=}NWEKGrE$ZHvL=jErJPNj@Sf z2y63tvdr1jhl7ig2d{Cxr#$GTV;_`z{ON8<#q`h&Y~{xEjU^&8O}%51#NbH z;Xx@$Z7(Zk5U=a`s5NAC&@Y6Y-R4z*y?nQ~--JPbCm+;Wj(Dn0jcy!w-oE1J+C@KT zG$(87{m~;v3Hi6Wvd-a3Ny`Z$07XE)WX(3$wx%!#)jBUm4D#8)bL%!tBGY;D* zzbC%7H2Vlj*OT9|_0TgcbUkf-MSV)?Xs`Q(_EFL+72(Oas+OWMU897%QpcqovEAn- zDZg@HBD$4O(-osQAHOZ;rAlj?zqBMmI56JJ)w<%2OH}Yj_-Ng?J`|SHS>(YFa=P3O 
znPP9-c{Z02-z|?@Zfiuw+bdpG3^Zn$hqWs_s426$45o!6%UBx*lXM+# z9hrA|s<@=6Z=i>~i7=O9R#Z*ep`j*CA=q+$z|t{!NII&H4WSxeZRq(aEzTLpEOF4fl5^?gcJXjW?1~nhYF?wAFA9(h0yvSM z(08p>(35OBLO;o|A#cvy;nX&ulkJWP?`r9YI;jD{P)wvv6C;Wb+1uh7+mJnBP@S!8 z%gj2xn$Y_(yQ&fkRTpz4pJ+38(dMc-C4saD40ef0LaLl&jk1!a9QVDt!^Yb&y-L2R zM>9Wn#$t-eN`)H$-M*+B*E*H@oe#H`d=+xtKDgWm_p+3N)C3+AqbEa= zrnBI%B)8%OPz7Ujv=8%hgILVbPbs|6TZ{z^7Gg&3s^k%noJK%$vc|g`mCA-=OS$PE zZ!2vRFt?GJlI*4UL{>NDmqS@@b6P=gSr;P9DJedXjb>l>oLuYIt%j36fq38-4pvV1 zHU%w2o}t#0tvZ%jMFWZLL5Kp#@an=9%FAxpi!cX^aj+HRRciOn zmzu>m7>~{bXJB_$ZIH)auo{lXXw3P=pHl8>81Gal5uvOE^cS&YexNlSZmcZ>2n)5g zeqsb$4a38k(_s&dmn@a_$&y5GkP>A>;a{sCskN#SGfTBRNV3_VvVT3t?Ld@ivA2HH2k1P$?lj+C z9PAVWUWcy~ZC`{d>R(qAkZ;u=?`*w6cGt85wHj7%@44S*7UlINc52nvS;PS=s9=ysvA`})e`NP#enlb;rUPn`672nC>4p~PB)|; z^uU-J!5>b1_oJ!!#tfrFvJmAXCU6_n+sVGOW%r5%oU*EYZR_rkeEsy>>RvB{vq{j0 zX8_$zvdNEZiy)+|IsE#x1mv6KmpbF|b+JQ=sgEB(j!;Qn#Ka(a;hY`ZEqv9t=`_p>UTCuoZUE8Dx537h2}zxnBiIv{#i35As3qARlxWW~Ev*XoUfe`my$NR*9Y=X3i0(V$Z6Q zxQAuzxdgW;P8bYSE|q^U5vUHi2u5z4pE6jB{3ivI~N;d1jo0;LryI56YjcRW^Ih>sFG`FTXD%?a=M<6hxsmbh$)AYpyu5#-P z8S%TZ;s^x&snmQ)k!6L2CKuCrA2l@1E_MAzdIhnel8d}JLjS!G^pITQvwC8p%A1Ue zOIU(iS}Q@_wNUAod!Aht=|@9T$|H6kE6$Kq3E|0MQbqs3_^ojuSBC(Zu+(BPy+63H zQ%$%ZzS2pUW^XbRlp`{@DEu}67gO2Ed158OL_o-Vus5Qk|b@5}DWIz@U z)vXNVm}7#XCnu*jeqh7h&;jP>|KkZaTN9WO&vCg>rnX1;`f{~`A9(NVhr5@oH zH9%g-b>zdhf1IJiWwrMs&wJ!y+kSjqz#}@7y+o6yCvH!Js`nC}vX6ToEX~aBx$N+* zlbwv;?u|F!vHS;s#SU$4^b3K@dI_J?m!iHw`PV=4B%m1ubaIUP{v*%nB>7it8=HY& zw2h?J@pOVCw75Z98lnEw*+j`S+lf-USYZ~`hYeCzy#k^G#~yjf;pk&Xz9V}y#Je=A z;j^i==5vo0w|TyA!gqNhTAPCqE9Z4%wz)jxW4vV1qF&|h^5k`B!P+?!G`C=)9fSiA z-mUdGuQ=ue!}yVT5d-~c_;zHdzl|TGnRd{7Fs~R^=U4 z>6Pvo^)j{im;(?_FlAbo{eiM*xYp(KyxE!bB=%WuZtff^1a3ZcfbOGhOf`_@%7EeJ zX=knavd8p3NS$sQ{kDsQW%ANawT?U5-hq?!V#cAYHJ@ zK=f_Rs4CA&`(9=m_XK_C$McLQdb&PZG-(-}aTZwo*Vj_F)Z9;w*_PY1<&}0eFs5Qw zHQT{Sv)YWrzoqG{diNt%ZUH)HQz!UsEh>5_9vT_46X~0?hu49xZMRS19EnyY?N(KR zWMq=Ub3VR?{dBt`S4yoyI7_lboOYr)U*H_cf5JN#)MyLzbZi?~MQy4~sFF%qwsWip 
zRqM8}vpr8grc$%HJK&X;J@GS6NPO;Z(!${};`5yueb)8*0i9VomViyi>Ke_1tNB9^ zbr?SbHX=ftufc&~<-$n)mvGfX7eTZ=G(SF?{4}~9IHFN zM}3cQ713ON#!^#lv?lZdJ3b(L0&iInUC{NBkqS;>uD2q?L(gO2?u5h5Z{ZXj9*OMxRtTDD!~nFwcyyo76G9 z619G}HVTAowomms7w646PtC^t;bZ-LsEWHo0dr3YU5BB@jxfIR3;l>u#Knrj=U=15 zn2h1n7l+Z$(%3&;(>7&B434mA`rsbX-qMb+{k|63mOV)U>tlo4#MrJRBSp?TUwDOU zcb9v6FJ=8Kar0Pf{R6x&Lr^7tc|xxKv*^DM)2c`|+S$xBs(1Nlty2kkXo~@VVzC5C zfKApmw*pw-Qr;&qCHvADGb+d}+j(U%&XDXi=Hfe~U^j`JsTEQh=#~qdjH)cGUMz#a zT<}vfCBH)o=thfj9bjVyppO~TRLM}h@?PM`^LTOA#XtN48W=US_nY%$Q#bT(Y>@Ck zMgJ30y1Gv3@Hmp310Zxwz0aO%@9&<7^)nNGRsAAv)S>S<*%&zNmk+NM9G2*)^)~Rl z95ygB#KAZ@w39*lgN9_r#2suW#X)E&L|PtAb&s$TpjD~rZ=|3Qpr^4f-Pp~VEf5yX z=5?ZOr{uh4KpS4zI@!Q{BNFus*zKLS0X0dc;R~}~JEwga`tx@-1|Rz>wCm>Wa@B{= zGpZQa+^gI&Q`6;4Zhl>lMYH=srOt1NvCJm*KG~IXFc}anVdZpPSsPtuwI%%YE)(t# zdPbP8^IOlT_xlHvh`JlIP6ua{dz2Z(5W*s7qT|^4<*EqoQJSZgM5p#d(5DQRnLpQC z;o}A;GP5oT$4YvSU!`dX-f&8r)K-Z4uy>%04w#hsPdLBPRfr9KaL6(lM32y#Ai=LB;b z73pddoMSOlcCR%3v@$}YkX}UpJojtze5>8%Ut?B>G^EwF?2ieSCRg6>7o9~P$S4qE zH4hHp56#B3p6X(9JQi9LAdVwcK~%lP69su}V7B3?crNb<(*tA-lvmKU*|wn^Qx_(u z#Ov;}m^&DYATZ`emQWXHQo4_JJ-6_1ZPwe3EPey|C!LnuemD}$j!tf0Wn7G4U;3d2 zjpFL5Zdra4y8iaq#H-X@eZ5&+x7XaZATe0d7^a--iXHo`+5KK zj`5A>`^Pu~Jd4Fzb6)p#%{A9t_g?TZ4nI`odqox6C@;&+p?u#&Wbac17wrtT%qzAP znRW$Zg~H@;F6npt1gYv^$n5{Zzmi#Y957L4w_6-cr2XG@dqZc%G5cV7^=`%&q2h+m`^p^Bt-e^~v2 zLWXL=dmW9Z&A{JKGdB(&on>KOWLEJ2qm@!+aks#J7Ew>OAY|(HW;P-Ynd-kWnfPY& zInfsusq(x~FQ53IywHUQ>88P-Ry;9`X{2onq%&jI?vKM8&JK-s)bzO@~WA6RoDQYuFn5{gdr#~4nLG8akJ0=*L(XgoKz*o7Jovo9fn|pR)w=-aZ zD2cRIoH^`;{UtRWChca5^h*socSm!d?DWz*F$zmUFGe??KiZJEezPbkkFqQQ#V_Tc z2TaxyHqh=Vqv@B9eu2_Yrdeev#n8P?pOc28=uJ4o>2s! 
zV!U9carr1TTB#W3kUg*N$h> zux+b%;WmphOhf!92HM-jJt+L{ZoCe~lrHG}^homPF>&KEc{i2ucpCsIb98;kBgt8= z%~3Ogd!y9d0nhZhVi|RwlgC6_3ttUkxg#vmHDo4)-%=n|lH$w89Zp|Ik10I;vF`IH z$M>_h(lEZ8`N|-w;@qiZLoF`}^CKL-AZ0_O{1OQ0)s4xp1zxw8QfT*OJtwhs{L$LnL3*J>hsxu>`5x7;;xVPKXEp$=2!+IOn zc%!6-lCWVBqDn2f!IH?`w<=PGF}6z3#p$3y2ML_@zR7=H9+DA}V|%7*Q`Ha$R^Z5G z(@^6xY%#CpaHF)UWB9s$%kMlh6P|HxaWW$U&S2E(ko7eZ$R0{FqQAWJO_=`5VeZ=8 zVNEefDvH<~(^}nF>#pLP=ApeUCZ5=z>i+&iOPe>F{Jd0%wrPVr&9mha2{yI!YEq(j zuc)M9u1!2q`lqDFeIAJAik-P)9wRZu5QTtcaerZLEl9S+?r$043t`$&wzafvl7EG& z3bhPT$>{YbR&ETj^Xm=VxcUxWIb=@2U_hBxJcnS)eq>OZi z4c^ZP^?8YcF-nL=1QtoZU4D1wg88ym|NSUm*;RaLTnC`I%IA66BZqDY zWPiNCghvuH{niY}JvwMs&$Ui(gvQE^zgs>I!t=1bP4o`Z!pKzGCwZSkI-_q%9`Pe? zF-ZBWs0z5*91d4rHAJqL`MePnu+65Z+A~yNblIM*`nVg1j70AB1Y`$L@UvJ2-@u$( z(sXv(-3Zxe;I^z+Yl?mp&52`=D1u#D2@RWC)<0HzTGoQpc($ax) zbM&%FYcyC#a&gp~{OS=U&+uh*Vtac2rh~JyT{ziLiEf}uIf6?q7WgY}B@!1Ps8W~nBzcVE)!BO$CLOuR9T@Yh zNEvB#%2+1#Orxc!Azx0;-dGN?k!P5n^-q7`&qzzvuVVF2{177hoyqx!ri=|mr+~F# z=BY12F}PfapB7mv)H9uAO3r1<8}GxlMUkXD9l}o%NR(WyhKkI&NTq;J5t}XU2MAwC zl+s$s-;^Z1#>`S~g&(YGsnMYR^VGMv(Tp%A!9Z&l`>+fmZtx^-e;QYXh3iR@Lzul+ zr!KJR+gri!y^iO^SmjH|AYJM@(c5m`%W!Ti0&gB>9{C$NeL}rRLRSltHObq`xPY8pI@#+4*TJK0$83*Y>jxgz$_N*+_0tq0%Y z(uZfLkJN;A5R-V^=iSHULS`3iA;o=>NFCL^mE~oRtApEF%DZb$ zShYNbaNT5cHGMKqW3p|Fx0+!v9>(^Gzjhm;8#SW{EEx^%&>a5^PP2#Uw*6W++ie@h z0!`LO#`Z295kLc?df??^dC=H@g>(KQCyuK#PsWrI@y9h5@r4UbU941IG4x@~5$CSv z7Eek1Y-0)2dfivr8B$_0mO32wRiCxWNJNy|u2|VB)gmdNyfmM;PiL zP@$4cJS?Lb*S32jLH7IF89BtgdUH19Z9_!AXH@}mj-pbsqM71gP_TqZiJc<#Yu<9Q z`m3+l(R{RyuU+%;;Iuynw5Zd>W!eob0!D#LFLwx-FSDzdTSd%PuF$ovW7Z=}<&8Wf zbq5`KRT-X|B60JTwx?&+*22ltTjeYz zW8sk``X!$=#?7Wl47M*!YUFY6zH~M0Uka*_xOx@!I9d9TevBEWh^mbm^4XT1gOx3{ zUCwfqvMd)T_;9QqZPdX;QNuz^-Gy7$$U@p12yDO;uYB=V_w zobx?!J2G;%cqxA)9FjJVB^+J<T)=XB5PyjbGJXn>E(cd6*4 zU%#d%=|C1udEqDn>1mg%-HVd11?{VF(evruY5C9-VXvK@c_5-QT72PtAu7m z$Rh<`xz2~%!5G09?^0Nv5zA!LRVf{=JfY4i)PP~H|Ywd7D8ACSFb9@0s>4!?6LY z8+#$;6}gSZ1EQh~ygPvtc!D?#m}R}!(+77xk9_mA0d7`~F2Xo+nzmq16!AswweZ?~HK|vvjiF%`1WS7VVq^ 
zjc?28sBabRPuk)iM6EV(bC}lP>AMP6N<1e&Jjd9I9ZH|nILm%%k+gDaYr}IrAZ&^P zfhdWtpN1W%^2WYkdiKUMBY|)uqj!go3a6|U+3~s-N&pN=;&g}I}8*d zj7PI28`P?JjG(Mc$=Md(W1fj>I6)Q?OF9X^T$uHi7X;BE4h6iM;BfBd31ge}J zjjLSdG^-9gBQESUl+X?Sh>rCb+8;A@g~spWO2@7$1x<}tw_eZx$%vRGWblsPiWVW_ z)w*-5z5U<Id9B|k>PIbdr5Yf++%h;vsZLMAg!eYrly@eO>dcm~%NW(P)I7Fw zThr^ioHW+q*<74!V9h~6Nivn|yArG~vtaG&bejRE@RQ z@poX9t(Bf*Np8axFzg$a+v(9Vy*d*$E~KEBEBuUTCr`dfcfL6*E7xqJuhh8sZnt_~ z>tPkbnoBok-&9R!WbTd&4Yb9(Yzv<^<_gB=;^h3Zv-prK+i*!|{I!Fo#d~6xTcurJ z1jxRTeMni;ZqR3N(9&mMsKhNp;o#5zk!&cW&j6_UGo<=nuTk$(RVh%6YoogmV4a%b zeP&FAYoo+(uaGQ}k^G|vdsuP2Jp&2!9tWQSnJui6A!wE$ldV2v;_H;pg@v`DaasJg zr>3aSs{~u!j<(LVzuWoP&%Zt`xWZ_N(UO8p*j9($(j zl!SF*=!`b0A8^t7%`6L3ism)YJT2Tel65XtR35x*?)Ak zuiO-uC2ClFP=_z0G(qboNAbnQbD@3Q!g#-)lV4FlX#5l+I=%=bTbub)vC)ryNLI>|>ZJ%sYO&M2j#wl!x5`*IR*hy-7upwD=xU|L zA+TP>ZkyVwOyT3+7`*-1FHLXh(X)K*Qf%y1_H%W@A6zd&oVq3HxQs=3gx-mtt>X?ZEyvQWrP+Mvvs zeXc%J=f^pD=%kI&mwqx&b!Ae#-FiZ9qR%|~zjjOoYuc|uEw2s&zhmQ$rv^#p!f{>G zRx@E{cSsfsUEbZ3b7~TtoF<|S6e}TI9kv={=Ii`m(FkjCHuvqA?Y`7FPxIx{x?<{($QqcU6#T9#&wHeu-96K;l2^G?%}X0^ z41x5iY76-50fn=)zH6*wgHIt^r0jG}#e1)q1~)wr!=(o#gESmCV3kOmitc`JYv9Pf@p}F=6OtI#J%W$x+f%#ffWV||OJ>-?;O56Z5}07xNB#3$$@+l6 zg0JQR#diwzs%^XbcT3;r61?Us9%@-vZ7@}K-q|J`$Z?Lys$q-@J*(PUrlz`n&h`<( zD{v=jQ^^CX97*(}p@i^AzZ!G*Ot7Al9&@zBo8sN-Ub?q5P_3+dz! z7j-w;_<>GmeornVAp=Y<15ED8)ItYjX~0207uO`h0>U(GHo1m8Ug_l*@!aZF6E$_5-OePv?28J*^FF zA*pQe;2KeyGyLUmr2$aToLC!GJyfn?HxMbguS8;b-xb%&4v5n|$@5mTS?uHmch227$cz zVmv$(m{rhQ0WWN`6s99c2_Iv_aZMm_b>Mko!t_$+J)(4`C!W%5x~6r*9f$b$CTG?y zS~3{rIFj@!A+Lv6cW^nDneXSI>gKJr_-#U@cGok6V#&3O@Xqe)y2}E4dHuP^;aj4! 
zU3MBh7n~71R;O!DiN-$omGrR@!W%n(Og44`%UP7Sl1QvcaY+O?DgAB{gIe>4L2V9E5c;@C51A^2>P1q9OOsns2S#7F+z&_3IIpON<4&K76+<^nt z@Hpqk~wHoZvwy4XEV;0SvcPF;nteC zf`SFFNOEU;k$)zK5q+@y3%JIe^7{cgqC!<9TVy}l+m7ck(# z^{T|aX-J|Orj(MkgVOuWqIqVw)ndET z8{!WdsD?a9Sw}cSy;LzsNfG4Trw^2iTLLN)z88x2_~;DG?+woy(NYeHc)9-dJC`F- z#eWR5#Qz55awTsVT>s)69K;bN<8 z_f2gmcDufNN-CUSk+3wmrb(bq@dv5ryio^K5h|%QYj)8;Ic5E|yd;qpu6g$wrG_w3TGHeHzbfl})%s3d~$-*o@wF3_G{KatAA6TU=^qe59J1ZMwTU(CIHbm0; zncC*9Qevc{1zI;qZjGytdZWs5F>kqJ>1vmSM#TAKJ7_&!5p{}jumjfAJ=gEN8v5?Z zDZacc3wQ!>vEe4{;9#rruzOw|ohM9P%4V7%YPM~e0j5Mio!31`uOl#S>tEkNil*jy; ztk+rJ>X1+I!JW5E94=;1=MXjvo(sI<3B0tIGoZ8R-g+ADif#Vv_t8hNJT@biDTEO` znPN({1F8Ztt?N-ynDz1|Jv^27XG=w{7HqQ;F~MV$?}QMh+K6mrMzb~N3Ang8@(Lgi zcv+(L-hBwoy_NnYZ{2vx9{V|KeF;G%=U*ihk~c~NrROJ^({g=cF`eJrYt)Zdjmams z?0(g3#!Z^jZ=*@C?3b@oHSKkDt4(sXH0IVdtZCD7H7t{8Jlq#&%}=twnGYzMGMyso zY@k2{=sXNFotNJYuv}SfV5=A_YB;d9FZxTTx;iABl~y2DdZ;P?so(-5VuK(ZH=&hx zLw(R;KIQ5ugtt!h(Su%!QI%ANSxWW-uy40A=u~qK@!_`$QQwd+-P3l%+hx(WW?rfj zuTx3nV@dzf$lxV+*L88_Rvgt1@{13$a#re1VtFe3`Q>fj(8%YLIZO09ng}7=NpGrn zdm*?Hf=Ix4+Cjm&u9=uOBcY^5_xb1;}ippKesM`@@aBSq#0>?b3XPbAY6`ig?|MUm&(r6b4998^zf zz${OJ+q04ihOr9tg6SW|;}Y=jHrF1^xb4=e7t#@U zPjZhBl8R%R_U77XN;AHwx(9=7SnEvzm^VVrm|_Pw!(^lKo>Hl4-oh`|K=d;`PBrhM zIa*{P%D$yIrv9Z*f$|-Oqh8kpaFS6ufv7^NZO(7)09DuY+r0VQ>tv*j+guLa2Un5y zeY0P<897UpGZ(C4%q)~^gz(nC$IeTp_i$rPk~2_DUN6t9>=9lJy~j%_YuVHLx#5*r zO7+OCLg3U($PjYQ^PLH7i~AO|T!M}sRTqKiPINALeI=3P-4ptD=^EsrdVDkVg7M|T znymVn9Ubj$CzrgS?#+zc%O(UKI{T)jORDA6)QM1TpRxqj*oj$tPICDc&AF?rruC>-Q)VZL9=2#58->3L%kXcg}EE4n?iRl zB$kh>R;}g-2lLP^bd3+Z*r;#}XV>_Vtx|dM>idnRt~w#7Tr=e;DT(i9FFOR*Z*yVq zXfR(1v+J*^irQGN)@KU&;wPydYI77ZS?aqQ~)f8dUS=BA>QW*C%^Tca0&GqBP4o;go_Jj`>rzUyq52 z-zu^0iYQmZm24oV_8ex#>3C>b%o9WR{;p-rp81^AXX#1Efd{s|N zeMu!n?wHB1QLn<{B8#nGG15?&6(?eg+3W!dw8H>+K}-FK#cuM#M8KkHf}pd5Gtcgn z?UnivM3C8c2`iq~ZUekz0Up)+W(7=$MZWZP!UpkDSIZ@T|Ebq!EHC*_cpPnhpBUy2 zwzuRC0%`ALTDITBFp&1LyDT7KK-F(-mgH{cM28Zy-9%)Y%&n4zxw@YQ{tt_LFur6o 
z#h1C6)U-b#P={710q2v`{AA|>@^?SFIKZ7<9Cxi>wixZ_BWrey@AU5`LH$`YDYf;w zX+0Bcxs`3W>cbp#dZk>c3bo|e>(M>zvX_0s?4ONY84{iyQI3|!lL(nE?+@dbPYO~0(eRq( zuJg5W%23vPt1!tL&1s&@*XCafTY^R2dzf~ejoSG1wZZif_Y$8>7O74}MN1BSg#VbZ zQnu{<%Tr@n8wS3ki zl$lB9b4uKaAbp4>wf>x?Qi(d#x$kR%+--NeJB(!?`g8m+LuOt$RWv<(I_J8w*k!7OP9a7pDS#A3P=$>;?Xu+zSL)w<@bN8DLbr9Z!TWw#zyyX|sZ{{dPTh zq^GNj4|t!Cd?k5obE+XZe~#wmMvIfL-y2KTdEMmow=+iG+D%vWJKe^smVYSNNXg~C z${Tri(fC^VjFnj_H%zOZrY#w`4w5uk(3p=(l+>v>zNTv>H6^_2abXHsHisat45^vd z*$cEAU#ppRI3~K?xIgOd6IGY=l_ds!0@XJAoGU5F?{2I}!`2w^F(tgtA>dLXXTCR( z&A~g_F;U@Fs%!)Ywl3c(0rap6mZgjJ9HMSiH=*c+o6?AU~Xt4LPB=Rad zD&l!rG%*;^XHp2u&fziCk0~qN_S0tIDFt3}uV%hDkRVu0+D|i9aQW!i#AS(3mpMMm@kzQMTSr2}-%2!M z6tFH@vmIZiYj@~}FXwYRqyDhi1Y!HxB2!=f)GymVJthzi)*R7i2r?7@s!bNKplU1P z6@)M$zm+N)Qb3y_1fm{s-x{j@W8>VNP?eAz{;RY7BPI5Qfw z3^qChDg@*@SMzuJ-<7FJ6feys&Xy)z5o*fGz^ZZmZsXcULN%>>5o3PAtor;>YOx?K zQS4`{fP;UkTq5Erc> zc-lQy%C4f*+~PjQ{(!Rkwe(c*xiL$RPZ-D;mBqL>mSYu|(lpA*gF)v-=G1eCi+Ui5 z9Ol7l#YJg4<@jdvX0eNgd~XZ(DrYmhdAPfm`h8+Jml{^Z`h9=6ojKaX+6O92(0Q2x zzfo3wizQEsIFU%DYWoM_oRFpj@s#`RwWg=g+IHe3o7Q1=34Z#tS0Om^@N?`Wd*SIU zI;rvFPE|7IWVdtg>}9WdVz`bRi)PE{5lZ z)n$xSE<2TNI3`P(keiXqPmfG*mjYe{#ct%f_xB62#_PF@yA^~Gh7$j^Jhs;Je;uvM z%`Zz%Ew_}M0@r1|?62p0%~n$tFoPdMA&i&oyT)HKKTvyB$@~z=0^WTnV(59PIHe4; zrwMv<`g*Cj&9%2>eu9u-p*spuq?;=9RMb2JaT^(VZ$o%f{gS!$E;;ArvB#EPwooqCUgA7~=BGedDkXI=lEi^u8i`A^zN$;Q7|#8HRup2{-d$8SqHyDrWpdxJ zsUa%fxWJ}m_9c*aOjzMn&ik;v4T_mlYpE{z9)d`O>HNq#^7`x#xRrYuaq{_E27}Y= z;?>vNc$g4x_!y@5a=&Xp%Uk`2U|%0OutZ<|?c!!f$C=Tn&NHBk4(btCbDS-&DBl(7 zjwQM=8g4273SYh6mdwS+bUpc$OUb)H@AEU~PIqk)$5t1FVUJEDn)ox6#oxg1rp`9M zWuy7ForOPnCU=~DfrURprMo3+yFK)Nn(jf)E_UQS_jKOXgfrS*v)-xPCxxsA zC{^#d9{liEndyebzu4Azt6X!2I=8hiSZ76-*u4PyS?l*F3W^Dtz6w_Id<8#IFxV8L zbui0Sb#aS*hbnybov+CA+mCPGd`alU-H;}oDl*KI_W--#`eq;rG`A_(eY21~rZDk4 z@jCb1#dpI8Bk_xM?%H~D4=Z53-3HAieTF+q{G6+~*#ghahtvJf8HtX2`ru}7Eh=u6VuSaQOoQ?AOT{;wP( zuSm_BEs{o$U0%v!uKTZ(PYQ^I>b6XTHe}Q;cmE;9V*GyX`;07B5CAypqx+O2kvCt 
zhx*GVmS;rU3LbCb@oCOwzPb2ZO~Ex{V>C%#v2BUeZ680zz3nmi8PEF*OUaS5BmD9PMnOvzWd0ce?PLLu) zu2BP=_(rR{eCt{mW2CQ<8rDqRd7Czw0Mj;kOo!Y1;bs}W3iwG{kHRJGitkg$lf6-% zdHg*8&FX%6+r_Y(LzM|ppJVs{YdXh;guR&oZng}G2>#ugVF_~%(w zlgO_^zFM&!-j%6xt8$Eber-)dd45`)g4yiD+G=z66Q)U3j2M$~iTMM}N9%Vs$0wK7 z3Aj+FnlTNSu?^hD+TLD&4O18D=)*`TYRr8teJIoCUw^aMX@wZ?UWQc3*prVHU>;=w ztz$wGQDTZ`nv2@T;0zUpD<*piyFysENQ=3K_pa zwClS|FT36uRNC zjfE<*Gv;InEbr+c9AtlVIxL*?Ed0Ht-iLqN(4~2>P1fnc|7DM?6RBQv2KeVzKcBc< zX86{0@!(ZMj8QH2D?C^ zbGybV&lFRbxF1omgcmO=%xiqA0~)<(8E%eBk3-T6wff^mb(PQg$;x^=SuigC*!Glv zSGyl5P%Lfc#eI~}YTU!VB%?^_fEYR7t>XrK9lp!><2+|=7DoIYy&wbpVkrH9@bg97 z*-yebaH9jNsMFW@KR;QwH^=8I5{hc&(S01!KaOo~y0@#>P#CgoLfZCpL8Oa=U*A5C zi@uXmI9ea(N~Bt#9K7u`#rwSg@%i&O$y}Zmp+(qxi^Es+0zCKe{1>GaN6Vbb)?3*) zWc4>gNTgG^_^~Dn?EM?e7`$|x-G6Z;W8%sWrZhTs#29f-|;Z77pib#U^yRnV2 zckWM9F&Pcg-incC*wlex+MwcdX$85=yKYB>T1fPtl3fkM9V`RwG zU`fg%Q0oMXXIQ(%9eMp%0`Aw8E-X*Wa4GD2u8X~c36SNDA!~8hjk-tHd0QT@muei8*(Hsw-Iaai z7|u*NdQU{IxmCNJr`pC3oA63k@+X{YflT?*r0qD?Z0GtP{SX^u3NRab1bjH32=z$_ z+Dp%9Up>?b4*Awwqm`pZ)Tj6j+P>t0C)51_cukzsWS@D#-^tVJ0_k<^queq0+XJBg zj|y8}@Ab!@Y`MKde4TdQ@$Zc%6+|g#YvEQadVb$t+iZ`PD>b9dGWv_re@oXiwYhL{ zL$7aXJLMS+e?uYPmUq-PCe`fRGaW}pCG7jX=*t-z%1#lUVqp~Zzrx`F>d7?Gg}HOrtjq8@3NE5M`Q>&KxSJ% z1@Jbk?7!&Ev>M4#Gau{ri4JzMC>_QOusS_-PSoM(d~u|?;6UZitQpFX0a6CZ=a1g1!mG@}0c z+Tp3P$E8>g?x(COm_%zk?d?UC-|KYBnyJ?^H(0+4ZxY)`n_-c1eaPn~BxSz%3&;99 zUDfAV*F>%V#e2YYOb3wo(UD^QL-d?HtFD{1piWDUcQu9xsE|~ z&V1OQk@t#=v-3eikH$gji?V~Iy}dS!2g`T5A(F%$D+4UF$Q{?u+Z0Xe)tH9?XpKAi zG3CpSY&XIS8U&joIp*A@!#M%m8~!1Fo}pS(ybW{)!4JhYi>1uCZyrfKSOc3@Qc=5o zm}h$Nnq09Bn+or`yhz*bI$fFGSWeY^QX@hb`I3py!RHw_*N4l+qG zlU3r-C|*Zj7uswcMVpXK^5J={jNJs^l@5^sTxh7Vsc?y5L@Sez#zmyZ0++Od=s;Qu zRyL&$p2(9gnXlLcTKPxlnsBQ=;u;2*2}x9=K53q0R*)$4E=tuql(gk4t+7#z<0iKv z&Riz-f)T?@s>L6rnTQLQ=7C<+zdT?XRM2i~4;n*O#YL%B^g9f8&D6oT;987CQ=zZ; znV@H&mpeI=4m6xFQWbETNkkD(s3~FMYibJOZjxW$>2s*jUD-RGAH`>bLzZ!+jxr~>GHIGUVl(D zyBo{b|CZ=h65G)YFrB^aNz3A1gV5weW z*&1SVc|Ze()d+D~sUGKZll3{gTx0S>dP_~n4Y+M<4OHZImIe+vo5{6$1!)5xoGmMX 
zg|Of@9DGGJXVdFubCSXGoNA9lT>V}LP9`e4(mUe>)v!-iniv3*)L{cL>T8Gscg1XqDo^%z?m)CE5sqhPq1WfxxG3K zd=+{@d&%Gdtl-zHYHoqgA6TXB5{l4^Tod6DIWIyZ67t|3=E#RU;OnLSM?#VK_>dP2QZ-&;On8eo{qoF4F}AfB06C%dE9SvM^0Zv znHze`s^Ba>hC$D<&f)m+ZCICXxdHa-Jvb^CN~U-tAVK^t{{YR4{idQiSw`uDf?%&Z zH@l^7qV5F=f7~fWmgs!KT*gWsWk**O3XE}wXVt79ZpHD4J>AAkxSW8KK$>tSfgnNr z<`*~Rfk0sF2T*S@LT&2{@u>SaFz;H|f1besxcw(yxx8b~fF9su$mKnI_!gjB&1pA_hU z@?KH@@K%)Y$MUGgV{}R9AdtOPJLBj2{o3D8dRZo6M3e6Xf+v)T=Ro;qIgXw~olQL00S z5{Tmol)%OlC;>R0L2ww0P{j!pLMIN>l)bjPw@emgUErJt_5&G-GxSo22K!j z5lVo1G3Fouzb=9KPjFHJ(#SyhdRXO)|A@&i6|)Qw>>ns;J@5ivY61imBlHgQDCq=I zf}ul+4;@Ni;|Y|=LClY%1U8;P>5xk`fakxigaJ{)Lx++lI+Vc1KS_sTCOFy&X@ZR> zq^X6DbYSCg(t*gGAl(T#LCg@CI1hk_M ziV09L`|kt?M2P|&N&)Cl0vk`D)PN2pu< zF_hdeZ|-E^17flPf~eacC=r6O|2UU0(QyfE{D(9_E}a80KaLXEcmgF9mm*I6=8`TL z=Fgx*=`=c&z{ca!JRI#<07Eq%4`7mip&=cr@i^&F$Q_sF2{=K_4@rjt;BV5Qg%ezf z6;Zw(p6R!DxB-d-;^aS3V!bI8cLfxaG!R6OswW^yAO%lw2^jGtm%zpoD1i&X@h}fA zJ14_Dic6?`;n!VkK$r(3zzJ!h7J?HffvdxDX`)6uzG|WxPmm6sG*KzZ@l_KtWr1Cr8km0q?D>^{%IkxT zCrEb*9qGWv6Ql!?J3+eRaH8_LL(+l1{y{o)a31Csps&Aj3kkydNM6F@VIIimoD{tP zF+qWq`=}CuLJ3`%uSJIv*mwdZZ4mS0D1nV9P&(w2AHaxTw=aSj7#lj2h|!@0Hl7Gz z;AqD)FiEiSL;$NtM>??a1nEHJPDt}OoM1k8NIDb%e~=CxoQJsu=<8uZ`@*1FNM4`d zI7-TYU-0{Y9g zmlKS!CdfR#;~2hp-rv<@jCGgX<0DQpaVST|Gv%h7m(LTWK6G<%bR<2Vm-Q>8?{XkM zG`8~|V64*#V@KOSW4A>?V^3-SGWH>0?0N0u#-`l|ja|P18Y}Ge%h)%7u_|6CjKymK zjr9VJrJ?*~?4537ENjXW#%kOFjb)PqjrBV+RtPZG|Aet;IzVGFAA!aS9UAK)MW!xl zK}?33_vaJy%cIwg(--NxoEM{=D0OpyBjdU9Lypd*QvY#QUIN`?(25)m5TjinbqyFO zQVX|5GHQl5sOG2G+hfpPBWu#KqHeVDY3I}fzQ6Ridxyg~ZB`7DKz08Z4}hOHiAAv= z4)dEb=!`9(PoU!Q^FP-o4LAmTS2?7N_2FD{9(p*<*A!VZbd~P{NckPQ00o``JK)M8 zWxiWed$tGOkhm7g#;C9SIVVW#JAl;D+`v=#0=RNW8HJueQW4SDjC#uTIni3@Ys5XC z0FM>;Ip{*6Jn$5N@4xu{pNxGZ(*Ldk0b@bjmDyMS>i z^8f_z1P_7$)+V5a>5KhEaCF9^plt>qoj(pOIM+#NK^IO!3v%rrr2Rej2_Ar4JIMpk zg%dnDfh@{c-9&)eP2eyaIR77TQKQ&^GFcxL4?Lv!)kRnS7ZPJb2Q6xV6B27cD={5( z5+g^;gF}gd!~7w!lg5J3+M$&gIM+#NK^IOy8*rSoC}>f0ALjudS{{HdoZta^V-F<; 
z4)dqP(8BdgVxY;tCDvn29e3Q?|12>9w9tYBoRHWyT8TM=cAk(J2Ra@cN(>z4Pl=r{ z76ok^I*EaEos<~p!bxb+N(?pk35n^Wr4JzR$pLz#Rev9s!; zSpQyPm(i|br~!^kOzsmpiP1kpC$ZCLd4Q4_YM4JHcG6f-V&~CG3^msYiJ@FL4sGIJ z$4LwF;BfBa5<7#I2cQclc!1v6Ly3XI{2?*)a2-kvW%7~4?sQovzCCX3f0o!ybkL#( zI3Y22v=V!OPGXn;hgA$5<`0RTG!_MIBRYwJbDfkJ=)y^8(Mk+8_i>5Q>!Onw%7qg= zIDsrG9-t(K8s-m)p@-{GVknc3Bu1q!>hr&l7}`|~HNXjp)uNS{Hadx2LdS!{L{SbL z<`0RTG!~SYFj|R$bDfkJx>YRE>o{pqJV4ETTw;`Hc>ua_f(Pi0J(L(Y%%2iN3)e4+ z{ke+W>9$S`2dv#iikA)C;?K(OAJY{6`M7HYS8;J_pf`(h|DJ7XWEn|X>+b1*xm3wJ z+IOVS#Ki{Am2GOYz!jxGlX&e%iFH@L<3`?HNg?9ANa8M4{aj1p?rc)muu{H>xH13N za(Z}rj#RJ7z;@ESze26QQ05=~R+F?vZ)=Oj7m`0mD9njwo3(bW)g&Xeoe~DvJ?5CsveOOLgeWZmHCY?B_%8 z01WNqUn*%uRQ42L7iTo5bx+^)0RZoR5*97eik`&%vMAT=^e6ssj`O zXj2LFPBE^w8EEA)woUW}{%5`Vf>uJ#qh3a%)aSzhS%?5!)bR3wCr)xp1-g_*ILTL1 znIF>ZdOt9Sx7r`%L5&6QrV@CNmGp?f;=@PtW*#)-pNe)ANk#S?bdf6`W&hzbv~&Q?_!As(EC>hCB{8ZGW&fdMK30Hc{DTz0Se_9;myVV> z(Efo#;!6Cx5vP;X%c!i6G1prDJfcGCiqJ`7Nu zQovK;Ip%XIJ$&C*=+W#vh|KkbdognOG*UP<{L(tRL?O zCOEQa=6{!!ZOwWDeIwaD+eB#ed^*a@3@a=$B)({!e+=@qS?R z*F#5tG(q?sIuZYNd#+imc-e_2g1F#4C(ggfwmSxtx>_?OiLrhi*a(D--t32CnR zezM~m;s3bYgZrj`)KGvT;<3Hd#;jD;_TK9LezV!8#b%AIZB;p+6kY(!W}9j3qF^~W zmrL1{W>rjbfS^D*AD>gXLv(B`(rj~OWobE?D-O9o>-lD4V0puGv_=rQ0z*zt2nr0j zAU6;T6ck}?rU*xSXBhC`c0kV}a-AtwU`P;A!B=r$J%rq4u?;Xq>}^fqH3uN7_JbNI zG^*w`$rqhr(EXLIk&)%)gN7o6ljUwO!fAE3=zyq-2^Zx(eN@-`id$a_-NV9^j90Y2Dk} zAzTLj_|?3o#?}hgTg1U$RGXmS{xouk|6pb3gC??aWh6kRY9ESRS{jhqo|GBd-!6)) z2$0DZ{OGdN(}VO64_e$0bLslo>~h9=R}onx8012SSm<^+wSe54-ac5J>Tx03gO!e1 zmrYtD7m?dj<~!+Cc8=S-Rol}Oi&Y1o5eIcTL5rWs5H-*p{&FWn=heB>m3-f4YXr*= zkV?CIlZaU7?X8vBfK$^ObV%jO{f6cq+=+GFn$^zak!j!>y}k2J`-II6GF9an*)G$z zfjp|P>fIOk2+=JKXyWirC~YXDxH=1f4^?#OPoAcX+(yC!lWd#ETI zNlPY}u~0W>&{)8W2UuogU8|WW1tmqXN3} zBg<*Yzr5H`b1;y|cHS4dGMeRNE~+sIXIW_UE!(Igvor6hET&>v=qIuruT$S0J?gx< zL}9uzN`9~^r7>8$H4N zgRhWsX8P&O~5=O}q z+fO7jUMIgh>Rk?dsmT{eBs1?zyE2;Uv@E2-_ZcaD^B+A-z#eV$zWOVpB~Htd8hk}8 zu}!{H8+9CZ%Y&7$TP(2yL~Y}Bmb;@7<9_Dg{;&a2r~ 
z9f{j?yX{p6{qB9C*$&i@>D!Z8*GSH4><{vY{!{le+RPHnHA47vuAOvu#H#6^Lp#-TA zN;p->%zHU#P%4BSP8BorULH!226+Id`Z)7m0UDIXJUT8mOs)#2%AL8P2$f5Ryo6Jg z%-m3dcBDh>;Z&bzZYV?LG9W&1s-~G6D$tG$NF;O_2$!5xAVg1b8*xVsbF-QC?axVw9B*PBV*-QI5fwsyB_ z_x9@k>EiW#`Xk?YHE-zdd9M<=w}EW`B>OvGTqW{M1KHn`Y#lzdD&(C8vb&S)AAE6D z$kz>IZztKhd}!5-yG!yLMDUGdaHn7N`DUt-@fyicPrn%ODc2y=Hj?3Oky9Iii%4HA_>>!vOB=~FPf0BKW*UfE7h)^#rW&H0DuOGW^DPCO zD#&zBb1VsuwNP|`H->aS(voOh04(zUPk>(ClmP|2{1Tliggk>1+XcMBfPW56*2Gob zJxZwo6@1QG)kh~WfSATuRUfx>}&B->?iO~F_orvEw!Tx$+g#axi+ z|A(O>pg^eF2~O7iSQI+=IbsmUE3gcBl8fT6MXFMZ;%3udTRBC-p@ASR_L$1Zsa#(t z>i{gId`q%=voHVIfd9`yA152)DkC3J8vnH+pjH9YPML!;$RhwVIB9`0bbmTt!MPfe z+z{M}j%^pf(D=VPVWF^qm7uN$)xZ}DSOa)^U=0-YK;u7w#{UmPD}Yk4)|fz6voa8? zHjuSu3v@m;!h>q63X=YhK&UIUpz^DMr2hw@=pfd#Y!E9XNSe}$Zl(clHO$Gnw~Wz76VeP(8g8DO{v8?S^sZ>3Ql4J9X;Na zfhxJ21sB452#4J04hrj$in{s zRL~S;?q~%xb`dnTl@nCb29Qi8NXE$;Bx4DZ(ZT`)BL_BuJA45r~4Il>Z1~K?I>r) z0gBL_{q1Bu$YcSm(5`v|g-+Vl*b1<4kIvRoiwCpVjTE-gy379{)*#4YBM1_{3aagY z#D~ZL@@F;;^7mg#kIDl5-5P@Y5d-~wzw8)Z#r9yjzMqN)IrI9@Uq*aO2E89cASNMD zh-Vg1i2o`S3j}Ta3W7p`pbY<@z93cvkf?SxNYt-O2L5>E6Nvji9?;`OuA^N|EVYPr zCIMu60iM9VUgQ5bC_x--|3(8}J{pn*$(j6VG#2X*aBRKVe>C>LktXgE^kw5e zfgaoPVk#LPSO2vy|62TfP!AudE!rdvY!`SZq5;aiQ~qli|FxW;_MiDJ$A4-5ACAO8 zX&C;y%>Va5nLv^MLV?nE{3`^u*|f)toL)4_%WI!&*11=!?nS1z`{U!&pWV0Mq>IhY zmo_Gpo6FhBChxcF+vC$Nch47ZPxqfcpZoqsdv$ibT)jVy5qEfT5oc!ph!T1{ShRiA zJ=gVmx;;34+J4_1Tio=xeQC@Z({pR?t zk0@9HMb`_kDASzp@scaM`Fec(^q}j#c|iP*peO?Yi2()%1`B2lfYtoK6d*7Z00WC2 z`vgV?>~*tZauDapDjB!0Yi_Car|Glk zf$9owr0l}bM6&ASt;^k6@Y4(yq@R(>CsBP&?(YZjYE%Od}+7!Xj z25GE|%}uJiM>emIst?xp@y$0+-I8Pl_Oe9zd1AR0tWqm^54&1lg;GZy!S{Dp@1#2| zj(0-_k8>@qG?ynv4zcSeZEd=b3*hvWj>r3E7o}Wq|seGNRW; zRwrjEqw)L8=G(9PtB1QT)0@o?#un(9?<1`q>PPjQ3*~shlDwj<*0*Y*vWv9VvKqg`&`%5{E z$yg07lyIAEnaVBjaMm%Fv|aQFF+}6&6Rop1t5?4nn>tuJQEm+uFoLI;S%h|d#i$K{ zD#ofE7ytWptMeCMvv!$iol@`UC+M!8eVK$u9Eskk3s`U46|H2gDrc#!E^od^HtT&> zb%Q*k4J$j+J|u%CB??X%q-eR6i)~`eY=lRJ-|O+t)+=FVk-<%~cxwCA&!G)0%lTpf 
zv~{CLwK*oQleRE)Q6AmgP}18k-N?E$IbB8&GWQz-oZ70k4J&_SSLx-ncXHK!!@F{= zpV0_jXA*W&y-Ze3q?kF-DXVh11MgP59DZYYRY~@##UkHFO#DzQ@wjtz-^+YFPwsb% zraPmil=%QW-;8(Qku6%*$K#>5)!_weyjKAj+n%;_>oih?j7M(gXs(~?QekOA11H?A zWoNKgqf`MMR2C8f3*$VNkFb9M_vlE^c(kQ3v2;ybrk>W4!neTLx)M2g-|e9SudgWA zWXeKd>_Ydq#rFnutL;(?r78{M@nnhy>nF0mOLC{K3<0$>`egRRe4ex_IuIZ0VBize zjCRm5g|0YWqDNqq$#x>ft;eXI7JD;Z{lq(s3k3n*KFF=&W{9aC8FxjEthOCBW+$>r z3sdRD=DcR%K9;Iu9D-CC*smHh;Mt$f62-l5JdIXMS)BpC21nuU4hA;k$Uzjys;*67 z<9PS;xKlJ;H3vaXiu5?wxv*15sWS!hr$_>7PqEpi&U8@m=mNF0)|SkT-3BzXawMli zJ_L&@67a~vt{0!z3A6CxyU(uPPy?+RLPS!%-a8|4uz$t7&Y`&Su z@!&5@?PmGdAT4ganJ94ZP&o{?jd=Er$__U!cSmNFHK^%o>G;3FTa%?*gAMAyxfbee z#j&LkD@16u8Ht1cvc#B%kjXjKm*$E7vg~?xyscaqT{CA z(MT$ewcmCrzAHY2O?BUd30`B7qnyw3Q5>H7mq;`CC-ObDlkbeq^1rxjxoZSA_WgI-V~8_rT6YraGu#DbFGnzo)X?;)^TW^ zSXPBMd66n-ol02*V6@qwwzj}G{Fd_Vy&D)whjL6n*GT^s(@z0V=uMw zm*5q-VI%j{EaK$*s)IpQ`)XtOS=kB&&d)b@)P3!a{mI-OBI{b&jur@%XsP)K<%;Yg{pSpxqsYyteaKRM3)O> z>94@v{%9e7vGAF8=VQN>RQ@0?{_o*j1jc4C-Vls4dQACh;pGd}8&AOB3l|7q3c{l( zuuiGrx>LhoBeW1*?m;w{3Sg-fQ~n8{opsk8KxFmG2V3w>JYUnXYq3x=HFd{L@xuh; zTey1ej%GEoD3DI)e>a1`dFm;!5eN`uxWY;Dd1TX_u-nqj!@AG_CN$~; z<~J@rPpjs5xsBOE)Bg{&fu@1b!W^CAKdeI}n-0qPMp} zMfp4jND??r%SVV$d>fBfh_H9D7j2Qcf~A#{!_V;_h}I(5 zxeourNZbX^HI(T{v>a9PGBEvc5Ywe)BFRsE`T96W;a%8jrnQ12LlI+ z15rc8-n^`zNBHJ@an%a%FJF<7_}ML;crxX2j2yOB!OJ{O7~vB*MkXFsLYz>4ZoBfg zdta(Cdqh(jN2k|?PwST{T5DEsnYMA_r-T5Ny)g7)*lx$0%f)MomKUs$r(c-~dpweEai2{ezSxc@ zk$-ADj|qSAqq4L!aQ=lJ=tKO?&EckIqVTs4e0U|KhkqADM!tN^ujVY#$#`)m(}CEs z+gAYvXqFj$O4Lh3NYmc|nvF~pYfRm(%)SX}n24gM5r(QZF|WqHuwn-=6Pq_iD2#u! 
zs7*DTpFhYkGSk8PzD=)52+4=cOW-%7HPA1jUN7-K0ftok!^47l;`z56HjT*!M@Jkm zF1;8rGTC>G8~f7p1Rv2~QlOM3$D-w7YTM!#HZW5v5fV z$ZRK+pzwh^d^WJu0+aRXcqIN>rb}na2hTSc!vVi z-3TgOyRS~Z!Z^a?;gG#Cr2LwH3`%NO@}t)`31%IHe(yCxJ+(@7hMV2xFr(0t@ERO(ej7ua$Ao=z1xRvcovrTQRT#D8=cY1r4g=g ztAyyqIFB@@t4tf8Lt{bt*1hqlE)*%5!P#(jI#s{24 z&h{eANQ|lM*Qnpm=*&7it+uyr#z#qR8>k!rfvpK$O-bek#i;yJ)tuE{iUb~g64kaW zR3*OX#K8*$h@Jz2c@JWp^N;L}GZ~0@NjK$?Bx#j#O}K+jO2#1azQe0_QI2%cKQW2l zWh=Ph>qud%Ddo1!&&39X0E7#sPNNNveXLxku8hCxOOO~5E~EpqYTUBMH>twYjGCs8 z#jW(~<~Q}Otz^?oMZ%p75ls*u>9x){X2yDy7%_QIWGwM~^oh0c!>E@!T@>7qI@0aw zAOQm^y4@x^r}X@{LL`ILhtz?*(re#STT#8}!g(gPi(TbYgHLh%ihzzD` za{CRFlv8~iJ0EL~Afp43CFY8xkn01e_>-mu9~>y!6Hk*)R)vjmkXDDb6|uFyF-4(t zbt@8aiV$WCeV|;t;*+OH(1C{!F{X%mQ_f5zopz4Se8DEG1xS#JnN7M>-U+tJlZF$5 z#*!bmLup$Hbbq-i3pMvTRKvAEi(%-FZfKWA*gJ}ae77EP_Q}~gbky!rmdvy31 z=}imAN$;pkWV^^x&oY=$6szZKahMs^Oj03EP><6n;sgAd`eGkzenhgxk8U-4WUL{DZ%;kck~y&@;1?Nacrb#F0M;sMQvA`jC03F~lQl#(@V< zcdYVw4Lc-=2xv`VRx&p7X&~kPvRP{VRb%Q{*J$AIE=_tkbWmJ@D9-4il5)PgH+_IO zpgQ?AJ+*+G(QEF+Eu%uDa#)m+lJ?i0#iz1KlVy2oY^?7X%!A)T^JVxgWsUVL&NGVe zDXmL-11MH~h-FAuzTjZQ`=)o}3BY(ZY&8uGy2yTEeb3G z_n`)ptm7~@;~WqYLTO`JOsOwRJJpgU{#tk{WCoOKmDn4oN=R(5x&5K*G=O(8cb+Zz z+EZ=o0v|H6H=8b=hJOp3G_GV;3B9BCK(x6om_N>|f@6jhioAfOoGNDvFJzjKdVLL9 z(&s(waimkb9-~jB$Xs#BrYnfazOxi4hhnzKU&@6B*IKR?t6WRBAQdi(&&c;@6I~`Z#Ew1%=6xiAFB2cnF+#_gk+O+s~otM)eHn-@18~zzChIlBy z@j#?d4=Jwu5mj6dECW*EQ@`+b<<|QSLWY~9Ro4|+^Aj)U9e(09qo~C4)vw7)}a%;_wEp-kd_lH6vGMi{tocEu<59pfZj4%{zBDR z_E?jCbF^@&OJ55Gc-veQ8H~ zg96BHU(9DMk}^nOB7LwEjBQNP}1`H^jbJL3iDc8{fd+OTH&RIU?cncrye#xIBQ`sq%5UeJJEI?A<2 z3Hv7j16w&`$6ppV&!P%2-3ovWR_HTBY!-<)#}UdZH~0<|pkyCzG;$dZ8-H$~GlGfYjXU|L&7eaTRn#STWuJZ{l58oOoTbLmW?xyq>QB;qMYD$IsnTbAG4h+E4 z!Qo&;tm2bWq2r61Nsh|+ctNmg|;S>?lhbF8$vUd=a@AosD z6Y;Kc8p-b0qlG8jj_*pJ^bvwar>j~M;vb(_YU*y6D<i)q)T- z!)ja{78iOM*NkOa3vyDkd_j0~Z^PQ2BbViDwjTZNO$Kw;@>w`6Duw6v&ZLEO6nXMp zIAPzi23Th`jiJu}p8qs5y&|JifFK8FF(OupQB4zriDke!QAa5gZxYecK+jmEa~v5W zr}RqSF{@#^ZT&6CxoT@nPCeM4D-q11+V&YR_gAz7ft+Jmz)2hC`Q9<{OO 
zTv9Wu-+rmZ?Nl7$h+;?Ug`^JD04f@!VePcuQb7<@%|$U{BQqMRVXCk5!kfc(#PK8E z7(&p>{NckcrG)br?VpoaaDN$;kRo0Hno}GRvZ-SBbH!e@qFRTDxWSw*nNbCPSw+Y$ z5VcS^vuKEaCzvbz$~n69iY-0c%}uo`Weo8%X51cQV=_L$z8$G(x)Po6D~?hoMe+qb zFGx6T7P-C<3I`K}#Vp`O`AH?bQcEUr`Cgo66|2<==4AI!> zm5b6cg0DP3+m1MriAmg{kPzWH0Q2WpIXb4lVKtw#SK_`01HUQWj|7@~eE(UDz{PjB zW8PsrquHyN`HLUym61^9D-Nx7bdOW!j;b|$jd@b9+JVvl?Fs{qg<4 zp-&3oLIJ_yxV(iDO?lAKzYr!&)1QpW>~>TnUX+WCcq_*7I^Dt5NJ1ONz z!ZHHe$n*di{pxTMQ1gzKq(7mE>)!hF5wiV~s?(pRrUk65DitpQ98LERIHjekzC3$i zXikD7bx?XX3aVXTkteH=wE(M%nP4LkU*dt$`VP-J#rzyLqH1#2<~f^I9CNwBj3Q~- zUD#eNB2;Ek*m}I_^cX52@~}Xbc$M}QwL}DWz>WWvdwy2Am9M2YULB`3g{SoR+@K@q za`{Jouj=<0ZHoKC3SXOYE0qm2z}sOGdz5Oy7*L0J37YnN)#` z)X9j(DQpeBQxz*|t7eN2&KrHlc2$B9g^`YBVh^+c^8<7{9ps_CRwiQ0ZQCdsIX4Kn zL}CP<^|}J|PJyr&sw?|k@<3X&3tZX-XEbRgr&6g3RjDjS?u3#r;MZi-Z{s(Wi2(uK z(UI*7aCb;_mvR1XBb*0`uxhc8(5y5oeUNGaCTBgbE{VheKk#}+!cS6y0nKr@~ z&RcKk!SAw;tVaipP-yff^@tml2!36ZYPsOcYNJSafaplPaEnN zBXoIrqUK`lN;lep!oczINHkLhjO~MQYl*L_Q63Zv)98k1YKy#L{F%Y^TczpC%284Wb`?Lp+oSUyP>)H1GejKs-<04I`` zMk>ROb#&Yek3L0{A@%f&O8%$&xQJdj~1NxPHA(U0?2JlEzukJM8au_3o8JZ9H)9SkQh!qr{Zg>qGv>urL@za1Ga zooST^=Z=u|NDjZ8KC5MxV#5%5k3OM1kug`wv%;ymBlr5+7AH)BxDk5%ZA{-jSHhHv zX(=Xo{kUCFQ={Gx{6{!B($qrrR{fak%2x$r{Wqn3yw6XqLaK}pGKNG~%!Sj&mRi8a z77YS$jpTc~v3ob&NpU_2QO_q@lJV!Gy+emn3GU(Y0M<|H<~{uT=n0Zt*@#W~1LG3i z?$81J>XuD{PtyV$1-%8GN1sEJ(UD$QLU>r}>q6QHsjbve*G_`NHFd4Pe}>x>-1L+? 
z!W>X?{B*tKtSc+T3*7;e85x#M!ViL9O49SD|5J$p);thFt(TR&g?=5F{wne%pOv!O zC-KWY`Yt}oHWsG~CpFP}!}UG$m?9*TqvOHxz5xnt%i*8ck5Ft$dRiDc`HDS$jVQfy*C zJ(`im@g*K}=BEaZ{R5bcr^;mCzK=}m9dp7Vks$cN7>l@1sj|b>*!0SX@9IB{#56Xhh}6qb<}6OX@UVk{ti8PTaN{U5ycaHt?E@C z{gSnlm4x$~9>z+f&|q{&NR#3kWRFkz*p>q>IZrtRvf71$w{egIp`Um^E@|RBlB%(G z$6VI3NR1|`;uCY8_KtUk{Pn)qYI39YNYzD%+jUjjDx&tZd5~t?@Aw*;JsE2{OM<`#RVe06LBK$L5H+I#L-Mb{394=diW~=04h3r*lH#W5 zJl7}JU?iUsSJkvb5p1(xEfxWpgh*Ep$-bfRa7JU7lp=E0S~#07hO%tGA0lF1^_aqu zen}?}NnsO*c1wP5Use#Z)gjzelEn=S&*8ksQI9E?sB))C>pXg-0QrxgAHzM zx{ZO6$7GQq&NGBtYMgZ}-oECXhXQ%pM@bqFz?IhVjwafdizz%x%myVq3B-nqy78r0>DlcY4ewJ1K;$WcEV`zAL`-M0rx|SG03K-* zVqlFzcumhDA2A!lh}W1R?k@)ibGePy9{Aq{kYxGLv!fE>R^V+VK_a>2${V7^O;WVw zToihR3k(`Rj7HBG0P|KQFFwXjKYlBt3|RXi)PV)T#5-UqCma1XznI2QtHj9E{GFmv z8o6fS&o|MU=&U9qrzX|ak-FhBY}#vLS5VVmRaF-2HZjR9HyqY2tU$nzwsES@`({X7KT3rV8_XB=KTv z-oE{9FJGl+(eO)0bOGa-wtUAK#g^2VhqB0TUWi8xuwOm8-x&Z57nb#(Y|q)&mDZH^ zAi^$v%sB-Ux-rK(7zRWP6hNa@W(@v$1saWZ~9pR-3d>lJU}lehiZ>rJbgyzXe2 zuJ_Z~;Hmd-8)x{3WrY^{MdCvY3$@gB)l>J<7n%2aE@8V~qdu~)>KdzX+V0kPtOKXN z^9Jwpp}$sn6Z8GSv9Qd#s9$;X(dSqg^0AIalW5&9uJ^nSS%@5rT^bR)+G;|?Y$|Dn z*R?zL3kh2-qp|(AaUaSWf78h4N}rn8;_D42>8n&*os@?%7O3R|r*$sYbz}JOE6>6H zW&3^`qC@wRk{jl{b))%J?u4L$izskWKjPTMs~_62pr^STUG{pht02D0l&MZV{x~W% z)$nF|ax%2UO+{BMAg*Wv_d!DHjdI6p}TNJu3p zn8x)COzZm!y(7RdbFXZpTScr7D1LgqL;h1)xb-%!BseFUdh&bszU@A00)Bxd%iTD5 z3TZmUR*-vl`!MUcXCm74NsXtRHX(xC7r*6P7v)3?l~u6`5vnWnB#{JJj}<9!TNcbL)fg3t27k+Vy*_p4o3f<( zw-us{jDU>l>FCIxDtp}q6p5aC62Yx)857K--9x;>8prysE;m?EXO^nCe0sM6Fm$h2 z6;W1p4@RXTX?Q$oa>k*)Y4$d;57T28EXgGN>j?P%ViD{kaF5APw9JQLZy%; z+jw;5NGf5b&-(-*mKV-FkT9H3TcfDC++_kE!?F^qhJ+y3X`L7IPNS9&xBE7i!wNt; zPR>?d5^59r`9lwWdg+(4ND*KOM=C4FzS6YL*~^s4MiJVe>}9xo-{7k_!7Js>>I=+x0~MYR`b}6eYftP& zPE`D_c8Wb%{K37)Bdc364EXr_zmA1dX?iwq)8a$J)f`*7^C_jf9<=4;W#-u(sA$lG z#o~)a(zbFCX%f~84fODbn!k@Mf4qEQIFy}G{a)7&r@Y98uwZDBKu>yfGLKOf9SzNS zZD}a`UMyj+uHn>If6k8XUSs8`8J?(&3w<3!1*ZP3!UX^07f0;ruA=6y$9tokFB%uyER(NPS<5TpU+{&@I+&}n#PXowjRk`ieXFc;f#-&GjN5`^YT!QXC 
z#VLX*_R4h1iCkegQKylPri@E3JY#Bq85-YM43(UtqLms1>f zMv7~?ZJmUf+-zKsw;pJ|WDhrm>}l6co>EzZRvb5#UTvAT7yL4)X*ZQX8M0*n;6sW{ zaM7urS@HTq!X}+5fJd7&t)u3!E}IsTwHmF1eszOdd9_sHq_5w3C?Ha*{Z(=gbwdj0db>;y zEVZ#Vmu}>gvd$GLe(B>PC;E;1QYp5sRITB8#scBDxVo+Vs|iW}jURk-Rg)Z4$>G=Gt?65dKQ;gMWHI7Q>5^<;kvT|QGUqS< zz{%=U)Z?G~boOEj1?I{+37lQFs*R^pVS_}cVyniHo1Q4=TV}Nke=qO3b`;s5@D%S; zjQ4PQ#S1gfGs^4PcQMPQM*SMqyNBN6e8!bUz)l|Bd}q!lP?Yge{|InvPTnS&KXNJ0 zJ>T$qK|gm@DPvCH7^2iz;PtGp4sS}vT@`|LIueauDJ;q>LD}a*)w_hD?^C;`!*|5r7vNM-oeF_}4LB zP>^aVGpGIO=8s2^$U#PZLlsrBTcR{e<=^Qt-RQR*&KcM}YHPt|U4gCsF=}i7*cBsuDrFWs3;sEFuRk&BdoC`FbHi>J}btek4HidN3Za|FuQQao(c@< zH6lvQ*G)sZD1)PirOmsGF&MfcicL*xE|opWW(_EJwUwEtNK{Jgvgq{)4t;r-|A6^3 zCCQT4R(6~@6oy-H{)Mh{^Km-62E|x85$CWhQerR~!5XxoCOhD(8lSJk&i0VE0~uRQ z0uN*4-L0k*myTQse`^}ECxa_LM=9Y8KA%m_sO2lH<+CIBQ4BpiKhux+J}&aM{eQO8P%26xmqF>i}Rbu5Jg3Iw4E5@c?0WiygnK^l^VzS zNzDkSJN@sVH7SjfjA)h~+Y6bEZA0~<;jH6UQNRUEKX+eq=dP$X>5B~~oIW?2mw4gn z4R$XfbNXUKIp-ejAH{{&;8Y29be<2Jv&@|GC(G(zK`Z+TJq|xFYbW|^HX}qwL%H9W z`GOLgpUP@IgJuq^0wd57c!iV|zN5RPhHUh2kj>$8-hSN|jgJZiPZ6>ebB2w-=UBy!$bR%@VGmFbD(J2}3g3c?rW415d6~r9IB% zE1x@upzSCOWh)kq7A6S+NVjziJ{v*C8-dBYo>H?4)M|-%3ed81%Z1oWUFJSJmT2J#tcJD=DMb$9Wk_25F6l zZ@>E|qBRA~F|sb@^ewYpz#9D=^WA-0G+nLDS^2MORQI?Khbn%s;`OTdBod6#g|s4} z`WmralIc`UA-WOq!h7^BWNZ5o^Zb&Mal+E##&eR(ekK!X<#=RiNvaPTuZ@jx7cE5r zJUu2wK_BO7r6S=J;m4Z_9+7EjzenXXzRILR8fvTY4*B?QHId-^5W{%HwnCjHxHq_# ziE0b}Hc=0=-4wOi@$R`KuBJ3wA#7wMFYIytwnxS9kYDlF8AeKwL4FVm9}lUV)3Z4&VlbteL+e|(Yi;`_`LvYm5y^_b;q%) z6yQ3f81?R6>fwr5aLj}QU*(|Er)d9PLJ8}^`TK+gBkqE=(X}?fR=uFS;VMy5mGb+~ z84||WfT8FKBp7y*)*QOplLr6K->Cu{EM!b=X6QJD&RuB37FPJZ^g2mOu_8l>A^7Iy z*1^r3bnWM~g?vw$E2~}K^^CU5nU^J9kzHi+S9(4GoM1wOqKDee-!3$|U;rt1@vt2% z#V4uABzwhvUJjh+7Ap1*>w)?zdgq~ylqL88l3V>#eAI;_u^{4aKO^(mqfQQ}#B*ej zDlXFrh78!7n|fqKmf`ZLl-%=xr_rck-EW_Mjd;PCWv6oXu_2xby+0=yTn=d(ORda> zBdXs|B?@LA2QPXI| zqF5*|i!L0)QX)33&ZDPe?EJqsma<&BCagkFZVk9n!@Vig7Qg>|>W`F}i<3TW)QH*; zYow&gWJkTkIg@Ti=4_-{Z!#-qmdo7{P2?{v{LL6m4!#i;b=e<|0#i`A;ZO)avcZzT 
zvsfrBB=Mkbl|Ov4ysx>1DE3DIfd3jdRS+4JL5oiJHGDP|_+O+@1~gCNX14uRp8RIc z&Er+^>=)F}7PWCc+_97>#Y?M9KWj(l)jOQ*D>u*cd5q;KFK`xJ}6HaoOeQ%fL%%ab1k(7Mb?MhHVSAwM}%uiH1Qt3W&wN4ER077qA2BoI_s%|AocO)VPL;P^`blX&m zbFl22C#!nwsgfTM6DJkA@6zOoLI6L1oa2sWMGFtakp(#%T7;+JeO6CH1YAmPoGZod zM&%qm!Qxx36o~0o4DS;)%=F?un{8m~MPXP^2M)!$J=G+m{z%ru|7NJyT7^V^CT_qj z`XE~+bF4Z`x!Bh9)9+9OKpKJ!Xu0+;>^>@RD&F8qn7aR=Nc=^rcTd71^ThsQi5Fug z51g#~!K${2N=jy6c- zDbC}S%~|jWP6JMLo=2=l$H#ZX?yh~aLn8pdpxk0bsYaOjM{}>7?z*@H?H$m4# zQM;;a!&RFATySO|(!MINn7TtLOsJ(|yn`d-VTNQKddkdseRLY&Axc~du9Oh4Tt8-I zujQ`sm{VprPR-Hccm#wj4 zYE5~W9W|C{@bzfYHMMH3M6r>+e2AhKSz2Ug$geP_x+n@abEvtlte(%@N3bwA3wS2R zep6Y1_$%|5V9$XEuO!T__v__lwhzsN zC&s3(^7z$RWO2g$C2C2E?k{=)6%&%ludtKOt!cy%VW;Qr5E#8b`KBc(^W`eK32tP8 z6HrQbwW0Q~taGqJhQY4soAbq#`d4|PFzaC%jSP?;-j`IOfL)0Y>MoJ2ozrJKEQDJv zl@VXwV;B|PvbF3qUM{_G!a2c#H!lBRHTs9`@1diH?OmzRu6Z*^sbSV|GNa%N2aF}F zTd#5R8Xiz|f;qj?ewI$Y`Zn?fV=s;03oApbL;0`QnlbJR) z^I|ZkMbJolDmPN#eI2?F;kZBk2%r`l@1D2%VNh z+#4#DsPPMpu-y>oH1Zal6ZS_H311{~4~OETrnC`lZ(EFf&=d+1)^hKK%7+>XJ2nti zYjuft8bvn^js(LvNEc!y2awaBTM|_;N zwLK71&aX-4_9&9P>~v-znUl`qPdQsK-)34tc_Eh;Y4`l?oiX zVCMS=;)}T&6zqb*_Z!5tSrLIvjx3zU)SN~DYmuE0$+jE-`TJl4VS z+F#8z`vU(+98sr;YuqCmm%U8P9Ot=a9HU_}`3kor?XWXlR8ju$91VRwIsX=fwvd!= z5cvSTO!FL*{G>!Ww`5V~`>vNdj3!YE$@|sB$q}PO5VMQnn|AI4Yyq}?_TcS2{tgS( z;9*GR*0#m)LDX=rUa^5^Pl?4X$@6@Fg#tsRYQ;B1E`Jm?4tPr&s1uqgOKPFqIKTxv z{;U>ehRm>HU28?H@L8^l5EzF-4{tBL*_5jAE7y1Icdu0*2mtp2a8;gQ)7L^^8Zs*9 z?9Pexpf)D6fB)wi*6__GeR*`~>RoRMpvZ@1B&Oi9Cazg<-tcQH=IhB!D?@)Dnef#v zLp-C%zQtyyD%VM9$`~2}?ZH(-X0ce;y zsmzf8pv*~IX6?<@`x;~)unUG*Fp|6iVaH&A8yph!O^VwgW*1s&%D$aHrT@*@K zT&VD6bpam6_`aE3B8-k7lB6^g!rnmuSdQ|_6ZE@#A7vdmlt*u|1L_kfNBZXHvUPE6 z;n?Qtjgw}54@ZTI^81i=&%Ef?$S~d&sr;aS=k7`h?pz<}+jB{%b4`mQwtW6wb5Of3wiBtEQ&9^;buCP|z%iWQE8seKllNW7j{TC%*q+rm zWpsW;Rm(bwLeuxwH)qs&u6DyTwE5&Rc%HiLR3RysVErzgHvvT*eKyLN`Hz&lUxPR`{$0Z|05{KYwJOQ|#^V5j#=-Vq55uwD)J@4CK zbWBJ7^)mz@@QjS?Gf~8ius9|&>8Z2;^W1=-XlUYBhw*Fm6rB4s;np!i$~oFqNe5fw 
z;^emk*%XBQl}|EZM0Ky+Gy1kJ3%a^(!%)|4-(=Teiy)+P+pz$&Dp@`nc;k5A+p{*; zb0A@_{99(@lBkIVzRO)dx2)T9M4p&_=y~On2ofX!PeLyK3}>lNI}!vxF!bKLr4^rF z2+eflwD2gU=9v)X|6VUndcO^IdA>(aemtHsWqrIKe!Q;g#@%xMk|ZXw**j6&C~dPU z`91d1wwhJhw6G%CqDA&U|w%q;4KIfcIv*X9HTRL_c}^ER3BnBwv{zmpyQxF zZ3G^`YfNsvHMhoosS?Zkfz!?!styN#mOB|$oP(sN<$YwJLS%C>JmSHzenJNA@$mk( z6NJX{t2veNu4Dj)b8;an*&ylymtvYXXg)SZ26lMfsW{r*_*-BHRniOuqa`Gy9h~PKnw>w_@dU8{ojT*hy+_aZ6bgQ0-KcE_ho8 zi%O{iVTVz5A3+pe+nX6jfaam+cGnqZFT<=-E?7B^b$Vn%&G+|MlSyi-paR+V8V+YO z`VDCzOS?baf^9BY@SLZ;Cy{$N(tZU>0WQdwF$a;2$% zxVI#VC#)*_3Tf?f=)e?_gIpbjuP$NKKF#maMhwY3u=7WM8dS`6_hFxQA`}P}`tyG@ za-C64Y+XAc*yiBbs)a@!~({{6l(fG~qXkZwVJZEiK1}-kfOYs50!D2XW)j<0CYgpQGW2O*E zqriz79f_6rr0;GjrjOwOK#bQ_Wud&^F|7P1C>S(%NeR8g+|586sS`8o*gza8gr6yB zveT>qeX{zE^ud(N5>W`(DSKIt*oxC&GBqBV3JY5KMH8Qa5yg;AUana2);vxlcSDnc z%v8oVdsG&mpE*~L_7bH^TPN2XvX<*XrA^VR0tD zkX#=EJ2NGX*K*|p8T%HJtZg-w)3`TW6zZiOjuCl3aK>9`gybZrXg zmX7seTYh`11YMp7^5<@Ub3xhNsKT%>Xk*y3XI<*)^ilrhhxGUA-j*W!pZj$2a2K{d zf>INC*fpfu?uiRq!8t7`MFmO4Q$D4%NH((4m&UXcdtz`8N=BrXL?3cOPIHBz6bUaB zCW21o{@tUUwnCCNcL@MsCI$d#|6h;xukLJ-pWWFB_w+sIxj<)p^iw?_#1&asJu7Ze za%+3;?JaOQjN9|uq^VL|&yrj!+X!`TTVuV6nHy%?x53QYgmv6RyzWuOXZSE=Xv4MD zKE77KA&gcXnlvvgeKh+;V=2|_@t(A>nZUuom0`nB@*MRqc9gmufvaiJ8Z}f_ega%u zPZ?S^HEL?(qk@z2OP$_Y+2g-U+6mCJ z8&Wz{q$2Mv6-e!o2evaCtoHPKe*bI+-us^3+pYe>JTZp?;SFN!sj8WQHZ~d#4)*d)lbKBg@Djs+p|i0{I4TZKj%47)e(zd`anpR#2FVA)d>} zq3>`;?Y+7kgRufWmU|u2xO9WNa=?fU6a?iugXp``8@{QbVr2`IqC5+eSfQzAiu?e* zddwnt$MKyvkTm<`Xc}mln^2;R8{x-k1(e@`Bo4GB`|L4k0S8w1V9E|-q8DAVMpJlm*Cqkln zKM{qW^)M^K4vbk$iZ-@43IBMrmszfl5weB9&NLPNLPkfwe0AF;_b5sM%+7rSIHF!P z9~E}eN#@e0SE{>=#6w4rq@wLReJ=YHA>Qe7bbt%b8~u}aUmUQ7D67VFwwK7)x7x1C zeYe)-QYhTqF;GV7lgjUhRAbOLm_NHX>BcHU;|sZA8QcWRHcdk9q2o=ta?ig}g;lc9 zN%5%J6Oho{svbH2cxKVx)t~XzA}DD7i2wtoq4j0(4O@y}rD4fJmf7Kfm?6TD2R(3@iC>>0b7Wz>0aD3XAEd zC7+k?U+b%oB>|_{E7y>+DME^-6UE`rxKi3BnR@o@49~R1%Oi7UO~)eD(rqh8^n~hy zQwsWS6uo-stK$CgKmxK)T}DxIx_9VUE$UNqk1@_qvGqFO%Cwgoi>#pYQRXq33GEr3Bx;Y2nkn7o4O#5$0k<=IJygwThUKA$zGd7BE-%Jj1P;+;+Aexk2X 
z^s(yc++v+EtI}(MUiIt&qdpd+qPOgS%n0gTV{nOLO=6a+yA2k=kmVIec7aJ~TTNu< zFC#ddV(i*>Ca$A>i}}Y)_VqU2wsbsw2J{k7Kw|&=SJM04N!rlIu|dL2{800-BsNwO zX~r1s4SDP)Hs~)LahfZ>&~hnwnX+|(vUP`lYuo?3Ok^kq%yR6(a@bNZEYqc!o zf-!ta-loa5D_UvVeI+rEg8KnK40%T_)R5weICG(@RVO*Xk*+CJ)?uu(e^gq#iLbbzR(>=8W-kFqLMC@Ar|g zW4NhZKA5&V(L2G2r2DNCHJ@Kb!?M~3G9OKDtz;dIY0CY|Z%uH!!x`;Qo1?^nT}Fv@ z-8=7@#{6URy)X=%#gd=4CzK(`F7Vij!wLucjAZJVr!ru9{N`6$ljkBa)E38rL<17< z?GRP9-31HBTU2iDv*lNO_U}|3Pe))Fv&RX)?UpMJ^^hHjZ|plwue7|M*jQf0$eK*# zw}whIqYeSiDB-e)4pWeUC(I3RSD8@8gl&iVb16(RlM!&Y??KT!vxi9@#puU-@^zUA zR7axcBEiF9(&jVW=)G@ipC|%`2rv}!%>Kl3H{S=8NMdFL%yc*)a&nd}OPlzI#Ob8H z8NJO*o8?EwI+wgWa+zcYRm~Qk2YS5k{WReLT5YgOAb2Bkl~eRi)GJeyVi+`{;!I^y zZE!p(@i1IZb#9rjC%b*4k;?uR@_Z=RN#jf%A(-x7vpq7gq1#10)dik3k`mKRLh}la z$A^>*yt7*#SH>st@7|7xo@XDdONDivvcNt&g3=r`VABbTH`C6ws$!}>eua~#}6+m8ycowXNufQLRSBTh^ zFJZ2*lARRf#HBkbP?0S`x0-5ffH)9PjPVK;j9`Kd=z!0b)v5oH zK!|i-)aGL^-7pyk_xYuNmq>NDS0bCSA&>?L01#pCzlCdl$<<`UYq|o3iRH^E?5woj zAc4XqW93TEiRxjCxhcpv8|3bO)L1jiBXZ62%uInYGO;WlM$ZX^bGs1I9AzY43aE7A zxu5BtW6UeADKC&M7TdQs2I61X;p`M>bseeG@;p)BC5&5X@T|6j5K`^o9K3B!W!F$L zMY#uyYMy_Y>?IsZ%_u8bJt+|1%L?(?clHgl>eZwFyxUF|#b z<9w&Dkm}aq#|$9^Y+zJ{fXl7?@bbS0>hUAdu>c1E;KkO1WWQtnPrV*%H#euBQ9sIH z!gWH3_>@`~zpr2z1|gt8;)T6g&{9|woF1wBWJuBK?W)V<`TF|i zY1>a_SMSF%)`$eId2nHSMN^M7LKn^kZroQat<~`)>|48IHfr2bQ))^QKHw~So-VDI z-bXK3vE_UpN|fZr`1l(qz(HKkAv&BoO&=wgbl0ev>@BN3hT?P`(HvhrhP)5&I}9Qr z=Zg7Jp&YjRs!G!v zxW_$0b?mzR##Iv*f9VK|7$30O0>9Z8xl9jDy~Nh^UFylVKuO+QL1vwmt@va40%!jScgs!r z9MJuo?YX(?{&(*7l~RLyte8RnI`ed5 zCON~ctN*rXv8BiLYOF1zu+B^W+or$$_n(&i<;!jH+JsMqK&oXF9)Q~}OF4zbu9Gx^ zAg_}acX#n>{%2J)*Gl+MvTftfRNMjw&hzUJNDalx${ z-Ln54E8-i2F*DYG?_=v0O6*w8l-#iTPp)28cl{pQd0PDR;kLWoI;}#WlZ4JuUZ16q zOO8*n&9korHglx4M_O&WY93*nDNG6OnijFR!>Bh_dwe^#xA#CeRbNeF!X7=Jdum{O zV^-`lsKpaO+T}1eQ*Ef9R5~4M+Ovo$BF=2SqjM|5SYT9dB?GbgX5K}tlJ1gn{#OlR1T%GXlps{C>u#)zSC0J}ZN7AI zEGdni<$~nA$WRSWHX-_}I~SDi0KQNAq#x zv~Xh6%@{3QSWkjdCPxZ%n;={Fedu!CoXj^&>^Ljs-Byu+9xG4TtrMV1Fwb2i{IdYR$a1kj|Co^kPE$165oB{xiK@1YS%K 
ze}H_efB*8o(#1va#YprAe7^Pz{9oeIMV^aa`5&H@b>M&c=Jhl$W4-8S?j`~ZV_os) ICiVjOKc}dw1^@s6 literal 192972 zcmY(p1yr3$6D^7dcXtTx4k5uMxCD21cXxsl+}+*X-QC^YA;`gbXXd`2xp%E2@X@U9 zs;=6*YIn;?f;b$0KSodZ$ldcIeQyh2Szy`VpRX<;_^jRBhVgP4LP;qalSOVA_N`c1 zh7kA{zdrMhjpl^q?0Zx)Z}>&j;3DM{5rX&SS}pnhW`^e)-)*WsnP(6+ahggLbgAW* zr|8>NW#g`)Br03ShebYeC+7`Ell+!M3;7YQFovO!c{pnGY6#i&r4>u=|1p7{Jr4~I z6u5RU5D=9A+XMp}d!v7B_#Go@(Z_@w_z`xqk+`qoZ|i9)iBu3Ih(O-~V-}aJjzoq* z`Oz76#sx!vSDdn9^V4zy;b65ld;zNbsz>C@H>#g4EBzi<2qMEbJYt8l(Q-ZO=CmnD zvTZ^^H?oc3@p_shFqtriINYFUb;x@-)Q|pbI?l-;{$H{A{r@7y#Aiz`1|(cg`HiT> zepzBHvBRHZ&a%%z5xBazJyYa8Nw}4=3rSPA9i?ZgvbxPD5VkTcbBwIKbJza(>KoFF zdKv}AakJt!c16@W)I4GL|xAxAbAG7V`KZaOkT9ez{ zN}35OO~Am(bhM_{{C(5=sENm{X~?=0^#Ao-jR?Yd3KYcg~o~QT{ZuqJK>S+!4TpbE8c5`h1@20bDY72gEqxgo1sM-sMw>RL!*?d zq(gIGfuy9APl|D0zy}30KT9;j8n?z}r|SnP?}SFp+Sujr`jo!67nkCIby)yUfJ#C= zm73@=Sc5#Gzge_WZMLy`rF4oJ3v1#v?kbwP7%z6#`!vP(J$R}#FdxFtlVWPOFoBAl z*J6z&$eM2Int4RmvRfn!gKc2?63!FCUBTGnk3xfj6f2w&7i7cI7jRs({cn{~G`2TC z>a)t4CK)MCSsq8?$G_`SJnZT}Sk3;{^w~ee`j&u#c8pwC2zd*5n&E9JqU*0#WSXu| z-!)h{np%-0DQp~0+;<-^Vc^6%j%pW_fk#U87eIzuSp3z+IoB0>w%EF0?Nm|)vdtBw z)CQHo&Io(BjB4s^F}+dZ-rm*w1@BRtQGKNvB6TAO@3DHr)Wz{_ z2UcgJdnsL+ve@hqES@Pfl4Dv%^*(RFJSiH~Bq`!r6#LG66Tee%r9dog#N?FAE@`(- z^A1Fl3zs&PgqolK$-O6hQUP)VV_eG4c z$jWrQ*qUsEh5AZg5FvR2VQ)6$u} zU&2G$f_8mmIWI;L9@IPHX3rxBrqox^ywhus0x*71>YQ3iQlCLia;*DQm!E8l zI|p=&+p906E3HrG;Jcx&&mVGsWzCMbD53uPy_U+K zY~Rlti91|0NB3#pEWP`}(;R^ly}9|Pe;H%3!~^P&AnFbMpq%tFLJ77*)KMynvddif zwEVVqzB8wdfj$}JZu12sqvc$pFb?*!ibZAF`^3}mMY%+nz~8fbaa7WUan}fB=I=LR z&6DCarr4_U8%s6SlG=U&usg3$ZrJ140>=Wb00+K_eXLC$J6Rjn!cNPn>UL3E{mezN z_+DvBdDuP(#Mt{wv7i`d zLp8WMy~TQccFwyt!^E2C(f}it01TnJ`yxdYKWu4|#W8E$m9Vt4g>=~@&Az8QI+LpJ zDezEa${Oy<(%5O#%zrv5xooasqBkX>uTFhES)o65(N#UiZ| zXBdsZ!bs9D8%1-!qXvKVvP}eaq(kQ~v~-nl3Rw74A8`LKlc~l>3aF-nf$&(Of?)q2 zCUdc|w{S2uGIDfa{P*i$Iy>)pi`(N!J$kA#<*{412oc4&L5x@-wQ5fbXNR?c-o4 zpy6eKk8g96=k@GuNyl^fitp_#91H2<%gfA0HTS_H@A=Xfyyfz^%wUg z?|0Ly2SzcaP%Oa1;<=5p3lfnvFOTPrBrWyX&RhrkhU)LArq1H1!^6w)u2(nDicXz| 
zw#j!>-qoruSI&0-jQW@Mu8x*E8PCVpo4l5fH$0EFmy0vTYpk2!S=O6A%TbK&k7HSU zDS(HJjgPmu7vGm#5vnIfpG)g?gdff7RhL#D_gIWKUDnJ!??QWN-kmjFJos-{3w^;G zHd~upj$3VGZ7*e=su$9?lbfr~Hf=ZVADwGno=d43DmqF8Z%=!+b4~99J0+ZL8;n9R zXVz4MS_X86#o=}zujV={8i32B*^SwcJqyY%*YdaPk-ZNB+9zkv`b%ECTV0(C>kqrR z3%=%X@0wFf8{Vx;BAvP5CGXX@hYSQHsUJssMyneaeUDoUHt!e92{Yc_%U8TXQ%Fc2 zA1}69`{4^iX>B(NQHNPKB}86{(MQ5|E8x z3C+A;HA`cEmI#qN=STmo0#~{Dsg&Va@`Oa>9Ye_{uKcRB{TSX4{7I8XC7m?~wi5y0 zC;f4M=_G7qbx%&})oVA7sMuT3Xjc|J>s>VKSIQ&n0A*K=KO^P);4tJC-8auVf0_?6 z?Z;^Lpq?dToA*xFFSLU*E>F*-{bdq$JXKAbi6s5vM&03UV>hqL_U)EK2F1- zuU;p+<~9~*zIUZ{-2SHhutia+A@N29+#ya~AS)U`YNP6a0^n>Jx7HCNm)qVt;%qc0 z06uOOgbzM#oEMC=OTv}f?=MFlZSMCyja}=TKh8g1^{**>y&J-m|pw--4F3$=px~rL*N%Jq^zz+lQlM2ALLNT1Fpqa@mJ>b=0M3^!G@>^Sz)Z)AkIcqjmzFBC z_MQ2p`bp2f!5J1FHkZ#@yLBHtw`xm)Tk9L^9kQNxRXcgOkH<}b!@1yvhq?|~o}w#< ztoN5^r(FZS$EX?DS7Y_1IWf=cq46&|7qL*w`<0v#!Dv}!4q0takJL{+R)+yw9qHbt zs1%B(p#!(91e^zZ;CGQ#-vP7^T^9?o4@-Kf+m^1w@%QIC(8dzpz^~%7Q8WOf9@uTw zuO3o``7~f$h>L`IV$h7<*qT+adW+9S8aQBed>&dUo`xM`V4?wf}&X zc|C&3**hvZtEAlgSz3zwk*Vo&-zV+S<*|JKlHeh(&ny-XcajC0^8+0t6I0<*hqDx~ zY#-LxKtAFbV8+S)R|#uBAGXAn%S~eFEzN&OWoO5^1n=jL;>uR$Q@O6IE19AL{$h;y@rS1uB5&O)m^^$hXwMT=A$=hx^{)xI$(Yj)-Ie}U;VDQMk^|UrCiC%L}Rhg zKanv}kx~o#bBjX}TFE$$Aq|8I%ZvJhq~sZOI<>uovr1i3H=Iq@UMNC?~Tu_%zK*xSNO1bR;H-`9~4wo4Zrg+>H+ z9A=F&bbbhn*ly>kokh)YtKvTc0s;}p=A)~nq2rJ_#?uZBmai)Z{8cNfhlr{B|0cO~?wP-8wZca5Vi;hNK8O|<7eCnXN80tgffW0EU=vYcTF!?$9II4me{iX5 zm*ztjEqr^>?Qs}QMHcefENVtB-{q!CdSb%#Fz+u;=e8?N*N$E#X~qjuCqJ1^(;a4; zjLJu&Kjaw_4v)tWYJp+&AB9phms=@}FCnsvA-ak69!GzO*A}TPcjz2f36PYITJy-Q zw$Vu;TswF|_I1$N2$S%d*KU*lY3fr#)G)s4)N5$@q1E=xHHxiayd>z;w${hz3#$tkS}u+Mp6KK6!hB{IR) zFHOL(zMe)o9YoC-5SxSgI)l0{Zsqt@b@mP0kuTqpzW^%1N+P8-3%wT-KlMhP?=F-POj>f-Ht%#VCa0@DO!c^qZ-${x!(g(#h*}`x>=t5X3r%@&9myv z5AH)dH;Q|5z5#8)F8CE0+LMnAD&nzI_0QSy%R|#I1K-dk=ZX%wAwL)-0zVR6=8Nx# zIUBt2`0-icAy+P$<(}DlyHwKxOL(LpytvKq;P5_Le+F)xd|%R*uB6gQb<;;b{`~F0 zs1eJ*}Oqo7QoZDfJ!bu1`<@KNFUGf;)}QKdkeZ(Sh0+m?XP^T)RB 
z$1_)VGFN6cv^Qn!(;rmjJ^tUNdc7nkCa}-nKGJW!gA%i|_Dzbz&ayR+fzML>y$g@t zEDPkdhTwA(obr%Xe$6A(qYNVC_}4G4(){ypIG>Ao8xMOOPrP#|tfqYWrl34H^^^+V zHM{3GB;LlG7F|xm@*XZe&?R__6&qxjO>(<1h8Ih(C-(1LreaXIv3@~@M+nqTeGR8{ zry7+RB;w(?i_Rh2g|Vf%xkn|CeMEvS)Ix%vaY*78L-G_G1dKy6A>&an6=FCVfnf3h z{+>Pk34NnSYc4sTBM^bAK_f4MPGTf2gjeJaeTaE5{ag%f?@rWHD&Fq4b zVscAmv)>a2O-M=e%Yh)8!*oAB8#AAc{!De@m1%I0+k@Vp4w2C}tQBQwsd${il{kvS z>`)RTa2obvONG(-{@meyeQ`7sSdZ9HR-+z@Nfm!6hVDq0w{gP0OiEk57uRfVL`$8I zc(yc>OMG|t*YD_6EQxGkC zh4^zK%i3Yfzpt`;lxrJ5xQckz*Eg5j9ssx9mX-CCEfx93;!Ov%Ip``iBc4X<^pV6Z zT}yWL!<1v&MI9PGNVqR*m3Aq(bdeS|W-@QPAC{Nn2qA)Jcp6HAo@W(rq~7yK4n`^J zEitu6UW1EIcFa64E#Lgnk4C}x9HEtRlK5-ngj&i`?dh^C%KucJVSNw|?FWDBQRCV5 zl0G``O;Y4F!Xld6ai+fgig56qlOb2xPrkS}J|~L?+Xqd^Ew%RKB0?wl1wTuQ#Gd{w zwW#;>xHa&m`OYs+A+o0P=1mXb-VT6+5cdIUK>e|vylHq(759)m;Ach(*0EF;9F6Rn9F?bsMA6SI)Ozi z*&xQKbOT;=EocI+Vk5QDsx`V_CRg7BPtAsE^gUgvTJ6TL3hA76e?sCYW6|W-Yw=-d zdjGl~36z)wtc&Djk^TAM=@VB|xzeKvmL+VH}*L2`BQ#HN-j8suff{p8BRh-D;tr`Y^`S(C7 zk0FUA@(1+LRNk=L+R|~%RQtMKD~ezD&?ki+HErUDn@lnrCO^Ua9u= zWh(w3kaEz8#4}AIC&^l>VnX~5H&3)wg(aTFkvl6N^@O0*6SbcGIpx9XKM1~t#Hl*s z>pbrgi6BRjd3-)ihNI7K+q9o!A~cSA%%D2J-U+oC zIY1!@A95v=&|jZcy&Kjra#DgM!Iep*UX4r;EX1a+rY}1+qV+`?hXGE7e^H0wbzg0#x5iCTGY7 z*}5_K5~?+EpF-z~b{Kt7`4iwhIw8I__2|FfWq&J;Lm7Up`8~AjzDT!VJAQRm?boM7 z$*a7Db+};oE0Fo*C_ewA(S-j@kB6I=Qa3ix9_KK(ce9b}Nc2q<8-PF9`F+_W6VM{- zn!q$dCj7|T8@5)?Yn$a}zP|@m(Y?C@6-g)16QHCSXF>I-dTthgnJ@=s1*Gfg;=~YT z&Jff&;=wdT_KImS+5qaNc!`8_R9RN!CWE~-A=jk!*Re%#Tg&%Z zw4p!ros`T%;e6u*ZgVkAV;G?m%T*CV!?%aLj^nPDBT>??OPp0Y6dka?)*)S>Je*+M z@yb_IHHB=@qBkjsJEU3e8c9k|S2MqAHCR_uHCq@Z41_$iTBZGgk&gA4fEKd}_@oh) z@MEi3P`~i@)ZoyT(#M_P%scZ+LSGd)u0!!Yz^Z2}(LD5xVe2 ztkvj@S0vXHiYXk?LRVeHkyDxf>v0ij{;*U-)srn=Rh7$kfb7Fr)yFmSrJL90<>kX* z$NhUx5vIq@%z6r-(ZXhfak=9;c;Tb1_G5jm&3fUI*SocY+2v(nsf>^J_3zWu``~6< zuernA+m0ll^YT#7$6@JGg>xed(MD!{0MODZvCeE+!ryEz#55hm4&7F?#SFMkkof{0 zeFpUzZMt&(PI2(`n&|MD{VjF(p#B1#uqcVC@T^3XrHCoAA<$?J-Y9OWBuF@Vw)T{O z2#(xJz(tV?BqS+Rh&9$a 
ztnq7B*3p7x1c1rPG$Eh!4d1Pnm??l667jnDdI?-EJ5CBk+?@pniNE#7$Nc0Sabosp zPie&nyW%&{5__;;2V_DCbIM_$`vSAJf3Q!uSd!ZWZljsQ`)JD{@<#>!$I@(s=<)|- z;1QSu0Y3&O><%WlEEB~B{WN)eowTOF|7PKbUlaVWqAh8dm_ zUjFJRv2l6>!p^0S8ACa9sfAjr-xoU_xfNdt1e&#Y7IsIJOG%b)?UsRYCO1T(5Vtpz zl!Q zvtaK#l`@;NF3Lz)pn53FHf2f&O5pzw6lV9STJ}~GJ8~(>Fdjd*_aX!%m}@GWsLPRO z=(Q0xBruil)YeL`0!Ki921sxrRcE7uG6Q4~O0#yBppBYNJK7fv5>}TS?tA*urU_Fma$qPS}Z+ z=pN?t<-f6?D2mf@v&SY&uov5N2CJ^YLoGftI2_&v02$9ok{-j1$1kMG2?b{A&t0CyLUxp&@9 z?lCi7hboJ0F{uG3=h{mINWYTUml5`&?BL9OMdb9{C0_+}h$2&{D0SD!)59I>rmh!H zkC!1?K%4A?w~ql)W?JRi#sZ-2{m}W*;_;a;a_c>bb`O@y?a0ByBvoV0>+Syiz0PZP zROJ%pc#+9SD@wpl64_ycf61>JmL0)ah;s#ZbI(v143znEizCHEe6h7akjE0_(PJ3E z`(YWpYJVl9cDpmHYQB`%`Uf1CxP38PSHUrvEmW|*iT364=fkJz{>Cf%3e)FZ>h*(e z+f<6_K_?azK7Uxknh&o#F?*z&rt*ZH4F}SUB~@>*5?Ytx`ZetyWq*_RoOi3~VeMt( zNY!OPT05}AE*jZd{Uh%!! z(LG5L`xElkxj%S+EWrAtM3}X(74sa9{tAa@Umd7V%pQ~ohsJC#ur@S&Hk`zP^>@tv zU)hK|7sk&G+_fayJgP!1s96ln)qAhkpr_twcG>$!v!ep2LGUhuhsS8`cI*yrb)w=CZ&I}yXD)D@!D|Z6=K|zU4)U@>dB4Yb5 zpW)g`CwO@bHmp?{L8_x2w3?vFZHbmvm8jDa=9A2OSLR{Xx{Uyd)9#;o)CMD2?W&8h zbcc%>>w7&EtmG?wE+7tYLc d8DrxJ z`j=isG=|dQUJQ*LGU@OV?smiWPuwQFRo1n*F*E>ABt+j^Sq|~3HP#y(rqN&h;H?p2 z1WMUXx{73lN~~5s+At3%HqwH#ov_ha)rh9wlQ<6pY>-c`R-92~a|u?9fQ=y^|7*(hWo%C(42 zM=dF2Y+(Il4b&S%<~0oPA6I+l)jNz}=t=ie(wMVIW`$)jK{uQ<4f=MbNz`ywEtrpk zoRHYeQ8zQ$DatfMTUswpSScWI2(S3R&N)M)KYa!=xlR*DWU?dT8*THQ^m<wtN_nGi1h8u2P8A?byUCXnaIM(R{9ExC^%@sg$#+0$hYwJ!!}eMz9NhUU zbBO*Dk{<|GE7n#LQ_B6BK3tijWMTE3tOXqKnOD2Y$`DmGklVny$*m_Azg{f*OY+TB z^p)20`6|@ympY}E!Ni~bXwf`&81fvsE*w9J#7}G5#_T!3Z-f{J8az?yx1wKDR2Vs0 zVpb&4TVGK-&f>og=tl07{*4Rp`Wgw-AmK1GL&n|9pZuT2(i#wTHITZEK#L1I;El(0 zp4(wms;q3TxIOqN+&!H@;9@($Q0o1^L|dV+phEv+T^p2u0kQue({UAi>VkQh+m;4d zE86ogZ8azJzC90Lz4S8*S?S+~px{_bm{?d~C95U$i#a-9|Kmlhlx+A;Oy;-jB7oE7 zVuBJ4wDjmA8q=-oGU$wF{Re%H_@%XFa43Esl-&di8iHMo!SM2lN!baLMn(hyF&N}0 zoYdq&`{~0G%K?|7KV$^0I8yLdzZlK6tm5ZNX0Bf?rdO%m>FLD=nGpItSm>tLIH@_< z{n?$R(w9rIhu~oCiM*PsI?Tcu0ds(#F3f1V$Y@V8m5oy?gkCnBJSA0fX~-tHZvVhG 
z@duhHu@SVW`+7S4UG=x`IFkI9aGzmjAdb>FfZ5$>Z-hP&J62usT2P|Td*(t`4?gI` zLLNju!`#xV<#X$eVKC~^_Vc2H011)335hmP3UG7C5cDUH`N>uysw>fdaGQ8g=^FW# z*$^fIu6#FDE5ME!c~75saDW9niKK&kw&Cw$1Go?_dI0(XIKZ+^`!tApft&|cU-L8U zPG?9X!s&hO4o0c|9vg*@NiYz&XhBp-98N8B*I$)ob-F#7E6qy;Y%2@!{6*9NTL&v^ zHeT}8fQM+phPJMOZ#J?Tt0$&6H=Ap*X1A96Y7`Yxy&e|Ssw*Cc2;M{gNsdmcD9r z2+0HdOyPdIm}7owzgHI)P`rf8u-0qY*&X_dPtjYtr6{{c#hh%TlE$oMD_ zP{zl)%VQ;ntRVMDWjoH4gIP~?8uxlo_#y)GqAmw4wF9oXw6W4nnX`Pu!H?LUjzol(jLFm)S%7UR6ID3|Teq8S7)Xpp-t#~&p{fUCJJt7y(d&$1Hs zPr%6(WB;sZY6IBGx#vU*K$LA8-*RY!4gBltY}K0Oz(@gf3t+Qb?ILZ@==j@Kh?bKh zfq+HGn0bcQAitE`e3r)qc>wH_&+xEvR4qZ#X@Pte$tYCwH>nWYBRB|Zk#Z&qhGQ?K zFz%~j+#%RViGSNvngxtK>_4$1Br~9ob~t)1|M7xZ)S4Dd(l88YTU>9IS**T)-|=Vr z+Ja|FGk~{_w(l*B%S_GutAeB0%>B@t8CHcOB_qPm7wa?M`$4oJTyG#js(@I=Oso;* z2v5~~rvO?dE_k`%<1&S?v7Ylb@iT3hH93ntbMczX6@8w7tmzST9~0O>b_K164P-(^ z7N<83{{x?j$%Q4YPz{srA@}7X>Lsu|!bdUjEs||S{l+g^a2MNT?D!q2DVOP88o851N z;ZCzFvcx56gv^^t!^vTJi=~|js_Nr$LYjyy+W#d?Kj~mNW49|XVeEH}B2;<`iYQA5 z=M;sAo_f)g{6z2Gkgj5jnCzn;Xo~sHhsjMDfidija4{gT8jdy{^UWUCKrqrWCMTZM z7%vE(!g}4D{vx!n;xaBz2{BgTziEa^?ZX)PW&W9F-)LX4r(lS~CSB*RV!+{#^p#69 z6M>GC>Ia--@d3i95D(|rsml=!ti$>Q*^h7K-#1qEhOW?0Bye&2%VDkgzW+Lu)KvzC z@hk3lSU@sHQFaY0HrgfmpeT#*Z!&9Wb@pQUNI_%OqBDpx?vx+>=>gbipL>bh25qnl zrz_RMlF73JUt;M65^z*z`v70EFlMt4i?qJu3&co; zPYAffe8OafnlR%HY-`JM&H~cU zRhQ<)<&NRT$<&X-i_3|NzB%K02PC86C6n^===yS;STlP=;j-!IYDNki$w8^;pPzN+ zT(Vk!-VLN{y(SK`DB?|y1YkhN=nS-f6b#+EmW$8?@oyc}5ms*&k1;cG#L|gX7b(2GsOUKVCM4+|vB)56`EsvU;M=7$AgzP%l5BnD&8F=|XZLbqE#st< zx#_U70dVF0^jgq%-nY5#bod@>GIw-Y&Rok{TO(#6gX|EXZCI=y;-Ws*n1ibj8}XGG z^1mYAEhg^*jHBzQD^=ogEeE!1V{k|jE}L@!_? 
z$>6y*kS@tr;BEV8M1&rH`gR|01T6$=S=duqVjD zS~%{GA*A!a{?jFVnzIw+IgvJRxGgEi1~O^VsF5<^y0esG#2x7kRJ!KM!@{Y3A+>qy z`7zIg0E%NO=()4}MK;+)ZIGbu+Y2?lMrd`R1DM+n5`4k-Nt!b{vuQb~+7Oup%B-dme8)BQPJL@;Nj(27eJLMQ(6pL_sX5(176XY1R- zB5{aZcMk$K6ZftAZw@5N%_CS==VNqbvp#oukrX#}u%9rr6N3cGDc}_0x9QedF*epv z86DXm-yg54pOW@0xZh|z>E;2ovGO~SAUl1pecWi(iM~icIbnePItOG&2(&kt6r5;u z^DbF6lxBiTzav|W*~DiSCs$*3o5Kq;6gcFwylC)2@ub4^MRG7gU-@8ptlpkYTGK(z z5+==rtq**Y1#HNFTU}8YuIFCE03{iGb>P}NCnpvKCcGU&KNWw7yf1RzFn>hgT{^pP z-k>8UvpKwZwNi1xXk#iYi6N>!I&uGh9++hC#~uJfHmHnC5G44LS&s%>{g1_ztb>v+A4N@9 zDA6^rG=>*qETT@R-=KC&uC4MV#HkT|``dUGQPh({=u1 zjS!{5O&$ZktS7(dED|-4C2yyHBXerBOKDR_GRdE8I7>d*;P4~LXH19nnh1ICcg{3UhV7*O?Q zvwRL)zj)*1aBmjwFOf}F36M#{>Q6v6L2yn>>Q3k`Ebii#tNE(dZD)%+1VfA!y6|)o zhE^(tP#?+urWg2Scamy)k$SbCvkqqH@u{uO=ZjcYsrp__B;1r6>R+-nHf_(!vYT-c z%mdyGbbM-G0BTS88E_JM7AH zX~RUKr%tVU$<$=u?ZvZZleT9t*4;wuOOQF)AZ08E#rOLplLU0hF_7mwo3XOUXbAia zgsKHN^?vM^6a(LWR5ljXfrjQFQB2}UIx=h;dp1U;1arqIcx#WPk4kJ7t=}l@snd(C z+GCDkCU=hm93)`qSha^ZR%{H8J;*&v@_sF&@Hm>*Zd) zyzN}^>O6aYc%j5Y)^_?qe7IUQtfC&exBQhylMUYz78_I8HQf4(`CJme%fIMzYz>rm z6_GbGXkb*UthkJnNrQe9$mpC!*QS!nl%Q$aR-((|VhFqZw;RPG$Caue8^GNl%hL|J z##GePpLg>5L5{&XWzHw0W5#EM!M*v#1opz@FYN(t!_WXCU(VtBaogSk6J_)rIrLoO zJnvdG1Lz!3)eX1MT?MMTS;SJ`l~7-FDi%cH?<`sGT7pw7H((=@(J}W%b>$22ejyir z9s{EJjFKiRGl0w;j#8xzj{?PmF`$T&gifg>&R^H|#o>JW)vH%w+8#y*6BzQ^eItYVvKe>@AC58)%|r(b_bV8$s}Gl`TFbvb*o-+` zbR4md@gigDtpbvbVA&`5ry4WP-SvTo^ZZG~tZ<(#wp~$3N&*~H9gxg-CymA}dkP#( zCmf&8jV?&us;?;cL2g@`;xasLzb+w`>Eu`llpu*D!`QRo1}_2P^kDM!;0T2p4M>u* z^?~QK2keUF5GAT9dOBE$vL*SXz&oEUg6AE4ZDc{TS*ZD)T~7<=7qmL(;?^;LqX>V6 zW2+S0l|-NPjvu`RZ@f)(tyyb*7+!9!1v6%0Qr4wNKUMGNYdJdh#KM@z*cnh5S{A7f zs!OJk84?RLV}GXdo*{}R9hPr6kWB_g#iCp4E7Y}u7fefi?29i_@M3vQ=v%0x3 z-VFQ(M}T7=ts$O%T9|VN%80Zqs$t$|G_f&Z)Xdm}a&W7N%Img9L^8BEve?Z|H{iNU ztHM_yjwl&yI%HQl&r+r#66>U_r8y@pXP>xB&0g)6ySn%O6cpQD^KTmij3s7c{_DZ{ zT!<2p6g{*LT3@d$58;Xg9vl`$w2SvXL)z$*asko1j@(jjfcyN#!yjLk&ih;mTnMLF2oA;8^S+Nei?_182tsbcNn% z?cF|xn9qO7eN2_hcK~*0QW=puZHM!wW_w~rbReD+V0(Eh_=h(WsXLS4L3M(1w}-ur 
z6E%?c*2SJ8l@8Pkcrr9*ku3`&m<4=j1of=Ajw)D8FzIa;1WE7j$eu3L<3Z;>o>0JX zB8~j~X{>?`ra+cG=rJp>U*=>C;FVAwq6)|j{?myVjxMJ{GH3O`^51yx2)P&*q7`m#OTksr;*!#caI zeX?I@2J9=j`-fg&iVKd&M5ZQq9i;Y*PA!zTVLFP zcO192);m7-9{(J5wW@5nUEC+l;e2_ynR^HD4I&}#c3oIsD*HfO-n){aw7xKUceHHz za5U{qjnKDx`|L8j1@@g;b4m%EZ@gGLyZlu0Zhx7_>w1l=I^SphokW3jbkk6@bSPUS z%YqJgEqwVqws3iQU2f8s-U|m3$3D{J{dRwf)Mq(P)G39S!NRA$;TR-N9eoOe7Yoqi zbd1Gs=*OMJqll1Uc}Io#4|?mJsK8tfz_zV{fwH*6q6_4~CF}HXO%P*sPmC#M9Ezwn z%|BANbvA|UX>8~!axL~SG+6(DozTIcJ{p2>P{&&p)NU7U$j22satcv}X^JTu;cSaC zDs$obbq*Sse0edsXoE0WU5Pj{_WyOAAQu`t2@Yfrh;g_fWBfO-1rA@nXCCS!wx|V8 zW%K{G(WO#wXPFYEVVSIAR4J7=vX(TlJIArt^;}jEOr~)??7P-!tLcn}?E(NG@2{Qb7B684!i3&wypu~|w z{3%h(OzlrQMY(K02xzDHqm~sQF1Fl6z!l(1Y-Px25}Lkq(s{zl_2AVr2U_$pkBZH$ z+R)GnB@{J~`OHI8A(IN>8AkF zXbpN0`y-&j_+mut(o;a>MOa(?qFE@Eh)39D7KxYth7wu#!>u0mU2Mp7O05|L4M+Ms zwVpb}2x}dkYga*Xdl^`@oZ{kZ_;EG%W=pf;GZ)0#nNyi-Ftd$a@~uMufo7&(R93pY zp|pav@Bf_He2(;wDt$K!aOT<*BYZocR8udRoDsDW+>0so5q@vwsEV?;!{i)ee2xzN z1xpczV+GZg>0dh$m5K4op-pSy(Ig{dFt8S?@5sNzQO~Qck_g0~P}_)E#7UKdrKoH2@2 zkgDv*R*{>%$BJAsAklQ$_ESs8Da7t;%q2JHW5YaxYeKK0viMK{GWBQs&)o@4sszWM z4_p^Ku;5m=J$d37j9$8m<}o$zZPPNDnfQ6@E%lA%R@<2Np7ByXQaqOuO|uNx9`b&$ z_AJRt%5vl6%iRLJ21g|2ivL{%tdbvkseX1Gt5ngk(b#HFe`1>*9h#6RNiQ-H%aeqZ zQeG_H1^Te#C!UwYg(u52fXt-;d+m`V<_yTB&ia$VT=(%hpVQMg(DU^ou;9o^L7qz< zZ|C6zzHyyMFNYi1TN!+xdkU&4Y}!8WFB zm*;n&+J&*_lO^&RhcumAv7|=xvjh;)Khxz+v)`{2l4}}BX5O6<;1fE}uiUezZxh}C zvvbj*_Ln+O-&^nxM3di>t`~0J)2%$BDu1IV+J(u>BHngg<^XYJ<`K zy9nI^;1i6Hgi?5A^_@|KtQ!8sSy*OENb`8oVSD`);^wnJiD#UCiBDFapAu0mQ3s)& z0E*H_W7V^-1wC`kdpInVCSbB_T1#J%OkBx=1}ae~?d*o<#7KUBJQn7E6S%J5rtUq| z1mpU5Qjj882$=+kiIkjYZfY{KQ2t+vhQ1s@U)>OdlI=)?>)O8A#2rGE@ctK;CMXL< znAy)j4LaqPrL<~$wk{x-3hB$Dt`s5CIL;e}{cDV2W0+LlTOJ;7mA3chm2%b9#Dvyt z67i9WEmk#S()KIx;C6vMU5AciM-uXx1zbUXUEDw_fGnvmJJHM#cZu?_USXAHLoX$e z868^TKXHXIT$iQ+L@EKe;Ymq7icgY5Y;%)7?@Xopc4&RN$}>N`o$u<1+M!hUZWQaL zS1RgdT`tbO-PKo5i)^9>r>tGiJ`VOSX+%6LFQe1e67u(AOxT2xFC}fS`iH>JMs_rA zhqyKQ|5!a5>|VMKr`wEuMds+wjGq2Zn2Pb|Y6cryH6UB1hZ6*;JPD-zUmJW?fO?Dq 
zf44;`Sz&uy=~cvej0JisiH*N-DGDaS+(zsJLLA%1V!;0`WTR_AxSss~LN+;2$d;mR zzWb4<7(uNEHUX4|%0TgDh*9=QjDktnEW(83Q>W<&}^Qw}FYk?ErvkNN& zFGpm{Kgo*0pSqjy5g6>0eLPfi0$zf*tRIM!eI9ofK3vslrq?sXR^{}Y1;8bOl4mg4 z+jF1+iVgKe;Npp}RJdfrpF$B^Had!-JE%V$ut4N*i690Z+QsaX@yd5?@jv@?yzac{ znO0U4sq0Epn)FPz*ed^i@(`i81>sFPlK&HwbkB_=%&%R(ePU#1-2uS~JixA~+8JaU zjx>wLo5KOh=;@}aC!*yC)(|uI7^lrK^=Cm4@n#PG>)4-&l3EvnHwR~H07R5=Hylo7 zTQlkuq7{b{qPg~oG(dh1KS%j?t!-I51Rn5QvZ6|_k8L=}EE-`Bhl6gG*i_ZjS?H!w z5TOoVk0SXL8gDTrP84i~>A#@;CEqFB0fPIFE+>|hqX(HpxK{QRe1emvxu*WwK~ISb z)wvbqKEzaMk8A0^O=!1&l!$~}yjwI=Sq8rkP3Em@r~hiF|MJdNH2_+5#=tkC0|M;d zg$Q)Bh4`8wgU;bV(Djm-s^-|!=MRW!NN!{)s}>Ab^Cz%zg!uj!!ZqQ@OdTL#|Eyy< zi9{DNi5GvJ(36VBCy>>|?vjrA*lXPM$^l7SfXIb_KzbPl!@aAI#(r7)rtk97xT}qC zpAt7hz>e$d5M_PVf?jLNjcL>Gcu>KT=*Y5T(QIu^-+99Io6Fh8UNTvI!tWao%83k7~in_RPP+Uju^B9|#fB_}|%*v&^b zDY69>ms-3SHvU4`HTz^gT%)jSwhoZYL|TJ-je`qz;-wKP2b@f0+moWh2`)(4;5%4@ zXI4UI|7O*c2X5$CjCnNYO;lo_;@i*(MK(t)RwxiHWx~(W!)=LU6Tv`Um@E{te}~gf6~)>(g0Egmj&)(I1h@twe>yJfsM9Ato^7h=r26)RJ9hB$*t6 z6#R@E#DJLw4SdR}^b4;KU1?Qpo_2R|EwXmFxKVJ>=>uUW$SiX_JzF3M@skBFH2SAc zAhBD4Ecnn7kpsNl5O?vy>0z<8mG(Z6rm?r`|B%5BxCn+T_vFf|jom5MM0p5%`dS;h z{q@CL|7PS)XLgr(HqnRJgsu}}_WxwmD)5d)xJh@z$D{Vhs?Px|JDOYw4oG_^{!s*(C$jZSJIZ8ygTLzZ^(0~j~@*pi*qMehZRhjM$JacQSOEU z<|{p_RKrctwif%iovGkV?*t~SX+WD*b{!vvm1xFRPoJAHS1Vr9s5@~VZ;UD{h5^EK z2A}zb=Z(*LB}$+@r7sU5Ki;C;qZqnJlp02U^4D0$pyNE&zCSb~l67mJ?BPYqj-+y* zSII+Fo;o_%lE4iduFu1&U}|3#bqq81)Ksp_tn9_j!l}NIAVjC6Lwe^+{?5 zHQ^{7WZu;RQOAXr`l*3fpC%gY@o_gq&J>XaN6?Htsw6s&klIOHa%rA2J&+SEEvymW z8cLjn+B|lWdKXPL@m)EQjWAY;4=G<5*gP*(5jpQ&G=l73O6uR7F1E(#l&^5-=Fgz6 zX!&WEI;m{JFpz2n@46$#D%4t^UsGpv4G*K(dm!c=dE1_s1|i@wBmACLg8hI5W{*b; zHOs-^8*pJ%J6`dlG4sVw5EzpoDD>Z8;}3de<4=o(+zl~wIr7`o>4}3Pj~c$H9XJd3a->VK zBA6Z;s^sh37lq%s`_xKyGP{yUmvZ{kZoC2#p+c5=RsQqAt-F(}P z-BZ(-=crP&CFw~vP)B$|o^QFimA9h@8C6FD$$_STrUi`2+v0`ub(BFYaS@3a2SIKy z0&})%W0K0KIeuWy`7#doCFtY4<^7E@O%zz4I%)ZYiGRtA-mJ}I`b1-8W?Ul z6n1i|3~IfAsE=B<=DJalkPt<1m?4}MC}i@ z{-|IPW|CeV(e3wcYgWtt?7rb`ODk*7Pv`QjIELE+Y0a;W31RS4LsB{Xom>5PwC99g 
zcq+e69fn-BE)W+amy^jGFIBPd$=7~LJ&$V?=~ILdYpuSB?h4j&6nx-;&_H&%#~=4rzqX+e%%X10twLLcG%^GxwPlQ*r;V}8}`IhTD!0vgd->g|Mg@sLCI)`a4J%xG@-fA3`OjhxF4~84 zub5X$Eu|%wz8s|8tf%x&snUf4YLM#y5}QkY9oUUdZ3TWOOjHdg#9dGkqXo zn+*^DGiX zW5>W-Wz>8xiP#g;Au)WxISgRWP{GzY58-kw&+yK=o*E@{VqKb#*MpnfK$nPDxfEI7 z_^9Q#4q{sWZd?U{P@iE@+}QcgW%El0p?$-?)9b_&h}=mYy>1sECop}D!9>yR6rJh@ z#UuaY0H+d>+?=3%e#!lSj`;o(o%euUGCG5;eX;qa{*EpE?HfX=ha*CUqqrA0T#bnY zkCUJpe;9h_e#heXcUK1i2!rp&z!}xHOQBj+YW}bm02+K zeNG%}r9$^4E5!)6O2EVh34N0Wfj({vV(!ql<(n8P9!#^a7AdSkE;C#!5CoTHj!3%> z?9x>0w+9DDmxyto;zSAl+W>|ZA2QG0)zEcE?UUJe+FYgg2n0OC8=f~OD680&2!1zW z(NVF=tF00dF?lLEb1m~GMe9BL@}IDWSM~34w1C@(KFS%K!CW-^gz_@9YjaYm&F9@8 zZ!@>W690@PmKd-Ptqld3RIKBUH8>%eAe8+gjV6qOTY8C;4cH%ZjN&8(s5dH5ncnmB zQq8N37UT#1-?K1vnhkxVw?q{t(jkaNX%qd$;Srov>F#*qz_*F~3%C z@YYv_<@v?)T+#XS^TST2(o{+LC>`T&#%h$B04psl6c09Q|EDl!GB_-oQ0Ar$G5Y~- z!>V;X44(-BnLq9ZPy{R4Bc2u9$T!$E?r)^i`E#$&oAQ9de^}!M0RK7dz?D%VDJ`3) zOrlMM`iozeG$Uc)Nn@dFlp%v{n0Dz+frn!pI7#bsm6%1kM+;n6NiJ0%iGM7|KqawF zHEP$(gz&}L^A@{S@A(jXH4J0M>tOZWK_$NG!k3Z=tLzs$;zWqqhStSY^ zu)1wT6lsiRoGc?Vmxenkv3rGt&CSXBkN412hh$`1Kq*tG@~Eq|fxh>zkiuAm+LozBRtBotxV?D8iz zdfgnI;557IxTZ(CI<_ukoC1_Eo1qkU$PBGX2cp-l_3>(*;C?=huw8u=NIIzefKm*$rUGPJ2bl~# zYx6GKZV-tAA&QT6$lP(w31{3ZNTT6Ktg?HQx9`D}fQzkWVs?QG%;RC*{J|C3cNV%?ic?uSY z?x4DGf$k(^hB-U@pG#=g3-sMsW%S~>b67A^n0S9VDC`?}Y7B|?)H?_Dwj;9AG&qT} z4%jy6t(R=_!QGCy%mJK92`kMvqnyxCD;}%vW&$f5~`5oKkwp`kX?`m z$>RR>P>vJ$wAW>nVadJyE$$iVL?UpCO!0^SNA2n(GT+7)0b=TD1rgzKo+Hhyu7qam zlSd8brXk;8N_TX+MgS2tSB3!Tl8IDlMbkRgVOkyk#F^LiEug`B!lr4B~|3Gu; znvw73vzDnq({Tp&F(tn#ldThgHwN&y)>f@V$d5o79_97Kuo;=OL!oqf=BB6O(+*6Gp-rk&_A7YZ~bKEc!pVf@VK)x-8{{DSXD_? 
zLz?)se0cyOM#5hO)%44N55*9w)R8l8XU~uc1du7h1i?B7*e9r-by(`BapL&ko%keM zt49`U`q6BAw_+t|6o{8ySqp3b=voVjvg#LNC+o8G$qsSqp=w!arEwqKJC>CI>0!yE zQ}w$B`yH|X0h781d%Z`kx<6wY+A=~RTPMqpw8OtP9Wvy==}Xf6sMh4P<@RRyCo&jB zeGDp!E|pMV0bDY7J})P^A6_41yXsxg2z6BsJrFN6#*#|Aq%o8{Mrpx)IQTm&d6xop z+t+R?JJt^>oLWY$R(lw}aY#clws>IESKrW-jb#tzHsHO0wmD`n`8IvnVS`{esXuTg z)f2&jCB`D6e^WhgMGZ4S+xXJ?E5SE5^5KvHw#_2$_O2dmz~d8-GNTGjssovwpqNG$ z{WSXnl&zx(eD}*gOJt6>&dLh{p@EikZllixx;LHy;*)D5jO7@tYTyDA>#tw5^mon||fD0q`s1z$aMbtSxZ-Ph^D31#uhv0yk9TM&+?hT6{ zic!4_wA!ra#_7!)S!uk_DJcZt%r>UVGVxZ(9~eGb}^O!*AY zong2Gu^*@0HsCv$Fq?zwEv*;TYU@jnTL!kCTYigCVIiZm7T!Zd zD?EMpd}RXHvM2SYRiS-$nMieI?(q&v^KG`8Jw`ZG@ian7^lXqn$j7D>hoMT#{1!;~QshUz`)-TBocl}53*)L~Em#AG;R z^)9BG>g5{oG~jnJ?JodtpU>BnCT4zKS*i^K{(@bIHh`w>x@w<)}2=IvPdd3|&cNH^Q{#1gvRcDK1 z_dVKrg?)OdZmJ}=rN)>t^L@f!FgrJdt>x+mQw;I6^dL~P(yT)SkZ&~V>bCbW*7s|0sl*?xBvkWU9dPK^mb`?IMI^6 zdGs_oLb}tn3WRf&YWYsOg0Z8*0)T*jN!7Ay@AyQuU+m85aID?*6~4z$@{>`G{4b85 zF;hWCi(KzcpA?^EU16RMs=QJJu8D~Wu`(yVoxFeLGqShzGBLfdg}Xkkqdd$+83;n4 zllgR?90nE%a+V!=%68xvK5!*q*)>)!ot$77=EczDQ|Le{MC~)-{X<>&U=jmJ*ABIJ z-v~T6Hzl~_0BhTYl?Q7bRWI%ssjlSbJahbP$1!Kv#9wWxhLLyg8>zDPUt-91l<(*Y zl*?&{k>l4Qt3qnI-0JnFg_%EF9YucHm9jx#I4&HC-zK2*N~wK|hfK?WuF(U~S}eP! 
z-ZBnn?wp;bC8BSP{>eiV0jFVI%a|iphDs=RV8+2tbQ-R7_JOE)a-r8fcCBT8=0J4a z%b5Q()fmQ=E0{Hh(vr591KpBVin_l8Oli8ggQv5)HIv#*P__1WBWn`gpT}i5Ic^eo z@#DG}^kX!jMxq~0VWW@y{Md;}lACkvEF)5+wWiGz*`tm7D4(t7QyQl`6k#|mU)~>^ z@9P#&i<65OLo{CIEJc7Q|KWl!8UGY%^M)YHc0ZeQQd$7fyG9=k{x`Odpd*^x?-Ece zZ(;2FCYJY614p-=Bzz*Nnb6%U-_(iBkk{soi}yHU#yUgYkEQA$z}aV^bLV0K%v19m z$%6$Yu=g`QH_opcz_uBP6fnR8?U*c_yt?!3*+q#nKs{NLw+FJfYtk?RU4GJ#mA{R( zO+Gfxz6pn6owa!;!z0ogDxC*G1NRW7Vg9a;!M#7})gBGgXRqnSqH1*DKPk5b>T;JZ zI#}^cI*vak-zq~o_yA;U@HbLL!yja4s-rhdpgJ=K+LT)@%R&?8>Krsnm*Tz)N|!d5 z4CMdNWwtc_oqfEZJgu+WtM}oWsBQ++eOYbrVWLX(Gg=^R!1=y)JY#-H(Y7Yv(ubDJ`iqa>2%CWgXsWktpgp!5j zGGGYna$tWa(j+RwiaBT&!qoMLC8MzkucI#`laudAr;qq&1*g>A6Z2i{?^aOQcqK>u zJqxXoMi<)k8a0q6`@P)yEyT5mc{}#AUO?(_@%Pu)sXJi^B)K`vEMfi^6nG(k{c=Kc z+t+24E?fj!?76NB>&XSCW)aNcj(F}gx9(O*7>M5%!Vfas#gOE$i-{H?OI0GoM4URy zvOJBbCoxB~#P;zBltlsv#ep6M;;(ULXNURg!qiy3gOv1`R(}J!JcC1ur|BbSy=BH0 zpl#LNhLEhV4V@N@2e+uZ@M7JH664|~48=R_$z|JCfIi8E%IWiYqnjDhA>8k}k`PFe zi!S|5FXMEo&9~a|CgBoY)G7ky*uyFz4Yg5v{c`EG!dxJU)_?5DOrE7+Gy`QNo8hc}{DWL89`e*3HOF?$F z%7kAfr`6#?-s8JW+}E3*q3WimXBl{SJFgc%UssoZ^>6gNu%2^o`+-3BdFAZ3ZiVRT zU>E4*G{AGBuN&c3FbCL^XIYg}NY98<;=MzvLhfomc$FB;w9z7L-*6BboB7QA^@ba4 z!NK3c8?{i}gq;~6g;rThHLM}7VCdV6p5>q!xir-GuJz8EimG-`b}ILT;0(W38tZYS z2tl%#$|w_3Y{t*&m%I`ufyF+yRiLE%&>0S2sa5^5{uueMCpmF8&H-7UMmOvor|=iy z$gT$g8d={3#YC8}g(jH4V5x$m*!?x5-AhKF2pWm;ok1$whkQ`Y&Y8&iA7OBH2Etd) z*0{dV{wPd91i`3Q)GHe|mEHO(Qr9A*17@E4nuu@2d_7qq`&L2?(tP#?LLUmwpfkRD zU!iB8{RtDU0FSg{6nlpITtBf!B&P7o1GgDRM24t>i#~mTyi14FpQ`2dJ>dFlO7@@W za?kF&t~JYB$RyDWs2~KreAN7~5y$0T2MA;q@jh8=8!(ZLr&*uW+Mvv#O>>>8wLv=l zhAfQcCm5*)RxzkKseFNomiiJ?4B>(<2`8BN(L`VWPI&*x)b!&=3;m?coL(r+eQ{PJe#Zx34sLm+!BkHR9gN zjLTM}L$77@HGXwEg9#LEa>E&=p12Z(xTb4h%- zAs0(RjqFQ#ea>CM8)f0S9B#qMz;3-?^k`anXCkkx2H3N zx9#b+|8kvUIBsyOg8|~(p3KO`^3Gu9k^~1qU$L%R_09smMt~pM#h0Hzp9QyI?StDr@hp6NV`X(&YA;KL z@BMWSF4VHSKR+1zG!)+BfgeD(1p>d(0Z;zX-di`+7JFF31?(m%aqc9df6!9~B2%7V 
zxH;D}R<~+t5X#g!Odt~5UqZO@#N6yf7h1O2iGO&L>!IW7oS_)kKA_^sg}1GlBmm6#{;h@d8ta0_8zWS-oCCtxVkoT`isACbaWrhlkq#W zJGV=?yGfm&*K0=#2N&Q#=K@IVN9#jFvjD%7>*->8EVTSMc_yQzBgiVLOXx-ho3q8A zbyyMb@kKxCzN@fpi-V&TYcs?C4KLFv2gm8F=-*%Os^~9X5c?`M^3B~PV}5*W$0JY8 zIMZF!>QuNeUbxfhOAT3{#Tb&!8r?0=ykX5&pHhW|V`lTr(5M@h^cQDW%g>ASJPzmU z?4+ML`Q1EfRX+SYxPLsie_r2EXy1^qjscYfj`+NMb$^HGGa0S-xK0|KxBh8F7`Y0v z{5N)Ch(xK`kwkOif{5iQ7=ZTLk_zxJP*$4XL`b5#_}i40Sl~<>^Qc$4(df(n2{1Yj zRv86m%j6v{gai3WYMnDw0eJPHC%leq%`>H%hPm%wb@1RY7D#jah+WyS zW`o*F!}GdUwb}En$IOnZ2LzRE(_XD=ffD}lWUB!Lj6nQ)gdowu30Q=hYaQ;&<%wSe zLhaT*B#^G^#7x^C4IzX6%4|mc;(#_@r^2<(!PZX%n!JGWf5`(fh5%- z7Zq+-FVuOFDy?emPB)wFG>5pBy(o`dy3uflcrZwR(8b?ts}L)penqF zK*jDe-J2^D0FmH84I33d&2u&{_=WLLyrF_Yj6yF$%80K@gfSyAmHogRbdf=buC*f4 zjNZa9+w@J%C67is>MvAAu+_n1g8jc%zf(m-D=INn!=q=AZf1IcQsz3PFVW&s zN(-dg|1ureTzz1nApvk2BB6eGrjP*crl243N3h~zQ8Mw9UEv;2l&$%49Y+5z;BSPb zL4nEDe^=$Q8-?0?wlR=4TjMF)lX;BJnAhl0Is5H9>zmUw z)YNUH`xp#qYy2b7O<~OU|L&c6=ZT+@;?_TWO2=G5xDoYY9u%l*KxB7I0fyB~Wvq0( zXS`+oSCrV4r#1N~vJD}m+D&EKZI>2WezboeXAy9~2sEWn$e(DfHITppjk!Rzw<`sk z#o_QK{zFYvL-D&*GiJg6Q~!v*U9w8jFZJ*4iXT+JBd*wZ@S0&s&>yjn0v>OSwYX@F zQSxBkE0jXnWnPRY64@Gu8XFNC_O1SG?YmHD;FRwRu#1MrCwzr=J9LL`9KJ!+U=C`a zUNcF8qtYY&dmzv&h_)W?7~w{3a*o3^Y$+yq1R`3b44_3&*xDVuSIk-=YT)WWB?lQ0 zUo&9v1p#n9qVyjQ7`Dt!ST>Edpa&Zo0ZR6E{Z~d*a1zg*_@DlINBi5tO zh9%L*?4dL>PdBkAFl4>1+xaKEyM#P<;r(_)!5bcq%V&47DJyHZV6sCZJDYEHA8NsLH-TlnS@SV%o@a=*z3$L0oq$lvd-{N4nyb`>2(mtDoZ;FD|=mui6lJSBqkkQWm zQXQfcLeR?z_t}tyQdAY6XOoH+Yc|0LV!*50g&T3PV;n8O;cGvUFEbCW^yJnGZ~HOc zTE!|iFP;=*XH4UkPI&kuDrrE?Ss595O%R&`PC%E*Xq+mZ-C(j<|pIV zdS}zXp7=xwUl~tIWDt)?)hDa_Cl?^8a#0SK1fG@t~ebvcWD7N5;8rp7^2scCIwu`ZD zkyz5t(hQ-S<*dxLc~RCl?1`%hD;9Z46@v_t$fcbt=b0#KXOF!C&>S{|=_>IQIvOQ7`4({weJLV^$>&1x2CPf#gIor+|uzJ0)DTWJ;c} zM!|0TfQ>%8#A?5bZ`Ch?%t^EQhXXltGHWs_YvK(wvYOE$hbopDV^uw=Hu;sUvW*Bjr z?s^I8Fw`tUSE7&g51hu#aQjoD-&dF0888`#RdANX>4M-`bi|lKx`t(;(J%2-(Ke zdE_~X^W})~KQwbsLsC?v-g^IQ;K$B?2oo?4(ay+&lp@J#u)2XI3}Hqi$?-!TZN=zg 
z)k8K|E}q+EyU|Z0$?bQxm=n6F4&Pw+|Ir53DiJg#SlgyeHwWLuECu*Z7x<%%JLl%7 zq^O`~P`Qto|85 z2!vl9V-buX5@?dRfm_rkb?}4r%LyhdqA~U0hl|mBad1n#(MY{MjK=r-n>JaWvmcZ~!)&A@Oo<&o-vTN2?Rw`e<1nyVUujRh~ zRG;nI5~2?}oGpCWmZbCL#X=vU%l|OUQ<*XMmEbgZ-}$Ic&b)M>fV3sk9dU#wM<`6G z!NT^Z;>U!0Yn3q=zE2p7UE{Qn&dad{dppK1t9yGht=~tjLR>eSCYc(@W@~gaKU@ai z8IZ4-^>5pyw0N~b%Da+Br}9H2K1W7*G_4=@6yVu}Apqn)ddDQ^V5_8r`LKf253pnG z!l_`TosUZmE22e%`u-MSn-@tZJoJU20J6qzUZ%P3 z0lc`+e-g~5_!h)0S}76>T6iH?R#kIPxLAYnjrh9vTfi6ltd(j|b~|hVvr{XUn%GZw z?v~JBl0+xjoFdrk3P77JIl0XAALePSbf6hp51>BgaYyc>@=+7Qg1a_4jQhu}W5LV# z_`d(Pod52enNjjq2!%jOi(st<19CWdbeT;)v|t1NMu`eA8o2L&Mu$t12jwfMmNP0K zrXq)deWDtNjO?;?M(*T)&=N<`moKy!*Rg=$#qnVB1KE;bcF^`20Ja}zYUdQQ>e}q8DUYIWGf3( zroBqP&-k}kC-Xv{i1>UmhL89l>957KTl{RSfIc@E8>V{3qI%?holhmhvxl5C*rboo zHhcnB1(e-u_z|6_J0eU$wioc#st7#)iDHO8p}j$=Jd+V_wztS2D+`7fl_Y0K56O)c z)}SfI&E=b^gr`avMfGV*gxH1Ff+V zoPPC1KDs&R7U6j1-Q5V$mc5`<-bxG9dcvV7rn7vMGoRU+EC!n#T0=YN%PdwaDWml^ zW+;348>zJPOHRE8*Aiz0M>pr)(k<2)ZTGqoG1cVcFO%;Em(HZ5BHD|&b()VT3mvbU z%s2`yoIy_r@q4tY{k>~ojO6M>t?ht?NP$8=X z^hUGRP?j?2&VUc>z_%fB2LXGUY-www-{0Q(;xrSh2Yq78`!2L9m0-ppjZPPU3~eEn&@n%uAK;J?hJIcX^Zg~w zFEpY&9JtBGKZS)v$NwOk!{p|W*p1Zy?}m1hSv;4a#rc*sR|w^Kb)NcYqhgM0PIyKS z(&5tLherYkHAm9K{p}s}fmIU8v^6t=_Ae>5(9D%rd5&VVChAV*baz1&RR@fSO3Ns_ z6b-@3hW@I6n^a_KCzx1MixP#pc<6mAgP?{mSI>~MX_kZu&7iDXnwD$LvGn(SE6!6= z()=z^jj1XEr{KRMQ+}+3=J&{S5~(qDP+Se2hQ9?d9^P1$XhGZGM5`)>E$98C%Rpvo z$G?lUL`lUq2b1hrRP~O+9GLD{K($^>F7fd49#hSrM{DxpHW{)E;IC&&!05=yqcM*e z0Ko^%3`bv&R7r3b*j0ld;QFeAg=aX0F_pmHdXy>Od=T&0tcw#yH4GLMu=wq(;z+ck zQ+@fUk&qe{TSilJ;za<(s(jlV$eO!c8p`?s!AA5@g=^@Q{c!&UJt@_G5-5!WB!a(o zr4wv4rb8V)p30nXo^Sq^SlNC3N_HG|ZIngB(-<@g_Y3Ig)jp=|9nkR5m0hUNW(O0b zmZF;YigwLUES6E^qM;=@32@3eBUm5xz@Uzn|LQ#Q0TD|&XoZKj@%nFK=dgK2l){7 zo5i2nFIt3N>70jG5*&q542%UeePUj(!h+3~6)7a7By>u0hOdwzsmM+jG3_5-PY`^m z>Fa<~S1Cpg^e!Ou6q0B*$yt&SuWM=yKNmQ7C#nLW5_=||hosGC#D|I?kWll)DU1Fd zDz9aP@&XA9OJX>_J{q$HDTR+yhd~W8MJRr~Q3>ugh9jot0sR|?p-IK!4wB>tR`pJ* z+^Y=$_~=HR>ju5ujL*lN+?Z&xMOHk`(Ur~>D&Ab*&nr}{w8Lk@ 
zp*);T?tmgs;ceLrCo4y(Z4;yy6z_wu3(AM~Gm%h_#VHT`9xA!zg|?GjM&^q&W`Y#* zglac5_3f3iD3ui#Y8B!o=gCL_&ZLm$+D0(^&G_3B3Mt(3v=n1uED1vLbAya1F43H- zweKzVh(ErXEublmIzXvrhT$*1Bac20Omk{xBgr-U+)io1t=e?vI=i=}+G! zir1<$y!03-NpQYdk6h{!)7&D@#`)Rmnp9m;SG4oXifgQ2R5u+(s$Qsyx1`oPI}hA6 zMWqj0Txbr$;I4g73@x%CDQk*XF8)1K9x4eb)Jx1L1h#yU>~0PL;}8tF1dfLet)pGy zGf+%Y1kBL<6+?B3X4R_<_q0BL zJ(iKuc8cO!ljlR`+f`qo7!USQ*YieVW}PSdEENCX zx(|-(P>30GP+gT!EuJMt0lkd7l?8aQ+PupH+}Cw6uD4avF4+D z7X3IPQN^7ar2J<2nYLnGdFGn!)Uep0ykao%lm_GV67IdJa`^2ORl^iE>Ca;0%VX4_WJX<= zx~2B_w>$%=@Q@yMnvwkG4^D||Qd2F)GSu}JJuZb?PO!3ALs3{@K325-EGEzi?y0ds z%5L`aKfR>Zlf%5f^oV5~=lrLrI7eU$t1kNTrql?~YWClx!PCd=9>3WYEpuGp~Yjijh+;?AHBF&TiG)F@-M7s~PCE`eE@ z?W5sQzNzsALhiBfkE6JA@N-x2WhYUWbq_5Ep|B&NTqzEk{_1Rz=^ycI5?bb6I>sV@ zGSoYGR#+w1e*EIM5N|!K7dTwbPWxn1n^8IT<0$YT^5)5vfB)Q7Mt<9t+#^oE$Kbx7 zUywC&(dXdIHKc4SAq+*mH`ED{`1os-vh(ku65^{6H{{B-rt~VsWUOOAQAR6Kev{|a zl_RyH{17zzX#fx8-)us7(ij)CF%N=ZRs~D++YwLD9pPMTN!3x`&WxS4+d#|HaATxCg^%rTe6D>+d~^?_GYU{S(eed@MHP_)C$vyA&yWy?{3 z9fgNwYxH8~;*Av{B|xvAhFv3)@-5kgUtVDl+bdrh{;FUa;S{Yz@Ev7gkSV)BOQpOX z^hky3wB|z`rEv9}*HJJdvP(`_Wd@lpkL0Pr0ASNUo$%jTTa2ZU8uR3d-_LrXb%ZFo z|C5k2_w+1Tw4U%1HpZuyYYSP#XcEIv+VQ>J#_CUh!eWNKu-z4*;nA9^ukJ3XTjntB zM|_OpfxDTsa3kj}ur-W(R+cuds+vqA(9|(C~%jY!*T^KC- zQyggNw^+jkilDQuN@RO|>9XL;QcKVz36smNF8Me(~;0lVc<)a&3qE(e1MWi1eBqoF3=C|?drA|U+R`H=Qys5c=J9(D0 zVq%EvDf2R4(2%C|!-Wd+=K)y!4<6ibgmRDU5taKL&}rBwrUw zGIrsHD2wCUg-H`L+t}rRP+?-+Mgze3AO&sSOhc|lSKHV@tFpr^%mLvi?b5*VjdO2z zfYvA45zysbJCF#J_P3qH6O&ieh#dpnK;Mo#a@Ig^jt%DPxTmd}DPK{a4H^fuIkxJK zEa0XTY`cSB12{Qzk${F|I=;$wQV#T1PAmkvNVHJ46w>jv`Nmf;JC@G>vZvLom~E3o z-n#d8FJ7e-tGWAGF)<=MG*h{Kz@c!Y)(DZ`2w3f9FlG;w@1EO{4wmE_WIcnvo5X@i z?~UTXwydCf^12rwU%%h|X~I~P96BSsp-R$4*|l5h0i}RzYQi_g6?|2m``~ZHxp{bq z+RI&-Z?Mnz7I|3hGOHiT8C)g5>~D-^Xa9FUxRPXzO^=Z@!c#B}O`AL+lXflWv=%Q; zLwWRtZ>*+)Ty6j*8a9qLXr}Yzgz8Upre}w9?ab~#V~y<^eod&Hd&nS)<*$#odlQYT zNX#h}M|31t5;0qt z%){0m#*#WVh*Tai4{=PKOtX~JT+kXWpLX7Rs_MK4kBvuXa&~^(#9_Pd#7Q}DwMVs? 
zZL$A6+;fpX0v|BtO5sL>xy$i@+w%xd)zg41&QIOkY^z|enK$}u< zOlD#BARpMBHxXAaKO7a=;%-`dnsDZPEhcrhE>OMj*Y|y0h>*t~0cWZ2-c4snr|;|Y zK#GdUt>`P3KOlL|&_XY;a|>UyHDVX&%UYZA-JKg|KS0Qmbp#G4Kc%eRRmi4QR7<4z zZUS1#1op@S_%F4KjEH^CcX-2!{gc&Eby_SMjy5>(E%c|Aj?rqlbS)U&QQw}K7k z30r5AY#WWayjm0uqU3Ln&54D5b2CeYg^AHPeOgXQV57%0^1!!ug}bI<1Sh)QeO#{r z3(b3+2?Lo`wswNS8LvYyQ8@b=cH{Ya5S-``nYW}3nEnhXe ze$cL|<$89}FL;j%V*IVgbA8sS1v?3z=$*tk5p&hyqcfo5<7vdy7X(c{eD3<}5;Ge} zz2_6A6luV?<6q8eiMcC0OICQ$IjqZ_eARNNi(EDJ^P+Y<_L+vu-CndCrLdy#{s4MP z>um?@9*X&dV_(h#Ske^)b+a(Y7@;O->?){9ATlTcPAI>~c6!IdRxFa9*Smn{?}oO> z7&Z&R(w*Nobblabs3k{NR=J^~%tpj7C#ZpeWR-9u$My{e;0HtXTsSUsO}legtk~~1 zk}1zgJ@quTjMyIPCtpGGtgoe9fNdS#Zf3;ZgM@^V?Bek`N%=gVgWKI@qGI##t<2*o z>&^D&ai>w${pGFv_1^khD>qKY;vDbGY+QZdi>YnH_YB;nmnYss1hzLPbKIl%1m)rZ zP;pItcl7?7+U?vtY;+Y*yXS?Ow~_7K*dFFu@K1$(sdp9M+`oHPdrqvC-UZIR=-xCf z&b{g0+pNEOgslpYi5?*<{Lpv;4 zbXlPvK-mo|%(=GqX5*=G7cp8wieMfUVkm)STqpUcipa{^Xt(4=su@5-hjMSO|61gH%yaGN?d9=k z2JdG7vTtT;$mBWjEnEHNI+C~ib?4irZeQTs++O$Y#m3OwxArzSlTmCILdPkJ?IzH) zqM?r9qG3vf>KvhTfl-nlkdatf@dyF`yQfHrz+&f$z;Y68*D9;ZlOCKdAfHoor)p#gCCjN zA&FBX&0=n^^Ggae!>G%)1Hxt4619*q$acMuGz9lGzvpo zGr;TSG{B~Y=L^%;5TFsW1^d7;B-F3@Qymvs#yS2`pXWJBStPnOmQ*u6z}+o=YMcdI z+Z_U|4yoWhdeI!rq}3!lytKc?^o)us`KmdJmzY5)l8xbj_4kSa*FOT@;ylKoOGVch z)#ZCS{c5Pj_6u{l_^OV9PE5EzONy+dPfc5jb`ni4dh$hWYQpUy)|GVk*wnExh^5Pq zK50irZ{8IRcacWyQ6KIRGu@<-Vecxd$vvoVPtBDsP}=fcpFC*uqGLXG>ABYwYWubm zC6pFsF*gJxEsuqS#H$7-HDM{$6^S;t2WV+SK552^&OomQ7}`B9Wavy#K?mG?)AAAo znBuezss+9e5%+r@Z{Z16EoEx0 zCQr8;2lB0aQ@j!7n79z-P1{8`9j76w#k)EE%hcuyFpUCCOEb|`x%#Ik<`>ZgX{yGxjSK!p#{eMJVV|biR+iug?wr!(vW7|gKq_NG$Nn_jI*o|#FX&T$sx9$5q z>95JLx%b$)XD(mooWu0;(ewym&%*YQ*1&3TqEl%I@1`{qm=u}|Efq4%R>9$C z{bG`k6;rG`&#nzTL1ZxG?ggA6>KXqXdK!dqtMRy0Xb)$NLQHV;D!myGp&?rjGd2Yv z8t~qwc|BW5EMPo#{f{&UjMuMsyE2$i{UGkO6A)|;6ua2q&RJzlkZZ8gxJj0?$dnXD zTwCjCf7DS?lh*3;R{e0ZHt}|Gq__Su?PFyBi20NN$%Zq%J9v8x zk(7!h$6vDO=hkITwa4;A z+UjZ7Mc~0~-_sCXgG5lWO2^IgI%{0FhKqYDJ36HXFjW8WtrMNxGa(472b~;NE7`WU 
zdmH&V*E$$wN)VB>x>%uuP5(v4VA+>W`d$9TaIA!Jq#ome@;}vI&sP9kC?~_`SnDoi zYmQ7`YH12nJ|4+wQWDHZgjqVt zs_3{&6p9}M#EFEkTK?xMe+Nb@sBR>wA7w!SEdh43c#$Mj)xusuENKSh()a)}$oKlf z;8!E4ZYfQF;8bD;>JzgAb?<2~D0EFV_$2oBjA`)f_0g2oH=$FEIQrO^dI=xvx_GG) zFv&B@xKGq}Q<+4GSS;%rHHm)hKAVSYMJ?6rFRVSAo3!+U24XOMG*|=;tYZE<7@#0V zrTALKV9uhkebLeQly9Mt`>MZSG6BhgYy|@HUe*!CPVu$vJ-IlUc^Y^*dUeRt_|mRS zKuc8d^JP-m$7hj1FnDuASgW1WgdB0zYX0tVk5MFJsgF^HtVy#aL=VX!#K3umY5Y>* zhn#~#MgDW#b5F1FAQRS!^1WC}5BaP78b;Hei>`}U$C(S1i#@d!#>I~B-wHn<$cqym zI_O*PiJ)B>sA?vT*fXG&% zamW>xR!sPn-Y~hc=Vd_qi5dduPiAW(lx`P^Mr1umTEm17f4X7?7cg36xTs+pA!oh| zHTvJ^kT3+rDzd?13#=68UVLNYG=JF=qryJH|5sDaF@KJYIr9~cpGoSoDW9wTeYZ*v zzQwVgxAf4$pm_r^=bgKPfk{xqx%3G+?)fYJ3%gdFUg%o%As>?sV`-5KQ|MtJPN3M= znh;R@zlCklTFcLfWAM#~jITC)(@d7CmPKNmbIf@SqU4~u*K2Z2meV5=0V{HcepthL zennW_FLDFGtBY4h6p`FBFgoZ2%|mCDomMZ1=`jowpL16!-!W+AD&2pZpC=n88g#TS)sV!kZh(kt6!!ts%UtR`0kq&=J9c_r$3 zb@yvNL9HN3O8uk8P#+V2HQ7Q*-OirNT}S!4)xryvr9rLi@*@y!?B-5k(BdCBzERL7 z1?5;Df{XJPurZBBJ3tP=O%vW;bSp5;5k$;Sl{}QdC=hRucI1msWc{WwPX;pseCS`T zvjuyoT0)rIjYy}jFUfRr4mjVLxfC+dC=eRCC+>KBC#6^-?!byoR`vPxjHoT!6U!>O z8B86)c1d)FD*twEVE+m;Xs!%YwJJ8mT?JK!#3?(sVUR{RNEb6f#!sOKyHt66CGqDAc9=YNj!84DBn?2paw*>V%34t%nU44C-`64OARM?FxgBz zEdgP)2vHKCZC|BmatN3Uxk6jBmih~P&rJ#GDfp{XVO&PVVOpiWlIhm2usCh%@ZM{` zg(uiMnOnb}oL?`ppdumme0dx^L&m=?p-U2(P5X;Oir3J;A@`e0Bh6jkHV$BE7Ze7o zx;7MHiV&XJ79SL3GhR^+f-d8LDqsKCp)kQJ;gArHyE~cLbgFmrUh`Rfv$<(msL~2l zLROA+Ri0xQC6kDq&dOxX;b{*H-A+drTo<+JV?uoffLRsB4x=4jfxYlIHX@|1;J-OK zDyhj4*r>SBU3Ki|HUIwR@R>Eb%Hzhisba27aBikYNXcmequtZpY;tB#mIfKMyzR=` z8hZxOaX|=1n3gu3R1J#a>xQ#jlTXw-insTY+S9;YBZJJI z@h@WKyK(LL~&zDCGjSf?Fn8c1wSYvo(pPGxa;Pr_M9TB}3}(5Wa^VNL}Kb;<+_#ETM$- zmcTnd^S9S1Fvc&erO78~QX^3VX53B72(s3J(7DoJU2NPGJh#g*f z!E*?dLHZO)3&Z^LlY^72wuDY&>W}$U{h2GLl-t2380&gLP&;S2D^3UcDW{mlO4s%0 zoX-(gJ`V*5%vMo6#5(x!X2G5sw;tBBlP>!8M%Eq}a)8OeIlsN`y8YDIH+ z&7)z|2(3LuD_0pc1KQP{gDK`-7SDx7UNl zqNEOjOqDrT$kH-IgZ3*(OD<@kNgV__M(CbLJ^O@Lj@y%a1o?wa2ruR6L$50Zeh=kS z0{j-bn$xr36*---#-1|wa)rCjsT_BA_{V8)%u^=TL$T|AcXD-f89MnK;iNt7=tt%W 
zsaeDzv`sQoFn|vHQRF*X=Abw$`numudDLUQn81?3d^Va5ncxNmNYTUFgk8~#Z;xR9 z5rAhyx8))7`kc$vBY%2y&bUcmc9##Hi<8qfTqfUAy-8R(_|(O?$BxrfDAg0%yInL! z3SXflYxO~zU_Q|9%YJ2Wr77+?2oNYY__^AKyZ_;&apU!R=V0cjsODe^h~(1ry1&}1 zBIww7@whp2;rDz*=Bm9n*mw061!kVp$Sy+)_I|=MhkXJ0XvoGgNF!x6%4iEL73aT+ zf`i82ow^taNsa@)3R0E?iQS7iNTe|K$J-a=%9C%6Pfw2Sg-Ys6SwsH6CIoYm@0tvf z%T{jHW73@4yaqOZ@W*I@6Gg*IlMpiwfO39a97d=Oby<> z1JB_G>A!L-|700<1n3SR@^Bw1Vd^TIIj6xo> zDO-2_>=uSTdRN*{{CqL1p>ZVq;Z7M&X2SwC+Hn@Fu>{D#{e`LQ{^iLFhH0v{{T_K7Totq|&sqV6w`vt6PK1K|LJyJ>*zrnI_&- z$T>?{MZuUNx0TCBGSfwEzjaKqC^(#W5~>pQw*Y~M@_UjTD%11P>~ntTW`Zk=5&+5q zdWgBYRJvXP*|-6n9lT}eRY+pfDLXxlN{)55m@>kR_+bwIoO`~_^_Pvvt4+*+`rh{) z#`sD?XNQk=n2Gh(Zp>ORLIm5-ke2AFoF4!nF=!-dpx)2ws!thXV5s z)#w|ktF+8KZ|k4R1bi>;me*O=gU`)wZX$GH094RW|6U;vF0ZN9j;Q*I1bcV5~o_6>MEO7|5bG_@%v!w=PlT&=co? zGXQ`wcObM>v4gr`h8XE=kg`mdaHul zkV{Wp5YLh!Ql2F8OCWYfgU_HNZIao7=py;WUca3|xS$}D6OUo7C8a*eoq9$0c&Iee z7{|ujO`25lLrxi(2M*~J{^L~{HG*D;rx||cT+*En;fC{@rnei{q7R!$rKpdsN`>#C zFlYG^cup(6rZ2Jnn6r0+$qE~8E~L6yhFIWyTf9hIHTY)kj9aW|j`d4K%j{D50g%6T zvlpF{w(g&9gkeHeTm=QqSKm%k5>G=4BSD3#w|_(Eiabe^LiybuUQQqzlo6#b1@@9M zA-|?7)`DC3ktQrGX4dF15F0P;?g+n8v?T?KZ4^HuGGtSM8r)pO?I0@JjJoM+M&T>f^cMPx)Qtc1PxeQJWJXp>c{CkDyt&_8qq6 zx5;;A(v*LKc+c*%prw3 zT@}Q*%8lU#uesF5)Q?J|Kd&+m;)C?Z+1x_4#zJJ& zBi|3eM0H5WwEVHVI5FZwTRtp)oKOD;N92xR-FxUxy#k{Aj}gs54TJCNo$h}~sC#^B z;zq5;$r@-m-%{F{Ti`g;YyI+O{08Tk3w_l1S8XAw)jKlu3O1bKg8iZAZRB!%?_v^E z<_e5+D>5UMw3CWQos5QZ3v+)bWOjZOg9CWuyoWUY7Wo_F81ps*%Th3<;w19&B2~P+ zXvtaF`_*I6)}a;lD*D-zz1M~_06(y#2V#Gzzs>@i-L_i=BB-03*tdL`K2)Piq46l_ z+Dd@1z~0Y-T4V}w`kQ-D4>-mL&s~m0@Hu*6z#cfc`b9qroo5 zEvS@tj;tCSD{*SNb>hZ4?u`3Q*pX4j&8818Xk*RmY60SXi`cc8_3Xf2)#Eq1tEIi7 zB()pc2MrenY*B=kxTWF6CYU+YQ=^E=wn8e}+%E&Tsoc1ZwLYGi zpvZXLD<3*v`nc$rS8|N9K%o9$Rv4&J`%3F1J zf5AopUyiiM|2)I8o9LXj*d!phtvDCv+&=*PM)#NZxrC3!F#e#Yg$2$9JuOBwd$COs zrRnje$U~`cja&p{*4iA!+6r;>6z;-Y$G%(Sc22vLC*HlzL&AE3Mqo_HAP66F?Pd~0 z0E*^%Uj>?X!IqNJpbs~aa<{a!oGb~{=}1HPCJddbJy%4M!Az??^CYo$GdmE?;h)iu zC+Wl0QD?%iWT2xYiEMk=jUEjA8_RIchji 
zUN$ADI6I!M)dikfY?Qc|p$2rD)}iVsL`IVt-AuzO0pg!M^}Epj%E#s>n1+27|BA&% zhK=5=h|avXFNbbE_g6E?y{)Szk!7rwE>BeDFW`&;`}&vgY2DQWG)mU>Ra9 z&^WKEK#ya8XEY8fw$uzEKYl3!%)`8|6|rajO)iXOJ8-Q;Tonaw!~-c%KP3f-#x21r zj}LDidNv2%v&-p?Gaq#gb%q4@DG>fmcX?=|a@9if3^(}DE?zdQv*wP119;JuZw6lS zy!~`%k7mLn^=GN(`PcrY?e^_|cPqp@=Wbq8nSiErs{d1jS4XS=}|7dqaR!RhNMLt6hL@NkR97SjO9v+0d2O zt*ZbHfflTE~9wCge4GC!Z5Nw2#v!vH5oNc>hT$S zmawU4Ro}}Mg-BWvy=_>SZjm|dlZ#8GBZ}NC9iOrH zm6+u!M|v4Auq)2AsnE=&ezqu!$F;%vO&}bSojFiEePd7h6%Vd7!1N=-JXvViU$%wV z>Xy8_;D%)976~Oyd6E2$je2V7rUG(SSr4bsYs31j1)2lAJiLfuC{Xv0L#`}R`|Bpf zt134;MQZ{;Ryly@5=LP(4%{pPTy-o@dm;!+>|bmoP1>kb;(&Z*HNFY)@4`3WMM7p= z4Txo)*TudQ!It>_v#C6G(Q1ocCk=z8*3f1h+oIw17iKUiEjg8yTJx|*DN+d{!lFM2jOQd49wWP0c12o~8OMVEO+&PT4O~?qgz3yeC zwb*Q^d}oaN;RAil$?0w9R<~N1)=!3ifk+kBUHA=o>n!LlO!bhX-bd#p7vAS>W@T5v z%Z`Pjyp;#JUhA#l!SM#LAVn@_>@s$g){`_a>~$5r_Im_t$i`-apSRs-e@6Z7g7OT@ z8Qabv-97@VtKDmoGsc8v7><6oD|>E@!%GzExM9Ys#m=O#>`{f=q{5FN$6F`R3)CcS ztU!Xm8-7@@YT*YRL@QDBa&!J2r>-pv>*B(&&O)KYf{?!gon#z6FL@A8p`tSw)9Pz^ z`*?ZQZp*;z_-<1XO}s$^l}rly3yc%V&$SzkXtm!judS12 z8HCPGGRIB0Jxw*FTJ3_7f^m$z5DZ3k^o(y3cYX{;5K=xv+C&V4dfnk5$2@#9X zkxH<;Bi6~YdKiDycV%2ENZl{75lb=vyBUrbfgG<&Fao7kIzeX(0|*bOKcy7(Z1P1Z zdF>rCN__@_j~-BAAxWK7&J-!KL(Sn!1G01W^@i=Z1nM1J!X72`$}+ZqwGTPzNv`i<>?D1i$&@f_{rl$RsojZ zrx+fRuVJ=qBJRW5=IkCt;lL zy=wEDWX&8w(hTYsWhT9GfAL3X2miIS?;*6Nn%Y|GHcw_~I^)fy&?s-$KWt#|)wEW` z+N5L^T3lA1;`s2x-vpA&Kuydpp{xg(K*}zLDF~Ni%9e(5iD2f|po;I`fyK0xYve7< zBBB=p|NHUZt8&&DqQYn~{drZ>{1_!;#ou_zc*@NQB^@BnSS?ng(ZkKMmU)j(8&8+y zo9Y2FNPpdZFSb<}WhJu+Du622R|ZL>7qu%5S1n>8B(zi{p6YvGH>LzNj4I2}5p_CW zBk+NDQ;K0pq9j}mpdy~v)hyRZ}_HH2R=ni&5ZLKjJ$nzw*z$py|McEo#!BHh^ zTDjLm`>eNi@-zm#CC)mACEobd*;94p`Ezh*$8iVN*%*k}YSBzg5Y~rVC*MD=wDSX? 
zDz9mHVG|pk>4Q}&C2=8?NNVbNY&JH`ce8LbJ>bq}@9La2B9`PDbZ zJXd{@6$xlRKN3f#<9^G-^IeUsHZ-qV!_bL!Ny}4%~8DW zsScCz=Ev#F(2rW2zINWMgjg9ZnH;SS=KX?SKml+Q@wZ@eDQCuYY0k|D=vM(=`o}*b z4oNY4B`aC`_TBXn|MvLn28ZE5cEQ#0`GY`yiY_Cj)*^4V#ih&{`x%9E#?o4*lG7YD zeE4prj*svzC##IH0~jzPTR^3^6UvWydapI*>d#g-8pTc+RR~?EA7Vr71e)*vUumuc@xUfC|5sCR<6|F>sm*fUn7 z*`_cs`(IDU`W(w+l(xJCA#%4`%LF$orpX$>xj8DGKYDXZmz;T@UV%+_i*vSavflD4RNS?bSd7 z>@JEr_dk!En+D+8e}J*pu2Zd?e~AlfSbm-l1>l4B#GU4eh@u%g&T+WDNsaQtq^jsM~?PKSKzP}=Z2ttfnPa{k}h{#k!W9w?Mm!( z$eJja0^jS#jm-L7V*)@#`ddDg^$iL+rY0f|2nvBkC$0%WtjPK~4f8HKmno)?^7gwQ zXAL&y=e{b~Z|!+&NE+wvx;uwTOfWRpe{Fq;hI-CGrQ$vlaL^CJ52v~gBcEvgQOx~G ztj-WOL0Y-kI1DMs&IJ@d3i#x|BY{lZiu=_;Xzsv8GGw0~97=9)dVB&1@x`S{({0KQ z7c5OlkF#uTr+AGQ)KN*}!m7ACelZey(pk#p<3P+xZJP<_U{Qxt}*uADI=I)+HvC}11I4a<^tnSVyT!V7{>}!zm50wITE>6*pJ|Ef#EcyIO zmOWPfFu?t*#;7+u6cg;oF}`nA8(!g56n%|5@h(n^_s4X_mLwiAS;8Gsh|^UdkqR213@78MnvQ z(lY;49!vh(4(amsKtG2J*mgq@!!LgY`QwNPFZFLQS|wllfJ4BX9&PTc{WS7y1`~;- z!*|qihu*^)O3l$$l3m;Fu0w|ZGGc zGsk&Hf3d5;>*=)J|5zS?902I>! 
zQ-fAvY`>^g#cL}Qu~7#5>XsDTV3{$cdFfr%NqV;s8IfO6BT++AT#7Z{#-lq&`6+hD zpYYfXr_mNcyH3Te7H=|F7z$J6)TRe(%Gl zNq6nec4joh2+AUF?>;{EC-*r4Z%kIj|mbra0?k7X$7i>4?4m8qWeh=~;K@-B&$LZQg{ zmtiFH7nEuuF7f#AWa`i0|CuBiq0s1F8&87^Eg*G?d>9)@pkjBuj4UjR$)_lmB*Buj z&9sM)n^*E&QA+_2S`#?C>{U2&@F=id<^vQ&e==1^FGzn3b?*Ic#0ak^7aW>3JTMSX z=&`45N5*1qOtE+lFh!Y2Bm+<~BdyEOn6K+)21l!LQ5JP4)nj3J7%&Q#V< zAQ@{gBSq&h``?W1^GDT&i?aA{)i!V5=^u`EU4=RJ{!GSIjCBu$s`9PkF3aWCp|IN= z?{j(Ddr6E(7V}{DzPqIv==9TVHDaCuEnAQ2dL>4Weeop#Y+AD`B6S+HTGm4)OZwTQ z9H!v(GyAR{fTv18(Z|srUyj{?SOY7`4}geB2I8;(+Xzs^huaiTeV8^N0}F}Q5QdYh z*MoAqbHRrm+7C24uEJD%@odH1?F%dcm4Si8aEHA68DQ;wn{)#3G&}zU8cbA@6CWwD z{Tts|nMu8u+hZHQ8SH0*D)Id=8&VgbQ~qyTH69x2ruFdQ5-G)mzu{{ zrDpfmc7$4?HkOE`Raw=#T~qv%qKC340*;)PyYUT8+g3Rf7(R9WW5%Rk8YZZYqaom) zhg74h-6hUN5CjJ9zGw~?Y3!)zW_Oiummr`ZmWTH$sa)`uho8$!wvc3WRFG9;6^Y1> zkf#LY9)dDaay3=UO8}X4^PAA=xbw6B%$H*{s}m2gKr3s@)^rO?F88!L@UM&uijzfS z#3EH_8fjCqL@}Wivtxo%OO`aXrMI6LmQlGd5J}2QX#`Nd<;hjaORey=@ zoi;N5YGmka7c>f3T2C__&e}~+9wXF-S2qd&3|nGWqrZGA0C7Bz5_be=n8$H<_C4M{ zOQ-~9!)-!;_|w#YLl^`)65{`8Jn((N0&&q1FOz-cjVoSrQt7?4=i$z!tM<@D(2R5G z(Fz}35UxJZ622FTc0yxc?yqe%+9R!P!v-Eqyt9GRGi77cImOrpx>Dkkuee}aP=9q7(OY|X-O%OO`q z@7yDRlQfvYWli5=lbO#1+Qn zOG3aZvV9QY};KQweGO4>S0x4F$f2(7u#sR^xc}Iek1IB-}`dRxT2Hjq=%RdP5SLGkj_M#dN{3i0YELqf@%DaiLD+Nq_;ABzN}O8I9qAIC=N0uI?tb^DoxvHr zF`P6i9G2)c<2LRdA|>>z-irHB9m0(92jPby3!>fQC*d0a66Z_B+CiRZyfWDGMWg~_ zyKb0<^oBcxI*2+I?yxDYp#iR`abg$s9>|eu@1w zl_`59x6YNVGJq}MIu%=)-&o&>mdaV|HX09E!Be}Ma@TF?RgwWCl|u4n2v)1(9nJnNV1?v{7A0f_II+zwLV)03@DK*O)=PpNPQQNB8R=@(rD%i8u{ z9PPxr8hGszh1yN{UE53)62AA)v4JPI>g`#|?{rfPyltJI$I1Wfr=-&y z&rf!S{p`%C&4W!Pz2e8)iQpnR29>KDsXVRwMV|R~+Xuv1KWKG0dSVOPVR2P8|2$E} z9I<9mLIEhDZ|i`Ah3)&2oY9;h&f5z!NPHk*i9@^>BUC|BlwZST0Z`Y8urJ9p{9F9h$z@ zOYS<-`rzoJr7XL&dfYb_tlVmye7A(|)*xBi-LUl?*I&k@mSno=qouJo_$WeP} zo#bgOSv4Ae*kh8G#Iv3Nik`nQk&U$#Cy@}0P^m71F@rqh?9nBM&VSr&>`X3oIeCh* z7(HaIcnM+i9W-sAcRC+n>eDNJJ3yisoHmQQTk`W|x9BO&Zi$)&kD!i!Ydhl+gEdY$ zF1mHl-&j8w)YBQth@wm^xYIS7X*3(~n}5?-LVr>u{_THU9s&kC9li-~z$$kYlZ^(& 
znTq?AZ?Qb+5N>0!nQ{h)aoiqtIRq-;lHk3w0co56j8WZNZwI2SxSchb!T7PCd-HY= z#$wE6lopjmkbEE%pY0x%c}4N2)M1}0hE7go%zrjPZy;z6G40UK8p3{2>$a|=)&WXp zvHLYH@~JO>$)St2)}(7l)zY;Z8u6`!3hNkC-1QzRuqMRe!|{&0uSxv54dZpshoD7b zLzrSSD(uw+z({RPnVA~N94gjtW0g8dlu%G@Uyuf{_o5EIR)p0@;zTlzadauJ56CSj zCgIz%uq%?*k47{S2rS7deH3{QuHf5vgVH0*tD`js1WQ5JBtNAnxU4>A(i(Eu*bMHU zyx^sqH%q{bRrHA`Uv*0_YU>q7OaNX)AN2i*x4hv8+I6S<4Zt0C9Ih8}c$zK|GKp0n zbN#I;6b}$ORo6zVCidB-I;~vbTGn>>^xR#}H`>bAd7cY@;;N<%a zwewD=5HwwS-4m6|i;I+#U7*UqV%B5%j=^Nx$b7QO8v?*Lz>wd3RLKp z4i6It?IsqJ7m{YAaOq5gj{3vf1CpQa9A$h=%w35|uGv{XTEazW8UBKK9m8-QoToEO zm@QG-ge-H&$T)Vw5a{4QdSv zA^Ad9I^@zdB*`Lj?4%)3>!1ZUZt~7cC8~mWi42S#s%~JsUAYp8GjKwF`%K3eugYY?=6L8Ghwh_G~2c zfY4N$ffsAOOXdXa=py!PKoA7xqErGh=0(8-aVGU&dMK_*;h$dfo2zy_4*;LHk0lcp zZ`s2yLLBpTa=Yo3Bh#1X`G*0V-P~t&@Xl_bAtO>$c(zUjh!}MzhiOctEYb=p60|h! z?p0;Bx)2{*+uj39n|rM0Hep&456^pvbHxG#{)^MV;4CwWXGL(B4zXrvl~5w36n(l7wu)n# zw^@q>albuDth8oj^5F50WwL?9|kiK_&a?Ce~((I*x z{L2-}34II2McIptl%+2-+=g>0AKH3|BUvZTB#VedMnz?!cma@;@8lDB_cC8YW8~z8 zrA?q{tMkPebGQu>LtMHmJ%cH4`yULVHf^L(Tp)LAY?sZoX=7ybGYm|?m0PnaXD1ea z!c`5Nuve@=dOwX(Z>qM76{gi_fS=?!%+xOC*`63mM*FX@a65!;=_43-d&B@-b$f-N z{<_j;_*;449G#F5j8*I0F=tuD!lW5gYQN{jQbtI=td!OarnbPUfuR9{k^fVjRQn8E zH%jAPDU`hybr@4S9YGg=?W9R4hPxk;-nD#>Qdf_=4@>GZqke1pB>)KbQ$hyE|9(T${3>vY9zO+;6okZ~nG2!?sLQ75YVTUQpN?;z-aN4u1SgFDG4_Pqf#IbxG{;itM~U z7$OvmQpg(3D$c+fsLN^sJJgabzDqZEMadfkZZ9aYnDfr7;r7gIzdu-p$5o9!zLf-% z!3C8eu89hNI-_?J_;s7F{wUpM!Nx~7a+qCfocSiB24ABQg1 zEk$roonG*?y~@05^F?N#7z}X}Wq7cop%in|K@VxD_@da+RV?qMyF)gX0?n{QYL)r% z9l=+Km14R*x0|94v&S?Rw3`wrD~+&D?%tB1)wQNg>z6F!C|ykDpJb*T@YAy?P@`bsZtR5XWooz91IvSazq+7*Hr=$4@ax z8*+t3=rS3m#os6eSc~Y8+v1B6D~`uWMLv<7_}#Fpuh~QVLW>O z&VZ!;XsT$Osnm*Mv$J2ru@C1hP&^GzD2IzVnedkR0QHq5C@b&U(ML2a2C3qPqinCl z$5Oe7*JXg@CF{(lgts1(XImE<0C4m%9*z1A)%tzi^Xs-x;Q`0p#(LGOQ^6Yty$u#P zop>5T%FG_eLt~+K`x*hOxiSIQGJjtaAew5^n5(NP{66V#E#N?y`|@N%r&sL9$OzNh zxTn^y^Mi+ngPl3qRnu>oY^K3@+RVRyA-i{}CZyhRekIFI$u6Enp^BfYH*58YgI>h* z#nXPzIR~CdAd=dayU;8*dDc57yAmct50Fk?k_%P|5!c}&ptemkZ&)0N9v!CrC}cE? 
z+%%D9i0)jDNV(p)YSYPM&OBb29V|Q4)+0O^QP+Igb3RnajVd0Ed8s*PYZbZl37_$w z=%sDR-C17M_^1TWX`-xo72v0Cu|Cy2!5|<53MgN9Gq6d~t5N^QyeD7?C8ePML!Q^e z<%Z)a1yV6u@9?rM5@S(?l%z6O@C`e^4^u^DiBPf>mui|>xq5trL0RJ*P_EToN&Iet zNiJf_#C1=o!|HAEL-qEl!@O+be~nv@yMJ7_`LMFwVlY?Tb=~Q;8jLBO<~k zyb8VUB5ZTN`1p++b-We{zCDz`9dPBo)t`mE?ipts&?owsa$N^Mf16eZ)rv40HJmN| zo*)x+Jqt@hop5T?N7~IwBcc?l8SLds>rW^8zL6a0k+h`cz=qp&zEbPa;u}EhzrI>}0v_EvE z9E7FX-6?}|#V4j)T8`=s$pAM99?|cSPIR@{I*D8T9p!wtTZC869c4Sp3@M)<9D3Fn z`B6|5YW`Xz$B+%r$%);>iYG^Hs5!YrQ|Rc}?hl%e#}ek7!VojKn>`jiKX%{-+FMJ&8P20kb=|x`RSiiO>_N)O9_C13(X$>{7 z2wVUMT6~Nm@C=dkum1~dCqq4-I&1@=*(+so+=}c*9HN?qb2sU7;Z((UG=fqEnc9UX zkA;TM5kKK9yuXS~2o~1D_FR8G(3HY4VPG#PT5l=ZW1~5|IxC`)h-(bEbr9|z&&+#Z z&y(yaB$TDGp!`Z-iOOpka-OhQtHfUu~~Twoux0fx7Ednh`#F}G%RCTg>}2_Y5;b4>v3w(9LzCA`#_W0 z>4cIs%S5%&qG`_@vma?7TB%+iCWOYcv3 zr>l&GF(&@})sKS+FG*Fq5KS(?gEIXHQ#M(B2s*2IioC@Gl5beNe7w1@PvSl`-|prf z;u%-((~)^78Cg`p`qB;agAZ}18uG>2+=9f{?0NgEbB6=c7%DeEkahmokH;tbg+!)( z^cvn^i%+J#`zm$N`-5qT#vEnk{2bZ~j5d+Gjm^8J2Us4| zf_9KVS~EIr>rL#@wn5}*aagVsPJZ+-Io(x!0xts#dO)b7CV$p0y0?KUBVPSeN8afm zs|d^R_j&udqVd}1Cm=T|JhZ6d)UCo;M zr<#6bTo-g@cFlZbEJ*Pk1k<}TRU>t8hKY-@gs}iy)bz{i`iiotDx%gRaaQ~fqJ*7QgoZTfq!E+ z+WNq*i@S6?e_1gE=+Vz3CN8*l%crr{-2^q zfecS!r(Slz3}#PZ$5?hCP`1g!Ux#8>u;g{I3pIES#%RkfaS>lCSt6}s!9G2EDa_b9 z*F?&pRe1WRGF|;_z*rlX&JsC8xtvVu7fZciIZPS0MIey?ogX?sgpQ5L-6`7 zpcTd8@&dMh*Vfrs0iqCVczXBNb7ni@{K-YTJ@rhaw&M{C_XO6mkU%m$?$N`umNi1P zgMGUbKo#Qs_(G7g5`ro1*&x-^-wE*hRjLtI!rS9>-9xBv-?-xsttQ=R<`-_IXfshy zGPHf}Q!Hjmru@^|AX({2!(q*Fb*w%^Ljll@uVc!3-u(3dU+Y|399J4=eLlRh+{sLED@qeUfCH{_V#s` zBc?T4a^rn|Wmr0OK5S9|SE_y3hOTu>lN&;?{M`W+M`I=_?TR5AbA((d{MTYhR>H2| zgPl0zqy9i;t1B6s|btb;M@@egBfW09?%B94BW}TJf|1f1Q*No z&aFVnyI3}MZjG0f7LF%3oq9a6;OomMAwvnU8=TsHT{&SzK(j=?V<|jsq{5A|n`BBn z*Ou+OM~-6p``g%Ce?H9K5%9Z)XERsnqE=>{J5h%Y3pB&&g_ogH3DiH=nz$8 zf|P@9s7rH=Bhe~t*S|kNIG+8p$Zvy4Z`w!ep+FIS)81VV^*$36`;B9H?Z}rgcjt9N z(Xr@tp6<>jmxRWS1fO(t=N+OYkm4hmHV%_kLA_CV;K-19wB1xDAx*|xCXHM4vtBF6 z_5Yaq>bR=9=WA(c>FzG+?(S}o?(R-O;L_bC4VNzI?nb&%y1PMm@1yTme}CWefql;G 
znOU=D?b*&BPuvqi(d?p@Ej!tL{g*2FVyO!3#|5fmcvoW>zY3*Fjq0X5zHj)V3wie6 zWed(H=R26%fhNK>0GJ8h^|_>EmVK$Mc44+Y@R0}TjX_I$V(^AU1Yq>5BsSnIhsLe?n~h6szu(b#E4*s}nHO3Ujk!b)ac^+E29D z-oM>!ryOPf@mt00z*(a3(SWuF%M`C?5Nt`;#1~jJ|8HDqTjIXVze&_MSiQc_yT!ra zYHT6k`*RhBh$T>?z;9v=)4t?&a$hTm^VK0WS&&sxLK$fO!b3@MGFiCJl>}4}&Zlji zPC$JoOi~#c)$+GLn!i7CyFI&X^z!mwCdwe$E?drdeSG#1jPYIRGdeM?wee*mBgC8(p+kT-{i*T7nJfo<#n#1B*}x zsE7PL27zVxTouyha|`+))8_$N{YJUz;)*zW>kw)hT(v#1{7`t6RQYTSZO@JfBSqN1 z@&uHnVb!4OyCl%3jP3q-lSJ;?TSnTBVB=+U*C7{wJ^$<1DjFpFwfezsA-^12o_y16 zx=4?ji-K0(vUE(_(Y^{CrB2(WOtSqM#3m%t{@1NSr4SDh?(EVO{Ev~nm@*uPUD+Z* zOQZ(Dj6vT}7!2hMWOtD*hF%EeqJ6;4)NB zmI&LqV)~yE^gE_a6Q;vI%U}~xMAVysXJM8j$D+}(T0Pd5o4jE3ca9!m z*E^Rlv7mC(QWIULogv|A6#W8UW-2}}ae;R{zZS@Sq8qc)f6Xk2kC*0{4B~8F4!opn zkH|4_&>$O{f{N!2FQ`E?vN*vs7wty#8s9mucOv1tYQF5|ZvKTXtyBds*kR@R`G=W$ zHi3H!!kYbb6Y2mTXXBbelVG8$+cTVou&4F=pmn~>4?OIU3|o7Ds1VU<4Evlo+t*-k zwS#NPo0l2iwSXr8QW&n^phdJuO#qDK3ol=_^}HI!7JCUGLWel{I|8gQv&~I|K?E%y zT+b`P-+B!%MBe{d@@@@v-i zGUM}*CP`Ml#!`CHg?`r81#x`oKh%j%KyJRtp?bgMW5GVfps`g!*gopkPe68AH%mc~ zQ=#Vq@d^+jxxr3(qh@kcNP7Z|F!c1_XrG}zGG4UKl}U7vJqbIfC(+L#wXFM#CE1GP zB-r+f8gpl7nmgy|%U*qPfh8l|RioJL;d^BQ8LoUH^}O7{%5xKjzp_aLIpY(>eZ;)! 
z(K#qKda{zR%!m5#FC-J9-37ay!aA#oPHrvJAbef+Y&t)&SR=Wv0{ zYP9qqnP>%WQ2;(H{&LS5=3iTEZ^gGk8JyaOH#)k^Vcj-h?frn)W4Mf*vZh5*1WxnI5Wug&T(~{dXB!xbgKICy(0^Wetu_LOpr!o(C>fWchvp?ABXv3 zULr~h-ipLC4~*>RR_B1vTvWD%Sc~e5QT7LBQyRpqX2>hXaC6!qw23Rw zz(skv8p1?j9EQ__5VAjX>QbRwli0)Qlp;qoH>;D_$1KzvakMCydV4;(KNM562Xwi3*^d4;+B{Dlcw)tiE7Euj(Wf>>r*mi&9j_slHlP& z9JoP^-OXk6!*PzquXq}s;vILyuGRS$;66?Bc}3HD-P4G&6(?~Pw@N!+irB&;qmh=H zbEQ8-Vcg6_q&FL11|T$$Yx?03PJc`jA`!Hcz_cQUV|3~oV_5$*GL4C_6FIkel9%Ir znI>>@O22ENa}xDqsKmr3QK=MDv3=DGE@9b8zfq3~3FbJ-BiE!BV|7`&Hk#~QdAYjH zbePl0!~Z!h=xp>$>7lCHuA?#^@6Wo(JP_C8D&Y7D=CXLbj-mxR-#mq@^{x-;KiR#6 zG1Tx4BYAN>+J&sPQkB}tgj&kNtHE++CY1Q9&sZP^v#Udj8=@B++nJ}KKUto`5u{#S}lZ}kdY|@f?J^jY4xvshi zHy5MO^3(!&DPV|j)KjcWLb{G@#5pz zT?k-?gl2|dZcckmac(fo!pZcD0`-);=h3*5!;q@vUj@5^g2cRrt^)H2@K^fsf;o471n2EYpKDxw z(E;>@g}~(iB7H86*2pw>RT0cLr`C5FgJo=2KsWnoGWLa?$CO-uCmheOJb!Cocegun zQ*|`#t4mG`Lm^x$AJ**Fw|BEV?0&Tv*4!JB>Pd`0Tf;Z-x_F%F5Y)uVPF0)OebAm> zoz!#TrqNlYX1FOKuNkI51bmVj1;!L1%wyyk7bWLKxY5Wkmt}mcws{3UkicNJ{9CF} z42iS!Ic5uJslizxTPc9Zw>Ly*!*r4HzW1V&w9Zg9sjJLvW6-Z{NWbbY$=gsAy)WsW zY9Ui-3&F}nmgl3ssYmupbWra=i$}r)MsN zJ6u-@QG$2Us#D7U;B;BOzro>o;nbcUV}URe#y2AiKOipeQdHF{Q>t`=Hec#f%z9dn zFzk%TZ%FCie=7NPh&IZ%CRLX}C!?lfWcUqPR?CpkANR-4`xlIn`YK7-Ftnc|i}^qW z<|!R)S<6H=ah)e&=)Ir8e~l6t)zhbVzV|as2LO>C^75P(nHfdG4=f=Up&%2dls?6W zqmOm)vy8MdA0`Q_Fm`7-GbI!ZxPB1zsN#K{5$s%jdpW&tqbVcd(k%3}YNApDAEne% ziEv$JSDz8qyMOj*f2+IpR@Cy!M5Yb0g79^(svNn=c>Zelj#ZAnEjZmg`h@Q7#t>U?yfyE}9sL$sJ7G4n&HZ(O%aOr- zCb{>neu{Mq^d<3MpRD0&+ScSd{{x$m@roXG;WnJA3fMRRbz{GUJB}SnEpqU^Spq6B8V$Sw zal=3VL$m9>kcUILY$LNFRmFy!(T4vx8bU!2?Tg><%@P646d)M#_-qx}#Yl@>&vC4* zZthEAV2&Xf97OWzrUBd95B+ttpJsd$=I^@;Lj-r_ZcJ<Dw2U*SW?BEH5;kqTywv*5ci_79EueJ$OlzEHE%q++! 
z?;}DcFgrTE(Ix-~)Kq(cHp-_3~)7l3;q$m=BLQ@__S^w8Mzx&fc77?Z_ zp%VH}GuWSR2s z_m(2xD^z*82H`fJkMZMZA+VH4#1MpAR(kUI@p(K&Ilg=dwgTN_paXK9pg4fNCkgr9 z)?MpH;wi4u2Z607bf*=SL3ZgZ&8=32{e>r6J&~+8#_%8DOCAo0R{$6^!W~nLk8De0 zl}HTuJFP}j#ET?T#7&?DxHoL$xMk!On&9czpd>4Ic&7`yTbCtj|jqiPS|G>sd+|=6yuR5+a4F=UQFIUVWP&{Eu~n8HZFSR*07P-n6Ms!S`HqEaZpR+Utu&+=tRYU6!09q`hR*Bm z!RiByzb33ipN*LLwo6k&CSes8AyXn;-<#31IKd0<;B)Ac?WnYh#%Q{_GV2gwOc{)F z=o9@wXC^MvYOSkF?+Oo_vXw}V%oK{5Y_>F`{Is(8o|}72vE9XKTayMr^9nAamUc>k zYOE`|tW8~3%dBOqwTMUWS(;U!gD(U(yiy}JyVp3;LyH8Y6=;^~ikQEbH&Z)r-&|Jt zWDx|+d8gRztgfwuF_1E}u2VApCaVTb!z%h3*83J?Fg9Sg;NO1{nI@xQbP5WPN7FN9 zkXtWrOrgH2(t#qmKM1#Z&QWMq^yjWnSDm~zlHUt1M2S_)-_GUDKKkAIz6{l1TuOZ(I%@G|WKiD71<7!xk4v5!xrq$K z)}Cro_oNJ8d0{U$>sw{ukq!Vz3({$Oq|5ZmL+__VG9^4=A5g&ey8fj%;x9b`R36ux zAQvI&7kTyRAGn3gE)FOCmYmQ`mCf$fiP>f$xay+Wt) ziz1IDQYD*!fSYwboje`}G9&tc6kFCgIU7{)^9u&`*q&U7c5cmyX&4y=cdQ;wtL(G} zmok(avl;KBtDj15DF##txaXq|Znu=LFvcp*yNrED{Iz|v#{Vst0TSqW;MCx<1uzp% z>+*&Eyu3`_J-Kj4DdmYztg{WL4jWea&6J@){v$mSXb59{{lD*SIA#da05329hXrj& zczL(BmOkg<1TEq9ldCVJ_?jmiGmqrvST{frfb4n?Llb)f4y1-p54IZoxw((KRVl&<{kw($ zU_IQ)x9GTdpT(Ysf#*>Mt*cQcbr+hW60_TwV3Jp$e>l~O7;PmDP8I2CRpX+0h)1Mk z|38Mv6t<@HNX+=p5UV08E)QEu1Cm%cYlzL?gB7Sux8t>nV_MaqWPf=j^9tMVqUArj zur__1I$#mNS27>HNiB1}7RvyuXUSEg^q>2DIF2%P26t2;V)AEkrDzZCTvG`_`y-Gp zT2MJeCG%gOzBJ;h$#CDezIe93yMU-Kl@1iIl-E(p<)kn`zk@YEHXi&8P{S~K`2}?| z4Qa0YZ>im}J^7R#^`)St_DqRjx;<=h@YyC=%b{>*4XiS5c0Q~7_SVnZt4E{1nbG>? 
zTaS%25oZEzo7d#B-ME+7=fP*GD1j+yRWcRtjhhI<_@a)gY;?z&toXLDLiw9UXic4J zJV1yoLX}DTQ<$$13UMSS!D%_qDGJ4xeHsQjU1fJq-KV zL&m$4w_~A~Vag?$PmG(duBe=zihV0Ctu?Q~Cw+Y$rka+39O~|9i5!Ns5f>~8O_94H zKk^^yk%XstM8Rsh>nmvuxBrEA>=@7 z7Iks%=jZGFbZcs>V53Agvj&VSI(?Rbjj<|LX?Lp6IoQq8e=S3I)EBCLfZKSXqc zV=LBPKRUO{D~uq&)swtf9=b~gi+Wmpz}femdr|P(bzzmj9Fx78ZzyEPK6rV4zCPS+ z+q+^7i!X1pLZ>W}Y*#hffYJ*|Li&wBKl5Ik26$)VL>QqXDQ#MXc^w7fpzbLHwtylO zlQdhwK?$9VUp$hCLX3`h|0X>oIJ`LzZ_Zo(x!$Dr;Se=ePTP{(A?ObPg?9rciBVc+ z25UQU#w}k4fLTB@(DiXQ9%d~PM%I20=2g3POa=+R3YSmLjL(T=!} z_<6Q%u*OZ#JCu)7dnu@93AF~4bzT$Gnr`W4lmm>{#a{QHI&2Y)+ZQZN#L+d! zZyLSxF?(l2pqk`ZgvKY@CmyD&`_7Wo0LMN z*IqJ<<{X*B;B|2rbwfS@G`UF~K7|M&|Ni<^NNGZfM&SI29}c7wG^`Bn0Xs>3E(6|b zm-ArOqnMgpHbA!9TxX>;p?~`gVhZ|m&W8L~(0*&G(wF**Y~b5DW#PVOwC8M+lyd<| zK+#OHlR&0^-fxtUmRwkksFtQhe&VguTf21 zj5232?bU+TbJj0T3a#z?fQ`pP74*I8e-RHsDY#4Fe6Ko8rD|hH>$-;)!BJ7x_`j^p8&o!IaJa=m1mYU?cV$;>;(5gYFKksSh#2V74)-Nun zWm5>cG~u%z_dYzq@8|uy^h+VUB{KcyU5U!OMrH(C%XI|4&IqQ~GSYfc-!nE|0-VhG z+%NVCp<)u^_XO(7GL)FH0k)goJZ2|9KYJpKL6SnNh;21Qd;*EiK}db;Dx>pkHsV>- z4C_p2{yOzrr=2$9F@&WM(R3VT^%12oH>Ua5hG8XT)YrEJB&_BM&#m*4T4gPwcYmFl zl>z(dop+M}@mz1POUjR2B+Mg-UM%FQL6(;JTuS;y1y0pUcN1#!B3CRm81g%mo&v3s zlJGi;Bz#1w{Y>e!n!>?^FXohJALX5sA&R|>34bgtdLUa?38Rc}#y(schT`glbRqwa zktFZG!IUs1=0K<2VC3qrbmomexrRIX#P9D;&8%N)KDrlM)@vM4dR6{(KSkO$DjRH?u;+Oeb92qmD>GEc5{lqeg$QKp;^RWs>~ zDt809e|<9HH3^VBXR|WTXGf10+?K+eV+}caYs3Lx&=HHO0+_mCOhEmH-q|#U$DVMJ zgqA`#O8c+@#M+-(a$t!w64BLPl11fp7p=xJ>Wut{C_s;N|E+G!;Y4qQ&N2Bx984w+ zW&|PW$FtyW!H$btv8G39IIErX@K2ev%)t(`euXs%$5Ol;-(&RRA&o{oL`gMh_?;in z<99URXi$2yMIiaLXxhnxfD!2JdR77H)Qr+8arA-jYk(wsG@&R)7;X^1S1JCbyU9VP z^R@C=e;TV(Bs&|XK(ViUe&btU$S#KaaDDaiR^C@A>)B3`q)T<%bajS&DEWxaF>zsd zLGqp}xW6?Cz7)$228f6hFAd?6(xI*fG&k!?`E)(jdfOXh9*LVIEaBoX4Ek620})C- z`EYYHuoCpl{}|HhAT)?BDmLH5;Z6PqqorY91Z6O?<7s0yk*|oC?omE2Zq5WuNtvc# zg18@CF_I||oVjX{g^^{66iG$bvTLL*3ft45Vk26Gnl!HZOiXVNcv|lcxu)HM{tY+a z{69M|0!K>K%ZL^kB5r_n2M9& zu!D&&!;y8JGvaoroh#>#7`~_Xec+pEnpA0@>(mP=4H=tw8a{jx-Rz94dr%e# 
zFluVxu~QaAL6%z0d*nAV!lD}AN@I#FARsHH&V)wvcN)zafuBKG$oxm{1vcby8hISc zi!k(mz7gq=e%PvaK?zW?T=4l0Z#rZ+qOGPV&?}4QI;$=tGq4u#$Z=v3<8_@IkTIX? znTGV-xUjUY<907{Yt^WCDpC0~K{GVmzaG&dQ#tk=J|XI%d`^4IR~qkT#GG`qhH-e$ zTT9YVP{*MZS23cTQ%czFxy?P;;$-SkChK3-!JL#xRNjWt4N>VM4T2n!>H6Nm_ zXp6xOztjez2D0%N;_AmM%gCQRrig(1#WoY#`OnWqKK=ygktOwMtoE6xhL@29S4_(x z7`aSap!1D#f;Dg`P8b|dTvh4 zL~8VY^AI;?I>B~Sq}Q(CsLH^$hOfQyxa=TeOoEH@eFeFEjhqw2ZZ)UP7 zG@g=!5K?~C1fGP!dIpM&N1$s+} zu@L86K;$#>`eTrRy_hA0NsKHDm2q>_@b+5eg7#I};@zD9K-9?*{Ug~5Wa4N;O&Zwt z06LFKkh*oX!suzCbKRmc#zHj;dNDsitsecl(|9&I7*%*-#MT!nNt@^8$<{sxO$XVq zD@83rwCmZh9%l?Mgx}!=YOK47UCSB&g?Of4@ulQxYp>ws^5yVR`&?X&kx>ztu|c=> zxVI}h#5z|(6;rrHHt!O-vVA>kwX1BY>NGPnvk2>nya>YVBeO0Bl9^0p4)&hVAhf}IgZH_0+#gs3@`(M87jw-Hn8w)=4BoqJ) zNWfn-;t4GVwIK`{3G+-?lh3)^bcJ zs4=uZ#F_gxbl4&)2;@6noa8kOz;>902?UFm=U_@&LAX^*18STTeD;iO{0dzDQBuI>QikG{B;mft{y$C zEb65REN1u1AR0+jFun?_;^G-@t~boG?LHx$xjH|ONwvS0UCa{j*k_!L|25vKSxu%d9b976DJSzE25^ynx7Qw$(RjurQ7hb z|Huk+L1Z-gB{yD8G&rVy!}>cHpfjGAYP0ah_n*dZGVjp@_1V!<{$3*3T zYb^*vdTwjotu8xTwGGtA2Kye)CKQ3NlN&SCXC-Xcm;8!3fT5_xNgW?XrjyDA;)37Flc)F|8ug;s0L15&;mdrC%JB7@k3kK`HGQLi=gH z^n5g>mLm`GvMr5SOAhicyoHDkO#`emP{M&~2-OxPIgtM#g4d%hsSt!sjXUxej@Gm{kh%_-B~ykiVa#o4C#7OBcN-OnZT*sNxcCfYKw zxwDfW#kH445sPM2HH3fo9TjB^n$X)33@q+&e`$!wijglAGF}UH$#wXg+?aM(;wTjq zLBLm+ar=u&Cb@}}A?h{a8f_JN#zK#~C6TVg{&lWD;_mQj{5aTZS{9l*jLQDHi`A(AOrCso}E}3s8m>JrB8xx)>0R0R%0QY~HGwxv(W#+RfUC zqh>)y#z%3J8sO4u{^IKh`i#3eRKJp0v){wLHN9d=>cqMK{s}|DQy`N9kFD8++Mx#0 z1(J>LwZQx55RR50%B6Al@tiHjI^^#iHIRxvh^6&C4hkJnK4C9^1^>uOMEtY>b^c2O zAjvMJE3pJ&_4@d8!j zd*}oHA$)Wet=Hvs`ZrMLmbxKsm&nN}EYaqi9Vd9LIAP+mND1a>T!>-vw^G$QWt+k^ z{h?WwM#!<6trOJUA`v*dOHBzz5pLp2$sbKvXx+E)Sl(7O*k%z8I`^d)B{98&nlwM&ff0a`g> zY}=Jl0<}lPi$5h}-GzMP8HtLGF@TYwY`st2+!JYjLbCJAaBq3@_JOWpm0`N#c2*7dOM3@fujwg2^4y{(|sPo5O8YtLubUpFqSkanK;D0|EOc+9on0wPFQ04V0r$Ol>ijz~52#c#D z=w>FSqqL<+KK>YqML&&EWmw0hlO43_OYBcNY)PzEiA$-jMGLlVbQ-3;J}2_v-DH7t7v|#!=J+$*%9sOCyi{wBljMZ z{Zee!4ohSEos$)#PT7pi85pwynm2fqt77L{NR!w`t3Av}6&%8XvMpe|@=2T;;y1rm 
zGQl3g!eJ+?{R4okR46(%FWKVodLu1Y@H&EqIb;gvBxjJ!AbkY=v-L-!g`|zzyn~a3g_xKoy)x7Fom7aj4nNqBEbl($WkYvdgi@Hk;Uw-;C3lIioWV*z#um2ll1} zJ+Rsg2VO25cGQZXU^=SDD+;CuXi9gFKC6>Rdja3`DTP^ayyC7bgaN&ZhtsqN?r{5i zw=&b3$PjAF0SR-KljW$jJcl$>O3pIY zg8jXuc>h8afL)AZd7U&<34X9Sg7}CLeO1g=1WQ3~cX?Cor}}9s0`b@H7IP#>q7K7@ zHHlZtyRTVljx(?_2aX;hQW7&|HI0MTeeAijYQM$ z7Ym(Vu_4*wA&}hrI+as!DuP&UPhWrVuwA|b!eU=i0!b@r=2_$yxkZKq_j7`H;u3OMPnZ4RoyPY3JT=j&nQsH82U#=exdR7lA7xZnx4PDjutw z^XgVe(+YIJ4R}iJQz8Ag!45bJ#U9sH@_-uVNZW^kZfl=<63U0Hz z!ZA@#f|H23aHkEM2o#sfMgL^l8mW#opA}4i82V!FnZd(i>b1{@7jgEzzfryOCo@JDC8=wF=5u@bT->U52BylMJlenZ#u|NsC_%27 zR{ah=vyai3U>@^`pyz1caeWddo}Q2Dl13D>JC4c#evQFJD-Yv(G;BXaJxS+Jp3`qG z=#6$5`{69WAB}IodQDn=p^X){Uu?8?q$ga zErosUP2-Sfz2@4-Rf+b-Y?lgeH~jA8f@3V?Rd-$@O~b9!!4u0vms=8 zfYd4)o%klwu{%!PIx|T-ar3KoTK< zLydxeg|9We?r(BxvapD9}JaJ~T>ld9P7$Hvxa* zRqp4Zo#ek(GgA?sKWC2Wtf!-7rBNv}t(Vzsm~7PlAvUd9Lm4ONw^|_F1~EA=r&+)k z2$TA}m^!;TSkNKe;8fnq6gD5?C8ejuF0aCda|BEv86{$)b(+oZlo^fLEwr`?2p_}O zzzX`Gi|@#3hqf|x>FQzsmyh8Hz9YURVYELqpPyb;ptCBv$`IWq8`#~?&av*6)qxi= zBxB!%l2~nOz3ua8b?a1J{L)+ft}osP8kqnRTM2I=Aub}2uly%v#33+Hn*X+ccB_t# zhlb(kkV>>)lR}4V*`oG65*(J%SS$q3iDV5RUgoMyqo;-P33J9@t0 z9HIjlv%<1&>BVYFEy(0N_iw5Da(C`(yYb4h)1$^L%mBUbz67tXyZdt8?-RDk!{4a< zgOFRjGa?J_53|rs;7l8Up_xsx#6#OfND}6z>?MR%L_Z+g-_t44U`0o6>mFD7nE^Ci zi~=G7ObZL@-(Ffk)Kl|s`bY~ZN3{$}BjF6P6n`e%4zv2VOsXzGAn`hV5;Br0Ic;p} z@+3WjQ}OYqlIA`w8fobL5*Vi2zrjs!6w$m-H(e9q3j2F4B7GS%MeJyhTK!33VsZ^5 zcsT+f4u?5kdLuufi%DuOXaSr`(6XD9@}GN8Gl|JPu9Fsn-1}>-Qa^ep7Y$1bm`YNJ z7i77%&&uF9KaZQAIQ>4niKOhKy`gx1{8&;tBQy*)jT0@aS%)bBf*ee%75Bo|tyItJ zD;8UP8eN4*aeh7BqW}pDwEa>s2fcwiD1jhmAkpL#2X8!h&b#j=sMBcEt(9uLNyGVo zda8;gXc|gw`;YHuMXEHkr6Fc!@E3-~+GkPP_{uF!|Ku5g&Aj;dQr^18@>HxjqA*&x zdO>+A%#zgE*~4G8J{_=?M)PunN)x68<_%;Rs9z+-W=S!^FbHJOI{B354Src7mYe@8 z6Q@^{CU!i^%|XoY={>#LgxIGw2RcsL-H1;)UMV!0x{LgBxRNqfJy;G?sb?>?)(R2{ zNeL^_;a}@H1z}AJ@As%{72yscD>^wh#|cL?t`0sMx%G~bbG2E#<5EmUQOOhg8nI{< zT>a5sRK+dnXO`8N3%uZX4^ML1CK-ZD`GMM>cN(wEQ;m(@HW9^W7s* 
z7indY^wI|a@00d3xyItDS80LYIL!9$ZKsTs;r>w>K{)wIFZRkZpzZ^tF0}-#fp6i# znrRiYD~Gb|)Tj81*O_?%je9Z7xeccX+o0W+G=bsl?|$|tapXnsveW#Qk*DohjtG0B zvu8a$OsLc;mM)Dh=|9+T_-s9Pk|5S0n?&PKphk&%qElb^jh_WZSB^W6XOwtDl#|Mhk? zH^9%AUjQ|sh=NW#;n!>5?sg(ktkG^1!IdrU7Oe?^ywZ9yXi73=>4{5__e`UkK?9=n z=O|Q-$-fmX=y<6SwM9f*GAk%0UvTB)>GQ=jH!~KzocVfp+HT}1>`y?t2Ajp($fJ`k z(jg6MIgtwKFiG7>5OVLPx@^LhH2;Xoa^R)c>%nRFh8=YA^Yi!%x1(~UV=LkWj~7t_r_(C|$VcAM3pF~|g5!!hol*C@gK z!|~1tc?wQVN+5m-e}^9ZNbD0Is&fi?_?}}}_NKWNazD-B-hDfN&AvOZ#B#6MtoDPC5Rg*xy5Zs^S4v#vY!&!+0FM3&U{yF*&c2kytb(VCH zqj$F{QKC6H;d!2aYPBv4hk&&zW@;El(|Z@D;}c!LnkkT*6E#{XvuJ-=S!SC-zrvmn z)0m!a;wq4_C}+y$m0k9dZl})ZpY`);luur^jcT`OcZ)1Rt*l!OPWeFEi0{TAS7?HR z*&)Q`^cIGGbcn^)D~D=ub5&GK5PBz{D;{=zB-&sBSgVPIP0W4*$;=4)A~}TlVU* zr6FP1Hc_C8Q&`aV@-1QDEtURNuzml#HNQ}fCQht^xctSEO8fqJcyqm4zy5+i~gbYKG7v?ol) zklU{6e=^_4+9%y6FDjcdEzKEV&p%>2NH3SCJC;|AJQxa`{FUKQ_HOIF^OIKx!{>-u* zvR%dtMO=4IW}MLMOF6G}3TtVxj|O$U56RCOY3sWtUyd z2<;zQ4|m78p{hs;WqnG9Wd*kx(5~Z-94O98ChDc0xcHdqFxOQi$Q2I}o;)=b1zO^l zfA9l}MKrjM%nb$FogzL5q4Q zNJIP7E}X9xy@&by-_QR5#Mc-S6uPq%z<&VZ9!sXb7YjyNa-p9v^(mfrn^I5IT-iFZ zyRp+bTY3<+=%a{oxZzVEDiA&m! 
z21}DyOhea3e)f!8ya)A317lpZsQx|!M?q*ZHey_ntNGoe1D?5aq3Vr%8;iy}{h^FLj=gw0Zt(J6Ss==|UEHxR`e^a;F z0TZ&hc!904C*ID5;@KX-g8U~6US`af7wbUi063?yVpACpem&kC?hd-*rfg%7aOco6 z1oo4ZzcUJgTQTZqCF+DG)5@xS62?y1{%60y8j>N9{kB2&)9q(W+74kvN+F0lydjlB zH<+mzmeCFsD{%~Mv$;wJ(~e8ds+uvKUr^ERBungs=ByF<_yVY^+|g7X{QO%In${wU zLp9s<-w_;fbsz6|+h|sUA$Wk7uU+f@kuP6|K&J*{?E3Mn;3u4m)E@Mh;8|9Kbs|9* zuB&ZC`kZ>v>$Bs2Bv=fB{6aeA^!)+if-%Pwc$91+2g6JJee`@;ZJ8_AnTdS-%T(_{V7 z#e+jL;`NrypvHV~#TM8|Z(|a{p2AYAdMx|MAEWK=B^zDsYnPH9xueojM;@^RwO-L6 z$6?QrWU?$62<7#2b5ABly(*sv;y*!ah!WP*T|g+l>}EU6!O3*{bF*axPah&JHkwWA zmpq>B=`k2Ivx)+KyO*R=RE?5<+v8n!o&w#uMoEYccBmqYlj1L-CZ%l5PS0T#ELsH4 zYn@t|azzVt{MtQUn^D8HvO$66;h{?6Mz6W0RCf;4)0g z!7@p#7^8`NJXYT_pSW+`p;G!csHs+$oMA@*afjf$C3jZLK`7Ax>Bp+1 zj)W1?v;EZ5HV2}vUwhe-Qf$59K3BLvv1+<;o5^N)4?eOi>u0(0%erARN}9(N6Z5b# zAeF0$vZu8($v}s{29E_pUj0*1f%lYfmiqH3E)>#1z&GRrf?T{fAN$!=G8fP1F9z!v zTEx6XMHI*`lM`-OVyR%VgQyyz;_W^^e{DKrm|_1G4TLz&GdbbC8X-J7vJp?wI&0Ll zkH;&`lC7`=9r5gs*hsg<7^k2edE77>d13zZ{}|k>iYt3B4G{Ox0SLLO07N3gCI=G# z{PGpqJ|N>oXMo`Ka$?G%3bUeVmuGQ?Qi~q-?6|SP3M2mgZ(@wV0iDpHhPnU&!19!1 zlrYa=ov9zy)IjKaff6tTd-(LN1Yua$P#OB~f1LDW6~ozG&yND3#%;SiYO<}Z1y3JG zoE8(DZlePN#`Qg{oM$)#Rx>}_me1t0*@jl7A8cV|DM+92nKvs*)Bh0V+p#^{$SG7w zU|u4sw|1#1zCp4;!tbqC%JH1AGTyJ{-*65St1e;%wQ~NCc<&X#OT?>*k7TY_RE{|U zgz1J19=0YQ>WAXkSGjdD>kBu^&V21|dQR>fW2+~;%WGEtC{jzuekjAJj*PuaZkJkZ z|G0wGC^qihAfqIlfE%B`Ei{i|HGlK^-xL4DrxMx16pZJ^37```cy91zJ1AK9X6bz& zbH>>TV*A!xtaDoNSQNS{^8)C5$M*owfHYW5BaS~uDwxyzOi;}+Q^CxgR0|7-r9);~ zZ9dq|z|Ct5D~DuOm9~=pTrLfe>m4`#i^Q{-t(YRm+R_I={x-NHV(!#G;Af)3t4^&8 zUFog_Q+JLeXq_XM@nhWa)b;+l8c`_i81MTb0IV5qA2ehe1YVK4!3hJI<`)k%IEpW z+Nq&1+Ct>AB(X-@o`K)#d+!+H(?lRz4|c!#a~j#iQUEhMPSQ>8n$j*4+D)5^ixyT~ ze1<8h2*luhQrA9`mv!sQseK>zKcP1(=Ko{ro8$9*o~~otwrw?NY};(uIB6Q&wrx9& zoyNA4#p|mJZLASpzu*(|ILKN()C86JI1ey5CW2xTyhJY9KendXb1N|CXLL`7Lz`Zh*UN zwDq%QWPQ_5RjsE;cjvy1S_q|{|4*(qt0?@b(UuH@@s-%7fFnAg+Rn@#&p#OApznb)XAIklWp4-2>qvZ0}*{$8HcE7Yyte4MEuqo zA}$d$6vAIhI!6gG?n9i9AApwelLbWqU^Pm9@T8j_tR=i`w1z8S-`YH3$$O5H_?*-) 
zBk^%G4G;Yia+r6uC;U9JnRjuufIH=r?wzx5!Ht^tMwjdQN`47r&9hs*w3AdYwo_EJ z8eU9+Jn{ek!hhC=6y}EWy%#XRbZCt}@&l$Lsh+d6Vs5%5w*lupXQ*ZM?cOXs8@6Nx zgaB?)j7kD0tmP^MxfQ|!>ioaWC|4EBUtT|qZk%;du)Oo*y#<{NkDGYX3u83CuF_$S z(>2_D(Z%Dm7+R_gg*9!Fn;IAh2wL3ke{^wsg@qris)`(dnEYHxz}!?hsUJ0Y zcJyPB8i1IDg=>p+zf?c3%6Y*uU>n;BvGOp@`x}IvT68qf+5o>0xY4>L$yz zEvDMgeo=apQK~+%BEh!;gvm^@LAt&vGfKX)dss)|;Gsg4FalBB)AvG^4n4-(;s_ zrA{$`mY^MaxBk{P*VMDs+~~<^)C6*!>imQbZ{t!n$O9Yd^mHu`PG4^`bcs?-EH#k6 z{@S*6h>@TQKgdABEI$7+AN9dTUKfKFTgZNsp+(NFyI0eTrnvZnt*5;|Y(9Ujj#@Rv z)OfOF@*8akP0y`HU?g*356r033J1zw!;eT+|FH{CC-}?HraEJ`Sis+{n0B`QW9w3H ziLMBDdbzoBXEN^Gi$Ad@o<0S5hD z&U~Y#U`w815PD>kMl_)~y2SDXf?P9QovkOLZUxbu2pIA2*2TTA5$x`BLA?Y3{vJI5 z;IF}Sv|kD6XPY`<_1`F#gRHgUtrOQ_`~SCW}yA*0=CIBJMVMtA@iho=0x;#WD&oRf8^`Qlwk1(jeg%#Sga z?T@p&zIk}}9>}6xzdsaaghwnk6%S5$c0gG2k**+DOh>1b_&cRkU-xRf3V5VBkkCp7 zM)AYP9YeuAeM2jWLjjuA;Z@?R^ejoO`s(FIu_o&L(NsuWuG<0VkOjOHO}NLWfzGqw z(kGCv&bI{;*vEz8&YuZg8b2LbQ_D>2B-$!e&vBk7lts0R#|0=Cuh?Q&@g{aUgKC&O zxn6^Gg_l&#`~Hl~@PbLFefYE5BP0J?zL2$ZX}_B%ozkATd5U@jX#20CNsU!>{9X~f zBQ{xo%cSJq+IE{Xn(@?4YemjeQNTxVLBCZ&xS^~s!>-obe*thRR7Z?Dp1pmSLO0bu z%~dl|-05x=khoC|%l(dYvrgrs%9Wa`jv$8EUY{z3x$n$$l+?N?DrROsh(~jHUIInH z>xo11w4O%v6WK==+r6C057%eS67XUX=0+mb-~o_zX~M85uljEvP8-~-hEwt3$Hg1y z_%4d64!e7jXv!t!Uif%l_N!c!2Ll@(wrFp^SNpQdj7EK5?tLl#j;_V=r)c<0LhDMpwHI7=gar0dTf0^H2PX8OV8H2A9C{){7Ag<^_t7nV_7oB&2d5C1(&G9{iMkL62*p@W_a)sX~Y-LOrP|wa{=rpWU*3Y~?&WKKO zXtVju{J|7Vy|x{tH#)4AYxA4RI14euWOX^au_kJv@Vw$0_} z)%xo-U?KWEiMx0K5+>6~x{OlkI>(hfgUH%gcW^B-S(uheX3!ba<5Gy2#~EqGG}rBE z$7$3o^~Mbf_U_U8@#-ottk&y^buYeYv!vLA^s96aP(RN{&nNi4Y8ym+2WnDrQC(Q!Mk#raJ7?NvmS0Ry|M;Co+PmcJ7q^y1aD0-XC1&6bR7^ zkH>mqQuQjD`BIE`-`EdZbSmC1jU2j2lkopF6UJf_-l$C8`!Rb^LMJo9344R8yxjj}4H5D9CBT4|vu{#>5i>H&Q57j8qwz;_CCre6>O_?t19 z*Kd88gqWfEq-h;N91-Lh@+(NKVoqjZ_KaWW7?N7#A zyh@4Whu;nc4(HW!8DtK>;_HEuYcwHU8H@SM(9{8RNdU}J7%5-dk4;%j!)-7GC`u*% zPv2zKiF9@nio=^fiw;orat{Xh#dH>RA0uJN{mr24=EM_cbi2S(0+L_3vqIY<{R7UC zsvYcK(3w(0T=J0WS9W4ca(;~bR1wKdymrU?s9JYT!L#Mro`z2G1bcmCBFH&>Rl!%x 
ziL_72;f}Suu_uGpn|!KpsOj=}+fR>7KX~ea0X$$pc+tpyMsp4Shm@k^Yb)+MC++-n z`MmV4di+V_WY@xoC;!3km^Z<{6F%SI4GQ5e*_7B8cbS(g8@`}(C-q|)5X4Mzmut^^c92Whc+z@uo< zK}bUh#Y?!V=afbX<+(BA z?_esF2Z0{XDSReeMYyWneml2S;=9vOKirE=czqc4K&SJ{`k zfy=$%^mDCYc4MnOw}BTaqgpWUgCSBDDfRUeTZC^(z=l1LWUI z!84Z<14~{c`2dn6ekuQ{XHa<9x7qCWsU%^s=FyBv$4tHNGqk9y>kg)B3csJ-k3Wz? z%kdTf^nfz&ANH>AlP@|`Z+kE91-xJ0Y`Uuj-k(prSUS`6XBro3Pvqp(-=1*&-3D3f zlw#RWH?Y=dE;0lIGMx74e zQjbb!seRFmEDJKuGMKS|3C28E(y;qiehBIkv_;aPZHEk4fpZKP1^~vU*$6VsLa1R^ z+QcKNBX40suScL9FY=a2UFP*qv;2XSDv4eP)GnQlyN49TrC#h<4}&HbYjW613NNSo zAQfaPAdg$SV0S8~9;^AMwr4jiLGx9gTX4$d47AEeLpWY4hU-v-?MzGMiW@zaZn9sn znCsvc6q9b@pQ;TogK$Oc2K@pQ;H=Pr9l&A6RPWwXAQ38*&oHqg)Sa)6tHtT0uY>mZQyZg?C&OlN8i;x5VRj!i7` z^JhbzqR%$Igq$x9N{ROFo7)q5n6`pM><5QYgTNIkt#oQ=@pflnCO#|~|MurLo z@0k2mZm98TP*bza&l06Mc%6STNk?ceO%+!&k}@%HmzwrDbX@u#6o>8`)CbBUkTrVk z9}5L`s@PUtqBFFU=`Q6IN9fS|>n@tF}+7Kq`B5Mg7aqA?Fgp1AgFv|yYddHe6b z|0*21#}s%9TxjtDPTqG}s8D!pV8FL~|4jbFc%|awY0{QsN3Dy8a&83NnP96GHWp8_?dGs|`OMqploa38v_ZjzdA5RKzcC=Lsk7WKamj~r?8F?^{@SuXHI-oqk(?sNu2KW zy8;8geB6>3tlHBc7ARhn8_q_LT4XlQZ!4v$%Voh~X9x3V_c(2P=qZ8dO`U&g8nN!L^3spoM~$W1za|WzUF=-^0->g(jDIIE@B(p$B_!he?o~` z0$l^i!#mWUJEN)B z*)|IRLI2m53Gp}}zmB~3+_CITUhRp!tOEXtp#nX@3zD#_93^$Z zT~;sAhs73-gKn7MkRJOl!yRG0z`yNrf;$!_nCl|H>n6Z?jcHfFm#GSsu-QV-w-M&s zkTBUqIZGkDD7BT6i2ZUt%^9kSsqDs7XFeVHjEYA2KdWP{#?lJBwW$;WL{MG7IyN}xHW+ppoPFZD3h_@msygMc6IBoTWTSLEJ|vSlYl_{p z&oNe0+JIF(38iXf72K0S#fjB|;Uehj5d;eD9*>Bdoyw2%gOe@s8nbRcSZ3cmuJkxK zP*XKjo>GP$#KAGSTOM-rwXmGj^k%xTXlRewJC&u6^p4TCv%X}TsIJcqpiFi%Vrhil z@h99bdars%V#IBK+C^j`KcbFe^fIRi9S!sAX0vs4RM|P-MneFa@DdV@tf5~vkoz(| zi6W#3e(<%)paeti{`KsaBz(6_06N)UBUtX1hXaRh(G~=N3z$dJ)@|_j%K@_&)RlJ0 zn>bbb*k+X}Hq6JPTaWgPg1`=WuTx+(X&8q>14%V0e1=i<)#+^|Gp%uopD#5NL#LLm z-OqhbuLZCKuq=`)3-0WJMux3r=4s_JTvht&3bXIP^m7s4YkTo*>cXCXS8ZVAnH{de zJ{X}1jbN%s`-vvKI+d-cn}2%1K%1BE_s{!g?j`?aGa+G~TuOr`YPp;M{WW=4VPsHv zliXtSF?t!APUatZR8UbkMF_+J6dG&OYrkuJKRWw(oDpAP<>JIZ+1?Jv+~hR$V$c(J z8dBnpnHi~(hpc$!xGF)Et?GFOSE5yc?^l@`TU=aT|3>Yb^{y?ak7J$;M$NpcZp-Yr 
ztZn;UX-&K`9T3Z>f>2dYM6}bx-Xdr{X;?M}FdHTOwA)~n_mvGdXju3DcGf+idBsDy zZtSzR6ks^Ymn{*yRVQ%is3G0B{HY(+vg&=CKU=~M&L)RaYF45>7~J>5?dCGFR`XN7 zKhCMJ%RazlupX!1j(-LYRMb=DlWW79&m%%Vt4Ba*vsGM4ve4YZ;jH{H@acvj{d<~a zU=Jx^#rlZsC1IPxmnxRTPQjs7a^Xncxhe0Kl^*x$NP0RS7?mYl?|h06;lW-s4NHkF z*mo-Vq+C=+Q@^zFATOXOpwoZruc}E`(fpnwVX7T#DOYj!T7v8#BIc}TC6D;p$@%yY zYLt><+F`7!aY8`&^SJhP*d&QMgCE9#{9bZFd{*D32jf}r4%m_A#5YtlMD*C%TjS^4 zD@_-ojclayh$rGk5e$EXD(n7*)EFX(%Y(`rv}U2p`|ALX>Z{$u2iA?r?nE&2DDD|B z*k%M{ZYsIhULz)ptj;;5xA9z~G-BK(A%ZrekQS0ELa5#y#~TAgCrMIOITR!`9Uhqr zG^Frm)Fe3DN1G+M;Z{Y;CgBTA%A=to5p)R1YJ*vWoOFVjkd{mtoGSDrXjnr@T3j?; z(hI!-6derM-!w<+BRt>-Lq#^JkBbVBK{(K|uZHL;q}Nl@1>D_R*vpgq4y4drlu#y(M`Pow zBihtwSr!FEd&A^V6r7BdDEUSM1abD2O(dzyN(?4q+fT0R#?!`ZaYYP7DgUJt(JZKV zBtM6^jH0y!HL%V}n1{hV^o*~d!?kh<3NB4wXZ`jdcb8kO%D8Njwu7R@pmT7306{rZT_@QP>sP;IE9-_qjkNB1TLT9P~*;LR|V z8#WEzxFsf7?3&HTv}U^f=dXp_Mu8!CVFeMM*I zE37IEJK@0S&$DNO6Z(apiE)F*ACwKi;7!9eDp!Z3xPc1adsS2)Oc)`^JM-wNB}O=V zX^>flmOGTGoP%9mm|51hg{&N@QzG(EhQI5XV+t3hF79Wz?>?HKbMyP|J?=7admXM` zIYweY%mFx%g4Mmw>R6!>v*UZCumxJ=HJ4dn0T1AYu6_0B340!`xfMIJ_~oz(s@94M zD^3OXm=b_b2>xDr&5D=<9>{W%JHHfZ3i}dTlCjMOylgG(C^sHRR(-iKPP4ob(g~u3 z)M&{tE^Jh}tBi#Mq0UDkZuqXYw`XjKkz)rJ@SQ=abrUyPQZ9*?1`G`O+oOvbS=I$@ zej;JnyKN$kVp@d!sK9_&hvE-LpM5@noC6D~gS-!V*h(4ShYuw(O2V?ssfAc|R}!DX z19(VAnA!Eua_ksJ!y3X#mDq9D+%-p&akg)hv6)^ccP}X{1#Xs$=)WX#y)d5EZoRSf z55SB1*~3KQRNL{PPR~A{Uw?!0{PazIc|-7>1q)JdPpyXlfoyAAAwF-PQ9F`m?KVU} zD6EV{5~U8`6;1ygPzz+-{>_)#f2c-%FeEe6ed#8|Vz3(Zjx`j$j zg`B?TaeFskq;6>-8!{#fg50$*Xexe6{bV9=qV73g;uF6;_1R`m6}n7?26)^M20%&9 zj;X8il{CYF&)f`=?L(h!UNnm2zN`68o^&>_#-~872PnRX$IYd^WKp>i&I-O@Po9U} z#rd1?)wtC7&(^CXlGdd++_eT-1d)!-Rh|{g!^blm(ocq7uQ?PE%T%>qtdGzWkFsv5 zr|k=`m~*2O2|5-RD{I(>wkTPj)N8qkYsR5lM)%2X&pt}%WtO@E0$!!dT1#ib@~SGC z@~r1`^DLzLwY1nYGn1Ra16XRjq5nA^70buu7@xr&dgUV=F^XI zdKWGd_mn1%U_NHTDf!@pxQjFgkF-h4DAa7t;m;v3#fdyu|H7=xiSSS9o z(wVY`gqxr>V=}tf+4>D*l`jAH_BGVCa{=YUP}|Ps&bI*#YV<;07FyM~JPuN4(J=d7 zoQ~jlk<6a*K(kUh0o0b|QY%YD)Qm3Db9pcLBT}z?rkQFZ1|ydNvFEliQK8K!U2<6m 
zG;5)V|Mar4PtZYt5OG77a$N_@3Py3#m{k(+g%i*{=0&bCVp%Z1DA=zo04+jrp!|b4 zz~B2M0>CN|Y=9qYto$Y{p8S-L69P^95N~~d3VkM=#=J3by;-leg#ZDgE{=kS$}2e$ zMfiTbqFx6+jm&|vUE3a(3HCc&jXzpu_>1GU59=Df!N(r7hkgKm80n|1FV%#Vii&3> zj#nT32M2?czUWT2Q{RR!1TLq~pUlJk=lmdhQ23G^TP*Y3A{!j@+@Bzz^hJyu{>Eci zKfOnFK~}Q|HHx^&^Vik`XvfMzCR)H>Rd@#Leb#s%GBYWo{aA>PmpxtvWvNKhtt!pV zQO_fft;Q@(EgWh)7IVP$o>QE8&z-)3{p>LC)KHAc4H`rAb~w8u*w=CXG3hpbhQ^VA z9pypCyRFQECoW$}ts|Fr;w3lghZb*<@N}uJWh00xdGAO_D7~xJIzqI!b4#JS{jfV? zL9aVd+k5T@K6T452(w-TnFB}{O#uMrI6-~uky6A+lv)UdZsbV&5VAhqG>0r}7TOCd zF^s#=zwif8!#1?w;!OY)yEE?R%>#JkY0PB$)2*QpOpGX~cBb-PM}?-6(Xu=XtpW^x zMKd)Ns@D?uWa!A2R0A*Rhp$lL1rXWrU zcSe$=@NQ&`gWloki9{LqQnMs3#b}kOieMCY@ z%M8Z@u^i>a;=|ETI=au6xO`!%(B?NhEH^5+kvq}&3a~Ww5^*RNf%^r*E8EE?sZ!Zu z$5J|gw>+NK91Hx0U#4Zkv|sql6>Tn(M{k)q(3JN)<7v!HOU)NI%w8euQU&%6+%lqz zmcx_DE!Xp|<DVZ)Pg7A@+^S7bGw@2ZvV`-5f6gwc^K=^po-%KUUf_mt}^w#;O}Ok=H9fS9ag*?MyZ`GI*~ZhwB@G4}e`cE!!qTjq^<;bn<9$;0n5f7!SeV*9rY%=(x zC!jvaz2cLijbsw{}JxizFpN@TyrF6<}38jn3hI*?)oaG7$ch zP3b`(>S^qXfs*_vW3ZQ;fq;In5z*GkFQZ~2ah+_fkW6a@qfpS;{Xbm4@9?p>k#S`7 zSnbG`^^ZO7j+AfyoNL9?VPz_VO~C*~A-Yl~jzBa%c{^45HIvu3htL zR)-+w2@D23Q}DCdwpgv4 zE;9m7JEEZHnma?capL?tsdMJZN7>5fez zF)yea=KgVRwR+vg_(dVB#FK2Yl7Zo6BC_e%?QLJ(R1Vn1T(vQK&&Z|SyIQ~ksek<+ z(^$_5nWYMQ^sDWp(0{#`dmePFk?*O^N;+;!c@w3 zV7=FXTO7~M{FTNl1yTws6A=AaNV;W$PQv@A7!x%Gs#=(z3mR#=yeglL6#aPBk4Q=? ziwDg)tgc~vCFl;WIFV4!fQ0uip5Vw}@`swt3%UH!Ct0$dzO{QV=eA9jC$C;E4xKzZ zIkG#Kc?x>ayU(e5cS;xx|4G$1;}YGkPM1-7vlIB%uCwE*YNP#aVx7^h?Ne)uo5?(b zJ$YghpK;tyLSPE_kinP8Ja11}gGg9uvPO?D=mQ>TxCpAl1p6ErQ74D(3`zH1*(MQX zHoWA4UnKak0^AW%Nwau#io+^}lzy}s_)@lo7gXWi`xGO%cFzJH*Qkz263qs10JIRY zT(xt<;&9kCXSX@3%TSn}jhH0=c|J&9_&6R|q?{kc`oh7%xfC{i!*<@U-B{D1A5hCv zw{Njnd0)tZ_rfP4s)nMmWK0k@KN8>Mn_zr@3$!L7n5J}37=V0&MOrF{_=KEx>S;SuKy3m}MJ$XqBBQkzbYMrG;`#F{c3J80#k;f&V2FmD`! 
zl0Cno>oNVw%YRD295c{kg1z*EK4A@N1G!RbC5ZJWXGKNi7E53D05_L!~-@Hxqu*32}EpmqGEOkpp6*^|7V zMtVWPS8kKpeu3|X=OlkEabk-Lp^A2IVVO?GueO@xU@w6nn@i9qa z+GasAwBk{iH&QRz&k!$t?11tZ%s<7lL;=I$a1@MnK(4jD%~oY;h`m}<E)o=aKo(rvRPQm8OTAH95wW>x_vC9O^)M4 zzm!DwO3QQWV}iY@m0T&xPNqwg)&k2y+1oO7W87HM3P(Vd66@{v-z6;pl|)v_ABG|E zZ0R9$KdXE=lo<=fNrH><{D@Puu&;1MD_YfaHGZ?FmAL$VO97Jc43>CFtCx-a#V(-h1r}L3lxzEjf z4STEftewRK@v?jD2s0m^whe!A@54_4GQ(q&|4!Suas|pir)^C8YNuwJ+wrgKS=vyo zJE`Y4UQHj*(hfm=&JXvS)!?X2e=6FBr#?cCu5`C6I{ka`ow|!X_lM_C?;Xj%Rfg-h zn?9`jK8*<|U$q<{{<>gX*GzbPdpp_We|v9vrplVy*Y|!nSK|9I-|}{HaO?76ebd&} z{v`L>r zT+=fo0DOqnK+e3MGy{m#LS=WQYLL)Cw@ z3;wKw#_nmo>&cgNN_ho&VUbT*a=tJGhDS4%llNrXf|gWQ`^VBGwK0<@`oAu6!G+O; z8+kK;L@_xtgK&XFiU5hHBp(Bb<3Yg{!^Ii%t2Eu>EYgaJC?K0Mk?gt#SBw%j#qD~N z`&u>h+pW$PjjBcK6vGI7?OB@*A!Gt+Qrph@V%^~qAq)1e%$YYPWkYXSsW{r-QEV$66dG)~p{vkvh ziQs&h=BwoIdJ?WR;m!AA`o>%Q^(4@@ZNw|s%JYll^Op5?ud*k|AN2Z0x^mUYtc1=V zmKBY2oJ}vba+7aYZ^buL6DJ=s?~51X=*v?>7txjVr)gRro9W&Hp?fRvZ|@$w`uwW$ z$JsXL6xv>IeHEB_d(qj74-d(f?R*!TW4I+NNe`#a-sjIdo52&V7ro!bT9LgbKO(&~ zJP>cbmsr0o-+mZhoTZTuN7D9m#UUCe7ibFOKSD$-Ad-KJA0tl39=5b_5u=D7pw#?% zT$WX)9jAr(vWkfeM1l-^$mIfxYQvffV13 z$Q{N_&-cr#r@rKe3-6a8?NpQJFQ(LQcZ^ zUrM;YN1VTG&%7pw_GE1cd_1Se8)iml$93I}OV$i$yssY|xDZNV9C1e<4o0a16i~{_ zgd%DXENHaZZaw;?;OhE#xr1Re{NRKzvC0e&(*p9i*59t2($Ua&qY5htwETEEes`QwEY=g56s3y)i7T?w;LrwWR< zd;2xgw(gX3vg&Te9^)M#Ed<%98|)c7C%KM{j@+~!s;jv2xIyPOa>#aaU!kMUv}t0g zCzbhL&Dq7*qu;4&+UPQ~rrG8<+F@``lH}*EH%!2HsO`(&tLBNCPib@>N%N#@l$4_S zDAX$CJt})YXcz|3L7dej9?0mBL%A6{vpF_GPt#~Ux;Kj#`V#j`W!+tgf7Sd*v(+ne zCtM>>B0I5>?Yq|&3C7iclGajn`=ac^Yr11`v<7f8Mt@H*84eWJ^k?1#^O%?WlYt&P z9Kd5~%uMrP)UK#^DbdRKUVdp7U-&3#B0+QO0Ixn5SX+NX<#lqbzt3B%};2B9>Bc(yCh@ z@i3lJ?S8Sb7?L+1k&)TPAGiM0pEPnat$T#J1@1Joox)dvOqH`tcAtCifVq zlhjforII=2M=YlmmBJFR5K$%?hEPG?@hjnoExE^)@ozVN)e&8YqRsbh419TVO7Xk< zVj2@s(Agg(3DTt4k^PF0xe2UY=(^$8Y+&n(j%PEo06*RAP1|%TBP$bJSbj*abJ?uN z>K3GXw+-~7u`Y5k@_zC9;Hv#}@*~vx*1eWIBV5@|9X8}HCIfG3q(1l_#cF@Gx*aTV z)=Pxq%q*sLur4vADS&9<62gL8Vy-0DjJ^`0Y$g&MEaM*Zf96LL1vBH-UtajOE5@)> 
zGC1P}^Hsx^w^HMHA@@8`d&ead(lnwOc{&b_≫ZiM%`;G@^AESh94@7g`=)_6y@z zLmk71yEW{-hK&2ll)1XoD5}lb;)cD5l7g0YBj5v=MBXJ{S%NrPFfG^nDZR8YkC#LX z6ghE}R3|bXlu9P%69v`*k_C8E&9Fi-`o&hlvQk(jEpN&#Co-hgZUuPZMKZK$lb9$n zJ$ig<&g;>n!qgtG$GM1|w)0!ho7^YZoF#fDDt_c>9XCgYQ}nisws?nQm_B)6jqczq zfQ*F*mc5~RUH2lYq?i$7c=uLD@$22@a1ciDE|2d*CcrY4qQ;%ws0+Ij4@D`=N=`Hv zQP=V;kHPy&@L~x>%!a<49(B|HOqEdvBs#(VPMQ?7Lr{PD9^9T7LwGxjzsJM&lQPZf zuhqEhF6~eE78cBW%$u(l5>?urb2)awKq7G^W)GQO-IZRH>m-+to#4v&{SfK~+O8yxM5bNdy>Q*%23*$xbq`r$yx%cOB@9~c={jhv2f^s;0t1SYlO9?-EPjHu`3HP8Wml+?k(L; znnUiyQA9TU#C)U`GrgDF5WL!{r|uypgXy=SD>?127BU~V z5qi4`ymEPbM{s>&O+(=4_cY(gFFFaD%*MQjXvUck(iRQ{gy5&!!*VntH>jqYi(Y1FO4=1G52;!t5v|R3|#gW%{@SQT{RmeJ>91dugU_Ggd7e8t5xePhJw@Ye^n+=eidmUBh%oQ&;H@`d5$KsqU`HR8rglyqNk0d ze;)_rMNx2Qe1*J!;gJO{WkF7gK7aU zw+GCdChzCRJ<5-01>aAMOvTA&3?Wxf(kC=VGKnl>4hQSOUXPQ}JFk=a6+c<55?84( z9@oJVqIZH)q(iZS*-mB=34`Q|_4z$gyCiTpDnlYI94m*xKdf$^9)xe+pQ`VQqtC!7 zZC&XFUqF@A4L+~VQW6q$+L@-Ba-dVmqA--RXP9 zLg{*6RexNEXBP>)x<2ab2Te{2q`*E7biG^BoZo-->h^HHfSSc#*wrncjUDK%F7l7t zs+(mt*+*teiHeIrD~(P6tOOmzM#vS{j$ewm`ptZ{gMusr^dAt>LU1tHE#K?j74y=B zOU0(sk7()6XiON?d&=H;wR2k`^Y>A0lRDv4*Baj$-&;0CpHmV|Et1f7JZ}}2`tf$; zW)Nt9dQ{nXujU%I1Y*&74eI3G6@EUE7FExAzEN~QY(bIZY=(GNXxvO5IY#Ezp7VNG zWcMnRZ3^%8bp3iDsq!>Vv&^OO;r)8OmWFtLQ%rQN3(u}-cvlCvw>EFN98+rs0==LH z^Ifhx#IHWFZH5~b>GILAIDZxNQe|T%0uA*RL zF`2alGTwean5{s_KnRR#Egv(cG-nO6`mQ@VoIv}%xt8jDb&twbzpLt{mL`KKzH9tp z=qe@vd#V+H?&9(ThMCjr>PXejIz7DJAB{h*2KRk+f87x=LaSwOdLsyr**w2+wY=Aa zDO%e`Cwtnrnp-VhQu}O6ICtEonx2l4nv0EpvZiWH4j|#EgRq#FF4&zD$bt_VR|fUI zfRtn5$Y2K(`s1LN1Q%jF8Y^-Et}-GM;GmblQ>Bm6P~@52jms;G;5%YUhhZ zOIQA)5-W-avVQNN%4eYow2yw=7RmK1R;~HrD$$Gddn-@^fy)Eg5lrH&yi=&TnKuv( zwIjJ{iA;_jL0lE7Cmu_1vTPASOzZ&X!otlnImrqkGlRSG0(R|pz^+9<3J3VgkkW1l zOsQuP^dGk7A7{cN!NNo4zUM)at0K4$>co|F9ah4tGk4fq4u|0|!xZr2UC6YhYkH-a zf6VxTfz-4N1$ZD_gXKz*=o&9=f6Zx3?^(f@e%Z+& z0z^+9U4>q1s{dU8%w<_=Bm@suUWyEUHTC2mdx8paxHRvsb=?dGs zFmsqJA^s}G;N8jJH>`NO*KX+ED+NEh1qG6-(zKu}QxT02Wab6t0&yAzS~r^o!^qID 
zGx#{@88?6Lo+Q1{4g_=Md%OVfPnt34KmhZ#J8UzFYB*3GE3;w|-AfnjPH5Q_n6^48 zWAT$TCBhA%4Zg{uuuj{Ds;byX#a4UB>%b;7)f}-a^6$NMXUoMX)Z>aw6OSpVQXVXb zJQpWNvU3D)`KdDI5R%zpT_vrUQw1#p6ZkKb{y?}U0dzqW(1n|e!E2Ihjuh;aCpwVT zv4%W{F#0zq~1NL`b2eFS}yY3Es~4JD`INsKaCr6kqh=v zL({~^8Jx2msV)+)$yq8CJJ_|U$w>nJ&tzf=A*rE{=ao<#NRywg zjH#i)IV$##D48~?GY!0?l{KOrRzo5{?2cwInnyz-29g!!=J*DKW|6MdJtu1sC58W- zq{e*~P+`4MnI}+0t3Ufy=vhwJNX4{#*~q~Z3*9#2n$CVUm@DrvHK?bza_S5mC8#QE!~z>rFc=F3Zq97&UryN%0^KybsL42DVccAZn|`{Q`U;ikB* z9yt1u3gg!rXdQGL(6K%U1iN{TUf0{ik%A8k1WzUiR-}*f_CYuih9zZLahbJR>%^ZF%%zp1`bcS-5{t0~5BcowW!x z47X-J<)CorSVyb4rEgh%>i7^w>&i(4xOj35jjM7n89Hp&uZ%BM7g~{JdRF}@Pt{Ep zT60b_GJL`U67Z*Qeb*X)mjqdwC|b3e0w5BmBSsfJYz+G~MSiC{MA#5F*&zKhcP8=* zSD^GNpI?iS7&>Z~UN-s0O9o}sI7%NO!tQ>7KG>zc&5PY{4aFg0z!>8Dy(*QsPO-Nuc}CQxvT`XHHvhLOc| zN-PkbiYFBYqx5g0 z4Rc6TtBXkfo9KY(QVH0vA)k!7fCql{R>U!g&FDdGQ(LY2o>*wF^}FxLqyRLy$&MLKE|UC&rFHgryn&rwm+PDc<*Z)ls9m^)VOPxzA`%EKP#{kgQF zr8H-QCncyFAvVMBHv*407%mM~%1DUKP%6Y(Q3ox<5kt-wBGGLGo9?6>XL151oKdw! zr{f0ypLej5oAKRM=}OyW<8(l#+=CdlQ}Tr`&A2?XoPwmbM_$uN&oYK7fzFejZnvi7 z#$+KD=wKgt%Kl(IjA!L8rYAO;^|hg$Dv7#i_v2msVVlym^o>_4ye41n+>(R+lczam zC7&a)F`nCcZuK3g&b0b){dkbtGZHcFf9KyPi!sEE9A-pv^RMvM-t}c^RqByqLee%1 zDPKjxEFvU6L7|$`%4#PTFvG)Y3jXh6C1UIwquP}g!_Mh|9l1C5a#S2|WstRB>nXKR zjL9L$x7%Q{V;d*j1D3y#c4=R;D`*J7_)!?o zPtkNTA4?Rks&j|-zTU{+5n2TSnH>F*cFdnNaY>#AR<<6li<5q+7JQm94lp)X`Pkp# z|K&-OrJvuu`ZuGYErsIHWt?<7&Z5@YG}zI`%jHhZG22mpC>OgsdITEa7|w3a>+8#P zVngH@I`>ANQny`XP?(v#vq?0LUkY^#uoIJqSUtSC?4GiPQF}?d2gc~18M$TZ&R68? 
z0$r%s3FozK?|1fX0sY^bIhpy z@crkSQVPs0bowa~K4z;-0+*$Feavr=`iW1T=U7#VXCD}n9@AVnJ0?QCA|O(ZAU-L)d8p1GAbj@Ulk#GJV?+&+qm-EJdz;LNk{ zGyMAgg)rOd{cFzlrRSGXIx^$$HsOs8?i>8cEQY(3x^Q(kMOx%64dVHlBGu243Uf~Q z7;Q{bLR_gTJsK`=8k0rw2IzF80QlH#mq??T8Q3M!f_A}%mechhKBK4^7b{_msvu5s@%qP;nM+ceyX+UXQ<9USxZ)AtBD?K|T}2*t~n?1Ka(W z5m?e}GMTX<(R+mFZeWHmaNAkveN&3#_kP3sA%f{uWZPkTWOzF}a`X4sH_ z9>N5C2*b75llHs24()dZTeSW@kndqPZ$2#jg#=_|9NdCEOVC`g>ALHXsJk@b{Wir- zg_6D+YphTuI?;!}HK=ED!Hp^Y{d}Cy3HYD27d$t?RUKKYYf+^}4R1w2|1F(^7; zSat(;RwZDYt@-aS6e zKVwQLtrtmdPAmUJZ3i{^jdlU5z_Ej3b#|80ZS=u{EecjA)cczG|w<3L7w1hb^__2t85+0?#)(#bGwrKIb77YFS>%nPyIH_E{ z|2*rDZWimUg%}BAaeBM0z!0ItMe7F5@5wIlyd4JZvIofR&__wqaP${rBsZh4ySbH> zpJ)}J0&;N4=sP5Y;o?UTNpodUaI7)by)A;K*Jvf)%BCCOx1%5bt6E&iV%+bUA12oT z!RX!>*F6-Hh$J2D$<`C6=eDg~UwDQb$cDX&CuX|M3KD~r*N5yf$k(?CP`wOGS(FGi zh!8O<^Xdy1L~X<6giMwfr&R4*Tq(~Yru|@$H-r5@_4b)(vtl7;*+`szr(z(to=mLt zljw{Kay!{W_6E`-TZkR}cIg+eQ@3*$DoO#mYM%2vaVYt}I?Ky^=isfVlY$In+Ys=} zWL76~)!$<^h{(=37WRDMN09lc4Jm@1`3^ncKL%Nc8kE6<4#dpyN6buXs|zQ?7*5p` z{73S=hK114HU?Veyp&i<`0mXytC0a;*u~jcE&-Nmq3Yj4b74 zT6&6riJxV8Kb_htzxHVWr`NYUvVa}2Nq_eO8NIpJnd;&xH-Dt8A85~vj~V)Pv6Hwi>pJ&@|qBgjH>DS zgP;}!1vyth^YBklUzv_2# zS{BkUPiRRbl_iD#(1N%^94QFg7IWDL7AtSV3umAN7tb4Lb6;U<+KuGu`)U=KK8Rr$=V+({lae@!>pT!3-y<# zFb0=me=?J508%SaPz6wgw!Rzxe(fgx_t<)i)fKP=YG0 z9od-Y-s0sG(Sv+V50Ac~J7NJAx5BzD@y1};&}lo}zapEz_rF=RnWbEppHiBdG_W%Q zipr(ykN0!QPUBDsPt8(ps7 zYUiS@KHL>g)4UA>%>c0$taV!D0uj!Dlb7D<_%o%Jp=Y?&=NSC@iIYzx`macz1JGTt z06(_Eh%1z0wyIM6s%La?0JEjjnmfzNi1EQtnscD-a5PtM#O#j|Z(_ub6k-N;TXn39 zOkxHr@N@&SYaXi6n>N~|9VP*3a|j_-ibWLI0>K@pPs4UNoS0!>c~(FDdb#uV_kmu; zhWCjc>lSPrYcDSDzC55q4&)lkgtz3tl(&Cpz6(R((gnJMREGC@w8;?j!+L5ofy^3B z3YW#k`XVIfWcqXog@(n#;mYw_cmU+hUicmj&Nqa`D4iMKQ;{D(63!z#s_)3H$x1s$ zi)glcB~}`5(FN@+-$|0N%{1Qh$o)C#(zHlfq_JLQbX2itYDfkwfM>9N+2z8cMr?8f zcvU_ZVe|biM{iUFO^1QfdkL}_vV#QK=!-qb)m`bPWXd4g3~4*K(imEexfz04T;sJoNH3i&+eBy%r(8nPJjX-%7ah-ttyN0%BjV zKfbmCv73nlZe-J1?7jGnvav>_(F6Z2JZp9wR9o%vxUa&04EKh|l*Mf1v>>G#TzeOonA`KPm3LywED 
z+q5S$z5=w(^~#irgP1N7AK_W|S1!!KTy1PWD^AmR*8K~K+Q=^gg>~d!YI22{O9aOC z$kW2*VyoC^yr)jdhJZPDqStb7*;)#?8J}YAUdt1UyR#kNv&;RRQ;!#EItP1%N7LyU zYnG#v#)=Vzt665U{ZS%T;>}U3iV{Y887e3KXhu8X_tXqNkEhFmBJ~-btd$#E;=_~C z5x=uot-b4qnSv~r-{l@w_Y8&uPSN-@474AS`RpkIO`Zh)kVuFAo|}G{u9RE;=9C{? zGhCm8^TnmArbHINM3;F8do{>hR&-gn?G*yE^xv zJJUKzR`dia=Gqf=R!7%&p8gg*C$sQ`-}zb3Kk)(E^L40B=Nl_kw8xIL164@a>}+S% ztx+o~R-YWF_fzWvxzc2Wsq&P#9h3}ePGuN27TmxLz@axMBbN~hUHu#Ng?c;SsvcP?FBm^(kVn|Z7?O+4zM3=z3Ka;e!RNK->pI$t)x zw?O*Zg$AHIJQKfxkPf_q^7a0BbFjzQfCHy`u6L#!J`^3c{4v6ukXZ568Y;|th($p| z(Imxk3vtK|7Z77vrW)BSxpNEfhKsTNu%OP>GZOew)pDWUJmUg_NJy?kuG;1@glzHW zvt@>l^ry=%;o0gXY6~^d(8)(l6Ub6YCRk$B<(P@*hv*948|gtLv6>9{Vtv&5>Rub? z^S#kMLLcHI@1ceo4&{_UOX+BxLmp;iY=i2NUW3EzJ9Aj*QaVy>3q9e~EE0TS-wz(W zBAOp~S@%q_2`huiOY|f#8Hp{pZZ#Y-_P584HKpUNnYM?$E#<@FF zOThuyukFr)uMg|^J93W86=qsH^KC29vf;MaQTLiUxMf(%HYK1HKVokj=K15^%6jni zU4`kY)M`mID*dW8q4B5_@w#a?u%hF{d9hmte(r;lB-GSqWkqT!B5bu>>by)%*TSgF z*FW;>(1#S6*9w>|X6X=VC3&m?OY)bM$kJmdocF@IrHPn7 zZ;CyGVM)%Fh*j^@cJbIiICJ&3F+HO;mB({1Yu}(-*Yc-PZl?E;Gc;89ha#>|Ln{+c z*c>3lPKIDu4?{r`oh?`fXJ;$vu@En7h@2LAXU=@>bh!R&4@s8%l_m>*H*bKV7Awh= zBC{M;i{ly+1pE+ma-T+SrE=j1e5<5`fP@+r5b(DDk6NJ(n_iOGN+o7RFp1PhcxEJ8iSfE(>s?G zZ!xf9kBtdxPXERh{@C>1i$OD`hsEQmxLIMG>F8{%?dj06J!Jp5st~^6tQ%j+1hb#= zqSi@a;e1-J-ljW%I{p4`SqvP!B9aHN^!f8dZ0&K=Sut@7;%WkSxfsbs&&(1$qAy5B z*RCoqpGg!wcklD~tb5mcWWd07OKTE@QYJ6&T#f!|!}%D^O)YOnSJKX|{`dN&ohjKS zB^=x5-g)<12~!E%pd_@~Ga#mMhX|GAjoU5>ONxX4+8e@bu$NE3xPDvMC6ZZQLTM?s zzFj4KjZRDckF;&i_D+f;ASE9QM|Cra$=jTSkU|Hw5TodV2uz> zQUeA9ZfiP;SbIqr8tH$!jPb6HBgmy43$LN^a}KsK#T?TlYjhm38tO@&hiwWAy)-P ztUCDe{SYauMlbo2+c60080W&*H?lB*2kX_-OB+?~807{bMN_G7bKf5xogz^X6x{xD zVrNTvzkqL1Y)2|wyva7>qucNcqT$_Y zh*vQ@Tq9d4Ev++-OBo2Sh#u4{sKX3I4?qK8O^0<)mOxGAiVMl4sMxG9`GZ?>FFQKN zkmPCO0kGag80-V{|G+DumxNm|+DE8@hM~4)tohl^C1y9U#mp!MeWWy5qIp>aej3*A zv?<-jG&M_*8vAPk#O-30b*d>#7=0t}kfu~lpCOUQY}Se7diBy?9g^ITiScf$ws(|! 
zTXE#+b%}csz_#$->2%8T;apL+3Z~FnQ!b=YkrjPUkHx?TA7gp{T(g~z7kHbH>|FLc z3ZjCM&ujZDik>04e|$1a&gjjNG|OS-s8Eo-1ft&uY7Nx)p_Vavc~r;%qqnUDp@12Z z^GYPYYLie!A43gUDW!O|y9W?^HHU76>unAbPIXN_Q62NXyE2}mcc&bKa;43SA^l<> zmwXYpFc|Ow!g5w7TEKh=-DWKFS*-Bb2+`7yUZqOe5Yc*GKcqD6>l!Leg0(^U+5Bct z`uIIow4Q3>0zTrvz|c^MBr0*K_*e()U4mEOf&AYxpI;?Hd^eYJ%2d`>y_HPkCnQ|> zXGVX<={Wsdi4|+wv1P3SGCZ{Ttbdz;0>h`~l?Y4$ngkT#Tsm+QsKHi_P8?bC!tN9d zhlO7E1*!5R($sulY6{YXa!1$$p}4!4m2P!9)AVf5@?Pf_To#bmqvk%0hYKV15u2-k zQLRa;Drd(cd-)&9l#&MLmhOhB*IH7{lGbfNV>aaTTKGqjVqOTPcH+3XHt)kkL z6mtjwpi+!&5c%U{8ITtcrgQaQZpY=cY7yM5&5rL50lc~AD&0(zJV+`HyPdeI%^a9{ zP#T_|UfW2`dt+3`w4e6sT{efqY40{d$Kx?kf;-MzNFKm(#oQZ>Rh_5!TA(TNJ}DsV zQnO=+8V?TV@28;K7v==xVnv0t!0gG15Nbz0G_3X787fRKBeGWnoX~9vh#FPF*<~BBp1ChYnJp8klXG8( zbOvwP3*kFAS~BQyoT16CKUsUGZ{{?o9^7c~IoLspr+dwSfv@KUy5-nKYY$)robo9Ya5_2 z>|V0Z{pL@Q zim3iXb?)aS#Iy@zM6xHBKZUol!ZX|{623d|<2bS6Lrp)LCA({=RE69;TDXLiH&F&N zz>282CCpNA_YGg33VT_s#;VQAuu@f9q#?Qry_~h4n2XP3A*xVR5~a_n5tp^uRjHpQ zEMdo;(C6h*IDPX9A@0}-pQ?pPi(XkT2Mx8DVO>e;5eY??g^z3>z0nAR)Dcn5@^=KY z>ihfv#pd@(^mjwR6>pqZ8e3FuwJ&K=lg;;^2R)zlwU%9ANsF`io^IT5SNkD-ldMbp zteM&CnXk#`q^Mg6C(!KjU}*LWIPxg8e{T5O_EA-id~pcpqB)6l3pPYr$z`zQ)kP;R zm^kl{3CEmve|IboYpDoAh?gz?xAsfe>8kwxSV3JZk_#O_Z@Kc@*N^P(lc7a~o!|0{ za}18|STF2hFnw2iC8YVl_A(=)| zU`!wI00AC`N_njB;pQ{`olG9sGw@`*{+tZ`b0I=qCr$+<`fU0LEDj*J(J;7CiRP?C zz6pj-v09n!!7-FOW)*x%wuKfP3>uTC(A?w>E zLUiKaaB!*XLgl-gM@zyGPwtEzpKlVQD(eawf`&U(TEX;*;L}kt%TCwTzoI##4iSSP z|%htX-4P9X@JEM>4h>J|pvAw#1|T5QKX5 z)fGZM4{&Rk_HF=kIm~{hAw=Ug@zabfKbef0nc-4*a_Z_L2aHBGiRRt7aU1xQ%+<7& zKifhg9>sl^Xi$&zry4X`Xs9o|i^eAv9}QRPSBxA+hAmaA=~`*n@Zf!{Sy@q@ zu0xfq$I~Gu%CI*7ME7#(rS)Ph+1>bY6D5OM@7M2{%B+ENz`=X`KZ3&4Nto7i0%^M+e@j%74=-@ zYv9#nGpzMXVd?XF$k^9b7CPINI2(cORIH|}d1+6G+Pg~njO!l4jrYi1!-*Lfrd`#0 zMCDniIWbm7S7iL%)&fz4TjTt{?*|^9X3&w7fH6COv94P(7J?Rzwz0-(a2rXG=rti3 z0>uCaI&2JVL867R&L*?yd?jq|eDrCseyG^?Q^OVIq}&lpCN-pgnP)W=xc3Q>psr;a zQ?;`)l$vgz>&x$J{`LpiY@hby&)=zH+eoAB%*b9A0W%tGxNRK77=lf3i<(z)3|Yp< 
z?zArQUH42-{O-e@dqECLGM!EeBxWz#QmR{FS>l-E${Z>gr0wOk_@>L=w^0wq_K}VV zQ^J2CrlT%zZlGdq>=ba6SdAVUSn;9=w}FX_b2hY@%|fW&k>CR8FDf;}w_I+%wg-%t zlwSf7h>C(7|G;`jsZyvfL9^sTuHn|^5v3MvD3@H+PTz%~>eOYs&s1#no$!*Ti)Q`E zV5KD8ilP$b8Ljst@!7r7S#b^oNQ$>AL1wer|MV>RM5 z)uW@J+2t0+pR^SyA@bVWBWdHg3Et;IDQII(Sye;qPoPE;)!#F#l|o$uH-nZusfCc_ zr~*OT!$FJuFR=GPpeT4oiLd|zdmk?~JY6NRL+!8Aj|hanwq~dn5iXC+#XpSfNoiet zEEkosILxGiHIucmoS7{cK^0WQpSKj>REX4;Ed2E3s7_FB9%B)w`(g=O_BfVNTpfpV zmvB2vTdQ4&Ew$Hyz!r}`x5^vh$?fjU=JeA;UuoGmm~KF2>Y1{o!c@u^qV{3mlR{%B z5X$&32sEs;PUz`Y|BgH^HNP#$%vTpSgBmY6i%>1tb|CVp06c+wO)Cbt;0;hIs1v2_ zLP8q@0hPj1j?fYiP@y}k$l_@`tBdazC%c&0?6bi_=+SF)TeMp?w9(!tRFAZ4;6N9C zQD|y3GkrO?sjJU(lFrk@wbm3GN)(}9S(1`3H;3BKVXt&eEztF$g8;KloPNYmIzDX; zMQuRJlOy@M5(V4u?N1q4*9mbhC|K(V{B-AQ@IZq!_vS2x*u$o?rbsQvPYRw|_9p3X zCNSkiVM$u}L`kkZ021O`*ZCH&vKs|pM-it%_xoLzV{tD~cBbQ0Go!UnL!b9{0*z5a z($?8_E}pKb@?jSIcW)jl&I9hA_h-i9Dd?(bTJ%QrOS5BYL%WyPTi5QgBZXPo{<>jV zwV4q;S%wJ{SKKw^rDFuf>3XH#%LGMoCOaA7$+BW*L2Mo(W55;vya@B;&6O`p8_{L8b;CpR_tMJ!quuk~nD!i9ph^P- z;u!)aes(>?E4_)?Wu}QxV&NiYu_7_V%?M|rc!y1I<~mE+FV8-iP^&Dv-Olo7&D*it zC}h^}LKay7kKJY}hk6BtCan-rx@Bmy8iGB9bK_*};leQwxs2A`@w2E0;+e|)hGII+ zul0Z$eYtCKBWcrjs%VZy$K&OnJLw!;Jl)JY zE0;k=dPBkh$!(5>V9cs&y#BOwzsC7@KM%(JRbT^|S~|YBZIB<>@54R;PS|9__+_Ru1oG}mYR@HYMK+c)xN z5!+1yt)qx24Ez05J5Az!BV>R^yX<={+C9t-ZB^vm>MYa7rdD3e&@Wh@oi;qZmWGP_ z;9Ly81oB6&%tq7|CBk|Mg?#x~G13<@@}RrrAh_?J`s?>>U%tD8XA=v;PvWzyUP=U- zl1fZa}g+Vb^)WM1Ol9^=8%)f1#A;A zy=m!fY$-W6r~s3I{(KV?R$ZBL>`I4uk&oAFwdp1dmDk^fD?m`E58%;gdQCW}o20)&0O-3FBm#v^n1^%)|LQ96E(O*WmX)~0=ZxJQVJ>3?aV=XJTx@y}S}a^L!}F+fQlU%(;# z(=Ftl?1guN0r&gbjjFApQq76uZReud`c&;U?8d4=!}0Z0o|8vwOXc#GObu$O9fR`% z%;F(Z8@I`>i?`wlc<2&uoPI%AQhM!9XQOUmnX4h7Z1e(6DIgsjUt}Y6SmeOe(Wmd^ z%{KH41V+aZQEGs;@ufh#@5F^>)NB-{-%63}v#xl4Ha9gj!;kuy%XhTl?ymJ#@7}oeTG~QZ_{7YTx;EOv*lrN~twrD!!q@SzI$A309cd23f0n5%|JG zPEl=&7LdDY(-eCU4}_B0|A5kD$|sRbMNG(|S-Tyy%OUA7$t%fVbS3*8<9++xw$tUB zI67T)6o-vOv-k_d+`8UF+DRPa86^6%^g}O9X1zHLA;DnNd3V6{d_&W(Ij<(y5jACk1}Y}VNyBmv2=N-0yt?2)KF^I@Nem3 
zHx$dpHqn?95RG&@D_?8t_O-&>OBoM5l(Kc)Fj`rnPePN$TWhKe6Zk``KXZME39Fe7 zl7>cZ|5#*qmlv*KFc5+U6U}|>u=kfX3sBUkmC$dvEMR3C^dOa{8m6n z*yM`vdL*LN7h~#;eH<;g5RfWgu-`1t68|8hPw>}1(DE#w3tyT#LzGLVmQYW7i*o5= zv!FW+anfE6SNJDx{j~ERv$G;t`gukPu(EWBgj4^n|AywqJ zU>UO65Xe5+@TdZQ`J=zwn-)IL6m%YC|NM|Qg+oLbPQytjvsdGt-%F(c6~Z8tU#c7{ z{yYx+Y3@^3xXo`J)k5?4(+*O4c6T#)?_mA@J3#qf5N`oBJW`}_Akqbigz=Fs4N?wF zHC^~_fI4Kj=;CQN{qCVa+kBB2^HR}QU*FuBaU*TUN=D>Ei=E}?@tXvj^N5)yJI_Q$ zM5ArDogAh-Xr?Voo(7MjlN)LL4n0n3${AA7lJslDU4me|Y)7Cv8RSDmbg60r6-i^F znL-sDRTkJx@EV~>lXMFY-2xi%SfZV$5%bw8A!rTX|Ho7!2ZJjb*+j*0vX5JEU2EDK z*;q7yGfIB40ulr^rixUB(zy7z_Xy65i6hZ$2^6!x%xBX!0kGDVhz5f@k>`9*yVA@` zgSoVv&$|VmCV;oXk{o%}RyFlqe})O*5nsKgqgIWGq3#g0SLoQ$6?oW(xj0eEYjM_- zQAJINV$IWPaM=oNQVYGvm4ldXhpdAW!P*BJM+h}#HTLrl7=?NNL^&4i5-RUpVMr#F`@Dcy#~?jwEn!O-of$MnyCd4{&c~X znwXqIO|8J&L<^aa>h5UBb0@)(SST&n$57pAZb@@0==wNW&JU`UIEP zfx_SXEUa(n4Kac2K9@%l1>lEkoq2C0`C-7SPcO$P5i=Yf&YQ}yVH1wzRy z)_h?4?(y-risgH``7X!JSCPw!7tysUVj%2Ve{OvAtDD)46muzP0OdSOdvJUy)oM{4 znE|%-#ru^1Vz)M`8=(K~&|+uEJtzCKoTbl(-fzPDf;yR_fEs6DftuNAP9@Kp=bXLd z>8Y}L!j#&tt{&oC8U&pnyAEg^z~;9asQG0WHFFv!4b6%I(b!V>WGpSBH2|+-9BW*W zqhej23&Q;J8)p!-4_a2nAz_{hq%QXf=9c%$77O{b2P8B^=b&wbZGugNNy zl@~m?wNq0XK^9WC36jUCy#j`KGjIQD0x1P)G0NkdVG@jBg~9#$zd5Z{ZaYqnTxzHs2%4P7I$W+q=!0#oY_NJzIT19diCN zUQ5N!@d6b4`AV7rmqS=}EG=Zc^1^(Xd(Ea}cRLm0l*iv93p=pLvH>izumg)My%GRr zICp_;LppuoPYUMSw7tnE9}TO|ziD)!%zM0@%OE@0S^1|6{O?$X9ZW&(^D+mUZ`^xT#9FM?ZI^+abCHg`mEclH_1YILJ!3mR2OFmpl%kEPY^=j%)QS?eKT=!j-8#s>>cr zl{V7s-hgjIXFQayw&w31)&loGjU7If(ODfb&8L0s-{3ASuKfP)9#z0lOIS6G^g{Cb zY#w#Gj8N+{)bJ{oP$Nv6P(VhgMrV@O3a^A#u*9HI0VH#!N<+Ddvr|MQS*h(tf7VH~gsj_9JCkgl^bvrPc znx=e-&PDq5-GC{LL#eWD+Fgx-CNU<0&o~7lk{&i)zJmv2AEex!zbkAn#_i6o-Nxr- zw%|Ff=8UGx$)ev(!$C@0Usv?-25^h`z`n9Q0lq5DC;%YOF4eGGjmz!b7(7bh4JQVl zKAdj7JUQMlT5^E{1wn`a7|ffTZ$Mkk63l?NA|) zs{xy|f?a&>v6sR>s+4W2ry^AkXn*YeGI|VBWW?mZr#&Lzq%f#9DG2T%T?O}(jE!>svyhss))E5((@!L@gqS&6WBb$ zTZ?}XH|S|4j|6ub?!IYc_iwWPyr$gDcPG>uuAX-d`;lI_d})>=le*^BB?0kW%U{QHsD~fjZGep(2}A 
zUw*ND>lZWz3~KJrmX9DH!?T%3*{Ahb!{}#}hIxv55f{oTV`mA4N8~$R8eEQVA?0 zYBF0E=ersfMP7T944UXw7t)B-mCI?n_~(6yFbwRa#kfBbE{74pQg zOa(o{1Z&xi-@zvm@wc+t5rCeG0{A){rms|7juM_*_#sy?ppbLg*CgtQdp>Ho7X@GT zk+pR3Uvc#_WQeRwls+@i#g>2B6h}{UDVb0AkSiI1Ctr*w;j(HIy;KOOjB=D1x-VvQ zROY%#pgL%e#H_k2-V%4eu%(eN_MId-eXg{v-ke{(d=W;Aea-%FJ=K&Cv*PZIMdD|O zL3S`mP+{eWqx1xZX;F~aOZ@ask`hSiisLE^QQlz6I$;p?u3+}?D#v5OOJoQ&Y-tGQ zeKeG-`sOE}vPr|_75E=`$G!WO4q!PYM&(3mD$oh`w&nM-!P;OLOg9-r8gUBwTWmRHl3iG*@s<4T;#P!sv3pmMRy4L7JWQeC=?gGMSpu zh_KDU2)ZONa_5KnNxy(-Dys6Z??i#45GbMe%0Njf0QodgAfKiHY!sWZu2y0hT1Sd? zW;yZWX3<^0vo9r|(~QYRqm}#@D@7qGJ8r6KW8D?-QjmDJvSfC$iR@cIdEUZ_K$?b@bsvQ_2wK$Gwb7L@X z;HXD>TU@@Kf1~)_R@d92OEV@iV)lcO=HJ;Qh_tmTm6HHNzj_^+Q1T)yeXV*4_EOPB zE$fNV+hTHUU6C%Ke^iOWC!$&vNN6Bca+331+`j<=05Vp^rmWYUP&o$T9CHYhZ$(KL z5t6M~&_J%CP+Mhts~J}puBfGiDG2;*CvErn;{mN1TMb&kK5&HB((P?N)q9K#jMY2P z5Ka+4nAbXbh_`4V3`SOQ8k9;r1`%#9n+C&@6lQbq9N0g&~P|`kX4r5cqsTCFPgJNsmv8Xit zl5kw)zLEjmpfhs@Ps0FP-qhKKsG$2=@mOfngUI(mPomE0jB7ME*r1#ZADcBwXOXZO zi!#c#s#RZ@B-f@;>4JH)ILM#04Gt8(cmdubAVOF75P^o^EsguJ<-M(dpX)ptUSoCmQV7aqg}yr)>>Xr} z4L0lQXh@-S@b&7fd;>cDi2e7DQvt<7(}nWyi%+KP{{FrY^&3mG{30BGYbAGn{=P66 z2*qL6m8QyhREJSGT&S3LjiTXk=)_8w&{GH&Io{A%7zl4JcaRrsE0artBMH}d1N^Bl zskR8W*L2&@`@0PFUc@hLn7sLN>|k_^7RB(Y7Av;C#IdXHPmnf_#^TQ2Z1Mf{(%!07YS{A;^Z0n66G>uSjA3XU-XyE;O7u^uNs? 
zc_+x@=aK<8KQTu*hq6}|0{m{*OW&L&ri)eW&=_e8dht54T}!~OWvuy{i^0o-iZ?rP zA6^cmQTdVSqYaN7S|5#}fZwM9*K)ZCnj>6~4axjqB3o|H6c^oR{Vr+6PM*L6tXJVi zcq${NgsJw14zQ?timf2TjHHNzpmjd1)x!-1m@Ui1*n(0*>f)2UQLjl9lZ?f__F+vn zKN%--xcWg$vORm$xK->{W!-Bo`_&fv+{biF^wrK%XF$@{!W$k2dMn}3*gA)MeQ2ny z*M;MPGvoImq~a_fviND`hnbnHg|m}qi~EA44fR2NSk00SCMRvL(>U_Az!*Vjx!>&4 zd}7x7M4ph88>p2LW?(gUnpwJ3e;D6=1)|WqeZ(|mP^Avm4eN& zzMCV=Gy!DE0*s}c_W*vj&fn(sfvzJ~_>u*Cv9>*QGn45iBJ#)gtZR!zbP~QzMzN!0 zr#6+Y@NW^A0JCu6M)0T(xE-T$@i}t{z{6%;<<7dsT0-&%s}ai;qaoN$S@#I-mEvLi z`3lr`ev0MmNYEYUBoEx8T`aWbG>zC0o?bzv@UL|UPsEXB;2&qO)mJ7Puto%lsBm`f za*+DZaRX*MamNM@FAE~ifeZd^aRaiN%_FLm?oYlqa|>*}{`uHiYB7ACS|G0}VNF%` z1+<_nYL}{*Ar454Gy`-I-Sx{6qf1}Mf-UUo4y6Q;nRAh-A3tyy?_@{F)$zEo)?KoV z%r&7rebZdC)h+fXGk?njY?}nC^ATf8cl(#v=lH1AX)4WTY*yx^FhN`BSlkrH)AGY; z$(ntPOuE{mD@C{1H4RIaPyV!9f6{X-qa$TtfrV{jSaGru#`MY!eEvx=Q*OTeOF2W2 z#?h(Xs(dW+3t*L9^lOTku7}nT@A$-K;K9!86-Q}`NGqtn6Fp<~!e#H}_WSJGE=A!A zrOBXMG(|Eb*QUn7l$h!xxdsA_=|rXb9e`P(G|h!PrnaVwx&f3MChZid?(c1$ba+6E zsoH5ivl)A_vN&Y-RAwH(sVMVih^oaeB8?t1_BXDbQ!~?X2Ag+QI;~9L z0&wIhsqXGN5mYSp7?98CnltW4+zY`})H#=GSU67hx&?Oy!G= z@s07bKx+N~7!zM1QtC~fs$mNcA2NDXhSTjk=cS`LN@F znNH&**!~kF7>p{BUQzma=P~m1@br4%)7a;L7W2*4$->QV1%sr|`jrX-3MCN(rynkT)Iuj1yn22zl7OE^*@pnk)iop4hau)X=s zb7fy~ay7g1T?9=t(?SDOjQ=we6H(&q=A!ZZ-+U1w)j9D|5?PW?61kmWNjwRaovpx& z-)dgYyP|2OD7GpJjtG#TwnKSeFc*zHd*bbM%Z>ZnT-`=KJ@WB}LYHfnB+ew`p1q9U zR7~8qx~VPowaWU2hN{X=tD%>2C+I8N6=Yrq?r+TmZatXJI2#wqD7iAQpQ8Ai2Oik2 z#aDhE8oFw-$jR8nrd9V)n>1k7C|pQt5v|#dRWK{?VXcR55RDWO1T*gL0dIW^qL3sZ~VSjbbw8r@O^oH)$%{ zbtuk3F?bKxsXa(JdEhXg{}1yl#DP@S&UK~9KWddK{Z|&i8BUXaHsys`S~(^!B?J^1E^>tIIsy za`wcly@`$eu>jAj1W?hWiUJu=k6*9d15t@A_;_O-3}5?ZIr-8eT~CwYN*cfHWh!xK zQ8{FrjU>ly5+$+5UN_IHu_U(LsM8s%%udMMomr)LBOW)@BhyCq|xsnE-Z z1T$w#X}~Kx+6yQtIQLphM`6?o_k2`VY%rQirH|hR&Mso4EcW|5{8L{a<)ck>L{(BS zViW))#Xd23M4HfcR5clgvsq(GuyXX-5i1b!`QoqzQTEYO?ZpL$-;;~=d?SM|q9B9c z^TGbtiKYIG17U}|^GjO(TI+L3_?;iVojm#KO9nUbU6+;0QnTrc$k(D@+ac^_IO4n( zIMUvrH5(XMo(zrLLaaE+mHBbv$~hyQR8k-+ImmHPXIy-BQ3qovtrVzv%7qH(qPA&f 
z{FRO;GvN)-osxeR{eR$MoDi546^apt(lE$r1FUSbG?l;ploGf00-NPURWMge2vVvRez>b)`z1j+6Qs{E>=)bwErf$yLvrnr1TMEj>flO!p^Obqhu5l zUakBhNT?>D%ChBbse|n>x*AuK#5|Hwy~_Z#vq)ttY0C*5Y6^ei$*|XN=#seI zxFVNYVTS1VR9b7B{&F&(w6C?m>8?aCZ1ad!sX70k^CjuaLM&9^E|1J8KwXafOsuEY zO#oulB?`<0GY;71&2Z{tyA8bfYgrDu7v#oA89dl23&)1uq^cC{R<1E$InR>_IQj{Liq(P!eQ>Mkm)D+|tBiTOD@!II#P`g)YK=ccl6R~8pZrmPwJGFRkx#(0` zP@9z=nunEL@MfaeDvVG4GWp)-5C^ zvt|^=pKNNK%x!^-XYj-xP=BX=VqEC6oaKdx{2LJ-8BxA$!WU1VGt+EM*bN#>xeWM_ zZ+6AE-b`}1AzWmX`bMrovNRmTZ3iC-$6}|5Wq~X4->zhX(}IE0D+XesUVzZ8|FN;o z-8^+>?&nw*Q8J+cHD5grrM$dji2hOsN@gb)TLUN5v8>EV!|%x*uoNKW%13sL1!I^t zJ0I=L8~M4)qB zKKoOI5iz3a93DF2qb9u}18Kb~lS*2;i&|(U+j>gM9u1rd;Z*k00HA58vxG0AFgklo6K0Si@S z`wB{R^;Bgv{Nc&);d>@0jisq>u`OWHlT;zSM-LnB8; zi2KiU!?rMdj90ZEmOOLx*?az`TW;I7TnD#;)sI69}l+TPy+HyPT= z`|>z@Ma(=z;Sq2CF5WthL|<^;ZmG1YJf{~qPv6_H9tU_5a?iIr z!}f??R5S1oepSrzCtc(OIezYL>_2P8nHBJS>`}iW%Y2+xXg69U#3+ac2gh$!_@6 z)TC_R&9Qim1%H-2Napy;!zZ;nJyf^OUH{}D4efpU>Jus;u|U30i!{hM9Z#Ls4lCnTOxsDlaoHjw5Grb{R3`F|_X!)@1V6byi#ly)oZ4yKB~`wku}EjWPXU>XXRH z^^P3x!*j^-E|$iay)P|0mxSfl!p9$`m}F(Ww9n2jmt6^@nWBmN*8~v_=ri#B@g!n8 zZ2Vw?kPK`{`HfN>PFqe9a7u6)c(?iEvk185HfOZ@4AXh9JKuivSN?k>Vlf@Tr2YSw ze{wLAfgMps`f29r&`--ygK|GRrALyq#$?vu%iXCAc^f5_!qR4+cr;^R3?<%m_-xkB4GOK&JSU=gF1V0&7`Y=#%8=X5S%VO?NY zI3bs(HQe+7vf8y%bEQq(pMp2#0Jr~PQF%>Z!RbyM3DFDfiU{?}3jE+*>&%5x!#!+4 zICbHy|Ju|s;`aGQd)`^79Fdn;1+uGA0)3G6;gtR=7+fOOiWI?Ap%tqOb``S=K`}B- zLWVp~V<9|g$m(b^m=9e>2<$(+jIjSHRP1hCDDO=pd5<=P3ceVJDWj#=GLVFm$iXz^ zN%q=uUU`;l#Go&i-|Lyy45d`0j5xmCaG92XE#31_ds7PlP>cwgRs-q@bzF>3w3b8& zs>qn5l4^%c5uGxOYebhTXcEVkXpMtX*hD2J5GE9Q_k@#=2ra?_J--IM>tsIPUm8TE zvxS5{Ia{%2OzUZ!T10&GeEq2cn3naL>mHMH5=qLD@OJV-mFFlLVQ##N>7RW4P=>Zc zhxhf-rX1OeTm`DDQ2~84u`^Y(m}2oAd;@~=jSZbv429LrHk zP_cv>2bG8GMvE#z{`!S0l@oUt?lRyIkegN-5AyI*70j2CO#69JZAJ;%rB6*$Bi+tP z0VnU9l3S{gl4+2SbuJ<%3BA;J_7@#fzuasy+)n3zjH7I6xYN3Rb%KY7!5W4s?h5Zh z8PYLuBlINBhsTSX3|>#*eUg*F3sQWb&zKBmqVVK3|0rE;)%|HAw~p-NKpPv(lyW?f zizl{|!t*~QMV=<+pTO&3BB5hdTOE3}p3v5U@x7N5WOVnk8SK0>Cj%)%CneUHD7xbU 
zSm|-busgrylxO3CMcwijZo!y~V0^Mt!ITP+hOi#Op5szoD8t=spWKFffD~^EchIwy zbd8_%MO{jeKEeYb+)ml%@jFjdtoCb=TC)Ap6~D@qZPcPJB)O$@K`W+iZ^+X1gIt|i zKnt9!Ph(3i>l>NqQfE0G!Z6bRv6|Gf=3Mj`WAGJ*?88QI+dYuNmT>t_E05 zCdG1#l~~P0MC8~2rT{G#@w};NSh5d)DbbK7e}k_cCXBjPwTuT|>=>1ASaC&rFKRsM z#fb9Vfvix89|^3ST;_!t`yrQiu`O_2()&@FTD|Ew+r;!6x~UOv;q)SPieB%+Q`?%A zI?^HSyYj;p;*Hsr8;V%CtQDrkJUp6L^CbM5OxBS_opw4DD*>Y&sGbFsSTv2W!J)<( z^-&cy5jIIytR3-rytz}6mjS>vEA_bVtVYth+PzM?D2&ANQ&cm zH6o>_=w@Op_>2I{%&@u*R0!ZY^1mm~4E8aEq43hN!;#9p!|;V-J0tHj&PJ~`ocvDh zmD9+X+BF$%q*#ZF2jkueDEl^5$c|V_PGS?O8Idy)TUCCtuFm$ucNZR6mmi#x=7g|p zz;LT|epfN-qI2h8lJ)*@u};%WYFg;mGLm=bge48>lga2xMw&a=tt3)Cm7Z5$@5gx= zh+7EmQ$z5NUShNB3kfW~dBheO} z2{tw@;KrQ<-y2kYNHd2VpVH~ovq{49A|D!q&(LFFAF_reQ4r8v_?%Wd5dzC2OjALg z7XGL}N@nVi*0V;<_a7}(Ys7$Pa33pJ^JJHcQl*+Ieyd7t{mDfPb31=K&zpZ!L#0%5 z(H=OmTbqb&y_6#Na@f5N98*#34${~5J977?WkxDUoVR^;T{y_N-hPZ7$2ff0`BbrD zEs5)$rPfa{@MkuT0VuBx0;Y!KCTiB2@ZG!SN#(MoY!Rn^PjE?iRyeE+Lz^3?I7AF8SDWR`{~5vT8H9 z@8WM7tfIzrSfM4FORJ&3nx%B)SCq@xKq1l~$1KaAMby?3penMjveC=7*AGXT0MZ-9 zO8VPa#=}qU+Z3Q=7h8w!)RZ)XzE#N*+yJ3gt>~MNVOo)_v`%D0{qmi^bgZmoKC#}b zFEtpn8n3Kt6o>N^>UymTSo)t9mMQao)7#N4{TaOO&tNA;iSMiUen7C;=c5cbu?;2u zKpxnG2R8G59|BWysJaNt22g(a>bv^)RM@xQ{p~I=bAcE8Y>g}Zd`ovVQ(eVA;6^3_ zor4+)a`hI8b(6_zfh#wR;Z9eRiu|@YIu~dfy#yW}px! zPRgP!0VsiBgyH{kmo)%R-WR`n`d41IP%C9Ny^J@?LRO-%Rd?KG}n z;2HwK#CnMA2=Uz0%uzoZ(>{*Q5T|NNlR}=1ctmk>gD-21#ddxWEhT80c-AfGb`XK{ zwP*RO#BNjma#9Xv6(%-yj6$A_l2o=2IgwYW6G!qxFIGa{k}v{YSDl5@yj_T%#8lv! 
zhpC?_(d-qziexl1iYD1Q2`YuLTXybiX6q68ec^j}G(tUlf2v@F9}DYV@@y22%5QqK z19nsp7e0Mb^$VeOzMtSe@Z%^QG5j_fB71wx&-*~)cpdheY7!uuZK^AEKeaW4LLSb9 z?n^ufP(d!~%t>hD^)E)vQ}@#m2k)Tmh&+1#a(^Xlw4|22D%pB0B(_ASL2Pe~3iGsD zJQ%=POf_{~rYopl{pg*qG?h;&3>d5<<-Dn(`}$7mOE-y}n!{Kd8WIwN)r`0wK9jA@ z`wV+)+;pBros^T_ivnWil`aOejUXEy($f6-8E)um)}ZX*SyjnGmC)Uq3{>g_V@bX> z40|pURNt!PJ*O|7i49sThyx98W200$>#BVSbr{xPCsvJ0;oXRq?k-IBt<8t2&Bv3` z3n*a~oQB)v3yUiW>29%q{L({}Z+>LYsXuOR`M!IgNUu`(c{(P5badivItBgPBDm00WR`>4aC?fSr#DTP;SHJ+#X<8EzW7a5QR~z$}g^qFDAUJt) zeBH6+AeHOVe#&eEBkrPkbaWagj+`r*lBtk&4+ zEu^8vJw(*uqj0~+BuO=w-Lb0fL)p3(o@>Kl^Wgan^!Sm!I~8580Ao(PeV%y}^pXz} z8d(E*PIylQd@tuE6~S6(#XRF>mx4W&^@Rt{r@?HyWmhB7t8LGwNE|2JXaUhrDMm^> zTUS0_ZkwzhYEe2ZQFxSH@@+@?A}_^lOwIgYD88~a{50rqQ)tS5BeiReP8}MC=AF3) z8ujPpnT~;0(u~-5&>^Oc@xN@VxB_uy+ly)TfwEPb@pJaW?k*^oxIrWCcWOI4FzL7S z7Aswlm)gs3FFCh&s6fHztQoIKIy4sF?my5`1 zJiGD?LRUdw5>d| zANAyezi?O+#vn;E!R>3@W0L3zLDl(nA4&C)es&yK%d{cq-oqnv1XU-I&fHh-b4X8b zqCh$UR!35+%FJy?^}8&tofoMtlU|nKC%#EoU?;^m8xk#*I7c?aj;=L$C4ft54xLbe z)udqh_s!kHNAr0#9peSlJE?D2F9pI?H`9_~M}Fqr$J-ECs|f>{Ed)~Z@D8bOV@AnS zTa={wq#q@$3cp&97OY16!}ej@8uYd55a)66qxrWjF#w>2@onUgF@Wc&P*zbycGEr{=hm zame(K;Y6<=(}N`Wl|*KmwnwAjpfqjLk%yE~!3MJ$GY8i4BO;EN#ml>^3R}~t^%WQA zF72#t@_Ea2?2o^G?|56fIE^_2g-;sZcPWF@S*xVYTfq>aNy&TPG!3OJ7xl8ttWWwFd z7cGk^_vV`VjSF&c%I6xtv7NG-c0E~f_WeF|orWiemT}4N=g$GL@y*96ab@>0XzR7mQ;?5pv;uQB7M(#_0gB|+NUH#0jazh3SwcvX5dJ_k7)W?= zx-Tmkx#%|X8ydlX#><>p8M;eIT+#%gSY{|a@2aJqRyno&j_fFAN|JxnJY-JgQlELR zQ8t+S)hAz1xhWR!&B&2-J_!hyiI>&Ap^P3r_Mu}zO9i7Lv+cp40sD!UJOTpEm zDy1s0$Vht0>|{uL)HLqObjhkj&(Dc3ytxlF+$-L0CT~yka1WwSpUq-6dG&0(Op_aS z%amU))7!1RJXcGsZ?Eq4+Z)?fTJCJ7c$fHA@MOJRn04;VA6J_!Px+QJadjf*JUkj+ z=lL?M9{So_ima_qy=U4No(p$w3Z8+Mk9~b;-ZRo!xV+b16FM5xDzLhb2O{@Azr2X^ z7d=qcsCXm`5bxdAL2|v;sM^r6fC#RStS2$X7|swDO9Yj+!Nd_<2k9m5y~JjeAebDS zGP#il#6*&lG#O?Prm!t*P$U6Z6&8o>CMjR-i_@VMw_+X zgo*GEhXzEeE19@@2aDErR(OME88^mf)fPbo!5_X)o^WKDCkETp(iYMnJyy@}CA|g$We6mQV>Y%zELXc4}>W>$kcfJuEB8 ztp`Xk{5F>aI$cE=Uug#7Z(#_+B?aHqekkikkz0YAg+<{@Vex-7r@X%Iz6WFN@%b;# 
zz1MLmK#$x0I6uR3i1!_o3Ae{z)a{1w0M)MxP&-iDlCVWFSIHD^QO%9SoXR0wP> zqVuV3h>Aj@-+uJ|ubJk~FnPvM2MgbrNSjYHiJ0fa22P|A#b!s%eiunk%S@Hd0yY_o zrq5`kve{mqJnuh07xwWIGK2SdRj#RGR>X9_NcT?B2yd34zx%mjiQ};EBCYxS;_z_y zwyCAP?f5XbnJ)uP_xL$@4)mg@y&9!6e0cLxe$1DJt8*yJlcVUZvYI&_{2)U!!FzS! zebZhn{7brm7iE8#FIpBuKO}&PzrSsI$5^NYI1BjBMf{li6{L*<;Y$6$YPCdGN%j73 z)I{&JCyAkk{>mzt=XgvjxcA*Pib*IZ7CcC7m3NpyFC52Qy24N!)VQN7c#I+D@h+MeVQ9j5fD7olikNPYFA-H74D&C0PkA4(E zJOYb|{r>&o+NYV#)pdnSDyxw z3HN-N$<_LDFp}HRqAWaH;aJ6{{O3{$GDtvE7~f-VnvYz#a4>lf4=}wzq)a!*pcI%6 zH81P~*#GNEU-`2rGY!Ol)=-$h0^ESH;7}5)D>Iu8k6y!Bz$mZvwS*ouLF&-qscstM zJD3W*5&zoC)D>z_Ccr5l)Lf5&0lM`G6Rtwc8QRu>lJ@)mV9S|;>j}K zT;@-^o!dQQ%KKomY8v`z4q9sj)C)*IyG&8yy4`IT9OF$$7m7(BAWn*EM8BiykT{`W zKGg|zw=E^+7nOk$mJ|>cSt!*4m3}K574tH%RrgC=`geNCthjW8fr1)SQ&+-dB zI;y80sf$LchzO;)Wyn%h@E>o>$G`1; z2`uOq;_0Cri3{FAR0M*k^(0upkQ7IcGdT^@*r~)6=?{9SOfT{_@uQ`ErB|GGg&>8j zhN!yk)?s!!CFZKi9zhunPQGddr{6lM_f=}Y+>Qfk%YR#LjJ$%%ZXXYx^&yvocGS#r zaC&okpW>^}f;-FGGM!uJ>tn*9hTw?GVdO9im{@J)z*6~W!|{t z)=@@e)H%QZO#A(i%Z7SdzQKr5DoZ!0SOis-bn~Vie#i$yE$Q}0?E7gh*V2et<2f9T0Vt0`%g1XnfnN%(T+Tg=~{Lg0s`^Z8Q3!V=mO0$a3Bo{o@^#9dq3m)S4qS!O7+o(Ue-R#udJE1FT{<=?e8)) zB}}(yM1hC%(3QYcH70XIA^Md{DnpjFe(~acBy&L~FLfHdTQ(fOr34!PMj8^Ul?SPv zK;twyp5)^y69W|@d1iI3@3UDbWzk|zfEip3wHcnucY%Phzft37QPx3fInYf8l+;&* zR+43Jg$I#FUl*#;c;6E&Zna#@$JDbSMj(Z+Y#V>v631Qu29fG3W-fwO3+6B}WrnX` zHv9D$KcE)ZzAlC2dGW1xfw9K%VA>Ssh508lKN;^8&S}ba4w|OP$&_#uC?g4l2jI7= z%Q~6ysM(>^&-m4-k8pcpsK_X)a=`x81ob9G;XZJ1|4kFr_EmPAo{#dWntGT>u)}ex z%~w%jIC_u+g(pxyA$uyz*u{Y<{S5mx4w4e}_5f5?YvnaieIjjZ%4jcji+X9*rRCX1 zK}16A77tE*DPhy6-<9WZLIY=ZYSYX4&hm0I4Sqy>X z&0$7TBGBoyon?j7&Is(^y#@{1v4P?EqX!y6j~zc z!Y?6Jy+vc&H}=O+Mmanx;EY$5!83j|XtFrB@z*r6kfgfnZll&DBcKw9`9ID(S5B+@ zwnea|)zq9O!A0oVy6|P4I^`>^(nlAx*_x?7ke?{JMxc_S(=yvme<4-r)+QoZN%y42lISD`_O?{xwu=^Zb9+8Ah+Sph$ z+~NCX7{+HHaOZ~nE&L~S);{67_n_f1g}BI&YHA??a86GO#e;#E*TQ0Blrqlw zp||XppJi-51A9FUfBcxPxSBPt<^6E|vTiN5eDOn>V5RUT&$G?8+*kNO(PX7cn^k%l zDyUZR)BXZw5iJJ4NOOL^1|oZ3fbhXT;j?6kWtLMa$by^_H|M2U!0e?TPV@zibt4q@ 
zI$24jM`mm+ni{AQ`PlwLlaaA zS^z2AZWq<8t53R=G*YYmh?1S^_g8GKwLJAO|7=xtjMCy~HXBg;UuSnw2AoIQ)d6wHYLWMK!WteLgI?Smgg9tJR_ah=u#zTA#VOT;wnseU$tkE$UZ_{-M!Kt&Tq7!U>ktmA20GZiXLixDuxw$+_^Idc z_el63WFtnEQF05_hoCtW^c<`$5sdvE=mgG<8w5X;0ev##ZA6V)tW3x>VSk~(RX$Nb znXv|HIvSc6%GYOY$!HA*IPB2mka!2_5*keY~3OpRmkq%d2QCi7%J(@b0@Z9}4|%;GfTT z*x;|M6rD4(l8;1R+9pIbH#3KI+7C}xGFJ|V_*Pajv>(RN($Ok(S{@|t=gz_JG8q2|G(j*WT5=1{78bKlL%2Ms%rU(`Nt!-&j8YC<8UB_$`u3z!u9 zlIy!8(*9kV8Z~446yykP`Mf?|(4KA)5zSC4MKo9_b|4(lYHmg$tkNmD>pbA*t^-U` z-CvmY-qU6BEwI$`%q&bfjUz>NFkfsftuf^j+R(BoqsfI&44ybpynGj~I{#2L==O!m zJ`c5Wz`~qoehi*VFpuV1A389*WzqQv@2l(TiT=FVH?og00=l<4C}ZN-|lj?F@Nyo2C$?^8Cs5xn3u zcQXW@r`zok=}R@5cwfhxEyUK&6*=Vqs-tc&u5-pP?ON3v&R=M|A&i;V3C!S}3Ztfq zPAK^dERVP4>*R}F1@FK7VXZ7qQ$NiE3w)K#W%VD0^ywFkRnd;r>8GncV`M9j?_}AE%SEaPdIjr5 zilmq?SJy}`{mr_%1fAJ~0>ueuO_lX}_|qzpa+0%c{L;?cgrFOf>H2}NPvk-ax{y47 z4W}}O?1yoQ#GYaqPh=o%;$)#aLxB>m%$t`nj6)+U*E_hbc1@$^Fft_K&%f4}1R=R) zD?D1!^0ioHN66MlIahw?-7KTo>sCgX{2lid(&FhyNb-(e$LWXp{Ho*=d2h}}ZC+Ts z%6QUKgA514pO~<;MDKS8`lM(KpY!;5JPvevFqqD7)H@b~X3%G(qvh3ZaDdT{p-@t` z%SmQnH1B!?BH#V>+@C2~2tH+IAH_gP&b*m}%Gn8Z26;-^*buVHiKOAb;&d$~>Q}w5 zuk}|&>{gITcSlmbYJ>Y45!t5c8>2!u30e^O+`k;xuZqZUjA8{x%r~QUg{c^OusByC z@*XPVmAuHPxtI2Kkb~f)r-p#^btTpK({<6FN$}U*e(K>}SEkAHSf~%X9{&5fjwl^` zzY~d}t?Jq7_jwULfwR?X;X+iTk02aNgkzh~0|5yoL|X$MYg6}+tcc$_`2G_+b3XYA z)}8&H&VfQ@yUe|r-~I{@tNL0=P7WwG%t80xWT)y zN$hSFTWp{IgBSrg39V-bwgxULHClrmTyg;$MRG#AlWE2un>=w~w;_zzuhT!tR0yDrTfN6KrE^?s;Edl?8~WRYK$0xQHePC|mVrt3J>GGuh?!Tu8<@_6X3@>)p~ zibC1;gm?~u%_Y_5$qy@iL_v!>XHJ5FN&+X|WthlFe#7cY&I5yDB>j+c{PR9G9qU10 zf?9AWb{*Unw-e`$YLCFX-%*cZ^Vj`xwlD@HRi{1M;89c?3Vi#sYQ4II~2~ z+1~g3ELEjOQqAIE;?pYK%WAUWIp6Cp-itO= z>C0vH6SU}z&TG`G!rp64JMy-U4y;Z7Hx`kZSMTeM8Pa(Z>{ESC$-yc0ZW-t zdqaS^DeN2g@3K>dW~^NPth9KWPRaq`d;~m6g+o6z_TCC?#|l=Ve>vR7S^2 z0ynd+^A|-*OM$Z#x{<;v`Gl~5W9YbYGDN;1nOslfSHZ+_qN$uL7ZiOsETeyCZ##ow z@&I&60YPM$d4-t%yO9QTM)#r1q@`u{-(R`D?Z>4F$ywP8K&8(t8NE$Cn@$@~rPrG? 
zw3O)HE!-zGG)44TCc&^a_=c$30|5J7XOa2NXp%I^3{OQ6W3$Gc1;lQN6&*#Vm_F8w z_n6X~8BF14`pE2NmmH8<5wBOqe*EhI4c$y}XMjlJ;@NV$2;yRqwtIpT-_ZtF7pqN$ zd662jVXDrLsSb{;$TbwcT1%!gT%?kN=qjHAg_)S}KQ@z)sx4BdTic9XiaW~>GYP^n z06DH~Q&j~Dmyog%I9uY-(RAPn=vYinWz6mlI=G&eGhOpH^yiu4&!vqmI!ZTE-~Ucw z$oCdw!%XCetV3r3Y6Z21@v)<=#V!g8N=TFVCyCNgio_O4@BbEvVOPV99)OxR`L*yY z3K8K88!dToT%Qh?WAoj+Qbz9OHxA%a1I7J@!en2ybS;_+ml?i-4aLTPqD=#Q<*pg4 zfmm4KVn@v$dH;>oO%Z1#uF-rosW)vPQtEy0xnXm}kND(c&Wo!jc5J6%gC{vgbSIQP zm_Jc*-Z-I-ooAZOdBK7mRjP%HXDN58bp*Jw%matwa-bM}b#Q}Pn%K`V41z3y0)g@o zCQuM5Od)|EkLA{9lA`QsECBz$qx`y*(gRTPX2UHu%o7m(pn>$UP8qD4z}c@ks96P* zg8XB(`F%Xd-o?q2mM_J;mQHw&&Go0&QHALHjb>vJ=xUR8YO@T5tK7lt9l&(0@A^N`CzI;oJtApFgOhG&;DyA#;dn12Vv6QQ6+7crr=%lFkXHaK`TlK7 zEvPQ+{U3L`5ZO3bbzCO@rYAAa)<7c`UAy;rLI#4^bOwJPB`+EY$zt{0U)Aef9AS9? z9!1_n=BS?&%QqYSAVn%8BkO3DvRfl<)%kL7-ebyGz%VvA9PlaHalSle>i9~+2&Eb9 zxBhT0E44cKs|ZpnsjfWL>LU`1@^J(c>P4rEtkE5XrPY-k6uwG8&zHaZ58X=#=barv z=>eJrfS^)>R5JrpF(Zec`Nru6%S$c29@W`jQ-*eU&SAktz%$8By%cEh_I7FGx7 zM_dxF=ut|@AAZvf>-3JWqCv&}FH9=C`Hh^xIzOHfw9`uC`54rU4>UGCmz6xbV%Hk@ zm8x+E+LDS4-iA*X(5BJ0@e}Ftef*ms=!yd?+*lee$;z9t>b!Z7?uD0I8C zuKgU<)`+Jts76%O)MKPes_0uop29(=DRaCJ6-zqUl>wTFOW|>#k(+;-lI1(rNhj*S z_kw~>`XtWUwLvEt0Lw*cx1ya^sbVYhJFzNsY7cOH3vZj=HOnYEw6^xz$9o5#8uq7h4WeWOPu>44?Pksab_^P zQ6wHD=nQ*a6bYqls6(dl$$}c{GTW&_f2Oj4V?PdYkE-t4Tw1{LRqTcVN7`~=%xvCh z*ibg2!xP#PHgS}J+Aoj6?wIpREL8V2!(^`v-fw8)v+(a1novs`M1OabC@jmja9ueq zJGW_s29?KkHEYxZ&01;WNgm+U)5i99lo}jikX7 z_u8{ZRhSOg@3a%Q?_H!L@FhhasnfmGE78*XNS=ZcbY}<%Ol#YV8TH9Q`tH#15gi3} zxGP=PDydK3TW|IV1Ac~Tv6IL9?jgb9jveY(NKwYn zeC>JbnF%t=0y{ebBqV+!K3{QZZe#+8AO3W&oR#DDbd=AOeiC}de%VJ;fP+ko87&HM zkRegJE|r535)P+8@f_N0`4E2fkGpo}j%`x~iY-lz|OBFNtz5nOuSj}hz#zQIhk z%n=q=;bZIj%LrdoST23AU&B$rfpH6CCosdnb2m`D94?g3ATWPj*FFL13h=rtlolri zwTCQqm&iJbK;leNOa>{cCDCNdfm@5!=1gH`p6E?*ZC9z0rL9^Z6`P zj3=~`JI26iGg_<9UfZxo_F?(9?L!7ugxxL(U1=92EP0rpv?g>ZckGx4rwDMdb=_0A zjr;at3mB&vvTDJbLZGfAR#wljzd5MV(Vl~s>dCgRkhG}^xBekc?l&+Fu2D9aR6(?e z!0Q4FlJWrr(|h=w*_-wEj 
z`a#oGvoMOS?+c&zDH>Gz{*8a2F{dq;(R7BBnDRV(nG_D`PtLmtYYX39<%y0z5Gl*w z@eFLXBRl{utF|;L@JMcm%5s;M0?1)1Pjw(NT}thSIi^IRi}MfO$HWx+qm>-|hW7>t z5-f4UN~sg!ffnm3xye1^G+=_6DvHpuh+x7){#HiLOs)>bY!r7_MU2zNVm;QORdD8W z_S)j=&Q)PSI7i$6Z)V>co6mQ+`SxbbrDqSkEfayT(WQ7q4zqzSQAbI*6@$STl!%fC zAYHc~0Ka&abY(OoX#G_9N6)RH$_~;hCsr4#yDxm2wx>cgxH3u-?5OC#wu9?v$gqwK zR?*6j-!_`@`So-z+r`Va-Wy~g?z*H;C)H?-@-jSj z%f)n54;HaHQ1s#3P>L%C&pT7`{geeErYZ&T{WVeu#U-x@@ememDFT-(Y6FlW56CF; zo>7$79F!%LDk6kgqJlqnp#P)zOgKZu#ykjASakB#hoIyXBZLBWC!(lVJZS}sHYtyo zT>1LpZ*eQObm`p>c*ZN94SEM;Cqoa5zq3F5mgml}c;?Xe-KtAb{?yfb{eZgEUZ8V8 z(WMWEk`pG%yfEHh>qF6DV>mJy6@rF~NvX8C`Ak%N8pL3*hry6*4-kSER}q^o1DDvtX$Yc>@7;pb!=_{b#zf#3LLwO{DpqTl5Q^K-wGfm z-IzJH1XKF00*KYfiDhogcSpeX9A>3gNNnqjgjU7?(d*l_dCW{*HJE_6+HN+rP&dpR zxwr$F1njBS<}*c7WAc=n1WF@}>tvbM_ehijJaP8tTD!wa?l}K^43%CA3LWJy1jC-2 zmlK&D6G~jHejC*6taFzq440(UXSXS>>=QiMrZ2~mmCPsEQZ{NY>jm!lC5kW>Fq*}O z+XrLCT+fTGaI7k89&_9Mna{Ws>g~LWkI&2Zm+^gVv$D^^s&ic+`j(p0UW#?i&z?_D zZ`^8q@@BgQ&D9-s?A=CmEgH%W%YjCx62!2(QptIs>Re(Dam&6-3w1?+C(B>jgkI96 z4YLtgK{~S#&)TIJnQt8KU@ZbDK=}f0k&W*}t}*>&KgsO?=!M{$zfj#Un`ezXuf$kH zFPRtp`MVi!%(uvU@njjXl!o=%7`bk(zgPR~dSrQXr$^=WV#BWt+S7mQlgMC~{?-L{ zqR?zutF7-=m4&>HoysATwy$g_F7AI`My_i;)XPtJ%H9V(*B@$M^+DfM+iY>psNLte4x1^K1a9*3fI}c3NkU*I1BQ<5r?Ik) zm_OK!`}QadeQcLwK9mSaCPP_8+tf5zsLSE_dyX)QK8&qLH|##eW?s}K_EGmgWRdkY zNyZL9CIbW&(gY|*Wjw>%rVSOjf5GmcrqkRMy)sVEMCi>%o5h74yq?jKXnU^8!li8CygGfjTGdR`LB9~q?A-h8E zrFkFc*6~_MEbjPoyf|Jy+utFuZX0lWec~(E8~r1*r<8_=+ilVL7b2t^Jkan~3zx(+ zZhqbCG>TaoF45?NvUH=u^XLYmC*-2{U*5pyEB9lx=FCgH8O`a@L*q?$gmwUdOs|YW z!{ijS3{m~;VU214+Eju+8Mf`nh*S)27H_lSL7XI!DqDD8VTMFk!H=tOP0mE^9_o+3 zNdt~Oz7^`NESg>+$eI{(!$mnlImI)uZ=_VjB%2VoD8*_+Gh;+qB$Ay*1b?NVOE^YN ztil4FuiiXpD_Dpr&Lm%rM*Du+vvImF?PSOX7-d>W)K56s8zAO;kHmTzNnY9q0@yw1pTNsQl_23 z*DOY(SXcNXtL0IyvZr#RjWr4#mV4;I6FOV#hM*0X2?@ZMUp%|Xb5gr<3xo?^lm zuyJM*0-St6nP{Mvr~E^aE)m4v7(X6t{IOV>#qTYaX3VAU z6azAd{`f~>mKNjIJvTTSeCk{IP_@%O5of1AV`r3%p%pbW@t?t4phXm!i;lOd;X 
z87hZtc0oLV8tu;?%VcRuY~DLuc;|s~pDh=)u)Odr3asI^wlKV_VmnpxHkc_IOHP9lLrnt7WMiwNnYCq3)R=Ik{Xgn!hj5HT zq3i%#9CTCLxYsxu8?iDxYNkoMf7X&u=nxU9Xg@SefiAK~TkZ6#vFo6-Ku(G}5v!re z7^N;f(x_yv;11smS5oYbay~Nd9E_=;2Czi_`&%72YhXpO15kW(X9FaE@Wknlsf9;* zYT&C^VGgvJ%lFKTwUI|PocPSJ94Y)0alx4;)C`a|@c*rpu-zsUMmHqJKne!qT^q$^ zlu|mj)g!WLF>m9~?U$u+MiavkV6IuJWL&Q5;2MaN(d{;<8fALI?|xtO+f47=5i z7H&!6%8KNd_i?!8@fJC=wsQQIDgI@4kjqJe8Nm6C87q{g8FMT)xFXe|M-HVCM38j> z9s!pdmsJYc^8f@b$AHn0R2P9EDe}YKIMryD%;{_U!p#$}@(_v|<7@p0uE@mJmc1_8 zszvY6U9MSgI;g`k3bI@KrV)WjyNGF`XZX5gX}>Ef9UrUcb_*O~N=f?#Ynrc}wG~Je zD*CEkiAgS5!ib#*dzO&dIS^8Z-J?&C6nm3O@XdCUe0}-FUMOsEzb`0e9;~~upd7^& zBhscu4OA;npl$#n5m4g3hi%{jmgS!zC^~8*v7)HvN&bc%aF4@A10X<)v3NGCw?4FY z(j%R=k}eQMd(4EZ}>@-MwxNET~@O;?^LBBgP&FYNy)uU z2)@#vbhCL_^}J%^`=8vxe162pGPe3N$b3c#GFRL`l^azmr-0K=$aV3@ry)21;D>;p z{zM$nSJBFef6lPi&y=S0yRhVmj6#ge-{0F$G}k1~-FTO768m6efP$OW-zChOPb@D0 zQI9R)SDCM0P`*(j?~Oj&M>Hv-S+{Z3&{NdJph+gxgH1gXzc+~7`+U*IwrcQ8nR31^ z?mW^cW|FcFrSE>;PU@g5j$xwO^wltAv9Xt{Z208@)3LAy$S)1)z?+7uk!_mJI2-& zv9rrtBWWf-1>;n-IP_e?40VVVfm3-|IurPFH2G>#N8PV%!{hyLk72&SJN2*~L(Q!U zxD31m%C}Eof_O+mfEZr}i1-d9@|Cb>+*;XtC2atem*9Wlg~_men^Fm2Lf5I1F8-9Hpt(_OT) zZi8|7gm9-Xe^kyvbI#X;zLlb)LcOAcXq*ke0F;w~qie)&C{XwFr~eWJ^ABi{1^T|g z>*@6#;jaaNNLG;n5k*t~UJpkHVnHlWz8Htls%|(G3e|zq2X9!sa==^fHJ=De!!(?h zF2L{PAtC0HH$H)$`NBfN=l}G(VM0vH!);-}`LCUXFJBQr)#{*n6poyr8pMg}!x-uX z#A3c=0cOCj8~Np6b9Mnp`v30Ge}&8!g*0!Xj4Rug7s!dl)AmL&_H*zIiGdvEG+`zS z7*%V&U1w~GgvM86tY7P>0v`!rY-vRr1=@G7p%AE0ec8dQk90$@Qc<2pK23b<6}Tyf z?a$hcKTiBmpVv$gnL^YqU&v6RuL~z|2IJ7sEbg6eNvw(P`XpPowHLSAWh`}TonC$7 z&UVJOB9B2M&Aqe1agB4)zo<>9Gfo+IIfOF_*(>f08xFDb|4YOqT9pm`5Iz0$- zhYo>sa=$Jy<;6LtE6YVc*5{|G7E`;{mNuEQO9Xv){P5>Z(R&QNXqdTLD`Ji2K{4VO zi>;9n!B=xncP!&>vIUk=4%+-OciO;Tk>&LE8{p~80S|rptk?@HnGc_d5}|9V(L~7U z!}NCZiGo|v|Hsr-hDF&nZADVLyHmP5leL411W{XzNZMuD8fE_OY4aD*xm_5|k^2+Od$I1n3ieek?}G}tj~pOF|C!CvB5O zPEs&P`eda@cc{3q0ugu%PwMD3lMRhm-qOH&xbLez%S<&b6E}X)9{&lHKx2>NFj@G1 zm0OWisKQiIOgO_tA`NG*h({I2ZX7gw%;<(=^?70(+k&|holVMK>U72DVZsrw!`RB@ 
ziHtNplAS%f<}j!Z3Ta#2Vw6&_Oip;Uf5$WR*}_WQSYiw(#8BTGz3(^;g*icri-c2`;cd$XvaeoHe7`LPxSijWwfqGb6Vew;D|{IGoJV87X0b z>vR~4yZjmrxPCDTGjtM__ARXnz9ESpDtFRY_U1@NA>BV|1Ckbz?Q9J%y}VRAj|iWP zy}qKTS9G&3A~T6~TjVnG^;={ux0N3e7bD)MGMQAOn5eK>tdPIFJE7-VU+L&$stG!ri(&h1Z8{g%6xqCi_=sI-v0*nP48Q!1TT6D_+E*BzYqFYKOtgZ&Sh3HQGed9paCuZs z&vKucNqD%4+yWqjBMCRB5QcFeA)9_7z$Mqd`soL%oKq8=V7X>U+dS0gMoG!O_ z4FZ{HGJG#Nozvb8&%MvK+4bu(GSJWQpaKtJL4Kx2?>8|0%)O9so!k~OG<&TG*_wu2 z`+#&yPHt4+VA%gnTd};oHSuSI#{}`k#9x?ngrytRGA_SSHRGpjzu(HsYKBM9){bvt z&&O(3C|lW*#y+O6uq4|TNt`C|x9|QO2Nr_ksQWA*{RWomR|h+&Gr|W%j%UB zZM3=f7?w>+i=2$>wwprKb_*fv5K+ z$ZIQm;prZDnKf7JorQ0iZfMoG%{I*>X_~`0I8)-Ou2j7#UbIF(BfXyY!oz1^+=NF+ zjV~Kr;2S{KIw2Kj-HX_f^1-~nNB9(c46YhVe%Qo( z?DsYQd`p3RvVH%-hQLQ9!n&-m2Iu-oUO#=s**wHx!~>ym=lBe9P+62 z8gV#z@bX+VK+%p*v3O}q@eu!WPj5PhfqfV9k}z(*e#e&jr@GSfj9f90u;k3Ug>bF+ zR~@bpiaqCaNAvRW;N{r8j8Juu(A#l4>->u%-O|MM*u|a09n3W$e-?kbRd27y{x{XN zODIA|AD0jf-;ko{hp)312JIpi8E0awNyl zLraSZX0NM764O{06mG1E^XT2??O4^oo(=xYw5CBy73^Wss9s0>sxwq2Q{bw@B{91b zN!5~`kR*1Y9fG}SWWNm0lZl9JuGgS?c0g(AqTHOb+g{YSV?89vXNrO*o`R&8Lw-TN zez(!^=-rYtanyn|FTK7=Rx#|_ZvI2PIouEaSKk10fTINHqYDx2Q5Fhj_;%W;#*;U6FP*k41Pfo%1y<;Y2&wiZfo@pfHMtHYtvnlwMJSF`;@C( zO$O0XOQQ(rbQ%=)^NoW*WSK!c8dqb03UZ2mg!P4 znZekfu}-I-$A^61b5R$b0Te5`Ui}ekg*6;;5>V@%<1pDPVk-ZHEH?npQuQ-m|p?mQy!A%Jx5Rw51vV$*< z8HzusWk39e1aR*%HHj!vv`GT3V|h&ljN)iLw;6=+>wNZOI6B?Fx}>)p)qPs`Hqz?3 z$Ml|GZ|7;BPezn-AykCDnz!)Nc|rfCMX-$U79+e`Q^%GuyBsNbKB(jjZd>+wzm$MY zt6!@Q_h)D*0=ltt83ZsC&AwX+=5ge|lGX=4ANA(aPTJWefb5j7GUZzYhNU`9@ zczm*Dag4idA&KMSLbx)~3arNR>BB^ABS1dBv&(i71MKbX-7^_W33QqKx;p0ga8#1O zS(a(otiGk?!%NUEcYsFOV%kLN%$VW^ae%Yw585|; zlwPRw?1@#j(Epe!-ggO~2z&_sRc9Y^^c2G8OM&}&vWDy3dmsM-izb@c9#m-4hOkOK z9lVMIRuTm0anYoQ*Iod`UpgJ+w1&4r{_aU3Xji3-LiY#T^gJj!)sx96k$94!=K{Qh z;Vo&%W~oaGBCqo!3h_Z9M+m)@*V{jnsf0PTN=vkv@rrhor-RX3x0add`UER=t9p z%fe;lz1V)D$Q>1RLe+g+F=b%bF;(k#7G`KOEk@=!H&u?t4@CLeop5_P`o#GcPZ7x} zG3_uOOeTvBFG#c8*CS9R-&0*w7-P?45~_U2wnI|8-GF!Ef6DxO-TZNJy&1`NX3%VW 
zpXpR`kZ3H0MPz2&3-d#7MHZE{WgyN83>b7e|8o)kBtH}5_M%e?=`QN}NP@q*2z62zcG|L7epL7WFQ zZI~f&8%0paP8lX!ZiI1oteBT*pO7chm?!>g7R>L;V|xNsS#c7v04s}3pi6W&*ViCI|=;-gMQdQ z04G|ck=&MU1@(m-Xl+AWHtEIp{qDMOPfr^s(#kUG`0^o(ZY|m7RI~MW z@0$4o9pRG_l=9Q@q+5q!nk(%2d0idgw1)rY_6h@i`LJnp00U_jC)8pKu@*+LNX+hx z@JXor!bIEBdO})Qq0NO~*L6}wj>&~>o(pe#l+3ILa+^#A;)PKqjnM=9Q2Yk=|3uq3_4w@1~>~li=Ifads z`?AG<^ZdLzcJQLVo!L=a^Ho=Lsu%KJNs&CV4z(N3+NSWP+8}M#3!^9L@^fklH3w#L zJYTmwQ4#~;VAUGSGdpI|rYm|T-pT=dT5FVs+I%V(%IjMJ# zF}aske9g|Ww`Ey%Fp$bKa9m-taPS}9uS2VN3d*jSOdJe@1vk-j?I#R=_0YDeFd=xH z+^X2`=gk7ZQM90Z2+t?H3~BUP8s#!K-wHAIJ2(+r=k@cI#eLWu-7;v>lf^xQKv3@Za3& zvRjW(Tj@C?2o|$Ujw7M+N&40x>8(msaE~reF=x+&2GaxqUDN89c}u@4Nds5sn%!Eu zdZZ+a6q`qe_`PDLs)K2<`#_Dll<$kvK01Ix#F{I)*Xu`@`cH+6!dm|NMHwU+m%?u$ z;iSk}ypgdr34r3{f2PXH`FN1;YmYb$)Z)TW;6Ii-3FNL@@(8%X{3>XM)V+E=EFDUpLFj`>#_ zmU0=Dirg`0-ulrRp6@KH=0{6)Ztq*F@&$(*=2co)Wgad@`-#TJP|V#Fz0&etIaDAE8#C z701wUUzP~NQE)Csiz0#_U;}RVQ!&!E|I=%*hui!{SHOWaC}w)_iN0b7S-FBrV7s1_ z8&}VFv>f%+XG8%Xwh^1g#Z#FdP#pGHJ&1=i;MXWW+23mY2#iZ()(>OGP!c&!EGl5j z>SO9GDyDjL_!N)(?MrW>Z`9(d5xRxFcE-uAWlJ98utZ)bb|Pd z5BdhH?!eX*5r0gN;93TuI=8&8$Pn!B#?jt%-|TD3Jz5gnc7jn8X8kcwIF8~KwQ@3D zX>^ldO&`3CqJGf*6L`JoKQqXNdcLwO3R5rkv0|Hgr-l7*3MebZ zoa8zP-(K4#cOE6ypGd=nE>0_3Au+`%aI1xS`{q3yu;xGf6%8MNT?deu3G&4>s8LVn zH*)sj(rdg1%xtf_L6I3ZPrSp1IAP%fJASe^n}n;Q)WDJVno*$_;z8IHTE^8~CFq5* zI=OmkO_|@5iL5XCgnW0iE?K`q_%`hWul{& znYx`mP2Z1#9mRkzv`~;AojMVyolTaUi%AB2rg0N)_Q;!^W68B zjK(%+IJ1rPp-2O6XAeK_KUAz`cHlL5^RFHN{fwsMaN%}ahUw8*X?3)9F=IbGKd6Bk z79VeQ`}a=zs2D~nY{h4Z(ci0v-Y6Giw=u}uTd9@LaTb&rd#(lZVg2W}Z9NF!+Df5F zL2kP((+oVL(eW7brR_K$xr~!1sdBeJ&Gab4AElMxC(B#Pi1eh-szZnDSErHIwi3!~FcA1urn|75KO!yCIgU zvA8hiZAR)-SF-5CFfo7SEVoaymo7eqsowt#_6Gt)<9vN4qI>E`a>W+3t36e)=lsJh zU+O#QH~Wy%3L`TlZ#z*Mw@AV_C<_|@wLY$Xs9O$|&ZU8z%~hfqcz)&8SkVo;YT~!d zZU~!%NjgJE(-!L9eC9UMrXBC`(Pky*Lw|dr&lq9DaopaudxitzgI2rvgC66qM|X2s z%TYd^zW#cuG6Tz_U%vuY*#5K}{j)Mf@Rjqp=pXc?)h*87Sb?{?7Rn17cpNh!YsW}R z;s{Hv<(3|UmmZaFssNEpNf-M6qtI%n*>$LtK1A-^~=Zi7@GAhf*(4#rdcU(&_NM~R_68?*>Hk0CNtCj*W2*J{;^ 
zlGV{}gpAvo;4rlNF(H0iQ}wIG4l2x=gS4ST9|SSDIo=KEoB0QX&^bLJGzqL+v)}7E zNW?0pndSY+PPzMlNo-}a{t2#JP++*Z|IzBiD}<&#i}Z_DN`1vraGB_o@YGO=5WM_i|VOXhgye; zq=-Q$g%#m=sRT%mT!)S%)`Ie_us>;H0%TDPWtD0eS({`edz-}}0ycsFoK9Sdle1X=!@Qbir|FSg951T(tXM*LdT7W_QSP9hrq zd`Id=TPrf%qFzIa(-vPPVxOjlLdGPq8K?|*Dh)LLyqnaAe0s_l@H8Z1Q$UWt_b4|; zN@U7A4|#hn;5|vF-G-xa-=FLj_7V~8Y%J%|C-n`40un+uM8W4Fp4pidhf|w?v6}x6 zT?2V_%xwf{{e`YMi6O@cNM+2V6A+gnM6~Ux!$EJ1PXE^TVJ^{MMBgF~p``YT6us;` z*^T|}305Qd5=^p(;ftqeWcon=r*Jw{t_o-?F3`<^%nNqtBQSr4AcQzwc>SV?$n?SO zs}XX=3cnwl1(fR0^_tPC&%XcUjw}}<_W$t=RlcU+#6X-+plr(eh789~%m*ZEaa=b| zqQ^%rs-Smp?4Bk~RQd z}b#n`+9;w)ni|H9f$SYd>4Z`hV%SiNM+5QFmReqE; z6u|JZU!#lgAWE#xmFurnZ6`bCvRa5>y^UH)c|Vqhmi(}6R0u8m7S^+r+0}XjUGI*E zUNXvJkctK-aOT4(OS`R+3?{|1k9vPmh{%tBWf}T)n3}}wx2@sc-!!^G2#0?Nlx@xf ztYScjSzO2yE!ClyQd294J>*h2i^QO*v37AA|Hb^6aqpKDDHQ?_6F^j%PZZ(2gYpt( zs409RGUQW1ZtJYUdj3)%0lsHEVN5@f4gKh^g|0tW^hJ+Is_)pWAAd3-K~4~v%{7Xx zj|^O0FX8|Tpo4Fm2U(#>jf*#DrkX5$xLA_6pes+oV;7t%~|43|aFWkRY6db|8+ArZb1{%hniovRgCSg&#CHFzc)A>Y(eLhAp2}9I-Yd3J@Uq0)E zzRB=s(^%a*gg5Lmy%3FBm1db`cinq$Cw1OpIPP@&l_fXc#;H#jkbFr4CvCq#ZGPrW5nf5*^X{#@}dPX}rK&G=YoW88V;U7mhr~6Sxn0Knw zk%aUO_WnE?U4>3IDT2!*b9}28w5eZpicHWOMBky;1EE@TuyinS^6{+IN#{`Hx|UY2 zq_nrf0IaQlQ2Ue{l5fy@d1EKCYZ~I(tQkus6-ll$XT=Suk2-KwdLESi zo+#A@jGT|8>TGtQ#>jSz%nQtudaDi*<@osqs)uf0oF*TS5DKxg*D(pK(JLN(DHL=f&es1-Tj z^6+AK>hg%{l5?$got0k8t$H=?mimE7$*KeqMQPi07o4`(IM%#y)E@I4s(HkI5~{WN za1@MsIlO0)lQ{UcY`#Wve(2jdBa^mvI0H42c$nX$g@OK}s1`4QnkIeCH)qYDIaAyv zlf0`03$BtNjwdDRp~yik7=ik(Y#97+Vhm<*&YJ23kTC(}EC%ANHNtQQk5F^*OyA2g z7ruwQN&3ji^pjAvVyzTYS(={W$C35wF?KaLlP71sX~FY~*M|lV|CJp(*rona0+#5( z_+2E!FciINlZSS?^0z9;=KjB@MXB`|(HT?TqihND*^84OF67=Y6&05H*D6pkuW zY9Oh)#q{k-{_#uRk5V=t7>@d@Fz_iimYmwvg5tui0`bT&D8k)JO75d$yT(qspM>50 z4@=IS6sAzAp?!*HMWiEDmR5*+uBs2T;-l_-^3MV-;Yi58!~JMiwNP<=ViFl>RPjLiFrrnxXd zsNp&T#@w;No0RHa>uad^JKEF6PyX-MtHaW@cgdusDZE=BsiY3F<%;!s`tAYdWhE%M z*0qeSs8T|>DhMWRAwk2Q=>0^03TaDK248x@Kc&gTvA6FF%U$zEL*%x_7oRSHG0oM9 
z>8P}qZQ~HXr-A&J4e6PAgnw!&H2~%QYZJ1pHLP{hw=VXMBJb17BKgeC@e$lwSyde? z!YZ|$4wq51T)$Q};zq{vb+~a4nirHPGdD09;ge}Jr|dKhw@!8is+{1ITJr4FoN=0MSFn!bd`hGSK*dLlxukC-q$#Vf#Qc+ zyGTa1xy|FW$=X0!czApnX5`?*`{1zcH3d%_2Xy;5^=Ff3ToDF`pW|9LWfEHHry;;M zTsMRLgDWbB3LI(tMI#7i!aRqKDzZ~7Z^+jN5;!fq_=jfd^Q_P( zPwHrbt=A5jOuZ zOz>K`(FrgKO3B+`*d~Xj0@K=FX)R})h#T5K-GZi+#CNufy+`JY$M&=MvLg+1v(iSO zyFR@R5gx4u-Zjkjr9e@kn<`fKLSvVI*D{ zl_WO}pAOSW#M=usWb6b9`v+klG4B2el#;)GR#$R4^|?%ak_aPcUl=sS_KQ9Wm0*50 zoMb;w!SxOHwUydU1yvbsc8gPbeBQnKJvT1&r$s~)-0K0w;w{L{nm`AEal4XRuxz=7 zCb3bGK3+uL7faw_;|FEU_G^+^&~f=EgU zwM9!9V#LSZ^5u$+%Fi13aff>>vO3eKwS7Yg0QCILuH-**Wl5%#m!g0c7>RL#EEW|d zh*rrYUqO`SxPkiFKtYm|KrI7!81QYsmM$TIO$T;$xlJzjVNFy)uz_ycWRL4T^b#AAY25WIXD!&-AidvAp{-Chw&4DMi~l%-;Sj=?=56g?Ebp?y+C1 zC)8&F*DyxCSo;CZF``I-@W3Al0sVz3KxBZHn7IPy+bm}39AcCi5;-8qXw{)UV;@(6 znS=%f6NyR9=)boIZiYoJmXd7$0_wU&DMl?M2!gi5xJxcFLDWZV7afFF%^hO}r>aor z1eN0%uwbj15HGpj6bJLj`n3K_H`6=5WSQ&^;1hC#K~isGC; zj`4XqJd#M{a2uwG8qPv$9WM;0k^bD!97Jsf^*}*wB983d+f@>`{OZi6k+guUqOten zKXu#`K85qU+f!q>b?BrH9^bl*q2cD`@oGamnET3c_z=^0o9(QSbQg_4yJrH!#evyg zY`jjq^aX4(OI#VK1`hz$mMAjnym$*Z0)G6z&4k@q8R_NJd%q;CJ4_Vg!`-m^sT*>! zuQ=Eiba+mJE6c=T-y+}cyt8G~IRSYC#Hn=fdKk>{VOzB}wA*eRv?;m@m;wBD9;~*! 
z6^rLG7hVFM<3}i>K=+ z6It{s9AjUpbf%Z&MKE|1ocE6<+D|XonFGehjzMnTv+K<0n>|x^S8{frWCm4Y2mVZg zo$7q>v45WE=;XRS`7opz=~TFp<8Vz{g^vh(t}f{N-FW3#+M@|%GMSlJu{dk((MUDk@e6ITyFxuQqJYwhQ8SGO=3j!_vnzANgf zcbP3tM4xPoF;u{g$%aWkK>f(irrvuGrrQHc^J80dK|YP69L#`#E(_<%l7b;V@m{4Y zMsloT>icH_o_;zho8^KMQkaGIFPD#!P;In z$OdHOhf3~V5%-l%Sjn?0uA94>*+j18|5Yj9!?g*Z~;xnF62Eqz13RX0n^AdY>6BXpK%bI z@RAjJEc>7AHK=d)9>BHy*t$K&Q<;YTF#Dw9YYa*IHd`?EopRnAQ*l#6A>}wO$mvzqFWrgIsI}77H*X~8O4hSF-a(pj>Fel9(2zgNc zM!3GVWoq1FZMe`fqFV(YKMgNQ^53v;_rz8HlqaCX3FN4AQq7F)%}mVPlS3%BO?9BvB}HHdbm{4t>rdipEyH#<5wx7H%4g9o6`sP!&Jp z%Ii4kPl;iiQ;a9AxIJB7Z7yfEy&mtKrV&~peP>K*=acSRw624z^>(IV4IS0YGcO!R z^lAVJbANwq{YueKO&?`*O^~nd}~?i<(S&u!VS(#3~kY-)kig0{b9U1tL*Sm*jC- zBRsj&Hjt{S``1R}53ybEtq^Fc+ywnrIqI!qut>jYc*!o7ZWQZ-Z8n_XPATV}Y)epc zmUTh?OEE|;&=x!a5TAc-GZ_&rMc&{f*v zfiDaPEFNdp4|GrInY8Oruhk`~y^Lqx4K!KPJc?%5w;j;T2ZDf#0!6^@HJ@|7jvpP> zSVvKF^;I|CUMCjM2uecdzbq16!zVij92J6l;^JYz{}Z&gmae(_9i?WRp!S(1s9vK+ zN;el-o

nN*p3#>sW7e@ix_)4Msf!)(k8fwiPXWSc^U)b$_(tE<+=H_j z;|GK}Hk9-Pm?MWBlb$R3)GZ?4bos}!emsoGuwPLeVJ7Wf1C&SbROl{EOOmvEnRG&~ z`*?FGPc7D1=3w%HK13QclF0@8NU8#G+Rs9muc4RRWt9JMS?Bhu&lA9B4^klbnvttM z?AvJMz2)?H?|c1IX(7V2`oz$FdR#IsvY z)Au#n1wA(6>Per2-pIIts~|Ah7v?<$Qh;P%%h*iRrtptZPm zp%+`H`Y}_tRRDElV;OK3oZQr)`oI_<{2^ebr0N1I zvaQJU2k=n+m-gQYllr_I%6Qfl+0sjG?<(}pCmnyGAE+c5Avk;Ut&CVSFJC(vbX9PI zm>4|ea#k~c@jerM9f4GK^AcKQC?8}y z4?nb$`#`|n$aI7!VgAlsYtjPM;Z>GobMEbd05r;qKcNlgY_T(#;8@X`zmN=~X1z0_vqpXDa({W@JoowbSI;sK6?R zT%ZI5vLVy;fv8FGa#$lF!eb-}l88E|?icmW#jTTER`0J>`9bjDCO$4>A1i4s*J(7#)Ldv?Ncc!_xXI@eef z_1bKG+rQ%|Fhlq-cD*b6ymyxF)7sg*{B*Kg(b{nmQ}ifT^rC+`b^SbfcCq{5zI}af z`@E-n_5I=c{57Ow$z#3v@nE16+Wo@9(FgNsxbt;)5#ROcYE$Uh?(!_Hd1d4^pXA|4 z2Kf5;bGGn4W4h?2QORfC+S^HW9WRE#mf(zkb*&?V_31D|=A!>fr*dH4_fYrfyONz% zbNlQ0#Z4grj*q#mqqE1u&%@P&5t)1HpGr^k_Z~o4?wM1O7FUK`8P&XSq+HZzCGCs& z31*!&r7keHzmW)4N)4}Hn;L)!6d&7ulVpucshQHYYaa4&u6GwlJpDaW;^)jjR4qC&5rm)<}>lOsF567_15D_$l9L96)P zbsbx2hML6rPrX>Ao5cBT#EghwessEfF>GWVI)XV1Ua7}q4lz^oc*OKD#W+QkIR0P3 zeZSC$S`q;eIRqt$3uKex{xWgeSe9stO6XQ)mpoJ@mE+FT+J`o{X6`*d&42pT?^dPu zj}3cqe$)Q?VNBwMDh@2E(WEWKTZWm28F!+ktX1FF60{iG`F%FIw(k)Fv(|uUnPrDt zy3MZ}8V<*9(z~HKWhmPESgYLmw)ehtvjU6%x8ZlXi~93h;DU%?|LIemc+s4o@*H_- zbfU0OA%3P=h!l~HAK>_3I^V^b6|P-YY5>AM4YG!bqDWs}NpA%K@`0}^)v@$624cLa zRH(wlVFLb{!*pdGSPdNUEE>Vx`8Dt5nPno)k{)Ww-9D6EuB9Ai$x|wHSzKq_CYyu+ zW)A-ZFZg=(ExxmdBsnU3nOGJTBqy&Tb){HwfKQWOxP&Oj&C*?yl-~kp|8oQQy!9<= zfbuMm8^A}2B3mF{g^-l4vyFE?>|;;Fr1ZUbvuDEAZDoC6=Z#2LbI4DlbaZLG5Ox|%fC13)w$ys zRhL3?feL44GOTe}0%W_r!=)Kju zqeO@@RScN+nrSl96Ahs{vikA9MbZ=h35w7b%Pmp&w?~QpX!Et^ZLd)SRAzvM(y|q$GL^Z&tOWS9_J}ngSeC8lAFB zNciw&!u zY^pTMASpV_B8gr5M5~@jt54o~R48TIeEQw)F}J(JRUiffI>{%tYGt3Nb?Y?K#-6l> znWIPU+g-sWmB-8FgBX`RHH=Y?Q(<-2@MWy%8kGIX8sF6cFa_i84R(x2va)_=qkC1# zl#w20)QcXYi$MBl;uc!HMkZl4QFu|hu)3PBO;LG8Em1P6JgOLQm`n)}mq=G3kBh78 z4`=4=8h4ImdHde?i6a(Py?ht#az@umR!zTustH@e=6hk|`Vx*ala#6?XZexrUekX4 z8v4MS<$EG06+>M5|Ggtx9iN7M<*tNXYkF4Jxc-2|QzaYA|8qkYCy(5>kdE!XK4oqG 
zVSG*L6OL@{y5ZRIIdMBS0a~d3a-~aa`%eT&MKCzA+g3cG4Fi6k+VH=KWdZ8W^ti|2 z`}n09Zh8VLZL>mbLLw-(o|JU&`JRb*H#KMWa4v7#0j*sA7n^Td?;k60+vA-(Qw=L` zmCn?O2Wy=PR!(0#VxJb|?O$#I4fQAcRd8jh62vp&(-HclttH5LY6vcd^E}FK^UK^6 z6@#k-vb56lK%^b6Y0Ye0fLT#5_6L3#-8QqBQ4|Q#-Gz72c zNq!Ym!qdz*geq$49y@dqS_qkB>=bjptUGd-DRT`c1vci<;}jO3iMf-17_d8mUDTouI`-tP;D{9~MJM-cI~9VT30FD?dw46?ITL9$mr!j!O=pOoU+{vk zT0zTXR2?w{`bFN0sl!~EVHjeXM{4I+cZ(b{M3E;ophSGMxbH>N)IMvPlVMuCQJYi; z{rj(!*QnXY4#+vjrd52Vj{ptd6dqk|L(B4TGl5l~=XPF0O976pWsGKi=w0MAF5WM7 zXdel23K;a;6fKk9;HvR!oPGkov8D-o8mejKuM+a{E;&3fp<=p`6I3>w(VK}Am$K;>z!sPl zFmG9E-eK1Yl(V^nCXhUBw@#n4P~idBfjd3XjbB}GG4DXu`Yh0I`{(CkQx~=tZFM49>&)1OJh^T&S}6Se!O*{XiDH0j5NRD+-5tFD zV2E;)WgRrmDq!HnP{(bGRmPN2@p%RD)6Tn+_sdAcrA!u#783d7IR-+J*%m^qAfttX zL+>9qakpqB6iq zn}=Go*ZfJ3GQF>DyuPu+eJZ$()1RP@&=DqT%$>61DlE`DTpjVZ*$f;o;qxmFWKX#+ z+-PB)Y}GieN!k(92kqYyQ1e3-RbUKMN`6xUn|@97mkD(Sa}n7Vb1Wbx2;$QBlu>7z zBRovxUT{yVG(Pi;C#@fur`jdq4;+~k+VM$>x(f~2^g2-+hOC7#c#^Csv5>MgVY_1mB5ljZU7Rr!=N9PBc_F9VW&-8!IMM>F0 zb6n9&I#lncS&xv$roG_u{>4VPh|4W1}>LRYcl&0_LA4{(Wk?c&1JLU zdS~+<?skOB_`SF>>(deN{>D-3)DTo$;|Ef#M!2IlF*xYHlv+d^UEe?5!z+e+FO##Ia{Vy+-#0^V;4r8 zHyol0aX!!^@@Sonjvu9FyLc7%kMfGo4d8j>m8LD$th8n(YaOCwM zX`8q6>AbOE@Jf^Yxu$L3p^#cJnUH5vn~;@vWUru!GQ6u9-PuynKT!0@2OPW{yq#R zdQnD}7|(^TgZf*tTl!ZQ8@{4(m(k;M~xea^yZSw3K@{=V`+Gy2|HrNS43EIH&;_4{N_-OU!uOHYB7HtWN);rwHttd`fhmnWgy5e82S1K8y-Tn`eqYycSO)FlOFtK&b~Vikq4auwT#orKg~9OHNAmewsjh%#?E$ zL{EwNlbyBf)1#bE4gG4&YWBRfN>=L)s>61DWx|)%x(^3W=Wq>Akuwc9>3a#D;vHTS z(cXnhsG3uTB+dq3%r*0v0xf+?yr zLq3gl<>WI6{y6$SN}R-p7uLK?Mg%%Z$fM@@;^TI^CqbJldWB2@Wf>o>99EJ_@HL&T zfBHP$JiDwH+7g~d_rz5e0iUf}d3;{4rcYeIJ-az)>?;lz!2@JESk`;)wA!?HR4IuG zjL9dxPz$S%amb3g_@5bJ;G zMcjl!+vR7SLgVblNmB^b z+KreEXu;JJhF4k;V}83k{VERMm(&T#&$}I2L!+i@-_EIM!iq-&y_rCtteM=)gR)!A z0f|~6M&79zEVb#q25y^dDLpSsw=m85H1yIY6ju@Yzhj{hY1QFTCGTn|=1Z7yrppa^ zldK2Dt(d#^BLAII?P2o0n8g z_k)pm{d2hB^8Ob#M)y*1verEtlHK1+GmDQTqm8}-Jjh&~O zmXh4YgteNP_jb>-&bGsiI4s*_ocXaG)8?4&9He{IZ*LDPTMD#mDq<_hx9l3Gcud|c 
zEq&hvq{&+Bf9JM$Y0CEw7J!Wbg{n;H1#OIpw-Y@DIgj6^3xO<+3_^p^IHV=)${ zRR)x&C*!A>G?{YN17f*$uwz* z5Bw(XtQBqpOq?FRK7MU*`0~14lwG9jeg87D-m#{GZF73mD8Sz7Gc6{#$6Y6x*-R>3 zA<#<_1acR`d|f#rk|flz@E9c}F?g+)B$oS7gFjD*s%{f{ z#?CwP5Lrz*sViP9lNlqwtS+~ zJxSozUh^3VGO5uCj-aw(J6Lb(?TP+hg$)-fLkpQ-=mq^|RXl>)5Rfo0w zIXllh@@O>%?`Nu-(d_e7v|^+_5w5RGQ=d{`ki8UQ*hGM9ZbP>l45v9fF;+k91y!_W zk~g@{W?-*74FD$8qL|mceKf^Zl3@E9n2cRMEI^d59vPxD1^amzy9Ecp$5h0HmJ&>K zQy>HQ;1C*!uH1d_NJh>`d@2aMn(CyF%O($w`(RobuexWzxEC1z7Y74kgi8o2?W?dW zJ#11pn4p$Z5yjHBEqr6sJ|2sPSY!T7Ey>!w$bjg7WP^5NHbAinDO_g{XBY5!dE6r` z6p-82WRn%}etx>nwgo<)R$g|Vw2tRHf7Fc*UA5EvB#rW;^N1#8;i+_W!*KWx9ierZ zK_JKIV@Rg3@~|%gPgrrBzTHAlG%f=$bgm}Sj1J02-HTbfJUzJCTC6|{(rMv;(zLI} zjMuNf*EXbY+HzVFr;mq6g-yw?b>}j32_?Jxq^YF6CJkdFetd%D;t7V8S~7U%JfwW7 zYQp?~%)NO$l<)UH-X@e#2-&iQ3ZaOxBnlBpWX+yr-*=KE5}}kBYnHNS-z#fm55r)x z?>obo#qYjHdiP@9pI_g{_wjgrKmSO_nd?61JkNHW`?~Mxatk^}5dxT|;m$M38?q+T z$B#qgFy`L5WV9<#T5TMisD`~0+d0xX^LMk7QwKk(Mi*ar{b6V4E2y43B+CD3C@RZ? zPmLvi2)bcAXJV3R{ylJlYwLde03 zc+M*_t7l>EXySC&Bi4&-fRbb8_F28o9N*(RJ;zNovf!5IWWgyjvFYX%r|4QeH!`b; z%2sZkJfe51{h}|{HQzRmlG&w>iGnRz?YPd-W`uvVhIp+uu*Fo6O+HhRvk)?A(mS1v(YK^B*22}hkG9f#dh1Km25f-m%G^Ea>n?}6zOAWMC=*EjY z5phQsCflZhtpauc?9j?(6662G^bP=a86S?i9U~#d8pPXaH7+0to*7EjC~3%0AVpR5+HEs>ua|T56TLZQnb|Ds2?*gIY1!)*7Ae&o zpQn1v?R2YS$}L>9dNZA()AItt8jmd1AKkhitQRoOP=B*NZdmL|QaVTCGE*5j)2x^y zSyuIF@_@mcj25S2+Lj?^`NP~X85Z_Vo~aCVh6ikFU{1fKLD2L7()8e^!Akc4()7Gp z?8fN6Q^oj3UwS^UFQLi`)7x^_?r{O{wO3CpEaVqbJls~2-1Q#oJJYoF21o!K^18s( zc{Oo&yhTnLg~s|xxQBd6qUF3ty;l8T?H=`a{@Q_#fP$jT4-D0|_K({cyu^;?%KaV& zoIJ}cF>#GqqSL9>bjXjn!o}-@i#VBz1m;Kc!o7S^bdOwtWkK=itWLrAQlFU0ES-gJ zQkU7fkEguebcy&iTPvKj@K|0oETC^IVgpJE}a8V1CWLp#Hj*Jo;3C(9dHAC%6Qbgah9 zEPfB*CzdFO=kkXKJzVqjrkOMGhjXG~I%W)t)ej322b>(bCxlA5t`wF^G7q`x2E2cM zNch0J1>w6Ku||jRVgvz%BeFE4e#dR6pMGO;uRoPKScIvSW~3PGI>qSouGHJD_u$9< z!UuMyR_9Ix9dC0BJKp9v;BakNn*C=K1wz?R)Y09?rJd3&AM^bAb$iHW5cjFgGh^sv zKc}lS8QT|Fq z^&dyh-n+Vf?cUW+Clz(3k)Kz(M3;v0o$ZQfP-vUN7xkOo2W-59`L`;e4*Mzm^_pe1 zkYk(5$)>{ 
z>%){CXnbr%A7)<@Y~kb}T98=oFeISa7(k~FUzKJ6LvUuA z`AI+?UH%#}$?By!urr&5qPm))nDGkx41YlrPY_-uB<2P0j)_+8Jbp;)G# z)H9a}xqOdVR9S+30mM-y4V7@_L&8c9heAc%J24YeTGrHj6P3In``}tgntOU&QJ9t} zcd?<|`rrG)ujiN{>(`hefcJA^{FuwASa6T>wtBJ_2c+_PXs5<{t+O4RZPbodSk3eP zs4NLu2vE|K1fIG@jWw;!Fg^uFvX>_?YfY```nRH5TR9&Eb-1N7&B+^F}~>GE?f+AMj{1q1dAp5SnPORUu-9CcW8fV$Wl;f9;+EF__YpW2DIF5cSi$;yUq zFyczr;xpSZLw&uB{Pz-QdK=08s1;64 zqqSkE8mGNNLB_0p))FSZDJ+c?oU9x%z3{N^%V=@P8%=C6 zqk0ECghqeD=f>lyQ_6)4H~HM$UjkifLXIj`B7PR?e>?cy{PW;aq5zaXK_~g zBi%|x5m<>STF^*!xVr{f?fop<8#?Dx;hJfhHIeCj1QI0UCAns|IRR%WtHLg-Yd21c z*B$<@CUR(eNsa6+en`P=d@$wtvA0=Y9`(9O4_{Zdyg4+=XT>rh8o+Q}19lUKp|nrA zoI)$0Yx()fuVGYVebD|+udw}{Kniig#P9FK3<++XwD`LDcGX{b^W1&r&_-@|by5wk zw=@2+-4dIw!l|%U#=aSPsI*abef}Z4^Ja$@yr6c4YZ_ddHxzJFQq~J@?cJfZPD-5z zX1OJnMNlsoNE=-$LWy1tV8~X3Z@YRkIW;)z&pq=^yt<=})CQH#B)RFpaFX z?glNxIX%DJj_52^k?VdmA@@w0ueo|J63du4$w;BR5h@8cMN}Meb5HEFSWnN^-B`a? zccaq@@g{-d)cIz=;?_3fq+ArI4`k{5QW5d(d?X~#uS<`&g**Qm;s6}Qo69bS>~W+X z_GLlg^y-?X(85sK7jhaS9ME#uqU$hR=o^~4njJsQ00`WaugectkI=Q|C2ve?g)uaT z-t~Ew$uSFQdhzDlcX3mD%uD5amae}6EDsuL_X-SI;-Z`kplg;KDlR#z$?te z?eyQ~dj};^g01uoi&<`J;HO`bZE!?7q&AG^+LHa-ASvxYp{n5eFO>JnI3^<~pFM=B z{z|op#@Zf1No^isNkB=WFzaJwASUkU#SFRkxgn8#=LYZeyjjL{#z~&zt#xcV(JtZY zaiV@Eb?rPKyCBY{_9 zxrtPkgu!y9n!L}0L1NZwm2B|3p_cZ2%nAfe$)yoP1|8F_wj)=|fgPN@{ix!_P8WN_ zci3w6-l)|@Jr|UsQ}>9xwKq#CwfLkJAa8aaQG*Gx+~krdXZlCyjT=ucDOi?8qCb2P z!HLXR#a*2pP&Ch@Mh80f8Pkpg#zW=Nsl{|d;1DRkp6@zE8J&dRbJfe<8K&)C-n_Qr z=`-~W(;jfUY}Klal1}qbz2F@oI_}vC0JahUTj@C#M}b)M?I7ve!47Rp;(leN3V4X) zgk5mq+%;=Qgu&{NRY(d$goXa%+fp;embjD9jcdw^s2s8k zhoqeQ*V=>o1xv|^WApm%bLA$%bY#6>X26=9$91CP@>G`c@da7oxr7xnGT-g6O7vox zX4CYVc)hdUIpjFkJfi~St$uc7t%aC*ZtAg}aPBx8E4*+mR=Cs2KM3awsqO~`wfPHD zO_yQfW{GB1ESIA{GBKX{v8j3`EDxvq$!d{C#gZqVsAW7-%VTR0DD!z5D-F**1Y3U= zuGC>nET%(aESa4@L5q)Rim%5GoA`l!`X^dQulTIV3Yl_YF2#g_Xco}V>m+OG4$EmN$eQv9KXrrAjnfAkdiR$lK%RDAICR&7uR5!Xw|+m@ z5_O1|pnJPKza7A{Gc@N_q%nTG&Sv};DEOaNrDb5io`9?Fwvrg|6^H?|6Vei5#8w?> z^|E<{{=UhWx|5%TL~3I?RdU1e1{ZyiX~J9>?soWG)CEWF=c(V9%LG1^+OB3aMBBJu 
zkbRyU++uFY`5WiXpx56$!d`y|a8A`oW6pmG-B{Ewa9OjS@%&l)wW(rS%gE|sI%DGg z7PQ9*Q&ppYg3k-}?;b(wWcY-nY)Jz+m9n4u`H<|w9#qm8`G`0#dBvCMP4ArH3(gVo zGXXXGDReDqeqS&q2>5uII&eXUZ>acdvo!$-;ak}GrZ_|;HWxhuJI# zYMlLXUc5=WNF0V%p7%i|QA4VfJqM^lJ5n!y25x)?rdigKU+_({yma|9#$0JOH+tNX zY1lNXrzl)_L<&V+q2BylDCHdO39 zKx-c-+Lss#{QUWh1b7!_us5ZX#_)B&F%Jb3&ZH5|LWrX=%qe1|&B2_dtYT;IPP4Ce zZmguZtQ(K~ytUuetV&En$K4}?5wofH&Rr4huP>aF=$%1S(ecXYlRSBM^2?Y@lAXksa~j*XHF?1CtWJA2J?Fwc!I=SCmh z39FCitogRCS@Qu+Zt|v|bruy%7K3o12C=))nW)Iq&9YSwZM-S7CB|ab{I&CyG`Ut5 zB0qRpmWVBlDUXh;oxh9UT3Q=5y$`9!IuSX7t zcIPkxah63RHjl{~xE9g{zgvH*l$Eik8usN5gGc_3!N-b++n4o6+XeO3bwi{k+r^fK z+}~~7^IVj$K*yP&1qa?=iX!vq&bCc&tv8PW^#ZfQ_8eJ?GmUAnbL||n`tx!*w<#A7!r^#FjmQK!Q zz{K)0a?}G#)p?^hbWU$4r7!E{x}f+!xq#y>1WUdPFy4X$7p^F?t&P%{zr4O;QLhgn zZqX`=Ezaq!s?oh7WM2B^U5cz?vM98(NiO-7E6!cX>F36e?xV?w_5^rT24%f@Lx-&I zfZUX^J}e4t7TY0J%Ysip$x_Gw6pUq@0b{rl>}AU)^{I}Pgcm_Ru^P(g6WdQ*J()qQ z(m551HQW)dLw_j%#lIW?2&b&=)5hXFT+L+Wbp$=w?R9av`-~o5{Ybv4`kZHZ zy_nB#CM#V_wkgRCv(c$jCbhx>D@9|m?JBte!2Q@0stQ4KhLVK=sKXvGB%N}Gq3-zT zw+mWcFo?!QI$MFC5S-}&Kvki>VNFbOa}C~U?{e8&t`-G|QjjWg4R_U5BP zizs|>n{XJ8W%$nPF*#^K(V`$HYOWG9b{P55imOTREzZN@O(Lr5T9Xfz%FtSI2?bo# zyeOmB{pI1Xz5?5UunNy_4f+hHT?e%TAK&~5(cpGtGP6qbF6Yw|$~iVy(`@#zPHol< z-@Z40MhdaOTRr`-=Vy(5-aT$F-E4n=nt!Wl$Jolh(sJQ&k`R$M@x#M~alg`wd^&v) z7LXnbN`GlY8XbkIUg-Y5MqDvt`4JwIdgGK^NJTQD`;fVZY^zEzibBhogNlC+*d+bT zVUqM(xA%spai5qZxHh#A}|v>k)R^U>-F`8jyX^4J_(6hmxwJVqc;vV` z)m^4^mif(Re2wn$Bvvz8t?pV>%F!cHyn!o$Bzl8|LE9vT8$_K2?2fxB5e?d^V@}J6k&i^^voSMdNI& z5W2zEF9lggiy|VnaM&N%MWAoCSySn39k8G92{ZfP&2Hg~`G8Q--)emmx3!YFX&2I> zUx~A4cysV%%Rx&6h#lJ2A>t=b-KEQ=z^HX5*N*pdUBPDqUB#~rERW6ehvVboW~Bwq zyhhztMh51fEiX2?6XRz03uo#fw zzOo5r3{gxPtBPGazTdiZsBH4UY~oQeKCz)!dEthRyi&^U=`7WQ_OCeIOP?ChGVQdG zrxJ@NAJdjh0-k?YhS{+_N-9RGUD3S%lO-SOA{MhgHK9*pXx01vQ_#x(UProE*=2oK z<>PJc~G*XupT?+ITAXIIC^gs0dzyULvC$V zX1GN)|B1GVt3jR&<({ael^#)_g#p(s8g+kV+gTLkcq|nuj(ULwJPz{uCk#z%u%K_S zh~r!-w>Cd$_Cimv3hLVaz{zhx3rk6!By?TjP1`ZXgR|J*x#wrlI=^e!ICdy90v{+^l<)*)CQv|HXXJ_wroK81gYWoc<{9q6 
z%AeN;C4nBO>j`m%7nfv=dxMC+_l7uTWlovCO-RSpYateym=xn2v@vBWmz#?#{D|_7 zSVo`QC%g_V@gG03NF9OKU44JfHS?Lp`di$9#q5xN{3fOlVZ5!yLueLQHaVZ3`{`Onz zq!q1rEhPzl?;t3A2skVJ=?i6Xc@?p5k5&&WGO}C4;Y59f1<%65Ppyz+zQ6OTeHz_? zYFhdOH+!&)u``bx#%?ZF1~X5Jc{|=1jAKSs*q%CI3i=M%b%?<-kzDyNT^;!2{%WpnigS)aLt-8z-@l*a~;&)l- z%8yI&DsAE#IZBmLyu<(EXZtVv;`BzB#J1GtrHABi4V$lWMD+p8*AX81<8!alvjIihWz zTXe=Y8`Ns2@i`g?qXs5bxWj7k7jRn7^Xiw&l7TP4365mo!d`reHJVN6WQjhoGrCQ# zGCD%0Z*t_K-n!S+R=nt9&FR% z)XbgWoOdog1z5)C56f)nZLn=Yw=Lu43Rs4MsscjeX!U@qj8uTt*``iMN|eM3?)LsR z8A8wphj60E8X>B*|Ax)?7h2f`qX5aG`PDvEHaLG`~+Y!e(nOfZuDq8UrmI;{Uju z$=RpN(!b8H?a|Vms4+d6kjJqP{&T+IdrHOINu@M z+tI7BUm~=xn7imy5KSP8xSRJti+fJqh6KE@=PJoMQ2?yLWmsjVhI)+Wx+H#Dd)bg( z|Je)Agf9(Tk%u#CD~wSqmTl9e8}4}vHEPuS<4mOh2g^>m8GcWP`btZW0t430y{*l~ zh%z+mRJnsrhfjq1~c>PE*A}_(61^{(l28Hli_%tCa){{nBKXZFAFs{ zB~{PG8ZF|Fm^~yC-tdS0q&-FE{k6u7SCXY^Vc5>RQ9=tjdcE5DDmnOx-!~OAZ;^Qq zJty-9EvO;>U=83-xv3+YP$*>|>goF&6UNA*XCfEwndfQx^# zP;>f;Un+WOd{A#4)kxi~{G}a9Ay%Va3>nuGHdH zd}pCs%Lg1~*1c4`y6Ih6(&Tox>1^egK6-FEMIgso?w*z0cw0%3p8HP59e?<~cr}r> zWEC**-K~(iA&wZv$LMpDuT6{E+ z7ER@$MYZ}W|c6GCE+PqimJkvj2B|tqro{cMr3}kL{4nbi@Il)@$es;YKmH zu=xeH*aRNni_{GyhA%01*GggUJeX70Tkt=(_PKg(D!+!jgbER=(3E<41RpT@H7&&? zkP$XNA!~SZx7JdZ3-I=@;ju^G3~^FMB06#^PuORJe_uEA zF^T=02J`c3QYmIWa+Rea{06diKYEdEw)#1lWVuyRv_xysoT;hQsmPFbfytJRNv10# z=*1mZpdqdepsi>K0FJ7Z3@^rS0a94h4z&bK6c=5*c#;(B?;26@W`-ps=}Wq`#k;3N zr5yY%^*`RB2Mbn7hplwxI!50pTg+xd?0mqPdlmVwnR_-c;NB5ndU6P=4R;zN%HBGr(a7vHFDT$Z*lT@@3&2c;Gox7*JbMp{qZYUn>duef9K>S>Wok;MEH$HfMl=OSTfc z>`ZSdEs^*D#efA;nRc_?7XJ8^`0e@88Xx9n_p7nqEwzOle1)^Kg7Evu+6jGGn77L? 
zpHS@(4-x|INdI{q%l#l^4<#}AmcI4ZdtYC3mS~n zXuVZ7G?3gUf~x%rfjg>|)`G2DOW5$}FQuuT-ck2BXB!-P4kIlnNKxT@o7%lC4^wXz zx)ol|(v$xQw^*-iC^xrXS*bR35Yv?s>1`>BPDQ7mF)P!NnXhK;Se7uzx`p0^+n=tx zPp=#D;b8PIyQK}pZvE|hpP)?qzVwE>rN#4{OkP1)-x(LWaD&xMS51w&#G2gAguG0P z%ir}+E2o@}zgx#u-L%g3C{&PT4@)Nz?-=ouL{AT_%zIE@haax3{!rrH%F@25 zAM^9v%xa3uS+VgUoy-Z!HX`!qO=V1!AkjR}eMvn0pACiLuH5kzdW(`x=d&;;H$f>@ z4_2yNSL}6@wYd_U6ZJdo`>K8SY=8dU6PS~qv!!^qq3n729j@P*rV=}}vYIzmKCs$Y zaJ$(?!ovUdT_S|{)|5&&i}j^53f;z~j~mo18lZ!TqQ?e1_l*j_djPli$-h24~wQ*tnOZU{M{2c4>2CMvG}>9gkn4~Pjax} zhAo%*_4z`!l%y^b`TL(jq1tHYMWZxVb z2+wCa^09So;iT#U*+z!pR${5=e>IVjHdw91l(oe{^ducT1oSR}cH?LoIy9 zLg1QaWkihzVl6j$_TT~YP;BVVRchv|dJk?M7@yYvj6ufLj@ z@7R-~DjMH5m7yA_xm;IyV<)*?lUq^;gj5G_8%~N(rUSR(yx_h!7a$nv!S0(y z&T)samwBu5xYDC-%4nK>6mgR+uSHX6 z?;Fil@7(d#I84oQAH&9y0_3~K&wi5Mfqdt3IR3?5wu&OHFS!&$0qECMxqQGw{H zTxVW4Sv=byVrCNFTs2o`QKg<6Ylprf)|zX$Qu9JAY(hoA8h@wKE#yVCfUtGl;gRvl zJ}*jgUz#;F1C-rQO{mukUVh|b)@RiT#Pz{7u;Sm(>$TF10CJ1~a%@ICZ&@LJ5e=Nw zL{Jq#ahIg{ilpRSJkG)HcN(d@!a2A@FSIUG=sjDV2|Q!eG-VjDIRwb^_;jzcpaqi8 z4AOn8^wWd%l()?Bn}y0pt!<*(KaO7kKJs9(*=%l=bH7vMFu^ ziy2uvYB%H~fFY)wSlc)u-;^T9Oh*BaVZ(N|)eur>(bK+i@IONxFa@PAh< zW+{?->Ydv$s<$&zm!4;&g3U3v!~99L*Zww!eTf)l)teefQSYFThH z&;Uz#JH5x)(hO621F1(cN@A2pSP{%n(-Mc^=ZO+e^cdvL2GmS>+QhJ|8W+WQh->PV zTb>S`T|9NHrOjm(*GUIIzq5bk%reRg);Gxm_OH6bk`MBL8S*AhjaTkXZ&eOw;2ZzX zh5T5Rs($4A%;<`NHXWhPdp#$gkmPv8^=x_jtQi}tsj;83;%{2+UY6=Ps5$o_TEw#X z9JvjXW4E!zSRmY)Z6?kr7oQJ4G3x-reHt{#jk#J+;pduvUFzA%wJ!xH>J>92?;($s z$%s7tY4?IRa%Wp`-z!n`d<3o5`I|jnJ+g?)@-MOD(*4k|S+vEez?8IQ(y~~c%5{Bs z%EVU@|JeTbD{fniy&JHlyK&uUDXx$%m*eI?+dMTxSkf$5emFfkV^ zG`*Uua)$qt3OErFT#A3OTyr|DnY=2lvc=|wO)YSw-05t5mX7%JyGl6ckyp18Wd^!? zB*;BQZ|6Qt43@E^KRV}hAkimw!95_5gxjDg{aJctV~uw)lM+=iI)5sqT+oJ@RM&i? 
za#)sYGNr;0DoZjz);u8b4gnL4GH5a}`lNI(+naK;!Zb9{4COtcrO;odF?qB7@>A!Z zu8!v#59yrQ@ujgMqbQ|&CQ;xl1ci-v>JWcchB=9|kf{sG>`rtV9ViS`%Oh7Ci0|Q$ zw49Krpc&xTj|O6G^1vhLOD-da#C_tmq3)c=$9YQ~S|z=u@tJGs^TnBrmvf8O9$rS;!!}#^H$NxThYVeql1n)ZgP2$9fA26| zrf%f`210E~H2dLasVvi#$O;=z+aHiBVd~3|xeTd$&K(u(aBWf|JFb6l>hmiW_}Lvp zs2{4;h$?T;FfW})pZ)5GY^3sYb-G6K__O-iYGIm<)iN7|HHGfonCg_+{~SI|z9`qyw;8UB;lP#k z??2VAVJ+%Up>wL)B{2PN8|i za+E7Nu!saix2s$3YE6x8m=D!!~x7q-KWlF+Q;>J@)`61j6}7mWBQBnCA+H zWaaaK+uZV#qnYsP!a8mjlZScOvX#EIgXTyFgouZceKeCT%>f8`^Ll7HrHb9DZS`4m z=v7aDyh``|*~kS>)#0_3iw1Aah_D!yK%uor$gvQqn|hatR%06vMIYZWygEs3@LM{v z2UY0hiPma(5m4Bg;EQj}H(FUFx0YY?k+zEGqA+QbjRwrmovB~Ny6Ff_t5l^UR^Ke@ zGaL3SVn)VduU_ zpZ-)q6(!*_xY;+q0k?bGxAu6n`>nZm2?==$2V%WDgoN}mMyrheA<<>KI9sA(>~eP2 zKH!nGE1~N9+=kFcPPcmzwNa|>uM>S~C#7vD)h|r#uF>z5d+C_<#F{i^Eo;eVeme)wMnw=^Sh_?%Dgs8UDe7+o6_M!Yi?%9@zphTy$3)z+Wy+acHEg_`U zbN;%JW0I@=ZyOCd#Rd{W*`VLr!d=GEf>9WW9acRix3)oIXv+`NcZpNlK!TP6f}DyHwM8PoRrTJqOk=U-D!S-5aR zpz%VZz}X9D1wL|=BFg;1^TJa5p70$AV|}8*z5SLCR42HOW83BC~w%%v&6np*r`R@Zg=Ehi_xYLc>Q z!_eeO)JbGXj7bNQP9y>MhM(B#sRBPq^bWDfkla1I{Zb3 z2FkBpr}3IG$xL#mOOxLosrsk9B&@P5oNQM~+OM5H`(&r_yPDR3A`ds*#d?HQ!YPVzJNb?F%4N`ro8lvi}8mP*7oaSoAgs5h#-y|C){nd;H>1~50 zBsPf3>!NmRrU^g3Bdw9s;q8OjBs5NSU#7`qd9Kr67rjn&o%1^I#1BcX*oXnZ0h%^f z?BMpBN}dF56aQ%~O{iUt*g-%k!6%wfU;M+PC$C<^6L$;Rav9**7PRHcj-YtrE?_mx z7&BU~;I-EzhWo(=i=QNNgzvgx@2lE+IKV;vPBq z08L6sWS;^eZ@;(UYFe5QNc=Nc60bh%q6e;P1-2G9Zj=pYCtNZbP^sO26ocdL$fVM9V-g2X@l7z7iv#~v^V8i@oSOU!^f{(5rO z|CXxRU#SkHyK~dQp}RDCMtOBrl?{j`JplaQk0gN^#F&trgq&`Pkkf4t0uvFQ5W52uR$MK|n3{fVo?BeDu~60uvNQdm@vNk-*fg zVde?Aji8;Qu-^^C+WV*tD3Rx*60Z(csL!1B{l&3KYEZT z5<+r5A>?!*aSxbZ34sX`cZ0d@bh7_+xz}%xc*nS-+1SUw_ z6Pchr_JB#qNZXAX6bcEytiF=$b zm=KsCaW|OTP8Yb#=?EoxkY`WD#(!{k`vq#b2h2UHgC)a=5SSowPh^7j*b|wAjI`aO zo~Z-e@jpGP(%-0_XiP$N4XUu)J%MHpn6?73^c?8YcZMfm4|0N#oTP;01c`f`?hqj` zLE>&Ox1BBmta5)i9ifd8o@aN(#uIlZPf*J}VD3>JEEybxzyyhVA``U7p2#F?8)dMKS3M-m~ihTAMjt)B zTH4xda4^pu4~`_`BWujRguQsn_{cSuJ;H9_g~j28ee_G%&Rc-6zI%jy*aiwKArA_B 
z+~}9E?0~Q*jdly$C<6*h#0Cl*`0SUkF92bo&-MsQI|m9I3<`UReMeZpvi|IQgng6` zTJ~x{eyS}~5yI(d?cj5?W4?C?$A1QF&O!G@l zxM3GyR6()u>Ph*RdVmc8VP0-~*S{?6=moJ8CbR%xg22Dq-t}LFH84@4-`4s6*Rqep z1WXJfja*I7-3{eIU)xQU94=WxpR)T;Lj4*$KfSLRcfc-PV-oGRWSOX!z{!L-23Dq#d!u|pb z)cFs<2n)Ln7^w4az~sBa*!~`{J*;@ZjuQebh+u?WBM6w$e+LY|%pVc4V_7`BF&VK+#SlDgAz-4{|rr8x{^p}9GZk?N(e>YRyaxT<|=BYyReQUPa z_0FK=kHz{OdKs~u&^yf%C!|j_Uik9p*6e5}@q0)2g|3y1u@9qXa#v+!?WBU{whoZy zLprX_%KvaT^vh9&aaf)#ydz|D*7^N&SXf$SK(7c5E_q3;bus|Jc{-h7mbhu-nb$A7Ej8 zMskUT%=Zy@0P%$l%d94%3;);YvRmm=^PYKmC}7*QuZInjaui_aEkE2Jc-0s1u>0nR z%z!A7WM`T}Qn(cakv|Y7MnGwhrbCejK*aGdI%lA8=7p|pQ@ z!RRQ!U2k&%mbq*AKiOvL{y5;SKLP8cuvp(myjqa&-;RS6Bq&DrQHCckzMe76%SnC*uElhJ5MU9>!^^*I z9|sRmj6Zb-*CH1JSl&nX;^p5C{^SZ!j6a70kfMA^lUD;b1n{9r=U=6af=Geue*p%U@|c@S_M4PW#WClM#IzeXF^Y2e|S|%8#tCI|+F= zA6PTKJtvUi@9j-F9Q*`oiyMKYxShkm75?Q5mjjNuyGo7%mGGZ2Y9zNzpi~jE%ywo1 zSJ+86KsEgvjZ>qaI?El|<a`4r5s>5gP-F#qSCL-YeJU}Jh?f%pR zyzu?$ySDk`aSw~*^%E3&MrQD55`Tv{jU*l|3m^_NKL>Cw_7l9g@5_NK?L0Y zHuXOf2;N=5-ePy_N60eUl^$FnJ!hvo{VR>F-}N!^?8@pu=jD|KHev2S$^D~s*v$tv z4X+5fKgVA8zkPy$7lsq?LVOZ_53cZ^B>b;jSb>21-`JHvz{J2wC^77^AZVHGx(KfD zM_v3IjXQ5Tl(C!ca%-TFP;>z`MTbJj=Efhna5ocCx-I`5(6R2Y}Z9_h5yvW+kc~Rskyn!dvIs>M{fZX5@f@EQR%XHbT^i+yo8N1Ui zpZ#yG*T1r1-mdeYNPnc_e`T2P|86?5Yws^y{-Mgk`8~hSXY0m4oAHs9e#tvR){Ve` zqLim-$7{3xa(AnS0C&Cp|Cp5lJ7u7i12*>ek>Kv!YJ0Tx;4g;+7YqM#Nbv4&hXl=k zJ0ytw+aUq}->&HVcZ{jgrOx;b^q*Vs{}wQRvsKr(*=(MOV`07*fbKyr__%B}&8)0$ ztZptY&yNk&7mY;PtS`^#PoPF9LbF3#Sr+0_Cf-O5R#i%RW2Ocse9)VQBV+I-WNS_6 z)@oB{by?5W#_Hk#+Q-Y)U0brsXMJjH2{pE~CN=1dDJpWstuEScZDNq?Yl}8j{ZbV^ z>(y~Sy51Y}*f-+1rMYZuQzv$PAyq%t+tbtCePal_P+5ZghVWXM(Z}-RxQ9ZvxIbW3 zajh#eWj;QxZkVN|D%8P}t*yA0tyTYnCl6s%Wc8 zN)m?*^;}7v-@?G9DpXo+w&b@~`E9nC1;*L}_^Y}mo3@BC$h+7$oDyzmdCnRu^|?Au zszTfohe7%fNwK(;XIb1^_rb17z39}(&UMZpw&ql_eYVypaO?WwXHds6OYHsaEJIk2 z75-M{pG|5N5||PAmUmw30&WfUCN#SWNA}V>bUE~m%~meDG@%@7>FS2ND84l{@}?>w z+s6pCG4-ZrZO#UZOAQ!N3E}5&<)4cy_i=Z}buPrsOW}r^LRaCfsHvqD3#?YjLKS+m zwR)mzGa9k=VhcIvGdhww<_)pKMx%XjH4_Uy>nm{mwXvzC5tcq5>`c{uKASDArRBL1 
zIHdBtRB`s!_ZX=}3(2q1EK6fjDxnml$bjN;nM5pWCF-S#kNg8k4mit+XbK)=!259- zK4ie?xQrND<_6l{1zG=jrmuCTZ`}!b5RLSOV!u{;8JbDu+Qh+nZD!#j&PaANG7O4s ztn@N9lghJ+>+M~bg}We;5Hu26fo);Ni54P6^A~34T*&7j9%!fxx@FLNqOCHoh#=V^ z2P8Ajg51PtC_9GXDYhloYr>$)!4e?~TVRB{kRu`WNT}a#atNNBgeO0!a(IXk?OTZX ziHMqWQJ#ayp`mK%mUeI8D{vk15uybPjDL{7;mMysa?Gqt%N&FY4Rt`b0A#YQtRLLu%gpy>sN?Vp@IAECOjst?770CQ>zG(`os4rH>hS0aexHmVZdciJeFzKhhN@>(rJOBKy(rh7*Sx zljBGBgz5M@ObY76nbYzaVrjscwJzywu@f2dkB^GFc|6dNOYD*^5DU*FFYOAmb-I-m z@;=?q*@@#G(~op^)O5T)6R9RK(Tx08u?L!RY~9keV&S>uV%=dcoo;;!d7t4I>BMoL z=|={;=uEsB6R9?Z^o)GFJGZu6c(+W4SVundyKdnA4P`;doy>rbP8=2zCYkJdGYJ+F zQ`!`IGYUQKliDh!-7-Dy9R54V5? zr09>>v`R7^(VOYzk_FaAzv6bxG>fD5&sv-9Ox$o&MFy&3zH_60Oino@jm|CQB>}5@ zd%tqbtZ#i8p0&0idK#|TpA$u?E{I2L89=L=fLOp zYyXJII@XpL>uB}pB=Grz;O7}~t^rJzs^Fh5zRWtdp=bkssQn7~p~E}WwnSg>L&v}m zJvgn$5P$6;xc({m|Hj%#2C%LggRCqdE0zvm4P5|U!urz#2v+Yu|BSv?)fVcD{iHux z|Ji$pf7Lj?YL#{{7CWqu=_;IkvlZ)I0fZWcrfBxfzLD$_(<%}=pDtds>F13ZYd}`a z>muM+m1&=V->?km+A@W*F6t#$=1DZ9Z#Z#ee3))`Ty#m{+~(pe*tUP{=4`e`@rH;P|btI z|6UEQ6C8M_0visN-wg}zh8FhNO6kdZaN&Mbf(wV{WKE`>c2R~J^B-2}f7Y+sY1x)& zU`FjUv3CNYcLIuk1plBR?*#v!gkBuORx|85J;DouPidBKRSXCIx-UWA;*`&ifRixp z?|$UB#u@Oh_(LmL&s;SOr~bN>A;0<1)eLmk;NWS&$;;`zCl4tJ)(KthU8hb|uujm4 zV4bL{-gWXL2kZ2I4yySMU8V-J61<--%*x)!|EFJbN-J^ffmDH>T5X) z?X;XAW^fdI@nDjJ9H|y|AhI!-%7ZEn90f4N$vTh_40Y^OCAUTXpMd@^@cmDr7w+xg zSbFv!-h<299|1?}mB|2(>A!3Mj=cwILH{3y{~c+Z3{Hcp=RFM^6ELEKo%V1!T$dmb zEX*%t$rko))nIb%G+ABJ#NT|N1hsdF%s2KSDTy&~c=RL;8)$5DYa9-SzXfaHOqg*1`K;Q zXt2I3n)|LO=Gc2(&ECZqW&!6%mkN&BZ0bGg|A5l{gZjNg5#FJi+3!%ucPQpNv_aq< z3jNOdKY~6Jl7R`(E#C>$-U<5N38?1Z398=-LfOCsa^>K#{0!cG{U`KCpF~ST=l%mc zc$BuL*aGIkvLJZW0w#D=OG7l+ZG8ZER3#mFl#?|H*nuU&|9_wz$Y5Q5tiypN=sFJo z3$x)01Z!~dlmk|#=sXyF2h~CO4}$Rz67~-w@?T_nqTmCI=bc7)u-x4)kL+Zvzg`O4 z(okhP52dZS*m(R;RE9~F0H;%E-Gu-8$0zax?`~rv#`~BM{99(b26d{l*m&;e!f=9j z?{trPyQ0hO1^4%M@+`m`kI3u}?C_@xL%t;s_+v*3@^8K;7yik!-CJ*sDCDQ-mvjEr zx9h64j_2$9%d6I+AR^rkPoFziUBbP~qAc6D$D4{Cw-6?2*mfgk*53B{q}tEI8x*~!4QQErU3a&p0D|MfZV;CeZ0Ki&SqX#*82c} 
z*Zm&X^L3r`{l=)riTy@oPh5UJ&_iaK_K8EYw|t@P>-F>BpkM164^MB9a*|LV(IFrp zK0$2rL90iqUDh%1K|n-}Kthm$t!`EfuC@-Aj%LQjPL2$^4#rlF4FA3`(Ysk&(Z7G+ z^|o}}=1knxJv0*@;~=wsNN8r^!oZoETOp9IpIMo!CE6SLC?tqFOx8svwlu8UaR<2} z`3qrbe0JH zM8d`B^lX6DhJKp_bqfD*g2bMx>YX^>YdGNbsUre#h5WXtLcNDJ=1`(|LmAf)K%E9f zlwQ6WcchgR<@4MFFltkXcvC~jN~2LvI)~4g?@u+pqGuC^%u*N;GQCjb(3I~I-CUQ1 zr*R~inW(5t5F_^@ok|u}UOqGQVZ-s-&dS15PGWxBCVEZvel~nrIC+fn5o^+m(_Pje zXSTi;2|@JDk0@z0V3LiKQf^)ft*ejtCS>f8VPPy>$X=LBJdX4IdWQ1YsRGY8$j#E& zxpEUOXIQFEWloT6l9`YW69&tHQ|pADf56-xJpW}`m-#d8^K4M;;ToMmin z(F&=Lb*~MS)h)$kLP(SRkagPrnU_LfP3Kd-W(5y1R^A($%~SQ?E-i!I1&Q0Aihy2kvO)KL=M`xwf=3FSBK3Y9hH-^`csP++b`ylY znRDC|aJ}bmhhKd3{5jLx?rpP?o5C%j2T|YLtTTNTf*A^x+}h|^7SkKi+nNmgR)kou%I5zv{H7|{COsFBDNo9#Fq<@+l`2aOm>Ic`emzauqOXD?w^RqL=LHO56 z0<&E+q{ZPYc0deTGdwnt^$)L0@uU>@8UyVD^kB&tN{ie?>y#E`iO2O`!&YD0U$`4D zQPgqhb&}QjQYtq**2Pe-j|%C5Y5?Ut1ktXN^NElg#C4)q4LbcRR0Lx@`MJUIjX}(N z>l$`dHs~-kq|2(wd#K0F#XflU4G+(a>E>1}z*)>*;h6uZQ~(iKVm&STa?^#f(l<-% z@-#i;D+WE}o}J2Q^8_=J?#PAm)mL9xxibivcq6qY_5?09l)VykXfJ#CkCdrQzG})9 zRLj4o1d|#<7}xd@Qy^tTNRLGz;7Wzybbm8bP_{`u-*?*mBpWx}yNys%jzEecK*Nnx zh9?2me8G-dg=7%!(Cg*Z4#oOS2M;>g>|_%5+Yluwmsr6iIJVpCY$WhI%FJQB+(s@k zlTU3Nx6P>-GIZ;CR`{(CP3hHYSIqCsqFmO$MG+C0F?ZnL_wuD(NQyh z=Kx8JMLukZ;(URqEMDH}^7y%89v~xXJVX#h-BQ^}>dgXl?u$UH*<@rHA zhlhm2p=n<@N45URNPkm<`rF+kooqYfGPDV~@06GhP;dGOLkHW7tXbXs=u`Xd5M@6n z(;f_L^q};Sg05Efk7YKS2l+59*^}9;f3t=?ar`2iN1$bt_`Isk(_6FV)5K zeLuY$Z?ZlFb41p0(M_M(gF=+D^>QgCF-bXoo4-413^1PBh(WoY#kezf=ouzI)p2Rz z)R;x!$4!a!*Rr)fdKKRTahn0ZZ;bF3YE{WZ(<&j3KlYmCCYHH9{RD^NW;V)tu{mjV z{ed}~qSov!HX5vRUXNNoRwN^(U{ws70@e9qZdd4J6SuL)1@{i_E1+98S=1Hhy9i_r zwp}m~sg&%d^ZZWR@>o*3P#Cp7!TOs?zBEG*&(Q0!f9rjwl2JZJdi1{Vj)SeH`5Q^u z#$_ViYh1l{nNJ5Li_lD7Q0RMMM8*Ko9ruH?3|8H+JsYCxCLo;$jTZ;XW+kj5OanqTP*61)b6?l*b*jSrck|WmIUtx zQr}gUaUKrZ%+u;iZm{aSXyiv6gbTI*Tp1w|@F9V|p+d_J`#yOs?mm_>!^6p*U7(Wj z4)q+D2Y6=sZzW{kqXcNHN+jZhHDjsGA4C>#hTZs4y4%q+2wX|o2f=3kA-Ru7FkTR( zmy)#ig$=~-jLDRv46RgZ)8KH4kD1d(4Y05n2vL#-zv>%X!QU#6P5=?m2cLpRkxe~p 
ze%Bd?o6m^s5i)K-t_KVrqVe1iM~3wKY#+9Tg3 zIVXNgr%_mg#$2paijSTcVm~*;kvisq^}#SfY{0NZ9KQ=-%7rliLD`M%<1_Wn*Bw#( z-{zX=W>rTHhJ+;{o)d9jo1lXoe;9KpEY!XVsz@?-ZSl#jRmEqOFpNik+X#g}M9G*T z+naRv`9{x(Pl2s4F0~9DzKIrJ2S1O=D=HkeUd!_m)6f|h@U7}t2`VQ>`KO;@w%H@j zEuEp^D)c$mrJvr>0mB(-teg%{e)sJWYfnNaidHG(?-5nyx5dGLmqq1$n5fC;BZe!Y zJ%F?7uU~&KEZp22!UX0?V;$F6C@|==tt8c#>T^yC?-0eI|IQDy0)u1$YWh9= zOVU~0eQKui)hLPPgk4>;_QZ5G#z6p6h@{PD(m&CRxB2#d z`YW!K%ikBF#miUPYwuYUvn+`Xq$;PQZm@}>EF`~##asQ}qdLa*8x7-gPoeR+T}0~( zkRnn}nG##9{r$66dG0{g$^(+uMJ76WX{PgM^v_e5NSfrl*JJcU9V|*zRLZr1r;Vep zZ3RxLsZFGH31Y?=JhLYcrWI9T;T%xntm$ed&)Uch(HGUH&aK(5jxu%hF!?t(h9g>h zmgpkZ^Y!Mb>6k~Yd&L%b!0hFIp@K0xrP>IdWRB&>=UT7B+!ukEZC2|_F6vborl1;W ztc?r%>^2&*!SgtKf@~rd%2K$=%^P3d#%>JEEk$N5KfhZ7u_1eXu@RjtSFRPD(Izb# z6_4f_fyGE3k8{GPiqxj|WL}$V@2Ya7TLum_0(SR6|NaoJOA7D`9jy#B2qQ_YPoga8 zj>>(D@P z2_?aJ&6o7ZiE$MIER=J$e|Oo|Vr?KT^qHAOo0?h}QuB<&qp|mu=RxXZ_3cVH#+zhz z!$84D39Zznuz&5ViGhL1p0Bfw%hS3-PtW3MtlLygNE_a#E`~HsV@KmW;uKAm6+Si_ zr}8xgb}$pfwRFlqKNuH_=chMaZIU6anz6e0yT>*-&@`(XUI+L0hg1{t{7j!Ods{Tq zjLf5Q8vT1cKuaxi0wf@B$@xi@X(W_{iGT(t@SzqB{K|8wOfDMu2|1BxwV{DeUqeEP zNcpPlgu|?TGd6-p+OFpf8$sgX&rJu|hK0MOtPNAo@5O)U#vJI?ZRH%32uov#NisuyO1o-2V31RX=tIkej zwE`#^H5MI>mYxst0*NM^WUCd}04h)mSO9~Q3FXCJC4ri0CVgk@n<=uE~kd3(Je1Bt4MC4Wx&j9>D`qY?@)$0s%AALsA( zt7g!ID_LS1f(yLLofaoL7vNMvMTCQ~w54)i;#s`Zat-&E7s5g^_opv7t22HO)kh*H}!aEHV> zV|oWex=sucBVS9rFakpI`k(j<^%Zd-9U5dCHN?U)hACJixAuCCWXcyZ?$yj(H;+I0 zB)|D*NeJ!=S;!Dze-CU(@^$?|(hBAKI#@b(HCbq(-ox{QRfd5eN*{S;Hov(~o(06p zEN!i!w(eprMJm#Mjr{-@Nc~swGlD7j|LdatDP`xZhY0WOOMAJ#JB85{&WfQKmzMXBov*dipR--=DI$)XbdfbV|-scn@dgz%6PHHvxnjULu6jw@777@*V zwx7-Mxx&eCoXr4O*w8tpe9+@jB=hDk|Bzk^~Q#a;lNmqSaKGhv*|J* zqzsAT$ib24Q$(l2n$=bNMr@O;SczLFdYG~^V9Q*ulst+uT_~L<%@AR_aOhxSjce~P zj&rnZI@7+xaH`0^Pvt;ln>y%V;D3F?uTR`*7Q!mDhq!zBG}=#Yg0LYgHJ5zRpMr>`2Fz^rpgdbtVl!T>#nrFM_PWYbW1-d#~C3}_4}4V zalS3axc)tfNX+0;vml>iApDbUNF>n=SL9g%^R;7O?$dyLOT5-XIIoe!28^LHxipQ5t(9)Z*;>NNXs7N|fvVX$9y%%;fZYlIhL~-67JNHQIkg!l 
zCXK|7D8nzoCL(0BUrzS;?IL-POe1SL945TWD*MlO!8Qh5T7Uv8$(J(BWZ)L2U7iG- zj|ufkW>eXr3OWR1(dOT6Nzt;r>Sd#}o#~|wn*kZYidz4o=j32UDxf(l7v!_sY+ATL zq{Xl$RN4nNNU#rG4oJ|-&x%gCKX+O9wBJS}dJG7jOBrb5vRG!HWh1Qn>vcYO528si zBYnZk*|->i*S1hi&wu*LDW4imlcOEyS=FTQD5kfFx?!C-T3lmbTO!4w;ShXZE#w01 zjgqXv`wHrH3@GGtK*Z3H?wxNK#c`qJJ3I@ELzH}AdM^t72 zbCc^64`0PHZ|k}T7o=-||3K8>X;&E%49d7fcRCCDGk^jsX3*Fqj-PMcmOc>{EL^7K!#g?*$y^y5V?SUEwp?ySP~jajsjH8KSrogUDhkc$^a<(3cu zhi*y#vIyL;N+|c#AV=(Yt%bl!ZS9E0^M-zwI)YTcyy}mFiSVZKg!7q_7xcg5|}2$g`R^aG*5KPmHMM(XX8tbP!l_>kLF|YQkWv9S8iE&WMh~*TsWG`=HwEJK24erO3?~u z>;@M~Riwt=L$q=+Gpw`GOCVy_XO56)v=5%g;j}6e+dVJAmKf5i_ra^nwz6d6TItx4 z0|l97xQqJMa)fIP1N1vJ9bMe=rI$P{m3;{cO!A^C9@~UI40mZCo6~kUxe7O`74QHW z1YtBw1m7Ah)g@5TDEV2(9jTOm{>HztJN1+F?w5!}G92QGOBlY-Au#n(-okIex!F68 zqi4Aig4z{w1|@CXSx};XiQRS~(yWfp61Q9D*yl1T1!zMVy55neh)l?3 zr{~rXnyq&jP^!(aBg`b8f#{Uebtr+~uM{tf>zzU>fUi9xEj42}M=2fDbXx|wyRx#f zJZ7EgO5`Gpv7`CyUE&fT1pjj^GOsN~Rdt&_+YT>>+fko*u03r3g(V{W7FD8O;y68WJR|Lg^6Ykb$ZHeRX1ki3RjgKPp%S=eUU54; zQ%wjXq6I$g#8?g9wApn*gI~hEhXnNdD=Bq{1bq10bXd6{K$6~w=4~XnJPWU^d2;VJ zC#PM+j|y=8rC=N6n!Y~kAl$Ph8sbujL20cRE@YmYb4e-`ubU&gYVXJy2JP{!bVq>T z8me@kn&Y5w9BI*jC&kh2HJ7s$Bg{IOM*abg11pZ%R;fiqv6@a_a;aV@WXZOzRT>r=_905 z2JXp@cqAkMcJ5H#uE_3sc~2%GJ^RRPCc_y8mvU?KX{f7rYecL(X-k&oKJnDRH@QUG z!U26t3iNc%@p}wQeDj2;F?6-&qmnRvVzax%>+4k!;N|hE^@r0WV>}zBjas8h8(NWU z1U}ifB7%6sBvzpL6;`+)>+-p;f%Me!ym$mXIe*ApB>!J{*hLY;OR8mG5TjIz?KbQW zqLoK(jJzEI#(blJtDDSu3RNg|lCH}uqc##wkpHoxB`%}uOVnca8WPQv?a8OOL5XdK ziyP%Y`q1$Og6yst0KG+1)$1oT@|jN~nK>J-0Cg&gLoL%5p(PO73O+!kEpG* zsx?NXd45yx$OCv7)x7!@8*B-iEEMI4&$+r%eovEo8gtxzPAvC&N(3;ivo~7gcXEN< zOTgo@MU8H}K=>szzl~+@59P+=UZQh4C)KU=&&SsLh=_-3fKi`ipMV+SP(obLj)@1$ zUQKjn@2>kFltC7^`LOz}5=sh|vX0ayZhMPOv=v6Nxn7OyO!P9(oQ`e>@NR@h(c}VYcyxgz1!L*MNnpuf3&1h9upoC?SfJpPAs??EAgEqxKA#ER$cr0?ch6#(duC& zr|ikH?A@;zJ6c8jkPX7I9dgiecL>t@R+>tr5e8zk@f1Xk19KLg6LD6^-?E=P_w8B3 z^om`)$JhQ4H5W2hc|QzC+LwL`$s!4REWGakcwp?fZzbK|^_7ZorZ3KB-fwa4phRZa zyk;7u{4T$L4$LXN0ady!@UxdI;wRV)xd1oDEs1>id)$nRefh*e*dKHn5%g)UKGlAn 
z;XCA!%zci8)Z6Bl=FtwjFmVCNAYIdr$Z64bE9n)4wYe&~iucp6t6?ltx1z<|;iTl) z&-wecT}SSVHn(qDY={nT84WWh&?rSlDgNxxFKG4dZ&*_e;pDo}PB=V!G!HqPD$~hj z@a~bQc=}Q%Kao()|3Y|+EcNmc3cVfe1c$$xLjiCVm=JrbNqxLtr7%+%t*>eGOo>ZC z^Zk?~gF~fenQ&>cz;u?K4;LA5RB!sRn_=7Ii)%4VJBo`LDmi7OGq&;ifvB+or!CAO zJ(g6lazo7{>Tmfq*-y7BFGr0DJHu;cA^q{!#_0r2{28M|hJeAv?y zp|v)w>6}D2Yhdr=`o!O=dUfLBo>rW8e0*&6Iq96R@>iuT;E%R$!8eQEKWhw$93!sB zg@ZmqDScYrN(J{5>w}jYk`$4!^+3)>-Hn`>U$wvHBxd}R6He-0((i~Ms(6&x58=N< zht5M&YT96G{}pG5IJfKu?4Ln0N^shp`3O-w*gK)T4s?SIwC?Sb^$t6+Pk$j~Y0f&Q ztE#JgB5d^}{T#C{uY3A3A!9o*&-UA_FONZl9vlQZv-emLLydOXdMua z|LJ!5byTtZabBq1xuhBLmc~0+U3l)7)SeHP)2fNeyC1*t5y{V1V zb}#Hu<(z4wwXEy`>6?KIleR@^0uFN@{yGbFt}|j8Darnq=&(b%^ReNZpeJNxDtiep zeb8C_ATJ6f{I&3Bo#5}Hu^-2xFukEB)77TJ1n$BaRVpHLv~E;`Mj48oWY!io6oi0P zPR;53H)Wr2D0Uz&!uX&?vWR^cjcX(?{5I!SsJrRxN93wKI#@LG^PUoOPU?zG+sMAF zHgJ;-Q|fsEZW%t&m5}BxHzKkX-kE;Z-B2J%Js4ir45Xf63!U94giDKzGjV`Fw5wO; zI;Hn@H}EZ0Ogo|jwjJ8Gl&tAU1w9JoHffYHBMb-Gu*R-yhE*#~9SAxr0+5(w)<1?p zSXsO6ATo-JRM;?3D36&CT#zb>eqPv=!)ThqfS`iyX}vrqmf$={Oc1zfLfC$t=aZfw z^}E~_gUSynJU;mD#CnyOBX)Di0>{(as*Rv42y8_+U!FO8@m+4avSjdUvW>W1qnGg7 zO-v}Sb45HQhv)H?u!83i|8#cf-;H^}AO+WMT)?#oK;^h|<g?YRF8v7hKff?T^EFOdpzB8pg`XUVP&-sJqc}fAgrmEJuBj-fh{2$ zbz!j7T2g%{MU0j+XMHF3OCqFo-pZrRGfkG&xsZWCy2H2_(8hxP{e!>_LQCAATO)ud zg}AVd4Gz3)R;qo6?5Tv}gdky;zhb09Xpk&f&`&g)6}(6rA42*NTs5(Zuj5|>J*G*G zlq)!z;x9?Lk(ok*iCl3>aK~a?Zj>TIzu+{tCA(egZ1vZ~9Q>VYo{1~o2v*0wGHd0B zZIPlz_t(um@ni%&Vui>8-gY}U7S5UD_~U{fV)A=t7H@ivyew;9{>a;sXOzu3kI4CZ z2E*g zP9t(_kJds8HaMZ`9T?0YrM*cBK073!CX8mc(+j2FzR>|C@sr9Q9jVbrp_)nJoMd!d z$$1PJTjWH3R&4N?DcrVXj~mq_+IC|q?iZD~{-~Z4wwpdYL^h?ur?6ILpmADTnY) zVYZ!j1NI>F&S*4C+-Rt;7vYP?!$yUW)tnG=RxnubVjpP`5g?a2%tGkk#7Xz(%bJp( zdj)dOQ!W6q(*+Aq{u*i*Sb2m&_?*X~NUhK^inz(N`f93h&!H$TKJ+sh-{8Mt10N1+ z$9GoSr0CdA6m5$7Rb?`;QOjr#W*q}dXDRn}a;Oq70S+Gh57kvOX=uL*Hk+fqv#d?c z2FGg$c29}=xxnoU2jE9W! 
zCrK6f@s!!L)wn6Sj`h8=UquX2GoYzNwQN`6e!>bA`dFI_Jih6WXr&lI^tsP%M-`$sXpYb zyUuy`Os7{I>hQLxrOn9)4cTi&<(5gxRy!rJ-Vw-RU02 z?KsgWZ8`?U6%NvU&}E%aDZw)Ue8w}Ba%u|*^B8#K!`yYn7TD*OX&f&~Ys50m_wWj>{u25ZAS(g1l7gMV|M_7_9yt{@U^p zP5JJMrHDbPkxW-$jmx+|1l!g*`K3peA@I+&#px;Ct(c0ICo+43e zoiO}`vTUqxz(m&hfgdIGe-Fv6;QU(DR@+MVz}?VGqZF=HUoMJP8-)*@19ay?c4DBq zC$U&H&Zuq!)hjcR`aRChuq|SUIzk-RyIe7;>?_%+2c$%1D(5kl8o`zM%oU-GWtV0< z>o%ppi4z(=!-=rW9d zU)J>_y`R9HGhv!HEzl~&>9TNgV!zUWTi|1NGPgc>{?2{IILyI*Ut)cY37u3FWw-$z zkZXvHrHHexo66;-W{@O5@Kd=7!6Bd;vu4|sfJfm>se@u)s}hlmTor|atBy{ z74Fj%x(v>`^%gid4)}@tcNEGG{6ls-_uc)L8!P-*8(AS%t(DxF;4$wnbU$@&SOm#d zF}Yv?q5n1_q=FBv=YX=``~Hf|o001Yu1=prL|nvHzhpe@#jy~sbrfOo05W$)p)o7Z zG0}IZ75Rx|q3;yfUKCC`VtDl499?wXJ*mOy;)sp!p_2vD z=ZwCI)*RhyNJy(QF=yv~#aNnA2_q`a2o>Ab#eti7DYtgQ87PRrqT_!WnL~Czy8;ri zN&!#Ebk^9@5eWI_OE$J1Fj)LqQ}@RbhEBkt_8A~ch-8hu`t7^zu=V1m5Bdg-x!C5Q zFWfM{KF^kL%d(}CYG$nIPjlT@>4#q-Jum6Z*V^vdl_7VCr|;{aiV8h*SPx>l;!mhD z`JwBS%D#uZwZYNc-sU5K0c8Ne$@D8&lY;Xv->kiTRHHw>eos1nRz^g7upnE#%&DYJ z&iRk#o1BQqm`$@z;j&iH-)s9jZMj-PGh2WEfSh3r0oQ3`fQpA9E+?-=ZK<(5=R}Q= z?$t1*IhUzJs;~5eRw;u5tFaJAo;JdI;YS`sDIu}XMb4^Iey7j|=XUYDl#CV>Z^mtkdy?Mo{Nadw z@L+c^WICPqP`*cY!Eco6L|0+C;Op)t_OS8!AKTTKJ+^a^2xD=x=iG{_4h5ff*#{(~#tI25Fg?4(4UKW$Dw~?;^tsI>b7r6IhbUOEN3~oW@4z(HOf(sbf zS4*n*ezONvsKxze#y^-jKAe(04a@$nB|g>2O*)s4kp~2B&CEy-Ue?-t2!FoMu&d1& zVxN)raTspeYjQ<&E{Q6C{ERbNh@_$-=iq`F9OX0qqc^)Z3GPPgP|wr7*~Wo&afbBw z-9%7d2q8h6`_Fh{9YT2AuOD$3zHUFUxcb5{Jsxq%Ai~c)- zR#MQcRQSEC7nWGeH4=mnlnS3$in&he3?}u4rir|}#T}L+>DzD~WDxaje)y6R7gIk6 zz8`+y@`BxheELIXj=+PYD6vxC5q{aGDBta4hO*0+OzlMj%Q;qH>Aolip+Rlo8AG8v zsQXz~d#&0QWPDTsvRw=ibQK@qIVb1N49J}~1HOqIR zroQM*bm=PoyxJA@{j4i3H32B`rVv{1H+Q;R8Uwy)AL7eSriL-ORogN=fvRvq$xv~c zkRV)zUf$4MEQ$TBj=D7n1bLjq?hYK?aySLFjx?o7by&4_#@i+yH|Ab2qjCY*MG1_n z95(Z+mU*Z@c~8jGyfF6GlA)h5P{e`8`8Acz(gCth?#(o0ydbhLy(No-3IoNIvV5g8 z;t#1xI8AJgIsU5%mcl}@=QzWK9YQ9sw+DVwO<4Xh_5tzwc7xR$1F1EmYWt11)S%WV z!&;xS=HsdbixLYf6?T-x8gUgb@nIx6ic;Fg%$)uf50_Az&aJdVC?ns>-^zSHN$QdU 
z_#K_6>CY$o=vjY%Tnm(R|4^p!fhol+6+yj8xT8dDA0CL|67@Ac%ge_3(F{+W1IikG zTlHi&Tq-l4jPIPGa7YG=+Mmwyt{Ow~!98(U;b09DU0F=-;MU`p1VfwuSB)h*A^KIm zfMZLHP3LW@J^sBE@rBbW!1d#8P<1OY@Ww?0!0>T%IY8R-G^&^0W_N@_TWWt$;b`U) z@*6?*m4~W0J}IGt57W#2n;&o}DiD=Nq4STmAejINKaM*UA>{{~805Anw%>oh#|yzROhdQ(pp?Z-e2gotmPh zchc@X20Q~p@A7ee_Nfw2?i}txH|lk;%T~A zXf=R2^^7#%$GrS&mJ9^ivoTO=ZB&D@ueD5!#lNQCdef4d{q8A@f61R0S zz5qy=z)KSYOyY}1soIT(`_I(?kGq|L46EU#qapqV@QNuZU!1*N;EUL1T5nI(9)6bU zMxhIPb8K3Cg9DDlM2FL9tlR@rwr%6--)*5d^IMiM?(77sd34-B+-pN*k57#T3Osh1 zh_%im{R3(}l48DyFRY}#dF#+eI(sYGR^p)wt1PoQfcEv`Wz+D7h#>#|sAYV*cI1YE zjhl=}L4sA_=BokoB}2+&OtQozKbF9@CHL~M90KTvLv%ZGGeaI?)L^(~VC)%MaQirH zkqyo;Je|P7Hs1FDL*A9HYTT_v7FDVr=LEMqL+Z=!$wPjRnN%}}=}f59fMKT-eE2_h zPJN{?6&$9&>kv?>9RpdlUxVffDMx%TV>5fA^nt`2tzkpGJ{38{AFlE=2hI=rVq<@H zm{P&M6>4&YWD%k9NMx z-#&o}d_40G|Hj_ZD>vBIGg;*1;of}Uiv#4kPEtQ)kJJqur*wMw57SAuXZy!zs^up4ttpC7(sid-JwgUqmK?D@I zG8V_KJ03+Pk<3!koPJ^ih+M};nB!OenF~lG@c3J`#=J}Gu17V&rvvdCA4yJ(n9wkw z$1QtV!ycgaZ!N6Y0OOPp+rltvO8Pp(gNqUsU3a-Ijm?+d-nuV0(YVEBdj7RhyushH z)c2^l0J|*-9~xw3!CW5)iLBL};jcZ1g&h0k;cs5t7t_uNj6)(1yrCQT>ft49q3=`WGL7R%fxv`Sq1+w+fGLb(A&}Ac$Vh|@ zuh?Ng_;8uBt;c=S6Cfq34drc!d?%$O*aHPzI#iV+rp(M8DX))Eyb3DX{0#KL@H%_m z6StY=RZGOI{#Nyhi;m%1$-Cg>?Zh{le{2ZllWAm$NM1N`s6I=Yb$=r^neHYDxY=Gp zstuMfm%N|rouH(|bR?`>a>H@OYP~7%0=MkZm>(Dh65XXpe9ddEId0h1O5%^ee)}2{ zL4?8WkHk@+!M5lPomOj5?8*PSni@a{4((wz&K;-Z`!XC4eApx6ZyIL%JXc=9e4Q4d!+AO^_8AkP;L_an z2*suGeDKF6+;so4$(Q#LW~=vVJQ(dhl{E=9E?n=)MHbwsC6mE8|4SZY4;e8brzj|h zp%VeHMVXA2hEVlbS@Io+_;M8=JfA^b9zwxnpKJeptchzeqLpT^s6sRle(Y)9uxL8H zTqAr&dfWe@=ZC6ZkwlhcOm)Gle3HoMU*f8280O?0ImyjN~#;^jAQy+{eec==-T8Z!zt^@^6UXcIFWG8==cQ!e4>c zd>271B=!a84Dz`jx$ zL7Gq*wvu}4!x88pb`0>P2Y4Cv>bE613CV>asV!!XNkO;QMW^FxGfl|Q=n54jGB9M9 z-`+N4+*P$TafJ-Js?axrjN@>-n^*Md9($OE2#LeXrammPph<64i(b5-9yV}mn4nYG z29w0tV79Di;?GLSmAz@NphiY$Mq@OvGiv(FRERkz-fdpQu=MT^)Ji~>hIQY)L1hy4 zYGHF~zKfucI$Aqzh7x+TTvx*%&U@pBPAH?2%vesXynPPSsE_!$o$l1LQ8 z)BO5j7o9pHnn)J!e{1Brqng;dZ-|O?LKg_VMFgplBGRPSAcAz1@{rz}6af_oJgW32 
z5CTY%-b9cRI!cogdRLlsBK;S2J$>@~zO}wtYi9nLy(jmcGyB}Tvd(@zS~uh4GLGp5 zC$`4|4#iS6G_q#$g#rycUl-6fpxAiLSPumRNyQY{ghe zRa^}w=rgw~AhUP26KR~DkVe6Clam7KmLV$qA(;IW0pcnq?4uijfS`PrtU$D zJ-%;&{JUdgM)8JoCi<8DCy&moFalc@j47JUY+gH4nWX47TP*S~Pm7s68+%}QFNmkX zWq$u)=3MH}e(TgV;?(&|000va0C4U9^;`ewv=;o{X&wJS%XNVhbasPos<#0u%go|h zc87vX-F1I|nbUgQipM-vf&6Bs=t{|EkX_pb%Wcg3FzbOiX2JYL$8F@RUIje*hEF=? zoZIc=8+q&kOA4PRjq-~h&wfx@NilTV7Z)(({Wf@YSSN@qTls?}g=UBUdTOLf6{V>+ zFX#3%`sOW_s_NK?fW+Kl+c&0G+4t&|)7nD&FQTO=J=0FxF`5)6En zymV|j6xL-as0S-~V*6zN?M(O9dk0(>yA2`xi)np5%6}UrWRoM^LEzqsT526A+zMcR zc92;?BCzr(@)hY;O$M2gV{=5U?(i!YYmt{;l!~fl^Y)gT!(TPlZM*M0e9gV^6k#kP zChuGcYM<_YvsDh&9rj`0vPG+z5hc9$T8mwk_9YOR+*#2pG|riF3-BO)5P5H_8Bkyc z-XPU&wZ#wgIAYFtk#OLirWfF9u3Sf&o=#XbSd zm5y1`=7`vjQ;fox0-dB@1=g?J;wm51Wd%L;;XL!ya-h?BT}8>l>Murd_CjQhx{@KR z!H4FUnNQoM&K*dSb#gQfG(p4{$z2Zd<}d|H?|LQ-HYa)PGpGRv*Z1K*e)HJgOeQ=8 z?OP&z3eURCW|&$9rLlOZgnIf1Ym?`h4#5eY5q;91hkQND5}F9Z>yl7F5nv zmOf_`msW!;E3Otfl$I+K0V;_xyT+nP$QMDz7z1jVf)8K6ZZvn@{1Zix;Bpxrqjxqg z9y^P zwBJ0@v}E-7v&@>_bxWVm8zxf@Y)B5@(b{?iH8af0fYJEZF!VWB(i!2Ox?o8|jGDa+ z0PtQ10EmC;f~%Xiou%t{G1xHBkD3?7ihBd<|h~?GQeY2SFLnQfPO9a4eiSTL3kmz zZGIu$v}kDQ0b_reBrzn}O0J58Ro1g$IsqE~oHMyyl%aRuQs+z^S{jx;YcLk3lx9&r z0^_d|)BQu6N+FM`2jCcQ+18tYtJ7|d%#wU|lOy2= zS+$^r0_VEUr=vvuZGQB^GAEMR0c2&ACuaV1%+F5(Mfe+<`#m;n7tG5@%F{|7LOUCc zyoKV>bkWLbT*94E>*5>!ZnbQFqaMbiLU*jb%<#b&>Fpy}5}Cwm6d}AA(wxGuE(r0p zR(*+uD@bW2e8dI%^lC41KptUsET3VqP|62aUBnvw<3nnL)F8g z=x9-tAvn_A)5%eI$X6ib6aigsz7()Z(Yj30y34b@$YDQhzn zptQ$GGw4{Dx4lN-IvT`o=4TsRV&G-0rJzX~eDG*{({e>QWMb+j)Sdba+#Nuvn(VbW z^5Qt$z%mzdtu(MdKNM0{Pk z2{k>t?-<5>qjTLb^c;nvEjtr(o~SO!*qZekJKKzC%9yJhV0HZV$7}kbf>Bh)$9#l? 
zBJV7b71cd?%g5W4j?S~CS3M52D~_i_FyO3lg1Nm?*-yQsN6^g!+v&CDcN3ed>ljJ> ziQLv8ktXyZzz!`?@|X3L=in2jw{O-N(0T-Ihg$Q=3=)$e;f{+>BX?&H6I}|Ioc5(_ zGLYzw1lP~_e+`o~ooPny&uz4j`+dU4kjFCl5=q^D=T{_(nc+3mVE2@gGHG7f!aF2N zBk4=;Yg*YVJ<`*-@JTc)g7^X14dZRb1eY2j@Dh_r2DZp0cOc}|S=3KQiGO?-IMK#q0nbZ{%)=XUD z<{OU&fxcbziByKO+J)++Gnc-hiN%3{=`S>UD8!cTkK zS2|V}-MGvn7BR#gk()9OBDYf2H~U+|li=qP2YUQ@wPKF7Hlc~l!R0mgL`MogOF1ju ziZQM};$F5LD0p&qmwht4UX1nzxTw}9iCX?+jlv|4$-M5?Iq%H^^o6*AfIt9>Tzob&fQ&;4 zpvU?Nz}rE#KqPoM&pRBC1;!pk8EP{60=yI^!f!Im?gD-ehyekG!B;8a_!F!^YdqG> zPObO&{3HiL=I{Gxhe_GF&M*Bbg*A$6VNF;Gqy_>2gxLE}6Ph2^GwHFa4nP4S=@N2F zQ?=J9pg_@B>D^GmTKH!~GAhO#wRaFP*2MgnO!Yh?gSUiKIMV~{I)Sun=SLZ#b)m(8 za@*?0c}-n6E$ zsoXU{I|m4;Q#>K*!3XkPtE`Cy<_I+X!~9D zBkoN&Oz;z(QfcD#=MBR>@ySuR!PJI?MD6ANfG92V7=Dn-a1jacQ4X9R5;S2qIfE}Rt>1kP71un? zG~q14V`AwA!&DD$a05L*;5Uj*+=XiR z=U*C{Luw5LN;PP!jjCq3HqbXV(9AaXSu+(bu{JJ>J(=?tF>9!uxh`Gz=~ zY)NN>9%k>%&sPq#)uR*9E_aUa7&;8%dpZZVOiJsvNl``mpAMU46bG#p-+RD<8SY7>H{Qas!X0u7x70h28P#IBY}(Qp@;AWnfiHpg(1P{10r9+a@`3K6 zy&_fn3fo}6OB(SFHlTU_cY!lP776Rg*-79t*-H1R_;004J+n=wOVSU1^8N!3P70Y+emwNp(X6AL@qujlWdfa0I zS~q(n{~RlFj$V%mo4*gS>lO;^SPkzwI=ERnxS8JfcCvIe{+`2a_j@#2`9UY~ouk|y zD}k46o@5ziUG;BbPi+q~-EmMo!q|};;NLeWV0MO6ZLarvb?ofygK#Q7>PNkJ96JB( zp5Col;cif~E0UzkdVZ!-M=P;-I>?~+Gp2wjqe)xiPKX}wC~Peqx&C^=UbvZtHBdh0 zPGplwAxK=oRz=Dnv*os>ldFAEmDQ(e`fHRvXuH z#j$@JQo~G^MHd7=Rb9^_So-K3j!Ke#Fb0UOaA8k3j^Sh!{ClRp3l}#fJd9{62Na{N z>Qp~1kkEKLO6@YdH~wx0d$P|CewOCDpw*gri8)O4I19!7RzbgBQ&-9D85@i3R|?az zkI#=85fIY`5DfC7y@uk zv7}gIFt^8+_Le`dKit4BzF#jcLPjqI2)JWM{$p?Ziy*KA@1nEVZ%?s{EEgTgezD-_ zAb|giKiNgXi(Bqrgn@0d7YToFz%Q~~T%iAA!I@h8!SZ{#ei3@Hp#6q^SpojLyj=ud zED*ne1FOG&`9J02BKV>b{RSh~e}MmsE?wlg_?7?WiP-@Dr*9sndIg(B-)lD^U>KW< Kb6>F+!2bc1fWU(Q diff --git a/workbooks/appdelivery_checklist.en_network_counters_workbook.json b/workbooks/appdelivery_checklist.en_network_counters_workbook.json index b880845a6..dbbd1c32f 100644 --- a/workbooks/appdelivery_checklist.en_network_counters_workbook.json 
+++ b/workbooks/appdelivery_checklist.en_network_counters_workbook.json
@@ -413,7 +413,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}"
+ "resultVal": "{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}"
 }
 }
 ]
@@ -432,7 +432,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}"
+ "resultVal": "{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}"
 }
 }
 ]
@@ -470,7 +470,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query1Stats:$.Success}+{Query8Stats:$.Success}"
+ "resultVal": "{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}"
 }
 }
 ]
@@ -489,7 +489,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query1Stats:$.Total}+{Query8Stats:$.Total}"
+ "resultVal": "{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}"
 }
 }
 ]
@@ -527,7 +527,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}"
+ "resultVal": "{Query1Stats:$.Success}+{Query8Stats:$.Success}"
 }
 }
 ]
@@ -546,7 +546,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}"
+ "resultVal": "{Query1Stats:$.Total}+{Query8Stats:$.Total}"
 }
 }
 ]
@@ -584,7 +584,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query1Stats:$.Total}+{Query8Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}"
+ "resultVal": "{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}+{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query1Stats:$.Total}+{Query8Stats:$.Total}"
 }
 }
 ]
@@ -603,7 +603,7 @@
 "criteriaContext": {
 "operator": "Default",
 "resultValType": "expression",
- "resultVal": "{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query1Stats:$.Success}+{Query8Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}"
+ "resultVal": "{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}+{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query1Stats:$.Success}+{Query8Stats:$.Success}"
 }
 }
 ]
@@ -677,30 +677,30 @@
 "style": "tabs",
 "links": [
 {
- "id": "a82ba1ad-025e-459c-9443-45be59d9ba11",
+ "id": "e5ba4fd6-319c-4916-a866-b6e195ab5427",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "App Gateway ({Tab0Success:value}/{Tab0Total:value})",
+ "linkLabel": "Front Door ({Tab0Success:value}/{Tab0Total:value})",
 "subTarget": "tab0",
- "preText": "App Gateway",
+ "preText": "Front Door",
 "style": "primary"
 },
 {
- "id": "46f08fee-be56-4b54-962a-0b73fb6217cf",
+ "id": "a1ac9b7d-6f9a-484d-b89c-31d6c1dc2423",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Load Balancer ({Tab1Success:value}/{Tab1Total:value})",
+ "linkLabel": "App Gateway ({Tab1Success:value}/{Tab1Total:value})",
 "subTarget": "tab1",
- "preText": "Load Balancer",
+ "preText": "App Gateway",
 "style": "primary"
 },
 {
- "id": "0404c560-b05a-458e-b058-4733afe8c8e1",
+ "id": "9c735b8a-a099-492b-bea4-d05bd6d6735b",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Front Door ({Tab2Success:value}/{Tab2Total:value})",
+ "linkLabel": "Load Balancer ({Tab2Success:value}/{Tab2Total:value})",
 "subTarget": "tab2",
- "preText": "Front Door",
+ "preText": "Load Balancer",
 "style": "primary"
 }
 ]
@@ -716,22 +716,22 @@ { "type": 1, "content": { - "json": "## App Gateway" + "json": "## Front Door" }, "name": "tab0title" }, { "type": 1, "content": { - "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." }, - "name": "querytext0" + "name": "querytext5" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
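Review bot: The new `querytext5` string carries a stray apostrophe that will render in the workbook — `in 'Prevention' mode' so that Web Application Firewall` should read `in 'Prevention' mode so that Web Application Firewall`. The `query5` KQL moved into this tab also appears to skip any Front Door WAF policy whose `properties.securityPolicyLinks` is empty, since `mvexpand links` produces no rows for it, so a policy still in Detection mode but not yet attached to a profile is never listed or counted in `Tab0Total`; if that is intended, a sentence in `querytext5` such as `Only policies attached to a Front Door profile are evaluated.` would make the coverage explicit. The KqlItem this hunk rewrites continues below the hunk.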
@@ -780,20 +780,20 @@ ] } }, - "name": "query0" + "name": "query5" }, { "type": 1, "content": { - "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information." }, - "name": "querytext2" + "name": "querytext6" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 
'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -842,20 +842,20 @@ ] } }, - "name": "query2" + "name": "query6" }, { "type": 1, "content": { - "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information." }, - "name": "querytext3" + "name": "querytext7" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -904,20 +904,20 @@ ] } }, - "name": "query3" + "name": "query7" }, { "type": 1, "content": { - "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information." }, - "name": "querytext4" + "name": "querytext9" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
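Review bot: The `query9` check placed on this tab marks a custom domain compliant when `tlsSettings.certificateType` is `customercertificate`, while the paired `querytext9` tells the reader to use managed certificates, so the predicate looks inverted and would report bring-your-own-certificate domains as passing and managed ones as failing. Unless the customer-managed value is deliberately the passing case, the comparison should be `=~ 'ManagedCertificate'` (the value the Front Door custom-domain API uses for managed certificates), and the `tolower()` wrapper is redundant with the case-insensitive `=~`. Treating a missing `certificateType` as compliant via `isnull(...)` also deserves a short justification in `querytext9`, since a domain with no TLS settings is not obviously a pass. The KqlItem object continues past the end of this hunk.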
@@ -966,20 +966,42 @@ ] } }, - "name": "query4" + "name": "query9" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab0" + }, + "name": "tab0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## App Gateway" + }, + "name": "tab1title" }, { "type": 1, "content": { - "json": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information." + "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext10" + "name": "querytext0" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1028,20 +1050,20 @@ ] } }, - "name": "query10" + "name": "query0" }, { "type": 1, "content": { - "json": "Deploy your WAF policy for Application Gateway in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." + "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext11" + "name": "querytext2" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes 
| mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
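Review bot: The `query2` subnet-size check moved into this tab compares `subnetPrefixLength`, which is the string element returned by `split(prefix, '/')[1]`, directly against the numbers 24 and 64 in `(subnetPrefixLength <= 24 or subnetPrefixLength == 64)`; I cannot verify from the hunk how Resource Graph resolves a dynamic string against a long, so it is worth confirming in a test subscription that a `/25` subnet actually reports non-compliant rather than the whole predicate evaluating to null. Wrapping the value as `extend subnetPrefixLength = toint(split(prefix, '/')[1])` would make the comparison unambiguous without changing the intended rule. The `== 64` branch also looks like an IPv6 allowance; a brief clause in `querytext2` saying so would help a reader who only expects the /24 rule.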
@@ -1090,42 +1112,20 @@ ] } }, - "name": "query11" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab0" - }, - "name": "tab0" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Load Balancer" - }, - "name": "tab1title" + "name": "query2" }, { "type": 1, "content": { - "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information." + "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext1" + "name": "querytext3" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1174,20 +1174,20 @@ ] } }, - "name": "query1" + "name": "query3" }, { "type": 1, "content": { - "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information." + "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext8" + "name": "querytext4" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1236,42 +1236,20 @@ ] } }, - "name": "query8" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab1" - }, - "name": "tab1" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Front Door" - }, - "name": "tab2title" + "name": "query4" }, { "type": 1, "content": { - "json": "Deploy your WAF policy for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." + "json": "Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information." }, - "name": "querytext5" + "name": "querytext10" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | 
project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1320,20 +1298,20 @@ ] } }, - "name": "query5" + "name": "query10" }, { "type": 1, "content": { - "json": "Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information." + "json": "Deploy your WAF policy for Application Gateway in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." }, - "name": "querytext6" + "name": "querytext11" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, 
compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
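Review bot: `querytext11` on this tab tells the reader to run the Application Gateway WAF policy in Prevention mode, but the `query11` KQL beneath it filters `microsoft.network/frontdoorwebapplicationfirewallpolicies` and resolves a Front Door profile id, so the App Gateway tab is evaluating Front Door policies (the same check as `query5` on the Front Door tab, now counted twice via `Query11Stats`) while Application Gateway WAF policies are never assessed; the link in the text also points at the Front Door policy-settings page. The query should instead filter `microsoft.network/applicationgatewaywebapplicationfirewallpolicies` and build `compliant` from that resource's `properties.policySettings.state` and `properties.policySettings.mode`, projecting the policy id (or the gateways referencing it) so the count is meaningful for this tab. The text and its link should be updated to the Application Gateway WAF documentation at the same time.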
@@ -1382,20 +1360,42 @@ ] } }, - "name": "query6" + "name": "query11" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab1" + }, + "name": "tab1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Load Balancer" + }, + "name": "tab2title" }, { "type": 1, "content": { - "json": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information." + "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information." }, - "name": "querytext7" + "name": "querytext1" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1444,20 +1444,20 @@ ] } }, - "name": "query7" + "name": "query1" }, { "type": 1, "content": { - "json": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information." + "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information." }, - "name": "querytext9" + "name": "querytext8" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -1506,7 +1506,7 @@ ] } }, - "name": "query9" + "name": "query8" } ] }, diff --git a/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json b/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json index 3956b7524..69e51b27a 100644 --- a/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json +++ b/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json 
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 
'WAF_v2') | project id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = 
iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, 
enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n 
\"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query1Stats:$.Total}+{Query8Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query1Stats:$.Success}+{Query8Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"a82ba1ad-025e-459c-9443-45be59d9ba11\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"46f08fee-be56-4b54-962a-0b73fb6217cf\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n },\n {\n \"id\": 
\"0404c560-b05a-458e-b058-4733afe8c8e1\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Front Door ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Front Door\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n 
\"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n 
\"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": 
\"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and 
bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Application Gateway in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n 
},\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Front Door\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Front Door in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n 
\"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend 
FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 
'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": 
true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"cdnresources 
| where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n 
\"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend 
profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}+{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query1Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}+{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query1Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"e5ba4fd6-319c-4916-a866-b6e195ab5427\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Front Door ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Front Door\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"a1ac9b7d-6f9a-484d-b89c-31d6c1dc2423\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"9c735b8a-a099-492b-bea4-d05bd6d6735b\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": 
\"Load Balancer\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Front Door\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n 
\"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n 
\"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": 
\"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n 
]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": 
\"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Application Gateway in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n 
},\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" 
diff --git a/workbooks/appdelivery_checklist.en_network_workbook.json b/workbooks/appdelivery_checklist.en_network_workbook.json index 3b1cae3ff..3c2bd2e4b 100644 --- a/workbooks/appdelivery_checklist.en_network_workbook.json +++ b/workbooks/appdelivery_checklist.en_network_workbook.json @@ -70,16 +70,16 @@ "style": "tabs", "links": [ { - "id": "defe4d73-e11f-4244-8fa5-abf405fc7204", + "id": "eead62f5-2b5b-412f-8ce9-e444104bb64e", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Load Balancer", + "linkLabel": "Front Door", "subTarget": "tab0", - "preText": "Load Balancer", + "preText": "Front Door", "style": "primary" }, { - "id": "2f28f5e7-3ee3-422f-bed7-43785a272c10", + "id": "ce137d79-b47b-45dc-955b-efdcb38cc867", "cellValue": "VisibleTab", "linkTarget": "parameter", "linkLabel": "App Gateway", @@ -88,12 +88,12 @@ "style": "primary" }, { - "id": "e32f8fd7-2a7f-456d-8484-0fb72afe9dbc", + "id": "4d025713-e2bd-40da-ad43-4e01514547f8", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Front Door", + "linkLabel": "Load Balancer", "subTarget": "tab2", - "preText": "Front Door", + "preText": "Load Balancer", "style": "primary" } ] 
@@ -109,22 +109,22 @@ { "type": 1, "content": { - "json": "## Load Balancer" + "json": "## Front Door" }, "name": "tab0title" }, { "type": 1, "content": { - "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information." + "json": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." }, - "name": "querytext1" + "name": "querytext5" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
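Review bot: The new `querytext5` text in this hunk carries a stray quote: `'Prevention' mode' so that Web Application Firewall takes appropriate action` should read `'Prevention' mode so that Web Application Firewall takes appropriate action`. Because this workbook is generated from the checklist, the wording should be corrected in the source checklist item rather than here, otherwise the next automated run reintroduces it.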
@@ -173,20 +173,20 @@ ] } }, - "name": "query1" + "name": "query5" }, { "type": 1, "content": { - "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information." + "json": "Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information." }, - "name": "querytext8" + "name": "querytext6" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -235,42 +235,20 @@ ] } }, - "name": "query8" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab0" - }, - "name": "tab0" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## App Gateway" - }, - "name": "tab1title" + "name": "query6" }, { "type": 1, "content": { - "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information." }, - "name": "querytext0" + "name": "querytext7" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -319,20 +297,20 @@ ] } }, - "name": "query0" + "name": "query7" }, { "type": 1, "content": { - "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information." }, - "name": "querytext2" + "name": "querytext9" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 
'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
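Review bot: The managed-certificate check on the new `query9` line is inverted: the text asks for managed TLS certificates, but `compliant` is true when `tlsSettings.certificateType` is `customercertificate`, so custom domains that use Front Door managed certificates are reported as Failed while customer-managed ones pass. The comparison should be `extend compliant = (tostring(properties['tlsSettings']['certificateType']) =~ 'ManagedCertificate')`; the `tolower()` inside `=~` is redundant since `=~` is already case-insensitive, and any other managed certificate variants exposed by the custom domain schema would need to be added to that comparison — confirm against the Front Door custom domain resource schema. The `isnull(...)` branch also treats a missing `certificateType` as compliant, which hides an unconfigured domain instead of surfacing it as Unknown; consider dropping it. This query was carried over unchanged by the tab reorder, so the fix belongs in the source checklist's graph query.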
@@ -381,20 +359,42 @@ ] } }, - "name": "query2" + "name": "query9" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab0" + }, + "name": "tab0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## App Gateway" + }, + "name": "tab1title" }, { "type": 1, "content": { - "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext3" + "name": "querytext0" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -443,20 +443,20 @@ ] } }, - "name": "query3" + "name": "query0" }, { "type": 1, "content": { - "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext4" + "name": "querytext2" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not 
(onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -505,20 +505,20 @@ ] } }, - "name": "query4" + "name": "query2" }, { "type": 1, "content": { - "json": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information." + "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext10" + "name": "querytext3" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -567,20 +567,20 @@ ] } }, - "name": "query10" + "name": "query3" }, { "type": 1, "content": { - "json": "Deploy your WAF policy for Application Gateway in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." + "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext11" + "name": "querytext4" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -629,42 +629,20 @@ ] } }, - "name": "query11" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab1" - }, - "name": "tab1" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Front Door" - }, - "name": "tab2title" + "name": "query4" }, { "type": 1, "content": { - "json": "Deploy your WAF policy for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." + "json": "Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information." }, - "name": "querytext5" + "name": "querytext10" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | 
project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -713,20 +691,20 @@ ] } }, - "name": "query5" + "name": "query10" }, { "type": 1, "content": { - "json": "Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information." + "json": "Deploy your WAF policy for Application Gateway in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." }, - "name": "querytext6" + "name": "querytext11" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, 
compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
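Review bot: The App Gateway tab's 'Prevention mode' check (`query11` on the new side) still queries `microsoft.network/frontdoorwebapplicationfirewallpolicies` and links to the Front Door policy-settings page, so it never inspects Application Gateway WAF policies: an App Gateway WAF left in Detection mode is not reported on this tab, and the Front Door results are merely duplicated here. It should target `microsoft.network/applicationgatewaywebapplicationfirewallpolicies`, for example `resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | project id, compliant=(tostring(properties.policySettings.state) =~ 'Enabled' and tostring(properties.policySettings.mode) =~ 'Prevention')` followed by the existing OnlyFailed filter, with the link pointing at the Application Gateway WAF policy documentation — confirm the exact property names (`state` versus `enabledState`) against the App Gateway WAF policy schema. Gateways that still use the legacy inline `webApplicationFirewallConfiguration` rather than a policy resource would be missed by either query, which is worth a note in the text. This was moved unchanged by the reorder, so the fix belongs in the source checklist's graph query.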
@@ -775,20 +753,42 @@ ] } }, - "name": "query6" + "name": "query11" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab1" + }, + "name": "tab1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Load Balancer" + }, + "name": "tab2title" }, { "type": 1, "content": { - "json": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information." + "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information." }, - "name": "querytext7" + "name": "querytext1" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -837,20 +837,20 @@ ] } }, - "name": "query7" + "name": "query1" }, { "type": 1, "content": { - "json": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information." + "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information." }, - "name": "querytext9" + "name": "querytext8" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -899,7 +899,7 @@ ] } }, - "name": "query9" + "name": "query8" } ] }, diff --git a/workbooks/appdelivery_checklist.en_network_workbook_template.json b/workbooks/appdelivery_checklist.en_network_workbook_template.json index 32f3a2959..7005f647b 100644 --- a/workbooks/appdelivery_checklist.en_network_workbook_template.json +++ b/workbooks/appdelivery_checklist.en_network_workbook_template.json 
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"defe4d73-e11f-4244-8fa5-abf405fc7204\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"2f28f5e7-3ee3-422f-bed7-43785a272c10\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway\",\n \"subTarget\": \"tab1\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"e32f8fd7-2a7f-456d-8484-0fb72afe9dbc\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Front Door\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Front Door\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. 
Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. 
Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Application Gateway in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n 
},\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Front Door\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n 
{\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": 
\"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n 
}\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n }\n ],\n \"$schema\": 
\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}",
+ "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"eead62f5-2b5b-412f-8ce9-e444104bb64e\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Front Door\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Front Door\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"ce137d79-b47b-45dc-955b-efdcb38cc867\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway\",\n \"subTarget\": \"tab1\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"4d025713-e2bd-40da-ad43-4e01514547f8\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Front Door\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab1title\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Application Gateway in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n 
},\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" 
diff --git a/workbooks/network_appdelivery_checklist.en_counters_workbook.json b/workbooks/network_appdelivery_checklist.en_counters_workbook.json
index 63905ca9e..bb311ca2d 100644
--- a/workbooks/network_appdelivery_checklist.en_counters_workbook.json
+++ b/workbooks/network_appdelivery_checklist.en_counters_workbook.json
@@ -563,7 +563,7 @@
 "style": "tabs",
 "links": [
 {
- "id": "bca18139-c8f1-42e1-ba76-c6a3631cdbb7",
+ "id": "d6436109-47d8-41be-b0ea-2dabed482fcd",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
 "linkLabel": "Network Topology and Connectivity ({Tab0Success:value}/{Tab0Total:value})",
@@ -901,7 +901,7 @@
 {
 "type": 1,
 "content": {
- "json": "Deploy your WAF policy for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information."
+ "json": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information."
 },
 "name": "querytext5"
 },
@@ -1211,7 +1211,7 @@
 {
 "type": 1,
 "content": {
- "json": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information."
+ "json": "Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information."
 },
 "name": "querytext10"
 },
diff --git a/workbooks/network_appdelivery_checklist.en_counters_workbook_template.json b/workbooks/network_appdelivery_checklist.en_counters_workbook_template.json
index 6934006ff..fd1c006b1 100644
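Review bot: The new querytext5 text in the second hunk carries a stray apostrophe, `'Prevention' mode' so that`, which renders in the workbook as an unbalanced quote; the added line should read `"json": "Deploy your WAF policy for Front Door in 'Prevention' mode so that Web Application Firewall takes appropriate action to allow or deny traffic. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information."`. The commit subject marks this as an automated change, so this workbook is presumably generated from the checklist JSON; if that is the case, the correction belongs in the checklist source text rather than only in this file, or the next regeneration will reintroduce it. The period added to querytext10 in the third hunk reads correctly.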
--- a/workbooks/network_appdelivery_checklist.en_counters_workbook_template.json
+++ b/workbooks/network_appdelivery_checklist.en_counters_workbook_template.json
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 
'WAF_v2') | project id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = 
iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, 
enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n 
\"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n 
\"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"bca18139-c8f1-42e1-ba76-c6a3631cdbb7\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Network Topology and Connectivity ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Network Topology and Connectivity\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Network Topology and Connectivity\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. 
Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. 
Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Front Door in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Application Gateway in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n 
}\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in 
('Standard_v2', 'WAF_v2') | project id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project 
Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant| summarize Total = count(), Success 
= countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | 
where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"d6436109-47d8-41be-b0ea-2dabed482fcd\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Network Topology and Connectivity ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Network Topology and Connectivity\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Network Topology and Connectivity\"\n },\n \"name\": 
\"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. 
Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Application Gateway in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n 
}\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" diff --git a/workbooks/network_appdelivery_checklist.en_workbook.json b/workbooks/network_appdelivery_checklist.en_workbook.json index f0e90bdc2..e53af1fee 100644 --- a/workbooks/network_appdelivery_checklist.en_workbook.json +++ b/workbooks/network_appdelivery_checklist.en_workbook.json @@ -70,7 +70,7 @@ "style": "tabs", "links": [ { - "id": "7ccaa132-1ef6-49b1-ae31-00fa9a78d667", + "id": "b57de63c-233b-4c04-b27f-5da0c8a5ad8b", "cellValue": "VisibleTab", "linkTarget": "parameter", "linkLabel": "Network Topology and Connectivity", @@ -408,7 +408,7 @@ { "type": 1, "content": { - "json": "Deploy your WAF policy for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." + "json": "Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." }, "name": "querytext5" }, @@ -718,7 +718,7 @@ { "type": 1, "content": { - "json": "Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information." + "json": "Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information." }, "name": "querytext10" }, 
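Review bot: The new `querytext5` text in the `@@ -408,7 +408,7 @@` hunk carries a stray apostrophe, `'Prevention' mode' so that`, which renders as a dangling quote in the workbook; it should read `"json": "Deploy your WAF policy for Front Door in 'Prevention' mode so that Web Application Firewall takes appropriate action to allow or deny traffic. Check [this link](…) for further information."`. Since this file looks generated from the checklist (the same string appears in the serialized workbook above), the correction presumably belongs in the checklist source rather than here. While the text is being touched, note that the final item in the same serialized workbook is labelled "Deploy your WAF policy for Application Gateway in 'Prevention' mode" yet its query and link target `microsoft.network/frontdoorwebapplicationfirewallpolicies` and the Front Door policy docs, so Application Gateway WAF policies left in Detection mode would not be reported; that check should query `microsoft.network/applicationgatewaywebapplicationfirewallpolicies` and its `properties.policySettings.mode`.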
diff --git a/workbooks/network_appdelivery_checklist.en_workbook_template.json b/workbooks/network_appdelivery_checklist.en_workbook_template.json index 030681d7b..3c87d2808 100644 --- a/workbooks/network_appdelivery_checklist.en_workbook_template.json +++ b/workbooks/network_appdelivery_checklist.en_workbook_template.json 
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"7ccaa132-1ef6-49b1-ae31-00fa9a78d667\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Network Topology and Connectivity\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Network Topology and Connectivity\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Network Topology and Connectivity\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. 
Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Front Door in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Application Gateway in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n 
}\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"b57de63c-233b-4c04-b27f-5da0c8a5ad8b\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Network Topology and Connectivity\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Network Topology and Connectivity\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Network Topology and Connectivity\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. 
Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Front Door in 'Prevention' mode' so that Web Application Firewall takes appropriate action to allow or deny traffic. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Enable the Azure Application Gateway WAF bot protection rule set. The bot rules detect good and bad bots. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/ag/bot-protection) for further information.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgatewaywebapplicationfirewallpolicies' | mv-expand properties.managedRules.managedRuleSets | project id, rulesettype = properties_managedRules_managedRuleSets.ruleSetType | extend compliant1 = (rulesettype == 'Microsoft_BotManagerRuleSet') | project id, compliant1 | summarize compliant = max(compliant1) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF policy for Application Gateway in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n 
}\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]"

s||T;@^ZV7EJdgTd}|5xQVS*U#j$f+1mKDM51w&=Mc3eoxXm{B zG%#21FCAnpQwX0J-#94+U|$ins|rq{K}QUPmmqt+Q~4345tfja3xa1Ln-C5tLsf5Y zc>(}BP>=+j6xVr8{rk|3{V+$|v&Tt3tTwqu=O0158=5KoYa_s)T=IuN^eEOZ=a9mw_WFW0Xe*D`THH-$3$yNU^< zU#a9#b`040?({Tye7{ws`AWqvB$h{q>iBfV{o8t#>DlVV?1YJ^c!R89=+LIKWD>t+ zKm~xH=`6e%slTA7;4>M%tGEXi$WWC!M%RiP{LH_3eo&-|8^fWE1J4r)%N#Uxr@N>y za`P}Ww14+t?A+vxBYu{~{W)mz>8EB#8DnN|KoZWZjW?@)h<}SGP{PD;8xO|{u`4rQ zgvl=RtwlT902iTZYpB1J!LMf9RzHAI_p6A`;49+e;6-w)~DHq$**>1 za&2DdP~Ca2-<2jDr3n?{YcH_tcA-$m_375bPj@AI1+WEjy>eK+b&Zxhg5VySDgV19 zI{al8og2OjxWzZrGsr9HWPM{a3StRUj7dO~-k>TzVE@M0UFMhGO?mXs-1}t%8+H)l z8=8C5V7b|3mX_jvC%k`y9WV^dXFUE}fG4ef^M0OO!sX~n*8<&D=1rjWynr4V${X!E z&>vHsxGjRKbClk_b<~)>D3F)wj+TQ&3m|fvV1tea=w#9sr&Nr>k>=_ikcJK|{Zq_a zSsFL6V%+{HrppY}+DvW8I1++C5uE5sNW(2El@lXo>-CNTx8XhQv28wTdgs+o8YUED zK7uq@)`RdqIz94|it>2+q(aP(rl4VDB?teOKI?VG>IxhGXHz!qVmuT~Ls~|HU zg|Sn7g^?@st?G`he0u?nRJ@}Ory?G@f#K`fAAxyDHb1-a(xy%PfJ&knOe&(s_-^=8 zBPF?R3hNmVN?Bwoknnsv-6+SGlv(+213x6~6~V2KL)$^KIq)>~1z!0jnGTJEJwmW0 z<8TMoL6=D&o@5Vi*)B(dW#m~^87gutWK7Y>hY5BbxQ%aj4u{N8>Lo9O=5)(us+8a$ zsFr}`56w0TfMniC|1Ly{EzPG?+4w2@kq&=~0J8%x**l~#S1L=0-MC?z3rQXOtJ%+c zl4`-pT)62FxVJQT5>!-S{tSr}ve>c{avRRr7ZTH!(xMpwkQm-xT4EF7 zE;d~O5~Hquba%HUe#PDYG{OuhL}tP+LjI$XI5V}-X6n=OZ~!?yK0~R`ll!}YjlK|- zr`Nf0@C{9i8^Nc3#iqqWfB&^kC;Tyt&VeqsRV$s&l=!kMWaI(r8n-kmsbP>q5@!SQ z1i$5>bT9Z3q!%&;p)OtOR{5c{-g?o}funkR!5sbmeCBMlZYt`ta)?y`|N1R+uv8eq zMNCYWnFZ#nenxgingqr2G2tr1sSnH>mpd)=I)0zkTzjOyok^vL5wnSPSJ|b`T4VW- z+6?b9K&`$hBe{0RCU&T?dEoxz{6>Pw8@{*r$qXY%hI#06h^u|4L`tB=7l^;m7oP*Z zvnoR6LIR|GXKee>LAm{Jc{t<%6LF%lR!NXEuBP|Fmcvrj+pb8TS%FL2#dOvBp?vM?T4#BLKBwqWgw-(MZy_43l;!{#p2K*hR17Q;QKDi zBo)Wkf;eS=5ut+cIzuocURa1ken*~me=CN+TzXZ|}0F(r}{4w0(h%rkRaTC5P`eW@PfwXw8T6bhMGH ze--&GSoz__bl`ymWLphPqcWj+Mx)eu>rE*k!-xZc`#sH>EAjLaQtk-lZEyU&O?2jz zZ9ZQo)(Q~wnl?@w`({gB|NgnL76v((&uC#g@E8MIojiPsrh>t`A|&UuXzq|JSbF`_r``G;}pPsJQpJVncgqX4jN> z!uaEE1#K1-lA$L6Vz&xg5exn3TK?hrM6&RNk#M^5@wf9(tlg95{Ar))o3zdm3#{z( 
zJ1mOb8+t2#w%8$d;an(2d<^g3{j<9KTbNiIuAqm75bI&neaP{<||&=WXBabE@m}$Bnkunz@#Y)-!p0=G8~`n}vU${@Ry0L<{dH z-UCp0?Z{>O-yGZGI22a(ja+oZn99WeU35_$xq~n|MLOKl@qF+$%PMeI`!(VX(#|SB zLO&<7764-6Dk3V0Bv+M8f7JNPY0uSECnFLnO2;Eeauf(fH4FtTHN`zvS8jx=FI|Ri z59RI5ZLlMqLBRX83q7sXs&Ja}$^zDEd+QJG?1c)vxV>c^s4bN?mg7X|(RC~+9KRN# zg-v8?==#epw)k87FQJTNV>f8jVdFl#1S4o21f7oBj^J!;?rud;4TZ2c#wI3t6>Pk4 zOx9OMvh^0*E{X~^afAkJ+<(N29H_P0r5JH@;?sP4#me1)U?h6ApOP^Z`AvxCMHKs1#z07#j`s)}H+Md1N%*AwNjvcAX*| zg@$lRq85~&-BHv`_F#a9x)f%+dvq2uf^C|hL!DJUrnfq>C^K$C$RM!qm&cGja;$hb zqYLzG-^HOCO5(^3K!BO(tnhk@vhBE3r_a(8kDfTh9nOqda`my-xbJ-k$#T~_adAht zG{&C>zA7mPzHLd6oN=~*JLbhLJ`VR8{W3;CuT{Yi++26sxZkoF7E3=<6T)zW;rRn& zuH$yL#EZ>sydjiJyUv2}S#+Lked7s1N28KezRNU!ZlY*W5J7Hua-Cx@nS1k|#=Os#oqOg{#_3 zqwZX_U-ADCxWz)HT0QRYD1pU22KHrvJVUp9LGf$!Y~MMd_D5U4V*RVJ%e8Xqej-b2 zS7cN*z_oC&-PDg|_-{+UN$_u#e1GwAwIg%vVBwqkqJQ#O4b{Zr8zg#z(@C z;{B!ad=z9RZPmXt%5l!IrejUv?tEvqDs<)XOXKmXs|AfwpJD^OK9}a4kSmB?T#@{? zZTd}Iov^qDP5~U7k~)CcMBL!dBmbBc(*H5_l|gZJO}D|_-QC^Y-Cc&@!QC}LaEIW7 z2X}W(kOX%K1b3I<4tE}M-{h;}4^vY$`<&i;_3G8#yJeD$X-Cdp{D|WCWq^r~SLty` zD%k^mPcza`ozWq9RQ*S8CSE_ql7SZs@%9GGv4zd;H393|3RXY;2Th*~*L_&QWh$Re zPdVZx5wmTYh<{5XgfbRSjlOpSrWL>(3&NAMezqAltIUJy{~4F0r%diRHJQY;UNtHi z!eVpYc;J7xI{?$vPc`h){Gre?e^#ov8G7qVW#6M>u75MAQeD)bI#VPfi^96P4ZRJ( zOlKhRpij99c&_7+vF}_jFZq4{E;}cm#Eee`Oa;U*F9kyhy|Mxli`ga#s1=$Fflbx~ zI1&ATFehbl&3=>U#IRXs4Q^+}$|nZ4TBv=Kzk0K5K>B!)BD)!Z@5HVPQ$2|% ze_GjxsV)JO-d@s6=|`yA#QMe3lu=|1NO({z=DWdqfz&8`1cu&X5&0yf>MZ?mcE?`U z0#dAG*m?6<*(6AVD(7kRC^IQ5rVccS_Z#rr{QnCM^`+qT`Q#^s)(^ufp>q!wHikc- zhbEk3IOh!3BX1-$`Ahdebrns@hhm3E7dO*>Jtt>h8sDn>)>rRe)b{+UmaSM z{bl%ZJtVTwW7ze#%g?%1({W5EPKQ`*RKr8wizS6Q)Jx{u@yb z0V|Q4Zkd@7#N>r(FSU<(H3Zgi6}RyLR7NTlV+~yGM$a41DrYRaTVqEE?1qI=!65>I z-6*6P3$i_TpX~duB==0dgHax=u++0*>|o%YY<((gS!FthNr{jd?Pknrz~3uwaN+`$N^YdVz#Vxe%xpK_)gj`)s zs>a@aTTk;psD6OKA#EFiNzA4adL~tX2K^%k++|K9l<~E9sV@xBGawhwC6O;@hb#Z| z!UkbV@>v%u^M8sL+GD@`@fPV1uYO@3GtGO&0pdrmCQ`hQS4j5=^Q#szZl|^B!DOWG9jeU6zEQa*9`8 
zUu{=51-SeMeh#q%lLc%9oy#zX2aKLPVz5PL6r`eywXS4lf?Wuk{1M3d z3@D>IoLFInmcJvxf&`JNLb%W`d#!DRjMCswgit+(_^pW zd$R`c=26qG+m8zm=U`v-R}P-C>FBhwvHIudpoz~oxG-e7cmhVL8{$en?1BgJJHIY? zO~PnrY)={6bY9m9x4RxXT|4V`sLTwKZ{h#LFVM9*+g%`JSR(A4=cnHyWklBuGts%4 zV>2%MAf;v~P34{pHAFAa9N4L|@RzyRDPY;T*5V7*o`i+yfRLeXEcgH(s*%{`_wLWB z9pzj6T`E2pW^6nQeHLQo9C-DD(^OwB6#q(;HGR)eV$%oiI&QuO2Ace1 zub`HPsBM@*m>cgM!9n4mDR);uk4iD|St3N=fq! z6Lo4ajWq2sa<*D5BQast{~tK6+ZL}^1fv}W*6`S=Z*vd{bo=Q4SkWc;Tk$>E)MbbR_N ze}V-o|Mke(sLt-#FXYDk^5bfYk=lypBgQjDdE6t1!N(HlfpxottY^Daf%6pDQl-dWbUaxt4T zLz!B7+aaY=(%NI? z{3jR$tuk3x;6(8_G%!G2=prRaVUx?lg*HM{$j2dSa80HveAkm)NJLvR=1 z-AUuI{{O-JQmy*sRFAmAHN;w#Cw}6P1CHp>zqn^AbBN() zB*NJ^BU&60)qz3&@2(Ds_QRMm>CggU%@1~31c;Nb&<6#Lt_=PIQknqgW2V znQvTGKMk(eKC^%v9y}Rz<>e;&03F!Re$pvS?*Hl2MEl~QR``ZWobIu#aQlMAAE5a6 zoNcVD27g2@fMP}Z<~Zsf?UxU4Lj?U zHGTeW!CsLYkj!>?oSymqhS9=YCBU7=Gj+de3YJIgLfCvS-Q~2 z%RtM?UlzIvC|IA)wC4izPe8+C@=sg^%AG#Y**_F_Hp$#PSQfPj#!sxCT=beBRK3Y` zWWk}xyGJ5rxbH_7He1}1sL}|iyfp^EYzPR+2)D3z0Dv!)j?vYeq>kXeY#y+e7XJda zr_|m|q?+Bac4^>li^YY75OuQr#7kE4{QcN6n07fL~sp*Mx7kg*! 
zj~DWKl=fLs941dS}N;@KS5hYLpIv(^;e2cVH{&2s(nu59*4WGV`R!YoZ&;GV1 zXn{kGY_t{ne;I=zCpY*l{>}{N6MU15g3O`Tn>IwG^KhtO$3%ki>Q(~!?+?c zM$Ic|z011sEDL>T%p032uHY6SU53tT59aW_%}ZgR-nFLw=s96I}bZUIH%}S zdBke~el=dNgE%ScC0!-qPp1Da#jy|k`)Vk^xEmnCElz8inW=zTB7=;(zYc74?3ddH z;VS-g=9Wk+?`?`MsHTcO%MU;?jr9 z#sEL`5>=PHQ(r$3!%F8JSQ%F&x;^8lkhRSreKfUD>K2~8OX#eD!fhJGAJ=zJf>|5& zX8NFnvPs4fVh!mQKfbUkj(GdaFB+;Ix|iKy)5T}x(Fr7?Cw=uIGKVP0B0vV2{-A?XA6Q_Z1>@(_2eBCC}WV+hIIlsPt}8`mnwK+v~|+)5bF7Y-;Smq zW~Sqg|BBTpo6Xl8RN(F#A3aiG zq8mll1vegKB1`exgkazMgf9Cy9dR9Ag>=&=4)G#&%O}8WKRiESODLzxNQ+F023#X~ zQ%-2C zw)0{mQBY8X1|6Z3^lZ%4Szr)ScGj9fP`OIyMM@=fbPP}NYgQAdJk>;UEs&?c$ckm= za3emzzam6VquRWCRR^|$+H1X9#;dN<2K-I$LSiA5c~y{;4y%om*q?MJ1sMKtC(P#^ z1rKp1$YU?#NTw!>jKbE@vbATYgKm~4tc`=P`Xi!C5=O;Ics0cZ+lE-94JZ=9#LHRn zsbgbqgU8@yLL7}j6_%2%-R@wi993FHbdT$LW)W!24$Te@`B46-?NOIHy1oOYzE%|Z56c|^9Oy;GaCPIeeA*&@0 zu=UzUqFHakOSxxm@G2(JLtlKU)dv5&8KI@=^x!t;^x&$|icMw}t03d$cpDhdA$Xmc znb;|WENJIq7A>x)Qt(xAD$P`|F`$2FaIb-3Wl7z288Yh<%>z-!2s~~=08{z-h2Q8k5u>U#$>K= zDB!!9TYffuAXdD)^#XUmJF^1xio6}J@0|>=uZ-_~$ysh)(hgpByzZ7>%9a9sypMs6 zE2pz%HaSDi0q<0is8^4Q&$kz8;Y(i;REdo7U7;zZC>dbO8_KJLYWv+mvqwQ+`I|{H z`;sBv8DCAk3WB0A8;;0Z;v^t4VlX@R-dxcFw5v^7u+=!@{DC;G;Kn2$JrUkb0ejhJ za`Yda8L2Jf#4?eg`YsR>5!4$v@CX*%p{n(81-;=1Vx84y-Ri;fKpphkU|TUppc;(X zqPJg}^pF{t8(Jhc@SeBO{Of3VxmhYQTo`AB7x>dT{3a4Xud(}P<>dD2FO=D(p>*;Zw-(0Fs$ex4%S+7ikxcHiLO(b>F-!R(DK%H$+5D1->TjYql1e@A z*=eCk%?zTRN_Tp zSR|F#sCW#$t6-~tY z6pGQY7B)g&ioF5B3yY3Yg)PZi3u9@YKkJ-LWFN{g-juz*+TmE2+9h^yk=q2#lqHb_ zPp`1fhoJ8rM@ZJf2Ms73Y(S@KiGgMSf}D^8DYT~~IdF}n?d}=Lp}hVG3+Ucencpep zEvHk`DnDEq>70t;OEL?)d;8Dsq_w?g@zuMx|JnT;$NjT#+Ij7Z)1HQwzlK@pqE37` z>M;B20UyDZ;Ya^X&qH)nSG+9PBgp#-T}!l4!CNmj!FN`GUB0)i2}OzsfvR{FM<{t# z7^jz5h$XK+P4(;=bJ1z9ifztTz5h&0_AV%L^Jkm8xAb1B1Tz*FiS0J z4tm4O&-ZCX&C;w*TrR5bN22=8aXD$NmLN^0H6t|141R03R!X32n=CJ~As06X{SRQw zjI+e;W2=jsL6Jk4Ge=of^%mg;_&U1{w5XN>UmGWIIL6Qe0Ya;w?%?ml6v$bNTe!B9xGeZ)1T538K^O2p8Fq6nOmD z0ATU6$t?;i&(v1m`2xIQY9{O(QGD(LRi+c%!2lz0`642eVrS|jI5b0?gPl-!OG~F= 
zcbw6Z*drRKBTrtysLB5=`wk{F0@pxE(k+&COk|Xj+(&Vfq%SGq+gYL{ePu`C1MxmB z4(}=^lxKOr1$wY*TrxN=)F^eIVNOOc;iG)_0gm%{tH#yDF$UMwcYGwFuharT)~Up2 z!7w+>3JsuXc%Tinkl6$G4!D8KhZ|>~QK%G#fvIU9X=OI~C97MmbR?sN5}x5fdZ`D+ zg7@FDKIQg0#Z+7Hg5D;yKL=i1_14w;-4;pr$AGse80_&P!5Pc3y+$QplvahO9TF%n#0?K0ioRwv;z%o#MzW4~bT`ZF#PnFFjtdCyI z4Qu^$W|zC>)b7y7dAD-%$^tyCFP5|QE;w?JyM1E#$1d+g{#4DJ;|IpCTq0_P0k;_w z*WajGCSuceO5bd&n0v(ULvM7%;Z40ig5hJ53&)>rb48W4>G8ctZ@Jo`zOs9>oLWgM zuX3EV*E^d6ef{0kEw3U$J0ruz@S(>CU<&--@_`KxENz>QTnuwuy__uqNhyb}c%INb zQUH3n@fb}gCoHrH*Uq08Y0-F$?%o#s=@kMcQO5lRp#+VLcoCxcL z_Ea5xEVH+wv)t6l=rRAe)9Nx-AkFC^#Oasqo5Ep6u=^}E*k*mDQK1oY*Hh^|m5lZI zH3+8I%I9MN@rw;0iu%nZT+r znA#d*U8~Tgr#iH1#NML-m!vSd4S|3?SDoz4ALsR>{BM5x@w#`k9oORLcVr6#G%ELn zT`c%sZfW2ou=<;KFf85Drx2zx4d1b#f?*M$DkZ~8cz{(-{vvuPtEeZ;W;B-^>6AnVgV5cN8yEiH!Y!lLi5VZbpaUkPv zzm?r7Lwx8UO?ZfLcI&l&tegB5C?V7bBV^2-FZiKZa2Ug;#RnkB;+34)5fuhq>eVZK zGc*%Du(Py|UH95m=8R7ZrH_s?+f(V+F1EC5RDt!*fzPVu3BP>t z^K7jB9t^jiLIQ0mj8Uhj@a~5_d3(;^8#Jggz@Sk0YF))@!Q% ziPYIl=&cYn#6G}aaUvYi!|9h$Aj7lQ@TCiSahPodIrBHi5b@vKEh`#mGEWrhM|F|ay zX*zjKMRgwqfFU3ciTSH>6?CbsvB$6M<>7lj81Q`bX4*TFh?%movfO~i6YW}(%Z}1C zl1{X`Df#o*&-=jT>Ire}Hqv{o6}L6R-g?rFUUf35$M4T1b|{NEI(R^O$Q#w zOf|6^rsDn4n0mIcM<+owtd*y@Q8Ix!!a~_oWo3r(*@8KK^C;AxejtNey-%uTUc#Nz zN+8wWB1}-muK9w-2DjKKukLGYiHITk*Eg_}Dv*8pp@Si6KyfGbQ*pCoU=%Z#i$fvbMxh?>nKS?Gtj87~0kuwz{gD$l1c5S6DED^Jo z3U@TOS{+dt8ri6?B@b&aJfKG>5-eF3kx8XQ3sMf`re@$I1gjw;HF+q0EPE(yODl5x z`g>yUX{@Nm!cf#DjPm(_r zJ{=%ow!EB;;U3xSekFA-?RdDI*gik+xy^Ii-`T$ci!^5ynXF>>&~ly*d7IifGheNg&`e3hj|SO zbws-nBnhg1D(N4yiLr*KWwAm~vqfdr(g{^6WxW^m#gyfMSpxO0RR&yo1K6JsS5e9;k6 zntRV_)$G>`ntKp6vMI}MzN}C)$nGtvEE2&dUwu`kO0bn7M7KCMpaYcPIuTW%#x^M-lk`~T#A&M3#1 z4pt^4{R7E$n-0$jc)d+M#xF&gjK1%b($_O)X-8%pP)I=p?mJ|YGXPp_SsQBd2SHyU z(?5$&s>{B=vzbn{g%p|0ko$R&{_>9IN~1;R%Bh>KCg?O#C(x2F5d)HMajZXwKr_=A zh_vnRCS2OcNC5j^y^Mvles#es6$LY*>!;dah*@c=j3T9IaCnVuS*KW8yim?#`Tacr zlom0T$L}CM(SO!hFLL_ydybG4w3F7kk{-7>{NPCrl?!70akVV7CM`oL1qC;?7&Cq@ zeAb=6+!ew!C@tXdoiEjBpUppYP_>!Wg85-}Khts>U>9dDA=3C5exkDW?0;!NTm0Ez 
zUHT#pJf9bkdprIJy3f(iR(pI<;DhHOpWRYQETyM9Zp1VKtgdfnWY79xz*Fif*OaRD@Gn4cdR%uiN2cc+s(d1j)>8jo)-l|?>dSEVClY*nM37Z6kRt*4r15&C;#0< z@)2+4q+VMf_4Z4QAK|ZhPBM@?u&xiCZ?T(!_ATo@EV6q!kc9bYr<%4c9d6l?6f`8a zAf_C($%+EkLp$mevhNw9Hr32WuB2_r(7Q9Tw()x=wjqWI{5NPD24&6=&Z<9+i&9g9J~oNz7rOkfC@t1jy4-^V1@+m&{}!fWnQ ziaKkU88{n+*!tqQAvSFM6Izx-d&By48aDJP?%JZ$?Raw!MnYmf#m((LAKf>=)Wf2B z6e+po>!E)ztmw~-kKwu;XtyHY=>7E~>OtGu=7;N^o`;f)4{J(5<|?_p$zQ03n_1 z*A^e6$g5EO5<`M?a=x%S zmMI)Q%^) z-~#%MEIrQ}UqFWq5iE$UlH!e*^TMebet0O`$QPGV)WgJaHqfRVp-22^!|Dz3S4`N_ z&=@4Rv$+Vfh5V{wPwn03o~0Kv|9BsN6n@t4Nh7!?4^WkB#$M~23KhCvTxa+5dJcqo zRXl*E$=_f!qLokK={fB^ZRS2!J?+B6{?H$W+Z!v&AWG;luu=V?et601C$>~4fGLdw zJ(`^@(*GRtE&vF*=@0lQY7Ib#{S);UVM0>@a{`I3V(1y z6Dg}*#$E}5KPF2@?{J&c)Ru9sg=WupGm zI}_~Wl~qya-QOI^C!EmgPc_91t`N0e8hnXVwEKsP@$RQfY7CN1xdXf+Zz0O)Rc-IlEvawBGmQ|77BnAR% z{huyfnRRR^D@36BTG)K!yV1)z)Mn{{txh;IhEWDO$Ek=>Xom-*vG59O?^(HiP%?yk zrXKl$lF5uyV4V}9L$R9Y99Mtz#q7~~R3A5cTzd4|dtN%=<|Z@>2~88@cc{0rK7PqJD5tlF8v~;;AM>YUuwv8(GQX&OJIB`k=GH zSC)>6lY5{s?-GrPs|e-12A0cW51{{JzUOK9JB464oc5tqaD*s&CAO%(N-RKJa-0 zFzQjtN!xS{lbnWjGUWl{VhW`?RGkQ`Ay(%k7!v8XYW5QevRdxNd)Y^5j_5^E{>}In zg}gC8*kV$%2qQfqJhgAoFcBP7mpltif4EohQ-yz&zxwcA=v}syKc=~P1+UT%TbPp- zeD_=~5?&mvqg%6@5Bv)mRvg(?xC@(hp+lQ?AYYdywh(5L-b6co)O=L6ROHcsxzS$M z8$gO@L7e*A~T z1!9Is*B92ZSUNNQc2)k$#!BB3&MK$(C&q!+4KOufVzF6oYTe50fp9Yr!X6p-7HpH77<;n35c&^dQ+r~R zek`I3wEDzFprN@s>nV&tu8~$}()LDpvVJsrb;T%e#-v)?gp^-|4*Xtq!DOSizr7e8 z4D)PwmRyp>eOm2W1u%_WH1c*RikQ2V6YP&x+Hj1hHwAT@E8T9`BL|~5!8)xla z?}RQx>%jw>)f_v83l!;B{#x1Xy-^)arxvDyYq4={efjhFBNu3;z6uT^0|)XQ1YDlC*arQ;tk$?vWNlkToSRo-a0$RzThLMC*e-2Yj$ zDSQ%W(Q^MSy5EAGPEgrFCgXOgsjh}}eG{4a7n{eIyq+c}ChR~%)1kdzn=Re1(Lx9T zZ3XuOXT&f4)zSF%qxgql?)sj)+&S(g5;snqfQruF9qY5E+E1&IZXc}D-dPm2=9bDR zB$xrT;omlwloBu{@mpnbe~)|_{&FI_4O-j>eBU{_Kv{8k%=zqGhoDxv6N5GkU<&xZ zxBDKRfvPPdWfQc}W{Z0DWty}hwwHUl!Yj>D`2&QL7IseIbA?(nCIHKcR7Td`YSy0(f5Rww6Fp-;N7ht!v z+GKDdF&O(|Tde*?R?AG&TPmR=RtQ=Cd9G0UL3#0BHH#ESn*-AwSB$jUy-$fdBQb-=ssill7GdTw>S5V>zrPK)v8ydOD0X 
z13l;jrQ7o>rw*m?O|s4=MMJ#2#xQ+$0(_B7kGziEzeI#z4t_fnnUVP_o@_T7`=us3 zyFO5?b`#kD>TJ7QKv3IXYb%{Xpj@u4{*=$+IUjIyBGB}i_0XlvuUn%u%R1FF$@4}= zqBEN(jFvH3-O>QA(Eh9hK@)JqDs>ReV2oufjps!Cqxg5V(p`qKS*0>_AY6+8t?)7LHylGf!FYl)NL7lTlj%h z@_3xmQM-vmmzMQT`U7lN&td;nSn3aceyIOydEKfV&a;i=DDi#9F$kIOG#u1Q%B+A2 z8lVZ1(?7e87_vd^|E6sWDDf$qXO{L8{QO{c*2d!;k6+AuP<(zZxzeoMQkHa+$=@2O z)>0Mx;73GUvuFZe%=}lFD(urNS52F)C{qAwxIM`OZk4P%{MCIao)t(2GlDmD`NZ>n zchnhR{DOn#uy-1+{;wDH5B{$UR>!50d^%{O%E;|za2Cl3-?k=!l5iMGu?XE)yS*R% zaxTXnzkaPD&KZg>-aZ_aV&)X$;$xdM6<^X$0eS|=>J0D;E|-lLd?hPDWXPIT?Yl4> zOxSDF5L?1&LdH|Muu{Bv8SwFu=|~NQwbdRd4&cuCaCuj`Qs>sri1+5_Ecm(EYN?hO z6tQpfG8vl+#U%5a?bNbN4uxf>$m3`4Sn*)~Vt$_=ty$KU4SSp| zWKB%i0OzqoUx7L5h;Xf6X7>vW0x|O~c$fAdl>tvTNg*9Q74PmLI`Hf zsQ-c1>_`g9^Yyuwg&&Be-Ilf_%C05tR*wXR)N(gj&QGya*WJ2yy|Kkpu39M70;3t% z`4J)o!|)nbH@QkJmsH7gM0Ou*@b#-*nL@*FcasgKn1XeYp*=K*!%&)$)83$d+N(GHdVUx6KCho zFRFQtQ1lA}{rd|r!(?)#em|VE4mjdh8k=`K0%$z<+{`Um7w56h519aVXebQ@f`){i zRd(%+0`PCVXp>_3fGX5mzAU&z(h2RSeW;ok1${^XtF#oRMX9yk13NYo66tYlk2#n9Cyz3O^e(jA8K$(_hWsVVtEA(=ICl;z6aqe66f)Wgmx`y=PPrSMkP^p|+F z{W4UR&7!-*7JiP719L{ai)Le9C9d1`1YTa{&i9Q-n`RgEYZOKZqIlyO^5;dA$O4nP zyoXs@1TL)-G#)(tut>SzFjVsI!z9zT51q*ZIMAq`T05WDyAtzF_-=6^vc26Z`hCqA zcfvX|OPfO+B1?BoR04FLyze!EO?yB1bGZiUD~0~3w;CJJl5~oh3Pg=<>!F$MIQ(e8Wxm4wlbc7vCFChgZybcLZ{Q)vkbuP%=d6?R2kHPgt+M! 
zsviOGMM(G5=*$@5mTh8|=m~3Yp=>fK8*Hu%nJ`s=1{&`9pL|@m2lx=Z`SMVnfvF^Q z`mfw$2oFA9LUD&$leVuLvoneGtY2B&e?K}A-3YC!5;Z|?P*$lXB!c?0)xDR@4B~kN zx_h65|A{{zweI{5=AMK>BFr6s(%K%!Gs&Q;%xp3qn5YIaG@8Z$*-S#e=DvBRN3@?i*j1#V1lb4&#Od>JA)8ktZgS49QtD#W zo__CzpJn;FL6i#}`@aLzbY);y81Lv(__7Nie0T3Fci6XOyQXS+(Z1e3K=wY-T&`Vz z8!-uE#j#ywyOWU*?axuW$J&;(q`SlLMc}6!%uEX|VU=KWXT|JOCTf}ap~P>mzf8$C z99=HnCCH2u*SIA#stWm!0r-aI0S(7g-9QZBmIE(}ctGxx3A|wjDFsYqo>T|4K|z-w zEEr4nrm|UJz{`1TV!=KKl3nnpor1^dk`|krx!KLnO6*sfPY=N&tM!c|Ql<0Yrg<@B zO|F6Rwz=3AP8E90Os2xHO#!D*(y5!Kk1>z(`q6{vbw-dj+@%D1m-vawDm{Wt_lzSH zBz5<(SskmCx}jILHi9Pkg^v{1W#{^-v~X`|XfVeVk@#UwaW^_+Z(_U6#%9ivD?or} zq9n&TfY*cAE+aU|I;DN6SLaYNT3~3iK8f*%d%_p?9;`#H=(hFZ6|tU1`F|S_rf8CW zrouV}q{$M_D)JX?@yd4ME~5~hh0&Fhi2Eejy56MhdY0=Z&uKZMI)zZA4Q4Z_PqP@>plyfhR zS(qwuZtl(w9C`Z$+{!3mpt)0}3y&)&b7Scc=Wy^ROc7o>8G}uD~;6CBphgRN83WW{++7%Ry@N9(z*U zp|guhpdYc}NJxkx$?raMh@z=o$(A!GxLJ%SL&6I5bZr=R3&OdW!`r}F&J$D2)UJj1 zCWcyy@2_#ZldXdct_Y=(;@d_i^REbsjM*bf9=Zk^ZhBVDt(*UZ7rrJLRjj|>jfpjk z@fUqlreQsC19#5U5LJ+k^(hl&W;2K31X>{c0~;&&G475Giz9q7fc;Hg8PTN0w5^{q zv75IJ02=wGi}UE2&}I5C%3#cPSqW=gyS|w?At#02&C?mD$96(@#Qa?%d#Zkz4k5Ez z6HIuPMw3|)Kc$Y)bnCT@6mat3ytfr&=2v})@}Gz^Dko(8Px~c`=p)W#tXo ztI1n_zU!&o+=<75XYaMF(}{uNwgB?Sy~kUlm)t(rVE^@v-CTSIrzbVTVx$Nn%JIe; z?n;f>L~^Ot{MYzd@3=%(M}Y~#528Q$gXOaRDe|Do2Hu7WxvXlm)8c(1FHnQxAhDvl zAov+rj# zDOt!Psm`=f9$gzA7Bs_I#?C9+Q!361;)3+lzA@YS#5j~x%E~HnYE;U{5R4|x=ZmBm zI+(4*6I$_xzMU_95X(2Ql9mt$BR}p7`+~CF*5;3d0wBId&OIX+#K>h#I`d~U&Duh~foq~y$lmWrYPfOD7mls}li#n#tOz($` z`K@-p1n*kQSwRx!RewX@VC^rJ&A`P{LWhyka=%XTzyX^P`iAkf?Dw|@? 
zuXyO`@6k@+2Tk)bHdIo>(VYnPA@1V+dk@B6dO1d`ck$Y#e@EwATp$W53zKIkRZXTG z1}T!m4U3i^EhIo5Sq<2uHXtKixRnl_9SFK~zZ>_bA&f3MM%ZpudpF)C7y}^hBv&hnXK_ntX2RL+kmuz;1Bi2%7 zA`^RCj{HL zz`lxeKmd7m7P^|zm-CK++=tJ4Y_kwB7N5WFg~Fv0zuVaGPNUNOle(VB>|+1}j+SQr z*rPO0Pi!tl^)sRmso<9MUQVTri%M;DU*MFpxea1XNBie85a`W*9NVxLfLsO(Z_?<# zv&*WsnE&PU>mWE(feJ3O3snPO3(0m-?P}q<(#^;-jISlyZKy6`1D4Oqr=>135u$zc zipSA|M2pZcVXFs8d%9IH$S!WJ6H?e2WT91*c(=j&Mu|5BLI{FF3}Piy<%yjDK&k!Y z5|v@{^XrgqgQDMRm3CGuQ4<$`KweCFVh5ta{&gD2L2cr&qczl!AiIH!#aru&O}c04 z$kk{py*E-qtU?~sGY<1zetFp#;5jpz2&ZXhtkOoYn<|fh>%Nw4S=JVk`wGC<^%9iy z>`!JHk%IV72uU~I;P;Ui(|MMB-8)z&RLZH}-|@?bP8|d$e?!G_6k}T9%<+Gp)Qq?U z`CVy-l#m8Dp_5*9CD|L-TnPZiWyCki3GtVFiZX>-ry7lMx`N239!I)G^;Ys+rVc|A z8kvGp@SzZLAtaHCDJ)cH2t&}tF1=iTxnYMYTPj(8dyd=gyRbRqVR3#kexcrGVd&!m zhMxp!%3LU#wFNSzng;QWJ%`UMBv@C^p|+`2!rUz38ZzQ94<1F8H?jFP2h0nYFyF!} zCPTg@_+#t`Tr0-Ej(r9k_D~Jt>ZxcMm#G!)*;D?2cSn!ckFLJ2qLep-H`3I*!b(`N z?{*@|{(b=eoqs4CXS(^sJMh8OBRwKGgo*49i4%^`8$AlZPR6vA=CF~t)NT$e-VanK zcJKydkiUgb?j!%T`|iAT5osIxIi~7dj$$ohxU>gY$DM54&6Y{$72Ds=b#Lt~7_g4U zf+_^demJMh%KaigjQS9=^hMe{8Hom0tn3mP zwgM#(_jvnqAY$>#8U8Ec^tLZJ7RWLp{ii;3-E-t7k!3)FCELwQnq^?uI^a-;Z1G~d z=JC?9?yJ0!kJ~oObE6czqTVP`;dg$P#r8p4%g$8-7$ zrT)?C5KY?`CAi!{e z@d*rIFtB#b`lASJd!@h1_?XcUXuiN8jcZ@;u+eHj4YaetSER1rx)@(I<_RWSKL+-C z5PP$hmrwSP-7-ab^C^zHeq|E|+p6yu{6k*STS#~1u#WdG6J8n)SA{9Pe2VDVLl&PC zx|8DLJyH#k8?Ibn6l!KN`?!?VayZeBTz(ylulZy8E<1CG#fA$qt@hlCi8(Bu1cf*c6Xq1}Hu{%Bfo{

b{S9k1BSWdC_TxJ)PlpOo&o0Q*dwO!77-S@SuchyD{7{{6HVZ8w zVtp|QP+q_t)z-&Qee>#JZ%wn6G2a#djY^U#w}J5d@0JM8XJ1}ATP+i`;IvTqQ!(Di zc79`{7G?!MFZMH*hdn?+lM3B9zzc0BXxHC6_q~d+F6jCc7xsl*q3()Mt_|Kxv;Tb8 z^>JeB7+OE7$mg89W74WP+3FX$b5_OgmvX~F=QE8g$sl44xVf+7d$$^{(06wN2A&I3 zt_uQ8Xm+M2nER+SM7!6urG*sYZC}D@*q68?IFA22kQ&ru+@&v<@B?W!lesD1ca5x6 z^Q?iEXYJxwSLb|P*ftwIxZppKs!_#4*7Cj5xW1}>b$EUTx*@K|@)Nwtet9wDCwLzl zECh+9CuX|bUS)fpx?5MJa`-`yj9aZ(HkD`@R}0T_?Y-IXeAL{jP-CR|M3%)r>oDXF z^!pKI%RW@T4iiud@s^&b!%IX-8x z4PFGK==zuJ-=ELn%KYseU?fV13JJ1v`48C#hz~!}!5ZkpN5p5cr{WC-M^Nzqb8o~X!N*}9PCb;a^kzlr7Uyv-WGPs~UzL|h$; z^dR%LK9mFZ_j5@4)-#mx^^?QyXN`7Q!f!i?U?Ie3J>Pux5aBzihmGJoQACw4D`mdY zx(G7j%ZRH=lkk!MNSiAR!%1(!N$;}Aoxulm&}G8r`8~8%GcG2|-6qnNTp3Bv_j321 zd6S+CN(%KwSP9!K@gkVInNAyJeWcg4Yi&A=d{gE#`t3m5DkB5S122uH%1Xa_Ubch*y!enb;+CXiN(6u^m>(bjiJK> zsP(g;o?C5*EP#um&hrf~|ky9Mbq5epJ1{|%n9X?!RMlhOMg`s(Q$0`SUscL<7u9)r~%wH&R;Y}2Qf?D3{6?*XwI7sQQx;gTnIP584XZ( zp-19vx62hU;E5#SffJOeOrA3;7ZfU{8tpgIzE3tHM}45HhfB`bf*1*JJT&&>$ga#P zM6*#8M6E!aORF>97Q3dcpOIF{k%|6L?V%UaOPz_(D5Lv*y}uH(DY-(9bZ|S%C3|mk z-u}e7BAi#jz}V0>yCOX_CbtrA8li7Awlt~l8w#07XLmTRQMmrIu(!$Vvd6E8XiIS? 
zrQ*YJ=1PaUxdt&EZ572{_01THcU9IQl#18AZMVd&lG5eYl%(>!MEO(jD)D3Y;+CdE z<~SND$7cEfkh;`=86fYasdU~8*Ynv?4gr)7seg97fhkLOr0j@x8NBQ7^ql0W{qwnl zeDX%d7x>>OxUi&U^_9qLW1@fMy&`iYAA-8M%pIs#E0PST%l5e+IXO+=O6Gllxgrgs z62^WXaXw`*|6xq==&N>!(6^_5YB{4$@KJ*y_^5%C)As5RX{|J(&4&*|Bai}m=H)os zT&kgL7<%?5j{N2W%DUT%Zqn3!cdA$PQM$IAv*}L~GMCx3-){uRf)-z^JF(M_U-?@* zpl(>#KR;56oA&z~*Vy=pr1)oA+%ihRpskDEGU{qjzZo#!I(EvFv?&s%$L2gEwlRT~}FLOJEDVQ6gF zoDtNNe#49=w6L5<9Rf(M55)F_AG=2DJQ9EtgT4Ap2JeIFpkN&)SU6(6AU!u}9Q^L1 zcH*cxxaWa>Z2wu0_-vn&{JyAL+w&aog)-g$v%4i@T26kPbm7bAZ}E#`^tZ!0Wn{PU zY}Y@*FPjK-e;_o#{nHm0!I3*p#hi3e6nSlojnBG4Oh;l{$P@x&Q=vc7P*VB0N@b`A$2~Q3G<_t(o&=tqmd&B*M|KT7CsPCK0mKlNA{o*G`X@ zv#B@h#=|0Hha?Jh-cOQF8WXL^uy@9=KL_A+>Nk{%VV4>=kA>nF!Fb)VefsY;}lsGu&$x}I#&IZqDPFW=y-`s#!i5M(yBN0IN-IP14; z#c?p9(?Otls9tr!zS<##0!bHI`AgZ8=van*C5Am1KwO+w9xA6CXiDWpk1n1nO$+|1 zdfr%SMgMq}MAGX)-c7tBUeP))-@-NQf(4tRbV2H4(6o&4MZFzf+#Y{{<$1yeAD+tQ z#TO1p2V!WmX(a4E06Hh=_Ce}hdxdn(=)Eoxu^BQO(!n~Ip{AZiAEmh5;F3T2K^4VV z_#aRaEG8QY_r5BpfWx6q{4~~7=>l-yP5wjU<*`EKHc#jbJJBgHJ8+H+5{q>odUhE0 znMb8BABh9#&u+4WuKDC+%9rlPi7k^Cj*GUjpDld+QEk;B@nNBB6+UyU>Zz6N^Mclk ze&5u|t4in=*26kn2M}h4W#}Eu-WDx zcn0dE>WZ>OTUF1#=TBveEC^&*G+UZ(0 zU9lQzP?3FhoN7Wzj9ECDdy@K{AYxU8qk|o<0)#2CGG(jfIa)T^El?rW6L^6f|Nq(F zuIrAZCSlu0E){9zhgbsnVKxcpBr1brf?W0qWM=iSg1e2)5+7dq)VXE=RP!gmx!`O3 zZ^Nus6k}VaeoIRmF&$NrHLECV1;lS<%A84|ML*(WeMsX&LuJRo20^9z;+miBSF%uc zm}I~7)qj5NY|V{NQ}F+RYSji@)rC(vMgl+uQz?~-{l%80(L}!9A4^NTyR4o=JOyvj z^>?N0WIVgiwXnR32+Mpx!mp8q2Ajr;_O5Rh7Is{mymB(t)A|y+1!cpgHx!M*f!`(I zs|J=)WiM!SibPs0W92oB^K)||o(MCMVP7drtm~d#;&-cvM;v;JD8G?0oiBUA&!df@ zBKQAE=!vF~3EOwC;KIXyQni}yP1fP(7|C%_m*3Q}#TFNY&XWEg?(8%4n z_Jt1@9M77jFW7AB^kVxKRG1A23gm3qTAV$0;V{@gNv+OM=kb`-PCrAhODm7afKmw08%$RB zCtA!fp?w^_o39H~Y1aR-*cOWYL)oZxllc(I3I(+X4zv59$D-2NCLX-(&sFwlMOao< z>M7Ngm<2U|QU!}^C1g@uX09Us@E=}+r+7;k&qe>w-Xcc(+QN~{^HGD=>!9(w`l;3n zdRR)6M>a!y&%_jB53=$r{mSes({_n-&7;cSvq@~L=cZYhgNhL@S%ra2zqYV12U9#n zlWHRY0u!R2uNSK+^nQ<()Sh8lEOAzMTDO9{K?yb4{yEcDcx6QS+S(L{UT*7S$h(j>sY!-N`W^cvSR 
zvp>O>x*8d~8mn2N8mqG+MPzk(HvNmPnPv zlcp~9bFJ=JQS!MKN#mC3gZ_o2lNZFTS8UFwl?&x$+KEEwpXnjYjhs2!xB$L%=U92V zK)x}CB>92g^2+5AF{656G+Mi~Otc;hsV*;9_)xOSC+`ftG;nt&mH*odk|$M=zmegK z2?%L$7MW5QkO+_;sNqV!gjqFu`fM%ieDtNN8XbtUMRS(4#kh7tI~%o->A_|to8_-u z2#1M%JcxFv%kNJ5rEx|9qA@zTM6No1x!);FKq^>bK@Ue1S-K^WSc_Qs7GtF!vL976 zB5;(qciL6sLZrd$coKM9+nE{C#3WowSY#yL$jWs8pKW$K?sUuW=hV84$PO>PjtF~p z6=4+=Eg3c9lZNTwN9ehPQ8V@Hm4mxwpP7`~;u#lr5#ixtQ{O?mK1*lH^!u`Kqe(B^ z2zoNwn3R`I+_H4M4o52MJIeCvR4fdL;_98Ekp?X&Wb3lIO)rny3bDX)@Bhty+RD<| zLTTK4!3y%N;VJd`Q7MV8ht+no#{uZ49#g4Bnre!%Na^iwE#gLED-|BiCHU`@ejQO9 z&gJ;bhGl7ByS^jgpmcJ$A_9;cRM#c|4hos3Y~|Zn>@o(w`x@P=8fEu_HYShAJx`j6 ztIQV+!Crj~E;gfJDU%Y{g zqrn{{tzXgivwa3)-PZ}|2{g@25$dVIeId`5rSvI{G?7FDzlEA)6}EZFIBrd^F+C*W znhH?_n=w%YXqpa)Ev2B)uxEdk$Jp*VWKx9}n46s~g{UPKa**D&W`b*A(I6EXp}vm<#>H-e~mOiA_nM`iDSlB?f;LFMxe zCDMURKJ*}}uxS~=Iy@PLiyurjl*CAyOTdc0qkrpQW!{GG6^ zXhz>RV+C%SYuR#Eic@&CJL8Qb)^E|P%MDOdk7iC;;F(3N{9;FW-^-+?o;D`+atO*3 z+}y+6Wx1|WX;R)vBh5IUFGjo9~wiFsPpE0`|6xE?2%PPXw$Oba}I z4iWi2wzvHp-u0BF%LATuv~LAp-=Nl@WtiW1Yh;K8rlWGUlt zwsw9YDg6EKUQ?dJFxF<$FjlES1fKD#sJ`*60->f<&2HgHP4TJidn0A-X$XVWwa>e* zfhEx)%hw6~q_E~6P8lAx^Db{vEtote{Z`A(vEn}vJq5O6d=T_}e!n$A8^3O-(b--c z+)+*yQkcf1RPpkI_;a2tDUm$93S2^~2G(F=4o}=Fs{g{q)N-m{ToqKht@82CZ&}wA z1hjJ$7A5KR#a^e@!BY_mzT4qp^%k@9sXb4A`ciG}Xnlt2kJCmZMW1*03M-W2$hj!a zE#+%l=1XpmruWX4v9kkV@_i~gDJ6)#mF%cKIT(7PL76& zYsJPAGNFj;s(+3OA?&MX$f`u5rVbQ*P~v&s&w{DuUj*xYv@W!a$gKskug@|*U{%h2 z*5zAweBy2GuG;qkS8`? 
z$z-Y#Cg<6clsn$JSE8IH zyX@Cf!iOQgKl#^u1x})VUlGLp4nFTsp1@ItH-yM5V0^Og zev|~%52ODZr7rX+;n(sg=u?O1%{n|xzqLvioQ1a?1*AcI0$U?CdE{y}vO4waXTS+% zjx*c@kk`V7t*2jPtqJ4f@S6eSgz)GrD=~=OC)X;?uvG_4n8<+z{mx~;$6brtSgxQ- z15(F)tH?2UGNjDOhbOxf5#62%FOz%_>-oA(BQdNTT5BQW*-}WbZ>H)i(z~TZxXS&Y z)tG6&xevIOxpiB^#a=nQC?!j?9@RHV@hfPiRT~MfBWarb98qD}gQGj3z}F6L(Sj~) zz7o(2UoBrk;7%3#3eWW5=fx+#TA$eMK>Q-_4Bym+8mR{@z(4}iG&o!wr!=V8wp&zC ztVgl~_yYOw$|w80f44(MNcS?-6y02AwLD|i43>9&IrTMwt}3}gw6>9cdHi*Tt==#uSfbLZaWlBRq8&rgG-|kAsm{$vf$jTx4}DS((McNi3U#+=^r|q?x^zaR2NC^RHX(Rw1&O74*QEXb1s?bJ?YoFk-u*x`jJMuRkR8Z z=-Doq2Ws1Co?o-uZ&lNOhPSU6l63uKzKd`+1X6xpk)6mT=LpzUOFv5M!|!cm6|auS zk&R`!sYwDmaiBi^r@+g}sHkgiaZx+Z`|G=-pRUX{Pp%FZzCFDDT;SJCKOZTmc*tC{ zI%A^G-`=T{Q%d4h=S}%aXl}ud!kpL^8Zp4rLG=6rPg9cK6Z4+oUh_l*M-JpQPEw`y z1{pHi3I^FmbRxpIsK++V@s)B-8*1J18}LKP0Aiy2J(Qyve+0*j5QG(|sh63|V>rL$ z*Cf)gL{+>G4{enXsiYaa>dcTB!RA)eJcTm&qSo;jY4O@{6S3g5S6Of~G>_M^s$3%H2&e6u`BWx3B<*C-o@uBrKW+s@Dl$KoFMr>FmoNicqx z>&g$+qYL5E>f_;?(mrE*c4j26a#CsZDz+G`^hRV|y=CTgV)_H)_JjWEaK_W&jO!Zr z{<7a+B$j&NPCAv=QecpAHfqyaSZniQ$aaN6lTiWjV&}~9+?Dqt*>>#8Ug9VBf|zy4 z8CuRPy_vVita29&mpaA;@f7ZLo9opd1z=jv$ z24VQK8%Z1E#39QiO}EL(@YUH=oiCT3X=+S$P-&9N)lWrwNmDWLsS9GXC5R~Zzt25* zn(L5(nhXEjR4dd`_~-VnGcE-kh&Kxpzc)D{-HaRa`m(PU%X8Q(qHzytSBZ!bwkO2A{J~3`|t6RP)i|%Tfto^Aeq387-37zLf0+ zqv2u|BXDp$G_q_J?L-IMhr|c$VfwuEB>3#~QwIwHh-sDcQZ9Q)rAcq-ty=o=qq6r7 z)XC@(tcGfmS_`|u39ti85I?OIsfObt4MzV!$(@Xp?3^bmk^C=Z;G5D?y@r+y-U6~nszbSv*)F*2jOvZxknI8Ch@9XlWttqFry&%0ac6^3 zUxO$gnyhH5fR`kPNiRv@+A|&>g)vpC18gBXxC3BqhcF6p(}&o&gC zgz3gvF$+z>k3*oe3l}eRt@PtP5=)oK*Fq=uj$hon;38mCcZd7ep5L$2H>cFo__CaZ zG8`>IqJf{8v)V9lmkbDffN!bK*!3SI1gt^TUlqdD?>O&&KZsMdJPUK)lT}sv`a>&g zxA$3%usl7LnFsnMmFIaKTeYIp3xu~$Z&LUYk-?zl#G?q;FB)QIby!8MP2_ijd!hq% z_CxMn0T3^=@IR`8#<8>lZ0Rz-Bq%!>=Z6R_O9E-VG8CUrVd~A~>(MK>IL9`KCkI^- zJeU)q;w8ah(j@_0AOZ1SXj2Dlut&Ur*MRH^>ztUw_4Hr+I;uOwB{vEHA_Fhp*sF<1 zgCg(TeKp>oh|mU|v^C?3{Ytvp8OP-4@;V;u?V{@`1LsJP$NorC4Oo4!e&ahndy8yawS)5n`(n>5sH<>8 z3%3b5F5kBYM*)QE-cZy8M4H0{=4f{r>(1>NX4QF1eg#qL{In<{&)}DiyYVI7G^p<2 
z%DqXdwneM6xi|!|xKU_aT!AJc?G}BG9nV+x_vn|FS}hZ*k}+csO-iH;JuXe+c=)*@tdkMJRS#>XjCK*{8E2Z(YlxU@;-&|1v32XP>Sk#Co+nL!|Q02DY~xG zO(7KC2&54$xM7zk#qTlfClC{P_=MZ!cOr{iA|milXl2QKS-P;xoU1%!oE!n~v1yUv z%>trnX|LNhwW_RTXYN6m7uPbE^& znp?@=$lLk4$F)3W?I6OwMhR9s+T)+Go4?I0THX^1lceaugCU;MZUzlI_R8*o?pV2jJN@xsnM>PexEAHwQ6N{sRQ3!z*0b zpT2am!Mh2^vboOIna_q`SLYx}>|iyE~-2 zdqJdY>1J7Y_i}%F-#=Nt&oeV8KPTplOd^T}&&*OId}YMB3l|Qvf4e5n%4jmkp4j;Q zy6D;c`!Q$#lc-4JOq3j#G*jt|4$etBX9355A!xVy;m1^Fh=w6<@+jwFukA(C~A9Yx!p#A<|J9s5D_Ky9BuW5qMrB3#xwotquad{wIZwG*<~E-Y!kq zicNiFfeg+hTWMApNEI>%&3!q<({Z+c#|1zaSee=A%d(bv4Xq=~F>#`y3-FQodIY|G zM@6sfqk_P-hv9`8B-oPum{}8NwYA_dZt6tx|LThboF9E3j6eB8<2|u&Oad0Ikp#s^ z`N&5v?q)Chb6S8b=Z@k8hGNtpU~wVQ&1Gk?72?r+P%GV$)UF~P+ng7tjkL5-#N}_u zWdk4+r4*vpZcPD{esi34oAiDo<2ID~2>#=g?ntZ6rB16k1vB!8r+-jm%<$!-n3*P zmM1>Ipue+*#faxRFIfA^>c#!EY~+zQRSm2?@(Lz$i7^?0%G84migTa)buY@Zleu9y zgW{1B#@-2=Tl&5CauafdGJ`px!g6JVjS=s-gjn2B(End;C-pu5BQq+$M(0ACaR}Jv zs2@0POm$todicUb(tJ1f;8aUl;j*A!`NClup=+(q+l2E=Myui(BY1o?9gNek?i)A| z(7|i|Z(Kt;x_p~de}+46#9@c+U{yqm$thSO3-3(G5sfeEU}4gLVPyGNy=ho=Egy{a zEStP40oXNiA5|ESyz<=aFYeYxKg1o%WyHBOu0Cl#NxD0E&-*FZPlwgeExCvzx~brA zZG5hcW?1O%b2YT7fm44rE@}Qhu>jClM_?KdgARR>&n`iejv}Ca-Qlow$KP(|Ts_R( z@P4#^t((jM~f_KIgc!%SM}Og?$nXM&D_TU z>#+{}F<9hFyFl+g%_K8j;-J>pYsKeeUTibN+=hNhpK(z_$y-8lI}KDabL~k>ijVm! 
z@Ga%l*LyXA)*XrK`X&E0V``w6^m&t&1RN&f7SI%9RivM31xCZN&R6aKthv@WS*ArA zHBBW9Qo}g*srX@hP4n)VuiFe^8~Rv%#;O?nbSsnPf^rE0v=5(CW#r?FNtAV!NaC@T zet&*ZOY!%J38_^SkIdB+P(!{=BZpC;nYn0LM4lUw2<*IQ4^s&`-{cO8n$Nhu;J{HN z6bmC--x#$JKrFFAaq08D&ii-KH;lzhU&s)c@`k^AzzZt-)0ci3tU4Foa+Su3Lq(-F zLeP`{?_9p<^3Ze1L(j$gvPxK~$*I8BI_9h({o`a$)F76YuK0CaD92qjs6obd# z6oyry&a2GV6R$IEAa+iAo3ETUmh*}0Sv!B1Y7zrxqp%J%FRI+?6I)T1Wy(DtabcEt zE|bri3cF#{bWjqZm)fDBKgx6H?`l895LHa2rXp{;8_$@YcK3<0TTr-K0jow?7rv_U zMGxs;l8&c#k^W@`IuH0uR`b<5rT1MnUU+HMOHHGF80L*`OAUKUh!?XXp9j2`0ksS zFC_7s!S$s*DEW#J`Wc?EN&No-nj?RH_>2(#_51dY7Y4b435LwmEFdp&YX*gb##IUY z3)9B-_Y<8b%TY_;aah-hPC{QE$)P`6CK$b0lCC20t}HT%X7MeKfTFf8OfSm(j7rfE ziZqf6161x1V^OJBKT`fywQ+2GQ(jN_r`SN4VC(Xvnw&O68a*bd`Ige(U(POQ?ek;T z;7b^b##)N5>n-fawHaw$=-%)YHRqPSjOil!@NX=K0s93CDJft-P{y{*>Z^VXrO-P3 zNLwb7bIDUj7b>jua~a`b5JZ6(^>lKC>e z7Dlq9YVB=Z25-@;=X4J*V##Y9MR*)p!=i}ta2+Jzhn7~^se8Lnzqe3q`P zcYj+LuE??^P9?M6Ezs-pew7R`A214bfvh%`Vp~qfn}#soFGb{mrX6l@5rF19mh}^x z3Gy62EWUy_BgcXRq{xeRfIKf@Rhx`kn6B!`Ri7nIBM3g>1v<@3p{l)P!+l{dk`ku3 z0iDS8ho1%(Vkfi8(kenzmK>9G{z{t7s=p3Y(sZEEx$!eCE*2C8`lZOc$=uSKVk*Cy zvT6E7X0rbdDC2d%Uo}@dQ)uNq9cTQ++#tzN*UiUCunbDZ{2$mdBJCQL=whIT?8OJy zep}=qp zNtbi2NFD_V@j6UnI4sa#kx_E&%XZ9nj=Kq#h)q&_7`SSjjXV+%R*BqbJ6U^s^Z~ec zXP%0h^OP`F(A$Iv?wyRgZu+OAmNb@>s`0`NNR zF*z zv2rYv-S}5VJ=u4Up6qz?jMH?M^6p_LdKC)xQ7C3}mrsw^?ekA|bb-m-kO?L zc{f9xYfo7eK^5QXQG~P+<53BouH7B)#q4jvRI7*dhr2Vj6ya?7E29IbANw_$cKz5V zh1`eVJjZ#yNp|pz+h|O2U(rOpaEl~*1+w9~K1^Z#;E{>+wOaqePL=Z(@q3cpU-hc` z?QaL48Da-jFItnK=Bgt;NT~3iAM_PXn_*y89A1&YG!*Q*ti#6_1P>j_Hk z?Ku>oF?1?PM`6+b4IcwbN2Q!5N8v#wxFbOp35Z;Q7G_xulnQ0vru#f*DIDl#h>h1eB@8D(agePkBmq%%A0!H1&f<{mt6{-m`TX5ITEVH0F zL{(zD1COgbM_+ZOY5S^U4A_32g)N(iyNYzdzeobxU3D687eo{}B|;46$k1k`EmNUD ze!#?GRK`w4E>K$#=5k{H!M&-joJSO?~{$r%!qhUlpqji&Vb!G;m2Kj)kgbw(}&RFbn;-w^>`nQ~~Dl zJ*RXl`io?OGyl-DWmxBZlUj^X2 zeuw*>!WJeHZ7x`X%&h_>5+9X+5|V>BGF+S^Ot#}8_Yv0TFE?m7Uix$!zw&`{1L2$R 
zXN^_|?c?!*!~Gn-B{xqewssv}2mAGx6ifv-n)C99%+FV9|DE}1{WPUS4vp|ub^fW2O(Fm^L+%xcUE75lm9lF+lz^!?~uEZ?F1d(+^@cemYc*HR+*(V#JEqAzYd9xjOAviMYw;k zXdWbb;rmb3yow;M16sx3hE9HcAwrMk*A<&Xryn_OVba(aKus1Va`6F2_r=@4P0V)a zFDTr|UO*#u%8>rR03PFbyuvF2%UL?JGpAkB#IfZyXB{-%rXU1xXf0^{pJr1DGGpB) z@@^ZM-Y#AUUKLtgx#F!HX~1Q>pyd4b9nYkkxxiwRlHZD(d|S z76K0)+ID~>(9FI^mM2p`ekl>f1mkbco)CQ}%-p^AAA<$R_hc?5q22uS#G(aiBk+&i-BwgX4RK&z`_+`!ZQPlbGjwCq*oO6r?ouNBI{}#jj&+Rr%OeS7( z5Wylj^tG?CvZ&qai+59OK~DK9Xdco_EEeXH|Ojv$MxK2q|VlCI+srHOv z<8SDu+XlaZ#*4lItv=&U#MrDaOO@JQ7o(`Gfl>sIFM9^hjce9{(9%tj!$US_=4=v{ zoD3as1mnnPr!N|8FOY0gwEVk%_AXYK13;IX+m`Ehm419|!-rI5=3ZLL8>lVLRqL|$ zvUoN6H%s-(cF7m+e&4nt==Hd!lY?Onv&fNW5njUmdu6Uc=uP?{!rINgpn*oC*m-rR z9#<4Q5c>bW^mEGi%{0Zl&IF}jI;|;`e#R$pcsS>4jqEM=$8(t{ogS+^e2@PmW9d5; z$eU;AJevuxzo^iw=tN>LGp*QbR~PUS|LcULMhBs$F$IyB*@nS4V&`g_v4TQ9cbZz9 zoeGS&Ze*?}`X8K1K^G-+BNK(fsoDb4Pd)Yc=JOush7rf#Y}F;|(zB8ISJz7NvYl{D z`RN^3cxIcY%BB(ri9DZUFD5)uZ73vQf%U{aO`sd-(4HicB1M=gSUN!uN(~R3`io}m zbNkRQNxjG}p@BOi9zGTW-U2da&^^lxQeuJf$;tL(MLFIakGyTFQ}(U+cJ=PdaZq1h z#1SS?pY9(yM7;K$ZiE`e1r4Uf(%>9c(v?CX{`Ccsk9j4prgm0NYJKpJF!e|OOA~0J zk3v@)g|1ecNV?Nqe^`)Yt&Wwl7e{v?IV1B19%50ODgP=0MzfV4z(+UDRzFMnaezde z(a;)XlrF>V8naqocpb)4d7wAiX)^(XZr*!+`)?{{li?9f|ABPpH1YAZ<|OKe_()0- zc~XhG#Nd78>XQ_D?0y{YzZlGB<+XQ6CcO9h{q~+28=V1X!79)*6gR@`$L>psAN%o1*(&!V z2=cx4C+|8#^{A*74xVu7=)YX}GxlHp7u|J|T}nJiUP7b0L;9~C(94f%k5rX;tDP*| zWua{7qRbhyfCwQ8JuagK{trR9NcTb_;ZA0Qq=uahsr-j4#iI+~)6FKjo_iNKF`1#W zf$gYzx-Jv(=H2?63-r5-@<8$-Ng8Gh*4F(=KL4Hez~3h%6FNfh-Z0$^nteX1xt5-q zPD2NYm<3tUbJMaQq`U4{)3-Kw=56F1sG7}`i`uxaP1EY{Bh>z6SnC#vL^7Iad|nk7 z@q(6dM_n(%IwYonB0HYZD;D|rql>!(^*xRR-{7C#f5Ue6-5+5xfqZe6_lEm$PmY-D`GjZprX z=P1X7iv&Z@2&<(B>$2}-N?N3veG0>$<9^g(;$vE#m4HdE9P!VHI zAwBD^SH~MuHMTLUZ;fwDQ1`aZupye2Za>kuo!W1HoE(AE;H$g4CFk#0_=@Fi^3HK_ zgg1Ru7Gk^MBdfWJ_uyXe%*KjL&`vSfc^JQNw{CZ2a@8}d`HT7w zPMqVAYRV%=pmBz<4BI`FbvaxKDf3@0*#$gcr?Lcz7T6p=^J zoHw0omT1l%D8Va-T73L@)3igB_rj`=UL9fRW{b%BG(TT{s$cUgO?y89NJv3s>Jvhp6VjtqRWM%Ks 
zDrQ@12;e6N=bLp(Y#)Ykl5?{$uRV9+Q`)S3l(1m@)eL7!UqnHbF6FeF4z_ytScE(l zYDb)5kodN_*(2O?k2^m|hv8c9F%UdmRe5xV|4b}x{Rimf*bbx9)Q@ukS?b{K!WB!m zZ1oU$S*wm=RQ-p)+gn)}dfh3W0i79tzwI&B|Hfmi0f^LfoekF)gf2Ey(@bV!-d&JU<9_nT2)nAGB((fM zqAX>&4xZXI3r2o6f?!gDgNek0Ht&Os{Eb^=wbX;hn=E*z*U24t7TsS9)O~flr-|hD z!)OKI8(x#bevPUlRecDja34IkS9Z;A>_2SZsym3&`TG9P&ZbqWUz1uJz%$jGORj|^ ze3)^(a5^73zs{b_JM~FDJ=i@E-4iC8Go076$3kAbW@)+p?)!Atwkr{<808prc4_T> zfA_h)(u=NFQtM`i{HGQ1%uUYF>b?{4VrHF~;;~+3MO(CDSV}q0|o5q&Po_d*ICz$nq;8e#}f=Gdj7> zSveP1>R1*!i>RFl;E2!Ts>}3jX0yo3ihP6P1=I67LnDMd`B=~wBJM6s%HZ@-T$r@# zX8=j~do1q|^SicVrJ+MDN?4Z`0!?4dFMqZwq0<)t-73NmbgMq(Em4vSW83}17a)YM z2v$$rVae3P2Rj_gPD6HuX5%!eEuf9-mH9iBv?ZA9VWMJ-J|6dhHIi!bI+sX?6hfH~ zt5u{!4%8_QsmJ2a+sMbiCLvvnjZ5MY=O(8p?Keaj45U>;Xsr(Y5JBsdeYjA8FUm-Z zLB1IKdI~ESF*i*(*Fk|tdDw8Y?;XHgdTblizKJZ< zovzlF*9r|%!I33vw;QOT8Jmg6Qwe`R`6g3GEM}jG#g%O}<~2C>I(V4bLR_MXl#)?3 z#%zJkuj*Y{k;SWq0z`t+D(C9$J}ucdwyN=2Ubeop;(v%T%-k0PB?>8&C~{5dCgMz* zg&er!V?EiWsyuX6YoxNy-@_l9*{j~2cfV>JN$DwL#epm@V=b;ZmxT)+lN@@!e`snp z?uZ6WxBj53b@og6selTMkX-X8Q!fNZJPY+wsHYhGH6bbNTC{?Sv@A!wp_qXFom5S& z-Wp|DNy)+YvB#XMJcJvPMd!byu~7058^XVffRd&`7q2xSX3k+XTginD$nUjhkd-aZ z?DECQns0Jx7{ZO0p`HlYyvXK$f4qos^!-%YG@`MeuVHNF>ftFBl4=cPK6Ls)K)-XL zyR*2VeFzarGaW)n0P#IBxpUNR8(y4zu&rhtdMN+yt3Kpljs}vZiViYZAKM=-pWrT8 zf3j-3-#xtAKaX7VayJRRINQwSv0Nus$EbU{KH4nyGCBh*_eYLddZRy;mv4yAif(jn z&ClFj9wu6c@I5T95wHg0Sja0y30oo?U~A$BV6tVh=}RZ{PA zXhm^FIYUJCgY{x1ehrctnk}#dN;-(+Rw@j zvf@JBAf0*5_;9IB zvSYW;Ot8h=pooN8Ex)tdI50O})BdT!V}Z7O8ilu%x3j%yg(RCjlzdVC%^x}SP^M8D z!dEMSGDBq;omQ#fknbozYqrDPkn-M~-}Wi7%-w+h7_eml=_$M2PR6#=nK>~(Q$5Xe zeB7UvelSkuf6Ax*Zns5x?=KR@#)1T9mAo2y6A-f>LH3WWnN`H+P9e#e9#)hsl1S^m zF}t=YL-0yaHpFCHBf?%6;3aevkF#ker z-?>-Eq;+GbprL)63~8r0quG_Lvm}Dt+zD0GBQ%nL(H2kviLQBt#ziSIetzT zN9b9P_r&c)(%yeKyz$<88Zg>c%!xQwlv3PGe1Wc{!AUD;3pL8^l8QgPKvN^agdfcm z(l>(yG}P+>!X8qfZy}qc%DAl&`mG=$!Sg$Ed@?l5-2d@0cOBppw2I$E{2)K zLyfk0TrSHI?cGXj#Wgrt3$ty-b4<;Db?8zZWjC7o2b0_U#EO{`QS zQuNUNUPfM&@dBdv!z8vP{)_b1SD;*C5GUtc7)eE1O6+79$<%C`zY~-|oTfF@M^0Yv 
z@AC~8LX7Xc)*W}J-J}#3vI#ke)L6vXBzH*asCDCX<6=$XVmo4Dt@Tx)LNq*NYDIeC zXdqn?I>Jg_!N2xv`Lf%ZcDJeDKq&^i^XrLF9_v2&2Yadb(vTO~N~U5?F(m@63~!G7 zypHR+Aip@Ms(RQL;DXN{paiRBs3f<_;i!QjB7Qs`jTHOOmpFzv+a!4T7Fl^9plZgC zqZE0kl+7WR)z1Tj99FHA%gg(x^8{Nh52;p*QQc|jW=?AFsRj?T)kgFjt7;N)}d(iM zsp$@f&yPM-hniul3C#2cY%Ylt#Iou@SuG*xhw(3~DRC(&@7Q1|p{$NeGm2u;8c;Yt zXCe%6^#PdspI5uk+|eaMn%%H~E3oLlQv1X^R@d_n!g|UM*msMpeZNb*hDhzu!x-%t zc%vUnQ%%i|`p+f12^$vtbc%Z|Cm;0DU6qW67c#h{CZdYD;+#ezAPe+*W7Ih5)1}z-CS_Ofy<+}AjT)Vc)uLL@Gmav5gzJktVX~E zvTm=lG)A4ZIG)K4vJ%VX2Usg`6E4<7gT4BxMYY_bI#GBXMT3sxM-$chY8)n>_RHGD za0$@|E7Hz-;tb}Q1K&VpOZ) zCzV$CW~IRCHG`px9tF0AlHE-Zi26+S!2NxS2I2t|l#(0lgdpsMuVdAEonid!b8E=p zk@!&w1^d9Vwo-Njt&|Fl#)&FXWowRk%Xc;Y4@VB5ym=>@l-eM5W?=d_^O-GR-#cM$ zq(7+B#x&^uMa5&yZYf1YuNMtBdn9;QOzWTL0`B(PI#~e5-s`YJ*PKVx%8SZ}loiq| zO14;s^P9z1VbzpyHWz@Sh=&fI^oRrQ)$52ZwP1kpS1rGz#f2`8%*@QdH}clZ7s{>) zR|z5~T3$IW&SjtqZ?|Iy^ZCn=lN;J)A;;xqY`?Dnm-ZhUll4!FJQ?HeSKK*4&Fj`Z zI!VlsoG#t*;7bSN-HSNfA)5`Io%CN8WML6ffDU594PQ{2OAyUJ?N;>{{W znP-Csc@QUDYQu;BDGJLdWdZGgD&xUnVDo}&{qX@3?u*5cHT znYNjScbf*-_6?#Z0^dIN4DRtolog6$aLbC87~%H!X|jE|4jfbThyC6dFJ~;TUFyuq zQ%}^OjYS7TqE;%LqYq^4l8P30)9nc6y)M1qIzuz}z~{CJl*Uh|+*a<6M${R~*8D6B zz;f@bjySgSqwz0%obCp+^=qS+tqH$ZUktA0X>TRFuevwt^D}rh&-L(LZo{=88PNY) z@u@~|UzD60pg&04Ct_Rt$7cCqH#BoD?(E=LSQ%~$3u+_2U%`oe7_*_F_~a@Fu8q_)zzi@BOgrhz|`nZ_ACY zvW!zT=ZvOB6@Rg?LM>kFA^}LxUXreX$!>M=s;tQ7)rfOR7nMY3^+P)JMlrUS)QbX= z#Xi_SdR(TgVG&UsGrwSXbvSD7d=)ru))VhXIn<2WdTLb~l1S;X?s&57c4Ft7BmUcp z@XGdjhA_NVWQy5a8QQ)_>(-LxYX5-wQo3dR9gr4Gbk#u@oA8@`+?)d9NEs78QTuKMCg@iNSS}Ife;mFhQ)xOQh z*hr7nk46P&x<}v2&EA{*Hji||y@U94#-z_%NEDd&Kr~sIIt~bdJvgFTdVhG z;Y{;F$8U8H+nIwzhK-SHM(W2iO@a(8^c<=}rWliO!kX-Qs3>VCXcws%Da=dD7IPTa zPwf2qFLH1s>#9Of{{Tp#8a+LSVd^31R4JeFn$3O#|sJWx=0-1;KWpl92A ze>f=vwnp0BEXYmIU*IrBh*Q2eWTqW_GcO-8M6?fo{-1_x^XX0o`=ot z5NO)~xJSYH^)G;y$J4R8M(UMJyi6w66iiy$j7uq6C;S*x1s9l~sN-uJL{| z4p$IXo~A(^O4b)GC-t1_AaKQ9X@WZH3%e6<@7UQFrd2;gMXK#r$ZCd#M-_Vl%Y}27 z?GAgT^s2W*%VMA)4DO2sZoo52H2JPblRK`NFa?JF6051e|2ZXMg#|I{e&pvKF&Uoa 
zs!9i3HGpgG!n)a~Y#m|+FP8Ee7pP4IiV@iVwxaGgw8+>4Ul z+kKnx-st)Gv~V0p>RRxPzp~v^QyzY^w%xBt5}4jKOTd33VkynGzLE&GXSX@G4O{IV zy)(IJNq;aml`-c$V*%FkBvNTkd3r`7sqD7QWNh8cM5bF@yZ@?PB1=^tX(U($$5%LY zG=)t`6|L?9=H9HYP$wQ}*8Mb#I9I;4Xz#>iYRJ)lFg7grbm}=0+BP|kvcWiCXj;}z zZJ0vI89q%$(wfua!*N5cr!Faa40Om3zH1bB%BXzpf;cIpZ{{gtyFFV7+knblS%aEd z(eYIL6C1gWKvGV9g2s<-e(h!R3P-I`1q~e_RA}6!yp9V(u{x&q0LBa_a{~+D?bX;I!KgrCR~LKCM}n6%zG;I+%%{ zM2>&#YWQHN*lP1guGdw`+^5<;x%ZZQVeIQ0 zDq#~sLDbfamhs7Bkzso>+@Myf9iI)6$+D(8nDCA?LH8GkfWk!%s$YVDV0O(DKF~A zCvbgW(mVj{rwbIsd~mf(X>Suw{&L~y7u8_B7TV&k+heD$CK}knzju(6=IF>>QA5kg z2*jA1aDR+Fc{IFu>^aq&Up&5}2y3a%I`_rO_1yza6ukf?F73NvEz9G>U4xbf-A$0s zCHKYGviE{#e*_yxo|g|gDjLUpDD_3`m}-~{J97seTxAWUepF+PY}{|9BWOG9cAcw0 zn3=n&q`m)EBeM(Hg=D*$nB5tGr+N2p^ALF!PLWXts(N~;+ZZT(heJb4>K^(d%X7+L zMk)^|mYSsqL_YuM=H~h1+%Gj0oLo4Zk4~FTnvIqDE7*7!5EGqutuC5Lp1dne zshHShRPI`Px6@NgUR*Qab+R>AMKNEYgpSjVi|YY~VA&YCtxK*qomS>uIpcRlamRrQ z@msAhY>VUWK$DAR{#3;dJYLP&dY|KZ~mYth5<_DQXLM((GdrCKo6toijC91ZuWDUbeSi8#F12Cp|6K28mc=7>$?h6)d}2t$x{A3Nz->&eU+dj*SkZ2lQMw%nEi8>n z1*ijFF60IX2zdD>A@F5bd8>%x_rpGE@GP`#J4InI^~6`oFWdUc6j-H$ncB_=^lsQo z-cC;6mOsq8%4l7Vv6O|{A9MuY6r7vczJ;%xal4hwAs|A>guE%X$BinzeYm%VmS)5=s$}mjL#M3K zsIAV>AyYm<&?9#c@sj8y-%hJOaoFLieR*7V;7$*7;M>yyru8h|r|#FFK0|^x`AQsf zVHqJ|uUDFb0 zMk;XvDW3v3CWNhq`CBNi%*K@ z^;H;GeSDI~*X2I7qc)LsSvBwbyTz<7^?5tbi%;bUKJi3Yl;+y6N|+orRx^$Tu0lR3 zQhEvH>`fwowT87(h*Hhj@7TO5&&L=l&An@H)476lZvs|{-qCB(&OH81fgJ9u*5j#I zN8NFNwQOhK_60~S1z51ZT@qNh04Dx4O!5S?1wLUB`k3k7Z}-A9a(g;2o(jRiG=fW3 zbqh+LP>Qk6AA@Z@g0-$0D27XH5Z25Nx~m^rOv;){(5Q(*pSn;t&VmJJ@$6GynC|zc?fs!lt67ZG(zPVMLhWy>SRg9C= zw9cGmb0%RXzSsQF2<5mP?XTwG8)#L4Vufhb{C72Oe<9%M(~Z7o67BN0V~yl*CB}XY z^boiJ9;<*>E>lSleQ4B2cdO_d$ryUIaAWt~0OOJRoZbY1miu zqb%984C3~rj}N<%Z?0Vay1mh^NcZdOHr}=TQCe0R-a>UuKRwNwl>~Lj#-N19LZv4A z553=9c4t~te;g>1#IP3C%?p#&K`Et;FWiOE7u{(n$__MHKe9g-N2!!o-QVNsd+@aI&B)SP<*QB5BneJ@d zk%~s?M7gmr~eG4$=J#7}^~50H4knvk@cSx9GZ_V#T*|mHc0_lQ~3v zf5Kh64p7sFjcKYq!2bwCn%+5eE@9PJ{E+9i4F2FU_Y<48;{@>Z5ZjDoFoDGox!RC~ 
z@X+Q3Zs2$bxexKGybd`zO_+1JHG<6Sw(BW!69O`oScP!7daskLGVit>ey8eqp_fFT zH^XfcFAJ@P`7I{(@U6>XY$p52dQEt9O0O9`sBHT??_S7x4Y)Z))dy>dLc*e2B#4$b z#hp~sE3Z-#H~`<*u%67W2gX^bIvlj#$$NB(AVql$+)W=y$P5)^0Deoa-EMA#^Bd?VSB1+G(`h47JLdUfKcGLiZy6t`FTK37V6ef{1UVZoDryyC-V{PSYC; z@oaih%2Zj#H@QpPg285ok-?UJf=*UpBTg09*!lP}J+DmLUka+N)%R;T$}R(d1DgZ5 zPv7Xf?N#3vju<{oN_)C;Mqk+HJ9%$4o?I_qw(3ydQT;B>+-oF1Y;Dk9Yd|@>0T^q9 zpNJk_Kk=Q`5a$Hf(=aZyT=qMcVT^&o8a%SoydKs`eo?fkB4rxFgO3gOj%xQ_x||;a zobQhT*e8#++Vx;DHp%cV7wQP}#ZYv%423{B%K*6{tUiGaRoiaZt-O$G?}=n1`{f34I5BV3-77~hUvF>Ovywny8=h*xSd1UzjC>e^uci@@oB{J%-mpg zJ^qs)BJ#-b3xhmX{5;82lsfVkv7D18`1UwXSLPegLlr|p+1<1#g6d))0eSpW1(G1@ zJ2}DAnBh++x}F1p3k$=t6;p~oDjck=qHsC>a7Svf@A-y%D;w@on_#Vb@ zX*Ao@hA((XQm%H_)Oj&$u{EzEQ|91K)ULz+mvd^oOM7T$g9F{CliOhzb{A5{)nVk; zSP2$ZO#QUbMIAojUi?BPD&H!rvMwjf5fsk_s`iq)5|VdIxn+pvB*%JwoPTPa@^Xwx zt)d9$?Zvk(3IxX|aOt6eBefU%%MbEx8Ul!R6;}84ZZ|FBtFNTzte<>;X-+K#O;|9j zz8LS==hI(Ihvq&0`5`KJn9mP$v6L7X@s%x%h8o)30<7K02`(?NL#Rabr9j@Vb<(tW z6Zk*ZrF-ofin++#gmE&?ryvvvYV8CVTqn~laQQ^$$nG@jg#Cngembl|E?7CV^)k7L zVpYQGObc9oksQ%ug)%+mAjUx0zJDzD&+;Mr6!>J*a-TjC1_c*Y%Fc;k^mDV}Z*Mn4 zvKsUjF3LZw1c)pOTM!GUlY5H z%Y6UNAyn7>!(V1dR>Qf$>H{H^MkXfE=j}vy7gq_hq0a?5>y*BxO_>0aYsKGZ-l)i( zDyH4_*~>n3gx*MATmtWWJ6Sek=Yk4ov8X0WTsWqz17>k)(tQ^VO`{PosS7=j{{e+(+wefb$g|Rze?$jjcX-uOxHaHZoEwH-18{pPP5 z$kZ#mIIfvljrXjypYhZb`+S|e+%&QawqxI!JmhvC(8PjN(|8tlcL;ttbmnX?WPa~{ z@?$j!mt)oK-$h}nuf}`kxhHhm^)Dp3oh*PQLYaoY=|anVxzExHYJ`Bl0^~kp&z)9X zA^$N5xJ9ZbZLMX_&W67a)10*zP@{YT*&cJv=m&-Bn0`eYDRZsPKx@HJEu*e39O}s+ zoA_<|E{37lva&kGH&LYOF7@p|c-dg7Z`Ro>KEwQ4H20K0AyHg>XyH)n$c%%Ea>w}e zr6b`>HB%~=2X9$l0j=oxJL&aJ>lVj1&jrRD-NVqJa_WqqEgND1nixp#4}C|kXRBi< zY|F^b9$HM>C{FhqPly^SKL4*^M=^zQ80wtpxLqOao^HQ=2<6P!Y=6G1iL>4XMC$>! 
zFWkvH3e!k^Q_b_<&+bwCWRfp@bB*ey~=E;A>ZGfS!bpvA~^(Ww~Wxy zSGK0F`d*}+2ytdCdz^?N>J}I>?`F0lVTd^DC2Qv<(>MH1>YyAOb#8%!yZ)yV+n|pU zA*|Sd&%@E7>0%|@tgN`SGPdTgOfX-q)EupH@3_rHnsld!g8WCjYBbM&yEtRIwowC- zXmPbeJ(OfVx1=sN?T!uZ@3(kku=bI6V#{45NDG7d8CU(tPz!;!&q#*sQ^V#LVbYvp zChh%JT^*GKeBt_Sm3+&-3U$?pU5+*rZS-RcF4StmKfWa}WRKd3U~TK(gu0qPWQ`>{ zENrLBSQo+s*0+a%_a7P|XFigW3L^!*ESjBqUw@!Qu?f;#yps=AiaeY-nd)A7OKFnxvX7+Q0OBz?t8?%5Kk_w42-O0@Ym#{KLr|{blf@6-X?(VD>GNE z`9?eL7EV+iWKM#lu4qwju42zRe7g`fz5~is*c!Guq%1L8yQ?i0oWq7~ErA7V!gq^E ze{1uMVzxqe&X`|QS$1%~vHjo_wO5pz@S;F|_)W*K$*`JiI%^6`8hwxM(DZV%ivG?& zuXaDIQ3ev|?k3rdMWMjYsz2?3fbkq^Fv6>6dH7B2mx_kNgn2Io03xy1+FLV_3p?3& zo$bn8=$Bg^^!wOn!S|Uzc(3s37vo#IYQp;KADSG>NlF$KNlx3k%nxduOx|=2M9}=P zlHo9+#3P*}Z&^(V7?yMEHovbQaQDBQNsr!qfxRy3sB>qRLC;*aqxzK_3lEV_%BK<3 zrohT$n?_DAYiFMNG`Y^JiM%pkL^l&|1{rHHW4`w<63+X^%vU&$M7N%2b9o zx)7=I8oPnSI|lJl{d! zXqMy^TUvBCQ?BtWEHe`}SHN;wL@Nfjgws{$n@SpJdxl4xVJ9jGZYHIivZ64Iq6#9d zrs1HHx1^!0i0XUMx%BiXr|BCk%6EJ?#kDzq|C9o;+c=D^+;esY2|z0XpaRRg^VKk| z(*yv&`dFomh`0MzXED3%EbHMC=_c-3=^lYA_OLSvzV6LK_E?@aVZW5+NT%b-?UK== zrK>KW zkWS90N3FKQ!=6RW$_kM+)Nn}8`n}BBn1;6#S8V3hD$S*<^8sYLh5uJQ6{~@8d+958 zY_SAvV8eE+mm#T^;x{QmP#T9t&T#e`A9xV}|0gqSoU##lc~V0v?N)&Mjg4nU62ing zgSb$5UOkuD42|JHx>p0c*poyc7mj-N zUeUt9iOI+#O1?<&2yyBPzjn#Rqv_%c$1U#4R}>v)S~=z}IdrHCkJ8A!Vh*-jMjzMH zEx$Twrq~~v)s&fIdT7S!UmY-{OorFxmqpc|PxNHxY4HPl|{9BJTb*mmYFHKQj?Xxf| zBV{JzeA@jSz*zRoS>FV+Cw-qf412P4*}t2h&ky;Dr=Yp^D`5oG82lv43gfr|Dbu9G z_xj;UJ%<_7g!L2%VtkYUo|q4!5`w#VtI%oArVa1hedl|(&eEM`c;jT0l(r^aaj z_&I;6`hzmiHd>2 zh)@eGU9%cxQcYg-8odvn5Cz&6b7Y3md-J{}lzij{cp8nXAoB&L)(Ew}i=AwI)rd&L zZ$vCx9rl&_8n4sgkmK~hpU9(%AO8=a^NZY=xIVEHk-_soq{YWlEQkq%RVZ4AW-?N+ zAEg;}(Mm}=tR)axHP}qqw=T+mqV&058!CIa?o@FAR2XfV= z7R62dM&Lv>jkNS;eBJiG9H^UB|D%&YVbNjdS{z`^PatiPlx57f0n?n=wvrhHmxA!7 z0eWfEjR5x-Scibolh%a*z5w`t?7eqf6i>4^YD9?&l7pxqNX|);3KAqqMsg64tbl-o zMMScIh~y-wOOl)(JF|#C#q}J|bI$v`=X3A6B`s_L%l z*`2KfWuptCfu;{RP=*xUd`2U-nrk%pS5q?0n2iE32*(n@4dlPm!MzAtON8iX%QkbmOV$V&xNVlw6c7dYH;xAXJ 
zJ~Lr>)(12k-$A}6wUqDli>dBquu@M;r!v1bZ&Y8xapT^`L-v8}{c3g1U9Wn(8!EyI z)T3;IYMl_(QhBqU2eTR#By;cHU^4NZo;A&8 zSyPjhja2)J7!gM{=9rd8UoE@c@PO(mGW@=2JJ&8Zk~Kb*lzU=l`uabMzg#XvWRH{tx0_hGzl9 zF93+M>qZ7)){lA(H@=H&?{4YToxLhtxL`;f)5W&3+8G5o5oqFd6 zp8wXkNlD15*M1pT(IfX57VQ}rP1r_LkCl%rg zrXL)$MwBkv?9>pwG}Wz28eo$leEa-3O=PQnOv#i*_d644U&p?Gt9Yj`#I>z@8$Yx! z(a_d59$Ky>Xf0kfA|=hq<`7{g9kohkOfsL)xK6kkzEE1AN^ERaYm6@u(sv?E5|)FR z&2j#~t7yUvp8-0O+5kElM)^a@#R;m%{C%F|GL)xroV`VK^zHD(NSC4bj+nzZecIY+ z6Ll{&ahM5S(RFLrdmTeDwhqF=g)SzW7aP{*7Oy;_GjYLUqmbM>MOCZm&y$*&|AGI> z?t0x~RamQisW9-p)7B1y6YBD~bYvryg#tMZDJBn0uPbAall3K^+lg@F%8m_i-&w97 z$=M3BdA0LpS4`8rC`&ZoeQ&jBV&NM`=^3uBN*M0klxuMz4AM|@23fOoYTZTsr4Mw^ zo+UGIyILopIgBNanw7efdgp_?@mIb8tKAl!tap3@>F=IA1z$lrZ)FyE zpOLn}SKpmX9@zVmo%NLEdJo^W`cm4A&Q8@#6^p@wFI4o?>=~{mm!TpDyFvHvB7XR% zP3y(CZX31n}we(7O z6}32eWTq~7psue+Fs6_J18$6WkT{%rI>HIyZw&a@;$!yCRUV-WI1y~X1NOO>^|md^ zo^v`uCwMZ`gLTV1j*_dl@<7V(KaQVg_6EQ6bM@NjrIMrTdl(oCSyUwt&$?LpX}B<_ zS{8~kJ9^plSkLmyML8LW!P4-uH%JZ)F8$WY-IH%+FItnA7I>3P*2PrWt|2wqaf%c2 z1DGutdcgrrBiueDY`L)f9RkzjmH36I$lV%ZgMpqe14r@Ibw#tU&h@-}XC3^KxDaWi z}FpHpxPhWi*8^b{85A=>;h zoYZq_L-guJT(H!vr6UlhvoHP-k1UPU7FbfgMQiSzi(#JYQ;M(;ipDATrsScb9ndam zESVeMZJN^H8<1`zQM4)&#JF*#T9ibuhB%s6xO5o~K3vREo8BvcnB6{l$9K0FYHc*^ zP$Eo%D(Q(wj+J^;a%*7BqiciN%LO@dq173GR-b(7XNbYk;*B$)gmxel~kB~!nxHBIo=V39seCuaK_4>lv z$F`Po_!rzQOzJ1#~EmO-((g zCYy?cIdOinmrPWd@Q#S8qV9G(9WlDeHoaBM&~r|z=W3TwPT9Tf@=G;AD%-73t>DlF z>DQeKMF!PiqT|L}yV*lHN|sbE^rtj9N3L1ZG1@Oi}&Uz3_q_m z!;pP^3JB`Gj_jeBrnQz?jEb#|jk4z-!`zOP+M8n|bdDf#&!>EHJ0p6(@=mdp^Rm(D z>%&f^9|s;;KBUYhyG^;RM!@Ys1SDYr4#qt%?F9yp#JoGemLJR8zu~GYS7<>h@D#P) zzPOkU_%q?Yx&ToK()6KA_iz-fB)!kkZDKqz&hZoL$psc<``5g_%B39ONrv^zWKpSp zm~;z$mx#bLt_wfu+Or4O(^UBfaB;zNyayejxaVHSi^Ie&za#17+)?zG<11?E7JZQ3 z;pmC0*|@#9>dFE<^czY3Ldti~KbU{Ldv2O@z>0uqK671+X;r4rc3Q_EEJQ1>SdG%h zFX8D!adiQ#oE`FmCF1zAkqW$_Pi|J`Ju0(9_T>iA#wD?5*t~BcJG5uil8_f5BUS3R z5JfNh7<#B-_hdG@<%$!Xs&cF0@ZKO3wR3N{=@w%sid9Nd|YWj zMiTVGdq(c{o8je~d41HiR~4NjeYzCp$1e?v=Ih#x0VN9;YrC(qJw=6wJWdc6@(a;9 
zBQfAtC(Z5K(PpLVXF4kckH_qE2e&j&keH@ZI-PMJZd7%7k`+k|iHf_WD>R2lnpRX? z@FH3}BB43^fX~fXBN!_=rhk8fE_koz>{~vOSm`ofBdtuEXz@roaxn}zej!r3-H}73 zZe6fqMs~Gk(C#4h#69Z2A>_)nP@HO9p8UbS!0ZUS_UB}2R}_oAPksV|RCML6_A zc!R#uZpgxD882+Hv8;oaIo_|#TDE;Ey0+jemXMUtY!r{g5fPze7Za2(j#I6F@`iI! zkPGEmYtzY{D^;6P3#sMI&TeG%%gDB_(s@qkK=Al7>-wh~2j{vAge{hvCh>Qao4m_h z;!L}ov|vJd`FFbIjqcQ~(Oc@YSPrf>O%+}mcPP(1YD}*@fI}SX>6ovl8Blj7~8B0(D426x3D)8IR&HA&cxH-wZ+)m~LH4ZcH)0mUL zSu==YZgMym5S2g_CDvIPXP$osdU+i@4ZvWE?_F#bDu9OLk|C~2W=t*bH8k9048Pl1 zAW($ogPq_C{MS}Ohc=;ktDPO>g%4goU3Q#6QA&Wd&#KkRC1>XL9>4O!I{wPpSm5iP zsO>rqZb2czFDO@_^*Z;yHY}eqA|Y)qJTc5E)8f$sZQx%5!#ji4xxCai(vsbLS(w(C2VfE42P>9Bg&GkELAkmXlg5zQ{)YR%*#KUR(pGwVs>RGL1_6Hh0E5hB4xMI z*TywW8WpCiQQh}R)}H#0PH77f53JqDGE^soC7O#=FBm>wfo5Sc)wbI6od?e`Yu-fQ zo|9(74_OskUFMoe$(&A;WiFK`C>%6)XADTn_h-bq6eE|A^i<8C#!}}%TE#Y|u7b(t zcNT!tNF%R~MlThf*H|v_DW_Tw-f0avoe)!fxEj}!vP>H>7YA_|;0s>$d(hPC z$W4iZqnBX99y$Ni6Lk(ls!y-|?Q7+SuU{BLzZ8`7XUC>lGY|PWs*PlKI^gekQPJg; z9&egCEtr4sG=rP;3SP!!Go>aVv1jEB;*NKdDNN-2-qNy)O0%Q8(}-k!f+(N++4f`M zYAwN+MPqaMwMz-Agd)yZ1?BWF`um+hNJ<5pV&>zd!83(aXpJ-)mttynB~h8 z`jUbuXL1#tcbhJ}D{CFJe*us6of%Dv6BNPKLrv-=!ogdAGai zp(m_qtz<^ens(%Vo4{Bexgw)FH}(06$I;R+vO{mjqeKS0FuuODBS54rvz@utoA4Xy%9QZnEa zmNNfd$=(Lho}aQmB$@9Beqk0F?9wX6g=lL%Pt>ZH4X+?36EfFR4OLIA-uZ&js2#hp zl-Jq$UUhv+#J@Lgj#p=mEg^cw`1ZzR_3S5iXmMe=QtxJZZ=If`m8(#Z`&Wv7Un&Q@ zAw#}%Ev6(s#S~JTPoBPg~%a|K5Jj5O{TAC^C3-%jPa&bOs=E805E!)7h3|(OiK3Y$pht@K%E^+&Gu{|7U34g=%jo^ zO`n(U$V(A+u*;7nTuAlPlh&B1lfV+b+|j|N93P#Tyj$^=)+{cfNN&~RvIYYlduJzw z!O*LvF8w6=4P4ZQC8sh=@hsbhopTcd857o=d)la|J;>X-AbEzrI4f08HPQyV*RbC^{fD5{zauY6$b+9Yt zXgvs)uo*wk1Gqq`+%9L}0Ca|4Q{}PlYC?bdljbz&f+7v8f@3=B9M-KyzbH+-ttX^`A5c$dR>aV%;nM{gF9;PaA5RFxyGB!Kt$Gj)c-T23YJo$aGR%QfLT1t( zV^U(AZrI>ETbb>hm*Ysz411$5?3|t)9|`S+FlyVI^T3thT>XU}b`A__@n_e?#LK=e z$JMb;!~Jjh1YS27(el!fm=z7A;0~OTTo0o3G_;IA*ymeG-$a^@@^Q5Q<@&ShzQ}OA;GyQ*N<6_E zQ}HUO=TSx{*5A~@L&+(GQsWZ{WWy!1Q^njp4`h$scK{j`rhbVP(V&W=W3Xl#N(+!HPj?DN7f7L z;C7o?=IOh&Rb=`PwNX>R(yRaJ=Iw_)3y+3IBWF-qSLROv_|<>3IT}1 
zn0ePfabrYg!cv3nTSuJrged!9c6Ji<{6az`6VcT856qL1BpjtMQ`uKs1TMGa_+B-9 zoQhXM%}wSf{FY<=WgUjX6ze*bAhULp)r-32fuvmj65!#*N?dlTgB+EUy@a6x!vTbx zN=q;6Y{nS?2tR%7?&Rejglo~gNjUA93WjS+kLB{{l5VNt7kdz?$i>1R=<{XD z(UUn~{z#r12qW|nCal+$o9bv?-YR^t-&K#hEhgNzmq)G2g?Qra=`mc|j)T$8vj20S zQ^ze0Uiy;bJS*fXmA=K7UsadM0!uYy!gH<9)yc}8GgLoy+3EUIE7Jq%$#Dq#?jTGG zxqt~OzlPOuwXeBP4L18Hy-N0U-B22+85rJ5jOOs9(3weMz1C)+9FZCv{U*kG8hE1t z@bgZ4c*kY@FnbK;?$3VFjd?xax`N@_5ynxfgvQ3IpECz}AS&uaPRERtNxs`0H=?V^I2I@7A&v$nDyH2eV6^QGd32_ zKR^ZRFk@vM#Vf&+6j}Wq_K*(*_?SZCY@&JVF`RhSAA4(6&9+o^wETvihL_4zrF=7f zY_#nq{e%kmNyYxlD}Xmb;D?n((KG@@lZT$V{1+!Jl3~Tuv+g6|vhiG1dX)+VbFw~X za1~@iG7-4u4Q&r+?-^p2it1*1y`ynR;EvHZ4NdKiri`_=+DFV2-uqJDLfJ5z_hy0m zf@OuZ99GM6k8(RB4 zde`F9?z}81h87dIqs)TEx>lFSt)5WAZ-j-%$ZU?ynaV%~J@moD11O=xvCDAGm!z@R zZj#Q=>QHG}s{*ImC4ofUf-Sb?AC`>j1JkPBDq{(H9HfmemHf|LdBjEk9N27bmA7Hu zEzy1Ra&daE?#1*Lf2h`3uPCUXu$(MEa`5Gai0srlxJ#r=yD$&x5rQ42i#fq;sx(eK zc@}E`yMA6Ze8pnj$?%Stxh0bA*%4qBV>RE`46k8jnl zn#*=0Qw6tIg!tuOekQYY;c)Xek>?v&KZXiWv+TLcm4y*C`Yt(lbZ65z^JjBMvgk&9 z-v*cFr7@rm(&fijJ=(4mMtp0wWP^swnZL;~h30c;vvq!)w%_iHr*_a0 zoexF`zv7?tl_6DVY2IQ~lWktQtrB-pg^nWUp?GXzpEgE4L^nQQWv^y;9(dY2nwr44 zPER5dr=V&#g?AE~M;vokmM^uTcZ!Y-wGQ41kmJPUZJ@;nmA&IFP3TiG_EMxMm{?H8 zm&Q*=)j)|*j_S)!HG$=e9|CqU(nWo1mgNMp^xzV8&AYPQ=_k+5*x4~d@S}ax6hw-u z#yz;76!p~aU3IxiSPyNskM}WjWDuRVTknW}<(9dn7FJr>S6| z{j(kwR-&?s{4AmB)x;d!`c2%b)ERpcJXERXTE`lDqVzt2C$?$P%CX>u4f`iLW?MJU zX*FbGy}N{m#rCc|dvVh96TxiN4>3iUSYy96Yx4ugiVDN(Y6wmpQBl6Yj{@tYZgA>8 zb&uw)Pt?zwx2p8s<(-&cSzWTncd6S9E!+yT>77)Ne6G-2X>7l3;2D%!dcVblb0Fb3 zcpAsEn=MLTxffgWwIy}rqoV`w2J8V*ou6>wJ?1;S&eBGbA?kIPr9@|2eu%Nnum^~N z5CG9?S1+-X1>OwiwvnPzbkkq;8_80nQG@EsW}AVWxI8;M1G^FIm~#Pl`*S=-FT}^p zHgr?Av~*h&H)Wb2tD4@&rjO+GC-feRDQ(|Ud=%EAccbv_v%WO;IaOPTtSPHQd*r+- z*SYw4s0V7XD}l?=;D?o9@HMmI&Gw#g>|#x!X=01}$hiAH*Z)f49i^SZfI(?}z8{XQ zr2e2CaBL_?0fL^lw69vVufLy5d6_&j!Erp&Lq_%6*wj?x)pd%H2)0{LL^*@$86V|_ z@Z?K7pNnEf#IBiE;^)n;$L%J%f3`ImO3VV!^P#VY0t=Qph+Cu{11&bM#8kw#1fokuyPUoe$0fuf(y{nhL+`7r@Y%vqB4 
z&&yl9jr?$daAl_utsY2u`t=bb$%EG#;Sz}E*aV&5n<$cYHEQy%;oFc+*sPmD+M1m! z-b!d;W@)n9ahgjX@NX18CB4(mr{Ex8(5!jx4V;L#M`0V>{iZ6$~rtQ=! zwtU87L0>fviBf93zdLv5D#S3n)@!%KHi42xG_P}Fwgzc0Bphyh1 zh9q8sjlFOBY0^{Ir5mbH<#W+C&o+{zn;XU{P%mXj#cbvSUdqs}U-97e^JW^RdPWD} zZ8IEMWNkHp#yirrz`w#M(tWFt>S2$H{^IJ1IvQ0pFS%u25w=wa&%MZ_XIjCbD@vl< z`I#@X>|C5Y-!;)gVqG2qM-XEV{Yqf=cB;A- zs}V`v{->bluc{^{*E`untHfDOSEAf2?Mp{H4WlY9G+w{k$>6rP+S!$MiX^B>OS`%0 zN%_f~u{4st{8Zp8;!sBJHU0e;HKfJANV74X<|wq3>gEMO3g(-_ye1GQD1)|%!s5SZ>}KTaP{$-o*L{rC$e z@QRERPvu{oSH!$`|Ja=W7q;D!!m?MkEJN!w=_yYdmpz@;=SSKyWpbZpSw_lUn> zte$QOW~wxYcxc3KW=|JUVS>?${Wb(xTlTPa_kl#qF*Mw-EK%SGJl zY(?ihKGBV*yaXW^pDw)J->& zP3A=%$>5Z;m-0h=aW1-Qd7#|I0QjR`D=*JCbJXn7M)@D^`L$xb=8-T9_C0%J)d-|O zZ>%3x>W!3pqj)c_xqrA9)OzgoWeKKdU8HY?lWzDDX`EupJ`1AZ%cJ6pdfgb%HwEuS z9ptyZVFIU^?DqQ>@cig&fk&YJd*1>ozXOTYOfR6`MuC->^qF5H&f~BMon)udx%P+c zBs&;3g$ob3?-$Kd&Kf?ftDMFWr||m-G%=D;@2@(`IQ`5MxbJ7L0L-8f_aOV~@m7gT zoIulK--Dj|Umev4?mJ{RHB-uWpRb|7{m(@OwE8Z^_m{KXNcn@P5|@5RvHz;A>a!() z0HEN%2yptMxahhsKq-K+e`MvLtiN@|x~OKVjZW70XkjHm2P-Q&Sij4f10eSOwO}Bu z0cc?bJN*XhzfaVsb^b6`e+n)% zT~U5gjZRh{bg(X=^;Uz!&H^g5FY6i5xZhVKAh4X!dH|{u7~4Mw)^A$)$BqF?7y~R#Y-nV4(o}DX`Fry6>zg zzzzb-+yCmh-`4g&2G;Lg!N9tKPF8SN{w)!RI*Tr_fFXWQ1is7qYhcNO>)daN04BP? 
z`ZtP7SA))3(TchsSSY~$2`u!Y?mH_Au!F#Qlfs367^^=A)^A-=fmMZ0)~D!T^+Ow2 zf8Md8PX8KM;%Gep)#-3x{ToHSgw9#fiuygUK)`+qEVQETJ1YvXgTSf-0_(R0^Us0x zTURi!4AIG2gBDg&bb-Zj*jfJBvHT7N)-$vofHtuHeWKFUp>tNWqV5M43b3C73$3X8 zfrSF>Ah42BxG)c6_20`^m2p%ryMuuy>Q2bSmAtA%c%rZsxk&hl7h8erpUnZs{Ycaet=!kaYA z;lX_CoYCZkQ)KuGxP9gtPy>PHI*x}OkvA$Os>jI-zhuAl&fvDpFqjGq;qa$(Q3)`{_yx;Ok)Dbp{ffP$z__Yz%6 z{Lmb7<&<+~aP4Yh^1_bnFz*Z==5h{B=xw$VkaA3uQ7Na8nSF;^4uE=C>UXG*wSiC* zD1lJpOYcMNpZa=QDo8@|$srwyls`hsI2fVNt(*aIax=aIqO2-u%YBvL?qMCx?P(=n z(_9B^PNf_ebmGpw%~c}4CIcq_ zcF&&nBQF47T5HIK@9?GVa}PToFgZ$f&_l?nFmv}k$FhCEZJ9dA!f9bTEG~nVk*Pi`(vttUIPCoP$FZC9Qde_i>>9IXF&X?D!y|!M`?-XTap zwPpa#Cpn}l z%1J;w9d;6ccgRUV?E%k(0dCy(A0X0JeK4lOsUJ@A7pnH>cL*wZ{EFOwN^eX%U=1w* z7sfffAI^00*SG-jR z{B8(vhQq#T{=3uduT0>DpS%g2;-_U3G`}VqyB<;kbjuEKtvTew|9h0!w-~71!5)!0 z7;^Pj?;MnSTQ1OCnhLDL8_=J;v!n8Nw>yQ#pYVRi4xHie0{ie+2LQ2K1t!d<0WbWt zNq|!va!)EWk$6Z6aJQL8vo-ziQDT1~2DRG{p5m#D!4T_TLHW}*F@^CvD12xz9{7Dh zLEUq=pu~rF3VYAr*8ouB!#n#S@c!{AaL}KE`#;x~&!v4l zwKqfriTzO7>Zf(UPT9&v-p)D=2=LO>!h=Omc?d|fdVkploF%UU3D#f;u;+o-_BS&z zH|25~v!Akn{+Ma1DZuBQCBgk2xVFEW1+K}h1-&Q18jOgZy@IZuI(o?+?{-# zf&f}SWsAU+cy=~GZy=iiuk9yp+J7ma%wGy)TJG z)c2zcS29lQh0)_fez z8hJ=jR1Ci=3zQXe&1S&vkpXx@*iZ3xn@C z-cPXxVsZ>kl!LrqV(p;v0q@`6)xc5(>v#JTqFGx&-l3EWRO|2#en?eRUj7(O$_4Na zXDgughu2#)i0p3%;F$m9<$s~7ZM((-s^sRFdw0kq4Nu+>M__zH1UoVgMoe3QCA7}d4>t0Z; z!%lKYRd9Lz%aZ_5``^OrcSODydB5)5;OW32CpoNYKXi;kTGTQ$hh*nio|n zaN(y-;(tvQ{XeY4{^|s3w;w!BayDy0hwI8eMFm&{AIh6b&|v)Esg6;nTIrKOPPKzU3+%DtjTtQ+%Skdjq8r!*fl2L%ZX1 zEo?3AJ7?H{f1O&J8raCHw}K7y>FtTMh(b2@#&%bNZA4{T681LN$HsPpMP1k0VUVrt zoE-;OMD*q!wfo-Ue0qdCa&x{&57|_DhB`cb@a2;a$Y=&IYwe+0OjTkn7530BmbK z0=A=vP#g)}Q?%WEjYyb?$l9A5NZuHNA=&n>H6xJ<6R?#P%xxdP@rjk@q1}kRJw@cM z*zN|*-F4&j&T-e#z3okGm}S@UoNgw}q{3y_YjeX!v=iwxwc`F5vE2>Zp4w<}--g+U zA`sh&dV6+bJMJ!fYwjz-3+}s@^>*JDx$mv1FZfJ!>$Qm@R%T$5vX|GFR;YQl5$;D} zdpgKc(NNe-#XvdoxYNc&aKhm3YWoZ_d~1uleulSmX0HXg6g;}B?!GcSW`i8}iGb}c zv+Z^32|+jUtCnbl8mIv<24LmRk6RShwig%lkVy5NsdV>8dt3DpdJv58^TEq!28xjP 
zcXAWU;w?8<5f7a9+Jh629u)|$vHD<9*t;y`q>a0iBcgVxJ$XW5P0w{_xOydFZ?C$K z8o9V7xxF@l7~WN2n`lYf8nA&OoHwVk_O=(0S6z3ukuOJ+I}y$!E7bGIEo{-XM7x|E4z1w5)h+vMa8BrT$n9Zo@{S@l= zOM3hrZ2g-Gl+*Oq2tK?u3cfuWpY0F|WSH1)V<7TVB4oVIed0FEZgEJUV}TOkh&SGy zgZ!KWnfMB`dp9Joxj;GNh_@$Lza8g^p8Xodo<#NDUWok!GuT{+opub`6HMNY11_dQ zCV-1+Lju6XU)kSK>@AQjzb81c9T$rH+=CFzLw+uXOaK=%hXjC&Gyh!t!QKJcpHcS! zz28D6W?^=zLjpSs+MnD{Y%gd}gBK&V;|^V%2L5sqWCx(`8G+ep!R(fXiZh0aHy8T5 z7PJwL*3ItSi@$Paz?+KJ1dD#9jwlWqIu7gDTIlaw=->W{?sE>PYx+>}%Fvb?%nk^v z49LW1_X(}t&vD4lMcZ+L$T*vEnDEZRk4`JisLOmI^lO4cDz7@uxSjJ`R)MX`i8m_m zcJPHTD6DA>iKhs42D_b01um@1)ij2t5`{1+6sn773q=_|B4}8?8$Bj1RMJqzW-|hL zITcR7G)spEEA!t`gzCiCRL6)TmRaW|qacq66l`uRHI=@nHXhWi9eGP!+t;T{SP6$4 z5;nl$CWNhUxH(}D9BxfG42RniPQl?0giCO^GvO9I5@IQSjTd@>BILPTb_VOpC>2=r~J>$po}o68~G2VhSzAwRxeez>h-%rAm>6N@;rsPO)>(?*<%M!mghT~SeUf-;VstAH zKeZ>a%TnBu7s^W!5+heA80O@n92+S0xsKbECMl1jv&VPVQr408k`RS*e4tcIUA`&J zNFK*pk1xVf)}8m#H45cdfl^=UxbM+i%4cx6OlV_sH6QZW zZ}*Ix^YO3uMqaWKf58itroew2nA#?B*UYFSAK#!ilG92&nm1$MUTt5@RV(p$UZ?^E zeo7!ihXk#;5qSZANN?mVD{&|Zs zT7uJD?CYOR_b=j$>-CMal1=5kWa=s1DRIJzJ)_q*371ZdA|$`^={=fgUQoLZjL@XO zlwN%;mAh8iEQ}?*k;J%37M^CU7ydiV>2rzDo1WV$DZn_QWafjqZdW_<@7+!~%fmw6 zkt{wp!P!ZFlP#f{(8hhs73$=&LngPDs<n>saTf<1rv1reul`jQ-%MO+2GG3M%jlaK z_)~M7%L4$7`y{b=w}i4j&~(jRxC{}CWXJ{#9eoTt$>KE&duu@}aU^gvwyeEX{z)BwyQr*#v!BVYAznx1Z|fRq_YDAD{u(f*U>`bH4Y zEn-NRad2;WM-o_thOPtd**heb25HaQ)p;{rwA(u*nFbln+KmG~?DY=GFuJc~J#ty= za|a|_qj(HbEfkGG(LRv=wZ#9+`ZiB&fryE;klgH+SRpIBQo`%7t_rL);{kwC%qoD- z(Jd>Wdam(oAi&hGf$rNJKy#eSNfEGpLM7NU^%KxjxJRAH9j8Xcgit3&)>xvopyBVD zv(z{L{th+hWba*+ymWm@Nfx1It+XY)QN(iSnvJpmcd8!j00ElH`3si^MS3>~Y;3kU z{4(XB)Sr4b8`u|0EK1~WKdKVMdeUb9z_*Y+&^^gVcuMm z)Rq&aTk}EDdK5jS19Bumy5*zO+?OsoZ@$fuD!PcG%K-f!6#Tz37$o5y0cch_lv)3# z`N@<4#8;CWl=$XBvl-R21i9avj9g%o6X;;M-vrHK3Ch-tvXCV#I`9`pKU|$?--O>g z{M7fS<__SVg}Z=X_CWyDtwjC7@$!I?L?WVYcAF?i-LbdgO=$X*WRYjq%3Q)5L)`qo zues|i00_0~kD}24T^UOs_bn>Yx(0<{2)YFNViYjYjD!2eIz(BJVVZU8uXp)WYt|9hM37S#Y;>***ugQ83| 
z04E{~pJ{Lq5~cwl4~aw3w22aN>C#yGGgS(MW65R72UiS|UC)idwScL4^C0{MdN^T42{z2&~Z zO&fQ9uyYyv3f4XuDSfz1FxIlt_tSJT(GfI#tgQ2ZT$|7YOSD;@-!ZK%1;oNu4c*d7;# z4rr~-xd1ksrr3;hu<0yX+K2 zY-}y=u88y@n9I&UsX_v>bLPy-?#fEj5?jUAm<{lEWV(>O&CZqNjRlD7*7ELk_no!+ z2?e%iF{!)QEJ?wJ_wQN^dnt8D6qU-U54#E=W&E17Px|jm<-FnT<{u>QYXZ7iK z99{2v9itc~mbJQ59;rpLl5q0zK%Q&xB*t}E9pZ> z>%BAlbh#FCQx%vV?n}XburD)mr5tgpC-!FCNfGk{hN%I^66Qtk+>P@pctw7(J5Xs; z)pXcuVt|2fRw9k#sY@el+ z5G-PxAs?6*$8FcEM10n-PS-5&4WuKl`(UqX;pI&f5>e7tSSyDw(&FZSk1v-f?8&fs zpa!D>^+W8_17g|+RoureP$;h^+{F1xg*>YLFuP(&;bYZ#A*QatDRT|J`^O7zZEB_P z$_0=nh(lVa1^RJ{>&}GTd@riB5RkCt>3Q7R)A8E42w9Fvn)S`%7luaqI-|}|wS`lA z>@yNJ4->oYhi(g=Uw^Emc5S|YDC41@%iyi7;Q_+-M=hr_)5J}O_293@@!>+J8jra| z)be08@jNWhT^hab)Azngr`Eqsg`D*R-XPnZ4b9l@s&`iKCsj>Xz9K$SJcLx{dIhKD z>cB&;JVi|QU_O;G)>7o#Wd53@zci}kLt&|N{QOGiuG&+#F1^GrORrT=Bzud#C5M}{ z+)t7vHrHive0+o>4Yxl$TQi-KulJT$Oc?nwNR2P)6MbP>wIxc236JaVNuGLK$EFFw z_Ap6=PlVYr*R#hxmx0@lIl=7jKR% z(@0HQ;GSj9UU%3&a)&ySBT7-Pa`tF@S9Ipl$#`ZSE+=_aTTBcZ=IKUrC(JV3?j?fo z{9_`VTij(syZ%F6Z?L`2<@kqlJh^u1ZS+=zyy=<3Fgd~dzza8TW;>a*VnvHQx>-3P z2`ely6NKkgSr;JT{$U8trn{HzZMOV08QvK0vYy#F@{Ww5aFNbbvAXBIEgxZK=EEnZ zffofSLYs=c`}E7rtlWERu~R9&KDj7pcY0%CZ|mdT<*e+1Hj}`0Qv-H>@kE({UWJSX zk$4TM#g5XUcc~`z$RN0ja3(!6u|tZJ_Nk3M?N*3_As^QBQ4I0n(R$`ouHu(uaCbsh z2sgewB*(jYSaE**8YyA?sd;)4k03H3ege}#YE{=D;m3ofM~CDl$p@oG#p(4Y>MyyI zu3JDl7V8Zr>ahm~0u`-d5UdboK+_&8|A_$2g z9TSQyweZyPHr(fBNs&#e)&rsq=W2udVlj%mkxCu|i!`iRC!SF=CHA+{Bi<9?;ubPu?D#kUi^K*$fQE(YCj5|~Z_s7Poetqr0TdWlMjN9C1 zt2K6lRU3;zba3T0Z@(5q_8w;gL|0v3qceBlw*DqZd`^PUQ)LbTsz~{u;v&@~qt{ok%capc^Nn7&MhqNRm~K4GucIAy*1 z^w*li*L>Z?@|c~g95_p-$9uT#82E3CY1@uB3NMydTMG$@y{3s`Ty>HWpPEu(2XsiX zpFV>1^uB#<8gVm^X{Nml7K5EGx6Y1Jum62`3GVj&xt1FQcAFfQ7K35RSm9u&bS84N<_KOs3Rk8`PAyR#{I9X%{n5K`$&B z5u7S@P3;a`_3PR@{hFNvdQO=C(@W?6S#fI>=7sqLyFoIBni2WUyNqzP3dPvP3BC{4 z?kk)SQ{|cTdkbAMtvGSQPNhuZw3i1*?LCfQ;MdV`1!X)*l9Rq1#a~p@5%R;brbj|a zb+)%yTAvkOW1!Y@p(gg4Wx>ah9c$9B>dI!8o?hh=P2<31OU=rChpmElJIpdaO0vG5 z{|<*UPdHXZe6Juz%29n;33fTb`eolIu@V&sBmN3omhP~ejL%a1h?M%*$4>0FsXW4Q 
zys8(PyOKvda0)^@`uOWkqoq6H_JVI z=&wJj8F)KXc~KN`FW&ZUd=*1r8^NYud|0ew=@Jc{imU4QBlmYyAFaNIa)!Kg`zook zu5O_nm!W+I+pa5l&v$8sP!nQ5e)Dpok#Jkf*>mbGzgOokn?L5=SteN4X#|4Bn=A)_kA9w@FGJh zBy$51`NhuR?E@iOy=p6m*@n?uA79#hn-e>=+DyBAc$WQa!ACqV(E@3-HdvV!VQsGAIQ8u+V3X{Mbx~m;mA>v0L2Hu!9=jYV# zxwLoz_gHD@iSr?jtkJ;=?_ZpbKBZSaA^EoJ<1r>#Wh{ovQ!hRtNZYVKEYe7_9jOj3 zDLaBgKTXhFy+z=#F2~@J=Im;0V&I-ljPtG%E2=?>S==;?T{TC{*c0RSL~3RelQ(%A zTcjk!b(}l$%ANNwqaL4OEhyMbj+IJrp<{3y_D_^p#io0HPN7wGu%|0^zPkOsPhuXH zh~tCZD@Eq`%rXIRLJfBotjB_U=Of*1U4=irnc+C@9)H&YhbXaSimrnufqzZvORSTO z=-OxxZk{ivDbr>rZ3{h<@x;oj=DH?+-Dfj*JPT4U6E{4s#}Rutk?POk%w$B(JW;%w zTD3_cZHY+v!eRNIfhVn&jsd!SbTDJPqw($TWY|tkr$T^URaO95$y-S_Nd~G7;bS$JPjD>4I?%d$SJ&Cj%azAR_RZ?eeigiwm$ON0~DV1}p&*}G7 z)fG|+h3CoAn5Z>_6%8I$%(Kh$3FJvXMttnq5OkB!A{bYZ#kln?P&Y(7JW*&x#mZ&* z$|FI;E3IWOd&Jazs4pp}_(TTzP$xTU;%+ErvM*!F@bP7HCNDWejPrc^w7z^UQ~60h zV-A ze_50qw>^isnAm8&V~`j{fAhs|Y}F4(Sq3p_rR3jCFg)M9%5;OBKl#DZ=+z;E<;|SL z(F^!z>%K@`i@owZ?eV=+8qHsr3=yRo}v}!knd%dsf2@ zcNzcTJS8^y*wS*Hv1{+N)RSiY)#}yXh27!HrMo$wsbNN)@J`h)wW^TbuUt4hny2~p z#jO*_f$r{$E$-e*4LK4Vv~|6=*#c#_nBLs9F3s{{UmPATFu6RE@{yTKr%`{AM$Bbp zc5ZQyhVbb6uA$UZVCC%i@__cDx>uD5=Kae(62>V-vKLk^U!`S*tWI#VYWQS4b>S6u z^G%$!#VV^Q9USV#xwZTQA~ zk<%Li)3+bxFdbu4?n<-DcqcW{kK>U#E&JcSQeD;}UE*LwzRRK#LsuXGGrUq4%YG+8 zGt>=XwnV>yu}P+T99CS5EjoO10g?xemRmVeGg^1YBJvC_wNwxuJ?HWI8-fu9K{Ra} zv6OU!4Pw24;$wTKZjuM#yp2nac|L0T;OH}@p4WI$aSg29R_?Zq7k0#sO*A>ItGS6| z#G_`nQx5K z;voK?#@+$AvS;fXjxjm0J+Wl+qO9|CUz#6*tTukwkEc|{O_&j-uIdB{i?oG zwfC;-I_q~%cduUPUTf`dkIOQFGFx!QpIr^?X4%%&V?q%f_=8;{lVydEhi5_*LwMoU zwkw&CUbKKJ-3GL56nL8FIybOF@NyVG8A9s*4ZZg++@hg|O)drg%((U1O|E zVFsulf<2M51XXEAhFpwQtay+vfYXu{(%4~rQOpW>%Vv&F1nI(8u>gJP>&XQU?imq* z5q`a{Zxh^`9JHSgG#X|9~#IPPxd zS-noZiwNd4m`&g}|?#jK`)COOwN&Twdvq~IRX_c`j-EhC21;^3sM7lg{5`#)JDB&Yxz=TQO`&~ zRty1^;+_M+UoOR_Qi5h6nU0<5gd+wB;Bi&>kT3cDw&%JW?b+X+4#q z4Gc6a6xE)m`RynC`Ovgaxd(ll z3fC1A%YmF%CBr|TedM$g`vIqT<#b;a-ONC`-4Z0^sdk$5$THr%UDQ?lS3(?@Xv{zt zQ};qC#E3AZARxOH8n?*FgiQUKD{l4a|=3!+9bhkiwAXxwVZK 
zvV6UXEqY`r-l0rrXj%DVReJde-YBzG#YT}M_U}gerbDevFXNbCvZhIW<6*U> z<$%A%kW-}^ykE8)L9R`Nzy&|0o_*JZ&?QJfQshKj`Yv97ezY8kPSott4aGgKd%T+a zY_@8eeDG&r!FYMTi`0Ni0rexn(qc;$SpAQtqqg#7xvd5c=K^Yoa1}tiEIpX96v<%HMJ#{HY zAsoi?FUeXhkY@!1&tP#9?x@)tkGrmkX~r=Ckooz4ZeFL{)g}3EOJL~7 zP_PKr5^7_f7;dyYqYJ7W@)=Fk_YI2K9ZKOdIZtKT-AUM%Z{6&f*iL{@e!W}V>!G^F z>bn|muNOPMo(OV257JD8P3!D#E3SI?7xxEs?HQGM)~jMBi0`3zTwh*q?=$8H?$XJMisVv)5>yU(}C3tv`!>dQ8MqhlF7BvugY!1t09?~u+H!sqXaekR!pb~(( z)qvRg8R#9{vyzMjxv^&Ik<(N@M1iL7XU>iwwH39WNr9{zj>*T*PoRQHldiY-(y1Q- z-}t~Suhgh)%dH35^OOJ*bej!_vZ=WvB%Pr1r9Q3*+Fz0ldY+2Zz^BY?rG+iAMps7R z#m*e#QXhT9VB9f&nak(psgele(R6S^pb~fANWJXwZZd1#<85-}Tz1>}UXiHuZjc6r ztuRGny*V{pVEA)C7Dl#dnGxdXd5@cqli^q}*{wQmAu5}{(ejxvz{=^`dLZT_J-u$= zF;Jh4o+iXFdInA14sDPhC&#(eJ`dSWho4h8+lsof=RuB(B6r6CY$>79o7ilp?R)}1 z!o*mAix5P?Ac;18|ESlY7(>rrg=aeJmGf<*NNdfjsrf@N6BAHhlV!JfH?VKJ6r3Y} z{mt#ECc*qr+^R|i=O^4xy|~SHI?;~I&T(ev=RlB!A+Otq!#*WmGwH8F(87n9*Er(z zOlt#-OY?VZCUvNW4pb_)fnobyn4++@TCONAnGmHtlY0iHMQi8c#+}%M zUU_-TBhDXfcLa$L#l?`qRJJ+T+C$(eW&Z90%nq;=*D9lVeICK#o4dGP8n*SaFinhe z&jjGymHcsutc}n&J>+|E!47K-!A?{Stl=4f@m2GP+A8zIsNmhNRe_NCK+U+dYDQfMPknrwlA7!7@3IS#URU#H1>&dR)>8C0@JhW z7Ay8Od{A+c7`xlepY;*SUGE(}wv+^1-X;aoO-xM1jsjk4?t>0Q!vk+>{c(uSBUbA% z!oF@>2WLmu=vEFUkn|MQ9y(MWRGy;U9RgceuAX2nE`AsHQuvqhX2^skrX`?glNo3Dyi~N$KT=8&; z?6kK2b9cS|)-oDo(rFbsx-!+zjI33$x|)XJ(0n7ULggN_&1U3d2J`4O$Tay5GJDy? 
zAd8ra$ERy}Iv@6=RZEuS*%_-umX+tMB}Q zhAq9$rAlON2-?SB({w9@mft-NE7Z-^2qnYdtwGNq-s&Q{jH_azh{M7O2f1tP`UR^q4q)E#78rtJ6T|O_2ISSqtG6fFXr@nuMFQ}V>cqtQ^S7P( zDH~-=ZaYo#^}SIllsnGF$QgD0Qp#ZcfJ zH?&GmwY#pKE6Uswp@R%+wU5pWiPW2|d-LprNT^{UKw`J5l zNP6Tm%Fj-rF*RHqmKei{FzYLVn=R@)_OG}i^Jn3Hk|bzy9ksk^vosm<0)mkt(eRi~u)P*UJnCKN#s zo`+QW?t}r=Dc`piP;$}%zHAAJbT`6_0GjZ76@F^$k{A|s3IsN3*sI|abEVZYe{boW z?LOw&3y-oiMa_pM&A3)B>FmowK@AEZg-XzKNi_umxk8F?OclZw2iTKw=Ln zqDdAyxTbcsgZ7|O4Pr{R(Ide@g$@U^Dm~|RfxU}e5X2KZ_9F5#6RKd6wzMhypp?AY zE$4ILr&$jEJ<6344YiP_Na&cwYFs_n`&^#a#e2)Efg?roDQmGzWT=o&{b6ky`oYcO zxSLJ-=?b<**-&r5VK?pT&#dg<)e2t^zbiEUb3j37fa-s{AhU=$%jWBuiznXr@oQo{ z7DvA+1?FWH_h>5w2J+5Oi2^zqHF}?~soLITovwT5wDBiv2#vV@6WGb*Sep1l)eyXAfNok$v4cB1n6gPYva!gW{AzA%qdCT2a|{vp#H6u26S znz+mN>iI8@+2a*}28NWiL)1$kP|U zY;=ELN}(n%YN57&_$fwHru(`#Wk+0Vc;TYIzztU~+M;2|i!!FPr2MRtpw><`ypXn7 z*77A?=xFtN+aP#&R6YVz)CobgWwOdXh^uDUH1Ron-Y9$`&R|}7tB;aYaEwJvU%`D2&;AdwMqz@4GCXCk`r3T0@CNseXu^Z@(mNd=aO-d31?&o{RHG{xHv` z#v=aJMq}#WKTu#jFbJZxFnVQP;M9cbtMIKnK=5Bh~)TcZ48f#p_L-+9l0q}?~W z7SSb?P}_=$JVo6MUk(!hEhoqvVKId6xQm@0^am_}fk2Yt%{#V13@Ap;CKWgmN6!>M z>HsS?J2MC_A!NL^hlE;`TF4>uJ|cpuILY8e=vD2Cr3LU2yMdDvZHRZAO2RE&Z7$Zq zs}OBlrG`hrhFy;{K84dh)xJV5Un7r&Ci3uoJD;c-S{QRLW4KDZ+i8$XE0HtAMvU*& zcTU-c!2EZ5(S)tSs|s|J=P}t!bh+9v18Gy^xOVyAAiVz!t1%I|NVZ!knb5x`S@B}y5t=YZygC-m!PExs_!XBtW#Xn}jMpf2T^`qOk z;1?md)UQ7#;AlPWJk#RjdE;fk$ROkxwS!U`qrp1i7=7tLR2R3s*9s;|*a$+hm0v39 zb=F}x&D~isfJj23oYybj0|CE!)v2eX<;kE=iU@(;c2(zQJMTY8ff^F^pj6xvM8o~dr5E$I_GdO9$`u|Ea#aX9}#Gv zBqhn|u6WvRL%(3PC2r7$=Go)JagXn19%6I#e&X}~?&DK``NJmb>&ZPSr+#%X#N~4@ zdKNT7`l`&r2+Morh0UgK3Yw6-$ZoKH=a1S$7xtq7IbFXB#ejLSJ<3Z*ARphCKWMT# zt82w^vyOz;EwxzL%L5|r9MzA^D5v?4vqkWs0V$={CgDQm^RJ7OzLDjEQ}6brOLWpo z1=L=ng>z6u8~{%wB#tu8(v7g$La}@C^UMwNlQ@&5#x3mJn4kCXz%nY0Rj&5H#6AkT zwN?J>6*yP;3|txIvl(cA!d2q59?a}iLUQ$}@(6c^M~F>pEzP7nc+cKy^`2v|_Q6O{ zjM;c}6g&aB1seZd@g}d;@=Fr7BG=xMX;6$0gGBOoe{@r>7RsDT9>IV@0Xp2Ks;AKB zJavEL$*S{j0_xnJmlZ79*=4MZln+X2{8!`s8n}3lIUNlzx54_V0ggFpyS3j2q$E&S 
z1f=%n{h*%%jEO7Ue?o8zO2V&KSrA@|yf=(l1#OU&iS!1gF{|2!4&te2k+k@C&u4$5 z3;RWA%|%j@h9lD1oZ|3NJzj6)6nt!Q*8>4qGV2^2RE4e zRXYQ*Tp8y9vI+vNjAYrMV4izUDCD%Kb3@EjPh#+M-(qx|28hF%+Qo$SCu`$p5N$q% zy=bfp#5Eu@=*|9*Y`ghtj(HGmP;|E1yVHQ56V2m7;_QKryBjH`Pn$8bsM?Ti?r~IS zAqSvcpE8jUl8(^6_Q$!YMDWF;(Fv3Tlk;mp(rBm8JI#Rj8u(SI;_$t7-bZV{q81Hp zlj_KW!Mi|4U;JBgFZbXRkbjz@|k+Yu*Qy5Q~y_&MeZr@H2|_=d>Ic zOb==o6O&@!!q>*zviYz=&3X(ZfsDa7%-JoT<5@v1S_m7A5S_7blbv1$Cz5(A*ca~3 zfW3#8)U0#u+j9W&k9CQ9uY(h5-w;`?8OYHPb+sEM8l)(gQ#*eJ&utX{IXS^^(cMU; z4zUI9cOVRxu}K!Ght*^iNnvBqmQ9v*MN*l7Kf(!VNX73R7=Rr!j5P-G%sDBS9d|W3 zoXucY^%A;lqU(^L`N&7&CSGQUlub6Zb?C0?=-1OTi2<5pY?QNPdA;Xq)!QOh2b}Ei zmLr)+O-+mJG7kp^_6VJPFZg6lkO9iWlgqzeNEYXy8W?n!nPkz4u2_uZ1<*cLb5*}( zQh0}T(y54c>ys(@{8r~ca1S)3nAprMJD8;5@6@N%^GTs0psvp4ffOgBU*?4P({_J# z$nsM)iu!POF9dn(-zRpAr;O_cugoa>xL^F9LZ)3Zf(j=r`38SEyStV;`_neFO^tXU(p>0wZ_es^9_&N#u%2r9#aZ=na}Z zsHCz!do<>n7o{TUbI%=|wr%fq%oj(>ld=2l`b9T<#%vXv{&JlmZ{Ugo-5^015T3zu zXW!>0+w{p+@l}WI=iizG`(r0$)Q6oFhg28~ALY2Yqw>z34?cygBcE`!@llhf88d;; z+-Vm~pzgrk*FQjbFOu@<3wUAeGw*~Yg{m%U-^7URHtf7sEyis5C$TtF8sYx4LZcBa z;&}`;h3mBa!PtA#8<7Xap9Uu?ocKVL{d_Ei;%BhF5xx1XowxaOx)rlN%mZ0zog6PG zN2cM^L)pQ8){?BZpr_d2TPNTrCvIFi&6B}~656||`*YEJJHEi2YDuYMT_bhwWa6wJ z)fM=-yZE?&65#)MtMq+;Z4`Jr^nEkVT;F?GetWCeTK^0N`o%Es;O^>q}eShMelr1(kzV6`M?$KyIx`R4Gi*b@$(&zgj6$P!!Y|mYU z-_!gC_CTY{`Jz#NoaD(-W>i=$s`d)vhcCbEP78rfsezep6{J3}7q5e}xftk6CFIKl z3O%t-VH8Iwj=Aky)<7~4L>K~_gz$5EyXCT3v^uhJq*v&2X&ralo74nK^mx;ec_pqEvA9R7S4eEl1?5YpKtk&*BwyF#5n$mqx-kTy2e9{*-(DDZuO?Oj(dm& zX&0zodT!$tvi8!9N@e_KV@W4RCX_tq$Lb7{NTVttB2Qdcn}~04LKK?`MeM?n$Gxe& zm`zF{?Cmv4*&|K?#B5FG28~y=)Oo%0I{U0TAUAy=$`l;R!5*^$Zi@TjDGv1t$^;3B z>tOzcu=iA|?#43K!WZ$K z=RXY;GQH+-9}8l=SvWdwm+22vxQ`$*P*m6AEzi66203#Af-qM}+1Iy-`|ynb(ZWFs zwrYPufd8TN!kWWerb<(2Z*+A<-`Uso0Fl8kKsz^gu)=KNG``vIKB#e0DWAS0R;gqz zbxdIb+Bniui!gH#!F{F*HCrc)K<44q`0Scn^Gg?1<6lrN*|z-1U}_|7tKk9Ph~ym& zRMAd|P{FXU-mi}Qg`LyKQpgt*o!o_Vxf$KeF4I%cAqi@6MO0hk(b;_90Rgmlq;rIY z-3|u8ORC89hnWX?C?6e-GK}#KC!AJe$wx89dPM5&Kl|d@_s-k>4zZBkB(ctnKk{7} 
zEK~&>*z)F{=x8#`1%gmf0HY`i)Fv3<^Mh?aLYTS zF0yClEnbHKtWispO%xoL$29X_E%f2IR0xRl9Z+(`atRu87Ve6B%T0YnTMZI=qjDJE zG~o;5rI~eOFy8w~OBlkQ6qHWmQn;AP+BG>jQdBvNvhJ3Xw>S8}_-&oOJ%!q;4{Lr< zjwR4n zxZ6F5K`no_FM8rCMKE*;X=UI}Rg@qVwm&18a5yXl(G={-`r$d(Q;&p~)>^6#Ga6@t zEWCVn*wAzBjo$OSk9^wbd5TWh{#+INNA@Tv7g)O6!l>BSxo0m#`GrV_ zW0Ts;1{UyeKw_I573GVxqiq-rnLekq_Hj`@^UY+$NFXf;o>_8Z{Pc!EaL;CCt&vt; zvkO}}w6t-{bewQs^ma8au}@v>I?~l{ig2FCA4Oip**IHli^Qz-iz-i(i9ZaCDhXN$ z4x_-f*Wc6BWfSEC9X(G|qOJ))wNDjpzbujJ_>f+MTzpwad!#VZN9={`&@Smh2(|th zPe#VP!92(A`-gztNzujJskTKP3x2MMP%nVc@zsQ=??z&--)LqMhVz`~QQ?6z`1-)p zz5q)bTel&=RPmts?mYRL5r)*r$LMnFUc6m0;mW@APQ&KU7uaaRSRTJa6s^fIB@;@+ z_qw>PT&=KJg>|&^u^oTs$a)QynpcBSJO|cC`?8w>_iPwY=oUgS z_MR*_c%SU;KEA^RY% zKm{c{fAi+z=NT;yAEQu8_{oI7d=GIJG=pdMCpm7grD6v?E@KS#MC{8Z=LG|xqp~`T zyv`8o!^FM{%U>Tqoq+Oez^oQFx<~?Fv8I`3F4Ln*8Uc6R@fwh7^Dgx;OkMhNkU}u0 zbr(-(D4g#*Sp{PL*_n@hI_s8EF>8_+N!baHN4JQ3d z)h3d$NQj~66g@GAQ$6R>0j*0GbWRZiMaZVI(0u&I=IXMYE7(cQ6P+gm1EVxHX0H=_cV_ zvGCYnW`B5=l$IJm5-p8L#W=@7s1b73oLdFVkE!^@_PdtbY5nNN_O&=Aq8bGr><7K0XYR$&K=4Q^5vg4jlS-o3~^ON3Nh8~fLpY#shULouqtBYAs zAO&#tT%VOyxl}VU9y-H9Y+!YD_2~x!M#zHB4bt|T%YM18#E@BI&f-!e0nb_gSbd9T z6wvVpX=~j6DoB61`g;#W5>stBY!L6Th$57Lh11GKoIcyGpOam7XHT3MB`?4(Ji{qw z^o3v;itCPcjr0;0g-5smw5!b-V%2s3L{;K5oESVuZ81X?_1O4A^6P7;|F0+&1I@67 zxg3969b92mG$u4C-yZRELLOXaPF=}RfVuEj0T)xvpdBn&mVV&Gi#p@uRVc|IdYC_9 z>e8Yf9*~UsV3RrFz$cujUxvo|du-oV`hqEMU^yboOwq!ZO6vsmNKn!<9c2!ah<$SN zFn_>&6CZ_ZvjWJpG1X|`_a782UG3-Dbwc&(^l`sX*BsCW#R!2Z@R)OFj30U)*jxdk zR~JT&V8X~}BnC%=`4jpo84F}#u?(J}8&7HgLBVE2N|#6=F@VYu1ytbL561tG7~`SV zMkT`t(bZ)xa_`STMzPw21k*oJi4JVzcyYE^KJ?Im=r4g$QlQRehcs1cZ1D-RM^U*$ zw@x%E%JgcWy1WUKO;za?P=k{C3r6*`_`==C-oJ}{{BuStGU#mZ3QC94-g$zBW?s6U z!jMQ5ShEM1Fy!Yu*e}@?=MDO?j?M76BYkO3B~{M-2X;VMNAJt948sKHn*=jkvnq22E%QqBWdS%I)xQuy8`mF<(t4VzCCsf2i%Gd#~-EF z(9MWsUZ{of%F!+hF7t{GQ-3Gk9{!&BW6$7ZOpe4}42gNjK$2MRl#t7l-pv7etv#71 zKG2U)+wJWJ%jJjJubn?9 zO4iOmI%U6As^=6E3!5D1SnD5TmXTUk0*}(gYnR<8E8vRP9~C=$qR=SB^+J8`MwETI 
z2dG(?_#>VyyJ#bm+nG(L6(Oc#$;`JKl`X`S6RySf#S_TLNsSzG&OgG_M?g!8mPxy# z4s@Fd#l%4bkooC?qYI2wUFZ%w8ZwE4OG~d`C7AUxqivn@=~I7*s5FP(ikP?{mqB?O3|lg}LSZEm2oNE8%H}0bsga!2z=M)Wv0nf5U>#GyoxbPS zmcG27pL^nQWA&Z8lq=6hjq&*-xbb{_S;R$^T^@K&{zuM3(L!#9jkME&^YaV5Q;LJ} zv`uWGwf>?!3LLfXLK{;xwXS&1>Y($Vkt&^B!V{NO46LaIOOCEg>vP+{?j}c@8Z6~t zIp7Snn$9I2w!#5LWH1J@x#i$^FUBZAZaZNg~~TwOQAprH^f*?7d*>hStR&C#{k?1 zAok2k1;A$OXz16F%lrM69JHzq4LCNURp1|uif4d6oP zEJ}W$&!aa_5wBteB!YL;VVFkVIxx)gghG3xrsSb&)zcuOE2gu9VGS_z03ABPW z(x6quE9k78>AW!b*m%Rh=<6%YaH;SxP$1S;QI;-}o=g5%rPa9c>JGj&3R z$8Xe^F7?pEKaCehJqGf0_phI2ir)5bHv0}gUQXMr6VePvN1lMCV&9rmWDihLUBw=x z79lUTN=|*nZJ6=UIepQbd;<5%4wAn$PLwo!H^Xxr1kT*#1-7l>WEc+F7Soim!8e~x zmu}Je>yt|Cy)KQ%?>xz}YbH^%f33K5rGQ+S43wb?_-;Y0b#cuu;CsmsJZ>#os4)CI+-)7Gq=833YdxC{yxG@CXB?<2anTI zuUiu(awQ4UVe+H@A)Bm?t#~Qf_G&f*W2=jaqg-_+#$FVUPH@bY-iqIlo2nIU3wLi| zFit4^G~b>rm{??GM!^pw{$w=VY5+YqCU)d#+GnwNVTvJYBg!(-T37!<$-ar{TRLn8Yvf4kf7=;^a zQ&(p6u4}l(A|Fd5W5KSEHqyNct6Rsz*OHEG!&t(9JqzhAqVG`Pef2;7#SMw%U?G!9 z_g(Nhs4l=k6Z(&<15AoyQBClTQe9dFf0HRCtfv=y?EXQd0ClXeB=z)5W;V>3y%|kn z2$r|S!X=+L{*rxmR^=llP|N{Pcaeg@QKIrV@$1txuY(Q>Wl_ChX|w~P+4UAnsRWQn z2I9u{4Mg|;tS(k@y6b@6A1XMu9ZyN)DVX&0XUROuT8Rz2C> zVcTsdIL4GytrQf`TJF=H!T#-)Z04_=V~8W}orjdyFS);ONccCI);}_{xi6z7A39Ab zX%t=YBSkMZ6jxAz3n5)+P>|2;b|G*tSf6GpW5b%G9 zBkCSA*PV=6a=6UQ7P*&(0+EwyUuo9PDJ7u3Q46!(6tUuvjDix#c|^h;Xv`M1HqwaC0n%Qy!VB3}?~6e;+&cM}Noftz;HMQ=n#+i?eyLdxWV zIm$V~ORm$CuV*^kM#5O0koN*R-`K)uI4x=k)q^Uo0xVmjESa#^R=3F1bEi~8Z%Myn zgl3ON0($p1<~X8tDy zIZ{R2ahDwJjpir!Y$3Zt`qH`$?c~x^QRDLZG3oagFFI{WD&681tIEhK9G40`kggP{#s|gxf-;7EtN$+W7_ZFhPhGBHRR# z1?J#d$cO>WAZQj5e>jN>`qvocJxX zd&KMH=pcbC>qL{LkhVaa3es6Mli{7$-M2aMM`U07wUhvE$J+%dzSe<4Vrem(L`ud+ z1h68vZc8*`=_Cll4$mp$=oAFTkUPHD4AsD-MyP;Asn>BhP1E6!Ky)=BinD-~GP^l(TmKSWMgPp%3>jE8HGxC$Rv~<%hgpvz|=$0lRz$)b+bOQRNj;GQ& zD1->BL?W5R#iGWtAUPJKCo&26p|@=0y4G)h_0l$ifnT{&?0odKB}o;98%l(3$_DyE zsXOnT1J6#hPvYBUD%?*2ctTHa?GO!Rdtli32XUQHet$M4^Fx@lp9E48%D5gKc^@6| zK($~>g$nQx!2|W~Bp6{-E)Z9V@Bx+wEZSZ-%dXgir`N=7Rz6Sau^)p$ 
z839f;MHb|bd5LN%PgB@SfPkC`W$&>_Q(C)>^qwn zk9J^@>@GFvGFeD{>leY+aRW$>qtGnfV*FU7NUS|y$p_Y%0L%!_HE&RDd-Ig8IG~uR zQ13hAv6@Limh+t?m5nt;o5C(}`66*_4|nn+u&{+HBH~R?^zOeRcS?d&Hvc zex47^|GmDAG2#2RAV5Iqs6asA|GmB)o!qUA9sgO>=NjtKJDf=GH1Zp+4&P8JLCkSs z&m~%OV_Q^L76k!nr+B|obW(IX`GpXE3vmju;Dhru@bw1=V|(|M z%em#QVKqWcdZixQP=}T~OTscvjAS|m>rnI=_qmT#6N&eti}oT5pXt#i1CRjMI+7@v zkgHLglI{U9uQYs^5+18pop%>9pVTtixc_FAe&4N>c1isncu~|)Wvp~?0n{Ztkc!`Y{a7v=0~XUjV4#T4?E%XZKW?stOPdw|+|Lwj}YwZ|Lo z|3LZm#o_Byci}wmuuys;>gd9Qay)XsH2Ez{jm9W+QXUG0K5bZ^qJ+OP3be(+`8>|a zwI0{PvIYSF^RCIWx?htC&H6zQU)jj8zc?4lRwM4BC`SVvpN^mj6*FZ(tdz6odR4@=Zcz>~1HbxeL9ahY*YXpH)iP71iTS$gj0a&$#Tovx+L!((`JGgJ-nEbj z+dbc?o2{p0hthq!JHf`x{N=$U$3s|?d4#Taxv0DC^BxrMIoJo3I6^Og08g8D8Rx?$ zou(|QtAKz`_wgmn6CfR7GGnsq__FF*O%~kAAs3&2R!s9S)W@N1vS-x+>8wRJ5w@5a zlZ-_%GC@PVG|V%k`dxHQVs<4t=_wc}wsS%=mOXIMie{S7_c7;ZDfKRy&ya3kf4#7J zAvcV^K1{i$!o@0=yid)r68EEQrrG#pMFa-kYxFuKYL{fTF)eKP?X$Rt1=25bsj!Vi zp(=ezE{w%&y#1=ux!Wtq!Q(wA3d6{~2Y8pLi*Gg@?7zNWO!Y>jgnjVdt1%WfaoILm zgeG?f*EA|{E|eY$*h{d-YBxMnA6QP8c)Safu0^zRVbkE1HCd!!h)y($t;m)t zOn@L4(tZ*WWb4|FI}w-{ zr4teu7)T!q_ttMeWHJd5HR3rCxq4Vdo_FJR&K@2l)RMg^l8;;a#615CaSZ1n%?s z?A+YZV8F@;D&67uGeOvQO5CA z^7c#YX^Uf>vFjJKJJ839-ZT;^VU1;bKNjha@wLe>b7>isWoNI2Y?lRNH+NrSa>PaL zXm4ZlWFlM=D)}?lJMwPw4GrqtHjh4Tri#$`o;oua^TTEqMPbQptDYeLcSjwLk}L{A zK|rWK?K;GN%lvzFQ&_cGWdyvT%fU<)&WE|eqVz!pV`#zwTI(eU;Ffbp zh+D8wvU!XuMMA61J4-6quXt8}46Lb34&3@xXV>8$)2;Pz?= zZfYq_SEe?N$gYAES9?qDh!DDPKYkgr4-s3UH@(1A|LVmZq8;r*DRDrnIWCatz~Sd9 z`D166S%*~TJ?vorOgNB@Tkh?*4tXUEA<-BfQ2L&R8q9SZwu5Vx-R!dHb;@@K6#2tHF z9@{>g)VU0VvZq&ZFM@?uULp26mx4J+dO6oSJ9X3jt;@;F4ty_snl>}AuJ*w_Yl15M z0_agbZ}SG3<^HGT3aUg8vtEr_>7QYK%2$8s@lqWJ`nu1#jQnI?oPW>hzxnt7oY{Zz za(~?SF9D25VwETkAmY}?IYp&5YZwejPOsg4fny0L=QJ(A>(_fR%KyLlH-8&fjqsCy^*-$u)X%}HzP>{Ot({Ph4l)bf2~bdD-(np>>UPXW7&hP8tW%axF5mFi7(09@0c3V5 z%JPM%(JcZ`GxE=hcdc2wF^PYO#_~mV>69XIi&;v2*HZP=^;R4fKqqxYz_OC*!v+^A zn2-YG6QV~&GI&Z1E5%ql<(Qsh6>yivAYcG>4mfw2=jy4lzwA%gNA#r#sxE=V)H;x6 
zXvdNhF#p_a9fpERiwFm-=OM)^O53$=FeP>HM9V;gjU@_alBRlI!)D91`JXiI@NPfE ztPr6p^)h>p={oXXZCV&zWr=MFnSDI>Jd`@EJjR2v@zRze0;NI0(7^v&Zc1$MyF}vW zNREGANT1jLeEdE~83e@0))44mYv;(IZ)f+<;Qmc*jWYv)`{$dVyodZhq@Pbe(BA)( z+R)a)`2R*;Eed~@3iU}%^zZ5X9|S+pw@=W|%2!Ti#@5FFzW=M-)!)B=lu1ZJ90CTy zm5%f;AN4-~KL%m`E}iw?qFH~V{9SVEKPaGtF<}3H3UK`m__yo)AHW|)V}Aqw*OC4k zE8!ldXU96wwRXL&?N5TB%-1h7}RW1yjEO2Zi@>hr1$% z*6xC@E~~V0oRRX7<@Zp+D6b*q?Uv!K^>mQ7@6H}JcOv@7Uud-jFjsf?Qv%I}^nF#z zOp|pPTSiO!6HC&h1r38qJ0AU}44l}%V%mh|kWiESh0tK<<`p|RXF9`<=3C}$oQo^p zZEyvvw8H*iXGGXr{9xu{ISDRy_EPIjzJA32t(xM?-qzUzhyPobQFEyZIt?6*|GNro z=IZpkiJ%AWTF6kPDl-2KnZT45#W5+Tego>aNREXtO^!Sl$GNsxBj^xb%9l(ZGCkz7 zPu^g9I&K3>di+m5+u{Oo+%Elu`)y63r(0^NY)ljXD8e!m=b`uJFVYlIe{?!7aY`qUyG zJt>>n1Bv`G7V5&~!y|k_8noOy^LH*Pxe%4I%&eQsqMV!75E{MEZCuTz_F(BgQ2^Ar z#dnJ?opFtH#BGO)J;%gk)}i3Nq5izc*075l^Ha02ZtxIJPga_;IQ*2^n*N40-zQuE zHSspNFp{Aw_1tlbv{5$&F||`jE=PfQ{P7GF5UWL0>3n2X6ivH)$>fg1!qG%=oiv2! zLj#NnWn!SYNn0otLZSFiE+B9RMKvsJXHB^;tver59uSp1IG7^il{ zb%|{*PIxK~zBz!Kk(}2HgMy0?pL>R$#)xqQJ&;9}$opQ2Ci(X*&P##&MmCh* z6nj|UpY1Wft}m>zKu zkd#_r;=(jOt;+>1_EB?Aa-Iw$-)gqUPajA1PiQWE^vS5%55VN3(mS-0ra6Kc=UDZv zDm&Qt>JrfP)j@MELzVq?pu}WFSD+jyXPG*qxd)nKDZT7x5WJwN%Ny``V$F^`DW)Ok zt)ce+wBzT4$`c`;qkq3+p3!yUWr56z(bOd2U&>e{b^C!Ymh5-z$gKWif{eT+Ag7=U_i7pI4Q?Nji*}S4e^n44U4Krwt?L(nu=#ZFjx&lQ^h?O?&QWk|2YZd*Uf!0qpu=jSs!iO^ zFmqlqp+}YqfY1w#^8M!YmV7|_fo%6cYIH@|eBml?~fGJXYQ>cvYha*cmKVqZ56rO%Gmm#05-Ftsc zZ(7NliUj*fRm($F7AKvCIl6<2%k~^Tc1`+0;@3CXK3Sw-1WOy6E`dY~^DzO;{0&_V z`_DRKjk&iUOzOp$@u}Q=auee3k#tuX4-)19Ogegr)-0RdRjwZjPt$|uzwaeM?B1AP;09x#N{dl^GZj1 zhx30UnX9dXrK1@T=;X-w2mXY!<95XOmBH%$N0qAD>LiS*IkL5H*4!21F}M}^q+Fj@ z&^^bSsSv*81mS)+gEE%p-&~yVp(}m&frKsP+6~}mRWB{o^gYM>Nv}dnd?mFj1;or!$}+W<5_U$;_2+|_!`i%t8d_|@i+Z;k zFrk;Bbn&va+OD`{^-}plo6m!8SqWohM{Vbk!0+a^*ESX6wx=0l;@|B}A6Gj01|cuA z7+2C>uLs%^I41{Hwd$#Lz3-M^o~K=`bR@kGD)WC&U%%L}XO%Jv&H`VAbamI(k9jRe zW_YVVEUE4sdUUGHJuqz3Ev=c&Kkm!h&CorQ^4-*x_yp1Jb1Rcq=Fs{z*xe6++{jfg zS1Lu^rF|F55j%P7h@@^`*Vr%HJ?bt6l-5Ey=MHUw9nbWP4?hwk{LfTZdQC50YX6%w 
z{MHYqv7<#swH)t8?<@3>?%UFYE5&uiVEP zcZy?jKFTfUFHwB%6zx-jLE!ed+aWsh2^;eDJAbpjN&{EMLhnnLVGGHtMYWmstlJ?( zJYNx`7PVOcZ;8%)X0WA2R+|yIPsS;sBjr=g_)9YKs-$38@-mQy^LLW%eb$S*nqC>6 z)X4BAqu>|*nldUu>X&P^j^(huPVcj)3*beepui#Rvh7PzCyj0C-57C9$GzfwXJ@Dt z&Tn}Mf%a#|72dfDh)P26yL;Hdm=RM})xcQ@Xm-?zT zFRZ1?(we20i(OUSj~z|6dv`4YZp=V${AU~?w*Yust!`edwR(SF`nG{U;^p)UIQbcN ze%XO*HZZIF3|Np^O>bvMykj7cGv$1~--hs`k69@Ktn07T(@A!4j_V!@|8vKp!I}5e zk46u0j2=l5cwG?V?8)-FapA1|c-0a#lC^qzC+qdqvAPVSsR&5Yd_q_cWE`YbnekHI{q zBgUqS2>9ZYaE5rjkSk6Q+&_U{2->a{e#3vnN{Q9)nI=KXlv`{uesw7eT6%;l`3bJE z3QSqlsFX>7x$>e`qtnGl=p;p04|@Q}b>N9iHHuDUiK&+F22!bgWEX)s3q@E9rz{7aj)bksu7JBT z5NQsiRjVM5gh>|dCe}kmL|zr0z3uBhN%hmpdxo;X)lX1WREwb~qZ%Y$xA;8wpkc8U zF(i+c*um(oSuvckPbnybk*StdM(kRA!_myzjF4NWIW@Qw^GBir<7sVD9RMCp7%74xY- zu2)j3x&om;Cczr$$6nwBM84v}epU8ZBMIvX6#9_A8)encxT@*ros&d0CNW#@H8rbe zY2V4&E>mv5$Gdbd9k4_4s%qWD#{FBwo1ZZq?mqjR*9+T-Lz0cCR_J(_!WzwTkguZ) z)@byuHWE^ z#x8j6=T#eYTDy7aIW4ohQ8%AdQg-jRusZDKT`8-mns}*4OIHfC=X~nLDqA&9?Nz;# zjc*|y<*>G*7sI1kPI51mVV$U0R(d>6P=X?)EyRv&8f+)~yh!h0DzjWLlFK!oy3MtE z%dhKZU|ciVpc@dDI}EAvL0Ka$At!YiG&=iIm_h@fGbj)>AC?K*a?PI`bcNqTWP;dX z!U9`&t(JHwX|!3XUf#44MA6Y=3|NF ziVo1NMP*TIQJ1f)8b-B%x&M9i-`JOB+^;pU@@MGvV^Axooz75@~B;Ems9@m<=GVSm) z5aF4d2qtJ1sX99#FBW(tTK@XFKC0K@PA36EWg2hCW|!e*1)J{edgm8JdkJ2i@XV}j zESROCSfurR_QG&CZ;&;uu{MlKZ5$R|aZ>m*##c->0viZN^O%1+to_Po9iQeyPSxAd zz75w!H*T2XAe`l32Kv#$m(a@&PjY|(4F?|>yJx_cB9=k>jhjVjp%t;z<>iv~Kh2_* zFWR}K(k;3gcT}t~=`QMJqDsxrg4t1ygFTFk!1|slbzuEJbGO<9{)~y0D15P0I)bb) zGs;J{OkVnN#AHkxB0GbLCk;Hjlb>QIuzwA7@)IA(xi)tkTohJ?pUVd1e47p2m5W#- zLq_~zea9hKb>pdh^OGEmYi4U4b@l+e%Y#Y;Gh1;G0d%JpLZJ}xJugIj7_QWvHQj^(I zL2-m-#x@P?6LTz5;|8@~-qeT>L#`YtNv-NIWD_T57e5U7!prMh!~TDbZFvp&GbXe^ zpAF@sVZ5#R&s{!y{(SeHOLF-6)1!f^S|P18Ziyy1=u_0 zv&OUM!uB8>9O0M8P;*o`S`O^~!;kvntAeM6j8RkUXPYMRZIPmVunS@^d*&P48P zn=WoPM+gm~@>d0*xneK}c63eixnVlF1&LL3N5|A&s9{#$p6+K+6W;ny@JY!k={Ghj z)_eSeVX4bq@wO_di8XgKS>E)uEfyt)o}Rx;m!+^fLwN!!6w?k}7F5VPOtwgsl3Lc4 zCKrl5lNVK+%OEUjs)LTuRNCL}-;HO5iUP@oLUn$=TgV-lotxTzhX2FG=__aZ7xt 
zKgaBIHvg6JEUfj&Y6o<~K?!>bS@;T4;tZk(nQIXCgnH(f@xZ-p;xKkGI8?ot zLzJB3(m9Bxh-KRQ6`aU*U1`~|bdlKHEAkbuB)=$5*2H|WVe~}WEUiK_ATEb*Oo186 z*ILV%FHteksgagLDDB&Z2r_Fhe>H!jjuP7j9 zxuUXL&3F2^nT=~~iNzwRv@F1a#C)!zB&D^InaUDsyP^2vk%JTNhXkIY)-rANS)olb zWa~?oX^d41n0~KLAk4|Vi0JILTIoH_OSuSFZ{F3{J;=-^)_>mZQ}k|LExJ1QsLfx# z4(=a*cr0IyiS%75?>cm_xAflVQ**KembXMbQdA|TsrFvGDG4AnmAisnIhw8Z;&0?o zx-9R{@ut9jny*_cmz>D#DGY5%tg7q|3whtFhCtLYHKSlZ=0;7tu@P1J9 z#v72=F+1*mSR52GAcqTzB7o#TaNs6&aqC;9c1gkh$-SLE<=w!dOpp77{)7!b>}LZR)39UD|d6f_yaD}a8$+>f_cm( zV~pKo9(Njf7TS$`*HmhbwITzlJk5vSg>CHpmY)bg+8d0>m@cbo1y%Q=R^A4>$SK^O0c ziR|$C6Pn^>;{rmxxWbuukP`ZHiI`8BC~MWtjP}MU=#v6!)KP{FxuGLeFgUOwP&JOn zt@bdkqo_4}P6)hrq6SVl)Db~{EsA1<5wRO-m@Uo|8DU0W!nVs4y5(!0y*?M5 zUp6J6?)1ua=mXI;+lY^h6jWVAxe3dW`coL6)s-Qqnjqn)g96?NsaaX>pzy*zH{G-{ zo;sVO`e8H7c9jUBi7p4?C_jsoQO^H1Q;uI$ZgmC#V^$KXHFO|XN(ojRGX&Tmv4o8K zpy%yzP4qBY(hM;9)#4jVNKL@w{r&mixk9`5#m3ok4Co76Xs)~7uDYuljM?eZoNb%N zc?szSGeG2$?h^#gxj5B6`iQi@D*;?SRd3|g+8h4}Y%MDETe&rEK>Tkp15X?j8b*Yc z7((=0g?;yc(Y!|8qc^Fh5)2XEr?rEqP$8xoOo-kfYmgOo$^XK~@-214NRB$lw)!N3 znz4ipxFUMNIafe^=Gv=rjaijI5Zz4}^-X0X_%_^Db&jFYXG7~ED4pzko1?<_2n!4w z!*~G0AGRlq2mu)2#F_~pcWcBB#hQtk)k2XLkIHd z@f>Xwh;y&_Fdb-TKt9b!^6=LpTuJ9a*m}Av|9H(g-EQJB8*sW{!^mjJJNjmii!pw} za0LMJtFB9?I9-N}LXLGRZ!(%Pij)F3wa_jav(_& zrk&AMG?tXYzjeZlCMzO90N-QLwT0%tt&^%G#;dgBdvzyu^(hy%?w8u4@&b<{3o*(H zvCpP4bePVPdUuZ{%ZIk8^vXU4IvgSTwEUrm^WT4zs?hk<=zyF3q=&jom*Hm?G*`i? 
zV_5m+MZEo<6GKgy%PGx{@HTTQmQ`99jd--dpf6%SBZToRP6JEsobtfp+=y+XZy8Mp zA8RI&tHLUR%KwtR6Bi7dT?Mw-niZc}e^wVybT_evok`f*%@4Z}!K>vB4+*Z%cR!B5 z)|L}gr6sv^gerfGE8L9SSSkH1C@}EOQPR2wKc@qFYU)nkDe-INJIB!w%@=lCs>~{R zXa-?jvdU393F>|^@aN@yxq_xYuAI8!EqW49@|!9>Gv!7!>>TClA!b#SP8`l=Vq9QVoT@weidaKnja1DOdvvANgi4(pS3b$W+_2SM!}Blo>37=O z5Q5kgiGwcWffN?Bb(p!?-#y`rcHSVuUy1>O_CkS+Y>;4Y$S2kv<_;$&BjG;!$Herg z?2lA?fy3PF4}bTQ<|ehm5Fre0R9#QR7m6B+1Wd)81f=)+6?>V}d^2lLifmd}M~~xT zaioV^ZZRCVxc|8tMxkJB3|t3*@gPMk=?c8}=0!?S@$oz#rz37mZN|OuB7msB+SZFg zpoN;{U#MtcL%?;AAQd6EJ|Hs=wSosqi{AGVTs&#Z;x7hdViEm}mcNvq9)xWru|ROU z42)C_b>P~uHX>X$MuK}wTH2v|?Ey#wV$1}|U3S{H8D z{B_wboZ;j45>wpdC#PgQA#a+w&d%Ly>Siq1HRJ()&hj!hCb9B+6WzF#vk|ZHhx`a9 zbxj{ZL8tU+9eZJFoF{+Ablr6uvODa^GK^6cTiQ;rc5!T7+U7kKZv zyYx-Z#_0P|G&CO*C@qBMv`~Nje`Mea&$E|^VVocxJh|D0E}Eovz( zxbT@s-b(z|jT#`bhCjb83v2Obs&9DMFc#VvMfUL71$K^wRY3zg+0*g-x`ViICbC@9 zgBeKUZn%xmIv7Ple47hUA8`o`uF&l!r;VhA+T6 z#ou8M=!Y)rpDSE9auG$7jEbVlLvPMfzNaqN(Y`{O}Ju&Q(%} z`jFq;k0-qSc5Yu(#0O3Wp;cppLusY@rBPJFJxnz6Mmxf!vFWal_8cQ#Mx$id6gK}B zT1En$^OSnaBrjE0boFhaM-#|gG;P`hcldbHms&@jhlXr5A;f5KOYEDhi_$yDsOJE+qQ%ZXTvD=U89r0y8sii(xpemiKX9%gxpco(^n zv7ZuJ%mk;AkQcG9vz?FN08%%jkm*yJfUEvgwJdKb!zo3Xj9PiOKS0%_D8*xB71IZu z)n;JYpL_ub_z7jQufbFMLvk^iIVvln=AT3v77V}UA2_6% zwesY)qsLn)71YgF21Go4j9fEr?!`aUVsI{9Y>DB-EfiW|xnt-yZ?TX^Zd8&(b}ho0 z_vYKgk~8E2lQ8?bLOqc8Z26=4s`RI>qh8gb;%udu}ZmZjYj!lQR zLtc+jR2lIsJ`C?m2BANoa6LpmNyROXwz|vh$UmQj>BZaft=yK(ib@rdTf_6Tt5FLLY#P6B{0Blz{7ap#=y=Eh=Kotr&hrGId@t|+s zmZLwp(Zen&$pJ*+qVCBge}MYKF1n;L`mT-kPKLVyPFKd7i9KvwSkL4HLASTyP2|ro zGQdAtXMkd<&%z}!R2JN~+hRk>MvmfvV^T^AQOBSA(~b;UgmdvaxRL#GZ-X7@?#m!iOb$pssH*?HJA7rLy9A`ud8mXwbGyl)_NmH6e5ScupU?x!9G|<8DuQIaIViq@n%VxT+c2(QX??+ZWM>$%rY*opKJ1_wJAtj1Edn z6f0+%q}nBmLS9iWw_T30!pqTWRU|reha?62q928*+;|?HoV`A;3wGrL6JNJy26lYg znDAd`ndH}uxyD2`+0H)v0o0%wK1jKbepwNcqbXW_G*>ljruJyu^zYr$?5WPf7uzJm zdd&aIZ1x1&U^@%9!~1UmI%8!)!=*T3->SNX1R*ps4H!GpM*=QJYy@?}%J|-~*yUk$ zOlo~$^MKx(K684HzouWjY|v=nOA~t8qGXBerZs11RN2kRvtjvY)L!r5`@H5(PS{5> 
zag(;Nbf5q|9&nsTUjrg1ImtDVxE>k_*BzmqQ?KtNgCo+K3Vt=)P^Blleg1{6$#aXU z;NKgowMad5++H9)c}WT7ON8*`p8W0)P@nIkcj;LT;AZ8cj93krWD+A{E$I#$E{q`x zUhl+M5w&D@5&um#JSqWQS*~ImF(pTBcP+7Zpy71+BsSXK5ua^C-)Q5j^kPd7&Ihu` zKvsA6O31aFtc@YyE_}`v3}6LYdmV z#!I?o=ep)SDL=*#N%46kqx}Kui(lw{*lpVlb*n>z&Y_Koc4H2he ze?ai>_*TD*MyZBuwB{?NJN&wCUYIBFkS@87zzy{9aKGCF5l{#{VOE`ckDDAQxKR?r z98bN+%*Zz%ptiWWvvjY7Rp#Zd@mwsf^rEa-wTbO%rma^K zhXDud1-MFGg=kjnyYyoY3YhPbxaA7me6{-6?WIXgS=BfO&m-r-^4zer;;NL?-&=2bWD+!x>%g%4hY@RE?P9& zWnAsqEnY@hp)-=69!>E0b_jkF;48d8DjB_q6Vmkl7w2@tnS|ept1gzBxBwfkVksx ze*e`Yr`Tjw%J;76678oN<}GcqaF7KqgY(5GN}2G2=Q%Bnx^MjdI&K;%f^^BC>Tv;s z_0>WwP6ah&PRIP`9lrO4$%+a73Hydg*1%bHLVlx4g-cZnA=6FDA7$;$)&)o z#V0n$k>d0jB1zBs4syJ@o6f%EU2Covn*$=OBCYojC2n@CdHqKEZgTe*$UZI!;h{oS*Y9+4QA)u zrR7)MrV8iPWsSTY%OM{-4h+0P-mb+YXO(rfJ>#ktstpWn&3MlP>$Q!-?dNp9F0gMv zuO-+2?op%bf|BbAyVjYXGJ6l3T2Fv-(&r6aOD`m1I1Q&{9TynpdQ4{e1Jv8cA0t_< zhI(t51DuTpOXF*2QTbs<1gjpl3s!M%hb3@L|K?;)VjvvT*YHTzw;-bCM7k}L`06JT z%N6RLPj8p$WIRqf9$nW0-ut%fl$lp8;5ax5p*NJzZW1ztXB=L}+2f`dW}%R~XWu>( z)nagh$umK+0`D>o!MN7wb~dG&;iM~HqRMSvcEfB@tzmyp_j3I(bHQ1PUIBk0V?jL^ z1xnaXM0G}_V7aI&$H+`5cgY_%V4PD~B08K0<7`!=@J9^t@`1Lm7CM_t&%l-JRVM z7Jxy=-3Fb-2$md+B*$2Lw#KashP5NDD)-M6^vJ#u9>k?vzp*`94j4=6W`zQ>!(sFy zB5j9Fbl5|R85-b=J+Q!R@5J@?bER>-SS=8h`r{ALG}J#~99g{5)jf$x%MNlfu0JQ) zAEB%T6>d8=oa@fTc;z#gc_5B8(ca7(NgO^86}80V9==fg0fF$6N9dBwUF{PLrbSx) zHKd1x6keox9D^|C38n2E4q~x6!2gbfs^oElN*>ij=iXR+M}wVvsO;W*t~w?pfodD} zfZV&{{k$F0h{oE+;MuOaV3M)hhP$0@93sS>tK|;Ut`EPIoWBjRw^`izxVx;OmX1tpO+OBy*#g9RoTslf9cXhWNL>) zJicX0#vmWmYXZActh!2 zKljwl*k;b3p=pCZ>Tzdt7}|d9NmptH7fTh(n^H$)c1s3dkDGBf`}C-(yX>K*a?>au zwM)+I85*`}{ybFI5;Of~w?7~tRr&~Bp1B+y-qTHj1PASZn;&8a6JYdUC#4ry!A#Qn z_SJv;j#PZ=@CDP{`EB13Z3%1spnW|>H?cgi%GT_i{jwZ1MI{sNSej$=>$$n4LmBaL zBWhZOqB9#Obgf6HUeV}7mF&pdd4yN*H* zKi_oOC~YD@f^=kJ#N?0$tpd@=vsaYZJYW-0CH@y8L?)QRQST}TLzJ9<+#z9KZoWBS zk6_dYD6j{dXo;#H+q^Z_vP1d2_OVv{gs&@@uC7#k?}w(eoHdR z%v)rdq3AMuInO4{&ah;kt4KNvx z(>;`Uk@3;+N(6D$zfgr3J3yPZ*JSoaB5jq0?%f(S-`82ZAi%kljGdh}`npm0He%Ok 
z>-L;lHPjD3ndmLrxe^z7zN3WLieP%r)Wauuqdw{w1CcO!f{*tD3BeWg_oO!-7smBb zEwJ^Csl2I(n>HnFJcp$`-r3%#k-C9$&0v4n=lz^{ME!S=Ub~x+V3r$G^%vM?y#he# z3Q*@IHz_~oTmRke+HtS9Bpq$DfS0R!w90x%0O`>D!>2<2F%cD8;9RO#(+btmeT-|? zscs!z-}77V%u`O*haQffvjkxMD?aJd`niPt1bajYtc4xt$zcuNO;-uqS(3o5BOTZV z#F`=L`WSz3x`_$basHvDwRC<15k6SUvweT#R=1snyWKR2AXRh1_w%l=-kXiS?%$7= zSd_kYN0m9>-K5@Z!JOa;+BTw&8PqfNOh?PWXJ=r{d(lfy zF)u?VTt8yn>a&jl(rCZm8dh10G=)m7ISw8|To;Jd$~e$U05~5F49D(`L0i|=@g03g z48Onnh`_NT_@P#WcD)hWl?j{dT=~8+cgj4(3EJg?smgJYVGS>)PT|IzxA@mvU~g*D?sl>JkHyt#LN*`X!=7u^@z zk=?sAt?SWK1I99M(cd2xa{$Xf+_~o4Y{DA$3>Fa4j>P8or5?y@7gBLxcv6sZ;iyB2 zv?2chTGPFtuj&Kqljc^rr0dm)|ikJ&TSs z4($RL7Mb}WX#cO{om7hU-w&Ycxq2&*`FDfP`BYv8ING`Zv+=^9FAhm2?HVerPj|f& zq2T&B>=PZy{kzk0`}{i=RSWftWF;(VyB&WpVut8FY4a$-k$uP+s2AL|+6p5le` zI56{8zo9vwYq9H?9dX=W82li#o)ypxSTme8O%wHIV8OWgGzo0hXL(PYP2yz-{|CPL zpF=?OxU!)ISiA2935_bELnFx%xR72(jYGq1{*ya35^^(u&j0*P?jJ)zBz!7sJ2I+; zsgBBB--xt+-_j1NEL6+BVaC~=e3%|=+b@^%-8Sre`EPT6*+uKH9wp0It+Pzt=N^@Daf z>&CB#ziNxkcw>w^+%MRA%*T->f7Aj#Gl_BR3C|C%R6g@{P8@{7svc+0PstIP2 z#GlT`V0w^ESpLV#PVVq!)C$Ry|J-akw&J6*JMEX=uZq#+AdUygt+dy`Ur5TVD^c&t ze)bM`ICUfFeK`o?h)A=CpFo?rZtZM;e6e{s0Q*w<-k)y@?i1_1o}UV0`+DD9`M%r~ zx@L8-@@5xL4F(K_x_%>D>!$bv5aDic&|6?X1*DYsd(C`C+89IuUKBdZ&>$#bblZPv z(-#oh*+zIM=UdtY=R~?CoA|0x6q@p2C6|7#@Iz}U)aSh~C<|A~nKCqOWiu_YJ7Zah|!VlL#jedrBTC8arZ#L(4f;dvYBp*KL8Of0|(6le%shp zZM}Sg4m(fu!>MV_^?dbH^8jPKzhT?j8-s;V8$Gq)trj@KCYw=qcl^E9o%9UKT)}bl zimC8X2MS`@a@IeLX8nHAjNMik*d0?zS$A6al?{$*O(dXjYS!n)aG*NmsLg3`<3}6P zPi@iZb8q{&v<0D&l!{lyn-cj2jvA6s+y4(_zjyjVGO1Ig1*@fp#L=lvu)?eaXj}Q% zD;^<%ZuZwcb-w}co$SP*)80zke!b8yO1rO+_*;{$#KLew`lQv(>lb>n%tbBBsv7l* zamFg5K8rKKq^&FxMs5iJ>@la1ry@V@_v{N5tzD2J&3eqtjioxYEtU5zos0Sw^ktFf zp97OckG;tj2xRuspb{)m7&iZaLIrnr(;kNjeLzzT5}6=N<^YY-Bj1UE9H<$j&HA_S zPJ5)T;Ku1^?@YAKz0vJ>O3aA0@NE2Z6Vfha#q3_Ret#y#*AoGbGN>!MeAJzZ&2231~-f4*#v|D{(@!^De+TVG&l|il{_3Y<<4f zAON<23q1;%5>#!bwbxByX7yI0f0*hT5b0-{yD_ae3&I`YXH4MFNjq#o-_Bu8$8`Bw z+tpSP?NIPH(b5mwq#kD@=uh>jrBIy9Z0xhOO&IzRrdd{bGwE&fi7T@c{5z 
zNHtAA61#D8ZX`+SHh-E?SGSmk_cYus(TVnWz8Y}hu|QJ25@~*Jlh$i+&8al5S=~gw z{+#Ub#f%D1j*{!mNWIeU$KOKL%t?aM%%3Z4Vg~zup(#i2v)rS&22m8 zwSwdHNfci0FT2>l0BBRL@Qo*z8Hy4LnY(m+ARG9qK1KHKTE^z{EM5%?_o^J{YX@D< zkyT?3icoo8T*=8{mg{uv0%CYeay7eeu zTc9rz;DxykkWQg4yxF`O?KWDo8V9w`MW>Ee!12~La`0M5&FBez4WyP1{oB*w;0>oh zlBf<`x2YAa4}9}_phynsIsf#+V+U7HY3l%lgHFQ8liH#Mhfyy}Z(35l_ejB;+FIbu zRNu*fJ#wo-{d#dwKU4GFtn8*ZZ|af=J}WAt!L4w@5+cBa@ly&vL*PCfgQ*x%^QfcI z(v)~{FC-P}fR)o`cD#ZY0|)a0pT0`0oYn! zEcuw&@O=~Cd8x9pg_F$4SzlV>pq|!;xW*P?9iE)};4PAfr%>FJQ1Q|)p}jO5kt6FJ zApyYlV_{A^btBIm0LP=Kv?ppkquq+Mz$ZGeHA*41N2-KA+>uepMJZn_zQ#y9ibS)& zl8(w}MoZ1i0vi-WDjd0BurP)TBBS3Q04#pa)8|}|0Fe!93_Bj!^<=P~Hq(sw%PhJN zx@V+Gz*8Rw|5XUZ6yq2x+8-=%E~{&ETK-C*cgDH`PzFXoHP~FUVpPI*l}**7!8o_! z-#-kZ-C`%{0cjD=>zT#W)cs9r+(b|g+7PqDz3b&ra)iogfc6h6$gW!ca3!stw-Jn zxqtxBr4w~8kKL$;bj2F*NvRpEZYIdy=aAm!Gckz6bYXLxo@C9OLs)`f!>GiJ z-m3qpNdmwH`ia`FLJplL5i&eOoW45NTfXHAp5h!h8Clo1k9HfDgqd3VV>4$S*07Xo zK{(~tnO>)Zu!>x%8Nw?psEnkAMLo3HLuYy&+VHxzHmGn;yQ8}lA?rK47O&}D8akl@ zYi)tH>@v|ZzfDHwY2#_T>}0$WD`PVpaZqJmxJ5O}WA*EMBo|$dJw_vp%uhN7H9m#M z+B0|wMuw*jM#2*aC(QlpYg-ccTLgjB%d6+*ly3|CMV`b(3jJksgXJy^^1~r=6-|0W zlQ>mWdopT>30u}nhke{_H+ihjsONnce-Nb=MK4AZ%M*r- zySy4i7t*cDes9HH@|j?%6(OX#;b=$hxS%Hkol_K@=C6OLs{w>6bA^lJSpr3Yrg4%b zOg3hp5b9}FX4$yy${ngp%Cb6rp9{#plSbAmEnNDra*e+mm`4puknz5WZxfH7+lBJ+c>5<7ofLnio#% zRY9zp)$X;iGBGw%12v(6Z5mL1wxBg%hkmGw$E%yLj7M8I=D@!+!P7CoLN%JY&+UJ~ zw(GEV6w+`u@WmNd2U5!VUu#MlN6b11^scy?Ve`9Wl(NApg@Ti6Yj8Pd3CH6XPPCKu z*=C*HHte6H&!DfiPU=5GT4+T<(E+{Rl{x}GPR5*g%#-TkDCY$*ml`%Ep-8t|&M-AF zdptNAfjGZZGhCYXv~?So{h=uIQ7*#F+82)#uoN5PZm1_kWuM|fI_rG!hIvZnvsD&O z-P{E+z0|UVzL}*!ge4Zs(QwKaTd4VHb%!3P4+w7zk!-7$PD8P zR+M4AI1fxoO|6_CZRFbv{e28&zK#asg#f#`nFStkJ*Xi)-Svf*^ie~Yea-hvbUrDkuDi}b97BN{E3bNUW`_H!=c+?26C(woz7fyMzL z#1NAGy8qn`Gl-o~44<@w>g4Kp2p2qT9?-@XI_Hu&;*L^#8G1qTVRXEgqvtLP2$FIAghN z41rmxU?FLGG5V$i)S$-DWP%okf-Bs)V#cv$W<)YL;`? 
zANuskeIqwL$+$?t&5n-@ev)=NXWSk6-g^>38SevgdbhZuQjAs_;<4qZ1Dp3HHrfBmd5sF%sQ;CAj;FHZe#eBVLtd#_ z0;MPHa_IFViRU|Tpz+Ws71Is5UiUX%0YZ;QDJ60jtmBoMilq(x#h{wU4d7Rk2~V0| zfq_ckAVOOttoD)Tnt0R>&1*l-@vBbYwB@YzR)qme`+sppN4WBBd0T^f^ER%OXxGaE z^nNSaTpmh;R8hsOZ;`2KvC)gPIWJ9_LiIBV#H-X%$W!Pf&~pexyKs7b;VUSk{H+PR zd#RNfS}18HR9x0LWngxT{2%C3xxRKwRle_X`Xcx(X09O6U8LaqaK&=K=a50_Mv3(! zhrljCO7D1(%JDMEvrcq=@B2M8FOGd{i@}O&3r0oL?WonpT3D3=310`Hag1 zW{)M{p*jxj$^?R2>DB`@(ag%bFVmSTL7f$D>HLic<5R*`ry&mPi!9|q;quIb@k;`B zwN#>{!iN(5{F}z%X#efIK(a`Ma3*1zp3v;~CuJ%5fN>2jX#-ECadX2MZ2IACE;^RM zXv56KYz)%BZh@x|fMMVy8y;J7+~$}zjHU?V39*Etgvu3PgLTs$eWO^9A3HX+?{Rpk zZo_Vu_iN6A%Y;=oMV&UQr zfKj=<^rLH#{TRhs1D+>C8Dz^T?oRN9l9)ti3=R;T8{HyKeIG5IoETXjFml+8MJHn` z1RX`tMd@7(w!SY3NP{O$qTl}irsk%hn?eX9CGxLl0>Tj!5nsq7Egl}{4KHT<%e zMRIT*sFyXnwg*7kV=YZ<#}xwaIauFuu7>7HBt1ynsj*-1wz%9r|- zgK~W`BTr!R<#E)UM)=yO4 zv>l+mC+(K#C85ypUStA-WBZRS6ows&G8$O!9JSoY^s8cr+o)YNjz!28nVj0VqVx&p ze!YF;!(STfj8PA>v`_-SzR`FNE$HzyVw|Dd#s!jN!$Ph5ZlzUThj%b78GLJW8iKYJ#786m!#NJi^lz7yCxo*g zWXIZ4Mv}X4bqc;ByrUtz8ix;8{A+W+-2sro@b5Hg3Kd+RsxaEHRDP9;#^00IoL{<} z<~StUKVL~j!|Y%H>jSR6c4Q7pTCtCE|W;qpZFd>>y zr)L=t#Qr}_Ty};emhNupyFa}b z@4x%(^L+Ep%sF#r-tU{Q>^EBv6zrLOp-RpFFBIK0&8+S3K0-p_toQ+2ybT6&OG%^X zQIZdtd=)WO(HSSu4SsZ~%w9(0m;QbGtwDG)VF-rI(K*CxRfikD{NSAHDQs84@n^Ss z_cq#y1Gz4~Lf?A``Zi=vrHfDJJB5a|>nLDu1tReQjyFc9P_GruJgm*(Q;{vR~oAf_ooOcS`o1KkyLv~#*cy_Ms0%xX=Xy0x52 zBXC@HOuIB*QBqHAT|zMmnjA)CzNv8e<&B_HX2OT~J&8g6KGx*DM3Z#!*)D)I6Il(C z#QjOW2_Nf%bn(PU457WSB10Mh*=%!YR@=AUBda46DwPfxy>2-9;)J3T5-;VVwo}Ou zYQrKnO4WGBLqF8>Fd`^{VW)M}*Noj4fOOaU1fLIY^{P5zpDqLD zmuv(@?6`#%1WshQW^0nhbsy3mN$%l)+KjwENIBnG$XKD>`n5(-39j*f-BG>26NL0+ zUH91iei%V-fZXku<*=Mb_q~6R-UZB6TCX#~j{b4YJdS;GtSN06V#_C3w7jTG7^VT% z9BNTonV0BYe#xO3{+$|61^P99zC-VXJX-|CpV9npmVow{pDQ;SDb$1#|dCP#)a_Fg(GL<8~r; z!<(fF#g9H%dy!M6^C`92Gbhc`d4gtAlK+Ee7c0J*C?Q)ElMq2sR}L4$g4N(L-*|no zwr^;iplpMQzQ6^34wSJhRJVpeiw3J~CmHz$Yrc+G-{hVO*A7&UX21{QEV>G#tw=&l(St7|X0w~GIG&1Spnl5A 
zP$S6aN~=@Tx@c7;Y6K8Nwf~f%XPtkD>jOKVc#>cXy9Jwnw3Z=y7fSnt47$tV_9UAmTBm4wki9gea^kjFr;c`H3iMu_ z@?tAZL|6L1JfRZrOh4n$moH}Rl9A2jF0yB)h!ucB^>qH$=kk>&ny#OF85~n9HtL1e z#~zBbvm)f$TDpL>^(Y@$BhXTBaLq{5BJ~7?m%)O+EV{@FNnoxPbCj{bZ`99u0dY_3 zj=ZzJuxsG`YoFBN`jXl1PDIVZj?^|Sklqu|?*)tAobC+oVwd&62?Y!^CZquRtEO&O zI)KR{xoPVvXBu~AH``(ij7d$F@Px_>P)}9tB?bGGiYh*is>IY~EDKV|sI)8^!P+>V z3tVpr#BH2gaNfB{qdZ#eWEEZPFF&9PY|cT0Abw?b!7zuwq6UU->G3g9}H z=1I$61iN}{XRwb_9KRQE`s%UgNV_A+3Sh&iS&9-#GHyy@VREtTGga!b{4?#&2DCK{WJB`orfgGBvmYjg%cpTy$=?PF2w#oDsgi(7yeqXJoLY?aa$l z;yH)O!PB~`dw=IAL!(vAUjI%Q=TN=|FEVe_%96Rg$>!n}(H0WV`5W^AD5YNWTb}w1 z!7uoaw~vIwkw*iqdJfZF-)9t15Q?ScIXtkEAx4<^*lGL>8_D#wVfyH4HfN%(dUE`# zFScTJWNJ!0624}q0GM?*78aN7fgVlIy9q6Jk=+5u{&`?;$0M;)8-B8cr;^~c7gi5a zV^y>1xyZ*OVywbKWj#M2d{4!Q#V`3U@&J1DqKfic&U<<+PO5gT=kc27nr!#3Vyw;}&kLw*RD^H!( zFosF?OAY`h`tJ9c68(dE(}9=#(XG@0oBWv>!S>a}Uu3sVXgxm>hVQjDheosm^7`%m zH>_JZZ|wgIt9^F;1!0nr-BJQ3EE%URuOgGa@8f{_Ww;JWf!`rtGG17dRb~=vT|?6wPG1*IYtN_i3!7QwZTLpD#SS z@SD;79eL>^Cgaa^GZku(K5$#>Xss&y%gE$7ZbFN9F6~>WJHAR-8q+N(0$C{}-Ba3B?e#mu%|8S()21UE ztGBAF81x{?W0km^4`+xzA$^xTV7TO@f^(@Hkg|*<9kVeBo%B{miy)8Uh82-YU9TnE zqlxmGQIo)l(dZ|*ldR6$y&|*1>{{tS{63=~5&Cn<)WP$)%KVS%B2ljMqB@VT`&E@8 zltBcevYn*&LTy}a`whIw`N9a`M7Z@5Ub7|X z9WFY>zI4w?Q^2&*5Wr>}k`+9KNL`QC7P?(g9s?TC{mAq6=H1rYY2ty1NrEZT-tAqn z35Pc0o5gSX7A+hySa4(GU9GpPftU822U|RBEp%AteR;5qRE@Rl(h}w7SbJp<7E~9T z7LWWAa$Z=I{n>&JnH#MbYl%RANc z!fLfxsAEuqWHRZ$xjAHGYn)z{6P#htNXUapapFHtla%PmB`y8l7R`s;#Z3)N7LvrPQGQd!2X z1HnB&z>}Kfs|i-a51Q>q;*UFwD_H^MQSHl&eBA?iBWlH^hh4Yc8}?b#Z}!c{E9>*} z9DGmR+qMqdq6XYfelEGC-tQ&`iwnf;sKFKxa7#P7OsZ0Jr~$#WnAq$DCozr-rQb%4 z2B364=@JLgpRdP@waEsVF!>8lG}ived!3XhZni6SX!ohs3&fmSeDok1NcYHZ^NC?; zSE8^wIPS=bp?d(!y+j6fB`LriSX3oAuFtu?b_FLc%K=L=x;VvRRLg%MpZdA?V{cG- za~!fbXFRg)w@SC|d(Pq3B~#sKZ2F8Qfnn37(FaZ9zyWYogyBHp|2}zdU;wfe;~K|*FcqWw=W*s5oYoqz zweEd#9F!)SrnTqWzo>LOz^>qAhCR$ccTQ>KzCwbbHrCxl!a*QrS=?C~R}qkLxTyAz zfSLIB^qmNp?4uIs3012v;}p`*M^_#-9TY=*-QO8tiZK0-3&>9nq}xB)loZ!z(!0G9 
zA^yJcX7#>NtF3SaA{7PF@WVg0o1gV7WW^@AAQl8=XaI}Bi;jC@FcO}OV~Q$KtKs7r zs7g6UDUgt4c~FHkqdzK{xM-`UhP=++G4Dl7Cnr3Rs8k+iUpRhmnQ3bd1is{nQ|(?ik6 zS=WUvy0Hj*qMK}iL5|sG=(bUoOPSR#*Blp`dUtR?HVY({6x=VdJ z&KvuxVZE6)qdHp1B94nuDhFMQoyxdaTlE~7D7=<4wH9JI#Ka4{D!TYa(p1ff%?srD zHnwRb>fKs}x+8{89l+MLSrJ)Qu`q?NU&{?iynUl58GQZ4Zhn+kX*|}eCfVpCsD|7a z=Nrj+28nFIB-H*%hkkKB6x6ir7tT{)L*=ZiKulAv!^kwDvyjGCWh1i%ya&sxMN)Io zH7F4tisx|=$bUwrAS|?=>m8Vge8Vm39E-ZQ8ic&|6{Es$s%Vob#64oqk#6BnjUZ6Z zR-xV!T7U=;3v|zY`cTzqL^vfnyq=;@Ri~ztKCb%PuDUeUKMpx;1+Wuv8sk?dCuxY> zBJ4biy+8s9#StH-i`E+#NfF;oew2Lg8!0eVk8&2^;nDEkJ0xR<`lmYG*q5Q(k96gi zpVhk5^L|S5e8XFHxNHs?OU^w|QW9euFx2Q&%r9;@CBn|>%P5Ln*Vjh$om$l!8#%MN z{A8{@RKGXeDQ=(k+s$VJ-WI6+=54*7B+h;3v*cw)OfjJkQ=HWrX|ee} zC(GoD9xU8=<`ktSREcZryJu)#1XteQ1*~}9hH;vLrBuAMe3|k#dWz-HOZG;ts#6$( zX|H8bRiKk{7O>HT;aFnmuyu-EV=Hggg6lJf9Gryy(y7m4&w;TfP zM+E5BMWBMT0NiwA!A9<92Z(f@X=M5#Rl)qJlSMi0holN`7~mLZ#Eyttb`WVS8|bJp z5Qxidjnm6my%J!U`;P>C!n-ApN(^!#B=AfsP3`L_n8N?YiLmctBI`B|Y}c9n@dtUS zGrGMw`LTBGLur^RJ=ZVmyaCpaVlw4t4w4IH#+|CNo}+3l;_6HB%+b z8k+o@P+Yz!+_wG+p0$PQsq&TCqyKS1#TU%d3?qB|*PZ(&0#PPPW7VWV0j~A^uB#^W zNNxo7E13x60Jh;i1hs$YXYIo%y#^tu6?4+%LW45HQ^i21NgJ-|p%f&HmVDEb`@`_< z`;jTWLO0n*AL98zrSnb~gb|eqP*vORJwFG|B@yRy#8HppK0l|Ff%h(H7yc9R96!VM zRM^)-1wzR$6^ewvQW(Mmgo&i#Bv$)V2%G%_>FPs?fb`qe-;^OAumxaz!56Nxd-IaN zC`5j2sKQR=h~FVN3L{drn?zH@zU;aX*w@I=)HH2*tHuNW^nE|J1>b*d4@I}VY}gSV zw&R)1Or?^~GB4@AY;-(#tjesw^cr5(5L2=$yP-r~hasC!RgN2PwY5C}7GI+bJHo6= zjYDQ(&s=@>Xt2H0VAPu|nS|)JWde!+2Ay8xySl;RG0D}5){ooteEx52;o`D-x4)yw z`lnPO_qN!_q#1jkPENC7;P-T1Un}Q5!=hHVa0LVaqzlR{xN?c$JfubfmUG`Y$2|a# zg#l?%n7qIb;nM%tQUNxBzVl6VA7p35BjO9sYlA5fwn4mNukJhUFZ6P6=gbiuHDo#7 zZ5`{~8mE14@!eG9cgah#-@MGHU2LOj9~5}c6+Z+&0P>7`g!$0=4wY8r#<@>QHaLFb z`ahbDYXlyjZpj(27-mS`AsdBB*ljVxk`5F#Zn>ps0<^j1v2CRV$lf zlVQ0v!j)(-GbVmo#99EI!G@*=^2TWqz^h`oOpAYxS1%86Z|s@l&_U83NoZ(AI;1n*a1a0@!};8w=lX<>2Qa@I!9RK^`NFhVrs)5Co8>OWS} zUyCr+2c!^TnKT4AO#M5-QTRqak!+A!P7G&t(1br>Il}6J=c@tO$^by$j$=(B6qhY^&t*FjH6eym? 
zc9L6EKGgehCUwW!*-jd@9yz<-0z|Nb^1n;6xmd>yeOB}y!x4gr0E4-Xe8)mjoA3Lo&{9D?&QH7Rg zzGeOjZp#v&)LZg-o=NrbYJXNw^PM6pn0Y6KRj|yZ)Y+OPzK|}x`#H`iXQ>f@C>*=P zFTuze@(dcoA3*FmS$71^T(YU$?70H}kb_ez?#5b@!g7CK%u|QT&C@hd_Q!MkDUEU6 z=L%EI`~%xp_LK4~cLaqf$w%Tk&7UOXSCDuOyHJ~ZK`OvOP zUCcp=sM`X(3N|upFA7E05obTf%tGurRNO-zjzPxYq&oCaj$cgV=l1VvQ ztUuK`mRJH%EOg>~{v%QBK9=8OAbiha&dK+RRhd#1A5?AKbrd6hs#VV^Q&hx1cjaxB ze6YOFU-u}a1CXb)umhtB4;*mkj`(fr5mvmdT`HUmj%GsqzRPnUrM20rsrn(*HClbRp2>C@PmB#ldl z#hs7&)&Ezk`MU*KfHmo# ztDGYPe!uol&H~Jt3lg!HJrXHgKOtUpUbNr^-Galwwc*ds)#^fW4TaHDZdlEByHzv^ z4vgc2`ZZll$u_)vr)@wwXa_z%c)|C+FC?i0ZmfYG1C1jp)+sSY(L^@$W$OeV(e1$e zawL8~dg5GeU1A9Crc3lJsrQ`WuH6B+g7@>DV4z12d<0L$pZwgI0j&jE?tKAr)F*#= z5gww&9r*FauF85PcAnm=Wk#CCRtEQbhjRu)MPe{BSP`K3SMbzdpJ)s_?KF z`Asr_}}0NIF^ zR+cpSg17lz)Q-I+C5dTHbsTsOz*`Npocei8-F;nX7g6Z}sCQxVKPsAhMr>)YYoTU7 zna(Iuj6sgvW*&D|#%b~!CY>aF?H&-vZPL=uV)KGrqniz8o15ZfE)b#FO;R;j6_&2> z$Iu=L(Ix;7&h60lu82z6R?li>1Rj+q$oAo8dai)z9DIFTg}~-n(S) z`YW6Z99BO6H)x#^(E)Va*`xVMR68S(FDitQ4%H+#MKUGh1~SToK^8P_&S%m9)^dO8eO0T+AWhq1 z&f=-Yc-R6uUwIhk9@1G8+7;}9!qTTh@{LlLMQ{U-*+ng3R?~Vg`n?o(q-Q;T#WUPWOgIO?(UG@bcU4PpF0k0(i z1mPR=qO~AX#OYrFGS$7`XF3tWx|s{I#E*L;2n4)hPf~Z$;*o!CqUu?~TlVGJ2Dn^m za+TiKEp1k)WzP!})m=T9ZeWVa=M^FaaD;ST@YYH!XErZ)j{b-Sq4urnt*i*rw8+LA z@9OKF%%0j5O?>Q_UBiUzWjNJZ?E_yVu*?0bNE|h3(8{>IMlwQ|u-~{I8LtkpV+3A& zsnm=QOg~$S322GN#plZEb+)qxyi@}xl#NEao8l!Ph;W8OCp1C@8}D~;+Qz)$J=+2U z2BVFR4Y_n!u{YYIMBi0k=l8S$mkwid<_3~;lth4yqt!XvULKj=>k}LTw366rA-en) z|LGRL)iTfXbNeg)6LVjx5Gw?3->Y>By@G&gF56vc$AdWY&&9s<<*yhRJzAFG7TN+e z&WRirLXMMN?~TQ5^pWs^$@1;8pZhs8WF-EmAtFNJ!sT8!yQI}#2f=E$!$A6wrtVf| zd(A^`|6aE>IKLepT@!(l?e*4wX?M=J;R-odE96{TA4Aq_UA`ap0i#um@;9GJocIjh z#M3{6c6~S|3)o@eNXjM5nOlb|plrESdqIIP8kq8BrM>mDKN7Tf%qW5~hLMlgX}Fzg zOif~@l&?r)IT1iQ{| zyH4=pZSDxWo;nZEdTMcmJ%Om*f|;U=p)@p5Ac#R4o{6#5#K<-{1VVs&O?z z9keHMb*>$McU))|1}@2aCBcfNvN0hEC*EP0#$*NCXS2nz0odyI)@`|7aB==_W7Ybm z*cL*4TXKxBtwo67LLq-VCmK)`c`@TxVUqlZZ7W5M&)OFSh@8TN+;`}voWgeXX%A&T 
zZ@V4q39bH{yYqZ~cCT+~;fjkRoj)cGQR%&fs_B(s18@CiK&TAX>8WuJD6D0^&?b`8z^nk zhgkV+;|eq&IY6PH1?T*$=SX<)5+3S-IYkSFPz0)O3$W{6cc}0cH#LTX7?B@J1b8*(Y_&#>4KC9*FMU}JFdw-Z23;G zzMDDXNH*D}had1&{AF-FD}eg-x;#`AqETn%V|$7Dp($^PTz>waIeo+gM}C|E$Ui!IG7o3=pc*dFpEn|Pks&yt!toigFmqddtGL< z%eI`_?K@to1u%Q&r;mZLms*m&QkkL43z-#p;< zsLKV{{2j$rbOqRZ0NIZ)emeHl`1Tw0Sz_33i&>8;3*wGAvGPU|F;&Aj;7Fkb=l^pZ z8a})n#C7@q$&WXA(j80|XMq)JCS0ukNwZv2pc*t63I>b3DK4T#9;0M6c%d74llEVs zS{Pg%U|~vo*(}y#D^q5`)@Ee&Kg;IRW3dI-(W6q(|+6yC;K!_Yxn0+a8J!m3Ej-c zE4QR6xFWm}+0^-Z3v()g57y{JkxZqn^7$~!4J({Up({W!_m1t zh#Ru6)Iwm%8`o{a^+WAG@h2u^{UO5BQt02M-nFPbD(g!uSB6Z09G%K9o>zE_#h?A7N3~N0LOinWVr+n?pXUc? zaU)iVopxdW5m5DQL0Z@oF;ZGZ0XEA~P9pDb zQpq#{Gtb2sAup~RVn|x9-V3~DH%6a`7m`)!YvVJZLnak{<#_(%P}!Ce=Y=Ah;_W0$ zT|ktH#Syl&l!_i>dFX-ngUwroM!hW@m`{}ir5!Zy=Nu}hnsiNf}Kmj1L@U zENALtp$N*BX{W7MFehLa*+hW@kTD%FLon95qT5#>~yjO9leOm1#B`zsFIf%Qu zE@-(x;g^+0bC{T-%8@<_B1#QuqzCv@>5({g0g3#@{*)g^q~K5d{*I49Q;^N{H{WAV zKGOc|v3ksbOWT&W-12Z*Sqeo-hmxGuKHX1v5OP^xoUBo5Fz|2#NKAxtqeK5d66 zl#WgwBFq3qgae0~$BWsY!~p&F>6<(Ba<}19Xe^j1$$^=;sgJM6_Wr>_kR@{Js(fe< z0t;{dT+i`agzQuOeX3xr18D}45{#bW*15fRsdOMyJ0pe5G_x7WBS+eJ@yJi$(1^w) zd1G`zQMnBF#uIQBDfl(Sx-8hMcT-Z@f5+!?{x&l*r&U8&F*3K^ z0$wE&WY)qxnySBJ0Op(MK{SpkI9n;>u8F;3LvH&B4x$KXrcVDHCIK1YxT_mGK^zt( z9NWIbhZwO(>=u8!xH)#nRld$>yPfE{UD%R5w)A%j>VmOx><^{;+;j|W&~QR+H48d8hdip+RU#mSCr*)pzsC?U;pWm;y(P+|=7>(T`syV_Im|*UlaH|B@4B zIY=-Pd{rTRqFk5ZLa4e|V;w;EAYWGL*dL{zlKX4WPlEAD@EY9TZ$&wH^PnCA>)h|H zZgz1K#dXS1Y;_Y3c5I+jA0JsJCdQFs)l8J2nhl9bULlC^NqCbu7I=yXy@IBemlaZ$4B1E^X(jEe;NQ*kw6MXx!-9wKWm9ztqh) z47*{Sd|pvDL*}W>>s55?*D1^b;GKi}P5O`Q2`FBfFxP3bwEmw^lr*>>ahdH3_St3mI=4XvZZ z>kl0~<^?Ci=*EiCuJ$aRJHH`p@i@dvGBTvUG zJ~wyIXU{tp9O9roY0m_Tg}SU8zkF*LZo`s8d7nJ8dJ z@9ICD?2idk-H(11VB3eVVwmN(%7Q#i^rI-Lhd<~Q(fEjDxk_}2AznFmw*2X7;FmXg z1OB;VIfW*6+dK5~!h15Fx>eth*DHq}fV4+WKukW*R|(ty-N@#FQeC5myKrOEf|wNB zVu-(d_5lYdN{y>WY1`?5le^dUSWcVK4B&8~Nh^PY#K<~kixMMU*PseSWQn4nz6J4k zxLY^SeT`cNFKdBcG&w$BC9s!mQK3p-#nK4*drs|F%$ 
zrhorT&;$7gjB4tCm)41DW(FrO?xAo7mLqU{Bj}DfBo0BHC~dC=FEVpfg>1A%h7m6S zrxm~oj*CBt_9cSZ*kVgiB!1U-9=-jZwZhqG67?zmZjz93G`!ZgqPqgd?v%5&oQ$U0 zXHZ|0&GL7^Jm0Z^h(ldEk+l89of@N7!1LFwwOT6-(lF{p?e>eVOTyt3T-HyRHyyI#s(8oWC}`!t|dR?{0kyqQSG74DI#C zu5MlXu2YxmMk-41brLn45?B)Tl4zE3TNr zjm*s>4KZip;pv7{-v?G%JNh?LS6RX1pojs{2+49#(Y1S7JofF!=8JhvqasaBDAl!l zRbr`uud~q6TlFsZ=!Sg*N&f${sXQ)aU1G~2rkbZepHl{?R_b8~$l%u6doqT~S}g8}6|K z@Lop5;}c*E3ua%9PA5+%j2hf_My!_D-$JZeP+hHVfaE4Ot1EaBOnIajsNAMNy^7+$ zV&R$H&(?P%yb`cee>~w-uDnpesc^1lUHM>%5Lv83GKlZ9F;@KdP%EpY?y+l6LEnDV z&>-#8#bX9iuF{XWQWo4mb}X#H8!KG^Wum3{<^6Id0ZBNGwYAciJ`VV>nM?7|1@07& zqZ|O>Ok)MHJ{o=#+Zy>0NOqFSkLu~68^*vII4lR&am<>`*b@JPo4Pgnh8W9Par8;0 z^zACWZTizG4f$aeGSf}5p>@^}1HpkVo+?~(Ia^_Zm#}Iq8h>%LR}oHygtguR&#d?? z3(es?!_{*1qU6FGBQH}xutXGKABc>`Gb-7ApCGeH2vr|kZU?K?3 zYz&zEQ+evd0P&o$qc{kMK)TSb9ig63(jtv?cGwMlqAE(1gHrjD#*xE$JAcFeLiT=0 z=fqGpIgc|nT)Af_A`dwXgbpr%cP=5ACneYH9@J)MCh-VdRUoT}7FhCXx3u&PKZ8D;nh_7utY?~at^ zRdRR?^Fjy`^X(J^LHILOUYhCaBSdtgc97w(ObI*7>~M0+W&Q}!%;GJkWAT-n3KhY# z9Wzp0xzSvJCjxF}ZUOK~9AzgwuW7^P4~pw*p&HoJPWh@JV5Id@j|CCz0z{lj;7&4w?P^S1;&~SUDNmXw$^6#H-9y?=R}bU+LNVBRHl~ zQGb1!iaIi>vuFSh+u6|^jVqP`pNHlYTHg|)GTa6o9Ln${ERpIxyG1kf3UQuObR{Mf z@pc8F{s-o?UX@?@K)uAbo|=m4-szMqC0l$!y>cq7#JK)cpi~LrR7+h71&MSfkr&u- zdf@9Ng5#NT+$pTC3A)0~`3Ol@0|w1z1S;~m`B682o&BimT)ErWEbGUS2uJ+Lmw)^N zpC>&fMu!0ver)nh1JK_>+A!v}ok>IWmNx7{v{G4%v_v$6!|ts*RYP!d0dVfi3whBW zvzF7g(awopiH}GWRRNMdJI7Hh3|H(U`inN)7ns(T_Gpz6Ew($C4=K3=DUViPOKh>} zT<)P<9mNcb0%QDG)eLeXMd4;>jxVc*ami5H+f>kuuRs{xj?8u|^(!#}>vR-ZJp2$Rs2qJU(8+iYuaN?;4`dEg(u zW^!~gpDD38$pva9zWt1!3zAbFnAO?A56gju)*p@+(w*UvOr?Ai(+d}w`2B@ONF4FC z62VvukSKeiPuwvHA`s?1`&rUht+^5-BZy(#e8&MSuxXm_aU5MEOwu9Iz_og5S>3&D z?+;PK#0r=fl#h(bg62W6gYW<2Kl3NigXeUq5EWt7ljUa*ec|A+YDd?TLn-XB{#9gQ z3(^n9OKtGtq zoTrV%$bLB`wHLm4G8l^@*PSB$k^`M=*|lv^3zLv2RxB$`fOzt4;pMdAM*&17$t z1Iy&M2#J}3k6XG-jx)%LGaM5LrTu1a8$I1=bkX1B!pgqi@_4FTcsN3J?OZ6;FotK& zIGj$_mvk|ooZqjbTPY`{_FsF~?7Y0dh-zNrbgFe&l2i?1p#M}Zk?uN7B!T=Q8d 
zw2c{fZmo~wV{3+b2kfkPfh;tE*N&qSE2c<(kvQ7SvZ9=r|8`Xn(P8*Tso*}J0pw4LxBETEpCN%})5?~L?V ztG4T?*iq&^Zb>3Z^Rifkqcj_8KnqFp=b6Fo`sPARFKvZIrurk}9Of&V%b!lyxkx8! zR=Q;?RmBiv4`vc;B{= zGjH>aBlhHCFSyhi2{sti z&t3amPp~DZ{Ov?J)Z9)5r;m{%MC=m()yIvTbaStON7MtH;3m>xoPG@+B4yP6YunFR zUEjTQsJJ%}qEdJof)NX)tOa?7Z9|D(SPz&qOmlshkHrgNJ)Mx*LI<)1KL_p&4PE95 zqeQ`3su?}Sv%=4U+WbF+tf@}n3{9cn@92K$Fk;pRmn}$_QOs^g2dpBcU9~H0vwC9o zd|&0`cXAm6V!31z|7mqlx5W31I(~g$t$czQ^%jdWusI(YF|8ViVxcxI)HO}!nc5=; zo{w^41=x+ER!x24ZD%>??*i`v5Y#qh7gJ{@SbJ^~~5pGDn$vP&=#Z zL-GNii!VgGbgUgDEf??iVY~f++f?0fHP5l|Un>`4iy@RleJu77U4oTASDEwf``DQC z@K>s5W4X%@xX<$s_Z?w`(JzdTp zbDu`PdWrBlHzN}MfHeW@hpX#HX?&J_o{;UrgKrCU{qbk1a{+*{}{vJn0>`9qRyAet)?Hx5Yyf2TO@~Z z-Sik(<}7=ZIDfQEE5fK82)mqwpSfT;lfT)5hP6{4sL09YBI=;I8ZJg%h<9%i;Zs|`d`$`hO-%~)5Je2wkg@kt9sD18@OnT zif9OwER~G8Kg7?lLRaF($KMt< ztbL`0OXBv_gS{fxzHjx|&RoLcNWkpMuE5m|?Ule;w^dB~4RA*pUrYz=`{^(we9N+P z%ZPi_oLA7a$_-GW%_o_&8YHv5ld5Qjvr*v1DB2dEQcomcB2u+SsQ|u6Xblu-W{_?NC+|tAGh+byD_T7(|Klx^W zrr1JFz{q~@q)e$HMzhC1tQE|ffeyR9lEB_h}2`7A?tmXKQ0{5JH^^onxg6wi(9@NL4q!oGn z>Urt8-UgqQif_u--ovAC3?s@T?-(}w0>?y2=J++1e&ia>yTk7AwF!OzV2#zN;M(>H zHC-J3g^r?Y`yz6|2%A4ESIui2E`;>t9;)|WbfkOu6hi5S$zy&^5gG%HBVURT@&)S< zUkk0V{FS&h8TygkaPIGOd0BhBQBI{10YUq~`3 z6tOiJ;TF7wSc?VA>uE^S0@4eAv=<{pfu&{kTFpm0$ba1Z*6O>K(b>koccPyCQ>e{5 zfK}F%X^(F$9h2eA@Xo^X5STOoM*drJST#EA`ft_s)%vfIoAJlQ|2gWuEj(h(dPrQQ zO$kjco7=jbo#b%>S9^FYeOz*{#Gm2Bl9mzFgQlR>Uv#hS5ZkC1s9 zc@dR4`#$kyyU%|@xIhyrLO5uW^I9Y&FvT-A)HeaPbkZ%JgBi6OG38+$ znd+rYsh@aY4Pxz}6_L6UpQo7t)F~BzckdCX4Ai+WYsXk`*lZrb`j}=}Q_|{BAXvP3 zlyTGLanF}2!)bALP^@#HdCA-}V$s$?AN^Q!#w?L2_3@Q;N)zvL$bTABVwjysn|?|X zXBZ%psPf#nns8DeJLd0&lLYDvB_GoyLdcS64N039xF5BH!gwJFjcsEn18)_mnEi-q zS%^bYM7wXiz&aBr+58v%ujWI*l{j1mA3mWwPkH#G?Nx34LLv+oN{#Ow^w`m{NcYa zpvJc7&9u+v<5ySqFmz!5HrpfUsW3i`-|D2!_>c>*Xg2-=^oiVAdPvrtQB3B_6icy7nGsB3^D>k2{G_(1GdREW@W;rd5pap?2q z*buM1ldXj8C)hLt1(m+Z_U)A#(j@M~ml4xpmjav?*Cz!G+SMb!L@)W&*izG5r9ON= zf>|F@STOS$MFe#@WS(yx5hqoh!Eht$S_#>|{MdhWE9rGO&wQ1Pr>ZDMz?<}dYTFq8 
zZX-aWR89|W#bHrOXUJjP8bO}VU=aCFXOu*&V-Gk09)=K3OUB#=4p=`4sTI&ic43*v z1k)F}0>UU6V*A=}(>7LdU$VPuV)#eJL;fo6455CG=z#;LwDH){H|ECQW$Qa-sEL&p zL<$9watGA63)b--mcv)q$2L4Vu$lE<5s1k|E_4Noqg-u!*575?Y`y3b455C03wme_ zxmrKPaf&f5og)GZ|1k{mgIZ*_Huo!=K>eQgG3uqr!XQm?`B+TBPxfSKJ>=`g@e3mI z_5iT(i^!Puz;8`h!2)NyQv~@$m_&dY~@;WNB8V8|7P35 z^{{Jf260TqF9y9s?ZB(R<5fE$@xo8ZC%TSWXyt?tJ^bI+mswy)4eEdsV!8kx250!@ zzui@>EB`rPZ$u(gN;V(;>&V2IE!D z7Vr}vJ-193J;D@uq}NL3(7S#m>X!m+(46#L{#H(jx|plW@$2l4Y?5%sooZ?v{DCyK zi^|?cbAqcoIMjP+cG!SIj^S6l&!UpjJdHgjt(G#NIzjq#lM#$TQMeOR3tPm$i4%GW z$BJf)FS$QVC0^bC=D%FSwOkZ}BkDb}S=A`hU@&U8 zW`c+0S^2EQ!CAiXa#Ydc)s?GxJNCOe4J5-Df#<`UO^2QRm5>cHh&7KvctF zqy|E<=cM6mK!#c#UugK^P8u6!68wRTHXRonWiZ-pWI8;{humL3U2x}}T z3ZL5XUk4RVzH{NB7Ngbkc>_$C<+VjCfyv3qhg;+@j|9Gzh`0;qZlgdTh5bwjR-Del^apoeNaahI+42!qx$F=D`S%1<|f08;YC8gC+D;1*=T9 zv#2kmIsZRIU3FAd-P1-Iq`O;?kd8}tN_QjDNO!l=-QC^Y-7RtHPU!~e@4ou|c`w5 zQC(w+U)T*n(Ip0b<6Fh&g$A^5MAoJh096)iIVsqi?3H;uuWO*WT^z`j;_mUx%dHxq+^~MytJ>@=T-~ z?-+M1(cQY+V+a4zU2k{Ck!nR+z3XV8hn5#=3Zx(P<6}pH^Xs7(74!tneXXh7Bnv8j zKPS(j;>1D`chH~hQp4{TYy*e6fCuj@Z9-YWhI&t8Oow#%!zf2@(qF^sV5P+JUeFIxwdS?Ft&$MYo%ohgUhD zJuJC5uSJnw2&$u=raSeewd1Jrnm@Cn)%*3q3LbjV2X71k!iCHp z%cXZHIt^MjovHB-nq8~Q{i;hvT0HK$0N@U9Dm%)`Q;h2tBSUmKqb7zA8bW#kntGxqJ&1t2p z>e=DL~{K9vIK!zRN3FoR@v{wF@ z3*R(nQtF}SKT0&#>fn6meos9jntk2MZ)b*gIl~Bt9LJ^}T1=RYuQFR6d7vmS#*vX& z0rP7Jc3b|gc$vREOFg7TB-Was8Elce(kZ9YPd1lmqdikg<+*$@^u#(TwvSWo(4UWG z-5y5gPug+#!CE(WjRM|CE>ey==cl4?Z5>qi^ev>`SPtW74ek98w6y&C5Pl3btrBVZ zqW^*r`b*}7h9>IIpKrukByxE7$f#p(!Mb1XHDrUkI(TqjNAss@~=>^L37tV)|Gs$ z1(}G;jVEd@Yr%RiDzd4q&Yp;VRPMN#_A2cB0$FXmub4G?vcgz}t`i|#SBpNcHMwn2 z5tnb}SbiJa5v>)B-Fy&s1s3m(aseSy`-;a8HsjmPYQh}cvaTBB-^GHiIPW?j*mRZp zH%&wlIr1*^?}D4EHsov{d9J(MPWx__JRB^vTE$$k(barW3iuq#SWRU{V8LbQAY^dz z!u6RbA~vG{#$CRejovbYSlomE_QlBy6}CjzNtm0;jr=5yjQrw6uco{hi=V3!Zy$?a zPg3RDTWG?G5&}o7p7x?xvqh6l$^&m0STaQs1T$>x44JezSe}5Ox!EW|MAB*Flz&?YiG=~yd; 
zJrGQF>{#9=rh{(fIIUaK^D8*$CH^he6pQ2);uxJj)QduBhtt3m9|n+9ca_fuJTz8+4pOznB5J^#|GCZ3nITRc6B-((hPOXHOyn+&IeGtljuQvS;MeGyS4zMgqT>UAG(w;skE6x5Iq2|5J zzx)j0NZ9WEb3T{5CDwa7b|*d9r-H;emWznh=YTXK`%3qDbEY@_&N`E*?REJP^!HKk z_EQ}&Ti)k6?b4Mt!uB%C2Ns`Bm>XP&sAaXCs=~c`--tP((vQ>H`@TG& zI}|QPIW0C_wu(KV_C?YK3&S#Q(v5EPeuq80-H%osbjm;zl*(9RO0@)70HD3sB1saD zg-H%3qurq)8BKbsH&jS~Y(sFxU0|}BsRn+^8YBOIJl$%OY)_&6_=nYI3POb8x3N$1 z)(_=LKQHdRe&BN1LXa~LSta!e02|VbU1X_KHA!-LZ)|%#oZ&fRtoB7GRfyD^bAA^u1^gzwFcvmcJces%Gs1y?YevnOUCr*1aA*-#NwRRctBnmESIm zwd-CChQAO}-g_?GZf95@@m*a1^3g@=3GgOXQY|gXyNrGuDs*^FH-5YhfAU%$F}nIPYaE5Be%WbV8pTMHguf>9B-IlX; z9@E6>;aZqG`$wgI0kWB!$}HCwrTlqh$BYC)y!o%g5Avs=h3SHiFS|rp==x<{Ugngb zp+bgTH6=`*!cI4cvV9ZLz|fBhFbi>kiyP_vpY0mZB|DGQC2OK~6TcC2g)8CR`%vUW z%%OLqsJDR7@i@4|GmG^)_0xFG|5!c3>UrQ147v>+CKk){L9bq>3cbp^1z(K0`^zqm zr#y_TKf+*@L+f~?^~BI#@#7CUL~v)YKUJv+F>9^{oc3rsG5!SEb(U{m`56>5Rm_rV z02NXL&m<-aX)3Pim|iN&3fW-d*Kf(p6mkQFf2y4e2ik<@0!xlq(9Y|#?b!({p~rXq zwbpv#!CfC9Kec%~e1j09!z#QjqUF1SbSS+2`5)+MUIVDdMloG0)p6p z41D#e`oUm_wu7k0QF5ZRdXscouSBX`FhB!4)wSo+FcmNaV^(lz5Jhdj ze4;hvYT$#h!N34fO+nf$#3@V`PrTUf+AMdtAFi+1OPuce^A6r1 zGL(rtiwz9hUkqBlOK=H-9dMliN`Ll($UM zYuopEEp7lL({ZAy%mTyBTB&$E>{W4jzh+_ON<~M-93%hC{*8}tc}CVTQe3_K{l&&l z@6Kz)dh4$~9@^>#-iQ)!4v%Zb140lFnu^I42fBW!a1(7?uQ16aCHCwv3|GK?7h*A#RU zu3aGoL&;KlV2kgk30$SOVc(JhrYplQdmOv0#cQxERGR3huPwsK{%-i?^^pZzmT{!Bhyqn8ke)RiYmJDdFl_K#BOZ2B0gcbAcP{I7s^! z8~{DQ-Ec7y*oZevFBVcn$SGIX#(*1r&u>ig6K5-|bUGz)9OT(G2r5PX-?JOe_zthd zWrK7monR`HL>JF-sXpKpRrG-4sZ3m}I!b-fXAGQiz8n*kMi?)Yh&T@mZiaCATbN)X z=z4Dh#y|qbgI+r1v*&xh=@$=&F;IR8pJnXhdQABP!sTtV`k=vdZIr+wK}B1p95(&0 zB1im(-wWI*+3lhq-s|8a&o963ogX3Rge7f+on!!ur! 
zes6^A#6rcuqt5nq01zs^`klr2cw#I2kN(4Ku^75E+I+rTAXpEQ{PO7+>?4Ip{L(cC zt~q)%O=N+yK}Ym2DP!7x7mB?S*AGhl$C5zHzJOv}>%VBDY6g>bobN!JA=P+FI#4qU zUe3i_3*YZ&82nzrdI|3br-pwI7Pu{J>d++6=Vogh+47rZ?r7rpuLPh6lM?JlAClTh zN-@tTz}5_G`wdisD2zm>1N3ohzuXK^kcnIYO52X^#9E zKfoQ_cwkwCj~neJc84q#k9OB&0wqZMIDwa8&qq^b&VSS^h1r>_bV@Q8l50QPpHZ#q z?1c0OeV7ZWwHK?=pzWT(4M}(h*0n_`kyqaX!66m;5&1pfwNZ<9V&Y%v!QdMr%(1qM zl2gRtNn5>Q`J@&tP!roUnP*kD3GZH=H&|KeofV$iOeYwGjnkb8PeOFMLT}#*ox>pT zkNq??0TH&-afiQ}7z{VC0!<1LkWAGHjNwLSgff4|dA^vHrhf-i{P>stA6xj8e&^^1 zf=Zm+t?+8(>+Vp168Y##pBx159QkM2P#d;T4=8`S8EW5HUhUXg^$P!m%;rt2y6xizpGj_+R;a!Vf? zQqM)n544@bR#HLDae!i#n)**2F9r1AJKzH*TAVV%MIMR_Jia1bg~&vcHXKVm#;Jl!tK?Q3 z#@p=~e)j=$EiMKGEl9_hJ`1vbRU+qHDjo>5C*xU$vmhKD2E;6jO^R|nDt<6xGMEx` z8*3n;x(B;bHBqDw0Q8D@;i>mY{)%AC?){HI3vC-f-G^EbC6MGn66VVgfvHCz>?qSL zWo(|jVi4wp--k;1Ps?BZAp)q|sCz)Pyake}hc-mCaAbB^#=aD5))JQEaF>8J zh-EG>I4xw(t9zsdUIV?*7F~=CV<_Ttz>L6~zL%g`Ds?&$+?zwqK-A8dW~+Pp2?pU!E! zq;eW@tQxq`GV<(Bl)OEQIB(a(8iJj&g&JQNbUpBaniEUEbE~unrktAcbBHu)LNR&j z94w(Y%L(TEk0h~m4v?xp5SWl!(=>#lHP6ufMXo-i83)^>d>}JTn2r=73~bh}eaCoO zXa|=#Ol^?SXQqp#0u;Gz3q_T!&H9(ED&hU4o02iZ0&Q(v5eP#IHsxmhz;hvooE;Qi zBx9?pR4cQ%Se%SYsZ0oiv_z!%EFd!1p{B}aoB)^>@)9W0XhHw<_t!tCnFibBd>{)- zAfX0S?mT>w%l*-BV;2>u((BO)fAs?!_s&u;zL( z6c~vh*+RDg`bLPmQ~ps@ITBkWB4v0chHn{^3NlV|P>$v)_S)lQ&cm`BaM9v`y9Q=D z<^XlU@;6z_J}=$*^}##s5#iRgQo7W&(#Jbw@UvO3oz!O_>1-)~b4&KOr(&Xfa2CCU|!nGGp#xqba}W_AcKcTN{}p3r10;xdky? 
zqIM|VAk1<~6+&n6{BVSQ3~ylea``5K(`31eAr!B#P(BMMefE{BQsb;!GMSaSbo^uU z6u$LTBJ=VH(D6oNm-5iUNQZF`dFXa?gTwtoMeuY>4HE;x)nYfuVY;SPREsQ)GN%K= z1Z(*efclqVgf;bWWp%gmeAj3_fBCt_)qX6QrW4zG_c@WcckkjvN$YHvWxM?Mjq9iN zaNDNpGDYJqu9q<`190nC6%!^;s{PQDnb?I{8q&^jsaJ<4)6{timjVFdb4$!OGz9@p z_bm4-fV2jBurh@srB0D219y+>n}gV5gW*vUL6xYRr*I=_r{o21oo@^3Q;gsIK5PUi z{#60{D7?G0Eva-y?yYWl+bPBUdStHD*y&(ByUq`LZ|R}Hh88J$)PC0ZB>6OL^=hoW zV^Y0(s1jypeS#&$Cw;|{?8g{cPNgP4E!emeNE68RvDm#3!ghWnm(R8yi7Q}{rZC_) zep+14=^Ch=B0}n~b6-a(5ASrA4-!-0{-~QBu>h&AvjNWTUQDUj=U`uqe`%6pS zyhiz{U8CPB8n4;%XP7KI^)8~p!p!~7#Lv^AKju#Q@xtOS9!X{fPVLDCi(X#E1f< zuuwm05E{xXiP-5ttJD~LywemB>_zK7l87SZ14t^vpSr4J-_!pXuB8F<@cz6ae19-zdHvf8hfNb+Pz+Lp?n{GoJBxL4UF|$ za$ak2UsSH?wA5<2%xIU$Tt3~Qf^LQH9MWPesrlv+{Ear>~)uGc0wx?zK*?YE>V60evUkxhAs0zy^{;ZLW0nJ$IRHGAsDK0Gd|A3I9yv zZ9fhYS;U9Yd%F}!TO1WSxtOSaeI4eEKDf^%%on6bo=Kz;_%Nsn|Lb$B-j0AF`6`|5 zpSNA$MnZ501yRLiRkHf5*}Bj%u&36cc|^X4?MPrE-Q>A)oBZ+{?^Z)~)xK5Z2BIU@ zN!t&2)Q)C9#506t$Wt(!q-QCbtLS0w099BucYW|5HbJ9A{YydkN$%Zao7>aa?~QL0DXM3-y%}3AyN-p8 zotk&d?ZrC+;gN3CSu#JK!ztIixd4BY%U}ChWSR z2Qcm>xj*N?jA%?lRDu3jedJT_fqYHYIgae)`|N(kCpg~HaaipjUyyL#QciOJyRlH8 zJB^OdT5Y^!9GEKxJHK0<^) z-A%H*`QgRrV#a&RXz`gyc2Y4Dj|)F+byMR{b+3gN#42bkd`|dDe2c|*-1sP4MSr|7 zzmK?0Nb7pj_*`q}+MCD}FYis2@!f|e%LzL$x0T8FG+||uW_?oqCk9_Axq?9Q-H&`P zlzy}1M}@Bpsc753=>H`hwzd!s90fKSOZ}+4^7IizKCAtxC$ly3`JLLtX8iTJmX#S_ zlJefkvVK&YBZ~b7`ixOnDUh!brIh+vxZb?M)33Fcs8bV@9|=1w&Rg&aMixP-afkZ_ z>Vo*RkMU2J&@<@SAb^Pgz0Za)A(|Kijux}8@9M_|>wAr)M15Qsvu+k{58~}U#(y$Z zZ@gn7P>Q3s>=r?egPMV;(qfFKlRFbhex??%LekR76+ivZu=5E_=7DVI3AaW%^+96B zvqb+ly9M*=O`!Xr9sRSWse_mELX6_5_=3ec((Tm4?n>h|xc@@3BD1V6I80LUvX`;r zt}NrU{X|vW>g{#gp;wN)ED)8u zBztjvc2iE(03V+te4&w^EG}dgIC_O>z)%@yUX~!97O1yFbeToePMq;WO#jyRPc`7&=YeJ zTQyY5==2NF=>v8e?XuHpCemH+o@CKhkwP4#QEWBq80Ss`SO!(8#;UR%G+MkF?y_qJ zP9bR6$Nzd>sc_|IE`YPFK!{yQf^4&z^q#i~ z@)L>;Ct@cZ756*I>sLHn0X;Q@;lJV2U<>F`)&*=}{Qj)qkk$$gGLw_7WxRu07IqMl zH0?WeVg{Jh$bGYR%x`MiLkeTj**?3H%|S1tN=EGMfVYEifdU}}=tw~+0Qsx{auVtK 
z$EMr0Nj?v*vi(T(2Q}|#CEs~}qu`LdKp+?-!@*3R(~QLayMBNwm$uMS%Ysu2Mxa3J zOTn(ss?ml#gJXZwsEvu+U!j=k4c!<3zH?VW&<%D#0^3!lg@wfmDRh;tMxY6&Ns-g} zXMVW*hAKat!2knrblF%|(@TJXf(~WWAhF`kZ@$kigenTS;>AE_FA!HY9XbN;zxjlq zM&~V7=p-8tHcIIm0Zv45=_GR)>5(8_Ci%7O_n;n3v94h@fLQ>mQ1b=*~u&4&% z>@_HGH9dck0DV~x4+yoq>3e`^zT!kFGp7%{LKJQbv>?}8mXZrDnm=N>FDJ^qtJi@* z?hD-Krb!%jN#jB=AXW31d$N9@d(|5F)$T@giZu)*wgGk?+&zq1yu+AwCO(abHdmqL z9Ud)kgXoR%URSZ!C9mZma4P5!Z=!WFNe8I}DF!Mw3=ZL;Gw3?lHi(Oo#GGH+PC=aS zn+QP-AOt_b#Hc%_je4Vs3cDlyzc=2RMt{$|6CudOu)$SmL3$0+HH=o{rZ4gE3Q}btE?d44*86@?X@@d)pPrq$7aX5 zi+aQh`r_;Jvha3i$n+zLHT=5DB~%c4kG|#M-nQ&eI`B_R?2$*5=`*spwU9BHg4}W% zy~u8g0H3qd^V4PCq;-nsR^5X-S39-q&Ld_X<-~NIVRhzU8A4Coy<2K6759Mfh+3dv~#|vkFT`YizI{_ic=Do|gOA;#0R) z(eW>uk9Y5$>e_<6qlw<*jpcoFE!yF^>&aeN{ed7qrfdv%1H2{lZ^`_0a=?k|1RXxW0gRrivuUKPq`NQ{bLU8YUNx*oxh#m z%CEy4ok&1QRz`$1ftBBCdpLi5v^zOJ<5>HLQxcB<+y=oaKJbCK^H5Yf!)@C;;`EjC zN%v*_^7gV)5Ab+N_sRwl&0mr|fVq}*M&}FbB-;Enla)&HzTj)he{oo6VKCwE5AO46KSs zYc2|2Q};NQUK%r2e}OQNLgE5%-ZVZp>-u!=jxDTq%~9ZuN7AQ8EIj3;FDtiqJNy3J zI?iDPe~M_bckp3p67N6oGgT0k`x~{~X*4- zAXlm1N#Oi1xHC_vTJd;+tqE>^>_$DcOji`4#`@BBJBjCu#cPLOTJvXc5i3gTm@D%w zONQJD%45=qK9<6Zh&D=~3d040|H0!*-Uk*&_Z| zwsV<#cafJ*^m1+Td%PmTO;C0jod?11fqpAvnHL`X&xU5Cnm%_bhk+*b7*U95 zLr-2Zm*o103ho_oofs*a(8+)kVaaH#g!87FgWh;6`bB?`-twjZYvr(M~OoC>4xE&CL%-Ic0}BjE&8gzYG{j* zCy7aVq{k!u*7b#ROCn9y%q8u2=*w&|$Ou=m+McY47#XgDbz?l5FKB)Dz}nj}&^i+= zt-^exKXPsBQirsn>$&OkdeD;IbEN9?3(h5<=4bJ`Bgz0<5!+Ov_kGRTq=_sbyLW(O z>_B-bC032p9-imLug$)w(KfR4ulSA4Mo-_9h2iHWwHDDU`9_JvXF{#7*j)lbqoYD0k(&kn#{!^SGe)tC)+V$Qyb*B4AB=im zlg{K8f8>x~OLK0{(C}=P8qrA5H9W#5<1s~gXy137e6#D458HSc|J|X3JCWnt$ZFfE zeQ%!Wl3id{0^JSb@ z9rDiscquau49lqvw zGmI)%u;cwFw@q1`Kd3VWhWB`plNagLm`aybn#P* z8&|D%j{#y4zOPA+C*+P1b z%%ACI)Bgnnns&Stxm(x2Pra?tt&y(cxC>*Xy4q&cuWvx6{@!ji25N*g5<_ zk*nH>*HmJV-LAPm-c3p4w@_%?8m5NQd#{Q45Fhac$Z$NNm#jX#`>c+tt-%XK*B?8kZn2<7FG&R~1tfqsyf0dW^6n%TBTe5=to9!_@Z-*Diz z<}b3KAKr(_z_0p)=1KlH$6(GHclJCo31cf8(cr-0muN~qS?L!n^*lPHOP^iQUo4%b 
zTL8KkKu;D6Pu;(nKzQ8G4k$}ex`aytHv)j?|NQ)ea_gOYN3j;K__oQOY02$8hs?5A zAKn(RLa%ilK+`kFo0-Y{GX9 z3^m(~ge2ZA0O!AxQ$6@jHbXZ&7UXhne+9)VoxGGWahk;j3iQZMpgtOnUThYtejE&A zp_0z~#1RSi!pCdFU%<&X8!AW?26&Rz!LHKydq5{h@M z{4QBIO{;!M`Q-bWc^oq4BC}8$#>Bm1BjLKC?5d#NAAr)W*c;`SI|RdbrFLq;n-DJ9 zQL+(rR1v>^uc+D_Dd7Zh(Z0|8BO+*v?HIB*Z@gXx(2%Q{(qdhZpr1Jv+m&0B?P(Q~ATInCN4xbAVT|)3fb`K0Byg?okU_dJn2PS6Br-ysXHnrNW5c+qHC` zk(i%1Ej{PUW=^0~9F5gRY*9P^W%?azgmy+_>BN|&uIIz{AaT^kYz!*5;$^#mu+?bY zzgX@CKV|;ICu3y5SSlK$^<17S-AD+g)I%D*%zD~%JoQGk!e{b6xLKTYe zW$oHLDe=(vk}QIe0eEVlNA?tyd)tbl(>bbs2BQ@{ok2{*_pz|n_X)RzvRQKCA}8X< zClz(gv&nDwni78Z9B2CTR`|J zOXZF6>vr~5k2xO64_EC2@tb(w%ypN-onS)RXh@ricR1^gwt+T()8A;T=<3yswcHuv z=f-AIf+rcc^ZCgTGSixre97qACVCImJ_V9OHaqIr2T4L(chj#S{+(}&LPYFZzcxPy zEy_+fVgs}&e`dSdc(b=9oolTq%&$w72vw>tbc$c+3-jVseDng<0 z9>pG0^G=po;p6(jU&W@1x97U4x5{f5y4sw5hehmeI_c zX-@r6ti&N1bSbA*d2h-T)TEMTSkS@Jq~%DJ{8tgGl_bfQbXz7Jo5x4!NBk~x zj%<&39fEr_4Z4vvTZcS<(Dd#Q<8`4(XbmrkJM`&!?$F6b9*V3P=sITvEG4E09JF~Vh4u6B!d+lm}nRSEc<3r}Kh`YrNq z!bEP7@IRdtgN{%lp0PQ4{>nCm_lv^_HhUclZ3Kc}s023$T~nAc?)~}^?=)~Z5JN@q zu=I%v*%Xrj{csjZ{zJ!xGpYl!W{m{q7xH@B(T<-} zd1CLnZZ83d@p&XjG|iZO5Oq3xeZgu5D@_X1-9D52TOY412`&k{A)FxT_ujOK(|oA^ z#OxiUbNgx5Un8nx?R$2y9d-d~6r1!>)Bp60T^hpde|l#(dNCQFdl28a$GZ@J- z@b73Ylp8?|09sR+3fx@Qd!XZh`8wx&s)=Itt$|WV)0`?xzle3e^zZQw=^rojR(Q_6 zY$>=A9LW4`K>l#{^W){kV|dvQJot{njAn@XKhQWUJ_wh#2s30#tu_?A>diw+Y5VH+ zQ-p5MPFKFK`Ab@2_@w`j`C{I6#~%>&|HSCCfEKWHVw3-TV>4kvps!i7+5{FllFub}{i}(| zV!5U;^$i?~2Ul7w!9w80^F{A&yh&s44Z%D91>!65yTPGiZY7&$emNg} zB<`1O8P~#E3dTpt`NlBo6$26)#!MbAMWKspoZ_SDtN1y}L3w7@IW)KwUwp8g% zJEWDZM^|`x@=X};w%D=j^(I&dm@xTs1({p8DZD~FTf)Fl@g)lhdg8%9SPshG+i&*5 z+;R$Cf*g7DvAw8wxFa~gJG2T2oy{eJ&ni!ds*lDOIBBnGxD znqedpCqgG3;?qyYph2|z4*ff^cz6*6zrda+pep z94>4YsutXsHI`m=%lHv| zv1&e+a)zfne-Ho33D!<+MTf%*b^;5tV?cifQKl0DypAR5%Th~Y>ZXsq7}$i&xPMFB z`{ouJG^}~s2|%9?w%uOOGi7;$wSU?c3Ggk^4E024Kc2}9)l@}+3&f+dYIJlUEZ zgaH1GCk?OfW1FfbV&6hqL&xV;GPCQ5+K^;BD6O+OR5>0m&x7_3JC7P-Li5!QVfEPW 
zjMMnr5>lSny?IZID)goDiSGO(jx)duv{W*32wY>U0FgIlojN+;01=*Y#3%KkN3Y&_hE^4z z>)HHC$6S6lFmg>ub~@GR(P7_n9{c2K1RF4@&TDmjlyDi^v@B$xqxa*VkE&UAQxNI5TL-G!Hc#54tMyR9qcjSpAk63uE9Y_wnR ze^y?S(UmZt*W$VU+SX=%3njIGLV0go|%QZ-ADv$nST<>q)nNSxwgfEQ!r& zyNcB6V39M`JyF&3J^uMf&ahnt_1KF`<;UU&8_^RGN+GR2oQq@pOuZcptAQiZhNhtb zO?qiF5d7uM>VrXx*f_DFO5fV7y#s)EE4RLC!uSXm&o)g0z?^9?2`7(9(s`&~1EXK2 z=F+`#9XZaE7e3)rDYE!Ud=g3SyW}3J;rXu9lJ!*-%XUu0=-^R72~*NVU+l;uui$QUGnSGLIBZp11BJ|_2+6n{<;X;F(;pzzHu7@#QhgJH2#Vw8szt_ zyW4S;Z@Pbam!GU7V-^F_y@$9&ta+o4CxG!wJt>UZyW5woVnW;v?6&ZyA3P;P*!Mo2 z++1)6P+o3l?KdwJ4f#=e>i65dTZNI{N$!;yBK;gRd>So2;Vu@Xz%Nv1$jFzL#sbnK z8Cfy+4e@$&Dyt=QKQ8s;xMJGphbRk`pBUrZ;@;hcJ2zpd_e6q6X8G3-5WQA%1nU)% zk@EWTb1ua-%w1uo1LnReKPLQ$?VPDIDnw^Vl8$(8*j<3=F+F6t86M1>Sb#tyUcp8F z6(Iv+K@(Ce=j|m7>)GC^s;{PwS3B19)_Rk$7ZQZQe0~M{)7~wB{u9BcMK(+c$ zUsYLUCYpv0%ObMTw2bep0A<1dvjgGnT6{iiSEc$gHG#EjCw_O0ZX6}6ueVmO@oSb( z2VrgaH{F|SpPUP|{_vgwoh*b}4PxPj7c2&#CYu==hSHkgWEx4dLJ%n{?U4>mbWV+; zS`B~5wgvNFK>j=V-D--SOe0A9cPtS;v_PvW7P3zhRz_T3gr!bw3E4W=&-jSbXKW?= z+l}+FZ_X~;pd^L`awIh>Oics6! zo+J-?G(v5e97bqFRv)~bX}RHWNHi`bUz? 
zpkzlH$-N7fiAvmWy2@>M8Y`8uAeY`8vXapd6AesqF~3-kxBo5yO`+$-HY^VM?-B%( zd?l+)rq4D!6}Q)(Fh^4MdRe;YBs>+fhDP&`zBn%$SfCl_eNQZBf!CXQgw|ig~5y+C}IzrwQIc*P> z#!h#bE5a#>0!EKwvm$dFvP*0-g>x7_Smi!NV0pve3#KqGYUSI9DcT$KeX;!**#cpL zFh@A@cfd#Y7PW{yfzK!$m~5YrEN5?=3R&>3QiHUHM!^SKd?E^?bPn7YF2LYBz&{)G zwF&}^z7x-f+#O(D6#+)DXa%)t=a0GU%+E09R(^7)#|jUFL!kak^~tl-uMGZ>t=4OK z)<6EklX|g(u;)(Jx$gKWu`aT6kSxp3G$M%8hOb>fRO@$)tNK5(czkXdtBNpJSzE(K zxFIx}+kn^E6^R`=`yRVZj-oB)8BSUD5gjO_q401hsg<7ZICr0Ro@3A2mhURJAJd6m zNyf~XTNS!_2Um11dlyTmV<<^m*EVY-AZ?8R3=*Ck6HUy{x_`&gR3Pj_*{5NT!Razm zhcKR#@?{NqVsT)m(MWkG1Te|D#5|}N^J|XT>Z1I+AWb#z7?SkH--9lQvr$AF2{1xe z<@366BPzjd?%H)&cvG*}Us7f?2IyJwC|q8IiI+mY*;oz$szJUIxYTBr{ob5gp0ELr1_JG0T3H}^pIMj{B+C!3lL1NF5 zM}!ZZH*B)Vlcf($R^Hp~){f;}v4N-QC5}46B;lI)JXZbWkfX2?gOH*Y-!)s7#a9y9 z6;zyofNMn}qAEA*wq<9}AZresWu|Zf1j~w?C!`O$KRlOGUrZ-r+ds;*waJj=tTNE# z1<#KFb*hHqwB2(cWL{GMZO%Fz;B-fh_2%4wmHTkI(z5EEp$(m8tLGNdB5_Dj!5s9d&K;iM=f8Om0~t9uU~c_DA0iNCfSMl1 z7pR1C(x#U=_uB5h7w>W>HyJhV@Tl@M^Xgi8JDXQ3PlZIqm(B0YT1xs(jz;~g?V8_8 zzn{#q;{-`V@W)Z{CUjxBd%T&73Fpi~Nk6vwL!I@G&{w6zlgg;CL4tm{-0^!uwQg}2 z-y?b89T^lN6`Ojk|D-C{AC-@+Q@n7{6vKG?IO3_8)XXmkK*hhBS#biEASuIY2_e-u z9!33NS27`3sXDg^aPiZ(^7cLsiE}@2h!6;Iz)6tJU9w8N6ZfT7X)vY=v&Ngb`8}!o zWyk8pOO}r{W~ce`r{aD?-V5_Dr_Mi5WN&l#F!4RbG|KzUxR_(ZE#ma>kic10O3895 zW%ue=O*V!I9XV_=H)U7;67x+^$`3SxkiKylQ!0+eoGfo&=6Uy)hrSL(5kthl zQ<&3t1;~#sBPt&^p3fWQh>5+}f%eeUra&^t^OemOA#1ZDU5C@#1JuGLQ)Tyx=O>5< z%|_iuKj+mTDTk^=vvo2$n~ta!5mtpSn-SPKe_9F1H(d06x4%RAVylu_x!|(XMUdU| zRL1&U1YpyZK=8wVCk~$0rO)ZQ5PGvkF%WH4O?V7>ZX`0(sEicLv^x*YL^R2lM zBf67FThtjN&z9wW-zn@la<7~newQYtK1c36xKpq{oh5`Rro<^T$-Tz#Qbr3{wqEGI zvDtCS>0**RtnD))KaHdKQsVT)MBmW;!R~b-c*K9=)knZl5PC0aUcXxM5N=SEuba!`m zHz;-J4r%Fzd(`{!{^kes%$Zqx&DyhP^3NQ0$VyypU4Tp;30=QxwJbB<{XoYHYNT4N$=u+c`aHZ$KC)YMOt-tD8x{a?C3M*=3r@}dSyFKo<{8*O zxjQ5I0rgfYNYOj@*c~=@0Li61-m1!=1}w|qRz?dMP^Te3Zb~i42hWUA;67@&)?Ypx z_KnRQnY?|^QPgO?pVrI__oIVi z^7}pLi^rP<+g)R`_vl}^b}fm(sqrGBc74(cUUy7p?f)ai| zR~FtL=4%R(Qp&lO4$rtOR|0<<>df3HzKDs4*-7JvNjS~}EeWsO$r(JX!jz=-oc8G& 
zPcRiuyyJv~UHI%-;~w7qMqTd3kNk(IG;Jb*_g1y6n1F8@NbgK({iqQA0t9d%Frd=w zNQMnD3PtePWDqovj=euZG5&{@dN}Wr2j<>U%z-QTp80_-tfHvwJeeR4F6|Q`9oF~h zwrwKCa>M0M6C82rKHI!TjPuyb$K&C0-rDc8{;ljStDB@p-B=gBJ9BKSD<=0?H7?jQ z{Wl;i1d#HHtqpo1O-nyB8X+?+^cq_t)@7wEMB-73|M&l65uvBIEd3Hd_n?kq0SVSk zIOSBdCQOJ*Q8l|qC|XV&f$FeT*SwyXYwnM-JS}|TC#qR7c)7%xbA8%@?!{ix1IF%% zxGyVSwyvOd^z~DkyAx+UraG@JEel!vS=R&D8fX>U!@82!MLQR1(~piLGq*b@K`JwH zR_T4EFqOr)94uZueG{q>nLO<>T}8&L&rD1N?~0EJoxPauFGWEuitm-JrpnO`@4vzm|&U3YO3%8tu2W@w*-oE>cekP76W}qi<1Msa&LLN^&PU? z%z^E<#5I3qD4wreDSmCi^qHu)ZBz9nm5h5s$-BCF1=CWb3K+~=O)U0VFv#-lJ2Teh zA8y=6%eg^elOih)a{t~Xt45_^$f|)FQR{ij^Jo)TJP6Js1|(LiYb_KpAT-EoDI#Ef zV-Nv4Z{>-Mv=zS^hT2S`GU6=iI&x+H(g;J=5-yS(&k3?iiD7q^@?foHg$#;h;3h5%Y4S6kCZrv+JmEH3^N73k&;yLf!`Zh1jZd)?5h#~kCvptUDh5ct%J;Idw zrspnj4z=p5M}3@aUPF|by_~Mh`bJq)pnI~HTOG@3BJ zt0DqyF@sF@_dh;;Nivt*eMKSUs|-ZK0^Egyrb3t6TO1^a3eX}aFVyk8-gJHK$(l8~;6w;H-V+6z#Div@=dA(UfL zzxJ7xpnWJ^;Z!X}#H*;a)bB$lq;NGIg1RVV!V}W@g-P)HbUbnglOQOF0Sepy%fVFW z4gfqM!C;x~BTbH*5lSEvO&+6};1_|E1f3M)$?=jxgJ8Zt)AP~k=`yDKvvPK)w9X}K zKNvo}q!TpDNa{4bZ}uf5>L|%{@VEJr`?Jrz$9^JXzmZjA(GC_a6k9n6`$E4=*XhpS z`uFag$yd&hTg+F(-Jox}@Yq;|c?nKa`bDa2-o9oTuu~<6tv3o9_yW>#AT43#R)lo~dBRw#ZQ#=13+ zs!Ly*s}Y-YbK-??J^4fw3nwBoVh71Nt)TW0#GJs!7H3B#RL6x7N0WeDZI%ILfnoY# ztQW;me*k&gBDuP-;;2|AtyUt#>{zC6Qa-3Rvsrm_dis-$poVc^t(JjY?FZ(B`<~1l z=Pta6JfFppoT6l}`R3}+09xAj?FGkBMO({GwY1`ZI@PrLB@2v=oXV3PdgEvNG73C3 z7%M&<_@G)f#IFc6CCt23wmL;#C;rwn69Fl>1)?Kn&I2oJ3sh@aEwP>xGTP6%7UO4v z#|!c4CECYr)$tE&^$aP)aO@{x^bk#{^*NG+V@t)`v=Y14h2w5xaU>tZWOrhC=kayq zZP7ssCjOb7D`hQ`q}8GVGQ0K8p=|0-J6WAI=J;742=Ui97=mRdpYc!gcFpN?5o5oe zy4g>1Hn~s}He~p|UV^`luXkn%Y}8r-8~0MDw1)_-(rYn`a6~^bb}v=TzE(EjvRz~M zE_f$IpoZd8T}$wO^bFgU@!DEV!5v}$(k@zZY%vGpM7!(o6>VPQK4}0xfg?ja$!qd4 z{hZl&mQ6|+gK-Tb{e$YHo9haHiV|qoj$)vcR1s?^ZYVmtt%>Xi#&GlIP#mufI$IE!nZJz~H-n~DEb?+^rhk>v+vXuoVD%M)E_S_j>c++jyijQJ=pOya1 zAk|$wI@Wi-c6`MP?RAN{;NQXV^-yhR6_!Xm;d;zY}vJ z*w@2u&1}im-L6uvn~New@?OZhd!B%M(m|A4VQLUNI5!0?8Zar`D6xa(RB1tMsus4c 
z?SjN=|5>kAf?j1Cs135-Z5OH~4(O#wQ)ejN1?E)ffU&_BZRk|}I>150?7Q)NoRwvk zb;ZUE^MzToyU*9t+}_ko{d*0D!(D`s;K#}t$DEbHG#_toE*Tye8ZvN-E!t)yzj80| z*QY1ls7Ab|M|}jsGL!UejEm&*#}r+>SNPJfBj}E#J&lZLTs;y7&e5|bPT0Da*fB~A z_^XY5#G;4LzD&$U*~r}bohs~QI5o@%NSTCuP)hvpgpa#nzW){#W_THBw^KC`mD%g5 zm-5spNb99hEZnjjy2F3*AbC(8q)Z{9Rahz`p{Q&ybqp-PBZKeb><{vA)+^%#2&koS;t$4P zcsRer%=gQ!DwBbS!yigVK&#JraeF~1SI6aGdOvQMk~k-mp=UnuQ#Pd;80!JtS59DW zVy9U+%fMEqkaNfD_nhf2rSZzc3d00NVA$$6%rc)NMDX7oc%37`-o}RqqiTB}WkaFo z>y%?82Jn;QmEA~mZs<;6o9mRxB_);u5=E%hjnVC0hse>;2SKm>RhsL+NX9oOXgM6H zDkod}Mo4*=GrH?^Wf~V6dytX6)FY}RzGE6kHto7Fx*VWQkTcD}6v|*rIul)>I|lEC znDXL0>wr&FCY2w__tzV@#5P>(u_!vREhwepE%lVmos#)_Zt?YJrrMn7jI6O+fMfFx zDM-|9=g@BFb0WPL{cbj&mL#wZ3#SKCtaxOGBo2a~E$Wz@#Jo*=5J3|{qx1ssI4X$Y z>7St2>)|jk=bt{lv}&BpzWzExo$0ElyrH@ic=@g$aTp!&U=xPWX_Qgu*g2&PQ4jEg&Gm=QD~sHC@`Kq)n#s24`AiKNdM*4XVrC}`x! z+wTf-A`#oPFSvoSZhFovTA6{{V9o7`+oU#*x52Y@vnbTq)5rG9xj?j!zFB7x@l|;R zAySF9lNKA8dGHd35M~vV2vxH*Z#7NNaGLhuBMW<+9i!mLu7D#)I#H4nfCzpl4>ZUq z<4fQdw^6M^S@GK<^i>405tFwNb8xfZcv5vtvED4YEDc!R^!~-{oBj!fc;LzC?tj`>8;2@Ft$|ym~1st^D5Z>B)ER9eSK7 zq&IFrpF(M}r~aK~1iNyCD=7W-{P|F+z18u%(kgNNJp&jM;JR63nuBitOcHuAS@Yz9b{+;MrBrzn=Dj1abW8ttyI~Tqh*iq6!aDG zKu?!;Vu2FU`aRY3HCwD%)Tgy#gKmRIThCsUJqEgL@6vz-Mh?)4cnYTdBoT$4FO#)) z;}7FRFuj;(`=JF-*%C{~@2GN@I(X!mE55J47i@*e{0U2pDa51qj*9e3Ea~S9h!0=~ z6qo76XbUiazY@<|eWtAlnU}=dj^Nsx#B(sC<)<HkdyWgS z?u3V@fY2{itB3x|*`rgsMS)sn&MW?!3IrAN$$d+w{Qmv}vn(Ab=1)C_^?wovG8H#& zLHC&FWZttcD9a%DrL9}DM$0a1R`x}TJ#9R)Z3{_&9n-4@9uoJ8_G6#$WQp*&WZ6Ox z7sBS3KPxx?#eY9>xGjQRVOj}Bu}ZwzRX2WU$PsTvaDq}rqJ^cn&e+t*)wQ_zZsJne zLoyG#+fs39hpE**9zqZc!an!IK8z9PuZ232hKR>2S=}5_^)3CxOYeY)ByG%V&NKBB zGsc+OJ=^)s@;OoOLdn`-VVrcw!py})@ohPdyyrhh=yW^9?)Yx`?Eyp21~DO)vMLvh zYSt2z11kVYyz|O1L}`jxfTzeE8|<4tTl@XpR4?&hE z@BdF#PK;~3HEA9tI(Zt7sb9Wahe*KZT&IENY;3Cn(UV1@@G?%UMO=O;ewx`$7#`|_ zWr3Awr%~l~1zC=({e+)?Xrq-kE7u88OS@=HuYe*Z3Hm44?Lt!te31xOjebSlkV30g zqNrGQZdsVOcnAg3DgxS5&nJ@8Dcb^tRcW-Qn z(yvHgD4+Xg!0@0+Z*LZCQ-Mg{T@_{ZqJHz+UY49)(r(7ARS84WH}ERD>ZT4+i`?t( 
z_WIl|Smp5yaj45H#>r+8Rh9?Mb*FDp>oCcK{Nlc^$=qj8^di#p6EAa*05ImAj=PRo zI}NTXhC*LlA*=?nD_eM8?Y0gsOswfCRe*oxe+~$w{lV6b{RQNJyco(~k~*#@U*x0h zz&K&Rk?$a~INT_o1+WA7Es*|f1CCBW7A{rc%Yq>1mPgq}+vYx_kz0R3; zxYW(<1yK@0Dj=EkL`?AZc>`Nx2vhIk?~}FZtp^bo=a#4ItNSp9mF$#uIXOb15;6bhPIpLK z8Z?I_5snJ%3$|2~wttqY{sT4n>V=8lrY`Z8zHl&^#}v-1l!@39om9bn!{E}Djqk6d z^IR|62+p;azZS;SiRbazLoQnDa%b$o8NsJyE}{D@SkEoH`IwY4JsLQEF=ZeU?YXb0 zSZn`bbZ^wv=HQqCQ?Dk)?1h2NL3Ze>ZahOHQjD)mqQha%DNt)WN615=*%dEWu2oWG ziNEDLG`Wd{$o;H&{I$}ACv%g?0DWJ%gkdPL`f#cw_b=9zqp0b@mUTJYELT>svwjeJ z2&K?+@V=`?{d!%o#OfC+yS4{o{@E3JU~{47%i=V> zB~eyn3_%CLpGCm`Uo#bd7z$$Vt5JsC5v`=elhV0;op9Dow<$QqG|~E5b;;uQezGx$ zy{2Mzjvftd?%aQf7ljua*e%LVT5SxgrciI@*~wxn z4^-jFqJP+hm1)&gzdPf5)%I!zs_-8B5v*V4-TCuPbc)7M!;CHQk*{PHntAU=zj)m0 z=pi7(c#n4$uhx=wo1QK(b=D{xXP;sdDhR(wQ~wDwZht7}>oLc+Zi{o(ppV0X`bcw2 zyh%fx_g44*RX|(*xs^gv>IibET+j+Yi}(oil8`TudVrlV<;}}Z^B5LtVL*1+|5N}9 zg`W4yd1+uOr5`N0&m#z$x8G;!|x`v)<>ME%lFrDtgA_J~m2(sorO}#>3bHvv!AaQ^N6?pep#4 zYlC|C5AH&{<`r`0wEKA%@6F{2%^phQAjafrDI3aGRkPyae9!861*uKRaJDz-uVva$ zBAB`y`57_NlK03Flr4Nj^j1t3!Gg;Ve^U+X2jNR*!U}a12)UI;@SM$x469 zWgY{#-Df&u`A))b{#2O1uTtyJtO6<14;qS7a*58>DJaGw33C6 zafe#Dy7iXmzJ19@InX+~Rq1O*I;8wf7S4?**?wpHgbfAAcjvf#MdfvP^ia5woETTt zYxDMQOOiYVP|ou26!uY11PF<{_NJf1)?$ef&0oT26^};dIHe;I+{ZW$2}(^~DSo{p z|7<#-on+lq8{0|>D~qCpcr0mrE*AQiA>wN2vh1F7XsxMXt1iewi^tsN?v_CBCz1N; z?KzZ&{bVi{9g8D^)xZ|wfLtSwfqt+5-c`Bh-sH{jP-=`Wyw!0A5dZk<|A&8+gZM}B zUVQa{r*IvUcyKRJ%0^xW#aNR?HAIAh6M$;L3y)r|m9b$Nf!%VpF|&g(Nc^pt;|n_1 zMR4L@Hi8S5`H_Y%>=vq1X>i?om*`q3VaNchb>8KL>1y7@=sibJxwJe-roe&QcYAfo z(d7UEO^W#O6&oWw4$=P=cc{2p!wz3q9HkrhCv~`EjSe{%vL4LN2K3InXBiBEQtD@_ zC9R_JcNR`4diR^F#{!+dwHmH+f)QKY$l6EH*P*sw6Ga22guoi;))}b!C_1s-e-YWA zdndi9sUSUc7H`7rBt12sm{C023n#X5kJ>LZRd_J&=q~g%rnXB(!j`fXKOdL}317%S z>-dh=_sI*d7tg`UFcb?V9=h$iYqYcNGlmk6qj!Jm{b+RP>SoftC5QEo9%`?~tf`&# zq>b^FeUO$nqIW6v8?hBaor6izBRs#J)eDXZ);M?7iwUPcsMd%BxyYnn07pU+1u_0AN; zsAB(_O8wRThx-k9LPqPuWjx~YP0#+56VE3vU3uS5&rLbuw$dm3B%NlhXo7A9R$O-> 
z#OF}N%S#?IeGgvJR3A#N^B+(hkxP37Bx?_zIL4{jas^p{qJ9O;?)6=$10Au9&t^E^ zVyi<*mu8c8B^R#D>i@;xXS-p_0>Alj{U0!P;1h`^rW9Xrsd3SgAxzgZ%j~Q{{BffnJ+g3~5b$O6p`uxU)qI-07dpukoFqO6uS!f7o!XRAPZUF7$8VZJAdk2gYq3 z*!$_UFTP%nHSs;KGdBvl`4pKYx{wEZFJDc~ZC4AM*0!W=S^_T%ZY~zhTRgQn@CkZu zXiM7U{1^S1(KMjSHMs1;fB+?4h0tKG>&-f}QayGK zp|-ZqPlrVYWArf}hK5K53+>WRQ#Xck{KPGtM(iz1hqScazp$vuHt-|#a<@1hwjKq4 zffwzMJdnXkR(pmv;ZYVY)Nt%<6w`9Or%tSIF;i%;Wz)BmXW7#=necn7#(`6L?5@lD|Rf0j~ z!!SqpdT5;K94oH(-b(9@Cnr$i*`Mr^M8?u)} zfSt%UIH}X@-216XU)kB-s zt=q7w=|0%k}U%8x$)HH!1&S zy^|;EiL{Q)Sq}U$(fWyclcIz$!^=TCZ#nQlb?bMoec zeBOsya3B;9X!vj)M}*xD@FZiAAg)Ie-cBE0Ma`=Q1@gei&f}w+w^B}oz0Y{xOS)We z-d(kPNH;FFb2>T`uzK#MYDRK0f34LBCW=Z)ZckGBTrA-quqf$*E6gjUfs=i29N96G zu`x^+i~2~=Lg$7Q&TQtc%P-O_9A(=}3mV|^VYGwQWN*?DYnz+-O(h6`4HpBM9}6-+ z7*-B1rFGI-^4j92tXOPcEm(fK=!h{5$)ip^tH-gSKP^vpUKw{%3#;hqo~-L~S~<9a zl;&b4In&VZG;dxC zAsx~ib(kwGv80mVujE^Id1L=7Lco-8Qdh{eEkEY6jnkd|tCR|z_rpCOFTMBE{Y*5U z51^d4-vJ}hA_a2s5j3c-fvb1J+EKcC#ALWmnGCE<1iPB7!bsJ{eY{n@-dU|)29FpV zC0*w2tc-^?su?+-ux4KDy@uYFpilz#d^7e8>LAQK-VHInIdOrl3@|zYT{s_NNF(+m z>gOg-9mmPx4f9zoOh?O4=3!PAvRAKjuGxwhzMG_1YVsk6yzBda)4{4@E!fPLI9)bzNncVYiP-k-=i@ZC zjj>Y*g3^zRyDA+^a;6H^)!Wdv;`}}5hKFFfAE{p4nEuw0;G^(v=Q0)?y7kO{m%~gw zq-hyAkTk8d7GZJdCQ5aT!^^Buit0a{#R$^H{`1$c(fRQC1ot0*4R1@3DgjfRHj5_4 zJ*DVT?z$m_<)l7)trqrK9AEMt|LTKucxp`j*~&F;^+O8codCQ$*emSkrI z58eriDt%Yvf7l!U&ZMUOe1eu??!9x^B{q+JFx6J;>+2oxRVvD706;JGj8GN8=cA2r zGPNS!xp~IspuvhNid9`R-*cDT;OKcAS8yyg69eu1}D-)A;H+Z6;r%rbVYfoi%XKz*!UcuS)O}qb>Dpkr?>`l+*3;vemD!# zsb?dDn(?{EfSG^l_Q4cteLfqYz$sZj7nPJdGu>Kf&+^hNYyY`CR&UD55zS`8Ettvt z4E;H8e1*konsZgjDeKU!cD|`%Ic;T;z5V{Vp38Oi=WmY)qI9_zp}2hFTVuk4P~7L% zt*#zBQPIe%?Oc-I$j?$@FMaYA?!^w&LU%BN&mRYumitC!qk($1Gc!Mi8BtutT+_n} zJL}YP+xRdd|CR>7Ub1{e(lDu)E%=!2H#fVZwBn`Jyo7Y!v?sX1)rKj>51J*mBZm9} z*ac7{4TCL{0Zpdn;plvUE)(Y)FJd*!M_#(|c3tMoJY2+A2S@|lP;lpS=iW|DUx|s-US>Ez?t0&US2UFpJZeGPVq{yW=zfL`gX|5!Yn$1=o7XXb4GucT(Sh={^-{j4cU_*arzoKO zWK7$Raz5CVpwOS^t#^m@>AYy{pDKP)Ty~&HhDk~eh#s=M&H!JstXpNA8?~=~-7Rlv 
z@e<3&m5SO_0HSNlhH9))a7e`gj7{dz;86I;Ep))qfSqN@sqlTn0P`1!kD>qxS)OUo zElU=e*uPsAkBRoh{i|3=JT>XT!@GWho8_5P6C*mOsY+#@BI$MezZ)6kan>E)|Bi#`^LYOP`7wz~Ej>fb;guQ$s6j|?0^y+{JZYf#rWRCeA z-13huFxn0a@yH(C4W}_&7-GpXx}oyl-Py@|nv!aMD!mLW?I(c5wiT z!a0rcMcw!)@GZ@WjM*6NlT>f6zvT^w5(f*Bi70Y&PZJV;@EMOp_ z8w4i@ncjLj6v$Ti&62-?IA=p80@5M+F=aU?@{ghsGpM}tv~t^^~5?HT5OV{`WWJ!Oo9O0 zcMsC=$!BpGf^rPij}|e!u(+<;KqR$ymRwvTW276?L?f<{~@t=PU21&-^ z(?%Ri1EZJwV%vtJqNncdT?2?K+r(S1O};LKsuH@g%}r_=RB%NIBIH-|r8_Nj`SM@5 z)NgEN9+jUM8eb{zTZlgZv*ZMnKFFGiv+c;uDht)AxQifA-bWbBnl!euGV3#gy+huW zjE5cwL3pQ{0sF1^QON?Le8^SS*^vCR{5|S2EUmuh#U9ay&&^aSS>;d;ZfHJ$M$U`o zxAOztO!aV+J6byl#6bSwJh7j_vAirzt@@DFla{w^?mpHouf#=BF~?U9uGIox?-?4>;RLA? z3_kPcen6;HVviJq^|8hO`*ZxDN~X^`ChRs#`N65{J|btFc7dV0onz#|t$oaUA2sc7H}UQ;)=dc=}Nl!yNG7r?Eb?!8Dz@ur(rD_=(u)?|If* z*1Z}i)L}GI)45z=kUmFem4>i_K1a<#67LiUz|dJH|HO>eo%5gc=8*K^nu1-ZLm3vh zvO99A2!ubKwvgM^3&LEor&ZyAS^LU2vPnwz&CQj5H4mSH51$DcVNH>z?IP-e((W&K z9Oa_8BFnZ!6^u<;y8*+B6Br79jygXLwb`3EZ_H%xMFeG$A_T6$qLaVU{?hom3U4t^+aqL8*R za>Bs`1o_W>UT$^iwIx1X-&dthn-d!DH> zY<>f`0?Q#MP@($58AasE!tfo7R_NmXfkAs0U;{50^84=XmV>iLddI!l zuSx05t!~UYGtaPHM9-Yn6vXL3sTWH6XQLQxND`t_z(`uL4Gsk}*yF1}Z&khMgmSEeChmcC05KB9;#kR+95SC!8m9E`x3(^58%VHoX*4(IMe6??oMom+`(^Sz&%D#x6)Mq<7txQqGtP~7;A3I}k@9HeL|dhd z`j`;M1a*$MNBY>U1}r*590k14j!FE|lbW<9@9Xcst z%KT{1q^n%G8M3O&X5sM&aH2QoTknm(=dVozLn{3+Iu6qKXU4Dg5ww7Kh0&hlBx{6n z({Q%ok!b`P5f92MhADiTfBh>Lo)UzA#!bp$4f;K(`eEO4kR{lvk}1#eYNy< z7Zmiu8O@M+Su%a}Y1#j~l?|1l?ImqX`JJsvWV0pV_9JUdg&5Jf-&{*;2!5mf+hhrM zvMCl^@A}Jj-bf78klM@krDdJv1~Sp233K{x_JiAi@(V50-|}82unrG<($N@V>}Ozm zgj+@}GrZ*YS&PZA@*{Qp->So9R^?a1L3MaaS2*~*Y*rP$!G;Pn$PDJTqO3R;q%v=DInK!x~2QXY5IYz?xO=hGa`Lz5B^Fp z5r&{t0q$`-FRNabWSL`cmg_n z6ZGM4u?@Dp=cx>7w_wYg?n0N3?6ZRldQTtY^-lchNb+eD58ezw7LObwtzNGK{K6C- zmunz_loVm+-lzE!jbx9pPJ{#nVdTx762i4aDaWSbLDrid!WY8E#YYb{zvUMVd^jsN z;Myt=Nz7!ToVe|)!XF=9>nJOumV4G+DRt2Fp%x1%DKdF7GfgLS>*j}4z;`Jczi+RX zs7ec5L`t&tRTwLmMdIk--RFa-AL}HHF9dA*Xb!<-qW-4b?q9rNSLbHIoZGBlwz(ZL 
zu%!J=NRXxeT1Du+ZvCnrej^~Oe=p#PrKnN*k##wQ58*CIE~t+W8|)QABqhiltGay$ zS!(B7(0QY+dQ1a{+Y9m^td%k;26}@|GqAk=(`g8H1JR|p$a6x;@x^4<fAlDH6) zi^&l>uZ_X3y3ds(*#gbT>_3w%W@R_ zBmUZr_X-rlLFF*N4}dw!jT#eXq^}Ji$NL;L1~7F<1zMoN64>8bY6tntzeO2}G%XT! z8+HJRRx^P#Hxt!is~yx)$YNI8t2x1PA7+hiSJv}8sXa#zN3`eeP5a|;1dX+(N-W9m z{E`&U42QI%q%lFmWcgEfe2WWy?;(B+dy^v|YGDUn`MoYFvu_r;kQZq_|Ew{aP_vf~ z_u!?fOTJgqGRYO-DoA!o-LW%76PFwL2?+DXC>GCaX_#SzgUbPxC z6dc>wW=x&uErCd#ue8>lF(rg==OTP^=CayYjv&oLVzNIc9ejm4*k1dC<22OAa{9y0 zVv^Jt3}K;6JA6Cal3GQpW`GW!Ku zwbI&%5UXSLJ=o5$mdjqEI2z5%^yP7j)UufXV1wUIR;F>o&Dt~#07#}{8jlaitHd3u zR^S+}Q(~azBxo{4SC+#o*M8>vn1O74qfxPR;+#p+>Amw?=eQ=_bXBZcrOu1e$1qP; zReQ2`ZK^YHiq(l4KY{*zNR+ftR53;j7e{Dp>~01rsf(Py-5hQmmMI%Dbv{e@#PlP*Qj^c~;WQR!4e*-`@Q5``nDO5IS#kBR={3d#?AzkRJ0g&F z8M7PussMa8B>eOe?3Vf*pEb{;V7C=P&_8_kQ}=2cD?|ke_hG!*7P$4BaPE_5|K`*S zh_2v{0PFkb7?>;8G7KIx2p0&;wv##|w$HXgy#m)K#-t;_!;D6lPLWJj2c0MUAm0sO zxg?9=GXa7>LF_wdwnlTB0kZ$&h7^tO298bnW34w^LwU}HACyk=r>{L|*3UbvP7YU= zb{xg4xgw>6mO02LDy8aHg+d2M3deF793abB9C2y`c}SdtJP;|1o1nzsxohZaMS^E9 zq^2L2r+V}MHb&QbG&nyeEbSlOga{UO-M59)mnfqa9sQW@OvAO9b0TW!3&L=yQU zc4RJNv_{-6Hd*C_x@wTK;-LI3+@ks*lhhkVAxN|YYV5HaeFycb2u-u_u4Bg)ADtTa z|6+GzfW)l6&yC=#tyizo&va;fQQ#hp$)*lHmX-IKtCXzBi<7)+RZOF&7L1g_8d0N) zkO%GRX}q?x#G3ITfS@yr!CK#>5|?L>h6-KDx)%N;2bslWSH3XdcPF>G2#16EdCsW9 z3^`Qj)S*p^;sLbkJu?A;?kJ$ATCUDpnSnb1oBz5~e)i_dT&7tlfr9>LZ#-K;x^ItcrTrHxrl)9KDJNR!WXIrlG{Ot7We2P`+!z^_SZeji29C z=6Ux!tgO!=j?lb50kb+=9^F)Tes8ryZe>31Ul4Dl+-|N%qpMPC5a&5mEcPytztN!Ht1wl1I87U0)TtU` z`@Vq*Vm7!L%B{U0)1(^l1ItXQ`@;9ruYkjhbc>45!^9w!)a;-r@&l!h2gcu;zvm$3 zigt(fo4w;wd6e7?QKI)k)@P(b#`O2k~m;#$U-V8q>@@a@j7v^Q$P38%9I7x;Bz?aHd>> zWsO2)i^9M$z5hRXpWigL`F?_o9+c?(dlFlUKrc|u;}l3DS2%`6pHN;^T*KtN_qu;z zZ+r>==zd+?7=vFU?~Q6kXyA$(3Jdroisz7|!FCRgXu*ma-&ZBB+Olon~fT9=2`UMx%QpunViX=9g)o z{`^iZxB2EJNBU4->Jh)vlQsKdM@t+bx?g0MCs703R&=}XE|%v)o>kR`In>&i{2>9k zl_PO|#}m)dgkL##m+x0^FU~F&y`Lif4)TY870U=XCOM-0V*q+gUw zH(KY_Caln$3)9}s6}DIE3|n{veVZ>r+WVZkjIL==@p-k0y?FolV33#R~Oukp*l+F_j9Uo zjr3jY<#NBbo+kOzUvw^Au|;HLL*W@?@8`Q0 
zom3==T6OMoVx>0^)HHlZ*<%+fG=>G*oP11C1giYzJ!|3zAm!YEJ-ygGe<^Gj zWbjBdZL1>@pf785Pm4<91+F+}^DZ|A?* zLVp&@Et4oGUhs0RqQ%$;uofXrw|=SvSZKtP$;0y}L=-u63&)a$LbGtdSge436#K6? zm5fLO+QOSfP_ogUhsd2If7W@InS%By%nXt(Esi>mcCi5qH7Ji!0$% zfDeIsH8E!Bn)j-W&zVwmNR{RCP_}stYqmJ{mw`B;I=0-8K^QBw; zZ!wjB@kpnOs&b;nJ0z^m7q$p&ch|`8=9sJ5>E?cb*MLmJryU6oK$pO+WgH8ykK|l9 zvKNC%SNboz#SI)v?!v; znzgV%6w^sjh+^KkUY2JI5I*}u|(h?=PU&djcdDL%Al^|Vf{a%CT%T1xjJ79H7EwUKJ z>q{4*yVo6IOkqG9YE1H17ZK$5bZl)oa5wVmD7#EFX%LnIzl))lARFaZ6d=T;-t=)m z7#fDA=1RnOP$ET=Ox<~!q2*LQQt6SXq?D zyNCq)_r-6w0%v|B!~|NSx|n}94LO$$Lcb=Ki!p~VO!nM9@2cKz-u{aB0rv3br%Xa` z7M;i+(r#9rUHQ33@I#P9bun-`7_nlZqDih>PrXaRWua0ITs%jN=($QlR%^#jypx?5 zKpN1ZAQpfn6_q%}C}~MRS$rCXmwHV4o;u7bxbTk1}v!Gq&OP3rCj^HxPYc_s`#-fJ&-BWTl*~YM5u_M>6G!i!W5kpH|PGgSJ z3!`e&Ufb?2XX1)6ItpP%k&0TqXIA3#J@mPlwMVgc-2?Uf%6_0y+({^bNHze8$ifhc6{wO z>%z0svmfu}P_tfkPjv>xgm`3gvhwSW^?spdy@P3~moV?&Ta)$k-t`X%H5d^6OM50L zjUUb2;RCy71Uab@cb^JqTHiN%xE)QBDsCXryk!w!)K48Ytk$z6FXTpCOyOAoUqt7Z z^r`n`4!|+lyJjp+bc}{P=LkuClVRP8j7AKSO*?i=^Ap-J)8Wrxvk?*!cHQ z2byEsvf|OuL6@@@`%?_pB{=KQ>ghPBGIQwLYS121*$NZP`yP!Snaxzsm;+S9B>%n7 zHpfual)u}MiWIFE!-+gZv}E1t-t+D9BE8kItIT|}GLJr0;0aEej7@5^J>gKAh0 zBEH$Nhg)nsW(|O6imXeq zeLKpXGOI!T5)y|&l~~h+iGK^3Dq`4`7(f}|J6@6ZHVG}Lvr)PeNh6NmBrew`naZzL zmic~##Z|KOy&3u&8!4lvX|5;1Xvn~ZKSyA~S<9DvPz;+<*v4fx zoif25JlB_G#D}&zFIE#<)tHw$hc6SG$#OaqMyl6`&@f}Ry%ymq>Wt>omiVGh@JG4i zjx@z_!I}_9$OB#Q@Y<^e;YWW3(1(u3ol}iyP^LE0F8v=%%U> zSfYK<*&=`w{pm|m?o;)(+%}%`+4nVS!(V%oA1!%vrI@iIA`IGyyQG$yHYLJIrBkA3R zVub$7D5<(;cq@d7Q4^5k+!xHSVVMAx^aa^x9Ubu%9k55TY$V?eJ5_dCeYPD~`3_0O z@Q^DIkvnE|y*luCLp(#JA}fN0&n*~itwJY4)Nwe>Ms%m#8pnN??^)-^s&xNe`j_79 z(h)a)NG7+35&up^?@Rb}*1?Hj8x=}U@*S^)-)~JtyP4Q;dJ-hhN(0XZm8m0f>XQ)m z0V6v$r{Mo_p^SyeH>zzqA1Y;6-y^q5wEeCK*MjGZ3V|a%ze#KCFG&%p^(~2@7%B?E^sj!OE^<)lY2R@v)2Db(NA0Qs zM4Z*3MCZO%E-G?5d%u!CzG@)mJZ=!Jh|e~tCxJH;bbKfl83s|7FAx44?IAMe4&CgLfWC&|eCkT@VB0CGmx5 zXrL+Rn7J_I)TiRL+WO9Yi73FBt`K5`%`TNbvWa;T-j(!ZNhnWKDegos`6 zPY9)a)MhTHM?WUoOUAnaF}p@aJuR*_HK&)N_(FDUD!OSvBRv*)D9f+2Q33PH0&^qY 
zGDE8VG6h#{nr9wNzZ{Yn&4si%`7rWOSHBD+QSGQ8h;i+3<6q1B1QlzLk7C&`DPIgV zw>oL15yr_J1xN3XQXwMf7W)|KiBNYttcZJ!+7yei#WADdxG&AU_Fi35#JZ zTozxD!dDRdFANB3j|h~!9SVd6ft7)-kYAGxr^OprXqHXQOm+OPYCt3LRwS0?+h4upkI=aWd2wHREa?!5EJNs=~5{YPJuXcD}zUn&zTKp`6p{lnnpyeoWcc0j_I+4oHZoQB7@HhQX`~S9hW?|@j zWq*rR#rJvL{}{*UaW=Qfm#4cBS2xwT0IWPK`57Fgk^52ajwfeGA z??m(?rt&)!sb3Ric@WBNuoC89iOFTlK$WK<>c#`RK!}r5M->v8~>)!I5qey>w%UO#c z*2@e8+!MB#wcoe!IIE>!#U_`BXuXa`47rz*hF8F4(ZuwZ*?@!G>9h1OL!r|~S}Z#G z>S!}E@;nz?p6m!bM`0VR|La6NOjEn^&`$NYh^VQjk{8zb0$hmPkt;8P8xsfN`*E4Ip9Oe^dXRKdTX!CE0ptHLEWq$gn>fpd3wj75% z0STrpuWXV*wmP}@{Rwep2>xokPzC9*GYX`jcKyH&=C--bf0bQ50fpP$v)kqaSD%Pn zP}#TqW;70tbH=3#xPv28r5n$NuPV?==g+*H$x0yh?pH1D&q_5gxMu-i+$~Y#y+Sgj zN%YM9BH!@O3Co;*;0<)XU=Wl7u}P#BA-Pv7X%w2Y&Mf`=^+31M9}}b|mH0cx>Pd!v zHd(oO`uU)BP=8xlgP>T3eahjsB99afgwlBtok>dIv@Q6rre%@tN^_-Y0yJw=Ckw&R zgDuU=jQ7&rj^`BG8p1#fsz7aJK&~sE*)U4nh%dUvu1^(QC#%@!!(;;UCR-GYtp$~f zn`R?#lhlR>w%79Cu@xG(3ub#Q2d=2aohLxYP6mstMy&)m>{VAMK00gPS~sE7vENTt z?kpb`W>Geb4iDF4*~wV;|-qf?Hvaxe+D96r`SYHM!wFVKq@C7#pg#+Z^ zwzBse%t6*DYB9MfC~D;1VtR?=v;U>>>=Ty(BQ$sEJuVG0Y-+Nk`iYuJnCC zBRCwVs>q*D9~;oOF{V!y-RK)xF>;6|f=yld`Z;ObsUKn;|CnX~J3&p(`jmJbV3&kMgVIj`yW4 zVb=BgzgL^`C8p_yr02y5YwBRAeB|>7`?PVALiZ{7k>MZLvH$2$=cW-5>s`QD(Ss7+sw3%!Ou`9}&k0 z`yV#C8oOCKOf+h03Tbm@amU#LRvs?Ifo=zNXk(@F1Wli*Jgxq!A&0KUIOH9GkhiAk z0=bH~@kI%|T6BJ-7fZpnYz7}nx)fr^YGabI(%0N{P#V1zg`1I;pIJmj3}da3_LtKA z>i`q+P-9*3gVBiV)pmm5PpSKD;g!F75XGs9D;CD<6c@fB+>@PVd+X`u=-xs(t3RWD zjUW(C{hWEc6^!)w0rSOxxI^w&6T&xufeEDutfH3=37iJvRpmrJ(=4_a%k&LbtO<4- z?C5KPoU8!OKJWiISpk@RsBO%BLbc*IKd?S$GTuR(xU7fzx@mh;l|ITQBeUwKwAFE8L4xd<@J3f}n&5=9qjqhI2=u zGmAIcV@sji>}O5MI^urJ5Ns|+CN)5yEo0Zd?Zc&2*u-fu51BZJ4S$=5yhLl z6fyj|9n@HdDDiqb8%5tk);d_!J0H@&_9`M`urDVyD(d%7DRB_inN~u|==2h}T=DQ= zV?*4d+422GLuumXGTpM9Yu}-1Uy^`mn`+-b-3)z)o+gA4ig^?)6*ltv32_W?CsA49 zFJq6qn@_IjyWIBupTm}7Y@;$&!`*2N; z$ytd}xH8^xg^C?-Z0bCF?j$$JlZ7trRDdXRX#22infVR?r7W?Q6*0?~GY}P(SP~7(bh&fPVSey=OSCT-xhg5Bt}KRfbQ2uMYJ(W|)x1+% zc&E^%3aLD4pX9yY%>_044vWapk>c&n{u{XD>;9OBiE(}_ 
z%@2mr*j3v|z&b`|n>b{WqZLa4$ z-zfi>fZGEmKoT)uy`JARy-J*J`KglzZU3VDrk{xA@Ao`yMtVLmJR>Jcq*7|nfmgbj z_(i$-8PU)wu2fM%pXXRDG6W0PgI4`>DIN^;Dc9)?D3x7%J_j)xorl8RYaIm4XFpID zU-s9=EjzH5;!*epw3q7_udt;(v)*o1=DM*Ilkakz;>369N1swA_OKpSp(DnGQuI5g z&<73Ygsxlms7E_|psQ9KJ8PmZZA4a(C${6or+hU}4WvXdrBPd%rG;u8mlX}InWTOa z71vkytFy!n)|FdU0d>VFvzvla=+8|gUJ9H{nI|i{4aIB|E$Fp9jC-nE5MmPj1nJXe zz-a(VqOaxf(Gg1$z6=%ea#}6k{G3gwCBpbv}R%-2I;+6 z0m*Is)4l3 z5!705_~NRcixPt&nXd8A`!%;{D_i*KBhggl%;R6dSdS7Ie_bjRDizXHjD4Zu zkaId`os^pBMRv0i7|grd0M~($`I4sAIx@G>s|bUY`BS=-?)?UL0UqmCq-~t=MdM;R z_riE(#qqleZMZi^Yt6;XjC)-)eAl+fZgq=rpYhP*nggI2DnG=Z4B=h^FpnWI z?@?syM8M}!YlWb(PiBnXzi}=Mdn(&|h)RolxP)Zl0P=B)sn?gnrVeL60iV2k- zP~?l;4tuapSn)@u+nnHsG))yf0^9i$qy@b@AU;4ymRr<%e7$$q0Y7|NKCO+p;qdy_-{(jQ<0}s?*UO7P?}`tQS91*SuOFy2 z-ICM6zAhq(>kaUT>pDGw!@tmZIRK3bMYcl({4JWOU<@m-fjZ>Um-Ok9@cr09Yu<6V zD0};LdSXjlhbAN{J^8=mlN!cJ^|DM*m_pL#mPX5)!X^FAspPdIT@2YRy6v!>Z_h-v zZ8f95ta)61SN&|(wi?oEpnqA-DI^%*zYMH(W;%t-7(H40IAPVyW%K*dUx{JMJrnXG zK%kYSt&`{$Sx{FOIDBZ3&~sRFl1`1|X9ggh~yo#@0c+T6xXTl%1FKly1;6V{^8 zyBwuw59Po@H!-4VoSZhZqwE{Y#qvk#i&LRCipmxC)6NrR+i}k{LyrAc?%v{yq*mcN zP8Cd7P7=ocZYx}q2k1Wjd_u;3J5Ow=m-Hilzdk-$qnm68rzL8Fz5-^6DcLRQd$Z2{ z5>WZplxS>@1TL(hJ5&JhpM39NhNAJo^*Q^G2RZ0$Twr}2JhIFB)_!f0n3vQ)BDf5c zwTQ#|m5Pn!UkJAY<(ceuI;Y(xp+oA)@b{C)U5%hmE{WQ3X?@hLOl0}Fg%Se@QA@gr z%vDHXlc9|!76Q%kWq|rGKoqu&p{XVNK+h21fHge^w{#iJz_l#Ob_!(FQ&6VrRzX~_ zhM{gU>A%eKW<^+u?CmS_FS}jcy4V2Z+;Wx$g;a|_*<7TMRwi z)mh1XIAO5nKAOqJSt3qhsh}AN%DL5feOoLw*Tu#R@cD%P3v$G8e$Es>tNxK~ z(u0zfme3OgqA!6s^+Ta29^Aoczy_Lh*U$2O>~k|Ps1n&`68%N$1DRH{`-?$@)iX$S zfqT}ykvZU0SXTIjN#I|^;7lb62KrM|VrO|%Ij_{%vZkVUAWtLE9Z<%Gqp4G7)yPD` zUws%u{-HVoaFol1^_oE!O^Z*%mqZfh7aRs=kEFP_wXmcx0MPedUCIdy?&5xLG zd@xs5cZhZYc$cvJ?RuARs*iJ<4%OUN`o6^OW=6CGGOo*ry+29!+fE4*=ZM}5z4(fv zz#8hlpIM0?L!3rL(b!nca|nQ-oDg!WU{c~D&ulZ~#cMUU4^G2Jk%K*{m*AU0IuKS3_V>_8WQ z({u6Hw0@VMGXYmGm;uF<2{px^^6p!;+-bV9rX<)A>*qA(l|i)B7KNR;8&xp*hDZNR zsV%;2kBj_-zx>6KsuK)!p`qNRxCIl$i;Z$4=sQ2c9uzp^4O5E}Dr#c2m{`z;V(Z(Z 
zc)iTC6j8?B@vMaObq>(+TL^T2P}JWRw7G4Yw~EmH9y*Oge(Xj(edy-2XWqK-oWkTS z+|p_ngq2kJ6j!VqtC=|I4H^zzscdY%F=6!>I&#axcSmOD6#%@c7T5U(W;iwbB!D$%*Lx;{uKW-!fqgq z^2>~7O2TTJ!kai7nj#Pl<*a*i3m~Ti&n}|aLT|M%P;wdoqJ6!PI!R!`5vS;zgrSzd zr09B|YEWNvsHOj;q?qk|==ZocinL}wt4jP~LuIrpNTaOTzsJIxuh-$o()|O3QF;v; z4+@PSvjDfa(pKoa8;}g7Dy}|=^#Yd zPNT|GCN&r%YbL&=@ZVQOKHF#&ZlkvHP6U%#AX~AjFp8(To-uuUC@JazwTI7NCuiZO zPiX>M`LgVT9Pg(A2%lHSi#+&@Z>VlD`OY1yl`YBH0N*%IHOKULdrPaV+I#_o7hpg#X{^n7bZqrO z%iY73-_H<9PY+KLfB&fMC;#KZ&jDnw5(4~!VK}AL5J0l9Vp_8XF zWb9+K7w04m_1UQSBUv6us$#@XhL|tml1*q?V+zisIAlWrDmVm|^RVq(y95!jSY~rL zK)p;to;_LB51BtJ{dq}H6Ok7>yFu-X`7Y?#xOk3{|CU}$FDRHE8QWlPwAR;}` z-R6)z1SYYtYhWR-HZR(R!77@0xv7>;N#;^#Z@+3x*WQeNg1S_)O4$&>yiNU4-zpIG zLPOnz4H1AhnmUZ2VUTwKP!+ReK#Eu-IzCPzzM9m$`a45)-iUd<6p$3|_5QWYP}B$M zP}G%qa-^({stO=I{3l`dd*|CH*}V@$@}VyFQxWSqSf22_rfp_29WTDkR$*|V2DA*u z-}K^NC6q0{%RN%-ne}&EM1`s^xNkbY`b|~;;wcC*}4d#Q5~^_Ai=iz(VDq;zvqCf273#&gV)D zI8CzBn+~U*agM7k*Vw1#zb!{`BI|rh^Qw+2V&L~4o( zMeY68{o;ZKyZ3swG2XNytHAMlIMROKiX}^!G07;$&~Wll446~kp!0^bEl0{K zJE~?zzIwK#OXGxjFE=12ecse?^LiTPX?Y=1LEzf)_G7xTmC{^2M!+y^$Nuko6kO{* znk+9c^$gj=AzAovjDJ}Mv zPw+&;fat#1Ia+G+t1V=ZkcY_@*M`a_S}WZ0PIm$!pQRA81SMa6+E+x@#a-mcJA7=p zguQgGb0d(y<2ZGq6BlmF_gj2p?Sk#kQlu~nEw}D2dL9TKqNscj%Xw<7I zNL%zRgZM*oa>)^3a;j5qLi^EGZsD-zm+O)GwyOP{42t+ULQ#xNLBa}HfC!>|-8-Gi zBUn^;q?B~I>{uxm%`C2?Jm=Xl&|3ryx|P9$b9=r>_W&IieyjR4d$&@sfsfkZvOfwn z2mtP%?6VWDxsF6LT(#PcBV6@Ku=fcwhr*q_{Faqg6|N~wf(-yuC)<*0XZ(DWF@B8}(e3(tZTvU*jc;vn_VxMp1H2%19#t$9la-e&S+5ItuXc@peYcf zCyN#r2~`7-o)nFUr<*VGn@=w1-)Q68I(RK5;#CjL7ZK)MJf}L9QPq7RAR_Gjuc)UyVgEsmKU1L(WL-AAoL%F4loTt6fy)+ z$mtQ#7ijh-@b*tP#T-!$&O~t`8oPYKWyMh|zlM61!1d$dafQp=Z_%W6a8mM*tly6_ z+aJDi?s1P)yrU4%ul=cK^NbU|DPFOb^HfUo84050w;_>WiXy%x$Rjf|^sIsTdyRcR z^U%dp6yI469WbM4Q>sOJMUi!G-#3M-5wKfQW)aJnahOMKd_j9?lHomr5Dmne$}+mI&`q3dWycR<%KZEWo2p2t-gSi z`=rNgA}cXZ+PCG8%J*XUP^-(kp{IAuYx*oVir)j9-3;#f^fI(8pbd{w6#4jVBN+Q` z>Go^W=Tp*=^fHgsHB7DYy};ByAnNskd&T8TFp#BJEG0x<(2Yz<^CPK8lNbK(9=fPV z;ziWUoPbS$)zaX}mB?p$Q?Y^duA;ytP|t&P^Mw0>JVtMp!@SnG 
z=>$mPn7$tKvJrU!-U;TgXLyyvtvX%w-7BP+r!=dF(@C^bp0;~`onr#f4C4Hck6J&1 zy4=zDVog9-O2i_3_%npHKlf2>dn)%_#~a;nBZowm!Z!-iXejC zX$(EBF#2Xn&yu}r@%ZpTBpqj2XPlslN!uHPfJ+;SCCM$~*!6HW^$J%H5jbvH7Lexq zhGe;F0}?d+@#YZ7A)D*~s@mV~X;1R7`hmr_*SVYqGghx45W&I{dh3R_ke(a&>xzw&I1+h9Eb`b=+%i;<@F&SNWsZWFBagoK9SJ&3RknNttCuP0eD)@M*tHOV|> zzYu*O(iBdqu9;Zkf7d^QimxdJZ4s7lszss5{M|^Is1ssS9lcW0-$>pcr-S+U&zjeb z=R{!ZnGeG0n=A8)5S?k6g%z!3b9QMZA6Pp0M0Zy#v2U;ZM!6en`?~xFr>}}Ib%*AJ z!_|&LJzso-=N9e_)8i5W;=9bv4;UY95D5}3$QI2jZ0&ZhF`X9+1cLI8urM7{j2p_B z{B>Fu?LRoNs#??fmv)aj*dZ*>m@d3^*HU65@OVCji5z=NwOeox;~l!?X& zL+?`qpdz!Ew5*dnj@*farqH)|@OCf6#@{WBmhr4I5kH-JbuP2_EO4@jKfU<@^yFs= zU^khUVldhKsO1d?gn8Q|!N8|W8EvHS{Q)0}ZFsW7gcPZ2C?LB78_15>^9mwC)leU` z&V@eWt01i(?z{tT&06cFwZzz9iHpBe!W zGjZK5uFwY?w@0>jlw>t3P6v5hl;+PvP0Q5Zz@Jr5n>-;LuFL!es@fX0-87hE&dShS za~mLlBctP`<*L_Pv)%85${l_e-*r#rTaA$5HW+^|_N{=X7n*^-Ple2C{ zu8B9aF0;FE=*XN+e`#J$77*e+%Bxaq8M}8#c9IjfV}nFmVuzLfI#hILd`1|$P|Uq> zt&r{j)xah8C1P!Mada;P3pE^8CPG2D#X7MxG=kxczAX>#&RxN*L*LJfPX3oIbK&M+ zp{6cKL7OpBo8$CK^hnAXnn4oLSc@mwenlM;3G4}RH%#p>q2+XKf!d$GbsozCpj!P;tWtN`s(Q^wbfPrEGn#xdOD}Je znH|h6@=gkPK|N)?{Z~wCxE+^l4c~OEMtVU{Qshqa_;$6<7J$iEU~xQrck8~)tusan zajZ`PHbl7X?B=-hFa2c`md!04?-*AY!Q(Tgpz{*hMCwL)<1zA0Qbcu?+_>MOLtKvi ztI{^MNO6D$<+X_g8krGZ;_GNE((3{jXcmElB{I6*<1};lS?RC0fO$p4>n3R{mBhsp zLYLO-+tx67_w*9?M5OQc^r5q6%r-Ss%Eq681iOhz_K{k# zdWZSqvymLz+Bx@dQo#f>ycCWN5tno~4)-g~DtEjxK{U$*(d_V6%Rjtm%^j*uf={y! 
zCbGYO^6t~HSZ&?4ta!)6`7(^_D#HBT(W%ufS3OB#Xd`0FPj#-O4H?jAZbwzL1o$7uE+T+St=n~bLEK(OQULE^LaIX{p>x{B^DEch+V z$d$?+PguuZI5|`-IcA1ay#7Iwv^EeOB}6F+st}1cz*U^OH;VD~3W57?ZY6c0Z?pE* zm){ltwjAOs)K#B#I(w2hvUN=;=t%FE^>N#mpFRJoosGv~O)`~e+!6~WKvPV(o;7`W zq;q@KcSM$&nzi6>U7C0Clct7Gif$A%{*aS9Zev$j^1G5L0fb7jM7%M^S{$!e#SH&& z>yn&d7fV#*iF7_Ex8JM1p@a8bX%8+_Ntv&w;703fa7hOa(c3GYRg7UP^25BS$S!>U zZhgaO{bCn#n5s}?{9=wsYBN(=c&R<;d z?&jK$U$tL>t=>6ZD|cDTNM0{HdY}Bqsl6*N!vVR}$_KLOQA32{~b?ApPXy z#VRMI+XWPXCDir#E{1)4Uwo0X-&nTC%H1v`cXry%(SM|`WH)!|9xHfOc;(J9?*EDQ zzHaYWC!sw%oEZ{WLxPyHNlsVrd%}7B0k1LS0)K>JZ z7orE`E51vw@p8P$4qiwHfIF-K@uoNOMy)@ zEGXFE$)>!cK5DCAOW7s;PWP>o-(mwN*+0hYBVbb8gZrSU%qQ27^bkwgs4cC0I!Mp~ zA5FQ>#^K9wXz(`0=<3TO0;K;#!JXoi-ntt3&#gNfGRhDc z#ABD08I;$3ER_e-19gr3LuoSF_Ee7fnjXz!^W_V+JT;w0>yNb>%AVPw0o9VqcEHV1 zlQ{=2Q}N><=q;ofJjhax#nMun3fvq-EbA= z{4T=J+;qf4Bro*G%G5ep_ll0wS|NKw!8qWwKg$-wzm$7v&^c6bl^AH03`u%!6zGHm z75k5cUBN!mxRZPgDhg1e=EssJrL}=-zb!FP=BSX#Ap_LU@EIUx@whl|&+YqZaxTu^ zO%>>ZwW-tdf9z-$^tH?}t0nb2(w+PHQx^!aU`j!Y>yEM(`+I}TOUZ@>%KvjME#K}k zu}WV1^dh{lV;WNg-L$+rd|vifd_$}-sr|mCV|}8%nVj~w09!B`tEOZ{_gYo)rTuSZ z2Yjo7h-Dnd4g8x#y$vBr!y364>U1?+Agnw3Y=b{6S;pYsQR&uRv{4g^9U+;hdQbT0 z)lFbuH7#^i3%oYw-A};bA!sFB+>4tC#EL<%DLM4Bp$F*(?GYu7^~28tuubM~D?AMo zzT4VZ@dTFvHwZiN&(5r}6+Zp66uI&FS!9)8uW6V^g%Zk(|L zV%=x)9X$&19j18vdu^jsfPGvAXE-XS!xawFdYd)=dBspPliZSeIdke8;am&`jD{Kq z$(S+yk6uQMB3>Yko7QdT%vj`|fonHH-o9eBwk3|xgJ&*}7b4796_(vhC&rBs=k`M> zk$|ycA&jqz8R!D3w?l>;2`}C=aQ)2%$WP+WZep6-sM7;e2~X9-?2SA;M2;w;_(7n| zV7r&t#JL1=Uz$=VnD~>Q&5rT7jS&2+bhL01_f%n#_JE{A(ttl#+sY9Y<0JWT_pe#u zi{isEANYVmGV5;AhYoAbn(609nvL+M-^2sjlLB$eBnSNZeVZwLOEanrU(V73B4X;o zwYjiHhJN{|f3b@PBp*oPj||x`(UEn~GnnDzvT|hfGZ(AOckULLi|`Gr0pJdqXg@RhZat#uF3UeRc3DF#rZuP{n|v>F+>d- zj}F)V$50$g<;s>7kITK?UUI_9VSrTy@8uIPi@Mgk`tc0i;-LDalaxnd4Wt@_RP_8+ zFdI!gsOo{)5Diy;P-o~Ly3O=8mcZ{+F?$aOdrwHw27ZnE#T8=v$vJ8Y#phE!=B$Gz z-cHp&(OLjwpmQZ*2q_AvxUy@cFY><5KSUQNP&)p48K@dy5MZ;^-L9-loI1@p*j#1Y zNK=m&D5Gy-7GD~+!W|IRG_MX@B-eV(PK+oR#rT$O%?UTn~ 
z*%RFX?a*Y0jF=H8&OeyfA&69%hl^4G;hjzzKUPE*tnuqDOW5y^uRM5y+hK#W^En8PFk>5gZI~OPUSyFngJsOF%n@&(avC<2Sco=3R5uU z^n3E7wlQJ}DHGA7bB6Y;wr#sZ@0uhMEbrXz_WB2XdhzP3R)H=GADtD)#esYTLmmen zu|otA6R{8FXFlQYWmP!#1`U7yy`ZKm_g%t_tm($y+nu;puJ3qv`9goi9zY(r(`yyFd2Jm{fAHcyC- z!I4}?W6sv7dt)09u+0k^KU3>r4!DaF%JfZ}8n$Eh`>A^+_;-mY1y-4SwAmK2F!FEm zQGGPw^UIs6ub;uI()?loQ<_|x=eGqIFQKR=eDTtfEn6->4GIa07FN9$0Nv)Nq?9xI zaqI|THsb)(`1}EX=5UQygs2?8cxx8dj%)_nr0-)%KI@>VP0>52(3w8mlhmpQeuc~}T%`<% z&w-nEf>cG`pNAdy>lIDj5!yz6IP@7`R8qVc_O&?S z@3%SYV$tRlvB@P0jWOtbswV^QVTOGanMlaT8#Jf^U3|Ns75~1+j;AMe3#Tsy`d;O{ zT@Xc;H$&*Cu-?XGK9OoY0l`~v;vCeYtJJdT5?iJ%ORVX<1za+#&>iCC@4dd4*mqPp zeneF7@$YRMu3Fvr3w-PTARm8^U@ksXob5Yh+HCr>VOm3@Z672fn1Di&sn@d*k%Mr0135GgDZoeNS)CdlUit+;+AQ`p!Tq5 zRJ%irL&l5 zT4Vi!sMXQ?BlDQ$60!XCm4msd@?l|;F4{7$Os`dJ z5}u}MB&T5-&U`UQD}>@4IEK_T&nski`s}_0!ym5UVe~oPdOK}QIRDuNPQ7^HCsole zsQ|&<_L;>^u>osUE2>R$l*=2FR9+&Azm5vkCbdF%wg}fZRKKWSFZU`h>QO7hN6h9Z8$iD6eGUboN5sX7oh`k)?NVJU4Kl4n9DhKsAfc3W?qCx6g8d z5_DbwPLcnhrgQz9)+qMK-U8Zs5@2MYOE8OnDiSIvM1K`cmV-n4_(O`J9wk;jQrt8> zjz45lIxOW|1`8ntMvM`@sQzI9Fg!Gclj0vsTH(nH-NGpd{SkphySF5NRAKDsrqTDl zQ*sd$s}Uw>agSeBwTOHr;@ywk3gbD;1>xL#2Us3RE=oc-&_2tOY}C6v3`Pm>0Xw?& zU`NJ|?;Y{xOaL=4aG>H5_nK~-jH%${mZA0xnPMv(&AiNcqjS<&c2L+YrN6P6=b*VEVXR} zj2-0$jHP`-+zFnzR!XX1T_0++kEY%^4>V%_<*WrIxE5}1P3ORgmGEB(E%g8?^`7|? 
zg8DexICjPqL%n+tEF_%d>6nj!r}&il@|J;}O~6L7+vc1WOZW4xw_U5BEvQA{;C*cN z9z{YubhubgZChn;5wZ|42;R24FgGn6iT071(O{?G3!Q@t-1e9M#hsn#u$>N!IB~1e z^FxEjx4sO(9(tEq*7Z+vQcWA$HPc+PgXg#9+YjC5_&2qZbZ%P}iz%ZGDCrKksnUDa zNMu-0xY`-QsJ0%D5=}Fej59V zXvI@Rrf7YV>mfDDWF!qt$EsSori;HdRljH|Aze+{n*$uyfc|prZveE?g0tc<`$xP0 zD-_<3WlOcJc!6}VjMbRl^#je{2Lh4X_J+hP!zIMOTCjcR%=DjJuq_8z-QCjpMWu*@ zP99QjI8BG<^zD@L_oD3x{3qB!L}H4q0}-hkdVzACbcmGEKr!!|2CYAGAG?g&pic>= z3c*hLMR0ZL+#YCQ=l`^M#h0}T@yz!*-GLg^0Vur^0etMh1*da0cBq&MbY|3)o2t7T zBt#hLU30e2D%`1`>Kj%H5?2jp}bSJIYVUGD{Gf2g7DY5L9^=xv*Ux+B^ec+5=si8mQ6k= zM0$&|w9Qz>P53)j0m^@h1_ICcDSuHF$4Inkg*|sAqVYrqa*^_6^qXFBHF8Myiq*Hx zHlL-FhpCTLL^K1=4Imw|Eag&hY9V@oKDH3Y1Rb#Rx?=vg2bA; zY*yjj$KVVK`{m4bpdJDZM6BYNyoWpK8u zyRqskI62}h@{2w%+@+6d-Q6AZ)Ae5<9EZObu`ALEz+058{t2;uni(GKy>i9!FYbES^aEZ-R$7FXBe7iwfbf;oNVYBxO#{ff+SPz=(s0xHlEU3 zsp6mDno^jp{qV4N!Sv*wAVs*;GM&&0Me;1S>X9ofQlRruX|UV9S!p_C)qXik=gnS| z$F=cU%s%^?>^=3>b>S+9JBC2r-M)Fkvf9z3QMokKEFZqxq+KT&`n z@mT?Sn*KtmGhr-EWb&w~Rr?``Xv_Lx<;cD0!KXmV1_`MNY`bDy;6bH3#wY){%^bMX zb;U2+W@S;*s1?V+HLFIg3Ln&-9RxZzd0bD(*7jJ9i@ds`vpw%nRQ$MVFE5T)mcG{1@KTYjH$Q={w{S zmc3*AP@-f1qsnit`S0V-=&NkS<0NL3clcSq^Zi45iEaR+=M>DF-_t|)?PZf}N%CTK zOcLuq+*ujgh-WfaX`9@ApO?p3dC3P0QY+6$F-}NXO!F`v(TU#&)R!ZU*4@e+>&~~W z*OrwZ-T9yBG`q{yutw`^CD@PfGJrwu9jK=R%=S?N^zkJXV2S3bgm5^t{&P&v-1$!* zvv;f1+dL63#o|4DPYS8*?%E=Hmt=k?__gW755rPA-sx=3U4{54Z%$h^%)cS>e(%#u z=cVMR&CAm&2;NyK8`l|7S02Up7QK`#<4}71172zOAHG>i2NOMT8LXuz{?Wt>>qCCZ zH7qm$i0&~{2MuNo8Kw=1VUDx^6Zq!^r%g#q zN_W>KBrkOd>F$tjL8QC8Q|a!wG^l`dcPJnr-Q5iW-xYr^e*aw7I%_Y^KC@?L&pi8? z*a}{^wab_r#i|b)BR9?ti#&2D&~nG#2y67$lg-RZ7IWaxKw4Hv%*Rr`~89Yo9lA=44$iwLH3U=$dTHELwM)QrLs<9|1m= zhR~-$E=wOSnsXooh^l+w+AaRzelm_)?5H?siH2% zSBMFoCEEYcG}uvFxUB1-0x|WCe0_08mU)Aq{=KNu;KMIH#~G6PIZZtig^}I1vy1aS zo7SyQg!$+OIU>7w8{>(ZkzGe^p7%!&zRf?!Js(Z>2hs7;tB4ctCoYfg>LbbD3Wpf? 
zxwhz0V{%Gb|LQWoN-?9`KvdSO(X?Pd;TSVf#!v^KPkfZdoc2lT|9qOM39#;|eEsqn zVe0)1?X)X|e3-#iBuMw3W`V^@j%x5qOW2oWrm?CJzU;evRAm>NUku?UXVx!nt5F8) zNz)dmgKK-Urm8EFI;yrb#)sc$V?AYKRb1qKO_QL@&m$SBv$i`A;$x;Oo`$eqXVH%^ zuaTV=<1K|Tt{*0h30m*Tt0-U__+@EtK7#C{T7nT&Gs6j|3|$SDzJFes!@Ko=yjUQ^ zqg`1xQWfdUSM9>R&uU9+O%GI%gg08kb??~fI0Oy9@=8NODyLtE}6m-1TK zp{Df;ThG^S8-K_DZp=ts9u7_LCRVx3e!-wx$jZ~vf%z_5I48ec?xQfZ+_n8k-V8c^ zD2-g!6jFf^s;Vo!h)zviaUbS8wZCi^H?cAD`UmT zo>24=i>bmTo5q$4SiN-y3rc{hQ=fMp2CXM%y?I~W{M#5J3oRGbaIMRsW@ z{{;51MfUeUF?Bs1xr|T^-ONQ>lAQNORy_v!P0p(V{`M2A?Dn$vOGAYQq2&Q$s>%nF z0F)q8X#!0VjNAC*49u4hhja+lSEl@z7vO{d+x*M-mA+sZzZ5Re1b44 z$J1C5inXc2+>W??m`?QL}&k+^t9S$zOlRw06;1UJ)K!T3_o~bu>nN zi1+AJfmg4n+lF=2iN01F^b^;myH|6fv=d56!=|+dYLz6+ z$ZLU74z62)91qXY{Er({eBVc9x8LQXp(UwWD$4cnqf~in_FBsFmWqN#gw#_9U;TzZ zC^sN`R7@CNxpxdNCd|k3R2$mv-;EWcKv#!$$+l|NRWqP2A)LOU)dzl;7hFtLum*jP zewuD3zVdD7dq!fyE2MY2MUBT3>}Ey;aDdg<7VeCyy&MdA?B}K_jjWS5K+c%w^Nafq zD8egN_-Iuw?E8+hIQ!EYa+YR?iyWQ?R|T=&Qs_ID_uX9Ax*w!b!>L_p5f__^*r9UO9VigKPUzUj#oW*dk4te1QTfPi8Uxu+~ z7A5dhCg$yOor}o)+4tJ+e|Gtk%y9Xkhs_RbZj3CF@PJ4MwrNvcY9c_en4og(vvO!K z1wTvzu4mS7xo2YPH6wj*ZG8?O^)Cnv&Y9Ioq>#Ctd_T7pp)7pvIqll6z_~STja3=0 z{|54opZc-kyQi=s)PFhs#<9um;?R~%|54FZ(O-3Qa_!OoG2r~w8HMBDBNT?PA5Mz) z6Jhzg8Ey69j5KRY=e|Af9>oH&rF`R8?qB%Fh8Din>IawzL^$F~V{(wfamnUMO`73Y z_-{q2Su?p@;{CbU?1^Ai(1yRf_Rw=|4>r$h%Q4Pcy?>!x%jW0-K}0>H}a+tLBc1{pqhx zi~L=jGcy#*PzR=NPIA)BD*I1E_o(LXC?;@;b&D4dQfY>~>`0!B-;*lu++>Scuv1_^ z;4M6V$u6^P>ch@wZ^>XMSs%9O+ju1*<4=4Lvd(le>0p`MPu(JbR_+x)!`7 zq>IV_*kTPj$nYgzcCXd4z&Bp?Vu`daq9v=aV5JM9`=34Uc$}(bjj0Og31Frd2UJ-; zE;Y6Y+O+r2tuyr{QFnOJll}pBIVwIdxy(z~{D_=4pV0IVy4C(oJLG?J&~HCyP2tjy zh&uh~@`&d{wba@2wd{~AY4t!tH&w{@;o|z|qG!|F68Hzckba}g&%E<^w_Vx7ttxFO z&GRxRH|^*S*DIA0?n>`}?p=-?n`rXgK-%pEmfswr9sOh`fclm1(mb`B9^DSgfnR)c z_Y-Q~q{namja73gk4~w6_}jZuo?BP%-t)l>&Mz1Vr-}KyWx=jr3|IDAzhXm*zpCt= z`i`fz3tR3F^KbTCHx2g^efVwLm_FAn_uVe+O|Rj7Sj;&CM&5F*v4_9js6U2 z?t=pgxYq9!6`JGF2xA50TJ=8%W}#o?{h|8VAVf=&e*I`d%bBEW(d{2r2k96QGN_jI 
zHa(FmHU-bLm32r!uHY^T*j}Ua45GZAf@*rn60)GegMCT~l5;X+?vj zT@cdFNWWmj14A4r{@*DcwkI0f%(5{)K>bY7s%WwY*O@4x^BqzkRu9BnBSCw-DFQYh z>ac(8rwgN@e5W&=xU1n~nzNsto#3g5;aroo@h zYCYLA7Zqt7kUVTeW}oy$VCk6m(n$Q=(Mo8657X7i$RgZ(&;H{^L@;3YY2Wxh>wK-hEecptj(bzI3A2 zC9hAB3nxVhcZu#U7wYPc^CbE$`UzKSSH(wfLIq{gpQ=a&@;+UvqF-2@ z-rM4}>Jvoo5wU(z8~E;;9r{qRWKb35p5mTJ2-y87ZmC`K1CIe)oq3N9$$d5X5EGUz z=GlBryYVslI(ouPz~-xVSpWr8d`QCT@cxtW8xJZDwG{7jXkY7)_!W9%8_{1QR|r&H ztM{oDmsYG4tJn|D3(4)uLcjA4V{6q+CYCRgn$=t5?!}|~^aqgb;L|)5uSq@Fvi&8V zl8YLo*ew#VYq5Ak?=_%w3;icKQH2QlW2_`i`{6;Y2zp!*b&8Ht*o=#RDlmtxwX|$p z&Z^GAtL#O3Ad3^4INvouk;6f@)|T1=O~+5^kO*?ng~|}F z4~6vK^v4F?!l*mhytE^QYU{|)+-wcjtlklDv%Xpny~eZ?Dxb(fo1)~^;K%`lYmpA6 z6xwTtTIwa$I!X4vwCf~zwq=hF=oMn!D7zx7B3dCadp=zf^{$U%sV!;uLKPd;~L36 zn-s2Q-;LvyiSab6a;qPtQgy^*w< z$1on3g&83t*Vte!b?m8F!J(EIbc|sBGbenDy*(>1(r8R=L~Ym`EWp*{0e30~H}5)9 zrvSM}{T7?K{Nr-{E1*QC!;vnWH^q>AEZ*$#&87KNHCO*D)X@BaY^q-rBcb`<|4=#V z-^iSxg?E3lkm~^F-@aZ9+YAvhnYPg#P~9{P{lK5Wd(nn~z?xCTa4u$lX(#&6U3v^aQ$XA$ z2E<)@O6Lho$wIt?RR7$9nIXFowuI)Af3-t~Abx)nJK3xBz0DDrukWC4f*ww0(h4Hz z?!l33h2PS2`YESEnaY~FyVEN~nxTl7NH!J%U(xBjTVd^Ep>gA3ZZ_bg>1Li2Lgef2 z>0J*O_jpUpQmj9l+EQ}k#QTI@yL=&7oLU{f((<^@^huJUWi$OVaX%9IFZaH+6|8kg<-wk${P}fWo>7X z&r-4+>!bvZv4ko&Et}vQIq^Dm)Z@zAdA_o!93aExBT9?aeNvA~@e{2T4F~N6s2o@V zkLGon$b3$d_-xVDRje7Z>_{nO1LUigC@6%SXS<)tTY>UJV}%!1<;t$7S5K>^S8wj} zxvWJ`?`t|QUC@)=V86~D3o}?+;J&JDqWMl#N9IR?JAI+Nl&*APTggMqajLNGnK|ke ztsDEJV$%&>(x`R*VCAGPT0l;a8#Eenwqo^kBE(r!F=J%R#49I|M7&ns=l<#}?M7Oq zjvh>zG;P#5DAsKSKRP9~H#&m3Dhzm*P>LH=cL*M=acLS7wh($)VZ`ICgUH}Of5Gj` zc{{#-NPW#=;CM@?Tr`DYdGPxbvfVT2>qr?sSN{9yu5GF?3km zT$`?)=rD-17Y@6XwNJN#zBz&zBcH-<$b(t7?gi-{L3!Cj1jrFJISv4MFlfUFqnd3< zOc&lvd&-8Gp_@VMIV`Z>@)Jd6m7sux1&3awK~gx6XBgV`>E#E8$rrc|iVQ=G)-Jd6 zs7rXwSQgR!xsAsnr?pL6TK+if1hVxNSSKKN0C)ETD#uIJ@ao}&RV9kuV< z63MN#pue0MWnwy1llgqO%}q&$t2dZ6eh6HVwdBSE8jq!G0LYD4^k;~vcdIEx&u@2g z@@ovn>zXe~Ly85l#?h%0yV%x$ni%#u!|8mt%dEccb+#{sf@#edR#fQ7;>@IK!39RT zr*nFFcX+3lJ0+=)f1H>o4biod;PZGH&|&V0Yw^>{Go 
zyPa@tTB%lFv*Py-pypdMIJ!}wOFD3iSh4X7$`woZs1cRzJi#oX<_?R5*TA@47Xo7&wi)MEjJ zI)-bI62<=t8=PLi4l_36n~P7$IlUMQEDu|atm2vTwXt=lSrQckYaAY}AANge6}cvl zbVG7;IsRh#1&3{PU&0OKT!KpxD3cz1zyE7)aylNr*s5p&4KTWqi3SgraGyxz^tffK zebBJ@r0Gn|%`=kNDCb1imYNV>jPJ#7otaB&hc7d}Oyj+jPxf}ncK_?;x5K@!n0Kv@ zR*l*|`b=7sc<($D9PuPFS9t*nx*#GlW4`8QR{2r5r4c zgD`wHl|}`AKj1L%9yh4=6t@2d?Yx_2*qYuy#Nh(}FE+O;O^-V`^6A<}kTHgoLzk2I z3I1e4-)FvccjZlEblprok>fV`@QPa@1P>Mw?_llTH!IScC-kPuDFuM5LBC*8INd>+ z-XA0)%-yB`c+@U7oH?y|k;(>YBU_oWiL@EAIFE>1M!P(9vW;Eb0BrR18kb#J;hxc4dRjjn+r0_KPBk9l+R#sMIU@35M3PyWWZzA*@kZ;UO8)TemsM8;IWLOQG0iWhSV z5b2QpqEJqhb?mg-saPl4F5w@6&Lad`23HT2Cf|zI10Jj=mL>}Jsy`TG+Vz0*hGIKy zW11U_%y=ONjFM<&+6R!Qq31u{0$ivsqZ& zmde=tad6CdGJ@}4aMvNQ`b|^#R@igRBk?_zUif5)lLX?#@h5DpqMudatwUd zxz!119(=thq5>;guiN3~Q&V@ImdGL+P8T1`D4tFckyB_T{!xS%PeIyr43HjwCC5g_1mV^%rK({ZFnD8#>0}n8PJPM3ZxHvhO1nN{Q|!C2#Y|RP0ZMEtU{u% z93vXF_AR!fgBWl{5=3p)coRhSH1)S=biXNK*6yk@h#wO_t-Ww?P-=q|#tmhSD{5nG zGDJd}r||}j2`H=kP}Xve%xmUSX5c=@{htm!g(D^K^2JNj!VlA}@TR;~H@3(bD#eF< zeYj~lchq*7vu5S8VvF z6>r#DoPf2`XEFU?Ks}z^Hg;o#m?neLK^|Z5*#;|eal>8AW1gBdT~J-^q~g6C9cOl; z_*3elfM{Vxm5~^YsPQw>YsWsm=JUBaUBWu%ntm$yv7bDNJxry_#Z?r@6!|Qx%yGZO zXqMhV$QGK3F~tJL&TG9FA}PXJv17WZrZ2)8vC#Ru3g3Wpge%tX#i}dZvqDR=H_9t1 zfXbwH8k;y4KD4z^4{fLm(wkHnAD*Ryy@xjQbKBUONu9$;53HBq9De$U2gKR>y!t3& z_##xPG}*)4EgL=eNjNrS{%=Y&94;{7f(Rveuhs@F?3E+|$oCl=S-Z@gfLL+TvRRF2 zYk_49#%CvejtPs%^$kBrW=ifHQ?024w2CPLZ?KO>TuX8CxN6pL;z@7?Rae(5d1j>X z*EvGlrA*0GlKS~+e;OPUXEyG|Zi7krq9W+GRdy3#uxUo$OfIYtW0!*SUv3ob>E{Mj z*NYdZU7A)Z++{ix2J!>g@{rXibs2Y6xo#do89DKzO-r`o#m(fto_N$4J0zQ+1CsFC zZ1l%Z!Y;=|ZM`XY_lHrjBc)T*6|dm{bN~qc9_5SlVqJkoF=f$ybsS+&fkoTduV|_+ ziy5jQ*$WhlcwU_tV&Q_59 `H%RqNGU1M49!dF9!P&9$^@$`0gbw-di)?_(_-kTDau~tx zan#C*ZU7mx{ygB7|8Hh(+Et+Zsu*o*I(?LV9>(*F_PNQC*CH{4Aun3U!i$V!e4wv? 
z88|7lXbPm2;@XWG*mMkdlF)nh4D2X-1vXk>2OwgvLF4COnQ+C)M^0mbm&Ul7>_aVp zOVi~>`4Gr0UjI>FjBBCk@C~A{A#OzeQcfj~@v)$py|U&&$TJ`n9|6DA)wPHtMUm~V zhFSPQ{(X=uJhk)YKr<>y-ijGf(&Xu!vX-vJA zl_@!mRzivD+ojSU62QEb4tQ(LNF`yl2 z{4e7Wt=qo{A0f>c=ADcAOE9J4ZWz?Kq9Vk)jcVccNM(0p|RJqA8y z6-k{pWK4|!@nazYX{#z+0u)Bl8hS+PAu*C#@~C_Iv%t@*{*bE}9s{3^E{X71=%nYG z46=QwjIH~Yoc>Zt8^14-bDn43Z+R0v?vy%u?sUeZO{w3hOjvtSlDzqe^Kax%lTlFf zaY$B83#fcbt>M@OhzcUiN+@&FvhT$n4g3{b_t_~lIMV(j{D0OF-I9PRm9}n7{ZjqR zoi+Y|vRN$gu~c@Vk*x5+$-`WCs-I)Be%bMxDQG|7PbiyORD;7WXF?Nd+52(LC;U`g zFA?c%5E+fSR&AE91X9|lj=!ajfp`U#uw0Gu>?l*rp_-`i0`*GLN(H5A%@RI@ow}gc zTBRBA#HGBQw|23+?OSm`vNoJ2-FV2+lyj)xP!IKgTgS^1wN2enOH#OP9qZL*>F3Zk z`^o~-kd+1TqWcIZO8YNAYqe1_JIjNc#44p zRP<@uPDT8D8JK!YH)6({3DEH!|2fXEKY)ssW(nz4;=+Ejz|nyZ{>|1BKQlz~D1H=% z>Pi=DuH(4Z-4=Z}X@FO+)5_7d*4%_tRF!yWRJZ<0L>O3$?|9X)WDjLt9BJCYz>- zY#7$k*L=OEJ=`T0goM7ZGl)gpD)OxUZ_t<1*Nu-~LJ&SwA&wk8^@n>>7K?>6|8tKz z4oQE9wonR{Lmi-!Chp+}kBQH>mH1I#PMLInZri5K)wrk)9|#c-=l+UZoRZsgpE_;ORjqp6s>Vpf7lQXwj@B2|r6HikIWqJG z0gXhBM;K_`OPn?ao@k^TZJxXI4rLIrXqs9uEol^knMJ?N*6OR57v&b4oo5V$Pg~{} z7KQKBK=Dr)ujDg(vcf*5P1Q(gtKBj%<(C@^j0l+R_M^n9hQk%Vd-j^$-(VwX8}Y^8 zO#S|pw)kP(dCv2jS%Q1`=@CD0)9Cbe^D>9uc)5faDT!NK9c%fcMFyWz^ zM9qJ3F70|Hov6`Zf0AilpV{p_8pX>ji*OP_`DsiY^6kycRK%;6bpDyOBNQ{}w6PfV#d}BZvEK@$jfmF+kA|q;87dtF27Fg2rW4+_IKvkOx>9J<^D{bW)!HV~p7+d`W;oa=Wl$>a)CN6>Nj-*HZoAW;C z1I%jk;AOD|gKv$DV#N2sS2}%ky$DNlJp^RCE2D1Cp!L7hR{b6dh&yhU5eC^acTuxo z<66X(Q6!4KEKwgZ7DAd@!Iji^#_B3z1j>{tQ8_Bhr3kt)4q4aUlV-P%zZ#e_qtRwM=Ze^m$2 z6VL<+Sk^;#n;r-|p!L|1%kn)6hlbsb;37?V1D)>(J3c3m=ib|(tKG& zhjE5Qq%TxTb+63N+rp^yG|r!|qimfp6l00|2M$!qIq{HsODI{#$l7~^Zrj$k^XbsIFnrlqqV4htL~C2H>rpF`4a)9N zaV0hBQopwEf_X3J!{yE3=aetT2{}1inmF3SsdqOr2?DpMr2qOEqGc(S2r6lYU}_}R zmx5gUm%G0#lv9fUTVO}T27_YJZub5Kx-^Cu>SuM5wq+Ckr~+e=I!lD{MWv+!vNne= z!(@=AV_eZU=FZYl1x18deqItij z;%e&k)^G*hHyI;IJnXD(Wy_PK>!Db1c;ZQUeO0ONvUdpgps*kYW$XT}EeKs(SBdx} z%OJuMtez#NjmySTMqE284ydBob15~4u4R!`{zi3J2yFbPMrdSlvJ3-P!wx`Yrj27d z?!f~)#s|fEj&hz>-^H`H_gO68h7Wr^)hG6Q%n=4YDH!I>X#!EixYnYoHtU3+B(%qr 
z@j}KPm!3u|2av?BxoPZ7tYLKl-uzw|f>2NRxL^_D(v$5!Z}ck0p0=4;>KtFH^XN8c7Z7U%>}Oel3O zc&3>T(VciXP2&`7XRMpTPoXqDu2#A%`U7igZkj1NR!8A(1LVu+zPo%G%`fn-0GTXi zf<8MN7|7eZg?nL5MxV{neC8d}_gF6W?I20a->NxU%;T<+wxJp z=4gN((nNp3qJja9_F4VHr{E1$Zt2-9L#DEVY2qt7%Ow)uRQv=hfA+VlDK4Z%tzG8e zN^{AdV`wd`MnbY(zGYOxoRH;ZJ0*eiRie&(o9vp)cc??sS2g8)(d$+C^ZOiC&gCf2 z<6E36r&V>G&I2Q2t33VhsnVBTB}gB}YLj(od&6lUEg$4CWG(m2+;Q9hV-)NkNDIo( zTT;vjx&x}F9@TA(8G6DYU3vejZ9MVQk|7fZjIf>5xzW_Br-YX}C}1x^TOlH~eb(tZ zzPcrKbM~t+w23Nz`F<>bQ)}C<#HAps=V6o@?R}`Lda#d$UCV{5&Dsh8`$lVfnK#=E zvZnhq$wzid12Qa2m^mNgD7HG20TltLl%iVz#g9RWmKh$(365D5Tb00)XI1QN9fHqM zk?3IK@RpqNTy!-p!&r*nm=C1OhSSBMV|8h*EA@_T!X|l#n?ABSRg8WVF;H>UE6R>67> zVTt34`=V0bK#LjbYI<|~LcKBhw!{+*t~U^qY*{~jr2r2p+DyPS zRZ5Ly!yyhpOWYNbrqQDPk#W+DnkN>mtR3Tq47nEPKmJU&Dl9v_r`mchL6(QcJOyMu zic1_uF?U(BAERfxA}01R0!VcC%BX}Z({pzeWDqa7=Gpxde`=cblDt-1vBQ{sXT6v_ z5*ql_0c3+Q};ZCwVE5VLkd2+a@-8n2OR>Zxu-gVQG=0)>a?&@8+R zeqHghQR*b9IAT>+@T&-pI}`#A+IMJ4LSP;BF~2oe+}LaLLe=0~q& zHA3v$8AshyHw&{Z4)07n};T+sC|n6)7U;Z>f{eN&s7HcKcsR3+!=7rqTkOb) zdp|Sux$L00Q0Gb>YMO3MF)+;<(;?lej*m40XYa7%N~2#6mAN$Ethf*=gvOx<@O=Q0 z1U$8RDqh)^49O=W@b{UdtP)g~1PqAvah^%_e**m@}k15_i<0Ef_re#;4cj9nt(a z+pLD7J&_S3vJu5WmSC+|mk7q`hn(JY^njc{oCeyY#FcWXkUC0&j)?WzOK|`P{5T@4 zwODijM&rnsOsppj8S8*$R zr|PJ-Xoc&`^Z>KforfY>C;|G?Ffr5HsX_w&dg+EzAYIlwoGxO#zO=x}&t-SmXa8d% zbY$%^_N9y3oB$e@cG*~1511g-@WUbXdk#h zdh2?1OeQJi7wcW?>hpE%6iTFj5hQT!gEzH`Zm7N^9zKU_5G6#)0-;){Bb zuplm89)sG-hbgcGZBnLobTTeY4S>EH_d)>OtzDJDfyW2ZVG-#+K@q0&kzr8Z1S4XB z^#>>i1fW?B0m1lKMLmEB#BN>(HPQe~bDd ztFv1EObtU;KfG6#9L67~3$%OWYiU1e*Fj`FWWP{I4vJRu@lI%(Q1>mo%i2o)QJi`j z7=g!!)*e`{?~!qj#O@Tm^|R{hX8St43bo&r@9pnjnGx)L1o)@w#%G&eAQ%YL0P!%> ztB7(jRBXKd?cLH^5_vM(-Kt-#M*bXX_op5=Cf^|`e(V?Q-UPz@gP$r%$k}d!G4R2Q zXP)&C2Q!AX5ppM8JSQ^P)1x14qvOupV_dqD)aC6Oj0gH2ys*vV+RW6Yw;Y}-WGWX1$@K4O(!27Dt(t)^m04am^BoI|W z1)sQ(K3$`Fi|Kt4Px?0$8Jo~m;LHCODGli4H?fY_X<6cd6gt{%S>j+grY2|ehd%5WD8$2IkK z3kmg<&B``ZjI}wxu8_-plU%Ps$KJkwZ+-#}KDA;7T+Nj19m3jWg?aQ?Xw;p#Q$964 
zbA|ybCaei4D;$ei!n47SX~iY@r{U32tbHk#(7SjO>FD@#?GVl`>t7ng=MSxzU=T)^ zw@bt4pDKW6DzzqhKGjSQ$w&PJmdSO=2m&qo1FeEpwo2@r8G($%G+X1*>vFO_{ki@2B z8_a2u#1cKxp^5j_Dv451_XS5!`5LNB^Qtp93t{Evsq-cRS&u7t^zc(hqKodx2YZ$m zbLPx}@M3~JsoyO@2oP8nqN>>|#7Z%a!n_^O;cWeToMT$r9cJz2ucG>@FW#0W8ovsz ziKPx3vPb*(#a`UYey1q*!fGu+W9BNtYK^fUTwzOz9LWz=$T~kmGl^`P5{;Lx(x!oF zF)x1v=`FaF4fsqH&B>^*%^zwF_LPn4R^eTJLT|Yp+VXv49t4CI6Z}pvHX`Zwv@LG% zW*iOJx6&0~lTrlGBRkLzsf{2~IO}FPWcT>sB%4v^{~DXm>bm(?YkM;9cQnA-eWi4P zm6a}irL^%aCuGa!L0#{Xkwg)~{{=gn;*nf`_L(Rx{l#KoGT>{8TlH|c_FhNyfwIg5 zFLwutpB*^=rWMoaEic)j$WyR*Vb{}C0iFncL1LvM% z%x~Qj@ba|p5P;<^;LC5$QUCb0M%};(4h@IKkQ|F20&)|zSmme_TFkvbI94V>+D0j? zoj%G}@pD{2!Dp8tQ7PSwEePw|8uY&3W9(aqP2wDvX`|w3JiK5GN3recUd7vQ2e`(t z@7#Fo*CT1d1dn*yef)9+gM^LvUcl7cYBl|fVp@~}sh#y`YIhV1a5{tj^@J>o zV_vr$q=rx$gX5znJ6I+g2~s2v)6HDgnWpYTO~cwnjh?wDtWz@q86Eh)wxJmv?HS1w z=KUT>j-yoO{SMg*fbF;qo2j*J|M#Y&9cf2SFA6p`_0{?DwfHMX?!jpUt@|#T7rUQ- zGJI%wp^=O9GHTKw4fn?&vyECHIiR#rc2mKK!=2Sc5xWXClWFgxqkOa|H^k|2AVLI&a`-%lcdlDt8sCovOeP9 z*3aRMb^eX4T`2JvSesdWDDfNc^|?Br&$zn1yK>H7mgk7{2lTdXncMbG(X&DC7YET# zeNK3M=1Fmx-P~-e(n{3rCOVIIF7c3G#EtEBo z9dd^esWzENP+FQuEsN`gT6BEunylwXfj2x$NwKi-!jDh!;=J}Va!1_(7X z`Y4gm0Obb~cPCH9Y>bL_o z(e&-afnWv}Wj5-?qL<9yaA>iMfr6|!$SVK~OB>f+o1~UgY6=QZonYwG$2#&e7@-Kq zu~@A7D?6Egu}CvdPSEc^eMnjouFQ=^A-T;JxmBJ2x!hag2DN$OYs1H0F&y9_v*CCY za@o#KF94-!sK2^WP5)3-Sx4cRtWSO}ST&SQfRE$S*5g8pikIUw; z8{fBOU5nL{*w}o~pU$9-8PYi*%Aq}Ba|YQ7)KyN&fQ{C-Jm&U^lLE0r0`^Bk*TCK9 z{h4-@I0y6)tV9OZr&J(WU>QzROSMQ49I#DJZSw49_GK>+Cq%w69W5hp zA`X|dIepP(?aZf!f3OKY?*MTfEg}|M6v8#I-|!Med`b!{yOAi!=pbu}QELh{d-DBy!^{78!U4vaE4YVsUndc?c%qg2#6cn7(x}j0SS%Y~nxM`Zh1;@74l_hERzp1+I2O|te?v~C zA={28@MLYRJ5~`x=<+zbgCZ|2|CVB{P)b|d!$+x@CWGQzODML`|Hm>;)(pa~b9V)| zT2dR()hpW$yn;;0(lf1~qAWc?j90F@sNab`R6x!$as8GOd<}UKv-r(U?C(ZLGVg%a zZ@35rSZZep%IG?>&eyK1b!aOKfeS(bd z^oeMFUAR8pt}@taE49NCGy~xaK!SR@6~oBbKxPp1*O@M7_)s@17koGX$`l)pc`F`5 zE`o)d4P?YWrU1|q>gzQgj82J1IJJ{g6C11YMoCaC?YXNfx1q|bqm?+}L)?YM!I7dC z<;Sy%+0^gD4mrgfzc~&&OL1#Awh!06z%QN>noY<9rp94$CFVRiFQE(Aq;>u7W$ssN 
z0@ubW^j-kNvsphSgHMr>CC>LJ<)<4(~PB4 zjT`|67#Z*%MAVyv0uPX}qreRYUo~&^YfvQR4?6oVSc3>=vuqw?u2>ci%0gYyl;3)8 zkNqT6``RL|<7B`2dHI?_0=Iw^qu!7$TTNsRf+B~$P=djvT&FJ4}fnJNr`*qQ+a~OZ>Hw1b8MZ@@4j-??Fp`o))wGV;?umB}NX=1cS zJ#N|$kNYjrw)4Pmn|D={g6)R|&>RfjvK;RK?9$&Pi$AfbH+gREYXfi-#CWGvS#Bmn zix(OieD7!&l#@(B7kqN=E_gtEL%so3Q{`GRpNH#K9ND$WF-m=nR1322UZ~l^mcfNE zvhT|{>n0FECkBY1++CW3b*XHnjZ^<$Y5K>Bl`A}*LBY2(i-5($>r0Va>A9_J_Bf-j zK^|ZZ*i?R9n7L2rA4lBrSx#Q-u43Cs)9+eqJ5pq77VfSCOtlG;0n#nt_2@7rKkplS z7XKf}vM-W;YFKVIW9qK9Vd#oZ$?}b1vQP|ZUrBsBc=`PW2I*Nc`t1=3GCMD@X^(!Z zuL;RnC({G%tQrHGiwOOUJ;K~mhX#*^KBCEb6w6(nbijtq+x^ zS2I7wc4<{+oG*(zPl7^Jud~>SL)jXA7Dv^6^;{nm($peHj01v{q35YcEiW=GH3(kH z3x>S3w&IU*EV*;WK zwh$IQ*u@pNV6&NBV=~fIVXEd1#$!@0dfytI$ROwu6a!VW52OZJ z3M{4pl|hfEQos$f(oz*gA|M zzlZ_iqW~sWBy0^$<>5{n=<1 z_)gE0-JHYR#%jjchAh+VPfRCBo;9@fWBit_nqz$iylHMFL_CW z=X6?IL23grO>EHqp7|mW6t;b;oZ;dfn}aZ`F>2r}7WTkACm(K4a2lS=uwYLxli?L- zUDVwm=Vzbl*KSq|92AS|0q7wo%In0GG!Mey_9&~c-q%_R<1a$3u`9hbDsBJqi*ZDb zx6>>DuhXo=Lt2$@mEDvVKWsWGCYHeaZxk=WRt45CrL^V`=GbB%~V_ zM7jm(R;0VTOBxpGW@%VDl#pDIZlpWjmCx^s?;rceUe{jFoINvV=AL_Io-?Y5u`rB8 zh6g#D4kAml$=2H`1yo*y{hnJfhYYe3i3=k*r3er{OZ)2_O#u-otc2LFKgts)4)UXl z_4p|(YGI3*JrrzkIdJg+o6dU7W7n_Yqk6 z&qI48+q1gKrz5JUzB|)RdBVZ`xQclmBOPCS zBOUlE&iPcC)f;yr*kdDK71T*65k40P=hmB*44C?wjx@lx1~b3>DZ)%@n|I#9_s0v1 zA+YTIW{?VtWIiVG-KmuQjTGemnsTu}>GaZ#wfJXGeA+E9WqUH}>DPl7Uw$h#wy(pT zcr|%}4uX6mBH~&sRObD=95V~`fv2nkdC%j>qjSIMf0SE(a>ItsBf3N;}U{rQEx~vGK*|t6MaNpun7?NuJPANMvUvg zySL#N%&Bz^-%+6(AVcL}UE2J(MvU7;L))5Q~29 zlWhZ^o`zO2zHx5sw1NNT(aBc-K`utoLoWUsGqe`?B?!ziy=tmRziRuR=?9-)~{}IW_GzhmW758Y}1bnfnYHN)0uEfRqX1M z_l`;Nertw?*EQCzxzzi$qiXv2eZm)u#?=V^wt9hAK#oTxrE`m!!A->suB1XfF%A##W|V<-#u-=!Xp?#Bun2{8z;!{ZTt%>MTYIHW$Rtz{T-;+#us@Ksauvn$AKr2#E3g9$*VVXb_ zk}F&x1dl{I5h`TB86Aah!ov8J$hqG3*){?%M0>_qnNrXTvvVvYNRzRQCy->{Fyg-d zpq-ymB2}bxAXbC{V%f5knh0V%7b_!;2a9p~kWNNP=IUS@X+h8XEQ>cjwr{AyO8GcJkN%bM|Ve zfxy>vUnyS0^X4k@8D;}fuuf}9U18UyoyusP9$AJ0^ZRp{&h(RazYbcDbu2xozT)Z{ z#5Wxz3GgxDsS7S{87u0@wmjV(`$2N;vj?}xWmURcR%yH>Me4z~1U-YwBVP!Vh!Pyd 
zp!JwC17P-bQRQF4NGZu;;kS=A>9~b_jiQfy4Yx_%?ciJGHP4i8LJ-9|Srf{JnP#nf zqrCbSBrEHr{(Orwz#p2gsYEavWH0aIXox2sext19-V?Jwgz*4&q>R>SyN8sdSw-|H zu`+)VXggGzWFI5|14d7TOq^deE}uatD9k(`4eB=+<(Hhe?(aD3n6u>a)s!{Y}HpU`zbQI>x4*0K`t?y0##!V89>Kqu`FS5`Ie z5&g(tct1W_%LegD01M(1l~XMGpM7Q&qkI89KQq;cYO8gcVW0a~%=V^8lI7>PofA3c zv75St9_%DNV2Knslm4z<=$5d;jNt=4YFsJ@=?iM2(x-dZtQ3LnkB{g3gm~`Hf(WlI zsE#<8z-j$w-;Ps034`?A)i*GDf6cRHD&iJ@_x_StgoXYqXLcg(j>@=%Tg@xMD><_U z&}~C&^WhTr-uh6a%d!%{Lv6?y!Ud@~=gVpiCmY#bhDot*gj9faqviFDJ zlJqzhA@Q!TxeEVxhsZX51KxUZ`C>L2cnTG9|qDu0ioc9npJ2ZjZF< zEBgOznvysvA) zqsnVTzt>B2YMa?l(h%x~!8YT;98W0Tx5p|G1*DK;))lcH3_ zsP0rZ{5CSP*V7gJ4_K~5yiPg@c#RML_imB?s34p4h-wUvh6~TR#IJA20yVP|UWwee z&`RZZDeZ011y%$*I25y}Z4M7fN$o45ftTu3#r)Cra|HhYmBJozgk8#JfE@u?uXDtt+B>7zLBCne(y*`1 z#@6X@YcH#OvH6p&?frn#+)A3#a$o&eemRd>l+)oC!$n|*@O*dbgro5%$^CG&zup7y zlh{^}Xw`d11|jRxC4*%C)Fipy8jYWX0Xi~QGLurs^&dDo!_gki_fsSQE*tmTAB!<-*Wyq?JDi0T4YbRJ1aRK*|0wTj$uf&9)1i6j5EDw$(Jn&}{axM#| zPb;7~Kdh20(K4!FoqF8x?7Dr)CD-ue`D3X0DY+?kBDM)9I!rmG&H@;MV#S3I@6%8|A`7U&+m<7T^Fmp4R4ue!+-DwXPwD%{%lFX?K%VOGKmboTlr6n z4b>9E!}yK(*FDKz&D*eqH$K{8^%SyWh#s;d+!lA&f*ax0Q2KSGVX-&-`C)?NXKJDW zp4*#+3{QIXbRi;pSu_?z+S_d8y>!x*p$pT){D10h`XHZ_uHMaRI*&^#F-Zwxpnb<| zTw!_0HHd=_;burIwZw9Z!mlRf&EO#qt>VX)*QeBQ4HjSYY-H`c_-BW`5eG?|0S9n9 z3@xLX3t*IrzpfZxdVOgq-NvaXo1Nsap0{tA{j*v%Qd^w(?)Kv;kAy3SD`BR(={bIn zW>Jr^SL679InGVMRs!<)8%)vilO%jzxwIeVh8cMbrSjDGqdI!O4LXCjaOp}b)D0}G z6U^=if4=#N`tuE(;cO#5#0AgeUzYG=yWCe!d#Y?p1NQ7x+eDJ1ySI~dJ-yR%U!4Yh zz@2@GEw}yVmkYo*Tkn|*Sm4=z=)5@DCxrDGHYS?9SFs_zdAgjle6l)2lX{P265;M# z8m5`Sqx28MuPDN*bgCd83Ry9tZ4P^JFvFx47aU1B}iQ(s9y$} z9b2G{_WMk6oJo8e71F`FC{{~KG?ZccAJk+Ws+UN%4WVnL?srlZE2zS%VnzMhQ!P2n z)1sRHA#O+59jzYunCTHqp>Z#3=io2H**h6OJ_I-#H%ANLs6Ukx#!XX)xlb>K3Hw^O zuM%4Q1b)+*2Bitp_l(~XKz_0wiU~dEP8B#nct}M)0^CAa53n%X;vGM2k&o6p4ARi7KD^Fd|P&V|e zpdK5Yw1pc-a%64459Q_xv%Y>Q*VMWxV1jz~x^A1aChF4>S@5vG_*hi$AF+%6;{oY& zz`w)k8uq6@PSjn7)s=Y~-NF%9d{}4;qtxp%kRw>%K6_+p`heavUnsl-!AYD|KvD4o zqKuur**R6%2j#gm_sa3`6W-4)vd~}lZ)kCst*x3c+HNO24iurxLN-mWCJKNK;9-|+ 
z&0vq;xAqSE5D)jMTU}^Goa5~H$`6=Fwvf!+No7F+RVE;9jKuFhy~u`l0Q${j89d_k zL0alTjHMFG1|*RD`y zM1q3?dX(jvit-`=5@_Z=UO3k1Gq{AMx4Cm} zeC#z_hRms*YAN|#zf>^@TN)8UcF&H@0ay3$H#<%#bl5^$b&IBhr52ux*^uey+FWV$ zQA`V;^(41t>k*#S3V8l^h^7E-A#9%5*cTBf&K(n_9(dqsYlm#@YD{IDwgF7zn-`BB zvRvvy;YRG@6&#FzlDZ3ItmkS!Yej+%hvZso&5iR6RKY5)R!-Y0vrb{}xSs8wn>xof z#3>SMmN@Zg^F@}3>~WtvpzrGTA2y~PwK5$Y`hxJLw}A=c3a-YVP6$rl=}vIF8$bcZ zf)j7rnVk#W9&kk?j+!7_ft!)Sbp;IKO$lb6N=sT8Y(_{ zJ#Kua0+AzOBL&Z&n%T!M&RPrYIdM;7<~eTv;oE+O#ntYi!Lg!|p`yr4Fvp!=fTmoJ z@s+oK(Mm{!2Fu7o?AEF1EDhqxIJqStZw21S@>9(6+Sc0$=B*UKLVRFMTLCESvBRy1 zSSA&S1&R`D~g9}jGHOVx>s2pXQnMgP3+iwv?qS|p2m*`RI6#_-Cz{|HS#lnt4aU!lq z*v7NLUs%kWcOr>8{!*vM%smlC;Y3hG89=Dmt;}P3h9!&&aI`?{*`~M11|qi*c|lq`uq>+ zF?k6Td{dFm80AqYx$HvdXmC^7gxZMT#-eBK)Uf8#d^|}FonzW>9FbMEhWrsG4%nsJ zwRmcTMxny85$*${r}_^n_u#08)8{3Bi$+84n4n-r1@wlZXQ^V7b#(hJrD?=SSw zE2Q}H25^s;6ZmCffi=QXmiQ37=~qCRiQM$cG=aGPG-i`56Ur8cqb9Gq^3Ig{E8p9f zjp}Q19d7XjjQwIF-#tVWRV!4&Q>Y&I%!PdPMgZjxAN45o`H!Rls-WQ#?7bf4xxDtb=}st|C} ze1o$@Y>@*n){w=f&ZB$zv-j=7TMvY^x4q+ua@InTm9cPgG=o=g7f7*?qA z@l)PfSKOwYG5i*e9;O+W+EEl-3EWmlw=WTJ{clf7lLg>bT#D$rI+=iPUv4x=g~f=Y z)iw5GN*Z1Ui&j|uF3+xm5tJzFvYy$L7BK47g%wUrmgOH3;y!5xn(c^!8Ko@f*7@q zuVr`(s`sB-_%_oM87fWgZ-b!2ddw`)d&C~-N32_ox9z3VBnrO6{Si3ds;89p^s+}I zN|(K;<-CMR|Dbz)JvMuD;dy@b%S79a3I92)t)UGt814fMFlFj&LwasAVwd-UtT3JF4=c(9@i@M#4 zafP#cUDQ^+l9fCU+BC0yVUmHP1CVbvnL%OhJ@cUm*#g?;z%&G@VByTOw?14mftUD2 z(A=$6=GgK^v56La$<3a{WQA$F8s3#>{{Soc`=quEP0z#`mQY$ivF~FQW&=|-q4~Ay zyGgmy_ zkdXW3@zFM?r^+r25?PWpyKmKeeQ3b_Zs3dtY=yt}s#P$nd}SDIRhNVC5|q;0^)1oQ zco@W78hWU%8zq-$AE&Mda=6ybK*Uyfv<@pS%GB70+x%p-`LGn!8w-<`1KUTB{!rgL z2Vfvz)%L zI9iVg8kgw*Dq|em$dk%p2 zy`mHAdUHwO(euGMN$ zLYSxtT)NgY*9v{?i%H@|SsL(s)p>Q!7)%9Fe$NjrLzrFOBv{KZC<#rfQb9iNM@<}43S?B(_nloS>{b!0gxT~pZ0nSP!ifc}QSiUuz z_+8K*u6^3_lZBzO9wPPwt62ix(Edb740RDjQq(#&QskKodd{;J?tj9bot!kIm7x3!3A z-D30Bvn~-7$J=nuv^nOVv4n1u0kcy3%8T7Q%kuN6D)na&2NaszK3BxiFY_IA)9Lfl zWr5ILb>Ep{e}lrD?yydIq!dky_-%D-e$!e`D+0v)1Gy-_&n#wz|00`9w<7#LZbg+- 
z)j($n_;`-K;rp%9`UK*S5bafwZPd~uj47HX|Ca}2`vQ&(%=#LI7bS-vVhAu_e@OQ>qjn1*XAbW+0S+@B9JD(tZtV4+Dr z9)RjqNHvUB^0HyC>Pj)63#Ot*^WZj2HUJlUiV-k4Uw>o$XP8jm*(bc09wD z@bSKZ01tNDxv$8N@iGXgL+3%E1Ltp#vVlwz3D>A?OJ>6#L&kE-ifgqSt<>j7ze0<| zFu=z@>X1mTfGI)msCAoE?rX?0a)-tc2VzkZ?7Ye2*_lP-mYfd$96m$GWHSBA~y-+9Ue?$UYSxtyE@?NsaC zH07C^5P3e)qZ-gvB4K+;IB?DbQ%GOQginA8_1?^xY1ZFwiXGqCd2s1mEI136pX7$Z zlTeW!lA^0zl}#HxT6DdF ziJ%yReEb*r_*140HDpnF0K$IFse_IJPUJ8KIf85xY?^DD4V$| z8frEmaqUu4-o3edbj~l40uxVO%O>;}T8%t{XMU0nr>_eC9JC7}%YWfOp@rv>+i&>jr#*uabiIwUX4%Hf$_V86$r zMbMi->>V3>NOzo^l%T*cCaK$6mxjdguc$J_VPrOD&c+e{xfMN{V$Qo+JpS6W@B9b% zx}C02NYmO-eeDbVRRhP{!&2BAfEk50+LXjTBkF^+a)U%_YVQQEuNtU7SGqDT&gMkI zZMF9zbv&IGoh6rtOVMw&O6;VhF3Y{%-?ZJL#|z)g+pPM!9_}qqF8wK->W!El9C+DU ze18yeqtn7i%mdkOn4Zw=3St^PjIpv>p3J88P5wLxcD3#4iv65j|GkSmYz(adf1K+v zh|UY-d>S+V$rbP3hMo^!{=8iL4y>e(M2VkHbPnzU+C;C%VJizEn|Iuu&5pR=Ew8+uc%F1)~`na2~`}fPtm04ho-c5SW${QBCv#n>A(^)vW z(sCXmEeZ1HQWP4mGVXR`4~(=vW8YC*rIy z()&~+g0PUZh%5Z1w$CI<*!GKAfpRQiIphiwCK$}IM({!8{}p}qBzfho7}Eo)NL2bE zXXI1LE`utIQ7<@i=2?P-d8xAaz-`V8y7?E^#W)F8I)9j)=d)c2PA>|@+6RiQlCD>s zc(>?cTr>?S11xDthvq|Y9?o%Dr$lIsRT*V)Jk4ndJ1(_c3AH&z(%rHr)qVWC%HM*e zC9l!UlBNHplwi!5Sm7|~Y@K)N4kMt6bD$>Xn&;Lt9atU71Q%+DAY#Ezm1qeS<(QJ~ z$Fn6WjBRQ)%H1-YLLW+N@+`m}AP zMeB*(BMeAk6?kmDm=K={Ch5MO4?IcKvF##_X1+jItKN)nDD zT=&DwXy@ikaj+m--OHZ6(CspdT$=ry*)SGTlYMDqDNnvdhtwl!%r3kb= zO^YMypOi~p>|2tzxl=A|F5ZSs0Rdo3r8h;YK0CtYY?!mFQ3pwvd?f=LaUOF8p^5HLZ^YlmdfHO6vCQr=6I96tp9 zk{oc33n%@lxR{fd$F2TBb5l!Zn;JhgAbS4~TWFWl& zvHMD1hK`7*>M0i0xSO8CGS3n&JQp+f%Uo_WbYT5_<4be)y>`HB53V@&jINrOx*tD8 zfpaXCAS?9_Ha%o_QyRNAky-j%sclbNrj*SN^=%`)KDgC=lpyP`$Kuh84}F_oxRJ7} z#E_Lhi8*w>T=a5PK8q*2MWiGAv077oXVSfCl4RgiBpZC!9rJ@?5VpH^KCozXN#w5c z@#MofUU9-&#RC;oIebJMSs-@7*%mded zQqtzjWv_Vp;n3(spe2-Gu|b@*LJ02PJp3q<(ZpE^o_0v2=v>eje8~IS-}$Y7wJ5HS zPbdAC{ZJfd*`AYgAO+yjP+AE@S!bxp0bs079(C*=MaStnn&TW1g%+9^mW{kneVV}@ z&6hNw^W77tKXvh8!93%ai)n|7aYDitf$%}bCCq1WjT~@(5iVUfh#(n_gO#A8eZoOf zb4qXEMm6J?W-D?1fc%H3Uc>o3(bU84eg2{L$LfP4EZ7HbrR{JlEpzNP=yOoYiKibY 
zk*LMzf1e^Fc<1N#{w5)-P6`{>qJe5+|1{Q;)XAwx?CuigY{Ns?V^rjlMX)&E2zc0Q z#V(!j7%N3!L$WlYGj=`&c7j;Z4x^zUow0^S?Tu{>PQES1T!ta@KMrwRQb*neg*g!H zZn5A#%+WeRMKht&+a(__JEvCGl*z3##qrB7hlc^=S=rPd$?9(J{v%AVir1axv)F`mE^-(mTv@7ErwUEKN#`=LVyKF+dp}MM z(+QY^FJKrX4pq|Sl7@fcGCd2WWit^44F;vHT{*X6^9LIYW3nbpE57^peJ^9j)z%4k z1hJrnJ`lcvMV~CPX5$j)N&SfKyLZLy~oY0lL-f63V%M=y+!;? z2yDDUIpTz~f!H16!3?EUPvJ`Mn%8b`xlD<6JVoC2@$ z27QwO%bTc-BjZgm{K7xSO4Ly460{}A(}GryWkx~Ot++7qWd2XYI*R0a;}Zoj4YB0j z2pWpPQ`S^M&=A9pJ-4Q-{7LjxcN12%J8~!RB+eTY%e-kx(H9BmpA?HGA;|N>a^p67 zcNGhT_tm|0ohJvDmz2&{4SYKF2pUd;DbkWjO=M<$?7enqKwBA0s*B=CbcQ7R%tCAC zNX5wB|E~+oiY(H~>*=Q7cmIkOq7%`?!8L#zhjv;2&$z6}ft8g(56k1Dy}9!+&3Xr` zai81O4esOR72&QXTlP;sYozQHT=V3bTu`Es*kV5=J^36hdbQz%;)0Vf<>7h|a7LS& z*|+78kmpNnk-s}?oanGA)lGc0N+^ru)kc=YM4Dey?VZYP`hv!l z*;dEW3xP|-HTDSE@@^Y<0AKXBnF6?y!;7cQK0QXTI?|`C3)D~k zMzCLzPtZX786l&exs>)DxfWv5t1`m8655;@7b~-P>bWJ)yLLYnYPg!}3A(O7f5=S6 z*^ZYD*P+1VB=U9B#_w_(GHn$VC~p$;w_=|wR9La^Pvz8bn2?(3JrXEdAG@2~k__~U zWRX$%*x~ie4lzfh2sEneKOcf(*5^F04+S~a4fg{q(a+$+gYbGOJOqdU+z(mLmQ|+Z z-qVh8vdL9d85*jy5Nr$vgD9=R-E#i;GgEe?J^zGUn)|o7CAI$*a?fi7Z%%~T*3XH6 znWPW*+KQg+Irswapls!ddSgO?>8+Pew=Ra~_+~~$z1?>X=0<-x-o`6b4mLgS+joc5 znHxxg#Q+Rn?|>XMg7dG9f!LHEZy1ZJdRiThS@j>`{*XSfwHtz{F9s637>r@b9@r}F zAGZk>pIF=$F1n4dbo};hgIVYczV(;s7WL5C+r`iof1b*;S1UB?bEDs{=k2i{!mv$O zLkPZ6Jtl9^R9_>Wk{Dih2n)XYU~Ga#3j4mh;fLO(D#h;v6bev{dc*W*vj4U5*I|w< z=^|`=W8lkr2ize7Q2o8vP&;8D*4Ph z`1HR~1&-0+wFBl32jv9ib$frlB8Q`MrM*|s13ACIwO&W zWk4@d@Go3ejHUmvI)_rxk*+AxL16!BZwG&;KHEK`UMHo4{oWgb`dz8we)PgBBDqt% z3K^rPJ!!OZ9|L^2RSTgm|%OC7CE%_rL4m&rljcO60zDMesGZ-oP9%n zO;K7CT4u-vb&BQNZhKKbmF)r*A;a=G+38y8O;V z_#@uMK}&-)XOy@|g?J8IMEMcvPfJ#^zso)wJ-%tGu?1cNFdvz|U%26~Dekd?UxQF; zBP6&HPM_nXP7M1b%qg@Mmps1*-G&yEF8A3s5{9*ioX*ML)@T-r#>bgvv(8y|;UB^K zD3MC>IKPyH{%Nv5*Vxr|Y`&gbujAs8$786;2_>`o!_WFjqV?6Zb3?V{Lka>xA0oU= z<~l<8MQ7o*a!F}8$cXlSy8Ee|xP?U9x~IlvzUEAqQ(9=LWcPQ>`2U7@f`PyK+7LfU zfW!!Y#&G8h%;4qL^DE`JMaF&D%Y~M>w@xCVI%qH=p*YJ(+XRd95opOSaf zAAw*jBha=qQOx4(<&J#_UBbvCEL(8d1 
zN$CDAesaXe-{a3RWY9c4vs)(TVJ<7CMcxSzrQ~HE@|Rvbh#PV=IA!* z)}&~me}K0g3ZMlrRZ2E3;ff&l>Vu zvd_%%lMg8g&~CN5Yb#FRDbhngcTV;`W_!AUji>|YSeO;Nzy_< z78ox!jSz|;wo@DMl6Ec;^Q33Ee7?4-(gmYTt^}OaBJTN4zatOT7&MSX{V#}` zrC{c+>HGf7VW5~gi44aBjo?9B+7PIMhzBimiR@*$L`cqhoa)H!NJe|p@g}*gXkFz| z9|BbdYr&ea{2(oBX$9Hc`GO)W7sJImsauw{xVo%Ff)u4WLM@U^H+lbhjq|C0j_xy z$KMT&pJ>BWA}Oyf(3L z>kEx%GF?tbFhF6idMsj!iE^`z*T#Nhk@^UJ#x^q(n7@t3ARTYp3Z$nT; zWCVdsar`L_v++?Aw6o2M`w;M+``|P)Y8S-7;Jzr%Hl_y1$1C;n7qcG*h21=X;=`vflnH?$`mZ z=o=7kB|r|IKtC&lBcgsC>nIp~kcY%}EWynkY;ob{Vyb={?d{&&=s5NHEB&Hp!He8H zM&{?ZW?6lO;@5r$Jof~3ox5rWpj|cZnZn=qIA<1uJTdytvA8=E(>ePrQyvsZ?}Xle z!%GxAeoqOG4WN|Q(qfXA2Vf%M>iGJ>ZIJ)D)XUJDU%ik+ zhk#;3lQ&^Eb$z{QoO=l&?{44JXW)X>x*>70k*o*_kleA-mfrS0>{DcONh8;Fln1nu zQBRL|_!GFdSdcjgiNoFTJE0h+*=^rViK6#9Akd^%Y~{CbIj+4W#y7dt*!e8- zfwu0nzFWMHGBf&uBT<<}d*L!Of`KGb@zuReZ_qL)D)ohSIbVL-U}>>BB)?y|hTp%< zI<;jhJ5c;XRYjpo%@Q@HWIK^W!>5MuXR1GK)IG*Fh2m9D0{<9meDW zSr(du^ozWL^%wDcmOrj`n>=N-JxQw=|M0Y+wlB!_Z(PtSge}|Jw(X#uaH=LF80&4lp^4BzByMt}r6pNv0zonjq@foC zmz+N&_b&(@Dk?;VH;nBUT5o@w>xeQZ=ySv%>u3CulD|_Mz*_JZT+)j(JG(Z1+B5o? zI?jCb&w>jbg$pI(8#9LsmHe|= z5Wkl&lN{TDqxy6C8<#@v_0wJ{E>gw(^pMrl`d$sPoB8IkEH@99`_rcJ1uqU=o3J^^ zO4l1T<&d^IhC(8@Ux!1GEYh|uFUVD!BB{zq9Fx*aY2D&f=?5>e$#^g-y-Ij*v&3hjTg4DbFG!PUMW2Q5~b(I=*+t%N?nY77w-20w5xd zi>HNtH}0zW8CU7^g;a0`1D5jP0nhvS6;HGC0{W}CGi4LUR~RF5z7VkEeo%gnF$jnn zjJ-_Qa98O8nTVD=6Cauo`(M+L4OelW+``U0_`h1fq&tQ7+GcbOin`r7b}`=sI)`3sj~s=s-TnF@g$qm^&` z;Ww1`iC;Xog6x&K&cb>q3N*9-$A8V(N|XmCebX$KmA>XXDuK_L_6QtZU$eqD;$+uhC}zPZa*y8Xju10(i5giBj5Veo8BPrvk)YU- z{;3dQ@nyeALmT#IZwBXtB9OVb&QPFHJn11t*z?aGWNmk$eBb4LY(fB)bB>Lr6UhG# zzX;JtWKH39f+zLvcf(*U@kd!Mgq49y)bGXNvJ@k0C_ww>m5?o)54+kV7K(dq#qOOR z@~*W!IgakKVf~8}UDM9SfOhujme}ecZD(5JV5P$4kHPxTJy;zmW*s6Zy^XBy8MRsX z4QXX+2{PJ5*aQHEua@}7DZ2V%KA^EMwhlnxG!(Icwwbdehtb%%`nwk3(BIUVDao5M zda#xA)VDj6M40_A`KdQau0P8m?2xZGi$|;J$oSF3IHV^%6ki;|)HRU$ehwQFl zCc|_5=kyh8(stlP*09Q_9U_PacZR2oc)sJt8y`|IuW9`3%`S0Nz+N2PDYo3LFU zR0RJHd5!H#Av*t=p+z>H8MmK#D$H|8t3QdLgpfsc`+Go6K0<$kB! 
zYgcvZJPMK&0q}eyFeD-*w$I!iJWC-s|8X-NwjI~C(86CMEJ*v#HTY0)`{_Z>7|Ey~ zyq$A(n=gDL05FP*B51qCwAS=9Eai1aY(QqPR!V^|b_`4B^!YY_o%tp@TPD&Y0(Jxn zvNR)RN`b__j9~uA9f;}mKFZ>OT-T*4(v+NO408wVSX(++w#j@t2LxUfy)ceyd)!0Uks}N^)fq(NrX^}-wf!$qNvwpI`2BIA072Vcw zr0sdNAp71US!lYuU=<=Z*wUBb37?~Yqhd8UDlU+$ns#E)auM4xRXffzY~4uMe(Bgb z#*Qby=Sw517ARvth6j{ydt}I}w}L%Gm_^%^6Qa4D^Yq~)4RI5u_0$6R*l{LQ95SB9 zR7*Od?(lI89zyBRYLtilp6Rcm*F3ZqIpe(eKx$Oq|A3Dz*F9z z)K7@PSXD@Nh;~H|A}&Z_48rp#;Z;l+dm6-$gB45U#I~A zH)efH*oe*jKvlhpLPgV_^snEAzj{69IMLk7tHI{!15TQucsHY&CMk zCoui`x}Fte8gQP50?6ecsk@4Uy|gtc@JmnFozvx^06mQyovhLQYJ<`43b4y2MYtXz zv3pSQwg6g#1i&r?xgAQJ!Qos(-b=MqDIfgy4%AJl;Ne_la8B~#-?09r4Pt{t(i5E` zS?R@x`6Ud8?i7VF?$^WWM-fHsWaqkF3LhqZF0D}QnqwAl6pk(F-* zs^}Z^?Ru>#!{;RQ1LhXK~bUGV{fHHO*JUlX5ahw9=d%_}82Pfi1W zy#v%gmh^wIgxjTUVl})1^+Pn6I`?#affnKk?hdXu6XJGh8CHWMR7`mDcD7%Hy{b}_fefzuPOY=3t@`uuMvpxl{JrDo61N+MI`m-O+E4g}w-F-; z*6>ogL6L@WZlm#kh5U#>wq#^uR!pA`b<8MPk)sq^coA2}I?tqb)R(cOlb?R2rcP}J z^Z%P(BCz)FkVtAbfNLd}&xlpMu^KS6d7_(jq>!uO{6ejMO~H)VljG(R-Skr$_eV<> zO#~VTT7w7lK8uRYDtSdqB0ufNJLL@Fpit5qTok+vBj2ER$jHvVW*+W77Fk5XD&C_= z4e5Hd?5ysSF7%NT z7@++tr$SFrjJmm-YU*zbI#oKqy_`SPI5Z10=3$@dg83K9Xy+N3k@{$?Y5 z#%0WRdf7YMzPKb1a0)8PV;D?(GmwBs+kg$axgK{_r<=17o*TV3iY)_0r z22Pj7{QNsACB7Ul$ne8=grK@>*;kcqFWq0PL+XAR+-zx-heIw_?#y?8cNh3}C188UO2 z&3q|z{}amh3*vQU^R{-)y>{>1*!@Q4;Hu+Guv|+G2P{$mgli0DxMKh_^r(Zvi^0j? zz+x=2esAsY4)_hSWp|ZnMBAHr!3cT@Mkrz$J;~rlR_fPYcoFylOC1-4GPB343R36W zQgL>m>UG)*k~9tYW8oo3dU0q_j`r0x7M1yOaffX2uKBkEv}OEh>qHU!RmWM^b~M}M z4Rx7HUddcG{M`by0^u+jhKFQSuZs#4E(1;`FJ86!oH8lelbRajFquLX9^~0)IT{wn z3BC!O3kdtmpTU{FdaN;gQCw35=@-Ob3M(k&7LMhHlEcXy5+HIS~29t_6d-Q)Aq z_pke(?Q`zyy3hHZ?}_VN4wG^*C4MOAMJqI!Pmg2Ozx9o-cd!1w(6iqSbO2*YhF&2R z`NI!ku-)AxXk;;~|> z_&H_G8bn?~_yqb3gj4k5<2pXj3@wrBeS}@!Em9b!R4(D?de+b-^IOX)0#~w0yJR?S zQzb`z$~|+_B9%-%Vm?hC6wwZIE2wpY<98lD{bR{oI8nc{QO^#aVk!SC8B{1U;0Z5` zP=O|vikiTQsQJgdqclTW44Hes7xpyabktJOm?GC^VSTvgVFSz&sF`Pl@d!?NK1wgv zw8I`NDRPUvW-;vTe;%hx@_VdZ`kQU?DyhM#;Na8Ld6CDSBVPy0q@LZi5$)RNm*4u! 
zv`!X7N5j~}wmv0Xz4bumE+kg@jK+>;4!Vai)V0{|dN|_dpF~dNF&iNc3Wr39ck8`O-5XgI1(yRert=kF$63ov~1O z%Xg^Iuq^s8-N@+wK?NhzuITd62n#CJZEwo4pi&WZczDgHurC%6kSf3TU>B!@>Y#8= zKjt-Mp|R(f(&B5%-$qm0_eAOI>-50So-apRitX+W?b4fM%4+omFq$QU)EAjB^LOgT zp5Yz+-Bzy22df`hZy#X^tc6RUXTD1e$P_Di5L+nYX%T(QK}XU|JR#`rQ!{J7F1mEw zB~9^R5uTILeY(6KsJC#ofmot`dE)%)c5u8W?3|ofFXQN(*U_V}qV6hF{h~4Wyw(`SsO0=>E9hkt~LDGVnRU+8)Y?VzJsl@IT;B|cYF>4B;G2= z1Z>+mW?Q}f&Q0hb}V67EP*;4G%UioJ&pd+kXs43TswD}@|M3>k~?$7XK2&K z&6VrkIVpy54{*`GO{RBHjl)bKNVc*T#?8#A4Dv#*(5Udqe+eDTist<2J>L7|98&KyyCv!&WxTFO!{ z>DI5rGyLFvVzXtx8;olZXNL&X11Xr7hB0(l%1XNj(SkxK8YXIFNZ(#gIBOJcUM9c3 zc7=`+05XEEDo#qG4@7K2FLxaY`dZ+6hC3ElUoe@r*w#I$V=3`uE^DYN*(#!7VfrHj zI-XB8OgC%7RC^sHuV2Pm#VI>EPsvHs@rv*d;#P^6-xa3;-O9vrCy}0~fmwsX3h`3_ z_9ktBOU_#FR?(_=N8KZCU%mw*;W>tVjnXbf7yrZTtu>j7dSUepWJ|nG4#^Z%gN~4s zf_XB6ky{jG2vg(%3F6B^sRjE)Hhz?D8fU5m?~gbf(Q^iU(u4%!i#PMZ5+~kKOtm@2 z(0?lk6U^bsMGx6L*iC6YvL@MkD-_?5is=u~{9wg~rZ-N3jrlH8ZLg=76yDqcj2jOl zlrGpZcq<)A`Rn$SE?L(}+zS*~I#wj9xD3^Bk0h5VF8)0UyKci6>HA{9f{_udqY-4S z_b@>%%Xo$JY=gQnIti3$J~j1`c-rU=?*G#P1%-s@4~3`C-eTE_IU_c$pr+P9a8AZe z8=bXtem>GTv=paMh_hA$Jl(W`)bkH~aXi{Z96u>fx)U8!ZysC^a=e)}kH(DY-{6k}QhdE07yRX1+e zD@I$kA_Q8UAvf`_+t#+1WXS>jNW>~?5xV5loFqfphrj^>3DM`~oxY+8 zLxZnkYr_k}r9QqmEJrVfzNrC;N8cHAZ z!B$;B)A&Baqvkj{_7?r-wTR^f3aV0VfU=UvwOa|u#oxXzPxojm%6Anul2=RYe?_)T z-e!BgY=0KACP*>)VP@H!qGh3u@q0wELQGlJg$>D;q`&6$pth}hJeQuZF-0qK*}oB} zH#xdcoLJJl?sKu6W)MG!tSlU9HIaXMdO~rL4mo|i|Kv9fgSOt5_`neS4SScPYyh*Y zmkx)h#*3-JcFX3-XByn<Lzt zLZpz|YW~X(#a`d8$``quj7OiTvCSK?5D$aaa4fBu14jsMjcouC*(tjB=_K<8; z{4?L-ladc=lG;bu7t@WUH-Il>qiS#gUxo8Ng4IHD2ZGH?LN7XgK}3a1({c`O_ZAX6G!!lk@s5 z8Eak#Y9aXn+8Wij33osllTX#w{i}s*g2V(;l;6I8$I-L>3@JGqy}$kJw^I}}abxJ& zR+0T7XP|!aR*|fC`nEKwG`Ae)m6`Hlw-9kyM(DU-@u8agfSCg^Q1OnVPwSMcGK}5F_eP5997=5 z3|~lNZ1F^%U3T$C_$)|;5>(~NvuwVsr+24I`kevL!Fw*xK%1oU)kxM4A}2+}q1^Wv zw}{VNJIPZ%ekjF~;e4^H318ge2C(|O;V5C}(4)TGXA`#K= zQaa{YLX+utUys_g)k`Si-S+%OU;3ppFXVhW zaXBUqJ)@W5u^rdPdSAsKzrk9betv&eIiLGSYHKZ|4XW_Y`Dg)g7Q+~rj5;%%qKqat 
z=xG!3x(P3^J->{eOP1cTg4$?aI!(~5o9T$|OmF`>{h^ghR%2VVH;2^juOn}XSGxb? zou-;C#}6e4eNO8q|G3QfQU8Utm|w`wV}Z6e{;N-dKfoSl?*J6hMP<~H`4bs2eNA0d z%gu9-T9;cWvs3E+8(}c1LB5nVjmE=`s0$E3w^2+!L#_lkuhwvuWUa<@PED3n~ zEjRF__e835P~JS&)}%wloevI8&d4!ffId9i4rh=~`HQpe-`@OW@FSi$ZN~pTxZ}|p z@K#opV*O(E$NBh4M2kU^oUPCje;Zp(qYCSDOMF#n_0; zfY+XwsD>p#QlL!DIhd72ljMTs_G@k!A0~`K%`vyL0y}~Hq2@9ofBzKNh21b<&OYNA zMc!`R`WxnEs9eDgbOIqmDYMiiNGFT9BIJ90CUWb$)d_|9>XQ7S5(!2=WQS3tDNXsI!ToESh^*P9P*pJF= zvUgcpkgIvO1cL%&F??lY0p|+tDImW@^EoBpima04QdVa~Y;F1sd%469u`Yfao!#g$ zg*G<<8($)EnFQcyL7A`q$qUHW}(HV30T^&!p+-@m2tyZX6mNee6l<#?J zZrpC#3v%iHfQi@Ce$uD>Pi;8+kG};9x6pp+&jx4A?+>&k?y65;y#C6lfcMnRxo0=+ zGTF_20xjjUg7=r*mxSCf;bMoRJ=6v8q3-lJ-e^F=>(ek z(T1B6C#J(=tJuwiA~_T9hdueI(MQBLFv{Nd@K2GaSccL$b*_qUbPL%}sP5G&Lo2H) z%o*lpvm~K(sg_p+nN*u$7+Nx78GP;W*wC#_$A(fs-)qmh$hkIrG}D1memOB6XWy-o z1-LDcveoWTn4tm)pGv-%adBRqM(PrMHadPfDJ|@*(f1g92JRy+7)6y`RSUDuU(a^> zT4h@NIQK2O^hTpxuY1072c^2fq+U~R3W|E+RV`zy8G<34O(~B zw(R~wNY(ZHoLnj#DJ&XiXEN+=eynLkHF7;}ikx5KZG7>w;nT0*2j-^C*G% zJUE3Ma8|82rq0O|PN{Bpzg!{1I8x{h$1!~YHGfac^Eu(**l#dbwOr;+_mp5`ny(YU zp0{13{D1skRl0LvtR*De{GvHMRt?{U8Bw74jr zC)JgBve(0gGnwIQ10drk<8EJsDLeA+rN2YP&Btu&JI#wQwyW3OW)FL2v}vU|>A#t$ zGc7de=%ZE?Kl3aOZme^RvvdU;W%=Z|k)6(|GcWC41lF$+7T$JMRrP)VXZL64H+`q7 zZ#&e44@2soiUy?ZyPwrfQe~!!FT)$#sN8&=fp6L@waO`UxxF;FX3t{X#+R4bIBQQ{ zpC(*8M;r7x$&Rs3#WXyN*;@DRL85GNF9BP2-O1>LFL;J8`dfDgZ>e84_y|t=rQ-Ag zkaO8kyk(jGQ1k=yZ;95=60og;UE)eX!jMF{+|>_v6CT7p(es5I`rZ8-+525?i-?~U zZ|6hyCJVZ|w$N@_@22zorGBWj7`yT^cWyK*T=9hO)HiHN5Sk(*Xl(gK_ole|yS5w% zlMf`FV0|!m&3(BVVjl42rOl7V$xp7}8_`b?tL0B#Y{ZRa;QQbe%@c||AeBBscc%r} z*UG_`JK{Iiq_X>EN@P~tF>x6XkOIVM5TINPGZnp{T`uB(kyy4fOQp2y z<0bl4J7uYyww1 zgW=+}dx3U&KF52Y4)Y}YmX}@r5oaH2NPVl_g?#HiMgqXy00a+*KISID<_n;P_G%&`{1t&|(@)6Pu%l7p&>2!1(ww)u$hE=IL{#ph<~rnB zu0#nEQ@>)PDhlkINo=H>3!nT#LjtlwerJ6hFdFLFr zoJ{i0@&(zxI4R^exSu(mi{xbV+cD!VZf%2RY;j$XpMXkY6D~ojQkOC}g zC!l(Pim??{-8QwBZa7OCwfA#`SZB!=gV}lrQ(j4v$OYRTyP{@ZqlDzbf;Z`w1PIqk zBr1&ezS)A(^&7sJFGzLg1{*s_&C%99;*nz(=B>@<%ZkHsr1)wTrTkS{Hp}3cUN>YF 
z98R^IC={G4KVVwF7%#+oKruhi$ymmlbn@leJ(#wxi$~_&I}J}pODe_+$c zdG3z^)2@E(9ajDYo;90LiPSmq;)YP9nMlgYox8yH8Aav;-|N#NW^rUDLz01udAP8c zYp;4T#h%nnaTULzV%*Pnw5=5}*=?4-^d0D=yl@Gx`TndK?wungJg#f1)&|Hfz*YN}w(PriMbxS4o_7>UT3YkC zMlqi?O@?KGpPC)}G^)eMncOg)F<*rM)ZQT`k-Wd&SNGC)(9ptlkxv*bIg;o%_os%twI<_L+o^}Lk%`hKsB{p9B1c_H_ePM0E5>~K=hum+`% zzT5(A@_b_fw+nGEm?$0sA$=_1Iiac*`TM}Hkc12R;0*E;>I4ht;_a0^4UR&JGbIxB zktf0U6~eg%NiG6#6m63K!|4wV2Z{~%sOrldJ?VHh%LNY!oKSrKWM0MIxRAFhp~}Kv zKI7T7Q`EHY(Y5#nHN+|7_d~tUtX_O$+7n{C{@zy8Juw(Sy+G1I*?R#unv$pO|x%_GOqc7_c z%~X+24cu4cFfNWvQ&7`Gdkbj4_UhCeiaDvU^T=;aS)T4Ss8OBY--E98J-yLU>U2$d zm^WmN)*|q$^Evwj68F1GUv8bVo!tM*vaZt3+csY2ICGA4^)qbiZbS2}+W1cDLT}Jx zQ!17*bE!{Mnoch>>K7eQ74=)YZY=3YaefSH=wmT`bIM~wNNy>KMA>18Du@eeV&4>2Q8oYIt97^W7IE- z7y1_RtK}ZbEAiQ51xhWx7Adu3(yMD{W0R8{7weNk(-?wPnZj_oNL~Nql#x^0si8o{!IbL`I0eCD|`pvc7@=|uD=4_*Y zrrrfZ^K2nObr^Qy7QnZPrmhLHMUiHn3puh`CdYJc*`+xu%ed(v?%lW3wRK|=7hRTjv~itZNE&$`gvyLdBa-!ZlE2?%Wmhm!yi ziiN>0=Bibp!><)vQqIz)?gPOCinnwY{?ntqyLvg#>j&n6u5?Z@O_*NGagTq3iI@8E zti8V_ABo{@N?xcF)X>hXjvI-tQelrg`8fbE-?Aom{NVF)C*BepCr7V%nWjbAa@Cp* zx)L4Tiqk$et0mncTDGk&+luf%{7ipBd>wQA#!Z9;=Kr{uk&Tsn-cKx|UQ(ioO-sF1 zO6}a-$=OjT4=3{=>NocfB+WqyTr6J@2+eE!fS7!;c40(#(Rx}Zg!)ts6{I$iH zj?95dr%G=W?lyrd*NG@bopGek9^!@|>(9Adf@(t0bijJ+UVKh?y0A zqLme`goJZMzB~_UIHp23<7(H-xCcW0K=MMGsk(11N?*<6ea00d87)>sMKXA?o!7 zd%cHZVhqcO)v8m*pQ*Lw9y%Jf%rfpe=ia`r(O`MP7@O)ign@j*XpM6|U})*6(WHBP zDtFbeCq(DE02JfZ;008a6!yqEXMT}gw$pikA;yOnfjv?@8?z8xz=}5?;}e<`Vh5in z%NlcG%y=w~+7IpD%!5lK8Jb#!@1H!e67BuNM@Wbn^k)^$*1%2d61Kst@La4J8V3{K zCy@4NN&k$Ur3JX*pTv{eecS56T^2&CAXRWl=P7gUt9%y9o3Pbt#y01Un%H|cU%R^$ zYD*YWS`he>MPKH<(V^)hveX_t53TckY*WL&vsT?>RSFz8t@E)xA8&_E8Ew78wFXn3 zGiN!bO_{^QHR?k@HYXl@uj3zfNpQX&UH@Zg(Qh;aqQT@dya4j^R2QeUDl0*J3EVq< zA``V1+q}W4>W4Q3U$5!zi%BqHuy}oDK6c17KGur&5~wSQG{4_frrVHyU{R_r`Nh`D z`IojfB`Q(%eh|XZcOh)xQ8HHV*#d$Mf9t(Fnp2nKYM%E6&=D~tU$TR)Tu7IKf|7M! 
z;fOJ3Ya5*H{-`NU(WTLvEV(egh0J27H0zK3xVGixzDAHO(YhcK9!2$njllP*4-tx$ zV0^hE)qj;vL0#}7GhcZGXC)&cJynE85XaPPjIWQmp1$9dhJ zW**f$s~w$;$n`yBDPy*0@;I&_B8=7#?o^RU=Vc(vy}bXIxIYdjnrg1h?1>Fq_m9`J&*<@D(+{HU-d1Wx7Zp=pyxKT?v_2O`K$+61 zn`M^8>0=wrysN{>25j@Q8C)I``8DfCet}cLyDG3EK)(fQ-i;TDz7&xJ28h;_+!Tmd zu*C@;P@PlnO=qB7U0KK5x^o&S%a@cj1Vg*C4FagcQM~SM-L0*5hG89x+i9eP#6)C) zEk%2Q)(-8w{)eV-JhDKr7K1?t`}e2uW2lHnO@k}FretI>h^ELs9v;etSx-B%$i9wV z*M_pOc~3=SFJm=rXSMQDPF(%{r6ZFJO6j>-PrN@AzEp*Sa>3C?h^NM4oAH2$60C!g zqD-$vp_k(z&A*VL2g;&APj#lFWDL1nq1B?NkMjIDMd3Baek!?vZTOMWk+6?sYm`bV zRdM|@E|@9+J+-&m!q=<>Cowsxm~?-xZa-PjBDTsrQCyk|ET!!60{E(EIvPAvV&(}5 ze+g}V?!eZXzWFI@AoWP|mWOy(6oiLIWC8FZ!`{xfw&G}xhcu%>u$;Mh*rhk2OCYne z#)S@_Wnt7F3UF~K&lG%Z=NtUT4C#K7W*~UEMZh{-ZsGv4j3^fPymH)ju=Ii8&d3cy zP&rr^E?|}Bcoo0=ol2*+1k*uhfC|a@)?Xx~glz$`nMtn+3lVYym;;SAe#-Iyttqq7 zgxTjvX>lNwEoAaS(7K>2Z4AkE{7-HaTQU{#MGMO0dibWn74^vvl}maV7A+UKyo#0+ zA13swV^;OF(1=MUt&VF6zR{VRV8_~XSwQFY4C<_#Mj2E&wai#b`Rra}U`L{%PyGh8 zH_;HyI#d?L(#BJJHGhAI?fgtVM^|T&r<+A0h^WE9Dj|p}GL0S=F%rE0ynKTsi~B#X z15aH69SX&gprbYzt%C0H;VtB51I|n zgaTD1$_lt8OqT7pxof_CmY52x9~Vxws~*;HyG%*{?*5P7+mgHoS9sh#=4b z*EUsrzTaC0E*4Vuz-e*sH?D0scDIGBe0JTc9>-e>usx3(2w02JyCJW5s@OC1b#NSC zC`J{Zv{dG!!S2a)p|5U+`v@}1uO%7H?)^fzqACAoLXC%b?FoAzsU2T!2wAi}_7Q82 z66Ls@qAn!ks1Iv^MQc*m3h`R31<*&J();?uUF+~%M45T+eN(Cclm6LgSm-Kk?edg@ z9d@Im77?^OwdF+si-q)`!aXm^~TilzAy-uZy zp;jJUr&fg;QWJ@5_l&6Fm?E`KTPekgoG0Xvq8C&x<*eHbZTrPSrviG;K#90^sJA}+ zsc5tVa7MYdEW-ofIV@SWVBjfCryYNf(C4joA77z=y6|lBx%ukbU$vsZO{Sxe$5bv+ zo?>8lop)-EN8iXy;gbHhe8KV$mGw?mZ6W%DXZoz>WKHq*aFyD}tmY2%)l7m_^{RcV z1{6%JS?w-s?GeZAThbJbw%x4ee}LRQDqL<3s0ymYenqHfo!s11=SUH+IKOpMGZ<>s z{UB7+jP2rmE?4vlSI#+`tbmPo#KC*R!W%bK{3%#uU>no4xi!zP>fP8} z?idMTvQvCprn$(pY9!@M?KjHWq;b!;5K^}ua(R6+aaOg+Pruhkg`ylEf=aMRQ>BAV z>F4uq#OeKmn)!G%E8d!It?{(kExi6I@L)e<=FQ-xz30H> z-m$;FbL~VLaCDWWsNy)|vJplC(%-V2QVqG(T~F8&!yrGo@-?ppU%v!*A)1C)Dvb-< zdN&VQz5SG|Q>yEI29FDWR3A?`7nd{JLk9X5g{01*v*h@Hu>D$xBLs`>_`FzbFFW7~ z0qd}9P*E#Fi2Rf%g8&di^=N&2f+ti)Wb8s*qEnjFjR^r?hGge9St)BpIvw65zF1~R 
zTWKQ520)`LuXQmXfZbbEX}(}=UYFp?wnJYB^H>(0efT@Mh*+IW1@!%T0hZx441q9j zaiUR*RpfZF-5S3}$Iuh0 zo+NP6HY=`A`ycyUFy{})S@cpRs4w951Gz6$Z8tKT;*P-4iFX;_!4}+^2m6E%=JlTA zcZsIgwX~Qc5!>G-a%Ha7HRQNzMd#HKXZ$mJPKIW$A%qP0GD{mrx8qY^Q4y5!AoBy1 zkv|tMEq{GCwdXc4AeUZiopN zGMMUY&flE!gpJm0>vU|e1L*cgbCIgyR4^}9(MGK1in`ZP!KS`CSWO>2O-A46$;?4h zbiG-eI5-?Q=C1Hka#iqLQZ5hEVhF?xDJP1o;n?fC+y(_e*aRpf{lbhM%WSK;>ddE&u3V@UTX);EcADe?QKA4?=v31G6v z-)JYF8(BxENHFjUazATJ%B5^ZH;WBJPxp;v>H{cNqC1|lViJjYjkFEa8#VT0^yT6mTw1=N%eD>f3U>a{ zA!r1Bw9}RX#Y*lBUQ0hL+DR3cH##ZsSC_N!mz8qGc^9-NsXgoT^uglt#Bw4IJ*qhd zv#L3AQHjCczn&Nk>cFkScj1IY83xjVLj;RfPMB$4ri{#LBaAF-Or133@_zQ{YbIKv z?c{$s^lI#A8gEbG2u;pKrcM9J^$c0`Xd{{ns^+IsUV{%jG_afE0J1-pi3@;7>4|pb z?QXPH4($thL+bj{yUiDhEag}=ro|mwjCwV3&h?%Wvw4<&BtM(D^1O^5)reENYCmY- z6i#T~C>jmQ@T0-s_^veJgAR2xV=7Xdk(Q26Kw-@S}}kermKKSFZTT<$!J56yaatwMb<|H6S4P~L#u zY`uLW*M@+RjpzB=XBD?`>u&xbQ zjjr>oYgnA>gjZV=r$pZ?+ZjEN99$iN9BWNTFhFN*^|ScMArmAtxym`njraV<7QN`9 z>8i%TTLoigNDRtksSV!+t>fRRD%u+=+?#*HrBawY^U|X#?&gkMf=OS?tvq}5B;9^V zA#XcHI^$BF@AgO8nvDQ|xvWrf|I*8G(P)e2qb=zuhVGB03Dw`ZxgCSvtauU+5-sZi ztl-bGQg4w-4=S|sD#-6i$T?iE3PjhXIW5gZWX{!`6hqm;|9GyBcMIVJ74_h(|-WAgk&;6bpg(wPJbs;V{ouziWg*P~7WZ2{Pa{(XNOvMUO^Ljc}=f4XWI zeGK_fZC~_81*nNgQ`nqY`h z*^HBlo5E%#8GSt0(_#WDjM2j0#Cg+qXYU};Cz5x<%~%Pv8sQCp#6}z99oDh$YgsS2 zjD2jCy8OcDITW02KOn`sGT5Fqhf8W0pKxd?Uuu|Xwr-d!ruLX`^l~6n+{?dE{pA{g zCcgknQ|*peuA#7K|BJWg2cW=VHdUe7Vj3t>8jt80w=}uewp6$>Z=rbfr%6UKyyv5m{^>!XQt%JKcZDrpRr)e#%Y4Hf(qfc;_;(&DV2+TR0mTwmD3~JdDMa8GF zzD`zT;(vPV{Gx$UKOEYz@A*eXk%HlZOJ1sgW~_>~xz-6Tjdj+M2o=&vdsW?6S0e7F zZxagr>QuI86=AbHk~x%>#RJW$JRYMkoZ`C2Au&l6;58a1& z3UTWmNtnOyPpMEfZ{sGM2T#uE@~|QqiuW+MsJ}@3FtaMgC$^XTl&wrxw#qmATUwx* zdw$-OukLy+T7TMbK#Z7idB*1jRSX>0?0JKHx*Kfa;K6<6;4(xWoOcZL7!VCOm_rPG zJ4gS=39~t8JN4NH)7ndle=y$}B16{_nX{r*$?d;#LS%Wfin91-iT|Q30OrG}W#h9kMmoph{bAg022mLa$OuRZUw zE3_E`C&Iq6zXPg!e>`$S{E+k%Et{x2B@Bx>+m~3gjF+bIitjvX=M_0VA(uI*k2>{z zx*Wi+>B02AxfQd#nK5^34>Y&c#;Z^3^H?v>Vwb$4;x&UIBWOx-ZqrG~u%2>yiikuG 
zcMDOm&pWs6h+cF{8=Z9)4b9u{lP?Z++q0iZm>H7QuGyCVIem}#+Df}a)T5+wfI=G@ zH_$WQTBhla%KOnYoH^=lS?}87191R(fn4=@mpWSr2fFD&>G04vE^y zdm)JkFXu!V(`A;O>{bf6UdaFAM~AXq#!>fkg|xlgnbVeCdq~!vdek{d%dR|_yt&U> zWv6cdQhee&UrG7B%sToza%Qm5UB`U;N8O z%OIJ(?#vJ7Iui!D)W+%|;Pb?;ebDP(Eu~eXfjd5>HaE`Q(h5+0_Nxxj!U~6tFB@@!HaAId;JfF%r zHBXSyt(VC+1%p?@=WfY=Xqbt*+Yl4alX9)w486$)n5&-=s{VL*M*)g>@m7y2PCtRz`hRbq= zAKVd)SZ|P)KW&gxTD1G=+^q?oI?a`I4p}UCtMqxW)t2YWXIlj&I_{&(4lUn7+`ZZ! z%DSv2+(r4xc`7^2UsINwrY*TUB&7=jZHF@XB&a5h@^LZ6cRday*U@w8mfA!sm#Kp! zFd*Jhf)n}+yJHw)7IFoRx^YU(z;BWhM!}cLUBgkPy}amm|Ge~iPqcj=GQ$E0X`0f9 zs{jsM3Yunf_Dw*IwoV02=0dEMgB9V_;mi;Z38qIpnd*@dLJMkN5MNv^^x!IgRNA1e ztbPi{>t670(f|!;no?lVL;GoSyx-xTiq7|XG1Zh1wD%E1GL~mLS-;cp?s>yXuJiA@ zEG-F7RMYIc{g?7<%G%yQtsY{)v6ex+jE32Q>5%c8tsjGo4(pk5xZvJDL<^)BZoTNI zI*H}#5-u?Nmso$GPzrq$4&}c;@hI7MtCw!#=d{x#hi`h0q{QSSaJ0UifXCxp(;dIH zd;9i7Or{}9sxCvUvda}r8Dxgr)t$Mfe;_+2!9>7gdCCnN)_&6ffTJI?BoU|YX{!1h zOIEEO>apRk3pyCa?Y%e_)`$raq=9)`mK{^XY~PhGU$ncTp8a)ctM2<$;@2D%r0LGV zi|$UDq6#7Msx55Jp>OjbZ~TT5a~Zuuv}U25qAcFADmT zqMK)I)qxt>UiDUUS6j&H##Nm4?QGLoiqn^RdW=^1i=&~0D32=>3?({bs8)2;>JUl*5D!C!gALpvRiIOt@|?PAf_ zqPvSIjO}I2%C**S6F8%qrP?#`FSb4GJ3jI7EWrV8Dw=yqJ<*DNZmwbF*h>cVkoh#> z^F|*Y^LKqWnJ82JfVe|4G=YR|n;O~$m&sKz5^5{>q^riaMto|&7#*Gm?>A^~Il=7K zBzTv+UZ4QR**+E;p_^&@O{nbMTKm-8MYZ(MIlDA=vu;eH5MPlCO2+uo7f22GNeTn2bkaKUwfgo1U;jt*I46pU#4uh z@$hd*o!80i=hzQ5S_tk-J9q$io5Xe#mM~|wG>@FVLE9{$gw)WYJjBLMS7;m6v~U5k z=sRf0A#coAnz=M*gzvl#AENP)ZL9@jqPL&ZxR{OiM8}NzpnW-U2sxEQV`keD3DX7xn?| z&!KA9YS_SB@wG--+po(O7E!Y)!({s{0g$SAE2~Z8gS3zqKzfG{-Dosh%dksd!h*2i zlJlLs&z5~YvpzU~(mBJb&DdXgokS&DT8+ee1rI4CTh=#ILTBQnm~0<09%@>;zJ2W9 z<_u;|6X<7s$GfB%C(wnE`_EV@>~A_Lof^_sKo? 
zjnU8k;Eak)1)JA>(-Gd>=uB?aT~gLQIi_4Df9AS0!0=A0uyBR|cNz*Tb2+e}ipk9` z9?2gc+Wu~6zx~4T`yLlPv>ZHeTAiXtwr}zE_X10edE-K0^64ET-FveR-Z)`ZH#+K1 z?|SG{K5xz~2S5B1Q8eV%Ckq8EY?8T-jHNI@@j$jNBTnY7U-`(^F}-!(Va$Rva%3iM zv!u-%^IufNic9r<1{Js7$TGssIfWBx3xa);fBg>6)n<>dZVka^SDzg8 zho=ozk$Z&#?&2Svm4p7u{Fvj3mHB3!g!t?^pg)wRVAWi0yJ~POm7&PN>!m;uo+hhJ zQS6vfw7SNC-Jf2iskIi;@l>d{y_v7tc?}s~L`D3=@@dHlm(VvA>u;O*?Yp4dC3#N?47WKbH$gS3N_mDIqt;!qLgnKOLTAP`WYD zU{EI7@$6K8_JKust3@Qw;)DAcmJH)#qqt-pLUwmg&@T_GUE zq$DFV4T4Ukv`qil#$xFu3)#4rl;Y!_q<_VKa z_fTzxTrH+7RSjGuAyPZo&pcATbE$=}ymd8_gE&8+?97C(JXm`y@`FcF%=hz4*c5WP4|X6n1^@ZUA-cIzL!Nt z87bN~;9&0z&Q)X9-|Fb|L;xLWU%jB*p!oUc{OUx!6aTR=cJLTANOgn$7v>tN%vv}d zqZG`lgfkxi_3Kr<|B{Nz{Dq7ltb+b zq&nIwIEng1Yeqs#cQch736T}|{E=UxG-iesC` z7ovlzk;ZM#NhR^JBwiyagH_8~v{VU?0^C$geA0KGuP7IYE~exBHlgC~Ga;&l6W;(~ zNK8OIc~gSAc~9?gZ@TG5?Q@+>U6kFY-H_{Gk*)T=Goe3QV4hEJ7_vQ_!AW+$IOrc*a8PQF9>Q@pq6HT_QpGg)Z^S?#*^tgKwI~a8 z*}|GJq>QrV=I8|8G_F}lx>|fr50fX;i5RAG*bIpI*LP+ab7jPg__lToZw1Zq4Kbcw zM(p0sx9>5w(^ZFio2xfu67cAuXNUhPj-=|a@3jK5%|W&r9qGG#_UhHRy!|)uk7YlH zaG^)G%xHDLybp_&dUA90mRon&rj85S?JQU6H4lNN2N2hi3HmAp8pj>N9@_V7TLBCL zi+3LU`-R2`dnn&i`P}jgz!}4*fQD%)I%Fla;1*#Uw~l&i7Z;Jo3ZydXJCh9I!k_=7 zh2@lc?rblsNx^doTOc>*_5}Z^Os&86HL>pHl);lh(@6s=ii5tTaPJ+bvY`*a65jDDc)m|YEE*J!#*6vNhuOyaNx;t)mg6nf z1s78v{Qit~eVdY0;OBk;{NrSnrE4V7M8s=@$E%FxSwA9+J0HRpnQ;3?JO2IOUp|Ql z=O1q?sGn1qbFi}3halQVV+MFd9)36nGhts#p{Q)nvh^*pT$qj3OV#}RqS!Nq-Z&8wtPO_NL#G~{`nS?qIr_2C<#yJ^1H7;O6V-Oot(vR&R^RRc8bRxR7*Ajzp{kvz9JtA9V_Lg}kR z;6$?Lq*!}V7jVcT(v9*Z4B%46?c-iSvRhi$rsCZy0C=fwIJ&hpNwDnSR#drmy;k$d z$l3E!WKC4(2I^hNhH4cEGu^0!?fA@?SrCO#7(O;POm}aFGe#iq$&6);cxPmSvmOXP zc=ryc0(ZD==$=KR4zOf(XwR<%(q~@*69pQAatPZz^A5tAd~K*QWGw?SnIkYlk1GF< zytj^vs{7i;Ef50{X%J8lk?ui3Kxw2zO1ed02mwL*7LX1B=@OLgmX=l!kRDn1d#`I>Ywfl6%pBUiC^A=tgN^DgW$6cs#Kr1c`*fp0i)G5^k z8I%s)d*$yjn`2QxfVR;q8X_e%x9&W3|83l7&t_G)+7m|d$YOiw#0usU##aA^LXs_f zprl;6YptVa6QH7pD=2k2n@?YJ{7hu=;XWTK;}zb-8S%D)<(EWI})?Fi*I8{H4- zy*Sl$dOedBUdnvy6RknFZRRX*6~?D3$UgX9GiBQJ*?mZ8hKM=v?zl5R-6^K~A{Z0!c4(uqVu+LrCyu 
z{ob`v=De-q2&k8$tAavr0v`JP%O#GFUy#i^tmf>ZA672mgtrzVKYrWV>Xs-=;Cbzt zDBdi4SKvZ&A`c0T`j+Qq`}d!CQYV|>$`#uz+|f4GdK#A+-bp-$2MxWD+g0GE0jyxSAdiSrQ)S5H6; z(}>QA*(s8?hO^)CjMhaXiSjmiXy8$>WSEg^^4=oiv1~N72V*$iU^yp(Dwz~v-ja@U zW%5&HiGHDxNzSCZ=5ib_=lu%*hIdYghp`*$D(h=y-1eK#bbT#{u0N^(EM<;p1@?cllqUXi#+uINm1fC%VT``KLy zf~QLzJGv&aqA|5wyJZVo$zBmvY0C^fD}RaDo!-5`=jJa>E$;2qj8C%48{{>Uw83^I zD}s?iog*%ESDr}85q}%{wLzUDXLdqiT-R#C)rN2@Kb>4N@~7{pb9gn=GjrutEX!L6 z*iFe>1hq-*rm_?~BzS={D2tHjYFib$D)Df)UTX5)Ei53#V(hd?%Ix1QX}#Q#-dR4A z*{k(PgG$_MQAGM|PWt9fe((O%4xin>NZCKOuz8T3A&%IFDdP|5F|esIupu^woe*2* zAEKCSsB+<(bE@{+vptn_1k+9gi2bGM75RF{lH8**o-{@Wv6bo#0`7EC0 zO310h1YI$a9g>4)9S)OF9NuNkdP%iAR1+g*KNou8qGR#3H2=%_xu575vR1_DtX^Ptr(DoxBXJOJ8xKb#FTp#n{`KTTx8;exS)zOU=N&V~ zvx|Gj%Z&X9K7VJ#+@NbUpE29}3Kb&o_MaI+BZ|}ycPbyZ(H&jOTC|2fQ7XeNeX#GV zU*m7Qtc^GCrpkQ!V#0kw@&hUp0iSiSs8ztZ|cOYN_0;X027^)5{FmQZG?jx#H;?EMKQ9>G}P4^u;;ej31hW2s8=Q{!+7iStX?CH_yVi+%vjp)TCnyrF&uuP19wX^D58Uo{f-# z%*Fp4JC}yBp5kBF}S@>tiw#8^k6=ct%6U z-#2GDPq1!4ZdGLO##SK8E7o?InC_4`t3aV9<6RYf&{llARt2biw$t8hPTw9?e`v#u zH6(pcxg1x65%J9zPSRu+az~%8U!{wDF6{{))WJbJV~MZRR-+>uYH4v>xtWKdE$*t* zuDFwWZ2`S&?p$7dfG!KNvYQI&}@zLchoZH4t z{xaj}BjoM$tfvHba%TCf2fk8X^g6wiaYhlghl_MCwPs~%fBn~ITtQa`$~G+rhm1dP zU>BAEY1yJ%hUdw`o9O69@wfZgJlNV(nrNk0T}Bv1U^Bp>*0hh&AQ~)!kTBg-i)^>+b~1hcq%dt#WBP4B(loP1+T^Hb z-zGb|8-k%>68ca{*MlF&MB^E0FV%O~s`Lp=LqFgqk(!WPm8zXv{ zb0_4EdR`oY;n;}V-3oTMp^yyaNZ6Sbs@9lMw78?(O{Qbw|7{3E9gTvnMV`%%$FqP> zJuQLePQUIJHdX_Zh>X!_?qm1Qws&Rr-PemxN@;b*S&-sQ{6vOTjsEP;%aVdYrnLSb&CMsw1Lfyb)E=-*ux~X#VCq7+I9> z&N^U5(`Y6ekYBU#mOitnxGx=1u-GRO5D987|Utrdp{ry>XLF6x;NRW(RYNmjcJiV4DUF47nzdE33BW+~xB~r?;R?TO0k9b=94YOE&S5ogsHb=Sd^Quq)dg{v3`Q#AKD=*%`qvBJyh0Zb$2DPKJgcP6 zaVdRZgEGxL^^32Ld)j?V#lINz4ioU%^SI(lTlFEi0P)qTn8m}VbBUN*ZLUx$ey3oJ zbm>x&>Wxj1;NHpVnnGMHZ>>-@-*DQjbW(EU3{=RWBnez8xC~dvY(Ov;Vtl$eEm&>B zjC2E07$*MEIC>DKtfwo3a@^=(frQ_%0lkhKeNd%6aZkeiw_BTPv)WbQ(s3xE%4Z0LSiD zB8u!XhQ0S|ot|>7ZlOAKIjT3Ks^^Dc#g>4}#Ys?o;&n)5YkYCSK;Bf9HaGe)ltBAM 
zhGo?DvV-c%-r9Caaq8`*4x(C56>TNBxgn<)Ug?uygz7Ry@uJ4!_dvfH6EvGRUb05n z{tb1=5HEgt47Rotjv&@4Oi8gh)ANffoUdTRxY|y#PnS6HtV{?J79U%U+l7SQ$qBC0 z)63yhWy!3r_WaoEczuKOCrDIyPO@9|@I(M48XMVg=4LW;+0%4d4EVjzc&=_eH<(eA zeK+#eg!c8#lkxF;yNJdu5*#XAMs)NxmwN&@=T!`=OX)ch(}okxu;@Ol~QCY*RHhxzMFMcSA^{m5*Q37L2!g*)-G! z(j53FsnkoSxtR2A<(X>nuOb-(hdJX6=~bP}L8Gq4kNT=vMe{%!I+(XYp>0v`Tq#Wl zf%(pVu@HxRZKi#l2Xj7s=zLM~^tS;oHv^n+d`_~fYE6$*()de1abfpVXlgX;ifk+V zBL}O%TqLrBuzBggHlkKR)X`Nl{;j3y(YALmkEyg154l(6UMU-aWH!P@m{5yvYq6OZ09OdNSN(RO^RvfGY*ZKMNEBb{*}WtWPM8$IE63xk4Iw!sPeP`4@ws7` zxdlL;=a`{GZ%W)CeVzLwwsR{5yh-M`-xeOSM_Nwn)_3C}P5uHaxiX}u#-f%X{$$y7 zm`{I_De1}lExKMpXGKCyjp-aQDeux(jFXMp=NP)pzTPI})&stPAixzjUvE=8k-P!R zDPv{I_|OQM%aYIbyj!&LQkpbeN9L11Y(wDfkoKE%;Zg8_`^-Whwx-|8d$EPP}q{&4(QXySklb()KiepA<$yo3t37nE>9N5#kRM*VGiyE?3%_3bybWi|IKC1?)^!ESxQ zy2rz#D6}tW9I-lK{Z6gGscb1;kpIQlSy_VqvDs6S^F>{|a?yrnJt7(U_)5=cW_dUy z4N~^9Pve}L(?HhF4pbXVudKI2B@`of8xLxhd5gK28{Z74Z%pCi`%_5Vpp>j z?|Et{Fi))5Tfsv!W-nuh1DxG@Rh#KvvRZ8Wd>>reFc)OGWbxH^v(yK%CDZc`0xWf)Yf*Y-Yb~YnOuGxL(T<$!^voD`(>zq6Ks7dR~36hfvc%VBA8VTP}^N0WPng4_k4tz0=q~1;w;{{kd=Et_C`}seuRsuO=d@BEY$uyJGxY6)m@EmO5mo^$9aSB% zPhqF~KhUK0PsV1|}Z9R+Cv>vz`r6^u7S zindj^!^(H*Vq5j?oBAkQ#bVwkiPx!Dmrcy;g?^5}-Wyllmx*Mwk-r!)-{{!)xzdw< zLVh0>ddu!lqP7GJE~A9? 
zES1BVTyO*jUbWrsD2wy%!(6Sq{g$T_fsIuvk4f)T)5xt5M4_Fd)oHt(=E6+&?rk!w z@~jD=XB&6rrQIo+?!o3HzAKPDH=?lnDzMAYU4She>bz+)gC~h$lMrHirFOSRAn%&( zkfXc;TQ5dJCUj7a<=f1H5E<5h=)Dy-r>pyo(u?qS$!~nyl`@FC*5kGbisZc*IE;Ar znq+qz)$Kje*4Lh`6$t=eiQcBV3+dsg^j@)8qQO`kOj9OKb)uG9$%-y&9NCh_u30hL zyTyQL4t+RBQswTu3cGNPE`jGUF6(4|%3;~ebiM8*QF+ek zm5`0E;-4(tW&@sYyqiAx#-w6;B~WeO<xjA`RthDAVlZOzI-g__HN4fkMs_`l#|yq>Unb|9 zsHU(!l9_AQ?;n-ZATGK%TQuybLRK+$Gw1v3TU0BN8JTm28$){$T`C`EyV!ZJWNZk9 zD3)1K5&COSQh}KTkPNP}mNeNAX-(?6Mu!Ge+0YDL!`HBW5+uZwAFp{;`IQ>3{a`o~ zcZb?ZEA_*V#k1%hMuoPKa5DkP@^dsdaY?l*hR`0hs^x0*D|<^`4I8z-H}zn#N~0Hy z6l66E_&)Akn+R&CA!nKwl(jkm{EFaHL*}~B=*@MrjA7Y5_3_aPR%s=3f04z==KS^h zO~cD=eQ+Zlvb0PwrtY^ezWE~QvsN|bgbX<>f5-n2yHW2W?B2w%V8HOpqJ(=!RAE{;`ZDVfaq+l7zc8@GN6>KZi4DR6k# zos>{C{3!=flcJ1re&Z>!~DaKVj*XB@ch=wrws@~&bD{R*UJVD^25@-7C_%DSS zFz@}h7e}+{r*`y#K8H{;J;z^8#riCp+Akg$j_rU{z|?!a?vcX zD?r|<2EJriDx)U6Umm7J(Esj5Lw9rbhJ8ON57cRN-J4bKUet%VXqv|SCF=x}0wHKw z>kjV)F0~wLTx4BDx8W*mZNm@LMJ3ubdb-T2Po(6zv=$yGkfMbY<*?D2+cz{e<)%B| zT8)1VVG@Lyojc5!Eafi(OHINEEOkQK$fNnlmKXi~kX}dl-SQd3-CTUNe&YhM4CGWF-kp=2&;!oCIkmKw)yqr?NI|4n|51k1e1s+jZb7YDi_ zSRCHjvDDOho8sjvBP_d(!}K;XB4@PMdl;5yEpB&>Lo(EHf&=1|a^57u<~mMiCx5lR z37;c;+{G&DR+*rr(#M{x`xQg^B>REsm5A}hSzCtrPikBx)0Y8QbNx`* zkkDlvcd|p|+NGXN)tSzHEd`LXaua`UDmZ4`w!3&%Cbcl;ZsB6tEWCHZ{(Q)yds_`t zY?l6f+qO%yF%k)<>|%zBrU85%3l*Pc0E3rUsKYbT7uV{H^3$`vo# z#F#2VqWNG0KMUGDnJ>o6B$54KPTiWFtL@e_l}C{{nz2?hWpuN#MZ@80ek>W z=SC@zMl>pRoD5>xo!dS$WS!VgMi(R6HBAwv=Kdt-Tgh&2=2kl{)M_~FIDP1 zh~om(>zW^>S&M)V=KaG8yXjHgW!%b~>r){c4?~C%pVVjab2p#2wzy{jM9x&7-^mVch74|YG zlugW(6ZkiX&#%Cv;9ua1UK$D^(xE|SF&IQbbK!yNZ}#Je^jC7R<|NVm={$27(2xM& z6eiSK_de2wiUUnl5ZI&dJH>U1^Dr~kFB!?YI8~ZD`h{cM_HBMGH=*J$4-bDJG=*=r ze2r;laEsAG%%_=(1rl0|ZsDo=y>QDs za@@v5Q?GDV`F{8=y#CU*AxShRO!d@Zm@Sj}LIpUHIOs&apH<_VNXCp`UHG0mDQ+Oo zmeFTg*g&nvF}FYYIcr!AtKVoLDaJP`iY|X~!AHM2&w41Pe5SBfDV$^GJRe3DOR}YK z^dQOJr<=eL^@BITu#i(=Ql59E|IuhElqNCFG^6%9t%;n%27L&dP;q5$pYiq#otmqF 
zBL(dwW+Fkct;uo$FJx?0obJ-xBYL22d)5-VGZod4NN~7Cj+bfMdJe(`Y-}eKayqcIrKecZ^awf=VbQ}+6MAHGnJV=}wBXpE6GE)^VF_^^n zg=&&Z+K2krTdpHiHJsJBfZy7Q_)>iwosEI+U9MLM=`X|+Dwf>}ZwTd?t~gU_c^I!d zLTks;#N83w47-7meeZU!j3roVXqU}33^OLJ(peOWmKVN9pTbSXog0*vyzc`H72^B> z_zu8yW{F@=sBpA7EbHR;CQT0erhqjQQ~F z<3?fN4b$0_;uM}YH-Jw70tp#aRyc2#`^NQJr6+oPdA)IYs^yaJ{!8D+NCxq_!CqpK zZ6loSv{@c4&WyKR!f)dY&@v#vJ8bA`x)8Fag&R0BVn)m>pX!{vvv`!%A8#ut1Q(8< z5xQd)?Zd>=E_T89F5!i1ih5tPFILJ?OhHOg5&s)tqRPbk6B&Q%$_#`OfZw zp$Ze}Xn_~SyOT;!Klsi+;am|x@Y-%OU$IMV>E9R1xc|^!+s2n$<~i`B{+(0O>Q!Y+ zX3&XZ1ibwO1y%>l0O(@`PCvvdcf4spp1sANJYKA&t9N}j2uAVQS`?kAIN&ivV&V?_ z39W;lSx;sLPMR8>C;`xzbn#)-BY)=tMAZ+oAApcRQIWcW0eK>PhHCo^tgDPJxLR33<1B! zx$CU#d#-I~-q8rN`AiTpFe?{&oWH&%n-5(1={!GO<`+40@Wc1(7vEftFIYy=Epy#f ze3c=d-{b283RYLMXQT%cx$O1;qm6Z5noyECLYuwjsbAZvcY5B*m#gJR@nx}*J~s&^St7L98=k&w%N3Htzy^LXPV0)1af3ntBXph_`Ld}C zTIsHr84`|8c>sIxXJJ$MT|Fs=*I zc_v@}nY_Asg_u(IZXTJ&2zu+!Ij7I@|3FTtw;&*X6Gs@wCy}t3IYKA@Eu(r-NoHiwU}2PGh@_dJnx+q);0B$b|BHxvB zU9J-;kFp%v&+F@fF5o(AKSz&8z6b9z?SVYXV&rh?=m1@U1$8lUxK96AIJ^US6bv3m z2LS9*K$>y*39+l!f&3rqfXAQSA}aU_upKnxN4z277m?Awii!XQKSo;;KK6B2fI4{m zhmjiu>qu85SZ9v|>(a4cxf}-;D1QVjVPJtDM?cHv`gsHkf(6PS0c%Y2IIyY!u#bR+ z)CYRc|>GzOCI2(#*r1q&cw+Yzup`6FN*FpKdQvk3TwqMw2CN5E1A@H_(62N3Kd zU?KIPIxHxE)L{vZ;~*%1)L}tbjyNnR|92b&&G`3Vr35@By#;B;!OJF1FnENbmqGge zfdCK)fz847GOz@47>8e&1Hn4l6?E&n$AR_YSg^=I@KM16<&T1Oz^s~|%vuMd8z_Gi zEcfHU!a5GDdQjhy=myFkby%(AI0(ugaabfQM>q(|{|yI`FdV$5Sz&c>o7P#g= zUSo;@Yz3hFQLv76Sa2&j0v1vqm>B>B`5E1ok9Ao4<2Z1v~|aTc8;S?*%Hkei8Ti&5x)E03p!95X?6efFS$xYXJaQN4tVs%Q?_DQJIAU zZY4*+I&<7sfRz8kw?T(RGAsPVFJ@hci*G^79|7y+abTS~4y*%xsObnOf5c%W{yK(( zNckht4G9aX!y@JXhJ#2mesS=4SP#+>(2O7H2&XH60Dw12dD`gs4U|6umJgCyIN*-<bJk*;9Ua$t4|DSrg417=bDVipsSyWt$W6$l>Z zu%1UYW6)ud`oKaBAjr?$4Jm)bVX=?nASi#7gCHzNI0(xB9S1=(e&gV=upXquNHY%7 zk-^LL00Kwi``?vZ$8-ggmfB;%I(9422Ej)K3n_mDtOI8G{9+cE=z{V`!6G~kESBTI zk^uFg=5FDj{85KJuGm7#A9dK{imjWV{NHd83B!-qU4tAvvI4(~Ezpb~#TE{~-Q9{t zwo#^Q9>kEg>=d_Vc4(&71xyw7-r2{7up~M=Qb|me0w0egw+s&Yw(K`g_QU!NCE_&S 
zY2jc-8p0%MCWs5aW{(F4u)L~n2CwasO;cg~%fdBRFvShJ{Zro6(n(M?1ooBUlB zypHGl_|eE&u>Vk90;qm}jOz9lQ1z%3sM<#4P<2v0uHoHdRIejdZ-A;h?G9D%0IH{s zQ9arUs$P)>Ri707q1xbWJ#Ol~V^pK7fwMka0M6R=P_-MNn*RM!Kvuqjs!z#)sy%V8Py${vl!fbYa|_(4h(p@b$z|n5ayhuJ=%TJ;*VKWME>^BYV$yTD zz^P%xx=!k`s#$>^pS!0-LDda%?4WZpov-*m?}?UD~+GP9x8xsg@#0=vc7(2 zl;X8$ns->_pCeoU^csL2zJ525S6w4OaX0b*1tJ8pB3%JjfsuLzYZ8ee9ofZh4D3)F zJvoW%yO!V;a7Z5-T_a3!cKQS*zQk0&?@xiTZW2Sfvcuh)IiPV`O>~qxsci>JQuQn) zz=ig7OJJXEkULhjF3=Y zI1$8f`+`ZY$t+jLQpT-0xzyeFLSM)w=D$E1ObmwhBEP8+t0TDx_l|vf2+V^RcY@vTWaUI##?SiRE2|ELEVMr?Gd__uA?RUeN=SwBcoM<~Fd$4F$au(T^ zahBwxaP~PUx{8#A>3Qx)uB2jpwqZ`Puz>f*nx&>ak=@8PWh}^FzM43&i-l1WL%3G& z-4AunUn+b#U!i8IyeNtd%zy`W0^%&G$p$lzumg0EAv1ijN-nv&0%WWyN@7%?Q*M+!aN?@&6FKNN5Un5k{{N$8o#k5974**6oj zDXD;2Ww>tx=7{xy>dFnuk!|amr(qb7m(7|@1`Co}A`bwRRIpY7a{}`*p_@qLz%~@* z)|d}<4p#kyq{{CGDkRRwKmxR(LIRq#&Wr%2Dc1kdYB-ZKH%o}hTM>3LOF6Z)&X4F7c>va z^ahwIDw%4IArsJsik#aq$N_Dr$Q_UgkpGQLL`NZEJq8l64TU72S*RpIF%=|9<1r)w z+fYaXT94{p#~?DTb*Qt{<)`2L15-`<0ROu1&m2Pe&-DTaG(2W@od9J}7Xlmsm7DlS z5k7EN@WC%OfkU7ye+uY-s6hh72#}Tx$1K>tj1dPb23luz7W7v}PKI?qIn6(e1)|c% z1p8tl;E4l~4}M$Omq$r_>KKT@w%;NhhzS}1E~@*3Z7A-4uo9sBLEr=<9p2IPr#*(m zU>gdFL9M38O`%Kzrp|G?B@1I0yA(m(wgSc0Lb zi9tDFSUcI@$T{=pdLfN)Ic9cek1hl_0&0NeI*KqjAS?iU@N1Ju0fs=0VV90sR}>?_ z-RAi*3-+&L#KDSz03K|^18WM4qMUz%@^{;W$~Q0cFL@(-+yEH_v!=?maRTzD>P{9ClJkTo`y zvM@;nlDpEB!oz4GJ1n;-+V{uKXe+|?r95Q_$jOk;4l*7A2ibB;gFnK>4CyqG0N4Wa zbON6p`Cpf`}r0M8Dx6!tF8E^Z*!{7Ub@Aum~&0=#2X@=R>spcJzj}(J{=MqAH zZZ2Sa^g1Tof^B~UsefGe9;A7o{I6&W7P+X9fHf*ABw*X`kqk)Rz#13T509yPDUKlt z*oHz9(0Ww=ItG!09RrmA<<(%>k3teuQ$r(x@c7_QQB56S@8N!g zQVasQY-9(p8Y)0%+TRl7|Mt4~fJ|WB{EJM-6tpz|wI%+=W84dDLvb(AdQ|s129bm6 z2$Vm}caEH9{K~X`nL3_mTuxc=&m01*aZzIgSQw+u4y6F$aAAI!2(LESPsZT13{uzwNGnw@3W9*S!ZTLHp+(aZD2SUt8jz z2bhCefP!r(Yyz!EUH)SbIdE%G{+C~U2zY5@wK10PeAgB3ICc?OCR$kYWa`%yRbe;FeVR_xcwLX)KFx*uve z`*+*KF?A(alA>;6)96QIEGUY)WP^Xl6j14JyVL)`u;7eQ*9D$)>0pMa8kR%=MI;4poP{D(Cv@jtCm(}8js zSj*o(ODU%$1wI~G6a_xk0G}Nk&ZkrW#dZE~XZT=QYzdrLl>?PvCHU;%EPCP}POz{0 
zA6D;={$UYa`VR-TP5Va{k0(l&Q*!(nUj8nlO*tljqg2uRwjEhc@a4hM$&vZh{$a$z zJX5Q5$1YauBCo^x^x!5_1H46ph&CD-hNZ;ZYY+i6T)z3yk>Ke4^TLmHtev!{N(_IDAZ8p+!T#K@ktFS9qyLb_(*t%zm+u{A}f)sbye#Dx1~<^Bp2 zyhr11;uf9jSk{s<98bO69I-ZYl9#Wmsix9t8=)~bnFSx84vmd*+Q)uud$*C#a(J(1 zzR7LHJa?p{qhVxPn$H1Fva@nFB$gMxQdY5-QMo@dxO}!jIyQ#4%V}xe9ZTA2XBWV9 zr)ILU-IQ+vYthM(*GaB<5g5I-rqyY^#|hCh5*dm};&FW3Y)Z|Gn1ILfEv+s(ZH_g? zu6MX^^6kgLW1aRnKaP*{(eXO0!pBMZ7=}4C;NiuNbs0Ne-yG{E5qEhiZtQ5Z%V`Ae zF`erQ)kTPFuTy0ps8V(UN1ennE8eeGzR#%mKH(&mqOnkb;Fx&6KWRL(X}ov#()wvm z_yzZ!S0o5ef&E%vM17p&SiRHthkWK^mFCGB#mljGI$H;}7O&1&UxIVH??k>B`Oe z<|-}HhwlK*vtV-rvN^|b^4syvQ^@8Wu(uzan|jrh5YC;n6a5a+lHxcCJWL(Fv$GgA z13pA)-Ugeckj+7emSV@r@0Au1L<=x{=I|Zh;Vk%Yawq!d!^7qlWOE);2I#F)X|XX} zoH2Z7cX1#Bfw6XY-@O>MZ*4Mb4RkMB=hjC=_wPij{CO4MZ^=NkBsflXJ54^Sw3w~5 zU_q$W9Nwo47q1T&cPEUL~}Gs3w;ccQ(K-A5}e6e}&3hl|sOi?;VzP2I!*R03X);cs{gIv^S_VZ;B z3GnkZ7Qy!S%@7Ij_nmGKKBKF1J{S93@0tFY(RoQB2n8icM}RNJ=lVCgl#g;*7C~lO`q~qJ_}l(#~EV@ z7YGG^WOt@3Fn4zdg&>J+ysv0meg0EQ?R*xFK98%$68;bhQ4-nrzM}2*>;{za`7H8% z9`wc%p%4lQ64^vw(T+rzuR>XQN{8@w1D&0G?3aCE{KkUukVF|0>=fUWPGMa`9j*fG zxW2GQ#)7GkM0pbIG~bji;qQhzwguQ#eU?_&2~15R3b5Py!VHZC3n7UrB-ok0G(E!a zjdc17u$TM7Y>fpgAc-0z*x9}`FyR|e9pXZ4?EWw>W5Iezq7Dgmt}jim@O!9^av?TL ze^`XEU<)Ksp9DL<>Wnd^7bGm+Sg;*EDBt&KpJqfMwhW0xCnVm`C8bYT*O*zU-y;(< z(a2@0PqPH_pSs-7Ez=)e2GJiq?1!nvIl*gL8hbNzJqM1rSZdI z{DNTu`C-C>VIuiq;&OXaxw7*8g=Am?m3*`%5ZK~tuT0DhyZ7-%F8horV6!x``3=x~ zFi|fKaH5aFIsd!2%IsiYA+YbiOv#-6IS4>TJSiqT*gERf_y!Ay6@e~~5-@M(G zu{6%#zf}V1bHr66G3N6EyT6<210?@9Zg<2gf#G)ykXKLex|dQpG2bN(FW~D}*k2oN zYAwPuHFc`b*rEBjF*%SLdj{&%ov~v8{4oejctd{(yiOvo`oqBe#BMxbB0B@IP>*oO zzi}H(1ay!M2m2y#JN&`heL|t0`tFL*9nZy$^4k7LN1u43che03UJ?KK+eJO$wt_af zCjjuxo2(${%IqNMLjNKBa+b!q41mjq<4eXH1sSy6_i4X2%s>Q#ED`ht&7A6?fD4yO^vCDjDVW zofUWK1iF}P3MwI><&|8(m9;KHu;=Eg1Jd?P5QgbK5C-s8)(Ejs*B{9$0kozRgRK$b zKW|Tgw=~&6E8eaSuBqvHdQV^_J_b(pbs~erufKKw^S6Dppz;hrxh{CyjJ$;+Z?opp zyfmy#QJa73apabdNW{_@VjL{k^Q2!P-YCzQuC1WAFnFpD+W)}PxX_rY1kzu4MJ>`; z1sJL@p4=1ta&?{)Ux49 zj`=}0cIzWj6LxM&4rM{xFm$8R+ 
zj5j3nE_~i2>^jREPTM*|87mR2-&T;3vO-@{$RQsi)Ki$)m^aneEoTF~geiiyHQq=? zc3jEQ*eLa`cc$??pT?gJlK-wWz;sacJW}-_s5;*cUrj}#6d1PdKXW^Gw%;q0ArVxm z-N)mNa;t*WPFGSGW@ReWgWs``0d_0L14k~3H}W>vRIoH=nFnG%pyK~Oonfu*00eVM z(}3L@tCj#VyPhQg9QzV#Z3W{iDJ7%x^OG~+!=UHj!(QY=OWA&AWDm9)C*WrvX}Vjj+}F!?hXWjksmgg)EKry$Zl? zIrwb_(KOu@C53Et%7Q&siI2Vi?A#F#c2>>@J9~qj4cfrY49LzxVCVd&pk{nf^Z(~N z@7k3EK+G*}02t&|4uj^y{g?pDckL>W4|aeDrF#`j0Nob%kexP>ofg1Oe+y5i>41)M ze)4chL;h2lN*jNJws^-~GNAiDI&Y$o_YQ+Sfc<*pRv13ROwlq62>uXqH8_Dj@F%=L zQfN8}Xt?Vb+dbCg2;X1itpLt(b~ZYIlAG_1u6C-_F!EMk9KYY4G4Hs<8$xU)6x zWNWkQUZ!OGQ11EQIMJA{4#n_k_f2Za3ET>T?+s(bEhO8Lga;MFX)zD$` zwSGnNSY93{+gLa#h%(;$1dUpa0VCJv%5T=1|ORqZ{od3KI{bNQ8b_ zb=Xfzl6Kl!QK3V?`A$9*KYa%G#EBCaCq{VCl%PHqP+Xo9C;XdEouC9-UqG3xP0fug zp6cmYS}p?A;kbkf+zA%O|f`1P>7zB-dC>Ymx_P7o1rk!9uOIB%1iZ{Oj!=Bgo z?>FTwW4h$wdc!jCjQ2G*@%7nBb$ZqO??R07C3mo`LIoL8PXG0>xW5>&EG^$C71?L< zT*qm%nAT`_WV1ih2(B2?YoA7IFdQ!2wba;`A3XQXp!73w`0!`n#*oF~Vcq#PZbw8c zf@QyDc;Bce`Hd<2Y(Yy`ti+IF>VlvBv%*)VhT>|&`*3SS;Jom2xDkWBX^O5&Wt!y> zu~GM6>402#s*ow$c7mzALWFP2E9f_s^i0l#E77TXgXb)=`s^~u&e+EXWO!-pbIN|q zf^SunEonIHP5X-H_jmEaMMM%HxUzO^vq|jZR-W{E3SF8Gz?xgw!m%y>~#oEN4 z+mM-tmha>hD)3$h%)JYhqV56C`b(pw!|5rAYiSeyX(B@(41?)c3bPb~q_K5uK3mdj z;l8Tlrc^ZBS1(GmauVuMGs2KioMV2T(aABep`_e6j zPtJUimMzGOZG@_&w%VfE5x0aH=6y)QHZvI_jH**GEnIb&yKk+cb^%u9TAP(8Qg}xj z*JQZw)<^iI{#~mg!{^r}=u#`@@;`}p5X8TZ#Yit>oh{pOYoZ@n=Dn~S4TCSpY2d(DC7}9UC zXLtvyzZL4~^SrDn*jBKnU0nL?qKvkxdCGCeua|D*;qoTct0;1Yh^3Wj9hUo| zFGofE{L+nC#Gm(htk=IeRUv}G!rYtyj3 zbF{sdZH5ThKcHB0=I*r1uf`AN6-3-La!W2Ie*aFS8jsaDU{%Xv26 zywzRLUgGA;Xxn0bF6KN@Ya=z!BYPh1y6=ut72Z4<)AQjWnr-LD+J+A8>*Ci;6~1OV zN$F0e&1Ho`Jzqyw{e`*wgpFF8qP0}F=_#2z0i|QSY~j04%~aIp79V(%pzBiewdHe7 zQWpn81RFfZ%6Pe?_9iY5K0T+R;-y*;tzPQ;#<|XOyets&*=NtPt5s)WLofLZo-|Ey z>yRGx%Y8h1<*~{oy1?4co>_NUt#cO(mqhsAf8pUU#z>aAd}ldCz~lN_xpTP&dxoph zd(J>QDY@|*@1OB~R+0ZU_qm<%wV@8-b1H@>?q4Q?otr%?@8&)(myyAkzh})I3+o6g z3>vp?id|Bnc^{ShMTc5wsJ}(7g+H)FVLrZS<^&%XS!4zMtIV%3<)Wo?t)6bJ#b4d# 
zl^ZKcMkSp}y4SKl%y)-LN!*=C=zYD(E-=G3mSGm=YInOvZH9~*-%KX^g+haMP5nSe%z}?aQ`XJ*3lvE&WzrO>$=ke1ycW;u37(nXa&f z3zl7_ZcD%tq7&>A($Q2FOD+@pI{Rgk!&I5QC`+M)@kEwdGO^=X2|Y#SlcfQYCmSO% zuwyxo7R+Ea7xoX9(s41P$2b3=FX0?2t7@ri;|f!&}e5y$kz zheodqh)=;o{FhppBqzHQ6bT$+%(T^4DY=BS=wWZrPxCBE?zYPAr}mT;U()jVWc$R* z!>qIR*$FnPwzUrvBA)4uyZDq`Mqkc+%o4V`t@i>taY~GNM@%mZ4Sl^Gfd*;M8hl9^=jpbkHA0DkmfV*H!*r} z{-VId>bm}G@(VlYZ@01IuRjSzBaVz__Wff0>7)-e_-9oK-0V(HqG(uDQ9NA5~4_h&wHhj<%|ohFjE&$;ZD=d-~x_b74R6 zw~o#eOO(p3q$d{l)u(f7LmSRhnCfX75-KEplU8%}=b3*}JU*G>Jl2mkA%`8`u>4S3 zvYRZokZHqTFFpj3g(F0tk4O3x*^UiP2AD7)>_&#J3k%t&40qET{+; z1(QC0!>k^SO?UeqIs4@oh)$*O#8(2(jU?{a6L2{1eHyC5Xi0D0SFB6q;CcMy&VWGJ z@Z16g`R@C-Z13H6zm7QG%9qZ^C=y-CsCs>R;a#N2n0soXAwymF$M$+ENk&b_{KXUc z9W!=nsY*V5XEO$ejV(EDGCefAvwSbs5@Wclk^WTEd6$jNhxx%}>f6tXYcfa}$| zh$;1+HA@L}Dtw{n#Wi!h>c>^1*;}o6M?U<``z#g58}nzXsr7^$TKylAE@Vr(#7wp> z$ly9IDc-W&OUA28Pg;NT7)toA?4BR->7wzLu7+w%l{B-wM*<)HNw5VjLp^$Fh1Vkk z1U_&|R1ZIcCdYki2v(=*TjLRkdGjbqNlqhohs-1J{fQMy(HV==m+3EWn!wK(#HIx( z#8$1{$Ew_1x6SQj{Kg?)YAN-&v!H7Ue~U1443FNR(8pM~F`{W+s8(FFCR7^@XUZGjn^7zZccC_!B#F&+Wa4E49X31$qQr`w!-qxJ+!|@HL-k}FW3F`Zo~@)Q3X`0mraV4igqNp z?RHVFpL2hqGNjn8l+H-Yg~9lGYFj2@U&w3v;`M0`s+5sY9zLu5!0tQY)s@pmLFCu_ z+?^HJzdAjRxIyT+M}6xJX3Ttn$;;_ry_-F+o+HF!X&o<4vX@})F_9AS!B><&ZROxJ zGB{Mnic^d?2yI~98T7e7%%2ghaE|ab-Ipq<3%KfK`l8YmE%q^zal6-o;gc-TjkF7q zJX74!4twKHwR{%`VwHP^Oq3to|K=PA*|hL^Z}7s5nNoCa52MMzTFN8rb=Ve5Xh+x$ zDC=NF5le}~+_|dux{0cx_3yWrD0%XpnJGA!@lMnS-tdc4-JG^TGchE{qf7WKM!D%6 zXS-?9!+0*3{Pd1hKO>(Md*lGhKrc+hU! 
z&}Vl%EWVKH`5wBBMptKQSSgbsjkQXGbTr zrwZKr^~hB?5$74(yfKk1bqFr5rozr>CuzAd!40yB8?y;2cRXXsak#}|2jN$35w~g0 z8!IFqT9#?vy3ZTA?DQCW>C3o{t;;$Od>L7AiTw%PBwElN z);=>_U?iOJA-{LtyhW{F<%I?;NQd7Wc^ZQ8PiR|xn{ zv3)c5RCM6*FnIKs@Vr-SZSGeg9kiJF1)DxymN%E2u3kImaeen~VEPUPkEc)E*Ub+` zwWRIUF;fHTLSEIIXab&#F3r3f2?C$3tltE@CB*SQNjf3N1GSE4rp0%`%DUt4i>qxz zY2Sx8$DkqV`03$^Jx#`E`e&Nt3#Q@{r~{ess^svQ==hyAB_QYl-?ZY-->w!F^f3_b z3{o5lixF*>O(uNsJeJpACS0YbP=xyoyjy;$1O79F!up@s z3s`Kq6wW)w^l@W;!q$`!XD%rH81EGrBU&M$d$+zGPQy;-c;oy1ldf9NQz_~NqR&2f z)&1A>tRMN{?YFyjq;h3pC0S1-p@gjuwYj?`zfHPP=gbP{a@0J08kri)^M4xq=IBV9 zt>4(TGqG)FVq;=^V%tt8w%M_*Niwl*+qQZ0p0mz5-+AwM*Sfv>dHSE;zwUZ!SJmFN z_x{xpV?4rx7E3Y-3wpF=Vqur<-P@jd^V)J>V-BHzk|-0NEu<#?Q=ZJeDO_;VBc_#h zZq{0)r6bcGRM_z;skTqwfhc;RlH%+z{vZ3iC@RuqfXw5^TTD%Wz>3B%HwvirFtpMh z*pSvW%x7wp z9zye|vV}3I%Ue|O*E_bfH}4w+=4+d`i`t zRx+ErEfTOJo$*i)F-2BYsoq#O(Ja@oB9Lw(-9^oYSQ4)lF>E@lxHVYxQ;CP>sw)Xs z^fVpd78^8_LdXYW54`r}s}hA6&c{^lLM9q4QVv!PkboxBfgtV>*YHSgA&Xvuygvod zItjYY#JiJtF z418-aXe*{+G=`*T!Ceqooqr1}24N^*4)e=|P|r=~h==6O7I%wG_a=>jd)XIOo)+@l zLCMIN>6b9S2SD%jDLLufEt#Qqib}ThPU(SfwzYf3K3ZVYN=GcAsr%wf{o+x}w&dXW zP4IK3v8?;Rc#rZbpGE#yiuGI0^S#7WrrRjv{p>P){VySNOEm(z;5skxpLEgw(>QTyFfO@nkAK$L4DuDJQV?UpM--5|Z%Moe z)Hd2fPqs18H<{Qyr(d*`$-x())~*J3ukM?;qnnCqlr7cLWS;Z&8QxM?dG(;fi{2hJ zi0xu7M@LWAV@{0aKeNnfzj&@KoYfa;ww7H?YT)dR2e{o4RZ%!MYcnfH`7n|C7$5h? 
zK27Ii3h#&;=)xRZSxn0Nqb0j-5oSY$p+<1x#C#9R|1G|= zJxK7wBL|U}s$HySZ;%qEabT`;A!F5S5fOh~*vU;H2Y7bi_xy}$65%Q*$l|=+Sk-HE zEyf33Z2|PApwRxHQ1qnLd5|sQ&4;8{CZ%Ly*_dZYnQTU|Dw-l&X)`tM2>2j7I+|d} z%2;pKp$-i;v_B!PdnMF;d=kv+U%Vm5fFC1BNXx|?;?oFL@P4jxZu5=jo z_?bOdnp>{r!9fMxXXBP_rD`1~+ClKs0|!~^N;>Rt8gak!nF^tiz5=z$*x$`+hr1KM zk{Y-%Jqd|I{Rj(*@=$N>*w4ft%UGjerCL6`Eb38bBMNoPy;4#vkauj$kjiyaz`a9n zcLh}0HLm7*d%xqYlD{%w!%*jBUaEhX;#--FG7Rl=zeyTK7PgLkOSKaY$EU-Vq9iQS z1)7r_qq_hG<_L}j{B+=Pp&PnVp%I$HjjSTVi<_Z08CDR)HiccZFgFI)v;XE1MWpPY z!Hg#Mk=!#S9r7|1ijXb56gDy>9WpY+f=rns6GXF&Po<`%A&r76aIj~cr0HB|u8`*v z3zx2obGjQxH04Sz;KI6TkDx|20mx9yfqnoQh<4BQcgW-Jl)TnTD2r=N&XKUQ&A6@b zD7UN_0y|heZgq7Y7;=9&%*KQCxijrZpH@1Yz+UAziUlv?AN@w0!X&J5Q0>^soM^fM z+FDjINY(=_CA2dba1d)(gn*qr_@ux1yGAQ)WPou{*}5klpvfX?!l$s>y+EQh1{tp} zK8k{^z|$ltXKPk(Tynt+%H~Vn^y3NW2Wz9elL?u@ZNA*K0z4a)U?w@L{0Iz1^}nd1hNJaD@}?lS9CkI2i=H^Ksf9W>w3*OCHb|T+pCb*8d7KRQ`8~b#f0J@w z@E)2RJt=0_W0Av&=AkYljp!&sCD~P=C&W^_b7s|S}fx~RKXC0BC&K#)f z=Sc!g%-JbD7797Ruq~8wYI;cyU6~|NFa)F;I4U{KALrHEj1vIYBqE7=21C}4jx7@4 z9`t2OliWSkb0Chf~{;Y3M+}U+fbU0Xq7AW6xpNs`{(uhS3;4h z6}jqbW7TAGoVPbQ`Rr9uxGpLtU(i-L_?l=sHW)bPaza9ISD4}|>kyCyN4aT>@}i6j z!y>iwWOg~)j;KBl`i};Gz2$1LU%{=DvKnPkBR=m>h$%D~Dia^}$RZDu zIRYQYwgR2y5|Hr1aTYrv&X)5$_91ga+a>)5U7Xmj;%8 z{cy&?V1tth_u*Sl$W`)xj=R?GKS?3))y)li*XK;?rk{XlXkeWbMf6<#AQ(Q6UJbnb z!s6WnOePhmJyU73Hr*G~s%lSx87Uv*uT~03>m08OjO6CjTyyGv4EcDVS$eP!Y5Gdu zh%nCeBAn=ezIQVtCyHZKB|(2#o2OjKopg>``Hv+RZ$h$ZI^A0*C8~lu z2jW`UNGh@jc{#GDFG~k24cx9mD5s4UI&^tQR}G}!uSlrL9!^(qXglRisNh6POium({>l$U-zB*Sdzy!yP#2f|XzNwd29-b642Fky%6iYy-5LIv{W{qi9!z-u zP>t%)gz||t!qeJ524dl3%+x}`Bz*JW1z@qtlv zzP~JzvR!Ak<7$EmZO#TmFWm);9Me%UNsL62Eko4-T~80Q+=M&U`g5f$+^&uhU{ zTX%!LTBrPnVI-CVK)jVeggv6!eleXOnxu^_Walgeu0K1XXDLi~;p5f`qdNwR&%~A> zdTlCdL-w3iC8%dof#_v*$Jg_Ydgzvv!9HYVCZ?7e1%ZNnzEPi_q`w-j72ld2-aW|3 zbY=S8z5g(!BB)q?KRi_G>`1O#F-)2r!Jntv`;BYe?av;i5}&M3D$vFQjRCGBWIe(x zU6Cz`Vg~?dsiARQTWI~1J3mJWl#d1m4O5yCUEN%jaBYrhcxfNETuRI2k@$w6gawLs z5^Krv(#$?0NTOu1&SY?;oLtm{_C1n3i#ksFyXY)7eXd&#pOnM!{_ku0}1> 
zyn-8z)*=<+>fEoODRWfsE-FTyBdN5g*L{xhy;GT(psTXd^WXO2G{U*CB)D^pb*azj`B3#uzl9rF{SREi4xlZj+mb zM0J-m1X3VbH-tMyy^czRMTs@+KGVA3>du50Ug>#dcT z*f(~J%E;eIcGF17rbhzalmLNMi*K6ukZCbaLy&;=mNZ)^--|6%v8w_Mf z40O^Y>vquEyE*a7>`cz~_4^srPc2q-uDu?iU zfFNXM5XMRRq-qC!=I5kgVfx^at8+7og`V~tVwfbbf43oWJG%(H;zD5wBz`s}wee~H zBvhigj*xFc`TUW*_Bv5yfIqh#dM-cT0R&3Ri`g2=(p-0~6R48WolfaW&!*Pp1CcYh z9tGx3k8|I%m!#1lrJ#=~>?{In1k`+w$Rxi1aFX7UHrf9h0qg4i^|1;V`r4CAk(!g& zlgA*O%;)D1ky9*HQX+YxZ>F;V{?w!hLK~l!er?Si$Xmx^(t|Kg#asr5JE2JKcv3T; zhNIKKpCvNyB2%CwGRoy`#*}LB^F+6>)O=)@mQGZ8MCxtYayc(5!EmS!Ku`VIa!!&_ zV1!t@ZPMnr-opyDFEuP$W%(I^vxZ{RK+^BDTKK5@EN9C+?cFaeqEgBkfPuU1v29%K zGT{_$4bNc(lUC6^Vam!Fa|meyr&P)dM>GWviU z0B+P-^M)aS_Mn7Sa>Q#knTI*CssWHcJ)mss2qXf8lWE!AhVL~glX=h}7&aFC@Y9o${X zbZO#3&AP4h_~Pbo%SYMrx{Z4t!FvId2PXCl3*8Scis*y);#r@{K5Gr6i zt>udZTjRJ+=`_Ihbeo*3@K|>yOyCNefy0IMRx-Dt52kMyYJ0`S_vdYCmVmg0M+LKh z*vQrb1zp&7HlO2gfwyY}&k?jIxdE$PNn%K1F0)02+k&=zx=|FG7l)YQ;VvMI%-(@m z0+d19KkH8=X^~qfEnB(N=6C04k1eEY{MUKW+sEEul15R;OD;`=hE$xWgq&QXH}4v@ zVWz{rRkxVmgc=%Wu3TpG#kxkgE_W>ktgy2Qr$^cO7PO3r5Hz_B$cee>-8ovU|7HYZtd zR=WM&h95c%^>WwSuAkD2PA4TL)+$m56(uyC@6$?U@dAY;%QWHEXIUraJbV6+=SKC> zdM0Y6G_bjWbBa`j^t}d;_wjhJh6heX=V>c*roMM34jaD%6T7$UUSS= zJU9$eaw8wEu=A1eal9xg*cGMCTpLfD=zE9kfOC)!Em*9{*4UGepswZ}=Szw)6$q#- z{liZhq7U^2WvGPN>-gYq*hiX}}ZoJR@ zsYlFXdPD$wL%DXzlMdxAR4EOO;hbB7ebiQnFk}eTA7|~5+)qTB-Z2veRAs1vp8Zm2 z*^gToE3IZOv(;TYxJ{9yp{MA=DlgtE`=j6EgrCagd7P`TET$>;4E055A7=QVu0l=? 
znOTSGVV!Mp+Mv$0vy&5@`W04v5ZSR5+(=id7#fhdwj|CgJ)PNsUybd2F4ks3Lcct{ zNfib333hXGZ6@V&3{3NED?C6YM}yzfjAhQG-N^U}0AwC3Y)hol0sIZS7h zo(T9Tb;@rMz(IqQutk%t7ORwq=zFppM$C4ul?Za>;m1-bODO>@PnRWv-h zBhp*Na!fOLNEIjI*@Rdr$NV6FQY##=;r-pC%Hm?`Um6AjM~{WCzhxOk#UKjcxx8<5 zsN~+9Gc0Vn(Z!tuUB0WM(=3(tc+QIGx+q`yrKe*y@{{nB`os0d)6R)i*=JDDsOCzQ zrHK!RR1L&nW6lN% ze6*(BN=>%uUPkXr_Hpy|j0(<yd~AoY2i(Q*e95+N8S?ew$tt9DmG?NC+RwftCG~rBOYAf@cI=@i{M1LeKI*k@fr0fpU zG*f1JB=<0CIi9{v%93+#%p?bJfAJ*Nsh-_*QX4G>mKi(=Pt!p z{I5n-r{kfpC~U=Urn7Bn;h#S`vs4g)Pk#0q-eesM`&VMpP!G3781VSjSibm@*Zl}< zUS96|$YC+3AnTS$e0v&4^4ETJCb}*+F=uJUp%C(tM=5RN&Y1g5V5LB02%~Z*`pyg= z5*!}&t>~!zd;&k>r-}KN08oL0iEE`0VX}({m%j8xpWV&wooBv-`+e{HIpUsscbO>A zaTRXl=w<;u)15a3OmGmt$;vZwhT>QRX&#&>gjbYxa_KAuSPl6>ey4zGk>OZnOuQF@ zb5sQCyUzhq`zT<)qMUl-fvySJz$kofvVoV-^ zY|#`=7l&Io?-!boEO0qh(H10Mtng>*p^&&Z8qT;&XU$5`K{>Dl-1aF4C0tmjI6G?; z5PG;acp2bvvOEdKx0V^$`{rt_2h^|qHpkjR$urW-psbG5u`FUt3}LpHUZ#*T;PFN+hUPYay)AoXfMnf`CVlY!yrkH>fmGUHbl$qccJcbt9-G#p8f)73JVN%A8v%Tvfd$8Jg8dd7g!S-|cUvw;Jr-#_~$XMYwS|M ztnnBJT9GdH^3HhMSLl6uJ#3Oy|A)=>mP0WLm(<~oUZS|@;M$}8Si3w~McNi-R&msG zAm`Ipd>B*MfZh;@lc_pLi=6XDIHp9>KBhSc&!9ImvzA4$uts5){}96ib<7&dT0|@) z9~iTe9;Izu*Zz$73Tmnw3K~{;9@p=}BlUCX$aA)Pdz&XsZK9rbda?alQnLdwTnaat zjJ;meD~2%c z)GAnSi&M9n2eStFT=qRj?zf!|ZRh&nT5(9_UJJx`ExD z3fkP%db&0AVW=xXhZV4WrSPc#*iV?C`9$g;3kL%5K4>ZxL-HO)4JwpGZ@F?_CuafI zyY$s;=5L&E@l&4Qb8XJw{j$_lt;Y|aKX$5UrWBy$TGOwHk_`uJG_sJE=s+DGsR6k2Mol0i@P-viNVQ= z?jM1%0S>ewR@^m8(d2Yt^aHj_QZAaum3{f9Zr*`Pg5=!YES1cU24#zcsHL*o)c`Y} zG?FEVvftfSvCPeHuldyHrd=OzPBGA1hVt;emZ>N;YB-feK5u`pi9qMm&jBGxY$(Qg zz7Cfb#0&5DP|w}^$Q^z0kQ(>eY#Q7moXG@XR?iV`uj;-0Rg4acGOzDUT6<@TyQpll z(k{=T9Gtn1E;bkW8|6yAqrmX-(a>6pWr*fcjIG?2eb8YC#JHQd(lKWjn=sW~f}jeW z_a}ewXtKyajNYHUqW-ao?PRjrTO-vNoPKdHB~F~B4;=Ast{=kH^={TCFp*D74b z_;B7**QCXSG5Sf{QYSip^JkDgEo#C4Xc<^sV(+t&)o5X~_ZYdqUrrq8oQSnb^nXlA zWkh;o-vheZ^<%&W;-$LxICKf?=qMi-rt9!RE|jDuZU0#!{DD>2MPd+19=o-HqV~q_ zb!^QvloGpNUz(89zw0xu(EnDOmW97tT3c@!VsRi3`8!pQUO8oIeJ>pl{fv6CcAY9V 
zBwv=-@sm>h1Ixir(}2xrXkD5`3u`1rz`#Y%tdMbz#TUelRf^mK&AwBtIVcWwn+^yv$_8e!O&9O&5ZYDyG>t40XCTy(8iy!@uF6zrOS>3*SL^VgQiQS z?8t8Na0vf>tG-k@24MC2$3{nf1yaMb7S(!!i<2%zhQ2CeW*$CL${V06sQ0_`2NBZjv&AQ*e|V&n$RCmJd2!{O>_?<}c zmV~WXv5gm{IIvFdbO)^(PRf6K50WGhVloCe3nFHRy-MCwCzsOARN=kcDYgbJ62g;S z*D3dA=i_yD&^IjR^Kr4lGU-N$q48wOPDUcekkalW>g2kLYb3*$=IHHdc2Oo$pEBvg zS_-)uo4U+*^+(@nJ#-BVo#j2?!7#b*a6MDv%V_y zAg~JdR=>ZANU5Bwte%I(^q1PtUK0Do>a9bXR6P4)7^&Nr7b}qSV5=3^6$OvXMYzVf zbrhjvSQZMTX&5gs4guv?j_^MCEYAvUiurhUiUrj>cEw#@Gj*7vv zc(0<8Dgmo+S-BNa`;?KS@}%Nw+keeMu>r@0ZxbFIycORI1xa3WiUT~v6)4a07tOJ( zKOoU%ZS{hhMmYsjXx_ceGJXMDz+;PftH-Kk1DlV#`7kApMIE>$VOAUK#01kK${S9L z!8ZEM>+;7Mx`ApI99UQ!gQuI}=CNh;$r2D*Pi*`NzWunuF%EJcz1&7-ulDTJV|HI} zj94TKis93_RD3p9w8cUUW9S@i2tb#uM+h@ex;2tBNUchY5UeR;gzT8r@GG*~j81Do z5rrtg3szOR(ULm1#YrVA^eY+=a?d}7l_o43g~EX_OCgejMXi1b`c*0;^#&n>e>m}M zL1O!;Rgfd!Io}mO098?t0LNLTeF+#u#qor-eA5-EoeUjK32N!O5)?HASG%D;kd%zB zE&moX*Dz5B3|f5E7JHH{(>Fn`caGEndr-nIj#^0JPs50;sa~&N<>H;db!nynbFZOg z$`{M%UWcouz$}VD!zp?m0l0Fa#fIl{$G%`9b0AQUG|JX3<8$p*kiwxjbMyR$0w*87 z+mxL85kcPUn!!y4%B2f+7<6R$UMg<|=G3de-D-aSXEDF@@~8X^CYgMm<46-!Gk#b& zg+De`Mlq#(r6eiu?_tN-D^ijPC?N=qDhV*FcM|z**z7f6*UR|{Qlc$!OaeaN3YHrG ztp^%?F(D3+j{sjtZaE#zvnL-IKH>en8WbH;F6WG&C0>z?H}eaSVHE{#Et zu#C(B?UWDSg9LWRj8$yC+w3NTQ6lzjuq@Dc(MqRg!ZF|fVw!4TCR+xnN6_r1B_K33M7@Xt#Kb2 z&u3VhQhYf#@g>TO+#Us*Gxa{b3Ja4bM7eLVV3xQscow#xme7CH zP1#_LOt)$c&mJSqLjn7VgstO-)YVPM2szH1<{NyM%cz-fy8(w3QAhOn%N(g9|uPfhw+2c{=@#{^PVYQjI=Vv80HV=Z$KQ+n93oBx=1(2vv3Q z@gO>rJEW()7pG67I}g8fwcie4Mwa%=zE{BxU9obX;wFV<53Z#|2&Z3WEw;~rUX_u6 z8q1Ylh9H0B3SLSRd=yqUUucBmZB8++yQ?YKyna<1v^h>TblN1>@`dG0cYwSNNqx8g zVpiPOUN0_~d7a6d{dV<+6u=H^)xD3|TipIFTJ14PrK4NE!Rs^SudL*q`H0607%qNZ z4YAw{Xm?%?y!#)!3m174P03N~I5W{Zlo8>iO-$=p1-XKDXhK;7l-llO&;dkR5=~}G z?-X!s3Y{PlA-qNq4t4W{{#3wY7qEYHv0uotG4p;>hTyy>C4niGt77#lBwf&`nT0Hn zcon~5JH_3?3**lnQUo$3@;L+Qd92#3Wj7BL)51i05`@~72X;aLCCBAkh9zn^CmuVk zuqU?5OR!v;?C&E7l@B`@O!Yja@MrMCe`bo6XhK@^5rP(9Tv;C_2R@ezMD?71O!O0~ 
z7B06tq8I8|+G)9|(Y!_Pzn<-QH?@xuG;wc+zm9PH0H-NqfCY$lutCs3dYRKr;2iI7 zl@P$7-j{OVch$K5iLw}vXrT*QoElAQ5x&aDJR#_iwbIlH3jLrcz^5+E1JP-=|FCZ%E1dGkGIUd z)L9nVsY{^oru9(WoXl6fVaN&XO5(`fIM^P=m$-QlA!rIMi7s8~qlX`|N46MHW`^~z z{*Fj6R$a{a5hgcZM*yzljpjes^_wfh?(6iFc>@+84h=f2NN1u`FIUclg;2>n9wWu_ z$yD5Y9FNoOLEf*eqd)zq-K~sqU-cgm_ZJsymMYQpe^4`YcUwyS6_0sjyRzkZQ1SbJ zR)56p4#nO^(lN29^io+`Jig=1i%IZia>|EdgQzoWV>_k8b@zHdYr~)k!zzsbc>CBw1tQ!MF2SVoveQSRI1QBjCZq089Mt1+2J_Kn7{$X+2N!6`O( z+mJnMM@`-pC8rKGr0T^G-p`j3p7iO)sUD&30F=J{^b4T zbk-;f9b`3sIwP6h0P(=0Ms%o$)ftC};8S76jK@@N&<=KZuh~dV+E|^zgfM}%J42PZ%+%Lgo(pj%wg|d6rDke{6=M}7z#-c9iOdcO&Q(FNl z9nthnf>52Lp#GS{u|pX(l})bW<(BW{4B~Q$2h#}zo-(KGvDk~TtxcBPmN9^>lZ|(b z7}gv(c5`znp!B*t74p=P*!^}~$VT~m8tu+Z9! z)};>{qE{i;-eIcQmAVb)L>s=^6B6cBS=Uv65tyQ95vSoVS{zVA5sUSU9!qVZy8`7^H3%R4roiuVvmzk#~9L?(qiLXIm> ze2GSj!d^KYBh%(A4V>yO|mc3Y^nMCSQsEn1W!KKPJ4RoBpKj!o(;Z7*V;%g zUO!=8pN0p!?EQ1Er;3NdSj+sh0h-!RT2#*lJA9EJ{8c9k-yPU4<~iT!0b<7$Uc5+> zdQaVM$1tYC7LqOrk6v2BJM63Aa&_=ic*fVUy=O$O=<7FfQdxO&%|hG??p@XrrQU`^yf%wc$x<}TsThK4!{#pp8cOngU_(jGP16Jteu@Lf=_W_R1ChfAn{A|894xQJ zU3mCV#TM5XKL$;m_$FMM^7noYqRY z7scoFI2FBkI8iVwHu_}KZ_aTJH<_|=O-7Apch|q(&7e^6t#p~UhM0nF`bio)_K@sv3db>e zVWn(sHK4@=n)<}C(Y2>wHTWf*isIVlmz4{0VC>?bES+hUQ|T_-=W2s)!_23eD;i4P zDcgT!-P6&Kosev6pus7mB`{srAuoG{u(+~qKHDMkC1n0e4m}MTU`)KgZ#3e?S&wgn zvsnbO7T=pn zOv(rK!1aAH_gW!!+Z2a9XW74RjgnJ)GHHq3M->IUCdV%dzB!c^1(45z4T`A^vjsNe zkqtavS4}U5`wAsLFlx7&%WnET6FBsf9|(lKe-gfMR)7+|e3f)Lu!*R;Djtf;2+#(( zk%#Swb0Vtt`E(IG$Lvyi@W*5fnqA-3;ghh{Q8E_(>8)uc1VdpKV0N>6%~u<3^z0X( zX3LrbdPvU4c;V-z=uaG{3761*TUrd%3_E_S0Nx6u9hIs2Dg_u~v-$~v%01@)cHFZQ zKsP>M2xr*vMoWL1F6YIU(eiRUoyuKqDt9F5)Ssh5%IVWLnp0cbi7=sc5DuypOvQtM zeIfr?pU7r^{gsV#W%s+wZFcWGb>oyj;7~~_9Z?wH1usCQ{8o|JQ;){ecUfFqjh7mjTeu@Z(*Zj7A|BpW&yGFvQfPkdag+4vyiR*uV+xqnMMN60YCEf)Xn{EO|b zL5LZhOt{gt)0A(4Z=jT{k0Z!TTIzsRnC|I|y$gbm~+DL|Q~WdjL46=L4sZhJGcs8Walo+7HyZDar|H~M#C-)O&aYYzdZ%vzT)}^( zy88ZHw|?|kCznSRV6Nwo<RMl>L}vkZMaQBtOZAT?%hxs6VEf-Fmd#eyon`35hS<~{IS3-wTfWD) 
z!!byIFqq|k)lsp&=6oXlcTsgeFOPISC=d`NED#XZ|5a4|k8*0}zsjkjRHq$Q*^%DR z;do|?7ZOdRWepWs;_=l=6J!ReRu56#Ns$AAK>d>Et1p2Q&17LEe29RN+FG>e5mK!a zeVEzuOc`=3MGO2wbBeeKs$1KAyqE0a7NvgAdRBefGL8JnX)j_xBDDMgZL z!v@~23P!V;@XZibJzun{p@N$s0>Acz$6>WhhuebC)rBa|{;X8krOfuB9!Oz*8fW<2 zJX0E2vOXj~h8qtzpbDZ!}nurLb63=aej!XE5BK z8UD~`^F9D;xP|l*8$WkR*35G>GVcham;X+;Gy&$fNa44rU;Bf*;b0v4h%dQB@nC2u z?m1y=z+-rM_x%uPeGt`&<9*T~S<4^z?Hu|oCw1`$w2D0(^z|$BlWDAq_y&T3n(dFA zGZTk#Ez>QeQ9@f;{ZT3U*y*42&(eNJ7g42mtVJ}R;tBC=kiOAhZ;~Kb1C^n~UH)iA zum=?;)1&x9g`g{r+I#In7UdIGs|jkGQ=4_{x!>^^g?ytb3G^SwtVK9E=9{0~OOsCy zDFk=I{E?L}5(|xNb$d#))YfUamEV&ImP&}77Jk^*g{vqhudl7+NzJP9t1#<(D_6I~ z0t}hFSTRZ@I4V^whn^<|q8J#eO7MOdG3SLSN9I-dZ^J6U!<>3x8i~92L0|^L(-U7Y zs9)tG(zhe}MEo|b{EZNXq-6@OwIC@L3Yf-N2fcMKld4kF@9w*Qtm^7^N9zR;b zflI;x+n-_EQz1^edZ+1Z-lzKibiVa5wBzaAQf*tbsgy zqzfx*V(9=OKF3<=ch^V+k(#Z|{$%U(xQ1fk6{VbqSM`-+;=~iyDwJ3q2lX~#;D%R? ziY*A8okKN?6bZ^GtbN~vi&+W83;K)nM{uY9LIV(KL+q?+h{gBD;pR#U?}!FX8tTaL z4z*b_w8qovDw?D^;lulnrA8TZxlXt>`!uqu9gD4|PAPcT&F9Yl9@r+B@O@igKtOa< zKtS;S9N3Od?p7v_e~spIO^uixPNWYS#SK@7? 
zsd}CKLI}A+oI))5z|N>`+V|e{DTpJH4o&$_&QVOWO~_HVwH-fc-{%=``fR!3L1JdhjUER8vbsQU}wTTEvmv!m}U+ur?xC9 z$JyZgRr5eFRm%@gnPw`|h(IjlTDFnQ77;|AHo%ELc5kBcA#l9?2&LosLE=RQs?B;JcII*TlPrbn9$3Iw>;QA8<(T+QN?bdQJy<>AAW@L0VX zyu09qq?R!z{kN<1`)=j5OBxRfmsQ<^fk7ZnY)O6f^IjE`dzRcPE*7mET5QkK&lRz; zoPAn&(ax@Rwyd*WOrh`jYzN(-ekZ8C2dKTbwAVLYd%WQRkCfkD9lkwx7tiw!3uPvu zjxIc^Bp~-oli#t_X^uiB7oboW(1!IXNd%~%Kw5lJec+tj=yNSBYZAa=-nV$x_G>Yr zSw9Nms~8*gm*zv*YQ|rdU=3H9sXK+2l-LaufkNS>c($()h(3gRb++06W9c zZcJ8xNT7CwyT4t*LX}<0{<3ZS3b%wvJ4%7dvxRZv@yA~Q@yXPByyY-ynP`+<>FW8)2 zxICEbcnJM-9--?)KKg$9ya&a54*C%#p3noH zGHbHy_^RebT@KXAAs?TAR!r;gmybjHWY4Mt(pjrs5_BmuCK-!TRHCLvd6;Kt?T6@^ z#Oz8+@^grS*v<*f7+~PC4b3#M?{m)2QtCspkRj8)@n&K5QhpeHeVB4hm5WtAWuKa1 zCEmYc=C{eoiU<_E*XT`X^e)M4b9&hD`?s(W3#1Hlsj!VCp&A28E{sJ0-hNH_+}$>?PRa zbedkM4=kt4JU)a;*CN`uuxaorS}amAL?@cX)@XIVs-g-mCV-Gj3WNM4puW?_LX;HV z304r+>hZ5Jkbz;p6pQj#?DuL)T^5*8Z+^qb?O#*?bHXMXwAY#X)4zX#97S~`yom1W z_dOOc1zZcZQkZQE?U!7`g^IgH*&G7Dw4aOw-nO>mP6Xmb>4XFV0@R1Xy_M^SOeO)O zPCN%hH;B9o#|&2N9sxz9KpKGdOLs9CZ$F%aQFn{f0WSzB4he)64-zd5dX*T&9Ev!1 zNU;-|5#fQwsB;o~9+8yd6ZF5Q!e;T)@UE{Z5Ca4V=*!Fj`X^P)KL}#7;-zgsnBWAf zQB3q?O8Y>VDwb-5f5End9paeKSLr{>;v%t43tab-{C7Ewmb7?9*OW zWvc|Lv!v3`w$D?iW|J1A1F*(U-7g{09^8@*(e>IaG|M=?N#4Q4owhnQn7G2A-2*>W z^`?_Z32QFf`>{xWj;~F^%%x{lSDd{Svt1R9-QItT%@Y^3qrHnOkcn_ftme;N|6(*Q zG%{>(+dTTbohm`&d+y9)EDW1j6on?Yt$7Cj?}j=YC0i5&0|8Ng8FYyMob&%;$T76F zwfu(-_hZ#&l@ab8T^?$xcs|S(8l?{+1ValJuB}mm0CqW#gt!&!tA70bMbagU3rpcn zlDELk&8~row9+vK${vs7{@G--#FI3qi=Lj=(uB5f7-rZQK2_G_J z#s8Vft&ll|!%%x|rSA!wVvA?DO$KDnreGc&f}Wwc%#fn2+J#s}WcrBmeo@#J->}rD zA2Idp3y(}5b5tu5e3w|yuiAwY1;NH2IJBHern_=6!0pu(($ZRAy3}tV^o<5q7YDCLF}Z zE&raYOI{5{NHm70ApJl?4dOZu-NCiWZuameeM^kHHviFy7j<^kl?=d5d56{veXPY~ zCFXCrlb~fp*`mc%BZu9j-MB?@zD#qz{LMm{I9CjmxMPpYW7~(5I-h}1?({nTRj}B~ zE7V^1N-z&eKksH|r(wFkZ8>Gxf$x=1%Vq}J)jp(WO;EL806p60ecmv;GT^lGhZ@o2 ztXH#kCLF$i$~ESH_i4GV1AW6+Uq*c?FU~*v^q>0sKYR8cy4)Wx3lqqQBvy^$03>dG zoL5qAvxdQdfimTDXm?PWYw2`d@Yn>Q`H}gl%n{Ol+L=l-=!29CiNE;eO>&x!$jw 
zfux~DYL{bwPzw)$HUQG6i!@^(T<^w4`sL9IMH5xu{e(tL zu-UJjz#r=DTdX5U-HwF_!{$4i4JwK$l^X$?V~3AraM@i-a(tocbc+h7S%qh%yVk7T zn8f~~aeUETy5&gRVwO^}+G?J9-b%v)=%lU)SXMH9*q|as6H;)6gy_*x44x9h%CXi? zd8X%BMcn1F2p9^w2b{aibB$C0nEeU+h`v-owI!g~dI!=hoj7s==E%*qVF-xyh;X>| z0;D)4X}h)!rsNKu7#Xmzu_WPa(lpN-Xn=fsz)ABC@AhNt3K6PuFSGZUo+JPDriJl! zj@X8f+2>2oW4Y7HQvxs>FKzjka|aB92Kpb)EU`gZiKMS5IsSDaeO>>0`F%ZQARuE~ zBLxRrJ4XfsJG;Lg?%$<#-n@-r|N7>a?jiq6^y||Pxc7fb8`(OT{BPp5qVQ*F5MR_Ut0sXhf{|@*c5Bl#Ye>c$ojRM>{{STD?nCpKR z{riIUAJP5=kpH>7{ax_y3&ei}s}}$L&;PYt{9X9(Gtqy91D5|G{QsDj{*LqaQT`ts en-!4%ZOki3gMVq!Uu!ok(EOJwcC3Egfc_7!>?q~{ 
diff --git a/spreadsheet/macrofree/waf_checklist.ja.xlsx b/spreadsheet/macrofree/waf_checklist.ja.xlsx index f67d15dcb8ae26e447dc18f5982c0fc3f10272bc..f94dbef82dc28f29fdeb0782486591e741524a53 100644 GIT binary patch literal 204812 zcmY&;19W6jvvoMJGchK%C$^1_lSw8M+qP}nw#|ucOwh4yz?ja zXIGuQtLhvDX>bU15D*Y(5DQ^w4Y46viNw!u6Q39I=Vf56uV80wW6z*#V?*y^X(2l$ z3)jmC|7EjV(WyB#jGzEfgf}d!V~XA}u!+ht;Q8VVg5S#3br?5~K9rceDMj>(e%F$P zc?dyZk>r_gY&174ch|j&3FsS9i-S}^NC4iKXSw7P$OO+ZzTI4NG*2&P>^PMq^str@&|C_>tZTL7G z=%?*qARs9JcMAH}c833%Ltw0qxj!TNKzG<m9NlojJQC2?cX%R8h(JKlK9O^=U~n)ov^4ym zJJWx#JJa|PjmD1dRXzXlYr;Lnoj$}TPO{e$6S-aC>M)Z78*PfCE>oL0K>4?l4z)_2 ziVpQ%C6bCt0rA(nLjEr>^Rt9AEb*%xw!eHK0gh-?EKS|^uTL2}JMpRZnCFG?_^3ow zQ)x-=gSE&bdh5l@HKxFo3zcJxI9OxPaTl?)#RQ3y-lr*k?%=7ifC30#5Avz)qC`qo zKJ!)PAS>FbOQw-u7CoY2U%wAbpTl`TxG5RAM=3Qb$*{l~azHjNL4o6-?Q&K{Q`=ne zG-Q`IPco1nGe3?bjC1Re-*4;PTh0b*dGGFHawejn9U|8kLEbz(&G5Ar)ArXWGfp>T zZ0j!{Of5?j6*Ubf?Ya#Z)3ak9Mt2Cw!6PO42_k=4SXAt0pX&}iS!`RdaxAR|+2jaP zY5$VR$^g6n2i3&Md>UBl=%Ln^eEWj?sG8!<+R@z$h5PuEL36nVA`KXX`&a`sadvpy zg4F@`EM=%tl$bt(B`~H%vQ5jW-{lXOCC7joCr4b0VcnXo<8=uw7fPg$7$0-kCU3WE z-GXRw;LxNIvEs*rMhTMlMi4-UIUO?ke#6^|kUn(cDL#0-O!xNRuDYb>leUp`Tl_i} zS(SksSDT~1&`{;0S`OiQb-H{LET7H)`u3DBK1KM>mF=!{jyf4+*s8|wc{7Eilh^J2 za<#ByJ>jA;*!{X!p6vbl#C0c?e+P_Dme1~Zd_U>-^0M%0hTx;@doYzEZ4--{md)w~ zLqLlGzj8u-fhkIZkOMIVaZ%zCsZ zHPYdB?5g(d6O&m+g7!xS3L@G=uX0V#O(uQ=N3eRc)0D+vW=z(9ZCdh>Vgo1%cSwZb z^_(dePTQpQf0GeXIt1sj6^X^4&Vd_Zw23HPj?If8YgH~AJ+PVC8!2uO1#_V`K^l=K z2ACRkgiyd1iw$xZ8tx*hhKBC0EBB}UE(DWDg4roqrBF;Ws0uF?d!RPJs$X?p{=N_^ zG!qNc>d(nQ!tH@h#(|H^IY&#S&oG7(KqSBlr_m`gHI%;W>_76Xt{Cr+)v)oQ$=sxildFVFB<$wcyD{@aV-wM0X z6bpOEliIXq7GfA`GdzF&(s?1LX!s`#zV^AsewG1^umQG-B{8>QhphybqS+H#0@Koj zFps%3Nv&imzNAH5n8jXdYiauqInnzjcX)&IE`NAeb8Lyzp{5BwqkcTb7c5wKr8dae zPz}-zxxhdDl&XQK%Bnw{~pr;!6wn#*Wj8FdH#UwJ5WjxD6AP9P`Q*1T&fjy5Ho z{CgzrG#4^dSwDu#j8=d0RT|2fr_O2a=PxjqUk}jpUr{v_47t6sdfGM3=sEK+Ltsa5X%Y7;XDE@nN975k0_p|jW|R|1ecwkNr8F-;&x21d zXz$=ZaRd(Z$szZcEg%{G$s-J7V?C){RF%I=Iu2h{NP-CnoZX41lr4(CL?AVLzmjN~ 
zl&m$uQlAGd)z(P=^!10`dVO-m8pjem6m)s8=bzZcT<5iww`M8ovY4vr5VO(CT9ioW zm8Af{_CX-V-JPS|JLc;;H5wNH%Dtg=R?}O34c*}Ie`nnYE1>Pz&f)YBQnttr<;d@A zz}4$6Ht4ak-?keh)y9JQCZYJiNGVv+YkrRr_t!mSo7t$|WaVo?swab{o7YEa= zy=*XvyTKDr0;o9M6`YWyu1v17?2=%@)F1ViySv#ehBUc0tQNhfl`}La)ks< zuTnJdp3S&za>Zx7Ao(Svj(y8(ypKCmMK{T>q923d?+yT`>`+&;n>_L+xUFr`?i2hA zQU1JNg)b`AOP9E3W`$eLZizW_RcbhZM(rcze9hve&|bIvhaRC|NDh-HfWp}#jS71h zwcx@?vZA%JneRcPpJw?wf+o_w6BG??6`T?#-qZ)&|F2}MDy#k9hQUB4b-sdN{g0A4 zTico2n;058*fae1?Z0w1-)Wh=%2r4Bs^)M|5uaGmj*M0fLC#{Iq)!n=J|YpuVxQf* z@mSQNwgT(|S|04aK0|qciu$O4QO?AVCv#My5+Rea!3K7gzu%6%^-V=vr|p~GY*<@g z5PUpd9`JX#y16|J8BYXYUl6Wi$lp%|XJ-KkquEt%uDjemnp)l6 z2J2*a-A$~*i_>4)huGOa|6{s2X?Ag^J-Dc(oxY>t_l zU4cArZ<(Dv?@tycPYm8=)~5(OD?hCX(sr^xE;HV*1hCH-j=OH7)Ay5yMn0?wHr76_ zkGG26C*M0dyHAnQi}O5yYitWjO3vL6{0|S-I%)%zXVsJB-tU#2N2~9BPV-|gFWIZ) z&5o-PZ;@58O$>o=2f{abt&JOAS*t&uy*)3k`7_)$esaEfFO5{U=QciQU_?)ZzpQ@P zEAe;M@;?X50`bBhn&pe9#vhlF9=bi|;K7Udl7Umo56#g)Z}#q6o#Lj*mb25{t!<(4S+$=B_T4DA{8? zJGbK(?dizExWpFz;Zvo zN`k6|o(ni~`%LBpBa{Ad97%7y@AeETZ0;pj;X~|p_flcI;(|b2N#knL3BDyo*g~|d zFOCcpnVp$UsfV{%>9!Z2pL2`^jn`&gCf92Nf_K)LoPNg}?!>ETJ&;^g z1Xmz_(ZP@(_;i=e$Jl;u=L*~U`&4-ozI$a2A>PMz^!B~y&0}|$fw!B}>sU75tt|Y; zYtcthXXOZcH%!;lcoYA7$eDV0_IT7fhZRXl8zPUfC)6qKFaEApbIjT$d89=TefRg< zsZXl%~#hFRUMZ zaO0PDj3LvP3%_D=x6H>c&04UJBFTfr;sx_ZrXt7*#Umd0ncHI-nEo>|PQN({`zL}d z)deD?Loi;OuFoVKs8y=KshIi!q)J-+}LhDjdx0h2lL(G&8 zakh7$$NSxM_p%GD2@l!#EHE7T!}L{G!VX&ks59wh&)6v|oTpdAkJdEc_v@$fcl&+E zCuvAvMt~LK^S;wM`^Emei#=>B=k87NfA7{YPEErH8xPsdlxMi_LD)_yy3yE(KEH7@ zJ$wwFT#w=NcYK_@nmbiVlul`>#j7lf58BgLSGPf19z}PzmnQn4+MnDY=smGpZ-a~4 zyv^Bp9Gd~)IFHn`J!AW|ZY{3CT5paG2ZU+C>BTy}(mDh5p43_E!p*O;r%aCQ@Vo_< zyQ3EuXDjaZ&K*!yZ|1w2?ExEWz_m9Bt>-hFQbBspJB1GSdd?1Of*jjtdZ)XMW(MD} zt_y}8>}Lb&6H^e(cRIVRaCaN9Q@!q`^I+eT``Qz$^)7G*9ufN2{Z{W-C^R?q(1inI zJa*s?_;b_i^YbNeKX_jlmxLo6AvTEb2`MX8#`9{#n~}cY6-+2Z0Ywb!w2)s8;$Zu^KkGK3)`P3%=CA-q7MOsH_XWE_kFQu=LFn=Rqse9__q4$jxJgJ zFq2}9q?snm_F{CPHS{3MA^XovQ(>5u`z2mb`qdXd1*nsQCUzS)m=gHN$;DY~D1R7) 
z4cDNjYTHVhbw){?OhXZLR+1tqOSJl$x{;_o!#aH?Aa@mjFT%5iOWyq?GH)OHA82gQFQG<;~sF$yG zQ3z&Cf1kyW+N%E1v>%pgUi07AklE<&MKu>8h7`W-G2amErZ^O33)S3+75=+>^8c->YnJVSKYvoVn3q zi-Fb8_nOqI_Fe-WnN?Ipqzzu}InSz_&F1k-Pqz0(qqd&0h!+GJ?C%1;lSS1h?;x_e zM0^fMG~5Gg-DDuXPLAB_^#0IGr+6e8hKQ(LhVT9jOhV{Fs7hBE(CfPe6<^81uHtAk zu+oGluOEclL1c20@XeO#l?Vj@`E}}$>n*dV{|h1%#%w-J<91F=GL#GD8S)K=K0N#nLBtS7VpwVZOGLOIuq+!mY~E|u7g0o3X$Hv!gYJmRIEL7G3K#>edz1r{ zwnP16CMQ%-NJ>F8E7mU=a^J%VMLPx5Iy-3Cmh!eub9S0Io*}TI4qBiMng6{SceJRd zUK!aw6&a5DkULP?(@S4*` zm$h3O{bt44iWjE#y>r#JxkXybLdzjqb=|KIgOip+0pqW=^Hzn;KGwm%g!!jdq73JE z--I2|r!VUm7n@mTBGF;NKiE7T5^56e*RgX=IXwJW zM6*R=d-tP#Eo~aHt;m?-`3%$tkL8{RBxFJM@uf!n<0gf0LI=!(+N?j9daamdml-bX zUdUWfQ}p&|HPIW#Uc9klHW%8G_x;=Es&43km0Ph)^CbF9E(WpTbG&s!=fm;nqO$A! zY)H|&$?3)HyJxjNK!%_;ozspNmHK>iG8R&`!8V-^g@WM<_M%jJ>b}G{iHM-wb4;V< z+$3HzP63RKw{6LDOr43hu!e+PFVU5d7M&{s5TBhMH5ng6L;*Tvp0y2rS+zo2e-4Y1 z11p~|msl8=6Psj>szj^YANj1CkR+gs| zp8oODS!?w8U>^`x;=gE8-eBvtD&pV!)vd$am(9aFF_Y@}9u6n(I2PdftcutW5v`z-_ax-WT3$AX+M_LTG6{gxU2+S+u8?PT{Vyutc} zU61@akM}$CwldVOx@~;FC{+(j3FijJ=W}B5@cbx@?!lQbEj;Ij^{?{Q1leCd=3F&| zJ5F+4+PuG6b9<1pH)_jSWm%<(U(dY-?{8JLl;iw)*)Dk)m~z)iNL~g|i;75AJ{Sgk z3(TAsx#=*qQ!1BQ$axq5T)@?zDvS{{;(ZIh@C+rrkgnMG6xEcv?jp7n>8N%=iZh|L zf7L;9jwilb#j=ytMdS(QYCoL3bh3dO>O9(98`oYa46iJTzb^`xUt75Qvcbuz4*>x2 zA5s}?7qx_@Uyg1+v3P0HNtf5*_da9gA|c4~vH<5jR_d4qP-}&RiF?1Hhv5;ZpQyd( ze^s#R0G(I5$j6UC>@8Imq`Z^apkVMJv4){rOG~WVXEJ04c7Fr=jGlEu(%cC4>TAaS zfld^4=IEkor4Q+k7FQQHoi(d2hB9_`e6n-G4R0qm&QtwE4gOimjY_zU(EArb{q(53 zj?ZkKS5BwdmLC2Gb6Kjh@Rj%q6yFbmICeFEgr3I`EsxQG=PF3XgP0%L7B0cuP$#eM z*|7Rn1s#!kua?Lfo3hzJ-Uw}MCmlrSIln~02mDL{Vg3r1nDYaZcBeKzX#@4CDO=}i zm)#!`ojDwCl^P8U#` zONyu*><{B)9$cC>3E;bp*9p_P&)fOXb_p}YS6?apA)|{Cu_EfX;rW_iW zwl*8QMeW0|z-Y!>-=FhJeB$SIHS!b|_G$iVfDj<{)x+LxoA2W#Pe&?zwmn{+?=)SD z(aj@P8FBr!COWaxe722t`kmcVhkISGg%|Fj5wj`#R8QnLX_XIl9HZ8ero?<>%u)-+ zCvRzo?{{wiS9FLCuUwR3hXgM@uIaP9JeR(G=M3e-xbD!;Z5^kfLIAYh(Fa&mSd&Q0 zDg(^vL>4aNe4_$I@ZtW!rk@*!2iKUUkMapyZOA8Vw0XQK6{wOCr1USI5y0r_P10$6 
zy%Nw2u8!T-S+DVdN})+xZ28T+^7V%YXLk7qq;N_R#1+)V8qChWy_GxuU;?nid%6r#OkS{E z3)N!_H?as_uB2MN7Q+i$7lWV|e|AK(X(GpKrb(WR zr5N9m&9)hTHW(jryH76M63%SGWZ7oRd2)&O2XvBQ_GO5EG=3MhN#=G(7Q{<2=>X>_ zVqPrg*aR7Ov>)yS$yq|vA)f`OF+;cz&s~ph8+-}X%5eL2Oc?bp71sV-K`)St7|nHY znV^--l}tuu;z;Ur3qd85gz_^aO)YX*6hSH?*oi0@>L0aS?n)xccct~AeL}hw`U$Da zC!~Jq-DiZcrb3Q_P7&b5#`Y7J=(ANkOA$~wTEcy%QRsR6U(m48i3g_$htRrWZ&@Cg z*`(E`10416h%LD+0yBD}y^y=uXn1%=86`l<|-FMqvf81O}qwj&ekQ#9X-}Im&DBM z%<~^xFuu&wI#IHm&+0azc-vX_3|3nc2(}bSjw>KphVP%Eb;id1~Sg9t6gK;A(qd~ z=PKf%2Y*=>4>GeOr*E99y>qdTs{3{-NzTp_p;8=XB_J>%{>r_N{?S1U1&`}Zb-rR4 z94D)<?Fcw%nLjR~@uJ+;2(8S>V$K!ds$;G4L+e6FpdL!3M z@`I&H=mgTkMYh$smzh4TRtjJJAo4hVcHPmFo|b9x%8AY%()M;T=bhPRBGP(CeDn$( z-%9Nv19?|PipJHc7_sYuh&|1$c^u6kyxgjN-;QaT&xSj zyl>|p=l*6+c!7kszB=6e=EDvP5!bWY5)Tn|ICjBkn-o&BdgcX0ciha{JAYVBCA8~r zSSL01%`>c1KQ?1W>&&poicla?G?Y-|PcpE6i%g`9veMQWnBXYR|F4?7<0K~pB~&H_ zeP2|Z#c@`_nRP)@Ulb;qtN6gwNGeKq$6OWvQ!Q9j6Fanpr|K4l+5Q!LVZm~cl~mW1 zL;m`HNbmTuC_=GpXKZoU{?iX*RU`JFeh>ha&e4VN>A?x6jM5wLKXmM9595J`*8blaEhX4c;8h7o@@{ zJkdf@_fd6NsluU$X;?k;UQoF!$i$z1`JO$=MYmUD#!0Ex*FMHA!8rKjs8o^-*SORA z?I746U#CKxKJkbuPXq6GMOUi+h{mA3^o5QZp?O)72N{alIHfhWiNA>~vYPdZ?g)ny zA3JR>Ry%%fh84~w+hkD`W2{XbpfOEN;!3lNvTwp(tO1BED=YM@v{zBROhTV%`{$4c zzW6%&x`jIW!OygjuX?l%>jE^hU=9m;63}s7i>M9aoBIm*qASoG+{pzL3}zjH3E4ik z@5N-W&DWnzE-23NZ0g~FMtl7Uu|{OdNL&InV-7%_UdSw z+2%}y9NPLDKkPw*-s4Fz?A+6>y6g3gog-PD>4H>~%`28AWIxkjX*bhh0&MbI8bq9E zoIqL7oZ=oUz*Pg8`+#a@@HwbxCbgn)goXo>T{vDK?{6z1^LGJhj71}9%xC;&{4S3Z z7ok6E9iwOFbl)vZt5`2(L-`LU*`X|y7C9P(^CNjrXgfE7;0{rdoH zc!4^~tvY%`sbnf43-JoEL7SP{ZtwZL0m+!6z0FEKm8!zuqJEB#>hlMb>kR4l0Bq0R z2Aw}lHY?&Qn}n7t{3k*)a=67gmRnLSznqCZ3xFwW4~yC(a_9^-YhXG<*&ATax{=?Z zP1KrC)4oGjX@Ia#%Rth`m42&^R32K1(J~LmXrpt{N+T&YaMas6?2;qo!Wq__-jO!!~avCPFzAhv~C8RA* zTs4k(CnAJvr+^YiRz~%Tq`Xc@xkk-@R0HrAhQkC>V?&h8KZb|sU$e<_=04qWh<-K{ zXJX_Ho9o_IKoCYBO+OSuJSmRT*B&*pwFhp0?3-&e6M7Z9n9ZojDJ5SSy&KgfBx#7; zLO@nKrxYhmob?l|+~+I`GoK*!AoW4uu+ISJN_UiRx(Ullf(Rx z)ncMrY$KlGjvnPM~d~|T;T-c 
zl;cI`eUj-QXiC_Uo#3^gx8Fdbv$yMAy$l?>-m7VF^^>D(oKBaChm-HEXRBiZONC{- z#96Tpb(Kt&r{#SpS4T#1d>kY zyX}ofcc#mTyWl|)ntyB!7DFC~B0 ziL7STe_uVx5hkhVSIIo)-?bF{!6SJ*MgrR!e#yUR0{hNzh86Hp%l6DN|G6o!b5*o* z8)%eVV3DQv#knA#=&Iqn>k8hzJ6C4kRjo{Rp9caJ$;tvXf_Rf@1-%aCz^3 zKOj-~-J+{D^M(%v0)pmGr<#=*GcUUR%DzUa;LUR){dVrBPJGJ8QLHu|I1vtO2%3S6 z-}AsHOonjK5atYUvK^}iAlfQ(_5=2iqbY-7>7;>na}5~cC!m_Ym}n22Fqg>37)tnh zgD3D*5Oe>s^9-3JXMcQxu&sk+Z20TqVcn*xphKv3_lDO7w_3%7OE<8?#RRvlo5RC$e zfGg3^6P1+A{Y&&wzUl064y=HJ!o#im92m2SFS)7P4AKHzAOLTt-5Wm}9EP&}3mM@j zt?CGm98i*F=O=g& zu6HPL_tHKP6`X!o`cdMxdp&r-UCao_Vx|}kt7O#G^zaBs=so%P_(*|oN7H~JFUCOR zXs=zHlY-(ULf9yy_K?K+u`h#awrBZCboe046x|VTG3ih(327#Z_<B(o(Wxr1n}<#bVcAWiLz5;Ed=4fk^(I`9b4sZ=!6pxGMd6z|BY{yFSg29 z{QzC$XlQ>2UHtAcD+wx1d?q>?z0ojD8M6ellnPNgK^dVy!4kt@&HIu)5DgC*Dbz1l z1*k=~GEyZ3&*}QJp9_tND)&pqQLW*(`TPKT&V;fgMUJ5ho+N}nEDz&b_pO_q`4aUF z_tlQd_;Vq5>SI6_c%{4oF)RHPya6HQpoDAmcx)N-;n?Xat0z`F(x}l`4r=jj6i&t8 z;YE6h-y-p`iIr1P+S61qhz*79^XrOyv1Ll|{$(f8p^|o_1Sr%6dU}4B2kb-rkj=1q zdRhiwl|u;!SQ8$+rfhKRw?&E^CK%lhGg-v4Zv2B()@@n{UyI!l$uemUWTW&{Ew z%t7{#?)6o!zBEEOblNl6XVUrB>1A(s3@64$^05Qt>GkrZk? 
zCe!u>VQ}k2n(~=PlEDJnJkbYliic6#B|I0fjn~;y+*b4M{QI z`GI*EqRf=mGOnm4y0uj1L6U#o;s&<>!cKn=FGL`jWiEwV9Bh7$b{cdqH<_JBfAsbJ zrvk~j2Dd`dg#zX}x8pSN1aive%G3!wRpC9-gY^clr>FbJ7{pF&uY|xDZ!pAgUBCx1 z^jrxv<+~qQ&n*t|w}$W^wvo^hImF+5!+bE6#Zo2Aau4YzbIWh%dN7v<7L zixkm3@mf;n5)W6lSy z>WYd}iv9I4b#YnD#fewJRDk`2=3v8>xow~H{B^0s3ZkqHrQ}#lM45g5yt+{VV^`)U z3cya-K}jjxwSsQK)?%dd+i-3f?msw&$x5yIxysVjS<3y^5|2|0y2Jz~Imt=_ipPGg1s$riqgEC2sq8m@af~W3QW3kZqhTKY>6vu&?wXAvV85(Imz&$cd}X6qAI|M90FCzgmv;ejCi~h5TpB zAQ=p1KUZ(yr!9JGiC_UPI%itbo|eD)82Kl9D~sPpXz>Y8YQmMWIJ^57mNN8U#;!eL z_U=xpEf0}F?e2KuUt1ZMPdao+(rIJ>3vl>87Y}cY;3R^rTzSG1K0MCpGCJ5W#yD^n zH|WuXX0Gm8U*(`PC>k>{*AeQ2i}yNxvc><%XVW@GwQyv?2fK2{U0d5^N*}iBO(A_N zY(L%C?mj)!R%O4Y@r9K`HIjc$s|&h>I6GF=BH=+PxfIFiMMFW!;;@A=U0xJXt{^Vb z^|Mhi$|x@*`{8d6OU)zrHz%p4lI%sRjk+XV94|8;O$3W`(Mg?jBd;EPmimGr6WrMz zu2*-2!!oJcT)bGu55c$KF}Mi57e}3SGiUq;dcQWgfe6_?Pq>=nnQVC7HisbtQcue^ zLz4<5<}p%0DqZsD70Q?9-QyEC$fC#iHs(2Ef>a>Ffuv<-%>aLw5wi6wH!50~5-OQm z83{c*0VX$-)j_}n^V4JaF#?VPU<;t3A&3%5jzlg$Vh>F)$zQGkdK|?f^>sCJkquKw zq;#;#Pyv6tP&#>W4gz}k_zD%ND#;}@cc1I|jaR@4zLq`v-23%r}u0etrz1(K#1 zAlQtr0o-uRFvEsCNN{c0+5|q5ibKiMKKj!x{mHKS>dH#KQVPRQka!h6`QO zy9+38aBe13?QZBkGmt}ujXHVV8EXYDpfG=hO(u;S&)&A0Pa047%~?Mz7sgt)j-PsI zIwMybIBNdgxN4a*iE9i`+7r&FaPSW%C7Q?&!kn)xSc)ZOq)r2k)eY1ug*d&6p=Oi+ z_)e0Q5E&!IwTebF%*S4K_x9S z6#BaqX4s&H)5l=xG;=_owkERT|h;Um6sDPJ@V6;T7&9f&bC#5=3B&-)Jf)zl4Aqd z60zAGbIphifni@8h}ue|h3Y$!GDfyb1PH1{5@r8}ng@iWBHM^#f^4l(9P+Nz9-ss1 zYz?kOd{n3Mpw#VhE`;!5qy6a3|7C-|!avw{upUWWXi{5ZRd8Xs{)^T*x;~?%@*+B6 zALNfH)?L|82EN8|jThOIMNMQM3F(kj4MdJq5E%%;QR`B*h$LEm4Tt-)-VBl{Fp86GhpV zW17NZJZ~J&K*$qv%9tRs#N{{ikbm*!6DiciKbUl;oTyN~`-oiQ$aN8S1N z+|e4sFau_t{A}Lmsb`$A=XYi<@|{SC^eMuGLJ@b=TG$1Of$Vj#3Qghc04GP9>KO`2 z+lJIdPSYAaS}ku+aObSr8&X}?__5WXYlT4I0S z-m3pqjCgr+ktJUWWN})`05Dk;Ox3h;HQ{E4W#lj#Xp+%~mdTGWMR`DeBh!->ILg`z{3nx`HYL17IDKJ#h|5e_;M3R=oOMvwL zv?o#`(fhb6pPraJ7s1RTzIMxOp@sVe=pHJZfdld}kNuM#5njXG&x2Bn;L7vY zjJk>vVsc8B7aRNy^1sG=fx=%QbH@BaNjChp`gikwmNttF9oM)9e=NT7y5htWWg+DX 
z-frvKE-d@jUnKvep1sk*MPfsPfC20e;Rr$emynQuv%>X|Q;S^Efmq<2m}1nCcbGw- zw3bK$5?N=Y>V>`vEEW*}6f&Vx6eV?NV)df#-cXt(Xu^N0BC_>h7JCF*itlR2!yUzLCKSF}9K}B< z4ukiPwu+t<*5VE>yv@RISnoc!o|bsf&j5$T7@~Y9Z=tRR$L$wg9|jdr-qa<{5VkAz z2Y@Ow22Qg0*Q@rWV#{w1i0O7o^?c?7-W5vf;ry2z6{W1u*Pj}AjN{i~?u2MQ$sEkO z0al|TGb2$dt>=<{rh_FbBTSWBL4VRg%RJhXM+-|fod36zrArt3t$LAY_|tU1MjDvw z+7s``>!)zhS#QQ6sqfU8kfFL-JiMEKAb8x%p3^epfeWptCdJ>OC^m2HJ0NIdeawgK zR_bm2XGbGu$8(jtrSVRtAZKnLFOZ5c{oKylGz&Gdb1C)b{r6okwhOKTm|e*8D9czv zx_4kG+kz%RK0(*cXHh7b6v*WQ|2l)cTZl3NU?oMP3#%)t@ygXLC{U@yNsgy$RCX!$dBB7s5P>^i8qxp{UIWh2IvbSG$uF8oUV4_JfZ$cH9}S zb@aUp)Ns9M=QS0e4nkO8F!gcel5JwK7LiqBAwjh?rDK04&BeZ%-5FJM8 zWe1oYgqD=zM$jynl3d<}ELABqTZfH=gCXWEd;C`=ka)&zi&y49hO)*7+^SLAZF}a_ z=NVA&6=y%{2S~{~&F!~dI76nU><3$$a`-)@}ayZs>0U$d~HY)imW0V!O1*($fKr7sV#|h0(e9F zC!8noxAJEAZ%P%Z1pMAV91r4tKrY1%-!YtDWK~4BxN75lo{FC%zQMp@_q04ifS4#w z+a)lUxsO>N3}^1Ql#wRNRp3;7^(Ai!HXr^^ziNS%nKW=T2Ax`15d~XOmpW;wh}bWY z45iGFNM%%gjq+65eOC)NCagdK`~S!{bDV*M89w%Z-s@XgISq*1vB;RC|3;n7{3mKH`kHQNw+3=aH{ksvuPdmu8~vQ|EfLI zek(9?SH5snv1J^{BQqR*9N#o)a$+M8eb1HK7$*I}FH{=c3 zIq8@m5$I1c1$-RE4i0IJ33EBRT#owiI8bf1H==xfwiypMuaBY^;dU!ZTy8y40B*gh z88Q-%&>>=FnA;3C>>NO>YVQwx=i?=0(_HN}E;x|!60k81kY7=hHEDSxCiysdko7jS z%dsgL07cv)nib|9QuxmyaDV9wXE%}QKz&g?1AVQCBJu}=K4iulh1%? zL`-h}`-7pB7-a!)je;$L04D_|3@o);D}j8NaQntaJC0jKLYm(#v&L1nYU{~>0CeE? 
zX@c{>V)z;L6eI?Jh}1RvRZrM`%UT`Rp)vOcqBqn$Yhxh##boM0_!KU`y}MQ|EvwK4 z$x%+pnGP6A(^JX+ffxltutr>oDvtrs)ddSHyii<3#>&$Ma>3PL*ZDYxnJS;|P{MJ<(b2Rq z1(e&ZME8Z(czR)q8U}rHy?rQ}1Y>zS|6S#K-Qd?)S4!Y8HK#YY0D-M^ju*bkVL&zf ze6fLUptL@&95b;L!~LHbjNuso#+oOYp)@v_FIZ@zBV(jun9Esf8JYusvO@oR44G0-|DjZ^k1WIubXWaa)H_4xdq>Jr-Mqdrv zdgfY;j^`jKEe=t9{LaZogoyj2^^Cpc@l4T#z^bY$L;x1Gqv6mG$e9^+vz6$~SmGfF z9i1Vae25%P;rJjY+jO0LN&5*ffk3la54al4$!J$o9AT4X1>&g6=N3*oz3+yGmf5;0 zz4X{+lEQxreQ=dHaylLHc#KboN~-1y3bjA(CWLRKZQa{#3I6O~FnFuSoEPsEUFmkS zeno0QH=3KuOvf}qEOu!DXd#~D;TezeA|uqe@wk|cwOD| zJ{(((Z8WxRCymkAwr$%^V>?aL*e7Ug+iL9OJx@QsZ~OkWuj`z>uQO-X%suzaS~L6J z6?rJRM~t`=Km7}V+G~w;PYL_23XrREQwBcMT0L<{4k~$y;j5{(m6tOYQ-4ijpr_lI zqa;(CuCJWQS}B7GLZXTLSB?l)NaCW=m&C^aO6gLI&N%o|Ki338x;MHHw$%%PNON2G zr1>UH5J{r7cEEEFDYopatEwX`AH2~A!5RJ(l5ft}7`?DN=|6_lyT7*jJ z6~=m|YFY`#WHm+RRCv@U+9;WvLjv{cIG{vc-%eQmRc;R`E5@!}=S+b$gOM!gWB{5r zb#2FWm*)FEmTVh>k@KEcwALoDSM9dzXk9SPx8dn{y??fUe6^Q5ga;G0up zUgb#U7+riCRqSK#^v}4H;vHn`Ug1MrFY4y1)mPk3)wq)qCsoE&$y?>y+!?$;UT#XfK@kzOI5n>{3p<`a#tghSWx5?^oN_56^{j_U8yv*Oo5$>3U zJ(ki8VJ$|0TUC)bncGumz<~Q~^DjAZ$R=kUT};Fo z1SVChw5AeQ0(7}AH+-du<5otMXYqOAbA?U$#RIl8iYDx0v`LS=Wh}#E^)AZ=$cTG# z$uTPRRs2kcnYg+~nm902fl9saBA$Cf`(PDwiK2-+KG6U&z5{6FOiH{Il6o(=%E$c4 zq%Ar*3nud(=!(AHx5a(&F2%{sJ6gHggXd!csENEAu8-&M8q5N+X^A5 z^+kh#wVYErp>No!#N6=pUnIz-6wJi5v-ldkmBr;UfyZ%`mJXF#=sX5ZF1zUuI4}rx=ajCLjD5Cv4wS7miVE+d!HxLMeg`>)=7nx&KWk6cZ-8_fK$ESyWu zsLr3!RvriJv9!~K%>h$Cpk?SzJyFk6jEZlpht?FAL0AMLFbosToWD28ap5y#*Sh;eF7#llP$=y*Tx~KTh;ZryU^Ae?f z_Si)*~kGl%e zmJ5NgTo3Xe*JG6S!sv|Cqgaqrb~%yhl<7cD4-+_eNn(~G{OvzMuyx|Kv3tIcY&AZc-{FVHIPpY6d*CLKuC6>$UMwb?B2c;O)UNG?d&H5y+Qy_d^2W=_Ks9`p+Pb_YOd&u?V zyDG$Jl@JT(y`5A!77z_x855;=9x`Z*Xo~*FXxY*w232q|6pu4JDpNdNtI-qh?X+td zC?M_8Tx9fq%T&1y^bCSyDEgLNtHSTaw<1Kk1_8gU? 
z&UKB^l5q=NX2lheyQl2tn1LdM23hwGT4U|+;Gzu=JIxAO3a1(Pr|qTmVwBm_&jUu|as)-zp+*0NR+GKwvg~}|PMh6D z8t(#~vC|Y0Ot`M_FKxx#>ByTCDHamTZg=(GhD^P9jX{CM3+gjIb;jE!X{0#5bQ^RM z@@KlypO+|5E#3F_*4BwbWq?QTw4@-YF zhjCt&oBi8niWis8qV9|{qgjwkB62G+v$7<5=0260k>yChH1c9`L}ALohiR|IF+?$t zNOB`xAU32p3jcnVxuHM8eYZ*gDJfjeK7b3zM0h1X6wDpohU@%L{ODe+6TI>B!P$1s zU*TD0a=+(be z=hgK`V@dkZqp)4ki);ALl_3K_qAQF4DHJ5TIBDjzyck$u13gQnsaU#WXyZ~8<9@7fd~i?~VX&C#p9P9zQml^Eur0knnMBd)0xq=&@@ z)x;v$(m+cnJe5JGYtl0w6y6e1qy3Agd|NEil^9KNRzOriM(?ISwHT=p>1nkn?|?l$ zrko(#9_pC(X~{yJldGPDyE1}dg= zx1~~VtNQdzp(f_PGiHjs?gq}A7SbyOYKaVy?NM*5KHGCHzJ6&sEWwTSerKMa=*z(% z-taYQ%0LgI>dQ~*zFBGY`b>5cD&St$0q%07uqhQ(YHmivS@D6|xP>P%Zq8Z(j+CJpbu3YxKc(%C>Y8E+(e6OEZJHBsclJU3~Mxv|yK_GY32|1ZZn zCi)_)SD#`0Ef%TP;0P@eeE}m#?Y+HHsbS~S3f@Y zBI}6y0_%X*wMv`Vs=mfw?qVa$?Q{CVn)y79I58yQ%bH0MQ(ed7wPcf_nK9Hh|Ltio zvsYZiXi55@S(~ZJbt;P`&uFY&;>o~!h5z_^eW6m&S1gpJ?D(bg ztdoNedx1CnQ)&aVG`sPF()d8u)qO$te8XsJWzHji+l+zEgX7>AEwJQUueTp#2+NcT zc|*^{elmweNXvmFMC|8V1DlI^No`cSNHon-I29&qTA~iXaSGP8pLDQQ9SpzphDO3L zIB8>e>RKohz>9_$K~B%W7=={A8~-W2%PbpW~Ky`fr?4xg+K+yi+v;CKob ze~ef}g`bQc5Xs-UeAEZxPd&*i28UppcyI=vHRsTf`fwA$fR*nMzgu7i^x%$y1Iw+> zvDZD{M!|z=kmbZYdoqMTz6F)A0u%rF5-gT|DzX8y}Ak)V%Z>TJcV!&zxHWk|VdUKd=R3z6Q(1|L0>Q zv+ZVqu<=R9zzr^S8W%IJst7xp_Q(oL=_tNQ80(weibiU9@E69^cK$3kE{A8I6y8b! 
zWpq8jb??6FFC}%rE~AvdaT0Uxk%MgC%=#tiPo^L$w$T0%4K@Pg_MuuRv5p^K&D#)A z0bz$3Tv-R-urmT+Qopq^U{KJN#Vlbkl9kdyj=;b8M9Z1y1iH{JGJ!<5T83xew;qFJ zfmz6rZo2D#g~a_pJYlD6)569@yKo|3i*M3;^nVCHZW3iKv&A3G7A-BDJ$lq0+pd2n zzjhg*IhH~&&T3S__iY?A(aKkr`nlac#|NJF* zdW|C}t0PrP%=2Q%GLW%ZP?9L~qN=uM4h5lSuJlA22L>hmETtHJ3Rz9Zh>;1} z?ml{hLQy7*qCIpr$^5GQ5O!;3_LkHPn(-PD>bkhHHJ(E1u@SdB)VXl)($6E8+N(J$~_{McSW#Z)i4ct z#~mDMDv4?0GGe*=Vpx)*GBg%rq_)ztV)am#hV{r*i1$RG)ceX?Y*EBeu z(n3b^aVzddUOR~Llc#P%ArI!jXZ0_ZVq=pbWo$Aq0D0cEW`I2O6uR6oxw^;0ceT>n zZcs*_>G8gVM3?kHd**{R0HgR=a{+KcP;}@Q1i=Y5T5h?qVq?rySa*a^P zt|Dd3M>t^@GI+B17-l3VZk>MO-vucy|4$?keN_6+mlc|xbP+lI$bs+WvrGXLcMHAr z=(b>R-5DhGX=k*Q&WcvP0xOV{PAOJ-Qy*NCRn{h<%dw5Wa*t=0W3PWnqOrA;$=zrZ zw!5$v@7VgrYpWQsluBz@)fbddQ|v5!Q+58U@7^5t)5X9wK;5sB z^jlSf<-@_~7fa@1C+=` z!(_lcwg#l@Gu1{W1EhWmhF}))@7Uiv^6MtwtDXBS=~s4Sa9WKZ2F$By)@Qjx0eBT>7cjPJ3MAp1vfYN1bR{M%S^p-vJE0)*k&;9 zLK>K#Zwy5ORZ>Y0)ZXj;+pn{H^$rWJaa>>3a=9ldh-iw&Q6qkWC>PI2LJTMzMpBK7viLsc_mozsHRZj^MQD>v{2aaqFU-Fvgh8eYWRj^+PN4QXlpHfk_O8M=0 z0!l$}l1(7i7uCgvJW%f-Ok%Fy^1Ii3M)Z1?G78OM%Bahly1jk4(1`GI6rs_(oR2E! 
zCTHGaUzUEotcmycsn&znr7{cDb2U$O z@@r^BskD$q2v)ZZN!0g+A}PX-JAsqdq=9J*$uqzNy{0rlYA@1;{MV?*nqKZnm}t)} zy7>3P*&q9^K8nCfsd{s_3f|SB#_CI2$P}T zhYo+D7@%scZ;+TE73lzXb3k?MKikL^lBMy<*V!HRoDiyjh&@oe=qsPnsUnl$S!*OCeS4N^ivS#bdpM~m|`v?1Pt2+mF zH*KDe4l3+^0tajP=VZ{EyM3%LUj+by1pGW7{jgd46$G$9h>X{jbG{P!9rX&U43EP&P<| zgrS+>4AC)lm&-*%-N(iF_Bs>TSE48hySq-CdXNe z8@5R4_q&(&ljDQ;3w%d`1?81u-ML&zkLOaRN6DEMS@5le-)Lxickb=dXY=#;-`gFT zwcIAl^0TCThUQ9q@drZT70l&s$hLbHk&FEdSv>OlVCUXsO$C*6u=0M#>>A;>!4ct~ z?*l4*0w3~*Si;npH+X|QIBu)7vDRWY|G#N}Xl10F zzI{nJnO;0^ocVc3J~{OvvfT9tT+RUQhJI@Bc4kAR!>e>%B-+T_-mTZukOvabK=p0i zqRus**%FwLo7!Ahk#8`UZA?6~Y-3Wkfba<8yyQaqO1W$r6)iW_pCKyeN;&SaS#GVC z@!3e8tNkuc?cR3=}>UkuHuKi`|j&@iI8N8fE zPH^nS|EqMB@w-i10a9wtkT}B^_!sc){{F0LO&1#aVAvcC**c@awlI>69<7EhSc9A; z@rnr#(X2uq)I?YbnNg>t8=29tF&)AJ-J1s>eo;E8)BO*>t__1q8jQ4Jw6hSOSmJ&bJI}yf@x=JZjoOs?8C5u=W@KB5f@Kf(M@5}F=+TD$pZmZgnIguaS z?SWB#ylhh6|8DsJJl~5^2@)LnGgWQIGoNDQ*`e3vs-{POCkcx6>-23s<#r@M_frd; zKjxn$9>5013FZk1gBW`-4pGlU3~^)KPwVz!7GK>1lZG6WIAeXeA|PV6U$y4`lF^~! 
zD|0R7nRD_Otzh2vYF?P3ft8G3cg_t_e$h;nsF`w#`d=U#O!+m3V?H`TH~X;R(-v#a z0SCyF_WsmFI5PH|BdY8w1DA$e{T$olQay!g*ew=}|8WM) zZG^93tTtL9hO*8>=QJWCN_eN2Y~sRlZp9(#Iw^p)qtdV&Zk8Ow=)Wu5Q^*!ZFDo;e z8zOF9Zw*}8-a-$_Bu4`WL12S(|9nmk3MZ<}C2$rSO4%mzOP$;kf#`L6t_okA;&|cZ z?g5#*cUEZ*YZ@ZA%r7<$0d-BTr{GUI58OdIyzHTh%T41*2|12j!x&D81b6YW{!9G` z;D@adOys*Z+mGHq4QNNz4dIJA*MU|!71I=oGl6OLsil4xju)I(;+n=ff+?0%dp=8* z?y#hsRzlW;cGRJT$!cZ$|FNB{*`+=@YF#%}Hvf>bEvm#)p>IA)51&3OTJ4(N7;=KF z!34*NtU?Xxuk-odbjiVmxlU0WBeyw*i1$z9reh4`h%ifFtq3tZp?-znJpFJv_glDAMI>opBoEO^BZ3R z`p;K;tpw-^#VcxP6vGwiti~?3ih^0&;<_I}RGbsbvB)<`Bb{*OSbvC0?i!bQ`gV>k z=Jr`-A*QxT7MuJ;glh^UwOFl`7L#vvRS_EwYE&P0`(KO+8p$16HkD>uJlfL>uEMh> z=lO|->O86NqnLO4K;I)uLU6mLXn|!YocmX1H0@70l&jsk*dII4Ia^HZD@WXNPKI*) z;DgZd2IbDb00?}+=FGC(+X4XaN2aB%oUO+QM$l|EuHHZRObz_RAj~;PD+F!rvleGt zK?srjyca5aLoFGZ4Dg`v(u)ADiDIqfEI8wbH+rBT5)TizmL^yZ!(yF@N{WcANP{N9(VfE6 z*6YM163T^mc6qHm(&>&vyBBUBzFkt#hG^VIVd#2Wja?I~$2n$(b+Ving{5q-2Zu~Z}01=@KmbTP5I=|E0*W&$Xc%3PsWL205%akRtFIu!Q6yg zu5$wmljhFoUMhmGXr1TP0mLUh$LlAwo#sR@jzEgl>EoAni_b?kpT8~I_$`2$ibCb# z$oz;+Su$+R`h4L-@A#ylgjVp!yBGv(DUDjQBE;v!=28Gdb4kNIXbby?7|da~${5Wi z?B5yPK&^vtYAHqjQij%7ODj^$>F|zLf1j1J4gU3x&ZqoB-XShVh?wt-Nk^=1GH>9# zAJSQcmzS4zc^5+dPI-NEgJV4q-qXW>HQ@#MTn3R4&lh8@ zBpy8DSj}A9P<_{m&@DBK%I!PewjF-(C%*>=mH$ptoJOUT*e2qMQ$kQDWBvhSsJvOCI=M*E~~wmz^cTP5pl{>~RFaU>F(NU3w~5bFB*3 zD|H5}hei8+nXQ^=27BF728x*iU`OD_XiWidf)2n~Rxg&2SNyb#KzWslYNU~_NnJO; z>lMRhb)ZK6hZ?Li#e8&y$C@!Xjs)^xW@5NcfCnb!0e^1;42Kfk2(w=k_8pnI5`{e7 z^Up4D{D;>(@3t>}Z({lEMldwc5Xn;j73Bi+)3qieWN3ZPh!n!|~FD2%m(Xn-M3`JO4#gAEQJWHyVY z#t8GtXet$Qz8!n%G`q~~MpWf{dxrkooUD07%`EolP9LQmUN{EHZ7yNjp>L%`GL7ji zQChfsIdGlZ2(zb%mUw1Em-cX>>PIp`Y_8=&I5Hc{J@pa_)7-pO)wro~wUc$IQ=Kz4 zM6gk^xfpQ&S+0RfmPLdl1VMBIH3N!tPbvBF)K4jyYRE+SJ}S+&L+N21Pj;qx%?9v9 z-u5S+M!imXHO=T`EzWHJ?cAL^a{*OXCCiD%Uw3scZ#js^C7JqAZ)au}q8#UnhfY#h z{bk%F44oK1CdF9IkPqpTQxcI#(a6-PWyaqZ!rEJ81H*?}sHdx-QpkECOl!4k9jOp5 z?JD?5Zj2vpiVEK8hh5yQpSC_DOAk<4fi2z%B-RyY2DIm`pid1#_Gy;urq52oXkZNq 
z9uOcy&Z!>qXqopLA2aPQWq!T%H-FTD42QSVCGwCjdS9pt8T@>%c-Qu_?qk*XvF4%i z!#ikv|6%ze_E}uvCrcj*qCxd=Xgpxq<}t|1FpY3Auj30k)x z_n3UV<9{1n34*~At^AMQI8dFwRYW3QW8=uU) z#FgqyGu=bRu%FaehL+~9pua4C&+nkWh|14W7gihv&J5>JSoeE>JbTk!=i?K=aA&uK z&f!ykxWtvRzdHAbPvFE%l&{oDX{=yR3{7(@v*={*_msv}p9I)m++#kG0{32$glRa?CDlwr{=TlB1HsyLrq^viFe~J_-xJQmST=iQ!b(9 z4Np`ursr<#hlobYJRgBAhCwotyTX27^6ccU378rRy~iy_BhfaG)}HusprUtoMCNWQ zS!+Q2TU8VEDKKJm&$lkq_5Ge+7hfI}FULxQyY!>VPR9LxA8*zmM3zApI+&q&RZ2&L7T~9J6hh$fP;%KqMwZJH_b%TV8%CLx+@iV_5Pl#TO zMDA7F)$=yw3^g1GN1>5mM+z5Hih`pd)YQ-VpAoG!UEg>4__%pH+f?dTt(x(yZUP}+ zwR=VPWBuxY${R5zr!@$Jz4JtlmYAwma$n_dB2A|eR4u(;v3rM|B+{%OwMJq06sx-v~G3=iP0?k^Prdz72)zK#fS zWcC?Kt%v=MV+nENNtTXr7oIICDfzvtrs{(`r-s<`Sf%K<3i^fUo>pB(mY9r+b8Afs zVeIaV+8-+kU};53)u#~K2VQnXR0%&7F5rx7s;L&=PSNKcliw#%3y&@o*0>cRG) z<@1zX;y%YO4mZDVyIQ|j>E8`)^zJt4Kilzp-&j96s3bqcBT{F#A9&n|RR>S6@vnql zb^rGci|F>}f~Ua?3IVomb$eiIGRHH~!rS8%A7A259NUL2QT7|l)9;0rnRi8hJ!ZBu zT>cHggl$ggu?suGVH*ptuo?~mA;+OiEDMOZuy3s8M?*X$MwMlv4Boxt+?r ziuw)v76>f#v<+T(izo6+b4^_;PVgB z>6k71sJa?|Q!nVPprTnqd^JKnq2ew(-&=di7y{`0^g}!do%K+jy48tWm)g0qe}CU6 z*I}~x0N4tsC}b9(gr``2=mmi1$foh})?R+R;I#6%mVS8Ai~kd|dQ6`JeiVWu)^_)v^GDWQMUERZ@jB}{#-6bx%d#17I}gDs47Bh$|Q zgC%b{mGrK}QO9(?%I~4k$4@1Bx%t!J@u49df)u#3crj1xj$wDOs@2xZPm;58KhgZ3 zRhYSosVo;IC|zbZto&s*4GEowW5#O#$2(}Y8fpDf&uH9S!A30k>N8#$Jv+L6H{asd zb#lPm9psSG-Jd8yd`-mh$jGV1ze;M~2grTF`3$jnbEy*Vrn2*k^JZ3X9VnnbV~ z&bE(xv~ec*LmNnQdZ0Eo`js{IcrmRb?=+ZnZ}=OFy<&M zafnUynMtX4z+bn5AN= zEyIY8HY&NvYAqHsNlE}mC;!BhSw!s>*U1h0zZDn(h$ogRpwU*%8l6*Y8&!XTz}oGW z2jIW?QnGN0md#!E67F7QBy*-iu+G}9|m>ICMS#*csRO&-HZ$^{4;P zlAC#UgkKuwV8D@{U<%(YuWHuZ~S1XYP#hy7N)YU%sJ|pf`%Z#YBFv+j-4rs%JR1!U^e= zfH@$FvLc!9N5jx|(;PF`nJTOt(SB04R7TfH*2bpC8(P_-<=b^o7x;%WLnRH@gQL~2 zn%D@2KgPok?zQfw&=qwh!-@vO(BtDd1zq<) z6MdXsy}yahzdjW-)T}6;=ykAFAcI+=p`NA99-d_yq5jjqCet2Klfbztd= zNVr zj|^t?3a^+NpSpGXr>X~+mq>?(2$3YE5@}DbiNw7fMDPmPImLA&I5fcdtQ|Qx{^@g} zw4q^e)aDGR&n6BaXj|`g*Qn{IF{Z4=hGX^-SnUa19qlQ#&cbqGFm#0qRg%P&jlE-< 
zR4RM`9_sYHU48qw4ke4GVRG(b{>WhfZq6TFr8x=I1&0G>V?=#IRb{oj9k!(?l$dJh zo1kN}9}cjm_2XmN`-5`CmiFuKs=cAGb9FvZ`2Y}@I1%RQla>|kv{boNoAU`lM&N0B zg{rnjQd(IjMVm8o{ol|T5U8AiCXH+x5s?o@d$q|B!Um<56n2UI zSa_~pKFg_>>_v4CDh@fGZTalZ+YK5eT|H#M13@#0VISC6ujHOI-~|re#!|@O>wNQA zWzeXMROhz!I9bULKkhWPn!6T7nt*+SKzbNkgYtla8Z0MG1_c9IEX<{_m1yIiLS)R4 zt7JSz7}A$bG>v(_%JRq!U zSY8s=%5=YP@-fQs zhk)xA#yEV#8U z@`S)@rbCo4D>Q;b?BQ|5DI)VR=a4Ug07>zt(2WXH9krDdW313)1f|pUQ)=-pXjq<) z?*;=0)WvgdZZcu}yq^5q*Rrl2E+<>~vUDzdlXdM;lO%|BgziO@2G1E5F`*-0=ykh@ z08ULji&7HQHXfS@pOwYQhm|&L=ePoB*E3~ZcW$HkUVHZps_P{Jj=if9vykRv2qo{z zU<)-?@_M8728GPUO8&X46#@jz#=qVRxQIY&YzhrME4be|iz}ZY18pZ;OLT7E&1s1x zQu^qwE9DUB{w7D0c?#JhSZ65A`^Qla*y$|HIbl~sH2`)@Zux|l-hkj`$#0580tC~^ zm3heRyXFQ?{aK!PJeL{VvErVi+=X;xQVEU1h^9Gd(z#`G`6GF~S)M2>JzqdYzcTL0 zU2u)_ebr8cS^sza0*ZC{-L4 z@O!N=*ODFkpFK0P1 zKE3Qv49UNa+IbrdkBtutDsstd5y*}b7h=FEF2clx8q}MJLWcsI*w`_{5hkLgdkP8X z9ORUF@{%ME z$ssiapOJOIV>U|?gwDJ}_DI3QG7BX6Y=D8J?p`-t#oT)@5ahl1q@w74>Qvn;s((d| zP8R!pY=xp{v3+&k1Tx)R*O|IY9e;9#5od2Dj2xG5wmpS`;}qT4_Y*pcNZ4|Emv>d4iXP)9m&E8t;Z^#Z`_wEsojBn!e+KCAB6 z_}=bSbweV&{M&|WaQ|G7szYg&`!7EvO9gCI_?p+55C~T{*6SWV&8mKX6uH+s4P+y6 zJHKiu_x8_aHHZ`bxc|6qla-iYlSC^joHy}u-P1K{JGPRSYVu@$U^xUi3|^J~n(XHB zVN2nk+P-@t`E+}eemU3q`U*!SJ)@CZ?DYuM(Y9F;zIznzTNh`aCm^U=_dfMZ`+k0R ziv02x{!$AzPt;Y9O36Fn{EH=fMbY#OI(W1E8qm2^L2&z?-2%&}o=H%Beo-&c&HJ$k z64U(d^CEXfeyNUeqjk!jEB`=TD|GSdzT4vL;1b&oQ{;-NZdS2fm90KaP>q%Rf~DB` zyI>05Nm~s-TI44FgLw*+M;NswRSftNM-8)RwlqW*Dqp)$=NrP@?)+?G^&o22K?vj7 z(GuI~Ppsv>bll9cZysy=5?5at*Kd^SM=pIRhDjJ$Sm4c&v*e|#FZHuQPWMC|9xf7e=rsk+yz&r!hVz|qp;yVvF>4!z zEondxHNEQSxD9Fe9aObmq)uXy#gFD1{%|n5zY^LgPbFv)aAY{j6@31BN+_l;mp~nZb#2ydoGh9k=o?4D82G|@ z+GmUy@<1h%-(!QpDe|i5iwPEX5<2A2{DDVooH!Lz&cO;6E``)y$4WYsGOHl^FSLCU zULmaHw;bqdt(DrJ+^Tx-Sy}MQ;6(7SX$&k*L-8fzqE$@c0Turdhdm)O5{bB@Y)XiO5G{ zZy-K5dM1S`JnYU+j$&iCqkxs@z8mG+WTxA_<={{ARGjU;K|24E(UIy$8 zdVB;R2eSK7Fkrk!Z@72~7z#muV4>ZbLFH?~_Nnw+<(LbVMBNy4{PnM3c)XFItV zbANUY_P*&=o5UmAKXj`^0#tf$Qjh^+A#&*4HyLk)--@Sn}!Gbf<~Dl8<>AAWy=K_R1SZp$Lv+ 
zmmKj-@punyrNsQ-+OJk%cl53Zu~saxofQ~?dzLSS@!?pN&*UR8D&YxjQsxtyAh<4i?tHbZZ6Z6VpL4FqXP=L9ah*6|D2OOtklVe`hDR6fwr~@LaUT z9=#A+fLX1oc(z^%9!0l6}ly5gQYrpVbBU1 zAG4HWF4rh4Zt~U)1-%paM@0);LVSKI#DwACS6uiJ0PsK$?g|wd>9`r1*=%}Ju2I$z zlzt3av`UNMH&R2S|DO84gmhsC?CP;E&;v+mE$F9)*AJne9w9X8dy!(;GbP<8u%D&@ zb<8$a?D-h(BQ|kapHtfIEhfpejO;m}rW3f?cq2o-QiYOk6*8D>Yvbppe$C~}?{o=H z-OUc*akwMBv1GNFOsyr-HRXugom`U>sAMA-R_d{)JE+W{Df70AJ6B%?0ywp`#pJ2|S1w0+l-ZsMSf-jDtScS&=J~D)r0EsPavQ-qKogarTnVRpQ2qW$fr3c4eaI>O$PK*IhvbKozsi+ZQaa6@l%v#m zgvl__%sGri4z#8!Jw-yL{r;OEgj?*8zxo)$`UCB)5SGm;(ISYzf=uXmDX_)u(W(v0 zakjqg*`d2ZtQm1?vA3j8oleE5X-W$*>kF`PD)dUv)9g^g2Dz`ES%?3a>{41nQvB(= z4mfSY9~RKVUXPl+Sv+t6y!6Z15PmVjgwaR9hZBNlm*Dj!M}y(+X0_Zzk|=`>&Id z1z@Z0^!32ELMj+7bej|$4p(Soo@z7wy}4bRXWmHLD_F?MD9S{@j}(Hb=ek- zHt&y4n3fF(S-YjLY;f=8-88RkMDs*zgqI_<#}NzJ_N8{%#5)*ptQ{6)>|T=z)cO9d zlX)Y6I`643>hO!VV={lSM;F_25u7w4ef0+4@XI7X_s%3-Jfx$;XjnOIX%=}@#h_h9 z`_kE7g}ehxl=AJT3h9iYD7e|`K$cuJbcS1crb&F?)eMsjO^k=%?~{x3O@%}PU9%F7 zy|(zo3s%tFhu>acL8gm;N=L-Rnr`FvNxI>+z_)pAmZWJ&2?%UlR(3Jz)m*sOB>c*^ z-QY`%-vBGLE5a13;eeiwn*V&*dNIIFCq1g3wOhuiIrlf_+jx!bh^;U86<&PtR=UNs zg5YXG-u#NDtltp+usm3>gv3`tVZu@_7ko6iUg11;i*$IU5b-8GY7;)U`<^1hxn@2n zFa9HZXHDwHiO;Yg4K$`7kWMt!ubqeDb;Cw>Fq{EhBb1gTAUh$QvZp%BocSwqHw8Bu z27JDJ=p?X<9dO1gJu#F#JTb*L_Dz7NUv9|gj0f;KA20+bW-}aVv6EhB>hW^Zj7|8T zb(|w0Zy4Bq%S0e*dmh9F{>$)f+u_|fqL9?`RC7ykjTmnufG3} zsjrNxtLM5c6faJpxE$PyyB2qMcZxd{cXxMpD-Olo-6`%~-1R%9_vN|2&KR3)vUaj` zW+q`hu&W2Y0xUVHU>QM2yVhIPD{SyUbYrGtj^&JI#VvEWFVCY)gGr0+q7bwKX*N&p zImigpcE@ib`ZLqcD@nPig2vF01bqJj5GQ#E8qc<$IH(%NKyA%(xdh6qAtxp1h!n$- zHWbTwuz$n2KE;6!m%n2?{Ny&aN9MYXe<4D#WYPwB?fQi#i@BT36`H-46tvGlQixPxnxX*H>WW;)*AVk8 z&T~B@F1@R&t~xqg462BK;_P&8?jMub*zX@w zl3S6@wz%GTT~Q-k9Q^q4GXfLj2g01TG01aWGF+0-X)U_t8TK zNU^4a+xOYPB7LT8i0#16O+BQsEQTaSl&|RbAc4L{*NaJ#ig4CSW{B;dfKmTr9-sC20CogQwaL z!_nPV6ai>xNMC(hHL$*arS9n3fkpdj46;GL!FQHIRJ7eP1tFva7_<$u)?(%h4p1Dy z1EN}8hVN!K!Ix&u_G#a3>pMZ2QpAFfp9`quWz^7pGfRSsVOqY<%$74jzU2pVTP)1n zh|Y~)EP7YmFU4@7k%U4^a!q%IHvoFW%0wXen!Z>m@tb$z>G?W$iW-lHr=+6&rF*9C 
z+&b=|Fp$*Y&QQ5{K6BgmDeLf1OB(KZo~P_3GyY*umTRWe^!4D}gA^~Kv_iQe!^7j{ z;+H(+iVA_#HD239d#RIj{|di@#-Br;2%a0xey7ecqhAFo`PdtIm;)qA0n;XD%)&!eODM{Uc|i`sZ5n^RDyql6;rrwZ!4CGF zvyNVw9zclEo5JQpvG&$@G4%to*a{rfSn{c&Jx(nSLq8J^3WldNi5`YA#-Vhudo%UF zXH3~atfN&>`}SL8deGT6m86J*U{)t6SsGG`)0l9%z`G`zx%pX=|9CSK1C}KhekF@} zAEmcrwU0(MR_ce(K5kk~A{BX*c-3_xePk8*U0?y(M&HH9V@Q=l0^!=sJfSh+Fdx0@n$!E$xCYwHLdb|4s@?+wtAiQ$ctQIdFT~8gwXT2&v%L1X)S4g zdHC@|X&xscFaW=T2vux}-=|Ks7fQ6wIS-6N{281?l~{F)CZ15I_`mT~p_MwMOo)02 zzzo*!Oh#Tk8>Qh8)|PIqBdyrSCuD5o2FZkuQ(?H|onAC^GX4YE2>i#_ zz48+lhvM~~&!TX$bY(aZcWOVgHU$}bbgcgBdv9fc3YcFPi%eC)glAF4Cxk z$L^Q=^GJk?*oUoL=8?>{jHzSDYisjS2mU%olodfo4hxjom-~&oI!^5Ey;t`NTyAWh zwnMcSP?b-8W=id^)=#GX?(s(LpCVwaXi+E>MGENWk2R1KO6sSWcFV-B;gy(Qz$!o! zq~CM!!1S%{X+7wB`=V%8#|-j7__Zhc`=7g&r$6Ql^~yDr6L7|ywbHuvOgIW(YM*I8 zb;%tBH6T|>Y6?)m-Pl@WH6BBX=Yvzlqk$CHju2V;ttRdoQZJRMVhjo9O4h;XXBd_N zU|2u-=1=`+H(sp8wJLlRIHp7qphjZ(-7E-{PRpPuGyoH|R+r10KnA*wFD&epx}pv} z>Wy89Y65C-H;%xr6h4TT!fogJcts^w#n>jx6U7MNQz!-uNlez8(os4S4>esWQ=?Tz zy`wyA3W%fzXyQ=G{NX*a--<}1)advIut_&laWhlPLvb=pXf{n!?9ZhiF1QUN+rlIl z8G1!Y!5@7Xu;%cDVJ}b_T#<0-7nXoQeau`X&>Vkl1b#nCRZFP^E<%BiB&b00=a+j4 z^(T#)v|)*}MLZI69US`q8Dq7vBW@x8SR(Mg9L(U9-<=sBLf!6mD;c`D*_fpu><%T7 zeab5fE@k{pOk0$nljGv+ac+x!9*GVrDpq7$BCfq39cw*ph5B-W&$0wXY%T@!e!aO$ zQG^0r1TOReegtNFk8w5i2M2Y@khpT(pMXU$GP_Zv82Qy8g>CxFDSmiyoA;o@k6;_G437lq^B=TN3&D$Hx*6ODy<78xsaN>rtd`f)_lp|G!MJ{_=Q-$6irh#Jcp0b(B zo{8hPLbT?{mHkf6rdAp-d}k=oRAu2m8qRNo+JZXJj{hw3+ChV(E$miyFe5;jCyN~g zK!+&I1_;bK2NSjLKk*YiB?8T*-`G+w&Qp}BNlsq3v zySb~uiTR5e2k#Y)YUYaFh$}W$NL;tx+L?G*l_wg~<3CTP*{QdNjrO<;Qe~B#=RoZo zo>a6%D;Z5FJ5Ssts#FuUCuj3|Ll)TE_Me`XvQ}BO`7N-_h+u1uetr~Mc1u{8xAn4b z7pFU|=8xhOA5lHc2cvtwG0TroTp6{SiY{2S-EnNYnot!@g47|l>e<)OZKKNB{^!29 zz2aNg%C<*8ifP5i(~BF1AkVS$VMXIdpFz;Y%o?UBi0yp9>k!j=k8x+;(qdS&`3A9o zhJs*3;Y?`B9g47ef|sIMjvK+@-0sr+dUfZfkbX5T0Df0ZndbUUK0%Hbd_;1ClVN3A zeE2dGc&SU_GqTu<8&dw)x8zjHNu?MFTdZ(q%_zppD9HNM1`8wg8v2NJVhmmLl1DRW z6?%lL!BaZCYYxN8R$S9P@PEh<+Dy9_$g$Y3aLg73s^K&hKR7Dfjigl(@PL-ZgrnzC 
zqHPK)RKNK*4hG$L^Re}044Fu!#v#>dvYsPMLJFGzfnH2Mo0yQ67-vzhWav`i|9WBA zn#sLKKAZ&h!eCe6!svGS;oNS1mAT?yIOlF8rjny(Q=5! z^^yi;wdc$XfV432(QKRQ%5_ecqRj%ALbI^*>vkcc$_fVVL=x9CphW6lkcU^9O>R#s znWik^EM^U)>}O#KVrwruae9!fIJ)tWZl+`y^v4yRb@5%G!Fzk*WjkmSp8k`0Xm=tPp(L?8QtwZyB)%Y&=FwWn_lmZHk)h^0#9!ePBc7H z3nQew6$|?16|0~ki9uJSjQ%yWh@x}#Cmds zQt{CK^s;plglxz$I&n_qGCx)ec+VN&${xVp*Ey$qin%X|6*9AhHj|7B4jJ6+=H-)P zZZz~~jSXGCJL0)ClT_JtVIT#wEob+=eg{WDPMhEk4Ia$V3l-olA}oP7J&WTkM~t~H zT>03+QR&B^7gVvHE=ZL2HiyH&C)2!baPquemSVht;N`K z9A?q72ryzWEHV9u*>zV9=NONZ4{86$c}hN%^%*=dZjinP2aDav;Fah4Vdpt?JBjmS zQiA&nbdr5xVxCBMQEPKkf#OoJa(!-`T82V^bh!U!`Q|pn*oQ@`>MXTtGjkATkl7fB zlwp!AHCsP7b7UFuIRRp(Qid6&7+wo%=(sI`B_t}!;ygojk*;xIBjkYpEzFxE=O-L{ zIC7*?WhKDgg6YMcIg~p78B2oxal+s#w>ZkpwN%N}*w4oxrQ-k_TKo72Ttr^!wvvX< zLZ;jOqwx(|oD6y6O%IWI1vjDY$q2GU%xfhl&p5yRl0a#V95*FeGS6#4k~0Dn%O9+W zCk3>|eV{F_$8ZvzB?6sG(s#UH!=*G4s<%<`|*?ec`l;||d zJ1|3lN-&m>T-cJ>3WiY55HZEDP=%t(x_~o7LP|g@)yG5Z|0jqFiP+v>K@wDX_ke=* z(0@9@R({RyhbhOKh-{XoU>`NGwoWLs@ja{24U7U? zc)(Z+>~jQpqG9q3amiJgP;EBqkiUq`VxDNMxLoNJ<#%Q{S5o#OYrlVdx8!|UnEt~Bo7LeoJ9y%^Q-yg3`iSIIJtbgj!n%wd#pvtVa^vpY;Ar@$S1%u z%ntY@9-Ckd8^MIwB>f5Ksd%$S8@VNGymPEAUDa&rBp;+5*z@F-r>Z zUBTqJQb+c{d%QY<7JbP{r_(cft^!k)NK&}Cjj_$zt#PvDJwgu1o{5d^UEER69xV$#G(f`M`nea`T=mv#p(;;k+B%}UYPatF;tyZjQ zDGINrzyPY$AB#7$ra4-i-P~SdXQ?Og9BlbT3oT_!)%AOiN{c~eAca~w%!+iO-SL3iod>jgj!QIRIyl$AuXg=o{K)Wg zX9s`_{2hxT-3%z&-KN=0&!;Mt0xnU3PEVg^pyI9>Qe8Kyyr9zWqO zU8M%1LC<7TMupF)A8wu>uWw)HC#cw(wbyt^4R`qrlhRH*jM~m_F$iYW_~M~&|7O); zkR|lO`wf(}wpBwz{afd<6=Ao{Vz^F^fp|CL{VUypG)j*jHLQ9)M~kn-2v0MAa;-v# ziKX@_my`)5=NP6grVgUjt?m~ulHw1)!lwJ7jvRY7 zcGHIbHCajh;wwxi?#EERefBNfls!zCPvTNxF}AuzTr5+pEGrGKFDzyf$KNW^>7I}) zD#6bI0Hw+XAkTRZZUxJQE8}TYzSKsT6Ym`#EeK)5>c0lhEiy{<;Dty zj!F;wJ$P|Rv~>M|&NnTJCR3+fK>5BHI2(s?!h{FtEflk{YJ1$h2;*RjYMOB{7f}^% zF6NQ66qZykJa$OmU>R7by`GZQ@(gC_8Fq$pT?~L^F&|hLRLFTtkU2DU)XrAFAw$7!uK-6{O+38u4j{C$+Ps7 zs6%!_h@*6Z^r)Y!*vD&1W`tbCp6oxCYP{zv{4551EaD=n{NVy@<-T0r`y_|Zs~+tU zVjg^Hn!%M#6VpFBY(&`h=^ur~$)(O_jId 
zGvrgj4%M}xf)CP%HW4FUbZH`%L>yJ{y#Uj<_!UQ-5JopB&J)|Qsq&r|(u%U{#t?t5 z{2TWT3P73NE-@Se_SYr2i?!kKwjDpBIG87y z(|Z$ihh0T9Og`xd6nTZBe5z##eADnZsv)6Br3N6(#H70Hu@OFD|2-K9Jlgj=N|@LH z*3L_Lqca;q%THy?L-^xcMdM`O2UyZ>*~T%l_Y9Mj zDq7|;B=bEWyqKDi_))9Y)CFojy;YkGcyq^_UbMG6dQfTZ8TWh7mw_w3ZOY0okBc~3 z>$(P0)+38O#dUf?^ppEITBW=Ll+k)&qM8rSqv%Q){}sKZ3x1^uQOJRqs&i|c^0wHw zdEzHvkNr2w5n{;}W$Ex3{uZW^K6TQ+bXDE4rjF3;EN6>|Rp&wp?R2`G=sP!=v-G)% zEmOT1Q_+^_%hu5L=%4@CHD6%?H~DO0BCt{A!+Sc?%`^waVg3c(?25l6$my$yg@2Sg zEQ^LCq2L#lk{7_r0DNPLj#i6l0TBOu+PRSE)<E&*1-~+zIrN3e@{)vCj-t3oy$o zCKY!UHlg5)HY#1-R{Cs$b0wI1Obn(}&Z8r_{IZ&6640|$ zoU^JclDDl7vyqJxI@ZTsEiTMdgb`S6BUJ&su72zH@0^lmHW ztubU)lCS-R11-OzPYU_*Fc>5`6JYd~Q?QlNuV0y~xh^GP+Z*^$y3ig}NhZxSzjW^N zQKdnOmq#E_mKz5wAjH93G8bB5t@1rJ@GM-7f^a9Nj>OZ9>{$z`Y1;2M%_kSQiF_Bf zb!E+IG}@0&28-tCnnqg5quE_minieax$9m?Pd;$j4OD5o)Ws1zHh)0eqjT7OiuoN2 zmE!kII`N{#Lv)fkxhNW;>K02>#nvp2<4A3MHqF7Pe;8tNk8t| zXpC_{Y8&nHrT_Np*qUomCA);jsYqu34J>MMm3`b;HwUe3 zlry(jH4UCwq`s%B&6CAU2^MT;PiT*dE^8mm+Gl-(#?ni0@h1$~ zTe^@2IZlNPi$Uuyylg!jnn`xG zpCNB(17&zZV(4xMSaR2-P!EzHaBtfWF}l!9VujD+;EYo%9&u)J#S+Gh1^$T?>`Lj- z0v1J1B;C4_Kt9hluQ|f-kWj@b+@=FDBB~4Wr!uG^u;E(p7_+0i^Kk>#ddUCP1iu-Q zCG=bekgK?|g&um%vk60VBE2#2PPSVxJclj}lq}ZmugkbwgHP!`@~6$Nsz4qL_9dr2 z4SM_tg$MKzOF$Y#tKhzshkT7n5>YnH?`$ZVKvV^~-smJd)qdvcRhT0bJ2^dqvC zkUtevOf<#_=A?GKCF&jP`y@WPpq~UG^8rYPtN6jCLZ=eQAqMF>aYJc&@lzZdixmf? 
z*7k_+vO$?6;|L@K!NV{i3+piC`gXDO=c411{ERND)OWxDaA15Xbaoje-Y_0X65}ZK z7-{#s+&XOKEYaTCn@mvslNq`5a-aQjewnMLIv3p=#~^lw$cj$J*+qvo4*16V55GsZ zMnv@X^%B8{Dk>36kc%e>X*3o0ofj$M6r_@5^19?i8j=3n=0BnIk--EKpg{i$h0fsX zwV9E{HBu{e17-Z2Lq^*$WO4ujS=VBhV`CGuWT78(^)2AphNqL2&N!DprggFiT2&(3 z86L9BZ*7PPq6^?n`>&Q<+u%h9h3tyr#SfFANNfprBVWRiay^Vu#wJX$$=5FK;RJyN zV?~7cpW3ipx+6pJCqVfD=WVA67C3LGovG5>2+Ib#L)d#=S7e=ESf`)Ut-S*eIJdJg zYZMV&;pHWbITsqW8t-@8+nx`uZ#_Nj;^#Jdsqk-|!tUU0u6~?F3`ouP=QuH1FH7Bx z3Z+#=32r*RDRyGf`Y)V|3giZcIOIz21-CLIgjOsGcb1he}3P4U%;bFWaI+`f@NkN3wg00c$Xf(B6s)LYm*K!K+Pc$4K|?bozlVU}FT z8%>zEh6uXHA1i@?!p8R$m6VLtVCNIlsGBL~v=~6k5z89J%++nbEZBhxtNll=`al}3 zWDqP;3dEMcSQ(}$?9&Hz7jZwpe}nX$G&N@(HNqs`{!H>w6fYONR1=Rq`c4<&J?>=BbaqLU9>^MK6BL(JOyV z2%#!vFp(8zbV$=SHY>IF&f$A#&F&A@NT(uDMgS^(B*V^O_R*pkS0JQ=g7mQ6LZt)q zZ$`OC$k@0ilxi$f4~?(PEiSXuCr6e~&-XsZkPU2B&=xGJ0!#mJcMV9hX1J@RSFWY6dVI2 z8;&<9Q4WL3k|pZ2j78y>Pw~yZc3qwL@J(4_7N^NDPBp|O1Vgsm4k?7n@_VP|dLpEo zH}=pruE3mM59$UCKVZTENa6_5`&_E*sop)Py7u{qrjK#5G;`GrE8XSTO4^jTnKI@1 z+iQik!`h-^*{I{o%!8A<-HQgkYG_T1Y<=%%5UUV^5MK|rkzWUjC7(*5fG(Mon}BiM4ES& zCvr*_Uu|7lD?bU)15uWgd>mToKD?{KBi++_`3*f>N!UlfstY=nab!eJ)h%Teqgz-B z%K`Vj+*3ySagRU0A-?b9lm*$#8YRnTm+>=%{9BN~?8e)`=gTcTylv9!{{H8emxH6? 
z*DYTc)_RjyNiHh)=R)nMhdq7QxVdMysm*D-V(Jlx=WCl+d(LBA?v_K3^BtOp3Ma0c zlTSeqR09=ct?Igjiw8IP^CUZ*_Wx_QclXVh`V(jsply^|-c(|sN2+1r z!qB3d&bQF-?ydM}!khBSb2R)~M)T@(B)(p{gSulFu`~rE8bF5X;wxttAx9-Am{$aK zOZqIi;f4I(c^OTtSB!nIR}8T8qu~*+n6uGQkLHGLX}M&1^w%WGz-G$6{Po%TLqnR1 zlWC5Eq}%v$Y5F71g7kX4h)Bj7_bC3fq2E8Dze=G7@r!P-#swuh_rjY*vwnUvdCkss z*0|3R{GuOi$SA&q%|Z)W7$(%$ev2TY5f`A4pdB_;PwJIMvBrjZk8RYQ`D$9%wE6IWR=hUz?hU=hJR=08u`BqErSmZ)_A z2?@2{P&c39hxJ0FfvOdc2ObZoxz4o{Mm5W`QTUN64192N&_OWB=7TXHE$*4c#6bsiBOpY zU5+G0ltk+19nje7XY10wOaU@~U#|Cv(`^{56KNl;6DdPT({0G$%MZx>^Fc z{Zrfub30b|CY2AoWiQgiLf4Twd=nOv6_oI)M6Z4`R6xt???Up)b|4{*9E9`>?*MO# zQCvQ~pkl8&ztC%@hHU^;H0oHq$Pf5qr}e1+G)dw`bbz->V1TzMIx+c)fgcv|Q$79S zHN5JqO#1@5-yODv+40ydYcH^l^8}*U9|z^oI*xZ}qZk*l zzfjHydP~&xCZ$eZGfOU?X;WZ;#E`f+P8&P3YxBpu21#58vvOcnT?k+V;>J7I_lv)@WH^{MW2_25*5frR&KKT5)x z1b}>eOQnY6tUGv9IwdeB1}Uj7LU!0nQuBo324Qy`BxUpE#e0%UlO;P}duekX!U3u%Au8&z zfbL>4e;!0mf2Qkq83-za3xG1n|CIsCya0lyqy}VfRKq8<>Z3XXt^R#f3LMt!P0#Y< ze9aB)w}T}ac_z|?BAsy0JIP+eSpcTz+k_EQsBBr`?EzOas#YE&3mVC#jDZ6L?f z56aH!B+NQ@np)S~!JJ#~s9$;4!PgevRb0@mDUT8rGrM zn0O7Th6E0z5@nizBZ489TpWhrq$FKa`)C~thLs$qNo~c5s!`2G zseMGF;GSS~o})dmb>t{d!EQoOq5O5#w7Vna>Fh`U#3&%e?d{w1u~cHEp(R*AHta%< zB*av6!VJrYgLXv{T=e^<)V9U8nZ}+%gkU~p{(txw$_9fb-yJqk7xs+`WZ0KgJ?T1D z4{5u02%z~+RPd7jbg(JHG7broI{UbfFe@yI#?C<1a^(l&yF6^TADLs8L^X^s(+cUC zHA^Z>4jtEr^0b_K2D>`V4Bq3o7+_xyrIrc|``W0U@htkd zwL}*aEW(27Z@9KmLD(fJ_$Au)9}>dWWord9+-f3nqDd-AT?2s>Hq30J6d*8&YKri& zrk4D=0e(TRa``{f_BLy@>ooE9YPOJ80JiZ^>lVA2utgXn?SdSQs8pf2I~MD!LE!bo zMqzlBAKE1UTQ4VnpD^OPcy!J@KdL>`hMTEB<4FrUvvNN-ad>DvZ&X;l-o_6;@JGhv z8;TLd7NOb_QrP*6DHTAm6c850z!#O7<^G~enf#p9K^^ke2FTecm}R!0uV zqo(d$Tfr<$O@Xz4bP5BAqh|85(*h9p2IzI(@&f3|kOK?N6`~>|dhw&CQD}syk7cJ2 z?|?0v#MO#Dw7V0~9}@&7Kb%ZBkoeLYWUF9h+N3&aEqC*9=~6rXK-4!66RchMhs09r zQZxJ4Eih*FGE?x)P&gpwEBc6)pm)W|%Qn;vfV}%zP^g(T`9gu`AQ%?xNKiZO zvzw`9pjtY%P$|Ws;(oeMlQZ2UNUv~K+X5$%XAytAg;g0dW?s&OuS<<35Ha}dk~%b4 zaDllU?L|DaF^|KKA1V^}mQ*D2>IBpK6Av-s%Q91N&tz~NIcVy}QN|y7QvCG8|1(*W 
z`M1G)(1tPq$QFo;#PNr>z@L8;o*<$P36et5-!tpMXX>y1*hk0R zZaY9y#-g3K(>Xnwd_7sD+w6%W`fVLoc&n5#=7BZ&8@)?iV9MO7m!u_?XtY2VZ=*BD z2LkoLd$ zIbL}&&)as7E%RclrcX{L90C>mUA=-l(PR-K<1$V$33w#=C5F<=JLc=kT@!qfNS*xz z$8-UJkf_}2ctUVWuugL@E5vsP->drYC=(n@MB*!X!h_UG68o!e5@Wn{+yvw*Zb6i| zc(7OBA5o(svLmOEt@%o&=n-lslGPf zW%{=0RsKCaUSsA3UlJnJ@;^6(k1|QE&S#JHHzXMp>@%0t2@hg zQ`Y~cd5jE9o!LiY$q+;-c(bh!)={HJJS*a@DT+>FxFwM+@?%qB3@bP(w06^NT3?r5 z3v$_e<;{MD79ZkyMSlBSH3on11KQkzuxg;_=rp zp!Uh8w`Ps2wo<<^t5{39z?;VyN*v4>ipMZeg4#!5fPV_^HK<{r9G5-0m zkL!HtbY9saPili_MRer}eXQm4IP#Zzz>Gd*z3uPEZ{*#1Hz#Ys9grL*xWO_1E_K$j}r^zfio1 za~Cpo1Az_x3+ZD5A4U=oKl}~pQ_18XA`Z(Ek&gijrK3^0d`YG#V_!|}i>%HL4MVM>|-8g8gYi@$h=SN0o>!tBIGAVsU(qr1Vux|5->889vxBkcVC7U5=@j%O(2Q@ zjDMecB}85Bg4_SWZu-g}==us{W2$z#zai>+eCJbc6`hMobKYXIdwo(^v6=Dl2AQ{g|j?8k?yuPo&}&Bj(|em#L2vr3?^$6)J>L z76bVnEejr~kg9|!zdgt8Q56td zg{~#$L+7bqc3Af(jepPVkSmXPtlIu_m>YB3A6XjsY%_mM@q3QVU5)9n`>>|3*@=s_ z`x*8lbZdL~9sEz-Bte6Nf2852cJf=&(cJ6yX8H*sUCdv%xOqC=Zq}Trdt84Fj ztSA#LVL>GQt$$(+Ln%KnlXN%B21)S^eA$&UR*AR7U$ciVni3aM6jcb0sr`9vpFln( zWEM~^O&9Sr_V{NH~cEo9Gmx>$`)-wj@W{CJPLsaNEhd%-gDU zfz!-0F8$G~&7wqhVu%FAC2=BZd%v7g>{K}3KRV5XdotpZxOVHWai@&WLcU(C(IRoEpqU&dImqIm(ZlUE+JG<8idY>VczmZBoV6b3On z`x~gr_t(V6r*&@AsZMy3zg*cBJ~#UD;3j=_+>gfu@IYQRPO@gn2<$64Dm z|EnU$pVM=|6n5|jeO4AQ08`|g zKUOGUi{Ud6p^p$(6;Da@`u4Fj<9+hGrBG%WwE3>FO$}5XQ;Hqooi3WT@jO@Y9D(fZ zw%bxYZRz8zVI!GsHp;;GQ6vOgf4177YK%9!DF&nxvz^NCk&i>WLSku&;e5`c=s6C2 z*L`_8Wc|*>Hln7mM3?K8)&KE;FMs5i?~0S90zZ%=(wHKpJDo@Xz1y3?Ojo**oNM*~ z^qSrLD0JMzn4DXv;d>00Vd}Xy@8s?BPi<4!@GqrID7O&0$!Sh!5~Q~M_j-dbyY3jV zkDD7EY~u{NaD5AHgO!^GKDfD31EMD=`CZszp|Go|H+joHMn{s9vA~a||9}dh80ERj zZwFp6K-a_$q^h&^Cd>7V!Qe;ND(0@3Orb)vZy zel$Izo7+!Rpa6r1*1oztOEWX)4KW+NQNh}`Qy=7((S70U5&QN7KfLG6%RQbqwWTf= zH`Vkl4mx0{cn+~?OKT*ut zuv@0SyRT=9annyEN@Cd(hoUzJk;^{v_3MxBnOpQJE@I6DiTVRZ4p$6)e#3MF+XTHs zma?-xf`h9Dq*KN|>dK%FtbfbiuxLN*RMtm7f}Sb_5y@%*ijl*<1E7aetEXNK=r_c8 zNYD4M_bNO7tGE=Hk$zkfg8?h9g#7B{u9Ki6rM+IPYflFCtNr|9p649gh*N~-CS!lz z^g-h5i0Ae%6#T=w>@e3Jc=o9L;f_zF*+zNK)mXHvlhuZ#9 
zc#1XX3`FU^0#3AGLS;CGe`-t~f{2OTc6((fs99Mzo*3*kRZcm?TefrPT{jDHAuG+R zu6f|xZ6=!?qRf_)#6V!jpBd|Fi&jxHIy_JB+zH~A%&bqS@?_r68Xe0P9^{=^&_16a}tCKE2`d$HxP zJBJ^!(+75#=f|(;n!yBS5_g@aPy;64Iv61bZt#`R{n+Xiv~gbf8hFSA6=+g7%fme& zeHa<}`20LQFHg>&+EGqTu3O!7K*If;^K!pn=wapwr|4)=MFTtp*HN11b;0RMIudV| z)FJ9tlVDy{cv0Q+*`9M>a8GeQoF|LtO7p(@dGCv-#&1ncO(khRp$bXV#Q2n*9~rs= zs==~jBEgFqHilaC1g4&Vby%gUca09*A)&Z2heic1FBqy?7PxRNi^`u}gTo&}1fKln zHao+tA;LnAx90F|;(@Zvlaj7;Rc^B^%Rk{pyB>9?Y@G#n9t?b?UjxC}2&Od=FMtMz z_%uyX#`N4hxNUzq_ObJ0pAchzz_TT*E{WtY;`e3JgA{Crhryd?g(R{fPOg}nNwZIR;K1A3%wFHW>Vrrx> z8b-kP-uK<7fmJHvk0pUj@Wu?IkRvQv%&1 zndh9Jcq>-tKZPZLA{8|NjO%3Lb2F-Armt1P5dD%~?|XnuNo-JlBio?-HRF_I8x+~} zF!qZilG`JsUczhBl85ojx#R1ViKo`%)+Y{{gkPVtrC3in6Uap?(}`$Dc&uTC?|}CsmyMwX z?|gV$w7=AyJp~gT-D*6UR`X8tx&b6qz2ge9g^NLe<41U9z_J^eN70$65NZLf|GjKi6!2G*RycT2wl9MFRI{)sf_y~Re)nnC!f#|}|U z^yd(4ofN3Rv_uVjDMe3pjF_69H~D!DJoY%qdpS0j++$}T-ec#7shZ$m)MwYjWfJx! zuTD|P>c#GxS`*?q-NYEHgyn8{5ZrQcX6%IW7AFH+ID@=e_XJVBHe_MO9;lz4=h_;N zr`*~x?jevg*nVPmZN)RVa=!Guv9z*raOe1XmbW2;{Td9Vy!MQkd4h?{IRD)r$1HI= z;d^Y|V}g7a*Fj66*|z~JY_~?sDsuTc@~nt}t<>w``|*L!r^Hw=1DT+n1|%^1(W!b7 zUdXq-GG8sMd4(Y$?G3!W;IrG|2n7A1zBpsqN<>kq29y+RD)10XC12418$rJN--LQm zUSYJTp0!qTB`cni!@b9q*wei8RGm-HSE{V1@&XOdN9qbsL+aNPM)D>#dG+J3dC5)V zsSk&vOU)cLOx)#?e}}yRk`{un!@W>3Ez7%Sb41@8|=* z6*$HXIUD?T7WH++Ue_JKu4XjWjLo50r_BeubuJd7Tz}}lwJAo5kcwz|+Ii$8m9^Z@ zwV~yxptg^L9NPC^L6C3gsAa(PG~zsN(a~o`IABp{OouUWM~b*vWXwQ}YYmb1wo-8C(5g~g%zlThSJqwff3v!`ZYZb}!J+h|jph&{^NVE;Vw zF6F_EjFf)8dAM$k2@IquEXk6th=go(ov6P#l74)+*Wzjg9yQ)F@5EpI>?kuE&FvBs z`JL!#{&iK{vW=T;rHk}h<`%k^%l&cqZi2fTpupoBoA*;7Kw)(^t}Kq1Z~B9&TrX;A zO*Pt!#w7-}7Wlh{cIzQ)#e?S<0boO4BQ`ORR&KD+WG4;Kz$KK%P8XX_bMbYrV^=?) 
zc)HtqaOcx(MLMyRn2TwD0W^)^n!t8nC>L2P5*QQjabC^doTpDQ9Mxpd^nXPiF0`C0 zYvTe&mA|CT4qN=jedYx}Yi2HOD4tVQbK%3O=9)mFVh0?B!Fh$Jd~)8kE#$*ms|U85 z?o5y$8tmyulDswxHa0KL6>es?gL$0VX3s}(*a%-T66ecULVJ3>TQz}8QZ6XJ7Ry-h z9Qz~34I4)68J-=Q!v@Z$Z!5l7>u91ul}(F-$~$WjN_|f?Z5hq*J;EkW8*I`8Zl3n+ zU4w-$`}jZCG3G)CT{aAwEroO>NUJjBCfXW)y7y|$^7Mq)#x^d`5y@g-;xg!yUVV+R zl>EGd@rk{?zb6PeFao`4bd|7 zVU>qwi+$3|g#cX{SNkgKHSfMQ7%CD~{Q2(AX?#KQd;)Q?MDdro*5j?y+S9e=&_$uE zn%bmIx7+UhNOQdXMGCU{Q$&O|opn~^<9feBWsiV-qibK(iXqnLLS5$ehTD4m#q5n5 zy2#z(t}X3~b^M{TnHHl~HKHWsw{&}+k~L|Hw{3?6Q9^aAY(p|tM>ditCuj5}Y7>Hv z_(&n1LNfo1hQ*qe_&A|ewUGwcxM3+<ta$}cu1wjoT%TKGAF+jF5`mc{*NjpHZ!EJvWE>)A>1>-u$P!f1@Y*m6BYd~st!$v@J6E2&11@flPjCKwBuyM+36|l?@^tKuC?BWE3xKwFj?Javh6ny&ZCzu5;DM} zI&B6q=183U!SumolJBe#%w1q` zPTf{MeZ&}df+r`2jm`6TBZoY<4=7DtvcG8vuYmdkvX|v6~2t4`^lMQ<$ zzq-Hp{oI4>d-e2m&Fy!x_ew4C)7SH*GE#6;l3E{l2r%`RzwA-6Y7FEkA8)fu3&NIW z$c(T{AYD~yUuxrSm;GRj0>yBE3XfkUq6G5BLtugjRo2eOX8-*G&k2tkz?SVgbL@&F zOKJaWZTO*h{);9tF|u{WN2CEed}2`nP0={$Mf@Skhzl@z1x1T*s09{KSw$^gm)P(5 zTE9WkHXEY1$Q4v90s1hmKD}S_1`CE>%$KA~M!TndG2g1x+TG70#;>bj@E8cbzvWX* zKfko1FsZ}s9uxc9wU*a$I-RlN<_^;7%miQlMxbeyScFW<6TX|~!9!S7d)0k)Gk+9T z@q9?F-wTnCF@6Tn4X&WD3Oe2v{6RimK8|rPrgQU=Tn}*u(`y0z9J}*u3tnmuZvV2T zegA(EqUDq}m+icRY+qT`|Imtl? 
zT6F@)|gHRYFs)#2NY#l`wQcNNwzdxC1 zvKMwIXEJ^gGyu&+0Qo-)z;1a%gdYZBWE!TH5crI3u(bDO%`6?B4k{ltPTw_ikfSo{ zDNCTFn?v?dQVgbs&Tp@-IWEj}@oaDRTnCaV9K(JYbxUS~d4ikaj+Tka{sMn+j3KP% zz2ZOz=zQIVqR0U&2$8{jab3JDgDh^Nc4M)UeVHI9)kY>dA~soOUWA&kAMJ;f>EF~7 z3Lvf%GeG_?%ynd|3-?3L2;(zINKZ7k6v;!{Rr#R6Bytx)KqMw7KWLkHE7Aqc{Ppi5 zUL4|91VHYj1W!zc&2*ji`c zH*-8fZ2B^82fDk0T15JA{~;9A1o zdFNx_E}-=%9bMWbQ@K-fj*k|Uz3a#dh1I$a>B{3&t|*9OFqnz&U^kvXzwYw zb7D+PX+@=}_q?zka%08ffc>(UNK?6s>`P23$JvjQ+FNnl4~8G1G2y_^ z+9yiW_4T6&qyhwEr!18;74jQO9tCm9orNE@9Ds+e|0dTW%ieT^W!!cIX@nW>q&;hV zwd%^3can2!Q+jr($C$ntPWZAi`yR{~7s}MKp1x+cwJUO+if@R8%bULLJP>DY5bWGW zUb)l8F9Q9^z@)j1R-&QbnU7~m517*k;Y|vQv@UR!BN&GBDK#HIT8hYLvnYLUhm@x9 zHKztFY5Nxr^~lU=g=NfZeVt@?InA81pY_xFjpeIPZ}}m6w6e&$x8<}?k*motlvjH_ zvgO<@<2W92TStb8J^{8YT_&E#*=04ZVN?R*-9}=}sW2BO6l*L@d~74l*Vlk4JLaC?T2d0ND!t^}%1+!Jies0JnF%2$h4jC*ojy z6ufFT-x^Rx)F34vfgb1TNc7_O$ifJABEQ(PGMmzBPwSDob>FCO5M_dm;H__$5eSU5CD~P@5c4tjTQIRnGy?n0s z)0S5rLdmnM-^-_TH6U?v&mzXaUBhLdQ|uEHp0q6tuQ!a@CvFez%V!eqg>R$zccOo4 z_i@@S!F<1Yy1$=LaZb+_kq@{#{EZiv#BPv3s)-*f2Z_)LY&!Xuqf-Lhqv`lIQ|X8n z_%?ajY0QLPjsf#Lo)*7L@Rzm5L#CWgXNdgeYv{z&L|NIy89lW3w)hb9dU55vAhHoM z1a)`LL^5NMx?EqxM|EKmGDg-qmhYT=tfb=XAHm$(g6M@)og-N{?=T|T1%zB}FI7G* z7e90x3ZJS7I13BD@8C~71bCe^%c+QZI1Po`3sV#vbKaOotpUD@C#3`)hh8ntv#jB` zeLlJM8~P{u|AYZNEda~%v;&KWU4|F-AVFHd>J zdlL7sKT4Damo_oxfB)UYSp3TUo+XN$d05p&v8!K87nN}6QvaLb;E;)R^TdeLYmww< z-ErEeUcHbvykPl{(xz^(zDk>r{=Oa z!_SWU0~=+mhpLPkX&tY}PDXp4D)l>8=U>?S^A=U+pVje?C-u|}g!h9*%ovylv&^3Y z16T>4E0(~&&h%FR5G&D|0dIsE6#w|WVpxQBk7`)Fj-h9MY~S-r7b0Aq<$dKJX162R z%&Q?>;$ioi_^>~}dhvtF$`pvi2jqv=jN9jgTnJ}K=LFkjxut5je4{P8KTR~qJFV- zu)=25%v20!7yrp2ekXk4dapklU5?Aids21yo%C?te4PLroIMeGXYE^hG#w_|sM>$6 zP$C0J7?d_QVZb3muDhE>wmzcWi=Ug0p6|=PVs|m3@4EAd@4Ow=N1s!tQl1TWYu$o9 zlAFRSU%N42zuy?mnicL8Sx~+kf1A}h`B32!O(iLkODa{|Q4Kiw`r>b~^%qM573TA# zI+FnP;0g<4gIQ2@Bpt;W@WeHMdu9BVkh%L?e~s_ce8(hSByMuaQtt7Jy;;cWVG(K9 zo4Gev%YaQY)lZnhgX%LY>Nc9QURO9Mh}+Nt1X)bgVcW|U>IZ2Vp^qzXX{G+VpNANA 
z)ir2tP@2%1#U!8?c4po#$(*|lty2s4=&WznQc9l$uq72?TajVH9&t{ne=u{0*k)`s zfn2N%t#y5(?1}kKAFD5P+wuD;er6v5yisi|>afy2%ypD$Sh7cr?pM7(yCJd2oZ9`E zcYJCa2JIi~;Yl&5ZZa6v{>OTFQfk~~xw_YJUP2z&6|B%3P8l?KemaEL~c4*Jvi@tSq z4#t!niNX>=S&bl#1XV%Gp{r$iS6ZUy9_TRguXp`%&oGLfu$f6qvLKLo&%mfFCH45} zOzwSO&K%hNO_qPB>|JSgV3NnmZ2C9aM~D}E+qJJIaWJZIv&NdP|4Ktl0hdYlnWOly z*a8^m6K9vChBx8mz92K!N5_y(HBErSgLrX*%!DW1?#pzCLsap4X9v_~dj0w@vvZjr zj}`87O_9hxFIdx5NTf1^C)}?_A3qEWq@e)6@#3IQjlCRcrDRifgpCy;x*F7pg}$8e z7l$Np`o3&)PG{A5FzXoj{&e+yUPD(c%;)x%D*!)+-w*RqC;(*c>0t;Kfg^>BQ1d0I zEE7fo^Z#GRZ8bA$>x(YMu^U_o-54-=lo82TqYS--eKMZJ_W%hM(=bLV@!vD$7O9)P z0gB)LK9(5nO)sPyvz5_DvB00|O;775^K$$}j5DqC(}*F@&BjxP;77RHOr_tz9QRW` z#7{$`^a35+$ha4H9-Fe9V^bQoXW7BXXuWFT_|HFr|+9&s*?mt_9b@i~fL~LE@+rQw^CoCiCi( z(rvCS?|8f58=GlE&cn8p(6#O{@v1HnGUA`74|5;!X<@4)hZ~^}UN@BGSQa>a5w#o{U_@X234Ij}wddkJOc8}CKd z!~QH+8qBtuljcSC<$;8!?PsOUFN*gNNzrtBaWNzY=|uXMqvM{9=+&hRGwmGVk7#ggIFygS)>7^E1P>WisCN0d+p+0%sf5;W>Q!APZMkM-r9&dEK|Z=xp{YftMo`SzzBkNG@P5W_b?cMp`7z*6&dAMutbzy*EuJIH?}_6{M7yp;8YUiJ{Hk%lsI<^Hjo zPs2;;jJ?)4>e-%n7Q-bGZ$4GM@bl51KgkqMrYOVHMip9qUZgaujdqroQ;kb0On%(M z*8u?HZ9xtyoPFRmJRUS3p^6O#?81fS?4lCzYY_aL1K7uil*b~Cszur*lR5hZZwcdH zjBT|#P#m~uq}P*ApGdRx%^`X#^qrA8gv*CZVzpJ`fhY<|USJu`WbRvwRtLYSRP8CK zizF5NouL6+N4^20=uWmE=??2=W*qfnfoJ~Y+roTjP{w)f64@DUlE;fmKwmraMG9Bm zv3Prg4=meS72TxpH0TSnw$5if_vUEeXvg90anA7Y!OYEbp1iIZ922eZePUJ&DFCiM zHpT{1wwCnMZ(;}_C9tUBpZsWfR5FZ8KZVsn*i4O)R<043;sB*Ne>H|mgI98x<@B; zo-Ge{!-&8enpjUi3REB?Wk zw4z5wXu$g^LDci{)c{rAH{rNr%1|arI5C_SjkW9iSP>0*WFA?&RY1L~q1NwfttzYrX{5b!i z4~{(~o54H9SdwWvreSm%w|OLHb05Pe3}np$)4jECA|J!TA_ zKr$c0ve-yR5Z)eo*^wd3m&dj4?EqSKqsBMY>AZmY4ViE9&G`~rjn9|!2{T;yeOr^o zDnJ^|ra)o2@#d0B*5E{Ps{@D7Hvomqh1^@}Ho@jJc!=L(`G{c$jN~V&#Iu6s{rkx* zWvq}w;tQ+gqzuNOl7-ko#B$@otXBJqxve<0Intl=CjF+hT>&eD^YGO%VjAWT4rqr% z94`kl2L0g{HGG3)+S=RLEJz`C8TxBsZ?nSf&BTicHp4a+CgFktlcOUOFCG)M!x^2rBcWy$s#ILqY>Cg`P2ER5qBS$SVX zcDr;Tkru_nzIdvK0LG_`8MNU?Sk=kBkDl>EHJ0yzZ%sHzFz&8=?8AZ{V;A*&a81)3 
zx7C7X;F^8T{#q7ad~VkXlk5sO1qz=JG3PoiH<1G|@h@igV^a5AROsl{jID$U{4FQXl7x8lfz)-?I_;H*PXZU`Iy+ZqnE33BGf%02>}DCyPP z^|xF%SQ}RMxk~DRfIEb#3ZG7ke*J=nu)fj|l@P!DVOTJhTmqh$9725I6au}WBWC%$^TMU|vzvm|cd|O;Yskss^Rri{l6UXt$-8dP=kfP_ z4o#h2M7>9=^U+S4&0q9%Q}2l%X(DN1?ER&`!kk_cILq2NOoJ{rr@MYlfno8Vhv^uE zY5?Y)p2up%LL;?vFa1Or(GL6tJMBU#<%sVpZSdGW%P4ltBDE_%?3`FjK`V!ujIk3Z z66_$Mpfm(Yep?RH4fJhO#`i_6UuxE&I}R1tD%)Ge384ejuKd`e~uPd#hps}}HX4Hny&luee$<$3m3 zId+g0n+SZzM#f*x0n(&4@bFq&S-;!2lG7hWJmKqmWX<@VQgw<&o{Bks%lS~aAmmHP z(Z0uG=T=sSyzWi4P=NM(-#Zmr1VV3?Bagp6lGR5_*3;lAub2kAW1&>?D~Fi2p%%A& z^xNMDbc3bXXiGUF;c>6hMVn#{nn#?r3dyIEge95#DTvT-;-MgJ_JD z9M9I8!)L&$By1BQ4T)0~iE@fwIU?O2&FakC?(Waei)?%?BnDowQX`@ctJ>o)?JjfR z6H!XLo7GY3qdY1NhYFc4@x z;O?`xc_kRX09c=r_O^+wusFmZ-Eh>0oOhNkX*5(+Pjk@vkR~KZXY=k7qC-#-Mzn zrXxn{-3T~02*8s#qaUkkmh`#*_Kr^MTq|5l0i|DtQP@h#G7|KNFYRZa;s(=kk2ep~ zy~$YV;O^NKR%`D=fUJaaWlxPWJBt|sbVb$D&&0~1kxQnxJLof!&2aaO$n7eLs7*us z5=9CsmK)-yUw@WwE^neNpW7ORVIZECOQi=WffP~@VOuj_SPTC33BX@7DB_n$0XU}s z3;3l5fOA~1fHlXiW+tR}eO(sdm<@DA+=5xGv5p(W-hCt*aF**w3E9U9y^ z!cm7IlmNot8YB+!2dia)l9@V3o1rpmS)nD-ZyoYcL;O_{C*Dw0YKTrX=zival$_ht zkj3dXU#&jUw(hi#O(0s3W9aaOM>0Y9=vf< zfj!u8LE#6DukDZalmkAm%!TBQ7YV!Q=E>G`-9s~5p36TFFkkpTiA02%!`mJAJ!fjy z62>%CrjzF-IcV3N7C1P}eyjpFt^dHR5jX(n?mA(A*3X83k68~7J2vhfFt#-QIGX%jM$xB0=?S8YH}?ajVQ z^=Qu1fW-mgn21B^Ub?b4A)*FzAS;Y0BT2RIUBogmF~1VNR@dQzi%O-mrNM#F(XYNA zkR;k|DMQR{S$zo|I)YvR(@#1)Hi$WLNJ%YHP$)ZT#Bn#T%=$tB_2gy#kkiU2AWpnq z5c8S828&M)V$O}8f0a1^7jJ?{>{UuPIe}c_TQk=OrUaVzFA9yR@CcYqqBz^rn7p`L zSeZd}*vA8p8}ZxQ`G68NGNLv3HaveXIqr>ymM7}?i6`>42&p~Y_xp3rH~`EprA+<=<8(8u z+BcRs)?umSYUfjS9-cO8{JpSsV+|mJPs%7Dz5jzC)x#mEAas>@e%Mez^fZxpWDm-;&G{lK%DU#W-(%R&me`pKR`LkotdeF`n}9D%SmLD#btGkFA{ns-BupU=H*#}z zZ3wMjoavc|lLG*9b|@DT|9AU_g4%|_ChS_lHGe}zt@&62q~dRN6r=J2$Wi4?dX3c* zSbBP%P?ns2|KyZYcny$t$;B>u21qDn4<5JN@C@1@yBITh7sP~1Llo%xc=UL33( zElcxeFpQsdfzP@r7&N!(`SoIggA&QPm9s6Tu(9e(~bUi z^Gm{OCyhQjsy%P*UX*NpXJ%)wLP)OB8zM@n?bl1qm9nu~L&$9K9+fh-85fX2Cu?~N z)@c4%E5ODHIGU`mPTr_sEkJn`aWL%DuUs}l(L?>&b(J4Bo@sFreoqn_*8SO22K9po 
z&)RIXFV1`zim?}oWYg2j75N9E3jStb!v@s6){Is|LkHPDdomVBMm9~#$=kD<-MHMr ze4UR7!A?#!uDr?>Z&&WlofCHs&KUwUG>~2>9>6X>p^1GMMY>8f-q#F$J^wK#8FQ3< zVMsA*12qHyrgOb{92V?K5?}*Vet=Fjgx;@<4o;zf*y%pr%IbKHqUm-_Jf8aFtrA?E zmYi*m->Ye{Q0qmKReLi~2VCOTTY7WwLXErT(0E~{jFWuUyK8Fyz|CH;gnKLK%6_(6 zmK_A*z?PrM$f7E_2vV~5*83OmzN;rOd%U}t2NPMxVq7nptU zE++MJ8_Uvu*r?z>Y}r%8`~z*zCAt+}w<$f=wgUqlCoh&2DKpm4)Zt3chm&rfeSAO- zh1|cNK=9OqsbT*dz<-bU*W7L@#WuaNGtCcl8?Sa1+^H4iAXRmHZXX+o^4Gf>nsNP@ zNwLN%)_^YIzg<7GO)jJ)Q>G#F&f>mT$}KT ze_cwZ>9w5~&xT~MPf0X}l?QM~C66nhVMAh`Z1tH|-^2VZf@DW^!^_j{ z+!xSm_yS7{nPgi)Mf8($(zjd?X4-|I&4%bwt{{K^rk5u8A`E>V`|EG?m!;YZrtiSn z;-J?lyvp`sVDdB04#?z<#Gg}m{h$gLh_|)Km^*gBOj_JKcOlK1pvGY{{|C0gj4bQd zyEXX09M_x@_L=+(<*}5Rq1e2b`yYwN90J^x&_Vzy0|@ZTuov`fzW-$dM=4_Pnh2WX zniip(fBG;}W$po^H-?b947#xr(UgE_3Ai^qPa$l+>d2j&p(#mpnsh#yfrI6G>2O0~ z4RBmu8r%}a{prU>Mh9+%qs}$6n`@8n|BB&{~ebd_% z&yPV*A~dDGuhp_fdA~d0ZU6*HRkrO11rdfRg--QZsUhBdec=L8*jNcxzb_YEJxiWZ z6cI|bM_{fjt?bvOA2NF3X9;~)MO?8AkaPW#V&!Ng3X4uTvk5767ZWBhUdRm*R?A5A za@fh0Dve7&DgIF%VhIJKw$b_nC;j^)AG0s3jLLSe{}>Vck=aB%E8N}?Pe=#75Y}bJkx